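We are given task.py and cipher, the encrypted flag. Opening cipher in WinHex, the hex values look like the result of an XOR.
Source of task.py: the flag is XORed character by character with a key that repeats cyclically, and a comment notes that xxxx is not the real key.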
from secret import flag

key = "xxxx"  # not real key
cipher = ""
for i, c in enumerate(flag):
    cipher += chr(ord(c) ^ ord(key[i % 4]))
with open("cipher", "w") as f:
    f.write(cipher)
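The flag has the form flag{xxx}, so its first four characters are f, l, a, g. XORing them in turn with the first four bytes of cipher gives the key, and it turns out that xxxx really is the key (a smokescreen, huh?).
Write a script to reverse it, which gives: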
key = "xxxx"  # not real key
f = open('cipher')
cipher = f.read()
f.close()

def jiemi(cipher):
    # XOR is its own inverse, so applying the same repeating key decrypts
    flag = ''
    for i, c in enumerate(cipher):
        flag += chr(ord(c) ^ ord(key[i % 4]))
    print(flag)  # flag{fccb0665-bce5-d329-aca7-99179bdc9ed3}

jiemi(cipher)
Web
easy_ctf
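Fetch the page with requests, sort the characters, and POST the result back, sending headers so that Python reuses the earlier cookie. The sorting script is one I found online.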
# -*- coding:utf-8 -*-
import requests
import re

def paixu(str):  # sorts by frequency from highest to lowest, the opposite of what the challenge asks
    dic = {}
    count = 0
    s = str
    flag = ''
    for i in s:
        dic[i] = s.count(i)
    list = sorted(dic.items(), key=lambda d: d[1], reverse=True)
    for i, j in list:
        flag += i
        print(i, end="")
        count += 1
    return flag

url = 'http://120.79.191.238:41227/'
header = {
    'POST':'/ HTTP/1.1',
    'Host':'http://120.79.191.238:41227/',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length':'5',
    'Origin': 'http://120.79.191.238:41227/',
    'Referer': 'http://120.79.191.238:41227/',
    'Cookie': 'PHPSESSID=0do0gj80dg24120ctdblthjdm7',
    'Upgrade-Insecure-Requests':'1'
}
cookie = {
    'PHPSESSID':'0do0gj80dg24120ctdblthjdm7'
}
value = '1'
data = {
    'ans':value
}
r = requests.session()
post = r.post(url, headers=header, cookies=cookie, data=data)  # send an arbitrary value to get the HTML content
html = post.text
html = re.findall("\n(.+?)
in
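This leads to the action.php page with the parameter file=2.txt, which is a file inclusion. Use the filter pseudo-protocol to read the source of index and action.
The $_POST name value is written into the session, so try reading the session file's location.
It can be read, so PHP code injected into the name value will be treated as PHP and executed by include.
payload: name='); ?> The response contains username|s:68:“”; Testing shell.php over HTTP confirms that the webshell was uploaded. Connect with AntSword and find the flag file in the root directory.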
Reverse
pyre
Only pyre.exe is provided. The icon suggests it was packed with PyInstaller; after looking it up, pyinstxtractor.py is needed to extract it back into pyc files.
python .\pyinstxtractor.py .\pyre.exe
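Running it creates a new directory. The 1.pyc inside it is clearly the original program, but it cannot be decompiled.
Try repairing the header: overwrite the first sixteen bytes of 1.pyc with the first sixteen bytes of struct.pyc to fix the header of 1.pyc, then feed it to an online decompiler to get the source.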
def check():
    a = input('plz input your flag:')
    c = [
        144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
        78, 171, 12, 53, 105, 45,
        12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = None
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return None
    print('win')

check()
b is unknown, so brute-force b first.
# ord('f') * 33 % b = 144
flag = 'flag'
for b in range(1, 4125):
    if (ord('f') * 33) % b == 144:
        if (ord('l') * 33) % b == 163:
            if (ord('a') * 33) % b == 158:
                if (ord('g') * 33) % b == 177:
                    print(b)  # 179
Reverse the modulo with a brute-force script:
c = [
    144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
    78, 171, 12, 53, 105, 45,
    12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
b = 179
for i in range(len(c)):
    for d in range(1, 24):  # ord('}') = 125 and 125 * 33 / 179 = 23, which gives the maximum number of brute-force iterations
        if (b * d + c[i]) % 33 == 0:
            print(chr((b * d + c[i]) // 33), end='')  # flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}
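Both brute-force loops above can be replaced by arithmetic, shown here as an added example that is not part of the original write-up: b divides every 33 * ord(p) - c[i] for the known prefix "flag", and since 33 is invertible modulo b, each character is c[i] * 33^-1 mod b. The function names are assumptions of this example; the list c, the multiplier 33 and the "flag" prefix come from the page.

```python
from functools import reduce
from math import gcd

MULT = 33               # multiplier from the decompiled check()
KNOWN_PREFIX = "flag"   # assumption used on the page: the flag starts with "flag"

# Target list c, copied from the decompiled check()
C = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45,
     12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]


def recover_modulus(c, prefix=KNOWN_PREFIX, mult=MULT):
    """Return every modulus b consistent with the known plaintext prefix."""
    # ord(p) * mult % b == c[i]  means  b divides  ord(p) * mult - c[i]
    diffs = [ord(p) * mult - c[i] for i, p in enumerate(prefix)]
    g = reduce(gcd, diffs)
    # A remainder is always smaller than its modulus, so b > max(c)
    return [d for d in range(max(c) + 1, g + 1) if g % d == 0]


def invert(c, b, mult=MULT):
    """Undo x -> x * mult % b for every element (requires gcd(mult, b) == 1)."""
    inv = pow(mult, -1, b)  # modular inverse, Python 3.8+
    return "".join(chr(v * inv % b) for v in c)


def solve(c=C):
    candidates = recover_modulus(c)
    if len(candidates) != 1:
        raise ValueError("modulus is ambiguous: %r" % candidates)
    b = candidates[0]
    flag = invert(c, b)
    # Re-run the forward check from check() to confirm the result
    if any(ord(ch) * MULT % b != v for ch, v in zip(flag, c)):
        raise ValueError("recovered flag fails the forward check")
    return b, flag


if __name__ == "__main__":
    print(solve())
```
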