御网杯 (Yuwang Cup) 2025 Semifinals & Finals

Semifinals

Misc

YWB_Misc_File Steganography 01

Challenge

File steganography

Solution

The attachment is an encrypted archive; brute-forcing digits-only passwords yields the extraction password 882401.

In the extracted Word document, moving the image aside reveals the flag.

FLAG{12axzaq1sz}

YWB_Misc_Keyboard Traffic Analysis

Challenge

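While monitoring the network we captured a batch of suspicious traffic. You now need to analyze the capture and determine whether the operator transmitted any information. Note: the submission format is flag {xxx}.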

Solution

Solved in one shot with a tool.

flag{inop97bc6g9}

Crypto

Image Maze: Unlocking the Hidden Truth

Challenge

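Image Maze: Unlocking the Hidden Truth. Description: a seemingly ordinary image hides the secret that leads to the password. Find the right image, extract the archive successfully, and uncover the encrypted flag to claim the final victory.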

Solution

Repairing the file header yields the extraction password ctf@welcome.

The EXIF data of the extracted image contains Y3RmX3lvdV9wYXNzZWQ=, which base64-decodes to the flag: ctf_you_passed

flag{ctf_you_passed}

crypto

Challenge

crypto

Solution

flag{hnctfqwer34567}

YWB_Crypto_10

Challenge

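While restoring the dome mural of an ancient planetarium, you found a fragmentary roll of parchment in the inlay seams of the twelve zodiac signs. On the yellowed surface, written in faded ink: 5uwSOphsp4poQVBJyTUQfsgxFELy. On the back, the copyist's scrawled annotation is faintly visible: "This is the key to the forbidden room of the Great Library; the time sequence must be rearranged by the 62 star tracks. Beware: the missing sun and moon symbols will devour themselves, just like the graduations that vanish when the hourglass is turned over…"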

Solution

flag{nisp_9i7u_0kj3e}
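
The decode below is an added example, not taken from the original write-up. It reads the hint as base62 (the "62 star tracks", i.e. base64 without its two extra symbols) applied to the reversed string (the inverted hourglass). The 0-9A-Za-z digit order and the function names are assumptions made here.

```python
import string

# Assumption: the common 0-9, A-Z, a-z digit order for base62
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
BASE = len(ALPHABET)
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

CIPHERTEXT = "5uwSOphsp4poQVBJyTUQfsgxFELy"  # from the challenge text


def base62_decode(text):
    """Treat text as one big base62 number and return its big-endian bytes.

    Leading zero bytes cannot be represented in this scheme and are lost.
    """
    n = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"not a base62 digit: {ch!r}")
        n = n * BASE + INDEX[ch]
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def base62_encode(data):
    """Inverse of base62_decode, used to check the round trip."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, BASE)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)) or ALPHABET[0]


def solve(ciphertext=CIPHERTEXT):
    # "Hourglass turned over": reverse the string before decoding
    return base62_decode(ciphertext[::-1]).decode("ascii")


if __name__ == "__main__":
    print(solve())
```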

Reverse

re_python

Challenge

easy python

Solution

Unpacking with pyinstxtractor gives 1.pyc; decompiling it produces the following code:

# Source Generated with Decompyle++
# File: 1.pyc (Python 3.7)


def check():
    a = input('plz input your flag:')
    # Expected value of ord(ch) * 33 % b for each of the 42 flag characters
    c = [
        144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53,
        152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91,
        53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = None  # modulus as emitted by the decompiler; the real value is not recovered
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return None

    print('win')

check()

The exploit script is as follows:

# Known plaintext: the flag starts with "flag"
a = ["f", "l", "a", "g"]
c = [
    144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53,
    152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91,
    53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]

# Recover the unknown modulus b: it must map all four known characters
# to their expected residues
b = 0
for i in range(1, 256):
    if all(ord(a[k]) * 33 % i == c[k] for k in range(4)):
        b = i

# Brute-force each remaining character over the ASCII range
for s in c[4:]:
    for j in range(0, 128):
        if j * 33 % b == s:
            a.append(chr(j))
            break

flag = "".join(a).replace("e", "4")
print(flag)
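
An alternative to the brute force above, added here as an example that is not part of the original write-up: the modulus is recovered as a divisor of the gcd of the known-plaintext differences, and each residue is inverted with the modular inverse of 33. The function names and the "flag{" prefix are assumptions of this example, and it returns the raw decode without the final "e" to "4" substitution that the exploit script applies.

```python
from functools import reduce
from math import gcd

MULT = 33  # multiplier from the decompiled check()
# Target residues copied from the decompiled check()
C = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53,
     152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91,
     53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
KNOWN_PREFIX = "flag{"  # assumption: the flag uses the usual prefix


def recover_modulus(prefix, residues, mult=MULT):
    """Return every modulus consistent with the known prefix.

    ord(p) * mult - r is a multiple of the modulus for each known pair,
    so the modulus divides the gcd of those differences. It must also be
    larger than every residue it produced.
    """
    diffs = [ord(p) * mult - r for p, r in zip(prefix, residues)]
    g = reduce(gcd, diffs)
    lower = max(residues) + 1
    return [d for d in range(lower, g + 1) if g % d == 0]


def decode(residues, modulus, mult=MULT):
    """Invert ord(ch) * mult % modulus; needs gcd(mult, modulus) == 1."""
    inv = pow(mult, -1, modulus)  # modular inverse, Python 3.8+
    return "".join(chr(r * inv % modulus) for r in residues)


def solve():
    """Map each plausible modulus to the text it decodes to."""
    results = {}
    for m in recover_modulus(KNOWN_PREFIX, C):
        if gcd(MULT, m) != 1:
            continue  # not invertible; would need a per-character search
        text = decode(C, m)
        if text.startswith(KNOWN_PREFIX) and text.isprintable():
            results[m] = text
    return results


if __name__ == "__main__":
    for modulus, text in solve().items():
        print(modulus, text)
```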

RE_C

Challenge

Code analysis

Solution

Analyzing the code turns up this string: 102 108 97 103 123 72 78 67 84 70 109 110 103 49 50 51 52 53 125

Converting the decimal values to characters gives the flag.

flag{HNCTFmng12345}

Web

YWB_Web_SQL Injection_boolblind

Challenge

Obtain the flag value from the database.

Solution

Solved in one shot with sqlmap:

sqlmap -u "http://192.168.20.215:46592/?id=1" -D mylabs -T flagage --dump

flag{jKmFcMh5qbzR}

Finals

Penetration Testing Range 2

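A fully simulated business system; the enterprise scenario contains different types of virtual machines. The combined scenario fully simulates the related system services and covers a wide range of skills: it tests the teams' information gathering, external initial access, classic vulnerabilities, internal lateral movement, internal information gathering, internal privilege escalation, and so on.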

1. Obtain the flag through directory scanning

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.1.202
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.1.202/_25-07-12_18-07-02.txt

Target: http://192.168.1.202/

[18:07:02] Starting:
[18:07:03] 403 - 2KB - /.config.inc.php.swp
[18:07:03] 403 - 2KB - /.config.php.swp
[18:07:03] 403 - 2KB - /.configuration.php.swp
[18:07:03] 403 - 2KB - /.idea/
[18:07:03] 200 - 750B - /.idea/compiler.xml
[18:07:03] 301 - 170B - /.idea -> http://192.168.1.202/.idea/
[18:07:03] 200 - 987B - /.idea/encodings.xml
[18:07:03] 200 - 569B - /.idea/misc.xml
[18:07:03] 200 - 191B - /.idea/vcs.xml
[18:07:03] 200 - 6KB - /.idea/workspace.xml
[18:07:03] 403 - 2KB - /.index.php.swp
[18:07:03] 403 - 2KB - /.localsettings.php.swp
[18:07:04] 403 - 2KB - /.php-version
[18:07:04] 403 - 2KB - /.php3
[18:07:04] 403 - 2KB - /.php-ini
[18:07:04] 403 - 2KB - /.php_cs
[18:07:04] 403 - 2KB - /.php_history
[18:07:04] 403 - 2KB - /.phpcs.xml
[18:07:04] 403 - 2KB - /.php_cs.dist
[18:07:04] 403 - 2KB - /.phpspec.yml
[18:07:04] 403 - 2KB - /.phpunit.result.cache
[18:07:04] 403 - 2KB - /.phpintel
[18:07:04] 403 - 2KB - /.php_cs.cache
[18:07:04] 403 - 2KB - /.phptidy-cache
[18:07:04] 403 - 2KB - /.phpversion
[18:07:04] 403 - 2KB - /.settings.php.swp
[18:07:04] 403 - 2KB - /.settings/org.eclipse.php.core.prefs
[18:07:04] 403 - 2KB - /.svn/text-base/index.php.svn-base
[18:07:04] 403 - 2KB - /.wp-config.php.swp
[18:07:05] 400 - 2KB - /\..\..\..\..\..\..\..\..\..\etc\passwd
[18:07:06] 403 - 2KB - /admin.php3
[18:07:06] 403 - 2KB - /admin/includes/configure.php~
[18:07:08] 403 - 2KB - /app/bootstrap.php.cache
[18:07:08] 403 - 2KB - /app/etc/local.xml.phpunit
[18:07:09] 403 - 2KB - /bitrix/.settings.php.bak
[18:07:09] 403 - 2KB - /bitrix/php_interface/dbconn.php2
[18:07:09] 403 - 2KB - /bitrix/settings.php.bak
[18:07:10] 403 - 2KB - /conf.inc.php~
[18:07:10] 403 - 2KB - /conf.php.swp
[18:07:10] 403 - 2KB - /conf.php.bak
[18:07:10] 403 - 2KB - /conf.php.old
[18:07:10] 403 - 2KB - /config.inc.php.txt
[18:07:10] 403 - 2KB - /config.inc.php~
[18:07:10] 403 - 2KB - /config.local.php_old
[18:07:10] 403 - 2KB - /config.local.php~
[18:07:10] 403 - 2KB - /config.php-eb
[18:07:10] 403 - 2KB - /config.php.bak
[18:07:10] 403 - 2KB - /config.php.bkp
[18:07:10] 403 - 2KB - /config.php.inc
[18:07:10] 403 - 2KB - /config.php.dist
[18:07:10] 403 - 2KB - /config.php.inc~
[18:07:10] 403 - 2KB - /config.php.save
[18:07:10] 403 - 2KB - /config.php.old
[18:07:10] 403 - 2KB - /config.php.new
[18:07:10] 403 - 2KB - /config.php.swp
[18:07:10] 403 - 2KB - /config.php.txt
[18:07:10] 403 - 2KB - /config.php.zip
[18:07:10] 403 - 2KB - /config.php~
[18:07:10] 403 - 2KB - /configuration.php.old
[18:07:10] 403 - 2KB - /configuration.inc.php~
[18:07:10] 403 - 2KB - /configuration.php.dist
[18:07:10] 403 - 2KB - /configuration.php.save
[18:07:10] 403 - 2KB - /configuration.php.bak
[18:07:10] 403 - 2KB - /configuration.php.swp
[18:07:10] 403 - 2KB - /configuration.php.txt
[18:07:10] 403 - 2KB - /configuration.php.zip
[18:07:10] 403 - 2KB - /configuration.php~
[18:07:11] 403 - 2KB - /configure.php.bak
[18:07:11] 301 - 170B - /doc -> http://192.168.1.202/doc/
[18:07:11] 403 - 2KB - /doc/
[18:07:12] 301 - 170B - /error -> http://192.168.1.202/error/
[18:07:12] 403 - 2KB - /error/
[18:07:12] 403 - 2KB - /file_upload.php3
[18:07:12] 200 - 29B - /flag.txt
[18:07:14] 403 - 2KB - /includes/configure.php~
[18:07:14] 403 - 2KB - /index.pHp
[18:07:14] 403 - 2KB - /index.php-bak
[18:07:14] 403 - 2KB - /index.php.
[18:07:14] 403 - 2KB - /index.php.bak
[18:07:14] 403 - 2KB - /index.php/login/
[18:07:14] 403 - 2KB - /index.php3
[18:07:14] 403 - 2KB - /index.php4
[18:07:14] 403 - 2KB - /index.php5
[18:07:14] 400 - 2KB - /index.php::$DATA
[18:07:14] 403 - 2KB - /index.php~
[18:07:14] 301 - 170B - /index_files -> http://192.168.1.202/index_files/
[18:07:14] 200 - 1KB - /license
[18:07:14] 200 - 1KB - /LICENSE
[18:07:15] 403 - 2KB - /local_conf.php.bac
[18:07:15] 403 - 2KB - /local_conf.php.bak
[18:07:15] 403 - 2KB - /localsettings.php.dist
[18:07:15] 403 - 2KB - /localsettings.php.bak
[18:07:15] 403 - 2KB - /localsettings.php.old
[18:07:15] 403 - 2KB - /localsettings.php.save
[18:07:15] 403 - 2KB - /localsettings.php.swp
[18:07:15] 403 - 2KB - /localsettings.php.txt
[18:07:15] 403 - 2KB - /localsettings.php~
[18:07:17] 403 - 2KB - /painel/config/config.php.example
[18:07:17] 403 - 2KB - /phpinfo.php3
[18:07:17] 403 - 2KB - /phpinfo.php4
[18:07:17] 403 - 2KB - /phpinfo.php5
[18:07:18] 403 - 2KB - /pi.php5
[18:07:18] 200 - 3KB - /pom.xml
[18:07:18] 200 - 4KB - /ReadMe.md
[18:07:18] 200 - 4KB - /Readme.md
[18:07:18] 200 - 4KB - /README.MD
[18:07:18] 200 - 4KB - /README.md
[18:07:18] 200 - 4KB - /readme.md
[18:07:19] 403 - 2KB - /settings.php.dist
[18:07:19] 403 - 2KB - /settings.php.save
[18:07:19] 403 - 2KB - /settings.php.old
[18:07:19] 403 - 2KB - /settings.php.bak
[18:07:19] 403 - 2KB - /settings.php.swp
[18:07:19] 403 - 2KB - /settings.php~
[18:07:19] 403 - 2KB - /settings.php.txt
[18:07:20] 301 - 170B - /sql -> http://192.168.1.202/sql/
[18:07:20] 403 - 2KB - /sql/
[18:07:22] 400 - 2KB - /Trace.axd::$DATA
[18:07:22] 403 - 2KB - /upload.php3
[18:07:22] 403 - 2KB - /var/bootstrap.php.cache
[18:07:23] 400 - 2KB - /web.config::$DATA
[18:07:23] 403 - 2KB - /wp-config.php.0
[18:07:23] 403 - 2KB - /wp-config.php.1
[18:07:23] 403 - 2KB - /wp-config.php.2
[18:07:24] 403 - 2KB - /wp-config.php-bak
[18:07:24] 403 - 2KB - /wp-config.php.3
[18:07:24] 403 - 2KB - /wp-config.php.4
[18:07:24] 403 - 2KB - /wp-config.php.5
[18:07:24] 403 - 2KB - /wp-config.php.bak
[18:07:24] 403 - 2KB - /wp-config.php.6
[18:07:24] 403 - 2KB - /wp-config.php.8
[18:07:24] 403 - 2KB - /wp-config.php.7
[18:07:24] 403 - 2KB - /wp-config.php.backup
[18:07:24] 403 - 2KB - /wp-config.php.cust
[18:07:24] 403 - 2KB - /wp-config.php.9
[18:07:24] 403 - 2KB - /wp-config.php.bak1
[18:07:24] 403 - 2KB - /wp-config.php.dist
[18:07:24] 403 - 2KB - /wp-config.php.disabled
[18:07:24] 403 - 2KB - /wp-config.php.new
[18:07:24] 403 - 2KB - /wp-config.php.bk
[18:07:24] 403 - 2KB - /wp-config.php.inc
[18:07:24] 403 - 2KB - /wp-config.php.old
[18:07:24] 403 - 2KB - /wp-config.php.orig
[18:07:24] 403 - 2KB - /wp-config.php.original
[18:07:24] 403 - 2KB - /wp-config.php.save
[18:07:24] 403 - 2KB - /wp-config.php.swn
[18:07:24] 403 - 2KB - /wp-config.php.swo
[18:07:24] 403 - 2KB - /wp-config.php.txt
[18:07:24] 403 - 2KB - /wp-config.php.swp
[18:07:24] 403 - 2KB - /wp-config.php.zip
[18:07:24] 403 - 2KB - /wp-config.php_
[18:07:24] 403 - 2KB - /wp-config.php~
[18:07:24] 403 - 2KB - /wp-config.php_bak
[18:07:24] 403 - 2KB - /wp-config.php_1
[18:07:24] 403 - 2KB - /wp-config.php_Old
[18:07:24] 403 - 2KB - /wp-config.php_new

Task Completed

http://192.168.1.202/flag.txt

flag1:
flag{HNZJS01qwaszx1m}

2. Obtain the flag by gaining administrator privileges

Scanning finds the EternalBlue vulnerability.

flag{HNZJS01erdfcv2n}

Incident Response

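One day the customer reported: after running for a while the server becomes very sluggish, it is fine again for a while after a reboot, and important files have been encrypted and damaged. Follow the hints below to complete the incident response and help the customer harden the system.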

1. Obtain the attacker's webshell file (submit as in this example: abc.asp)

driver.php

2. Obtain the attacker's webshell password

hack1234

3. Obtain the attacker's hidden username

Get-LocalUser

hack887$

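4. An investigation of the internal network shows that the attacker planted a malicious information-gathering program that runs periodically. Find and clean up the malicious program and obtain the name of the malicious information-gathering software (submit as in this example: shell)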

SharpHunter

6. Recover the files infected by the virus and obtain the sensitive information flag

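I did not solve this one during the competition; my tool needs an internet connection to work.

First, the content of the ransom note identifies the ransomware as GandCrabV5.1; then find the matching decryption tool and decrypt the files.

flag{fngD_vwfW_JTqI_E4Kl}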

7. Analyze the malicious sample (.bat file) and obtain the malicious domain

Huorong Sword (火绒剑) turns up a suspicious startup item.

Opening the malicious script shows the domain right away.

pro.csocools.com