Kaspersky Industrial CTF Quals 2017 - Backdoor Pi

swing@ubuntu:~/Desktop/fs$ ls var/spool/cron/crontabs/
b4ckd00r_us3r pi

I can see there is a backdoor account.

Let's check this account.

swing@ubuntu:~/Desktop/fs$ cat var/spool/cron/crontabs/b4ckd00r_us3r 
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.80NKS4/crontab installed on Wed Oct 4 19:28:12 2017)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# m h dom mon dow command
@reboot python /bin/back

We find that, at every reboot, Python runs the file /bin/back.

Let's look at that file.

swing@ubuntu:~/Desktop/fs$ file bin/back
bin/back: python 2.7 byte-compiled

It is a compiled Python file (a .pyc without the extension).

Decompiling it gives:

# uncompyle6 version 2.12.0
# Python bytecode 2.7 (62211)
# [GCC 6.3.0 20170118]
# Embedded file name: back.py
# Compiled at: 2017-10-05 09:09:10
import sys
import os
import time
from flask import Flask
from flask import request
from flask import abort
import hashlib

def check_creds(user, pincode):
    # Only digit-only pincodes of at most 8 characters are even hashed
    if len(pincode) <= 8 and pincode.isdigit():
        val = '{}:{}'.format(user, pincode)
        # Unsalted SHA-256 of "user:pincode" compared against a hard-coded digest
        key = hashlib.sha256(val).hexdigest()
        if key == '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e':
            return 'Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}'.format(user, pincode)
    return abort(404)

app = Flask(__name__)

@app.route('/')
def hello():
    return '<h1>HOME</h1>'

@app.route('/backdoor')
def backdoor():
    # Credentials arrive as plain GET parameters: /backdoor?user=...&pincode=...
    user = request.args.get('user')
    pincode = request.args.get('pincode')
    return check_creds(user, pincode)

if __name__ == '__main__':
    app.run(threaded=True, host='0.0.0.0', port=3333)
# okay decompiling back.pyc

From this we obtain the hash value the backdoor compares against: the unsalted SHA-256 of "user:pincode", where the pincode is at most 8 digits.
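To make the weakness of check_creds() concrete, here is an added example (my own Python 3 code, not part of the challenge binary or the original writeup). It counts the pincodes the check accepts and searches that whole space offline for a given user. BACKDOOR_HASH is the constant from the decompiled back.py above; the function names are my own.

```python
import hashlib
import itertools

# Hash constant taken from the decompiled back.py above.
BACKDOOR_HASH = '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e'


def creds_hash(user, pincode):
    """SHA-256 of 'user:pincode', the same unsalted construction check_creds() uses."""
    return hashlib.sha256('{}:{}'.format(user, pincode).encode()).hexdigest()


def pincode_keyspace(max_len=8):
    """How many pincodes check_creds() accepts: every digit string of length 1..max_len."""
    return sum(10 ** k for k in range(1, max_len + 1))


def candidate_pincodes(max_len=8):
    """Yield every accepted pincode, shortest first, leading zeros included."""
    for length in range(1, max_len + 1):
        for digits in itertools.product('0123456789', repeat=length):
            yield ''.join(digits)


def find_pincode(user, target_hash, max_len=8):
    """Exhaustive offline search of the accepted space; returns the pincode or None."""
    for pin in candidate_pincodes(max_len):
        if creds_hash(user, pin) == target_hash:
            return pin
    return None


if __name__ == '__main__':
    print('pincodes the check accepts:', pincode_keyspace())
    print('recovered:', find_pincode('b4ckd00r_us3r', BACKDOOR_HASH))
```

The accepted space is 10 + 100 + ... + 10^8 = 111,111,110 strings, so once the digest is lifted from the binary the whole space is covered with a few minutes of SHA-256 on one CPU; running the module directly performs that full search. The lesson for anyone reviewing such a check is that a fast unsalted hash over a short, digit-only secret gives no protection against offline search.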

swing@ubuntu:~/Desktop/fs$ cat etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
pi:x:1000:1000:,,,:/home/pi:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:102:104::/home/ntp:/bin/false
statd:x:103:65534::/var/lib/nfs:/bin/false
messagebus:x:104:106::/var/run/dbus:/bin/false
usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
lightdm:x:106:109:Light Display Manager:/var/lib/lightdm:/bin/false
avahi:x:107:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
b4ckd00r_us3r:x:1001:1004::/home/b4ckd00r_us3r:/bin/bash
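The two manual checks above (listing the crontabs directory and reading etc/passwd) are worth scripting when triaging an extracted image. Below is an added example in Python 3, not from the original writeup: it parses passwd entries and per-user crontabs, flags human-range accounts that have a login shell, and flags @reboot jobs or interpreters run on files in system-binary or temp directories. The sample passwd and crontab text is constructed from the listings on this page; the uid threshold and the directory list are my own heuristics.

```python
import os
import re
import sys
from pathlib import Path

# Constructed sample input, modelled on the listings in this writeup (not read from a real image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
pi:x:1000:1000:,,,:/home/pi:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
b4ckd00r_us3r:x:1001:1004::/home/b4ckd00r_us3r:/bin/bash
"""
SAMPLE_CRONTABS = {
    'pi': "0 3 * * * /home/pi/backup.sh\n",
    'b4ckd00r_us3r': "# m h dom mon dow command\n@reboot python /bin/back\n",
}

NOLOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false'}
INTERPRETERS = {'python', 'python2', 'python3', 'perl', 'sh', 'bash'}
# Script locations that are unusual for a legitimate cron job (heuristic, my own choice).
ODD_SCRIPT_DIRS = re.compile(r'^/(bin|sbin|usr/bin|usr/sbin|tmp|var/tmp|dev/shm)/')


def interactive_accounts(passwd_text, min_uid=1000):
    """Return (name, uid, home, shell) for human-range accounts that can actually log in."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        uid = int(uid)
        if uid >= min_uid and uid != 65534 and shell not in NOLOGIN_SHELLS:
            found.append((name, uid, home, shell))
    return found


def parse_crontab(text):
    """Yield (schedule, command) from a user crontab, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@'):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(' ')
        else:                                         # m h dom mon dow command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = ' '.join(fields[:5]), fields[5]
        yield schedule, command.strip()


def cron_findings(crontabs):
    """Flag persistence-style entries: boot-time jobs and interpreters pointed at odd script paths."""
    findings = []
    for user, text in crontabs.items():
        for schedule, command in parse_crontab(text):
            reasons = []
            if schedule == '@reboot':
                reasons.append('runs at every boot')
            argv = command.split()
            if len(argv) > 1 and os.path.basename(argv[0]) in INTERPRETERS and ODD_SCRIPT_DIRS.match(argv[1]):
                reasons.append('interpreter runs script at ' + argv[1])
            if reasons:
                findings.append((user, schedule, command, '; '.join(reasons)))
    return findings


def triage_image(root):
    """Run both checks on an extracted or mounted filesystem image rooted at `root`."""
    root = Path(root)
    passwd_text = (root / 'etc' / 'passwd').read_text()
    cron_dir = root / 'var' / 'spool' / 'cron' / 'crontabs'
    crontabs = {p.name: p.read_text() for p in cron_dir.iterdir() if p.is_file()} if cron_dir.is_dir() else {}
    return interactive_accounts(passwd_text), cron_findings(crontabs)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        accounts, findings = triage_image(sys.argv[1])
    else:
        accounts, findings = interactive_accounts(SAMPLE_PASSWD), cron_findings(SAMPLE_CRONTABS)
    for acct in accounts:
        print('login account: %s uid=%d home=%s shell=%s' % acct)
    for user, schedule, command, why in findings:
        print('cron [%s] %s %s  <- %s' % (user, schedule, command, why))
```

Run it with the extracted image root as the only argument (here that would be the fs directory) to apply both checks to the real files; with no argument it runs on the constructed sample and reports the b4ckd00r_us3r login account and its @reboot job pointing at /bin/back. An interpreter invoked on a file sitting directly in /bin is the detail that singles out this entry, since package-managed scripts there carry their own shebang and are not normally launched as `python /bin/<name>`.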

We already know the user is b4ckd00r_us3r; all that remains is to determine the digits of the pincode, which we can do with a brute-force script.

#!/usr/bin/env python
# coding=utf-8
# Python 2: hashlib.sha256() is fed a str, exactly as the backdoor does it

import hashlib

a = '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e'

# check_creds() accepts any digit-only pincode of at most 8 characters,
# so try every length from 1 to 8, leading zeros included (at most
# 111,111,110 hashes). Printing every candidate would slow the loop
# down enormously, so only the hit is printed.
found = None
for length in range(1, 9):
    for i1 in xrange(10 ** length):
        b = 'b4ckd00r_us3r:%0*d' % (length, i1)
        key = hashlib.sha256(b).hexdigest()
        if key == a:
            found = b
            break
    if found:
        break
print found

The final result is b4ckd00r_us3r:12171337

The flag is: KLCTF{b4ckd00r_us3r:12171337}