CTF: Information leakage. (CTFHub shooting range environment)


"Information leakage" means that a website inadvertently discloses sensitive information to its users: data about other users (for example another user's financial information), sensitive business or commercial data, or technical details about the website and its infrastructure. The danger of leaking user or business data is obvious, but leaking technical information can be just as serious: even if a single piece of information has limited use on its own, it can be the starting point for discovering other attack surfaces, which may in turn contain further vulnerabilities.

Table of contents:

CTF: Information Disclosure:
(1) Directory traversal:
(2) PHPINFO:
(3) Backup file download:
    1. Website source code
    2. bak file
    3. vim cache
    4. .DS_Store
(4) git leaked:
    1. Log
    2. Stash
    3. Index
(5) SVN leakage
(6) HG leaked


CTF: Information Disclosure:

(1) Directory traversal:

Directory traversal is a web vulnerability that lets a visitor walk through any file on the server and may leak sensitive information such as user data and program code. The root cause is that user-supplied directory-jump sequences such as ../ are not filtered, so an attacker can use them to reach any file on the server.


① Click to enter the environment.


② There is a prompt message here. If there is no direct message prompt on the page, we press F12 to see if there is any message prompt in the front-end code.


③ Look for the flag file. (We know this is a directory traversal vulnerability, so just click through the directories one by one and look.)


(2) PHPINFO:

PHPInfo information-leakage issues often arise from default installation packages such as phpstudy: after the default installation completes, the files that exist only to test the environment are not deleted in time. The most common names are phpinfo.php, 1.php and test.php. Through phpinfo an attacker learns details of the PHP environment and its variables; on its own this is only information, but combined with other vulnerabilities it may lead to system penetration and privilege escalation.


① Click to enter the environment.


② There is a prompt message here. If there is no direct message prompt on the page, we press F12 to see if there is any message prompt in the front-end code.


③ Look for the flag file. (After looking around there is nothing else to do, so just search the page for the keyword.)

"Ctrl+F is the find shortcut; it is normally used to jump quickly to a location inside a long web page or document."


(3) Backup file download:

1. Website source code:

When developers back up the source code in an online environment and place the backup file in the web directory, the website source code will be leaked.


① Click to enter the environment.


② There is a prompt message here. If there is no direct message prompt on the page, we press F12 to see if there is any message prompt in the front-end code.


③ Find the flag file.

Method:
(1) Take the hints given by the challenge and try each one.

(2) Scan with dirsearch.


2. bak file

When developers back up the source code in an online environment and place the backup file in the web directory, the website source code will be leaked.


① Click to enter the environment.


② Use prompt information.


③ Look for the flag file. (Since the bak file is leaked, .bak must be added at the end)


3. vim cache

When developers use the vim editor in the production environment, vim creates a temporary swap (cache) file while a file is being edited and deletes it when vim exits normally. If vim exits abnormally, the swap file is not cleaned up and remains on the server, and the original file content can be restored from it, leaking the website source code.


① Click to enter the environment.


② Use prompt information.


③ Look for the flag file. (Since the vim cache is leaked, you need to add .swp at the end.)

The file name with the added suffix may vary:

The first time the file name may be .index.php.swp

The second time it may be .index.php.swo

The third time it may be .index.php.swn

Try each file name in turn, from top to bottom.

Because this is a cache file, we need to recover the original content from it; on a Linux system:

vim -r "index.php.swp"

vim -r "<file name>"


4. .DS_Store

.DS_Store is a hidden file in which macOS stores custom attributes of a folder. Through .DS_Store, you can learn the names of all files in that directory.


① Click to enter the environment.


② Use the prompt information. (Then add .DS_Store directly at the end)


③ Find the flag file.

The output is garbled, so use a Linux system directly (copy the file onto the Linux system):

cat DS_Store        // open the file


(4) git leaked:

Git is a mainstream distributed version control system. Developers often forget about the .git folder during development and deployment. Through the information in the .git folder an attacker can recover all the source code the developer has committed, which may lead to the server being compromised. A large number of developers currently use git for version control and automatic deployment of sites; if configured improperly, the .git folder may be deployed directly to the production environment, causing a git leak vulnerability.
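The common thread of sections (3) to (6) is a deployment directory that contains files which should never be served. As an added example that is not part of the original write-up, the following Python script audits a document root for exactly those artifacts: .git/.svn/.hg directories, .DS_Store, backup files, vim swap files and leftover phpinfo test scripts. The sample tree it builds, the archive extensions in BACKUP_RE and the function names are my assumptions; point audit_webroot at a real web root to see what a deployment exposes.

```python
"""Audit a web root for the leaked artifacts described in sections (3)-(6).

Added example; the checks, function names and the constructed sample tree are
assumptions of this example, not part of the original post.
"""
import os
import re
import tempfile

# Version-control metadata directories from sections (4)-(6).
VCS_DIRS = {".git", ".svn", ".hg"}
# Leftover environment test scripts named in the PHPINFO section.
TEST_SCRIPTS = {"phpinfo.php", "test.php", "1.php"}
# Backup archives and copies (extension list is an assumption) and vim swap
# files such as .index.php.swp / .swo / .swn from section (3).
BACKUP_RE = re.compile(r".*\.(bak|old|orig|zip|tar\.gz|rar)$", re.IGNORECASE)
SWAP_RE = re.compile(r"^\..+\.sw[pon]$")


def classify(name: str, is_dir: bool):
    """Return a finding label for one directory entry, or None if it looks harmless."""
    if is_dir:
        return "vcs-metadata" if name in VCS_DIRS else None
    if name == ".DS_Store":
        return "ds-store"
    if name in TEST_SCRIPTS:
        return "phpinfo-test-script"
    if SWAP_RE.match(name):
        return "vim-swap"
    if BACKUP_RE.match(name):
        return "backup-file"
    return None


def audit_webroot(root: str):
    """Walk a document root and return sorted (relative path, label) findings.

    A VCS directory is reported once and not descended into: everything below
    it is already exposed by the directory itself.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            label = classify(d, True)
            if label:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), label))
                dirnames.remove(d)  # prune .git/.svn/.hg from the walk
        for f in filenames:
            label = classify(f, False)
            if label:
                findings.append((os.path.relpath(os.path.join(dirpath, f), root), label))
    return sorted(findings)


def build_sample_root() -> str:
    """Construct a throwaway tree that mimics a badly deployed site (sample data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.php", "index.php.bak", ".index.php.swp", ".DS_Store",
                "phpinfo.php", "assets/app.js", "www.zip",
                ".git/HEAD", ".svn/wc.db", ".hg/store/data"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for rel, label in audit_webroot(build_sample_root()):
        print(f"{label:20s} {rel}")
```

Anything the script reports should be removed from the deployment (or excluded by the deploy step) and, as a second layer, denied by the web server configuration, so that a forgotten file is not served even if it slips through.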


1.Log

Since the git log command could not be used, this part will be completed once a method is found.
(★★★ fatal error: your current branch 'master' does not have any commits yet)

2.Stash


3. Index


(5) SVN leakage

When developers use SVN for version control, the site is automatically deployed. If configured improperly, the .svn folder may be deployed directly to the online environment, causing SVN leak vulnerabilities.


Preparation (for use in a Linux environment):

(1) You need to download the dvcs-ripper tool, which facilitates the exploitation of vulnerabilities.

https://github.com/kost/dvcs-ripper

(2) Then install the dependent libraries required by the tool:

sudo apt-get install perl libio-socket-ssl-perl libdbd-sqlite3-perl libclass-dbi-perl libio-all-lwp-perl


① Click to enter the environment.


② Use the prompt information. (The prompt here says it is an SVN leak vulnerability.)


③ Find the flag file. (Use the tool downloaded above)

First use a directory scanning tool (dirb) to scan for the .svn directory.

Once the directory is found, use the downloaded dvcs-ripper tool to download the leaked files to a local directory.

Switch to the directory of the downloaded tool:

./rip-svn.pl -u <URL of the leaked .svn directory>

After the download, check whether it succeeded.

ls -al

Switch into the downloaded directory and check the files to see whether any of these directories contain information about the flag file:

cd .svn

cat wc.db             // while searching, this directory was found to contain flag information

Then use this information to access the file; it returns 404 with no content, so it may already have been deleted.

But the page hint says the flag is in an old version of the server-side source code, so check whether the pristine files hold the flag.

cd pristine

ls -al

Switch to the file 38, view it, and find the flag information.
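The manual walk through wc.db and the pristine directory above can be done systematically: wc.db is an SQLite database whose NODES table records each working-copy path together with a checksum of the form $sha1$<hex>, and the pristine copy lives at pristine/<first two hex chars>/<hex>.svn-base. As an added example (not the original post's code, and not dvcs-ripper's), the following Python script builds a constructed, minimal .svn directory with only the columns it needs and maps every tracked file to its pristine copy, which is what an assessment of a leaked .svn directory has to enumerate. The function names and the sample data are mine.

```python
"""Map entries of a leaked SVN working copy (wc.db) to their pristine copies.

Added example. The layout used (NODES.local_relpath, NODES.kind,
NODES.checksum as "$sha1$<hex>", pristine/<hh>/<hex>.svn-base) is the SVN 1.7+
working-copy format; the wc.db built below is a constructed stand-in with only
the columns this script reads, not a real checkout.
"""
import hashlib
import os
import sqlite3
import tempfile


def pristine_path(svn_dir: str, checksum: str) -> str:
    """Translate a NODES.checksum value into the path of its pristine file."""
    if not checksum.startswith("$sha1$"):
        raise ValueError("only SHA-1 checksums are expected in wc.db")
    sha1 = checksum[len("$sha1$"):]
    return os.path.join(svn_dir, "pristine", sha1[:2], sha1 + ".svn-base")


def list_pristine_files(svn_dir: str):
    """Return {working-copy path: pristine file path} for every file in wc.db.

    Entries whose pristine blob is missing are skipped: the working copy knew
    about them, but their content is not recoverable from this directory.
    """
    conn = sqlite3.connect(os.path.join(svn_dir, "wc.db"))
    try:
        rows = conn.execute(
            "SELECT local_relpath, checksum FROM NODES "
            "WHERE kind = 'file' AND checksum IS NOT NULL"
        ).fetchall()
    finally:
        conn.close()
    result = {}
    for relpath, checksum in rows:
        path = pristine_path(svn_dir, checksum)
        if os.path.exists(path):
            result[relpath] = path
    return result


def build_sample_svn_dir() -> str:
    """Construct a minimal .svn directory (sample data) with two tracked files."""
    svn_dir = os.path.join(tempfile.mkdtemp(prefix="svnleak-"), ".svn")
    os.makedirs(svn_dir)
    conn = sqlite3.connect(os.path.join(svn_dir, "wc.db"))
    # Only the columns this example reads; the real NODES table has many more.
    conn.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    files = {"index.php": b"<?php echo 'hello'; ?>\n",
             "flag.txt": b"constructed-sample-flag\n"}
    for relpath, content in files.items():
        checksum = "$sha1$" + hashlib.sha1(content).hexdigest()
        conn.execute("INSERT INTO NODES VALUES (?, 'file', ?)", (relpath, checksum))
        target = pristine_path(svn_dir, checksum)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(content)
    conn.execute("INSERT INTO NODES VALUES ('', 'dir', NULL)")  # the root directory row
    conn.commit()
    conn.close()
    return svn_dir


if __name__ == "__main__":
    svn = build_sample_svn_dir()
    for rel, path in list_pristine_files(svn).items():
        with open(path, "rb") as fh:
            print(rel, "->", os.path.relpath(path, svn), fh.read(60).strip())
```

Because pristine files are keyed by content hash rather than by name, a file that was later deleted or rewritten can still be present under the pristine directory, which is exactly why the flag above was found there after the live path returned 404.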

 


(6) HG leaked

When developers use Mercurial for version control, the site is automatically deployed. If configured improperly, the .hg folder may be deployed directly to the online environment, which causes the hg leak vulnerability.


 Preparation (for use in a Linux environment):

(1) You need to download the dvcs-ripper tool, which facilitates the exploitation of vulnerabilities.

https://github.com/kost/dvcs-ripper

(2) Then install the dependent libraries required by the tool:

sudo apt-get install perl libio-socket-ssl-perl libdbd-sqlite3-perl libclass-dbi-perl libio-all-lwp-perl


① Click to enter the environment.


② Use prompt information.


③ Find the flag file. (Use the tool downloaded above)

First use a directory scanning tool to scan for the .hg directory.

Once the directory is found, use the downloaded dvcs-ripper tool to download the leaked files to a local directory.

Switch to the directory of the downloaded tool (dvcs-ripper ships a separate script per system; for Mercurial it is rip-hg.pl):

./rip-hg.pl -u <URL of the leaked .hg directory>

After the download, check whether it succeeded.

ls -al

Switch into the downloaded directory and check the files to see whether any of these directories contain information about the flag file:

cd .hg                // switch into the .hg directory

ls                    // list all files

grep -r flag *        // search all files in this directory for anything related to flag

Use the information found to access the file. (Flag information found.)
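Every section of this write-up starts with a request for a path that a normal visitor never asks for (.git/HEAD, .svn/wc.db, .DS_Store, index.php.bak, .index.php.swp, phpinfo.php), so those requests are the signal a defender should watch for. As an added example (not from the original post), the following Python script parses access-log lines in the common combined format, labels requests that probe for the leak-prone paths discussed above, and summarizes probes per client. The log lines are constructed samples, and the patterns, labels and function names are my assumptions.

```python
"""Spot probes for leak-prone paths in web server access logs.

Added example. The log lines are constructed samples in the common combined
log format; the patterns, labels and function names are assumptions of this
example, not part of the original post.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths typical of the leaks in sections (2)-(6).
PROBE_PATTERNS = [
    ("git-leak", re.compile(r"^/(?:.*/)?\.git(?:/|$)")),
    ("svn-leak", re.compile(r"^/(?:.*/)?\.svn(?:/|$)")),
    ("hg-leak", re.compile(r"^/(?:.*/)?\.hg(?:/|$)")),
    ("ds-store", re.compile(r"^/(?:.*/)?\.DS_Store$")),
    ("vim-swap", re.compile(r"^/(?:.*/)?\.[^/]+\.sw[pon]$")),
    ("backup-file", re.compile(r"^/[^?]+\.(?:bak|old|orig|zip|tar\.gz|rar)$", re.I)),
    ("phpinfo", re.compile(r"^/(?:phpinfo|test|1)\.php$")),
]


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path: str):
    """Return the probe label for a request path (query string ignored), or None."""
    path = path.split("?", 1)[0]
    for label, pat in PROBE_PATTERNS:
        if pat.match(path):
            return label
    return None


def find_probes(lines):
    """Return a list of (ip, path, status, label) for requests touching leak-prone paths."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        label = classify_path(rec["path"])
        if label:
            hits.append((rec["ip"], rec["path"], int(rec["status"]), label))
    return hits


def summarize(hits):
    """Count probe labels per client; several distinct labels from one IP means scanning."""
    per_ip = {}
    for ip, _path, _status, label in hits:
        per_ip.setdefault(ip, Counter())[label] += 1
    return per_ip


# Constructed sample log: one client sweeping for artifacts, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /index.php.bak HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /.index.php.swp HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:12:00:04 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/Oct/2023:12:00:05 +0000] "GET /.svn/wc.db HTTP/1.1" 403 162
198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "GET /assets/app.js HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:12:01:01 +0000] "GET /.DS_Store HTTP/1.1" 404 162
""".splitlines()

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, path, status, label in hits:
        outcome = "LEAKED" if status == 200 else "blocked/missing"
        print(f"{ip:14s} {label:12s} {status} {outcome:16s} {path}")
    for ip, counts in summarize(hits).items():
        print(ip, dict(counts))
```

A 200 on one of these paths is the important line: it means the artifact was actually served and the response should be treated as a confirmed leak rather than a failed probe.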


Reference article: ctfhub skill tree information leakage directory traversal PHPINFO backup file download_Jinxi's blog-CSDN blog


Origin blog.csdn.net/weixin_54977781/article/details/132008421