CONFidence DS CTF (Teaser CTF)

This is my writeup from taking part in CONFidence DS CTF, which was something like an online qualifier round.


Apache Underwear (Network / Web, 400)

Pwn this server. Keep in mind, this is a web challenge :-O.

Accessing the server returns a response like the following.

HTTP/1.0 403 Too much internet
Server: Apache/3.14 Python/2.7.6
Date: Mon, 27 Apr 2015 10:14:49 GMT
Content-type: text/html

Youe IP (***.***.***.***) is too world wide ;<!-- Try wearing socks on 9090 , then visit local apache :) -->

Since it says "wearing socks on 9090", I tried entering a SOCKS5 proxy in Firefox's proxy settings, but it would not connect. While reading up on the SOCKS5 protocol and looking at a packet capture, it appeared that username/password authentication is required. Firefox, however, apparently cannot do that.

So I wrote something that could send an arbitrary username and password and tried it, but of course I did not know the username or password. I thought for a while about what to do, and then, taking the line "this is a web challenge" in the problem statement as a hint, I wondered whether it might be SQLi and sent a single ' . The authentication-failure response that should have come back did not arrive. Even more suspicious. So I sent ' or 1=1 -- and, happily, authentication succeeded.
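As an added illustration of why a lone quote produced no reply while ' or 1=1 -- was accepted (this is constructed example code, not the challenge server's actual code): an RFC 1929 username/password request parsed the way a SOCKS5 server would, and an authentication check that splices the credentials into SQL next to the parameterized version. The user table is a constructed in-memory SQLite database.

```python
import sqlite3

def build_userpass(user, pw):
    """Encode an RFC 1929 sub-negotiation request: VER=1, ULEN, UNAME, PLEN, PASSWD."""
    return bytes([1, len(user)]) + user.encode() + bytes([len(pw)]) + pw.encode()

def parse_userpass(msg):
    """Decode the same request as a SOCKS5 server would; returns (username, password)."""
    ver, ulen = msg[0], msg[1]
    assert ver == 1, "unexpected sub-negotiation version"
    uname = msg[2:2 + ulen]
    plen = msg[2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen]
    assert len(passwd) == plen, "truncated request"
    return uname.decode(), passwd.decode()

def make_db():
    """Constructed sample credential store (hypothetical user and password)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def auth_concat(db, user, pw):
    """Vulnerable check: the credentials are spliced into the query text."""
    q = "SELECT 1 FROM users WHERE name = '%s' AND pw = '%s'" % (user, pw)
    return db.execute(q).fetchone() is not None

def auth_param(db, user, pw):
    """Hardened check: bound parameters, so a quote is just data."""
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return db.execute(q, (user, pw)).fetchone() is not None

def concat_raises(db, user, pw):
    """True when the spliced query is not even valid SQL; a lone quote does this,
    which is the server-side counterpart of the missing failure reply in the writeup."""
    try:
        auth_concat(db, user, pw)
        return False
    except sqlite3.OperationalError:
        return True
```

With the parameterized version, ' or 1=1 -- is compared literally against the name column and is rejected.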

After that, a plain GET / HTTP/1.1 gives the following response.

HTTP/1.0 200 Ack
Server: Apache/3.14 mod_status  Python/2.7.6
Date: Sat, 25 Apr 2015 19:06:04 GMT
Content-type: text

Nice One ! close ...  <!-- your ip is local now, go deep into my tipi -->

At first I tried various paths that looked like they might yield the flag, but all of them returned 404. However, I noticed the suspicious string mod_status in the earlier response. So: GET /server-status HTTP/1.1.

HTTP/1.0 200 OK
Server: Apache/3.14 mod_status  Python/2.7.6
Date: Sat, 25 Apr 2015 19:07:17 GMT
Content-type: text

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 127.0.0.1</h1>

<dl><dt>Server Version: Apache/2.2.22 (Ubuntu)</dt>
</dt></dl><hr><dl>
<dt>Parent Server Generation: 0</dt>
<dt>Server uptime:  9 hour 9 minutes 9 seconds</dt>
<dt>Total accesses: 11 - Total Traffic: 999 kB</dt>
<dt>CPU Usage: u.06 s0 cu0 cs0 - .00126% CPU load</dt>
<dt>.00231 requests/sec - 0 B/second - 186 B/request</dt>
<dt>1 requests currently being processed, 5 idle workers</dt>
</dl><pre>_W____..........................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br>
"<b><code>_</code></b>" Waiting for Connection, 
"<b><code>S</code></b>" Starting up, 
"<b><code>R</code></b>" Reading Request,<br>
"<b><code>W</code></b>" Sending Reply, 
"<b><code>K</code></b>" Keepalive (read), 
"<b><code>D</code></b>" DNS Lookup,<br>
"<b><code>C</code></b>" Closing connection, 
"<b><code>L</code></b>" Logging, 
"<b><code>G</code></b>" Gracefully finishing,<br> 
"<b><code>I</code></b>" Idle cleanup of worker, 
"<b><code>.</code></b>" Open slot with no current process</p>
<p>


<table border="0"><tbody><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>0-0</b></td><td>2989</td><td>0/2/2</td><td>_
</td><td>0.01</td><td>549</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /omg-omg-s3cr3t-file.txt HTTP/1.0</td></tr>

<tr><td><b>1-0</b></td><td>2990</td><td>0/1/1</td><td><b>W</b>
</td><td>0.01</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /server-status HTTP/1.1</td></tr>

<tr><td><b>2-0</b></td><td>2992</td><td>0/2/2</td><td>_
</td><td>0.02</td><td>506</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /test HTTP/1.0</td></tr>

<tr><td><b>3-0</b></td><td>2993</td><td>0/2/2</td><td>_
</td><td>0.01</td><td>289</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /test HTTP/1.0</td></tr>

<tr><td><b>4-0</b></td><td>2994</td><td>0/2/2</td><td>_
</td><td>0.01</td><td>451</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /test HTTP/1.0</td></tr>

<tr><td><b>5-0</b></td><td>4806</td><td>0/2/2</td><td>_
</td><td>0.00</td><td>257</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /test HTTP/1.0</td></tr>

</tbody></table>
 </p><hr> <table>
 <tbody><tr><th>Srv</th><td>Child Server number - generation</td></tr>
 <tr><th>PID</th><td>OS process ID</td></tr>
 <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
 <tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
 <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
 <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
 <tr><th>Child</th><td>Megabytes transferred this child</td></tr>
 <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
 </tbody></table>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>

</body></html>

According to server-status, there is apparently something called /omg-omg-s3cr3t-file.txt. So: GET /omg-omg-s3cr3t-file.txt HTTP/1.1.

HTTP/1.0 200 OK
Server: Apache/3.14 mod_status  Python/2.7.6
Date: Sat, 25 Apr 2015 19:09:09 GMT
Content-type: text

DrgnS{S0xySqliAndAp4ch3}

Flag: DrgnS{S0xySqliAndAp4ch3}

A PNG Tale (Steganography, 200)

Find the flag hidden in this PNG file.

At first I tried playing with the colours. That did not work. I looked through the PNG structure in a hex editor. That did not work either. Then I used a tool I remembered having relied on in some CTF at some point.

png.identify.js

The blog post by the tool's author also explains a lot about PNG and is a good read.

PNG image analysis and optimization tool : document

So where is the problem this time? It is the filter optimization part. A filter type can apparently be specified per horizontal line, so here there are 800 values. Each value can supposedly range from 0 to 4, but in this image...

Line	+0	+1	+2	+3	+4	+5	+6	+7	+8	+9	+A	+B	+C	+D	+E	+F
00000000	00	00	01	00	00	00	01	00	00	01	00	00	01	01	01	00
00000010	01	01	01	00	00	01	01	00	00	01	01	01	00	01	01	00
00000020	01	01	00	00	01	00	01	00	01	01	00	01	01	01	01	00
00000030	01	01	01	00	01	00	01	00	00	00	00	01	00	01	01	00
00000040	01	00	01	00	00	01	01	00	00	01	01	01	00	01	01	00
00000050	01	00	00	01	01	00	01	00	01	01	01	01	00	01	01	00
00000060	01	00	01	00	01	01	01	00	01	01	01	00	00	00	01	00
00000070	01	00	00	00	00	01	01	00	00	01	00	01	01	01	01	00
00000080	01	00	01	00	00	01	01	00	01	00	00	01	00	00	01	00
00000090	00	01	01	01	00	01	01	00	00	00	01	00	01	01	01	00
000000A0	01	01	01	01	00	01	01	00	00	00	01	00	01	00	01	00
000000B0	00	00	00	01	00	01	01	00	01	00	01	00	00	01	01	00
000000C0	00	00	00	00	01	00	01	00	00	01	01	01	00	00	01	00
000000D0	01	01	01	00	00	00	01	00	00	00	01	00	01	00	01	00
000000E0	00	00	00	01	00	01	01	00	01	00	01	00	00	01	01	00
000000F0	00	00	00	00	01	00	01	00	00	01	01	01	00	00	01	00
00000100	01	01	01	00	00	00	01	00	01	00	00	00	00	00	01	00
00000110	00	00	01	01	00	01	01	00	01	01	00	00	01	01	01	00
00000120	01	01	01	01	00	01	01	00	01	01	01	00	00	00	01	00
00000130	01	00	00	00	00	01	01	00	00	01	00	01	01	01	01	00
00000140	01	00	01	00	00	01	01	00	00	01	00	01	01	01	01	00
00000150	01	00	00	01	00	00	01	00	00	01	01	01	00	01	01	00
00000160	00	00	01	00	01	01	01	00	01	01	01	01	00	01	01	00
00000170	01	00	00	01	01	00	01	00	01	01	01	01	00	01	01	00
00000180	01	00	01	00	01	01	01	00	01	00	01	01	01	01	01	00
00000190	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001A0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001B0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001C0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001D0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001E0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000001F0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000200	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000210	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000220	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000230	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000240	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000250	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000260	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000270	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000280	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000290	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002A0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002B0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002C0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002D0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002E0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
000002F0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000300	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00
00000310	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00

Only 0 and 1 are used. Clearly suspicious. So I treated each value as one bit, grouped them in eights into 8-bit values (least significant bit first), and converted those as ASCII codes. The result...

LSB							MSB	Dec	Char
0	0	1	0	0	0	1	0	68	D
0	1	0	0	1	1	1	0	114	r
1	1	1	0	0	1	1	0	103	g
0	1	1	1	0	1	1	0	110	n
1	1	0	0	1	0	1	0	83	S
1	1	0	1	1	1	1	0	123	{
1	1	1	0	1	0	1	0	87	W
0	0	0	1	0	1	1	0	104	h
1	0	1	0	0	1	1	0	101	e
0	1	1	1	0	1	1	0	110	n
1	0	0	1	1	0	1	0	89	Y
1	1	1	1	0	1	1	0	111	o
1	0	1	0	1	1	1	0	117	u
1	1	1	0	0	0	1	0	71	G
1	0	0	0	0	1	1	0	97	a
0	1	0	1	1	1	1	0	122	z
1	0	1	0	0	1	1	0	101	e
1	0	0	1	0	0	1	0	73	I
0	1	1	1	0	1	1	0	110	n
0	0	1	0	1	1	1	0	116	t
1	1	1	1	0	1	1	0	111	o
0	0	1	0	1	0	1	0	84	T
0	0	0	1	0	1	1	0	104	h
1	0	1	0	0	1	1	0	101	e
0	0	0	0	1	0	1	0	80	P
0	1	1	1	0	0	1	0	78	N
1	1	1	0	0	0	1	0	71	G
0	0	1	0	1	0	1	0	84	T
0	0	0	1	0	1	1	0	104	h
1	0	1	0	0	1	1	0	101	e
0	0	0	0	1	0	1	0	80	P
0	1	1	1	0	0	1	0	78	N
1	1	1	0	0	0	1	0	71	G
1	0	0	0	0	0	1	0	65	A
0	0	1	1	0	1	1	0	108	l
1	1	0	0	1	1	1	0	115	s
1	1	1	1	0	1	1	0	111	o
1	1	1	0	0	0	1	0	71	G
1	0	0	0	0	1	1	0	97	a
0	1	0	1	1	1	1	0	122	z
1	0	1	0	0	1	1	0	101	e
0	1	0	1	1	1	1	0	122	z
1	0	0	1	0	0	1	0	73	I
0	1	1	1	0	1	1	0	110	n
0	0	1	0	1	1	1	0	116	t
1	1	1	1	0	1	1	0	111	o
1	0	0	1	1	0	1	0	89	Y
1	1	1	1	0	1	1	0	111	o
1	0	1	0	1	1	1	0	117	u
1	0	1	1	1	1	1	0	125	}
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		
0	0	0	0	0	0	0	0		

Flag: DrgnS{WhenYouGazeIntoThePNGThePNGAlsoGazezIntoYou}
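As an added example (not code from the original post or from png.identify.js), here is a small Python script that pulls the per-scanline filter bytes out of a non-interlaced PNG and packs them LSB-first, the same way the table above was decoded. The sample PNG it builds is constructed here and is not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Channels per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def png_chunks(data):
    """Yield (type, data) for each chunk after the 8-byte signature."""
    assert data[:8] == PNG_SIG, "not a PNG"
    pos = 8
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length

def filter_bytes(data):
    """Return the filter type byte of every scanline of a non-interlaced PNG."""
    ihdr, idat = None, b""
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
    width, height, depth, colour, _, _, interlace = ihdr
    assert interlace == 0, "interlaced images have several sub-images; not handled here"
    stride = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # filter byte + packed pixel row
    raw = zlib.decompress(idat)
    return [raw[row * stride] for row in range(height)]

def bits_to_text(bits):
    """Pack 8 bits per character, least significant bit first (the order used in the writeup)."""
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(b << k for k, b in enumerate(bits[i:i + 8])))
    return bytes(out)

def build_sample_png(message, width=4):
    """Constructed sample: a 1-bit greyscale image whose filter bytes spell `message` LSB-first."""
    bits = [(c >> k) & 1 for c in message for k in range(8)]
    rows = b"".join(bytes([f]) + b"\x00" for f in bits)  # filter 0 (None) and 1 (Sub) are both legal
    ihdr = struct.pack(">IIBBBBB", width, len(bits), 1, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
```

On a real file, run filter_bytes on the file contents and strip the trailing NUL bytes from bits_to_text's result, as the all-zero rows at the end of the table above would produce.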

That's all.

