陇剑杯2023writeup

雨点打透心脏的1/2处 2024-03-26 23:22 60阅读 0赞

### SMAILSWORD1 ###

![4274dc816f2348a9ba75f8f042f47709.png][]

先过滤 http

![2c62ffe291eb4a1db1a4b73607ebafd0.png][]

明显是sqllib第7题，sql注入写shell

![f6735f5efc41432cae2f8808bcbb35ff.png][]

将数据复制出来，灰色部分为连接的密码。6ea280898e404bfabd0ebb702327b18f，注意不包含前面的22

tcp contains "$\_POST"

更简单的筛选方法，直接筛选写shell的$\_POST

### SMAILSWORD2 ###

![31037212338d44b8bf49cb027f08dd3b.png][]

http.request.uri matches "info1.php"

这里筛选出木马的流量，做题没找到，实际上是在tcp.stream eq 143 第二项的数据，base64解码，其他的数据都是一致的D:/phpStudy/PHPTutorial/WWW/sqlii/Less-7/ 这些

![1b1f60f8e3294a15b0e361eef9874217.png][]

![122095b690e94d26a593b7d9b2a9d1cd.png][]

YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA==

ad6269b7-3ce2-4ae8-b97f-f259515e7a91

### SMAILSWORD3 ###

![86f7aa4147684368836a6d436d88db92.png][]

![aa816d46edf6488e9b59a0edcf2c6d11.png][]

浏览这些包、以及之前base64解码的内容，能看到有个huorong.exe

追踪TCP流，能看到明显是个PE文件

![684cca65da2c43a7b68b8b2000ec8b45.png][]

查看原始数据，先筛选0d0a0d0a定位

![0d59181b694b468a8a1da7c140977f30.png][]

根据PE文件头介绍，开头是4d5a

![2ebe93090db04900a85ec263e5cac6ad.png][]

只要从4d5a之后的数据

![1a799f9be192436f853a72f3b33641a8.png][]

转化成

with open('hexdata.txt', 'r') as f: with open('1.exe', 'wb') as f1: lines = f.readlines() for line in lines: line = line.strip() f1.write(bytes.fromhex(line))

![8549edb36e92452caa4fdb9865c77036.png][]

但是没有路径，也没看到同路径下有图片

![3c2da5a3ca6c40dd8fbf5b4be10ef173.png][]

发现放到这里了....................

![bd92855b3a51408e998e4f1f1d6b751b.png][]

打开之后没啥东西

看了网上的内容，发现这其实是个PNG图片...用010editor发现CRC校验报错，推测修改了图片高度

![1b472a2991ab484aa980b644fccfae89.png][]

打开HXD一看，确实，修改了高度

![678a569ac457430aba76f43d9d52de6a.png][]

flag3\{8f0dffac-5801-44a9-bd49-e66192ce4f57\}

smailsword这个题的流程较多，虽然每一步都不难，但是没有什么提示。

--------------------

### ez\_web\_1 ###

![043b20e368a24847b56b5fadda94e0b0.png][]

![fa7925eb7a784b7a9b0d1655a840da27.png][]

翻了一下流量，发现有个d00r.php，但是提交报错

tcp contains "d00r.php"

![0d1c2824ae29420291ed5e7787415163.png][]

ViewMore.php 是这个写的d00r.php

### ez\_web\_2 ###

![b4fd8d3e9ba84b2faebcae4f0eb07753.png][]

![b29cc0c6b31c477a87e408e9f23e7bf8.png][]

这里执行了ipconfig命令，追踪TCP流

![8549599f05664907b0b9ca4f3eb4f0fc.png][]

在[https://craftsmanbai.gitbooks.io/linux-learning-wiki/content/hahah.html][https_craftsmanbai.gitbooks.io_linux-learning-wiki_content_hahah.html]查看

![b7321cc0317342169efba81fe8346366.png][]

gz文件头是1f8b

原始数据，应该是这部分，

![5742dd17c1744fe6a90679c6e83505e5.png][]

解密失败，不过能够确认是这个流

tcp.stream eq 10098

找到http流进行追踪

![ef5a7ddd5aad4efe946f145a3c6ac972.png][]

两个网段，一个是162，另一个是101

192.168.101.132

### ez\_web\_3 ###

![f3df8eed29c845958070d9e7b3ce82fc.png][]

tcp contains "d00r.php"

![17847f5a98cf4620860a1929f5c16f2a.png][]

![0c033e001efa4cd6ab1e3517176c2bed.png][]

![ea6600c71abe447eb400c2b14c172e0c.png][]

能看到有PK头，有key.txt

![516166c5d7d746f4a3aad056bd652e4e.png][]

看来是个zip包，处理一下数据

![b167fe8793f042bd91d8fc3a5d258a43.png][]

![b0b4b4000f6f474193b5ae60b60d61e8.png][]

![a45810e759784ad381a3164976d5d357.png][]

回去找数据包

![8832d07e830d4c81ba7f52299ff4be44.png][]

7e03864b0db7e6f9

![dc16d0e8a3344fc583075c41b74ae327.png][]

7d9ddff2-2d67-4eba-9e48-b91c26c42337

[4274dc816f2348a9ba75f8f042f47709.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/a349a741fb2b4774bfddf19314dbf283.png
[2c62ffe291eb4a1db1a4b73607ebafd0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/fb802b794be24ee6992bb25de26e09ca.png
[f6735f5efc41432cae2f8808bcbb35ff.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/15539ce617894a20ae269a34bb9762b7.png
[31037212338d44b8bf49cb027f08dd3b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/a187aea0390c45eab5ef0904ff76de50.png
[1b1f60f8e3294a15b0e361eef9874217.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/3d27d9fd8862469cbe817b129067de07.png
[122095b690e94d26a593b7d9b2a9d1cd.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/1bd8c501a1c14a5783051db103b40852.png
[86f7aa4147684368836a6d436d88db92.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/a7fadac4b9d34b29812e04b5c086fa94.png
[aa816d46edf6488e9b59a0edcf2c6d11.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/9091fe85b6594d57be809f702f5deb3c.png
[684cca65da2c43a7b68b8b2000ec8b45.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/bc8730720c8e4e8f82f3501e2b25f29e.png
[0d59181b694b468a8a1da7c140977f30.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/1c5c390780784da99000bb1dbc5f26a3.png
[2ebe93090db04900a85ec263e5cac6ad.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/b38b3c23455e4f06a20b27c4765fc163.png
[1a799f9be192436f853a72f3b33641a8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/c789e21ed67649c7afd5a920e37a1c47.png
[8549edb36e92452caa4fdb9865c77036.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/53763f13f67340e998a38eb790658248.png
[3c2da5a3ca6c40dd8fbf5b4be10ef173.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/d1964865e4fd481cb09dd4d43e165510.png
[bd92855b3a51408e998e4f1f1d6b751b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/97b825dcad3c4c6e9cb52bac3c74c42c.png
[1b472a2991ab484aa980b644fccfae89.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/c984137398754b5a9cd3e0126bd70e27.png
[678a569ac457430aba76f43d9d52de6a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/0793fa1831d646928e6138183fa81995.png
[043b20e368a24847b56b5fadda94e0b0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/a78b9e83a09743199f228e6004e7bece.png
[fa7925eb7a784b7a9b0d1655a840da27.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/647c5c9177cb49a083c1207854610c87.png
[0d1c2824ae29420291ed5e7787415163.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/a46b9a12f6eb47b8864fcc89fda07c12.png
[b4fd8d3e9ba84b2faebcae4f0eb07753.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/3b302332456d4b6c822f37cf1e927205.png
[b29cc0c6b31c477a87e408e9f23e7bf8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/2d866f97684a449d84b8ca0e3fe48d2c.png
[8549599f05664907b0b9ca4f3eb4f0fc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/ea1686b541214e68b19a432830b76f7a.png
[https_craftsmanbai.gitbooks.io_linux-learning-wiki_content_hahah.html]: https://craftsmanbai.gitbooks.io/linux-learning-wiki/content/hahah.html
[b7321cc0317342169efba81fe8346366.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/65e473a4cc3341328919a983fb2b3b94.png
[5742dd17c1744fe6a90679c6e83505e5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/c17ae30779a24fab813ede91fe576479.png
[ef5a7ddd5aad4efe946f145a3c6ac972.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/5745ee7bdf3d4e1085682b9a4f18bce8.png
[f3df8eed29c845958070d9e7b3ce82fc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/b7e6c1d2b73947b288c1074b0ec5ada3.png
[17847f5a98cf4620860a1929f5c16f2a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/e824fc623b1343e5bb570c2fbfa2bffe.png
[0c033e001efa4cd6ab1e3517176c2bed.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/0d4017e23219490597ea68e64f5db56d.png
[ea6600c71abe447eb400c2b14c172e0c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/86edb24911e545a8b853e7703ea4b6f5.png
[516166c5d7d746f4a3aad056bd652e4e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/3df0378d9b9f4303891b77bfb6145566.png
[b167fe8793f042bd91d8fc3a5d258a43.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/568b9dce15974034801311f53a3eac2f.png
[b0b4b4000f6f474193b5ae60b60d61e8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/008940dcb87448a48d60e16217fb98f8.png
[a45810e759784ad381a3164976d5d357.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/0d6ad4f356d74203b3ed8d4197db7c0c.png
[8832d07e830d4c81ba7f52299ff4be44.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/3c6d182a060f47dd9fdd0aac37d57ca9.png
[dc16d0e8a3344fc583075c41b74ae327.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/11/bf4bcb7cdc2e4c3b9d779379eefd09ce.png