Misc
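Simple and Easy
Attachment link: https://pan.baidu.com/s/1CDm3CHMQPmi5Y7se9e0xUQ
Extraction code: 6666
Solution 1:
Extract the attachment, open it in Wireshark, and enter tcp.flags.syn==1 in the display filter; the TCP streams found this way are relatively complete. Then, from the toolbar, choose Analyze > Follow > TCP Stream, and once loading finishes, search the whole stream for flag to obtain it:
Solution 2:
Extract the attachment and use the strings command on Linux; a single command solves it: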
strings misc_02.pcapng | grep flag
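As shown in the figure:
The Big Hacker's Traffic Attachment
Attachment link: https://pan.baidu.com/s/1N11rZ4JDPDxpc3eTgBbYqw
Extraction code: 6666
Extract the attachment, open it in Wireshark, filter for http traffic, sort by length in descending order, find the request to /upfile/upload_file.php, and extract the image transferred in it using Export Packet Bytes:
Open the extracted image; the flag is on Kunming, Yunnan on the map:
With the saturation of that region turned all the way up:
The Leaked Attachment
This challenge is about RSA encryption and decryption. The challenge attachment code is as follows: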
from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
p = getPrime(2048)
q = getPrime(2048)
e = getPrime(32)
phi = (p-1)*(q-1)
d = invert(e, phi)
dp = d % (p - 1)
dq = d % (q - 1)
n = p * q
c = pow(bytes_to_long(flag), e, n)
print("p:", hex(p))
print("q:", hex(q))
print("c:", hex(c))
print("dp:", hex(dp))
print("dq:", hex(dq))
'''
p: 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
q: 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
c: 0x8c8d2382d041073c5db01758960144a6ef6846b8d2985fb287e9512ee6219b96109e2210c5581375d09d0b61cc7d02ca52ae20a835bd7c215830f67e18cdc22b50bf9613e44a20e67fda65595302bb0ce14881501b30e42fcc41e268099f1ef78991cea18ac6b49558714b6a32162e3905246ab0956aa3d283bd4fd38ebc04a7ad0cea7fe1ead59b3966732a94f660d894f5a3b20df1f19a2ec28bacf34e22ad19dda38c8cc683854b8b79b17ac0baf9aa454917c34cb40e943f554dca369b9164b8df19c1f9e6bd459a97df701e55021b10d4a7420c2868c95f73cbaf790f5b022c8921d88ec2d5c9ced74928b1e34c608f56ddd7cd20d38c27cb48d48860e675705c1496da243787492209caf9d64b1848ba70ac4576eadcec55fa0aac0ddbbea06b254635c5db7c1d33cb1fd2a9a808b27d31c27c66c473617f7fdbd91c32bb1edb59573155191c52ec3e17e2c359e256b4c3c62c3576bf66f4448d1470232d01717a2f42f649948d81bb33f1349ec71b393fea1aa5f868b3817417caf7de7feeb9dd68291ddd627a5cf08de8903b47e586efaf74c88cfd72ae07a7cee2e022e9ea211c7f12774cbd25d6bb610a8071080d453eb8bac6e01810f0ddf121a226c49d10970a02ef17605dadf65e490eefd2f8158f0a70d94ef87aab5d0e25f54674f1562c505d8723855d9a2b619a10cf93cfcebc0f1036e58f7b56c3884c0b
dp: 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
dq: 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
'''
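Just work backwards: p, q, dp and dq are all printed, so the ciphertext can be decrypted with the Chinese Remainder Theorem without knowing e. The Python solution code is as follows:
#!/usr/bin/env python3
# -*- coding:UTF-8 -*-
import gmpy2
from Crypto.Util.number import long_to_bytes
# The values below are truncated in this write-up; use the full values from the challenge output.
p = 0xfe79... # prime p
q = 0xfe39... # prime q
c = 0x8c8d... # ciphertext
dp = 0xdfe4... # d mod (p-1)
dq = 0x866b... # d mod (q-1)
n = p * q
# Decrypt separately modulo each prime with the leaked CRT exponents
m1 = pow(c,dp,p)
m2 = pow(c,dq,q)
# Recombine the two residues: I = p^-1 mod q
I = gmpy2.invert(p,q)
m = (m1 + I * ((m2 - m1) % q) * p) % n
flag = long_to_bytes(m)
print(flag)
The result is as follows: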
flag{WOW_You_Can_Really_Decrypt}
WEB
Login
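Challenge hint: start sqlmap
Open the platform, log in with any username and password, capture the request and mark the injection point, then run SQLMap against the captured request to test for SQL injection. Time-based blind injection exists, and the logins table of the ggban database contains username and password columns:
Then dump the columns; the relevant usernames and passwords are as follows:
Log in to the platform with the credentials obtained through the injection, and a flag string pops up: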
flag{AABAA10AAAAAAAABBAAABA3949AAAABAAAAA59AAAAAAAAABAAAABAABAA56AABAA057AABAB20AABAB883AABAA}
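The characters inside the flag above are encoded with Bacon's cipher; decode them (leave the digits alone and decode only the letters, keeping each digit attached after the decoded letter it follows):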
flag{E10ADC3949BA59ABBE56E057F20F883E}
Direct link to the decoding site: Bacon's cipher
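The same decoding done offline, as an added example that is not part of the original write-up: it decodes each run of A/B symbols in 5-symbol groups and copies the digits through in place. The function names are my own, and the 26-letter Bacon table is assumed (only A to F occur here, so the 24-letter variant gives the same result).

```python
import re

# Encoded flag copied from the write-up above.
ENCODED_FLAG = ("flag{AABAA10AAAAAAAABBAAABA3949AAAABAAAAA59"
                "AAAAAAAAABAAAABAABAA56AABAA057AABAB20AABAB883AABAA}")


def bacon_group_to_letter(group):
    """Map one 5-symbol A/B group to a letter (A=0, B=1, 26-letter table)."""
    value = int(group.translate(str.maketrans("AB", "01")), 2)
    if value > 25:
        raise ValueError(f"group {group!r} is outside the alphabet")
    return chr(ord("A") + value)


def decode_mixed(body):
    """Decode every run of A/B symbols; copy all other characters unchanged."""
    out = []
    for run in re.findall(r"[AB]+|[^AB]+", body):
        if run[0] not in "AB":
            out.append(run)  # digits stay exactly where they were
            continue
        if len(run) % 5:
            raise ValueError(f"run {run!r} is not a whole number of 5-symbol groups")
        out.extend(bacon_group_to_letter(run[i:i + 5])
                   for i in range(0, len(run), 5))
    return "".join(out)


def decode_flag(flag):
    """Decode the text between flag{ and } and wrap it again."""
    match = re.fullmatch(r"flag\{(.+)\}", flag)
    if match is None:
        raise ValueError("expected a string of the form flag{...}")
    return "flag{" + decode_mixed(match.group(1)) + "}"


if __name__ == "__main__":
    print(decode_flag(ENCODED_FLAG))
```

A run whose length is not a multiple of five raises an error instead of being silently misaligned, which catches copy mistakes in the encoded string.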
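Also: while solving this challenge, I incidentally obtained a shell on the container and found a flag file in the website root directory. After asking the staff, I learned that this file was already present in the container and is not the flag the challenge is looking for: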