CTF_WP_UPLOAD

2025-03-22 21:03:57 +08:00 · 2025-03-22 21:03:57 +08:00 · fca6e65eb7
commit fca6e65eb7
parent 2391f33117
70 changed files with 68 additions and 74 deletions
--- a/CTF/RedRockCTF/Img/5525.png
+++ b/CTF/RedRockCTF/Img/5525.png
--- a/CTF/RedRockCTF/Img/JPG.png
+++ b/CTF/RedRockCTF/Img/JPG.png
--- a/CTF/RedRockCTF/Img/JPG2.png
+++ b/CTF/RedRockCTF/Img/JPG2.png
--- a/CTF/RedRockCTF/Img/JPG3.png
+++ b/CTF/RedRockCTF/Img/JPG3.png
--- a/CTF/RedRockCTF/Img/JPG4.png
+++ b/CTF/RedRockCTF/Img/JPG4.png
--- a/CTF/RedRockCTF/Img/Morse_Code.png
+++ b/CTF/RedRockCTF/Img/Morse_Code.png
--- a/CTF/RedRockCTF/Img/What
+++ b/CTF/RedRockCTF/Img/What
--- a/CTF/RedRockCTF/Img/baby_Reverse.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse.png
--- a/CTF/RedRockCTF/Img/baby_Reverse2.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse2.png
--- a/CTF/RedRockCTF/Img/baby_Reverse3.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse3.png
--- a/CTF/RedRockCTF/Img/baby_Reverse4.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse4.png
--- a/CTF/RedRockCTF/Img/baby_Reverse5.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse5.png
--- a/CTF/RedRockCTF/Img/baby_Reverse6.png
+++ b/CTF/RedRockCTF/Img/baby_Reverse6.png
--- a/CTF/RedRockCTF/Img/backdoorbetacat.png
+++ b/CTF/RedRockCTF/Img/backdoorbetacat.png
--- a/CTF/RedRockCTF/Img/backdoorbetacat2.png
+++ b/CTF/RedRockCTF/Img/backdoorbetacat2.png
--- a/CTF/RedRockCTF/Img/backdoorbetacat3.png
+++ b/CTF/RedRockCTF/Img/backdoorbetacat3.png
--- a/CTF/RedRockCTF/Img/backdoorbetacat4.png
+++ b/CTF/RedRockCTF/Img/backdoorbetacat4.png
--- a/CTF/RedRockCTF/Img/betacatyuma.png
+++ b/CTF/RedRockCTF/Img/betacatyuma.png
--- a/CTF/RedRockCTF/Img/betacatyuma2.png
+++ b/CTF/RedRockCTF/Img/betacatyuma2.png
--- a/CTF/RedRockCTF/Img/ccat.png
+++ b/CTF/RedRockCTF/Img/ccat.png
--- a/CTF/RedRockCTF/Img/e-small.png
+++ b/CTF/RedRockCTF/Img/e-small.png
--- a/CTF/RedRockCTF/Img/e-small2.png
+++ b/CTF/RedRockCTF/Img/e-small2.png
--- a/CTF/RedRockCTF/Img/e-small3.png
+++ b/CTF/RedRockCTF/Img/e-small3.png
--- a/CTF/RedRockCTF/Img/easy
+++ b/CTF/RedRockCTF/Img/easy
--- a/CTF/RedRockCTF/Img/easy.png
+++ b/CTF/RedRockCTF/Img/easy.png
--- a/CTF/RedRockCTF/Img/ele.png
+++ b/CTF/RedRockCTF/Img/ele.png
--- a/CTF/RedRockCTF/Img/ele2.png
+++ b/CTF/RedRockCTF/Img/ele2.png
--- a/CTF/RedRockCTF/Img/ele4.png
+++ b/CTF/RedRockCTF/Img/ele4.png
--- a/CTF/RedRockCTF/Img/ele5.png
+++ b/CTF/RedRockCTF/Img/ele5.png
--- a/CTF/RedRockCTF/Img/ele6.png
+++ b/CTF/RedRockCTF/Img/ele6.png
--- a/CTF/RedRockCTF/Img/liuyan.png
+++ b/CTF/RedRockCTF/Img/liuyan.png
--- a/CTF/RedRockCTF/Img/liuyan2.png
+++ b/CTF/RedRockCTF/Img/liuyan2.png
--- a/CTF/RedRockCTF/Img/login.png
+++ b/CTF/RedRockCTF/Img/login.png
--- a/CTF/RedRockCTF/Img/lsb.png
+++ b/CTF/RedRockCTF/Img/lsb.png
--- a/CTF/RedRockCTF/Img/md5.png
+++ b/CTF/RedRockCTF/Img/md5.png
--- a/CTF/RedRockCTF/Img/md52.png
+++ b/CTF/RedRockCTF/Img/md52.png
--- a/CTF/RedRockCTF/Img/mermory.png
+++ b/CTF/RedRockCTF/Img/mermory.png
--- a/CTF/RedRockCTF/Img/mermory2.png
+++ b/CTF/RedRockCTF/Img/mermory2.png
--- a/CTF/RedRockCTF/Img/mini_game.png
+++ b/CTF/RedRockCTF/Img/mini_game.png
--- a/CTF/RedRockCTF/Img/mini_game2.png
+++ b/CTF/RedRockCTF/Img/mini_game2.png
--- a/CTF/RedRockCTF/Img/playwithbetacat.png
+++ b/CTF/RedRockCTF/Img/playwithbetacat.png
--- a/CTF/RedRockCTF/Img/playwithbetacat2.png
+++ b/CTF/RedRockCTF/Img/playwithbetacat2.png
--- a/CTF/RedRockCTF/Img/qd.png
+++ b/CTF/RedRockCTF/Img/qd.png
--- a/CTF/RedRockCTF/Img/real
+++ b/CTF/RedRockCTF/Img/real
--- a/CTF/RedRockCTF/Img/real1ty-small.png
+++ b/CTF/RedRockCTF/Img/real1ty-small.png
--- a/CTF/RedRockCTF/Img/real1ty-small2.png
+++ b/CTF/RedRockCTF/Img/real1ty-small2.png
--- a/CTF/RedRockCTF/Img/realqd.png
+++ b/CTF/RedRockCTF/Img/realqd.png
--- a/CTF/RedRockCTF/Img/rel1ty-big.png
+++ b/CTF/RedRockCTF/Img/rel1ty-big.png
--- a/CTF/RedRockCTF/Img/rel1ty-big2.png
+++ b/CTF/RedRockCTF/Img/rel1ty-big2.png
--- a/CTF/RedRockCTF/Img/rel1ty-big3.png
+++ b/CTF/RedRockCTF/Img/rel1ty-big3.png
--- a/CTF/RedRockCTF/Img/robot.png
+++ b/CTF/RedRockCTF/Img/robot.png
--- a/CTF/RedRockCTF/Img/robot2.png
+++ b/CTF/RedRockCTF/Img/robot2.png
--- a/CTF/RedRockCTF/Img/slowjson.png
+++ b/CTF/RedRockCTF/Img/slowjson.png
--- a/CTF/RedRockCTF/Img/snake.png
+++ b/CTF/RedRockCTF/Img/snake.png
--- a/CTF/RedRockCTF/Img/tutu.png
+++ b/CTF/RedRockCTF/Img/tutu.png
--- a/CTF/RedRockCTF/Img/tutu2.png
+++ b/CTF/RedRockCTF/Img/tutu2.png
--- a/CTF/RedRockCTF/Img/tutu3.png
+++ b/CTF/RedRockCTF/Img/tutu3.png
--- a/CTF/RedRockCTF/Img/upload.png
+++ b/CTF/RedRockCTF/Img/upload.png
--- a/CTF/RedRockCTF/Img/upload2.png
+++ b/CTF/RedRockCTF/Img/upload2.png
--- a/CTF/RedRockCTF/Img/upload3.png
+++ b/CTF/RedRockCTF/Img/upload3.png
--- a/CTF/RedRockCTF/Img/upload4.png
+++ b/CTF/RedRockCTF/Img/upload4.png
--- a/CTF/RedRockCTF/Img/upload5.png
+++ b/CTF/RedRockCTF/Img/upload5.png
--- a/CTF/RedRockCTF/Img/upload6.png
+++ b/CTF/RedRockCTF/Img/upload6.png
--- a/CTF/RedRockCTF/Img/upload7.png
+++ b/CTF/RedRockCTF/Img/upload7.png
--- a/CTF/RedRockCTF/Img/upload8.png
+++ b/CTF/RedRockCTF/Img/upload8.png
--- a/CTF/RedRockCTF/Img/wireshark.png
+++ b/CTF/RedRockCTF/Img/wireshark.png
--- a/CTF/RedRockCTF/Img/ymc.png
+++ b/CTF/RedRockCTF/Img/ymc.png
--- a/CTF/RedRockCTF/Img/zip.png
+++ b/CTF/RedRockCTF/Img/zip.png
--- a/CTF/RedRockCTF/Img/zip2.png
+++ b/CTF/RedRockCTF/Img/zip2.png
--- a/CTF/RedRockCTF/RedRockCTF.md
+++ b/CTF/RedRockCTF/RedRockCTF.md
@ -1,6 +1,6 @@
 REDROCK CTF  WP

-参赛人：吴文俊
+参赛人：yingwenzha



@ -16,15 +16,15 @@ MISC

 没啥好说的跑酷就完了(绿宝石那关后面有捷径)

-![ymc](C:\Users\xiaobai\Desktop\CTFWP\ymc.png)
+![ymc](./Img/ymc.png)

 2.签到

-![image-20241117155243713](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155243713.png)
+![image-20241117155243713](./Img/qd.png)

 cv

-3.290的小秘密 lsb加密用stegsolve![image-20241117155359050](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155359050.png)
+3.290的小秘密 lsb加密用stegsolve![lsb](./Img/lsb.png)

 就出来了

@ -34,7 +34,7 @@ cv

 最后一个的hex就直接是了

-![image-20241117155513044](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155513044.png)
+![wireshark](.\Img\wireshark.png)

 5.我图图呢

@ -42,17 +42,17 @@ cv

 另一端是编码最后地方

-![image-20241117155707412](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155707412.png)
+![tutu](.\Img\tutu.png)

-![image-20241117155726081](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155726081.png)
+![tutu2](.\Img\tutu2.png)

-![image-20241117155745902](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155745902.png)
+![tutu3](.\Img\tutu3.png)

 6.easyzip

-![QQ20241117-193457](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-193457.png)
+![zip](.\Img\zip.png)

-![QQ20241117-193441](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-193441.png)
+![zip2](.\Img\zip2.png)

 6.Are you a JPG master?

@ -64,13 +64,13 @@ cv

 然后寻找工具

-![image-20241120181653899](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120181653899.png)
+<img src=".\Img\JPG.png" alt="JPG" style="zoom:50%;" />

 找到了

 剥离水印。获得第一次zip密码

-![image-20241120181755959](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120181755959.png)
+![JPG2](.\Img\JPG2.png)

 然后level2

@ -100,7 +100,7 @@ binwalk -e。。。。。。。。。。

 于是使用Stegsolve查看图片细节

-发现大量奇怪色块![image-20241120182224866](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120182224866.png)判断是`steghide`
+发现大量奇怪色块![JPG3](.\Img\JPG3.png)判断是`steghide`

 着手编写脚本

@ -141,15 +141,15 @@ if __name__ == '__main__':

 成功获得flag

-![QQ20241119-224006](C:\Users\xiaobai\Desktop\CTFWP\QQ20241119-224006.png)
+![JPG4](.\Img\JPG4.png)

 7.mermory

-kali里下好vol然后内存分析，在浏览器记录里发现了secret.png![1](C:\Users\xiaobai\Desktop\CTFWP\1.png![QQ20241117-012405](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-012405.png)和part3
+kali里下好vol然后内存分析，在浏览器记录里发现了secret.png![1](C:\Users\xiaobai\Desktop\CTFWP\1.png![mermory](.\Img\mermory.png)和part3

 然后把secret.png导出获得头

-在剪切板记录里获得part2![QQ20241123-014544](C:\Users\xiaobai\Desktop\CTFWP\QQ20241123-014544.png)
+在剪切板记录里获得part2![mermory2](.\Img\mermory2.png)

 最后结合头部中部尾部得到flag

@ -159,7 +159,7 @@ SilentEye隐写，把音频导入然后解密就行

 根据hint提示这个密码和五月天有关（u1s1它这个误导非常大，因为hint说key是歌手名首字母大写可问题是解出来的key是Mayday二Mayday是五月天这个乐队的名字，五月天是乐队而不是歌手，真的奇了怪了

-![image-20241123194103773](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241123194103773.png)
+![5525](.\Img\5525.png)



@ -167,17 +167,17 @@ SilentEye隐写，把音频导入然后解密就行

 1.real1ty的小秘密

-![image-20241117155855008](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155855008.png)
+![real1ty-small](.\Img\real1ty-small.png)

 凯撒密码，试几下就出了

-![image-20241117155953587](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117155953587.png)
+![real1ty-small2](Img\real1ty-small2.png)

 2.我解md5真的假的

 一个一个解就行直接用给的那个网站就行

-![image-20241117160809483](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117160809483.png)
+![md5](Img\md5.png)

 注意第4个，给的那个网站我没查到，所有只能硬算

@ -187,7 +187,7 @@ SilentEye隐写，把音频导入然后解密就行



-![image-20241117160632803](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117160632803.png)
+![md52](Img\md52.png)



@ -199,7 +199,7 @@ SilentEye隐写，把音频导入然后解密就行



-![image-20241117160925241](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117160925241.png)
+![Morse_Code](Img\Morse_Code.png)



@ -213,7 +213,7 @@ SilentEye隐写，把音频导入然后解密就行

 那我多跑几遍直到redrock出现就行了

-![image-20241117162352269](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117162352269.png)
+![easy crypto]( Img\easy crypto.png)

 5.What is RSA

@ -221,7 +221,7 @@ SilentEye隐写，把音频导入然后解密就行

 把参数填了就出了

-![image-20241117162920889](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117162920889.png)
+![What is RSA]( Img\What is RSA.png)

 6.e这么小吗

@ -237,9 +237,9 @@ SilentEye隐写，把音频导入然后解密就行

 根据这个思路

-（因为这道题给我发的数字都是10进制所有我需要先改一下代码再获得10进制解密数字后转16进制然后转字符串）![image-20241117164036810](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117164036810.png)
+（因为这道题给我发的数字都是10进制所有我需要先改一下代码再获得10进制解密数字后转16进制然后转字符串）![e-small]( Img\e-small.png)

-结果图：![image-20241117164248812](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117164248812.png)![image-20241117164230008](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117164230008.png)
+结果图：![e-small2](Img\e-small2.png)![e-small3](Img\e-small3.png)

 7.rel1ty的大秘密

@ -247,13 +247,13 @@ SilentEye隐写，把音频导入然后解密就行

 但是总的来说还是很简单

-写3个程序分别用于解base16 32 64编码![QQ20241120-172408](C:\Users\xiaobai\Desktop\CTFWP\QQ20241120-172408.png)
+写3个程序分别用于解base16 32 64编码![rel1ty-big]( Img\rel1ty-big.png)

 然后来回套，看那个可以继续套下去

 直到出现一个很像flag的东西

-![QQ20241120-171836](C:\Users\xiaobai\Desktop\CTFWP\QQ20241120-171836.png)
+![rel1ty-big]( Img\rel1ty-big2.png)

 然后猜测royk与rock处是交换点

@ -271,7 +271,7 @@ SilentEye隐写，把音频导入然后解密就行

 然后提交

-![QQ20241120-171818](C:\Users\xiaobai\Desktop\CTFWP\QQ20241120-171818.png)
+![rel1ty-big3]( Img\rel1ty-big3.png)

 8.real1ty的中秘密

@ -297,18 +297,12 @@ print(vigenere_decrypt(ciphertext, key, shift))

 ```

-然后获得了如图所示的效果
-
-![cccc](C:\Users\xiaobai\Desktop\新建文件夹\cccc.png)
-
 不难发现j是{

 同时呢调整大小写

 使大小写与密文一致

-![bbbb](C:\Users\xiaobai\Desktop\新建文件夹\bbbb.png)
-
 最后发现提交后还是不对

 然后抖了一激灵
@ -329,7 +323,7 @@ pwn

 ida打开 输入-1 开启后门

-![image-20241117164659508](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117164659508.png)
+![login]( Img\login.png)

 故 -1

@ -337,7 +331,7 @@ flag get

 2. real login
 3. 依旧签到
-4. ![image-20241117164923717](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117164923717.png)
+4. ![real login]( Img\real login.png)

 nc 连上

@ -351,9 +345,9 @@ nc 连上

 这道题应该是个内存泄漏题

-![playwithbetacat](C:\Users\xiaobai\Desktop\CTFWP\playwithbetacat.png)
+![爱捉弄人的beatcat]( Img\playwithbetacat.png)

-![image-20241117165607281](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117165607281.png)
+![爱捉弄人的beatcat2]( Img\playwithbetacat2.png)

 要buf=v2那就看怎么填充得到v2了呗，然后就看buf到r的空间大小0x191个，然后就这么填充A占位

@ -367,7 +361,7 @@ nc 连上

 这个就是做脚本自动计算

-![image-20241117170116383](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117170116383.png)
+![ccat]( Img\ccat.png)

 然后就行了

@ -375,13 +369,13 @@ nc 连上

 newstarctf 第一周的一个pwn题一样的过程

-![image-20241117170417461](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117170417461.png)
+![betacatyuma]( Img\betacatyuma.png)

 使nbytes_4的数据溢出到nbytes



-![image-20241117170332899](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117170332899.png)
+![betacatyuma]( Img\betacatyuma2.png)

 把得到的payload输进窗口就完成了

@ -397,19 +391,19 @@ newstarctf 第一周的一个pwn题一样的过程

 最后知道了方法

-先是填充![image-20241117171046383](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171046383.png)
+先是填充![backdoorbetacat]( Img\backdoorbetacat.png)

 使buf刚刚溢出

-![image-20241117171108847](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171108847.png)
+![backdoorbetacat]( Img\backdoorbetacat2.png)

 0x50+0x08生成个A

-然后是加上backdoor的地址![image-20241117171206937](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171206937.png)
+然后是加上backdoor的地址![backdoorbetacat]( Img\backdoorbetacat3.png)

 启动脚本

-![QQ20241117-105938](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-105938.png)
+![backdoorbetacat4]( Img\backdoorbetacat4.png)

 成功获得flag

@ -419,11 +413,11 @@ web

 score控制台改10000就行

-![image-20241117171428070](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171428070.png)
+![snake]( Img\snake.png)

 2.这是真签到

-进去翻翻源码![image-20241117171551207](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171551207.png)
+进去翻翻源码![realqd]( Img\realqd.png)

 得到flag

@ -433,13 +427,13 @@ newstarctf中的智械危机类似

 看robots.txt这是一个协议关于爬虫相关的

-![image-20241117171743276](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117171743276.png)
+![robot]( Img\robot.png)

 然后先看hint知道/flag下的字符串是flag的每个字符填充7个随机字符得到

 所以写个脚本就得到flag了

-![image-20241117172138871](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241117172138871.png)
+![robot2]( Img\robot2.png)

 4.留言板

@ -455,9 +449,9 @@ python版sql注入

 所以写的时候现在前面加一个‘+f’就可在{}里执行任意命令，注意到它有限长，而且和‘’的数量.的数量有关，所以废了下功夫构造出一个函数得到flag

-![QQ20241117-153101](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-153101.png)
+![liuyan]( Img\liuyan.png)

-![QQ20241117-153055](C:\Users\xiaobai\Desktop\CTFWP\QQ20241117-153055.png)
+![liuyan2]( Img\liuyan2.png)

 5.肚子饿了

@ -475,7 +469,7 @@ python版sql注入

 但是问题最大的是如何找到这个判断通过长时间的分析发现and和union不能用，位置还是在尴尬的order by 后面 并且order by 后面已经有了一个值（在这里命名为x）。所以唯一的出路是想办法让那个by后面的值入手，发现if(e1,e2,e3)这个sql语句中e1是判别式如果正确那么就会返回e2如果错误那么就会返回e3。这就是一个很好的触发点。此时如果找到一个运算符让x与这个if出来的值进行计算可以改变表的顺序就大功告成。

-经过尝试![QQ20241118-232641](C:\Users\xiaobai\Desktop\CTFWP\QQ20241118-232641.png)。![QQ20241118-232629](C:\Users\xiaobai\Desktop\CTFWP\QQ20241118-232629.png)最后发现如果在?type=处填写>>IF((判别式),2,1)就可以做到上条件。然后就开始着手写脚本
+经过尝试![ele]( Img\ele.png)。![ele2]( Img\ele2.png)最后发现如果在?type=处填写>>IF((判别式),2,1)就可以做到上条件。然后就开始着手写脚本

 ```
 import requests
@ -519,21 +513,21 @@ print("Result:", result)

 然后就是用二分法查值最后得出flag

-![饿了4](C:\Users\xiaobai\Desktop\CTFWP\饿了4.png)
+![ele4]( Img\ele4.png)

-![饿了3](C:\Users\xiaobai\Desktop\CTFWP\饿了3.png)
+![ele5]( Img\ele5.png)

-![饿了](C:\Users\xiaobai\Desktop\CTFWP\饿了.png)
+![ele6](Img\ele6.png)

 6.简简单单upload

-进去首先审计代码![image-20241120175357599](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120175357599.png)
+进去首先审计代码![upload]( Img\upload.png)

 发先了它得上传逻辑，就是说它会将源文件改名并上传道upload得目录下，

 改名逻辑是时间戳+_+原名

-所以通过上传文件时的回显获得服务器时间![image-20241120175552506](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120175552506.png)
+所以通过上传文件时的回显获得服务器时间![upload]( Img\upload2.png)

 然后写一个脚本换算时间戳

@ -554,13 +548,13 @@ print("时间戳:", timestamp)

 于是上传一个一句话用蚁剑连接它

-![image-20241120180001594](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120180001594.png)
+![upload]( Img\upload3.png)

 连接后查看根目录

 发现flag就在哪儿

-![image-20241120180041141](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120180041141.png)
+![upload]( Img\upload4.png)

 但是打开是空白。发现是权限问题

@ -568,7 +562,7 @@ print("时间戳:", timestamp)

 结果shell都无法使用

-![image-20241120180151021](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120180151021.png)
+![upload]( Img\upload5.png)

 查阅资料，是php设置了disable_function

@ -578,7 +572,7 @@ print("时间戳:", timestamp)

 发现可以用蚁剑插件绕过

-![image-20241120180327665](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241120180327665.png)
+![upload]( Img\upload6.png)

 成功绕过

@ -607,11 +601,11 @@ find / -user root -perm -4000 -print 2>/dev/null

 一番尝试下

-![QQ20241120-131010](C:\Users\xiaobai\Desktop\CTFWP\QQ20241120-131010.png)
+![upload]( Img\upload7.png)

 成功获得flag

-然后得到flag![image-20241123000945812](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241123000945812.png)
+然后得到flag![upload]( Img\upload8.png)

 7.slowjson

@ -631,7 +625,7 @@ spring会反序列化它们（实例化它们），从而让这些类运行起

 所以我只需要略作修改（指把地址改一下）就可以得到flag的anscii码

-![QQ20241122-235931](C:\Users\xiaobai\Desktop\CTFWP\QQ20241122-235931.png)
+![slowjson]( Img\slowjson.png)

 Reverse

@ -639,7 +633,7 @@ Reverse

 走迷宫，首先ida打开看程序长什么样

-![image-20241121214612340](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121214612340.png)
+![baby_Reverse]( Img\baby_Reverse.png)

 好的，键盘输入每一步的方位，anscii码分别对应的是up down right left的首字母

@ -647,17 +641,17 @@ Reverse

 然后呢不难发现

-![image-20241121214758045](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121214758045.png)
+![baby_Reverse]( Img\baby_Reverse2.png)

 就是存储地图数据的地方

 那么直接看迷宫啥样

-![image-20241121214923639](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121214923639.png)
+![baby_Reverse]( Img\baby_Reverse3.png)

 整理一下

-![image-20241121214956387](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121214956387.png)
+![baby_Reverse]( Img\baby_Reverse4.png)

 发现有部分道路堵塞，没关系，反正都在很后面了影响不大

@ -665,11 +659,11 @@ Reverse

 然后就是用bfs算法算出路径

-![image-20241121215252170](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121215252170.png)
+![baby_Reverse]( Img\baby_Reverse5.png)

 算出后取前面30个

-![image-20241121215315465](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121215315465.png)
+![baby_Reverse]( Img\baby_Reverse6.png)

 （A为左右B为上下的位移）

@ -681,7 +675,7 @@ flag就出了

 确实很easy，flag直接明文展示的

-![image-20241121215450519](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121215450519.png)
+![easy]( Img\easy.png)

 拿就拿下呗

@ -703,6 +697,6 @@ ida打开

 ce启动，启动变速齿轮，然后速度就正常了

-过关呗，然后flag拿下![image-20241121215929180](C:\Users\xiaobai\AppData\Roaming\Typora\typora-user-images\image-20241121215929180.png)
+过关呗，然后flag拿下![mini_game]( Img\mini_game.png)

-![QQ20241121-213758](C:\Users\xiaobai\Desktop\CTFWP\QQ20241121-213758.png)
+![mini_game](G:\wp\CTF\RedRockCTF\Img\mini_game2.png)