noxCTF web writeup
Reference
What is your reference again?
http://chal.noxale.com:5000
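Opening the page shows:
Inspecting the network requests shows that the page calls http://chal.noxale.com:5000/check_from_google.
Setting the HTTP Referer header to www.google.com returns a base64-encoded string:
Decoding it gives the flag.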
MyFileUploader
This is my new file uploader server. I bet you can't hack it!
http://chal.noxale.com:8079
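Uploading an arbitrary file returns:
The message says the file name must contain .jpg/.png/.gif. So we upload a jpg file, which is stored in the http://chal.noxale.com:8079/uploads/ directory. When a .png.php file is uploaded, the php suffix is stripped automatically.
Browsing to that directory directly shows that directory listing is enabled and that it contains a folder named Don't open, which holds an htaccess file:
So we build a one-line webshell named a.png.cybr3:
The shell executes successfully. The flag is in the current directory.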
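An added example, not part of the original writeup or the challenge's code: a Python model of the filename check as the writeup observes it, next to a stricter allowlist check that rejects the same names. The function names and the filter logic are assumptions reconstructed from the behaviour described above.

```python
import os
import re
import secrets

ALLOWED = (".jpg", ".png", ".gif")

def weak_filter(filename):
    """Assumed model of the observed behaviour: the name only has to
    *contain* an image extension, and a trailing .php is stripped."""
    if not any(ext in filename for ext in ALLOWED):
        return None                       # rejected
    return re.sub(r"\.php$", "", filename)

def strict_filter(filename):
    """Allowlist on the final extension only; the stored name is generated
    server-side so no client-chosen extension ever reaches the web server."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    if not stem or ext.lower() not in ALLOWED:
        return None                       # rejected
    return secrets.token_hex(16) + ext.lower()

def compare(names):
    """Return {name: (weak result, accepted by strict?)} for each name."""
    return {n: (weak_filter(n), strict_filter(n) is not None) for n in names}

if __name__ == "__main__":
    # Constructed sample names, taken from the cases the writeup walks through.
    samples = ["photo.jpg", "a.png.php", "a.png.cybr3", "shell.php"]
    for name, (weak, strict_ok) in compare(samples).items():
        print(f"{name:14} weak -> {weak!s:14} strict accepts: {strict_ok}")
```

The strict check is only one layer: the upload directory should also have directory listing and script handlers disabled, so that a stray handler mapping like the one in the htaccess cannot turn a stored file into executable code.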
Dictionary of obscure sorrows
There are a lot of obscure sorrows in our world. Your job is not to find those that are plain in sight; You need to seek further, look deeper. Find the word that can not be written. The most obscure sorrow of them all.
http://54.152.220.222/
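The page contains many clickable items, and the URLs they open look like http://54.152.220.222/word.php?page=Lalalalia. The first thing this URL suggests is PHP file inclusion. Trying to read files through the filter pseudo-protocol gets nowhere.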