刷的时候随手就写了,但是刷着刷着又懒得写了。于是就这样吧

2018 hackergame Word 文档

直接把文档binwalk了,直接看到flag.txt

memory

内存镜像文件,题目的描述是:分析内存镜像,破解管理员的登录密码,flag为明文密码的MD5值

使用volatility

volatility -f memory imageinfo

先查看镜像的大概信息,发现suggested profileWinXPSP2x86,WinXPSP3x86 (Instantiated with WinXPSP2x86)使用hashdump命令把内存中所有用户的hash全部dump出来

volatility -f memory --profile=WinXPSP2x86 hashdump

得到三行类似于shadow一样的密码串,都复制下来保存成1.txt,使用john爆破

john --wordlist=/usr/share/john/password.lst --rules --format=NT 1.txt

--wordlist是字典模式,--rules 是稍微变化的规则,其实不填也行,默认就是。--format是预定义密码破解的类型,有很多,可以通过john --list=formats查看,这里使用了NT类型

得到administrator的密码是123456789,md5加密包上flag{}

misc_snake

附件的解压密码使用ook解密

解压后3个文件:processdatadata.jpg

全丢进winhex查看,process是明文的python代码,后缀改成py打开就能发现加密的原理

对照着写一个解密脚本

with open ('snake.jpg','wb') as flag:
    with open('data.jpg','rb') as f:
        for i in f.read():
            if (i % 2 == 0):
                i = (i+1) ^ 128
            else:
                i = (i-1) ^128
            i = bytes([i])
            flag.write(i)

得到snake.jpg,使用stegsolve切滤镜可以看到加密方式是serpent,google一个serpent在线解密发现需要密钥,密钥应该就从图片里找,steghide查看到有隐写一个key.txt,

steghide extract -sf snake.jpg

得到key:VivaLaVida,去http://serpent.online-domain-tools.com/解密,下载解密后的文件,内容是只有w和b组成的文本,能想到w是white,b是black,批量替换,w为1,b为0,而且有40000个字符,那就是200*200的正方形,编写脚本绘制图片

from PIL import Image
with open ("1.txt",'r') as d:
	flag = Image.new('L',(200,200))
	plain = d.read()
	i = 0
	for x in range(200):
		for y in range(200):
			if (plain[i] == '0'):
				flag.putpixel([x,y],0)
			else:
				flag.putpixel([x,y],255)
			i += 1
	flag.show()

得到一个二维码,扫码得flag

MISC_tiga

解压,一个加密的压缩包和一段文本,应该是零宽,但是原来的零宽网站解出来的text是乱码,找了个好点的零宽解密站点https://yuanfux.github.io/zero-width-web/

得到解压密码,解出第二个压缩包和一张图片,压缩包里有一个加密的压缩包和一个装着好些password.txt的文件夹,CRC32爆破,抄来的脚本

import binascii
import string
def crack_crc():
    print('-------------Start Crack CRC-------------')
    crc_list = [0x14433530, 0xaf251007, 0xd554e7b6, 0xebb3156, 0xbb474d49, 0x2cb8a39b, 0x75fe76f0]
    comment = ''
    chars = string.printable
    for crc_value in crc_list:
        for char1 in chars:
            for char2 in chars:
                for char3 in chars:
                    res_char = char1 + char2 + char3
                    char_crc = binascii.crc32(res_char.encode())
                    calc_crc = char_crc & 0xffffffff
                    if calc_crc == crc_value:
                        print('[+] {}: {}'.format(hex(crc_value),res_char))
                        comment += res_char
    print('-----------CRC Crack Completed-----------')
    print('Result: {}'.format(comment))
if __name__ == '__main__':
    crack_crc()

密码T&hg%WL0^rm@c!VK$xEt~,图片丢winhex在尾巴看到hint:加密压缩包的密码是10位数字,使用掩码爆破,2001701725

得到youcanalso.jpgflag.zip,压缩包里有youcanalso.jpg,那么就是明文攻击了,把youcanalso.jpg添加成压缩包,CRC32值和压缩包里的相同,开始攻击,这里要注意一下,winrar压缩是无法明文攻击的,需要使用bandzip来压缩才可以。

出来密码1amT1G@,得到flag.txt内容是504B开头的串,粘贴进010editor保存为zip,一看是word类型的文件,改后缀为docx,打开发现好几页base加密,估计是全家桶,使用basecrack的m模式全解出来

python basecrack.py --magic

然后粘贴word的内容

flag{8fa3e8c4-0121-4f2a-a7f0-0a60032e3763}

pcap

题目要求分析dno3.0协议的流量,wireshark打开,先筛出来,查看

Distributed Network Protocol 3.0> Application Layer>RESPONSE Data OBjects> Object(s): 32-Bit Counter Change Event...> Point Number 0(Quality: Online), Count:102....>Counter(32 bit):102

这个102转换成字符 就是f,对应的数据包长度是91,按照数据包长度排序,按顺序查看每个数据包能找到对应位置有相应的字符,一个个找f、l、a、g....拼起来就得到了flag。

pcap_analysis

要求分析modbus流量,筛选之后右键追踪流,竖着读flag拼起来就行

SDNISC2020_简单数据包

一个pcapng文件,wireshark打不开,直接binwalk得到一个zip和一个txt,txt内容解b64得flag(binwalk对付流量包老非预期了)

多啦A梦

解压得到多啦A梦.jpg提示.txt,提示:图片是不是少了点什么?

直接foremost得到一个二维码png,改宽高扫码解b64得flag

海量的txt文件

几百个txt文件,打开都是没意义的串,放在一个文件夹里,扔kali

strings * | grep flag

发现没东西,修改关键词,改成password、pass、key之类的,试到key后找到

key{fe9ff627da72364a}

技协杯-我的密码呢(对付高版本加密)

如果在archpr里压缩包版本不支持,在010editor中把版本改成0就行了

句末大佬的LSB

一张png,复现的时候题目没描述,应该是用cloacked-pixel的lsb脚本,但是没出来。查wp 密码需要社工到句末师傅的姓氏,chen

python lsb.py extract jumo.png flag.txt chen

HEBTUCTF{wuinoknadsflmladflnef}

日志审计

下载附件logcheck.log打开找到盲注的记录如下

192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C1%2C1%29%29%3D102--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C2%2C1%29%29%3D108--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C3%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C4%2C1%29%29%3D103--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C5%2C1%29%29%3D123--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C6%2C1%29%29%3D109--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C7%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C8%2C1%29%29%3D121--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C9%2C1%29%29%3D105--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C10%2C1%29%29%3D121--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C11%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C12%2C1%29%29%3D104--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C13%2C1%29%29%3D101--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C14%2C1%29%29%3D105--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C15%2C1%29%29%3D49--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C16%2C1%29%29%3D57--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C17%2C1%29%29%3D54--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C18%2C1%29%29%3D53--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C19%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C20%2C1%29%29%3D101--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C21%2C1%29%29%3D55--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C22%2C1%29%29%3D53--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C23%2C1%29%29%3D54--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C24%2C1%29%29%3D57--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C38%2C1%29%29%3D125--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"

提取出来保存为data.txt,脚本解码处理

from urllib.parse import unquote

with open('./data.txt') as f:
    lines = f.readlines()
    for line in lines:
        line = unquote(line)
        line = line[line.find('))=')+3:line.find('--')]
        print(chr(int(line)),end="")

脚本的功能是读取每一条盲注的记录,并且url解码处理,使用find方法去掉无关的字符把flag输出出来

flag{mayiyahei1965ae7569}

神秘压缩包

解压,得到一个压缩包和一个txt,txt内容是base64转图片,得到解压密码:asdfghjkl

解压得到160张二维码图片,使用微微二维码批量扫描生成一个excel,提取其中内容,都是0和1,二进制转字符串得到flag

赢战2019

下载附件,一个jpg,丢winhex看,正常尾巴,binwalk看有些图片,foremost出一张二维码,扫出:眉头一皱,发现这张图片没这么简单,stegsolve改滤镜看到flag