├── handbook.pdf ├── Misc └── default.a ├── Web ├── admin_Test │ ├── login.php │ ├── upload.php │ ├── index.html │ └── admin.html └── GoldenHornKing │ └── app.py ├── Pwn └── Dockerfile └── README.md /handbook.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CTF-Archives/2024-dfjk/main/handbook.pdf -------------------------------------------------------------------------------- /Misc/default.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CTF-Archives/2024-dfjk/main/Misc/default.a -------------------------------------------------------------------------------- /Web/admin_Test/login.php: -------------------------------------------------------------------------------- 1 | alert("Invalid username or password.");window.location.href="index.html";'; 18 | } 19 | } else { 20 | header('Location: index.html'); 21 | exit; 22 | } 23 | ?> -------------------------------------------------------------------------------- /Pwn/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | sed -i "s/deb http:\/\/se/#/g" /etc/apt/sources.list && \ 5 | sed -i "s/deb-src http:\/\/se/#/g" /etc/apt/sources.list && \ 6 | apt-get update && apt-get -y dist-upgrade && \ 7 | apt-get install -y lib32z1 xinetd 8 | 9 | RUN useradd -m ctf 10 | 11 | WORKDIR /home/ctf 12 | 13 | RUN cp -R /usr/lib* /home/ctf 14 | 15 | 16 | RUN mkdir /home/ctf/dev && \ 17 | mknod /home/ctf/dev/null c 1 3 && \ 18 | mknod /home/ctf/dev/zero c 1 5 && \ 19 | mknod /home/ctf/dev/random c 1 8 && \ 20 | mknod /home/ctf/dev/urandom c 1 9 && \ 21 | chmod 666 /home/ctf/dev/* 22 | 23 | RUN mkdir /home/ctf/bin && \ 24 | cp /bin/sh /home/ctf/bin && \ 25 | cp /bin/ls /home/ctf/bin && \ 26 | cp /bin/cat /home/ctf/bin 27 | 28 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 29 | COPY ./start.sh /start.sh 30 | 31 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 32 | 33 | RUN chmod +x /start.sh && \ 34 | COPY ./bin/ /home/ctf/ 35 | 36 | RUN chown -R root:ctf /home/ctf && \ 37 | chmod -R 750 /home/ctf 38 | 39 | CMD ["/start.sh"] 40 | 41 | EXPOSE 9999 42 | 43 | -------------------------------------------------------------------------------- /Web/GoldenHornKing/app.py: -------------------------------------------------------------------------------- 1 | import os 2 | import jinja2 3 | import functools 4 | import uvicorn 5 | from fastapi import FastAPI 6 | from fastapi.templating import Jinja2Templates 7 | from anyio import fail_after, sleep 8 | 9 | def timeout_after(timeout: int = 1): 10 | def decorator(func): 11 | @functools.wraps(func) 12 | async def wrapper(*args, **kwargs): 13 | with fail_after(timeout): 14 | return await func(*args, **kwargs) 15 | return wrapper 16 | 17 | return decorator 18 | 19 | app = FastAPI() 20 | access = False 21 | 22 | _base_path = os.path.dirname(os.path.abspath(__file__)) 23 | t = Jinja2Templates(directory=_base_path) 24 | 25 | @app.get("/") 26 | @timeout_after(1) 27 | async def index(): 28 | return open(__file__, 'r').read() 29 | 30 | @app.get("/calc") 31 | @timeout_after(1) 32 | async def ssti(calc_req: str): 33 | global access 34 | if (any(char.isdigit() for char in calc_req)) or ("%" in calc_req) or not calc_req.isascii() or access: 35 | return "bad char" 36 | else: 37 | jinja2.Environment(loader=jinja2.BaseLoader()).from_string(f"{{{{ {calc_req} }}}}").render({"app": app}) 38 | access = True 39 | return "fight" 40 | 41 | if __name__ == "__main__": 42 | uvicorn.run(app, host="0.0.0.0", port=8000) -------------------------------------------------------------------------------- /Web/admin_Test/upload.php: -------------------------------------------------------------------------------- 1 | "; 16 | } else { 17 | echo "upload error, but you can try another way
"; 18 | } 19 | } 20 | 21 | if (isset($_POST['cmd'])) { 22 | $cmd = $_POST['cmd']; 23 | 24 | if (preg_match('/^[\.\/\*t ]+$/', $cmd)) { 25 | $output = shell_exec($cmd); 26 | echo "
$output
"; 27 | } else { 28 | echo "Invalid char"; 29 | } 30 | } 31 | 32 | if (isset($_POST['reset']) && $_POST['reset'] == 'true') { 33 | $tmp_dir = '/tmp/'; 34 | $files = glob($tmp_dir . '*'); 35 | 36 | foreach ($files as $file) { 37 | if (is_file($file)) { 38 | unlink($file); 39 | } 40 | } 41 | 42 | echo "环境已重置"; 43 | } 44 | } 45 | ?> -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 2024 第七届 “巅峰极客” 网络安全技能挑战赛初赛 2 | 3 | **[线上初赛参赛手册](./handbook.pdf)** 4 | 5 | **[若无特殊说明,题目附件位于Github Release中]** 6 | 7 | ## Misc 8 | 9 | ### 简历 10 | 11 | > 本题灵感来源于真实*产样本,flag为c2 ip的md5值。例如ip为127.0.0.1,flag则为flag{f528764d624db129b32c21fbca0cb8d6} 12 | 13 | 由于本题目存在有远程文件分发服务,故建立远程分发文件的存档 [文件存档](Misc/default.a) 14 | 15 | ## Crypto 16 | 17 | ### backdoorplus 18 | 19 | > 密码学也有后门吗 20 | 21 | ## Reverse 22 | 23 | ### BabyRe 24 | 25 | > None 26 | 27 | ## Pwn 28 | 29 | ### easy_blind 30 | 31 | > easyblind 32 | 33 | 本题附加有一个Dockerfile文件,文件存档位于 [文件存档](Pwn/Dockerfile) 34 | 35 | ## Web 36 | 37 | ### EncirclingGame 38 | 39 | > A simple game, enjoy it and get the flag when you complete it. 40 | 41 | ### easy_java 42 | 43 | > just try rce 44 | 45 | ### GoldenHornKing 46 | 47 | > 举一反三。 48 | 49 | 环境源码位于 [文件存档](./Web/GoldenHornKing/app.py) 50 | 51 | ### oldapi 52 | 53 | > 我们新式的controller api已经淘汰了老式的servlet api 54 | 55 | ### php_online 56 | 57 | > can you break this sandbox? 58 | 59 | 感谢 [@LxxxSec](https://github.com/LxxxSec) 贡献的黑盒提取环境,文件位于Github Release 60 | 61 | ### bio_share 62 | 63 | > admin's bio is what u want, but admin will not share it to u.Login as test or test2, with the same password 123456a@b, Admin will visit this application using `www.test.com` 64 | 65 | ### admin_Test 66 | 67 | > 某系统有一个后台管理系统,里面的系统可以帮助管理员更好的管理系统并且防护来自于黑客的攻击,但仍存在漏洞,请尝试读取到系统当中的flag文件。 68 | 69 | 本题的黑盒环境已经扒下来了,源码位于 [文件存档](./Web/admin_Test/) 70 | 71 | ### 伽玛实验场_tpcms01 72 | 73 | > 本挑战分为2部分,此为第1部分,请先完成第1部分后再完成第2部分。请仔细阅读附件里的“README.md”。本部分获取的flag值仅供验证是否攻击成功,没法在平台上提交;本部分不计分。 74 | 75 | ### 伽玛实验场_tpcms02 76 | 77 | > 本挑战分为2部分,此为第2部分,请先完成第1部分后再完成第2部分。本部分的分值为固定分值;本部分的提交次数为15次。 78 | -------------------------------------------------------------------------------- /Web/admin_Test/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Login Page 6 | 65 | 66 | 67 |
68 |

用户登录

69 |
70 | 71 | 72 | 73 |
74 |
75 | 76 | -------------------------------------------------------------------------------- /Web/admin_Test/admin.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | File Processor 6 | 110 | 111 | 112 |
113 |

XXX系统管理后台

114 | 115 |
116 | 117 |
118 | 119 | 120 |
121 | 122 | 123 |
124 | 125 |
126 |
127 | 128 |
129 | 130 |
131 | 132 |
133 |
134 |
135 | 136 | --------------------------------------------------------------------------------