https://enoch.host好想变强。。。Halo v2.22.14zh-cnhttps://enoch.host/upload/ENOCH.jpghttps://enoch.hostSat, 13 Jun 2026 04:58:10 GMThttps://enoch.host/archives/htb-saunaSauna 拿shell 扫端口 $ nmap -p- -sV 10.129.95.180 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-04 02:54 CST Nmap scan report for 10.129.95.180 Ho]]>/archives/htb-saunaENOCHWed, 4 Mar 2026 11:57:31 GMThttps://enoch.host/archives/htb-returnReturn 拿shell 先简单nmap看看开放了什么常用端口 # nmap 10.129.242.236 PORT     STATE SERVICE 53/tcp   open domain 80/tcp   open http 88/tcp   open kerberos-sec 13]]>/archives/htb-returnENOCHhacktheboxSun, 22 Feb 2026 09:37:48 GMThttps://enoch.host/archives/htb-timelapse先nmap PORT     STATE SERVICE           VERSION 53/tcp   open domain           Simple DNS Plus 88/tcp   open kerberos-sec     Microsoft Windows]]>/archives/htb-timelapseENOCHhacktheboxSat, 14 Feb 2026 09:34:02 GMThttps://enoch.host/archives/htb-support先nmap一下 # nmap -sS -sV -A -Pn 10.129.250.29 <...> PORT     STATE SERVICE       VERSION 53/tcp   open domain       Simple DNS Plus 88/tcp   open ker]]>/archives/htb-supportENOCHhacktheboxThu, 12 Feb 2026 10:19:29 GMThttps://enoch.host/archives/htb-cicadaCicada 先nmap # nmap -sT -p- --min-rate 10000 -o ports 10.129.254.230 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-06 05:09 CST Nmap scan repo]]>/archives/htb-cicadaENOCHhacktheboxFri, 6 Feb 2026 12:19:24 GMThttps://enoch.host/archives/htb-escapetwoEscapeTwo What is the fully qualified domain name of the machine? # nxc smb 10.129.232.128 SMB         10.129.232.128 445   DC01             [*] Win]]>/archives/htb-escapetwoENOCHhacktheboxFri, 6 Feb 2026 10:57:16 GMThttps://enoch.host/archives/xsleak-learning了解了前置知识后，可以正式进入xsleak的学习了 基于网络时序 这种方法主要是测量响应时间 如果能通过某种方式让命中响应明显变慢或变快，就能通过测量响应时间来判断结果 通常以下内容会影响响应时间]]>/archives/xsleak-learningENOCH记录文章Mon, 2 Feb 2026 06:32:32 GMThttps://enoch.host/archives/xsleak-before-learning前言 XS-Leaks 的本质是Web侧信道攻击 不同于XSS直接执行代码获取敏感信息，XS-Leaks利用浏览器在处理跨站请求时的细微差异，推断用户的状态或敏感数据 国际赛关于XSS以及xsleak的考察呈逐渐增加的趋势，所以想着系统性的学学xsleak 学]]>/archives/xsleak-before-learningENOCH文章Thu, 29 Jan 2026 09:15:47 GMThttps://enoch.host/archives/n1ctf-junior-2026-1-2-chu-ti-xiao-ji这次依旧是出了两道题 posetman在预期范围内 但是notes差点零解，不得已上了hint是我没想到的 可能是大部分师傅都默认http.server 这种官方库应该不存在CRLF这种问题吧，，， 以下是wp Notes 题目提供了一个笔记应用，admin用户在初始化时会创建一个包含flag的笔记]]>/archives/n1ctf-junior-2026-1-2-chu-ti-xiao-jiENOCH文章wpTue, 27 Jan 2026 07:18:38 GMThttps://enoch.host/archives/seccon-ctf-14-quals期末周，还是做了一题就润了 broken-challenge cookie 在 hack.the.planet.seccon 这个域 /hint 路由给了证书私钥 -----BEGIN EC PRIVATE KEY----- MHcCAQEEIDXSM3v5wDSRra/TS/InNmXoVWqm4]]>/archives/seccon-ctf-14-qualsENOCHwpSun, 14 Dec 2025 17:00:00 GMThttps://enoch.host/archives/cykor-ctf-2025最近事情有点多，上线写了一题就去忙其他的了（ dbchat def _generate_sql(self, prompt: str) -> (str, List): m = self._pattern.match(prompt) if not m:]]>/archives/cykor-ctf-2025ENOCHwpMon, 8 Dec 2025 02:10:29 GMThttps://enoch.host/archives/zjb-2025-pre-wpCloudEver战队WP 战队排名：12 WEB 浅析PHP原生类 题目提供了一个反序列化入口 @unserialize($_GET]]>/archives/zjb-2025-pre-wpENOCHwpWed, 26 Nov 2025 07:16:49 GMThttps://enoch.host/archives/rctf-2025-wpphotographer flag 在 public/superadmin.php if (Auth::check() && Auth::type() < $user_types['admin']) {    echo getenv('FLAG') ?: 'RCTF{test_flag}'; }]]>/archives/rctf-2025-wpENOCHwpTue, 18 Nov 2025 02:00:00 GMThttps://enoch.host/archives/infobahn-ctf-2025-wpSandbox Viewer 未解出，赛后复现 给了个iframe，任意写srcdoc然后删除 let iframe = document.getElementById('safe'); iframe.srcdoc = key; iframe.onload = () => { iframe.re]]>/archives/infobahn-ctf-2025-wpENOCHwpWed, 12 Nov 2025 08:38:53 GMThttps://enoch.host/archives/xctf-final-wp比赛时写的，比较简陋 kidding 参考文章curl任意库加载实现远程代码执行 (RCE) 根据文章打包so #include <stdlib.h> #include <stdio.h> __attribute__((constructor)) static void rce_init(void]]>/archives/xctf-final-wpENOCHwpTue, 28 Oct 2025 15:09:40 GMThttps://enoch.host/archives/qwb-2025-wpmisc Personal Vault string 搜索flag正则，一把嗦 The_Interrogation_Room import socket, re, string from hashlib import sha256 ​ HOST = "47.94.202.253" PORT = 34]]>/archives/qwb-2025-wpENOCHwpSun, 19 Oct 2025 16:00:00 GMThttps://enoch.host/archives/htb-proxy-wp分析 后端有一个flushInterface app.post("/flushInterface", validateInput, async (req, res) => {   const { interface } = req.body; ​   try {       const]]>/archives/htb-proxy-wpENOCHhacktheboxWed, 15 Oct 2025 14:15:47 GMThttps://enoch.host/archives/use-localstack-learning-aws配置 皆为windows下的配置 首先要有github学生包，最近更新了，免费使用localstack进行本地aws相关开发，不用真的买存储桶 先安装aws]]>/archives/use-localstack-learning-awsENOCH文章Sun, 5 Oct 2025 12:21:48 GMThttps://enoch.host/archives/sunshinectf-2025没啥意思，写了个白盒就润了 Intergalactic Webhook Service dns重绑定攻击 @app.route('/register', methods=['POST']) def register_webhook(): url = request.form.get('url]]>/archives/sunshinectf-2025ENOCHwpFri, 3 Oct 2025 05:03:08 GMThttps://enoch.host/archives/htb-dusty-alleys题目描述 In the dark, dusty underground labyrinth, the survivors feel lost and their resolve weakens. Just as despair sets in, they notice a faint light:]]>/archives/htb-dusty-alleysENOCHhacktheboxTue, 23 Sep 2025 13:20:44 GMT