CTF-WriteUp
这两天一直在搞CTF,焦头烂额,这玩意脑洞不够大,思域不够开阔简直分分钟急哭,到现在还有几个没做完,先把做好的附上思路+流程,本人小白一个,大牛遇到不喜勿喷,有其他思路可以帮忙评论教育!谢谢!
第一个
看到题目,提示为robot,打开链接地址
沃特法克?这呆萌的机器人究竟隐藏着什么秘密?
九旬老太为何裸死街头?数百头母驴为何半夜惨叫? 小卖部安全套为何屡遭黑手? 女生宿舍内裤为何频频失窃? 连环强奸母猪案,究竟是何人所为? 老尼姑的门 夜夜
被敲,究竟是人是鬼? 数百只小母狗意外身亡的 背后
又隐藏着什么? 这一切的背后, 是人性的扭曲还是道德的沦丧? 难道玄机在图片里?根据CTF的尿性,一切都不是表面上看起来那么简单!
但事实真的经不起推敲,很遗憾复制图片到本地一看啥也没有,它真的就只是一张图片!!!
So,在这个有问题就搜搜搜的时代,这等问题是难不倒我广大人民群众的,经过一番错综复杂,丧心病狂的“狂轰乱炸”,360终于扛不住如此酷刑如实招供,这一切都跟机器人协议有关,也就是robots。下面是robots协议的词条解释
看到这我只能心里默念几十万遍“666”,大牛估计看到robot这个词立马就联想到了吧,只有我等小白还需要上网查询,此等耻辱必将是我今后称霸互联网的不朽动力!
接着,根据得到的信息,在URL后面拼接上robots.txt,得到完整URL=http://106.75.86.18:1111/robots.txt,访问一下
那么,有如此明显的路径如果还懵逼那我真的可以撞死在豆腐西施怀里了!将/admin/3hell.php拼接在
http://106.75.86.18:1111后面,得到完整URL=http://106.75.86.18:1111/admin/3he11.php,再访问一下
Umm...如此一片洁白如镜,让我想起了北方的雪。。。没有任何显示证明这玩意已经被解析了,根据小白经验,凡是被解析的要么看源码,要么抓包,先看源码试试
黄天不负有心人,只要心想事竟成!(虽然前后也就花了几分钟时间。。。)这么简单就拿到了flag的我在风中凌乱,这尼玛跟我想象中的不一样好么,说好的套路呢???说好的一辈子呢???好吧,心理活动到此结束,深吸一口气,将flag放在答案框里吧,过程虽然简单,但我知道了什么是robot协议,也明白了它的用法
- 1、robots.txt可以告诉百度您网站的哪些页面可以被抓取,哪些页面不可以被抓取。
- 2、您可以通过Robots工具来创建、校验、更新您的robots.txt文件,或查看您网站robots.txt文件在百度生效的情况。
- 3、Robots工具暂不支持https站点。
- 4、Robots工具目前支持48k的文件内容检测,请保证您的robots.txt文件不要过大,目录最长不超过250个字符。
第二个
上面提示ipspoofing,也就是IP欺骗,不管其他,先访问看看
这个网页看起来很舒服,随便点点发现没有任何可跳转的地方,但是拉到最下方可发现一个奇怪的东西
前两个没什么luan用,但是看到administrator的人都会有下意识点击的反应,我也不例外,结果
嗯哼,这就找到后台了。。。但是很多人看到这玩意发现没验证码,所以。。。赶紧爆破啊!!!等毛线啊!!!看我不几万吨TNT轰它个海枯石烂!!!但是,在大多数人都化身董存瑞手扶炸药抗碉堡的时候,我认为CTF的套路不一般,它教会了我们不按套路出牌,那么,我还是看一下源码,在翻到最下面的时候发现了这个东西
。。。。。。在这里我再次嘲讽那些蛮干冒进的伙伴们一番,等你们爆破出来,我们就老了!这赤裸裸的帐号密码写在眼前真的是对你们莫大的侮辱!不过,我喜欢!那么,众乐乐不如独乐乐,偷偷地将帐号密码输入登录,有提示
成功获得flag,事实证明我大天朝部分同学简单事情复杂化的思维模式是不可取的,凡是只看表面是要吃很大亏的,嗯,少说两句,免得来年坟头草三尺高。。。
第三个
访问显示
网页提示,本展示内部网站,非请勿入!很直接,这就是个内网网站,关于内网的渗透思路各路大神可以自行百度,这里应该没有想象那么复杂,而且根据提示,seelog,顾名思义就是看日志,日志怎么看呢,很多网站,在根目录后面跟上log就好了,这里附上服务器日志的百科https://baike.baidu.com/item/%E7%BD%91%E7%AB%99%E6%97%A5%E5%BF%97/8933494?fr=aladdin,那么试试看
由此看到有两种log,先看看第一个
谁来扶我一下,有点晕。。。辣么多怎么看的过来,怪不得朋友一被拉去看日志就会发出几声类似杀猪般的惨叫。。。不过这些难不倒我,每一条日志后面都有响应值,比如404啊403什么的,我只要有用的,有用的是什么?200响应啊!所以查找呗,不过此处有个小技巧,只需要输入HTTP/1.1" 200就可以,不要问我为什么,找规律而已,点了多少次就出来了我想要的东西
WTF??!!对,你没有看错!wojiushihoutai!!!我就是后台!!!只有我大天朝群众才看得懂,让老外懵逼去吧!!!把它拼接在根目录后面访问
第四个
提示为phpinfo,访问之
哟,这下好了,所有东西这里面都有了,我距离成功只有一步之遥!首先注意到连接地址后面多出来个index.php?path=phpinfo.php,看到这个很多人不淡定了,条件反射般的四个字脱口而出“文件包含”!!!对没错,就是文件包含,喊道这里还想着用其他办法搞的就太傻了,不过文件包含是有先决条件的-需要allow_url_include=On,那么看一下是否符合条件
凉凉夜色为你思念成河,化作春泥呵护着我。。。但这首旋律在我心底响起时,我知道我和它已经没可能了,深深的绝望涌出伴随泪流成河。但是我不死心,我不甘心这样输给命运,我们命由我不由天!allow_url_include=Off?不存在的!想到之前研究过的php文件流的用法,将“?path=php://filter/read=convert.base64-encode/resource=flag.php”拼接在根目录(具体用法不再赘述,请自行百度)
这戏剧性一幕释放了我心头的“十万天兵(caonima)”,说好的规则呢?究竟谁对谁错?条件不满足竟然还可以得出如此结果,百撕不得骑姐!有懂的大神可以评论指教!!!将base64编码解密后
第五个
提示为VID,关于VID的解释有很多,就不一一赘述,不懂的请自行百度,访问网址
你知道火神逻辑翻车???这句话不是我说的,是百度翻译告诉我的,什么鬼?懵逼了。。。除此之外,再无其他有用信息,看看源码
发现红字部分信息,拼接之,出现如下代码
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 23, Position 2 = 38
Branch analysis from position: 23
Jump found. Position 1 = 26, Position 2 = 35
Branch analysis from position: 26
Jump found. Position 1 = 29, Position 2 = 32
Branch analysis from position: 29
Jump found. Position 1 = 34
Branch analysis from position: 34
Jump found. Position 1 = 37
Branch analysis from position: 37
Jump found. Position 1 = 40
Branch analysis from position: 40
Return found
Branch analysis from position: 32
Jump found. Position 1 = 37
Branch analysis from position: 37
Branch analysis from position: 35
Jump found. Position 1 = 40
Branch analysis from position: 40
Branch analysis from position: 38
Return found
filename: C:\ctf\index.php
function name: (null)
number of ops: 44
compiled vars: !0 = $a, !1 = $b, !2 = $c
line # * op fetch ext return operands
---------------------------------------------------------------------------------
2 0 > EXT_STMT
1 ECHO 'do+you+know+Vulcan+Logic+Dumper%3F%3Cbr%3E'
3 2 EXT_STMT
3 BEGIN_SILENCE ~0
4 FETCH_R global $1 '_GET'
5 FETCH_DIM_R $2 $1, 'flag1'
6 END_SILENCE ~0
7 ASSIGN !0, $2
4 8 EXT_STMT
9 BEGIN_SILENCE ~4
10 FETCH_R global $5 '_GET'
11 FETCH_DIM_R $6 $5, 'flag2'
12 END_SILENCE ~4
13 ASSIGN !1, $6
5 14 EXT_STMT
15 BEGIN_SILENCE ~8
16 FETCH_R global $9 '_GET'
17 FETCH_DIM_R $10 $9, 'flag3'
18 END_SILENCE ~8
19 ASSIGN !2, $10
6 20 EXT_STMT
21 IS_EQUAL ~12 !0, 'fvhjjihfcv'
22 > JMPZ ~12, ->38
7 23 > EXT_STMT
24 IS_EQUAL ~13 !1, 'gfuyiyhioyf'
25 > JMPZ ~13, ->35
8 26 > EXT_STMT
27 IS_EQUAL ~14 !2, 'yugoiiyhi'
28 > JMPZ ~14, ->32
9 29 > EXT_STMT
30 ECHO 'the+next+step+is+xxx.zip'
10 31 > JMP ->34
11 32 > EXT_STMT
33 ECHO 'false%3Cbr%3E'
13 34 > > JMP ->37
14 35 > EXT_STMT
36 ECHO 'false%3Cbr%3E'
16 37 > > JMP ->40
17 38 > EXT_STMT
39 ECHO 'false%3Cbr%3E'
19 40 > NOP
22 41 EXT_STMT
42 ECHO '%3C%21--+index.php.txt+%3F%3E%0D%0A%0D%0A'
43 > RETURN 1
branch: # 0; line: 2- 6; sop: 0; eop: 22; out1: 23; out2: 38
branch: # 23; line: 7- 7; sop: 23; eop: 25; out1: 26; out2: 35
branch: # 26; line: 8- 8; sop: 26; eop: 28; out1: 29; out2: 32
branch: # 29; line: 9- 10; sop: 29; eop: 31; out1: 34
branch: # 32; line: 11- 13; sop: 32; eop: 33; out1: 34
branch: # 34; line: 13- 13; sop: 34; eop: 34; out1: 37
branch: # 35; line: 14- 16; sop: 35; eop: 36; out1: 37
branch: # 37; line: 16- 16; sop: 37; eop: 37; out1: 40
branch: # 38; line: 17- 19; sop: 38; eop: 39; out1: 40
branch: # 40; line: 19- 22; sop: 40; eop: 43
path #1: 0, 23, 26, 29, 34, 37, 40,
path #2: 0, 23, 26, 32, 34, 37, 40,
path #3: 0, 23, 35, 37, 40,
path #4: 0, 38, 40,
do you know Vulcan Logic Dumper?
false
Branch analysis from position: 0
Jump found. Position 1 = 23, Position 2 = 38
Branch analysis from position: 23
Jump found. Position 1 = 26, Position 2 = 35
Branch analysis from position: 26
Jump found. Position 1 = 29, Position 2 = 32
Branch analysis from position: 29
Jump found. Position 1 = 34
Branch analysis from position: 34
Jump found. Position 1 = 37
Branch analysis from position: 37
Jump found. Position 1 = 40
Branch analysis from position: 40
Return found
Branch analysis from position: 32
Jump found. Position 1 = 37
Branch analysis from position: 37
Branch analysis from position: 35
Jump found. Position 1 = 40
Branch analysis from position: 40
Branch analysis from position: 38
Return found
filename: C:\ctf\index.php
function name: (null)
number of ops: 44
compiled vars: !0 = $a, !1 = $b, !2 = $c
line # * op fetch ext return operands
---------------------------------------------------------------------------------
2 0 > EXT_STMT
1 ECHO 'do+you+know+Vulcan+Logic+Dumper%3F%3Cbr%3E'
3 2 EXT_STMT
3 BEGIN_SILENCE ~0
4 FETCH_R global $1 '_GET'
5 FETCH_DIM_R $2 $1, 'flag1'
6 END_SILENCE ~0
7 ASSIGN !0, $2
4 8 EXT_STMT
9 BEGIN_SILENCE ~4
10 FETCH_R global $5 '_GET'
11 FETCH_DIM_R $6 $5, 'flag2'
12 END_SILENCE ~4
13 ASSIGN !1, $6
5 14 EXT_STMT
15 BEGIN_SILENCE ~8
16 FETCH_R global $9 '_GET'
17 FETCH_DIM_R $10 $9, 'flag3'
18 END_SILENCE ~8
19 ASSIGN !2, $10
6 20 EXT_STMT
21 IS_EQUAL ~12 !0, 'fvhjjihfcv'
22 > JMPZ ~12, ->38
7 23 > EXT_STMT
24 IS_EQUAL ~13 !1, 'gfuyiyhioyf'
25 > JMPZ ~13, ->35
8 26 > EXT_STMT
27 IS_EQUAL ~14 !2, 'yugoiiyhi'
28 > JMPZ ~14, ->32
9 29 > EXT_STMT
30 ECHO 'the+next+step+is+xxx.zip'
10 31 > JMP ->34
11 32 > EXT_STMT
33 ECHO 'false%3Cbr%3E'
13 34 > > JMP ->37
14 35 > EXT_STMT
36 ECHO 'false%3Cbr%3E'
16 37 > > JMP ->40
17 38 > EXT_STMT
39 ECHO 'false%3Cbr%3E'
19 40 > NOP
22 41 EXT_STMT
42 ECHO '%3C%21--+index.php.txt+%3F%3E%0D%0A%0D%0A'
43 > RETURN 1
branch: # 0; line: 2- 6; sop: 0; eop: 22; out1: 23; out2: 38
branch: # 23; line: 7- 7; sop: 23; eop: 25; out1: 26; out2: 35
branch: # 26; line: 8- 8; sop: 26; eop: 28; out1: 29; out2: 32
branch: # 29; line: 9- 10; sop: 29; eop: 31; out1: 34
branch: # 32; line: 11- 13; sop: 32; eop: 33; out1: 34
branch: # 34; line: 13- 13; sop: 34; eop: 34; out1: 37
branch: # 35; line: 14- 16; sop: 35; eop: 36; out1: 37
branch: # 37; line: 16- 16; sop: 37; eop: 37; out1: 40
branch: # 38; line: 17- 19; sop: 38; eop: 39; out1: 40
branch: # 40; line: 19- 22; sop: 40; eop: 43
path #1: 0, 23, 26, 29, 34, 37, 40,
path #2: 0, 23, 26, 32, 34, 37, 40,
path #3: 0, 23, 35, 37, 40,
path #4: 0, 38, 40,
do you know Vulcan Logic Dumper?
false