Preface
BugKu is an online vulnerability range launched by the WooYun knowledge base (wooyun.org). The WooYun knowledge base is a community platform dedicated to collecting, organising and sharing information about Internet security vulnerabilities.
BugKu aims to provide a platform for practising and learning network security, where security enthusiasts and penetration testers can take on challenges and practise. It contains many kinds of vulnerability scenarios, such as Web vulnerabilities, system vulnerabilities and cryptography, and participants have to solve them to obtain the flag.
BugKu's characteristics are as follows:
1. A wide range of vulnerabilities: BugKu offers many vulnerability scenarios for users to tackle, covering common Web vulnerabilities such as XSS, SQL injection and file upload, as well as other categories such as reverse engineering and cryptography.
2. Suitable for all levels: the challenges are divided into difficulty levels, so everyone from beginners to professional penetration testers can find something appropriate.
3. Learning resources: BugKu provides plenty of learning material, including solution approaches, vulnerability analyses and remediation advice. Participants can improve by studying other people's write-ups and experience.
4. Leaderboard competition: BugKu keeps a leaderboard; participants earn points by solving challenges and compete for rank. This competitive incentive helps keep participants interested and motivated.
By taking part in BugKu, participants learn real vulnerabilities and attack techniques through practice and raise their skill level. BugKu is also a place for exchange and sharing, where participants can discuss and learn with other security enthusiasts and grow together.
I. blind_injection 2
Open the challenge.
As in the previous challenge, export the HTTP objects from the capture.
I don't know tshark, so I had to write the values down one by one.
# ASCII codes of the characters recovered one by one from the exported HTTP objects
a = [102, 108, 97, 103, 95, 56, 97, 102, 56, 101, 48, 51, 99, 54, 56, 57, 50,
     52, 55, 54, 102, 56, 52, 100, 49, 101, 51, 52, 55, 49, 56, 55, 98, 50, 52, 52, 57]
b = ''.join(chr(c) for c in a)
print(b)
# Output: flag_8af8e03c6892476f84d1e347187b2449
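The ASCII values above were read off the capture by hand. A capture of a boolean-based blind SQL injection can instead be processed mechanically: each request probes one character position with a comparison, and the response size tells you whether the comparison held. The script below is an added example, not part of the original write-up; it assumes probes of the shape `ascii(substr(...,N,1))` compared with `>`, `<` or `=`, and that a true condition produces a response body of a known length. The request list it runs on is constructed here, not taken from the challenge pcap. For a real capture, `tshark -r capture.pcapng -Y http.request -T fields -e http.request.uri` prints the URI column; pairing each request with its response length is what the tuples below represent.

```python
import re

# Matches the probe shape used in boolean-based blind injection, e.g.
#   ascii(substr((select flag from flag),7,1))>100
# group 1 = character position, group 2 = comparison, group 3 = ASCII value.
PROBE_RE = re.compile(r"substr\(.*?,(\d+),1\)\)\s*([<>=])\s*(\d+)")


def recover_flag(requests, true_len):
    """Rebuild the string leaked by a boolean-based blind SQL injection.

    requests: iterable of (uri, response_length) pairs in capture order.
    true_len: body length the page returns when the injected condition holds.
    Positions the probes never narrow to a single value are rendered as '?'.
    """
    lo, hi, fixed = {}, {}, {}
    for uri, size in requests:
        m = PROBE_RE.search(uri)
        if not m:
            continue  # not a probe (e.g. the attacker just loading the page)
        pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
        truth = size == true_len
        lo.setdefault(pos, 0)
        hi.setdefault(pos, 0xFF)
        if op == "=":
            if truth:
                fixed[pos] = val
        elif op == ">":
            if truth:
                lo[pos] = max(lo[pos], val + 1)
            else:
                hi[pos] = min(hi[pos], val)
        else:  # "<"
            if truth:
                hi[pos] = min(hi[pos], val - 1)
            else:
                lo[pos] = max(lo[pos], val)
    chars = []
    for pos in sorted(lo):
        if pos in fixed:
            chars.append(chr(fixed[pos]))
        elif lo[pos] == hi[pos]:
            chars.append(chr(lo[pos]))
        else:
            chars.append("?")
    return "".join(chars)


# Constructed sample (not the real capture): (request URI, response size).
# A 1024-byte body means the page rendered normally, i.e. the condition was true.
SAMPLE_REQUESTS = [
    ("/index.php?id=1' and ascii(substr((select flag from flag),1,1))>100-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),1,1))>110-- -", 880),
    ("/index.php?id=1' and ascii(substr((select flag from flag),1,1))=102-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),2,1))>100-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),2,1))>108-- -", 880),
    ("/index.php?id=1' and ascii(substr((select flag from flag),2,1))>107-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),3,1))>96-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),3,1))<98-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),4,1))=103-- -", 1024),
    ("/index.php?id=1' and ascii(substr((select flag from flag),5,1))>90-- -", 1024),
    ("/index.php", 1024),
]

if __name__ == "__main__":
    print(recover_flag(SAMPLE_REQUESTS, 1024))  # flag? (position 5 never pinned down)
```

Position 5 comes out as `?` because the sample only bounds it from below; on a real capture that is the signal to go back and look for the probes you missed rather than guessing the character.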
II. where is flag
Open the challenge.
Unzipping gives 10 txt files.
Opened in WinHex, they all appear empty.
All the later files look the same.
Following the challenge description, look at the files' detailed properties.
The files do differ slightly: the only thing that differs is the size. Copy them to Kali and count the bytes with wc -c.
The numbers look like ASCII codes; split them out:
'98','117','103','107','117','123','110','97','48','100','48','110','103','100','97','107','97','49','125'
Decode them on a third-party site to get the flag.
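As an added example (not from the original write-up), the script below does the size-to-character step offline and also reads the sizes straight from a directory, sorting file names numerically so that 10.txt does not land before 2.txt, which a plain string sort would do and which would scramble the flag. The SIZES list is the one recorded above; the sample directory it builds is constructed here, NUL-filled files of those lengths, so it runs without the challenge archive.

```python
import os
import re
import tempfile

# Byte counts recorded from the challenge files, in file order (values from the write-up).
SIZES = [98, 117, 103, 107, 117, 123, 110, 97, 48, 100, 48, 110, 103, 100,
         97, 107, 97, 49, 125]


def sizes_to_text(sizes):
    """Interpret each byte count as an ASCII code; non-printable sizes become '.'."""
    return "".join(chr(n) if 32 <= n < 127 else "." for n in sizes)


def natural_key(name):
    """Sort key that orders 2.txt before 10.txt (a plain string sort would not)."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def flag_from_dir(path):
    """Walk a directory of files and read the hidden text from their sizes."""
    names = sorted(os.listdir(path), key=natural_key)
    return sizes_to_text(os.path.getsize(os.path.join(path, n)) for n in names)


def build_sample_dir():
    """Constructed stand-in for the challenge archive: files whose only
    distinguishing feature is their byte length. Their contents are NULs here,
    which is why a hex editor would show them as 'empty'."""
    d = tempfile.mkdtemp()
    for i, n in enumerate(SIZES, start=1):
        with open(os.path.join(d, f"{i}.txt"), "wb") as f:
            f.write(b"\x00" * n)
    return d


if __name__ == "__main__":
    print(sizes_to_text(SIZES))
    print(flag_from_dir(build_sample_dir()))
```

Decoded, the recorded sizes spell bugku{na0d0ngdaka1}. On the real files `wc -c *.txt` or `stat -c %s *.txt` gives the same numbers; the point of the script is the ordering, since the characters only make sense in file-number order.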
III. Pokergame
Open the challenge.
Unzipping gives four files.
The hint is just the challenge description.
Analysing King with the 随波逐流 CTF toolkit shows that it hides an embedded file.
Extract it with Foremost.
Opening the result, it asks for a password.
In WinHex, search for the hex bytes 14 00 (the "version needed to extract" field, which sits right before the general-purpose flag in both the local file header and the central directory entry). In two places the byte that follows is 09, meaning the encryption bit is set: the zip is pseudo-encrypted. Change it to 00 and save.
The file then opens as a chunk of Base64-encoded image data.
Converting it back to an image on a third-party site gives half of a QR code.
Going on experience, run Foremost on the small joker image too, which yields the other half of the QR code.
Stitching the two together in Photoshop shows that one finder pattern is missing.
Select an existing one with the lasso tool and copy-paste it into place.
Finally, scan it with QR Research to get the unzip password: key{P0ke_Paper}
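The 09 seen after 14 00 is the low byte of the ZIP general-purpose flag word: bit 0 marks the entry as encrypted and bit 3 says the CRC and sizes follow the data. An archive with bit 0 set but no real encryption is what CTF write-ups call pseudo-encryption; the tool refuses to extract until the bit is cleared. Editing the two bytes in WinHex works for one entry. The example below is added here and is not the original author's code: it walks the central directory to find both flag words of every entry and clears only bit 0. The archive it patches is constructed in memory, with the flag words rewritten to 09 00 to mimic the pattern seen in the hex editor.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
ENCRYPTED = 0x0001           # bit 0 of the general purpose flag word


def _central_directory(buf):
    """Return (offset, size) of the central directory from the EOCD record."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", buf, eocd + 12)
    return cd_off, cd_size


def flag_fields(data):
    """Yield (central_flag_offset, local_flag_offset, filename) for every entry.

    The flag word sits at +8 in a central directory entry and at +6 in the
    local file header (right after the 2-byte 'version needed', the 14 00).
    """
    buf = bytes(data)
    pos, cd_size = _central_directory(buf)
    end = pos + cd_size
    while pos < end:
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        fn_len, ex_len, cm_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        if buf[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header signature at {local_off:#x}")
        name = buf[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        yield pos + 8, local_off + 6, name
        pos += 46 + fn_len + ex_len + cm_len


def clear_encryption_flags(data):
    """Clear bit 0 in both headers of every entry. Returns (patched bytes, names fixed)."""
    buf = bytearray(data)
    fixed = []
    for central_off, local_off, name in flag_fields(buf):
        touched = False
        for off in (central_off, local_off):
            flags = struct.unpack_from("<H", buf, off)[0]
            if flags & ENCRYPTED:
                struct.pack_into("<H", buf, off, flags & ~ENCRYPTED)
                touched = True
        if touched:
            fixed.append(name)
    return bytes(buf), fixed


def read_entry(data, name):
    """Read one member; returns None when zipfile refuses it as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            return zf.read(name)
        except RuntimeError:
            return None


def make_pseudo_encrypted_zip():
    """Constructed sample: a normal archive whose flag words are rewritten to
    09 00, the pattern observed in the hex editor. Nothing is really encrypted."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("king.txt", "data:image/png;base64,iVBORw0KGgo=")
    buf = bytearray(mem.getvalue())
    for central_off, local_off, _ in flag_fields(buf):
        struct.pack_into("<H", buf, central_off, 0x0009)
        struct.pack_into("<H", buf, local_off, 0x0009)
    return bytes(buf)


if __name__ == "__main__":
    bad = make_pseudo_encrypted_zip()
    print("before:", read_entry(bad, "king.txt"))
    good, names = clear_encryption_flags(bad)
    print("patched:", names, "after:", read_entry(good, "king.txt"))
```

Searching for 14 00 works in WinHex because both headers put that version field immediately before the flags, but the same two bytes can occur inside compressed data; walking the central directory from the EOCD record finds exactly the fields that matter. Zeroing the whole byte, as done above, also clears bit 3, which only matters if the archive genuinely relied on data descriptors. If clearing the bit produces garbage on extraction, the entry really was encrypted and a password is needed.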
The unzipped archive contains the following:
The txt file tells us that A is 1.
Look at the K file first: it is not a jpg, so inspect the file header in WinHex.
After fixing the header, opening it shows that it needs a password.
Going back to the earlier file, there is a run of digits at the bottom:
2345678910A2345678910A23456789102345678910AA2345678910A234567891023456789102345678910AAA2345678910A234567891023456789102345678910AA23456789102345678910AAA2345678910AAA2345678910AA234567891023456789102345678910AA2345678910A23456789102345678910A2345678910234567891023456789102345678910AA2345678910A2345678910AA2345678910AA23456789102345678910AAA2345678910AA23456789102345678910A234567891023456789102345678910A234567891023456789102345678910AAA23456789102345678910AAA2345678910234567891023456789102345678910AA23456789102345678910AAA2345678910AA23456789102345678910A234567891023456789102345678910A234567891023456789102345678910AAA2345678910A2345678910A2345678910AA23456789102345678910AAA23456789102345678910AA2345678910AA234567891023456789102345678910A23456789102345678910A2345678910234567891023456789102345678910AA2345678910A2345678910234567891023456789102345678910A234567891023456789102345678910AA2345678910A2345678910A2345678910AA234567891023456789102345678910A234567891023456789102345678910AA23456789102345678910AA2345678910A2345678910A2345678910A2345678910A2345678910AA23456789102345678910AAA2345678910AA2345678910234567891023456789102345678910A23456789102345678910AA23456789102345678910A23456789102345678910A2345678910A2345678910AA234567891023456789102345678910AA2345678910A2345678910A2345678910A23456789102345678910A23456789102345678910A2345678910A234567891023456789102345678910AAA2345678910AA2345678910AA234567891023456789102345678910AAAA2345678910A23456789102345678910A23456789102345678910A23456789102345678910A2345678910A234567891023456789102345678910A2345678910A2345678910AAA2345678910A234567891023456789102345678910AA2345678910AA234567891023456789102345678910AA23456789102345678910A2345678910A2345678910A2345678910AA2345678910234567891023456789102345678910AAA2345678910A234567891023456789102345678910A2345678910A23456789102345678910234567891023456789102345678910A2345678910A2345678910A234567891023456789102345678910A2345678910A2345678910A2345678910A2345678910AA23456789102345678910A234567891023456789102345678910AA23456789102345678910AA23456789102345678910A2345678910A2345678910AAA2345678910A2345678910A2345678910AAA23456789102345678910AAA23456789102345678910A23456789102345678910AA234567891023456789102345678910A2345678910A2345678910AA2345678910A23456789102345678910A234567891023456789102345678910AAA23456789102345678910AAA23456789102345678910A2345678910AAA23456789102345678910234567891023456789102345678910AA23456789102345678910A234567891023456789102345678910A23456789102345678910A23456789102345678910234567891023456789102345678910AA234567891023456789102345678910234567891023456789102345678910AAAA2345678910A
The content is almost entirely runs of 2345678910 joined together, while A appears alone or several in a row. Taking the hint at face value, treat it as binary: A = 1, 2345678910 = 0.
Write a script to do the replacement:
import base64

# The digit run from the file; every 2345678910 is a 0 bit and every A a 1 bit.
s = "2345678910A2345678910A23456789102345678910AA2345678910A234567891023456789102345678910AAA2345678910A234567891023456789102345678910AA23456789102345678910AAA2345678910AAA2345678910AA234567891023456789102345678910AA2345678910A23456789102345678910A2345678910234567891023456789102345678910AA2345678910A2345678910AA2345678910AA23456789102345678910AAA2345678910AA23456789102345678910A234567891023456789102345678910A234567891023456789102345678910AAA23456789102345678910AAA2345678910234567891023456789102345678910AA23456789102345678910AAA2345678910AA23456789102345678910A234567891023456789102345678910A234567891023456789102345678910AAA2345678910A2345678910A2345678910AA23456789102345678910AAA23456789102345678910AA2345678910AA234567891023456789102345678910A23456789102345678910A2345678910234567891023456789102345678910AA2345678910A2345678910234567891023456789102345678910A234567891023456789102345678910AA2345678910A2345678910A2345678910AA234567891023456789102345678910A234567891023456789102345678910AA23456789102345678910AA2345678910A2345678910A2345678910A2345678910A2345678910AA23456789102345678910AAA2345678910AA2345678910234567891023456789102345678910A23456789102345678910AA23456789102345678910A23456789102345678910A2345678910A2345678910AA234567891023456789102345678910AA2345678910A2345678910A2345678910A23456789102345678910A23456789102345678910A2345678910A234567891023456789102345678910AAA2345678910AA2345678910AA234567891023456789102345678910AAAA2345678910A23456789102345678910A23456789102345678910A23456789102345678910A2345678910A234567891023456789102345678910A2345678910A2345678910AAA2345678910A234567891023456789102345678910AA2345678910AA234567891023456789102345678910AA23456789102345678910A2345678910A2345678910A2345678910AA2345678910234567891023456789102345678910AAA2345678910A234567891023456789102345678910A2345678910A23456789102345678910234567891023456789102345678910A2345678910A2345678910A234567891023456789102345678910A2345678910A2345678910A2345678910A2345678910AA23456789102345678910A234567891023456789102345678910AA23456789102345678910AA23456789102345678910A2345678910A2345678910AAA2345678910A2345678910A2345678910AAA23456789102345678910AAA23456789102345678910A23456789102345678910AA234567891023456789102345678910A2345678910A2345678910AA2345678910A23456789102345678910A234567891023456789102345678910AAA23456789102345678910AAA23456789102345678910A2345678910AAA23456789102345678910234567891023456789102345678910AA23456789102345678910A234567891023456789102345678910A23456789102345678910A23456789102345678910234567891023456789102345678910AA234567891023456789102345678910234567891023456789102345678910AAAA2345678910A"
# Replace the long token first so that the single-character A can never be matched inside it
s = s.replace("2345678910", "0")
s = s.replace("A", "1")
print(s)
Convert the output bits to ASCII.
The result ends in =, so decode it again as Base64.
That gives the password OMG_Youdoit; use it to unzip K.
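The replace-then-print script above leaves the bits-to-ASCII and Base64 steps to a website. As an added example (not the write-up's code), the functions below perform the whole pipeline offline: tokenise the text into bits, matching the longer token first so the single-character symbol is never consumed out of the middle of the other one, pack the bits into bytes, and Base64-decode when the bytes are valid Base64. The sample input is constructed by running the encoding in reverse on the known password OMG_Youdoit; the default tokens are the two from the challenge.

```python
import base64
import binascii


def tokens_to_bits(text, zero="2345678910", one="A"):
    """Translate a two-symbol text into a bit string.

    Tokens are tried longest first, so a one-character symbol cannot be matched
    inside the longer one. Any byte that starts neither token is an error rather
    than being silently dropped, which is how a wrong guess about the alphabet shows up.
    """
    symbols = sorted(((zero, "0"), (one, "1")), key=lambda t: -len(t[0]))
    bits = []
    i = 0
    while i < len(text):
        for tok, bit in symbols:
            if text.startswith(tok, i):
                bits.append(bit)
                i += len(tok)
                break
        else:
            raise ValueError(f"unexpected character at offset {i}: {text[i]!r}")
    return "".join(bits)


def bits_to_bytes(bits):
    """Pack a bit string into bytes; refuse input that is not byte aligned."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return int(bits, 2).to_bytes(len(bits) // 8, "big") if bits else b""


def decode_token_binary(text, zero="2345678910", one="A"):
    """Full pipeline: tokens -> bits -> bytes -> Base64-decoded text.

    Falls back to the raw bytes (as latin-1) when they are not valid Base64,
    so the caller still sees what the bits spelled.
    """
    raw = bits_to_bytes(tokens_to_bits(text, zero, one))
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw.decode("latin-1")


def encode_token_binary(data, zero="2345678910", one="A"):
    """Inverse of decode_token_binary; used only to build the constructed sample."""
    payload = base64.b64encode(data.encode())
    return "".join(one if b == "1" else zero
                   for byte in payload for b in format(byte, "08b"))


# Constructed sample: the challenge's alphabet applied to the known password.
SAMPLE = encode_token_binary("OMG_Youdoit")

if __name__ == "__main__":
    print(tokens_to_bits(SAMPLE)[:32])
    print(decode_token_binary(SAMPLE))
```

The byte-alignment check in bits_to_bytes is the practical test of the A = 1 hypothesis: if the digit run did not tokenise to a multiple of eight bits, either the mapping or the transcription would be wrong.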
The file tells us that the flag is upside down.
Looking at the picture, there should be a lower half.
For a JPG, fix the height: first look at the detailed properties to read the current dimensions.
Then convert the height to hexadecimal, search for it in the file and set it to a larger value.
Flip the image and a small piece of text becomes visible: flag{Poker_F@ce}
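JPEG keeps its dimensions in the SOFn frame header (FF C0 for baseline, FF C2 for progressive): after the two-byte segment length and one byte of sample precision come two big-endian bytes of height and two of width. Searching the file for the hex of the known height, as above, works but can match the same two bytes elsewhere. The example below is added here and is not from the write-up: it walks the marker segments to locate the SOF header and rewrites the height there. JPEG carries no checksum over this header, unlike PNG's IHDR, so nothing else needs updating. The sample it runs on is a constructed header-only JPEG prefix, enough to exercise the parser but not a displayable image.

```python
import struct

SOI = b"\xff\xd8"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended sequential, progressive


def find_sof(data):
    """Walk the JPEG segment chain and return the offset of the SOFn marker.

    Raises ValueError if the data is not a JPEG or no frame header precedes
    the first start-of-scan (after which entropy-coded data begins).
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing FF D8 start-of-image")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in SOF_MARKERS:
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if marker == 0xDA:
            break  # start of scan: SOF must have come earlier
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def get_dimensions(data):
    """Return (height, width) from the SOF segment."""
    sof = find_sof(data)
    return struct.unpack_from(">HH", data, sof + 5)


def set_height(data, new_height):
    """Return a copy with the SOF height rewritten.

    Only the header changes; a decoder will then render the rows that were
    hidden below the old height, which is where this challenge put the flag.
    """
    buf = bytearray(data)
    sof = find_sof(buf)
    struct.pack_into(">H", buf, sof + 5, new_height)
    return bytes(buf)


def make_sample_header(height, width):
    """Constructed JPEG prefix: SOI, a JFIF APP0 segment and an SOF0 frame
    header for a 3-component image. A real file continues with DQT, DHT and
    SOS segments; this is only enough to exercise the parser."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = (b"\x08" + struct.pack(">HH", height, width)
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return (SOI
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


if __name__ == "__main__":
    img = make_sample_header(300, 800)
    print(get_dimensions(img), "->", get_dimensions(set_height(img, 600)))
```

On a real file, run get_dimensions first and compare with what the properties dialog shows; if they disagree, the file has been tampered with in a way this header does not explain (for example a second SOF in an embedded thumbnail), and the search-and-replace approach would be editing the wrong bytes.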
IV. where is flag 4
Open the challenge.
The file contains Base64.
Decoding it directly gives garbage.
Converting the decoded bytes to hex, they start with 5d, which suggested a compressed file.
Looking closely at the odd positions: the odd-position digits of the first 16 hex digits are 504B0304, the signature of a ZIP local file header (PK\x03\x04). The real data is interleaved with junk nibbles.
from binascii import unhexlify


def extract_odd_positions(hex_data):
    # Keep the hex digits at odd positions (1-indexed), i.e. indices 0, 2, 4, ...;
    # the digits in between are junk that hides the real file.
    return ''.join(hex_data[i] for i in range(0, len(hex_data), 2))


def main():
    s = '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'
    odd_hex_positions = extract_odd_positions(s)
    print("hex digits at odd positions:", odd_hex_positions)
    # The recovered digits begin with 504B0304, the ZIP local file header, so write them out as a zip
    with open('flag.zip', 'wb') as f:
        f.write(unhexlify(odd_hex_positions))


if __name__ == '__main__':
    main()
Unzip it to get the flag.
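The script above hard-codes which nibble phase to keep. As an added example (not the original code), the function below decodes the Base64, hexlifies the result, tries both phases and keeps the one whose leading bytes match a known file signature, so it works whether the real data sits at the odd or the even positions and refuses to write a file when neither looks right. The input it uses is constructed: a tiny zip, hexlified, with a junk nibble inserted after each real nibble (the first junk digit is d, matching the 5d observed above), then Base64-encoded like the challenge file.

```python
import base64
import binascii
import io
import zipfile

# Leading bytes of a few file types worth recognising in a CTF; extend as needed.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"Rar!": "rar",
    b"\x7fELF": "elf",
}


def recover(b64_text):
    """Base64-decode, hexlify, then try both nibble phases.

    Returns (kind, bytes) for the phase whose leading bytes match a known
    signature; raises if neither phase does, rather than writing junk to disk.
    """
    raw = base64.b64decode(b64_text)
    hexstr = binascii.hexlify(raw).decode()
    for start in (0, 1):
        candidate = hexstr[start::2]
        if len(candidate) % 2:
            candidate = candidate[:-1]  # drop a dangling nibble
        blob = binascii.unhexlify(candidate)
        for magic, kind in MAGICS.items():
            if blob.startswith(magic):
                return kind, blob
    raise ValueError("neither nibble phase yields a recognised file header")


def zip_member(blob, name):
    """Read one member from recovered zip bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def build_sample():
    """Constructed input: a tiny stored zip, hexlified, with a junk nibble
    after every real nibble, then Base64-encoded. The junk cycles through
    d3a7 so the hex begins 5d, as in the challenge."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    real = binascii.hexlify(mem.getvalue()).decode()
    junk = "d3a7"
    mixed = "".join(n + junk[i % len(junk)] for i, n in enumerate(real))
    return base64.b64encode(binascii.unhexlify(mixed)).decode()


if __name__ == "__main__":
    kind, blob = recover(build_sample())
    print(kind, zip_member(blob, "flag.txt"))
```

Checking the signature before writing is the step worth keeping: a zip whose first bytes are not PK\x03\x04 (or PK\x05\x06 for an empty one) was extracted at the wrong phase or offset, and no archiver will open it.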