
All posts (50)

[Dreamhack] Level2: Mango
🛎️ Access: This challenge is about obtaining the flag stored in the database. The flag is the password of the admin account. The flag format is DH{…}. {‘uid’: ‘admin’, ‘upw’: ‘DH{32alphanumeric}’}
👾 Exploit Algorithm & Payload: const express = require('express'); const app = express(); const mongoose = require('mongoose'); mongoose.connect('mongodb://localhost/main', { useNewUrlParser: true, useUnifiedTopology: true }); const db = mongoose.connection; // fl..
2023. 8. 23.

[Dreamhack] Level1: simple_sqli
🛎️ Access: This challenge is about obtaining the flag through an SQL injection vulnerability in a login service. The flag is in flag.txt and the FLAG variable.
👾 Exploit Algorithm & Payload: #!/usr/bin/python3 from flask import Flask, request, render_template, g import sqlite3 import os import binascii app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open('./flag.txt', 'r').read() except: FLAG = '[**FLAG**]' DATABASE = "database.db" if os.path.exists..
2023. 8. 22.

[Dreamhack] Level2: shell_basic
🛎️ Access: A program that executes the shellcode you enter is registered and running as a service. Functions other than main cannot use the execve and execveat system calls and are unrelated to the solution. The location and name of the flag file is /home/shell_basic/flag_name_is_loooooong.
👾 Exploit Algorithm & Payload: // Compile: gcc -o shell_basic shell_basic.c -lseccomp // apt install seccomp libseccomp-dev #include #include #include #include #include #include #include #include #include void alarm..
2023. 8. 22.

[Dreamhack] Level1: csrf-2
🛎️ Access: This challenge is about obtaining the flag by exploiting a CSRF vulnerability in a service that implements several features and a bot that checks a submitted URL.
👾 Exploit Algorithm & Payload: #!/usr/bin/python3 from flask import Flask, request, render_template, make_response, redirect, url_for from selenium import webdriver import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" users =..
2023. 8. 21.