PicoCTF - Special & Specialer
tags: PicoCTF, CTF, General Skill, Recon
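Both of these challenges are quite interesting, and I feel they will probably come in handy for privilege escalation, so I am recording them together. The first challenge is about getting a shell. For this one I just looked at the writeup from a senior classmate who had solved it before: the payload is `${0}`, which gives a shell right away. I'm not sure about the detailed principle behind it. The second challenge is simpler: I just used resources from the internet to replace the two commands `ls` and `cat`, and got the flag.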
Exploit
- Ways to replace `cat`:

```bash
# Replace {filename} with the file to read.

# Method 1
while IFS= read -r line; do
    echo "$line"
done < {filename}

# Method 2
exec 3< {filename}   # Assign file descriptor 3 for reading
while IFS= read -r -u 3 line; do
    echo "$line"
done

# Method 3
echo "$(< {filename})"
```
- Ways to replace `ls`:

```bash
# Method 1
echo *

# Method 2
echo */*

# Method 3
echo * .*

# Method 4
dir

# Method 5
printf '%s\n' *

# Method 6
grep -l '.*' ./*

# Method 7
find .

# Method 8
stat -c '%s %A %n' *

# Method 9
lsattr ./*

# Method 10
vim .
```
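As an added example (not from the original writeup or its references), the `cat` and `ls` substitutes above can be packaged as two POSIX shell functions that use only `read`, `printf`, `cd`, `[` and globbing, all of which are builtins in bash and dash, so a restricted shell that only removes binaries still allows file reads and directory listing. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: stand-ins for cat and ls built only from shell builtins.
# Function names are hypothetical, not from the challenge or the references.

# Print a text file with read/printf only (NUL bytes are not preserved).
builtin_cat() (
    [ -r "$1" ] && [ ! -d "$1" ] || exit 1
    # IFS= keeps leading/trailing blanks, -r keeps backslashes literal.
    while IFS= read -r line; do
        printf '%s\n' "$line"
    done < "$1"
    # At EOF read fails but still stores an unterminated last line.
    if [ -n "$line" ]; then printf '%s' "$line"; fi
)

# List a directory (default: current) with globbing only, hidden files included.
builtin_ls() (
    cd "${1:-.}" || exit 1
    for entry in * .*; do
        case $entry in .|..) continue ;; esac
        # An unmatched glob stays as the literal pattern; skip names that do not exist.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -d "$entry" ]; then printf '%s/\n' "$entry"; else printf '%s\n' "$entry"; fi
    done
)

# Constructed sample data; mkdir/rm are used for setup only, outside the functions above.
demo() {
    dir="${TMPDIR:-/tmp}/builtin_demo.$$"
    mkdir -p "$dir/sub" || return 1
    printf '  indented \\n kept\nno newline at end' > "$dir/flag.txt"
    : > "$dir/.hidden"
    builtin_ls "$dir"
    builtin_cat "$dir/flag.txt"; printf '\n'
    rm -rf "$dir"
}

demo
```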
Reference
- Cat without cat on the commandline
- Alternatives to the ‘ls’ command to list the contents of a directory