2020湖湘杯复赛Writeup

Web #

题目名字不重要反正题挺简单的

解题思路

非预期解:flag在phpinfo里显示出来了

NewWebsite #

解题思路

http://47.111.104.169:56200/?r=content&cid=2

cid参数存在SQL注入漏洞,没有任何过滤,得到后台账号密码为admin/admin

进入后台发现水印图片那里有个php3文件,访问是phpinfo,没什么用

然后访问/upload/watermark/目录,发现可以目录遍历,有可以解析的shell文件

http://47.111.104.169:56200/upload/watermark/82061604228330.php3

盲猜密码cmd

这里猜测预期解应该是上传.php3|.phtml类型后缀进行绕过,但是当时我这个靶机好像有问题,无法上传任何文件,看到了目录遍历直接解了。

Misc #

password

解题思路

下载后解压发现WIN-BU6IJ7FI9RU-20190927-152050.raw文件

直接拖到kali用volatility分析

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo

判断为Win7SP1x86

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hivelist

获取SAM文件虚拟地址

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump -y 0x93fc41e8

导出Hash

CTF用户的hash拿去解密,密码明文为:qwer1234

然后sha1

db25f2fc14cd2d2b1e7af307241f548fb03c312a

颜文字 #

解题思路

题目是颜文字,其实和颜文字没啥关系。

wireshark打开数据包,发现有个index_demo.html的文件,把里面的内容复制出来保存在本地。

本地打开,右键查看源码发现一些类似base64的东西

KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==

KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==

KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK

bygq77+j4pa977+jKinjg5bjgpwK

77yc77yI77y+77yN77y+77yJ77yeKOKVr+KWveKVsCAp5aW96aaZfn4K

44O9KOKcv+++n+KWve++nynjg44o77yg77y+77yQ77y+KQp=

KF5e44Kezqgo77+j4oiA77+jKc6oKuKYhSzCsCo6LuKYhijvv6Pilr3vv6MpLyQ6Ki7CsOKYhSog44CCCp==

flwo4omn4pa94ommKS9+byhe4pa9XilvKMKs4oC/wqwpKCriiafvuLbiiaYpKSjvv6Pilr3vv6MqICnjgp7ilLPilIHilLMo4pWv4oC14pah4oCyKeKVr++4teKUu+KUgeKUuwp=

4pSz4pSB4pSzIOODjigg44KcLeOCnOODjingsqBf4LKgCn==

4LKgX+CyoCjila/igLXilqHigLIp4pWv54K45by577yB4oCi4oCi4oCiKu+9nuKXjyjCrF/CrCApCp==

KOODjuOBuO+/o+OAgSlvKO+/o+KUsO+/oyop44Ke4pWwKOiJueeav+iJuSAp77yI77i2Xu+4tu+8iSgqIO+/o++4v++/oyko77+jzrUoI++/oykK

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAo=

KMKsX8KsIiko77+j77mP77+j77ybKSjila/CsOKWocKw77yJ4pWv77i1IOKUu+KUgeKUu+ODvSjjgpzilr3jgpzjgIAp77yNQzwoLzvil4c7KS9+KOODmO+9pV/vvaUp44OY4pSz4pSB4pSzCu==

4LKgX+CyoCjila/igLXilqHigLIp4pWv54K45by577yB4oCi4oCi4oCiKu+9nuKXjyjCrF/CrCApCo==

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIMK

4oqZ77mP4oqZ4oil44O9KCrjgII+0JQ8KW/jgpwvKOOEkm/jhJIpL35+KCNfPC0p77yI77ye5Lq677yc77yb77yJCo==

KOODjuOBuO+/o+OAgSlvKO+/o+KUsO+/oyop44Ke4pWwKOiJueeav+iJuSAp77yI77i2Xu+4tu+8iSgqIO+/o++4v++/oyko77+jzrUoI++/oykK

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAq=

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIPvvJ7nm67vvJwpCm==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCs==

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAp=

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIPvvJ7nm67vvJwpCr==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCt==

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAr=

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIPvvJ7nm67vvJwpCi==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCn==

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAo=

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIPvvJ7nm67vvJwpCp==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCq==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCl==

KO++n9CU776fKinvvonil4t877+jfF8gPTMo44OO772A0JQp44OOKOKAstC0772Az4Mpz4Mo77+i77i/zKvMv++/ouKYhinvvZ4o44CAVOODrVQpz4M8KCDigLXilqHigLIpPuKUgOKUgAq=

KOKKmcuN4oqZKe+8nyjPg++9gNC04oCyKc+DPCgg4oC14pah4oCyKT7ilIDilIDilIDvvKPOtSjilKzvuY/ilKwpMzwoIOKAteKWoeKAsinilIDilIDilIBD77yc4pSAX19fLSl8fO+9nijjgIBU44OtVCnPgyjjgIPvvJ7nm67vvJwpCl==

KG/vvp92776fKeODjmQ9PT09PSjvv6Pilr3vv6MqKWLOtT3OtT3OtT0ofu+/o+KWve+/oyl+KOKdpCDPiSDinaQpVeKAouOCp+KAoipVCi==

KOKVr+KAteKWoeKAsinila/ngrjlvLnvvIHigKLigKLigKIK

KOKVr+KAteKWoeKAsinila/ngrjlvLnvvIHigKLigKLigKIK

KOKVr+KAteKWoeKAsinila/ngrjlvLnvvIHigKLigKLigKIK

KOKVr+KAteKWoeKAsinila/ngrjlvLnvvIHigKLigKLigKIo4pWv4oC14pah4oCyKeKVr+eCuOW8ue+8geKAouKAouKAoijila/igLXilqHigLIp4pWv54K45by577yB4oCi4oCi4oCiKOKVr+KAteKWoeKAsinila/ngrjlvLnvvIHigKLigKLigKIK

ZmxhZ+iiq+aIkeeCuOayoeS6huWTiOWTiOWTiC==

网上搜了一下发现这是base64隐写,网上有现成的脚本

https://www.it610.com/article/1290949422569562112.htm

把base64隐写的东西保存成code.txt,解密脚本

def get_base64_diff_value(s1, s2):

base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

res = 0

for i in xrange(len(s2)):

if s1[i] != s2[i]:

return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))

return res

def solve_stego():

with open('code.txt', 'rb') as f:

file_lines = f.readlines()

bin_str = ''

for line in file_lines:

steg_line = line.replace('\n', '')

norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')

diff = get_base64_diff_value(steg_line, norm_line)

print diff

pads_num = steg_line.count('=')

if diff:

bin_str += bin(diff)[2:].zfill(pads_num * 2)

else:

bin_str += '0' * pads_num * 2

print goflag(bin_str)

def goflag(bin_str):

res_str = ''

for i in xrange(0, len(bin_str), 8):

res_str += chr(int(bin_str[i:i + 8], 2))

return res_str

solve_stego()

运行完输出了一个key

key:"lorrie"

然后将index_demo.html进行snow解密得到以下内容

将其替换(.)(-)

-.... --... -... ...-- ...-- . ...-- ----. -... ..... .---- ----- ..... ..-. -... ....- .- ..--- ----. ..... ...-- .- ----- -.-. . --... ----. -.-. ...-- ...-- --... ---..

莫斯密码解密得到flag。

隐藏的秘密 #

解题思路

提示计算机中没有这个用户,但是还是可以登录。众所周知隐藏账号一般为:test$这种。

接着用volatility分析这个附件,判断版本为Win2003SP2x86

列出SAM表的用户

然后拿得到的密文批量解ntml,将得到的明文信息和用户名对应,例如

JbpPIa4$:980099

vz1rKjG$:565656

yW1fMSd$:19861013

oR9C4h0$:a520520

etiH3Lp$:321321

接着把这些批量md5加密,然后去平台爆破flag(非预期解)。

预期解应该是查看注册表。

虚实之间 #

解题思路:

可以先将附件中的mingwen的副本文件分离出来

修复数据包用winrar自带的或者7z直接能把mingwen副本.txt解压出来

使用ARCHPR对加密的文件进行明文爆破

爆破之后得到密码

进入原加密文件

再栅栏