TSTAR 解题 Write Up

原创

用户6785481

发布于 2022-04-24 19:31:18

7340

发布于 2022-04-24 19:31:18

文章被收录于专栏：用户6785481的专栏用户6785481的专栏

第一关

验证码泄露登录

然后fuzz所有的api

这个like api改成xml提交的时候触发了一个报错

联想到xxe，最终在网上找到了下面的不依赖dtd的poc可以使用

然后在读app.py的时候发现了import config

在config里找到了flag

第二关

因为第一关有提示关注主播，去微博找到了同样的id

因为要的是当前地址，关注了一下图片

没找到确切的地址，不过可以大致确定范围是沿海城市

fuzz了一下天津舟山... 然后蒙出答案是深圳

第三关

看文件内容是wireshark的流量包，重命名后缀pcap用wireshark打开，里面有adb的流量

然后还给了密码

用github上找到的

https://github.com/lclevy/ab_decrypt/blob/master/ab_decrypt.py

脚本解一下恢复成一个tar

里面有apk和一个zip

apk扔jeb 反编译下看到一个flagstep1url

http://175.178.148.197:5000/

zip 里给了

拿private_key.pem接一下key.en 接出来

b'\x02\xf8\xd4\xae\xc6\xd6\x8dy(sgH\x10Z\x93w\xc5c\xdb\xa4r\xf5\x91\xa8q\x009BlteBJnZpwrRjbL0DsGlFz5M+MDG74jYIj0zzivGPVW75jYZQpdzpfrpEBcXAJqHrlZlEw9hMhRQ8FijkATyMxpKsPXEWT5K6M5\n'

然后用可见字符部分内容就能解密flag.zip了

这么个玩意 28*28

想到二维码

画一下，扫一下

拿到个url

/033yia8rqea1921ca61/systemlockdown

然后和之前的url结合下下载了systemlockdown这个东西

看协议头是个zip

改后缀解压后拿到这俩

readme给了源码

首先ida patch了最开始的 SYSTEM_SHUTDOWN

根据程序逻辑只能输入连续的相同数字

然后就fuzz了 111111 222222 ... 999999 的六位和七位

发现5555555过了，遂提交答案

第四关

俩文件

补完二维码

下载了call_me.zip

我真是一个压缩包修复下文件头PK

永不消逝的电波是莫斯码

手动听然后拿到密码

解开拿到网址也即flag

https://darknet.hacker5t2ohub.com/

第五关

用第四关的解出来的网站访问

https://darknet.hacker5t2ohub.com/

测了一下买东西能够整数溢出加钱

GET /trpc.cors_filter_test.common.Darknet/Purchase?amount=34&gid=9

买完提示给腾讯安全应急响应中心发T-Star666

你要找的人，即将发起大范围蠕虫攻击！行动计划就藏匿在邮件中，只有解出密匙才能破除攻击！http://159.75.190.64/

nightbaron042@sohu.com

nightBaron1996

登录邮箱

三封邮件三组hash

用cmd5钞能力破解出一部分原文

commo
nly,
 simply 
  ignor 
ant
  about 
  good 
  secur 
ity
  pract 
ices.
  With 
  the 
  same 
  attit 
ude
  as 
  our 
  secur 
ity-co
nscious
  many 
  infor 
mation
  techn 
ology
  (IT) 
  profe 
ssionals
  hold 
  to 
  the 
  misco 
nception
  that 
  made 
  their 
  compa 
nies

网上找到类似文章

然后把中间一段话复制到勒索网站

Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play. The world's most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices. With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they've made their companies largely immune to attack because they've deployed standard security products - firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Anyone who thinks that security products alone offer true security is settling for. the illusion of security. It's a case of living in a world of fantasy: They will inevitably, later if not sooner, suffer a security incident.