add HITCON CTF 2021

Author: orangetw

README.md

@@ -24,6 +24,13 @@ And you can find me via:
 
 ## **Table of Content**
 
+* [HITCON 2021](#W3rmup-PHP)
+    * [W3rmup PHP](#W3rmup-PHP)
+    * [One-Bit Man](#One-Bit-Man)
+    * [Metamon Verse](#Metamon-Verse)
+    * [FBI Warning](#FBI-Warning)
+    * [Vulpixelize](#Vulpixelize)
+
 * [HITCON 2020](#oShell)
     * [oShell](#oShell)
     * [oStyle](#oStyle)
@@ -77,6 +84,149 @@ And you can find me via:
 
 <br>
 
+## **W3rmup PHP**
+  
+Difficulty: **★★**  
+Solved: **22 / 666**  
+Tag:   **PHP**, **Code Review**, **YAML** ,**Command Injection**  
+
+#### Source Code
+
+* [Source](hitcon-ctf-2021/W3rmup-PHP/)  
+
+#### Idea
+
+* [The Norway Problem](https://hitchdev.com/strictyaml/why/implicit-typing-removed/), the country code of Norway (NO) becomes `False` in YAML
+* Bypass the `escapeshellarg` by the logic problem of `count()` + `unset()`  
+
+#### Solution
+
+* TBD
+
+#### Write Ups
+
+* TBD
+
+
+## **One-Bit Man**
+  
+Difficulty: **★**  
+Solved: **49 / 666**  
+Tag:   **PHP**, **Code Review**
+
+#### Source Code
+
+* [Source](hitcon-ctf-2021/One-Bit-Man/)  
+
+#### Idea
+
+You can flip 1-bit on any file of the latest version of WordPress and you have to pwn the server.
+
+#### Solution
+
+Flip the position `5389` of the file `/var/www/html/wp-includes/user.php` to NOP the NOT (`!`) operation.
+
+```php
+    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+            return new WP_Error(
+```
+
+#### Write Ups
+
+* TBD
+
+
+
+## **Metamon Verse**
+  
+Difficulty: **★★★☆**  
+Solved: **9 / 666**  
+Tag:   **NFS**, **SSRF** ,**RCE**  
+
+#### Source Code
+
+* [Source](hitcon-ctf-2021/oShell/)  
+
+#### Idea
+
+The idea is using the SSRF to communicate with the local NFS/RPC server to get the RCE. To complete the exploit, you have to:
+
+1. Construct the `RPC/PORTMAP_CALL` packet and send to `gopher://127.0.0.1:111/` to get the port of `mountd` service.
+2. Construct the `RPC/MNT_CALL` packet and send to `gopher://127.0.0.1:<mnt-port>/` to get the file-handler of `/data` volume (remember to specify `CURLOPT_LOCALPORT` to bypass the authentication)
+3. Construct the `RPC/NFS_CALL` packet and send to `gopher://127.0.0.1:2049/` to create a SYMLINK (remember to specify `CURLOPT_LOCALPORT` to bypass the authentication)
+4. Symlink the `/app/templates/index.html` to a controllable file to get a SSTI and get the RCE!
+
+#### Solution
+
+An dirty exploit code can be found [here](https://gist.github.com/orangetw/6d34ff98a6332bc0523b35ea952a790d)
+
+#### Write Ups
+
+* TBD
+
+
+## **FBI Warning**
+  
+Difficulty: **☆**  
+Solved: **25 / 666**  
+Tag:   **MISC**, **OSINT** ,**PHP**, **Code Review**
+
+#### Source Code
+
+* [Source](hitcon-ctf-2021/FBI-Warning/)  
+
+#### Idea
+
+The website uses a famous Message Board project [futaba-ng](https://github.com/futoase/futaba-ng), and the ID generation is based on `REMOTE_ADDR`:
+
+```php
+define("IDSEED", 'idの種');       //idの種
+...
+$now.=" ID:".substr(crypt(md5($_SERVER["REMOTE_ADDR"].IDSEED.gmdate("Ymd", $time+9*60*60)),'id'),-8);
+```
+
+#### Solution
+
+Because of the known IP prefix, you can identify the IP address of Ωrange by brute-force easily.
+
+```php
+var_dump( substr(crypt(md5("219.91.64.47"."idの種"."20211203"),"id"),-8) == "ueyUrcwA" )
+// bool(true)
+```
+
+#### Write Ups
+
+* TBD
+
+
+
+## **Vulpixelize**
+  
+Difficulty: **★☆**  
+Solved: **41 / 666**  
+Tag:   **Browser**, **Feature**
+
+#### Source Code
+
+* [Source](hitcon-ctf-2021/Vulpixelize/)
+
+#### Idea
+
+Use the Chrome new feature [Text Fragments](https://wicg.github.io/scroll-to-text-fragment/) to extract the flag.
+
+
+#### Solution
+
+* TBD
+
+#### Write Ups
+
+* TBD
+
+
+
+
+
 ## **oShell**
 
 Difficulty: **★★**  

hitcon-ctf-2021/FBI-Warning/index.html

@@ -0,0 +1,59 @@
+
+<html><head>
+<meta charset="UTF-8"/>
+<!-- meta HTTP-EQUIV="pragma" CONTENT="no-cache" -->
+<STYLE TYPE="text/css">
+<!--
+body,tr,td,th { font-size:12pt }
+a:hover { color:#DD0000; }
+span { font-size:20pt }
+small { font-size:10pt }
+-->
+</STYLE>
+<title>画像掲示板</title>
+<script language="JavaScript"><!--
+function l(e){var P=getCookie("pwdc"),N=getCookie("namec"),i;with(document){for(i=0;i<forms.length;i++){if(forms[i].pwd)with(forms[i]){pwd.value=P;}if(forms[i].name)with(forms[i]){name.value=N;}}}};onload=l;function getCookie(key, tmp1, tmp2, xx1, xx2, xx3) {tmp1 = " " + document.cookie + ";";xx1 = xx2 = 0;len = tmp1.length;	while (xx1 < len) {xx2 = tmp1.indexOf(";", xx1);tmp2 = tmp1.substring(xx1 + 1, xx2);xx3 = tmp2.indexOf("=");if (tmp2.substring(0, xx3) == key) {return(unescape(tmp2.substring(xx3 + 1, xx2 - xx1 - 1)));}xx1 = xx2 + 1;}return("");}
+//--></script>
+</head>
+<body bgcolor="#FFFFEE" text="#800000" link="#0000EE" vlink="#0000EE">
+<p align=right>
+[<a href="./" target="_top">ホーム</a>]
+[<a href="index.php?mode=admin">管理用</a>]
+<p align=center>
+<font color="#800000" size=5>
+<b><SPAN>画像掲示板</SPAN></b></font>
+<hr width="90%" size=1>
+<center>
+<form action="index.php" method="POST" enctype="multipart/form-data">
+<input type=hidden name=mode value="regist">
+
+<input type=hidden name="MAX_FILE_SIZE" value="512000">
+<table cellpadding=1 cellspacing=1>
+  <tr><td bgcolor=#eeaa88><b>おなまえ</b></td><td><input type=text name=name size="28"></td></tr>
+  <tr><td bgcolor=#eeaa88><b>E-mail</b></td><td><input type=text name=email size="28"></td></tr>
+  <tr><td bgcolor=#eeaa88><b>題　　名</b></td><td><input type=text name=sub size="35">
+  <input type=submit value="送信する"></td></tr>
+  <tr><td bgcolor=#eeaa88><b>コメント</b></td><td><textarea name=com cols="48" rows="4" wrap=soft></textarea></td></tr>
+  <tr><td bgcolor=#eeaa88><b>添付File</b></td>
+    <td><input type=file name=upfile size="35">
+    [<label><input type=checkbox name=textonly value=on>画像なし</label>]</td></tr><tr><td bgcolor=#eeaa88><b>削除キー</b></td><td><input type=password name=pwd size=8 maxlength=8 value=""><small>(記事の削除用。英数字で8文字以内)</small></td></tr>
+  <tr><td colspan=2>
+  <small>
+  <LI>添付可能ファイル：GIF, JPG, PNG ブラウザによっては正常に添付できないことがあります。
+  <LI>最大投稿データ量は 500 KB までです。sage機能付き。
+  <LI>画像は横 250ピクセル、縦 250ピクセルを超えると縮小表示されます。
+  </small></td></tr></table></form></center><hr><form action="index.php" method=POST>画像タイトル：<a href="src/1638537259302.jpg" target=_blank>1638537259302.jpg</a>-(71258 B)<br><a href="src/1638537259302.jpg" target=_blank><img src=src/1638537259302.jpg border=0 align=left width=250 height=141 hspace=20 alt="71258 B"></a><input type=checkbox name="2" value=delete><font color=#cc1105 size=+1><b>FBI was hacked</b></font> 
+Name <font color=#117743><b>Ωrange</b></font> 21/12/03(金)22:14 ID:ueyUrcwA No.2 &nbsp; 
+[<a href=index.php?res=2>返信</a>]
+<blockquote>I have hacked FBI and  dump the DB here.<br /><a href="https://tinyurl.com/fbi-hack" target="_blank">https://tinyurl.com/fbi-hack</a></blockquote><br clear=left><hr>
+<table align=right><tr><td nowrap align=center>
+<input type=hidden name=mode value=usrdel>【記事削除】[<input type=checkbox name=onlyimgdel value=on>画像だけ消す]<br>
+削除キー<input type=password name=pwd size=8 maxlength=8 value="">
+<input type=submit value="削除"></form></td></tr></table><table align=left border=1><tr><td>最初のページ</td><td>[<b>0</b>] </td><td>最後のページ</td></tr></table><br clear=all>
+
+<center>
+<small><!-- GazouBBS v3.0 --><!-- ふたば改0.8 -->
+- <a href="http://php.s3.to" target=_top>GazouBBS</a> + <a href="http://www.2chan.net/" target=_top>futaba</a>-
+</small>
+</center>
+</body></html>

hitcon-ctf-2021/FBI-Warning/src/1638537259302.jpg

@@ -0,0 +1,15 @@
+FROM ubuntu:20.04
+MAINTAINER <Orange Tsai> orange@chroot.org
+
+EXPOSE 80/tcp
+
+RUN apt update && apt install -y libcurl4-openssl-dev openssl libssl-dev python3 python3-pip nfs-common
+RUN pip3 install pycurl flask certifi
+
+COPY app/                 /app
+COPY files/readflag       /readflag
+COPY files/flag           /flag
+COPY files/entrypoint.sh  /
+
+WORKDIR /app/
+CMD ["/entrypoint.sh"]

hitcon-ctf-2021/Metamon-Verse/Dockerfile

@@ -0,0 +1,28 @@
+compile:
+	gcc -o files/readflag files/readflag.c
+
+build: compile clean
+	docker build -t metamon-verse . --no-cache
+
+test-run:
+	docker run --rm -p 12345:80 --name test --add-host=nfs.server:host-gateway --log-driver=syslog --privileged=true --env CTF_PASSWD=ctf -t -i metamon-verse
+
+test-exec:
+	docker exec -ti test /bin/bash
+
+pack: compile
+	rm -rf static/metamon-verse.tgz
+	tar --exclude='flag' --exclude='readflag.c' --transform='flags=r;s|fake-flag|flag|' -zcvf static/metamon-verse.tgz Dockerfile app/ files/
+
+mount:
+	mount -t ext4 /dev/nvme1n1 /data
+
+clean:
+	-docker rm  -f `docker ps -a -q`
+	-docker rmi -f `docker images -a -q`
+
+run: pack
+	python3 run.py 2>&1 | tee -a logs/log.txt
+
+debug-run:
+	python3 run.py debug

hitcon-ctf-2021/Metamon-Verse/Makefile

@@ -0,0 +1,80 @@
+# coding: UTF-8
+import os, sys
+from hashlib import md5
+from functools import wraps
+from flask import Flask, render_template, request
+
+import pycurl
+import certifi
+
+PORT = 80
+
+def login_required(f):
+    @wraps(f)
+    def wrapped_view(**kwargs):
+        def check_auth(username, password):
+            return username == 'ctf' and password == os.environ['CTF_PASSWD']
+        auth = request.authorization
+        if not (auth and check_auth(auth.username, auth.password)):
+            return ('Unauthorized', 401, {
+                'WWW-Authenticate': 'Basic realm="Login Required"'
+            })
+
+        return f(**kwargs)
+
+    return wrapped_view
+
+app = Flask(__name__)
+app.config['TEMPLATES_AUTO_RELOAD'] = True
+
+@app.route('/', methods=['GET'])
+@login_required
+def index():
+    return render_template('index.html')
+
+@app.route('/', methods=['POST'])
+@login_required
+def submit():
+    url = request.form.get('url')
+    if not url:
+        return render_template('index.html', msg='empty url')
+
+    opt_name, opt_value = None, None
+    for key, value in request.form.items():
+        if key.startswith('CURLOPT_'):
+            name = key.split('_', 1)[1].upper()
+            try:
+                opt_name  = getattr(pycurl, name)
+                opt_name  = int(opt_name)
+                opt_value = int(value)
+            except (AttributeError, ValueError, TypeError):
+                break
+
+            break
+
+    name = md5(request.remote_addr.encode() + url.encode()).hexdigest()
+    filename = 'static/images/%s.jpg' % name
+    with open(filename, 'wb+') as fp:
+        c = pycurl.Curl()
+        c.setopt(c.URL, url)
+        c.setopt(c.WRITEDATA, fp)
+        c.setopt(c.CAINFO, certifi.where())
+
+        if opt_name and opt_value:
+            c.setopt(opt_name, opt_value)
+        
+        try:
+            c.perform()
+            c.close()
+            msg = filename
+        except pycurl.error as e:
+            msg = str(e)
+        
+    return render_template('index.html', msg=msg)
+
+if __name__ == '__main__':
+    if 'debug' in sys.argv:
+        app.debug = True
+        PORT = 8000
+
+    app.run('0.0.0.0', PORT)