niteCTF-2023-MISC

blindjail

Connect to the challenge with nc; no source code is provided.
It looks like a Python terminal. When I tried to execute commands, I found that import is banned.
Here I learned about a Python function, breakpoint().
So let's try using this function here.
Of course, full-width characters can also be used to bypass the filter.

While we're at it, let's grab the source code 😁

# main.py
# print(getattr("".__class__.___mro___.__subclasses__()[108])().load_module("\x6f\x73"),"")
# subclasses = "".__class__.__mro__[1].__subclasses__()
# print("Subclasses:", subclasses)


def checker(inp):
    # a = inp  # f'flag'+ inp
    # print(a)
    # redact the keyword lists

    for keyword in [
        "eval",
        "exec",
        "import",
        "open",
        "os",
        "read",
        "system",
        "write",
        "subprocess",
        "str",
        "flag",
        "import",
        "cat",
        "63",
    ]:
        if keyword in inp:
            print(f" Nope,  {keyword}  is banned! ")
            break
    else:
        o = exec(inp, {}, {})
        if o is not None:
            print(o)


print(
    "------------------------------------------------------------- \n WELCOME TO THE BLINDJAIL \n --------------------------------------------------------\n "
    "\x1B[3m fret not that you cannot see, fret that you cannot leave.\x1B[0m "
)
while True:
    try:
        inp = input(">>> ")
        if inp.lower() == "exit":
            break
        checker(inp)
    except KeyboardInterrupt:
        print("\nBye!")
        break
    except EOFError:
        print("\nBye!")
        break
    except BaseException as e:
        print("look for the light! \n", e.args)

DecryptaQuest

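A packet capture, Decryta_logs.pcapng, is provided.
It contains some undecrypted TLS traffic. After opening it and searching around, I found a Base64-encoded blob; decode it with cyber.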
The following labels in the decoded content show that it is an SSLKEYLOGFILE:

CLIENT_HANDSHAKE_TRAFFIC_SECRET
SERVER_HANDSHAKE_TRAFFIC_SECRET
CLIENT_TRAFFIC_SECRET_0
SERVER_TRAFFIC_SECRET_0
EXPORTER_SECRET

Now export and save the SSLKEYLOGFILE, then import it into Wireshark:
Edit -> Preferences -> Protocols -> TLS
Then filter for HTTP traffic.
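
The decode-and-recognise step above can be scripted. The following Python is an added example, not part of the original write-up: it Base64-decodes a candidate blob and accepts it only if every line is a well-formed NSS key log entry, grouping secrets by client random. The sample blob, client random and secrets are constructed for illustration.

```python
import base64
import re

# Labels from the NSS key log format (TLS 1.2 uses CLIENT_RANDOM, TLS 1.3 the rest).
KNOWN_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)")


def parse_keylog(text):
    """Return {client_random: {label: secret}}; raise ValueError on a foreign line."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # the format allows blank lines and comments
        m = LINE_RE.fullmatch(line)
        # Secrets are 32 or 48 bytes: SHA-256/SHA-384 based in TLS 1.3,
        # a 48-byte master secret in TLS 1.2.
        if not m or m[1] not in KNOWN_LABELS or len(m[3]) not in (64, 96):
            raise ValueError(f"not a key log line: {line[:40]!r}")
        sessions.setdefault(m[2].lower(), {})[m[1]] = m[3].lower()
    return sessions


def keylog_from_base64(blob):
    """Decode a Base64 blob; return parsed sessions, or None if it is not a key log."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
        return parse_keylog(text) or None
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None


# Constructed sample: one TLS 1.3 session with made-up random and secrets.
SAMPLE_LABELS = ["CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                 "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"]
SAMPLE_TEXT = "".join(f"{label} {'ab' * 32} {format(i, '02x') * 32}\n"
                      for i, label in enumerate(SAMPLE_LABELS, start=1))
SAMPLE_BLOB = base64.b64encode(SAMPLE_TEXT.encode()).decode()

if __name__ == "__main__":
    for client_random, secrets in keylog_from_base64(SAMPLE_BLOB).items():
        print(client_random[:16], sorted(secrets))
```

Text that passes this check can be saved to a file and selected as the (Pre)-Master-Secret log filename in the TLS preferences mentioned above.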
