Someone said: 'One advantage of having a homemade server is that it becomes much harder to hack.' Do you agree? Give reasons.
Note: The files in src/public are unrelated for the challenge.
Chilli Level:
"A QA engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 99999999999 beers. Orders a lizard. Orders -1 beers. Orders a ueicbksjdhd."
I am working on yet another CTF platform. I haven't implement all the features yet, but I am confident that it is at least secure.
Thanks to Poe I coded a webpage to PDF in seconds! I am genius right?
Chilli Level:
该网站是一个可以发布帖子的网站,同时可以上传图片,所以在源码中关注一下图片上传的地方有没有漏洞
观察源码我们可以发现,这里对每张上传的图片都用 convert 函数进行了处理
router.post(
"/post",
AuthRequired,
fileUpload({
limits: {
fileSize: 2 * 1024 * 1024,
},
}),
ValidationMiddleware("post", "/forum"),
async function (req, res) {
const { title, message, parentId, ...convertParams } = req.body;
if (parentId) {
const parentPost = await db.getPost(parentId);
if (!parentPost) {
req.flashError("That post doesn't seem to exist.");
return res.redirect("/forum");
}
}
let attachedImage = null;
if (req.files && req.files.image) {
const fileName = randomBytes(16).toString("hex");
const filePath = path.join(__dirname, "..", "uploads", fileName);
try {
const processedImage = await convert({
...convertParams,
srcData: req.files.image.data,
format: "AVIF",
});
await fs.writeFile(filePath, processedImage);
attachedImage = `/uploads/${fileName}`;
} catch (error) {
req.flashError(
"There was an issue processing your image, please try again."
);
console.error("Error occured while processing image:", error);
return res.redirect("/forum");
}
}
const { lastID: postId } = await db.createPost(
req.session.userId,
parentId,
title,
message,
attachedImage
);
if (parentId) {
return res.redirect(`/forum/post/${parentId}#post-${postId}`);
} else {
return res.redirect(`/forum/post/${postId}`);
}
}
);
点击页面中的所有按钮,发现整个网站只有登录和注册两个功能,所以我们在源码中关注这两个功能。
在源码中全局搜索 flag 后,在 ProfileController 中发现了读取 flag 的代码。
public function index() {
$token = (string) $_COOKIE["token"] ?? null;
$flag = file_get_contents(filename: APPPATH . "/../flag.txt");
if (isset($token)) {
$key = (string) getenv("JWT_SECRET");
$jwt_decode = JWT::decode($token, new Key($key, "HS256"));
$username = $jwt_decode->username;
if ($username == "administrator") {
return view("ProfilePage", [
"username" => $username,
"content" => $flag,
]);
} else {
$content = "Haven't seen you for a while";
return view("ProfilePage", [
"username" => $username,
"content" => $content,
]);
}
}
}
点击页面的按钮后发现提示 This game is currently available only from dev.apacheblaze.local.
在源码中搜索这个域名,找到对应处理函数
@app.route('/', methods=['GET'])
def index():
game = request.args.get('game')
if not game:
return jsonify({
'error': 'Empty game name is not supported!.'
}), 400
elif game not in app.config['GAMES']:
return jsonify({
'error': 'Invalid game name!'
}), 400
elif game == 'click_topia':
print(request.headers)
if request.headers.get('X-Forwarded-Host') == 'dev.apacheblaze.local':
return jsonify({
'message': f'{app.config["FLAG"]}'
}), 200
else:
return jsonify({
'message': 'This game is currently available only from dev.apacheblaze.local.'
}), 200
else:
return jsonify({
'message': 'This game is currently unavailable due to internal maintenance.'
}), 200
观察 game.js 源码
if (data.status === "game_over") {
alert(`Game Over! Your score: ${data.score}`);
reset_game();
} else if (data.status === "win") {
window.location.href = `${data.url}`;
} else {
snake = data.snake;
food = { x: data.food[0], y: data.food[1] };
score = data.score;
draw();
}
题目来源:CISCN-2019 华东南-Web11
观察首页,在 footer 发现到是 PHP 的 smarty 模板引擎
随手在 X-Forwarded-For 写入一个 IP,可以看到 Current IP 显示了我们写入的 IP,于是可以判断他是通过 X-Forwarded-For 来获取 IP 的,猜测存在 SSTI 漏洞。
题目给出 IP: 39.103.138.101
第一关:请获取 XR Shop 官网源码的备份文件,并尝试获得系统上任意文件读取的能力。并且,管理员在配置 Jenkins 时,仍然选择了使用初始管理员密码,请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为 C:\ProgramData\Jenkins.jenkins。
第二关:管理员为 Jenkins 配置了 Gitlab,请尝试获取 Gitlab API Token,并最终获取 Gitlab 中的敏感仓库。获取敏感信息后,尝试连接至 Oracle 数据库,并获取 ORACLE 服务器控制权限。
第三关:攻击办公区内网,获取办公 PC 控制权限,并通过特权滥用提升至 SYSTEM 权限。
第四关:尝试接管备份管理操作员帐户,并通过转储 NTDS 获得域管理员权限,最终控制整个域环境。
