记录一下第一次独立在大型比赛中AK Misc~

BrickGame

玩游戏签到

漏洞探踪,流量解密

第一阶段找一个IP地址,确定ip地址是192.168.30.xxx,实在太多了找不到,写个脚本开爆

1
2
3
4
5
6
7
8
9
10
11
# 文件名
output_file = 'ip_addresses.txt'

# 打开文件进行写入
with open(output_file, 'w') as file:
    # 循环生成 IP 地址
    for i in range(1, 256):
        ip_address = f'192.168.30.{i}'
        file.write(ip_address + '\n')

print(f'IP 地址列表已生成并保存到 {output_file}')

生成字典后爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
import py7zr
import concurrent.futures

# 文件路径
archive_path = 'C:/Users/67300/Desktop/1/1.7z'
# 字典文件路径
dictionary_path = 'C:/Users/67300/Desktop/1/ip_addresses.txt'
# 线程数
max_threads = 10

def extract_with_password(archive_path, password):
    try:
        with py7zr.SevenZipFile(archive_path, mode='r', password=password) as archive:
            archive.extractall(path='./extracted')
            print(f"Password found: {password}")
            return True
    except py7zr.exceptions.Bad7zFile:
        print("Bad 7z file")
        return False
    except py7zr.exceptions.PasswordRequired:
        return False
    except Exception as e:
        print(f"Error: {e}")
        return False
    return False

def attempt_password(password):
    password = password.strip()
    if extract_with_password(archive_path, password):
        return password
    return None

def brute_force_password(dictionary_path):
    with open(dictionary_path, 'r') as file:
        passwords = file.readlines()
    
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_threads) as executor:
        futures = {executor.submit(attempt_password, password): password for password in passwords}
        for future in concurrent.futures.as_completed(futures):
            result = future.result()
            if result:
                print(f"Success: The password is {result}")
                executor.shutdown(wait=False)
                return result
    print("Password not found")
    return None

# 执行爆破
brute_force_password(dictionary_path)

获得密钥:192.168.30.254

ccb01

进入第二阶段

在流92中获得密钥

ccb02

在95流中获得加密方式RC4

ccb03

在95流中获得加密方式RC4

ccb04

解密rc4后hex即可

ccb05

ccb06

最安全的加密方式

流13内找到一个$pass='25ming@',目测是哥斯拉流量但是没啥用

ccb07

流15找到一个RAR压缩包,另存为下来CyberChef手提一个压缩包,用之前的pass为解压密码成功解压,获得一个flag.txt

ccb08

ccb09

看到这样的形式很像32位md5,联想到UNCTF 2022的那道题,写出hash爆破脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from hashlib import md5

c = '''8fa14cdd754f91cc6554c9e71929cce7
2db95e8e1a9267b7a1188556b2013b33
0cc175b9c0f1b6a831c399e269772661
b2f5ff47436671b6e533d8dc3614845d
f95b70fdc3088560732a5ac135644506
b9ece18c950afbfa6b0fdbfa4ff731d3
2510c39011c5be704182423e3a695e91
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
6f8f57715090da2632453988d9a1501b
cfcd208495d565ef66e7dff9f98764da
03c7c0ace395d80182db07ae2c30f034
e358efa489f58062f10dd7316b65649e
b14a7b8059d9c055954c92674ce60032
c81e728d9d4c2f636f067f89cc14862c
e1671797c52e15f763380b45e841ec32
4a8a08f09d37b73795649038408b5f33
4c614360da93c0a041b22e537de151eb
4b43b0aee35624cd95b910189b3dc231
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
e1671797c52e15f763380b45e841ec32
8d9c307cb7f3c4a32822a51922d1ceaa
4a8a08f09d37b73795649038408b5f33
4b43b0aee35624cd95b910189b3dc231
57cec4137b614c87cb4e24a3d003a3e0
83878c91171338902e0fe0fb97a8c47a
e358efa489f58062f10dd7316b65649e
865c0c0b4ab0e063e5caa3387c1a8741
d95679752134a2d9eb61dbd7b91c4bcc
7b8b965ad4bca0e41ab51de7b31363a1
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
cbb184dd8e05c9709e5dcaedaa0495cf'''.split('\n')

s = list(range(32,127))
t = {}

for k in s:
    t[md5(chr(k).encode()).hexdigest()] = chr(k)

flag=''
for k in c:
    flag += t[k]

print(flag)
 
 #flag{The_m0st_2ecUre_eNcrYption!!!}

ccb10