0%

2018 X-NUCA Cyc1e_writeup

发表于 更新于 分类于
本文字数: 6.4k 阅读时长 ≈ 6 分钟

Warm Up

分析流量包,一共包含六组RSA的交互信息,copy出来对比有两组的n是相同的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
This is a message distribute system. Please tell me your name: 
Dave
Hi Dave, your N is: 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
And your exponent is: 6947
Last but not least, your secret is: 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
You will know the secret after I give you P,Q.
See you next time!


This is a message distribute system. Please tell me your name: 
Alice
Hi Alice, your N is: 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
And your exponent is: 7669
Last but not least, your secret is: 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
You will know the secret after I give you P,Q.
See you next time!

一个常规的RSA共模攻击,代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# -*- coding: utf-8 -*-
from libnum import n2s,s2n
from gmpy2 import invert
def egcd(a, b):
  if a == 0:
    return (b, 0, 1)
  else:
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

def main():
  n = 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
  c1 = 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
  c2 = 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
  e1 = 6947
  e2 = 7669
  s = egcd(e1, e2)
  s1 = s[1]
  s2 = s[2]
  if s1<0:
    s1 = - s1
    c1 = invert(c1, n)
  elif s2<0:
    s2 = - s2
    c2 = invert(c2, n)

  m = pow(c1,s1,n)*pow(c2,s2,n) % n
  print n2s(m)

if __name__ == '__main__':
  main()

Blog

题目提示了第三方登入认证方式是OAuth2.0的,OAuth2.0存在一个快捷登录授权劫持问题,主要在于code变量,然后就入坑了,最开始的思路是让admin访问快捷登入页面,修改redirect_uri 来抓取重置的code,然后伪造admin用户登入,然后发现redirect_uri不可伪造,就自闭了(具体分析可以看:https://bbs.ichunqiu.com/thread-34168-1-1.html)。本题的主要利用点在于帐号可重复绑定不同的第三方邮箱,所以让admin绑定上我们注册的邮箱,通过第三方邮箱登入admin帐号即可得到flag。通过/main/register注册一个用户,register需要探测一下


第三方登入方式注册一个邮箱帐号用来绑定,通过绑定第三方邮箱,截取绑定的流量包

绑定第三方邮箱主要通过state和code进行认证,即只要state和code正确,即可绑定成功,并不校验绑定的账户是什么,从而可以达到绑定其他用户并覆盖绑定邮箱的目的,所以我们可以让admin用户去访问Url:http://106.75.66.211:8000/main/oauth/?state=svFglsaloQ&code=AoWZd4NJLHuVomqQn2hWoDAp6hP6nz03VqDbp6sa 便可以达到让admin帐号绑定上我们邮箱的效果,并且后台设置了bot,所以我们可以通过post_bug提交绑定的Url来让admin访问,由于提交框有长度限制,所以直接提交是没有办法的。

由于http://106.75.66.211:8000/main/login?next=/main/login 处存在重定向,所以我们可以通过重定向跳转到vps上,即http://106.75.66.211:8000/main/login?next=[your_ip] 在vps上写一个跳转页面

1
2
3
4
5
<html>
  <script>
    window.open('http://106.75.66.211:8000/main/oauth/?state=9PKyRdpU5D&code=Y5WjDdELjUMGaJpbYfs9lOPBtgEvrOOvZxmmwZsj')
  </script>
</html>

将vps跳转页面地址压缩成短链( 推荐个短链生成地址:https://bitly.com ),提交bug,最终提交Url为:http://106.75.66.211:8000/main/login?next=https://bit.ly/2Qiixxx 等待bot访问后利用第三方邮箱登入

ezdotso

题目配置问题,上手甩一个cat /flag就出了,我和小伙伴都惊呆了。?action=cmd&cmd=ls%20/ 列根目录,flag在根目录下

?action=cmd&cmd=cat%20/flag出奇迹……

ps:其他几个web都比较难,怼到自闭,最后ROIS出了hardphp,还有js+wasm和web+pwn的,又可以学习一波了。