  • Tried. Failed. Logged.

๐ŸดCTF84

Hack The Box - Busqueda Writeup. Synopsis: Busqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a Python module. By leveraging this vulnerability, we gain user-level access to the machine. To escalate privileges to root, we discover credentials within a Git config file, allowing us to log into a local Gitea service. Additionally, we uncover that a system che.. 2025. 4. 16.
CTF - Wargame site collection. Web Hacking: https://www.root-me.org/?lang=en https://los.rubiya.kr/ https://webhacking.kr/ Pwnable (System Hacking): https://pwnable.kr/ Reversing: http://reversing.kr/ Etc: https://dreamhack.io/wargame Pentesting Platform: https://app.hackthebox.com/ https://tryhackme.com/ 2024. 4. 18.
Hack The Box - Archetype Writeup (2). I set up openvpn so that the virtual machine can communicate with the target machine directly. The internet connectivity that was blocked before now works. Task 4. What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? If a question is hard to understand, there is a button at the very top that opens a PDF file containing hints. Click it for reference. It appears that a connection to the MSSQL server is possible through mssqlclient.py.. 2024. 3. 4.
Hack The Box - Archetype Writeup (1). Task 1. Which TCP port is hosting a database server? For information gathering, a port scanner (nmap) is used to scan the ports the target (10.129.44.107) has open. nmap -sC -sV 10.129.44.107 The scan results show that the target has SMB (135, 139, 445) and an MS-SQL server enabled. The command options (-sC, -sV) are explained below. The answer to question 1 is 1433. Task 2. What is the name of the non-Administrative share available over SMB? On Linux, s.. 2024. 2. 28.
Root Me - TCP - Encoded string. Problem description: To start this test using the TCP protocol, you need to connect to a program on a network socket. You must decode the encoded string sent by the program. You have 2 seconds to send the correct answer from the moment the program sends the string. The answer must be sent as a string. Solution code: """ To start this test using the TCP protocol, you need to connect to a program on a network socket. You must decode the encoded character string sent by the program. You have 2 seconds to send the correct answer from the moment the program sen.. 2024. 2. 16.
Root Me - TCP - Back to school. Problem description: Calculate the square root of number 1 and multiply by number 2. Then round the result to two decimal places. You have 2 seconds to send the correct answer from the moment the program sends the calculation. The answer must be sent in the following format. Solution code: """ To start this test using the TCP protocol, you need to connect to a program on a network socket. Calculate the square root of number 1 and multiply by number 2. Then round the result to two decimal places. You have 2 seconds to send the correct answer from the .. 2024. 2. 16.
Root Me - Encoding - ASCII. Problem description: 4C6520666C6167206465206365206368616C6C656E6765206573743A203261633337363438316165353436636436383964356239313237356433323465 Hint. Answer: Split the string into pairs of characters and convert each hexadecimal value to ASCII. s = "4C6520666C6167206465206365206368616C6C656E6765206573743A203261633337363438316165353436636436383964356239313237356433323465" a, b = 0, 2 for i in range( len(s)//2 ): c = ( s[ a + (i*2) : b + (i*2) ] ) print( chr( int(c, 16) ).. 2024. 2. 16.
Root Me - CSP Bypass - Inline code. Home page: The home page shows an input field, and text entered as shown below is reflected in the page. According to the page content, the flag value is configured so that only the bot can see it. It also states that CSP is configured, so XSS is not possible. If a tag is used in that input field, an error page like the one below is displayed. The cause of the error is that "Content-Security-Policy" is set. connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'unsafe-inline'; style-src 'self.. 2024. 2. 15.
OWASP Juice Shop - Database Schema. Exfiltrate the entire DB schema definition via SQL Injection. Translated literally, this means retrieving the DB schema definitions through SQL Injection. There were broadly two attack vectors where SQLi could be tried, login and product search, but since the login part does not return the desired results via SQLi, I skipped it for now. (And for this type of challenge the attack vector has usually been the search page.) Unrelated to the topic, but the account page did allow for blind SQLi using an ERROR BASED technique. jim@juice-sh.op' AND CASE WHEN (select 1 from Users where email='jim@juice-sh.op') THEN 1.. 2023. 9. 29.
OWASP Juice Shop - Login Admin (Injection). Suppose the login query is as follows: SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL If "admin@juice-sh.op' or '1'='1'--" is entered, the query becomes: SELECT * FROM Users WHERE email = 'admin@juice-sh.op' or '1'='1'--' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL The query evaluates to true and the login succeeds. 2023. 9. 27.
OWASP Juice Shop - Upload a file larger than 100 kB. (Improper Input Validation) There are files of different sizes, as follows. The largest file is 120KB (122,880 bytes), the smallest file is 1 byte (1 byte), and the middle one is 97.6KB (100,000 bytes). File upload is allowed up to a maximum of 100 KB, so uploading the largest file produces the error shown above. Checking the Console tab in the developer tools shows an error related to fileSize. That error message appears when a large file is uploaded, and otherwise does not. Looking at vendor.js, the file where the error originates, there is a filter function that appears to compare against the maximum file size. From this, it appears that the maximum-size check is performed on the client side. So if that part is modified, might it be possible to upload a file over 100 KB.. 2023. 9. 27.
OWASP Juice Shop - Product review manipulation (Broken Access Control). The following is the screen for writing a review of a specific product. Entering arbitrary review text and pressing confirm registers the review. Inspecting the payload shows that it takes author and message. Run Burp Suite, intercept the request, and change author in the payload below to "admin@juice-sh.op". Checking the review shows that it can be made to look as if the real administrator (admin@juice-sh.op) posted it. This is an example of Broken Access Control, which is listed in the OWASP Top 10. 2023. 9. 27.