菜的不行,二维码原题都没做出来(
不过shiro拿了个一血勉强可以接受了
吉林第一站
百度识图+搜索引擎搜吉林景点
Neepu{zhuqueshan_songhuahu_dongbeidianlidaxue}
重生之我是CTFer
一点点难以言述的逻辑+一通乱点就出来了,没搞懂在考什么
Neepu{39ad172c-eee1-4ef5-8b39-fac300410246}
倒影
010模板会报错
zsteg看了一下有个DNEI
搜一下GNP也搜到了,看来里面就是一个倒着的图
提取png
import re
with open('reflection.png','rb') as f:
hex_list = ("{:02X}".format(int(c)) for c in f.read()) # 定义变量接受文件内容
buflist = list(hex_list)
string=''
for i in buflist:
string+=i
pattern = r'826042AE(.*?)474E5089'
match = re.search(pattern, string)
data = '826042AE'+match.group(1)+'474E5089'
byte_data = bytes.fromhex(data)
file_path = 'hexdata'
with open(file_path, 'wb') as file:
file.write(byte_data)
倒转回正常顺序
with open('hexdata','rb') as f:
hex_list = ("{:02X}".format(int(c)) for c in f.read()) # 定义变量接受文件内容
buflist = list(hex_list)
string=''
for i in buflist[::-1]:
string+=i
data=bytes.fromhex(string)
with open('reflection1.png','wb') as file:
file.write(data)
得到一张一模一样的图,尝试双图盲水印
用python3版本的可以得到正确的盲水印
ps稍微调节一下对比度,亮度,曝光杂七杂八的,勉强能看清一点了,最后有个很像H
的,但是根据文件名reflection
应该是fl
Neepu{THe_S3cR3t_UNd3r_t4e_R3fl3Ct10n}
Shiro
直接根据题目名结合流量可以知道是Shiro反序列化漏洞,主要参考这篇文章(13条消息) Apache Shiro反序列化漏洞复现并利用(CVE-2016-4437)
cmd参数是命令执行
neepu参数解一次url之后再解base64得到class文件
jadx反编译,得到响应包的加密逻辑,就是一个简单的和密钥进行异或操作,接下来要找密钥
根据文章所述得到rememberMe字段是base64形式的AES加密结果
再根据exp得到AES模式是CBC,iv就是rememberMe前16字节的数据,16字节后的数据就是密文,还缺一个AES的key
流14中得到key为iuzhc745+7itcDCi+vjmxg==
解密脚本
import sys
import base64
from Crypto.Cipher import AES
def get_encrypted_text(RememberMe_cookie):
return base64.b64decode (RememberMe_cookie)
def decode_rememberme_file(encrypted_text):
key = "iuzhc745+7itcDCi+vjmxg=="
mode = AES.MODE_CBC
IV= encrypted_text[:16]
encryptor = AES.new(base64.b64decode(key), mode,IV=IV)
remember_bin = encryptor.decrypt(encrypted_text[16:])
return remember_bin
cookie = 't1eYVYYgag142Lcrwn/u0ZrKhQVRgia8JEqT+LQ24+2cVQJR/r0c9g+uRaGIS6Wylu+g3vvgBJbH4630bJAMg5tzISEtDywL6wM8h0QPrvfKK94bF9SzrtKHKvgrD7d/Ztk7Fe8tdtvgxFNMx4BFC8binVug/dwRMSnRHJUaBPdI6N+17g4FYqF3teINkKfyCblfAiE933hVGau/evCPW3aW1wcGOLrtWokzAHKv2AJQlmeNgOEYLeXPOdgtmUHz46QKVd4Nzg44eX/aFCZfq1g/HajssXM1koVX0QZsBUMwQI7LX2NJq0mu4swjYY44QU/t92ych+kcYqaUu9RyqRv24nsLW0hFJqmEE3MzB1YJ2ABJIQNMQBed7m8qwe9PCuWe2fuwFrIVPie+lcK0FgkZ1rpvZN8W9LHH6chdBlaVUI60hTUJKCxkwl4FEC2ztZLW5PbKM/g6OfSd1uhkRhiO3Tk6EBrXlXJx8zr2DOIrvwAZ2czVDxlQSP51mFEMwd6+tyVMLZumEdipZkEb2u153srO5rF4ZJJYSWwOBiBubeh/3EtcV6SKu9VigLStuKsyJL43f/5yWe/a2OQ60WmgH+c6TzIbp43MIBxBP0iF/KV4vV4DzIQfVL636nCAlJRvbWHZbBoPZGjYBSVcCbyzZcODlimf6J+LNI75LHYhS0/BfPT7x9tyrZWmnH8FducE0kOZ6hFauEh3tibsujhCXZqaf3a8eIHccHz/FGc6IBL7gbfXXdrXaUtorEZc1YTzjUCeCytbZGa+0CX4qPImms+rkiaVZ9QVuF1ZQRqRjTrnchpajVSSJIZOw4wFeHdrOvhZPBOQtSggUb2fp+Nc0XVE4auYxIvHtAOgaFduDfErFE8otEjN5athFBdmYoxEzIWOSuHLgXEKhVYOWDNLxaBTQJckELoWSPIXFbbux4tpwB/LoWgvl+tR2VwrdXdUrqfqXecSAt1T7jcWt6NqYl/2RoZqtEqUArLc6K9hEsb646WhSUgEHBsXAxIWRfpNbrLtz4s7byF8AbRJdY+qRhEwewUqu7p1AAizoj8ojVA8nIsImbDESDzyHGSzCUfLGl7bh4f2GTWUbMDO6vtFXHuOaZTmeOUqBcwJLxPfFort00k1eE77bIZPRQ8m4hOlnp4JdZRhJgl5Rf1+8+Q2xW/zLPXEzCoWC+kkXpYS/KjPmO0uB0rk6eu97pUTC1DlL1OgIh5zskVZZCghQaM/61sZtmlaJFGJPg01Z/kjw5m8Idj7HZ9ElFL+agxdncaSWBbwnnn+Q9JhoQ5Xjq/y3DF9MXkWHSXse1BWjqVUL+qOEA4n+iogxPtS31dEUEBADLQ7rHkHnQv5OmHXXRkrrLtjIPDxFCivzwmVKB2a674S11toQWA0/uL8wZRwNT22ThIejlRvKAb/j3lBsZpjt8CAOGDD6KQSbyMAyi0nFJoFdKbO5uAI7AFt7pDHbtA7sc5cqLKNEeGwaCG3QimHVbFrLMfei4bYUgcvUQxzogTuol3u24eKgDilzfAt7NpgHkl6gsKKgYDe8t4KteE09JGBc54m/wjgtizF4qBfBJT1xGx3CUw+uHbKIg8sXGcTT657rpnmOG9d+PK6UansrN+MgLpkGQWm58vcyWQfiXoUVPb/F1nmbloFdORIQx7I47eRvnoDdzWHmAA74cDMpRPMtCsX8nvT97afz4Sf/K8SQFMrlzeqb7kZpLMa1euWc2dcttRAWAUrQCZEBu8LNEpIsTeLWsAFvZksC4B1DZtUPkDW10nPqCX2DfcaS1SteMgwYWMwSTyN14f+wD/SFfbTRNFxEoGt+iQjsUHVzH8kTt2i2ssZz+yaPdsi7o339b863JlUUabdsWmp9J7BiSLKnCu86SO8sJ7VhOB+IVaI4nl07TFQAkDgfMqHwGDIKHPWwE3HneuJVycHFL1sxkonqwoZcpq4GCJYpMy1xuJpGPb+Itex8281RWaovQIigpIC0Ldvsg2/qtbzNHgEZ31f+yroKdfPvE0PLzkxqHNxtioPlUT6ysaICa1vs3voj/fUpovqI8ibYwIQuSBAqpk8q4vyiQ8zcqMc/rjEW+mj4R9VCsJfxwVmRYVqnuH02c/Z9Jq/LmSKb1pE5PdCWKU+pggqQNEu8pkB3oIBi4GfFQIDVKIzhx/bpQjoHt1sdnqXzwoehLQQbjGX28VmlIpbfvjYhyKb8bqndDqfqJbK1L81RryhJ1VsXN2Awb8P6abajDuDoSABcRUpyvUW6pLmeAGOU5mOr/Zhfm+F/J7j5CBLO19VP8FifXG+qkh6o6N/WnKi0bZ7dswYcO9Hu0kxXs9lLbAPlgnDdO7mQsjTSr2FajicYMWST2tfhTUhaqv2iPUreSFdrEq+rlKeydzera7Kddrw4/WFKLlmgOZdWlyyxE7DLdOsl4KgCh8FONBiEDuSniPcrljHgeFXXDlXl2NCFG80Zh2+j5IuIzRA9ray8trhRllJc0P7u6W1TYlZN30bYADTXyaK13gFx4foQo3ZWW6HBiHp5DAFYvDCzZLZMwOxggHp+LAAl+ZQgXQrJspeAn4zFFydi0QYVjnBfvCmfwRX8Oy94LTfK6a4LJ0acfq1GGvq9FX8SQZ6b39kkDNz9vXlGIsV6aB1qvlh6ZWZuF2jAUMOjm/UoMwMKSKs4jMjvV73mp7ui+XCsvGox+f8EQ6fnfW/3ihL5+wSx2kk6+4aij4JRaPeuYPL/kOgg0pYrha9waYqtwj5CjKyLQUMxh/uQbKJUdhkmKEwg9appv4witt9WfpZG2FOWXKYTbkXUwWnUHpY1DvPU37XvC3zgMntzweIPVInXE2H7O5B8n9wZUwrPeHIIJxic00RPNGjIPRKRZoz8+3u+5JrOiqsVZn8I7MhzbU636kSAcwImF/Scoo/7skHb0J4prkwvTBXvuNVW1yFX7dtvIhdq5AiWJf4RjqO/uiij7Bneu8nTV+nuStbSSYc71iGjmOSwbdYpzWQjD7qpiM4C3cg17YsoIwSLYqZSFX4JWyo3FoD62tBCgH7b/XO8CJvjRs7HZopBhyiRpdGbcDqARSUstLHFAct1P8cw8aTOCrwSzGm7FfGE00KjYBGhILUDKNA9BVHDO9Qdeb5OX3YqD5+0uEkO9kcSzAgtxIO2XoyqUYKSB2pytMrUyYRfNrZ2L48qByuCr6kyD9rbRyqLJ3jt8SyZnDzyGw7j/rE2YohyWwgkyPuz1Cg4yIhz4tY4yJU6cJ7NyTuAEGknQOIbLwFFjkX/rFPe6txJIEe5yr01SlHdRXwdLx6VWXL6MBHho4UUALMVfHrrnCaF2VpUEmMTgz7Mbhr19sWGiitGBlpWodh0Ezyw7+oxeKd3rCqOEQApm16Z2DXuWMOICY0gd3cdEeUaaAuWh3wsRhrKB1K9UyKP5UZIQRFQhNMSUM22pDOn05sPdGYzdb28YFobmhGKeQBpnnoaEa0T0v4feH9hzm4GGbABWnXRsGD57NKgRFj7vM84WSd2e4KKSai+EczKtoC+voKr5CoCDRktDiNW9QXVLuNICSqkO4sBomHHzLGSYZ5OYTs8RAGcGHI7/iV9ructtRgwDESTEuiZ1LUJtUsDOr3GFe+RegKa0QdmdtImmznPp275NItdTO7rBouvVGJOe2STy+DNwALAfglk06L/awK7BtAqLGl9zUNQMKa1JebEZtBA0L/vmWKTwxDmSLRCqbba4BXBsRZB2fNVzpPXsamnVmUx50FND0BL2FaRcr041/R52JiHymWSHXYx3VDNjCUn5+WuejJK2BOHgfFyqJvzYn9dTVZqRt7A+CAwovZEiQ6czll8Kr3Nbgt7b/gtJViaW7K34md3xnNpdHOz8bqYcIrUw8FF7wlnL4Ji4VG4dC3RlgagUxOq4W4srVwAp3uL1Vb+vENPV5nqEh2331aY6FwLap+aVXCBd5GFEarm5qpIVabyVYMQh+pHsKGcKKmy9UoZXbNNI6kc9qhOCRTrjD01ZXVBu18H9L/a1j8j5Z239oybzcGZlpWToXYkhNGqo+bl413dJriTf0MtPj/I4WXfT3ZA3D7U4R7KWuN8jGWrW4q3QIB5lHoBO8nAMrnNGcDHKtWQAhcjHg2XCE2/McTycTayDF4bailGZUPtmgvQfP7uotYqHWvo6EpJRM/I6A/+yEeXxEA3g2s1sAJXPEQf7GsdaHi14Ak9lrzYuIRiYw2f0Rc0zv/ofReIkD2OCY0IgYgeiKQDz2XVcQUtk/UHUg2KpvpvSzJwprG3pbzZ9PM6CBA83/eGFlM5UUsM/U6QyBDqZWLyxGs2ThHUCWHtEHU6kW5YijP2hPolNnvtv3Qx4w33aFnrxkiaWq/ICkPv65+4ppS4lkt6Pr3l5yHVXsCEth7OVgY2BFre/rD6GZkP7g738E24fNfbpbCWK1+qOiaIy4rEyLqNOF5uxzA0Wuf75X/3xLb7qxE5nUw3kT0pa5FfPIM/us63NMxKAGiSFaKFB2+vptf7CPIuNjGiZBndsyk07utdupE9Mee7RDT7tdvt6VEuvxUagL+4jzHmqXVzon/Bi6+6PnDny9672q806bjqxcRqyakJEex4UYCn6crF0uP9pKXT/gLUCi7k6OLW5LjPXCk415RajjFK5BqeXNYgI+tvghq0HEORyw8pxJTjJdrHruc/OvBIEVEIoHeVbz5nAxYMzFkf4z/r3ZkXXk4aqV7u3B6BuOf1bhb4bPJ/jcHDTzzQeEB+Lizl4TKUw7g9wxbVKouuU1Yil1LqtCa6CZb+ntBjflhNUQ4gqajv0mW16H0boE2BJCDiIdkfDkg303fSzY301B5okZDgWfGUQl7W2g4hEokfOthbzsUwnId7eWnauxXSeOAr5MVtb9QSSCPtd+xyN+bNZ4gFkYiG5hZMkF3Cw970OPTbqUKwyjzUtR1DljkNjA6dgCPUxw8azM72CjYzEBXFU9rnOTqCjdNGUXRmwnDq027/cBXEGmbQsH3bFqAy50dKzzXVejs2yIU8vF+1aAJVd+jpDeIRaTYwaX9ZDqMOam8MpF5T2oHgwxgE3z1Yrtzd4XqePWqefPCWc/vd8SilwgjIfFWWPDDRF9dcRatI29RWUuGmU6+OAhUaaJ2ScMmsjbXtS0GAwlIh6vwk4mM+GekQDI8Aii1rLV3+Q1DQ00zV8c8TrmAemgVcY/7voXHj2mHEG4uzbpM9zbi58Gop3dcz5i16gS0cP/RqV9ErCxq1Q1PGBdzxGDXpWsPijeOlioq7k4weaLAS2BW55yalsNQrnhB+x6dPBgEBMJ5c9EEmb1HJe7ztuQn/4r5Hqt0yKLd9fxZ2JpuRkKVTjNhIoN4i4wdRH7YbEo8hRoBAP0Ieq6M2rYV+bGsOJnxMqdFvoE8zyRP1ZguPqHLsk9b1dZg5l5/CGbZdp9dg2zIi2WspgTdjdtNED43SOzMHKwvEuC6HqtR0IDE/GD6Oo5dpGS0DFwfOQfsf0yGqb5bU6eA0mDoxIwsIaM53YWQFiPE/aBHFztV+cl04v23G5srzNzZZ/1RuVOWFcCkLHVT1pF+pjZagYLoCsMK2JiQaokwJh/Pafc9MBIxCmgq9fsJYPh1JfyVViSWPAQG0ZvtTLj5f9MQvSeqrjbLVR85xglMq+QMYbIohnlBHU/wl0hzHtPDA7g6gH7kCcka587/xZYN/DBmOadNfGMk9IvQ5EcLd8DZDiOAuDCPw8eixZOUuZ+stF81ycVL6WSrtpkF9GSR3Mpo52CKAi96nnSJhxvHzdKJmPFBzM1+MmjMGQiL+IV8102yJ4ZWUvRshxY7ZaZ3yCMoO9QzScgidWev3Ndns78LbqHijkMVv269JTlllPr65lwBiS52KfN6i1QhczsYvnpbuKNk8ekklr2X6lK37YB8fZtP6YpFR7WCkorWNrWX6yy+0pbur1bFwTbG3jAztwwpg+PEz6aQjnmEIynM7Sh/MA+z3mpbfQY52Fd8XaAXCewcMq/Nb/TR0yYrtmh+wQFFYg84Yqzpvs/KlzDVoXyRF3gl/hohowCIkfog0jLuWTWXpXAxupv8rNXRsrV0BTk+2BNVgLbrCKbruGy2wWUxuPPyjzgP5Cgf/EFLPAZggT8pkoF37PgQRgJh7JgFMHQRiUcDaY1bvb0b44vEMbwRxiVd5LWaN8bHlsYKtimQW+r1bvqLtyf/aLkcz2fh0k09KBhyLtE14PvGJhwN8HCbz4ca9AY5nn7vqlBdKOYJtORxXACr0Fz5jTzekfanz9rPJkpvpVgN85KGgxs+JUAtXJGotTkaf5GWfaa9QFretKnYKR3B5ssidg3wQZVKlVEGbesXwErjlluqoJX3rIloBUTi6wljpep0ap/OgZGPeDmw3x6f5svePwH5Kp1zJmuS8hZqIwlLrqil7KB0fZCNuPjOBT8IU9X9zxTIKeqhc2Dh0cGOSueVp6QaxJZ/b8Ful/BHgGJbR0aNOHsjVyTRn/qaayRDgE3FoyfOyzmbEsxj9xJDMp7jfNEzlVZAuHAVAPmabox7ZbZHYkxe6Qetla4XUwSy5mrx6xffrZ9azcACCutBJVzV511GAaPG88c5VGbwi/zs290q/abelh9AE46n05CrYlrRGmJRaUzngVLRJCbId44/ZJpYC/0Vozl1QObYz7Ap2z8JDUI5y0GWZz9fOGdzx7f+i9NWPuBNRTktz9xOtsUqScHeCD/E5FFW63pLRHfrwwxGWWA/R2I9NpGo9g7zf5xQbXHSq6I5XwZnTs0vrq3mH4+kZNccY+7zlXhhzJMxeqJZoXT/wY3e84lu13R50GYrMgeCRtGIEP5oSUH4crlXYVhDwEKvWYMsq1hrk2mHkNCTkY8RkatEe9HWwZaELntdIfEz9MwIr8TuRGQCxu+4Bod8mMetzOtN0uaOwn3vx2LRPke1tN7FbhgfQ1KOquhDhSf0tF2ayrRIIfYBiz4SgY2CFhsvN8R+dkGK45c9gLE82vc09Bta82GEtzBHkmpNbL+Eoli+F7Eg74t0qAmaygQR48lQOSjK7ryNlulYpaDIHbON6+lO/tQl07HtPUIumcKiF1B6mw+TVSjvwCQOIw14avAKYEyQow+GseJ+a/rHF82RAGQO9SxhJu2pXlHlIkvykE3zQqcp+fqRMYHsNXCRBpL5mZ+ul2n21nEYqDBQb8RPAk5WRFk/guqmoP8uqha1H0y5GroB+jqvikPQTU+BHHng7aWPYPZHM1dx2gJUUTPZMZV9s+lasgjoQnUCtoG/gQvRVTk4cnSbchu1cJMLqs99cpxnE2nGme+151sxCDNhM81HS5C6hk/28SBaGwFGwAzEPXUUslvRRu/0U4hoTbbp'#rememberMe的值
with open('decrypt.bin','wb+') as f:
f.write(decode_rememberme_file(get_encrypted_text(cookie)))
得到序列化后的poc
不知道拿啥工具去解,只能肉眼硬找,得到密钥th1s_1s_n33pu_K4y
异或解密脚本
key = b'th1s_1s_n33pu_K4y';
content = bytes.fromhex('06075e0755')
content = [key[i % len(key)] ^ content[i] for i in range(len(content))]
print(''.join(chr(_) for _ in content))
根据题目需要
第一部分:SSH私钥的密码
第二部分:隐藏在文件中的密文,提交其密文的明文格式
流21读取了一个docx文件的base64
传输时每2000个字符一个长度分割,这个长度头需要去掉
数据有点多,先保存到txt里再解密写入:
import base64
key = b'th1s_1s_n33pu_K4y';
with open('data.txt','r') as f:
data=f.read()
content = bytes.fromhex(data)
content = [key[i % len(key)] ^ content[i] for i in range(len(content))]
data_base64=(''.join(chr(i) for i in content))
file_data=base64.b64decode(data_base64)
with open('202301114514191980.docx','wb') as file:
file.write(file_data)
直接根据提示解一下rot13,得到第二部分flagW0wYoUF1ndMyAn0th3rS3cr3t
关于中文乱码,GBK转UTF-8,用这个网站就能解www.mytju.com,但是跟这道题没啥关系
流23读取了ssh的私钥
这里直接读取到私钥数据没base64加密的,稍微改一下脚本
key = b'th1s_1s_n33pu_K4y';
with open('data.txt','r') as f:
data=f.read()
content = bytes.fromhex(data)
content = [key[i % len(key)] ^ content[i] for i in range(len(content))]
data=(''.join(chr(i) for i in content))
with open('id_rsa','w') as file:
file.write(data)
john爆破一下,这里一开始爆了巨久,后来跟出题人反应后给了截取的rockyou,秒出,得到ssh密钥nroamntiriina
这里因为爆破过了,有log,所以复现时显示no password
Neepu{nroamntiriina_W0wYoUF1ndMyAn0th3rS3cr3t}
二维码修复计划
wp来自spirit的yaotushaozhu师傅,Orz
1.补齐二维码,拖入qrazybox,可以发现二维码为版本4的L2。
2.用掩码进行异或,将中间的数据块末尾用1110110000010001补齐。同时根据url,可以猜测出部分位置的正确代码https://cowtransfer.com/s/
3.将数据流从qrazybox上拉下来,将损坏的位用?代替
4.此时可以发现距离最大可纠错容量20还差一点,发现有几个字节只有末尾未知,于是进行爆破,得到可见字符的url即可
import sys
import reedsolo
reedsolo.init_tables(0x11d)
qr_bytes=[]
with open('outt.txt','r') as t:
qr_bytes=t.readlines()
def is_0(i):
if i!=0:
return 1
else:
return 0
for i in range(8):
qr_bytes[32]=qr_bytes[32][:7]+str(is_0(i&0b100))
qr_bytes[80]=qr_bytes[80][:7]+str(is_0(i&0b010))
qr_bytes[90]=qr_bytes[90][:7]+str(is_0(i&0b001))
print(qr_bytes[32],qr_bytes[80],qr_bytes[90])
b = bytearray()
erasures = []
counts=0
for i, bits in enumerate(qr_bytes):
if '?' in bits:
erasures.append(i)
b.append(0)
counts+=1
else:
b.append(int(bits, 2))
mes, mes2,mes3 = reedsolo.rs_correct_msg(b, 20,erase_pos=erasures)
ll=''
for c in mes:
ll+=('{:08b}'.format(c))[:4]
if len(ll)==8:
print(chr(int(ll,2)),end='')
ll=('{:08b}'.format(c))[4:]