
wasm-login
check.startsWith("ccaf33e3512e31f3")

爆破时间戳
`// solve_sunday.mjs
import { authenticate } from "./release.js";
import { createHash } from "node:crypto";

const TARGET_PREFIX = "ccaf33e3512e31f3";
const username = "admin";

// 调整搜索范围:补全 "周日晚上" 的时间段
// 结束时间:2025-12-22 00:00:00 (我们刚才扫过的起点)
const endTs = 1766332800000;
// 开始时间:往前推 5 小时 (周日 19:00 开始) -> 1766314800000
const startTs = 1766314800000;

console.log([+] 开始扫描周日深夜时段...);
console.log([+] 范围: ${new Date(startTs).toLocaleString()} -> ${new Date(endTs).toLocaleString()});
console.log([+] 目标前缀: ${TARGET_PREFIX});

const startTime = Date.now();
let count = 0;

for (let ts = startTs; ts < endTs; ts += 1) {
count++;

if (count % 500000 === 0) {
const speed = (count / ((Date.now() - startTime)/1000) / 1000).toFixed(1);
console.log([*] 进度: ${ts} | 速度: ${speed} k/s);
}

try {
const password = ts.toString();
const resultString = authenticate(username, password);

if (resultString) {
// 务必: parse -> stringify -> MD5
const jsonStr = JSON.stringify(JSON.parse(resultString));
const hash = createHash('md5').update(jsonStr).digest('hex');

if (hash.startsWith(TARGET_PREFIX)) {
console.log(\n\n[SUCCESS] 找到 Flag !!!);
console.log([+] 时间戳: ${ts});
console.log([+] Flag: flag{${hash}});
process.exit(0);
}
}
} catch (e) {}
}

console.log("[-] 周日时段扫描结束。");`

登录的时间戳应该是 1766334550699
WASM 返回为:

{"username":"admin","password":"L0In602=","signature":"LxZiwA05Y9h7wX1CI0gUitOE2LBy9y8McoBqWgKIdDo="}
对其 JSON.parse -> JSON.stringify 后做 MD5,得到:
ccaf33e3512e31f36228f0b97ccbc8f1
用 flag{} 包裹上即可

babygame
Godot 逆向,和羊城杯那题差不多;直接用标准 AES 解密得到的是乱码

# Flag-check scene script as recovered in the write-up. The text typed into
# FlagTextEdit is AES-ECB encrypted under `key` and the hex of the result is
# compared with a fixed constant.
extends CenterContainer

@onready var flagTextEdit: Node = $PanelContainer / VBoxContainer / FlagTextEdit
@onready var label2: Node = $PanelContainer / VBoxContainer / Label2

# Hard-coded 16-character key (16 bytes once UTF-8 encoded, i.e. AES-128).
# It is a writable static variable, so the value in effect when submit() runs
# need not be this literal. Because the key ships with the game, the check
# below offers no secrecy against anyone who can read the package.
static var key = "FanAglFanAglOoO!"
var data = ""

func _on_ready() -> void :
    Flag.hide()

# Returns the current value of the static key.
func get_key() -> String:
    return key

# Encrypts the entered text with AES in ECB mode under the current key and
# shows label2 only when the ciphertext matches the expected hex string.
func submit() -> void :
    data = flagTextEdit.text

    var aes = AESContext.new()
    aes.start(AESContext.MODE_ECB_ENCRYPT, key.to_utf8_buffer())
    # NOTE(review): no padding is applied here; AESContext presumably needs the
    # input length to be a multiple of 16 bytes -- confirm against Godot docs.
    var encrypted = aes.update(data.to_utf8_buffer())
    aes.finish()

    # 32 hex digits = 16 bytes = exactly one AES block.
    if encrypted.hex_encode() == "d458af702a680ae4d089ce32fc39945d":
        label2.show()
    else:
        label2.hide()

# Switches back to the menu scene.
func back() -> void :
    get_tree().change_scene_to_file("res://scenes/menu.tscn")
原因是 key 会在运行时动态变化:
# Score-keeping node as shown in the write-up; it also rewrites the AES key
# held by the Flag script.
extends Node

@onready var fan = $"../Fan"

var score = 0

# Increments the score; when the score reaches exactly 1, the shared key is
# rewritten. Presumably called once per collected coin -- verify against caller.
func add_point():
    score += 1
    if score == 1:
        # replace() is applied to the whole string, so every "A" in the key
        # becomes "B" in a single step; nothing here changes it back.
        Flag.key = Flag.key.replace("A", "B")
        # NOTE(review): indentation was lost on the page; placing this line
        # inside the `if` body is inferred -- confirm against the original.
        fan.visible = true

每吃一个金币都会对调 A 和 B(按上面贴出的代码,替换只在 score == 1 时执行一次,并且是把 key 里所有的 A 换成 B,这与下面 bits = (1, 1) 的结果一致)

Exp
from itertools import product

try:
    from Crypto.Cipher import AES
except ImportError:
    raise SystemExit("需要 pycryptodome:pip install pycryptodome")

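# Key literal as it appears in the game script, and the hex ciphertext the
# game compares the encrypted input against.
BASE_KEY = "FanAglFanAglOoO!"
CT_HEX = "d458af702a680ae4d089ce32fc39945d"

ct = bytes.fromhex(CT_HEX)  # 16 bytes: a single AES block

# Find the index of every "A" in the key; these are the only characters the
# game's replace("A", "B") can touch.
a_pos = [i for i, ch in enumerate(BASE_KEY) if ch == "A"]
print("A positions:", a_pos, "count =", len(a_pos))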

def build_key(bits):
    """Return BASE_KEY with selected "A" characters changed to "B".

    bits holds one entry per index in a_pos; an entry equal to 1 means the
    "A" at that index becomes "B", any other value leaves it untouched.
    """
    flipped = {pos for pos, flag in zip(a_pos, bits) if flag == 1}
    return "".join(
        "B" if idx in flipped else ch for idx, ch in enumerate(BASE_KEY)
    )

def is_valid_utf8(b: bytes) -> bool:
    """Return True when *b* decodes as strict UTF-8, False otherwise."""
    try:
        b.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    else:
        return True

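# Try every combination of "A kept" / "A changed to B" for the positions in
# a_pos, decrypt the single ciphertext block under each candidate key, and
# print the result so the readable plaintext can be picked out by eye.
for bits in product([0, 1], repeat=len(a_pos)):
    key_text = build_key(bits)
    key = key_text.encode("utf-8")  # 16 bytes
    aes = AES.new(key, AES.MODE_ECB)
    pt = aes.decrypt(ct)

    ok_utf8 = is_valid_utf8(pt)
    print("\n=== bits:", bits, "key:", key_text, "utf8:", ok_utf8)
    print("pt_hex:", pt.hex())
    if ok_utf8:
        print("pt_utf8:", pt.decode("utf-8"))
    else:
        # latin-1 is used only so that every byte is visible; it does not
        # mean the bytes could have been typed in as text.
        print("pt_latin1_preview:", pt.decode("latin-1"))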

=== bits: (1, 1) key: FanBglFanBglOoO! utf8: True pt_hex: 774f577e796f75417265677245615421 pt_utf8: wOW~youAregrEaT
=== bits: (1, 1) key: FanBglFanBglOoO! utf8: True pt_hex: 774f577e796f75417265677245615421 pt_utf8: wOW~youAregrEaT flag{wOW~youAregrEaT}

Eternum
RAT/后门通信

C2 是 192.168.8.160:13337

流量包帧结构:
[ "ET3RNUMX"(8) ][ len(4, big-endian) ][ body(len) ]

  1. pcap 里应用层帧格式
    每条 TCP payload 里是多帧拼接:
    b"ET3RNUMX" + u32_be(len) + body
  2. body 是 AES-GCM
    nonce = body[:12]
    tag = body[-16:]
    ct = body[12:-16]
  3. AES key 是可执行文件里硬编码的 32 字节字符串(即 AES-256 key):
    xfqGcVjrOWp5tUGCPFQq448nPDjILTe7
  4. 解密后能看到服务端下发命令、客户端回传输出,其中有一条命令是:
    base32 /var/opt/s*/
    MZWGCZ33MI3WGNJYG4YDALJSMIYDCLJUMRSDILJYGUZDMLLBGRQTIN3BGY2WCMLBHF6Q====
    对这段输出做 base32 解码就是 flag。

flag
flag{b7c58700-2b01-4dd4-8526-a4a47a65a1a9}
