DNS is managed with https://dnszi.com/

Python code (the router is ktwlan)

import httplib, urllib, base64, socket, time
 
# Wait for the network to come up (the script is started from rc.local)
time.sleep(20)
 
# Find this host's LAN IP: connecting a UDP socket sends no packets,
# it only makes the kernel choose the outgoing interface address
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(('google.com', 0))
ip = s.getsockname()[0]
 
# Log in to the router's admin page with HTTP Basic authentication
headers = {"Authorization" : "Basic a3R1c2VyOm1lZ2FhcA=="}
conn = httplib.HTTPConnection("172.30.1.254")
conn.request("GET", "/user/log_through.asp", headers=headers)
response = conn.getresponse()
data = response.read()
conn.close()
 
# Delete the existing port-forwarding entry (fw_del)
params = {'fw_del' : 1,'Mac_port_countfw_add':1,'selectport':'ON','select1':'ON'}
params = urllib.urlencode(params)
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection("172.30.1.254")
conn.request("POST", "/goform/formPortFw_KT", params, headers)
response = conn.getresponse()
data = response.read()
conn.close()
time.sleep(15)
 
# Add a rule forwarding TCP ports 1-60000 to this host's current IP (fw_add)
params = {'SvrPortFrom':'1','SvrPortTo':'60000','LocalIP':ip,'LocalPortFrom':'1','LocalPortTo':'60000','fwProtocol':'tcp','fw_add':'1','Mac_port_countfw_add':'0','submit-url':'..%2Fuser%2Fkt_page5_1.aspect'}
params = urllib.urlencode(params)
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection("172.30.1.254")
conn.request("POST", "/goform/formPortFw_KT", params, headers)
response = conn.getresponse()
data = response.read()
conn.close()


root@raspberrypi:~# cat /etc/rc.local 
#!/bin/sh
/usr/bin/python2.7 /root/start.py
/usr/bin/wget -q -O - 'http://ddns.dnszi.com/set.html?user=unknown84&auth=kkkkkk&domain=kkkkkk&record='



Give Me Flag - 150

As the name of the file implies, this program will give you the flag.

givemeflag

Solves: 80





Opening the file shows hex values separated by spaces, like CA FE BA BE 00 00 00. Running
f = open('givemeflag','r').read()

>>> open('/Users/jinwoo/Downloads/give2','w').write(open('/Users/jinwoo/Downloads/givemeflag','r').read().replace(" ","").decode('hex'))

and checking the result,

➜  Downloads  file give2

give2: compiled Java class data, version 51.0

shows that it is a Java class.


Decompiling the class with jad and then modifying the source gives:

import java.io.PrintStream;
import java.lang.reflect.Array;
 
public class givemeflag
{
 
    public givemeflag()
    {
    }
 
    public static void main(String[] args){
        String flag="";
            // Encoded flag values taken from the decompiled class
            int ai1[] = {
                4329, 4347, 4301, 4339, 4351, 4301, 4344, 4339, 4324, 4339,
                4301, 4351, 4339, 4321, 4326, 4343, 4320, 4335
            };
            int ai[]  = {
                4329, 4347, 4301, 4339, 4351, 4301, 4344, 4339, 4324, 4339,
                4301, 4351, 4339, 4321, 4326, 4343, 4320, 4335
            };
            // XOR each value with 0x1092 to recover one character of the flag
            for(int i = 0; i < Array.getLength(ai1); i++)
            {
                    flag+=(char)(ai[i] ^ 0x1092);
            }
            System.out.println(flag);
    }
}
 
 

 ➜  Downloads  java givemeflag

{i_am_java_master}


FLAG : {i_am_java_master}
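
The same steps in Python 3, as an added example that is not part of the original write-up: it decodes the space-separated hex, checks the class-file magic and the version that `file` reported, and applies the XOR from the decompiled loop. The 8-byte sample header is constructed (the page shows only the first seven bytes), and the function names are illustrative.

```python
import struct

XOR_KEY = 0x1092  # key from the decompiled loop in the write-up

# Values of the decompiled int array, one 4-digit entry per character
ENCODED = [
    4329, 4347, 4301, 4339, 4351, 4301, 4344, 4339, 4324, 4339,
    4301, 4351, 4339, 4321, 4326, 4343, 4320, 4335,
]

# Constructed sample: class-file header only (magic, minor 0, major 0x33 = 51)
SAMPLE_HEADER = "CA FE BA BE 00 00 00 33"


def hex_text_to_bytes(text):
    """Convert 'CA FE BA BE ...' (any whitespace between bytes) to raw bytes."""
    return bytes.fromhex("".join(text.split()))


def class_version(blob):
    """Return (major, minor) of a Java class file; raise ValueError otherwise."""
    if len(blob) < 8:
        raise ValueError("too short for a class-file header")
    # Header layout: u4 magic, u2 minor_version, u2 major_version (big-endian)
    magic, minor, major = struct.unpack(">IHH", blob[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("bad magic: %08X" % magic)
    return major, minor


def xor_decode(values, key=XOR_KEY):
    """XOR every array entry with the key and join the resulting characters."""
    return "".join(chr(v ^ key) for v in values)


if __name__ == "__main__":
    major, minor = class_version(hex_text_to_bytes(SAMPLE_HEADER))
    print("class file version %d.%d" % (major, minor))
    print(xor_decode(ENCODED))
```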
