免责声明:本文章发布于比赛正式结束后,不存在提前泄露比赛信息及违规泄露wp的情况,作者不对读者基于本文内容而产生的任何行为或后果承担责任。如有任何侵权问题,请联系作者删除。
WEB5
传一句话木马,dirsearch扫出来有个www.zip。得到源码:
|
说明在include.php目录下有个GET传参,传入file然后进行文件包含。
可以看到成功包含然后蚂蚁的剑直接连
Tac /flag
Telnet用户密码抓取
进去之后追踪TCP流发现login passwd,根据后面指令发现login可能为双写
包上flag直接交
flag{login:fake&password:user}
HTTP
打开追踪http流,第19个就是
拼接上flag直接交flag{GehFMsqCeNvof5szVpB2Dmjx}
Webshell
打开后看了下流量包发现有secret,然后继续追踪发现有个s3c3r3t.txt然后直接追踪该流如图中z2的值拿去解base64
Flag{Inf0rm4ti0n53}
tribalwars账户密码
进去直接搜user
Flag{username=Falken&password=Joshua}
Hand
改宽高直接出
Flag{St1g_1s_Fun!ny_0!}
手下留情
打开文件,是一个png图片,根据题目,更改图片高度得flag.
Flag{d728a901d0f152828db29a71cbf9cd04}
Networking
进去直接搜flag
flag{d316759c281bf925d600be698a4973d5}
Upx
看题目名去upx壳,拖入IDA中找到加密函数,一个简单的加密对比,写脚本即可
flag{th1s1sf14g}
Exp :
|
no_tell
还是简单的加密字符串对比,flag长度18,提取出flag【index】中保存的字符串,最后逆向脚本即可
102,108,97,103,123,103,101,109,102,105,72,104,76,86,76,70,102,125
flag{gemfiHhLVLFf}
PrivateChannel(G3)
在唯一的一个数据包中发现了一串字符串
CDAISIWillWin |
但是并提交后发现并不是Flag
继续观察发现,STP 数据包都是一样的,DNS 也没有任何特别之处
但是 ICMP 类型的 ping 数据包很奇怪,这里先对ping的数据包进行提取
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==8 or icmp.type==0" |
得到的结果如下
376 616.966522 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) request id=0x06ef, seq=1/256, ttl=64 |
378 617.965929 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) request id=0x06ef, seq=2/512, ttl=64 |
379 617.990279 192.168.0.50 → 192.168.50.10 ICMP 98 Echo (ping) reply id=0x06ef, seq=2/512, ttl=41 |
395 641.491491 192.168.0.50 → 192.168.50.10 ICMP 98 Echo (ping) request id=0x152c, seq=1/256, ttl=41 |
396 641.492213 192.168.50.10 → 192.168.0.50 ICMP 98 Echo (ping) reply id=0x152c, seq=1/256, ttl=64 |
479 796.186499 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64 |
480 796.205229 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41 |
481 796.297219 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64 |
482 796.316115 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41 |
483 796.408717 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64 |
484 796.427036 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41 |
485 796.516729 192.168.50.10 → 192.168.0.50 ICMP 42 Echo (ping) request id=0x0000, seq=0/0, ttl=64 |
486 796.527942 192.168.0.50 → 192.168.50.10 ICMP 42 Echo (ping) reply id=0x0000, seq=0/0, ttl=41 |
发现只有前 5 个数据包的字段都填写了(id=),其他的都是0x0000,我们对0填充的ping流量包进行查看,发现不同的地方是 Identification ,过滤值为 ip.id
tshark进行筛取
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==0 or icmp.type==8" -T fields -e ip.id > output.txt |
进行From Hex后,发现中间带有部分杂糅字符
研究后发现,icmp.type==0 即reply的 Identification ,只对 icmp.type==8 进行筛取
tshark -r PrivateChannel.pcap.pcapng -Y "icmp.type==8" -T fields -e ip.id > output.txt |
进行 From Hex 后,得到
整理一下
"here is your flag : S3cr3t4g3nt |
DNS(G3)
先通过tshark把DNS提取出来
shark.exe -r dns.pcap -T fields -e dns.qry.name | sed '/^\s*$/d' | uniq > output.txt |
前几条是这样的
5647687063794270.192.168.191.129 |
6379426849484e6c.192.168.191.129 |
google.ca |
88.46.194.173.in-addr.arpa |
6379426849484e6c.192.168.191.129 |
88.46.194.173.in-addr.arpa |
59334a6c64434230.192.168.191.129 |
128.191.168.192.in-addr.arpa |
2.191.168.192.in-addr.arpa |
…… |
可以看到有一些奇怪的Hex数据,全部筛出来,并且将重复行删除
56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a |
From Hex ---> From Base64
This is a secret transmitted through dns query :) FLAG-FT47cMX26pWyFSI6RPWaSr5YRw |
Transfer(G3)
在流4中找到一个代码以及密文
import string |
import random |
from base64 import b64encode, b64decode |
FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}' |
enc_ciphers = ['rot13', 'b64e', 'caesar'] |
# dec_ciphers = ['rot13', 'b64d', 'caesard'] |
def rot13(s): |
_rot13 = string.maketrans( |
"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", |
"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm") |
return string.translate(s, _rot13) |
def b64e(s): |
return b64encode(s) |
def caesar(plaintext, shift=3): |
alphabet = string.ascii_lowercase |
shifted_alphabet = alphabet[shift:] + alphabet[:shift] |
table = string.maketrans(alphabet, shifted_alphabet) |
return plaintext.translate(table) |
def encode(pt, cnt=50): |
tmp = '2{}'.format(b64encode(pt)) |
for cnt in xrange(cnt): |
c = random.choice(enc_ciphers) |
i = enc_ciphers.index(c) + 1 |
_tmp = globals()[c](tmp) |
tmp = '{}{}'.format(i, _tmp) |
return tmp |
if __name__ == '__main__': |
print encode(FLAG, cnt=?) |
大致逻辑如下,根据密文的第一位数字判断解密方式
'2' ----> b64encode(flag) |
'1' ----> rot13(tmp1) |
'3' ----> caesar(tmp2) |
手搓可以实现,也可以代码实现
from string import * |
from base64 import * |
def rot13(s): |
_rot13 = str.maketrans( |
"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", |
"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm") |
return s.translate(_rot13) |
def b64d(s): |
return b64decode(s.encode()).decode() |
def caesar(s): |
shifted_alphabet = ascii_lowercase[3:] + ascii_lowercase[:3] |
table = str.maketrans(shifted_alphabet, ascii_lowercase) |
return s.translate(table) |
def decrypt(s): |
n, s = int(s[0]) - 1, s[1:] |
return [rot13, b64d, caesar][n](s) |
s = '[这里填写密文,太多了就不放上去了]' |
while s[0] in '123': |
s = decrypt(s) |
print(s) |
解密得到Flag
flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi} |
免责声明:本Write-up仅供教育和学习目的使用
部分博客摘自:https://g3rling.top/595
