0xfd's blog

by 0xfd

Posted on In Word count in article: 2.5k Reading time ≈ 9 mins.

介绍

本文内容来自于ichunqiu的伽玛实验场之拟态挑战mimic-ssrf,借鉴邬江兴院士拟态防御理论设计的mimic-ssrf题目,该题目是个通过ssrf进行RCE的web环境,三种开发语言的debug调试器,代表了三种单异构体。一般黑客的攻击指令只会由一个异构体进行执行反馈,明确的攻击指令会有明确的反馈结果,但是在这道题中选手的攻击指令必须同时让3个异构体反馈一致的结果,不然在拟态的防御机制中,就会被表决失效。

类似于生物界的拟态防御,在网络空间防御领域中,使用拟态技术可极大的提升黑客攻击的难度。

本题内网使用了3种语言所搭建的服务,分别php、python和java,通过ssrf可以访问内网服务,并且服务都是设置debug模式,想办法获取到有用的信息,得到flag。

  • 参考原writeup【拟态挑战WP】2021年春秋杯秋季赛mimic-ssrf,原writeup步骤不完整,故重新补充记录
Read more »

Posted on In Word count in article: 2.6k Reading time ≈ 10 mins.

介绍

本次复现环境使用的为hack the box的logforge靶场

修改版ysoserial介绍

  • ysoserial-modified

修改版ysoserial主要参考了$@|sh – Or: Getting a shell environment from Runtime.exec这篇英文文章,如下。

1
2
3
4
5
6
7
$ java Exec 'sh -c $@|sh . echo ps ft'
  PID TTY      STAT   TIME COMMAND
27109 pts/25   Ss     0:03 /bin/bash
 6904 pts/25   Sl+    0:00  \_ java Exec sh -c $@|sh . echo ps ft
 6914 pts/25   S+     0:00      \_ sh -c $@|sh . echo ps ft
 6916 pts/25   S+     0:00          \_ sh
 6917 pts/25   R+     0:00              \_ ps ft
Read more »

Posted on Edited on In , Word count in article: 3.7k Reading time ≈ 13 mins.

详细过程及exp

0. Connect to the binary:

The only information provided with this challenge was an IP address and port number.
You can connect to the binary using for example netcat as below:

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[~/hackthebox/challenge/pwn/echoland]
└─# nc 138.68.136.191 32714

🦇 Inside the dark cave. 🦇
1. Scream.
2. Run outside.
> HELLO
HELLO

1. Scream.
2. Run outside.
> asd
asd

Typing HELLO or asd resulting in the same value echoed back.
Another option is to (1) Scream…

1
2
3
4
5
1. Scream.
2. Run outside.
> 1
>> AAAAAAA
Your friend did not recognize you and ran the other way!
Read more »