
[Dreamhack] Level1: random-test

by Yun2 2024. 3. 4.

๐Ÿ›Ž๏ธ Access

A new semester has started and Dreami has been assigned a locker. But Dreami, whose memory is not great, has forgotten both the locker number and the padlock password... Please find the locker number and padlock password for Dreami! The locker number is a random 4-character string of lowercase letters or digits, and the password is a random integer between 100 and 200 inclusive. Entering both values correctly prints the flag. The flag is stored in the FLAG variable.
The flag format is DH{...}.


👾 Exploit Algorithm & Payload

> app.py

#!/usr/bin/python3
from flask import Flask, request, render_template
import string
import random

app = Flask(__name__)

try:
    FLAG = open("./flag.txt", "r").read()       # flag is here!
except:
    FLAG = "[**FLAG**]"


rand_str = ""
alphanumeric = string.ascii_lowercase + string.digits
for i in range(4):
    rand_str += str(random.choice(alphanumeric))

rand_num = random.randint(100, 200)


@app.route("/", methods = ["GET", "POST"])
def index():
    if request.method == "GET":
        return render_template("index.html")
    else:
        locker_num = request.form.get("locker_num", "")
        password = request.form.get("password", "")

        if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
            if locker_num == rand_str and password == str(rand_num):
                return render_template("index.html", result = "FLAG:" + FLAG)
            return render_template("index.html", result = "Good")
        else: 
            return render_template("index.html", result = "Wrong!")
            
            
app.run(host="0.0.0.0", port=8000)


#1


: '/' ํŽ˜์ด์ง€์—์„œ ์‚ฌ๋ฌผํ•จ ๋ฒˆํ˜ธ, ์ž๋ฌผ์‡  ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ์ž…๋ ฅ ํ›„ ๋ฐ˜์‘์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

: The code reads as follows (the challenge statement already tells you this):

1) The locker number is a random 4-character string of lowercase letters or digits.

2) The padlock password is a random integer between 100 and 200 inclusive.

3) Entering both values correctly prints the flag.


#2


: I captured the request with the Burp Suite proxy and used the Intruder feature.

: To find the locker number (locker_num), I brute-forced the characters a-z0-9 (Payload count: 36).

: I looked at the change in Length, as shown below, and inferred the value.

: For 'g' the Length differed from every other value, and the Response showed Good.


#3


: This confirmed that 'g3d2' is the locker number.


🔑 Analysis and results for obtaining the Flag DH{…}


: ๋‹ค์Œ๊ณผ ๊ฐ™์ด ์ž๋ฌผ์‡  ๋ฒˆํ˜ธ๋„ ์œ„์—์„œ ์–ธ๊ธ‰ํ–ˆ๋˜ ์กฐ๊ฑด๋Œ€๋กœ payload๋ฅผ ์ž‘์„ฑํ•˜๊ณ  Brute-Force ์‹œ์ผœ์ฃผ๋ฉด flag๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ๋‹ค.

๋ฐ˜์‘ํ˜•

'[Dreamhack]WebHacking > Wargame&CTF' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[Dreamhack] Level1: simple-ssti  (0) 2024.03.24
[Dreamhack] Level1: [wargame.kr] strcmp  (1) 2024.02.25
[Dreamhack] Level2: login-1  (2) 2024.02.25
[Dreamhack] CTF Season 5 Round #4 - BypassIF  (1) 2024.02.25
[Dreamhack] Level2: baby-sqlite  (0) 2024.02.23