CTF-WriteUp

BlackCat

<?php
// Challenge source (given as pseudocode in the audio file).
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('谁!竟敢踩我一只耳的尾巴!');
}

// Server-side secret, read from an environment variable.
$clandestine = getenv("clandestine");

// Optional key derivation: the secret is re-keyed with user-supplied input.
if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);

// HMAC of the submitted command under the (possibly re-keyed) secret.
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

// Strict string comparison against the client-supplied tag.
if($hh !== $_POST['Black-Cat-Sheriff']){
    die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');
}

// The authenticated value is concatenated straight into a shell command.
echo exec("nc".$_POST['One-ear']);
The pseudocode is hidden in the audio file.
From it we can see that the secret is hashed again and the result is used as the HMAC key for the submitted command, and the tag is then checked with strict equality. The crux of the bypass is making the environment-variable secret $clandestine controllable after it has been hashed; the trick used here is passing an array as the key-derivation input, so that the hash step yields '' and $clandestine becomes a fixed, known value. Final payload:
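For comparison, the following is a hardened rewrite of the same check, added to this write-up and not part of the challenge source. It keeps the parameter names and the "clandestine" environment variable, and assumes a hypothetical allow-list of fixed actions in place of the raw exec call. It closes the two defects the bypass relies on: non-string POST values reaching hash_hmac (on PHP 7 that returns NULL with only a warning, so the derived key collapses to ''), and user input being concatenated into a shell command.

```php
<?php
// Hardened version of the challenge's check (added example, not the
// challenge's own code). Assumes the secret is still read from the
// "clandestine" environment variable and the parameter names are unchanged.
declare(strict_types=1);

function readStringParam(string $name): string
{
    // Reject missing values and arrays (e.g. name[]=x) before they reach
    // hash_hmac(), so the key-derivation input is always a non-empty string.
    if (!isset($_POST[$name]) || !is_string($_POST[$name]) || $_POST[$name] === '') {
        http_response_code(400);
        exit('bad request');
    }
    return $_POST[$name];
}

$secret = getenv('clandestine');
// Minimum length is a local policy choice, not a requirement of hash_hmac().
if ($secret === false || strlen($secret) < 32) {
    http_response_code(500);
    exit('server misconfigured');
}

$sheriff = readStringParam('Black-Cat-Sheriff');
$oneEar  = readStringParam('One-ear');

// Optional per-request key derivation, now guaranteed a string input.
if (isset($_POST['White-cat-monitor'])) {
    $secret = hash_hmac('sha256', readStringParam('White-cat-monitor'), $secret);
}

$expected = hash_hmac('sha256', $oneEar, $secret);

// Constant-time comparison instead of !==.
if (!hash_equals($expected, $sheriff)) {
    http_response_code(403);
    exit('forbidden');
}

// Never build a shell command from user input. Map the authenticated value
// onto fixed argument vectors instead (hypothetical allow-list).
$allowed = [
    'status' => ['nc', '-z', '127.0.0.1', '80'],
];
if (!isset($allowed[$oneEar])) {
    http_response_code(400);
    exit('unknown action');
}
$cmd = implode(' ', array_map('escapeshellarg', $allowed[$oneEar]));
echo htmlspecialchars((string) shell_exec($cmd), ENT_QUOTES, 'UTF-8');
```

The is_string check is what matters for the write-up's trick: with it in place the array-as-key route returns 400 instead of silently yielding a known key, and on PHP 8 the same call would raise a TypeError rather than a warning. hash_equals removes the timing side channel of !==, and the allow-list means that even a correctly authenticated value can only select a predefined command.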