2018 X-NUCA Cyc1e_writeup

Author: Cyc1e | Published 2018-11-26 10:39 | 185 reads

Crypto

Warm Up

Analyzing the packet capture, there are six RSA exchanges in total; copying them out and comparing shows that two of them share the same n.

This is a message distribute system. Please tell me your name: 
Dave
Hi Dave, your N is: 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
And your exponent is: 6947
Last but not least, your secret is: 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
You will know the secret after I give you P,Q.
See you next time!


This is a message distribute system. Please tell me your name: 
Alice
Hi Alice, your N is: 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
And your exponent is: 7669
Last but not least, your secret is: 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
You will know the secret after I give you P,Q.
See you next time!

This is a standard RSA common-modulus attack: the same secret is encrypted under one n with two coprime public exponents, so the Bézout coefficients of e1 and e2 recover it. The code is as follows:

# -*- coding: utf-8 -*-
from libnum import n2s
from gmpy2 import invert


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)


def main():
    # Shared modulus and the two ciphertexts/exponents captured for Dave and Alice.
    n = 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
    c1 = 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
    c2 = 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
    e1 = 6947
    e2 = 7669
    # gcd(e1, e2) == 1, so s1*e1 + s2*e2 == 1 and therefore
    # c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m (mod n).
    g, s1, s2 = egcd(e1, e2)
    assert g == 1
    # A negative coefficient is applied to the modular inverse of that ciphertext.
    if s1 < 0:
        s1 = -s1
        c1 = invert(c1, n)
    if s2 < 0:
        s2 = -s2
        c2 = invert(c2, n)

    m = pow(c1, s1, n) * pow(c2, s2, n) % n
    print(n2s(int(m)))


if __name__ == '__main__':
    main()
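The same recovery in dependency-free form, added here as an example and not part of the original writeup: it uses a constructed toy modulus (two fixed primes, not the challenge's N) together with the two exponents the service handed out, and checks the result the way an attacker without p and q can, by re-encrypting. The function and constant names are mine.

```python
# Added example: RSA common-modulus recovery in pure Python (no libnum/gmpy2).


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, x, y = egcd(b, a % b)
    return (g, y, x - (a // b) * y)


def common_modulus_recover(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) when gcd(e1, e2) == 1.

    Bezout gives s1*e1 + s2*e2 == 1, so c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m.
    One coefficient is negative; that exponent is applied to the modular inverse
    of its ciphertext, which exists as long as the message is coprime to n.
    """
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime for full recovery")
    if s1 < 0:
        c1, s1 = pow(c1, -1, n), -s1   # Python 3.8+: pow(x, -1, n) is the inverse
    if s2 < 0:
        c2, s2 = pow(c2, -1, n), -s2
    return pow(c1, s1, n) * pow(c2, s2, n) % n


# Constructed toy key: two fixed primes (NOT the challenge's N) and the two
# public exponents the challenge gave to Dave and Alice.
P = 1000000007
Q = 998244353
N = P * Q
E1, E2 = 6947, 7669
MESSAGE = b"X-NUCA"  # constructed sample secret; must be smaller than N


def demo():
    """Encrypt one message under the shared modulus twice, then recover it."""
    m = int.from_bytes(MESSAGE, "big")
    c1 = pow(m, E1, N)
    c2 = pow(m, E2, N)
    recovered = common_modulus_recover(N, E1, c1, E2, c2)
    # Re-encryption is the check an attacker can do without knowing p and q.
    assert pow(recovered, E1, N) == c1
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The defence is simply never to issue the same modulus to two users: each key pair gets its own p and q, and the attack has nothing to combine.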

Web

Blog

The challenge hints that the third-party login uses OAuth 2.0. OAuth 2.0 has a known quick-login authorization hijacking problem that centres on the code parameter, and that is where I went down a rabbit hole: my first idea was to make admin visit the quick-login page with a modified redirect_uri so I could capture the returned code and forge a login as admin, but redirect_uri turned out not to be forgeable and I got stuck (for a detailed analysis see: https://bbs.ichunqiu.com/thread-34168-1-1.html). The real exploitation point of this challenge is that an account can be bound repeatedly to different third-party email addresses, so we make admin bind the email we registered and then log in to the admin account through that third-party email to get the flag. Register a user via /main/register; the register endpoint needs a bit of probing.

(screenshot: registering a user and logging in)
Using the third-party login, register an email account to bind; bind it as the third-party email and capture the binding request while it is in flight. (screenshot: captured email-binding request)
Binding a third-party email is authenticated only through state and code: as long as state and code are correct the binding succeeds, and the server never checks which account is being bound, so another user can be bound and their bound email overwritten. So if we make the admin user visit the URL http://106.75.66.211:8000/main/oauth/?state=svFglsaloQ&code=AoWZd4NJLHuVomqQn2hWoDAp6hP6nz03VqDbp6sa, the admin account becomes bound to our email. The backend runs a bot, so we can submit the binding URL through post_bug to make admin visit it; however, the submission box has a length limit, so submitting it directly does not work. (screenshot: post_bug)
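The defect described above is a missing binding between the OAuth state and the session that started the flow. The following in-memory simulation, added here as an example and not part of the writeup or the challenge's code, contrasts a callback that accepts any issued (state, code) pair with one that requires the state pending in the caller's own session; every name in it (SESSIONS, start_bind, oauth_callback_fixed, the code-to-email mapping) is hypothetical.

```python
# Added example: why the /main/oauth/ callback must tie state to the session.
import secrets

# In-memory stand-ins for the server's session and account tables.
SESSIONS = {}          # session id -> {"user": name, "pending_state": str or None}
ISSUED_STATES = set()  # every state ever handed out (all the vulnerable check looks at)
BOUND_EMAILS = {}      # account name -> bound third-party email


def login(username):
    """Create a logged-in session for username and return its session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "pending_state": None}
    return sid


def start_bind(sid):
    """Begin the bind flow: issue a state and remember which session asked for it."""
    state = secrets.token_urlsafe(10)
    ISSUED_STATES.add(state)
    SESSIONS[sid]["pending_state"] = state
    return state


def provider_email_for(code):
    """Stand-in for redeeming the code at the identity provider (constructed mapping)."""
    return {"CODE-FOR-ATTACKER-MAILBOX": "attacker@example.com"}.get(code)


def oauth_callback_vulnerable(sid, state, code):
    """The behaviour the writeup describes: any valid (state, code) binds whoever is logged in."""
    if state not in ISSUED_STATES:
        return "bad state"
    email = provider_email_for(code)
    if email is None:
        return "bad code"
    BOUND_EMAILS[SESSIONS[sid]["user"]] = email
    return "bound"


def oauth_callback_fixed(sid, state, code):
    """Fixed: state must be the one pending in *this* session, and it is single-use."""
    session = SESSIONS[sid]
    expected = session["pending_state"]
    if expected is None or not secrets.compare_digest(expected, state):
        return "state not issued to this session"
    session["pending_state"] = None  # consume it so the URL cannot be replayed
    email = provider_email_for(code)
    if email is None:
        return "bad code"
    BOUND_EMAILS[session["user"]] = email
    return "bound"


def scenario():
    """Replay the writeup's cross-account binding against both callbacks."""
    attacker = login("attacker")
    admin = login("admin")
    state = start_bind(attacker)            # issued to the attacker's session
    code = "CODE-FOR-ATTACKER-MAILBOX"      # redeems to the attacker's mailbox
    # The callback URL carrying that state/code is then opened in admin's session.
    BOUND_EMAILS.clear()
    vuln = (oauth_callback_vulnerable(admin, state, code), BOUND_EMAILS.get("admin"))
    BOUND_EMAILS.clear()
    fixed = (oauth_callback_fixed(admin, state, code), BOUND_EMAILS.get("admin"))
    return {"vulnerable": vuln, "fixed": fixed}


if __name__ == "__main__":
    print(scenario())
```

The fixed callback is what RFC 6749's state parameter is for: it is a CSRF token for the authorization round-trip, so it has to be compared against the value stored in the session that will receive the binding, not merely against "some state we issued".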

Because http://106.75.66.211:8000/main/login?next=/main/login performs a redirect, we can redirect to our VPS via http://106.75.66.211:8000/main/login?next=[your_ip] and host a redirect page on the VPS:

<html>
  <script>
    window.open('http://106.75.66.211:8000/main/oauth/?state=9PKyRdpU5D&code=Y5WjDdELjUMGaJpbYfs9lOPBtgEvrOOvZxmmwZsj')
  </script>
</html>

Shorten the VPS redirect page's address into a short link (a recommended short-link service: https://bitly.com) and submit the bug with the final URL http://106.75.66.211:8000/main/login?next=https://bit.ly/2Qiixxx. After the bot visits, log in through the third-party email.
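The delivery chain above depends on /main/login?next= following any destination, including the bit.ly link. Added here as an example (not the challenge's code): a safe_next() helper that honours only same-site paths. SITE_HOST is taken from the challenge's address; the function and constant names are hypothetical.

```python
# Added example: validating a post-login ?next= target so it cannot leave the site.
from urllib.parse import urlsplit

# The challenge host, the only host an absolute next= may point at.
SITE_HOST = "106.75.66.211:8000"
DEFAULT_NEXT = "/main/"


def safe_next(next_param, site_host=SITE_HOST, default=DEFAULT_NEXT):
    """Return next_param if it is a same-site path, otherwise a fixed default.

    Rejected: other hosts (http://evil, https://bit.ly/...), scheme-relative
    "//evil", backslash variants some browsers normalise to "/", and
    non-http schemes such as javascript:.
    """
    if not next_param:
        return default
    if next_param.startswith(("//", "/\\", "\\")):
        return default
    parts = urlsplit(next_param)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc != site_host:
        return default
    path = parts.path or "/"
    if not path.startswith("/"):
        return default
    # Re-emit only path and query; any host part and fragment are dropped.
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for candidate in ("/main/login", "https://bit.ly/2Qiixxx", "//evil.example",
                      "javascript:alert(1)"):
        print(repr(candidate), "->", safe_next(candidate))
```

Returning only the path component even for same-host absolute URLs keeps the login handler from ever emitting a Location header built from attacker-controlled scheme or host text.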

(screenshot: logged in as admin)

ezdotso

This was a challenge configuration problem: throwing a cat /flag at it straight away solved it, which stunned my teammate and me. ?action=cmd&cmd=ls%20/ lists the root directory, and the flag is in the root directory.

(screenshot: ls output)

?action=cmd&cmd=cat%20/flag works a miracle......

(screenshot: flag)
PS: the other web challenges were all quite hard and I bashed my head against them until I gave up; in the end ROIS solved hardphp, and there were also js+wasm and web+pwn ones, so there is another round of things to learn.
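Because that handler runs whatever arrives in cmd, the request line itself is the detection artefact. Added here as an example, not part of the writeup, with constructed access-log lines and hypothetical function names: a scan of a common-format access log for requests to the action=cmd handler, tagging commands that read sensitive paths.

```python
# Added example: spotting action=cmd requests in web server access logs.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2018:10:01:02 +0800] "GET /index.php?action=view&id=3 HTTP/1.1" 200 512
10.0.0.9 - - [26/Nov/2018:10:01:09 +0800] "GET /index.php?action=cmd&cmd=ls%20/ HTTP/1.1" 200 88
10.0.0.9 - - [26/Nov/2018:10:01:15 +0800] "GET /index.php?action=cmd&cmd=cat%20/flag HTTP/1.1" 200 41
10.0.0.7 - - [26/Nov/2018:10:02:00 +0800] "GET /index.php?action=cmd HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths whose appearance in a command argument raises the severity.
SENSITIVE_PATHS = ("/flag", "/etc/passwd", "/etc/shadow", "/root")


def parse_line(line):
    """Split one log line into fields plus the decoded action/cmd parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)  # parse_qs percent-decodes values
    rec["action"] = query.get("action", [None])[0]
    rec["cmd"] = query.get("cmd", [None])[0]
    return rec


def severity(cmd):
    """'high' if the command touches a sensitive path, otherwise 'medium'."""
    return "high" if any(p in cmd for p in SENSITIVE_PATHS) else "medium"


def find_command_requests(log_text):
    """Return (ip, status, cmd, severity) for every action=cmd request carrying a cmd."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "cmd" and rec["cmd"]:
            hits.append((rec["ip"], int(rec["status"]), rec["cmd"], severity(rec["cmd"])))
    return hits


if __name__ == "__main__":
    for hit in find_command_requests(SAMPLE_LOG):
        print(hit)
```

The status code is carried along deliberately: a 200 on a high-severity command is the line to escalate, while a 403 (the last sample line, which is also dropped for lacking a cmd value) shows the handler was at least not reachable.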

Article link: https://www.haomeiwen.com/subject/lrvvqqtx.html