[原创] 杭电hgame2021 week1 writeup
发表于: 2021-5-27 12:52 14821
杭电hgame2021 week1
web
Hitchhiking_in_the_Galaxy
HTTP 请求头：按照每一步的提示，依次增加相应的请求头字段即可。
watermelon
按 F12 打开开发者工具，在调试器中查看 project.js，搜索 1999。
宝藏走私者
HTTP 请求走私：前端与后端对请求边界的解析不一致，因此可以把第二个请求夹带给后端（见下面对 /secret 的请求，附带伪造的 client-ip: 127.0.0.1 头）。
GET / HTTP/1.1
Host: thief.0727.site

GET /secret HTTP/1.1
Host: thief.0727.site
client-ip: 127.0.0.1
foo: 
智商检测机
import requests
import json
from bs4 import BeautifulSoup
from sympy import *
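numArr = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "-", "+"]


def scan(str1):
    """Return only the characters of ``str1`` that are listed in ``numArr``.

    Used to pull a plain integer (or the lone "+"/"-" operator) out of the
    string form of a MathML node, which also contains tag text.

    Args:
        str1: any string; an empty string yields "".

    Returns:
        ``str1`` with every character outside ``numArr`` dropped.  Callers
        pass the result to int(), which only succeeds when the kept
        characters form a valid integer literal.
    """
    return "".join(ch for ch in str1 if ch in numArr)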
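def getQ(session="session=eyJzb2x2aW5nIjoxfQ.YBfJbQ.L2PH1NyDzVTQcjiJjLR5lqeU4cw"):
    """Fetch the next question from the challenge API and return it as a dict.

    Args:
        session: raw Cookie header value carrying the challenge's session.
            NOTE(review): the default is a live session cookie copied from
            the author's browser -- a credential, not configuration.  It
            is tied to that account and expires; pass your own value.

    Returns:
        The decoded JSON body; anaylaze() expects a "question" key holding
        the MathML markup.

    Raises:
        requests.RequestException on network failure or timeout;
        json.JSONDecodeError when the body is not JSON (e.g. an error page
        returned after the session expires).
    """
    headers = {"Cookie": session}
    # A bounded timeout keeps a hung server from stalling the solve loop forever.
    res = requests.get(url="http://r4u.top:5000/api/getQuestion", headers=headers, timeout=10)
    return json.loads(res.text)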
# q = getQ()
def anaylaze(q: dict) -> list:
    """Pull (lower, upper, a, op, b) out of the question's MathML markup.

    The integration bounds are read from the siblings of the <mo> inside
    <msubsup>; the integrand's numbers are read by walking a fixed number
    of document-order hops from the first <mn> under <math>.
    NOTE(review): those hop counts are tied to the exact node layout the
    server emits -- any extra wrapper element or whitespace text node
    silently shifts them; confirm against a live response before reuse.

    Args:
        q: dict returned by getQ(); only q['question'] is read.

    Returns:
        [lower, upper, a, op, b] with the integers extracted via
        scan()/int() and op the "+"/"-" string between the two terms.

    Raises:
        AttributeError or ValueError when the markup does not match the
        expected layout (missing node, or scan() yields a non-integer).
    """
    q = q['question']
    soup = BeautifulSoup(q, "lxml")
    # Lower and upper bound: the two nodes following <mo> inside <msubsup>.
    xiaxian = soup.msubsup.mo.next_sibling
    shangxian = soup.msubsup.mo.next_sibling.next_sibling
    a = soup.math.mn
    # Coefficient of x: fixed number of hops from the first <mn>.
    a = a.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
    # Constant term: further along the same document-order walk.
    b = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
    # Operator between the two terms sits between a and b in that walk.
    fuhao = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
    return [int(scan(str(xiaxian))), int(scan(str(shangxian))), int(scan(str(a))), scan(str(fuhao)), int(scan(str(b)))]
# print(anaylaze(q))
def calc(arr):
    """Evaluate the definite integral of a*x +/- b over [lower, upper].

    Args:
        arr: [lower, upper, a, op, b] as produced by anaylaze(); op "+"
            adds b, any other value subtracts it.

    Returns:
        The integral rounded to two decimal places (whatever round() gives
        for the sympy result).
    """
    print(arr)
    lower, upper = arr[0], arr[1]
    coeff, op, const = arr[2], arr[3], arr[4]
    x = symbols('x')
    # Fold the sign into the constant term instead of branching on op twice.
    term = const if op == "+" else -const
    answer = integrate(coeff * x + term, (x, lower, upper))
    return round(answer, 2)
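# answer = calc(anaylaze(q))
def submit(answer, cookie="session=eyJzb2x2aW5nIjoxfQ.YBfJbQ.L2PH1NyDzVTQcjiJjLR5lqeU4cw"):
    """POST the answer to /api/verify and return the refreshed session cookie.

    Args:
        answer: the rounded integral from calc().  It is interpolated into
            the JSON body with str(), so it must render as a bare JSON
            number -- no quoting or escaping is applied.  This is only safe
            because the value is our own computation; json.dumps() would be
            the right tool for anything externally supplied.
        cookie: raw Cookie header value.  NOTE(review): the default is a
            live session cookie copied from the author's browser -- a
            credential; supply your own.

    Returns:
        The response's Set-Cookie header, used as the Cookie of the next
        round.

    Raises:
        KeyError if the response carries no Set-Cookie header.  run() relies
        on this to stop once the server no longer rotates the session
        (presumably when the final result is in the printed body).
    """
    data = '{"answer":' + str(answer) + '}'
    print(data)
    headers = {"Cookie": cookie, "Content-Type": "application/json;charset=UTF-8"}
    res = requests.post(url="http://r4u.top:5000/api/verify", data=data, headers=headers, timeout=10)
    print(res.text)
    newCookie = res.headers.get('Set-Cookie')
    if newCookie is None:
        # Same exception type the bare indexing raised, with a message that says why.
        raise KeyError("Set-Cookie header missing from /api/verify response: " + res.text[:200])
    print(newCookie)
    return newCookie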
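# submit(answer)
def run(cookie):
    """Solve questions round after round until the server stops issuing a cookie.

    Each round fetches a question with the current cookie, solves it and
    submits the answer; the cookie returned by submit() feeds the next round.
    The original recursed once per round, which trips Python's recursion
    limit (about 1000 frames) on a long question chain; the loop has no such
    cap.  Like the original, it only ends via an exception -- KeyError from
    submit() when no Set-Cookie comes back, or a network/parse error.

    Args:
        cookie: raw Cookie header value for the first request.
    """
    while True:
        q = getQ(cookie)
        answer = calc(anaylaze(q))
        cookie = submit(answer, cookie)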
# Entry point: start solving with a live session cookie.
# NOTE(review): this value was copied from the author's own browser session and is a
# credential: the dotted layout (payload.timestamp.signature) looks like a Flask /
# itsdangerous signed cookie, so it expires and cannot be forged -- replace it with your
# own before running.  The first segment base64-decodes to {"solving":3}, i.e. this run
# was resumed at question 3.
run("session=eyJzb2x2aW5nIjozfQ.YBfbuQ.R7aqFFYJmRgJ7FITfhRqfCKPNCg")
走私者的愤怒
和宝藏走私者一样的考点
re
apacha
主要加密流程见原文截图（本页未包含），按该流程写出正向代码（下方代码中三引号注释里的部分），然后对着正向代码逐步逆回去。
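# Round constants read out of the binary.  They satisfy
# v6l[i] == ((i + 1) * 0x9E3779B9) & MASK and v7l[i] == v6l[i] >> 2, i.e. the
# running "sum" and "sum >> 2" of an XXTEA-style schedule (delta = 0x9E3779B9).
v6l = [0x9E3779B9, 0x3C6EF372, 0xDAA66D2B, 0x78DDE6E4, 0x1715609D, 0xB54CDA56, 0x5384540F]
v7l = [0x278DDE6E, 0xF1BBCDC, 0x36A99B4A, 0x1E3779B9, 0x5C55827, 0x2D533695, 0x14E11503]
key = [1, 2, 3, 4]
# Ciphertext: 35 little words, one per flag byte.
flag = [0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9]
MASK = 0xFFFFFFFF


def _mx(prev, nxt, j, rnd, key, v6l, v7l):
    """Mixing term added to word j in round rnd, truncated to 32 bits.

    prev is the word before j (already updated this round), nxt the word
    after j (not yet updated).  The key byte is picked by (j ^ v7l[rnd]) & 3.
    """
    return ((((prev >> 5) ^ (4 * nxt)) + ((16 * prev) ^ (nxt >> 3)))
            ^ ((key[(j ^ v7l[rnd]) & 3] ^ prev) + (nxt ^ v6l[rnd]))) & MASK


def encrypt(words, key, v6l, v7l):
    """Forward transform recovered from the binary (replaces the commented-out code).

    For each round, every word j < last gets w[j] += MX(w[j-1], w[j+1]) in
    ascending order, seeded with prev = w[last]; then the last word gets
    w[last] += MX(w[last-1], w[0]).  Everything is mod 2**32.

    Args:
        words: sequence of at least two ints; the input is not masked, so
            pass values that already fit 32 bits (flag bytes do).
        key, v6l, v7l: key words and per-round constants (len(v6l) rounds).

    Returns:
        A new list of 32-bit words; the input is left untouched.
    """
    w = list(words)
    last = len(w) - 1
    z = w[last]
    for rnd in range(len(v6l)):
        for j in range(last):
            z = (w[j] + _mx(z, w[j + 1], j, rnd, key, v6l, v7l)) & MASK
            w[j] = z
        z = (w[last] + _mx(z, w[0], last, rnd, key, v6l, v7l)) & MASK
        w[last] = z
    return w


def decrypt(words, key, v6l, v7l):
    """Exact inverse of encrypt(): rounds in reverse, words from last to first.

    Within a round the tail word is undone first (it was updated last and
    read the already-new w[last-1] and w[0]); then walking j downwards,
    w[j-1] still holds its post-round value and w[j+1] has already been
    restored, which is precisely what the forward MX consumed.  For j == 0
    the predecessor is the tail word as it stood at the start of the round
    (the original used Python's w[-1] for this, then recomputed the same
    value in an explicit j == 0 branch; that redundancy is gone).

    Args:
        words: ciphertext words (32-bit ints).
        key, v6l, v7l: as for encrypt().

    Returns:
        A new list of 32-bit words; the input is left untouched.
    """
    w = list(words)
    last = len(w) - 1
    for rnd in reversed(range(len(v6l))):
        w[last] = (w[last] - _mx(w[last - 1], w[0], last, rnd, key, v6l, v7l)) & MASK
        for j in reversed(range(last)):
            prev = w[j - 1] if j else w[last]
            w[j] = (w[j] - _mx(prev, w[j + 1], j, rnd, key, v6l, v7l)) & MASK
    return w


# Unlike the original, the ciphertext list is not overwritten in place.
plain = decrypt(flag, key, v6l, v7l)
print(bytes(plain))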
HelloRe
签到题,就是一个异或
pypy
简单的 Python 字节码，对照官方 dis 模块文档还原出源码（下方给出的是还原后的正向代码以及目标密文），然后逆。
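raw_flag = ''


def encode(inner):
    """Forward transform recovered from the bytecode.

    Swaps every adjacent pair of characters (a trailing odd character stays
    where it is), XORs each character's code point with its index, and
    returns the bytes as a lowercase hex string.

    Args:
        inner: the flag body, i.e. raw_flag[6:-1] -- the part between the
            6-character prefix and the closing brace.

    Returns:
        Hex string of the transformed bytes ("" for empty input).

    Raises:
        ValueError if a code point exceeds 255 (bytes() cannot hold it).
    """
    chars = list(inner)
    for i in range(len(chars) // 2):
        chars[2 * i], chars[2 * i + 1] = chars[2 * i + 1], chars[2 * i]
    return bytes(ord(c) ^ i for i, c in enumerate(chars)).hex()


def decode(hex_cipher):
    """Invert encode(): un-XOR by index, then un-swap the pairs.

    Both steps are involutions, so the inverse is the same two operations
    in the opposite order.  Returns the recovered flag body; the full flag
    is the 6-character prefix + body + "}".  NOTE(review): the prefix length
    comes from raw_flag[6:-1] and the hgame{...} format used elsewhere in
    this writeup -- confirm against the challenge.

    Args:
        hex_cipher: hex string as produced by encode().

    Raises:
        ValueError if hex_cipher is not valid hex.
    """
    chars = [chr(b ^ i) for i, b in enumerate(bytes.fromhex(hex_cipher))]
    for i in range(len(chars) // 2):
        chars[2 * i], chars[2 * i + 1] = chars[2 * i + 1], chars[2 * i]
    return "".join(chars)


# Forward run on the placeholder (empty) flag, as in the original listing.
res = encode(raw_flag[6:-1])
# Target output read from the binary; decode(res.decode()) yields the flag body.
res = b'30466633346f59213b4139794520572b45514d61583151576638643a'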
pwn
这几道pwn题都非常有意思,虽然考的都是栈溢出、格式化字符串,但是都有一些有趣的细节
whitegive
签到题,输入的是数字,要和一个字符串比较,相等就返回shell
通过调试发现字符串参与比较的其实是它的内存地址
那么我们直接输入这个地址就get shell了
SteinsGate2
week1压轴题,截至目前只有七解
保护全开
首先是要读源码,然后可以发现一个泄露点和一个溢出点和一处格式化字符串漏洞点
其中泄露点虽然不能溢出，但利用 printf 输出字符串时只在遇到 \x00 才截断的性质，可以把紧跟在输入缓冲区后面的内存内容一并打印出来，从而泄露出 libc 基址；调试时还发现，除了 [rbp-0x8] 处是当前函数的 canary 之外，栈中还残留着之前函数留下的 canary 值——由于同一进程内所有函数使用同一个 canary，因此也可以由此得到 canary 的值。
溢出点就是栈溢出覆盖返回地址,ret2libc
这里的格式化字符串漏洞是个坑点,虽然存在,但经过反复调试发现触发它的条件永远不可能满足,浪费了我好多时间
泄露点+溢出点就可以打通了
然后还是要读源码,得到触发各个漏洞点的条件,也就是第几天要做固定的事
总体流程就是:
首先输入的世界线变化率要与初始世界线变化率的差值小于 0.000001（程序用误差阈值做浮点比较），这样就满足了 know_true 条件。