loecho@垃圾桶

2020 CISCN Online Preliminary Round WriteUp

2020-08-27 · 2 min read
CTF

2020 CISCN Writeup

Web Challenges

Babyunserialize

  1. First, I probed the directories, found a backup file, and audited the code.
  2. The challenge hints at deserialization, so search for the keyword, go through each directory, and see how it is actually invoked.
  3. The actual call is in cli.php; constructing a payload from it succeeded!

easyphp

payload:

easytrick

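  1. Code audit: the requirement is that trick1 and trick2 have length <= 5 and that the subsequent md5 comparison passes, which yields the flag.

  2. Simulating it in a local environment, I tried scientific notation and precision issues and got the result.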

Prototype Pollution

Prototype pollution: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213, exploited directly.


MISC Challenges:

the_best_ctf_game

  1. Open the file directly and look for the keyword Flag.
  2. Got the flag: flag{65e02f26-0d6e-463f-bc63-2df733e47fbe}

电脑被黑 (The Computer Was Hacked)

  1. Download the attachment and inspect the file with binwalk.
  2. Inspect the directory with fsstat.
  3. Recover the files with ext3grep:

    # List the files that need to be recovered:
    ext3grep disk_dump --ls --inode 2

    # Get the file names:
    ext3grep disk_dump --dump-names

    # Restore all files directly:
    ext3grep disk_dump --restore-all
    
    
    
  4. Search for the keyword; the flag is garbled!
  5. Look at the demo program, reverse it, find the encryption algorithm, and write a script:

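    #!/usr/bin/env python3
    # -*- coding:utf-8 -*-
    """
    -------------------------------------------------
    Author:    loecho
    Datetime:  2020/8/20 15:56
    ProjectN:  exp-xor.py
    Blog:      https://loecho.me
    Email:     loecho@foxmail.com
    -------------------------------------------------
    """

    def main():
        flag = ""
        v4 = 34  # XOR key, advanced by 34 per byte (mod 256)
        v5 = 0   # offset to subtract, advanced by 2 per byte (mod 16)

        # Read the garbled flag as raw bytes; 'a+' leaves the read
        # position at end of file in Python 3, so nothing would be read.
        with open('flag.txt', 'rb') as f:
            data = f.read()

        for b in data:
            # Undo the XOR, subtract the offset, and stay within byte range
            flag += chr(((b ^ v4) - v5) & 0xff)
            v4 = (v4 + 34) & 0xff
            v5 = (v5 + 2) & 0x0f

        print(flag)

    if __name__ == '__main__':
        main()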

Got the flag.

PWN Challenges:

  1. After analysis, connect with nc to get a dumb shell, then use Python to spawn a full shell:

    python -c 'import pty; pty.spawn("/bin/bash")'

  2. Search for the flag to get its path.
  3. Got the flag.