RANK:48
web
点击签到 (Click to sign in)
Just keep clicking and the flag comes out.
Dreamer
A vulnerability in Dreamer CMS.
Reference: https://forum.butian.net/share/2183
Backend path: /admin
Default account: wangjn
Default password: 123456
There is an arbitrary file download in the attachment management page.
Capture the request at the file upload point, change the path to the one that reads the flag, and send it.
Download it and you can see the flag.
Dreamer_revenge
Log in to the backend the same way as in the previous challenge,
again following this article: https://forum.butian.net/share/2183
The backend template tags have an arbitrary file include.
In
The flag is in the environment variables (a guess), so read /proc/1/environ directly.
After saving, just view the page source of the homepage.
misc
hacker
Attack traffic against a ZenTao (禅道) system.
TCP streams 4 and 5 are command execution, but there is no command output in the TCP traffic.
Go back and look at the webshell.
Then look at the DNS stream.
It needs to be XORed with admin's password.
Follow the HTTP stream in TCP stream 2:
8a3e684c923b763d252cf1e8734a7a29
Based on the output of the ls command,
each segment needs its first 0, 1, 2 and 4 characters stripped respectively.
79227024716c7522787370254c777230667673222570247b76677322632671
d7b357226771575227a7372237677702573611f372570317b7672772076206
1479207024777b60247e6674231a626727666171372570317f766773207620
067879226731756c60206d75703670754e
After XORing, you can see it is a DNA cipher.
```python
from Crypto.Util import strxor  # pycryptodome

# The four DNS segments as hex, with their 0/1/2/4 leading characters already removed
secret = """79227024716c7522787370254c777230667673222570247b76677322632671
7b357226771575227a7372237677702573611f372570317b767277207620
79207024777b60247e6674231a626727666171372570317f766773207620
79226731756c60206d75703670754e""".split()
# XOR key: admin's password hash recovered from the HTTP stream
key = b"8a3e684c923b763d252cf1e8734a7a29"
for i in secret:
    # strxor needs equal-length inputs, so truncate the key to the segment length
    print(strxor.strxor(bytes.fromhex(i), key[:len(i) // 2]).decode())
```
ACCAGTAAAACG{AATTCAACAACATGCTGC
CTACA-AACAAAAACAAT-TCATCAACAAA
AACAACTGGTGA-TTCTTCTCATGATGAAA
ACTTCTTCTGCTGC}
From the missing parts one can infer that several characters were lost.
It is a flaw in the encoding scheme, so it can only be brute-forced by hand.
Roughly these are the missing parts:
ACCAGTAAAACG{AATTCAACAACATGCTGC
?CTACA-AACAAAAACAAT-TCATCAACAAA?
here: -AACAACTGGTGA-TTCTTCTCATGATGAAA
??ACTTCTTCTGCTGC}
For the first missing character, trying A, G, C and T shows that only T gives a result that fits a UUID.
```python
import itertools

# DNA codon table: 64 three-base codons -> a-z, A-Z, 0-9, space, dot
mapping = {
    'AAA':'a','AAC':'b','AAG':'c','AAT':'d','ACA':'e','ACC':'f','ACG':'g','ACT':'h','AGA':'i','AGC':'j','AGG':'k','AGT':'l','ATA':'m','ATC':'n','ATG':'o','ATT':'p','CAA':'q','CAC':'r','CAG':'s','CAT':'t','CCA':'u','CCC':'v','CCG':'w','CCT':'x','CGA':'y','CGC':'z',
    'CGG':'A','CGT':'B','CTA':'C','CTC':'D','CTG':'E','CTT':'F','GAA':'G','GAC':'H','GAG':'I','GAT':'J','GCA':'K','GCC':'L','GCG':'M','GCT':'N','GGA':'O','GGC':'P','GGG':'Q','GGT':'R','GTA':'S','GTC':'T','GTG':'U','GTT':'V','TAA':'W','TAC':'X','TAG':'Y','TAT':'Z',
    'TCA':'1','TCC':'2','TCG':'3','TCT':'4','TGA':'5','TGC':'6','TGG':'7','TGT':'8','TTA':'9','TTC':'0','TTG':' ','TTT':'.'
}

# Template with the recovered T filled in and the three unknown bases left as %s
template = "ACCAGTAAAACG{AATTCAACAACATGCTGCTCTACA-AACAAAAACAAT-TCATCAACAAA%s-AACAACTGGTGA-TTCTTCTCATGATGAAA%s%sACTTCTTCTGCTGC}"

def decode(secret):
    """Translate codons to characters; non-base symbols ({, -, }) pass through unchanged."""
    tmp = ""
    group = []
    for a in secret:
        if a.isupper():
            tmp += a
        else:
            group.append(a)
        if len(tmp) == 3:
            group.append(tmp)
            tmp = ""
    return "".join(mapping[i] if len(i) == 3 else i for i in group)

for x in itertools.product("AGCT", repeat=3):
    print(decode(template % x))
```
Then brute-force all possibilities:
After ruling out the ones that cannot be a UUID, these remain:
flag{d1ee664e-babd-11ea-bb75-00155ab0066}
flag{d1ee664e-babd-11ea-bb75-00155cb0066}
flag{d1ee664e-babd-11ea-bb75-00155bb0066}
flag{d1ee664e-babd-11ea-bb75-00155db0066}
flag{d1ee664e-babd-11ec-bb75-00155ab0066}
flag{d1ee664e-babd-11ec-bb75-00155cb0066}
flag{d1ee664e-babd-11ec-bb75-00155bb0066}
flag{d1ee664e-babd-11ec-bb75-00155db0066}
flag{d1ee664e-babd-11eb-bb75-00155ab0066}
flag{d1ee664e-babd-11eb-bb75-00155cb0066}
flag{d1ee664e-babd-11eb-bb75-00155bb0066}
flag{d1ee664e-babd-11eb-bb75-00155db0066}
flag{d1ee664e-babd-11ed-bb75-00155ab0066}
flag{d1ee664e-babd-11ed-bb75-00155cb0066}
flag{d1ee664e-babd-11ed-bb75-00155bb0066}
flag{d1ee664e-babd-11ed-bb75-00155db0066}
Trying them shows it is the first one:
flag{d1ee664e-babd-11ea-bb75-00155ab0066}
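As an added example (not code from the writeup), the whole hacker chain in one script: XOR the segments with the key, regenerate the codon table programmatically, brute-force the missing bases, and apply the "a UUID only holds hex digits" exclusion automatically instead of by eye. The gap positions and the recovered T are taken from the writeup above.

```python
import itertools
import re
import string

# From the writeup: admin's password hash (XOR key) and the four DNS hex segments
# with their 0/1/2/4 leading characters already removed.
KEY = b"8a3e684c923b763d252cf1e8734a7a29"
SEGMENTS = [
    "79227024716c7522787370254c777230667673222570247b76677322632671",
    "7b357226771575227a7372237677702573611f372570317b767277207620",
    "79207024777b60247e6674231a626727666171372570317f766773207620",
    "79226731756c60206d75703670754e",
]
# Codons in ACGT order -> a-z, A-Z, 1-9, 0, space, dot (the writeup's hand-written table)
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + "1234567890 ."
CODON = dict(zip(("".join(c) for c in itertools.product("ACGT", repeat=3)), ALPHABET))

def xor_segments(segments, key):
    """XOR each hex segment with the key prefix of its own length (plain-Python strxor)."""
    return [bytes(a ^ b for a, b in zip(bytes.fromhex(h), key)).decode() for h in segments]

def dna_decode(dna):
    """Translate each 3-base codon to a character; pass {, - and } through unchanged."""
    out, buf = "", ""
    for ch in dna:
        if ch not in "ACGT":
            out += ch
            continue
        buf += ch
        if len(buf) == 3:
            out, buf = out + CODON[buf], ""
    return out + buf  # a dangling partial codon is kept so it stays visible

def candidates(template, pattern):
    """Fill every '?' with a base and keep the decodes that match the pattern."""
    keep = []
    for fill in itertools.product("ACGT", repeat=template.count("?")):
        dna = template
        for base in fill:
            dna = dna.replace("?", base, 1)
        plain = dna_decode(dna)
        if re.fullmatch(pattern, plain):
            keep.append(plain)
    return keep

# Writeup's reconstruction: T lost before seg 2, a base + hyphen before seg 3, two bases before seg 4
SEGS = xor_segments(SEGMENTS, KEY)
TEMPLATE = SEGS[0] + "T" + SEGS[1] + "?-" + SEGS[2] + "??" + SEGS[3]
# A UUID-shaped flag only holds hex digits: the exclusion the writeup applied by eye.
UUID_LIKE = r"flag\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]+\}"
```

`candidates(TEMPLATE, UUID_LIKE)` returns the same 16 survivors the writeup lists, with the accepted flag first.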
阿尼亚 (Anya)
There is a string of digits at the end of the image file.
Decode it as hex twice, then brute-force the encoding
to get the PixelJihad password.
The recovered password is:
P@Ss_W0RD:)
Unzip flag.zip:
+-+-++--+- ++---+-++- -+--++-++- +--++-++-- --+++++--- ++-++---+- +++-+-+--- +-+-+---++ ---+++-++- -+--++-++- -+--+++-+- -+--++-++- -+--++-++- ++-+-+-+-- -+--+++-+- ++-++---+- -++++---+- -+--++-++- ++-+-+-+-- +-+++---+- +++-++---- ---+++-++- +-+-+---++ ++-+-+-+-- +-+-+--++- ++--+--++- -++++---+- +---+++-+- ++-+-+-+-- -++++---+- -+--+++-+- +--+-+-++- +++-+-+--- +-+++---+- -+--+-+++- -+--++-++- ---+++-++- ++++----+- -++++---+- -+--+++-+- -+--++-++- ----+++++-
dCode identifies it as Decabit Code:
https://www.dcode.fr/decabit-code
flag{386baeaa-e35a-47b6-905d-5e184cab25ea}
X光的秘密 (The X-ray's Secret)
A .dcm (DICOM) file; export it frame by frame:
```python
import os
from PIL import Image
import pydicom
import numpy as np

# Read the DICOM file
dcm_file = pydicom.dcmread('task.dcm')
frames = dcm_file.pixel_array  # shape: (num_frames, rows, cols)
# Number of frames
num_frames = len(frames)
# Create the output directory
out_dir = 'output'
os.makedirs(out_dir, exist_ok=True)
# Image size (the numpy shape is rows x cols, i.e. height x width)
img_height, img_width = frames[0].shape
# Target output size (same as the source here, so the padding below is a no-op)
new_width, new_height = img_width, img_height
# Padding needed to reach the target size
width_pad = max(0, new_width - img_width)
height_pad = max(0, new_height - img_height)
# Export frame by frame
for frame_num in range(num_frames):
    # Pixel data for this frame
    img_2d = frames[frame_num]
    # Zero-pad to the target size
    img_2d = np.pad(img_2d, ((0, height_pad), (0, width_pad)), 'constant', constant_values=0)
    # Convert to a PIL image and save
    Image.fromarray(img_2d).save(os.path.join(out_dir, 'image_%03d.png' % frame_num))
```
In StegSolve you can see that frame 17 only has something in the R plane,
and frames 18 and 19 have data in the G plane.
Extract and merge them:
```python
from PIL import Image

# Load the three frames StegSolve showed data in
img1 = Image.open('image_017.png')
img2 = Image.open('image_018.png')
img3 = Image.open('image_019.png')
# The exported frames are greyscale, so band 0 of each holds the whole image
r1 = img1.split()[0]
g2 = img2.split()[0]
b3 = img3.split()[0]
# Put one frame into each colour channel of a new RGB image
new_img = Image.merge('RGB', (b3, g2, r1))
# Save the result
new_img.save('new.png')
```
Originally published on the WeChat public account 齐鲁师院网络安全社团: writeup for the 3rd 红明谷杯 (Hongminggu Cup) Cybersecurity Competition