about 9 years ago

BCTF 分分鐘而已 Writeup

分分鐘而已 (Web 100)

描述

米特尼克看到現代的互聯網這麼發達簡直驚呆了,但幾秒鐘之後他就回過了神,摩拳擦掌準備一試身手,他需要拿到BAT公司中一個名叫Alice員工的秘密文件,Alice只是個初級的網絡管理員,所以想來拿他的文件也不過是分分鐘的小遊戲而已。

http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/index.php

解法

連進去之後發現上面有四個分頁,分別寫著

  • H.shao
  • Lamos
  • Angella
  • Ray

戳戳之後可以看到網址列上有所改變,例如戳 Ray 之後網址列會變成:

http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/index.php?id=8d44a8f03ab5f71ce78ae14509a03453

8d44a8f03ab5f71ce78ae14509a03453 拿去搜索後得知這是 Ray300 的 MD5 值。合理猜測那串 id 應該是人名加上三位數字做 MD5 而得。

因為我們想要拿到 Alice 的文件,就把 1000 種可能都試看看吧:

require 'digest'

1000.times do |i|
  puts i
  url = "http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/index.php"
  url << "?id=#{Digest::MD5.hexdigest('Alice%d' % i)}"
  html = `curl -s #{url}`
  puts url unless html.include?"Who are you ?"
end

$ ruby web100.rb
http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/index.php?id=d482f2fc6b29a4605472369baf8b3c47

連上之後可以看到

Hi! Alice
Personal Information:d4b2758da0205c1e0aa9512cd188002a.php

立馬連上去之後看到一張 BackTrack Linux 的桌布,檢視原始碼:

error<html>
    <head><title>BT5</title></head>
    <body style="background-position:center;background-color:black;background-image: url(./bt5.jpg);background-repeat:no-repeat;">
        <!--  $_POST['key=OUR MOTTO'] -->
    </body>
</html>

好,就送他個 key=OUR MOTTO

$ curl --data 'key=OUR MOTTO' http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/d4b2758da0205c1e0aa9512cd188002a.php
error<html>
        <head><title>BT5</title></head>
        <body style="background-position:center;background-color:black;background-image: url(./bt5.jpg);background-repeat:no-repeat;">
                <!--  $_POST['key=OUR MOTTO'] -->
        </body>
</html>

還是 error 嗚嗚嗚。

因為英語水平不好,查了才知道 motto 是啥,從 BackTrack 官網右上角發現一句話!

$ curl --data 'key=the quieter you become the more you are able to hear' http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/d4b2758da0205c1e0aa9512cd188002a.php
flag-in-config.php.bak<html>
        <head><title>BT5</title></head>
        <body style="background-position:center;background-color:black;background-image: url(./bt5.jpg);background-repeat:no-repeat;">
                <!--  $_POST['key=OUR MOTTO'] -->
        </body>
</html>

歐歐歐!

$ curl http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/flag-in-config.php.bak
.......................................................................................... .........
.......................................................................................... .........
.................................mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm............. .........
.........................mmmmmmmmmmmmmmmm..................................mmmmm.......... .........
...................mmmmmmmmmmm..........mmmmm...............mm................mmm......... .........
.................mmmm............................................mm.............mmm....... .........
..............mmmm....m..mmmmmm............mmm..............mm......m............mmm...... .........
............mmmm.................................................mm....m..........mmm..... .........
...........mmm............mmmmm....................m..........mmm...m....m.........mmm.... .........
..........mm...........m.........................m................mm...m....m.......mmm... .........
..........mm.........m............m..................................m..m....m.......mm... .........
..........mm........m..................................................m..m...........mm.. .........
.........mm..........................................mmmmmmmmmmmmmm...................mmm. .........
........mmm............mmmmmmmm...................mmmmm...mmmmmmmmmmmm.................mmm .........
....mmmm...........mmmmmmmmmmmmmm.............mmmm......mmmmmmmm..mmm..................mmm .......
...mmm...mmmmm.mmm.mmmmmmmmmmmmmmm...........mmm.....mmmmmmmmmmmmmmmmm....m....mmmmmmmm.mm mm.....
..mm...m..................mmmmmmmmmmmmm.......mmmmmmmmm...........mm...m.................. mmm....
.mm..m...mm.....................mmmm...........mmmmm......mmm..............mmmmmmmmmm..... ..mm...
.mm.m..m...mmmmmm................mm.........................mmmm.......mmmmmm......mmmm... .m.mm..
.mmm.....mmmmmmmmmm....m.........mm...........................mmmmmmmmmmm.....mm.....mmm.. .m..mmm
.mmm.....m.......mmmmmmmm........mm...........................................mm......mm.. .m..mmm
.mmm..m.......mm..mmmm........mmmm.........................................mmmmm.......mm. .m...mm
.mm....m......mm...........mmmm................mmmmmmmm................mmmmm...mmmmmm..mm. .m...mm
.mmmm...mm..mmmm..........mmmmm....................mm..............mmmmmm.....mmm.mmm.mmm. .m..mmm
..mm.mm.....mmmm.......mm..mmmmm.........mmmmmmm...mm..........mmmmmmm........mm......mm.. ....mmm
..mmm....m..mm.mmm...m........mmm..............m.mmm......mmmmmmmm.mm.......mmmm.....mm... m..mmm.
...mmm.....mmmmmmmmm............mmmmmm...............mmmmmmmm......mm....mmmmmm.........mm ..mm...
....mmm....mm.mm.mmmmmm...........mmm...........mmmmmmmm..........mmm.mmmmmmmm.......m.... .mmm...
.....mm....mmmm..mm..mmmmmmmm........mmmmmmmmmmmmmm..mm..........mmmmmmm..mmm..........mmm mm.....
.....mm....mmmm..mm....mmmmmmmmmmmmmmmmmmmm..........mm......mmmmmmmm....mmm............mm m......
.....mm....mmmm..mm...mmm.......mm.......mm..........mmm.mmmmmmmmm.mm...mmm...........mmm. .......
.....mm....mmmmmmmm...mm........mm.......mm.........mmmmmmmmmmm....mm..mmm...........mmm.. .......
.....mm....mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.......mmmmmm............mm... .......
.....mm....mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.mm...........mmm.............mmm... .......
.....mm.....mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.......mm.........mmm..............mmm.... .......
.....mm.....mm.mmmmmmmmmmmmmmmmmmmmmmmmmmm.mm..........mmm.....mmmm...............mmm..... .......
.....mm......mm.mm..mm...mm.....mmm........mm...........mm...mmmm...............mmm....... .......
.....mm......mmmmmm.mmm...mm.....mm........mm............mmmmmm................mmm........ .......
.....mm.......mmmm...mmm..mmm....mm........mm.........mmmmmm.......m.....m...mmm.......... .......
.....mm.........mmmmmmmmm..mm....mmm.......mm..mmmmmmmmm........m.....mm...mmmm........... .......
.....mm..............mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.........mm....mm....mmmm ...............
....mmm........m..........................................m.....mm....mmmmm.. ..............
....mm..........m....................................mm......m.....mmmmm..... ..............
....mm............m..............................mm......mm.....mmmmm........ ..............
..mm.....mm........mmm...........mmmmmmmmmm......mm.......mmmmmm....... ............
.mm.........m.........................mmm............mmmmm...... ........
.mmm..........mmmmmmmmmmmmmmm.....................mmmmm...... ....
.mmm..........................................mmmmm...... ..
..mmm...................................mm.mmmmm.......
...mmmm............................mmmmmmmmmm........
....mmmmm...................mmmmmmmmm..............
.......mmmmmmmmmmmmmmmmmmmmmmmm....................

被嘲笑了。

換招試試:

$ curl http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/config.php.bak
[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])]...(下略)

這長得一臉 JavaScript 樣呀,在 Chrome 的 console 中引入 jQuery 後

> $.get("http://218.2.197.237:8081/472644703485f950e3b746f2e3818f49/config.php.bak", function(data) { console.log(eval(data)); })
BCTF{fuck_the_guys_who_are_exchanging_fl4g_you_are_destroying_this_game}

耶比...?BCTF{fuck_the_guys_who_are_exchanging_fl4g_you_are_destroying_this_game}

註:比賽中我們拿到的 Flag 為 BCTF{Do_you_l0v3_pl4y_D074}

← BCTF 黑客信息系统 Writeup BCTF 最难的题目 Writeup →