在Wireshark打开该附件并在上方的筛选HTTP协议
点开最下面的那个选项,看到有一条链接http://39.99.247.28/fonts/1
成功获得flag的两部分,并把这个页面保存下来,这个页面放在下面的环境变量设置的那个文件夹里面
然后在电脑设置环境变量
后面的那个文件目录可以随便填一个,但是前面的值是固定的
这个操作目的是为了能在Wireshark进行TLS解密
来Wireshark的首选项选择协议TLS,然后右边选择那个刚刚保存下来的1文件,由于我不知道是题目的那个1是什么后缀名,我就直接改为txt
就已经成功解密了TLS
他这里是经过TLS访问页面的加密隐藏了一张图片
访问链接就得到这个图片
把图片拉进winhex打开
然后仔细分析一下图片的最下面的十六进制
这个是flag的第三部分
然后将图片的最下面的4组IDAT的前三组都合拼一起,但必须把每组的IDAT头和尾都要去掉
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTExMTExMTExMTEwMDAwMDAwMTAwMTEwMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDAwMDAwMTEwMTExMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMTExMTEwMDEwMDAwMDAwMDAxMTAwMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDAwMTEwMTEwMDEwMDAwMDAwMDAwMDAxMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMTExMTAwMTEwMDEwMDAwMTAwMTEwMDEwMDExMTAwMDAwMDExMTAxMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAwMDAxMTEwMDExMTExMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMDAwMDAwMDAxMTEwMDExMTEwMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDExMTAwMTAwMTExMTExMTExMTAwMTEwMDExMTAwMDAwMDAxMTExMTAwMTAwMDAxMTAwMDAwMDAwMTEwMDExMDAwMDAwMDAwMTExMTAwMTEwMTEwMTEwMDAwMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMDAwMDAwMDExMTAwMDExMTExMTEwMDExMDAxMDAwMDAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMDAxMTAwMTEwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMTAwMDAwMTAwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMTExMTEwMDEwMDExMDAwMTExMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDAxMTExMTAwMDEwMDExMDAwMDExMTAxMTAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDAwMTExMTAwMDAwMDAxMDAwMDAwMDExMDAwMDAxMTExMTExMDAxMTExMDAwMTExMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDExMDAwMDAwMDAwMDExMDAxMDAwMDAwMDAwMDAwMDAwMDEwMDAwMDAxMDAwMDExMTAwMDAxMDAwMDAwMTExMTAwMTEwMDAwMDExMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDExMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTAwMTExMDAwMDAwMDExMTExMDAwMDAwMDEwMDAwMTAwMDAwMTAwMTAwMTExMDAwMDAwMTAwMTAwMDAwMDAxMTAwMDAwMDAwMTExMDExMDAwMDAwMTExMDAwMTAwMDAxMTAwMDAwMTExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMTExMTEwMDExMDAwMDAxMTExMTExMTAwMDAxMTAwMDExMTExMTEwMDEwMDAwMDAwMDAwMDAwMTExMDAxMDAxMTAwMDAwMDAwMDAxMTAwMDAwMTExMDAxMTEwMDExMTExMDAxMDAwMTAwMTAwMDAwMDAwMTExMDAxMDAxMDAwMDAwMDAwMDAxMDAwMDAwMTExMDAxMTEwMDExMTExMDAxMTAwMTAwMTAwMDAwMDExMTAwMDAwMTEwMDExMTExMTExMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAxMTEwMDExMTAwMDAwMDExMDAwMDAwMDEwMDExMTExMTEwMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAwMTEwMDAxMTAwMDAwMDAwMDAwMTAwMDAwMDEwMDAwMDAwMDAwMDAwMDExMDAwMDAxMTEwMDExMDAxMDAwMDAwMTAwMTAwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDExMTAwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTExMTEwMDAwMTAwMDAwMDAwMTAwMDAwMDExMTExMTExMTAxMTExMTAwMDAwMDAwMDAwMDExMDAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTEwMDAwMDAxMTAwMDAwMDAwMDEwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTExMDAwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDAwMTAwMTExMTExMTExMTExMDAwMDAwMDExMTAwMTExMDAwMDExMDAwMDAxMTAwMDAwMDAwMDAxMTExMDAwMTEwMDAxMDAxMTAwMTExMDAwMDAwMDExMDAwMDExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAxMTExMTAwMTExMDAxMTAwMTAwMTAxMTExMTExMTExMDAxMTExMTAwMDAxMDAxMTEwMDExMTExMTAwMDAxMTAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMTAwMDExMDAwMDAwMDExMTAwMTAwMDAxMDAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMDAwMDExMDAwMDAwMDExMTAwMTAwMDAwMDExMDExMTAwMDAwMDExMTAwMDAwMDAwMDAwMDAwMDAxMTEwMDAwMDExMTExMDAwMDAxMTAwMTAwMDAwMTExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTAxMDAwMDAwMTAwMTAwMDAxMTExMTAwMDAwMTEwMDEwMDAwMTAwMDAwMDAwMDExMTExMDAwMDEwMDAwMDAwMDAxMTAwMDEwMDAwMDAwMTExMTAwMDAwMDAwMDEwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAxMTAwMDAwMDAwMDAwMDExMTAwMTAwMDAwMDEwMDExMTExMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMDAwMTAwMDAwMDAxMTAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMDEwMDExMTExMTExMTAwMDExMDAwMDAxMDAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMTEwMDExMDExMTExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAxMDAxMTEwMDAwMDAxMTEwMDAxMTExMDAwMDAxMTAwMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMDExMDAwMDAxMTAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAwMTExMDAwMTEwMDAwMTExMTAwMDExMDAxMDAxMTAwMTExMTAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDAxMDAwMDAxMTAwMTExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDExMDAwMDAxMTAwMTExMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAwMTAwMDAxMDAxMTEwMDExMTExMTExMTAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAxMTAwMDAxMDAxMTAwMDAxMTExMTExMDAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDEwMDExMDAwMTExMTExMTExMDAwMTExMTEwMDAwMTExMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMDAwMTEwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMTExMTEwMDAwMDAwMTAwMDAxMTEwMDExMDAwMDAwMDAwMDExMTAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMDExMTExMTExMDEwMDEwMDExMTExMTEwMDExMTExMDAxMDAxMTEwMDExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111110000000100110000100000000011100001111111111100001111111111110000000110111000100000000011100001111111111100001100000000110010011111110010000000001100111001000000000100001100000000110010000110110010000000000001111001000000000100001100111100110010000100110010011100000011101001001111100100001100111100110000100000001110011111110010000001001111100100001100111100110000000000001110011110110010000001001111100100001100111100110011100100111111111100110011100000001111100100001100000000110011000000000111100110110110000001000000000100001100000000110010011000000011100011111110011001000000000100001111111111110010011001001001100110110010011001111111111100001111111111110010011001001100000100110010011001111111111100000000000000000010011111110010011000111000100000000000000000000000000000000010001111100010011000011101100000000000000000001110011000111100000001000000011000001111111001111000111000000110000000000000000001000000011000000000011001000000000000000010000001000011100001000000111100110000011000000010000000001110011001111110000000000000010001001110011111000010011000001110011001111110000000000000011001001110011111000010011000001100111000000011111000000010000100000100100111000000100100000001100000000111011000000111000100001100000111000000000000000011100000111110011000001111111100001100011111110010000000000000111001001100000000001100000111001110011111001000100100000000111001001000000000001000000111001110011111001100100100000011100000110011111111000000011100001111111000001110011100000011000000010011111110000000011100001111111000000110001100000000000100000010000000000000011000001110011001000000100100000000000000000110000000000000000000001110011011100000000000000010001001111110000100000000100000011111111101111100000000000011000000001110000000111111100110000001100000000010000000000011100000001110000000111111100111000000100000000010000000001110000100111111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
然后下一步我们要去把二进制转二维码
把刚才base64解密出来的二进制复制到str=””里面
但是这里必须要按python的PIL库
得出的一个二维码
把这个二维码用QR扫描工具打开
经过扫描,得出一条百度网盘的链接
然后把这个压缩包下载,解压
解压之后发现有一张图片
把这个图片用stegbreak爆破得出密码为power123
然后用JPHS工具来打开这图片,并选择Seek进行输入密码power123
然后导出一个文件
用记事本或者用notepad++打开查看获得flag的第四部分
然后发现这里有一条百度网盘链接和提取码
结果真的有一个压缩包
但是发现两个压缩包都被加密了
然后使用CRC32碰撞攻击脚本把level6.zip直接碰撞爆破出来
看着文本是5、4、5字节,就只把红色框圈住的5、4、5位挑选出来,而且也要把奇怪的符号去掉,就剩下黄色箭头指向的那三个就直接组合成flag的第六部分
Level6_isready
然后用Advanced Archive Password Recovery软件将level7.zip压缩包用level5.zip压缩包中的1.png作为明文密钥进行明文爆破
等到剩下一个小时就可以直接按停止就会出现这个弹窗
之后会让你保存一个新名为level7_decrypted.zip,然后直接解压
由于4.png和5.png两张图片的分辨率是一样的,但是大小不一样,猜测是盲水印攻击
获得flag的第七部分level7ishere
但是在这个图里面发现了有一个网址http://39.99.247.28/final_level 访问后看到了一个百度
感觉就直接复制了百度的页面下来
然后通过查看元素,发现了有一行这样的注释,可以看到它的空格和TAB生成的空格就可以判断出是典型的SNOW隐写
直接去使用SNOW隐写工具破解出,但是这里又看到了一个括号里面的no one can find me
就猜测一下,是不是密码呢?
然后通过把flag所有部分进行拼接得出
flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}
下载附件解压后是一个.pcap
,打开后看到一条数据非常可疑
追踪TCP流,发现了文件,文件头和filename,觉得是一张图片
找到JPEG File Interchange Format
右键导出分组字节流,后缀为jpg,就可以看见一张图片了
看到图片的文件名有点特别,用搜索引擎看了一下原来是个隐写软件,在kali安装后
输入steghide info a.jpg
发现需要输入密码
使用以下脚本暴力破解密码
#bruteStegHide.sh
#!/bin/bash
for line in `cat $2`;do
steghide extract -sf $1 -p $line > /dev/null 2>&1
if [[ $? -eq 0 ]];then
echo 'password is: '$line
exit
fi
done
得到密码为123456
,输入密码后得到输入获得flag.txt文件信息,用steghide extract -sf a.jpg
获取flag.txt文件并用cat查看flag
打开题目很明显是命令注入
ls查看一下发现有flag.php和index.php
由于过滤了flag,就是用通配符?来绕过,发现cat不行,经过测试好像只有tac可以,就用
ip=127.0.01;tac ????.php
来获取flag
//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
die('level 1 failed');
}
条件为hash1
的值,需要等于自身md4加密后的值,就是加密前后的值都要相等。
这跟md5($_GET['a'])==md5($_GET['a'])
差不多
PHP在处理哈希会将0E
开头的都解释为0
,所以找一个0E
开头的字符串且其哈希值是0E
开头的
百度时发现了一个0e251288019
这个md4后也是0E
结尾的,所以
payload:?hash1=0e251288019
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
die('level 2 failed');
}
需要hash2
不能和hash3
全等或者hash2
的md5不能和hash3
的md5全等
这里就可以用数组绕过
此时payload:?hash1=0e251288019&hash2[]=1&hash3[]=2
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc();
var_dump($row);
$result->free();
$mysqli->close();
很明显是sql注入和hash结合,参考添加链接描述构造payload为
?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop
flag就出来了