内部赛Write-Up 0530

雨点打透心脏的1/2处 2022-10-09 00:48 136阅读 0赞

### **1.Web-签到题** ###

点开题目让猜密码

首先输入发现最大位数是1，而密码为四位数字，就点击源码修改最大长度为5

然后用Burp Suite爆破密码

太久没用BP了稍微详细写一写

首先设置浏览器代理

![20210622221345942.png][]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70][]

然后配置BP

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1][]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2][]

大概刷新一下要抓包的页面，就会发现Proxy变橙色，说明页面被抓取

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3][]

密码在index.php里，就使用密码爆破

点击Action发送到Intruder

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4][]

Intruder变橙，默认进入

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5][]

点击Position选项，选择要爆破的内容

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 6][]

这里默认标记出来了，当这里有多个选项时参考下面

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 7][]

说了是四位数数字，所以爆破选项设置如下1000-9999

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 8][]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 9][]

最后start attack

按照长度排序，与众不同的那个就是了

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 10][]

1314真的好土……..

### **2.MISC-CRY** ###

下载的图片看起来就是小jerry在哭，用Winhex打开，先改变0-3行，4-6行的长和宽参数看看，什么也没有，说明不是不完整，然后搜索flag文本

flag就出来了

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 11][]

### **3.MISC-还是解题爽** ###

给出来的解压密码是JS加密过的，用网站在线解密解压密码为password

然后解压的图片有三个残缺，根据二维码的格式自行补上三个方块。

用微信扫一扫得flag

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 12][]

### **[4.CRYPTO-be@r][4.CRYPTO-be_r]** ###

熊说在线解密就行了

### **5.CRYPTO-Are you ok?** ###

下载下来一个压缩包，和还是写题爽的格式一样，通过txt解出压缩密码，打开7z文件即可

看到密文，最后带的等号，base64后面跟的是两个等号，看了wp才知道这是AES加密，密钥就是题目描述: nobody is ok，通过网站[https://www.sojson.com/encrypt\_aes.html][https_www.sojson.com_encrypt_aes.html]

![20210622221531368.png][]

解出密码

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 13][]

输入之后得到全是ook!

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 14][]

在线搜索ook!是什么类型的密码，给到了网站解析，属于ook!编码

[https://www.splitbrain.org/services/ook][https_www.splitbrain.org_services_ook]

得到flag

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 15][]

[20210622221345942.png]: /images/20221005/5abb29ed060442e594da25ccbecd266d.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70]: /images/20221005/54a8f80b083a4082a57aabebfc45f9df.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1]: /images/20221005/fbdf0c3f751e4fe1b1442e99116f01f8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2]: /images/20221005/2eacd85e25334a339b4cae7b8fd04e2c.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3]: /images/20221005/0eb7f173545b4e8380b6413bd1c04c77.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4]: /images/20221005/34b1e8ab4b8c4775ba0ae8ad3ef3539f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5]: /images/20221005/a508a2f8455541eb8dc486b80694d89a.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 6]: /images/20221005/852de3e05c0e4b3396c39d2c33dd2f9a.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 7]: /images/20221005/b3aab0d9ee60442cbc5c860a54d6672d.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 8]: /images/20221005/1312b3d0aedf4c6ab6e639874eaed879.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 9]: /images/20221005/61f308ac8c224b70ae2ad730cba30cf4.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 10]: /images/20221005/6fe4edaabf1a45aca2b7747768b91a55.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 11]: /images/20221005/28f6ec93efb546179a76ca8b206feea8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 12]: /images/20221005/45a9d5aa4ea84462a366b023fa4fcb13.png
[4.CRYPTO-be_r]: mailto:4.CRYPTO-be@r
[https_www.sojson.com_encrypt_aes.html]: https://www.sojson.com/encrypt_aes.html
[20210622221531368.png]: /images/20221005/dd58d98507a840148a0c91f9959552e7.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 13]: /images/20221005/f291464049a44e3e8bb321f92466ad78.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 14]: /images/20221005/4deb31b34f754ae3b748caec42a7e429.png
[https_www.splitbrain.org_services_ook]: https://www.splitbrain.org/services/ook
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 15]: /images/20221005/8a53554798a5414e87c9b6c0908920f3.png