Is nano good?
Apparently, editing a file with nano leaves a backup copy named file~.
https://junior2.dctf-quals-17.def.camp/index.php~
<?php
$page = $_GET["page"];
$type = $_GET["type"];
if (strpos($page, './../') !== false){
header("Location: https://www.youtube.com/watch?v=dQw4w9WgXcQ");
die();
}
if (strpos($page, '..././') !== false){
header("Location: http://leekspin.com/");
die();
}
if (strpos($page, '%') !== false){
header("Location: http://www.nyan.cat/");
die();
}
if (strpos($page, 'fille') !== false){
header("Location: https://www.youtube.com/watch?v=o1eHKf-dMwo");
die();
}
if (strpos($page, '/etc/passwd') === 0) {
header("Location: https://www.youtube.com/watch?v=djV11Xbc914");
die();
}
# I wonder if I can bypass path traversal restriction by going back and forward within the directorys....
if ($type == ""){
echo file_get_contents($page.".php");
} else {
#maybe we need something from the website
echo file_get_contents($page);
}
?>
The vulnerable part:
if (strpos($page, '/etc/passwd') === 0) {
header("Location: https://www.youtube.com/watch?v=djV11Xbc914");
die();
}
strpos returns the index of the first occurrence of its second argument (the needle) within the first (the haystack). The check redirects only when that index is 0, so requesting //etc/passwd shifts the match to index 1 and the check is skipped; execution then reaches
echo file_get_contents($page);
The flag is in /etc/passwd.
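The lesson for the defender is that a substring check against the raw request string (`strpos($page, '/etc/passwd') === 0`) compares before canonicalisation, so one extra slash defeats it. The added Python below is not challenge code: it mirrors the page's prefix check, then shows a check that canonicalises the path first and only accepts an allowlisted page under the web root. The web root `/var/www/html` and the page names in `ALLOWED_PAGES` are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed web root; the challenge's real document root is not on the page.
WEB_ROOT = "/var/www/html"
# Constructed allowlist; the challenge's real page names are not on the page.
ALLOWED_PAGES = {"index", "about", "contact"}


def naive_blocks(page: str) -> bool:
    """Mirror of the challenge's check: strpos($page, '/etc/passwd') === 0.
    It blocks only when the literal string sits at offset 0 of the raw input."""
    return page.find("/etc/passwd") == 0


def resolve_page(page: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Canonicalise the requested page and accept it only if it stays under
    web_root and names an allowlisted page. Returns the file path or None."""
    # Reject raw NUL bytes and anything still URL-encoded before doing path logic.
    if "\x00" in page or "%" in page:
        return None
    # posixpath.join keeps an absolute `page` as-is, so '/etc/passwd' and
    # '//etc/passwd' both leave the web root; normpath collapses '//', './' and
    # '..' so the escape is visible after canonicalisation, not by substring.
    candidate = posixpath.normpath(posixpath.join(web_root, page))
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None  # escaped the web root (absolute path or '..' climb)
    name = posixpath.relpath(candidate, web_root)
    if name not in ALLOWED_PAGES:
        return None  # under the root, but not a page we serve
    return candidate + ".php"


if __name__ == "__main__":
    for probe in ["index", "/etc/passwd", "//etc/passwd", "../../etc/passwd"]:
        print(f"{probe!r:22} naive blocks={naive_blocks(probe)!s:5} resolved={resolve_page(probe)}")
```

The order matters: decode and canonicalise first, then compare the result against an allowlist of what the application actually serves. A blacklist of strings seen in past payloads, as in the challenge, only describes the attacks its author has already thought of.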
Are you brave enough?
I couldn't solve this during the competition. A pro explained it to me afterwards, so I'm leaving a writeup (thank you very much).
Here too there is an index.php~.
<?php
$db = mysqli_connect('localhost','web_brave','','web_brave');
$id = @$_GET['id'];
$key = $db->real_escape_string(@$_GET['key']);
if(preg_match('/\s|[\(\)\'"\/\\=&\|1-9]|#|\/\*|into|file|case|group|order|having|limit|and|or|not|null|union|select|from|where|--/i', $id))
die('Attack Detected. Try harder: '. $_SERVER['REMOTE_ADDR']); // attack detected
$query = "SELECT `id`,`name`,`key` FROM `users` WHERE `id` = $id AND `key` = '".$key."'";
$q = $db->query($query);
if($q->num_rows) {
echo '<h3>Users:</h3><ul>';
while($row = $q->fetch_array()) {
echo '<li>'.$row['name'].'</li>';
}
echo '</ul>';
} else {
die('<h3>Nop.</h3>');
}
Because $id is not wrapped in quotes, passing `id` (in backticks) makes it refer to the id column itself.
Then close the statement with ; and, instead of a comment marker, terminate it with %00, and the flag falls out.
https://brave.dctf-quals-17.def.camp/index.php?id=`id`%3b%00
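Two things go wrong in the challenge code: the blacklist regex has no entry for backticks, `;` or a NUL byte, and `$id` is pasted into the statement as SQL text while only `$key` is escaped. The added Python below is not the challenge's code; it ports the page's regex to show that the filter passes the page's input, builds the same interpolated string, and then runs the lookup as a parameterised query where the input is a bound value and returns no rows. sqlite3 stands in for MySQL and the rows are constructed; the NUL-byte truncation the page relies on is MySQL client behaviour and is not reproduced here.

```python
import re
import sqlite3
from typing import List

# Python port of the blacklist regex from the page's index.php~ (case-insensitive).
BLACKLIST = re.compile(
    r"""\s|[()'"/\\=&|1-9]|#|/\*|into|file|case|group|order|having|limit"""
    r"""|and|or|not|null|union|select|from|where|--""",
    re.I,
)


def blacklist_blocks(id_value: str) -> bool:
    """True when the challenge's character/keyword blacklist would reject id."""
    return BLACKLIST.search(id_value) is not None


def vulnerable_query(id_value: str, key_value: str) -> str:
    """The statement the challenge builds: $id is interpolated unquoted and unescaped,
    so whatever it contains becomes part of the SQL text."""
    return (
        "SELECT `id`,`name`,`key` FROM `users` WHERE `id` = "
        + id_value + " AND `key` = '" + key_value + "'"
    )


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not the challenge's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "key" TEXT)')
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "k-alice"), (2, "bob", "k-bob")],
    )
    return conn


def lookup_users(conn: sqlite3.Connection, id_value, key_value) -> List[str]:
    """Parameterised lookup: both inputs travel as bound values, never as SQL text,
    so backticks, ';' and NUL bytes in them cannot change the statement."""
    cur = conn.execute(
        'SELECT name FROM users WHERE id = ? AND "key" = ?', (id_value, key_value)
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    payload = "`id`;\x00"  # the id value from the page's final URL, URL-decoded
    print("blacklist blocks it:", blacklist_blocks(payload))
    print("interpolated SQL   :", vulnerable_query(payload, "").encode())
    conn = make_db()
    print("parameterised rows :", lookup_users(conn, payload, ""))
    print("legitimate lookup  :", lookup_users(conn, 1, "k-alice"))
```

With a bound parameter the database compares the whole string, NUL and all, against the integer id column and finds nothing. The regex port is there to make the defensive point concrete: an enumerated blacklist can only ever cover the characters its author listed, whereas parameterisation removes the question of which characters are dangerous.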
A-talkative-server
I couldn't solve this during the competition either. I might have if I had worked on it a bit more carefully, so this one is a lesson.
Visiting https://a-talkative-server.dctf-quals-17.def.camp/image.php shows an image, but the page never finishes loading.
The image seemed to be the only clue, so I downloaded it; it turned out to be a huge PNG of about 11 GB.
The data after the PNG is apparently filled with \x00 bytes for most of its length.
Extracting everything other than \x00 bytes and cat-ing it yields
DCTF{1542879e00fdfffg8794348ai like trains9ea1ab24e12abba1sbax4dea314a8787542aea10951db794}
But the flag format is supposedly DCTF{32_bytes_in_hex}, so the parts that don't fit have to be removed.
That alone wasn't enough to tell which parts, so hexdumping the original downloaded PNG gives:
00004ce0 84 00 00 00 00 49 45 4e 44 ae 42 60 82 00 00 00 |.....IEND.B`....|
00004cf0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
a0004ce0 00 00 00 00 00 00 00 00 00 00 00 00 00 44 43 54 |.............DCT|
a0004cf0 46 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |F{..............|
a0004d00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
dac04cf0 00 00 31 35 34 32 00 00 00 00 00 00 00 00 00 00 |..1542..........|
dac04d00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
df1f34f0 00 00 00 00 00 00 38 37 39 65 00 00 00 00 00 00 |......879e......|
df1f3500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
fdbff8f0 00 00 00 00 00 00 00 00 00 00 30 30 66 64 00 00 |..........00fd..|
fdbff900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1021ff8f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 66 |..............ff|
1021ff900 66 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |fg..............|
1021ff910 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
11d060d00 00 00 38 37 39 34 00 00 00 00 00 00 00 00 00 00 |..8794..........|
11d060d10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
11dadf100 00 00 00 00 00 00 33 34 38 61 00 00 00 00 00 00 |......348a......|
11dadf110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
11ea93100 00 00 00 00 00 00 00 00 00 00 69 20 6c 69 6b 65 |..........i like|
11ea93110 20 74 72 61 69 6e 73 00 00 00 00 00 00 00 00 00 | trains.........|
11ea93120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
11fa47110 00 00 00 00 00 00 00 39 65 61 31 00 00 00 00 00 |.......9ea1.....|
11fa47120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
12ae4b910 00 00 00 00 00 00 00 00 00 00 00 61 62 32 34 00 |...........ab24.|
12ae4b920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
13ff13110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 |...............e|
13ff13120 31 32 61 00 00 00 00 00 00 00 00 00 00 00 00 00 |12a.............|
13ff13130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
142714120 00 00 00 62 62 61 31 00 00 00 00 00 00 00 00 00 |...bba1.........|
142714130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
15d575520 00 00 00 00 00 00 00 73 62 61 78 00 00 00 00 00 |.......sbax.....|
15d575530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1783d6920 00 00 00 00 00 00 00 00 00 00 00 34 64 65 61 00 |...........4dea.|
1783d6930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
17ae38920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 |...............3|
17ae38930 31 34 61 00 00 00 00 00 00 00 00 00 00 00 00 00 |14a.............|
17ae38940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
17cc3d130 00 00 00 38 37 38 37 00 00 00 00 00 00 00 00 00 |...8787.........|
17cc3d140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1a1a10d30 00 00 00 00 00 00 00 35 34 32 61 00 00 00 00 00 |.......542a.....|
1a1a10d40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1ae215d30 00 00 00 00 00 00 00 00 00 00 00 65 61 31 30 00 |...........ea10.|
1ae215d40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1dc615d30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 |...............9|
1dc615d40 35 31 64 00 00 00 00 00 00 00 00 00 00 00 00 00 |51d.............|
1dc615d50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1e1615d40 00 00 00 62 37 39 34 00 00 00 00 00 00 00 00 00 |...b794.........|
1e1615d50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1f6a15d40 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00 00 |.......}........|
1f6a15d50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
so stripping out the 4-character runs that contain non-hex characters produced a flag that was accepted:
DCTF{1542879e00fd8794348a9ea1ab24e12abba14dea314a8787542aea10951db794}
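The dump shows the structure that the cat output hid: each fragment is a separate run of non-NUL bytes, separated by long stretches of padding, and the decoys (fffg, i like trains, sbax) are simply runs that are not four hex digits. The added Python below is not from the original writeup; it streams a file in fixed-size blocks so an 11 GB image never has to fit in memory, stitches runs that cross a block boundary, and keeps only the 4-hex-digit runs between the DCTF{ and } runs. The SAMPLE buffer is a constructed stand-in for the real file, using the fragments in the order the page's dump shows them but with much shorter padding.

```python
import io
import re
from typing import BinaryIO, Iterator, Optional

HEX_CHUNK = re.compile(rb"^[0-9a-f]{4}$")  # DCTF{32_bytes_in_hex} arrives in 4-digit pieces


def iter_nonnull_runs(stream: BinaryIO, block_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield every maximal run of non-NUL bytes, reading fixed blocks so the whole
    file is never held in memory. A run split across two blocks is reassembled."""
    pending = b""
    while True:
        block = stream.read(block_size)
        if not block:
            break
        parts = block.split(b"\x00")
        parts[0] = pending + parts[0]  # continue the run left open by the previous block
        pending = parts.pop()          # the last piece may continue into the next block
        for part in parts:
            if part:
                yield part
    if pending:
        yield pending


def recover_flag(stream: BinaryIO, block_size: int = 1 << 20,
                 prefix: bytes = b"DCTF{", suffix: bytes = b"}") -> Optional[str]:
    """Keep only the 4-hex-digit runs between the prefix run and the suffix run,
    and require exactly 32 bytes (64 hex digits) of body."""
    runs = list(iter_nonnull_runs(stream, block_size))
    try:
        start = runs.index(prefix)
        end = runs.index(suffix, start + 1)
    except ValueError:
        return None
    body = b"".join(run for run in runs[start + 1:end] if HEX_CHUNK.match(run))
    if len(body) != 64:
        return None
    return (prefix + body + suffix).decode("ascii")


def recover_flag_from_bytes(data: bytes, block_size: int = 1 << 20) -> Optional[str]:
    return recover_flag(io.BytesIO(data), block_size)


# Constructed sample: a fake IEND tail, then the fragments from the page's dump,
# each followed by NUL padding (7 bytes here instead of hundreds of megabytes).
PIECES = [b"1542", b"879e", b"00fd", b"fffg", b"8794", b"348a", b"i like trains",
          b"9ea1", b"ab24", b"e12a", b"bba1", b"sbax", b"4dea", b"314a", b"8787",
          b"542a", b"ea10", b"951d", b"b794"]
SAMPLE = (b"\x84\x00\x00\x00\x00IEND\xaeB`\x82" + b"\x00" * 13
          + b"DCTF{" + b"\x00" * 17
          + b"".join(p + b"\x00" * 7 for p in PIECES)
          + b"}" + b"\x00" * 9)

if __name__ == "__main__":
    # A tiny block size forces runs such as "i like trains" to span several blocks.
    print(recover_flag_from_bytes(SAMPLE, block_size=5))
```

Running it on the real file would be `recover_flag(open("image.png", "rb"))` with the default block size. Validating the body against the stated format (64 hex digits) is what turns "remove the parts that don't look right" into a check the script can make for you.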
A thousand words
Ten text files are given.
Concatenating the diffs between 0001.txt and each of the other files yields the flag.
Inception
The flag is written in one of the files extracted with foremost.
HitandSplit
Running strings showed the string DCTF, so I figured the flag was in some packet; looking through the telnet traffic, there it was.