WEB

ezDecryption

源码中找到提示2025,就是第一步验证码答案

image-20250806103826682

抓包修改step2为step3进入第三关

分析源码中js文件,在控制台中分析获得第一段为panshi

image-20250806105220729

第二段base64解码后为2oZ5

image-20250806105240372

发包获得flag

image-20250806105310197

flag{d1g1t4l_l0ck_br34k3r_2025}

1web-jaba_ez

MISC

1derderjia

easy_misc

Binwalk提取图片获得压缩包,里面是ook编码,解密获得y0u_c@t_m3!!!,就是压缩包密码,解压获得flag
flag{3088eb0b-6e6b-11ed-9a10-145afc243ea2}

1两个数

level1尝试直接二进制转ascii不行,那就尝试按位反转后补齐转ascii

# Level 1 input: 6- or 7-character bit groups, one per flag character. Reading
# them as plain ASCII fails; they decode once the bit order is reversed and
# the group is left-padded to 7 bits.
binary_strings = [
    "1100001", "000011", "0111011", "1110011", "0100111", "001011", "0010111", "1010111",
    "100011", "1000011", "0010111", "1001011", "1111011", "0111011", "100001", "100001",
    "1001101", "000011", "1010111", "1111101", "0001011", "1000011", "0110111", "110011",
    "1111101", "0000111", "1000011", "1100111", "1100111", "1010011", "0010011", "1111101",
    "0010111", "0001011", "110011", "1111101", "0110011", "1001011", "0100111", "1100111",
    "0010111", "1111101", "0011011", "110011", "0110111", "1010011", "100011", "100001",
    "100001"
]


def _decode_group(bits):
    """Return the ASCII character for one bit group.

    The group is reversed, zero-padded on the left to 7 bits, truncated to
    7 bits (a no-op for the data above) and read as a base-2 integer.
    """
    flipped = bits[::-1].zfill(7)
    return chr(int(flipped[:7], 2))


# Decode every group in order and join the characters.
decoded_message = [_decode_group(group) for group in binary_strings]
result = ''.join(decoded_message)
print(result)

C0ngr4tu1ation!!Y0u_hav3_passed_th3_first_l3ve1!!

看到注释里面有个8bit,那就先按照八位来分组,分组后先按位异或再按位反转最后转ascii

# Level 2 input: one long bit string, grouped in 8-bit chunks per the "8bit"
# hint in the challenge comment.
binary_data = "01111011011110110111101101111011011110111100100101011001100100010101100101110011000001011101100110001001111100110011100101011001001100010000010100110011111010011101000100000101001100111001000101101001101100011011000101111001000001010011001110010001011110011110100100000101010101011111001101100001"

# Bit-flip table: '0' <-> '1' (any other character passes through unchanged,
# which never happens for the fixed input above).
_FLIP = str.maketrans('01', '10')

# 1. Split into 8-bit chunks (a trailing shorter chunk would be kept as-is).
byte_list = [binary_data[i:i + 8] for i in range(0, len(binary_data), 8)]

# 2. Invert every bit of every chunk.
inverted_bytes = [chunk.translate(_FLIP) for chunk in byte_list]

# 3. Reverse the bit order inside each chunk.
reversed_bytes = [chunk[::-1] for chunk in inverted_bytes]

# 4. Interpret each chunk as an ASCII code point.
decoded_chars = [chr(int(chunk, 2)) for chunk in reversed_bytes]

# 5. The characters come out back to front, so reverse the whole message.
final_message = ''.join(decoded_chars)[::-1]

print(final_message)

y0U_hav3_arriv3_th3_sec0nd_1evel!!!!!

注释中提到“你知道格雷码吗”,

CRYPTO

AES_GCM_IV_Reuse

from binascii import unhexlify

# GCM encrypts with a CTR keystream, so two messages sealed under the same key
# AND the same IV share that keystream. A single known plaintext/ciphertext
# pair therefore exposes the keystream prefix and any other message encrypted
# with the same (key, IV) can be recovered by XOR alone -- no key needed. This
# is why a GCM nonce must never repeat for a given key.
known_message = "The flag is hidden somewhere in this encrypted system."
# Ciphertext of known_message (hex).
known_ciphertext_hex = "b7eb5c9e8ea16f3dec89b6dfb65670343efe2ea88e0e88c490da73287c86e8ebf375ea1194b0d8b14f8b6329a44f396683f22cf8adf8"
# Ciphertext of the flag, produced with the same key and IV (hex).
flag_ciphertext_hex = "85ef58d9938a4d1793a993a0ac0c612368cf3fa8be07d9dd9f8c737d299cd9adb76fdc1187b6c3a00c866a20"

known_ciphertext_bytes = unhexlify(known_ciphertext_hex)
flag_ciphertext_bytes = unhexlify(flag_ciphertext_hex)

# Only as many plaintext bytes as we have ciphertext for.
known_message_bytes = known_message.encode()[:len(known_ciphertext_bytes)]


def _xor_bytes(left, right):
    """Return the position-wise XOR of two byte sequences as a list of ints, truncated to the shorter one."""
    return [x ^ y for x, y in zip(left, right)]


# Recover the keystream: P xor C = K for the known pair.
keystream = _xor_bytes(known_message_bytes, known_ciphertext_bytes)

# Strip the same keystream from the flag ciphertext.
flag_bytes = _xor_bytes(flag_ciphertext_bytes, keystream[:len(flag_ciphertext_bytes)])

flag = bytes(flag_bytes)
try:
    print("解密得到的 flag:", flag.decode())  # plaintext if it is valid UTF-8
except UnicodeDecodeError:
    print("解密得到的 flag (字节形式):", flag)  # otherwise show the raw bytes

image-20250806114058087

flag{GCM_IV_r3us3_1s_d4ng3r0us_f0r_s3cur1ty}

RE

EasyRE

找到byte_14001D658,直接解密就行,密文密钥都有

def right_rotate_1(x, n):
    """Rotate the low byte of *x* right by *n* bits and return the 8-bit result."""
    byte = x & 0xFF
    return ((byte >> n) | (byte << (8 - n))) & 0xFF

# Target byte sequence (byte_14001D658 in the binary): all 29 encrypted flag bytes.
t = [147, 249, 141, 146, 82, 87, 217, 5, 198, 10, 80, 199, 219, 79, 203, 216, 93, 166, 185, 64, 149, 112, 231, 154, 55, 114, 77, 239, 87]

# Undo the second stage. Each stored byte is unchained by XORing it with the
# previous stored byte and the constant 0x42 (first byte: 0x42 only). This
# mirrors the decompiled forward transform -- confirm against the binary.
v24_intermediate = [0] * 29
v24_intermediate[0] = t[0] ^ 0x42
for i in range(1, 29):
    v24_intermediate[i] = t[i] ^ t[i-1] ^ 0x42

# Rebuild the 256-entry permutation the binary uses. The schedule takes no
# key material -- only the loop index and the constant 4919 -- so the table
# is fixed and can be regenerated offline. Variable names (v8, v10, v23, ...)
# mirror the decompiler output on purpose.
v23 = list(range(256))
v8 = 0
for v10 in range(256):
    v8 = (v8 + v23[v10] - 7 * (v10 // 7) + v10 + 4919) % 256
    v23[v10], v23[v8] = v23[v8], v23[v10]

# Undo the first stage: a stateful swap-based generator (RC4-like in shape,
# reconstructed from the decompiled code). Per byte it advances v14/v15, swaps
# two table entries, then the rotate-by-3 and the (v14*v15)%16 addition are
# inverted before the table-derived byte is XORed off. Statement order matters:
# v21 is captured before the swap and the XOR index uses the post-swap table.
flag = []
v14 = 0
v15 = 0
for i in range(29):
    v14 = (v14 + 1) % 256
    if v14 % 3 == 0:
        v20 = v23[(3 * v14) % 256] + v15
    else:
        v20 = v23[v14] + v15
    v15 = v20 % 256
    v21 = v23[v14]
    v23[v14], v23[v15] = v23[v15], v23[v14]
    result = (v14 * v15) % 16
    temp = right_rotate_1(v24_intermediate[i], 3)
    if temp < result:
        temp += 256  # keep the difference non-negative before subtracting
    v25_i = (temp - result) ^ v23[(v23[v14] + v21) % 256]
    flag.append(v25_i & 0xFF)

# Render the recovered bytes as text.
flag_str = ''.join(chr(c) for c in flag)
print("Flag:", flag_str)

# Checksum the binary computes over the plaintext; printed for manual
# comparison with the value in the binary, not verified here.
v12 = 0
for c in flag:
    v12 = (17 * (v12 + c)) % 255
print("Checksum (v12):", v12)

image-20250806154948229

flag{Th1s_1s_A_Fl4w3d_Crypt0}

数据分析

DB_Log

import hashlib
import os
from datetime import datetime

# Department -> tables that department owns. find_table_department() looks a
# table up here and detect_violations() uses the answer for rule 1
# (cross-department access).
dept_table_map = {
    'HR': ['employee_info', 'salary_data', 'personal_info'],
    'Finance': ['financial_reports', 'budget_data', 'payment_records'],
    'IT': ['system_logs', 'server_data', 'network_config'],
    'Sales': ['customer_data', 'sales_records', 'product_info']
}

# Column names treated as sensitive; a QUERY carrying `field=<one of these>`
# trips rule 2 in detect_violations().
sensitive_columns = ['salary', 'ssn', 'phone', 'email', 'address']

def load_user_permissions(file_path):
    """Load user permission records from a text file.

    Each line is split on ``', '`` and read positionally as
    ``<ignored>, <user_id>, <department>, <table;table;...>, <ignored>, <role>``;
    lines with fewer than six fields are skipped. A role equal to ``'admin'``
    puts the user in the admin set.

    Returns ``(user_departments, user_access_tables, admin_users)``. If the
    file is missing or unreadable, an error is printed and three empty
    containers are returned instead of raising.
    """
    departments = {}
    access_tables = {}
    admins = set()

    try:
        with open(file_path, 'r', encoding='utf-8') as handle:
            for raw_line in handle:
                fields = raw_line.strip().split(', ')
                if len(fields) < 6:
                    continue
                _, user_id, department, table_list, _, role = fields[:6]
                departments[user_id] = department
                access_tables[user_id] = table_list.split(';')
                if role == 'admin':
                    admins.add(user_id)
    except FileNotFoundError:
        print(f"错误:找不到权限文件 {file_path}")
        return {}, {}, set()
    except Exception as e:
        # Best-effort: report and fall back to empty permissions rather than abort.
        print(f"读取权限文件时出错: {e}")
        return {}, {}, set()

    return departments, access_tables, admins

def find_table_department(table_name):
    """Return the department that owns *table_name* per dept_table_map, or None if no department lists it."""
    owners = (dept for dept, tables in dept_table_map.items() if table_name in tables)
    return next(owners, None)

def detect_violations(log_file_path, user_depts, user_tables, admins):
    """Scan a database access log and return the rule violations found.

    Each line is split on single spaces and read positionally as
    ``<log_id> <date> <time> <user_id> [<operation> [<table> ...]]``; any
    token of the form ``field=<name>`` anywhere on the line is also examined.
    Lines with fewer than four tokens, or whose timestamp does not parse as
    ``%Y-%m-%d %H:%M:%S``, are skipped entirely.

    Detection rules, each appended as ``(rule_number, log_id)`` (one line may
    trip several):
      1  QUERY on a table owned by a department other than the user's
      2  QUERY carrying a ``field=`` token that names a sensitive column
      3  any activity logged between 00:00 and 04:59
      4  BACKUP by a known user who is not an admin

    *user_tables* is accepted for interface compatibility but not consulted.
    A missing or unreadable log prints an error and returns what was
    collected so far.
    """
    findings = []

    def _sensitive_field_present(tokens):
        # True if any field=<name> token names a column in sensitive_columns.
        return any(
            token.split('=')[1] in sensitive_columns
            for token in tokens
            if token.startswith('field=')
        )

    try:
        with open(log_file_path, 'r', encoding='utf-8') as handle:
            for raw_line in handle:
                tokens = raw_line.strip().split(' ')
                if len(tokens) < 4:
                    continue
                log_id, date_part, time_part, user_id = tokens[:4]

                # Rule 3: off-hours activity. An unparseable timestamp skips the line.
                try:
                    stamp = datetime.strptime(f"{date_part} {time_part}", '%Y-%m-%d %H:%M:%S')
                except ValueError:
                    continue
                if stamp.hour < 5:
                    findings.append((3, log_id))

                if len(tokens) < 5:
                    continue
                operation = tokens[4]
                known_user = user_id in user_depts

                # Rule 4: backups are an admin-only operation.
                if operation == 'BACKUP' and known_user and user_id not in admins:
                    findings.append((4, log_id))

                # Rules 1 and 2 need a table name, i.e. a QUERY with a sixth token.
                if operation != 'QUERY' or len(tokens) < 6:
                    continue
                table_name = tokens[5]

                # Rule 1: cross-department access.
                if known_user:
                    owner = find_table_department(table_name)
                    if owner and user_depts[user_id] != owner:
                        findings.append((1, log_id))

                # Rule 2: sensitive column named on the query line.
                # NOTE(review): the source lost its indentation; this check is
                # placed under the QUERY branch as the surrounding comment
                # suggests -- confirm against the original.
                if _sensitive_field_present(tokens):
                    findings.append((2, log_id))

    except FileNotFoundError:
        print(f"错误:找不到日志文件 {log_file_path}")
    except Exception as e:
        # Best-effort: report and return the partial findings rather than abort.
        print(f"处理日志文件时出错: {e}")

    return findings

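if __name__ == "__main__":
    # Challenge attachments. The paths are absolute, so the original
    # os.path.join(current_dir, <absolute path>) silently discarded
    # current_dir; join the two file names onto one attachment directory so
    # the intent is visible. Same files are opened as before.
    attachment_dir = 'C:/Users/25050/Downloads/attachment'
    perm_file = os.path.join(attachment_dir, 'user_permissions.txt')
    log_file = os.path.join(attachment_dir, 'database_logs.txt')

    # Permission data drives rules 1 and 4; without it the scan is meaningless.
    # The message already announces an exit, so actually stop here instead of
    # continuing with empty permissions.
    user_depts, user_tables, admins = load_user_permissions(perm_file)
    if not user_depts:
        print("无法加载权限信息,退出")
        raise SystemExit(1)

    violations = detect_violations(log_file, user_depts, user_tables, admins)
    if not violations:
        print("未发现违规行为")

    # Deduplicate as a safeguard and order by numeric log id, then rule number,
    # so the joined string is canonical before hashing.
    unique_violations = sorted(set(violations), key=lambda x: (int(x[1]), x[0]))
    violation_output = ','.join(f'{rule}-{log_id}' for rule, log_id in unique_violations)

    # The flag is the MD5 of the canonical violation list.
    md5_hash = hashlib.md5(violation_output.encode()).hexdigest()
    print(f"违规记录: {violation_output}")
    print(f"flag{{{md5_hash}}}")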

image-20250806135501393

flag{1ff4054d20e07b42411bded1d6d895cf}

JWT_Weak_Secret

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
import base64
import json

# Tokens under analysis. The flag reports 1-based positions in this list
# (see the enumerate(tokens, 1) loop below). The header segment tells the
# algorithm: "eyJhbGciOiJIUzI1NiIs..." is HS256, "eyJhbGciOiJSUzI1NiIs..." is RS256.
tokens = [
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWd3IiwiYWRtaW4iOnRydWV9.u1-WBFIqURvwbKeDRN9bskgxfyR6ABIIEyMoGjbDINviCZ9YH2INQwsyJriB9GKUXo3pPlq2vVZ90rWRVj7jOpyTsYAeu4RKxWkErTxxy2MuGKCfLegx5SXwAixPjDCfFv1GudHdQ5Mk9PZlHWLsoltqCJd7A-MfBhwkWAlFKbV9SZUBADMP8NfH-slxQKZYgOeM9zyQ0u2_v1r4gLS0YiMV8tMSputLcY_qg3ReU6Wj3q76FPW15fKkDXcrc91471nfmFmJUPaEkd9nefhyDG_9qam0zGX63y5Exb7B8TgGSTuQI_hVJKcE5FRpeiG99uUmUCfym6kAhqdSqNXa0Q",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZGF2ZSIsImlzcyI6InN2Yy1ndyIsInJvbGUiOiJhbmFseXN0In0.c2k8N-bWdK5X1xVmZ1mTB5Ve3iR7JXKE2NuySCeb-XU",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWd3Iiwicm9sZSI6ImFkbWluIn0.HKj-colBnAUpG09DHdJSKu62Q2Kg8lb1oFWEMGtqlC4",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZGF2ZSIsImlzcyI6InN2Yy1hcGkiLCJhZG1pbiI6dHJ1ZX0.d3S9cKJTa3tio75VN_IbLZFYwc8W6UYQ6F_yifuNR-I",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWFwaSIsInJvbGUiOiJhZG1pbiJ9.ZrLvxIYF0_Xa9vs-AYBwYaozbsneuTKajDgxIT5NvzU",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoibWFsbG9yeSIsImlzcyI6InN2Yy1ndyIsInJvbGUiOiJhbmFseXN0In0.lCftjyuIHTjGVdZAsXIuQpBkozR2nLRNYLEb5wFxlrw",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWd3Iiwicm9sZSI6InZpZXdlciJ9.qzoOCny9o-w3hnPM3jHuJhWF4I70cPxVQW6RWafGQNXHAEyYMDLFK768uLfYeR0jp5-VWmzBYE8uLENCwC3HNhiYLP4H16lLmetS0aW_e_JVnqwttXpiOg99Qc4-8DysyzCIbBmhnNjmSziRQK2-KsP_R4sEkApsTtpRSk9QnZaMob_F1IryUsYek8CIpIKwO3-a5cPFgzf1-sUXdL7cLdbVkFiT9aVAB-FREMbe0-e8lyFtarkAdN1LJ4DyZ9QncIy4IeZp_cPdwZeiSFMH8PTMi3GG8clICKYuiXBi5DvZAb28BQ-KYrsimKBI1m_OdUNsHzKwVrNMYuGzvWgSOQ",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtYXV0aCIsInJvbGUiOiJ2aWV3ZXIifQ.eAMwwxOEiEDogCVqfy4VkOllvh_0WVXSrPfOrMOa1A9JvOS1haycYsPMaRVBTmVLjZIlkrF6NJRmUilKJRA3E8l5jHo4Dfak7NaXSZWIEcVzG7Hx2TVekHEHSZqSYtnl0imZuwC278Ru99cmQECgt6xVGlF-RHiX04_bspRY0ly1KfW996H7ojZu5krL5xMzvGY90tk9-QnelvfkODCyVjai7PGzDXoRLNAO6IzyGeljbLAy81uT-UVmGQD67i31xDBIZEBIZluewRvS9L1u5JDadXtbz-f5TMxy_lwChKhkoLlNLYUVCIP5lA6EJraglsXRBv3_v94-mSOcTsorhw",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoibWFsbG9yeSIsImlzcyI6InN2Yy1hcGkiLCJhZG1pbiI6dHJ1ZX0.qHmA_LKw0b0jeBM7Y75I-PlR7mc0g77jzGvQDometR4",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZGF2ZSIsImlzcyI6InN2Yy1ndyIsInJvbGUiOiJ2aWV3ZXIifQ.u2dfnGqRntI_WqKOhMePHYi8mDrXjdJkg7aNYhpOk0vBqJDiX37D7IuciMj-dGu-r6S9bXTiQTpEQIki7-ASAWXp96MBiSPLqZbM0G1JW_QJNEPaUQVCeYnGktw2_2FjY3IJ51jo1niERPHgzItu6YTDzKV3vG8Am9IL9kj0ZcbDA91b6HYd4VSRiUBM5s0JeN7xLFJYJKO1WJ1WXE-eXN70e1ab6cOkRgEA1gmUSt_9tvDXr-ZZt0SNkGjtgUyp650zfU2bnCTAUB08w9xwQpSvEKhlMejwfD4zJ24nq4USfVBPTusjGqn3mYrT3-DU9VCCxE3NgyMvxrfOVjxUng",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiY2Fyb2wiLCJpc3MiOiJzdmMtYXV0aCIsInJvbGUiOiJ2aWV3ZXIifQ.CimzECi1hbWAGtt-Ps0VBZdT9f5G4mbYPn02L1UEqoM",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoibWFsbG9yeSIsImlzcyI6InN2Yy1hdXRoIiwicm9sZSI6InVzZXIifQ.vJK8sI5LCA_XNeV751gL1OfSDnfuDTevADDkF0g_fzI",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtYXV0aCIsInJvbGUiOiJ1c2VyIn0.GYuFUzyj34ovBxrrZ7sNtzNzpPUCn5wmxSHZ5xcvq94",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiY2Fyb2wiLCJpc3MiOiJzdmMtYXV0aCIsInJvbGUiOiJzdXBlcnVzZXIifQ.nmGxwNXtIuLw--BDYi5J357VDzXvRykC8ueycOcWuQ1tIDdnzPNN9HjN0XN6bcBz3nhZM5WXLMPWIKoiW5wDr3k44XDLJv4g5bbLNtpiMrjSk4N-zAitteO-eBCOiV2ZCugXKNsBtMOJm7RWSK_UJ0jyGGXseUrhdHZTN7cwXeNILkB87NWv4JBgPBsv1kDot2M2vrC25PGCpHsMv5ia4N-AegJF7Xiv-mQwN0QnnxvUAsr9SI1Rf57RnMfVkwMt9CJ6eqnXN-FcVDIJzovhjqtolL3jgG9JPDwxMIW-U4sddxErkeaWgBprviiVKxno-RDRVuZqUiWFhEYgNGgqRw",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtYXV0aCIsImFkbWluIjp0cnVlfQ.ibbmszD3yQmuurT_yPrlRXL9OY0MXNw3u-gkWaqYJ8HsMAF2vekNq99gSP6gPA8JIi1sDY861CEb7cYu8lgk9VLSOOvVD14fcs-PC1ztQJqoi8DDYW59QZyDz6cHIC95khY3RgH2Q5p-AoCxveoE22-zX63O_f3KHWWHkD-lDhbnZuF8JIqtAoEJj8K8RVk3NqXc5QZOm-dXxCelaQrco_CU89KvU8S3XfYzwfaZV_FynXWsqQX6tvCUXMO30wwb5J7kmRmAy3GxjrNPbNI1KDTpAlK7TvqAqZsYzcp3XIj95QF_4pbnOfOInEQf8IZqAaf1ET5mWBT7QkNyXHkHFw",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtZ3ciLCJyb2xlIjoidmlld2VyIn0.PQCppoULjVaNOr2F27nbQC1XxCnInT_rjV82w8NsRLQ",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoibWFsbG9yeSIsImlzcyI6InN2Yy1ndyIsImFkbWluIjp0cnVlfQ.LaktQpFf0FESB4ebaK5SMkesB-Z6F_tgZD3M7ZjZgDyQK_bzsGGUF72Ek23iUHohOTNzD3QRQHx7GEudROj1GVYqSpPmhwWDAkm_QQOMtZddBwdyJoBF7Nm86frkgU1hvvdCp3wn1EzxpS6psDDYe6eHFSkjp-nJefipi3cFDtt4AOxoNhtXxQiceZimV4HXL4xJb_cn8ctQBLec0ecrHBpxCxvjmQ9rilU0LWSL8W_ur5cslFlps1Kj6T2_IR_z0HgFPk0zgyWwni99UCxPjR6RhUXPNCml_iAqP8b476Hm6_rbUY9nDaEKStgl_Ty5vdBaseoHV_rCxEZKldpbcA",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWFwaSIsInJvbGUiOiJ2aWV3ZXIifQ.WdsF3ZxesIxKmtC6csh9gk3_9rilZq5l3cKBIJv11Ac",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZGF2ZSIsImlzcyI6InN2Yy1hcGkiLCJhZG1pbiI6dHJ1ZX0.AiE4y_tUSnIpSgT2Qum3_vo7-dDj-El17v5wgEcgiFXcBn5YfCBlxuoPqIWaySkepfSljtAn5VHGcy5e0xxGg6Qj9aLA3adSZHhWqxievNjawhy72sKOz6gnzky8HjeLLIA-_zHktGV1PoIEcr0NE4cjod_cRpB6hdGqEDV-XOzuw9exyK2bdPnYqHNJ5-8Qz2X7dSyVQXlMGutrQXANXcbcKsy6SptNr6Ok9ZIPXxbx6X2CW8k5SMe12R6eBPUL94TU14X5a3EZFq6S-P9qCJT84oweroS2nGAFJrZlK3mk4PhjOzhFl6j-EBuTtgtpZxJ3he-MBbaznzp1rZaCDQ",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtYXBpIiwiYWRtaW4iOnRydWV9.XTWgQgovF-CFKd5Vnr5W38t4jm0qthD7ZreQYrH_NY2MvmbuE44ebWWNTq1e-85xymkxCxYKuGAjAtAZNAeDybiFnpBvbSp96IgenyL3CdICAitShWFRr_wCUGiIhSLhy_iJYeLI2T6ag0H78LnMlho7_QXwS7s8jhRRs8-Bioa47SgfRtq1Zu-Pr94nS2mqVwrueNWSWIRlCMjSwpEtL4Riay5j-iM5Tuzd3b2_Sqk_aLUzMfTTkAddd_DlRZdeiJxjPhtOCFx4nXfak_efruqmiKPo1w59aA8Y60C6NgHnmJVzLAJWsa-w5ugHqynWOqp0IlcfEy3ej6wPzmY1_w",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiY2Fyb2wiLCJpc3MiOiJzdmMtYXV0aCIsImFkbWluIjp0cnVlfQ.eA35hXftK-fdBrkUE6b3y_ThrUvE6Lou9gLfVB-_emU",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtYXBpIiwicm9sZSI6InZpZXdlciJ9.74HdzHvRdKSz7bdCVPKX5L1uMYAd4UMrMjEpxDjkT-o",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYm9iIiwiaXNzIjoic3ZjLWF1dGgiLCJyb2xlIjoidmlld2VyIn0.wkcbqeKGN4q_3Zr-nDuhkjLC7mGEkka0Xf5cGutaNjE",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYm9iIiwiaXNzIjoic3ZjLWFwaSIsInJvbGUiOiJzdXBlcnVzZXIifQ.bUZRWHiEe52iSLH6-WnNPCsSJVQ4ZukXq7ljVyrNWlQ",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiY2Fyb2wiLCJpc3MiOiJzdmMtYXBpIiwicm9sZSI6InVzZXIifQ.McO9wtCNn5PpOTZqZqWZb01iI1du9pzydOIySUcpUvE",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWFwaSIsInJvbGUiOiJhbmFseXN0In0.kS1oBf0_mOqFLskYFG00MXdvFZcGHKVlrTcUWnvq4Ss",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYWxpY2UiLCJpc3MiOiJzdmMtZ3ciLCJhZG1pbiI6dHJ1ZX0.M3PnTIGbdHHa_5h0PjNuw-kjov24nYQ5_0KVLkIWfp4",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiYm9iIiwiaXNzIjoic3ZjLWFwaSIsImFkbWluIjp0cnVlfQ.eofNcjj6xkHj3_PHjH07z9GkxGOhg7wCWC5g7uC5IVg",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZXZlIiwiaXNzIjoic3ZjLWFwaSIsInJvbGUiOiJhbmFseXN0In0.l__G2hCuhUWiW5dqZ9IXVYPyBlIrO9JesFD4s0T_A6o",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NTM2MTA0MDAsImV4cCI6MTc1NjIwMjQwMCwic3ViIjoiZGF2ZSIsImlzcyI6InN2Yy1hcGkiLCJyb2xlIjoidXNlciJ9.o2J8jpkJnoGty5BsLRMCpGSTEgK6XdDDgOR8uPe4aHIQY0GEWPnqdJ6vq_MOqAS8Az-B9BCXmziNZoqfLEPq25VECS8OVqvCCywR3LkwULe28goEH8cpxX7KlnXLdJhNWdQSJz6YM_Odno1EYTvFg2f84Oh2BNou4wO74M1anW0FKhn3ORbmjK5w6h5lc4O0Thu2DabG1MM0UTsQIp3XvImbLk6tKDD3uvJUvLTLR-SxXMTnFDLvD98Z_bOtrVB4fVPeetr9M9LTUuaEHIh_4D-KpQ3VGrH3two778O7nOO6LAgoLvCpy1iuDxVJ_cD-w9BAcq7P8aEUMCUILzV1SA"
]

# Candidate HS256 secrets tried in order by verify_token(). An HS256 token
# that verifies under any of these is a weak-secret finding: the signing key
# is guessable, so the signature proves nothing.
wordlist = [
    "qwerty", "welcome", "dragon", "monkey", "admin", "abc123", "trustno1",
    "iloveyou", "welcome1", "secret", "password", "summer2025", "letmein",
    "123456", "football", "111111", "p@ssw0rd"
]

# RS256 tokens are verified against the issuer's public key shipped with the
# challenge; only the public half is needed to check a signature.
with open("C:/Users/25050/Downloads/attachment/public.pem", "rb") as pem_file:
    public_key = serialization.load_pem_public_key(
        pem_file.read(), backend=default_backend()
    )

def has_admin_privileges(payload):
    """Return a truthy value if the decoded *payload* claims admin rights.

    Either a truthy ``admin`` claim or a ``role`` of ``admin``/``superuser``
    counts; the raw ``admin`` value is returned when it is truthy.
    """
    admin_claim = payload.get("admin", False)
    return admin_claim or payload.get("role") in ["admin", "superuser"]

def verify_token(token, index):
    """Return True if *token* both claims admin rights and carries a valid signature.

    The unverified header's ``alg`` only selects which check to run; each
    branch pins the accepted algorithm with ``algorithms=[...]`` so the
    header cannot downgrade or confuse verification. HS256 tokens pass only
    if one of the weak secrets in ``wordlist`` verifies them; RS256 tokens
    are checked against ``public_key``; any other algorithm is rejected.
    The payload is decoded without verification first, purely to skip
    non-admin tokens early. jwt.decode also applies its default claim checks
    (including ``exp``), so an expired token returns False and the outcome
    depends on when this is run. *index* is accepted but unused. Any
    exception (malformed token, bad signature, expiry) yields False.
    """
    try:
        algo = jwt.get_unverified_header(token)["alg"]

        # Surplus '=' padding is tolerated by the non-strict decoder.
        payload_segment = token.split('.')[1]
        payload = json.loads(base64.urlsafe_b64decode(payload_segment + '=='))
        if not has_admin_privileges(payload):
            return False

        if algo == "RS256":
            jwt.decode(token, public_key, algorithms=["RS256"])
            return True
        if algo != "HS256":
            return False

        for candidate in wordlist:
            try:
                jwt.decode(token, candidate, algorithms=["HS256"])
            except jwt.InvalidTokenError:
                continue
            return True
        return False
    except Exception:
        return False

# 1-based positions of tokens that both claim admin and verify; these are the
# tokens an attacker could actually use (guessable HS256 secret or a genuine
# RS256 signature), which is what the challenge asks for.
admin_indices = [
    position
    for position, token in enumerate(tokens, 1)
    if verify_token(token, position)
]

flag = f"flag{{{':'.join(map(str, sorted(admin_indices)))}}}"
print(flag)

image-20250806150132815

flag{1:3:4:5:9:14:15:17:19:20:21:24:27:28}

ACL_Allow_Count

def is_ip_match(rule_ip, traffic_ip):
    """Return True if dotted-quad *traffic_ip* is covered by *rule_ip*.

    *rule_ip* is one of: the wildcard ``'any'``; a CIDR block
    ``a.b.c.d/bits`` (both addresses are masked to the prefix and compared);
    or a single address (exact string comparison). IPv4 only; octet ranges
    and address shape are not validated.
    """
    if rule_ip == 'any':
        return True
    if '/' not in rule_ip:
        return rule_ip == traffic_ip

    def to_int(dotted):
        # Big-endian packing of the four octets into one 32-bit integer.
        octets = [int(piece) for piece in dotted.split('.')]
        return sum(octet << (24 - 8 * position) for position, octet in enumerate(octets))

    network, prefix_len = rule_ip.split('/')
    bits = int(prefix_len)
    # Top `bits` bits set; a /0 prefix gives mask 0 and matches everything.
    mask = (1 << 32) - (1 << (32 - bits))
    return (to_int(network) & mask) == (to_int(traffic_ip) & mask)

def is_traffic_allowed(rules, traffic):
    """Evaluate one flow against an ordered ACL with first-match-wins semantics.

    *traffic* is ``(proto, src, dst, dport)``; each rule is
    ``(action, proto, src, dst, dport)`` where any field may be ``'any'``
    and the IP fields may be CIDR blocks (see is_ip_match). Protocol and
    port are compared as strings, so ``'23'`` and ``'023'`` differ. The
    first matching rule decides: True iff its action is ``'allow'``. A flow
    matching no rule is implicitly denied (False).
    """
    proto, src, dst, dport = traffic

    def matches(rule):
        _, r_proto, r_src, r_dst, r_dport = rule
        return (
            r_proto in ('any', proto)
            and is_ip_match(r_src, src)
            and is_ip_match(r_dst, dst)
            and r_dport in ('any', dport)
        )

    for rule in rules:
        if matches(rule):
            return rule[0] == 'allow'
    return False

# Ordered ACL, evaluated top-down with the first match winning (see
# is_traffic_allowed): tcp/23 (telnet) and udp/22 are denied explicitly,
# everything else is allowed by the final catch-all. Ports are strings
# because the traffic file is parsed as text.
rules = [
    ('deny', 'tcp', 'any', 'any', '23'),
    ('deny', 'udp', 'any', 'any', '22'),
    ('allow', 'any', 'any', 'any', 'any')
]

# Parse the traffic capture: one flow per line, "<proto> <src> <dst> <dport>".
# A line with any other number of fields raises ValueError on unpacking.
traffic = []
with open("C:/Users/25050/Downloads/attachment (1)/traffic.txt", 'r') as capture:
    for record in capture:
        proto, src, dst, dport = record.strip().split()
        traffic.append((proto, src, dst, dport))

# Count the flows the ACL permits (True sums as 1).
allowed_count = sum(is_traffic_allowed(rules, flow) for flow in traffic)

print(f"flag{{{allowed_count}}}")

image-20250806150424312

flag{1729}