
โœ’๏ธ Capture The Flag (CTF)17

[Digital Overdose CTF] This isn't bitrot WriteUp
# This isn't bitrot WriteUp
1. Read the challenge, then download the challenge file.
   + What is bitrot? Its dictionary meaning is "bit decay": old digital material becoming hard to read because the hardware or programs that supported it have been discontinued. The correct spelling is "bit rot", not "Bitrot".
2. Open the downloaded challenge file --> it shows encrypted text.
3. Decrypt the ciphertext with a cipher decoder.
   + Reading the plaintext shows that the flag is enclosed in curly braces, consists of lowercase letters, and uses underscores (_) in place of spaces.
4. I tried the candidate strings that fit the flag format one by one, as below.
   A. First attempt (including the comma and period): DOCTF{without_training,_they_la..
2022. 11. 20.
[Square CTF 2022] Alex Hanlon Has The Flag! WriteUp
# Alex Hanlon Has The Flag! Solution
1. Open the link given in the challenge.
2. Open the developer tools with F12 and analyze the web page's structure and code.
3. Go back to the initial screen and try "Alex Hanlon" as the Username and "0000" as the Password.
4. While taking a short break (not that I had done much... ^^) and browsing other challenges, I found a suggestive one.
   + It says the developers got smarter and can now prevent SQL injection on the login page --> meaning an SQL injection attack used to be possible...?
   + It was decided that the flag must no longer be hard-coded in the web application --> meaning it used to be hard-coded...?
5. Go back to the challenge web page and SQL ..
2022. 11. 19.
[WPI CTF 2022] Muffin Hater WriteUp
# WPI CTF 2022 - WriteUp
# WPI CTF 2022 WriteUp - Muffin Hater
1. Pick the Muffin Hater challenge in the Web category and check the challenge conditions.
   + An account with the username muffinhater88 already exists.
   + The website runs a version of FastAPI that has a known CVE --> after connecting to the site, the encryption key has to be recovered.
   + The service is split into a main server and a search server.
2. Connect to the given Main Server and try logging in as admin --> login fails because no admin account exists.
3. Back on the main server, try logging in as muffinhater88 --> in the username field, muffinhater88"-- ..
2022. 9. 25.
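The Square CTF entry above hints that the login page was once injectable, and the Muffin Hater entry ends with a username of the form muffinhater88"-- . The following is an added example (not code from this blog or from either CTF) showing why such a payload works: a quote character closes the string literal and "--" comments out the rest of the query, so the password comparison never runs. It uses an in-memory SQLite table with constructed users and a single-quote payload, muffinhater88'--, because the demo app quotes values with single quotes; the excerpt's payload uses a double quote, which I assume is because that challenge's query quoted values with double quotes. The parameterized version is shown alongside to confirm the same input is then treated as a literal username.

```python
import sqlite3

# Constructed sample data for this demo; not the CTF's real database.
USERS = [
    (1, "muffinhater88", "s3cret-muffins"),
    (2, "alice", "hunter2"),
]

# Assumed attacker input: the quote closes the literal, "--" comments out
# everything after it (including the AND password = ... clause).
PAYLOAD = "muffinhater88'--"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def render_vulnerable_query(username: str, password: str) -> str:
    """The query text a string-formatting login check would send to the database."""
    return (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check built by string formatting: user input becomes SQL syntax.
    Returns the matched user id, or None when no row matches."""
    row = conn.execute(render_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the payload is compared as a plain string,
    so the quote and the comment marker have no syntactic effect."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both login checks with a wrong password and return the outcomes."""
    conn = make_db()
    return {
        # honest username + wrong password: rejected even by the vulnerable check
        "vuln_wrong_pw": login_vulnerable(conn, "muffinhater88", "wrong"),
        # payload + wrong password: the password clause is commented out, login succeeds
        "vuln_payload": login_vulnerable(conn, PAYLOAD, "wrong"),
        # same payload against the parameterized query: no user named muffinhater88'--
        "safe_payload": login_safe(conn, PAYLOAD, "wrong"),
        # parameterized query still works for the real credentials
        "safe_correct": login_safe(conn, "muffinhater88", "s3cret-muffins"),
    }


if __name__ == "__main__":
    print(render_vulnerable_query(PAYLOAD, "wrong"))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints the rendered query, which makes the mechanism visible: everything from the injected "--" to the end of the line is a comment, leaving only `WHERE username = 'muffinhater88'`. Any quoting style is equally exposed when values are pasted into the SQL text; binding parameters, as login_safe does, is the fix regardless of which quote character the application uses.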
[DownUnder CTF 2022] Treasure Hunt wargame challenge solution (unsolved)
# DownUnder CTF 2022 - WriteUp 2
# DownUnder CTF 2022 WriteUp 2 - Treasure Hunt
1. Pick the Treasure Hunt challenge in the Web category and open the given link, https://web-treasure-hunt-e9a4730c2093.2022.ductf.dev/
   + The page has a login button, a sign-up button and a home button --> I wondered whether the challenge is about creating a malicious account or taking over an existing admin account.
2. Open the developer tools on the original page and check whether the FLAG is present.
   + I searched every tab and all the code, but there is no FLAG. --> For reference, the flag format is DUCTF{........}.
3. Go to the login page and adm..
2022. 9. 24.
[DownUnder CTF 2022] helicoptering wargame challenge solution (unsolved)
# DownUnder CTF 2022 - WriteUp 1
# DownUnder CTF 2022 WriteUp 1 - helicoptering
1. Pick the helicoptering challenge in the Web category and open the given link, http://34.87.217.252:30026/
   + For reference, this competition's FLAG format is DUCTF{..........}.
2. Read the challenge information on the displayed page.
   + A single FLAG is split into two hidden parts.
   --> The first part can be searched for on the "part one" page, the second on the "part two" page.
   + Access to both parts of the FLAG is blocked by a .htaccess file.
   --> Tampering with cookie or session values and other att..
2022. 9. 24.