NKctf---webshell_pro

最新推荐文章于 2024-04-23 20:32:46 发布
最新推荐文章于 2024-04-23 20:32:46 发布
阅读量862 收藏 7
点赞数 8
文章标签: 学习 笔记
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/2302_80472909/article/details/136999918
版权

用Wireshark 打开附件
  -->分析-->追踪流-->TCP stream

一堆代码:(有  0~12  共13个流,每个流都有不同的代码,需要将其解码)


POST /hacker HTTP/1.1
Host: 172.22.161.159:5000
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 592
Content-Type: application/x-www-form-urlencoded

shell=FZtON9qcMwGMAVjK63BZyUElFGNTMqs1An6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wyn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8We5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMCBo43nSXSPiaGRZfiirk1SiEUPA6HrkDe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeM04aEJn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WzlkHZgRLSlR5S7xBNESbzHmpKVChcFKHM9viQtOxgEwlZFmhEWAMTurszdfL8pmxokQiavn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WBJDNVULWCn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W36n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WqYvUBqwjn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WEcJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Sun, 28 Jan 2024 11:14:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: close

OJXW65AK


         
=========================================================================

MZWGCZZOOR4HICTINFXHILTQPEFOLMEP42MI5Z42QTTJPJPIV2YC45DYOQFA====       
          base32==>
            flag.txt
            hint.py
            小明的日记.txt

=========================================================================

MFLTC53CGNFDASKHJJUGGMSVGJHECMCLIRIXA4DCLBBHMY3OKFTWER3MNFRG4VTUIRIXA3LDNU4XISKFJZ4WKWCCGBRHSNKRMRLUU43BK5HEYWSYNNTWCVZRO4FGEM2KGBEUMSSUKFITAS2EKFYHOZCXJJZFUWDLM5IFGQLJJFUUS5CMKMYHITCVJJDFEMDMJ5EUMQSWKFVXQSSRPFBEYUSWNN2EYUZQORGFCMCLKRKWYSC2NMYUECSNIVSEIVJTIZEFKMDMNFGTAUSSKJKUUQSVKZLEEUKUKJEFI22GIVITASTQKVKXIQ22GFDEIU3ZHF4GI2SWKFHUO3BUKYZHA5SSNNVXSY3OOBDU42SKGBRFIWT2BJJEKWTVKVXE4TDDGBSG6VTMJZCGIWDIKJJVQ2BRLJLWQTSWGFDE2YSYLEZFMRSCGRSVMUSSKVDVM3KTKV2DCWTOOBWVMVK2NBMTERLWK5KWQ4STKZNEUUL2IU2QUYRSNB2FEVCWLFHHUTJUKZEFENCSGJFFAWRSNREFUV2ZGBMW4WTLJ5ME4VSONMYDATLNOM2GI2ZRONITCQSLMNCEMM3CGBJEOUSFHFDWEMCKKJRUQSJQK5MHASIKJZDHAVKVNJNFCY3ZOREVKRDIK5JFK3CLKRKWGMLEK5WE2VKVHFGWKR2SJRNEQ2DQJZCEMUSTKVJEEVKVIZBUIULPORGFGMDUJRKVMT2SINBFCVSVJJGVGVKNM4FFGMCWLJGFGMDUJRJTATSDNFEWSSLHGBFUIULQO5RW23DSLJMGWZ2QKNAWSSLJJF2EYUZQORGFKSSGKIYGYT2JIZBFGU2WLJBFMRKVM5JTAVS2JRJTA5CMKMYE4CSDNMYUUU2VJZVVUMDMINIVKUSCKRVUU3TBGNDG6YJSNREE6WDDO5IWWRSSKJKVUQSRKZHEIUKXGFBGIMTENZJW2TSCLIYFMQSRK44UQULLIZFGG2LUPBGDE43WBJSVK6CHLFKTS3SWK5YGQZDLGFMWG3KFPFMW4RRTKRLGI22SGNSHQZBSIZDVM23MJRHDAWSCMFVWGMKONNLDIV3LIYYVSUZZO5KFGOKJKNVTKQSPKRKTIWRTIUYQUTBQGQ2VKVS2O5SUQSJVLIZFMUTBIZLG4VCGM54WCVLELJLEO6DNMRWVUNCUPJHEMV3OJUZFCMDMMFHFGOLPMRKGW6SNNZUFKYRTOBYVSVSSGVHUQ3CWKNKGQ5AKMJWGQRC2GAYVMVCUKJMFUMC2IRRFQWTPMFVTC3LBI54E6U2HHBZGK2SSNJGDG2CWKVLWI4TEGJFHITTLNQYFCVCSGJJGUQTXJUYGITLBNRNEEWRQGFBVCVKGIYFFCMTELJIWWUT2MNLUMM2WIRLEKUKWKZIFGRSKNVSEIWTWK5UXG5SMGJYHUU3LGFKWG2ZZI5SFIULYMVXFE6KTGJ2GSVKFIZLGGVKONRRTEZ3SJZDES6CWGFUEECTBNRVTAZBSGUZFOVCGLBJEKTSDKRVFMRCUNN4E2U2XHAYFK3CCGFREO23ZKVVGO6CTIZXTAVBTIJQWIV3MJFSGUZ3YMMYDKTSZGJHGQZCXNB4VG3SKOBRDAUTLBJMW42DPMVDUUTSOPE4XCVKULJHE6VTMNBQW4ZDLKRWWY6SUIRLDMUJSPBMVCMBZPJGVGOJVJVCEK4SPLBNEKYKVGFCWC6SCOJLUI2DPMFKWYWTCJBBFCUZQKIZQUYLOIZJFKVLQINIVK5ZSK5KEE3LEK44UWYTNMMYU4MDEJBQUOURTMRVTI6KZPJMTCTTOKJGVERSCOFHVKZCTMFKEE6S2NVLGYVCYIZUGI3CKKVKFQ3ZSJQZUM3AKLFKEMTK2IVDDCZLLKJXVK3JZKRGWYZDJJ5CUM6LBIU4XEV2XGV5E2RLEJZMVQ4BWLF5EM6COIRETIUJRIZJFC6S2PJKFI3CQMFLFUU2OIVLFOTBSKYZVEMRVIMFGE22ZOJGUQQL2LFLXQ2SXLBEXMTBQMR3U2WDEMFHG2WSMKNMEUR2TNRDHOWLLNBKWK3KZPFHDARTPKMZGIUCTNJDHQULKLJBE4MKBOZRFMRSUJZVXAMSXKVJFCCTDGJSHSVTNORIVIRSKOVLUIZCCMEYFMQTDNE4TIY2HLI2VOR22INHEONL2KZMEMWCSNREXUWTKJJLGCVSKORSUI2ZUKVWVU23CIVLGYVKHKZ3E6VTMI5SWWNKVBJSGYZ32MVWXIMLCPJWEQV3KNBWE6SCGJRKGWMKLMFMGI2KXLBYFKTKINRWWIRCVGVKGWZDMKFVXQUSMGJLDKYTOIZLGG3TEJNIVKVJSKRXGQNKNIUYXQTBRNMYQUYSWLJLWGRJRKNMVG5DJLFLUU3CUKVFFUT2WJZEVUV2WINQXUSLZKVME4Q2SNV4DATTLGVKU23DLPJLEQ3ZQKEZFM5STIRKTATRQGVDFE22KJNJEK6CMKNKWYRAKKR5EE6KTNJNHEUTKLJVFKVSONJJFMSSCKUZEUUSTNNDGCZKUIE2E6SCOK5LVIWSFKNXFESCVNN4FCZCYNR5GI2SOJ5QVQ3DNKJMFU4DBGIYWUZLLJZDGCMCSKEFFUWDHGBRTE2BSKJVXQ222JBSE6VSXPB2GCSDQORREIVTXMMZE4STBK5KTATSHGFBVIMDPO5SFMZ32JYZWW4SZGI4HUY2ULJLGEMKKKJNHUMBZIRIW65CMKMYHICSMKVLE6USDIJIVK23MK5IVMUSGJFCXIRSXKMYHITCTGB2EIULPNFEWSSKOINTTAS3DJBLGSYJSKY2USRBQM5KWYTSCJRWWY5DDI44XSZCGHFZFUWDLN5RUQVTJBJQTEVRVJNITAS3DJBFHAYJSKY2USRBQM5KWYTSCJRWWY5DDI44XSZCGHFZFUWDLN5RUQSTQMEZFMNKLKEYEWYTJIE4USSCCGFMW25DMMVJTK5KEKFXU4Q3NKJWAUWTJIJWGE3KOMZRW2VTXMJDUM2S2KNUGSWKYJZWE42SSMZRTGUTZJ5UUE6TEJBEXAT3HGBFUSQ2BM5EUOSTIMMZFKMSOIY4XUZCIJFTVAU2CNFMVQTTMJZVFEZQKMMZVE6KMNZFGYY2HPBUFSMSVN5EWSODJJRBUC2K2KRLE2WRRGVDVIVCWIZKVM3DMJZJUMNKSNFMTETLJKZLUURSWJBFWWSLRKVWVUUS2KUYGSS2RGBFUSQ2BM4FESR2KNBRTEVJSJZDDS6TEJBEWOUCTIJUVSWCONRHGUUTGMMZVE6KMNZFGYY2HPBUFSMSVN5EWS43JJRBUC2LCNJMW2ULKNBEE43JVIZIUISRQMRCFEVSVNJNG6CSNGFDEGZCDN4YUU22NNVRUMWRRJ5DGG2KLKEYEWSKDIFTUSSCKNRSEQVTZMJUUE2KZLBHGYTTKKJTGGM2SPFGG4STMMNDXQ2CZGJKW6SLKGBUUYQ2BNFJWY2CYBJLFKURRKRDFM3TEGFFE2UZQKE2VU22RGJFGYWS2JVWUMR22KVKW2Y3LIJDVU2SJNFFVCMCLIRIXA222K5MWOWSXGVVGG3TMO5SEG2DXMJDUM4DCNQ4TAWSYNAYAUS2UN5HEG2KBM5EUGQLKJFHWK3THMVWVG4DFK5FW6T2XOZUGOMCLJFBUCZ2JI5HHAY2HNBWGG3BZGBNFQ2BQJFCDAZ2ZNFEWSRCRN5TUSQ2BM5NG2OLZJFDWWZYKMFLTIZ3DNVDHKWRSKVXU2Q3XM5REOVTVJNEEE42ZK5WHKWBTKJWGKSCROBGEGQLYJVVGO4CPM4YEWSKDIFTUSQ2BM5EUGQTXLFMEUMCJIQYGOY2HPBUGCVZVMYFGIR2WGRSEM5DQJ5WWW4SNKRETIWCRGBFUSQ2BM5EUGQLHJFBUE3DCNVGWOUCTIJZWCV2KOVSFOMDVMJVEU6SLJBBHMZDZNBZWCV2KOVSFOMDVMN5EU5KLJBBGQCTDNZIXATCDIJ3WG3LMOJNFQ23VLJBXOZ3CNFVXARCRN5TUSQ2BM5EUGQLHJFDU44DDI5UGYY3MHEYFUWDIGBEUG4ZZJFDVM5KZO4YEWSKDIFTUSSCKNRSEQVTZBJRGSQTMMJWU4ZTDNVLHOYSHIZVFUU3INFMVQTTMJZVFC5KZNJMTAWSXGVVGEMSSNRFUOTTQMNDWQ3DDNQ4TAWSYNAYEWUZVNNNFOTTWLJDVK32LKNVU4Q3HGBFQUYKXLFTVQMJZOVMVOMLMLAYTQZ2QKQYGOSRRHFTGEV2GOBRGYOLGJJ5G6TSDNFAWOSKDIJ2ESRBQM5MWSSLUKVWE4QSMKNEWOS3JIF5E2QJQJNEUGQLHJFEEE6IKMFLTKMCLI5MWSNKZGZTDKYLFJQ2XAV3XGVXTE5KPNFBDOYSYGBUUWUJQJNCFC33HJFBUCZ2ZPFATSSKHKZ2VSM2KGVRUQULPMJJWWTSDNFAWOSKDIJ3WG3LMOUFGIQ3INVEXKV2LN5HVO5TIOVQVM42PMFHHE2TPM5STETRZJFUWWTSDM46T2CQ=

    base32解码==>
====================================================

aW1wb3J0IGJhc2U2NA0KDQppbXBvcnQgbGlibnVtDQpmcm9tIENyeXB0by5QdWJsaWNLZXkgaW1w
b3J0IFJTQQ0KDQpwdWJrZXkgPSAiIiItLS0tLUJFR0lOIFBVQkxJQyBLRVktLS0tLQ0KTUlHZk1B
MEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDSy9xdjVQOGl4V2pvRkkycnpGNjJ0bTZz
REZuUnNLc0doVlNDdXhRSXh1ZWhNV1FMbXY2VFB4eVRRUGVmSUt1ZnpmVUZhY2EvWUhrSVZJQzE5
b2htRTVYNzM4VHR4R2JPZ2lHZWY0YnZkOXNVNk00Mms4dk1sQ1BKcDF3b0RGRE9Gb0JRcHI0WXpI
NFpUUjZQcytIUDhWRUlKTUc1dWlMUU9MeGRLZHhpNDFRSURBUUFCDQotLS0tLUVORCBQVUJMSUMg
S0VZLS0tLS0NCiIiIg0KDQpwcmlrZXkgPSAiIiItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS0N
Ck1JSUNkZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Bd2dnSmNBZ0VBQW9HQkFJcitxL2sv
eUxGYU9nVWphdk1YcmEyYnF3TVdkR3dxd2FGVklLN0ZBakc1NkV4WkF1YS9wTS9ISk5BOTU4Z3E1
L045UVZweHI5Z2VRaFVnTFgyaUdZVGxmdmZ4TzNFWnM2Q0laNS9odTkzMnhUb3pqYVR5OHlVSTht
blhDZ01VTTRXZ0ZDbXZoak1maGxOSG8rejRjL3hVUWdrd2JtNkl0QTR2RjBwM0dMalZBZ01CQUFF
Q2dZQkRzcWF3VDVEQVVPSFJmdDZvWisvL2pzSk1Uck9GdTQxenRyS2tiUEFVcUNlc2grNFIxV1hB
alk0d252WTFXRENCTjVDTkxMSW80UlB1bGkyUjgxSFo0T3BadWlIdjgxc05NY2NhdWhySnJpb0Rk
YnhoeGJNNy9qUTZNOVlhandkTmlzTDV6Q2xYQ09zMS95MDErOXZEaU1EazBrWDhoaUlZbHBQS0R3
anFRUUpCQUw2WTBmdW9Kbmc1N0dHaGR3dk4yYzY1NnRMRFBqOUdSaTBzZmVlTXFhdlJUTXo2L3Fl
YTFMZEF1ekRoUm9TMldiOEFyaE9rWW5zMEdNYXp6YzFxNDI4Q1FRQzZzTTlPaVZSNEVWL2V3R25C
bkYrMHAzYWxjWXIvL0dwMXdaNmZLSXJGSlFwYkhUemYyN0FoS2dPSjFxQjZBN1AvbVFTNkp2WURQ
c2dyVmtQTFJuWDdBa0VBci94cGZ5WGZCNG5zVXFXRlIzZjJVaVJteDk4UmZkbEVlUGVvOVlGek5U
dlgzemt1bzlHWjhlOHFLTk1KaXdiWXpUMHlmdDU5TkdlQkxRL2V5bnFVcndKQUU2Tnh5ME1xL1k1
bVZWcE1SYStiYWJlTUJZOVNIZWVCazIyUXNCRmx0Nk5UMlkzVHo0Q2VvSDU0N05FRkJKRExLSUlD
TzBySjZrRjZjUVNjRVJBU2JRSkFaeTA4OHNWWTZESnRHUkxQdXlzdjNOaXlmRXZpa21jekNFa0RQ
ZXg0c2h2RkxkZHdOVWxtaHptbDVwc2NJaWU0NG1CT0owdVgzN3krY28zcTZVb1JRZz09DQotLS0t
LUVORCBQUklWQVRFIEtFWS0tLS0tDQoiIiINCg0KcHVia2V5ID0gUlNBLmltcG9ydF9rZXkocHVi
a2V5KQ0KcHJpa2V5ID0gUlNBLmltcG9ydF9rZXkocHJpa2V5KQ0KbiA9IHB1YmtleS5uDQoNCmRl
ZiBlbmNfcmVwbGFjZShiYXNlNjRfc3RyOiBzdHIpOg0KICAgIGJhc2U2NF9zdHIgPSBiYXNlNjRf
c3RyLnJlcGxhY2UoIi8iLCAiZTVMZ15GTTVFUVllNSF5RiY2MiVWJFVHKkIqUmZRZU0iKQ0KICAg
IGJhc2U2NF9zdHIgPSBiYXNlNjRfc3RyLnJlcGxhY2UoIisiLCAibjYmQjhHNm5FQDJ0dDRVUjZo
M1FCdCo1JkMmcFZ1OFciKQ0KICAgIHJldHVybiBiYXNlNjRfc3RyLnJlcGxhY2UoIj0iLCAiSlhX
VUR1TFVnd1JMS0Q5ZkQ2JlZZMmFGZUUmckBGZjIiKQ0KDQpkZWYgZW5jcnlwdChwbGFpbl90ZXh0
KToNCiAgICAjIOengemSpeWKoOWvhg0KICAgIGNpcGhlcl90ZXh0ID0gYiIiDQogICAgZm9yIGkg
aW4gcmFuZ2UoMCwgbGVuKHBsYWluX3RleHQpLCAxMjgpOg0KICAgICAgICBwYXJ0ID0gcGxhaW5f
dGV4dFtpOmkrMTI4XQ0KICAgICAgICBlbmMgPSBsaWJudW0ubjJzKHBvdyhsaWJudW0uczJuKHBh
cnQpLCBwcmlrZXkuZCwgbikpDQogICAgICAgIGNpcGhlcl90ZXh0ICs9IGVuYw0KICAgIHJldHVy
biBlbmNfcmVwbGFjZShiYXNlNjQuYjY0ZW5jb2RlKGNpcGhlcl90ZXh0KS5kZWNvZGUoKSkNCg0K
aWYgX19uYW1lX18gPT0gJ19fbWFpbl9fJzoNCiAgICBtID0gYiItUlNBLSIgKiAzMA0KICAgIHBy
aW50KGYi5Y6f5aeL5pWw5o2uOiB7bX0iKQ0KDQogICAgYyA9IGVuY3J5cHQobSkNCiAgICBwcmlu
dChmIuWKoOWvhuaVsOaNrjoge2N9IikNCg==

 base64 解码,是一个加密的脚本==>
===============================================


                                                                 (加密的脚本)
import base64

import libnum
from Crypto.PublicKey import RSA

pubkey = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK/qv5P8ixWjoFI2rzF62tm6sDFnRsKsGhVSCuxQIxuehMWQLmv6TPxyTQPefIKufzfUFaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41QIDAQAB
-----END PUBLIC KEY-----
"""

prikey = """-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIr+q/k/yLFaOgUjavMXra2bqwMWdGwqwaFVIK7FAjG56ExZAua/pM/HJNA958gq5/N9QVpxr9geQhUgLX2iGYTlfvfxO3EZs6CIZ5/hu932xTozjaTy8yUI8mnXCgMUM4WgFCmvhjMfhlNHo+z4c/xUQgkwbm6ItA4vF0p3GLjVAgMBAAECgYBDsqawT5DAUOHRft6oZ+//jsJMTrOFu41ztrKkbPAUqCesh+4R1WXAjY4wnvY1WDCBN5CNLLIo4RPuli2R81HZ4OpZuiHv81sNMccauhrJrioDdbxhxbM7/jQ6M9YajwdNisL5zClXCOs1/y01+9vDiMDk0kX8hiIYlpPKDwjqQQJBAL6Y0fuoJng57GGhdwvN2c656tLDPj9GRi0sfeeMqavRTMz6/qea1LdAuzDhRoS2Wb8ArhOkYns0GMazzc1q428CQQC6sM9OiVR4EV/ewGnBnF+0p3alcYr//Gp1wZ6fKIrFJQpbHTzf27AhKgOJ1qB6A7P/mQS6JvYDPsgrVkPLRnX7AkEAr/xpfyXfB4nsUqWFR3f2UiRmx98RfdlEePeo9YFzNTvX3zkuo9GZ8e8qKNMJiwbYzT0yft59NGeBLQ/eynqUrwJAE6Nxy0Mq/Y5mVVpMRa+babeMBY9SHeeBk22QsBFlt6NT2Y3Tz4CeoH547NEFBJDLKIICO0rJ6kF6cQScERASbQJAZy088sVY6DJtGRLPuysv3NiyfEvikmczCEkDPex4shvFLddwNUlmhzml5pscIie44mBOJ0uX37y+co3q6UoRQg==
-----END PRIVATE KEY-----
"""

pubkey = RSA.import_key(pubkey)
prikey = RSA.import_key(prikey)
n = pubkey.n

def enc_replace(base64_str: str):
    base64_str = base64_str.replace("/", "e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM")
    base64_str = base64_str.replace("+", "n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W")
    return base64_str.replace("=", "JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2")

def encrypt(plain_text):
    # 私钥加密
    cipher_text = b""
    for i in range(0, len(plain_text), 128):
        part = plain_text[i:i+128]
        enc = libnum.n2s(pow(libnum.s2n(part), prikey.d, n))
        cipher_text += enc
    return enc_replace(base64.b64encode(cipher_text).decode())

if __name__ == '__main__':
    m = b"-RSA-" * 30
    print(f"原始数据: {m}")

    c = encrypt(m)
    print(f"加密数据: {c}")

=========================================================================


KJVXQQSSPFBHAY3ZIJHVIMKRM5JUKVSTKJJUK2CJKNCWQSKTIVUESU2FNBBWO32LKVCUMVCVGFSFAVLLKE3EG3CCNBRTGTRTMIZUU22MK5FGQYZSKZVUYV2WOUFFSM2KGVRUQUTQMIZDISYK

base32  ==>

RkxBRyBpcyBOT1QgSEVSRSEhISEhISEhISEhCgoKUEFTU1dPUkQ6ClBhc3N3b3JkLWJhc2VkLWVu
Y3J5cHRpb24K

base64  ==>

FLAG is NOT HERE!!!!!!!!!!!


PASSWORD:
Password-based-encryption
=========================================================================

MNQXIORA4WYI7ZUYR3TZVBHGS6S6RLVQFZ2HQ5B2EBHG6IDTOVRWQIDGNFWGKIDPOIQGI2LSMVRXI33SPEFA====

base32 ==>

cat: 小明的日记.txt: No such file or directory

=========================================================================

NBUW45BOOB4QVZNQR7TJRDXHTKCONF5F5CXLALTUPB2AU===

base32 ==>

hint.py
小明的日记.txt

=========================================================================

INXW24DSMVZXGZLEBJCGK43LORXXACSEN5RXK3LFNZ2HGCSEN53W43DPMFSHGCSGJRAUOCSNOVZWSYYKKBUWG5DVOJSXGCSQOVRGY2LDBJKGK3LQNRQXIZLTBJLGSZDFN5ZQUV2TJQFA====

base32==>

Compressed
Desktop
Documents
Downloads
FLAG
Music
Pictures
Public
Templates
Videos
WSL

=========================================================================


IRXWG23FOIFGE2LOBJRG633UBJSGK5QKMV2GGCTIN5WWKCTJNZUXICTMNFRAU3DJMIZTECTMNFRDMNAKNRUWE6BTGIFGY33TOQVWM33VNZSAU3LFMRUWCCTNNZ2AU3LZONYWYX3EMF2GCCTPOB2AU4DSN5RQU4TPN52AU4TVNYFHGYTJNYFHG3TBOAFHG4TWBJZXS4YKORWXACTVONZAU5TBOIFHO43MJ5EGSY3PI4FHO43MMJWUUQ2KIYFHO43MM5BUUTTGIUFHO43MNBQUORDCIQFA====

base32==>

Docker
bin
boot
dev
etc
home
init
lib
lib32
lib64
libx32
lost+found
media
mnt
mysql_data
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
wslOHicoG
wslbmJCJF
wslgCJNfE
wslhaGDbD

=========================================================================


F5RGS3RPONUDUIBRHIQGS4DDN5XGM2LHHIQG433UEBTG65LOMQFA====

base32==>

/bin/sh: 1: ipconfig: not found


=========================================================================

            (解密的脚本)


import base64

import libnum
from gmpy2 import *
from Crypto.Util.number import *
from Crypto.PublicKey import RSA

pubkey = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK/qv5P8ixWjoFI2rzF62tm6sDFnRsKsGhVSCuxQIxuehMWQLmv6TPxyTQPefIKufzfUFaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41QIDAQAB
-----END PUBLIC KEY-----
"""

prikey = """-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIr+q/k/yLFaOgUjavMXra2bqwMWdGwqwaFVIK7FAjG56ExZAua/pM/HJNA958gq5/N9QVpxr9geQhUgLX2iGYTlfvfxO3EZs6CIZ5/hu932xTozjaTy8yUI8mnXCgMUM4WgFCmvhjMfhlNHo+z4c/xUQgkwbm6ItA4vF0p3GLjVAgMBAAECgYBDsqawT5DAUOHRft6oZ+//jsJMTrOFu41ztrKkbPAUqCesh+4R1WXAjY4wnvY1WDCBN5CNLLIo4RPuli2R81HZ4OpZuiHv81sNMccauhrJrioDdbxhxbM7/jQ6M9YajwdNisL5zClXCOs1/y01+9vDiMDk0kX8hiIYlpPKDwjqQQJBAL6Y0fuoJng57GGhdwvN2c656tLDPj9GRi0sfeeMqavRTMz6/qea1LdAuzDhRoS2Wb8ArhOkYns0GMazzc1q428CQQC6sM9OiVR4EV/ewGnBnF+0p3alcYr//Gp1wZ6fKIrFJQpbHTzf27AhKgOJ1qB6A7P/mQS6JvYDPsgrVkPLRnX7AkEAr/xpfyXfB4nsUqWFR3f2UiRmx98RfdlEePeo9YFzNTvX3zkuo9GZ8e8qKNMJiwbYzT0yft59NGeBLQ/eynqUrwJAE6Nxy0Mq/Y5mVVpMRa+babeMBY9SHeeBk22QsBFlt6NT2Y3Tz4CeoH547NEFBJDLKIICO0rJ6kF6cQScERASbQJAZy088sVY6DJtGRLPuysv3NiyfEvikmczCEkDPex4shvFLddwNUlmhzml5pscIie44mBOJ0uX37y+co3q6UoRQg==
-----END PRIVATE KEY-----
"""

pubkey = RSA.import_key(pubkey)
prikey = RSA.import_key(prikey)
n = pubkey.n
e = pubkey.e
d = prikey.d
# c = 'OTEBXOzklq47vCMun6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WvSDL2h4svC0e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeMoTkLcpmoy0HSto3GoNNT7v86XmkKmXJL0JfzvyZNjgriP7PURYREU35lTsqKxTqvFhmn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W5n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W9BksBYFqdnX4HS6MMTyS44ZNjbcn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W1jlNLvHmn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WXABbE6xihToCzcCwQPR39dVasnlr2AREUmIJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2'
# m = pow(bytes_to_long(c),d,n)
# print(long_to_bytes(m))

def enc_replace(base64_str: str):
    base64_str = base64_str.replace("/", "e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM")
    base64_str = base64_str.replace("+", "n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W")
    return base64_str.replace("=", "JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2")

def encrypt(plain_text):
    # ç§é¥å å¯
    cipher_text = b""
    for i in range(0, len(plain_text), 128):
        part = plain_text[i:i+128]
        enc = libnum.n2s(pow(libnum.s2n(part), prikey.d, n))
        cipher_text += enc
    return enc_replace(base64.b64encode(cipher_text).decode())


def de_replace(base64_str: str):
    base64_str = base64_str.replace("e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM", "/")
    base64_str = base64_str.replace("n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W", "+")
    return base64_str.replace("JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2", "=")
# if __name__ == '__main__':
    # m = b"-RSA-" * 30
    # print(f"åå§æ°æ®: {m}")
    #
    # c = encrypt(m)
    # print(f"å å¯æ°æ®: {c}")

# b'cd /root/FLAG && base64 hint.py'
# c = 'OTEBXOzklq47vCMun6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WvSDL2h4svC0e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeMoTkLcpmoy0HSto3GoNNT7v86XmkKmXJL0JfzvyZNjgriP7PURYREU35lTsqKxTqvFhmn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W5n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W9BksBYFqdnX4HS6MMTyS44ZNjbcn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W1jlNLvHmn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WXABbE6xihToCzcCwQPR39dVasnlr2AREUmIJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2'
# b'cd /root/FLAG && base64 \xe5\xb0\x8f\xe6\x98\x8e\xe7\x9a\x84\xe6\x97\xa5\xe8\xae\xb0.txt'
# c = 'QO0aRn91LW114FkdPXtsz2NXBxffsluGfLkss87RnMen6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WOM0SdYBMemkKsJ5C406Izn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WPXn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W2mC19qS0mJvPfBNMH0Vl6w72Ie5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM20nFUokf6XNMLkq5TuvyVgjCUCZcCERF1gTAZn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W80qMkO0VJxTqdrIc1H5MmMJpAlU2XfYRBCF5kUJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2'
# c = 'co7xLpHsVEAE5l7fsCb7VwK2NiPtkINUh7sNre5Lg^FM5EQYe5!yF&62%V$UG*B**RfQeMNhhn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W3RkS5n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8Wxa7OyiwyiB8jSnEVIGX2lYKa50q5YI23J5ppkhcohr0ktrcWn91MXrTV0Vq5JW6yPbItn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WbuBfQXNpYspLKV5Tljge4YWoHDQqiKCYYnPMF7LagcC9fsQffwrMSsJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2'
# c='co7xLpHsVEAE5l7fsCb7VwK2NiPtkINUh7sNre5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMNhhn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W3RkS5n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wxa7OyiwyiB8jSnEVIGX2lYKa50q5YI23J5ppkhcohr0ktrcWn91MXrTV0Vq5JW6yPbItn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WbuBfQXNpYspLKV5Tljge4YWoHDQqiKCYYnPMF7LagcC9fsQffwrMSsJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2'

c='G1TUg4bIVOFYi8omV2SQrTa8fzYfboRNN7fV6FJn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8Wbm3O74uCUbwMkvRCYae44TX1ZO8X4w2Nk1igaIZjSQIJ9MMHhD9cn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WSV5EzikNsyM5c1nlPS8uqw1P2pJuYLaLxloK0x5xhQHDqqAxkuKrBzPn0noQ2bDn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WlVnGwsfP7YP9PYJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2'
cc = base64.b64decode(de_replace(c))

print(long_to_bytes(pow(bytes_to_long(cc),e,n)))
# b'cd /root/FLAG && base64 hint.py'

=========================================================================
(其中一个流)

G1TUg4bIVOFYi8omV2SQrTa8fzYfboRNN7fV6FJn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wbm3O74uCUbwMkvRCYae44TX1ZO8X4w2Nk1igaIZjSQIJ9MMHhD9cn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WSV5EzikNsyM5c1nlPS8uqw1P2pJuYLaLxloK0x5xhQHDqqAxkuKrBzPn0noQ2bDn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WlVnGwsfP7YP9PYJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2

      替换编码(比如  %40 -->@)  ========>

G1TUg4bIVOFYi8omV2SQrTa8fzYfboRNN7fV6FJn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8Wbm3O74uCUbwMkvRCYae44TX1ZO8X4w2Nk1igaIZjSQIJ9MMHhD9cn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WSV5EzikNsyM5c1nlPS8uqw1P2pJuYLaLxloK0x5xhQHDqqAxkuKrBzPn0noQ2bDn6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8WlVnGwsfP7YP9PYJXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2

               脚本运行结果=====>

b'echo U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ== > /root/FLAG/flag.txt'

=========================================================================

     将       U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ==           aes解密:

密码为之前已经得到的password:    Password-based-encryption

得到flag:flag{d0e1183c-07c3-49ea-b048-addbe6cc1b20}


=========================================================================

亿.6
关注
  • 8
    点赞
  • 7
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
[CTFSHOW][WEB入门]SSTI模版注入
fallingskies
10-14 451
web361 Flask是一个使用Python编写的轻量级web应用框架,其WSGI工具箱采用Werkzeug,模板引擎则使用Jinja2。 参考https://xz.aliyun.com/t/3679#toc-8https://xz.aliyun.com/t/3679#toc-8 使用poc进行测试 {{5*5}} 显然存在模版注入。 查找可以利用的类 {{"".__class__.__bases__[0].__subclasses__()}} 已知<class '...
windows10 安装pyspider
qq_36064271的博客
08-10 468
windows10 安装pyspider,以及在安装过程中遇到的问题
vulnhub靶机-djinn2
臭nana的博客
06-29 694
1、靶机开机后得到ip:192.168.0.107 2、扫描靶机端口,比上一个靶机多了个5000端口 21 22 1337 5000 7331 root@kali:~/桌面# nmap -p- -A 192.168.0.107 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 21:53 CST Nmap scan report for 192.168.0.107 Host is up (0.00100s latency). Not s
python中werkzeug库用法详解
IT之一小佬的博客
07-31 1101
python中werkzeug库用法详解
python web包_Werkzeug——python web开发工具包
weixin_39638105的博客
11-30 387
一:Werkzeug是个啥1)Werkzeug是一个工具包,它封装了很多东西,诸如: Request,Response等。2)Werkzeug不是web服务器,也不是web框架;二:Werkzeug怎么用Werkzeug的翻译很有意思——“犯罪工具”,它提供了很多封装好的类、API,可以帮助我们快速实现一些web开发所需要的功能。例如:WSGI接口的实现。Werkzeug官方教程中就以WSGI s...
百度飞浆OCR识别表格入门python实践
肖永威的专栏
09-07 3555
百度飞浆OCR识别表格入门python实践
CTF-SSH私钥泄露代码详细解说
weixin_45441727的博客
02-26 712
nmap -sV 172.16.101.61 扫描靶机的端口以及开启服务 若发现 31337/tcp open http Werkzeug httpd 0.11.15 (pYTHON 3.5.3) 特殊端口31337端口服务开启 此时我们可以探测大端口的信息 可以通过http://ip:port的形式访问靶机,查看其源代码 另外,还可以通过使用工具来探测隐藏页面 -dirb http://ip:port/ 一般来讲探测之后会发现很多隐藏文件,那么我们可以通过他们来进一步进行渗透。 讲解一下: 如果发现了以
[原创]夺棋赛HackTheBox OpenSource攻略
huandaohack的专栏
06-26 2319
夺棋赛HackTheBox OpenSource攻略
JspMaster-Release-1.02_webshell管理_
09-29
webshell管理工具JspMaster,适用于管理jsp shell文件
Decryption-WEBSHELL.rar_asp webshell_webshell_webshell asp
09-24
坊间流传的ASP WEBSHELL几乎全部加密,而且带有后门,此版本为开源解密版.而且后门以剔除.
webshell-dictionary-master 上千个webshell合集
09-29
webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种代码执行环境,也可以将其称做为一种网页后门。黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起,然后...
luci-app-webshell_1-1_all.ipk
08-17
我也不知道怎么搞的,上一个webshell 会在网页上产生一个错误,是xrh.js使用上出现的错吴。我记得自己测试通过的呢,这个是我修正后自己生成的。这个应该兼容大多数的平台,只有一个主页,一个lua。我也不知道怎么写...
webshell 攻与防kill_webshell_detect-master.zip
07-25
最近几个月中,参加过很多webshell检测的比赛,有我们内部的,也有其他厂商的,平心而论,TSRC和 青藤云针对webshell|文件的检测思路和实现成熟度是业界领先的,使用动静态污点分析webshell文件,已经是非常高级的...
Vitis HLS 学习笔记--优化指令-ARRAY_PARTITION
hi94的博客
04-22 1294
ARRAY_PARTITION 指令中非常重要,它用于优化数组的存储和访问。该指令可以将一个大数组分割成多个小数组,以提高并行处理能力和减少访问延迟。
软件设计师软考中项学习(二)之计算机系统基础知识
寻至善的博客
04-20 548
通过学习🔥了解了计算机系统基础知识🔥学习了计算机基础、中央处理单元、数据表示🔥学会了CPU工作原理各进制的转换
web学习
最新发布
MptRe的博客
04-23 227
day03-01day03-02day03-03day03-05day03-07。
贪吃蛇项目实战——学习详解
strive_mianyang的博客
04-20 3634
使用c语言实现贪吃蛇小游戏——详解
TypeScript学习笔记7-枚举
STATICHIT静砸的博客
04-23 263
如果中断了,那么下面的就从中断的地方继续增长。如果是字符串,那么定义的时候就要全部写上。主要作用就是节省因为枚举带来的性能消耗。如果是纯数字,下面的会进行自动增长。
* Serving Flask app '__main__' (lazy loading) * Environment: production WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead. * Debug mode: off Address already in use Port 5000 is in use by another program. Either identify and stop that program, or start the server with a different port. Traceback (most recent call last): File "/usr/local/lib/python3.10/site-packages/werkzeug/serving.py", line 908, in prepare_socket s.bind(server_address) OSError: [Errno 98] Address already in use During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/home/ChengYg/big_screen-master/app.py", line 35, in <module> app.run() File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 920, in run run_simple(t.cast(str, host), port, self, **options) File "/usr/local/lib/python3.10/site-packages/werkzeug/serving.py", line 1059, in run_simple s = prepare_socket(hostname, port) File "/usr/local/lib/python3.10/site-packages/werkzeug/serving.py", line 927, in prepare_socket sys.exit(1) SystemExit: 1 >>>
07-13
这个错误提示表明端口5000已经被其他程序占用了。你可以尝试以下方法来解决这个问题: 1. 停止占用5000端口的程序:找出占用5000端口的程序并停止它。你可以使用命令`lsof -i :5000`来查看占用该端口的程序,并使用`kill`命令停止它。 2. 修改Flask应用的端口:在`app.run()`中指定一个不同的端口,如`app.run(port=8000)`。确保选择一个未被占用的端口。 3. 使用环境变量设置端口:在PythonAnywhere上,你可以通过设置环境变量来指定端口。在代码中可以这样写: ```python import os if __name__ == "__main__": port = int(os.environ.get("PORT", 5000)) app.run(port=port) ``` 然后,在PythonAnywhere上设置一个名为`PORT`的环境变量,并将它的值设为你想要的端口号。 请注意,如果你在生产环境中部署应用,建议使用一个真正的WSGI服务器,如Gunicorn或uWSGI,而不是使用Flask的开发服务器。开发服务器仅适合在开发环境中使用。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值