Bugku problem solution
2022-07-19 02:20:00 【jjj34】
One. Local Administrators
Knowledge points: forging the IP address, decoding
1. Forging the IP address: intercept the request with Burp Suite (bp) and add an X-Forwarded-For header

2. Identifying the encoding
How to judge whether a string is Base64-encoded:
* The string contains only the characters A-Z, a-z, 0-9, +, / and =
* The string length is a multiple of 4
* = appears only at the end of the string; there may be zero, one or two equals signs
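
The three checks above as an added Python example (not part of the original write-up). The sample strings are constructed, and the printable-ASCII filter is an extra assumption that weeds out ordinary words which merely have the right shape.

```python
import base64
import re

# Rules 1 and 3: Base64 alphabet only, then zero to two '=' at the very end.
_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def base64_candidate(s):
    """Return the decoded bytes if s passes all three checks, else None."""
    if len(s) % 4 != 0 or not _SHAPE.fullmatch(s):  # rule 2: length % 4 == 0
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def printable_guess(s):
    """Decoded text only when it is printable ASCII (added filter)."""
    raw = base64_candidate(s)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Constructed samples, not the string from the challenge.
SAMPLES = ["cGFzczEyMw==", "password", "cGF=czEy", "abc"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), base64_candidate(s) is not None, printable_guess(s))
```

The word "password" passes the shape test but decodes to non-text bytes, which is why the shape rules alone only justify a guess.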

In the page source of the challenge we find a string that ends with two equals signs, is 12 characters long, and contains only A-Z, a-z and =.
So we guess that it is Base64 and decode it on an online site to get the result.

This should be the password. Thinking of weak passwords, we guess that the account is admin.
Combine the two knowledge points above.

Successfully get the flag.
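
Why the forged header works, and a check that resists it, as an added Python example (not code from the challenge). It assumes an application that treats loopback addresses as the local administrator and sits behind reverse proxies in 10.0.0.0/8; all addresses and function names are constructed for the example.

```python
import ipaddress

# Assumption: the reverse proxies we operate. Only entries they appended count.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(peer_ip, headers):
    """Vulnerable pattern: believe whatever X-Forwarded-For the client sent."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def hardened_client_ip(peer_ip, headers):
    """Start from the TCP peer and walk X-Forwarded-For right to left,
    accepting an entry only if the hop that appended it is a trusted proxy."""
    client = peer_ip
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    while hops and _is_trusted(client):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last verified address
        client = candidate
    return client


def is_local_admin(ip):
    """The access rule assumed for this example: loopback only."""
    return ipaddress.ip_address(ip).is_loopback


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "127.0.0.1"}  # constructed request header
    print(is_local_admin(naive_client_ip("203.0.113.7", forged)))     # True
    print(is_local_admin(hardened_client_ip("203.0.113.7", forged)))  # False
```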
Two. eval remote code execution

As pictured. Knowledge point 1: passing parameters with $_REQUEST
PHP $_REQUEST - Little spice's blog (CSDN)
It can be understood as a combination of the POST and GET request methods: send the parameter directly with /? in the URL, or construct a POST packet
Knowledge point 2: the eval function
PHP eval() function (w3school.com.cn)
Knowledge point 3: the var_dump() function
PHP var_dump() function | Novice tutorial (runoob.com)
Knowledge point 4: include
PHP Include file (w3school.com.cn)
Knowledge point 5: the system function
What the code means: the top of the script includes the flag.php file (where the flag lives). The variable a receives a parameter passed via request, and the parameter name is hello. var_dump outputs the value of a (the actual value of the parameter), and this value is then executed as PHP code (the effect of eval).
Because passing a request parameter is almost the same as GET, we pass it directly in the URL bar with /?hello=

The challenge turns into remote code execution, so use the system function directly.
system('find / -name flag') first locates the flag, and then we cat it:
system('cat /flag')

Three. Variable 1

The challenge hints that the flag is in a variable.
The regular expression requires the variable name to consist of letters, digits and underscores from beginning to end.
$GLOBALS!!! This global variable is used to access global variables from anywhere in a PHP script.
So we simply pass GLOBALS.
Bugku web Variable 1 - Crisp sugar's learning blog (CSDN)
Four. Nothing in the world

1. Consider directory scanning
2. Consider capturing the traffic with Burp Suite (bp)

Five. source
bugku-source-wp detailed explanation - forever4024's blog (CSDN)
Press F12 to view the page source directly

Base64-decode it and find that this flag is fake,
so scan the directories

Sure enough, it is a git information leak
Git leak knowledge points
Git basic operations | Novice tutorial (runoob.com)
1. Download the .git files
kali: wget -r http://114.67.175.224:18055/.git
GitHack: python2 GitHack.py http://challenge-27567e8a0c3c2b2b.sandbox.ctfhub.com:10800/
2. log
The flag is found in the log

Solution 1: use git diff to compare the current version with the previous version

git diff <version number>
Solution 2: use git reset to switch to the previous version

git reset --hard <version number>
3. stash
git-stash usage summary - Tocy - cnblogs.com
Take CTFHub's git leak stash challenge as an example. The background of the challenge is that a staff member committed the flag to the stash, and we need to extract the flag from the stash.
Solution 1
git stash list: list the existing stash entries
git stash show: view a stash entry
git stash pop: re-apply the stash entry and immediately remove it from the stack
First run git stash list to look at the stash; it shows that there is only one entry,
so git stash pop applies it and gives us the txt file that contains the flag
Solution 2

First read the .git/refs/stash file to get the hash of the stash entry, then use diff to compare the two versions directly and get the flag
Note: if solution 1 has already been used, solution 2 fails, because the current version has already been restored to the version that contains the flag. Running diff then compares that version with itself, and the result is empty.
4.index