山东省大学生网络安全技能大赛 爱好者线上选拔赛wp

录屏链接:https://pan.baidu.com/s/1e7gLGuhhzEdBPJwUIg4Wgg?pwd=7lzd
提取码:7lzd

Misc

签到

关注大赛公众号「山东省大学生网络安全技能大赛」,回复“flag-sdnisc2024”即可

flag{a4c7f4c35c8f862debb07f2ce5c8afa3}

deepdeep

用 DeepSound 打开发现需要密码,利用 deepsound2john 导出 hash

image-20240921114212642

利用John进行密码爆破

在 010 中看到提示:密码为 pw??????

image-20240921114851091

用 John 爆破一下

# John the Ripper mask attack on the hash exported from the DeepSound file.
# ?1 is a custom placeholder (defined with -1=... or in john.conf); the mask
# covers eight positions, while the hint above describes the password as
# "pw" followed by six unknown characters. NOTE(review): confirm the charset
# definition and whether the mask should start with the literal prefix "pw".
john hash.txt --mask=?1?1?1?1?1?1?1?1

image-20240921114939916

DeepSound 导出得到一张图片,

image-20240921115046387

结合题目描述,密码用了不止一次,下一步还需要密码

cloacked-pixel解密

image-20240921115054266

WEB

ez_calc

利用脚本回答题目

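import ast
import operator

import requests

# Challenge endpoint: a GET returns an arithmetic prompt, and the answer has
# to be POSTed back on the same session within the server's 2-second window.
BASE_URL = 'http://119.45.42.24:20025/'

# Operators the evaluator understands; anything else in the server's reply is
# rejected instead of being executed.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval_arithmetic(expr):
    """Evaluate a plain arithmetic expression without handing it to eval().

    Only numeric literals, the binary operators + - * / // % and unary +/- are
    accepted; any other node raises ValueError and malformed text raises
    SyntaxError. The expression comes from the remote server, i.e. it is
    untrusted input, which is why eval() is not used here.
    """
    def walk(node):
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression element: {type(node).__name__}")

    return walk(ast.parse(expr, mode="eval").body)


session = requests.Session()
# Timeouts keep the script from hanging forever if the instance is down.
r = session.get(BASE_URL, timeout=5)
print(r.text)

# The response body begins with the expression itself ("<expr> = ? <br>...").
exp = r.text.split()[0]
data = {"answer": str(_eval_arithmetic(exp))}
r2 = session.post(BASE_URL, data=data, timeout=5)
print(r2.text)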

得到源码

import ast
import uuid,json,os,hashlib,time

from flask import Flask, request, session

from config import key,get_calc

app = Flask(__name__)

# A fresh random secret (uuid4) each time the module is loaded, so the value is
# not stable across restarts.
app.secret_key = str(uuid.uuid4())

# Substring denylist that check() applies to the raw decoded body of /admin/admin.
black_list=['__init__']
# Per-character allow-list applied to the "calc" expression in /admin/calc.
s='123456789+-'
def check(data):
    """Return False if any denylisted substring occurs in *data*, else True.

    *data* is the raw decoded request body (see admin()) and black_list is the
    module-level denylist; this is a plain substring test, not a parse of the
    body.
    """
    return not any(banned in data for banned in black_list)

def merge(src, dst):
    """Recursively copy the entries of the dict *src* into *dst*.

    If *dst* is subscriptable (has __getitem__) it is treated as a mapping:
    a dict value whose key already maps to a truthy entry is merged into that
    entry, everything else is assigned with dst[key] = value. Otherwise *dst*
    is treated as an object: a dict value whose key is an existing attribute
    is merged into that attribute, everything else is set with setattr().
    Because keys are taken verbatim from *src*, nested keys can reach any
    attribute of *dst*; this is the sink behind the write-up's pollution step.
    """
    for key, value in src.items():
        nested = type(value) is dict
        if hasattr(dst, '__getitem__'):
            existing = dst.get(key)
            if existing and nested:
                merge(value, existing)
            else:
                dst[key] = value
            continue
        if hasattr(dst, key) and nested:
            merge(value, getattr(dst, key))
        else:
            setattr(dst, key, value)

class user:
    """In-memory account record; admin() creates one and fills it via merge()."""

    def __init__(self):
        # Both credentials start empty and are only ever set through merge().
        self.username = ""
        self.password = ""

    def check(self, data):
        """Return True iff data['username'] and data['password'] both match.

        The username is compared first; on a mismatch data['password'] is
        never read.
        """
        return (data['username'] == self.username
                and data['password'] == self.password)

# user() objects appended by admin(); nothing visible in this file reads them.
Users = []
# Usernames accepted by register(); login() only checks membership here.
usernames=[]

@app.route('/admin/register', methods=['POST'])
def register():
    """Record a username from a JSON body.

    The body must decode as JSON and contain both "username" and "password";
    only the username is stored (appended to the module-level usernames list),
    the password is discarded. Returns "Register Success" or "Register Failed".
    """
    if not request.data:
        return "Register Failed"
    try:
        payload = json.loads(request.data.decode())
        if "username" not in payload or "password" not in payload:
            return "Register Failed"
        usernames.append(payload['username'])
    except Exception:
        return "Register Failed"
    return "Register Success"


@app.route('/admin/login', methods=['POST'])
def login():
    """Start a guest session for a registered username.

    The body must be JSON with both "username" and "password" keys, but only
    the username is compared (membership in the module-level usernames list);
    the password value is never checked, and the session role is always set
    to "guest". Returns "Login Success" or "Login Failed".
    """
    if not request.data:
        return "Login Failed"
    try:
        payload = json.loads(request.data)
        if "username" not in payload or "password" not in payload:
            return "Login Failed"
        if payload["username"] in usernames:
            session["username"] = payload["username"]
            session["role"] = "guest"
            return "Login Success"
    except Exception:
        return "Login Failed"
    return "Login Failed"


@app.route('/admin/admin', methods=['GET', 'POST'])
def admin():
    """Admin-only endpoint that merges a posted object into a new user().

    Requires a session with a username and role == "admin". Note that login()
    only ever sets role to "guest" and nothing else visible in this file sets
    "admin". A non-empty body is first screened by check() (substring denylist
    on the raw decoded body) and then merged into a fresh user() via merge();
    an empty body returns "whoami".
    """
    username = session.get('username')
    role = session.get('role')
    if not username or role != 'admin':
        return "no admin"
    if request.data:
        if not check(request.data.decode()):
            return "No No No"
        User = user()
        # NOTE(review): `data` is not defined in this function (nor at module
        # level), so as listed this line raises NameError. Presumably it is the
        # JSON-decoded request body, as in login()/calc() — verify against the
        # original source before relying on this listing.
        merge(data, User)
        Users.append(User)
        return "Welcome admin"
    else:
        return "whoami"


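@app.route('/', methods=['GET', 'POST'])
def index():
    """Serve the arithmetic challenge and, on a correct answer, this file's source.

    GET: obtains a prompt and a digest from config.get_calc(), stores the digest
    and the current time in the session, and returns the prompt.
    POST: reads form field "answer"; it must arrive within 2 seconds of the
    stored time and its MD5 hex digest must equal the stored digest. On success
    the running source file is returned verbatim, otherwise a short error
    string.
    """
    if request.method != 'POST':
        c1, x1 = get_calc()
        session['x1'] = x1
        session['time'] = int(time.time())
        return c1 + ' = ? <br><br>plz give me answer'

    answer = request.form.get("answer")
    t = session.get('time')
    x1 = session.get('x1')
    # Identity test against None (idiomatic); same outcome as `== None` for
    # plain session values.
    if answer is None or x1 is None or t is None:
        return "something error"
    if int(time.time()) - t > 2:
        return "time too long"
    if hashlib.md5(answer.encode()).hexdigest() != x1:
        return "calc failed"
    # Context manager so the file handle is closed after reading instead of
    # being left for the garbage collector.
    with open(__file__, "r") as src:
        return src.read()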


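def _eval_additive(expr):
    """Evaluate *expr* allowing only int literals and +/- (binary or unary).

    Raises SyntaxError for malformed text (as eval() would) and ValueError for
    any other node type, so callers see the same exception-based failure path.
    """
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
            left, right = walk(node.left), walk(node.right)
            return left + right if isinstance(node.op, ast.Add) else left - right
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            value = walk(node.operand)
            return +value if isinstance(node.op, ast.UAdd) else -value
        raise ValueError("only integer addition and subtraction are allowed")

    return walk(ast.parse(expr, mode="eval").body)


@app.route('/admin/calc', methods=['POST'])
def calc():
    """Return the secret key when the posted arithmetic checks out.

    Expects a JSON body with "calc" (an expression) and "answer". Every
    character of "calc" must be in the module-level allow-list s
    ("123456789+-"); the expression is then evaluated and compared to "answer"
    with ==. Any exception (bad JSON, non-string "calc", syntax error) yields
    "Failed".

    The expression is evaluated with a restricted AST walker rather than
    eval(): under that allow-list only integer literals and binary/unary +/-
    can occur, which the walker covers exactly, so results are unchanged while
    request data never reaches eval().
    """
    if not request.data:
        return "Failed"
    try:
        data = json.loads(request.data)
        print(data)
        if "calc" not in data or "answer" not in data:
            return "Failed"
        for i in data["calc"]:
            if i not in s:
                return "no rce , only math"
        if _eval_additive(data["calc"]) == data["answer"]:
            return key
    except Exception:
        return "Failed"
    return "Failed"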

if __name__ == "__main__":
    # Flask development server, listening on all interfaces on port 5000.
    app.run(host="0.0.0.0", port=5000)

审计源码发现需要先注册,然后登录,利用原型链污染 data,再通过 calc 返回 key 得到 flag

注册

image-20240921112056986

登录

1f7013588604ac28eb95f4db8897b18b

但是这个题是公共环境,key应该是被别人直接污染成flag了

image-20240921111944273

拿到flag