社区 › 科技 › 2025海丰杯WP

崔瑜然 发表于 7 天前

2025海丰杯WP

https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001431027-2024590086.png
2025海丰杯WP

签到

R1kzRE1ZWldHRTNET04zQ0dNWURHTUpXR1laVFNNWlVHTVpER01SVEdNWkdJTVpYR00zRE1OQlRHWVpHSU1aVUdNWlRHTkpXR0laR0lOUlJHWVpER05KVEdJWkdJTVpXR00yVEdOQldHSTNER01aVEdZM0RHTlpXR1VaVFFNWlFHTTJET1pBPQ==base64解码即可：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001434041-939272969.png
base32
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001434906-1014785315.png
hex转字符
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001435883-2071035898.png
web

web1

爆破
​ctrl+U打开页面源代码，给出了字典，直接导入bp中进行爆破即可。
web2

​ctrl+U打开页面源代码，
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001436714-1783656432.jpg
解码拿到测试用户
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001437302-1757631472.jpg
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001438417-836830396.jpg
登录进去后提示需要admin权限。
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001439257-1592806017.jpg
解码修改为admin后再编码替换cookie，发包即可。
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001442083-1541239281.jpg
web3

文件上传，后台过滤文件后缀名和文件内容。使用bp将常见文件名进行测试，发现log后缀名可以被解析且能上传成功，然后使用短标签绕过一句话内容检测即可。
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001443665-1750040401.png
misc

misc1

https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001446100-1376420464.jpg
使用strings发现里面有东西：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001446750-22359878.png
使用foremost提取出zip文件然后解压，发现：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001447530-462879270.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001448219-1788105521.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001448750-1738361338.png
提示为古代数字字符，在网上找到：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001449274-1426573479.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001449833-1928450606.png
对照解码。
misc2

​secret_upload.pcapng​
过滤http流量，发现POST上传请求。
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001451687-420827579.png
导出分组字节流导出，拿到一个zip文件，但是需要密码
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001453041-294785375.png
没有找到
misc3

https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001454409-1267045403.png
导出压缩包
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001456026-861479948.png
密码就是url的最后一个：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001457183-284592357.png
ZmxhZ3thbjRseXozZF90aDNfdHI0ZmYxY19sMWszX2FfcHIwfQo=解码得到：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001457656-1711245175.png
misc4

​jiemi.pcapng​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001458479-608530701.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001501098-2067998995.png
​strings看一下：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001503181-903363798.png
​base64解码
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001503803-376837203.png
核心社会主义价值观：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001504249-895109642.png
misc5

​pac.pcapng​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001505718-1856748624.png
很明显的sql注入payload，所以内网地址为192.168.17.8, md5编码：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001506362-1162729715.png
​flag1为：
flag1{dd73a692d474f6b3f4d668ff6cd37f51}继续查找，发现：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001507986-509946008.png
解码得到flag2：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001508531-416731972.png
flag{451708cd-f7a8-49ae-ae58-f3ff1329733f}misc6

https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001509185-1171901733.png
随波逐流修复宽高：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001509749-50358002.jpg
解压拿到：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001512987-1815222757.png
看到是需要base64转图片：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001514600-1221530300.png
扫一下拿到：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001515166-1864514699.png
misc7

https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001515665-797357188.png
看源代码，拿到解压密码
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001516393-2023868463.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001516860-1520150097.png
解压拿到图像：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001518150-1158760067.png
一张纯色图片
‍
misc8

题目附件： 信号塔密钥，xxdxh.jpg
随波逐流发现图片藏有东西：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001518625-637040738.jpg
提取出来看看：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001521294-1172661496.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001522409-1250197527.png
转换一下，下载下来识别是一个zip包：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001522844-1896277208.png
解压发现解压不了，查看头部信息，发现有脏数据：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001523753-271482498.png
修复一下，尝试解压，发现需要密码：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001525434-775654489.png
想到提示：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001525992-2143296730.png
开始爆破：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001526700-182604019.jpg
爆破拿到密码： abcd​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001528488-2004038234.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001529026-482901383.png
misc9

​wifi-crack.cap​
使用capinfos查看 pcap 文件类型、包数、时间等元信息
capinfos wifi-crack.caphttps://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001530576-618847992.png
查看密码抓取目标：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001531429-1475466066.png
典型的WPA/WPA2四次握手流程。
查看网络列表和SSID：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001531810-1424283654.png
找到Wi-Fi名为：hackinglab​
获取到关键MAC：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001534427-723822880.png

[*]AP（或 BSSID）: 28:e3:47:f3:7a:7f​
[*]STA (Client): 54:e6:fc:53:e6:d0​
提取用于破解的哈希文件：
hcxpcapngtool -o hackinglab_handshake.22000 wifi-crack.caphttps://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001536959-2085574143.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001537485-1441237671.png
最后使用hashcat进行破解：
hashcat -m 22000 hackinglab_handshake.22000 ../../pentest/reports/rockyou/rockyou.txt --status --status-timer=10https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001539687-1438590148.png
获取到账号与明文密码：hackinglab：19940808​
misc10

题目附件： 狼戈.png曲谱.jpgaudio.zip​
随波逐流提取狼戈.png​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001540866-1199562909.png
使用key解压压缩包得到docx文件，使用010打开发现是mp3​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001542311-2115906245.png
misc11

附件misc03.jpg​
​strings发现里面有东西：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001542932-1926459003.png
使用foremost提取，得到一个压缩包：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001543423-381347443.png
爆破压缩包拿到密码：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001544051-518167387.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001545514-2009918871.png
一堆010机器码，使用010转二维码：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001546013-39076329.png
扫描得到：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001546533-1542635665.png
misc12

附件：VExTX19EZWNyeXB0.pcap​
给附件名先来个base64解码：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001547112-1362583894.png
考的是TLS流量解密
分析流量包中的Telnet流量，发现：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001547554-302714483.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001548071-2094684704.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001548711-1580072000.png
其中有文件名以及加密算法，写出解密算法，
# Attempt to decrypt Base64-looking strings found in the Telnet capture# Using the AES parameters from the leaked Python script:# IV = 'QWERTYUIOPASDFGH' used as both key and IV, AES-CBC, null-byte padding.from Crypto.Cipher import AESimport base64key = b'QWERTYUIOPASDFGH'# 16 bytesiv = keyb64_candidates = [    "19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo="]def try_decrypt(b64):    try:      data = base64.b64decode(b64)    except Exception as e:      return f"Base64 decode error: {e}"    try:      cipher = AES.new(key, AES.MODE_CBC, iv)      dec = cipher.decrypt(data)      # strip trailing nulls      dec_stripped = dec.rstrip(b'\x00')      try:            return dec_stripped.decode('utf-8', errors='replace'), dec, dec_stripped      except:            return ("", dec, dec_stripped)    except Exception as e:      return f"AES decrypt error: {e}"results = {}for b in b64_candidates:    results = try_decrypt(b)results{'19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=': ('passwd={No_One_Can_Decrypt_Me}', b'passwd={No_One_Can_Decrypt_Me}\x00\x00', b'passwd={No_One_Can_Decrypt_Me}')}解出密码为{No_One_Can_Decrypt_Me}​
​binwalk分析流量包，发现有一个rar压缩文件：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001549916-799876349.png
根据分析流量包，确认这个是sslkey.rar,根据binwalk的分析结果，我们确定了sslkey.rar文件在TLS__Decrypt.pcap文件中的起始偏移量为212424字节。现在，我们可以使用dd命令来精确地从PCAP文件中提取出这个RAR文件。
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001550456-93367214.png
然后解压，发现需要密码，想到上述解密出来的passwd，成功解密拿到sslkey.log，导入Wireshark成功解密流量：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001551211-2014463985.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001552412-491244503.png
crypto

crypto1

想笑：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001552876-126726854.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001555943-1771462013.png
​Ctrl+U直接查看源代码。
正常解密，首先解十六进制转字符：
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001556472-1717961771.pnghttps://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001558878-346524078.png
​CTF​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001602572-17034752.png
‍
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001603391-1959761205.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001603998-455354163.png
​VORLVWDB​
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001604931-555294343.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001605883-1355733071.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001607194-1867597455.png
https://img2024.cnblogs.com/blog/3431427/202509/3431427-20250928001608150-917818618.png
crypto2

sm3和sm4,需要想爆破md5一样纯爆破。
‍
总结

有问题还请大佬指出来

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

查看完整版本: 2025海丰杯WP