๋ฐ˜์‘ํ˜•

๐Ÿ”’ CTF (Dreamhack)/Web Hacking (์›นํ•ดํ‚น) 21

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น : ๐ŸŒฑ simple-web-request

https://dreamhack.io/wargame/challenges/830 ๐ŸŒฑ simple-web-request Description STEP 1~2๋ฅผ ๊ฑฐ์ณ FLAG ํŽ˜์ด์ง€์— ๋„๋‹ฌํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๊ฐ€ ์ถœ๋ ฅ๋ฉ๋‹ˆ๋‹ค. ๋ชจ๋“  ๋‹จ๊ณ„๋ฅผ ํ†ต๊ณผํ•˜์—ฌ ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt ํŒŒ์ผ๊ณผ FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค. ํ”Œ๋ž˜๊ทธ ํ˜•์‹์€ DH{...} ์ž…๋‹ˆ๋‹ค. ๐Ÿ“œ dreamhack.io ๋ฌธ์ œ STEP 1~2๋ฅผ ๊ฑฐ์ณ FLAG ํŽ˜์ด์ง€์— ๋„๋‹ฌํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๊ฐ€ ์ถœ๋ ฅ๋ฉ๋‹ˆ๋‹ค. ๋ชจ๋“  ๋‹จ๊ณ„๋ฅผ ํ†ต๊ณผํ•˜์—ฌ ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt ํŒŒ์ผ๊ณผ FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค. ํ”Œ๋ž˜๊ทธ ํ˜•์‹์€ DH{…} ์ž…๋‹ˆ๋‹ค. ํ’€์ด ๋ฌธ์ œ ํŒŒ์ผ์„ ์ฝ์„ ์ˆ˜๋งŒ ์žˆ์œผ๋ฉด ๋ฐ”๋กœ ํ•ด๊ฒฐ๋˜๋Š” ๋ฌธ์ œ @app.route("/step1", methods=["GET", "..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น : blind-command

https://dreamhack.io/wargame/challenges/73/ blind-command Read the flag file XD Reference Server-side Basic Server-side Advanced - Command Injection dreamhack.io ๋ฌธ์ œ Read FLAG file XD ํƒ์ƒ‰ ๋“ค์–ด๊ฐ€๋ฉด ๊ฝค๋‚˜ ๋ถˆ์นœ์ ˆํ•œ ํ™”๋ฉด์ด ๋‚˜์˜จ๋‹ค url ์ฟผ๋ฆฌ์— ?cmd=๊ฐ’ ์„ ์ถ”๊ฐ€ํ•˜๋‹ˆ ํ•ด๋‹นํ•˜๋Š” ๊ฐ’์ด ๋‚˜์˜ค๋Š” ๊ฐ„๋‹จํ•œ ์‚ฌ์ดํŠธ๋‹ค ๋ฌธ์ œ ํŒŒ์ผ์„ ๋ณด์ž #!/usr/bin/env python3 from flask import Flask, request import os app = Flask(__name__) @app.route('/' , methods=['GET']) def index(): cmd..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น : Carve Party

https://dreamhack.io/wargame/challenges/96/ Carve Party Description ํ• ๋กœ์œˆ ํŒŒํ‹ฐ๋ฅผ ๊ธฐ๋…ํ•˜๊ธฐ ์œ„ํ•ด ํ˜ธ๋ฐ•์„ ์ค€๋น„ํ–ˆ์Šต๋‹ˆ๋‹ค! ํ˜ธ๋ฐ•์„ 10000๋ฒˆ ํด๋ฆญํ•˜๊ณ  ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”! dreamhack.io ๋ฌธ์ œํŒŒ์ผ ์—ฌ๋Š”๋ฒ• ๋ฌธ์ œํŒŒ์ผ์„ ๋‹ค์šด๋กœ๋“œํ•˜๊ณ  ์••์ถ•์„ ํ’€๋ฉด .html ํŒŒ์ผ ํ•˜๋‚˜๊ฐ€ ๋‚˜์˜จ๋‹ค. ์ด๋ฅผ ๋ธŒ๋ผ์šฐ์ €(์›จ์ผ, ํฌ๋กฌ, ์‚ฌํŒŒ๋ฆฌ ๋“ฑ)์— ๋Œ์–ด์˜ค๋ฉด ํŒŒ์ผ์ด ์—ด๋ฆฐ๋‹ค ํ’€์ด ํ˜ธ๋ฐ•์„ 10000๋ฒˆ ํด๋ฆญํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ๋ฐ›์„ ์ˆ˜ ์žˆ๋‹ค๊ณ  ํ•œ๋‹ค. ์ฒ˜์Œ์€ ์‰ฝ๊ฒŒ ๊ฐœ๋ฐœ์ž ๋„๊ตฌ๋ฅผ ์—ด์–ด์„œ ์ฝ”๋“œ๋ฅผ ์‚ดํŽด๋ณด์ž F12 -> source var pumpkin = [ 124, 112, 59, 73, 167, 100, 105, 75, 59, 23, 16, 181, 165, 104, 43, 49, 118, 71, 1..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: web-ssrf

https://dreamhack.io/wargame/challenges/75/ web-ssrf flask๋กœ ์ž‘์„ฑ๋œ image viewer ์„œ๋น„์Šค ์ž…๋‹ˆ๋‹ค. SSRF ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” /app/flag.txt์— ์žˆ์Šต๋‹ˆ๋‹ค. Reference Server-side Basic dreamhack.io ํ•จ๊ป˜ ์‹ค์Šต์ธ ๋งŒํผ ํ’€์ด๋Š” ์ž๋ฃŒ์— ๋‹ค ๋‚˜์™€์žˆ๋‹ค. ๋‹ค๋งŒ ์ž๋ฃŒ์—์„œ ๋ถ€๋ฅดํŠธํฌ์Šค๋กœ ํฌํŠธ๋ฒˆํ˜ธ๋ฅผ ์ฐพ์•„๋‚ผ๋•Œ ํŒŒ์ด์ฌ์„ ์ด์šฉํ•˜๋Š”๋ฐ, ์ด ์ฝ”๋“œ๋ฅผ ํ›จ์”ฌ ๋” ๋‹จ์ˆœํ™”ํ•  ์ˆ˜ ์žˆ์ง€ ์•Š์„๊นŒ ์‹ถ์–ด์„œ ๊ฐ„๊ฒฐํ•˜๊ฒŒ ๋ฐ”๊ฟ”๋ดค๋‹ค. import requests ERROR_RESPONSE = "iVBORw0KGgoAAAANSUhEUgAAA04AAAF4CAYAAABjHKkYAAAMRmlDQ1BJQ0MgUHJvZmlsZQAASImVVwdYU..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น : file-download-1

https://dreamhack.io/wargame/challenges/37/ file-download-1 File Download ์ทจ์•ฝ์ ์ด ์กด์žฌํ•˜๋Š” ์›น ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. flag.py๋ฅผ ๋‹ค์šด๋กœ๋“œ ๋ฐ›์œผ๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Reference Introduction of Webhacking dreamhack.io ๋ฌธ์ œ File Download ์ทจ์•ฝ์ ์ด ์กด์žฌํ•˜๋Š” ์›น ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. flag.py๋ฅผ ๋‹ค์šด๋กœ๋“œ ๋ฐ›์œผ๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฌธ์ œํŒŒ์ผ ๋”๋ณด๊ธฐ #!/usr/bin/env python3 import os import shutil from flask import Flask, request, render_template, redirect from flag import FLAG APP = Fla..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: command-injection-1

https://dreamhack.io/wargame/challenges/44/ command-injection-1 ํŠน์ • Host์— ping ํŒจํ‚ท์„ ๋ณด๋‚ด๋Š” ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. Command Injection์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.py์— ์žˆ์Šต๋‹ˆ๋‹ค. Reference Introduction of Webhacking dreamhack.io ๋ฌธ์ œ ํŠน์ • Host์— ping ํŒจํ‚ท์„ ๋ณด๋‚ด๋Š” ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. Command Injection์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.py์— ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฌธ์ œํŒŒ์ผ ๋”๋ณด๊ธฐ #!/usr/bin/env python3 import subprocess from flask import Flask, request, render_template, redirect fro..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: csrf-2

https://dreamhack.io/wargame/challenges/269/ csrf-2 ์—ฌ๋Ÿฌ ๊ธฐ๋Šฅ๊ณผ ์ž…๋ ฅ๋ฐ›์€ URL์„ ํ™•์ธํ•˜๋Š” ๋ด‡์ด ๊ตฌํ˜„๋œ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. CSRF ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. Reference Client-side Basic dreamhack.io ๋ฌธ์ œ ์ •๋ณด ์—ฌ๋Ÿฌ ๊ธฐ๋Šฅ๊ณผ ์ž…๋ ฅ๋ฐ›์€ URL์„ ํ™•์ธํ•˜๋Š” ๋ด‡์ด ๊ตฌํ˜„๋œ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. CSRF ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ๋”๋ณด๊ธฐ #!/usr/bin/python3 from flask import Flask, request, render_template, make_response, redirect, url_for from selenium import webdriver import urllib import os app = Flask..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: csrf-1

https://dreamhack.io/wargame/challenges/26/ csrf-1 ์—ฌ๋Ÿฌ ๊ธฐ๋Šฅ๊ณผ ์ž…๋ ฅ๋ฐ›์€ URL์„ ํ™•์ธํ•˜๋Š” ๋ด‡์ด ๊ตฌํ˜„๋œ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. CSRF ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. Reference Client-side Basic dreamhack.io ๋ฌธ์ œ์ •๋ณด ์—ฌ๋Ÿฌ ๊ธฐ๋Šฅ๊ณผ ์ž…๋ ฅ๋ฐ›์€ URL์„ ํ™•์ธํ•˜๋Š” ๋ด‡์ด ๊ตฌํ˜„๋œ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. CSRF ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ๋”๋ณด๊ธฐ #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver import urllib import os app = Flask(__name__) app.secret_key = os.urand..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: simple-sqli

https://dreamhack.io/wargame/challenges/24/ simple_sqli ๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. SQL INJECTION ์ทจ์•ฝ์ ์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt, FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค. Reference Server-side Basic dreamhack.io ๋ฌธ์ œ์ •๋ณด ๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. SQL INJECTION ์ทจ์•ฝ์ ์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt, FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค. ๋”๋ณด๊ธฐ #!/usr/bin/python3 from flask import Flask, request, render_template, g import sqlite3 import os import binascii app = Flask(__name__) app.s..

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: Session-basic

https://dreamhack.io/wargame/challenges/6/ cookie ์ฟ ํ‚ค๋กœ ์ธ์ฆ ์ƒํƒœ๋ฅผ ๊ด€๋ฆฌํ•˜๋Š” ๊ฐ„๋‹จํ•œ ๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. admin ๊ณ„์ •์œผ๋กœ ๋กœ๊ทธ์ธ์— ์„ฑ๊ณตํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Reference Introduction of Webhacking dreamhack.io ๋ฌธ์ œ์ •๋ณด ์ฟ ํ‚ค์™€ ์„ธ์…˜์œผ๋กœ ์ธ์ฆ ์ƒํƒœ๋ฅผ ๊ด€๋ฆฌํ•˜๋Š” ๊ฐ„๋‹จํ•œ ๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. admin ๊ณ„์ •์œผ๋กœ ๋กœ๊ทธ์ธ์— ์„ฑ๊ณตํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฌธ์ œํŒŒ์ผ ๋”๋ณด๊ธฐ #!/usr/bin/python3 from flask import Flask, request, render_template, make_response, redirect, url_for app = Flask(__name__) try: FLAG = op..

๋ฐ˜์‘ํ˜•