noxCTF web writeup

Reference

What is your reference again?
http://chal.noxale.com:5000

打开页面发现:


检查网络请求发现访问了http://chal.noxale.com:5000/check_from_google
将HTTP的Referer头改为www.google.com 得到base64编码的字符串:


解密后得到flag。

MyFileUploader

This is my new file uploader server. I bet you can't hack it!
http://chal.noxale.com:8079

随便拖一个文件上传,得到:


提示文件名需包含.jpg/.png/.gif。于是我们上传一个jpg文件,文件被上传至http://chal.noxale.com:8079/uploads/目录。上传.png.php时,php后缀会被自动抹去。
直接访问该目录,发现可列目录且存在名为Don't open的文件夹,打开发现htaccess:


于是构造名为a.png.cybr3的一句话:


发现shell可以成功被执行。在当前目录下找到flag:

Dictionary of obscure sorrows

There are a lot of obscure sorrows in our world. Your job is not to find those that are plain in sight; You need to seek further, look deeper. Find the word that can not be written. The most obscure sorrow of them all.
http://54.152.220.222/

打开网页发现里面有很多元素可以点,点开的url形如http://54.152.220.222/word.php?page=Lalalalia。看到这个url首先想到php文件包含。通过filter伪协议读取文件无果。

点击收藏 | 0 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖