I jotted these down as I worked through the challenges, then got lazy partway through, so here they are as they stand.

2018 hackergame Word document

Ran binwalk straight on the document and flag.txt was right there.

memory

A memory image. Challenge description: analyze the memory image and recover the administrator's login password; the flag is the MD5 of the plaintext password.

Use volatility:

volatility -f memory imageinfo

First get the basic facts about the image. The suggested profiles are WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86). Then use the hashdump command to dump the password hashes of every local account from the SAM hive held in memory:

volatility -f memory --profile=WinXPSP2x86 hashdump

That gives three lines in pwdump format (user:rid:lmhash:nthash:::), which look a lot like /etc/shadow entries. Copy them all into 1.txt and brute-force with john:

john --wordlist=/usr/share/john/password.lst --rules --format=NT 1.txt

--wordlist selects wordlist mode; --rules enables john's word-mangling rules on top of the wordlist (they are not applied in plain --wordlist mode unless you ask for them). --format pins the hash type; there are many, list them with john --list=formats. NT is the right one here, since hashdump produces NT (MD4 over the UTF-16LE password, unsalted) hashes.

The administrator's password is 123456789; MD5 it and wrap it in flag{}.

misc_snake

The archive's extraction password comes from decoding the Ook! text.

Extracting gives three files: process, data and data.jpg.

Throw them all into WinHex: process is plain-text Python source; rename it to .py and open it to see how the encryption works.

Write the matching decryption script:

# Inverse of the transform in `process`: flip each byte's low bit (+1 if even,
# -1 if odd) and toggle its high bit with ^ 128. Because ^ 128 does not touch
# the low bit, applying this step twice gives the original byte back, so the
# same code also encrypts.
with open('snake.jpg', 'wb') as flag:
    with open('data.jpg', 'rb') as f:
        for i in f.read():
            if i % 2 == 0:
                i = (i + 1) ^ 128
            else:
                i = (i - 1) ^ 128
            flag.write(bytes([i]))

That produces snake.jpg. Flipping through stegsolve's filters shows the encryption is Serpent. An online Serpent decryptor needs a key, which must be somewhere in the image; steghide shows an embedded key.txt:

steghide extract -sf snake.jpg

The key is VivaLaVida. Decrypt at http://serpent.online-domain-tools.com/ and download the result: a text consisting only of w and b. w is white and b is black, so bulk-replace w with 1 and b with 0. There are 40000 characters, i.e. a 200*200 square, so draw it:

from PIL import Image

with open("1.txt", 'r') as d:
    flag = Image.new('L', (200, 200))   # 8-bit grayscale canvas
    plain = d.read()                    # 40000 chars of 0/1 (b -> 0, w -> 1)
    i = 0
    # x is the outer loop, so the image is filled column by column; the result
    # is the transpose of the intended picture, which a QR scanner does not mind
    for x in range(200):
        for y in range(200):
            if plain[i] == '0':
                flag.putpixel((x, y), 0)     # black
            else:
                flag.putpixel((x, y), 255)   # white
            i += 1
    flag.show()

That gives a QR code; scan it for the flag.

MISC_tiga

Unzip: an encrypted archive and a piece of text. It had to be zero-width characters, but the zero-width site I normally use decoded it to garbage; a better decoder: https://yuanfux.github.io/zero-width-web/

That gives the extraction password. Inside are a second archive and an image. The archive holds another encrypted archive plus a folder with a number of password*.txt files, each only a few bytes long, so their contents can be brute-forced from the CRC32 stored in the zip directory. Script borrowed from elsewhere:

import binascii
import string


def crack_crc():
    print('-------------Start Crack CRC-------------')
    # CRC-32 values read from the seven password*.txt entries (3 bytes each)
    crc_list = [0x14433530, 0xaf251007, 0xd554e7b6, 0xebb3156, 0xbb474d49, 0x2cb8a39b, 0x75fe76f0]
    comment = ''
    chars = string.printable
    for crc_value in crc_list:
        # enumerate every 3-character printable string and compare its CRC-32
        for char1 in chars:
            for char2 in chars:
                for char3 in chars:
                    res_char = char1 + char2 + char3
                    char_crc = binascii.crc32(res_char.encode())
                    calc_crc = char_crc & 0xffffffff
                    if calc_crc == crc_value:
                        print('[+] {}: {}'.format(hex(crc_value), res_char))
                        comment += res_char
    print('-----------CRC Crack Completed-----------')
    print('Result: {}'.format(comment))


if __name__ == '__main__':
    crack_crc()
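The same attack without copying CRC values by hand, as an added example that is not part of the original writeup: read size and CRC-32 of each small entry straight from the zip central directory (these fields are stored in the clear even when the archive is password-protected, which is the whole weakness), then enumerate all candidate strings once and match every entry at the same time. The sample archive is constructed here with the recovered password split into 3-byte files; zipfile cannot write encrypted entries, but the CRC/size fields are laid out identically.

```python
import io
import itertools
import string
import zipfile
import zlib


def small_entries(zip_bytes: bytes, max_len: int):
    """{name: (size, crc32)} for every entry short enough to brute-force.
    Works on encrypted archives too: the central directory is never encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {zi.filename: (zi.file_size, zi.CRC)
                for zi in zf.infolist()
                if 0 < zi.file_size <= max_len}


def crack_crcs(targets, alphabet: bytes, max_len: int):
    """Single pass over all strings of length 1..max_len over `alphabet`,
    looking each (length, crc) up against all targets at once."""
    wanted = {}
    for name, key in targets.items():
        wanted.setdefault(key, []).append(name)
    found = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            cand = bytes(combo)
            key = (n, zlib.crc32(cand) & 0xFFFFFFFF)
            if key in wanted:
                for name in wanted[key]:
                    found.setdefault(name, cand)  # first hit wins; CRC collisions are possible
                if len(found) == len(targets):
                    return found
    return found


def recover_comment(zip_bytes, alphabet=string.printable.encode(), max_len=3):
    """Crack every short entry and join the pieces in filename order."""
    targets = small_entries(zip_bytes, max_len)
    found = crack_crcs(targets, alphabet, max_len)
    return b"".join(found[name] for name in sorted(found))


def build_sample_zip() -> bytes:
    """Constructed sample: the recovered password cut into seven 3-byte files."""
    pieces = ["T&h", "g%W", "L0^", "rm@", "c!V", "K$x", "Et~"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, p in enumerate(pieces, 1):
            zf.writestr("password%d.txt" % i, p)
    return buf.getvalue()


if __name__ == "__main__":
    print(recover_comment(build_sample_zip()))
```

Three printable bytes is about a million candidates and finishes in a second or two; four bytes is a hundred million and is where you switch to a compiled tool or a reduced alphabet. Note also that with 2^32 possible CRC values, entries of four or more bytes can have more than one valid preimage.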

The password is T&hg%WL0^rm@c!VK$xEt~. Opening the image in WinHex, the tail carries a hint: the encrypted archive's password is 10 digits. A mask attack gives 2001701725.

That yields youcanalso.jpg and flag.zip, and flag.zip itself contains youcanalso.jpg, so this is a known-plaintext attack. Zip youcanalso.jpg yourself, check that its CRC32 matches the entry inside the archive, and start the attack. One thing to watch: the plaintext has to be compressed with the same method and settings so the compressed stream matches the one in the target byte for byte; archives made with WinRAR did not work for me, compressing with Bandizip did.

Out comes the password 1amT1G@, and flag.txt contains a string starting with 504B. Paste it into 010editor as hex and save it as a zip; it turns out to be a Word document, so rename it to .docx and open it: several pages of base-something encoding, presumably the whole base family nested. basecrack's magic mode decodes all of it:

python basecrack.py --magic

then paste in the Word document's content.

flag{8fa3e8c4-0121-4f2a-a7f0-0a60032e3763}

pcap

The task is to analyze the DNP 3.0 traffic. Open the capture in Wireshark, filter for dnp3 first, then inspect:

Distributed Network Protocol 3.0 > Application Layer > RESPONSE Data Objects > Object(s): 32-Bit Counter Change Event... > Point Number 0 (Quality: Online), Count: 102... > Counter (32 bit): 102

That 102 as a character is f, and the packet it sits in is 91 bytes long. Sort by packet length, walk the packets in order, and the same field in each one holds the next character: f, l, a, g... Concatenate them for the flag.

pcap_analysis

Analyze Modbus traffic: filter for it, right-click Follow stream, read the flag vertically and join it up.

SDNISC2020_简单数据包 (simple packet)

A pcapng that Wireshark cannot open. binwalk on it directly yields a zip and a txt; base64-decode the txt for the flag. (binwalk is forever the unintended solution for traffic-capture challenges.)

多啦A梦 (Doraemon)

Unzipping gives 多啦A梦.jpg and 提示.txt; the hint: isn't the picture missing something?

foremost straight away carves out a QR-code PNG; fix its width/height, scan it and base64-decode the result for the flag.

海量的txt文件 (a flood of txt files)

Hundreds of txt files, each full of meaningless strings. Put them all in one folder and take it to Kali:

strings * | grep flag

Nothing. Change the keyword to password, pass, key and so on; key hits:

key{fe9ff627da72364a}

技协杯 - Where's my password (dealing with newer archive versions)

If archpr refuses the archive because of an unsupported version, set the version field to 0 in 010editor and it will accept it.
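The same header edit done programmatically, as an added example rather than anything from the original post: walk the central directory from the end-of-central-directory record and rewrite the "version needed to extract" field in every central entry and in its local file header, leaving offsets, CRCs and the (possibly encrypted) payload untouched. Walking the directory, rather than searching the file for PK\x03\x04, avoids false hits inside compressed or encrypted data. The sample archive is constructed with zipfile; the value 0 is the one the post uses, and is parameterised here.

```python
import io
import struct
import zipfile


def patch_zip_versions(data: bytes, version: int = 0) -> bytes:
    """Rewrite 'version needed to extract' (local header offset 4, central
    directory offset 6) for every entry, using the central directory to find
    each local header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, cd_size, cd_offset = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory entry expected at 0x%x" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off, = struct.unpack_from("<I", buf, pos + 42)
        struct.pack_into("<H", buf, pos + 6, version)        # central: version needed
        if buf[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("local file header expected at 0x%x" % local_off)
        struct.pack_into("<H", buf, local_off + 4, version)  # local: version needed
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


def extract_versions(data: bytes):
    """What a reader sees in the central directory: {name: version needed}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: zi.extract_version for zi in zf.infolist()}


def read_member(data: bytes, name: str) -> bytes:
    """Proves the patched archive still extracts normally."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_zip() -> bytes:
    """Constructed sample. zipfile cannot write encrypted entries, but the
    header layout being patched is the same for encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{example}")
        zf.writestr("dir/notes.txt", "x" * 1000)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_zip()
    print("before:", extract_versions(original))
    print("after: ", extract_versions(patch_zip_versions(original, 0)))
```

Readers do not verify this field against the actual compression or encryption method, which is why lowering it changes what a cracking tool is willing to load without changing what the archive contains.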

句末大佬's LSB

A single PNG. The challenge had no description by the time I replayed it; it should be cloacked-pixel's lsb script, but that produced nothing. According to the writeup, the password has to be found by OSINT: 句末's surname, chen.

python lsb.py extract jumo.png flag.txt chen

HEBTUCTF{wuinoknadsflmladflnef}

日志审计 (log audit)

Download the attachment logcheck.log and find the blind-injection records; they look like this:

192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C1%2C1%29%29%3D102--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C2%2C1%29%29%3D108--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C3%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C4%2C1%29%29%3D103--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C5%2C1%29%29%3D123--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C6%2C1%29%29%3D109--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C7%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C8%2C1%29%29%3D121--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C9%2C1%29%29%3D105--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C10%2C1%29%29%3D121--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C11%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C12%2C1%29%29%3D104--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C13%2C1%29%29%3D101--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C14%2C1%29%29%3D105--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C15%2C1%29%29%3D49--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C16%2C1%29%29%3D57--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C17%2C1%29%29%3D54--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C18%2C1%29%29%3D53--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C19%2C1%29%29%3D97--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C20%2C1%29%29%3D101--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C21%2C1%29%29%3D55--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C22%2C1%29%29%3D53--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C23%2C1%29%29%3D54--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C24%2C1%29%29%3D57--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C38%2C1%29%29%3D125--%20pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"

Extract them into data.txt and decode with a script:

from urllib.parse import unquote

with open('./data.txt') as f:
    lines = f.readlines()
for line in lines:
    line = unquote(line)                                     # URL-decode the request
    line = line[line.find('))=') + 3:line.find('--')]        # keep only the compared ASCII code
    print(chr(int(line)), end="")

The script reads each blind-injection record, URL-decodes it, uses find to cut away everything except the ASCII code being compared, and prints the characters of the flag one by one.

flag{mayiyahei1965ae7569}
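A more robust way to read the same log, as an added example and not part of the original writeup: parse each combined-format line, URL-decode the injected parameter, pull the position and compared ASCII code out of sqlmap's MID(...)=N confirmation probe, and rebuild the secret by position. This does not depend on the lines being in order, ignores the >-comparison steps of sqlmap's binary search, drops probes whose response did not match the "true" branch, and marks positions that never got a confirmation with ?. The sample lines are constructed with a helper that reproduces the format of the excerpt above; the assumption that a 327-byte body is the "true" response comes from that excerpt.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# sqlmap's per-character confirmation probe: ...MID((<subquery>),<pos>,1))=<ascii code>
EQ_RE = re.compile(r"MID\(\(.*?\),(\d+),1\)\)=(\d+)")


def parse_probe(line: str):
    """Return {pos, char, status, size, ua} for a confirmation probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = parse_qs(urlparse(m["path"]).query).get("user", [""])[0]  # parse_qs URL-decodes
    eq = EQ_RE.search(user)
    if not eq:
        return None  # not an '=' probe (e.g. a '>' binary-search step) or not an injection
    return {"pos": int(eq.group(1)), "char": chr(int(eq.group(2))),
            "status": int(m["status"]), "size": m["size"], "ua": m["ua"]}


def recover_secret(lines, true_size="327"):
    """Rebuild the exfiltrated value by position. true_size is the body length
    of the 'true' branch (assumed 327 here, as in the excerpt); probes with any
    other length were false guesses and are discarded."""
    chars = {}
    for line in lines:
        p = parse_probe(line)
        if p and p["status"] == 200 and p["size"] == true_size:
            chars[p["pos"]] = p["char"]
    if not chars:
        return ""
    return "".join(chars.get(i, "?") for i in range(1, max(chars) + 1))


def _sqlmap_line(pos, op, code, size):
    """Constructed sample line in the exact shape of the log excerpt above."""
    return (
        '192.168.0.1 - - [13/Oct/2018:12:38:14 +0000] "GET /flag.php?user=hence%27%20AND%20ORD'
        '%28MID%28%28SELECT%20IFNULL%28CAST%28secret%20AS%20CHAR%29%2C0x20%29%20FROM%20haozi.secrets'
        '%20ORDER%20BY%20secret%20LIMIT%200%2C1%29%2C' + str(pos) + '%2C1%29%29' + op + str(code) +
        '--%20pZaF HTTP/1.1" 200 ' + str(size) + ' "-" "sqlmap/1.2#pip (http://sqlmap.org)"'
    )


# Out of order, with a '>' search step, a false '=' guess, and position 5 missing.
SAMPLE_LOG = [
    _sqlmap_line(4, "%3D", 103, 327),   # g
    _sqlmap_line(1, "%3D", 102, 327),   # f
    _sqlmap_line(2, "%3E", 100, 327),   # binary-search step, ignored
    _sqlmap_line(3, "%3D", 98, 320),    # wrong guess, false branch, ignored
    _sqlmap_line(3, "%3D", 97, 327),    # a
    _sqlmap_line(2, "%3D", 108, 327),   # l
    _sqlmap_line(6, "%3D", 109, 327),   # m
]

if __name__ == "__main__":
    print(recover_secret(SAMPLE_LOG))
```

Keying on the User-Agent ("sqlmap/...") is the quickest triage filter in a real log, but a tool run with a spoofed agent leaves exactly the same MID(...)/ORD(...) probe pattern, so the regex on the decoded query is the part worth keeping in a detection rule.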

神秘压缩包 (mysterious archive)

Unzip: an archive and a txt. The txt is base64 of an image, which gives the extraction password: asdfghjkl

Extracting gives 160 QR-code images. Batch-scan them with 微微二维码 into an Excel sheet; the contents are all 0s and 1s, and converting the binary to text gives the flag.

赢战2019

The attachment is a jpg. In WinHex the tail looks normal; binwalk reports embedded images, and foremost extracts a QR code that reads 眉头一皱,发现这张图片没这么简单 ("a frown: this picture isn't as simple as it looks"). Flip through stegsolve's filters to see the flag.