Web
Ezpop
ThinkPHP V6.0.12 LTS deserialization. Scanning the paths turns up www.zip.
The exploitation method:

poc.php
payload
Crypto
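Sign-in Radio Station
The message to send is "弼时安全到达了" ("Bishi has arrived safely")
Telegraph code table
Codebook, 7*4
Mod-10 algorithm
Send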
Challenge-Code-Based Mutual Authentication
The flag is at /root/cube-shell/instance/flag-server/flag1.txt
Challenge-Code-Based Mutual Authentication 2
The flag is at /root/cube-shell/instance/flag_server/flag2.txt
Challenge-Code-Based Mutual Authentication 3
The root account has a weak password, root/toor. Searching for flag* with find gives the flag path.
MISC
ez_usb
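Opening the file in Wireshark shows that it is a capture of USB traffic.
Packets with Source=2.8.1 and Destination=host carry HID Data. Filter the traffic, export the selected packets as text, then decode them with a script.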
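Decoding script
Decoded data
Remove the special symbols.
5261 is the RAR file header, so the archive can be generated directly from the data, but it requires a password.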
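Later I found that packets with Source=2.10.1 also carry data, so I repeated the same steps and got the password: 35c535765e50074a
Extracting the archive gives the flag.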
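The keystroke-decoding step described above, as an added example (not the author's script, which is not reproduced on this page): it turns 8-byte boot-protocol HID keyboard reports, as exported from Wireshark, into the typed text. A US keyboard layout is assumed and the sample reports are constructed, not taken from the challenge capture.

```python
# Added example: decode USB HID boot-protocol keyboard reports into text.
# Assumes a US layout; SAMPLE is constructed, not the challenge capture.
SHIFT_MASK = 0x22  # left shift (0x02) | right shift (0x20) in byte 0
CAPS_LOCK, BACKSPACE, ESCAPE = 0x39, 0x2A, 0x29

# Usage IDs 0x04..0x38 in order: a-z, 1-9, 0, Enter, Esc, Backspace, Tab,
# Space, then punctuation. Index = usage ID - 0x04.
LOWER = "abcdefghijklmnopqrstuvwxyz1234567890\n\x1b\b\t -=[]\\#;'`,./"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()\n\x1b\b\t _+{}|~:\"~<>?"


def decode_hid_reports(lines):
    """Turn exported 'HID Data' hex strings (8 bytes each) into typed text."""
    out, caps, prev = [], False, set()
    for line in lines:
        try:
            raw = bytes.fromhex(line.strip().replace(":", ""))
        except ValueError:
            continue                      # not a hex line
        if len(raw) != 8:
            continue                      # not a boot-protocol keyboard report
        shift = bool(raw[0] & SHIFT_MASK)
        keys = [k for k in raw[2:] if k >= 0x04]  # 0x00-0x03: none/error
        for k in keys:
            if k in prev:
                continue                  # key still held, not a new press
            if k == CAPS_LOCK:
                caps = not caps
            elif k == BACKSPACE:
                if out:
                    out.pop()             # apply the correction
            elif k <= 0x38 and k != ESCAPE:
                ch = (UPPER if shift else LOWER)[k - 0x04]
                out.append(ch.swapcase() if caps and ch.isalpha() else ch)
        prev = set(keys)
    return "".join(out)


SAMPLE = [
    "0000220000000000", "0000220000000000", "0000000000000000",  # '5' held
    "00:00:1f:00:00:00:00:00", "0000000000000000",               # '2'
    "00001b0000000000", "0000000000000000",                      # 'x' (typo)
    "00002a0000000000", "0000000000000000",                      # Backspace
    "0000230000000000", "0000000000000000",                      # '6'
    "00001e0000000000", "0000000000000000",                      # '1'
]

if __name__ == "__main__":
    text = decode_hid_reports(SAMPLE)
    print(text, bytes.fromhex(text))      # keystrokes are hex: 52 61 = "Ra"
```

Applying Backspace and Caps Lock inside the decoder removes the need to strip marker symbols by hand afterwards, and comparing each report with the previous one keeps a held key from being counted twice.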
- Author:Linuz
- URL:https://linuz.me/article/2022-CISCNCTF-Writeup
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!