向诚

向诚

巷子里的猫很自由,却没有归宿。
telegram
email
Home归档关于博客

2024 Maoan Cup Junior and Senior High School Group WriteUp

178
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The challenge involved solving three web tasks, with the first task requiring finding a specific PHP file and the second task involving exploiting a data stream to execute commands and write files. The third task had restrictions on input parameters, which were bypassed using a specific payload. Additionally, there were two miscellaneous tasks involving extracting files from images and encrypted archives. The Crypto1 task was a simple challenge, while the PWN task required exploiting a vulnerability to access and output a flag.

Web1#

Check-in question

image-20240808170851461

View the source code

image-20240808170927179

Get qweasdrtyfgh.php

image-20240808171000834

Web2#

index is a hyperlink that says go to test.php. After going in, there is a file inclusion at first glance.

image-20240808171106313

I read the source code of index and test, but didn't find anything. Can't bypass strpos.

image

But data stream is available, indicating that allow_url_fopen and allow_url_include are enabled.

Directly executing system arbitrary commands and writing files, I found that the current directory is not writable. I also checked ls and didn't find any other shells. Write to tmp and combine with file inclusion to get shell.

image-20240808171548683

image-20240808171857729

I got second blood for this question hahaha.

Web3#

image-20240808172153842

Analyze the question, this question has the following restrictions:

1. phone must be an array
2. avatar cannot contain the word "flag" in the post parameters
3. string cannot contain any "root" or other words

So, bypass the first restriction in the post array, and then use __destruct to unserialize the chain and pass the parameters. The name in the chain uses an unserialized string to escape the second restriction. The third restriction only affects the post, the post's avatar is not related to the solution, and does not affect the avatar in the chain.

Payload:

name=O:9:"user_info":3:{s:4:"name";s:126:"rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroot";s:5:"phone";a:2:{i:0;i:1;i:1;i:1;}s:6:"avatar";s:5:"/flag";}&phone[]=1&avatar=123

image-20240808172635216

A two hundred point question. I got first blood and got ten points! The only team that solved it!

Misc1#

It's an image, not LSB, no need to change weight.

Change it to .rar by right-clicking to get the unencrypted compressed file rsa.txt.

Change it to .zip by right-clicking to get an encrypted compressed file with flag.txt inside, it's not pseudo-encrypted.

1723109396511

Damn it, I don't know how to encrypt. I'll ask gpt.

bfda59a5d29efefc00db14d075e0ba3

455f6b1e4e3fea002b50f877fc37f9d

Misc2#

Check-in question. Scan the QR code in the compressed file to get the flag.

Crypto1#

Check-in question.

image-20240808173138965

PWN#

Taught by other experts. I can't learn it either.

Main inputs two truncated values and enters get_data.

img

The length here is custom and can be -1.

img

Entering the token calculation will XOR with 48 ('0'), if my name is 0, at this time the string will become empty.

img

When assigning a value later, because len returns -1, it will be assigned infinitely, and v7 can cover file on top of file.

img

Calculate the stack offset and just overwrite the flag in s to file, then open flag and output.

Payload:
Input 0:0:

This article is synchronized and updated to xLog by Mix Space
The original link is https://de3ay.com/posts/sec/maoming-ctf-writeup

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.