2023 CISCN Preliminary Round Review

WEB

Unzip


This turns out to be a file-upload page, so first we upload an ordinary image with no webshell in it and see what happens; after the upload we get the source code:

<?php
error_reporting(0);
highlight_file(__FILE__);

// Only the MIME type of the upload is checked (it must look like a zip archive)...
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if (finfo_file($finfo, $_FILES["file"]["tmp_name"]) === 'application/zip'){
    // ...and a matching upload is extracted straight into /tmp, overwriting existing files (-o)
    exec('cd /tmp && unzip -o ' . $_FILES["file"]["tmp_name"]);
};

//only this!


First, a code audit: the backend checks the uploaded file to see whether it is in zip format, and if it is, extracts it into /tmp. We first try to access the /tmp directory and find that it cannot be reached. Our file does get extracted into that directory, though, so we should think about a way around this and look for some other route by which the directory can be accessed. Only afterwards did I realise that this challenge is the same as one from the 2021 Shenyu Cup: https://forum.butian.net/share/906
The technique there is to use a symbolic link (symlink), so that when we operate on the web root the same operation also takes effect in /tmp.

What a symlink does: it links a directory to another directory or file, so that any later operation on that directory is applied to the other directory or file as well.

So we can first prepare a zip archive containing a symlink; once it has been extracted, the web root and /tmp are linked together, meaning everything we do to the web root also takes effect in /tmp.
First we create a symlink that points at the site's web root (the web environment).

Then we create a second archive containing the webshell; this archive will be extracted into the web root.

Because the archive with the symlink was uploaded earlier, the link is already in effect: operating on the web root now also operates on /tmp, which bypasses the original restriction that /tmp could not be accessed.
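The check the challenge lacks, as an added defender-side example that is not part of the original challenge or this writeup: inspect the archive members before ever calling unzip, rejecting symlink entries (the trick used above) and names that would land outside the extraction directory. The sample archive is constructed inline and its /srv/webroot link target is a placeholder.

```python
import io
import os
import stat
import zipfile


def unsafe_zip_members(data: bytes, dest: str = "/tmp") -> list:
    """Return (member name, reason) for entries a blind `unzip -o` into dest would mishandle.

    The MIME check in the challenge only proves the upload is a zip; it says
    nothing about symlink members or path traversal, which is what this inspects.
    """
    problems = []
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16          # Unix mode bits sit in the high 16 bits
            if stat.S_ISLNK(mode):
                problems.append((info.filename, "symlink entry"))
                continue
            target = os.path.realpath(os.path.join(dest, info.filename))
            if not target.startswith(dest + os.sep):
                problems.append((info.filename, "escapes extraction directory"))
    return problems


def sample_archive() -> bytes:
    """Constructed sample: one benign file, one symlink member, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "harmless")
        link = zipfile.ZipInfo("www")
        link.create_system = 3                        # Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/srv/webroot")             # placeholder target; a symlink member's body is its target
        zf.writestr("../outside.txt", "would land above /tmp")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_zip_members(sample_archive()):
        print(f"reject {name}: {reason}")
```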

BackendService


Opening it reveals a Nacos instance exposed to the internet, which feels a lot like the real situations encountered during HVV exercises. We can start with some information gathering to see whether any published Nacos vulnerabilities apply, trying them one by one; sometimes a single article cannot be reproduced, so try several and see which method works: https://juejin.cn/post/7133573986633383950
Following the article, we bypass Nacos authentication.

We find that we can now add an admin user and use it to log in to Nacos.


I still don't fully understand the reproduction article; I'll fill this part in gradually later. Java web security really is hard.

MISC

PyShell

The idea here is to use a Python shell to obtain the flag. During the contest I only considered which characters were filtered and not the consequences of the input length being limited, so I didn't solve it. The approach is to use Python's built-in functions to concatenate the pieces and then read the flag through eval().

国粹 (National Quintessence)

A guessing puzzle. The original image has two identical rows of mahjong tiles. Two further images, a.png and k.png, each show a single row of tiles; the guess is that these two rows are meant to be combined into one image. After combining them, we guess there is some pattern between the top and bottom rows. We number the tiles in the original image from 1 to 42 (the One Character tile appears twice; the first time the space above it is blank, so it is ignored).

# Scatter plot of the coordinate pairs read off the combined image
import matplotlib.pyplot as plt

x_coords = [1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4,
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 10, 10, 12, 12, 12, 12, 13, 13, 13, 13, 13,
13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16,
16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19,
19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23,
23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25,
25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28, 28, 28, 28,
28, 28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 32, 32, 32,
32, 32, 32, 32, 32, 32, 32, 32, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 34, 34, 34, 34, 34, 34, 34, 34,
34, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 36, 36, 36, 36, 36, 36, 36, 37, 37, 37, 37, 37, 37, 37, 37,
37, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 39, 39, 39]
y_coords = [4, 5, 10, 30, 3, 4, 5, 6, 10, 29, 30, 3, 4, 10, 16, 17, 22, 23, 24, 25, 29, 30, 2, 3, 4, 5, 10, 15, 16, 18,
21, 22, 24, 25, 29, 30, 3, 4, 10, 15, 17, 18, 19, 20, 22, 25, 28, 29, 3, 4, 10, 15, 16, 18, 19, 21, 22, 25,
29, 3, 4, 10, 11, 12, 13, 15, 18, 19, 22, 23, 24, 25, 29, 30, 3, 4, 11, 12, 15, 16, 17, 18, 19, 20, 25, 29,
30, 21, 22, 24, 25, 30, 31, 23, 24, 22, 23, 24, 25, 2, 3, 4, 5, 9, 10, 11, 12, 13, 16, 17, 18, 19, 24, 25,
2, 5, 6, 9, 12, 19, 23, 24, 5, 9, 12, 18, 19, 22, 23, 4, 5, 9, 12, 17, 18, 23, 23, 24, 3, 4, 9, 12, 16, 17,
24, 25, 3, 9, 12, 16, 25, 3, 4, 5, 6, 9, 10, 11, 12, 16, 17, 18, 19, 21, 22, 23, 24, 25, 10, 11, 3, 4, 5, 6,
10, 11, 12, 17, 18, 19, 24, 25, 3, 6, 7, 9, 10, 16, 17, 19, 20, 22, 23, 24, 25, 3, 6, 7, 9, 10, 16, 19, 20,
24, 25, 3, 6, 7, 10, 11, 12, 16, 19, 20, 20, 24, 25, 3, 6, 7, 12, 13, 16, 19, 20, 24, 25, 3, 6, 7, 9, 12,
13, 16, 19, 20, 24, 25, 3, 4, 6, 9, 10, 11, 12, 16, 17, 19, 20, 24, 25, 4, 5, 17, 18, 19, 10, 11, 12, 13,
25, 31, 4, 5, 6, 10, 11, 12, 13, 17, 18, 19, 23, 24, 25, 26, 32, 3, 4, 6, 7, 12, 16, 17, 23, 23, 24, 26, 32,
6, 7, 11, 16, 17, 23, 24, 26, 32, 6, 11, 12, 17, 18, 19, 23, 24, 25, 26, 33, 5, 12, 13, 4, 5, 13, 16, 19, 20,
25, 26, 32, 4, 5, 6, 7, 9, 10, 11, 12, 13, 16, 17, 18, 19, 24, 25, 31, 32, 23, 24, 31]

# Sanity check: both lists must have the same length for scatter() to accept them
print(len(x_coords))
print(len(y_coords))

plt.scatter(x_coords, y_coords)

plt.title("Scatter Plot")
plt.xlabel("X-axis")
plt.ylabel("Y-axis")

plt.show()

Encrypted Production Traffic

After following the TCP stream, a suspicious string shows up.

It looks like one of the base family of encodings; trying each base variant in turn shows that it is base32.

Damn, during the contest I must have missed a letter or something when extracting the characters, so the base decodes came out as garbage and I assumed it was SSL encryption; I never reconsidered the base family before the contest ended. Fifty points lost!