[GKCTF 2021]easycms
2022-08-05 22:21:00 【New Reading of the Classic of Tea.】
Solution 1:
The challenge comes with a hint; check it before opening the site.

But the login page does not appear when I click Login in the upper right corner of the page.
Other experts were able to find admin.php by scanning with Yujian, but my scan could not find it. Adding admin.php to the URL brings up the login page.
The hint tells us that the password is a weak five-digit password and the account name is admin. The password is 12345.
Find Design--Theme--Custom

Then edit the header

For the type, select PHP source code

Try to grab the flag directly. Saving fails, however: permission is required (this file name is different for everyone)

Next, bypass the permission check: go to Design--Component--Material library

Upload any txt file

Refresh the page after the upload succeeds, then edit the uploaded file and change its name to ../../../../../system/tmp/mpor (the final mpor is different for everyone), then save

The permission check is now bypassed. Go back to Design--Theme--Custom, edit the page header, select PHP source code as the type, and grab the flag again.
This time the upload succeeds.
Return to the homepage of the website to find the flag

Solution 2:
After entering the page, find Design--Theme--Custom

After clicking in, there is an Export theme option in the upper right corner

Click it, fill in the fields with anything, and save

A download dialog then pops up. Click download, find the file in the browser's download manager, and right-click it to copy the download link.
The download link ends in a Base64-encoded string; decode it and take a look

It decodes to a file path, so try requesting the flag directly: /flag Base64-encodes to L2ZsYWc=

Then replace the path portion of the link with L2ZsYWc= and visit the link
A file download then pops up; download it and open it with Notepad to find the flag
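
Both solutions work because a user-supplied path is used without being confined to a base directory: the renamed upload in Solution 1 and the Base64 path in Solution 2. The check below is an added example, not code from the original post or from the CMS; it is written in Python, and the function names and directory layout are assumptions.

```python
import base64
import os
import tempfile

class PathRejected(ValueError):
    """Raised when a user-supplied path would leave its base directory."""

def resolve_inside(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise PathRejected."""
    base = os.path.realpath(base_dir)
    # os.path.join drops base when user_path is absolute (e.g. "/flag"): reject early.
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        raise PathRejected("absolute or empty path: %r" % user_path)
    # realpath collapses ".." segments and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("escapes base directory: %r" % user_path)
    return candidate

def resolve_download(export_dir, b64_param):
    """Decode a Base64 path parameter (Solution 2) and confine it to export_dir."""
    try:
        decoded = base64.b64decode(b64_param, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise PathRejected("not valid Base64 text") from exc
    return resolve_inside(export_dir, decoded)

def demo():
    """Run both checks against a constructed directory layout; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        upload_dir = os.path.join(root, "www", "upload")  # constructed layout
        os.makedirs(upload_dir)
        cases = {
            "rename_ok": lambda: resolve_inside(upload_dir, "notes.txt"),
            "rename_traversal": lambda: resolve_inside(upload_dir, "../../../../../system/tmp/mpor"),
            "download_ok": lambda: resolve_download(upload_dir, base64.b64encode(b"theme.zip").decode()),
            "download_flag": lambda: resolve_download(upload_dir, "L2ZsYWc="),
        }
        for name, call in cases.items():
            try:
                call()
                results[name] = "allowed"
            except PathRejected:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```
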
