<h2>Capture the Flag: solving flags 0 to 3</h2>
<p>Published 2019-02-17 (updated 2019-02-27) on <a href="https://prague.wordcamp.org/2019/capture-the-flag-reseni-flagu-0-3/">prague.wordcamp.org</a>.</p>
<p>In this write-up we describe how the first four flags in our competition for free WordCamp tickets could be found.</p>
<p>Video walkthrough: <a href="https://www.youtube.com/embed/UyY6XilpEkg">https://www.youtube.com/embed/UyY6XilpEkg</a></p>
<p><a href="/capture-the-flag-reseni-flagu-4-6/">&gt; flags 4 to 6</a></p>
<h3><strong>Flag 0</strong>: "Images small and large"</h3>
<p>Anyone who has played a CTF before knows that warm-up tasks are often about uncovering information hidden in metadata of one kind or another. Our CTF is no exception, so you could easily find the image flag-1024×413.jpg. It was then enough to view its EXIF metadata and the first flag was yours.</p>
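<p>The following is an added example, not code from the original post: a small Python walker over the marker segments of a JPEG that pulls out the Exif (APP1) block and any plain-text comments (COM), reads the ASCII tags from the Exif IFD, and measures how much of the file the metadata occupies. It covers both the EXIF lookup used for this flag and the metadata-versus-pixel-data comparison this section comes back to. The sample JPEG is constructed inside the script (its scan data is filler, so it is not a viewable picture); the tag values in it are made up.</p>

```python
"""Added example (not code from the original post): walk the marker
segments of a JPEG, pull the Exif (APP1) and comment (COM) metadata out
of it, and measure how much of the file the metadata occupies.  The
sample JPEG at the bottom is constructed by hand for this demo; its
"scan data" is just filler, so it is not a viewable picture."""
import struct

SOS, EOI = 0xFFDA, 0xFFD9
APP1, COM = 0xFFE1, 0xFFFE
# Exif tag ids for the ASCII fields that most often leak something useful.
EXIF_ASCII_TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
                   0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}


def jpeg_segments(data: bytes) -> list:
    """Return [(marker, payload), ...] for every segment up to and including SOS.
    Entropy-coded image data after SOS carries no length field, so we stop there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 2 <= len(data):
        marker, = struct.unpack(">H", data[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        if marker == EOI:
            break
        if marker == 0xFF01 or 0xFFD0 <= marker <= 0xFFD7:   # TEM / RSTn: no length
            pos += 2
            continue
        length, = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            break
    return segments


def tiff_ascii_tags(tiff: bytes) -> dict:
    """Read the ASCII entries of IFD0 from the TIFF structure inside an Exif block."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd, = struct.unpack(order + "I", tiff[4:8])
    count, = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    tags = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        if typ != 2:                       # 2 = ASCII; other types are skipped here
            continue
        if n <= 4:                         # short values are stored inline
            raw = tiff[e + 8:e + 8 + n]
        else:                              # longer ones live at an offset
            off, = struct.unpack(order + "I", tiff[e + 8:e + 12])
            raw = tiff[off:off + n]
        tags[EXIF_ASCII_TAGS.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def inspect_jpeg(data: bytes) -> dict:
    """Summarise metadata segments and their share of the file."""
    result = {"exif": {}, "comments": [], "metadata_bytes": 0}
    for marker, payload in jpeg_segments(data):
        if 0xFFE0 <= marker <= 0xFFEF or marker == COM:   # APPn and COM are metadata
            result["metadata_bytes"] += 4 + len(payload)
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            result["exif"] = tiff_ascii_tags(payload[6:])
        elif marker == COM:
            result["comments"].append(payload.decode("latin-1"))
    result["image_bytes"] = len(data) - result["metadata_bytes"]
    result["metadata_share"] = round(result["metadata_bytes"] / len(data), 3)
    return result


# --- constructed fixture -------------------------------------------------
def _tiff_with_ascii(tags: dict) -> bytes:
    """Build a minimal little-endian TIFF whose IFD0 holds only ASCII tags."""
    items = sorted(tags.items())
    data_off = 8 + 2 + 12 * len(items) + 4      # where out-of-line values start
    ifd, blob = struct.pack("<H", len(items)), b""
    for tag, text in items:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            ifd += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            ifd += struct.pack("<HHII", tag, 2, len(value), data_off + len(blob))
            blob += value
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + blob


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP1, b"Exif\x00\x00" + _tiff_with_ascii(
        {0x010E: "constructed sample image", 0x0131: "handmade"}))
    + _segment(COM, b"comment: look here")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00" * 16                                # stand-in for entropy-coded data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(inspect_jpeg(SAMPLE_JPEG))
```

<p>Run against a real thumbnail, <code>metadata_share</code> is the number worth looking at: a 150×150 px file where it exceeds 0.5 is one whose optimiser left the camera metadata in place. Only IFD0 ASCII tags are read here; GPS and the Exif sub-IFD hang off pointer tags that this reader skips.</p>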
<p>If you know how WordPress handles images, you surely soon got to the original image in the largest resolution and picked up another flag: the width×height suffix marks a resized copy that WordPress generated on upload, so dropping the suffix from flag-1024×413.jpg points at the unscaled original. The last flag, conversely, hid in the smallest size, the 150×150 px version used for thumbnails.</p>
<p>Image metadata can run to several tens of kB, and for thumbnails in particular it can take up more space than the image data itself. That is worth keeping in mind when optimising images. In the metadata you will often find when the photo was taken, with which camera, possibly which software edited it, and on photos from phones frequently the GPS coordinates as well.</p>
<h3><strong>Flag 1</strong>: "My better version"</h3>
<p>While examining the page source you certainly found the "generator" meta tag very quickly; it usually shows the WP version. On our test site it revealed part of flag 1. The original version number had been overwritten there with the <a href="https://developer.wordpress.org/reference/functions/the_generator/">the_generator</a> filter. This set of flags focused precisely on WP version disclosure, so to collect the flags you had to visit the other places where the version is printed.</p>
<p>Readme.html has not been usable for this purpose for some time now (although it at least reveals that this is a fairly recent WP line).</p>
<p>The version often turns up in feeds. Visiting the RSS feed, for example at /feed, immediately gave us another flag. 
The real version here had been replaced by redefining the global variable <a href="https://codex.wordpress.org/Global_Variables#Version_Variables">$wp_version</a>. The same flag could therefore also be read at /wp-links-opml.php.</p>
<p>A less well-known place where the WP version can be read is /wp-admin/install.php or /wp-admin/upgrade.php. There, the value from version.php is shown, unfiltered, in the ?ver= query parameter of the static assets the page loads. Because WordPress serves these two pages in installing mode and does not load plugins there, not even security plugins can modify this value.</p>
<p>That gave us the last part of the key.</p>
<p>Although the recommendation to hide the WP version is often found among tips for hardening WordPress, it has minimal effect on security. As we have seen, the version can be read in many ways, and attacking bots simply try known exploits without examining the site at all. Keeping WordPress, plugins and themes updated is what actually closes those exploits; hiding the number only removes a convenience.</p>
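<p>As an added example (not code from the original post), this Python script does what a scanner does with the disclosure points just listed: it extracts a version candidate from the generator meta tag, the feed, the OPML comment and the ?ver= query on install.php assets, then cross-checks them, treating the install.php value as the one a filter cannot touch. The response bodies are constructed and trimmed to the relevant lines; the version numbers in them (9.9.9 as the spoofed value, 5.0.3 as the "real" one) are made up for the demo, and example.test is a placeholder host.</p>

```python
"""Added example (not code from the original post): collect WordPress
version candidates from several disclosure points and cross-check them.
The HTTP bodies below are constructed, trimmed to the relevant lines,
and the version numbers in them are made up for the demo."""
import re

# Where the version shows up and what it looks like there.  The the_generator()
# output (meta tag, feed <generator>, OPML comment) can be rewritten by a
# filter; the ?ver= on assets of install.php/upgrade.php cannot, because
# plugins are not loaded while WordPress is in installing mode.
SOURCES = {
    "generator meta": re.compile(r'<meta name="generator" content="WordPress ([\w.-]+)"'),
    "feed generator": re.compile(r"<generator>https?://wordpress\.org/\?v=([\w.-]+)</generator>"),
    "opml comment":   re.compile(r'<!-- generator="WordPress/([\w.-]+)" -->'),
    "asset ?ver=":    re.compile(r"/wp-admin/(?:css|js)/[\w./-]+\?ver=([\w.-]+)"),
}
UNFILTERED_PAGES = ("/wp-admin/install.php", "/wp-admin/upgrade.php")


def fingerprint(responses: dict) -> dict:
    """Map (path, source) -> version string for every match found."""
    found = {}
    for path, body in responses.items():
        for name, rx in SOURCES.items():
            m = rx.search(body)
            if m:
                found[(path, name)] = m.group(1)
    return found


def reconcile(found: dict) -> dict:
    """Group the sightings by version and pick the one that cannot be faked."""
    by_version = {}
    for (path, name), ver in found.items():
        by_version.setdefault(ver, []).append(f"{name} on {path}")
    unfiltered = [ver for (path, name), ver in found.items()
                  if name == "asset ?ver=" and path in UNFILTERED_PAGES]
    return {
        "candidates": by_version,
        "likely_real": unfiltered[0] if unfiltered else None,
        # Disagreement between sources is itself a finding: someone is
        # rewriting the generator string, which says nothing about patch level.
        "spoofed": len(by_version) > 1,
    }


SAMPLE_RESPONSES = {   # constructed bodies
    "/": '<html><head><meta name="generator" content="WordPress 9.9.9" /></head></html>',
    "/feed/": "<rss><channel><generator>https://wordpress.org/?v=9.9.9</generator></channel></rss>",
    "/wp-links-opml.php": '<?xml version="1.0"?>\n<!-- generator="WordPress/9.9.9" -->\n<opml version="1.0"></opml>',
    "/wp-admin/install.php": "<link rel='stylesheet' id='install-css' "
                             "href='https://example.test/wp-admin/css/install.min.css?ver=5.0.3' media='all' />",
}

if __name__ == "__main__":
    verdict = reconcile(fingerprint(SAMPLE_RESPONSES))
    for ver, where in verdict["candidates"].items():
        print(ver, "<-", ", ".join(where))
    print("likely real:", verdict["likely_real"], "| spoofed:", verdict["spoofed"])
```

<p>On a site that blocks /wp-admin/install.php at the web server, <code>likely_real</code> comes back as None and the remaining sources have to be weighed against each other; a version string that the generator tag, the feed and the OPML all agree on but that does not match any released WordPress is the tell-tale of a filter at work.</p>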
<p><a href="https://lynt.cz/blog/verze-wordpress-skryvat-nebo-ne">More detailed information on hiding versions</a>.</p>
<h3><strong>Flag 2</strong>: "Stray files"</h3>
<p>Whether you examined the site by hand or scanned it with a tool such as <a href="https://wpscan.org/">WPScan</a>, you certainly turned up a few files that have no business being on a production site.</p>
<p>For example, it was possible to find /wp-content/debug.log, into which you can have <a href="https://codex.wordpress.org/Debugging_in_WordPress#WP_DEBUG_LOG">errors logged</a> instead of showing them to visitors. Leaving this file reachable is certainly unwise, because a lot can be read from it, above all what is broken on your site (and, along the way, full server paths and the names of the plugins that misbehave). In our debug log, however, you found "only" a flag.</p>
<p>Another bad habit is a file with the output of the phpinfo() function. 
It contains useful information about the site's configuration, server paths and environment variables: information an attacker can use in further types of attacks.</p>
<p>On our site you could thus find phpinfo.php (with a small twist: this file deliberately returned a 404 status code, so the simpler automated scans, which discard non-200 responses without looking at the body, overlook it).</p>
<p>If you use the version control tool Git for development, it can happen that you inadvertently leave the whole repository reachable on the server. Unfortunately that happened to us too, so from /.git/index you could easily learn of a text file in the web root with the flag in its name. With the rest of the .git directory reachable as well, an attacker does not stop at file names: the objects can be downloaded and the full source, including any committed configuration, checked out.</p>
<p><a href="https://lynt.cz/blog/globalni-scan-otevrenych-git-repozitaru">More about the problem of open .git repositories</a>.</p>
<h3><strong>Flag 3</strong>: "Just browsing"</h3>
<p>For the previous key we found the flag in the name of a text file. There were several more of them on the site, though. You could find them thanks to enabled directory listings, which is again a feature that should not be enabled in production. 
wpscan will of course report this problem too.</p>
<p>It was therefore enough to look at three places where WP lists files, because by default these folders contain no index.html/php:</p>
<ul>
<li>/wp-content/uploads</li>
<li>/wp-includes/</li>
<li>/wp-content/languages</li>
</ul>
<p>An enabled directory listing can become a critical problem, for example in combination with a backup plugin that stores its backups in the uploads folder and does not guard against listings. Disable listings at the web server (Options -Indexes in Apache, autoindex off in nginx) rather than relying on every plugin to drop its own index.php.</p>
<p>Did the solution seem easy to you? Next time we will look at a few more flags, which may already be harder.</p>
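<p>As an added example (not code from the original post), the Python below triages the kinds of leftovers described under Flag 2 and Flag 3 in one pass: it recognises a debug.log, a phpinfo() page and a directory listing by their content rather than by status code, so the 404 trick on phpinfo.php does not hide it, and it parses /.git/index for real (version 2 format, checksum verified) to list the tracked file names. The responses are constructed fixtures built inside the script; the git index is generated by a helper with zeroed stat data, and the file names, log line, plugin path and PHP version in the fixtures are made up.</p>

```python
"""Added example (not code from the original post): triage a handful of
fetched paths for the leftovers discussed under Flag 2 and Flag 3.  Each
check judges the body, not the status code, and /.git/index is parsed
for real to list the tracked file names.  The responses below are
constructed fixtures; the paths inside the fake git index are made up."""
import hashlib
import re
import struct

# Patterns for things that should never be reachable on a production site.
PHPINFO_RX = re.compile(r"phpinfo\(\)</title>|<h1 class=\"p\">PHP Version")
LISTING_RX = re.compile(r"<title>Index of /|Parent Directory", re.I)
DEBUG_LOG_RX = re.compile(r"^\[\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2} UTC\] PHP ", re.M)


def parse_git_index(data: bytes) -> list:
    """Return the tracked paths from a version-2 .git/index (git's default).
    Entry layout: 62 fixed bytes (stat data, object id, flags), then the
    path, then NUL padding so the entry is a multiple of 8 bytes."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"index version {version} not handled")  # v3/v4 add extended flags / prefix compression
    # Trailing SHA-1 over everything before it (SHA-256 repos use 32 bytes instead).
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch: truncated or tampered index")
    pos, paths = 12, []
    for _ in range(count):
        flags, = struct.unpack(">H", data[pos + 60:pos + 62])
        name_len = flags & 0xFFF
        if name_len == 0xFFF:                   # names >= 4095 bytes: length not stored, scan for NUL
            name_len = data.index(b"\x00", pos + 62) - (pos + 62)
        paths.append(data[pos + 62:pos + 62 + name_len].decode("utf-8", "replace"))
        entry_len = 62 + name_len
        pos += entry_len + (8 - entry_len % 8)
    return paths


def triage(responses: dict) -> list:
    """responses: path -> (status, body).  Returns (path, what, status, detail) findings."""
    findings = []
    for path, (status, body) in responses.items():
        if isinstance(body, bytes) and body.startswith(b"DIRC"):
            paths = parse_git_index(body)
            findings.append((path, f"exposed git index listing {len(paths)} files", status, paths))
            continue
        text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
        # A 404 status with a phpinfo body still leaks everything phpinfo shows.
        if PHPINFO_RX.search(text):
            findings.append((path, "phpinfo() output", status, None))
        if LISTING_RX.search(text):
            findings.append((path, "directory listing", status, None))
        if DEBUG_LOG_RX.search(text):
            findings.append((path, "WP debug.log", status, None))
    return findings


# --- constructed fixtures ------------------------------------------------
def build_git_index(paths: list) -> bytes:
    """Write a minimal but valid v2 index (zeroed stat data, blank object ids)."""
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    for p in sorted(paths):                     # git keeps entries sorted by path
        name = p.encode()
        entry = (struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
                 + b"\x00" * 20 + struct.pack(">H", len(name)) + name)
        body += entry + b"\x00" * (8 - len(entry) % 8)
    return body + hashlib.sha1(body).digest()


SAMPLE_RESPONSES = {
    "/wp-content/debug.log": (200, "[17-Feb-2019 16:25:12 UTC] PHP Notice:  Undefined index: id in "
                                    "/var/www/html/wp-content/plugins/demo/demo.php on line 12\n"),
    "/phpinfo.php": (404, "<html><head><title>PHP 7.2.14 - phpinfo()</title></head><body>...</body></html>"),
    "/.git/index": (200, build_git_index(["index.php", "todo-before-launch.txt", "wp-config.php"])),
    "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
    "/wp-includes/": (403, "<html><head><title>403 Forbidden</title></head></html>"),
}

if __name__ == "__main__":
    for path, what, status, detail in triage(SAMPLE_RESPONSES):
        print(f"{status} {path}: {what}" + (f" -> {detail}" if detail else ""))
```

<p>The index only gives file names; the checksum test matters because a partially downloaded or deliberately truncated index parses "successfully" up to the point where it stops and would silently under-report what is tracked. For the fix, blocking <code>/.git/</code> at the web server is the quick measure; not deploying the repository directory at all is the real one.</p>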