官方wp:CTFtime.org / Square CTF 2023 tasks and writeups
sandbox
Description:
I “made” “a” “python” “sandbox” “”“”
nc 184.72.87.9 8008
先nc連上看看,只允許一個單詞,空格之后的直接無效了。
flag就在當前目錄下的flag.txt文件中,我們用<來代替空格
cat<flag.txt
There’s plenty of ways to break the sandbox, the two easiest that come to mind are cat${IFS}flag or python3 -> open(“flag.txt”, “r”).read()
Be The Admin
Description:
This is a very basic website where you can view other user’s profiles, but you can only see your own secret. I’ll bet other users’ secrets have something of interest
用戶身份是通過Cookie認證的,Cookie就是用戶名的base64編碼(暫且認為)
那我們把session改成Admin的base64編碼QWRtaW4=就好啦,刪掉一個等號,最后是QWRtaW4。為什么要刪掉最后一個等號呢?因為出于安全性考慮,在cookie的名或值中不能使用分號(;)、逗號(,)、等號(=)以及空格。而且等號在base64編碼中起到補位作用,去掉也不影響解碼后的數據。
Just Go Around
Description: This website is a forum where people can make posts, though it’s so broken right now that you can probably only search them. It turns out that someone posted something top secret and later deleted it, but was it truly deleted?
**Hints: ** Have you heard of “soft deletes”?
官方wp:
The index page of the website provides a search feature that performs fuzzy text search, which should indicate that it uses a modern NoSQL DB. There’s also a commented out link to the post page where you can attempt to create a new post, but when you submit the post, you are redirected to another page that says this feature no longer works. However, you can look at the HTTP requests used in that workflow and see that the post is serialized into XML before submitting, which should prompt you to try an XXE attack. Once you get that working, your goal is to use the XXE as an SSRF to query the backend elasticsearch db and get the “deleted” post. You can get the DB host name “db” by guessing/brute forcing or using the XXE for LFI and reading source/config files (or the env file)
翻譯后:
網站的索引頁提供了一個搜索功能,執行模糊文本搜索,這應該表明它使用了現代NoSQL數據庫。還有一個評論鏈接到帖子頁面,在那里你可以嘗試創建一個新的帖子,但是當你提交帖子時,你被重定向到另一個頁面,上面說這個功能不再有效。但是,您可以查看該工作流中使用的HTTP請求,并看到文章在提交之前被序列化為XML,這應該提示您嘗試XXE攻擊。一旦您使其工作,您的目標是使用XXE作為SSRF來查詢后端elasticsearch數據庫并獲取“已刪除”的帖子。您可以通過猜測/暴力強制或使用LFI的XXE和讀取源/配置文件(或env文件)來獲得DB主機名“DB”。
一些題2)
)
)
數據庫實驗(數據庫需求分析):音樂軟件數據管理系統)
)
