向诚


2024 Mao'an Cup Junior and Senior High School Group WriteUp

Web1

Check-in question


View source


Get qweasdrtyfgh.php


Web2

The index page is a hyperlink to test.php; once there, a file inclusion is obvious at a glance.

Reading the source code of index and test turned up nothing, and strpos could not be bypassed.

But the data stream works, which indicates that allow_url_fopen and allow_url_include are enabled.

Executing arbitrary system commands directly and writing files showed that the current directory is not writable, and ls showed no other shells, so I wrote to tmp and combined that with the file inclusion to get a shell.

Got the second blood for this question, hahaha
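
A defender-side check for the Web2 chain above (the data stream in the include parameter, then a file under tmp pulled in through the same inclusion), added here as an example and not part of the original write-up: it scans access-log lines for both steps. The log lines, the parameter name file, the paths and the PLACEHOLDER value are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines. The parameter name "file", the paths and the
# PLACEHOLDER value are assumptions; the page does not show the real requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Aug/2024:17:10:01 +0800] "GET /test.php?file=about.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Aug/2024:17:12:44 +0800] "GET /test.php?file=data%3A%2F%2Ftext%2Fplain%2CPLACEHOLDER HTTP/1.1" 200 87',
    '10.0.0.9 - - [08/Aug/2024:17:15:02 +0800] "GET /test.php?file=%252Ftmp%252Fx HTTP/1.1" 200 40',
    '10.0.0.7 - - [08/Aug/2024:17:16:30 +0800] "GET /index.php?q=data+science HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
DATA_WRAPPER_RE = re.compile(r"^\s*data:", re.IGNORECASE)  # PHP data: stream wrapper
TMP_PATH_RE = re.compile(r"(?:^|/)tmp/", re.IGNORECASE)    # e.g. /tmp/x, ../../tmp/x


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (line number, parameter, reason) for each suspicious parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if DATA_WRAPPER_RE.match(value):
                findings.append((lineno, name, "data: wrapper"))
            elif TMP_PATH_RE.search(value):
                findings.append((lineno, name, "temp-directory path"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

With allow_url_include set to Off in php.ini the data stream route fails outright. Access logs only carry the query string, so parameters sent in a POST body need application or WAF logging to be covered.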

Web3


Analyzing the challenge, it has the following restrictions:

1. phone must be an array
2. avatar in the POST parameters cannot contain the word "flag"
3. the string cannot contain "root" or other words

So the first restriction is bypassed by sending an array in the POST, and then __destruct is used to unserialize the chain with parameters. The name in the chain uses an escaped serialized string to bypass the second restriction. The third restriction only affects the POST; the avatar in the POST is unrelated to the solution and does not affect the avatar in the chain.

Payload:

name=O:9:"user_info":3:{s:4:"name";s:126:"rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroot";s:5:"phone";a:2:{i:0;i:1;i:1;i:1;}s:6:"avatar";s:5:"/flag";}&phone[]=1&avatar=123


Two hundred points for this question. Got the first blood and got ten extra points! The only team that solved it!

Misc1

It's an image, not LSB, no need to change weight

Renaming it to .rar via right-click gives an unencrypted archive containing rsa.txt.

Renaming it to .zip via right-click gives an encrypted archive containing flag.txt; it is not pseudo-encrypted.

Damn, I don't know how to encrypt. Asked gpt and solved it instantly


Misc2

Check-in question. Scan the QR code in the compressed file to get the flag instantly

Crypto1

Check-in question.


PWN

Taught by other experts. I can't learn it either

main reads two truncated values and enters get_data.

The length here is custom and can be -1.

On entering the token calculation, it XORs with 48 ('0'); if my name is 0, the string becomes empty at this point.

In the later assignment, because len returns -1, the assignment runs without bound, so v7 can overwrite file.

Calculate the stack offset and overwrite file with the flag in s; it then opens flag and outputs it.

Payload
Input 0:0:

This article is synchronized and updated to xLog by Mix Space
The original link is https://de3ay.com/posts/sec/maoming-ctf-writeup

