Summary of the second 360 cup national information security technology competition for College Students

Source: Internet
Author: User

Well, I didn't solve many problems, so this is just a summary, not a writeup.

The first day was the CTF, which covered crypto, network protocols, web attack and defense, digital forensics, and reverse engineering. Before this competition I had actually taken part in only a few CTFs, so my experience was still lacking, for example in time management and in judging what kind of problem I was looking at.
At the start I did web, my teammate did reverse engineering, and another teammate was just tagging along.

When I looked at the first web problem, my first reaction was to change the address to my own mailbox, send the verification code, and check my inbox; then I switched to Gmail, thinking the problem's intranet server was too congested... My thinking was all over the place: I also sent an email to 360-question@360.cn to see whether there was an auto-reply. There wasn't.
Then I looked at this mailbox and found it did not actually exist, so I wanted to register it and set up an auto-reply; maybe that could even make things harder for the other teams...
Don't ask for trouble! I found that 360.cn mailboxes are not open for registration.
During all this I was capturing packets but not intercepting the responses: before the competition I had turned response interception off because it got in the way. On top of that, the check_rank request in the background kept refreshing, so I completely ignored the response... The key was in the response.

The CTF problems were tiered: once your total score in one tier exceeds the threshold, the next tier of problems unlocks. I couldn't do anything with Web 20, so I looked at the 10-point crypto problem:

What is this? Completely inexperienced...

I tried running the password with a script but got nothing... and I didn't even notice the hint.
At that point my teammate said he couldn't do the reverse problem either, so he went off to do forensics, which he finished quickly while I was studying Crypto 10.
Then I flipped through the network protocol problem again:

Well, it seemed I knew what was going on... but I still couldn't get it.

By then it was lunchtime, so I ate. In the afternoon I noticed the hint on the 10-point crypto problem: What is the key? The key is Rot13.
I had read the book Cryptography and Coding Theory a few days before the competition, but I didn't seem to have seen this. I googled it and found that it is one of the Caesar cipher keys, a shift of 13, for example A -> N, B -> O.
I decrypted that strange JS code... After two hours of hard work I ran it in the Chrome console... and the submission turned out to be wrong!!! I don't know why...
After the competition I asked Blue Lotus about it, and they hadn't solved it either...
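The ROT13 step above is just a Caesar shift of 13, so decoding is the same operation applied again. The following Python is an added example (not code from the original post) that implements the general Caesar shift, derives ROT13 from it, and also tries all 26 shifts with a crude keyword score, which is how you would recover the shift if the hint had not given it. The sample ciphertext and the keyword list are constructed for the example.

```python
import re

def caesar(text, shift):
    """Shift each ASCII letter by `shift` places (mod 26), keeping case.

    Digits, punctuation and whitespace pass through unchanged, which is what
    you want when the payload is source code rather than plain prose.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def rot13(text):
    """ROT13 is the Caesar cipher with key 13; applying it twice is the identity."""
    return caesar(text, 13)

# Constructed keyword list: tokens that show up in English text and in JavaScript.
COMMON_WORDS = {"the", "and", "var", "function", "return", "this", "let", "const"}

def keyword_score(text):
    """Count how many whitespace/punctuation-delimited words are common tokens."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(1 for w in words if w in COMMON_WORDS)

def brute_force(ciphertext):
    """Try every Caesar key and rank the candidates by keyword score (best first).

    Each entry is (score, shift, plaintext); the shift is the key that was used
    to encrypt, so the candidate is decrypted with the negative shift.
    """
    candidates = [(keyword_score(caesar(ciphertext, -s)), s, caesar(ciphertext, -s))
                  for s in range(26)]
    return sorted(candidates, reverse=True)

# Constructed ciphertext: a small piece of JavaScript after ROT13.
SAMPLE_CIPHERTEXT = "shapgvba(){ erghea guvf; }"

if __name__ == "__main__":
    print(rot13(SAMPLE_CIPHERTEXT))
    best_score, best_shift, best_plain = brute_force(SAMPLE_CIPHERTEXT)[0]
    print(best_shift, best_plain)
```

With the hint known, `rot13()` alone is enough; `brute_force()` shows that a keyword score picks shift 13 out of the 26 candidates on its own, which is the general technique for any unknown Caesar key.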

During this I also discussed the 20-point crypto problem with my teammates. It is an image; it seems you rename it to a zip and decompress it. Either way you get a txt file containing two items that look like MD5 hashes; these are to be decrypted, concatenated, and submitted together with an added string.

Decrypt the secret: DBDAAAC4D524F0DF9B34CCC255D061B5, then append 975c692cef5f3726f86705cbfd5dae93 to the decrypted value and use that as the pass password.

My teammate ran the two hashes through a couple of MD5 lookup websites and got nothing. Then they took them to Google. The first one turned up this:

The string "aad3b435b51404eeaad3b435b51404ee" is the LM hash for 'no password'. In other words, it's empty.

Not familiar with it. Is it empty?
After dithering for a while I took the second hash to search and finally found it here: http://sha1.znaet.org/list/2141000
It was NTLM, not MD5, with plaintext 360360.
Well, since the first one is empty... that isn't enough. Submit 360360975c692cef5f3726f86705cbfd5dae93. OK! At this point the third tier opened up too...
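The lesson of this problem is that a 32-hex-character digest is not necessarily MD5: it could equally be NTLM, MD4 or LM, and a few digests are well-known constants for an empty password. The following Python is an added example (not code from the original post) that does the triage a practitioner would do before reaching for any lookup site: it checks a digest against the public empty-password constants, reports which algorithms match its length, notes the LM "empty second half" case, and runs a small dictionary check. The wordlist is constructed; MD4 (needed for NTLM) is only available when the local OpenSSL build exposes it, so that branch degrades gracefully.

```python
import hashlib

# Public, well-known digests of the empty password / empty string.
EMPTY_PASSWORD_DIGESTS = {
    "aad3b435b51404eeaad3b435b51404ee": "LM hash of an empty password",
    "31d6cfe0d16ae931b73c59d7e0c089c0": "NTLM hash of an empty password",
    "d41d8cd98f00b204e9800998ecf8427e": "MD5 of an empty string",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": "SHA-1 of an empty string",
}
# LM hashes each 7-character half of the password separately; this is the
# half produced for "no characters", so it leaks that the password is short.
LM_EMPTY_HALF = "aad3b435b51404ee"

# Digest length alone does not identify the algorithm; 32 hex chars is ambiguous.
LENGTH_CANDIDATES = {32: ["MD5", "MD4", "NTLM", "LM"], 40: ["SHA-1"], 64: ["SHA-256"]}

def normalize(digest):
    """Lower-case the digest and reject anything that is not pure hex."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("not a hex digest")
    return d

def triage(digest):
    """Return the candidate algorithms and any notes that follow from the digest itself."""
    d = normalize(digest)
    notes = []
    if d in EMPTY_PASSWORD_DIGESTS:
        notes.append(EMPTY_PASSWORD_DIGESTS[d])
    if len(d) == 32 and d[16:] == LM_EMPTY_HALF and d[:16] != LM_EMPTY_HALF:
        notes.append("LM hash with empty second half: password has at most 7 characters")
    return {"digest": d, "candidates": LENGTH_CANDIDATES.get(len(d), []), "notes": notes}

def ntlm(password):
    """NTLM is MD4 over the UTF-16LE password; returns None if MD4 is unavailable."""
    try:
        return hashlib.new("md4", password.encode("utf-16-le")).hexdigest()
    except ValueError:
        return None

def dictionary_check(digest, wordlist):
    """Try each candidate algorithm for the digest length against a wordlist."""
    d = normalize(digest)
    for word in wordlist:
        raw = word.encode()
        if len(d) == 32:
            if hashlib.md5(raw).hexdigest() == d:
                return ("MD5", word)
            if ntlm(word) == d:
                return ("NTLM", word)
        elif len(d) == 40 and hashlib.sha1(raw).hexdigest() == d:
            return ("SHA-1", word)
    return None

# Constructed wordlist for the example.
SAMPLE_WORDLIST = ["admin", "password", "360360"]

if __name__ == "__main__":
    for h in ("aad3b435b51404eeaad3b435b51404ee", "DBDAAAC4D524F0DF9B34CCC255D061B5"):
        print(triage(h))
    print(dictionary_check("5f4dcc3b5aa765d61d8327deb882cf99", SAMPLE_WORDLIST))
```

Running `triage()` on the two hashes from the txt file shows why the MD5 sites came back empty: both are ambiguous 32-character digests, and only the context (an LM constant, an NTLM lookup) resolves them.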


I had read some image forensics problems a few days earlier... After trying it I couldn't get it out, and remembered I still had the web problems to do. But my state of mind by then was quite a mess and I had no ideas for the later web problems.

Then my muddling through came to an end...

The next day!!! Attack and defense!!!
I have to rant.

Early in the morning we were given four virtual machine jump boxes, plus one more hidden target. In short, you got the permissions and got the points.
My teammate and I divided the work. He took the first one (WordPress). I tried them one by one and found that the last one seemed to be Windows + IIS, so I decided to take on the Windows box!
After scanning I found some open ports but no clues (too little experience).
Then I went to Google to learn how to hack Windows and didn't find anything good... Then it's about (starting from ).
At this point my friend checked the source code of the homepage and found a strange link in it: a file inclusion vulnerability in a plugin. He searched online but didn't find any way to exploit it.
I thought of the ACTF writeup I had read before, which covered this situation:
First, you can try PHP stream wrappers such as data:// or php://input, but these need cooperating PHP settings on the server, and that did not seem to work here;
Then I tried including sensitive system files. I had earlier found that it was CentOS + Nginx, so I included /usr/local/nginx/conf/nginx.conf, which displayed successfully. From that we found the access log and error log paths. Of course I was thinking about poisoning the error log, but found that error_log was set to the crit level, so ordinary access errors were not recorded.

Later we found that including access_log produced a pop-up. I also noted that this was the organizer's hint... lol. We also saw other players' attempts at cracking the backend password in it.
Then I realized: could access_log be included and parsed differently?
I inserted some script pop-ups through the URL and on refresh found nothing. Then I inserted a one-line shell through the User-Agent, my friend connected with the Chopper client, and the trojan upload succeeded!
Then we got the database account and password, changed the backend password on the blog, and started updating the vulnerable plugin. Through access_log we found another arbitrary file download vulnerability in the theme, so we changed the theme. (At the time the download of wp-config.php failed and we thought it had been deleted, then realized we had forgotten a symbol.)
Then we changed the homepage with pleasure (tomorrow):
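From the defending side, the chain described above (a plugin include parameter pointed at nginx.conf, then at the access log, with a PHP tag smuggled in through the User-Agent) leaves a very recognizable trail in the access log itself. The following Python is an added example (not code from the original post) that parses nginx combined-format lines and flags the three indicators: stream wrappers in a parameter, local file paths in a parameter, and PHP open tags in the User-Agent or Referer. The log lines, IPs and the plugin path `/wp-content/plugins/example/view.php` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A PHP open tag inside a request header is the signature of log poisoning.
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# Stream wrappers handed to an include-style parameter.
WRAPPER = re.compile(r"^(php|data|file|expect|phar|zip):", re.IGNORECASE)
# Local paths that a file parameter on a web app should never reference.
LOCAL_FILE = re.compile(
    r"(\.\./|/etc/|/proc/|nginx\.conf|httpd\.conf|access_log|error_log|\.log$)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def inspect_request(entry):
    """Return the list of suspicious indicators found in one parsed request."""
    findings = []
    for header in ("ua", "referer"):
        if PHP_TAG.search(entry[header]):
            findings.append(f"php_tag_in_{header}")
    path = unquote(entry["path"])  # decode %2e%2e%2f and friends before matching
    if "?" in path:
        for pair in path.split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            if WRAPPER.match(value):
                findings.append(f"stream_wrapper:{key}")
            elif LOCAL_FILE.search(value):
                findings.append(f"local_file_ref:{key}")
    return findings

def scan(lines):
    """Scan log lines; return (ip, path, findings) for each request that raised an indicator."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the scan
        hits = inspect_request(entry)
        if hits:
            alerts.append((entry["ip"], entry["path"], hits))
    return alerts

# Constructed sample log: one clean request, then the three steps of the chain.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2014:10:01:00 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Oct/2014:10:02:13 +0800] "GET /wp-content/plugins/example/view.php?file=../../../../usr/local/nginx/conf/nginx.conf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Oct/2014:10:02:40 +0800] "GET /wp-content/plugins/example/view.php?file=php://input HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Oct/2014:10:03:05 +0800] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, hits)
```

The fourth sample line is the one that matters most: once a PHP tag has been written into the access log, any later include of that file executes it, so the header check should alert even when the request itself returned 200 and looks harmless. Limiting what the plugin's include parameter may reference (and keeping `allow_url_include` off, as the post observed the server already did) removes the other two steps.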

In the afternoon we tried privilege escalation and suddenly found... no more web shell!
The password must have been changed!
We went straight to the WordPress backend wanting to add a web shell through the Theme Editor. The other side had actually deleted the Editor (I have to rant that this is not compliant)...
We tried the plugin editor and found that the plugin could not be accessed and parsed directly; it was fruitless, and we were angry, miserable, and regretful... we had not changed the web shell's default password :-)
Then I planned to find the old version of the plugin with the vulnerability and try again. It was hard to find the plugin that included the log, and the log file was too large... it could not be accessed.
During this our opponents kept deleting our backend accounts, and they changed the homepage to say BUPT.
Unbearable! Even if we didn't score, we had to get the homepage back!
So whenever the opponent deleted the account, we connected to MySQL remotely (fortunately, while we still had the web shell we had wisely enabled MySQL remote login) and changed the password... many times over.
Finally we managed to write a one-liner to /tmp through MySQL and access it through the earlier version of the plugin. Success! (I don't know why /etc/passwd could not be included.)

By then time was almost up... The opponent deleted the backend and the homepage became inaccessible... In the end I directly wrote the following:

Then the day passed happily.

Tonight I'll take a closer look at some chapters of White Hat Talks Web Security. We gained something new from this competition.
