2024春秋杯冬季赛day2writeup_cyi

 

解题过程

misc Weevil's Whisper

操作内容：

筛选http流，一开始就把马上传了

搜索可知这是weevely的webshell

这篇讲的很详细了

https://xz.aliyun.com/t/11246?time__1311=Cq0xRD0Q0QD%3DdGNeeeqk75YitmczLbD#toc-5

拿了这篇的解密脚本

https://blog.csdn.net/m0_74091653/article/details/144152597

习惯性从后面解起

如该题使用自己编写的脚本代码请详细写出，不允许截图

 

<?php

$k="161ebd7d";$kh="45089b3446ee";$kf="4e0d86dbcf92";$p="lFDu8RwONqmag5ex";

function x($t,$k){

$c=strlen($k);

$l=strlen($t);

$o="";

for($i=0;$i<$l;){

  for($j=0;($j<$c&&$i<$l);$j++,$i++){

    $o.=$t{$i}^$k{$j};

    }

    }

    return $o;

    }

$msg = "Sap6risomCodHP/PqrQaqvueeU+wURkueAeGLStP+bQE+HqsLq39zTQ2L1hsAA==";

echo(@gzuncompress(@x(@base64_decode($msg),$k)));

?>

flag值：

flag{arsjxh-sjhxbr-3rdd78dfsh-3ndidjl}

misc NetHttP

操作内容：

一开始看到zmxh，直接手搓，最后来个fakeflag，人傻了

流量逻辑挺简单，上来差不多直接rce，读了个私钥文件出来，后面就是echo base64编码后的mw文件和假flag文件

 

"""

：另一位师傅令我灵光一闪：可以这样，减少很多多余

tshark -r "D:\contest\NetHttP.pcapng" -Y "http&&frame.len==66" -T fields -e http.request.uri > http_traffic_good.txt

"""

调教gpt

先用tshark导出，长这样

tshark -r "D:\contest\NetHttP.pcapng" -Y "http" -T fields -e tcp.stream -e frame.number -e frame.len -e http.request.uri -e http.response.code > http_traffic.txt

帧长度为465和469都是密文的

Base64解码得到

S0I3iWhvszKbOM/OalKTA0fpm5O5chVVnYGyKd5nV4erAzRbV6V6w8b/UiOfQEc3Ijh00hFjYFU1HaxNub9GnlPS/lcam5mATkf2sJS6JgpJo6AShVRxWDYKKrojeUeBZj5MEPI8/4DGGGuHFxmx2bxAahdDe1cGnjTZGWONpNI=

证书文件，不过是加过密的

Key在流量最开始：gdkfksy05lx0nv8dl

解密得到私钥

https://www.ssleye.com/ssltool/priv_get.html

如该题使用自己编写的脚本代码请详细写出，不允许截图

from collections import defaultdict

import re

import base64

# 读取提取的 HTTP 流量数据

with open("C:\\Users\\86139\\Desktop\\http_traffic.txt", "r") as file:

lines = file.readlines()

# 按流号组织数据

stream_data = defaultdict(list)

for line in lines:

# 使用 strip() 去除换行符，然后按制表符分割

fields = line.strip().split("\t")

# 检查字段数量

if len(fields) == 5:

stream_id, frame_num, frame_len, request_uri, response_code = fields

else:

# 如果字段不足，填充缺失字段为空字符串

fields += [""] * (5 - len(fields)) # 确保字段数量为 5

stream_id, frame_num, frame_len, request_uri, response_code = fields

# 将数据添加到流号对应的列表中

stream_data[stream_id].append({

"frame_num": frame_num,

"frame_len": int(frame_len) if frame_len else 0, # 如果 frame_len 为空，默认值为 0

"request_uri": request_uri,

"response_code": response_code

})

# 正则表达式匹配 echo%20 和 %20 之间的值

base64_pattern = re.compile(r"echo%20([^%]+)%20")

# 正则表达式匹配单引号里的值

single_quote_pattern = re.compile(r"==\s*'([^']+)'")

flag=''

# 查找符合条件的流

for stream_id, packets in stream_data.items():

request_packet = None

response_packet = None

# 查找请求包和响应包

for packet in packets:

if packet["request_uri"] != "" and (packet["frame_len"] == 469 or packet["frame_len"] == 465): # 修改为实际的请求包长度

request_packet = packet

if packet["response_code"] != "" and packet["frame_len"] == 66: # 修改为实际的响应包长度

response_packet = packet

# 如果找到匹配的请求和响应包，则输出请求 URL 并提取 Base64 数据

if request_packet and response_packet:

print(f"Stream ID: {stream_id}")

print(f"Request URL: {request_packet['request_uri']}")

# 提取 Base64 数据

base64_match = base64_pattern.search(request_packet["request_uri"])

if base64_match:

base64_value = base64_match.group(1) # 提取 Base64 编码的值

try:

# Base64 解码

decoded_value = base64.b64decode(base64_value).decode('utf-8')

print(f"Extracted Base64: {base64_value}")

print(f"Decoded Value: {decoded_value}")

# 提取单引号里的值

single_quote_match = single_quote_pattern.search(decoded_value)

if single_quote_match:

single_quote_value = single_quote_match.group(1)

flag += single_quote_value

print(f"Value inside single quotes: '{single_quote_value}'")

else:

print("No value found inside single quotes.")

except Exception as e:

print(f"Error decoding Base64: {e}")

else:

print("No Base64 data found in the request URL.")

print("-" * 40)

print(flag)

import base64

# RSA 参数
n = 75198391834610743089994427445022622171591577121191724448299339002435832997164232218413508119298295123274196848013892501604504507367027410527023618161491726166765575077336751590544863722532358737240337140569730023629526218796143738463727597005256155751094703947322244106639054703290232743344051122409847668979
d = 47823271942181380918380117208311303072917059719458472058236845602980348253487465624475587910710493956741157673197903864601280854518063619685915091953443290538916965993327948549512195024615088046785300748165298087812720446099735944950660175124872626742440697531498487595767064570672468310421018941583067770553

# Base64 解码密文
s = 'S0I3iWhvszKbOM/OalKTA0fpm5O5chVVnYGyKd5nV4erAzRbV6V6w8b/UiOfQEc3Ijh00hFjYFU1HaxNub9GnlPS/lcam5mATkf2sJS6JgpJo6AShVRxWDYKKrojeUeBZj5MEPI8/4DGGGuHFxmx2bxAahdDe1cGnjTZGWONpNI='
c_bytes = base64.b64decode(s)

# 将字节串转换为整数
c_int = int.from_bytes(c_bytes, byteorder='big')

# RSA 解密
m_int = pow(c_int, d, n)

# 将解密后的整数转换为字节串
m_bytes = m_int.to_bytes((m_int.bit_length() + 7) // 8, byteorder='big')

# 解码为字符串
try:
plaintext = m_bytes.decode('utf-8')
print("Decrypted plaintext:", plaintext)
except UnicodeDecodeError:
print("Decrypted bytes (not valid UTF-8):", m_bytes)

flag值：

flag{343907d2-35a3-4bfe-a5e1-5d6615157851}