CTF红明谷杯2021 MISC WP

最新推荐文章于 2023-04-19 18:05:26 发布
最新推荐文章于 2023-04-19 18:05:26 发布
阅读量1k 收藏 4
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Sapphire037/article/details/115434359
版权

红明谷杯赛后复现

没报名呜呜呜

1.InputMonitor

下载文件,发现东西很多,怎么办呢,一个一个找吧,在Desktop中发现有flag.7z和log_data.txt还有个exe文件,先看flag.7z,有密码,再看txt文件,在这里插入图片描述

很明显的提示说在监控输入,那么就要找到他输入的内容,尝试爆破7z无果,到这里就卡住了,听师傅们说取证大师可以一把梭,赛后看了师傅们的wp,取证大师直接把压缩包密码梭出来了,密码是 有志者事竟成.打开压缩包得到hidden.pdf,可以把图片删掉得到flag,也可以直接选中复制得到flag,最终flag为𝑓𝑙𝑎𝑔{𝑌0𝑢_𝐹1𝑛𝑑_ℎ1𝑑𝑑3𝑛_𝑚3𝑔}.

2.我的心是冰冰的

拿到题目,一个图片一个压缩包,压缩包是加密过的,那么正常思路就是从图片里拿到压缩包的密码,尝试了各种各样的隐写方式,都没解出来,赛后才知道这是java盲水印,只能一个一个试…,

java -jar BlindWaterMark.jar decode -c bingbing.jpg 1.jpg
地址:java盲水印

得到在这里插入图片描述

后面几个看不清楚盲猜一下,gnibgnib,得到密码,打开压缩包得到一个流量包,查看发现是键盘流量,tshark梭一把:

tshark -r bingbing.pcapng -T fields -e usb.capdata > data

脚本梭一把(这里我用的是神师傅的脚本,很舒服,一把梭):得到

666c61677b3866396564326639333365662<DEL>31346138643035323364303334396531323939637d

DEL说明把2删掉,拿这串数字十六进制转字符得到flag:flag{8f9ed2f933ef14a8d0523d0349e1299c}

3.歪比歪比

因为没报名,直接从别的师傅那拿了文件,是一个流量包(据说下载下来的还得改后缀)。随便选了一个追踪TCP流得到:

Surprise
Wabby Wabby: 
j 29
z 31
7 25
e 31
l 23
6 37
4 32
p 38
h 27
g 26
x 28
i 25
u 27
n 25
8 36
0 24
o 23
c 28
y 24
1 29
b 26
m 27
2 28
v 25
d 33
f 28
9 33
t 21
w 22
a 31
r 24
s 16
k 32
5 25
q 23
3 32
{ 1
- 4
} 1
Wabby Wabbo: 
0111110001000011001010001111011110101010011011011110100000110010111101000010010010001100001110010000011110011101101111011001111101000000111010100000101101001000111100000000010100110100101001011101110010001100011100010010111001100011100110011010011000101010100011011110001111111110111001011100010100101111100001011011001001001000010111110101110111010111100010111011000011001011001101001010010111111001110101000110001001001100101110111101111000110010010111111000111110000101001100100100001001110100101011111101111110011101011101000000100100100011111111001000101110101001001101110001011101101001001001011010000101111111001011111100110010100111111110001001100100010010010011110111110110110001101000010010110110001011010000100011010111110101110000110000010001111111110000101000100101101111000111100101101011001100010101011000110010011111001010011110100100011000101111110111011011000011011010100011011100010001010001010000000001101001010010100111111010010110110011110100101010010101001010100010101011010011110001000011000100001010111001110001100101100001010111011110110111110000001011011111011101101000111111110100111100110011101111100111100101101101101010100110001100100110101011110000011111111100011110011101010011110101010111100111100001000111110111110100010011110011000010000100001100101111101010110101100011100010010100001110001001010110010010010100010101101101001110000101111110101010110110110000010011000111000010001001101101101101100111000011000011010101111010101100101000011011001011000101101110100011110001100111101111011000100110110000111010101101111101001111111111100001000111000001001011111011110010110101011110001110001101010011000101111100001111111011100110101001000011111101111111011001111110001110111110110010111000111011011110010101010110011001110110011110001111010000011010101000111110111011100101100100100100001111101010011101111100110011100000010100101000111100100011001011111000000111111111000000011111111101110111111001110100100000100000011011111010000000011110101110111101101011001111011010101111000010110001101000111000111000001110110111000100011110101100100100011100111100101101010010110101011111110011100100000111011011010101101110111000001001100110111001000111001000000111000110010110000100100010001001111010101000101101111000000110101110011101001011100110111101101111100001111000110001101010000111100100011110001100110111001101011100010101011110111111111100101100101010001101110101101101010101001110100001101011000100001111011011100101011000001001000011011000111011101110011001101110100000010100000101111010000001000011001101101111010011101000000101101101011101001101110000010011110001110100111000101111101010110111010011010011000011000110110010110001001000101101111000010010001011110100010111010100101100101111010100001110111100000100101101011110010110001000111111001000000101110010111010001101101111101110111000010101100100001010101001010010001011101001100101010101001111110000010011010011110101001001001110010110100111011110110000111101000010011111000111111001111010011101011010011100010001111101001110011110101111111111111011010100000010100010010011110100110011011101011101011101100000100111110111100100000101011000110110000010110001001111111111011101011000010101111110111001011101111111100111011101001000111011110110111101001011110011000110011000010011011001001100010010111110000110100001110111100110110100101010010111001001100101111010010001001111111000010111101010110000001110101000111011010111100110101001001110001110001001111110001000010011011110100111011111000101111110011000011010001000101000110011100011001001011000111011100101101000110001110011011101010101001010011101110100100111101011101010011010101010111101110101101000001111100111111010011010111101000101011111101011100101101101001100011001111101111100100111101101101110111111010111010100100101110111000011100001001000011100010101110100111110011001100101111110110100111101000010001000011011110000011010110111010110001110011111110000011110010001011010010111111101010101110010000001010011111011100101000101101010101101101000101000110011101101010110001100101011101110111100000001010000011110011010011000011111110100111011100100111000001101001110111100000101010110000010000100001110111000011111110010010100111111101010110000000000111011010000101100100111001110000001011101100000110110101011001011000111001111110010101111001011011101000010001100011101110010100111000011111001110001100111110110111101010101011001000101011010001100000010001111110011001101111111010110010001111001100111110001110011100010011011100100010011011000110000100101111100111110111101010010001101010011100110001011001111000100011011110100011101011101010111111110000011110110111011110000010111100110011100011010111101111110100000010001111100101100011110001101011111101111111011111011101010001101001000111000101111110101000110011000111011111101111110100001111011110010100011101110111111010101100111000101100100010011101001011110011111001111101110001110111111011100111100010110010011011010100011100101010101010110000001010111001101111100111110010100111000010101111001110011011011111001101110011111001000000000111101011000111110001101010011011000010100100100111011111110010000000101001111111110101100001010000001110100101001111001011011001001001011100101111110
surprise message len: 1000

什么玩意这是。观察到{ }后面都是1联想到flag格式也是只有一个{和一个},赛后了解到哈夫曼编码,说权重可能更好理解,直接上从或或师傅博客偷来的脑王的脚本

import copy
import re

def dfs(c, d):
    if len(c.keys()) == 1:
        # g = {'j':29,'z':31,'7':25,'e':31,'l':23,'6':37,'4':32,'p':38,'h':27,'g':26,'x':28,'i':25,'u':27,'n':25,'8':36,'0':24,'o':23,'c':28,'y':24,'1':29,'b':26,'m':27,'2':28,'v':25,'d':33,'f':28,'9':33,'t':21,'w':22,'a':31,'r':24,'s':16,'k':32,'5':25,'q':23,'3':32,'{':1,'-':4,'}':1,}
        # num = 0
        # for k in g.keys():
        #     num += g[k] * len(d[k])
        # print(num)
        # print(c, d)
        g = {}
        for k in d.keys():
            g[d[k]] = k
        a = '0111110001000011001010001111011110101010011011011110100000110010111101000010010010001100001110010000011110011101101111011001111101000000111010100000101101001000111100000000010100110100101001011101110010001100011100010010111001100011100110011010011000101010100011011110001111111110111001011100010100101111100001011011001001001000010111110101110111010111100010111011000011001011001101001010010111111001110101000110001001001100101110111101111000110010010111111000111110000101001100100100001001110100101011111101111110011101011101000000100100100011111111001000101110101001001101110001011101101001001001011010000101111111001011111100110010100111111110001001100100010010010011110111110110110001101000010010110110001011010000100011010111110101110000110000010001111111110000101000100101101111000111100101101011001100010101011000110010011111001010011110100100011000101111110111011011000011011010100011011100010001010001010000000001101001010010100111111010010110110011110100101010010101001010100010101011010011110001000011000100001010111001110001100101100001010111011110110111110000001011011111011101101000111111110100111100110011101111100111100101101101101010100110001100100110101011110000011111111100011110011101010011110101010111100111100001000111110111110100010011110011000010000100001100101111101010110101100011100010010100001110001001010110010010010100010101101101001110000101111110101010110110110000010011000111000010001001101101101101100111000011000011010101111010101100101000011011001011000101101110100011110001100111101111011000100110110000111010101101111101001111111111100001000111000001001011111011110010110101011110001110001101010011000101111100001111111011100110101001000011111101111111011001111110001110111110110010111000111011011110010101010110011001110110011110001111010000011010101000111110111011100101100100100100001111101010011101111100110011100000010100101000111100100011001011111000000111111111000000011111111101110111111001110100100000100000011011111010000000011110101110111101101011001111011010101111000010110001101000111000111000001110110111000100011110101100100100011100111100101101010010110101011111110011100100000111011011010101101110111000001001100110111001000111001000000111000110010110000100100010001001111010101000101101111000000110101110011101001011100110111101101111100001111000110001101010000111100100011110001100110111001101011100010101011110111111111100101100101010001101110101101101010101001110100001101011000100001111011011100101011000001001000011011000111011101110011001101110100000010100000101111010000001000011001101101111010011101000000101101101011101001101110000010011110001110100111000101111101010110111010011010011000011000110110010110001001000101101111000010010001011110100010111010100101100101111010100001110111100000100101101011110010110001000111111001000000101110010111010001101101111101110111000010101100100001010101001010010001011101001100101010101001111110000010011010011110101001001001110010110100111011110110000111101000010011111000111111001111010011101011010011100010001111101001110011110101111111111111011010100000010100010010011110100110011011101011101011101100000100111110111100100000101011000110110000010110001001111111111011101011000010101111110111001011101111111100111011101001000111011110110111101001011110011000110011000010011011001001100010010111110000110100001110111100110110100101010010111001001100101111010010001001111111000010111101010110000001110101000111011010111100110101001001110001110001001111110001000010011011110100111011111000101111110011000011010001000101000110011100011001001011000111011100101101000110001110011011101010101001010011101110100100111101011101010011010101010111101110101101000001111100111111010011010111101000101011111101011100101101101001100011001111101111100100111101101101110111111010111010100100101110111000011100001001000011100010101110100111110011001100101111110110100111101000010001000011011110000011010110111010110001110011111110000011110010001011010010111111101010101110010000001010011111011100101000101101010101101101000101000110011101101010110001100101011101110111100000001010000011110011010011000011111110100111011100100111000001101001110111100000101010110000010000100001110111000011111110010010100111111101010110000000000111011010000101100100111001110000001011101100000110110101011001011000111001111110010101111001011011101000010001100011101110010100111000011111001110001100111110110111101010101011001000101011010001100000010001111110011001101111111010110010001111001100111110001110011100010011011100100010011011000110000100101111100111110111101010010001101010011100110001011001111000100011011110100011101011101010111111110000011110110111011110000010111100110011100011010111101111110100000010001111100101100011110001101011111101111111011111011101010001101001000111000101111110101000110011000111011111101111110100001111011110010100011101110111111010101100111000101100100010011101001011110011111001111101110001110111111011100111100010110010011011010100011100101010101010110000001010111001101111100111110010100111000010101111001110011011011111001101110011111001000000000111101011000111110001101010011011000010100100100111011111110010000000101001111111110101100001010000001110100101001111001011011001001001011100101111110'
        m = ''
        st = 0
        while st < len(a):
            ed = st + 5
            while ed <= len(a):
                if a[st:ed] in g.keys():
                    m += g[a[st:ed]]
                    break
                else:
                    ed += 1
            st = ed
        print(re.findall(r'flag\{[a-f0-9-]*\}', m)[0])

    else:
        k0 = list(c.keys())[0]
        k1 = list(c.keys())[1]
        if c[k0] > c[k1]:
            k0, k1 = k1, k0
        for k in list(c.keys())[2:]:
            if c[k] < c[k1]:
                if c[k] < c[k0]:
                    k0, k1 = k, k0
                else:
                    k1 = k
        for a in k0:
            d[a] = '0' + d[a]
        for a in k1:
            d[a] = '1' + d[a]
        c[k0+k1] = c[k0]+c[k1]
        del c[k0]
        del c[k1]
        dfs(copy.deepcopy(c), copy.deepcopy(d))

c = {'j':29,'z':31,'7':25,'e':31,'l':23,'6':37,'4':32,'p':38,'h':27,'g':26,'x':28,'i':25,'u':27,'n':25,'8':36,'r':24,'o':23,'c':28,'y':24,'1':29,'b':26,'m':27,'2':28,'v':25,'d':33,'f':28,'9':33,'t':21,'w':22,'a':31,'0':24,'s':16,'k':32,'5':25,'q':23,'3':32,'{':1,'-':4,'}':1,}
d = {}
for k in c.keys():
    d[k] = ''
dfs(copy.deepcopy(c), copy.deepcopy(d))
# print(c)

得到flag:flag{50d477a2-6r36-dra9-9d63-49c2e9e5d1e5}

ps : tql!

Sapphire037
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 3
    评论
领航杯 CTF 2021 决赛 真题 7z
12-07
领航杯 CTF 2021 决赛
PolarD&N MISC(简单)大礼包 :详细思路过程
最新发布
2301_79355407的博客
03-20 994
PolarD&N:MSIC简单部分大礼包详细解题过程(萌新)
2021红明谷杯数据安全大赛技能场景赛 Input Monitor
weixin_45805993的博客
09-25 1544
突然想起这个题… 先用autopsy挂载给的文件 桌面有压缩包和hint 没事,我都删掉了,之前的聊天记录都被我清干净了。除非他们在监控我输入 提示要得到输入记录 用到输入法取证https://mp.weixin.qq.com/s/0p3vbLub5vPKO5Pik9zmUQ 通过对Win10系统自带中文输入法程序运行进程的分析,发现与中文输入法相关的用户词库文件主要存储在 C:\Users\Administrator\AppData\Roaming\Microsoft\InputMethod\Chs
2023红明谷杯密码wp
mxx307的博客
04-19 750
2023红明谷杯密码wp
[红明CTF 2021]JavaWeb
Mrs_H的博客
04-08 2107
[红明CTF 2021]JavaWeb 一.前言 好像是已经很久不刷题了,因为最近一直在忙着复习高数和专业课,拿不出太多的时间来打CTF。但是这次也总算是找到了点时间,做道java的简单题来放松一下,不能总是学那些书本上的知识了,感觉学多了也会烦。 二.正文 这道题目上来就让我们访问/login目录,所以我们直接访问试试看。 服务器那边又让我们访问/json的路径,但是我们如果用post方法对服务器进行访问的话,服务器又会返回另外的结果。 这里的登陆失败,就表明我们需要进行身份验证,我们尝试输入一对用
[红明CTF 2021]EasyTP
Sk1y的博客
01-01 2487
[红明CTF 2021]EasyTP 文章目录[红明CTF 2021]EasyTP解题过程解法1:报错注入解法2:开堆叠写shell解法3:rogue-mysql-server参考链接 解题过程 打开容器 源码泄露/www.zip 下载下来,发现是thinkphp3.2.3的,找链子:ThinkPHP v3.2.* (SQL注入&文件读取)反序列化POP链 (f5.pm) 注意在源码中,控制器中存在反序列化,以这个为入手点 在BUUCTF的环境中,database=test,password
CTF 湖湘杯 决赛 2021 final.zip
12-07
CTF 湖湘杯 决赛 2021 final】 CTF(Capture The Flag)是一项网络安全领域的竞技活动,参与者通过解决一系列网络安全问题来获取得分,最终以得分高低决定胜负。湖湘杯作为一项知名的CTF比赛,旨在促进网络安全...
中山市香山杯 2021 CTF zip
12-07
中山市香山杯 2021 CTF zip
bugku ctf misc wp2.pdf
07-05
bugku ctf misc wp2.pdf
绿城杯 CTF 2021 真题 (1).rar
12-07
【绿城杯 CTF 2021 真题】是一个网络安全竞赛的实战题目集,主要涉及计算机安全领域的各种挑战,旨在检验参赛者在逆向工程、密码学、Web安全、移动安全、取证分析等多个方面的技能。CTF(Capture The Flag)比赛是一...
第二届“红明谷”杯数据安全大赛Misc之一
m0_45373799的博客
04-03 380
Misc MissingFile 好像被攻击者入侵了,但是赶到现场的时候,已经只剩下一个空的文件夹了,快照能找到攻击者留下的秘密吗? 附件中给了一个很大的文件,不确定格式,在Linux下用strings命令找一下特定字符串:flag{ strings /home/zjr/memory | grep flag{ 即可得到结果 strings /home/zjr/memory | grep flag{ flag{Hide_Behind_Windows} flag{Hide_Behind_Wi
红明谷“ 初赛 web 部分WP
feng的博客
04-03 1395
前言 参加了第一届红明谷的比赛,4道web当时只做出2道,第三道苦于那个数据库的密码不知道,赛后才问了别的师傅才知道是123456这个弱密码。。。草了。 因为实在太懒了。。。本来不想专门写这篇WP的,因为当时做题的时候只潦草的记下了当时的wp,用的姿势可能还不是最简便的方式。但是想想,不写的话总感觉缺了点什么,所以就把我当时潦草的wp记录给复制粘贴过来了(笑),见谅见谅。 happysql ban了单引号,但是查询的语句中用的是双引号,拿双引号闭合,如果登录成功的会302跳转到home.php,因此可以布尔
红明谷”杯数据安全大赛 技能场景赛 部分wp
Alanpipi*的博客
04-03 4915
欢迎使用Markdown编辑器 新的改变 全新的界面设计 ,将会带来全新的写作体验; 在创作中心设置你喜爱的代码高亮样式,Markdown 将代码片显示选择的高亮样式 进行展示; 增加了 图片拖拽 功能,你可以将本地的图片直接拖拽到编辑区域直接展示; 全新的 KaTeX数学公式 语法; 增加了支持甘特图的mermaid语法1 功能; 增加了 多屏幕编辑 Markdown文章功能; 增加了 焦点写作模式、预览模式、简洁写作模式、左右区域同步滚轮设置 等功能,功能按钮位于编辑区域与预览区域中间; 增加了 检查
[红明CTF 2021]JavaWeb buu刷题记录
weixin_51458899的博客
04-08 1802
映入眼帘的报错,然后搜一下知道是spring的洞 有个登录,然后提示json,又看到cookie cve-2020-11989 Apache Shiro 身份验证绕过漏洞 (CVE-2020-11989) - 腾讯安全玄武实验室 (tencent.com) Apache Shiro权限绕过漏洞分析(CVE-2020-11989) (qq.com) 参考这两篇,得出两种攻击方式 payload1: 双编码绕过 / -> %2f ->%25%32%66 payload2: 分号 使用payl
Java安全-Java In CTF([红明CTF 2021]JavaWeb、[红明CTF 2021]JavaWeb)
Love&Share
05-05 2260
文章目录[RoarCTF 2019]Easy Java[红明CTF 2021]JavaWeb [RoarCTF 2019]Easy Java 存在文件下载,尝试去读 WEB-INF/web.xml,get 传参发现一直失败 在 burp 中改为 post 传参,可以正常下载文件 只要再去读 class 文件即可 成功下载 class 放到 idea 中,拿到 flag [红明CTF 2021]JavaWeb 题目提示 /login 目录,访问提示 /json 访问 /json 跳回到 /lo.
[红明谷杯]wp(正则注入,hex绕过)
Huamang的博客
04-03 742
write_shell <?php error_reporting(0); highlight_file(__FILE__); function check($input){ if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){ // if(preg_match("/'| |_|=|php/",$input)){ die('hacker!!!'); }else{ retur
红明谷web部分wp
lllffg的博客
04-07 269
红明谷web部分wp 第十四距离线下赛差一点点,原地裂开 happysql username="||(1)%23&password=1 成功回显 username="||(select(12)regexp(12))%23&password=1 成功回显 username="||(select(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats)regexp("f1ag"))%23&passw
2020祥云杯CTF挑战解析:进制翻转与图像恢复
"2020祥云杯网络安全竞赛的CTF(Capture The Flag)Write-up,高清PDF版本,包含了赛事中的各种挑战解决方案,主要涉及Miscellaneous(杂项)类问题,包括进制转换、音频处理、文件恢复等技术。" 在2020年的祥云杯...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值