An analysis of the black shield track from the online preliminary round to the final of the 2022 Fujian Province 3rd "Mindun Cup" Cyberspace Security Competition

Table of contents

0x00 Sui Sui Thoughts

0x01 Online Preliminary Round

0x02 Online rematch

2.1 Invisibility does not mean absence

2.2 The word is not the word

2.3 HeidunGame

2.4 Do you secure

2.5 Ezweb

0x3 offline finals

3.1 Portal 192.168.1.101

flag-1

flag-2 3

flag 4

3.2 Message board 192.168.1.102

flag-1

flag-2

3.3 Project management system 192.168.3.1

3.4 Lost host 192.168.1.50

flag-1

flag-2

flag-3

0x04 final ranking

0x05 some photos


 

0x00 Sui Sui Thoughts

Last year, the other great teams didn’t come and missed the first place by luck. This year, the big guys came and got beaten and shut themselves down. They were not as good as others and could only stand at attention. Some of the pictures are from the replay after the game or from the writeups (wp) of the masters. I would also like to thank my teammates and other masters for their help.

0x01 Online Preliminary Round

The online preliminary round consists of theory questions. Based on the ranking, 60 teams are selected from the undergraduate group and the higher vocational group to advance to the semi-finals (each school can send at most 3 teams). The promotion list is announced on the same day.

0x02 Online rematch

Few questions were solved. Based on the final ranking, 50% of the participating teams are selected from the undergraduate group and the higher vocational group to advance to the final (each school can send at most 2 teams). The promotion list is announced after the referee team reviews the results and the writeup documents.

2.1 Invisibility does not mean absence

Given a txt file that contains only whitespace characters, replace each tab (\t) with 1 and each space with 0.

Then convert the resulting binary string to hexadecimal, and finally convert that to ASCII to get the flag.
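The decoding steps above as a small script. This is an added example, not code from the original post; it reads the two carrier characters as tab (1) and space (0), and the sample file content and the flag string in it are constructed for the demonstration.

```python
def decode_whitespace(text: str, one: str = "\t", zero: str = " ") -> str:
    """Recover ASCII hidden in a whitespace-only file (tab = 1, space = 0)."""
    # Keep only the two carrier characters; line breaks and anything else are ignored.
    bits = "".join("1" if ch == one else "0" for ch in text if ch in (one, zero))
    # Drop a trailing partial byte, e.g. stray spaces at the end of the file.
    usable = len(bits) - len(bits) % 8
    if usable == 0:
        return ""
    # Same route as the write-up: binary -> hexadecimal -> ASCII.
    # The fixed width keeps leading zero bits that int() would otherwise drop.
    hex_string = f"{int(bits[:usable], 2):0{usable // 4}x}"
    return bytes.fromhex(hex_string).decode("ascii", errors="replace")


def encode_whitespace(message: str) -> str:
    """Build a constructed sample: one byte per line, written as tabs and spaces."""
    return "\n".join(
        "".join("\t" if bit == "1" else " " for bit in f"{byte:08b}")
        for byte in message.encode("ascii")
    )


# Constructed sample input (not the competition file).
SAMPLE = encode_whitespace("flag{constructed_sample}")

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
    # If the output is garbage, the mapping may be inverted; try the other polarity.
    print(decode_whitespace(SAMPLE, one=" ", zero="\t"))
```
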

2.2 The word is not the word

Extract the file with Binwalk, then locate the document inside and find the flag in it.

2.3 HeidunGame

Android reverse engineering question, use jadx-gui to open it

Found that the flag is hard-coded into the program

{heidun_game_of_android}

2.4 Do you secure

Find the file upload address upload_index.php in the source code

After uploading, a prompt says the file is being automatically checked, so this is presumably a race condition: access the uploaded PHP file so that its code executes before the system detects and deletes it, and have it write a one-line webshell.

Access file address after submission

Write the file to view the flag

2.5 Ezweb

I found that the feedback page should be the BeanValidation mentioned in the question, with form validation. Subsequent testing showed that the email field is validated:

Use a PoC to get a reverse shell

View flag

0x3 offline finals

First, the topology: our IPs are 192.168.1.10-192.168.1.20, and we can directly access the DMZ.

3.1 Portal 192.168.1.101

The page is as follows

There is a prompt in robots.txt as follows

There is a search folder and a box search command

The page source code is as follows

Finally, the command is successfully executed through the variable name prompted in robots.txt

After the game, I asked other masters and learned that xray + AWVS could have found it by scanning; only I was stuck for an hour before solving it (losing too thoroughly)

xray

flag-1

/flag in the system root directory

flag-2 3

Upload adminer.php and log in to the database as root, then search the database for values containing the flag to get two flags.

flag 4

There is a flag in the root directory that requires SUID privilege escalation to read.

3.2 Message board 192.168.1.102

front page

Accessing the backend while forging various IP headers has no effect.

flag-1

After asking around after the game, I learned that there is an ly.mdb in the root directory. I checked all my wordlists, but none of them contained it.

flag-2

Because we are on 192.168.1.* and the message board is not accessible on 192.168.2.*, we use the portal to obtain the cookies.

The payload is as follows

Submit Message

The cookie is captured successfully; the flag is in the cookie.

Official analysis:

https://mp.weixin.qq.com/s/F9v9-8s2_mJhlEWRICzVvg

3.3 Project management system 192.168.3.1

You need to configure a firewall before you can access the system. The firewall can only be accessed from a 192.168.2.* machine. You can reach it by using the portal website as a proxy.

I took out the firewall manual that I prepared but didn’t use last year.

Unfortunately the default password failed

Later, the referee gave the account password and instructions.

Configure the firewall

[Pictures pretending to have firewall configuration]

Accessing 192.168.3.101 shows a ZenTao system; the weak password is 123456

Use the vulnerability below to get a shell (I heard injection and other vulnerabilities can also be used)

3.4 Lost host 192.168.1.50

Topic requirements

flag-1

Search for the keyword "mine" to find the flag.

flag-2

Convert the system log to txt so the IPs can be extracted

Then use a regular expression to extract the IPs

^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])$

get
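The regular expression above is anchored with ^ and $, so it only matches a line that consists of nothing but an IP address. As an added example (not from the original post), the script below pulls IPv4 addresses out of full log lines and ranks the non-internal ones by frequency; the log lines are constructed, and the octet pattern is a stricter variant (no leading zeros) rather than the page's exact expression.

```python
import ipaddress
import re
from collections import Counter

# One octet, 0-255, without leading zeros (stricter than the pattern on the page).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# Unanchored: the guards keep us from matching inside longer dotted numbers
# such as "300.1.1.1" or a five-part version string.
IPV4 = re.compile(rf"(?<![0-9.]){OCTET}(?:\.{OCTET}){{3}}(?![0-9])(?!\.[0-9])")

# RFC 1918 ranges, treated here as "internal" (an assumption for this example).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines standing in for the exported system log.
SAMPLE_LOG = """\
2022-11-05 02:14:07 Logon failure user=admin src=203.0.113.45 port=3389
2022-11-05 02:14:09 Logon failure user=admin src=203.0.113.45 port=3389
2022-11-05 02:15:30 Logon success user=admin src=203.0.113.45 port=3389
2022-11-05 02:20:11 Outbound connection dst=198.51.100.7:3333 image=svc.exe
2022-11-05 08:01:02 Logon success user=ops src=192.168.1.10
2022-11-05 08:03:44 Agent version 1.2.3.4.5 started, build 300.1.1.1
"""


def extract_ips(log_text: str) -> Counter:
    """Count every IPv4 address that appears anywhere in the text."""
    return Counter(m.group(0) for m in IPV4.finditer(log_text))


def external_ips(log_text: str) -> list:
    """Return (ip, count) for non-internal addresses, most frequent first."""
    hits = [(ip, n) for ip, n in extract_ips(log_text).items()
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL)]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, count in external_ips(SAMPLE_LOG):
        print(f"{count:3d}  {ip}")
```
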

flag-3

Find the MySQL password abc123! in the PHP config.php

Connect to the database; there is no flag in it. Found udf543.dll in the mysql directory
When attempting UDF privilege escalation, found that the function had already been created
Opened the dll in Notepad and found the flag field
Run select flag(); to call the function

0x04 final ranking

Seeing the ranking reminds me of the fact that I was beaten

Undergraduate category winners list

Team name | School name | Ranking
NISA-HiddenLine | Fujian Normal University | first prize
okfafu | Fujian Agriculture and Forestry University | first prize
qwq | Fujian College of Engineering | second prize
GOD_TS1A | Fuzhou University Zhicheng College | second prize
NISA-WhySoSerious | Fujian Normal University | second prize
Minhou Shangjie Men's dokidoki Academy F3 missing 1 | Fuzhou University | second prize
F_sec | Fujian Police College | third prize
Chick exposed blackfeet | Fujian Business College | third prize
Work 207 | Minjiang College | third prize
Ph0en1x | Xiamen University | third prize
LYun | Longyan University | third prize
nightmare nghtmare | Minjiang College | third prize
cve2077 | Quanzhou Institute of Information Engineering | third prize
No. 59, Shoushan Road | Fujian Police College | third prize

List of winners of the Higher Vocational Group

Team name | School name | Ranking
We are responsible for the dishes | Fujian Shipbuilding and Transportation Vocational College | first prize
fvti | Fuzhou Vocational and Technical College | first prize
AAA | Fujian Information Vocational and Technical College | second prize
Payl0ad | Fujian Shipbuilding and Transportation Vocational College | second prize
AssaultTroops | Fuzhou Software Vocational and Technical College | second prize
Eat or not eat fried cakes | Fujian Business College | second prize
NotCTF | Fuzhou Vocational and Technical College | third prize
eye star | Xiamen Marine Vocational and Technical College | third prize
ABC321 | Fujian Information Vocational and Technical College | third prize
Yi Yan Ding Zhen Team | Minjiang Normal College | third prize
V_Try | Zhangzhou Vocational and Technical College | third prize
tick squad | Xiamen Software Vocational and Technical College | third prize

0x05 some photos

Some photos taken on site



Origin blog.csdn.net/weixin_57099902/article/details/132759973