Uncategorized
5.4k words
Involved Knowledge: factoring n given phi and n; DSA shared-k attack. Description from Crypto.Util.number import getPrime, bytes_to_long, inverse, long_to_bytes from Crypto.PublicKey import DSA from hashlib import sha256 import random from secret import flag def gen(a): p = getPrime(a) q = getPrime(a) r = getPrime(a) x = getPrime(a) n = p*q*r*x phi = (p-1)*(q-1)*(r-1)*(x-1) return n, phi, [p, q, r, x] def sign(m, k, x, p, q, g): hm = bytes_to_long(sha256(m).digest()) r = pow(...
Uncategorized
5.7k words
Description: Let's do some math problems. from Crypto.Util.number import getPrime,bytes_to_long from sympy import Derivative from fractions import Fraction from secret import flag p=getPrime(1024) q=getPrime(1024) e=65537 n=p*q z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q)) m=bytes_to_long(flag) c=pow(m,e,n) print(c,z,n) ''' output: 79225478668577614598074915026542162830127761777895115493506729581018102813484022840983101477965494306892538035109948774201355372685494106526544796208586913241...
Uncategorized
627 words
ez_rce(NSSRound#4) The author tries to write this in as much detail as possible so that everyone can understand and reproduce it. TOPIC&ANALYSE The page shows only the text "It works". Finding a way in: in the developer tools, under Network - Headers - Server, we see that the server is running Apache/2.4.49 (Unix). Try starting from there. Apache/2.4.49 (Unix) is known to have a path traversal vulnerability, which we use as the entry point. CVE-2021-41773: Apache version = 2.4.49; the traversed directory is allowed to be accessed; if the cgi or cgid module is enabled on the server, this path traversal can execute arbitrary commands. ATTACK After intercepting the request, use Action - Send to Repeater to enter the Repeater module, where the request can be modified and the response seen immediately. Right-click in the Request pane, choose Change request method to switch GET to POST, and then write the payload. POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 ... echo;id The key point is /cgi-b...
Uncategorized
2k words
This is a very old challenge; unfortunately I only got to it now. It is not a simple stack overflow; it has soul. Checksec Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) 32-bit program with NX and RELRO enabled. File get_started_3dsctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, not stripped Statically linked; I tried ROPgadget to generate a ropchain directly, but being a noob I could not get it to work. Run the program Qual a palavrinha magica? Then it waits for user input, and the program exits. Analyse function - main int __cdecl main(int argc, const c...
Uncategorized
3.4k words
Analyse sub_4012B6() unsigned int sub_4012B6() { int v0; // eax int fd; // [rsp+Ch] [rbp-4h] setbuf(stdin, 0LL); setbuf(stdout, 0LL); setbuf(stderr, 0LL); fd = open("/dev/urandom", 0); if ( fd == -1 ) { printf("can't open /dev/urandom"); exit(-1); } read(fd, &qword_4040D0, 8uLL); close(fd); v0 = time(0LL); srand(v0 ^ qword_4040D0); return alarm(0x14u); } Here the time() timestamp and qword_4040D0 are combined as the seed for random number generation. sub_4013EC() __int64 sub_4013...
Uncategorized
2.1k words
checksec Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) File pwn4: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1133aeb41afd0e7b11659d5a27e062c4b34b1474, not stripped Analyse run the program function - main int __cdecl main(int argc, const char **argv, const char **envp) { __int64 v4; // [rsp+8h] [rb...
Uncategorized
4.3k words
checksec Arch: amd64-64-little RELRO: No RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) Canary and non-executable stack (NX) are enabled. main push rbp .text:000000000040068B mov rbp, rsp .text:000000000040068E sub rsp, 150h .text:0000000000400695 mov [rbp+var_144], edi .text:000000000040069B mov [rbp+var_150], rsi .text:00000000004006A2 mov rax, fs:28h .text:00000000004...