所有文章 简体中文

目录

2023年第二届陇剑杯部分题解

   约 2132 字   预计阅读 5 分钟 

HW

hard_web_1

题目内容:服务器开放了哪些端口,请按照端口大小顺序提交答案,并以英文逗号隔开(如服务器开放了80 81 82 83端口,则答案为80,81,82,83)

发现存在端口探测行为,发现80,888,8888端口存活

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827151626824.png

hard_web_2

服务器中根目录下的flag值是多少?

追踪最后一个响应码为200的流量

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827151710687.png

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827151800753.png

设置显示格式为raw:

1

b5c1fadbb7e28da08572486d8e6933a84c5144463f178b352c5bda71cff4e8ffe919f0f115a528ebfc4a79b03aea0e31cb22d460ada998c7657d4d0f1be71ffa

通过哥斯拉流量解码得到flag

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

import gzip
import binascii
from Crypto.Cipher import AES


def ungzip(data):
   return gzip.decompress(data)


def decode(data, key):
   cipher = AES.new(key, AES.MODE_ECB)
   de_data = cipher.decrypt(binascii.a2b_hex(data))
   print(ungzip(de_data.strip(chr(de_data[-1]).encode())))


if __name__ == '__main__':
   key = b'748007e861908c03'
   data = 'b5c1fadbb7e28da08572486d8e6933a84c5144463f178b352c5bda71cff4e8ffe919f0f115a528ebfc4a79b03aea0e31cb22d460ada998c7657d4d0f1be71ffa'
   decode(data, key)

hard_web_3

该webshell的连接密码是多少?

搜索pwd,找到test.jsp,请求了shell.jsp的文件,script中包含748007e861908c03,md5碰撞得到密码14mk3y

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

import hashlib
import itertools

key = '1234567890abcdefghijklmnopqrstuvwxyz'

for i in itertools.product(key, repeat=6):
    res =''.join(i)
    flag = hashlib.md5(res.encode()).hexdigest()
    if flag[:16] == '748007e861908c03':
        print(res)
        break

SS

sevrer save_1

黑客是使用什么漏洞来拿下root权限的。格式为:CVE-2020-114514

pom.xml源码包,发现是Spring4Shell Vulnerable Application的框架

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152240417.png

google直接搜就有CVE编号

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152301107.png

sevrer save_2

黑客反弹shell的ip和端口是什么,格式为:10.0.0.1:4444

bbbb.sh文件中有

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152334081.png

sevrer save_3

黑客的病毒名称是什么? 格式为:filename

home目录下guests用户中

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152400798.png

sevrer save_4

黑客的病毒运行后创建了什么用户?请将回答用户名与密码:username:password

etc/shadow文件直接查看

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152425575.png

sevrer save_5

服务器在被入侵时外网ip是多少? 格式为:10.10.0.1

guests目录下隐藏日志文件中

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152605262.png

sevrer save_6

病毒运行后释放了什么文件?格式:文件1,文件2

.idea目录下存在俩个文件

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152715693.png

sevrer save_7

矿池地址是什么? 格式:domain:1234

同上mine_doge.sh中有

sevrer save_8

黑客的钱包地址是多少?格式:xx:xxxxxxxx

同上mine_doge.sh中有

WS

Wireshark1_1

入侵主机IP是?

查看wireshark包,发现交互频繁的目标ip

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827152934998.png

Wireshark1_2

被入侵主机的口令是?

追踪tcp流,发现password

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153006360.png

Wireshark1_3

用户目录下第二个文件夹的名称是?

追踪tcp流,发现ls命令,找到文件目录

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153058707.png

Wireshark1_4

/etc/passwd中倒数第二个用户的用户名是?

找到最后etc/passwd文件返回值,找到倒数第二个用户名mysql

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153129109.png

SSW

SmallSwrod_1

连接蚁剑的正确密码是__?(答案示例:123asd)

追踪tcp流,根据蚁剑的特征ini_set查找蚁剑的流,第一个变量名就是密码。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153211080.png

SmallSwrod_2

攻击者留存的值是__?(答案示例:d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)

追踪tcp流,根据蚁剑的特征ini_set查找蚁剑的流,一个个找,找到一个base64字符串,解码后长得跟题目给的提示很像,提交成功。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153323523.png

EW

ez_web_1

服务器自带的后门文件名是什么?(含文件后缀)

追踪tcp流,查到ViewMore.php存在任意文件上传漏洞,被上传了一个d00r.php的文件。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153412777.png

ez_web_2

服务器的内网IP是多少?

根据第一题中找到的d00r.php木马文件,查找该木马流量,追踪http流,找到内网地址。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153431118.png

ez_web_3

攻击者往服务器中写入的key是什么?

根据第一题中找到的d00r.php木马文件,查找该木马流量,追踪http流,找到内网地址。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153454167.png

解码

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153513506.png

利用得到的密码进行加压

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153522555.png

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153548060.png

TP

tcpdump_1

攻击者通过暴力破解进入了某Wiki 文档,请给出登录的用户名与密码

提示暴力破解,找到login的请求,一个个翻,翻出登录成功的账号密码。

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153648471.png

tcpdump_2

攻击者发现软件存在越权漏洞,请给出攻击者越权使用的cookie的内容的md5值。(32位小写)

找到uid=1,响应码为200的流量将cookie加密即可

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153708382.png

1
2
3
4

import hashlib

key = 'accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1'
print(hashlib.md5(key.encode()).hexdigest())

tcpdump_5

给出攻击者获取系统权限后,下载的工具的名称,比如nmap

数据包在验证成功后开始执行命令

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153741715.png

发现利用curl下载fscan行为

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153751723.png

HD

hacked_1

题目内容:admIn用户的密码是什么?

数据包中发现username和password加密js源码

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827153917906.png

中间很多失败的账户和admin账户进行迷惑,直到发现admIn用户显示登录成功

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154001988.png

追踪数据流发现密码:KGM7NI0%2FWvKswK%2BPlmFIhO4gqe8jJzRdOi02GQ0wZoo%3D

结合js加密规则进行解密得到admIn的密码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

rom Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode


def decrypt(encrypted_text, key, iv):
   # 因为加密时使用的是Base64,所以解密前需要先进行Base64解码
   encrypted_text = b64decode(encrypted_text)
   # 创建一个新的cipher对象用于AES解密
   cipher = AES.new(key, AES.MODE_CBC, iv)
   # 解密
   decrypted_text = cipher.decrypt(encrypted_text)
   # 解密后的结果可能包含无效的填充,所以需要去掉填充
   decrypted_text = unpad(decrypted_text, AES.block_size)
   # 最后,将解密后的结果转换回字符串
   return decrypted_text.decode('utf-8')

crypt_key = 'l36DoqKUYQP0N7e1'
crypt_iv = '131b0c8a7a6e072e'
key = crypt_key.encode('utf-8')
iv = crypt_iv.encode('utf-8')

# 这里需要替换成你需要解密的内容
encrypted_text = 'KGM7NI0/WvKswK+PlmFIhO4gqe8jJzRdOi02GQ0wZoo='
print(decrypt(encrypted_text, key, iv))

hacked_2

app.config[‘SECRET_KEY’]值为多少?

往下找到读取配置文件的数据包

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154109357.png

解码得到KEY的值

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154123937.png

hacked_3

flask网站由哪个用户启动?

追踪数据包发现打印hello但未显示用户,结合之前的数据包结果此处可能存在疑点

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154143557.png

将session解密得到用户名

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154156556.png

hacked_4

攻击者写入的内存马的路由名叫什么?(答案里不需要加/)

往下继续追踪数据发现Index,响应为hello

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154214223.png

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230827154235161.png

BF

baby_forensics_1

vol读取内存文件后导出

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230828133058585.png

文本编辑器打开得到编码

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230828133038885.png

ROT47解码得到flag

https://21r000-image.oss-cn-shanghai.aliyuncs.com/2023/image-20230828132955538.png

更新于 2023-08-27
阅读原始文档
返回 | 主页