[GKCTF 2021]签到

weixin_34979095

已于 2024-08-22 10:50:13 修改

阅读量448

点赞数 11

文章标签：网络网络安全

于 2024-08-22 10:49:03 首次发布

本文链接：https://blog.csdn.net/weixin_34979095/article/details/141396524

版权

wireshark打开发现有好多tcp和http流

追踪TCP流可以发现，在众多HTTP协议中，像是执nux系统命令：ls cat etc/passwd
在这里进行了ls查看

tcp第五流发现QER1=cat+%2Ff14g%7Cbase64 ，url码转ascii 为QER1=at/flag|base，base关键词出现，按照这条线索往下查，过滤条件设为http，查看所有http

发现大量上传tmpshell.php文件，先导出，放起来备用

！！！第二种解题思路从这里开始，

随便选一个tmpshell.php，追踪http

在右下分组详情里有

和我们之前查的tcp stream内容一致，我们追踪http stream

发现两段16进制字符串，其中QER1=cat+%2Ff14g 对应

44516f4e4367306a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d4b44534d674943416749434167494341344d446f784d446f774d6941774d79307a4d4330784d6a417949434167494341674943416749776f4e49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a49794d6a436730744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c5330744c516f3d

CyberChefThe Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysishttps://icyberchef.com/去上面网站转换编码，hex >base4>ascsii

输出么有任何意义，看下一个

QER1=cat+%2Ff14g%7Cbase64 对应

64306c455357644251306c6e51554e4a5a3046355355737764306c7154586c4a616b31355357704e65556c7154586c4a616b31355357704e65556c7154586c4a616b31355357704e65556c7154586c4a616b31355357704e65556c7154576c44546d39525241707154586c4a616b31355357704e65556c7154586c4a616b31355357704e65556c7154586c4a616b31355357704e65556c7162314645616b46445357644251306c6e51554e4a5a32644554545a46524530325157704e5a3046365458524e524531305257704e436e5177553078304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d644442705130354e65556c7154586c4a616b31355357704e65556b4b4e6b467154576442656b31305455524e644556715458644a616b38775a566f324d6d56774e557377643074795556645a64315a485a48593152556c3051576c4e4d5546355a4777316255733254545a7162475a7763573579555552304d464e4d64444254544170304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d6444425454485177553078304d464e4d537a42425357526159585a764e7a567462485a735130354e564530325255524e436e6f77655531334d464e4e6555467154545a524e327877596a647362584a5252484a7a5131706f516c68614d446c745647637751306c355655524a4d315a74596e4676656d3951567974736357563151303477553078304d464e4d64444254544851775530774b63336858576d786b4d5659354d544e6c4e325179576d684752324a7a576d31615a7a427363446c7064573569567974585a7a427363446c7064573569567974585a7a427363446c706457356956797458537a423354586876564531336230524e6555464454517045546a4252524534775555527356324636546c684e65444258596d593562464a48556b524f5245347759584a6b4d464a6d4f565a6162444658596e644252456c6b556d46746345524c61577832526b6c6b556d46746345524c61577832566b747754544a5a436a303955556c6f545442525245347755516f3d

发现base64编码是倒序的，保存上面base64编码为a.txt文件

把这段base64使用下面命令逐行反序

rev a.tyxt > c.txt

DQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyAgICAgICAgIDIw
MjEtMDMtMzAgMjA6MDE6MDggICAgICAgICAjDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMjIyMjIyMNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tDQrnqpflj6M6Km5ldyA1MiAtIE5vdGVwYWQrKw0K5pe26Ze0OjIwMjEtMDMtMzAgMjA6
MDE6MTMNClvlm57ovaZdIA0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0NCueql+WPozoqbmV3IDUyIC0gTm90ZXBhZCsrDQrml7bpl7Q6MjAyMS0wMy0z
MCAyMDowMToxMw0KW+Wbnui9pl0gW+Wbnui9pl0gW+Wbnui9pl0gZmZsbGFhZ2d7e319V1dlZWxs
Y2MpKVvliKDpmaRdIFvliKDpmaRdIDAwbW1lZV9fR0dra0NDNDRGRl9fbW0xMXNzaWlDQ0NDQ0ND
Q0NDQ0MhIQ==

ffllaagg{{}}WWeellcc))[ffllaagg{{}}WWeellcc))[删除] [删除] 00mmee__GGkkCC44FF__mm11ssiiCCCCCCCCCCCC!!00mmee__GGkkCC44FF__mm11ssiiC

CCCCCCCCCCC!!

字符去重得到flag{Welc0me_GkC4F_m1siCCCCCC!}

另外一种解题思路

导出的php文件全部按大小排列

从上到下以此，进行下面操作，把逐个php文件以二进制打开，再进行Hex>ascii>base64解码

CTL+A选中字符

直到操作2k大小php文件时