2. 程式人生 > 實用技巧 >[2020強網杯]記錄

[2020強網杯]記錄

阿新 發佈:2020-08-25

除了簽到簽退,只出了3到簽到題(https://shimo.im/docs/QTkJYhjrwq8RQqkJ)
哈哈哈
想著跟大佬們的wp,復現一下miscstudy

miscstudy

題目說明:本題目flag由7個部分構成,第一個部分為flag{level1...,最後一個部分為 !!!} 每一關都會存有flag的一部分,將所有flag的字串拼接即為最後flag

連結:https://pan.baidu.com/s/1iEvJ9_RD4q5gzhh-smvu0w
提取碼:0ycf

用wireshark開啟就卡死,關閉有道詞典,解決!
也過濾http了,就是沒往下看

1、過濾http

訪問http://39.99.247.28/fonts/1

flag{level1_begin_and_level2_is_come
2、
上面是sslkey.log檔案,另存為sslkey.log

把sslkey.log匯入misc.pcapng:編輯->首選項->Protocols->TLS

此時,多出一條流量

https://www.qiangwangbei.com/images/4e5d47b2db53654959295bba216858932.png

用zsteg命令:

zsteg 4e5d47b2db53654959295bba216858932.png

base64解密,得到3600(60*60)位的2進位制和level3(level3_start_it

)

考慮轉二維碼,指令碼網上有

from PIL import Image
MAX = 60
pic = Image.new("RGB",(MAX, MAX))
str="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111110000000100110000100000000011100001111111111100001111111111110000000110111000100000000011100001111111111100001100000000110010011111110010000000001100111001000000000100001100000000110010000110110010000000000001111001000000000100001100111100110010000100110010011100000011101001001111100100001100111100110000100000001110011111110010000001001111100100001100111100110000000000001110011110110010000001001111100100001100111100110011100100111111111100110011100000001111100100001100000000110011000000000111100110110110000001000000000100001100000000110010011000000011100011111110011001000000000100001111111111110010011001001001100110110010011001111111111100001111111111110010011001001100000100110010011001111111111100000000000000000010011111110010011000111000100000000000000000000000000000000010001111100010011000011101100000000000000000001110011000111100000001000000011000001111111001111000111000000110000000000000000001000000011000000000011001000000000000000010000001000011100001000000111100110000011000000010000000001110011001111110000000000000010001001110011111000010011000001110011001111110000000000000011001001110011111000010011000001100111000000011111000000010000100000100100111000000100100000001100000000111011000000111000100001100000111000000000000000011100000111110011000001111111100001100011111110010000000000000111001001100000000001100000111001110011111001000100100000000111001001000000000001000000111001110011111001100100100000011100000110011111111000000011100001111111000001110011100000011000000010011111110000000011100001111111000000110001100000000000100000010000000000000011000001110011001000000100100000000000000000110000000000000000000001110011011100000000000000010001001111110000100000000100000011111111101111100000000000011000000001110000000111111100110000001100000000010000000000011100000001110000000111111100111000000100000000010000000001110000100111111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
i=0
for y in range (0,MAX):
    for x in range (0,MAX):
        if(str[i] == '1'):
            pic.putpixel([x,y],(0, 0, 0))
        else:
            pic.putpixel([x,y],(255,255,255))
        i = i+1
pic.save("res.png")

連結:https://pan.baidu.com/s/1wVJ7d0RLW8Rj-HOTL9Shug
提取碼:1lms

3、下載後得到level4.jpg

用stegdetect檢測到圖片是jphide加密(我感覺這工具一般只能檢測jphide
.\stegdetect.exe -t jopi -s 10.0 .\level4.jpg

用stegbreak爆破一下
.\stegbreak.exe -r .\rules.ini -f .\password.txt -t p .\level4.jpg

https://pan.baidu.com/s/1o43y4UGkm1eP-RViC25aOw

mrpt

level4_here_all

4、下載後是leve5.zip(level5.png 1.png level6.zip level7.zip)
level5.png直接是第5段

level6.zip

crc32爆破

level7.zip(1.png 4.png 5.png)
直接明文攻擊(不到一分鐘就可以停了),4.png和5.png是一樣的,嘗試(盲水印)[https://github.com/chishaxie/BlindWaterMark/archive/master.zip](用裡面的py3,py2都沒結果)


得到:level7ishere和39.99.247.28/final_level

根據提示blank,檢視頁面原始碼,發現前2行有空格和tab,html snow隱寫,http://fog.misty.com/perry/ccs/snow/snow/snow.html

the_misc_examaaaaaaa_!!!}

連起來,flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel_isreadylevel7isherethe_misc_examaaaaaaa_!!!}

相關推薦

[2020]記錄

除了簽到簽退,只出了3到簽到題(https://shimo.im/docs/QTkJYhjrwq8RQqkJ) 哈哈哈 想著跟大佬們的wp,復現一下miscstudy

2020第四屆""線上賽部分題解

前言 肝了兩天,日常被虐,這裡記錄一下做出來的幾道題,真*web是一個都沒解出來,感覺還是tcl!!!,還得繼續努力啊

2020 writeup

原文地址:http://phoebe233.cn/?p=242 被二進位制爺爺們帶飛Orz Web half_infiltration 首先反序列化,由於print之後無論走哪都會有ob_end_clean(),永遠也不會輸出,所以嘗試輸出之後讓他報錯來繞過

[ 2019]隨便注 1 【BUUCFT】【SQL注入】

參考教程: 簡簡的我 方法一 判斷是否存在注入,注入是字元型還是數字型 輸入 1’ 發現不回顯

第三屆一道web題(upload)詳解

一拿到題目開啟就是一個登入註冊頁面, 順手先測了下有沒有sql注入,發現沒有後註冊了一個,登入

十三屆全國大學生資訊大賽++DASCTF八月V&N出題賽-刷題筆記

菜鳥的自白: 剛開始我還不知道什麼是CTF到了大學,有學長帶起,慢慢的步入這個信安大世界,我從基礎小白,到現在入門小菜鳥,我覺得學習CTF,可以鍛鍊自己寫指令碼,看bug,學滲透,不斷的充實自己,這次這3個比

細說Web輔助

本文首發於“合天智匯”公眾號 作者:Ch3ng 這裡就藉由的一道題目“Web輔助”,來講講從構造POP鏈,字串逃逸到最後獲取flag的過程

BUUCTF-[ 2019]隨便注

解題 1、網頁標題是easy_sql 輸入1、2有回顯,其餘都無查詢結果 加單引號?inject=1\' 報錯

[青少年賽] 慘慘戰隊WriteUp

Web easy_php 簡單題,PHP黑魔法梭哈 第一層 a1 a2 弱型別繞過 第二層 b1 b2 陣列繞過 第三層 time 科學計數法繞過

CTF-i春秋-Web-cookie欺騙、陣列繞過正則過濾、rot13-who are you?-2017第二屆廣東省線上賽

2020.09.21 經驗教訓 rot13,凱撒密碼的一種變形,因為其加密和解密只用一種方法,所以比較流行,實質就是字母表偏移13位

buuctf-web [ 2019]隨便注 1

啟動靶機,開啟是這個介面 首先輸入1‘,它會報錯 然後輸入1\' order by 2,這說明只有兩個欄位。

CTF[2019 ]隨便注.

照例and or測試一下 發現表裡所有資料,但沒有flag 嘗試一下堆疊注入 可以用堆疊注入,接著看錶

[ 2019]隨便注

這是BUUCTF上刷的第一道題,題目看是SQL注入 1.根據經驗嘗試有無常規注入 1.1 探測有無注入

矩形並(2020

題目連結:https://ac.nowcoder.com/acm/contest/9699/H 題目描述: Bobo 有一個矩形A。舉行的左下角座標是 (x1, y1),右上角座標是 (x2, y2)。設 R(i, j) 是左下角座標是 (0, 0),右上角座標是 (i, j) 的矩形,A

2021 [先鋒]賭徒

2021 [先鋒]賭徒 考點: 構造pop鏈 進去就一句話 I think you need /etc/hint . Before this you need to see the source code

第五屆WEB Writeup

WEB 0x01 [先鋒]尋寶 根據題目資訊可以知道,需要從中獲取兩個KEY,然後獲得flag

2021 [先鋒]尋寶

2021 [先鋒]尋寶 考點:1. php原始碼審計2. 指令碼的編寫 給了我們兩個資訊,分邊對應2個KEY,得到2個KEY後就可以獲得flag了

2021-賭徒-pop鏈的構造

知識點 pop鏈的構造 前言 第一次在比賽裡做出題!!!好激動哈哈哈 [賭徒]是現學現做的一道php反序列化web題,之前對反序列化漏洞的瞭解只停留在繞過__wakeup魔法方法,和群裡的大佬交流發現原來pwn也有。

2021-尋寶

PS:看到WP後血壓拉滿 part 1 <?php header(\'Content-type:text/html;charset=utf-8\'); error_reporting(0);

從2021的一道題學習docx檔案操作

[先鋒]尋寶 啊對就是這道題,大佬們都賊快,菜如我還得慢慢整 key1 大佬們都一筆帶過,哎,雖然簡單,但是也別這麼虐我們啊