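Going to bed early and getting up early is still the better habit.
The attachment is a picture of a finger.
The finger points downward, which may be a clue, so open the image in WinHex.
Change the height so that it equals the width, 0274, save, and the flag appears.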
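The same height fix can be done without a hex editor. The following is an added example, not code from the original write-up. It assumes the image is a PNG and that only the height field was altered while the original IHDR CRC was left in place, which lets the true height be recovered from the CRC; the sample image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def read_ihdr(png):
    """Return (width, height, other IHDR fields, stored CRC) of the leading IHDR chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    (stored_crc,) = struct.unpack(">I", png[29:33])
    return width, height, png[24:29], stored_crc

def ihdr_crc(width, height, rest):
    return zlib.crc32(b"IHDR" + struct.pack(">II", width, height) + rest) & 0xFFFFFFFF

def recover_height(png, max_height=8192):
    """Return the height that matches the stored IHDR CRC, or None if none does."""
    width, height, rest, stored = read_ihdr(png)
    if ihdr_crc(width, height, rest) == stored:
        return height                      # header is self-consistent
    for h in range(1, max_height + 1):
        if ihdr_crc(width, h, rest) == stored:
            return h
    return None

def set_height(png, new_height):
    """Rewrite the IHDR height and recompute the chunk CRC."""
    width, _, rest, _ = read_ihdr(png)
    body = struct.pack(">II", width, new_height) + rest
    return png[:16] + body + struct.pack(">I", ihdr_crc(width, new_height, rest)) + png[33:]

def make_sample(width, height):
    """Constructed sample: an all-black 8-bit greyscale PNG."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = (b"\x00" + bytes(width)) * height   # filter byte 0 + pixels, per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

# Constructed stand-in for the challenge file: a 0x274 x 0x274 image whose
# height field was lowered to 0x100 while the original CRC was left in place.
FULL = make_sample(0x274, 0x274)
CROPPED = FULL[:20] + struct.pack(">I", 0x100) + FULL[24:]
```

A stored CRC that does not match the IHDR fields is itself a sign that the dimensions were edited, which is worth checking before trusting what an image viewer shows.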
This gives a file.
Base64-decoding its contents gives another Base64 string, and the output is still Base64 through several more rounds of decoding.
Decoding once more gives: U2FsdGVkX183BPnBd50ynIRM3o8YLmwHaoi8b8QvfVdFHCEwG9iwp4hJHznrl7d4B5rKClEyYVtx6uZFIKtCXo71fR9Mcf6b0EzejhZ4pnhnJOl+zrZVlV0T9NUA+u1ziN+jkpb6ERH86j7t45v4Mpe+j1gCpvaQgoKC0Oaa5kc=
At this point the string starts with U2F..... A challenge I did earlier also started with U2F and turned out to be AES encryption, so AES-decrypting it gives:
缽娑遠吶者若奢顛悉吶集梵提梵蒙夢怯倒耶哆般究有栗
Buddhist scripture again. Decrypting it with 與佛論禪 gives: 把我復制走
..... Is this the flag? Fine. According to write-ups online, the flag is {把我復制走}
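The layer peeling described above can be automated. This is an added example, not code from the original write-up. It stops when a layer decodes to the `Salted__` header used by OpenSSL-compatible salted encryption, which is what the `U2FsdGVkX1` prefix is in Base64; the sample input is constructed inline and the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import quote, unquote

OPENSSL_MAGIC = b"Salted__"   # Base64-encodes to the "U2FsdGVkX1" prefix

def peel(text, max_layers=32):
    """Strip nested Base64 (optionally percent-encoded) layers.

    Stops at an OpenSSL-style salted blob or at the first non-Base64 layer."""
    layers = 0
    while layers < max_layers:
        candidate = "".join(unquote(text).split())   # undo %xx, drop whitespace
        if not candidate:
            break
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        if raw.startswith(OPENSSL_MAGIC) and len(raw) >= 16:
            return {"layers": layers, "kind": "openssl-salted", "text": candidate,
                    "salt": raw[8:16].hex(), "ciphertext_len": len(raw) - 16}
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break            # binary that is not a salted blob: stop here
        layers += 1
    return {"layers": layers, "kind": "unknown", "text": text}

def make_sample(rounds=3):
    """Constructed sample: a fake salted blob wrapped in `rounds` layers."""
    blob = OPENSSL_MAGIC + bytes(range(8)) + bytes(16)
    text = base64.b64encode(blob).decode()
    for _ in range(rounds):
        text = base64.b64encode(quote(text, safe="").encode()).decode()
    return text

RESULT = peel(make_sample())
```

The header identifies the container format, not the cipher, so the algorithm and the passphrase still have to come from the challenge itself.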
69742773206561737921
.... Argh, it is just hexadecimal after all. Converting it to characters gives the flag: it's easy!
ebdgc697g95w3
The first clue is "Caesar the Thirteenth": apply a Caesar cipher with a shift of 13 to get
roqtp697t95j3
The challenge also mentions a keyboard, so this should be a keyboard cipher. Moving roqt down one row on the keyboard turns out to give flag, and the resulting password is flag:yougotme
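Open the image in WinHex.
Here I wanted to copy the ASCII values in the right-hand pane but did not know how; I could only copy the hexadecimal values, and a Baidu search did not turn up an answer either. So I saved the hexadecimal values to a txt file, which then produced the ASCII values. Write-ups online simply say it is Unicode decoding; I converted these numbers to their ASCII values, which gave
Unicode-decode this. Some online decoders could not handle it; in the end I found https://www.css-js.com/tools/unicode.html and decoded it there,
which gives flag{iscc is fun}
Open the file in WinHex and look at the header; it is confirmed to be a zip file, so change the extension to zip.
There are two files; open the first one.
Its contents are encrypted. Checking in WinHex shows that it is not pseudo-encryption. It also contains a GetFlag.py file; comparing the CRC32 of the first GetFlag.py with that of this GetFlag.py shows they are identical, so a known-plaintext attack is worth considering. Add the first GetFlag.py to a zip archive and run the known-plaintext attack. I ran into a problem here.
At first nothing I tried worked. Baidu said the wrong compression software was being used and that it should be WinRAR; I had been using 布丁壓縮, and it still did not work. I then tried Bandizip, which also did not work. Finally I searched again and read that 7-Zip works, so I compressed GetFlag.py with 7-Zip, after which the known-plaintext attack succeeded and gave the flag.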
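The checks made by hand in WinHex above (encryption flag, CRC32 comparison) can be scripted. This is an added example, not code from the original write-up. It assumes the common form of pseudo-encryption where the encryption bit differs between the central directory and the local header; the archive and the stand-in for GetFlag.py are constructed inline, and the function names are hypothetical.

```python
import io
import struct
import zipfile
import zlib

def audit_zip(data, known):
    """Per entry: encryption flags in both headers, CRC-32 match against known files.

    known maps a bare file name to the bytes of the unencrypted copy you hold."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The local header keeps its own general-purpose flags at offset 6.
            (local_flags,) = struct.unpack_from("<H", data, info.header_offset + 6)
            central_enc = bool(info.flag_bits & 1)
            local_enc = bool(local_flags & 1)
            plain = known.get(info.filename.rsplit("/", 1)[-1])
            report[info.filename] = {
                "encrypted": central_enc and local_enc,
                # Heuristic: the two headers disagreeing points to a flipped flag.
                "flag_mismatch": central_enc != local_enc,
                "crc_matches_known": plain is not None
                and len(plain) == info.file_size
                and zlib.crc32(plain) & 0xFFFFFFFF == info.CRC,
                # The plaintext copy must be packed with the same method.
                "method": info.compress_type,
                "packed_size": info.compress_size,
            }
    return report

def make_sample():
    """Constructed sample: an unencrypted archive whose last central-directory
    entry has the encryption bit set by hand (pseudo-encryption)."""
    script = b"print('constructed stand-in for GetFlag.py')\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GetFlag.py", script)
        zf.writestr("flag.txt", b"constructed placeholder\n")
    data = bytearray(buf.getvalue())
    pos = data.rfind(b"PK\x01\x02")    # last central-directory record
    data[pos + 8] |= 0x01              # bit 0 of its general-purpose flags
    return bytes(data), script

SAMPLE_ZIP, SAMPLE_SCRIPT = make_sample()
REPORT = audit_zip(SAMPLE_ZIP, {"GetFlag.py": SAMPLE_SCRIPT})
```

The `method` and `packed_size` fields are the ones to compare when the plaintext archive produced by one compression tool does not line up with the encrypted one, as happened above.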
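In the web category, code auditing covers variable overwriting: improper use of $$, improper use of the extract() function, improper use of the parse_str() function, and improper use of import_request_variables(). Reference article: https://www.cnblogs.com/bmjoker/p/9025351.html
I learned something new here. Analysing the file with the Kali command binwalk shows that there is another image inside, and separating it with foremost gives a new image whose content is pigpen-encrypted. The pigpen cipher (also called the 朱高 cipher, the masonic code, the masonic cipher or the Freemason's cipher) is a simple substitution cipher based on a grid. Using symbols does not hinder cryptanalysis, and it can also be used with other substitution methods.
The challenge title also points to it: masonic cipher.
This is the extracted image; decrypt it against the pigpen cipher table
to get goodluck
Searching Baidu for World War II and wheel cipher leads to the wheel cipher; the cipher content is shown in the figure below.
First reorder the rows according to the key: the original second row becomes the first row, the original third row becomes the second row, and so on.
Then rotate each row according to the ciphertext: for the first letter N, rotate the first row so that N is in the first position, with the letters before N wrapping around to the end, and so on.
This gives a new table. Read down each column; the one that reads as a sensible phrase is the password.
Here is Python code from the internet that does the decryption; its output is every column of the transformed table.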
rotor = [
"ZWAXJGDLUBVIQHKYPNTCRMOSFE"
,"KPBELNACZDTRXMJQOYHGVSFUWI"
,"BDMAIZVRNSJUWFHTEQGYXPLOCK"
,"RPLNDVHGFCUKTEBSXQYIZMJWAO"
,"IHFRLABEUOTSGJVDKCPMNZQWXY"
,"AMKGHIWPNYCJBFZDRUSLOQXVET"
,"GWTHSPYBXIZULVKMRAFDCEONJQ"
,"NOZUTWDCVRJLXKISEFAPMYGHBQ"
,"XPLTDSRFHENYVUBMCQWAOIKZGJ"
,"UDNAJFBOWTGVRSCZQKELMXYIHP"
,"MNBVCXZQWERTPOIUYALSKDJFHG"
,"LVNCMXZPQOWEIURYTASBKJDFHG"
,"JZQAWSXCDERFVBGTYHNUMKILOP"
]
cipher = "NFQKSEVOQOFNP"
key = [2,3,7,5,13,12,9,1,8,10,4,11,6]
# Reorder the wheels by the key, then rotate each wheel so that its
# ciphertext letter comes first.
tmp_list = []
for i in range(0, len(rotor)):
    tmp = ""
    k = key[i] - 1
    for j in range(0, len(rotor[k])):
        if cipher[i] == rotor[k][j]:
            if j == 0:
                tmp = rotor[k]
                break
            else:
                tmp = rotor[k][j:] + rotor[k][0:j]
                break
    tmp_list.append(tmp)
# print(tmp_list)
# Read the rotated table column by column; one column is the plaintext.
message_list = []
for i in range(0, len(tmp_list[0])):
    tmp = ""
    for j in range(0, len(tmp_list)):
        tmp += tmp_list[j][i]
    message_list.append(tmp)
print(message_list)
The result is as follows:
Among these, only FIREINTHEHOLE reads as a sensible phrase, so that is the flag.